Abstract
In a traditional hybrid cryptosystem, once a user's private key is leaked, an attacker can regenerate the session keys that user previously used and decrypt the session contents encrypted under them. To address this private-key leakage problem, this paper applies the key encapsulation mechanism and proposes a forward-secure public-key encryption scheme (FS-SM9) based on the identity-based cryptosystem SM9, and proves in the standard model that the scheme is IND-FS-CPA secure under the (q,n)-DBDHI hardness assumption. In the scheme, the lifetime of the system is divided into multiple time periods that are managed with a binary tree, which reduces the overhead to a logarithmic level. Time-period information is embedded into the ciphertext at encryption time, so only the private key of that specific period can decrypt it. The private key is updated once per period by an update algorithm that generates the new key and deletes the old one; because this update is one-way, forward security is achieved. Moreover, the performance analysis and experimental results show that the extra time overhead introduced by achieving forward security is negligible under certain conditions. The scheme is therefore practical and can run on specific resource-constrained devices, providing them with forward security.
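The abstract describes two structural ideas without giving the construction: the system lifetime is split into periods arranged as the leaves of a binary tree so that the key material held at any time is logarithmic in the number of periods, and the per-period private-key update is one-way, with the old key erased. The following is an added illustration of exactly that tree-based key evolution and is not the paper's FS-SM9 scheme: SHA-256 derivation of child node keys stands in for the SM9-based key delegation the paper presumably uses, the class and function names are constructed for this example, and the master secret is a constructed value. What it shows is that the state held in period t can derive the key of any period t' >= t but no earlier one, and that the state never exceeds depth + 1 node keys.

```python
import hashlib
from typing import List, Optional, Tuple

# A node key is (level, index, key). Leaves are at level == depth and
# leaf index t is time period t; the tree therefore has 2**depth periods.
Node = Tuple[int, int, bytes]


def node_key(parent: bytes, bit: int) -> bytes:
    """One-way derivation of a child node key from its parent (stand-in for
    the scheme's key delegation). Given the child, the parent cannot be recovered."""
    return hashlib.sha256(parent + bytes([bit])).digest()


def leaf_key_direct(master: bytes, depth: int, t: int) -> bytes:
    """Reference derivation of period t's key straight from the master secret,
    used only to check that the evolving state produces the same keys."""
    key = master
    for i in range(depth - 1, -1, -1):
        key = node_key(key, (t >> i) & 1)
    return key


class ForwardSecureState:
    """Private-key state for the current period.

    The state is a stack of node keys: the top entry is the current leaf,
    and the remaining entries are the right siblings of the left-going steps
    on the path from the root to that leaf. Those siblings cover exactly the
    periods still to come, so every future key is derivable and no past key is.
    """

    def __init__(self, master: bytes, depth: int):
        self.depth = depth
        self.period = 0
        self.stack: List[Node] = [(0, 0, master)]
        self._descend()

    def _descend(self) -> None:
        # Pop the next subtree root and walk down its leftmost path, pushing
        # each right sibling on the way; the leaf reached is the new period key.
        level, index, key = self.stack.pop()
        while level < self.depth:
            self.stack.append((level + 1, 2 * index + 1, node_key(key, 1)))
            level, index, key = level + 1, 2 * index, node_key(key, 0)
        self.stack.append((level, index, key))

    @property
    def expired(self) -> bool:
        return not self.stack

    def current_key(self) -> bytes:
        level, index, key = self.stack[-1]
        assert level == self.depth and index == self.period
        return key

    def update(self) -> bool:
        """Move to the next period: erase the current leaf key, then derive the
        next one. Returns False once the final period has been passed."""
        self.stack.pop()  # the old period key is deleted, never kept
        if self.expired:
            return False
        self.period += 1
        self._descend()
        return True

    def key_for_period(self, t: int) -> Optional[bytes]:
        """Derive period t's key from the held state if some held node is an
        ancestor of leaf t; returns None for every period before the current one."""
        for level, index, key in self.stack:
            if (t >> (self.depth - level)) == index:
                for i in range(self.depth - level - 1, -1, -1):
                    key = node_key(key, (t >> i) & 1)
                return key
        return None


if __name__ == "__main__":
    master = b"constructed master secret"  # constructed sample value
    state = ForwardSecureState(master, depth=3)  # 8 periods
    while True:
        held = [(lvl, idx) for lvl, idx, _ in state.stack]
        print(f"period {state.period}: holds {len(held)} node keys {held}, "
              f"can derive period 0: {state.key_for_period(0) is not None}")
        if not state.update():
            break
```

The stack never holds more than depth + 1 entries, which is the logarithmic overhead the abstract refers to; a leaked state in period t reveals only the keys of periods t and later, because every node that is an ancestor of an earlier leaf has already been erased.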
Authors
黄文峰, 许胜民, 马金花, 宁建廷, 伍玮
HUANG Wenfeng; XU Shengmin; MA Jinhua; NING Jianting; WU Wei (College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China; School of Mathematics and Statistics, Fujian Normal University, Fuzhou 350117, China)
Source
《计算机科学与探索》 (Journal of Frontiers of Computer Science and Technology)
Indexed in: CSCD; Peking University Core Journals (北大核心)
2024, No. 12, pp. 3348-3358 (11 pages)
Funding
National Key Research and Development Program of China (2023YFB3106200)
National Natural Science Foundation of China (62372108, 62102090, 62032005)
Keywords
forward security; SM9; key encapsulation; chosen-plaintext security