软件学报 ISSN 1000-9825, CODEN RUXUEW                                        E-mail: jos@iscas.ac.cn
         Journal of Software,2021,32(9):2887−2900 [doi: 10.13328/j.cnki.jos.005976]   http://www.jos.org.cn
         ©中国科学院软件研究所版权所有.                                                          Tel: +86-10-62562563


                                              ∗
         抗随机数后门攻击的密码算法

                                           1,2
                                  1,2
         康步荣   1,2,3 ,   张   磊  1,2,3 ,   张   蕊 ,   孟欣宇 ,   陈   桐  1,2
         1
          (软硬件协同设计技术与应用教育部工程研究中心(华东师范大学),上海  200062)
         2 (华东师范大学  软件工程学院,上海  200062)
         3 (密码科学技术国家重点实验室,北京  100878)
         通讯作者:  张磊, E-mail: leizhang@sei.ecnu.edu.cn

         摘   要:  迄今为止,大多数密码原语的安全性都依赖于高质量的不可预测的随机数.密码学中,通常用伪随机数生
         成器(pseudorandom number generator,简称 PRNG)生成随机数.因此,密码算法中所用的 PRNG 的安全性将直接影响
         着密码算法的安全性.然而,近年来,越来越多的研究结果表明:在实际应用中,很多人为因素会导致 PRNG 生成的随
         机数是不随机或可预测的,称这种不安全的 PRNG 为有后门的 PRNG(backdoored pseudorandom number generator,
         简称 BPRNG).BPRNG 最典型的例子是双椭圆曲线伪随机数生成器(dual elliptic  curves pseudorandom number
         generator,简称 Dual EC PRNG),其算法于 2014 年被曝出存在后门.BPRNG 的出现,使密码算法的研究面临着新的挑
         战.因此,研究抗随机数后门攻击的密码算法显得尤为重要.首先概述了抗随机数后门攻击密码算法的研究背景,然
         后着重对已有抗随机数后门攻击密码算法进行了总结和梳理.
         关键词:  伪随机数生成器;随机数后门;抗随机数后门攻击;密码算法
         中图法分类号: TP309


         中文引用格式:  康步荣,张磊,张蕊,孟欣宇,陈桐.抗随机数后门攻击的密码算法.软件学报,2021,32(9):2887−2900.  http://www.
         jos.org.cn/1000-9825/5976.htm
         英文引用格式: Kang BR, Zhang L, Zhang R, Meng XY, Chen T. Cryptographic algorithms against backdoored pseudorandom
         number generator. Ruan Jian Xue Bao/Journal of  Software, 2021,32(9):2887−2900 (in Chinese).  http://www.jos.org.cn/1000-
         9825/5976.htm
         Cryptographic Algorithms Against Backdoored Pseudorandom Number Generator

                                                   1,2
                                                                  1,2
         KANG Bu-Rong 1,2,3 ,   ZHANG Lei 1,2,3 ,   ZHANG Rui ,   MENG Xin-Yu ,   CHEN Tong 1,2
         1  (Engineering Research Center of Software/Hardware Co-design Technology and Application, Ministry of Education (East China Normal
          University), Shanghai 200062, China)
         2 (Software Engineering Institute, East China Normal University, Shanghai 200062, China)
         3 (State Key Laboratory of Cryptology, Beijing 100878, China)
         Abstract:    So far, the security of the most of the cryptographic primitives depends on the high-quality and unpredictable randomness. In
         cryptography, the pseudorandom number generator (PRNG) is used to generate randomness. Thus, the security of the PRNG will directly
         impact the security of cryptographic algorithms. However, there have been some reports showing that many human factors can lead to the
         failure randomness generated by the PRNG which is referred to as the backdoored pseudorandom number generator (BPRNG). A good
         example of this BPRNG is the dual elliptic curves PRNG (Dual EC PRNG) which has been exposed to generate bad randomness. With the

            ∗  基金项目:  国家重点研发计划(2017YFB0802000);  国家自然科学基金(61972159, 61572198);  软硬件协同设计技术与应用教育
         部工程研究中心主任基金(华东师范大学)
              Foundation item: National Natural Science Foundation of China (2017YFB0802000); National Natural Science Foundation of China
         (61972159, 61572198);  Dean's Fund of Engineering  Research  Center of Software/Hardware  Co-design  Technology  and Application,
         Ministry of Education (East China Normal University)
              收稿时间: 2019-07-11;  修改时间: 2019-09-28;  采用时间: 2019-11-04