1 Introduction

The smart card [6] is a miniature electronic device that contains a storage medium and an integrated circuit. It plays two important roles in application systems [22, 30]: identity and security. Because of its low cost, its portability, and the ability to improve security through cryptographic algorithms, it has been widely used in communication, banking, transportation, access control and other fields. In the past few decades, the computing power of smart cards has developed rapidly. Smart cards based on public-key cryptography are widely used in many fields, and their applications are becoming increasingly diverse. Advances in semiconductor technology have improved the capabilities, practicality and accessibility of smart cards. The wide variety of smart card features, and the multi-purpose smart cards expected in the future, make their security, especially user identity authentication and privacy protection, extremely challenging.

In smart card security, there are three main types of attacks. (1) Invasive attacks: these attacks require the microprocessor in the smart card to be removed and attacked directly by physical means. However, they often require very expensive equipment and a significant investment of time to produce results. (2) Semi-invasive attacks: these attacks need to expose the chip surface. The attacker then tries to defeat the security of the secure microprocessor without directly modifying the chip. Gandolfi attacks smart cards by analyzing their electromagnetic radiation [11]; Quisquater shows that electromagnetic attacks achieve at least the same results as power-consumption attacks [26]. (3) Non-invasive attacks: these attacks seek to obtain information without modifying the smart card, i.e. neither the secure microprocessor nor the plastic card is affected. Attackers attempt to obtain information by observing what leaks during the computation of a given command, or by injecting faults using mechanisms other than light. Kocher found that the timing information leaked during the operation of a smart card can be used for cryptanalysis, and successfully used timing attacks to break the Diffie-Hellman key exchange protocol and the RSA algorithm [16]. Later, Kocher used dozens of power-consumption traces to break the DES algorithm [17]. Jiang et al. [25] remedied design defects of a privacy-aware authentication scheme for distributed mobile cloud computing services, including the misuse of biometrics, the wrong-password and fingerprint-login problems, and the lack of a user revocation facility when the smart card is lost or stolen. Later, Tian et al. [29] proposed a rational delegation of computation protocol, an important technology of today's mobile Internet that is significant for the construction of intelligent urban computing. To move closer to practical applications, many of these tasks require cooperation with edge computing and cloud computing.

Although there are many attacks on smart cards, the security of a smart card depends mainly on the complexity of the embedded cryptographic algorithm and authentication protocol, that is, on the security of the public-key cryptography it uses. Public-key cryptography is well suited to applications such as smart cards, which are mobile devices with limited storage and computing power. In recent years, side-channel attacks (SCA) have become a fast, low-cost and powerful attack method against cryptographic chips, because they can effectively extract keys and other secret data from the chip, which seriously threatens the security of smart card chips. Traditionally, the security of cryptographic chips depends on the complexity of the cryptographic algorithms and authentication protocols embedded in them, and most chips adopt CMOS technology [21]. Unlike existing mathematical analysis methods, Kocher et al. [16] found that the timing leakage of a cipher chip could be used for cryptanalysis, and successfully used timing attacks to break the Diffie-Hellman key exchange protocol and the RSA algorithm. Messerges et al. [19, 20] analyzed the power consumption of public-key cryptographic algorithms implemented on smart cards, and proposed a method to maximize the peak of differential power analysis (DPA). Many scholars have since proposed countermeasures against power attacks [7, 18]. Jiang et al. [14] propose an integrated AKA framework for public-key cryptosystems that combines a single-server three-factor AKA protocol with a non-interactive identity-based key establishment protocol, and evaluate its performance on a simulated experimental platform. However, because of their limited internal resources and computing speed, smart cards are often sensitive to the implementation cost and efficiency of a scheme.
To improve the performance and security of smart card products, we need to design algorithms with higher efficiency and security, among which elliptic curve scalar multiplication [13, 15] has become a current research hotspot. The growing standardization of smart card development has given the field strong momentum for future development [5, 12]. Figure 1 shows the smart card security and application scenarios.

Figure 1. Smart cards security and applications

Public-key cryptography is the most important invention and development of modern cryptography. Since Diffie and Hellman proposed public-key cryptography in 1976 [10], scholars have come up with a number of public-key schemes, such as RSA [27], the ElGamal system [4, 28], McEliece [23], knapsack systems, etc. [1, 24]. Much research has been done on methods for designing encryption schemes that are both practical and formally analyzable [2]. Bellare and Rogaway proposed the random oracle model, in which the cryptographic hash function is assumed to be completely random. Among provably secure public-key cryptosystems, the traditional Chosen Plaintext Attack (IND-CPA) [31] model offers a relatively low security level. Naor and Yung [9] proposed indistinguishability under Adaptive Chosen Ciphertext Attack (IND-CCA2), the model with the highest level of security in provable security theory. In 1998, Cramer and Shoup (CS98) constructed a public-key encryption algorithm secure against Adaptive Chosen Ciphertext Attack (CCA) in the standard model [8]. In 2005, Boyen, Mei and Waters (BMW) gave a CCA-secure encryption algorithm [3] based on the Waters identity-based encryption algorithm [32]. The BMW algorithm has a prominent feature: before a ciphertext is decrypted, a verification algorithm can determine the integrity of the ciphertext without any private key as input, and it ensures the correctness of the plaintext message after decryption. This verification algorithm is called public ciphertext integrity verification because it does not need the private key. In the above public-key cryptography based on adversary attack models, the security of a scheme is proved, but the quantification of its security limit is not considered. This paper is motivated by the goal of finding the secure/insecure limitation of public-key cryptography schemes in the standard model, from the perspective of the capacity of the adversaries' convertible attack channels.
We mainly analyze the security of the common public-key cipher algorithms used in smart cards, and give the security boundaries of the different cipher algorithms and their mathematical relations.

Our contribution

We transform the security problem of the smart card into the security problem of its PKC algorithm. One may hope to obtain the secure or insecure limitation of a public-key cryptography algorithm by a naive construction of the adversaries' convertible attack channel, in which the security problem of public-key cryptography is transformed into the channel's capacity. Following this line of thought, we propose several attack channel models based on Shannon information theory. The average mutual information and conditional mutual information of information theory are used to describe the plaintext-ciphertext metric, the plaintext leakage metric, the plaintext metric and the leakage metric with background knowledge in the adversary attack channel. The key point is to treat the attack system as a communication model. The security limitations of public-key encryption and signature under different types of attacks, that is, the security limitation of smart cards under different public-key algorithms, are analyzed and described.

2 Public-key cryptography

The publication of Diffie and Hellman's New Directions in Cryptography was a landmark in computer cryptography. From it, the concept of public-key cryptography emerged. It has two important principles. First, the ciphertext must remain secure even though both the encryption algorithm and the public key are public. Second, all legitimate encryptors and decryptors holding the secret keys must be able to carry out their computations in a relatively simple manner, while for others who do not have the secret keys, deciphering should be extremely difficult. In recent years, public-key cryptography has been combined with technologies such as PKI, digital signatures and e-commerce to ensure the confidentiality, integrity, validity and non-repudiation of online data transmission, and has played a huge role in network security and information security.

Figure 2 is a diagram of asymmetric cryptography. In this asymmetric cipher model, both Alice and Bob have two keys: a public key, which is exposed to anyone and is used to encrypt messages to that person, and a private key, which is kept secret and is used to decrypt messages. So if Alice wants to send a message to Bob, she gets Bob's public key, which can be published in a key directory, and encrypts her message with it. She then sends the message to Bob. When Bob receives the message, he uses his private key, which is known only to himself, to decrypt Alice's message. Even if Eve intercepts Alice's message, she cannot decrypt it, because only the person holding Bob's private key can decrypt a message encrypted with his public key, and Bob keeps his private key secret from everyone.

Figure 2. The basic model of public-key cryptography

The keys in a public-key cryptographic algorithm are classified according to their nature into two types: the public key and the private key. The user or system generates a pair of keys, one of which is disclosed as the public key, while the other is kept back and called the private key. Anyone who knows the user's public key can encrypt information with it and so exchange information with the user securely. Because of the dependency between the public key and the private key, only the user can decrypt the information; any unauthorised user, and even the sender of the information, cannot decrypt it. In modern public-key cryptography, security is based on computationally intractable problems, such as the integer factorization problem, the discrete logarithm problem in finite fields, the quadratic residuosity problem and the elliptic curve discrete logarithm problem.

Based on these problems, various public-key cryptosystems exist. There are numerous studies on public-key cryptography, mainly focusing on the RSA public-key system, elliptic curve cryptography, other public-key cryptosystems, and digital signatures.

2.1 The RSA algorithm

In 1978, Rivest, Shamir and Adleman proposed the RSA algorithm, a well-recognized public-key cryptographic algorithm. The RSA algorithm is the most effective security algorithm for secure communication and digital signatures on the network. Its security is based on the difficulty of factoring the product of large primes in number theory. The harder the factorization, the harder it is to decrypt the ciphertext and the higher the encryption strength. Its public key and private key are functions of a pair of large prime numbers. The current state of factorization theory indicates that RSA keys must be at least 1024 bits long to ensure sufficient long-term security.

The RSA algorithm is based on exponentiation in a finite field over the integers (mod p), where p is a prime, and its security rests on the big integer factoring problem. It is easy to compute n = pq, while it is very difficult to do the reverse: it is extremely computationally expensive to find the prime factors of a large composite number.
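As an added example that is not code from the paper, the following Python block runs the textbook RSA operations described above on constructed toy primes and shows, by factoring the toy modulus with trial division, why the security of RSA rests on the factoring problem and why the key sizes quoted above matter. The primes 61 and 53 and the public exponent 17 are constructed illustration values, many orders of magnitude too small for real use.

```python
"""Toy RSA key generation, encryption, decryption and signing.

Added example, not code from the paper. Parameters are constructed toy
values: anyone who can factor n = p*q rebuilds the private exponent d,
which is why real moduli must be far larger than this one.
"""
from math import gcd, isqrt


def is_prime(n):
    """Trial-division primality test; adequate only for toy sizes."""
    if n < 2:
        return False
    return all(n % f for f in range(2, isqrt(n) + 1))


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) from two distinct primes and a public exponent e."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: e*d = 1 (mod phi(n))
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """c = m^e mod n for an integer message 0 <= m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def rsa_sign(private_key, digest):
    """Textbook signature: apply the private exponent to a message digest."""
    return rsa_decrypt(private_key, digest)


def rsa_verify(public_key, digest, signature):
    """Check s^e mod n == digest."""
    return rsa_encrypt(public_key, signature) == digest


def factor_by_trial_division(n):
    """Recover (p, q) of a toy modulus; infeasible at real key sizes."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("n is not a product of two primes")


def recover_private_key(public_key):
    """Rebuild the private key from the public key alone by factoring n.
    This succeeds only because the constructed modulus is tiny."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return rsa_keygen(p, q, e)[1]


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)            # constructed toy parameters
    c = rsa_encrypt(pub, 65)
    print("ciphertext", c, "decrypts to", rsa_decrypt(priv, c))
    print("private key recovered by factoring:", recover_private_key(pub) == priv)
```

With these toy parameters the modulus is 3233 and the private exponent is 2753; the last line shows that the public key alone suffices to rebuild the private key once n can be factored.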

2.2 The ElGamal algorithm

ElGamal proposed a public-key cryptosystem based on the discrete logarithm problem in 1984, which can be used for both encryption and signature. It is a public-key cryptosystem based on the difficulty of solving the discrete logarithm problem in finite multiplicative groups, and it is still considered a public-key cryptosystem with good security. There is ElGamal public-key encryption over the multiplicative group Zp, and its generalization to any finite cyclic group.

The basic ElGamal encryption scheme is described as follows:

  1. Gen algorithm: public key p, g and y, where p is a large prime, g < p and \(y = g^{d} \bmod p\); private key d, with 2 ≤ d ≤ p − 2.

  2. Encrypt algorithm: select a random number r with 2 ≤ r ≤ p − 2. Ciphertext: \(c = {g^{r}}\bmod p, c^{\prime } = m{y^{r}}\bmod p\).

  3. Decrypt algorithm: plaintext \(m = c^{\prime } \cdot \left (c^{d}\right )^{-1} \bmod p\).
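The three steps above, implemented as an added Python example that is not the paper's own code. The parameters p = 2579, g = 2 and d = 765 are constructed toy values far too small for real use; the decryption step computes the quotient of step 3 as a modular inverse, c′·(c^d)^(−1) mod p.

```python
"""Textbook ElGamal over Z_p^*, following the Gen / Encrypt / Decrypt steps.

Added example, not code from the paper. p = 2579, g = 2, d = 765 are
constructed toy parameters.
"""
from secrets import randbelow


def elgamal_gen(p, g, d):
    """Gen: public key (p, g, y) with y = g^d mod p; private key d, 2 <= d <= p-2."""
    if not 2 <= d <= p - 2:
        raise ValueError("private key d must satisfy 2 <= d <= p - 2")
    if not 1 < g < p:
        raise ValueError("g must satisfy 1 < g < p")
    return (p, g, pow(g, d, p)), d


def elgamal_encrypt(public_key, m, r=None):
    """Encrypt: pick random r with 2 <= r <= p-2 and output (c, c') = (g^r, m*y^r) mod p.

    r may be passed explicitly to make a run reproducible; a fresh r is
    drawn otherwise, since the scheme is only randomized if r is fresh."""
    p, g, y = public_key
    if not 0 < m < p:
        raise ValueError("message must be an integer in [1, p-1]")
    if r is None:
        r = 2 + randbelow(p - 3)           # uniform in [2, p-2]
    elif not 2 <= r <= p - 2:
        raise ValueError("r must satisfy 2 <= r <= p - 2")
    return pow(g, r, p), (m * pow(y, r, p)) % p


def elgamal_decrypt(public_key, d, ciphertext):
    """Decrypt: m = c' * (c^d)^(-1) mod p.

    c^d = g^(r*d) = y^r is the mask the sender applied; only the holder
    of d can recompute it from c."""
    p, _, _ = public_key
    c, c_prime = ciphertext
    mask = pow(c, d, p)
    return (c_prime * pow(mask, -1, p)) % p


if __name__ == "__main__":
    public_key, private_key = elgamal_gen(2579, 2, 765)   # constructed toy parameters
    ct1 = elgamal_encrypt(public_key, 1299)
    ct2 = elgamal_encrypt(public_key, 1299)
    print("two encryptions of the same message differ:", ct1 != ct2)
    print("both decrypt to", elgamal_decrypt(public_key, private_key, ct1),
          elgamal_decrypt(public_key, private_key, ct2))
```

Encrypting the same message twice yields different ciphertexts because r is fresh each time; both still decrypt to the same plaintext.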

ElGamal's security is based on the discrete logarithm problem (DLP) and, more precisely, on the Diffie-Hellman problem (DHP). The algorithm can realize two-way identity authentication between the two parties, and effectively prevents an attacker from forging a message while pretending to be the sender. At the same time, the algorithm adds information that can trace the source of the message during the communication process, so that the receiver can effectively verify the authenticity of the message. Through this double protection of the message, the system realizes secure communication over a public channel.

2.3 The SM2 algorithm

SM2 is the Chinese standard for public-key cryptography and is an elliptic curve public-key cryptosystem (ECC). Koblitz and Miller independently proposed applying elliptic curves to public-key cryptography. The properties of the elliptic curves on which ECC is based are as follows:

  1. An elliptic curve over a finite field forms a finite abelian group under the point addition operation, and its order is comparable to the size of the underlying field.

  2. Analogous to exponentiation in the multiplicative group of a finite field, elliptic curve scalar multiplication constitutes a one-way function.

The SM2 algorithm includes a digital signature algorithm, a key exchange protocol, a public-key encryption algorithm and system parameters. The public-key encryption algorithm requires the sender to encrypt the message with the receiver's public key, and the receiver uses its private key to decrypt the received message and restore the original. The SM2 public-key encryption algorithm is designed on the basis of the generalized ElGamal encryption algorithm, but the security level of generalized ElGamal encryption is not high enough to reach IND-CCA2 security; the SM2 public-key encryption algorithm is designed to achieve IND-CCA2 security.

3 Security limitation of encryption

The adversary Eve intercepts the ciphertext sent by the sender Alice to the receiver Bob; we assume that the channel through which the plaintext is disclosed is an adversary attack channel.

A random variable M represents the message space composed of all plaintexts, \(M=\left \{ {{m_{1}}, {m_{2}}, {\cdots } , {m_{t}}} \right \}\), where \(m_{i}\) (i = 1,2,⋯,t) is a plaintext message. The information set obtained by the adversary is represented by the random variable C, composed of all the messages obtained by the adversary, that is \(\left \{ {{c_{1}}, {c_{2}}, {\cdots } , {c_{n}}} \right \}\), where \({c_{j}}\left ({j = 1, 2, {\cdots } , n}\right )\) is a ciphertext message obtained by the adversary. Accordingly, a specific PKC encryption algorithm can be regarded as a way of transforming and encoding plaintext messages so as to protect the information. The whole encryption algorithm constitutes a plaintext protection mechanism space. The method of mining and analyzing plaintext information under certain background knowledge is called a plaintext attack.

Based on this assumption, the communication framework based on Shannon information theory will be used to analyze the security limitation of the adversary in PKC under four attack scenarios: Ciphertext-only Attack, Chosen Plaintext Attack (CPA), Chosen Ciphertext Attack (CCA) and Adaptive Chosen Ciphertext Attack (CCA2). We propose several attack channel models, including Ciphertext-only Attack Channel Model, Chosen Plaintext Attack Channel Model, Chosen Ciphertext Attack Channel Model and Adaptive Chosen Ciphertext Attack Channel Model.

3.1 Ciphertext-only attack (COA) channel model and security limitation

We first assume that the adversary has no active attack capability: the adversary only observes the ciphertext through the channel, and we consider only a discrete single plaintext source. The model is defined in Figure 3.

Figure 3. COA channel model

Let the mathematical model of M be expressed as

$$\left( \begin{array}{c} M \\ P(M) \end{array} \right) = \left( \begin{array}{llllll} m_{1} & m_{2} & \cdots & m_{i} & \cdots & m_{t} \\ p(m_{1}) & p(m_{2}) & \cdots & p(m_{i}) & \cdots & p(m_{t}) \end{array} \right) $$

where \(0 \le p\left (m_{i}\right ) \le 1, {\sum }_{i = 1}^{t}p\left (m_{i}\right ) = 1\). Similarly, the mathematical model of C can be expressed as

$$\left( \begin{array}{c} C \\ P(C) \end{array} \right) = \left( \begin{array}{llllll} c_{1} & c_{2} & \cdots & c_{j} & \cdots & c_{n} \\ p(c_{1}) & p(c_{2}) & \cdots & p(c_{j}) & \cdots & p(c_{n}) \end{array} \right) $$

where \(0 \le p\left ({{c_{j}}}\right ) \le 1, {\sum }_{j = 1}^{n}p\left ({{c_{j}}}\right ) = 1\).

For this model, the plaintext entropy H(M) is defined as

$$ H\left( M\right) = - \sum\limits_{i = 1}^{t} {p\left( m_{i}\right)} {\log_{2}}p\left( m_{i}\right) $$

H(M) describes the average information content of the plaintext. The greater H(M) is, the smaller the possibility of plaintext disclosure and the stronger the ability to hide the plaintext. This value is fixed when no external conditions affect it.

When Eve acquires some ciphertext information, the conditional entropy H(M/C) can be introduced to characterize the uncertainty of the plaintext source, which is defined as

$$ H\left( {M/C}\right) = - \sum\limits_{j = 1}^{n} {\sum\limits_{i = 1}^{t} {p\left( {{m_{i}}{c_{j}}}\right)} } {\log_{2}}p\left( {{m_{i}}/{c_{j}}}\right) $$

The conditional entropy denotes the uncertainty about the plaintext M that remains after receiving C. This uncertainty is caused by the interference (plaintext protection) between Alice's ciphertext transmission channel and Eve's attack channel; that is, during long-term observation of the plaintext source, some information remains unknown because of the public-key encryption mechanism protecting the plaintext. It is easy to prove that this plaintext information entropy satisfies the basic properties of Shannon source entropy: non-negativity, symmetry, extensibility, certainty, additivity, the extremum property, upper convexity, etc., and that it satisfies the maximum discrete entropy theorem. We do not repeat these proofs here.

In this paper, we introduce ciphertext average mutual information I(M;C) to describe the degree of plaintext leakage on the channel, which is defined as

$$ I\left( {M{\text{;}}C}\right) = \sum\limits_{j = 1}^{n} {\sum\limits_{i = 1}^{t} {p\left( {{m_{i}}{c_{j}}}\right)} } {\log_{2}}\frac{{p\left( {{m_{i}}/{c_{j}}}\right)}}{{p\left( m_{i}\right)}} $$

\(I\left ({M{\text {;}}C}\right )\) represents the average mutual information between the plaintext M and the ciphertext C, that is, the amount of plaintext information on the attack channel. It can describe the degree to which the adversary acquires the plaintext information from the ciphertext as a whole, so it can be used as a security measure for the disclosure of plaintext. Therefore, the maximum extent of plaintext leakage is the maximum value of the average mutual information between M and C, that is \({I_{MAX}}\left ({M{\text {;}}C} \right )\). In this case, the security limitation of PKE under ciphertext-only attack model is the lowest.

3.2 Chosen plaintext attack (CPA) channel model and security limitation

The information entropy model of the ciphertext-only attack proposed in the previous section objectively describes the problem of ciphertext measurement when the adversary has no attack capability. In real systems, the adversary can often analyze the ciphertext with some background knowledge. For example, in the Chosen Plaintext Attack, the adversary not only has known plaintext-ciphertext pairs, but can also choose the plaintext to be encrypted and obtain the corresponding ciphertext. In this case, the adversary can choose specific blocks of plaintext data to encrypt, and compare the plaintext with the corresponding ciphertext to find more information related to the key. The model is defined in Figure 4.

Figure 4. CPA channel model

In this model, Z represents the knowledge space of the plaintext-ciphertexts pair known to the adversary, and its mathematical model can also be defined as

$$ \left( \begin{array}{c} Z \\ P(Z) \end{array} \right) = \left( \begin{array}{llllll} z_{1} & z_{2} & \cdots & z_{k} & \cdots & z_{l} \\ p(z_{1}) & p(z_{2}) & \cdots & p(z_{k}) & \cdots & p(z_{l}) \end{array} \right), \quad 0 \le p(z_{k}) \le 1, \quad \sum\limits_{k = 1}^{l} p(z_{k}) = 1 $$

The adversary can use the plaintext-ciphertext pairs Z to enhance the attack on the plaintext. For the attacker, he can combine the ciphertext message \(C^{\prime }(C^{\prime } \in C)\) through the selected plaintext and the plaintext-ciphertext pairs Z to attack, introducing the attack conditional entropy:

$$ H(M/CZ) = - \sum\limits_{j = 1}^{n} {\sum\limits_{i = 1}^{t} {\sum\limits_{k = 1}^{l} {p({m_{i}}{c_{j}}{z_{k}})} } } {\log_{2}}p({m_{i}}/{c_{j}}{z_{k}}) $$

The H(M/CZ) reflects the uncertainty about M that still exists after the adversary selects the ciphertext message C and the plaintext-ciphertext pairs Z, which can actually be used as the uncertainty of the plaintext under a certain attack method. Similarly, the attack average mutual information is further defined as:

$$ I(M;C/Z) = \sum\limits_{j = 1}^{n} \sum\limits_{i = 1}^{t} \sum\limits_{k = 1}^{l} p(m_{i} c_{j} z_{k}) \log_{2} \frac{p(m_{i} z_{k}/c_{j})}{p(m_{i}/z_{k})\, p(c_{j}/z_{k})} $$

I(M;C/Z) reflects the average mutual information between C and M under the condition of Z, that is, the adversary obtains the amount of plaintext information, and also describes the degree of plaintext leakage under the attack with plaintext-ciphertext pairs. Therefore, the maximum extent of plaintext leakage is the maximum value of the average mutual information between the M and the C, that is \({I_{{\max \nolimits } }}(M;C/Z)\). In this case, the security limitation of PKE system under CPA model is the lowest.

3.3 Chosen ciphertext attack (CCA) channel model and security limitation

IND-CCA security is defined by a game whose participants are an attacker and a challenger. The attacker selects two plaintexts M and N, and the challenger randomly selects one of them and encrypts it to produce the ciphertext C. At any time before the game ends, the attacker can make queries to the challenger, including hash function queries and decryption queries on ciphertexts of its choice, except that the attacker may not query C itself. When the attacker decides to end the game, it must report to the challenger which plaintext (M or N) it believes C corresponds to, and the attacker wins the game if its answer is exactly the plaintext chosen by the challenger.

The attacker selects ciphertexts and obtains the decryption service, which returns the corresponding plaintexts. Once the target ciphertext has been obtained, the decryption service stops immediately. If the attacker can obtain information about the secret plaintext from the target ciphertext, the attack is said to have succeeded; the attacker expects the plaintext-ciphertext pairs to reduce the security of the PKC.

Obviously, CCA is a more powerful attack model than CPA. The model definition is shown in Figure 5.

Figure 5. CCA channel model

In this model, the adversary obtains decryption results by querying the decryption oracle; \(Z^{\prime }\) and \(Z^{\prime \prime }\) represent the knowledge spaces of plaintext-ciphertext pairs obtained in the first and second rounds of oracle queries in the training stage. The mathematical model can also be defined as

$$ \left( \begin{array}{c} Z^{\prime} \\ P(Z^{\prime}) \end{array} \right) = \left( \begin{array}{llllll} z^{\prime}_{1} & z^{\prime}_{2} & \cdots & z^{\prime}_{k^{\prime}} & \cdots & z^{\prime}_{l^{\prime}} \\ p(z^{\prime}_{1}) & p(z^{\prime}_{2}) & \cdots & p(z^{\prime}_{k^{\prime}}) & \cdots & p(z^{\prime}_{l^{\prime}}) \end{array} \right) $$

where \(0 \le p({z^{\prime }_{k^{\prime }}}) \le 1, \sum \nolimits _{k^{\prime } = 1}^{l^{\prime }} {p({{z^{\prime }}_{k^{\prime }}})} = 1\).

$$ \left( \begin{array}{c} Z^{\prime\prime} \\ P(Z^{\prime\prime}) \end{array} \right) = \left( \begin{array}{llllll} z^{\prime\prime}_{1} & z^{\prime\prime}_{2} & \cdots & z^{\prime\prime}_{k^{\prime\prime}} & \cdots & z^{\prime\prime}_{l^{\prime\prime}} \\ p(z^{\prime\prime}_{1}) & p(z^{\prime\prime}_{2}) & \cdots & p(z^{\prime\prime}_{k^{\prime\prime}}) & \cdots & p(z^{\prime\prime}_{l^{\prime\prime}}) \end{array} \right) $$

where \(0 \le p({z^{\prime \prime }_{k^{\prime \prime }}}) \le 1, \sum \nolimits _{k^{\prime \prime } = 1}^{l^{\prime \prime }} {p({{z^{\prime \prime }}_{k^{\prime \prime }}})} = 1\).

The adversary can use the plaintext-ciphertext pairs \(Z^{\prime }\) and \(Z^{\prime \prime }\) to enhance the attack on the plaintext. The attacker can combine the selected ciphertext message \(C^{\prime }(C^{\prime } \in C)\) with the plaintext-ciphertext pairs \(Z^{\prime }\) and \(Z^{\prime \prime }\) to attack, introducing the attack conditional entropy:

$$ H(M/CZ^{\prime}Z^{\prime\prime}) = - \sum\limits_{i = 1}^{t} \sum\limits_{j = 1}^{n} \sum\limits_{k^{\prime} = 1}^{l^{\prime}} \sum\limits_{k^{\prime\prime} = 1}^{l^{\prime\prime}} p(m_{i} c_{j} z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}}) \log_{2} p(m_{i}/c_{j} z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}}) $$

\(H(M/CZ^{\prime }Z^{\prime \prime })\) reflects the uncertainty about M that still exists after the adversary selects the ciphertext message \(C^{\prime }\) and the plaintext-ciphertext pairs \(Z^{\prime }\) and \(Z^{\prime \prime }\), which can be used as the uncertainty of the plaintext under this attack method. Similarly, the attack average mutual information is further defined as:

$$ I(M;C/Z^{\prime}Z^{\prime\prime}) = \sum\limits_{i = 1}^{t} \sum\limits_{j = 1}^{n} \sum\limits_{k^{\prime} = 1}^{l^{\prime}} \sum\limits_{k^{\prime\prime} = 1}^{l^{\prime\prime}} p(m_{i} c_{j} z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}}) \log_{2} \frac{p(m_{i} z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}}/c_{j})}{p(m_{i}/z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}})\, p(c_{j}/z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}})} $$

\(I(M;C/Z^{\prime }Z^{\prime \prime })\) reflects the average mutual information between C and M under the condition of \(Z^{\prime }\) and \(Z^{\prime \prime }\), that is, the amount of plaintext information obtained by the adversary, and also describes the degree of plaintext leakage under the attack with plaintext-ciphertext pairs. Therefore, the maximum extent of plaintext leakage is the maximum value of the average mutual information between M and C, that is, \({I_{{\max \nolimits } }}(M;C/Z^{\prime }Z^{\prime \prime })\).

As the number of queries increases (polynomially many queries), the average mutual information between M and C can be expressed as

$$ \begin{array}{@{}rcl@{}} I(M;C/Z^{\prime}Z^{\prime\prime} \cdots Z^{(n)}) &=& \sum\limits_{i = 1}^{t} \sum\limits_{j = 1}^{n} \sum\limits_{k^{\prime} = 1}^{l^{\prime}} \sum\limits_{k^{\prime\prime} = 1}^{l^{\prime\prime}} \cdots \sum\limits_{k^{(n)} = 1}^{l^{(n)}} p(m_{i} c_{j} z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}} \cdots z^{(n)}_{k^{(n)}}) \\ && \times \log_{2} \frac{p(m_{i} z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}} \cdots z^{(n)}_{k^{(n)}}/c_{j})}{p(m_{i}/z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}} \cdots z^{(n)}_{k^{(n)}})\, p(c_{j}/z^{\prime}_{k^{\prime}} z^{\prime\prime}_{k^{\prime\prime}} \cdots z^{(n)}_{k^{(n)}})} \end{array} $$

That is, the maximum amount of plaintext information obtained by the adversary satisfies \({I_{{\max \nolimits } }}(M;C/Z^{\prime }Z^{\prime \prime } {\cdots } {Z^{\left (n\right )}}) > {I_{{\max \nolimits } }}(M;C/Z^{\prime }Z^{\prime \prime })\): the adversary has increased the amount of plaintext information obtained, but not to the whole of the plaintext information, that is \(M^{\prime }M^{\prime \prime } < M^{\prime }M^{\prime \prime } {\cdots } {M^{\left (n\right )}} < M\).
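As an added example that is not part of the paper, the following Python code computes the quantities defined in Sections 3.1 to 3.3 exactly from an enumerated joint distribution: H(M), H(M/C), I(M;C), and the conditional mutual information I(M;C/Z), where Z may be a tuple of any number of side-information variables, so the Z′Z″⋯ case of this section is covered by the same function. The channel it evaluates is a constructed toy: a shift cipher c = (m + k) mod 4, a four-symbol plaintext source, three constructed key distributions, and side information Z consisting of one plaintext-ciphertext pair encrypted under the same key. These are Shannon measures, so they quantify what an unbounded observer could learn from the channel, not the computational cost of learning it.

```python
"""Attack-channel leakage metrics of Sections 3.1-3.3, computed exactly.

Added example, not from the paper. The cipher, alphabet, plaintext source,
key distributions and side information below are all constructed toy choices.
"""
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy in bits of a distribution given as {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(joint, idx):
    """Marginalise a joint distribution {tuple: prob} onto the coordinates in idx."""
    out = {}
    for outcome, p in joint.items():
        key = tuple(outcome[i] for i in idx)
        out[key] = out.get(key, 0.0) + p
    return out


def conditional_entropy(joint, x_idx, cond_idx=()):
    """H(X/Y) = H(XY) - H(Y); with an empty condition this is plain H(X)."""
    return entropy(marginal(joint, x_idx + cond_idx)) - entropy(marginal(joint, cond_idx))


def mutual_information(joint, x_idx, y_idx, cond_idx=()):
    """I(X;Y/Z) = H(X/Z) - H(X/YZ); Z may hold several variables (Z'Z''...),
    and with an empty Z this is the I(M;C) of the ciphertext-only model."""
    return (conditional_entropy(joint, x_idx, cond_idx)
            - conditional_entropy(joint, x_idx, y_idx + cond_idx))


# --- constructed toy attack channel --------------------------------------------
N = 4                                            # plaintext/ciphertext alphabet Z_4
P_M = {0: 0.5, 1: 0.25, 2: 0.125, 3: 0.125}      # plaintext source, H(M) = 1.75 bits
P_M2 = {m: 1 / N for m in range(N)}              # a second plaintext the adversary knows
UNIFORM_KEY = {k: 1 / N for k in range(N)}       # one-time-pad style key
BIASED_KEY = {0: 0.7, 1: 0.1, 2: 0.1, 3: 0.1}    # poorly generated key
FIXED_KEY = {1: 1.0}                             # deterministic encryption (same key always)
M, C, Z = (0,), (1,), (2,)                       # coordinate indices in the joint tuple


def build_joint(p_key):
    """Joint distribution of (m, c, z) where c = m + k mod N and
    z = (m2, m2 + k mod N) is a plaintext-ciphertext pair under the same key."""
    joint = {}
    for (m, pm), (k, pk), (m2, pm2) in product(P_M.items(), p_key.items(), P_M2.items()):
        outcome = (m, (m + k) % N, (m2, (m2 + k) % N))
        joint[outcome] = joint.get(outcome, 0.0) + pm * pk * pm2
    return joint


def leakage_report(p_key):
    """Return (H(M), H(M/C), I(M;C), I(M;C/Z)) for the given key distribution."""
    joint = build_joint(p_key)
    return (conditional_entropy(joint, M),
            conditional_entropy(joint, M, C),
            mutual_information(joint, M, C),
            mutual_information(joint, M, C, Z))


if __name__ == "__main__":
    for name, p_key in (("uniform key", UNIFORM_KEY), ("biased key", BIASED_KEY),
                        ("fixed key", FIXED_KEY)):
        h_m, h_mc, i_mc, i_mcz = leakage_report(p_key)
        print(f"{name:12s} H(M)={h_m:.3f} H(M/C)={h_mc:.3f} "
              f"I(M;C)={i_mc:.3f} I(M;C/Z)={i_mcz:.3f}")
```

With a uniform fresh key, I(M;C) is 0 while I(M;C/Z) equals H(M) = 1.75 bits: one known pair under a reused key moves the channel from the ciphertext-only limit to full leakage, which is the effect the conditional quantities of Sections 3.2 and 3.3 are meant to capture. With a fixed key (deterministic encryption) the ciphertext alone already leaks H(M), and a biased key sits between the two.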

3.4 Adaptive chosen ciphertext attack (CCA2) channel model and security limitation

In CCA2, the attacker can always obtain decryption service, except for decrypting the target ciphertext. The rules of the IND-CCA2 game are as follows: the adversary first asks the challenger for decryption (possibly repeatedly), that is, sends a ciphertext c to the challenger, who decrypts it and gives the plaintext to the adversary. Then the adversary chooses two plaintexts m0 and m1; the challenger chooses one of them at random, with the random bit b ∈ {0,1}, and encrypts it to obtain the ciphertext cb. Next, the adversary can again make decryption queries to the challenger (multiple times), that is, send a ciphertext c \(\left( c \ne c_{b} \right)\) to the challenger, who decrypts it and returns the plaintext to the adversary. Finally, the adversary outputs a guess \(b^{\prime}\); if the guess equals the bit b chosen by the challenger, the adversary succeeds.

Obviously, CCA2 is a more powerful attack model than CCA. The model definition is shown in Figure 6.

Figure 6: CCA2 channel model

In this model, the adversary has obtained decryption results by querying the decryption oracle (the challenger). Z and R respectively represent the knowledge spaces of plaintext-ciphertext pairs obtained from the first and second stages of training, where \(Z = \{ f(C^{\prime}), C^{\prime}\}\), \(R = \{ f(C^{\prime\prime}), C^{\prime\prime}\}\); \(C^{\prime} \in C\) represents the ciphertext chosen in the first training stage, with corresponding plaintext \(m^{\prime} = f(C^{\prime})\), and \(C^{\prime\prime} \in C\) represents the ciphertext chosen in the second training stage, with corresponding plaintext \(m^{\prime\prime} = f(C^{\prime\prime})\). The mathematical model can also be defined as

$$ \left( \begin{array}{l} Z\\ P(Z) \end{array}\right) = \left( \begin{array}{llllll} z_{1} & z_{2} & \cdots & z_{k_{1}} & \cdots & z_{l_{1}}\\ p(z_{1}) & p(z_{2}) & \cdots & p(z_{k_{1}}) & \cdots & p(z_{l_{1}}) \end{array}\right) $$

where \(0 \le p(z_{k_{1}}) \le 1\), \(\sum_{k_{1} = 1}^{l_{1}} p(z_{k_{1}}) = 1\).

$$ \left( \begin{array}{l} R\\ P(R) \end{array}\right) = \left( \begin{array}{llllll} r_{1} & r_{2} & \cdots & r_{k_{2}} & \cdots & r_{l_{2}}\\ p(r_{1}) & p(r_{2}) & \cdots & p(r_{k_{2}}) & \cdots & p(r_{l_{2}}) \end{array}\right) $$

where \(0 \le p(r_{k_{2}}) \le 1\), \(\sum_{k_{2} = 1}^{l_{2}} p(r_{k_{2}}) = 1\).

The adversary can use the plaintext-ciphertext pairs Z and R to strengthen the attack on the plaintext. The attacker can combine the chosen ciphertext messages \(C^{\prime}\) and \(C^{\prime\prime}\) with the plaintext-ciphertext pairs Z and R to attack, introducing the attack conditional entropy:

$$ H\left( M/CZR \right) = - \sum\limits_{i = 1}^{t} \sum\limits_{j = 1}^{n} \sum\limits_{k_{1} = 1}^{l_{1}} \sum\limits_{k_{2} = 1}^{l_{2}} p\left( m_{i} c_{j} z_{k_{1}} r_{k_{2}} \right) \log_{2} p\left( m_{i} / c_{j} z_{k_{1}} r_{k_{2}} \right) $$

\(H\left( M/CZR \right)\) reflects the uncertainty about M that still exists after the adversary has chosen the ciphertext message C and obtained the plaintext-ciphertext pairs Z and R; it can actually be used as the uncertainty of the plaintext under a given attack method. Similarly, the attack average mutual information is further defined as:

$$ I(M;C/ZR) = \sum\limits_{i = 1}^{t} \sum\limits_{j = 1}^{n} \sum\limits_{k_{1} = 1}^{l_{1}} \sum\limits_{k_{2} = 1}^{l_{2}} p\left( m_{i} c_{j} z_{k_{1}} r_{k_{2}} \right) \log_{2}\frac{p\left( m_{i} z_{k_{1}} r_{k_{2}} / c_{j} \right)}{p\left( m_{i} / z_{k_{1}} r_{k_{2}} \right) p\left( c_{j} / z_{k_{1}} r_{k_{2}} \right)} $$

\(I\left( M;C/ZR \right)\) reflects the average mutual information between C and M under the condition of Z and R, that is, the amount of plaintext information obtained by the adversary, and also describes the degree of plaintext leakage under the attack with plaintext-ciphertext pairs. Therefore, the maximum extent of plaintext leakage is the maximum value of the average mutual information between M and C, that is, \(I_{\max}\left( M;C/ZR \right)\). In this case, the security limitation of the PKE system is the lowest after the two inquiry stages of the CCA2 model. As the number of interrogations in the two training stages increases, the amount of plaintext information obtained by the adversary increases gradually, and the PKE security limitation decreases gradually.

Theorem 1

If a PKC satisfies COA-, CPA-, CCA- and CCA2-security separately, then the security factors of the four models are ordered as follows:

$$ {\text{Secure}_{COA}} < {\text{Secure}_{CPA}} < {\text{Secure}_{CCA}} < {\text{Secure}_{CCA2}} $$

Proof

In the COA, CPA, CCA and CCA2 security models, the knowledge background of the adversary increases in turn, that is

$$ \text{Know}_{COA} < \text{Know}_{CPA} < \text{Know}_{CCA} < \text{Know}_{CCA2} $$

Hence

$$ {I_{\max }}\left( {M;C}\right) < {I_{\max }}\left( {M;C/Z}\right) < {I_{\max }}\left( {M;C/Z^{\prime}Z^{\prime\prime} {\cdots} {Z^{\left( n\right)}}}\right) < {I_{\max }}\left( {M;C/ZR}\right) $$

Therefore, the ability of the adversary to successfully break the PKE increases exponentially under these four models; but if the adversary does not break the PKC, the security factor of CCA2 is the highest and that of COA is the lowest, and the security factors of the four models are ordered as follows:

$$ {\text{Secure}_{COA}} < {\text{Secure}_{CPA}} < {\text{Secure}_{CCA}} < {\text{Secure}_{CCA2}} $$

4 Security limitation of signature

According to the PKC model, we consider the man-in-the-middle attack of digital signature, and define two types of adversary:

Type I adversary attack:

The adversary has obtained the private key of Alice through a man-in-the-middle attack and can forge signed messages.

Type II adversary attack:

The adversary has the public key of Alice, intercepts Alice's signature and forges a signed message that differs from the true signature of the sender.

4.1 Direct forgery attack channel model and security limitation

The process of the type I adversary attack is as follows: the adversary forges a signature as Alice and sends the signed message to Bob, and Bob does not know that the message is forged. We define the attack channel model as shown in Figure 7, where M represents the signature and its message, and S represents the message signed by the adversary which Bob receives.

Figure 7: Type I attack channel model

Assume the mathematical model of M is expressed as

$$ \left( \begin{array}{l} M\\ P\left( M\right) \end{array}\right) = \left( \begin{array}{llllll} m_{1} & m_{2} & \cdots & m_{i} & \cdots & m_{t}\\ p\left( m_{1}\right) & p\left( m_{2}\right) & \cdots & p\left( m_{i}\right) & \cdots & p\left( m_{t}\right) \end{array}\right) $$

where \(0 \le p\left (m_{i}\right ) \le 1\), \(\sum \limits _{i = 1}^{t} {p\left (m_{i}\right ) = 1} \). Similarly, the mathematical model of S can be expressed as

$$ \left( \begin{array}{l} S\\ P\left( S\right) \end{array}\right) = \left( \begin{array}{llllll} s_{1} & s_{2} & \cdots & s_{j} & \cdots & s_{n}\\ p\left( s_{1}\right) & p\left( s_{2}\right) & \cdots & p\left( s_{j}\right) & \cdots & p\left( s_{n}\right) \end{array}\right) $$

where \(0 \le p\left (s_{j}\right ) \le 1\), \(\sum \limits _{j = 1}^{n} {p\left (s_{j}\right ) = 1} \).

For this model, the source entropy H(M) is defined as

$$ H\left( M\right) = - \sum\limits_{i = 1}^{t} {p\left( m_{i}\right){{\log }_{2}}p\left( m_{i}\right)} $$

H(M) is used to describe the average mutual information of M, which is also the uncertainty of the source.

When Bob acquires a signature message, the conditional entropy H(M/S) is introduced to characterize the uncertainty of the source, which is defined as

$$ H\left( M/S \right) = - \sum\limits_{j = 1}^{n} \sum\limits_{i = 1}^{t} p\left( m_{i} s_{j} \right) \log_{2} p\left( m_{i} / s_{j} \right) $$

The conditional entropy indicates the uncertainty about the source M that still exists after Bob receives S. This uncertainty is due to Bob's trust in the signature of the message. It can actually be regarded as the uncertainty of M under some attack.

A forgery-attack average mutual information I(M;S) is introduced below to describe the forgery information metric transmitted over the channel; it is defined as

$$ I\left( {M;S}\right) = \sum\limits_{j = 1}^{n} {\sum\limits_{i = 1}^{t} {p\left( m_{i}s_{j}\right){{\log }_{2}}\frac{{p\left( {{m_{i}}/{s_{j}}}\right)}}{{p\left( m_{i}\right)}}} } $$

\(I\left( M;S \right)\) reflects the average mutual information exchanged between M and S, that is, the amount of forged information on the attack channel. It precisely describes the degree to which Bob acquires forged information from the whole received signature message, so it can be used as an insecurity measure of an adversary successfully attacking Bob. Therefore, the maximum degree of a successful attack is the maximum of the average mutual information between M and S, that is, \(I_{\max}\left( M;S \right)\). In this case, the PKE digital signature security limitation reaches its minimum.

4.2 Tampering attack channel model and security limitation

The process of the type II adversary attack is as follows: the adversary intercepts the signed message sent by Alice, tampers with the message and forges a signature \(S^{\prime}\), and sends the signed message to Bob, who at this point does not know whether the message has been tampered with. Next, we define the attack channel model of the adversary as shown in Figure 8. We define the interaction between Alice and Bob as the series channel, the interaction between Alice and Eve as the class I channel, and the interaction between Eve and Bob as the class II channel, where M represents the signature of Alice and its message, S denotes the signature and message intercepted by the adversary, and \(S^{\prime}\) denotes the adversary's signature and message that Bob receives.

Figure 8: Type II attack channel model

Assume the mathematical model of M is expressed as

$$ \left( \begin{array}{l} M\\ P\left( M\right) \end{array}\right) = \left( \begin{array}{llllll} m_{1} & m_{2} & \cdots & m_{i} & \cdots & m_{t}\\ p\left( m_{1}\right) & p\left( m_{2}\right) & \cdots & p\left( m_{i}\right) & \cdots & p\left( m_{t}\right) \end{array}\right) $$

where \(0 \le p\left( m_{i}\right) \le 1\), \(\sum\limits_{i = 1}^{t} p\left( m_{i}\right) = 1\). Similarly, the mathematical model of S can be expressed as

$$ \left( \begin{array}{l} S\\ P\left( S\right) \end{array}\right) = \left( \begin{array}{llllll} s_{1} & s_{2} & \cdots & s_{j} & \cdots & s_{n}\\ p\left( s_{1}\right) & p\left( s_{2}\right) & \cdots & p\left( s_{j}\right) & \cdots & p\left( s_{n}\right) \end{array}\right) $$

where \(0 \le p\left (s_{j}\right ) \le 1\), \(\sum \limits _{j = 1}^{n} {p\left (s_{j}\right ) = 1}\). Similarly, the mathematical model of \(S^{\prime }\) can be expressed as

$$ \left( \begin{array}{l} S^{\prime}\\ P\left( S^{\prime}\right) \end{array}\right) = \left( \begin{array}{llllll} s^{\prime}_{1} & s^{\prime}_{2} & \cdots & s^{\prime}_{k} & \cdots & s^{\prime}_{l}\\ p\left( s^{\prime}_{1}\right) & p\left( s^{\prime}_{2}\right) & \cdots & p\left( s^{\prime}_{k}\right) & \cdots & p\left( s^{\prime}_{l}\right) \end{array}\right) $$

where \(0 \le p\left ({{{s^{\prime }}_{k}}}\right ) \le 1\), \(\sum \limits _{k = 1}^{l} {p\left ({{{s^{\prime }}_{k}}}\right ) = 1} \).

For the series channel, similarly to Section 4.1, the average mutual information \(I\left( M;S^{\prime} \right)\) is introduced to describe the amount of information transmitted over the series channel; it is defined as

$$ I\left( {M;S^{\prime}}\right) = \sum\limits_{k = 1}^{l} {\sum\limits_{i = 1}^{t} {p\left( m_{i}s^{\prime}_{k}\right){{\log }_{2}}\frac{{p\left( {{m_{i}}/{{s^{\prime}}_{k}}} \right)}}{{p\left( m_{i}\right)}}} } $$

\(I\left( M;S^{\prime} \right)\) represents the average mutual information between M and \(S^{\prime}\), that is, the amount of information transmitted on the series channel. It describes the degree to which Bob obtains M from the received signature message, so it can represent the security of the series channel. Its security limitation is therefore the maximum of the average mutual information between M and \(S^{\prime}\), that is, \(I_{\max}\left( M;S^{\prime} \right)\). In this case, the security limitation of the PKE digital signature reaches its maximum.

Similarly, for the class I channel and the class II channel, we define separately

$$ I\left( {M;S}\right) = \sum\limits_{j = 1}^{n} {\sum\limits_{i = 1}^{t} {p\left( m_{i}s_{j}\right){{\log }_{2}}\frac{{p\left( {{m_{i}}/{s_{j}}}\right)}}{{p\left( m_{i}\right)}}} } $$
$$ I\left( {S;S^{\prime}}\right) = \sum\limits_{k = 1}^{l} {\sum\limits_{j = 1}^{n} {p\left( {{s_{j}}{{s^{\prime}}_{k}}}\right){{\log }_{2}}\frac{{p\left( {{s_{j}}/{{s^{\prime}}_{k}}} \right)}}{{p\left( s_{j}\right)}}} } $$

\(I\left( M;S \right)\) is the average amount of information between M and S, which shows the degree to which the adversary has acquired M. \(I\left( S;S^{\prime} \right)\) is the average amount of information between S and \(S^{\prime}\), which shows the amount of information tampered with by the adversary that Bob acquires, that is, the measure of a successful attack by the adversary. Therefore, it can be used to express the degree of insecurity of the class II channel, whose limitation is \(I_{\max}\left( S;S^{\prime} \right)\).

Lemma 1

(Data processing theorem) As the number of processing stages increases, the average mutual information between the input message and the output message can only decrease or stay the same.

$$ \begin{array}{@{}rcl@{}} I\left( {X;Z}\right) &\le& I\left( {X;Y}\right)\\ I\left( {X;Z}\right) &\le& I\left( {Y;Z}\right) \end{array} $$

It is assumed that X and Z are conditionally independent given Y, that is, X, Y and Z form a Markov chain.

In this model, the data processing system of the adversary Eve is regarded as the class II channel, and the series channel is formed from the class I channel and the class II channel, so the input and output messages of the sender and receiver can be quantitatively compared by the data processing theorem. Theorem 2 follows from Lemma 1.

Theorem 2

When the signed message of Alice is tampered with by the adversary Eve, the average mutual information between the input and output messages of the series channel does not exceed the average mutual information between the input and output messages of the class I channel, and it does not exceed the average mutual information between the input and output messages of the class II channel. So the following inequalities hold:

$$ \begin{array}{@{}rcl@{}} I\left( M;S^{\prime} \right) &\le& I\left( M;S \right)\\ I\left( M;S^{\prime} \right) &\le& I\left( S;S^{\prime} \right) \end{array} $$

From the above inequalities we have

$$ {I_{\max }}\left( {M;S^{\prime}}\right) \le {I_{\max }}\left( {S;S^{\prime}}\right) $$

That is, the security limitation of the series channel is less than or equal to that of the class II channel, where \(I_{\max}\left( S;S^{\prime} \right)\) represents the insecurity limitation of the class II channel and \(I_{\max}\left( M;S^{\prime} \right)\) represents the security limitation of the series channel.
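As an added numerical example (not from the paper), the following Python evaluates the quantities of Sections 4.1 and 4.2, H(M), H(M/S), I(M;S), I(S;S') and I(M;S'), on a constructed binary instance of the series channel M → S → S' and checks Theorem 2 and the bound \(I_{\max}(M;S^{\prime}) \le I_{\max}(S;S^{\prime})\). The channel probabilities, the grid-search `limitation` helper and all function names are assumptions made for the example.

```python
import math

# Added example, not from the paper: a constructed binary instance of the
# Section 4.2 channel model.  M is Alice's signed message, S is what Eve
# intercepts (class I channel M -> S) and S' is what Bob finally receives
# (class II channel S -> S').  A channel is a dict p[input][output].
CLASS_I = {0: {0: 0.9, 1: 0.1}, 1: {0: 0.1, 1: 0.9}}   # Eve intercepts M with 10% error (constructed)
CLASS_II = {0: {0: 0.7, 1: 0.3}, 1: {0: 0.3, 1: 0.7}}  # Eve tampers with 30% of messages (constructed)
P_M = {0: 0.5, 1: 0.5}                                 # source distribution of M (constructed)


def compose(first, second):
    """Series channel X -> Z from chaining X -> Y and Y -> Z.  X and Z are
    conditionally independent given Y, the Markov-chain hypothesis of Lemma 1."""
    outputs = next(iter(second.values()))
    return {x: {z: sum(first[x][y] * second[y][z] for y in second) for z in outputs}
            for x in first}


def joint(p_in, channel):
    """Joint distribution p(x, y) = p(x) p(y/x) of a channel's input and output."""
    return {(x, y): p_in[x] * channel[x][y] for x in p_in for y in channel[x]}


def entropy(p):
    """Source entropy H(X) = -sum p(x) log2 p(x), the paper's H(M)."""
    return -sum(v * math.log2(v) for v in p.values() if v > 0)


def conditional_entropy(p_xy):
    """H(X/Y) = -sum p(x,y) log2 p(x/y): uncertainty about X left after Y is received."""
    p_y = {}
    for (_, y), p in p_xy.items():
        p_y[y] = p_y.get(y, 0.0) + p
    return -sum(p * math.log2(p / p_y[y]) for (_, y), p in p_xy.items() if p > 0)


def mutual_information(p_xy):
    """Average mutual information I(X;Y) = sum p(x,y) log2( p(x/y) / p(x) ),
    the form the paper uses for I(M;S), I(S;S') and I(M;S')."""
    p_x, p_y = {}, {}
    for (x, y), p in p_xy.items():
        p_x[x] = p_x.get(x, 0.0) + p
        p_y[y] = p_y.get(y, 0.0) + p
    return sum(p * math.log2((p / p_y[y]) / p_x[x]) for (x, y), p in p_xy.items() if p > 0)


def limitation(channel, steps=1000):
    """The paper's I_max of a channel: maximise I(input; output) over the binary
    input distribution.  Done here by a grid search over q = P(input = 1)."""
    return max(mutual_information(joint({0: 1 - q, 1: q}, channel))
               for q in (k / steps for k in range(steps + 1)))


def series_channel_check(p_m=P_M, class_i=CLASS_I, class_ii=CLASS_II):
    """Compute I(M;S), I(S;S') and I(M;S'), verify Theorem 2 (data processing
    inequality) and return them together with the two I_max limitations."""
    series = compose(class_i, class_ii)                                   # M -> S'
    p_s = {s: sum(p_m[m] * class_i[m][s] for m in p_m) for s in class_ii}  # distribution of S
    i_ms = mutual_information(joint(p_m, class_i))    # class I channel
    i_ssp = mutual_information(joint(p_s, class_ii))  # class II channel
    i_msp = mutual_information(joint(p_m, series))    # series channel
    assert i_msp <= i_ms + 1e-12 and i_msp <= i_ssp + 1e-12   # Theorem 2
    return {
        "I(M;S)": i_ms,
        "I(S;S')": i_ssp,
        "I(M;S')": i_msp,
        "Imax(M;S')": limitation(series),    # security limitation of the series channel
        "Imax(S;S')": limitation(class_ii),  # insecurity limitation of the class II channel
    }


if __name__ == "__main__":
    for name, value in series_channel_check().items():
        print(f"{name:12s} = {value:.4f} bit")
```

With these constructed channels the series channel is a binary symmetric channel with crossover 0.34, so all three mutual informations are of the form 1 - h(p) and the two I_max values coincide with the uniform-input values.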

5 Discussion of secure limitation

This paper analyses the security of Public-key Cryptography in the smart card environment. We establish mathematical models of public key encryption and public key signature respectively and model the adversary's attack on Public-key Cryptography as a communication process, then describe the attack ability of the attacker and analyze the security limitation of the Public-key Cryptography using information theory, namely the average mutual information and conditional mutual information.

This work only considers the insecurity limitation from the perspective of the adversary, although the value of the insecurity limitation may also equal the value of the security limitation from the viewpoint of the communicating parties. The insecurity limitation is the bound on the attack ability of an adversary, which is the point at which the communicating parties need to defend the cryptosystem. Thus, the value of the security limitation, denoted by D, for the communicating parties and the insecurity limitation, denoted by C, for adversaries are the key factors that show the security of the whole cryptosystem. If C < D, then the cryptosystem is insecure; however, if C ≥ D, then the cryptosystem is secure. Therefore, we can also convert the security problem of Public-key Cryptography into the defence channel capacity of the communicating parties, where the maximum value of the average mutual information is the security limitation of a Public-key Cryptography scheme; this will be an important research issue.

The proposed method of security limitation provides a naive solution to the security bound problem of a Public-key Cryptography system, and it is also applicable to other attack and defence systems.

6 Conclusion

Aiming at the security problem of Public-key Cryptography on smart cards, we introduced a naive notion of security for Public-key Encryption called the insecurity limitation, which is a bound with respect to an adversary attacking the Public-key Cryptography system; the value of the insecurity limitation is also a bound with respect to the communicating parties securely guarding their cryptosystem. Based on the relevant knowledge of information theory, the key point of this paper is to treat the process of the adversary's attack on Public-key Cryptography as a communication model. We give a quantification method for Public-key Cryptography under different attack models by defining the source, the sink and the channel, and introduce the concepts of information entropy, conditional entropy, average mutual information and conditional mutual information. Although this paper only gives a basic model of the Public-key Cryptography security limitation, it establishes a feasible foundation for solving the quantification problem of the Public-key Cryptography security limitation, and we believe that, supported by related results in information theory, this research can be developed further. In particular, the Public-key Cryptography security limitation under more complex multi-adversary attacks, and its study by means of generalized information theory and fuzzy information theory, are feasible directions for further research.