With the introduction of the action plan for the development of trusted data space, advancing the transaction and circulation of data elements has become a national strategy. As the core technology and fundamental support of network security, cryptographic technology possesses the characteristics of confidentiality, integrity, authenticity and non-repudiation, which strongly supports data security in trusted data space. Focusing on the scenario of data element circulation, this paper constructs a commercial cryptography security assurance system from three dimensions of technology empowerment, standard alignment and management synergy. By sorting out the security application requirements in the whole life cycle of data, this paper proposes a layered and decoupled cryptographic application framework, establishes a standard system covering general basic specifications to application evaluation, and builds a comprehensive management mechanism integrating institutional norms, supervision and evaluation, as well as policy coordination. Comparative analysis with traditional data security and cryptographic application systems shows that the proposed system has significant advantages in the integration depth of data business and cryptographic functions, full-link security protection, and the coordination of standards and management, which provides a theoretical reference and practical path for the secure and efficient circulation of data elements.
Trusted data space is a core infrastructure for secure data circulation. With the development of the digital economy, higher security requirements have been put forward for data storage, transmission and sharing in trusted data spaces. Cryptographic technology can provide strong security support for the development of trusted data spaces in terms of distributed deployment, scalability and cross-domain collaboration. Based on a comprehensive review of domestic and foreign research on key management for trusted data spaces, this paper conducts a review from three dimensions: key management architecture and mechanism, key full-life-cycle management, and cross-domain authentication and security negotiation. This paper mainly analyzes hierarchical, distributed and lightweight key mechanisms, as well as key technologies including key update, key escrow and proxy re-encryption, and summarizes the mainstream methods of cross-domain authentication and group key negotiation. Furthermore, the deficiencies of existing researches in dynamic adaptation capability and cross-domain collaboration efficiency are summarized. Finally, the future development directions of trusted data spaces such as adaptive key management and intelligent secure key management are prospected.
Trusted data space (TDS) is a data circulation and utilization infrastructure that connects multiple stakeholders and realizes shared use of data resources based on consensus rules. As an application ecology for value co-creation of data elements, it serves as an important carrier to support the construction of a national integrated data market. Against this background, the compliant, correct and effective application of commercial cryptography to build a security foundation for TDS and realize the full life-cycle protection of data has become an urgent issue for the development of TDS and the compliant and efficient circulation of data elements. In view of the distributed federation architecture of trusted data space composed of a central service platform and multiple distributed access nodes, as well as its core functions of "centralized control, distributed execution, data in-domain, and available but invisible", this paper decouples the core architecture of TDS and divides it into five security domains. It systematically analyzes the typical security risks, and sorts out the cryptography application requirements and evaluation demands in full scenarios. On this basis, in strict accordance with the framework of GB/T 39786—2021, an indicator system and evaluation model for the security evaluation of commercial cryptography application adapted to TDS are constructed, and the effectiveness and applicability of the system are verified through theoretical analysis. This research provides references for the application and evaluation implementation of commercial cryptography.
A layered hybrid verifiable secure computation model (LH-VSC) was proposed to address the core challenges in encrypted state computing, including the rigid trade-off between security and efficiency, the tight coupling of verification mechanisms with cryptographic primitives, and the lack of cross-paradigm interoperability. This model adopts a vertically layered and horizontally hybrid architecture. Vertically, it realizes functional decoupling via five layers: data access, encrypted computation, verifiable computation, trust management, and result output. Horizontally, a dynamic scheduler intelligently switches between fully homomorphic encryption (FHE) and secure multi-party computation (MPC) paths based on task attributes and system state, enabling on-demand optimization of security and efficiency. A lightweight verifiable secure multi-party computation protocol was designed, leveraging information-theoretically secure message authentication codes and aggregated proofs to reduce verification complexity to O(1). A concise proof mechanism for FHE computation traces was constructed, combining semantic-aware decomposition and recursive proof aggregation to reduce the zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) proof generation overhead from O(M·D) to O(M+D) (where M is the number of sub-steps and D is the maximum sub-circuit depth). This mechanism achieves synergistic optimization of security, efficiency, and flexibility, providing a new paradigm for privacy-preserving computing infrastructure.
Secure distributed matrix multiplication (SDMM) is a core technique to solve data privacy leakage and node straggler problems in large-scale distributed computation. Most existing polynomial coding frameworks of secure distributed matrix computation (SDMC) are based on the semi-honest security model and lack lightweight mechanisms to identify Byzantine malicious nodes that tamper with calculation results. To solve this problem, this paper proposes a Byzantine fault-tolerant verification extension scheme for active result tampering scenarios. While retaining the privacy protection capability of the traditional polynomial masking scheme, the proposed scheme introduces a redundant replication strategy and combines it with element-wise robust median aggregation to effectively mitigate data poisoning attacks. Furthermore, it deploys a lightweight statistical verification layer, which detects and isolates malicious nodes through Frobenius norm deviation scores. Theoretical analysis demonstrates that the scheme can realize the accurate reconstruction of matrix products when the number of malicious nodes meets the honest majority threshold condition. Experimental results show that the proposed scheme has excellent scalability when the matrix dimension increases from 32 to 512, and its runtime overhead ratio drops significantly from 4.86 to 1.06. Independent of complex cryptographic proof mechanisms, the proposed scheme provides a highly scalable, verifiable and Byzantine fault-tolerant solution for matrix multiplication operations in decentralized cloud environments.
This paper investigates hardware acceleration architectures for point multiplication to address the computational efficiency issues of Koblitz curves in elliptic curve cryptography (ECC) systems. An optimized τNAF scalar conversion algorithm and its corresponding hardware structure are first proposed to reduce latency in the pre-computation phase. On this basis, two computation architectures with optimized pipeline efficiency are designed. The area-efficient architecture employs a compact four-stage pipeline with a single multiplier to improve hardware resource utilization. For different binary fields (GF(2163), GF(2283), and GF(2571)), the low-latency architecture adopts two-stage and three-stage pipeline designs respectively, and leverages dual parallel multipliers to reduce the clock cycles required for point addition. Experimental results on the Virtex-7 FPGA platform demonstrate that both architectures achieve substantial latency improvements across all three fields. Compared with state-of-the-art designs, the area-efficient architecture reduces latency by 58.111% over GF(2571), while the low-latency architecture reduces latency by 43.952% over GF(2163). The results demonstrate that optimizing pipeline scheduling and algorithm mapping can effectively balance the computational performance and resource consumption of ECC coprocessors, providing a practical reference for the design of high-performance cryptographic hardware.
Threshold implementation (TI), as a countermeasure against side-channel attacks with provable security, has been widely applied in cryptographic algorithms. Although various side-channel attack protection schemes for the SM4 algorithm have been proposed, existing schemes still exhibit security vulnerabilities when facing novel attack models such as the glitch-extended probing model. To this end, this paper proposes an improved first-order threshold implementation scheme for the S-box of the SM4 algorithm. This scheme designs the S-box based on the tower field GF((22)2)2 structure, reconstructs a multiplier that satisfies threshold properties, and introduces COTG (changing of the guards) technique to optimize the randomness addition strategy, reducing the randomness consumption of a single S-box to 10 bits. Furthermore, the theoretical security of the proposed scheme under the glitch-extended probing model is proven by utilizing the formal verification tool SILVER, and the actual protection capability of the overall physical circuit is validated through test vector leakage assessment (TVLA). The results demonstrate that the proposed scheme can effectively resist first-order side-channel attacks.
Multi-authority attribute-based encryption (MA-ABE) schemes serve as a promising core technology for secure data access control in multi-organizational cross-domain collaboration scenarios. However, the dynamic nature of such scenarios may cause adaptive leakage risks of authorities and require the periodic update of partial user attributes and secret keys. To address the above problems and challenges, this paper proposes a fully adaptive secure access control scheme supporting attribute revocation. While guaranteeing full adaptive security, the scheme designs dedicated revocation parameters and adopts an efficient user key update algorithm to realize flexible and efficient multi-authority attribute revocation. To guarantee forward and backward security, this paper constructs a ciphertext update component and proposes a lightweight ciphertext update mechanism, which only requires one pairing operation and one multiplication operation. Rigorous security proofs demonstrate that the proposed scheme satisfies full adaptive security. Theoretical analysis and experimental comparisons are performed for performance evaluation. The results show that the scheme achieves high efficiency in the attribute revocation phase. Specifically, the computational cost of key revocation is only 25% of that of comparable schemes, and the ciphertext update computational cost is at a constant level.






