

1. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190
2. University of Chinese Academy of Sciences, Beijing 100049
Received: 29 April 2022; Revised: 7 September 2022; Published: 25 November 2023
LI Hao-yuan, HAN Xu-cang, CAO Wei-qiong, et al. Chosen Ciphertext Combined Attack Based on Round-Reduced Fault Against SM2 Decryption Algorithm [J]. Acta Electronica Sinica, 2023, 51(11): 3187-3198. DOI: 10.12263/DZXB.20220481.
The SM2 family of algorithms is the commercial elliptic-curve cryptographic standard designed independently in China. At present, implementation-security analysis of the SM2 decryption algorithm usually follows research results on generic elliptic-curve components rather than the structure and characteristics of the algorithm itself. At the same time, the hash and verification steps in SM2 decryption make most fault attacks that need to exploit an erroneous output inapplicable. To address this, starting from the characteristics of the SM2 decryption algorithm and the idea of safe-error fault attacks, this paper proposes a chosen-ciphertext combined attack that combines a round-reduced fault with side-channel analysis. The core of the attack is to change the number of rounds of the scalar multiplication loop by fault injection and then to determine the exact number of faulty rounds by side-channel analysis. A chosen ciphertext is then constructed from a partial key guess together with the plaintext and the correct ciphertext and is fed to a decryption device exhibiting the specific fault effect; the device's output reveals whether the partial key guess is correct, and the private key is recovered step by step. The paper also analyzes the applicability of the attack to different scalar multiplication methods and to common protection countermeasures. Finally, we carry out practical attack experiments against the SM2 decryption algorithm on an STM32F303 microcontroller based on the ARM Cortex-M4 core, using clock-glitch injection and simple power analysis, and successfully recover the private key. The experimental results show that the attack method is feasible and practical.
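To make the role of the hash-and-verify step concrete, the following is an added illustration in Python; it is not part of the paper and does not reproduce its key-recovery procedure. It uses a constructed toy curve y^2 = x^3 + x + 1 over F_23 in place of the SM2 curve and SHA-256 in place of SM3 (both assumptions), with a fixed-length double-and-add scalar multiplication whose loop can be cut short to mimic a round-reduced fault. It shows two things: a decryption whose scalar multiplication was round-reduced fails the C3 comparison instead of releasing a faulty plaintext (the observation in the abstract that error-output fault attacks do not apply), and a data-independent check of the executed loop count turns every faulted run into the same failure, so the pass/fail outcome no longer depends on the key. The names `scalar_mult`, `sm2_style_encrypt`, `sm2_style_decrypt` and `demo` are my own.

```python
import hashlib
from typing import Optional, Tuple

# Constructed toy curve y^2 = x^3 + x + 1 over F_23 (assumption: stands in for the
# 256-bit SM2 curve). Its group is cyclic of order 28 and G = (0, 1) generates it.
P, A, B = 23, 1, 1
G = (0, 1)
Point = Optional[Tuple[int, int]]   # None is the point at infinity
SCALAR_BITS = 8                     # fixed loop length (assumption), like a fixed-length ladder


def point_add(p1: Point, p2: Point) -> Point:
    """Affine addition/doubling on the toy curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # Q + (-Q) = infinity (also covers y == 0)
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point, rounds: int = SCALAR_BITS) -> Tuple[Point, int]:
    """Left-to-right double-and-add over a fixed number of loop rounds.

    rounds < SCALAR_BITS simulates the round-reduced fault: the loop exits early
    and only the top `rounds` bits of k are processed. Returns the result and the
    number of rounds actually executed (a defender's redundant loop counter)."""
    acc: Point = None
    executed = 0
    for i in range(SCALAR_BITS - 1, SCALAR_BITS - 1 - rounds, -1):
        acc = point_add(acc, acc)
        if (k >> i) & 1:
            acc = point_add(acc, pt)
        executed += 1
    return acc, executed


def kdf(x: int, y: int, nbytes: int) -> bytes:
    # Toy KDF: SHA-256 stands in for the SM3-based KDF (assumption).
    return hashlib.sha256(b"kdf" + bytes([x, y])).digest()[:nbytes]


def c3_hash(x: int, msg: bytes, y: int) -> bytes:
    # SM2 computes C3 = Hash(x2 || M || y2); SHA-256 replaces SM3 here (assumption).
    return hashlib.sha256(bytes([x]) + msg + bytes([y])).digest()


def sm2_style_encrypt(pub: Point, k: int, msg: bytes):
    """C1 = kG, (x2, y2) = kQ, C2 = M xor KDF(x2 || y2), C3 = Hash(x2 || M || y2)."""
    c1, _ = scalar_mult(k, G)
    x2, y2 = scalar_mult(k, pub)[0]
    c2 = bytes(m ^ t for m, t in zip(msg, kdf(x2, y2, len(msg))))
    return c1, c2, c3_hash(x2, msg, y2)


def sm2_style_decrypt(d: int, c1: Point, c2: bytes, c3: bytes,
                      rounds: int = SCALAR_BITS, check_rounds: bool = False) -> Optional[bytes]:
    """Returns the plaintext, or None on any failure.

    rounds < SCALAR_BITS simulates the injected fault during d * C1.
    check_rounds=True adds a data-independent loop-count check that rejects a
    round-reduced run before the key-dependent C3 comparison is reached."""
    shared, executed = scalar_mult(d, c1, rounds)
    if check_rounds and executed != SCALAR_BITS:
        return None                       # fault detected regardless of the data
    if shared is None:
        return None                       # SM2 also rejects the point at infinity
    x2, y2 = shared
    msg = bytes(c ^ t for c, t in zip(c2, kdf(x2, y2, len(c2))))
    return msg if c3_hash(x2, msg, y2) == c3 else None


def demo():
    d = 181                               # constructed private key, fits in SCALAR_BITS
    pub, _ = scalar_mult(d, G)
    c1, c2, c3 = sm2_style_encrypt(pub, 9, b"hello")   # constructed ephemeral k = 9
    ok = sm2_style_decrypt(d, c1, c2, c3)
    # Loop cut to 3 rounds: only the top 3 bits of d are used, so the shared
    # point is wrong and the C3 check fails instead of releasing a faulty plaintext.
    faulted = sm2_style_decrypt(d, c1, c2, c3, rounds=3)
    # Same fault with the loop-count check: rejected before any key-dependent comparison.
    guarded = sm2_style_decrypt(d, c1, c2, c3, rounds=3, check_rounds=True)
    return ok, faulted, guarded


if __name__ == "__main__":
    print(demo())   # (b'hello', None, None)
```

Both faulted calls return None, but for different reasons: without the counter the failure comes from the C3 comparison, whose outcome still depends on the key bits that were processed, which is the kind of pass/fail signal the abstract describes exploiting; with the counter the failure is decided before any key-dependent comparison. The counter check models only a fault that shortens the loop; a fault that also skips the check itself is outside this illustration.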