SIFA Attack Against SM4 with DFA Protection

Journal of Information Security Reserach ›› 2023, Vol. 9 ›› Issue (10): 1015-.

Previous Articles Next Articles

SIFA Attack Against SM4 with DFA Protection

Tan Zixin, Hu Yongbo, Gong Yanhao, Hu Chunya, Zhang Qi, Zhu Wenfeng, and Gong Zichao

(Laboratory of Vulnerability Analysis, Shenzhen Huiding Technology Co., Ltd. Formula Shanghai Branch, Shanghai 201210)

Online:2023-10-17 Published:2023-10-28

针对带DFA防护SM4的SIFA攻击

谭子欣胡永波龚彦昊胡春雅张琪朱文锋龚子超

(深圳市汇顶科技股份有限公司上海分公司脆弱性分析实验室上海201210)

通讯作者: 胡永波硕士，工程师.主要研究方向为侧信道分析与故障注入分析、逻辑分析、物理安全实现以及安全认证. huyongbo@goodix.com
作者简介:谭子欣硕士，工程师.主要研究方向为理论密码学、零知识证明、侧信道攻击及故障注入分析. 1119398442@qq.com 胡永波硕士，工程师.主要研究方向为侧信道分析与故障注入分析、逻辑分析、物理安全实现以及安全认证. huyongbo@goodix.com 龚彦昊硕士，工程师.主要研究方向为侧信道分析与故障注入分析. gongyanhao@goodix.com 胡春雅硕士，工程师.主要研究方向为理论密码学、零知识证明、侧信道分析以及故障注入分析. huchunya@goodix.com

Abstract

Abstract: As a national standard block cipher algorithm issued by State Cryptography Administration (SCA), SM4 is widely used in domestic security products, such as financial IC card, blockchain, encryption card, router, electronic wallet, electronic ID card and other applications. Its security has always been concerned by various industries, with the continuous innovation of attack methods, carious SM4 implementation schemes with countermeasure have also been proposed. We proposed a statistical ineffectual fault analysis (SIFA) attack on SM4 with differential fault analysis (DFA) countermeasure firstly inspired by the idea of SIFA proposed by Christoph et al. in 2018, and this attack can recover the key of SM4 with the computational complexity of 234. Then, we had successfully recovered the key on the STM32F103C8T6 microcontroller with voltage glitch fault injection. Finally, we further improved this attack by chosen plaintext, and reduced the computational complexity to 212.

Key words: SM4, SIFA, DFA protection, voltage glitch fault injection, chosen plaintext

摘要： SM4算法作为中国密码管理局(SCA)发布的一项国家标准分组密码算法，当前被广泛应用到国内市场的安全产品中，如金融IC卡、区块链、加密卡、路由器、电子钱包以及电子身份证等.其安全性一直受各业界所关注，随着攻击方法不断的革新，各类带有防护的SM4实现方案也被提出.基于2018年Christoph等人提出的统计无效错误分析(SIFA)的思想，首次针对带差分错误分析(DFA)防护的SM4算法，提出了一套统计无效错误分析攻击方案，该攻击方案能以234的计算复杂度破解出SM4的密钥.然后，在单片机STM32F103C8T6上利用电压毛刺故障注入成功还原密钥，最后在该攻击的基础上进一步改进，利用选择明文的策略能将计算复杂度降低至212.

关键词: SM4, 统计无效错误分析, 差分错误分析防护, 电压毛刺故障注入, 选择明文

CLC Number:

TP309

谭子欣, 胡永波, 龚彦昊, 胡春雅, 张琪, 朱文锋, 龚子超, . 针对带DFA防护SM4的SIFA攻击[J]. 信息安全研究, 2023, 9(10): 1015-.

References

［1］Boneh D, DeMillo, R A, Lipton R J. On the importance of checking cryptographic protocols for faults［C］ Proc of Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 1997: 3751［2］Biham E, Shamir A. Differential fault analysis of secret key cryptosystems［C］ Proc of Annual Int Cryptology Conf. Berlin: Springer, 1997: 513525［3］Hemme L. A differential fault attack against early rounds of (Triple) DES［C］ Proc of Int Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2004: 254267［4］Fuhr T, Jaulmes E, Lomné V, et al. Fault attacks on AES with faulty ciphertexts only［C］ Proc of 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography. Piscataway, NJ: IEEE, 2013: 108118［5］Li Y, Sakiyama K, Gomisawa S, et al. Fault sensitivity analysis［C］ Proc of Int Workshop on Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2010: 320334［6］Ghalaty N F, Yuce B, Taha M, et al. Differential fault intensity analysis［C］ Proc of 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography. Piscataway, NJ: IEEE, 2014: 4958［7］BarEl H, Choukri H, Naccache D, et al. The sorcerer’s apprentice guide to fault attacks ［J］. Proceedings of the IEEE, 2006, 94(3): 370382［8］Gierlichs B, Schmidt J M, Tunstall M. Infective computation and dummy rounds: Fault protection for block ciphers without checkbeforeoutput［C］ Proc of Int conf on cryptology and information security in Latin America. Berlin: Springer, 2012: 305321［9］Clavier C. Secret external encodings do not prevent transient fault analysis［C］ Proc of Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2007: 181194［10］Dobraunig C, Eichlseder M, Korak T, et al. SIFA: Exploiting ineffective fault inductions on symmetric cryptography ［J］. IACR Trans on Cryptographic Hardware Embedded System, 2018, 2018(3): 547572［11］吕述望, 苏波展, 王鹏, 等. SM4分组密码算法综述［J］. 信息安全研究, 2016, 2(11): 9951007［12］Zhang L, Wu W L. Differential fault analysis on SMS4 ［J］. Chinese Journal of Computers, 2006, 29(9): 1596［13］Li R, Sun B, Li C, et al. Differential fault analysis on SMS4 using a single fault ［J］. Information Processing Letters, 2011, 111(4): 156163［14］朱仁杰. 扩大故障注入范围的SM4差分故障攻击研究［J］. 计算机科学, 2019, 46(S2): 493506［15］金雨璇, 杨宏志, 王相宾, 等. 对SM4算法的改进差分故障攻击［J］. 密码学报, 2020, 7(4): 453464

[1]	. Optimization Design of SM4 Pipeline Based on SIMD Idea [J]. Journal of Information Security Reserach, 2023, 9(9): 832-.
[2]	. Feature Selection Method for Electromagnetic Radiation Leakage of Crypto Chip [J]. Journal of Information Security Reserach, 2022, 8(12): 1214-.
[3]	. ACARS Data Protection Technology Based on National Secret Algorithm [J]. Journal of Information Security Reserach, 2021, 7(4): 342-350.
[4]	. Research on Application Scheme of National Secret Algorithm in SecOC Security Mechanism [J]. Journal of Information Security Research, 2020, 6(9): 0-0.
[5]	. A Data Security Verification Scheme Based on Task Macro [J]. Journal of Information Security Research, 2019, 5(7): 631-634.
[6]	. Research on Cloud Data Encryption Scheme Based on Chinese Cryptographic Algorithms [J]. Journal of Information Security Research, 2018, 4(7): 646-651.
[7]	. The Research and Practice of the Encryption Algorithm Promotion for the Financial Information System [J]. Journal of Information Security Research, 2016, 2(8): 754-759.
[8]	. Overview on SM4 Algorithm [J]. Journal of Information Security Research, 2016, 2(11): 995-1007.

SIFA Attack Against SM4 with DFA Protection

针对带DFA防护SM4的SIFA攻击

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 8

Recommended Articles

Metrics