Chosen Ciphertext Combined Attack Based on Round-Reduced Fault Against SM2 Decryption Algorithm

Cited by: 0
Authors
Li H.-Y. [1 ,2 ]
Han X.-C. [1 ,2 ]
Cao W.-Q. [1 ]
Wang J. [1 ,2 ]
Chen H. [1 ]
Affiliations
[1] Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing
[2] University of Chinese Academy of Sciences, Beijing
Source
Tien Tzu Hsueh Pao/Acta Electronica Sinica | 2023 / Vol. 51 / No. 11
Funding
National Natural Science Foundation of China;
Keywords
chosen ciphertext; combined attack; round-reduced fault; safe-error; side channel attack; SM2; decryption;
DOI
10.12263/DZXB.20220481
CLC number
Subject classification number
Abstract
The SM2 algorithm is a commercial elliptic curve cryptographic algorithm designed by China. At present, analysis of the implementation security of this algorithm usually follows research results on components common to all elliptic curve schemes rather than the structure and characteristics of the algorithm itself. At the same time, the hash and verification steps in the SM2 decryption algorithm render most fault attacks that must exploit an erroneous output inapplicable. To address this, this paper proposes, based on the characteristics of the SM2 decryption algorithm, a chosen ciphertext combined attack that combines a round-reduced fault with side channel analysis following the idea of safe-error. The core of the attack is to change the number of rounds of the scalar multiplication by fault injection and to determine the exact number of faulty rounds by side channel analysis. A chosen ciphertext is then constructed from a partial key guess combined with the plaintext and the correct ciphertext. This chosen ciphertext is input to the decryption device under the specific fault effect, and whether the partial key guess is correct is verified from the output of the decryption device. The applicability of the attack to different scalar multiplication methods and to common protection countermeasures is also analyzed. Lastly, we conduct practical attack experiments on the SM2 decryption algorithm with clock glitch injection and simple power analysis on an STM32F303 microcontroller based on the ARM Cortex-M4, and successfully recover the private key. The experimental results show that the attack method is feasible and practical. © 2023 Chinese Institute of Electronics. All rights reserved.
Pages: 3187 / 3198
Page count: 11