CN114696994A - Differential fault analysis and detection method for SM4 cryptographic algorithm - Google Patents
- Publication number: CN114696994A (application CN202011575094.7A)
- Authority: CN (China)
- Prior art keywords: ciphertext, round, error, correct, plaintext
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/004—Countermeasures against attacks on cryptographic mechanisms for fault attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Detection And Prevention Of Errors In Transmission (AREA)
Abstract
The invention discloses a differential fault analysis and detection method for the SM4 cryptographic algorithm. The method collects the error ciphertexts produced by faults in the last four rounds of SM4 during differential fault testing and uses them to recover the key, completing the differential fault detection of SM4. When selecting error ciphertexts, the correct ciphertext is used for comparison, and only error ciphertexts with the same plaintext, a different ciphertext and complete data are kept for the subsequent differential analysis. The same error ciphertexts are used for the attack on every round, so the ciphertexts do not have to be classified according to the requirements of each round. The method solves the problem that, in current differential fault detection of SM4, the special faults required in particular bytes of an intermediate state are infeasible to produce.
Description
Technical Field
The invention relates to the field of cryptographic algorithm analysis and detection, and in particular to differential fault analysis and detection aimed at the SM4 cryptographic algorithm.
Background
In general, the hardware devices or software programs that run cryptographic algorithms execute them correctly, but under some conditions a register error or an operation error may occur in the cryptographic module; a method that recovers the key from such erroneous behaviour or information is called cryptographic fault analysis. Fault detection refers to the situation in which a change in the operating conditions of a cryptographic chip makes it produce an erroneous encryption output. Cryptographic devices are mostly built on electronic technology with relatively simple interfaces and are easily disturbed from outside, so fault analysis has become one of the most effective side-channel analysis methods, and is also one of the methods used by testing bodies and design enterprises to evaluate the security of cryptographic products.
Differential fault analysis (DFA) is a detection method that combines fault testing with classical differential cryptanalysis; the key is recovered mainly from the relationship between the correct output and the faulty output of the same plaintext. Concretely: (1) choose a plaintext and obtain its correct ciphertext under the correct key; (2) for the same plaintext, collect the error ciphertexts produced during fault testing; (3) analyse the correct and error ciphertexts so that the tester obtains a candidate set for each key; after several ciphertexts have been analysed the intersection of the candidate sets is taken, the correct key is certain to lie in that intersection, and the key is recovered by checking the remaining candidates one by one.
SM4 is a block cipher designed in China with the following basic properties: (1) both the block length and the key length are 128 bits; (2) encryption and decryption have the same structure, only the order in which the round keys are used is reversed; (3) both the encryption algorithm and the key expansion algorithm use a 32-round nonlinear iterative structure, and the repetition of this structure makes SM4 well suited to implementation on a dedicated chip; (4) SM4 uses only standard arithmetic and logical operations on words of at most 32 bits and is therefore easy to implement in hardware. The algorithm is described below using the first encryption round and the key schedule as examples.
The first round of SM4 encryption is shown in fig. 1. With the input plaintext, the output ciphertext, the round key, the S-box input and output and the output of the linear transformation L denoted as in the figure, the basic procedure of the first round is as follows:
The output of the first round then becomes the input of the second. The other 31 rounds are identical to the first; only the last (32nd) round is followed by the reverse-order transformation R shown in fig. 2, and the final output ciphertext is:
the sub-keys of the encryption algorithm in the SM4 algorithm are generated from the original key by a key expansion algorithm, and the flow is shown in fig. 3. Let original key MK = (,,,) I =0,1,2, 3. Order to∈I =0,1,2, …,35, subkey∈I =0,1,2, …,31, the subkey generation method is as follows:
wherein,the transformation is substantially the same as the T transformation in the encryption transformation, but the linear transformation must be changed toI.e. by(B)= B⊕(B<<<13)⊕(B<<<23) 。
The system parameter FK, expressed in hexadecimal, is:
the value taking method of the fixed parameter CK comprises the following steps: is provided withIs composed ofI.e., j =0,1,2, …, 31; j =0,1,2,3), i.e., the=(, , , ) E is the then=(4i+j)7(mod 256). 32 fixed parametersExpressed in 16-ary as:
00070e15, 1c232a31, 383f464d, 545b6269,e0e7eef5, fc030a11, 181f262d, 343b4249,50575e65, 6c737a81, 888f969d, a4abb2b9,c0c7ced5, dce3eaf1, f8ff060d, 141b2229,
30373e45, 4c535a61, 686f767d, 848b9299,a0a7aeb5, bcc3cad1, d8dfe6ed, f4fb0209,
10171e25, 2c333a41, 484f565d, 646b727。
the method for reversely deducing the original key according to the key arrangement algorithm comprises the following steps:
3) from the following results:=this results in the sub-key for the fifth to last round, i.e. round 28. And by analogy, the sub-keys and the original keys of each round can be recovered.
The first differential fault analysis of SM4 was published by Zhang Lei and Wu Wenling in 2006, but its success depends on collecting, before the analysis of each round, faults that produce a single erroneous byte at a fixed position; the numerous later publications likewise assume a single-byte fault at a given position, an assumption that is hard to realise when cryptographic equipment is actually tested.
Disclosure of Invention
The invention aims to provide a differential fault analysis and detection method for the SM4 cryptographic algorithm that solves two practical problems: (1) in differential fault analysis of SM4 it is often impossible to collect the ciphertexts produced by a specific fault in particular bytes of a given intermediate state; (2) when recovering the round keys, a special fault test has to be carried out for the requirements of each round, which is cumbersome. The invention performs fault analysis with arbitrary faults in the last four rounds of SM4 encryption: no special fault is needed, the same fault data is used for the attack on every round, and no further fault test has to be run, so the fault analysis and detection is very easy to carry out in practice.
To solve the above problems, the present invention provides a differential fault analysis and detection method for the SM4 cryptographic algorithm comprising the following steps:
S1: determine a group of plaintexts X, and obtain the correct ciphertext Y of X in the normal state and the error ciphertext Y' under differential fault analysis.
S11: determine a group of plaintexts X and obtain the correct ciphertext Y of X under the correct key K.
S12: input the same plaintext X and carry out arbitrary fault testing on the last four rounds of the SM4 encryption process to obtain the error ciphertext Y'.
S13: compare the plaintext X and the correct ciphertext Y with the error ciphertext Y', and select for the subsequent differential analysis those error ciphertexts whose returned data is complete (plaintext and ciphertext both present), whose plaintext is identical and whose ciphertext differs.
S2: carry out differential analysis on the correct ciphertext Y and the error ciphertext Y' to obtain the 32nd-round subkey rk32 of SM4; then, using the same Y, Y' and rk32, obtain the 31st-round subkey rk31; in the same way obtain the 30th- and 29th-round subkeys rk30 and rk29 in turn.
S21: from the ciphertext, compute backwards the input of the reverse-order transformation R, i.e. the output of the 32nd round; denote the correct output XX4, XX3, XX2, XX1 and the faulty output Xx4, Xx3, Xx2, Xx1;
S22: compute the S-box input difference and the S-box output difference, denoted Sin_buffer and Sout_buffer respectively, as follows:
where invT1 is the inverse of the linear transformation L. Because the fault leaves the word that is XORed into the 32nd-round output unchanged, the difference of that output word equals the difference of the two T-transformation outputs; Sout_buffer is therefore invT1 applied to that difference, and Sin_buffer is the XOR of the differences of the three words that feed the S-boxes, both of which are read directly from the correct and faulty outputs.
Write the four bytes of Sout_buffer corresponding to the four S-boxes, from left to right, with index i = 0, 1, 2, 3; then:
S23: compute the S-box outputs, recording the S-box output for the correct data and the S-box output for the faulty data separately; for the four S-boxes:
where M ranges over the 256 candidate values of the corresponding subkey byte.
S24: substitute each of the 256 candidate values M into the formula of S23 and judge whether the difference of the two S-box outputs equals the corresponding byte of Sout_buffer; a value M for which it does is a possible correct subkey byte.
S25: the 32nd-round subkey rk32 obtained in S24 is used to decrypt one round of both the correct and the error ciphertext, giving the correct and faulty round outputs of the 31st round; S22 to S24 are then carried out again to attack the 31st-round subkey rk31. Repeating this process yields the 30th- and 29th-round subkeys rk30 and rk29.
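The procedure above, together with the CK derivation and the key-schedule inversion of the background section, as a worked example added here by the editor; it is not code from the patent or its applicant. It assumes the standard SM4 of GB/T 32907 (S-box, FK, CK, L and L'), uses 0-indexed words X0..X35 and round keys rk0..rk31 (so the patent's rk32 is rk31 below), simulates a fault as a random XOR into one intermediate word in place of a real fault bench, and constructs its own plaintext and fault pool. It also makes explicit the caveat the S24 check implies: a faulty ciphertext only constrains a round key when the fault left that round's XORed-in word untouched, so the example hands the whole unsorted pool to every round and lets the consistent pairs outvote the rest instead of intersecting candidate sets strictly.

```python
"""Added example (editor's code, not the patent's): pure-Python SM4, the DFA of steps
S1-S25 run against it, and the background section's key-schedule inversion. Labelled
assumptions: GB/T 32907 constants; 0-indexed X0..X35, rk0..rk31 (the patent's "32nd
round" key is rk31 here); faults = random XOR into one word; inputs are constructed."""
import random
from collections import Counter

SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc]

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xffffffff

def ck_constants():  # CK_i = (ck_i0, ..., ck_i3) with ck_ij = (4i + j) * 7 mod 256
    return [int.from_bytes(bytes((4 * i + j) * 7 & 0xff for j in range(4)), "big")
            for i in range(32)]
CK = ck_constants()

def tau(a):  # the four parallel S-boxes on one 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")
def L(b):  # linear layer of the round function; T(x) = L(tau(x))
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)
def inv_L(c):  # the patent's invT1: L^-1 written as a sum of rotations (L is GF(2)-linear)
    return c ^ rotl(c, 2) ^ rotl(c, 4) ^ rotl(c, 8) ^ rotl(c, 12) ^ rotl(c, 14) ^ \
        rotl(c, 16) ^ rotl(c, 18) ^ rotl(c, 22) ^ rotl(c, 24) ^ rotl(c, 30)
def L_prime(b):  # linear layer of the key schedule; T'(x) = L'(tau(x))
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def key_schedule(mk):  # rk_i = K_{i+4} = K_i ^ T'(K_{i+1} ^ K_{i+2} ^ K_{i+3} ^ CK_i)
    K = [int.from_bytes(mk[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):
        K.append(K[i] ^ L_prime(tau(K[i + 1] ^ K[i + 2] ^ K[i + 3] ^ CK[i])))
    return K[4:]

def encrypt(pt, rk, fault=None):  # fault=(n, delta) XORs delta into X_n as it is written
    X = [int.from_bytes(pt[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(32):
        x = X[i] ^ L(tau(X[i + 1] ^ X[i + 2] ^ X[i + 3] ^ rk[i]))
        X.append(x ^ fault[1] if fault and fault[0] == i + 4 else x)
    return b"".join(X[35 - i].to_bytes(4, "big") for i in range(4))  # reverse-order R

def undo_R(ct):  # S21: ciphertext back to the last-round output (X32, X33, X34, X35)
    return [int.from_bytes(ct[4 * i:4 * i + 4], "big") for i in range(4)][::-1]

def round_key_candidates(good, bad):
    """S22-S24 for one (correct, faulty) pair of round outputs: per byte, the M with
    S(in ^ M) ^ S(in' ^ M) == Sout byte; exact only if the XORed-in word is unfaulted."""
    sin = (good[0] ^ good[1] ^ good[2]).to_bytes(4, "big")  # S-box input, correct
    sin_f = (bad[0] ^ bad[1] ^ bad[2]).to_bytes(4, "big")  # S-box input, faulty
    sout = inv_L(good[3] ^ bad[3]).to_bytes(4, "big")  # Sout_buffer
    return [{m for m in range(256) if SBOX[sin[j] ^ m] ^ SBOX[sin_f[j] ^ m] == sout[j]}
            for j in range(4)]

def recover_round_key(good, bads):  # vote over the whole unsorted fault pool
    key = 0
    for j in range(4):
        votes = Counter()
        for bad in bads:  # pairs that violate the assumption scatter or return empty sets
            votes.update(round_key_candidates(good, bad)[j])
        key = key << 8 | votes.most_common(1)[0][0]
    return key

def peel(state, rk):  # S25: X_i = X_{i+4} ^ T(X_{i+1} ^ X_{i+2} ^ X_{i+3} ^ rk_i)
    return [state[3] ^ L(tau(state[0] ^ state[1] ^ state[2] ^ rk))] + state[:3]

def invert_key_schedule(rk28_to_31):  # background: K32..K35 known, walk back to K0..K3
    K = [None] * 32 + list(rk28_to_31)
    for i in range(31, -1, -1):
        K[i] = K[i + 4] ^ L_prime(tau(K[i + 1] ^ K[i + 2] ^ K[i + 3] ^ CK[i]))
    return b"".join((K[i] ^ FK[i]).to_bytes(4, "big") for i in range(4))  # strip FK

def dfa_attack(mk, pt, n_faults=8, seed=1):
    """S1-S3 end to end against a simulated device holding mk; returns the recovered
    (rk28, rk29, rk30, rk31) and the master key derived from them."""
    rng, rk = random.Random(seed), key_schedule(mk)
    good = undo_R(encrypt(pt, rk))
    bads = []  # constructed pool: random faults on X31 and on X32, never sorted by round
    for word in (31, 32):
        for _ in range(n_faults):
            delta = int.from_bytes(bytes(rng.randrange(1, 256) for _ in range(4)), "big")
            bads.append(undo_R(encrypt(pt, rk, fault=(word, delta))))
    found = []
    for _ in range(4):  # rk31, then rk30, rk29, rk28, peeling one round each time
        k = recover_round_key(good, bads)
        found.append(k)
        good, bads = peel(good, k), [peel(b, k) for b in bads]
    return found[::-1], invert_key_schedule(found[::-1])

def known_answer_ok():  # GB/T 32907 test vector: key = plaintext = 0123..3210
    k = bytes.fromhex("0123456789abcdeffedcba9876543210")
    return encrypt(k, key_schedule(k)).hex() == "681edf34d206965e86b3e94f536e4246"
```

With faults placed on X31 and X32, the mixed pool recovers rk31 from the X32 faults alone, rk30 and rk29 from both kinds, and rk28 only from the X31 faults (for that round the X32 faults yield no usable candidates, since their S-box input difference is zero); invert_key_schedule then walks the schedule back to the master key. known_answer_ok checks the cipher against the standard's published test vector before any attack is run.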
Drawings
FIG. 1 is a first round flow of an SM4 encryption algorithm;
fig. 2 is a reverse order transformation R of the SM4 encryption algorithm;
fig. 3 is a SM4 key expansion flow;
fig. 4 is a basic flow diagram of differential fault analysis detection for the SM4 cryptographic algorithm.
Detailed Description
The following description of embodiments is provided so that those skilled in the art can understand the invention; the invention is not limited to these embodiments, and various changes that do not depart from the spirit and scope of the invention as defined in the appended claims are apparent to those skilled in the art, and all changes that come within the meaning and range of equivalency of the claims are embraced therein.
The differential fault analysis and detection method for the SM4 cryptographic algorithm is carried out according to steps S1 to S25 as set out above under Disclosure of the Invention.
Claims (3)
1. A differential fault analysis and detection method for the SM4 cryptographic algorithm, targeting the last four rounds of the SM4 encryption process, characterised in that it comprises the following steps:
S1: determine a group of plaintexts X, and obtain the correct ciphertext Y of X in the normal state and the error ciphertext Y' under differential fault analysis;
S2: carry out differential analysis on the obtained correct ciphertext Y and error ciphertext Y' to obtain the 32nd-round subkey rk32 of the SM4 cryptographic algorithm; then, using the same correct ciphertext Y, error ciphertext Y' and 32nd-round subkey rk32, obtain the 31st-round subkey rk31; similarly obtain the 30th- and 29th-round subkeys rk30 and rk29 in turn;
S3: using the obtained rk32, rk31, rk30 and rk29 together with the inverse of the SM4 key expansion algorithm, recover the subkeys of every round and the original key.
2. Step S1 specifically comprises the following steps:
S11: determine a group of plaintexts X and obtain the correct ciphertext Y of X under the correct key K;
S12: input the same plaintext X and carry out arbitrary fault testing on the last four rounds of the SM4 encryption process to obtain the error ciphertext Y';
S13: compare the plaintext X and the correct ciphertext Y with the error ciphertext Y', and select for the subsequent differential analysis the error ciphertexts whose returned data is complete (plaintext and ciphertext both present), whose plaintext is identical and whose ciphertext differs.
3. Step S2 specifically comprises the following steps:
S21: from the ciphertext, compute backwards the input of the reverse-order transformation R, i.e. the output of the 32nd round; denote the correct output XX4, XX3, XX2, XX1 and the faulty output Xx4, Xx3, Xx2, Xx1;
S22: compute the S-box input difference and the S-box output difference, denoted Sin_buffer and Sout_buffer respectively, as follows:
where invT1 is the inverse of the linear transformation L;
write the four bytes of Sout_buffer corresponding to the four S-boxes, from left to right, with index i = 0, 1, 2, 3; then:
S23: compute the S-box outputs, recording the S-box output for the correct data and the S-box output for the faulty data separately; for the four S-boxes:
where M ranges over the 256 candidate values of the corresponding subkey byte;
S24: substitute each of the 256 candidate values M into the formula of S23 and judge whether the two S-box output differences are the same; if they are, M is a possible correct subkey byte;
S25: the 32nd-round subkey rk32 is obtained from S24; rk32 is used to decrypt one round of the correct and the error ciphertext, giving the correct and faulty round outputs of the 31st round; S22 to S24 are then carried out again, finally attacking the 31st-round subkey rk31; this process is repeated to obtain the 30th- and 29th-round subkeys rk30 and rk29.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011575094.7A CN114696994A (en) | 2020-12-28 | 2020-12-28 | Differential fault analysis and detection method for SM4 cryptographic algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114696994A true CN114696994A (en) | 2022-07-01 |
Family
ID=82129913
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011575094.7A Pending CN114696994A (en) | 2020-12-28 | 2020-12-28 | Differential fault analysis and detection method for SM4 cryptographic algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114696994A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105227295A (en) * | 2015-10-10 | 2016-01-06 | 成都芯安尤里卡信息科技有限公司 | Differential fault injection attack for the SMS4 cryptographic algorithm |
CN108880783A (en) * | 2018-09-06 | 2018-11-23 | 成都三零嘉微电子有限公司 | A joint attack method for the SM4 algorithm |
CN110601818A (en) * | 2019-09-25 | 2019-12-20 | 东华大学 | Method for testing the resistance of the SMS4 cryptographic algorithm to statistical fault attacks |
Timeline: 2020-12-28, application CN202011575094.7A filed in China, published as CN114696994A, status Pending.
Non-Patent Citations (1)
Title |
---|
Rong Xuefang, Wu Zhen, Wang Min, Du Zhibo, Rao Jintao: "Differential fault attack method on SM4 based on random fault injection" (基于随机故障注入的SM4差分故障攻击方法), Computer Engineering (计算机工程), no. 07, 15 July 2016 (2016-07-15) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Bagheri et al. | New differential fault analysis on PRESENT | |
Li et al. | Differential fault analysis on the ARIA algorithm | |
Jaffe | A first-order DPA attack against AES in counter mode with unknown initial counter | |
Takahashi et al. | Improved differential fault analysis on CLEFIA | |
CN101162557A (en) | Encryption processing apparatus, encryption processing method and computer program | |
CN105227295A (en) | Differential fault injection attack for the SMS4 cryptographic algorithm | |
CN107204841B (en) | Method for realizing multiple S boxes of block cipher for resisting differential power attack | |
Li et al. | Related-tweak statistical saturation cryptanalysis and its application on QARMA | |
Takahashi et al. | Differential fault analysis on AES with 192 and 256-bit keys | |
Le et al. | Improved fault analysis on SIMECK ciphers | |
CN110601818B (en) | Method for detecting SMS4 cryptographic algorithm to resist statistical fault attack | |
CN114696994A (en) | Differential fault analysis and detection method for SM4 cryptographic algorithm | |
CN113949500A (en) | Attack method aiming at SM4 second-order energy analysis | |
Fouque et al. | Practical electromagnetic template attack on HMAC | |
Hou et al. | DNFA: Differential no-fault analysis of bit permutation based ciphers assisted by side-channel | |
Ghafoori et al. | PNB based differential cryptanalysis of Salsa20 and Chacha | |
CN110417540B (en) | Information encryption method for resisting differential power analysis | |
JP3782210B2 (en) | Crypto device | |
Li et al. | Single byte differential fault analysis on the LED lightweight cipher in the wireless sensor network | |
Tran et al. | A new S-box structure based on graph isomorphism | |
Joux et al. | Loosening the KNOT | |
Li et al. | An extension of differential fault analysis on AES | |
Takahashi et al. | Differential fault analysis on the AES key schedule | |
Joux et al. | Two attacks against the HBB stream cipher | |
CN114696993A (en) | Method for detecting fault analysis attack of final round reduction aiming at SM4 cryptographic algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||