
Chosen Ciphertext Combined Attack Based on Round-Reduced Fault Against SM2 Decryption Algorithm (基于减轮故障的SM2解密算法选择密文组合攻击)
Cited by: 1
Abstract: SM2 is a commercial elliptic-curve cryptographic algorithm suite designed in China. At present, implementation-security analysis of the SM2 decryption algorithm usually follows results obtained for generic elliptic-curve components, rather than the structure and characteristics of the algorithm itself. In addition, the hash and verification steps in SM2 decryption mean that most fault attacks, which need to exploit erroneous outputs, do not apply to it. Addressing this, and drawing on the safe-error class of fault attacks, this paper proposes a chosen-ciphertext combined attack that couples a round-reduced fault with side-channel analysis. The core of the attack is to change the number of rounds of the scalar multiplication loop by fault injection and then determine the exact number of faulty rounds by side-channel analysis. A chosen ciphertext is then constructed from a partial key guess together with a plaintext and a correct ciphertext and fed to the decryption device operating under that specific fault effect; the device's output reveals whether the partial key guess is correct, and the private key is recovered step by step. The paper also analyses the applicability of the attack to different scalar multiplication methods and to common countermeasures. Finally, practical attack experiments were carried out against an SM2 decryption implementation on an STM32F303 microcontroller (ARM Cortex-M4 core) using clock-glitch injection and simple power analysis, and the private key was successfully recovered. The experimental results show that the attack is feasible and practical.
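The attack procedure summarised in the abstract can be modelled end to end in software. The following Python program is an illustration added by the editor; it is not code from the paper or its authors. It uses the SM2 recommended curve parameters and the structure of SM2 decryption (S = [d]C1, t = KDF(x2 || y2), M' = C2 xor t, accept only if C3 = Hash(x2 || M' || y2)), but it makes several assumptions: the scalar multiplication is an MSB-first double-and-add loop over a fixed 256 iterations, the fault makes that loop exit after a known number of rounds r so the device computes [d >> (256 - r)]C1, the attacker already knows r (in the paper it is established by simple power analysis), SHA-256 stands in for SM3 in both the KDF and the hash, and the attacker generates a fresh C1 instead of reusing a captured ciphertext. The function names `scalar_mul`, `sm2_decrypt`, `build_chosen_ciphertext` and `recover_key` are the editor's, not the paper's.

```python
import hashlib
import secrets

# SM2 recommended curve (GB/T 32918.5-2017): y^2 = x^3 + a*x + b over GF(p)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None          # point at infinity
BITS = 256
H = hashlib.sha256  # assumption: SHA-256 stands in for SM3; only the structure matters here


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition (and doubling) on the SM2 curve."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul(k, pt, rounds=BITS):
    """MSB-first double-and-add over a fixed 256-iteration loop.  `rounds` models
    the assumed fault: the loop exits after `rounds` iterations, so only the top
    `rounds` bits of k are consumed and the result is [k >> (256 - rounds)]pt."""
    acc = INF
    for i in range(BITS - 1, BITS - 1 - rounds, -1):
        acc = ec_add(acc, acc)
        if (k >> i) & 1:
            acc = ec_add(acc, pt)
    return acc


def i2b(x): return x.to_bytes(32, "big")


def kdf(z, klen):
    """Counter-mode KDF with the shape of SM2's KDF (SM3 replaced by SHA-256)."""
    out, ct = b"", 1
    while len(out) < klen:
        out += H(z + ct.to_bytes(4, "big")).digest()
        ct += 1
    return out[:klen]


def sm2_decrypt(d, c1, c3, c2, rounds=BITS):
    """Decryption as structured in GB/T 32918.4.  Every failure returns None, so a
    faulty scalar multiplication never yields a usable wrong output; this is why
    fault attacks that exploit erroneous outputs do not apply to SM2 decryption."""
    s = scalar_mul(d, c1, rounds)
    if s is INF: return None
    x2, y2 = s
    t = kdf(i2b(x2) + i2b(y2), len(c2))
    if not any(t):                      # the standard rejects an all-zero t
        return None
    m = bytes(a ^ b for a, b in zip(c2, t))
    if H(i2b(x2) + m + i2b(y2)).digest() != c3:
        return None
    return m


def build_chosen_ciphertext(guess, c1, m):
    """Attacker side: (C1, C3, C2) that decrypts to m if and only if the device's
    truncated scalar equals `guess`.  Returns None when [guess]C1 is infinity."""
    s = scalar_mul(guess, c1)
    if s is INF: return None
    x2, y2 = s
    t = kdf(i2b(x2) + i2b(y2), len(m))
    c2 = bytes(a ^ b for a, b in zip(m, t))
    c3 = H(i2b(x2) + m + i2b(y2)).digest()
    return c1, c3, c2


def recover_key(faulty_device, nbits=BITS, m=b"chosen plaintext"):
    """Recover the top `nbits` bits of d, one bit per query.  faulty_device(c1, c3,
    c2, rounds) returns the plaintext or None; `rounds` is the round count the
    attacker induces by fault injection and confirms by SPA (assumed known)."""
    c1 = scalar_mul(secrets.randbelow(N - 1) + 1, G)   # any valid C1 serves
    prefix = 0
    for r in range(1, nbits + 1):
        guess = (prefix << 1) | 1          # hypothesis: the next key bit is 1
        ct = build_chosen_ciphertext(guess, c1, m)
        # safe-error logic: a correct guess yields m, any wrong guess an error
        bit = 1 if ct is not None and faulty_device(*ct, rounds=r) == m else 0
        prefix = (prefix << 1) | bit
    return prefix


if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1
    device = lambda c1, c3, c2, rounds: sm2_decrypt(d, c1, c3, c2, rounds)
    print("full private key recovered:", recover_key(device) == d)
```

Each query tests one hypothesis about the next key bit: the attacker computes [guess]C1 with the r-bit guess, derives C2 and C3 for a plaintext of its choosing, and hands the result to the device whose loop has been cut to r rounds. If the device's truncated scalar equals the guess, the hash check passes and the plaintext comes back; otherwise the check fails and the device returns an error, so the error/no-error outcome leaks the bit without any faulty output ever being released. In this model the device does not notice the early loop exit; a loop-counter integrity check, or a final verification that all 256 iterations ran, would break the model, which is the kind of countermeasure the paper's applicability analysis concerns.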
Authors: 李昊远 韩绪仓 曹伟琼 王舰 陈华 (LI Hao-yuan; HAN Xu-cang; CAO Wei-qiong; WANG Jian; CHEN Hua), Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China
Source: Acta Electronica Sinica (《电子学报》), 2023, No. 11, pp. 3187-3198 (12 pages). Indexed in EI, CAS, CSCD and the Peking University core journal list.
Funding: National Natural Science Foundation of China (No. 62172395).
Keywords: combined attack; round-reduced fault; side-channel attack; chosen ciphertext; safe-error; SM2 decryption