白盒SM4的中间值平均差分分析

doi:10.19665/j.issn1001-2400.2022.01.011

Abstract

Abstract:

In the white box attack context,the attacker has full access to the cryptographic system.In order to ensure the key security in the white box attack context,the concept of white-box cryptography is proposed.In 2016,BOS et al.proposed the differential computation analysis (DCA) by introducing the idea of side channel analysis into white-box cryptography for the first time,creating a new path of white box cryptography analysis.DCA takes the software execution trace in the running process of the white-box cryptography program as the analytical object,and uses the statistical analysis method to extract the key.Whether to master the design details of the white-box cryptography or not has little impact on the analysis.The white-box SM4 is the cryptographic implementation of the commercial cryptographic standard algorithm SM4 under the white-box security model.In order to evaluate the security of the white-box SM4 efficiently,a side channel analytical method is proposed for white-box SM4 implementation based on the research on the DCA,called Intermediate-values Mean Difference Analysis (IVMDA).IVMDA directly uses the intermediate value in the process of encryption for analysis,and uses linear combination to counteract the confusion of the white-box SM4.With the participation of at least 60 random plaintexts,the first round key can be completely extracted in about 8 minutes.Compared with the existing analytical methods,this method has the characteristics of convenient deployment,suitability for practical application environment and high analytical efficiency.

Key words: white box implementation, SM4, side channel analysis, differential computational analysis

CLC Number:

TN918.1

ZHANG Yueyu,XU Dong,CAI Zhiqiang,CHEN Jie. Analysis of the mean difference of intermediate-values in a white box SM4[J].Journal of Xidian University, 2022, 49(1): 111-120.

Figures/Tables 6

References 22

[1]	CHOW S T, EISEN P A, JOHNSON H J, et al. White-Box Cryptography and an AES Implementation[C]// Selected Areas in Cryptography.Heidelberg:Springer, 2002:250-270.
[2]	CHOW S T, EISEN P A, JOHNSON H J, et al. A White-Box DES Implementation for DRM Applications[C]// Digital Rights Management.Berlin:Springer, 2002:1-15.
[3]	BILLET O, GILBERT H, ECHCHATBI C, et al. Cryptanalysis of a White Box AES Implementation[C]// Lecture Notes in Computer Science.Heidelberg:Springer, 2004:227-240.
[4]	MICHIELS W, GORISSEN P, HOLLMANN H D, et al. Cryptanalysis of a Generic Class of White-Box Implementations[C]// Lecture Notes in Computer Science.Heidelberg:Springer, 2009:414-428.
[5]	BOS J W, HUBAIN C, MICHIELS W, et al. Differential Computation Analysis:Hiding Your White-Box Designs is Not Enough[C]// Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2016:215-236.
[6]	BIRYUKOV A, UDOVENKO A. Attacks and Countermeasures for White-Box Designs[C]// International Conference on the Theory and Application of Cryptology and Information Security. Berlin: Springer, 2018:373-402.
[7]	BOCK E A, BRZUSKA C, MICHIELS W, et al. On the Ineffectiveness of Internal Encodings - Revisiting the DCA Attack on White-Box Cryptography[C]// Applied Cryptography and Network Security. Berlin: Springer, 2018:103-120.
[8]	BREUNESSE C, KIZHVATOV I, MUIJRERS R, et al. Towards Fully Automated Analysis of Whiteboxes:Perfect Dimensionality Reduction for Perfect Leakage(2020)[J/OL]. [2020-12-09]. https://eprint.iacr.org/2018/095.pdf.
[9]	RIVAIN M, WANG J. Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box Implementations.[J]Cryptographic Hardware and Embedded Systems, 2019(2):225-255.
[10]	BOGDANOV A, RIVAIN M, VEIRE P S, et al. Higher-Order DCA Against Standard Side-Channel Countermeasures[C]// Constructive Side-Channel Analysis and Secure Design. Berlin: Springer, 2019:118-141.
[11]	国家标准化管理委员会. 信息安全技术SM 4分组密码算法(2020)[S/OL]. [2020-12-9]. http://c.gb688.cn/bzgk/gb/showGbtype=online&hcno=7803DE42D3BC5E80B0C3E5D8E873D56A.
[12]	肖雅莹, 来学嘉. 白盒密码及SMS 4算法的白盒实现[C]// 中国密码学会2009年会. 北京: 科学出版社, 2009:24-34.
[13]	林婷婷, 来学嘉. 对白盒SMS 4实现的一种有效攻击[J]. 软件学报, 2013, 24(9):2238-2249. doi: 10.3724/SP.J.1001.2013.04356
	LIN Tingting, LAI Xuejia. Efficient Attack to White-Box SMS 4 Implementation[J]. Journal of Software, 2013, 24(9):2238-2249. doi: 10.3724/SP.J.1001.2013.04356
[14]	SHI Y, WEI W, HE Z, et al. A Lightweight White-Box Symmetric Encryption Algorithm Against Node Capture for Wsns[J]. Sensors, 2015, 15(5):11928-11952. doi: 10.3390/s150511928
[15]	BAI K P, WU C K. A Secure White-Box SM 4 Implementation[J]. Security and Communication Networks, 2016, 9(10):996-1006. doi: 10.1002/sec.1394
[16]	潘文伦, 秦体红, 贾音, 等. 对两个SM 4白盒方案的分析[J]. 密码学报, 2018, 5(6):651-670.
	PAN Wenlun, QIN Tihong, JIA Yin, et al. Cryptanalysis of Two White-Box SM 4 Implementations[J]. Journal of Cryptologic Research, 2018, 5(6):651-670.
[17]	姚思, 陈杰. SM 4算法的一种新型白盒实现[J]. 密码学报, 2020, 7(3):358-374.
	YAO Si, CHEN Jie. A New Method for White-Box Implementation of SM 4 Algorithm[J]. Journal of Cryptologic Research, 2020, 7(3):358-374.
[18]	KOCHER P, JAFFE J, JUN B. Differential Power Analysis.[C]// Advances in Cryptology-CPYPTO'99. Berlin: Springer, 1999:388-397.
[19]	LUK C, COHN R S, MUTH R, et al. Pin:Building Customized Program Analysis Tools with Dynamic Instrumentation[J]. ACM SIGPLAN Notices, 2005, 40(6):190-200. doi: 10.1145/1064978.1065034
[20]	NETHERCOTE N, SEWARD J. Valgrind:A Framework for Heavyweight Dynamic Binary Instrumentation[J]. ACM SIGPLAN Notices, 2007, 42(6):89-100. doi: 10.1145/1273442.1250746
[21]	HYUNJIN A, DONG-GUK H. Multilateral White-Box Cryptanalysis:Case Study on WB-AES of CHES Challenge 2016(2020)[J/OL]. [2020-12-09]. https://eprint.iacr.org/2016/807.pdf.
[22]	姚思, 陈杰, 宫雅婷. CLEFIA算法的一种新型白盒实现[J]. 西安电子科技大学学报, 2020, 47(5):150-158.
	YAO Si, CHEN Jie, GONG Yating, et al. A New Method for White-Box Implementation of CLEFIA Algorithm[J]. Journal of Xidian University, 2020, 47(5):150-158.

明文数量	正确率/%	分析时长/min	Δ^key的最高值×10⁹	Δ^key的次高值×10⁹
200	100	27.60	2.124	1.011
150	100	20.40	2.215	1.091
100	100	13.60	2.199	1.297
80	100	11.05	2.305	1.394
70	100	10.20	2.213	1.461
60	100	8.05	2.276	1.655
50	75	6.80	2.305	1.791

分析方法	分析所需条件	分析步骤	分析过程计算复杂度	分析结果
IVMDA	掌握密码算法程序及其运行环境	多次运行白盒实现程序采集中间查表结果对采集的结果执行统计分析,提取轮密钥	集合的加、减、求平均值运算	用时8分钟计算出一轮的轮密钥
文献[13]	掌握密码算法程序及其运行环境完全掌握密码算法设计细节	恢复白盒实现中的仿射编码矩阵部分获取S盒的输入差分,计算仿射编码常数部分求解轮密钥	32阶矩阵乘法 32阶矩阵求逆 32阶矩阵方程组求解	以时间复杂度2⁴⁷ 确定轮密钥
文献[16]	掌握密码算法程序及其运行环境完全掌握密码算法设计细节	恢复白盒实现中仿射编码的矩阵部分恢复白盒实现中仿射编码的常数部分求解轮密钥	32阶矩阵乘法 32阶矩阵求逆 32阶矩阵方程组求解	给出肖-来白盒SM 4 方案的密钥搜索空间为61 200*2³²

Analysis of the mean difference of intermediate-values in a white box SM4

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 22

Related Articles 2

Metrics

Comments

Recommended 0

[1]	WANG Xingxin,HU Wei,TAN Jing,ZHU Jiacheng,TANG Shibo. Correlation fault attack on AES [J]. Journal of Xidian University, 2021, 48(4): 192-199.
[2]	HE Shiyang,LI Hui,LI Fenghua. Optimization and implementation of the SM4 on FPGA [J]. Journal of Xidian University, 2021, 48(3): 155-162.