Zijing Jiang,Wenhao Yan,Wei Ding,Linlin Yue,Qun Ding

DOI: https://doi.org/10.1142/s0218127422501103

IF: 2.45

2022-06-30

International Journal of Bifurcation and Chaos

Abstract:SCA is one of the biggest threats to the security of encryption chip. It can crack the unprotected encryption chip at lower cost and faster speed, which weakens the security of the SM4 encryption algorithm circuit without any protection. In this paper, the SM4 encryption algorithm is implemented on FPGA. The pseudo-random sequence generated by discrete chaotic system is used to randomly mask the intermediate value in the SM4 encryption process. This will disrupt the power consumption in the encryption process, thus preventing power analysis. Experimental results show that the proposed chaotic mask scheme can effectively prevent intermediate value leakage and protect the SM4 encryption system from power analysis attack.

mathematics, interdisciplinary applications,multidisciplinary sciences

Shuang Qiu,Guoqiang Bai

DOI: https://doi.org/10.1109/ICCCNT.2014.6963131

2014-01-01

Abstract:SM4 (SMS4) algorithm is a block cipher used in the Chinese National Standard for WLAN WAPI. In this paper we investigate the vulnerability of SM4 FPGA (Field Programmable Array) implementation to differential power analysis (DPA). To tackle this issue, we review the theory behind the conventional DPA on DES and AES first. By comparing the differences in algorithm structure, we show that SM4 is more difficult to attack than DES and AES. Then, we concentrate on showing how “chosen-text DPA” can be applied to attack SM4 successfully while the conventional DPA is hardly effective. Experimental results against a FPGA implementation of SM4 demonstrate the inefficient of conventional DPA and the effectiveness of “chosen-text DPA”. In addition, proper countermeasures for SM4 are also discussed according to its DPA-related properties.

Haoran Gong,Tailiang Ju

DOI: https://doi.org/10.1038/s41598-023-50220-2

IF: 4.6

2024-01-11

Scientific Reports

Abstract:Encryption chips are specialized integrated circuits that incorporate encryption algorithms for data encryption and decryption, ensuring data confidentiality and security. In China, the domestic SM4 algorithm is commonly utilized, as opposed to the international AES encryption algorithm. These widely implemented encryption standards have been proven to be difficult to crack through crypt analysis methods Currently, power consumption side-channel attacks are the most prevalent method. They involve capturing power consumption data during the encryption process and subsequently recovering the encryption key from this data. The two leading methods are Differential Power Analysis (DPA) and machine learning techniques. DPA does not necessitate prior knowledge but relies heavily on the number of power consumption curves. With only 50 power consumption data points, the accuracy is a mere 80%. Machine learning methods require prior knowledge, achieving an accuracy rate above 95% with only 30 power traces, albeit with training times typically exceeding 15 min. In this paper, a distributed energy analysis attack approach was presented based on Correlation Power Analysis (CPA). The power consumption data was divided into 16 subsets, with each subset corresponding to 8 bytes of the key. By training each subset separately, the 8-byte key's corresponding power consumption data is reduced to only 100 dimensions, resulting in a 76% decrease in cracking time and a 3% improvement in cracking accuracy rate.This article also trains a more complex 256 classification model to directly crack the final key, achieving a success rate of 28% in cracking 128-bit passwords with only 1 power trace

multidisciplinary sciences

Guoqiang Bai,Hailiang Fu,Wei Li,Xingjun Wu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00210

2018-01-01

Abstract:This paper presents a practicable method of differential power attack on SM4 block cipher. We build the power acquisition platform based on SASEBO-G board. Through the platform, the encryption of SM4 algorithm is implemented in hardware and the power curves are obtained by the Agilent oscilloscope at the same time. The hamming weight of 8-bit output of S-box is selected as the power model to realize the DPA attack on MATLAB. Only 2000 power traces are needed to crack the sub-key byte in the first round of standard SM4 algorithm. The cost of DPA attack has been reduced more than 60% compared with the references which need at least 5000 power traces.

Sulong Tang,Liji Wu,Xiangmin Zhang,Xingjun Wu,Beibei Wang

DOI: https://doi.org/10.1109/cis.2016.0055

2016-01-01

Abstract:SM4 is a 128-bit block cipher used in the WAPI (Wireless LAN Authentication and Privacy Infrastructure) standard for protecting data packets in WLAN. This paper proposes a novel method of CPA (Correlation Power Analysis) on SM4 based on chosen-plaintext. Using SM4 as target algorithm, Sakura-G FPGA board as hardware verification platform, we only collect 1000 power consumption waveforms to obtain the first round key of SM4 successfully, significantly lowering the number of power consumption waveforms used in regular CPA.

Wen-jing HU,An WANG,Li-ji WU,Xin-jun XIE

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.04.004

2015-01-01

Abstract:Currently ,in public researches about SM4 power attack ,the power traces are generated by computer simulation or software implementation .However ,this is different with hardware implementation which is used in actual .A research of a SM4 algorithm hardware implementation is given out ,which is applied in market .we download the Verilog code to a SAKURA‐G board , and collect the power traces when it actually operates . Correlation Power Analysis method is used to analyze the leakage of the input of the S‐box in the first round ,the output of the S‐box in the first round and the output registers of the first round .We recovered the sub‐key of the first round .By the same method ,we can recover the sub‐keys of round 2‐4 ,and eventually get the 128‐bit key .

Weijun Shan,Chi Zhang,Qing Li,Jun Yu

DOI: https://doi.org/10.1109/icnisc57059.2022.00103

2022-01-01

Abstract:This paper presents a lightweight countermeasure scheme of SM4 cryptographic algorithm against side channel analysis attacks. SM4 is one of the widely used block ciphers in information computing and data communication. However, as it is usually implemented in cryptographic devices, it is definitely under the threat of side channel analysis attacks. Some schemes of implementations have been provided as the countermeasures against the side channel analysis attacks, which leads to a relatively complicated realization on both cost and performance. This paper proposes a new mask scheme for SM4 implementation with lightweight cost and low performance loss. Experiment results show the effectiveness of the method against the side channel analysis attacks.

Hailiang Fu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1007/978-3-319-59608-2_39

2016-01-01

Abstract:Implementations of the SM4 algorithm, including different hardware applications with limited resources, are vulnerable to Side-Channel Attacks. This paper presents a countermeasure against such attacks by adding a random “mask” to the input plaintext and protect all variables through the whole encryption process. As is known to all, the unique nonlinear step in each round of SM4 algorithm is the “S-Box” and the previous works using lookup-table method to implement the S-Box always incur large area and high power. Here we give the compact design of masked S-Box using the normal basis in the composite field (consisting of a Galois inversion and several affine transformations). Then we compute the different masks diffused to all the steps in the SM4 algorithm process. The proposed design results in ultra-low cost of hardware and capability to resist first-order differential power analysis (DPA), which is suitable for the resource constrained devices. The synthesis result of masked S-Box shows that the area under the SMIC 0.13 (upmu )m is only about 978-gates, 46.8% fewer than the other works. Further, we apply the pipeline technique to our proposed “masked S-Box”, thereby to the whole masked SM4 algorithm. The results of FPGA implementation present that our works have achieved an ultra-high speed with frequency nearly 551 MHz and the throughput over 70 Gbps.

Chao Jin,Zhejing Bao,Weiwei Miao,Zeng,Xiaogang Wei,Rui Zhang

DOI: https://doi.org/10.1109/access.2023.3290211

2021-01-01

Abstract:The white-box implementation of cryptography algorithm can hide key information even in the white-box attack context owing to the means of obfuscation. However, under the deliberately designed attack, there is still a risk of the information being recovered within a certain time complexity. In this paper, a lightweight nonlinear white-box SM4 implementation is proposed to prevent several typical attacks from extracting the secret key, which hides the encryption and decryption process in obfuscated lookup tables. Aiming to improve the diversity and ambiguity of the lookup tables as well as resist the different types of white-box attacks, the random bijective nonlinear mappings are applied as scrambling encodings of the lookup tables. Moreover, the memory occupation of the implementation doesn't increase significantly by simplifying the structure and using concatenation code. Through several quantitative indicators, including memory size, diversity, ambiguity, the time complexity required to extract the key, and the value space of the key and external encodings, it is proved that the security of the proposed implementation could been enhanced significantly, while no sacrificing the practicality, compared with the existing schemes.

Xiaowei Han,Beibei Wang,An Wang,Liji Wu,Woogeun Rhee

DOI: https://doi.org/10.1109/CIS.2014.116

2014-01-01

Abstract:SM2 is a public-key cryptography algorithm which is based on elliptic curves. Since the side channel leakage of devices can be used to deduce the information of secret keys, algorithms to implement SM2 need to be improved. In this paper, we propose an initialized masking scalar multiplication algorithm (IMSM), a modified atomic point doubling and point addition algorithm (MADA), and a transformed formula countermeasure (TFCS). Analysis shows they can resist Simple Power Analysis (SPA), Differential Power Analysis and Template Attacks. IMSM and MADA have been verified to resist SPA on FPGA board successfully. Compared to Binary Expansion with RIP algorithm, 28.6% calculations can be saved when the scalar is divided into four parts, which is rather fast.

Youqi Li,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/icsict.2018.8564874

2018-01-01

Abstract:Chips in Internet of Things devices require extremely low power consumption and excellent security. In this paper, we present the first implementation of the SM4 algorithm literally. Taking advantage of asynchronous dual-rail domino logic pipeline, which can naturally avoid abundant request signals and register flips, the power consumption of SM4 can be largely reduced. Prototyped on SMIC 0.18um technology, we designed an asynchronous pipeline architecture of SM4 encryption algorithm. Compared with synchronous designs [2], our design has smaller area and lower power consumption while possess strong resistance to side channel attack spontaneously. The circuit simulation results show that the full pipeline SM4 algorithm can achieve 21.26Gbps throughput, while a single round of encryption costs just 6.07mW on average with the delay 2.8ns. For comparison, we normalized the throughput to [2] and get a 20x improvement on power consumption.

Ruolin Zhang,Zejun Xiang,Shasha Zhang,Xiangyong Zeng,Min Song

DOI: https://doi.org/10.1049/2024/7047055

2024-06-25

IET Information Security

Abstract:The SM4 block cipher is standardized in ISO/IEC, and it is also the national standard of commercial cryptography in China. In this paper, we propose two new techniques called "split‐and‐join" and "off‐peak and stagger" to make SM4 more applicable to resource‐constrained environments. The area optimization method uses a 1‐bit data path while reducing the number of registers from 64 to 8 and the number of XOR gates from 194 to 8. As a result, we report a 1‐bit‐serial SM4 encryption circuit that occupies 1771 GE with a latency of 2,336 cycles. Additionally, the "off‐peak and stagger" technique compresses all the operations within the state update and key schedule into 32 clock cycles to reduce the latency. In other words, it takes 32 clock cycles to complete one round encryption. The new circuit occupies 1861 GE with a latency of 1,344 cycles. Moreover, we also discuss how to further reduce the latency by increasing the data path with a small area overhead to provide wider area‐latency tradeoffs for SM4. Our designs make SM4 competitive with many ciphers specifically designed for lightweight cryptography.

computer science, information systems, theory & methods

Jiachao Chen,Qin Wang,Zheng Guo,Junrong Liu,Haihua Gu

DOI: https://doi.org/10.1109/CIS.2015.96

2015-01-01

Abstract:As the first official published commercial block cipher standard of China, SMS4 has been widely used in local area wireless product. Although the algorithm is proved to be secure enough mathematically, when implemented in hardware, it is vulnerable to differential power analysis (DPA), especially using chosen plaintext method. In order to discuss countermeasures against DPA, we present a secure circuit design of SMS4 combining hiding and masking techniques in this paper. For the trade-off between area and speed, we use additive masking and fix masking for the linear operations and S-box respectively. Hiding technique is applied to make power traces harder to align to increase the difficulty of attacking. We implement our scheme in a side channel evaluation board and analyze the collected power traces. Our experimental results show that the designed circuit has a good performance in DPA-resistance.

Wei Li,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/edssc.2019.8754041

2019-01-01

Abstract:In this paper, we executed a power analysis of hardware implementation of SM4 algorithm using machine learning classifiers (support vector machine (SVMs), Decision Trees (DT), k-Nearest Neighbor, (KNN), Ensemble learning (EB), etc.). We first download hardware design to the FPGA in power acquisition platform based on SASEBO-G board to obtain the power traces of SM4 during its encryption process. Then we introduced a machine learning method to the Hamming-weight attack model of SM4 algorithm. In the data preprocessing phase, principal component analysis (PCA) method was applied, and we explored how many points of interested (PoIs) should we take to achieve the best test accuracy. We have tried different kinds of classifiers and their performance against Gaussian noise. The results show that for different classifiers, the number of PoIs selected when achieving maximum precision is different, PCA can reduce the dimensions of power trace effectively but probably decrease the test accuracy. Furthermore, most of these classifiers have excellent resolution (up to 100%) for Gaussian noise superimposed on the power traces, which means that machine learning classifiers such like SVM and Decision Trees can compete with template attacks based on Gaussian distribution.

dan zhang,guoqiang bai

DOI: https://doi.org/10.1109/edssc.2015.7285166

2015-01-01

Abstract:In this paper, we propose a high-performance implementation of elliptic curve cryptography over SCA-256 prime field by introducing an all-new isochronous architecture, which can also resist power-analysis attack. By modifying Montgomery ladder-based scalar multiplication, point addition (PA) and point double (PD) can operate synchronously, resisting simple power analysis (SPA) and double attack with minimum time-cost. Then PA and PD are designed to be strictly isochronous units by matching our configurable modular multiplication unit of pipelined stage. Both algorithm and hardware schedule are optimized from bottom to up, random cycles are also inserted to resist differential power analysis (DPA). In the hardware evaluation using CMOS standard cell library of 0.13 mu m, our ECC processor achieves 211 mu s and 8.5 mu J for one scalar multiplication with 208k gate counts. Compared to other related designs, our architecture offers not only 2 similar to 6 times better area-time product but also great power analysis resistance.

Zhanzhan Chen,Liji Wu,Zhenhui Zhang,Dehang Xiao,Xiangmin Zhang,Yan Liu

DOI: https://doi.org/10.1109/asid56930.2022.9995777

2022-01-01

Abstract:SM2 algorithm is widely used in financial IC cards. It has the advantages of fast operation speed and short signature, but it may also contain security vulnerabilities. Attackers can crack the secret key via Simple Power Analysis (SPA), which is the inexpensive and extremely effective method, causing a great threat to the security of SM2 algorithm. In order to improve the safety of SM2 algorithm, this paper introduces atomic algorithm to implement point addition and point doubling operation, and proposes precomputed Non Adjacent Form (NAF) random window algorithm to achieve scalar multiplication. Based on experimental analysis with SAKURA-G FPGA board, the improved SM2 algorithm can resist successfully SPA. Compared with the original algorithm, the time of computation is reduced by 67.5%, and the number of slice registers has increased by less than 5%. The security and speed of SM2 algorithm has been significantly improved.

Tianyi Shao,Bohua Wei,Yu Ou,Yongzhuang Wei,Xiaonian Wu

DOI: https://doi.org/10.1007/s10836-023-06076-5

2023-01-01

Journal of Electronic Testing

Abstract:As SM4 block cipher has become an ISO/IEC international encryption standard in June 2020, the security of SM4 against side-channel analysis (SCA) is highly valued by academic community. Threshold implementation (TI) scheme is a common countermeasure against SCA. However, the implementation of a high-order TI scheme can be costly. How to improve the resistance of SM4 implementation against high-order SCA without significant increasing the cost appears to be an important task. In this article, a new SM4 second-order TI scheme is proposed based on the tower field decomposition of 8-bits inverter. In more detail, by performing the tower field decomposition twice in the SM4 S-box, the inverse and multiplication operations on finite field are transformed into inverse and multiplication operations on tower field, thus reducing the algebraic order of the decomposed S-box from 7 to 2. Then, the design and implementation of our scheme with 3 shares is illustrated based on the decomposed S-box. Compared with the best-known TI of the S-box in the SM4, our scheme uses smaller number of register stages. The circuit area of S-box is reduced by 48.6%. The number of fresh randomness required in a single round operation is 96 bits. Moreover, both the second-order t-test with 10 million power traces and the correlation power analysis are performed, thus verifying the second-order security of this scheme.

Yan Ting Ren,Li Ji Wu

DOI: https://doi.org/10.4028/www.scientific.net/amr.718-720.2376

2013-01-01

Advanced Materials Research

Abstract:In order to test the security of cryptographic devices against Side Channel Attacks (SCA), an automatic general-purpose power analysis system (TH-PAS-01) is designed and implemented. TH-PAS-01 is scalable and can be applied to many cryptographic devices when specific modules are installed. Using the system TH-PAS-01, correlation power analysis (CPA) are carried out on an AES chip under two working models: normal and shuffling mode. The security level of the countermeasure provided by the target chip is verified by TH-PAS-01. The experimental results show that the correct key of the AES chip is obtained with around 50,000 power traces when the chip was working under normal mode, while the whole key bits are not obtained with 960,000 power traces when the chip works under shuffling mode. The automatic general-purpose system TH-PAS-01 is feasible for security analysis on power analysis for cryptographic devices.

Xiaowei Han,Liji Wu,Beibei Wang,An Wang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20150052

2016-01-01

Abstract:SM2 algorithms are commercial elliptic curve public‐key algorithms ,which are released by Chinese Cryptography Administration and similar to ECC . Traditional cryptographic algorithms always have security flaws .Attackers often attack on security weaknesses of algorithms and analyze the secret‐key ,which poses great threat to cryptographic systems and peoples’ property .There are various kinds of attacks ,such as power attack ,fault attack and electromagnetic attack .Among these attacks ,power attack is the most traditional one ,which has many advantages such as small secret‐key searching space and high analysis efficiency .Usually ,power attack utilizes the power leakage during operation processes of cryptographic algorithms ,acquires power waves and retrieves the secret key .In order to resist power attack and enhance the security of SM 2 algorithms , this article learns from elliptic curve cryptography algorithms ,applies the atomic concept into SM2 and proposes a novel atomic algorithm . According to theoretical comparison between the proposed algorithm and other former algorithms ,it show s that the proposed algorithm saves 27 .4% of computation in comparison to double‐and‐add always algorithm . Besides , it has less computation amount than other atomic algorithms .Furthermore ,implementation has been fulfilled on SAKURA‐G FPGA board .Simulation results demonstrate that the proposed algorithm can resist simple power attack successfully .

Rusi Wang,Hua Guo,Jiqiang Lu,Jianwei Liu

DOI: https://doi.org/10.1049/ise2.12045

2021-01-01

IET Information Security

Abstract:White-box cryptography is to primarily protect the key of a cipher from being extracted in a white-box scenario, where an adversary has full access to the execution environment of software implementation. Since the introduction of white-box cryptography, a number of white-box implementations of the Chinese SM4 block cipher standard have been proposed, and all of them have been attacked based on Billet et al.'s attack. In this study, we show that collision-based attack can work more efficiently on Shi et al.'s white-box SM4 implementation than the previously published attacks, by devising an attack with a time complexity of 223, significantly reducing the previously known time complexity of 249 to a very practical level. Our attack can also be similarly applied to some other white-box SM4 implementations.