谢满德,沈海斌,竺红卫

DOI: https://doi.org/10.3969/j.issn.1004-3365.2004.06.003

2004-01-01

Abstract:The fundamental principle of differential power analysis (DPA) attacks against universal cryptosystems and a particular theory of DPA attacks against data encryption standard (DES) algorithm are described in detail. An improved algorithm is proposed for DPA. Based on the analysis of noise characteristics of the power signals, an approach to modeling the signal-to-noise ratio (SNR) is proposed and corresponding theory is demonstrated. Finally, experimental results of the algorithm are presented.

Guoqiang Bai,Hailiang Fu,Wei Li,Xingjun Wu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00210

2018-01-01

Abstract:This paper presents a practicable method of differential power attack on SM4 block cipher. We build the power acquisition platform based on SASEBO-G board. Through the platform, the encryption of SM4 algorithm is implemented in hardware and the power curves are obtained by the Agilent oscilloscope at the same time. The hamming weight of 8-bit output of S-box is selected as the power model to realize the DPA attack on MATLAB. Only 2000 power traces are needed to crack the sub-key byte in the first round of standard SM4 algorithm. The cost of DPA attack has been reduced more than 60% compared with the references which need at least 5000 power traces.

ZHOU Zhou,HE Yi-fan,SHEN Hai-bin,ZHAO Xu-xin

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.04.089

2007-01-01

Abstract:SMS4 algorithm is the domestic encryption standard released for WLAN use.An inner-round pipelined,high-speed engine is proposed after analyzing the features of this algorithm.By using pipelined or parallel multi-engines,throughput and hardware cost can be easily adjusted according to different applications.Compared with the 32-stage pipelined structure,hardware cost is much lower under the same throughput.Moreover,the SMS4 encryption/decryption system can easily fit in a low-cost Spartan II XC2S50 FPGA in a single-engine implementation.

Jin Yier,Shen Haibin,You Rongquan

DOI: https://doi.org/10.1109/CHINACOM.2006.344900

2007-01-01

Abstract:This paper describes two encryption designs of Chinese wireless local area network block cipher standard - SMS4 algorithm. Then these two designs are implemented on Xilinx Virtex-4 FPGA devices. The first (pipelined) design is optimized in order to reduce time delay and the encryption core has a throughput of 24Gb/s. The second (folded) design is optimized in order to minimize area coverage and the encryption core only needs 380 CLB slices with throughput of 740Mb/s. There are no known hardware implementations of an encryption SMS4 designs. © 2006 IEEE.

Zijing Jiang,Wenhao Yan,Wei Ding,Linlin Yue,Qun Ding

DOI: https://doi.org/10.1142/s0218127422501103

IF: 2.45

2022-06-30

International Journal of Bifurcation and Chaos

Abstract:SCA is one of the biggest threats to the security of encryption chip. It can crack the unprotected encryption chip at lower cost and faster speed, which weakens the security of the SM4 encryption algorithm circuit without any protection. In this paper, the SM4 encryption algorithm is implemented on FPGA. The pseudo-random sequence generated by discrete chaotic system is used to randomly mask the intermediate value in the SM4 encryption process. This will disrupt the power consumption in the encryption process, thus preventing power analysis. Experimental results show that the proposed chaotic mask scheme can effectively prevent intermediate value leakage and protect the SM4 encryption system from power analysis attack.

mathematics, interdisciplinary applications,multidisciplinary sciences

Sulong Tang,Liji Wu,Xiangmin Zhang,Xingjun Wu,Beibei Wang

DOI: https://doi.org/10.1109/cis.2016.0055

2016-01-01

Abstract:SM4 is a 128-bit block cipher used in the WAPI (Wireless LAN Authentication and Privacy Infrastructure) standard for protecting data packets in WLAN. This paper proposes a novel method of CPA (Correlation Power Analysis) on SM4 based on chosen-plaintext. Using SM4 as target algorithm, Sakura-G FPGA board as hardware verification platform, we only collect 1000 power consumption waveforms to obtain the first round key of SM4 successfully, significantly lowering the number of power consumption waveforms used in regular CPA.

Nengyuan Sun,Wenrui Liu,Jiafeng Cheng,Zhaokang Peng,Chunyang Wang,Caiban Sun,Heng Sha,Zhiyuan Pan,Ming Jin,Hongyang Zhao,Jinghe Wang,Yiming Wen,Pengliang Kong,Yunfeng Zhao,Yaoqiang Wang,Selcuk Kose,Weize Yu

DOI: https://doi.org/10.1002/cta.3962

IF: 2.378

2024-02-02

International Journal of Circuit Theory and Applications

Abstract:Regular SM4 cryptographic circuit is pretty vulnerable to higher order power attacks. The robustness of the proposed SM4 architecture against fourth‐order power attacks can be reinforced significantly by embedding four random number generators. In this letter, a novel secret merchant‐4 (SM4) cryptographic circuit implementation is proposed against higher order power analysis attacks (PAAs). Four different random number generators (RNGs) are embedded into the SM4 architecture for breaking the correlation between the processed data and monitored power dissipation against PAAs. Firstly, fake keys are created by the first RNG to scramble the critical information related with the actual secret key. Furthermore, the second RNG controls the implementations of substitution boxes (Sboxes) with composite fields or look‐up tables randomly while the third RNG randomizes the substitution locations with respect to these Sboxes. Ultimately, the fourth RNG randomly swaps the behaviors of the fake SM4 and true SM4 to further break the critical correlation. Under the assistance of the four embedded RNGs, the proposed SM4 cryptographic architecture is capable of resisting against fourth‐order PAAs effectively with a 300 Mbps throughput and 165,354 μ m2 area after synthesizing in the TSMC 90 nm process design kits (PDK).

engineering, electrical & electronic

Haoran Gong,Tailiang Ju

DOI: https://doi.org/10.1038/s41598-023-50220-2

IF: 4.6

2024-01-11

Scientific Reports

Abstract:Encryption chips are specialized integrated circuits that incorporate encryption algorithms for data encryption and decryption, ensuring data confidentiality and security. In China, the domestic SM4 algorithm is commonly utilized, as opposed to the international AES encryption algorithm. These widely implemented encryption standards have been proven to be difficult to crack through crypt analysis methods Currently, power consumption side-channel attacks are the most prevalent method. They involve capturing power consumption data during the encryption process and subsequently recovering the encryption key from this data. The two leading methods are Differential Power Analysis (DPA) and machine learning techniques. DPA does not necessitate prior knowledge but relies heavily on the number of power consumption curves. With only 50 power consumption data points, the accuracy is a mere 80%. Machine learning methods require prior knowledge, achieving an accuracy rate above 95% with only 30 power traces, albeit with training times typically exceeding 15 min. In this paper, a distributed energy analysis attack approach was presented based on Correlation Power Analysis (CPA). The power consumption data was divided into 16 subsets, with each subset corresponding to 8 bytes of the key. By training each subset separately, the 8-byte key's corresponding power consumption data is reduced to only 100 dimensions, resulting in a 76% decrease in cracking time and a 3% improvement in cracking accuracy rate.This article also trains a more complex 256 classification model to directly crack the final key, achieving a success rate of 28% in cracking 128-bit passwords with only 1 power trace

multidisciplinary sciences

Xuefei Bai,Yanhua Xu,Li Guo

DOI: https://doi.org/10.1109/ICCS.2008.4737165

2008-01-01

Abstract:Differential power analysis is of great concern because it can be used to break implementations of almost any symmetric or asymmetric algorithm, and several countermeasures have been proposed to protect implementations of cryptographic algorithms except SMS4 cipher. In the present paper, we focus on the differential power analysis attack on SMS4 cipher, and suggest a secure masking scheme for SMS4 cipher, which is particularly suited for implementation in dedicated hardware. The masking scheme for the inversion presented in this article is based on composite field arithmetic, in which the inversion is shifted from GF(28) down to GF(22). In addition, several methods such as module reuse and changing computing order are employed to reduce circuit area and maintain its speed. Using SMIC 0.18 ¿m CMOS technology, the area of this improved SMS4 cipher is only about 25 k-gates and the frequency could be up to 50 MHz.

Cong Chen,Xiangyu Li,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/ICSICT.2010.5667831

2010-01-01

Abstract:In this paper, an automatic general-purpose Differential Power Analysis (DPA) System for cryptographic devices is designed and implemented. This system aims at testing the security of cryptographic devices, e.g., Smart Card, FPGA and ASIC circuit against DPA attacks. To verify the effectiveness of the system, a DPA attack was successfully carried out by it on an AES cryptographic ASIC chip which had countermeasures implemented in it. The experimental results showed that the correct cipher key of this AES chip could be obtained during less than 3 hours of data processing time with at least 5000 power traces.

Wei Li,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/edssc.2019.8754041

2019-01-01

Abstract:In this paper, we executed a power analysis of hardware implementation of SM4 algorithm using machine learning classifiers (support vector machine (SVMs), Decision Trees (DT), k-Nearest Neighbor, (KNN), Ensemble learning (EB), etc.). We first download hardware design to the FPGA in power acquisition platform based on SASEBO-G board to obtain the power traces of SM4 during its encryption process. Then we introduced a machine learning method to the Hamming-weight attack model of SM4 algorithm. In the data preprocessing phase, principal component analysis (PCA) method was applied, and we explored how many points of interested (PoIs) should we take to achieve the best test accuracy. We have tried different kinds of classifiers and their performance against Gaussian noise. The results show that for different classifiers, the number of PoIs selected when achieving maximum precision is different, PCA can reduce the dimensions of power trace effectively but probably decrease the test accuracy. Furthermore, most of these classifiers have excellent resolution (up to 100%) for Gaussian noise superimposed on the power traces, which means that machine learning classifiers such like SVM and Decision Trees can compete with template attacks based on Gaussian distribution.

BAI Xue-fei,GUO Li,XU Yan-hua,LI Zhi-yuan

2009-01-01

Abstract:SMS4 algorithm is a block cipher used in WLAN products. In this paper, the differential power analysis attack on SMS4 algorithm is discussed. Based on analyses of the algorithm structure and principles of differential power analysis technologies, an attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128bit encryption key can be found out. The results of simulation experiments indicate that this attack method is effective and practical on SMS4 round operation. SMS4 algorithm is vulnerable to differential power analysis attacks, and cryptographic devices should be protected to prevent this kind of attacks.

Xiaowei Han,Beibei Wang,An Wang,Liji Wu,Woogeun Rhee

DOI: https://doi.org/10.1109/CIS.2014.116

2014-01-01

Abstract:SM2 is a public-key cryptography algorithm which is based on elliptic curves. Since the side channel leakage of devices can be used to deduce the information of secret keys, algorithms to implement SM2 need to be improved. In this paper, we propose an initialized masking scalar multiplication algorithm (IMSM), a modified atomic point doubling and point addition algorithm (MADA), and a transformed formula countermeasure (TFCS). Analysis shows they can resist Simple Power Analysis (SPA), Differential Power Analysis and Template Attacks. IMSM and MADA have been verified to resist SPA on FPGA board successfully. Compared to Binary Expansion with RIP algorithm, 28.6% calculations can be saved when the scalar is divided into four parts, which is rather fast.

Shuang QIU,Guo-qiang BAI,Hong-yi CHEN

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.02.006

2015-01-01

Abstract:By mounting an actual DPA against FPGA implementation of SM 4 , the DPA resistance of linear component in SM4 has been discovered .Furthermore ,the DPA resistance of linear component in block ciphers has been generalized ,thus an algorithmic DPA countermeasures is proposed .This work also completes a successful DPA against a hardware implementation of SM 4 for the first time .

Wen-jing HU,An WANG,Li-ji WU,Xin-jun XIE

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.04.004

2015-01-01

Abstract:Currently ,in public researches about SM4 power attack ,the power traces are generated by computer simulation or software implementation .However ,this is different with hardware implementation which is used in actual .A research of a SM4 algorithm hardware implementation is given out ,which is applied in market .we download the Verilog code to a SAKURA‐G board , and collect the power traces when it actually operates . Correlation Power Analysis method is used to analyze the leakage of the input of the S‐box in the first round ,the output of the S‐box in the first round and the output registers of the first round .We recovered the sub‐key of the first round .By the same method ,we can recover the sub‐keys of round 2‐4 ,and eventually get the 128‐bit key .

Jiahao Fang,Liji Wu,Xiangming Zhang

DOI: https://doi.org/10.1109/asid52932.2021.9651700

2021-01-01

Abstract:SM2 algorithm has been widely used in the field of financial IC cards. However, it is easy to be attacked by the side channel, and Simple Power Analysis (SPA) is the most common attack method. An atomic point addition and point doubling algorithms is proposed to be used in SM2 algorithm against SPA. Based on the software and hardware co-design with SAKURA-G FPGA board, the correctness of the algorithm is verified in the 256-bit SM2 digital signature algorithm, and the power consumption curves are collected. Experiments show that the atomic algorithm improves the ability to resist SPA in SM2.

Xuefei Bai,Li Guo,Tie Li

DOI: https://doi.org/10.1109/iccsc.2008.136

2008-01-01

Abstract:SMS4 is a 128-bit block cipher used in the WAPI standard for protecting data packets in WLAN. In this paper, a differential power analysis attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128- bit encryption key can be found out. The results of simulation experiments indicate that this attack is effective and practical on the SMS4 cipher.

Weijun Shan,Chi Zhang,Qing Li,Jun Yu

DOI: https://doi.org/10.1109/icnisc57059.2022.00103

2022-01-01

Abstract:This paper presents a lightweight countermeasure scheme of SM4 cryptographic algorithm against side channel analysis attacks. SM4 is one of the widely used block ciphers in information computing and data communication. However, as it is usually implemented in cryptographic devices, it is definitely under the threat of side channel analysis attacks. Some schemes of implementations have been provided as the countermeasures against the side channel analysis attacks, which leads to a relatively complicated realization on both cost and performance. This paper proposes a new mask scheme for SM4 implementation with lightweight cost and low performance loss. Experiment results show the effectiveness of the method against the side channel analysis attacks.

Hailiang Fu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1007/978-3-319-59608-2_39

2016-01-01

Abstract:Implementations of the SM4 algorithm, including different hardware applications with limited resources, are vulnerable to Side-Channel Attacks. This paper presents a countermeasure against such attacks by adding a random “mask” to the input plaintext and protect all variables through the whole encryption process. As is known to all, the unique nonlinear step in each round of SM4 algorithm is the “S-Box” and the previous works using lookup-table method to implement the S-Box always incur large area and high power. Here we give the compact design of masked S-Box using the normal basis in the composite field (consisting of a Galois inversion and several affine transformations). Then we compute the different masks diffused to all the steps in the SM4 algorithm process. The proposed design results in ultra-low cost of hardware and capability to resist first-order differential power analysis (DPA), which is suitable for the resource constrained devices. The synthesis result of masked S-Box shows that the area under the SMIC 0.13 (upmu )m is only about 978-gates, 46.8% fewer than the other works. Further, we apply the pipeline technique to our proposed “masked S-Box”, thereby to the whole masked SM4 algorithm. The results of FPGA implementation present that our works have achieved an ultra-high speed with frequency nearly 551 MHz and the throughput over 70 Gbps.

Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.