Limin Guo,Lihui Wang,Qing Li,Zhimin Zhang,Dan Liu,Weijun Shan

DOI: https://doi.org/10.2991/iset-15.2015.25

2015-01-01

Abstract:HMAC algorithm is one of the most famous keyed hash functions, and widely utilized. And SM3 is the only standard hash algorithm of China. However, most cryptographic algorithms implementations are vulnerable against side channel attacks. But specific side channel attacks on HMAC-SM3 have not been given so far. This paper presents a first-order DPA attack on HMAC-SM3. HMAC-SM3 hash algorithm is based on the mixing of different algebraic operations, such as XOR and addition modulo 2(32), thus the proposed DPA attack is mainly against these basic group operations. Experimental results are given by attacking an implementation of HMAC-SM3 in a smart card, which demonstrate the practicability of such attacks described in this paper.

谢满德,沈海斌,竺红卫

DOI: https://doi.org/10.3969/j.issn.1004-3365.2004.06.003

2004-01-01

Abstract:The fundamental principle of differential power analysis (DPA) attacks against universal cryptosystems and a particular theory of DPA attacks against data encryption standard (DES) algorithm are described in detail. An improved algorithm is proposed for DPA. Based on the analysis of noise characteristics of the power signals, an approach to modeling the signal-to-noise ratio (SNR) is proposed and corresponding theory is demonstrated. Finally, experimental results of the algorithm are presented.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2011.70

2011-01-01

Abstract:In cryptography, a keyed-Hash Message Authentication Code (HMAC) is a type of message authentication code(MAC) calculated with a cryptographic hash function and a secret key. The security of the HMAC relies on the underlying hash function and the secret key. Whirlpool is a block cipher based hash algorithm that has been in public for about ten years. So far no effective attacks have been found on Whirlpool. As a result, HMAC with Whirlpool, i.e., HMAC-Whirlpool, is supposed to be secure. In this paper, we demonstrate that HMAC-Whirlpool is vulnerable to power analysis attacks. We designed two types of attacks: one is based on Differential Power Analysis (DPA) and the other on Correlation Power Analysis (CPA). We successfully launched the attacks at HMAC-Whirlpool running on an Atmel AVR processor. We also compared the attacks in terms of the number of power traces needed.

Ye Yuan,Kai-ge Qu,Li-ji Wu,Jia-wei Ma,Xiang-min Zhang

DOI: https://doi.org/10.1631/fitee.1800312

IF: 2.526

2019-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Hash-based message authentication code (HMAC) is widely used in authentication and message integrity. As a Chinese hash algorithm, the SM3 algorithm is gradually winning domestic market value in China. The side channel security of HMAC based on SM3 (HMAC-SM3) is still to be evaluated, especially in hardware implementation, where only intermediate values stored in registers have apparent Hamming distance leakage. In addition, the algorithm structure of SM3 determines the difficulty in HMAC-SM3 side channel analysis. In this paper, a skillful bit-wise chosen-plaintext correlation power attack procedure is proposed for HMAC-SM3 hardware implementation. Real attack experiments on a field programmable gate array (FPGA) board have been performed. Experimental results show that we can recover the key from the hypothesis space of 2256 based on the proposed procedure.

Limin Guo,Qing Li,Lihui Wang,Zhimin Zhang,Dan Liu,Weijun Shan

DOI: https://doi.org/10.2991/iset-15.2015.28

2015-01-01

Abstract:Dynamic password technology is one of the most widely utilized methods for identity authentication. The security of dynamic password system depends on the cryptographic strength of the underlying hash function. And SM3 is the only standard hash algorithm of China. However, most cryptographic algorithm implementations are vulnerable against side channel attacks. But specific side channel attacks on dynamic password token based on SM3 hash function have not been given so far. This paper presents a differential power analysis attack on dynamic password token based on SM3 algorithm. SM3 hash algorithm is based on the mixing of different algebraic operations, such as XOR and addition modulo 2(32), thus the proposed DPA attack is mainly against these basic group operations. Experimental results are given by attacking an implementation of generating dynamic password using SM3 algorithm in a smart card, which demonstrate the feasibility of such attacks described in this paper.

Limin Guo,Lihui Wang,Qing Li,Jun Yu,Peng Luo

DOI: https://doi.org/10.1109/cis.2015.92

2015-01-01

Abstract:Dynamic password technology is widely utilized for identity authentication, which depends on using hash functions, such as SM3. And SM3 hash algorithm is based on the mixing of different group operations, such as XOR and addition modulo 232. In this paper, we present two original first-order differential power analysis attacks on dynamic password token based on SM3 algorithm. The two proposed DPA attacks are against XOR and addition modulo 232 operation respectively. Experimental results show that dynamic password token based on SM3 algorithm is vulnerable to side channel attacks, no matter implemented in software or hardware. We also provide a masked implementation of the algorithm, which is designed to avoid those proposed attacks.

CQ Li,S Li,D Zhang,G Chen

DOI: https://doi.org/10.1049/ip-vis:20045234

2006-01-01

IEE Proceedings - Vision Image and Signal Processing

Abstract:A voice-over-Internet protocol technique with a new hierarchical data security protection (HDSP) scheme using a secret chaotic bit sequence has been recently proposed. Some insecure properties of the HDSP scheme are pointed out and then used to develop known/chosen-plaintext attacks. The main findings are: given n known plaintexts, about (100 - (50/2(n)))% of secret chaotic bits can be uniquely determined; given only one specially-chosen plaintext, all secret chaotic bits can be uniquely derived; and the secret key can be derived with practically small computational complexity when only one plaintext is known (or chosen). These facts reveal that HDSP is very weak against known/chosen-plaintext attacks. Experiments are given to show the feasibility of the proposed attacks. It is also found that the security of HDSP against the brute-force attack is not practically strong. Some countermeasures are discussed for enhancing the security of HDSP and several basic principles are suggested for the design of a secure encryption scheme.

Jia-wei Ma,Xu-guang Guan,Tong Zhou,Tao Sun

DOI: https://doi.org/10.1109/asicon.2017.8252479

2017-01-01

Abstract:With the application of Hash-based Message Authentication Code(HMAC) in the field of security, the research on its Side Channel Attack(SCA) has been paid more and more attention. In this paper, a new countermeasure against side channel attack for HMAC-SM3 is proposed, which uses the ring oscillator technology to construct the power disorder module. Through analyzing the power consumption of the improved HMAC-SM3 hardware circuit on FPGA, we proved the effectiveness of this countermeasure. Compared with the traditional masking protection technique, the power disorder module has the advantages of simpler design, less hardware cost, and no influence on the performance at all.

Guoqiang Bai,Hailiang Fu,Wei Li,Xingjun Wu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00210

2018-01-01

Abstract:This paper presents a practicable method of differential power attack on SM4 block cipher. We build the power acquisition platform based on SASEBO-G board. Through the platform, the encryption of SM4 algorithm is implemented in hardware and the power curves are obtained by the Agilent oscilloscope at the same time. The hamming weight of 8-bit output of S-box is selected as the power model to realize the DPA attack on MATLAB. Only 2000 power traces are needed to crack the sub-key byte in the first round of standard SM4 algorithm. The cost of DPA attack has been reduced more than 60% compared with the references which need at least 5000 power traces.

Shuang Qiu,Guoqiang Bai

DOI: https://doi.org/10.1109/ICCCNT.2014.6963131

2014-01-01

Abstract:SM4 (SMS4) algorithm is a block cipher used in the Chinese National Standard for WLAN WAPI. In this paper we investigate the vulnerability of SM4 FPGA (Field Programmable Array) implementation to differential power analysis (DPA). To tackle this issue, we review the theory behind the conventional DPA on DES and AES first. By comparing the differences in algorithm structure, we show that SM4 is more difficult to attack than DES and AES. Then, we concentrate on showing how “chosen-text DPA” can be applied to attack SM4 successfully while the conventional DPA is hardly effective. Experimental results against a FPGA implementation of SM4 demonstrate the inefficient of conventional DPA and the effectiveness of “chosen-text DPA”. In addition, proper countermeasures for SM4 are also discussed according to its DPA-related properties.

Cong Chen,Xiangyu Li,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/ICSICT.2010.5667831

2010-01-01

Abstract:In this paper, an automatic general-purpose Differential Power Analysis (DPA) System for cryptographic devices is designed and implemented. This system aims at testing the security of cryptographic devices, e.g., Smart Card, FPGA and ASIC circuit against DPA attacks. To verify the effectiveness of the system, a DPA attack was successfully carried out by it on an AES cryptographic ASIC chip which had countermeasures implemented in it. The experimental results showed that the correct cipher key of this AES chip could be obtained during less than 3 hours of data processing time with at least 5000 power traces.

Haoran Gong,Tailiang Ju

DOI: https://doi.org/10.1038/s41598-023-50220-2

IF: 4.6

2024-01-11

Scientific Reports

Abstract:Encryption chips are specialized integrated circuits that incorporate encryption algorithms for data encryption and decryption, ensuring data confidentiality and security. In China, the domestic SM4 algorithm is commonly utilized, as opposed to the international AES encryption algorithm. These widely implemented encryption standards have been proven to be difficult to crack through crypt analysis methods Currently, power consumption side-channel attacks are the most prevalent method. They involve capturing power consumption data during the encryption process and subsequently recovering the encryption key from this data. The two leading methods are Differential Power Analysis (DPA) and machine learning techniques. DPA does not necessitate prior knowledge but relies heavily on the number of power consumption curves. With only 50 power consumption data points, the accuracy is a mere 80%. Machine learning methods require prior knowledge, achieving an accuracy rate above 95% with only 30 power traces, albeit with training times typically exceeding 15 min. In this paper, a distributed energy analysis attack approach was presented based on Correlation Power Analysis (CPA). The power consumption data was divided into 16 subsets, with each subset corresponding to 8 bytes of the key. By training each subset separately, the 8-byte key's corresponding power consumption data is reduced to only 100 dimensions, resulting in a 76% decrease in cracking time and a 3% improvement in cracking accuracy rate.This article also trains a more complex 256 classification model to directly crack the final key, achieving a success rate of 28% in cracking 128-bit passwords with only 1 power trace

multidisciplinary sciences

Hang Yu,Zhenhao He,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/icasid.2019.8925299

2019-01-01

Abstract:The SM3-MAC algorithm is a Message Authentication Code (MAC) algorithm based on the SM3 hash algorithm proposed by Office of Security Commercial Code Administration in 2010. In this paper, a masking scheme for SM3-MAC algorithm using key mask is proposed. Then, 5,000 power traces are collected by software simulation with Hamming distance model. We can prove that the unmasked SM3-MAC hardware is vulnerable to first-order power analysis, while the masked SM3-MAC hardware does not have register leakage under the Hamming distance model. After that, the SAKURA-G FPGA board is used to collect two sets of power traces of the masked SM3-MAC hardware, each of which contains 3,000 traces. The Test Vector Leakage Assessment (TVLA) methodology proves that there is a 99.999% chance that no first-order power leakage is detected in the masked SM3-MAC hardware. Finally, the feasibility of second-order power analysis is discussed, and the effects of different pre-processing functions on correlation are investigated. A second-order test has been carried out to analyze the second-order security of the masked SM3-MAC hardware, which proves that there exists second-order leakage.

BAI Xue-fei,GUO Li,XU Yan-hua,LI Zhi-yuan

2009-01-01

Abstract:SMS4 algorithm is a block cipher used in WLAN products. In this paper, the differential power analysis attack on SMS4 algorithm is discussed. Based on analyses of the algorithm structure and principles of differential power analysis technologies, an attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128bit encryption key can be found out. The results of simulation experiments indicate that this attack method is effective and practical on SMS4 round operation. SMS4 algorithm is vulnerable to differential power analysis attacks, and cryptographic devices should be protected to prevent this kind of attacks.

lihui wang,qing li,zhimin zhang,weijun shan,davidwei zhang

DOI: https://doi.org/10.2991/iset-15.2015.33

2015-01-01

Abstract:Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems such as RSA. They are especially suited to smartcards because of the limited memory and computational power available on these devices. However, the side-channel attacks especially simple side-channel analysis (SPA) can obtain information about the cryptosystem by measuring power consumption and processing time. To resist this attack there appear a number of countermeasures and the most widely used methods are Montgomery ladder and double-and-add-always algorithm. This paper proposes a novel simple power analysis attack to these countermeasures. Experimental results on smart cards demonstrate that this attack method can retrieve secret keys by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Several countermeasures that can resist this kind of SPA attack are also demonstrated in this paper.

Xiaowei Han,Beibei Wang,An Wang,Liji Wu,Woogeun Rhee

DOI: https://doi.org/10.1109/CIS.2014.116

2014-01-01

Abstract:SM2 is a public-key cryptography algorithm which is based on elliptic curves. Since the side channel leakage of devices can be used to deduce the information of secret keys, algorithms to implement SM2 need to be improved. In this paper, we propose an initialized masking scalar multiplication algorithm (IMSM), a modified atomic point doubling and point addition algorithm (MADA), and a transformed formula countermeasure (TFCS). Analysis shows they can resist Simple Power Analysis (SPA), Differential Power Analysis and Template Attacks. IMSM and MADA have been verified to resist SPA on FPGA board successfully. Compared to Binary Expansion with RIP algorithm, 28.6% calculations can be saved when the scalar is divided into four parts, which is rather fast.

Xuefei Bai,Yanhua Xu,Li Guo

DOI: https://doi.org/10.1109/ICCS.2008.4737165

2008-01-01

Abstract:Differential power analysis is of great concern because it can be used to break implementations of almost any symmetric or asymmetric algorithm, and several countermeasures have been proposed to protect implementations of cryptographic algorithms except SMS4 cipher. In the present paper, we focus on the differential power analysis attack on SMS4 cipher, and suggest a secure masking scheme for SMS4 cipher, which is particularly suited for implementation in dedicated hardware. The masking scheme for the inversion presented in this article is based on composite field arithmetic, in which the inversion is shifted from GF(28) down to GF(22). In addition, several methods such as module reuse and changing computing order are employed to reduce circuit area and maintain its speed. Using SMIC 0.18 ¿m CMOS technology, the area of this improved SMS4 cipher is only about 25 k-gates and the frequency could be up to 50 MHz.

Xiaofei Dong,Fan Zhang,Samiya Queshi,Yiran Zhang,Ziyuan Liang,Bolin Yang,Feng Gao

DOI: https://doi.org/10.1109/asianhost.2018.8607162

2018-01-01

Abstract:Random delay insertion is a simple yet rather effective technique to increase the difficulty for traditional power analysis. However as compared to the random masking technique, it is uncommonly used as a countermeasure considering the frequency analysis. In this paper, it is investigated that the frequency analysis may not work as efficiently as expected when facing to advanced random delay countermeasures. Hence, a novel attack is proposed which is in the wavelet domain. After preprocessing the wavelet coefficients of power traces with wavelet decomposition, the effects of multiple random delays can be removed. Two attack strategies are proposed to recover the secret key: either indirectly from the reconstructed power traces without random delays or directly from the processed wavelet coefficients. Our experimental results show that the wavelet-based power analysis attack can perform much better than those frequency-based ones, which is evaluated through several standard metrics to show the efficiency and robustness.

Xiaoyun Wang,Hongbo Yu,Wei Wang,Haina Zhang,Tao Zhan

DOI: https://doi.org/10.1007/978-3-642-01001-9_7

2009-01-01

Abstract:In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2(97) queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2(126.1) messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx-MAC based on MD5. The MDx-MAC was proposed by Preneel and van Oorschot in Crypto'95 which uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 2(97) queries.

Xuefei Bai,Li Guo,Tie Li

DOI: https://doi.org/10.1109/iccsc.2008.136

2008-01-01

Abstract:SMS4 is a 128-bit block cipher used in the WAPI standard for protecting data packets in WLAN. In this paper, a differential power analysis attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128- bit encryption key can be found out. The results of simulation experiments indicate that this attack is effective and practical on the SMS4 cipher.