ZHOU Zhou,HE Yi-fan,SHEN Hai-bin,ZHAO Xu-xin

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.04.089

2007-01-01

Abstract:SMS4 algorithm is the domestic encryption standard released for WLAN use.An inner-round pipelined,high-speed engine is proposed after analyzing the features of this algorithm.By using pipelined or parallel multi-engines,throughput and hardware cost can be easily adjusted according to different applications.Compared with the 32-stage pipelined structure,hardware cost is much lower under the same throughput.Moreover,the SMS4 encryption/decryption system can easily fit in a low-cost Spartan II XC2S50 FPGA in a single-engine implementation.

Shuang Qiu,Guoqiang Bai

DOI: https://doi.org/10.1109/ICCCNT.2014.6963131

2014-01-01

Abstract:SM4 (SMS4) algorithm is a block cipher used in the Chinese National Standard for WLAN WAPI. In this paper we investigate the vulnerability of SM4 FPGA (Field Programmable Array) implementation to differential power analysis (DPA). To tackle this issue, we review the theory behind the conventional DPA on DES and AES first. By comparing the differences in algorithm structure, we show that SM4 is more difficult to attack than DES and AES. Then, we concentrate on showing how “chosen-text DPA” can be applied to attack SM4 successfully while the conventional DPA is hardly effective. Experimental results against a FPGA implementation of SM4 demonstrate the inefficient of conventional DPA and the effectiveness of “chosen-text DPA”. In addition, proper countermeasures for SM4 are also discussed according to its DPA-related properties.

Wen-jing HU,An WANG,Li-ji WU,Xin-jun XIE

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.04.004

2015-01-01

Abstract:Currently ,in public researches about SM4 power attack ,the power traces are generated by computer simulation or software implementation .However ,this is different with hardware implementation which is used in actual .A research of a SM4 algorithm hardware implementation is given out ,which is applied in market .we download the Verilog code to a SAKURA‐G board , and collect the power traces when it actually operates . Correlation Power Analysis method is used to analyze the leakage of the input of the S‐box in the first round ,the output of the S‐box in the first round and the output registers of the first round .We recovered the sub‐key of the first round .By the same method ,we can recover the sub‐keys of round 2‐4 ,and eventually get the 128‐bit key .

Guoqiang Bai,Hailiang Fu,Wei Li,Xingjun Wu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00210

2018-01-01

Abstract:This paper presents a practicable method of differential power attack on SM4 block cipher. We build the power acquisition platform based on SASEBO-G board. Through the platform, the encryption of SM4 algorithm is implemented in hardware and the power curves are obtained by the Agilent oscilloscope at the same time. The hamming weight of 8-bit output of S-box is selected as the power model to realize the DPA attack on MATLAB. Only 2000 power traces are needed to crack the sub-key byte in the first round of standard SM4 algorithm. The cost of DPA attack has been reduced more than 60% compared with the references which need at least 5000 power traces.

Nengyuan Sun,Wenrui Liu,Jiafeng Cheng,Zhaokang Peng,Chunyang Wang,Caiban Sun,Heng Sha,Zhiyuan Pan,Ming Jin,Hongyang Zhao,Jinghe Wang,Yiming Wen,Pengliang Kong,Yunfeng Zhao,Yaoqiang Wang,Selcuk Kose,Weize Yu

DOI: https://doi.org/10.1002/cta.3962

IF: 2.378

2024-02-02

International Journal of Circuit Theory and Applications

Abstract:Regular SM4 cryptographic circuit is pretty vulnerable to higher order power attacks. The robustness of the proposed SM4 architecture against fourth‐order power attacks can be reinforced significantly by embedding four random number generators. In this letter, a novel secret merchant‐4 (SM4) cryptographic circuit implementation is proposed against higher order power analysis attacks (PAAs). Four different random number generators (RNGs) are embedded into the SM4 architecture for breaking the correlation between the processed data and monitored power dissipation against PAAs. Firstly, fake keys are created by the first RNG to scramble the critical information related with the actual secret key. Furthermore, the second RNG controls the implementations of substitution boxes (Sboxes) with composite fields or look‐up tables randomly while the third RNG randomizes the substitution locations with respect to these Sboxes. Ultimately, the fourth RNG randomly swaps the behaviors of the fake SM4 and true SM4 to further break the critical correlation. Under the assistance of the four embedded RNGs, the proposed SM4 cryptographic architecture is capable of resisting against fourth‐order PAAs effectively with a 300 Mbps throughput and 165,354 μ m2 area after synthesizing in the TSMC 90 nm process design kits (PDK).

engineering, electrical & electronic

Haoran Gong,Tailiang Ju

DOI: https://doi.org/10.1038/s41598-023-50220-2

IF: 4.6

2024-01-11

Scientific Reports

Abstract:Encryption chips are specialized integrated circuits that incorporate encryption algorithms for data encryption and decryption, ensuring data confidentiality and security. In China, the domestic SM4 algorithm is commonly utilized, as opposed to the international AES encryption algorithm. These widely implemented encryption standards have been proven to be difficult to crack through crypt analysis methods Currently, power consumption side-channel attacks are the most prevalent method. They involve capturing power consumption data during the encryption process and subsequently recovering the encryption key from this data. The two leading methods are Differential Power Analysis (DPA) and machine learning techniques. DPA does not necessitate prior knowledge but relies heavily on the number of power consumption curves. With only 50 power consumption data points, the accuracy is a mere 80%. Machine learning methods require prior knowledge, achieving an accuracy rate above 95% with only 30 power traces, albeit with training times typically exceeding 15 min. In this paper, a distributed energy analysis attack approach was presented based on Correlation Power Analysis (CPA). The power consumption data was divided into 16 subsets, with each subset corresponding to 8 bytes of the key. By training each subset separately, the 8-byte key's corresponding power consumption data is reduced to only 100 dimensions, resulting in a 76% decrease in cracking time and a 3% improvement in cracking accuracy rate.This article also trains a more complex 256 classification model to directly crack the final key, achieving a success rate of 28% in cracking 128-bit passwords with only 1 power trace

multidisciplinary sciences

Weijun Shan,Lihui Wang,Qing Li,Limin Guo,Shanshan Liu,Zhimin Zhang

DOI: https://doi.org/10.1109/CIS.2014.57

2014-01-01

Abstract:In this paper, we will present a chosen-plaintext method of CPA on SM4 block cipher. This attack consists of a chosen-plaintext method and a transformed CPA attack. The chosen-plaintext method is used to decrease the computation complexity to guess the round register value and the transformed CPA attack is introduced to improve the effect of CPA attack. We accomplished hardware implement on Sasebo-Gii and power analysis, whose result proved that it takes 5000 traces to recover the key successfully by our method, while the normal CPA method needs 270000 traces.

Jiahao Fang,Liji Wu,Xiangming Zhang

DOI: https://doi.org/10.1109/asid52932.2021.9651700

2021-01-01

Abstract:SM2 algorithm has been widely used in the field of financial IC cards. However, it is easy to be attacked by the side channel, and Simple Power Analysis (SPA) is the most common attack method. An atomic point addition and point doubling algorithms is proposed to be used in SM2 algorithm against SPA. Based on the software and hardware co-design with SAKURA-G FPGA board, the correctness of the algorithm is verified in the 256-bit SM2 digital signature algorithm, and the power consumption curves are collected. Experiments show that the atomic algorithm improves the ability to resist SPA in SM2.

Youqi Li,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/icsict.2018.8564874

2018-01-01

Abstract:Chips in Internet of Things devices require extremely low power consumption and excellent security. In this paper, we present the first implementation of the SM4 algorithm literally. Taking advantage of asynchronous dual-rail domino logic pipeline, which can naturally avoid abundant request signals and register flips, the power consumption of SM4 can be largely reduced. Prototyped on SMIC 0.18um technology, we designed an asynchronous pipeline architecture of SM4 encryption algorithm. Compared with synchronous designs [2], our design has smaller area and lower power consumption while possess strong resistance to side channel attack spontaneously. The circuit simulation results show that the full pipeline SM4 algorithm can achieve 21.26Gbps throughput, while a single round of encryption costs just 6.07mW on average with the delay 2.8ns. For comparison, we normalized the throughput to [2] and get a 20x improvement on power consumption.

Ruolin Zhang,Zejun Xiang,Shasha Zhang,Xiangyong Zeng,Min Song

DOI: https://doi.org/10.1049/2024/7047055

2024-06-25

IET Information Security

Abstract:The SM4 block cipher is standardized in ISO/IEC, and it is also the national standard of commercial cryptography in China. In this paper, we propose two new techniques called "split‐and‐join" and "off‐peak and stagger" to make SM4 more applicable to resource‐constrained environments. The area optimization method uses a 1‐bit data path while reducing the number of registers from 64 to 8 and the number of XOR gates from 194 to 8. As a result, we report a 1‐bit‐serial SM4 encryption circuit that occupies 1771 GE with a latency of 2,336 cycles. Additionally, the "off‐peak and stagger" technique compresses all the operations within the state update and key schedule into 32 clock cycles to reduce the latency. In other words, it takes 32 clock cycles to complete one round encryption. The new circuit occupies 1861 GE with a latency of 1,344 cycles. Moreover, we also discuss how to further reduce the latency by increasing the data path with a small area overhead to provide wider area‐latency tradeoffs for SM4. Our designs make SM4 competitive with many ciphers specifically designed for lightweight cryptography.

computer science, information systems, theory & methods

Wei Li,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/edssc.2019.8754041

2019-01-01

Abstract:In this paper, we executed a power analysis of hardware implementation of SM4 algorithm using machine learning classifiers (support vector machine (SVMs), Decision Trees (DT), k-Nearest Neighbor, (KNN), Ensemble learning (EB), etc.). We first download hardware design to the FPGA in power acquisition platform based on SASEBO-G board to obtain the power traces of SM4 during its encryption process. Then we introduced a machine learning method to the Hamming-weight attack model of SM4 algorithm. In the data preprocessing phase, principal component analysis (PCA) method was applied, and we explored how many points of interested (PoIs) should we take to achieve the best test accuracy. We have tried different kinds of classifiers and their performance against Gaussian noise. The results show that for different classifiers, the number of PoIs selected when achieving maximum precision is different, PCA can reduce the dimensions of power trace effectively but probably decrease the test accuracy. Furthermore, most of these classifiers have excellent resolution (up to 100%) for Gaussian noise superimposed on the power traces, which means that machine learning classifiers such like SVM and Decision Trees can compete with template attacks based on Gaussian distribution.

Yan Ting Ren,Li Ji Wu

DOI: https://doi.org/10.4028/www.scientific.net/amr.718-720.2376

2013-01-01

Advanced Materials Research

Abstract:In order to test the security of cryptographic devices against Side Channel Attacks (SCA), an automatic general-purpose power analysis system (TH-PAS-01) is designed and implemented. TH-PAS-01 is scalable and can be applied to many cryptographic devices when specific modules are installed. Using the system TH-PAS-01, correlation power analysis (CPA) are carried out on an AES chip under two working models: normal and shuffling mode. The security level of the countermeasure provided by the target chip is verified by TH-PAS-01. The experimental results show that the correct key of the AES chip is obtained with around 50,000 power traces when the chip was working under normal mode, while the whole key bits are not obtained with 960,000 power traces when the chip works under shuffling mode. The automatic general-purpose system TH-PAS-01 is feasible for security analysis on power analysis for cryptographic devices.

Zijing Jiang,Wenhao Yan,Wei Ding,Linlin Yue,Qun Ding

DOI: https://doi.org/10.1142/s0218127422501103

IF: 2.45

2022-06-30

International Journal of Bifurcation and Chaos

Abstract:SCA is one of the biggest threats to the security of encryption chip. It can crack the unprotected encryption chip at lower cost and faster speed, which weakens the security of the SM4 encryption algorithm circuit without any protection. In this paper, the SM4 encryption algorithm is implemented on FPGA. The pseudo-random sequence generated by discrete chaotic system is used to randomly mask the intermediate value in the SM4 encryption process. This will disrupt the power consumption in the encryption process, thus preventing power analysis. Experimental results show that the proposed chaotic mask scheme can effectively prevent intermediate value leakage and protect the SM4 encryption system from power analysis attack.

mathematics, interdisciplinary applications,multidisciplinary sciences

Zhanzhan Chen,Liji Wu,Zhenhui Zhang,Dehang Xiao,Xiangmin Zhang,Yan Liu

DOI: https://doi.org/10.1109/asid56930.2022.9995777

2022-01-01

Abstract:SM2 algorithm is widely used in financial IC cards. It has the advantages of fast operation speed and short signature, but it may also contain security vulnerabilities. Attackers can crack the secret key via Simple Power Analysis (SPA), which is the inexpensive and extremely effective method, causing a great threat to the security of SM2 algorithm. In order to improve the safety of SM2 algorithm, this paper introduces atomic algorithm to implement point addition and point doubling operation, and proposes precomputed Non Adjacent Form (NAF) random window algorithm to achieve scalar multiplication. Based on experimental analysis with SAKURA-G FPGA board, the improved SM2 algorithm can resist successfully SPA. Compared with the original algorithm, the time of computation is reduced by 67.5%, and the number of slice registers has increased by less than 5%. The security and speed of SM2 algorithm has been significantly improved.

Weijun Shan,Chi Zhang,Qing Li,Jun Yu

DOI: https://doi.org/10.1109/icnisc57059.2022.00103

2022-01-01

Abstract:This paper presents a lightweight countermeasure scheme of SM4 cryptographic algorithm against side channel analysis attacks. SM4 is one of the widely used block ciphers in information computing and data communication. However, as it is usually implemented in cryptographic devices, it is definitely under the threat of side channel analysis attacks. Some schemes of implementations have been provided as the countermeasures against the side channel analysis attacks, which leads to a relatively complicated realization on both cost and performance. This paper proposes a new mask scheme for SM4 implementation with lightweight cost and low performance loss. Experiment results show the effectiveness of the method against the side channel analysis attacks.

Xiaowei Han,Beibei Wang,An Wang,Liji Wu,Woogeun Rhee

DOI: https://doi.org/10.1109/CIS.2014.116

2014-01-01

Abstract:SM2 is a public-key cryptography algorithm which is based on elliptic curves. Since the side channel leakage of devices can be used to deduce the information of secret keys, algorithms to implement SM2 need to be improved. In this paper, we propose an initialized masking scalar multiplication algorithm (IMSM), a modified atomic point doubling and point addition algorithm (MADA), and a transformed formula countermeasure (TFCS). Analysis shows they can resist Simple Power Analysis (SPA), Differential Power Analysis and Template Attacks. IMSM and MADA have been verified to resist SPA on FPGA board successfully. Compared to Binary Expansion with RIP algorithm, 28.6% calculations can be saved when the scalar is divided into four parts, which is rather fast.

Han Gan,Hongxin Zhang,Muhammad Saad Khan,Xueli Wang,Fan Zhang,Pengfei He

DOI: https://doi.org/10.1109/cc.2017.8068768

2017-01-01

China Communications

Abstract:Correlation power analysis (CPA) has become a successful attack method about crypto-graphic hardware to recover the secret keys. However, the noise influence caused by the random process interrupts (RPIs) becomes an important factor of the power analysis attack efficiency, which will cost more traces or attack time. To address the issue, an improved method about empirical mode decomposition (EMD) was proposed. Instead of restructuring the decomposed signals of intrinsic mode functions (IMFs), we extract a certain intrinsic mode function (IMF) as new feature signal for CPA attack. Meantime, a new attack assessment is proposed to compare the attack effectiveness of different methods. The experiment shows that our method has more excellent performance on CPA than others. The first and the second IMF can be chosen as two optimal feature signals in CPA. In the new method, the signals of the first IMF increase peak visibility by 64% than those of the tradition EMD method in the situation of non-noise. On the condition of different noise interference, the orders of attack efficiencies are also same. With external noise interference, the attack effect of the first IMF based on noise with 15dB is the best.

Huaxin Wang,Yiwen Gao,Yuejun Liu,Qian Zhang,Yongbin Zhou

DOI: https://doi.org/10.1186/s42400-024-00209-9

2024-06-05

Abstract:During the standardisation process of post-quantum cryptography, NIST encourages research on side-channel analysis for candidate schemes. As the recommended lattice signature scheme, CRYSTALS-Dilithium, when implemented on hardware, has seen limited research on side-channel analysis, and current attacks are incomplete or requires a substantial quantity of traces. Therefore, we conducted a more complete analysis to investigate the leakage of an FPGA implementation of CRYSTALS-Dilithium using the Correlation Power Analysis (CPA) method, where with a minimum of 70,000 traces partial private key coefficients can be recovered. Furthermore, we optimise the attack by extracting Point-of-Interests using known information due to parallelism (named CPA-PoI) and by iteratively utilising parallel leakages (named CPA-ITR). Our experimental results show that CPA-PoI reduces the number of traces by up to 16.67%, CPA-ITR by up to 25%, and both increase the number of recovered key coefficients by up to 55.17% and 93.10% using the same number of traces. They outperfom the CPA method. As a result, it suggests that the FPGA implementation of CRYSTALS-Dilithium is more vulnerable than thought before to side-channel analysis.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji,Jing Huang

DOI: https://doi.org/10.1016/j.jss.2012.11.007

IF: 3.5

2013-01-01

Journal of Systems and Software

Abstract:The side-channel cube attack (SCCA) is a powerful cryptanalysis technique that combines the side-channel and cube attack. This paper proposes several advanced techniques to improve the Hamming weight-based SCCA (HW-SCCA) on the block cipher PRESENT. The new techniques utilize non-linear equations and an iterative scheme to extract more information from leakage. The new attacks need only 2^8^.^9^5 chosen plaintexts to recover 72 key bits of PRESENT-80 and 2^9^.^7^8 chosen plaintexts to recover 121 key bits of PRESENT-128. To the best of our knowledge, these are the most efficient SCCAs on PRESENT-80/128. To show the feasibility of the proposed techniques, real attacks have been conducted on PRESENT on an 8-bit microcontroller, which are the first SCCAs on PRESENT on a real device. The proposed HW-SCCA can successfully break PRESENT implementations even if they have some countermeasures such as random delay and masking.

Fan Zhang,Zhijie Jerry Shi

DOI: https://doi.org/10.1109/ITNG.2008.183

2008-01-01

Abstract:Elliptic curve cryptography (ECC) has been adopted in many systems because it requires shorter keys than traditional public-key algorithms in primary fields. However, power analysis attacks can exploit the power consumption of ECC devices to retrieve secret keys. In this paper, we propose an efficient window-based countermeasure that is secure against existing power analysis attacks. Compared to previous counter- measures, our method has low memory overhead, requiring only a table of w+1 entries when the window size is w bits. It also has better performance than many algorithms that perform one point addition or subtraction for every bit in the scalar.