LIN Ting-Ting,LAI Xue-Jia

DOI: https://doi.org/10.3724/sp.j.1001.2013.04356

2014-01-01

Journal of Software

Abstract:In traditional cryptographic model, it is assumed that the communication end points and computing environments of a cryptosystem are trusted. But this model becomes increasingly frailer with the development of the attack method. In the white-box attack model, the adversary can get not only access to the same resources as in the traditional cryptographic model but also total visibility of the internal implementation of the cryptosystem and full control over its execution environment, so it has the higher level of secure significance. The white-box SMS4 implementation, which was proposed in 2009, is aimed at protecting SMS4 operated in the white box context against key exposure. In this paper, based on the review of previous research, we propose an efficient attack and explain in detail how to extract the round key embedded in such a white box SMS4 implementation, with worst time complexity 2. As a result, we show that the white-box method is unreliable and provide reference for the secure white-box implementation.

ZHOU Zhou,HE Yi-fan,SHEN Hai-bin,ZHAO Xu-xin

DOI: https://doi.org/10.3969/j.issn.1005-9490.2007.04.089

2007-01-01

Abstract:SMS4 algorithm is the domestic encryption standard released for WLAN use.An inner-round pipelined,high-speed engine is proposed after analyzing the features of this algorithm.By using pipelined or parallel multi-engines,throughput and hardware cost can be easily adjusted according to different applications.Compared with the 32-stage pipelined structure,hardware cost is much lower under the same throughput.Moreover,the SMS4 encryption/decryption system can easily fit in a low-cost Spartan II XC2S50 FPGA in a single-engine implementation.

Jin Yier,Shen Haibin,You Rongquan

DOI: https://doi.org/10.1109/CHINACOM.2006.344900

2007-01-01

Abstract:This paper describes two encryption designs of Chinese wireless local area network block cipher standard - SMS4 algorithm. Then these two designs are implemented on Xilinx Virtex-4 FPGA devices. The first (pipelined) design is optimized in order to reduce time delay and the encryption core has a throughput of 24Gb/s. The second (folded) design is optimized in order to minimize area coverage and the encryption core only needs 380 CLB slices with throughput of 740Mb/s. There are no known hardware implementations of an encryption SMS4 designs. © 2006 IEEE.

LI Gang,FANG Dong-bo,SHEN Hai-bin

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.21.032

2011-01-01

Abstract:Combined with the characteristic and practical working condition of SMS4 cipher algorithm,this paper proposes its low consumption implementation method.By comparative analyzing the secret keys of the front and back grouping encryption deciphering data,selectively reuse the previously generated intermediate data.Combined with dynamic clock switching,operator isolation,gated clock as well as other lower consumption design technic,the power consumption is greatly reduced.Experimental result shows that,this implementation method compared with the original algorithm,the consumption reduces by 65%,and equivalent door number reduces by 13%.

Fen Liu,Wen Ji,Lei Hu,Jintai Ding,Shuwang Lv,Andrei Pyshkin,Ralf-Philipp Weinmann

DOI: https://doi.org/10.1007/978-3-540-73458-1_13

2007-01-01

Abstract:SMS4 is a 128-bit block cipher used in the WAPI standard for providing data confidentiality in wireless networks. In this paper we investigate and explain the origin of the S-Box employed by the cipher, show that an embedded cipher similar to BES can be obtained for SMS4 and demonstrate the fragility of the cipher design by giving variants that exhibit 2(64) weak keys. We also show attacks on reduced round versions of the cipher. The best practical attack we found is an integral attack that works on 10 rounds out of 32 rounds with a complexity of 2(18) operations; it can be extended to 13 rounds using round key guesses, resulting in a complexity of 2(114) operations and a data complexity of 2(16) chosen pairs.

Tingting Lin,Yixin Zhong,Xuejia Lai,Weidong Qiu

DOI: https://doi.org/10.1007/978-981-15-1301-5_38

2019-01-01

Abstract:In software protection, we’ve always faced the problem that an attacker is assumed to have full control over the target software and its execution. This is similar to the attack model in white-box cryptography, which aims to provide robust and secure implementations of cryptographic schemes against white-box attacks. In this paper, we propose our tamper-resistance technique, Siren, that uses white-box implementation to make software tamper resistant. We interpret the binary of software code as lookup table and incorporate these tables into the underlying white-box SMS4 implementation. In addition, we prove that Siren has good performance in security, and show the lower space complexity and higher efficiency. Finally, we present CBC-Siren, a white-box encryption scheme using CBC mode, which can provide protection to code with flexible size.

Chao Jin,Zhejing Bao,Weiwei Miao,Zeng,Xiaogang Wei,Rui Zhang

DOI: https://doi.org/10.1109/access.2023.3290211

2021-01-01

Abstract:The white-box implementation of cryptography algorithm can hide key information even in the white-box attack context owing to the means of obfuscation. However, under the deliberately designed attack, there is still a risk of the information being recovered within a certain time complexity. In this paper, a lightweight nonlinear white-box SM4 implementation is proposed to prevent several typical attacks from extracting the secret key, which hides the encryption and decryption process in obfuscated lookup tables. Aiming to improve the diversity and ambiguity of the lookup tables as well as resist the different types of white-box attacks, the random bijective nonlinear mappings are applied as scrambling encodings of the lookup tables. Moreover, the memory occupation of the implementation doesn't increase significantly by simplifying the structure and using concatenation code. Through several quantitative indicators, including memory size, diversity, ambiguity, the time complexity required to extract the key, and the value space of the key and external encodings, it is proved that the security of the proposed implementation could been enhanced significantly, while no sacrificing the practicality, compared with the existing schemes.

Wei Li,Dawu Gu,Yong Wang,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.1109/EBISS.2010.5473514

2010-01-01

Abstract:SMS4 is a 128-bit block cipher published by as released as the symmetric-key encryption standard of Wireless Local Area Network(WLAN) by China in 2006. On the differential analysis principle, we propose an extension of differential fault attack on the SMS4 cipher. Mathematical analysis shows that our attack can recover its secret key by introducing about 40 faulty ciphertexts. Our work expands the locations of the fault injection into SMS4.

Xuefei Bai,Yanhua Xu,Li Guo

DOI: https://doi.org/10.1109/ICCS.2008.4737165

2008-01-01

Abstract:Differential power analysis is of great concern because it can be used to break implementations of almost any symmetric or asymmetric algorithm, and several countermeasures have been proposed to protect implementations of cryptographic algorithms except SMS4 cipher. In the present paper, we focus on the differential power analysis attack on SMS4 cipher, and suggest a secure masking scheme for SMS4 cipher, which is particularly suited for implementation in dedicated hardware. The masking scheme for the inversion presented in this article is based on composite field arithmetic, in which the inversion is shifted from GF(28) down to GF(22). In addition, several methods such as module reuse and changing computing order are employed to reduce circuit area and maintain its speed. Using SMIC 0.18 ¿m CMOS technology, the area of this improved SMS4 cipher is only about 25 k-gates and the frequency could be up to 50 MHz.

Xuefei Bai,Li Guo,Tie Li

DOI: https://doi.org/10.1109/iccsc.2008.136

2008-01-01

Abstract:SMS4 is a 128-bit block cipher used in the WAPI standard for protecting data packets in WLAN. In this paper, a differential power analysis attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128- bit encryption key can be found out. The results of simulation experiments indicate that this attack is effective and practical on the SMS4 cipher.

Ting-Ting Lin,Xue-Jia Lai,Wei-Jia Xue,Yin Jia

2015-01-01

Abstract:At DRM 2002, Chow et al. proposed the notion of white-box attack context (WBAC), in recent years, many white-box schemes have been proposed, most of them discussed how to implement the known cryptographic primitives in the white-box attack context; but unfortunately, every scheme has been proved unsecure. Therefore, we explore a new way to accomplish the white-box security goal, which is not an implementation of known primitive but a fresh white-box scheme. The new scheme is designed by improving Chow et al.'s methods and based on the framework of SMS4, so it can be viewed as a variant of SMS4. We also show that our scheme is secure by cryptanalysis. Besides, our scheme is quite efficient on space requirements.

Shutong Wang,Dawu Gu,Junrong Liu,Zheng Guo,Weijia Wang,Sigang Bao

DOI: https://doi.org/10.1109/CIS.2013.163

2013-01-01

Abstract:SMS4 is the first official released commercial cryptographic algorithm. It provides unified standards for designing and using local area wireless network product. The general DPA attack is not suitable for SMS4 owing to the ample random diffusion of the round output. This article proposed a new power analysis method for SMS4 to reduce the diffusion by chosen plaintext. Two means - Hamming distance model and bit model - are used to build the power model. Simulation results show that this method is effective and can be used in actual cryptographic circuit such as smart cards.

BAI Xue-fei,GUO Li,XU Yan-hua,LI Zhi-yuan

2009-01-01

Abstract:SMS4 algorithm is a block cipher used in WLAN products. In this paper, the differential power analysis attack on SMS4 algorithm is discussed. Based on analyses of the algorithm structure and principles of differential power analysis technologies, an attack method on every byte of round keys is presented. Through this attack, the round keys of the last four rounds of SMS4 can be obtained, and then the 128bit encryption key can be found out. The results of simulation experiments indicate that this attack method is effective and practical on SMS4 round operation. SMS4 algorithm is vulnerable to differential power analysis attacks, and cryptographic devices should be protected to prevent this kind of attacks.

Jiachao Chen,Qin Wang,Zheng Guo,Junrong Liu,Haihua Gu

DOI: https://doi.org/10.1109/CIS.2015.96

2015-01-01

Abstract:As the first official published commercial block cipher standard of China, SMS4 has been widely used in local area wireless product. Although the algorithm is proved to be secure enough mathematically, when implemented in hardware, it is vulnerable to differential power analysis (DPA), especially using chosen plaintext method. In order to discuss countermeasures against DPA, we present a secure circuit design of SMS4 combining hiding and masking techniques in this paper. For the trade-off between area and speed, we use additive masking and fix masking for the linear operations and S-box respectively. Hiding technique is applied to make power traces harder to align to increase the difficulty of attacking. We implement our scheme in a side channel evaluation board and analyze the collected power traces. Our experimental results show that the designed circuit has a good performance in DPA-resistance.

Dongyan Zhao,Yubo Wang,Yan Li,Xiaobo Hu,Yanyan Yu,Shi Chen,Shihui Zheng

DOI: https://doi.org/10.3390/electronics13122326

IF: 2.9

2024-06-15

Electronics

Abstract:Differential computation analysis (DCA) is a powerful method for extracting secret information from carefully designed white-box schemes without reverse engineering. Consequently, white-box solutions typically require substantial storage and computing resources to withstand DCAs, as demonstrated by the schemes proposed by Zhang et al. and Yuan et al. for the ISO/IEC standard algorithm SM4. Our approach employs Boolean masking to obscure the correlation between the key and intermediate states. Additionally, we introduce nonlinear permutations to reuse random mask values, thereby reducing space consumption. Experimental results indicate that DCAs against both the simplified version and the algebraic enhancement version of our scheme fail to retrieve the correct keys. Moreover, the former version can be implemented with approximately 1.62 MB of memory and the latter with 7.8 MB, which is much less than 24.3 MB (Zhang et al.) and 34.5 MB (Yuan et al.). Consequently, our design can thwart first-order DCA with lower overhead.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhang Ting,Chen Wei,Miao Chun-Yu

2010-01-01

Abstract:By analyzing the overall structure and linear error probability of SMS4, this paper translate the problem of finding upper bound of linear error probability of SMS4 into the problem of finding the maximum linear error probability and the minimum number of linear actives of S-box. By analysis, this paper get the theoretical upper bounds of linear error probability of SMS4 rounds range from 4 to 33 to assess their ability of resisting from linear attack on SMS4. The result says that SMS4 with 32 rounds has stronger linear attack resistance.

Yufeng Tang,Zheng Gong,Tao Sun,Jinhai Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-030-88323-2_22

2021-01-01

Abstract:White-box block cipher (WBC) aims at protecting the secret key of a block cipher even if an adversary has full control over the implementations. At CHES 2016, Bos et al. proved that WBC are also threatened by side-channel analysis (SCA), e.g., differential fault analysis (DFA) and differential computation analysis (DCA). Therefore, advanced countermeasures have been proposed by Lee et al. for resisting DFA and DCA, such as table redundancy and improved masking methods, respectively. In this paper, we introduce a new adaptive side-channel analysis model which assumes that an adversary adaptively collects the intermediate values of a specific function and can mount the DFA/DCA attack with chosen inputs. In the adaptive SCA model, both theoretical analysis and experimental results show that Lee et al.’s proposed methods are vulnerable to DFA and DCA attacks. Moreover, a negative proposition is also demonstrated on the corresponding high-order countermeasures under our new model.

Weiwei Miao,Chao Jin,Zeng Zeng,Zhejing Bao,Xiaogang Wei,Rui Zhang

DOI: https://doi.org/10.1109/AEEES54426.2022.9759711

2022-01-01

Abstract:With the widespread application of power Internet of Things (IoT), the edge IoT agents are often threatened by various attacks, among which the white-box attack is the most serious. The white-box implementation of the cryptography algorithm can hide key information even in the white-box attack context by means of obfuscation. However, under the specially designed attack, there is still a risk of t...

Jeremy Erickson,Jintai Ding,Chris Christensen

DOI: https://doi.org/10.1007/978-3-642-14423-3_6

2009-01-01

Abstract:The SMS4 block cipher is part of the Chinese WAPI wireless standard. This paper describes the specification and offers a specification for a toy version called simplified SMS4 (S-SMS4). We explore algebraic attacks on SMS4 and S-SMS4 using Gröbner basis attacks on equation systems over GF(2) and GF(28), as well as attacks using a SAT solver derived from the GF(2) model. A comparison of SAT and Gröbner basis attacks is provided.

Weijun Shan,Chi Zhang,Qing Li,Jun Yu

DOI: https://doi.org/10.1109/icnisc57059.2022.00103

2022-01-01

Abstract:This paper presents a lightweight countermeasure scheme of SM4 cryptographic algorithm against side channel analysis attacks. SM4 is one of the widely used block ciphers in information computing and data communication. However, as it is usually implemented in cryptographic devices, it is definitely under the threat of side channel analysis attacks. Some schemes of implementations have been provided as the countermeasures against the side channel analysis attacks, which leads to a relatively complicated realization on both cost and performance. This paper proposes a new mask scheme for SM4 implementation with lightweight cost and low performance loss. Experiment results show the effectiveness of the method against the side channel analysis attacks.