COMPUTER SCIENCE AND TECHNOLOGY

Improved chosen-plaintext DPA on block cipher SM4

  • CHEN Jiazhe,
  • LI Hexin,
  • WANG Beibei
  • China Information Technology Security Evaluation Center, Beijing 100085, China

Received date: 2016-12-14

Online published: 2017-11-15

Abstract

Since differential power analysis (DPA) is one of the most important side-channel attacks on block ciphers implemented in chips, this paper revisits the DPA attack on hardware-implemented SM4. Reasonably choosing the plaintexts minimizes the effect of the variable input bits on the output bits of the linear transformation of SM4, which leads to effective side-channel attacks on SM4. By examining the linear transformation of SM4, this paper deduces 8 bit-relationships in the chosen-plaintext setting. Combining these bit-relationships with the known ones, this paper improves the previous chosen-plaintext DPA attacks on SM4 by proposing an analysis module that makes better use of the side-channel information of the round-output bits. Experimental results show that the proposed method improves the success rate of chosen-plaintext DPA attacks on SM4.
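To make the abstract's point about the linear transformation concrete, the following added example (written for this page, not code from the paper or its authors) implements SM4's linear transformation L and, assuming the S-box output word varies in only one byte while the other three bytes stay fixed (the situation a chosen-plaintext setting creates), lists which output bits of L depend on exactly one varying bit and which on two. Which of these relationships the paper counts as "known" and which as new is not claimed here.

```python
MASK32 = 0xFFFFFFFF


def rotl32(x, k):
    """32-bit left rotation, as used by SM4's linear transformation."""
    k %= 32
    return ((x << k) | (x >> (32 - k))) & MASK32


def sm4_L(b):
    """SM4 linear transformation: L(B) = B ^ (B<<<2) ^ (B<<<10) ^ (B<<<18) ^ (B<<<24)."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)


def variable_bit_dependencies(varying_byte):
    """Map each output bit of L (value bit index, 0 = LSB) to the set of input
    bits inside `varying_byte` that it depends on, assuming the other three
    bytes of the S-box output word are fixed.  Byte 0 is the least significant
    byte of the 32-bit word.  Because L is linear over GF(2), flipping a single
    input bit and recording which output bits toggle gives the exact dependency.
    """
    lo = 8 * varying_byte
    deps = {i: set() for i in range(32)}
    for j in range(lo, lo + 8):
        toggled = sm4_L(1 << j)  # output bits that flip when input bit j flips
        for i in range(32):
            if (toggled >> i) & 1:
                deps[i].add(j)
    return deps


def summarize(varying_byte):
    """Group the output bits of L by how many varying input bits they depend on."""
    groups = {}
    for i, s in variable_bit_dependencies(varying_byte).items():
        groups.setdefault(len(s), []).append(i)
    return {n: sorted(bits) for n, bits in groups.items()}


if __name__ == "__main__":
    # With one varying byte, 24 output bits depend on exactly one varying bit
    # and 8 output bits depend on the XOR of two varying bits.
    for byte in range(4):
        print(f"varying byte {byte}:", summarize(byte))
```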

Cite this article

CHEN Jiazhe, LI Hexin, WANG Beibei. Improved chosen-plaintext DPA on block cipher SM4[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(11): 1134-1138. DOI: 10.16511/j.cnki.qhdxxb.2017.26.056
