白盒SM4的中间值平均差分分析

doi:10.19665/j.issn1001-2400.2022.01.011

西安电子科技大学学报 ›› 2022, Vol. 49 ›› Issue (1): 111-120.doi: 10.19665/j.issn1001-2400.2022.01.011

• 隐私计算与数据安全专题 • 上一篇下一篇

白盒SM4的中间值平均差分分析

张跃宇^1,²(),徐东^1,²(),蔡志强³(),陈杰^2,⁴()

1.西安电子科技大学网络与信息安全学院,陕西西安 710071
2.西安电子科技大学综合业务网理论与关键技术国家重点实验室,陕西西安 710071
3.中国人民解放军66061部队,山西阳泉 100141
4.桂林电子科技大学广西密码学与信息安全重点实验室,广西桂林 541004

收稿日期:2020-12-23 出版日期:2022-02-20 发布日期:2022-04-27
通讯作者: 陈杰
作者简介:张跃宇(1978—),男,副教授,博士,E-mail: yyzhang@xidian.edu.cn;|徐东(1997—),男,西安电子科技大学硕士研究生,E-mail: xudong1997124@163.com;|蔡志强(1975—),男,高级工程师,硕士,E-mail: qqbox521@163.com
基金资助:
十三五密码发展基金(MMJJ20180219);陕西省自然科学基础研究计划(2021JM-126);广西密码学与信息安全重点实验室研究课题(GCIS202125)

Analysis of the mean difference of intermediate-values in a white box SM4

ZHANG Yueyu^1,²(),XU Dong^1,²(),CAI Zhiqiang³(),CHEN Jie^2,⁴()

1. School of Cyber Engineering,Xidian University,Xi'an 710071,China
2. State Key Laboratory of Integrated Services Networks,Xidian University,Xi'an 710071,China
3. Unit 66061 of PLA,Yangquan 100141,China
4. Guangxi Key Laboratory of Cryptography and Information Security,Guilin University of Electronic Technology,Guilin 541004,China

Received:2020-12-23 Online:2022-02-20 Published:2022-04-27
Contact: Jie CHEN

摘要/Abstract

摘要：

在白盒攻击环境中,攻击者对密码系统拥有全部的访问权限。为保证在白盒攻击环境下密钥的安全性,提出了白盒密码的概念。2016年,BOS等人首次将侧信道分析思想引入白盒密码的分析工作中,提出差分计算分析方法,开创了白盒密码分析的新路径。差分计算分析以白盒密码程序运行过程中的软件执行轨迹为分析对象,采用统计分析的方法执行密钥提取,是否掌握白盒密码的设计细节对分析几乎不产生影响。白盒SM4是商用密码标准算法SM4在白盒安全模型下的密码实现。为高效地评估白盒SM4的安全性,在对差分计算分析进行研究的基础上,提出一种针对白盒SM4的侧信道分析方法,称为中间值平均差分分析方法(IVMDA)。IVMDA直接利用加密过程中的中间值进行分析,采用线性组合的方式抵消白盒SM4的混淆手段。在最少60条随机明文的参与下,仅需8 min左右即可完整地提取出第一轮子密钥。该方法相比于已有的分析方法,具备部署方便、适用于实际应用环境、分析效率高的特点。

关键词: 白盒实现, SM4, 侧信道分析, 差分计算分析

Abstract:

In the white box attack context,the attacker has full access to the cryptographic system.In order to ensure the key security in the white box attack context,the concept of white-box cryptography is proposed.In 2016,BOS et al.proposed the differential computation analysis (DCA) by introducing the idea of side channel analysis into white-box cryptography for the first time,creating a new path of white box cryptography analysis.DCA takes the software execution trace in the running process of the white-box cryptography program as the analytical object,and uses the statistical analysis method to extract the key.Whether to master the design details of the white-box cryptography or not has little impact on the analysis.The white-box SM4 is the cryptographic implementation of the commercial cryptographic standard algorithm SM4 under the white-box security model.In order to evaluate the security of the white-box SM4 efficiently,a side channel analytical method is proposed for white-box SM4 implementation based on the research on the DCA,called Intermediate-values Mean Difference Analysis (IVMDA).IVMDA directly uses the intermediate value in the process of encryption for analysis,and uses linear combination to counteract the confusion of the white-box SM4.With the participation of at least 60 random plaintexts,the first round key can be completely extracted in about 8 minutes.Compared with the existing analytical methods,this method has the characteristics of convenient deployment,suitability for practical application environment and high analytical efficiency.

Key words: white box implementation, SM4, side channel analysis, differential computational analysis

中图分类号:

TN918.1

张跃宇,徐东,蔡志强,陈杰. 白盒SM4的中间值平均差分分析[J]. 西安电子科技大学学报, 2022, 49(1): 111-120.

ZHANG Yueyu,XU Dong,CAI Zhiqiang,CHEN Jie. Analysis of the mean difference of intermediate-values in a white box SM4[J]. Journal of Xidian University, 2022, 49(1): 111-120.

图/表 6

图1

图2

图3

图4

表1

表2

参考文献 22

[1]	CHOW S T, EISEN P A, JOHNSON H J, et al. White-Box Cryptography and an AES Implementation[C]// Selected Areas in Cryptography.Heidelberg:Springer, 2002:250-270.
[2]	CHOW S T, EISEN P A, JOHNSON H J, et al. A White-Box DES Implementation for DRM Applications[C]// Digital Rights Management.Berlin:Springer, 2002:1-15.
[3]	BILLET O, GILBERT H, ECHCHATBI C, et al. Cryptanalysis of a White Box AES Implementation[C]// Lecture Notes in Computer Science.Heidelberg:Springer, 2004:227-240.
[4]	MICHIELS W, GORISSEN P, HOLLMANN H D, et al. Cryptanalysis of a Generic Class of White-Box Implementations[C]// Lecture Notes in Computer Science.Heidelberg:Springer, 2009:414-428.
[5]	BOS J W, HUBAIN C, MICHIELS W, et al. Differential Computation Analysis:Hiding Your White-Box Designs is Not Enough[C]// Cryptographic Hardware and Embedded Systems. Berlin: Springer, 2016:215-236.
[6]	BIRYUKOV A, UDOVENKO A. Attacks and Countermeasures for White-Box Designs[C]// International Conference on the Theory and Application of Cryptology and Information Security. Berlin: Springer, 2018:373-402.
[7]	BOCK E A, BRZUSKA C, MICHIELS W, et al. On the Ineffectiveness of Internal Encodings - Revisiting the DCA Attack on White-Box Cryptography[C]// Applied Cryptography and Network Security. Berlin: Springer, 2018:103-120.
[8]	BREUNESSE C, KIZHVATOV I, MUIJRERS R, et al. Towards Fully Automated Analysis of Whiteboxes:Perfect Dimensionality Reduction for Perfect Leakage(2020)[J/OL]. [2020-12-09]. https://eprint.iacr.org/2018/095.pdf.
[9]	RIVAIN M, WANG J. Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box Implementations.[J]Cryptographic Hardware and Embedded Systems, 2019(2):225-255.
[10]	BOGDANOV A, RIVAIN M, VEIRE P S, et al. Higher-Order DCA Against Standard Side-Channel Countermeasures[C]// Constructive Side-Channel Analysis and Secure Design. Berlin: Springer, 2019:118-141.
[11]	国家标准化管理委员会. 信息安全技术SM 4分组密码算法(2020)[S/OL]. [2020-12-9]. http://c.gb688.cn/bzgk/gb/showGbtype=online&hcno=7803DE42D3BC5E80B0C3E5D8E873D56A.
[12]	肖雅莹, 来学嘉. 白盒密码及SMS 4算法的白盒实现[C]// 中国密码学会2009年会. 北京: 科学出版社, 2009:24-34.
[13]	林婷婷, 来学嘉. 对白盒SMS 4实现的一种有效攻击[J]. 软件学报, 2013, 24(9):2238-2249. doi: 10.3724/SP.J.1001.2013.04356
	LIN Tingting, LAI Xuejia. Efficient Attack to White-Box SMS 4 Implementation[J]. Journal of Software, 2013, 24(9):2238-2249. doi: 10.3724/SP.J.1001.2013.04356
[14]	SHI Y, WEI W, HE Z, et al. A Lightweight White-Box Symmetric Encryption Algorithm Against Node Capture for Wsns[J]. Sensors, 2015, 15(5):11928-11952. doi: 10.3390/s150511928
[15]	BAI K P, WU C K. A Secure White-Box SM 4 Implementation[J]. Security and Communication Networks, 2016, 9(10):996-1006. doi: 10.1002/sec.1394
[16]	潘文伦, 秦体红, 贾音, 等. 对两个SM 4白盒方案的分析[J]. 密码学报, 2018, 5(6):651-670.
	PAN Wenlun, QIN Tihong, JIA Yin, et al. Cryptanalysis of Two White-Box SM 4 Implementations[J]. Journal of Cryptologic Research, 2018, 5(6):651-670.
[17]	姚思, 陈杰. SM 4算法的一种新型白盒实现[J]. 密码学报, 2020, 7(3):358-374.
	YAO Si, CHEN Jie. A New Method for White-Box Implementation of SM 4 Algorithm[J]. Journal of Cryptologic Research, 2020, 7(3):358-374.
[18]	KOCHER P, JAFFE J, JUN B. Differential Power Analysis.[C]// Advances in Cryptology-CPYPTO'99. Berlin: Springer, 1999:388-397.
[19]	LUK C, COHN R S, MUTH R, et al. Pin:Building Customized Program Analysis Tools with Dynamic Instrumentation[J]. ACM SIGPLAN Notices, 2005, 40(6):190-200. doi: 10.1145/1064978.1065034
[20]	NETHERCOTE N, SEWARD J. Valgrind:A Framework for Heavyweight Dynamic Binary Instrumentation[J]. ACM SIGPLAN Notices, 2007, 42(6):89-100. doi: 10.1145/1273442.1250746
[21]	HYUNJIN A, DONG-GUK H. Multilateral White-Box Cryptanalysis:Case Study on WB-AES of CHES Challenge 2016(2020)[J/OL]. [2020-12-09]. https://eprint.iacr.org/2016/807.pdf.
[22]	姚思, 陈杰, 宫雅婷. CLEFIA算法的一种新型白盒实现[J]. 西安电子科技大学学报, 2020, 47(5):150-158.
	YAO Si, CHEN Jie, GONG Yating, et al. A New Method for White-Box Implementation of CLEFIA Algorithm[J]. Journal of Xidian University, 2020, 47(5):150-158.

明文数量	正确率/%	分析时长/min	Δ^key的最高值×10⁹	Δ^key的次高值×10⁹
200	100	27.60	2.124	1.011
150	100	20.40	2.215	1.091
100	100	13.60	2.199	1.297
80	100	11.05	2.305	1.394
70	100	10.20	2.213	1.461
60	100	8.05	2.276	1.655
50	75	6.80	2.305	1.791

分析方法	分析所需条件	分析步骤	分析过程计算复杂度	分析结果
IVMDA	掌握密码算法程序及其运行环境	多次运行白盒实现程序采集中间查表结果对采集的结果执行统计分析,提取轮密钥	集合的加、减、求平均值运算	用时8分钟计算出一轮的轮密钥
文献[13]	掌握密码算法程序及其运行环境完全掌握密码算法设计细节	恢复白盒实现中的仿射编码矩阵部分获取S盒的输入差分,计算仿射编码常数部分求解轮密钥	32阶矩阵乘法 32阶矩阵求逆 32阶矩阵方程组求解	以时间复杂度2⁴⁷ 确定轮密钥
文献[16]	掌握密码算法程序及其运行环境完全掌握密码算法设计细节	恢复白盒实现中仿射编码的矩阵部分恢复白盒实现中仿射编码的常数部分求解轮密钥	32阶矩阵乘法 32阶矩阵求逆 32阶矩阵方程组求解	给出肖-来白盒SM 4 方案的密钥搜索空间为61 200*2³²

白盒SM4的中间值平均差分分析

Analysis of the mean difference of intermediate-values in a white box SM4

RichHTML

PDF (PC)

赞

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 22

相关文章 4

Metrics

本文评价

推荐阅读 0

[1]	王省欣,胡伟,谭静,朱嘉诚,唐时博. AES相关故障注入攻击[J]. 西安电子科技大学学报, 2021, 48(4): 192-199.
[2]	何诗洋,李晖,李凤华. SM4算法的FPGA优化实现方法[J]. 西安电子科技大学学报, 2021, 48(3): 155-162.
[3]	谷大武,张驰,陆相君. 密码系统的侧信道分析:进展与问题[J]. 西安电子科技大学学报, 2021, 48(1): 14-21.
[4]	姚思,陈杰,宫雅婷,徐东. CLEFIA算法的一种新型白盒实现[J]. 西安电子科技大学学报, 2020, 47(5): 150-158.