Differential fault analysis method for white-box protection of SM4 block cipher algorithm
By studying the fault injection points of the SM4 block cipher algorithm and establishing a differential fault analysis system, the problem of lack of tools in the existing technology is solved, and efficient white-box protection scheme evaluation and key recovery are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- QUAN CHENG LABORATORY
- Filing Date
- 2023-07-05
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies lack differential fault analysis tools for white-box protection schemes of the SM4 block cipher algorithm, resulting in long analysis times, high manpower costs, and a lack of methods to assess the resistance of protection schemes in a white-box environment.
A differential fault analysis method for white-box protection of the SM4 block cipher algorithm was developed. By studying the possible fault injection locations, a fault model was established, and a differential fault analysis system was designed, including a fault model determination module, a four-round self-key generation module, and a master key generation module, which can perform preliminary analysis on any white-box protection scheme.
It improves the efficiency of algorithm security assessment in cryptography competitions, frees up the labor of cryptanalysts and design teams, can adapt to different white-box protection schemes, and successfully recovers keys.
Smart Images

Figure CN116684072B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of differential fault analysis technology for white-box protection schemes, and particularly to a differential fault analysis method for white-box protection of the SM4 block cipher algorithm. Background Technology
[0002] The statements in this section are merely background information related to the present invention and do not necessarily constitute prior art.
[0003] In the design and implementation of traditional cryptographic algorithms, the design details are generally accepted to be public, and it is assumed that the terminal environment in which the cryptographic algorithm runs is secure and trustworthy. The security of the entire cryptographic system depends on the confidentiality of the key. However, with the popularization of computer and internet technologies and the rapid development of emerging industries such as the Internet of Things, cryptographic systems are increasingly being used in open devices such as computers, smartphones, and set-top boxes. Attackers have almost complete control over these devices. Changes in terminal devices make the operating environment unprotected and increasingly untrustworthy, making it extremely easy for attackers to extract the key, thus posing a security threat to the cryptographic system.
[0004] In response to the above phenomena, Chow et al. first proposed the white-box security model in 2002. This model assumes that encryption software and attack software with special privileges can run simultaneously on the same host, and that the attacker has complete control over the execution of the cryptographic algorithm; the dynamic execution process of the program can be monitored; and the implementation details and execution process of the cryptographic algorithm are visible and can be arbitrarily modified. Traditional cryptographic algorithms offer no security under the white-box security model. Therefore, a new cryptographic technology is needed to guarantee the required security under the white-box security model, achieving a higher level of information security.
[0005] In 2002, Chow et al. first proposed a lookup table-based white-box scheme, embedding a key lookup table into the cryptographic algorithm and protecting it with obfuscation techniques, thus initiating research on white-box cryptographic algorithms. Subsequently, Biryukov et al. proposed a Boolean mask-based white-box scheme at the 2018 Subcrypto conference, thus starting the trend of mask-based design. The openness of devices and the white-box security model make fault injection easier to execute and less costly. Therefore, differential fault analysis has become an effective white-box analysis method. Differential fault analysis is an analysis method that combines fault injection analysis methods with traditional differential cryptanalysis methods. It mainly uses the relationship between the correct output of the same plaintext under normal conditions and the erroneous output after fault injection to crack the key.
[0006] With the SM4 block cipher algorithm becoming an ISO / IEC international standard, security analysis of the SM4 algorithm itself and its white-box variants has become a new research hotspot. In various information security competitions, white-box protection schemes for the SM4 block cipher algorithm have become an indispensable module. For cryptanalysts and cryptographic design teams, differential fault analysis is essential when evaluating the numerous white-box protection schemes submitted in competitions. Therefore, developing a general-purpose differential fault analysis tool can improve the efficiency of algorithm evaluation, while also freeing up the labor of cryptanalysts and cryptographic design teams to a certain extent and improving the design level of white-box protection schemes. This has a profound impact on continuously promoting the research and development of the SM4 block cipher algorithm and related technologies, thereby providing more robust information security guarantees.
[0007] The inventors discovered that existing technologies have the following problems: There is currently no tool to support differential fault analysis of any white-box protection scheme for the SM4 block cipher algorithm. When it is necessary to analyze the effectiveness of differential fault analysis for a new white-box protection scheme, it is necessary to start from scratch, which takes a long time and consumes more energy from cryptographers.
[0008] Research on differential fault analysis of the SM4 block cipher algorithm mainly focuses on attack schemes, fault injection timing, and fault injection points to reduce the difficulty of fault injection and attack complexity. However, there is a lack of development and research on tools, and the focus is mostly on the SM4 block cipher algorithm itself. Differential fault analysis has not been applied to white-box environments to evaluate the resistance of protection schemes to differential fault analysis. Summary of the Invention
[0009] To address the shortcomings of existing technologies, this invention provides a differential fault analysis method for white-box protection of the SM4 block cipher algorithm. This method fills the gap in the current lack of differential fault analysis tools for white-box protection schemes of the SM4 block cipher algorithm, which can greatly improve the efficiency of algorithm security assessment in cryptography competitions, free up the labor of cryptographic analysts and cryptographic design teams, and is flexible enough to be adjusted according to different white-box protection schemes.
[0010] To achieve the above objectives, the present invention adopts the following technical solution:
[0011] The first aspect of this invention provides a differential fault analysis method for white-box protection of the SM4 block cipher algorithm.
[0012] A differential fault analysis method for white-box protection of the SM4 block cipher algorithm includes the following steps:
[0013] Based on all possible injection points of the SM4 block cipher algorithm, a fault model for the SM4 block cipher algorithm is determined, wherein the fault model includes at least the following: when the number of ciphertext differential bytes is a first value, a second value, and a third value, all active Sboxes can effectively perform key filtering, and the mode with the first value, the second value, and the third value is the valid ciphertext mode.
[0014] Based on the obtained faulty ciphertext and valid ciphertext pattern, the subkeys for the last four rounds are obtained, including: during the ciphertext collection stage, the valid ciphertext pattern needs to be adjusted. When the number of differential bytes in the ciphertext reaches the fourth and fifth values, the subkeys of the previous round can be solved. This is considered a valid ciphertext pattern. In the fourth to last round, there is an active Sbox. All bytes of the sixth value in the ciphertext are active. When the number of differential bytes in the ciphertext reaches the sixth value, it is considered a valid ciphertext pattern. During the differential analysis stage, the key is recovered using the valid ciphertext pattern to obtain the final subkey for the fourth to last round.
[0015] Based on the obtained last four rounds of subkeys, the subkey for each round is solved using the key expansion algorithm, and finally the master key for the SM4 block cipher algorithm is obtained.
[0016] As a further limitation of the first aspect of the present invention, the first value is 5, representing that the number of ciphertext differential bytes is 5; the second value is 9, representing that the number of ciphertext differential bytes is 9; the third value is 13, representing that the number of ciphertext differential bytes is 13; the fourth value is 8, representing that the number of ciphertext differential bytes is 8; the fifth value is 12, representing that the number of ciphertext differential bytes is 12; and the sixth value is 16, representing that the number of ciphertext differential bytes is 16.
[0017] As a further limitation of the first aspect of the present invention, the key recovery in the differential analysis stage using the effective ciphertext mode to obtain the final penultimate round subkey also includes:
[0018] For any of the subkeys in the last four rounds, the input-output difference of the Sbox is uniquely determined by the ciphertext difference. According to the Sbox difference distribution table, the full key space for the SM4 block cipher algorithm is reduced to a maximum of 4 candidate keys. The key selection continues with other ciphertext pairs until the subkey for this round is uniquely determined.
[0019] As a further limitation of the first aspect of the present invention, if the program crashes after fault injection, or the execution time becomes significantly longer, or the output ciphertext format changes, then the fault is not injected into the value of the intermediate state.
[0020] If the faulty ciphertext is the same as the correct ciphertext, then the fault was injected into an unused area during the encryption process, or the fault at this time is exactly the same as the original state.
[0021] If the faulty ciphertext has only one byte faulty compared to the correct ciphertext, then the fault injection is too late and the difference has not undergone a linear transformation.
[0022] If a valid ciphertext pattern appears in the faulty ciphertext, the faulty ciphertext is preserved.
[0023] The second aspect of the present invention provides a differential fault analysis system for white-box protection of the SM4 block cipher algorithm.
[0024] A differential fault analysis system for white-box protection of the SM4 block cipher algorithm includes:
[0025] The fault model determination module is configured to: determine the fault model of the SM4 block cipher algorithm based on all possible injection positions of the SM4 block cipher algorithm, wherein the fault model includes at least: when the number of ciphertext differential bytes is a first value, a second value, and a third value, all active Sboxes can effectively perform key filtering, and the mode with the first value, the second value, and the third value is the valid ciphertext mode.
[0026] The four-round self-key generation module is configured to: obtain the last four round subkeys based on the acquired faulty ciphertext and valid ciphertext patterns, including: adjusting the valid ciphertext pattern during the ciphertext collection stage; when the number of differential bytes in the ciphertext reaches the fourth and fifth values, the subkeys of the previous round can be solved, and this is considered a valid ciphertext pattern; in the fourth to last round, there is an active Sbox, and the sixth value of the ciphertext bytes are all active, and the sixth value of the ciphertext differential bytes is considered a valid ciphertext pattern; during the differential analysis stage, the key is recovered using the valid ciphertext pattern to obtain the final subkey of the fourth to last round.
[0027] The master key generation module is configured to: solve for the subkey of each round using the key expansion algorithm based on the obtained last four round subkeys, and finally obtain the master key of the SM4 block cipher algorithm.
[0028] As a further limitation of the second aspect of the present invention, the first value is 5, representing that the number of ciphertext differential bytes is 5; the second value is 9, representing that the number of ciphertext differential bytes is 9; the third value is 13, representing that the number of ciphertext differential bytes is 13; the fourth value is 8, representing that the number of ciphertext differential bytes is 8; the fifth value is 12, representing that the number of ciphertext differential bytes is 12; and the sixth value is 16, representing that the number of ciphertext differential bytes is 16.
[0029] As a further limitation of the second aspect of the invention, the key recovery in the differential analysis stage using the effective ciphertext mode to obtain the final penultimate round subkey also includes:
[0030] For any of the subkeys in the last four rounds, the input-output difference of the Sbox is uniquely determined by the ciphertext difference. According to the Sbox difference distribution table, the full key space for the SM4 block cipher algorithm is reduced to a maximum of 4 candidate keys. The key selection continues with other ciphertext pairs until the subkey for this round is uniquely determined.
[0031] As a further limitation of the second aspect of the present invention, if the program crashes after fault injection, or the execution time becomes significantly longer, or the output ciphertext format changes, then the fault is not injected into the value of the intermediate state.
[0032] If the faulty ciphertext is the same as the correct ciphertext, then the fault was injected into an unused area during the encryption process, or the fault at this time is exactly the same as the original state.
[0033] If the faulty ciphertext has only one byte faulty compared to the correct ciphertext, then the fault injection is too late and the difference has not undergone a linear transformation.
[0034] If a valid ciphertext pattern appears in the faulty ciphertext, the faulty ciphertext is preserved.
[0035] A third aspect of the present invention provides a computer-readable storage medium having a program stored thereon, which, when executed by a processor, implements the steps in the differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in the first aspect of the present invention.
[0036] The fourth aspect of the present invention provides an electronic device, including a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps in the differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in the first aspect of the present invention.
[0037] Compared with the prior art, the beneficial effects of the present invention are:
[0038] 1. This invention innovatively proposes a differential fault analysis method for white-box protection of the SM4 block cipher algorithm, filling the gap in the current lack of differential fault analysis tools for white-box protection schemes of the SM4 block cipher algorithm. It can greatly improve the efficiency of algorithm security assessment in cryptography competitions, free up the labor of cryptographic analysts and cryptographic design teams, and this invention is flexible enough to be adjusted according to different white-box protection schemes.
[0039] 2. This invention innovatively proposes a differential fault analysis method for white-box protection of the SM4 block cipher algorithm. By studying all possible fault injection locations of the SM4 block cipher algorithm, a fault model is obtained. Based on this fault model, a differential fault analysis scheme for white-box protection schemes of the SM4 block cipher algorithm is developed. This scheme can perform preliminary differential fault analysis on any white-box protection scheme of the SM4 block cipher algorithm. It can be applied to Chow lookup table schemes, second-order / third-order linear mask protection bool schemes, and Biryukov nonlinear mask protection bool schemes, and can successfully recover the key.
[0040] Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. Attached Figure Description
[0041] The accompanying drawings, which form part of this invention, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of the invention.
[0042] Figure 1 This is a schematic diagram of the SM4 block cipher algorithm provided in Embodiment 1 of the present invention;
[0043] Figure 2 This is a flowchart illustrating the differential fault analysis method for the white-box protection scheme of the SM4 block cipher algorithm provided in Embodiment 1 of the present invention.
[0044] Figure 3 This is a schematic diagram of all possible fault injection locations for the SM4 block cipher algorithm provided in Embodiment 1 of the present invention;
[0045] Figure 4 This is a schematic diagram of the differential analysis solution key provided in Embodiment 1 of the present invention;
[0046] Figure 5 This is a schematic diagram of the encryption function provided in Embodiment 1 of the present invention;
[0047] Figure 6 This is a schematic diagram of box difference analysis provided in Embodiment 1 of the present invention. Detailed Implementation
[0048] The present invention will be further described below with reference to the accompanying drawings and embodiments.
[0049] It should be noted that the following detailed descriptions are exemplary and intended to provide further illustration of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.
[0050] It should be noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of exemplary embodiments according to the invention. As used herein, the singular form is intended to include the plural form as well, unless the context clearly indicates otherwise. Furthermore, it should be understood that when the terms "comprising" and / or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components, and / or combinations thereof.
[0051] Where there is no conflict, the embodiments and features in the embodiments of the present invention can be combined with each other.
[0052] Example 1:
[0053] This invention studies all possible fault injection points in the SM4 block cipher algorithm, derives a fault model, and designs a fault injection method for the SM4 block cipher algorithm (e.g., ...). Figure 1 The differential fault analysis method for white-box protection schemes (shown) can perform preliminary differential fault analysis on any white-box protection scheme for the SM4 block cipher algorithm. This method has been applied to the Chow lookup table scheme, the bool scheme protected by second / third-order linear masks, and the bool scheme protected by Biryukov nonlinear masks, and has successfully recovered the key. This invention fills the gap in current differential fault analysis tools for white-box protection schemes of the SM4 block cipher algorithm, greatly improving the efficiency of algorithm security assessment in cryptography competitions, freeing up the labor of cryptanalysts and cryptographic design teams. Furthermore, this invention is flexible enough to be adjusted according to different white-box protection schemes.
[0054] Specifically, such as Figure 2 As shown, the process includes the following:
[0055] S1: Determine the fault model.
[0056] The fault model is crucial throughout the entire differential fault analysis process. Therefore, a good fault model plays a vital role in successfully recovering the key. The fault model adopted in this invention is a byte-oriented random fault model. In this model, an attacker can introduce arbitrary single-byte errors into the intermediate state values during the algorithm's operation, but the attacker cannot obtain the specific location of the error. At the same time, the attacker can encrypt the same plaintext multiple times under the same key, thereby obtaining faulty ciphertext multiple times. Such an attacker assumption naturally holds true in a white-box scenario.
[0057] In this embodiment, we first analyze the possible injection points in the SM4 block cipher algorithm, and then carefully study the propagation path of the differential through the round function to select the effective injection points based on the effective ciphertext pattern.
[0058] Figure 3This paper lists all possible injection points during the execution of the SM4 block cipher algorithm. The following section will analyze each case in detail in conjunction with the role of the round function, explaining the criteria for determining whether an injection point is valid.
[0059] The discussion focuses on the output of round 32, without considering the inversion transformation R, because the output of round 32 can be easily obtained from the ciphertext through the inverse operation of the inversion transformation. Furthermore, the validity of the injection position is determined in the following analysis using the round 32 subkey rk. 31 The standard is the recovery.
[0060] The first type of fault injection location: input X in round 32. 34 A single-byte fault occurred, i.e., ΔX. 34 The existence of a single-byte difference means that the initial XOR operation does not affect the difference state. Then, the 32-bit input is divided into four bytes and passed in parallel through four 8-bit Sboxes. According to the properties of the Sbox, a non-zero differential input will inevitably lead to a non-zero differential output, and a zero differential input will inevitably lead to a zero differential output. Therefore, although the difference value changes, the original byte still has a difference, while the differences in the other bytes remain zero. Next, a linear transformation L is performed. Since the linear transformation L has five differential branches, the single-byte differential input will inevitably result in all four bytes of the output having a difference. Finally, an XOR operation is performed to obtain the output of the 32nd round. At this point, X... 35 All four bytes of X have differences, because X 34 X is obtained by directly drawing a line. 34 There is a single-byte difference, so there are 5 bytes of difference in the 16 bytes output in the 32nd round, and the difference in the other byte positions is 0.
[0061] The analysis of the fault injection locations for types (2) and (3) is similar to that for type (1), and both exhibit a characteristic reflected in the output of round 32: X 35 The four bytes of the difference are all non-zero. In these three cases, since only one Sbox is active (only one Sbox has a non-zero input difference), a one-byte key can be solved, and the injection position can be considered valid. At this time, the ciphertext has a 5-byte difference.
[0062] The fourth type of fault injection location: input X in round 32. 31 A single-byte failure occurred due to X 31 It only participated in the XOR operation in the round function, so X was output in the 32nd round. 35 Similarly, only a single-byte fault exists, but X 31 It does not directly affect the input and round key of the Sbox, so it is meaningless for solving the key. This injection position is invalid, and the ciphertext has a 1-byte difference.
[0063] The fifth type of fault injection location: Input X in round 31. 33 A single-byte fault occurred, X 33 The single-byte difference in the data is passed to the output X of the 31st round after passing through the Sbox and linear transformation L. 34 The four bytes in the middle, and the output X of round 31. 33 Obtained by the pull wire, there is a single-byte difference, and X is also present. 33 X 34 As the input for round 32, after the XOR operation, a difference still exists, and this difference is passed to the output X of round 32. 35 Of the four bytes, X in the output of round 32 33 X 34 Then, the input X from the 31st round... 33 Input X in round 32 34 Obtained directly by pulling the line; at this point, X is in the output of round 32. 33 There is single-byte difference, X 34 and X 35 All four bytes of the difference are non-zero, so there are a total of 9 bytes of difference.
[0064] The analysis process for the sixth type of fault injection location is similar to that for the fifth type of fault injection location, and at this time, X in the output of the 35th round... 34 and X 35 In both cases where the four-byte differences are non-zero, all four Sboxes in round 32 are active and one Sbox exists in round 31. This not only allows for the analysis of the subkey rk in round 32. 31 The four bytes are solved simultaneously and rk is successfully solved. 31 Afterwards, the ciphertext can be decrypted once to obtain the output of the 31st round, and the subkey rk of the 31st round can be solved. 30 Even a single byte has a positive effect, so the injection position is valid, and the ciphertext now contains a 9-byte difference.
[0065] The seventh type of fault injection location: Input X in round 31. 31 A single-byte fault occurred, X 31 The single-byte difference in X is propagated to X through the round function in the 31st round. 34 The four bytes also propagate to the 32nd round output X. 35 Of the four bytes, X is the output of round 32. 34 Input X from round 32 34 Obtained directly by pulling the line, X is in the output of the 32nd round at this time. 34 X 35 The four-byte differences are all non-zero, and there are a total of 8 bytes of differences.
[0066] Although all four Sboxes were active in round 32 in this case, the X entered in round 32... 31 X, input in round 31 31 The signal is obtained directly by drawing a wire and contains a single-byte difference. Furthermore, we cannot deduce the specific byte position of this single-byte difference from the ciphertext information. Therefore, to obtain the output state of the Sbox, we need to adjust the X... 31 Performing a traversal not only requires high time complexity, but more importantly, it makes it impossible to filter keys using a difference distribution table; however, in this case, there exists an active S-box in round 31, which can be used to solve for rk. 30 The one-byte information, although injected at this location has a positive effect on the recovery key, cannot recover the 32nd round subkey rk. 31 Therefore, this position is considered invalid, and the ciphertext now has an 8-byte difference.
[0067] The eighth type of fault injection location: Input X in round 31. 30 A single-byte fault occurred, X 30 The single-byte difference is propagated to the output X of the 31st round according to the original difference. 34 And X 30 X will no longer participate in other calculations. 34 The single-byte difference affects the output X of the 32nd round under the action of the round function. 35 The four bytes, therefore X in the output of round 32 34 Single-byte difference exists, X 35 All four bytes of the difference are non-zero, for a total of 5 bytes of difference.
[0068] This situation is the same as the first case, and rk can be solved using the difference distribution table. 31 The one-byte key is also considered valid at this injection location, and the ciphertext has a 5-byte difference.
[0069] The (9th) type of fault injection location: Input X in round 30. 32 A single-byte failure occurred, and after the 30th round of the round function, X 32 The single-byte differential propagation to the 30th round output X 33 The four bytes, input X in round 31 32 Single-byte difference exists, X 33 There is a four-byte difference, while the rest of the inputs have no difference. The XOR operation does not eliminate the difference, therefore the output in round 31 is X. 34 There is also a four-byte difference; similarly, the output X in round 32... 35 The four bytes of the difference are all non-zero, except for X. 35 In addition, X in the 32nd round output 32 X 33 X 34All are obtained directly by pulling the wire, and there are single-byte, four-byte, and four-byte differences respectively, for a total of 13 bytes of differences.
[0070] In this scenario, all four Sboxes in rounds 32 and 31 are active, while only one Sbox is active in round 30. Furthermore, the input-output difference of each active Sbox can be uniquely determined from the ciphertext, allowing for effective candidate key selection. This means that the injection position can simultaneously recover rk. 31 All key bytes, using the recovered rk 31 After decrypting the ciphertext once, the rk can be recovered simultaneously. 30 All key bytes, similarly using the recovered rk 30 Continue decrypting for another round to recover rk. 29 The key is a one-byte key, so the injection position is valid, and the ciphertext now has a 13-byte difference.
[0071] Type (10) fault injection location: Input X in round 30 31 A single-byte fault occurs at the same location as the fault injection point of type (9), which can both lead to X in the output of round 32. 33 X 34 X 35 The four-byte differences are all non-zero, but because X 31 Unlike X 32 The output of round 32 can be directly reflected by the string, but it is not added to the calculation as the input of round 32. Therefore, X in the output of round 32 is... 32 All four bytes of difference are 0, so the output of round 32 has a total of 12 bytes of difference.
[0072] Although the fault injection location is the same as that of the (9th) type of fault injection location, both of which can cause all four Sboxes in rounds 32 and 31 to be in an active state, and one active Sbox in round 30; however, due to the occurrence of a single-byte fault X 31 By using a string as input to the round function operation in round 32, the output difference of the four active Sboxes in round 32 changes from a deterministic state to an indeterminate state, making it impossible to effectively select candidate keys based on the difference distribution table. For other active Sboxes, the input and output differences can be uniquely determined, reducing the key set. However, since it is meaningless for the recovery of the subkey rk31 in round 32, this position is considered invalid. At this time, the ciphertext has 12 bytes of difference.
[0073] For the fault injection location of type (11), similar to type (10), both can result in a 12-byte difference in the output of round 32, and the difference bytes are exactly the same; the only difference is that X of the fault injection location of type (11) 30This results in uncertain output differences for the four active Sboxes in round 31, while the remaining active Sboxes can be used for candidate key selection, although this injection position can effectively recover rk. 31 However, its differential bytes in the ciphertext are exactly the same as the injection position of the (10) type, and cannot be distinguished, so this position is also considered invalid.
[0074] The 12th type of fault injection location: Input X in round 30 29 A single-byte failure occurred due to X 29 In round 30, only the XOR operation was performed, so the single-byte difference propagated to the output X of round 30 in the original pattern. 33 Through the action of the round function in rounds 31 and 32, X 34 X 35 The four-byte differences are all non-zero, so the output of the 32nd round has a total of 9 bytes of differences.
[0075] The fault injection location caused all four Sboxes in rounds 31 and 32 to be active, and the input-output difference of each Sbox can be uniquely determined, so the injection location is considered valid, and the ciphertext has 9 bytes of difference at this time.
[0076] Fault injection locations of types (13), (14), and (15): respectively at input X in round 29. 31 X 30 X 29 A single-byte fault occurred. After rounds 29-32, X was found in the output of round 32. 32 X 33 X 34 X 35 The four-byte differences are all non-zero, meaning that the output of round 32 has a total of 16 bytes of differences.
[0077] All three scenarios result in all four Sboxes being active in rounds 30, 31, and 32, and one Sbox being active in round 29. Furthermore, the output differential states of the four Sboxes in rounds 32, 31, and 30 become uncertain, preventing effective key filtering. For the other active Sboxes, however, the input-output differentials are uniquely determined, allowing key recovery using the differential distribution table. Therefore, these three injection positions seem like valid injection points. However, at this point, all bytes of the ciphertext are active. If the injection position is located in any intermediate state before the input of round 29, all bytes of the ciphertext will become active. In more extreme cases, the output differentials of all active Sboxes in rounds 29-32 will become uncertain, preventing effective filtering of the subkeys in the last four rounds using the differential distribution table. Therefore, we cannot eliminate this invalid faulty ciphertext based on its differential state, and thus consider these three injection positions invalid.
[0078] The 16th type of fault injection location: Input X in round 29 28 A single-byte failure, similar to the previous analysis, will cause the output X of the 29th round to be affected by the round function. 32 There is single-byte difference, and the output X of rounds 30-32 33 X 34 X 35 All four bytes of the difference are non-zero, so there are 13 bytes of difference in the output of the 35th round.
[0079] The fault injection location resulted in an active Sbox in round 30, and all four Sboxes in rounds 31 and 32 were active. Since the input-output difference was uniquely determined, the injection location was effective, and the ciphertext had a 13-byte difference.
[0080] In summary, since we cannot know the specific fault location or the specific fault value injected in real differential fault analysis, but can only obtain the ciphertext state, the only information we can use is the ciphertext differential. Table 1 summarizes the above analysis.
[0081] Table 1: Ciphertext Differential Feedback
[0082]
[0083] As shown in Table 1, when the number of ciphertext differential bytes is 5, 9, or 13, all active Sboxes can effectively perform key filtering. When the number of ciphertext differential bytes is 8 or 12, there are invalid active Sboxes, and the remaining valid active Sboxes cannot effectively recover the last round subkey; we consider this an invalid mode. When the number of ciphertext differential bytes is 16, since there are many injection positions that could lead to this ciphertext mode, and the validity of the faulty ciphertext cannot be identified solely based on the ciphertext differential state, it is considered an invalid ciphertext differential mode. When the number of ciphertext differential bytes is 5, 9, or 13, there is an additional restriction: the leftmost bytes in the ciphertext are always all active first. For example, when the number of ciphertext differential bytes is 5, these 5 active bytes always include the high 4 bytes of the ciphertext.
[0084] S2: Collect fault ciphertext.
[0085] According to the key expansion algorithm, to recover the 128-bit master key of the SM4 block cipher algorithm, it is necessary to recover the last four rounds of subkeys first. Based on the valid ciphertext patterns summarized in S1), the last three rounds of subkeys can be recovered if enough faulty ciphertexts are collected. There are generally two approaches to recovering the last four rounds of subkeys:
[0086] (1) Recovering subkeys while collecting faulty ciphertexts: When a valid ciphertext pattern is encountered in a faulty ciphertext, the key is solved by ciphertext difference. When the last round of subkeys is uniquely determined, each subsequent faulty ciphertext is decrypted, and the intermediate state at this time is used as the new ciphertext. The previous operation is repeated until the last four rounds of subkeys are completely recovered.
[0087] (2) First collect enough faulty ciphertexts, and then perform differential analysis to recover the subkey: During the ciphertext collection stage, the effective ciphertext mode needs to be adjusted. First, when the number of differential bytes in the ciphertext is 8 and 12, the subkey of the previous round can be effectively solved, so this is considered an effective mode. Second, in order to recover the subkey of the fourth to last round, there must be an active Sbox in the fourth to last round, which will result in all 16 bytes of the ciphertext being active. Therefore, the number of differential bytes in the ciphertext is 16, which is considered an effective mode. During the differential analysis stage, the effective ciphertext mode in step 1) is still used for key recovery.
[0088] The present invention adopts the second strategy because the first strategy discards the cases where the number of ciphertext differential bytes is 8 and 12 as invalid modes, thus failing to make full use of the effective information therein.
[0089] Currently, there are two techniques for fault injection at the software level: dynamic injection and static injection.
[0090] Dynamic injection modifies the binary image of the target system during its normal operation to achieve fault injection. Because this type of injection is based on the target system's operating state or conditions, dynamic injection offers great flexibility. Static injection, on the other hand, primarily alters the original program through program mutation, causing static errors in the target system files and resulting in runtime failures. Static injection has the advantage of faster execution speed compared to dynamic injection, making it more suitable for differential fault analysis, as it requires collecting a sufficient amount of fault ciphertext and necessitates multiple injections. Therefore, this invention employs static injection to inject faults, requiring only the copying of the original encrypted program (or table, if the table is stored separately in a file) and modification of a single byte to complete the fault injection.
[0091] After the fault injection is complete, the output fault ciphertext can help determine the nature of the injected fault:
[0092] (1) Program crashes / execution time increases significantly / output ciphertext format changes.
[0093] This indicates that the fault was not injected into the intermediate state value, but rather into a critical part of the program execution.
[0094] (2) The faulty ciphertext is the same as the correct ciphertext.
[0095] This indicates that the fault was injected into an area that was not used during the encryption process, or that the fault at this point is exactly the same as the original state.
[0096] (3) The faulty ciphertext has only one byte faulty compared to the correct ciphertext.
[0097] This indicates that the fault injection occurred too late, and the differential signal did not undergo the linear transformation L.
[0098] (4) A valid ciphertext pattern appears in the faulty ciphertext.
[0099] This indicates that the encrypted message containing the fault should be preserved at this point.
[0100] S3: Differential analysis and key recovery.
[0101] Once the faulty ciphertext collection is complete, the ciphertext difference can be obtained. Figure 4 It demonstrates how to perform differential analysis based on ciphertext differentials and how to recover the subkey.
[0102] Because the SM4 block cipher algorithm is a four-branch Feistel structure, part of the ciphertext is directly obtained by drawing lines from the partial input of the last round. This is equivalent to the value of A in the diagram being derived from the ciphertext X. 32 ⊕X 33 ⊕X 34 It is found that the XOR key does not affect the difference value, which means that the input difference ΔZ of the Sbox can be directly obtained from the ciphertext difference; when the number of ciphertext difference bytes is 5, 9, or 13, ΔX 31 =0, therefore ΔC = ΔX 35 Since the linear transformation L is an invertible operation, the output difference ΔB of the Sbox can be obtained through the inverse operation of the linear transformation L. That is, the input and output difference of the Sbox can be uniquely determined by the ciphertext difference. According to the properties of the Sbox difference distribution table, 2 8 The total key space is reduced to a maximum of 4 candidate keys, where the candidate key set is... ΔA refers to the XOR value of A obtained from correct encryption and A1 obtained from faulty encryption. Continue to use other ciphertext pairs to filter the key until the key is uniquely determined. The same operation can be repeated for the recovery of the other three rounds of subkeys. After solving the four rounds of subkeys, use the key expansion algorithm to solve the subkey of each round and finally obtain the master key.
[0103] In this embodiment, regarding The difference distribution table is an important indicator for measuring the security of the Sbox, and it can intuitively reflect the difference distribution characteristics of the Sbox. Its definition is as follows:
[0104] Assumption ,from arrive The nonlinear mapping (also known as the Sbox) is denoted as It is an m-in, n-out Sbox, given , ,definition:
[0105]
[0106]
[0107] By iterating through all possible... It is possible to construct a The table, where α is the row number, β is the column number, and the items at the intersection of rows and columns are... The table constructed in this way is the difference distribution table of the Sbox.
[0108] For the SM4 algorithm For ox, it is a... arrive The nonlinear mapping, i.e., the 8-in-8-out table, has the following characteristics in its difference distribution table: when the input difference... At that time, there will be 127 possible output differences, and one output difference satisfies The remaining 126 output differences all satisfy .
[0109] Based on the above characteristics, we can perform differential attacks on the Sbox, such as... Figure 5 Assuming the encryption function is , where x is the input, k is the encryption key, and y is the output.
[0110] like Figure 6 As shown, when the adversary uses the input pair and obtain the corresponding outputs respectively. The input pairs satisfy The output pairs satisfy In this formula, k is an unknown, and there are a total of 100 possible values. Based on the difference distribution table of the Sbox in the SM4 algorithm, the species can be determined. The number of species may be reduced to a maximum of four, because The following relationship must be satisfied: ,in The maximum value is 4.
[0111] According to the characteristics of the Sbox in the SM4 block cipher algorithm, when both the input difference α and the output difference β of the Sbox are not 0, There are 126 items. If there is one item, then the average number of candidate keys after a pair of ciphertext filtering is: On average, only two different fault ciphertexts are needed to successfully recover a one-byte key.
[0112] The method described in this invention has been applied to the Chow lookup table scheme, the bool scheme protected by second-order / third-order linear masks, and the bool scheme protected by Biryukov nonlinear masks, and the key has been successfully recovered, as shown in Table 2.
[0113] Table 2: Recovery Key Information
[0114]
[0115] Example 2:
[0116] Embodiment 2 of the present invention provides a differential fault analysis system for white-box protection of the SM4 block cipher algorithm, comprising:
[0117] The fault model determination module is configured to: determine the fault model of the SM4 block cipher algorithm based on all possible injection positions of the SM4 block cipher algorithm, wherein the fault model includes at least: when the number of ciphertext differential bytes is a first value, a second value, and a third value, all active Sboxes can effectively perform key filtering, and the mode with the first value, the second value, and the third value is the valid ciphertext mode.
[0118] The four-round self-key generation module is configured to: obtain the last four round subkeys based on the acquired faulty ciphertext and valid ciphertext patterns, including: adjusting the valid ciphertext pattern during the ciphertext collection stage; when the number of differential bytes in the ciphertext reaches the fourth and fifth values, the subkeys of the previous round can be solved, and this is considered a valid ciphertext pattern; in the fourth to last round, there is an active Sbox, and the sixth value of the ciphertext bytes are all active, and the sixth value of the ciphertext differential bytes is considered a valid ciphertext pattern; during the differential analysis stage, the key is recovered using the valid ciphertext pattern to obtain the final subkey of the fourth to last round.
[0119] The master key generation module is configured to: solve for the subkey of each round using the key expansion algorithm based on the obtained last four round subkeys, and finally obtain the master key of the SM4 block cipher algorithm.
[0120] The working methods of each module of the system are the same as the differential fault analysis method for white-box protection of the SM4 block cipher algorithm provided in Example 1, and will not be repeated here.
[0121] Example 3:
[0122] Embodiment 3 of the present invention provides a computer-readable storage medium having a program stored thereon. When executed by a processor, the program implements the steps in the differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in Embodiment 1 of the present invention.
[0123] Example 4:
[0124] Embodiment 4 of the present invention provides an electronic device, including a memory, a processor, and a program stored in the memory and executable on the processor. When the processor executes the program, it implements the steps in the differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in Embodiment 1 of the present invention.
[0125] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A differential fault analysis method for white-box protection of the SM4 block cipher algorithm, characterized in that, The process includes the following: Based on all possible injection points of the SM4 block cipher algorithm, a fault model for the SM4 block cipher algorithm is determined, wherein the fault model includes at least the following: when the number of ciphertext differential bytes is a first value, a second value, and a third value, all active Sboxes can effectively perform key filtering, and the mode with the first value, the second value, and the third value is the valid ciphertext mode. Based on the obtained faulty ciphertext and valid ciphertext pattern, the subkeys for the last four rounds are obtained, including: during the ciphertext collection stage, the valid ciphertext pattern needs to be adjusted. When the number of differential bytes in the ciphertext reaches the fourth and fifth values, the subkeys of the previous round can be solved. This is considered a valid ciphertext pattern. In the fourth to last round, there is an active Sbox. All bytes of the sixth value in the ciphertext are active. The number of differential bytes in the ciphertext is the sixth value, which is considered a valid ciphertext pattern. During the differential analysis stage, the key is recovered using the valid ciphertext pattern to obtain the final subkey for the fourth to last round. Based on the obtained last four rounds of subkeys, the subkey for each round is solved using the key expansion algorithm, and finally the master key for the SM4 block cipher algorithm is obtained.
2. The differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in claim 1, characterized in that, The first value is 5, representing 5 differential bytes in the ciphertext; the second value is 9, representing 9 differential bytes in the ciphertext; the third value is 13, representing 13 differential bytes in the ciphertext; the fourth value is 8, representing 8 differential bytes in the ciphertext; the fifth value is 12, representing 12 differential bytes in the ciphertext; and the sixth value is 16, representing 16 differential bytes in the ciphertext.
3. The differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in claim 1, characterized in that, During the differential analysis phase, key recovery is performed using the effective ciphertext pattern to obtain the final penultimate round subkey, which also includes: For any of the subkeys in the last four rounds, the input-output difference of the Sbox is uniquely determined by the ciphertext difference. According to the Sbox difference distribution table, the full key space of the SM4 block cipher algorithm is reduced to a maximum of 4 candidate keys. The key selection is continued using other ciphertext pairs until the subkey of this round is uniquely determined.
4. The differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in claim 1, characterized in that, If the program crashes after fault injection, or the execution time becomes longer, or the output ciphertext format changes, then the fault was not injected into the intermediate state value. If the faulty ciphertext is the same as the correct ciphertext, then the fault was injected into an unused area during the encryption process, or the fault at this time is exactly the same as the original state. If the faulty ciphertext has only one byte faulty compared to the correct ciphertext, then the fault injection is too late and the difference has not undergone a linear transformation. If a valid ciphertext pattern appears in the faulty ciphertext, the faulty ciphertext is preserved.
5. A differential fault analysis system for white-box protection of the SM4 block cipher algorithm, characterized in that, include: The fault model determination module is configured to: determine the fault model of the SM4 block cipher algorithm based on all possible injection positions of the SM4 block cipher algorithm, wherein the fault model includes at least: when the number of ciphertext differential bytes is a first value, a second value, and a third value, all active Sboxes can effectively perform key filtering, and the mode with the first value, the second value, and the third value is the valid ciphertext mode. The four-round subkey generation module is configured to: obtain the final four round subkeys based on the acquired faulty ciphertext and valid ciphertext patterns, including: adjusting the valid ciphertext pattern during the ciphertext collection stage; when the number of differential bytes in the ciphertext reaches the fourth and fifth values, the subkeys of the previous round can be solved, and this is considered a valid ciphertext pattern; in the fourth to last round, there is an active Sbox, and the sixth value of the ciphertext bytes are all active, and the sixth value of the ciphertext differential bytes is considered a valid ciphertext pattern; during the differential analysis stage, the key is recovered using the valid ciphertext pattern to obtain the final subkey of the fourth to last round. The master key generation module is configured to: solve for the subkey of each round using the key expansion algorithm based on the obtained last four round subkeys, and finally obtain the master key of the SM4 block cipher algorithm.
6. The differential fault analysis system for white-box protection of the SM4 block cipher algorithm as described in claim 5, characterized in that, The first value is 5, representing 5 differential bytes in the ciphertext; the second value is 9, representing 9 differential bytes in the ciphertext; the third value is 13, representing 13 differential bytes in the ciphertext; the fourth value is 8, representing 8 differential bytes in the ciphertext; the fifth value is 12, representing 12 differential bytes in the ciphertext; and the sixth value is 16, representing 16 differential bytes in the ciphertext.
7. The differential fault analysis system for white-box protection of the SM4 block cipher algorithm as described in claim 5, characterized in that, During the differential analysis phase, key recovery is performed using the effective ciphertext pattern to obtain the final penultimate round subkey, which also includes: For any of the subkeys in the last four rounds, the input-output difference of the Sbox is uniquely determined by the ciphertext difference. According to the Sbox difference distribution table, the full key space of the SM4 block cipher algorithm is reduced to a maximum of 4 candidate keys. The key selection is continued using other ciphertext pairs until the subkey of this round is uniquely determined.
8. The differential fault analysis system for white-box protection of the SM4 block cipher algorithm as described in claim 5, characterized in that, If the program crashes after fault injection, or the execution time becomes longer, or the output ciphertext format changes, then the fault was not injected into the intermediate state value. If the faulty ciphertext is the same as the correct ciphertext, then the fault was injected into an unused area during the encryption process, or the fault at this time is exactly the same as the original state. If the faulty ciphertext has only one byte faulty compared to the correct ciphertext, then the fault injection is too late and the difference has not undergone a linear transformation. If a valid ciphertext pattern appears in the faulty ciphertext, the faulty ciphertext is preserved.
9. A computer-readable storage medium having a program stored thereon, characterized in that, When executed by the processor, the program implements the steps in the differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in any one of claims 1-4.
10. An electronic device comprising a memory, a processor, and a program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the steps in the differential fault analysis method for white-box protection of the SM4 block cipher algorithm as described in any one of claims 1-4.