Attack method, device and equipment for SM2 cryptographic algorithm and medium
By injecting a fault into the original random number during SM2 signing so that an erroneous random number is used, computing the difference between the erroneous and correct intermediate values, and combining the result with a lattice basis reduction algorithm to recover the signature private key, the method overcomes the drawback of existing attacks, which are easy to defend against and hard to carry through to key recovery, and achieves efficient recovery of the signature private key.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHENZHEN INST OF ADVANCED TECH CHINESE ACAD OF SCI
- Filing Date
- 2023-11-21
- Publication Date
- 2026-06-12
AI Technical Summary
Existing attack methods against the SM2 cryptographic algorithm are easy to defend against and hard to carry through to key recovery, so they cannot effectively recover the signature private key.
By injecting a preset-time fault into a preset-length byte of the original random number during SM2 signing, an erroneous random number and hence an erroneous signature pair are produced. The difference between the erroneous intermediate value and the correct intermediate value is computed, and the signature private key is recovered with a lattice basis reduction algorithm.
This permits a brief attack during the signing process, lowering the difficulty of key recovery, raising the success rate of the attack, and recovering the signing private key exactly.
Abstract figure: CN117459240B_ABST
Description
Technical Field
[0001] This invention relates to the field of information security technology, specifically to an attack method, apparatus, device, and medium targeting the Chinese national cryptographic algorithm SM2.
Background Technology
[0002] Secure and reliable cryptographic chips are crucial to information security. Elliptic curve cryptography, an asymmetric (public-key) cryptographic algorithm, is widely used for signature authentication, data encryption and decryption, and key exchange. It has small parameters, fast processing and short signatures, which makes it well suited to the vehicle-to-everything (V2X) environment, where processing power, storage, bandwidth and power consumption are limited, and it has become the domestically developed public-key cryptographic scheme in China's V2X security technology. In recent years, however, security chips have become vulnerable to fault injection attacks, which challenge their security: an attacker injects transient logical faults while the cryptographic algorithm executes and, by analysing the correct and faulty outputs, may ultimately recover the key.
[0003] To address this challenge, research into novel fault injection attack methods is essential; it lets designers identify potential risks in algorithms and hardware early and build in appropriate countermeasures during the design phase. Depending on the target of the fault, existing attacks can be categorised as attacks on the base point and attacks on the elliptic curve parameters. The core idea of both is to make the base point fall on a weak elliptic curve, which lowers the complexity of the elliptic curve discrete logarithm problem (ECDLP) and ultimately yields the private key. However, both attacks are highly complex and involve a degree of randomness, which makes them hard to carry out and easy to defend against.
Summary of the Invention
[0004] In view of this, the present invention provides an attack method and apparatus for the national cryptographic algorithm SM2, to solve the problems that existing attacks are easy to defend against and hard to carry through to key recovery.
[0005] In a first aspect, the present invention provides an attack method against the Chinese national cryptographic algorithm SM2, the method comprising:
[0006] During the SM2 signature process, a fault injection with a preset time is performed on the preset number of bytes of the generated original random number to generate an erroneous random number;
[0007] Obtain the error signature pair generated after the fault injection at a preset time, and calculate the intermediate error value determined by the error random number based on the error signature pair;
[0008] Perform SM2 verification on erroneous signature pairs and obtain the correct intermediate value determined by the original random number during the SM2 verification process;
[0009] The difference between the incorrect intermediate value and the correct intermediate value is calculated to obtain the preset number of bytes of the original random number;
[0010] The step of injecting a preset-time fault into the preset-length byte of the generated original random number during SM2 signing is repeated until a preset number of erroneous signature pairs and the corresponding preset-length bytes of the original random numbers have been collected; the SM2 signature private key is then obtained from the preset number of erroneous signature pairs and the preset-length bytes of the original random numbers.
[0011] The attack method against the SM2 cryptographic algorithm provided in this invention injects a preset-time fault into a preset-length byte of the original random number during the SM2 signing process to generate an erroneous random number. The erroneous signature pair generated after the preset-time fault injection is obtained; the erroneous intermediate value determined by the erroneous random number is calculated from the erroneous signature pair, and the correct intermediate value determined by the original random number is obtained by verifying the erroneous signature pair. The difference between the erroneous and correct intermediate values is calculated to obtain the preset-length byte of the original random number. This process is repeated to obtain a preset number of erroneous signature pairs and preset-length bytes of the original random numbers, from which the SM2 signing private key is finally obtained. Because the fault injected into the original random number is brief, the attack on the signing process is brief and hard for the attacked party to defend against; and because the signing private key can be recovered from the erroneous signature pairs collected after the attack, the difficulty of key recovery is reduced.
[0012] In one optional implementation, injecting the preset-time fault into the preset-length byte of the generated original random number to generate the erroneous random number includes: reading the original random number stored in the first register into the second register; and inverting the preset bits of the preset-length byte of the original random number in the second register to generate the erroneous random number.
[0013] This invention briefly inverts preset bits of a preset-length byte of the original random number at a particular calculation step in the signing process, which makes the attack hard to detect and therefore hard for the attacked party to defend against, increasing the success rate of the attack.
[0014] In one optional implementation, after generating the erroneous random number, the method further includes: obtaining an erroneous intermediate value based on the product of the erroneous random number in the second register and a known base point; reading the original random number stored in the first register and storing it in the third memory; and generating an erroneous signature pair according to a preset signature pair calculation formula based on the erroneous intermediate value and the original random number in the third memory.
[0015] This invention injects a pre-set time fault into the original random number during the signing process, which ensures that the intermediate value calculation in the signing process is incorrect, but subsequent calculations are still performed using the original random number. This allows the correct intermediate value determined by the original random number to be obtained in the subsequent attack and cracking process, thereby providing the possibility for attack and cracking.
[0016] In one alternative implementation, calculating the erroneous intermediate value determined by the erroneous random number from the erroneous signature pair includes: starting from the first formula, which computes r in the signature pair from the x-coordinate of the intermediate value during SM2 signing (r = (e + x1) mod n), deriving a second formula that computes that x-coordinate from the signature pair (x1 = (r − e) mod n), and using the second formula together with the erroneous signature pair to compute the x-coordinate of the erroneous intermediate value; and substituting this x-coordinate into the SM2 elliptic curve equation to obtain the y-coordinate of the erroneous intermediate value.
[0017] This invention reverses the process of calculating signature pairs from intermediate values during the signing process, thereby enabling the calculation of erroneous intermediate values determined by erroneous random numbers from erroneous signature pairs. This is equivalent to identifying errors in the signature attack process, further providing possibilities for attack and cracking.
[0018] In one optional implementation, the process of obtaining the correct intermediate value determined by the original random number during the signature verification process includes: obtaining the correct intermediate value according to the third formula for calculating the preset coordinate point on the SM2 elliptic curve based on the erroneous signature pair during the SM2 signature verification process, wherein the correct intermediate value is verified to be determined by the original random number through formula derivation.
[0019] This invention derives the formula for the signature verification process and can verify that injecting a fault into the random number at a preset time does not affect the intermediate value during the verification process. That is, the intermediate value obtained during the signature verification process is determined by the original random number after the fault injection at the preset time. Therefore, by performing normal signature verification on erroneous signature pairs, the correct intermediate value can be obtained.
[0020] In one optional implementation, obtaining the preset-length byte of the original random number by a difference calculation on the erroneous and correct intermediate values includes: subtracting the erroneous intermediate value from the correct intermediate value, which yields the product of the known base point and the difference between the preset-length byte of the original random number and that of the erroneous random number; finding that difference by traversal (multiplying the base point by each candidate difference until the result matches); using the fact that the preset bits of the preset-length byte were inverted, so that the preset-length byte of the erroneous random number is the bitwise complement of that of the original random number, to obtain the sum of the two bytes; and combining the difference and the sum to compute the preset-length byte of the original random number.
[0021] Based on the characteristics of random numbers, this invention can calculate the preset number of bytes of the original random number and the erroneous random number by calculating the difference between the erroneous intermediate value and the correct intermediate value, thereby accurately obtaining the private key without having to gradually narrow down the search range to derive the private key, thus increasing the possibility of cracking the signature private key.
[0022] In one optional implementation, obtaining the SM2 signature private key from the preset number of erroneous signature pairs and preset-length bytes of the original random numbers includes: using a fourth formula derived from the SM2 signing process, which computes the signature pair from the SM2 signature private key and the original random number (s = (1 + d_A)⁻¹·(k − r·d_A) mod n), and a fifth formula derived from the fourth, which computes the SM2 signature private key from the signature pair and the original random number (d_A = (k − s)·(r + s)⁻¹ mod n); using the relationship between the preset-length byte of the original random number and the full random number together with the fifth formula to construct a closest vector problem; and solving that closest vector problem with a lattice basis reduction algorithm to obtain the SM2 signature private key.
[0023] By constructing the hidden number problem expressed by the fifth formula, this invention reduces recovery of the signature private key to a closest vector problem, which is then solved with a lattice basis reduction algorithm, so that the attack succeeds in recovering the private key.
[0024] In a second aspect, the present invention provides an attack device targeting the Chinese national cryptographic algorithm SM2, the device comprising:
[0025] The fault injection module is used to inject a fault into the preset number of bytes of the generated original random number during the SM2 signing process at a preset time to generate an erroneous random number.
[0026] The first calculation module is used to obtain the error signature pair generated after the fault injection at a preset time, and to calculate the error intermediate value determined by the error random number based on the error signature pair;
[0027] The second calculation module is used to perform SM2 verification on erroneous signature pairs and obtain the correct intermediate value determined by the original random number during the SM2 verification process.
[0028] The third calculation module is used to perform differential calculation on the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number;
[0029] The private key derivation module is used to repeatedly return the steps of injecting a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number, until a preset number of erroneous signature pairs and a preset number of bytes of the original random number are generated, and the SM2 signing private key is obtained based on the preset number of erroneous signature pairs and the preset number of bytes of the original random number.
[0030] The attack apparatus against the SM2 cryptographic algorithm provided in this invention injects a preset-time fault into a preset-length byte of the original random number during the SM2 signing process, generating an erroneous random number. It then obtains an erroneous signature pair generated after the preset-time fault injection, calculates an erroneous intermediate value determined by the erroneous random number based on the erroneous signature pair, verifies the erroneous signature pair to obtain a correct intermediate value determined by the original random number, and performs a difference calculation between the erroneous and correct intermediate values to obtain a preset-length byte of the original random number. This process is repeated to obtain a preset number of erroneous signature pairs and a preset-length byte of the original random number. Finally, the SM2 signing private key is obtained based on the preset number of erroneous signature pairs and the preset-length byte of the original random number. This invention, through its attack method of injecting a brief fault into the original random number during the signing process, can launch a brief attack on the signing process, making it difficult for the attacked party to defend against. Furthermore, it can crack the signing private key based on the erroneous signature pairs after the attack, reducing the difficulty of the attack.
[0031] In a third aspect, the present invention provides a computer device comprising a memory and a processor that are communicatively connected to each other; the memory stores computer instructions, and the processor executes the computer instructions to perform the attack method against the SM2 cryptographic algorithm described in the first aspect or any corresponding embodiment thereof.
[0032] In a fourth aspect, the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to execute the attack method against the SM2 cryptographic algorithm described in the first aspect or any corresponding embodiment thereof.
Attached Figure Description
[0033] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0034] Figure 1 is a flowchart of an attack method against the SM2 cryptographic algorithm according to an embodiment of the present invention;
[0035] Figure 2 is a flowchart of the signature algorithm of the SM2 cryptographic algorithm according to an embodiment of the present invention;
[0036] Figure 3 is a flowchart of the signature verification algorithm of the SM2 cryptographic algorithm according to an embodiment of the present invention;
[0037] Figure 4 is a flowchart of another attack method against the SM2 cryptographic algorithm according to an embodiment of the present invention;
[0038] Figure 5 is a schematic diagram of the attack process of another attack method against the SM2 cryptographic algorithm according to an embodiment of the present invention;
[0039] Figure 6 is a structural block diagram of an attack device against the SM2 cryptographic algorithm according to an embodiment of the present invention;
[0040] Figure 7 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
Detailed Implementation
[0041] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0042] This invention concerns attacks on SM2 signatures. SM2 is the public-key algorithm among China's national cryptographic algorithms and is widely used in information security. Being based on elliptic curve cryptography, SM2 offers high security and high performance: when the largest prime factor of the order n of the base point is sufficiently large, current computing technology cannot break it in practical time. Attacks targeting the base point and attacks targeting the elliptic curve parameters both work by moving intermediate and output points onto a new, weak elliptic curve, but such attacks are easily detected: the implementation can check that every point in the computation lies on the secure curve. Furthermore, these attacks all revolve around the point multiplication operation, but in an actual computation point multiplication is only an intermediate step; the attacker cannot obtain the point multiplication result needed for key recovery, especially from a secure chip. Existing attack methods are therefore very hard to carry out and easy to defend against.
[0043] This invention provides an attack method against the SM2 cryptographic algorithm that injects a transient fault into the original random number of the SM2 signing process to achieve a successful attack and key recovery. It should be noted that the steps shown in the flowcharts of the accompanying drawings can be executed in a computer system, for instance as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps may be executed in an order different from the one shown.
[0044] This embodiment provides an attack method against the Chinese national cryptographic algorithm SM2, which can be run on the aforementioned computer. Figure 1 is a flowchart of an attack method against the SM2 cryptographic algorithm according to an embodiment of the present invention. As shown in Figure 1, the process includes the following steps:
[0045] Step S101: During the SM2 signature process, a preset time fault injection is performed on the preset number of bytes of the generated original random number to generate an erroneous random number.
[0046] Specifically, in the SM2 signature algorithm shown in Figure 2, Z_A is a hash value obtained by concatenating the user's identity information, the curve parameters and the base point information; it can be computed publicly. The hash function H is public, so e = H(Z_A || M) can be precomputed, and the elliptic curve parameters and the base point G are public as well. The SM2 signing process therefore outputs a signature pair (r, s) from the input plaintext M. During signing, a random number k is generated by hardware and stored in register a; whenever a step of the signing process needs k, it is read from register a into register b and used from there.
[0047] In some optional implementations, in the signature algorithm of Figure 2, the random number k is read from register a into register b as the original random number k before step 4. A preset-time fault is then injected into a preset-length byte of the original random number k in register b to generate an erroneous random number k′, while the random number k in register a remains unchanged. In this embodiment the fault is short: it is applied before step 4 executes and lasts only through that step, i.e. it is a transient fault injection. Step 4 of the signature algorithm therefore obtains the erroneous intermediate value Q′ from the product of the erroneous random number k′ and the known base point G. Experimental calculations in this embodiment further show that the transient fault on the preset-length byte of the original random number k should target the lowest n bits of that byte with n ≥ 7 (this n is a bit count, not the order of the base point); however, the probability of a successful fault injection falls as n increases. Balancing success probability against ease of implementation, this embodiment targets the lowest 8 bits of the original random number k, i.e. its lowest byte, but this is not a limitation.
[0048] In some alternative implementations, when other steps use the random number k, the original random number k in register a is reread, and the calculation is performed using the original random number k without injected faults. In this embodiment of the invention, step 5 of the signature algorithm calculates r′ in the signature pair based on the erroneous intermediate value Q′, and step 6 of the signature algorithm calculates s′ in the signature pair based on the original random number k and r′, ultimately generating the erroneous signature pair (r′, s′).
[0049] Step S102: Obtain the error signature pair generated after the fault injection at a preset time, and calculate the error intermediate value determined by the error random number based on the error signature pair.
[0050] Specifically, in this embodiment of the invention, after the user generates an erroneous signature pair (r′, s′) according to the SM2 signing process, the erroneous signature pair (r′, s′) generated by the user based on the erroneous intermediate value Q′ is obtained. Then, based on the formula for calculating r′ in the erroneous signature pair (r′, s′) from the erroneous intermediate value Q′ during the signing process, the erroneous intermediate value Q′ determined by the erroneous random number k′ is deduced.
[0051] Step S103: Perform SM2 verification on the erroneous signature pair and obtain the correct intermediate value determined by the original random number during the SM2 verification process.
[0052] Specifically, in this embodiment the SM2 signature verification algorithm shown in Figure 3 performs its calculations step by step on the signature pair (r, s). In step 6 it computes the SM2 elliptic curve point (x1, y1), i.e. the intermediate value Q, from s in the signature pair, with t = (r + s) mod n and the public key P_A = d_A·G:
[0053] Q = (x1, y1)
[0054]   = sG + tP_A
[0055]   = sG + (r + s)·d_A·G
[0056]   = (1 + d_A)·s·G + r·d_A·G
[0057]   = (1 + d_A)·(1 + d_A)⁻¹·(k − r·d_A)·G + r·d_A·G
[0058]   = (k − r·d_A)·G + r·d_A·G
[0059]   = kG
[0060] As can be seen, every term involving r and s in step 6 of the verification algorithm cancels, and the expression simplifies to kG. Therefore, as long as the original k was used in the signing step that computes s, the verification algorithm yields the correct Q.
[0061] In some optional implementations, the embodiment injects a transient fault into the original random number k during signing; that is, the erroneous random number k′ is used only in step 4 when the intermediate value is computed, while the original random number k is used in every other step. Therefore the intermediate value computed during signature verification is the correct intermediate value Q. The embodiment thus performs SM2 verification of the obtained erroneous signature pair (r′, s′) with the verification algorithm of Figure 3 to obtain the correct intermediate value determined by the original random number.
[0062] Step S104: Perform a difference calculation on the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number.
[0063] Specifically, in this embodiment of the invention, based on the characteristics of random numbers, the error intermediate value Q′ and the correct intermediate value Q are analyzed by differential calculation to obtain the lowest byte lsb(k) of the original random number k without brief fault injection and the lowest byte lsb(k′) of the error random number k′ after brief fault injection.
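Steps S101 to S104 can be exercised end to end. The following Python is an added example written for this page, not code from the patent or its authors: it uses the public sm2p256v1 curve parameters (GB/T 32918) with a plain double-and-add point multiplication, applies the fault only to the step-4 scalar (k′ = k XOR 0xFF, the all-bits-inverted lowest byte of [0079]), recovers the correct Q from verification as in [0053] to [0061], inverts step 5 to get the candidate Q′, and recovers lsb(k) by walking the 511 possible values of (lsb(k) − lsb(k′))·G as described in [0020]. The private key D_TEST, nonce K_TEST and message are constructed test values, and SHA-256 stands in for the SM3-based e = H(Z_A || M), since the differential step does not depend on which hash produced e. It also checks the fifth formula of [0022] and the hidden-number row that step S105 later feeds to lattice reduction.

```python
import hashlib

# Public SM2 curve parameters (sm2p256v1, GB/T 32918). Everything else in this
# block is a constructed example written for this page, not code from the patent.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
# Constructed test private key and nonce (not values taken from the patent).
D_TEST = 0x3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8
K_TEST = 0x59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication, k >= 0."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_neg(pt):
    return (pt[0], -pt[1] % P)

def sm2_sign_faulted(d, e, k, mask=0xFF):
    """Steps 4-6 of SM2 signing under the page's fault model: step 4 reads the
    faulted register b (k' = k XOR mask); steps 5 and 6 re-read the intact k."""
    x1, _ = ec_mul(k ^ mask, G)                 # step 4: Q' = k'G
    r = (e + x1) % N                            # step 5: r' = (e + x1') mod n
    s = pow(1 + d, -1, N) * (k - r * d) % N     # step 6 with the original k
    return r, s

def sm2_verify_point(pub, e, r, s):
    """Step 6 of verification, sG + tP_A with t = (r + s) mod n; equals kG ([0053]-[0059])."""
    return ec_add(ec_mul(s, G), ec_mul((r + s) % N, pub))

def faulty_point_candidates(e, r):
    """Invert step 5: x1' = (r - e) mod n (try x and x + n since x1' < p), then y1'
    from the curve equation; p = 3 mod 4, so a square root is rhs^((p+1)/4)."""
    cands = []
    for xc in ((r - e) % N, (r - e) % N + N):
        if xc >= P:
            continue
        rhs = (pow(xc, 3, P) + A * xc + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            cands += [(xc, y), (xc, -y % P)]
    return cands

def recover_lsb(Q, q_prime_candidates, width=8):
    """Step S104: Q - Q' = (lsb(k) - lsb(k'))G. Walk every difference in
    [-(2^width-1), 2^width-1] by adding G. All width bits were inverted, so
    lsb(k) + lsb(k') = 2^width - 1 and lsb(k) = (2^width - 1 + diff) / 2."""
    full = (1 << width) - 1
    for qp in q_prime_candidates:
        target = ec_add(Q, ec_neg(qp))
        pt = ec_mul(full, ec_neg(G))            # diff = -full
        for diff in range(-full, full + 1):
            if pt == target:
                return (full + diff) // 2
            pt = ec_add(pt, G)
    return None

def private_key_from_nonce(r, s, k):
    """Fifth formula of [0022]: d = (k - s) * (r + s)^-1 mod n."""
    return (k - s) * pow((r + s) % N, -1, N) % N

def hnp_coefficients(r, s, lsb, width=8):
    """k = 2^width*h + lsb turns the fifth formula into h = A*d + B mod n with
    h < n/2^width: one hidden-number-problem row for the lattice step S105."""
    inv = pow(1 << width, -1, N)
    return inv * (r + s) % N, inv * (s - lsb) % N

def demo(d=D_TEST, k=K_TEST, msg=b"message digest"):
    """One faulted signature: returns (Q == kG, lsb recovered, lsb true,
    d from the full nonce, hnp row holds)."""
    pub = ec_mul(d, G)
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")  # stand-in for H(Z_A || M)
    r, s = sm2_sign_faulted(d, e, k)
    Q = sm2_verify_point(pub, e, r, s)          # correct kG despite the fault
    lsb = recover_lsb(Q, faulty_point_candidates(e, r))
    a_j, b_j = hnp_coefficients(r, s, lsb)
    return (Q == ec_mul(k, G), lsb, k & 0xFF,
            private_key_from_nonce(r, s, k), (a_j * d + b_j) % N == k >> 8)
```

Calling `demo()` runs one faulted signature and returns the recovered and true lowest bytes side by side. Inverting step 5 yields x′1 only modulo n, and the curve equation fixes y′1 only up to sign, so up to four candidate Q′ are tried; a wrong candidate never matches any of the 511 differences, and the loop costs a few hundred point additions. `ec_mul(k_prime, G)` for the k′ of [0080] can be compared against the x′1, y′1 quoted in [0083] and [0084].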
[0064] Step S105: Repeat the steps of injecting a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number, until a preset number of erroneous signature pairs and a preset number of bytes of the original random number are generated, and obtain the SM2 signing private key based on the preset number of erroneous signature pairs and the preset number of bytes of the original random number.
[0065] Specifically, in this embodiment steps S101 to S104 are repeated until a preset number of erroneous signature pairs and the corresponding lowest bytes of the original random numbers are obtained. This embodiment generates at least 50 erroneous signature pairs (r′_j, s′_j) together with lsb(k_j), 1 ≤ j ≤ 50, but is not limited to this. Based on the 50 sets of (r′_j, s′_j) and lsb(k_j), the problem of recovering the signature private key is reduced to a closest vector problem and solved with a lattice basis reduction algorithm. The hidden number problem (HNP) is: given randomly chosen integers t_i ∈ F_p and a fixed unknown integer α, and knowing MSB_l(α·t_i mod p) (the highest l bits of α·t_i mod p) for each i, recover α. The closest vector problem (CVP) is: given a lattice L of rank m and a target vector t ∈ R^m, find a lattice vector v ∈ L such that ||v − t|| ≤ ||u − t|| for every u ∈ L.
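The reduction from the recovered bytes to a closest vector instance, written out as an added derivation that is not part of the patent text; it uses the page's symbols, with $b_j = \mathrm{lsb}(k_j)$ the byte recovered in step S104 and $h_j$ the unknown upper 248 bits of $k_j$:

From step 6 of signing, $s_j \equiv (1+d_A)^{-1}(k_j - r_j d_A) \pmod n$, so
$$k_j \equiv s_j + (r_j + s_j)\, d_A \pmod n, \qquad d_A \equiv (k_j - s_j)(r_j + s_j)^{-1} \pmod n .$$
Writing $k_j = 2^8 h_j + b_j$ with $b_j$ known and $0 \le h_j < n/2^8$,
$$h_j \equiv A_j d_A + B_j \pmod n, \qquad A_j = 2^{-8}(r_j + s_j) \bmod n, \qquad B_j = 2^{-8}(s_j - b_j) \bmod n .$$
This is a hidden number problem with $d_A$ as the hidden number: each $A_j d_A + B_j \bmod n$ is known to be small (its top 8 bits are zero). For $m$ such triples take the lattice $L$ spanned by the rows of
$$\begin{pmatrix} n & & & 0 \\ & \ddots & & \vdots \\ & & n & 0 \\ A_1 & \cdots & A_m & 2^{-8} \end{pmatrix}$$
and the target $t = (-B_1, \ldots, -B_m, 0)$. The lattice vector $v = (A_1 d_A + c_1 n, \ldots, A_m d_A + c_m n, 2^{-8} d_A)$ with suitable integers $c_j$ satisfies
$$v - t = (h_1, \ldots, h_m, 2^{-8} d_A), \qquad \|v - t\| \le \sqrt{m+1}\; n / 2^8, \qquad \det L = n^m 2^{-8},$$
so $v$ is exceptionally close to $t$. Solving CVP for $t$ (lattice basis reduction followed by Babai's nearest-plane rounding) returns $v$, and $d_A = 2^8 v_{m+1}$. Heuristically the closest vector is unique once the leaked bits $8m$ exceed $\log_2 n = 256$ by a margin, i.e. $m > 32$; the embodiment's 50 signatures provide that margin.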
[0066] This invention provides an attack method against the SM2 cryptographic algorithm, which injects a pre-set time fault into the lowest byte of the original random number during the SM2 signing process to generate an erroneous random number. It then obtains an erroneous signature pair generated after the pre-set time fault injection, calculates an erroneous intermediate value determined by the erroneous random number based on the erroneous signature pair, verifies the erroneous signature pair to obtain a correct intermediate value determined by the original random number, and performs a difference calculation between the erroneous and correct intermediate values to obtain the lowest byte of the original random number. This process is repeated to obtain a pre-set number of erroneous signature pairs and the lowest byte of the original random number, and finally, the SM2 signing private key is obtained based on these pre-set number of erroneous signature pairs and the lowest byte of the original random number. This invention, by injecting a brief fault into the original random number during the signing process, can launch a brief attack on the signing process, making it difficult for the attacked party to defend against. Furthermore, it allows the signing private key to be cracked based on the erroneous signature pairs after the attack, reducing the difficulty of the attack.
[0067] This embodiment provides an attack method against the Chinese national cryptographic algorithm SM2, which can be run on the aforementioned computer. Figure 4 is a flowchart of an attack method against the SM2 cryptographic algorithm according to an embodiment of the present invention. As shown in Figure 4, the process includes the following steps:
[0068] Step S401: During the SM2 signature process, a preset time fault injection is performed on the preset number of bytes of the generated original random number to generate an erroneous random number.
[0069] Specifically, step S401 includes:
[0070] Step S4011: Read the original random number stored in the first register and store it in the second register. See step S101 of the embodiment of Figure 1 for details; it is not repeated here.
[0071] Step S4012: Invert the preset bits of the preset bit length byte of the original random number in the second register to generate an erroneous random number.
[0072] Specifically, this embodiment of the invention selects the Weierstrass elliptic curve defined over the prime field F_p, whose equation is as follows:
[0073] E: y^2 = x^3 + ax + b
[0074] where a and b are parameters defining the shape of the curve. When 4a^3 + 27b^2 ≠ 0 in F_p, the curve defined by this equation is a non-singular elliptic curve. Over the prime field F_p there are only finitely many points on the elliptic curve; the number of points on the elliptic curve is called the order of the elliptic curve. The curve parameter information is shown in the table below, but is not limited to this.
[0075] In some alternative implementations, embodiments of the present invention assume that user A's identity ID_A is ALICE123@YAHOO.COM, recorded in ASCII encoding:
[0076] ID_A = 414C494345313233405941484F4F2E434F4D, ENTL_A = 0090
[0077] This embodiment of the invention uses the message to be signed, M = 6D65737361676520646967657374, as an example to illustrate the attack process.
[0078]
[0079] In some alternative implementations, as in the attack process shown in Figure 5, this embodiment of the invention performs a brief fault injection on the lowest byte of the original random number k stored in register b, so that all bits of the lowest byte are inverted, yielding k′:
[0080] k′=0x6cb28d99385c175c94f94e934817663fc176d925dd72b727260dbaae1fb2f990
[0081] Step S4013: Obtain the intermediate error value based on the product of the error random number in the second register and the known base point.
[0082] Specifically, in embodiments of the present invention, as in step 4 of the signature algorithm shown in Figure 2, k′ is multiplied by the known base point G to obtain the erroneous intermediate value Q′ = (x′1, y′1):
[0083] x′1=0x57f44ddcea163ebec5ddefec409a1ca761be909a31093e7c5126f057db9fb62e
[0084] y′1=0x4019e431e1bab035d55ff0e87baeb5ba12338c8c0ff3c3267017e4f250e69f1a
[0085] Step S4014: Read the original random number stored in the first register and store it in the third memory.
[0086] Step S4015: Generate an error signature pair according to the preset signature pair calculation formula based on the error intermediate value and the original random number in the third memory.
[0087] Specifically, in embodiments of the present invention, as in steps 5 and 6 of the signature algorithm shown in Figure 2, the original random number in register a is re-read and stored in register c. Then the correct random number k in register c is used to calculate the signature pair (r′, s′):
[0088] r′ = (e + x′1) mod p
[0089] s′ = (1 + d_A)^{-1} · (k − r′·d_A) mod p
[0090] r′=0x29395f31f90593d1cb315811df1ac9ea95836d0902bc21cf89b36620f32c136
[0091] s′=0xdc32981a9ccc4f572f785432fe4396d859b7389f7b601cd51138b96f4d44c3a
[0092] Step S402: Obtain the error signature pair generated after the fault injection at a preset time, and calculate the error intermediate value determined by the error random number based on the error signature pair.
[0093] Specifically, step S402 includes:
[0094] Step S4021: Based on the first formula for calculating the x-coordinate of the signature pair from the x-coordinate of the intermediate value during the SM2 signature process, the second formula for calculating the x-coordinate of the signature pair is derived, and the x-coordinate of the erroneous intermediate value is calculated according to the second formula and the erroneous signature pair.
[0095] Specifically, in embodiments of the present invention, step 5 of the signature algorithm shown in Figure 2 calculates the signature component r from the x-coordinate x1 of the intermediate value by the first formula r = (e + x1) mod p. Reversing this formula yields the second formula, which calculates the x-coordinate x1 from r, as shown below:
[0096] x1 = r + i×p − e, for an integer i
[0097] In some optional embodiments, after obtaining the erroneous signature pair (r′, s′), the present invention substitutes it into the above x-coordinate formula to obtain the x-coordinate x′1 of the erroneous intermediate value Q′, as shown in the following formula:
[0098] x′1 = r′ + i×p − e
[0099] x′1=0x57f44ddcea163ebec5ddefec409a1ca761be909a31093e7c5126f057db9fb62e
[0100] Step S4022: Substitute the x-coordinate of the error intermediate value into the SM2 elliptic curve to obtain the y-coordinate of the error intermediate value.
[0101] Specifically, in this embodiment of the invention, the intermediate value is a point on the SM2 elliptic curve. Therefore, once the x-coordinate x1 is known, it is substituted into the elliptic curve equation to obtain the y-coordinate y1. In this embodiment of the invention, the y-coordinate y′1 is obtained by substituting the x-coordinate x′1, as shown in the following formula:
[0102]
[0103] y′1=0x4019e431e1bab035d55ff0e87baeb5ba12338c8c0ff3c3267017e4f250e69f1a
[0104] Step S403: Perform SM2 verification on the erroneous signature pair and obtain the correct intermediate value determined by the original random number during the SM2 verification process.
[0105] Specifically, step S403 includes:
[0106] Step S4031: According to the third formula, which calculates the preset coordinate point on the SM2 elliptic curve from the erroneous signature pair during SM2 signature verification, the correct intermediate value is obtained; by formula derivation, this correct intermediate value is determined by the original random number.
[0107] Specifically, in this embodiment of the invention, the erroneous signature pair (r′, s′) is used to execute steps 1 to 5 of the verification algorithm shown in Figure 3 to calculate t, as shown in the formula below:
[0108] t = (r′ + s′) mod p
[0109] Then, step 6 of the signature verification algorithm calculates the correct intermediate value Q determined by the original random number k. For the detailed derivation of the formula, see step S103 of the embodiment illustrated in Figure 1, which is not described again here.
[0110] Q = (x1, y1) = [s′]G + [t]P = kG
[0111] x1=0x110fcda57615705d5e7b9324ac4b856d23e6d9188b2ae47759514657ce25d112
[0112] y1=0x1c65d68a4a08601df24b431e0cab4ebe084772b3817e85811a8510b2df7eca1a
[0113] Step S404: Perform a difference calculation on the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number.
[0114] Specifically, step S404 includes:
[0115] Step S4041: Subtract the erroneous intermediate value from the correct intermediate value to obtain the product of the known base point and the difference between the preset number of bytes of the original random number and of the erroneous random number.
[0116] Specifically, in this embodiment of the invention, difference analysis is performed on the erroneous intermediate value Q′ and the correct intermediate value Q obtained in steps S4022, S4023 and S4031, as shown in the following formula:
[0117] Q − Q′ ≡ (k − k′)G ≡ candidate×G = (x2, y2), candidate ∈ [0, 2^8 − 1]
[0118] x2=0x79055db1de7d2a63ebbe3488cb2e8d868d4556a9bc054d17c98f8204f7b4f3fa
[0119] y2=0x74645929f9051330fcd30d46c5b1421d23380fcc908a09f95cec65071a2b2df0
[0120] Step S4042: Obtain the difference between the preset bit-length bytes of the original random number and of the erroneous random number by traversing the candidate values.
[0121] Specifically, in this embodiment of the invention, the difference between the lowest byte of the original random number k and the lowest byte of the erroneous random number k′ is obtained by traversal, i.e. candidate = −33.
[0122] Step S4043: Since the preset bit-length byte of the erroneous random number is the preset bits of the original random number inverted, obtain the sum of the preset bit-length bytes of the original random number and of the erroneous random number.
[0123] Specifically, in this embodiment of the invention, one byte of a random number contains 8 bits, and the lowest byte lsb(k′) of the erroneous random number k′ is the lowest byte of the original random number k with all bits inverted. Each bit of lsb(k′) is therefore the complement of the corresponding bit of lsb(k), so the sum of lsb(k′) and lsb(k) is the sum of 8 complementary bit pairs, i.e. 255.
[0124] Step S4044: Combine the difference of the preset number of bytes and the sum of the preset number of bytes to calculate the preset number of bytes of the original random number.
[0125] Specifically, in this embodiment of the invention, combining the difference between the lowest bytes (candidate) and the sum of the lowest bytes (255) as shown in the following formula gives the lowest byte lsb(k′) = 0x90 of the erroneous random number k′ and the lowest byte lsb(k) = 0x6F of the original random number k.
[0126]
[0127] Step S405: Repeat the steps of injecting a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number, until a preset number of erroneous signature pairs and a preset number of bytes of the original random number are generated, and obtain the SM2 signing private key based on the preset number of erroneous signature pairs and the preset number of bytes of the original random number.
[0128] Specifically, step S405 includes:
[0129] Step S4051: From the fourth formula, which calculates the signature pair from the SM2 signature private key and the original random number during the SM2 signature process, derive the fifth formula, which calculates the SM2 signature private key from the signature pair and the original random number. The nearest vector is obtained from the relationship between the preset number of bytes and all bytes of the original random number together with the fifth formula.
[0130] Specifically, in embodiments of the present invention, step 6 of the signature algorithm shown in Figure 2 calculates the signature component s from the SM2 signature private key d_A and the original random number k (the fourth formula). From it, the fifth formula, which calculates the SM2 signature private key d_A from the erroneous signature pair (r′, s′) and the original random number k, can be derived. The two formulas are shown below:
[0131] s = (1 + d_A)^{-1} · (k − r·d_A) mod p
[0132] d_A = (k − s′) × (s′ + r′)^{-1} mod p
[0133] In some optional implementations, embodiments of the present invention formulate the problem of cracking the signature private key as a hidden number problem based on the fifth formula. The relationship between the recovered low-order bits and the hidden number problem is then established as follows. Let the lower i bits of the original random number k be a, so that k = 2^i·b + a. Substituting into the fifth formula gives:
[0134] d_A = (2^i·b + a − s′) × (s′ + r′)^{-1} mod p
[0135] from which we obtain:
[0136] b ≡ (s′ + r′)·2^{-i}·d_A − (a − s′)·2^{-i} mod p
[0137] Let m = (s′ + r′)·2^{-i} and n = (a − s′)·2^{-i}; then b = m·d_A − n mod p. Since k ∈ [1, p − 1], b ∈ [0, p/2^i], so:
[0138] 0 ≤ |m·d_A − n| ≤ p/2^i
[0139] Furthermore, we obtain:
[0140] |m·d_A − n − p/2^{i+1}| ≤ p/2^{i+1}
[0141] Let h = n·2^{i+1} + p; then:
[0142] |m·d_A − h/2^{i+1}| ≤ p/2^{i+1}
[0143] For the obtained w sets of signature results (r′_j, s′_j), j = 0, ..., w − 1, where r′_j and s′_j are the erroneous signature pair of the j-th set, each signature pair satisfies the following formula:
[0144] |m_j·d_A − h_j/2^{i+1}| ≤ p/2^{i+1}
[0145] In the above formula, m_j = (s′_j + r′_j)·2^{-i} and h_j = n_j·2^{i+1} + p. The vector h = (h_1, h_2, ..., h_w, 0) is determined by a portion of the original random number k and the corresponding erroneous signature pairs. With h_j/2^{i+1} known, the problem of cracking the signature private key is reduced to solving a hidden number problem.
[0146] In some alternative implementations, embodiments of the present invention utilize the closest vector problem to crack the signature private key. From the above |m_j·d_A − h_j/2^{i+1}| ≤ p/2^{i+1}, further derivation shows that there exists an integer c_j such that:
[0147] |2^{i+1}·m_j·d_A − h_j + 2^{i+1}·c_j·p| ≤ p
[0148] Based on the above formula, a lattice L(B) of dimension w + 1 can be constructed:
[0149]
[0150] Let x = (c_1, c_2, ..., c_w, d_A); then y = xB = (2^{i+1}·m_0·d_A + 2^{i+1}·c_1·p, ..., 2^{i+1}·m_{w−1}·d_A + 2^{i+1}·c_w·p, d_A) is a non-zero vector in the lattice L(B), and the vector y contains d_A; therefore y is the hidden vector. Since p, m_j and h_j are all known, from |2^{i+1}·m_j·d_A − h_j + 2^{i+1}·c_j·p| ≤ p we know that:
[0151] ||y − h||_∞ ≤ p
[0152] Therefore, in this embodiment of the invention, the hidden vector y is the lattice vector closest to the vector h, which reduces the problem of cracking the signature private key to solving the closest vector problem.
[0153] Step S4052: Solve the nearest vector using the lattice basis reduction algorithm to obtain the SM2 signature private key.
[0154] Specifically, in this embodiment of the invention, the lattice basis reduction algorithm, a conventional technique in the art, is used to solve for the nearest vector; the specific solution process is not repeated here. In this embodiment of the invention, the lowest byte lsb(k) of the original random number corresponding to each of 50 sets of erroneous signature pairs (r′, s′) is substituted into the following formulas:
[0155] |2^{i+1}·m_j·d_A − h_j + 2^{i+1}·c_j·p| ≤ p
[0156] m_j = (s′_j + r′_j)·2^{-i}
[0157] h_j = n_j·2^{i+1} + p
[0158] Substituting the first set of data gives:
[0159] 2m_0 = 0xf0f2d169f46587fa482f085ce777fdfe5e790916d063afc1d8ca4516726fc930
[0160] h_0 = 0x69bc839af86ac52e02ca19af5fa785021e40394f15195ef2b8c037b9d985e221
[0161] Then, substituting into L(B) gives:
[0162]
[0163] At this point the hidden vector is y = (2^{i+1}·m_0·d_A + 2^{i+1}·c_1·p, ..., 2^{i+1}·m_{w−1}·d_A + 2^{i+1}·c_w·p, d_A) and the target vector is h = (h_1, h_2, ..., h_w, 0). Solving the nearest vector with the lattice basis reduction algorithm yields the signature private key d_A:
[0164] d_A =
[0165] 0x128B2FA8BD433C6C068C8D803DFF79792A519A55171B1B650C23661D15897263
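The verification in step S403 reconstructs [s′]G + [t]P = kG from the faulted pair, so a signer that verifies its own fresh signature before releasing it rejects exactly this pair. The following Python example, added here and not part of the patent, implements SM2 signing and verification with such a verify-before-release check and simulates the fault model of steps S4012 to S4015 (r′ derived from k′, s′ from the original k); it assumes the GB/T 32918.5 recommended curve (the patent's own curve table is not reproduced on this page), and the key, nonce and digest values are constructed.

```python
# Added example (not the patent's code): SM2 sign/verify with a verify-before-
# release check, exercised under the fault model of steps S401 to S403.
# Curve parameters: GB/T 32918.5 recommended 256-bit prime-field curve
# (an assumption; the patent's curve table is not on this page).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
# Order of G; the patent writes this modulus as p in its signature formulas.
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity


def on_curve(pt):
    """Check y^2 = x^3 + ax + b over F_p (the curve equation of [0073])."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law; handles the identity, doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p2 == -p1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add computation of [k]pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def sm2_sign(e, d, k, k_for_r=None):
    """Steps 4 to 6 of SM2 signing: r = (e + x1) mod n, s = (1+d)^-1 (k - r d) mod n.
    k_for_r models the patent's fault: the point feeding r is [k']G for the
    byte-flipped nonce k', while s is still computed with the original k.
    The standard's retry conditions (r = 0, r + k = n) are omitted since k is supplied."""
    x1, _ = scalar_mult(k if k_for_r is None else k_for_r, G)
    r = (e + x1) % N
    s = pow(1 + d, -1, N) * (k - r * d) % N
    return r, s


def sm2_verify(e, pub, r, s):
    """SM2 verification. Returns (ok, Q) where Q = [s]G + [t]P is the point the
    verifier reconstructs (step 6 of the verification algorithm, [0110])."""
    if not (1 <= r < N and 1 <= s < N):
        return False, INF
    t = (r + s) % N
    if t == 0:
        return False, INF
    Q = point_add(scalar_mult(s, G), scalar_mult(t, pub))
    if Q is INF:
        return False, INF
    return (e + Q[0]) % N == r, Q


def flip_lowest_byte(k):
    """Fault model of step S4012: invert all 8 bits of the lowest byte of k."""
    return k ^ 0xFF


def sign_checked(e, d, k, k_for_r=None):
    """Countermeasure: verify the fresh signature with the signer's own public
    key and release it only if verification succeeds; otherwise return None."""
    r, s = sm2_sign(e, d, k, k_for_r)
    ok, _ = sm2_verify(e, scalar_mult(d, G), r, s)
    return (r, s) if ok else None


if __name__ == "__main__":
    # Constructed demo values (hypothetical key, nonce and digest), not the patent's data.
    d = 0x1A2B3C4D5E6F70819293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
    k = 0x5F3A7C1E9B2D4F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8
    e = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0
    pub = scalar_mult(d, G)
    k_faulty = flip_lowest_byte(k)
    ok, Q = sm2_verify(e, pub, *sm2_sign(e, d, k, k_faulty))
    print("faulted pair verifies:", ok, "| verifier recovered [k]G:", Q == scalar_mult(k, G))
    print("released under check:", sign_checked(e, d, k, k_faulty))
```

The verifier's reconstructed point equals [k]G even though the pair fails verification, which is the observation of paragraph [0110] and the reason the release check blocks this fault model.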
[0167] This embodiment provides an attack device targeting the Chinese national cryptographic algorithm SM2. As shown in Figure 6, it includes:
[0168] The fault injection module 601 is used to inject a fault into the preset number of bytes of the generated original random number during the SM2 signing process at a preset time to generate an erroneous random number.
[0169] The first calculation module 602 is used to obtain the error signature pair generated after the fault injection at a preset time, and calculate the error intermediate value determined by the error random number based on the error signature pair;
[0170] The second calculation module 603 is used to perform SM2 verification on erroneous signature pairs and obtain the correct intermediate value determined by the original random number during the SM2 verification process.
[0171] The third calculation module 604 is used to perform differential calculation on the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number;
[0172] The private key derivation module 605 is used to repeat the step of injecting a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number, until a preset number of erroneous signature pairs and the preset number of bytes of the original random number are generated, and to obtain the SM2 signing private key based on the preset number of erroneous signature pairs and the preset number of bytes of the original random number.
[0173] In some alternative implementations, the fault injection module 601 includes:
[0174] The error random number generation unit is used to read the original random number stored in the first register and store it in the second register; and to invert the preset bits of the preset number of bytes of the original random number in the second register to generate an error random number.
[0175] The error signature pair generation unit is used to obtain an error intermediate value based on the product of the error random number in the second register and the known base point; read the original random number stored in the first register and store it in the third memory; and generate an error signature pair according to the preset signature pair calculation formula based on the error intermediate value and the original random number in the third memory.
[0176] In some alternative implementations, the first computing module 602 includes:
[0177] The x-coordinate calculation unit is used to derive, from the first formula which calculates the signature pair from the x-coordinate of the intermediate value in the SM2 signing process, the second formula for calculating the x-coordinate of the intermediate value from the signature pair, and to calculate the x-coordinate of the erroneous intermediate value based on the second formula and the erroneous signature pair.
[0178] The ordinate calculation unit is used to input the x-coordinate of the erroneous intermediate value into the SM2 elliptic curve to obtain the ordinate of the erroneous intermediate value.
[0179] In some alternative implementations, the second computing module 603 includes:
[0180] The correct intermediate value calculation unit is used to obtain the correct intermediate value based on the third formula for calculating the preset coordinate points on the SM2 elliptic curve from the erroneous signatures during the SM2 verification process. The correct intermediate value is determined by the original random number through formula derivation.
[0181] In some alternative implementations, the third computing module 604 includes:
[0182] The difference unit is used to subtract the erroneous intermediate value from the correct intermediate value to obtain the product of the difference in preset number of bytes between the original random number and the erroneous random number and the known base point.
[0183] The byte difference calculation unit is used to obtain the difference in bytes between the original random number and the erroneous random number by traversing the data.
[0184] The byte summation unit is used to obtain the sum of the preset bit-length bytes of the original random number and of the erroneous random number, based on the preset bit-length byte of the erroneous random number being the preset bits of the preset bit-length byte of the original random number inverted.
[0185] The byte calculation unit is used to combine the difference of the preset number of bytes and the sum of the preset number of bytes to calculate the preset number of bytes of the original random number.
[0186] In some alternative implementations, the private key derivation module 605 includes:
[0187] The nearest vector acquisition unit is used to calculate the nearest vector based on the fourth formula for calculating the signature pair from the SM2 signature private key and the original random number during the SM2 signature process, and the fifth formula for calculating the SM2 signature private key from the signature pair and the original random number. The calculation is performed according to the relationship between the preset number of bytes and all bytes of the original random number and the fifth formula.
[0188] The signature private key cracking unit is used to solve the nearest vector using the lattice basis reduction algorithm to obtain the SM2 signature private key.
[0189] Further functional descriptions of the above modules and units are the same as those in the corresponding embodiments described above, and will not be repeated here.
[0190] In this embodiment, the attack device targeting the SM2 cryptographic algorithm is presented in the form of a functional unit. Here, a unit refers to an FPGA (Field Programmable Gate Array) circuit, a processor and memory that execute one or more software or fixed programs, and / or other devices that can provide the above functions.
[0191] This invention also provides a computer device which has the attack device targeting the Chinese national cryptographic algorithm SM2 shown in Figure 6 described above.
[0192] Please see Figure 7, which is a schematic structural diagram of a computer device provided in an optional embodiment of the present invention. As shown in Figure 7, the computer device includes one or more processors 10, memory 20, and interfaces for connecting the components, including high-speed interfaces and low-speed interfaces. The components communicate with each other via different buses and can be mounted on a common motherboard or otherwise installed as needed. The processors can process instructions executed within the computer device, including instructions stored in or on memory to display graphical information of a GUI on external input / output devices (such as display devices coupled to the interfaces). In some alternative implementations, multiple processors and / or multiple buses can be used together with multiple memories, if desired. Similarly, multiple computer devices can be connected, each providing some of the necessary operations (e.g., as a server array, a group of blade servers, or a multiprocessor system). Figure 7 takes one processor 10 as an example.
[0193] Processor 10 may be a central processing unit, a network processor, or a combination thereof. Processor 10 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The programmable logic device may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
[0194] The memory 20 stores instructions executable by at least one processor 10 to cause at least one processor 10 to perform the method shown in the above embodiments.
[0195] The memory 20 may include a program storage area and a data storage area. The program storage area may store the operating system and applications required for at least one function; the data storage area may store data created based on the use of the computer device. Furthermore, the memory 20 may include high-speed random access memory and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, the memory 20 may optionally include memory remotely located relative to the processor 10, and these remote memories may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
[0196] The memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk or solid-state drive; the memory 20 may also include a combination of the above types of memory.
[0197] The computer device also includes a communication interface 30 for communicating with other devices or communication networks.
[0198] This invention also provides a computer-readable storage medium. The methods described above according to embodiments of the invention can be implemented in hardware or firmware, or implemented as computer code that can be recorded on a storage medium, or implemented as computer code downloaded via a network and originally stored on a remote storage medium or a non-transitory machine-readable storage medium and then stored on a local storage medium. Thus, the methods described herein can be processed by software stored on a storage medium using a general-purpose computer, a dedicated processor, or programmable or dedicated hardware. The storage medium can be a magnetic disk, optical disk, read-only memory, random access memory, flash memory, hard disk, or solid-state drive, etc.; further, the storage medium can also include combinations of the above types of memory. It is understood that computers, processors, microprocessor controllers, or programmable hardware include storage components capable of storing or receiving software or computer code, which, when accessed and executed by the computer, processor, or hardware, implements the methods shown in the above embodiments.
[0199] Although embodiments of the invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations all fall within the scope defined by the appended claims.
Claims
1. An attack method targeting the Chinese national cryptographic algorithm SM2, characterized in that it comprises:
during the SM2 signature process, performing a preset time fault injection on the preset number of bytes of the generated original random number to generate an erroneous random number;
obtaining the erroneous signature pair generated after the preset time fault injection, and calculating the erroneous intermediate value determined by the erroneous random number based on the erroneous signature pair;
performing SM2 verification on the erroneous signature pair and obtaining the correct intermediate value determined by the original random number during the SM2 verification process;
performing a difference calculation between the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number;
repeating the step of injecting a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number, until a preset number of the erroneous signature pairs and the preset number of bytes of the original random number are generated, and obtaining the SM2 signing private key based on the preset number of the erroneous signature pairs and the preset number of bytes of the original random number.
2. The method according to claim 1, characterized in that injecting a preset time fault into the preset number of bytes of the generated original random number to generate an erroneous random number comprises:
reading the original random number stored in the first register and storing it in the second register;
inverting the preset bits of the preset number of bytes of the original random number in the second register to generate the erroneous random number.
3. The method according to claim 2, characterized in that, after generating the erroneous random number, the method further comprises:
obtaining the erroneous intermediate value by multiplying the erroneous random number in the second register with the known base point;
reading the original random number stored in the first register and storing it in the third memory;
generating the erroneous signature pair according to a preset signature pair calculation formula based on the erroneous intermediate value and the original random number in the third memory.
4. The method according to claim 1, characterized in that calculating the erroneous intermediate value determined by the erroneous random number based on the erroneous signature pair comprises:
based on the first formula for calculating the signature pair from the x-coordinate of the intermediate value during the SM2 signature process, deriving the second formula for calculating the x-coordinate from the signature pair, and calculating the x-coordinate of the erroneous intermediate value according to the second formula and the erroneous signature pair;
substituting the x-coordinate of the erroneous intermediate value into the SM2 elliptic curve to obtain the y-coordinate of the erroneous intermediate value.
5. The method according to claim 1, characterized in that obtaining the correct intermediate value determined by the original random number during the SM2 signature verification process comprises:
obtaining the correct intermediate value according to the third formula for calculating the preset coordinate point on the SM2 elliptic curve from the erroneous signature pair during the SM2 signature verification process, the correct intermediate value being determined by the original random number as established by formula derivation.
6. The method according to claim 4 or 5, characterized in that performing a difference calculation between the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number comprises:
subtracting the erroneous intermediate value from the correct intermediate value to obtain the product of the known base point and the difference between the preset number of bytes of the original random number and of the erroneous random number;
obtaining the difference between the preset number of bytes of the original random number and of the erroneous random number by traversal;
based on the preset number of bytes of the erroneous random number being the preset bits of the preset number of bytes of the original random number inverted, obtaining the sum of the preset number of bytes of the original random number and of the erroneous random number;
calculating the preset number of bytes of the original random number by combining the difference of the preset number of bytes and the sum of the preset number of bytes.
7. The method according to claim 1, characterized in that obtaining the SM2 signature private key based on the preset number of erroneous signature pairs and the preset number of bytes of the original random number comprises:
based on the fourth formula for calculating the signature pair from the SM2 signature private key and the original random number during the SM2 signature process, deriving the fifth formula for calculating the SM2 signature private key from the signature pair and the original random number, and obtaining the nearest vector from the relationship between the preset number of bytes and all bytes of the original random number together with the fifth formula;
solving the nearest vector using the lattice basis reduction algorithm to obtain the SM2 signature private key.
8. An attack device targeting the Chinese national cryptographic algorithm SM2, characterized in that the device comprises:
a fault injection module, used to inject a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number;
a first calculation module, used to obtain the erroneous signature pair generated after the preset time fault injection, and to calculate the erroneous intermediate value determined by the erroneous random number based on the erroneous signature pair;
a second calculation module, used to perform SM2 verification on the erroneous signature pair and obtain the correct intermediate value determined by the original random number during the SM2 verification process;
a third calculation module, used to perform a difference calculation between the erroneous intermediate value and the correct intermediate value to obtain the preset number of bytes of the original random number;
a private key derivation module, used to repeat the step of injecting a preset time fault into the preset number of bytes of the generated original random number during the SM2 signing process to generate an erroneous random number, until a preset number of the erroneous signature pairs and the preset number of bytes of the original random number are generated, and to obtain the SM2 signing private key based on the preset number of the erroneous signature pairs and the preset number of bytes of the original random number.
9. A computer device, characterized in that it comprises: a memory and a processor communicatively connected to each other, the memory storing computer instructions, and the processor executing the computer instructions to perform the attack method targeting the SM2 cryptographic algorithm according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions for causing a computer to execute the attack method targeting the SM2 cryptographic algorithm according to any one of claims 1 to 7.