Persistent Fault Analysis Against SM4 Implementations in Libraries Crypto++ and GMSSL
Compared to the injection of a transient fault, time synchronization and accuracy are not required for the injection process of a persistent fault. However, the known persistent fault analyses (PFAs) do not work on SM4 implementations because the linear transformation la...
Main Authors: | , , , |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2021-01-01 |
Series: | IEEE Access |
Subjects: | |
Online Access: | https://ieeexplore.ieee.org/document/9410242/ |
id |
doaj-af35db98823a4414a743cecf07f8b981 |
---|---|
record_format |
Article |
spelling |
doaj-af35db98823a4414a743cecf07f8b981; 2021-05-27T23:00:58Z; eng; IEEE; IEEE Access; 2169-3536; 2021-01-01; 9; 63636; 63645; 10.1109/ACCESS.2021.3074708; 9410242
Persistent Fault Analysis Against SM4 Implementations in Libraries Crypto++ and GMSSL
Qing Guo (0), https://orcid.org/0000-0001-8261-8127, School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
Zhenhan Ke (1), https://orcid.org/0000-0002-8929-9779, School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
Siyuan Wang (2), https://orcid.org/0000-0002-4971-0236, School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
Shihui Zheng (3), https://orcid.org/0000-0001-6360-5777, School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China
Compared to the injection of a transient fault, time synchronization and accuracy are not required for the injection process of a persistent fault. However, the known persistent fault analyses (PFAs) do not work on SM4 implementations because the linear transformation layer hides the position where an error occurs during the encryption process. We present the first persistent fault analysis against SM4 implemented with an S-box by combining the inverse linear transformation with differential techniques. In addition, we propose a locating algorithm to figure out not only where an error occurs during the encryption process but also where a fault is inserted in the lookup table. Consequently, the locating algorithm helps break SM4 implemented with a T-table. We validate our PFA on two open-source implementations of SM4 – Crypto++(v8.3) and GMSSL(v1.0.0). The experiments are performed on a PC and the analysis codes are written in C language. The experimental data shows that the probability of successfully recovering the encryption key approximates 1 when the number of normal-and-faulty-ciphertext pairs is 3000 on average. Namely, PFA can break the encryption system of SM4 in practice once valid faults are inserted. Finally, we apply the attack to protected SM4 implementations and prove that the E-and-D mode of the dual modular temporal redundancy (DMTR) can defeat our PFA.
https://ieeexplore.ieee.org/document/9410242/
SM4; persistent fault analysis; fault attack; Crypto++; GMSSL |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Qing Guo Zhenhan Ke Siyuan Wang Shihui Zheng |
author_sort |
Qing Guo |
title |
Persistent Fault Analysis Against SM4 Implementations in Libraries Crypto++ and GMSSL |
publisher |
IEEE |
series |
IEEE Access |
issn |
2169-3536 |
publishDate |
2021-01-01 |
topic |
SM4 persistent fault analysis fault attack Crypto++ GMSSL |
url |
https://ieeexplore.ieee.org/document/9410242/ |