Abstract
The SM2 digital signature scheme, part of the Chinese public key cryptosystem standard SM2 issued by the Chinese State Cryptography Administration, is based on the elliptic curve discrete logarithm problem. Since SM2 was made public, very few cryptanalytic results have appeared in the literature. In this paper, we discuss the partially known nonces attack against SM2. In our experiments, the private key can be recovered from 100 signatures with 3 known bits of each nonce for 256-bit SM2. We also provide a byte-fault attack on SM2 in which a random byte fault is injected into the secret key during the signing process.
Notes
1. An informal English translation can be found in [36].
2. In the rest of the paper, when we say SM2, we refer to the SM2 digital signature algorithm.
References
Bao, F., Deng, R.H., Han, Y., Jeng, A.B., Narasimhalu, A.D., Ngair, T.H.: Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults. In: Christianson, B., Lomas, M., Crispo, B., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 115–124. Springer, Heidelberg (1998)
Berzati, A., Canovas-Dumas, C., Goubin, L.: Secret key leakage from public key perturbation of DLP-based cryptosystems. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 233–247. Springer, Heidelberg (2012)
Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)
Bleichenbacher, D.: On the generation of one-time keys in DL signature schemes. Presentation at IEEE P1363 Working Group meeting (2000)
Bleichenbacher, D.: On the generation of DSA one-time keys. Presentation at Cryptography Research Inc. (2007)
Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.-P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006)
Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)
Boneh, D., Venkatesan, R.: Rounding in lattices and its cryptographic applications. In: Saks, M.E. (ed.) SODA 1997, pp. 675–681. ACM/SIAM (1997)
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976)
Dottax, E.: Fault attacks on NESSIE signature and identification schemes. Technical report, NESSIE (2002)
Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Dwork, C. (ed.) STOC 2008, pp. 207–216. ACM (2008)
Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)
Giraud, C., Knudsen, E.W.: Fault attacks on signature schemes. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 478–491. Springer, Heidelberg (2004)
Giraud, C., Knudsen, E.W., Tunstall, M.: Improved fault analysis of signature schemes. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 164–181. Springer, Heidelberg (2010)
Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001)
Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Johnson, D.S., Fagin, R., Fredman, M.L., Harel, D., Karp, R.M., Lynch, N.A., Papadimitriou, C.H., Rivest, R.L., Ruzzo, W.L., Seiferas, J.I. (eds.) STOC 1983, pp. 193–206. ACM (1983)
Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
De Mulder, E., Hutter, M., Marson, M.E., Pearson, P.: Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 435–452. Springer, Heidelberg (2013)
Naccache, D., Nguyên, P.Q., Tunstall, M., Whelan, C.: Experimenting with faults, lattices and the DSA. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 16–28. Springer, Heidelberg (2005)
National Institute of Standards and Technology (NIST): FIPS Publication 186-3: Digital Signature Standard (2009)
Nguyen, P.Q., Shparlinski, I.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptology 15(3), 151–176 (2002)
Nguyen, P.Q., Shparlinski, I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003)
Nikodem, M.: DSA signature scheme immune to the fault cryptanalysis. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 61–73. Springer, Heidelberg (2008)
Office of State Commercial Cryptography Administration: Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves (in Chinese). http://www.oscca.gov.cn/UpFile/2010122214822692.pdf
Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull 15, 37–44 (1981)
Rosa, T.: Lattice-based fault attacks on DSA - another possible strategy. In: Proceedings of the Conference Security and Protection of Information, vol. 2005, pp. 91–96 (2005)
Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–191 (1994)
Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
Shen, S., Lee, X.: SM2 Digital Signature Algorithm draft-shen-sm2-ecdsa-01. http://tools.ietf.org/pdf/draft-shen-sm2-ecdsa-01.pdf
Shoup, V.: Number Theory C++ Library (NTL) version 5.5.2. http://www.shoup.net/ntl/
Xu, J., Feng, D.: Comments on the SM2 key exchange protocol. In: Lin, D., Tsudik, G., Wang, X. (eds.) CANS 2011. LNCS, vol. 7092, pp. 160–171. Springer, Heidelberg (2011)
Acknowledgement
We thank the anonymous referees for their careful reading and constructive comments.
This work is supported by China Postdoctoral Science Foundation (No. 2013M540786), China’s 973 Program (No. 2013CB834201) and National Natural Science Foundation of China (No. 61202493).
A Background About Elliptic Curves
The elliptic curve is defined as \(\mathbb {E}(\mathbb {F}_p)=\{P=(x,y)\mid y^2=x^3+ax+b \mod p,\ x,y\in \mathbb {F}_p\}\cup \{\mathcal {O}\}\), where \(\mathcal {O}\) is an extra point at infinity.
This set of points forms a group under an operation denoted “+”. This addition is defined as follows:
- \(\mathcal {O} +\mathcal {O}=\mathcal {O}\)
- \(\forall P=(x,y)\in \mathbb {E}(\mathbb {F}_p)\backslash \{\mathcal {O}\}\), \(P+\mathcal {O}=\mathcal {O}+P=P\)
- \(\forall P=(x,y)\in \mathbb {E}(\mathbb {F}_p)\backslash \{\mathcal {O}\}\), the inverse of \(P\) is \(-P=(x,-y)\), and \(P+(-P)=\mathcal {O}\)
- \(\forall P_1=(x_1,y_1)\in \mathbb {E}(\mathbb {F}_p)\backslash \{\mathcal {O}\}\), \(\forall P_2=(x_2,y_2)\in \mathbb {E}(\mathbb {F}_p)\backslash \{\mathcal {O}\}\), \(x_1\ne x_2\), let \(P_3=P_1+P_2=(x_3,y_3)\), then
  $$ \begin{cases} x_3=\lambda ^2-x_1-x_2 \\ y_3=\lambda (x_1-x_3)-y_1 \end{cases} $$
  where \(\lambda =\frac{y_2-y_1}{x_2-x_1}\)
- \(\forall P_1=(x_1,y_1)\in \mathbb {E}(\mathbb {F}_p)\backslash \{\mathcal {O}\}\), \(y_1\ne 0\), let \(P_3=P_1+P_1=(x_3,y_3)\), then
  $$ \begin{cases} x_3=\lambda ^2-2x_1 \\ y_3=\lambda (x_1-x_3)-y_1 \end{cases} $$
  where \(\lambda =\frac{3x_1^2+a}{2y_1}\)
Elliptic curve discrete logarithm problem. Given \(P\in \mathbb {E}(\mathbb {F}_p)\) and an integer \(m\), there are many efficient scalar multiplication algorithms to compute \(mP\). However, it is widely believed that given \(P\) and \(mP\), computing \(m\) is hard when the point \(P\) has a large prime order. This problem is called elliptic curve discrete logarithm problem (ECDLP).
It is well known that the number of rational points in \(\mathbb {E}(\mathbb {F}_p)\) is in the interval \([p+1-2\sqrt{p},p+1+2\sqrt{p}]\). Therefore, for a curve over \(\mathbb {F}_p\), it is easy to find a subgroup with order \(n\) which is a large prime and slightly smaller than \(p\). Solving ECDLP in this subgroup is expensive.
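As an added worked example (not code from the paper or from the SM2 standard), the affine group law above implemented in Python and exercised on a constructed toy curve: \(p=97\), \(a=2\), \(b=3\), base point \(G=(3,6)\), all of which are assumptions chosen so that the arithmetic can be checked by hand. The point at infinity \(\mathcal {O}\) is represented by `None`. Besides the two addition formulas, the block implements double-and-add scalar multiplication (the easy direction of ECDLP), a brute-force point count to check the Hasse interval \([p+1-2\sqrt{p},p+1+2\sqrt{p}]\), and an exhaustive ECDLP solver that is only feasible because the toy group is tiny.

```python
# Added example: affine elliptic-curve group law over F_p, following the
# formulas in Appendix A. The parameters below are a constructed toy instance
# (NOT the SM2 curve): p = 97, a = 2, b = 3, base point G = (3, 6).
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None plays the role of the point at infinity O

P_MOD, A, B = 97, 2, 3   # constructed; 4a^3 + 27b^2 = 275 = 81 mod 97 != 0, so the curve is smooth
G: Point = (3, 6)        # constructed base point: 6^2 = 36 = 3^3 + 2*3 + 3 mod 97


def is_on_curve(pt: Point) -> bool:
    """Check y^2 = x^3 + ax + b (mod p); O is on the curve by definition."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt: Point) -> Point:
    """The inverse -P = (x, -y)."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p1: Point, p2: Point) -> Point:
    """Group operation '+', case by case as in the appendix."""
    if p1 is None:                      # O + P = P (also covers O + O = O)
        return p2
    if p2 is None:                      # P + O = P
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                     # P + (-P) = O; also doubling when y1 = 0
    if x1 != x2:                        # general addition: lambda = (y2 - y1) / (x2 - x1)
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    else:                               # doubling: lambda = (3 x1^2 + a) / (2 y1)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD  # for doubling x1 == x2, so this is lambda^2 - 2 x1
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(m: int, pt: Point) -> Point:
    """Double-and-add: computing mP costs O(log m) group operations."""
    result: Point = None
    addend = pt
    while m > 0:
        if m & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        m >>= 1
    return result


def point_order(pt: Point) -> int:
    """Smallest n >= 1 with nP = O (fine on a toy curve, hopeless at 256 bits)."""
    n, q = 1, pt
    while q is not None:
        q = add(q, pt)
        n += 1
    return n


def count_points() -> int:
    """Brute-force #E(F_p), including the point at infinity."""
    count = 1
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        for y in range(P_MOD):
            if (y * y) % P_MOD == rhs:
                count += 1
    return count


def hasse_bound_holds(n_points: int) -> bool:
    """|#E - (p + 1)| <= 2 sqrt(p), compared via squares to stay in integers."""
    return (n_points - (P_MOD + 1)) ** 2 <= 4 * P_MOD


def brute_force_ecdlp(pt: Point, target: Point) -> Optional[int]:
    """Exhaustive search for m with mP = target; linear in the order of P.
    This is the 'hard direction' of ECDLP and only works because the toy
    group is tiny; on SM2's 256-bit curve the loop would never finish."""
    q: Point = None
    for m in range(point_order(pt)):
        if q == target:
            return m
        q = add(q, pt)
    return None


if __name__ == "__main__":
    print("2G =", add(G, G), "order(G) =", point_order(G), "#E =", count_points())
```

Running the block prints \(2G=(80,10)\), which can be verified by hand from the doubling formula: \(\lambda = 29\cdot 12^{-1} = 29\cdot 89 \equiv 59 \pmod{97}\). The point count lands inside the Hasse interval, and the order of \(G\) divides it, as Lagrange's theorem requires.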
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Liu, M., Chen, J., Li, H. (2014). Partially Known Nonces and Fault Injection Attacks on SM2 Signature Algorithm. In: Lin, D., Xu, S., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2013. Lecture Notes in Computer Science, vol 8567. Springer, Cham. https://doi.org/10.1007/978-3-319-12087-4_22
DOI: https://doi.org/10.1007/978-3-319-12087-4_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12086-7
Online ISBN: 978-3-319-12087-4