CN112332970A - Side channel analysis method, device, medium and equipment for attacking SM9 signature algorithm - Google Patents


Info

Publication number: CN112332970A
Authority: CN (China)
Prior art keywords: side channel, operand, channel characteristics, algorithm, power exponent
Legal status: Pending
Application number: CN201910717925.0A
Other languages: Chinese (zh)
Inventors: 单伟君, 郭丽敏, 雷婉, 姜焜, 王立辉, 李清, 俞军
Current assignee: Shanghai Fudan Microelectronics Group Co Ltd
Original assignee: Shanghai Fudan Microelectronics Group Co Ltd
Application filed by Shanghai Fudan Microelectronics Group Co Ltd; priority to CN201910717925.0A; publication of CN112332970A; legal status pending.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/002: Countermeasures against attacks on cryptographic mechanisms

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Complex Calculations

Abstract

A side channel analysis method, device, medium and equipment for attacking the SM9 signature algorithm. The side channel analysis method for attacking the SM9 signature algorithm includes: obtaining the value of the power exponent by analyzing the large-number modular multiplication algorithm and performing an operation on each bit of the power exponent in the SM9 signature algorithm power calculation, and obtaining the user signature private key based on the value of the power exponent and the SM9 signature algorithm. The technical scheme of the invention is beneficial for protecting the SM9 signature against side channel attack.

Description

Side channel analysis method, device, medium and equipment for attacking SM9 signature algorithm
Technical Field
The invention relates to the technical field of data encryption, in particular to a side channel analysis method, a side channel analysis device, a side channel analysis storage medium and side channel analysis equipment for attacking an SM9 signature algorithm.
Background
The SM9 identity-based cryptographic algorithm is an identity-based cryptosystem (IBC for short) built on bilinear pairings, and is a standard public key cryptographic algorithm of the commercial cryptography industry in China (standard name GM/T 0044-2016 SM9).
Part 2 of the SM9 identity-based cryptographic algorithm describes the digital signature generation algorithm (hereinafter algorithm one). In algorithm one, the inputs are the message M to be signed, the signature master public key P_pub-s and the user signature private key d_SA; the output is the digital signature (h, S). The calculation procedure is as follows.
A1: compute the element g = e(P1, P_pub-s) of the group G_T;
A2: generate a random number r ∈ [1, N-1];
A3: compute the element w = g^r of the group G_T;
A4: compute the integer h = H2(M || w, N);
A5: compute the integer l = (r - h) mod N, and if l = 0 return to A2;
A6: compute the element S = [l]d_SA of the group G1;
A7: the signature of the message M is (h, S).
In 1999, Kocher et al. proposed the idea of Side Channel Attack (SCA). Even if an algorithm can be proven secure in mathematical theory, its implementation is still exposed to side channel attack. A side channel attack recovers sensitive information in the algorithm (such as a secret key) by analyzing the side channel information (time, power consumption, electromagnetic emission, heat, light and the like) generated while the algorithm runs.
Document one (Qi Z, An W, Yongchuan N, et al. Side-Channel Attacks and Countermeasures for Identity-Based Cryptographic Algorithm SM9 [J]. Security and Communication Networks, 2018, 2018:1-14) describes a side channel attack implemented on SM9 signatures. Specifically, this side channel attack targets the point multiplication S = [l]d_SA at step A6 of the SM9 signature with a template attack (see document two, Chari, Suresh, J. R. Rao and P. Rohatgi, "Template Attacks", International Workshop on Cryptographic Hardware & Embedded Systems, 2002), using the elliptic curve point doubling formula, part of which is as follows:
[point doubling formula given as an image in the source; omitted here]
In the above formula, x and y are the abscissa and the ordinate of d_SA. The method in document two uses this formula to calculate x^2, carries out a template attack on the side channel information generated by that calculation to obtain the value of x, and substitutes x into the SM9 elliptic curve equation to compute the corresponding value of y. The sign of y can be settled by substituting each candidate into the signature flow of a known message and checking the result against its signature.
However, the side channel attack method adopted by the first and second prior art documents has the following defects: on one hand, if coordinate randomization protection is added to the point multiplication calculation, the attack cannot succeed; on the other hand, a template attack first requires acquiring a device identical or similar to the attack target and collecting many curves to build the templates, which makes the attack difficult to carry out.
Disclosure of Invention
The technical problem solved by the invention is how to overcome coordinate randomization protection and the difficulty of having to collect many curves before an attack can be carried out.
In order to solve the above technical problem, an embodiment of the present invention provides a side channel analysis method for attacking an SM9 signature algorithm, including: obtaining the value of the power exponent by analyzing the large-number modular multiplication algorithm and performing the following operations for each bit of the power exponent in the SM9 signature algorithm power calculation: extracting side channel characteristics of the sequence used by the large-number modular multiplication algorithm to obtain a first modular multiplication side channel characteristic and a second modular multiplication side channel characteristic corresponding to one bit of the power exponent, where the first modular multiplication side channel characteristic comprises a first operand and a second operand and the second modular multiplication side channel characteristic comprises a third operand and a fourth operand; calculating the side channel characteristics of the first operand and of the second operand in the first modular multiplication side channel characteristic, and the side channel characteristics of the third operand and of the fourth operand in the second modular multiplication side channel characteristic; calculating a first discrimination value between the side channel characteristics of the first operand and of the third operand, and a second discrimination value between the side channel characteristics of the second operand and of the fourth operand; when the first discrimination value is less than the second discrimination value, the power exponent bit is 0, and when the first discrimination value is greater than the second discrimination value, the power exponent bit is 1; and obtaining the user signature private key based on the value of the power exponent and the SM9 signature algorithm.
Optionally, the large-number modular multiplication algorithm is SOS, CIOS, FIOS, FIPS or CIHS.
Optionally, the sequence used by the large-number multiplication algorithm is a left-to-right binary algorithm sequence or a Lucas sequence.
Optionally, the first discrimination value and the second discrimination value are calculated by the Euclidean distance formula, the Manhattan distance formula, the Chebyshev distance formula or the correlation coefficient formula.
Optionally, obtaining the user signature private key based on the value of the power exponent and the SM9 signature algorithm includes obtaining the user signature private key based on the value of the power exponent and the following equations,
w = g^r, h = H2(M || w, N), l = (r - h) mod N, S = [l]d_SA,
wherein w and g are elements of the group G_T, r is the power exponent, H2() is a cryptographic function derived from a cryptographic hash function, M is the message to be signed, N is the order of the group G_T, h and l are integers, and d_SA is the user signature private key.
The embodiment of the invention also discloses a side channel analysis device for attacking the SM9 signature algorithm, which comprises: a power exponent obtaining module adapted to obtain the value of the power exponent by analyzing the large-number modular multiplication algorithm and performing the following operations for each bit of the power exponent in the SM9 signature algorithm power calculation: extracting side channel characteristics of the sequence used by the large-number modular multiplication algorithm to obtain a first modular multiplication side channel characteristic and a second modular multiplication side channel characteristic corresponding to one bit of the power exponent, where the first modular multiplication side channel characteristic comprises a first operand and a second operand and the second modular multiplication side channel characteristic comprises a third operand and a fourth operand; calculating the side channel characteristics of the first operand and of the second operand in the first modular multiplication side channel characteristic, and the side channel characteristics of the third operand and of the fourth operand in the second modular multiplication side channel characteristic; calculating a first discrimination value between the side channel characteristics of the first operand and of the third operand, and a second discrimination value between the side channel characteristics of the second operand and of the fourth operand; when the first discrimination value is less than the second discrimination value, the power exponent bit is 0, and when the first discrimination value is greater than the second discrimination value, the power exponent bit is 1; and a user signature private key obtaining module adapted to obtain the user signature private key based on the value of the power exponent and the SM9 signature algorithm.
Optionally, the large-number modular multiplication algorithm is SOS, CIOS, FIOS, FIPS or CIHS.
Optionally, the user signature private key obtaining module includes a module for obtaining the user signature private key based on the value of the power exponent and the following equations,
w = g^r, h = H2(M || w, N), l = (r - h) mod N, S = [l]d_SA,
wherein w and g are elements of the group G_T, r is the power exponent, H2() is a cryptographic function derived from a cryptographic hash function, M is the message to be signed, N is the order of the group G_T, h and l are integers, and d_SA is the user signature private key.
The embodiment of the invention also discloses a storage medium on which computer instructions are stored; when run, the computer instructions execute the steps of the above side channel analysis method for attacking the SM9 signature algorithm.
The embodiment of the invention also discloses equipment comprising a memory and a processor, the memory storing computer instructions capable of running on the processor; when running the computer instructions, the processor executes the steps of the above side channel analysis method for attacking the SM9 signature algorithm.
The technical scheme of the invention targets the modular exponentiation w = g^r in step A3 of the SM9 signature flow and provides a means of attacking the power exponent r, which is beneficial for protecting the SM9 signature against side channel attack.
Drawings
Fig. 1 is a flowchart of a side channel analysis method for attacking the SM9 signature algorithm according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a side channel analysis device for attacking the SM9 signature algorithm according to an embodiment of the present invention.
Detailed Description
For side channel attacks on the SM9 signature, the attack target in the prior art is the point multiplication at step A6 of the SM9 signature flow, but this kind of side channel attack can be defeated simply by adding coordinate randomization to the point multiplication calculation; moreover, the template attack of the prior art first requires acquiring a device identical or similar to the attack target and collecting many curves to build the templates, so this kind of side channel attack is difficult to carry out.
In contrast, the present invention focuses on the modular exponentiation w = g^r (also called the power calculation) in step A3 of the SM9 signature flow, and takes the power exponent r as the side channel attack target. The prior art does not consider attacking the power exponent r in step A3; therefore the approach of attacking the power exponent r proposed by the present invention is beneficial for protecting the SM9 signature against side channel attack.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
In an embodiment of the present invention, one of several sequences may be used to compute the element w = g^r of the group G_T in step A3 of the SM9 signature flow; these sequences include, but are not limited to, the left-to-right binary algorithm sequence and the Lucas sequence.
In one embodiment, w = g^r is calculated using the left-to-right binary algorithm sequence (algorithm two, below). In algorithm two, the inputs are the element g of the group G_T (the source gives its field as a formula image, omitted here) and the power exponent k = (k_{l-1}, k_{l-2}, ..., k_1, k_0)_2; the output is f (i.e., g^k). The calculation procedure is as follows.
1. f = g
2. for i from l-2 down to 0 do
2.1   f = f^2
2.2   if k_i = 1 then f = f·g
3. return f
In another embodiment, the Lucas sequence is used to calculate w = g^r (algorithm three, below). In algorithm three, the inputs are the element g of the group G_T (its field is given as a formula image in the source, omitted here) and the power exponent r = (r_{n-1}, ..., r_1, r_0)_2, where n is the bit length of r; the output is w. The calculation procedure is as follows, where g1 and g2 are the components of g (their definition is a formula image in the source, omitted here), α, P, f1 and f2 are intermediate variables, r_i is the i-th bit of the power exponent, and v0 and v1 are the first operand and the second operand, respectively.
1. g can be represented as [formula image in the source, omitted]
2. P = 2·g2, v0 = 2, v1 = P
3. for i = n-1 down to 0 do
4.   if r_i == 1 then
5.     [update of v0 and v1 for r_i = 1; formula image in the source, omitted]
6.   else if r_i == 0 then
7.     [update of v0 and v1 for r_i = 0; formula image in the source, omitted]
8.   end if
9. end for
10. f2 = v1·2^{-1}, f1 = (P·v1 - 2·v0)·(P^2 - 4)^{-1}·g1
11. return w = f1·α + f2
The inventor of the present application has found that in steps 4 to 7 of algorithm three, when the power exponent r_i of the current bit is 1, v0·v1 and v1·v1 are calculated, and the second operands of these two operations are the same (both are v1); when the power exponent r_i of the current bit is 0, v0·v1 and v0·v0 are calculated, and the first operands of these two operations are the same (both are v0). Here v0·v1, v1·v1 and v0·v0 are all multiplications in the extension field in which G_T lies (the source gives the field as a formula image, omitted here), and all of them can eventually be expanded into operations over F_q. The multiplication in that extension field can be expanded into F_q in different ways; in one embodiment it is first expanded into an intermediate extension field (formula image in the source, omitted here) and then into F_q. Algorithms four and five below describe this process.
The inputs of algorithm four are m = (m0, m1, m2) and n = (n0, n1, n2) (given as a formula image in the source); the output is p = m·n. The calculation steps are as follows, where u is the constant term of the irreducible polynomial of the extension (formula image in the source, omitted here).
1. p0 = m0·n2 + m1·n1 + m2·n0
2. p1 = m1·n2 + m2·n1 + m0·n0·u, u = (1, 0)
3. p2 = m2·n2 + (m0·n1 + m1·n0)·u, u = (1, 0)
4. return p (formula image in the source, omitted)
The inputs of algorithm five are s = (s0, s1) and t = (t0, t1) (given as a formula image in the source); the output is q = s·t. The calculation steps are as follows, where u is the constant term of the irreducible polynomial of the extension (formula image in the source, omitted here).
1. q0 = s0·t1 + s1·t0
2. q1 = s1·t1 + s0·t0·u, u = -2
3. return q (formula image in the source, omitted)
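The two multiplication layers of algorithms four and five, as an added worked example that is not part of the patent text: the coefficient formulas are implemented as written and checked against an independent schoolbook polynomial product with the same reductions. The toy prime Q = 13 and the reference functions are assumptions made for this example; the real SM9 field parameters are not used.

```python
# Added example: the two multiplication layers of algorithms four and five,
# checked against an independent schoolbook polynomial product.
# Assumptions: toy prime Q = 13 (not an SM9 parameter) and the coefficient
# orderings used in the page's formulas.

Q = 13

# Algorithm five: a pair (s0, s1) stands for s0*x + s1 with x^2 = U2.
U2 = -2


def mul2(s, t):
    s0, s1 = s
    t0, t1 = t
    q0 = (s0 * t1 + s1 * t0) % Q          # coefficient of x
    q1 = (s1 * t1 + s0 * t0 * U2) % Q     # constant term, x^2 folded into U2
    return (q0, q1)


def add2(a, b):
    return ((a[0] + b[0]) % Q, (a[1] + b[1]) % Q)


# Algorithm four: a triple (m0, m1, m2) stands for m0*y^2 + m1*y + m2 with
# coefficients in the quadratic extension and y^3 = U3 = (1, 0), i.e. x itself.
U3 = (1, 0)


def mul3(m, n):
    m0, m1, m2 = m
    n0, n1, n2 = n
    p0 = add2(add2(mul2(m0, n2), mul2(m1, n1)), mul2(m2, n0))
    p1 = add2(add2(mul2(m1, n2), mul2(m2, n1)), mul2(mul2(m0, n0), U3))
    p2 = add2(mul2(m2, n2), mul2(add2(mul2(m0, n1), mul2(m1, n0)), U3))
    return (p0, p1, p2)


# Reference implementations: multiply as polynomials, then reduce the high
# powers, without using the hand-derived coefficient formulas above.
def ref_mul2(s, t):
    c = [0, 0, 0]                          # c[k] is the coefficient of x^k
    for i, si in ((1, s[0]), (0, s[1])):
        for j, tj in ((1, t[0]), (0, t[1])):
            c[i + j] += si * tj
    c[0] += c[2] * U2                      # x^2 -> U2
    return (c[1] % Q, c[0] % Q)


def ref_mul3(m, n):
    c = [(0, 0)] * 5                       # c[k] is the coefficient of y^k
    for i, mi in ((2, m[0]), (1, m[1]), (0, m[2])):
        for j, nj in ((2, n[0]), (1, n[1]), (0, n[2])):
            c[i + j] = add2(c[i + j], ref_mul2(mi, nj))
    c[0] = add2(c[0], ref_mul2(c[3], U3))  # y^3 -> U3
    c[1] = add2(c[1], ref_mul2(c[4], U3))  # y^4 -> U3 * y
    return (c[2], c[1], c[0])


def check_against_reference(samples):
    """Compare mul2/mul3 with the reference on repeatable pseudo-random inputs
    (a small LCG, so the check runs the same way every time)."""
    state = 12345

    def rnd():
        nonlocal state
        state = (1103515245 * state + 12345) % (1 << 31)
        return state % Q

    for _ in range(samples):
        s, t = (rnd(), rnd()), (rnd(), rnd())
        if mul2(s, t) != ref_mul2(s, t):
            return False
        m = ((rnd(), rnd()), (rnd(), rnd()), (rnd(), rnd()))
        n = ((rnd(), rnd()), (rnd(), rnd()), (rnd(), rnd()))
        if mul3(m, n) != ref_mul3(m, n):
            return False
    return True


if __name__ == "__main__":
    print("formulas agree with reference:", check_against_reference(500))
```

Each mul3 call performs nine mul2 products of operand components plus two multiplications by the constant u, which is the expansion of one extension-field multiplication into many base-field ones that equations (1) to (3) below enumerate.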
According to algorithms four and five, v0·v1 will eventually expand into modular multiplications over F_q, including the following multiplications:
(v0.m0.s0·v1.n2.t1), (v0.m0.s1·v1.n2.t0), (v0.m1.s0·v1.n1.t1), (v0.m1.s1·v1.n1.t0) ... (1)
v1·v1 expands into modular multiplications over F_q, including the following multiplications:
(v1.n0.t0·v1.n2.t1), (v1.n0.t1·v1.n2.t0), (v1.n1.t0·v1.n1.t1), (v1.n1.t1·v1.n1.t0) ... (2)
v0·v0 expands into modular multiplications over F_q, including the following multiplications:
(v0.m0.s0·v0.m2.s1), (v0.m0.s1·v0.m2.s0), (v0.m1.s0·v0.m1.s1), (v0.m1.s1·v0.m1.s0) ... (3)
The terms v0.m0.s0, v1.n2.t1, v0.m0.s1, v1.n2.t0, v0.m1.s0, v1.n1.t1, v0.m1.s1, v1.n1.t0, v1.n0.t0, v1.n0.t1, v0.m2.s1, v0.m2.s0 and so on in equations (1), (2) and (3) are explained as follows. The general form of this notation is a_i.b_j.c_k, where a_i is an element of the extension field in which G_T lies (formula image in the source, omitted here), its j-th component over the intermediate extension field (formula image in the source, omitted here) is written b_j, and the k-th component of b_j over F_q is written c_k; that is, after a_i is expanded from the extension field into F_q, the k-th component of its j-th component is written a_i.b_j.c_k.
As can be seen from equations (1), (2) and (3), after the extension field multiplication is expanded into F_q, one modular multiplication becomes many modular multiplications, so the difference between the current bit r_i of the power exponent being 0 and being 1 in algorithm three is amplified further.
The inventors of the present application found that the second operands of the modular multiplications in equations (1) and (2) are respectively the same, and that the first operands of the modular multiplications in equations (1) and (3) are respectively the same. As described above for algorithm three, one can first determine whether the operands of the modular multiplications are the same (for example, distinguishing whether algorithm three is currently calculating v0·v1 and v1·v1 or v0·v1 and v0·v0 by analyzing whether the first operands or the second operands are the same), then determine whether the exponent bit currently being processed is 0 or 1, thereby obtaining the power exponent r in w = g^r, and finally calculate the user signature private key d_SA through the SM9 signature procedure.
In the prior art, a template attack is divided into a training phase and an attack phase. In the training phase, the attacker collects many power traces and builds a power template for each of a number of data values (such as 0x1, 0x3, 0x7, 0xE and so on); in the attack phase, the power characteristic of the attack target, whose data value is denoted x, is matched against each template, and the best-matching template most likely gives the value of x. Once coordinate randomization protection is added, every computed data value carries a different random number (below, r1, r2, r3, r4 and r5 denote different random numbers), so that in the training phase the attacker can only obtain the power characteristics of 0x1×r1, 0x3×r2, 0x7×r3, 0xE×r4 and so on and cannot build templates for the real data; in the attack phase the attacker can only match against the power characteristic of x×r5 and cannot obtain the real value of x. In the embodiment of the present invention, however, it is observed that the coordinate randomization does not change within one calculation, so only one power trace needs to be acquired: the power characteristics at several different positions in that trace are extracted and, using the multiplications in equations (1), (2) and (3), it is determined whether the first multipliers or the second multipliers of different multiplications are the same (without knowing the specific data values), so as to obtain the power exponent used in the SM9 signature process and further derive the user signature private key d_SA according to the SM9 signature flow.
Fig. 1 illustrates a flowchart of a side channel analysis method 100 for attacking SM9 signature algorithm according to an embodiment of the present invention, which includes the following steps:
step S110: obtain the value of the power exponent by analyzing the large-number modular multiplication algorithm and performing the following operations for each bit of the power exponent in the SM9 signature algorithm power calculation: extracting side channel characteristics of the sequence used by the large-number modular multiplication algorithm to obtain a first modular multiplication side channel characteristic and a second modular multiplication side channel characteristic corresponding to one bit of the power exponent, where the first modular multiplication side channel characteristic comprises a first operand and a second operand and the second modular multiplication side channel characteristic comprises a third operand and a fourth operand; calculating the side channel characteristics of the first operand and of the second operand in the first modular multiplication side channel characteristic, and the side channel characteristics of the third operand and of the fourth operand in the second modular multiplication side channel characteristic; calculating a first discrimination value between the side channel characteristics of the first operand and of the third operand, and a second discrimination value between the side channel characteristics of the second operand and of the fourth operand; when the first discrimination value is less than the second discrimination value, the power exponent bit is 0, and when the first discrimination value is greater than the second discrimination value, the power exponent bit is 1;
step S120: obtain the user signature private key based on the value of the power exponent and the SM9 signature algorithm.
In the execution of step S110, the following operations are performed for each bit of the power exponent in the SM9 signature algorithm power calculation by analyzing the large-number modular multiplication algorithm, so as to obtain the value of the power exponent.
Specifically, a value of the power exponent can be obtained by analyzing the side channel information of each small multiplication during the large-number modular multiplication and determining whether the side channel characteristics of the first operands of different large-number modular multiplications are similar, and whether those of the second operands are similar. In a concrete implementation this involves extracting the side channel characteristics of the operands. From the attacker's perspective, since the attacker cannot know the specific intermediate values of the algorithm, the attacker can only attack by collecting side channel characteristic information during the execution of the algorithm, and the collected information is noisy rather than an exact value. Therefore it is necessary first to process the acquired side channel characteristic information, then to obtain discrimination values between operands, and then to compare the discrimination values to obtain the value of the power exponent, as described further below.
There are many ways to implement large-number modular multiplication, one of which is Montgomery modular multiplication. Montgomery modular multiplication has many versions, including Split Operand Scanning (SOS), Fine Integrated Product Scanning (FIPS), Coarse Integrated Operand Scanning (CIOS), Coarse Integrated Hybrid Scanning (CIHS) and Fine Integrated Operand Scanning (FIOS). The calculation process (hereinafter algorithm six) is described below taking CIOS Montgomery modular multiplication as an example.
The inputs of algorithm six are X = (x_{n-1} ... x_1 x_0)_b, Y = (y_{n-1} ... y_1 y_0)_b, N and N' (given as a formula image in the source), where X and Y are large numbers, x_i and y_i are the small multiplication words, b is the radix of x_i and y_i, N is the modulus, N' is the modulus parameter (N' = -N^{-1} mod b) and i is an integer between 0 and n-1; the output is X·Y·R^{-1} mod N with R = b^n. The calculation procedure is as follows, where A is a large number and a_i is an intermediate variable (the i-th word of A).
1. A = (a_n a_{n-1} ... a_1 a_0)_b ← 0
2. for i = 0 to n-1 do
3.   carry ← 0; for j = 0 to n-1 do
4.     (carry, a_j) ← a_j + x_i·y_j + carry        (the final carry is added into a_n)
5.   u_i ← a_0·N' mod b
6.   A ← (A + u_i·N) / b
7.   if A ≥ N then
8.     A ← A - N
9.   end if
10. end for
11. return A
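Algorithm six in runnable form, as an added example that is not part of the patent: a word-level CIOS Montgomery multiplication with the explicit carry handling of the standard CIOS description (Koç, Acar and Kaliski, 1996), plus a helper that uses it for an ordinary modular product. The 16-bit word size and the test moduli are assumptions made for this example.

```python
# Added example: CIOS Montgomery modular multiplication (algorithm six of the
# page) with the word-level carry handling of the standard CIOS description.
# Assumptions: 16-bit words (radix b = 2^16); inputs X, Y < N with N odd.

WORD_BITS = 16
B = 1 << WORD_BITS            # radix b of the words x_i, y_i, n_i


def to_words(value, n):
    """Split value into n little-endian radix-b words."""
    return [(value >> (WORD_BITS * k)) & (B - 1) for k in range(n)]


def from_words(words):
    """Inverse of to_words."""
    return sum(w << (WORD_BITS * k) for k, w in enumerate(words))


def mont_params(N):
    """Word count n, R = b^n and N' = -N^{-1} mod b for an odd modulus N."""
    if N % 2 == 0:
        raise ValueError("Montgomery multiplication needs an odd modulus")
    n = (N.bit_length() + WORD_BITS - 1) // WORD_BITS
    R = B ** n
    n_prime = (-pow(N, -1, B)) % B
    return n, R, n_prime


def cios_montgomery(X, Y, N):
    """Return X * Y * R^{-1} mod N (R = b^n) by Coarsely Integrated Operand Scanning.

    Every x_i*y_j and u_i*n_j below is one single-word product, i.e. one of the
    'small multiplications' whose operands the page's analysis is concerned with.
    """
    n, _, n_prime = mont_params(N)
    if not (0 <= X < N and 0 <= Y < N):
        raise ValueError("operands must be reduced modulo N")
    x, y, nw = to_words(X, n), to_words(Y, n), to_words(N, n)
    a = [0] * (n + 2)                       # accumulator A = (a_{n+1} ... a_1 a_0)_b
    for i in range(n):
        # step 4: A <- A + x_i * Y, one word at a time with a carry
        carry = 0
        for j in range(n):
            t = a[j] + x[i] * y[j] + carry
            a[j], carry = t % B, t // B
        t = a[n] + carry
        a[n], a[n + 1] = t % B, t // B
        # step 5: u_i <- a_0 * N' mod b makes (A + u_i * N) divisible by b
        u = (a[0] * n_prime) % B
        # step 6: A <- (A + u_i * N) / b; the division is a one-word shift,
        # so the result of the j-th step is stored in a_{j-1}
        t = a[0] + u * nw[0]                # low word becomes 0 by construction
        carry = t // B
        for j in range(1, n):
            t = a[j] + u * nw[j] + carry
            a[j - 1], carry = t % B, t // B
        t = a[n] + carry
        a[n - 1], carry = t % B, t // B
        a[n], a[n + 1] = a[n + 1] + carry, 0
    A = from_words(a[:n + 1])
    # steps 7-9: A < 2N here, so one conditional subtraction suffices
    return A - N if A >= N else A


def modmul_via_montgomery(X, Y, N):
    """Ordinary X * Y mod N: move X into the Montgomery domain (X*R mod N) by
    multiplying with R^2 mod N, then one more CIOS call removes the factor R."""
    _, R, _ = mont_params(N)
    x_mont = cios_montgomery(X, (R * R) % N, N)
    return cios_montgomery(x_mont, Y, N)


if __name__ == "__main__":
    N = (1 << 64) - 59                      # constructed odd test modulus
    print(modmul_via_montgomery(123456789, 987654321, N) == (123456789 * 987654321) % N)
```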
In algorithm six, once the side channel characteristics of all small multiplications x_i·y_j have been determined, the side channel characteristics associated with the first operand and the second operand can further be extracted from the side channel information of a modular multiplication.
The source gives the following notation as formula images; it is written out in plain text here. Denote by SC(X·Y·R^{-1} mod N) the side channel characteristics of all small multiplications x_i·y_j in X·Y·R^{-1} mod N, where SC(x_i·y_j) is the side channel characteristic of the small multiplication x_i·y_j, i = 0, 1, ..., n-1; j = 0, 1, ..., n-1. Denote by SC_X the side channel characteristic of X in X·Y·R^{-1} mod N and by SC_Y the side channel characteristic of Y in X·Y·R^{-1} mod N (how each is assembled from the SC(x_i·y_j) is given only as a formula image in the source).
For the whole Lucas sequence, in time order, the side channel characteristics of the two modular multiplications corresponding to the i-th bit of the power exponent are written SC_{i,1} and SC_{i,2}. The side channel characteristic of the first operand extracted from SC_{i,1} is written SC_{i,1}.op1 and that of the second operand SC_{i,1}.op2; the side channel characteristic of the first operand extracted from SC_{i,2} (which can also be regarded as the third operand involved in the power exponent operation for the i-th bit) is written SC_{i,2}.op1, and that of the second operand (which can also be regarded as the fourth operand involved in the power exponent operation for the i-th bit) is written SC_{i,2}.op2.
A first discrimination value is calculated between the side channel characteristics of the first operands of the two modular multiplications, and a second discrimination value between the side channel characteristics of their second operands; the i-th bit of the power exponent is then judged by comparing the first discrimination value with the second discrimination value: for example, when the first discrimination value is smaller than the second discrimination value, the i-th bit r_i of the power exponent is judged to be 0, and when the first discrimination value is larger than the second discrimination value, r_i is judged to be 1. The above operation is performed for each bit of the power exponent, thereby obtaining the value of the power exponent.
In one embodiment, the first discrimination value and the second discrimination value are calculated by the Euclidean distance formula. Suppose two m-dimensional vectors a = (a_0, a_1, ..., a_{m-1}) and b = (b_0, b_1, ..., b_{m-1}); then the Euclidean distance formula is:
D1 = sqrt((a_0 - b_0)^2 + (a_1 - b_1)^2 + ... + (a_{m-1} - b_{m-1})^2).
The first discrimination value calculated in this way is a first Euclidean distance, written D_i.op1, and the second discrimination value is a second Euclidean distance, written D_i.op2; when D_i.op1 < D_i.op2, the i-th bit of the power exponent is judged r_i == 0, and when D_i.op1 > D_i.op2, it is judged r_i == 1.
In another embodiment, the first discrimination value and the second discrimination value are calculated by the Manhattan distance formula. Suppose two m-dimensional vectors a = (a_0, a_1, ..., a_{m-1}) and b = (b_0, b_1, ..., b_{m-1}); then the Manhattan distance formula is: D2 = |a_0 - b_0| + |a_1 - b_1| + ... + |a_{m-1} - b_{m-1}|. The first discrimination value calculated in this way is a first Manhattan distance and the second discrimination value is a second Manhattan distance; when the first Manhattan distance is smaller than the second Manhattan distance, the i-th bit of the power exponent is judged r_i == 0, and when the first Manhattan distance is larger than the second Manhattan distance, it is judged r_i == 1.
In yet another embodiment, the first discrimination value and the second discrimination value are calculated by the Chebyshev distance formula. Suppose two m-dimensional vectors a = (a_0, a_1, ..., a_{m-1}) and b = (b_0, b_1, ..., b_{m-1}); then the Chebyshev distance formula is: D3 = max_i |a_i - b_i|. The first discrimination value calculated in this way is a first Chebyshev distance and the second discrimination value is a second Chebyshev distance; when the first Chebyshev distance is smaller than the second Chebyshev distance, the i-th bit of the power exponent is judged r_i == 0, and when the first Chebyshev distance is larger than the second Chebyshev distance, it is judged r_i == 1.
In yet another embodiment, the first discrimination value and the second discrimination value are calculated by the correlation coefficient formula. Suppose two m-dimensional vectors a = (a_0, a_1, ..., a_{m-1}) and b = (b_0, b_1, ..., b_{m-1}); then the correlation coefficient formula is:
ρ(a, b) = Cov(a, b) / sqrt(Var(a)·Var(b)),
where Cov(a, b) is the covariance of vector a and vector b, Var(a) is the variance of vector a, and Var(b) is the variance of vector b. Here the first discrimination value is represented by the second correlation coefficient and the second discrimination value by the first correlation coefficient, so that a larger correlation coefficient, which indicates greater similarity, plays the role that a smaller distance plays above; when the first correlation coefficient is smaller than the second correlation coefficient, the i-th bit of the power exponent is judged r_i == 0, and when the first correlation coefficient is larger than the second correlation coefficient, it is judged r_i == 1.
In the execution of step S120, the user signature private key is obtained based on the value of the power exponent and the SM9 signature algorithm.
Specifically, once the power exponent of each bit has been obtained, the value of the power exponent $r$ in $w = g^r$ is known; then, following the SM9 signature flow, $l$ can be computed from the power exponent $r$, and the user signature private key $d_{SA}$ is obtained from $l$ and the following equation:
Figure BDA0002156107030000121
where $w$ and $g$ are elements of the group $G_T$, $r$ is the power exponent, $H_2()$ is a cryptographic function derived from a cryptographic hash function, $M$ is the message to be signed, $N$ is the order of the group $G_T$, $h$ and $l$ are integers, and $d_{SA}$ is the user signature private key.
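The following is an added illustration, not code from the patent, of why the left-to-right binary sequence named above gives the analysis something to compare: the pattern of squarings and multiplications by the fixed base, and hence the operands shared between consecutive modular multiplications, follows the exponent bits. A Montgomery ladder is shown beside it as the assumed hardened form, with the same operation pattern for every bit; the recorded trace, the base `g`, the modulus and the exponents are all constructed here.

```python
# Added example (not from the patent). The recorded "trace" is a constructed
# stand-in for what a side channel exposes about the sequence of big-number
# modular multiplications: "S" = squaring (both operands equal),
# "M" = multiplication of two different registers / by the base g.

def modexp_left_to_right(g: int, r: int, n: int, trace: list) -> int:
    """Left-to-right binary exponentiation, the sequence the patent analyses.
    A multiplication by g runs only when the current bit is 1, so the pattern
    of consecutive modular multiplications depends on every exponent bit."""
    acc = 1
    for bit in bin(r)[2:]:
        trace.append("S")                # operands (acc, acc)
        acc = acc * acc % n
        if bit == "1":
            trace.append("M")            # operands (acc, g): reveals bit = 1
            acc = acc * g % n
    return acc


def modexp_ladder(g: int, r: int, n: int, trace: list) -> int:
    """Montgomery ladder (assumed hardened form): each bit costs exactly one
    multiplication of the two registers and one squaring, whatever its value.
    Invariant: r1 == r0 * g (mod n). Note this fixes the operation pattern
    only; which register is squared still depends on the bit, so a real
    implementation additionally needs constant-time register selection."""
    r0, r1 = 1, g % n
    for bit in bin(r)[2:]:
        trace.append("M")
        if bit == "0":
            r1 = r0 * r1 % n
            trace.append("S")
            r0 = r0 * r0 % n
        else:
            r0 = r0 * r1 % n
            trace.append("S")
            r1 = r1 * r1 % n
    return r0


def pattern_depends_on_exponent(modexp, exponents, g=7, n=2**61 - 1) -> bool:
    """Defender-side check: run the routine on several exponents of equal bit
    length and report whether the multiplication pattern differs between them.
    Also verifies each result against Python's built-in pow()."""
    patterns = set()
    for r in exponents:
        trace = []
        assert modexp(g, r, n, trace) == pow(g, r, n)
        patterns.add(tuple(trace))
    return len(patterns) > 1


if __name__ == "__main__":
    sample = [0b1011, 0b1000, 0b1111]    # constructed 4-bit exponents
    print("left-to-right leaks pattern:", pattern_depends_on_exponent(modexp_left_to_right, sample))
    print("ladder leaks pattern:       ", pattern_depends_on_exponent(modexp_ladder, sample))
```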
As shown in fig. 2, the embodiment of the present invention further discloses a schematic structural diagram 200 of a side channel attack apparatus for SM9. The apparatus 200 includes a power exponent obtaining module 210 and a user signature private key obtaining module 220.
The power exponent obtaining module 210 is adapted to perform the following operations, for each bit of the power exponent in the SM9 signature algorithm power calculation, by analyzing the big-number modular multiplication algorithm, so as to obtain the value of the power exponent: extract the side channel characteristics of the sequence used by the big-number modular multiplication algorithm to obtain a first modular multiplication side channel characteristic and a second modular multiplication side channel characteristic corresponding to one bit of the power exponent, the first modular multiplication involving a first operand and a second operand and the second modular multiplication involving a third operand and a fourth operand; compute the side channel characteristics of the first operand and of the second operand in the first modular multiplication, and of the third operand and of the fourth operand in the second modular multiplication; compute a first discrimination value between the side channel characteristics of the first operand and those of the third operand, and a second discrimination value between the side channel characteristics of the second operand and those of the fourth operand; when the first discrimination value is less than the second discrimination value, the bit of the power exponent is 0, and when the first discrimination value is greater than the second discrimination value, the bit is 1.
The user signature private key obtaining module 220 is adapted to obtain the user signature private key based on the value of the power exponent and the SM9 signature algorithm.
For more details of the working principle and working mode of the side channel analysis apparatus 200 for attacking the SM9 signature algorithm, reference may be made to the above description of the side channel analysis method for attacking the SM9 signature algorithm, which is not repeated here.
The embodiment of the invention also discloses a side channel analysis storage medium for attacking the SM9 signature algorithm, wherein computer instructions are stored on the storage medium, and the steps of the side channel analysis method for attacking the SM9 signature algorithm are executed when the computer instructions are run. The storage medium may include ROM, RAM, magnetic or optical disks, or the like. The storage medium may further include a non-volatile memory or a non-transitory memory, etc.
The embodiment of the invention also discloses a side channel analysis device for attacking the SM9 signature algorithm, which comprises a memory and a processor, wherein the memory stores computer instructions capable of running on the processor. The processor, when executing the computer instructions, may perform the steps of the side channel analysis method for attacking the SM9 signature algorithm described above.
Although the present invention is disclosed above, the present invention is not limited thereto. Various changes and modifications may be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A side channel analysis method for attacking the SM9 signature algorithm, characterized by comprising the following steps:
performing the following operations, for each bit of the power exponent in the SM9 signature algorithm power calculation, by analyzing a big-number modular multiplication algorithm, so as to obtain the value of the power exponent: extracting side channel characteristics of the sequence used by the big-number modular multiplication algorithm to obtain a first modular multiplication side channel characteristic and a second modular multiplication side channel characteristic corresponding to one bit of the power exponent, the first modular multiplication involving a first operand and a second operand and the second modular multiplication involving a third operand and a fourth operand; computing side channel characteristics of the first operand and of the second operand in the first modular multiplication, and side channel characteristics of the third operand and of the fourth operand in the second modular multiplication; computing a first discrimination value between the side channel characteristics of the first operand and those of the third operand, and a second discrimination value between the side channel characteristics of the second operand and those of the fourth operand; when the first discrimination value is smaller than the second discrimination value, the bit of the power exponent is 0, and when the first discrimination value is larger than the second discrimination value, the bit of the power exponent is 1; and obtaining a user signature private key based on the value of the power exponent and the SM9 signature algorithm.
2. The side channel analysis method of claim 1, wherein the big-number modular multiplication algorithm is SOS, CIOS, FIOS, FIPS, or CIHS.
3. The side channel analysis method of claim 1, wherein the sequence used by the big-number modular multiplication algorithm is a left-to-right binary algorithm sequence or a Lucas sequence.
4. The side channel analysis method according to claim 1, wherein the first discrimination value and the second discrimination value are calculated by a euclidean distance calculation formula, a manhattan distance calculation formula, a chebyshev distance calculation formula, or a correlation coefficient calculation formula.
5. The side channel analysis method of claim 1, wherein obtaining the user signature private key based on the value of the power exponent and the SM9 signature algorithm comprises: obtaining the user signature private key based on the value of the power exponent and the following equation,
Figure FDA0002156107020000011
wherein $w$ and $g$ are elements of the group $G_T$, $r$ is the power exponent, $H_2()$ is a cryptographic function derived from a cryptographic hash function, $M$ is the message to be signed, $N$ is the order of the group $G_T$, $h$ and $l$ are integers, and $d_{SA}$ is the user signature private key.
6. A side channel analysis apparatus for attacking the SM9 signature algorithm, comprising:
a power exponent obtaining module adapted to perform the following operations, for each bit of the power exponent in the SM9 signature algorithm power calculation, by analyzing a big-number modular multiplication algorithm, so as to obtain the value of the power exponent: extracting side channel characteristics of the sequence used by the big-number modular multiplication algorithm to obtain a first modular multiplication side channel characteristic and a second modular multiplication side channel characteristic corresponding to one bit of the power exponent, the first modular multiplication involving a first operand and a second operand and the second modular multiplication involving a third operand and a fourth operand; computing side channel characteristics of the first operand and of the second operand in the first modular multiplication, and side channel characteristics of the third operand and of the fourth operand in the second modular multiplication; computing a first discrimination value between the side channel characteristics of the first operand and those of the third operand, and a second discrimination value between the side channel characteristics of the second operand and those of the fourth operand; when the first discrimination value is smaller than the second discrimination value, the bit of the power exponent is 0, and when the first discrimination value is larger than the second discrimination value, the bit of the power exponent is 1;
a user signature private key obtaining module adapted to obtain a user signature private key based on the value of the power exponent and the SM9 signature algorithm.
7. The side channel analysis apparatus of claim 6, wherein the big-number modular multiplication algorithm is SOS, CIOS, FIOS, FIPS, or CIHS.
8. The side channel analysis apparatus of claim 6, wherein the user signature private key obtaining module includes a module for obtaining the user signature private key based on the value of the power exponent and the following equation,
Figure FDA0002156107020000021
wherein $w$ and $g$ are elements of the group $G_T$, $r$ is the power exponent, $H_2()$ is a cryptographic function derived from a cryptographic hash function, $M$ is the message to be signed, $N$ is the order of the group $G_T$, $h$ and $l$ are integers, and $d_{SA}$ is the user signature private key.
9. A storage medium having computer instructions stored thereon, wherein said computer instructions, when executed, perform the steps of the side channel analysis method for attacking the SM9 signature algorithm of any of claims 1 to 5.
10. An apparatus comprising a memory and a processor, the memory having stored thereon computer instructions executable on the processor, wherein the processor, when executing the computer instructions, performs the steps of the side channel analysis method for attacking the SM9 signature algorithm of any of claims 1 to 5.
CN201910717925.0A 2019-08-05 2019-08-05 Side channel analysis method, device, medium and equipment for attacking SM9 signature algorithm Pending CN112332970A (en)

Publications (1)

Publication Number Publication Date
CN112332970A true CN112332970A (en) 2021-02-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210205