Abstract
The SM2 digital signature algorithm is part of the Chinese standard public key cryptography suite designed on elliptic curves and has been included in various Chinese commercial applications. Due to the structure of the algorithm and quality of coding, some implementations are vulnerable to potential side-channel attacks and leak information about the double-and-add chains. Popular SM2 libraries such as GmSSL, TASSL and old versions of OpenSSL still use sliding-window (recommended by standard) or wNAF to conduct scalar multiplication of points, which is vulnerable to side-channel attacks like Flush+Reload: key recovery is then an instance of the Extended Hidden Number Problem (EHNP). The EHNP can be reduced to the Shortest Vector Problem (SVP) and solved with lattice algorithms. In this paper, we propose an extended key-recovery attack with leaked double-and-add chains from signature schemes such as SM2 and ECDSA. The side-channel leakage is possible in libraries which use wNAF or sliding-window multiplication. Our approach translates side information of different implementations to an EHNP instance, then propose novel strategies to reduce the EHNP to SVP in a lattice of smaller dimension than previous method, and introduce our algorithms to solve the problem. To evaluate the probability, we provide new estimations for the norm of the target vector, and formulate a tradeoff function. Finally, we show the new record of attacking SM2 with provided information. We are able to recover the secret key with only three signatures, while previous attacks required more than six signatures. We also attack the SM2 traces with improved probability and efficiency. Our new algorithm does not rely on any specific digital signature scheme, thus can be used to attack other signature algorithms.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25
Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11
Albrecht, M.R., Heninger, N.: On bounded distance decoding with predicate: breaking the “lattice barrier’’ for the hidden number problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 528–558. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_19
Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, pp. 10–24. Society for Industrial and Applied Mathematics, USA (2016)
Chen, J., Liu, M., Li, H., Shi, H.: Mind your nonces moving: template-based partially-sharing nonces attack on sm2 digital signature algorithm. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015, pp. 609–614, April 2015. https://doi.org/10.1145/2714576.2714587
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12
De Feo, L., Poettering, B., Sorniotti, A.: On the (in)security of ELGamal in OpenPGP. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, New York, NY, USA, pp. 2066–2080. Association for Computing Machinery (2021). https://doi.org/10.1145/3460120.3485257
De Micheli, G., Piau, R., Pierrot, C.: A tale of three signatures: practical attack of ECDSA with wNAF. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 361–381. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_18
Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5
Ducas, L., Stevens, M., van Woerden, W.: Advanced lattice sieving on GPUs, with tensor cores. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 249–279. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_9
Fan, S., Wang, W., Cheng, Q.: Attacking OpenSSL implementation of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1505–1515 (2016)
Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, STOC 2008, New York, NY, USA, pp. 207–216. Association for Computing Machinery (2008). https://doi.org/10.1145/1374376.1374408
Genkin, D., Pachmanov, L., Pipman, I., Tromer, E., Yarom, Y.: ECDSA key extraction from mobile devices via nonintrusive physical side channels. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, New York, NY, USA, pp. 1626–1638. Association for Computing Machinery (2016). https://doi.org/10.1145/2976749.2978353
Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25
Jancar, J., Sedlacek, V., Svenda, P., Sys, M.: Minerva: the curse of ECDSA nonces systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces. IACR Trans. Cryptogr. Hardw. Embedded Syst. 2020(4), 281–308 (2020). https://doi.org/10.13154/tches.v2020.i4.281-308. https://tches.iacr.org/index.php/TCHES/article/view/8684
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1
Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982). https://doi.org/10.1007/BF01457454. http://infoscience.epfl.ch/record/164484
Li, S., Fan, S., Lu, X.: Attacking ECDSA leaking discrete bits with a more efficient lattice. In: Yu, Yu., Yung, M. (eds.) Inscrypt 2021. LNCS, vol. 13007, pp. 251–266. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88323-2_13
Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5
Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_31
Nguyen, P.Q., Vallée, B.: The LLL Algorithm: Survey and Applications. Information Security and Cryptography, Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1. https://hal.archives-ouvertes.fr/hal-01141414
van de Pol, J., Smart, N.P., Yarom, Y.: Just a little bit more. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 3–21. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_1
The FPLLL development team: FPLLL, a lattice reduction library, Version: 5.4.1 (2021). https://github.com/fplll/fplll/
The FPLLL development team: FPYLLL, a Python wraper for the FPLLL lattice reduction library, Version: 0.5.6 (2021). https://github.com/fplll/fpylll
The FPLLL Development Team: The general sieve kernel (G6K) (2021). https://github.com/fplll/fpylll
Thibault, J.P., O’Flynn, C., Dewar, A.: Ark of the ECC: an open-source ECDSA power analysis attack on a FPGA based curve P-256 implementation. Cryptology ePrint Archive, Report 2021/1520 (2021). https://ia.cr/2021/1520
Tuveri, N., ul Hassan, S., GarcÃa, C.P., Brumley, B.B.: Side-channel analysis of SM2: a late-stage featurization case study. In: Proceedings of the 2018 Annual Computer Security Applications Conference, ACSAC 2018, New York, NY, USA, pp. 147–160. Association for Computing Machinery (2018). https://doi.org/10.1145/3274694.3274725
Wei, W., Chen, J., Li, D., Wang, B.: Partially known information attack on SM2 key exchange protocol. SCIENCE CHINA Inf. Sci. 62(3), 1–14 (2019). https://doi.org/10.1007/s11432-018-9515-9
Zhang, K., et al.: Practical partial-nonce-exposure attack on ECC algorithm. In: 2017 13th International Conference on Computational Intelligence and Security (CIS), pp. 248–252 (2017). https://doi.org/10.1109/CIS.2017.00061
Acknowledgements
The work of Qingfeng Cheng was supported by the National Natural Science Foundation of China under Grant No. 61872449; The work of Jian Weng was supported by National Key Research and Development Plan of China under Grant No. 2020YFB1005600, Major Program of Guangdong Basic and Applied Research Project under Grant No. 2019B030302008, National Natural Science Foundation of China under Grant No. 61825203, Guangdong Provincial Science and Technology Project under Grant Nos. 2017B010111005 and 2021A0505030033, National Joint Engineering Research Center of Network Security Detection and Protection Technology, and Guangdong Key Laboratory of Data Security and Privacy Preserving.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Cao, J., Cheng, Q., Weng, J. (2022). EHNP Strikes Back: Analyzing SM2 Implementations. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_25
Download citation
DOI: https://doi.org/10.1007/978-3-031-17433-9_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17432-2
Online ISBN: 978-3-031-17433-9
eBook Packages: Computer ScienceComputer Science (R0)