Skip to main content
SpringerLink
Log in

EHNP Strikes Back: Analyzing SM2 Implementations

  • Conference paper
  • First Online:
Progress in Cryptology - AFRICACRYPT 2022 (AFRICACRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13503))

Included in the following conference series:

  • 523 Accesses

Abstract

The SM2 digital signature algorithm is part of the Chinese standard public key cryptography suite designed on elliptic curves and has been included in various Chinese commercial applications. Due to the structure of the algorithm and quality of coding, some implementations are vulnerable to potential side-channel attacks and leak information about the double-and-add chains. Popular SM2 libraries such as GmSSL, TASSL and old versions of OpenSSL still use sliding-window (recommended by standard) or wNAF to conduct scalar multiplication of points, which is vulnerable to side-channel attacks like Flush+Reload: key recovery is then an instance of the Extended Hidden Number Problem (EHNP). The EHNP can be reduced to the Shortest Vector Problem (SVP) and solved with lattice algorithms. In this paper, we propose an extended key-recovery attack with leaked double-and-add chains from signature schemes such as SM2 and ECDSA. The side-channel leakage is possible in libraries which use wNAF or sliding-window multiplication. Our approach translates side information of different implementations to an EHNP instance, then propose novel strategies to reduce the EHNP to SVP in a lattice of smaller dimension than previous method, and introduce our algorithms to solve the problem. To evaluate the probability, we provide new estimations for the norm of the target vector, and formulate a tradeoff function. Finally, we show the new record of attacking SM2 with provided information. We are able to recover the secret key with only three signatures, while previous attacks required more than six signatures. We also attack the SM2 traces with improved probability and efficiency. Our new algorithm does not rely on any specific digital signature scheme, thus can be used to attack other signature algorithms.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

    Chapter  MATH  Google Scholar 

  2. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11

    Chapter  Google Scholar 

  3. Albrecht, M.R., Heninger, N.: On bounded distance decoding with predicate: breaking the “lattice barrier’’ for the hidden number problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 528–558. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_19

    Chapter  Google Scholar 

  4. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, pp. 10–24. Society for Industrial and Applied Mathematics, USA (2016)

    Google Scholar 

  5. Chen, J., Liu, M., Li, H., Shi, H.: Mind your nonces moving: template-based partially-sharing nonces attack on sm2 digital signature algorithm. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2015, pp. 609–614, April 2015. https://doi.org/10.1145/2714576.2714587

  6. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

    Chapter  Google Scholar 

  7. Dachman-Soled, D., Ducas, L., Gong, H., Rossi, M.: LWE with side information: attacks and concrete security estimation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 329–358. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_12

    Chapter  Google Scholar 

  8. De Feo, L., Poettering, B., Sorniotti, A.: On the (in)security of ELGamal in OpenPGP. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, New York, NY, USA, pp. 2066–2080. Association for Computing Machinery (2021). https://doi.org/10.1145/3460120.3485257

  9. De Micheli, G., Piau, R., Pierrot, C.: A tale of three signatures: practical attack of ECDSA with wNAF. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 361–381. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_18

    Chapter  Google Scholar 

  10. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

    Chapter  Google Scholar 

  11. Ducas, L., Stevens, M., van Woerden, W.: Advanced lattice sieving on GPUs, with tensor cores. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 249–279. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_9

    Chapter  Google Scholar 

  12. Fan, S., Wang, W., Cheng, Q.: Attacking OpenSSL implementation of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1505–1515 (2016)

    Google Scholar 

  13. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, STOC 2008, New York, NY, USA, pp. 207–216. Association for Computing Machinery (2008). https://doi.org/10.1145/1374376.1374408

  14. Genkin, D., Pachmanov, L., Pipman, I., Tromer, E., Yarom, Y.: ECDSA key extraction from mobile devices via nonintrusive physical side channels. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, New York, NY, USA, pp. 1626–1638. Association for Computing Machinery (2016). https://doi.org/10.1145/2976749.2978353

  15. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25

    Chapter  Google Scholar 

  16. Jancar, J., Sedlacek, V., Svenda, P., Sys, M.: Minerva: the curse of ECDSA nonces systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces. IACR Trans. Cryptogr. Hardw. Embedded Syst. 2020(4), 281–308 (2020). https://doi.org/10.13154/tches.v2020.i4.281-308. https://tches.iacr.org/index.php/TCHES/article/view/8684

  17. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

    Chapter  Google Scholar 

  18. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1

    Chapter  MATH  Google Scholar 

  19. Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982). https://doi.org/10.1007/BF01457454. http://infoscience.epfl.ch/record/164484

  20. Li, S., Fan, S., Lu, X.: Attacking ECDSA leaking discrete bits with a more efficient lattice. In: Yu, Yu., Yung, M. (eds.) Inscrypt 2021. LNCS, vol. 13007, pp. 251–266. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88323-2_13

    Chapter  Google Scholar 

  21. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5

    Chapter  MATH  Google Scholar 

  22. Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_31

    Chapter  Google Scholar 

  23. Nguyen, P.Q., Vallée, B.: The LLL Algorithm: Survey and Applications. Information Security and Cryptography, Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1. https://hal.archives-ouvertes.fr/hal-01141414

  24. van de Pol, J., Smart, N.P., Yarom, Y.: Just a little bit more. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 3–21. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_1

    Chapter  Google Scholar 

  25. The FPLLL development team: FPLLL, a lattice reduction library, Version: 5.4.1 (2021). https://github.com/fplll/fplll/

  26. The FPLLL development team: FPYLLL, a Python wraper for the FPLLL lattice reduction library, Version: 0.5.6 (2021). https://github.com/fplll/fpylll

  27. The FPLLL Development Team: The general sieve kernel (G6K) (2021). https://github.com/fplll/fpylll

  28. Thibault, J.P., O’Flynn, C., Dewar, A.: Ark of the ECC: an open-source ECDSA power analysis attack on a FPGA based curve P-256 implementation. Cryptology ePrint Archive, Report 2021/1520 (2021). https://ia.cr/2021/1520

  29. Tuveri, N., ul Hassan, S., García, C.P., Brumley, B.B.: Side-channel analysis of SM2: a late-stage featurization case study. In: Proceedings of the 2018 Annual Computer Security Applications Conference, ACSAC 2018, New York, NY, USA, pp. 147–160. Association for Computing Machinery (2018). https://doi.org/10.1145/3274694.3274725

  30. Wei, W., Chen, J., Li, D., Wang, B.: Partially known information attack on SM2 key exchange protocol. SCIENCE CHINA Inf. Sci. 62(3), 1–14 (2019). https://doi.org/10.1007/s11432-018-9515-9

    Article  Google Scholar 

  31. Zhang, K., et al.: Practical partial-nonce-exposure attack on ECC algorithm. In: 2017 13th International Conference on Computational Intelligence and Security (CIS), pp. 248–252 (2017). https://doi.org/10.1109/CIS.2017.00061

Download references

Acknowledgements

The work of Qingfeng Cheng was supported by the National Natural Science Foundation of China under Grant No. 61872449; The work of Jian Weng was supported by National Key Research and Development Plan of China under Grant No. 2020YFB1005600, Major Program of Guangdong Basic and Applied Research Project under Grant No. 2019B030302008, National Natural Science Foundation of China under Grant No. 61825203, Guangdong Provincial Science and Technology Project under Grant Nos. 2017B010111005 and 2021A0505030033, National Joint Engineering Research Center of Network Security Detection and Protection Technology, and Guangdong Key Laboratory of Data Security and Privacy Preserving.

Author information

Authors and Affiliations

  1. Strategic Support Force Information Engineering University, Zhengzhou, 450001, China

    Jinzheng Cao & Qingfeng Cheng

  2. Jinan University, Guangzhou, 510630, China

    Jian Weng

Authors
  1. Jinzheng Cao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Qingfeng Cheng
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jian Weng
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Qingfeng Cheng .

Editor information

Editors and Affiliations

  1. Radboud University, Nijmegen, The Netherlands

    Lejla Batina

  2. Radboud University, Nijmegen, Gelderland, The Netherlands

    Joan Daemen

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cao, J., Cheng, Q., Weng, J. (2022). EHNP Strikes Back: Analyzing SM2 Implementations. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-17433-9_25

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17432-2

  • Online ISBN: 978-3-031-17433-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation