Partially known information attack on SM2 key exchange protocol

  • Wei WeiEmail author
  • Jiazhe Chen
  • Dan Li
  • Beibei Wang
Research Paper


SM2 key exchange protocol is a part of the SM2 public key cryptographic algorithm based on elliptic curves which has been issued by Chinese State Cryptography Administration since 2010. Under the guide of Chinese government, SM2 has been widely used in Chinese commercial applications. This paper gives the first partially known information attack on SM2 key exchange protocol. Our attack is based on a technique modified from the hidden number problem (HNP) which was introduced originally to study the bit security of Diffie-Hellman and related schemes. We present a polynomial-time algorithm which could recover the user’s secret key when given about half least significant bits of the two unknown intermediate values in each congruence over about 30 to 40 instances. Compared with the standard HNP, our approach deals with congruence involved two independent unknown variables and each of them possesses the same size as the secret key. Moreover, our results almost coincide with the previous best result among the same field considering the extreme case in which one variant is completely revealed.


SM2 key exchange protocol cryptanalysis information leakage lattice attack extended hidden number problem 



This work was supported by National Key Research and Development Program of China (Grant Nos. 2016YFB0800902, 2016YFF0204004), and National Nature Science Foundation of China (Grant No. 61402536). The authors would like to thank the anonymous referees for their valuable comments.


  1. 1.
    Office of State Commercial Cryptography Administration. Public key cryptographic alforithm SM2 based on elliptic curves (in chinese). 2010. Google Scholar
  2. 2.
    International Organization for Standardization. Information technology, trusted platform module library, Part 1: Architecture. ISO/IEC 11889–1:2015. Google Scholar
  3. 3.
    International Organization for Standardization. Information technology, security techniques digital signatures with appendix Part 3: discrete logarithm based mechanisms. ISO/IEC 14888–3:2016. Google Scholar
  4. 4.
    Diffie W, Hellman M E. New directions in cryptography. IEEE Trans Inform Theor, 1976, 22: 644–654MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Howgrave-Graham N A, Smart N P. Lattice attacks on digital signature schemes. Dess Codes Cryptography, 2001, 23: 283–290MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Liu M, Nguyen P Q. Solving BDD by enumeration: an update. In: Topics in Cryptology–CT-RSA 2013. Berlin: Springer, 2013. 7779: 293–309Google Scholar
  7. 7.
    Nguyen P Q. The dark side of the hidden number problem: lattice attacks on DSA. In: Cryptography and Computational Number Theory. Basel: Birkhäuser, 2001. 321–330CrossRefGoogle Scholar
  8. 8.
    Nguyen P Q, Shparlinski I E. The insecurity of the digital signature algorithm with partially known nonces. J Cryptology, 2002, 15: 151–176MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Boneh D, Venkatesan R. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Advances in Cryptology–CRYPTO’96. Berlin: Springer, 1996. 1109: 129–142Google Scholar
  10. 10.
    Shani B. On the bit security of elliptic curve Diffie-Hellman. In: Proceedings of the 20th IACR International Conference on Practice and Theory in Public-Key Cryptography. Berlin: Springer, 2017. 10174: 361–387Google Scholar
  11. 11.
    Liu M, Chen J, Li H. Partially known nonces and fault injection attacks on SM2 signature algorithm. In: Proceedings of the 9th International Conference on Information Security and Cryptology. Cham: Springer, 2013. 8567: 343–358Google Scholar
  12. 12.
    Aranha D F, Fouque P A, Gérard B, et al. GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce bias. In: Advances in Cryptology–ASIACRYPT 2014. Berlin: Springer, 2014. 8873: 262–281Google Scholar
  13. 13.
    Bleichenbacher D. On the generation of one-time keys in DL signature schemes. In: Proceedings of IEEE P1363 Working Group Meeting, 2000Google Scholar
  14. 14.
    Bleichenbacher D. On the generation of dsa one-time keys. In: Presentation at Cryptography Research Inc., 2007Google Scholar
  15. 15.
    De Mulder E, Hutter M, Marson M E, et al. Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In: Cryptographic Hardware and Embedded Systems–CHES 2013. Berlin: Springer, 2013. 8086: 435–452Google Scholar
  16. 16.
    Boneh D, Halevi S, Howgrave-Graham N A. The modular inversion hidden number problem. In: Advances in Cryptology–ASIACRYPT 2001. Berlin: Springer, 2001. 2248: 36–51Google Scholar
  17. 17.
    Shparlinski I E. Playing hide-and-seek with numbers: the hidden number problem, lattices and exponential sums. In: Proceedings of Symposia in Applied Mathematics, 2005. 62: 153–177Google Scholar
  18. 18.
    Hlaváč M, Rosa T. Extended hidden number problem and its cryptanalytic applications. In: Selected Areas in Cryptography: 13th International Workshop, SAC 2006. Berlin: Springer, 2006. 4356: 114–133Google Scholar
  19. 19.
    Fan S, Wang W, Cheng Q. Attacking OpenSSL implementations of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016. 1505–1515Google Scholar
  20. 20.
    Lenstra A K, Lenstra H W, Lovász L. Factoring polynomials with rational coefficients. Math Ann, 1982, 261: 515–534MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Chen Y, Nguyen P Q. BKZ 2.0: better lattice security estimates. In: Advances in Cryptology–ASIACRYPT 2011. Berlin: Springer, 2011. 7073: 1–20Google Scholar
  22. 22.
    Schnorr C P, Euchner M. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math Programm, 1994, 66: 181–199MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Aono Y, Nguyen P Q. Random sampling revisited: lattice enumeration with discrete pruning. In: Advances in Cryptology–EUROCRYPT 2017. Cham: Springer, 2017. 10211: 65–102Google Scholar
  24. 24.
    Aono Y, Wang Y, Hayashi T, et al. Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Advances in Cryptology–EUROCRYPT 2016. Berlin: Springer, 2016. 9665: 789–819Google Scholar
  25. 25.
    Zheng Z X, Wang X Y, Xu G W, et al. Orthogonalized lattice enumeration for solving SVP. Sci China Inf Sci, 2018, 61: 032115MathSciNetCrossRefGoogle Scholar
  26. 26.
    Micciancio D, Goldwasser S. Complexity of Lattice Problems: a Cryptographic Perspective. Norwell: Kluwer Academic Publishers, 2002. 14–22CrossRefzbMATHGoogle Scholar
  27. 27.
    Schnorr C P. A hierarchy of polynomial time lattice basis reduction algorithms. Theor Comput Sci, 1987, 53: 201–224MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Schnorr C P, Hörner H. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Advances in Cryptology–EUROCRYPT’95. Berlin: Springer, 1995. 921: 1–12Google Scholar
  29. 29.
    Babai L. On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica, 1986, 6: 1–13MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    Kannan R. Algorithmic geometry of numbers. Annu Rev Comput Sci, 1987, 2: 231–267MathSciNetCrossRefGoogle Scholar
  31. 31.
    Shoup V. Number theory C++ library (NTL) vesion 6.0.0.
  32. 32.
    Kannan R. Minkowski’s convex body theorem and integer programming. Math Oper Res, 1987, 12: 415–440MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Science China Press and Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. 1.China Information Technology Security Evaluation CenterBeijingChina
  2. 2.Institute for Advanced StudyTsinghua UniversityBeijingChina

Personalised recommendations