Advertisement

Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Partially known information attack on SM2 key exchange protocol

  • 44 Accesses

Abstract

SM2 key exchange protocol is a part of the SM2 public key cryptographic algorithm based on elliptic curves which has been issued by Chinese State Cryptography Administration since 2010. Under the guide of Chinese government, SM2 has been widely used in Chinese commercial applications. This paper gives the first partially known information attack on SM2 key exchange protocol. Our attack is based on a technique modified from the hidden number problem (HNP) which was introduced originally to study the bit security of Diffie-Hellman and related schemes. We present a polynomial-time algorithm which could recover the user’s secret key when given about half least significant bits of the two unknown intermediate values in each congruence over about 30 to 40 instances. Compared with the standard HNP, our approach deals with congruence involved two independent unknown variables and each of them possesses the same size as the secret key. Moreover, our results almost coincide with the previous best result among the same field considering the extreme case in which one variant is completely revealed.

This is a preview of subscription content, log in to check access.

References

  1. 1

    Office of State Commercial Cryptography Administration. Public key cryptographic alforithm SM2 based on elliptic curves (in chinese). 2010. https://doi.org/www.oscca.gov.cn/UpFile/2010122214822692.pdf

  2. 2

    International Organization for Standardization. Information technology, trusted platform module library, Part 1: Architecture. ISO/IEC 11889–1:2015. https://doi.org/www.iso.org/standard/66510.html

  3. 3

    International Organization for Standardization. Information technology, security techniques digital signatures with appendix Part 3: discrete logarithm based mechanisms. ISO/IEC 14888–3:2016. https://doi.org/www.iso.org/standard/64267.html

  4. 4

    Diffie W, Hellman M E. New directions in cryptography. IEEE Trans Inform Theor, 1976, 22: 644–654

  5. 5

    Howgrave-Graham N A, Smart N P. Lattice attacks on digital signature schemes. Dess Codes Cryptography, 2001, 23: 283–290

  6. 6

    Liu M, Nguyen P Q. Solving BDD by enumeration: an update. In: Topics in Cryptology–CT-RSA 2013. Berlin: Springer, 2013. 7779: 293–309

  7. 7

    Nguyen P Q. The dark side of the hidden number problem: lattice attacks on DSA. In: Cryptography and Computational Number Theory. Basel: Birkhäuser, 2001. 321–330

  8. 8

    Nguyen P Q, Shparlinski I E. The insecurity of the digital signature algorithm with partially known nonces. J Cryptology, 2002, 15: 151–176

  9. 9

    Boneh D, Venkatesan R. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Advances in Cryptology–CRYPTO’96. Berlin: Springer, 1996. 1109: 129–142

  10. 10

    Shani B. On the bit security of elliptic curve Diffie-Hellman. In: Proceedings of the 20th IACR International Conference on Practice and Theory in Public-Key Cryptography. Berlin: Springer, 2017. 10174: 361–387

  11. 11

    Liu M, Chen J, Li H. Partially known nonces and fault injection attacks on SM2 signature algorithm. In: Proceedings of the 9th International Conference on Information Security and Cryptology. Cham: Springer, 2013. 8567: 343–358

  12. 12

    Aranha D F, Fouque P A, Gérard B, et al. GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce bias. In: Advances in Cryptology–ASIACRYPT 2014. Berlin: Springer, 2014. 8873: 262–281

  13. 13

    Bleichenbacher D. On the generation of one-time keys in DL signature schemes. In: Proceedings of IEEE P1363 Working Group Meeting, 2000

  14. 14

    Bleichenbacher D. On the generation of dsa one-time keys. In: Presentation at Cryptography Research Inc., 2007

  15. 15

    De Mulder E, Hutter M, Marson M E, et al. Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In: Cryptographic Hardware and Embedded Systems–CHES 2013. Berlin: Springer, 2013. 8086: 435–452

  16. 16

    Boneh D, Halevi S, Howgrave-Graham N A. The modular inversion hidden number problem. In: Advances in Cryptology–ASIACRYPT 2001. Berlin: Springer, 2001. 2248: 36–51

  17. 17

    Shparlinski I E. Playing hide-and-seek with numbers: the hidden number problem, lattices and exponential sums. In: Proceedings of Symposia in Applied Mathematics, 2005. 62: 153–177

  18. 18

    Hlaváč M, Rosa T. Extended hidden number problem and its cryptanalytic applications. In: Selected Areas in Cryptography: 13th International Workshop, SAC 2006. Berlin: Springer, 2006. 4356: 114–133

  19. 19

    Fan S, Wang W, Cheng Q. Attacking OpenSSL implementations of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016. 1505–1515

  20. 20

    Lenstra A K, Lenstra H W, Lovász L. Factoring polynomials with rational coefficients. Math Ann, 1982, 261: 515–534

  21. 21

    Chen Y, Nguyen P Q. BKZ 2.0: better lattice security estimates. In: Advances in Cryptology–ASIACRYPT 2011. Berlin: Springer, 2011. 7073: 1–20

  22. 22

    Schnorr C P, Euchner M. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math Programm, 1994, 66: 181–199

  23. 23

    Aono Y, Nguyen P Q. Random sampling revisited: lattice enumeration with discrete pruning. In: Advances in Cryptology–EUROCRYPT 2017. Cham: Springer, 2017. 10211: 65–102

  24. 24

    Aono Y, Wang Y, Hayashi T, et al. Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Advances in Cryptology–EUROCRYPT 2016. Berlin: Springer, 2016. 9665: 789–819

  25. 25

    Zheng Z X, Wang X Y, Xu G W, et al. Orthogonalized lattice enumeration for solving SVP. Sci China Inf Sci, 2018, 61: 032115

  26. 26

    Micciancio D, Goldwasser S. Complexity of Lattice Problems: a Cryptographic Perspective. Norwell: Kluwer Academic Publishers, 2002. 14–22

  27. 27

    Schnorr C P. A hierarchy of polynomial time lattice basis reduction algorithms. Theor Comput Sci, 1987, 53: 201–224

  28. 28

    Schnorr C P, Hörner H. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Advances in Cryptology–EUROCRYPT’95. Berlin: Springer, 1995. 921: 1–12

  29. 29

    Babai L. On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica, 1986, 6: 1–13

  30. 30

    Kannan R. Algorithmic geometry of numbers. Annu Rev Comput Sci, 1987, 2: 231–267

  31. 31

    Shoup V. Number theory C++ library (NTL) vesion 6.0.0. https://doi.org/www.shoup.net/ntl/

  32. 32

    Kannan R. Minkowski’s convex body theorem and integer programming. Math Oper Res, 1987, 12: 415–440

Download references

Acknowledgements

This work was supported by National Key Research and Development Program of China (Grant Nos. 2016YFB0800902, 2016YFF0204004), and National Nature Science Foundation of China (Grant No. 61402536). The authors would like to thank the anonymous referees for their valuable comments.

Author information

Correspondence to Wei Wei.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Wei, W., Chen, J., Li, D. et al. Partially known information attack on SM2 key exchange protocol. Sci. China Inf. Sci. 62, 32105 (2019). https://doi.org/10.1007/s11432-018-9515-9

Download citation

Keywords

  • SM2 key exchange protocol
  • cryptanalysis
  • information leakage
  • lattice attack
  • extended hidden number problem