Partially known information attack on SM2 key exchange protocol


The SM2 key exchange protocol is part of the SM2 public key cryptographic algorithm based on elliptic curves, which has been issued by the Chinese State Cryptography Administration since 2010. Under the guidance of the Chinese government, SM2 has been widely used in Chinese commercial applications. This paper gives the first partially known information attack on the SM2 key exchange protocol. Our attack is based on a technique modified from the hidden number problem (HNP), which was originally introduced to study the bit security of Diffie-Hellman and related schemes. We present a polynomial-time algorithm that can recover the user's secret key when given about half of the least significant bits of the two unknown intermediate values in each congruence, over about 30 to 40 instances. Compared with the standard HNP, our approach deals with congruences involving two independent unknown variables, each of which has the same size as the secret key. Moreover, our results almost coincide with the previous best result in the same field when considering the extreme case in which one variant is completely revealed.





This work was supported by National Key Research and Development Program of China (Grant Nos. 2016YFB0800902, 2016YFF0204004), and National Nature Science Foundation of China (Grant No. 61402536). The authors would like to thank the anonymous referees for their valuable comments.

Corresponding author

Correspondence to Wei Wei.

Cite this article

Wei, W., Chen, J., Li, D. et al. Partially known information attack on SM2 key exchange protocol. Sci. China Inf. Sci. 62, 32105 (2019).


  • SM2 key exchange protocol
  • cryptanalysis
  • information leakage
  • lattice attack
  • extended hidden number problem