Partially Known Nonces and Fault Injection Attacks on SM2 Signature Algorithm

Abstract

SM2 digital signature scheme, which is part of the Chinese public key cryptosystem standard SM2 issued by Chinese State Cryptography Administration, is based on the elliptic curve discrete logarithm problem. Since SM2 was made public, very few cryptanalytic results have been found in the literatures. In this paper, we discuss the partially known nonces attack against SM2. In our experiments, the private key can be recovered, given 100 signatures with 3 bits of nonces known for 256-bit SM2. We also provide a byte-fault attack on SM2 when a byte of random fault is injected on the secret key during the signing process.

A Background About Elliptic Curves

The elliptic curve is defined as \(\mathbb {E}(\mathbb {F}_p)=\{P=(x,y)|y^2=x^3+ax+b \mod p. \ x,y\in \mathbb {F}_p\}\cup \{\mathcal {O}\}\), where an \(\mathcal {O}\) is an extra infinity point.

This set of points form a group under a group operation which is denoted as “+”. This addition is defined as follows:

• \(\mathcal {O} +\mathcal {O}=\mathcal {O}\)

• \(\forall P=(x,y)\in \mathbb {E}(\mathbb {F}_p)\backslash {\mathcal {O}}\), \(P+\mathcal {O}=\mathcal {O}+P=P\)

• \(\forall P=(x,y)\in \mathbb {E}(\mathbb {F}_p)\backslash {\mathcal {O}}\), the inverse of P is \(-P=(x,-y), P+(-P)=\mathcal {O}\)

• \(\forall P_1=(x_1,y_1)\in \mathbb {E}(\mathbb {F}_p)\backslash {\mathcal {O}}\), \(\forall P_2=(x_2,y_2)\in \mathbb {E}(\mathbb {F}_p)\backslash {\mathcal {O}}\), \(x_1\ne x_2\), let \(P_3=P_1+P_2=(x_3,y_3)\), then

  $$ \left\{ \begin{array}{ll} x_3=\lambda ^2-x_1-x_2 &{} \\ y_3=\lambda (x_1-x_3)-y_1, &{} \end{array} \right. $$

  where \(\lambda =\frac{y_2-y_1}{x_2-x_1}\)

• \(\forall P_1=(x_1,y_1)\in \mathbb {E}(\mathbb {F}_p)\backslash {\mathcal {O}}\), \(y_1\ne 0\), \(P_3=P_1+P_1=(x_3,y_3)\), then

  $$ \left\{ \begin{array}{ll} x_3=\lambda ^2-2x_1 &{} \\ y_3=\lambda (x_1-x_3)-y_1, &{} \end{array} \right. $$

  where \(\lambda =\frac{3x_1^2+a}{2y_1}\)

Elliptic curve discrete logarithm problem. Given \(P\in \mathbb {E}(\mathbb {F}_p)\) and an integer \(m\), there are many efficient scalar multiplication algorithms to compute \(mP\). However, it is widely believed that given \(P\) and \(mP\), computing \(m\) is hard when the point \(P\) has a large prime order. This problem is called elliptic curve discrete logarithm problem (ECDLP).

It is well known that the number of rational points in \(\mathbb {E}(\mathbb {F}_p)\) is in the interval \([p+1-2\sqrt{p},p+1+2\sqrt{p}]\). Therefore, for a curve over \(\mathbb {F}_p\), it is easy to find a subgroup with order \(n\) which is a large prime and slightly smaller than \(p\). Solving ECDLP in this subgroup is expensive.