摘要
SMS4是用于WAPI的分组密码算法,是国内官方公布的第一个商用密码算法.由于公布时间不长,关于它的安全性研究尚没有公开结果发表.该文研究SMS4密码算法对差分故障攻击的安全性.攻击采用面向字节的随机故障模型,并且结合了差分分析技术.该攻击方法理论上仅需要32个错误密文就可以完全恢复出SMS4的128比特种子密钥.因为实际中故障发生的字节位置是不可能完全平均的,所以实际攻击所需错误密文数将略大于理论值;文中的实验结果也验证了这一事实,恢复SMS4的128bit种子密钥平均大约需要47个错误密文.文章结果显示SMS4对差分故障攻击是脆弱的.为了避免这类攻击,建议用户对加密设备进行保护,阻止攻击者对其进行故障诱导.
SMS4 is the block cipher used in WAPI, and it is also the first commercial block cipher disclosed by the government. Since it was disclosed only a short time ago, on its security, there has been no published paper at present. In this paper the strength of SMS4 against the differential fault attack is examined. The authors use the byte-oriented fault model, and take advantage of the differential analysis as well. Theoretically, the 128bit master key for SMS4 can be obtained by using 32 faulty ciphertexts. But in practice, for the fact that the byte position where the fault happens isn't equally distributed, the number of faulty ciphertexts needed will be a little bigger than the theoretical value. The attack experiment result validates this fact too. The result shows that only need average 47 faulty ciphertexts to recover the 128bit keys for SMS4. So SMS4 is vulnerable to differential fault attack. To avoid this kind of attack, the authors suggest that the encryption device should be protected to prevent the adversary from deducing faults.
出处
《计算机学报》
EI
CSCD
北大核心
2006年第9期1596-1602,共7页
Chinese Journal of Computers
基金
国家自然科学基金(60373047
90604036
60503014)
国家"九七三"重点基础研究发展规划项目基金(2004CB318004)资助
关键词
SMS4密码算法
差分分析
差分故障攻击
故障模型
差分表
SMS4
differential analysis
differential fault attack
fault model
difference distri bution table
