一种针对SM2数字签名算法的攻击方案  

作　　者：白野 何德彪 罗敏[1] 杨智超 彭聪 BAI Ye;HE De-Biao;LUO Min;YANG Zhi-Chao;PENG Cong(Key Laboratory of Aerospace Information Security and Trusted Computing,Ministry of Education,School of Cyber Science and Engineering,Wuhan University,Wuhan 430072,China;Department of Information Security,Naval University of Engineering,Wuhan 430032,China)

机构地区：[1]武汉大学国家网络安全学院空天信息安全与可信计算教育部重点实验室,武汉430072 [2]海军工程大学信息安全系,武汉430032

出　　处：《密码学报》2023年第4期823-835,共13页Journal of Cryptologic Research

基　　金：山东省重点研发计划(2020CXGC010107);国家自然科学基金(U21A20466,62172307,61972294,61932016)。

摘　　要：SM2数字签名算法是我国商用密码体系的重要组成部分,目前已广泛应用于电子签章等领域.研究SM2数字签名算法潜在的安全风险及相应的防范技术,对于推动我国商用密码体系的安全应用具有重要意义.SM2数字签名算法的安全性基于椭圆曲线离散对数问题的困难性,当前已有一些针对不同椭圆曲线类数字签名算法的攻击研究,但攻击SM2数字签名算法的方案还存在所需签名数量较多、攻击耗时较长、成功率较低的问题.本文针对SM2数字签名算法设计了一组判断函数,基于带判断的格基约减算法,提出了一种针对SM2数字签名算法的侧信道攻击方案,并分别就算法中随机数的最高3比特、最低3比特和中间17比特已知三种情况进行了侧信道攻击实验.实验结果表明,相比现有攻击SM2数字签名算法的方案,本文攻击方案所需签名数量减少了10%,私钥恢复时间减少了86%,成功率提高了2倍.SM2 digital signature algorithm is an important part of Chinese commercial cryptography system,which has been widely used in electronic signature and other fields.Studying the potential security vulnerabilities of SM2 digital signature algorithm and the corresponding prevention methods are of great significance to promote the application of Chinese commercial cryptosystem.The security of SM2 digital signature algorithm is based on the hardness of elliptic curve based discrete logarithm problem.At present,there have been some researches about attacks on different elliptic curve digital signature algorithms,however,the existing attacks on SM2 digital signature algorithm still have some efficiency problems such as large number of signatures required,long attacking time and low success rate.This paper designs a set of judgment functions for SM2 digital signature algorithm,and proposes a side-channel attack on SM2 digital signature algorithm based on lattice basis reduction algorithm with judgment.Experiments of private key recovery are carried out in three cases of knowing the highest 3 bits,the lowest 3 bits and the middle 17 bits of the random number.Experimental results show that,compared with the existing attacks on the SM2 digital signature algorithm,in this proposed attack,the number of signatures required is reduced by 10%,the private key recovery time is reduced by 86%,and the success rate is increased by 2 times.

关 键 词：SM2数字签名算法 格基约减算法 侧信道攻击 判断函数 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]