Security and Communication Networks

Security and Communication Networks / 2018 / Article
Special Issue

Applied Cryptography and Noise Resistant Data Security

View this Special Issue

Research Article | Open Access

Volume 2018 |Article ID 9701756 | 14 pages |

Side-Channel Attacks and Countermeasures for Identity-Based Cryptographic Algorithm SM9

Academic Editor: Amir Anees
Received02 Nov 2017
Revised08 Feb 2018
Accepted21 Feb 2018
Published05 Apr 2018


Identity-based cryptographic algorithm SM9, which has become the main part of the ISO/IEC 14888-3/AMD1 standard in November 2017, employs the identities of users to generate public-private key pairs. Without the support of digital certificate, it has been applied for cloud computing, cyber-physical system, Internet of Things, and so on. In this paper, the implementation of SM9 algorithm and its Simple Power Attack (SPA) are discussed. Then, we present template attack and fault attack on SPA-resistant SM9. Our experiments have proved that if attackers try the template attack on an 8-bit microcontrol unit, the secret key can be revealed by enabling the device to execute one time. Fault attack even allows the attackers to obtain the 256-bit key of SM9 by performing the algorithm twice and analyzing the two different results. Accordingly, some countermeasures to resist the three kinds of attacks above are given.

1. Introduction

With the development of integrated circuit and communication technology, smart devices are not only widely spread in our daily life with the proliferation of Internet of things, but also extensively used in the global IT environments and critical infrastructures. Security becomes a critical issue since attacks on these devices may directly harm the consumers. Several papers [14] have studied related security and wireless issues.

Identity-Based Cryptography (IBC) which applies user identity as the public key was proposed by Shamir in 1984 [5] to reduce the complexity of key and certificate management. Developed by the Commercial Cryptography Administration of China in 2016, SM9 [6] has become the most typical identity-based cryptographic algorithm in China. Compared with traditional cryptographic algorithms, SM9 not only omits the exchange of digital certificates and public key processes, but also simplifies the deployment and management of the security systems. Because of its usability and simplicity, SM9 has been employed as the standard for commercial cryptography in China. Its digital signature algorithm has become an international standard as the main part of the ISO/IEC 14888-3/AMD1 in November 2017 [7] too. It is also adopted to secure various systems and scenarios like E-mail [8], cloud storage, intelligent devices [9], industrial control, online communications, mobile payment, and so on.

As described in [10] by Kocher et al. in 1999, it has been proved that even though mathematical characteristics can guarantee the security of cryptographic algorithms in theory, their implementation may suffer from Side-Channel Attack (SCA). SCA allows attackers to reveal secrets by analyzing the side information of an attacked device which is running a cryptographic algorithm, such as power consumption, electromagnetic radiation, and execution time. Because of the low cost and high efficiency, SCA has successfully cracked lots of devices which run DES [11], AES [12], RSA [13], and ECC [14]. Despite SM9 algorithm being secure in cryptography theory, whether it is against SCA is still a matter of concern.

At present, the three main SCA techniques are Simple Power Attack (SPA), template attack, and fault attack. Due to the versatility and operability, they have been studied in depth and used to crack various cryptographic algorithms. SPA [15] exploits one trace to reconstruct the sequence of operations during the secret computation and derive information about the secrets from this sequence. As a special power analysis, template attack [16] makes a better use of all information present in each sample. And it is hence the strongest form of SCA possible in an information theoretic sense given the few samples that are available. Fault attack, as another main branch of SCA, often injects errors into cryptographic computation processes and identifies the secret key by analyzing the mathematical and statistical properties of wrong calculation results. Proposed by Biham and Shamir in [17], the fault attack on RSA has become a milestone for the security of public key cryptographic devices.

In this paper, we show that SCA does have a practical threat to the implementation of SM9. We propose the above three kinds of SCA attacks on SM9 algorithm. After this, some corresponding countermeasures are also introduced. The main contributions of this paper are as follows.

A SPA attack on SM9 algorithm is proposed. And we also introduce some countermeasures to resist SPA.

Different from general Elliptic Curve Digital Signature Algorithm (ECDSA), the key is a point on elliptic curves rather than a scalar in scalar multiplication for SM9 algorithm. According to this feature, a template attack is presented for SPA-resistant SM9 implementation and several countermeasures are provided.

We propose a fault attack and conduct experiments to prove that software implementation of SM9 algorithm is vulnerable to this scheme. And then, some corresponding countermeasures are also presented.

This paper is organized as follows. In Section 2, the summarization of SM9 algorithm and its implementation are introduced. We give the basic idea of SPA on SM9 in detail and put forward some countermeasures in Section 3. Then, in Section 4, a template attack is provided to attack the protected SM9 which can resist SPA and the corresponding countermeasures are also given. In Section 5, a fault attack for SPA-resistant SM9 algorithm is presented and several countermeasures are introduced against this scheme. Finally, we conclude this paper in Section 6.

2. The Preliminaries

2.1. SM9 Digital Signature Generation Algorithm

SM9 digital signature algorithm usually assumes a scenario where Alice communicates with Bob. Alice generates the signature of message by SM9 digital signature generation algorithm for authentication and sends them to Bob. Bob validates the received message and its signature with signature verification algorithm to ensure the authenticity and integrity of this digital signature.

In order to express clearly, we give the meanings of letters as follows. The signature private key of Alice denoted as is provided by Key Generation Center (KGC). Group and group are addition cyclic groups of order and their generators are denoted as and , respectively. Group is a multiplicative cyclic group with order . Let denote the bilinear pairs mapping function from to . KGC generates a random number as the signature master private key and computes as the master public key. is well-known, and is kept secretly by KGC. A cryptographic hash function is denoted as .

Algorithm 1 shows SM9 digital signature generation algorithm. At the beginning of the signature process, system parameters are provided as a part of inputs to make this algorithm work.

Input: system parameters, signature master public key , message , signature private key .
Output:  , .
Compute in .
Generate a random number .
Compute in , and convert the data type of to bit stream.
Compute .
Compute .
  if    then
   goto  .
Compute in .
Convert the data type of and to byte stream.
  return  ,
2.2. The Implementation of SM9 Digital Signature Algorithm
2.2.1. Scalar Multiplication

Scalar multiplication is the most important part in elliptic curve cryptography algorithm and its fast implementation is an inevitable demand of practical applications. As shown in Algorithm 1, scalar multiplication is directly related to the signature private key in SM9 digital signature generation algorithm.

The operation of adding a point to itself for times is called scalar multiplication and is denoted as . For decades, many methods have been proposed to implement this operation and the most common is binary algorithm. There are two ways to implement scalar multiplication, left-to-right and right-to-left. And the former is shown in Algorithm 2 and the special point is called the point at infinity. In the following sections, we assume that scalar multiplication is executed with the left-to-right binary algorithm.

Input: point , bit integer , .
Output:  .
for   to 0 do
if    then
end for

In Algorithm 2, point doubling is executed times. In probability, the count of 1 in a scalar integer is close to , so point addition is executed nearly times. Let represent point addition and represent point doubling; the operation quantity of binary method is approximately .

2.2.2. Point Addition and Point Doubling

An elliptic curve is a set of points in which . denotes a finite field. The set of points on an elliptic curve, together with a special point called the point at infinity, can be equipped with an Abelian group structure by addition operation. An elliptic curve over can be expressed as the form of Weierstrass equation:where . If prime number and , the Weierstrass equation can be transformed towith .

For prime number and , let be a point. The inverse of is and is a second point with . Point addition can be calculated as with

The operation of is called point addition if . And it is called point doubling if . Obviously, point addition differs from point doubling in the form of formula.

2.2.3. Montgomery Modular Multiplication

Given a modulus and two integers and of size in base , with and , Montgomery modular multiplication algorithm [18] computes:

Montgomery modular multiplication algorithm is shown in Algorithm 3. Its essence is to combine and by traditional multiplication method. As described in line 2 to line 8, is unknown at first. With obtaining calculated by , each can be calculated too. Finally, can be derived. can be computed by alternating all and and adding up to . Figure 1 illustrates the intuitive graphical representation of CIOS modular multiplication [19, 20].

Input:  , , ,  , ,  .
Output:  .
for   to   do
if    then
end for
2.3. Power Analysis Attack

In SPA [15], attackers directly observe power consumption for a single execution of target operation without any statistical methods. As a special power analysis, template attack [16] generally consists of the following three phases. The first is template building phase, and attackers build templates to characterize devices by executing a sequence of instructions on fixed data. Next, it allows attackers to match the templates to the power consumption traces of devices in template matching phase. Finally, attackers can do some analysis and derive secret information during offline searching phase.

Hamming weight model proposed in [10, 21] analyzes the correlation between power consumption and the register switching from one state to the other. It is generally assumed that power consumption depends on the number of bits switching from 0 to 1 or 1 to 0 within the corresponding time. For -bit register, binary data is coded as with or ; its Hamming weight is the number of bits set to 1. Considering a chip as a large set of elementary electrical components, its power consumption contains not only the state changes but also other variables’ consumption, such as offsets, time dependent components, and noise. Therefore, the basic model for the data dependency can be described as , where is a constant and indicates the other consumption.

2.4. Fault Attack

Fault attack [17] allows attackers to disturb cryptographic devices by physical methods to make them run in wrong states. Due to the injected fault, the devices perform some operations in modified environment and produce incorrect results. Combining with the algorithm in the devices, some knowledge related to the secret key could be gained from the results. Because of the lower cost, simple operation, and obvious effect, fault attack has become one of the most concerned SCA techniques.

Faults in devices can be made for a variety of reasons. In general, variations in normal working conditions can be injecting faults into a system effectively. For example, changing supply voltage or clock frequency can disrupt execution process and cause the processor to skip some instructions or change its output. Exposing devices in the temperatures outside its operational range usually makes random modifications to the memory. It is also possible to inject faults more accurately by using the inherent photoelectric effects of electric circuits. Under the exposure of photons, devices can produce induced currents and disrupt normal operations. In fact, lasers can make faults more precise in terms of target area and injection time. Also, faults can be injected in packaged circuits without removing the packaging by X-rays and ion beams.

2.5. Problem Formulation

Different from the general ECDSA and SM2 algorithm, the secret key in scalar multiplication is the point on elliptic curves rather than the scalar for SM9 algorithm. The scalar of the classical ECC and SM2 is a secret and the point is known, while the scalar and the point are both unknown in SM9. Therefore, the attack methods of the two are fundamentally different. In this paper, we focus on this issue to present template attack described in Section 4 and fault attack described in Section 5 which are only applied to SM9.

3. Simple Power Attack and Countermeasures on SM9

3.1. Simple Power Attack on SM9

In this paper, we focus the computation of scalar multiplication to apply our SPA attack which is described in line 8 of Algorithm 1.

Our SPA attack against SM9 recovers by observing the differences in power consumption caused by the difference operations for bit 1 and bit 0. As described in Algorithm 2, it always performs a point doubling operation whether the bit is 0 or 1. And an extra point addition will be performed if the bit is 1. Because of the differences between side-channel pattern of doubling and that of addition, attackers can easily reveal from a single power trace. As and are both known, can be calculated by the formula .

Attackers can also perform SPA attack on as shown in line 3 of Algorithm 1. The SPA attack on modular exponentiation is similar to that of scalar multiplication. Employing the different power consumption by manipulating 1 and 0 can derive the exponent . The lengths of , , and are 256 bits so that can be obtained by the formula . According to the scheme described above, attackers can also restore the secret key .

3.2. Countermeasures against Simple Power Attack

Based on our SPA attack, we can draw a conclusion that and are equally important in the security of SM9 digital signature algorithm. It is necessary to deploy some countermeasures on and against SPA attack.

There are five ways [22, 23] against SPA scheme for in SM9 digital signature algorithm. In addition, countermeasures to protect the exponent should be implemented. We would not repeat the descriptions about the methods for here as they are similar to that of . We also can refer to the SPA countermeasures of RSA [13] for against SPA attack.

In conclusion, the five ways are as follows.

(1) Indistinguishable Point Operation Formulae. Indistinguishable Point Operation Formulae (IPOF) try to eliminate the difference between point addition and point doubling. The usage of unified formulae for point doubling and addition is a special case of IPOF. However, even when unified formulae are in use, the implementation of the underlying arithmetic, especially the operations with conditional instructions, may still reveal the type of the point operation (addition or doubling).

(2) Double-and-Add-Always Algorithm. The double-and-add-always algorithm ensures that the sequence of operations during a scalar multiplication is independent of the scalar by inserting dummy point additions. However, due to the use of dummy operations, it makes the time complexity doubled and may cause safe-error fault attack.

(3) Atomic Block Algorithm. Instead of making the group operations indistinguishable, one can rewrite them as sequences of side-channel atomic blocks that are indistinguishable for SPA attack. If dummy atomic blocks are added, then this countermeasure may enable safe-error attack.

(4) Montgomery Ladder Method. Because the intermediate values are stored in registers randomly in Montgomery ladder method, the Hamming weight of secret information would not leak out to attackers.

(5) Random Splitting and . There are two different ways to split and . Here we take as an example and also should be protected by the same principle. One is to transform to where is a random integer and do scalar multiplication by the formula:Another is to convert to and where is a 256-bit random value. The formula is

4. Template Attack and Countermeasures on SM9

4.1. Template Attack on SM9

The template attack proposed in this paper reveals in the case that both and are unknown. As shown in Section 2, the first step of scalar multiplication performs a point doubling operation. And needs to be calculated by where and represent the -coordinate and -coordinate of . We focus this computation to perform our template attack. For ease of description, we use (256-bit) to replace in Formula (8) and () denotes one byte of .

Assume that SM9 digital signature algorithm is executed on an 8-bit microcontroller, and the power consumption of intermediate values in the calculation process of CIOS modular multiplication algorithm can be acquired. We give the letters meanings as follows. is the -coordinate of . And and are the power consumption traces with the high 8-bit and low 8-bit of the intermediate value (, ). The template with Hamming weight from 0 to 8 is denoted as and Match is a method to reflect the degree of and . and denote the Hamming weight of high 8-bit and low 8-bit of , respectively.

As shown in Figure 2, there are three phases in our template attack. Firstly, in the template building phase, we focus on the operation (, ) and calculate the Hamming weight of high 8-bit and low 8-bit of as the target of template. We build templates of Hamming weight to characterize devices. Next, we match the templates to the power consumption traces of devices with the match function to obtain and in template matching phase. Finally, two searching operations are carried out during offline searching phase and the secret key can be derived by analysis.

Algorithm 4 shows our template attack. There are two searching operations used to narrow the range of candidates in offline searching phase. The first is shown in offline searching phase from the line 1 to the line 6. For each (), we traverse from 0 to 255, and add satisfying and to set where candidates of are stored. The second searching is based on , as demonstrated in line 7 to the line 14. For each element in () and each element in (), we calculate the high 8-bit and low 8-bit Hamming weight of . Selecting and with the conditions of and and adding them in set , consists of many pairs and represents the correspondence between and . The pair means that if so . Next, the possible values of can be obtained. It is necessary to validate whether they are the points of the elliptic curve. Finally, the secret key can be recovered.

Input:  , (, ).
Output:  .
Template Building Phase:
Build power consumption templates
based on and where , from 0
to 31 and , from 0 to 255.
Template Matching Phase:
  for   to 31 do
for   to 31 do
calculate Match to recover .
calculate Match to recover .
end for
  end for
Off-line Searching Phase:
  for   to 31 do
for   to 255 do
Add to set where stores candidates of .
end for
  end for
  for   to 31 do
for   + 1 to 31 do
for each in   && each in   do
If        then
Add the pair to set .
end for
end for
  end for
  Search in .
  for each in   do
Compute the corresponding and verify and .
4.2. Template Attack Experiments on SM9

We present concrete experiments on side-channel traces captured from a real device. We implemented the Montgomery modular multiplication algorithm and focused on a single precision multiplication power consumption on AT89S52 8-bit microcontroller. Traces were acquired on a Lecroy WaveRunner oscilloscope with a sampling rate of 10 GS/s. In our experiments, the parameters and of are shown in Table 1.

Parameter Value (hexadecimal)

93DE051D 62BF718F F5ED0704 487D01D6
E1E40869 09DC3280 E8C4E481 7C66DDDD
21FE8DDA 4F21E607 63106512 5C395BBC
1C1C00CB FA602435 0C464CD7 0A3EA616

The templates of Hamming weight from 0 to 8 built in our attack are illustrated in Figures 3 and 4.

During our template attack, the power consumption of intermediate values in the calculation process of CIOS modular multiplication algorithm is acquired. Figure 5 shows the (black-line) and (dark-gray-line) which are the power consumption traces with the high 8-bit and low 8-bit of . The Match applied in our attack is least square method to reflect the distance of and . Hence, and were revealed which were equal to 6 and 4, respectively. For each from 0 to 31, and can be recovered by the steps described above.

Then, the first searching phase is performed. For each from 0 to 31, we traverse from 0 to 255 and calculate high 8-bit and low 8-bit Hamming weight of . Selecting with the conditions of and and adding to set , the set where candidates of are stored is given as shown in Table 2.

Parameter The set of candidates of (hexadecimal)

1D, 1F, 26, 29, 31, 32, 33, 43, 4F, 61, 66, 9D, B6
05, 07, 09, 0A, 0E
1E, 34, 5E, 6F, DE
2B, 37, 3B, 47, 55, 56, 67, 71, 93, AA, B9, E7

And then, the second searching phase is carried out. For each element in () and each element in (), we calculate the high 8-bit and low 8-bit Hamming weight of . Select and with the conditions of and and adding them in set . consists of many pairs and represents the correspondence between and . Next, the possible values of can be obtained. The result of offline searching phase is shown in Figures 6 and 7. Finally, the value of is 93DE051D 62BF718F F5ED0704 487D01D6 E1E40869 09DC3280 E8C4E481 7C66DDDD and it is validated to be correct. And can be revealed successfully. The experiments have proved that our attack works well. If attackers employ the template attack on an 8-bit microcontrol unit, the key often can be obtained just by analyzing algorithm procedure of one message.

4.3. Countermeasures Against Template Attack

There are four ways [23, 24] to resist the template attack presented above.

(1) Base Point Blinding. This method is to select a random point and convert to . The value of is computed first and the known value is subtracted at the end of scalar multiplication to ensure its correctness. The and are stored secretly in the cryptographic devices and updated at each iteration.

(2) Random Projective Coordinates. Let denote the mapping value of in the Jacobian coordinates where and . Point is considered to be the same as point where is a random number. For different , is not the same. The random variable can be updated in every execution or after each doubling or addition. Attackers could not accurately gain the values of and , so this method does resist the attack.

(3) Random EC Isomorphism. Based on the isomorphism of elliptic curves, we transform scalar multiplication algorithm to another stochastic mapping domain. A random isomorphism curve is generated and is mapped to which is on . The calculation of is on rather than . Finally, we should map to and get . As can not be estimated, this method can resist the template attack.

(4) Random Field Isomorphism. This method makes use of isomorphisms between fields. To compute , it first randomly chooses a field to through isomorphism and then computesIt means that is used to represent and is calculated on . Finally we need to transform to . The value of is hidden in this method so as to resist the above attack.

Figures 8 and 9 show the templates of Hamming weight from 0 to 8 after applying some countermeasures.

5. Fault Attack and Countermeasures on SM9

5.1. Fault Attack on SM9

Base point is one of the system parameters in scalar multiplication, and it is determined by protocols. So we inject a single-bit fault on base point to recover the secret key. Two assumptions are made before the fault attack on SM9 is performed. One hypothesis is that attackers can inject a fault on at an unknown location during the moments of error detection and signature computation. Let denote the fault key. Another assumption is that the injected fault causes a bit value to flip from 0 to 1.

Figure 10 illustrates the flowchart of fault attack on SM9. As an example, we performed the fault attack on . The correct signature for message is calculated by the formula . Then, a single-bit fault is injected to the -coordinate of and the fault key is denoted as . The wrong signature for message is calculated by the formula . Obviously, and are on , while and are on . As and are both known, and can be calculated. So we have

Then, (11) can be gained:

Let ; (11) is equal toBecause only one bit is different between and , (12) can be expressed aswhere . And represents the location of the different bit.

Convert (13) into the following form:

For each from 0 to 255, its corresponding equation like (14) can be obtained. All values of satisfying this equation are calculated by mathematical methods and added to set . If is an empty set, that means the fault position corresponding to this equation is incorrect. Otherwise, the fault position is correct and we need to validate each for getting the real . It is worth noting that as long as is correct, the equation must have solutions. Once the is derived, the value of can be calculated correctly.

Obviously, if the fault is injected into the -coordinate of , the above fault attack is still performed validly. And our fault attack also has the ability to break the SPA-resistant SM9 implementation.

To sum up the above, the fault attack algorithm is shown in Algorithm 5.

Input: SM9 system parameters, message .
Output:  .
Calculate the correct signature value .
Inject fault on and denote as .
Calculate the wrong signature value .
Calculate .
Calculate .
Establish equations of and .
  for   to 255 do
 Compute by .
  end for
  Calculate by and verify and .

Remark 1. In the above attack, we assume that the injected fault causes a bit to flip from 0 to 1. As we all know, common faults are single-bit flipping fault, single-bit constant fault, and multibits fault. In fact, no matter which fault is injected, as long as , the above attack can be performed. If , for single-bit constant fault, we can think of it as a single-bit flipping fault. For multibits fault, the only difference is that multi- should be searched. We believe that using mathematical methods to solve this issue is not a difficult task.

5.2. Fault Attack Experiments on SM9

Assume that the elliptic curve used in our experiments is . The is a prime number, and means the order of group . The denotes a point of , and the scalar is denoted as . is computed by . Let denote the fault point, and the wrong signature of message is computed by the formula . The experiment parameters are listed in Table 3. We can see that the fault location is equal to 1.

Parameter Value (hexadecimal)

B6400000 02A3A6F1 D603AB4F F58EC745
21F2934B 1A7AEEDB E56F9B27 E351457D
B6400000 02A3A6F1 D603AB4F F58EC744
49F2934B 18EA8BEE E56EE19C D69ECF25
93DE051D 62BF718F F5ED0704 487D01D6
E1E40869 09DC3280 E8C4E481 7C66DDDD
93DE051D 62BF718F F5ED0704 487D01D6
E1E40869 09DC3280 E8C4E481 7C66DDDF
21FE8DDA 4F21E607 63106512 5C395BBC
1C1C00CB FA602435 0C464CD7 0A3EA616
291FE3CA C8F58AD2 DC462C8D 4D578A94
DAFD5624 DDC28E32 8D293668 8A86CF1A

We conduct some experiments with the attack in Algorithm 5, and the intermediate values of SM9 digital signature algorithm are shown in Table 4. When , the equation has two solutions that may be the correct . Let and denote the two solutions, and , , , and denote the corresponding calculated by . Comparing with Table 3, and are the correct -coordinate and -coordinate of , so the fault attack also shows its feasibility. Usually, attackers can reveal the 256-bit by enabling the device to execute twice and comparing the two different results by our fault attack.

Intermediate values Value (hexadecimal)

A5702F05 CF131530 5E2D6EB6 4B0DEB92
3DB1A0BC F0CAFF90 523AC875 4AA69820
78559A84 4411F982 5C109F5E E3F52D72
0DD01785 392A727B B1556952 B2B013D3
48F78AA4 9A9443DE 0DC72D8C A91BB73C
1B2D6C4F 1FB2DA61 2E9EFACA 45D87116
1FC550A9 CE2DCEAD 83CF500D AEB690A4
4401D3E6 11DC9F02 B3D5FE40 482C72E6
66B99EE0 079E3769 9982B5B7 280386ED
D0DA26F4 BB2CE030 3F07C542 841F257C
66B99EE0 079E3769 9982B5B7 280386ED
D0DA26F4 BB2CE030 3F07C542 841F2577
93DE051D 62BF718F F5ED0704 487D01D6
E1E40869 09DC3280 E8C4E481 7C66DDDD
94417225 B381C0EA 72F3463D 99556B89
05D6927F 201ACAA6 D9294E50 D9129F67
21FE8DDA 4F21E607 63106512 5C395BBC
C1C00CB FA602435 0C464CD7 0A3EA616
2261FAE2 9FE43561 E016A44B AD11C56E
400E8AE2 109EBC5A FCAAB6A6 66EA679E
9A426326 D3E2BCF1 AFA21657 5CF85BA8
B347DB94 ECF14C97 104FCE07 67C23979
1BFD9CD9 2EC0EA00 266194F8 98966B9C
6EAAB7B6 2D89A244 D51FCD20 7B8F0C04

5.3. Countermeasures against Fault Attack

We introduce three countermeasures against the above fault attack [2527]; they are as follows.

(1) Point Validation. This method verifies if a point lies on the specified curve or not. It should be performed before and after scalar multiplication. If the point or result does not belong to the original curve, no output should be given. It is an effective countermeasure against our fault attack.

(2) Curve Integrity Check. The curve integrity check is to detect faults on curve parameters. Before starting an SM9 algorithm the curve parameters are read from the memory and verified using an error detecting code (i.e., cyclic redundancy check) before the algorithm execution. It is an effective method to prevent the fault attack above.

(3) Coherence Check. A coherence check verifies the intermediate or final results with respect to a valid pattern. Randomly coding the intermediate variables such as scalar, base point, and curve parameters is a most common operation.

(4) Combined Curve Check. This method uses a reference curve to detect faults. It makes use of two curves: a reference curve and a combined curve that is defined over the ring . In order to compute on curve , it first generates a combined point from and (with prime order). Two scalar multiplications are then performed: on and on . If no error occurred, and () will be equal. Otherwise, the one of the results is faulty and the results should be aborted. It is also an effective countermeasure against the fault attack presented in this paper.

(5) Security Curve Selection. Using the NIST curves [28] with the fragile twin curves should be avoided.

6. Conclusion

In this paper, we propose SPA attack, template attack, and fault attack on SM9 algorithm. After this, some corresponding countermeasures are also introduced. We also conduct some experiments to prove the validity of these attacks. Although this paper mainly studies SCA attacks of SM9 digital signature algorithm, we have reason to believe that these schemes are equally effective for SM9 encryption algorithm.

Overall, a security SM9 digital signature algorithm implementation should pay attention to these points shown in Table 5. And we also provide the overhead to deploy these countermeasures as a reference guidance for the SM9 algorithm security implementation [27].

Countermeasures Target attacks Computation overhead

Indistinguishable point operation SPA Low
Double-and-add-always SPA Low
Atomic block SPA Negligible
Montgomery ladder SPA Low
Random splitting SPA High

Base point blinding Template attack Negligible
Random projective coordinates Template attack Negligible
Random EC isomorphism Template attack Low
Random field isomorphism Template attack Low

Point validation Fault attack Negligible
Curve integrity check Fault attack Negligible
Coherence check Fault attack Low
Combined curve check Fault attack Low
Security curve selection Fault attack -

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.


This work is supported by Beijing Natural Science Foundation (no. 4162053), the National Cryptography Development Fund (no. MMJJ20170201), the Foundation of Science and Technology on Information Assurance Laboratory, and Beijing Institute of Technology Research Fund Program for Young Scholars.


  1. X. Hei, X. Du, J. Wu, and F. Hu, “Defending resource depletion attacks on implantable medical devices,” in Proceedings of the of IEEE GLOBECOM, MIA, FL, USA, 2010. View at: Publisher Site | Google Scholar
  2. X. Du, Y. Xiao, M. Guizani, and H.-H. Chen, An Effective Key Management Scheme for Heterogeneous Sensor Networks, Ad Hoc Networks, vol. 5, Elsevier, 2007. View at: Publisher Site
  3. X. J. Du, M. Guizani, Y. Xiao, and H.-H. Chen, “Transactions papers a routing-driven Elliptic Curve Cryptography based key management scheme for Heterogeneous Sensor Networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1223–1229, 2009. View at: Publisher Site | Google Scholar
  4. X. Du, M. Guizani, Y. Xiao, and H.-H. Chen, “Secure and efficient time synchronization in heterogeneous sensor networks,” IEEE Transactions on Vehicular Technology, vol. 57, no. 4, pp. 2387–2394, 2008. View at: Publisher Site | Google Scholar
  5. A. Shamir, Identity-based cryptosystems and signature schemes Crypto, vol. 84, 1984.
  6. F. Yuan and Z. Cheng, “Overview on SM9 Identity-Based Cryptographic Algorithm,” Journal of Information Security Research, 2016. View at: Google Scholar
  7. ISO/IEC 14888-3:2016 DAmd 1, Information technology - Security techniques - Digital signatures with appendix, Part 3: Discrete logarithm based mechanisms,
  8. Z. Cheng, E-mail security system, 2016,
  9. M. Zhang, X. Du, and K. Nygard, “Improving Coverage Performance in Sensor Networks by Using Mobile Sensors,” in Proceedings of the IEEE MILCOM, Atlantic City, NJ, USA, 2005. View at: Publisher Site | Google Scholar
  10. P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances in Cryptology, pp. 388–397, Springer, 1999. View at: Publisher Site | Google Scholar
  11. B. Yang, K. Wu, and R. Karri, “Scan based side channel attack on dedicated hardware implementations of data encryption standard Test Conference,” in Proceedings of the ITC International IEEE, pp. 339–344, USA, October 2004. View at: Google Scholar
  12. E. Oswald, A side-channel analysis resistant description of the AES S-box International Workshop on Fast Software Encryption, Springe, Berlin, Heidelberg, Germany, 2005. View at: MathSciNet
  13. Y. Yarom and K. Falkner, FLUSH+ RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack USENIX Security Symposium, 2014.
  14. T. Izu and T. Takagi, A fast parallel elliptic curve multiplication resistant against side channel attacks Public Key Cryptography, 2002. View at: Publisher Site
  15. S. Mangard, A simple power-analysis (SPA) attack on implementations of the AES key expansion International Conference on Information Security and Cryptology, vol. 2587 of Springer, Berlin, Heidelberg, Germany, 2003. View at: Publisher Site | MathSciNet
  16. S. Chari, J. R. Rao, and P. Rohatgi, Template attacks International Workshop on Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 2003. View at: Publisher Site
  17. E. Biham and A. Shamir, “Differential fault analysis of secret key cryptosystems,” in Advances in CryptologyCRYPTO’97, pp. 513–525, 1997. View at: Publisher Site | Google Scholar
  18. P. L. Montgomery, “Modular multiplication without trial division,” Mathematics of Computation, vol. 44, no. 170, pp. 519–521, 1985. View at: Publisher Site | Google Scholar | MathSciNet
  19. Ç. K. Koç, T. Acar, and B. S. Kaliski, “Analyzing and comparing montgomery multiplication algorithms,” IEEE Micro, vol. 16, no. 3, pp. 26–33, 1996. View at: Publisher Site | Google Scholar
  20. M. McLoone, C. McIvor, and J. V. McCanny, “Coarsely integrated operand scanning (CIOS) architecture for high-speed Montgomery modular multiplication Field-Programmable Technology,” in Proceedings of the IEEE International Conference, pp. 185–191, December 2004. View at: Google Scholar
  21. E. Brier, C. Clavier, and F. Olivier, Correlation Power Analysis with a Leakage Model International Workshop on Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 2004. View at: Publisher Site
  22. L. Goubin and J. Patarin, DES and Differential Power Analysis the Duplication Method Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 1999. View at: Publisher Site
  23. P.-Y. Liardet and N. P. Smart, Preventing SPA/DPA in ECC systems using the Jacobi form International Workshop on Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 2001. View at: Publisher Site | MathSciNet
  24. J. Cheol Ha and S. Jae Moon, Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks CHES, 2003. View at: Publisher Site
  25. J.-W. Lee, S.-C. Chung, H.-C. Chang, and C.-Y. Lee, An Efficient Countermeasure against Correlation Power-Analysis Attacks with Randomized Montgomery Operations for DF-ECC Processor CHES, 2012. View at: Publisher Site
  26. A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache, “Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures,” Proceedings of the IEEE, vol. 100, no. 11, pp. 3056–3076, 2012. View at: Publisher Site | Google Scholar
  27. J. Fan and I. Verbauwhede, “An Updated Survey on Secure ECC Implementations: Attacks, Countermeasures and Cost,” in Cryptography and security, vol. 6805, pp. 265–282, 2012. View at: Google Scholar
  28. M. Brown, D. Hankerson, J. Lpez, and A. Menezes, “Software implementation of the NIST elliptic curves over prime fields,” Topics in CryptologylCT-RSA, vol. 2001, pp. 250–265, 2001. View at: Publisher Site | Google Scholar | MathSciNet

Copyright © 2018 Qi Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

More related articles

2465 Views | 732 Downloads | 1 Citation
 PDF  Download Citation  Citation
 Download other formatsMore
 Order printed copiesOrder

Related articles

We are committed to sharing findings related to COVID-19 as quickly and safely as possible. Any author submitting a COVID-19 paper should notify us at to ensure their research is fast-tracked and made available on a preprint server as soon as possible. We will be providing unlimited waivers of publication charges for accepted articles related to COVID-19. Sign up here as a reviewer to help fast-track new submissions.