CN104836808B - SM2 signature algorithm security verification method based on improved differential fault analysis - Google Patents

Info

Publication number: CN104836808B (granted patent; earlier publication CN104836808A)
Authority: CN (China)
Prior art keywords: signature, round, fault, intermediate value, iteration
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201510239497.7A
Other languages: Chinese (zh)
Other versions: CN104836808A
Inventors: 冯婧怡, 陈华, 曹伟琼, 韩绪仓, 李大为, 罗鹏, 郑晓光, 李国友, 高顺贤, 朱少峰
Current assignees (the listed assignees may be inaccurate; Google has not performed a legal analysis): COMMERCIAL PASSWORDS INSPECTION CENTER OF STATE CRYPTOGRAPHY ADMINISTRATION; Institute of Software of CAS; Beijing CEC Huada Electronic Design Co Ltd
Original assignees: COMMERCIAL PASSWORDS INSPECTION CENTER OF STATE CRYPTOGRAPHY ADMINISTRATION; Institute of Software of CAS; Beijing CEC Huada Electronic Design Co Ltd
Application filed by the three assignees above, with priority from CN201510239497.7A; published as CN104836808A, then granted and published as CN104836808B; the patent is currently active.

Classifications

    • H04L9/3252: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures using DSA or related signature schemes, e.g. elliptic-curve based signatures, ElGamal or Schnorr schemes (H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L9/00 / H04L9/32 / H04L9/3247 / H04L9/3252)
    • H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities (H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION / H04L63/00 / H04L63/08)

Abstract

The invention discloses an SM2 signature algorithm security verification method based on improved differential fault analysis. The method is: 1) sign a message M with the SM2 signature algorithm and, when the scalar multiplication of the generated random number k by the elliptic-curve base point G of the SM2 algorithm reaches round i, inject a fault that changes part of the bits of the y-coordinate of the round-i intermediate value; 2) using the signature obtained in step 1), the verification public key $P_A$ and the hash value e of the message M, recover a run of consecutive bits of the random number k; 3) construct a hidden number problem (HNP) from those consecutive bits and the faulty signature, recover the private key by a lattice attack, and judge from the recovered private key whether the SM2 signature implementation under test is secure. The method makes faults easier to inject and gives a more complete analysis of how well an SM2 signature implementation resists attack.

Description

SM2 signature algorithm security verification method based on improved differential fault analysis
Technical field
The invention belongs to the field of elliptic curve cryptography (ECC) analysis and fault analysis, and relates in particular to an SM2 signature algorithm security verification method based on improved differential fault analysis; it belongs to the field of information security technology.
Background technology
Since the 1980s, when Miller and Koblitz introduced elliptic curves into cryptography and Lenstra proposed factoring with elliptic curves, the role of elliptic curves in cryptography has kept growing. ECC is based on the elliptic curve discrete logarithm problem (ECDLP) over a finite field: in a cyclic additive group with generator G of order n, given G and Q = kG, find k; here Q = kG is scalar multiplication over the finite field, an algebraic operation in that field.
A finite field F is a set with at least two elements and two operations, addition "+" and multiplication "·", satisfying:
1) (F, +) is an abelian group;
2) (F \ {0}, ·) is an abelian group;
3) multiplication is associative, (ab)c = a(bc), and distributes over addition: for all a, b, c ∈ F, a(b + c) = ab + ac and (b + c)a = ba + ca.
The finite fields most used in cryptography are prime fields and extension fields of characteristic 2 (binary extension fields); only prime fields are introduced here. If p is a prime, $F = \{0, 1, 2, \ldots, p-1\}$ with addition and multiplication modulo p is a finite field, written $F_p$ and called a prime field (Galois field). $F_p^* = F_p \setminus \{0\}$ is the multiplicative group formed by the non-zero elements of $F_p$. Because $F_p^*$ is cyclic, there is an element $g \in F_p$ such that every non-zero element of $F_p$ is a power of g; g is called a generator (or primitive element) of $F_p^*$, i.e. $F_p^* = \langle g \rangle$, of order p − 1.
Let the elliptic curve equation over the prime field $F_p$ (p a prime greater than 3) be
$y^2 = x^3 + ax + b \pmod p$, with $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$.
The set of points of the elliptic curve over $F_p$ is then defined as
$E(F_p) = \{(x, y) \mid x, y \in F_p,\ y^2 = x^3 + ax + b \pmod p\} \cup \{O\}$, where O is the point at infinity.
If a point $G \in E(F_p)$ has prime order n, the cyclic group $\langle G \rangle = \{O, G, 2G, 3G, \ldots, (n-1)G\}$ generated by G is a cyclic subgroup of $E(F_p)$. The number of points of $E(F_p)$ is written $\#E(F_p)$ and called the order of $E(F_p)$. In an ECC cryptosystem the prime p, the curve equation over $F_p$, the base point G and its order n are public domain parameters; a private key $d \in [1, n-1]$ is chosen and the corresponding public key is P = dG.
Point addition on the elliptic curve is defined by the chord-and-tangent rule. Under it $E(F_p)$ is an additive abelian group whose identity is the point at infinity O, with P(x, y) + P(x, −y) = O. To add two points P, Q ∈ $E(F_p)$ with P ≠ Q, draw the line through P and Q; it meets E in a third point R′, and the reflection R of R′ in the x-axis is the sum P + Q. This is the point addition operation (A), shown in Fig. 1.
If P = Q, the tangent at P meets E in a point R′, and the reflection R of R′ in the x-axis is 2P. This is the point doubling operation (D), shown in Fig. 2.
From the geometric meaning of point addition and point doubling the arithmetic rules of $E(F_p)$ in affine coordinates follow:
Point addition: let $P = (x_1, y_1) \in E(F_p)$, $Q = (x_2, y_2) \in E(F_p)$ and P ≠ Q; then $R(x_3, y_3) = P + Q$, with $x_3, y_3$ given by the chord rule.
Point doubling: let $P = (x_1, y_1) \in E(F_p)$ and P ≠ −P; then $R(x_3, y_3) = 2P$, with $x_3, y_3$ given by the tangent rule.
The scalar multiplication Q = kG in ECC is therefore the sum of k copies of the same point G, computed as a combination of point doublings and point additions. kG is the basic key-dependent operation of ECC, and fault analysis and side-channel analysis are generally aimed at it. Many algorithms compute kG; the most basic is the binary method. Writing $k = (k_{m-1}, \ldots, k_1, k_0)_2$, the right-to-left binary method computes kG as follows:
1. Q = O, H = G
2. for i = 0 to m − 1, repeat:
  2.1 if $k_i = 1$ then Q = Q + H
  2.2 H = 2H
3. return Q
Because the curve parameter b is not used anywhere in the scalar multiplication, a point $P' = (x_1', y_1')$ that is not on $E(F_p)$ can be regarded as a point of the curve $E'(F_p) = \{(x, y) \mid x, y \in F_p,\ y^2 = x^3 + ax + b' \pmod p\} \cup \{O\}$, where b′ is the value that puts P′ on that curve; the arithmetic rules for P′ on $E'(F_p)$ are then the same as on the original curve $E(F_p)$. These operations are defined as "pseudo-addition" and "pseudo-doubling", and they are widely used in attacks on ECC systems.
Compared with the traditional RSA public-key algorithm at the same security level, ECC has shorter keys, less data to compute, faster arithmetic and better flexibility, and it is easy to implement in a chip without a coprocessor. In addition, no efficient algorithm for solving the ECDLP is known at present, so in terms of algorithmic security ECC is stronger than RSA. Thanks to these properties ECC is gradually replacing RSA in many applications and is widely used.
ECC digital signature algorithms are among the most widely used ECC public-key algorithms, mainly for identity authentication: a signer produces a digital signature on data and a verifier checks its validity. Each signer holds a public key and a private key; the private key produces the signature, and the verifier checks the signature with the signer's public key.
The SM2 signature algorithm is an ECC digital signature algorithm standardised by the State Cryptography Administration of China in 2010. It has two parts: signature generation and signature verification.
In signature generation (Fig. 3), let the message to be signed be M and the signer A's public and private keys be $P_A$ and $d_A$; the hash algorithm used is the SM3 hash algorithm, also issued by the State Cryptography Administration. To obtain the digital signature (r, s) on M, signer A carries out the following steps:
1. Prepend $Z_A$ to M, where $Z_A = H_v(ENTL_A \| ID_A \| a \| b \| x_G \| y_G \| x_A \| y_A)$; $ID_A$ is the distinguishing identifier of signer A, $ENTL_A$ is the bit length of $ID_A$ expressed in two bytes, and $H_v()$ is the SM3 hash function;
2. Compute the hash value e of that string with $H_v()$;
3. Generate a random number $k \in [1, n-1]$ with a random number generator;
4. Compute the elliptic curve point $(x_1, y_1) = kG$;
5. Compute $r = (e + x_1) \bmod n$; if r = 0 or r + k = n, return to step 3;
6. Compute $s = (1 + d_A)^{-1}(k - r d_A) \bmod n$; if s = 0, return to step 3;
7. Output the signature (r, s) on message M.
The signer sends the signature (r, s) and the message M to the verifier B. Knowing signer A's distinguishing identifier $ID_A$, B can compute $Z_A = H_v(ENTL_A \| ID_A \| a \| b \| x_G \| y_G \| x_A \| y_A)$ by hashing and verify the signature with A's public key $P_A$ (Fig. 4) as follows:
1. Check that $r \in [1, n-1]$ and $s \in [1, n-1]$; if not, verification fails;
2. Prepend $Z_A$ to M;
3. Compute the hash value e of that string with $H_v()$;
4. Compute $t = (r + s) \bmod n$; if t = 0, verification fails;
5. Compute the elliptic curve point $(x_1, y_1) = sG + tP_A$;
6. Compute $R = (e + x_1) \bmod n$; if R ≠ r, verification fails, otherwise it succeeds.
Given the importance of the SM2 signature algorithm in applications, its security has to be analysed, and this is usually done by attacking it. As seen above, the private key $d_A$ is used only in signature generation, so attacks on and protections of SM2 all concern the security of $d_A$ during signing. Most attacks on other ECC signature algorithms, such as side-channel and fault attacks on scalar multiplication or on ECDSA, apply to SM2 as well. The fault attacks on SM2 proposed in the literature so far are mainly weak-curve attacks, fault attacks on the private key and lattice-based fault attacks. A weak-curve fault attack injects a few bit errors into the base point G during the scalar multiplication kG, turning it into a point G′; the result Q = kG becomes Q′ = kG′, where G′ is not on the original curve but on a new, weak curve whose order n′ is much smaller than the original order n. If the largest prime divisor q of n′ makes the discrete logarithm computation feasible, k is obtained by solving Q′ = kG′ and the private key $d_A$ is then derived. A fault attack on the private key targets the modular multiplication $r d_A \bmod n$ in the signature: a fault is injected into the private key used in that operation so that one byte of it is corrupted, and the value of $d_A$ is determined by guessing. Lattice-based fault attacks usually inject faults into the scalar multiplication, recover part of the bits of the random number k by analysis, and repeat this for N faulty signatures; substituting into the signature equation $s = (1 + d_A)^{-1}(k - r d_A) \bmod n$ gives a system of equations from which a lattice attack determines $d_A$.
A lattice is a discrete subgroup L of the m-dimensional real space $\mathbb{R}^m$; every element $\beta \in L$ is an integer linear combination $\beta = \sum_i a_i \alpha_i$, $a_i \in \mathbb{Z}$, of N linearly independent vectors $\alpha_i \in L$ ($i \in \{0, 1, \ldots, N-1\}$). Then $\alpha_0, \ldots, \alpha_{N-1}$ is a basis of L, and $B = [\alpha_0, \ldots, \alpha_{N-1}]^T$ is its basis matrix.
Two famous hard problems on lattices are the shortest vector problem (SVP) and the closest vector problem (CVP).
SVP: given a basis B of a lattice L, find a shortest non-zero vector $v \in L$, i.e. one with $\|v\| = \min\{\|u\| : u \in L\}$, where $\|\cdot\|$ is the Euclidean norm. An approximate solution v can be found with the LLL algorithm.
CVP: given a basis B of a lattice L and an arbitrary vector $u \in \mathbb{R}^m$, find the lattice vector $v \in L$ closest to u, i.e. with $\|v - u\| = \min\{\|t - u\| : t \in L\}$. An approximate solution of CVP is obtained in polynomial time with the LLL and Babai algorithms.
To apply a lattice attack to the SM2 signature algorithm, the problem must first be turned into a hidden number problem (HNP). Let $t_i \in \mathbb{Z}_n$ be uniformly distributed, $i \in \{1, 2, \ldots, N\}$, let $u_i \in \mathbb{Z}_n$ and $0 < l < \log_2 n$; find $\alpha \in \mathbb{Z}_n$ such that $|\alpha t_i - u_i|_n \le n/2^l$ for all i, where $|x|_n = \min\{|x - bn| : b \in \mathbb{Z}\}$. This is the HNP. The inequality is equivalent to $|\alpha t_i - u_i + h_i n| \le n/2^l$, where $h_i$ is the integer of smallest absolute value that makes it hold.
The HNP can be turned into a CVP in a lattice: construct an (N + 1)-dimensional lattice L whose basis matrix M has the N rows $n e_1, \ldots, n e_N$ (n times the unit vectors) followed by the row $(t_1, t_2, \ldots, t_N, 1/2^l)$.
Let the target vector be $u = (u_1, u_2, \ldots, u_N, 0)$ and $x = (h_1, h_2, \ldots, h_N, \alpha)$ (α is the private key $d_A$ in the application below); then $v = xM$ is a vector of L, $v = (\alpha t_1 + n h_1, \ldots, \alpha t_N + n h_N, \alpha/2^l)$, and the HNP inequalities bound every coordinate of $v - u$ by $n/2^l$, so $\|v - u\|$ is small. This is a CVP; solving it yields v, and α is read off from v.
For the SM2 signature algorithm, suppose N signatures are computed and a fault is induced (by electromagnetic, laser or similar means) in each of them, so that for each signature the attacker obtains the l least significant bits $a_i$ of the random number $k_i$, $i \in \{1, 2, \ldots, N\}$, together with the faulty signature $(r_i, s_i)$. A corresponding HNP can then be constructed. Write $k_i = b_i 2^l + a_i$ with the unknown $b_i < n/2^l$. Substituting $k_i$ into step 6 of the signature, $s = (1 + d_A)^{-1}(k - r d_A) \bmod n$, gives
$2^{-l}(s_i + r_i) d_A - 2^{-l}(a_i - s_i) = b_i \pmod n$.
Setting $t_i = 2^{-l}(s_i + r_i) \bmod n$ and $u_i = 2^{-l}(a_i - s_i) \bmod n$, this becomes
$|t_i d_A + h_i n - u_i| < n/2^l$,
where $h_i$ is the integer of smallest absolute value that makes the inequality hold.
This is an HNP; converting it to a CVP and solving gives the value of $d_A$. For an m-bit signature algorithm the literature shows that, when l bits of each k are known, about m/l faulty signatures suffice to obtain the correct $d_A$. For the 256-bit SM2 signature algorithm with 8 known bits of k, about 32 signatures are typically needed to recover the private key, which is quite feasible in a real experiment.
Compared with weak-curve attacks and direct fault attacks on the private key, lattice-based fault attacks are fast and have a simple model, and they have become the main means of examining the security of ECC signature algorithms. The fault-injection mode of the existing lattice-based fault attacks on signature algorithms is mainly to skip some point doublings and point additions in the scalar multiplication, which places high demands on the fault type and on the timing and position of the injection. A lattice-based fault attack with lower requirements on injection precision is therefore needed to re-evaluate and define the security of the algorithm.
The traditional ECC differential fault attack on the binary scalar multiplication kG needs two runs with identical input. One run computes Q correctly; in the other, a single-bit fault is injected into the storage area of the coordinates of the round-i intermediate value $Q_i = [(k_{i-1}, \ldots, k_0)_2]P$, giving $Q_i'$, and the scalar multiplication is then completed with "pseudo-addition" and "pseudo-doubling", yielding the faulty result $Q' = (\ldots((Q_i' + k_i 2^i G) + k_{i+1} 2^{i+1} G) + \ldots) + k_{m-1} 2^{m-1} G$. The attacker guesses the value of $(k_{m-1}, \ldots, k_i)_2$, from which the candidate $Q_i$ follows, then guesses the position of the bit error to obtain a candidate $Q_i'$, and recomputes the faulty result. If the recomputed faulty result agrees with the real faulty result Q′, the guess is correct and the attacker has recovered the high-order consecutive bits of the scalar k.
In SM2 signing, however, the random number k is chosen afresh each time, so two scalar multiplications with identical input essentially never occur. Moreover, the full coordinates of the scalar multiplication result Q′ cannot be recovered from the signature. On the other hand, bit errors can be produced by laser irradiation of the memory area, which is much easier than making the chip skip point doublings or additions. It is therefore worthwhile to improve the ECC differential fault attack, apply it to signature algorithms and multi-bit faults, and combine it with the lattice attack.
The content of the invention
To make the examination and assessment of SM2 signature implementations more efficient, the invention proposes an SM2 signature algorithm security verification method based on improved differential fault analysis. The method examines the security of the algorithm by differential fault analysis with a low requirement on the fault pattern: as long as the injected fault changes fewer than a certain threshold of bits in the intermediate value of some round of the scalar multiplication, the attacker need know neither which bits were changed nor any bit of the random number, and can still mount a lattice attack on the algorithm and obtain the private key $d_A$. The whole fault analysis method (Fig. 5) has three parts: 1) inject a fault at round i of the scalar multiplication in the SM2 signature so that part of the bits of the y-coordinate of the intermediate value change (on the curve recommended by the SM2 digital signature standard the scalar multiplication runs for 256 rounds and the fault is injected near the tenth round from the end; for other curves with n iteration rounds, the fault should be injected at a round shortly before the last log n rounds); 2) recover consecutive bits of the random number k from the faulty signature; 3) construct an HNP from the consecutive bits recovered in step 2 and the faulty signatures, recover the private key by a lattice attack and, if it matches the real private key, judge that the signature implementation under test is insecure. In detail:
1) At round i of the scalar multiplication in the SM2 signature, inject a fault that changes part of the bits of the y-coordinate of the intermediate value. In a smart card chip that implements the SM2 signature algorithm, a message is input and the signature is computed; the chip must compute the scalar multiplication kG of the random number $k = (k_{m-1}, \ldots, k_1, k_0)_2 \in [1, n-1]$ by the elliptic curve base point G of the SM2 algorithm, where G has order n. In the right-to-left binary scalar multiplication the chip processes $k_0, k_1, \ldots, k_{m-1}$ in turn with point doublings and point additions. Every round contains a point doubling, so the round that is running at any moment can be identified by counting the point doublings in the power trace. Furthermore, the point doubling and point addition in affine coordinates compute first the x- and then the y-coordinate of the intermediate value, so applying a laser fault to the memory holding the y-coordinate just before a round ends changes some bits of the y-coordinate of the intermediate value. The number Δy of changed bits can be kept below a known threshold N by reducing the laser intensity or exposure time (an upper bound on the threshold can be derived probabilistically; the smaller the threshold, the higher the success rate of the attack on the current signature implementation; a threshold below 32 is recommended), and after the attack the collected power trace is checked to select the signatures whose injection time meets the requirement. Thus a laser fault is injected into the memory area of the y-coordinate of the round-i intermediate value $Q_i$ of the scalar multiplication, giving a faulty intermediate value $Q_i'$ in which Δy < N bits have changed. The computation continues and yields the faulty scalar multiplication result Q′ and the faulty signature (r, s).
2) Recover consecutive bits of the random number k from the faulty signature. From the faulty signature (r, s), A's public key $P_A$ and the message hash e, the correct scalar multiplication result Q = kG can be recovered, as can the x-coordinate x′ of the faulty result Q′: x′ ≡ r − e (mod n), and since p > n the value (r − e) mod n + n is also a candidate x-coordinate when it is smaller than p, p being the public elliptic curve modulus. Guess the value of the consecutive high-order bits $k^{(i)} = (k_{m-1}, \ldots, k_i)_2$ of the random number, in the range $[0, 2^{m-i} - 1]$, and compute from it the corresponding un-faulted round-i intermediate value $Q_i$. Convert every bit $k_t$ of the guess, $t \in [i, m-1]$, into the point $k_t 2^t G$; then, following the right-to-left binary scalar multiplication, start from the faulty round-i intermediate value $Q_i' = (x_i, y_i')$, whose y-coordinate is unknown, and pseudo-add these points in affine coordinates over $F_p$ in increasing order of t. This gives an equation expressing the x-coordinate of the faulty result as a univariate polynomial (or rational) expression of high degree over $F_p$ in the faulty y-coordinate $y_i'$. Substituting a candidate x-coordinate x′ of the faulty result gives a polynomial equation whose solutions are the candidates for $y_i'$. Taking i = m − 1 as an example: for the guess $k_{m-1} = 1$ a single pseudo-addition $Q' = Q_{m-1}' + 2^{m-1}G$ is performed; if the x-coordinates of $Q_{m-1}'$ and $2^{m-1}G$ differ, this yields a quadratic equation in the unknown $y_{m-1}'$, which is solved to obtain one or two candidate values of $y_{m-1}'$. If some candidate $y_i'$ satisfies the Hamming-distance condition $HW(y_i' \oplus y_i) < N$ with respect to the correct y-coordinate $y_i$, the guess is accepted as $k^{(i)}$; otherwise another guess is tried. If no guess meets the condition, the signature is discarded.
3) Construct the HNP and recover the private key by a lattice attack. With the faulty signature (r, s) and the consecutive high-order bits $k^{(i)}$ of the random number k known, write $k = k^{(i)} 2^i + k_{(i)}$, where $k_{(i)}$ denotes the remaining unknown low-order bits. From $s = (1 + d_A)^{-1}(k - r d_A) \bmod n$ and this expression for k,
$(r + s) d_A + s - k^{(i)} 2^i = k_{(i)} \pmod n$,
and since $|k_{(i)}| < 2^i$ the HNP relation
$|(r + s) d_A + s - k^{(i)} 2^i + nh| < 2^i$
follows, where h is the integer of smallest absolute value for which the inequality holds. Injecting faults into the signature computations of H different messages, the attacker obtains H faulty signatures, recovers the corresponding $k^{(i)}$ for each and constructs H such HNP relations. The H relations are converted into a CVP and solved with LLL (A. K. Lenstra, H. W. Lenstra Jr. and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, Vol. 261 (1982), pp. 513-534) and the Babai algorithm (L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica, Vol. 6 (1986), pp. 1-13), which yields the private key $d_A$. If the recovered $d_A$ is correct, the SM2 signature implementation is insecure from the point of view of algorithm security.
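The following Python example has been added to this page; it is not code from the patent or from the assignees. It implements the right-to-left binary scalar multiplication of the background section in affine coordinates, SM2 signature generation and verification as listed above, a simulated step-1 fault that XORs a low-weight mask into the y-coordinate of the round-i intermediate value $Q_i$, and the step-2 recovery for the case i = m − 1 worked through in the description: the correct kG is rebuilt from the faulty signature as $sG + (r + s)P_A$ (the identity $k = s + (r + s)d_A$ holds whatever r the faulty x produced), the faulty x-coordinate is read off r, one pseudo-addition gives a quadratic in $y_{m-1}'$, and the Hamming-distance filter keeps the root within the threshold. Assumptions made here: the curve constants are the SM2 recommended parameters; SHA-256 stands in for $H_v(Z_A \| M)$ (SM3) because only the integer e enters the arithmetic; the signing retries for r = 0, r + k = n and s = 0 are left out; and for rounds i < m − 1, where the description solves a higher-degree univariate polynomial, no solver is provided. One consequence the code uses: when $k_{m-1} = 0$ the faulted y-coordinate never enters an addition, so the faulty signature still verifies, which by itself reveals that bit.

```python
# Added example for this page (not the patent's code): affine EC arithmetic, the
# right-to-left binary method with a simulated y-coordinate fault, SM2 signing
# and verification, and recovery of the top nonce bit from one faulty signature.
import hashlib

# SM2 recommended curve y^2 = x^3 + ax + b over F_p (GB/T 32918.5 parameters).
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
m = n.bit_length()   # 256 rounds of the right-to-left binary method
O = None             # point at infinity

def on_curve(P):
    return P is O or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0

def ec_add(P, Q):
    """Chord-and-tangent law in affine coordinates; b never appears, so the same
    code is the patent's pseudo-addition/pseudo-doubling on off-curve points."""
    if P is O:
        return Q
    if Q is O:
        return P
    if P[0] == Q[0]:
        if (P[1] + Q[1]) % p == 0:
            return O                                       # P + (-P)
        lam = (3 * P[0] ** 2 + a) * pow(2 * P[1], -1, p)   # tangent slope
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p)      # chord slope
    x3 = (lam ** 2 - P[0] - Q[0]) % p
    return (x3, (lam * (P[0] - x3) - P[1]) % p)

def ec_neg(P):
    return O if P is O else (P[0], -P[1] % p)

def scalar_mult(k, P, fault=None):
    """Right-to-left binary method. Before bit i is processed the accumulator
    holds Q_i = (k mod 2^i) P; fault=(i, mask) XORs mask into the y-coordinate
    of Q_i, modelling the laser fault of step 1."""
    Q, H = O, P
    for i in range(m):
        if fault is not None and fault[0] == i and Q is not O:
            Q = (Q[0], Q[1] ^ fault[1])
        if (k >> i) & 1:
            Q = ec_add(Q, H)
        H = ec_add(H, H)
    return Q

def hash_e(msg):
    # Stand-in for e = H_v(Z_A || M): SHA-256 instead of SM3 (assumption).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sm2_sign(d, e, k, fault=None):
    """Signing steps 4-7 with an explicit nonce k (the retries for r = 0,
    r + k = n and s = 0 are omitted)."""
    x1 = scalar_mult(k, G, fault)[0]
    r = (e + x1) % n
    s = pow(1 + d, -1, n) * (k - r * d) % n
    return r, s

def sm2_verify(P_A, e, sig):
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    t = (r + s) % n
    if t == 0:
        return False
    x1 = ec_add(scalar_mult(s, G), scalar_mult(t, P_A))[0]
    return (e + x1) % n == r

def recover_top_nonce_bit(P_A, e, sig, threshold):
    """Step 2 for i = m - 1. kG = sG + (r + s) P_A is the correct result and the
    faulty x' is r - e mod n (or that plus n). x' equal to the correct x means no
    addition followed the fault (k_{m-1} = 0). Otherwise Q' = (x_{m-1}, y') +
    2^{m-1} G and the chord rule gives (y_H - y')^2 = (x' + x_{m-1} + x_H)
    (x_H - x_{m-1})^2, a quadratic in y'; a root within `threshold` bit flips of
    the true y_{m-1} confirms k_{m-1} = 1. Returns (bit, y') or None."""
    r, s = sig
    Q = ec_add(scalar_mult(s, G), scalar_mult((r + s) % n, P_A))   # correct kG
    x_cands = [c for c in ((r - e) % n, (r - e) % n + n) if c < p]
    if Q[0] in x_cands:
        return 0, None
    H = scalar_mult(1 << (m - 1), G)
    Qi = ec_add(Q, ec_neg(H))                      # correct Q_{m-1}, on the curve
    for xf in x_cands:
        c = (xf + Qi[0] + H[0]) * (H[0] - Qi[0]) ** 2 % p
        root = pow(c, (p + 1) // 4, p)             # modular sqrt, p = 3 mod 4
        if root * root % p != c:
            continue
        for y_f in ((H[1] - root) % p, (H[1] + root) % p):
            if bin(y_f ^ Qi[1]).count("1") < threshold:
                return 1, y_f
    return None
```

recover_top_nonce_bit returns (0, None) when the faulty signature's x-coordinate equals the correct one, (1, y′) with the recovered faulty y-coordinate when a root lies within the threshold, and None when no guess fits, in which case the signature is discarded exactly as the description prescribes. A fault mask with three set bits and a threshold of 32 reproduce the numbers quoted above.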
Compared with the prior art, the invention has the following advantages:
1. It proposes a novel lattice-based differential fault security verification method; with it, faults are easier to inject and the ability of an SM2 signature implementation to resist attack can be analysed more completely.
2. Unlike the earlier lattice-based attacks, which require the injected fault to skip point doublings or point additions and thus place very high demands on the attacker's equipment and skill, the invention only requires a fault in the memory area of the y-coordinate of the intermediate value near the end of a round; this places a low demand on timing precision, and the power trace can be checked to confirm that the fault was injected at the right moment.
3. Unlike the earlier differential fault methods, which try to corrupt a single bit so that recovering the scalar bits stays feasible, the invention is hardly constrained by the number of faulty bits, and signatures in which more bits than the threshold were corrupted are filtered out automatically. For a 256-bit random number, as long as fewer than 32 bits are corrupted, part of the random number bits can be recovered with high probability, which greatly eases the fault injection experiment.
4. Unlike the earlier differential fault methods, which target ECC encryption and need the complete scalar multiplication results of two runs with identical input, the invention needs only one signature in the random number recovery stage and does not need the y-coordinate of the faulty scalar multiplication result, which suits the SM2 signature algorithm.
Brief description of the drawings
Fig. 1 shows the geometric meaning of point addition on an elliptic curve;
Fig. 2 shows the geometric meaning of point doubling on an elliptic curve;
Fig. 3 is the SM2 signature generation flow chart;
Fig. 4 is the SM2 signature verification flow chart;
Fig. 5 is the flow chart of the attack on the SM2 signature algorithm in the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and an example, which does not limit the scope of the invention in any way. The example illustrates the effectiveness of the invention by an experiment in which a lattice attack is mounted on the SM2 signature algorithm with the fault analysis method of the invention.
1) At round i of the scalar multiplication in the SM2 signature, inject a fault that changes part of the bits of the y-coordinate of the intermediate value. On a 32-bit chip implementing the SM2 signature algorithm over $F_p$ (256-bit), a signature is computed. At the moment the point doubling of round 248 of the right-to-left binary scalar multiplication is about to finish (the power trace is checked to select the signatures that meet the fault-timing requirement), a fault is injected into the chip area storing the y-coordinate of the round-248 intermediate value $Q_{248}$, giving a faulty intermediate value $Q_{248}'$ that satisfies the Hamming-distance threshold condition. The computation continues, yielding the faulty scalar multiplication result $Q_{256}' = (\ldots(Q_{248}' + k_{248} 2^{248} G) + \ldots) + k_{255} 2^{255} G$ and the faulty signature (r, s).
2) Recover consecutive bits of the random number k from the faulty signature. Using the public key $P_A$ and the message hash e, recover the correct scalar multiplication result $Q_{256} = kG = sG + (r + s)P_A$ (the relation of verification step 5, which holds for the faulty (r, s) because s was computed from that r) and the x-coordinate $x_{256}' = (r - e) \bmod n$ of the faulty result ($x_{256}' + n$ is also a candidate x-coordinate). Guess the partial random number bits $k^{(248)} = (k_{255}, \ldots, k_{248})_2$, compute the corresponding correct round-248 intermediate value $Q_{248} = Q_{256} - k^{(248)} 2^{248} G$, and, by the pseudo-addition rule in affine coordinates over $F_p$, express $x_{256}'$ as a univariate high-degree polynomial in $y_{248}'$; solve that equation for $y_{248}'$. If $HW(y_{248}' \oplus y_{248}) < 32$, accept the guess as $k^{(248)}$; otherwise try another guess (by calculation, the probability that a wrong guess produces a $y_{248}'$ within the threshold is almost 0). If no guess meets the requirement, discard the signature.
3) Construct the HNP and recover the private key by a lattice attack. Construct the HNP relation $|(r + s) d_A + s - k^{(248)} 2^{248} + nh| < 2^{248}$. Repeat the above process for many SM2 signature computations, construct at least 38 such HNP relations and run the lattice attack to obtain the private key.
4) Check whether the private key obtained is correct and thereby verify the security of the signature implementation under test.
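The following Python example is added to this page and is not code from the patent. It serves the HNP construction of the background section (low l bits of each $k_i$ known, $k_i = b_i 2^l + a_i$), step 3 of the method ($k = k^{(i)} 2^i + k_{(i)}$, high bits known) and step 3 of this embodiment: it builds the (N + 1)-dimensional lattice with rows $n e_i$ and $(t_1, \ldots, t_N, 1)$, scaled to integers, and solves the CVP with a textbook LLL reduction followed by Babai's nearest-plane algorithm. Assumptions: only the signing equation $s = (1 + d_A)^{-1}(k - r d_A) \bmod n$ is simulated, with r drawn at random, since the lattice step uses nothing else; the nonce bits are taken as already recovered by step 2; and the modulus is the toy prime $2^{31} - 1$ rather than the 256-bit SM2 order, so that the exact-arithmetic LLL finishes in seconds. With the real n the same construction needs about m/l relations (the 32 to 38 signatures quoted above) and a fast reduction library in place of the pure-Python LLL.

```python
# Added example for this page (not the patent's code): the hidden number problem
# built from SM2 signatures with partially known nonces, solved with LLL + Babai.
from fractions import Fraction
import random

def sm2_s(d, k, r, n):
    """SM2 signing equation s = (1 + d)^-1 (k - r d) mod n; rearranged it reads
    k = s + (r + s) d (mod n). r is treated here as a given public value."""
    return pow(1 + d, -1, n) * (k - r * d) % n

def hnp_low_bits(sigs, l, n):
    """Background form: the low l bits a_i of k_i are known, k_i = b_i 2^l + a_i.
    Returns (t_i, u_i, B) with t_i d - u_i = b_i (mod n), 0 <= b_i <= B."""
    inv = pow(1 << l, -1, n)
    return [(inv * (s + r) % n, inv * (a - s) % n, n >> l) for r, s, a in sigs]

def hnp_high_bits(sigs, i, n):
    """Step-3 form: the high bits k^(i) are known, k = k^(i) 2^i + k_(i) with
    k_(i) < 2^i. Returns (t, u, B) with (r + s) d - (k^(i) 2^i - s) = k_(i) (mod n)."""
    return [((r + s) % n, ((kh << i) - s) % n, 1 << i) for r, s, kh in sigs]

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL on integer row vectors with exact rational arithmetic.
    Returns the reduced basis, its Gram-Schmidt vectors and their squared norms."""
    N = len(basis)

    def gram_schmidt():
        gs, mu, norms = [], [[Fraction(0)] * N for _ in range(N)], []
        for i in range(N):
            v = [Fraction(x) for x in basis[i]]
            for j in range(i):
                mu[i][j] = sum(x * y for x, y in zip(basis[i], gs[j])) / norms[j]
                v = [x - mu[i][j] * y for x, y in zip(v, gs[j])]
            mu[i][i] = Fraction(1)
            gs.append(v)
            norms.append(sum(x * x for x in v))
        return gs, mu, norms

    gs, mu, norms = gram_schmidt()
    k = 1
    while k < N:
        for j in range(k - 1, -1, -1):                  # size-reduce row k
            q = round(mu[k][j])
            if q:
                basis[k] = [x - q * y for x, y in zip(basis[k], basis[j])]
                for c in range(j + 1):
                    mu[k][c] -= q * mu[j][c]
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:   # Lovasz
            k += 1
        else:
            basis[k], basis[k - 1] = basis[k - 1], basis[k]
            gs, mu, norms = gram_schmidt()
            k = max(k - 1, 1)
    return basis, gs, norms

def babai(basis, gs, norms, target):
    """Nearest-plane algorithm: a lattice vector close to target (approximate CVP)."""
    w = [Fraction(x) for x in target]
    for i in range(len(basis) - 1, -1, -1):
        c = round(sum(x * y for x, y in zip(w, gs[i])) / norms[i])
        w = [x - c * y for x, y in zip(w, basis[i])]
    return [int(t - x) for t, x in zip(target, w)]

def solve_hnp(rels, n):
    """rels = [(t_i, u_i, B)] with t_i d - u_i = v_i (mod n), 0 <= v_i <= B.
    Lattice rows n*e_i and (t_1, ..., t_N, 1), target (u_i + B/2, 0), the first
    N columns scaled by S so that every error coordinate is at most about n;
    the last coordinate of the closest vector is d."""
    N, B = len(rels), rels[0][2]
    S = max(1, 2 * n // B)
    rows = [[n * S if c == i else 0 for c in range(N + 1)] for i in range(N)]
    rows.append([t * S for t, _, _ in rels] + [1])
    target = [(u + B // 2) * S for _, u, _ in rels] + [0]
    red, gs, norms = lll(rows)
    return babai(red, gs, norms, target)[N] % n

def simulate(n, d, count, leak, seed=2015):
    """Constructed data: `count` signatures whose nonce leaks the bits named by
    leak = ('low', l) or ('high', i), i.e. what the fault step 2 recovered."""
    rng = random.Random(seed)
    sigs = []
    for _ in range(count):
        k, r = rng.randrange(1, n), rng.randrange(1, n)
        known = k & ((1 << leak[1]) - 1) if leak[0] == 'low' else k >> leak[1]
        sigs.append((r, sm2_s(d, k, r, n), known))
    return (hnp_low_bits(sigs, leak[1], n) if leak[0] == 'low'
            else hnp_high_bits(sigs, leak[1], n))

if __name__ == "__main__":
    n = 2 ** 31 - 1          # toy prime order; SM2's n is 256 bits
    d = 1234567891
    print(solve_hnp(simulate(n, d, 12, ('low', 8)), n) == d)
    print(solve_hnp(simulate(n, d, 12, ('high', 23)), n) == d)
```

Twelve relations with 8 known bits each give 96 known bits against a 31-bit secret, the same over-determination the description relies on when it asks for at least 38 signatures with 8 known bits of a 256-bit nonce; the target is centred by adding B/2 so that the error in every coordinate is at most B/2, which is what lets Babai's rounding land on the right lattice point.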
The detailed embodiment above is given only to make the invention easier to understand and does not limit it; those skilled in the art can implement the invention in many other ways on the basis of this disclosure, and every conversion and replacement that does not depart from the design structure and ideas of the invention falls within the scope of protection of the invention.

Claims (7)

  1. A method for verifying the security of the SM2 signature algorithm based on improved differential fault analysis, characterised in that the method comprises the steps:
    1) signing a message M with the SM2 signature algorithm, and, when the scalar-multiplication iteration between the generated random number k and the base point G of the SM2 elliptic curve reaches the i-th round, injecting a fault that changes part of the bits of the y-coordinate of the i-th round intermediate value;
    2) recovering consecutive bit values of the random number k using the signature result obtained in step 1), the verification public key P_A and the hash value e of message M;
    3) constructing a hidden number problem from the consecutive bit values and the faulty signature result, analysing out the private key with a lattice attack, and then judging from the private key whether the current SM2 signature algorithm is secure.
  2. The method of claim 1, characterised in that the fault is injected in the i-th round iteration, and part of the bits of the y-coordinate of the i-th round intermediate value are changed, as follows:
    1) the SM2 signature algorithm performs the scalar-multiplication iteration kG on the generated random number k and the base point G of the SM2 elliptic curve, where k = (k_{m-1}, ..., k_1, k_0)_2 ∈ [1, n-1], n is the order of the base point G, and m is the bit length of the random number k;
    2) the moment at which the i-th round iteration of the current SM2 signature operation is about to end is estimated empirically from the power trace, and at that moment a fault is injected into the memory holding the y-coordinate of the intermediate value, changing part of its bits; the iteration then continues and the final signature result is obtained; the power trace of the current operation is checked to confirm the injection moment, and if the fault was injected at the end of the i-th round iteration the signature is kept, otherwise it is discarded.
  3. The method of claim 2, characterised in that the fault is injected by irradiating the memory with a laser, and the laser intensity or irradiation time is adjusted so that the number of changed bits Δy < N, where N is a set threshold.
  4. The method of claim 3, characterised in that the threshold N is less than 32.
  5. The method of claim 2 or claim 3, characterised in that the consecutive bit values of the random number k are recovered as follows:
    1) first, from the signature result, the public key P_A and the hash value e of message M, recover the correct result of the scalar multiplication and the abscissa of the faulty scalar-multiplication result produced after the fault injection;
    2) set a candidate value for some consecutive bits of the random number k, and compute the corresponding unfaulted intermediate value of the i-th round;
    3) convert all bits of the candidate with t ∈ [i, m-1] into points, then, following the right-to-left binary scalar-multiplication rule and taking the faulty intermediate value of the i-th round as the starting point, pseudo-add them successively in increasing order of t; from the pseudo-addition formula and the abscissa of the faulty scalar-multiplication result, obtain the faulty intermediate coordinate of the i-th round iteration; if the Hamming distance function between it and the coordinate of the unfaulted intermediate value of the i-th round meets the requirement, determine the candidate to be the consecutive bit values k(i), otherwise return to step 2) and reset the candidate; if no candidate meets the requirement, discard the signature.
  6. The method of claim 5, characterised in that the private key is analysed as follows: construct a hidden number problem from the signature result and the determined consecutive bit values k(i), convert the constructed hidden number problem into a closest vector problem, and solve it with a lattice reduction algorithm and the nearest plane algorithm to obtain the private key d_A.
  7. The method of claim 1, characterised in that the fault is injected in one of the rounds preceding the last log n rounds of the iteration, where n is the number of iteration rounds.
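A toy model of the fault model in the embodiment (steps 1 to 3 above) and in claims 2 and 5, added here as an illustrative example and not the patent's own code: a bit of the y-coordinate of the intermediate point of a right-to-left scalar multiplication is flipped, the SM2 signature is formed from the faulty x-coordinate, and the code then shows the two facts the analysis rests on: the SM2 verification relation sG + (r+s)·P_A still yields the correct kG from the faulty signature (so a signer that verifies its own output before releasing it rejects the faulted signature), and k = s + (r+s)·d_A mod n, the identity behind the hidden-number inequality of step 3. The 19-point textbook curve, the private key, hash value, nonce and fault mask are constructed toy values, not SM2 parameters.

```python
# Toy model of the fault model above and of the signer-side check (added example, not the
# patent's code). Curve y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) of prime
# order n = 19 is a textbook toy curve, not the SM2 curve; None is the point at infinity.
p, a, n, G = 17, 2, 19, (5, 1)

def add(P, Q):
    """Affine addition; applied to corrupted (off-curve) points it is the 'pseudo-addition'."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0: return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def scalar_mul(k, P, fault_round=None, mask=0):
    """Right-to-left double-and-add. With fault_round=i the bits of mask are flipped in the
    accumulator's y-coordinate once bits 0..i-1 are absorbed, so bits i..m-1 are pseudo-added."""
    Q, R = None, P
    for t in range(n.bit_length()):
        if t == fault_round and Q is not None:
            Q = (Q[0], Q[1] ^ mask)          # the injected fault on the intermediate value
        if (k >> t) & 1:
            Q = add(Q, R)
        R = add(R, R)
    return Q

def sm2_sign(d, e, k, fault_round=None, mask=0):
    """SM2 signing equations; k is a parameter so the faulted and clean runs share a nonce."""
    x1, _ = scalar_mul(k, G, fault_round, mask)
    r = (e + x1) % n
    s = pow(1 + d, -1, n) * (k - r * d) % n
    assert r != 0 and s != 0 and r + k != n   # the standard's own retry conditions
    return r, s

def recover_kG(P_A, r, s):
    """sG + (r+s)P_A = kG holds for the faulty signature too (the correct Q of step 2)."""
    return add(scalar_mul(s, G), scalar_mul((r + s) % n, P_A))

def sm2_verify(P_A, e, r, s):
    Q = recover_kG(P_A, r, s)       # run by the signer before output, this rejects the fault
    return Q is not None and (e + Q[0]) % n == r

def hnp_residual(r, s, d, k_high=0, i=0):
    """s + (r+s)d - k_high*2^i mod n: equals k for k_high=0 and lies below 2^i when k_high
    holds the top bits of k (the inequality of step 3; d is known here only to check it)."""
    return (s + (r + s) * d - k_high * 2**i) % n
```

With d = 7, e = 4, k = 5 the clean signature is (13, 13) and verifies, while a fault flipping bit 3 of the y-coordinate before round 2 yields (12, 2), which fails verification although recover_kG still returns 5G = (9, 16).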
Application CN201510239497.7A, priority date 2015-05-12, filing date 2015-05-12: Based on the SM2 signature algorithm security verification methods for improving difference fault analysis. Status: Active. Publication CN104836808B (en).


Publications (2)

Publication Number, Publication Date
CN104836808A (en), 2015-08-12
CN104836808B (en), 2017-12-15

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101925875A (en) * 2008-01-23 2010-12-22 Inside Contactless Countermeasure method and devices for asymmetric cryptography
CN102790673A (en) * 2011-05-17 2012-11-21 Shanghai Huahong Integrated Circuit Co., Ltd. Method for resisting error attacks applicable for ECC (Error Correction Code) algorithm
CN103997402A (en) * 2014-05-30 2014-08-20 Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences Encryption chip safety performance testing method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Mingjie Liu et al. Partially Known Nonces and Fault Injection Attacks on SM2 Signature Algorithm. Lecture Notes in Computer Science, Information Security and Cryptography, Springer International Publishing, 2014-12-30, pp. 343-358 *
Sun Weidong et al. Differential fault analysis of the symmetric encryption algorithms AES and DES. Journal of Fudan University (Natural Science), 2013-06-30, pp. 297-302 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant