CN113037495A

CN113037495A - Safety evaluation method of elliptic curve signature algorithm

Info

Publication number: CN113037495A
Application number: CN202110234700.7A
Authority: CN
Inventors: 李昊远; 陈华; 匡晓云; 杨祎巍; 黄开天; 范丽敏
Original assignee: Institute of Software of CAS
Current assignee: Institute of Software of CAS; Research Institute of Southern Power Grid Co Ltd
Priority date: 2021-03-03
Filing date: 2021-03-03
Publication date: 2021-06-25
Anticipated expiration: 2041-03-03
Also published as: CN113037495B

Abstract

The invention discloses a security evaluation method of an elliptic curve signature algorithm. The method comprises the following steps: 1) the signature equipment runs a target elliptic curve signature algorithm to be evaluated to execute signature operation and determine a fault injection time point; 2) the signature device runs the target elliptic curve signature algorithm to execute signature operation, fault injection is carried out on a position area of the signature device at the fault injection time point during each signature operation, and the position of the counter is determined; 3) fault injection is carried out at the position of the counter and the determined fault injection time point during signature operation, and if the stored value count 'of the counter after fault injection is less than count and the difference value is solvable in the ECDLP problem of scalar digits, the corresponding stored value count' and an error signature output result are recorded; 4) recovering a signature private key of the target elliptic curve signature algorithm by using an error signature output result; if the recovery is not successful, the security assessment is determined to be passed.

Description

Safety evaluation method of elliptic curve signature algorithm

Technical Field

The invention relates to the technical field of information security, in particular to an error security evaluation method for an elliptic curve signature algorithm.

Background

With the development of information technology, society has fully entered the digital age. The importance of information security reaches an unprecedented level. Cryptography is used as the basis of information security and is widely applied to various industries such as finance, economy, communication, military and the like. Among them, elliptic curve cryptography proposed by Miller and Koblitz in the 80's of the 20 th century has played an extremely important role in various fields as an important branch of public key cryptography. Therefore, security research on elliptic curve cryptosystems is increasingly important.

With the diversification of attack forms, in addition to the traditional research on the theoretical security of the cryptosystem, the research on the security of physical implementation is more and more. Fault injection attacks are one such attack. In 1996, Boneh et al put forward a concept of fault injection attack for the first time, and the method obtains secret information in an RSA public key algorithm by using error information in a password operation process. Then, researchers put forward various fault attack methods on the basis of the above, and certain threats exist to common cryptosystems such as DES, AES, SM4, ECC, SM2, and the like. Therefore, it is a common security evaluation means to evaluate the security of the cryptographic algorithm by using the fault injection attack method.

The importance of the elliptic curve cryptosystem in the public key cryptosystem is important, so that the research on the safety evaluation of the elliptic curve cryptosystem, particularly the research on the safety evaluation by using a fault injection attack method, becomes a current research hotspot. In an elliptic curve cryptosystem, an elliptic curve digital signature algorithm is one of the most widely applied algorithms in the elliptic curve cryptosystem, and is mainly used for identity verification.

ECDSA is internationalThe basic flow of the signature process of the above general elliptic curve-based digital signature scheme is as follows. Where M is the message to be signed, G is the base point of the elliptic curve, d_AIs the private key used for signing.

1: generating a random number k ∈ [1, n-1] by using a random number generator;

2: calculating the point (x) of the elliptic curve₁,y₁)＝[k]G；

3: calculating r ═ x₁mod n, if r is 0, return 1;

4: calculating e ═ H_v(M)，H_v() A cryptographic hash function with a message digest length of v bits;

5: calculating s ═ k^-1(e+r·d_A) mod n, if s ═ 0 returns 1;

6: the signature value of the outgoing message M is (r, s).

The basic process of ECDSA signature verification is as follows, where r ' and s ' are the received signature results, and M ' is the received signed message P_AIs a signature verification public key, P_A＝[d_A]G。

1: calculating e ═ H_v(M’)，H_v() A cryptographic hash function with a message digest length of v bits;

2: calculating u₁＝s^-1·e mod n；

3: calculating u₂＝s^-1·r mod n；

4: calculating (x'₁，y′₁)＝u₁G+u₂P_A；

5: test r ═ x₁If yes, the verification is passed; otherwise, the verification is not passed.

Another commonly used digital signature scheme SM2 signature algorithm is part of the standard GMT 0003.4-2012SM2 elliptic curve public key cryptographic algorithm published by the national crypto authority in 2010. The method is used for digital signature and verification in commercial password application, and can meet the safety requirements of identity authentication, data integrity and authenticity in various password applications. At present, the SM2 signature algorithm is widely applied to important fields of China finance, Internet of things and the like.

The basic procedure of the SM2 signature algorithm is as follows. Wherein, the message to be signed is M, and the distinguishable mark of the user A as the signer is Z_A,d_AIs the private key used by the signature and G uses the base point on the elliptic curve for the signature. r and s are signature output results.

1: device for placing

2: computing

H_v() A cryptographic hash function with a message digest length of v bits;

3: generating a random number k ∈ [1, n-1] by using a random number generator;

4: calculating the point (x) of the elliptic curve₁,y₁)＝[k]G；

5: calculating r ═ e + x₁) mod n, return 3 if r is 0 or r + k is n;

6: calculating s ═ 1+ d_A)^-1·(k-r·d_A) Mod n, if s is 0, return to 3;

7: the signature of the outgoing message M is (r, s).

The basic process of the SM2 signature verification algorithm is as follows. Where r ' and s ' are the received signature results, and M ' is the received signed message P_AIs a signature verification public key, P_A＝[d_A]G。

1: checking whether r 'belongs to [1, n-1] or not, and if not, verifying that the r' does not pass;

2: checking whether s' belongs to [1, n-1] or not, and if not, verifying not to pass;

3: device for placing

4: computing

H_v() For message digest length ofA cryptographic hash function of v bits;

5: calculating t ═ r '+ s') modn, and if t ═ 0, then the verification fails;

6: calculating the point (x) of the elliptic curve₁′,y₁′)＝[s′]G+[t]P_A；

7: calculating R ═ (e' + x₁') modn, checking whether R ═ R' is true, and if true, verifying to pass; otherwise, the verification is not passed.

For the ECDSA and SM2 signature algorithms described above, the fault injection attack has a significant attack effect on it. The fault injection attack generally injects faults into the cryptographic circuit in the execution process by means of clock, voltage, radiation sudden change, electromagnetic interference, laser injection and the like, so as to generate error output. The attacker can obtain some secret information of the cryptographic algorithm in the execution process by using the error output and combining other known information according to the characteristics of the cryptographic algorithm.

For the elliptic curve signature algorithm represented by ECDSA and SM2, the common fault injection method is mainly performed by multiplying the scalar of the core transport module of the elliptic curve cipher by [ k ] G. For example, an attacker can inject a fault in a curve parameter, a base point or a scalar multiplication process, so that scalar multiplication is transferred from one safety curve to another unsafe weak curve, and then an Elliptic Curve Discrete Logarithm Problem (ECDLP) is solved by scalar multiplication on the weak curve to recover a scalar k. An attacker may also obtain secret information by attacking the sign bit of a scalar times an intermediate value. The error output point generated by the attack mode is still on the original curve, and an attacker can recover the scalar k according to the correct scalar multiplication output result and the error scalar multiplication output result. After the scalar k is recovered, the value of the signature private key is recovered through derivation calculation. In addition, an attacker can also obtain partial bit information of the scalar k through error injection, obtain enough error output under enough signature times and obtain a signature private key through a lattice attack mode. For the fault injection attack method, the protection method commonly used in elliptic curve cryptography generally includes checking an elliptic curve input parameter, a base point and the like, checking a middle value point and an output point in scalar multiplication, judging whether the point is on an elliptic curve or not, and the like.

In the following, the risk of elliptic curve signature algorithm in the presence of fault attack will be described by taking the example of scalar multiplication by SM2 signature using binary algorithm.

After an attacker obtains k, a signature private key d can be calculated according to the output signature values r and s_A. From the above equation for calculating s in step 6 of the SM2 signature algorithm, it can be derived,

d_A＝(k-s)(s+r)^-1mod n

it can be seen that leakage of scalar information k results in signing private key d_AIs leaked. Thus, the attacker can utilize the acquired private signature key d_AThe signature value is forged.

Still another type of fault injection attack is a lattice-based attack method. In the attack method, an attacker leaks partial continuous bits of scalar k used each time by injecting errors in a signature execution process, particularly a scalar multiplication process, carries out signature for n times, obtains an inequality set according to a formula for calculating s in the algorithm step 6, and can recover a signature private key by using a lattice attack method under a certain condition. Next, a lattice attack method for an elliptic curve will be described.

A lattice is a set of vectors formed by a linear combination of a set of linearly independent vectors. Is defined as follows, let v₁，…，v_n∈R^mIs a set of linearly independent vectors. By v₁，…,v_nThe generated lattice L refers to the vector v₁,…，v_nAnd the coefficients used are all in Z, i.e.

L＝{a₁v₁+a₂v₂+…+a_nv_n:a₁，a₂，…,a_n∈Z}

There are two fundamental computational challenges in a lattice, the shortest non-zero vector found in the lattice and the vector closest to the given non-lattice vector found in the lattice. Commonly referred to as the Shortest Vector Problem (SVP) and the most recent vector problem (CVP). These two problems will be briefly explained below.

Shortest Vector Problem (SVP): and searching a shortest non-zero vector in the lattice L, namely searching a non-zero vector v epsilon L to ensure that the Euclidean norm | v | is minimum.

Recent vector problem (CVP): given a vector w ∈ R that is not in lattice L^mAnd finding a vector v ∈ L to be closest to w, namely finding a vector v ∈ L to minimize the Euclidean norm w-v |.

Attacks on elliptic curve signature algorithms using the above mathematical structure are generally constructed as Hidden Number Problems (HNPs) by obtaining a specific set of inequalities associated with secret information. Thus, the shortest vector problem or the nearest vector problem on the lattice is constructed according to the corresponding hidden number problem. Obtaining the shortest vector problem or approximate solution of the nearest vector problem in polynomial time by using LLL algorithm and Babai algorithm, and further recovering the secret message, namely the signature private key d_AThe value of (c).

Next, a method for implementing a lattice attack is described by taking the elliptic curve signature algorithm SM2 as an example.

First, the hidden number problem is introduced: if t_i∈Z_nAre randomly and uniformly distributed, i is equal to {1,2, …, N }, u ∈ }_i∈Z_n，0＜l＜log₂n, finding an alpha epsilon Z_nSo that it satisfies | α t_i-u_i|_n≤n/2^lWherein | x |_n＝min{|x-bn||x∈Z_nAnd b belongs to Z, and the problem is a hidden number problem. In fact, the above inequality is equivalent to | α t_i-u_i+h_in|≤n/2^lWherein h is_iIs the minimum value at which the above inequality holds.

Next, a method of converting the hidden number problem into a CVP in a cell is introduced: using the parameters in the hidden number problem to construct an (N +1) -dimensional lattice L whose basis vector matrix is

Let the target vector u be (u)₁,u₂,…,u_N,0)、x＝(h₁,h₂,…,h_Nα), then v ═ xM is the vector in lattice L, and v ═ t (α t)₁+nh₁,…,αt_N+nh_N,α/2^l) Obtained from the HNP inequality group

According to the inference about the latest vector problem in the lattice, the inequality group can be known to be classified as a CVP problem, the CVP can be solved by using the LLL algorithm and the Babai algorithm, namely, the vector v is obtained, and the value of alpha can be determined through v.

Assuming that N signature operations are performed for the SM2 signature algorithm, each signature operation is erroneous by an error inducing means such as an electromagnetic or laser beam, and the random number k is acquired separately_iOf the lowest l-bit value a_iI ∈ {1,2, …, N }, and a false signature result (r) is obtained_i,s_i) For the above case, a corresponding hidden number problem can be constructed. Let k_i＝b_i2^l+a_iWherein b is_i＜n/2^lIs an unknown value. Will k_iSubstituting step 6 in the signature as (1+ d)_A)^-1(k-rd_A) mod n can be given by:

2^-l(s_i+r_i)d_A-2^-l(a_i-s_i)＝b_imod n

let t_i＝2^-l(s_i+r_i)mod n、u_i＝2^-l(a_i-s_i) mod n, so that:

|t_id_A+h_in-u_i|＜n/2^l

wherein h is_iIs the minimum value at which the above inequality holds.

The above equation is the hidden number problem converted from the known scalar k part of the lower continuous bits in the SM2 signature, and the above equation is reusedThe method for converting the signature into the CVP can solve and obtain the signature private key d through the LLL algorithm and the Babai algorithm_AThe value of (c). Likewise, obtaining the upper successive bits of scalar k may also implement the attack steps described above. At present, it has been proved in literature that, for a signature algorithm with a scalar of m bits, if l bits of k are known, about m/l times of wrong signatures are required to obtain correct d_A. For example, for a common SM2 signature algorithm with a scalar k of 256 bits, it is feasible in practical experiments that about 32 signatures are generally required to successfully obtain a private key if 8 bits of the scalar k are known.

In order to obtain continuous bits of a scalar k, in a traditional differential fault attack aiming at an elliptic curve, in the process of binary scalar multiplication operation, an attacker carries out single-bit fault injection on an output intermediate value result of an ith round of iterative operation, and finally obtains an error scalar multiplication result through calculation. An attacker uses a correct scalar multiplication result to guess continuous bits used by the scalar k in an iteration process after the ith round of binary scalar multiplication to obtain an output intermediate value of the ith round corresponding to the guess, and further guess an error bit of the intermediate value, namely guess an error intermediate value. And continuously calculating a corresponding error output result by using the error intermediate value of each guess and the continuous bit of the corresponding guess k, and if the error intermediate value of each guess and the continuous bit of the corresponding guess k are the same as the error scalar multiplication result obtained by fault injection, indicating that the continuous bit of the k is guessed correctly. The experiment is repeated, and after enough k continuous bit information is obtained, the signature private key d can be cracked by constructing the CVP problem on the lattice_AThe value of (c). The attack method has two main disadvantages, one is that in order to obtain continuous bits of a scalar k, at least two times of signature operation are required to be guaranteed by using the scalar k, which is in violation of the principle of signature operation scalar random selection. The other is that the fault injection method needs to accurately grasp the fault injection time and position, and the injected error must be guaranteed to be a single-bit error, thereby greatly weakening the feasibility of the fault injection method.

Most of other existing fault injection methods aiming at the scalar multiplication operation of the elliptic curve have attack difficulty similar to the scheme, namely the injection time and the injection position are difficult to accurately determine, so that the feasibility and the attack efficiency of the fault injection attack are greatly reduced. That is to say, for a security evaluator of the cryptographic device, the existing fault injection attack method has high implementation difficulty for evaluation, and it is difficult to perform efficient security evaluation on the elliptic curve signature algorithm.

Disclosure of Invention

In order to solve the problems of difficulty and low efficiency of fault injection, namely the problem of difficulty in using a fault injection attack method for safety evaluation, the invention provides a safety evaluation method of an elliptic curve signature algorithm, which is easy to implement the fault injection attack aiming at the elliptic curve signature scheme. If the attack method is used, the correct signature private key can be recovered, and the signature is proved to fail the security evaluation; if the private key of the signature cannot be successfully recovered by using the attack method, the signature is proved to pass the security evaluation. The scalar multiplication used in the elliptic curve signature scheme takes a scalar digit number as a counter of an iteration wheel, and common scalar multiplication is mostly realized in the type, such as binary scalar multiplication, a direct point and point addition algorithm which can resist time analysis and simple energy analysis, a Montgomery factorial algorithm and the like.

The fault injection attack method and the fault injection attack process for elliptic curve signatures provided by the invention are shown in the attached figure 1 and comprise the following contents:

1) the method comprises the steps of operating a signature device, enabling the signature device to use the same signature private key to execute multiple signature operations on a known message to be signed, acquiring energy information of the signature device by using an oscilloscope, analyzing an acquired energy waveform in a simple energy analysis mode in energy analysis, finding and recording the moment before the start of a scalar multiplication part of the signature operation by combining algorithm execution time information when the energy information can reflect the equipment execution condition and scalar multiplication is the most important part of signature, and selecting the moment as a fault injection time point. And repeating the method, analyzing and confirming the multi-time signature energy waveform, and determining the fault injection time point.

2) The method comprises the steps of operating a signature device, executing a signature algorithm by using the same signature private key, selecting a position area in a fixed range for the signature device by using a fault injection device to perform scanning fault injection, performing injection before scalar multiplication in each signature operation starts, acquiring energy information of the signature device by using an oscilloscope, observing and analyzing an acquired energy curve in a simple energy analysis mode in energy analysis to judge the change of the iteration round number of the scalar multiplication compared with the normal condition, and if the change does not affect the subsequent normal operation of the signature algorithm, indicating that the position area is properly selected as the position of a counter for controlling the iteration round number, otherwise, continuously searching the next position area.

3) And for each signature operation, injecting error information of any random bit into a counter for controlling the iteration round number in the signature device at a selected fault injection time point by using a fault injection device, so that the stored value in the counter is changed into a stored value which is not equal to the correct initial stored value of the counter.

And for each signature operation injected with the error, recording the output error signature result for screening attack availability.

For each signature operation injected with the error, the signature operation is executed in the signature device, an oscilloscope is used for collecting energy or electromagnetic information of the signature device, a pattern representing an iteration wheel in the energy waveform is observed by observing the collected energy or electromagnetic waveform and combining a known scalar multiplication algorithm used by the operation, a method similar to simple energy analysis is used, matching information of the energy waveform and the algorithm execution is utilized, the number of the rounds of loop iteration execution in the scalar multiplication is determined by counting the repeated times of the pattern, and then the value count' after the counter stored value is injected with the random bit error is determined by the equivalent relation between the number of the rounds and the counter stored value.

For each signature operation injected with an error as described above, assume that the counter stored value in scalar multiplication [ k ] G changes from a correct value count to an error value count'. The method of observing the waveform with an oscilloscope is used to screen out specific error signature operation. These signature operations satisfy count ' < count, and scalar multiplication with the difference (count-count ') as a scalar digit number matches the algorithm and apparatus selected to solve ECDLP, i.e., the difference corresponds to ECDLP with a scalar digit number that is resolvable, generally, when 0 < count-count ' ≦ 32, it is considered to have a higher solution efficiency. And recording the counter error value count' of the signature and the error signature output result, and judging that the signature operation is an error signature operation.

For the selected signature operation with the injected error, the corresponding scalar multiplication output result Q '═ k' ] G after the injection of the error in the counter, that is, the result of each error signature of the record in the above paragraph. The relationship between the value of the error scalar [ k '] corresponding to the output result and the original correct scalar [ k ] is related by the count, the count', and the algorithm used for scalar multiplication. If the number of loop iterations corresponding to the correct value count of the scalar multiplication counter is count +1, and the scalar multiplication uses a binary algorithm from left to right, the error scalar [ k ' ] corresponding to the error result Q ' output by the scalar multiplication is the first count ' +1 bit of the correct scalar [ k ]. By the signature output result after error injection, the corresponding value of the error scalar multiplication result Q '═ k' ] G can be calculated, and also the scalar multiplication result in the case of no error, that is, the value of [ k ] G can be calculated. The methods for calculating correct and incorrect scalar multiplication results corresponding to different elliptic curve signature algorithms are different, and ECDSA and SM2-DSA are taken as examples in the specific implementation method for explanation.

For the selected error-injected signature operation, if the scalar multiplication uses a binary algorithm from left to right, and the relationship between the counter correct value count and the counter error value count 'is w ═ count-count', as described above, the correct scalar multiplication result [ k ] can be calculated from the signature error output result]G and error scalar multiplication result [ k']G, using the point addition operation on the elliptic curve corresponding to the signature, calculating to obtain [ k ″ ]]G＝[k]G-2^w[k′]G，[k″]I.e. the correct scalar value [ k ]]The low w bits of (a). From the foregoing, it can be seen that an Elliptic Curve Discrete Logarithm Problem (ECDLP) solvable scalar digit number is knownCorresponding value w, i.e. the scalar [ k ] to be solved "]Is a binary digit value of w, in which case [ k "", is known]G and G, a w-bit scalar [ k ] can be obtained by solving an Elliptic Curve Discrete Logarithm Problem (ECDLP) in a limited time "]Such as using an exhaustive method, a large step and small step method, etc. By derived w-bit scalar [ k ] "]May prepare for subsequent recovery of secret information using a lattice attack.

For each signature operation injected with the error, when the condition of energy collection or electromagnetic collection by using an oscilloscope is not met in the screening process, a difference w between an initial correct value and an error value of a counter obtained after error injection is selected to be q (q is more than 0 and less than or equal to 32), and a correct scalar multiplication result [ k is calculated according to a signature error output result]G and error scalar multiplication result [ k']G, calculating to obtain P ═ k]G-2^q[k′]G. Further, q bits of scalar value [ k ] are processed_q]Solving for P ═ k_q]G, if a scalar [ k ] can be obtained_q]The value of (b) indicates that w equals q after error injection and the scalar [ k ] used in the signature is used in the signature operation]The low q bit of (1) is [ k ]_q](ii) a Otherwise, the signature operation w is not equal to q after error injection. And repeating the method to screen out enough signature operations, and recording low-q-bit scalar information and error signature output corresponding to each operation for the screened signature operations. By derived q-bit scalar [ k ] "]May prepare for subsequent recovery of secret information using a lattice attack.

For the selected signature operation with injected errors, the scalar [ k ] of each time is obtained by the method described above]The bit value of the corresponding low w bits. At the same time, due to the scalar k used during the computation of the signature output values r and s]Still correct values, so N signature output values (r, s), and the low w bits of scalar k can be obtained with sufficient signature operations. The data are combined with a formula for calculating a signature output value in signature operation to construct a hidden number problem, the hidden number problem can be further converted into a lattice nearest vector problem, and a signature private key d used in signature operation can be recovered by using an LLL algorithm and a Babai algorithm_AOf (2) to obtain elliptic curve signature algorithmSecret information.

Advantages over the prior art

Compared with the existing common fault injection attack security assessment method aiming at the elliptic curve, the method has the following advantages:

1. the invention discloses an elliptic curve signature scheme for round iteration by using counter control aiming at scalar multiplication, and innovatively provides a grid-based fault injection attack method for attacking an initial numerical value of a counter;

2. the invention has low requirement on attack conditions, and signature error output and related information which can be used for implementing the attack can be obtained by simple screening only after any random bit error is injected into the initial value storage position of the counter at any time before scalar multiplication starts;

3. the invention attacks the signature protection methods such as the addition of elliptic curve parameter base point verification, scalar multiplication input/output point verification, intermediate value point verification and the like, is still effective, and has higher safety evaluation requirements on the cryptographic algorithm;

4. the method has low requirement on attack conditions and low requirement on attack precision, so that the method has higher efficiency and feasibility compared with most fault injection methods aiming at elliptic curves.

Drawings

FIG. 1 is a basic flow chart for security assessment through elliptic curve signature algorithm fault attack proposed by the present invention;

fig. 2 is a flowchart of an error injection attack against the SM2 signature algorithm according to a first embodiment of the present invention;

fig. 3 is a flowchart of an error injection attack on ECDSA according to the second embodiment of the present invention.

Detailed Description

The invention is explained in more detail below with reference to the drawing and two exemplary embodiments, without in any way limiting the scope of the invention.

A common fault injection attack method is performed on a cryptographic device, in particular a secure chip, executing a cryptographic algorithm. Methods commonly used to achieve fault injection effects include laser injection, electromagnetic interference, abrupt changes in voltage clock, and the like. The fault injection attack method provided by the invention has certain attack threats to some common elliptic curve signature schemes and some common protection schemes. The present invention will be described in greater detail below with respect to its attack capabilities in various embodiments. The embodiment is to carry out an attack of error injection aiming at an SM2 signature algorithm implemented on a security chip, wherein the SM2 signature algorithm can comprise a fault protection method of elliptic curve parameter base point verification, scalar multiplication input/output point verification and intermediate value point verification; the second embodiment is directed to an ECDSA fault injection attack implemented on a security chip, and the ECDSA signature algorithm may include a fault protection method for elliptic curve parameter base point verification, scalar multiplication input/output point verification and intermediate value point verification.

First embodiment, this embodiment performs an attack of error injection on SM2 signature algorithm implemented on a secure chip, scalar multiplication in the SM2 signature algorithm is performed using a binary algorithm from left to right, an elliptic curve over a 256-bit prime field is used, the order of the elliptic curve is 256 bits, each signature generates a random scalar k for signature operation with a maximum of 256 bits, and therefore the counter initial value of the scalar multiplication used for signature is 256. The specific attack flow is shown in fig. 2, and includes the following main steps:

s101, executing an SM2 signature algorithm in the signature device, and selecting fault injection time and position.

Specifically, when the signature device performs the SM2 signature operation, an oscilloscope is used to collect power consumption information or electromagnetic radiation information of the signature device. Identifying the acquired energy waveform by means of energy analysis, judging the time point of executing scalar multiplication round iteration by the signature equipment, and recording the time point; and executing signature operation in the signature device under the fault injection environment again, selecting a proper fault injection range by using a laser or other fault injection devices, using proper fault injection precision, carrying out error injection on the signature device at a time point before scalar multiplication starts, observing the change of an energy waveform corresponding to scalar multiplication round iteration, and if the repetition times of the iteration waveform of the round iteration waveform are less than that of the waveform during normal signature and the subsequent operation of a signature algorithm is normal, indicating that the injection position is correctly selected, and recording the position, wherein the position is the position of the attack target scalar multiplication counter.

And S102, executing signature operation in a fault environment, and screening a signature process and signature output which can be used for implementing attacks.

Specifically, multiple signature operations are performed by using the same signature private key, and each signature operation performs fault injection at the selected fault injection time and position. During signature execution, an oscilloscope is used for collecting energy or electromagnetic information of a signature device, and a round number of cycle iteration execution in scalar multiplication is determined by observing the collected energy or electromagnetic waveform and combining a left-to-right binary scalar multiplication algorithm used in operation and a method similar to simple energy analysis, so that a value stored by a counter is determined after random bit errors are injected. If the value w of the change of the initial value of the counter is calculated to be the count-count '(the count is the correct value of the initial value of the counter, and the count' is the error value of the initial value of the counter), and in the attack of the SM2 signature algorithm for a certain time, the value w is more than 0 and less than or equal to 32 (the set range of w is comprehensively considered according to the equipment performance and the solving time), the error signature operation is considered to pass the screening, and the fault output value of the signature operation at this time is recorded. In the SM2 signature algorithm of the attack, the counter initial value count is 256, and if the counter initial value is incorrectly set to 224 to be not less than count' < 256 in a certain attack, the attack can be screened for use in subsequent steps to recover the private key.

And S103, calculating low-order continuous bit information of a scalar used in the signature operation according to the error information and the error output in each screened signature operation.

Specifically, w-bit low-order bit information corresponding to each error signature operation can be recovered through calculation by using the screened error signature operation and error output thereof. First, the calculation formula r for the signature output value r in step 5 according to the SM2 signature algorithm described in the background art is (e + x)₁) mod n, where e is the known hash value of the message to be signed, x can be derived₁(r-e) mod n, generalAn erroneous scalar multiplication result [ k 'can be calculated by an elliptic curve equation']G. Next, the signature algorithm described in the background art uses the calculation formula s ((1+ d) for the signature output value s in step 6 of the SM2 signature algorithm_A)^-1·(k-r·d_A) Mod n, can yield [ k]G＝[(r+s)d_A]G+[s]G, wherein d_ATo sign the private key, [ d ]_A]G equals public key P disclosed in SM2 signature_A. Thus, the correct scalar multiplication result k can be calculated by this equation]The value of G. Let the w-bit low-order bit information in each error signature operation be k ', then [ k')]G＝[k]G-2^l[k′]And G, as k 'is a value of w bits (w is less than or equal to 16), for the ECDLP problem corresponding to the scalar of the number of bits, experimental equipment can solve the ECDLP problem within acceptable time to obtain low w bit information k' of the scalar k of the signature operation at this time. And repeating the steps to obtain the low w-bit information corresponding to the scalar k of each screened error signature.

S104, constructing a lattice problem, and recovering a signature private key of the SM2 signature algorithm by using a lattice attack method.

Specifically, using the low w-bit information of scalar k in each error signature obtained in step S103 and the error signature output value, a trellis nearest vector problem (CVP) is constructed to find the value of the signature private key. In the error signature filtered, w corresponding to the low w bit information obtained each time is not fixed. In constructing the trellis problem described in the background art, the trellis parameter l may be selected as the minimum value of w in the filtered error signatures, so that the obtained inequality set meets the construction condition of the trellis CVP problem described in the background art, and since the attack information provided by the error signatures used for implementing the trellis attack, i.e. the minimum value of the lower consecutive bits of the scalar k is l, the method is more optimized in terms of execution efficiency and the number of required signature pieces than if the fixed lowest l bits of the scalar k are known in each signature operation. Furthermore, by using the LLL algorithm and the Babai algorithm on the constructed lattice, the signature private key d can be recovered_AThe value of (c).

The SM2 signature algorithm described in this embodiment includes the ordinary SM2 signature algorithm without protection, and the SM2 signature algorithm with common fault protection methods, such as elliptic curve parameter base point verification, scalar multiplication input-output point verification, and intermediate value point verification. If the SM2 signature algorithm attacked by the embodiment includes the above-mentioned fault protection method, the attack method of the present invention is still effective, and the specific analysis is as follows. Firstly, for the SM2 signature algorithm containing elliptic curve parameters and base point verification, the protection method is ineffective for the attack method because the attack method does not cause any influence on the elliptic curve parameters and the base points. Next, for the verification of the scalar multiplication input/output point and the intermediate value point, after error injection is performed in the signature operation, the initial value of the counter changes, and the error injection causes the number of iteration rounds of scalar multiplication to change. In this case, the output point of scalar multiplication in the signature algorithm running after error injection is still located on the elliptic curve and can be checked through the point on the elliptic curve, so that the protection method is ineffective to the attack method of the invention.

In the second embodiment, the present embodiment performs an attack of error injection on the ECDSA signature algorithm implemented on the secure chip, scalar multiplication in the signature algorithm is performed by using a left-to-right binary algorithm, an elliptic curve on a 256-bit element domain is used, the order of the elliptic curve is 256 bits, a random scalar k generated by each signature for signature operation is 256 bits at most, and therefore, the initial value of a counter for scalar multiplication used by the signature is 256. The specific attack flow is shown in fig. 3, and includes the following main steps:

s201, executing an ECDSA signature algorithm in the signature device, and selecting fault injection time and position.

Specifically, when the signature device executes the ECDSA signature operation, an oscilloscope is used to collect power consumption information or electromagnetic radiation information of the signature device. Identifying the acquired energy waveform by means of energy analysis, judging the time point of executing scalar multiplication round iteration by the signature equipment, and recording the time point; and executing signature operation in the signature device under the fault injection environment again, selecting a proper fault injection range by using a laser or other fault injection devices, using proper fault injection precision, carrying out error injection on the signature device at a time point before scalar multiplication starts, observing the change of an energy waveform corresponding to scalar multiplication round iteration, and if the repetition times of the iteration waveform of the round iteration waveform are less than that of the waveform during normal signature and the subsequent operation of a signature algorithm is normal, indicating that the injection position is correctly selected, and recording the position, wherein the position is the position of the attack target scalar multiplication counter.

S202, executing signature operation in a fault environment, and screening a signature process and signature output which can be used for implementing attacks.

Specifically, multiple signature operations are performed by using the same signature private key, and each signature operation performs fault injection at the selected fault injection time and position. During signature execution, an oscilloscope is used for collecting energy or electromagnetic information of a signature device, and a round number of cycle iteration execution in scalar multiplication is determined by observing the collected energy or electromagnetic waveform and combining a left-to-right binary scalar multiplication algorithm used in operation and a method similar to simple energy analysis, so that a value stored by a counter is determined after random bit errors are injected. If the value w of the change of the initial value of the counter is calculated to be the count-count '(the count is the correct value of the initial value of the counter, and the count' is the error value of the initial value of the counter), and in the attack of the ECDSA signature algorithm for a certain time, the w is more than 0 and less than or equal to 32 (the set range of the w is comprehensively considered according to the equipment performance and the solving time), the error signature operation is considered to pass the screening, and the fault output value of the signature operation at this time is recorded. In the ECDSA signature algorithm of the attack, the counter initial value count is 256, and if the counter initial value is incorrectly set to 224 to be not less than count' < 256 in a certain attack, the attack can be screened and used in the subsequent steps to recover the private key.

And S203, calculating the low-order continuous bit information of the scalar used in the signature operation according to the error information and the error output in each screened signature operation.

Specifically, w-bit low-order bit information corresponding to each error signature operation can be recovered through calculation by using the screened error signature operation and error output thereof. First, according to the calculation formula r ═ x in step 3 of the ECDSA signature algorithm described in the background art, the signature output value r is calculated₁mod n, can give x₁R mod n, that is, the signature output value r is the abscissa of the scalar product output value under error injection, and the error scalar product result [ k 'can be calculated by an elliptic curve equation']G. Next, the ECDSA signature algorithm described in the background art uses k as a calculation formula for the signature output value s in step 5^-1(e+r·d_A) mod n, can result in [ k]G＝[e·s^-1]G+[r·s^-1d_A]G, wherein d_ATo sign the private key, [ d ]_A]G is equal to the public key P disclosed in the ECDSA signature_A. Thus, the correct scalar multiplication result k can be calculated by this equation]The value of G. Let the w-bit low-order bit information in each error signature operation be k ', then [ k')]G＝[k]G-2^l[k′]And G, as k 'is a value of w bits (w is less than or equal to 16), for the ECDLP problem corresponding to the scalar of the number of bits, experimental equipment can solve the ECDLP problem within acceptable time to obtain low w bit information k' of the scalar k of the signature operation at this time. And repeating the steps to obtain the low w-bit information corresponding to the scalar k of each screened error signature.

And S204, constructing a lattice problem, and recovering a signature private key of the ECDSA signature algorithm by using a lattice attack method.

Specifically, using the low w-bit information of scalar k in each error signature obtained in step S203 and the error signature output value, a trellis nearest vector problem (CVP) is constructed to find the value of the signature private key. In the error signature filtered, w corresponding to the low w bit information obtained each time is not fixed. In constructing the lattice problem described in the background, the lattice parameter l may be selected as the minimum value of w in the filtered error signatures, so that the resulting set of inequalities all meet the construction conditions of the lattice CVP problem described in the background above, and the attack information provided by the error signatures used to implement the lattice attack, i.e. the targetThe minimum value of the lower consecutive bits of the quantity k is l, so the method is more efficient and requires more signature pieces than the fixed lowest l bits of the scalar k in each signature operation. Furthermore, by using the LLL algorithm and the Babai algorithm on the constructed lattice, the signature private key d can be recovered_AThe value of (c).

The ECDSA signature algorithm described in this embodiment includes an ordinary ECDSA signature algorithm without protection, and an ECDSA signature algorithm with a common fault protection method, such as elliptic curve parameter base point verification, scalar multiplication input/output point verification, and median point verification. If the ECDSA signature algorithm attacked by the embodiment includes the fault protection method, the attack method is still effective, and the specific analysis is as follows. Firstly, for the ECDSA signature algorithm containing elliptic curve parameters and base point verification, the attack method of the invention does not affect the elliptic curve parameters and the base points, so the protection method is ineffective for the attack method of the invention. Next, for the verification of the scalar multiplication input/output point and the intermediate value point, after error injection is performed in the signature operation, the initial value of the counter changes, and the error injection causes the number of iteration rounds of scalar multiplication to change. In this case, the output point of scalar multiplication in the signature algorithm running after error injection is still located on the elliptic curve and can be checked through the point on the elliptic curve, so that the protection method is ineffective to the attack method of the invention.

It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims

1. A security evaluation method of elliptic curve signature algorithm comprises the following steps:

1) the signature device executes signature operation on a message to be signed by running a target elliptic curve signature algorithm to be evaluated, collects energy information of the signature device, and determines a fault injection time point according to the collected energy information;

2) the signature device runs the target elliptic curve signature algorithm to execute signature operation on a message to be signed, fault injection is carried out on a position area of the signature device at the fault injection time point determined in the step 1) by using fault injection equipment during each signature operation, energy information of the signature device is collected, and the position of a counter for controlling the number of iteration rounds in the signature device is determined according to the collected energy information;

3) the signature device runs the target elliptic curve signature algorithm to execute a plurality of times of signature operations on the message to be signed, fault injection is carried out on the position of the counter and the determined fault injection time point by using fault injection equipment during each signature operation, energy information of the signature device is collected, and the stored value count' of the counter after fault injection is determined according to the collected energy information; if the condition that the count 'is less than the count and the ECDLP problem of the difference value w corresponding to the scalar digit number can be solved on equipment used by an attacker, recording the counter storage value count' of the signature and an error signature output result; wherein the count is a correct storage value of the counter when the signing device executes the target elliptic curve signing algorithm to sign the message to be signed; w ═ count-count';

4) recovering the signature private key of the target elliptic curve signature algorithm by using the N error signature output results obtained in the step 3); and if the recovery is not successful, judging that the target elliptic curve signature algorithm passes the safety evaluation.

2. The method of claim 1, wherein an energy waveform is generated based on the collected energy information, and a time before a start of the scalar multiplication section of the signature operation, i.e., a fault injection time point, is determined based on the energy waveform.

3. The method of claim 1, wherein the counter controlling the number of iterations in the subscribing device is located by:

21) fault injection is carried out on one area of the signature equipment at the determined fault injection time point, and the energy waveform of the signature equipment is collected;

22) judging the scalar multiplication iteration round number of the signature operation according to the energy waveform and comparing the scalar multiplication iteration round number of the signature operation when the fault injection is not carried out, if the scalar multiplication iteration round number is changed and the normal operation of the signature algorithm is not influenced, judging that the currently selected position area is the position of a counter for controlling the iteration round number, and otherwise, changing the position area of the fault injection;

23) and repeating the steps 21) to 22) until the position of the counter for controlling the number of iteration rounds is found.

4. The method of claim 1, wherein the signature private key of the target elliptic curve signature algorithm is recovered using LLL algorithm or Babai algorithm.

5. A security evaluation method of elliptic curve signature algorithm comprises the following steps:

3) the signature device runs the target elliptic curve signature algorithm to execute a plurality of times of signature operations on the message to be signed, and fault injection is carried out on the position of the counter and the determined fault injection time point by using fault injection equipment during each signature operation; setting the storage value of the counter after fault injection as count ', wherein the count-count' is w; wherein count is a correct storage value of the counter when the signing device operates the target elliptic curve signing algorithm to execute signing on the message to be signed, and q is a set value; calculating a correct scalar multiplication result [ k ] according to the current signature operation output result]G and error scalar multiplication result [ k']G, then calculating to obtain P ═ k]G-2^q[k′]G, then scalar value [ k ] of q bits_q]Solving for P ═ k_q]G elliptic curve discrete logarithm problem, if a scalar [ k ] can be obtained_q]If w is equal to q, and the scalar [ k ] used in the signature is determined to be q]The low q bit of (a) is [ k ]_q]Recording low-q bit scalar information and error signature output corresponding to the signature operation; otherwise, judging that w is not equal to q after the signature operation is wrongly injected; by derived q-bit scalar [ k ] "]May prepare for subsequent recovery of secret information using a lattice attack;

4) outputting and recovering a signature private key of the target elliptic curve signature algorithm according to the low q-bit scalar information and the error signature recorded in the step 3); and if the recovery is not successful, judging that the target elliptic curve signature algorithm passes the safety evaluation.

6. The method of claim 5, wherein q is a scalar bit value in an aggressor-solvable ECDLP problem.

7. The method of claim 5, wherein the signature private key of the target elliptic curve signature algorithm is recovered using LLL algorithm or Babai algorithm.