Chinese Journal of Computers
  Title: Differential Fault Analysis on SMS4
  Authors: ZHANG Lei, WU Wen-Ling
  Address: (State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080)
(State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049)
  Year: 2006
  Issue: No. 9 (1594-1600)
  Abstract & Background
Abstract: SMS4 is the block cipher used in WAPI, and it is also the first commercial block cipher disclosed by the government. Because it was disclosed only a short time ago, no paper on its security has been published so far. This paper examines the strength of SMS4 against the differential fault attack. The authors use a byte-oriented fault model and also take advantage of differential analysis. Theoretically, the 128-bit master key of SMS4 can be obtained using 32 faulty ciphertexts. In practice, because the byte position where the fault occurs is not equally distributed, the number of faulty ciphertexts needed is a little larger than the theoretical value, and the attack experiment confirms this. The results show that on average only 47 faulty ciphertexts are needed to recover the 128-bit key of SMS4, so SMS4 is vulnerable to the differential fault attack. To avoid this kind of attack, the authors suggest that the encryption device be protected to prevent the adversary from inducing faults.

Keywords: SMS4; differential analysis; differential fault attack; fault model; difference distribution table

Background: In September 1996 Boneh, DeMillo, and Lipton announced a new type of cryptanalytic attack that exploits computational errors to find cryptographic keys. Their attack is called the Fault Attack. In 1997, Biham and Shamir extended this technique to secret-key cryptosystems and came up with the concept of the Differential Fault Attack (DFA). They successfully analyzed the Data Encryption Standard (DES) using this method. Since then, researchers have come up with many different kinds of differential fault cryptanalytic techniques and have successfully attacked many different cryptosystems. For example, in 2000 Biehl, Meyer and Muller presented a paper describing two types of differential fault attacks on elliptic curve cryptosystems. Later, many new results have continued to appear that use the differential fault attack to analyze various cryptosystems such as AES, (Triple-)DES, and RC4. Clearly these attacks are very powerful, because they can be carried out in practice and various techniques have been described for inducing faults during cryptographic computations.