Persistent Fault Analysis Against SM4 Implementations in Libraries Crypto++ and GMSSL

Abstract

Compared to the injection of a transient fault, time synchronization and accuracy are not required for the injection process of a persistent fault. However, the known persistent fault analyses (PFAs) do not work on SM4 implementations because the linear transformation layer hides the position where an error occurs during the encryption process. We present the first persistent fault analysis against SM4 implemented with an S-box by combining the inverse linear transformation with differential techniques. In addition, we propose a locating algorithm to figure out not only where an error occurs during the encryption process but also where a fault is inserted in the lookup table. Consequently, the locating algorithm helps break SM4 implemented with a T-table. We validate our PFA on two open-source implementations of SM4 – Crypto++(v8.3) and GMSSL(v1.0.0). The experiments are performed on a PC and the analysis codes are written in C language. The experimental data shows that the probability of successfully recovering the encryption key approximates 1 when the number of normal-and-faulty-ciphertext pairs is 3000 on average. Namely, PFA can break the encryption system of SM4 in practice once valid faults are inserted. Finally, we apply the attack to protected SM4 implementations and prove that the E-and-D mode of the dual modular temporal redundancy (DMTR) can defeat our PFA.