Differential Fault Analysis Against White-Box SM4 Implementations
摘要
Side-channel analyses like differential computation analysis (DCA) and differential fault analysis (DFA) become one of the primary threat to white-box cryptography. Yet the proposed encoding-based white-box SM4 implementations (based on CEJO and self-equivalence framework) have not been systematically evaluated against fault attacks. Therefore, we conduct a comprehensive DFA study targeting encoding-based white-box SM4, under at most a single remotely handled external encoding situation. Our results demonstrate that any white-box SM4 implementation utilizing 32-bit internal encodings without output external encoding is inherently vulnerable to DFA. In Boolean circuit-based software implementations, masking is commonly used to protect sensitive bits by distributing them across secret shares. While prior research has focused primarily on evaluating the resistance of masking-based white-box designs against computation analyses, their robustness against fault analysis remains largely unexplored. To address this gap, we examine the vulnerability of the non-linear masking scheme proposed at ASIACRYPT 2018 and the SEL masking scheme introduced at CHES 2021 under fault injection. Through a systematic analysis of fault propagation across masking shares, we show that masking-based white-box SM4 implementations do not provide sufficient resistance against fault analysis. Our theoretical analysis and experimental validation demonstrate that the master keys of both encoding-based and masking-based white-box SM4 implementations can be successfully recovered with as few as 8 and 32 injected faults, respectively.