Cite this article:
Wu Po, Ruan Chong, Zhang Qian, Zhang Rui, Tao Yang, Liu Yajie. Structural Migration of SM4 toward AES Redundant Tower Fields with Compact Masked Implementation [J]. Journal of Cyber Security, accepted.
Abstract (translated from the Chinese):
As China's statutory block cipher standard, SM4 faces the threat of side-channel attacks in critical infrastructures such as power monitoring. Existing SM4 countermeasures have significant limitations: hiding schemes and schemes that exploit the structure of the cryptographic hardware lack provable security, while existing masking schemes depend on composite-field computation and therefore reach a best compactness of only 6.72% of the unprotected baseline implementation. The redundant tower field (RTF) technique has proven highly efficient for AES, but the S-boxes of SM4 and AES differ in their underlying algebraic structure (different irreducible polynomials, incompatible affine transformations), so the technique cannot be migrated directly. This work proposes an RTF-based masked SM4 hardware design: the SM4 S-box is embedded into the AES redundant tower field framework through an algebraic mapping, and the affine transformations are merged with the constant offsets to obtain a compact round function; a shared key-schedule unit is designed that reuses the encryption logic to generate decryption keys in real time; combined with first-order ISW masking, this yields the ISW-RTF SM4 countermeasure. Six SM4 designs are implemented, namely lookup-table-based and RTF-based versions of an unprotected, a dual-rail protected and a masked implementation, and evaluated on four FPGAs (Kintex7, Virtex6, Spartan6, Spartan3) with a compactness metric defined as throughput per unit area (Kbps/LUT). In addition, the proposed Security Bit Number and Security Coverage Rate metrics are used to systematically evaluate and compare the side-channel security of all six implementations over all 32 bits of the sensitive intermediate value. Experiments show that on Kintex7 the ISW-RTF SM4 implementation reaches a compactness of 251.56 Kbps/LUT, which is 32.40% of the unprotected baseline and 4.82 times that of the most compact existing masked SM4 implementation. With one million power traces, ISW-RTF SM4 protects all sensitive intermediate values, reaching a Security Bit Number of 32 and a Security Coverage Rate of 100%, and thus shows very strong resistance to side-channel attacks.
Keywords: SM4; Redundant Tower Field; Masking Countermeasure; Compactness; Security Bit Number
DOI:
Received: 2025-08-17; Revised: 2025-11-24
Funding: This work was supported by the project "Research on Key Cryptographic Module Technologies and Their Adaptation and Application for Dispatching and Control Systems" (52170225001N).
|
Structural Migration of SM4 toward AES Redundant Tower Fields with Compact Masked Implementation

Wu Po 1, Ruan Chong 1, Zhang Qian 2, Zhang Rui 2, Tao Yang 2, Liu Yajie 3

(1. State Grid Henan Electric Power Research Institute; 2. Institute of Information Engineering, Chinese Academy of Sciences; 3. State Grid Henan Electric Power Company)
Abstract:
As China's national standard for block ciphers, SM4 faces threats from side-channel attacks (SCAs) in critical infrastructures like power monitoring. Existing SM4 countermeasures exhibit significant limitations: hiding schemes and hardware-based schemes lack provable security, while masking schemes suffer from low area efficiency (only 6.72% of the unprotected baseline) due to reliance on composite field computation. Although the Redundant Tower Field (RTF) technique has proven efficient for AES, its direct application to SM4 is hindered by fundamental algebraic differences in their S-boxes (irreducible polynomials and affine transformations are incompatible). This paper proposes an RTF-based masked SM4 hardware design. We embed the SM4 S-box into the AES RTF framework via algebraic mapping and merge affine transformations with constant offsets to achieve a compact round function. A shared key scheduling unit is designed to reuse encryption logic for real-time decryption key generation. Integrating first-order Ishai-Sahai-Wagner (ISW) masking yields the ISW-RTF SM4 protected scheme. We implement six designs: lookup-table-based and RTF-based versions of each of an unprotected, a dual-rail protected, and a masked implementation. Their area efficiency, defined as throughput per unit area (Kbps/LUT), is evaluated on four FPGAs (Kintex7, Virtex6, Spartan6, Spartan3). The side-channel security of all 32 sensitive intermediate bits across all six implementations is systematically assessed and compared using the proposed metrics: Security Bit Number and Security Coverage Rate. Experimental results demonstrate that on Kintex7, the ISW-RTF SM4 achieves an area efficiency of 251.56 Kbps/LUT, which is 32.40% of the unprotected baseline and 4.82 times higher than the most compact existing masked SM4 implementation. Under one million power traces, the ISW-RTF SM4 attains a Security Bit Number of 32 and a Security Coverage Rate of 100% for all 32 sensitive bits, exhibiting robust resistance against SCAs.
Key words: SM4; Redundant Tower Fields (RTF); Masking Countermeasure; Area Efficiency; Security Bit Number
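The abstract's "algebraic mapping" rests on the fact that the SM4 S-box field GF(2^8)/(x^8+x^7+x^6+x^5+x^4+x^2+1) and the AES S-box field GF(2^8)/(x^8+x^4+x^3+x+1) are isomorphic, so an SM4 inversion can be evaluated by any AES inversion circuit once a change-of-basis matrix is applied on the way in and its inverse on the way out. The following is an added example, not code from the paper or its authors: it enumerates the eight candidate isomorphisms (one per root of the SM4 polynomial inside the AES field), builds each as an 8x8 GF(2) matrix, and verifies that the migrated inversion agrees with native SM4-field inversion for all 256 inputs. It stops at the AES polynomial basis; the paper's redundant tower field basis, the merged affine transformations and the constant offsets are not reproduced, and the chosen root is the only free parameter (the paper does not state which one it uses).

```python
# Added example: SM4 -> AES field isomorphism for migrating the S-box inversion.
# Only the two published S-box polynomials are taken as facts; everything else
# (root choice, matrix layout) is a free design choice made here, not the paper's.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1                 (AES S-box field)
SM4_POLY = 0x1F5  # x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1  (SM4 S-box field)


def gf_mul(a, b, poly):
    """Multiply two GF(2^8) elements, reducing by the given degree-8 polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r


def gf_pow(a, e, poly):
    """a^e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return r


def gf_inv(a, poly):
    """Multiplicative inverse a^(2^8-2); 0 maps to 0, the convention both S-boxes use."""
    return gf_pow(a, 254, poly) if a else 0


def eval_gf2_poly(coeffs, x, field_poly):
    """Evaluate a GF(2)-coefficient polynomial (bit i of coeffs = coefficient of t^i)
    at the element x of GF(2^8)/field_poly."""
    r = 0
    for i in range(coeffs.bit_length()):
        if (coeffs >> i) & 1:
            r ^= gf_pow(x, i, field_poly)
    return r


def find_roots(src_poly, dst_poly):
    """Elements beta of the destination field at which src_poly vanishes.
    An irreducible degree-8 polynomial has exactly 8 roots in GF(2^8) (the
    conjugates beta^(2^k)); each root defines one valid change-of-basis matrix."""
    return [b for b in range(256) if eval_gf2_poly(src_poly, b, dst_poly) == 0]


def build_isomorphism(beta, dst_poly):
    """Return (columns, fwd, inv): the 8x8 GF(2) matrix as eight column bytes
    (column i = image of the source basis element t^i), plus forward and inverse
    lookup tables of the linear map  sum a_i t^i  ->  sum a_i beta^i."""
    columns = [gf_pow(beta, i, dst_poly) for i in range(8)]
    fwd = []
    for a in range(256):
        v = 0
        for i in range(8):
            if (a >> i) & 1:
                v ^= columns[i]
        fwd.append(v)
    inv = [0] * 256
    for a, v in enumerate(fwd):
        inv[v] = a
    return columns, fwd, inv


def sm4_inverse_via_aes_field(a, fwd, inv):
    """SM4-field inversion computed with AES-field arithmetic: map in, invert
    in GF(2^8)/0x11B (any AES inversion circuit would do), map back."""
    return inv[gf_inv(fwd[a], AES_POLY)]


def check_isomorphism(fwd, inv):
    """True iff the map is a bijection, respects multiplication (spot-checked),
    and the migrated inversion matches native SM4 inversion on all 256 inputs."""
    if len(set(fwd)) != 256:
        return False
    for a in range(256):
        if sm4_inverse_via_aes_field(a, fwd, inv) != gf_inv(a, SM4_POLY):
            return False
        for b in (0x01, 0x02, 0x57, 0xA3, 0xFF):  # constructed spot-check values
            if fwd[gf_mul(a, b, SM4_POLY)] != gf_mul(fwd[a], fwd[b], AES_POLY):
                return False
    return True


def all_valid_mappings():
    """Every root that yields a verified SM4->AES field isomorphism, with its matrix."""
    result = []
    for beta in find_roots(SM4_POLY, AES_POLY):
        columns, fwd, inv = build_isomorphism(beta, AES_POLY)
        if check_isomorphism(fwd, inv):
            result.append((beta, columns))
    return result


if __name__ == "__main__":
    for beta, columns in all_valid_mappings():
        print(f"beta=0x{beta:02X}  matrix columns: " + " ".join(f"{c:02X}" for c in columns))
```

In hardware the forward matrix costs only XOR gates and can be merged with the SM4 input affine transformation, and the inverse matrix with the output affine transformation, which is the "merge affine transformations with constant offsets" step the abstract describes; a masked design additionally benefits from the fact that both matrices are linear and therefore act share-wise on a Boolean masking.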