A DCA-resistant Implementation of SM4 for the White-box Context

Abstract

SM4 [ISO.IEC.18033-3.AMD2] is a cryptographic standard issued by the Organization of State Commercial Administration of China as an authorized block cipher for the use within China. Based on threshold implementations and operations in composite fields, we propose and implement a fixed-key white-box SM4, where all intermediate values (inputs and outputs of the lookup tables) are masked. We express the SM4 S-box in term of operations in composite fields, thus reducing the total size of the lookup tables. The threshold implementation makes the distribution of the masked values uniform and independent of the original values being represented. The white-box SM4 implementation provides resistance against traditional white-box attacks, such as the affine equivalence attack, the BGE-like attack. For DCA-like attacks, our test shows that for aggregating 2048 single-bit correlations, an identified DCA leakage requires billions of microseconds of processor time to extract the secret key, which increases 1st order DCA resistance by at least thousands of times compared with resistance against a single-bit correlation used in a classical DCA attack.