Abstract
The SM4 algorithm is widely used to ensure the security of data transmission. Traditional chosen-plaintext power attacks against SM4 usually need to analyze the power traces of four rounds in turn to recover the secret key. In this paper, we propose a new combined chosen-plaintext power analysis, which combines the chosen-plaintext power attack with the differential characteristics of the substitution box (S-box) in SM4. In our attack, only the second- and fourth-round S-box outputs of the SM4 algorithm are used as attack points, and some sensitive fixed intermediate values are obtained by power analysis when specific plaintext is input. Differential analysis of these sensitive intermediate values is then carried out to calculate the difference between the input and output of the S-box, and the key can be recovered from the differential characteristics of the S-box. Compared with the traditional chosen-plaintext power analysis, which requires four rounds of analysis, our analysis reduces the number of attack rounds to two and adopts the nonlinear S-box, which has obvious leakage information, as the attack intermediate value, which effectively improves the feasibility of the attack. Finally, a practical attack experiment is carried out on a Field Programmable Gate Array (FPGA) based implementation of the SM4 algorithm, and the results show that our method is feasible and effective for real experiments.