Differential Fault Analysis on SMS4

SMS4 is the block cipher used in WAPI,and it is also the first commercial block(cipher) disclosed by the government.Since it was disclosed only a short time ago,on its security,there has been no published paper at present.In this paper the strength of SMS4(against) the differential fault attack is examined.The authors use the byte-oriented fault model,and take advantage of the differential analysis as well.Theoretically,the 128bit master key for SMS4 can be obtained by using 32 faulty ciphertexts.But in practice,for the fact that the byte position where the fault happens isn't equally distributed,the number of faulty ciphertexts needed will be a little bigger than the theoretical value.The attack experiment result validates this fact too.The result shows that only need average 47 faulty ciphertexts to recover the 128bit keys for SMS4.So SMS4 is vulnerable to differential fault attack.To(avoid) this kind of attack, the authors suggest that the encryption device should be protected to prevent the adversary from deducing faults.