Side-Channel Attacks and Countermeasures for Identity-Based Cryptographic Algorithm SM 9

Identity-based cryptographic algorithm SM9, which has become the main part of the ISO/IEC 14888-3/AMD1 standard in November 2017, employs the identities of users to generate public-private key pairs. Without the support of digital certificate, it has been applied for cloud computing, cyber-physical system, Internet of Things, and so on. In this paper, the implementation of SM9 algorithm and its Simple Power Attack (SPA) are discussed.Then, we present template attack and fault attack on SPA-resistant SM9. Our experiments have proved that if attackers try the template attack on an 8-bit microcontrol unit, the secret key can be revealed by enabling the device to execute one time. Fault attack even allows the attackers to obtain the 256-bit key of SM9 by performing the algorithm twice and analyzing the two different results. Accordingly, some countermeasures to resist the three kinds of attacks above are given.


Introduction
With the development of integrated circuit and communication technology, smart devices are not only widely spread in our daily life with the proliferation of Internet of things, but also extensively used in the global IT environments and critical infrastructures.Security becomes a critical issue since attacks on these devices may directly harm the consumers.Several papers [1][2][3][4] have studied related security and wireless issues.
Identity-Based Cryptography (IBC) which applies user identity as the public key was proposed by Shamir in 1984 [5] to reduce the complexity of key and certificate management.Developed by the Commercial Cryptography Administration of China in 2016, SM9 [6] has become the most typical identity-based cryptographic algorithm in China.Compared with traditional cryptographic algorithms, SM9 not only omits the exchange of digital certificates and public key processes, but also simplifies the deployment and management of the security systems.Because of its usability and simplicity, SM9 has been employed as the standard for commercial cryptography in China.Its digital signature algorithm has become an international standard as the main part of the ISO/IEC 14888-3/AMD1 in November 2017 [7] too.It is also adopted to secure various systems and scenarios like E-mail [8], cloud storage, intelligent devices [9], industrial control, online communications, mobile payment, and so on.
As described in [10] by Kocher et al. in 1999, it has been proved that even though mathematical characteristics can guarantee the security of cryptographic algorithms in theory, their implementation may suffer from Side-Channel Attack (SCA).SCA allows attackers to reveal secrets by analyzing the side information of an attacked device which is running a cryptographic algorithm, such as power consumption, electromagnetic radiation, and execution time.Because of the low cost and high efficiency, SCA has successfully cracked lots of devices which run DES [11], AES [12], RSA [13], and ECC 2 Security and Communication Networks [14].Despite SM9 algorithm being secure in cryptography theory, whether it is against SCA is still a matter of concern.
At present, the three main SCA techniques are Simple Power Attack (SPA), template attack, and fault attack.Due to the versatility and operability, they have been studied in depth and used to crack various cryptographic algorithms.SPA [15] exploits one trace to reconstruct the sequence of operations during the secret computation and derive information about the secrets from this sequence.As a special power analysis, template attack [16] makes a better use of all information present in each sample.And it is hence the strongest form of SCA possible in an information theoretic sense given the few samples that are available.Fault attack, as another main branch of SCA, often injects errors into cryptographic computation processes and identifies the secret key by analyzing the mathematical and statistical properties of wrong calculation results.Proposed by Biham and Shamir in [17], the fault attack on RSA has become a milestone for the security of public key cryptographic devices.
In this paper, we show that SCA does have a practical threat to the implementation of SM9.We propose the above three kinds of SCA attacks on SM9 algorithm.After this, some corresponding countermeasures are also introduced.The main contributions of this paper are as follows.
(1) A SPA attack on SM9 algorithm is proposed.And we also introduce some countermeasures to resist SPA.
(2) Different from general Elliptic Curve Digital Signature Algorithm (ECDSA), the key is a point on elliptic curves rather than a scalar in scalar multiplication for SM9 algorithm.According to this feature, a template attack is presented for SPA-resistant SM9 implementation and several countermeasures are provided.
(3) We propose a fault attack and conduct experiments to prove that software implementation of SM9 algorithm is vulnerable to this scheme.And then, some corresponding countermeasures are also presented.
This paper is organized as follows.In Section 2, the summarization of SM9 algorithm and its implementation are introduced.We give the basic idea of SPA on SM9 in detail and put forward some countermeasures in Section 3.Then, in Section 4, a template attack is provided to attack the protected SM9 which can resist SPA and the corresponding countermeasures are also given.In Section 5, a fault attack for SPA-resistant SM9 algorithm is presented and several countermeasures are introduced against this scheme.Finally, we conclude this paper in Section 6.

The Preliminaries
2.1.SM9 Digital Signature Generation Algorithm.SM9 digital signature algorithm usually assumes a scenario where Alice communicates with Bob.Alice generates the signature (ℎ, ) of message  by SM9 digital signature generation algorithm for authentication and sends them to Bob. Bob validates the received message   and its signature (ℎ  ,   ) with signature verification algorithm to ensure the authenticity and integrity of this digital signature.
In order to express clearly, we give the meanings of letters as follows.The signature private key of Alice denoted as   is provided by Key Generation Center (KGC).Group  1 and group  2 are addition cyclic groups of order  and their generators are denoted as  1 and  2 , respectively.Group   is a multiplicative cyclic group with order .Let  denote the bilinear pairs mapping function from  1 ⋅  2 to   .KGC generates a random number  as the signature master private key and computes  pub- = [] 2 as the master public key. pub- is well-known, and s is kept secretly by KGC.A cryptographic hash function is denoted as  2 (, ).
Algorithm 1 shows SM9 digital signature generation algorithm.At the beginning of the signature process, system parameters are provided as a part of inputs to make this algorithm work.The operation of adding a point  to itself for  times is called scalar multiplication and is denoted as  = .For decades, many methods have been proposed to implement this operation and the most common is binary algorithm.There are two ways to implement scalar multiplication, left-to-right and right-to-left.And the former is shown in Algorithm 2 and the special point  is called the point at infinity.In the following sections, we assume that scalar multiplication is executed with the left-to-right binary algorithm.

The Implementation of SM9
In Algorithm 2, point doubling is executed  times.In probability, the count of 1 in a scalar integer  is close to /2, so point addition is executed nearly /2 times.Let  represent point addition and  represent point doubling; the operation quantity of binary method is approximately (/2) ⋅  +  ⋅ .

Point Addition and Point
Doubling.An elliptic curve is a set of points (, ) in which ,  ∈ . denotes a finite field.The set of points on an elliptic curve, together with a special point  called the point at infinity, can be equipped with an Abelian group structure by addition operation.An elliptic curve over  can be expressed as the form of Weierstrass equation: where   ∈ .If prime number  ̸ = 2 and 3, the Weierstrass equation can be transformed to with ,  ∈ .
For prime number  ̸ = 2 and 3, let  = ( 1 ,  1 ) ̸ =  be a point.The inverse of  is − = ( 1 , − 1 ) and  = ( 2 ,  2 ) ̸ =  is a second point with  ̸ = −.Point addition + = ( 3 ,  3 ) can be calculated as with The operation of  +  is called point addition if  ̸ = .And it is called point doubling if  = .Obviously, point addition differs from point doubling in the form of formula.

Montgomery Modular Multiplication. Given a modulus
and two integers  and  of size  in base , with gcd(, ) = 1 and  =  ⌈log  ()⌉ , Montgomery modular multiplication algorithm [18] computes: MontMul (, , ) =  ⋅  ⋅  −1 mod . ( Montgomery modular multiplication algorithm is shown in Algorithm 3. Its essence is to combine  ⋅  and  ⋅  by traditional multiplication method.As described in line 2 to line 8,  is unknown at first.With obtaining   calculated by   ⋅  0 , each   ⋅  can be calculated too.Finally,  can be derived.MontMul(, , ) can be computed by alternating all   ⋅  and   ⋅  and adding up to . Figure 1 illustrates the intuitive graphical representation of CIOS modular multiplication [19,20].

Power Analysis Attack.
In SPA [15], attackers directly observe power consumption for a single execution of target operation without any statistical methods.As a special power analysis, template attack [16] generally consists of the following three phases.The first is template building phase, and attackers build templates to characterize devices by executing a sequence of instructions on fixed data.Next, it allows attackers to match the templates to the power consumption traces of devices in template matching phase.Finally, attackers can do some analysis and derive secret information during offline searching phase.
Hamming weight model proposed in [10,21] analyzes the correlation between power consumption and the register switching from one state to the other.It is generally assumed that power consumption depends on the number of bits switching from 0 to 1 or 1 to 0 within the corresponding time.For -bit register, binary data =0   is the number of bits set to 1. Considering a chip as a large set of elementary electrical components, its power consumption contains not only the state changes but also other variables' consumption, such as offsets, time dependent components, and noise.Therefore, the basic model for the data dependency can be described as  = HW() + , where  is a constant and  indicates the other consumption.

Fault Attack.
Fault attack [17] allows attackers to disturb cryptographic devices by physical methods to make them ← ( +   ⋅ )/.(6) if  ≥  then (7)  ←  − .(8) end for (9) return  Algorithm 3: Montgomery modular multiplication algorithm.run in wrong states.Due to the injected fault, the devices perform some operations in modified environment and produce incorrect results.Combining with the algorithm in the devices, some knowledge related to the secret key could be gained from the results.Because of the lower cost, simple operation, and obvious effect, fault attack has become one of the most concerned SCA techniques.Faults in devices can be made for a variety of reasons.In general, variations in normal working conditions can be injecting faults into a system effectively.For example, changing supply voltage or clock frequency can disrupt execution process and cause the processor to skip some instructions or change its output.Exposing devices in the temperatures outside its operational range usually makes random modifications to the memory.It is also possible to inject faults more accurately by using the inherent photoelectric effects of electric circuits.Under the exposure of photons, devices can produce induced currents and disrupt normal operations.In fact, lasers can make faults more precise in terms of target area and injection time.Also, faults can be injected in packaged circuits without removing the packaging by X-rays and ion beams.

Problem Formulation.
Different from the general ECDSA and SM2 algorithm, the secret key in scalar multiplication is the point on elliptic curves rather than the scalar for SM9 algorithm.The scalar of the classical ECC and SM2 is a secret and the point is known, while the scalar and the point are both unknown in SM9.Therefore, the attack methods of the two are fundamentally different.In this paper, we focus on this issue to present template attack described in Section 4 and fault attack described in Section 5 which are only applied to SM9.

Simple Power Attack and
Countermeasures on SM9 Our SPA attack against SM9 recovers  by observing the differences in power consumption caused by the difference operations for bit 1 and bit 0. As described in Algorithm 2, it always performs a point doubling operation whether the bit is 0 or 1.And an extra point addition will be performed if the bit is 1.Because of the differences between side-channel pattern of doubling and that of addition, attackers can easily reveal  from a single power trace.As  and  are both known,   can be calculated by the formula   =  −1 .
Attackers can also perform SPA attack on  =   as shown in line 3 of Algorithm 1.The SPA attack on modular exponentiation is similar to that of scalar multiplication.Employing the different power consumption by manipulating 1 and 0 can derive the exponent .The lengths of , , and  are 256 bits so that  can be obtained by the formula  = ( − ℎ)mod .According to the scheme described above, attackers can also restore the secret key   .

Countermeasures against Simple Power
Attack.Based on our SPA attack, we can draw a conclusion that  and  are equally important in the security of SM9 digital signature algorithm.It is necessary to deploy some countermeasures on  and  against SPA attack.
There are five ways [22,23] against SPA scheme for  in SM9 digital signature algorithm.In addition, countermeasures to protect the exponent  should be implemented.We would not repeat the descriptions about the methods for  here as they are similar to that of .We also can refer to the SPA countermeasures of RSA [13] for  against SPA attack.
In conclusion, the five ways are as follows.
(1) Indistinguishable Point Operation Formulae.Indistinguishable Point Operation Formulae (IPOF) try to eliminate the difference between point addition and point doubling.The usage of unified formulae for point doubling and addition is a special case of IPOF.However, even when unified formulae are in use, the implementation of the underlying arithmetic, especially the operations with conditional instructions, may still reveal the type of the point operation (addition or doubling).
(2) Double-and-Add-Always Algorithm.The double-and-addalways algorithm ensures that the sequence of operations during a scalar multiplication is independent of the scalar by inserting dummy point additions.However, due to the use of dummy operations, it makes the time complexity doubled and may cause safe-error fault attack.
( (5) Random Splitting  and .There are two different ways to split  and .Here we take  as an example and  also should be protected by the same principle.One is to transform  to + where  is a random integer and do scalar multiplication by the formula: Another is to convert  to  +  and  where  is a 256-bit random value.The formula is

Template Attack and
Countermeasures on SM9 where  and  represent the -coordinate and -coordinate of   .We focus this computation  2 to perform our template attack.For ease of description, we use  (256-bit) to replace  in Formula ( 8) and   (0 ≤  < 32) denotes one byte of .
Assume that SM9 digital signature algorithm is executed on an 8-bit microcontroller, and the power consumption of intermediate values in the calculation process of CIOS modular multiplication algorithm can be acquired.We give the letters meanings as follows. = ( 31 , . . .,  1 ,  0 ) is the -coordinate of   (, ).And  ℎ (    ) and   (    ) are the power consumption traces with the high 8-bit and low 8-bit of the intermediate value     (0 ≤  < 32, 0 ≤  < 32).The template with Hamming weight from 0 to 8 is denoted as   = { 0 ,  1 , . . .,  8 } and Match(,   ) is a method to reflect the degree of  and   .HW ℎ (    ) and HW  (    ) denote the Hamming weight of high 8-bit and low 8-bit of     , respectively.
As shown in Figure 2, there are three phases in our template attack.Firstly, in the template building phase, we focus on the operation     (0 ≤  < 32, 0 ≤  < 32) and calculate the Hamming weight of high 8-bit and low 8bit of     as the target of template.We build templates of Hamming weight   = { 0 ,  1 , . . .,  8 } to characterize devices.Next, we match the templates to the power consumption traces of devices with the match function Match(,   ) to obtain HW ℎ (    ) and HW  (    ) in template matching phase.Finally, two searching operations are carried out during offline searching phase and the secret key   can be derived by analysis.
Algorithm 4 shows our template attack.There are two searching operations used to narrow the range of candidates in offline searching phase.The first is shown in offline searching phase from the line 1 to the line 6.For each   (0 ≤  < 32), we traverse  from 0 to 255, and add  satisfying HW ℎ ( 2 ) == HW ℎ (    ) and HW  ( 2 ) == HW  (    ) to set  1, where candidates of   are stored.The second searching is based on  1, , as demonstrated in line 7 to the line 14.For each element  in  1, (0 ≤  < 32) and each element  in  1, ( <  < 32), we calculate the high 8-bit and low 8-bit Hamming weight of .Selecting  and  with the conditions

Validate candidates
Template building Template matching Offline searching Build templates based on H７ ℎ (x i x j ) and H７ l (x i x j ) (from i = 0, j = 0 to 31 and x i = 0, x j = 0 to 255): T =  0 ,  1 , . . .,  8 P ℎＧ；Ｒ = Match(t ℎ (x i x j ), T) (0 ≤ i, j < 32) P lＧ；Ｒ = Match(t l (x i x j ), T) (0 ≤ i, j < 32) Correct key ds A First searching: Construct set U 1,i where stores the 0 ≤ i < 32) candidates of x i are ( Second searching: Construct set U 2 where the stores the (0 ≤ i < 32, i < j < 32) correspondence between x i and x j . of HW ℎ () == HW ℎ (    ) and HW  () == HW  (    ) and adding them in set  2 ,  2 consists of many pairs (, , , ) and represents the correspondence between   and   .The pair (, , , ) means that if   ==  so   == .Next, the possible values of  = ( 31 , . . .,  1 ,  0 ) can be obtained.It is necessary to validate whether they are the points of the elliptic curve.Finally, the secret key   can be recovered.

Template Attack Experiments on SM9
. We present concrete experiments on side-channel traces captured from a real device.We implemented the Montgomery modular multiplication algorithm and focused on a single precision multiplication power consumption on AT89S52 8-bit microcontroller.Traces were acquired on a Lecroy WaveRunner oscilloscope with a sampling rate of 10 GS/s.In our experiments, the parameters  and  of   are shown in Table 1.
The templates of Hamming weight from 0 to 8 built in our attack are illustrated in Figures 3 and 4.During our template attack, the power consumption of intermediate values in the calculation process of CIOS modular multiplication algorithm is acquired.Figure 5 shows the  ℎ ( 0  0 ) (black-line) and   ( 0  0 ) (dark-gray-line) which are the power consumption traces with the high 8-bit and low 8-bit of  0  0 .The Match(,   ) applied in our attack is least square method to reflect the distance of  and   .Hence, HW ℎ ( 0  0 ) and HW  ( 0  0 ) were revealed which were equal to 6 and 4, respectively.For each  from 0 to 31, HW ℎ (    ) and HW  (    ) can be recovered by the steps described above.
And then, the second searching phase is carried out.For each element  in  1, (0 ≤  < 32) and each element  in  1, ( <  < 32), we calculate the high 8-bit and low 8-bit Hamming weight of .Select  and  with the conditions of HW ℎ () == HW ℎ (    ) and HW  () == HW  (    ) and adding them in set  2 . 2 consists of many pairs (, , , ) and represents the correspondence between   and   .Next, the possible values of  = ( 31 , . . .,  1 ,  0 ) can be obtained.The result of offline searching phase is shown in Figures 6 and  7. Finally, the value of  is 93DE051D 62BF718F F5ED0704 487D01D6 E1E40869 09DC3280 E8C4E481 7C66DDDD and it is validated to be correct.And   can be revealed successfully.The experiments have proved that our attack works well.If attackers employ the template attack on an 8bit microcontrol unit, the key often can be obtained just by analyzing algorithm procedure of one message.

Countermeasures Against Template Attack.
There are four ways [23,24] to resist the template attack presented above.
(1) Base Point Blinding.This method is to select a random point  and convert  = (2) Random Projective Coordinates.Let    (  ,   , ) denote the mapping value of   (, ) in the Jacobian coordinates where  =   / 2 and  =   / 3 .Point    (  ,   , ) is considered to be the same as point ( 2   ,  3   , ) where  is a random number.For different ,   is not the same.The random variable  can be updated in every execution or after each doubling or addition.Attackers could not accurately gain the values of   and 2  , so this method does resist the attack.
(3) Random EC Isomorphism.Based on the isomorphism of elliptic curves, we transform scalar multiplication algorithm to another stochastic mapping domain.A random isomorphism curve   (  ) is generated and   is mapped to    which is on   (  ).The calculation of  is on   (  ) rather than (  ).Finally, we should map    to   and get .As    can not be estimated, this method can resist the template attack.
(4) Random Field Isomorphism.This method makes use of isomorphisms between fields.To compute  = []  , it first randomly chooses a field   to  through isomorphism  and then computes It means that  ∈   (  ) is used to represent   ∈ (K) and   = [] is calculated on   (  ).Finally we need to transform   to  ∈ ().The value of   is hidden in this method so as to resist the above attack.Figures 8 and 9 show the templates of Hamming weight from 0 to 8 after applying some countermeasures.

Fault Attack and Countermeasures on SM9
5.1.Fault Attack on SM9.Base point is one of the system parameters in scalar multiplication, and it is determined by protocols.So we inject a single-bit fault on base point to recover the secret key.Two assumptions are made before  the fault attack on SM9 is performed.One hypothesis is that attackers can inject a fault on   (, ) at an unknown location during the moments of error detection and signature computation.Let    (  ,   ) denote the fault key.Another assumption is that the injected fault causes a bit value to flip from 0 to 1.
Figure 10 illustrates the flowchart of fault attack on SM9.As an example, we performed the fault attack on  :  2 =  3 + .The correct signature for message  is calculated by the formula (  ,   ) = []  (, ).Then, a single-bit fault is injected to the -coordinate of   (, ) and the fault key is denoted as    (  ,   ).The wrong signature for message  is calculated by the formula   ( Then, (11) can be gained: Let  =  −   ; ( 11) is equal to Because only one bit is different between  and   , ( 12) can be expressed as where  ∈ {0, 1, . . ., 255}.And  represents the location of the different bit.Convert (13) into the following form: For each  from 0 to 255, its corresponding equation like ( 14) can be obtained.All values of  satisfying this equation are calculated by mathematical methods and added to set   .If   is an empty set, that means the fault position  corresponding to this equation is incorrect.Otherwise, the fault position  is correct and we need to validate each  ∈   for getting the real .It is worth noting that as long as  is correct, the equation must have solutions.Once the  is derived, the value of   (, ) can be calculated correctly.
Obviously, if the fault is injected into the -coordinate of   (, ), the above fault attack is still performed validly.And our fault attack also has the ability to break the SPAresistant SM9 implementation.
To sum up the above, the fault attack algorithm is shown in Algorithm 5.
Remark 1.In the above attack, we assume that the injected fault causes a bit to flip from 0 to 1.As we all know, common faults are single-bit flipping fault, single-bit constant fault, and multibits fault.In fact, no matter which fault is injected, as long as  ̸ = 0, the above attack can be performed.If  ̸ = 0, for single-bit constant fault, we can think of it as a single-bit flipping fault.For multibits fault, the only difference is that multi- should be searched.We believe that using mathematical methods to solve this issue is not a difficult task.

Fault Attack
Usually, attackers can reveal the 256-bit   by enabling the device to execute twice and comparing the two different results by our fault attack.5.3.Countermeasures against Fault Attack.We introduce three countermeasures against the above fault attack [25][26][27]; they are as follows.
(1) Point Validation.This method verifies if a point lies on the specified curve or not.It should be performed before and after scalar multiplication.If the point   or result does not belong to the original curve, no output should be given.It is an effective countermeasure against our fault attack.
(2) Curve Integrity Check.The curve integrity check is to detect faults on curve parameters.Before starting an SM9 algorithm the curve parameters are read from the memory and verified using an error detecting code (i.e., cyclic redundancy check) before the algorithm execution.It is an effective method to prevent the fault attack above.
(3) Coherence Check.A coherence check verifies the intermediate or final results with respect to a valid pattern.Randomly coding the intermediate variables such as scalar, base point, and curve parameters is a most common operation.
(4) Combined Curve Check.This method uses a reference curve to detect faults.It makes use of two curves: a reference curve  fl (  ) and a combined curve   that is defined over the ring   .In order to compute  = []  on curve , it first generates a combined point    from   and   ∈ (  ) (with prime order).Two scalar multiplications are then performed:   = []   on   and  = []  on .If no error occurred,  and   (mod ) will be equal.Otherwise, the one of the results is faulty and the results should be aborted.It is also an effective countermeasure against the fault attack presented in this paper.
(5) Security Curve Selection.Using the NIST curves [28] with the fragile twin curves should be avoided.

Conclusion
In this paper, we propose SPA attack, template attack, and fault attack on SM9 algorithm.After this, some corresponding countermeasures are also introduced.We also conduct some experiments to prove the validity of these attacks.Although this paper mainly studies SCA attacks of SM9 digital signature algorithm, we have reason to believe that these schemes are equally effective for SM9 encryption algorithm.
Overall, a security SM9 digital signature algorithm implementation should pay attention to these points shown in Table 5.And we also provide the overhead to deploy these countermeasures as a reference guidance for the SM9 algorithm security implementation [27].

Figure 2 :
Figure 2: The flowchart of template attack on SM9.
[]  to  = []( +   ) − [].The value of []( +   ) is computed first and the known value [] is subtracted at the end of scalar multiplication to ensure its correctness.The [] and  are stored secretly in the cryptographic devices and updated at each iteration.

Figure 6 :
Figure 6: The result of offline searching phase.
Digital Signature Algorithm 2.2.1.Scalar Multiplication.Scalar multiplication is the most important part in elliptic curve cryptography algorithm and its fast implementation is an inevitable demand of practical applications.As shown in Algorithm 1, scalar multiplication is directly related to the signature private key   in SM9 digital signature generation algorithm.
3) Atomic Block Algorithm.Instead of making the group operations indistinguishable, one can rewrite them as sequences of side-channel atomic blocks that are indistinguishable for SPA attack.If dummy atomic blocks are added, then this countermeasure may enable safe-error attack.
4.1.Template Attack on SM9.The template attack proposed in this paper reveals   in the case that both  and  are unknown.As shown in Section 2, the first step of scalar multiplication performs a point doubling operation.And  needs to be calculated by

Table 1 :
Template attack experiment parameters.

Table 3 ,
Experiments on SM9.Assume that the elliptic curve used in our experiments is  :  2 =  3 + .The  is a prime number, and  means the order of group  1 .The   (, ) denotes a point of  1 , and the scalar is denoted as .(,   ) is computed by (  ,   ) = []  (, ).Let    (  ,   ) denote the fault point, and the wrong signature of message  is computed by the formula   (   ,    ) = [  ]   (  ,   ).The experiment parameters are listed in Table3.We can see that the fault location is equal to 1.We conduct some experiments with the attack in Algorithm 5, and the intermediate values of SM9 digital signature algorithm are shown in Table4.When  = 1, the equation has two solutions that may be the correct . Lt  1 and  2 denote the two solutions, and  11 ,  12 ,  21 , and  22 denote the corresponding  calculated by  2 =  3 + .Comparing with  1 and  12 are the correct -coordinate and coordinate of   , so the fault attack also shows its feasibility.

Table 4 :
The intermediate values of fault attack.