Design of SM2 Digital Signature Algorithm Against Weak Curve Fault Attack

QIAN Chuisheng, ZENG Jiuzhen, WANG Yan*

(School of Electrical Engineering, University of South China, Hengyang, Hunan 421001, China)

Abstract：The SM2 digital signature algorithm is the Chinese version of the Elliptic Curve Digital Signature Algorithm (ECDSA). Although the design of the algorithm is mathematically safe, it is vulnerable to physical attacks when the algorithm is implemented. Therefore, it is of great significance to strengthen the attack resistance of the SM2 digital signature algorithm in the implementation process. Based on the idea of fault infection, this paper proposes an anti-fault attack strategy for the SM2 digital signature algorithm, which changes the scalar operation in the algorithm so that the fault will spread in the signing process after the algorithm is attacked, thereby destroying the conditions for attackers to quickly retrieve the signature private key by using incorrect signatures. Experimental results show that the proposed defense strategy can not only resist weak curve fault attacks but also defend against combined attacks of weak curve faults and secondary fault injection. In addition, we also implement the common point detection anti-fault attack strategy in the elliptic curve algorithm and the fault infection prevention strategy proposed on Field Programmable Logic Array (FPGA) and compare the hardware area overhead and single signature time overhead of the two strategies, and the results show that the proposed strategy is superior to the point detection-based strategy in hardware performance.

Keywords：SM2 digital signature algorithm; weak elliptic curve; FPGA implementation; against fault attack

1 Introduction

With the comprehensive advancement of digitalization, information security has received increasing public attention, and cryptographic technology is currently the main technical means to solve information security issues. Cryptographic algorithms, as the core of cryptographic technology, are generally divided into three types: encryption and decryption, signature verification, and key exchange, among which the digital signature algorithm (DSA) is used to ensure the authenticity, integrity, and non-repudiation of data during transmission [1]. Since Whitfield Diffie and Martin Hellman first proposed the concept of digital signatures in 1976, many excellent digital signature algorithms have emerged. Among numerous digital signature algorithms, the Elliptic Curve Digital Signature Algorithm (ECDSA) is widely used due to its advantages of shorter keys and faster signature speeds at the same security level. The SM2 digital signature algorithm (SM2-DSA) is the Chinese version of ECDSA. Although both rely on the elliptic curve discrete logarithm problem (ECDLP) for security, the security of SM2-DSA is higher than that of ECDSA [2]. Although both SM2-DSA and ECDSA are theoretically secure, introducing fault injection attacks in the physical devices implementing the algorithm can lead to a significant loss of security.

Fault injection attacks refer to injecting specific faults into cryptographic devices, causing the device to output faulty information, which can then be analyzed to retrieve the keys used in the device. Literature [3-6] introduces several fault injection attack schemes targeting elliptic curve cryptography (ECC). Among them, weak curve fault attacks utilize fault injection to transform the secure elliptic curve used during the algorithm’s operation into an insecure weak elliptic curve, and then use the Pohlig-Hellman algorithm and Pollard Rho algorithm to break the ECDLP on the weak elliptic curve, thereby obtaining the private key used in the algorithm [6]. To enhance the security of cryptographic algorithms in practical applications, researchers have conducted extensive studies on defense strategies against fault attacks.

For ECC algorithms, effective point detection is the most commonly used defense strategy against fault attacks. During the algorithm’s operation, if a fault is injected into an intermediate state point, that point will deviate from the original elliptic curve, affecting subsequent point operations. Therefore, before outputting results, the points generated from scalar operations can be checked; if the generated point is not on the original elliptic curve, the output will be rejected. Literature [7] proposes a dual random point detection strategy for ECDSA to defend against weak curve fault attacks. This defense strategy adds random delays and a dual detection mechanism to the point detection, addressing the failure of simple point detection strategies under secondary fault injections. Literature [8] combines low-cost fault detection and recovery mechanisms with coordinate randomization techniques to propose a low-cost solution that can simultaneously defend against differential power attacks and differential fault attacks. When subjected to differential fault injection attacks, the invariance of intermediate variable relationships in the Montgomery ladder algorithm can be used to detect faults, allowing the scalar operation to revert to the last valid state, ensuring that fault injection fails without affecting the final correct result. In addition to effective point verification, the idea of fault infection is also a key focus in fault attack research. Literature [9] introduces a fault defense strategy based on fault infection to resist lattice fault attacks targeting SM2-DSA. This strategy propagates faults during the signature generation process, destroying the conditions required for lattice attacks, ensuring that even if critical information is leaked, it can still resist lattice attacks.

Currently, research on fault attack resistance for SM2-DSA mainly focuses on lattice fault attacks and differential fault attacks, with relatively few studies on defenses against weak curve fault attacks. This paper proposes a new fault attack defense strategy based on the idea of fault infection to obtain an improved version of SM2-DSA that resists weak curve fault attacks. By utilizing the propagation of faults, it disrupts the relationship between the random scalar value used in the signing process and the signature private key, ensuring that even if an attacker breaks the ECDLP on the weak elliptic curve, they cannot obtain the signature private key. The improved algorithm’s hardware circuit design is implemented on a Field Programmable Gate Array (FPGA), and the defense effectiveness of the circuit is tested. To better verify the effectiveness of the defense strategy, a hardware Trojan was designed to simulate random fault injections targeting the hardware circuit. A hardware circuit based on a simple point detection defense strategy was also designed for comparative experiments, analyzing and comparing the performance and hardware overhead of the two defense strategies.

2 SM2 Digital Signature Algorithm Basics

2.1 Basic Theory of Elliptic Curves

The analysis of SM2-DSA in this paper is based on the elliptic curve E(a,b) over the prime field Fp, defined by the Weierstrass equation as follows:

E:y2=x3+ax+b mod p

(1)

where a,b∈Fp, and satisfy 4a3+27b2≠0 mod p. All points on the elliptic curve E(a,b) and the point at infinity O over the prime field Fp form an elliptic curve group E(Fp), and the scalar operation kP=P+P+…+P is the core of the elliptic curve cryptographic algorithm. Here, point P(xP,yP) is any point on E(Fp) except for the point at infinity O, and k∈{1,…,p-1}. Scalar operations consist of point addition and doubling, with the formulas for these basic point operations as follows:

Let (x3,y3)=(x1,y1)+(x2,y2), then:

(2)

where

(3)

Additionally, for all points P(xP,yP) on E(Fp), it also holds that: P+O=P; –P=P(xP,p–yP). The reason scalar operations are the core of elliptic curve cryptography is that the ECDLP derived from them provides mathematical theoretical security. ECDLP is defined as follows: given a non-infinite point P on E(Fp) with order n, if there exists an integer k∈[1,…,n-1] such that Q=kP, then k is called the discrete logarithm of Q to the base P. If P and Q are known, solving for k is called the elliptic discrete logarithm problem. Currently, the best method for solving ECDLP is a combination of the Pohlig-Hellman algorithm and the Pollard Rho algorithm, but the time complexity for breaking ECDLP remains exponential where q is the largest prime factor of n. In the elliptic curve points selected for cryptographic algorithms, the order n itself is a large prime number. Therefore, under normal circumstances, even the best algorithms cannot break the ECDLP in a finite time.

2.2 SM2 Digital Signature Algorithm

As an improved version of ECDSA released by the Chinese government, the signature generation process of SM2-DSA differs from the standard elliptic curve used in ECDSA. Before signing, SM2-DSA first requires pre-computation to generate the user hash value ZA:

ZA=Hv(AENTL‖IDA‖a‖b‖xG‖yG‖xA‖yA)

(4)

where Hv is the SM3 hash function; IDA is the identifier of the signing party A; AENTL is a two-byte value converted from the bit length of IDA. The signature generation process of SM2-DSA is shown in Algorithm 1.

1) Algorithm 1: SM2 Digital Signature Algorithm

Input: prime field characteristic p, elliptic curve parameters (a,b), base point G(xG,yG) and the order of the base point n, message to be signed M, user hash value ZA, signing private key dA.

Output: signature pair (r,s).

1:e=Hv(ZA‖M);

2: choose a random integer k∈[1,n-1];

3: scalar operation Q(x1,y1)=kG;

4: calculate r=e+x1 mod n. If r=0 or r+k=n, return to step 2;

5: calculate s=(1+dA)-1(k–rdA) mod n. If s=0, return to step 2;

6: output signature pair (r,s).

The overall architecture of the hardware implementation of SM2-DSA is shown in Figure 1, divided into the cryptographic protocol layer, elliptic curve point operation layer, and modular operation layer. This paper adopts the Montgomery ladder algorithm to implement the scalar operation module, which is not only suitable for hardware implementation but also resistant to simple power attacks, as detailed in Algorithm 2 [10]. Additionally, modular multiplication, the most important operation in modular arithmetic, is implemented based on adders, making the entire hardware design more lightweight.

Figure 1 SM2-DSA Hardware Architecture

2) Algorithm 2: Montgomery Ladder Algorithm

Input: point P(xP,yP) on the elliptic curve, scalar value k=(kn-1,…,k1,k0).

Output: Q(xQ,yQ)=kP.

1: calculate Q0=P, Q1=2P;

2: iterate i from n-2 to i=0 over ki;

2.1: if ki=1, Q0=Q0+Q1, Q1=2Q1;

2.2: otherwise, Q1=Q0+Q1, Q0=2Q0;

3: end iteration, output Q0.

3 Defense Strategy Against Weak Curve Fault Attacks for SM2 Digital Signature Algorithm

3.1 Weak Curve Fault Attack on SM2 Digital Signature Algorithm

During the execution of the signature generation for SM2-DSA, an attacker injects a continuous random fault into the coordinate value of the elliptic curve parameter a. This causes the scalar operation in step 3 of Algorithm 1 to fall on a weak elliptic curve, resulting in the algorithm outputting an incorrect signature pair. The attacker can then use the incorrect signature pair and the quadratic residue theorem to obtain the weak elliptic curve parameters and the coordinates of the scalar operation result Q′, allowing them to break the ECDLP on the weak elliptic curve and obtain a random scalar value k′ such that Q′=k′G′. However, k′ is not the actual random scalar k used in the signing process, and their relationship is shown in equation (5).

(5)

where n is the order of the base point G on the standard elliptic curve; n′ is the order of the base point G′ on the weak elliptic curve.

Based on the signature generation formula for s in step 6 of Algorithm 1, the expression for the private key dA can be derived, as shown in equation (6). Clearly, the signature pair (r,s) is known, so substituting equation (5) into the expression allows for the calculation of all possible values of the private key. Typically, n and n′ differ only slightly, so the number of possible values for the private key dA is also small. Since the public key PA and the private key dA satisfy the relationship: PA=dAG, the correct private key value can be quickly filtered based on this relationship.

dA=(k–s)(r+s)-1mod n

(6)

In summary, the above method can be used to crack the value of the signature private key dA. In addition to injecting faults into the parameter a, injecting faults into the coordinates of the base point G can also achieve the same effect, as detailed in literature [6].

3.2 Point Detection-Based Defense Strategy

According to the attack principle of weak curve fault attacks, the signature algorithm will operate on a non-standard elliptic curve after being attacked, so point detection is the most commonly used means to defend against such attacks. Based on the idea of point detection, the signing process of SM2-DSA is improved by adding a point detection operation before outputting the signature pair (r,s). Specifically, since the public-private key pair (PA,dA) is generated on the standard elliptic curve, under normal circumstances, the following equation can be obtained based on equation (6):

PA==(k–s)(r+s)-1G

(7)

If equation (7) holds, it indicates that the signature pair generation and the public-private key pair generation used the same standard elliptic curve, meaning that the signing process has not suffered from weak curve fault attacks, and the signature pair can be output normally. Otherwise, it indicates that the signing process has been attacked, and the algorithm will refuse to output the signature pair. The detailed process of point detection-SM2-DSA is shown in Algorithm 3.

Algorithm 3: Point Detection-SM2 Digital Signature Algorithm.

Input: prime field characteristic p, elliptic curve parameters (a,b), base point G(xG,yG) and the order of the base point n, message to be signed M, user hash value ZA, signing private key dA, signing public key PA.

Output: signature pair (r,s).

1:e=Hv(ZA‖M);

2: choose a random integer k∈[1,n-1];

3: scalar operation Q(x1,y1)=kG;

4: calculate r=e+x1mod n. If r=0 or r+k=n, return to step 2;

5: calculate s=(1+dA)-1(k–rdA)mod n. If s=0, return to step 2;

6: scalar operation D=(k–s)(r+s)-1G;

7: check if D==PA holds:

7.1: if it holds, output signature pair (r,s) normally;

7.2: otherwise, clear the signature pair and refuse to output;

8: end signing.

From the above algorithm process, it can be seen that the improved SM2-DSA based on the point detection strategy adds an additional scalar operation compared to the original algorithm. Furthermore, the algorithm ultimately determines whether to output the signature pair based on a condition. In practical applications, such a judgment operation can easily be skipped due to secondary fault injections [7]. If the condition check is skipped, it means that the signature pair will be output directly, indicating that the point detection mechanism has failed.

3.3 Fault Infection-Based Defense Strategy

From the description of weak curve fault attacks on SM2-DSA in section 2.1, it is evident that although the attack does not directly target the private key dA, it can obtain a random scalar value k′ on the weak elliptic curve by breaking the ECDLP. By utilizing the relationship between k′ and the actual random scalar value k used in the signature, as well as the relationship between the actual random scalar value k and the private key dA, the correct private key can be quickly retrieved. Based on the idea of fault infection, the original SM2-DSA is improved so that when the improved SM2-DSA is subjected to fault attacks, faults will continuously propagate during the signing process, ultimately destroying the conditions for quickly retrieving the private key dA. This means that even if the attacker breaks the value of k′, they cannot retrieve the correct private key value within a limited time. The signing process of the improved algorithm is shown in Algorithm 4.

Algorithm 4: Fault Infection-SM2 Digital Signature Algorithm.

Input: prime field characteristic p, elliptic curve parameters (a,b), base point G(xG,yG) and the order of the base point n, message to be signed M, user hash value ZA, signing private key dA, signing public key PA.

Output: signature pair (r,s).

1:e=Hv(ZA‖M);

2: choose a random integer k∈[1,n-1];

3: scalar operation T(xT,yT)=kG+dAG;

4: calculate D(xD,yD)=T–PA;

5: calculate r=e+xDmod n. If r=0 or r+k=n, return to step 2;

6: calculate s=(1+dA)-1(k–rdA) mod n. If s=0, return to step 2;

7: output signature pair (r,s).

When the algorithm runs normally, the elliptic curve used during the signing process and the one used to generate the public-private key pair are the same standard elliptic curve. Based on the relationship between the public and private keys, steps 3 and 4 in the algorithm correspond to equation (8). Replacing steps 3 and 4 with equation (8) results in a signing process identical to that of the original SM2-DSA, outputting the correct signature pair.

D(xD,yD)=kG+dAG–dAG=kG.

(8)

If the algorithm is subjected to a weak curve fault attack during execution, the scalar operation in step 3 of Algorithm 4 will be executed on a faulty elliptic curve, meaning that T and PA are not on the same elliptic curve. Therefore, even if step 4 in the algorithm still uses the operations shown in equations (2) and (3) in actual calculations, the final result D′(xD′,yD′) will not be a point on the faulty elliptic curve. If the attacker attempts to continue exploiting the weak curve’s characteristics for fault analysis, they can only recover the coordinates of the point T′(xT′,yT′) on the faulty curve, and then find a random scalar value k′T that satisfies T′(xT′,yT′)=k′TG′ by breaking the ECDLP. Assuming the attacker successfully breaks the ECDLP and obtains the value of k′T, the scalar operation in step 3 of Algorithm 4 indicates that k′T is related to both the actual random scalar value k and the private key dA, as expressed in equation (9). Here, n′ is the order of the base point G′ on the faulty elliptic curve, and n is the order of the base point G on the standard elliptic curve. The actual random scalar value k and the private key value dA are both unknown random numbers. The right side of the expression contains an unknown random number, making it impossible to retrieve the unique correct random scalar value k or private key value dA faster than exhaustive search. Currently, the random scalar value k and private key value dA used in signatures are generally large numbers of 256 bits, and it is impossible to complete an exhaustive search for a 256-bit unknown number within a limited time with current computational capabilities. Moreover, from the expression, even in the best case (i.e., when i=0), one search will still be required. In the worst case, 2²⁵⁶ searches will be needed to achieve the goal. Therefore, the improved SM2-DSA based on the fault infection strategy ensures that even if the ECDLP on the faulty curve is broken after a weak curve fault attack, the attacker cannot obtain the signature private key dA.

(9)

In fact, the two scalar operations in step 3 of Algorithm 4 can be combined into one scalar operation T(xT,yT)=(k+dA)G. Compared to the original SM2-DSA, the improved SM2-DSA based on the fault infection strategy only adds one point addition operation during the signing process. Furthermore, unlike the point detection strategy, which can easily be bypassed due to secondary fault injections, leading to defense failure, the fault infection strategy does not have such obvious flaws.

4 Experimental Analysis

This paper sets up three groups of comparative experiments, including a no defense strategy group, a point detection defense group, and a fault infection defense group. Each group uses Verilog hardware language to complete circuit design, then uses the ModelSim tool for circuit functional simulation verification, and finally synthesizes and evaluates the performance of the three groups of circuits based on FPGA chips. The entire experiment is conducted on a personal computer with a 3.2 GHz, 4-core CPU. All SM2-DSA circuits in the experiment use the same officially recommended 256-bit standard elliptic curve [11].

A hardware Trojan is a small circuit implanted by an attacker during chip design or manufacturing, which can alter the chip’s functionality or leak internal information when activated under certain conditions [12]. Based on this characteristic, hardware Trojans can be effectively combined with hardware fault attacks. The structure of the hardware Trojan based on fault attacks is shown in Figure 2. The hardware Trojan designed in the experiment has two states when activated. In the first state, it can inject continuous L bit flips randomly into the elliptic curve parameters starting from a specified position. In the second state, it can inject specific continuous L bit flips into the elliptic curve parameters starting from a specified position (L=1,2,4,8,16). By masking the judgment operation before the signature output after the first fault injection, we can simulate secondary fault injections on the point detection SM2-DSA circuit, while on the fault infection SM2-DSA circuit, we can randomly activate the hardware Trojan after the first fault injection and inject another fault to simulate secondary fault injection.

Figure 2 Schematic Diagram of a Hardware Trojan Based on a Fault Attack

According to the attack principle of weak curve fault attacks, not every fault curve obtained after a fault attack is a weak elliptic curve. Only when the order n′ of the base point G′(xG′,yG′) on the fault curve has a small maximum prime factor q can it be guaranteed that the ECDLP on the fault curve can be successfully broken. Given the current computational capabilities, when the maximum prime factor q satisfies 2^lq<70, the elliptic curve can be defined as a weak elliptic curve [13].

Considering the actual computing power of the computer in this experiment, we first simulate multiple fault injections on the no defense strategy SM2-DSA circuit, then recover the fault curve parameters and analyze the order n′ of the base point G′ on the fault curve, selecting fault curves that satisfy the maximum prime factor q with bit length lq<70. The corresponding fault injection positions and flip conditions for these fault curves are recorded, and then using the second activation state of the hardware Trojan circuit, specific faults are injected into the point detection SM2-DSA circuit and the fault infection SM2-DSA circuit, ensuring that the signing process after fault injection uses the corresponding lq<70 fault curves. The situation of weak curve fault attacks on the three groups of circuits is shown in Table 1, where lq is the bit length of the maximum prime factor of the order of the base point obtained after the fault attack, and “-” indicates that no experiments were conducted on the original SM2-DSA circuit without defense against weak curve fault injection and secondary fault injection combined attacks.

From Table 1, it can be seen that the original SM2-DSA circuit without any defense strategy is vulnerable to weak curve fault attack threats. Although the point detection SM2-DSA circuit can defend against single weak curve fault attacks, if the attacker bypasses the pre-output judgment operation through secondary fault injection, the point detection SM2-DSA circuit’s defense against weak curve fault attacks will fail. In contrast, the fault infection SM2-DSA circuit can successfully defend against both single weak curve fault attacks and combined weak curve fault attacks with secondary fault injections.

Table 1 Weak Curve Fault Attack on Three Sets of SM2-DSA Circuits

Finally, the three groups of circuits are synthesized and implemented on the Xilinx Kintex-7 series xc7k325 chip on the Vivado platform. When designing the point detection SM2-DSA circuit, the scalar operations in the point detection operation and the signature generation were reused in the same scalar operation unit. As shown in Table 2, compared to the SM2-DSA circuit without defense strategy, the point detection SM2-DSA circuit incurs an additional 15.7% overhead in look-up tables (LUT) and 13.1% in flip-flops (FF), but the time overhead for the point detection SM2-DSA circuit is an additional 94.0%. In contrast, the fault infection SM2-DSA circuit only adds one point addition operation during the signing process, resulting in an additional 7.4% overhead in LUT and 3.4% in flip-flops, with a time overhead of only 0.84%.

Table 2 Performance Comparison of Three Sets of SM2-DSA Circuits Based on FPGA Hardware Implementations

In summary, the improved SM2-DSA circuit based on the fault infection strategy can not only defend against weak curve fault attacks but also against combined attacks of weak curve faults and secondary fault injections. Additionally, it demonstrates better performance in terms of hardware area overhead and time overhead compared to the general point detection SM2-DSA circuit.

5 Conclusion

This paper proposes a defense strategy against weak curve fault attacks based on the idea of fault infection for the SM2-DSA algorithm. The SM2-DSA hardware circuit is improved according to this defense strategy, and fault injection attack simulation experiments are conducted on the improved circuit. The simulation results indicate that the fault infection-based strategy can simultaneously resist weak curve fault attacks and secondary fault injection attacks. Furthermore, the circuits based on the fault infection strategy, the general point detection strategy, and the no defense strategy are analyzed for performance on the Kintex-7 FPGA. The analysis results show that the fault infection defense strategy incurs approximately half the additional hardware area overhead compared to the general point detection strategy, and only increases the single signature generation time by 0.84%, far less than the 94.0% increase of the point detection strategy.

References：

[1] CHENG Zhaohui. Overview of Digital Signature Technology[J]. Information Security and Communication Confidentiality, 2020(7):48-62.

[2] SUN Rongyan, CAI Changshu, et al. Comparative Analysis of National Secret SM2 Digital Signature Algorithm and ECDSA Algorithm[J]. Network Security Technology and Application, 2013(2):60-62.

[3] RUSSON A.Differential fault attack on Montgomery ladder and in the presence of scalar Randomization[C]//Progress in Cryptology-INDOCRYPT 2021:22nd International Conference on Cryptology in India. Jaipur, India: Springer International Publishing, 2021:287-310.

[4] CAO W Q, SHI H S, CHEN H, et al. Lattice-based weak curve fault attack on ECDSA[C]//ICT Systems Security and Privacy Protection:36th IFIP TC 11 International Conference, SEC 2021. Cham, Switzerland: Springer International Publishing, 2021:146-161.

[5] TAKAHASHI A, TIBOUCHI M. Degenerate fault attacks on elliptic curve parameters in OpenSSL[C]//2019 IEEE European Symposium on Security and Privacy (Euro S & P). Stockholm, Sweden: IEEE, 2019:371-386.

[6] QIAN C S, WANG Y, WANG M H, et al. Security analysis of SM2 signature algorithm based on fault attack[C]//Second International Symposium on Computer Technology and Information Science (ISCTIS 2022). Guilin, China: SPIE, 2022, 12474:1247402.

[7] ZHANG Yu. Research on Fault Attacks Based on ECDSA[D]. Xi’an: Xi’an University of Electronic Science and Technology, 2014:29-34.

[8] YU Xiao. Research and Design of Dual-Domain ECC Scalar Multiplication Circuit Against Side-Channel Attacks[D]. Nanjing: Nanjing University of Aeronautics and Astronautics, 2020:58-60.

[9] CAO W Q, FENG J Y, ZHU S F, et al. Practical lattice-based fault attack and countermeasure on SM2 signature algorithm[C]//Information and Communications Security:17th International Conference, ICICS 2015. Beijing, China: Springer International Publishing, 2016:62-70.

[10] CHAKRABORTY A, BHATTACHARYA S, DIXIT T H, et al. Template attack on SPA and FA resistant implementation of Montgomery ladder[J]. IET Information Security, 2016, 10(5):245-251.

[11] IT security techniques. Digital signatures with appendix Part 3: Discrete logarithm based mechanisms: ISO/IEC 14888-3:2006[S]. Geneva, Switzerland: ISO (International Organization for Standardization), 2018:155.

[12] HUANG Zhao, WANG Quan, YANG Pengfei. Hardware Trojans: Key Issues Research Progress and New Trends[J]. Computer Journal, 2019, 42(5):993-1017.

[13] MARTNEZ V G, GONZALEZ-MANIANO L, MUOZ A M, et al. Secure elliptic curves in cryptography[J]. Computer and Network Security Essentials, 2018(1):283-298.