Article

A Novel Encryption Scheme in Ship Remote Control against Differential Fault Attack

College of Marine Engineering, Dalian Maritime University, Dalian 116026, China
* Author to whom correspondence should be addressed.
Appl. Sci. 2022, 12(16), 8278; https://doi.org/10.3390/app12168278
Submission received: 19 July 2022 / Revised: 16 August 2022 / Accepted: 17 August 2022 / Published: 19 August 2022
(This article belongs to the Section Marine Science and Engineering)

Abstract

Cyber security has drawn more attention in the research of intelligent and unmanned ships. The remote control commands transmitted in time sequence have a high similarity. This makes the ships more vulnerable to cyber-attacks, especially when they are controlled remotely. Aiming at the defense against Differential Fault Attack (DFA), this paper improves the SM4 algorithm in the phases of S-box generation and round encryption. The Wasserstein GAN with Gradient Penalty (WGAN-GP) is used to generate S-boxes dynamically to confuse differential distribution tables. After the round encryption, a combination transformation is further applied to defend against DFA. The corresponding symmetric decryption algorithm is also developed. Simulation results show that the generated S-boxes meet the cryptographic criteria and that the combined transformation effectively hides the sensitive information in the output ciphertext and guards against DFA.

1. Introduction

Leading ship manufacturers and operators now expect to deploy intelligent ships with increased monitoring, communication, and connection capabilities to access and manage ships from anywhere at any time via remote land services [1]. An intelligent ship combines the advantages of sensor technology, communication technology, intelligent control, big data technology and other comprehensive technologies to build a cyber physical system (CPS) that integrates resources and information analysis and processing, as shown in Figure 1. It is used to automatically perceive the information of ship equipment, marine environment, port logistics and so on, to realize real-time decision-making and control. With the introduction of intelligent ship CPS, the system becomes more complex. Network attacks can take advantage of loopholes in communication links and directly affect the integrity or availability of data and control systems, resulting in ship accidents [2]. In the real-time information sharing of intelligent ships, data security is important. Data is the carrier of information in the network. Ensuring the safety of data means that ships can receive correct instructions and environmental information in time. On the one hand, it ensures the navigation safety of ships; on the other hand, for ship operators, it avoids property losses caused by data and privacy leakage.
The shore-based platform needs to collect the status information of intelligent ships continually during navigation, to provide real-time remote control, status monitoring and auxiliary decision-making functions. Rødseth et al. [3] point out that the communication system, position sensing and vehicle control system should be protected from exposure in typical high-risk scenarios, including terrorism. The engine room data, meteorological data and ocean current data of intelligent ship CPS vary only slightly, which leads to high similarity of message contents within a short time. The symmetric encryption algorithm is less sensitive to this kind of plaintext and cannot effectively resist chosen-plaintext and chosen-ciphertext attacks [4]. In the remote control of intelligent ships, the ships are taken over by the shore-based control center, which completes direct control, indirect control, and situation processing [5]. Remote control instructions have the most significant impact on the safe navigation of ships. The data link layer of the ship CPS includes communication equipment such as microwave and 5G. These devices receive the remote control instructions sent continually by the shore-based control center to complete the expected navigation objectives, feed back the ship's state and environmental parameters simultaneously, and then process this information. The amount of feedback data changes with the complexity of the system. The message data varies greatly in a short time, but the message data frame of the control instruction is short and has high reusability. Therefore, remote control instructions have higher requirements for data security. For this data, an asymmetric encryption algorithm offers high security. Still, the delay caused by large-scale asymmetric encryption and decryption has a potential impact on the stability of intelligent ship CPS [6].
Under complex sea conditions, there are risks such as the ship remote control delay becoming larger and ships going out of control. Using a symmetric encryption algorithm can ensure data security with fewer system resources. However, block ciphers generally have poor protection against DFA, and the ship CPS has no facilities designed for hardware protection of encryption. Thus, there are potential threats and vulnerabilities to DFA, which cannot meet the absolute security requirements of intelligent ship data transmission.
AungMaw et al. applied blockchain technology to ensure that the data security of industrial control systems meets the requirements of data invariance and redundancy [7]. However, this technology has high requirements for computing power and the size of data space, and puts considerable pressure on the ship-end platform of CPS. With the continuous increase of historical data, the stability of the whole system cannot be guaranteed. Iyer et al. [8] designed a data security management system based on hybrid encryption, which uses a symmetric encryption algorithm to encrypt the original data and an asymmetric encryption algorithm to encrypt the symmetric key, which improves security while ensuring the efficiency of data encryption. However, this method did not improve the poor protection of symmetric encryption algorithms against DFA. The development of neural networks and complex network topology led to the realization that such an application is the next development direction of good cryptography. Volna et al. [9] proposed a data encryption technology based on GAN, which takes the network itself as the encryption and decryption key. This method effectively mitigates attacks on the encryption algorithm itself, but fails to guarantee performance in the case of a long key.
In the selection between stream cipher and block cipher, a stream cipher such as RC4 encrypts bit by bit, and the change of a single bit can be easily seen in the ciphertext. Therefore, it is not suitable for hard disk encryption, which means that it is not suitable for encryption of a ship’s historical state database. If a stream cipher is used for remote control commands and a block cipher is used for other parts, this will increase the complexity of the ship CPS and may introduce other unforeseen risks and vulnerabilities. Therefore, the whole ship CPS uses the same encryption algorithm, that is, the SM4 block cipher. This paper applies the SM4 algorithm to encrypt data in the border security gateway to meet the stability and data security requirements of intelligent ship CPS. With the aim of tackling the problem of DFA in symmetric encryption algorithms, the application scheme and optimization scheme are designed.
The rest of this paper is organized as follows:
  • Preliminaries: We introduce SM4 encryption algorithm and specific model of DFA;
  • Prevention of DFA: It is proposed to use the WGAN-GP to generate S-boxes dynamically with good cryptographic indicators to replace the original S-boxes, to confuse the differential distribution table. An algorithm optimization scheme is proposed. The combined transform is further applied after the round encryption, so that the attacker cannot recover the correct encryption key through the output ciphertext obtained by DFA;
  • Results and discussion: We analyze, using the CPS of an intelligent ship as an example, the data security threats in ship-shore communication and evaluate the S-boxes. Before and after applying the optimization scheme, we compare the plaintext of the control instruction data frame with the ciphertext to verify the scheme’s effectiveness in preventing DFA. In addition, some safety suggestions on hardware and management are put forward;
  • Conclusions.

2. Preliminaries

This section introduces the standard SM4 encryption algorithm as the basis of the improved SM4 algorithm proposed in this paper. A kind of DFA against the SM4 algorithm is then described, which is the specific DFA model that this scheme aims to prevent.

2.1. SM4 Encryption Algorithm

SM4 is a symmetric encryption algorithm, specifically a block cipher, issued by the Organization of State Commercial Administration of China [10]. Its advantages include speed and ease of implementation in both software and hardware, and it has little impact on the stability of the intelligent ship information integration platform. The SM4 algorithm has a block length of 128 bits and a key length of 128 bits, and is composed of two algorithm modules: the data encryption algorithm and the key expansion algorithm. Both the data encryption algorithm and the key expansion algorithm adopt 32 rounds of iteration of a round function with a similar structure [11]. Detailed descriptions of the data encryption algorithm and the key expansion algorithm are provided below:
Data encryption and decryption. Let $Z_2^e$ denote the set of $e$-bit vectors, let $\lll i$ denote a 32-bit cyclic left shift by $i$ bits, and let $\oplus$ denote XOR. Let the plaintext input be $X = (X_0, X_1, X_2, X_3) \in (Z_2^{32})^4$ and the ciphertext output be $Y = (Y_0, Y_1, Y_2, Y_3) = (X_{35}, X_{34}, X_{33}, X_{32})$. The round function of each iteration is:
$$X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i) = X_i \oplus T(X_{i+1} \oplus X_{i+2} \oplus X_{i+3} \oplus rk_i), \quad i = 0, 1, 2, \ldots, 31 \tag{1}$$
where $X_i$, $Y_i$ and $rk_i$ are 32 bits, and $rk_i$ is the round key. The synthetic permutation $T$ is a reversible transform, which consists of a nonlinear transform $\tau$ and a linear transform $L$, i.e., $T(\cdot) = L(\tau(\cdot))$. The nonlinear transform $\tau$ is composed of four parallel S-boxes. If the input is $A = (a_0, a_1, a_2, a_3) \in (F_2^8)^4$ and the output is $B = (b_0, b_1, b_2, b_3) \in (F_2^8)^4$, then $(b_0, b_1, b_2, b_3) = \tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3))$.
The input of the linear transform $L$ is the output of the nonlinear transform $\tau$. If the input is $B \in F_2^{32}$ and the output is $C \in F_2^{32}$, then
$$C = L(B) = B \oplus (B \lll 2) \oplus (B \lll 10) \oplus (B \lll 18) \oplus (B \lll 24) \tag{2}$$
The last round of encryption is followed by the reverse transform $R$:
$$R(Y_3, Y_2, Y_1, Y_0) = (Y_0, Y_1, Y_2, Y_3), \quad Y_i \in F_2^{32} \ (i = 0, 1, 2, 3) \tag{3}$$
The encryption process of the SM4 algorithm is shown in Figure 2.
The decryption algorithm has the same structure as the encryption algorithm, except that the round keys are used in reverse order.
The function of the key expansion algorithm is to use the encryption key to generate the round keys $rk_i$ of the encryption algorithm. If the encryption key $MK = (MK_0, MK_1, MK_2, MK_3) \in (Z_2^{32})^4$ is set, the initial key is:
$$(k_0, k_1, k_2, k_3) = (MK_0 \oplus FK_0, MK_1 \oplus FK_1, MK_2 \oplus FK_2, MK_3 \oplus FK_3) \tag{4}$$
$$rk_i = k_{i+4} = k_i \oplus T'(k_{i+1} \oplus k_{i+2} \oplus k_{i+3} \oplus ck_i), \quad i = 0, 1, 2, \ldots, 31 \tag{5}$$
where the transform $T'$ is the transform $T$ with the linear transform $L$ replaced by $L'$:
$$L'(B) = B \oplus (B \lll 13) \oplus (B \lll 23) \tag{6}$$
$FK$ in Equation (4) and $ck_i$ in Equation (5) are fixed values set in the relevant standard documents [10].
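The structure described in this section, as an added example (not code from the paper): the round function, $L$, $L'$ and the key expansion, with the S-box passed in as a parameter so that the same code runs with the standard table or a replaced one. The two S-boxes, the key and the command frame are constructed stand-ins (seeded byte permutations, not the standard table in [10] and not WGAN-GP output), and using the replaced S-box in the key expansion as well is an assumption.

```python
import random

MASK32 = 0xFFFFFFFF
# FK and CK are the fixed parameters of the SM4 standard;
# byte j of CK[i] is (4*i + j) * 7 mod 256.
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [int.from_bytes(bytes(((4 * i + j) * 7) % 256 for j in range(4)), "big")
      for i in range(32)]

KEY = bytes(range(16))           # constructed 128-bit key
FRAME = b"RUDDER+05;RPM080"      # constructed 16-byte command frame


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def tau(word, sbox):
    """Nonlinear transform: four parallel S-box lookups, one per byte."""
    return int.from_bytes(bytes(sbox[b] for b in word.to_bytes(4, "big")), "big")


def lin(b):
    """Linear transform L of the data path."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)


def lin_key(b):
    """Linear transform L' of the key expansion."""
    return b ^ rotl32(b, 13) ^ rotl32(b, 23)


def words(data):
    if len(data) != 16:
        raise ValueError("SM4 blocks and keys are 16 bytes")
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, 16, 4)]


def expand_key(key, sbox):
    """rk_i = k_{i+4} = k_i xor T'(k_{i+1} xor k_{i+2} xor k_{i+3} xor ck_i)."""
    k = [mk ^ fk for mk, fk in zip(words(key), FK)]
    for i in range(32):
        k.append(k[i] ^ lin_key(tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i], sbox)))
    return k[4:]


def crypt_block(block, round_keys, sbox):
    """32 rounds of X_{i+4} = X_i xor T(...), then the reverse transform R."""
    x = words(block)
    for i in range(32):
        x.append(x[i] ^ lin(tau(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ round_keys[i], sbox)))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[32:]))


def encrypt(block, key, sbox):
    return crypt_block(block, expand_key(key, sbox), sbox)


def decrypt(block, key, sbox):
    # Same structure as encryption, round keys in reverse order.
    return crypt_block(block, expand_key(key, sbox)[::-1], sbox)


def constructed_sbox(seed):
    """Constructed stand-in S-box: a seeded random permutation of 0..255."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


def demo():
    s_old, s_new = constructed_sbox(1), constructed_sbox(2)
    c_old = encrypt(FRAME, KEY, s_old)
    c_new = encrypt(FRAME, KEY, s_new)
    return {
        "roundtrip_old": decrypt(c_old, KEY, s_old) == FRAME,
        "roundtrip_new": decrypt(c_new, KEY, s_new) == FRAME,
        "ciphertext_changed": c_old != c_new,
        "stale_sbox_fails": decrypt(c_new, KEY, s_old) != FRAME,
    }


if __name__ == "__main__":
    print(demo())
```

Decryption succeeds with any S-box table because the round structure never inverts $S$, but a receiver still holding the previous table cannot decrypt, so both ends have to switch tables at the same frame boundary.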

2.2. Differential Fault Attack

As a type of fault attack, Differential Fault Attack (DFA) is a powerful attack strategy against block symmetric cryptographic algorithms. The attacker can inject a fault into an intermediate value of the algorithm, which drastically reduces the amount of data needed to recover the key information [12]. During the voyage of the intelligent ship, the ship’s communication management personnel cannot be replaced in time. If an internal attacker is present, even if the key is frequently changed, the threat of such an attack cannot be ruled out [13]. If the attacker obtains the key of the ship's encrypted communication through DFA, this will affect the navigation and remote control of the ship [14]. Consequently, it is crucial to provide an optimization technique to lower the risk of such attacks.
In order to ease comprehension of the optimization strategy presented in this research, a class of fault modes provided in reference [15] is investigated in conjunction with the SM4 algorithm’s fundamental principle:
  1. The ciphertext $Y = (Y_0, Y_1, Y_2, Y_3) = (X_{35}, X_{34}, X_{33}, X_{32})$ produced from the random plaintext $X$ under the key $K$ is known. Induce a random byte fault in the word $X_{32}$ in the input $(X_{31}, X_{32}, X_{33}, X_{34})$ of the 32nd round of encryption to obtain $X_{32}^*$, and thus obtain the faulty ciphertext $Y^* = (Y_0^*, Y_1^*, Y_2^*, Y_3^*) = (X_{35}^*, X_{34}^*, X_{33}^*, X_{32}^*)$.
  2. By $\Delta A_{32} = \Delta(X_{32} \oplus X_{33} \oplus X_{34} \oplus rk_{31}) = \Delta X_{32} = Y_3 \oplus Y_3^*$, locate the fault byte position $\Delta a_{32,j}$, $j \in \{0, 1, 2, 3\}$ in the input of the S-box, which is also the position of the induced byte fault in $X_{32}$.
  3. The fault byte position $\Delta c_{32,j}$, $j \in \{0, 1, 2, 3\}$ in the output of the linear transform $L$ is located by the two identical bytes in $\Delta C_{32} = \Delta X_{35} \oplus \Delta X_{31} = \Delta X_{35} = Y_0 \oplus Y_0^*$. At the same time, $(\Delta C_{32})_{(j-1) \bmod 4} = (\Delta C_{32})_{(j-2) \bmod 4} = \Delta b_{32,j} \lll 2$ can be deduced to obtain $\Delta b_{32,j}$ according to the shift and XOR operations in the linear transform $L$.
  4. For the S-box transform of round $i$ in the SM4 algorithm: $IN(\Delta a_{32,j}, \Delta b_{32,j}) = \{ z_{i,j} \mid z_{i,j} \in F_2^8,\ S(z_{i,j}) \oplus S(z_{i,j} \oplus \Delta a_{i,j}) = \Delta b_{i,j} \}$. According to the difference table of the S-box (the input value can be derived from the known input difference and output difference), it can be determined that the $j$th byte value of $rk_{31}$ meets $rk_{31,j} \oplus (X_{32} \oplus X_{33} \oplus X_{34})_j \in IN(\Delta a_{32,j}, \Delta b_{32,j})$, and then $rk_{31}$ can be derived. In this step, two $z_{i,j}$ meet the conditions, but only one can be used to recover the key.
  5. Repeat steps 1 to 4 to recover all byte values of $rk_{31}$.
  6. All byte values of $rk_{30}$, $rk_{29}$ and $rk_{28}$ are recovered by using the above method.
  7. Using the key expansion algorithm, the encryption key $MK$ is recovered from the round keys $rk_{31}$, $rk_{30}$, $rk_{29}$ and $rk_{28}$ obtained above.

3. Prevention of DFA

The encryption key can be recovered with at most (8 × 2) × 4 = 64 fault inducements, but in fact it only needs an average of 47 fault inducements. These calculations take no more than 1 ms to complete on a computer with ordinary performance. Therefore, on the one hand, the encryption devices should be physically protected to prevent the attacker from inducing faults in them. On the other hand, the algorithm itself can be optimized to confuse the results of fault induction and to increase the amount of calculation consumed by the attack as much as possible. This gives the sensing system time to discover the attack behavior and to take effective protective measures in time.
The infection prevention scheme proposed by Yen et al. implicitly verifies the ciphertext difference $\Delta C$ by adding redundant encryption, so that the wrong ciphertext and ciphertext difference cannot be sent [16]. Based on adding redundant encryption, Zhang et al. [17] processed the ciphertext difference of the two encrypted outputs with a random vector, which masks the output of the original ciphertext and outputs the processed ciphertext, so that the attacker cannot get the correct ciphertext difference, and prevented double fault attack by adding a message verification code to the redundant encrypted plaintext. The above methods resist DFA by adding external protection and verification mechanisms, which to a certain extent ensures that the sensitive information induced by the fault cannot be sent out. They do not fundamentally solve the problem of "exposure" of sensitive information.

3.1. Differential Distribution Table

According to Section 2.2, the key step of DFA is to recover the input information of the S-box by using the differential distribution table of the S-box combined with the indirectly obtained $\Delta a_{i,j}$ and $\Delta b_{i,j}$, after which the round key and encryption key can be recovered. However, this sensitive information can be directly obtained from the ciphertext difference, and the differential distribution table of the original S-box is public. This paper designs a prevention scheme against DFA based on the concept of a “defense in depth strategy” [18]. That is, new S-boxes are generated dynamically based on WGAN-GP to confuse the differential distribution table of SM4, preventing DFA at the level of the encryption component, and an optimization scheme is then designed to prevent DFA at the level of the algorithm principle.
The S-box of the SM4 algorithm is an encryption component that adds confusion. It can be regarded as a vector Boolean function with an input of $m$ bits and an output of $m$ bits, i.e., $S: F_2^m \to F_2^m$, $X \mapsto Y = S(X)$. The cryptographic characteristics of the S-box reflect its ability to ensure data security in the application of the encryption algorithm.
To address DFA on the ship-shore communication data of intelligent ships, this paper replaces the S-box to dynamically change the differential distribution table. However, the number of S-boxes with excellent cryptographic characteristics is limited and they are difficult to generate. At present, the proposed S-box generation methods include generation based on random replacement [19,20] and generation using chaotic systems [21]. The former has good randomness, but it cannot guarantee the cryptographic characteristics of S-boxes, and it easily produces weak S-boxes with low security. The latter takes advantage of the good key sensitivity of the chaotic system, but it requires a lot of floating-point operations and discretization processing in the generation process. It will be limited by hardware performance, and weak S-boxes may still be generated. In this paper, we generate S-boxes by using WGAN-GP, which generates similar S-boxes by learning the distribution of excellent S-boxes.
Generative Adversarial Network (GAN) is a new framework for estimating the generation model through the confrontation process proposed by Ian J. Goodfellow and others in 2014 in Generative adversarial networks [22]. The framework of the original GAN theory includes two models, Generator (G) and Discriminator (D), which achieve Nash equilibrium through cross training and then output generated pictures. Because the loss function in the original GAN is JS divergence, the output of the generator overlaps very little with the distribution of the S-box. It cannot reflect the distance between the two distributions, resulting in the disappearance of the gradient. Therefore, the WGAN-GP model with Wasserstein distance and gradient penalty is used in this paper [23]. Its objective function is:
$$L = \mathbb{E}_{\tilde{x} \sim P_g}[D(\tilde{x})] - \mathbb{E}_{x \sim P_r}[D(x)] + \lambda\, \mathbb{E}_{\hat{x} \sim P_{\hat{x}}}\left[(\|\nabla_{\hat{x}} D(\hat{x})\|_2 - 1)^2\right] \tag{7}$$
In this paper, following reference [24], we apply an affine transform to the S-box [10] of the SM4 algorithm to get a new S-box (denoted $S'$), where $S'(X) = (A \times Y) \oplus C$, to build the training data set, where $A$ is an affine matrix and $C$ is a constant vector. The cryptographic indexes of the S-box are not affected by the affine transform, so the S-boxes generated this way have good cryptographic characteristics and are suitable for use as the training data set of WGAN-GP.
In terms of the adjustment and use of WGAN-GP, this paper attempts to use one-dimensional and two-dimensional deconvolution and convolution as the internal network of the generator and discriminator for training and comparison. In the early stage, we regarded the S-box as a sequence of 256 bits and trained it with a GAN with a one-dimensional convolution and deconvolution structure. The results show that the one-dimensional structure cannot learn the distribution of the S-box well, and problems such as mode collapse and gradient disappearance occur. We realized that the S-box is more like a 16 × 16 single-channel picture. Therefore, the convolution dimension of the generator and discriminator is chosen to be two-dimensional. The numbers of training steps of the generator and the discriminator in a single iteration are modified to balance their capabilities. The outputs of the generator are converted into integers by data processing, and the structure of the discriminator is modified. Because the JS divergence between integers cannot be calculated, it is replaced by the Wasserstein distance. Mode collapse may be caused by having too few training samples. To solve this problem, in the training sample generation stage, the number of training samples is significantly increased by removing the restriction on the fixed-point parameter of the samples. Although this reduces the quality of the samples, we believe that GAN has low sensitivity to fixed points and this will not affect its training effect. We can limit and screen the fixed-point parameter of the GAN output to improve its quality.
The model parameters are shown in Table 1. In training, a 100-dimensional noise is used as the input of the generator. The output of the generator and the S-box of the data set are used as the input of the discriminator, as shown in Figure 3.
The training of GAN does not participate in the encryption and decryption process, and its training is independent. With the increase of iteration, GAN reaches Nash-equilibrium and outputs S-box with good performance. At this time, we stop the training and save the network structure. When there is a need to replace the S-box, a batch of S-boxes are generated by using the saved GAN and the usable S-boxes are selected for replacement after detecting some parameters. This process will not affect the encryption and decryption process.
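One way to run the screening step described above, and to check the statement that an affine transform of the S-box output leaves the cryptographic indexes unchanged (an added example, not the paper's code). The base S-box is a constructed stand-in (inversion in GF(2^8)), the matrix $A$ and constant $C$ are those of the AES affine map, chosen only because that matrix is known to be invertible, and the acceptance thresholds are hypothetical because the page gives none.

```python
def gf_inverse_sbox(poly=0x11B):
    """Constructed base S-box: x -> x^-1 in GF(2^8), with 0 -> 0."""
    def mul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a <<= 1
            if a & 0x100:
                a ^= poly
            b >>= 1
        return r

    table = [0] * 256
    for x in range(1, 256):
        y = 1
        for _ in range(254):          # x^254 = x^-1 in GF(2^8)
            y = mul(y, x)
        table[x] = y
    return table


def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def affine(sbox, const=0x63):
    """S'(X) = (A x S(X)) xor C, with A an invertible circulant bit matrix."""
    return [y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ const
            for y in sbox]


def is_bijective(sbox):
    return len(sbox) == 256 and sorted(sbox) == list(range(256))


def fixed_points(sbox):
    return [x for x in range(256) if sbox[x] == x]


def differential_uniformity(sbox):
    """Largest entry of the differential distribution table for da != 0."""
    worst = 0
    for da in range(1, 256):
        row = [0] * 256
        for x in range(256):
            row[sbox[x] ^ sbox[x ^ da]] += 1
        worst = max(worst, max(row))
    return worst


def nonlinearity(sbox):
    """128 - max|W|/2 over all nonzero output masks (fast Walsh-Hadamard)."""
    worst = 0
    for mask in range(1, 256):
        w = [1 - 2 * (bin(sbox[x] & mask).count("1") & 1) for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        worst = max(worst, max(abs(v) for v in w))
    return 128 - worst // 2


def screen(sbox, min_nl=100, max_du=8, max_fixed=0):
    """Accept or reject one generated candidate (thresholds are hypothetical)."""
    if not is_bijective(sbox):
        # Rounded generator output can repeat values or leave 0..255.
        return {"accept": False, "reason": "not a permutation of 0..255"}
    report = {
        "nonlinearity": nonlinearity(sbox),
        "differential_uniformity": differential_uniformity(sbox),
        "fixed_points": len(fixed_points(sbox)),
    }
    report["accept"] = (report["nonlinearity"] >= min_nl
                        and report["differential_uniformity"] <= max_du
                        and report["fixed_points"] <= max_fixed)
    return report


if __name__ == "__main__":
    base = gf_inverse_sbox()
    for name, box in [("base", base), ("affine(base)", affine(base)),
                      ("identity", list(range(256)))]:
        print(name, screen(box))
```

The base table and its affine image report the same nonlinearity and differential uniformity; only the fixed-point count differs, which is the parameter the text says is screened after generation.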

3.2. Combined Transform

The optimization scheme increases the difficulty of obtaining $\Delta a_{i,j}$ through DFA. The algorithm optimization scheme is as follows:
  • Take the last round of encryption and the reverse transform in the encryption process as an example (the following descriptions all use this round). $Y_3$ is no longer directly shifted from the original $X_{32}$, but is first combined with $X_{33}$ and $X_{34}$ through the transform $F(X_{32}, X_{33}, X_{34}) = (T_0, T_1, T_2)$, as shown in Figure 4.
  • The result then passes through an S-box transform and an XOR with the round key, that is
    $(S(T_0) \oplus rk_{31}, S(T_1) \oplus rk_{31}, S(T_2) \oplus rk_{31}) = (F_0, F_1, F_2)$.
  • Finally, the output ciphertext $R(F_0, F_1, F_2, X_{35}) = R(Y_3, Y_2, Y_1, Y_0) = (Y_0, Y_1, Y_2, Y_3)$ is obtained by the reverse transform.

4. Results and Discussion

4.1. Ship Shore Transmission Network

This paper takes the network system of the CPS of an intelligent ship as an example, as shown in Figure 4. Intelligent ship CPS integrates information communication technology and all function-oriented subsystems to develop a networked, information-based and intelligent integrated monitoring and management system. The network system consists of satellite communication, 4G tracking antenna, 4G array antenna, Beidou antenna and display and control terminal, VEDS communication antenna, external communication management platform, on-site integrated control network, and life network. Multiple business subnets are set up according to different business needs, and safety equipment is used to isolate the subnets to ensure the security of data and business. The interaction between the ship-end network system and the wide area network uses the border security gateway to provide security protection at the network layer. At the exit of the on-site integrated control network and living network, the ship-shore communication behavior management server provides data transfer and caching, flow monitoring, filtering, user authority management, and other functions. The service function layer is responsible for ship monitoring and business processing, and is the most complex part of the network structure in CPS. The CPS network of the intelligent ship realizes the collection of information resources and equipment management of the whole ship through the interaction of internal application services and external access systems.
In the network structure in Figure 5, the communication connection between the business subnets in the ship LAN and the communication connection with the WAN are the risk points of the intelligent ship CPS. The data security risks it faces are similar to other IoT systems, such as malware attacks, DDoS attacks, hacker attacks, malicious insiders, etc. At the same time, the lack of a risk assessment scheme for complex business subnet of intelligent ships CPS will lead to exposing potential risk points to attackers [25]. To ensure data security, data encryption algorithms are usually applied in border security gateways or other security protection systems, combined with identity recognition and other mechanisms to ensure that data is not tampered with, stolen and forged by attackers [26].

4.2. Analysis of Experimental Results

The experimental environment is shown in Table 2.
The S-boxes generated in Section 3 are sampled and evaluated. Figure 6 shows one of the generated S-boxes. The evaluation indicators include nonlinearity $N_F$, differential uniformity $\delta_F$, algebraic degree $\deg_F$ and avalanche characteristics, and the results are compared with the original S-box of SM4. The evaluation results are shown in Table 3. Among them, nonlinearity $N_F$ is a nonlinear criterion used to measure the ability to resist linear attacks. The greater the nonlinearity, the stronger the ability to resist linear attack. Differential uniformity $\delta_F$ is used to measure the ability of a cryptographic algorithm to resist differential cryptanalysis. To resist differential cryptanalysis attacks, the lower the differential uniformity, the better. If the algebraic degree $\deg_F$ is too low, the cryptographic algorithm is vulnerable to higher-order differential cryptanalysis. The strict avalanche distance is an important index to measure the anti-attack ability of the S-box. The smaller the strict avalanche distance of each component function, the better. Although the indexes of the S-boxes generated in this paper are slightly weaker than those of the original S-box, their generation speed is fast and can meet the requirement of replacing the S-box at any time. We take the plaintext of a command message data frame of the remote control of the intelligent ship as an example. Comparing the ciphertext before and after the dynamic replacement of the S-box shows that replacing the S-box changes not only the differential distribution table but also the corresponding ciphertext, and that the generated S-boxes do not significantly reduce the information entropy of the ciphertext, as shown in Table 4.
The results show that the generated S-boxes have good cryptographic characteristics. As a dynamic replacement for the SM4 algorithm, generated S-boxes can ensure the data security of intelligent ships.
The optimization scheme is applied at the end of the original round encryption. Even if the algorithm mechanism and S-box are public, the attacker can only obtain the difference table of the S-box and directly obtain $\Delta F_i = \Delta(S_i \oplus rk_{31}) = \Delta S_i$ from the correct ciphertext and the wrong ciphertext. The attacker has no way to obtain $T_i$, cannot recover the input $T_i$ of the S-box in the optimization scheme, and cannot go on to derive the values of $X_{32}$, $X_{33}$, $X_{34}$ and the corresponding difference value $\Delta a_{i,j}$. The optimization scheme defends against DFA and double fault attack at the level of the encryption algorithm. Suppose the fault occurs at an intermediate stage, for example a fault is induced in the word $X_{28}$ in the input $(X_{27}, X_{28}, X_{29}, X_{30})$ of the 28th round of encryption. The output of the 28th round is $(X_{28}^*, X_{29}, X_{30}, X_{31}^*)$. The output of the 29th round is $(X_{29}, X_{30}, X_{31}^*, X_{32}^*)$. The output of the 30th round is $(X_{30}, X_{31}^*, X_{32}^*, X_{33}^*)$. The output of the 31st round is $(X_{31}^*, X_{32}^*, X_{33}^*, X_{34}^*)$. The output of the 32nd round is $(X_{32}^*, X_{33}^*, X_{34}^*, X_{35}^*)$. Here, $*$ indicates that the word carries fault information. After simplification, the output differences are: $\Delta X_{32} = \Delta X_{28} \oplus T(\Delta X_{31})$, $\Delta X_{33} = T(\Delta X_{31} \oplus \Delta X_{32})$, $\Delta X_{34} = T(\Delta X_{31} \oplus \Delta X_{32} \oplus \Delta X_{33})$, $\Delta X_{35} = \Delta X_{31} \oplus T(\Delta X_{32} \oplus \Delta X_{33} \oplus \Delta X_{34})$.
Here, $\Delta X_{31} = \Delta X_{35} \oplus T(\Delta X_{32} \oplus \Delta X_{33} \oplus \Delta X_{34}) = T(\Delta X_{28})$, and then $\Delta X_{28} = \Delta X_{32} \oplus T(\Delta X_{31})$. Taking $\Delta X_{28}$ as $\Delta A$ and $\Delta X_{31}$ as $\Delta C$, the key of round 28 can be recovered when the difference table is known. After applying the combined transform, $\Delta X_{35} = \Delta X_{31} \oplus T(\Delta F_{32} \oplus \Delta F_{33} \oplus \Delta F_{34}) = \Delta X_{31} \oplus T(\Delta S_{32} \oplus \Delta S_{33} \oplus \Delta S_{34})$. At this point, since the original $X_{32}$, $X_{33}$ and $X_{34}$ before the combination transform cannot be obtained, the values of $\Delta S_{32}$, $\Delta S_{33}$ and $\Delta S_{34}$ cannot be derived, so $\Delta X_{31}$ cannot be obtained. The key therefore cannot be recovered either.
Figure 7 shows the influence on DFA of applying the combined transform. The red part is the $\Delta A$ calculated from the correct ciphertext and the wrong ciphertext in a certain round of DFA. The green part is the comparison between the $rk_j$ obtained by DFA and the correct $rk_j$. The original $X_{32}$, $\Delta X_{32}$ and $rk_{31}$ that induce the fault in the figure are internal values of the algorithm, which cannot be obtained by the attacker. They are shown here only to verify the optimization effect. The range of the fault difference is spread from $Y_0$ to $(Y_0, Y_1, Y_2)$, and the specific position is determined by the change rules of $X_i \to T_i$ in the combination transform. If the fault difference still appears in $Y_1$, the correct key information cannot be recovered from the obtained $\Delta A$. If the fault difference appears in $(Y_1, Y_2)$, then there is no fault information in $\Delta A$; the attacker can only use $Y_1$ or $Y_2$, but is still unable to recover the correct ciphertext information. The board-shore communication management personnel can regularly change the S-box and the transform rule of $X_i \to T_i$ at the same time, which increases the complexity of attacking the algorithm. Compared with the infection scheme, the improved SM4 algorithm in this paper needs less computation cost. It can ensure the data security of the CPS of intelligent ships.
Disadvantages: Although the output $F_i$ of the combined transform increases the difficulty of obtaining $\Delta a_{i,j}$, as the input of the next round of encryption it needs to be stored in the storage unit and may be exposed to the attacker. Therefore, the optimization scheme has no effect on the difficulty of acquiring $\Delta C$ and $\Delta b_{i,j}$, and the scheme cannot locate the fault source. The implementation of the improved SM4 algorithm is based on the premise that its intermediate values $T_i$ and $S_i$ are not stored in the storage unit; otherwise DFA remains a threat. In the improved SM4 source code, we avoid using separate variables for $T_i$ and $S_i$ in encryption and decryption operations. Instead, they are replaced by other variables and calculation processes that appear in the context. In addition, if it is unavoidable to use variables to store these two parameters, the hardware including the storage unit can be physically protected to avoid DFA.

4.3. Safety Suggestions for CPS

To ensure the data security of ship CPS, this paper also puts forward the following suggestions on hardware and management.
Hardware. The safety gateway, switch, and other equipment already installed in the ship's CPS can detect, intercept and distribute the data flow. Among them, the border security gateway and the ship-shore communication behavior management server responsible for data encryption and decryption must be physically protected to prevent power consumption analysis and side channel attacks against hardware. If necessary, a hardware encryption device with mask technology is required. In addition to using cryptographic technology, it is also essential to use encrypted channels for data transmission to ensure data security and redundancy.
Management. The management of keys, including generation, storage, distribution, use, backup or recovery, update, revocation and destruction, should be improved, as should the authority management of communication-related personnel. Although these contents have been improved and relevant standards have been issued in other fields, such as intelligent factories, adaptive modifications should be made to the existing standards for intelligent ships to adapt to the ocean-going operation environment of ships.

5. Conclusions

This paper analyzes the requirements of intelligent ships for data security, and proposes an improved SM4 algorithm for the security threats of DFA. The S-boxes are generated dynamically by WGAN-GP. For the same plaintext, the corresponding ciphertext and the differential distribution table are effectively changed after replacing the S-box. The information entropy of the ciphertext, that is, the degree of chaos, changes little. The combination transform can effectively confuse the two pieces of sensitive information easily obtained by the attacker in the output ciphertext, so that the improved SM4 algorithm can prevent a kind of DFA. The application of the improved SM4 algorithm in the border gateway of intelligent ship CPS can ensure data security.

Author Contributions

Conceptualization, T.W., H.Z. and J.Z.; methodology, T.W. and H.Z.; software, T.W.; validation, T.W. and H.Z.; formal analysis, T.W.; investigation, H.Z.; resources, H.Z.; data curation, T.W.; writing—original draft preparation, T.W., D.L. and D.S.; writing—review and editing, T.W. and D.S.; visualization, D.L.; supervision, H.Z.; project administration, H.Z. and J.Z.; funding acquisition, H.Z. and J.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by a grant from the High Technology Ship Research and Development Program of the Ministry of Industry and Information Technology of China (CJ02N20).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The processed data cannot be shared at this time as the data also forms part of an ongoing study.

Acknowledgments

This structure of CPS was provided by our intelligent ship project team. Thanks for their support in this work.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Katsikas, S.K. Cyber Security of the Autonomous Ship. In Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security, CPSS 2017, Abu Dhabi, United Arab Emirates, 2 April 2017; ACM: New York, NY, USA, 2017; pp. 55–56.
  2. Bolbot, V.; Theotokatos, G.; Boulougouris, E.; Vassalos, D. A novel cyber-risk assessment method for ship systems. Saf. Sci. 2020, 131, 104908.
  3. Rødseth, Ø.J.; Burmeister, H.C. Risk assessment for an unmanned merchant ship. TransNav Int. J. Mar. Navig. Saf. Sea Transp. 2015, 9, 357–364.
  4. Huang, L.; Li, W.; Xiong, X.; Yu, R.; Wang, Q.; Cai, S. Designing a double-way spread permutation framework utilizing chaos and S-box for symmetric image encryption. Opt. Commun. 2022, 517, 128365.
  5. Fan, C.; Montewka, J.; Zhang, D. Towards a Framework of Operational-Risk Assessment for a Maritime Autonomous Surface Ship. Energies 2021, 14, 3879.
  6. Koti, R.B.; Kakkasageri, M.S. Delay and Energy Optimized Safety Information Dissemination Scheme in V2I Networks. Int. J. Inf. Technol. Comput. Sci. 2022, 14, 34–51.
  7. Maw, A.; Adepu, S.; Mathur, A. ICS-BlockOpS: Blockchain for operational data security in industrial control system. Pervasive Mob. Comput. 2019, 59, 101048.
  8. Iyer, S.C.; Sedamkar, R.R.; Gupta, S. A Novel Idea on Multimedia Encryption Using Hybrid Crypto Approach. Procedia Comput. Sci. 2016, 79, 293–298.
  9. Volna, E.; Kotyrba, M.; Kocian, V.; Janosek, M. Cryptography Based On Neural Network. In Proceedings of the 26th European Conference on Modelling and Simulation, Koblenz, Germany, 29 May–1 June 2012; pp. 386–391.
  10. GB/T 32907-2016 Information Security Technology-SM4 Block Cipher Algorithm[S]; General Administration of Quality Supervision, Inspection and Quarantine of the People’s Republic of China, China National Standardization Administration. China Standards Press: Beijing, China, 2016.
  11. Feng, Y.; Zhu, Z.; Feng, Z. Principle and implementation of SM4 algorithm. Radio Telev. Netw. 2019, 354, 94–96.
  12. Baksi, A. DEFAULT: Cipher-Level Resistance Against Differential Fault Attack. In Classical and Physical Security of Symmetric Key Cryptographic Algorithms; Baksi, A., Ed.; Springer: Singapore, 2022; pp. 177–216.
  13. Dixit, P.; Gupta, A.K.; Trivedi, M.C.; Yadav, V.K. Traditional and Hybrid Encryption Techniques: A Survey. In Networking Communication and Data Knowledge Engineering; Springer: Singapore, 2018; pp. 239–248.
  14. Bhatti, J.; Humphreys, T.E. Hostile control of ships via false GPS signals: Demonstration and detection. Navig. J. Inst. Navig. 2017, 64, 51–66.
  15. Zhang, L.; Wu, W.L. Differential fault analysis on SMS4. Chin. J.-Comput.-Chin. Ed. 2006, 29, 1596.
  16. Baksi, A.; Bhasin, S.; Breier, J.; Jap, D.; Saha, D. A Survey On Fault Attacks On Symmetric Key Cryptosystems. ACM Comput. Surv. 2022, 29, 1596.
  17. Zhang, X.; Wei, Y.; Li, L. New Countermeasures Against Differential Fault Attacks. In Proceedings of the International Conference on Internet of Things and Intelligent Applications (ITIA), Zhenjiang, China, 27–29 November 2020; pp. 1–5.
  18. Abdelghani, T. Implementation of Defense in Depth Strategy to Secure Industrial Control System in Critical Infrastructures. Am. J. Artif. Intell. 2019, 3, 17–22.
  19. Saarinen, M.-J.O. A Lightweight ISA Extension for AES and SM4. arXiv 2020, arXiv:2002.07041.
  20. Kazlauskas, K.; Kazlauskas, J. Key-Dependent S-Box Generation in AES Block Cipher System. Informatica 2009, 20, 23–24.
  21. Wang, X.; Çavuşoğlu, Ü.; Kacar, S.; Akgul, A.; Pham, V.-T.; Jafari, S.; Alsaadi, F.E.; Nguyen, X.Q. S-Box Based Image Encryption Application Using a Chaotic System without Equilibrium. Appl. Sci. 2019, 9, 781.
  22. Mirza, M.; Osindero, S. Conditional generative adversarial nets. arXiv 2014, arXiv:1411.1784.
  23. Gulrajani, I.; Ahmed, F.; Arjovsky, M.; Dumoulin, V.; Courville, A. Improved training of wasserstein GANs. arXiv 2017, arXiv:1704.00028v3.
  24. Bejo, A.; Adji, T.B. The replacement of irreducible polynomial and affine mapping for the construction of a strong S-box. Nonlinear Dyn. 2018, 93, 2105–2118.
  25. Lee, I. Internet of Things (IoT) Cybersecurity: Literature Review and IoT Cyber Risk Management. Future Internet 2020, 12, 157.
  26. Arifin, B.; Ross, E.; Brodsky, Y. Data security in a ship detection and Identification System. In Proceedings of the 5th International Conference on Recent Advances in Space Technologies—RAST2011, Istanbul, Turkey, 9–11 June 2011; pp. 634–636.
Figure 1. CPS network structure of an intelligent ship.
Figure 2. Principle of SM4 encryption algorithm.
Figure 3. WGAN-GP structure.
Figure 4. Combined transform.
Figure 5. Security conceptual figure of intelligent ship CPS.
Figure 6. Generate one of S-boxes.
Figure 7. Comparison of DFA effect before and after applying the optimization scheme.
Table 1. WGAN-GP model parameters.

| Item 1 | Item 2 |
|---|---|
| Convolution layers of generator/discriminator | 3/3 |
| Filter, kernel and step of generator | 128, 2, 2/64, 2, 2/1, 2, 2 |
| Filter, kernel and step of discriminator | 64, 3, 2/128, 3, 2/256, 3, 2 |
| Lr of generator/discriminator | 0.0001/0.0001 |
| Optimizer of generator | SGD (lr = 0.0001, momentum = 0.0, decay = 0.0, nesterov = False) |
| Optimizer of discriminator | SGD (lr = 0.0001, momentum = 0.0, decay = 0.0, nesterov = False) |
| Iterations of generator in single round epoch | 3 |
| Iterations of discriminator in single epoch | 1 |
| BatchSize | 64 |
| Epoch | 5000 |
Table 2. Experimental environment parameter settings.

| Item | Parameter |
|---|---|
| OS | Win10 professional |
| CPU | Intel(R) Core(TM) i7-6700HQ |
| GPU | NVIDIA GeForce GTX 960M |
| TensorFlow | 2.8.0 |
| CUDA/CuDNN | CUDA v11.6/CuDNN v8.3.3 |
Table 3. Cryptography performance analysis of generated S-boxes.

| S-Box | $N_F$ | $\delta_F$ | $\deg_F$ | Strict Avalanche Distance |
|---|---|---|---|---|
| SM4 | 112 | 4/256 | 7 | 6~8 |
| S-box 1 | 102 | 10/256 | 7 | 8~12 |
| S-box 2 | 104 | 6/256 | 7 | 6~12 |
| S-box 3 | 102 | 10/256 | 7 | 8~10 |
Table 4. Comparison of ciphertext using different S-boxes.

| S-box | Data Frame Plaintext | Data Frame Ciphertext | Information Entropy |
|---|---|---|---|
| SM4 | 01 06 00 32 29 f9 | 6307237438457ae0cab724aed7af5aef 3f01f6c050d50d78e7f3f8d3c7639530 | 4.87802 |
| S-box 1 | 01 06 00 32 29 f9 | 0c1c2d7e0acf2e65ed8a9db87675b563 76a44b7f5e31f2b9edc7b1a5c411e562 | 5.26455 |
| S-box 2 | 01 06 00 32 29 f9 | 0301702e9475f982954bd52b18f83ef7 ad41fe64e575b617d64fe53cbaf49d29 | 5.26888 |
| S-box 3 | 01 06 00 32 29 f9 | c700dd5f80f9e08ff7d0380deca97724 b28dda1891e423ec03d2e4fae24469af | 4.99667 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Zeng, H.; Wang, T.; Zhang, J.; Li, D.; Shang, D. A Novel Encryption Scheme in Ship Remote Control against Differential Fault Attack. Appl. Sci. 2022, 12, 8278. https://doi.org/10.3390/app12168278

AMA Style

Zeng H, Wang T, Zhang J, Li D, Shang D. A Novel Encryption Scheme in Ship Remote Control against Differential Fault Attack. Applied Sciences. 2022; 12(16):8278. https://doi.org/10.3390/app12168278

Chicago/Turabian Style

Zeng, Hong, Tianjian Wang, Jundong Zhang, Dehao Li, and Di Shang. 2022. "A Novel Encryption Scheme in Ship Remote Control against Differential Fault Attack" Applied Sciences 12, no. 16: 8278. https://doi.org/10.3390/app12168278