The SM4 Block Cipher Algorithm And Its Modes Of Operations

Authors: Ribose, Suite 1111, 1 Pedder Street, Central, Hong Kong (ronald.tse@ribose.com, https://www.ribose.com); Hang Seng Management College, Hang Shin Link, Siu Lek Yuen, Shatin, New Territories, Hong Kong (wongwk@hsmc.edu.hk, https://www.hsmc.edu.hk)
This document describes the SM4 symmetric blockcipher algorithm
published as GB/T 32907-2016 by the Organization of State Commercial
Administration of China (OSCCA).
SM4 is a cryptographic standard issued by the
Organization of State Commercial Administration of China as an
authorized cryptographic algorithm for use within China. The
algorithm is publicly published.
SM4 is a symmetric encryption algorithm, specifically a blockcipher,
designed for data encryption.
This document does not aim to introduce a new algorithm, but to
provide a clear and open description of the SM4 algorithm in English,
and also to serve as a stable reference for IETF documents that utilize
this algorithm.
While this document is similar to in nature,
is a textual translation of "SMS4" published in 2006, and this
document follows the updated text and structure of .
Sections 1 to 7 of this document are intentionally mapped to the
corresponding sections 1 to 7 of the standard for the
convenience of the reader.
The "SMS4" algorithm (the former name of SM4) was invented by
Shu-Wang Lu , first published in 2003 as part of
, then published independently in 2006 by OSCCA,
officially renamed to "SM4" in 2012 in published by OSCCA,
and finally standardized in 2016 as a Chinese National Standard (GB Standard)
.
SMS4 was originally created for use in protecting wireless networks ,
and is mandated in the Chinese National Standard for Wireless LAN WAPI (Wired
Authentication and Privacy Infrastructure) . A proposal
was made to adopt SMS4 into the IEEE 802.11i standard, but the algorithm
was eventually not included due to concerns that it would introduce
interoperability problems with existing ciphers.
The latest SM4 standard was proposed by OSCCA,
standardized through TC 260 of the Standardization Administration of the
People's Republic of China (SAC), and was drafted by the following
individuals at the Data Assurance and Communication Security Research
Center (DAS Center) of the Chinese Academy of Sciences, the China
Commercial Cryptography Testing Center and the Beijing Academy of
Information Science & Technology (BAIST):
- Shu-Wang Lu
- Dai-Wai Li
- Kai-Yong Deng
- Chao Zhang
- Peng Luo
- Zhong Zhang
- Fang Dong
- Ying-Ying Mao
- Zhen-Hua Liu

SM4 (and SMS4) has prevalent hardware implementations , due to its being the only OSCCA-approved symmetric encryption
algorithm allowed for use in China.
SM4 can be used with multiple modes (See ).
A number of attacks have been attempted on SM4, such as , but there are no known feasible attacks against the
SM4 algorithm at the time of publishing this document.
There are, however, security concerns with regard to side-channel attacks
when the SM4 algorithm is implemented in a device .
For instance, illustrated an attack that measures the power
consumption of the device: a chosen-ciphertext attack, assuming a fixed
correlation between the sub-keys and the data mask, is able to recover the round
key. When the SM4 algorithm is implemented in hardware, the
parameters/keys SHOULD be randomly generated without such a fixed correlation.
There have been improvements to the hardware embodiment of SM4 such as
that may resist such attacks.
In order to improve security of the SM4 cryptographic process, secure white-box
implementations such as have been proposed. Speed enhancements,
such as , have also been proposed.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted
as described in .
The following terms and definitions apply to this document.
- Bit-length of a message block.
- Bit-length of a key.
- An operation that converts a key into a round key.
- The number of iterations that the round function is run.
- A key used in each round of the blockcipher, derived from the input key, also called a subkey.
- A 32-bit quantity.
- The S (substitution) box function produces 8-bit output from 8-bit input, represented as Sbox(.).
- S xor T: bitwise exclusive-or of two 32-bit vectors S and T. S and T will always have the same length.
- a <<< i: 32-bit bitwise cyclic shift of the word a, with i bits shifted left.

The SM4 algorithm is a blockcipher, with a block size of 128 bits and a key
length of 128 bits.
Both encryption and key expansion use 32 rounds of a nonlinear key schedule
per block. Each round processes one of the four 32-bit words that constitute
the block.
The structure of encryption and decryption is identical, except that the round key
schedule has its order reversed during decryption.
Apart from an 8-bit S-box, the algorithm uses only exclusive-or, cyclic bit shifts and S-box
lookups to execute.
The encryption key is 128 bits long and is represented below, where each
MK_i (i = 0, 1, 2, 3) is a word.
MK = (MK_0, MK_1, MK_2, MK_3)
The round key schedule is derived from the encryption key, represented as below
where each rk_i (i = 0, ..., 31) is a word:
(rk_0, rk_1, ... , rk_31)
The system parameters used for key expansion are represented as FK, where
each FK_i (i = 0, ..., 3) is a word:
FK = (FK_0, FK_1, FK_2, FK_3)
The constant parameters used for key expansion are represented as CK, where
each CK_i (i = 0, ..., 31) is a word:
CK = (CK_0, CK_1, ... , CK_31)
Given the 128-bit input below, where each X_i is a 32-bit word:
(X_0, X_1, X_2, X_3)
And the round key rk is a 32-bit word:
The round function F is defined as:
F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk)
T is a reversible substitution function that outputs 32 bits from an input of 32 bits.
It consists of a non-linear transform tau and linear transform L.
T(.) = L(tau(.))
tau is composed of four parallel S-boxes.
Given a 32-bit input A, where each a_i is an 8-bit string:
A = (a_0, a_1, a_2, a_3)
The output is a 32-bit B, where each b_i is an 8-bit string:
B = (b_0, b_1, b_2, b_3)
B is calculated as follows:
(b_0, b_1, b_2, b_3) = tau(A)
tau(A) = (Sbox(a_0), Sbox(a_1), Sbox(a_2), Sbox(a_3))
The Sbox lookup table is shown here:
For example, input "EF" will produce an output read from the S-box table
row E and column F, giving the result Sbox(EF) = 84.
The output of non-linear transformation function tau is used as input
to linear transformation function L.
Given B, a 32-bit input:
L produces a 32-bit output C:
C = L(B)
L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24)
The encryption algorithm consists of 32 rounds and 1 reverse transform R.
Given a 128-bit plaintext input, where each X_i is a 32-bit word:
(X_0, X_1, X_2, X_3)
The output is a 128-bit ciphertext, where each Y_i is a 32-bit word:
(Y_0, Y_1, Y_2, Y_3)
Each round key is designated as rk_i, where each rk_i is a 32-bit word
and i = 0, 1, 2, ..., 31.
a. 32 rounds of calculation
i = 0, 1, ..., 31
X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i)
b. reverse transformation
(Y_0, Y_1, Y_2, Y_3) = R(X_32, X_33, X_34, X_35)
R(X_32, X_33, X_34, X_35) = (X_35, X_34, X_33, X_32)
Please refer to for a sample calculation.
Decryption uses the same process as encryption; the only difference is
the order of the round key sequence.
During decryption, the round key sequence is:
(rk_31, rk_30, ..., rk_0)
Round keys used during encryption are derived from the encryption key.
Specifically, given the encryption key MK, where each MK_i is a 32-bit
word:
MK = (MK_0, MK_1, MK_2, MK_3)
Each round key rk_i is created as follows, where i = 0, 1, ..., 31.
(K_0, K_1, K_2, K_3)
= (MK_0 xor FK_0, MK_1 xor FK_1, MK_2 xor FK_2, MK_3 xor FK_3)
rk_i = K_{i + 4}
K_{i + 4} = K_i xor T' (K_{i + 1} xor K_{i + 2} xor K_{i + 3} xor CK_i)
Since the decryption key is identical to the encryption key, the round keys
used in the decryption process are derived from the decryption key through
the same process as during encryption.
The transformation function T' is created from T by replacing the
linear transform function L with L'.
L'(B) = B xor (B <<< 13) xor (B <<< 23)
The system parameter FK, in hexadecimal notation, is:
FK_0 = A3B1BAC6
FK_1 = 56AA3350
FK_2 = 677D9197
FK_3 = B27022DC
The method to retrieve values from the constant parameter CK is as follows.
Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of CK_i.
Therefore, each ck_{i, j} is an 8-bit string, and each CK_i a 32-bit word.
CK_i = (ck_{i, 0}, ck_{i, 1}, ck_{i, 2}, ck_{i, 3})
ck_{i, j} = (4i + j) x 7 (mod 256)
The values of the constant parameters CK_i (i = 0, 1, ..., 31), in
hexadecimal, are:
This document defines multiple modes of operation for the SM4 blockcipher
algorithm.
The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB (Cipher
FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are defined in
and utilized with the SM4 algorithm in the following
sections.
Hereinafter we define:
- The SM4 algorithm that encrypts plaintext P with key K, described in
- The SM4 algorithm that decrypts ciphertext C with key K, described in
- Block size in bits, defined as 128 for SM4
- Block j of plaintext bitstring P
- Block j of ciphertext bitstring C
- Number of blocks of size b bits in bitstring B
- Initialization vector
- Least significant b bits of the bitstring S
- Most significant b bits of the bitstring S

The CBC, CFB and OFB modes require an additional input to the encryption process,
called the initialization vector (IV). The identical IV is used in the input
of encryption as well as the decryption of the corresponding ciphertext.
The IV MUST fulfill the following requirements for security:
- CBC, CFB modes. The IV for a particular execution must be unpredictable.
- OFB mode. Each execution must be given a unique IV.

In SM4-ECB, the same key is utilized to create a
fixed assignment for a plaintext block with a ciphertext block, meaning
that a given plaintext block always gets encrypted to the same ciphertext
block. As described in , this mode should be avoided if
this property is undesirable.
This mode requires input plaintext to be a multiple of the block size,
which in this case of SM4 it is 128-bits. It also allows multiple blocks
to be computed in parallel.
Inputs:
- P, plaintext, length MUST be a multiple of b
- K, SM4 128-bit encryption key
Output:
- C, ciphertext, length is a multiple of b
C is defined as follows.
Inputs:
- C, ciphertext, length MUST be a multiple of b
- K, SM4 128-bit encryption key
Output:
- P, plaintext, length is a multiple of b
P is defined as follows.
SM4-CBC is similar to SM4-ECB in that the input plaintext MUST be a multiple
of the block size, which is 128 bits in SM4. SM4-CBC requires
an additional input, the IV, that is unpredictable for a particular
execution of the encryption process.
Since each CBC encryption step relies on a forward cipher operation that depends on the result
of the previous operation, encryption cannot be parallelized. Decryption, however,
can be parallelized, since all ciphertext blocks are already available.
Inputs:
- P, plaintext, length MUST be a multiple of b
- K, SM4 128-bit encryption key
- IV, 128-bit, unpredictable, initialization vector
Output:
- C, ciphertext, length is a multiple of b
C is defined as follows.
Inputs:
- C, ciphertext, length MUST be a multiple of b
- K, SM4 128-bit encryption key
- IV, 128-bit, unpredictable, initialization vector
Output:
- P, plaintext, length is a multiple of b
P is defined as follows.
SM4-CFB relies on feedback provided by successive ciphertext segments to
generate output blocks. The plaintext given must be a multiple of the block
size.
Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for a particular
execution of the encryption process.
SM4-CFB further allows setting a positive integer parameter s, that is less than or
equal to the block size, to specify the size of each data segment. The same
segment size must be used in encryption and decryption.
In SM4-CFB, since the input block to each forward cipher function depends
on the output of the previous block (except the first, which depends on the IV),
encryption is not parallelizable. Decryption, however, can be parallelized.
SM4-CFB takes an integer s to determine the segment size in its encryption and
decryption routines. We define the following variants of SM4-CFB for
various s:
- SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1.
- SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8.
- SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64.
- SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128.
Inputs:
- P#, plaintext, length MUST be a multiple of s
- K, SM4 128-bit encryption key
- IV, 128-bit, unpredictable, initialization vector
- s, an integer 1 <= s <= b that defines the segment size
Output:
- C#, ciphertext, length is a multiple of s
C# is defined as follows.
Inputs:
- C#, ciphertext, length MUST be a multiple of s
- K, SM4 128-bit encryption key
- IV, 128-bit, unpredictable, initialization vector
- s, an integer 1 <= s <= b that defines the segment size
Output:
- P#, plaintext, length is a multiple of s
P# is defined as follows.
SM4-OFB is the application of SM4 through the Output Feedback mode.
This mode requires that the IV is a nonce, meaning that the IV MUST
be unique for each execution for an input key. OFB does not require the
input plaintext to be a multiple of the block size.
In OFB, the routines for encryption and decryption are identical. As
each forward cipher function (except the first) depends on previous
results, both routines cannot be parallelized. However given a known IV, output
blocks could be generated prior to the input of plaintext (encryption)
or ciphertext (decryption).
Inputs:
- P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
- K, SM4 128-bit encryption key
- IV, a nonce (a unique value for each execution per given key)
Output:
- C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
C is defined as follows.
Inputs:
- C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
- K, SM4 128-bit encryption key
- IV, the nonce used during encryption
Output:
- P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
P is defined as follows.
SM4-CTR is an implementation of a stream cipher through a block cipher
primitive. It generates a "keystream" of keys that are used to
encrypt successive blocks, with the keystream created from the input key,
a nonce (the IV) and an incremental counter. The counter could be any
sequence that does not repeat within the block size.
Both SM4-CTR encryption and decryption routines could be parallelized, and
random access is also possible.
Inputs:
- P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
- K, SM4 128-bit encryption key
- IV, a nonce (a unique value for each execution per given key)
- T, a sequence of counters from T_1 to T_n
Output:
- C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
C is defined as follows.
Inputs:
- C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
- K, SM4 128-bit encryption key
- IV, a nonce (a unique value for each execution per given key)
- T, a sequence of counters from T_1 to T_n
Output:
- P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
P is defined as follows.
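The following is a complete worked implementation of the cipher described in the preceding sections (key expansion with FK and CK, the round function F with T = L(tau(.)), the 32-round block encryption with the reverse transform R) together with the ECB, CBC, CFB, OFB and CTR modes defined above. It is an added example written for this page, not code from the draft or from the standard's authors. It assumes the standard SM4 S-box table (the page's own table did not survive extraction; the page's check Sbox(EF) = 84 holds for the table below), takes FK from the page, computes CK from the page's formula ck_{i,j} = (4i + j) x 7 (mod 256), restricts CFB to segment sizes that are multiples of 8 bits, and for CTR assumes the common convention of treating the IV as a 128-bit big-endian counter incremented by one per block. The page's appendix vector (plaintext and key both 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10, ciphertext 68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46) is reproduced by encrypt_block.

```python
# Added example: SM4 block cipher plus ECB/CBC/CFB/OFB/CTR modes. Not the draft's code.
# SBOX: standard GB/T 32907-2016 table (assumed; not on the extracted page).
# FK: from the page. CK: computed from the page's formula ck_{i,j} = (4i+j)*7 mod 256.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 % 256 for j in range(4)), "big")
           for i in range(32))
MASK = 0xFFFFFFFF

def rotl(x, n):                      # x <<< n on a 32-bit word
    return ((x << n) | (x >> (32 - n))) & MASK

def tau(a):                          # four parallel S-box lookups on the bytes of a
    return int.from_bytes(bytes(SBOX[c] for c in a.to_bytes(4, "big")), "big")

def T(x):                            # T = L(tau(.)), used in the round function F
    b = tau(x)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def T_prime(x):                      # T' = L'(tau(.)), used only in key expansion
    b = tau(x)
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def key_schedule(mk):                # rk_0..rk_31 from the 16-byte key MK
    k = [int.from_bytes(mk[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):              # K_{i+4} = K_i xor T'(K_{i+1} xor K_{i+2} xor K_{i+3} xor CK_i)
        k.append(k[i] ^ T_prime(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def crypt_block(block, rk):          # 32 rounds of F, then the reverse transform R
    x = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(32):              # X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i)
        x.append(x[i] ^ T(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[32:36]))

def encrypt_block(key, block):
    return crypt_block(block, key_schedule(key))

def decrypt_block(key, block):       # same rounds, round keys in reverse order
    return crypt_block(block, key_schedule(key)[::-1])

def xor(a, b):                       # truncates to the shorter input (partial last block)
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(data, size=16):
    return [data[i:i + size] for i in range(0, len(data), size)]

def ecb_encrypt(key, p):             # equal plaintext blocks give equal ciphertext blocks
    rk = key_schedule(key)
    return b"".join(crypt_block(b, rk) for b in blocks(p))

def ecb_decrypt(key, c):
    rk = key_schedule(key)[::-1]
    return b"".join(crypt_block(b, rk) for b in blocks(c))

def cbc_encrypt(key, iv, p):         # each block chained to the previous ciphertext block
    rk, prev, out = key_schedule(key), iv, []
    for b in blocks(p):
        prev = crypt_block(xor(b, prev), rk)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, c):         # parallelizable: every input block is already known
    rk, prev, out = key_schedule(key)[::-1], iv, []
    for b in blocks(c):
        out.append(xor(crypt_block(b, rk), prev))
        prev = b
    return b"".join(out)

def cfb_crypt(key, iv, data, seg, decrypt=False):  # seg = s/8 bytes; s a multiple of 8 (assumption)
    rk, reg, out = key_schedule(key), iv, []
    for p in blocks(data, seg):
        c = xor(p, crypt_block(reg, rk)[:seg])     # MSB_s of the forward cipher output
        out.append(c)
        reg = reg[seg:] + (p if decrypt else c)    # shift the ciphertext segment into the register
    return b"".join(out)

def ofb_crypt(key, iv, data):        # keystream block = E_K(previous keystream block); IV must be a nonce
    rk, reg, out = key_schedule(key), iv, []
    for chunk in blocks(data):
        reg = crypt_block(reg, rk)
        out.append(xor(chunk, reg))
    return b"".join(out)

def ctr_crypt(key, iv, data):        # assumption: T_j = IV + (j - 1) as a 128-bit big-endian counter
    rk, ctr, out = key_schedule(key), int.from_bytes(iv, "big"), []
    for chunk in blocks(data):
        out.append(xor(chunk, crypt_block(ctr.to_bytes(16, "big"), rk)))
        ctr = (ctr + 1) % (1 << 128)
    return b"".join(out)
```

OFB and CTR share one routine for encryption and decryption, and both accept a plaintext whose last block is shorter than b, as the mode definitions above allow; ECB, CBC and CFB expect inputs that are already a multiple of the block or segment size, as the definitions require. The page's second vector (1,000,000 repeated encryptions under the same key) can be reproduced by looping crypt_block with a precomputed round key list, though it takes a while in pure Python. Calling ecb_encrypt on two identical blocks shows the fixed plaintext-to-ciphertext mapping the ECB text warns about, and running ofb_crypt twice with the same IV shows why the OFB IV must be unique: the xor of the two ciphertexts equals the xor of the two plaintexts.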
The Object Identifier for SM4 is the value "1.2.156.10197.1.104", specified
in .
Products and services that utilize cryptography are regulated by OSCCA ;
they must be explicitly approved or certified by OSCCA before being allowed to
be sold or used in China.

SM4 is a blockcipher certified by OSCCA .
No formal proof of security is provided. There are no known feasible
attacks against the SM4 algorithm at the time of publishing this document.
On the other hand, there are security concerns with regard to
side-channel attacks when the SM4 algorithm is implemented in a
device . For instance, illustrated an attack
that measures the power consumption of the device: a chosen-ciphertext
attack, assuming a fixed correlation between the sub-keys and the data
mask, is able to recover the round key. When the SM4
algorithm is implemented in hardware, the parameters/keys SHOULD
be randomly generated without such a fixed correlation.

SM4 is a symmetric blockcipher algorithm with a key length of 128 bits. It is
considered an alternative to AES-128 .

SM4-OFB: The OFB mode requires a unique IV for every message that is ever encrypted under the given key. If, contrary to this requirement, the same IV is used for the encryption of more than one message, then the confidentiality of those messages may be compromised. In particular, if a plaintext block of any of these messages is known, say, the jth plaintext block, then the jth output of the forward cipher function can be determined easily from the jth ciphertext block of the message. This information allows the jth plaintext block of any other message that is encrypted using the same IV to be easily recovered from the jth ciphertext block of that message. Confidentiality may similarly be compromised if any of the input blocks to the forward cipher function for the encryption of a message is designated as the IV for the encryption of another message under the given key.

This document does not require any action by IANA.
This example demonstrates encryption of a plaintext.
Plaintext:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
Encryption key:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
Status of the round key (rk_i) and round output (X_i) per round:
Ciphertext:
68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46
This example demonstrates encryption of a plaintext 1,000,000 times repeatedly using a fixed encryption key.
Plaintext:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
Encryption Key:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
Ciphertext:
59 52 98 C7 C6 FD 27 1F 04 02 F8 04 C3 3D 3F 66
- GB/T 32907-2016: Information security technology -- SM4 block cipher algorithm. Standardization Administration of the People's Republic of China, No. 9 Madian Donglu, Haidian District, Beijing 100088, People's Republic of China. http://www.sac.gov.cn
- Information technology -- Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Specific requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Standardization Administration of the People's Republic of China, Beijing. http://www.sac.gov.cn
- GM/T 0002-2012: SM4 block cipher algorithm. Organization of State Commercial Administration of China, 7 Dian Chang Lu, Fengtai Qu, Beijing 100036, People's Republic of China. http://www.oscca.gov.cn
- GM/T 0006-2012: Cryptographic Application Identifier Criterion Specification. Organization of State Commercial Administration of China, Beijing. http://www.oscca.gov.cn
- Lv Shu Wang -- A life in cryptography. Xinhua Catalog.
- NIST FIPS 197: Advanced Encryption Standard (AES). National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8900, United States. http://www.nist.gov/
- NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation -- Methods and Techniques. National Institute of Standards and Technology, Gaithersburg, MD, United States. http://www.nist.gov/
- Organization of State Commercial Administration of China. 7 Dian Chang Lu, Fengtai Qu, Beijing 100036, People's Republic of China. http://www.oscca.gov.cn
- SMS4 Cryptographic Algorithm For Wireless LAN Products. Organization of State Commercial Administration of China, Beijing. http://www.oscca.gov.cn
- Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher. Center for Information Security Technologies (CIST), Korea University, Seoul, Republic of Korea (kimth714@cist.korea.ac.kr, joshep@cist.korea.ac.kr, hsh@cist.korea.ac.kr); Department of Mathematics, University of Seoul / Department of Mathematical Sciences, Seoul National University (jcsung@uos.ac.kr). http://gss.korea.edu/
- SMS4 Encryption Algorithm for Wireless Networks. Sun Microsystems, 4150 Network Circle, Santa Clara, CA 95054, United States of America (whitfielddiffie@gmail.com); Sonoma State University, Rohnert Park, CA 94928, United States of America (george.ledin@sonoma.edu). http://www.cs.sonoma.edu/
- Improvements of SM4 Algorithm and Application in Ethernet Encryption System Based on FPGA. Key Laboratory of Electronic Engineering, University of Heilongjiang, 74 Xuefu Road, Harbin, Heilongjiang 150080, People's Republic of China. http://www.hlju.edu.cn/
- High-speed Encryption & Decryption System Based on SM4. Binzhou Polytechnic, 391 Huanghe Road, Binzhou, Shandong 256600, People's Republic of China. http://www.bzu.edu.cn/
- Improved Linear Attacks on the Chinese Block Cipher Standard. Beijing International Center for Mathematical Research, Peking University, Beijing 100871 (http://www.bicmr.org); China Information Technology Security Evaluation Center, Beijing 100085, People's Republic of China (http://www.itsec.gov.cn).
- Improved chosen-plaintext power analysis attack against SM4 at the round-output. College of Information Security Engineering, Chengdu University of Information Technology, No. 24 Block 1, Xuefu Road, Chengdu 610225, China. http://www.cuit.edu.cn/
- A VLSI implementation of an SM4 algorithm resistant to power analysis. College of Information Science and Engineering, Hunan University, Changsha, Hunan 410082, People's Republic of China (http://www.hnu.edu.cn/); Department of Computer Science, SUNY New Paltz, 1 Hawk Drive, New Paltz, NY 12561, United States of America; Hunan Normal University, Changsha, Hunan 410081, People's Republic of China (http://www.hunnu.edu.cn/).
- A secure white-box SM4 implementation. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; Institute of Software, Chinese Academy of Sciences, No. 4 South Fourth Street, Zhong Guan Cun, Beijing 100190, People's Republic of China. http://www.is.cas.cn/
- Software Hardware Co-design for Side-Channel Analysis Platform on Security Chips. Tsinghua National Laboratory for Information Science and Technology, Tsinghua University, Haidian, Beijing 100190, People's Republic of China. http://www.sist.tsinghua.edu.cn/

The authors would like to thank the following persons for their valuable advice and input.
Jack Lloyd and Daniel Wyatt of the Ribose rnp team for their input and implementation