Crypto Forum Research Group                                       R. Tse
Internet-Draft                                                    Ribose
Intended status: Informational                                   W. Wong
Expires: April 21, 2018                     Hang Seng Management College
                                                        October 18, 2017

      The SM4 Block Cipher Algorithm And Its Modes Of Operations
                        draft-ribose-cfrg-sm4-02

Abstract

   This document describes the SM4 symmetric blockcipher algorithm
   published as GB/T 32907-2016 by the Organization of State Commercial
   Administration of China (OSCCA).

   This document is a product of the Crypto Forum Research Group (CFRG).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 21, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Purpose
     1.2.  History
     1.3.  Applications
     1.4.  Cryptanalysis
   2.  Terms and Definitions
   3.  Symbols And Abbreviations
   4.  Compute Structure
   5.  Key And Key Parameters
   6.  Functions
     6.1.  Round Function F
     6.2.  Permutation T and T'
       6.2.1.  Non-linear Transformation tau
       6.2.2.  Linear Transformation L and L'
       6.2.3.  S-box S
   7.  Algorithm
     7.1.  Encryption
     7.2.  Decryption
     7.3.  Key Schedule
       7.3.1.  Family Key FK
       7.3.2.  Constant Key CK
   8.  Modes of Operation
     8.1.  Variables And Primitives
     8.2.  Initialization Vectors
     8.3.  SM4-ECB
       8.3.1.  SM4-ECB Encryption
       8.3.2.  SM4-ECB Decryption
     8.4.  SM4-CBC
       8.4.1.  SM4-CBC Encryption
       8.4.2.  SM4-CBC Decryption
     8.5.  SM4-CFB
       8.5.1.  SM4-CFB Variants
       8.5.2.  SM4-CFB Encryption
       8.5.3.  SM4-CFB Decryption
     8.6.  SM4-OFB
       8.6.1.  SM4-OFB Encryption
       8.6.2.  SM4-OFB Decryption
     8.7.  SM4-CTR
       8.7.1.  SM4-CTR Encryption
       8.7.2.  SM4-CTR Decryption
   9.  Object Identifier
     9.1.  GM/T OID
     9.2.  ISO OID
   10.  Security Considerations
   11.  IANA Considerations
   12.  Appendix A: Example Calculations
     12.1.  Examples From GB/T 32907-2016
       12.1.1.  Example 1
       12.1.2.  Example 2
     12.2.  Examples For Various Modes Of Operations
       12.2.1.  SM4-ECB Example
       12.2.2.  SM4-CBC Example
       12.2.3.  SM4-OFB Example
       12.2.4.  SM4-CFB Example
       12.2.5.  SM4-CTR Example
   13.  References
     13.1.  Normative References
     13.2.  Informative References
   Appendix A.  Acknowledgements
   Authors' Addresses

1.  Introduction

   SM4 [GBT.32907-2016] [ISO.IEC.18033-3.AMD2] is a cryptographic
   standard issued by the Organization of State Commercial
   Administration of China [OSCCA] as an authorized cryptographic
   algorithm for use within China.  The algorithm is published openly.

   SM4 is a symmetric encryption algorithm, specifically a blockcipher,
   designed for data encryption.

1.1.
Purpose

   This document does not aim to introduce a new algorithm, but to
   provide a clear and open description of the SM4 algorithm in English,
   and also to serve as a stable reference for IETF documents that
   utilize this algorithm.

   While this document is similar to [SM4-En] in nature, [SM4-En] is a
   textual translation of the "SMS4" algorithm [SM4] published in 2006,
   while this document follows the updated description and structure of
   [GBT.32907-2016] published in 2016.  Sections 1 to 7 of this document
   map directly to the corresponding section numbers of the
   [GBT.32907-2016] standard for the convenience of the reader.

   This document also provides additional information on the practical
   usage and implementation of SM4, specifying multiple modes of
   operation that are known to be used with SM4 and providing the SM4
   OIDs.

1.2.  History

   The "SMS4" algorithm (the former name of SM4) was invented by
   Shu-Wang Lu [LSW-Bio], first published in 2003 as part of
   [GB.15629.11-2003], then published independently in 2006 [SM4] by the
   OSCCA, officially renamed to "SM4" in 2012 in [GMT-0002-2012]
   published by the OSCCA, and finally standardized in 2016 as a Chinese
   National Standard (GB Standard) [GBT.32907-2016].  SM4 was also
   standardized in [ISO.IEC.18033-3.AMD2] by the International
   Organization for Standardization in 2017.

   SMS4 was originally created for use in protecting wireless networks
   [SM4], and is mandated in the Chinese National Standard for Wireless
   LAN WAPI (Wired Authentication and Privacy Infrastructure)
   [GB.15629.11-2003].  A proposal was made to adopt SMS4 into the IEEE
   802.11i standard, but the algorithm was eventually not included due
   to concerns about interoperability with existing ciphers.
   The latest SM4 standard [GBT.32907-2016] was proposed by the OSCCA,
   standardized through TC 260 of the Standardization Administration of
   the People's Republic of China (SAC), and was drafted by the
   following individuals at the Data Assurance and Communication
   Security Research Center (DAS Center) of the Chinese Academy of
   Sciences, the China Commercial Cryptography Testing Center and the
   Beijing Academy of Information Science & Technology (BAIST):

   o  Shu-Wang Lu

   o  Dai-Wai Li

   o  Kai-Yong Deng

   o  Chao Zhang

   o  Peng Luo

   o  Zhong Zhang

   o  Fang Dong

   o  Ying-Ying Mao

   o  Zhen-Hua Liu

1.3.  Applications

   SM4 (and SMS4) has prevalent hardware implementations [SM4-FPGA]
   [SM4-VLSI], as it is the only OSCCA-approved symmetric encryption
   algorithm allowed for use in China.

   SM4 can be used with multiple modes of operation (see Section 8).

1.4.  Cryptanalysis

   A number of attacks have been attempted on SM4, such as
   [SM4-Analysis] [SM4-Linear], but there are no known feasible attacks
   against the SM4 algorithm at the time of publishing this document.

   There are, however, security concerns with regard to side-channel
   attacks [SideChannel] when the SM4 algorithm is implemented in a
   hardware device [SM4-Power].

   For instance, [SM4-Power] illustrated an attack that measures the
   power consumption of the device.  A chosen-ciphertext attack,
   assuming a fixed correlation between the round keys and the data
   mask, is able to recover the round key successfully.  When the SM4
   algorithm is implemented in hardware, the parameters and keys SHOULD
   be randomly generated without fixed correlation.

   There have been improvements to the hardware embodiment design for
   SM4, such as [SM4-VLSI], that may resist such attacks.

   In order to improve the security of the SM4 cryptographic process,
   secure white-box implementations such as [SM4-WhiteBox] have been
   proposed.
   Speed enhancements, such as [SM4-HiSpeed], have also been proposed.

2.  Terms and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The following terms and definitions apply to this document.

   block length
      Bit-length of a message block.

   key length
      Bit-length of a key.

   key expansion algorithm
      An operation that converts a key into a round key.

   rounds
      The number of iterations that the round function is run.

   round key
      A key used in each round of the blockcipher, derived from the
      input key, also called a subkey.

   word
      A 32-bit quantity.

   S-box
      The S (substitution) box function produces 8-bit output from 8-bit
      input, represented as S(.).

3.  Symbols And Abbreviations

   S xor T
      Bitwise exclusive-or of two 32-bit vectors S and T.  S and T will
      always have the same length.

   a <<< i
      32-bit bitwise cyclic shift of a, with i bits shifted left.

4.  Compute Structure

   The SM4 algorithm is a blockcipher, with a block size of 128 bits and
   a key length of 128 bits.

   Both encryption and key expansion use 32 rounds of a nonlinear key
   schedule per block.  Each round processes one of the four 32-bit
   words that constitute the block.

   The structures of encryption and decryption are identical, except
   that the round key schedule has its order reversed during decryption.

   Using an 8-bit S-box, it only uses exclusive-or, cyclic bit shifts
   and S-box lookups to execute.

5.  Key And Key Parameters

   The encryption key length is 128 bits, and is represented below,
   where each MK_i (i = 0, 1, 2, 3) is 32 bits wide.

      MK = (MK_0, MK_1, MK_2, MK_3)

   The round key schedule is derived from the encryption key,
   represented as below where each rk_i (i = 0, ..., 31) is a word:

      (rk_0, rk_1, ...
      , rk_31)

   The family key used for key expansion is represented as FK, where
   each FK_i (i = 0, ..., 3) is a word:

      FK = (FK_0, FK_1, FK_2, FK_3)

   The constant key used for key expansion is represented as CK, where
   each CK_i (i = 0, ..., 31) is a word:

      CK = (CK_0, CK_1, ... , CK_31)

6.  Functions

6.1.  Round Function F

   The round function F is defined as:

      F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk)

   Where:

   o  Each X_i is 32 bits wide.

   o  The round key rk is 32 bits wide.

6.2.  Permutation T and T'

   T is a reversible permutation that outputs 32 bits from an input of
   32 bits.

   It consists of a non-linear transform tau and a linear transform L.

      T(.) = L(tau(.))

   The permutation T' is created from T by replacing the linear
   transform function L with L'.

      T'(.) = L'(tau(.))

6.2.1.  Non-linear Transformation tau

   tau is composed of four parallel S-boxes.

   Given a 32-bit input A, where each a_i is an 8-bit string:

      A = (a_0, a_1, a_2, a_3)

   The output is a 32-bit B, where each b_i is an 8-bit string:

      B = (b_0, b_1, b_2, b_3)

   B is calculated as follows:

      (b_0, b_1, b_2, b_3) = tau(A)

      tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3))

6.2.2.  Linear Transformation L and L'

   The output of the non-linear transformation function tau is used as
   input to the linear transformation function L.

   Given B, a 32-bit input, the linear transformation L is defined as
   follows.

      L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24)

   The linear transformation L' is defined as follows.

      L'(B) = B xor (B <<< 13) xor (B <<< 23)

6.2.3.
S-box S

   The S-box S used in tau is given in this lookup table in hexadecimal
   form:

        |  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
     ---|------------------------------------------------
      0 | D6 90 E9 FE CC E1 3D B7 16 B6 14 C2 28 FB 2C 05
      1 | 2B 67 9A 76 2A BE 04 C3 AA 44 13 26 49 86 06 99
      2 | 9C 42 50 F4 91 EF 98 7A 33 54 0B 43 ED CF AC 62
      3 | E4 B3 1C A9 C9 08 E8 95 80 DF 94 FA 75 8F 3F A6
      4 | 47 07 A7 FC F3 73 17 BA 83 59 3C 19 E6 85 4F A8
      5 | 68 6B 81 B2 71 64 DA 8B F8 EB 0F 4B 70 56 9D 35
      6 | 1E 24 0E 5E 63 58 D1 A2 25 22 7C 3B 01 21 78 87
      7 | D4 00 46 57 9F D3 27 52 4C 36 02 E7 A0 C4 C8 9E
      8 | EA BF 8A D2 40 C7 38 B5 A3 F7 F2 CE F9 61 15 A1
      9 | E0 AE 5D A4 9B 34 1A 55 AD 93 32 30 F5 8C B1 E3
      A | 1D F6 E2 2E 82 66 CA 60 C0 29 23 AB 0D 53 4E 6F
      B | D5 DB 37 45 DE FD 8E 2F 03 FF 6A 72 6D 6C 5B 51
      C | 8D 1B AF 92 BB DD BC 7F 11 D9 5C 41 1F 10 5A D8
      D | 0A C1 31 88 A5 CD 7B BD 2D 74 D0 12 B8 E5 B4 B0
      E | 89 69 97 4A 0C 96 77 7E 65 B9 F1 09 C5 6E C6 84
      F | 18 F0 7D EC 3A DC 4D 20 79 EE 5F 3E D7 CB 39 48

   For example, input "EF" will produce an output read from the S-box
   table row E and column F, giving the result S(EF) = 84.

7.  Algorithm

7.1.  Encryption

   The encryption algorithm consists of 32 rounds and 1 reverse
   transform R.

   Given a 128-bit plaintext input, where each X_i is a 32-bit word:

      (X_0, X_1, X_2, X_3)

   The output is a 128-bit ciphertext, where each Y_i is a 32-bit word:

      (Y_0, Y_1, Y_2, Y_3)

   Each round key is designated as rk_i, where each rk_i is a 32-bit
   word and i = 0, 1, 2, ..., 31.

   a.  32 rounds of calculation

         i = 0, 1, ..., 31

         X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i)

   b.  reverse transformation

         (Y_0, Y_1, Y_2, Y_3) = R(X_32, X_33, X_34, X_35)

         R(X_32, X_33, X_34, X_35) = (X_35, X_34, X_33, X_32)

   Please refer to Section 12 for sample calculations.

7.2.
Decryption

   Decryption follows an identical process to encryption, with the only
   difference being the order of the round key sequence.

   During decryption, the round key sequence is:

      (rk_31, rk_30, ..., rk_0)

7.3.  Key Schedule

   Round keys used during encryption are derived from the encryption
   key.

   Specifically, given the encryption key MK, where each MK_i is 32 bits
   wide:

      MK = (MK_0, MK_1, MK_2, MK_3)

   Each round key rk_i is created as follows, where i = 0, 1, ..., 31.

      (K_0, K_1, K_2, K_3) = (MK_0 xor FK_0, MK_1 xor FK_1, MK_2 xor FK_2,
                              MK_3 xor FK_3)

      rk_i = K_{i + 4}

      K_{i + 4} = K_i xor T'(K_{i + 1} xor K_{i + 2} xor K_{i + 3} xor
                             CK_i)

   Since the decryption key is identical to the encryption key, the
   round keys used in the decryption process are derived from the
   decryption key through the same process as during encryption.

7.3.1.  Family Key FK

   The family key FK, given in hexadecimal notation, is:

      FK_0 = A3B1BAC6   FK_1 = 56AA3350   FK_2 = 677D9197   FK_3 = B27022DC

7.3.2.  Constant Key CK

   The method to retrieve values from the constant key CK is as follows.

   Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of
   CK_i.

   Therefore, each ck_{i, j} is an 8-bit string, and each CK_i a 32-bit
   word.
      CK_i = (ck_{i, 0}, ck_{i, 1}, ck_{i, 2}, ck_{i, 3})

      ck_{i, j} = (4i + j) x 7 (mod 256)

   The values of the constant key CK_i, where (i = 0, 1, ..., 31), in
   hexadecimal, are:

      CK_0  = 00070E15   CK_16 = C0C7CED5
      CK_1  = 1C232A31   CK_17 = DCE3EAF1
      CK_2  = 383F464D   CK_18 = F8FF060D
      CK_3  = 545B6269   CK_19 = 141B2229
      CK_4  = 70777E85   CK_20 = 30373E45
      CK_5  = 8C939AA1   CK_21 = 4C535A61
      CK_6  = A8AFB6BD   CK_22 = 686F767D
      CK_7  = C4CBD2D9   CK_23 = 848B9299
      CK_8  = E0E7EEF5   CK_24 = A0A7AEB5
      CK_9  = FC030A11   CK_25 = BCC3CAD1
      CK_10 = 181F262D   CK_26 = D8DFE6ED
      CK_11 = 343B4249   CK_27 = F4FB0209
      CK_12 = 50575E65   CK_28 = 10171E25
      CK_13 = 6C737A81   CK_29 = 2C333A41
      CK_14 = 888F969D   CK_30 = 484F565D
      CK_15 = A4ABB2B9   CK_31 = 646B7279

8.  Modes of Operation

   This document defines multiple modes of operation for the SM4
   blockcipher algorithm.

   The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB
   (Cipher FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are
   defined in [NIST.SP.800-38A] and utilized with the SM4 algorithm in
   the following sections.

8.1.  Variables And Primitives

   Hereinafter we define:

   SM4Encrypt(P, K)
      The SM4 algorithm that encrypts plaintext P with key K, described
      in Section 7.1

   SM4Decrypt(C, K)
      The SM4 algorithm that decrypts ciphertext C with key K, described
      in Section 7.2

   b
      block size in bits, defined as 128 for SM4

   P_j
      block j of plaintext bitstring P

   C_j
      block j of ciphertext bitstring C

   NBlocks(B, b)
      Number of blocks of size b bits in bitstring B

   IV
      Initialization vector

   LSB(b, S)
      Least significant b bits of the bitstring S

   MSB(b, S)
      Most significant b bits of the bitstring S

8.2.  Initialization Vectors

   The CBC, CFB and OFB modes require an additional input to the
   encryption process, called the initialization vector (IV).
   The identical IV is used in the input of encryption as well as the
   decryption of the corresponding ciphertext.

   Generation of IV values MUST take into account the considerations in
   Section 10 recommended by [BC-EVAL].

8.3.  SM4-ECB

   In SM4-ECB, the same key is utilized to create a fixed assignment of
   a plaintext block to a ciphertext block, meaning that a given
   plaintext block always gets encrypted to the same ciphertext block.
   As described in [NIST.SP.800-38A], this mode should be avoided if
   this property is undesirable.

   This mode requires the input plaintext to be a multiple of the block
   size, which for SM4 is 128 bits.  It also allows multiple blocks to
   be computed in parallel.

8.3.1.  SM4-ECB Encryption

   Inputs:

   o  P, plaintext, length MUST be a multiple of b

   o  K, SM4 128-bit encryption key

   Output:

   o  C, ciphertext, length is a multiple of b

   C is defined as follows.

      n = NBlocks(P, b)

      for i = 1 to n
         C_i = SM4Encrypt(P_i, K)
      end for

      C = C_1 || ... || C_n

8.3.2.  SM4-ECB Decryption

   Inputs:

   o  C, ciphertext, length MUST be a multiple of b

   o  K, SM4 128-bit encryption key

   Output:

   o  P, plaintext, length is a multiple of b

   P is defined as follows.

      n = NBlocks(C, b)

      for i = 1 to n
         P_i = SM4Decrypt(C_i, K)
      end for

      P = P_1 || ... || P_n

8.4.  SM4-CBC

   SM4-CBC is similar to SM4-ECB in that the input plaintext MUST be a
   multiple of the block size, which is 128 bits in SM4.  SM4-CBC
   requires an additional input, the IV, that is unpredictable for a
   particular execution of the encryption process.

   Since CBC encryption relies on a forward cipher operation that
   depends on the result of the previous operation, it cannot be
   parallelized.  However, for decryption, since all ciphertext blocks
   are already available, CBC decryption can be parallelized.

8.4.1.
SM4-CBC Encryption

   Inputs:

   o  P, plaintext, length MUST be a multiple of b

   o  K, SM4 128-bit encryption key

   o  IV, 128-bit, unpredictable, initialization vector

   Output:

   o  C, ciphertext, length is a multiple of b

   C is defined as follows.

      n = NBlocks(P, b)

      C_1 = SM4Encrypt(P_1 xor IV, K)

      for i = 2 to n
         C_i = SM4Encrypt(P_i xor C_{i - 1}, K)
      end for

      C = C_1 || ... || C_n

8.4.2.  SM4-CBC Decryption

   Inputs:

   o  C, ciphertext, length MUST be a multiple of b

   o  K, SM4 128-bit encryption key

   o  IV, 128-bit, unpredictable, initialization vector

   Output:

   o  P, plaintext, length is a multiple of b

   P is defined as follows.

      n = NBlocks(C, b)

      P_1 = SM4Decrypt(C_1, K) xor IV

      for i = 2 to n
         P_i = SM4Decrypt(C_i, K) xor C_{i - 1}
      end for

      P = P_1 || ... || P_n

8.5.  SM4-CFB

   SM4-CFB relies on feedback provided by successive ciphertext segments
   to generate output blocks.  The plaintext given must be a multiple of
   the block size.

   Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for
   a particular execution of the encryption process.

   SM4-CFB further allows setting a positive integer parameter s, less
   than or equal to the block size, to specify the size of each data
   segment.  The same segment size must be used in encryption and
   decryption.

   In SM4-CFB, since the input block to each forward cipher function
   depends on the output of the previous block (except the first, which
   depends on the IV), encryption is not parallelizable.  Decryption,
   however, can be parallelized.

8.5.1.  SM4-CFB Variants

   SM4-CFB takes an integer s to determine the segment size in its
   encryption and decryption routines.  We define the following variants
   of SM4-CFB for various s:

   o  SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1.

   o  SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8.
   o  SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64.

   o  SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128.

8.5.2.  SM4-CFB Encryption

   Inputs:

   o  P#, plaintext, length MUST be a multiple of s

   o  K, SM4 128-bit encryption key

   o  IV, 128-bit, unpredictable, initialization vector

   o  s, an integer 1 <= s <= b that defines the segment size

   Output:

   o  C#, ciphertext, length is a multiple of s

   C# is defined as follows.  Each input block I_i is the previous input
   block shifted left by s bits with the previous ciphertext segment
   appended, so the segments must be produced in order.

      n = NBlocks(P#, s)

      I_1 = IV
      for i = 1 to n
         O_i = SM4Encrypt(I_i, K)
         C#_i = P#_i xor MSB(s, O_i)
         I_{i + 1} = LSB(b - s, I_i) || C#_i
      end for

      C# = C#_1 || ... || C#_n

8.5.3.  SM4-CFB Decryption

   Inputs:

   o  C#, ciphertext, length MUST be a multiple of s

   o  K, SM4 128-bit encryption key

   o  IV, 128-bit, unpredictable, initialization vector

   o  s, an integer 1 <= s <= b that defines the segment size

   Output:

   o  P#, plaintext, length is a multiple of s

   P# is defined as follows.  Note that decryption also uses the forward
   cipher SM4Encrypt, with the ciphertext segments fed back.

      n = NBlocks(C#, s)

      I_1 = IV
      for i = 1 to n
         O_i = SM4Encrypt(I_i, K)
         P#_i = C#_i xor MSB(s, O_i)
         I_{i + 1} = LSB(b - s, I_i) || C#_i
      end for

      P# = P#_1 || ... || P#_n

8.6.  SM4-OFB

   SM4-OFB is the application of SM4 through the Output Feedback mode.
   This mode requires that the IV is a nonce, meaning that the IV MUST
   be unique for each execution under a given input key.  OFB does not
   require the input plaintext to be a multiple of the block size.

   In OFB, the routines for encryption and decryption are identical.  As
   each forward cipher function (except the first) depends on previous
   results, neither routine can be parallelized.  However, given a known
   IV, output blocks can be generated prior to the input of plaintext
   (encryption) or ciphertext (decryption).

8.6.1.
SM4-OFB Encryption

   Inputs:

   o  P, plaintext, composed of (n - 1) blocks of size b, with the last
      block P_n of size 1 <= u <= b

   o  K, SM4 128-bit encryption key

   o  IV, a nonce (a unique value for each execution per given key)

   Output:

   o  C, ciphertext, composed of (n - 1) blocks of size b, with the last
      block C_n of size 1 <= u <= b

   C is defined as follows.

      n = NBlocks(P, b)

      I_1 = IV
      for i = 1 to n
         O_i = SM4Encrypt(I_i, K)
         I_{i + 1} = O_i
      end for

      for i = 1 to (n - 1)
         C_i = P_i xor O_i
      end for

      C_n = P_n xor MSB(u, O_n)

      C = C_1 || ... || C_n

8.6.2.  SM4-OFB Decryption

   Inputs:

   o  C, ciphertext, composed of (n - 1) blocks of size b, with the last
      block C_n of size 1 <= u <= b

   o  K, SM4 128-bit encryption key

   o  IV, the nonce used during encryption

   Output:

   o  P, plaintext, composed of (n - 1) blocks of size b, with the last
      block P_n of size 1 <= u <= b

   P is defined as follows.

      n = NBlocks(C, b)

      I_1 = IV
      for i = 1 to n
         O_i = SM4Encrypt(I_i, K)
         I_{i + 1} = O_i
      end for

      for i = 1 to (n - 1)
         P_i = C_i xor O_i
      end for

      P_n = C_n xor MSB(u, O_n)

      P = P_1 || ... || P_n

8.7.  SM4-CTR

   SM4-CTR is an implementation of a stream cipher through a block
   cipher primitive.  It generates a "keystream" of keys that are used
   to encrypt successive blocks, with the keystream created from the
   input key, a nonce (the IV) and an incremental counter.  The counter
   could be any sequence that does not repeat within the block size.

   Both the SM4-CTR encryption and decryption routines can be
   parallelized, and random access is also possible.

8.7.1.
SM4-CTR Encryption

   Inputs:

   o  P, plaintext, composed of (n - 1) blocks of size b, with the last
      block P_n of size 1 <= u <= b

   o  K, SM4 128-bit encryption key

   o  IV, a nonce (a unique value for each execution per given key)

   o  T, a sequence of counters from T_1 to T_n

   Output:

   o  C, ciphertext, composed of (n - 1) blocks of size b, with the last
      block C_n of size 1 <= u <= b

   C is defined as follows.

      n = NBlocks(P, b)

      for i = 1 to n
         O_i = SM4Encrypt(T_i, K)
      end for

      for i = 1 to (n - 1)
         C_i = P_i xor O_i
      end for

      C_n = P_n xor MSB(u, O_n)

      C = C_1 || ... || C_n

8.7.2.  SM4-CTR Decryption

   Inputs:

   o  C, ciphertext, composed of (n - 1) blocks of size b, with the last
      block C_n of size 1 <= u <= b

   o  K, SM4 128-bit encryption key

   o  IV, a nonce (a unique value for each execution per given key)

   o  T, a sequence of counters from T_1 to T_n

   Output:

   o  P, plaintext, composed of (n - 1) blocks of size b, with the last
      block P_n of size 1 <= u <= b

   P is defined as follows.

      n = NBlocks(C, b)

      for i = 1 to n
         O_i = SM4Encrypt(T_i, K)
      end for

      for i = 1 to (n - 1)
         P_i = C_i xor O_i
      end for

      P_n = C_n xor MSB(u, O_n)

      P = P_1 || ... || P_n

9.  Object Identifier

   The Object Identifier for SM4 is identified through these OIDs.

9.1.  GM/T OID

   "1.2.156.10197.1.104" for "SM4 Algorithm" [GMT-0006-2012].

9.2.  ISO OID

   "1.0.18033.3.2.4" for "id-bc128-sm4" [ISO.IEC.18033-3.AMD2],
   described below.

      is18033-3 OID ::= {iso(1) standard(0) is18033(18033) part3(3)}
      id-bc128 OID ::= {is18033-3 block-cipher-128-bit(2)}
      id-bc128-sm4 OID ::= {id-bc128 sm4(4)}

10.  Security Considerations

   o  Products and services that utilize cryptography are regulated by
      the OSCCA [OSCCA]; they must be explicitly approved or certified
      by the OSCCA before being allowed to be sold or used in China.
   o  SM4 is a blockcipher symmetric algorithm with a key length of 128
      bits.  It is considered as an alternative to AES-128
      [NIST.FIPS.197].

   o  SM4 [GBT.32907-2016] is a blockcipher certified by the OSCCA
      [OSCCA].  No formal proof of security is provided.  There are no
      known feasible attacks against the SM4 algorithm at the time of
      publishing this document, but there are security concerns with
      regard to side-channel attacks when the SM4 algorithm is
      implemented in hardware.  See Section 1.4 for more details.

   o  The IV does not have to be secret.  The IV itself, or criteria
      sufficient to determine it, MAY be transmitted with the
      ciphertext.

   o  SM4-ECB: ECB is one of the four original modes defined for DES.
      With its problem well known to "leak quite a large amount of
      information" [BC-EVAL], it SHOULD NOT be used in most cases.

   o  SM4-CBC, SM4-CFB, SM4-OFB: CBC, CFB and OFB are IV-based modes of
      operation originally defined for DES.

      When using these modes of operation, the IV SHOULD be random to
      preserve message confidentiality [BC-EVAL].  It is shown in the
      same document that CBC, CFB, OFB, and the variants #CBC and #CFB
      that utilize the recommendation of [NIST.SP.800-38A] to make CBC
      and CFB nonce-based, are SemCPA secure as probabilistic encryption
      schemes.

      Various attack scenarios have been described in [BC-EVAL] and
      these modes SHOULD NOT be used unless for compatibility reasons.

   o  SM4-CTR: CTR is considered to be the "best" mode of operation
      within [NIST.SP.800-38A] as it is considered SemCPA secure as a
      nonce-based encryption scheme, providing provable-security
      guarantees as good as the classic modes of operation (ECB, CBC,
      CFB, OFB) [BC-EVAL].

      Users with no need of authenticity, non-malleability and chosen-
      ciphertext (CCA) security MAY utilize this mode of operation
      [BC-EVAL].

11.  IANA Considerations

   This document does not require any action by IANA.

12.
Appendix A: Example Calculations

12.1.  Examples From GB/T 32907-2016

12.1.1.  Example 1

   This is example 1 provided by [GBT.32907-2016] to demonstrate
   encryption of a plaintext.

   Plaintext:      01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Encryption key: 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Status of the round key (rk_i) and round output (X_i) per round:

      rk_0  = F12186F9   X_4  = 27FAD345
      rk_1  = 41662B61   X_5  = A18B4CB2
      rk_2  = 5A6AB19A   X_6  = 11C1E22A
      rk_3  = 7BA92077   X_7  = CC13E2EE
      rk_4  = 367360F4   X_8  = F87C5BD5
      rk_5  = 776A0C61   X_9  = 33220757
      rk_6  = B6BB89B3   X_10 = 77F4C297
      rk_7  = 24763151   X_11 = 7A96F2EB
      rk_8  = A520307C   X_12 = 27DAC07F
      rk_9  = B7584DBD   X_13 = 42DD0F19
      rk_10 = C30753ED   X_14 = B8A5DA02
      rk_11 = 7EE55B57   X_15 = 907127FA
      rk_12 = 6988608C   X_16 = 8B952B83
      rk_13 = 30D895B7   X_17 = D42B7C59
      rk_14 = 44BA14AF   X_18 = 2FFC5831
      rk_15 = 104495A1   X_19 = F69E6888
      rk_16 = D120B428   X_20 = AF2432C4
      rk_17 = 73B55FA3   X_21 = ED1EC85E
      rk_18 = CC874966   X_22 = 55A3BA22
      rk_19 = 92244439   X_23 = 124B18AA
      rk_20 = E89E641F   X_24 = 6AE7725F
      rk_21 = 98CA015A   X_25 = F4CBA1F9
      rk_22 = C7159060   X_26 = 1DCDFA10
      rk_23 = 99E1FD2E   X_27 = 2FF60603
      rk_24 = B79BD80C   X_28 = EFF24FDC
      rk_25 = 1D2115B0   X_29 = 6FE46B75
      rk_26 = 0E228AEB   X_30 = 893450AD
      rk_27 = F1780C81   X_31 = 7B938F4C
      rk_28 = 428D3654   X_32 = 536E4246
      rk_29 = 62293496   X_33 = 86B3E94F
      rk_30 = 01CF72E5   X_34 = D206965E
      rk_31 = 9124A012   X_35 = 681EDF34

   Ciphertext:     68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46

12.1.2.  Example 2

   This example is provided by [GBT.32907-2016] to demonstrate
   encryption of a plaintext 1,000,000 times repeatedly, using a fixed
   encryption key.
   Plaintext:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Encryption Key:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Ciphertext:

   59 52 98 C7 C6 FD 27 1F 04 02 F8 04 C3 3D 3F 66

12.2.  Examples For Various Modes Of Operations

   The following examples can be verified using open-source
   cryptographic libraries including:

   o  the Botan cryptographic library [BOTAN] with SM4 support, and

   o  the OpenSSL Cryptography and SSL/TLS Toolkit [OPENSSL] with SM4
      support

12.2.1.  SM4-ECB Example

   Plaintext:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Encryption Key:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Ciphertext:

   68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46

12.2.2.  SM4-CBC Example

   Plaintext:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Encryption Key:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   IV:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Ciphertext:

   26 77 F4 6B 09 C1 22 CC 97 55 33 10 5B D4 A2 2A
   F6 12 5F 72 75 CE 55 2C 3A 2B BC F5 33 DE 8A 3B

12.2.3.  SM4-OFB Example

   Plaintext:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Encryption Key:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   IV:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Ciphertext:

   69 3D 9A 53 5B AD 5B B1 78 6F 53 D7 25 3A 70 56
   F2 07 5D 28 B5 23 5F 58 D5 00 27 E4 17 7D 2B CE

12.2.4.  SM4-CFB Example

   Plaintext:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Encryption Key:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   IV:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Ciphertext:

   69 3D 9A 53 5B AD 5B B1 78 6F 53 D7 25 3A 70 56
   9E D2 58 A8 5A 04 67 CC 92 AA B3 93 DD 97 89 95

12.2.5.  SM4-CTR Example

   Plaintext:

   AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB
   CC CC CC CC CC CC CC CC DD DD DD DD DD DD DD DD
   EE EE EE EE EE EE EE EE FF FF FF FF FF FF FF FF
   EE EE EE EE EE EE EE EE AA AA AA AA AA AA AA AA

   Encryption Key:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   IV:

   01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10

   Ciphertext:

   C2 B4 75 9E 78 AC 3C F4 3D 08 52 F4 E8 D5 F9 FD
   72 56 E8 A5 FC B6 5A 35 0E E0 06 30 91 2E 44 49
   2A 0B 17 E1 B8 5B 06 0D 0F BA 61 2D 8A 95 83 16
   38 B3 61 FD 5F FA CD 94 2F 08 14 85 A8 3C A3 5D

13.  References

13.1.  Normative References

   [GBT.32907-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32907-2016: Information security technology
              -- SM4 block cipher algorithm", August 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

13.2.  Informative References

   [BC-EVAL]  Rogaway, P., "Evaluation of Some Blockcipher Modes of
              Operation", February 2011.

   [BOTAN]    Lloyd, J., "Botan: Crypto and TLS for C++11", October
              2017.
   [GB.15629.11-2003]
              Standardization Administration of the People's Republic of
              China, "Information technology -- Telecommunications and
              information exchange between systems -- Local and
              metropolitan area networks -- Specific requirements --
              Part 11: Wireless LAN Medium Access Control (MAC) and
              Physical Layer (PHY) Specifications", May 2003.

   [GMT-0002-2012]
              Organization of State Commercial Administration of China,
              "GM/T 0002-2012: SM4 block cipher algorithm", March 2012.

   [GMT-0006-2012]
              Organization of State Commercial Administration of China,
              "GM/T 0006-2012: Cryptographic Application Identifier
              Criterion Specification", March 2012.

   [ISO.IEC.18033-3.AMD2]
              International Organization for Standardization, "ISO/IEC
              WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block
              ciphers -- Amendment 2", June 2017.

   [LSW-Bio]  Sun, M., "Lv Shu Wang -- A life in cryptography", November
              2010.

   [NIST.FIPS.197]
              National Institute of Standards and Technology, "NIST FIPS
              197: Advanced Encryption Standard (AES)", November 2001.

   [NIST.SP.800-38A]
              Dworkin, M., "NIST Special Publication 800-38A:
              Recommendation for Block Cipher Modes of Operation --
              Methods and Techniques", December 2001.

   [OPENSSL]  OpenSSL Software Foundation, "OpenSSL: Cryptography and
              SSL/TLS Toolkit", October 2017.

   [OSCCA]    Organization of State Commercial Administration of China,
              "Organization of State Commercial Administration of
              China", May 2017.

   [SideChannel]
              Lei, Q., Wu, L., Zhang, S., Zhang, X., Li, X., Pan, L.,
              and Z. Dong, "Software Hardware Co-design for Side-Channel
              Analysis Platform on Security Chips", December 2015.

   [SM4]      Organization of State Commercial Administration of China,
              "SMS4 Cryptographic Algorithm For Wireless LAN Products",
              January 2006.

   [SM4-Analysis]
              Kim, T., Kim, J., Kim, S., and J. Sung, "Linear and
              Differential Cryptanalysis of Reduced SMS4 Block Cipher",
              June 2008.

   [SM4-En]   Diffie, W. and G. Ledin, "SMS4 Encryption Algorithm for
              Wireless Networks", May 2008.

   [SM4-FPGA]
              Cheng, H., Zhai, S., Fang, L., Ding, Q., and C. Huang,
              "Improvements of SM4 Algorithm and Application in Ethernet
              Encryption System Based on FPGA", July 2014.

   [SM4-HiSpeed]
              Lv, Q., Li, L., and Y. Cao, "High-speed Encryption &
              Decryption System Based on SM4", July 2016.

   [SM4-Linear]
              Liu, M. and J. Chen, "Improved Linear Attacks on the
              Chinese Block Cipher Standard", November 2014.

   [SM4-Power]
              Du, Z., Wu, Z., Wang, M., and J. Rao, "Improved chosen-
              plaintext power analysis attack against SM4 at the round-
              output", October 2015.

   [SM4-VLSI]
              Yu, S., Li, K., Li, K., Qin, Y., and Z. Tong, "A VLSI
              implementation of an SM4 algorithm resistant to power
              analysis", July 2016.

   [SM4-WhiteBox]
              Bai, K. and C. Wu, "A secure white-box SM4
              implementation", May 2008.

Appendix A.  Acknowledgements

   The authors would like to thank the following persons for their
   valuable advice and input.

   o  Erick Borsboom for assisting the lengthy review of this document

   o  Jack Lloyd and Daniel Wyatt of the Ribose rnp team for their input
      and implementation

Authors' Addresses

   Ronald Henry Tse
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   Hong Kong

   Email: ronald.tse@ribose.com
   URI:   https://www.ribose.com

   Dr. Wai Kit Wong
   Hang Seng Management College
   Hang Shin Link, Siu Lek Yuen
   Shatin, New Territories
   Hong Kong

   Email: wongwk@hsmc.edu.hk
   URI:   https://www.hsmc.edu.hk