idnits 2.17.1 draft-ribose-cfrg-sm4-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 15, 2017) is 2322 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Research Task Force R. Tse 3 Internet-Draft Ribose 4 Intended status: Informational W. Wong 5 Expires: June 18, 2018 Hang Seng Management College 6 December 15, 2017 8 The SM4 Blockcipher Algorithm And Its Modes Of Operations 9 draft-ribose-cfrg-sm4-08 11 Abstract 13 This document describes the SM4 symmetric blockcipher algorithm 14 published as GB/T 32907-2016 by the State Cryptography Administration 15 of China (SCA). 17 This document is a product of the Crypto Forum Research Group (CFRG). 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on June 18, 2018. 36 Copyright Notice 38 Copyright (c) 2017 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (https://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 51 1.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . 4 52 1.2. History . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 5 54 3. Symbols And Abbreviations . . . . . . . . . . . . . . . . . . 6 55 4. Compute Structure . . . . . . . . . . . . . . . . . . . . . . 6 56 5. Key And Key Parameters . . . . . . . . . . . . . . . . . . . 7 57 6. Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 7 58 6.1. Round Function F . . . . . . . . . . . . . . . . . . . . 7 59 6.2. Permutations T and T' . . . . . . . . . . . . . . . . . . 7 60 6.2.1. Nonlinear Transformation tau . . . . . . . . . . . . 8 61 6.2.2. Linear Transformations L and L' . . . . . . . . . . . 8 62 6.2.3. S-box S . . . . . . . . . . . . . . . . . . . . . . . 8 63 7. Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 7.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . 9 65 7.2. Decryption . . . . . . . . . . . . . . . . . . . . . . . 12 66 7.3. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 12 67 7.3.1. Family Key FK . . . . . . . . . . . . . . . . . . . . 13 68 7.3.2. Constant Key CK . . . . . . . . . . . . . . . . . . . 13 69 8. Modes of Operation . . . . . . . . . . . . . . . . . . . . . 14 70 8.1. Variables And Primitives . . . . . . . . . . . . . . . . 14 71 8.2. Initialization Vectors . . . . . . . . . . . . . . . . . 15 72 8.3. SM4-ECB . . . . . . . . . . . . . . . . . . . . . . . . . 15 73 8.3.1. SM4-ECB Encryption . . . . . . . . . . . . . . . . . 15 74 8.3.2. SM4-ECB Decryption . . . . . . . . . . . . . . . . . 16 75 8.4. SM4-CBC . . . . . . . . . . . . . . . . . . . . . . . . . 16 76 8.4.1. SM4-CBC Encryption . . . . . . . . . . . . . . . . . 17 77 8.4.2. SM4-CBC Decryption . . . . . . . . . . . . . . . . . 17 78 8.5. SM4-CFB . . . . . . . . . . . . . . . . . . . . . . . . . 18 79 8.5.1. SM4-CFB Variants . . . . . . . . . . . . . . . . . . 18 80 8.5.2. SM4-CFB Encryption . . . . . . . . . . . . . . . . . 19 81 8.5.3. SM4-CFB Decryption . . . . . . . . . . . . . . . . . 19 82 8.6. SM4-OFB . . . . . . . . . . . . . . . . . . . . . . . . . 20 83 8.6.1. SM4-OFB Encryption . . . . . . . . . . . . . . . . . 20 84 8.6.2. SM4-OFB Decryption . . . . . . . . . . . . . . . . . 21 85 8.7. SM4-CTR . . . . . . . . . . . . . . . . . . . . . . . . . 22 86 8.7.1. SM4-CTR Encryption . . . . . . . . . . . . . . . . . 22 87 8.7.2. SM4-CTR Decryption . . . . . . . . . . . . . . . . . 23 88 9. Object Identifier . . . . . . . . . . . . . . . . . . . . . . 24 89 9.1. GM/T OID . . . . . . . . . . . . . . . . . . . . . . . . 24 90 9.2. ISO OID . . . . . . . . . . . . . . . . . . . . . . . . . 24 91 10. Design Considerations . . . . . . . . . . . . . . . . . . . . 24 92 10.1. Basic Transformation . . . . . . . . . . . . . . . . . . 24 93 10.2. Nonlinear Transformation . . . . . . . . . . . . . . . . 25 94 10.2.1. S-box Algebraic Expression . . . . . . . . . . . . . 25 95 10.2.2. Algebraic Degree And Distribution Of Terms . . . . . 26 96 10.2.3. Differential Distribution . . . . . . . . . . . . . 27 97 10.2.4. Nonlinearity . . . . . . . . . . . . . . . . . . . . 28 98 10.2.5. Maximum Linearity Advantage . . . . . . . . . . . . 28 99 10.2.6. Balance . . . . . . . . . . . . . . . . . . . . . . 28 100 10.2.7. Completness and Avalanche Effect . . . . . . . . . . 29 101 10.3. Linear Transform . . . . . . . . . . . . . . . . . . . . 29 102 10.4. Key Expansion Algorithm . . . . . . . . . . . . . . . . 30 103 11. Cryptanalysis Results . . . . . . . . . . . . . . . . . . . . 31 104 11.1. Differential Cryptanalysis . . . . . . . . . . . . . . . 31 105 11.2. Linear Cryptanalysis . . . . . . . . . . . . . . . . . . 32 106 11.3. Multi-dimensional Linear Cryptanalysis . . . . . . . . . 32 107 11.4. Impossible Differential Cryptanalysis . . . . . . . . . 32 108 11.5. Zero-correlation Linear Cryptanalysis . . . . . . . . . 33 109 11.6. Integral Cryptanalysis . . . . . . . . . . . . . . . . . 33 110 11.7. Algebraic Attacks . . . . . . . . . . . . . . . . . . . 33 111 11.8. Matrix Attacks . . . . . . . . . . . . . . . . . . . . . 33 112 11.9. Provable Security Against Differential And Linear 113 Cryptanalysis . . . . . . . . . . . . . . . . . . . . . 34 114 11.10. Provable Security Against Related-Key Differential 115 Cryptanalysis . . . . . . . . . . . . . . . . . . . . . 34 116 11.11. Summary of SM4 Cryptanalytic Attacks . . . . . . . . . . 35 117 12. Security Considerations . . . . . . . . . . . . . . . . . . . 36 118 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 119 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 38 120 14.1. Normative References . . . . . . . . . . . . . . . . . . 38 121 14.2. Informative References . . . . . . . . . . . . . . . . . 38 122 Appendix A. Appendix A: Example Calculations . . . . . . . . . . 44 123 A.1. Examples From GB/T 32907-2016 . . . . . . . . . . . . . . 44 124 A.1.1. Example 1 (GB/T 32907-2016 Example 1 Encryption) . . 44 125 A.1.2. Example 2 (GB/T 32907-2016 Example 1 Decryption) . . 45 126 A.1.3. Example 3 (GB/T 32907-2016 Example 2 Encryption) . . 46 127 A.1.4. Example 4 . . . . . . . . . . . . . . . . . . . . . . 47 128 A.1.5. Example 5 . . . . . . . . . . . . . . . . . . . . . . 48 129 A.1.6. Example 6 . . . . . . . . . . . . . . . . . . . . . . 49 130 A.2. Examples For Various Modes Of Operations . . . . . . . . 50 131 A.2.1. SM4-ECB Examples . . . . . . . . . . . . . . . . . . 50 132 A.2.1.1. Example 1 . . . . . . . . . . . . . . . . . . . . 50 133 A.2.1.2. Example 2 . . . . . . . . . . . . . . . . . . . . 50 134 A.2.2. SM4-CBC Examples . . . . . . . . . . . . . . . . . . 51 135 A.2.2.1. Example 1 . . . . . . . . . . . . . . . . . . . . 51 136 A.2.2.2. Example 2 . . . . . . . . . . . . . . . . . . . . 51 137 A.2.3. SM4-OFB Examples . . . . . . . . . . . . . . . . . . 52 138 A.2.3.1. Example 1 . . . . . . . . . . . . . . . . . . . . 52 139 A.2.3.2. Example 2 . . . . . . . . . . . . . . . . . . . . 52 140 A.2.4. SM4-CFB Examples . . . . . . . . . . . . . . . . . . 52 141 A.2.4.1. Example 1 . . . . . . . . . . . . . . . . . . . . 53 142 A.2.4.2. Example 2 . . . . . . . . . . . . . . . . . . . . 53 143 A.2.5. SM4-CTR Examples . . . . . . . . . . . . . . . . . . 53 144 A.2.5.1. Example 1 . . . . . . . . . . . . . . . . . . . . 53 145 A.2.5.2. Example 2 . . . . . . . . . . . . . . . . . . . . 54 146 Appendix B. Sample Implementation In C . . . . . . . . . . . . . 55 147 B.1. sm4.h . . . . . . . . . . . . . . . . . . . . . . . . . . 55 148 B.2. sm4.c . . . . . . . . . . . . . . . . . . . . . . . . . . 55 149 B.3. sm4_main.c . . . . . . . . . . . . . . . . . . . . . . . 59 150 B.4. print.c and print.h . . . . . . . . . . . . . . . . . . . 64 151 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 65 152 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65 154 1. Introduction 156 SM4 [GBT.32907-2016] [ISO.IEC.18033-3.AMD2] is a cryptographic 157 standard issued by the State Cryptography Administration (SCA) of 158 China [SCA] (formerly the Office of State Commercial Cryptography 159 Administration, OSCCA) as an authorized cryptographic algorithm for 160 the use within China. The algorithm is published in public. 162 SM4 is a symmetric encryption algorithm, specifically a blockcipher, 163 designed for data encryption. 165 1.1. Purpose 167 This document does not aim to introduce a new algorithm, but to 168 provide a clear and open description of the SM4 algorithm in English, 169 and also to serve as a stable reference for IETF documents that 170 utilize this algorithm. 172 While this document is similar to [SM4-En] in nature, [SM4-En] is a 173 textual translation of the "SMS4" algorithm [SM4] published in 2006. 174 Instead, this document follows the updated description and structure 175 of [GBT.32907-2016] published in 2016. Sections 1 to 7 of this 176 document directly map to the corresponding sections numbers of the 177 [GBT.32907-2016] standard for convenience of the reader. 179 This document also provides additional information on the design 180 considerations of the SM4 algorithm [SM4-Details], its modes of 181 operations that are currently being used (see Section 8), and the 182 offical SM4 OIDs (see Section 9). 184 1.2. History 186 The "SMS4" algorithm (the former name of SM4) was invented by Shu- 187 Wang Lu [LSW-Bio]. It was first published in 2003 as part of 188 [GB.15629.11-2003], then published independently in 2006 by SCA 189 (OSCCA at that time) [SM4], published as an industry cryptographic 190 standard and renamed to "SM4" in 2012 by SCA (OSCCA at that time) 191 [GMT-0002-2012], and finally formalized in 2016 as a Chinese National 192 Standard (GB Standard) [GBT.32907-2016]. SM4 has also been 193 standardized in [ISO.IEC.18033-3.AMD2] by the International 194 Organization for Standardization in 2017. 196 SMS4 was originally created for use in protecting wireless networks 197 [SM4], and is mandated in the Chinese National Standard for Wireless 198 LAN WAPI (Wired Authentication and Privacy Infrastructure) 199 [GB.15629.11-2003]. A proposal was made to adopt SMS4 into the IEEE 200 802.11i standard, but the algorithm was eventually not included due 201 to concerns of introducing inoperability with existing ciphers. 203 The latest SM4 standard [GBT.32907-2016] was proposed by the SCA 204 (OSCCA at that time), standardized through TC 260 of the 205 Standardization Administration of the People's Republic of China 206 (SAC), and was drafted by the following individuals at the Data 207 Assurance and Communication Security Research Center (DAS Center) of 208 the Chinese Academy of Sciences, the China Commercial Cryptography 209 Testing Center and the Beijing Academy of Information Science & 210 Technology (BAIST): 212 o Shu-Wang Lu 214 o Dai-Wai Li 216 o Kai-Yong Deng 218 o Chao Zhang 220 o Peng Luo 222 o Zhong Zhang 224 o Fang Dong 226 o Ying-Ying Mao 228 o Zhen-Hua Liu 230 2. Terms and Definitions 232 The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*", 233 "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*MAY*", 234 and "*OPTIONAL*" in this document are to be interpreted as described 235 in [RFC2119]. 237 The following terms and definitions apply to this document. 239 block length 240 Bit-length of a message block. 242 key length 243 Bit-length of a key. 245 key expansion algorithm 246 An operation that converts a key into a round key. 248 rounds 249 The number of iterations that the round function is run. 251 round key 252 A key used in each round on the blockcipher, derived from the 253 input key, also called a subkey. 255 word 256 a 32-bit quantity 258 S-box 259 The S (substitution) box function produces 8-bit output from 8-bit 260 input, represented as S(.) 262 3. Symbols And Abbreviations 264 S xor T 265 bitwise exclusive-or of two 32-bit vectors S and T. S and T will 266 always have the same length. 268 a <<< i 269 32-bit bitwise cyclic shift on a with i bits shifted left. 271 4. Compute Structure 273 The SM4 algorithm is a blockcipher, with block size of 128 bits and a 274 key length of 128 bits. 276 Both encryption and key expansion use 32 rounds of a nonlinear key 277 schedule per block. Each round processes one of the four 32-bit 278 words that constitute the block. 280 The structure of encryption and decryption are identical, except that 281 the round key schedule has its order reversed during decryption. 283 Using a 8-bit S-box, it only uses exclusive-or, cyclic bit shifts and 284 S-box lookups to execute. 286 5. Key And Key Parameters 288 The SM4 encryption key is 128 bits long and represented below, where 289 each MK_i, (i = 0, 1, 2, 3) is 32 bits long. 291 MK = (MK_0, MK_1, MK_2, MK_3) 293 The round key schedule is derived from the encryption key, 294 represented as below where each rk_i (i = 0, ..., 31) is 32 bits 295 long: 297 (rk_0, rk_1, ... , rk_31) 299 The family key used for key expansion is represented as FK, where 300 each FK_i (i = 0, ..., 3) is 32 bits long: 302 FK = (FK_0, FK_1, FK_2, FK_3) 304 The constant key used for key expansion is represented as CK, where 305 each CK_i (i = 0, ..., 31) is 32 bits long: 307 CK = (CK_0, CK_1, ... , CK_31) 309 6. Functions 311 6.1. Round Function F 313 The round function F is defined as: 315 F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk) 317 Where: 319 o Each $$X_i$ is 32-bit wide. 321 o The round key rk is 32-bit wide. 323 6.2. Permutations T and T' 325 T is a reversible permutation that outputs 32 bits from a 32-bit 326 input. 328 It consists of a nonlinear transform tau and linear transform L. 330 T(.) = L(tau(.)) 332 The permutation T' is created from T by replacing the linear 333 transform function L with L'. 335 T'(.) = L'(tau(.)) 337 6.2.1. Nonlinear Transformation tau 339 tau is composed of four parallel S-boxes. 341 Given a 32-bit input A, where each a_i is a 8-bit string: 343 A = (a_0, a_1, a_2, a_3) 345 The output is a 32-bit B, where each b_i is a 8-bit string: 347 B = (b_0, b_1, b_2, b_3) 349 B is calculated as follows: 351 (b_0, b_1, b_2, b_3) = tau(A) 353 tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3)) 355 6.2.2. Linear Transformations L and L' 357 The output of nonlinear transformation function tau is used as input 358 to linear transformation function L. 360 Given B, a 32-bit input. 362 The linear transformation L' is defined as follows. 364 L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24) 366 The linear transformation L' is defined as follows. 368 L'(B) = B xor (B <<< 13) xor (B <<< 23) 370 6.2.3. S-box S 372 The S-box S used in nonlinear transformation tau is given in the 373 lookup table shown in Figure 1 with hexadecimal values. 375 | 0 1 2 3 4 5 6 7 8 9 A B C D E F 376 ---|------------------------------------------------- 377 0 | D6 90 E9 FE CC E1 3D B7 16 B6 14 C2 28 FB 2C 05 378 1 | 2B 67 9A 76 2A BE 04 C3 AA 44 13 26 49 86 06 99 379 2 | 9C 42 50 F4 91 EF 98 7A 33 54 0B 43 ED CF AC 62 380 3 | E4 B3 1C A9 C9 08 E8 95 80 DF 94 FA 75 8F 3F A6 381 4 | 47 07 A7 FC F3 73 17 BA 83 59 3C 19 E6 85 4F A8 382 5 | 68 6B 81 B2 71 64 DA 8B F8 EB 0F 4B 70 56 9D 35 383 6 | 1E 24 0E 5E 63 58 D1 A2 25 22 7C 3B 01 21 78 87 384 7 | D4 00 46 57 9F D3 27 52 4C 36 02 E7 A0 C4 C8 9E 385 8 | EA BF 8A D2 40 C7 38 B5 A3 F7 F2 CE F9 61 15 A1 386 9 | E0 AE 5D A4 9B 34 1A 55 AD 93 32 30 F5 8C B1 E3 387 A | 1D F6 E2 2E 82 66 CA 60 C0 29 23 AB 0D 53 4E 6F 388 B | D5 DB 37 45 DE FD 8E 2F 03 FF 6A 72 6D 6C 5B 51 389 C | 8D 1B AF 92 BB DD BC 7F 11 D9 5C 41 1F 10 5A D8 390 D | 0A C1 31 88 A5 CD 7B BD 2D 74 D0 12 B8 E5 B4 B0 391 E | 89 69 97 4A 0C 96 77 7E 65 B9 F1 09 C5 6E C6 84 392 F | 18 F0 7D EC 3A DC 4D 20 79 EE 5F 3E D7 CB 39 48 394 Figure 1: SM4 S-box Values 396 For example, input "EF" will produce an output read from the S-box 397 table row E and column F, giving the result S(EF) = 84. 399 7. Algorithm 401 7.1. Encryption 403 The encryption algorithm consists of 32 rounds and 1 reverse 404 transform R. 406 Given a 128-bit plaintext input, where each X_i is 32-bit wide: 408 (X_0, X_1, X_2, X_3) 410 The output is a 128-bit ciphertext, where each Y_i is 32-bit wide: 412 (Y_0, Y_1, Y_2, Y_3) 414 Each round key is designated as rk_i, where each rk_i is 32-bit wide 415 and i = 0, 1, 2, ..., 31. 417 a. 32 rounds of calculation 419 i = 0, 1, ..., 31 421 X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i) 422 b. reverse transformation 424 (Y_0, Y_1, Y_2, Y_3) = R(X_32, X_33, X_34, X_35) 426 R(X_32, X_33, X_34, X_35) = (X_35, X_34, X_33, X_32) 428 Please refer to Appendix A for sample calculations. 430 A flow of the calculation is given in Figure 2. 432 128-bits plaintext 433 \___________________________/ 434 | 435 v 436 X_0 X_1 X_2 X_3 437 | | | | 438 v v v v 439 +---------------------------+ 440 Round 1 | Round Function | <--rk_0 441 +---------------------------+ 442 | | | | 443 X_1 X_2 X_3 X_4 444 | | | | 445 v v v v 446 +---------------------------+ 447 Round 2 | Round Function | <--rk_1 448 +---------------------------+ 449 | | | | 450 X_2 X_3 X_4 X_5 451 | | | | 452 v v v v 453 ... 455 X_31 X_32 X_33 X_34 456 | | | | 457 v v v v 458 +---------------------------+ 459 Round 32 | Round Function | <--rk_31 460 +---------------------------+ 461 | | | | 462 X_32 X_33 X_34 X_35 463 | | | | 464 v v v v 465 +---------------------------+ 466 | Reverse Transformation R | 467 +---------------------------+ 468 | | | | 469 Y_0 Y_1 Y_2 Y_3 471 \___________________________/ 472 | 473 v 474 128-bits ciphertext 476 Figure 2: SM4 Encryption Flow 478 7.2. Decryption 480 Decryption takes an identical process as encryption, with the only 481 difference the order of the round key sequence. 483 During decryption, the round key sequence is: 485 (rk_31, rk_30, ..., rk_0) 487 7.3. Key Schedule 489 Round keys used during encryption are derived from the encryption 490 key. 492 Specifically, given the encryption key MK, where each MK_i is 32-bit 493 wide: 495 MK = (MK_0, MK_1, MK_2, MK_3) 497 Each round key rk_i is created as follows, where i = 0, 1, ..., 31. 499 (K_0, K_1, K_2, K_3) = 500 (MK_0 xor FK_0, MK_1 xor FK_1, MK_2 xor FK_2, MK_3 xor FK_3) 502 rk_i = K_{i + 4} 504 K_{i + 4} = 505 K_i xor T' (K_{i + 1} xor K_{i + 2} xor K_{i + 3} xor CK_i) 507 Since the decryption key is identical to the encryption key, the 508 round keys used in the decryption process are derived from the 509 decryption key through the identical process to that of during 510 encryption. 512 Figure 3 depicts the i-th round of SM4. 514 X_i rk_i X_{i+1} X_{i+2} X_{i+3} 515 | | | | | 516 | | | | | 517 | v | | | 518 +---+ +---+ +---+ | | | 519 | X | | | | X | <--+ | | 520 | O | <- | T | <- | O | <----------+ | 521 | R | | | | R | <------------------+ 522 +---+ +---+ +---+ | | | 523 | / / / 524 | / / / 525 | / / / 526 \--------------------------------------= 527 / / / \ 528 / / / | 529 /---------------/ / / | 530 | | | | 531 X_{i+1} X_{i+2} X_{i+3} X_{i+4} 533 Figure 3: SM4 Round Function For the i-th Round 535 7.3.1. Family Key FK 537 Family key FK given in hexadecimal notation, is: 539 FK_0 = A3B1BAC6 540 FK_1 = 56AA3350 541 FK_2 = 677D9197 542 FK_3 = B27022DC 544 7.3.2. Constant Key CK 546 The method to retrieve values from the constant key CK is as follows. 548 Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of 549 CK_i. 551 Therefore, each ck_{i, j} is a 8-bit string, and each CK_i a 32-bit 552 word. 554 CK_i = (ck_{i, 0}, ck_{i, 1}, ck_{i, 2}, ck_{i, 3}) 556 ck_{i, j} = (4i + j) x 7 (mod 256) 558 The values of the constant key CK_i, where (i = 0, 1, ..., 31), in 559 hexadecimal, are: 561 CK_0 = 00070E15 CK_16 = C0C7CED5 562 CK_1 = 1C232A31 CK_17 = DCE3EAF1 563 CK_2 = 383F464D CK_18 = F8FF060D 564 CK_3 = 545B6269 CK_19 = 141B2229 565 CK_4 = 70777E85 CK_20 = 30373E45 566 CK_5 = 8C939AA1 CK_21 = 4C535A61 567 CK_6 = A8AFB6BD CK_22 = 686F767D 568 CK_7 = C4CBD2D9 CK_23 = 848B9299 569 CK_8 = E0E7EEF5 CK_24 = A0A7AEB5 570 CK_9 = FC030A11 CK_25 = BCC3CAD1 571 CK_10 = 181F262D CK_26 = D8DFE6ED 572 CK_11 = 343B4249 CK_27 = F4FB0209 573 CK_12 = 50575E65 CK_28 = 10171E25 574 CK_13 = 6C737A81 CK_29 = 2C333A41 575 CK_14 = 888F969D CK_30 = 484F565D 576 CK_15 = A4ABB2B9 CK_31 = 646B7279 578 8. Modes of Operation 580 This document defines multiple modes of operation for the SM4 581 blockcipher algorithm. 583 The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB 584 (Cipher FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are 585 defined in [NIST.SP.800-38A] and utilized with the SM4 algorithm in 586 the following sections. 588 8.1. Variables And Primitives 590 Hereinafter we define: 592 SM4Encrypt(P, K) 593 The SM4 algorithm that encrypts plaintext P with key K, described 594 in Section 7.1 596 SM4Decrypt(C, K) 597 The SM4 algorithm that decrypts ciphertext C with key K, described 598 in Section 7.2 600 b 601 block size in bits, defined as 128 for SM4 603 P_j 604 block j of ciphertext bitstring P 606 C_j 607 block j of ciphertext bitstring C 609 NBlocks(B, b) 610 Number of blocks of size b-bit in bitstring B 612 IV 613 Initialization vector 615 LSB(b, S) 616 Least significant b bits of the bitstring S 618 MSB(b, S) 619 Most significant b bits of the bitstring S 621 8.2. Initialization Vectors 623 The CBC, CFB and OFB modes require an additional input to the 624 encryption process, called the initialization vector (IV). The 625 identical IV is used in the input of encryption as well as the 626 decryption of the corresponding ciphertext. 628 Generation of IV values *MUST* take into account of the 629 considerations in Section 12 recommended by [BC-EVAL]. 631 8.3. SM4-ECB 633 In SM4-ECB, the same key is utilized to create a fixed assignment for 634 a plaintext block with a ciphertext block, meaning that a given 635 plaintext block always gets encrypted to the same ciphertext block. 636 As described in [NIST.SP.800-38A], this mode should be avoided if 637 this property is undesirable. 639 This mode requires input plaintext to be a multiple of the block 640 size, which in this case of SM4 it is 128-bit. It also allows 641 multiple blocks to be computed in parallel. 643 8.3.1. SM4-ECB Encryption 645 Inputs: 647 o P, plaintext, length *MUST* be multiple of b 649 o K, SM4 128-bit encryption key 651 Output: 653 o C, ciphertext, length is a multiple of b 655 C is defined as follows. 657 _____________________________________________________________________ 659 n = NBlocks(P, b) 661 for i = 1 to n 662 C_i = SM4Encrypt(P_i, K) 663 end for 665 C = C_1 || ... || C_n 666 _____________________________________________________________________ 668 8.3.2. SM4-ECB Decryption 670 Inputs: 672 o C, ciphertext, length *MUST* be multiple of b 674 o K, SM4 128-bit encryption key 676 Output: 678 o P, plaintext, length is a multiple of b 680 P is defined as follows. 682 _____________________________________________________________________ 684 n = NBlocks(C, b) 686 for i = 1 to n 687 P_i = SM4Decrypt(C_i, K) 688 end for 690 P = P_1 || ... || P_n 691 _____________________________________________________________________ 693 8.4. SM4-CBC 695 SM4-CBC is similar to SM4-ECB that the input plaintext *MUST* be a 696 multiple of the block size, which is 128-bit in SM4. SM4-CBC 697 requires an additional input, the IV, that is unpredictable for a 698 particular execution of the encryption process. 700 Since CBC encryption relies on a forward cipher operation that depend 701 on results of the previous operation, it cannot be parallelized. 702 However, for decryption, since ciphertext blocks are already 703 available, CBC parallel decryption is possible. 705 8.4.1. SM4-CBC Encryption 707 Inputs: 709 o P, plaintext, length *MUST* be multiple of b 711 o K, SM4 128-bit encryption key 713 o IV, 128-bit, unpredictable, initialization vector 715 Output: 717 o C, ciphertext, length is a multiple of b 719 C is defined as follows. 721 _____________________________________________________________________ 723 n = NBlocks(P, b) 725 C_1 = SM4Encrypt(P_1 xor IV, K) 727 for i = 2 to n 728 C_i = SM4Encrypt(P_i xor C_{i - 1}, K) 729 end for 731 C = C_1 || ... || C_n 732 _____________________________________________________________________ 734 8.4.2. SM4-CBC Decryption 736 Inputs: 738 o C, ciphertext, length *MUST* be a multiple of b 740 o K, SM4 128-bit encryption key 742 o IV, 128-bit, unpredictable, initialization vector 744 Output: 746 o P, plaintext, length is multiple of b 748 P is defined as follows. 750 _____________________________________________________________________ 752 n = NBlocks(C, b) 754 P_1 = SM4Decrypt(C_1, K) xor IV 756 for i = 2 to n 757 P_i = SM4Decrypt(C_i, K) xor C_{i - 1} 758 end for 760 P = P_1 || ... || P_n 761 _____________________________________________________________________ 763 8.5. SM4-CFB 765 SM4-CFB relies on feedback provided by successive ciphertext segments 766 to generate output blocks. The plaintext given must be a multiple of 767 the block size. 769 Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for 770 a particular execution of the encryption process. 772 SM4-CFB further allows setting a positive integer parameter s, that 773 is less than or equal to the block size, to specify the size of each 774 data segment. The same segment size must be used in encryption and 775 decryption. 777 In SM4-CFB, since the input block to each forward cipher function 778 depends on the output of the previous block (except the first that 779 depends on the IV), encryption is not parallelizable. Decryption, 780 however, can be parallelized. 782 8.5.1. SM4-CFB Variants 784 SM4-CFB takes an integer s to determine segment size in its 785 encryption and decryption routines. We define the following variants 786 of SM4-CFB for various s: 788 o SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1. 790 o SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8. 792 o SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64. 794 o SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128. 796 8.5.2. SM4-CFB Encryption 798 Inputs: 800 o P#, plaintext, length *MUST* be multiple of s 802 o K, SM4 128-bit encryption key 804 o IV, 128-bit, unpredictable, initialization vector 806 o s, an integer 1 <= s <= b that defines segment size 808 Output: 810 o C#, ciphertext, length is a multiple of s 812 C# is defined as follows. 814 _____________________________________________________________________ 816 n = NBlocks(P#, s) 818 I_1 = IV 819 for i = 2 to n 820 I_i = LSB(b - s, I_{i - 1}) || C#_{j - 1} 821 end for 823 for i = 1 to n 824 O_j = SM4Encrypt(I_i, K) 825 end for 827 for i = 1 to n 828 C#_i = P#_1 xor MSB(s, O_j) 829 end for 831 C# = C#_1 || ... || C#_n 832 _____________________________________________________________________ 834 8.5.3. SM4-CFB Decryption 836 Inputs: 838 o C#, ciphertext, length *MUST* be a multiple of s 840 o K, SM4 128-bit encryption key 842 o IV, 128-bit, unpredictable, initialization vector 843 o s, an integer 1 <== s <== b that defines segment size 845 Output: 847 o P#, plaintext, length is multiple of s 849 P# is defined as follows. 851 _____________________________________________________________________ 853 n = NBlocks(P#, s) 855 I_1 = IV 856 for i = 2 to n 857 I_i = LSB(b - s, I_{i - 1}) || C#_{j - 1} 858 end for 860 for i = 1 to n 861 O_j = SM4Encrypt(I_i, K) 862 end for 864 for i = 1 to n 865 P#_i = C#_1 xor MSB(s, O_j) 866 end for 868 P# = P#_1 || ... || P#_n 869 _____________________________________________________________________ 871 8.6. SM4-OFB 873 SM4-OFB is the application of SM4 through the Output Feedback mode. 874 This mode requires that the IV is a nonce, meaning that the IV *MUST* 875 be unique for each execution for an input key. OFB does not require 876 the input plaintext to be a multiple of the block size. 878 In OFB, the routines for encryption and decryption are identical. As 879 each forward cipher function (except the first) depends on previous 880 results, both routines cannot be parallelized. However given a known 881 IV, output blocks could be generated prior to the input of plaintext 882 (encryption) or ciphertext (decryption). 884 8.6.1. SM4-OFB Encryption 886 Inputs: 888 o P, plaintext, composed of (n - 1) blocks of size b, with the last 889 block P_n of size 1 <== u <== b 891 o K, SM4 128-bit encryption key 893 o IV, a nonce (a unique value for each execution per given key) 895 Output: 897 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 898 block C_n of size 1 <== u <== b 900 C is defined as follows. 902 _____________________________________________________________________ 904 n = NBlocks(P, b) 906 I_1 = IV 907 for i = 1 to (n - 1) 908 O_i = SM4Encrypt(I_i) 909 I_{i + 1} = O_i 910 end for 912 for i = 1 to (n - 1) 913 C_i = P_i xor O_i 914 end for 916 C_n = P_n xor MSB(u, O_n) 918 C = C_1 || ... || C_n 919 _____________________________________________________________________ 921 8.6.2. SM4-OFB Decryption 923 Inputs: 925 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 926 block C_n of size 1 <== u <== b 928 o K, SM4 128-bit encryption key 930 o IV, the nonce used during encryption 932 Output: 934 o P, plaintext, composed of (n - 1) blocks of size b, with the last 935 block P_n of size 1 <== u <== b 937 C is defined as follows. 939 _____________________________________________________________________ 941 n = NBlocks(C, b) 943 I_1 = IV 944 for i = 1 to (n - 1) 945 O_i = SM4Encrypt(I_i) 946 I_{i + 1} = O_i 947 end for 949 for i = 1 to (n - 1) 950 P_i = C_i xor O_i 951 end for 953 P_n = C_n xor MSB(u, O_n) 955 P = P_1 || ... || P_n 956 _____________________________________________________________________ 958 8.7. SM4-CTR 960 SM4-CTR is an implementation of a stream cipher through a blockcipher 961 primitive. It generates a "keystream" of keys that are used to 962 encrypt successive blocks, with the keystream created from the input 963 key, a nonce (the IV) and an incremental counter. The counter could 964 be any sequence that does not repeat within the block size. 966 Both SM4-CTR encryption and decryption routines could be 967 parallelized, and random access is also possible. 969 8.7.1. SM4-CTR Encryption 971 Inputs: 973 o P, plaintext, composed of (n - 1) blocks of size b, with the last 974 block P_n of size 1 <== u <== b 976 o K, SM4 128-bit encryption key 978 o IV, a nonce (a unique value for each execution per given key) 980 o T, a sequence of counters from T_1 to T_n 982 Output: 984 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 985 block C_n of size 1 <== u <== b 987 C is defined as follows. 989 _____________________________________________________________________ 991 n = NBlocks(P, b) 993 for i = 1 to n 994 O_i = SM4Encrypt(T_i) 995 end for 997 for i = 1 to (n - 1) 998 C_i = P_i xor O_i 999 end for 1001 C_n = P_n xor MSB(u, O_n) 1003 C = C_1 || ... || C_n 1004 _____________________________________________________________________ 1006 8.7.2. SM4-CTR Decryption 1008 Inputs: 1010 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 1011 block C_n of size 1 <= u <= b 1013 o K, SM4 128-bit encryption key 1015 o IV, a nonce (a unique value for each execution per given key) 1017 o T, a sequence of counters from T_1 to T_n 1019 Output: 1021 o P, plaintext, composed of (n - 1) blocks of size b, with the last 1022 block P_n of size 1 <= u <= b 1024 P is defined as follows. 1026 _____________________________________________________________________ 1028 n = NBlocks(C, b) 1030 for i = 1 to n 1031 O_i = SM4Encrypt(T_i) 1032 end for 1034 for i = 1 to (n - 1) 1035 P_i = C_i xor O_i 1036 end for 1038 P_n = C_n xor MSB(u, O_n) 1040 C = C_1 || ... || C_n 1041 _____________________________________________________________________ 1043 9. Object Identifier 1045 The Object Identifier for SM4 is identified through these OIDs. 1047 9.1. GM/T OID 1049 "1.2.156.10197.1.104" for "SM4 Algorithm" [GMT-0006-2012]. 1051 9.2. ISO OID 1053 "1.0.18033.3.2.4" for "id-bc128-sm4" [ISO.IEC.18033-3.AMD2], 1054 described below. 1056 o "is18033-3" {iso(1) standard(0) is18033(18033) part3(3)} 1058 o "id-bc128" {is18033-3 block-cipher-128-bit(2)} 1060 o "id-bc128-sm4" {id-bc128 sm4(4)} 1062 10. Design Considerations 1064 10.1. Basic Transformation 1066 The chaos principle and the diffusion principle are two basic 1067 principles of block cipher design. A well-designed blockcipher 1068 algorithm should be based on a cryptographically sound basic 1069 transformation structure, with its round calculation based on a 1070 cryptographically sound basic transformation. 1072 The cryptographic properties of the basic transformation determines 1073 the efficiency of the resulting encryption transformation. 1075 The SM4 algorithm is structured on orthomorphic permutation. Its 1076 round transformation is an orthomorphic permutation, and its 1077 cryptographic properties can be deduced from the characteristics of 1078 orthomorphic permutations. 1080 Let the single round of the SM4 block cipher algorithm be P, for any 1081 given plaintext X, P (X, K ')! = P (X, K) if the key K'! = K. 1083 The conclusion shows that if X is a row variable and K is a column 1084 variable, the square P(X, K) forms a Latin square. There are two 1085 conclusions about the nature of cryptography: 1087 1. The SM4 blockcipher algorithm will produce different round 1088 transformations given different keys. 1090 2. The SM4 blockcipher algorithm, within a single round, will 1091 produce a different output given the same input with different 1092 keys. 1094 10.2. Nonlinear Transformation 1096 An S-box can be viewed as a bijection: 1098 S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m. 1100 S(x): F_2^n -> F_2^m can be represented as a multi-output boolean 1101 function with n-bit input and m-bit output, or a n x m S-box (an 1102 S-box with n inputs and m outputs), usually realized as a 1103 substitution that takes an n-bit input and produces a m-bit output. 1104 In SM4, the S-box takes n = m = 8. 1106 In many blockciphers, the S-box is the sole element providing 1107 nonlinearity, for the purpose of mixing, in order to reduce linearity 1108 and to hide its variable structure. 1110 The cryptographic properties of the S-box directly affects the 1111 resulting cryptographic strength of the blockcipher. When designing 1112 a blockcipher, the cryptographic strength of the S-box must be taken 1113 into account. The cryptographic strength of an S-box can be 1114 generally measured by factors such as its nonlinearity and 1115 differential distribution. 1117 10.2.1. S-box Algebraic Expression 1119 In order to prevent insertion attacks, the algebraic formula used for 1120 cryptographic substitution should be a high degree polynomial and 1121 contain a large number of terms. 1123 The algebraic expression of the SM4 S-box [SM4-Sbox] is determined 1124 through Lagrange's interpolation to be a polynomial of the 254th 1125 degree with 255 terms, providing the highest level of complexity 1126 based on its size: 1128 f(x) : sum_{i=0}^{255} y_i 1129 PI_{j!=i, j=0}^255 ((x - x_j) / (x_i - x_j)) 1131 10.2.2. Algebraic Degree And Distribution Of Terms 1133 Any n boolean function f(x): F_2^n -> F_2 can be represented uniquely 1134 in its algebraic normal form shown below: 1136 f(X) = a_0 + sum_{1<=i_i<... F_2^m. Consider S(X) to be a random 1152 substitution, each of its component functions would be best to have 1153 algebraic degree of n-1, each component function i-th coefficient 1154 should be near C_n^i/2. If the algebraic degree is too low, for 1155 example, each component function has a degree of 2, then the 1156 algorithm can be easily attacked by advanced differential 1157 cryptanalysis. If the number of terms are insufficient, then it may 1158 improve the success probability of insert attacks. 1160 The algebraic degrees and number of terms of the SM4 S-box are 1161 described in Figure 4. 1163 +--------------------+--------------------------------------------+ 1164 | | Algebraic Degree | 1165 | Component Function +-----+---+----+----+----+----+----+---+-----+ 1166 | | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 1167 +--------------------+-----+---+----+----+----+----+----+---+-----+ 1168 | Y_0 | 0 | 3 | 15 | 31 | 28 | 29 | 14 | 3 | 1 | 1169 | Y_1 | 0 | 3 | 12 | 34 | 40 | 33 | 12 | 4 | 1 | 1170 | Y_2 | 0 | 5 | 17 | 24 | 40 | 24 | 11 | 3 | 0 | 1171 | Y_3 | 0 | 2 | 11 | 31 | 34 | 27 | 15 | 5 | 1 | 1172 | Y_4 | 0 | 5 | 15 | 28 | 33 | 24 | 13 | 5 | 0 | 1173 | Y_5 | 0 | 5 | 11 | 25 | 41 | 25 | 16 | 4 | 1 | 1174 | Y_6 | 0 | 4 | 15 | 29 | 27 | 32 | 18 | 4 | 1 | 1175 | Y_7 | 0 | 4 | 14 | 32 | 35 | 30 | 16 | 3 | 0 | 1176 +--------------------+-----+---+----+----+----+----+----+---+-----+ 1177 | Expected Value | 1/2 | 4 | 14 | 28 | 35 | 28 | 14 | 4 | 1/2 | 1178 +--------------------+-----+---+----+----+----+----+----+---+-----+ 1180 Figure 4: SM4 S-box Component Functions Algebraic Degree And Terms 1182 10.2.3. Differential Distribution 1184 The definition of differential distribution has been given in 1185 [BC-Design]. 1187 Differential cryptanalysis is a chosen-plaintext attack, with the 1188 understanding that analysis of selected plaintexts of differentials 1189 can retrive the most probable key. Differential distribution is an 1190 attribute to measure the resistance of a cryptographic function 1191 against differential cryptanalysis. 1193 delta_S = 1/2^n max_{a in F_2^n, a!=0} max_{beta in F_2^m} | 1194 { X in F_2^n : S(X and alpha) - S(X) = beta } | 1196 "delta_S" is the differential distribution of the S-box "S". 1198 According to the definition of differential distribution, 2^{-m} <= 1199 delta_S <= 2^{m-n}, if there is a delta_S = 2^{m-n} then S is 1200 considered a fully nonlinear function from F_2^n to F_2^m. For 1201 resistance against differential cryptanalysis, the differential 1202 distribution should be as low as possible. 1204 The highest differential distribution of the SM4 S-box is 2^{-6}, 1205 meaning it has a good resistance against differential cryptanalysis. 1207 10.2.4. Nonlinearity 1209 The nonlinearity of an S-box is described by [BC-Design]. 1211 Let S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m be a 1212 multi-output function. The nonlinearity of S(X) is defined as N_S = 1213 min_{l in L_n, 0 != u in F_2^m} d_H (u . S(X), l(X)). 1215 L_n is the group of all n-boolean functions, d_H(f, l) is the Hamming 1216 distance between f and l. The nonlinearity of the S-box is in fact 1217 the minimum Hamming distance between all the Boolean functions and 1218 all affine functions. 1220 The upper-bound of nonlinearity is known to be 2^{n-1} - 2^{n/2 - 1}, 1221 where a Boolean function that reaches this bound is called a "bent 1222 function". 1224 The nonlinearity of a Boolean function is used to measure resistance 1225 against linear attacks. The higher the nonlinearity, the higher 1226 resistance that the Boolean function f(x) has against linear attacks. 1227 On the contrary, the lower the nonlinearity, the Boolean function 1228 f(x) has lower resistance against linear attacks. 1230 The nonlinearity of the SM4 S-box is 112. 1232 10.2.5. Maximum Linearity Advantage 1234 Linear approximation of a S-box is defined in [BC-Design]. Given a 1235 S-box with n inputs and m outputs, any linear approximation can be 1236 represented as : a . X = b . Y, where a in F_2^n, b in F_2^m. 1238 The probability p that satisfies a . X = b . Y is 1240 | p - 1/2 | <= 1/2 - N_S / 2^n 1242 where | p - 1/2 | is the advantage of the linear approximation 1243 equation, lambda_S = 1/2 - N_s / 2^n is the maximum advantage of the 1244 S-box. 1246 The maximum advantage of the SM4 S-box is 2^{-4}. 1248 10.2.6. Balance 1250 A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is 1251 considered "balanced" if for any beta in F_2^m, there are 2^{n-m} x 1252 in F_2^n, such that S(x) = beta. 1254 The SM4 S-box is balanced. 1256 10.2.7. Completness and Avalanche Effect 1258 A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is 1259 considered "complete" if every input bit directly correlates to an 1260 output bit. 1262 In algebraic expression, each component function contains the unknown 1263 variables x_1, x_2, ... x_n, such that for any (s, t) in { (i, j) | 1 1264 <= i <= n, 1 <= j <= m}, there is an X that S(X) and S(X and e_s) 1265 would contain a different bit t. 1267 Avalanche effect refers to a single bit change in the input would 1268 correspond to a change of half of the output bits. 1270 The SM4 S-box satisfies completness and the avalanche effect. 1272 10.3. Linear Transform 1274 Linear transformation is used to provide diffusion in SM4. A 1275 blockcipher algorithm often adopts m x m S-boxes to form an 1276 obfuscation layer. 1278 Since the m-bits output by one S-box are only related to the m bits 1279 of its input and are irrelevant to the input of other S boxes, the 1280 introduction of a linear transform would disrupt and mix the output 1281 m-bits so that they seem correlating to the other S-box inputs. 1283 A sound linear transform design will diffuse the S-box output, 1284 allowing the blockcipher to resist differential and linear 1285 cryptanalysis. 1287 An important measure of the diffusivity of a linear transform is its 1288 branch number. 1290 The "branch number" of a linear transform is defined in [BC-Design]: 1292 B(theta) = min_{x!=0} w_b(x) + w_b(theta(x)) 1294 Where B(theta) is the branch number of transform theta, w_b(x) is a 1295 non-zero integer x_i (1 <== i <== m), and x_i is called the "bundle 1296 weight". 1298 The branch number can be used to quantify the resistance of the block 1299 cipher algorithm to differential cryptanalysis and linear 1300 cryptanalysis. 1302 Similar to differential cryptanalysis and linear cryptanalysis, the 1303 differential branch number and linear branch number of theta can be 1304 defined as follows. 1306 The differential branch number of theta is: 1308 B_d(theta) = min_{x, x!= x*} 1309 (w_b(x and x*) + w_b(theta(x)) and theta(x*)) 1311 The linear branch number of theta is: 1313 B_l(theta) = min_{a, b, c (x . alpha^t , theta(x) . beta) != 0} 1314 (w_b(alpha) + w_b(beta)) 1316 where, 1317 c (x . a^t , theta(x) . beta) = 1318 2 X Pr(x . alpha^t = theta(x) . beta) - 1 1319 x . alpha^t is a matrix multiplication. 1321 The branch number in a linear transformation reflects its 1322 diffusivity. The higher the branch number, the better the diffusion 1323 effect. 1325 This means that the larger the differential branch number or linear 1326 branch number, the more known plaintexts will be required for 1327 differential or linear cryptanalysis respectively. 1329 The linear transform differential branch number and linear branch 1330 number of SM4 are both 5. 1332 10.4. Key Expansion Algorithm 1334 The SM4 key schedule is designed to fulfill the security requirements 1335 of the encryption algorithm and achieve ease of implementation for 1336 performance reasons. 1338 All subkeys are derived from the encryption key, and therefore, 1339 subkeys are always statistically relevant. In the context of a 1340 blockcipher, it is not possible to have non-statistical-correlated 1341 subkeys, but the designer can only aim to have subkeys achieve near 1342 statistical independence [BC-Design]. 1344 The purpose of the key schedule, generated through the key expansion 1345 algorithm, is to mask the statistical correlation between subkeys to 1346 make this relationship difficult to exploit. 1348 The SM4 key expansion algorithm satisfies the following design 1349 criteria: 1351 1. There are no obvious statistical correlation between subkeys; 1353 2. There are no weak subkeys; 1355 3. The speed of key expansion is not slower than the encryption 1356 algorithm, and uses less resources; 1358 4. Every subkey can be directly generated from the encryption key. 1360 11. Cryptanalysis Results 1362 SM4 has been heavily cryptanalyzed by international researchers since 1363 it was first published. Nearly all currently known cryptanalysis 1364 techniques have been applied to SM4. 1366 At the time of publishing this document, there are no known practical 1367 attacks against the full SM4 blockcipher. However, there are side- 1368 channel concerns [SideChannel] when the algorithm is implemented in a 1369 hardware device. 1371 A summary of cryptanalysis results are presented in the following 1372 sections. 1374 11.1. Differential Cryptanalysis 1376 In 2008, Zhang et al. [SM4-DiffZhang1] gave a 21-round differential 1377 analysis with data complexity 2^188, time complexity 2^126.8 1378 encryptions. 1380 In 2008, Kim et al. [SM4-LDA] gave a 22-round differential attack 1381 that requires 2^118 chosen plaintexts, 2^123 memory and 2^125.71 1382 encryptions. 1384 In 2009, Zhang et al. (differing author but overlapping team) 1385 [SM4-DiffZhang2] gave a 18-round differential characteristics with an 1386 attack that reaches the 22nd round, with data complexity 2^117 and 1387 time complexity 2^112.3. 1389 In 2010, Zhang et al. (with no relation to above) [SM4-DiffZhang3] 1390 utilized 18-round differential characteristics for the 22nd round 1391 with 2^117 chosen plaintexts with time complexity 2^123 encryptions, 1392 memory complexity of 2^112. 1394 In 2011, Su et al. [SM4-DiffSu] gave a 19 round differential 1395 characteristics and pushed their attack to the 23rd round, with data 1396 complexity of 2^118 chosen plaintexts, time complexity 2^126.7 1397 encryptions, and memory complexity 2^120.7. 1399 11.2. Linear Cryptanalysis 1401 In 2008 Etrog et al. [SM4-LinearEtrog] provided a linear 1402 cryptanalysis result for 22 rounds of SM4, the data complexity is 1403 given as 2^188.4 known plaintexts, time complexity 2^117 encrypt 1404 operations. 1406 In the same year, Kim et al. [SM4-LDA] improved on the linear 1407 cryptanalysis result for 22 rounds of SM4 with data complexity of 1408 2^117 known plaintexts, memory complexity of 2^109 and time 1409 complexity of 2^109.86. 1411 In 2011 Dong [SM4-LinearDong] presented a linear cryptanalysis result 1412 for 20 rounds, 2^110.4 known ciphertexts, 2^106.8 encryption 1413 operations, memory complexity 2^90. 1415 In 2014 Liu et al. [SM4-LinearLiu] presented their linear 1416 cryptanalysis for 23-rounds of SM4, time complexity 2^112 encryption 1417 operations, data complexity 2^126.54 known ciphertexts, memory 1418 complexity 2^116. 1420 In 2017 Liu et al. [SM4-NLC] presented an attack based on linear 1421 cryptanalysis on 24-rounds of SM4, with time complexity of 2^122.6 1422 encryptions, data complexity of 2^122.6 known ciphertexts, and memory 1423 complexity of 2^85. 1425 11.3. Multi-dimensional Linear Cryptanalysis 1427 In 2010, Liu et al. [SM4-MLLiu] constructed a series of 18 rounds of 1428 linear traces based on a 5-round circular linear trace, capable of 1429 attacking 22 rounds of SM4. The required data complexity was 2^112 1430 known plaintexts, time complexity 2^124.21 encryption operations, 1431 with memory complexity of 2^118.83. 1433 In 2010 Cho et al. [SM4-MLCho] gave a linear analysis of 23 rounds 1434 of SM4 with a data complexity of 2^126.7 known plaintexts and a time 1435 complexity of 2^127, memory complexity of 2^120.7. 1437 In 2014, Liu et al. [SM4-LinearLiu] gave the results of multi- 1438 dimensional linear analysis of 23 rounds of SM4 algorithm. The time 1439 complexity was 2^122.7, data complexity was 2^122.6 known plaintext 1440 with memory complexity 2^120.6. 1442 11.4. Impossible Differential Cryptanalysis 1444 In 2007 Lu et al. [SM4-IDCLu] first presented 16 rounds of 1445 impossible differential analysis of SM4 with the required data 1446 complexity 2^105 chosen plaintexts, time complexity 2^107 encryption 1447 operations. 1449 In 2008 Toz et al. [SM4-IDCToz] revised the results of [SM4-IDCLu], 1450 that the data complexity is actually 2^117.05 chosen plaintexts, time 1451 complexity 2^132.06 encryptions, but its complexity is already beyond 1452 the 2^128 limit. 1454 In 2010 Wang et al. [SM4-IDCWang] pushed the impossible differential 1455 cryptanalysis to 17 rounds of SM4, the data complexity is 2^117 1456 chosen ciphertexts, time complexity 2^132 memory queries. 1458 11.5. Zero-correlation Linear Cryptanalysis 1460 In 2015 Ma et al. [SM4-ZCLC] gives the results of multi-dimensional 1461 zero-correlation linear cryptanalysis of a 14-round SM4 algorithm. 1462 The required data complexity is 2^123.5 known plaintexts, time 1463 complexity is 2^120.7 encryption operations and memory complexity of 1464 2^73 blocks. 1466 11.6. Integral Cryptanalysis 1468 In 2007 Liu et al. [SM4-ICLiu] first gave a 13-round integral 1469 analysis of SM4, which required 2^16 chosen plaintexts and time 1470 complexity of 2^114 encryption operations. 1472 In 2008 Zhong et al. [SM4-ICZhong] constructed a 12-round 1473 distinguisher of SM4 to attack 14-round SM4, with data complexity of 1474 2^32 chosen plaintexts and time complexity 2^96.5 encryptions. 1476 11.7. Algebraic Attacks 1478 In 2009 Ji et al. [SM4-AAJi] and in 2010 Erickson et al. [SM4-AAEr] 1479 utilized algebraic methods such as XL, Groebner base and SAT to 1480 analyze the resistance of SM4 against algebraic attacks. The results 1481 demonstrate that SM4 is safe against algebraic attacks, and 1482 specifically, has a higher resistance against algebraic attacks than 1483 AES. 1485 11.8. Matrix Attacks 1487 In 2007 Lu et al. [SM4-IDCLu] provided a matrix attack against 1488 14-round SM4, with data complexity 2^121.82 chosen plaintexts, time 1489 complexity 2^116.66 encryptions. 1491 In 2008 Toz et al. [SM4-IDCToz] lowered both data and time 1492 complexity of the aformentioned attack to 2^106.89 chosen ciphertexts 1493 and time complexity of 2^107.89. 1495 In 2008, Zhang et al. [SM4-DiffZhang1] provided a matrix attack 1496 against 16-round SM4, which required a data complexity of 2^125 1497 chosen plaintexts and time complexity of 2^116 encryptions. 1499 She's Master dissertation [SM4-MatrixShe] provided a SM4 16-round 1500 matrix distinguisher that can attack 18-round SM4, with data 1501 complexity of 2^127 chosen plaintexts and time complexity 2^110.77 1502 encryptions with memory complexity of 2^130. 1504 In 2012 Wei et al. [SM4-MatrixWei] applied differential analysis and 1505 algebraic attack techniques on 20-round SM4 and discovered that the 1506 combined attack results on 20-round SM4 are superior than using pure 1507 differential cryptanalysis. 1509 11.9. Provable Security Against Differential And Linear Cryptanalysis 1511 SM4 uses a novel structure differing from the general Feistel and SP 1512 structures. 1514 [SM4-Random] has proven that the SM4 non-balanced Feistel structure 1515 is pseudo-random. 1517 [SM4-SLDC] analyzes the SM4 non-balanced Feistel structure on its 1518 resistance against differential and linear cryptanalysis techniques. 1519 Under SP type round functions with branch number 5, it is proven that 1520 in a 27-round SM4 guarantees at least 22 active S-boxes, therefore 1521 SM4 is secure against differential attacks. 1523 [SM4-SLC] has analyzed resistance of SM4 against linear 1524 cryptanalysis. 1526 11.10. Provable Security Against Related-Key Differential Cryptanalysis 1528 Related-key differential cryptanalysis is related to the encryption 1529 algorithm and key schedule. When performing a related-key attack, 1530 the attacker simultaneously insert differences in both the key and 1531 the message. 1533 In [AutoDC], Sun et al. proposed an automated differential route 1534 search method based on MILP (mixed-integer linear programming) that 1535 can be used to assess the security bounds of a blockcipher under 1536 (related-key) differential cryptanalysis. 1538 [SM4-RKDC] describes the lower bounds of active S-boxes within SM4 1539 and is shown in Table 1. 1541 +-------+------------+-------------+ 1542 | Round | Single Key | Related Key | 1543 +-------+------------+-------------+ 1544 | 3 | 0 | 0 | 1545 | 4 | 1 | 1 | 1546 | 5 | 2 | 2 | 1547 | 6 | 2 | 4 | 1548 | 7 | 5 | 6 | 1549 | 8 | 6 | 8 | 1550 | 9 | 7 | 9 | 1551 | 10 | 8 | 10 | 1552 | 11 | 9 | 11 | 1553 | 12 | 10 | 13 | 1554 | 13 | 10 | 14 | 1555 | 14 | 10 | 14 | 1556 | 15 | 13 | 16 | 1557 | 16 | 14 | 18 | 1558 | 17 | 15 | 19 | 1559 | 18 | 16 | 20 | 1560 | 19 | 18 | 22 | 1561 | 20 | 18 | - | 1562 | 21 | 19 | - | 1563 | 22 | 20 | - | 1564 | 23 | 22 | - | 1565 | 24 | 23 | - | 1566 | 25 | 23 | - | 1567 | 26 | 24 | - | 1568 +-------+------------+-------------+ 1570 Table 1: Strongest SM4 Attacks ("-" denotes unknown) 1572 As the maximal probability of the SM4 S-box is 2^-6, when the minimum 1573 active S-boxes reach 22 the differential characteristics will have 1574 probability 2^132, which is higher than enumeration (2^128). 1576 This indicates that 19 rounds and 23 rounds under related key and 1577 single key settings will provide a minimum of 22 active S-boxes and 1578 is able to resist related-key differential attacks. 1580 11.11. Summary of SM4 Cryptanalytic Attacks 1582 Table 2 provides a summary on the strongest attacks on SM4 at the 1583 time of publishing. 1585 +-------------------+--------+--------------------+-----------------+ 1586 | Method | Rounds | Complexity | Reference | 1587 +-------------------+--------+--------------------+-----------------+ 1588 | Linear | 24 | Time: 2^{122.6}, | [SM4-NLC] | 1589 | | | Data: 2^{122.6}, | | 1590 | | | Memory: 2^{85} | | 1591 +-------------------+--------+--------------------+-----------------+ 1592 | Multi-dimensional | 23 | Time: 2^{122.7}, | [SM4-LinearLiu] | 1593 | Linear | | Data: 2^{122.6}, | | 1594 | | | Memory: 2^{120.6} | | 1595 +-------------------+--------+--------------------+-----------------+ 1596 | Differential | 23 | Time: 2^{126.7}, | [SM4-DiffSu] | 1597 | | | Data: 2^{117}, | | 1598 | | | Memory: 2^{120.7} | | 1599 +-------------------+--------+--------------------+-----------------+ 1600 | Matrix | 18 | Time: 2^{110.77}, | [SM4-MatrixShe] | 1601 | | | Data: 2^{127}, | | 1602 | | | Memory 2^{130} | | 1603 +-------------------+--------+--------------------+-----------------+ 1604 | Impossible | 17 | Time: 2^{132}, | [SM4-IDCWang] | 1605 | Differential | | Data: 2^{117}, | | 1606 | | | Memory: -- | | 1607 +-------------------+--------+--------------------+-----------------+ 1608 | Zero-correlation | 14 | Time: 2^{120.7}, | [SM4-ZCLC] | 1609 | Linear | | Data: 2^{123.5}, | | 1610 | | | Memory: 2^{73} | | 1611 +-------------------+--------+--------------------+-----------------+ 1612 | Integral | 14 | Time: 2^{96.5}, | [SM4-ICZhong] | 1613 | | | Data: 2^{32}, | | 1614 | | | Memory: -- | | 1615 +-------------------+--------+--------------------+-----------------+ 1617 Table 2: Leading SM4 Attacks As Of Publication 1619 As of the publication of this document, no open research results have 1620 provided a method to successfully attack beyond 24 rounds of SM4. 1622 The traditional view suggests that SM4 provides an extra safety 1623 margin compared to blockciphers adopted in [ISO.IEC.18033-3] that 1624 already have full-round attacks, including MISTY1 [MISTY1-IC] 1625 [MISTY1-270] and AES [AES-CA] [AES-BC] [AES-RKC]. 1627 12. Security Considerations 1629 o Products and services that utilize cryptography are regulated by 1630 the SCA [SCA]; they must be explicitly approved or certified by 1631 the SCA before being allowed to be sold or used in China. 1633 o SM4 is a blockcipher symmetric algorithm with key length of 128 1634 bits. It is considered as an alternative to AES-128 1635 [NIST.FIPS.197]. 1637 o SM4 [GBT.32907-2016] is a blockcipher certified by the SCA [SCA]. 1638 No formal proof of security is provided. There are no known 1639 practical attacks against SM4 algorithm by the time of publishing 1640 this document, but there are security concerns with regards to 1641 side-channel attacks when the SM4 algorithm is implemented in 1642 hardware. 1643 For instance, [SM4-Power] illustrated an attack by measuring the 1644 power consumption of the device. A chosen ciphertext attack, 1645 assuming a fixed correlation between the round keys and data mask, 1646 is able to recover the round key successfully. 1647 When the SM4 algorithm is implemented in hardware, the parameters 1648 and keys *SHOULD* be randomly generated without fixed correlation. 1649 There have also been improvements to the hardware embodiment 1650 design for SM4 [SM4-VLSI] [SM4-FPGA], white-box implementions 1651 [SM4-WhiteBox], and performance enhancements [SM4-HiSpeed], that 1652 may resist such attacks. 1654 o The IV does not have to be secret. The IV itself, or criteria 1655 enough to determine it, *MAY* be transmitted with ciphertext. 1657 o SM4-ECB: ECB is one of the four original modes defined for DES. 1658 With its problem well known to "leak quite a large amount of 1659 information" [BC-EVAL], it *SHOULD NOT* be used in most cases. 1661 o SM4-CBC, SM4-CFB, SM4-OFB: CBC, CFB and OFB are IV-based modes of 1662 operation originally defined for DES. 1663 When using these modes of operation, the IV *SHOULD* be random to 1664 preserve message confidentiality [BC-EVAL]. It is shown in the 1665 same document that CBC, CFB, OFB, the variants #CBC, #CFB that 1666 utilize the recommendation of [NIST.SP.800-38A] to make CBC and 1667 CFB nonce-based, are SemCPA secure as probabilistic encryption 1668 schemes. 1669 Various attack scenarios have been described in [BC-EVAL] and 1670 these modes *SHOULD NOT* be used unless for compatibility reasons. 1672 o SM4-CTR: CTR is considered to be the "best" mode of operation 1673 within [NIST.SP.800-38A] as it is considered SemCPA secure as a 1674 nonce-based encryption scheme, providing provable-security 1675 guarantees as good as the classic modes of operation (ECB, CBC, 1676 CFB, OFB) [BC-EVAL]. 1677 Users with no need of authenticity, non-malleablility and chosen- 1678 ciphertext (CCA) security *MAY* utilize this mode of operation 1679 [BC-EVAL]. 1681 13. IANA Considerations 1683 This document does not require any action by IANA. 1685 14. References 1687 14.1. Normative References 1689 [GBT.32907-2016] 1690 Standardization Administration of the People's Republic of 1691 China, "GB/T 32907-2016: Information security technology 1692 -- SM4 block cipher algorithm", August 2016, 1693 . 1696 [ISO.IEC.18033-3.AMD2] 1697 International Organization for Standardization, "ISO/IEC 1698 WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block 1699 ciphers -- Amendment 2", June 2017, 1700 . 1702 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1703 Requirement Levels", BCP 14, RFC 2119, 1704 DOI 10.17487/RFC2119, March 1997, 1705 . 1707 14.2. Informative References 1709 [AES-BC] Bogdanov, A., Khovratovich, D., and C. Rechberger, 1710 "Biclique Cryptanalysis of the Full AES", 2011, 1711 . 1713 [AES-CA] Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, 1714 M., Wagner, D., and D. Whiting, "Improved Cryptanalysis of 1715 Rijndael", Jan 2002, 1716 . 1718 [AES-RKC] Biryukov, A. and D. Khovratovich, "Related-Key 1719 Cryptanalysis of the Full AES-192 and AES-256", 2009, 1720 . 1722 [AutoDC] Siwei, S., Hu, L., Wang, P., Qiao, K., Ma, X., and L. 1723 Song, "Automatic Security Evaluation and (Related-key) 1724 Differential Characteristic Search: Application to SIMON, 1725 PRESENT, LBlock, DES(L) and Other Bit-Oriented Block 1726 Ciphers", 2014, 1727 . 1729 [BC-Design] 1730 Wu, W., "Block Cipher Design and Analysis (in Chinese)", 1731 October 2009, . 1734 [BC-EVAL] Rogaway, P., "Evaluation of Some Blockcipher Modes of 1735 Operation", February 2011, 1736 . 1738 [BOTAN] Lloyd, J., "Botan: Crypto and TLS for C++11", October 1739 2017, . 1741 [GB.15629.11-2003] 1742 Standardization Administration of the People's Republic of 1743 China, "Information technology -- Telecommunications and 1744 information exchange between systems -- Local and 1745 metropolitan area networks -- Specific requirements -- 1746 Part 11: Wireless LAN Medium Access Control (MAC) and 1747 Physical Layer (PHY) Specifications", May 2003, 1748 . 1751 [GMT-0002-2012] 1752 Office of State Commercial Administration of China, "GM/T 1753 0002-2012: SM4 block cipher algorithm", March 2012, 1754 . 1756 [GMT-0006-2012] 1757 Office of State Commercial Administration of China, "GM/T 1758 0006-2012: Cryptographic Application Identifier Criterion 1759 Specification", March 2012, 1760 . 1762 [ISO.IEC.18033-3] 1763 International Organization for Standardization, "ISO/IEC 1764 18033-3:2010 -- Encryption algorithms -- Part 3: Block 1765 ciphers", December 2017, 1766 . 1768 [LSW-Bio] Sun, M., "Lv Shu Wang -- A life in cryptography", November 1769 2010, 1770 . 1775 [MISTY1-270] 1776 Bar-On, A. and N. Keller, "A 2^{70} Attack on the Full 1777 MISTY1", 2016, 1778 . 1780 [MISTY1-IC] 1781 Todo, Y., "Integral Cryptanalysis on Full MISTY1", 2015, 1782 . 1784 [NIST.FIPS.197] 1785 National Institute of Standards and Technology, "NIST FIPS 1786 197: Advanced Encryption Standard (AES)", November 2001, 1787 . 1789 [NIST.SP.800-38A] 1790 Dworkin, M., "NIST Special Publication 800-38A: 1791 Recommendation for Block Cipher Modes of Operation -- 1792 Methods and Techniques", December 2001, 1793 . 1795 [OPENSSL] OpenSSL Software Foundation, "OpenSSL: Cryptography and 1796 SSL/TLS Toolkit", October 2017, . 1798 [SCA] State Cryptography Administration of China, "State 1799 Cryptography Administration of China", Dec 2017, 1800 . 1802 [SideChannel] 1803 Lei, Q., Wu, L., Zhang, S., Zhang, X., Li, X., Pan, L., 1804 and Z. Dong, "Software Hardware Co-design for Side-Channel 1805 Analysis Platform on Security Chips", December 2015, 1806 . 1808 [SM4] Office of State Commercial Administration of China, "SMS4 1809 Cryptographic Algorithm For Wireless LAN Products", 1810 January 2006, 1811 . 1813 [SM4-AAEr] 1814 Erickson, J., Ding, J., and C. Christensen, "Algebraic 1815 Cryptanalysis of SMS4: Groebner Basis Attack and SAT 1816 Attack Compared", 2010, 1817 . 1819 [SM4-AAJi] 1820 Wen, J., Lei, H., and H. Ou, "Algebraic Attack to SMS4 and 1821 the Comparison with AES", 2009, 1822 . 1824 [SM4-Details] 1825 Lu, S., Su, B., Peng, P., Miao, Y., and L. Huo, "Overview 1826 on SM4 Algorithm", October 2016, 1827 . 1829 [SM4-DiffSu] 1830 Su, B., Wu, W., and W. Zhang, "Security of the SMS4 Block 1831 Cipher Against Differential Cryptanalysis", January 2011, 1832 . 1834 [SM4-DiffZhang1] 1835 Zhang, L., Zhang, W., and W. Wu, "Cryptanalysis of 1836 Reduced-Round SMS4 Block Cipher", July 2008, 1837 . 1839 [SM4-DiffZhang2] 1840 Zhang, W., Wu, W., Feng, D., and B. Su, "Some New 1841 Observations on the SMS4 Block Cipher in the Chinese WAPI 1842 Standard", 2009, 1843 . 1845 [SM4-DiffZhang3] 1846 Zhang, M., Liu, J., and X. Wang, "22-Round SMS4 1847 Differential Cryptanalysis", 2010, 1848 . 1851 [SM4-En] Diffie, W. and G. Ledin, "SMS4 Encryption Algorithm for 1852 Wireless Networks", May 2008, 1853 . 1855 [SM4-FPGA] 1856 Cheng, H., Zhai, S., Fang, L., Ding, Q., and C. Huang, 1857 "Improvements of SM4 Algorithm and Application in Ethernet 1858 Encryption System Based on FPGA", July 2014, 1859 . 1863 [SM4-HiSpeed] 1864 Lv, Q., Li, L., and Y. Cao, "High-speed Encryption 1865 Decryption System Based on SM4", July 2016, 1866 . 1868 [SM4-ICLiu] 1869 Liu, F., Ji, W., Hu, L., Ding, J., Lv, S., Pyshkin, A., 1870 and R. Weinmann, "Analysis of the SMS4 Block Cipher", 1871 2007, . 1873 [SM4-ICZhong] 1874 Zhong, M., Hu, Y., and J. Chen, "14-Round Square Attack on 1875 Blockcipher SMS4", 2008, . 1878 [SM4-IDCLu] 1879 Lu, J., "Attacking Reduced-Round Versions of the SMS4 1880 Block Cipher in the Chinese WAPI Standard", 2007, 1881 . 1883 [SM4-IDCToz] 1884 Toz, D. and O. Dunkelman, "Analysis of Two Attacks on 1885 Reduced-Round Versions of the SMS4", 2008, 1886 . 1888 [SM4-IDCWang] 1889 Wang, G., "Improved Impossible Differential Cryptanalysis 1890 on SMS4", October 2010, 1891 . 1893 [SM4-LDA] Kim, T., Kim, J., Kim, S., and J. Sung, "Linear and 1894 Differential Cryptanalysis of Reduced SMS4 Block Cipher", 1895 June 2008, . 1897 [SM4-LinearDong] 1898 Dong, X., "Security Analysis of the blockciphers AES and 1899 SM4", 2011, . 1902 [SM4-LinearEtrog] 1903 Etrog, J. and M. Robshaw, "The Cryptanalysis of Reduced- 1904 Round SMS4", 2009, 1905 . 1907 [SM4-LinearLiu] 1908 Liu, M. and J. Chen, "Improved Linear Attacks on the 1909 Chinese Block Cipher Standard", November 2014, 1910 . 1912 [SM4-MatrixShe] 1913 Ping, S., "Matrix Attack On Blockcipher SMS4", 2012, 1914 . 1917 [SM4-MatrixWei] 1918 Wei, H., Cui, H., and X. Lu, "Differential-Algebraic 1919 Analysis of the SMS4 Block Cipher", 2012, 1920 . 1923 [SM4-MLCho] 1924 Cho, J. and K. Nyberg, "Improved linear cryptanalysis of 1925 SM4 block cipher", 2010, . 1928 [SM4-MLLiu] 1929 Zhiqiang, L., Dawu, G., and Z. Jing, "Multiple Linear 1930 Cryptanalysis of Reduced-Round SMS4 Block Cipher", 2010, 1931 . 1934 [SM4-NLC] Liu, Y., Liang, H., Wang, W., and M. Wang, "New Linear 1935 Cryptanalysis of Chinese Commercial Block Cipher Standard 1936 SM4", June 2017, . 1938 [SM4-Power] 1939 Du, Z., Wu, Z., Wang, M., and J. Rao, "Improved chosen- 1940 plaintext power analysis attack against SM4 at the round- 1941 output", October 2015, 1942 . 1944 [SM4-Random] 1945 Zhang, L. and W. Wu, "Pseudorandomness and Super- 1946 pseudorandomness of a non-balanced Feistel Structure using 1947 compressed functions", January 2009, 1948 . 1951 [SM4-RKDC] 1952 Zhang, J., Wu, W., and Y. Zheng, "Security of SM4 Against 1953 (Related-Key) Differential Cryptanalysis", November 2016, 1954 . 1956 [SM4-Sbox] 1957 Liu, J., Wei, B., and X. Dai, "Cryptographic Properties of 1958 S-box in SMS4", January 2011, 1959 . 1962 [SM4-SLC] Zhang, B. and J. Chenhui, "Practical security against 1963 linear cryptanalysis for SMS4-like ciphers with SP round 1964 function", 2012, 1965 . 1967 [SM4-SLDC] 1968 Zhang, M., Liu, Y., Liu, J., and X. Min, "Practically 1969 Secure against Differential Cryptanalysis for Block Cipher 1970 SMS4", 2011, . 1972 [SM4-VLSI] 1973 Yu, S., Li, K., Li, K., Qin, Y., and Z. Tong, "A VLSI 1974 implementation of an SM4 algorithm resistant to power 1975 analysis", July 2016, 1976 . 1978 [SM4-WhiteBox] 1979 Bai, K. and C. Wu, "A secure white-box SM4 1980 implementation", May 2008, 1981 . 1983 [SM4-ZCLC] 1984 Ma, M., Zhao, Y., Liu, Q., and F. Liu, "Multidimensional 1985 Zero-correlation Linear Cryptanalysis on SMS4 Algorithm", 1986 September 2015, 1987 . 1990 Appendix A. Appendix A: Example Calculations 1992 A.1. Examples From GB/T 32907-2016 1994 A.1.1. Example 1 (GB/T 32907-2016 Example 1 Encryption) 1996 This is example 1 provided by [GBT.32907-2016] to demonstrate 1997 encryption of a plaintext. 1999 Plaintext: 2001 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2003 Encryption key: 2005 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2007 Status of the round key (rk_i) and round output (X_i) per round: 2009 rk_0 = F12186F9 X_4 = 27FAD345 2010 rk_1 = 41662B61 X_5 = A18B4CB2 2011 rk_2 = 5A6AB19A X_6 = 11C1E22A 2012 rk_3 = 7BA92077 X_7 = CC13E2EE 2013 rk_4 = 367360F4 X_8 = F87C5BD5 2014 rk_5 = 776A0C61 X_9 = 33220757 2015 rk_6 = B6BB89B3 X_10 = 77F4C297 2016 rk_7 = 24763151 X_11 = 7A96F2EB 2017 rk_8 = A520307C X_12 = 27DAC07F 2018 rk_9 = B7584DBD X_13 = 42DD0F19 2019 rk_10 = C30753ED X_14 = B8A5DA02 2020 rk_11 = 7EE55B57 X_15 = 907127FA 2021 rk_12 = 6988608C X_16 = 8B952B83 2022 rk_13 = 30D895B7 X_17 = D42B7C59 2023 rk_14 = 44BA14AF X_18 = 2FFC5831 2024 rk_15 = 104495A1 X_19 = F69E6888 2025 rk_16 = D120B428 X_20 = AF2432C4 2026 rk_17 = 73B55FA3 X_21 = ED1EC85E 2027 rk_18 = CC874966 X_22 = 55A3BA22 2028 rk_19 = 92244439 X_23 = 124B18AA 2029 rk_20 = E89E641F X_24 = 6AE7725F 2030 rk_21 = 98CA015A X_25 = F4CBA1F9 2031 rk_22 = C7159060 X_26 = 1DCDFA10 2032 rk_23 = 99E1FD2E X_27 = 2FF60603 2033 rk_24 = B79BD80C X_28 = EFF24FDC 2034 rk_25 = 1D2115B0 X_29 = 6FE46B75 2035 rk_26 = 0E228AEB X_30 = 893450AD 2036 rk_27 = F1780C81 X_31 = 7B938F4C 2037 rk_28 = 428D3654 X_32 = 536E4246 2038 rk_29 = 62293496 X_33 = 86B3E94F 2039 rk_30 = 01CF72E5 X_34 = D206965E 2040 rk_31 = 9124A012 X_35 = 681EDF34 2042 Ciphertext: 2044 68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46 2046 A.1.2. Example 2 (GB/T 32907-2016 Example 1 Decryption) 2048 This demonstrates the decryption process of the Example 1 ciphertext 2049 provided by [GBT.32907-2016]. 2051 Ciphertext: 2053 68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46 2055 Encryption key: 2057 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2059 Status of the round key (rk_i) and round output (X_i) per round: 2061 rk_31 = 9124A012 X_35 = 7B938F4C 2062 rk_30 = 01CF72E5 X_34 = 893450AD 2063 rk_29 = 62293496 X_33 = 6FE46B75 2064 rk_28 = 428D3654 X_32 = EFF24FDC 2065 rk_27 = F1780C81 X_31 = 2FF60603 2066 rk_26 = 0E228AEB X_30 = 1DCDFA10 2067 rk_25 = 1D2115B0 X_29 = F4CBA1F9 2068 rk_24 = B79BD80C X_28 = 6AE7725F 2069 rk_23 = 99E1FD2E X_27 = 124B18AA 2070 rk_22 = C7159060 X_26 = 55A3BA22 2071 rk_21 = 98CA015A X_25 = ED1EC85E 2072 rk_20 = E89E641F X_24 = AF2432C4 2073 rk_19 = 92244439 X_23 = F69E6888 2074 rk_18 = CC874966 X_22 = 2FFC5831 2075 rk_17 = 73B55FA3 X_21 = D42B7C59 2076 rk_16 = D120B428 X_20 = 8B952B83 2077 rk_15 = 104495A1 X_19 = 907127FA 2078 rk_14 = 44BA14AF X_18 = B8A5DA02 2079 rk_13 = 30D895B7 X_17 = 42DD0F19 2080 rk_12 = 6988608C X_16 = 27DAC07F 2081 rk_11 = 7EE55B57 X_15 = 7A96F2EB 2082 rk_10 = C30753ED X_14 = 77F4C297 2083 rk_9 = B7584DBD X_13 = 33220757 2084 rk_8 = A520307C X_12 = F87C5BD5 2085 rk_7 = 24763151 X_11 = CC13E2EE 2086 rk_6 = B6BB89B3 X_10 = 11C1E22A 2087 rk_5 = 776A0C61 X_9 = A18B4CB2 2088 rk_4 = 367360F4 X_8 = 27FAD345 2089 rk_3 = 7BA92077 X_7 = 76543210 2090 rk_2 = 5A6AB19A X_6 = FEDCBA98 2091 rk_1 = 41662B61 X_5 = 89ABCDEF 2092 rk_0 = F12186F9 X_4 = 01234567 2094 Plaintext: 2096 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2098 A.1.3. Example 3 (GB/T 32907-2016 Example 2 Encryption) 2100 This example is provided by [GBT.32907-2016] to demonstrate 2101 encryption of a plaintext 1,000,000 times repeatedly, using a fixed 2102 encryption key. 2104 Plaintext: 2106 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2108 Encryption Key: 2110 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2112 Ciphertext: 2114 59 52 98 C7 C6 FD 27 1F 04 02 F8 04 C3 3D 3F 66 2116 A.1.4. Example 4 2118 The following example demonstrates encryption of a different message 2119 using a different key from the above examples. 2121 Plaintext: 2123 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2125 Encryption key: 2127 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2129 Status of the round key (rk_i) and round output (X_i) per round: 2131 rk_0 = 0D8CC1B4 X_4 = F7EAEB6A 2132 rk_1 = AC44F213 X_5 = B4967C0F 2133 rk_2 = 188C0C40 X_6 = 5B9B2419 2134 rk_3 = 7537585E X_7 = F46BECBA 2135 rk_4 = 627646F5 X_8 = A8013E25 2136 rk_5 = 54D785AD X_9 = B38E2ABE 2137 rk_6 = 51B96DEE X_10 = 3E7C99A1 2138 rk_7 = 0C385958 X_11 = 6DD5F47F 2139 rk_8 = 5E494992 X_12 = B286430C 2140 rk_9 = 32F3FE04 X_13 = AB997DE3 2141 rk_10 = 3A3A733D X_14 = 80F8F21F 2142 rk_11 = 0EDFB91D X_15 = 4EF7052E 2143 rk_12 = 6823CD6B X_16 = 4462FFAF 2144 rk_13 = 40F7D825 X_17 = 14DFD5EA 2145 rk_14 = 4BD68EE5 X_18 = 6D33EFED 2146 rk_15 = 165A36C8 X_19 = 3A4F8B3C 2147 rk_16 = 56608984 X_20 = 1A435088 2148 rk_17 = 23F35FF4 X_21 = 4E64B153 2149 rk_18 = 8B592B3E X_22 = 0415CEDA 2150 rk_19 = 80F7388A X_23 = ADD88955 2151 rk_20 = 0415C409 X_24 = 73964EF1 2152 rk_21 = AFDF1370 X_25 = B0085092 2153 rk_22 = CF444772 X_26 = 554A1293 2154 rk_23 = 9AF9901F X_27 = 4BC6D6A8 2155 rk_24 = C457578C X_28 = 7BB650E1 2156 rk_25 = 95701C60 X_29 = DDFB8A61 2157 rk_26 = 2B0F4EE1 X_30 = 5C4DFD78 2158 rk_27 = 7F826139 X_31 = FD9066FD 2159 rk_28 = FA37F8D9 X_32 = 55ADB594 2160 rk_29 = D18AF8CE X_33 = AC1B3EA9 2161 rk_30 = 5BD5D8C6 X_34 = 13F01ADE 2162 rk_31 = 711138B7 X_35 = F766678F 2164 Ciphertext: 2166 F7 66 67 8F 13 F0 1A DE AC 1B 3E A9 55 AD B5 94 2168 A.1.5. Example 5 2170 The following example demonstrates decryption of Example 4. 2172 Ciphertext: 2174 F7 66 67 8F 13 F0 1A DE AC 1B 3E A9 55 AD B5 94 2176 Encryption key: 2178 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2179 Status of the round key (rk_i) and round output (X_i) per round: 2181 rk_31 = 711138B7 X_35 = FD9066FD 2182 rk_30 = 5BD5D8C6 X_34 = 5C4DFD78 2183 rk_29 = D18AF8CE X_33 = DDFB8A61 2184 rk_28 = FA37F8D9 X_32 = 7BB650E1 2185 rk_27 = 7F826139 X_31 = 4BC6D6A8 2186 rk_26 = 2B0F4EE1 X_30 = 554A1293 2187 rk_25 = 95701C60 X_29 = B0085092 2188 rk_24 = C457578C X_28 = 73964EF1 2189 rk_23 = 9AF9901F X_27 = ADD88955 2190 rk_22 = CF444772 X_26 = 0415CEDA 2191 rk_21 = AFDF1370 X_25 = 4E64B153 2192 rk_20 = 0415C409 X_24 = 1A435088 2193 rk_19 = 80F7388A X_23 = 3A4F8B3C 2194 rk_18 = 8B592B3E X_22 = 6D33EFED 2195 rk_17 = 23F35FF4 X_21 = 14DFD5EA 2196 rk_16 = 56608984 X_20 = 4462FFAF 2197 rk_15 = 165A36C8 X_19 = 4EF7052E 2198 rk_14 = 4BD68EE5 X_18 = 80F8F21F 2199 rk_13 = 40F7D825 X_17 = AB997DE3 2200 rk_12 = 6823CD6B X_16 = B286430C 2201 rk_11 = 0EDFB91D X_15 = 6DD5F47F 2202 rk_10 = 3A3A733D X_14 = 3E7C99A1 2203 rk_9 = 32F3FE04 X_13 = B38E2ABE 2204 rk_8 = 5E494992 X_12 = A8013E25 2205 rk_7 = 0C385958 X_11 = F46BECBA 2206 rk_6 = 51B96DEE X_10 = 5B9B2419 2207 rk_5 = 54D785AD X_9 = B4967C0F 2208 rk_4 = 627646F5 X_8 = F7EAEB6A 2209 rk_3 = 7537585E X_7 = 0C0D0E0F 2210 rk_2 = 188C0C40 X_6 = 08090A0B 2211 rk_1 = AC44F213 X_5 = 04050607 2212 rk_0 = 0D8CC1B4 X_4 = 00010203 2214 Plaintext: 2216 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2218 A.1.6. Example 6 2220 This example is based on Example 4 to demonstrate encryption of a 2221 plaintext 1,000,000 times repeatedly, using a fixed encryption key. 2223 Plaintext: 2225 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2226 Encryption Key: 2228 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2230 Ciphertext: 2232 37 9A 96 D0 A6 A5 A5 06 0F B4 60 C7 5D 18 79 ED 2234 A.2. Examples For Various Modes Of Operations 2236 The following examples can be verified using open-source 2237 cryptographic libraries including: 2239 o the Botan cryptographic library [BOTAN] with SM4 support, and 2241 o the OpenSSL Cryptography and SSL/TLS Toolkit [OPENSSL] with SM4 2242 support 2244 A.2.1. SM4-ECB Examples 2246 A.2.1.1. Example 1 2248 Plaintext: 2250 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2251 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2253 Encryption Key: 2255 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2257 Ciphertext: 2259 5E C8 14 3D E5 09 CF F7 B5 17 9F 8F 47 4B 86 19 2260 2F 1D 30 5A 7F B1 7D F9 85 F8 1C 84 82 19 23 04 2262 A.2.1.2. Example 2 2264 Plaintext: 2266 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2267 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2269 Encryption Key: 2271 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2273 Ciphertext: 2275 C5 87 68 97 E4 A5 9B BB A7 2A 10 C8 38 72 24 5B 2276 12 DD 90 BC 2D 20 06 92 B5 29 A4 15 5A C9 E6 00 2278 A.2.2. SM4-CBC Examples 2280 A.2.2.1. Example 1 2282 Plaintext: 2284 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2285 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2287 Encryption Key: 2289 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2291 IV: 2293 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2295 Ciphertext: 2297 78 EB B1 1C C4 0B 0A 48 31 2A AE B2 04 02 44 CB 2298 4C B7 01 69 51 90 92 26 97 9B 0D 15 DC 6A 8F 6D 2300 A.2.2.2. Example 2 2302 Plaintext: 2304 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2305 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2307 Encryption Key: 2309 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2311 IV: 2313 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2315 Ciphertext: 2317 0D 3A 6D DC 2D 21 C6 98 85 72 15 58 7B 7B B5 9A 2318 91 F2 C1 47 91 1A 41 44 66 5E 1F A1 D4 0B AE 38 2320 A.2.3. SM4-OFB Examples 2322 A.2.3.1. Example 1 2324 Plaintext: 2326 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2327 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2329 Encryption Key: 2331 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2333 IV: 2335 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2337 Ciphertext: 2339 AC 32 36 CB 86 1D D3 16 E6 41 3B 4E 3C 75 24 B7 2340 1D 01 AC A2 48 7C A5 82 CB F5 46 3E 66 98 53 9B 2342 A.2.3.2. Example 2 2344 Plaintext: 2346 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2347 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2349 Encryption Key: 2351 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2353 IV: 2355 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2357 Ciphertext: 2359 5D CC CD 25 A8 4B A1 65 60 D7 F2 65 88 70 68 49 2360 33 FA 16 BD 5C D9 C8 56 CA CA A1 E1 01 89 7A 97 2362 A.2.4. SM4-CFB Examples 2363 A.2.4.1. Example 1 2365 Plaintext: 2367 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2368 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2370 Encryption Key: 2372 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2374 IV: 2376 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2378 Ciphertext: 2380 AC 32 36 CB 86 1D D3 16 E6 41 3B 4E 3C 75 24 B7 2381 69 D4 C5 4E D4 33 B9 A0 34 60 09 BE B3 7B 2B 3F 2383 A.2.4.2. Example 2 2385 Plaintext: 2387 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2388 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2390 Encryption Key: 2392 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2394 IV: 2396 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2398 Ciphertext: 2400 5D CC CD 25 A8 4B A1 65 60 D7 F2 65 88 70 68 49 2401 0D 9B 86 FF 20 C3 BF E1 15 FF A0 2C A6 19 2C C5 2403 A.2.5. SM4-CTR Examples 2405 A.2.5.1. Example 1 2407 Plaintext: 2409 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2410 CC CC CC CC CC CC CC CC DD DD DD DD DD DD DD DD 2411 EE EE EE EE EE EE EE EE FF FF FF FF FF FF FF FF 2412 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2414 Encryption Key: 2416 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2418 IV: 2420 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2422 Ciphertext: 2424 AC 32 36 CB 97 0C C2 07 91 36 4C 39 5A 13 42 D1 2425 A3 CB C1 87 8C 6F 30 CD 07 4C CE 38 5C DD 70 C7 2426 F2 34 BC 0E 24 C1 19 80 FD 12 86 31 0C E3 7B 92 2427 6E 02 FC D0 FA A0 BA F3 8B 29 33 85 1D 82 45 14 2429 A.2.5.2. Example 2 2431 Plaintext: 2433 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2434 CC CC CC CC CC CC CC CC DD DD DD DD DD DD DD DD 2435 EE EE EE EE EE EE EE EE FF FF FF FF FF FF FF FF 2436 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2438 Encryption Key: 2440 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2442 IV: 2444 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2446 Ciphertext: 2448 5D CC CD 25 B9 5A B0 74 17 A0 85 12 EE 16 0E 2F 2449 8F 66 15 21 CB BA B4 4C C8 71 38 44 5B C2 9E 5C 2450 0A E0 29 72 05 D6 27 04 17 3B 21 23 9B 88 7F 6C 2451 8C B5 B8 00 91 7A 24 88 28 4B DE 9E 16 EA 29 06 2453 Appendix B. Sample Implementation In C 2455 B.1. sm4.h 2457 "sm4.h" is the header file for the SM4 function. 2459 2460 #ifndef HEADER_SM4_H 2461 # define HEADER_SM4_H 2463 #include 2465 # define SM4_BLOCK_SIZE 16 2466 # define SM4_KEY_SCHEDULE 32 2468 void sm4_encrypt(uint8_t key[], 2469 unsigned char plaintext[], 2470 unsigned char ciphertext[]); 2472 void sm4_decrypt(uint8_t key[], 2473 unsigned char ciphertext[], 2474 unsigned char plaintext[]); 2476 #endif 2478 2480 B.2. sm4.c 2482 "sm4.c" contains the main implementation of SM4. 2484 2485 /* A sample implementation of SM4 */ 2487 #include 2488 #include 2489 #include "sm4.h" 2490 #include "print.h" 2492 /* Operations */ 2493 /* Rotate Left 32-bit number */ 2494 #define ROTL32(X, n) (((X) << (n)) | ((X) >> (32 - (n)))) 2496 static uint32_t sm4_ck[32] = { 2497 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269, 2498 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9, 2499 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249, 2500 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9, 2501 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229, 2502 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299, 2503 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209, 2504 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 2505 }; 2507 static uint8_t sm4_sbox[256] = { 2508 0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 2509 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05, 2510 0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 2511 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 2512 0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 2513 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62, 2514 0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 2515 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6, 2516 0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 2517 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8, 2518 0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 2519 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35, 2520 0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 2521 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87, 2522 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52, 2523 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 2524 0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 2525 0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1, 2526 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 2527 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3, 2528 0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 2529 0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 2530 0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 2531 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51, 2532 0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 2533 0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8, 2534 0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 2535 0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0, 2536 0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 2537 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84, 2538 0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 2539 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0x48 2540 }; 2542 static uint32_t sm4_fk[4] = { 2543 0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC 2544 }; 2546 static uint32_t load_u32_be(const uint8_t *b, uint32_t n) 2547 { 2548 return ((uint32_t)b[4 * n + 3] << 24) | 2549 ((uint32_t)b[4 * n + 2] << 16) | 2550 ((uint32_t)b[4 * n + 1] << 8) | 2551 ((uint32_t)b[4 * n ]); 2552 } 2554 static void store_u32_be(uint32_t v, uint8_t *b) 2555 { 2556 b[3] = (uint8_t)(v >> 24); 2557 b[2] = (uint8_t)(v >> 16); 2558 b[1] = (uint8_t)(v >> 8); 2559 b[0] = (uint8_t)(v); 2560 } 2562 static void sm4_key_schedule(uint8_t key[], uint32_t rk[]) 2563 { 2564 uint32_t t, x, k[36]; 2565 int i; 2567 for (i = 0; i < 4; i++) 2568 { 2569 k[i] = load_u32_be(key, i) ^ sm4_fk[i]; 2570 } 2572 /* T' */ 2573 for (i = 0; i < SM4_KEY_SCHEDULE; ++i) 2574 { 2575 x = k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ sm4_ck[i]; 2577 /* Nonlinear operation tau */ 2578 t = ((uint32_t)sm4_sbox[(uint8_t)(x >> 24)]) << 24 | 2579 ((uint32_t)sm4_sbox[(uint8_t)(x >> 16)]) << 16 | 2580 ((uint32_t)sm4_sbox[(uint8_t)(x >> 8)]) << 8 | 2581 ((uint32_t)sm4_sbox[(uint8_t)(x)]); 2583 /* Linear operation L' */ 2584 k[i+4] = k[i] ^ (t ^ ROTL32(t, 13) ^ ROTL32(t, 23)); 2585 rk[i] = k[i + 4]; 2586 } 2588 } 2590 #define SM4_ROUNDS(k0, k1, k2, k3, F) \ 2591 do { \ 2592 X0 ^= F(X1 ^ X2 ^ X3 ^ rk[k0]); \ 2593 X1 ^= F(X0 ^ X2 ^ X3 ^ rk[k1]); \ 2594 X2 ^= F(X0 ^ X1 ^ X3 ^ rk[k2]); \ 2595 X3 ^= F(X0 ^ X1 ^ X2 ^ rk[k3]); \ 2596 debug_print("rk_%0.2i = %0.8x " \ 2597 " X_%0.2i = %0.8x\n", k0, rk[k0], k0+4, X0); \ 2598 debug_print("rk_%0.2i = %0.8x " \ 2599 " X_%0.2i = %0.8x\n", k1, rk[k1], k1+4, X1); \ 2600 debug_print("rk_%0.2i = %0.8x " \ 2601 " X_%0.2i = %0.8x\n", k2, rk[k2], k2+4, X2); \ 2602 debug_print("rk_%0.2i = %0.8x " \ 2603 " X_%0.2i = %0.8x\n", k3, rk[k3], k3+4, X3); \ 2604 } while(0) 2606 static uint32_t sm4_t(uint32_t x) 2607 { 2608 uint32_t t = 0; 2610 t |= ((uint32_t)sm4_sbox[(uint8_t)(x >> 24)]) << 24; 2611 t |= ((uint32_t)sm4_sbox[(uint8_t)(x >> 16)]) << 16; 2612 t |= ((uint32_t)sm4_sbox[(uint8_t)(x >> 8)]) << 8; 2613 t |= sm4_sbox[(uint8_t)x]; 2615 /* 2616 * L linear transform 2617 */ 2618 return t ^ ROTL32(t, 2) ^ ROTL32(t, 10) ^ 2619 ROTL32(t, 18) ^ ROTL32(t, 24); 2620 } 2622 void sm4_encrypt(uint8_t key[], 2623 unsigned char plaintext[], 2624 unsigned char ciphertext[]) 2625 { 2626 uint32_t rk[SM4_KEY_SCHEDULE], X0, X1, X2, X3; 2627 int i, j; 2629 sm4_key_schedule(key, rk); 2631 X0 = load_u32_be(plaintext, 0); 2632 X1 = load_u32_be(plaintext, 1); 2633 X2 = load_u32_be(plaintext, 2); 2634 X3 = load_u32_be(plaintext, 3); 2636 SM4_ROUNDS( 0, 1, 2, 3, sm4_t); 2637 SM4_ROUNDS( 4, 5, 6, 7, sm4_t); 2638 SM4_ROUNDS( 8, 9, 10, 11, sm4_t); 2639 SM4_ROUNDS(12, 13, 14, 15, sm4_t); 2640 SM4_ROUNDS(16, 17, 18, 19, sm4_t); 2641 SM4_ROUNDS(20, 21, 22, 23, sm4_t); 2642 SM4_ROUNDS(24, 25, 26, 27, sm4_t); 2643 SM4_ROUNDS(28, 29, 30, 31, sm4_t); 2644 store_u32_be(X3, ciphertext); 2645 store_u32_be(X2, ciphertext + 4); 2646 store_u32_be(X1, ciphertext + 8); 2647 store_u32_be(X0, ciphertext + 12); 2648 } 2650 void sm4_decrypt(uint8_t key[], 2651 unsigned char ciphertext[], 2652 unsigned char plaintext[]) 2653 { 2654 uint32_t rk[SM4_KEY_SCHEDULE], X0, X1, X2, X3; 2655 int i, j; 2657 sm4_key_schedule(key, rk); 2659 X0 = load_u32_be(ciphertext, 0); 2660 X1 = load_u32_be(ciphertext, 1); 2661 X2 = load_u32_be(ciphertext, 2); 2662 X3 = load_u32_be(ciphertext, 3); 2664 SM4_ROUNDS(31, 30, 29, 28, sm4_t); 2665 SM4_ROUNDS(27, 26, 25, 24, sm4_t); 2666 SM4_ROUNDS(23, 22, 21, 20, sm4_t); 2667 SM4_ROUNDS(19, 18, 17, 16, sm4_t); 2668 SM4_ROUNDS(15, 14, 13, 12, sm4_t); 2669 SM4_ROUNDS(11, 10, 9, 8, sm4_t); 2670 SM4_ROUNDS( 7, 6, 5, 4, sm4_t); 2671 SM4_ROUNDS( 3, 2, 1, 0, sm4_t); 2673 store_u32_be(X3, plaintext); 2674 store_u32_be(X2, plaintext + 4); 2675 store_u32_be(X1, plaintext + 8); 2676 store_u32_be(X0, plaintext + 12); 2677 } 2679 2681 B.3. sm4_main.c 2683 "sm4_main.c" is used to run the examples provided in this document 2684 and print out internal state for implementation reference. 2686 2687 #include 2688 #include 2689 #include 2690 #include "sm4.h" 2691 #include "print.h" 2692 typedef struct { 2693 unsigned char* key; 2694 unsigned char* message; 2695 unsigned char* expected; 2696 int iterations; 2697 bool encrypt; 2698 } test_case; 2700 int sm4_run_example(test_case tc) 2701 { 2702 unsigned char input[SM4_BLOCK_SIZE] = {0}; 2703 unsigned char output[SM4_BLOCK_SIZE] = {0}; 2704 int i; 2706 debug_print("-----------------------" 2707 " Message Input m Begin " 2708 "-------------------------\n"); 2709 print_bytes((unsigned int*)tc.message, SM4_BLOCK_SIZE); 2710 debug_print("----------------------- " 2711 "Message Input m End " 2712 "---------------------------\n"); 2714 if (tc.encrypt) 2715 { 2716 debug_print("----------------------- " 2717 "Encrypt " 2718 "---------------------------\n"); 2719 memcpy(input, tc.message, SM4_BLOCK_SIZE); 2720 for (i = 0; i != tc.iterations; ++i) 2721 { 2722 sm4_encrypt(tc.key, 2723 (unsigned char*)input, 2724 (unsigned char*)output); 2725 memcpy(input, output, SM4_BLOCK_SIZE); 2726 } 2727 } 2728 else 2729 { 2730 debug_print("----------------------- " 2731 "Decrypt " 2732 "---------------------------\n"); 2733 memcpy(input, tc.message, SM4_BLOCK_SIZE); 2734 for (i = 0; i != tc.iterations; ++i) 2735 { 2736 sm4_decrypt(tc.key, 2737 (unsigned char*)input, 2738 (unsigned char*)output); 2739 memcpy(input, output, SM4_BLOCK_SIZE); 2741 } 2742 } 2744 debug = 1; 2745 debug_print("+++++++++++++++++++++++++++++++" 2746 " RESULT " 2747 "++++++++++++++++++++++++++++++++\n"); 2748 debug_print("RESULTS:\n"); 2749 debug_print(" Expected:\n"); 2750 print_bytes((unsigned int*)tc.expected, SM4_BLOCK_SIZE); 2752 debug_print(" Output:\n"); 2753 print_bytes((unsigned int*)output, SM4_BLOCK_SIZE); 2755 debug = 0; 2756 return memcmp( 2757 (unsigned char*)output, 2758 (unsigned char*)tc.expected, 2759 SM4_BLOCK_SIZE 2760 ); 2761 } 2763 int main(int argc, char **argv) 2764 { 2766 int i; 2767 unsigned char key[SM4_BLOCK_SIZE]; 2768 unsigned char block[SM4_BLOCK_SIZE]; 2770 test_case tests[8] = {0}; 2772 /* 2773 * This test vector comes from Example 1 of GB/T 32907-2016, 2774 */ 2775 static const unsigned int gbt32907k1[SM4_BLOCK_SIZE] = { 2776 0x01234567, 0x89abcdef, 2777 0xfedcba98, 0x76543210 2778 }; 2779 static const unsigned int gbt32907m1[SM4_BLOCK_SIZE] = { 2780 0x01234567, 0x89abcdef, 2781 0xfedcba98, 0x76543210 2782 }; 2783 static const unsigned int gbt32907e1[SM4_BLOCK_SIZE] = { 2784 0x681edf34, 0xd206965e, 2785 0x86b3e94f, 0x536e4246 2786 }; 2787 test_case gbt32907t1 = { 2788 (unsigned char*)gbt32907k1, 2789 (unsigned char*)gbt32907m1, 2790 (unsigned char*)gbt32907e1, 2791 1, 2792 true 2793 }; 2794 tests[0] = gbt32907t1; 2796 /* 2797 * This test vector comes from Example 2 from GB/T 32907-2016. 2798 * After 1,000,000 iterations. 2799 */ 2800 static const unsigned int gbt32907e2[SM4_BLOCK_SIZE] = { 2801 0x595298c7, 0xc6fd271f, 2802 0x0402f804, 0xc33d3f66 2803 }; 2804 test_case gbt32907t2 = { 2805 (unsigned char*)gbt32907k1, 2806 (unsigned char*)gbt32907m1, 2807 (unsigned char*)gbt32907e2, 2808 1000000, 2809 true 2810 }; 2811 tests[1] = gbt32907t2; 2813 /* 2814 * This test vector reverses Example 1 of GB/T 32907-2016. 2815 * After decrypting 1 iteration. 2816 */ 2817 test_case gbt32907t3 = { 2818 (unsigned char*)gbt32907k1, 2819 (unsigned char*)gbt32907e1, 2820 (unsigned char*)gbt32907m1, 2821 1, 2822 false 2823 }; 2824 tests[2] = gbt32907t3; 2826 /* 2827 * This test vector reverses Example 2 of GB/T 32907-2016. 2828 * After decrypting 1,000,000 iterations. 2829 */ 2830 test_case gbt32907t4 = { 2831 (unsigned char*)gbt32907k1, 2832 (unsigned char*)gbt32907e2, 2833 (unsigned char*)gbt32907m1, 2834 1000000, 2835 false 2836 }; 2837 tests[3] = gbt32907t4; 2839 /* 2840 * Newly added examples to demonstrate key changes. 2841 */ 2842 static const unsigned int newexamplek1[SM4_BLOCK_SIZE] = { 2843 0xfedcba98, 0x76543210, 2844 0x01234567, 0x89abcdef 2845 }; 2846 static const unsigned int newexamplem1[SM4_BLOCK_SIZE] = { 2847 0x00010203, 0x04050607, 2848 0x08090a0b, 0x0c0d0e0f 2849 }; 2850 static const unsigned int newexamplee1[SM4_BLOCK_SIZE] = { 2851 0xf766678f, 0x13f01ade, 2852 0xac1b3ea9, 0x55adb594 2853 }; 2854 /* 2855 */ 2856 test_case newexample1 = { 2857 (unsigned char*)newexamplek1, 2858 (unsigned char*)newexamplem1, 2859 (unsigned char*)newexamplee1, 2860 1, 2861 true 2862 }; 2863 tests[4] = newexample1; 2865 test_case newexample2 = { 2866 (unsigned char*)newexamplek1, 2867 (unsigned char*)newexamplee1, 2868 (unsigned char*)newexamplem1, 2869 1, 2870 false 2871 }; 2872 tests[5] = newexample2; 2874 /* 2875 * After 1,000,000 iterations. 2876 */ 2877 static const unsigned int newexamplee2[SM4_BLOCK_SIZE] = { 2878 0x379a96d0, 0xa6a5a506, 2879 0x0fb460c7, 0x5d1879ed 2880 }; 2881 test_case newexample3 = { 2882 (unsigned char*)newexamplek1, 2883 (unsigned char*)newexamplem1, 2884 (unsigned char*)newexamplee2, 2885 1000000, 2886 true 2887 }; 2888 tests[6] = newexample3; 2890 for (i = 0; i < 7; ++i) 2891 { 2893 if (i == 1 || i == 3) 2894 continue; 2896 printf("sm4_example[%2i]: %s\n", i, 2897 sm4_run_example(tests[i]) ? "FAIL" : "PASS"); 2898 } 2900 return 0; 2901 } 2903 2905 B.4. print.c and print.h 2907 "print.c" and "print.h" are used to provide pretty formatting used to 2908 print out the examples for this document. 2910 "print.h" 2912 2913 #ifndef SM4PRINT_H 2914 #define SM4PRINT_H 2916 #define DEBUG 0 2917 #define debug_print(...) \ 2918 do { if (DEBUG) fprintf(stderr, __VA_ARGS__); } while (0) 2920 #include 2922 void print_bytes(unsigned* buf, int n); 2924 #endif 2925 2927 "print.c" 2928 2929 #include 2930 #include "print.h" 2932 void print_bytes(unsigned int* buf, int n) 2933 { 2934 unsigned char* ptr = (unsigned char*)buf; 2935 int i, j; 2937 for (i = 0; i <= n/4; i++) { 2938 if (i > 0 && i % 8 == 0) { 2939 debug_print("\n"); 2940 } 2941 for (j = 1; j <= 4; j++) { 2942 if ((i*4+4-j) < n) { 2943 debug_print("%.2X", ptr[(i*4)+4-j]); 2944 } 2945 } 2946 debug_print(" "); 2947 } 2948 debug_print("\n"); 2949 } 2951 2953 Appendix C. Acknowledgements 2955 The authors would like to thank the following persons for their 2956 valuable advice and input. 2958 o Erick Borsboom, for assisting the lengthy review of this document; 2960 o Jack Lloyd and Daniel Wyatt, of the Ribose RNP team, for their 2961 input and implementation; 2963 o Paul Yang, for reviewing and proposing improvements to readability 2964 of this document; 2966 o Markku-Juhani Olavi Saarinen, for reviewing and proposing 2967 inclusion of better examples and reference code to aid 2968 implementers, as well as for actually going through the examples 2969 to ensure their correctness. 2971 Authors' Addresses 2972 Ronald Henry Tse 2973 Ribose 2974 Suite 1111, 1 Pedder Street 2975 Central, Hong Kong 2976 People's Republic of China 2978 Email: ronald.tse@ribose.com 2979 URI: https://www.ribose.com 2981 Wai Kit Wong 2982 Hang Seng Management College 2983 Hang Shin Link, Siu Lek Yuen 2984 Shatin, Hong Kong 2985 People's Republic of China 2987 Email: wongwk@hsmc.edu.hk 2988 URI: https://www.hsmc.edu.hk