idnits 2.17.1 draft-ribose-cfrg-sm4-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 8, 2018) is 2290 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Research Task Force R. Tse 3 Internet-Draft Ribose 4 Intended status: Informational W. Wong 5 Expires: July 12, 2018 Hang Seng Management College 6 January 8, 2018 8 The SM4 Blockcipher Algorithm And Its Modes Of Operations 9 draft-ribose-cfrg-sm4-09 11 Abstract 13 This document describes the SM4 symmetric blockcipher algorithm 14 published as GB/T 32907-2016 by the State Cryptography Administration 15 of China (SCA). 17 This document is a product of the Crypto Forum Research Group (CFRG). 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at https://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on July 12, 2018. 36 Copyright Notice 38 Copyright (c) 2018 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (https://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 51 1.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . 4 52 1.2. History . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 5 54 3. Symbols And Abbreviations . . . . . . . . . . . . . . . . . . 6 55 4. Compute Structure . . . . . . . . . . . . . . . . . . . . . . 6 56 5. Key And Key Parameters . . . . . . . . . . . . . . . . . . . 7 57 6. Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 7 58 6.1. Round Function F . . . . . . . . . . . . . . . . . . . . 7 59 6.2. Permutations T and T' . . . . . . . . . . . . . . . . . . 7 60 6.2.1. Nonlinear Transformation tau . . . . . . . . . . . . 8 61 6.2.2. Linear Transformations L and L' . . . . . . . . . . . 8 62 6.2.3. S-box S . . . . . . . . . . . . . . . . . . . . . . . 8 63 7. Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 7.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . 9 65 7.2. Decryption . . . . . . . . . . . . . . . . . . . . . . . 12 66 7.3. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 12 67 7.3.1. Family Key FK . . . . . . . . . . . . . . . . . . . . 13 68 7.3.2. Constant Key CK . . . . . . . . . . . . . . . . . . . 13 69 8. Modes of Operation . . . . . . . . . . . . . . . . . . . . . 14 70 8.1. Variables And Primitives . . . . . . . . . . . . . . . . 14 71 8.2. Initialization Vectors . . . . . . . . . . . . . . . . . 15 72 8.3. SM4-ECB . . . . . . . . . . . . . . . . . . . . . . . . . 15 73 8.3.1. SM4-ECB Encryption . . . . . . . . . . . . . . . . . 15 74 8.3.2. SM4-ECB Decryption . . . . . . . . . . . . . . . . . 16 75 8.4. SM4-CBC . . . . . . . . . . . . . . . . . . . . . . . . . 16 76 8.4.1. SM4-CBC Encryption . . . . . . . . . . . . . . . . . 17 77 8.4.2. SM4-CBC Decryption . . . . . . . . . . . . . . . . . 17 78 8.5. SM4-CFB . . . . . . . . . . . . . . . . . . . . . . . . . 18 79 8.5.1. SM4-CFB Variants . . . . . . . . . . . . . . . . . . 18 80 8.5.2. SM4-CFB Encryption . . . . . . . . . . . . . . . . . 19 81 8.5.3. SM4-CFB Decryption . . . . . . . . . . . . . . . . . 19 82 8.6. SM4-OFB . . . . . . . . . . . . . . . . . . . . . . . . . 20 83 8.6.1. SM4-OFB Encryption . . . . . . . . . . . . . . . . . 20 84 8.6.2. SM4-OFB Decryption . . . . . . . . . . . . . . . . . 21 85 8.7. SM4-CTR . . . . . . . . . . . . . . . . . . . . . . . . . 22 86 8.7.1. SM4-CTR Encryption . . . . . . . . . . . . . . . . . 22 87 8.7.2. SM4-CTR Decryption . . . . . . . . . . . . . . . . . 23 88 9. Object Identifier . . . . . . . . . . . . . . . . . . . . . . 24 89 9.1. GM/T OIDs . . . . . . . . . . . . . . . . . . . . . . . . 24 90 9.1.1. SCA OID Prefix . . . . . . . . . . . . . . . . . . . 24 91 9.1.2. Blockcipher Algorithms . . . . . . . . . . . . . . . 24 92 9.1.3. Standard Identification . . . . . . . . . . . . . . . 25 93 9.2. ISO OID . . . . . . . . . . . . . . . . . . . . . . . . . 25 94 10. Design Considerations . . . . . . . . . . . . . . . . . . . . 25 95 10.1. Basic Transformation . . . . . . . . . . . . . . . . . . 25 96 10.2. Nonlinear Transformation . . . . . . . . . . . . . . . . 26 97 10.2.1. S-box Algebraic Expression . . . . . . . . . . . . . 26 98 10.2.2. Algebraic Degree And Distribution Of Terms . . . . . 27 99 10.2.3. Differential Distribution . . . . . . . . . . . . . 28 100 10.2.4. Nonlinearity . . . . . . . . . . . . . . . . . . . . 29 101 10.2.5. Maximum Linearity Advantage . . . . . . . . . . . . 29 102 10.2.6. Balance . . . . . . . . . . . . . . . . . . . . . . 29 103 10.2.7. Completness and Avalanche Effect . . . . . . . . . . 30 104 10.3. Linear Transform . . . . . . . . . . . . . . . . . . . . 30 105 10.4. Key Expansion Algorithm . . . . . . . . . . . . . . . . 31 106 11. Cryptanalysis Results . . . . . . . . . . . . . . . . . . . . 32 107 11.1. Differential Cryptanalysis . . . . . . . . . . . . . . . 32 108 11.2. Linear Cryptanalysis . . . . . . . . . . . . . . . . . . 33 109 11.3. Multi-dimensional Linear Cryptanalysis . . . . . . . . . 33 110 11.4. Impossible Differential Cryptanalysis . . . . . . . . . 33 111 11.5. Zero-correlation Linear Cryptanalysis . . . . . . . . . 34 112 11.6. Integral Cryptanalysis . . . . . . . . . . . . . . . . . 34 113 11.7. Algebraic Attacks . . . . . . . . . . . . . . . . . . . 34 114 11.8. Matrix Attacks . . . . . . . . . . . . . . . . . . . . . 34 115 11.9. Provable Security Against Differential And Linear 116 Cryptanalysis . . . . . . . . . . . . . . . . . . . . . 35 117 11.10. Provable Security Against Related-Key Differential 118 Cryptanalysis . . . . . . . . . . . . . . . . . . . . . 35 119 11.11. Summary of SM4 Cryptanalytic Attacks . . . . . . . . . . 36 120 12. Security Considerations . . . . . . . . . . . . . . . . . . . 37 121 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 122 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 39 123 14.1. Normative References . . . . . . . . . . . . . . . . . . 39 124 14.2. Informative References . . . . . . . . . . . . . . . . . 39 125 Appendix A. Appendix A: Example Calculations . . . . . . . . . . 45 126 A.1. Examples From GB/T 32907-2016 . . . . . . . . . . . . . . 45 127 A.1.1. Example 1 (GB/T 32907-2016 Example 1 Encryption) . . 45 128 A.1.2. Example 2 (GB/T 32907-2016 Example 1 Decryption) . . 47 129 A.1.3. Example 3 (GB/T 32907-2016 Example 2 Encryption) . . 48 130 A.1.4. Example 4 . . . . . . . . . . . . . . . . . . . . . . 48 131 A.1.5. Example 5 . . . . . . . . . . . . . . . . . . . . . . 49 132 A.1.6. Example 6 . . . . . . . . . . . . . . . . . . . . . . 50 133 A.2. Examples For Various Modes Of Operations . . . . . . . . 51 134 A.2.1. SM4-ECB Examples . . . . . . . . . . . . . . . . . . 51 135 A.2.1.1. Example 1 . . . . . . . . . . . . . . . . . . . . 51 136 A.2.1.2. Example 2 . . . . . . . . . . . . . . . . . . . . 51 137 A.2.2. SM4-CBC Examples . . . . . . . . . . . . . . . . . . 52 138 A.2.2.1. Example 1 . . . . . . . . . . . . . . . . . . . . 52 139 A.2.2.2. Example 2 . . . . . . . . . . . . . . . . . . . . 52 140 A.2.3. SM4-OFB Examples . . . . . . . . . . . . . . . . . . 53 141 A.2.3.1. Example 1 . . . . . . . . . . . . . . . . . . . . 53 142 A.2.3.2. Example 2 . . . . . . . . . . . . . . . . . . . . 53 143 A.2.4. SM4-CFB Examples . . . . . . . . . . . . . . . . . . 53 144 A.2.4.1. Example 1 . . . . . . . . . . . . . . . . . . . . 54 145 A.2.4.2. Example 2 . . . . . . . . . . . . . . . . . . . . 54 146 A.2.5. SM4-CTR Examples . . . . . . . . . . . . . . . . . . 54 147 A.2.5.1. Example 1 . . . . . . . . . . . . . . . . . . . . 54 148 A.2.5.2. Example 2 . . . . . . . . . . . . . . . . . . . . 55 149 Appendix B. Sample Implementation In C . . . . . . . . . . . . . 56 150 B.1. sm4.h . . . . . . . . . . . . . . . . . . . . . . . . . . 56 151 B.2. sm4.c . . . . . . . . . . . . . . . . . . . . . . . . . . 56 152 B.3. sm4_main.c . . . . . . . . . . . . . . . . . . . . . . . 60 153 B.4. print.c and print.h . . . . . . . . . . . . . . . . . . . 65 154 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 66 155 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66 157 1. Introduction 159 SM4 [GBT.32907-2016] [ISO.IEC.18033-3.AMD2] is a cryptographic 160 standard issued by the State Cryptography Administration (SCA) of 161 China [SCA] (formerly the Office of State Commercial Cryptography 162 Administration, OSCCA) as an authorized cryptographic algorithm for 163 the use within China. The algorithm is published in public. 165 SM4 is a symmetric encryption algorithm, specifically a blockcipher, 166 designed for data encryption. 168 1.1. Purpose 170 This document does not aim to introduce a new algorithm, but to 171 provide a clear and open description of the SM4 algorithm in English, 172 and also to serve as a stable reference for IETF documents that 173 utilize this algorithm. 175 While this document is similar to [SM4-En] in nature, [SM4-En] is a 176 textual translation of the "SMS4" algorithm [SM4] published in 2006. 177 Instead, this document follows the updated description and structure 178 of [GBT.32907-2016] published in 2016. Sections 1 to 7 of this 179 document directly map to the corresponding sections numbers of the 180 [GBT.32907-2016] standard for convenience of the reader. 182 This document also provides additional information on the design 183 considerations of the SM4 algorithm [SM4-Details], its modes of 184 operations that are currently being used (see Section 8), and the 185 offical SM4 OIDs (see Section 9). 187 1.2. History 189 The "SMS4" algorithm (the former name of SM4) was invented by Shu- 190 Wang Lu [LSW-Bio]. It was first published in 2003 as part of 191 [GB.15629.11-2003], then published independently in 2006 by SCA 192 (OSCCA at that time) [SM4], published as an industry cryptographic 193 standard and renamed to "SM4" in 2012 by SCA (OSCCA at that time) 194 [GMT-0002-2012], and finally formalized in 2016 as a Chinese National 195 Standard (GB Standard) [GBT.32907-2016]. SM4 has also been 196 standardized in [ISO.IEC.18033-3.AMD2] by the International 197 Organization for Standardization in 2017. 199 SMS4 was originally created for use in protecting wireless networks 200 [SM4], and is mandated in the Chinese National Standard for Wireless 201 LAN WAPI (Wired Authentication and Privacy Infrastructure) 202 [GB.15629.11-2003]. A proposal was made to adopt SMS4 into the IEEE 203 802.11i standard, but the algorithm was eventually not included due 204 to concerns of introducing inoperability with existing ciphers. 206 The latest SM4 standard [GBT.32907-2016] was proposed by the SCA 207 (OSCCA at that time), standardized through TC 260 of the 208 Standardization Administration of the People's Republic of China 209 (SAC), and was drafted by the following individuals at the Data 210 Assurance and Communication Security Research Center (DAS Center) of 211 the Chinese Academy of Sciences, the China Commercial Cryptography 212 Testing Center and the Beijing Academy of Information Science & 213 Technology (BAIST): 215 o Shu-Wang Lu 217 o Dai-Wai Li 219 o Kai-Yong Deng 221 o Chao Zhang 223 o Peng Luo 225 o Zhong Zhang 227 o Fang Dong 229 o Ying-Ying Mao 231 o Zhen-Hua Liu 233 2. Terms and Definitions 235 The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*", 236 "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT 237 RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be 238 interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only 239 when, they appear in all capitals, as shown here. 241 The following terms and definitions apply to this document. 243 block length 244 Bit-length of a message block. 246 key length 247 Bit-length of a key. 249 key expansion algorithm 250 An operation that converts a key into a round key. 252 rounds 253 The number of iterations that the round function is run. 255 round key 256 A key used in each round on the blockcipher, derived from the 257 input key, also called a subkey. 259 word 260 a 32-bit quantity 262 S-box 263 The S (substitution) box function produces 8-bit output from 8-bit 264 input, represented as S(.) 266 3. Symbols And Abbreviations 268 S xor T 269 bitwise exclusive-or of two 32-bit vectors S and T. S and T will 270 always have the same length. 272 a <<< i 273 32-bit bitwise cyclic shift on a with i bits shifted left. 275 4. Compute Structure 277 The SM4 algorithm is a blockcipher, with block size of 128 bits and a 278 key length of 128 bits. 280 Both encryption and key expansion use 32 rounds of a nonlinear key 281 schedule per block. Each round processes one of the four 32-bit 282 words that constitute the block. 284 The structure of encryption and decryption are identical, except that 285 the round key schedule has its order reversed during decryption. 287 Using a 8-bit S-box, it only uses exclusive-or, cyclic bit shifts and 288 S-box lookups to execute. 290 5. Key And Key Parameters 292 The SM4 encryption key is 128 bits long and represented below, where 293 each MK_i, (i = 0, 1, 2, 3) is 32 bits long. 295 MK = (MK_0, MK_1, MK_2, MK_3) 297 The round key schedule is derived from the encryption key, 298 represented as below where each rk_i (i = 0, ..., 31) is 32 bits 299 long: 301 (rk_0, rk_1, ... , rk_31) 303 The family key used for key expansion is represented as FK, where 304 each FK_i (i = 0, ..., 3) is 32 bits long: 306 FK = (FK_0, FK_1, FK_2, FK_3) 308 The constant key used for key expansion is represented as CK, where 309 each CK_i (i = 0, ..., 31) is 32 bits long: 311 CK = (CK_0, CK_1, ... , CK_31) 313 6. Functions 315 6.1. Round Function F 317 The round function F is defined as: 319 F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk) 321 Where: 323 o Each $$X_i$ is 32-bit wide. 325 o The round key rk is 32-bit wide. 327 6.2. Permutations T and T' 329 T is a reversible permutation that outputs 32 bits from a 32-bit 330 input. 332 It consists of a nonlinear transform tau and linear transform L. 334 T(.) = L(tau(.)) 336 The permutation T' is created from T by replacing the linear 337 transform function L with L'. 339 T'(.) = L'(tau(.)) 341 6.2.1. Nonlinear Transformation tau 343 tau is composed of four parallel S-boxes. 345 Given a 32-bit input A, where each a_i is a 8-bit string: 347 A = (a_0, a_1, a_2, a_3) 349 The output is a 32-bit B, where each b_i is a 8-bit string: 351 B = (b_0, b_1, b_2, b_3) 353 B is calculated as follows: 355 (b_0, b_1, b_2, b_3) = tau(A) 357 tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3)) 359 6.2.2. Linear Transformations L and L' 361 The output of nonlinear transformation function tau is used as input 362 to linear transformation function L. 364 Given B, a 32-bit input. 366 The linear transformation L' is defined as follows. 368 L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24) 370 The linear transformation L' is defined as follows. 372 L'(B) = B xor (B <<< 13) xor (B <<< 23) 374 6.2.3. S-box S 376 The S-box S used in nonlinear transformation tau is given in the 377 lookup table shown in Figure 1 with hexadecimal values. 379 | 0 1 2 3 4 5 6 7 8 9 A B C D E F 380 ---|------------------------------------------------- 381 0 | D6 90 E9 FE CC E1 3D B7 16 B6 14 C2 28 FB 2C 05 382 1 | 2B 67 9A 76 2A BE 04 C3 AA 44 13 26 49 86 06 99 383 2 | 9C 42 50 F4 91 EF 98 7A 33 54 0B 43 ED CF AC 62 384 3 | E4 B3 1C A9 C9 08 E8 95 80 DF 94 FA 75 8F 3F A6 385 4 | 47 07 A7 FC F3 73 17 BA 83 59 3C 19 E6 85 4F A8 386 5 | 68 6B 81 B2 71 64 DA 8B F8 EB 0F 4B 70 56 9D 35 387 6 | 1E 24 0E 5E 63 58 D1 A2 25 22 7C 3B 01 21 78 87 388 7 | D4 00 46 57 9F D3 27 52 4C 36 02 E7 A0 C4 C8 9E 389 8 | EA BF 8A D2 40 C7 38 B5 A3 F7 F2 CE F9 61 15 A1 390 9 | E0 AE 5D A4 9B 34 1A 55 AD 93 32 30 F5 8C B1 E3 391 A | 1D F6 E2 2E 82 66 CA 60 C0 29 23 AB 0D 53 4E 6F 392 B | D5 DB 37 45 DE FD 8E 2F 03 FF 6A 72 6D 6C 5B 51 393 C | 8D 1B AF 92 BB DD BC 7F 11 D9 5C 41 1F 10 5A D8 394 D | 0A C1 31 88 A5 CD 7B BD 2D 74 D0 12 B8 E5 B4 B0 395 E | 89 69 97 4A 0C 96 77 7E 65 B9 F1 09 C5 6E C6 84 396 F | 18 F0 7D EC 3A DC 4D 20 79 EE 5F 3E D7 CB 39 48 398 Figure 1: SM4 S-box Values 400 For example, input "EF" will produce an output read from the S-box 401 table row E and column F, giving the result S(EF) = 84. 403 7. Algorithm 405 7.1. Encryption 407 The encryption algorithm consists of 32 rounds and 1 reverse 408 transform R. 410 Given a 128-bit plaintext input, where each X_i is 32-bit wide: 412 (X_0, X_1, X_2, X_3) 414 The output is a 128-bit ciphertext, where each Y_i is 32-bit wide: 416 (Y_0, Y_1, Y_2, Y_3) 418 Each round key is designated as rk_i, where each rk_i is 32-bit wide 419 and i = 0, 1, 2, ..., 31. 421 a. 32 rounds of calculation 423 i = 0, 1, ..., 31 425 X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i) 426 b. reverse transformation 428 (Y_0, Y_1, Y_2, Y_3) = R(X_32, X_33, X_34, X_35) 430 R(X_32, X_33, X_34, X_35) = (X_35, X_34, X_33, X_32) 432 Please refer to Appendix A for sample calculations. 434 A flow of the calculation is given in Figure 2. 436 128-bits plaintext 437 \___________________________/ 438 | 439 v 440 X_0 X_1 X_2 X_3 441 | | | | 442 v v v v 443 +---------------------------+ 444 Round 1 | Round Function | <--rk_0 445 +---------------------------+ 446 | | | | 447 X_1 X_2 X_3 X_4 448 | | | | 449 v v v v 450 +---------------------------+ 451 Round 2 | Round Function | <--rk_1 452 +---------------------------+ 453 | | | | 454 X_2 X_3 X_4 X_5 455 | | | | 456 v v v v 457 ... 459 X_31 X_32 X_33 X_34 460 | | | | 461 v v v v 462 +---------------------------+ 463 Round 32 | Round Function | <--rk_31 464 +---------------------------+ 465 | | | | 466 X_32 X_33 X_34 X_35 467 | | | | 468 v v v v 469 +---------------------------+ 470 | Reverse Transformation R | 471 +---------------------------+ 472 | | | | 473 Y_0 Y_1 Y_2 Y_3 475 \___________________________/ 476 | 477 v 478 128-bits ciphertext 480 Figure 2: SM4 Encryption Flow 482 7.2. Decryption 484 Decryption takes an identical process as encryption, with the only 485 difference the order of the round key sequence. 487 During decryption, the round key sequence is: 489 (rk_31, rk_30, ..., rk_0) 491 7.3. Key Schedule 493 Round keys used during encryption are derived from the encryption 494 key. 496 Specifically, given the encryption key MK, where each MK_i is 32-bit 497 wide: 499 MK = (MK_0, MK_1, MK_2, MK_3) 501 Each round key rk_i is created as follows, where i = 0, 1, ..., 31. 503 (K_0, K_1, K_2, K_3) = 504 (MK_0 xor FK_0, MK_1 xor FK_1, MK_2 xor FK_2, MK_3 xor FK_3) 506 rk_i = K_{i + 4} 508 K_{i + 4} = 509 K_i xor T' (K_{i + 1} xor K_{i + 2} xor K_{i + 3} xor CK_i) 511 Since the decryption key is identical to the encryption key, the 512 round keys used in the decryption process are derived from the 513 decryption key through the identical process to that of during 514 encryption. 516 Figure 3 depicts the i-th round of SM4. 518 X_i rk_i X_{i+1} X_{i+2} X_{i+3} 519 | | | | | 520 | | | | | 521 | v | | | 522 +---+ +---+ +---+ | | | 523 | X | | | | X | <--+ | | 524 | O | <- | T | <- | O | <----------+ | 525 | R | | | | R | <------------------+ 526 +---+ +---+ +---+ | | | 527 | / / / 528 | / / / 529 | / / / 530 \--------------------------------------= 531 / / / \ 532 / / / | 533 /---------------/ / / | 534 | | | | 535 X_{i+1} X_{i+2} X_{i+3} X_{i+4} 537 Figure 3: SM4 Round Function For the i-th Round 539 7.3.1. Family Key FK 541 Family key FK given in hexadecimal notation, is: 543 FK_0 = A3B1BAC6 544 FK_1 = 56AA3350 545 FK_2 = 677D9197 546 FK_3 = B27022DC 548 7.3.2. Constant Key CK 550 The method to retrieve values from the constant key CK is as follows. 552 Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of 553 CK_i. 555 Therefore, each ck_{i, j} is a 8-bit string, and each CK_i a 32-bit 556 word. 558 CK_i = (ck_{i, 0}, ck_{i, 1}, ck_{i, 2}, ck_{i, 3}) 560 ck_{i, j} = (4i + j) x 7 (mod 256) 562 The values of the constant key CK_i, where (i = 0, 1, ..., 31), in 563 hexadecimal, are: 565 CK_0 = 00070E15 CK_16 = C0C7CED5 566 CK_1 = 1C232A31 CK_17 = DCE3EAF1 567 CK_2 = 383F464D CK_18 = F8FF060D 568 CK_3 = 545B6269 CK_19 = 141B2229 569 CK_4 = 70777E85 CK_20 = 30373E45 570 CK_5 = 8C939AA1 CK_21 = 4C535A61 571 CK_6 = A8AFB6BD CK_22 = 686F767D 572 CK_7 = C4CBD2D9 CK_23 = 848B9299 573 CK_8 = E0E7EEF5 CK_24 = A0A7AEB5 574 CK_9 = FC030A11 CK_25 = BCC3CAD1 575 CK_10 = 181F262D CK_26 = D8DFE6ED 576 CK_11 = 343B4249 CK_27 = F4FB0209 577 CK_12 = 50575E65 CK_28 = 10171E25 578 CK_13 = 6C737A81 CK_29 = 2C333A41 579 CK_14 = 888F969D CK_30 = 484F565D 580 CK_15 = A4ABB2B9 CK_31 = 646B7279 582 8. Modes of Operation 584 This document defines multiple modes of operation for the SM4 585 blockcipher algorithm. 587 The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB 588 (Cipher FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are 589 defined in [NIST.SP.800-38A] and utilized with the SM4 algorithm in 590 the following sections. 592 8.1. Variables And Primitives 594 Hereinafter we define: 596 SM4Encrypt(P, K) 597 The SM4 algorithm that encrypts plaintext P with key K, described 598 in Section 7.1 600 SM4Decrypt(C, K) 601 The SM4 algorithm that decrypts ciphertext C with key K, described 602 in Section 7.2 604 b 605 block size in bits, defined as 128 for SM4 607 P_j 608 block j of ciphertext bitstring P 610 C_j 611 block j of ciphertext bitstring C 613 NBlocks(B, b) 614 Number of blocks of size b-bit in bitstring B 616 IV 617 Initialization vector 619 LSB(b, S) 620 Least significant b bits of the bitstring S 622 MSB(b, S) 623 Most significant b bits of the bitstring S 625 8.2. Initialization Vectors 627 The CBC, CFB and OFB modes require an additional input to the 628 encryption process, called the initialization vector (IV). The 629 identical IV is used in the input of encryption as well as the 630 decryption of the corresponding ciphertext. 632 Generation of IV values *MUST* take into account of the 633 considerations in Section 12 recommended by [BC-EVAL]. 635 8.3. SM4-ECB 637 In SM4-ECB, the same key is utilized to create a fixed assignment for 638 a plaintext block with a ciphertext block, meaning that a given 639 plaintext block always gets encrypted to the same ciphertext block. 640 As described in [NIST.SP.800-38A], this mode should be avoided if 641 this property is undesirable. 643 This mode requires input plaintext to be a multiple of the block 644 size, which in this case of SM4 it is 128-bit. It also allows 645 multiple blocks to be computed in parallel. 647 8.3.1. SM4-ECB Encryption 649 Inputs: 651 o P, plaintext, length *MUST* be multiple of b 653 o K, SM4 128-bit encryption key 655 Output: 657 o C, ciphertext, length is a multiple of b 659 C is defined as follows. 661 _____________________________________________________________________ 663 n = NBlocks(P, b) 665 for i = 1 to n 666 C_i = SM4Encrypt(P_i, K) 667 end for 669 C = C_1 || ... || C_n 670 _____________________________________________________________________ 672 8.3.2. SM4-ECB Decryption 674 Inputs: 676 o C, ciphertext, length *MUST* be multiple of b 678 o K, SM4 128-bit encryption key 680 Output: 682 o P, plaintext, length is a multiple of b 684 P is defined as follows. 686 _____________________________________________________________________ 688 n = NBlocks(C, b) 690 for i = 1 to n 691 P_i = SM4Decrypt(C_i, K) 692 end for 694 P = P_1 || ... || P_n 695 _____________________________________________________________________ 697 8.4. SM4-CBC 699 SM4-CBC is similar to SM4-ECB that the input plaintext *MUST* be a 700 multiple of the block size, which is 128-bit in SM4. SM4-CBC 701 requires an additional input, the IV, that is unpredictable for a 702 particular execution of the encryption process. 704 Since CBC encryption relies on a forward cipher operation that depend 705 on results of the previous operation, it cannot be parallelized. 706 However, for decryption, since ciphertext blocks are already 707 available, CBC parallel decryption is possible. 709 8.4.1. SM4-CBC Encryption 711 Inputs: 713 o P, plaintext, length *MUST* be multiple of b 715 o K, SM4 128-bit encryption key 717 o IV, 128-bit, unpredictable, initialization vector 719 Output: 721 o C, ciphertext, length is a multiple of b 723 C is defined as follows. 725 _____________________________________________________________________ 727 n = NBlocks(P, b) 729 C_1 = SM4Encrypt(P_1 xor IV, K) 731 for i = 2 to n 732 C_i = SM4Encrypt(P_i xor C_{i - 1}, K) 733 end for 735 C = C_1 || ... || C_n 736 _____________________________________________________________________ 738 8.4.2. SM4-CBC Decryption 740 Inputs: 742 o C, ciphertext, length *MUST* be a multiple of b 744 o K, SM4 128-bit encryption key 746 o IV, 128-bit, unpredictable, initialization vector 748 Output: 750 o P, plaintext, length is multiple of b 752 P is defined as follows. 754 _____________________________________________________________________ 756 n = NBlocks(C, b) 758 P_1 = SM4Decrypt(C_1, K) xor IV 760 for i = 2 to n 761 P_i = SM4Decrypt(C_i, K) xor C_{i - 1} 762 end for 764 P = P_1 || ... || P_n 765 _____________________________________________________________________ 767 8.5. SM4-CFB 769 SM4-CFB relies on feedback provided by successive ciphertext segments 770 to generate output blocks. The plaintext given must be a multiple of 771 the block size. 773 Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for 774 a particular execution of the encryption process. 776 SM4-CFB further allows setting a positive integer parameter s, that 777 is less than or equal to the block size, to specify the size of each 778 data segment. The same segment size must be used in encryption and 779 decryption. 781 In SM4-CFB, since the input block to each forward cipher function 782 depends on the output of the previous block (except the first that 783 depends on the IV), encryption is not parallelizable. Decryption, 784 however, can be parallelized. 786 8.5.1. SM4-CFB Variants 788 SM4-CFB takes an integer s to determine segment size in its 789 encryption and decryption routines. We define the following variants 790 of SM4-CFB for various s: 792 o SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1. 794 o SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8. 796 o SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64. 798 o SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128. 800 8.5.2. SM4-CFB Encryption 802 Inputs: 804 o P#, plaintext, length *MUST* be multiple of s 806 o K, SM4 128-bit encryption key 808 o IV, 128-bit, unpredictable, initialization vector 810 o s, an integer 1 <= s <= b that defines segment size 812 Output: 814 o C#, ciphertext, length is a multiple of s 816 C# is defined as follows. 818 _____________________________________________________________________ 820 n = NBlocks(P#, s) 822 I_1 = IV 823 for i = 2 to n 824 I_i = LSB(b - s, I_{i - 1}) || C#_{j - 1} 825 end for 827 for i = 1 to n 828 O_j = SM4Encrypt(I_i, K) 829 end for 831 for i = 1 to n 832 C#_i = P#_1 xor MSB(s, O_j) 833 end for 835 C# = C#_1 || ... || C#_n 836 _____________________________________________________________________ 838 8.5.3. SM4-CFB Decryption 840 Inputs: 842 o C#, ciphertext, length *MUST* be a multiple of s 844 o K, SM4 128-bit encryption key 846 o IV, 128-bit, unpredictable, initialization vector 847 o s, an integer 1 <== s <== b that defines segment size 849 Output: 851 o P#, plaintext, length is multiple of s 853 P# is defined as follows. 855 _____________________________________________________________________ 857 n = NBlocks(P#, s) 859 I_1 = IV 860 for i = 2 to n 861 I_i = LSB(b - s, I_{i - 1}) || C#_{j - 1} 862 end for 864 for i = 1 to n 865 O_j = SM4Encrypt(I_i, K) 866 end for 868 for i = 1 to n 869 P#_i = C#_1 xor MSB(s, O_j) 870 end for 872 P# = P#_1 || ... || P#_n 873 _____________________________________________________________________ 875 8.6. SM4-OFB 877 SM4-OFB is the application of SM4 through the Output Feedback mode. 878 This mode requires that the IV is a nonce, meaning that the IV *MUST* 879 be unique for each execution for an input key. OFB does not require 880 the input plaintext to be a multiple of the block size. 882 In OFB, the routines for encryption and decryption are identical. As 883 each forward cipher function (except the first) depends on previous 884 results, both routines cannot be parallelized. However given a known 885 IV, output blocks could be generated prior to the input of plaintext 886 (encryption) or ciphertext (decryption). 888 8.6.1. SM4-OFB Encryption 890 Inputs: 892 o P, plaintext, composed of (n - 1) blocks of size b, with the last 893 block P_n of size 1 <== u <== b 895 o K, SM4 128-bit encryption key 897 o IV, a nonce (a unique value for each execution per given key) 899 Output: 901 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 902 block C_n of size 1 <== u <== b 904 C is defined as follows. 906 _____________________________________________________________________ 908 n = NBlocks(P, b) 910 I_1 = IV 911 for i = 1 to (n - 1) 912 O_i = SM4Encrypt(I_i) 913 I_{i + 1} = O_i 914 end for 916 for i = 1 to (n - 1) 917 C_i = P_i xor O_i 918 end for 920 C_n = P_n xor MSB(u, O_n) 922 C = C_1 || ... || C_n 923 _____________________________________________________________________ 925 8.6.2. SM4-OFB Decryption 927 Inputs: 929 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 930 block C_n of size 1 <== u <== b 932 o K, SM4 128-bit encryption key 934 o IV, the nonce used during encryption 936 Output: 938 o P, plaintext, composed of (n - 1) blocks of size b, with the last 939 block P_n of size 1 <== u <== b 941 C is defined as follows. 943 _____________________________________________________________________ 945 n = NBlocks(C, b) 947 I_1 = IV 948 for i = 1 to (n - 1) 949 O_i = SM4Encrypt(I_i) 950 I_{i + 1} = O_i 951 end for 953 for i = 1 to (n - 1) 954 P_i = C_i xor O_i 955 end for 957 P_n = C_n xor MSB(u, O_n) 959 P = P_1 || ... || P_n 960 _____________________________________________________________________ 962 8.7. SM4-CTR 964 SM4-CTR is an implementation of a stream cipher through a blockcipher 965 primitive. It generates a "keystream" of keys that are used to 966 encrypt successive blocks, with the keystream created from the input 967 key, a nonce (the IV) and an incremental counter. The counter could 968 be any sequence that does not repeat within the block size. 970 Both SM4-CTR encryption and decryption routines could be 971 parallelized, and random access is also possible. 973 8.7.1. SM4-CTR Encryption 975 Inputs: 977 o P, plaintext, composed of (n - 1) blocks of size b, with the last 978 block P_n of size 1 <== u <== b 980 o K, SM4 128-bit encryption key 982 o IV, a nonce (a unique value for each execution per given key) 984 o T, a sequence of counters from T_1 to T_n 986 Output: 988 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 989 block C_n of size 1 <== u <== b 991 C is defined as follows. 993 _____________________________________________________________________ 995 n = NBlocks(P, b) 997 for i = 1 to n 998 O_i = SM4Encrypt(T_i) 999 end for 1001 for i = 1 to (n - 1) 1002 C_i = P_i xor O_i 1003 end for 1005 C_n = P_n xor MSB(u, O_n) 1007 C = C_1 || ... || C_n 1008 _____________________________________________________________________ 1010 8.7.2. SM4-CTR Decryption 1012 Inputs: 1014 o C, ciphertext, composed of (n - 1) blocks of size b, with the last 1015 block C_n of size 1 <= u <= b 1017 o K, SM4 128-bit encryption key 1019 o IV, a nonce (a unique value for each execution per given key) 1021 o T, a sequence of counters from T_1 to T_n 1023 Output: 1025 o P, plaintext, composed of (n - 1) blocks of size b, with the last 1026 block P_n of size 1 <= u <= b 1028 P is defined as follows. 1030 _____________________________________________________________________ 1032 n = NBlocks(C, b) 1034 for i = 1 to n 1035 O_i = SM4Encrypt(T_i) 1036 end for 1038 for i = 1 to (n - 1) 1039 P_i = C_i xor O_i 1040 end for 1042 P_n = C_n xor MSB(u, O_n) 1044 C = C_1 || ... || C_n 1045 _____________________________________________________________________ 1047 9. Object Identifier 1049 The Object Identifier for SM4 is identified through these OIDs. 1051 9.1. GM/T OIDs 1053 9.1.1. SCA OID Prefix 1055 All SM4 GM/T OIDs belong under the "1.2.156.10197" OID prefix, 1056 registered by the Chinese Cryptography Standardization Technology 1057 Committee ("CCSTC"), a committee under the SCA. Its components are 1058 described below in ASN.1 notation. 1060 o "id-ccstc" "{iso(1) member-body(2) cn(156) ccstc(10197)}" 1062 9.1.2. Blockcipher Algorithms 1064 These SM4 OIDs are assigned in [GMT-0006-2012] and described in 1065 [GBT.33560-2017]. 1067 "1.2.156.10197.1.100" for "Blockcipher Algorithms": 1069 o "id-bc" "{id-ccstc sm-scheme(1) block-cipher(100)}" 1071 "1.2.156.10197.1.104" for "Blockcipher Algorithm: SM4": 1073 o "id-bc-sm4" "{id-ccstc sm-scheme(1) sm4(104)}" 1075 9.1.3. Standard Identification 1077 The "SM4 Blockcipher Algorithm" standard is assigned the OID 1078 "1.2.156.10197.6.1.1.2" in [GMT-0002-2012] and this assignment is 1079 also described in [GBT.33560-2017]. 1081 o "id-standard-sm4" "{id-ccstc standard(1) fundamental(1) 1082 algorithm(1) sm4(2)}" 1084 Note that this OID is purely used for identifying the SM4 standard 1085 itself. 1087 9.2. ISO OID 1089 SM4 is assigned the OID "1.0.18033.3.2.4" ("id-bc128-sm4") in 1090 [ISO.IEC.18033-3.AMD2]. Its components are described below in ASN.1 1091 notation. 1093 o "is18033-3" "{iso(1) standard(0) is18033(18033) part3(3)}" 1095 o "id-bc128" "{is18033-3 block-cipher-128-bit(2)}" 1097 o "id-bc128-sm4" "{id-bc128 sm4(4)}" 1099 10. Design Considerations 1101 10.1. Basic Transformation 1103 The chaos principle and the diffusion principle are two basic 1104 principles of block cipher design. A well-designed blockcipher 1105 algorithm should be based on a cryptographically sound basic 1106 transformation structure, with its round calculation based on a 1107 cryptographically sound basic transformation. 1109 The cryptographic properties of the basic transformation determines 1110 the efficiency of the resulting encryption transformation. 1112 The SM4 algorithm is structured on orthomorphic permutation. Its 1113 round transformation is an orthomorphic permutation, and its 1114 cryptographic properties can be deduced from the characteristics of 1115 orthomorphic permutations. 1117 Let the single round of the SM4 block cipher algorithm be P, for any 1118 given plaintext X, P (X, K ')! = P (X, K) if the key K'! = K. 1120 The conclusion shows that if X is a row variable and K is a column 1121 variable, the square P(X, K) forms a Latin square. There are two 1122 conclusions about the nature of cryptography: 1124 1. The SM4 blockcipher algorithm will produce different round 1125 transformations given different keys. 1127 2. The SM4 blockcipher algorithm, within a single round, will 1128 produce a different output given the same input with different 1129 keys. 1131 10.2. Nonlinear Transformation 1133 An S-box can be viewed as a bijection: 1135 S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m. 1137 S(x): F_2^n -> F_2^m can be represented as a multi-output boolean 1138 function with n-bit input and m-bit output, or a n x m S-box (an 1139 S-box with n inputs and m outputs), usually realized as a 1140 substitution that takes an n-bit input and produces a m-bit output. 1141 In SM4, the S-box takes n = m = 8. 1143 In many blockciphers, the S-box is the sole element providing 1144 nonlinearity, for the purpose of mixing, in order to reduce linearity 1145 and to hide its variable structure. 1147 The cryptographic properties of the S-box directly affects the 1148 resulting cryptographic strength of the blockcipher. When designing 1149 a blockcipher, the cryptographic strength of the S-box must be taken 1150 into account. The cryptographic strength of an S-box can be 1151 generally measured by factors such as its nonlinearity and 1152 differential distribution. 1154 10.2.1. S-box Algebraic Expression 1156 In order to prevent insertion attacks, the algebraic formula used for 1157 cryptographic substitution should be a high degree polynomial and 1158 contain a large number of terms. 1160 The algebraic expression of the SM4 S-box [SM4-Sbox] is determined 1161 through Lagrange's interpolation to be a polynomial of the 254th 1162 degree with 255 terms, providing the highest level of complexity 1163 based on its size: 1165 f(x) : sum_{i=0}^{255} y_i 1166 PI_{j!=i, j=0}^255 ((x - x_j) / (x_i - x_j)) 1168 10.2.2. Algebraic Degree And Distribution Of Terms 1170 Any n boolean function f(x): F_2^n -> F_2 can be represented uniquely 1171 in its algebraic normal form shown below: 1173 f(X) = a_0 + sum_{1<=i_i<... F_2^m. Consider S(X) to be a random 1189 substitution, each of its component functions would be best to have 1190 algebraic degree of n-1, each component function i-th coefficient 1191 should be near C_n^i/2. If the algebraic degree is too low, for 1192 example, each component function has a degree of 2, then the 1193 algorithm can be easily attacked by advanced differential 1194 cryptanalysis. If the number of terms are insufficient, then it may 1195 improve the success probability of insert attacks. 1197 The algebraic degrees and number of terms of the SM4 S-box are 1198 described in Figure 4. 1200 +--------------------+--------------------------------------------+ 1201 | | Algebraic Degree | 1202 | Component Function +-----+---+----+----+----+----+----+---+-----+ 1203 | | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 1204 +--------------------+-----+---+----+----+----+----+----+---+-----+ 1205 | Y_0 | 0 | 3 | 15 | 31 | 28 | 29 | 14 | 3 | 1 | 1206 | Y_1 | 0 | 3 | 12 | 34 | 40 | 33 | 12 | 4 | 1 | 1207 | Y_2 | 0 | 5 | 17 | 24 | 40 | 24 | 11 | 3 | 0 | 1208 | Y_3 | 0 | 2 | 11 | 31 | 34 | 27 | 15 | 5 | 1 | 1209 | Y_4 | 0 | 5 | 15 | 28 | 33 | 24 | 13 | 5 | 0 | 1210 | Y_5 | 0 | 5 | 11 | 25 | 41 | 25 | 16 | 4 | 1 | 1211 | Y_6 | 0 | 4 | 15 | 29 | 27 | 32 | 18 | 4 | 1 | 1212 | Y_7 | 0 | 4 | 14 | 32 | 35 | 30 | 16 | 3 | 0 | 1213 +--------------------+-----+---+----+----+----+----+----+---+-----+ 1214 | Expected Value | 1/2 | 4 | 14 | 28 | 35 | 28 | 14 | 4 | 1/2 | 1215 +--------------------+-----+---+----+----+----+----+----+---+-----+ 1217 Figure 4: SM4 S-box Component Functions Algebraic Degree And Terms 1219 10.2.3. Differential Distribution 1221 The definition of differential distribution has been given in 1222 [BC-Design]. 1224 Differential cryptanalysis is a chosen-plaintext attack, with the 1225 understanding that analysis of selected plaintexts of differentials 1226 can retrive the most probable key. Differential distribution is an 1227 attribute to measure the resistance of a cryptographic function 1228 against differential cryptanalysis. 1230 delta_S = 1/2^n max_{a in F_2^n, a!=0} max_{beta in F_2^m} | 1231 { X in F_2^n : S(X and alpha) - S(X) = beta } | 1233 "delta_S" is the differential distribution of the S-box "S". 1235 According to the definition of differential distribution, 2^{-m} <= 1236 delta_S <= 2^{m-n}, if there is a delta_S = 2^{m-n} then S is 1237 considered a fully nonlinear function from F_2^n to F_2^m. For 1238 resistance against differential cryptanalysis, the differential 1239 distribution should be as low as possible. 1241 The highest differential distribution of the SM4 S-box is 2^{-6}, 1242 meaning it has a good resistance against differential cryptanalysis. 1244 10.2.4. Nonlinearity 1246 The nonlinearity of an S-box is described by [BC-Design]. 1248 Let S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m be a 1249 multi-output function. The nonlinearity of S(X) is defined as N_S = 1250 min_{l in L_n, 0 != u in F_2^m} d_H (u . S(X), l(X)). 1252 L_n is the group of all n-boolean functions, d_H(f, l) is the Hamming 1253 distance between f and l. The nonlinearity of the S-box is in fact 1254 the minimum Hamming distance between all the Boolean functions and 1255 all affine functions. 1257 The upper-bound of nonlinearity is known to be 2^{n-1} - 2^{n/2 - 1}, 1258 where a Boolean function that reaches this bound is called a "bent 1259 function". 1261 The nonlinearity of a Boolean function is used to measure resistance 1262 against linear attacks. The higher the nonlinearity, the higher 1263 resistance that the Boolean function f(x) has against linear attacks. 1264 On the contrary, the lower the nonlinearity, the Boolean function 1265 f(x) has lower resistance against linear attacks. 1267 The nonlinearity of the SM4 S-box is 112. 1269 10.2.5. Maximum Linearity Advantage 1271 Linear approximation of a S-box is defined in [BC-Design]. Given a 1272 S-box with n inputs and m outputs, any linear approximation can be 1273 represented as : a . X = b . Y, where a in F_2^n, b in F_2^m. 1275 The probability p that satisfies a . X = b . Y is 1277 | p - 1/2 | <= 1/2 - N_S / 2^n 1279 where | p - 1/2 | is the advantage of the linear approximation 1280 equation, lambda_S = 1/2 - N_s / 2^n is the maximum advantage of the 1281 S-box. 1283 The maximum advantage of the SM4 S-box is 2^{-4}. 1285 10.2.6. Balance 1287 A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is 1288 considered "balanced" if for any beta in F_2^m, there are 2^{n-m} x 1289 in F_2^n, such that S(x) = beta. 1291 The SM4 S-box is balanced. 1293 10.2.7. Completness and Avalanche Effect 1295 A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is 1296 considered "complete" if every input bit directly correlates to an 1297 output bit. 1299 In algebraic expression, each component function contains the unknown 1300 variables x_1, x_2, ... x_n, such that for any (s, t) in { (i, j) | 1 1301 <= i <= n, 1 <= j <= m}, there is an X that S(X) and S(X and e_s) 1302 would contain a different bit t. 1304 Avalanche effect refers to a single bit change in the input would 1305 correspond to a change of half of the output bits. 1307 The SM4 S-box satisfies completness and the avalanche effect. 1309 10.3. Linear Transform 1311 Linear transformation is used to provide diffusion in SM4. A 1312 blockcipher algorithm often adopts m x m S-boxes to form an 1313 obfuscation layer. 1315 Since the m-bits output by one S-box are only related to the m bits 1316 of its input and are irrelevant to the input of other S boxes, the 1317 introduction of a linear transform would disrupt and mix the output 1318 m-bits so that they seem correlating to the other S-box inputs. 1320 A sound linear transform design will diffuse the S-box output, 1321 allowing the blockcipher to resist differential and linear 1322 cryptanalysis. 1324 An important measure of the diffusivity of a linear transform is its 1325 branch number. 1327 The "branch number" of a linear transform is defined in [BC-Design]: 1329 B(theta) = min_{x!=0} w_b(x) + w_b(theta(x)) 1331 Where B(theta) is the branch number of transform theta, w_b(x) is a 1332 non-zero integer x_i (1 <== i <== m), and x_i is called the "bundle 1333 weight". 1335 The branch number can be used to quantify the resistance of the block 1336 cipher algorithm to differential cryptanalysis and linear 1337 cryptanalysis. 1339 Similar to differential cryptanalysis and linear cryptanalysis, the 1340 differential branch number and linear branch number of theta can be 1341 defined as follows. 1343 The differential branch number of theta is: 1345 B_d(theta) = min_{x, x!= x*} 1346 (w_b(x and x*) + w_b(theta(x)) and theta(x*)) 1348 The linear branch number of theta is: 1350 B_l(theta) = min_{a, b, c (x . alpha^t , theta(x) . beta) != 0} 1351 (w_b(alpha) + w_b(beta)) 1353 where, 1354 c (x . a^t , theta(x) . beta) = 1355 2 X Pr(x . alpha^t = theta(x) . beta) - 1 1356 x . alpha^t is a matrix multiplication. 1358 The branch number in a linear transformation reflects its 1359 diffusivity. The higher the branch number, the better the diffusion 1360 effect. 1362 This means that the larger the differential branch number or linear 1363 branch number, the more known plaintexts will be required for 1364 differential or linear cryptanalysis respectively. 1366 The linear transform differential branch number and linear branch 1367 number of SM4 are both 5. 1369 10.4. Key Expansion Algorithm 1371 The SM4 key schedule is designed to fulfill the security requirements 1372 of the encryption algorithm and achieve ease of implementation for 1373 performance reasons. 1375 All subkeys are derived from the encryption key, and therefore, 1376 subkeys are always statistically relevant. In the context of a 1377 blockcipher, it is not possible to have non-statistical-correlated 1378 subkeys, but the designer can only aim to have subkeys achieve near 1379 statistical independence [BC-Design]. 1381 The purpose of the key schedule, generated through the key expansion 1382 algorithm, is to mask the statistical correlation between subkeys to 1383 make this relationship difficult to exploit. 1385 The SM4 key expansion algorithm satisfies the following design 1386 criteria: 1388 1. There are no obvious statistical correlation between subkeys; 1390 2. There are no weak subkeys; 1392 3. The speed of key expansion is not slower than the encryption 1393 algorithm, and uses less resources; 1395 4. Every subkey can be directly generated from the encryption key. 1397 11. Cryptanalysis Results 1399 SM4 has been heavily cryptanalyzed by international researchers since 1400 it was first published. Nearly all currently known cryptanalysis 1401 techniques have been applied to SM4. 1403 At the time of publishing this document, there are no known practical 1404 attacks against the full SM4 blockcipher. However, there are side- 1405 channel concerns [SideChannel] when the algorithm is implemented in a 1406 hardware device. 1408 A summary of cryptanalysis results are presented in the following 1409 sections. 1411 11.1. Differential Cryptanalysis 1413 In 2008, Zhang et al. [SM4-DiffZhang1] gave a 21-round differential 1414 analysis with data complexity 2^188, time complexity 2^126.8 1415 encryptions. 1417 In 2008, Kim et al. [SM4-LDA] gave a 22-round differential attack 1418 that requires 2^118 chosen plaintexts, 2^123 memory and 2^125.71 1419 encryptions. 1421 In 2009, Zhang et al. (differing author but overlapping team) 1422 [SM4-DiffZhang2] gave a 18-round differential characteristics with an 1423 attack that reaches the 22nd round, with data complexity 2^117 and 1424 time complexity 2^112.3. 1426 In 2010, Zhang et al. (with no relation to above) [SM4-DiffZhang3] 1427 utilized 18-round differential characteristics for the 22nd round 1428 with 2^117 chosen plaintexts with time complexity 2^123 encryptions, 1429 memory complexity of 2^112. 1431 In 2011, Su et al. [SM4-DiffSu] gave a 19 round differential 1432 characteristics and pushed their attack to the 23rd round, with data 1433 complexity of 2^118 chosen plaintexts, time complexity 2^126.7 1434 encryptions, and memory complexity 2^120.7. 1436 11.2. Linear Cryptanalysis 1438 In 2008 Etrog et al. [SM4-LinearEtrog] provided a linear 1439 cryptanalysis result for 22 rounds of SM4, the data complexity is 1440 given as 2^188.4 known plaintexts, time complexity 2^117 encrypt 1441 operations. 1443 In the same year, Kim et al. [SM4-LDA] improved on the linear 1444 cryptanalysis result for 22 rounds of SM4 with data complexity of 1445 2^117 known plaintexts, memory complexity of 2^109 and time 1446 complexity of 2^109.86. 1448 In 2011 Dong [SM4-LinearDong] presented a linear cryptanalysis result 1449 for 20 rounds, 2^110.4 known ciphertexts, 2^106.8 encryption 1450 operations, memory complexity 2^90. 1452 In 2014 Liu et al. [SM4-LinearLiu] presented their linear 1453 cryptanalysis for 23-rounds of SM4, time complexity 2^112 encryption 1454 operations, data complexity 2^126.54 known ciphertexts, memory 1455 complexity 2^116. 1457 In 2017 Liu et al. [SM4-NLC] presented an attack based on linear 1458 cryptanalysis on 24-rounds of SM4, with time complexity of 2^122.6 1459 encryptions, data complexity of 2^122.6 known ciphertexts, and memory 1460 complexity of 2^85. 1462 11.3. Multi-dimensional Linear Cryptanalysis 1464 In 2010, Liu et al. [SM4-MLLiu] constructed a series of 18 rounds of 1465 linear traces based on a 5-round circular linear trace, capable of 1466 attacking 22 rounds of SM4. The required data complexity was 2^112 1467 known plaintexts, time complexity 2^124.21 encryption operations, 1468 with memory complexity of 2^118.83. 1470 In 2010 Cho et al. [SM4-MLCho] gave a linear analysis of 23 rounds 1471 of SM4 with a data complexity of 2^126.7 known plaintexts and a time 1472 complexity of 2^127, memory complexity of 2^120.7. 1474 In 2014, Liu et al. [SM4-LinearLiu] gave the results of multi- 1475 dimensional linear analysis of 23 rounds of SM4 algorithm. The time 1476 complexity was 2^122.7, data complexity was 2^122.6 known plaintext 1477 with memory complexity 2^120.6. 1479 11.4. Impossible Differential Cryptanalysis 1481 In 2007 Lu et al. [SM4-IDCLu] first presented 16 rounds of 1482 impossible differential analysis of SM4 with the required data 1483 complexity 2^105 chosen plaintexts, time complexity 2^107 encryption 1484 operations. 1486 In 2008 Toz et al. [SM4-IDCToz] revised the results of [SM4-IDCLu], 1487 that the data complexity is actually 2^117.05 chosen plaintexts, time 1488 complexity 2^132.06 encryptions, but its complexity is already beyond 1489 the 2^128 limit. 1491 In 2010 Wang et al. [SM4-IDCWang] pushed the impossible differential 1492 cryptanalysis to 17 rounds of SM4, the data complexity is 2^117 1493 chosen ciphertexts, time complexity 2^132 memory queries. 1495 11.5. Zero-correlation Linear Cryptanalysis 1497 In 2015 Ma et al. [SM4-ZCLC] gives the results of multi-dimensional 1498 zero-correlation linear cryptanalysis of a 14-round SM4 algorithm. 1499 The required data complexity is 2^123.5 known plaintexts, time 1500 complexity is 2^120.7 encryption operations and memory complexity of 1501 2^73 blocks. 1503 11.6. Integral Cryptanalysis 1505 In 2007 Liu et al. [SM4-ICLiu] first gave a 13-round integral 1506 analysis of SM4, which required 2^16 chosen plaintexts and time 1507 complexity of 2^114 encryption operations. 1509 In 2008 Zhong et al. [SM4-ICZhong] constructed a 12-round 1510 distinguisher of SM4 to attack 14-round SM4, with data complexity of 1511 2^32 chosen plaintexts and time complexity 2^96.5 encryptions. 1513 11.7. Algebraic Attacks 1515 In 2009 Ji et al. [SM4-AAJi] and in 2010 Erickson et al. [SM4-AAEr] 1516 utilized algebraic methods such as XL, Groebner base and SAT to 1517 analyze the resistance of SM4 against algebraic attacks. The results 1518 demonstrate that SM4 is safe against algebraic attacks, and 1519 specifically, has a higher resistance against algebraic attacks than 1520 AES. 1522 11.8. Matrix Attacks 1524 In 2007 Lu et al. [SM4-IDCLu] provided a matrix attack against 1525 14-round SM4, with data complexity 2^121.82 chosen plaintexts, time 1526 complexity 2^116.66 encryptions. 1528 In 2008 Toz et al. [SM4-IDCToz] lowered both data and time 1529 complexity of the aformentioned attack to 2^106.89 chosen ciphertexts 1530 and time complexity of 2^107.89. 1532 In 2008, Zhang et al. [SM4-DiffZhang1] provided a matrix attack 1533 against 16-round SM4, which required a data complexity of 2^125 1534 chosen plaintexts and time complexity of 2^116 encryptions. 1536 She's Master dissertation [SM4-MatrixShe] provided a SM4 16-round 1537 matrix distinguisher that can attack 18-round SM4, with data 1538 complexity of 2^127 chosen plaintexts and time complexity 2^110.77 1539 encryptions with memory complexity of 2^130. 1541 In 2012 Wei et al. [SM4-MatrixWei] applied differential analysis and 1542 algebraic attack techniques on 20-round SM4 and discovered that the 1543 combined attack results on 20-round SM4 are superior than using pure 1544 differential cryptanalysis. 1546 11.9. Provable Security Against Differential And Linear Cryptanalysis 1548 SM4 uses a novel structure differing from the general Feistel and SP 1549 structures. 1551 [SM4-Random] has proven that the SM4 non-balanced Feistel structure 1552 is pseudo-random. 1554 [SM4-SLDC] analyzes the SM4 non-balanced Feistel structure on its 1555 resistance against differential and linear cryptanalysis techniques. 1556 Under SP type round functions with branch number 5, it is proven that 1557 in a 27-round SM4 guarantees at least 22 active S-boxes, therefore 1558 SM4 is secure against differential attacks. 1560 [SM4-SLC] has analyzed resistance of SM4 against linear 1561 cryptanalysis. 1563 11.10. Provable Security Against Related-Key Differential Cryptanalysis 1565 Related-key differential cryptanalysis is related to the encryption 1566 algorithm and key schedule. When performing a related-key attack, 1567 the attacker simultaneously insert differences in both the key and 1568 the message. 1570 In [AutoDC], Sun et al. proposed an automated differential route 1571 search method based on MILP (mixed-integer linear programming) that 1572 can be used to assess the security bounds of a blockcipher under 1573 (related-key) differential cryptanalysis. 1575 [SM4-RKDC] describes the lower bounds of active S-boxes within SM4 1576 and is shown in Table 1. 1578 +-------+------------+-------------+ 1579 | Round | Single Key | Related Key | 1580 +-------+------------+-------------+ 1581 | 3 | 0 | 0 | 1582 | 4 | 1 | 1 | 1583 | 5 | 2 | 2 | 1584 | 6 | 2 | 4 | 1585 | 7 | 5 | 6 | 1586 | 8 | 6 | 8 | 1587 | 9 | 7 | 9 | 1588 | 10 | 8 | 10 | 1589 | 11 | 9 | 11 | 1590 | 12 | 10 | 13 | 1591 | 13 | 10 | 14 | 1592 | 14 | 10 | 14 | 1593 | 15 | 13 | 16 | 1594 | 16 | 14 | 18 | 1595 | 17 | 15 | 19 | 1596 | 18 | 16 | 20 | 1597 | 19 | 18 | 22 | 1598 | 20 | 18 | - | 1599 | 21 | 19 | - | 1600 | 22 | 20 | - | 1601 | 23 | 22 | - | 1602 | 24 | 23 | - | 1603 | 25 | 23 | - | 1604 | 26 | 24 | - | 1605 +-------+------------+-------------+ 1607 Table 1: Strongest SM4 Attacks ("-" denotes unknown) 1609 As the maximal probability of the SM4 S-box is 2^-6, when the minimum 1610 active S-boxes reach 22 the differential characteristics will have 1611 probability 2^132, which is higher than enumeration (2^128). 1613 This indicates that 19 rounds and 23 rounds under related key and 1614 single key settings will provide a minimum of 22 active S-boxes and 1615 is able to resist related-key differential attacks. 1617 11.11. Summary of SM4 Cryptanalytic Attacks 1619 Table 2 provides a summary on the strongest attacks on SM4 at the 1620 time of publishing. 1622 +-------------------+--------+--------------------+-----------------+ 1623 | Method | Rounds | Complexity | Reference | 1624 +-------------------+--------+--------------------+-----------------+ 1625 | Linear | 24 | Time: 2^{122.6}, | [SM4-NLC] | 1626 | | | Data: 2^{122.6}, | | 1627 | | | Memory: 2^{85} | | 1628 +-------------------+--------+--------------------+-----------------+ 1629 | Multi-dimensional | 23 | Time: 2^{122.7}, | [SM4-LinearLiu] | 1630 | Linear | | Data: 2^{122.6}, | | 1631 | | | Memory: 2^{120.6} | | 1632 +-------------------+--------+--------------------+-----------------+ 1633 | Differential | 23 | Time: 2^{126.7}, | [SM4-DiffSu] | 1634 | | | Data: 2^{117}, | | 1635 | | | Memory: 2^{120.7} | | 1636 +-------------------+--------+--------------------+-----------------+ 1637 | Matrix | 18 | Time: 2^{110.77}, | [SM4-MatrixShe] | 1638 | | | Data: 2^{127}, | | 1639 | | | Memory 2^{130} | | 1640 +-------------------+--------+--------------------+-----------------+ 1641 | Impossible | 17 | Time: 2^{132}, | [SM4-IDCWang] | 1642 | Differential | | Data: 2^{117}, | | 1643 | | | Memory: -- | | 1644 +-------------------+--------+--------------------+-----------------+ 1645 | Zero-correlation | 14 | Time: 2^{120.7}, | [SM4-ZCLC] | 1646 | Linear | | Data: 2^{123.5}, | | 1647 | | | Memory: 2^{73} | | 1648 +-------------------+--------+--------------------+-----------------+ 1649 | Integral | 14 | Time: 2^{96.5}, | [SM4-ICZhong] | 1650 | | | Data: 2^{32}, | | 1651 | | | Memory: -- | | 1652 +-------------------+--------+--------------------+-----------------+ 1654 Table 2: Leading SM4 Attacks As Of Publication 1656 As of the publication of this document, no open research results have 1657 provided a method to successfully attack beyond 24 rounds of SM4. 1659 The traditional view suggests that SM4 provides an extra safety 1660 margin compared to blockciphers adopted in [ISO.IEC.18033-3] that 1661 already have full-round attacks, including MISTY1 [MISTY1-IC] 1662 [MISTY1-270] and AES [AES-CA] [AES-BC] [AES-RKC]. 1664 12. Security Considerations 1666 o Products and services that utilize cryptography are regulated by 1667 the SCA [SCA]; they must be explicitly approved or certified by 1668 the SCA before being allowed to be sold or used in China. 1670 o SM4 is a blockcipher symmetric algorithm with key length of 128 1671 bits. It is considered as an alternative to AES-128 1672 [NIST.FIPS.197]. 1674 o SM4 [GBT.32907-2016] is a blockcipher certified by the SCA [SCA]. 1675 No formal proof of security is provided. There are no known 1676 practical attacks against SM4 algorithm by the time of publishing 1677 this document, but there are security concerns with regards to 1678 side-channel attacks when the SM4 algorithm is implemented in 1679 hardware. 1680 For instance, [SM4-Power] illustrated an attack by measuring the 1681 power consumption of the device. A chosen ciphertext attack, 1682 assuming a fixed correlation between the round keys and data mask, 1683 is able to recover the round key successfully. 1684 When the SM4 algorithm is implemented in hardware, the parameters 1685 and keys *SHOULD* be randomly generated without fixed correlation. 1686 There have also been improvements to the hardware embodiment 1687 design for SM4 [SM4-VLSI] [SM4-FPGA], white-box implementions 1688 [SM4-WhiteBox], and performance enhancements [SM4-HiSpeed], that 1689 may resist such attacks. 1691 o The IV does not have to be secret. The IV itself, or criteria 1692 enough to determine it, *MAY* be transmitted with ciphertext. 1694 o SM4-ECB: ECB is one of the four original modes defined for DES. 1695 With its problem well known to "leak quite a large amount of 1696 information" [BC-EVAL], it *SHOULD NOT* be used in most cases. 1698 o SM4-CBC, SM4-CFB, SM4-OFB: CBC, CFB and OFB are IV-based modes of 1699 operation originally defined for DES. 1700 When using these modes of operation, the IV *SHOULD* be random to 1701 preserve message confidentiality [BC-EVAL]. It is shown in the 1702 same document that CBC, CFB, OFB, the variants #CBC, #CFB that 1703 utilize the recommendation of [NIST.SP.800-38A] to make CBC and 1704 CFB nonce-based, are SemCPA secure as probabilistic encryption 1705 schemes. 1706 Various attack scenarios have been described in [BC-EVAL] and 1707 these modes *SHOULD NOT* be used unless for compatibility reasons. 1709 o SM4-CTR: CTR is considered to be the "best" mode of operation 1710 within [NIST.SP.800-38A] as it is considered SemCPA secure as a 1711 nonce-based encryption scheme, providing provable-security 1712 guarantees as good as the classic modes of operation (ECB, CBC, 1713 CFB, OFB) [BC-EVAL]. 1714 Users with no need of authenticity, non-malleablility and chosen- 1715 ciphertext (CCA) security *MAY* utilize this mode of operation 1716 [BC-EVAL]. 1718 13. IANA Considerations 1720 This document does not require any action by IANA. 1722 14. References 1724 14.1. Normative References 1726 [GBT.32907-2016] 1727 Standardization Administration of the People's Republic of 1728 China, "GB/T 32907-2016: Information security technology 1729 -- SM4 block cipher algorithm", August 2016, 1730 . 1733 [ISO.IEC.18033-3.AMD2] 1734 International Organization for Standardization, "ISO/IEC 1735 WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block 1736 ciphers -- Amendment 2", June 2017, 1737 . 1739 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1740 Requirement Levels", BCP 14, RFC 2119, 1741 DOI 10.17487/RFC2119, March 1997, 1742 . 1744 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1745 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1746 May 2017, . 1748 14.2. Informative References 1750 [AES-BC] Bogdanov, A., Khovratovich, D., and C. Rechberger, 1751 "Biclique Cryptanalysis of the Full AES", 2011, 1752 . 1754 [AES-CA] Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, 1755 M., Wagner, D., and D. Whiting, "Improved Cryptanalysis of 1756 Rijndael", Jan 2002, 1757 . 1759 [AES-RKC] Biryukov, A. and D. Khovratovich, "Related-Key 1760 Cryptanalysis of the Full AES-192 and AES-256", 2009, 1761 . 1763 [AutoDC] Siwei, S., Hu, L., Wang, P., Qiao, K., Ma, X., and L. 1764 Song, "Automatic Security Evaluation and (Related-key) 1765 Differential Characteristic Search: Application to SIMON, 1766 PRESENT, LBlock, DES(L) and Other Bit-Oriented Block 1767 Ciphers", 2014, 1768 . 1770 [BC-Design] 1771 Wu, W., "Block Cipher Design and Analysis (in Chinese)", 1772 October 2009, . 1775 [BC-EVAL] Rogaway, P., "Evaluation of Some Blockcipher Modes of 1776 Operation", February 2011, 1777 . 1779 [BOTAN] Lloyd, J., "Botan: Crypto and TLS for C++11", October 1780 2017, . 1782 [GB.15629.11-2003] 1783 Standardization Administration of the People's Republic of 1784 China, "Information technology -- Telecommunications and 1785 information exchange between systems -- Local and 1786 metropolitan area networks -- Specific requirements -- 1787 Part 11: Wireless LAN Medium Access Control (MAC) and 1788 Physical Layer (PHY) Specifications", May 2003, 1789 . 1792 [GBT.33560-2017] 1793 Standardization Administration of the People's Republic of 1794 China, "GB/T 33560-2017: Information security technology 1795 -- Cryptographic application identifier criterion 1796 specification", May 2017, . 1799 [GMT-0002-2012] 1800 Office of State Commercial Administration of China, "GM/T 1801 0002-2012: SM4 block cipher algorithm", March 2012, 1802 . 1804 [GMT-0006-2012] 1805 Office of State Commercial Administration of China, "GM/T 1806 0006-2012: Cryptographic Application Identifier Criterion 1807 Specification", March 2012, 1808 . 1810 [ISO.IEC.18033-3] 1811 International Organization for Standardization, "ISO/IEC 1812 18033-3:2010 -- Encryption algorithms -- Part 3: Block 1813 ciphers", December 2017, 1814 . 1816 [LSW-Bio] Sun, M., "Lv Shu Wang -- A life in cryptography", November 1817 2010, 1818 . 1823 [MISTY1-270] 1824 Bar-On, A. and N. Keller, "A 2^{70} Attack on the Full 1825 MISTY1", 2016, 1826 . 1828 [MISTY1-IC] 1829 Todo, Y., "Integral Cryptanalysis on Full MISTY1", 2015, 1830 . 1832 [NIST.FIPS.197] 1833 National Institute of Standards and Technology, "NIST FIPS 1834 197: Advanced Encryption Standard (AES)", November 2001, 1835 . 1837 [NIST.SP.800-38A] 1838 Dworkin, M., "NIST Special Publication 800-38A: 1839 Recommendation for Block Cipher Modes of Operation -- 1840 Methods and Techniques", December 2001, 1841 . 1843 [OPENSSL] OpenSSL Software Foundation, "OpenSSL: Cryptography and 1844 SSL/TLS Toolkit", October 2017, . 1846 [SCA] State Cryptography Administration of China, "State 1847 Cryptography Administration of China", Dec 2017, 1848 . 1850 [SideChannel] 1851 Lei, Q., Wu, L., Zhang, S., Zhang, X., Li, X., Pan, L., 1852 and Z. Dong, "Software Hardware Co-design for Side-Channel 1853 Analysis Platform on Security Chips", December 2015, 1854 . 1856 [SM4] Office of State Commercial Administration of China, "SMS4 1857 Cryptographic Algorithm For Wireless LAN Products", 1858 January 2006, 1859 . 1861 [SM4-AAEr] 1862 Erickson, J., Ding, J., and C. Christensen, "Algebraic 1863 Cryptanalysis of SMS4: Groebner Basis Attack and SAT 1864 Attack Compared", 2010, 1865 . 1867 [SM4-AAJi] 1868 Wen, J., Lei, H., and H. Ou, "Algebraic Attack to SMS4 and 1869 the Comparison with AES", 2009, 1870 . 1872 [SM4-Details] 1873 Lu, S., Su, B., Peng, P., Miao, Y., and L. Huo, "Overview 1874 on SM4 Algorithm", October 2016, 1875 . 1877 [SM4-DiffSu] 1878 Su, B., Wu, W., and W. Zhang, "Security of the SMS4 Block 1879 Cipher Against Differential Cryptanalysis", January 2011, 1880 . 1882 [SM4-DiffZhang1] 1883 Zhang, L., Zhang, W., and W. Wu, "Cryptanalysis of 1884 Reduced-Round SMS4 Block Cipher", July 2008, 1885 . 1887 [SM4-DiffZhang2] 1888 Zhang, W., Wu, W., Feng, D., and B. Su, "Some New 1889 Observations on the SMS4 Block Cipher in the Chinese WAPI 1890 Standard", 2009, 1891 . 1893 [SM4-DiffZhang3] 1894 Zhang, M., Liu, J., and X. Wang, "22-Round SMS4 1895 Differential Cryptanalysis", 2010, 1896 . 1899 [SM4-En] Diffie, W. and G. Ledin, "SMS4 Encryption Algorithm for 1900 Wireless Networks", May 2008, 1901 . 1903 [SM4-FPGA] 1904 Cheng, H., Zhai, S., Fang, L., Ding, Q., and C. Huang, 1905 "Improvements of SM4 Algorithm and Application in Ethernet 1906 Encryption System Based on FPGA", July 2014, 1907 . 1911 [SM4-HiSpeed] 1912 Lv, Q., Li, L., and Y. Cao, "High-speed Encryption 1913 Decryption System Based on SM4", July 2016, 1914 . 1916 [SM4-ICLiu] 1917 Liu, F., Ji, W., Hu, L., Ding, J., Lv, S., Pyshkin, A., 1918 and R. Weinmann, "Analysis of the SMS4 Block Cipher", 1919 2007, . 1921 [SM4-ICZhong] 1922 Zhong, M., Hu, Y., and J. Chen, "14-Round Square Attack on 1923 Blockcipher SMS4", 2008, . 1926 [SM4-IDCLu] 1927 Lu, J., "Attacking Reduced-Round Versions of the SMS4 1928 Block Cipher in the Chinese WAPI Standard", 2007, 1929 . 1931 [SM4-IDCToz] 1932 Toz, D. and O. Dunkelman, "Analysis of Two Attacks on 1933 Reduced-Round Versions of the SMS4", 2008, 1934 . 1936 [SM4-IDCWang] 1937 Wang, G., "Improved Impossible Differential Cryptanalysis 1938 on SMS4", October 2010, 1939 . 1941 [SM4-LDA] Kim, T., Kim, J., Kim, S., and J. Sung, "Linear and 1942 Differential Cryptanalysis of Reduced SMS4 Block Cipher", 1943 June 2008, . 1945 [SM4-LinearDong] 1946 Dong, X., "Security Analysis of the blockciphers AES and 1947 SM4", 2011, . 1950 [SM4-LinearEtrog] 1951 Etrog, J. and M. Robshaw, "The Cryptanalysis of Reduced- 1952 Round SMS4", 2009, 1953 . 1955 [SM4-LinearLiu] 1956 Liu, M. and J. Chen, "Improved Linear Attacks on the 1957 Chinese Block Cipher Standard", November 2014, 1958 . 1960 [SM4-MatrixShe] 1961 Ping, S., "Matrix Attack On Blockcipher SMS4", 2012, 1962 . 1965 [SM4-MatrixWei] 1966 Wei, H., Cui, H., and X. Lu, "Differential-Algebraic 1967 Analysis of the SMS4 Block Cipher", 2012, 1968 . 1971 [SM4-MLCho] 1972 Cho, J. and K. Nyberg, "Improved linear cryptanalysis of 1973 SM4 block cipher", 2010, . 1976 [SM4-MLLiu] 1977 Zhiqiang, L., Dawu, G., and Z. Jing, "Multiple Linear 1978 Cryptanalysis of Reduced-Round SMS4 Block Cipher", 2010, 1979 . 1982 [SM4-NLC] Liu, Y., Liang, H., Wang, W., and M. Wang, "New Linear 1983 Cryptanalysis of Chinese Commercial Block Cipher Standard 1984 SM4", June 2017, . 1986 [SM4-Power] 1987 Du, Z., Wu, Z., Wang, M., and J. Rao, "Improved chosen- 1988 plaintext power analysis attack against SM4 at the round- 1989 output", October 2015, 1990 . 1992 [SM4-Random] 1993 Zhang, L. and W. Wu, "Pseudorandomness and Super- 1994 pseudorandomness of a non-balanced Feistel Structure using 1995 compressed functions", January 2009, 1996 . 1999 [SM4-RKDC] 2000 Zhang, J., Wu, W., and Y. Zheng, "Security of SM4 Against 2001 (Related-Key) Differential Cryptanalysis", November 2016, 2002 . 2004 [SM4-Sbox] 2005 Liu, J., Wei, B., and X. Dai, "Cryptographic Properties of 2006 S-box in SMS4", January 2011, 2007 . 2010 [SM4-SLC] Zhang, B. and J. Chenhui, "Practical security against 2011 linear cryptanalysis for SMS4-like ciphers with SP round 2012 function", 2012, 2013 . 2015 [SM4-SLDC] 2016 Zhang, M., Liu, Y., Liu, J., and X. Min, "Practically 2017 Secure against Differential Cryptanalysis for Block Cipher 2018 SMS4", 2011, . 2020 [SM4-VLSI] 2021 Yu, S., Li, K., Li, K., Qin, Y., and Z. Tong, "A VLSI 2022 implementation of an SM4 algorithm resistant to power 2023 analysis", July 2016, 2024 . 2026 [SM4-WhiteBox] 2027 Bai, K. and C. Wu, "A secure white-box SM4 2028 implementation", May 2008, 2029 . 2031 [SM4-ZCLC] 2032 Ma, M., Zhao, Y., Liu, Q., and F. Liu, "Multidimensional 2033 Zero-correlation Linear Cryptanalysis on SMS4 Algorithm", 2034 September 2015, 2035 . 2038 Appendix A. Appendix A: Example Calculations 2040 A.1. Examples From GB/T 32907-2016 2042 A.1.1. Example 1 (GB/T 32907-2016 Example 1 Encryption) 2044 This is example 1 provided by [GBT.32907-2016] to demonstrate 2045 encryption of a plaintext. 2047 Plaintext: 2049 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2051 Encryption key: 2053 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2055 Status of the round key (rk_i) and round output (X_i) per round: 2057 rk_0 = F12186F9 X_4 = 27FAD345 2058 rk_1 = 41662B61 X_5 = A18B4CB2 2059 rk_2 = 5A6AB19A X_6 = 11C1E22A 2060 rk_3 = 7BA92077 X_7 = CC13E2EE 2061 rk_4 = 367360F4 X_8 = F87C5BD5 2062 rk_5 = 776A0C61 X_9 = 33220757 2063 rk_6 = B6BB89B3 X_10 = 77F4C297 2064 rk_7 = 24763151 X_11 = 7A96F2EB 2065 rk_8 = A520307C X_12 = 27DAC07F 2066 rk_9 = B7584DBD X_13 = 42DD0F19 2067 rk_10 = C30753ED X_14 = B8A5DA02 2068 rk_11 = 7EE55B57 X_15 = 907127FA 2069 rk_12 = 6988608C X_16 = 8B952B83 2070 rk_13 = 30D895B7 X_17 = D42B7C59 2071 rk_14 = 44BA14AF X_18 = 2FFC5831 2072 rk_15 = 104495A1 X_19 = F69E6888 2073 rk_16 = D120B428 X_20 = AF2432C4 2074 rk_17 = 73B55FA3 X_21 = ED1EC85E 2075 rk_18 = CC874966 X_22 = 55A3BA22 2076 rk_19 = 92244439 X_23 = 124B18AA 2077 rk_20 = E89E641F X_24 = 6AE7725F 2078 rk_21 = 98CA015A X_25 = F4CBA1F9 2079 rk_22 = C7159060 X_26 = 1DCDFA10 2080 rk_23 = 99E1FD2E X_27 = 2FF60603 2081 rk_24 = B79BD80C X_28 = EFF24FDC 2082 rk_25 = 1D2115B0 X_29 = 6FE46B75 2083 rk_26 = 0E228AEB X_30 = 893450AD 2084 rk_27 = F1780C81 X_31 = 7B938F4C 2085 rk_28 = 428D3654 X_32 = 536E4246 2086 rk_29 = 62293496 X_33 = 86B3E94F 2087 rk_30 = 01CF72E5 X_34 = D206965E 2088 rk_31 = 9124A012 X_35 = 681EDF34 2090 Ciphertext: 2092 68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46 2094 A.1.2. Example 2 (GB/T 32907-2016 Example 1 Decryption) 2096 This demonstrates the decryption process of the Example 1 ciphertext 2097 provided by [GBT.32907-2016]. 2099 Ciphertext: 2101 68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46 2103 Encryption key: 2105 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2107 Status of the round key (rk_i) and round output (X_i) per round: 2109 rk_31 = 9124A012 X_35 = 7B938F4C 2110 rk_30 = 01CF72E5 X_34 = 893450AD 2111 rk_29 = 62293496 X_33 = 6FE46B75 2112 rk_28 = 428D3654 X_32 = EFF24FDC 2113 rk_27 = F1780C81 X_31 = 2FF60603 2114 rk_26 = 0E228AEB X_30 = 1DCDFA10 2115 rk_25 = 1D2115B0 X_29 = F4CBA1F9 2116 rk_24 = B79BD80C X_28 = 6AE7725F 2117 rk_23 = 99E1FD2E X_27 = 124B18AA 2118 rk_22 = C7159060 X_26 = 55A3BA22 2119 rk_21 = 98CA015A X_25 = ED1EC85E 2120 rk_20 = E89E641F X_24 = AF2432C4 2121 rk_19 = 92244439 X_23 = F69E6888 2122 rk_18 = CC874966 X_22 = 2FFC5831 2123 rk_17 = 73B55FA3 X_21 = D42B7C59 2124 rk_16 = D120B428 X_20 = 8B952B83 2125 rk_15 = 104495A1 X_19 = 907127FA 2126 rk_14 = 44BA14AF X_18 = B8A5DA02 2127 rk_13 = 30D895B7 X_17 = 42DD0F19 2128 rk_12 = 6988608C X_16 = 27DAC07F 2129 rk_11 = 7EE55B57 X_15 = 7A96F2EB 2130 rk_10 = C30753ED X_14 = 77F4C297 2131 rk_9 = B7584DBD X_13 = 33220757 2132 rk_8 = A520307C X_12 = F87C5BD5 2133 rk_7 = 24763151 X_11 = CC13E2EE 2134 rk_6 = B6BB89B3 X_10 = 11C1E22A 2135 rk_5 = 776A0C61 X_9 = A18B4CB2 2136 rk_4 = 367360F4 X_8 = 27FAD345 2137 rk_3 = 7BA92077 X_7 = 76543210 2138 rk_2 = 5A6AB19A X_6 = FEDCBA98 2139 rk_1 = 41662B61 X_5 = 89ABCDEF 2140 rk_0 = F12186F9 X_4 = 01234567 2141 Plaintext: 2143 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2145 A.1.3. Example 3 (GB/T 32907-2016 Example 2 Encryption) 2147 This example is provided by [GBT.32907-2016] to demonstrate 2148 encryption of a plaintext 1,000,000 times repeatedly, using a fixed 2149 encryption key. 2151 Plaintext: 2153 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2155 Encryption Key: 2157 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2159 Ciphertext: 2161 59 52 98 C7 C6 FD 27 1F 04 02 F8 04 C3 3D 3F 66 2163 A.1.4. Example 4 2165 The following example demonstrates encryption of a different message 2166 using a different key from the above examples. 2168 Plaintext: 2170 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2172 Encryption key: 2174 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2176 Status of the round key (rk_i) and round output (X_i) per round: 2178 rk_0 = 0D8CC1B4 X_4 = F7EAEB6A 2179 rk_1 = AC44F213 X_5 = B4967C0F 2180 rk_2 = 188C0C40 X_6 = 5B9B2419 2181 rk_3 = 7537585E X_7 = F46BECBA 2182 rk_4 = 627646F5 X_8 = A8013E25 2183 rk_5 = 54D785AD X_9 = B38E2ABE 2184 rk_6 = 51B96DEE X_10 = 3E7C99A1 2185 rk_7 = 0C385958 X_11 = 6DD5F47F 2186 rk_8 = 5E494992 X_12 = B286430C 2187 rk_9 = 32F3FE04 X_13 = AB997DE3 2188 rk_10 = 3A3A733D X_14 = 80F8F21F 2189 rk_11 = 0EDFB91D X_15 = 4EF7052E 2190 rk_12 = 6823CD6B X_16 = 4462FFAF 2191 rk_13 = 40F7D825 X_17 = 14DFD5EA 2192 rk_14 = 4BD68EE5 X_18 = 6D33EFED 2193 rk_15 = 165A36C8 X_19 = 3A4F8B3C 2194 rk_16 = 56608984 X_20 = 1A435088 2195 rk_17 = 23F35FF4 X_21 = 4E64B153 2196 rk_18 = 8B592B3E X_22 = 0415CEDA 2197 rk_19 = 80F7388A X_23 = ADD88955 2198 rk_20 = 0415C409 X_24 = 73964EF1 2199 rk_21 = AFDF1370 X_25 = B0085092 2200 rk_22 = CF444772 X_26 = 554A1293 2201 rk_23 = 9AF9901F X_27 = 4BC6D6A8 2202 rk_24 = C457578C X_28 = 7BB650E1 2203 rk_25 = 95701C60 X_29 = DDFB8A61 2204 rk_26 = 2B0F4EE1 X_30 = 5C4DFD78 2205 rk_27 = 7F826139 X_31 = FD9066FD 2206 rk_28 = FA37F8D9 X_32 = 55ADB594 2207 rk_29 = D18AF8CE X_33 = AC1B3EA9 2208 rk_30 = 5BD5D8C6 X_34 = 13F01ADE 2209 rk_31 = 711138B7 X_35 = F766678F 2211 Ciphertext: 2213 F7 66 67 8F 13 F0 1A DE AC 1B 3E A9 55 AD B5 94 2215 A.1.5. Example 5 2217 The following example demonstrates decryption of Example 4. 2219 Ciphertext: 2221 F7 66 67 8F 13 F0 1A DE AC 1B 3E A9 55 AD B5 94 2223 Encryption key: 2225 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2226 Status of the round key (rk_i) and round output (X_i) per round: 2228 rk_31 = 711138B7 X_35 = FD9066FD 2229 rk_30 = 5BD5D8C6 X_34 = 5C4DFD78 2230 rk_29 = D18AF8CE X_33 = DDFB8A61 2231 rk_28 = FA37F8D9 X_32 = 7BB650E1 2232 rk_27 = 7F826139 X_31 = 4BC6D6A8 2233 rk_26 = 2B0F4EE1 X_30 = 554A1293 2234 rk_25 = 95701C60 X_29 = B0085092 2235 rk_24 = C457578C X_28 = 73964EF1 2236 rk_23 = 9AF9901F X_27 = ADD88955 2237 rk_22 = CF444772 X_26 = 0415CEDA 2238 rk_21 = AFDF1370 X_25 = 4E64B153 2239 rk_20 = 0415C409 X_24 = 1A435088 2240 rk_19 = 80F7388A X_23 = 3A4F8B3C 2241 rk_18 = 8B592B3E X_22 = 6D33EFED 2242 rk_17 = 23F35FF4 X_21 = 14DFD5EA 2243 rk_16 = 56608984 X_20 = 4462FFAF 2244 rk_15 = 165A36C8 X_19 = 4EF7052E 2245 rk_14 = 4BD68EE5 X_18 = 80F8F21F 2246 rk_13 = 40F7D825 X_17 = AB997DE3 2247 rk_12 = 6823CD6B X_16 = B286430C 2248 rk_11 = 0EDFB91D X_15 = 6DD5F47F 2249 rk_10 = 3A3A733D X_14 = 3E7C99A1 2250 rk_9 = 32F3FE04 X_13 = B38E2ABE 2251 rk_8 = 5E494992 X_12 = A8013E25 2252 rk_7 = 0C385958 X_11 = F46BECBA 2253 rk_6 = 51B96DEE X_10 = 5B9B2419 2254 rk_5 = 54D785AD X_9 = B4967C0F 2255 rk_4 = 627646F5 X_8 = F7EAEB6A 2256 rk_3 = 7537585E X_7 = 0C0D0E0F 2257 rk_2 = 188C0C40 X_6 = 08090A0B 2258 rk_1 = AC44F213 X_5 = 04050607 2259 rk_0 = 0D8CC1B4 X_4 = 00010203 2261 Plaintext: 2263 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2265 A.1.6. Example 6 2267 This example is based on Example 4 to demonstrate encryption of a 2268 plaintext 1,000,000 times repeatedly, using a fixed encryption key. 2270 Plaintext: 2272 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2273 Encryption Key: 2275 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2277 Ciphertext: 2279 37 9A 96 D0 A6 A5 A5 06 0F B4 60 C7 5D 18 79 ED 2281 A.2. Examples For Various Modes Of Operations 2283 The following examples can be verified using open-source 2284 cryptographic libraries including: 2286 o the Botan cryptographic library [BOTAN] with SM4 support, and 2288 o the OpenSSL Cryptography and SSL/TLS Toolkit [OPENSSL] with SM4 2289 support 2291 A.2.1. SM4-ECB Examples 2293 A.2.1.1. Example 1 2295 Plaintext: 2297 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2298 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2300 Encryption Key: 2302 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2304 Ciphertext: 2306 5E C8 14 3D E5 09 CF F7 B5 17 9F 8F 47 4B 86 19 2307 2F 1D 30 5A 7F B1 7D F9 85 F8 1C 84 82 19 23 04 2309 A.2.1.2. Example 2 2311 Plaintext: 2313 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2314 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2316 Encryption Key: 2318 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2320 Ciphertext: 2322 C5 87 68 97 E4 A5 9B BB A7 2A 10 C8 38 72 24 5B 2323 12 DD 90 BC 2D 20 06 92 B5 29 A4 15 5A C9 E6 00 2325 A.2.2. SM4-CBC Examples 2327 A.2.2.1. Example 1 2329 Plaintext: 2331 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2332 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2334 Encryption Key: 2336 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2338 IV: 2340 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2342 Ciphertext: 2344 78 EB B1 1C C4 0B 0A 48 31 2A AE B2 04 02 44 CB 2345 4C B7 01 69 51 90 92 26 97 9B 0D 15 DC 6A 8F 6D 2347 A.2.2.2. Example 2 2349 Plaintext: 2351 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2352 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2354 Encryption Key: 2356 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2358 IV: 2360 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2362 Ciphertext: 2364 0D 3A 6D DC 2D 21 C6 98 85 72 15 58 7B 7B B5 9A 2365 91 F2 C1 47 91 1A 41 44 66 5E 1F A1 D4 0B AE 38 2367 A.2.3. SM4-OFB Examples 2369 A.2.3.1. Example 1 2371 Plaintext: 2373 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2374 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2376 Encryption Key: 2378 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2380 IV: 2382 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2384 Ciphertext: 2386 AC 32 36 CB 86 1D D3 16 E6 41 3B 4E 3C 75 24 B7 2387 1D 01 AC A2 48 7C A5 82 CB F5 46 3E 66 98 53 9B 2389 A.2.3.2. Example 2 2391 Plaintext: 2393 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2394 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2396 Encryption Key: 2398 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2400 IV: 2402 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2404 Ciphertext: 2406 5D CC CD 25 A8 4B A1 65 60 D7 F2 65 88 70 68 49 2407 33 FA 16 BD 5C D9 C8 56 CA CA A1 E1 01 89 7A 97 2409 A.2.4. SM4-CFB Examples 2410 A.2.4.1. Example 1 2412 Plaintext: 2414 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2415 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2417 Encryption Key: 2419 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2421 IV: 2423 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2425 Ciphertext: 2427 AC 32 36 CB 86 1D D3 16 E6 41 3B 4E 3C 75 24 B7 2428 69 D4 C5 4E D4 33 B9 A0 34 60 09 BE B3 7B 2B 3F 2430 A.2.4.2. Example 2 2432 Plaintext: 2434 AA AA AA AA BB BB BB BB CC CC CC CC DD DD DD DD 2435 EE EE EE EE FF FF FF FF AA AA AA AA BB BB BB BB 2437 Encryption Key: 2439 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2441 IV: 2443 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2445 Ciphertext: 2447 5D CC CD 25 A8 4B A1 65 60 D7 F2 65 88 70 68 49 2448 0D 9B 86 FF 20 C3 BF E1 15 FF A0 2C A6 19 2C C5 2450 A.2.5. SM4-CTR Examples 2452 A.2.5.1. Example 1 2454 Plaintext: 2456 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2457 CC CC CC CC CC CC CC CC DD DD DD DD DD DD DD DD 2458 EE EE EE EE EE EE EE EE FF FF FF FF FF FF FF FF 2459 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2461 Encryption Key: 2463 01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 2465 IV: 2467 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2469 Ciphertext: 2471 AC 32 36 CB 97 0C C2 07 91 36 4C 39 5A 13 42 D1 2472 A3 CB C1 87 8C 6F 30 CD 07 4C CE 38 5C DD 70 C7 2473 F2 34 BC 0E 24 C1 19 80 FD 12 86 31 0C E3 7B 92 2474 6E 02 FC D0 FA A0 BA F3 8B 29 33 85 1D 82 45 14 2476 A.2.5.2. Example 2 2478 Plaintext: 2480 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2481 CC CC CC CC CC CC CC CC DD DD DD DD DD DD DD DD 2482 EE EE EE EE EE EE EE EE FF FF FF FF FF FF FF FF 2483 AA AA AA AA AA AA AA AA BB BB BB BB BB BB BB BB 2485 Encryption Key: 2487 FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 2489 IV: 2491 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 2493 Ciphertext: 2495 5D CC CD 25 B9 5A B0 74 17 A0 85 12 EE 16 0E 2F 2496 8F 66 15 21 CB BA B4 4C C8 71 38 44 5B C2 9E 5C 2497 0A E0 29 72 05 D6 27 04 17 3B 21 23 9B 88 7F 6C 2498 8C B5 B8 00 91 7A 24 88 28 4B DE 9E 16 EA 29 06 2500 Appendix B. Sample Implementation In C 2502 B.1. sm4.h 2504 "sm4.h" is the header file for the SM4 function. 2506 2507 #ifndef HEADER_SM4_H 2508 # define HEADER_SM4_H 2510 #include 2512 # define SM4_BLOCK_SIZE 16 2513 # define SM4_KEY_SCHEDULE 32 2515 void sm4_encrypt(uint8_t key[], 2516 unsigned char plaintext[], 2517 unsigned char ciphertext[]); 2519 void sm4_decrypt(uint8_t key[], 2520 unsigned char ciphertext[], 2521 unsigned char plaintext[]); 2523 #endif 2525 2527 B.2. sm4.c 2529 "sm4.c" contains the main implementation of SM4. 2531 2532 /* A sample implementation of SM4 */ 2534 #include 2535 #include 2536 #include "sm4.h" 2537 #include "print.h" 2539 /* Operations */ 2540 /* Rotate Left 32-bit number */ 2541 #define ROTL32(X, n) (((X) << (n)) | ((X) >> (32 - (n)))) 2543 static uint32_t sm4_ck[32] = { 2544 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269, 2545 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9, 2546 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249, 2547 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9, 2548 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229, 2549 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299, 2550 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209, 2551 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 2552 }; 2554 static uint8_t sm4_sbox[256] = { 2555 0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 2556 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05, 2557 0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 2558 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 2559 0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 2560 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62, 2561 0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 2562 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6, 2563 0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 2564 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8, 2565 0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 2566 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35, 2567 0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 2568 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87, 2569 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52, 2570 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 2571 0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 2572 0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1, 2573 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 2574 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3, 2575 0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 2576 0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 2577 0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 2578 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51, 2579 0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 2580 0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8, 2581 0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 2582 0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0, 2583 0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 2584 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84, 2585 0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 2586 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0x48 2587 }; 2589 static uint32_t sm4_fk[4] = { 2590 0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC 2591 }; 2593 static uint32_t load_u32_be(const uint8_t *b, uint32_t n) 2594 { 2595 return ((uint32_t)b[4 * n + 3] << 24) | 2596 ((uint32_t)b[4 * n + 2] << 16) | 2597 ((uint32_t)b[4 * n + 1] << 8) | 2598 ((uint32_t)b[4 * n ]); 2599 } 2601 static void store_u32_be(uint32_t v, uint8_t *b) 2602 { 2603 b[3] = (uint8_t)(v >> 24); 2604 b[2] = (uint8_t)(v >> 16); 2605 b[1] = (uint8_t)(v >> 8); 2606 b[0] = (uint8_t)(v); 2607 } 2609 static void sm4_key_schedule(uint8_t key[], uint32_t rk[]) 2610 { 2611 uint32_t t, x, k[36]; 2612 int i; 2614 for (i = 0; i < 4; i++) 2615 { 2616 k[i] = load_u32_be(key, i) ^ sm4_fk[i]; 2617 } 2619 /* T' */ 2620 for (i = 0; i < SM4_KEY_SCHEDULE; ++i) 2621 { 2622 x = k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ sm4_ck[i]; 2624 /* Nonlinear operation tau */ 2625 t = ((uint32_t)sm4_sbox[(uint8_t)(x >> 24)]) << 24 | 2626 ((uint32_t)sm4_sbox[(uint8_t)(x >> 16)]) << 16 | 2627 ((uint32_t)sm4_sbox[(uint8_t)(x >> 8)]) << 8 | 2628 ((uint32_t)sm4_sbox[(uint8_t)(x)]); 2630 /* Linear operation L' */ 2631 k[i+4] = k[i] ^ (t ^ ROTL32(t, 13) ^ ROTL32(t, 23)); 2632 rk[i] = k[i + 4]; 2633 } 2635 } 2637 #define SM4_ROUNDS(k0, k1, k2, k3, F) \ 2638 do { \ 2639 X0 ^= F(X1 ^ X2 ^ X3 ^ rk[k0]); \ 2640 X1 ^= F(X0 ^ X2 ^ X3 ^ rk[k1]); \ 2641 X2 ^= F(X0 ^ X1 ^ X3 ^ rk[k2]); \ 2642 X3 ^= F(X0 ^ X1 ^ X2 ^ rk[k3]); \ 2643 debug_print("rk_%0.2i = %0.8x " \ 2644 " X_%0.2i = %0.8x\n", k0, rk[k0], k0+4, X0); \ 2645 debug_print("rk_%0.2i = %0.8x " \ 2646 " X_%0.2i = %0.8x\n", k1, rk[k1], k1+4, X1); \ 2647 debug_print("rk_%0.2i = %0.8x " \ 2648 " X_%0.2i = %0.8x\n", k2, rk[k2], k2+4, X2); \ 2649 debug_print("rk_%0.2i = %0.8x " \ 2650 " X_%0.2i = %0.8x\n", k3, rk[k3], k3+4, X3); \ 2651 } while(0) 2653 static uint32_t sm4_t(uint32_t x) 2654 { 2655 uint32_t t = 0; 2657 t |= ((uint32_t)sm4_sbox[(uint8_t)(x >> 24)]) << 24; 2658 t |= ((uint32_t)sm4_sbox[(uint8_t)(x >> 16)]) << 16; 2659 t |= ((uint32_t)sm4_sbox[(uint8_t)(x >> 8)]) << 8; 2660 t |= sm4_sbox[(uint8_t)x]; 2662 /* 2663 * L linear transform 2664 */ 2665 return t ^ ROTL32(t, 2) ^ ROTL32(t, 10) ^ 2666 ROTL32(t, 18) ^ ROTL32(t, 24); 2667 } 2669 void sm4_encrypt(uint8_t key[], 2670 unsigned char plaintext[], 2671 unsigned char ciphertext[]) 2672 { 2673 uint32_t rk[SM4_KEY_SCHEDULE], X0, X1, X2, X3; 2674 int i, j; 2676 sm4_key_schedule(key, rk); 2678 X0 = load_u32_be(plaintext, 0); 2679 X1 = load_u32_be(plaintext, 1); 2680 X2 = load_u32_be(plaintext, 2); 2681 X3 = load_u32_be(plaintext, 3); 2683 SM4_ROUNDS( 0, 1, 2, 3, sm4_t); 2684 SM4_ROUNDS( 4, 5, 6, 7, sm4_t); 2685 SM4_ROUNDS( 8, 9, 10, 11, sm4_t); 2686 SM4_ROUNDS(12, 13, 14, 15, sm4_t); 2687 SM4_ROUNDS(16, 17, 18, 19, sm4_t); 2688 SM4_ROUNDS(20, 21, 22, 23, sm4_t); 2689 SM4_ROUNDS(24, 25, 26, 27, sm4_t); 2690 SM4_ROUNDS(28, 29, 30, 31, sm4_t); 2691 store_u32_be(X3, ciphertext); 2692 store_u32_be(X2, ciphertext + 4); 2693 store_u32_be(X1, ciphertext + 8); 2694 store_u32_be(X0, ciphertext + 12); 2695 } 2697 void sm4_decrypt(uint8_t key[], 2698 unsigned char ciphertext[], 2699 unsigned char plaintext[]) 2700 { 2701 uint32_t rk[SM4_KEY_SCHEDULE], X0, X1, X2, X3; 2702 int i, j; 2704 sm4_key_schedule(key, rk); 2706 X0 = load_u32_be(ciphertext, 0); 2707 X1 = load_u32_be(ciphertext, 1); 2708 X2 = load_u32_be(ciphertext, 2); 2709 X3 = load_u32_be(ciphertext, 3); 2711 SM4_ROUNDS(31, 30, 29, 28, sm4_t); 2712 SM4_ROUNDS(27, 26, 25, 24, sm4_t); 2713 SM4_ROUNDS(23, 22, 21, 20, sm4_t); 2714 SM4_ROUNDS(19, 18, 17, 16, sm4_t); 2715 SM4_ROUNDS(15, 14, 13, 12, sm4_t); 2716 SM4_ROUNDS(11, 10, 9, 8, sm4_t); 2717 SM4_ROUNDS( 7, 6, 5, 4, sm4_t); 2718 SM4_ROUNDS( 3, 2, 1, 0, sm4_t); 2720 store_u32_be(X3, plaintext); 2721 store_u32_be(X2, plaintext + 4); 2722 store_u32_be(X1, plaintext + 8); 2723 store_u32_be(X0, plaintext + 12); 2724 } 2726 2728 B.3. sm4_main.c 2730 "sm4_main.c" is used to run the examples provided in this document 2731 and print out internal state for implementation reference. 2733 2734 #include 2735 #include 2736 #include 2737 #include "sm4.h" 2738 #include "print.h" 2739 typedef struct { 2740 unsigned char* key; 2741 unsigned char* message; 2742 unsigned char* expected; 2743 int iterations; 2744 bool encrypt; 2745 } test_case; 2747 int sm4_run_example(test_case tc) 2748 { 2749 unsigned char input[SM4_BLOCK_SIZE] = {0}; 2750 unsigned char output[SM4_BLOCK_SIZE] = {0}; 2751 int i; 2753 debug_print("-----------------------" 2754 " Message Input m Begin " 2755 "-------------------------\n"); 2756 print_bytes((unsigned int*)tc.message, SM4_BLOCK_SIZE); 2757 debug_print("----------------------- " 2758 "Message Input m End " 2759 "---------------------------\n"); 2761 if (tc.encrypt) 2762 { 2763 debug_print("----------------------- " 2764 "Encrypt " 2765 "---------------------------\n"); 2766 memcpy(input, tc.message, SM4_BLOCK_SIZE); 2767 for (i = 0; i != tc.iterations; ++i) 2768 { 2769 sm4_encrypt(tc.key, 2770 (unsigned char*)input, 2771 (unsigned char*)output); 2772 memcpy(input, output, SM4_BLOCK_SIZE); 2773 } 2774 } 2775 else 2776 { 2777 debug_print("----------------------- " 2778 "Decrypt " 2779 "---------------------------\n"); 2780 memcpy(input, tc.message, SM4_BLOCK_SIZE); 2781 for (i = 0; i != tc.iterations; ++i) 2782 { 2783 sm4_decrypt(tc.key, 2784 (unsigned char*)input, 2785 (unsigned char*)output); 2786 memcpy(input, output, SM4_BLOCK_SIZE); 2788 } 2789 } 2791 debug = 1; 2792 debug_print("+++++++++++++++++++++++++++++++" 2793 " RESULT " 2794 "++++++++++++++++++++++++++++++++\n"); 2795 debug_print("RESULTS:\n"); 2796 debug_print(" Expected:\n"); 2797 print_bytes((unsigned int*)tc.expected, SM4_BLOCK_SIZE); 2799 debug_print(" Output:\n"); 2800 print_bytes((unsigned int*)output, SM4_BLOCK_SIZE); 2802 debug = 0; 2803 return memcmp( 2804 (unsigned char*)output, 2805 (unsigned char*)tc.expected, 2806 SM4_BLOCK_SIZE 2807 ); 2808 } 2810 int main(int argc, char **argv) 2811 { 2813 int i; 2814 unsigned char key[SM4_BLOCK_SIZE]; 2815 unsigned char block[SM4_BLOCK_SIZE]; 2817 test_case tests[8] = {0}; 2819 /* 2820 * This test vector comes from Example 1 of GB/T 32907-2016, 2821 */ 2822 static const unsigned int gbt32907k1[SM4_BLOCK_SIZE] = { 2823 0x01234567, 0x89abcdef, 2824 0xfedcba98, 0x76543210 2825 }; 2826 static const unsigned int gbt32907m1[SM4_BLOCK_SIZE] = { 2827 0x01234567, 0x89abcdef, 2828 0xfedcba98, 0x76543210 2829 }; 2830 static const unsigned int gbt32907e1[SM4_BLOCK_SIZE] = { 2831 0x681edf34, 0xd206965e, 2832 0x86b3e94f, 0x536e4246 2833 }; 2834 test_case gbt32907t1 = { 2835 (unsigned char*)gbt32907k1, 2836 (unsigned char*)gbt32907m1, 2837 (unsigned char*)gbt32907e1, 2838 1, 2839 true 2840 }; 2841 tests[0] = gbt32907t1; 2843 /* 2844 * This test vector comes from Example 2 from GB/T 32907-2016. 2845 * After 1,000,000 iterations. 2846 */ 2847 static const unsigned int gbt32907e2[SM4_BLOCK_SIZE] = { 2848 0x595298c7, 0xc6fd271f, 2849 0x0402f804, 0xc33d3f66 2850 }; 2851 test_case gbt32907t2 = { 2852 (unsigned char*)gbt32907k1, 2853 (unsigned char*)gbt32907m1, 2854 (unsigned char*)gbt32907e2, 2855 1000000, 2856 true 2857 }; 2858 tests[1] = gbt32907t2; 2860 /* 2861 * This test vector reverses Example 1 of GB/T 32907-2016. 2862 * After decrypting 1 iteration. 2863 */ 2864 test_case gbt32907t3 = { 2865 (unsigned char*)gbt32907k1, 2866 (unsigned char*)gbt32907e1, 2867 (unsigned char*)gbt32907m1, 2868 1, 2869 false 2870 }; 2871 tests[2] = gbt32907t3; 2873 /* 2874 * This test vector reverses Example 2 of GB/T 32907-2016. 2875 * After decrypting 1,000,000 iterations. 2876 */ 2877 test_case gbt32907t4 = { 2878 (unsigned char*)gbt32907k1, 2879 (unsigned char*)gbt32907e2, 2880 (unsigned char*)gbt32907m1, 2881 1000000, 2882 false 2883 }; 2884 tests[3] = gbt32907t4; 2886 /* 2887 * Newly added examples to demonstrate key changes. 2888 */ 2889 static const unsigned int newexamplek1[SM4_BLOCK_SIZE] = { 2890 0xfedcba98, 0x76543210, 2891 0x01234567, 0x89abcdef 2892 }; 2893 static const unsigned int newexamplem1[SM4_BLOCK_SIZE] = { 2894 0x00010203, 0x04050607, 2895 0x08090a0b, 0x0c0d0e0f 2896 }; 2897 static const unsigned int newexamplee1[SM4_BLOCK_SIZE] = { 2898 0xf766678f, 0x13f01ade, 2899 0xac1b3ea9, 0x55adb594 2900 }; 2901 /* 2902 */ 2903 test_case newexample1 = { 2904 (unsigned char*)newexamplek1, 2905 (unsigned char*)newexamplem1, 2906 (unsigned char*)newexamplee1, 2907 1, 2908 true 2909 }; 2910 tests[4] = newexample1; 2912 test_case newexample2 = { 2913 (unsigned char*)newexamplek1, 2914 (unsigned char*)newexamplee1, 2915 (unsigned char*)newexamplem1, 2916 1, 2917 false 2918 }; 2919 tests[5] = newexample2; 2921 /* 2922 * After 1,000,000 iterations. 2923 */ 2924 static const unsigned int newexamplee2[SM4_BLOCK_SIZE] = { 2925 0x379a96d0, 0xa6a5a506, 2926 0x0fb460c7, 0x5d1879ed 2927 }; 2928 test_case newexample3 = { 2929 (unsigned char*)newexamplek1, 2930 (unsigned char*)newexamplem1, 2931 (unsigned char*)newexamplee2, 2932 1000000, 2933 true 2934 }; 2935 tests[6] = newexample3; 2937 for (i = 0; i < 7; ++i) 2938 { 2940 if (i == 1 || i == 3) 2941 continue; 2943 printf("sm4_example[%2i]: %s\n", i, 2944 sm4_run_example(tests[i]) ? "FAIL" : "PASS"); 2945 } 2947 return 0; 2948 } 2950 2952 B.4. print.c and print.h 2954 "print.c" and "print.h" are used to provide pretty formatting used to 2955 print out the examples for this document. 2957 "print.h" 2959 2960 #ifndef SM4PRINT_H 2961 #define SM4PRINT_H 2963 #define DEBUG 0 2964 #define debug_print(...) \ 2965 do { if (DEBUG) fprintf(stderr, __VA_ARGS__); } while (0) 2967 #include 2969 void print_bytes(unsigned* buf, int n); 2971 #endif 2972 2974 "print.c" 2975 2976 #include 2977 #include "print.h" 2979 void print_bytes(unsigned int* buf, int n) 2980 { 2981 unsigned char* ptr = (unsigned char*)buf; 2982 int i, j; 2984 for (i = 0; i <= n/4; i++) { 2985 if (i > 0 && i % 8 == 0) { 2986 debug_print("\n"); 2987 } 2988 for (j = 1; j <= 4; j++) { 2989 if ((i*4+4-j) < n) { 2990 debug_print("%.2X", ptr[(i*4)+4-j]); 2991 } 2992 } 2993 debug_print(" "); 2994 } 2995 debug_print("\n"); 2996 } 2998 3000 Appendix C. Acknowledgements 3002 The authors would like to thank the following persons for their 3003 valuable advice and input. 3005 o Erick Borsboom, for assisting the lengthy review of this document; 3007 o Jack Lloyd and Daniel Wyatt, of the Ribose RNP team, for their 3008 input and implementation; 3010 o Paul Yang, for reviewing and proposing improvements to readability 3011 of this document; 3013 o Markku-Juhani Olavi Saarinen, for reviewing and proposing 3014 inclusion of better examples and reference code to aid 3015 implementers, as well as for actually going through the examples 3016 to ensure their correctness. 3018 Authors' Addresses 3019 Ronald Henry Tse 3020 Ribose 3021 Suite 1111, 1 Pedder Street 3022 Central, Hong Kong 3023 People's Republic of China 3025 Email: ronald.tse@ribose.com 3026 URI: https://www.ribose.com 3028 Wai Kit Wong 3029 Hang Seng Management College 3030 Hang Shin Link, Siu Lek Yuen 3031 Shatin, Hong Kong 3032 People's Republic of China 3034 Email: wongwk@hsmc.edu.hk 3035 URI: https://www.hsmc.edu.hk