CN110278070B - Method and device for realizing S box in SM4 algorithm - Google Patents

Info

Publication number
CN110278070B
Authority
CN
China
Prior art keywords
transformation
polynomial
base
matrix
composite
Prior art date
Legal status
Active
Application number
CN201810203978.6A
Other languages
Chinese (zh)
Other versions
CN110278070A (en)
Inventor
胡红钢
陈颖
Current Assignee
University of Science and Technology of China USTC
Original Assignee
University of Science and Technology of China USTC
Priority date
Filing date
Publication date
Application filed by University of Science and Technology of China USTC
Priority to CN201810203978.6A
Publication of CN110278070A
Application granted
Publication of CN110278070B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/122 Hardware reduction or efficient architectures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Abstract

The invention provides a method for implementing the S-box of the SM4 algorithm. A first affine transformation and an isomorphic transformation are applied to the input element of the S-box in the finite field GF(2^8) to obtain an element of the composite field GF((2^4)^2); the multiplicative inversion of that element in GF((2^4)^2) is decomposed into an inversion in GF(2^4), carried out on a polynomial ring basis, and multiplications in GF(2^4), carried out on a redundant representation basis, which gives the inverse element in GF((2^4)^2); the inverse isomorphic transformation and a second affine transformation are then applied to the inverse element to obtain the output of the S-box. Because each calculation of the S-box is carried out on the basis that is most efficient for it, the structure of the S-box becomes more compact and efficient, and the circuit area and the delay of the S-box in the SM4 algorithm are further reduced.

Description

Method and device for realizing S box in SM4 algorithm
Technical Field
The invention relates to the technical field of cryptographic algorithm hardware implementation, in particular to a method and a device for implementing an S box in an SM4 algorithm.
Background
SM4 is a block cipher algorithm used in wireless LAN products. It was approved by the national cryptography administration in 2006 and was the first commercial cipher algorithm published by the domestic authorities. With the progress of cryptographic algorithm standardization in China, the SM4 algorithm was released as a cryptographic industry standard in March 2012 and as a national standard in August 2016.
The S-box is the only nonlinear computing unit in SM4 and is used in both the key expansion and the round function, so it strongly affects the circuit area of the whole SM4 implementation, and reducing the circuit area of the S-box is therefore particularly important. Existing optimization methods all use an isomorphic mapping based on a composite field and represent the elements of the finite field GF(2^8) on a polynomial basis or a normal basis, both of which are non-redundant bases. This representation brings some degree of optimization, but the calculation remains complex and one S-box still needs a large number of equivalent NAND gates, so a relatively large circuit area is consumed.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for implementing an S-box in an SM4 algorithm, so as to reduce the circuit area of the whole S-box to the maximum extent.
In order to achieve the above purpose, the invention provides the following specific technical scheme:
a method for realizing an S box in an SM4 algorithm comprises the following steps:
applying a first affine transformation and an isomorphic transformation to the input element of the S-box in the finite field GF(2^8) to obtain an element of the composite field GF((2^4)^2);
decomposing the multiplicative inversion of said element in the composite field GF((2^4)^2) into an inversion in GF(2^4), carried out on a polynomial ring basis, and multiplications in GF(2^4), carried out on a redundant representation basis, to obtain the inverse element in GF((2^4)^2);
applying an inverse isomorphic transformation and a second affine transformation to the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box.
Preferably, applying the first affine transformation and isomorphic transformation to the input element of the S-box in the finite field GF(2^8) to obtain the element of the composite field GF((2^4)^2) comprises:
representing an element of the finite field GF(2^8) as the product of an 8×8 square matrix formed by the 8 polynomial basis elements and a column vector of 8 one-bit coefficients;
representing an element of the composite field GF((2^4)^2) as the product of the matrix formed by multiplying the inner basis by the outer basis and the corresponding coefficient vector;
computing the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2) from the representation of the element of GF(2^8) and the representation of the element of GF((2^4)^2);
merging the first affine transformation matrix with the isomorphic mapping matrix to obtain a first transformation matrix;
converting the input element of the S-box in GF(2^8) into an element of GF((2^4)^2) according to the first transformation matrix.
In a preferred embodiment of the method of the invention,
before the inversion in GF(2^4) on the polynomial ring basis, the method further comprises:
converting the element of GF(2^4) into its representation on the polynomial ring basis;
and converting the element of GF(2^4) into its representation on the polynomial ring basis comprises:
constructing the multiplicative unit element on the polynomial ring basis using the extended Euclidean algorithm;
calculating, from the multiplicative unit element, the correspondence between each element of the polynomial basis and the polynomial ring basis;
calculating, from the correspondence between each element of the polynomial basis and the polynomial ring basis, the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis;
transforming the element of GF(2^4) into its representation on the polynomial ring basis according to that isomorphic mapping matrix.
Preferably, applying the inverse isomorphic transformation and the second affine transformation to the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box comprises:
computing the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8) from the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2);
merging the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8) with the second affine transformation matrix to obtain a second transformation matrix;
transforming the inverse element in GF((2^4)^2) according to said second transformation matrix to obtain the output of the S-box.
An apparatus for implementing the S-box of the SM4 algorithm, comprising:
a first transformation unit 201 for applying a first affine transformation and an isomorphic transformation to the input element of the S-box in the finite field GF(2^8) to obtain an element of the composite field GF((2^4)^2);
a multiplicative inverse computation unit 202 for decomposing the multiplicative inversion of said element in the composite field GF((2^4)^2) into an inversion in GF(2^4), carried out on a polynomial ring basis, and multiplications in GF(2^4), carried out on a redundant representation basis, to obtain the inverse element in GF((2^4)^2);
a second transformation unit 203 for applying an inverse isomorphic transformation and a second affine transformation to the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box.
Preferably, the first transformation unit comprises:
a first representing subunit for representing an element of the finite field GF(2^8) as the product of an 8×8 square matrix formed by the 8 polynomial basis elements and a column vector of 8 one-bit coefficients;
a second representing subunit for representing an element of the composite field GF((2^4)^2) as the product of the matrix formed by multiplying the inner basis by the outer basis and the corresponding coefficient vector;
a first isomorphic mapping matrix computation subunit for computing the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2) from the representation of the element of GF(2^8) and the representation of the element of GF((2^4)^2);
a first merging subunit for merging the first affine transformation matrix with the isomorphic mapping matrix to obtain a first transformation matrix;
a first transformation subunit for converting the input element of the S-box in GF(2^8) into an element of GF((2^4)^2) according to the first transformation matrix.
Preferably, the multiplicative inverse computation unit further comprises:
a conversion subunit configured to construct the multiplicative unit element on the polynomial ring basis using the extended Euclidean algorithm; to calculate, from the multiplicative unit element, the correspondence between each element of the polynomial basis and the polynomial ring basis; to calculate, from that correspondence, the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis; and to convert the element of GF(2^4) into its representation on the polynomial ring basis according to that isomorphic mapping matrix.
Preferably, the second transformation unit comprises:
a second isomorphic mapping matrix computation subunit for computing the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8) from the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2);
a second merging subunit for merging the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8) with the second affine transformation matrix to obtain a second transformation matrix;
a second transformation subunit for transforming the inverse element in GF((2^4)^2) according to the second transformation matrix to obtain the output of the S-box.
Compared with the prior art, the invention has the following beneficial effects:
The invention discloses a method and a device for implementing the S-box of the SM4 algorithm. Building on the original design idea of the S-box, it exploits the efficiency of inversion in GF(2^4) computed on a polynomial ring basis and the efficiency of multiplication in GF(2^4) computed on a redundant representation basis, and converts the S-box implementation into the following: a first affine transformation and an isomorphic transformation are applied to the input element of the S-box in GF(2^8) to obtain an element of the composite field GF((2^4)^2); the multiplicative inversion of that element in GF((2^4)^2) is decomposed into an inversion in GF(2^4) on the polynomial ring basis and multiplications in GF(2^4) on the redundant representation basis, giving the inverse element in GF((2^4)^2); and the inverse isomorphic transformation and a second affine transformation are applied to the inverse element to obtain the output of the S-box. The calculations inside the multiplicative inversion are thus carried out on the bases that are most efficient for them, which reduces the number of equivalent NAND gates in the S-box, makes its structure more compact and efficient, and further reduces the circuit area and the delay of the S-box in the SM4 algorithm.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an implementation method of an S-box in the SM4 algorithm disclosed in the embodiment of the present invention;
Fig. 2 is a schematic diagram of an inversion operation performed by using a redundant base in an S-box according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for implementing the S-box of the SM4 algorithm disclosed in another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The S-box is the only nonlinear operation unit in the SM4 algorithm and is usually implemented as a lookup table. Table 1 shows it: the high nibble of the input is the row index, the low nibble is the column index, and the entry at their intersection is the output of the S-box. For example, for the input 'ef' the row is e and the column is f, and the value after the nonlinear transformation is the entry in row e, column f of the table, that is, Sbox('ef') = '84'. The data in Table 1 are hexadecimal.
TABLE 1 (hexadecimal; row = high nibble of the input, column = low nibble)
0 1 2 3 4 5 6 7 8 9 a b c d e f
0 d6 90 e9 fe cc e1 3d b7 16 b6 14 c2 28 fb 2c 05
1 2b 67 9a 76 2a be 04 c3 aa 44 13 26 49 86 06 99
2 9c 42 50 f4 91 ef 98 7a 33 54 0b 43 ed cf ac 62
3 e4 b3 1c a9 c9 08 e8 95 80 df 94 fa 75 8f 3f a6
4 47 07 a7 fc f3 73 17 ba 83 59 3c 19 e6 85 4f a8
5 68 6b 81 b2 71 64 da 8b f8 eb 0f 4b 70 56 9d 35
6 1e 24 0e 5e 63 58 d1 a2 25 22 7c 3b 01 21 78 87
7 d4 00 46 57 9f d3 27 52 4c 36 02 e7 a0 c4 c8 9e
8 ea bf 8a d2 40 c7 38 b5 a3 f7 f2 ce f9 61 15 a1
9 e0 ae 5d a4 9b 34 1a 55 ad 93 32 30 f5 8c b1 e3
a 1d f6 e2 2e 82 66 ca 60 c0 29 23 ab 0d 53 4e 6f
b d5 db 37 45 de fd 8e 2f 03 ff 6a 72 6d 6c 5b 51
c 8d 1b af 92 bb dd bc 7f 11 d9 5c 41 1f 10 5a d8
d 0a c1 31 88 a5 cd 7b bd 2d 74 d0 12 b8 e5 b4 b0
e 89 69 97 4a 0c 96 77 7e 65 b9 f1 09 c5 6e c6 84
f 18 f0 7d ec 3a dc 4d 20 79 ee 5f 3e d7 cb 39 48
The algebraic structure of the S-box consists of two linear affine transformations and one nonlinear finite-field inversion: $\mathrm{Sbox}(p) = A_2 \cdot I(A_1 \cdot p + C_1) + C_2$, where $A_1, A_2$ are 8×8 matrices and $C_1, C_2$ are 8-bit constant vectors.
The specific values are as follows:
(the matrices $A_1$ and $A_2$ are given as an image in the original and are not reproduced here)
$C_1 = C_2 = (1,1,0,0,1,0,1,1)$;
$I(x)$ denotes the multiplicative inversion in the finite field GF(2^8) defined by the degree-8 irreducible polynomial $f(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1$.
On this basis, and referring to Fig. 1, this embodiment discloses a method for implementing the S-box of the SM4 algorithm, which comprises the following steps:
S101: applying a first affine transformation and an isomorphic transformation to the input element of the S-box in the finite field GF(2^8) to obtain an element of the composite field GF((2^4)^2);
Specifically, this step comprises:
representing an element of the finite field GF(2^8) as the product of an 8×8 square matrix formed by the 8 polynomial basis elements and a column vector of 8 one-bit coefficients;
where the column vector of 8 one-bit coefficients is $g = (g_7, g_6, g_5, g_4, g_3, g_2, g_1, g_0)$, and the element $g$ of GF(2^8) is represented on the polynomial basis $\{A^7, A^6, A^5, A^4, A^3, A^2, A, 1\}$ as:
$g = g_7 A^7 + g_6 A^6 + g_5 A^5 + g_4 A^4 + g_3 A^3 + g_2 A^2 + g_1 A + g_0$
representing an element of the composite field GF((2^4)^2) as the product of the matrix formed by multiplying the inner basis by the outer basis and the corresponding coefficient vector:
$x = (h_4 Z_4 + h_3 Z_3 + h_2 Z_2 + h_1 Z_1) Y^{16} + (l_4 Z_4 + l_3 Z_3 + l_2 Z_2 + l_1 Z_1) Y$
$\quad = (Z_4 Y^{16}, Z_3 Y^{16}, Z_2 Y^{16}, Z_1 Y^{16}, Z_4 Y, Z_3 Y, Z_2 Y, Z_1 Y) \cdot (h_4, h_3, h_2, h_1, l_4, l_3, l_2, l_1)^T$
where $x$ is an element of the composite field GF((2^4)^2).
computing, from the representation of the element of GF(2^8) and the representation of the element of GF((2^4)^2), the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2).
The isomorphic mapping matrix from GF(2^8) to GF((2^4)^2) is:
$M = (Z_4 Y^{16}, Z_3 Y^{16}, Z_2 Y^{16}, Z_1 Y^{16}, Z_4 Y, Z_3 Y, Z_2 Y, Z_1 Y)^{-1}$
(the matrix $M$ is given as an image in the original and is not reproduced here)
merging the first affine transformation matrix with the isomorphic mapping matrix to obtain a first transformation matrix;
The first affine transformation matrix is known:
(given as an image in the original; not reproduced here)
The merged first transformation matrix is:
(given as an image in the original; not reproduced here)
converting the input element of the S-box in GF(2^8) into an element of GF((2^4)^2) according to the first transformation matrix.
S102: decomposing the multiplicative inversion of the element in the composite field GF((2^4)^2) into an inversion and multiplications in GF(2^4), carrying out the GF(2^4) inversion on the polynomial ring basis and the GF(2^4) multiplications on the redundant representation basis, to obtain the inverse element in GF((2^4)^2);
where, before the inversion in GF(2^4) on the polynomial ring basis, the method further comprises:
converting the element of GF(2^4) into its representation on the polynomial ring basis;
and converting the element of GF(2^4) into its representation on the polynomial ring basis comprises:
constructing the multiplicative unit element on the polynomial ring basis using the extended Euclidean algorithm;
calculating, from the multiplicative unit element, the correspondence between each element of the polynomial basis and the polynomial ring basis;
calculating, from the correspondence between each element of the polynomial basis and the polynomial ring basis, the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis;
transforming the element of GF(2^4) into its representation on the polynomial ring basis according to that isomorphic mapping matrix.
S103: applying an inverse isomorphic transformation and a second affine transformation to the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box.
Specifically: computing the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8) from the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2);
merging the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8) with the second affine transformation matrix to obtain a second transformation matrix;
transforming the inverse element in GF((2^4)^2) according to said second transformation matrix to obtain the output of the S-box.
The method for implementing the S-box of the SM4 algorithm disclosed in this embodiment builds on the original design idea of the S-box. It exploits the efficiency of inversion in GF(2^4) computed on a polynomial ring basis and the efficiency of multiplication in GF(2^4) computed on a redundant representation basis, and converts the S-box implementation into the following: a first affine transformation and an isomorphic transformation are applied to the input element of the S-box in GF(2^8) to obtain an element of the composite field GF((2^4)^2); the multiplicative inversion of that element in GF((2^4)^2) is decomposed into an inversion in GF(2^4) on the polynomial ring basis and multiplications in GF(2^4) on the redundant representation basis, giving the inverse element in GF((2^4)^2); and the inverse isomorphic transformation and a second affine transformation are applied to the inverse element to obtain the output of the S-box. The calculations inside the multiplicative inversion are thus carried out on the bases that are most efficient for them, which reduces the number of equivalent NAND gates in the S-box, makes its structure more compact and efficient, and further reduces the circuit area and the delay of the S-box in the SM4 algorithm.
In order to further describe the implementation method of the S-box in the SM4 algorithm disclosed in the above embodiments, a specific embodiment is described below.
Step 11: the S-box input is subjected to the first affine transformation and the isomorphic transformation, which requires solving for the isomorphic mapping matrix.
Because the subsequent inversion and multiplication in the finite field are both carried out efficiently in GF((2^4)^2) rather than in the original GF(2^8), and the elements of the smaller field GF(2^4) are represented on the normal basis $\{Z_4, Z_3, Z_2, Z_1\}$, the S-box input, after the first affine transformation and before the inversion, must be carried by a linear isomorphic mapping from an element of the original GF(2^8) to the corresponding element of the isomorphic field GF((2^4)^2). The isomorphic mapping matrix $M$ is determined jointly by the degree-8 irreducible polynomial of the original field GF(2^8), the basis representation of GF(2^4), and the quadratic irreducible polynomial used to extend GF(2^4) to GF((2^4)^2). The solving process is as follows.
The 8-bit S-box input element $p$ is subjected to the first affine transformation, giving the output $g$, which is represented on the polynomial basis $\{A^7, A^6, A^5, A^4, A^3, A^2, A, 1\}$ as:
$g = g_7 A^7 + g_6 A^6 + g_5 A^5 + g_4 A^4 + g_3 A^3 + g_2 A^2 + g_1 A + g_0$
and bit by bit as the column vector $g = (g_7, g_6, g_5, g_4, g_3, g_2, g_1, g_0)$, where $A$ is a root of the irreducible polynomial $f(x) = 0$ and $g_7, g_6, g_5, g_4, g_3, g_2, g_1, g_0$ are the one-bit coefficients.
Using a normal basis, an element of GF(2^8) is represented as the first-degree polynomial $x = hY^{16} + lY$ over GF(2^4), where the coefficients $h$ and $l$ both belong to GF(2^4). Let the quadratic irreducible polynomial used to extend GF(2^4) to GF((2^4)^2) be $r(y) = y^2 + \mu y + v$; the normal basis $\{Y^{16}, Y\}$ consists of the two roots of $r(y) = 0$.
$h$ and $l$ belong to GF(2^4). GF(2^4) is constructed over GF(2) with the irreducible polynomial $p(z) = z^4 + z^3 + z^2 + z + 1$; note that every coefficient of this irreducible polynomial is 1, so it is called an all-one polynomial (AOP). $h$ and $l$ are represented on the normal basis $\{Z_4, Z_3, Z_2, Z_1\}$ (relative to the standard normal-basis order the first two basis elements are swapped, which simplifies the subsequent isomorphic transformation and does not affect the use of the normal basis), where $Z_4, Z_3, Z_2, Z_1$ are the four roots of $p(z) = 0$. Specifically, $h = h_4 Z_4 + h_3 Z_3 + h_2 Z_2 + h_1 Z_1$ and $l = l_4 Z_4 + l_3 Z_3 + l_2 Z_2 + l_1 Z_1$, with one-bit coefficients $h_4, h_3, h_2, h_1, l_4, l_3, l_2, l_1$, and the element $x$ of GF((2^4)^2) corresponding to $g$ has the vector representation $(h_4, h_3, h_2, h_1, l_4, l_3, l_2, l_1)$.
After substituting the coefficients $h$ and $l$, from the viewpoint of matrix multiplication the element $x$ can again be written as the product of an 8×8 square matrix of 8 basis elements and a column vector of 8 coefficients:
$x = (h_4 Z_4 + h_3 Z_3 + h_2 Z_2 + h_1 Z_1) Y^{16} + (l_4 Z_4 + l_3 Z_3 + l_2 Z_2 + l_1 Z_1) Y$
$\quad = (Z_4 Y^{16}, Z_3 Y^{16}, Z_2 Y^{16}, Z_1 Y^{16}, Z_4 Y, Z_3 Y, Z_2 Y, Z_1 Y) \cdot (h_4, h_3, h_2, h_1, l_4, l_3, l_2, l_1)^T$
and the original $g$ can be written as:
$g = (A^7, A^6, A^5, A^4, A^3, A^2, A, 1) \cdot (g_7, g_6, g_5, g_4, g_3, g_2, g_1, g_0)^T$
From this the isomorphic correspondence between the elements of the two isomorphic finite fields can be seen, and the isomorphic mapping matrix is readily obtained as $M = (Z_4 Y^{16}, Z_3 Y^{16}, Z_2 Y^{16}, Z_1 Y^{16}, Z_4 Y, Z_3 Y, Z_2 Y, Z_1 Y)^{-1}$.
In this embodiment, the irreducible polynomial used for the field extension is $r(y) = y^2 + \mu y + v$ with
$\mu = Z_4 + Z_1$, $v = Z_1$.
The values of $\{Z_4, Z_3, Z_2, Z_1\}$ corresponding to $p(z) = 0$, written as 8-bit hexadecimal numbers on the polynomial basis of the finite field GF(2^8), are {0x7A, 0x77, 0x2A, 0x26}, and the values of $\{Y^{16}, Y\}$ corresponding to $r(y) = 0$ are {0xDB, 0x87}. The isomorphic mapping matrix is thus calculated as follows:
(the matrix $M$ is given as an image in the original and is not reproduced here)
From the computational properties of matrices, the affine transformation and the isomorphic transformation, being two linear transformations, can be merged: $x = M \cdot (A_1 \cdot p + C_1) = M_1 \cdot p + TC_1$, which gives
(the matrix $M_1$ is given as an image in the original and is not reproduced here)
$TC_1 = M \cdot C_1 = (0,1,1,1,0,1,0,0)$
In hardware this operation corresponds to a module built from a group of XOR gates, and it can be optimized with a common subexpression elimination algorithm to reduce the number of XOR gates used; the optimized expressions are as follows:
(the optimized expressions are given as images in the original and are not reproduced here)
where a, b and c are intermediate variables introduced for convenience of calculation.
Step 12: carry out the inversion in the finite field GF((2^4)^2) on the 8-bit vector $x$ output by step 11.
An element $x$ of the finite field GF((2^4)^2) is represented on the normal basis as $x = hY^{16} + lY$; then
$x^{-1} = (x \cdot x^{16})^{-1} \cdot x^{16} = (x^{17})^{-1} \cdot x^{16}$
It can be seen that inverting $x$ can be converted into solving for $(x^{17})^{-1} \cdot x^{16}$.
Specifically, Fig. 2 is a schematic flow chart of the multiplicative inversion in the S-box implementation method according to the embodiment of the present invention. It comprises the following steps:
Step 21: calculate the 16th and 17th powers of the input $x$.
The quadratic irreducible polynomial of the extension from GF(2^4) to GF((2^4)^2) is $y^2 + \mu y + v$, with $\mu = Z_4 + Z_1$ and $v = Z_1$.
By the properties of the normal basis, $x^{16} = lY^{16} + hY$ and $x^{17} = hl\mu^2 + (h+l)^2 v$. For maximum efficiency of the subsequent calculations, both $x^{16}$ and $x^{17}$ calculated here must be converted to specific bases rather than left on the original normal basis. $x^{16}$ is represented on the redundant representation basis of GF(2^4) and participates directly in the multiplication of step 23 that produces the final output. The redundant representation basis is the set $\{Z_4, Z_3, Z_2, Z_1, 1\}$, whose generator polynomial is $Z^5 - 1 = (Z + 1)(Z^4 + Z^3 + Z^2 + Z + 1)$; multiplication on the redundant representation basis is reduction modulo the polynomial $Z^5 - 1$, which makes the multiplier more efficient to implement than on a non-redundant basis.
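The inversion route of Step 12 and Step 21, as an added worked example in Python that is not part of the patent: it builds GF(2^8) with the S-box polynomial f(x), derives the basis elements and the isomorphic mapping matrix M from the page's values Z = 0x26 and Y = 0x87, inverts through x^{-1} = (x^{17})^{-1} x^{16} with x^{17} handled as a GF(2^4) element, and checks the result against the direct algebraic form of the S-box. The affine matrix A1 = A2 and the constant C1 = C2 = 0xD3 are the published SM4 values, supplied here because the page's matrix figures are not reproduced (0xD3 is the page's vector (1,1,0,0,1,0,1,1) read least-significant bit first).

```python
# Added example, not the patent's code: the SM4 S-box from its algebraic structure
# Sbox(p) = A2 * I(A1*p + C1) + C2, once with a plain GF(2^8) inversion and once with
# the inversion carried through the composite field GF((2^4)^2) of steps 11 and 12.
# The page's matrix figures are not reproduced, so A and C below are the published
# SM4 affine constants (C = 0xD3 is the page's (1,1,0,0,1,0,1,1) read with bit 0
# first); Z = 0x26 and Y = 0x87 are the page's field parameters.
MOD = 0x1F5  # f(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1

def gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo f(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (MOD if a & 0x80 else 0), b >> 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(a):
    """Direct inverse a^254; 0 maps to 0, as the S-box requires."""
    return gf_pow(a, 254)

def mat_vec(rows, x):
    """GF(2) matrix-vector product; rows[i] is row i as a byte, bit 7 = column 0."""
    y = 0
    for i, row in enumerate(rows):
        y |= (bin(row & x).count("1") & 1) << (7 - i)
    return y

def gf2_inverse(rows):
    """Invert an n x n GF(2) matrix (rows as ints) by Gauss-Jordan on [A | I]."""
    n = len(rows)
    aug = [(rows[i] << n) | (1 << (n - 1 - i)) for i in range(n)]
    for col in range(n):
        bit = 1 << (2 * n - 1 - col)
        piv = next(i for i in range(col, n) if aug[i] & bit)  # StopIteration if singular
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(n):
            if i != col and aug[i] & bit:
                aug[i] ^= aug[col]
    return [r & ((1 << n) - 1) for r in aug]

# Published SM4 affine layer: A1 = A2 is the circulant matrix whose rows are 0xD3
# rotated right one bit at a time, and C1 = C2 = 0xD3.
A_ROWS = [0xD3, 0xE9, 0xF4, 0x7A, 0x3D, 0x9E, 0x4F, 0xA7]
C = 0xD3

def sbox_direct(p):
    """Sbox(p) = A * I(A*p + C) + C with I(.) a plain GF(2^8) inversion."""
    return mat_vec(A_ROWS, gf_inv(mat_vec(A_ROWS, p) ^ C)) ^ C

# Composite field. Z is a root of the all-one polynomial z^4+z^3+z^2+z+1, so the
# normal basis {Z4,Z3,Z2,Z1} = {Z^4,Z^3,Z^2,Z} spans the subfield GF(2^4); Y is a
# root of r(y) = y^2 + mu*y + v with mu = Z^4 + Z, v = Z, and Y16 = Y^16.
Z1 = 0x26
Z2, Z3, Z4 = gf_pow(Z1, 2), gf_pow(Z1, 3), gf_pow(Z1, 4)
Y = 0x87
Y16 = gf_pow(Y, 16)
MU, V = Z4 ^ Z1, Z1
# Basis of GF((2^4)^2) over GF(2) in the page's order (Z4Y16,...,Z1Y16,Z4Y,...,Z1Y).
# B turns a coefficient vector into a GF(2^8) byte; M = B^-1 is the isomorphic mapping.
BASIS = [gf_mul(z, y) for y in (Y16, Y) for z in (Z4, Z3, Z2, Z1)]
B_ROWS = [sum(((BASIS[j] >> (7 - i)) & 1) << (7 - j) for j in range(8)) for i in range(8)]
M_ROWS = gf2_inverse(B_ROWS)

def subfield_element(c4):
    """GF(2^4) element from its normal-basis coefficients (e4,e3,e2,e1)."""
    e = 0
    for k, z in enumerate((Z4, Z3, Z2, Z1)):
        if (c4 >> (3 - k)) & 1:
            e ^= z
    return e

def subfield_coeffs(e):
    """Normal-basis coefficients of a GF(2^4) element: e*Y16 = sum e_i * (Z_i*Y16)."""
    return mat_vec(M_ROWS, gf_mul(e, Y16)) >> 4

def composite_inverse(coeffs):
    """Inverse of x = h*Y16 + l*Y in GF((2^4)^2), on coefficient vectors (h4..h1,l4..l1)."""
    h, l = subfield_element(coeffs >> 4), subfield_element(coeffs & 0xF)
    # x^17 = h*l*mu^2 + (h+l)^2*v lies in GF(2^4) (checked), so inverting it is a 4-bit
    # problem, t^-1 = t^14; the patent does this step on the polynomial ring basis.
    x17 = gf_mul(gf_mul(h, l), gf_mul(MU, MU)) ^ gf_mul(gf_mul(h ^ l, h ^ l), V)
    assert gf_pow(x17, 16) == x17
    inv17 = gf_pow(x17, 14)
    # x^-1 = (x^17)^-1 * x^16 with x^16 = l*Y16 + h*Y: two GF(2^4) multiplications.
    return (subfield_coeffs(gf_mul(inv17, l)) << 4) | subfield_coeffs(gf_mul(inv17, h))

def sbox_composite(p):
    """The patent's route: M*(A1*p + C1), inversion in GF((2^4)^2), then A2*(M^-1 . ) + C2."""
    t = mat_vec(M_ROWS, mat_vec(A_ROWS, p) ^ C)
    return mat_vec(A_ROWS, mat_vec(B_ROWS, composite_inverse(t))) ^ C
```

Both routes agree on all 256 inputs, and the derived constants reproduce the page's values (Z^2, Z^3, Z^4 = 0x2A, 0x77, 0x7A and Y^16 = 0xDB).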
The polynomial ring base is a redundant base represented by another finite field, the corresponding finite field is regarded as a subset of the polynomial ring, the base of the polynomial ring is a generation base of the subset of the ring, and the x is17The conversion of the multiplicative inverse to polynomial ring-base may be improved to the maximum extentAnd (4) working efficiency. For GF (2) as shown in FIG. 34) The isomorphic mapping matrix from normal basis to polynomial ring basis is constructed as follows:
Step 31: the generator polynomial of the polynomial ring basis is P(x) = x^5 + 1, and the generator polynomial of the normal basis is H(x) = x^4 + x^3 + x^2 + x + 1. P(x) can be decomposed into the product of H(x) and G(x) = x + 1, and with the extended Euclidean algorithm U(x) = x^3 + x and V(x) = 1 can be constructed such that U(x)·G(x) + V(x)·H(x) = 1. Multiplying both sides by U(x)G(x) gives E(x)^2 ≡ E(x) mod P(x), from which the multiplicative unit on the polynomial ring basis is E(x) = U(x)·G(x) = (x^3 + x)(x + 1) = x^4 + x^3 + x^2 + x.
Step 32: since Z is a root of H(x) and x is a root of P(x), Z can be mapped to x·E(x) in the polynomial ring basis and Z^i to x^i·E(x) (0 ≤ i ≤ 3). Let C_i(x) be the element of the polynomial ring basis corresponding to Z^i; then C_i(x) ≡ x^i·E(x) mod P(x).
Thus the representations of the individual polynomial-basis elements in the polynomial ring basis form the isomorphic mapping matrix from the polynomial basis to the polynomial ring basis, i.e.
[image: isomorphic mapping matrix from the polynomial basis to the polynomial ring basis, not reproduced in the text]
where specifically:
C_0(x) = x^4 + x^3 + x^2 + x,
C_1(x) = x^4 + x^3 + x^2 + 1,
C_2(x) = x^4 + x^3 + x + 1,
C_3(x) = x^4 + x^2 + x + 1.
Step 33: the isomorphic mapping matrix from the polynomial basis to the polynomial ring basis is obtained from the correspondence between the basis elements of the two representations, and the transformation matrix from the normal basis to the polynomial ring basis then follows from the simple correspondence between the polynomial basis and the normal basis:
[image: transformation matrix from the normal basis to the polynomial ring basis, not reproduced in the text]
with the least significant bits located in the upper left corner.
Using the transformation matrix computed above, x^17 is converted to its representation d in the polynomial ring basis. Let d = d_4 x^4 + d_3 x^3 + d_2 x^2 + d_1 x + d_0. For x^17 = hlμ^2 + (h+l)^2·v, μ^2 and v are both known constants, and multiplication by each of them is itself a linear transformation, so by matrix multiplication each can be merged with the basis change into a single linear transformation, φ' and φ'' respectively:
d = φ(hlμ^2 + (h+l)^2·v) = φ(μ^2·hl) + φ(v·(h+l)^2) = φ'(hl) + φ''((h+l)^2).
Calculating gives:
[image: the merged transformations, not reproduced in the text]
Expanding the expression for d gives each coefficient of d as follows:
[image: the five equations for d_0 to d_4, not reproduced in the text]
where ⊕ denotes an exclusive-OR gate, i.e. addition over the finite field, | denotes an OR gate and & denotes an AND gate; all are basic gate cells.
The calculation of the above five equations constitutes the computation block of step 21, and it is easy to see that the total delay of this block is T_O + 3T_X, where T_O and T_X denote the delay of one OR gate and one AND gate respectively in the standard cell library. Compared with the GF(((2^2)^2)^2) structure, which needs at least 6T_X, this implementation is a large improvement in delay.
Step 22: compute d^{-1}, where d is a GF(2^4) element represented in the polynomial ring basis, so that the efficiency of multiplicative inversion in the polynomial ring basis can be fully exploited to optimise the inversion circuit. Let the module output be e = d^{-1} = e_4 x^4 + e_3 x^3 + e_2 x^2 + e_1 x + e_0. From the finite-field property d^16 = d it follows that e = d^14 = d^{-1}.
Using a fast modular exponentiation algorithm in the polynomial basis, the coefficients of e are obtained as follows:
e_0 = (d_1 | d_4) & (d_2 | d_3),
[image: the equations for e_1 to e_4, not reproduced in the text]
In the circuit structure that realises this step from this group of formulas, the calculation of each coefficient is parallel, and the delay on the critical path is T_A + T_O + T_X, which is also smaller than the delay of the GF(((2^2)^2)^2) structure. Because e must be fed into the next module to take part in the modular multiplication in the redundant representation basis, a linear isomorphic mapping of e would normally be needed at the end of the second module; however, the polynomial ring basis and the redundant representation basis have the property that no additional circuit is required, and e can be regarded directly as an element expressed in the redundant representation basis.
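The construction of steps 31 to 33 (the multiplicative unit E(x), the images C_i(x), and the mapping into the polynomial ring basis) together with the inversion of step 22 as e = d^14, as an added example that is not part of the patent. It assumes the polynomials the text gives, P(x) = x^5 + 1, H(x) = x^4+x^3+x^2+x+1 and G(x) = x + 1, holds GF(2^4) elements as 4-bit ints in the polynomial basis {1, Z, Z^2, Z^3} and ring elements as 5-bit ints (bit i = coefficient of x^i), and checks rather than assumes the values the text states (U(x) = x^3 + x, E(x) = x^4+x^3+x^2+x, C_0 to C_3). The gate-level formulas for the e_i are not reproduced; the ring-basis inverse is instead computed directly as d^14 mod P(x) and compared with the field inverse. The column ordering of normal_to_ring_matrix is this example's assumption, since the patent's matrix image is not available.

```python
# Added example: the polynomial ring basis of steps 31-33 and the inversion of
# step 22, modelled in software. Polynomials over GF(2) are ints, bit i = x^i.

P = 0b100001  # P(x) = x^5 + 1, generator of the polynomial ring basis
H = 0b11111   # H(x) = x^4 + x^3 + x^2 + x + 1, defines GF(2^4)
G = 0b11      # G(x) = x + 1, so that P(x) = G(x) * H(x)


def pmul(a, b):
    """Carry-less product of two GF(2)[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pdivmod(a, b):
    """Long division in GF(2)[x]: returns (quotient, remainder)."""
    q = 0
    db = b.bit_length()
    while a and a.bit_length() >= db:
        shift = a.bit_length() - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def pmod(a, m):
    return pdivmod(a, m)[1]


def ext_gcd(a, b):
    """Extended Euclid in GF(2)[x]: returns (g, u, v) with u*a + v*b = g."""
    r0, r1, u0, u1, v0, v1 = a, b, 1, 0, 0, 1
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, u0 ^ pmul(q, u1)
        v0, v1 = v1, v0 ^ pmul(q, v1)
    return r0, u0, v0


# Step 31: U(x)*G(x) + V(x)*H(x) = 1, and E(x) = U(x)*G(x) is the unit of the
# GF(2^4) component of the ring GF(2)[x]/(P(x)); E(x)^2 = E(x) mod P(x).
_, U, V = ext_gcd(G, H)
E = pmod(pmul(U, G), P)


def C(i):
    """Step 32: image of Z^i in the polynomial ring basis, C_i(x) = x^i * E(x) mod P(x)."""
    return pmod(pmul(1 << i, E), P)


def to_ring(a):
    """Step 33: map a GF(2^4) element (bit i = Z^i) to the ring basis as a(x)*E(x) mod P(x).

    Because E(x) = H(x) + 1 and x^i * H(x) = H(x) mod P(x), each Z^i maps to the
    all-ones word with bit i cleared, so the map is a(x) plus parity(a) * H(x).
    """
    return pmod(pmul(a, E), P)


def normal_to_ring_matrix():
    """Columns of the normal-basis -> ring-basis matrix for the basis order Z, Z^2, Z^3, Z^4
    (this ordering is an assumption of the example, not the patent's)."""
    return [to_ring(1 << i) for i in (1, 2, 3, 4)]


def ring_mul(d1, d2):
    """Multiplication in the polynomial ring basis: reduce modulo P(x) = x^5 + 1 only."""
    return pmod(pmul(d1, d2), P)


def ring_inv(d):
    """Step 22: e = d^14 = d^-1 inside the GF(2^4) component, since d^16 = d there.

    Starting from E (the component's unit) also maps a redundant input d + H(x),
    which represents the same field element, to the same canonical d^14.
    """
    e = E
    for _ in range(14):
        e = ring_mul(e, d)
    return e


# Reference GF(2^4) arithmetic in the polynomial basis, used only to check the isomorphism.
def gf16_mul(a, b):
    return pmod(pmul(a, b), H)


def gf16_inv(a):
    return next(b for b in range(1, 16) if gf16_mul(a, b) == 1)


def isomorphism_holds():
    """True if to_ring respects multiplication and ring_inv agrees with the field inverse."""
    mul_ok = all(ring_mul(to_ring(a), to_ring(b)) == to_ring(gf16_mul(a, b))
                 for a in range(16) for b in range(16))
    inv_ok = all(ring_inv(to_ring(a)) == to_ring(gf16_inv(a)) for a in range(1, 16))
    return mul_ok and inv_ok


if __name__ == "__main__":
    print(f"U(x) = {U:#07b}, V(x) = {V:#b}, E(x) = {E:#07b}")
    print("C_0..C_3 =", [f"{C(i):05b}" for i in range(4)])
    print("isomorphism and inversion verified:", isomorphism_holds())
```

The multiplication check in isomorphism_holds is what makes the ring basis usable as a redundant basis: products need only a reduction modulo x^5 + 1 (a cyclic shift), never modulo H(x), and the two words d and d ⊕ H(x) that denote the same field element both invert to the same canonical result.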
Step 23: two GF(2^4) modular multiplication units compute respectively the upper 5 bits and the lower 5 bits of the redundant-representation-basis form of the multiplicative inverse in GF(2^8), denoted
H = H_4 Z^4 + H_3 Z^3 + H_2 Z^2 + H_1 Z^1 + H_0
and L = L_4 Z^4 + L_3 Z^3 + L_2 Z^2 + L_1 Z^1 + L_0.
The corresponding efficient multiplication proceeds as follows.
The 5 high-order coefficients are respectively:
[image: the equations for H_4 to H_0, not reproduced in the text]
The 5 low-order coefficients are:
[image: the equations for L_4 to L_0, not reproduced in the text]
It can be seen that the critical path delay of this module is T_A + 2T_X, which is less than the computation delay of the non-redundant basis representation.
The ten-bit output {H_4, H_3, H_2, H_1, H_0, L_4, L_3, L_2, L_1, L_0} obtained at this point is the redundant-representation-basis form of the two coefficients of an element of the finite field GF((2^4)^2), namely the inverse of the input x.
Step 13: the inverse of x computed by the above module is 10 bits wide; it must be inverse-transformed and mapped back to GF(2^8), and the final output q of the S-box is obtained after the affine transformation.
Since each coefficient of x^{-1} is now represented by 5 bits in the redundant representation basis, it must be converted to a 4-bit normal basis representation; the transformation matrix is obtained from the correspondence between the redundant representation basis and the normal basis as follows:
[image: transformation matrix from the redundant representation basis to the normal basis, not reproduced in the text]
In step 11, the isomorphic mapping matrix from GF(2^8) to GF((2^4)^2) is denoted M, so M^{-1} is the isomorphic mapping matrix from GF((2^4)^2) to GF(2^8).
After the inverse transformation, x^{-1} returns to an element of GF(2^8) and is followed by the affine transformation; the two successive linear transformations can be combined into one matrix M_2. The algebraic structure of the whole S-box can be expressed as:
Sbox(p) = A_2·(M^{-1}·T(I(M·(A_1·p + C_1)))) + C_2 = M_2·I(M_1·p + TC_1) + TC_2
where M_1 = M·A_1, TC_1 = M·C_1, M_2 = A_2·M^{-1}·T, TC_2 = C_2.
Calculating gives:
[image: the calculated transformation matrices, not reproduced in the text]
TC_2 = (1, 1, 0, 0, 1, 0, 1, 1)
This linear transformation module can also be optimised with a common sub-expression elimination algorithm; the expressions after optimisation are as follows:
[image: the optimised expressions, not reproduced in the text]
In summary, the delay of the two linear isomorphic transformations is 3T_X, and combining the analysis of each module, the total delay of the whole S-box design is 3T_A + T_O + 12T_X. As for the area of the whole circuit structure, under the TSMC 0.18 μm process, synthesis with the ASIC synthesis tool Synopsys DC 2013.03-sp2 gives 249 equivalent NAND gates, which is the smallest compared with the prior art and yields higher implementation efficiency.
Based on the method for implementing the S-box in the SM4 algorithm disclosed in the foregoing embodiment, and referring to Fig. 3, this embodiment correspondingly discloses an apparatus for implementing the S-box in the SM4 algorithm, which comprises:
a first transformation unit 201 for subjecting the input element of the S-box in the finite field GF(2^8) to a first affine transformation and an isomorphic transformation to obtain an element of the composite field GF((2^4)^2);
a multiplicative inverse computation unit 202 for decomposing the multiplicative inversion of said element in the composite field GF((2^4)^2) into an inversion in GF(2^4) on the polynomial ring basis and multiplications in GF(2^4) on the redundant representation basis, to obtain the inverse element in the composite field GF((2^4)^2);
a second transformation unit 203 for subjecting the inverse element in the composite field GF((2^4)^2) to an inverse isomorphic transformation and a second affine transformation to obtain the output of the S-box.
Preferably, the first transformation unit 201 comprises:
a first representation subunit for representing an element of the finite field GF(2^8) as the product of an 8 × 8 square matrix formed from the 8 polynomial basis elements and a column vector of 8 one-bit coefficients;
a second representation subunit for representing an element of the composite field GF((2^4)^2) as the product of a matrix formed by multiplying an inner group of basis elements with an outer group of basis elements and the corresponding coefficients;
a first isomorphic mapping matrix computation subunit for computing, from the representation of the element in the finite field GF(2^8) and the representation of the element in the composite field GF((2^4)^2), the isomorphic mapping matrix from the finite field GF(2^8) to the composite field GF((2^4)^2);
a first merging subunit for merging the first affine transformation matrix with the isomorphic mapping matrix to obtain a first transformation matrix;
a first transformation subunit for converting, according to the first transformation matrix, the input element of the S-box in the finite field GF(2^8) into an element of the composite field GF((2^4)^2).
Preferably, the multiplicative inverse computation unit 202 further comprises:
a conversion subunit configured to construct the multiplicative unit on the polynomial ring basis using the extended Euclidean algorithm; to calculate, from the multiplicative unit, the correspondence between each element of the polynomial basis and the elements of the polynomial ring basis; to calculate, from that correspondence, the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis; and to convert the GF(2^4) element, according to this isomorphic mapping matrix, into an element represented on the polynomial ring basis.
Preferably, the second transformation unit 203 comprises:
a second isomorphic mapping matrix computation subunit for computing, from the isomorphic mapping matrix from the finite field GF(2^8) to the composite field GF((2^4)^2), the isomorphic mapping matrix from the composite field GF((2^4)^2) to the finite field GF(2^8);
a second merging subunit for merging the isomorphic mapping matrix from the composite field GF((2^4)^2) to the finite field GF(2^8) with the second affine transformation matrix to obtain a second transformation matrix;
a second transformation subunit for transforming, according to the second transformation matrix, the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box.
The apparatus for implementing the S-box in the SM4 algorithm disclosed in this embodiment improves the S-box implementation on the basis of the original S-box design concept: it exploits the computational efficiency of the inversion in the composite field GF((2^4)^2) on the polynomial ring basis and of the multiplication in the composite field GF((2^4)^2) on the redundant representation basis, and moves each calculation in the S-box implementation to the basis on which it is efficient. On this basis, the number of equivalent NAND gates in the S-box is reduced, the S-box structure becomes more compact and efficient, and the circuit area and delay of the S-box in the SM4 algorithm are further reduced.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (4)

1. A method for implementing an S-box in the SM4 algorithm, characterised by comprising:
subjecting the input element of the S-box in the finite field GF(2^8) to a first affine transformation and an isomorphic transformation to obtain an element of the composite field GF((2^4)^2);
decomposing the multiplicative inversion of said element in the composite field GF((2^4)^2) into an inversion in GF(2^4) on the polynomial ring basis and multiplications in GF(2^4) on the redundant representation basis, to obtain the inverse element in the composite field GF((2^4)^2);
subjecting the inverse element in the composite field GF((2^4)^2) to an inverse isomorphic transformation and a second affine transformation to obtain the output of the S-box;
wherein subjecting the input element of the S-box in the finite field GF(2^8) to the first affine transformation and the isomorphic transformation to obtain the element of the composite field GF((2^4)^2) comprises:
representing an element of the finite field GF(2^8) as the product of an 8 × 8 square matrix formed from the 8 polynomial basis elements and a column vector of 8 one-bit coefficients;
representing an element of the composite field GF((2^4)^2) as the product of a matrix formed by multiplying an inner group of basis elements with an outer group of basis elements and the corresponding coefficients;
computing, from the representation of the element in the finite field GF(2^8) and the representation of the element in the composite field GF((2^4)^2), the isomorphic mapping matrix from the finite field GF(2^8) to the composite field GF((2^4)^2);
merging the first affine transformation matrix with the isomorphic mapping matrix to obtain a first transformation matrix;
converting, according to the first transformation matrix, the input element of the S-box in the finite field GF(2^8) into an element of the composite field GF((2^4)^2);
wherein, before performing the inversion in GF(2^4) on the polynomial ring basis, the method further comprises:
converting the GF(2^4) element into a representation on the polynomial ring basis;
and wherein converting the GF(2^4) element into a representation on the polynomial ring basis comprises:
constructing the multiplicative unit on the polynomial ring basis using the extended Euclidean algorithm;
calculating, from the multiplicative unit, the correspondence between each element of the polynomial basis and the elements of the polynomial ring basis;
calculating, from the correspondence between each element of the polynomial basis and the elements of the polynomial ring basis, the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis;
converting the GF(2^4) element, according to the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis, into an element represented on the polynomial ring basis.
2. The method according to claim 1, wherein subjecting the inverse element in the composite field GF((2^4)^2) to the inverse isomorphic transformation and the second affine transformation to obtain the output of the S-box comprises:
computing, from the isomorphic mapping matrix from the finite field GF(2^8) to the composite field GF((2^4)^2), the isomorphic mapping matrix from the composite field GF((2^4)^2) to the finite field GF(2^8);
merging the isomorphic mapping matrix from the composite field GF((2^4)^2) to the finite field GF(2^8) with the second affine transformation matrix to obtain a second transformation matrix;
transforming, according to the second transformation matrix, the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box.
3. An apparatus for implementing an S-box in the SM4 algorithm, comprising:
a first transformation unit for subjecting the input element of the S-box in the finite field GF(2^8) to a first affine transformation and an isomorphic transformation to obtain an element of the composite field GF((2^4)^2);
a multiplicative inverse computation unit for decomposing the multiplicative inversion of said element in the composite field GF((2^4)^2) into inversion and multiplication in GF(2^4), namely an inversion in GF(2^4) on the polynomial ring basis and multiplications in GF(2^4) on the redundant representation basis, to obtain the inverse element in the composite field GF((2^4)^2);
a second transformation unit for subjecting the inverse element in the composite field GF((2^4)^2) to an inverse isomorphic transformation and a second affine transformation to obtain the output of the S-box;
wherein the first transformation unit comprises:
a first representation subunit for representing an element of the finite field GF(2^8) as the product of an 8 × 8 square matrix formed from the 8 polynomial basis elements and a column vector of 8 one-bit coefficients;
a second representation subunit for representing an element of the composite field GF((2^4)^2) as the product of a matrix formed by multiplying an inner group of basis elements with an outer group of basis elements and the corresponding coefficients;
a first isomorphic mapping matrix computation subunit for computing, from the representation of the element in the finite field GF(2^8) and the representation of the element in the composite field GF((2^4)^2), the isomorphic mapping matrix from the finite field GF(2^8) to the composite field GF((2^4)^2);
a first merging subunit for merging the first affine transformation matrix with the isomorphic mapping matrix to obtain a first transformation matrix;
a first transformation subunit for converting, according to the first transformation matrix, the input element of the S-box in the finite field GF(2^8) into an element of the composite field GF((2^4)^2);
wherein the multiplicative inverse computation unit further comprises:
a conversion subunit configured to construct the multiplicative unit on the polynomial ring basis using the extended Euclidean algorithm; to calculate, from the multiplicative unit, the correspondence between each element of the polynomial basis and the elements of the polynomial ring basis; to calculate, from that correspondence, the isomorphic mapping matrix from the normal basis of GF(2^4) to the polynomial ring basis; and to convert the GF(2^4) element, according to this isomorphic mapping matrix, into an element represented on the polynomial ring basis.
4. The apparatus according to claim 3, wherein the second transformation unit comprises:
a second isomorphic mapping matrix computation subunit for computing, from the isomorphic mapping matrix from the finite field GF(2^8) to the composite field GF((2^4)^2), the isomorphic mapping matrix from the composite field GF((2^4)^2) to the finite field GF(2^8);
a second merging subunit for merging the isomorphic mapping matrix from the composite field GF((2^4)^2) to the finite field GF(2^8) with the second affine transformation matrix to obtain a second transformation matrix;
a second transformation subunit for transforming, according to the second transformation matrix, the inverse element in the composite field GF((2^4)^2) to obtain the output of the S-box.
CN201810203978.6A 2018-03-13 2018-03-13 Method and device for realizing S box in SM4 algorithm Active CN110278070B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810203978.6A CN110278070B (en) 2018-03-13 2018-03-13 Method and device for realizing S box in SM4 algorithm

Publications (2)

Publication Number Publication Date
CN110278070A CN110278070A (en) 2019-09-24
CN110278070B true CN110278070B (en) 2022-07-15

Family

ID=67959007

Country Status (1)

Country Link
CN (1) CN110278070B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111786775A (en) * 2020-07-28 2020-10-16 Shandong Computer Science Center (National Supercomputer Center in Jinan) Realization method and system of SM4 algorithm S box based on basis conversion
CN113922943B (en) * 2021-09-29 2023-09-19 Zeku Technology (Beijing) Co., Ltd. SBOX circuit, operation method and electronic equipment
CN114710285B (en) * 2022-05-19 2022-08-23 Peking University High-performance SM4 bit slice optimization method for heterogeneous parallel architecture

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330429A (en) * 2016-08-24 2017-01-11 China Information Technology Security Evaluation Center Generation method and device for S box of SM4 algorithm

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8675866B2 (en) * 2011-07-07 2014-03-18 Apple Inc. Multiplicative splits to protect cipher keys
US9281941B2 (en) * 2012-02-17 2016-03-08 International Business Machines Corporation Homomorphic evaluation including key switching, modulus switching, and dynamic noise management
KR101753467B1 (en) * 2014-06-26 2017-07-03 Intel Corporation Instructions and logic to provide general purpose gf(256) simd cryptographic arithmetic functionality
CN106936569B (en) * 2017-05-18 2020-05-19 Beijing Wanxietong Information Technology Co., Ltd. Method for realizing SM4 algorithm mask S box for resisting power consumption attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and Implementation of the SM4 Algorithm Based on Composite Fields; Liang Hao et al.; Microelectronics & Computer (微电子学与计算机); 2015-05-05 (No. 05); full text *

Also Published As

Publication number Publication date
CN110278070A (en) 2019-09-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant