CN104333447B - An SM4 method capable of resisting power analysis attacks - Google Patents
Publication number: CN104333447B (application CN201410704525.3A)
Authority: CN (China)
Legal status: Active
Abstract
An SM4 method capable of resisting power analysis attacks. A first-order masked key expansion engine performs the key expansion computation on the input key and outputs the round keys to a second-order masked encryption/decryption engine; the second-order masked engine performs 32 rounds of loop iteration on the input plaintext (or ciphertext) and the round keys and outputs the ciphertext (or plaintext). The invention implements the SM4 encryption/decryption engine with a second-order mask and the key expansion engine with a first-order mask, so that it resists not only higher-order power analysis of the encryption/decryption process but also template attacks on the key expansion process, which effectively improves the security of hardware implementations of SM4.
Description
Technical field
The present invention relates to the field of information security chip design, and in particular to an SM4 method capable of resisting power analysis attacks.
Background
In the 1990s the internet and mobile communications began to flourish, and the wave of informatization rapidly swept into every aspect of daily life: clothing, food, housing and travel. Information technology, with explosive momentum, is revolutionizing the way people live and think. For example, online shopping, which has become popular in recent years, lets people choose goods from all over the world without leaving home; mobile payment lets people complete small, fast payments through a mobile phone payment platform and enjoy that convenience at any time and place; the WeChat red packet, popular in 2013, brought people closer together while also having a profound effect on the traditional finance industry.
Scientific and technological development is a double-edged sword, and informatization is no exception: while it brings great convenience to people's lives, it also brings unforeseen security risks. For example, if a system that stores personal identification numbers were attacked, the consequences would be catastrophic. In September 2011 the CSDN security system was attacked by hackers and, as the largest domestic developer community, CSDN had some of its users' login names and passwords leaked; the highly influential Tianya community forum also suffered a user data leak, triggering a serious network crisis. The Snowden affair of 2013 made people realize that a fragile information system threatens national defense and military security, and that information security cannot stop at the surface but must be raised to the level of national strategy.
The importance of information security is becoming ever more evident. Cryptography, as one of the strongest weapons of information security, plays a vital role. Every security product or cryptographic system must face the question of how to defend against attack and probing, and in recent years a powerful new class of attack has appeared, known as the side-channel attack (SCA). A side-channel attack uses the side-channel information that a cryptographic chip leaks while it runs, such as power consumption, timing, electromagnetic emanation and error information, to attack and probe the cryptographic system. Side-channel attacks have become a grave threat to information security chip products, and their harm far exceeds that of traditional mathematical analysis.
Power analysis is one kind of side-channel attack: it attacks the key using the power the cryptographic chip consumes while performing cryptographic operations. The chip consumes different power when processing different operations, and even the same instruction consumes different power for different operands, so analyzing the power consumption can reveal the key. Power analysis is divided into simple power analysis (SPA) and differential power analysis (DPA); DPA is the more effective and the more widely applicable of the two. DPA exploits the correlation between the power actually consumed by the attacked device during encryption and the intermediate values of the encryption algorithm to derive the key: given the input plaintext and a guessed key, the intermediate values of the algorithm can always be computed. Research into countermeasures against power analysis has therefore become extremely necessary.
Power analysis attacks rest on the fact that the energy consumption of a cryptographic chip depends on the intermediate values of the cryptographic algorithm it executes. Resisting such attacks therefore means reducing or eliminating this dependence. Random masking achieves this goal by randomizing the intermediate values the chip processes. Its advantage is that it is implemented at the algorithm level without changing the energy consumption characteristics of the chip: even if the chip's energy consumption is data-dependent, random masking removes the dependence between that consumption and the intermediate values of the executed algorithm. Random masking is a countermeasure that has attracted wide attention in engineering circles.
The S-box substitution of a symmetric algorithm consumes a large amount of energy, and a power analysis attack chooses the S-box output as its point of analysis, so in a hardware implementation of a symmetric algorithm it is very necessary for the encryption/decryption engine to use a masking countermeasure.
The SM4 key expansion process also requires 32 rounds of loop iteration, and it also uses the S-box substitution. The S-box substitution is the weakest link of a hardware implementation of a symmetric cipher against power analysis. Power analysis of key expansion usually takes the form of a template attack: the attacker is assumed to obtain a device identical to the one under attack and to have complete control of it. The attacker first characterizes the power consumption of this circuit under various keys, and the templates built for the key expansion process are then matched against the target device to recover its key.
SM4 is the first commercial cipher algorithm officially published by China. Because it was published relatively recently, research into countermeasures against power analysis of SM4 is limited, and an anti-attack method for SM4 is needed.
Content of the invention
The present invention provides an SM4 method capable of resisting power analysis attacks. The SM4 encryption/decryption engine is implemented with a second-order mask and the key expansion engine with a first-order mask, so that the method resists not only higher-order power analysis of the encryption/decryption process but also template attacks on key expansion, effectively improving the security of SM4 hardware implementations.
To achieve the above object, the present invention provides an SM4 method capable of resisting power analysis attacks. A first-order masked key expansion engine performs the key expansion computation on the input key and outputs the round keys to a second-order masked encryption/decryption engine; the second-order masked engine performs 32 rounds of loop iteration on the input plaintext and the round keys and outputs the ciphertext, or performs 32 rounds of loop iteration on the input ciphertext and the round keys and outputs the plaintext.
The first-order masked key expansion engine and the second-order masked encryption/decryption engine work simultaneously: in each round the key expansion engine generates one round key and outputs it to the encryption/decryption engine, which performs the encryption/decryption computation.
When the first-order masked key expansion engine performs the key expansion computation on the input key, four compensation transforms are used during the 32 rounds of loop iteration. The four compensation transforms C0, C1, C2, C3 of the first-order masked key expansion engine are defined as follows:
where the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and remains constant throughout the 32 rounds of loop iteration; if the unmasked input value of round i is denoted k0_i, k1_i, k2_i, k3_i, i = 1~32, the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
the values in registers Reg1, Reg2, Reg3 are XORed with CK_i and used as the input of the first-order masked S-box transform MS:
CK_i uses the standard values from the SM4 algorithm specification.
The construction of the MS transform is expressed by the formula:
The result of the MS transform is the input of the L' transform:
L' is the linear transform specified in the SM4 specification; the construction of the L' transform is expressed by the formula:
The value of register Reg0 is XORed with the result of the L' transform and used as the input of compensation transform C3:
When the second-order masked encryption/decryption engine performs the 32 rounds of loop iteration on the input plaintext or ciphertext and the round keys, four compensation transforms are used during the 32 rounds. The four compensation transforms C0, C1, C2, C3 of the second-order masked encryption/decryption engine are defined as follows:
where, if the unmasked initial value of round i is denoted a_i and divided from left to right into 4 words a0_i, a1_i, a2_i, a3_i, the random number for round i is r_i, divided from left to right into 4 words r0_i, r1_i, r2_i, r3_i, i = 1~32; each of the 32 rounds uses a different random number, that is, the random number is refreshed every round, and the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
the values in registers Reg1, Reg2, Reg3 are XORed with the round key rk_i and used as the input of the second-order masked S-box transform MS:
rk_i is the round key of round i;
The construction of the MS transform is expressed by the formula:
The result of the MS transform is the input of the L transform:
L is the linear transform specified in the SM4 specification; the construction of the L transform is expressed by the formula:
The value of register Reg0 is XORed with the result of the L transform and used as the input of compensation transform C3:
The present invention also provides a first-order masking method for SM4 key expansion, comprising the following steps:
Step S1.1: the first-order masked key expansion engine XORs the input key with the random number to add the mask, and the masked value is stored in registers as the initial value of the masked expansion;
Step S1.2: the first-order masked key expansion engine performs 32 rounds of loop iteration on the masked initial value, and the result of masking each round's round key with the random number is stored in the registers;
Step S1.3: the final data in the registers is XORed with the random number to remove the mask, and the unmasked round keys rk_i are output.
In step S1.2, four compensation transforms are used during the 32 rounds of loop iteration; the four compensation transforms C0, C1, C2, C3 of the first-order masked key expansion engine are defined as follows:
where the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and remains constant throughout the 32 rounds of loop iteration; if the unmasked input value of round i is denoted k0_i, k1_i, k2_i, k3_i, i = 1~32, the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
the values in registers Reg1, Reg2, Reg3 are XORed with CK_i and used as the input of the first-order masked S-box transform MS:
CK_i uses the standard values from the SM4 algorithm specification.
The construction of the MS transform is expressed by the formula:
The result of the MS transform is the input of the L' transform:
L' is the linear transform specified in the SM4 specification; the construction of the L' transform is expressed by the formula:
The value of register Reg0 is XORed with the result of the L' transform and used as the input of compensation transform C3:
The present invention also provides a second-order masking method for the SM4 encryption/decryption engine, comprising the following steps:
Step S2.1: the second-order masked encryption/decryption engine XORs the input plaintext or ciphertext with the random number to add the mask, and the masked value is stored in registers as the input value of the first round of the loop iteration;
Step S2.2: the second-order masked encryption/decryption engine performs 32 rounds of loop iteration, and the value after each round's compensation transform is stored in the registers;
Step S2.3: the final data in the registers is XORed with the random number to remove the mask, and the unmasked ciphertext or plaintext is output.
In step S2.2, four compensation transforms are used during the 32 rounds of loop iteration; the four compensation transforms C0, C1, C2, C3 of the second-order masked encryption/decryption engine are defined as follows:
where, if the unmasked initial value of round i is denoted a_i and divided from left to right into 4 words a0_i, a1_i, a2_i, a3_i, the random number for round i is r_i, divided from left to right into 4 words r0_i, r1_i, r2_i, r3_i, i = 1~32; each of the 32 rounds uses a different random number, that is, the random number is refreshed every round, and the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
the values in registers Reg1, Reg2, Reg3 are XORed with the round key rk_i and used as the input of the second-order masked S-box transform MS:
rk_i is the round key of round i;
The construction of the MS transform is expressed by the formula:
The result of the MS transform is the input of the L transform:
L is the linear transform specified in the SM4 specification; the construction of the L transform is expressed by the formula:
The value of register Reg0 is XORed with the result of the L transform and used as the input of compensation transform C3:
Compared with the prior art, the invention has the following advantages:
1. The encryption/decryption engine uses a second-order masking method and can simultaneously resist simple power analysis, first-order differential power analysis and second-order differential power analysis; the C transform of each round guarantees that the round's result equals the unmasked result XORed with the round's random number, which is convenient for the final unmasking operation.
2. The key expansion engine uses a first-order masking method, which also resists template attacks.
3. The compensation transforms, MS transform, L transform and L' transform used by the invention are easy to implement in hardware.
Brief description of the drawings
Fig. 1 is the flow chart of the present invention.
Fig. 2 is a schematic of the second-order masked encryption/decryption engine in one embodiment of the present invention.
Fig. 3 is a schematic of the first-order masked key expansion engine in one embodiment of the present invention.
Embodiments
The preferred embodiments of the present invention are described below with reference to Fig. 1 to Fig. 3.
SM4 is a block cipher with a generalized Feistel structure; its only nonlinear transform is the S-box transform.
The present invention provides an SM4 method capable of resisting power analysis attacks: a first-order masked key expansion engine performs the key expansion computation on the input key and outputs the round keys to a second-order masked encryption/decryption engine, which performs 32 rounds of loop iteration on the input plaintext (or ciphertext) and the round keys and outputs the ciphertext (or plaintext).
The first-order masked key expansion engine and the second-order masked encryption/decryption engine work simultaneously: in each round the key expansion engine generates one round key and outputs it to the encryption/decryption engine, which performs the encryption/decryption computation.
As shown in Fig. 2, the round keys are produced with a first-order masking scheme; the first-order masking method for the SM4 key expansion process is described below. To balance area against security, the S-box transform of the key expansion in the invention uses first-order masking.
As shown in Fig. 1 and Fig. 2, the SM4 key expansion first-order masking method comprises the following steps:
Step S1.1: the first-order masked key expansion engine XORs the initial input key with the random number to add the mask, and the masked value is stored through a MUX in registers as the initial value of the masked expansion.
The 128-bit initial input key is divided from left to right into 4 parts, denoted kin0, kin1, kin2, kin3; these are the unmasked initial values. The 128-bit random number is correspondingly divided into 4 words, denoted r0, r1, r2, r3. The masked values of the initial input key, kin0+r0, kin1+r1, kin2+r2, kin3+r3, are stored through MUX D0, D1, D2, D3 in the four 32-bit registers Reg0, Reg1, Reg2, Reg3 as the initial value of the masked expansion.
In step S1.1, the MUX selects the result of masking the initial input key with the random number to be stored in the registers.
Step S1.2: the first-order masked key expansion engine performs 32 rounds of loop iteration on the masked initial value, and the round key obtained in each round, masked with the random number, is stored in the registers.
Because a first-order masking method is used, the random number remains constant over the 32 rounds of loop iteration, always r0, r1, r2, r3. If the unmasked input value of round i is denoted k0_i, k1_i, k2_i, k3_i, i = 1~32, the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3.
Four compensation transforms are used during the 32 rounds of loop iteration. The three compensation transforms C0, C1 and C2 of the key expansion are fairly simple and similar to the corresponding three transforms of the encryption/decryption process; the difference is that the key expansion uses a first-order masking scheme and does not need to refresh the random number. The three compensation transforms C0, C1 and C2 of the key expansion are formulated as follows:
The construction of the C3 transform is also similar to that of the encryption/decryption process. During key expansion, the values of Reg1, Reg2, Reg3 XORed with CK_i are used as the input of the first-order masked S-box transform MS.
The input of the MS transform is expressed as follows:
In the formula, CK_i uses the standard values from the SM4 algorithm specification.
The construction of the MS transform is expressed by the formula:
L' is the linear transform specified in the SM4 specification; the L' transform proceeds as follows:
The input of compensation transform C3 is therefore expressed as follows:
The purpose of the compensation transform is to guarantee that the result of this round equals the unmasked result XORed with the random number.
C3 compensation is therefore defined as:
The input of register Reg3 is therefore obtained after the C3 compensation transform and is expressed as follows:
Finally, the values stored in registers Reg0, Reg1, Reg2, Reg3 are the round key masked with the random number.
In step S1.2, the MUX selects the results of the four compensation transforms to be stored in the registers.
Step S1.3: the final data in the registers is XORed with the random number to remove the mask, and the unmasked round keys rk_i (i = 1~32) are output to the second-order masked encryption/decryption engine.
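The first-order masked key expansion of steps S1.1 to S1.3, worked through in code as an added illustration (not the patent's or any vendor's implementation): the four registers hold k_j ⊕ r_j with r0..r3 fixed for all 32 rounds, the S-box is replaced by a masked table MS with MS(x ⊕ m) = S(x) ⊕ S(m) for m = r1 ⊕ r2 ⊕ r3, and C0..C3 follow the forms given in claim 1. Two assumptions: the input key is XORed with the standard's FK constants before masking (a step the page does not mention), and C3 cancels the mask r0 carried in on Reg0 rather than the r1 printed as C3's last term in the claim text, since that is what the stated invariant (each register equals its unmasked value XOR its mask) requires; the check function verifies that invariant after every round and compares the unmasked round keys with a plain key schedule.

```python
import os
import struct

# SM4 S-box (GM/T 0002-2012), 16 rows of 16 bytes.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# The standard defines CK_i byte-wise as ck_j = 7*j mod 256, j = 4i .. 4i+3.
CK = [int.from_bytes(bytes((7 * (4 * i + j)) & 0xFF for j in range(4)), "big")
      for i in range(32)]
MASK32 = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def s_word(x):
    """Unmasked S-box applied to each byte of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def l_prime(b):
    """Key-schedule linear transform L' of the SM4 standard."""
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def initial_state(mk):
    """(K0..K3) = MK ^ FK: the standard's pre-step, assumed here (not on the page)."""
    return [w ^ f for w, f in zip(struct.unpack(">4I", mk), FK)]

def key_schedule_reference(mk):
    """Plain SM4 key expansion, used only as the oracle for the masked one."""
    k, rks = initial_state(mk), []
    for i in range(32):
        rk = k[0] ^ l_prime(s_word(k[1] ^ k[2] ^ k[3] ^ CK[i]))
        rks.append(rk)
        k = [k[1], k[2], k[3], rk]
    return rks

def make_ms_table(m_byte):
    """Masked S-box lane: MS[x ^ m] = S[x] ^ S[m].  The lookup index is always
    a masked byte, so the S-box never processes an unmasked intermediate."""
    return bytes(SBOX[v ^ m_byte] ^ SBOX[m_byte] for v in range(256))

def ms_word(x, tables):
    return int.from_bytes(
        bytes(t[b] for t, b in zip(tables, x.to_bytes(4, "big"))), "big")

def key_schedule_masked(mk, r):
    """Masked key expansion with constant masks r = (r0, r1, r2, r3).
    Returns (round keys, trace); trace[i] is (Reg0..Reg3) after round i so a
    caller can check the page's invariant Reg_j == k_j ^ r_j."""
    reg = [k ^ rj for k, rj in zip(initial_state(mk), r)]   # S1.1: add mask
    m = r[1] ^ r[2] ^ r[3]                              # mask on the MS input
    tables = [make_ms_table(b) for b in m.to_bytes(4, "big")]
    corr = l_prime(s_word(m))                           # L'(S(r1^r2^r3))
    masked_rks, trace = [], []
    for i in range(32):                                 # step S1.2
        ms_in = reg[1] ^ reg[2] ^ reg[3] ^ CK[i]        # = (k1^k2^k3^CK) ^ m
        x = reg[0] ^ l_prime(ms_word(ms_in, tables))   # = rk ^ r0 ^ corr
        new0 = reg[1] ^ r[1] ^ r[0]                     # C0: k1 ^ r0
        new1 = reg[2] ^ r[2] ^ r[1]                     # C1: k2 ^ r1
        new2 = reg[3] ^ r[3] ^ r[2]                     # C2: k3 ^ r2
        # C3: cancel corr and the r0 carried in on Reg0, re-mask with r3.
        # (The claim text on this page prints r1 as C3's last term; r0 is
        # what the stated invariant requires and is assumed here.)
        new3 = x ^ r[3] ^ corr ^ r[0]
        reg = [new0, new1, new2, new3]
        masked_rks.append(new3)
        trace.append(tuple(reg))
    return [w ^ r[3] for w in masked_rks], trace       # step S1.3: unmask

def invariant_holds(mk, r):
    """True iff every round's registers equal the unmasked state ^ (r0..r3)
    and the unmasked round keys match the plain key schedule."""
    rks, trace = key_schedule_masked(mk, r)
    k = initial_state(mk)
    for i in range(32):
        k = [k[1], k[2], k[3], rks[i]]
        if trace[i] != tuple(kj ^ rj for kj, rj in zip(k, r)):
            return False
    return rks == key_schedule_reference(mk)

if __name__ == "__main__":
    mk = bytes.fromhex("0123456789abcdeffedcba9876543210")  # standard test key
    r = struct.unpack(">4I", os.urandom(16))                # fresh r0..r3
    rks, _ = key_schedule_masked(mk, r)
    print("rk0 = %08x  invariant holds: %s" % (rks[0], invariant_holds(mk, r)))
```

With the GM/T 0002-2012 test key the first two unmasked round keys are f12186f9 and 41662b61, independent of the masks chosen.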
As shown in Fig. 3, the second-order masking implementation of the SM4 encryption/decryption engine is described. The mask design of SM4 encryption/decryption is structurally similar to the key expansion masking scheme.
Registers Reg0, Reg1, Reg2, Reg3 are four 32-bit registers, called the scratch registers, 128 bits in total, that store the result of each round of SM4 computation. The L transform in Fig. 3 is the L transform specified in the SM4 specification, without any change. The S-box substitution uses a second-order masked S-box, called the MS box. The compensation transform (C transform) in the figure compensates the result of each round so that it equals the unmasked result XORed with the round's random number.
As shown in Fig. 1 and Fig. 3, taking plaintext encryption as the example, the SM4 encryption/decryption second-order masking method comprises the following steps:
Step S2.1: the second-order masked encryption/decryption engine XORs the input plaintext with the random number to add the mask, and the masked value is stored through a MUX in the registers as the input value of the first round of the loop iteration.
The 128-bit plaintext is divided from left to right into 4 words, denoted din0, din1, din2, din3, which are the unmasked initial values; the 128-bit random number is correspondingly divided into 4 words, denoted r0, r1, r2, r3. The masked plaintext din0+r0, din1+r1, din2+r2, din3+r3 is stored through MUX D0, D1, D2, D3 in the four scratch registers Reg0, Reg1, Reg2, Reg3 as the input value of the first of the 32 rounds.
In step S2.1, the MUX selects the result of masking the plaintext with the random number to be stored in the registers.
Step S2.2: the second-order masked encryption/decryption engine performs 32 rounds of loop iteration, and the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3.
Four compensation transforms are used during the 32 rounds of loop iteration.
If the unmasked initial value of round i is denoted a_i, divided from left to right into 4 words a0_i, a1_i, a2_i, a3_i, the random number for round i is r_i, divided from left to right into 4 words r0_i, r1_i, r2_i, r3_i, i = 1~32.
As can be seen from Fig. 3, the value of register Reg1 is stored into register Reg0 after compensation transform C0. Compensation transform C0 is therefore formulated as follows:
Through the C0 transform the random number r0_i is refreshed to the new random number r0_{i+1}. Likewise, compensation transforms C1 and C2 are defined as:
Through C1 and C2 the random numbers r1_i and r2_i are refreshed to r1_{i+1} and r2_{i+1} respectively.
Compensation transform C3 is more complex: its input has passed in turn through the round-key addition, the MS transform and the L transform. As can be seen from Fig. 3, the input of the MS transform is the following value
where rk_i is the round key of round i.
The construction of the MS transform is expressed by the formula:
After the MS transform, the random number r3_i is refreshed to the new random number r3_{i+1}.
L is the linear transform specified in the SM4 specification; the L transform proceeds as follows:
The input of compensation transform C3 is therefore expressed as follows:
The purpose of the compensation transform is to guarantee that the result of this round equals the unmasked result XORed with the random number.
C3 compensation is therefore defined as:
The input of register Reg3 is therefore obtained after the C3 compensation transform and is expressed as follows:
In step S2.2, the MUX selects the results of the four compensation transforms to be stored in the registers.
Step S2.3: the final data in the registers is XORed with the random number to remove the mask, and the unmasked ciphertext is output.
Decryption of the ciphertext proceeds in the same way as plaintext encryption.
Compared with the prior art, the invention has the following advantages:
First, the encryption/decryption engine uses a second-order masking method and can simultaneously resist simple power analysis, first-order differential power analysis and second-order differential power analysis; the C transform of each round guarantees that the round's result equals the unmasked result XORed with the round's random number, which is convenient for the final unmasking operation.
Second, the key expansion engine uses a first-order masking method, which also resists template attacks.
Although the content of the present invention has been described in detail through the preferred embodiments above, it should be understood that the above description is not to be considered a limitation of the invention. After reading the above, various modifications and substitutions will be apparent to those skilled in the art. The protection scope of the invention should therefore be defined by the appended claims.
Claims (3)
1. An SM4 method capable of resisting power analysis attacks, characterized in that the method uses a first-order masked key expansion engine to perform the key expansion computation on the input key and to output the round keys to a second-order masked encryption/decryption engine; the second-order masked encryption/decryption engine performs 32 rounds of loop iteration on the input plaintext and the round keys and outputs the ciphertext, or performs 32 rounds of loop iteration on the input ciphertext and the round keys and outputs the plaintext;
the first-order masked key expansion engine and the second-order masked encryption/decryption engine work simultaneously: in each round the key expansion engine generates one round key and outputs it to the encryption/decryption engine, which performs the encryption/decryption computation;
when the first-order masked key expansion engine performs the key expansion computation on the input key, four compensation transforms are used during the 32 rounds of loop iteration, and the four compensation transforms C0, C1, C2, C3 of the first-order masked key expansion engine are defined as:
$$
\begin{cases}
C0\big((k1_i \oplus r1),\ r0,\ r1\big) = (k1_i \oplus r1) \oplus r0 \oplus r1 \\
C1\big((k2_i \oplus r2),\ r1,\ r2\big) = (k2_i \oplus r2) \oplus r1 \oplus r2 \\
C2\big((k3_i \oplus r3),\ r2,\ r3\big) = (k3_i \oplus r3) \oplus r2 \oplus r3 \\
C3(x,\ r3,\ r1) = x \oplus r3 \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big) \oplus r1
\end{cases};
$$
where ⊕ denotes bitwise XOR, the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and remains constant throughout the 32 rounds of loop iteration; if the unmasked input value of round i is denoted k0_i, k1_i, k2_i, k3_i, i = 1~32, the value after each round's compensation transform is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
the values in registers Reg1, Reg2, Reg3 are XORed with CK_i and used as the input of the first-order masked S-box transform MS:
$$
(k1_i \oplus r1) \oplus (k2_i \oplus r2) \oplus (k3_i \oplus r3) \oplus CK_i;
$$
where the value of CK_i is the standard value given in the SM4 algorithm specification;
The construction of the MS transformation is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<mi>M</mi>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The result of the MS transformation is used as the input of the L' transformation:
<mrow>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>;</mo>
</mrow>
The L' transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The value of register Reg0 is XORed with the result of the L' transformation and used as the input of compensation transformation C3:
<mrow>
<mi>x</mi>
<mo>=</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>0</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
</mrow>
<mo>;</mo>
</mrow>
The second-order masked cipher engine performs 32 rounds of loop iteration on the input plaintext or ciphertext
and the round keys; 4 compensation transformations are used during the 32 rounds of loop iteration, and the 4
compensation transformations C0, C1, C2, C3 of the second-order masked cipher engine are defined as:
<mrow>
<mi>C</mi>
<mn>0</mn>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>0</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>0</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
<mrow>
<mi>C</mi>
<mn>1</mn>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
<mrow>
<mi>C</mi>
<mn>2</mn>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
<mrow>
<mi>C</mi>
<mn>3</mn>
<mrow>
<mo>(</mo>
<mi>x</mi>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mi>x</mi>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
where the unmasked initial value of the i-th round of loop iteration is denoted a_i and is divided from left to
right into 4 words, denoted in turn a0_i, a1_i, a2_i, a3_i; the random number corresponding to the i-th round is
r_i and is divided from left to right into 4 words, denoted in turn r0_i, r1_i, r2_i, r3_i, i = 1 to 32; the 32
rounds of loop iteration use different random numbers, that is, the random number is refreshed in every round;
the value after each round's compensation transformation is stored in four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in registers Reg1, Reg2 and Reg3 are XORed with the round key rk_i and used as the input of the
second-order masked S-box transformation MS:
<mrow>
<mi>m</mi>
<mi>s</mi>
<mo>_</mo>
<mi>i</mi>
<mi>n</mi>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
rk_i is the round key of the i-th round;
The construction of the MS transformation is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<mi>M</mi>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>)</mo>
</mrow>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The result of the MS transformation is used as the input of the L transformation:
<mrow>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>;</mo>
</mrow>
The L transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The value of register Reg0 is XORed with the result of the L transformation and used as the input of compensation transformation C3:
<mrow>
<mi>x</mi>
<mo>=</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>0</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>.</mo>
</mrow>
2. A first-order masking method for SM4 key expansion, characterized in that it comprises the following steps:
Step S1.1: the first-order masked key expansion engine performs a mask-adding XOR operation on the input key and
a random number, and the masked value is stored in a register as the initial value of the masked expansion;
Step S1.2: the first-order masked key expansion engine performs 32 rounds of loop iteration on the initial value
of the masked expansion, and stores in a register the result of masking each round's round key with the random number;
Step S1.3: a mask-removing XOR operation is performed on the final data in the register and the random number,
and the round keys rk_i are output after mask removal;
In step S1.2, 4 compensation transformations are used during the 32 rounds of loop iteration, and the 4
compensation transformations C0, C1, C2, C3 of the first-order masked key expansion engine are defined as:
<mrow>
<mfenced open = "{" close = "">
<mtable>
<mtr>
<mtd>
<mi>C</mi>
<mn>0</mn>
<mo>(</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<mn>0</mn>
<mo>,</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
<mo>=</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>0</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
</mtd>
</mtr>
<mtr>
<mtd>
<mi>C</mi>
<mn>1</mn>
<mo>(</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<mn>1</mn>
<mo>,</mo>
<mi>r</mi>
<mn>2</mn>
<mo>)</mo>
<mo>=</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
</mtd>
</mtr>
<mtr>
<mtd>
<mi>C</mi>
<mn>2</mn>
<mo>(</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<mn>2</mn>
<mo>,</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
<mo>=</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
</mtd>
</mtr>
<mtr>
<mtd>
<mi>C</mi>
<mn>3</mn>
<mo>(</mo>
<mi>x</mi>
<mo>,</mo>
<mi>r</mi>
<mn>3</mn>
<mo>,</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
<mo>=</mo>
<mi>x</mi>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>&CirclePlus;</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
</mtd>
</mtr>
</mtable>
</mfenced>
<mo>;</mo>
</mrow>
where the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and is kept
constant throughout the 32 rounds of loop iteration; the unmasked input value of the i-th round of loop iteration
is denoted k0_i, k1_i, k2_i, k3_i, i = 1 to 32; the value after each round's compensation transformation is
stored in four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in registers Reg1, Reg2 and Reg3 are XORed with CK_i and used as the input of the first-order
masked S-box transformation MS:
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
where the value of CK_i is the standard value given in the SM4 algorithm specification;
The construction of the MS transformation is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<mi>M</mi>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The result of the MS transformation is used as the input of the L' transformation:
<mrow>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>;</mo>
</mrow>
The L' transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The value of register Reg0 is XORed with the result of the L' transformation and used as the input of compensation transformation C3:
<mrow>
<mi>x</mi>
<mo>=</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>k</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>k</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>CK</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msup>
<mi>L</mi>
<mo>&prime;</mo>
</msup>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<mn>1</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>2</mn>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>3</mn>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>k</mi>
<msub>
<mn>0</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<mn>1</mn>
<mo>)</mo>
</mrow>
<mo>;</mo>
</mrow>
3. A second-order masking method for an SM4 cipher engine, characterized in that it comprises the following steps:
Step S2.1: the second-order masked cipher engine performs a mask-adding XOR operation on the input plaintext or
ciphertext and a random number, and the masked value is stored in a register as the input value of the first
round of loop iteration;
Step S2.2: the second-order masked cipher engine performs 32 rounds of loop iteration, and the value after each
round's compensation transformation is stored in a register;
Step S2.3: a mask-removing XOR operation is performed on the final data in the register and the random number,
and the ciphertext or plaintext is output after mask removal;
In step S2.2, 4 compensation transformations are used during the 32 rounds of loop iteration, and the 4
compensation transformations C0, C1, C2, C3 of the second-order masked cipher engine are defined as:
<mrow>
<mi>C</mi>
<mn>0</mn>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>0</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>0</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
<mrow>
<mi>C</mi>
<mn>1</mn>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
<mrow>
<mi>C</mi>
<mn>2</mn>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
<mrow>
<mi>C</mi>
<mn>3</mn>
<mrow>
<mo>(</mo>
<mi>x</mi>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>,</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>=</mo>
<mi>x</mi>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>&CirclePlus;</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
where the unmasked initial value of the i-th round of loop iteration is denoted a_i and is divided from left to
right into 4 words, denoted in turn a0_i, a1_i, a2_i, a3_i; the random number corresponding to the i-th round is
r_i and is divided from left to right into 4 words, denoted in turn r0_i, r1_i, r2_i, r3_i, i = 1 to 32; the 32
rounds of loop iteration use different random numbers, that is, the random number is refreshed in every round;
the value after each round's compensation transformation is stored in four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in registers Reg1, Reg2 and Reg3 are XORed with the round key rk_i and used as the input of the
second-order masked S-box transformation MS:
<mrow>
<mi>m</mi>
<mi>s</mi>
<mo>_</mo>
<mi>i</mi>
<mi>n</mi>
<mo>=</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>;</mo>
</mrow>
rk_i is the round key of the i-th round;
The construction of the MS transformation is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<mi>M</mi>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>)</mo>
</mrow>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The result of the MS transformation is used as the input of the L transformation:
<mrow>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>;</mo>
</mrow>
The L transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
<mrow>
<mtable>
<mtr>
<mtd>
<mrow>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>S</mi>
<mrow>
<mo>(</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
<mtr>
<mtd>
<mrow>
<mo>=</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>)</mo>
<mo>&CirclePlus;</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
<mo>)</mo>
</mrow>
<mo>)</mo>
</mrow>
</mtd>
</mtr>
</mtable>
<mo>;</mo>
</mrow>
The value of register Reg0 is XORed with the result of the L transformation and used as the input of compensation transformation C3:
<mrow>
<mi>x</mi>
<mo>=</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>a</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>2</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>a</mi>
<msub>
<mn>3</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<msub>
<mi>rk</mi>
<mi>i</mi>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mi>L</mi>
<mrow>
<mo>(</mo>
<mi>S</mi>
<mo>(</mo>
<mrow>
<mi>r</mi>
<msub>
<mn>3</mn>
<mrow>
<mi>i</mi>
<mo>+</mo>
<mn>1</mn>
</mrow>
</msub>
</mrow>
<mo>)</mo>
<mo>)</mo>
</mrow>
<mo>&CirclePlus;</mo>
<mrow>
<mo>(</mo>
<mi>a</mi>
<msub>
<mn>0</mn>
<mi>i</mi>
</msub>
<mo>&CirclePlus;</mo>
<mi>r</mi>
<msub>
<mn>1</mn>
<mi>i</mi>
</msub>
<mo>)</mo>
</mrow>
<mo>.</mo>
</mrow>
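As an added example (not code from the patent or its applicant), the following Python models the first-order masked key expansion of claim 2 and the per-round re-masked cipher engine of claim 3, and checks each against the unmasked SM4 structure. Assumptions: the S-box is a constructed, seeded byte permutation standing in for the SM4 S-box (the compensation scheme does not depend on which bijective S-box is used); L, L', CK_i and FK follow the SM4 standard, with rounds indexed from 0; the 128-bit random number is split into four 32-bit words r0..r3 as the claims describe, with register Reg_j holding word j XOR r_j. Under that register layout the mask that Reg0 carries into the C3 input is r0, so the example's C3 removes r0 where the claims write r1; that is an assumption about the intended bookkeeping, not something the page states. The key, plaintext and masks are constructed sample values, not test vectors.

```python
"""Added example: masked SM4-style datapaths from claims 2 and 3, each checked
against its unmasked counterpart.  The S-box is a constructed stand-in (seeded
byte permutation), NOT the SM4 S-box; L, L', CK and FK are the SM4 standard's."""
import random

MASK32 = 0xFFFFFFFF
_rng = random.Random(20141126)            # fixed seed: constructed, repeatable values
SBOX = list(range(256))
_rng.shuffle(SBOX)                        # constructed nonlinear byte bijection
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)   # SM4 system parameters

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def L_prime(b):                           # key-expansion linear layer (SM4 standard)
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def L(b):                                 # round-function linear layer (SM4 standard)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def CK(i):                                # CK_i, 0-based: ck_{i,j} = (4i + j) * 7 mod 256
    return int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")

def tau(word):                            # S applied byte-wise to a 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in word.to_bytes(4, "big")), "big")

def masked_sbox(m_in, m_out):
    """Masked S-box MS as four byte tables (one per byte position) with
    MS(v ^ m_in) == S(v) ^ S(m_out).  Built from mask values only, so the
    per-round datapath never evaluates S on an unmasked intermediate."""
    tables = [[SBOX[y ^ a] ^ SBOX[b] for y in range(256)]
              for a, b in zip(m_in.to_bytes(4, "big"), m_out.to_bytes(4, "big"))]

    def ms(word):
        return int.from_bytes(bytes(t[y] for t, y in
                                    zip(tables, word.to_bytes(4, "big"))), "big")
    return ms

def key_expansion(mk):                    # unmasked reference (SM4 structure)
    k = [mk[j] ^ FK[j] for j in range(4)]
    for i in range(32):
        k.append(k[i] ^ L_prime(tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK(i))))
    return k[4:]

def encrypt_block(x, rks):                # unmasked reference (SM4 structure)
    x = list(x)
    for i in range(32):
        x.append(x[i] ^ L(tau(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rks[i])))
    return (x[35], x[34], x[33], x[32])   # reverse transform R

def masked_key_expansion(mk, r):
    """Claim 2: r = (r0, r1, r2, r3) is one 128-bit random value, constant for
    all 32 rounds; Reg_j holds word j XOR r_j.  C3 strips the mask Reg0 carries
    under that layout (r0; an assumption, the claim writes r1)."""
    r0, r1, r2, r3 = r
    m = r1 ^ r2 ^ r3                      # mask carried by the MS input
    ms = masked_sbox(m, m)                # MS(y) = S(y ^ m) ^ S(m)
    reg = [mk[j] ^ FK[j] ^ r[j] for j in range(4)]        # step S1.1: add mask
    masked_rks = []
    for i in range(32):                                   # step S1.2
        x = L_prime(ms(reg[1] ^ reg[2] ^ reg[3] ^ CK(i))) ^ reg[0]
        reg = [reg[1] ^ r0 ^ r1,                          # C0: mask r1 -> r0
               reg[2] ^ r1 ^ r2,                          # C1: mask r2 -> r1
               reg[3] ^ r2 ^ r3,                          # C2: mask r3 -> r2
               x ^ r3 ^ L_prime(tau(m)) ^ r0]             # C3: -> rk_i ^ r3
        masked_rks.append(reg[3])
    return [v ^ r3 for v in masked_rks]                   # step S1.3: remove mask

def masked_encrypt_block(x, rks, masks):
    """Claim 3: masks[i] = (r0_i, .., r3_i) is a fresh 128-bit random value per
    round (33 of them: rounds 0..31 plus the final output mask).  C0..C3 move
    each word from the round-i masks to the round-(i+1) masks; MS converts the
    input mask r1^r2^r3 into the output mask S(r3_{i+1})."""
    reg = [x[j] ^ masks[0][j] for j in range(4)]          # step S2.1
    for i in range(32):                                   # step S2.2
        r0, r1, r2, r3 = masks[i]
        n0, n1, n2, n3 = masks[i + 1]
        ms = masked_sbox(r1 ^ r2 ^ r3, n3)
        t = L(ms(reg[1] ^ reg[2] ^ reg[3] ^ rks[i])) ^ reg[0]
        reg = [reg[1] ^ n0 ^ r1,                          # C0
               reg[2] ^ n1 ^ r2,                          # C1
               reg[3] ^ n2 ^ r3,                          # C2
               t ^ n3 ^ L(tau(n3)) ^ r0]                  # C3 (r0, as above)
    out = [reg[j] ^ masks[32][j] for j in range(4)]       # step S2.3: remove mask
    return (out[3], out[2], out[1], out[0])

# Constructed sample inputs (not test vectors from the standard).
MK = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
PT = (0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF)
R_KEY = tuple(_rng.getrandbits(32) for _ in range(4))
ROUND_MASKS = [tuple(_rng.getrandbits(32) for _ in range(4)) for _ in range(33)]

if __name__ == "__main__":
    rks = key_expansion(MK)
    print("round keys match:", masked_key_expansion(MK, R_KEY) == rks)
    print("ciphertext matches:",
          masked_encrypt_block(PT, rks, ROUND_MASKS) == encrypt_block(PT, rks))
```

Running the file prints both equality checks. The point to take from the masked functions is where S is evaluated: only inside masked_sbox (on mask bytes, when the MS tables are built) and inside C3 (on the mask word), never on a register value, which is the property a leakage assessment of such an engine would set out to confirm.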
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410704525.3A CN104333447B (en) | 2014-11-26 | 2014-11-26 | It is a kind of can resisting energy analysis attacks SM4 methods |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410704525.3A CN104333447B (en) | 2014-11-26 | 2014-11-26 | It is a kind of can resisting energy analysis attacks SM4 methods |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104333447A CN104333447A (en) | 2015-02-04 |
CN104333447B true CN104333447B (en) | 2017-10-10 |
Family
ID=52408106
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410704525.3A Active CN104333447B (en) | 2014-11-26 | 2014-11-26 | It is a kind of can resisting energy analysis attacks SM4 methods |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104333447B (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104734842B (en) * | 2015-03-13 | 2018-06-08 | 上海交通大学 | Method is resisted in circuits bypass attack based on pseudo-operation |
CN104717055B (en) * | 2015-03-25 | 2018-11-20 | 成都信息工程学院 | A kind of template attack method for SM4 cryptographic algorithm wheel input Hamming weight |
CN106161002A (en) * | 2015-04-01 | 2016-11-23 | 上海华虹集成电路有限责任公司 | A kind of method of SM4 cryptochannel opposing side Multiple Channel Analysis |
CN104868990B (en) * | 2015-04-15 | 2018-04-06 | 成都信息工程学院 | A kind of template attack method for the output of SM4 cryptographic algorithms wheel |
CN105577363B (en) * | 2016-01-29 | 2018-06-01 | 江苏沁恒股份有限公司 | For the Extensible pipeline circuit and its implementation of SM4 cryptographic algorithms |
CN107070629A (en) * | 2016-11-14 | 2017-08-18 | 成都信息工程大学 | A kind of template attack method exported for SM4 cryptographic algorithms wheel |
CN107231229B (en) * | 2017-05-31 | 2020-10-27 | 中国电力科学研究院 | Low-entropy mask leakage protection method for protecting SM4 password chip and implementation system thereof |
CN110311771B (en) * | 2018-03-20 | 2022-07-22 | 北京小米松果电子有限公司 | SM4 encryption and decryption method and circuit |
CN111314090B (en) * | 2020-03-25 | 2021-03-26 | 北京航空航天大学 | Secure multi-cloud password management method based on bit level threshold |
CN112422288B (en) * | 2020-10-26 | 2023-06-27 | 中国科学院大学 | SM2 algorithm-based two-party collaborative signature method for resisting energy analysis attack |
CN112787800B (en) * | 2021-01-19 | 2022-06-17 | 清华大学 | Encryption and decryption method and device based on second-order mask, electronic equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102664730A (en) * | 2012-05-02 | 2012-09-12 | 西安电子科技大学 | 128 bit secret key expansion method based on AES (Advanced Encryption Standard) |
CN103647637A (en) * | 2013-11-19 | 2014-03-19 | 国家密码管理局商用密码检测中心 | Second-order side channel energy analysis method for SM4 algorithm of simple mask |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4718288B2 (en) * | 2005-09-29 | 2011-07-06 | 株式会社日立製作所 | Diskless computer operation management system |
2014
- 2014-11-26 CN CN201410704525.3A patent/CN104333447B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN104333447A (en) | 2015-02-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104333447B (en) | It is a kind of can resisting energy analysis attacks SM4 methods | |
CN104852795B (en) | It is a kind of to take turns ZUC stream cipher algorithm mask means of defence of the output for boolean's mask | |
Moldovyan et al. | A cipher based on data-dependent permutations | |
CN106357380B (en) | The mask method and device of SM4 algorithm | |
CN103051442B (en) | Cipher device adopting Feistel-PG structure and encryption method | |
CN108964872A (en) | A kind of encryption method and device based on AES | |
CN102904710B (en) | Hyper-chaos encryption method for weak password based on quantum cellular neural network | |
CN103795527A (en) | Software mask defense scheme capable of preventing attack on advanced encryption standard (AES) algorithm based on power analysis | |
CN103888247B (en) | Resist the data handling system and its data processing method of Differential power attack analysis | |
CN103986571B (en) | A kind of smart card multi-core processor system and its method for defending differential power consumption analysis | |
CN103647637A (en) | Second-order side channel energy analysis method for SM4 algorithm of simple mask | |
CN106656465B (en) | A kind of the addition mask hardware implementation method and circuit of resisting energy analysis attacks | |
CN104065473A (en) | Compact realization method of SM4 block cipher algorithm S box | |
CN102571331A (en) | Cryptographic algorithm realization protecting method used for defending energy analysis attacks | |
CN104410490B (en) | The method of non-linear extruding protection password S boxes | |
CN107257279A (en) | A kind of clear data encryption method and equipment | |
CN109450632A (en) | Key recovery method based on whitepack block cipher CLEFIA analysis | |
CN105897400A (en) | Masking method and device for SM4 algorithm | |
CN104967509B (en) | It is a kind of to take turns ZUC stream cipher algorithm mask means of defence of the output for arithmetic mask | |
CN104601321B (en) | Cipher key spreading method and apparatus | |
CN104009981B (en) | A kind of real-time big data method for secret protection based on symmetric cryptography | |
CN101958790B (en) | Encryption or decryption method of wireless communication network digital information | |
CN104811295A (en) | Side channel energy analysis method for ZUC cryptographic algorithm with mask protection | |
CN103888245A (en) | S box randomized method and system for smart card | |
CN106936822A (en) | For the mask realization method and system of the anti-high-order bypass analysis of SMS4 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: 200233 Room 704, Building 2, No. 2570 Hechuan Road, Minhang District, Shanghai
Patentee after: Shanghai Hangxin Electronic Technology Co.,Ltd.
Address before: 200241, building 6, building 555, No. 8, Dongchuan Road, Shanghai, Minhang District
Patentee before: SHANGHAI AISINOCHIP ELECTRONIC TECHNOLOGY Co.,Ltd.