CN104333447B - An SM4 method resistant to power analysis attacks - Google Patents

An SM4 method resistant to power analysis attacks

Info

Publication number
CN104333447B
Authority
CN
China
Legal status
Active
Application number
CN201410704525.3A
Other languages
Chinese (zh)
Other versions
CN104333447A (en)
Inventor
周玉洁
朱念好
Current Assignee
Shanghai Hangxin Electronic Technology Co ltd
Original Assignee
SHANGHAI AISINO CHIP ELECTRONIC TECHNOLOGY Co Ltd
Application filed by SHANGHAI AISINO CHIP ELECTRONIC TECHNOLOGY Co Ltd
Priority to CN201410704525.3A
Publication of CN104333447A
Application granted
Publication of CN104333447B
Legal status: Active


Abstract

An SM4 method resistant to power analysis attacks. A first-order masked key expansion engine performs the key expansion on the input key and outputs the round keys to a second-order masked encryption/decryption engine; the second-order masked engine performs 32 rounds of iteration on the input plaintext (or ciphertext) and the round keys and outputs the ciphertext (or plaintext). The invention implements the SM4 encryption/decryption engine with a second-order mask and the SM4 key expansion engine with a first-order mask, so that it not only resists higher-order power analysis during encryption and decryption but also resists template attacks on the key expansion, effectively improving the security of hardware implementations of SM4.

Description

An SM4 method resistant to power analysis attacks
Technical field
The present invention relates to the field of information security chip design, and in particular to an SM4 method resistant to power analysis attacks.
Background technology
In the 1990s the Internet and mobile communications began to flourish, and the wave of informatization quickly swept through every aspect of people's lives: clothing, food, housing and travel. Information technology, with explosive momentum, has revolutionised the way people live and think. For example, online shopping, which has gradually become popular in recent years, lets people choose goods from all over the world without leaving home; mobile payment lets people complete small, fast payments through a phone payment platform and enjoy that convenience anytime and anywhere; and the WeChat red packets that became popular in 2013, while shortening the distance between people, have also had a profound effect on the traditional financial industry.
Scientific and technological development is a double-edged sword, and informatization is no exception: while it brings great convenience to people's lives, it also brings unforeseen security risks. For example, if a system that stores personal identity and password information is attacked, the consequences can be catastrophic. In September 2011 the security system of CSDN, the largest domestic developer community, was breached and the login names and passwords of some CSDN users were leaked; the highly influential Tianya community forum also suffered a user-data leak, triggering a serious network crisis; and the Snowden affair of 2013 made people realise that fragile information systems already threaten national defence and military security, and that information security must not stop at the surface but must be raised to the level of national strategy.
The importance of information security is gradually coming to the fore. Encryption, as one of the most powerful weapons in information security, plays an important role. Any security product or cryptographic system must face the problem of how to defend against attacks and snooping. In recent years a new and powerful attack method has appeared, which people call side-channel attack (SCA). A side-channel attack uses the side-channel information leaked by a cryptographic chip while it runs, such as power consumption, timing, electromagnetic emanation and fault behaviour, to attack and probe the cryptographic system. Side-channel attacks have become a serious threat to information security chip products, and the harm they do far exceeds that of traditional mathematical analysis.
Power analysis attacks are one kind of side-channel attack: they use the power consumed by a cryptographic chip while it performs cryptographic operations to attack the key. A chip consumes different amounts of power when processing different operations, and even the same instruction consumes different amounts of power with different operands, so by analysing the power consumption the key can be deduced. Power analysis attacks are divided into simple power analysis (SPA) and differential power analysis (DPA), of which DPA is the more effective and the more widely applied.
The principle of a DPA attack is to exploit the correlation between the power actually consumed by the attacked device during encryption and the intermediate values of the encryption algorithm, and thereby derive the key. Given the input plaintext and a guessed key, an intermediate value of the encryption algorithm can always be computed. Research into countermeasures against power analysis has therefore become extremely necessary.
The basis on which power analysis attacks work is that the energy consumption of a cryptographic chip depends on the intermediate values of the cryptographic algorithm it executes. To resist this attack, therefore, one tries to reduce or eliminate this dependence. Random masking achieves this by randomising the intermediate values processed by the chip. Its advantage is that it is implemented at the algorithm level and does not require changing the energy-consumption characteristics of the chip: even if the chip's energy consumption is data-dependent, random masking removes the dependence between that consumption and the intermediate values of the executed algorithm. Random masking is a countermeasure that has received wide attention in engineering circles.
The S-box substitution of a symmetric algorithm consumes a great deal of energy, and in power analysis the attacker chooses the S-box output as the point of analysis, so in hardware implementations of symmetric algorithms it is very necessary for the encryption/decryption engine to use masking.
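The two paragraphs above describe what a DPA attacker does (predict an intermediate value from the plaintext and a key guess, then correlate it with the measured power) and why masking the S-box output removes that correlation. The following added example, not from the patent, plays both roles. Everything in it is constructed: the S-box is a seeded random 8-bit permutation standing in for a real cipher's S-box, the "device" leaks the Hamming weight of the stored S-box output plus Gaussian noise, and the traces are generated inline; `make_sbox`, `simulate_traces`, `cpa` and the other names are mine. It runs the same first-order correlation attack against an unmasked device and against one that XORs a fresh random byte into the S-box output before storing it.

```python
"""First-order correlation power analysis (CPA) on an S-box output, with and without a mask.

Added example, not from the patent. The S-box is a constructed 8-bit permutation (not SM4's),
the 'device' leaks the Hamming weight of the S-box output plus Gaussian noise, and every
trace is constructed inline, so the whole thing runs offline."""
import random

HW = [bin(v).count("1") for v in range(256)]            # Hamming-weight lookup for a byte


def make_sbox(seed=7):
    """Constructed stand-in for a cipher S-box: a fixed, seeded random 8-bit permutation."""
    s = list(range(256))
    random.Random(seed).shuffle(s)
    return s


def simulate_traces(sbox, key, n, masked, sigma=1.0, seed=1):
    """Return n plaintext bytes and n power samples from a simulated device.

    Unmasked: the device stores S(p ^ key). Masked: it stores S(p ^ key) ^ m for a fresh
    uniform m per encryption, so the stored value is uniform whatever the key is."""
    rng = random.Random(seed)
    pts, leaks = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = sbox[p ^ key]
        if masked:
            v ^= rng.randrange(256)                      # random mask, never seen by the attacker
        pts.append(p)
        leaks.append(HW[v] + rng.gauss(0, sigma))        # one noisy sample per encryption
    return pts, leaks


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def cpa(sbox, pts, leaks):
    """For each of the 256 key guesses predict HW(S(p ^ guess)) for every plaintext and
    correlate the prediction with the measured samples; return (best guess, its correlation)."""
    scores = [pearson([HW[sbox[p ^ g]] for p in pts], leaks) for g in range(256)]
    best = max(range(256), key=scores.__getitem__)
    return best, scores[best]


def demo(key=0x3C, n=2000):
    """Attack the unmasked and the masked device with the same traces budget; return both results."""
    sbox = make_sbox()
    plain = cpa(sbox, *simulate_traces(sbox, key, n, masked=False))
    masked = cpa(sbox, *simulate_traces(sbox, key, n, masked=True))
    return plain, masked


if __name__ == "__main__":
    (g0, c0), (g1, c1) = demo()
    print(f"unmasked: guess 0x{g0:02x} rho={c0:.2f}   masked: guess 0x{g1:02x} rho={c1:.2f}")
```

With 2000 traces the unmasked device gives back the key byte with a correlation near 0.8 (the theoretical sqrt(2/3) for Hamming-weight leakage of eight bits under unit Gaussian noise), while for the masked device no guess rises above the noise floor: a first-order attack has nothing to correlate with, because the stored value is uniformly distributed whatever the key. Recovering the key from a masked device needs a second-order attack that combines two samples (one depending on the mask, one on the masked value), which is the attack the page's second-order encryption engine is meant to resist.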
The SM4 key expansion also executes 32 rounds of iteration, and it also uses the S-box substitution. The S-box substitution is one of the weakest links of a symmetric cipher's hardware implementation with respect to power analysis. Power analysis of the key expansion generally uses a template attack: the attacker is assumed to possess a device identical to the one under attack and to have full control of it. The attacker first builds templates of the circuit's power consumption under various known keys, then matches the templates built for the key expansion against the target device to recover its key.
SM4 is the first commercial cipher algorithm officially published by China. Because SM4 was published relatively late, there has been little research into countermeasures against power analysis of SM4, and an anti-attack method for SM4 is needed.
Summary of the invention
The present invention provides an SM4 method resistant to power analysis attacks in which the SM4 encryption/decryption engine is implemented with a second-order mask and the key expansion engine with a first-order mask, so that it resists higher-order power analysis during encryption and decryption as well as template attacks on the key expansion, effectively improving the security of hardware implementations of SM4.
To achieve the above object, the invention provides an SM4 method resistant to power analysis attacks in which a first-order masked key expansion engine performs the key expansion on the input key and outputs the round keys to a second-order masked encryption/decryption engine, which performs 32 rounds of iteration on the input plaintext and the round keys and outputs the ciphertext, or performs 32 rounds of iteration on the input ciphertext and the round keys and outputs the plaintext;
The first-order masked key expansion engine and the second-order masked encryption/decryption engine run simultaneously: in each round the key expansion engine generates one round key and outputs it to the encryption/decryption engine, which performs the encryption/decryption operation.
When the first-order masked key expansion engine performs the key expansion on the input key, four compensation transformations are used during the 32 rounds; the four compensation transformations C0, C1, C2, C3 of the first-order masked key expansion engine are defined as:
where the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and stays constant throughout the 32 rounds; if the input values of round i without the mask are denoted k0_i, k1_i, k2_i, k3_i, i = 1 to 32, the value after each round's compensation transformation is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with CK_i and used as the input of the first-order masked S-box transformation MS:
The value of CK_i is the standard value given in the SM4 algorithm text.
The construction of the MS transformation is expressed by the following formula:
The result of the MS transformation is used as the input of the L' transformation:
L' is the linear transformation specified in the SM4 algorithm text, and its construction is expressed by the following formula:
The value of register Reg0 is XORed with the result of the L' transformation and used as the input of compensation transformation C3:
When the second-order masked encryption/decryption engine performs 32 rounds of iteration on the input plaintext or ciphertext and the round keys, four compensation transformations are used during the 32 rounds; the four compensation transformations C0, C1, C2, C3 of the second-order masked encryption/decryption engine are defined as:
where, if the initial value of round i without the mask is denoted a_i and divided from left to right into 4 words a0_i, a1_i, a2_i, a3_i, the random number corresponding to round i is r_i, divided from left to right into 4 words r0_i, r1_i, r2_i, r3_i, i = 1 to 32; the 32 rounds use different random numbers, that is, the random number is updated every round, and the value after each round's compensation transformation is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with the round key rk_i and used as the input of the second-order masked S-box transformation MS:
rk_i is the round key of round i;
The construction of the MS transformation is expressed by the following formula:
The result of the MS transformation is used as the input of the L transformation:
L is the linear transformation specified in the SM4 algorithm text, and its construction is expressed by the following formula:
The value of register Reg0 is XORed with the result of the L transformation and used as the input of compensation transformation C3:
The present invention also provides a first-order masking method for the SM4 key expansion, comprising the following steps:
Step S1.1: the first-order masked key expansion engine XORs the input key with the random number (mask addition), and the masked value is stored in registers as the initial value of the masked expansion;
Step S1.2: the first-order masked key expansion engine performs 32 rounds of iteration on the masked initial value, and in each round the round key XORed with the random number (the masked round key) is stored in the registers;
Step S1.3: the final data in the registers is XORed with the random number (mask removal) to obtain the unmasked round key rk_i, which is output.
In step S1.2 four compensation transformations are used during the 32 rounds; the four compensation transformations C0, C1, C2, C3 of the first-order masked key expansion engine are defined as:
where the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and stays constant throughout the 32 rounds; if the input values of round i without the mask are denoted k0_i, k1_i, k2_i, k3_i, i = 1 to 32, the value after each round's compensation transformation is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with CK_i and used as the input of the first-order masked S-box transformation MS:
The value of CK_i is the standard value given in the SM4 algorithm text.
The construction of the MS transformation is expressed by the following formula:
The result of the MS transformation is used as the input of the L' transformation:
L' is the linear transformation specified in the SM4 algorithm text, and its construction is expressed by the following formula:
The value of register Reg0 is XORed with the result of the L' transformation and used as the input of compensation transformation C3:
The present invention also provides a second-order masking method for the SM4 encryption/decryption engine, comprising the following steps:
Step S2.1: the second-order masked encryption/decryption engine XORs the input plaintext or ciphertext with the random number (mask addition), and the masked value is stored in registers as the input of the first round of the iteration;
Step S2.2: the second-order masked encryption/decryption engine performs 32 rounds of iteration, and the value after each round's compensation transformation is stored in the registers;
Step S2.3: the final data in the registers is XORed with the random number (mask removal) to obtain the ciphertext or plaintext, which is output.
In step S2.2 four compensation transformations are used during the 32 rounds; the four compensation transformations C0, C1, C2, C3 of the second-order masked encryption/decryption engine are defined as:
where, if the initial value of round i without the mask is denoted a_i and divided from left to right into 4 words a0_i, a1_i, a2_i, a3_i, the random number corresponding to round i is r_i, divided from left to right into 4 words r0_i, r1_i, r2_i, r3_i, i = 1 to 32; the 32 rounds use different random numbers, that is, the random number is updated every round, and the value after each round's compensation transformation is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with the round key rk_i and used as the input of the second-order masked S-box transformation MS:
rk_i is the round key of round i;
The construction of the MS transformation is expressed by the following formula:
The result of the MS transformation is used as the input of the L transformation:
L is the linear transformation specified in the SM4 algorithm text, and its construction is expressed by the following formula:
The value of register Reg0 is XORed with the result of the L transformation and used as the input of compensation transformation C3:
Compared with the prior art, the invention has the following advantages:
1. The encryption/decryption engine uses a second-order masking method and can resist simple power analysis, first-order differential power analysis and second-order differential power analysis at the same time; the C transformation of each round ensures that the result of each round equals the unmasked result XORed with the random number of that round, which makes the final mask removal straightforward.
2. The key expansion engine uses a first-order masking method, which also serves to resist template attacks.
3. The compensation transformation, MS transformation, L transformation and L' transformation used by the invention can easily be implemented in hardware.
Brief description of the drawings
Fig. 1 is the flow chart of the invention.
Fig. 2 is a schematic of the second-order masked encryption/decryption engine in one embodiment of the invention.
Fig. 3 is a schematic of the first-order masked key expansion engine in one embodiment of the invention.
Detailed description of the embodiments
The preferred embodiments of the invention are described below with reference to Fig. 1 to Fig. 3.
SM4 is a block cipher with a generalised Feistel structure; its only non-linear transformation is the S-box transformation.
The invention provides an SM4 method resistant to power analysis attacks in which a first-order masked key expansion engine performs the key expansion on the input key and outputs the round keys to a second-order masked encryption/decryption engine, which performs 32 rounds of iteration on the input plaintext (ciphertext) and the round keys and outputs the ciphertext (plaintext).
The first-order masked key expansion engine and the second-order masked encryption/decryption engine run simultaneously: in each round the key expansion engine generates one round key and outputs it to the encryption/decryption engine, which performs the encryption/decryption operation.
As shown in Fig. 2, the round keys are produced with a first-order masking scheme; the first-order masking method for the SM4 key expansion is introduced below. To balance area against security, the S-box transformation of the key expansion uses a first-order mask.
As shown in Fig. 1 and Fig. 2, the first-order masking method for the SM4 key expansion comprises the following steps:
Step S1.1: the first-order masked key expansion engine XORs the initial input key with the random number, and the masked value is written through a multiplexer (MUX) into the registers as the initial value of the masked expansion.
The 128-bit initial input key is divided from left to right into 4 parts, denoted kin0, kin1, kin2, kin3, which are the unmasked initial values; the 128-bit random number is likewise divided into 4 words, denoted r0, r1, r2, r3. The masked values kin0 ⊕ r0, kin1 ⊕ r1, kin2 ⊕ r2, kin3 ⊕ r3 are written through MUX inputs D0, D1, D2, D3 into the four 32-bit registers Reg0, Reg1, Reg2, Reg3 as the initial value of the masked expansion.
In step S1.1 the MUX selects the result of masking the initial input key with the random number to be written into the registers.
Step S1.2: the first-order masked key expansion engine performs 32 rounds of iteration on the masked initial value; the round key produced by each round, XORed with the random number (the masked round key), is stored in the registers.
Because a first-order masking method is used, the random number stays constant during the 32 rounds, always r0, r1, r2, r3. If the input values of round i without the mask are denoted k0_i, k1_i, k2_i, k3_i, i = 1 to 32, the value after each round's compensation transformation is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
Four compensation transformations are used during the 32 rounds. The three compensation transformations C0, C1 and C2 of the key expansion are fairly simple and similar to the corresponding three transformations of the encryption/decryption process; the difference is that the key expansion uses a first-order masking scheme and does not need to update the random number. C0, C1 and C2 of the key expansion are expressed by the following formulas:
The construction of C3 is also similar to that of the encryption/decryption process. During key expansion, the values of Reg1, Reg2, Reg3 are XORed with CK_i and the result is used as the input of the first-order masked S-box transformation MS.
The input of the MS transformation is expressed as follows:
In the formula, CK_i takes the standard value given in the SM4 algorithm text.
The construction of the MS transformation is expressed by the following formula:
L' is the linear transformation specified in the SM4 algorithm text, and the L' transformation proceeds as follows:
The input of compensation transformation C3 is therefore expressed as follows:
The purpose of the compensation transformation is to ensure that the result computed in this round equals the result without masking XORed with the random number.
C3 compensation is therefore defined as:
The input of register Reg3 is therefore obtained after the C3 compensation transformation and is expressed as follows:
Finally, the values stored in registers Reg0, Reg1, Reg2, Reg3 are the round key XORed with the random number (the masked round key).
In step S1.2 the MUX selects the results of the four compensation transformations to be written into the registers.
Step S1.3: the final data in the registers is XORed with the random number (mask removal) to obtain the unmasked round key rk_i (i = 1 to 32), which is output to the second-order masked encryption/decryption engine.
As shown in Fig. 3, the second-order masking implementation of the SM4 encryption/decryption engine is introduced next. The mask design of SM4 encryption/decryption is structurally similar to the key expansion masking scheme.
Registers Reg0, Reg1, Reg2, Reg3 are four 32-bit registers, 128 bits in total, used to store the result of each SM4 round; they are called the scratch registers. The L transformation in Fig. 3 is the L transformation specified in the SM4 algorithm text, unchanged. The S-box substitution uses a second-order masked S-box, called the MS box. The compensation transformation (C transformation) in the figure compensates the result of each round so that it equals the unmasked result XORed with the random number of that round.
As shown in Fig. 1 and Fig. 3, taking plaintext encryption as the example, the second-order masking method for SM4 encryption/decryption comprises the following steps:
Step S2.1: the second-order masked encryption/decryption engine XORs the input plaintext with the random number (mask addition), and the masked value is written through the MUX into the registers as the input of the first round of the iteration.
The 128-bit plaintext is divided from left to right into 4 words, denoted din0, din1, din2, din3, which are the unmasked initial values; the 128-bit random number is likewise divided into 4 words, denoted r0, r1, r2, r3. The masked plaintext din0 ⊕ r0, din1 ⊕ r1, din2 ⊕ r2, din3 ⊕ r3 is written through MUX inputs D0, D1, D2, D3 into the four scratch registers Reg0, Reg1, Reg2, Reg3 as the input of the first of the 32 rounds.
In step S2.1 the MUX selects the result of masking the plaintext with the random number to be written into the registers.
Step S2.2: the second-order masked encryption/decryption engine performs 32 rounds of iteration; the value after each round's compensation transformation is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3.
Four compensation transformations are used during the 32 rounds.
Let the initial value of round i without the mask be a_i, divided from left to right into 4 words a0_i, a1_i, a2_i, a3_i, and let the random number of round i be r_i, divided from left to right into 4 words r0_i, r1_i, r2_i, r3_i, i = 1 to 32.
As can be seen from Fig. 3, the value of register Reg1 is stored into register Reg0 after compensation transformation C0. The operation of C0 is therefore expressed by the following formula:
Through compensation transformation C0 the random number r0_i is updated to the new random number r0_{i+1}; likewise, compensation transformations C1 and C2 are defined as:
Through compensation transformations C1 and C2 the random numbers r1_i and r2_i are updated to r1_{i+1} and r2_{i+1} respectively.
The definition of compensation transformation C3 is more complex: its input has passed in turn through the round-key addition, the MS transformation and the L transformation. As can be seen from Fig. 3, the input of the MS transformation is the following value:
where rk_i is the round key of round i.
The construction of the MS transformation is expressed by the following formula:
After the MS transformation the random number r3_i is updated to the new random number r3_{i+1}.
L is the linear transformation specified in the SM4 algorithm text, and the L transformation proceeds as follows:
The input of compensation transformation C3 is therefore expressed as follows:
The purpose of the compensation transformation is to ensure that the result computed in this round equals the result without masking XORed with the random number.
C3 compensation is therefore defined as:
The input of register Reg3 is therefore obtained after the C3 compensation transformation and is expressed as follows:
In step S2.2 the MUX selects the results of the four compensation transformations to be written into the registers.
Step S2.3: the final data in the registers is XORed with the random number (mask removal) to obtain the ciphertext, which is output.
Decryption of the ciphertext proceeds in the same way as encryption of the plaintext (with the round keys applied in reverse order, as the SM4 standard specifies).
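The two procedures above (steps S1.1 to S1.3 for the key expansion and S2.1 to S2.3 for encryption/decryption) carried through in code, as an added example that is not the patent's own implementation. It follows the register and mask flow the page describes: the key expansion keeps one 128-bit mask r0..r3 for all 32 rounds and uses C0..C3 so that every Reg_j stays under r_j, while the encryption engine draws a fresh mask every round, C0..C2 move each word from its old mask r_{j+1,i} to r_{j,i+1}, MS hands its output over under r3_{i+1}, and C3 removes what is left. Three things are assumptions, not page content: MS is realised by per-byte table recomputation (the page defines MS only by its input/output relation), FK is XORed into the key first because the SM4 standard requires it, and `secrets.token_bytes` stands in for the chip's RNG; all names (`MS`, `masked_key_expansion`, `masked_crypt`, `sm4_encrypt`, ...) are mine. One caveat on claim 1 as printed below: its C3 ends with ⊕ r1, but the input of C3 is Reg0 ⊕ L'(MS(...)) and Reg0 carries r0 throughout the key expansion (Reg0 = kin0 ⊕ r0 at step S1.1, and C0 re-masks Reg1 onto r0), so the term that cancels is r0; the code uses r0, and with r1 the round keys would not come out mask-independent.

```python
"""Functional model of the two masked SM4 engines described on this page (added example).

Assumptions not stated on the page: the masked S-box MS is realised by per-byte table
recomputation, the SM4 system parameters FK are XORed into the key before masking (as the
SM4 standard requires), and secrets.token_bytes stands in for the chip's RNG."""
import secrets

# SM4 S-box (GB/T 32907-2016), two table rows per line
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# CK_i as defined in the SM4 standard: byte j of CK_i is ((4i + j) * 7) mod 256
CK = [sum((((4 * i + j) * 7) & 0xFF) << (24 - 8 * j) for j in range(4)) for i in range(32)]
M32 = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def L(b):        # linear transform of the round function
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def L_prime(b):  # linear transform of the key expansion
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def tau(w):      # plain S-box layer; used here only on mask words, never on key material
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def MS(y, m_in, m_out):
    """Masked S-box layer: returns tau(y ^ m_in) ^ m_out without ever forming y ^ m_in.
    Per byte a table T with T[v ^ mi] = S(v) ^ mo is recomputed from the masks and indexed
    by the masked byte (assumed realisation; the page gives MS only as a relation)."""
    out = 0
    for sh in (24, 16, 8, 0):
        mi, mo = (m_in >> sh) & 0xFF, (m_out >> sh) & 0xFF
        table = [SBOX[v ^ mi] ^ mo for v in range(256)]
        out |= table[(y >> sh) & 0xFF] << sh
    return out

def masked_key_expansion(key, rng=secrets.token_bytes):
    """Steps S1.1-S1.3: first-order masked key schedule under one fixed 128-bit mask.
    Returns the 32 unmasked round keys (rk_1..rk_32 in the page's numbering)."""
    r = [int.from_bytes(rng(4), "big") for _ in range(4)]         # r0..r3, constant for all rounds
    k = [int.from_bytes(key[4 * j:4 * j + 4], "big") ^ FK[j] for j in range(4)]
    reg = [k[j] ^ r[j] for j in range(4)]                          # S1.1: Reg_j = kin_j ^ r_j
    m_in = r[1] ^ r[2] ^ r[3]                                      # mask carried by Reg1 ^ Reg2 ^ Reg3
    m_out = tau(m_in)                                              # MS output mask S(r1 ^ r2 ^ r3), as in claim 1
    rks = []
    for i in range(32):                                            # S1.2
        y = reg[1] ^ reg[2] ^ reg[3] ^ CK[i]
        x = reg[0] ^ L_prime(MS(y, m_in, m_out))                   # x carries r0 ^ L'(S(r1 ^ r2 ^ r3))
        reg = [reg[1] ^ r[1] ^ r[0],                               # C0: re-mask r1 -> r0
               reg[2] ^ r[2] ^ r[1],                               # C1: r2 -> r1
               reg[3] ^ r[3] ^ r[2],                               # C2: r3 -> r2
               x ^ L_prime(m_out) ^ r[0] ^ r[3]]                   # C3: strip r0 and L'(S(..)), leave r3
        rks.append(reg[3] ^ r[3])                                  # S1.3: remove the mask from the new word
    return rks

def masked_crypt(block, rks, rng=secrets.token_bytes):
    """Steps S2.1-S2.3: 32 rounds, each under a fresh 128-bit mask r_{i+1} drawn from rng.
    Encrypts with rks in order; the same function decrypts with rks reversed."""
    a = [int.from_bytes(block[4 * j:4 * j + 4], "big") for j in range(4)]
    r = [int.from_bytes(rng(4), "big") for _ in range(4)]          # r_1 = (r0_1, r1_1, r2_1, r3_1)
    reg = [a[j] ^ r[j] for j in range(4)]                          # S2.1: Reg_j = din_j ^ r_j
    for i in range(32):                                            # S2.2
        rn = [int.from_bytes(rng(4), "big") for _ in range(4)]     # r_{i+1}: next round's mask
        y = reg[1] ^ reg[2] ^ reg[3] ^ rks[i]                      # masked by r1_i ^ r2_i ^ r3_i
        x = reg[0] ^ L(MS(y, r[1] ^ r[2] ^ r[3], rn[3]))           # MS moves the mask to r3_{i+1}
        reg = [reg[1] ^ r[1] ^ rn[0],                              # C0: r1_i -> r0_{i+1}
               reg[2] ^ r[2] ^ rn[1],                              # C1: r2_i -> r1_{i+1}
               reg[3] ^ r[3] ^ rn[2],                              # C2: r3_i -> r2_{i+1}
               x ^ L(rn[3]) ^ r[0] ^ rn[3]]                        # C3: strip r0_i and L(r3_{i+1}), leave r3_{i+1}
        r = rn
    words = [reg[j] ^ r[j] for j in range(4)]                      # S2.3: remove the final mask
    return b"".join(w.to_bytes(4, "big") for w in reversed(words))  # SM4 reverses the word order on output

def sm4_encrypt(key, block):
    return masked_crypt(block, masked_key_expansion(key))

def sm4_decrypt(key, block):
    return masked_crypt(block, masked_key_expansion(key)[::-1])

if __name__ == "__main__":
    k = p = bytes.fromhex("0123456789abcdeffedcba9876543210")     # test vector from the SM4 standard
    c = sm4_encrypt(k, p)
    print(c.hex(), sm4_decrypt(k, c) == p)
```

Running the module encrypts the standard SM4 test vector and checks the round trip; because the masks cancel, the result is the same as for an unmasked implementation, which is exactly the property the compensation transformations exist to guarantee. Note that each register still holds a single Boolean share under one 32-bit mask; the feature the page uses to distinguish its second-order engine from the first-order one is the per-round mask refresh, and a functional model like this shows only that the masks cancel, not how much a hardware implementation leaks.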
Compared with the prior art, the invention has the following advantages:
First, the encryption/decryption engine uses a second-order masking method and can resist simple power analysis, first-order differential power analysis and second-order differential power analysis at the same time; the C transformation of each round ensures that the result of each round equals the unmasked result XORed with the random number of that round, which makes the final mask removal straightforward.
Second, the key expansion engine uses a first-order masking method, which also serves to resist template attacks.
Although the content of the invention has been described in detail through the preferred embodiments above, it should be understood that the above description is not to be taken as limiting the invention. Various modifications and substitutions of the invention will be apparent to those skilled in the art after reading the above. The scope of protection of the invention should therefore be defined by the appended claims.

Claims (3)

1. it is a kind of can resisting energy analysis attacks SM4 methods, it is characterised in that this method is drawn using single order mask cipher key spreading Hold up and cipher key spreading computing is performed to the key of input, export round key and give second order mask crypto-engine, second order mask encryption and decryption Engine performs 32 to the plaintext and round key of input and taken turns after loop iteration computing, exports ciphertext, or second order mask encryption and decryption is drawn Hold up and the ciphertext and round key of input are performed after 32 wheel loop iteration computings, output is in plain text;
Single order mask cipher key spreading engine and second order mask crypto-engine work simultaneously, and single order mask cipher key spreading engine is each Wheel one round key of generation, exports and performs encryption and decryption computing to second order mask crypto-engine;
Described single order mask cipher key spreading engine is performed in cipher key spreading computing to the key of input, 32 wheel loop iteration processes In used 4 Compensation Transformations, 4 Compensation Transformations C0, C1, C2, C3 of single order mask cipher key spreading engine are defined as:
$$
\begin{cases}
C0\big((k1_i \oplus r1),\, r0,\, r1\big) = (k1_i \oplus r1) \oplus r0 \oplus r1 \\
C1\big((k2_i \oplus r2),\, r1,\, r2\big) = (k2_i \oplus r2) \oplus r1 \oplus r2 \\
C2\big((k3_i \oplus r3),\, r2,\, r3\big) = (k3_i \oplus r3) \oplus r2 \oplus r3 \\
C3(x,\, r3,\, r1) = x \oplus r3 \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big) \oplus r1
\end{cases};
$$
where ⊕ denotes bitwise XOR; the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and is kept constant throughout the 32 rounds of loop iteration; the input of the i-th round of loop iteration in the unmasked case is denoted k0_i, k1_i, k2_i, k3_i, i = 1~32; the value after each round's compensation transformations is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with CK_i, and the result is used as the input of the first-order masked S-box transformation MS:
$$
(k1_i \oplus r1) \oplus (k2_i \oplus r2) \oplus (k3_i \oplus r3) \oplus CK_i;
$$
where the value of CK_i is the standard value from the SM4 algorithm specification;
The construction of the MS transformation is expressed by the following formula:
$$
\begin{aligned}
& MS\big((k1_i \oplus r1) \oplus (k2_i \oplus r2) \oplus (k3_i \oplus r3) \oplus CK_i\big) \\
&= S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i) \oplus S(r1 \oplus r2 \oplus r3);
\end{aligned}
$$
The result of the MS transformation is used as the input of the L' transformation:
$$
L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i) \oplus S(r1 \oplus r2 \oplus r3)\big);
$$
The L' transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
$$
\begin{aligned}
& L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i) \oplus S(r1 \oplus r2 \oplus r3)\big) \\
&= L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i)\big) \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big);
\end{aligned}
$$
The value of register Reg0 is XORed with the result of the L' transformation, and the result is used as the input of the compensation transformation C3:
$$
x = L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i)\big) \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big) \oplus (k0_i \oplus r1);
$$
In the 32 rounds of loop iteration that the second-order mask crypto engine performs on the input plaintext or ciphertext and the round keys, 4 compensation transformations are used; the 4 compensation transformations C0, C1, C2, C3 of the second-order mask crypto engine are defined as:
$$
\begin{aligned}
C0\big((a1_i \oplus r1_i),\, r0_{i+1},\, r1_i\big) &= (a1_i \oplus r1_i) \oplus r0_{i+1} \oplus r1_i; \\
C1\big((a2_i \oplus r2_i),\, r1_{i+1},\, r2_i\big) &= (a2_i \oplus r2_i) \oplus r1_{i+1} \oplus r2_i; \\
C2\big((a3_i \oplus r3_i),\, r2_{i+1},\, r3_i\big) &= (a3_i \oplus r3_i) \oplus r2_{i+1} \oplus r3_i; \\
C3(x,\, r3_{i+1},\, r1_i) &= x \oplus r3_{i+1} \oplus L\big(S(r3_{i+1})\big) \oplus r1_i;
\end{aligned}
$$
where the initial value of the i-th round of loop iteration in the unmasked case is denoted a_i and is divided from left to right into 4 words, denoted in turn a0_i, a1_i, a2_i, a3_i; the random number corresponding to the i-th round is r_i, divided from left to right into 4 words, denoted in turn r0_i, r1_i, r2_i, r3_i, i = 1~32; the 32 rounds of loop iteration use different random numbers, i.e. the random number is updated every round; the value after each round's compensation transformations is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with the round key rk_i, and the result is used as the input of the second-order masked S-box transformation MS:
$$
ms\_in = (a1_i \oplus r1_i) \oplus (a2_i \oplus r2_i) \oplus (a3_i \oplus r3_i) \oplus rk_i;
$$
rk_i is the round key of the i-th round;
The construction of the MS transformation is expressed by the following formula:
$$
\begin{aligned}
& MS\big((a1_i \oplus r1_i) \oplus (a2_i \oplus r2_i) \oplus (a3_i \oplus r3_i) \oplus rk_i\big) \\
&= S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i) \oplus S(r3_{i+1});
\end{aligned}
$$
The result of the MS transformation is used as the input of the L transformation:
$$
L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i) \oplus S(r3_{i+1})\big);
$$
The L transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
$$
\begin{aligned}
& L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i) \oplus S(r3_{i+1})\big) \\
&= L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i)\big) \oplus L\big(S(r3_{i+1})\big);
\end{aligned}
$$
The value of register Reg0 is XORed with the result of the L transformation, and the result is used as the input of the compensation transformation C3:
$$
x = L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i)\big) \oplus L\big(S(r3_{i+1})\big) \oplus (a0_i \oplus r1_i).
$$
2. A first-order mask method for SM4 key expansion, characterised in that it comprises the following steps:
Step S1.1: the first-order mask key expansion engine performs a mask-adding XOR operation on the input key and a random number, and the masked value is stored in registers as the initial value of the masked expansion;
Step S1.2: the first-order mask key expansion engine performs 32 rounds of loop iteration on the initial value of the masked expansion, and the masked round key of each round is stored in a register together with the random number;
Step S1.3: a mask-removing XOR operation is performed on the final data in the register and the random number, and the unmasked round key rk_i is output;
In step S1.2, 4 compensation transformations are used during the 32 rounds of loop iteration; the 4 compensation transformations C0, C1, C2, C3 of the first-order mask key expansion engine are defined as:
$$
\begin{cases}
C0\big((k1_i \oplus r1),\, r0,\, r1\big) = (k1_i \oplus r1) \oplus r0 \oplus r1 \\
C1\big((k2_i \oplus r2),\, r1,\, r2\big) = (k2_i \oplus r2) \oplus r1 \oplus r2 \\
C2\big((k3_i \oplus r3),\, r2,\, r3\big) = (k3_i \oplus r3) \oplus r2 \oplus r3 \\
C3(x,\, r3,\, r1) = x \oplus r3 \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big) \oplus r1
\end{cases};
$$
where the 128-bit random number is divided from left to right into 4 parts, denoted r0, r1, r2, r3, and is kept constant throughout the 32 rounds of loop iteration; the input of the i-th round of loop iteration in the unmasked case is denoted k0_i, k1_i, k2_i, k3_i, i = 1~32; the value after each round's compensation transformations is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with CK_i, and the result is used as the input of the first-order masked S-box transformation MS:
$$
(k1_i \oplus r1) \oplus (k2_i \oplus r2) \oplus (k3_i \oplus r3) \oplus CK_i;
$$
where the value of CK_i is the standard value from the SM4 algorithm specification;
The construction of the MS transformation is expressed by the following formula:
$$
\begin{aligned}
& MS\big((k1_i \oplus r1) \oplus (k2_i \oplus r2) \oplus (k3_i \oplus r3) \oplus CK_i\big) \\
&= S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i) \oplus S(r1 \oplus r2 \oplus r3);
\end{aligned}
$$
The result of the MS transformation is used as the input of the L' transformation:
$$
L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i) \oplus S(r1 \oplus r2 \oplus r3)\big);
$$
The L' transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
$$
\begin{aligned}
& L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i) \oplus S(r1 \oplus r2 \oplus r3)\big) \\
&= L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i)\big) \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big);
\end{aligned}
$$
The value of register Reg0 is XORed with the result of the L' transformation, and the result is used as the input of the compensation transformation C3:
$$
x = L'\big(S(k1_i \oplus k2_i \oplus k3_i \oplus CK_i)\big) \oplus L'\big(S(r1 \oplus r2 \oplus r3)\big) \oplus (k0_i \oplus r1);
$$
3. A second-order mask method for an SM4 crypto engine, characterised in that it comprises the following steps:
Step S2.1: the second-order mask crypto engine performs a mask-adding XOR operation on the input plaintext or ciphertext and a random number, and the masked value is stored in registers as the input value of the first round of loop iteration;
Step S2.2: the second-order mask crypto engine performs 32 rounds of loop iteration, and the value after each round's compensation transformations is stored in registers;
Step S2.3: a mask-removing XOR operation is performed on the final data in the registers and the random number, and the unmasked ciphertext or plaintext is output;
In step S2.2, 4 compensation transformations are used during the 32 rounds of loop iteration; the 4 compensation transformations C0, C1, C2, C3 of the second-order mask crypto engine are defined as:
$$
\begin{aligned}
C0\big((a1_i \oplus r1_i),\, r0_{i+1},\, r1_i\big) &= (a1_i \oplus r1_i) \oplus r0_{i+1} \oplus r1_i; \\
C1\big((a2_i \oplus r2_i),\, r1_{i+1},\, r2_i\big) &= (a2_i \oplus r2_i) \oplus r1_{i+1} \oplus r2_i; \\
C2\big((a3_i \oplus r3_i),\, r2_{i+1},\, r3_i\big) &= (a3_i \oplus r3_i) \oplus r2_{i+1} \oplus r3_i; \\
C3(x,\, r3_{i+1},\, r1_i) &= x \oplus r3_{i+1} \oplus L\big(S(r3_{i+1})\big) \oplus r1_i;
\end{aligned}
$$
where the initial value of the i-th round of loop iteration in the unmasked case is denoted a_i and is divided from left to right into 4 words, denoted in turn a0_i, a1_i, a2_i, a3_i; the random number corresponding to the i-th round is r_i, divided from left to right into 4 words, denoted in turn r0_i, r1_i, r2_i, r3_i, i = 1~32; the 32 rounds of loop iteration use different random numbers, i.e. the random number is updated every round; the value after each round's compensation transformations is stored in the four 32-bit registers Reg0, Reg1, Reg2, Reg3;
The values in register Reg1, register Reg2 and register Reg3 are XORed with the round key rk_i, and the result is used as the input of the second-order masked S-box transformation MS:
$$
ms\_in = (a1_i \oplus r1_i) \oplus (a2_i \oplus r2_i) \oplus (a3_i \oplus r3_i) \oplus rk_i;
$$
rk_i is the round key of the i-th round;
The construction of the MS transformation is expressed by the following formula:
$$
\begin{aligned}
& MS\big((a1_i \oplus r1_i) \oplus (a2_i \oplus r2_i) \oplus (a3_i \oplus r3_i) \oplus rk_i\big) \\
&= S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i) \oplus S(r3_{i+1});
\end{aligned}
$$
The result of the MS transformation is used as the input of the L transformation:
$$
L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i) \oplus S(r3_{i+1})\big);
$$
The L transformation is the linear transformation specified in the SM4 algorithm specification, and its construction is expressed by the following formula:
$$
\begin{aligned}
& L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i) \oplus S(r3_{i+1})\big) \\
&= L\big(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i)\big) \oplus L\big(S(r3_{i+1})\big);
\end{aligned}
$$
The value of register Reg0 is XORed with the result of the L transformation, and the result is used as the input of the compensation transformation C3:
$$x = L\bigl(S(a1_i \oplus a2_i \oplus a3_i \oplus rk_i)\bigr) \oplus L\bigl(S(r3_{i+1})\bigr) \oplus (a0_i \oplus r1_i). \qquad (4)$$
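The expansion above rests on one property: the SM4 linear transform L commutes with XOR, so a Boolean mask that enters L leaves it as the known value L(mask), which a later compensation step can strip, while the substitution layer S does not commute with XOR and therefore has to be handled with a masked table. The following Python is an added illustration of that property, not code from the patent. The definition of L is the one from the SM4 standard; the byte-wise S-box is a constructed cube-map placeholder (not the SM4 S-box), and the names `masked_T`, `r_in`, `r_out` and the single-byte-per-lane mask layout are assumptions made for the example.

```python
# Added example (not from the patent): the SM4 linear transform L, why its
# linearity lets a Boolean mask be tracked through the round function, and why
# the substitution layer needs a masked table instead.

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """32-bit left rotation."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def sm4_L(b: int) -> int:
    """Linear transform L of the SM4 round function (GB/T 32907-2016):
    L(B) = B ^ (B<<<2) ^ (B<<<10) ^ (B<<<18) ^ (B<<<24)."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)


# Constructed placeholder for the 8-bit S-box (NOT the real SM4 S-box):
# x -> x^3 mod 257 is a non-linear bijection on 0..255 (256 maps to itself
# and is excluded), which is all the demonstration needs.
TOY_SBOX = [pow(x, 3, 257) for x in range(256)]


def tau(word: int, sbox=TOY_SBOX) -> int:
    """Apply an 8-bit S-box to each byte of a 32-bit word."""
    out = 0
    for shift in (24, 16, 8, 0):
        out |= sbox[(word >> shift) & 0xFF] << shift
    return out


def masked_sbox_table(sbox, r_in: int, r_out: int):
    """Masked S-box MS with MS(x ^ r_in) = S(x) ^ r_out for every byte x.
    A masked implementation looks this table up instead of S itself."""
    return [sbox[i ^ r_in] ^ r_out for i in range(256)]


def l_commutes_with_xor(a: int, m: int) -> bool:
    """True for every a, m: L(a ^ m) == L(a) ^ L(m), i.e. L is linear."""
    return sm4_L(a ^ m) == sm4_L(a) ^ sm4_L(m)


def tau_commutes_with_xor(a: int, m: int) -> bool:
    """Same test for the substitution layer; fails for almost all a, m,
    which is why the S-box cannot simply be applied to a masked value."""
    return tau(a ^ m) == tau(a) ^ tau(m)


def masked_T(x_masked: int, r_in: int, r_out: int) -> tuple:
    """Masked round function T' (assumed layout: one input mask byte r_in and
    one output mask byte r_out repeated in every byte lane).  Returns the
    masked result L(tau(x)) ^ L(r_out_word) and the compensation term
    L(r_out_word), which is derived from the mask alone, never from x."""
    ms = masked_sbox_table(TOY_SBOX, r_in, r_out)
    y_masked = sm4_L(tau(x_masked, ms))   # = L(tau(x) ^ r_out_word)
    r_out_word = r_out * 0x01010101
    compensation = sm4_L(r_out_word)      # linearity: L(a ^ r) = L(a) ^ L(r)
    return y_masked, compensation


def check_masked_T(x: int, r_in: int, r_out: int) -> bool:
    """Unmask after L and compare with the plain round function on x."""
    r_in_word = r_in * 0x01010101
    y_masked, comp = masked_T(x ^ r_in_word, r_in, r_out)
    return (y_masked ^ comp) == sm4_L(tau(x))


if __name__ == "__main__":
    print("L linear:", l_commutes_with_xor(0x12345678, 0x9ABCDEF0))
    print("S linear:", tau_commutes_with_xor(0x01010101, 0x02020202))
    print("masked T unmasks correctly:", check_masked_T(0x0123ABCD, 0x5A, 0xC3))
```

The point for a hardware or software implementer is the one formula (4) exploits: the unmasked S-box output never exists inside `masked_T`, yet after L the mask contribution is a fixed, data-independent word that the compensation transform can cancel.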
Application CN201410704525.3A (priority date 2014-11-26, filing date 2014-11-26): An SM4 method capable of resisting energy analysis attacks; status Active; granted publication CN104333447B (en)
Publications (2)

Publication Number Publication Date
CN104333447A CN104333447A (en) 2015-02-04
CN104333447B true CN104333447B (en) 2017-10-10

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address
Address after: 200233 Room 704, Building 2, No. 2570 Hechuan Road, Minhang District, Shanghai
Patentee after: Shanghai Hangxin Electronic Technology Co.,Ltd.
Address before: 200241, building 6, building 555, No. 8, Dongchuan Road, Shanghai, Minhang District
Patentee before: SHANGHAI AISINOCHIP ELECTRONIC TECHNOLOGY Co.,Ltd.