CN107623566B - SM4 white-box implementation method based on non-linear transformations - Google Patents

SM4 white-box implementation method based on non-linear transformations

Info

Publication number: CN107623566B
Application number: CN201610555295.8A
Authority: CN (China)
Other versions: CN107623566A (zh)
Other languages: English (en)
Inventors: 范修斌, 白琨鹏
Original and current assignee: Qingdao Bowenguangcheng Information Security Technology Co ltd
Legal status: Active (granted)
Prior art keywords: box, bit, round, white, operator

Abstract

White-box technology refers to the technique of protecting the key of a cryptographic algorithm by implementing the algorithm through table lookups. This invention presents an SM4 white-box implementation method based on non-linear transformations. The invention belongs to the field of information security technology and concerns cryptographic algorithms. The SM4 white-box implementation method based on non-linear transformations is built from three basic operators, the D box, the R box and the X box, called the state transformation operator, the key protection operator and the XOR operator respectively. The invention gives the detailed steps of the method together with a security analysis.

Description

SM4 white-box implementation method based on non-linear transformations
Technical field
The invention belongs to the field of information security technology and concerns methods for implementing cryptographic algorithms.
Background
White-box technology refers to the technique of protecting the key of a cryptographic algorithm by implementing the algorithm through table lookups. It provides a way to deploy crypt­ographic software securely when the end user has no dedicated hardware medium for protecting the key. Its main field of application is digital rights management: the user is allowed to run the cryptographic software on the device, but an illegitimate user is prevented from recovering and redistributing the algorithm's key for profit. The technique can also resist power-analysis attacks. White-box technology is therefore of considerable practical importance. SM4 white-box implementations based on affine transformations have already been developed; this invention presents an SM4 white-box implementation based on non-linear transformations.
Summary of the invention
The SM4 white-box implementation based on non-linear transformations uses three basic operators, the D box, the R box and the X box, called the state transformation operator, the key protection operator and the XOR operator respectively. The D, R and X boxes are introduced first, followed by the description of the SM4 white-box implementation method based on non-linear transformations.
D box:
The D box operator applies a state transformation to the 32-bit input of the current round and is defined as follows:
Figure GSB0000199182040000011
where:
(1) $D_{r,i,j}$ is an operator with 8 input bits and 32 output bits; it acts from the left, i.e. $D_{r,i,j}$ acts as
Figure GSB0000199182040000013
(2) $r = 1, 2, \dots, 32$ is the current round number; $i, j = 0, 1, 2, 3$, where $i$, the position parameter of the input word, increases from right to left, and $j$, the position parameter of the input split (byte), increases from left to right;
(3) PD and PX are randomly chosen invertible non-linear transformations on 4 bits;
(4)
Figure GSB0000199182040000012
(5) MB is a randomly chosen invertible $32 \times 32$ linear transformation over GF(2), and mb is a randomly chosen invertible $8 \times 8$ linear transformation over GF(2).
R box:
The R box is the key protection operator, defined as follows:
Figure GSB0000199182040000021
where:
(1) $R_{r,j}$ is an operator with 16 input bits and 32 output bits; it acts from the left, i.e. $R_{r,j}$ acts as
Figure GSB0000199182040000022
Figure GSB0000199182040000023
increasing from left to right;
(2)
Figure GSB0000199182040000024
(3)
Figure GSB0000199182040000025
(4)
Figure GSB0000199182040000026
(5) $k_r$ is the 32-bit round key of round $r$ of the standard SM4 algorithm, and $k_{r,j}$ is the $j$-th byte of $k_r$;
(6) S is the 8-bit S-box of the standard SM4 round function, M is the 32-bit linear transformation of the standard SM4 round function generated by cyclic shifts, and $M_j$ is the $j$-th $32 \times 8$ sub-transformation of M, with $M = (M_0, M_1, M_2, M_3)$;
(7) MB is the same MB as in the D box;
(8) PR is a randomly chosen invertible non-linear transformation on 4 bits.
X box:
The X box connects the D boxes and the R boxes and implements the XOR operation: it takes two 4-bit values as input and outputs a new 4-bit value. There are two kinds of X box, X0 and X1, defined as follows:
Figure GSB0000199182040000027
Figure GSB0000199182040000028
where:
(1) $sid = 0, 1$;
(2) for X0, $nib = 0, 1$;
(3) for X1, $nib = 0, 1, \dots, 7$.
Per-round computation of the SM4 white-box implementation based on non-linear transformations:
The SM4 white-box encryption/decryption based on non-linear transformations has 32 rounds; each round needs 16 D boxes, 4 R boxes and 136 X boxes. Below, the X0 and X1 boxes are written $X^0_{\dots}$ and $X^1_{\dots}$ with their indices as subscripts. Round $r$ takes as input the four 32-bit values
$(x'_{r+2}, x'_{r+1}, x'_r, x'_{r-1}) = (E_{r+2}(x_{r+2}), E_{r+1}(x_{r+1}), E_r(x_r), E_{r-1}(x_{r-1}))$
where:
(a)
Figure GSB0000199182040000031
Figure GSB0000199182040000032
(b) $l = r-1, r, r+1, r+2$ and $r = 1, 2, \dots, 32$;
(c) $x_l$ is an intermediate value of the standard SM4 algorithm,
and computes a new 32-bit value $x'_{r+3} = E_{r+3}(x_{r+3})$. The computation steps of each round are as follows:
(1) $s_{r,0} \leftarrow D_{r,1,0}(x'_{r,0})$, $s_{r,1} \leftarrow D_{r,1,2}(x'_{r,2})$;
(2) $s_{r,0} \leftarrow (X^0_{r,0,0,0,0}, X^0_{r,0,0,1,0}, \dots, X^0_{r,0,3,0,0}, X^0_{r,0,3,1,0})(s_{r,0}, D_{r,1,1}(x'_{r,1}))$;
Note: $s_{r,0} = (s_{r,0,0}, \dots, s_{r,0,7})$ and $D_{r,1,1}(x'_{r,1}) = ((D_{r,1,1}(x'_{r,1}))_0, \dots, (D_{r,1,1}(x'_{r,1}))_7)$, where $t = 0, 1, \dots, 7$ indexes these 4-bit components.
For $t = 0$, $X^0_{r,0,0,0,0}$ acts as:
Figure GSB0000199182040000033
For $1 \le t \le 7$ the action is the same as for $t = 0$.
(3) $s_{r,0} \leftarrow (X^0_{r,0,0,0,1}, X^0_{r,0,0,1,1}, \dots, X^0_{r,0,3,0,1}, X^0_{r,0,3,1,1})(s_{r,0}, D_{r,2,0}(x'_{r+1,0}))$;
(4) $s_{r,0} \leftarrow (X^0_{r,0,0,0,2}, X^0_{r,0,0,1,2}, \dots, X^0_{r,0,3,0,2}, X^0_{r,0,3,1,2})(s_{r,0}, D_{r,2,1}(x'_{r+1,1}))$;
(5) $s_{r,0} \leftarrow (X^0_{r,0,0,0,3}, X^0_{r,0,0,1,3}, \dots, X^0_{r,0,3,0,3}, X^0_{r,0,3,1,3})(s_{r,0}, D_{r,3,0}(x'_{r+2,0}))$;
(6) $s_{r,0} \leftarrow (X^0_{r,0,0,0,4}, X^0_{r,0,0,1,4}, \dots, X^0_{r,0,3,0,4}, X^0_{r,0,3,1,4})(s_{r,0}, D_{r,3,1}(x'_{r+2,1}))$;
(7) $s_{r,1} \leftarrow (X^0_{r,1,0,0,0}, X^0_{r,1,0,1,0}, \dots, X^0_{r,1,3,0,0}, X^0_{r,1,3,1,0})(s_{r,1}, D_{r,1,3}(x'_{r,3}))$;
(8) $s_{r,1} \leftarrow (X^0_{r,1,0,0,1}, X^0_{r,1,0,1,1}, \dots, X^0_{r,1,3,0,1}, X^0_{r,1,3,1,1})(s_{r,1}, D_{r,2,2}(x'_{r+1,2}))$;
(9) $s_{r,1} \leftarrow (X^0_{r,1,0,0,2}, X^0_{r,1,0,1,2}, \dots, X^0_{r,1,3,0,2}, X^0_{r,1,3,1,2})(s_{r,1}, D_{r,2,3}(x'_{r+1,3}))$;
(10) $s_{r,1} \leftarrow (X^0_{r,1,0,0,3}, X^0_{r,1,0,1,3}, \dots, X^0_{r,1,3,0,3}, X^0_{r,1,3,1,3})(s_{r,1}, D_{r,3,2}(x'_{r+2,2}))$;
(11) $s_{r,1} \leftarrow (X^0_{r,1,0,0,4}, X^0_{r,1,0,1,4}, \dots, X^0_{r,1,3,0,4}, X^0_{r,1,3,1,4})(s_{r,1}, D_{r,3,3}(x'_{r+2,3}))$;
(12) $x'_{r+3} \leftarrow D_{r,0,0}(x'_{r-1,0})$;
(13) $x'_{r+3} \leftarrow (X^1_{r,0,0}, \dots, X^1_{r,0,7})(x'_{r+3}, D_{r,0,1}(x'_{r-1,1}))$;
(14) $x'_{r+3} \leftarrow (X^1_{r,1,0}, \dots, X^1_{r,1,7})(x'_{r+3}, D_{r,0,2}(x'_{r-1,2}))$;
(15) $x'_{r+3} \leftarrow (X^1_{r,2,0}, \dots, X^1_{r,2,7})(x'_{r+3}, D_{r,0,3}(x'_{r-1,3}))$;
(16) $x'_{r+3} \leftarrow (X^1_{r,3,0}, \dots, X^1_{r,3,7})(x'_{r+3}, R_{r,0}(s_{r,0,0}, s_{r,1,0}))$;
(17) $x'_{r+3} \leftarrow (X^1_{r,4,0}, \dots, X^1_{r,4,7})(x'_{r+3}, R_{r,1}(s_{r,0,1}, s_{r,1,1}))$;
(18) $x'_{r+3} \leftarrow (X^1_{r,5,0}, \dots, X^1_{r,5,7})(x'_{r+3}, R_{r,2}(s_{r,0,2}, s_{r,1,2}))$;
(19) $x'_{r+3} \leftarrow (X^1_{r,6,0}, \dots, X^1_{r,6,7})(x'_{r+3}, R_{r,3}(s_{r,0,3}, s_{r,1,3}))$;
where:
(1) $x'_{l,j}$ is the $j$-th byte of $x'_l$;
(2) $s_{r,sid}$ is a 32-bit intermediate value;
(3) $s_{r,sid,j}$ is the $j$-th byte of $s_{r,sid}$.
The whole SM4 white-box implementation takes $(x'_3, x'_2, x'_1, x'_0)$ as input and, after 32 rounds of transformation, outputs $(x'_{35}, x'_{34}, x'_{33}, x'_{32})$; the transformations $E_3, E_2, E_1, E_0, E_{35}, E_{34}, E_{33}, E_{32}$ and their inverses must be protected.
Security of the SM4 white-box implementation based on non-linear transformations:
The main idea of the existing attacks, the BGE attack [1], the MGH attack [2], the MRP attack [3], the LR attack [4] and the LL attack [5], is first to compose lookup tables so as to cancel the large linear transformations embedded in them, which lowers the difficulty of the analysis, and then to reduce the non-linear transformations to affine ones, set up affine-equivalence equations and solve for affine equivalences in order to recover the transformations embedded in the tables. The SM4 white-box implementation of this invention is designed to resist these existing white-box attacks, and the following security conclusion holds for it.
Proposition 1. The SM4 white-box implementation based on non-linear transformations resists the existing attacks based on affine equivalence.
Proof. If the D boxes, R boxes and X boxes of one round are composed, the whole composition is protected externally by a 32-bit transformation, so the affine equivalence to be recovered is a 32-bit one. The SM4 white-box implementation of this invention therefore resists the existing white-box attacks based on affine equivalence. This completes the proof.
References
[1] Billet O, Gilbert H, Ech-Chatbi C. Cryptanalysis of a White Box AES Implementation. Selected Areas in Cryptography (SAC 2004), Springer-Verlag, 2004: 227-240.
[2] Michiels W, Gorissen P, Hollmann H D L. Cryptanalysis of a Generic Class of White-Box Implementations. Selected Areas in Cryptography, SAC 2008, Sackville, New Brunswick, Canada, August 14-15, 2008, Revised Selected Papers: 414-428.
[3] De Mulder Y, Roelse P, Preneel B. Cryptanalysis of the Xiao-Lai White-Box AES Implementation. Selected Areas in Cryptography (SAC 2012), Springer Berlin Heidelberg, 2012: 34-49.
[4] Lepoint T, Rivain M, De Mulder Y, et al. Two Attacks on a White-Box AES Implementation. Selected Areas in Cryptography, SAC 2013, Springer Berlin Heidelberg, 2013: 265-285.
[5] 林婷婷, 来学嘉. 对白盒SMS4实现的一种有效攻击 (An effective attack on a white-box SMS4 implementation). 软件学报 (Journal of Software), 2013, 24(9): 2238-2249.

Claims (1)

1. An SM4 white-box implementation method based on non-linear transformations, characterized in that: the SM4 white-box encryption/decryption has 32 rounds; each round needs 16 D boxes, 4 R boxes and 136 X boxes;
where the D box is a lookup table that applies a state transformation to the 32-bit input of each round, defined as follows:
Figure FSB0000199182030000011
where:
(1) $D_{r,i,j}$ is an operator with 8 input bits and 32 output bits; it acts from the left, i.e. $D_{r,i,j}$ acts as
Figure FSB0000199182030000012
(2) $r = 1, 2, \dots, 32$ is the current round number; $i, j = 0, 1, 2, 3$, where $i$, the position parameter of the input word, increases from right to left, and $j$, the position parameter of the input split (byte), increases from left to right;
(3) PD and PX are randomly chosen invertible non-linear transformations on 4 bits;
(4)
Figure FSB0000199182030000013
(5) $MB_{r+i-1}$ is a randomly chosen invertible $32 \times 32$ linear transformation over GF(2),
Figure FSB0000199182030000014
is the inverse of $MB_{r+i-1}$,
Figure FSB0000199182030000015
is the $j$-th $32 \times 8$ sub-transformation of
Figure FSB0000199182030000016
and mb is a randomly chosen invertible $8 \times 8$ linear transformation over GF(2);
the R box is a lookup table used for key protection, defined as follows:
Figure FSB0000199182030000017
where:
(1) $R_{r,j}$ is an operator with 16 input bits and 32 output bits; it acts from the left, i.e. $R_{r,j}$ acts as
Figure FSB0000199182030000018
Figure FSB0000199182030000019
increasing from left to right;
(2)
Figure FSB00001991820300000110
(3)
Figure FSB00001991820300000111
(4) XOR(x) is an operator acting from the left: for a value $y$ of the same length as $x$,
Figure FSB00001991820300000112
where
Figure FSB00001991820300000113
denotes bitwise XOR;
(5) $k_r$ is the 32-bit round key of round $r$ of the standard SM4 algorithm, and $k_{r,j}$ is the $j$-th byte of $k_r$;
(6) S is the 8-bit S-box of the standard SM4 round function, M is the 32-bit linear transformation of the standard SM4 round function generated by cyclic shifts, and $M_j$ is the $j$-th $32 \times 8$ sub-transformation of M, with $M = (M_0, M_1, M_2, M_3)$;
(7) MB is the same MB as in the D box;
(8) PR is a randomly chosen invertible non-linear transformation on 4 bits;
the X box is a lookup table that connects the D boxes and the R boxes and implements the XOR operation: it takes two 4-bit values as input and outputs a new 4-bit value; there are two kinds of X box, X0 and X1 (written $X^0_{\dots}$ and $X^1_{\dots}$ below, with their indices as subscripts), defined as follows:
Figure FSB0000199182030000021
Figure FSB0000199182030000022
where:
(1) $sid = 0, 1$;
(2) for X0, $nib = 0, 1$;
(3) for X1, $nib = 0, 1, \dots, 7$;
the whole SM4 white-box implementation takes $(x'_3, x'_2, x'_1, x'_0)$ as input and, after 32 rounds of transformation, outputs $(x'_{35}, x'_{34}, x'_{33}, x'_{32})$; the transformations $E_3, E_2, E_1, E_0, E_{35}, E_{34}, E_{33}, E_{32}$ and their inverses must be protected:
round $r$ takes as input the four 32-bit values
$(x'_{r+2}, x'_{r+1}, x'_r, x'_{r-1}) = (E_{r+2}(x_{r+2}), E_{r+1}(x_{r+1}), E_r(x_r), E_{r-1}(x_{r-1}))$
where:
(a)
Figure FSB0000199182030000023
$PX_{1,l,6,2t}, PX_{1,l,6,2t+1}$ with $t = 0, 1, 2, 3$ are randomly chosen invertible non-linear transformations on 4 bits; $MB_l$ is a randomly chosen invertible $32 \times 32$ linear transformation over GF(2);
(b) $l = r-1, r, r+1, r+2$ and $r = 1, 2, \dots, 32$;
(c) $x_l$ is an intermediate value of the standard SM4 algorithm;
and computes a new 32-bit value $x'_{r+3} = E_{r+3}(x_{r+3})$; the computation steps of each round are as follows:
(1) $s_{r,0} \leftarrow D_{r,1,0}(x'_{r,0})$, $s_{r,1} \leftarrow D_{r,1,2}(x'_{r,2})$;
(2) $s_{r,0} \leftarrow (X^0_{r,0,0,0,0}, X^0_{r,0,0,1,0}, \dots, X^0_{r,0,3,0,0}, X^0_{r,0,3,1,0})(s_{r,0}, D_{r,1,1}(x'_{r,1}))$; note: $s_{r,0} = (s_{r,0,0}, \dots, s_{r,0,7})$ and $D_{r,1,1}(x'_{r,1}) = ((D_{r,1,1}(x'_{r,1}))_0, \dots, (D_{r,1,1}(x'_{r,1}))_7)$, where $t = 0, 1, \dots, 7$ indexes these 4-bit components;
(3) $s_{r,0} \leftarrow (X^0_{r,0,0,0,1}, X^0_{r,0,0,1,1}, \dots, X^0_{r,0,3,0,1}, X^0_{r,0,3,1,1})(s_{r,0}, D_{r,2,0}(x'_{r+1,0}))$;
(4) $s_{r,0} \leftarrow (X^0_{r,0,0,0,2}, X^0_{r,0,0,1,2}, \dots, X^0_{r,0,3,0,2}, X^0_{r,0,3,1,2})(s_{r,0}, D_{r,2,1}(x'_{r+1,1}))$;
(5) $s_{r,0} \leftarrow (X^0_{r,0,0,0,3}, X^0_{r,0,0,1,3}, \dots, X^0_{r,0,3,0,3}, X^0_{r,0,3,1,3})(s_{r,0}, D_{r,3,0}(x'_{r+2,0}))$;
(6) $s_{r,0} \leftarrow (X^0_{r,0,0,0,4}, X^0_{r,0,0,1,4}, \dots, X^0_{r,0,3,0,4}, X^0_{r,0,3,1,4})(s_{r,0}, D_{r,3,1}(x'_{r+2,1}))$;
(7) $s_{r,1} \leftarrow (X^0_{r,1,0,0,0}, X^0_{r,1,0,1,0}, \dots, X^0_{r,1,3,0,0}, X^0_{r,1,3,1,0})(s_{r,1}, D_{r,1,3}(x'_{r,3}))$;
(8) $s_{r,1} \leftarrow (X^0_{r,1,0,0,1}, X^0_{r,1,0,1,1}, \dots, X^0_{r,1,3,0,1}, X^0_{r,1,3,1,1})(s_{r,1}, D_{r,2,2}(x'_{r+1,2}))$;
(9) $s_{r,1} \leftarrow (X^0_{r,1,0,0,2}, X^0_{r,1,0,1,2}, \dots, X^0_{r,1,3,0,2}, X^0_{r,1,3,1,2})(s_{r,1}, D_{r,2,3}(x'_{r+1,3}))$;
(10) $s_{r,1} \leftarrow (X^0_{r,1,0,0,3}, X^0_{r,1,0,1,3}, \dots, X^0_{r,1,3,0,3}, X^0_{r,1,3,1,3})(s_{r,1}, D_{r,3,2}(x'_{r+2,2}))$;
(11) $s_{r,1} \leftarrow (X^0_{r,1,0,0,4}, X^0_{r,1,0,1,4}, \dots, X^0_{r,1,3,0,4}, X^0_{r,1,3,1,4})(s_{r,1}, D_{r,3,3}(x'_{r+2,3}))$;
(12) $x'_{r+3} \leftarrow D_{r,0,0}(x'_{r-1,0})$;
(13) $x'_{r+3} \leftarrow (X^1_{r,0,0}, \dots, X^1_{r,0,7})(x'_{r+3}, D_{r,0,1}(x'_{r-1,1}))$;
(14) $x'_{r+3} \leftarrow (X^1_{r,1,0}, \dots, X^1_{r,1,7})(x'_{r+3}, D_{r,0,2}(x'_{r-1,2}))$;
(15) $x'_{r+3} \leftarrow (X^1_{r,2,0}, \dots, X^1_{r,2,7})(x'_{r+3}, D_{r,0,3}(x'_{r-1,3}))$;
(16) $x'_{r+3} \leftarrow (X^1_{r,3,0}, \dots, X^1_{r,3,7})(x'_{r+3}, R_{r,0}(s_{r,0,0}, s_{r,1,0}))$;
(17) $x'_{r+3} \leftarrow (X^1_{r,4,0}, \dots, X^1_{r,4,7})(x'_{r+3}, R_{r,1}(s_{r,0,1}, s_{r,1,1}))$;
(18) $x'_{r+3} \leftarrow (X^1_{r,5,0}, \dots, X^1_{r,5,7})(x'_{r+3}, R_{r,2}(s_{r,0,2}, s_{r,1,2}))$;
(19) $x'_{r+3} \leftarrow (X^1_{r,6,0}, \dots, X^1_{r,6,7})(x'_{r+3}, R_{r,3}(s_{r,0,3}, s_{r,1,3}))$;
where the letters D, R and X denote the D box, the R box and the X box, and:
(1) $x'_{l,j}$ is the $j$-th byte of $x'_l$;
(2) $s_{r,sid}$ is a 32-bit intermediate value;
(3) $s_{r,sid,j}$ is the $j$-th byte of $s_{r,sid}$.
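The per-round procedure, steps (1) to (19) in the Description and the identical steps in Claim 1, can be checked end to end with a small table generator. The Python below is an added example written for this page; it is not code from the patent or its assignee. It builds the 16 D boxes, 4 R boxes and 136 X boxes of one round under randomly chosen nibble-wise non-linear encodings and a random invertible 32×32 GF(2) matrix per state word, evaluates the round purely by table lookups in the order of steps (1) to (19), and verifies that decoding the output gives the standard SM4 round function applied to the decoded inputs. Everything the page leaves open is an assumption here: the state encoding is taken as $E_l = P_l \circ MB_l$ (nibble bijections applied after the matrix), every D, R and X box output carries its own fresh nibble encoding, the 8×8 byte mixing mb is omitted, and the round key is a constructed random value rather than the output of the SM4 key schedule. The encodings come from a seeded `random.Random` so the run is reproducible; real table generation must draw them from a CSPRNG. The function names (`build_round`, `run_round`, `whitebox_round_matches` and the helpers) are this example's own.

```python
# Added example (not the patent's code): one white-box SM4 round built from D, R and X lookup
# tables under random nibble-wise non-linear encodings, checked against the plain SM4 round.
import random
# Standard SM4 S-box, 16 bytes per row.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
def L(b):  # the linear transform M of the SM4 round function
    r = lambda n: ((b << n) | (b >> (32 - n))) & 0xFFFFFFFF
    return b ^ r(2) ^ r(10) ^ r(18) ^ r(24)

def sm4_round(x0, x1, x2, x3, rk):  # x_{r+3} = x_{r-1} ^ M(S(x_r ^ x_{r+1} ^ x_{r+2} ^ k_r))
    return x0 ^ L(int.from_bytes(bytes(SBOX[c] for c in (x1 ^ x2 ^ x3 ^ rk).to_bytes(4, "big")), "big"))

# GF(2) linear algebra: a matrix is a list of row bitmasks and (A.v)_i = parity(rows[i] & v).
def gf2_mul(rows, v): return sum((bin(rows[i] & v).count("1") & 1) << i for i in range(len(rows)))
def gf2_inverse(rows, n):  # Gauss-Jordan on [A | I]; returns None when A is singular
    aug = [rows[i] | (1 << (n + i)) for i in range(n)]
    for c in range(n):
        p = next((r for r in range(c, n) if (aug[r] >> c) & 1), None)
        if p is None: return None
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(n):
            if r != c and (aug[r] >> c) & 1: aug[r] ^= aug[c]
    return [a >> n for a in aug]

# Nibble-wise non-linear encodings (the P* transforms): one random 4-bit bijection per nibble.
# Nibble 0 is the least significant nibble of a word; byte j = 0..3 counts from the left.
def rand_enc(rng): return [rng.sample(range(16), 16) for _ in range(8)]
def inv_enc(enc): return [[p.index(v) for v in range(16)] for p in enc]
def apply_enc(enc, x): return sum(enc[n][(x >> 4 * n) & 15] << 4 * n for n in range(8))
def new_state_encoding(rng):  # E_l = P_l o MB_l with MB_l a random invertible 32x32 matrix
    while True:
        mb = [rng.getrandbits(32) for _ in range(32)]
        if (inv := gf2_inverse(mb, 32)) is not None: return mb, inv, rand_enc(rng)
def encode_word(e, x): return apply_enc(e[2], gf2_mul(e[0], x))
def decode_word(e, y): return gf2_mul(e[1], apply_enc(inv_enc(e[2]), y))

def xor_box(pa, pb, pout):  # one X box: encoded nibbles (u, v) -> pout(pa^-1(u) ^ pb^-1(v))
    ia, ib = [pa.index(v) for v in range(16)], [pb.index(v) for v in range(16)]
    return [[pout[ia[u] ^ ib[v]] for v in range(16)] for u in range(16)]

def build_round(rng, rk, ein, eout):  # ein[i] encodes x_{r-1+i} (i = 0..3); eout encodes x_{r+3}
    mb_out, _, p_out = eout
    def d_box(i, j):  # 8-in 32-out: strip P from byte j, apply (MB^-1)_j, re-encode under a fresh g
        mb, mb_inv, p = ein[i]
        pinv, hi, lo, g = inv_enc(p), 2 * (3 - j) + 1, 2 * (3 - j), rand_enc(rng)
        parts = (gf2_mul(mb_inv, ((pinv[hi][b >> 4] << 4) | pinv[lo][b & 15]) << 8 * (3 - j)) for b in range(256))
        return [apply_enc(g, gf2_mul(mb_out, v) if i == 0 else v) for v in parts], g  # x_{r-1} feeds x_{r+3}
    def chain(terms, final=None):  # X boxes XORing encoded terms; returns (steps, encoding of the sum)
        acc_enc, steps = terms[0][1], []
        for k, (_, enc) in enumerate(terms[1:]):
            out = final if final and k == len(terms) - 2 else rand_enc(rng)
            steps.append([xor_box(acc_enc[n], enc[n], out[n]) for n in range(8)])
            acc_enc = out
        return steps, acc_enc
    D = [[d_box(i, j) for j in range(4)] for i in range(4)]
    (X0s0, q0), (X0s1, q1) = [chain([D[i][j] for i in (1, 2, 3) for j in (2 * h, 2 * h + 1)]) for h in (0, 1)]
    q0i, q1i = inv_enc(q0), inv_enc(q1)
    def r_box(j):  # 16-in 32-out: byte j of s_0 and s_1 -> key add, S, M_j, MB_{r+3}, encode under g
        hi, lo, kj, g = 2 * (3 - j) + 1, 2 * (3 - j), (rk >> 8 * (3 - j)) & 0xFF, rand_enc(rng)
        inner = [apply_enc(g, gf2_mul(mb_out, L(SBOX[u ^ kj] << 8 * (3 - j)))) for u in range(256)]
        dec0 = [(q0i[hi][a >> 4] << 4) | q0i[lo][a & 15] for a in range(256)]
        dec1 = [(q1i[hi][b >> 4] << 4) | q1i[lo][b & 15] for b in range(256)]
        return [inner[dec0[a] ^ dec1[b]] for a in range(256) for b in range(256)], g
    R = [r_box(j) for j in range(4)]
    X1, _ = chain([D[0][0], D[0][1], D[0][2], D[0][3]] + R, final=p_out)
    return D, R, X0s0, X0s1, X1

def run_round(tables, xin):  # xin = (x'_{r-1}, x'_r, x'_{r+1}, x'_{r+2}), all encoded
    D, R, X0s0, X0s1, X1 = tables
    byte = lambda w, j: (w >> 8 * (3 - j)) & 0xFF
    d = lambda i, j: D[i][j][0][byte(xin[i], j)]
    def fold(acc, steps, terms):
        for boxes, t in zip(steps, terms):
            acc = sum(boxes[n][(acc >> 4 * n) & 15][(t >> 4 * n) & 15] << 4 * n for n in range(8))
        return acc
    s0 = fold(d(1, 0), X0s0, [d(1, 1), d(2, 0), d(2, 1), d(3, 0), d(3, 1)])
    s1 = fold(d(1, 2), X0s1, [d(1, 3), d(2, 2), d(2, 3), d(3, 2), d(3, 3)])
    r = [R[j][0][(byte(s0, j) << 8) | byte(s1, j)] for j in range(4)]
    return fold(d(0, 0), X1, [d(0, 1), d(0, 2), d(0, 3)] + r)

def whitebox_round_matches(seed=1, trials=8):
    rng = random.Random(seed)  # demo only; real tables need a CSPRNG
    encs = [new_state_encoding(rng) for _ in range(5)]  # E_{r-1} .. E_{r+3}
    rk = rng.getrandbits(32)  # constructed round key (no key schedule here)
    tables = build_round(rng, rk, encs[:4], encs[4])
    for _ in range(trials):
        x = [rng.getrandbits(32) for _ in range(4)]
        got = decode_word(encs[4], run_round(tables, [encode_word(encs[i], x[i]) for i in range(4)]))
        if got != sm4_round(*x, rk): return False
    return True

if __name__ == "__main__":
    print("table round matches reference:", whitebox_round_matches())
```

Running the file prints whether the table-driven round agrees with the reference round on random inputs. The four R boxes, at 65536 entries of 32 bits each, dominate the per-round table size. A comparison against the reference round, as done here, catches wiring mistakes in the XOR chains (a wrong byte or nibble order, a term fed into the wrong chain) but says nothing about how the chosen encodings hold up against the attacks listed in the security section; that has to be assessed separately.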
Application CN201610555295.8A, priority date 2016-07-15, filing date 2016-07-15, title: SM4 white-box implementation method based on non-linear transformations; status Active, granted as CN107623566B (zh).

Publications (2)

Publication Number Publication Date
CN107623566A (zh) 2018-01-23
CN107623566B (zh) 2022-09-06 (granted patent)

Family ID: 61087466. Family application: CN201610555295.8A (priority 2016-07-15, filed 2016-07-15), Active. Country status: CN, CN107623566B (zh).

Citations (3)

All cited by examiner. Publication number, priority date, publication date, assignee, title:
CN104868990A, 2015-04-15, 2015-08-26, 成都信息工程学院 (Chengdu University of Information Technology): A template attack method targeting the round output of the SM4 cryptographic algorithm
CN105553638A, 2015-12-07, 2016-05-04, 成都芯安尤里卡信息科技有限公司: A second-order frequency-domain power analysis attack on a first-order masked SM4 implementation
CN105656622A, 2015-04-24, 2016-06-08, 桂林电子科技大学 (Guilin University of Electronic Technology): A non-linear encoding protection method for white-box ciphers combining table lookup with perturbation scrambling

Family Cites Families (6)

All cited by examiner. Publication number, priority date, publication date, assignee, title:
EP2458774A1, 2010-11-24, 2012-05-30, Nagravision S.A.: A method of processing a cryptographic function in obfuscated form
US9838198B2, 2014-03-19, 2017-12-05, Nxp B.V.: Splitting S-boxes in a white-box implementation to resist attacks
EP2940917B1, 2014-04-28, 2019-02-20, Nxp B.V.: Behavioral fingerprint in a white-box implementation
US9513913B2, 2014-07-22, 2016-12-06, Intel Corporation: SM4 acceleration processors, methods, systems, and instructions
CN105591734A, 2015-04-24, 2016-05-18, 桂林电子科技大学 (Guilin University of Electronic Technology): A table-lookup-based non-linear encoding protection method for white-box ciphers
CN105681025B, 2016-01-29, 2019-04-16, 中国科学院信息工程研究所 (Institute of Information Engineering, Chinese Academy of Sciences): A secure white-box implementation method and apparatus for the national cryptographic standard algorithm SM4

Non-Patent Citations (1)

Cited by examiner:
裴超. 一种SM4掩码方法和抗DPA攻击分析 (An SM4 masking method and analysis of its resistance to DPA attacks). 密码学报 (Journal of Cryptologic Research), 2016-02-15, issue 1, full text.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant