CN107623568B - SM4 white box implementation method based on S box dependent on secret key - Google Patents

Publication number: CN107623568B
Authority: CN (China)
Prior art keywords: box, bit, white, round, key
Legal status: Active
Application number: CN201610555791.3A
Other languages: Chinese (zh)
Other versions: CN107623568A (en)
Inventors: 范修斌, 白琨鹏
Current Assignee: Qingdao Bowenguangcheng Information Security Technology Co ltd
Original Assignee: Qingdao Bowenguangcheng Information Security Technology Co ltd

Abstract

The white-box technique protects the key of a cryptographic algorithm by implementing the algorithm as table lookups. The invention provides an SM4 white-box implementation method based on a key-dependent S-box. The invention belongs to the technical field of information security and relates to a cryptographic algorithm. The method is built from two basic operators, the D-box and the R-box. The invention gives a detailed description of the SM4 white-box implementation method based on a key-dependent S-box, together with a security analysis.

Description

SM4 white box implementation method based on S box dependent on secret key
Technical Field
The invention belongs to the technical field of information security, and relates to a method for realizing a cryptographic algorithm.
Background
The white-box technique protects the key of a cryptographic algorithm by implementing the algorithm as table lookups. It provides a way to use cryptographic algorithm software securely when the end user has no dedicated medium to protect the key. The main application field of the white-box technique is digital property protection. The technique allows users to run the cryptographic software on their devices, but prevents unauthorized users from recovering and distributing the key of the cryptographic algorithm for profit. The technique can also resist power analysis attacks. The white-box technique therefore has important practical significance. An SM4 white-box implementation method based on a fixed S-box already exists; the invention provides an SM4 white-box implementation method based on a key-dependent S-box.
Disclosure of Invention
The key-dependent S-box is defined as
Figure GSB0000199182100000011
where $f$ is the inversion operation over $GF(2^8)$ generated by
$g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1$,
Figure GSB0000199182100000012
$\lambda_{r,j}$ is an 8 × 8 invertible linear transformation, $u_{r,j}$ is an 8-bit vector, and $\lambda_{r,j}$, $u_{r,j}$ are generated under key control.
The SM4 white-box implementation method based on the key-dependent S-box has two basic operators, the D-box and the R-box, called the state transformation operator and the key protection operator, respectively. The D-box and the R-box are introduced first, followed by a description of the SM4 white-box implementation method based on the key-dependent S-box and its security analysis.
D-box:
The D-box operator performs a state transformation on the 32-bit data input to the current round, and is defined as follows:
Figure GSB0000199182100000013
where:
(1) $r = 1, 2, \ldots, 32$ is the current round number; $i, j = 0, 1, 2, 3$, both increasing from right to left; $i$ indexes the 32-bit inputs, and $j$ indexes the four 8-bit groups within each 32-bit input;
(2) $D_{r,i,j}$ is an operator with 8-bit input and 32-bit output; it is a left-acting operator, and $D_{r,i,j}$ acts as
Figure GSB0000199182100000021
where
Figure GSB0000199182100000022
denotes the action of a function or operator;
(3) $MB$ is a 32 × 32 invertible linear transformation randomly chosen over $GF(2)$, and $mb$ is an 8 × 8 invertible linear transformation randomly chosen over $GF(2)$;
(4) $b_{r,\alpha,i,j}$, $\alpha = 0, 1, 2, 3$, are 4 independently and randomly selected 8-bit values;
(5) $B$ and $B'$ are:
(5.1)
Figure GSB0000199182100000023
(5.2)
Figure GSB0000199182100000024
(5.3) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$ are independently and randomly selected 32-bit random numbers;
(5.4) $B'_{r+i-1,3}, B'_{r+i-1,2}, B'_{r+i-1,1}, B'_{r+i-1,0}$ are 4 32-bit random numbers with only 3 degrees of freedom.
R-box:
The R-box is the key protection operator, defined as follows:
Figure GSB0000199182100000025
where:
(1) $R_{r,j}$ is an operator with 8-bit input and 32-bit output; it is a left-acting operator, and $R_{r,j}$ acts as
Figure GSB0000199182100000026
Figure GSB0000199182100000027
(2)
Figure GSB0000199182100000028
(3)
Figure GSB0000199182100000029
(4) $k_r$ is the 32-bit round key of the $r$-th round of the standard SM4 cryptographic algorithm, and $k_{r,j}$ is the $j$-th byte of $k_r$:
$k_r = (k_{r,3}, k_{r,2}, k_{r,1}, k_{r,0})$;
(5) $S_{r,j}$ is the 8-bit key-dependent S-box in the round function of the SM4 white-box implementation method; $M$ is the linear transformation generated by 32-bit cyclic shifts in the round function of the standard SM4 cryptographic algorithm; $M_j$ is the $j$-th 32 × 8 sub-transform of $M$, i.e., $M = (M_3, M_2, M_1, M_0)$;
(6) $MB$ is identical to $MB$ in the D-box;
(7) $B_{r+3,1,j}$ is an independently and randomly selected 32-bit random number, and
Figure GSB0000199182100000031
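As an added illustration (not code from the patent), the sketch below builds a key-dependent S-box from the $GF(2^8)$ inversion under $g(x)$ and checks that four 8-in/32-out table lookups, one per sub-transform $M_j$, reproduce $M$ applied after the S-box layer with the round key folded in. The composition $S(x) = \lambda \cdot f(x) \oplus u$, the SHA-256 derivation of $\lambda$ and $u$, and all function names are assumptions, because the page's defining formulas did not survive extraction; the $MB$, $b$ and $B$ encodings of the R-box are omitted, so these tables on their own do not hide the round key.

```python
import hashlib

G = 0x1F5  # g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo g(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= G
        b >>= 1
    return r

def gf_inv(x):
    """f: inversion in GF(2^8), computed as x^254 (which sends 0 to 0)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def mat_apply(rows, x):
    """Apply an 8x8 matrix over GF(2); rows[i] is the mask for output bit i."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows))
def is_invertible(rows):
    """A linear map on 8 bits is invertible iff it is a bijection."""
    return len({mat_apply(rows, x) for x in range(256)}) == 256

def derive_lambda_u(key, r, j):
    """Assumed key-controlled generation of (lambda_{r,j}, u_{r,j}) via SHA-256."""
    ctr = 0
    while True:
        d = hashlib.sha256(key + bytes([r, j]) + ctr.to_bytes(4, "big")).digest()
        if is_invertible(d[:8]):
            return list(d[:8]), d[8]
        ctr += 1

def make_sboxes(key, r):
    """Assumed form S_{r,j}(x) = lambda_{r,j} * f(x) XOR u_{r,j}, for j = 0..3."""
    params = [derive_lambda_u(key, r, j) for j in range(4)]
    return [[mat_apply(lam, gf_inv(x)) ^ u for x in range(256)] for lam, u in params]

def M(x):
    """SM4 round-function linear transform: XOR of 32-bit cyclic left shifts."""
    rot = lambda n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    return x ^ rot(2) ^ rot(10) ^ rot(18) ^ rot(24)
def M_j(j, byte):
    """j-th 32x8 sub-transform of M: its action on byte j alone."""
    return M(byte << 8 * j)

def build_tables(sboxes, rk):
    """Four 8-in/32-out tables with round-key byte k_{r,j} folded in (no encodings)."""
    return [[M_j(j, sboxes[j][x ^ (rk >> 8 * j & 0xFF)]) for x in range(256)]
            for j in range(4)]

def round_lookup(tables, s):
    """XOR of four table lookups, one per byte s_{r,j} of the 32-bit value s_r."""
    out = 0
    for j in range(4):
        out ^= tables[j][s >> 8 * j & 0xFF]
    return out
def round_reference(sboxes, rk, s):
    """Direct computation M(S-layer(s XOR k_r)) for comparison."""
    t = s ^ rk
    return M(sum(sboxes[j][t >> 8 * j & 0xFF] << 8 * j for j in range(4)))
```

Because $M$ is linear over $GF(2)$, the XOR of the four per-byte lookups equals the full round transform; the patent's D-box and R-box add the random linear and additive encodings on top of this table structure.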
Computation of the SM4 white-box implementation method based on the key-dependent S-box:
The SM4 white-box encryption/decryption method based on key-dependent S-boxes has 32 rounds, each round requiring 16 D-boxes and 4 R-boxes. Round $r$ takes the four 32-bit values
$(x'_{r+2}, x'_{r+1}, x'_r, x'_{r-1}) = (E_{r+2}(x_{r+2}), E_{r+1}(x_{r+1}), E_r(x_r), E_{r-1}(x_{r-1}))$
as input, where
Figure GSB0000199182100000032
$x_l$ is an intermediate value of the standard SM4 cryptographic algorithm. A new 32-bit value $x'_{r+3} = E_{r+3}(x_{r+3})$ is calculated; each round of calculation comprises the following steps:
(1)
Figure GSB0000199182100000033
(2)
Figure GSB0000199182100000034
wherein:
(a) $x'_{l,j}$ is the $j$-th byte of $x'_l$;
(b) $s_r$ is a 32-bit intermediate value;
(c) $s_{r,j}$ is the $j$-th byte of $s_r$.
The whole SM4 white-box implementation method based on the key-dependent S-box takes $(x'_3, x'_2, x'_1, x'_0)$ as input and, after 32 rounds of transformation, outputs $(x'_{35}, x'_{34}, x'_{33}, x'_{32})$, where $E_3, E_2, E_1, E_0, E_{35}, E_{34}, E_{33}, E_{32}$ and their inverses must be protected.
Correctness verification of the SM4 white-box implementation method based on the key-dependent S-box:
It suffices to verify the correctness of the calculation result of an arbitrary round of the SM4 white-box implementation method.
Property 1. In the SM4 white-box implementation based on the key-dependent S-box,
Figure GSB0000199182100000041
Proof.
Figure GSB0000199182100000042
Figure GSB0000199182100000051
So Property 1 holds. Q.E.D.
Property 2. In the SM4 white-box implementation based on the key-dependent S-box,
Figure GSB0000199182100000052
Proof.
Figure GSB0000199182100000053
From property 1, it can be seen that:
Figure GSB0000199182100000054
Similarly:
Figure GSB0000199182100000055
Figure GSB0000199182100000056
Figure GSB0000199182100000057
So Property 2 holds. Q.E.D.
From Properties 1 and 2, it can be seen that:
Property 3. The SM4 white-box encryption flow based on the key-dependent S-box is correct.
Proof.
Because
Figure GSB0000199182100000058
Figure GSB0000199182100000059
Thus:
Figure GSB00001991821000000510
Figure GSB0000199182100000061
Therefore the SM4 white-box encryption flow based on the key-dependent S-box is correct. Q.E.D.
Security analysis of the SM4 white-box implementation method based on the key-dependent S-box:
There are two common types of attack on white-box implementations: the parameters are solved for from a single table, or from a composition of tables.
The security of the SM4 white-box implementation method based on the key-dependent S-box against these two types of attack is analyzed below.
Security analysis of a single D-box:
Let the plaintext input be $x'_{3,3}, x'_{3,2}, x'_{3,1}, x'_{3,0}, x'_{2,3}, x'_{2,2}, x'_{2,1}, x'_{2,0}, x'_{1,3}, x'_{1,2}, x'_{1,1}, x'_{1,0}, x'_{0,3}, x'_{0,2}, x'_{0,1}, x'_{0,0}$. Then, according to:
Figure GSB0000199182100000062
we can introduce the following variables:
(1)
Figure GSB0000199182100000063
a total of 73728 variables;
(2) $b_{r,\alpha,i,j,l}$, $r = 1, 2, \ldots, 32$, $\alpha = 0, 1, 2, 3$, $i = 1, 2, 3$, $j = 0, 1, 2, 3$, $l = 0, 1, 2, \ldots, 7$,
a total of $32 \times 4 \times 3 \times 4 \times 8 = 12288$ bits;
(3) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$,
where $r = 1, 2, 3, \ldots, 32$, $i = 0, 1, 2, 3$, a total of $32 \times 4 \times 32 \times 8 = 32768$ variables;
(4) $B'_{r+i-1,3}, B'_{r+i-1,2}, B'_{r+i-1,1}, B'_{r+i-1,0}$, where $r = 1, 2, 3, \ldots, 32$, $i = 0, 1, 2, 3$,
a total of $32 \times 4 \times 32 \times 4 = 16384$ variables;
(5) $mb_{r,3}, mb_{r,2}, mb_{r,1}, mb_{r,0}$, $r = 1, 2, \ldots, 32$, a total of $32 \times 8 \times 8 \times 4 = 8192$ variables.
Thus, from the above variables, the following conclusion can be drawn:
Property 4. The Boolean equation system set up from a single D-box is a quadratic Boolean equation system.
Security analysis of a single R-box:
Let the input be $s_{r,3}, s_{r,2}, s_{r,1}, s_{r,0}$. Then, according to:
Figure GSB0000199182100000071
the following variables can be introduced:
(1) $b_{r,j}$, $r = 1, 2, \ldots, 32$, $j = 3, 2, 1, 0$, a total of $32 \times 4 \times 8 = 1024$ bits;
(2)
Figure GSB0000199182100000072
a total of $32 \times 8 \times 8 \times 4 = 8192$ variables;
(3) $k_{r,j}$, $r = 1, 2, \ldots, 32$, $j = 0, 1, 2, 3$, a total of $32 \times 8 \times 4 = 1024$ variables;
(4) $\pi_{r,j}$, $r = 1, 2, \ldots, 32$, $j = 3, 2, 1, 0$, a total of $32 \times 4 \times (8 \times 8 + 8) = 9216$ variables;
(5)
Figure GSB0000199182100000073
a total of $32 \times 4 \times (8 \times 8 + 8) = 9216$ variables;
(6)
Figure GSB0000199182100000074
a total of $36 \times 32 \times 32 = 36864$ variables;
(7) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$, where $r = 1, 2, 3, \ldots, 32$, $i = 1, 2, 3$, a total of $32 \times 3 \times 32 \times 8 = 24576$ variables.
Therefore, from the above variables and the inversion operation $f$, the following conclusion can be drawn:
Property 5. The Boolean equation system set up from a single R-box is a system of degree-4 Boolean function equations.
Security analysis after composing the white-box tables:
According to:
Figure GSB0000199182100000075
the following conclusion can be drawn:
Property 6. After the D-boxes and R-boxes are composed, the Boolean equation system set up is a system of degree-4 Boolean function equations.
From Properties 4-6, it can be seen that the SM4 white-box implementation method based on the key-dependent S-box has a certain degree of security, since the equation systems set up are nonlinear.

Claims (1)

1. An SM4 white-box implementation method based on a key-dependent S-box, characterized in that: the SM4 white-box encryption/decryption method has 32 rounds; each round requires 16 D-boxes and 4 R-boxes;
wherein,
the D-box is a lookup table for performing state transformation on the 32-bit data input in the current round, and is defined as follows:
Figure FSB0000199182090000011
where:
(1) $r = 1, 2, \ldots, 32$ is the current round number; $i, j = 0, 1, 2, 3$, both increasing from right to left; $i$ indexes the 32-bit inputs, and $j$ indexes the 8-bit groups of each 32-bit input;
(2) $D_{r,i,j}$ is an operator with 8-bit input and 32-bit output; it is a left-acting operator, and $D_{r,i,j}$ acts as
Figure FSB0000199182090000012
Wherein "is the role of a function or operator;
(3) $f = (mb_{r,3}, \ldots, mb_{r,0})$; $MB$ is a 32 × 32 invertible linear transformation randomly chosen over $GF(2)$, and $mb$ is an 8 × 8 invertible linear transformation randomly chosen over $GF(2)$;
(4) $b_{r,\alpha,i,j}$, $\alpha = 0, 1, 2, 3$, are 4 independently and randomly selected 8-bit values;
(5) $B$ and $B'$ are:
(5.1)
Figure FSB0000199182090000013
(5.2)
Figure FSB0000199182090000014
(5.3) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$ are 8 independently and randomly selected 32-bit random numbers;
(5.4) $B'_{r+i-1,3}, B'_{r+i-1,2}, B'_{r+i-1,1}, B'_{r+i-1,0}$ are 4 32-bit random numbers with only 3 degrees of freedom;
(5.5) $XOR(x)$ is a left-acting operator which, for a value $y$ of length $x$,
Figure FSB0000199182090000015
where
Figure FSB0000199182090000016
is the bitwise exclusive-or operation;
the R-box is a look-up table for key protection defined as follows:
Figure FSB0000199182090000017
where:
(1) $R_{r,j}$ is an operator with 8-bit input and 32-bit output; it is a left-acting operator, and $R_{r,j}$ acts as
Figure FSB0000199182090000018
Figure FSB0000199182090000021
(2)
Figure FSB0000199182090000022
(3) $k_r$ is the 32-bit round key of the $r$-th round of the SM4 cryptographic algorithm, and $k_{r,j}$ is the $j$-th byte of $k_r$:
$k_r = (k_{r,3}, k_{r,2}, k_{r,1}, k_{r,0})$;
(4) $S_{r,j}$ is the 8-bit key-dependent S-box in the round function of the SM4 white-box implementation method, i.e.
Figure FSB0000199182090000023
where $f$ is the inversion operation over $GF(2^8)$ generated by $g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1$,
Figure FSB0000199182090000024
$\lambda_{r,j}$ is an 8 × 8 invertible linear transformation, $u_{r,j}$ is an 8-bit vector, and $\lambda_{r,j}$, $u_{r,j}$ are generated under key control; $M$ is the linear transformation generated by 32-bit cyclic shifts in the round function of the standard SM4 cryptographic algorithm, and $M_j$ is the $j$-th 32 × 8 sub-transform of $M$, i.e., $M = (M_3, M_2, M_1, M_0)$;
(5) MB is identical to MB in the D-box;
(6) $B_{r+3,1,j}$ is an independently and randomly selected 32-bit random number, and
Figure FSB0000199182090000025
the whole SM4 white-box implementation method takes $(x'_3, x'_2, x'_1, x'_0)$ as input and, after 32 rounds of transformation, outputs $(x'_{35}, x'_{34}, x'_{33}, x'_{32})$, where $E_3, E_2, E_1, E_0, E_{35}, E_{34}, E_{33}, E_{32}$ and their inverses must be protected; round $r$ takes the four 32-bit values $(x'_{r+2}, x'_{r+1}, x'_r, x'_{r-1}) = (E_{r+2}(x_{r+2}), E_{r+1}(x_{r+1}), E_r(x_r), E_{r-1}(x_{r-1}))$ as input, where
Figure FSB0000199182090000026
$x_l$ is an intermediate value of the standard SM4 algorithm;
a new 32-bit value $x'_{r+3} = E_{r+3}(x_{r+3})$ is calculated; each round of calculation comprises the following steps:
(1)
Figure FSB0000199182090000031
(2)
Figure FSB0000199182090000032
wherein:
(a) $x'_{l,j}$ is the $j$-th byte of $x'_l$;
(b) $s_r$ is a 32-bit intermediate value;
(c) $s_{r,j}$ is the $j$-th byte of $s_r$.
CN201610555791.3A 2016-07-15 2016-07-15 SM4 white box implementation method based on S box dependent on secret key Active CN107623568B (en)

Publications (2)

Publication Number Publication Date
CN107623568A CN107623568A (en) 2018-01-23
CN107623568B CN107623568B (en) 2022-09-06

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111740816B (en) * 2019-03-25 2023-03-31 山东文斌信息安全技术有限公司 BWGCF block cipher algorithm realizing method
CN112003687B (en) * 2020-08-26 2023-04-07 成都卫士通信息产业股份有限公司 White box operation method and device, electronic equipment and computer storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101536398B (en) * 2006-11-17 2012-11-07 耶德托公司 Cryptographic method for a white-box implementation
CN103227717A (en) * 2013-01-25 2013-07-31 国家密码管理局商用密码检测中心 Application of selecting round key XOR input to perform side-channel power analysis of SM4 cryptographic algorithm
WO2016043665A1 (en) * 2014-09-18 2016-03-24 Huawei International Pte. Ltd. Encryption function and decryption function generating method, encryption and decryption method and related apparatuses

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013142980A1 (en) * 2012-03-30 2013-10-03 Irdeto Canada Corporation Securing accessible systems using variable dependent coding
CN103516511B (en) * 2013-09-11 2016-05-04 国家电网公司 A kind of method and device that AES and key are detected
EP2983156B1 (en) * 2014-08-06 2019-07-24 Secure-IC SAS System and method for circuit protection
CN105591734A (en) * 2015-04-24 2016-05-18 桂林电子科技大学 White-box cryptograph non-linear encoding protection method based on table lookup
CN105681025B (en) * 2016-01-29 2019-04-16 中国科学院信息工程研究所 A kind of safe whitepack implementation method and device of country password standard algorithm SM4

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A Survey of Cyberspace Security; 张焕国 et al.; 《中国科学:信息科学》; 20160220 (No. 02); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant