CN107623568B - SM4 white box implementation method based on S box dependent on secret key - Google Patents
- Publication number
- CN107623568B (application CN201610555791.3A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The white-box technique refers to a technique for protecting the key of a cryptographic algorithm by means of table lookups. The invention provides an SM4 white-box implementation method based on a key-dependent S-box. The invention belongs to the technical field of information security and relates to a cryptographic algorithm. The method is composed of two basic operators, the D-box and the R-box. The invention gives a detailed description of the SM4 white-box implementation method based on the key-dependent S-box, together with a security analysis.
Description
Technical Field
The invention belongs to the technical field of information security, and relates to a method for realizing a cryptographic algorithm.
Background
The white-box technique refers to a technique for protecting the key of a cryptographic algorithm by means of table lookups. It provides a way to use cryptographic algorithm software securely when the end user has no dedicated medium for protecting the key. The main application field of white-box technology is digital property protection. The technology allows users to use the cryptographic software on their devices, but prevents illegal users from recovering the key of the cryptographic algorithm and distributing it for profit. The technology can also prevent energy attacks. The white-box technique therefore has important practical significance. SM4 white-box implementation methods based on the fixed S-box have already been developed; the invention provides an SM4 white-box implementation method based on a key-dependent S-box.
Disclosure of Invention
$g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1$ generates $GF(2^8)$, over which the inversion operation is taken; $\lambda_{r,j}$ is an 8 × 8 invertible linear transformation, $u_{r,j}$ is an 8-bit vector, and $\lambda_{r,j}$, $u_{r,j}$ are generated under key control.
In the SM4 white box implementation method based on the S box dependent on the key, there are two basic operators, i.e., a D box and an R box, which are called a state transformation operator and a key protection operator, respectively. The following first introduces D-box, R-box, and then gives a description of the SM4 white-box implementation method based on S-box dependent keys and security analysis.
D-box:
The D-box operator performs the state transformation on the 32-bit data input to the current round, and is defined as follows:
wherein:
(1) $r = 1, 2, \ldots, 32$ is the current round number; $i, j = 0, 1, 2, 3$, both increasing from right to left; $i$ is the order of the 32-bit inputs and $j$ is the order of the four 8-bit groups within each 32-bit input;
(2) $D_{r,i,j}$ is an operator with 8 bits in and 32 bits out, acting on the left; the mode of action of $D_{r,i,j}$ is, wherein is the action of a function or operator;
(3) MB is a 32 × 32 invertible linear transformation randomly chosen over GF(2), and mb is an 8 × 8 invertible linear transformation randomly chosen over GF(2);
(4) $b_{r,\alpha,i,j}$, $\alpha = 0, 1, 2, 3$, are 4 independently and randomly selected 8-bit values;
(5) $B$ and $B'$ are:
(5.2)
(5.3) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$ are independently and randomly selected 32-bit random numbers;
(5.4) $B'_{r+i-1,3}, B'_{r+i-1,2}, B'_{r+i-1,1}, B'_{r+i-1,0}$ are 4 32-bit random numbers with only 3 degrees of freedom.
R-box:
The R-box is the key protection operator, defined as follows:
wherein:
(1) $R_{r,j}$ is an operator with 8 bits in and 32 bits out, acting on the left; the mode of action of $R_{r,j}$ is
(3)
(4) $k_r$ is the 32-bit round key of the r-th round of the standard SM4 cryptographic algorithm, and $k_{r,j}$ is the j-th byte of $k_r$, $k_r = (k_{r,3}, k_{r,2}, k_{r,1}, k_{r,0})$;
(5) $S_{r,j}$ is the 8-bit key-dependent S-box in the round function of the SM4 white-box implementation method; $M$ is the linear transformation generated by the 32-bit cyclic shifts in the round function of the standard SM4 cryptographic algorithm; $M_j$ is the j-th 32 × 8 sub-transform of $M$, i.e., $M = (M_3, M_2, M_1, M_0)$;
(6) MB is identical to MB in the D-box;
(7) $B_{r+3,1,j}$ is an independently and randomly selected 32-bit random number, and
Computation in the SM4 white-box implementation method based on the key-dependent S-box:
The SM4 white-box encryption/decryption method based on key-dependent S-boxes has 32 rounds, each round requiring 16 D-boxes and 4 R-boxes. Round r takes the four 32-bit values
$$(x'_{r+2}, x'_{r+1}, x'_r, x'_{r-1}) = (E_{r+2}(x_{r+2}), E_{r+1}(x_{r+1}), E_r(x_r), E_{r-1}(x_{r-1}))$$
as input, where $x_l$ is an intermediate value of the standard SM4 cryptographic algorithm, and computes a new 32-bit value $x'_{r+3} = E_{r+3}(x_{r+3})$. Each round of computation comprises the following steps:
wherein:
(a) $x'_{l,j}$ is the j-th byte of $x'_l$;
(b) $s_r$ is a 32-bit intermediate value;
(c) $s_{r,j}$ is the j-th byte of $s_r$.
The whole SM4 white-box implementation method based on the key-dependent S-box takes $(x'_3, x'_2, x'_1, x'_0)$ as input and, after 32 rounds of transformation, outputs $(x'_{35}, x'_{34}, x'_{33}, x'_{32})$; $E_3, E_2, E_1, E_0, E_{35}, E_{34}, E_{33}, E_{32}$ and their inverses must be protected.
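An added example (not code from the patent) of two building blocks described above: a key-dependent S-box built from inversion in GF(2^8) modulo g(x) followed by a key-controlled affine map, and the split of SM4's linear transformation into four 8-bit-in, 32-bit-out tables. The composition S(x) = λ·f(x) ⊕ u, the seeded derivation of λ and u, and all function names are assumptions; the random encodings MB, B and b of the D-box and R-box are not applied.

```python
from functools import reduce
from operator import xor
import random

G = 0x1F5  # g(x) = x^8+x^7+x^6+x^5+x^4+x^2+1, as given on the page

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo g(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= G
        b >>= 1
    return r

def gf_inv(a):
    """f: inversion in GF(2^8) computed as a^254, so 0 maps to 0."""
    return reduce(lambda r, _: gf_mul(r, a), range(254), 1)

def mat_vec(rows, x):
    """rows * x over GF(2); row i gives bit i of the result."""
    return sum((bin(rows[i] & x).count("1") & 1) << i for i in range(8))

def key_dependent_sbox(seed):
    """Assumed form S(x) = lambda * f(x) XOR u. (lambda, u) come from a seeded
    PRNG here; a real design would derive them from the key with a KDF."""
    rng = random.Random(seed)
    while True:
        lam = [rng.randrange(256) for _ in range(8)]
        if len({mat_vec(lam, x) for x in range(256)}) == 256:  # lambda invertible
            break
    u = rng.randrange(256)
    return [mat_vec(lam, gf_inv(x)) ^ u for x in range(256)]

def sm4_L(b):
    """SM4 linear transformation: b ^ (b<<<2) ^ (b<<<10) ^ (b<<<18) ^ (b<<<24)."""
    rot = lambda n: ((b << n) | (b >> (32 - n))) & 0xFFFFFFFF
    return b ^ rot(2) ^ rot(10) ^ rot(18) ^ rot(24)

def build_tables(round_key, sboxes):
    """Four 8-bit-in / 32-bit-out tables T_j[x] = M_j * S_j(x XOR k_j).
    Bare tables only: the MB, B and b encodings are deliberately left out."""
    return [[sm4_L(sboxes[j][x ^ (round_key >> 8 * j & 0xFF)] << 8 * j)
             for x in range(256)] for j in range(4)]

def table_round(tables, word):
    """XOR of four table lookups, one per input byte."""
    return reduce(xor, (tables[j][word >> 8 * j & 0xFF] for j in range(4)))

def direct_round(round_key, sboxes, word):
    """Reference: key XOR, byte-wise S-boxes, then L on the whole word."""
    t = word ^ round_key
    return sm4_L(sum(sboxes[j][t >> 8 * j & 0xFF] << 8 * j for j in range(4)))
```

Because L is linear over XOR, `table_round` and `direct_round` agree on every input; the unencoded tables expose the round key directly, which is the gap the D-box and R-box encodings are meant to close.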
Correctness verification of the SM4 white-box implementation method based on the key-dependent S-box:
Only the correctness of the computation result of an arbitrary round of the SM4 white-box implementation method needs to be verified.
Property 1: in the SM4 white-box implementation based on the key-dependent S-box,
Proof:
So Property 1 holds. This completes the proof.
Property 2: in the SM4 white-box implementation based on the key-dependent S-box,
Proof:
From Property 1, it can be seen that:
Similarly:
So Property 2 holds. This completes the proof.
From Properties 1 and 2, it can be seen that:
Property 3: the SM4 white-box encryption flow based on the key-dependent S-box is correct.
Proof:
Thus:
the SM4 white-box encryption flow based on the key-dependent S-box is correct. This completes the proof.
Security analysis of the SM4 white-box implementation method based on the key-dependent S-box:
There are two common classes of attack on white-box implementations: those that derive the parameters from a single table, and those that derive them from a combination of tables.
The security of the SM4 white-box implementation method based on the key-dependent S-box against these two classes of attack is analyzed below.
Security analysis of a single D-box:
Let the plaintext input be $x'_{3,3}, x'_{3,2}, x'_{3,1}, x'_{3,0}, x'_{2,3}, x'_{2,2}, x'_{2,1}, x'_{2,0}, x'_{1,3}, x'_{1,2}, x'_{1,1}, x'_{1,0}, x'_{0,3}, x'_{0,2}, x'_{0,1}, x'_{0,0}$. Then, according to:
we can set the following variables:
(2) $b_{r,\alpha,i,j,l}$, $r = 1, 2, \ldots, 32$, $\alpha = 0, 1, 2, 3$, $i = 1, 2, 3$, $j = 0, 1, 2, 3$, $l = 0, 1, 2, \ldots, 7$,
a total of 32 × 4 × 3 × 4 × 8 = 12288 bits;
(3) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$,
where $r = 1, 2, 3, \ldots, 32$ and $i = 0, 1, 2, 3$, a total of 32 × 4 × 32 × 8 = 32768 variables;
(4) $B'_{r+i-1,3}, B'_{r+i-1,2}, B'_{r+i-1,1}, B'_{r+i-1,0}$, where $r = 1, 2, 3, \ldots, 32$ and $i = 0, 1, 2, 3$,
a total of 32 × 4 × 32 × 4 = 16384 variables;
(5) $mb_{r,3}, mb_{r,2}, mb_{r,1}, mb_{r,0}$, $r = 1, 2, \ldots, 32$, a total of 32 × 8 × 8 × 4 = 8192 variables.
Thus, from the above variables, the following conclusion can be drawn:
Property 4: the system of Boolean equations given by a single D-box is a quadratic system of Boolean equations.
Security analysis of a single R-box:
Let the input be $s_{r,3}, s_{r,2}, s_{r,1}, s_{r,0}$. Then, according to:
the following variables can be set:
(1) $b_{r,j}$, $r = 1, 2, \ldots, 32$, $j = 3, 2, 1, 0$, a total of 32 × 4 × 8 = 1024 bits;
(3) $k_{r,j}$, $r = 1, 2, \ldots, 32$, $j = 0, 1, 2, 3$, a total of 32 × 8 × 4 = 1024 variables;
(4) $\pi_{r,j}$, $r = 1, 2, \ldots, 32$, $j = 3, 2, 1, 0$, a total of 32 × 4 × (8 × 8 + 8) = 9216 variables;
(7) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$, where $r = 1, 2, 3, \ldots, 32$ and $i = 1, 2, 3$, a total of 32 × 3 × 32 × 8 = 24576 variables.
Therefore, from the above variables and the inversion operation f, the following conclusion can be drawn:
Property 5: the system of Boolean equations given by a single R-box is a system of degree-4 Boolean functions.
Security analysis after white-box composition:
According to the following steps:
Thus, the following conclusion can be drawn:
Property 6: after the D-boxes and R-boxes are composed, the resulting system of Boolean equations is a system of degree-4 Boolean function equations.
From Properties 4-6, it can be seen that the SM4 white-box implementation method based on the key-dependent S-box has a degree of security, since the systems of equations obtained are nonlinear.
Claims (1)
1. An SM4 white-box implementation method based on a key-dependent S-box, characterized in that: the SM4 white-box encryption/decryption method has 32 rounds; each round requires 16 D-boxes and 4 R-boxes;
wherein,
the D-box is a lookup table for performing the state transformation on the 32-bit data input to the current round, and is defined as follows:
wherein:
(1) $r = 1, 2, \ldots, 32$ is the current round number; $i, j = 0, 1, 2, 3$, both increasing from right to left; $i$ is the order of the 32-bit inputs and $j$ is the order of the 8-bit groups within each 32-bit input;
(2) $D_{r,i,j}$ is an operator with 8 bits in and 32 bits out, acting on the left; the mode of action of $D_{r,i,j}$ is, wherein is the action of a function or operator;
(3) $f = (mb_{r,3}, \ldots, mb_{r,0})$; MB is a 32 × 32 invertible linear transformation randomly chosen over GF(2), and mb is an 8 × 8 invertible linear transformation randomly chosen over GF(2);
(4) $b_{r,\alpha,i,j}$, $\alpha = 0, 1, 2, 3$, are 4 independently and randomly selected 8-bit values;
(5) $B$ and $B'$ are:
(5.3) $B_{r+i-1,1,3}, B_{r+i-1,1,2}, B_{r+i-1,1,1}, B_{r+i-1,1,0}, B_{r+i-1,0,3}, B_{r+i-1,0,2}, B_{r+i-1,0,1}, B_{r+i-1,0,0}$ are 8 independently and randomly selected 32-bit random numbers;
(5.4) $B'_{r+i-1,3}, B'_{r+i-1,2}, B'_{r+i-1,1}, B'_{r+i-1,0}$ are 4 32-bit random numbers with only 3 degrees of freedom;
(5.5) XOR(x) is a left-acting operator which, for a value y of length x, wherein is the bitwise exclusive-or operation;
the R-box is a lookup table for key protection, defined as follows:
wherein:
(1) $R_{r,j}$ is an operator with 8 bits in and 32 bits out, acting on the left; the mode of action of $R_{r,j}$ is
(2)
(3) $k_r$ is the 32-bit round key of the r-th round of the SM4 cryptographic algorithm, and $k_{r,j}$ is the j-th byte of $k_r$, $k_r = (k_{r,3}, k_{r,2}, k_{r,1}, k_{r,0})$;
(4) $S_{r,j}$ is the 8-bit key-dependent S-box in the round function of the SM4 white-box implementation method, i.e. wherein $f$ is the inversion operation over $GF(2^8)$ generated by $g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1$, $\lambda_{r,j}$ is an 8 × 8 invertible linear transformation, $u_{r,j}$ is an 8-bit vector, and $\lambda_{r,j}$, $u_{r,j}$ are generated under key control; $M$ is the linear transformation generated by the 32-bit cyclic shifts in the round function of the standard SM4 cryptographic algorithm, and $M_j$ is the j-th 32 × 8 sub-transform of $M$, i.e., $M = (M_3, M_2, M_1, M_0)$;
(5) MB is identical to MB in the D-box;
(6) $B_{r+3,1,j}$ is an independently and randomly selected 32-bit random number, and
the whole SM4 white-box implementation method takes $(x'_3, x'_2, x'_1, x'_0)$ as input and, after 32 rounds of transformation, outputs $(x'_{35}, x'_{34}, x'_{33}, x'_{32})$, wherein $E_3, E_2, E_1, E_0, E_{35}, E_{34}, E_{33}, E_{32}$ and their inverses must be protected; round r takes the four 32-bit values $(x'_{r+2}, x'_{r+1}, x'_r, x'_{r-1}) = (E_{r+2}(x_{r+2}), E_{r+1}(x_{r+1}), E_r(x_r), E_{r-1}(x_{r-1}))$ as input, wherein $x_l$ is an intermediate value of the standard SM4 algorithm;
a new 32-bit value $x'_{r+3} = E_{r+3}(x_{r+3})$ is computed; each round of computation comprises the following steps:
(1)
(2)
wherein:
(a) $x'_{l,j}$ is the j-th byte of $x'_l$;
(b) $s_r$ is a 32-bit intermediate value;
(c) $s_{r,j}$ is the j-th byte of $s_r$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610555791.3A CN107623568B (en) | 2016-07-15 | 2016-07-15 | SM4 white box implementation method based on S box dependent on secret key |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107623568A CN107623568A (en) | 2018-01-23 |
CN107623568B (en) | 2022-09-06 |
Family
ID=61086625
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610555791.3A Active CN107623568B (en) | 2016-07-15 | 2016-07-15 | SM4 white box implementation method based on S box dependent on secret key |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107623568B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111740816B (en) * | 2019-03-25 | 2023-03-31 | 山东文斌信息安全技术有限公司 | BWGCF block cipher algorithm realizing method |
CN112003687B (en) * | 2020-08-26 | 2023-04-07 | 成都卫士通信息产业股份有限公司 | White box operation method and device, electronic equipment and computer storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101536398B (en) * | 2006-11-17 | 2012-11-07 | 耶德托公司 | Cryptographic method for a white-box implementation |
CN103227717A (en) * | 2013-01-25 | 2013-07-31 | 国家密码管理局商用密码检测中心 | Application of selecting round key XOR input to perform side-channel power analysis of SM4 cryptographic algorithm |
WO2016043665A1 (en) * | 2014-09-18 | 2016-03-24 | Huawei International Pte. Ltd. | Encryption function and decryption function generating method, encryption and decryption method and related apparatuses |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013142980A1 (en) * | 2012-03-30 | 2013-10-03 | Irdeto Canada Corporation | Securing accessible systems using variable dependent coding |
CN103516511B (en) * | 2013-09-11 | 2016-05-04 | 国家电网公司 | A kind of method and device that AES and key are detected |
EP2983156B1 (en) * | 2014-08-06 | 2019-07-24 | Secure-IC SAS | System and method for circuit protection |
CN105591734A (en) * | 2015-04-24 | 2016-05-18 | 桂林电子科技大学 | White-box cryptograph non-linear encoding protection method based on table lookup |
CN105681025B (en) * | 2016-01-29 | 2019-04-16 | 中国科学院信息工程研究所 | A kind of safe whitepack implementation method and device of country password standard algorithm SM4 |
Non-Patent Citations (1)
Title |
---|
Overview of cyberspace security; Zhang Huanguo et al.; 《中国科学:信息科学》 (Scientia Sinica Informationis); 20160220 (No. 02); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN107623568A (en) | 2018-01-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||