[Information Security] SM4 National Secret Algorithm Principle

1. Introduction to SM4 national secret algorithm

SM4 is a symmetric block cipher from China's commercial cryptography ("national cipher", 国密) standards. It was published by the State Cryptography Administration of China as GM/T 0002-2012, became the national standard GB/T 32907-2016, and has since been added to ISO/IEC 18033-3. The block length is 128 bits and the key length is also 128 bits. Both the encryption/decryption algorithm and the key expansion algorithm are 32-round nonlinear iterations.

This article splits SM4 into two modules: the encryption/decryption module and the key expansion module. Both modules are built from the same three operations: the XOR operation, the shift (circular rotation) transformation, and the box (S-box) transformation.

  • Exclusive OR operation (XOR)
    XOR of two bits gives 0 when the bits are equal and 1 when they differ; on 32-bit words it is applied bit by bit. XOR is its own inverse (a ⊕ b ⊕ b = a), which is what allows the same round function to both encrypt and decrypt. The truth table:

    A | B | A XOR B
    --+---+--------
    0 | 0 |   0
    0 | 1 |   1
    1 | 0 |   1
    1 | 1 |   0
  • Shift transformation
    The shift used in SM4 is not a Caesar-style shift of letters but a circular left rotation of a 32-bit word, written $B \lll n$: the $n$ bits pushed out on the left re-enter on the right, so no bits are lost and the operation is invertible. The round function rotates by 2, 10, 18 and 24 bits; key expansion rotates by 13 and 23 bits.

  • Box transformation
    The box transformation is a nonlinear transformation that replaces each byte of the input by a lookup in a predefined S-box (Substitution Box). The SM4 S-box is a fixed 16x16 table of 256 bytes: the high nibble of the input byte selects the row and the low nibble selects the column. The table is a permutation of 0..255 (every output byte occurs exactly once), so it is invertible, and it is the only nonlinear component of the cipher. Applied to a 32-bit word it substitutes the four bytes independently (the transformation $\tau$ in the standard). The full table is printed in the standard; its first entry, Sbox(0x00), is 0xD6 and its last, Sbox(0xFF), is 0x48.

2. Encryption and decryption module

Figure 2.1 Encryption/decryption flow chart

Figure 2.1 shows the encryption/decryption flow of SM4. The input is a 128-bit plaintext block and the output is a 128-bit ciphertext block. The whole process takes 32 rounds ($i = 0, 1, \ldots, 31$): the first round transformation is applied at $i = 0$ and the last at $i = 31$. Each round applies the round function $F$, the 32-round nonlinear iteration mechanism:

$X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i) = X_i \oplus T(X_{i+1} \oplus X_{i+2} \oplus X_{i+3} \oplus rk_i)$

where $T$ is the composition of the box transformation and the shift transformation, spelled out step by step below.

The 128-bit input plaintext is split into four 32-bit words $(X_0, X_1, X_2, X_3)$. Round $i$ ($i = 0, 1, \ldots, 31$) takes the four words $(X_i, X_{i+1}, X_{i+2}, X_{i+3})$ as its state and produces one new 32-bit word $X_{i+4}$.

First, $X_i$ is left untouched, while $X_{i+1}, X_{i+2}, X_{i+3}$ and the round key $rk_i$ are XORed together to give a 32-bit word that becomes the input of the box transformation:

$sbox_{\text{input}} = X_{i+1} \oplus X_{i+2} \oplus X_{i+3} \oplus rk_i$

where $\oplus$ denotes XOR and $rk_i$ is the round key.

Next, $sbox_{\text{input}}$ is split into four 8-bit bytes and each byte is passed through the S-box separately. The four 8-bit outputs are concatenated back, in the same order, into the 32-bit word $sbox_{\text{output}}$ (this byte-wise substitution is $\tau$ in the standard).

Then the shift transformation is applied to the 32-bit $sbox_{\text{output}}$: four circular left rotations by 2, 10, 18 and 24 bits, giving four 32-bit words written $y_2, y_{10}, y_{18}, y_{24}$:

$y_n = sbox_{\text{output}} \lll n, \quad n \in \{2, 10, 18, 24\}$

Finally, the four rotated words $y_2, y_{10}, y_{18}, y_{24}$, the box transformation output $sbox_{\text{output}}$ itself, and the untouched first word $X_i$ are all XORed together to give $X_{i+4}$:

$X_{i+4} = X_i \oplus sbox_{\text{output}} \oplus y_2 \oplus y_{10} \oplus y_{18} \oplus y_{24}$

The XOR of $sbox_{\text{output}}$ with its four rotations is the linear transformation $L(B) = B \oplus (B \lll 2) \oplus (B \lll 10) \oplus (B \lll 18) \oplus (B \lll 24)$, so the whole step is $X_{i+4} = X_i \oplus L(\tau(sbox_{\text{input}}))$, i.e. $T = L \circ \tau$.

In the actual encryption/decryption process the round above is executed 32 times, each time with a different round key $rk_i = K_{i+4}$ ($i = 0, 1, \ldots, 31$) produced by key expansion (section 3). The last four 32-bit words produced by the round function, $X_{32}, X_{33}, X_{34}, X_{35}$, are then passed through the reverse transformation $R$, which simply reverses the order of the four words, to give the final 128-bit ciphertext:

$(Y_0, Y_1, Y_2, Y_3) = R(X_{32}, X_{33}, X_{34}, X_{35}) = (X_{35}, X_{34}, X_{33}, X_{32})$

This final reversal is what makes decryption the same procedure with the round keys in the opposite order (section 4).

3. Key expansion module

Figure 3.1 Key expansion flow chart

Figure 3.1 shows the flow of key expansion. The input is the 128-bit initial key $MK$; the output is the 32 round keys $rk_0, rk_1, \ldots, rk_{31}$, each 32 bits long.

First, split the initial key into four 32-bit words $MK_0, MK_1, MK_2, MK_3$. Then XOR them word by word with the system parameter $FK$ to obtain the starting words of the iteration $K_0, K_1, K_2, K_3$:

$K_0 = MK_0 \oplus FK_0, \quad K_1 = MK_1 \oplus FK_1, \quad K_2 = MK_2 \oplus FK_2, \quad K_3 = MK_3 \oplus FK_3$

The standard fixes $FK = (\mathtt{A3B1BAC6}, \mathtt{56AA3350}, \mathtt{677D9197}, \mathtt{B27022DC})$.

Each round key is then produced by an iteration with the same shape as the encryption round, with a fixed round constant $CK_i$ in place of a round key:

$rk_i = K_{i+4} = K_i \oplus T'(K_{i+1} \oplus K_{i+2} \oplus K_{i+3} \oplus CK_i), \quad i = 0, 1, \ldots, 31$

$T'$ uses the same S-box step $\tau$ as $T$ but a different shift transformation, $L'(B) = B \oplus (B \lll 13) \oplus (B \lll 23)$. The 32 constants $CK_i$ are fixed by the standard: writing $CK_i$ as four bytes $(ck_{i,0}, ck_{i,1}, ck_{i,2}, ck_{i,3})$, $ck_{i,j} = (4i + j) \times 7 \bmod 256$, so $CK_0 = \mathtt{00070E15}$ and $CK_{31} = \mathtt{646B7279}$. Note that $FK$ and $CK$ are public constants; they add no secret material and only serve to break symmetry between rounds.

4. SM4 decryption principle

SM4 decrypts ciphertext with the same round function $F$ as encryption; the only difference is that the round keys are used in reverse order. After the 32 rounds of the nonlinear iteration and the same reverse transformation $R$, the original plaintext comes out.

Take the ciphertext $(X_{35}, X_{34}, X_{33}, X_{32})$ as the input of decryption round 0 and write it as $(X'_0, X'_1, X'_2, X'_3)$. Then use the round keys in reverse order, $rk'_i = rk_{31-i}$ ($rk'_0 = rk_{31}, rk'_1 = rk_{30}, \ldots, rk'_{31} = rk_0$).

The output of round 0 can therefore be written as

$$
\begin{aligned}
X'_4 &= X'_0 \oplus T(X'_1 \oplus X'_2 \oplus X'_3 \oplus rk'_0) \\
     &= X'_0 \oplus T(X'_1 \oplus X'_2 \oplus X'_3 \oplus rk_{31}) \\
     &= X_{35} \oplus T(X_{34} \oplus X_{33} \oplus X_{32} \oplus rk_{31}) \\
     &= X_{31} \oplus T(X_{32} \oplus X_{33} \oplus X_{34} \oplus rk_{31}) \oplus T(X_{34} \oplus X_{33} \oplus X_{32} \oplus rk_{31}) \\
     &= X_{31}
\end{aligned}
$$

The fourth line substitutes $X_{35} = X_{31} \oplus T(X_{32} \oplus X_{33} \oplus X_{34} \oplus rk_{31})$ from encryption round 31; because XOR is commutative the two $T(\cdot)$ terms are identical and cancel. The same argument holds in every round, so the invariant $X'_i = X_{35-i}$ is maintained throughout decryption.


Continuing in the same way, the output of round 28 is $X_3$, the output of round 29 is $X_2$, the output of round 30 is $X_1$, and the output of round 31 is

$$
\begin{aligned}
X'_{35} &= X'_{31} \oplus T(X'_{32} \oplus X'_{33} \oplus X'_{34} \oplus rk'_{31}) \\
        &= X_4 \oplus T(X_3 \oplus X_2 \oplus X_1 \oplus rk_0) \\
        &= X_0 \oplus T(X_1 \oplus X_2 \oplus X_3 \oplus rk_0) \oplus T(X_3 \oplus X_2 \oplus X_1 \oplus rk_0) \\
        &= X_0
\end{aligned}
$$

Applying the reverse transformation $R$ to the outputs of the last four rounds (rounds 28, 29, 30 and 31), $(X'_{32}, X'_{33}, X'_{34}, X'_{35}) = (X_3, X_2, X_1, X_0)$, gives back the decrypted plaintext $(X_0, X_1, X_2, X_3)$.


Origin blog.csdn.net/zx1041561837/article/details/134792191