]>
The SM4 Blockcipher Algorithm And Its Modes Of OperationsRiboseSuite 1111, 1 Pedder StreetCentralHong KongPeople's Republic of Chinaronald.tse@ribose.comhttps://www.ribose.comHang Seng Management CollegeHang Shin Link, Siu Lek YuenShatinHong KongPeople's Republic of Chinawongwk@hsmc.edu.hkhttps://www.hsmc.edu.hk
sec
Internet Research Task ForceThis document describes the SM4 symmetric blockcipher algorithm
published as GB/T 32907-2016 by the State Cryptography
Administration of China (SCA).This document is a product of the Crypto Forum Research Group (CFRG).SM4 is a cryptographic standard
issued by the State Cryptography Administration (SCA) of China
(formerly the Office of State Commercial Cryptography Administration, OSCCA)
as an authorized cryptographic algorithm for the use within China. The
algorithm is published in public.SM4 is a symmetric encryption algorithm, specifically a blockcipher,
designed for data encryption.This document does not aim to introduce a new algorithm, but to
provide a clear and open description of the SM4 algorithm in English,
and also to serve as a stable reference for IETF documents that utilize
this algorithm.While this document is similar to in nature, is a textual
translation of the "SMS4" algorithm published in 2006. Instead, this
document follows the updated description and structure of
published in 2016. Sections 1 to 7 of this document directly map to the
corresponding sections numbers of the standard for
convenience of the reader.This document also provides additional information on the design
considerations of the SM4 algorithm , its modes of operations
that are currently being used (see ), and the offical SM4 OIDs
(see ).The "SMS4" algorithm (the former name of SM4) was invented by Shu-Wang Lu
. It was first published in 2003 as part of ,
then published independently in 2006 by SCA (OSCCA at that time) ,
published as an industry cryptographic standard and renamed to "SM4" in 2012 by
SCA (OSCCA at that time) , and finally formalized in 2016 as a
Chinese National Standard (GB Standard) . SM4 has also been
standardized in by the International Organization for
Standardization in 2017.SMS4 was originally created for use in protecting wireless networks ,
and is mandated in the Chinese National Standard for Wireless LAN WAPI (Wired
Authentication and Privacy Infrastructure) . A proposal was
made to adopt SMS4 into the IEEE 802.11i standard, but the algorithm was
eventually not included due to concerns of introducing inoperability with
existing ciphers.The latest SM4 standard was proposed by the SCA (OSCCA at
that time), standardized through TC 260 of the Standardization Administration
of the People’s Republic of China (SAC), and was drafted by the following
individuals at the Data Assurance and Communication Security Research Center
(DAS Center) of the Chinese Academy of Sciences, the China Commercial
Cryptography Testing Center and the Beijing Academy of Information Science &
Technology (BAIST):Shu-Wang LuDai-Wai LiKai-Yong DengChao ZhangPeng LuoZhong ZhangFang DongYing-Ying MaoZhen-Hua LiuThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14
when, and only when, they appear in all capitals, as shown here.The following terms and definitions apply to this document.Bit-length of a message block.Bit-length of a key.An operation that converts a key into a round key.The number of iterations that the round function is run.A key used in each round on the blockcipher, derived from the input key, also
called a subkey.a 32-bit quantityThe S (substitution) box function produces 8-bit output from 8-bit input,
represented as S(.)bitwise exclusive-or of two 32-bit vectors S and T.
S and T will always have the same length.32-bit bitwise cyclic shift on a with i bits shifted left.The SM4 algorithm is a blockcipher, with block size of 128 bits and a key
length of 128 bits.Both encryption and key expansion use 32 rounds of a nonlinear key schedule
per block. Each round processes one of the four 32-bit words that constitute
the block.The structure of encryption and decryption are identical, except that the round key
schedule has its order reversed during decryption.Using a 8-bit S-box, it only uses exclusive-or, cyclic bit shifts and S-box
lookups to execute.The SM4 encryption key is 128 bits long and represented below, where each
MK_i, (i = 0, 1, 2, 3) is 32 bits long.
MK = (MK_0, MK_1, MK_2, MK_3)
The round key schedule is derived from the encryption key, represented as below
where each rk_i (i = 0, ..., 31) is 32 bits long:
(rk_0, rk_1, ... , rk_31)
The family key used for key expansion is represented as FK, where
each FK_i (i = 0, ..., 3) is 32 bits long:
FK = (FK_0, FK_1, FK_2, FK_3)
The constant key used for key expansion is represented as CK, where
each CK_i (i = 0, ..., 31) is 32 bits long:
CK = (CK_0, CK_1, ... , CK_31)
The round function F is defined as:
F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk)
Where:Each $$X_i$ is 32-bit wide.The round key rk is 32-bit wide.T is a reversible permutation that outputs 32 bits from a 32-bit input.It consists of a nonlinear transform tau and linear transform L.
T(.) = L(tau(.))
The permutation T' is created from T by replacing the
linear transform function L with L'.
T'(.) = L'(tau(.))
tau is composed of four parallel S-boxes.Given a 32-bit input A, where each a_i is a 8-bit string:
A = (a_0, a_1, a_2, a_3)
The output is a 32-bit B, where each b_i is a 8-bit string:
B = (b_0, b_1, b_2, b_3)
B is calculated as follows:
(b_0, b_1, b_2, b_3) = tau(A)
tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3))
The output of nonlinear transformation function tau is used as input
to linear transformation function L.Given B, a 32-bit input.The linear transformation L' is defined as follows.
L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24)
The linear transformation L' is defined as follows.
L'(B) = B xor (B <<< 13) xor (B <<< 23)
The S-box S used in nonlinear transformation tau is given in
the lookup table shown in with hexadecimal values.For example, input "EF" will produce an output read from the S-box table
row E and column F, giving the result S(EF) = 84.The encryption algorithm consists of 32 rounds and 1 reverse transform R.Given a 128-bit plaintext input, where each X_i is 32-bit wide:The output is a 128-bit ciphertext, where each Y_i is 32-bit wide:Each round key is designated as rk_i, where each rk_i is 32-bit wide
and i = 0, 1, 2, ..., 31.32 rounds of calculationreverse transformationPlease refer to for sample calculations.A flow of the calculation is given in .Decryption takes an identical process as encryption, with the only difference
the order of the round key sequence.During decryption, the round key sequence is:Round keys used during encryption are derived from the encryption key.Specifically, given the encryption key MK, where each MK_i is 32-bit
wide:Each round key rk_i is created as follows, where i = 0, 1, ..., 31.Since the decryption key is identical to the encryption key, the round keys
used in the decryption process are derived from the decryption key through
the identical process to that of during encryption. depicts the i-th round of SM4.Family key FK given in hexadecimal notation, is:The method to retrieve values from the constant key CK is as follows.Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of CK_i.Therefore, each ck_{i, j} is a 8-bit string, and each CK_i a 32-bit word.The values of the constant key CK_i, where (i = 0, 1, ..., 31), in
hexadecimal, are:This document defines multiple modes of operation for the SM4 blockcipher
algorithm.The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB (Cipher
FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are defined in
and utilized with the SM4 algorithm in the following
sections.Hereinafter we define:The SM4 algorithm that encrypts plaintext P with key K, described in The SM4 algorithm that decrypts ciphertext C with key K, described in block size in bits, defined as 128 for SM4block j of ciphertext bitstring Pblock j of ciphertext bitstring CNumber of blocks of size b-bit in bitstring BInitialization vectorLeast significant b bits of the bitstring SMost significant b bits of the bitstring SThe CBC, CFB and OFB modes require an additional input to the encryption process,
called the initialization vector (IV). The identical IV is used in the input
of encryption as well as the decryption of the corresponding ciphertext.Generation of IV values MUST take into account of the considerations
in recommended by .In SM4-ECB, the same key is utilized to create a
fixed assignment for a plaintext block with a ciphertext block, meaning
that a given plaintext block always gets encrypted to the same ciphertext
block. As described in , this mode should be avoided if
this property is undesirable.This mode requires input plaintext to be a multiple of the block size,
which in this case of SM4 it is 128-bit. It also allows multiple blocks
to be computed in parallel.Inputs:P, plaintext, length MUST be multiple of bK, SM4 128-bit encryption keyOutput:C, ciphertext, length is a multiple of bC is defined as follows.Inputs:C, ciphertext, length MUST be multiple of bK, SM4 128-bit encryption keyOutput:P, plaintext, length is a multiple of bP is defined as follows.SM4-CBC is similar to SM4-ECB that the input plaintext MUST be a multiple
of the block size, which is 128-bit in SM4. SM4-CBC requires
an additional input, the IV, that is unpredictable for a particular
execution of the encryption process.Since CBC encryption relies on a forward cipher operation that depend on results
of the previous operation, it cannot be parallelized. However, for decryption,
since ciphertext blocks are already available, CBC parallel decryption is
possible.Inputs:P, plaintext, length MUST be multiple of bK, SM4 128-bit encryption keyIV, 128-bit, unpredictable, initialization vectorOutput:C, ciphertext, length is a multiple of bC is defined as follows.Inputs:C, ciphertext, length MUST be a multiple of bK, SM4 128-bit encryption keyIV, 128-bit, unpredictable, initialization vectorOutput:P, plaintext, length is multiple of bP is defined as follows.SM4-CFB relies on feedback provided by successive ciphertext segments to
generate output blocks. The plaintext given must be a multiple of the block
size.Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for a particular
execution of the encryption process.SM4-CFB further allows setting a positive integer parameter s, that is less than or
equal to the block size, to specify the size of each data segment. The same
segment size must be used in encryption and decryption.In SM4-CFB, since the input block to each forward cipher function depends
on the output of the previous block (except the first that depends on the IV),
encryption is not parallelizable. Decryption, however, can be parallelized.SM4-CFB takes an integer s to determine segment size in its encryption and
decryption routines. We define the following variants of SM4-CFB for
various s:SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1.SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8.SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64.SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128.Inputs:P#, plaintext, length MUST be multiple of sK, SM4 128-bit encryption keyIV, 128-bit, unpredictable, initialization vectors, an integer 1 <= s <= b that defines segment sizeOutput:C#, ciphertext, length is a multiple of sC# is defined as follows.Inputs:C#, ciphertext, length MUST be a multiple of sK, SM4 128-bit encryption keyIV, 128-bit, unpredictable, initialization vectors, an integer 1 ⇐ s ⇐ b that defines segment sizeOutput:P#, plaintext, length is multiple of sP# is defined as follows.SM4-OFB is the application of SM4 through the Output Feedback mode.
This mode requires that the IV is a nonce, meaning that the IV MUST
be unique for each execution for an input key. OFB does not require the
input plaintext to be a multiple of the block size.In OFB, the routines for encryption and decryption are identical. As
each forward cipher function (except the first) depends on previous
results, both routines cannot be parallelized. However given a known IV, output
blocks could be generated prior to the input of plaintext (encryption)
or ciphertext (decryption).Inputs:P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 ⇐ u ⇐ bK, SM4 128-bit encryption keyIV, a nonce (a unique value for each execution per given key)Output:C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 ⇐ u ⇐ bC is defined as follows.Inputs:C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 ⇐ u ⇐ bK, SM4 128-bit encryption keyIV, the nonce used during encryptionOutput:P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 ⇐ u ⇐ bC is defined as follows.SM4-CTR is an implementation of a stream cipher through a blockcipher
primitive. It generates a "keystream" of keys that are used to
encrypt successive blocks, with the keystream created from the input key,
a nonce (the IV) and an incremental counter. The counter could be any
sequence that does not repeat within the block size.Both SM4-CTR encryption and decryption routines could be parallelized, and
random access is also possible.Inputs:P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 ⇐ u ⇐ bK, SM4 128-bit encryption keyIV, a nonce (a unique value for each execution per given key)T, a sequence of counters from T_1 to T_nOutput:C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 ⇐ u ⇐ bC is defined as follows.Inputs:C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= bK, SM4 128-bit encryption keyIV, a nonce (a unique value for each execution per given key)T, a sequence of counters from T_1 to T_nOutput:P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= bP is defined as follows.The Object Identifier for SM4 is identified through these OIDs.All SM4 GM/T OIDs belong under the "1.2.156.10197" OID prefix,
registered by the Chinese Cryptography Standardization Technology
Committee ("CCSTC"), a committee under the SCA. Its components are
described below in ASN.1 notation."id-ccstc" {iso(1) member-body(2) cn(156) ccstc(10197)}These SM4 OIDs are assigned in and described in
."1.2.156.10197.1.100" for "Blockcipher Algorithms":"id-bc" {id-ccstc sm-scheme(1) block-cipher(100)}"1.2.156.10197.1.104" for "Blockcipher Algorithm: SM4":"id-bc-sm4" {id-ccstc sm-scheme(1) sm4(104)}The "SM4 Blockcipher Algorithm" standard is assigned the OID
"1.2.156.10197.6.1.1.2" in and this assignment is
also described in ."id-standard-sm4" {id-ccstc standard(1) fundamental(1) algorithm(1) sm4(2)}Note that this OID is purely used for identifying the SM4 standard
itself.SM4 is assigned the OID "1.0.18033.3.2.4" ("id-bc128-sm4") in
. Its components are described below in ASN.1
notation."is18033-3" {iso(1) standard(0) is18033(18033) part3(3)}"id-bc128" {is18033-3 block-cipher-128-bit(2)}"id-bc128-sm4" {id-bc128 sm4(4)}The chaos principle and the diffusion principle are two basic principles of
block cipher design. A well-designed blockcipher algorithm should be based on a
cryptographically sound basic transformation structure, with its round
calculation based on a cryptographically sound basic transformation.The cryptographic properties of the basic transformation determines the
efficiency of the resulting encryption transformation.The SM4 algorithm is structured on orthomorphic permutation. Its round
transformation is an orthomorphic permutation, and its cryptographic properties
can be deduced from the characteristics of orthomorphic permutations.Let the single round of the SM4 block cipher algorithm be P, for any given
plaintext X, P (X, K ')! = P (X, K) if the key K'! = K.The conclusion shows that if X is a row variable and K is a column
variable, the square P(X, K) forms a Latin square. There are two
conclusions about the nature of cryptography:The SM4 blockcipher algorithm will produce different round transformations
given different keys.The SM4 blockcipher algorithm, within a single round, will produce a
different output given the same input with different keys.An S-box can be viewed as a bijection:S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m.S(x): F_2^n -> F_2^m can be represented as a multi-output boolean function
with n-bit input and m-bit output, or a n x m S-box (an S-box with n inputs
and m outputs), usually realized as a substitution that takes an n-bit input
and produces a m-bit output. In SM4, the S-box takes n = m = 8.In many blockciphers, the S-box is the sole element providing nonlinearity, for
the purpose of mixing, in order to reduce linearity and to hide its variable
structure.The cryptographic properties of the S-box directly affects the resulting
cryptographic strength of the blockcipher. When designing a blockcipher, the
cryptographic strength of the S-box must be taken into account. The
cryptographic strength of an S-box can be generally measured by factors such as
its nonlinearity and differential distribution.In order to prevent insertion attacks, the algebraic formula used for
cryptographic substitution should be a high degree polynomial and contain a
large number of terms.The algebraic expression of the SM4 S-box is determined through Lagrange’s
interpolation to be a polynomial of the 254th degree with 255 terms, providing
the highest level of complexity based on its size:Any n boolean function f(x): F_2^n -> F_2 can be represented
uniquely in its algebraic normal form shown below:The "algebraic degree" of the n-boolean function f(X) is defined to be the
algebraic degree of the highest algebraic degree of its terms with a nonzero
coefficient in its ANF representation. The constant of the i-th term of f(x) in
ANF representation is called the i-th term of f(X), the total number of all
i-th (0<=i<=n) terms is called the "number of terms" of f(X).S(X) can be represented as a m-component function
S(X) = (f_1(X), f_2(X), ... f_m(X)): F_2^n -> F_2^m.
Consider S(X) to be a random substitution, each of its component functions
would be best to have algebraic degree of n-1, each component function i-th
coefficient should be near C_n^i/2. If the algebraic degree is too low, for
example, each component function has a degree of 2, then the algorithm can be
easily attacked by advanced differential cryptanalysis. If the number of terms
are insufficient, then it may improve the success probability of insert
attacks.The algebraic degrees and number of terms of the SM4 S-box are described in
.The definition of differential distribution has been given in .Differential cryptanalysis is a chosen-plaintext attack, with the understanding
that analysis of selected plaintexts of differentials can retrive the most
probable key. Differential distribution is an attribute to measure the
resistance of a cryptographic function against differential cryptanalysis.delta_S is the differential distribution of the S-box S.According to the definition of differential distribution,
2^{-m} <= delta_S <= 2^{m-n},
if there is a delta_S = 2^{m-n} then S is considered a fully nonlinear
function from F_2^n to F_2^m. For resistance against differential
cryptanalysis, the differential distribution should be as low as possible.The highest differential distribution of the SM4 S-box is 2^{-6}, meaning
it has a good resistance against differential cryptanalysis.The nonlinearity of an S-box is described by .Let S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m be a
multi-output function. The nonlinearity of S(X) is defined as
N_S = min_{l in L_n, 0 != u in F_2^m} d_H (u . S(X), l(X)).L_n is the group of all n-boolean functions, d_H(f, l) is the Hamming distance
between f and l. The nonlinearity of the S-box is in fact the minimum Hamming
distance between all the Boolean functions and all affine functions.The upper-bound of nonlinearity is known to be 2^{n-1} - 2^{n/2 - 1}, where
a Boolean function that reaches this bound is called a "bent function".The nonlinearity of a Boolean function is used to measure resistance against
linear attacks. The higher the nonlinearity, the higher resistance that the
Boolean function f(x) has against linear attacks. On the contrary, the lower
the nonlinearity, the Boolean function f(x) has lower resistance against linear
attacks.The nonlinearity of the SM4 S-box is 112.Linear approximation of a S-box is defined in . Given a S-box with
n inputs and m outputs, any linear approximation can be represented as :
a . X = b . Y, where a in F_2^n, b in F_2^m.The probability p that satisfies a . X = b . Y is| p - 1/2 | <= 1/2 - N_S / 2^nwhere | p - 1/2 | is the advantage of
the linear approximation equation, lambda_S = 1/2 - N_s / 2^n is the
maximum advantage of the S-box.The maximum advantage of the SM4 S-box is 2^{-4}.A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is
considered "balanced" if for any beta in F_2^m,
there are 2^{n-m} x in F_2^n, such that S(x) = beta.The SM4 S-box is balanced.A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is
considered "complete" if every input bit directly correlates to an output bit.In algebraic expression, each component function contains the unknown variables
x_1, x_2, ... x_n, such that for any
(s, t) in { (i, j) | 1 <= i <= n, 1 <= j <= m}, there is an X that
S(X) and S(X and e_s) would contain a different bit t.Avalanche effect refers to a single bit change in the input would correspond to
a change of half of the output bits.The SM4 S-box satisfies completness and the avalanche effect.Linear transformation is used to provide diffusion in SM4. A blockcipher
algorithm often adopts m x m S-boxes to form an obfuscation layer.Since the m-bits output by one S-box are only related to the m bits of its
input and are irrelevant to the input of other S boxes, the introduction of a
linear transform would disrupt and mix the output m-bits so that they seem
correlating to the other S-box inputs.A sound linear transform design will diffuse the S-box output, allowing the
blockcipher to resist differential and linear cryptanalysis.An important measure of the diffusivity of a linear transform is its branch
number.The "branch number" of a linear transform is defined in :Where B(theta) is the branch number of transform theta, w_b(x) is a
non-zero integer x_i (1 ⇐ i ⇐ m), and x_i is called the "bundle weight".The branch number can be used to quantify the resistance of the block cipher
algorithm to differential cryptanalysis and linear cryptanalysis.Similar to differential cryptanalysis and linear cryptanalysis, the
differential branch number and linear branch number of theta can be defined as
follows.The differential branch number of theta is:The linear branch number of theta is:The branch number in a linear transformation reflects its diffusivity. The
higher the branch number, the better the diffusion effect.This means that the larger the differential branch number or linear branch
number, the more known plaintexts will be required for differential or linear
cryptanalysis respectively.The linear transform differential branch number and linear branch number of SM4
are both 5.The SM4 key schedule is designed to fulfill the security requirements of the
encryption algorithm and achieve ease of implementation for performance
reasons.All subkeys are derived from the encryption key, and therefore, subkeys are
always statistically relevant. In the context of a blockcipher, it is not
possible to have non-statistical-correlated subkeys, but the designer can only
aim to have subkeys achieve near statistical independence .The purpose of the key schedule, generated through the key expansion algorithm,
is to mask the statistical correlation between subkeys to make this
relationship difficult to exploit.The SM4 key expansion algorithm satisfies the following design criteria:There are no obvious statistical correlation between subkeys;There are no weak subkeys;The speed of key expansion is not slower than the encryption algorithm, and
uses less resources;Every subkey can be directly generated from the encryption key.SM4 has been heavily cryptanalyzed by international researchers since
it was first published. Nearly all currently known cryptanalysis techniques
have been applied to SM4.At the time of publishing this document, there are no known practical attacks
against the full SM4 blockcipher. However, there are side-channel concerns
when the algorithm is implemented in a hardware device.A summary of cryptanalysis results are presented in the following
sections.In 2008, Zhang et al. gave a 21-round differential analysis
with data complexity 2^188, time complexity 2^126.8 encryptions.In 2008, Kim et al. gave a 22-round differential attack that requires
2^118 chosen plaintexts, 2^123 memory and 2^125.71 encryptions.In 2009, Zhang et al. (differing author but overlapping team)
gave a 18-round differential characteristics with an attack
that reaches the 22nd round, with data complexity 2^117 and time complexity
2^112.3.In 2010, Zhang et al. (with no relation to above)
utilized 18-round differential characteristics for the 22nd round with
2^117 chosen plaintexts with time complexity 2^123 encryptions, memory
complexity of 2^112.In 2011, Su et al. gave a 19 round differential characteristics
and pushed their attack to the 23rd round, with data complexity of 2^118
chosen plaintexts, time complexity 2^126.7 encryptions, and memory
complexity 2^120.7.In 2008 Etrog et al. provided a linear cryptanalysis result
for 22 rounds of SM4, the data complexity is given as 2^188.4 known
plaintexts, time complexity 2^117 encrypt operations.In the same year, Kim et al. improved on the linear cryptanalysis result
for 22 rounds of SM4 with data complexity of 2^117 known plaintexts, memory
complexity of 2^109 and time complexity of 2^109.86.In 2011 Dong presented a linear cryptanalysis result for 20
rounds, 2^110.4 known ciphertexts, 2^106.8 encryption operations,
memory complexity 2^90.In 2014 Liu et al. presented their linear cryptanalysis for
23-rounds of SM4, time complexity 2^112 encryption
operations, data complexity 2^126.54 known ciphertexts, memory complexity
2^116.In 2017 Liu et al. presented an attack based on linear
cryptanalysis on 24-rounds of SM4, with time complexity of 2^122.6
encryptions, data complexity of 2^122.6 known ciphertexts, and memory
complexity of 2^85.In 2010, Liu et al. constructed a series of 18 rounds of linear
traces based on a 5-round circular linear trace, capable of attacking 22 rounds
of SM4. The required data complexity was 2^112 known plaintexts, time
complexity 2^124.21 encryption operations, with memory complexity of
2^118.83.In 2010 Cho et al. gave a linear analysis of 23 rounds of SM4
with a data complexity of 2^126.7 known plaintexts and a time complexity of
2^127, memory complexity of 2^120.7.In 2014, Liu et al. gave the results of multi-dimensional
linear analysis of 23 rounds of SM4 algorithm. The time complexity was
2^122.7, data complexity was 2^122.6 known plaintext with memory
complexity 2^120.6.In 2007 Lu et al. first presented 16 rounds of impossible differential
analysis of SM4 with the required data complexity 2^105 chosen plaintexts,
time complexity 2^107 encryption operations.In 2008 Toz et al. revised the results of , that the data
complexity is actually 2^117.05 chosen plaintexts, time complexity
2^132.06 encryptions, but its complexity is already beyond the 2^128
limit.In 2010 Wang et al. pushed the impossible differential
cryptanalysis to 17 rounds of SM4, the data complexity is 2^117 chosen
ciphertexts, time complexity 2^132 memory queries.In 2015 Ma et al. gives the results of multi-dimensional
zero-correlation linear cryptanalysis of a 14-round SM4 algorithm. The required
data complexity is 2^123.5 known plaintexts, time complexity is 2^120.7
encryption operations and memory complexity of 2^73 blocks.In 2007 Liu et al. first gave a 13-round integral analysis of
SM4, which required 2^16 chosen plaintexts and time complexity of 2^114
encryption operations.In 2008 Zhong et al. constructed a 12-round distinguisher of
SM4 to attack 14-round SM4, with data complexity of 2^32 chosen plaintexts
and time complexity 2^96.5 encryptions.In 2009 Ji et al. and in 2010 Erickson et al.
utilized algebraic methods such as XL, Groebner base and SAT to analyze the
resistance of SM4 against algebraic attacks. The results demonstrate that SM4
is safe against algebraic attacks, and specifically, has a higher resistance
against algebraic attacks than AES.In 2007 Lu et al. provided a matrix attack against 14-round SM4, with
data complexity 2^121.82 chosen plaintexts, time complexity 2^116.66
encryptions.In 2008 Toz et al. lowered both data and time complexity of
the aformentioned attack to 2^106.89 chosen ciphertexts and time complexity
of 2^107.89.In 2008, Zhang et al. provided a matrix
attack against 16-round SM4, which required a data complexity of 2^125
chosen plaintexts and time complexity of 2^116 encryptions.She’s Master dissertation provided a SM4
16-round matrix distinguisher that can attack 18-round SM4, with data
complexity of 2^127 chosen plaintexts and time complexity 2^110.77
encryptions with memory complexity of 2^130.In 2012 Wei et al. applied differential analysis and algebraic attack
techniques on 20-round SM4 and discovered that the combined attack results on
20-round SM4 are superior than using pure differential cryptanalysis.SM4 uses a novel structure differing from the general Feistel and SP
structures. has proven that the SM4 non-balanced Feistel structure is
pseudo-random. analyzes the SM4 non-balanced Feistel structure on its resistance
against differential and linear cryptanalysis techniques. Under SP type round
functions with branch number 5, it is proven that in a 27-round SM4 guarantees
at least 22 active S-boxes, therefore SM4 is secure against differential
attacks. has analyzed resistance of SM4 against linear cryptanalysis.Related-key differential cryptanalysis is related to the encryption algorithm
and key schedule. When performing a related-key attack, the attacker
simultaneously insert differences in both the key and the message.In , Sun et al. proposed an automated differential route search
method based on MILP (mixed-integer linear programming) that can be used to
assess the security bounds of a blockcipher under (related-key) differential
cryptanalysis. describes the lower bounds of active S-boxes within SM4
and is shown in .RoundSingle KeyRelated Key30041152262475686897910810119111210131310141410141513161614181715191816201918222018-2119-2220-2322-2423-2523-2624-As the maximal probability of the SM4 S-box is 2^−6, when the minimum active
S-boxes reach 22 the differential characteristics will have probability
2^132, which is higher than enumeration (2^128).This indicates that 19 rounds and 23 rounds under related key and single key
settings will provide a minimum of 22 active S-boxes and is able to resist
related-key differential attacks. provides a summary on the strongest attacks on SM4
at the time of publishing.MethodRoundsComplexityReferenceLinear24Time: 2^{122.6},
Data: 2^{122.6},
Memory: 2^{85}Multi-dimensional Linear23Time: 2^{122.7},
Data: 2^{122.6},
Memory: 2^{120.6}Differential23Time: 2^{126.7},
Data: 2^{117},
Memory: 2^{120.7}Matrix18Time: 2^{110.77},
Data: 2^{127},
Memory 2^{130}Impossible Differential17Time: 2^{132},
Data: 2^{117},
Memory: — Zero-correlation Linear14Time: 2^{120.7},
Data: 2^{123.5},
Memory: 2^{73}Integral14Time: 2^{96.5},
Data: 2^{32},
Memory: — As of the publication of this document, no open research results have provided
a method to successfully attack beyond 24 rounds of SM4.The traditional view suggests that SM4 provides an extra safety margin
compared to blockciphers adopted in that already have
full-round attacks, including MISTY1 and AES
.Products and services that utilize cryptography are regulated by the SCA
; they must be explicitly approved or certified by the SCA before being
allowed to be sold or used in China.SM4 is a blockcipher symmetric algorithm with key length of 128 bits. It is
considered as an alternative to AES-128 .SM4 is a blockcipher certified by the SCA .
No formal proof of security is provided. There are no known practical
attacks against SM4 algorithm by the time of publishing this document, but
there are security concerns with regards to side-channel attacks when the
SM4 algorithm is implemented in hardware.For instance, illustrated an attack by measuring the power
consumption of the device. A chosen ciphertext attack, assuming a fixed
correlation between the round keys and data mask, is able to recover the round
key successfully.
When the SM4 algorithm is implemented in hardware, the parameters and keys
SHOULD be randomly generated without fixed correlation.
There have also been improvements to the hardware embodiment design for SM4
, white-box implementions ,
and performance enhancements , that may resist such attacks.The IV does not have to be secret. The IV itself, or criteria enough to
determine it, MAY be transmitted with ciphertext.SM4-ECB: ECB is one of the four original modes defined for DES. With its
problem well known to "leak quite a large amount of information" ,
it SHOULD NOT be used in most cases.SM4-CBC, SM4-CFB, SM4-OFB: CBC, CFB and OFB are IV-based modes of operation
originally defined for DES.When using these modes of operation, the IV SHOULD be random to preserve
message confidentiality . It is shown in the same document that
CBC, CFB, OFB, the variants #CBC, #CFB that utilize the recommendation of
to make CBC and CFB nonce-based, are SemCPA secure as
probabilistic encryption schemes.
Various attack scenarios have been described in and these modes
SHOULD NOT be used unless for compatibility reasons.SM4-CTR: CTR is considered to be the "best" mode of operation within
as it is considered SemCPA secure as a nonce-based
encryption scheme, providing provable-security guarantees as good as
the classic modes of operation (ECB, CBC, CFB, OFB) .Users with no need of authenticity, non-malleablility and chosen-ciphertext
(CCA) security MAY utilize this mode of operation .This document does not require any action by IANA.GB/T 32907-2016: Information security technology -- SM4 block cipher algorithmStandardization Administration of the People's Republic of China9 Madian Donglu, Haidian DistrictBeijingBeijing100088People's Republic of China+86 (0)10 8226-2609http://www.sac.gov.cnISO/IEC WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block ciphers -- Amendment 2International Organization for StandardizationBIBC IIChemin de Blandonnet 8CP 401VernierGeneva1214Switzerland+41 22 749 01 11central@iso.orghttps://www.iso.org/
&RFC2119;
&RFC8174;
Biclique Cryptanalysis of the Full AESK.U.LeuvenBelgiumMicrosoft ResearchRedmondWAUSAENS Paris and Chaire France TelecomFranceImproved Cryptanalysis of RijndaelCounterpane Internet Security, Inc.San JoseCAUSACounterpane Internet Security, Inc.San JoseCAUSAUniversity of MannheimMannheimGermanyCounterpane Internet Security, Inc.San JoseCAUSAAccess Data Corp.2500 N. UniversityProvoUTUSAUniversity of California BerkeleyBerkeleyCAUSAHi/fn, Inc.CarlsbadUSARelated-Key Cryptanalysis of the Full AES-192 and AES-256University of LuxembourgUniversity of LuxembourgAutomatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block CiphersState Key Laboratory of Information SecurityChinese Academy of SciencesBeijingChinaState Key Laboratory of Information SecurityChinese Academy of SciencesBeijingChinaState Key Laboratory of Information SecurityChinese Academy of SciencesBeijingChinaState Key Laboratory of Information SecurityChinese Academy of SciencesBeijingChinaState Key Laboratory of Information SecurityChinese Academy of SciencesBeijingChinaState Key Laboratory of Information SecurityChinese Academy of SciencesBeijingChinaBlock Cipher Design and Analysis (in Chinese)Tsinghua University PressEvaluation of Some Blockcipher Modes of OperationUniversity of California, DavisDept. of Computer ScienceKemper Hall of Engineering, #3009One Shields AvenueDavisCalifornia95616-8562United States of America+1 530 752 7583rogaway@cs.ucdavis.eduhttp://www.cs.ucdavis.edu/rogawayBotan: Crypto and TLS for C++11Botan ProjectUnited States of Americajack@randombit.nethttps://botan.randombit.netInformation technology -- Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Specific requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) SpecificationsStandardization Administration of the People's Republic of ChinaNo. 9 Madian Donglu, Haidian DistrictBeijingBeijing100088People's Republic of China+86 (0)10 8226-2609http://www.sac.gov.cnGB/T 33560-2017: Information security technology -- Cryptographic application identifier criterion specificationStandardization Administration of the People's Republic of ChinaNo. 9 Madian Donglu, Haidian DistrictBeijingBeijing100088People's Republic of China+86 (0)10 8226-2609http://www.sac.gov.cnGM/T 0002-2012: SM4 block cipher algorithmOffice of State Commercial Administration of China7 Dian Chang Lu, Fengtai QuBeijingBeijing100036People's Republic of China+86 (0)10 5970-3789http://www.oscca.gov.cnGM/T 0006-2012: Cryptographic Application Identifier Criterion SpecificationOffice of State Commercial Administration of China7 Dian Chang Lu, Fengtai QuBeijingBeijing100036People's Republic of China+86 (0)10 5970-3789http://www.oscca.gov.cnISO/IEC 18033-3:2010 -- Encryption algorithms -- Part 3: Block ciphersInternational Organization for StandardizationBIBC IIChemin de Blandonnet 8CP 401VernierGeneva1214Switzerland+41 22 749 01 11central@iso.orghttps://www.iso.org/Lv Shu Wang -- A life in cryptographyXinhua CatalogA 2^{70} Attack on the Full MISTY1Bar Ilan UniversityRamat GanIsraelabo1000@gmail.comBar Ilan UniversityRamat GanIsraelabo1000@gmail.comIntegral Cryptanalysis on Full MISTY1NTT Secure Platform LaboratoriesTokyoJapantodo.yosuke@lab.ntt.co.jpNIST FIPS 197: Advanced Encryption Standard (AES)National Institute of Standards and Technology100 Bureau DriveGaithersburgMD20899-8900United Stateshttp://www.nist.gov/NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation -- Methods and TechniquesNational Institute of Standards and Technology100 Bureau DriveGaithersburgMD20899-8930United Stateshttp://www.nist.gov/OpenSSL: Cryptography and SSL/TLS ToolkitOpenSSL Software Foundation20-22 Wenlock RoadLondonN1 7GUUnited Kingdom+44 17 8550 8015info@opensslfoundation.orghttps://www.openssl.orgState Cryptography Administration of ChinaState Cryptography Administration of China7 Dian Chang Lu, Fengtai QuBeijingBeijing100036People's Republic of China+86 (0)10 5970-3789http://www.sca.gov.cnAlgebraic Cryptanalysis of SMS4: Gröbner Basis Attack and SAT Attack Compared The University of North Carolina at Chapel HillChapel HillNCUnited States of AmericaDepartment of Mathematical SciencesUniversity of CincinnatiCincinnatiOH45221United States of AmericaNorthern Kentucky UniversityUnited States of AmericaAlgebraic Attack to SMS4 and the Comparison with AESBeijing Electron. Sci. and Technol. Inst.BeijingChinaState Key Lab. of Inf. SecurityGraduate School of Chinese Academy of SciencesBeijing100049ChinaBeijing Electron. Sci. and Technol. Inst.BeijingChinaOverview on SM4 AlgorithmData Assurance Communication Security Center, Chinese Academy of ScienceBeijing100093People's Republic of Chinaswlu@ustc.edu.cnState Key Laboratory of CryptologyBeijing100878People's Republic of Chinasubozhan@163.comInstitute of InformationEngineering, Chinese Academy of ScienceBeijing100093People's Republic of Chinawp@is.ac.cnCommercial Cryptography Testing CenterBeijing100036People's Republic of Chinamaoyy2000@163.comCommercial Cryptography Testing CenterBeijing100093People's Republic of Chinalily.home.hao@163.comSecurity of the SMS4 Block Cipher Against Differential CryptanalysisState Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinasubozhan@is.iscas.ac.cnhttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinahttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinahttp://www.is.cas.cn/Cryptanalysis of Reduced-Round SMS4 Block CipherState Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinazhanglei1015@is.iscas.ac.cnhttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinazhangwt06@yahoo.comhttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinawwl@is.iscas.ac.cnhttp://www.is.cas.cn/Some New Observations on the SMS4 Block Cipher in the Chinese WAPI StandardState Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinazhangwt06@yahoo.comhttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinawwl@is.iscas.ac.cnhttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinahttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinahttp://www.is.cas.cn/22-Round SMS4 Differential CryptanalysisNational Key Lab of Integrated Service NetworksXidian UniversityXi'an710071ChinaNational Key Lab of Integrated Service NetworksXidian UniversityXi'an710071ChinaNational Key Lab of Integrated Service NetworksXidian UniversityXi'an710071ChinaSMS4 Encryption Algorithm for Wireless NetworksSun Microsystems4150 Network CircleSanta ClaraCA95054United States of Americawhitfielddiffie@gmail.comhttps://cisac.fsi.stanford.edu/Sonoma State UniversityDarwin 116, 1801 East Cotati Ave.Rohnert ParkCA94928United States of Americageorge.ledin@sonoma.eduhttp://www.cs.sonoma.edu/Improvements of SM4 Algorithm and Application in Ethernet Encryption System Based on FPGAKey Laboratory of Electronic Engineering, University of Heilongjiang74 Xuefu RoadHarbinHeilongjiang150080People's Republic of Chinachengh@hlju.edu.cnhttphttp://www.hlju.edu.cn/Key Laboratory of Electronic Engineering, University of Heilongjiang74 Xuefu RoadHarbinHeilongjiang150080People's Republic of Chinahttphttp://www.hlju.edu.cn/Key Laboratory of Electronic Engineering, University of Heilongjiang74 Xuefu RoadHarbinHeilongjiang150080People's Republic of Chinachengh@hlju.edu.cnhttphttp://www.hlju.edu.cn/Key Laboratory of Electronic Engineering, University of Heilongjiang74 Xuefu RoadHarbinHeilongjiang150080People's Republic of Chinaqunding@aliyun.cnhttphttp://www.hlju.edu.cn/Key Laboratory of Electronic Engineering, University of Heilongjiang74 Xuefu RoadHarbinHeilongjiang150080People's Republic of Chinachenghdahuangr@163.comhttp://www.hlju.edu.cn/High-speed Encryption Decryption System Based on SM4Binzhou Polytechnic391 Huanghe RoadBinzhouShandong256600People's Republic of Chinaihappylucy@outlook.comhttp://www.bzu.edu.cn/Binzhou Polytechnic391 Huanghe RoadBinzhouShandong256600People's Republic of Chinalili_thesky@163.comhttp://www.bzu.edu.cn/Binzhou Polytechnic391 Huanghe RoadBinzhouShandong256600People's Republic of Chinayaya_sd@163.comhttp://www.bzu.edu.cn/Analysis of the SMS4 Block CipherState Key Laboratory of Information SecurityGraduate School of Chinese Academy of SciencesBeijing100049ChinaState Key Laboratory of Information SecurityGraduate School of Chinese Academy of SciencesBeijing100049ChinaState Key Laboratory of Information SecurityGraduate School of Chinese Academy of SciencesBeijing100049ChinaDepartment of Mathematical SciencesUniversity of CincinnatiCincinnatiOH45221USAState Key Laboratory of Information SecurityGraduate School of Chinese Academy of SciencesBeijing100049ChinaFachbereich InformatikTechnische Universität DarmstadtDarmstadt64289GermanyFachbereich InformatikTechnische Universität DarmstadtDarmstadt64289Germany14-Round Square Attack on Blockcipher SMS4Computer Network and Information Security Ministry of Education Key LaboratoryXidian UniversityPeople's Republic of ChinaComputer Network and Information Security Ministry of Education Key LaboratoryXidian UniversityPeople's Republic of ChinaComputer Network and Information Security Ministry of Education Key LaboratoryXidian UniversityPeople's Republic of ChinaAttacking Reduced-Round Versions of the SMS4 Block Cipher in the Chinese WAPI StandardUniversity of London, Information Security GroupRoyal HollowayEghamSurreyTW20 0EXUKUnited KingdomAnalysis of Two Attacks on Reduced-Round Versions of the SMS4Institute of Applied MathematicsMiddle East Technical UniversityAnkaraTurkeyDepartment of Electronical Engineering ESAT SDC-COSIC and Interdisciplinary Institute for BroadBand TechnologyKatholieke Universiteit LeuvenLeuven-HeverleeBelgiumImproved Impossible Differential Cryptanalysis on SMS4School of Computer Science and TechnologyDonghua UniversityShanghaiChinaLinear and Differential Cryptanalysis of Reduced SMS4 Block CipherCenter for Information Security Technologies (CIST), Korea UniversityRoom 615, International Center for Conversing Technology BuildingAnam Campus(Science), Korea University145 Anam-roSeongbuk-guSeoul02841Republic of Koreakimth714@cist.korea.ac.krhttp://gss.korea.edu/Center for Information Security Technologies (CIST), Korea UniversityRoom 615, International Center for Conversing Technology BuildingAnam Campus(Science), Korea University145 Anam-roSeongbuk-guSeoul02841Republic of Koreajoshep@cist.korea.ac.krhttp://gss.korea.edu/Center for Information Security Technologies (CIST), Korea UniversityRoom 615, International Center for Conversing Technology BuildingAnam Campus(Science), Korea University145 Anam-roSeongbuk-guSeoul02841Republic of Koreahsh@cist.korea.ac.krhttp://gss.korea.edu/Department of Mathematics, University of SeoulDepartment of Mathematical SciencesSeoul National University1 Gwan Ak-roGwanak-guSeoul08826Republic of Koreajcsung@uos.ac.krhttp://uos.ac.kr/Security Analysis of the blockciphers AES and SM4Xidian UniversityXianChinaThe Cryptanalysis of Reduced-Round SMS4Orange LabsIssy les MoulineauxCedexFranceOrange LabsIssy les MoulineauxCedexFranceImproved Linear Attacks on the Chinese Block Cipher StandardBeijing International Center for Mathematical Research, Peking University5 Yiheyuan Road Haidian DistrictBeijing100871People's Republic of Chinaliumj9705@pku.edu.cnhttp://www.bicmr.orgChina Information Technology Security Evaluation CenterBuilding 1, No.8, Shangdi West Road, Haidian DistrictBeijing100085People's Republic of Chinajiazhechen@gmail.comhttp://www.itsec.gov.cnImproved linear cryptanalysis of SM4 block cipherViennaAustriaViennaAustriaMultiple Linear Cryptanalysis of Reduced-Round SMS4 Block CipherDepartment of Computer Science and EngineeringShanghai Jiao Tong UniversityShanghai200240Chinailu_zq@sjtu.edu.cnDepartment of Computer Science and EngineeringShanghai Jiao Tong UniversityShanghai200240ChinaDepartment of Computer Science and EngineeringShanghai Jiao Tong UniversityShanghai200240ChinaMatrix Attack On Blockcipher SMS4Shandong UniversityJinanShandongChinaDifferential-Algebraic Analysis of the SMS4 Block CipherChengdu University of TechnologyChengdu University of TechnologyChengdu University of TechnologyNew Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University27 Shan Da Nan Lu, Licheng QuJinanShandong250100People's Republic of ChinaKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University27 Shan Da Nan Lu, Licheng QuJinanShandong250100People's Republic of ChinaKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University27 Shan Da Nan Lu, Licheng QuJinanShandong250100People's Republic of ChinaKey Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University27 Shan Da Nan Lu, Licheng QuJinanShandong250100People's Republic of Chinamqwang@sdu.edu.cnImproved chosen-plaintext power analysis attack against SM4 at the round-outputCollege of Information Security Engineering, Chengdu University of Information TechnologyBlock 1, 24 Xuefu RoadChengduMD610225Chinahttp://www.cuit.edu.cn/College of Information Security Engineering, Chengdu University of Information TechnologyBlock 1, 24 Xuefu RoadChengduMD610225Chinahttp://www.cuit.edu.cn/College of Information Security Engineering, Chengdu University of Information TechnologyBlock 1, 24 Xuefu RoadChengduMD610225Chinahttp://www.cuit.edu.cn/College of Information Security Engineering, Chengdu University of Information TechnologyBlock 1, 24 Xuefu RoadChengduMD610225Chinahttp://www.cuit.edu.cn/Security of SM4 Against (Related-Key) Differential CryptanalysisInstitute of Software, Chinese Academy of Sciences4 South Fourth Street, Zhong Guan CunBeijingBeijing100190People's Republic of Chinazhangjian@tca.iscas.ac.cnInstitute of Software, Chinese Academy of Sciences4 South Fourth Street, Zhong Guan CunBeijingBeijing100190People's Republic of Chinawwl@tca.iscas.ac.cnInstitute of Software, Chinese Academy of Sciences4 South Fourth Street, Zhong Guan CunBeijingBeijing100190People's Republic of Chinazhengyafei@tca.iscas.ac.cnPseudorandomness and Super-pseudorandomness of a non-balanced Feistel Structure using compressed functionsState Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinaliyen.zhang@is.cas.cnhttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinahttp://www.is.cas.cn/Practical security against linear cryptanalysis for SMS4-like ciphers with SP round functionPO. Box 1936Beijing100193Chinadzjszhangbin@126.comElectronic Technology InstituteInformation Engineering UniversityZhengzhouChinaPractically Secure against Differential Cryptanalysis for Block Cipher SMS4School of Communication and Information EngineeringXi'an University of Post and TelecommunicationsXi'anChinaSchool of Communication and Information EngineeringXi'an University of Post and TelecommunicationsXi'anChinaNational Key Lab of Integrated Service NetworksXidian UniversityXi'an710071ChinaSchool of Communication and Information EngineeringXi'an University of Post and TelecommunicationsXi'anChinaCryptographic Properties of S-box in SMS4Department of Electronic and Communications Engineering, Sun Yat-Sen UniversityBuilding 3, Gezhi Yuan132 Outer Ring East RoadUniversity City Punyu DistrictGuangzhouGuangdong510275People's Republic of Chinahttp://sece.sysu.edu.cnDepartment of Electronic and Communications Engineering, Sun Yat-Sen UniversityBuilding 3, Gezhi Yuan132 Outer Ring East RoadUniversity City Punyu DistrictGuangzhouGuangdong510275People's Republic of Chinahttp://sece.sysu.edu.cnDepartment of Electronic and Communications Engineering, Sun Yat-Sen UniversityBuilding 3, Gezhi Yuan132 Outer Ring East RoadUniversity City Punyu DistrictGuangzhouGuangdong510275People's Republic of Chinahttp://sece.sysu.edu.cnA VLSI implementation of an SM4 algorithm resistant to power analysisCollege of Information Science and Engineering, Hunan UniversityLushan Road S, Yuelu DistrictChangshaHunan410082People's Republic of Chinanickysy@hnu.edu.cnhttp://www.hnu.edu.cn/Department of Computer Science, New Platz, State University of New YorkSUNY New Paltz, 1 Hawk DriveNew PaltzNY12561United States of Americahttp://www.hnu.edu.cn/College of Information Science and Engineering, Hunan UniversityLushan Road S, Yuelu DistrictChangshaHunan410082People's Republic of Chinahttp://www.hnu.edu.cn/College of Information Science and Engineering, Hunan UniversityLushan Road S, Yuelu DistrictChangshaHunan410082People's Republic of Chinahttp://www.hnu.edu.cn/College of Mathematics and Computer Science, Performance Computing and Stochastic Information Processing, (Ministry of Education of China), Hunan Normal University36 Lushan Rd., Yuelu DistrictChangshaHunan410081People's Republic of Chinahttp://www.hunnu.edu.cn/A secure white-box SM4 implementationState Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinahttp://www.is.cas.cn/State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of SciencesInstitute of Software, Chinese Academy of Sciences4 South Fourth StreetZhong Guan CunBeijing100190People's Republic of Chinackwu@iie.ac.cnhttp://www.is.cas.cn/Multidimensional Zero-correlation Linear Cryptanalysis on SMS4 AlgorithmState Key Laboratory of Mathematical Engineering and Advanced ComputingInformation Engineering UniversityZhengzhou450001ChinaState Key Laboratory of Mathematical Engineering and Advanced ComputingInformation Engineering UniversityZhengzhou450001ChinaState Key Laboratory of Mathematical Engineering and Advanced ComputingInformation Engineering UniversityZhengzhou450001ChinaScience and Technology on Information Assurance LaboratoryBeijing100072ChinaSMS4 Cryptographic Algorithm For Wireless LAN ProductsOffice of State Commercial Administration of China7 Dian Chang Lu, Fengtai QuBeijingBeijing100036People's Republic of China+86 (0)10 5970-3789http://www.oscca.gov.cnSoftware Hardware Co-design for Side-Channel Analysis Platform on Security ChipsTsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/Tsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/Tsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/Tsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/Tsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/Tsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/Tsinghua National Laboratory for Information Science and Technology, Tsinghua UniversityTsinghua UniversityHaidianBeijing100190People's Republic of Chinahttp://www.sist.tsinghua.edu.cn/This is example 1 provided by to demonstrate encryption of a
plaintext.Plaintext:Encryption key:Status of the round key (rk_i) and round output (X_i) per round:Ciphertext:This demonstrates the decryption process of the Example 1 ciphertext provided
by .Ciphertext:Encryption key:Status of the round key (rk_i) and round output (X_i) per round:Plaintext:This example is provided by to demonstrate encryption of a
plaintext 1,000,000 times repeatedly, using a fixed encryption key.Plaintext:Encryption Key:Ciphertext:The following example demonstrates encryption of a different message using a
different key from the above examples.Plaintext:Encryption key:Status of the round key (rk_i) and round output (X_i) per round:Ciphertext:The following example demonstrates decryption of Example 4.Ciphertext:Encryption key:Status of the round key (rk_i) and round output (X_i) per round:Plaintext:This example is based on Example 4 to demonstrate encryption of a
plaintext 1,000,000 times repeatedly, using a fixed encryption key.Plaintext:Encryption Key:Ciphertext:The following examples can be verified using open-source cryptographic
libraries including:the Botan cryptographic library with SM4 support, andthe OpenSSL Cryptography and SSL/TLS Toolkit with SM4 supportPlaintext:Encryption Key:Ciphertext:Plaintext:Encryption Key:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:Plaintext:Encryption Key:IV:Ciphertext:"sm4.h" is the header file for the SM4 function."sm4.c" contains the main implementation of SM4."sm4_main.c" is used to run the examples provided in this document
and print out internal state for implementation reference."print.c" and "print.h" are used to provide pretty formatting used
to print out the examples for this document."print.h""print.c"The authors would like to thank the following persons for their valuable advice and input.Erick Borsboom, for assisting the lengthy review of this document;Jack Lloyd and Daniel Wyatt, of the Ribose RNP team, for their input and
implementation;Paul Yang, for reviewing and proposing improvements to readability of this
document;Markku-Juhani Olavi Saarinen, for reviewing and proposing inclusion of better
examples and reference code to aid implementers, as well as for actually
going through the examples to ensure their correctness.