The SM4 Block Cipher Algorithm And Its Modes Of Operations

Ribose
Suite 1111, 1 Pedder Street, Central, Hong Kong
ronald.tse@ribose.com
https://www.ribose.com

Hang Seng Management College
Hang Shin Link, Siu Lek Yuen, Shatin, New Territories, Hong Kong
wongwk@hsmc.edu.hk
https://www.hsmc.edu.hk
Crypto Forum Research Group (cfrg)

This document describes the SM4 symmetric blockcipher algorithm
published as GB/T 32907-2016 by the Organization of State Commercial
Administration of China (OSCCA).
This document is a product of the Crypto Forum Research Group (CFRG).
SM4 is a cryptographic standard
issued by the Organization of State Commercial Administration of China
as an authorized cryptographic algorithm for use within China.
The algorithm is published openly.
SM4 is a symmetric encryption algorithm, specifically a blockcipher,
designed for data encryption.
This document does not aim to introduce a new algorithm, but to
provide a clear and open description of the SM4 algorithm in English,
and also to serve as a stable reference for IETF documents that utilize
this algorithm.
While this document is similar in nature to , that document is a textual
translation of the "SMS4" algorithm published in 2006, whereas this
document follows the updated description and structure of
published in 2016. Sections 1 to 7 of this document directly map to the
corresponding section numbers of the standard for the
convenience of the reader.
This document also provides additional information on the practical usage and
implementation of SM4, specifying multiple modes of operation that are known
to be used with SM4 and providing the SM4 OIDs.
The "SMS4" algorithm (the former name of SM4) was invented by
Shu-Wang Lu , first published in 2003 as part of
, then published independently in 2006 by the OSCCA,
officially renamed to "SM4" in 2012 in published by the OSCCA,
and finally standardized in 2016 as a Chinese National Standard (GB Standard)
. SM4 is also standardized in
by the International Organization for Standardization in 2017.
SMS4 was originally created for use in protecting wireless networks ,
and is mandated in the Chinese National Standard for Wireless LAN WAPI (Wired
Authentication and Privacy Infrastructure) . A proposal
was made to adopt SMS4 into the IEEE 802.11i standard, but the algorithm
was eventually not included due to concerns about interoperability
with existing ciphers.
The latest SM4 standard was proposed by the OSCCA,
standardized through TC 260 of the Standardization Administration of the
People's Republic of China (SAC), and was drafted by the following
individuals at the Data Assurance and Communication Security Research
Center (DAS Center) of the Chinese Academy of Sciences, the China
Commercial Cryptography Testing Center and the Beijing Academy of
Information Science & Technology (BAIST):
   Shu-Wang Lu
   Dai-Wai Li
   Kai-Yong Deng
   Chao Zhang
   Peng Luo
   Zhong Zhang
   Fang Dong
   Ying-Ying Mao
   Zhen-Hua Liu

SM4 (and SMS4) has prevalent hardware implementations , as it is the only
OSCCA-approved symmetric encryption algorithm allowed for use in China.
SM4 can be used with multiple modes (See ).
A number of attacks have been attempted on SM4, such as , but there are no
known feasible attacks against the SM4 algorithm at the time of publishing
this document.
There are, however, security concerns with regards to side-channel attacks
when the SM4 algorithm is implemented in a hardware device
.
For instance, illustrated an attack by measuring the power
consumption of the device. A chosen ciphertext attack, assuming a fixed
correlation between the round keys and the data mask, is able to recover the
round key. When the SM4 algorithm is implemented in hardware, the masking
parameters SHOULD therefore be freshly and randomly generated, with no fixed
correlation between the mask and the round keys.
There have been improvements to the hardware embodiment design for SM4, such
as , that may resist such attacks.
In order to improve security of the SM4 cryptographic process, secure white-box
implementations such as have been proposed. Speed enhancements,
such as , have also been proposed.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted
as described in .
The following terms and definitions apply to this document.
Bit-length of a message block.
Bit-length of a key.
An operation that converts a key into a round key.
The number of iterations that the round function is run.
A key used in each round on the blockcipher, derived from the input key, also called a subkey.
A 32-bit quantity.
The S (substitution) box function produces an 8-bit output from an 8-bit input, represented as S(.).
Bitwise exclusive-or of two 32-bit vectors S and T.
S and T will always have the same length.
32-bit bitwise cyclic shift of a, with i bits shifted left.

The SM4 algorithm is a blockcipher, with a block size of 128 bits and a key
length of 128 bits.
Both encryption and key expansion use 32 rounds of a nonlinear round function
per block. Each round updates one of the four 32-bit words that constitute
the block state.
The structure of encryption and decryption is identical, except that the round
key sequence is applied in reverse order during decryption.
With an 8-bit S-box, SM4 uses only exclusive-or, cyclic bit shifts and S-box
lookups.
The encryption key is 128 bits long and is represented below, where each
MK_i (i = 0, 1, 2, 3) is 32 bits wide.
MK = (MK_0, MK_1, MK_2, MK_3)
The round key schedule is derived from the encryption key, represented as below
where each rk_i (i = 0, ..., 31) is a word:
(rk_0, rk_1, ... , rk_31)
The family key used for key expansion is represented as FK, where
each FK_i (i = 0, ..., 3) is a word:
FK = (FK_0, FK_1, FK_2, FK_3)
The constant key used for key expansion is represented as CK, where
each CK_i (i = 0, ..., 31) is a word:
CK = (CK_0, CK_1, ... , CK_31)
The round function F is defined as:
F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk)
Where:
   Each X_i is 32 bits wide.
   The round key rk is 32 bits wide.
   T is a reversible permutation that outputs 32 bits from an input of 32 bits.
It consists of a non-linear transform tau and linear transform L.
T(.) = L(tau(.))
The permutation T' is created from T by replacing the
linear transform function L with L'.
T'(.) = L'(tau(.))
tau is composed of four parallel S-boxes.
Given a 32-bit input A, where each a_i is an 8-bit string:
A = (a_0, a_1, a_2, a_3)
The output is a 32-bit B, where each b_i is an 8-bit string:
B = (b_0, b_1, b_2, b_3)
B is calculated as follows:
(b_0, b_1, b_2, b_3) = tau(A)
tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3))
The output of non-linear transformation function tau is used as input
to linear transformation function L.
Given B, a 32-bit input.
The linear transformation L is defined as follows.
L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24)
The linear transformation L' is defined as follows.
L'(B) = B xor (B <<< 13) xor (B <<< 23)
The S-box S used in tau is given in this lookup table in hexadecimal form:
For example, input "EF" will produce an output read from the S-box table
row E and column F, giving the result S(EF) = 84.
The encryption algorithm consists of 32 rounds and 1 reverse transform R.
Given a 128-bit plaintext input, where each X_i is a 32-bit word:
(X_0, X_1, X_2, X_3)
The output is a 128-bit ciphertext, where each Y_i is a 32-bit word:
(Y_0, Y_1, Y_2, Y_3)
Each round key is designated as rk_i, where each rk_i is a 32-bit word
and i = 0, 1, 2, ..., 31.
a. 32 rounds of calculation
i = 0, 1, ..., 31
X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i)
b. reverse transformation
(Y_0, Y_1, Y_2, Y_3) = R(X_32, X_33, X_34, X_35)
R(X_32, X_33, X_34, X_35) = (X_35, X_34, X_33, X_32)
Please refer to for sample calculations.
Decryption follows the same process as encryption, the only difference
being the order of the round key sequence.
During decryption, the round key sequence is:
(rk_31, rk_30, ..., rk_0)
Round keys used during encryption are derived from the encryption key.
Specifically, given the encryption key MK, where each MK_i is 32 bits
wide:
MK = (MK_0, MK_1, MK_2, MK_3)
Each round key rk_i is created as follows, where i = 0, 1, ..., 31.
(K_0, K_1, K_2, K_3)
= (MK_0 xor FK_0, MK_1 xor FK_1, MK_2 xor FK_2, MK_3 xor FK_3)
rk_i = K_{i + 4}
K_{i + 4} = K_i xor T' (K_{i + 1} xor K_{i + 2} xor K_{i + 3} xor CK_i)
Since the decryption key is identical to the encryption key, the round keys
used during decryption are derived from it by the same process as during
encryption.
Family key FK given in hexadecimal notation, is:
FK_0 = A3B1BAC6
FK_1 = 56AA3350
FK_2 = 677D9197
FK_3 = B27022DC
The method to retrieve values from the constant key CK is as follows.
Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of CK_i.
Therefore, each ck_{i, j} is an 8-bit string, and each CK_i a 32-bit word.
CK_i = (ck_{i, 0}, ck_{i, 1}, ck_{i, 2}, ck_{i, 3})
ck_{i, j} = (4i + j) x 7 (mod 256)
The values of the constant key CK_i, where (i = 0, 1, ..., 31), in
hexadecimal, are:
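The following is an added example, written for this page from the description in the sections above; it is not code from GB/T 32907-2016, OpenSSL or Botan, and names such as rol32, tau, lin_l, lin_l_prime, key_schedule, encrypt_block and decrypt_block are this example's own. It assembles the S-box (the standard's table is reproduced in full, since the code cannot run without it), the transforms L and L', the family key FK, the constant key CK computed from ck_{i,j} = (4i + j) x 7 (mod 256), the 32-round network with the reverse transform R, and the reversed round-key order for decryption. The main block runs example 1 of the standard.

```python
# SM4 block cipher built from the description in this document.
# Added example; not code from GB/T 32907-2016, OpenSSL or Botan.
# All function names below are this example's own.
from typing import List

# The S-box S of GB/T 32907-2016, 16 rows of 16 bytes. Row E, column F is 0x84,
# matching the S(EF) = 84 lookup described in the text.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05"
    "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62"
    "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8"
    "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887"
    "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1"
    "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f"
    "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8"
    "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684"
    "18f07dec3adc4d2079ee5f3ed7cb3948"
)
assert len(SBOX) == 256 and len(set(SBOX)) == 256  # S must be a permutation

FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)

# CK_i is assembled byte by byte from ck_{i,j} = (4i + j) * 7 mod 256,
# so CK_0 = 00070E15 and CK_31 = 646B7279.
CK = tuple(
    int.from_bytes(bytes(((4 * i + j) * 7) % 256 for j in range(4)), "big")
    for i in range(32)
)

MASK32 = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    """32-bit cyclic left shift, the <<< operator of the text."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def tau(a: int) -> int:
    """Four parallel S-box lookups on the bytes of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")


def lin_l(b: int) -> int:
    """L, the linear transform of the round function; T = L o tau."""
    return b ^ rol32(b, 2) ^ rol32(b, 10) ^ rol32(b, 18) ^ rol32(b, 24)


def lin_l_prime(b: int) -> int:
    """L', the linear transform of the key schedule; T' = L' o tau."""
    return b ^ rol32(b, 13) ^ rol32(b, 23)


def key_schedule(mk: bytes) -> List[int]:
    """rk_0 .. rk_31 from MK: (K_0..K_3) = MK xor FK, then
    K_{i+4} = K_i xor T'(K_{i+1} xor K_{i+2} xor K_{i+3} xor CK_i), rk_i = K_{i+4}."""
    if len(mk) != 16:
        raise ValueError("SM4 key must be 128 bits")
    k = [int.from_bytes(mk[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ lin_l_prime(tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])))
    return k[4:]


def _rounds(block: bytes, rk: List[int]) -> bytes:
    """32 rounds of X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i),
    followed by the reverse transform R(X_32..X_35) = (X_35, X_34, X_33, X_32)."""
    if len(block) != 16:
        raise ValueError("SM4 block must be 128 bits")
    x = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(32):
        x.append(x[i] ^ lin_l(tau(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i])))
    return b"".join(w.to_bytes(4, "big") for w in (x[35], x[34], x[33], x[32]))


def encrypt_block(key: bytes, plaintext: bytes) -> bytes:
    return _rounds(plaintext, key_schedule(key))


def decrypt_block(key: bytes, ciphertext: bytes) -> bytes:
    # Decryption is the same network with the round keys in order rk_31 .. rk_0.
    return _rounds(ciphertext, key_schedule(key)[::-1])


if __name__ == "__main__":
    # Example 1 of the standard: key and plaintext 0123456789ABCDEFFEDCBA9876543210.
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")
    ct = encrypt_block(key, key)
    print(ct.hex())  # expected 681edf34d206965e86b3e94f536e4246
    assert decrypt_block(key, ct) == key
```

Two caveats for anyone adapting this: the S-box is a table lookup indexed by secret data, so this code is not constant-time and leaks through cache timing in the same way the hardware side channels discussed above leak through power; and encrypt_block recomputes the key schedule on every call, which a real implementation would cache per key.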
This document defines multiple modes of operation for the SM4 blockcipher
algorithm.
The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB (Cipher
FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are defined in
and utilized with the SM4 algorithm in the following
sections.
Hereinafter we define:
The SM4 algorithm that encrypts plaintext P with key K, described in
The SM4 algorithm that decrypts ciphertext C with key K, described in
block size in bits, defined as 128 for SM4
block j of plaintext bitstring P
block j of ciphertext bitstring C
Number of blocks of size b-bits in bitstring B
Initialization vector
Least significant b bits of the bitstring S
Most significant b bits of the bitstring S

The CBC, CFB and OFB modes require an additional input to the encryption process,
called the initialization vector (IV). The identical IV is used in the input
of encryption as well as the decryption of the corresponding ciphertext.
Generation of IV values MUST take into account the considerations
recommended in .
In SM4-ECB, a given key defines a fixed mapping from plaintext blocks to
ciphertext blocks, meaning that a given plaintext block always encrypts to
the same ciphertext block, and identical ciphertext blocks therefore reveal
identical plaintext blocks. As described in , this mode should be avoided
if this property is undesirable.
This mode requires the input plaintext to be a multiple of the block size,
which in the case of SM4 is 128 bits. It also allows multiple blocks
to be computed in parallel.
Inputs:
   P, plaintext, length MUST be a multiple of b
   K, SM4 128-bit encryption key
Output:
   C, ciphertext, length is a multiple of b
C is defined as follows.
Inputs:
   C, ciphertext, length MUST be a multiple of b
   K, SM4 128-bit encryption key
Output:
   P, plaintext, length is a multiple of b
P is defined as follows.
SM4-CBC is similar to SM4-ECB in that the input plaintext MUST be a multiple
of the block size, which is 128 bits in SM4. SM4-CBC requires
an additional input, the IV, that is unpredictable for a particular
execution of the encryption process.
Since each CBC encryption step feeds the previous ciphertext block into the
forward cipher operation, encryption cannot be parallelized. Decryption,
however, can be parallelized, since all ciphertext blocks are already
available.
Inputs:
   P, plaintext, length MUST be a multiple of b
   K, SM4 128-bit encryption key
   IV, 128-bit, unpredictable, initialization vector
Output:
   C, ciphertext, length is a multiple of b
C is defined as follows.
Inputs:
   C, ciphertext, length MUST be a multiple of b
   K, SM4 128-bit encryption key
   IV, 128-bit, unpredictable, initialization vector
Output:
   P, plaintext, length is a multiple of b
P is defined as follows.
SM4-CFB relies on feedback provided by successive ciphertext segments to
generate output blocks. The plaintext given must be a multiple of the
segment size s.
Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for a particular
execution of the encryption process.
SM4-CFB further allows setting a positive integer parameter s, that is less than or
equal to the block size, to specify the size of each data segment. The same
segment size must be used in encryption and decryption.
In SM4-CFB, since the input block to each forward cipher function depends
on the ciphertext of the previous segment (except the first, which depends on
the IV), encryption is not parallelizable. Decryption, however, can be
parallelized, since every input block is then already determined by the IV and
the ciphertext. Only the forward cipher function is used in both directions.
SM4-CFB takes an integer s to determine segment size in its encryption and
decryption routines. We define the following variants of SM4-CFB for
various s:
   SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1.
   SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8.
   SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64.
   SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128.
Inputs:
   P#, plaintext, length MUST be a multiple of s
   K, SM4 128-bit encryption key
   IV, 128-bit, unpredictable, initialization vector
   s, an integer 1 <= s <= b that defines segment size
Output:
   C#, ciphertext, length is a multiple of s
C# is defined as follows.
Inputs:
   C#, ciphertext, length MUST be a multiple of s
   K, SM4 128-bit encryption key
   IV, 128-bit, unpredictable, initialization vector
   s, an integer 1 <= s <= b that defines segment size
Output:
   P#, plaintext, length is a multiple of s
P# is defined as follows.
SM4-OFB is the application of SM4 through the Output Feedback mode.
This mode requires that the IV is a nonce, meaning that the IV MUST
be unique for each execution under a given key. OFB does not require the
input plaintext to be a multiple of the block size.
In OFB, the routines for encryption and decryption are identical. As
each forward cipher function (except the first) depends on the previous
result, neither routine can be parallelized. However, given a known IV, the
output blocks can be generated before the plaintext (encryption)
or ciphertext (decryption) is available.
Inputs:
   P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
   K, SM4 128-bit encryption key
   IV, a nonce (a unique value for each execution per given key)
Output:
   C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
C is defined as follows.
Inputs:
   C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
   K, SM4 128-bit encryption key
   IV, the nonce used during encryption
Output:
   P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
P is defined as follows.
SM4-CTR is an implementation of a stream cipher through a block cipher
primitive. It generates a keystream of blocks that are used to
encrypt successive blocks, with the keystream created from the input key,
a nonce (the IV) and an incrementing counter. The counter blocks can be any
sequence of b-bit values in which no value repeats under a given key, across
all messages encrypted with that key.
Both SM4-CTR encryption and decryption routines can be parallelized, and
random access to any block is also possible, since the counter block for
block j can be computed directly.
Inputs:
   P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
   K, SM4 128-bit encryption key
   IV, a nonce (a unique value for each execution per given key)
   T, a sequence of counters from T_1 to T_n
Output:
   C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
C is defined as follows.
Inputs:
   C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b
   K, SM4 128-bit encryption key
   IV, a nonce (a unique value for each execution per given key)
   T, a sequence of counters from T_1 to T_n
Output:
   P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b
P is defined as follows.
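The five modes defined above, as an added example written for this page rather than code from SP 800-38A, OpenSSL or Botan; every name in it (toy_encrypt, ecb_encrypt, cbc_encrypt, cfb_crypt, ofb_crypt, ctr_crypt, xor_bytes, split_blocks) is this example's own. The block cipher is passed in as a callable, so any SM4 implementation's encrypt and decrypt functions can be supplied; to run stand-alone the example ships with toy_encrypt/toy_decrypt, a keyed byte permutation that is not a cipher and only stands in for SM4. The example goes slightly beyond the text in two places it assumes: CTR uses the increment-by-one counter (one of the counter functions SP 800-38A allows) and exposes random access through a start_block parameter, and the final u-bit block of OFB and CTR is handled at byte granularity.

```python
# Modes of operation for a 128-bit block cipher, from this document's definitions.
# Added example, not code from SP 800-38A, OpenSSL or Botan; all names are this
# example's own. toy_encrypt/toy_decrypt are NOT a cipher, only a stand-in for SM4.
from typing import Callable, List

BLOCK = 16                      # b = 128 bits, in bytes
MASK128 = (1 << 128) - 1
BlockFn = Callable[[bytes], bytes]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for SM4 only: xor with the key, then rotate the bytes left by one."""
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[1:] + x[:1]


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return bytes(a ^ b for a, b in zip(x, key))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR truncated to the shorter input; this yields MSB_u for a final short block."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(enc: BlockFn, p: bytes) -> bytes:
    """C_j = E_K(P_j): equal plaintext blocks give equal ciphertext blocks."""
    if len(p) % BLOCK:
        raise ValueError("ECB input must be a multiple of b")
    return b"".join(enc(pj) for pj in split_blocks(p))


def ecb_decrypt(dec: BlockFn, c: bytes) -> bytes:
    if len(c) % BLOCK:
        raise ValueError("ECB input must be a multiple of b")
    return b"".join(dec(cj) for cj in split_blocks(c))


def cbc_encrypt(enc: BlockFn, iv: bytes, p: bytes) -> bytes:
    """C_1 = E_K(P_1 xor IV), C_j = E_K(P_j xor C_{j-1}); inherently serial."""
    if len(p) % BLOCK or len(iv) != BLOCK:
        raise ValueError("CBC needs a b-bit IV and a multiple of b")
    out, prev = [], iv
    for pj in split_blocks(p):
        prev = enc(xor_bytes(pj, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec: BlockFn, iv: bytes, c: bytes) -> bytes:
    """P_j = D_K(C_j) xor C_{j-1}: each block needs only ciphertext, so parallelizable."""
    if len(c) % BLOCK or len(iv) != BLOCK:
        raise ValueError("CBC needs a b-bit IV and a multiple of b")
    blocks = split_blocks(c)
    return b"".join(xor_bytes(dec(cj), prev) for cj, prev in zip(blocks, [iv] + blocks[:-1]))


def cfb_crypt(enc: BlockFn, iv: bytes, data: bytes, s: int, decrypt: bool = False) -> bytes:
    """CFB with s-bit segments, 1 <= s <= b (SM4-CFB-1/-8/-64/-128).
    I_1 = IV; O_j = MSB_s(E_K(I_j)); C_j = P_j xor O_j; I_{j+1} = LSB_{b-s}(I_j) | C_j.
    Only the forward cipher is used, so one routine serves both directions:
    the ciphertext segment (the input when decrypting) is what gets fed back."""
    nbits = len(data) * 8
    if not 1 <= s <= 128 or nbits % s:
        raise ValueError("CFB input must be a multiple of s bits")
    x, reg, out, seg_mask = int.from_bytes(data, "big"), int.from_bytes(iv, "big"), 0, (1 << s) - 1
    for j in range(nbits // s):
        seg_in = (x >> (nbits - s * (j + 1))) & seg_mask
        o = int.from_bytes(enc(reg.to_bytes(BLOCK, "big")), "big") >> (128 - s)
        seg_out = seg_in ^ o
        out = (out << s) | seg_out
        reg = ((reg << s) | (seg_in if decrypt else seg_out)) & MASK128
    return out.to_bytes(len(data), "big")


def ofb_crypt(enc: BlockFn, iv: bytes, data: bytes) -> bytes:
    """O_1 = E_K(IV), O_j = E_K(O_{j-1}); the last block uses MSB_u(O_n).
    The IV must be a nonce. Byte granularity for u is this example's assumption."""
    out, o = bytearray(), iv
    for chunk in split_blocks(data):
        o = enc(o)
        out += xor_bytes(chunk, o)
    return bytes(out)


def ctr_crypt(enc: BlockFn, nonce: bytes, data: bytes, start_block: int = 0) -> bytes:
    """T_1 = nonce, T_{j+1} = T_j + 1 mod 2^128 (one valid choice; SP 800-38A allows
    others). start_block=k processes block k on its own, i.e. random access."""
    t = (int.from_bytes(nonce, "big") + start_block) & MASK128
    out = bytearray()
    for chunk in split_blocks(data):
        out += xor_bytes(chunk, enc(t.to_bytes(BLOCK, "big")))
        t = (t + 1) & MASK128
    return bytes(out)
```

Two things worth seeing in the code rather than the prose: CFB, OFB and CTR never call the inverse cipher, so a decryptor for those modes needs only encrypt_block; and CFB-1 costs one full block encryption per plaintext bit, 128 times the work of CFB-128 for the same data. None of these routines detect modification of the ciphertext; that requires a MAC or an authenticated mode, which this document does not specify.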
SM4 is identified by the following Object Identifiers (OIDs).
"1.2.156.10197.1.104" for "SM4 Algorithm" .
"1.0.18033.3.2.4" for "id-bc128-sm4" ,
described below.
Products and services that utilize cryptography are regulated by the OSCCA
; they must be explicitly approved or certified by the OSCCA before being
allowed to be sold or used in China.

SM4 is a symmetric blockcipher algorithm with a key length of 128 bits. It is
considered an alternative to AES-128 .

SM4 is a blockcipher certified by the OSCCA .
No formal proof of security is provided. There are no known feasible
attacks against the SM4 algorithm at the time of publishing this document, but
there are security concerns with regards to side-channel attacks when the
SM4 algorithm is implemented in hardware. See for more
details.

The IV does not have to be secret. The IV itself, or information sufficient to
determine it, MAY be transmitted with the ciphertext.

SM4-ECB: ECB is one of the four original modes defined for DES. Since its
problem of "leaking quite a large amount of information" is well known,
it SHOULD NOT be used in most cases; in particular, identical plaintext blocks
under the same key are visible as identical ciphertext blocks.

SM4-CBC, SM4-CFB, SM4-OFB: CBC, CFB and OFB are IV-based modes of operation
originally defined for DES. When using these modes of operation, the IV SHOULD
be random to preserve message confidentiality , and for SM4-OFB the IV MUST
in addition never be reused under the same key. It is shown in the same
document that CBC, CFB and OFB, and the variants #CBC and #CFB that apply the
recommendation of to make CBC and CFB nonce-based, are SemCPA secure as
probabilistic encryption schemes.
Various attack scenarios have been described in , and these modes
SHOULD NOT be used except for compatibility reasons.

SM4-CTR: CTR is considered to be the "best" mode of operation within
, as it is SemCPA secure as a nonce-based
encryption scheme, providing provable-security guarantees as good as
the classic modes of operation (ECB, CBC, CFB, OFB) .
None of the modes in this document provide authenticity: a ciphertext can be
altered without detection, and under CTR flipping a ciphertext bit flips the
corresponding plaintext bit. Users with no need of authenticity,
non-malleability and chosen-ciphertext (CCA) security MAY utilize this mode of
operation .
This document does not require any action by IANA.
This is example 1 provided by to demonstrate encryption of a
plaintext.
Plaintext:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
Encryption key:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
Status of the round key (rk_i) and round output (X_i) per round:
Ciphertext:
68 1E DF 34 D2 06 96 5E 86 B3 E9 4F 53 6E 42 46
This example is provided by to demonstrate encrypting a plaintext
1,000,000 times in succession under a fixed encryption key, each iteration
encrypting the output of the previous one.
Plaintext:
Encryption Key:
Ciphertext:
The following examples can be verified using open-source cryptographic
libraries including:
   the Botan cryptographic library with SM4 support, and
   the OpenSSL Cryptography and SSL/TLS Toolkit with SM4 support
Plaintext:
Encryption Key:
Ciphertext:
Plaintext:
Encryption Key:
IV:
Ciphertext:
Plaintext:
Encryption Key:
IV:
Ciphertext:
Plaintext:
Encryption Key:
IV:
Ciphertext:
Plaintext:
Encryption Key:
IV:
Ciphertext:
References

   GB/T 32907-2016: Information security technology -- SM4 block cipher
   algorithm. Standardization Administration of the People's Republic of
   China (SAC), Beijing. http://www.sac.gov.cn

   Evaluation of Some Blockcipher Modes of Operation. P. Rogaway,
   Dept. of Computer Science, University of California, Davis.
   http://www.cs.ucdavis.edu/~rogaway

   Botan: Crypto and TLS for C++11. Botan Project.
   https://botan.randombit.net

   Information technology -- Telecommunications and information exchange
   between systems -- Local and metropolitan area networks -- Specific
   requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and
   Physical Layer (PHY) Specifications. SAC, Beijing. http://www.sac.gov.cn

   GM/T 0002-2012: SM4 block cipher algorithm. Organization of State
   Commercial Administration of China (OSCCA), Beijing.
   http://www.oscca.gov.cn

   GM/T 0006-2012: Cryptographic Application Identifier Criterion
   Specification. OSCCA, Beijing. http://www.oscca.gov.cn

   ISO/IEC WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block
   ciphers -- Amendment 2. International Organization for Standardization,
   Geneva. https://www.iso.org/

   Lv Shu Wang -- A life in cryptography. Xinhua Catalog.

   NIST FIPS 197: Advanced Encryption Standard (AES). National Institute of
   Standards and Technology, Gaithersburg, MD. http://www.nist.gov/

   NIST Special Publication 800-38A: Recommendation for Block Cipher Modes
   of Operation -- Methods and Techniques. National Institute of Standards
   and Technology, Gaithersburg, MD. http://www.nist.gov/

   OpenSSL: Cryptography and SSL/TLS Toolkit. OpenSSL Software Foundation,
   London. https://www.openssl.org

   Organization of State Commercial Administration of China, Beijing.
   http://www.oscca.gov.cn

   SMS4 Cryptographic Algorithm For Wireless LAN Products. OSCCA, Beijing.
   http://www.oscca.gov.cn

   Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher.
   Center for Information Security Technologies (CIST), Korea University;
   Department of Mathematics, University of Seoul; Department of
   Mathematical Sciences, Seoul National University.

   SMS4 Encryption Algorithm for Wireless Networks. W. Diffie (Sun
   Microsystems) and G. Ledin (Sonoma State University).

   Improvements of SM4 Algorithm and Application in Ethernet Encryption
   System Based on FPGA. Key Laboratory of Electronic Engineering,
   University of Heilongjiang, Harbin. http://www.hlju.edu.cn/

   High-speed Encryption & Decryption System Based on SM4. Binzhou
   Polytechnic, Shandong. http://www.bzu.edu.cn/

   Improved Linear Attacks on the Chinese Block Cipher Standard. Beijing
   International Center for Mathematical Research, Peking University; China
   Information Technology Security Evaluation Center. http://www.bicmr.org

   Improved chosen-plaintext power analysis attack against SM4 at the
   round-output. College of Information Security Engineering, Chengdu
   University of Information Technology. http://www.cuit.edu.cn/

   A VLSI implementation of an SM4 algorithm resistant to power analysis.
   College of Information Science and Engineering, Hunan University;
   Department of Computer Science, SUNY New Paltz; College of Mathematics
   and Computer Science, Hunan Normal University. http://www.hnu.edu.cn/

   A secure white-box SM4 implementation. State Key Laboratory of
   Information Security, Institute of Information Engineering, and
   Institute of Software, Chinese Academy of Sciences.
   http://www.is.cas.cn/

   Software Hardware Co-design for Side-Channel Analysis Platform on
   Security Chips. Tsinghua National Laboratory for Information Science
   and Technology, Tsinghua University. http://www.sist.tsinghua.edu.cn/

Acknowledgements

The authors would like to thank the following persons for their valuable
advice and input.
   Erick Borsboom, for assisting the lengthy review of this document
   Jack Lloyd and Daniel Wyatt of the Ribose rnp team, for their input and
   implementation