CN106357380B - The mask method and device of SM4 algorithm - Google Patents

The mask method and device of SM4 algorithm

Info

Publication number
CN106357380B
Authority
CN
China
Prior art keywords
mask
output
round
inverse
subparameter
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Application number
CN201610887900.1A
Other languages
Chinese (zh)
Other versions
CN106357380A (en)
Inventor
王蓓蓓
陈佳哲
李贺鑫
Current Assignee (as listed by Google Patents)
China Information Technology Security Evaluation Center
Original Assignee
China Information Technology Security Evaluation Center
Events
    • Application filed by China Information Technology Security Evaluation Center
    • Priority to CN201610887900.1A
    • Publication of CN106357380A
    • Application granted
    • Publication of CN106357380B
    • Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/06: ... the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators
    • H04L9/0618: Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/002: Countermeasures against attacks on cryptographic mechanisms
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: ... for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The invention discloses a masking method and device for the SM4 algorithm. The method comprises: obtaining the input masked plaintext, random mask and round keys; performing the first round of the round function on the masked plaintext, the random mask and the first round key, to obtain the first-round ciphertext and the first-round mask; performing the second round of the round function on the first-round ciphertext, the first-round mask and the second round key, to obtain the second-round ciphertext and the second-round mask, and continuing in this way to carry out the N rounds of the round function; and XORing the N-th round ciphertext and the N-th round mask output by the N-th round, taking the result as the output of the SM4 algorithm. That is, in the N rounds of the round function, the mask needed by every round other than the first is obtained from the output of the immediately preceding round, so with this scheme the intermediate values of the N rounds never have to be unmasked, which provides resistance to side-channel attacks.

Description

The mask method and device of SM4 algorithm
Technical field
The present invention relates to the field of cryptographic algorithm implementation, and in particular to a masking method and device for the SM4 algorithm.
Background art
SM4 is the block cipher published by the State Commercial Cryptography Administration Office. It is currently the most widely used block cipher of independent Chinese design and is gradually being deployed in smart cards and USB keys, where, for reasons of throughput, it is mostly implemented in hardware. In applications such as smart cards and USB keys, an encryption algorithm must not only guarantee the security of the protocol and of the mathematical algorithm; more importantly, it must ensure that the power consumption or electromagnetic emanations of the encryption circuit during real use cannot be exploited by side-channel analysis and turned into a security threat.
For SM4, a side-channel attack can recover the key from the correlation of the intermediate values of the round operations, so hardware design methods that resist side-channel attacks are required. Masking is one of the common countermeasures against side-channel attacks. By adding a random mask to the plaintext or to the key, the intermediate values of the encryption algorithm become unpredictable, which is what resisting side-channel attacks requires.
Existing masking methods for SM4 generally introduce a random mask in every round, so that the mask carried by the vulnerable intermediate result of each round differs from round to round, which is effective against side-channel attacks. Specifically, before the random mask of the next round is introduced, the output of the previous round must first be unmasked with the previous round's mask, and only then can the unmasked result be re-masked with the random mask introduced for the next round. Since unmasking exposes the true intermediate value, it easily leads to power leakage, and side-channel attacks cannot be resisted.
Summary of the invention
To solve the above technical problem, embodiments of the invention provide a masking method and device for the SM4 algorithm, to remove the power leakage that arises in per-round masking methods because a true intermediate value appears. The technical solution is as follows:
A masking method for the SM4 algorithm, comprising:
obtaining the input masked plaintext, random mask and round keys;
performing the first round of the round function on the masked plaintext, the random mask and the first round key of the round keys, to obtain the first-round ciphertext and the first-round mask;
performing the second round of the round function on the first-round ciphertext, the first-round mask and the second round key of the round keys, to obtain the second-round ciphertext and the second-round mask, and so on to carry out the N rounds of the round function, N being a positive integer greater than 1;
XORing the N-th round ciphertext and the N-th round mask output by the N-th round, and taking the result as the output of the SM4 algorithm.
Optionally, performing the first round of the round function on the masked plaintext, the random mask and the first round key of the round keys comprises:
dividing the bits of the masked plaintext, in order from the most significant bit to the least, into M groups, to obtain M masked sub-plaintexts of equal bit length; dividing the bits of the random mask, in the same order, into M groups, to obtain M sub-masks of equal bit length; performing the synthesis permutation of the first round of the masked plaintext on the last M-1 masked sub-plaintexts and the first round key, where the last M-1 sub-plaintexts are the M-1 masked sub-plaintexts occupying the lower bit positions of the masked plaintext;
performing the synthesis permutation of the first round of the random mask on the last M-1 sub-masks, where the last M-1 sub-masks are the M-1 sub-masks occupying the lower bit positions of the random mask;
XORing the result of the synthesis permutation of the masked plaintext with the sub-plaintext other than the last M-1 sub-plaintexts, and taking the result as the first-round ciphertext; XORing the result of the synthesis permutation of the random mask with the sub-mask other than the last M-1 sub-masks, and taking the result as the first-round mask.
Optionally, the synthesis permutation includes a nonlinear transformation, and the nonlinear transformation is realized by a masked S-box;
the operation of the masked S-box comprises:
receiving an intermediate value of the first-round ciphertext and an intermediate value of the first-round mask, where the intermediate value of the first-round ciphertext is the XOR of the last M-1 sub-plaintexts with the first round key, and the intermediate value of the first-round mask is the XOR of the last M-1 sub-masks;
performing an affine transformation and an inversion on the intermediate value of the first-round ciphertext and on the intermediate value of the first-round mask, and taking the result of the affine transformation and inversion as the output of the S-box.
Optionally, performing the affine transformation and inversion on the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask comprises:
using a first affine transformation matrix, applying a first affine transformation over the finite field GF(2^8) to the intermediate value of the first-round ciphertext and to the intermediate value of the first-round mask respectively, to obtain a masked S-box output and a mask output;
performing an inversion in the composite field GF(((2^2)^2)^2) on the masked S-box output and on the mask output respectively, to obtain a masked inverse output and a mask inverse output;
using a second affine transformation matrix, applying a second affine transformation over GF(2^8) to the masked inverse output and to the mask inverse output respectively, and taking the result of the second affine transformation as the output of the S-box.
Optionally, performing the inversion in the composite field GF(((2^2)^2)^2) on the masked S-box output and on the mask output respectively comprises:
using a first normal basis, expressing the masked S-box output and the mask output each as a linear polynomial over GF(2^4), where the elements of the first normal basis are the roots of a quadratic irreducible polynomial whose constant term lies in GF(2^4), and the coefficients of the linear polynomial over GF(2^4) lie in GF(2^4);
according to the linear polynomial over GF(2^4) of the masked S-box output and the linear polynomial over GF(2^4) of the mask output, expressing the inverse of the sum of the masked S-box output and the mask output in terms of elements of GF(2^4) and a first parameter, where the first parameter is used for inverting elements of GF(2^4);
expressing the inverse of the sum, written in terms of elements of GF(2^4) and the first parameter, in terms of a first output and a second output, where the first output and the second output are the dependent variables of a first function whose independent variables are a first sub-parameter and a second sub-parameter into which the first parameter is decomposed, and where the inverse of the sum of the first sub-parameter and the second sub-parameter equals the sum of the first output and the second output;
decomposing the inverse of the sum, expressed with the first output and the second output, into a first part and a second part, taking the first part as the masked inverse output and the second part as the mask inverse output;
using a second normal basis, expressing the first sub-parameter and the second sub-parameter each as a linear polynomial over GF(2^2), where the elements of the second normal basis are the roots of a quadratic irreducible polynomial whose constant term lies in GF(2^2), and the coefficients of the linear polynomial over GF(2^2) lie in GF(2^4);
according to the linear polynomials over GF(2^2) of the first sub-parameter and the second sub-parameter, expressing the inverse of the first parameter in terms of elements of GF(2^2) and a second parameter, where the second parameter is used for inverting elements of GF(2^2);
expressing the inverse of the first parameter, written in terms of elements of GF(2^2) and the second parameter, in terms of a third output and a fourth output, where the third output and the fourth output are the dependent variables of a second function whose independent variables are a third sub-parameter and a fourth sub-parameter into which the second parameter is decomposed, and where the inverse of the sum of the third sub-parameter and the fourth sub-parameter equals the sum of the third output and the fourth output;
decomposing the inverse of the first parameter, expressed with the third output and the fourth output, into a third part and a fourth part, taking the third part as the first output and the fourth part as the second output;
using a third normal basis, expressing the third sub-parameter and the fourth sub-parameter each as a linear polynomial over GF(2), where the elements of the third normal basis are the roots of a quadratic irreducible polynomial whose constant term lies in GF(2), and the coefficients of the linear polynomial over GF(2) lie in GF(2);
according to the linear polynomials over GF(2) of the third sub-parameter and the fourth sub-parameter, expressing the inverse of the second parameter in terms of elements of GF(2), and finally obtaining that the inverse of the second parameter equals the sum of the third sub-parameter to the power minus one and the fourth sub-parameter to the power minus one;
taking the third output to be the third sub-parameter to the power minus one, and the fourth output to be the fourth sub-parameter to the power minus one;
from the third output, which is the third sub-parameter to the power minus one, and the fourth output, which is the fourth sub-parameter to the power minus one, computing the third part and the fourth part, to obtain the first output and the second output;
from the computed first output and second output, computing the first part and the second part, and taking the computed first part as the masked inverse output and the computed second part as the mask inverse output.
A masking device for the SM4 algorithm, comprising:
an obtaining module, for obtaining the input masked plaintext, random mask and round keys;
a first-round operation module, for performing the first round of the round function on the masked plaintext, the random mask and the first round key of the round keys, to obtain the first-round ciphertext and the first-round mask;
a second-round operation module, for performing the second round of the round function on the first-round ciphertext, the first-round mask and the second round key of the round keys, to obtain the second-round ciphertext and the second-round mask, and so on to carry out the N rounds of the round function, N being a positive integer greater than 1;
a first output module, for XORing the N-th round ciphertext and the N-th round mask output by the N-th round, and taking the result as the output of the SM4 algorithm.
Optionally, the first-round operation module comprises:
a first division module, for dividing the bits of the masked plaintext, in order from the most significant bit to the least, into M groups, to obtain M masked sub-plaintexts of equal bit length, and for dividing the bits of the random mask, in the same order, into M groups, to obtain M sub-masks of equal bit length;
a second division module, for performing the synthesis permutation of the first round of the masked plaintext on the last M-1 masked sub-plaintexts and the first round key, where the last M-1 sub-plaintexts are the M-1 masked sub-plaintexts occupying the lower bit positions of the masked plaintext;
a synthesis permutation module, for performing the synthesis permutation of the first round of the random mask on the last M-1 sub-masks, where the last M-1 sub-masks are the M-1 sub-masks occupying the lower bit positions of the random mask;
an XOR module, for XORing the result of the synthesis permutation of the masked plaintext with the sub-plaintext other than the last M-1 sub-plaintexts and taking the result as the first-round ciphertext, and for XORing the result of the synthesis permutation of the random mask with the sub-mask other than the last M-1 sub-masks and taking the result as the first-round mask.
Optionally, the synthesis permutation includes a nonlinear transformation, and the nonlinear transformation is realized by an S-box operation module;
the S-box operation module comprises:
a receiving module, for receiving an intermediate value of the first-round ciphertext and an intermediate value of the first-round mask, where the intermediate value of the first-round ciphertext is the XOR of the last M-1 sub-plaintexts with the first round key, and the intermediate value of the first-round mask is the XOR of the last M-1 sub-masks;
a second output module, for performing an affine transformation and an inversion on the intermediate value of the first-round ciphertext and on the intermediate value of the first-round mask, and taking the result of the affine transformation and inversion as the output of the S-box.
Optionally, the second output module comprises:
a first affine transformation module, for applying, with a first affine transformation matrix, a first affine transformation over GF(2^8) to the intermediate value of the first-round ciphertext and to the intermediate value of the first-round mask respectively, to obtain a masked S-box output and a mask output;
an inversion module, for performing an inversion in the composite field GF(((2^2)^2)^2) on the masked S-box output and on the mask output respectively, to obtain a masked inverse output and a mask inverse output;
a second affine transformation module, for applying, with a second affine transformation matrix, a second affine transformation over GF(2^8) to the masked inverse output and to the mask inverse output respectively, and taking the result of the second affine transformation as the output of the S-box.
Optionally, the inversion module comprises:
a first representation module, for expressing, using a first normal basis, the masked S-box output and the mask output each as a linear polynomial over GF(2^4), where the elements of the first normal basis are the roots of a quadratic irreducible polynomial whose constant term lies in GF(2^4), and the coefficients of the linear polynomial over GF(2^4) lie in GF(2^4);
a second representation module, for expressing, according to the linear polynomial over GF(2^4) of the masked S-box output and the linear polynomial over GF(2^4) of the mask output, the inverse of the sum of the masked S-box output and the mask output in terms of elements of GF(2^4) and a first parameter, the first parameter being used for inverting elements of GF(2^4);
a third representation module, for expressing the inverse of the sum, written in terms of elements of GF(2^4) and the first parameter, in terms of a first output and a second output, where the first output and the second output are the dependent variables of a first function whose independent variables are a first sub-parameter and a second sub-parameter into which the first parameter is decomposed, and where the inverse of the sum of the first sub-parameter and the second sub-parameter equals the sum of the first output and the second output;
a first decomposition module, for decomposing the inverse of the sum, expressed with the first output and the second output, into a first part and a second part, taking the first part as the masked inverse output and the second part as the mask inverse output;
a fourth representation module, for expressing, using a second normal basis, the first sub-parameter and the second sub-parameter each as a linear polynomial over GF(2^2), where the elements of the second normal basis are the roots of a quadratic irreducible polynomial whose constant term lies in GF(2^2), and the coefficients of the linear polynomial over GF(2^2) lie in GF(2^4);
a fifth representation module, for expressing, according to the linear polynomials over GF(2^2) of the first sub-parameter and the second sub-parameter, the inverse of the first parameter in terms of elements of GF(2^2) and a second parameter, the second parameter being used for inverting elements of GF(2^2);
a sixth representation module, for expressing the inverse of the first parameter, written in terms of elements of GF(2^2) and the second parameter, in terms of a third output and a fourth output, where the third output and the fourth output are the dependent variables of a second function whose independent variables are a third sub-parameter and a fourth sub-parameter into which the second parameter is decomposed, and where the inverse of the sum of the third sub-parameter and the fourth sub-parameter equals the sum of the third output and the fourth output;
a second decomposition module, for decomposing the inverse of the first parameter, expressed with the third output and the fourth output, into a third part and a fourth part, taking the third part as the first output and the fourth part as the second output;
a seventh representation module, for expressing, using a third normal basis, the third sub-parameter and the fourth sub-parameter each as a linear polynomial over GF(2), where the elements of the third normal basis are the roots of a quadratic irreducible polynomial whose constant term lies in GF(2), and the coefficients of the linear polynomial over GF(2) lie in GF(2);
an eighth representation module, for expressing, according to the linear polynomials over GF(2) of the third sub-parameter and the fourth sub-parameter, the inverse of the second parameter in terms of elements of GF(2), and finally obtaining that the inverse of the second parameter equals the sum of the third sub-parameter to the power minus one and the fourth sub-parameter to the power minus one;
a determining module, for taking the third output to be the third sub-parameter to the power minus one, and the fourth output to be the fourth sub-parameter to the power minus one;
a first computing module, for computing the third part and the fourth part from the third output, which is the third sub-parameter to the power minus one, and the fourth output, which is the fourth sub-parameter to the power minus one, to obtain the first output and the second output;
a second computing module, for computing the first part and the second part from the computed first output and second output, taking the computed first part as the masked inverse output and the computed second part as the mask inverse output.
In the technical solution provided by the embodiments of the invention, in the N rounds of the round function, the mask needed by every round other than the first is obtained from the output of the immediately preceding round; that is, no round other than the first introduces a new random mask. Therefore, with the scheme of this application, the intermediate values of the N rounds need not be unmasked, which provides resistance to side-channel attacks. Furthermore, since a random mask has to be input only for the first round, and the mask needed by every subsequent round is obtained from the output of the preceding round, the technical solution of this application requires little random masking material.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a masking method for the SM4 algorithm provided by an embodiment of the invention;
Fig. 2 is another flow diagram of the masking method for the SM4 algorithm provided by an embodiment of the invention;
Fig. 3 is a flow diagram of performing the affine transformation and inversion on the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask, provided by an embodiment of the invention;
Fig. 4 is a flow diagram of performing the inversion in the composite field GF(((2^2)^2)^2) on the masked S-box output and on the mask output respectively, provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of the masking method for the SM4 algorithm when M is 4;
Fig. 6 is a structural diagram of a masking device for the SM4 algorithm provided by an embodiment of the invention;
Fig. 7 is another structural diagram of the masking device for the SM4 algorithm provided by an embodiment of the invention;
Fig. 8 is a structural diagram of the second output module provided by an embodiment of the invention;
Fig. 9 is a structural diagram of the inversion module provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings of the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
While studying the masking methods for the SM4 algorithm provided in the prior art, the inventors found that, because every round requires a random mask as input and the random masks introduced in different rounds cannot be guaranteed to be identical, the mask of the previous round must be removed before the random mask of the next round is introduced; unmasking exposes the true intermediate value, which easily causes power leakage, so side-channel attacks cannot be resisted.
In the scheme of this application, in the N rounds of the round function, the mask needed by every round other than the first is obtained from the output of the immediately preceding round. Therefore, with the scheme of this application, the intermediate values of the N rounds need not be unmasked, which provides resistance to side-channel attacks.
Referring to Fig. 1, which is an implementation flow chart of a masking method for the SM4 algorithm provided by an embodiment of this application, the method comprises:
Step S101: obtain the input masked plaintext, random mask and round keys.
The masked plaintext is obtained by XORing the input plaintext with the random mask. Specifically, before obtaining the input masked plaintext, random mask and round keys, the method further comprises:
XORing the input plaintext with the random mask, to obtain the masked plaintext.
Here the input plaintext can be 128 bits, and the input random mask can be 32 to 128 bits.
Step S102: perform the first round of the round function on the masked plaintext, the random mask and the first round key of the round keys, to obtain the first-round ciphertext and the first-round mask.
Step S103: perform the second round of the round function on the first-round ciphertext, the first-round mask and the second round key of the round keys, to obtain the second-round ciphertext and the second-round mask, and continue in this way to carry out the N rounds of the round function, N being a positive integer greater than 1.
In practice N can be 32, although it is not limited to this.
Step S104: XOR the N-th round ciphertext and the N-th round mask output by the N-th round, and take the result as the output of the SM4 algorithm.
In the technical solution provided by the embodiments of the invention, in the N rounds of the round function, the mask needed by every round other than the first is obtained from the output of the immediately preceding round; that is, no round other than the first introduces a new random mask. Therefore, with the scheme of this application, the intermediate values of the N rounds need not be unmasked, which provides resistance to side-channel attacks. Furthermore, since a random mask has to be input only for the first round, and the mask needed by every subsequent round is obtained from the output of the preceding round, the technical solution of this application requires little random masking material.
Referring to Fig. 2, which is another implementation flow chart of the mask method for the SM4 algorithm provided by the embodiments of this application, the method comprises:
Step S201: obtain the input plaintext with mask, the random mask and the round keys.
Step S202: divide the bits forming the plaintext with mask into M groups in order from the most significant bit to the least significant bit, obtaining M sub-plaintexts with mask, the M sub-plaintexts having the same number of bits.
In this embodiment M is a positive integer greater than 1. In practice the plaintext with mask may be 128 bits and M may be 4, so step S202 can be expressed as dividing the 128 bits of the plaintext with mask, in order from high to low, into 4 sub-plaintexts of 32 bits each. The sub-plaintexts after division may be written X'_i, X'_{i+1}, X'_{i+2}, X'_{i+3}, where the bits of X'_i occupy higher positions in the plaintext with mask than the bits of X'_{i+1}, which in turn occupy higher positions than the bits of X'_{i+2}, which occupy higher positions than the bits of X'_{i+3}.
Step S203: divide the bits forming the random mask into M groups in order from high to low, obtaining M sub-random-masks having the same number of bits.
In this embodiment M is a positive integer greater than 1. In practice the random mask may be 32 to 128 bits and M may be 4, so step S203 can be expressed as dividing the bits of the random mask, in order from high to low, into 4 sub-random-masks, written M_i, M_{i+1}, M_{i+2}, M_{i+3}, where the bits of M_i occupy higher positions in the random mask than the bits of M_{i+1}, which occupy higher positions than the bits of M_{i+2}, which occupy higher positions than the bits of M_{i+3}.
Note that this embodiment does not limit the order of steps S202 and S203: step S202 may be performed before step S203, or step S203 before step S202.
Step S204: perform the composite permutation operation of the first round operation of the plaintext with mask on the last M-1 sub-plaintexts and the first round key.
Here the last M-1 sub-plaintexts are the M-1 sub-plaintexts with mask whose bits occupy the lowest positions in the plaintext with mask.
Taking M = 4 as an illustration, the formula implementing step S204 is:
T'(X'_{i+1}, X'_{i+2}, X'_{i+3}, rk_i);
where T' is the composite permutation operation, X'_{i+1}, X'_{i+2}, X'_{i+3} are the last three sub-plaintexts, rk_i is the first round key, and i denotes the round number.
Step S205: perform the composite permutation operation of the first round operation of the random mask on the last M-1 sub-random-masks.
Here the last M-1 sub-random-masks are the M-1 sub-random-masks whose bits occupy the lowest positions in the random mask.
Taking M = 4 as an illustration, the formula implementing step S205 is:
T'(M_{i+1}, M_{i+2}, M_{i+3});
where T' is the composite permutation operation, M_{i+1}, M_{i+2}, M_{i+3} are the last three sub-random-masks, and i denotes the round number.
Step S206: XOR the result of the composite permutation operation of the plaintext with mask with the sub-plaintext other than the last M-1 sub-plaintexts, and take the result as the first-round ciphertext; XOR the result of the composite permutation operation of the random mask with the sub-random-mask other than the last M-1 sub-random-masks, and take the result as the first-round mask.
Taking M = 4 as an illustration, the formulas implementing step S206 are:
where ⊕ denotes the XOR operation and i denotes the round number.
The composite permutation operation in steps S204 and S205 comprises a nonlinear transformation τ' and a linear transformation L; the input of L is the output of τ', and τ' is realised by an S-box with mask.
Taking M = 4, a 128-bit input plaintext with mask and a 32- to 128-bit random mask as an example, the realisation of the S-box is described below:
The inputs of the S-box are the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask. The intermediate value of the first-round ciphertext is the XOR of the last 3 sub-plaintexts with the first round key, and the intermediate value of the first-round mask is the XOR of the last 3 sub-random-masks;
If the XOR of the last 3 sub-plaintexts with the first round key is denoted A', and the XOR of the last 3 sub-random-masks is denoted MI, then A' and MI are given by:
A' = X'_{i+1} ⊕ X'_{i+2} ⊕ X'_{i+3} ⊕ rk_i,  MI = M_{i+1} ⊕ M_{i+2} ⊕ M_{i+3}.
The output of the S-box is the result of applying the affine transformations and the inversion operation to the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask.
Let the output of the S-box be (B', M').
The output of the linear transformation L, whose input is this S-box output, is written (C', M''):
C' and M'' are respectively the result of the composite permutation operation of the plaintext with mask and the result of the composite permutation operation of the random mask, that is:
T'(X'_{i+1}, X'_{i+2}, X'_{i+3}, rk_i) = C',  T'(M_{i+1}, M_{i+2}, M_{i+3}) = M'';
Optionally, applying the affine transformation matrices and the inversion operation to the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask, as shown in Fig. 3, comprises:
Step S301: using the first affine transformation matrix, perform the first affine transformation operation over the finite field GF(2^8) on the intermediate value of the first-round ciphertext and on the intermediate value of the first-round mask respectively, obtaining the S-box output with mask and the mask output.
Let the intermediate value of the first-round ciphertext be x', the intermediate value of the first-round mask be m, the S-box output with mask be y' and the mask output be n; then:
y' = TA_1 · x' + TC_1,
n = TA_1 · m.
Here TA_1 is an 8×8 affine transformation matrix and TC_1 is a column vector, with the specific values as follows:
TC_1 = (1 1 0 0 0 0 1 0)^T.
Step S302: perform the inversion operation over the composite field GF(((2^2)^2)^2) on the S-box output with mask and on the mask output respectively, obtaining the inverse output with mask and the mask inverse output.
Let the inverse output with mask be z' and the mask inverse output be n'; then:
(z', n') = f(y', n);
where f(y', n) denotes a finite-field operation over GF(2^8) satisfying the following two conditions: (1) (z' + n') = (y' + n)^{-1}, where the irreducible polynomial of degree 8 corresponding to the inversion in GF(2^8) is g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1; (2) no unmasked intermediate result appears during the computation.
Step S303: using the second affine transformation matrix, perform the second affine transformation operation over the finite field GF(2^8) on the inverse output with mask and on the mask inverse output respectively, and take the result of the second affine transformation operation as the output of the S-box.
Let the output of the S-box be (s', m'); then:
s' = TA_2 · z' + C_2,
m' = TA_2 · n'.
Here TA_2 is an 8×8 affine transformation matrix and C_2 is a column vector, with the specific values as follows:
C_2 = (1 1 0 1 0 0 1 1)^T.
The final output of the S-box is thus S(x) = S(x' + m) = s' + m'.
Optionally, performing the inversion operation over the composite field GF(((2^2)^2)^2) on the S-box output with mask and on the mask output respectively, as shown in Fig. 4, comprises:
Step S401: using a first normal basis, express the S-box output with mask and the mask output respectively as linear polynomials over the finite field GF(2^4), the elements of the first normal basis being the roots of a quadratic irreducible polynomial whose constant term belongs to GF(2^4), and the coefficients of the linear polynomials over GF(2^4) belonging to GF(2^4).
In this embodiment the S-box output with mask is y' and the mask output is n;
Using the first normal basis [Y^16, Y] to represent the elements of GF(2^8), where Y and Y^16 are the pair of roots of the irreducible polynomial r(y) = y^2 + y + v, v ∈ GF(2^4), y' and n can be written as:
y' = y'_1 Y^16 + y'_0 Y,  n = n_1 Y^16 + n_0 Y;
where y'_i, n_i ∈ GF(2^4), (i = 0, 1).
Step S402: according to the linear polynomial of the S-box output with mask over GF(2^4) and the linear polynomial of the mask output over GF(2^4), express the inverse of the sum of the S-box output with mask and the mask output using elements of GF(2^4) and a first parameter, the first parameter being used for the inversion of elements in GF(2^4).
Let the first parameter be a; the inversion over GF(2^8)/GF(2^4) can then be expressed in terms of a as follows:
where a, v ∈ GF(2^4).
Step S403: express the inverse of the sum, written with elements of GF(2^4) and the first parameter, using a first output and a second output, the first output and the second output being the dependent variables of a first function whose independent variables are a first subparameter and a second subparameter obtained by decomposing the first parameter, such that the inverse of the sum of the first subparameter and the second subparameter equals the sum of the first output and the second output.
Let the first output be b', the second output be t', and the first and second subparameters be a' and t respectively; then
(b', t') = h(a', t), with b', t', a', t ∈ GF(2^4) and (b' + t') = a^{-1} = (a' + t)^{-1},
(y' + n)^{-1} = ((b' + t')(y'_0 + n_0)) Y^16 + ((b' + t')(y'_1 + n_1)) Y   (1)
Step S404: decompose the inverse of the sum, expressed with the first output and the second output, into a first part and a second part; take the first part as the inverse output with mask and the second part as the mask inverse output.
Let the inverse output with mask be z' and the mask inverse output be n';
decomposing formula (1) into two parts gives z' and n':
z' = ((b' + t') y'_0 + b' n_0) Y^16 + ((b' + t') y'_1 + b' n_1) Y,  z' ∈ GF(2^8)   (2)
n' = t' n_0 Y^16 + t' n_1 Y,  n' ∈ GF(2^8)   (3)
Step S405: using a second normal basis, express the first subparameter and the second subparameter as linear polynomials over the finite field GF(2^2), the elements of the second normal basis being the roots of a quadratic irreducible polynomial whose constant term belongs to GF(2^2), and the coefficients of the linear polynomials over GF(2^2) belonging to the finite field GF(2^4).
Using the second normal basis [Z^4, Z] to represent the elements of GF(2^4), where Z and Z^4 are the pair of roots of the irreducible polynomial s(z) = z^2 + z + ρ, ρ ∈ GF(2^2), a' and t can be written as:
a' = a'_1 Z^4 + a'_0 Z,  t = t_1 Z^4 + t_0 Z, where a'_i, t_i, b'_i, t'_i ∈ GF(2^2), (i = 0, 1).
Step S406: according to the linear polynomials of the first subparameter and the second subparameter over GF(2^2), express the inverse of the first parameter using elements of GF(2^2) and a second parameter, the second parameter being used for the inversion of elements in GF(2^2).
Let the second parameter be c; the formulas realising step S406 are:
(a' + t)^{-1} = (c^{-1}(a'_0 + t_0)) Z^4 + (c^{-1}(a'_1 + t_1)) Z;
c = (a'_0 a'_1 + (a'_0 + a'_1)^2 ρ) + a'_1 t_0 + a'_0 t_1 + (t_0 t_1 + (t_0 + t_1)^2 ρ);
where c, ρ ∈ GF(2^2).
Step S407: express the inverse of the first parameter, written with elements of GF(2^2) and the second parameter, using a third output and a fourth output, the third output and the fourth output being the dependent variables of a second function whose independent variables are a third subparameter and a fourth subparameter obtained by decomposing the second parameter, such that the inverse of the sum of the third subparameter and the fourth subparameter equals the sum of the third output and the fourth output.
Let the third output be d', the fourth output be k', the third subparameter be c' and the fourth subparameter be k; then:
(d', k') = g(c', k), such that (d' + k') = c^{-1},
(a' + t)^{-1} = ((d' + k')(a'_0 + t_0)) Z^4 + ((d' + k')(a'_1 + t_1)) Z   (4)
Step S408: decompose the inverse of the first parameter, expressed with the third output and the fourth output, into a third part and a fourth part; take the third part as the first output and the fourth part as the second output.
Decomposing formula (4) into two parts gives:
b' = ((d' + k') a'_0 + d' t_0) Z^4 + ((d' + k') a'_1 + d' t_1) Z,  b' ∈ GF(2^4)   (5)
t' = k' t_0 Z^4 + k' t_1 Z,  t' ∈ GF(2^4)   (6)
Step S409: using a third normal basis, express the third subparameter and the fourth subparameter as linear polynomials over the finite field GF(2), the elements of the third normal basis being the roots of a quadratic irreducible polynomial whose constant term belongs to GF(2), and the coefficients of the linear polynomials over GF(2) belonging to GF(2).
Using the third normal basis [W^2, W] to represent the elements of GF(2^2), where W and W^2 are the pair of roots of the irreducible polynomial t(w) = w^2 + w + 1, c' and k can be written as:
c' = c'_1 W^2 + c'_0 W,  k = k_1 W^2 + k_0 W.
Step S410: according to the linear polynomials of the third subparameter and the fourth subparameter over GF(2), express the inverse of the second parameter using elements of GF(2); the inverse of the second parameter finally obtained is the sum of the inverse of the third subparameter and the inverse of the fourth subparameter.
The inversion over GF(2^2)/GF(2) can be expressed by:
(c' + k)^{-1} = (c'_0 + k_0) W^2 + (c'_1 + k_1) W = c'^{-1} + k^{-1}.
Step S411: take the third output to be the inverse of the third subparameter, and the fourth output to be the inverse of the fourth subparameter.
That is, d' = c'^{-1}, k' = k^{-1}.
Step S412: from the third output, which is the inverse of the third subparameter, and the fourth output, which is the inverse of the fourth subparameter, compute the third part and the fourth part, obtaining the first output and the second output.
Substituting d' = c'^{-1}, k' = k^{-1} into formulas (5) and (6) gives b' and t'.
Step S413: from the computed first output and second output, compute the first part and the second part; take the computed first part as the inverse output with mask and the computed second part as the mask inverse output.
Substituting b' and t' into formulas (2) and (3) gives z' and n'.
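The share-wise inversion of steps S401 to S413 can be exercised end to end in the tower representation. The Python below is an added illustration written for this page, not code from the patent. It builds GF(2^2), GF(2^4) and GF(2^8) in the normal bases [W^2, W], [Z^4, Z] and [Y^16, Y] (an element is a 2-, 4- or 8-bit integer whose upper and lower halves are the coefficients), chooses the constants ρ and v by search because the page does not give their values, and implements the masked inverse recursively with the norm of step S406, the GF(2^2) coefficient swap of steps S410/S411 and the recombination of formulas (2), (3), (5) and (6). The way the norm is split into a masked share and a mask share, the choice of computing b'·y'_0 and t'·y'_0 as separate products, and all function names are this example's own assumptions. The change of basis between this tower representation and the polynomial basis of GF(2^8), and the affine matrices TA_1 and TA_2, are not on the page and are not included.

```python
"""Masked inversion in the tower field GF(((2^2)^2)^2), following the share
structure of steps S401-S413 (formulas (1)-(6)).  Added illustration written for
this page, not code from the patent.  Each level is a quadratic extension by
x^2 + x + nu represented in the normal basis {X^q, X}; an element is an integer
whose upper half holds the coefficient of X^q and whose lower half that of X.
In a normal basis the multiplicative identity is the all-ones pattern, not 1."""

# Level 1 (GF(2^2) over GF(2)) uses w^2 + w + 1.  The constants rho (level 2) and
# v (level 3) are not given on the page, so they are chosen by search below.
NU = {1: 1}


def mul(a, b, k):
    """Multiply two elements of the level-k field (2**k bits) in normal-basis form."""
    if k == 0:                      # GF(2)
        return a & b
    w = 1 << (k - 1)                # bit width of the subfield
    lo = (1 << w) - 1
    a1, a0, b1, b0 = a >> w, a & lo, b >> w, b & lo
    # (a1 X^q + a0 X)(b1 X^q + b0 X) with X^q = X + 1 and X * X^q = nu
    cross = mul(NU[k], mul(a1 ^ a0, b1 ^ b0, k - 1), k - 1)
    return ((mul(a1, b1, k - 1) ^ cross) << w) | (mul(a0, b0, k - 1) ^ cross)


def one(k):
    """Identity of the level-k field: 1 = X + X^q, i.e. all coefficient bits set."""
    return (1 << (1 << k)) - 1


def find_nu(k):
    """Smallest nu in the level-(k-1) field for which x^2 + x + nu has no root there."""
    w = 1 << (k - 1)
    for nu in range(1, 1 << w):
        if all(mul(y, y, k - 1) ^ y ^ nu for y in range(1 << w)):
            return nu
    raise ValueError("no irreducible polynomial found")


NU[2] = find_nu(2)   # rho in GF(2^2): assumed value, fixed by the search
NU[3] = find_nu(3)   # v in GF(2^4):   assumed value, fixed by the search


def norm(s1, s0, j):
    """N(s) = s1*s0 + nu*(s1 + s0)^2 for s = s1 X^q + s0 X; lies in the level-j subfield."""
    d = s1 ^ s0
    return mul(s1, s0, j) ^ mul(NU[j + 1], mul(d, d, j), j)


def masked_inv(xs, ms, k):
    """Return shares (zs, ns) with zs ^ ns == (xs ^ ms)^-1 in the level-k field, without
    ever forming xs ^ ms.  Zero maps to zero, as the S-box inversion requires."""
    w = 1 << (k - 1)
    lo = (1 << w) - 1
    if k == 1:
        # GF(2^2)/GF(2): inversion is the Frobenius map, which swaps the coefficients
        # and is additive, so each share is inverted on its own (steps S410/S411).
        def swap(s):
            return ((s & lo) << w) | (s >> w)
        return swap(xs), swap(ms)
    j = k - 1
    x1, x0, m1, m0 = xs >> w, xs & lo, ms >> w, ms & lo
    # Shares of the norm a = N(x + m) (step S406): the masked share takes N(x) plus
    # the cross terms, the mask share is N(m).  This split is the example's choice.
    a_share = norm(x1, x0, j) ^ mul(x1, m0, j) ^ mul(x0, m1, j)
    t_share = norm(m1, m0, j)
    b, t = masked_inv(a_share, t_share, j)       # b ^ t == a^-1 in the subfield
    # Formulas (2)/(3): inverse = a^-1 * (x + m)^q; b and t are applied separately so
    # that a^-1 itself never appears as an intermediate value.
    z1 = mul(b, x0, j) ^ mul(t, x0, j) ^ mul(b, m0, j)
    z0 = mul(b, x1, j) ^ mul(t, x1, j) ^ mul(b, m1, j)
    n1, n0 = mul(t, m0, j), mul(t, m1, j)
    return (z1 << w) | z0, (n1 << w) | n0


def check_all(k=3):
    """Check, for every element and a few masks, that the recombined shares are the
    true inverse; returns True on success."""
    for m in (0x00, 0x5A, 0xFF):
        for x in range(1 << (1 << k)):
            zs, ns = masked_inv(x ^ m, m, k)
            z = zs ^ ns
            if (z != 0) if x == 0 else (mul(x, z, k) != one(k)):
                return False
    return True


if __name__ == "__main__":
    print("rho =", NU[2], "v =", NU[3], "masked inversion correct:", check_all())
```

`check_all` recombines the two shares only to compare against the field multiplication; the shares themselves are produced by `masked_inv` without that recombination, which is the property condition (2) of step S302 asks for. The same recursion serves both the GF(2^8)/GF(2^4) level (steps S402 to S404) and the GF(2^4)/GF(2^2) level (steps S406 to S408), since formulas (2)/(3) and (5)/(6) have the same shape.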
Step S207: perform the second round operation of the round function on the first-round ciphertext, the first-round mask and the second round key among the round keys, obtaining the second-round ciphertext and the second-round mask; the N rounds of the round function are carried out in this manner, N being a positive integer greater than 1.
Likewise, continuing the explanation with M = 4: after steps S206 and S207, the first-round ciphertext obtained may be X'_{i+4} and the first-round mask obtained may be M_{i+4}; X'_{i+1}, X'_{i+2}, X'_{i+3}, X'_{i+4}, rk_{i+1}, M_{i+1}, M_{i+2}, M_{i+3}, M_{i+4} are then taken as the input of the second round operation, and the second round operation of the round function is carried out.
Step S208: XOR the N-th-round ciphertext and the N-th-round mask output by the N-th round operation, and take the result as the output of the SM4 algorithm.
In the technical solution provided by this embodiment, in the N round operations of the round function, the mask required by each round other than the first is obtained from the output of the immediately preceding round; that is, no new random mask has to be introduced in any round other than the first. Consequently, the scheme of this application does not need to unmask the intermediate values of the N round operations, which provides resistance to attacks.
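The mask-propagation structure of steps S201 to S208 (and of steps S102 to S104), as an added Python example written for this page rather than code from the patent. It keeps a masked share X' and a mask share M for each 32-bit word, applies T' to both, and feeds round i's mask output M_{i+4} into round i+1 unchanged, so only the initial random mask is ever consumed. The S-box is a stand-in: the bare inversion in GF(2^8) under the polynomial g(x) named in step S302, without the affine matrices TA_1 and TA_2 whose values the page does not reproduce, and its masked evaluation uses table recomputation instead of the patent's composite-field inversion; the linear transformation L is that of the SM4 standard. The round keys, the plaintext and the mask are constructed sample values, and the function names are this example's own.

```python
"""Mask propagation through the SM4 round function (steps S201-S208).  Added
illustration written for this page, not the patent's code.  The S-box is a stand-in:
the bare inversion in GF(2^8) under g(x) = x^8+x^7+x^6+x^5+x^4+x^2+1 of step S302,
without the affine layers TA1/TA2 (not reproduced on the page); its masked evaluation
uses table recomputation instead of the patent's composite-field inversion."""

POLY = 0x1F5           # g(x) = x^8 + x^7 + x^6 + x^5 + x^4 + x^2 + 1
MASK32 = 0xFFFFFFFF
BYTE_SHIFTS = (24, 16, 8, 0)

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo g(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r & 0xFF

def gf_inv(a):
    """Inverse in GF(2^8), with 0 mapped to 0 as the S-box convention requires."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

SBOX = [gf_inv(x) for x in range(256)]   # stand-in S-box (inversion only)

def masked_sbox(x_masked, m):
    """Return (s', m') with s' ^ m' == SBOX[x_masked ^ m] without evaluating SBOX on
    the unmasked byte.  As in the patent, m' depends on m only; m' = SBOX[m] is this
    example's choice (a zero input mask leaves that byte unprotected, so the mask
    must come from a proper random source)."""
    m_out = SBOX[m]
    table = [SBOX[v ^ m] ^ m_out for v in range(256)]   # recomputed masked table
    return table[x_masked], m_out

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def L(b):
    """Linear transformation L of the SM4 round function."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)

def masked_T(x1, x2, x3, rk, m1, m2, m3):
    """T'(X'_{i+1}, X'_{i+2}, X'_{i+3}, rk_i) and T'(M_{i+1}, M_{i+2}, M_{i+3}) of
    steps S204/S205; returns (C', M'')."""
    a_masked = x1 ^ x2 ^ x3 ^ rk   # A': intermediate value of the first-round ciphertext
    a_mask = m1 ^ m2 ^ m3          # MI: intermediate value of the first-round mask
    b_masked = b_mask = 0
    for s in BYTE_SHIFTS:          # byte-wise masked S-box (tau')
        sb, nb = masked_sbox((a_masked >> s) & 0xFF, (a_mask >> s) & 0xFF)
        b_masked |= sb << s
        b_mask |= nb << s
    return L(b_masked), L(b_mask)  # L is linear, so it acts on each share separately

def split_words(v):
    """128-bit integer -> four 32-bit words, most significant first (steps S202/S203)."""
    return [(v >> s) & MASK32 for s in (96, 64, 32, 0)]

def join_words(words):
    return sum(w << s for w, s in zip(words, (96, 64, 32, 0)))

def masked_rounds(plaintext, mask, round_keys):
    """Run one masked round per round key; returns (masked words, mask words)."""
    X = split_words(plaintext ^ mask)   # X'_i .. X'_{i+3}
    M = split_words(mask)               # M_i  .. M_{i+3}
    for rk in round_keys:
        c, mm = masked_T(X[1], X[2], X[3], rk, M[1], M[2], M[3])
        X = X[1:] + [X[0] ^ c]          # X'_{i+4} = X'_i xor C'  (step S206)
        M = M[1:] + [M[0] ^ mm]         # M_{i+4}  = M_i  xor M'' (no fresh randomness)
    return X, M

def encrypt_masked(plaintext, mask, round_keys):
    """Step S208: XOR the N-th-round ciphertext with the N-th-round mask."""
    X, M = masked_rounds(plaintext, mask, round_keys)
    return join_words([x ^ m for x, m in zip(X, M)])

def encrypt_reference(plaintext, round_keys):
    """The same rounds on unmasked data, used only to check the masked version."""
    X = split_words(plaintext)
    for rk in round_keys:
        a = X[1] ^ X[2] ^ X[3] ^ rk
        b = sum(SBOX[(a >> s) & 0xFF] << s for s in BYTE_SHIFTS)
        X = X[1:] + [X[0] ^ L(b)]
    return join_words(X)

# Constructed sample values (not from the page); N = 32 rounds as in step S103.
ROUND_KEYS = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(32)]
PLAINTEXT = 0x0123456789ABCDEFFEDCBA9876543210
MASK = 0x5A5A3C3CA5A5C3C3F0F00F0F11112222

if __name__ == "__main__":
    ct = encrypt_masked(PLAINTEXT, MASK, ROUND_KEYS)
    print(hex(ct), ct == encrypt_reference(PLAINTEXT, ROUND_KEYS))
```

Two properties are worth checking on this structure: the unmasked result of `encrypt_masked` must equal `encrypt_reference` for any plaintext, mask and round keys, and the sequence of mask words produced by `masked_rounds` must depend on the initial mask alone and not on the plaintext, which is what allows the masks to be carried from round to round without drawing new randomness.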
The mask device for the SM4 algorithm provided by the embodiments of this application is described below; the mask device described below and the mask method for the SM4 algorithm described above may be referred to in correspondence with each other.
Referring to Fig. 6, which is a structural schematic diagram of a mask device for the SM4 algorithm disclosed in an embodiment of this application, the device comprises:
an obtaining module 601, for obtaining the input plaintext with mask, the random mask and the round keys;
a first round operation module 602, for performing the first round operation of the round function on the plaintext with mask, the random mask and the first round key among the round keys, obtaining the first-round ciphertext and the first-round mask;
a second round operation module 603, for performing the second round operation of the round function on the first-round ciphertext, the first-round mask and the second round key among the round keys, obtaining the second-round ciphertext and the second-round mask, the N rounds of the round function being carried out in this manner, N being a positive integer greater than 1;
a first output module 604, for XORing the N-th-round ciphertext and the N-th-round mask output by the N-th round operation, and taking the result as the output of the SM4 algorithm.
In the technical solution provided by this embodiment, in the N round operations of the round function, the mask required by each round operation module other than the first is obtained from the output of the immediately preceding round operation module; that is, no new random mask has to be introduced in any round other than the first. Consequently, the scheme of this application does not need to unmask the intermediate values of the N round operations, which provides resistance to attacks.
Referring to Fig. 7, which is another structural schematic diagram of a mask device for the SM4 algorithm disclosed in an embodiment of this application, the device comprises:
an obtaining module 701, for obtaining the input plaintext with mask, the random mask and the round keys;
a first division module 702, for dividing the bits forming the plaintext with mask into M groups in order from high to low, obtaining M sub-plaintexts with mask having the same number of bits, and for dividing the bits forming the random mask into M groups in order from high to low, obtaining M sub-random-masks having the same number of bits;
a second division module 703, for performing the composite permutation operation of the first round operation of the plaintext with mask on the last M-1 sub-plaintexts and the first round key, the last M-1 sub-plaintexts being the M-1 sub-plaintexts with mask whose bits occupy the lowest positions in the plaintext with mask;
a composite permutation operation module 704, for performing the composite permutation operation of the first round operation of the random mask on the last M-1 sub-random-masks, the last M-1 sub-random-masks being the M-1 sub-random-masks whose bits occupy the lowest positions in the random mask;
the composite permutation operation comprises a nonlinear transformation, and the nonlinear transformation is realised by an S-box operation module;
the S-box operation module comprises:
a receiving module, for receiving the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask, the intermediate value of the first-round ciphertext being the XOR of the last M-1 sub-plaintexts with the first round key, and the intermediate value of the first-round mask being the XOR of the last M-1 sub-random-masks;
a second output module, for applying the affine transformations and the inversion operation to the intermediate value of the first-round ciphertext and the intermediate value of the first-round mask, and taking the result of the affine transformations and the inversion operation as the output of the S-box.
As shown in Fig. 8, the second output module comprises:
a first affine transformation module 801, for using the first affine transformation matrix to perform the first affine transformation operation over the finite field GF(2^8) on the intermediate value of the first-round ciphertext and on the intermediate value of the first-round mask respectively, obtaining the S-box output with mask and the mask output;
an inversion module 802, for performing the inversion operation over the composite field GF(((2^2)^2)^2) on the S-box output with mask and on the mask output respectively, obtaining the inverse output with mask and the mask inverse output;
a second affine transformation module 803, for using the second affine transformation matrix to perform the second affine transformation operation over the finite field GF(2^8) on the inverse output with mask and on the mask inverse output respectively, and taking the result of the second affine transformation operation as the output of the S-box.
As shown in Fig. 9, the inversion module comprises:
a first representation module 901, for using the first normal basis to express the S-box output with mask and the mask output respectively as linear polynomials over the finite field GF(2^4), the elements of the first normal basis being the roots of a quadratic irreducible polynomial whose constant term belongs to GF(2^4), and the coefficients of the linear polynomials over GF(2^4) belonging to GF(2^4);
a second representation module 902, for expressing, according to the linear polynomial of the S-box output with mask over GF(2^4) and the linear polynomial of the mask output over GF(2^4), the inverse of the sum of the S-box output with mask and the mask output using elements of GF(2^4) and the first parameter, the first parameter being used for the inversion of elements in GF(2^4);
a third representation module 903, for expressing the inverse of the sum, written with elements of GF(2^4) and the first parameter, using the first output and the second output, the first output and the second output being the dependent variables of the first function whose independent variables are the first subparameter and the second subparameter obtained by decomposing the first parameter, such that the inverse of the sum of the first subparameter and the second subparameter equals the sum of the first output and the second output;
a first decomposition module 904, for decomposing the inverse of the sum, expressed with the first output and the second output, into the first part and the second part, taking the first part as the inverse output with mask and the second part as the mask inverse output;
a fourth representation module 905, for using the second normal basis to express the first subparameter and the second subparameter as linear polynomials over the finite field GF(2^2), the elements of the second normal basis being the roots of a quadratic irreducible polynomial whose constant term belongs to GF(2^2), and the coefficients of the linear polynomials over GF(2^2) belonging to the finite field GF(2^4);
a fifth representation module 906, for expressing, according to the linear polynomials of the first subparameter and the second subparameter over GF(2^2), the inverse of the first parameter using elements of GF(2^2) and the second parameter, the second parameter being used for the inversion of elements in GF(2^2);
a sixth representation module 907, for expressing the inverse of the first parameter, written with elements of GF(2^2) and the second parameter, using the third output and the fourth output, the third output and the fourth output being the dependent variables of the second function whose independent variables are the third subparameter and the fourth subparameter obtained by decomposing the second parameter, such that the inverse of the sum of the third subparameter and the fourth subparameter equals the sum of the third output and the fourth output;
a second decomposition module 908, for decomposing the inverse of the first parameter, expressed with the third output and the fourth output, into the third part and the fourth part, taking the third part as the first output and the fourth part as the second output;
a seventh representation module 909, for using the third normal basis to express the third subparameter and the fourth subparameter respectively as linear polynomials over the finite field GF(2), the elements of the third normal basis being the roots of a quadratic irreducible polynomial whose constant term belongs to GF(2), and the coefficients of the linear polynomials over GF(2) belonging to GF(2);
an eighth representation module 910, for expressing, according to the linear polynomials of the third subparameter and the fourth subparameter over GF(2), the inverse of the second parameter using elements of GF(2), the inverse of the second parameter finally obtained being the sum of the inverse of the third subparameter and the inverse of the fourth subparameter;
a determining module 911, for taking the third output to be the inverse of the third subparameter and the fourth output to be the inverse of the fourth subparameter;
a first computing module 912, for computing the third part and the fourth part from the third output, which is the inverse of the third subparameter, and the fourth output, which is the inverse of the fourth subparameter, obtaining the first output and the second output;
a second computing module 913, for computing the first part and the second part from the computed first output and second output, taking the computed first part as the inverse output with mask and the computed second part as the mask inverse output.
an XOR operation module 705, for XORing the result of the composite permutation operation of the plaintext with mask with the sub-plaintext other than the last M-1 sub-plaintexts and taking the result as the first-round ciphertext, and for XORing the result of the composite permutation operation of the random mask with the sub-random-mask other than the last M-1 sub-random-masks and taking the result as the first-round mask.
a second round operation module 706, for performing the second round operation of the round function on the first-round ciphertext, the first-round mask and the second round key among the round keys, obtaining the second-round ciphertext and the second-round mask, the N rounds of the round function being carried out in this manner, N being a positive integer greater than 1;
a first output module 707, for XORing the N-th-round ciphertext and the N-th-round mask output by the N-th round operation, and taking the result as the output of the SM4 algorithm.
In the technical solution provided by this embodiment, in the N round operations of the round function, the mask required by each round operation module other than the first is obtained from the output of the immediately preceding round operation module; that is, no new random mask has to be introduced in any round other than the first. Consequently, the scheme of this application does not need to unmask the intermediate values of the N round operations, which provides resistance to attacks.
As for the device or system embodiments, since they essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant parts. The device or system embodiments described above are only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, device and method may be realised in other ways without exceeding their spirit and scope. The present embodiment is only an example, should not be taken as limiting, and the particular content given should in no way limit the purpose of this application. For example, the division of the units or subunits is only a logical functional division, and other division manners are possible in actual implementation, such as combining multiple units or multiple subunits. In addition, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
Furthermore, the schematic diagrams of the described system, device and method and of the different embodiments may be combined or integrated with other systems, units, techniques or methods without departing from the scope of this application. Moreover, the mutual coupling, direct coupling or communication connection shown or discussed may be realised through some interfaces, and the indirect coupling or communication connection of the devices or units may be electrical, mechanical or of another form.
The above is only a specific embodiment of the invention. It should be noted that a person of ordinary skill in the art may make various improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (10)

1. A mask method for the SM4 algorithm, characterised by comprising:
obtaining the input plaintext with mask, the random mask and the round keys;
performing the first round operation of the round function on the plaintext with mask, the random mask and the first round key among the round keys, obtaining the first-round ciphertext and the first-round mask;
performing the second round operation of the round function on the first-round ciphertext, the first-round mask and the second round key among the round keys, obtaining the second-round ciphertext and the second-round mask, and successively realising the N rounds of the round function, N being a positive integer greater than 1, wherein the second-round mask is obtained from the first-round mask;
XORing the N-th-round ciphertext and the N-th-round mask output by the N-th round operation, and taking the result as the output of the SM4 algorithm.
2. The method according to claim 1, wherein performing the first round operation of the round function on the plaintext with mask, the random mask and the first round key among the round keys comprises:
dividing the bits forming the plaintext with mask into M groups in order from high to low, obtaining M sub-plaintexts with mask having the same number of bits; dividing the bits forming the random mask into M groups in order from high to low, obtaining M sub-random-masks having the same number of bits; performing the composite permutation operation of the first round operation of the plaintext with mask on the last M-1 sub-plaintexts and the first round key, the last M-1 sub-plaintexts being the M-1 sub-plaintexts with mask whose bits occupy the lowest positions in the plaintext with mask;
performing the composite permutation operation of the first round operation of the random mask on the last M-1 sub-random-masks, the last M-1 sub-random-masks being the M-1 sub-random-masks whose bits occupy the lowest positions in the random mask;
XORing the result of the composite permutation operation of the plaintext with mask with the sub-plaintext other than the last M-1 sub-plaintexts and taking the result as the first-round ciphertext; XORing the result of the composite permutation operation of the random mask with the sub-random-mask other than the last M-1 sub-random-masks and taking the result as the first-round mask.
3. described according to the method described in claim 2, it is characterized in that, the synthesis in-place computation includes nonlinear transformation Nonlinear transformation is realized by the S box with mask;
The operation of the S box with mask, comprising:
The median of first round ciphertext and the median of first round mask are received, after the median of the first round ciphertext is described It is that M-1 group takes XOR operation with first round key in plain text as a result, the first round mask median be it is described after M-1 group Sub- random mask takes the result of XOR operation;
The median of median and the first round mask to the first round ciphertext carries out affine transformation and inversion operation, and Using the result after the affine transformation and inversion operation as the output of the S box.
4. according to the method described in claim 3, it is characterized in that, median and the first round to the first round ciphertext The median of mask carries out affine transformation matrix and inversion operation, comprising:
Using the first affine transformation matrix, the centre of the median to the first round ciphertext and the first round mask respectively Value carries out finite field gf (28) on first time affine transformation operation, obtain with mask S box output and mask output;
To the output of S box and mask output with mask, compositum GF (((2 is carried out respectively2)2)2) on take inverse fortune It calculates, obtains taking inverse output and mask to take inverse output with mask;
Using the second affine transformation matrix, takes inverse output and the mask to take inverse output with mask to described respectively, had Confinement GF (28) on second of affine transformation operation, and using the result of second of affine transformation operation as the S box Output.
5. according to the method described in claim 4, it is characterized in that, being exported to the S box output with mask and the mask Compositum GF (((2 is carried out respectively2)2)2) on take inverse operation, comprising:
Using the first normal basis, the output of S box and mask output by described with mask, are expressed as finite field gf (2 respectively4) In once linear multinomial, the element in first normal basis is that constant belongs to finite field gf (24) it is secondary irreducible more The root of item formula, the finite field gf (24) in the polynomial coefficient of once linear belong to finite field gf (24);
According to the S box output with mask, in finite field gf (24) in once linear multinomial and the mask output having Confinement GF (24) in once linear multinomial, by it is described with mask S box output exported with the mask and take it is inverse, use Finite field gf (24) in element and the first parameter indicate, first parameter be used for the finite field gf (24) in element It takes inverse;
Finite field gf (2 will be used4) in indicate described of element and the first parameter and take it is inverse, with the first output and the second output It indicates, first output and second output are the dependent variable of first function, and the independent variable of the first function is by institute State the first parameter decomposition at the first subparameter and the second subparameter, to taking for the sum of first subparameter and the second subparameter The result of inverse operation is the sum of first output and second output;
Taking for sum described in being indicated with first output and second output is inverse, resolves into first part and second Point, and inverse output is taken with mask using first part as described, inverse output is taken using second part as the mask;
First subparameter and second subparameter are expressed as finite field gf (2 using the second normal basis2) in Once linear multinomial, the element in second normal basis are that constant belongs to finite field gf (22) secondary irreducible function Root, the finite field gf (22) in the polynomial coefficient of once linear belong to finite field gf (24);
According to first subparameter and second subparameter in finite field gf (22) in once linear multinomial, will be to institute That states the first parameter takes inverse finite field gf (22) in element and the second parameter indicate that second parameter to described for having Confinement GF (22) in element take it is inverse;
Finite field gf (2 will be used2) in the first parameter for indicating of element and the second parameter take it is inverse, it is defeated with third output and the 4th It indicates out, third output and the 4th output are second function because becoming, and the independent variable of the second function is by institute State the second parameter decomposition at third subparameter and the 4th subparameter, to taking for the sum of the third subparameter and the 4th subparameter Inverse operation as a result, for the third output and the 4th output the sum of;
Taking for the first parameter indicated with third output and the 4th output is inverse, resolve into Part III and the 4th Point, and using Part III as to first output, it is exported Part IV as described second;
Using third normal basis, the third subparameter and the 4th subparameter are expressed as in finite field gf (2) Once linear multinomial, the element in the third normal basis are the secondary irreducible function that constant belongs to finite field gf (2) Root, the polynomial coefficient of once linear in the finite field gf (2) belongs to finite field gf (2);
It, will be to institute according to the once linear multinomial of the third subparameter and the 4th subparameter in finite field gf (2) The element representation of the second parameter taken in inverse finite field gf (2) is stated, and finally obtains and inverse result is taken to second parameter For the negative one time of, third subparameter and the negative one of the 4th subparameter it is secondary and;
Taking the third output is the negative one time of the third subparameter, and the 4th output is the negative one of the 4th subparameter It is secondary;
According to the output of the third of the negative one time for the third subparameter and be the 4th subparameter negative one time it is the 4th defeated Out, the Part III and Part IV are calculated, to obtain first output and second output;
According to the first output and the second output being calculated, the first part and second part are calculated, and will be calculated First part takes inverse output with mask as described, takes inverse output for the second part being calculated as the mask.
6. a kind of mask device of SM4 algorithm characterized by comprising
Module is obtained, for obtaining the plaintext with mask, the random mask, round key of input;
First round computing module, for first in the plaintext with mask, the random mask and the round key Round key carries out the first round operation of round function, obtains first round ciphertext and first round mask;
Second wheel computing module, for second in the first round ciphertext, the first round mask and the round key Round key carries out the second wheel operation of the round function, obtains the second wheel ciphertext and the second wheel mask, successively realizes the wheel letter Several N takes turns operation, and N is the positive integer greater than 1;The second wheel mask is obtained by the first round mask;
First output module will for the N wheel ciphertext of N wheel operation output and N wheel mask to be carried out XOR operation Output of the operation result as the SM4 algorithm.
7. mask device according to claim 6, which is characterized in that the first round computing module, comprising:
First division module divides the bit for forming the plaintext with mask for the sequence according to bit from high to low At M group, to obtain son of the M group with mask in plain text, the bit number of sub- plaintext of the M group with mask is identical;According to bit by height To low sequence, the bit for forming the random mask is divided into M group, to obtain the sub- random mask of M group, M group with The bit number of machine mask is identical;
Second division module, for carrying out the first of the plaintext with mask to rear M-1 group plaintext, first round key Take turns the synthesis in-place computation in operation, it is described after M-1 group be in plain text son plaintext of the M group with mask described with mask The low M-1 group son plaintext of bit in plaintext;
In-place computation module is synthesized, for carrying out in the first round operation of the random mask to the rear sub- random mask of M-1 group In-place computation is synthesized, the rear sub- random mask of M-1 group is that the sub- random mask of M group bit in the random mask is low The sub- random mask of M-1 group;
XOR operation module, for by the result of the synthesis in-place computation of the plaintext with mask and except rear M-1 group Son except plaintext takes XOR operation in plain text, using the result of XOR operation as the first round ciphertext, by the random mask Synthesis in-place computation result and the sub- random mask of M-1 group after described in addition to sub- random mask take XOR operation, will be different Or the result of operation is as the first round mask.
8. mask device according to claim 7, which is characterized in that the synthesis in-place computation includes nonlinear transformation, The nonlinear transformation is realized by the computing module of S box;
The computing module of the S box, comprising:
Receiving module, for receiving the median of first round ciphertext and the median of first round mask, the first round ciphertext Median be it is described after M-1 group plaintext and first round key take XOR operation as a result, among the first round mask Value is the result that the rear sub- random mask of M-1 group takes XOR operation;
Second output module, the median for median and the first round mask to the first round ciphertext carry out affine Transformation and inversion operation, and using the result after the affine transformation and inversion operation as the output of the S box.
9. mask device according to claim 8, which is characterized in that second output module, comprising:
First affine transformation module, for utilizing the first affine transformation matrix, respectively to the median of the first round ciphertext and The median of the first round mask carries out finite field gf (28) on first time affine transformation operation, obtain the S box with mask Output and mask output;
Inverse module is taken, for exporting to the S box output with mask and the mask, carries out compositum GF (((2 respectively2)2)2) On take inverse operation, obtain taking inverse output and mask to take inverse output with mask;
Second affine transformation module takes inverse output and institute with mask to described respectively for utilizing the second affine transformation matrix It states mask and takes inverse output, carry out finite field gf (28) on second of affine transformation operation, and by second of affine transformation Output of the result of operation as the S box.
10. mask device according to claim 9, which is characterized in that described to take inverse module, comprising:
First representation module, for using the first normal basis, the output of S box and mask output by described with mask respectively, It is expressed as finite field gf (24) in once linear multinomial, the element in first normal basis is that constant belongs to finite field gf (24) secondary irreducible function root, the finite field gf (24) in the polynomial coefficient of once linear belong to finite field GF(24);
Second representation module, for exporting, according to the S box with mask in finite field gf (24) in once linear multinomial And the mask output is in finite field gf (24) in once linear multinomial, the S box with mask is exported and is covered with described Taking for the sum of code output is inverse, with finite field gf (24) in element and the first parameter indicate, first parameter be used for described Finite field gf (24) in element take it is inverse;
Third representation module, for finite field gf (2 will to be used4) in indicate described of element and the first parameter and take it is inverse, with One output and the second output expression, first output and second output are the dependent variable of first function, first letter Several independents variable be by first parameter decomposition at the first subparameter and the second subparameter, to first subparameter and the The result for taking inverse operation of the sum of two subparameters is the sum of first output and second output;
First decomposing module takes inverse, resolves into for sum described in being indicated with first output and second output First part and second part, and take inverse output with mask using first part as described, by second part be used as described in cover Code takes inverse output;
4th representation module, for being respectively indicated first subparameter and second subparameter using the second normal basis For finite field gf (22) in once linear multinomial, the element in second normal basis is that constant belongs to finite field gf (22) Secondary irreducible function root, the finite field gf (22) in the polynomial coefficient of once linear belong to finite field gf (24);
5th representation module is used for according to first subparameter and second subparameter in finite field gf (22) in it is primary Linear polynomial will take inverse finite field gf (2 to first parameter2) in element and the second parameter indicate, described the Two parameters are used for the finite field gf (22) in element take it is inverse;
6th representation module, for finite field gf (2 will to be used2) in the first parameter for indicating of element and the second parameter take inverse, use Third output and the 4th output indicate that the third output and the 4th output are second function because becoming, second letter Several independents variable be by second parameter decomposition at third subparameter and the 4th subparameter, to the third subparameter and the The sum of four subparameters take inverse operation as a result, for the third output and the 4th output the sum of;
Second decomposing module, it is inverse for taking for the first parameter indicated with the 4th output will to be exported with the third, it decomposes It is exported at Part III and Part IV, and using Part III as to described first, it is defeated using Part IV as described second Out;
7th representation module respectively indicates the third subparameter and the 4th subparameter for using third normal basis For the once linear multinomial in finite field gf (2), the element in the third normal basis is that constant belongs to finite field gf (2) The root of secondary irreducible function, the polynomial coefficient of once linear in the finite field gf (2) belong to finite field gf (2);
8th representation module, for primary in finite field gf (2) according to the third subparameter and the 4th subparameter Linear polynomial by the element representation taken in inverse finite field gf (2) to second parameter, and is finally obtained to described Two parameters take the inverse result to be, the negative one time of third subparameter and the negative one of the 4th subparameter it is secondary and;
Determining module is the negative one time of the third subparameter for taking third output, and the 4th output is described the The negative one time of four subparameters;
First computing module, for being exported according to the third for the negative one time for being the third subparameter and being the 4th subparameter Negative one time the 4th output, the Part III and Part IV are calculated, to obtain first output and described second defeated Out;
Second computing module calculates the first part and second part according to the first output and the second output being calculated, And first part will be calculated as described and take inverse output with mask, using the second part being calculated as the mask Take inverse output.
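A worked illustration of the round structure of claims 1 to 3 and 6 to 8, added here as an example and not code from the patent: the masked state and the mask are carried through all 32 SM4 rounds as two separate shares, the round key enters only the masked share, the linear transformation L is applied to both shares, each round's mask is derived from the previous round's mask, and the two shares are XORed exactly once at the end. M = 4 here, i.e. the 128-bit block is split into four 32-bit words as in the SM4 standard. For the nonlinear step the patent uses a masked composite-field inverter (claims 4, 5, 9, 10); the table-recomputation gadget in `masked_tau` below is a stand-in with the same interface (masked byte and input mask in, masked byte and fresh output mask out), not the patent's construction. The round keys come from the unmasked SM4 key schedule; the S-box, the FK and CK constants and the test vector are those of GB/T 32907-2016.

```python
"""SM4 with first-order Boolean masking (added example; see lead-in)."""
import secrets

# SM4 S-box, FK and CK constants from GB/T 32907-2016.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 & 0xFF for j in range(4)), "big") for i in range(32))


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def tau(w):
    """Unmasked nonlinear layer: the S-box applied to each byte of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def lin(b):       # linear transformation L of the round function
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)


def lin_key(b):   # linear transformation L' of the key schedule
    return b ^ rotl(b, 13) ^ rotl(b, 23)


def round_keys(key):
    k = [int.from_bytes(key[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ lin_key(tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])))
    return k[4:]


def sm4_encrypt(pt, key):
    """Unmasked reference implementation, used only to check the masked one."""
    x = [int.from_bytes(pt[4 * i:4 * i + 4], "big") for i in range(4)]
    for rk in round_keys(key):
        x.append(x[0] ^ lin(tau(x[1] ^ x[2] ^ x[3] ^ rk)))
        del x[0]
    return b"".join(w.to_bytes(4, "big") for w in reversed(x))


def masked_tau(masked, in_mask, rng=secrets.token_bytes):
    """Masked nonlinear layer.  Input: v' = v ^ m_in and m_in.  Output: (w', m_out) with
    w' ^ m_out == SBOX[v].  Stand-in gadget (not the patent's composite-field inverter):
    each byte uses a table T[u] = SBOX[u ^ m_in] ^ m_out built over all 256 values of u
    and indexed by the masked byte only, so the unmasked v is never formed."""
    out_mask = rng(4)                       # fresh output mask for this S-box layer
    out_masked = bytearray()
    for vb, mb, rb in zip(masked.to_bytes(4, "big"), in_mask.to_bytes(4, "big"), out_mask):
        table = bytes(SBOX[u ^ mb] ^ rb for u in range(256))
        out_masked.append(table[vb])
    return int.from_bytes(out_masked, "big"), int.from_bytes(out_mask, "big")


def sm4_masked_encrypt(masked_pt, mask, rks, rng=secrets.token_bytes):
    """Claims 1-3: inputs are the masked plaintext, the mask and the round keys; the two
    shares go through all rounds side by side and are XORed only at the end."""
    x = [int.from_bytes(masked_pt[4 * i:4 * i + 4], "big") for i in range(4)]
    m = [int.from_bytes(mask[4 * i:4 * i + 4], "big") for i in range(4)]
    for rk in rks:
        t_masked = x[1] ^ x[2] ^ x[3] ^ rk   # intermediate value of the masked state (claim 3)
        t_mask = m[1] ^ m[2] ^ m[3]          # intermediate value of the mask: no key here
        s_masked, s_mask = masked_tau(t_masked, t_mask, rng)
        x.append(x[0] ^ lin(s_masked))       # L is linear, so it is applied to each share
        del x[0]
        m.append(m[0] ^ lin(s_mask))         # the new mask comes from the previous mask only
        del m[0]
    ct_masked = b"".join(w.to_bytes(4, "big") for w in reversed(x))
    ct_mask = b"".join(w.to_bytes(4, "big") for w in reversed(m))
    return bytes(a ^ b for a, b in zip(ct_masked, ct_mask))   # final unmasking XOR (claim 1)


def demo(mask=None):
    """Encrypt the GB/T 32907-2016 Appendix A vector both ways; returns (masked result, reference)."""
    key = pt = bytes.fromhex("0123456789abcdeffedcba9876543210")
    mask = secrets.token_bytes(16) if mask is None else mask
    masked_pt = bytes(a ^ b for a, b in zip(pt, mask))
    return sm4_masked_encrypt(masked_pt, mask, round_keys(key)), sm4_encrypt(pt, key)
```

The point to check in any implementation of this structure is the one `sm4_masked_encrypt` makes explicit: the only places where the two shares meet are inside the S-box gadget (which must be designed so that it never materialises `v' ^ m_in`) and the final XOR. The key schedule is left unmasked here because the claims take the round keys as an input.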
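An added illustration of the composite-field inversion that claims 4, 5, 9 and 10 build on, not the patent's own code: GF(((2^2)^2)^2) is constructed as three quadratic extensions, each element is written in a normal basis {B^q, B} as in the claims (B and B^q being the two roots of x^2 + x + nu over the subfield, with nu's constant term in that subfield), and inversion at each level is reduced to one inversion of a subfield element d, the "first parameter" (GF(2^4) level) and "second parameter" (GF(2^2) level) of claim 5, bottoming out in GF(2), where inversion is the identity. The integer encoding (high half = coefficient of B^q, low half = coefficient of B) and the choice of the constants nu by exhaustive search are this example's own; the splitting of each inverse into two shares (the first/second and third/fourth outputs of claim 5) is not implemented here, and since the page does not give SM4's affine matrices the example stops at the inverter.

```python
"""Composite field GF(((2^2)^2)^2) in normal bases, with inversion reduced level by level
(added example; see lead-in)."""

# Integer encoding (this example's own): a w-bit element a = a1*B^q + a0*B is the integer
# (a1 << w/2) | a0, where a1, a0 are (w/2)-bit subfield elements and {B^q, B} is the
# normal basis formed by the two roots of x^2 + x + NU[w] over the subfield.
NU = {2: 1}   # GF(2)[x]/(x^2 + x + 1) builds GF(2^2); NU[4] and NU[8] are chosen below


def gf_mul(a, b, w):
    """Multiply two w-bit elements (w in {1, 2, 4, 8}).  Since B + B^q = 1 and B*B^q = NU[w],
    (a1 B^q + a0 B)(b1 B^q + b0 B) = (a1 b1 + t) B^q + (a0 b0 + t) B, t = NU[w](a1+a0)(b1+b0)."""
    if w == 1:
        return a & b
    h = w // 2
    lo = (1 << h) - 1
    a1, a0, b1, b0 = a >> h, a & lo, b >> h, b & lo
    t = gf_mul(gf_mul(a1 ^ a0, b1 ^ b0, h), NU[w], h)
    return ((gf_mul(a1, b1, h) ^ t) << h) | (gf_mul(a0, b0, h) ^ t)


def gf_inv(a, w):
    """Invert with one subfield inversion: (a1 B^q + a0 B)^-1 = d^-1 (a0 B^q + a1 B), where
    d = a1 a0 + NU[w] (a1 + a0)^2, because (a1 B^q + a0 B)(a0 B^q + a1 B) = d (B^q + B) = d.
    d is the 'first parameter' (w = 8) and the 'second parameter' (w = 4) of claim 5;
    at w = 1, in GF(2), inversion is the identity and 0 is mapped to 0."""
    if w == 1:
        return a
    h = w // 2
    a1, a0 = a >> h, a & ((1 << h) - 1)
    s = a1 ^ a0
    d = gf_mul(a1, a0, h) ^ gf_mul(gf_mul(s, s, h), NU[w], h)
    dinv = gf_inv(d, h)
    return (gf_mul(a0, dinv, h) << h) | gf_mul(a1, dinv, h)


def pick_nu(w):
    """Smallest nu such that x^2 + x + nu is irreducible over the (w/2)-bit subfield,
    i.e. has no root there (a quadratic is irreducible iff it has no root)."""
    h = w // 2
    for nu in range(1 << h):
        if all(gf_mul(x, x, h) ^ x != nu for x in range(1 << h)):
            return nu
    raise ValueError("no irreducible quadratic found")


NU[4] = pick_nu(4)   # GF(2^2)[x]/(x^2 + x + N) builds GF(2^4)
NU[8] = pick_nu(8)   # GF(2^4)[x]/(x^2 + x + nu) builds GF(2^8)
ONE = {1: 1, 2: 0b11, 4: 0xF, 8: 0xFF}   # 1 = B^q + B, i.e. all-ones in every normal basis


def check_inverses(w):
    """True iff a * gf_inv(a) == 1 for every nonzero w-bit element and gf_inv(0) == 0."""
    return gf_inv(0, w) == 0 and all(gf_mul(a, gf_inv(a, w), w) == ONE[w] for a in range(1, 1 << w))


def inversion_additive(w):
    """True iff (a + m)^-1 == a^-1 + m^-1 for all a, m, i.e. inversion could be applied to
    the masked value and the mask separately.  Holds in GF(2) (identity) and in GF(2^2)
    (inversion is squaring, which is additive in characteristic 2) but fails from GF(2^4)
    upward, which is why claim 5 has to split each inverse into two outputs at those levels."""
    n = 1 << w
    return all(gf_inv(a ^ m, w) == gf_inv(a, w) ^ gf_inv(m, w) for a in range(n) for m in range(n))
```

`check_inverses(8)` exercising all 255 nonzero elements is the test a practitioner should run on any composite-field inverter before masking it, because an encoding or constant error at one level (the wrong nu, swapped halves) survives the lower levels silently. `inversion_additive` shows the algebraic fact behind the bottom of claim 5's recursion: share-wise inversion is only correct in GF(2) and GF(2^2).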

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610887900.1A | 2016-10-11 | 2016-10-11 | The mask method and device of SM4 algorithm

Publications (2)

Publication Number | Publication Date
CN106357380A | 2017-01-25
CN106357380B | 2019-10-25

Family ID: 57866229

Country Status (1)

Country | Link
CN | CN106357380B

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107231229B * | 2017-05-31 | 2020-10-27 | 中国电力科学研究院 (China Electric Power Research Institute) | Low-entropy mask leakage protection method for an SM4 cryptographic chip and system implementing it
CN107342865B * | 2017-06-20 | 2020-07-10 | 贵州安融科技发展有限公司 (Guizhou Anrong Technology Development Co., Ltd.) | SM4-based authenticated encryption algorithm
CN107800530B * | 2017-11-28 | 2020-09-18 | 聚辰半导体股份有限公司 (Giantec Semiconductor Corp.) | S-box masking method for SMS4
US11632231B2 * | 2020-03-05 | 2023-04-18 | Novatek Microelectronics Corp. | Substitute box, substitute method and apparatus thereof
CN112787800B * | 2021-01-19 | 2022-06-17 | 清华大学 (Tsinghua University) | Encryption and decryption method and device based on second-order masking, electronic device and storage medium
CN112883395A * | 2021-02-25 | 2021-06-01 | 山东华翼微电子技术股份有限公司 (Shandong Huayi Microelectronics Technology Co., Ltd.) | High-performance GFN masking method with enhanced attack resistance
CN113922948B * | 2021-10-13 | 2023-10-03 | 中国人民解放军国防科技大学 (National University of Defense Technology) | SM4 data encryption method and system based on a composite-field round function

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104639502A * | 2013-11-08 | 2015-05-20 | 国家电网公司 (State Grid Corporation of China) | Masking method and device for resisting power analysis attacks on the SM4 algorithm
CN105897400A * | 2016-06-20 | 2016-08-24 | 北京华大信安科技有限公司 (Beijing Huada Xin'an Technology Co., Ltd.) | Masking method and device for the SM4 algorithm

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
JP3332175B2 * | 1993-09-30 | 2002-10-07 | 大日本印刷株式会社 (Dai Nippon Printing Co., Ltd.) | Defect inspection method for periodic patterns

Non-Patent Citations (1)

Title
Pei Chao (裴超), "An SM4 masking method and analysis of its resistance to DPA attacks" (一种SM4掩码方法和抗DPA攻击分析), Journal of Cryptologic Research (密码学报), 2016-07-05, full text *

Similar Documents

Publication | Title
CN106357380B | The mask method and device of SM4 algorithm
Qayyum et al. | Chaos-based confusion and diffusion of image pixels using dynamic substitution
CN106850221B | Information encryption and decryption method and device
Kanso et al. | A novel image encryption algorithm based on a 3D chaotic map
Ye et al. | An efficient chaotic image encryption algorithm based on a generalized Arnold map
CN103167213B | Digital image encryption method based on the cat map and a hyper-chaotic Lorenz system
Li et al. | Colour image encryption based on the Advanced Encryption Standard algorithm with a two-dimensional chaotic map
CN107070630B | Fast and secure hardware architecture for the AES algorithm
CN107547194A | Method and device for protection against side-channel analysis
CN104270247B | Efficient universal hash function authentication method suitable for quantum cryptography systems
CN101814985B | Block cipher system using multiple chaotic maps and multiple dynamic S-boxes
CN103020891A | Color image encryption method based on compound chaotic sequences and shifting
Wang et al. | A method for constructing bijective S-boxes with high nonlinearity based on chaos and optimization
CN104065473A | Compact implementation method for the S-box of the SM4 block cipher
CN104410490B | Method for protecting cryptographic S-boxes by non-linear squeezing
CN105591734A | Table-lookup-based non-linear encoding protection method for white-box cryptography
CN103780382A | Multivariate public-key encryption/decryption system and method based on hyperspheres
Liu et al. | Chaos-based color image encryption using one-time keys and the Choquet fuzzy integral
CN107070636A | White-box software implementation method for the commercial-cipher SM4 algorithm with standard ciphertext output format
CN104301095A | DES round operation method and circuit
CN109921899A | Implementation method for a 4×4 S-box with complete avalanche
CN106603224B | Secure operation method and system based on white-box encryption
Sani et al. | Creation of S-box based on a hierarchy of Julia sets: image encryption approach
JunLi et al. | Email encryption system based on hybrid AES and ECC
Wang et al. | Cryptanalysis of a white-box SM4 implementation based on collision attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant