The SM4 Blockcipher Algorithm And Its Modes Of Operations

The SM4 Blockcipher Algorithm And Its Modes Of Operations Ribose

Suite 1111, 1 Pedder Street Central Hong Kong People's Republic of China ronald.tse@ribose.com https://www.ribose.com

Hang Seng Management College

Hang Shin Link, Siu Lek Yuen Shatin Hong Kong People's Republic of China wongwk@hsmc.edu.hk https://www.hsmc.edu.hk

cfrg Crypto Forum Research Group This document describes the SM4 symmetric blockcipher algorithm published as GB/T 32907-2016 by the Organization of State Commercial Administration of China (OSCCA). This document is a product of the Crypto Forum Research Group (CFRG).

SM4 is a cryptographic standard issued by the Organization of State Commercial Administration of China as an authorized cryptographic algorithm for the use within China. The algorithm is published in public. SM4 is a symmetric encryption algorithm, specifically a blockcipher, designed for data encryption.

This document does not aim to introduce a new algorithm, but to provide a clear and open description of the SM4 algorithm in English, and also to serve as a stable reference for IETF documents that utilize this algorithm. While this document is similar to in nature, is a textual translation of the "SMS4" algorithm published in 2006, while this document follows the updated description and structure of published in 2016. Sections 1 to 7 of this document directly map to the corresponding sections numbers of the standard for convenience of the reader. This document also provides additional information on the design considerations of the algorithm , practical usage and implementation of SM4 specifying modes of operations that are known to be used with SM4 (see ), and providing the SM4 OIDs (see ).

The "SMS4" algorithm (the former name of SM4) was invented by Shu-Wang Lu , first published in 2003 as part of , then published independently in 2006 by the OSCCA, officially renamed to "SM4" in 2012 in published by the OSCCA, and finally standardized in 2016 as a Chinese National Standard (GB Standard) . SM4 is also standardized in by the International Organization for Standardization in 2017. SMS4 was originally created for use in protecting wireless networks , and is mandated in the Chinese National Standard for Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) . A proposal was made to adopt SMS4 into the IEEE 802.11i standard, but the algorithm was eventually not included due to concerns of introducing inoperability with existing ciphers. The latest SM4 standard was proposed by the OSCCA, standardized through TC 260 of the Standardization Administration of the People’s Republic of China (SAC), and was drafted by the following individuals at the Data Assurance and Communication Security Research Center (DAS Center) of the Chinese Academy of Sciences, the China Commercial Cryptography Testing Center and the Beijing Academy of Information Science & Technology (BAIST): Shu-Wang Lu Dai-Wai Li Kai-Yong Deng Chao Zhang Peng Luo Zhong Zhang Fang Dong Ying-Ying Mao Zhen-Hua Liu

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . The following terms and definitions apply to this document. Bit-length of a message block. Bit-length of a key. An operation that converts a key into a round key. The number of iterations that the round function is run. A key used in each round on the blockcipher, derived from the input key, also called a subkey. a 32-bit quantity The S (substitution) box function produces 8-bit output from 8-bit input, represented as S(.)

bitwise exclusive-or of two 32-bit vectors S and T. S and T will always have the same length. 32-bit bitwise cyclic shift on a with i bits shifted left.

The SM4 algorithm is a blockcipher, with block size of 128 bits and a key length of 128 bits. Both encryption and key expansion use 32 rounds of a nonlinear key schedule per block. Each round processes one of the four 32-bit words that constitute the block. The structure of encryption and decryption are identical, except that the round key schedule has its order reversed during decryption. Using a 8-bit S-box, it only uses exclusive-or, cyclic bit shifts and S-box lookups to execute.

Encryption key is 128 bits long, and represented below, where each MK_i, (i = 0, 1, 2, 3) is 32 bits long. MK = (MK_0, MK_1, MK_2, MK_3) The round key schedule is derived from the encryption key, represented as below where each rk_i (i = 0, ..., 31) is 32 bits long: (rk_0, rk_1, ... , rk_31) The family key used for key expansion is represented as FK, where each FK_i (i = 0, ..., 3) is 32 bits long: FK = (FK_0, FK_1, FK_2, FK_3) The constant key used for key expansion is represented as CK, where each CK_i (i = 0, ..., 31) is 32 bits long: CK = (CK_0, CK_1, ... , CK_31)

The round function F is defined as: F(X_0, X_1, X_2, X_3, rk) = X_0 xor T(X_1 xor X_2 xor X_3 xor rk) Where: Each $$X_i$ is 32-bit wide. The round key rk is 32-bit wide.

T is a reversible permutation that outputs 32 bits from a 32-bit input. It consists of a nonlinear transform tau and linear transform L. T(.) = L(tau(.)) The permutation T' is created from T by replacing the linear transform function L with L'. T'(.) = L'(tau(.))

tau is composed of four parallel S-boxes. Given a 32-bit input A, where each a_i is a 8-bit string: A = (a_0, a_1, a_2, a_3) The output is a 32-bit B, where each b_i is a 8-bit string: B = (b_0, b_1, b_2, b_3) B is calculated as follows: (b_0, b_1, b_2, b_3) = tau(A) tau(A) = (S(a_0), S(a_1), S(a_2), S(a_3))

The output of nonlinear transformation function tau is used as input to linear transformation function L. Given B, a 32-bit input. The linear transformation L' is defined as follows. L(B) = B xor (B <<< 2) xor (B <<< 10) xor (B <<< 18) xor (B <<< 24) The linear transformation L' is defined as follows. L'(B) = B xor (B <<< 13) xor (B <<< 23)

The S-box S used in nonlinear transformation tau is given in the lookup table shown in with hexadecimal values.

| 0 1 2 3 4 5 6 7 8 9 A B C D E F ---|------------------------------------------------- 0 | D6 90 E9 FE CC E1 3D B7 16 B6 14 C2 28 FB 2C 05 1 | 2B 67 9A 76 2A BE 04 C3 AA 44 13 26 49 86 06 99 2 | 9C 42 50 F4 91 EF 98 7A 33 54 0B 43 ED CF AC 62 3 | E4 B3 1C A9 C9 08 E8 95 80 DF 94 FA 75 8F 3F A6 4 | 47 07 A7 FC F3 73 17 BA 83 59 3C 19 E6 85 4F A8 5 | 68 6B 81 B2 71 64 DA 8B F8 EB 0F 4B 70 56 9D 35 6 | 1E 24 0E 5E 63 58 D1 A2 25 22 7C 3B 01 21 78 87 7 | D4 00 46 57 9F D3 27 52 4C 36 02 E7 A0 C4 C8 9E 8 | EA BF 8A D2 40 C7 38 B5 A3 F7 F2 CE F9 61 15 A1 9 | E0 AE 5D A4 9B 34 1A 55 AD 93 32 30 F5 8C B1 E3 A | 1D F6 E2 2E 82 66 CA 60 C0 29 23 AB 0D 53 4E 6F B | D5 DB 37 45 DE FD 8E 2F 03 FF 6A 72 6D 6C 5B 51 C | 8D 1B AF 92 BB DD BC 7F 11 D9 5C 41 1F 10 5A D8 D | 0A C1 31 88 A5 CD 7B BD 2D 74 D0 12 B8 E5 B4 B0 E | 89 69 97 4A 0C 96 77 7E 65 B9 F1 09 C5 6E C6 84 F | 18 F0 7D EC 3A DC 4D 20 79 EE 5F 3E D7 CB 39 48 For example, input "EF" will produce an output read from the S-box table row E and column F, giving the result S(EF) = 84.

The encryption algorithm consists of 32 rounds and 1 reverse transform R. Given a 128-bit plaintext input, where each X_i is 32-bit wide:

(X_0, X_1, X_2, X_3) The output is a 128-bit ciphertext, where each Y_i is 32-bit wide:

(Y_0, Y_1, Y_2, Y_3) Each round key is designated as rk_i, where each rk_i is 32-bit wide and i = 0, 1, 2, ..., 31. 32 rounds of calculation

i = 0, 1, ..., 31 X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i) reverse transformation

(Y_0, Y_1, Y_2, Y_3) = R(X_32, X_33, X_34, X_35) R(X_32, X_33, X_34, X_35) = (X_35, X_34, X_33, X_32) Please refer to for sample calculations. A flow of the calculation is given in .

Decryption takes an identical process as encryption, with the only difference the order of the round key sequence. During decryption, the round key sequence is:

(rk_31, rk_30, ..., rk_0)

Round keys used during encryption are derived from the encryption key. Specifically, given the encryption key MK, where each MK_i is 32-bit wide:

MK = (MK_0, MK_1, MK_2, MK_3) Each round key rk_i is created as follows, where i = 0, 1, ..., 31.

(K_0, K_1, K_2, K_3) = (MK_0 xor FK_0, MK_1 xor FK_1, MK_2 xor FK_2, MK_3 xor FK_3) rk_i = K_{i + 4} K_{i + 4} = K_i xor T' (K_{i + 1} xor K_{i + 2} xor K_{i + 3} xor CK_i) Since the decryption key is identical to the encryption key, the round keys used in the decryption process are derived from the decryption key through the identical process to that of during encryption. depicts the i-th round of SM4.

X_i rk_i X_{i+1} X_{i+2} X_{i+3} | | | | | | | | | | | v | | | +---+ +---+ +---+ | | | | X | | | | X | <--+ | | | O | <-- | T | <-- | O | <----------+ | | R | | | | R | <------------------+ +---+ +---+ +---+ | | | | / / / | / / / | / / / \----------------------------------------= / / / \ / / / | /-----------------/ / / | | | | | X_{i+1} X_{i+2} X_{i+3} X_{i+4}

Family key FK given in hexadecimal notation, is:

FK_0 = A3B1BAC6 FK_1 = 56AA3350 FK_2 = 677D9197 FK_3 = B27022DC

The method to retrieve values from the constant key CK is as follows. Let ck_{i, j} be the j-th byte (i = 0, 1, ..., 31; j = 0, 1, 2, 3) of CK_i. Therefore, each ck_{i, j} is a 8-bit string, and each CK_i a 32-bit word.

CK_i = (ck_{i, 0}, ck_{i, 1}, ck_{i, 2}, ck_{i, 3})

ck_{i, j} = (4i + j) x 7 (mod 256) The values of the constant key CK_i, where (i = 0, 1, ..., 31), in hexadecimal, are:

CK_0 = 00070E15 CK_16 = C0C7CED5 CK_1 = 1C232A31 CK_17 = DCE3EAF1 CK_2 = 383F464D CK_18 = F8FF060D CK_3 = 545B6269 CK_19 = 141B2229 CK_4 = 70777E85 CK_20 = 30373E45 CK_5 = 8C939AA1 CK_21 = 4C535A61 CK_6 = A8AFB6BD CK_22 = 686F767D CK_7 = C4CBD2D9 CK_23 = 848B9299 CK_8 = E0E7EEF5 CK_24 = A0A7AEB5 CK_9 = FC030A11 CK_25 = BCC3CAD1 CK_10 = 181F262D CK_26 = D8DFE6ED CK_11 = 343B4249 CK_27 = F4FB0209 CK_12 = 50575E65 CK_28 = 10171E25 CK_13 = 6C737A81 CK_29 = 2C333A41 CK_14 = 888F969D CK_30 = 484F565D CK_15 = A4ABB2B9 CK_31 = 646B7279

This document defines multiple modes of operation for the SM4 blockcipher algorithm. The CBC (Cipher Block Chaining), ECB (Electronic CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack) and CTR (Counter) modes are defined in and utilized with the SM4 algorithm in the following sections.

Hereinafter we define: The SM4 algorithm that encrypts plaintext P with key K, described in The SM4 algorithm that decrypts ciphertext C with key K, described in block size in bits, defined as 128 for SM4 block j of ciphertext bitstring P block j of ciphertext bitstring C Number of blocks of size b-bit in bitstring B Initialization vector Least significant b bits of the bitstring S Most significant b bits of the bitstring S

The CBC, CFB and OFB modes require an additional input to the encryption process, called the initialization vector (IV). The identical IV is used in the input of encryption as well as the decryption of the corresponding ciphertext. Generation of IV values MUST take into account of the considerations in recommended by .

In SM4-ECB, the same key is utilized to create a fixed assignment for a plaintext block with a ciphertext block, meaning that a given plaintext block always gets encrypted to the same ciphertext block. As described in , this mode should be avoided if this property is undesirable. This mode requires input plaintext to be a multiple of the block size, which in this case of SM4 it is 128-bit. It also allows multiple blocks to be computed in parallel.

Inputs: P, plaintext, length MUST be multiple of b K, SM4 128-bit encryption key Output: C, ciphertext, length is a multiple of b C is defined as follows.

_____________________________________________________________________ n = NBlocks(P, b) for i = 1 to n C_i = SM4Encrypt(P_i, K) end for C = C_1 || ... || C_n _____________________________________________________________________

Inputs: C, ciphertext, length MUST be multiple of b K, SM4 128-bit encryption key Output: P, plaintext, length is a multiple of b P is defined as follows.

_____________________________________________________________________ n = NBlocks(C, b) for i = 1 to n P_i = SM4Decrypt(C_i, K) end for P = P_1 || ... || P_n _____________________________________________________________________

SM4-CBC is similar to SM4-ECB that the input plaintext MUST be a multiple of the block size, which is 128-bit in SM4. SM4-CBC requires an additional input, the IV, that is unpredictable for a particular execution of the encryption process. Since CBC encryption relies on a forward cipher operation that depend on results of the previous operation, it cannot be parallelized. However, for decryption, since ciphertext blocks are already available, CBC parallel decryption is possible.

Inputs: P, plaintext, length MUST be multiple of b K, SM4 128-bit encryption key IV, 128-bit, unpredictable, initialization vector Output: C, ciphertext, length is a multiple of b C is defined as follows.

_____________________________________________________________________ n = NBlocks(P, b) C_1 = SM4Encrypt(P_1 xor IV, K) for i = 2 to n C_i = SM4Encrypt(P_i xor C_{i - 1}, K) end for C = C_1 || ... || C_n _____________________________________________________________________

Inputs: C, ciphertext, length MUST be a multiple of b K, SM4 128-bit encryption key IV, 128-bit, unpredictable, initialization vector Output: P, plaintext, length is multiple of b P is defined as follows.

_____________________________________________________________________ n = NBlocks(C, b) P_1 = SM4Decrypt(C_1, K) xor IV for i = 2 to n P_i = SM4Decrypt(C_i, K) xor C_{i - 1} end for P = P_1 || ... || P_n _____________________________________________________________________

SM4-CFB relies on feedback provided by successive ciphertext segments to generate output blocks. The plaintext given must be a multiple of the block size. Similar to SM4-CBC, SM4-CFB requires an IV that is unpredictable for a particular execution of the encryption process. SM4-CFB further allows setting a positive integer parameter s, that is less than or equal to the block size, to specify the size of each data segment. The same segment size must be used in encryption and decryption. In SM4-CFB, since the input block to each forward cipher function depends on the output of the previous block (except the first that depends on the IV), encryption is not parallelizable. Decryption, however, can be parallelized.

SM4-CFB takes an integer s to determine segment size in its encryption and decryption routines. We define the following variants of SM4-CFB for various s: SM4-CFB-1, the 1-bit SM4-CFB mode, where s is set to 1. SM4-CFB-8, the 8-bit SM4-CFB mode, where s is set to 8. SM4-CFB-64, the 64-bit SM4-CFB mode, where s is set to 64. SM4-CFB-128, the 128-bit SM4-CFB mode, where s is set to 128.

Inputs: P#, plaintext, length MUST be multiple of s K, SM4 128-bit encryption key IV, 128-bit, unpredictable, initialization vector s, an integer 1 <= s <= b that defines segment size Output: C#, ciphertext, length is a multiple of s C# is defined as follows.

_____________________________________________________________________ n = NBlocks(P#, s) I_1 = IV for i = 2 to n I_i = LSB(b - s, I_{i - 1}) || C#_{j - 1} end for for i = 1 to n O_j = SM4Encrypt(I_i, K) end for for i = 1 to n C#_i = P#_1 xor MSB(s, O_j) end for C# = C#_1 || ... || C#_n _____________________________________________________________________

Inputs: C#, ciphertext, length MUST be a multiple of s K, SM4 128-bit encryption key IV, 128-bit, unpredictable, initialization vector s, an integer 1 ⇐ s ⇐ b that defines segment size Output: P#, plaintext, length is multiple of s P# is defined as follows.

_____________________________________________________________________ n = NBlocks(P#, s) I_1 = IV for i = 2 to n I_i = LSB(b - s, I_{i - 1}) || C#_{j - 1} end for for i = 1 to n O_j = SM4Encrypt(I_i, K) end for for i = 1 to n P#_i = C#_1 xor MSB(s, O_j) end for P# = P#_1 || ... || P#_n _____________________________________________________________________

SM4-OFB is the application of SM4 through the Output Feedback mode. This mode requires that the IV is a nonce, meaning that the IV MUST be unique for each execution for an input key. OFB does not require the input plaintext to be a multiple of the block size. In OFB, the routines for encryption and decryption are identical. As each forward cipher function (except the first) depends on previous results, both routines cannot be parallelized. However given a known IV, output blocks could be generated prior to the input of plaintext (encryption) or ciphertext (decryption).

Inputs: P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 ⇐ u ⇐ b K, SM4 128-bit encryption key IV, a nonce (a unique value for each execution per given key) Output: C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 ⇐ u ⇐ b C is defined as follows.

_____________________________________________________________________ n = NBlocks(P, b) I_1 = IV for i = 1 to (n - 1) O_i = SM4Encrypt(I_i) I_{i + 1} = O_i end for for i = 1 to (n - 1) C_i = P_i xor O_i end for C_n = P_n xor MSB(u, O_n) C = C_1 || ... || C_n _____________________________________________________________________

Inputs: C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 ⇐ u ⇐ b K, SM4 128-bit encryption key IV, the nonce used during encryption Output: P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 ⇐ u ⇐ b C is defined as follows.

_____________________________________________________________________ n = NBlocks(C, b) I_1 = IV for i = 1 to (n - 1) O_i = SM4Encrypt(I_i) I_{i + 1} = O_i end for for i = 1 to (n - 1) P_i = C_i xor O_i end for P_n = C_n xor MSB(u, O_n) P = P_1 || ... || P_n _____________________________________________________________________

SM4-CTR is an implementation of a stream cipher through a blockcipher primitive. It generates a "keystream" of keys that are used to encrypt successive blocks, with the keystream created from the input key, a nonce (the IV) and an incremental counter. The counter could be any sequence that does not repeat within the block size. Both SM4-CTR encryption and decryption routines could be parallelized, and random access is also possible.

Inputs: P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 ⇐ u ⇐ b K, SM4 128-bit encryption key IV, a nonce (a unique value for each execution per given key) T, a sequence of counters from T_1 to T_n Output: C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 ⇐ u ⇐ b C is defined as follows.

_____________________________________________________________________ n = NBlocks(P, b) for i = 1 to n O_i = SM4Encrypt(T_i) end for for i = 1 to (n - 1) C_i = P_i xor O_i end for C_n = P_n xor MSB(u, O_n) C = C_1 || ... || C_n _____________________________________________________________________

Inputs: C, ciphertext, composed of (n - 1) blocks of size b, with the last block C_n of size 1 <= u <= b K, SM4 128-bit encryption key IV, a nonce (a unique value for each execution per given key) T, a sequence of counters from T_1 to T_n Output: P, plaintext, composed of (n - 1) blocks of size b, with the last block P_n of size 1 <= u <= b P is defined as follows.

_____________________________________________________________________ n = NBlocks(C, b) for i = 1 to n O_i = SM4Encrypt(T_i) end for for i = 1 to (n - 1) P_i = C_i xor O_i end for P_n = C_n xor MSB(u, O_n) C = C_1 || ... || C_n _____________________________________________________________________

The Object Identifier for SM4 is identified through these OIDs.

"1.2.156.10197.1.104" for "SM4 Algorithm" .

"1.0.18033.3.2.4" for "id-bc128-sm4" , described below. "is18033-3" {iso(1) standard(0) is18033(18033) part3(3)} "id-bc128" {is18033-3 block-cipher-128-bit(2)} "id-bc128-sm4" {id-bc128 sm4(4)}

The chaos principle and the diffusion principle are two basic principles of block cipher design. A well-designed blockcipher algorithm should be based on a cryptographically sound basic transformation structure, with its round calculation based on a cryptographically sound basic transformation. The cryptographic properties of the basic transformation determines the efficiency of the resulting encryption transformation. The SM4 algorithm is structured on orthomorphic permutation. Its round transformation is an orthomorphic permutation, and its cryptographic properties can be deduced from the characteristics of orthomorphic permutations. Let the single round of the SM4 block cipher algorithm be P, for any given plaintext X, P (X, K ')! = P (X, K) if the key K'! = K. The conclusion shows that if X is a row variable and K is a column variable, the square P(X, K) forms a Latin square. There are two conclusions about the nature of cryptography: The SM4 blockcipher algorithm will produce different round transformations given different keys. The SM4 blockcipher algorithm, within a single round, will produce a different output given the same input with different keys.

An S-box can be viewed as a bijection: S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m. S(x): F_2^n -> F_2^m can be represented as a multi-output boolean function with n-bit input and m-bit output, or a n x m S-box (an S-box with n inputs and m outputs), usually realized as a substitution that takes an n-bit input and produces a m-bit output. In SM4, the S-box takes n = m = 8. In many blockciphers, the S-box is the sole element providing nonlinearity, for the purpose of mixing, in order to reduce linearity and to hide its variable structure. The cryptographic properties of the S-box directly affects the resulting cryptographic strength of the blockcipher. When designing a blockcipher, the cryptographic strength of the S-box must be taken into account. The cryptographic strength of an S-box can be generally measured by factors such as its nonlinearity and differential distribution.

In order to prevent insertion attacks, the algebraic formula used for cryptographic substitution should be a high degree polynomial and contain a large number of terms. The algebraic expression of the SM4 S-box is determined through Lagrange’s interpolation to be a polynomial of the 254th degree with 255 terms, providing the highest level of complexity based on its size:

f(x) : sum_{i=0}^{255} y_i PI_{j!=i, j=0}^255 ((x - x_j) / (x_i - x_j))

Any n boolean function f(x): F_2^n -> F_2 can be represented uniquely in its algebraic normal form shown below:

f(X) = a_0 + sum_{1<=i_i<...<i_k<=n, 1<=k<=n} a_{i_1 i_2 ... i_k} x_{i_1} x_{i_2} ... x_{i_k} X = (x_1, x_2, ..., x_n) a_0, a_{i_1, i_2, ... i_k} element-of F_2 The "algebraic degree" of the n-boolean function f(X) is defined to be the algebraic degree of the highest algebraic degree of its terms with a nonzero coefficient in its ANF representation. The constant of the i-th term of f(x) in ANF representation is called the i-th term of f(X), the total number of all i-th (0<=i<=n) terms is called the "number of terms" of f(X). ///(X)的次数;它的代数正规形式中的f次项的个数称为/〇〇的f次项数;所有次项数 S(X) can be represented as a m-component function S(X) = (f_1(X), f_2(X), ... f_m(X)): F_2^n -> F_2^m. Consider S(X) to be a random substitution, each of its component functions would be best to have algebraic degree of n-1, each component function i-th coefficient should be near C_n^i/2. If the algebraic degree is too low, for example, each component function has a degree of 2, then the algorithm can be easily attacked by advanced differential cryptanalysis. If the number of terms are insufficient, then it may improve the success probability of insert attacks. The algebraic degrees and number of terms of the SM4 S-box are described in .

+----------------------------------------------------------+ | Component | Algebraic degree | | Function +----------------------------------------------+ | | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | +----------------------------------------------------------+ | Y_0 | 0 | 3 | 15 | 31 | 28 | 29 | 14 | 3 | 1 | | Y_1 | 0 | 3 | 12 | 34 | 40 | 33 | 12 | 4 | 1 | | Y_2 | 0 | 5 | 17 | 24 | 40 | 24 | 11 | 3 | 0 | | Y_3 | 0 | 2 | 11 | 31 | 34 | 27 | 15 | 5 | 1 | | Y_4 | 0 | 5 | 15 | 28 | 33 | 24 | 13 | 5 | 0 | | Y_5 | 0 | 5 | 11 | 25 | 41 | 25 | 16 | 4 | 1 | | Y_6 | 0 | 4 | 15 | 29 | 27 | 32 | 18 | 4 | 1 | | Y_7 | 0 | 4 | 14 | 32 | 35 | 30 | 16 | 3 | 0 | +----------------------------------------------------------+ | Expected | 1/2 | 4 | 14 | 28 | 35 | 28 | 14 | 4 | 1/2 | | Value | | | | | | | | | | +----------------------------------------------------------+

The definition of differential distribution has been given in . Differential cryptanalysis is a chosen-plaintext attack, with the understanding that analysis of selected plaintexts of differentials can retrive the most probable key. Differential distribution is an attribute to measure the resistance of a cryptographic function against differential cryptanalysis.

delta_S = 1/2^n max_{a in F_2^n, a!=0} max_{beta in F_2^m} | { X in F_2^n : S(X and alpha) - S(X) = beta } | delta_S is the differential distribution of the S-box S. According to the definition of differential distribution, 2^{-m} <= delta_S <= 2^{m-n}, if there is a delta_S = 2^{m-n} then S is considered a fully nonlinear function from F_2^n to F_2^m. For resistance against differential cryptanalysis, the differential distribution should be as low as possible. The highest differential distribution of the SM4 S-box is 2^{-6}, meaning it has a good resistance against differential cryptanalysis.

The nonlinearity of an S-box is described by . Let S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m be a multi-output function. The nonlinearity of S(X) is defined as N_S = min_{l in L_n, 0 != u in F_2^m} d_H (u . S(X), l(X)). L_n is the group of all n-boolean functions, d_H(f, l) is the Hamming distance between f and l. The nonlinearity of the S-box is in fact the minimum Hamming distance between all the Boolean functions and all affine functions. The upper-bound of nonlinearity is known to be 2^{n-1} - 2^{n/2 - 1}, where a Boolean function that reaches this bound is called a "bent function". The nonlinearity of a Boolean function is used to measure resistance against linear attacks. The higher the nonlinearity, the higher resistance that the Boolean function f(x) has against linear attacks. On the contrary, the lower the nonlinearity, the Boolean function f(x) has lower resistance against linear attacks. The nonlinearity of the SM4 S-box is 112.

Linear approximation of a S-box is defined in . Given a S-box with n inputs and m outputs, any linear approximation can be represented as : a . X = b . Y, where a in F_2^n, b in F_2^m. The probability p that satisfies a . X = b . Y is | p - 1/2 | <= 1/2 - N_S / 2^n, where | p - 1/2 | is the advantage of the linear approximation equation, lambda_S = 1/2 - N_s / 2^n is the maximum advantage of the S-box. The maximum advantage of the SM4 S-box is 2^{-4}.

A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is considered "balanced" if for any beta in F_2^m, there are 2^{n-m} x in F_2^n, such that S(x) = beta. The SM4 S-box is balanced.

A S-box S(X) = (f_1(X), f_2(X), ... , f_m(X)) : F_2^n -> F_2^m is considered "complete" if every input bit directly correlates to an output bit. In algebraic expression, each component function contains the unknown variables x_1, x_2, ... x_n, such that for any (s, t) in { (i, j) | 1 <= i <= n, 1 <= j <= m}, there is an X that S(X) and S(X and e_s) would contain a different bit t. Avalanche effect refers to a single bit change in the input would correspond to a change of half of the output bits. The SM4 S-box satisfies completness and the avalanche effect.

Linear transformation is used to provide diffusion in SM4. A blockcipher algorithm often adopts m x m S-boxes to form an obfuscation layer. Since the m-bits output by one S-box are only related to the m bits of its input and are irrelevant to the input of other S boxes, the introduction of a linear transform would disrupt and mix the output m-bits so that they seem correlating to the other S-box inputs. A sound linear transform design will diffuse the S-box output, allowing the blockcipher to resist differential and linear cryptanalysis. An important measure of the diffusivity of a linear transform is its branch number. The "branch number" of a linear transform is defined in :

B(theta) = min_{x!=0} w_b(x) + w_b(theta(x)) Where B(theta) is the branch number of transform theta, w_b(x) is a non-zero integer x_i (1 ⇐ i ⇐ m), and x_i is called the "bundle weight". The branch number can be used to quantify the resistance of the block cipher algorithm to differential cryptanalysis and linear cryptanalysis. Similar to differential cryptanalysis and linear cryptanalysis, the differential branch number and linear branch number of theta can be defined as follows. The differential branch number of theta is:

B_d(theta) = min_{x, x!= x*} (w_b(x and x*) + w_b(theta(x)) and theta(x*)) The linear branch number of theta is:

B_l(theta) = min_{a, b, c (x . alpha^t , theta(x) . beta) != 0} (w_b(alpha) + w_b(beta)) where, c (x . a^t , theta(x) . beta) = 2 X Pr(x . alpha^t = theta(x) . beta) - 1 x . alpha^t is a matrix multiplication. The branch number in a linear transformation reflects its diffusivity. The higher the branch number, the better the diffusion effect. This means that the larger the differential branch number or linear branch number, the more known plaintexts will be required for differential or linear cryptanalysis respectively. The linear transform differential branch number and linear branch number of SM4 are both 5.

The SM4 key schedule is designed to fulfill the security requirements of the encryption algorithm and achieve ease of implementation for performance reasons. All subkeys are derived from the encryption key, and therefore, subkeys are always statistically relevant. In the context of a blockcipher, it is not possible to have non-statistical-correlated subkeys, but the designer can only aim to have subkeys achieve near statistical independence . The purpose of the key schedule, generated through the key expansion algorithm, is to mask the statistical correlation between subkeys to make this relationship difficult to exploit. The SM4 key expansion algorithm satisfies the following design criteria: There are no obvious statistical correlation between subkeys; There are no weak subkeys; The speed of key expansion is not slower than the encryption algorithm, and uses less resources; Every subkey can be directly generated from the encryption key.

SM4 has been heavily cryptanalyzed by international researchers since it was first published in January 2016. Nearly all currently known cryptanalysis techniques have already been applied to SM4, but there have been no known feasible attacks against the full SM4 blockcipher and results demonstrate that SM4 currently provides a suitable security margin, by the time of publishing this document. A summary of cryptanalysis results are presented in the following sections. A number of attacks have been attempted on SM4, such as . There are, however, security concerns with regards to side-channel attacks when the SM4 algorithm is implemented in a hardware device . For instance, illustrated an attack by measuring the power consumption of the device. A chosen ciphertext attack, assuming a fixed correlation between the round keys and data mask, is able to recover the round key successfully. When the SM4 algorithm is implemented in hardware, the parameters and keys SHOULD be randomly generated without fixed correlation. There have been improvements to the hardware embodiment design for SM4, such as , that may resist such attacks. In order to improve security of the SM4 cryptographic process, secure white-box implementations such as have been proposed. Speed enhancements, such as , have also been proposed.

In 2008, Zhang et al. gave a 21-round differential analysis with data complexity 2^188, time complexity 2^126.8 encryptions. In 2009, Zhang et al. (differing first author but overlapping team) gave a 18-round differential characteristics with an attack that reaches the 22nd round, with data complexity 2^117 and time complexity 2^112.3. In 2010, Zhang et al. (with no relation to above) utilized 18-round differential characteristics for the 22nd round with 2^117 chosen plaintexts with time complexity 2^123 encryptions, storage complexity of 2^112. In 2011, Su et al. gave a 19 round differential characteristics and pushed their attack to the 23rd round, with data complexity of 2^118 chosen plaintexts, time complexity 2^126.7 encryptions, and storage complexity 2^120.7.

In 2008 Etrog et al. provided a linear cryptanalysis result for 22 rounds of SM4, the data complexity is given as 2^188.4 known plaintexts, time complexity 2^117 encrypt operations. In 2011 Dong presented a linear cryptanalysis result for 20 rounds, 2^110.4 known ciphertexts, 2^106.8 encryption operations, storage complexity 2^90. In 2014 Liu et al. presented their linear cryptanalysis for 23-rounds of SM4, time complexity 2^112 encryption operations, data complexity 2^126.54 known ciphertexts, storage complexity 2^116. In 2017 Liu et al. presented an attack based on linear cryptanalysis on 24-rounds of SM4, with time complexity of 2^122.6 encryptions, data complexity of 2^122.6 known ciphertexts, and storage complexity of 2^85.

In 2010, Liu et al. constructed a series of 18 rounds of linear traces based on a 5-round circular linear trace, capable of attacking 22 rounds of SM4. The required data complexity was 2^112 known plaintexts, time complexity 2^124.21 encryption operations, with storage complexity of 2^118.83. In 2010 Cho et al. gave a linear analysis of 23 rounds of SM4 with a data complexity of 2^126.7 known plaintexts and a time complexity of 2^127, storage complexity of 2^120.7. In 2014, Liu et al. gave the results of multi-dimensional linear analysis of 23 rounds of SM4 algorithm. The time complexity was 2^122.7, data complexity was 2^122.6 known plaintext with storage complexity 2^120.6.

In 2007 Lu et al. first presented 16 rounds of impossible differential analysis of SM4 with the required data complexity 2^105 chosen plaintexts, time complexity 2^107 encryption operations. In 2008 Toz et al. revised the results of , that the data complexity is actually 2^117.05 chosen plaintexts, time complexity 2^132.06 encryptions, but its complexity is already beyond the 2^128 limit. In 2010 Wang et al. pushed the impossible differential cryptanalysis to 17 rounds of SM4, the data complexity is 2^117 chosen ciphertexts, time complexity 2^132 memory queries.

In 2015 Ma et al. gives the results of multi-dimensional zero-correlation linear cryptanalysis of a 14-round SM4 algorithm. The required data complexity is 2^123.5 known plaintexts, time complexity is 2^120.7 encryption operations and storage complexity of 2^73 blocks.

In 2007 Liu et al. first gave a 13-round integral analysis of SM4, which required 2^16 chosen plaintexts and time complexity of 2^114 encryption operations. In 2008 Zhong et al. constructed a 12-round distinguisher of SM4 to attack 14-round SM4, with data complexity of 2^32 chosen plaintexts and time complexity 2^96.5 encryptions.

In 2009 Ji et al. (2009) and in 2010 Erickson et al. utilized algebraic methods such as XL, Groebner base and SAT to analyze the resistance of SM4 against algebraic attacks. The results demonstrate that SM4 is safe against algebraic attacks, and specifically, has a higher resistance against algebraic attacks than AES.

In 2007 Lu et al. provided a matrix attack against 14-round SM4, with data complexity 2^121.82 chosen plaintexts, time complexity 2^116.66 encryptions. In 2008 Toz et al. lowered both data and time complexity of the aformentioned attack to 2^106.89 chosen ciphertexts and time complexity of 2^107.89. In 2008, Zhang et al. provided a matrix attack against 16-round SM4, which required a data complexity of 2^125 chosen plaintexts and time complexity of 2^116 encryptions. She’s Master dissertation provided a SM4 16-round matrix distinguisher that can attack 18-round SM4, with data complexity of 2^127 chosen plaintexts and time complexity 2^110.77 encryptions with memory storage of 2^130. In 2012 Wei et al. applied differential analysis and algebraic attack techniques on 20-round SM4 and discovered that the combined attack results on 20-round SM4 are superior than using pure differential cryptanalysis.

SM4 uses a novel structure differing from the general Feistel and SP structures. has proven that the SM4 non-balanced Feistel structure is pseudo-random. analyzes the SM4 non-balanced Feistel structure on its resistance against differential and linear cryptanalysis techniques. Under SP type round functions with branch number 5, it is proven that in a 27-round SM4 guarantees at least 22 active S-boxes, therefore SM4 is secure against differential attacks. has analyzed resistance of SM4 against linear cryptanalysis.

Related-key differential cryptanalysis is related to the encryption algorithm and key schedule. When performing a related-key attack, the attacker simultaneously insert differences in both the key and the message. In , Sun et al. proposed an automated differential route search method based on MILP (mixed-integer linear programming) that can be used to assess the security bounds of a blockcipher under (related-key) differential cryptanalysis. describes the lower bounds of active S-boxes within SM4 and is shown in .

+--------------+---------------------------------------+ | Round | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | | Single Key | 0 | 1 | 2 | 2 | 5 | 6 | 7 | 8 | | Related Key | 0 | 1 | 2 | 4 | 6 | 8 | 9 | 10 | +--------------+---------------------------------------+ | Round | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | | Single Key | 9 | 10 | 10 | 10 | 13 | 14 | 15 | 16 | | Related Key | 11 | 13 | 14 | 14 | 16 | 18 | 19 | 20 | +--------------+---------------------------------------+ | Round | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | | Single Key | 18 | 18 | 19 | 20 | 22 | 23 | 23 | 24 | | Related Key | 22 | - | - | - | - | - | - | - | +--------------+---------------------------------------+ ("-" denotes unknown) As the maximal probability of the SM4 S-box is 2^−6, when the minimum active S-boxes reach 22 the differential characteristics will have probability 2^132, which is higher than enumeration (2^128). This indicates that 19 rounds and 23 rounds under related key and single key settings will provide a minimum of 22 active S-boxes and is able to resist related-key differential attacks.

As of the publication of this document, no open research results have provided a method to successfully attack beyond 24 rounds of SM4. The traditional view suggests that SM4 provides an extra safety margin compared to blockciphers adopted in that already have full-round attacks, including MISTY1 and AES .

Products and services that utilize cryptography are regulated by the OSCCA ; they must be explicitly approved or certified by the OSCCA before being allowed to be sold or used in China. SM4 is a blockcipher symmetric algorithm with key length of 128 bits. It is considered as an alternative to AES-128 . SM4 is a blockcipher certified by the OSCCA . No formal proof of security is provided. There are no known feasible attacks against SM4 algorithm by the time of publishing this document, but there are security concerns with regards to side-channel attacks when the SM4 algorithm is implemented in hardware. See for more details. The IV does not have to be secret. The IV itself, or criteria enough to determine it, MAY be transmitted with ciphertext. SM4-ECB: ECB is one of the four original modes defined for DES. With its problem well known to "leak quite a large amount of information" , it SHOULD NOT be used in most cases. SM4-CBC, SM4-CFB, SM4-OFB: CBC, CFB and OFB are IV-based modes of operation originally defined for DES.When using these modes of operation, the IV SHOULD be random to preserve message confidentiality . It is shown in the same document that CBC, CFB, OFB, the variants #CBC, #CFB that utilize the recommendation of to make CBC and CFB nonce-based, are SemCPA secure as probabilistic encryption schemes. Various attack scenarios have been described in and these modes SHOULD NOT be used unless for compatibility reasons. SM4-CTR: CTR is considered to be the "best" mode of operation within as it is considered SemCPA secure as a nonce-based encryption scheme, providing provable-security guarantees as good as the classic modes of operation (ECB, CBC, CFB, OFB) .Users with no need of authenticity, non-malleablility and chosen-ciphertext (CCA) security MAY utilize this mode of operation .

This document does not require any action by IANA.

GB/T 32907-2016: Information security technology -- SM4 block cipher algorithm Standardization Administration of the People's Republic of China

9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

ISO/IEC WD1 18033-3/AMD2 -- Encryption algorithms -- Part 3: Block ciphers -- Amendment 2 International Organization for Standardization

BIBC II Chemin de Blandonnet 8 CP 401 Vernier Geneva 1214 Switzerland +41 22 749 01 11 central@iso.org https://www.iso.org/

Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Biclique Cryptanalysis of the Full AES K.U.

Leuven Belgium

Microsoft Research

Redmond WA USA

ENS Paris and Chaire France Telecom

France

Improved Cryptanalysis of Rijndael Counterpane Internet Security, Inc.

San Jose CA USA

Counterpane Internet Security, Inc.

San Jose CA USA

University of Mannheim

Mannheim Germany

Counterpane Internet Security, Inc.

San Jose CA USA

Access Data Corp.

2500 N. University Provo UT USA

University of California Berkeley

Berkeley CA USA

Hi/fn, Inc.

Carlsbad USA

Related-Key Cryptanalysis of the Full AES-192 and AES-256 University of Luxembourg University of Luxembourg Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers State Key Laboratory of Information Security

Chinese Academy of Sciences Beijing China

State Key Laboratory of Information Security

Chinese Academy of Sciences Beijing China

State Key Laboratory of Information Security

Chinese Academy of Sciences Beijing China

State Key Laboratory of Information Security

Chinese Academy of Sciences Beijing China

State Key Laboratory of Information Security

Chinese Academy of Sciences Beijing China

State Key Laboratory of Information Security

Chinese Academy of Sciences Beijing China

Block Cipher Design and Analysis (in Chinese) Tsinghua University Press Evaluation of Some Blockcipher Modes of Operation University of California, Davis

Dept. of Computer Science Kemper Hall of Engineering, #3009 One Shields Avenue Davis California 95616-8562 United States of America +1 530 752 7583 rogaway@cs.ucdavis.edu http://www.cs.ucdavis.edu/rogaway

Botan: Crypto and TLS for C++11 Botan Project

United States of America jack@randombit.net https://botan.randombit.net

Information technology -- Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Specific requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

GM/T 0002-2012: SM4 block cipher algorithm Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

GM/T 0006-2012: Cryptographic Application Identifier Criterion Specification Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

IEEE P1619-2007: The XTS-AES Tweakable Block Cipher Institute of Electrical and Electronics Engineers, Inc

Three Park Avenue New York NY 10016-5997 United States http://www.ieee.org/

ISO/IEC 18033-3:2010 -- Encryption algorithms -- Part 3: Block ciphers International Organization for Standardization

BIBC II Chemin de Blandonnet 8 CP 401 Vernier Geneva 1214 Switzerland +41 22 749 01 11 central@iso.org https://www.iso.org/

Lv Shu Wang -- A life in cryptography Xinhua Catalog A 2^{70} Attack on the Full MISTY1 Bar Ilan University

Ramat Gan Israel abo1000@gmail.com

Bar Ilan University

Ramat Gan Israel abo1000@gmail.com

Integral Cryptanalysis on Full MISTY1 NTT Secure Platform Laboratories

Tokyo Japan todo.yosuke@lab.ntt.co.jp

NIST FIPS 197: Advanced Encryption Standard (AES) National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899-8900 United States http://www.nist.gov/

NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation -- Methods and Techniques National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899-8930 United States http://www.nist.gov/

NIST Special Publication 800-38E: Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899-8930 United States http://www.nist.gov/

OpenSSL: Cryptography and SSL/TLS Toolkit OpenSSL Software Foundation

20-22 Wenlock Road London N1 7GU United Kingdom +44 17 8550 8015 info@opensslfoundation.org https://www.openssl.org

Organization of State Commercial Administration of China Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Algebraic Cryptanalysis of SMS4: Gröbner Basis Attack and SAT Attack Compared The University of North Carolina at Chapel Hill

Chapel Hill NC United States of America

Department of Mathematical Sciences

University of Cincinnati Cincinnati OH 45221 United States of America

Northern Kentucky University

United States of America

Algebraic Attack to SMS4 and the Comparison with AES Beijing Electron. Sci. and Technol. Inst.

Beijing China

State Key Lab. of Inf. Security

Graduate School of Chinese Academy of Sciences Beijing 100049 China

Beijing Electron. Sci. and Technol. Inst.

Beijing China

Overview on SM4 Algorithm Data Assurance Communication Security Center, Chinese Academy of Science

Beijing 100093 People's Republic of China swlu@ustc.edu.cn

State Key Laboratory of Cryptology

Beijing 100878 People's Republic of China subozhan@163.com

Institute of InformationEngineering, Chinese Academy of Science

Beijing 100093 People's Republic of China wp@is.ac.cn

Commercial Cryptography Testing Center

Beijing 100036 People's Republic of China maoyy2000@163.com

Commercial Cryptography Testing Center

Beijing 100093 People's Republic of China lily.home.hao@163.com

Security of the SMS4 Block Cipher Against Differential Cryptanalysis State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China subozhan@is.iscas.ac.cn http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China http://www.is.cas.cn/

Cryptanalysis of Reduced-Round SMS4 Block Cipher State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China zhanglei1015@is.iscas.ac.cn http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China zhangwt06@yahoo.com http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China wwl@is.iscas.ac.cn http://www.is.cas.cn/

Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China zhangwt06@yahoo.com http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China wwl@is.iscas.ac.cn http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China http://www.is.cas.cn/

22-Round SMS4 Differential Cryptanalysis National Key Lab of Integrated Service Networks

Xidian University Xi'an 710071 China

National Key Lab of Integrated Service Networks

Xidian University Xi'an 710071 China

National Key Lab of Integrated Service Networks

Xidian University Xi'an 710071 China

SMS4 Encryption Algorithm for Wireless Networks Sun Microsystems

4150 Network Circle Santa Clara CA 95054 United States of America whitfielddiffie@gmail.com https://cisac.fsi.stanford.edu/

Sonoma State University

Darwin 116, 1801 East Cotati Ave. Rohnert Park CA 94928 United States of America george.ledin@sonoma.edu http://www.cs.sonoma.edu/

Improvements of SM4 Algorithm and Application in Ethernet Encryption System Based on FPGA Key Laboratory of Electronic Engineering, University of Heilongjiang

74 Xuefu Road Harbin Heilongjiang 150080 People's Republic of China chengh@hlju.edu.cn httphttp://www.hlju.edu.cn/

Key Laboratory of Electronic Engineering, University of Heilongjiang

74 Xuefu Road Harbin Heilongjiang 150080 People's Republic of China httphttp://www.hlju.edu.cn/

Key Laboratory of Electronic Engineering, University of Heilongjiang

74 Xuefu Road Harbin Heilongjiang 150080 People's Republic of China chengh@hlju.edu.cn httphttp://www.hlju.edu.cn/

Key Laboratory of Electronic Engineering, University of Heilongjiang

74 Xuefu Road Harbin Heilongjiang 150080 People's Republic of China qunding@aliyun.cn httphttp://www.hlju.edu.cn/

Key Laboratory of Electronic Engineering, University of Heilongjiang

74 Xuefu Road Harbin Heilongjiang 150080 People's Republic of China chenghdahuangr@163.com http://www.hlju.edu.cn/

High-speed Encryption Decryption System Based on SM4 Binzhou Polytechnic

391 Huanghe Road Binzhou Shandong 256600 People's Republic of China ihappylucy@outlook.com http://www.bzu.edu.cn/

Binzhou Polytechnic

391 Huanghe Road Binzhou Shandong 256600 People's Republic of China lili_thesky@163.com http://www.bzu.edu.cn/

Binzhou Polytechnic

391 Huanghe Road Binzhou Shandong 256600 People's Republic of China yaya_sd@163.com http://www.bzu.edu.cn/

Analysis of the SMS4 Block Cipher State Key Laboratory of Information Security

Graduate School of Chinese Academy of Sciences Beijing 100049 China

State Key Laboratory of Information Security

Graduate School of Chinese Academy of Sciences Beijing 100049 China

State Key Laboratory of Information Security

Graduate School of Chinese Academy of Sciences Beijing 100049 China

Department of Mathematical Sciences

University of Cincinnati Cincinnati OH 45221 USA

State Key Laboratory of Information Security

Graduate School of Chinese Academy of Sciences Beijing 100049 China

Fachbereich Informatik

Technische Universität Darmstadt Darmstadt 64289 Germany

Fachbereich Informatik

Technische Universität Darmstadt Darmstadt 64289 Germany

14-Round Square Attack on Blockcipher SMS4 Computer Network and Information Security Ministry of Education Key Laboratory

Xidian University People's Republic of China

Computer Network and Information Security Ministry of Education Key Laboratory

Xidian University People's Republic of China

Computer Network and Information Security Ministry of Education Key Laboratory

Xidian University People's Republic of China

Attacking Reduced-Round Versions of the SMS4 Block Cipher in the Chinese WAPI Standard University of London, Information Security Group

Royal Holloway Egham Surrey TW20 0EXUK United Kingdom

Analysis of Two Attacks on Reduced-Round Versions of the SMS4 Institute of Applied Mathematics

Middle East Technical University Ankara Turkey

Department of Electronical Engineering ESAT SDC-COSIC and Interdisciplinary Institute for BroadBand Technology

Katholieke Universiteit Leuven Leuven-Heverlee Belgium

Improved Impossible Differential Cryptanalysis on SMS4 School of Computer Science and Technology

Donghua University Shanghai China

Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher Center for Information Security Technologies (CIST), Korea University

Room 615, International Center for Conversing Technology Building Anam Campus(Science), Korea University 145 Anam-ro Seongbuk-gu Seoul 02841 Republic of Korea kimth714@cist.korea.ac.kr http://gss.korea.edu/

Center for Information Security Technologies (CIST), Korea University

Room 615, International Center for Conversing Technology Building Anam Campus(Science), Korea University 145 Anam-ro Seongbuk-gu Seoul 02841 Republic of Korea joshep@cist.korea.ac.kr http://gss.korea.edu/

Center for Information Security Technologies (CIST), Korea University

Room 615, International Center for Conversing Technology Building Anam Campus(Science), Korea University 145 Anam-ro Seongbuk-gu Seoul 02841 Republic of Korea hsh@cist.korea.ac.kr http://gss.korea.edu/

Department of Mathematics, University of Seoul

Department of Mathematical Sciences Seoul National University 1 Gwan Ak-ro Gwanak-gu Seoul 08826 Republic of Korea jcsung@uos.ac.kr http://uos.ac.kr/

Security Analysis of the blockciphers AES and SM4 Xidian University

Xian China

The Cryptanalysis of Reduced-Round SMS4 Orange Labs

Issy les Moulineaux Cedex France

Orange Labs

Issy les Moulineaux Cedex France

Improved Linear Attacks on the Chinese Block Cipher Standard Beijing International Center for Mathematical Research, Peking University

5 Yiheyuan Road Haidian District Beijing 100871 People's Republic of China liumj9705@pku.edu.cn http://www.bicmr.org

China Information Technology Security Evaluation Center

Building 1, No.8, Shangdi West Road, Haidian District Beijing 100085 People's Republic of China jiazhechen@gmail.com http://www.itsec.gov.cn

Improved linear cryptanalysis of SM4 block cipher

Vienna Austria

Multiple Linear Cryptanalysis of Reduced-Round SMS4 Block Cipher Department of Computer Science and Engineering

Shanghai Jiao Tong University Shanghai 200240 China ilu_zq@sjtu.edu.cn

Department of Computer Science and Engineering

Shanghai Jiao Tong University Shanghai 200240 China

Department of Computer Science and Engineering

Shanghai Jiao Tong University Shanghai 200240 China

Matrix Attack On Blockcipher SMS4 Shandong University

Jinan Shandong China

Differential-Algebraic Analysis of the SMS4 Block Cipher Chengdu University of Technology Chengdu University of Technology Chengdu University of Technology New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University

27 Shan Da Nan Lu, Licheng Qu Jinan Shandong 250100 People's Republic of China

Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University

27 Shan Da Nan Lu, Licheng Qu Jinan Shandong 250100 People's Republic of China

Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University

27 Shan Da Nan Lu, Licheng Qu Jinan Shandong 250100 People's Republic of China

Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University

27 Shan Da Nan Lu, Licheng Qu Jinan Shandong 250100 People's Republic of China mqwang@sdu.edu.cn

Improved chosen-plaintext power analysis attack against SM4 at the round-output College of Information Security Engineering, Chengdu University of Information Technology

Block 1, 24 Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

College of Information Security Engineering, Chengdu University of Information Technology

Block 1, 24 Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

College of Information Security Engineering, Chengdu University of Information Technology

Block 1, 24 Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

College of Information Security Engineering, Chengdu University of Information Technology

Block 1, 24 Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

Security of SM4 Against (Related-Key) Differential Cryptanalysis Institute of Software, Chinese Academy of Sciences

4 South Fourth Street, Zhong Guan Cun Beijing Beijing 100190 People's Republic of China zhangjian@tca.iscas.ac.cn

Institute of Software, Chinese Academy of Sciences

4 South Fourth Street, Zhong Guan Cun Beijing Beijing 100190 People's Republic of China wwl@tca.iscas.ac.cn

Institute of Software, Chinese Academy of Sciences

4 South Fourth Street, Zhong Guan Cun Beijing Beijing 100190 People's Republic of China zhengyafei@tca.iscas.ac.cn

Pseudorandomness and Super-pseudorandomness of a non-balanced Feistel Structure using compressed functions State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China liyen.zhang@is.cas.cn http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China http://www.is.cas.cn/

Practical security against linear cryptanalysis for SMS4-like ciphers with SP round function

PO. Box 1936 Beijing 100193 China dzjszhangbin@126.com

Electronic Technology Institute

Information Engineering University Zhengzhou China

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4 School of Communication and Information Engineering

Xi'an University of Post and Telecommunications Xi'an China

School of Communication and Information Engineering

Xi'an University of Post and Telecommunications Xi'an China

National Key Lab of Integrated Service Networks

Xidian University Xi'an 710071 China

School of Communication and Information Engineering

Xi'an University of Post and Telecommunications Xi'an China

Cryptographic Properties of S-box in SMS4 Department of Electronic and Communications Engineering, Sun Yat-Sen University

Building 3, Gezhi Yuan 132 Outer Ring East Road University City Punyu District Guangzhou Guangdong 510275 People's Republic of China http://sece.sysu.edu.cn

Department of Electronic and Communications Engineering, Sun Yat-Sen University

Building 3, Gezhi Yuan 132 Outer Ring East Road University City Punyu District Guangzhou Guangdong 510275 People's Republic of China http://sece.sysu.edu.cn

Department of Electronic and Communications Engineering, Sun Yat-Sen University

Building 3, Gezhi Yuan 132 Outer Ring East Road University City Punyu District Guangzhou Guangdong 510275 People's Republic of China http://sece.sysu.edu.cn

A VLSI implementation of an SM4 algorithm resistant to power analysis College of Information Science and Engineering, Hunan University

Lushan Road S, Yuelu District Changsha Hunan 410082 People's Republic of China nickysy@hnu.edu.cn http://www.hnu.edu.cn/

Department of Computer Science, New Platz, State University of New York

SUNY New Paltz, 1 Hawk Drive New Paltz NY 12561 United States of America http://www.hnu.edu.cn/

College of Information Science and Engineering, Hunan University

Lushan Road S, Yuelu District Changsha Hunan 410082 People's Republic of China http://www.hnu.edu.cn/

College of Information Science and Engineering, Hunan University

Lushan Road S, Yuelu District Changsha Hunan 410082 People's Republic of China http://www.hnu.edu.cn/

College of Mathematics and Computer Science, Performance Computing and Stochastic Information Processing, (Ministry of Education of China), Hunan Normal University

36 Lushan Rd., Yuelu District Changsha Hunan 410081 People's Republic of China http://www.hunnu.edu.cn/

A secure white-box SM4 implementation State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China http://www.is.cas.cn/

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences

Institute of Software, Chinese Academy of Sciences 4 South Fourth Street Zhong Guan Cun Beijing 100190 People's Republic of China ckwu@iie.ac.cn http://www.is.cas.cn/

Multidimensional Zero-correlation Linear Cryptanalysis on SMS4 Algorithm State Key Laboratory of Mathematical Engineering and Advanced Computing

Information Engineering University Zhengzhou 450001 China

State Key Laboratory of Mathematical Engineering and Advanced Computing

Information Engineering University Zhengzhou 450001 China

State Key Laboratory of Mathematical Engineering and Advanced Computing

Information Engineering University Zhengzhou 450001 China

Science and Technology on Information Assurance Laboratory

Beijing 100072 China

SMS4 Cryptographic Algorithm For Wireless LAN Products Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Software Hardware Co-design for Side-Channel Analysis Platform on Security Chips Tsinghua National Laboratory for Information Science and Technology, Tsinghua University

Tsinghua University Haidian Beijing 100190 People's Republic of China http://www.sist.tsinghua.edu.cn/

Tsinghua National Laboratory for Information Science and Technology, Tsinghua University