
CN116132019B - A white box SM4 encryption method and system based on multidimensional linear mask - Google Patents


Info

Publication number
CN116132019B
CN116132019B
Authority
CN
China
Prior art keywords: data, exclusive, box, white, operation result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211673922.XA
Other languages
Chinese (zh)
Other versions
CN116132019A (en)
Inventor
王美琴
牛超
王锦良
李保宇
张俊宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong University
Original Assignee
Shandong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2022-12-26
Filing date: 2022-12-26
Publication date: 2025-06-24
Events
2022-12-26  Application filed by Shandong University
2022-12-26  Priority to CN202211673922.XA
2023-05-16  Publication of CN116132019A
2025-06-24  Application granted; publication of CN116132019B
Legal status: Active

Links

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00  Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06  ... the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618  Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631  Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 2209/00  Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/16  Obfuscation or hiding, e.g. involving white box
    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02  TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D  CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00  Reducing energy consumption in communication networks
    • Y02D 30/50  Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of encryption and provides a white-box SM4 encryption method and system based on a multidimensional linear mask. The method obtains a secret key and a plaintext, splits the plaintext by bits into first, second, third and fourth data, and encrypts through a number of round functions to obtain the ciphertext. Each round function XORs the second, third and fourth data to obtain a first XOR result; the first XOR result, the secret key and the first data are each split into a plurality of shares using different encoding functions; the shares of the first XOR result and the shares of the secret key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares of the first data to obtain a second XOR result, from which the input of the next round function is obtained. The method resists the existing white-box attack methods as well as attacks such as DFA, and so offers stronger security.

Description

White-box SM4 encryption method and system based on multidimensional linear mask
Technical Field
The invention belongs to the technical field of encryption, and particularly relates to a white-box SM4 encryption method and system based on a multidimensional linear mask.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
The SM4 algorithm is a Chinese commercial cryptographic standard, and present-day white-box SM4 implementations are mostly built from look-up tables. In 2009, Xiao and Lai proposed the first white-box implementation of SM4, usually called the Xiao-Lai white-box SM4. Later, the white-box SM4 scheme with internal-state expansion proposed by Yao Sai et al. in 2020 significantly increased the complexity of key extraction. In 2021, Lin Tingting et al. analysed part of the existing white-box SM4 designs, applying the BGE attack, affine-equivalence attacks and DCA attacks to the Xiao-Lai, Bai-Wu, Shi-Yang and Yao-Sai white-box schemes, and proposed an SM4 white-box design that resists first-order DCA.
In 2018, biryukov proposed white-box AES implementation based on boolean mask, which can effectively resist conventional attacks and DCA attacks, but has large time and space overhead.
Most existing table-based white-box SM4 implementations resist neither differential computation analysis (DCA) nor differential fault analysis (DFA), and the Boolean-masking implementations are expensive. A table-based white-box SM4 exposes its structure plainly: the memory addresses of the tables are easy to locate, so DCA can be aimed at them directly. A Boolean-masked scheme resists most known DCA attacks, but adding a nonlinear mask and a linear mask in every round carries a large overhead.
Disclosure of Invention
To solve the problems described above, the invention provides a white-box SM4 encryption method and system based on a multidimensional linear mask. The multidimensional linear mask protects the key from extraction, so the method resists the existing white-box attack methods and attacks such as DCA and DFA, and offers stronger security.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
A first aspect of the present invention provides a white-box SM4 encryption method based on a multidimensional linear mask, which includes:
Obtaining a secret key and a plaintext, and splitting the plaintext into first data, second data, third data and fourth data according to bits;
based on the secret key, the first data, the second data, the third data and the fourth data, a ciphertext is obtained through encryption of a plurality of round functions;
wherein each round function XORs the second data, the third data and the fourth data to obtain a first XOR result; the first XOR result, the secret key and the first data are each split into a plurality of shares using different encoding functions; the shares corresponding to the first XOR result and to the secret key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares corresponding to the first data to obtain a second XOR result, from which the input of the next round function is obtained.
Further, the S-box operation is protected by a nonlinear mask.
Further, each share represents one basis vector of the multidimensional linear space.
Further, the second XOR result is fed into a decoding function to obtain the input of the next round function.
A second aspect of the present invention provides a white-box SM4 encryption system based on a multidimensional linear mask, comprising:
The data acquisition module is configured to acquire a secret key and a plaintext and split the plaintext into first data, second data, third data and fourth data according to bits;
The encryption module is configured to obtain ciphertext through encryption of a plurality of round functions based on the secret key, the first data, the second data, the third data and the fourth data;
wherein each round function XORs the second data, the third data and the fourth data to obtain a first XOR result; the first XOR result, the secret key and the first data are each split into a plurality of shares using different encoding functions; the shares corresponding to the first XOR result and to the secret key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares corresponding to the first data to obtain a second XOR result, from which the input of the next round function is obtained.
A third aspect of the present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a multi-dimensional linear mask based white-box SM4 encryption method as described above.
A fourth aspect of the invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, said processor implementing the steps in a white-box SM4 encryption method based on a multi-dimensional linear mask as described above when said program is executed by said processor.
Compared with the prior art, the invention has the beneficial effects that:
The white-box SM4 encryption method based on a multidimensional linear mask uses the multidimensional linear mask to protect the secret key from extraction; it resists the existing white-box attack methods as well as DCA, DFA and similar attacks, and so offers stronger security.
At the same security level the method has a lower implementation cost and a higher encryption speed.
The method can run on a machine completely controlled by an adversary without the key material being extracted, so it has broad application prospects in digital rights management, cloud-based remote encryption systems, efficient public-key systems and similar settings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention.
Fig. 1 is a flowchart of the white-box SM4 encryption method based on a multidimensional linear mask according to the first embodiment;
Fig. 2 shows the memory read/write trace of a look-up-table-based implementation, recorded for comparison in the first embodiment;
Fig. 3 shows the memory read/write trace of the white-box SM4 encryption method based on a multidimensional linear mask according to the first embodiment;
Fig. 4 shows the result of a CPA attack on Biryukov's scheme;
Fig. 5 shows the result of a CPA attack on the white-box SM4 encryption method of the first embodiment;
Fig. 6 shows the result of a DCA attack on Biryukov's scheme;
Fig. 7 shows the result of a DCA attack on the white-box SM4 encryption method of the first embodiment.
Detailed Description
The invention will be further described with reference to the drawings and examples.
It should be noted that the following detailed description is illustrative and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
Term interpretation:
The SM4 algorithm uses a generalized Feistel structure; the block length and the key length are both 128 bits, and both the encryption algorithm and the key-expansion algorithm use a 32-round nonlinear iterative structure. Let the encryption key input be the 128-bit master key, and let K_i denote the 32-bit round key of the i-th round, where the round keys are generated from the master key by the key-expansion algorithm. Let the 128-bit plaintext of SM4 be split by bits into four 32-bit words X_0, X_1, X_2, X_3. The round function F produces 32 bits of intermediate state at a time and can be written as

X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, K_i) = X_i ⊕ T(X_{i+1} ⊕ X_{i+2} ⊕ X_{i+3} ⊕ K_i),  i = 0, 1, …, 31,

where X_{i+4} is the output of the i-th round function, X_i, X_{i+1}, X_{i+2}, X_{i+3} are the words of round i corresponding to X_0, X_1, X_2, X_3, and T is composed of the nonlinear transformation τ and the linear transformation L, T = L ∘ τ. Expanded,

τ(x_0, x_1, x_2, x_3) = (Sbox(x_0), Sbox(x_1), Sbox(x_2), Sbox(x_3)),

where the 32-bit intermediate state X is split into four 8-bit bytes x_i and Sbox is the 8-bit-in, 8-bit-out S-box used by SM4. The ciphertext finally output by the SM4 algorithm is (X_35, X_34, X_33, X_32).
Example 1
This embodiment provides a white-box SM4 encryption method based on a multidimensional linear mask, comprising the following steps:
obtaining the round key K_i and a plaintext, and splitting the plaintext by bits into first data X_i, second data X_{i+1}, third data X_{i+2} and fourth data X_{i+3};
obtaining a ciphertext by encrypting through a number of round functions based on the secret key, the first data, the second data, the third data and the fourth data;
wherein each round function XORs the second, third and fourth data to obtain the first XOR result X_{i+1} ⊕ X_{i+2} ⊕ X_{i+3}. The first XOR result, the round key and the first data are each split into a plurality of shares using different encoding functions; the shares of the first XOR result and the shares of the round key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares of the first data, that is, the shares jointly compute X_{i+4} = X_i ⊕ L(τ(X_{i+1} ⊕ X_{i+2} ⊕ X_{i+3} ⊕ K_i)), giving the second XOR result X_{i+4}. The second XOR result is fed into the decoding function to obtain the input of the next round function.
As shown in Fig. 1, for the protected i-th round function the round key K_i is generated by pre-computation. The inputs of the round function are the 128-bit intermediate state X_i || X_{i+1} || X_{i+2} || X_{i+3} and the 32-bit round key K_i. First, the 32-bit internal state X_{i+1} ⊕ X_{i+2} ⊕ X_{i+3}, the round key K_i and the word X_i are split into multiple shares by the functions Encode_1, Encode_2 and Encode_3 respectively. During round encryption, to preserve correctness, all shares are XORed together according to a specific correspondence. Finally, the resulting shares are recombined by the Decode function to obtain the correct round output.
Unlike the mask-based white-box protection scheme proposed by Biryukov, this embodiment draws on the relationship between multidimensional linear cryptanalysis, multidimensional zero-correlation cryptanalysis and integral cryptanalysis of block ciphers: each byte K_i^j of the round key K_i is represented by a set of basis vectors (v_0, v_1, …, v_n) of a multidimensional vector space. Typically this set of basis vectors corresponds to a set of wrong keys. These wrong keys are called the shares of the correct key here, and they satisfy the condition that the XOR of all the shares equals the correct key byte, where the k-th share is the k-th wrong key corresponding to the j-th byte of the i-th round key.
After passing through the SM4 round function, these specially processed internal states appear at the round-function output, and the correct round output is obtained through a Decode function; the correct round keys are thereby protected. This does not conflict with mask-protection schemes such as Biryukov's, which means both designs can be used at the same time. Compared with a design based on mask protection alone, this embodiment further raises the difficulty for an attacker of extracting the round key.
Biryukov et al define two main categories of protection policies for white-box passwords, hiding of values, and hiding of structures. For combating white-box attacks, locating its position becomes very difficult if the number of shares is very large, even without the necessity of hiding its share position. However, designing a solution that achieves a low cost multi-share is a very challenging task. Based on this, a white-box SM4 encryption method based on multidimensional linear masks is proposed, in particular in two steps, firstly, the implementation of the structured redundancy code Encode 1,Encode2,Encode3 functions will enter the internal states of the round function F, respectively K i,Xi performs the share split. The symbolic representation is defined below. For round function F of SM4, its input is 32 bits, let the internal stateSplitting 32 bits into 8-bit variable representationsOrder theIs the 32-bit internal state after the S-box, Is an internal state after the linear layer L, in whichIs a 32-bit intermediate variable after the split matrix R j of L. For expansion, a transformation that divides the linear layer L into 4 8-in 32-out can be obtained:
next, a base vector of the multidimensional linear space is represented using the shares and a symbolic representation of the shares of each variable is defined.
Order theOne share of the jth Byte representing the internal state of the ith round, N is the number of shares (because each variable is 8 bits, the shares are all 256 values, most of the intermediate values are redundant error values, to hide the correct encryption result, as long as ensuring that the exclusive or result is correct encryption). Similarly, there areRepresenting a share of the jth Byte of the ith round key. Notably, use is made ofRepresenting the 8-bit intermediate variable after the shares have passed the S-box operation,Representing one of the shares of the 32-bit intermediate variable after the matrix R j of the linear layer L. So each shareThe share of the intermediate variable obtained by the 8-in 32-out transform satisfies:
Of course, using an aliasing strategy when merging shares increases the distance between the shares of a true value, i.e. it makes extracting all shares of a true value from the Boolean circuit extremely difficult.
For Encode_1 and Encode_3 we have:
where the shares of the internal state satisfy:
where r_k is a 32-bit pseudorandom number.
Encode_2 encodes the round key of round i as:
and its shares satisfy:
After decoding, the round-function output of round i satisfies:
Through the properties of the Decode function, the multidimensional linear mask of this embodiment guarantees that the correct round output is obtained while the round keys stay protected, so that DCA and DFA attacks can be resisted. That is, X_{i+4} passes through the Decode function and is then used as the first data in the input of the next round function.
Following the implementation framework of the masked white-box scheme of Biryukov et al., the Boolean implementation of the SM4 S-box is optimised. Using the four Boolean operations (AND, OR, NOT, XOR), a 113-gate Boolean-circuit implementation of the AES S-box is generated and an affine transformation Ax + B is applied to obtain the SM4 S-box, where A and B are given by:
B^T = [0, 1, 1, 0, 1, 0, 0, 1]
To further strengthen the white-box scheme, value hiding is added on top of the multidimensional linear masking described above: each true value and each basis vector of its multidimensional linear mask is additionally masked. A nonlinear mask is used here. Let V denote any intermediate variable, where V may be a true value or one of its shares; a nonlinear mask of V is defined with random numbers v1 and v2 such that the masking identity holds identically. Two security strengths are given, corresponding to n ∈ {0, 1}: n = 0 means only multidimensional linear masking is applied, and n = 1 means multidimensional linear masking and nonlinear masking are used together.
As shown in Fig. 2 and Fig. 3, memory read/write traces were collected while the program ran: the white-box SM4 algorithm of this embodiment shows no obvious round features, whereas the table-based white-box SM4 scheme shows a clear round structure.
The white-box SM4 scheme was tested with the Daredevil CPA tool. The state after the first-round S-box of SM4 is taken as the predicted value; for each of the four bytes of the first-round subkey, the correlation with the traces is computed for every guess, and if the correlation of the correct subkey byte is clearly distinguishable from that of the wrong ones, the first-round subkey of SM4 is considered recovered.
As shown in Fig. 4 and Fig. 5, for the white-box SM4 implementation of this embodiment the correlation computed with the correct key is indistinguishable from that computed with wrong keys, so the white-box scheme of this embodiment resists CPA.
As shown in Fig. 6 and Fig. 7, for each S-box the combined DCA attack returned all 256 key candidates, the frequency of each candidate showed no significant difference, and the correct key did not occur more often than the wrong keys, which matches the expected security of this embodiment. The window size was then enlarged to 5000 and to 10000 and the attack repeated; the combined DCA attack still could not extract the correct round keys. From these experimental results the embodiment is considered effective against combined DCA.
The first-round key was set to 0x4f907c79, the window size to 1000 and the window step to 250 per slide. 1280 plaintexts were generated at random and encrypted, and the 1280 corresponding traces were collected. With these parameters the algebraic DCA experiment was run. For each S-box the algebraic DCA attack returned all 256 key candidates, the frequency of each candidate showed no significant difference, and the correct key did not occur more often than the wrong keys, again as expected. From these results the white-box design is considered effective against algebraic DCA.
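The following Python module is an added example written for this page; it is not the patent's or the inventors' code. It serves three passages at once: the term interpretation above (reference SM4 round function with T = L ∘ τ, the key expansion, and the (X_35, X_34, X_33, X_32) output order, checked against the standard SM4 known-answer vector), the share splitting of Example 1 (a value held as N XOR-shares of which N-1 are random "wrong" values, with XOR and L applied share by share), and the CPA/DCA measurement reported for Figs. 4 to 7 (a one-byte, one-bit correlation attack on constructed software traces of the first-round S-box output). The scheme's Encode/Decode functions, basis-vector shares and nonlinear mask appear on this page only in words, so they are not reproduced: the toy `shared_round` recombines the shares in front of the S-box, which is exactly the step a real white-box design must hide, and the `leak_traces` model that exposes a single share is first-order only, so XORing two shares would defeat it. The S-box table, the FK and CK constants and the rotation amounts are the standard SM4 values; the round key 0x4F907C79 and the trace count 1280 are the ones quoted in the experiments above; all other names, seeds and parameters are this example's own choices.

```python
"""Added example (not the patent's or Shandong University's code): reference SM4
round function and key schedule, XOR-share splitting of the round inputs, and a
first-order CPA/DCA distinguisher run on constructed software traces."""
import random
from functools import reduce

SBOX = bytes.fromhex(  # SM4 S-box from GB/T 32907-2016 (standard constant)
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)  # key-expansion constants
CK = tuple(int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
           for i in range(32))

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def tau(x):  # byte-wise S-box on a 32-bit word: the nonlinear part of T
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def lin(b):  # linear layer L of the encryption round; T = L o tau
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def key_schedule(mk):  # round keys K_0..K_31 from the 128-bit master key
    k = [int.from_bytes(mk[4 * i:4 * i + 4], "big") ^ FK[i] for i in range(4)]
    for i in range(32):
        t = tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])
        k.append(k[i] ^ t ^ rotl(t, 13) ^ rotl(t, 23))  # L' of the key expansion
    return k[4:]

def round_function(x, rk):  # X_{i+4} = X_i ^ L(tau(X_{i+1} ^ X_{i+2} ^ X_{i+3} ^ K_i))
    return x[0] ^ lin(tau(x[1] ^ x[2] ^ x[3] ^ rk))

def sm4_encrypt(mk, pt):  # ciphertext is (X_35, X_34, X_33, X_32)
    x = [int.from_bytes(pt[4 * i:4 * i + 4], "big") for i in range(4)]
    for rk in key_schedule(mk):
        x.append(round_function(x[-4:], rk))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[-4:]))

def xor_all(vals):
    return reduce(lambda a, b: a ^ b, vals, 0)

def split(value, n, rng, bits=32):
    """n XOR-shares of value: n-1 random 'wrong' values plus one fixing the XOR."""
    shares = [rng.getrandbits(bits) for _ in range(n - 1)]
    return shares + [value ^ xor_all(shares)]

def shared_round(x_shares, rk_shares, rng):
    """One round on shares: XOR and L are linear and act share by share; tau is not,
    so this toy recombines before the S-box and re-splits after it.  Hiding that
    recombination is what the patent's encodings and nonlinear mask do; not reproduced."""
    t = [a ^ b ^ c ^ k for a, b, c, k in
         zip(x_shares[1], x_shares[2], x_shares[3], rk_shares)]
    s_shares = split(tau(xor_all(t)), len(t), rng)
    return [x0 ^ lin(s) for x0, s in zip(x_shares[0], s_shares)]

def shared_round_matches_reference(n_shares=4, seed=1):
    """Correctness condition of the Decode step: XOR of output shares == X_{i+4}."""
    rng = random.Random(seed)
    x = [rng.getrandbits(32) for _ in range(4)]
    rk = 0x4F907C79  # first-round key quoted in the page's experiments
    out = shared_round([split(w, n_shares, rng) for w in x], split(rk, n_shares, rng), rng)
    return xor_all(out) == round_function(x, rk)

def leak_traces(key_byte, n_traces, n_shares, rng):
    """Constructed 'memory traces' of one first-round S-box output byte: the byte
    itself for a plain look-up table (n_shares == 1), otherwise one randomly chosen
    share of it, which is what a single memory location would hold."""
    pts, obs = [], []
    for _ in range(n_traces):
        p = rng.getrandbits(8)
        s = SBOX[p ^ key_byte]
        pts.append(p)
        obs.append(s if n_shares == 1 else rng.choice(split(s, n_shares, rng, 8)))
    return pts, obs

def cpa_recover(pts, obs, bit=0):
    """Correlate one bit of each observed byte with S(p ^ k) for all 256 k; return
    (best key guess, |correlation|): the test of Figs. 4-7 on one byte and one bit."""
    n = len(obs)
    ys = [(o >> bit) & 1 for o in obs]
    my = sum(ys) / n
    vy = sum((y - my) ** 2 for y in ys)
    scores = []
    for k in range(256):
        xs = [(SBOX[p ^ k] >> bit) & 1 for p in pts]
        mx = sum(xs) / n
        vx = sum((x - mx) ** 2 for x in xs)
        cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
        scores.append(abs(cov) / (vx * vy) ** 0.5 if vx and vy else 0.0)
    best = max(range(256), key=scores.__getitem__)
    return best, scores[best]

def attack(key_byte=0x4F, n_traces=1280, n_shares=1, seed=2):
    """Fresh constructed traces, then the distinguisher; 1280 traces as on the page."""
    pts, obs = leak_traces(key_byte, n_traces, n_shares, random.Random(seed))
    return cpa_recover(pts, obs)
```

`sm4_encrypt` reproduces the standard known-answer vector (key and plaintext 0123456789abcdeffedcba9876543210 give 681edf34d206965e86b3e94f536e4246), which pins down the S-box, L, the key expansion and the output order. `attack(n_shares=1)` returns the correct key byte 0x4F with correlation 1.0, because the stored byte is exactly the predicted S-box output; `attack(n_shares=2)` returns a noise-level correlation, which is the effect the figures above report. `shared_round_matches_reference()` checks the correctness condition the page states for the Decode step: the XOR of the output shares equals the reference round output.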
The white-box SM4 encryption method based on a multidimensional linear mask realises a Boolean white-box SM4 scheme based on the multidimensional linear mask; it does not expose the algorithm structure and resists differential computation analysis (DCA) type attacks. Against DCA and DFA the protection is applied only in the first and last rounds, which greatly reduces the time and space overhead (note that the SM4 key expansion is invertible, so the last four round keys determine the master key, and published DFA attacks on SM4 accordingly target the last four rounds rather than the last round alone). At the same time the number of shares is increased, which raises security.
Example two
The embodiment provides a white-box SM4 encryption system based on a multidimensional linear mask, which specifically comprises:
The data acquisition module is configured to acquire a secret key and a plaintext and split the plaintext into first data, second data, third data and fourth data according to bits;
The encryption module is configured to obtain ciphertext through encryption of a plurality of round functions based on the secret key, the first data, the second data, the third data and the fourth data;
wherein each round function XORs the second data, the third data and the fourth data to obtain a first XOR result; the first XOR result, the secret key and the first data are each split into a plurality of shares using different encoding functions; the shares corresponding to the first XOR result and to the secret key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares corresponding to the first data to obtain a second XOR result, from which the input of the next round function is obtained.
It should be noted that, each module in the embodiment corresponds to each step in the first embodiment one to one, and the implementation process is the same, which is not described here.
Example III
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps in a white-box SM4 encryption method based on a multidimensional linear mask as described in the above embodiment one.
Example IV
The present embodiment provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps in a white-box SM4 encryption method based on a multidimensional linear mask according to the above embodiment when executing the program.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Those skilled in the art will appreciate that all or part of the methods of the embodiments above may be implemented by a computer program stored on a computer-readable storage medium which, when executed, carries out the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A white-box SM4 encryption method based on a multidimensional linear mask, comprising:
Obtaining a secret key and a plaintext, and splitting the plaintext into first data, second data, third data and fourth data according to bits;
based on the secret key, the first data, the second data, the third data and the fourth data, a ciphertext is obtained through encryption of a plurality of round functions;
wherein each round function XORs the second data, the third data and the fourth data to obtain a first XOR result; the first XOR result, the secret key and the first data are each split into a plurality of shares using different encoding functions; the shares corresponding to the first XOR result and to the secret key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares corresponding to the first data to obtain a second XOR result, from which the input of the next round function is obtained, wherein each share corresponding to the first XOR result and to the secret key represents one basis vector of the multidimensional linear space.
2. The white-box SM4 encryption method based on a multidimensional linear mask as recited in claim 1, wherein the S-box operation is protected by a nonlinear mask.
3. The white-box SM4 encryption method based on the multidimensional linear mask as recited in claim 1, wherein the second exclusive-or operation result is input into a decoding function to obtain the input of the next round of functions.
4. A white-box SM4 encryption system based on a multidimensional linear mask, comprising:
The data acquisition module is configured to acquire a secret key and a plaintext and split the plaintext into first data, second data, third data and fourth data according to bits;
The encryption module is configured to obtain ciphertext through encryption of a plurality of round functions based on the secret key, the first data, the second data, the third data and the fourth data;
wherein each round function XORs the second data, the third data and the fourth data to obtain a first XOR result; the first XOR result, the secret key and the first data are each split into a plurality of shares using different encoding functions; the shares corresponding to the first XOR result and to the secret key are XORed, passed through the S-box operation and the linear layer, and then XORed with the shares corresponding to the first data to obtain a second XOR result, from which the input of the next round function is obtained, wherein each share corresponding to the first XOR result and to the secret key represents one basis vector of the multidimensional linear space.
5. The white-box SM4 encryption system based on multidimensional linear masking as recited in claim 4, wherein the S-box operation employs nonlinear masking protection.
6. The white-box SM4 encryption system as recited in claim 4, wherein the second exclusive-or operation result is input to a decoding function to obtain the input of the next round of functions.
7. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of a multi-dimensional linear mask based white-box SM4 encryption method as claimed in any one of claims 1-3.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of a multi-dimensional linear mask based white-box SM4 encryption method as claimed in any one of claims 1-3 when the program is executed.
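As an added illustration that is not code from the patent: one SM4 round evaluated on two XOR shares, where a masked S-box table stands in for the nonlinear mask protection of claims 2 and 5 and a final XOR plays the role of the decoding function of claims 3 and 6. The multidimensional linear-space sharing of claim 1 is not reproduced here, and the share values, table masks and round key used are constructed for the demonstration.

```python
# Added illustration (not the patent's code): one SM4 round on two XOR shares.
SBOX = bytes.fromhex(  # standard SM4 S-box, 16 rows of 16 bytes
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)
MASK32 = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def lin(b):
    # SM4 round-function linear layer L: XOR of the word with four rotations
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def tau(word, sbox=SBOX):
    # byte-wise S-box lookup on a 32-bit word (big-endian byte order)
    return int.from_bytes(bytes(sbox[c] for c in word.to_bytes(4, "big")), "big")

def sm4_round(x0, x1, x2, x3, rk):
    # unmasked reference round: X4 = X0 ^ L(tau(X1 ^ X2 ^ X3 ^ rk))
    return x0 ^ lin(tau(x1 ^ x2 ^ x3 ^ rk))

def masked_sbox(m_in, m_out):
    # table T(y) = S(y ^ m_in) ^ m_out: takes a byte masked by m_in and
    # returns the S-box output masked by m_out; built once, masks fixed
    return bytes(SBOX[y ^ m_in] ^ m_out for y in range(256))

def masked_round(shares, rk_shares, m_in, m_out):
    # shares[i] = (a, b) with X_i = a ^ b, rk_shares likewise. First shares
    # are XORed together and second shares together, so X1^X2^X3^rk itself
    # never appears; the second share is re-masked onto the table mask m_in.
    table = masked_sbox(m_in, m_out)
    m_in_w = int.from_bytes(bytes([m_in]) * 4, "big")      # m_in on every byte
    m_out_w = int.from_bytes(bytes([m_out]) * 4, "big")
    s0 = shares[1][0] ^ shares[2][0] ^ shares[3][0] ^ rk_shares[0]
    s1 = shares[1][1] ^ shares[2][1] ^ shares[3][1] ^ rk_shares[1]
    y = s0 ^ (s1 ^ m_in_w)               # = (X1^X2^X3^rk) ^ m_in_w
    t = lin(tau(y, table))               # = L(tau(x)) ^ L(m_out_w), L is linear
    return (shares[0][0] ^ t, shares[0][1] ^ lin(m_out_w))

def unmask(pair):
    # decoding function: XOR the two shares back together
    return pair[0] ^ pair[1]
```

The plaintext and first round key of the SM4 standard's worked example give X4 = 0x27fad345 both unmasked and after recombining the shares, while neither share on its own equals that value.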

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211673922.XA CN116132019B (en) 2022-12-26 2022-12-26 A white box SM4 encryption method and system based on multidimensional linear mask

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211673922.XA CN116132019B (en) 2022-12-26 2022-12-26 A white box SM4 encryption method and system based on multidimensional linear mask

Publications (2)

Publication Number Publication Date
CN116132019A CN116132019A (en) 2023-05-16
CN116132019B true CN116132019B (en) 2025-06-24

Family

ID=86305670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211673922.XA Active CN116132019B (en) 2022-12-26 2022-12-26 A white box SM4 encryption method and system based on multidimensional linear mask

Country Status (1)

Country Link
CN (1) CN116132019B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110278072A (en) * 2019-07-11 2019-09-24 Beijing Electronic Science and Technology Institute A 16-round SM4-128/128 white-box cipher implementation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"An improved differential attack on the SMS4 cipher algorithm"; Zhao Yanmin et al.; Journal of Software (软件学报); 2017-03-31; full text *

Also Published As

Publication number Publication date
CN116132019A (en) 2023-05-16

Similar Documents

Publication Publication Date Title
Rivain et al. Higher-order masking and shuffling for software implementations of block ciphers
US10439797B2 (en) Methods and devices against a side-channel analysis
RU2502201C2 (en) Encryption/decryption device, encryption/decryption method, information processing device and computer programme
EP2195761B1 (en) Substitution table masking for cryptographic processes
Niu et al. An efficient collision power attack on AES encryption in edge computing
CN110278072A (en) A 16-round SM4-128/128 white-box cipher implementation method
Banik et al. Analysis of software countermeasures for whitebox encryption
Baek et al. White-box AES implementation revisited
CN108809626A (en) A white-box SM4 cryptographic algorithm scheme and system
CN105940439A (en) Countermeasures against side-channel attacks on cryptographic algorithms using permutations
CN105453481A (en) Computing device comprising a table network
CN102571331A (en) Cryptographic algorithm realization protecting method used for defending energy analysis attacks
EP2606603A1 (en) Apparatus and method for block cipher process for insecure environments
CN109726565B (en) Using white boxes in anti-leakage primitives
WO2010020910A2 (en) Method for generating a cipher-based message authentication code
CN113273131B (en) Using a shared computing device
You et al. Low trace-count template attacks on 32-bit implementations of ASCON AEAD
Zeyad et al. Another look on bucketing attack to defeat white-box implementations
Wu et al. Not so difficult in the end: Breaking the lookup table-based affine masking scheme
CN116132019B (en) A white box SM4 encryption method and system based on multidimensional linear mask
Link et al. Clarifying obfuscation: Improving the security of white-box encoding
EP2363974A1 (en) Variable table masking for cryptographic processes
Biryukov et al. Cryptanalysis of ARX-based White-box Implementations
Tang et al. Adaptive side-channel analysis model and its applications to white-box block cipher implementations
CN115001656B (en) A method and device for analyzing chosen plaintext persistence faults of block ciphers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant