SM4

Posted on 2025-09-16 Edited on 2025-09-18 In crypto

分组/密钥：128 位 / 128 位，32 轮（不平衡 Feistel，SM4 风格）

概述

结构：基于 32 位字的不平衡 Feistel
字节序：标准大端（big-endian），16 字节装成 4 个 32 位字
解密：与加密相同，轮密钥倒序使用即可

轮函数

轮函数定义为

T(x) = L(\tau(x))

$\tau$ ：对 32 位字的 4 个字节逐字节过 $8\to 8$ 的 S 盒
$L$ ：线性扩散

L(x) = x \oplus (x\lll2) \oplus (x\lll10) \oplus (x\lll18) \oplus (x\lll24)

密钥扩展（Key Schedule）

同一个 S 盒，线性层换成 $L'$ ：

L'(x) = x \oplus (x\lll13) \oplus (x\lll23)

用 $FK[4]$ 与 $CK[32]$ 生成 32 个轮密钥 $\mathrm{rk}[0\ldots31]$ 。

加/解密与密钥扩展（Python 参考实现）

# SM4 reference implementation (single-block)

SBOX = [
    0xd6,0x90,0xe9,0xfe,0xcc,0xe1,0x3d,0xb7,0x16,0xb6,0x14,0xc2,0x28,0xfb,0x2c,0x05,
    0x2b,0x67,0x9a,0x76,0x2a,0xbe,0x04,0xc3,0xaa,0x44,0x13,0x26,0x49,0x86,0x06,0x99,
    0x9c,0x42,0x50,0xf4,0x91,0xef,0x98,0x7a,0x33,0x54,0x0b,0x43,0xed,0xcf,0xac,0x62,
    0xe4,0xb3,0x1c,0xa9,0xc9,0x08,0xe8,0x95,0x80,0xdf,0x94,0xfa,0x75,0x8f,0x3f,0xa6,
    0x47,0x07,0xa7,0xfc,0xf3,0x73,0x17,0xba,0x83,0x59,0x3c,0x19,0xe6,0x85,0x4f,0xa8,
    0x68,0x6b,0x81,0xb2,0x71,0x64,0xda,0x8b,0xf8,0xeb,0x0f,0x4b,0x70,0x56,0x9d,0x35,
    0x1e,0x24,0x0e,0x5e,0x63,0x58,0xd1,0xa2,0x25,0x22,0x7c,0x3b,0x01,0x21,0x78,0x87,
    0xd4,0x00,0x46,0x57,0x9f,0xd3,0x27,0x52,0x4c,0x36,0x02,0xe7,0xa0,0xc4,0xc8,0x9e,
    0xea,0xbf,0x8a,0xd2,0x40,0xc7,0x38,0xb5,0xa3,0xf7,0xf2,0xce,0xf9,0x61,0x15,0xa1,
    0xe0,0xae,0x5d,0xa4,0x9b,0x34,0x1a,0x55,0xad,0x93,0x32,0x30,0xf5,0x8c,0xb1,0xe3,
    0x1d,0xf6,0xe2,0x2e,0x82,0x66,0xca,0x60,0xc0,0x29,0x23,0xab,0x0d,0x53,0x4e,0x6f,
    0xd5,0xdb,0x37,0x45,0xde,0xfd,0x8e,0x2f,0x03,0xff,0x6a,0x72,0x6d,0x6c,0x5b,0x51,
    0x8d,0x1b,0xaf,0x92,0xbb,0xdd,0xbc,0x7f,0x11,0xd9,0x5c,0x41,0x1f,0x10,0x5a,0xd8,
    0x0a,0xc1,0x31,0x88,0xa5,0xcd,0x7b,0xbd,0x2d,0x74,0xd0,0x12,0xb8,0xe5,0xb4,0xb0,
    0x89,0x69,0x97,0x4a,0x0c,0x96,0x77,0x7e,0x65,0xb9,0xf1,0x09,0xc5,0x6e,0xc6,0x84,
    0x18,0xf0,0x7d,0xec,0x3a,0xdc,0x4d,0x20,0x79,0xee,0x5f,0x3e,0xd7,0xcb,0x39,0x48,
]

FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc]
CK = [
    0x00070e15,0x1c232a31,0x383f464d,0x545b6269,
    0x70777e85,0x8c939aa1,0xa8afb6bd,0xc4cbd2d9,
    0xe0e7eef5,0xfc030a11,0x181f262d,0x343b4249,
    0x50575e65,0x6c737a81,0x888f969d,0xa4abb2b9,
    0xc0c7ced5,0xdce3eaf1,0xf8ff060d,0x141b2229,
    0x30373e45,0x4c535a61,0x686f767d,0x848b9299,
    0xa0a7aeb5,0xbcc3cad1,0xd8dfe6ed,0xf4fb0209,
    0x10171e25,0x2c333a41,0x484f565d,0x646b7279,
]

def rotl32(x, r): return ((x << r) | (x >> (32 - r))) & 0xffffffff

def tau(x):
    b0 = SBOX[(x >> 24) & 0xff]
    b1 = SBOX[(x >> 16) & 0xff]
    b2 = SBOX[(x >>  8) & 0xff]
    b3 = SBOX[(x >>  0) & 0xff]
    return ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3) & 0xffffffff

def L(x):   return x ^ rotl32(x,2) ^ rotl32(x,10) ^ rotl32(x,18) ^ rotl32(x,24)
def Lp(x):  return x ^ rotl32(x,13) ^ rotl32(x,23)   # L'

def T(x):   return L(tau(x))
def Tp(x):  return Lp(tau(x))                        # T'

def bytes_to_u32_be(b, i): return int.from_bytes(b[i:i+4], 'big')
def u32_to_bytes_be(x):    return x.to_bytes(4, 'big')

def key_schedule(key16: bytes):
    MK0, MK1, MK2, MK3 = [bytes_to_u32_be(key16, i) for i in (0,4,8,12)]
    K0, K1, K2, K3 = MK0 ^ FK[0], MK1 ^ FK[1], MK2 ^ FK[2], MK3 ^ FK[3]
    K = [K0, K1, K2, K3]
    rk = []
    for i in range(32):
        Ki4 = K[i] ^ Tp(K[i+1] ^ K[i+2] ^ K[i+3] ^ CK[i])
        K.append(Ki4)
        rk.append(Ki4)
    return rk

def sm4_encrypt_block(plain16: bytes, key16: bytes) -> bytes:
    rk = key_schedule(key16)
    X = [bytes_to_u32_be(plain16, i) for i in (0,4,8,12)]
    # expand to X0..X35
    for i in range(32):
        Xi4 = X[i] ^ T(X[i+1] ^ X[i+2] ^ X[i+3] ^ rk[i])
        X.append(Xi4)
    # output is X35,X34,X33,X32
    out = b''.join(u32_to_bytes_be(X[35 - i]) for i in range(4))
    return out

def sm4_decrypt_block(cipher16: bytes, key16: bytes) -> bytes:
    rk = key_schedule(key16)[::-1]  # reverse order
    X = [bytes_to_u32_be(cipher16, i) for i in (0,4,8,12)]
    for i in range(32):
        Xi4 = X[i] ^ T(X[i+1] ^ X[i+2] ^ X[i+3] ^ rk[i])
        X.append(Xi4)
    out = b''.join(u32_to_bytes_be(X[35 - i]) for i in range(4))
    return out

# --- self-test (KAT) ---
if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")
    pt  = bytes.fromhex("0123456789abcdeffedcba9876543210")
    ct_expect = bytes.fromhex("681edf34d206965e86b3e94f536e4246")
    ct = sm4_encrypt_block(pt, key)
    assert ct == ct_expect, (ct.hex(), ct_expect.hex())
    assert sm4_decrypt_block(ct, key) == pt
    print("SM4 KAT ok:", ct.hex())

细节说明

每一轮先用 S 盒提供非线性（混淆），再用多次循环左移 + 异或提供线性扩散（扩散）。
轮函数 $T$ 分为两步 $\tau$ （S 盒）+ $L$ （扩散）。
- $\tau$ ：逐字节过 S 盒（对 32 位字 $x=b_0\|b_1\|b_2\|b_3$ ，把每个字节丢进 8→8 的 S 盒得到 $\tau(x)$ ）。
- $L$ ：把一个 32 位字做若干循环左移后异或： $L(y) = y \oplus (y\lll2) \oplus (y\lll10) \oplus (y\lll18) \oplus (y\lll24).$
一轮流程重述：
- step1: $s = X[i+1] \oplus X[i+2] \oplus X[i+3] \oplus rk[i]$
- step2: $t = T(s)$ （即先 $\tau$ 再 $L$ ）
- step3: $X[i+4] = X[i] \oplus t$
  32 轮后输出按反序拼接为 $C = X[35]\|X[34]\|X[33]\|X[32]$ 。
轮密钥来源：主密钥按大端拆成 MK0..MK3，与 FK[0..3] 异或得到 K0..K3，随后迭代生成 K4..K35（每步用 $T'$ 与 CK[i]），并把 $K_{i+4}$ 作为 $rk[i]$ 。

设计目的与安全考量

S-盒（ $\tau$ ）：提供非线性，阻断简单线性/差分传播。
$L$ 与 $L'$ （多次循环左移 + 异或）：提供快速扩散，字内和字间影响传播。
Feistel 架构：保证可逆性并允许复杂轮函数。
CK / FK：破坏对称性，降低相关密钥攻击风险。
32 轮：通过多轮累积将局部非线性与简单扩散叠加为全局混合。