# SM4 研究与实现

## SM4

SM4 分组对称加密算法，分组长度128位， 密钥长度128位； 实现参考论文，讲解的非常详细；以下列举几个易错点

• 基于密钥扩展轮密钥，在传入密钥时就可以确定
• 解密和加密都是一样流程，区别在于密钥；解密轮密钥是加密轮密钥的逆序
• <

<

<

符号的含义

<<< 符号的含义

，该符号表示32位循环左移; 代码表示如下

func rol32(x uint32, n int) uint32 {
return (x << n) | ((x & 0xffffffff) >> (32 - n))
}


## 实现

SM4和AES很类似，保持在golang语言实现的统一性； 可参考golang aes 实现结构和逻辑; https://github.com/golang/go/blob/go1.17.13/src/crypto/aes/cipher.go#L32

### 目录结构

cryptox/sm4/
|-------const.go                     常量定义和常量公式定义
|-------sm4.go                       SM4实现源文件
|-------sm4_test.go               SM4单元测试
|-------block.go                      SM4数字签名生成逻辑


### 代码实现

#### const.go

 package sm4

// GB/T 32907-2016
// http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=7803DE42D3BC5E80B0C3E5D8E873D56A

const BlockSize = 16

// GB/T 32907-2016 SBox
var sbox = [256]byte{
0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05,
0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62,
0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6,
0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8,
0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35,
0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87,
0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e,
0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1,
0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3,
0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f,
0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51,
0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8,
0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0,
0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84,
0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48,
}

var (
fk0 = uint32(0xa3b1bac6)
fk1 = uint32(0x56aa3350)
fk2 = uint32(0x677d9197)
fk3 = uint32(0xb27022dc)
)

var ck = [32]uint32{
0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,
0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,
0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,
0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279,
}

func delta(a uint32) uint32 {
a = (uint32(sbox[byte(a>>24)]) << 24) | (a & 0x00ffffff)
a = (uint32(sbox[byte(a>>16)]) << 16) | (a & 0xff00ffff)
a = (uint32(sbox[byte(a>>8)]) << 8) | (a & 0xffff00ff)
a = (uint32(sbox[byte(a)])) | (a & 0xffffff00)
return a
}

func rol32(x uint32, n int) uint32 {
return (x << n) | ((x & 0xffffffff) >> (32 - n))
}

func L1(a uint32) uint32 {
return a ^ rol32(a, 2) ^ rol32(a, 10) ^ rol32(a, 18) ^ rol32(a, 24)
}

func L2(a uint32) uint32 {
return a ^ rol32(a, 13) ^ rol32(a, 23)
}

func T1(a uint32) uint32 {
return L1(delta(a))
}

func T2(a uint32) uint32 {
return L2(delta(a))
}

func F(a, b, c, d, k uint32) uint32 {
return a ^ T1(b^c^d^k)
}


#### block.go

package sm4

import (
"encoding/binary"
"unsafe"
)

// GB/T 32907-2016
// http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=7803DE42D3BC5E80B0C3E5D8E873D56A
func encryptBlockGo(xk []uint32, dst, src []byte) {
_ = src[15] // early bounds check
s0 := binary.BigEndian.Uint32(src[0:4])
s1 := binary.BigEndian.Uint32(src[4:8])
s2 := binary.BigEndian.Uint32(src[8:12])
s3 := binary.BigEndian.Uint32(src[12:16])

for i := 0; i < 32; i++ {

si := F(s0, s1, s2, s3, xk[i])

s0 = s1
s1 = s2
s2 = s3
s3 = si
}

_ = dst[15] // early bounds check
binary.BigEndian.PutUint32(dst[0:4], s3)
binary.BigEndian.PutUint32(dst[4:8], s2)
binary.BigEndian.PutUint32(dst[8:12], s1)
binary.BigEndian.PutUint32(dst[12:16], s0)
}

func expandEncKeyGo(key []byte) []uint32 {
_ = key[15] // early bounds check
s0 := binary.BigEndian.Uint32(key[0:4])
s1 := binary.BigEndian.Uint32(key[4:8])
s2 := binary.BigEndian.Uint32(key[8:12])
s3 := binary.BigEndian.Uint32(key[12:16])

k0 := s0 ^ fk0
k1 := s1 ^ fk1
k2 := s2 ^ fk2
k3 := s3 ^ fk3

rk := make([]uint32, 32)

for i := 0; i < 32; i++ {
x := k0 ^ T2(k1^k2^k3^ck[i])

k0 = k1
k1 = k2
k2 = k3
k3 = x

rk[i] = x
}
return rk
}

func expandDecKeyGo(key []byte) []uint32 {
_ = key[15] // early bounds check
s0 := binary.BigEndian.Uint32(key[0:4])
s1 := binary.BigEndian.Uint32(key[4:8])
s2 := binary.BigEndian.Uint32(key[8:12])
s3 := binary.BigEndian.Uint32(key[12:16])

k0 := s0 ^ fk0
k1 := s1 ^ fk1
k2 := s2 ^ fk2
k3 := s3 ^ fk3

rk := make([]uint32, 32)

for i := 0; i < 32; i++ {
x := k0 ^ T2(k1^k2^k3^ck[i])

k0 = k1
k1 = k2
k2 = k3
k3 = x

rk[31-i] = x
}

return rk
}

// copy from https://github.com/golang/go/blob/15da892a4950a4caac987ee72c632436329f62d5/src/crypto/internal/subtle/aliasing.go#L30
func inexactOverlap(x, y []byte) bool {
if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
return false
}
return anyOverlap(x, y)
}

func anyOverlap(x, y []byte) bool {
return len(x) > 0 && len(y) > 0 &&
uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
}


#### sm4.go

package sm4

import (
"crypto/cipher"
"strconv"
)

type sm4 struct {
enc []uint32
dec []uint32
}

type KeySizeError int

func (k KeySizeError) Error() string {
return "cryptox/sm4: invalid key size " + strconv.Itoa(int(k))
}

//GB/T 32907-2016; SM4-128
func NewCipher(key []byte) (cipher.Block, error) {
k := len(key)
switch k {
default:
return nil, KeySizeError(k)
case 16:
break
}
return newCipher(key)
}

func newCipher(key []byte) (cipher.Block, error) {
c := sm4{}
c.enc = expandEncKeyGo(key)
c.dec = expandDecKeyGo(key)
return &c, nil
}

func (c *sm4) BlockSize() int { return BlockSize }

func (c *sm4) Encrypt(dst, src []byte) {
if len(src) < BlockSize {
panic("crypto/sm4: input not full block")
}
if len(dst) < BlockSize {
panic("crypto/sm4: output not full block")
}
if inexactOverlap(dst[:BlockSize], src[:BlockSize]) {
panic("crypto/sm4: invalid buffer overlap")
}
encryptBlockGo(c.enc, dst, src)
}

func (c *sm4) Decrypt(dst, src []byte) {
if len(src) < BlockSize {
panic("crypto/sm4: input not full block")
}
if len(dst) < BlockSize {
panic("crypto/sm4: output not full block")
}
if inexactOverlap(dst[:BlockSize], src[:BlockSize]) {
panic("crypto/sm4: invalid buffer overlap")
}
encryptBlockGo(c.dec, dst, src)
}


### 遗留问题

SM4 是128位加密算法，但是对于加密很多数据时，需要填充数据，使其长度是128位的整数倍； 常见的填充方式；

AES五种加密模式（CBC、ECB、CTR、OCF、CFB），那么SM4 也应该有该五种加密模式；

• 电码本模式（Electronic Codebook Book (ECB)）
• 密码分组链接模式（Cipher Block Chaining (CBC)）
• 计算器模式（Counter (CTR)）；
• 密码反馈模式（Cipher FeedBack (CFB)）
• 输出反馈模式（Output FeedBack (OFB)）

THE END