SM3密码杂凑算法

摘要/Abstract

摘要： 密码杂凑算法是3类基础密码算法之一，它可以将任意长度的消息压缩成固定长度的摘要，主要用于数字签名和数据完整性保护等.SM3密码杂凑算法的消息分组长度为512b，输出摘要长度为256b.该算法于2012年发布为密码行业标准(GMT 0004—2012)，2016年发布为国家密码杂凑算法标准(GBT 32905—2016).总结了SM3密码杂凑算法的设计原理、算法特点、软硬件实现和安全性分析，同时将SM3密码杂凑算法和国际通用杂凑算法在实现效率和安全性方面进行比较.

关键词: SM3算法, 密码杂凑算法, 碰撞攻击, 原像攻击, 区分攻击

Abstract: The cryptographic hash functions play an important role in modern cryptography. They are used to compress messages of arbitrary length to fixed length hash values. The most common cryptographic applications of hash functions are with digital signature and for data integrity. SM3 cryptographic hash algorithm is issued as the industry standard in 2012. In 2016, it was published as national standard. It takes a 512bit message as input and outputs a 256bit hash value. This paper summarizes the design, properties, software and hardware implementations and cryptanalysis of SM3 cryptographic hash algorithm. Furthermore, we compare SM3 with other hash standards.

Key words: SM3 algorithm, cryptographic hash function, collision attack, preimage attack, distinguishing attack

王小云. SM3密码杂凑算法[J]. 信息安全研究, 2016, 2(11): 983-994.

参考文献

［1］Kelsey J, Schneier B. Second preimages on nbit hash functions for much less than 2n work［G］ LNCS 3494: Proc of the 24th Annual Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2005: 474490［2］Kelsey J, Kohno T. Herding hash functions and the nostradamus attack［G］ LNCS 4004: Proc of the 24th Annual Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2006: 183200［3］Wang X, Feng D, Lai X, et al. Collisions for hash functions MD4, MD5, HAVAL128 and RIPEMD［OL］. 2004 ［20161007］. https:eprint.iacr.org2004199.pdf［4］Wang X, Yin Y L, Yu H. Finding collisions in the full SHA1［G］ LNCS 3621: Proc of the 25th Annual Int Cryptology Conf. Berlin: Springer, 2005: 1736［5］Wang X, Yu H. How to break MD5 and other hash functions［G］ LNCS 3494: Proc of the 24th Annual Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2005: 1935［6］National Institute of Standards and Technology. SHA3 competition［EBOL］. (20050415) ［20161007］. http:csrc.nist.govgroupsSThashdocumentsFR_Notice_Nov07.pdf［7］国家密码管理局. GMT 0004—2012 信息安全技术 SM3密码杂凑算法［SOL］. 2012 ［20161007］. http:www.oscca.gov.cnUpFile20101222141857786.pdf［8］国家标准化委员会. GBT32905—2016 信息安全技术SM3密码杂凑算法［SOL］2016 ［20161007］. http:www.soc.gov.cngzfwggcxgjbzgg201614［9］Miyano H. Addend dependency of differentiallinear probability of addition［J］. IEICE Trans on Fundamentals of Electronics, Communications and Computer Sciences, 1998, E81A(1): 106109［10］Ao T, He Z, Dai K, et al. A compact hardware implementation of SM3［C］ Proc of 2014 IEEE Int Conf on Consumer ElectronicsChina. Piscataway, NJ: IEEE, 2014: 14［11］Satoh A. ASIC hardware implementations for 512bit hash function whirlpool［C］ Proc of 2008 IEEE Int Symp on Circuits and Systems. Piscataway, NJ: IEEE, 2008: 29172920［12］Tillich S, Feldhofer M, Kirschbaum M, et al. Highspeed hardware implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grstl, Hamsi, JH, KECCAK, Luffa, Shabal, SHAvite3, SIMD, and Skein［OL］. 2009 ［20161007］. http:eprint.iacr.org2009510［13］Ma Y, Xia L, Lin J, et al. Hardware performance optimization and evaluation of SM3 hash algorithm on FPGA［G］ LNCS 7618: Proc of the 14th Int Conf on Information and Communications Security. Berlin: Springer, 2012: 105118［14］HELION: Fast SHA256 core for xilinx FPGA［OL］. 2011 ［20161007］. http:www.helion.com［15］Homsirikamol E, Rogawski M, Gaj K. Comparing hardware performance of round 3 SHA3 candidates using multiple hardware architectures in Xilinx and Altera FPGAs［C］ Proc of the ECRYPT II Hash. Tallinn, Estonia, 2011: 1934［16］Cannière C D, Rechberger C. Finding SHA1 characteristics: General results and applications［G］ LNCS 4284: Proc of the 12th Int Conf on the Theory and Application of Cryptology and Information Security. Berlin: Springer, 2006: 120［17］Mendel F, Nad T, Schlffer M. Finding SHA2 characteristics: Searching through a minefield of contradictions［G］ LNCS 7073: Proc of the 17th Int Conf on the Theory and Application of Cryptology and Information Security. Berlin: Springer,2011: 288307［18］Mendel F, Nad T, Schlffer M. Finding collisions for roundreduced SM3［G］ LNCS 7779: Proc of the Cryptographers Track at the RSA Conf 2013. Berlin: Springer, 2013: 174188［19］Aoki K, Sasaki Y. Preimage attacks on oneblock MD4, 63step MD5 and more［G］ LNCS 5381: Proc of the 15th Int Workshop on Selected Areas in Cryptography. Berlin: Springer, 2008: 103119［20］Diffie W, Hellman M E. Special feature exhaustive cryptanalysis of the NBS data encryption standard［J］. Computer, 1977, 10(6): 7484［21］Knellwolf S, Khovratovich D. New preimage attacks against reduced SHA1［G］ LNCS 7417: Proc of the 32nd Annual Cryptology Conf. Berlin: Springer, 2012: 367383［22］Menezes A J, van Oorschot P C, Vanstone S A. Handbook of Applied Cryptography［M］. Boca Raton: CRC Press, 1996［23］Khovratovich D, Rechberger C, Savelieva A. Bicliques for preimages: Attacks on Skein512 and the SHA2 family［G］ LNCS 7549: Proc of the 19th Int Workshop on Fast Software Encryption. Berlin: Springer, 2012: 244263［24］Zou J, Wu W, Wu S, et al. Preimage attacks on stepreduced SM3 hash function［G］ LNCS 7259: Proc of the 14th Int Conf on Information Security and Cryptology. Berlin: Springer, 2011: 375390［25］Wang G, Shen Y. Preimage and pseudocollision attacks on stepreduced SM3 hash function［J］. Information Processing Letters, 2013, 113(8): 301306［26］Kircanski A, Shen Y, Wang G, et al. Boomerang and sliderotational analysis of the SM3 hash function［G］ LNCS 7707: Proc of the 19th Int Conf on Selected Areas in Cryptography. Berlin: Springer, 2012: 304320［27］Bai D, Yu H, Wang G, et al. Improved boomerang attacks on roundreduced SM3 and keyed permutation of BLAKE256［J］. IET Information Security, 2015, 9(3): 167178［28］Wang X, Yao A C, Yao F. Cryptanalysis on SHA1［OL］. 2005 ［20161007］. http:csrc.nist.govgroupsSThashdocumentsWang_SHA1NewResult.pdf［29］Stevens M. New collision attacks on SHA1 based on optimal joint localcollision analysis［G］ LNCS 7881: Proc of the 32nd Annual Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2013: 245261［30］Espitau T, Fouque PA, Karpman P. Higherorder differential meetinthemiddle preimage attacks on SHA1 and BLAKE［G］ LNCS 9215: Proc of the 35th Annual Cryptology Conf. Berlin: Springer, 2015: 683701［31］Wang G. Practical collision attack on 40step RIPEMD128［G］ LNCS 8366: Proc of the Cryptographers Track at the RSA Conf 2014. Berlin: Springer, 2014: 444460［32］Wang L, Sasaki Y, Komatsubara W, et al. Preimage attacks on stepreduced RIPEMDRIPEMD128 with a new localcollision approach［G］ LNCS 6558: Proc of the Cryptographers Track at the RSA Conf 2011. Berlin: Springer, 2011: 197212［33］Landelle F, Peyrin T. Cryptanalysis of full RIPEMD128［G］ LNCS 7881: Proc of the 32nd Annual Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2013: 228244［34］Wang G, Shen Y. (Pseudo) Preimage attacks on stepreduced HAS160 and RIPEMD160［G］ LNCS 8783: Proc of the 17th Int Conf on Information Security. Berlin: Springer, 2014: 90103［35］Sasaki Y, Wang L. Distinguishers beyond three rounds of the RIPEMD128160 compression functions［G］ LNCS 7341: Proc of the 10th Int Conf on Applied Cryptography and Network Security. Berlin: Springer, 2012: 275292［36］Mendel F, Nad T, Schlffer M. Improving local collisions: New attacks on reduced SHA256［G］ LNCS 7881: Proc of the 32nd Annual Int Conf on the Theory and Applications of Cryptographic Techniques. Berlin: Springer, 2013: 262278［37］Biryukov A, Lamberger M, Mendel F, et al. Secondorder differential collisions for reduced SHA256［G］ LNCS 7073: Proc of the 17th Annual Int Conf on the Theory and Application of Cryptology and Information Security. Berlin: Springer, 2011: 270287［38］Sasaki Y, Wang L, Wu S, et al. Investigating fundamental security requirements on Whirlpool: improved preimage and collision attacks［G］ LNCS 7658: Proc of the 18th Int Conf on the Theory and Application of Cryptology and Information Security. Berlin: Springer, 2012: 562579［39］Lamberger M, Mendel F, Rechberger C, et al. The rebound attack and subspace distinguishers: Application to Whirlpool［OL］. 2010 ［20161007］. http:eprint.iacr.org2010198.pdf［40］Ma B, Li B, Hao R, et al. Improved cryptanalysis on reducedround GOST and Whirlpool hash function［G］ LNCS 8479: Proc of the 12th Int Conf on Applied Cryptography and Network Security. Berlin: Springer, 2014: 289307［41］AlTawy R, Youssef A M. Preimage attacks on reducedround Stribog［G］ LNCS 8469: Proc of the 7th Int Conf on Cryptology in Africa. Berlin: Springer, 2014: 10912［42］Dinur I, Dunkelman O, Shamir A. Collision attacks on up to 5 rounds of SHA3 using generalized internal differentials［G］ LNCS 8424: Proc of the 20th International Workshop on Fast Software Encryption. Berlin: Springer, 2013: 219240［43］Homsirikamol E, Morawiecki P, Rogawski M, et al. Security margin evaluation of SHA3 contest finalists through SATbased attacks［G］ LNCS 7564: Proc of the 11th IFIP TC 8 Int Conf on Computer Information Systems and Industrial Management. Berlin: Springer, 2012: 5667［44］Duan M, Lai X. Improved zerosum distinguisher for full round Keccakf permutation［J］. Chinese Science Bulletin, 2012, 57(6): 694697

[1]	刘磊. 基于可信计算技术的密码服务平台[J]. 信息安全研究, 2017, 3(4): 305-309.
[2]	王小云1,2 于红波3. 密码杂凑算法综述[J]. 信息安全研究, 2015, 1(1): 19-30.