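Article summary: This article works through the complete computation of the Chinese national SM4 block cipher according to the national standard GB/T 32907-2016, analysing its two core stages, key expansion and encryption. It defines the algorithm's basic parameters and notation, then uses a concrete example to show how the 32 round keys are derived from the initial key and how the plaintext is encrypted through the round iterations. The treatment is rigorous yet accessible, making it a practical guide to how SM4 works.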
[Commercial Cryptography Assessment] SM4 Block Cipher Algorithm: Complete Computation Process
利刃信安
2026-03-21 12:11, Beijing
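Reference standard: GB/T 32907-2016, "Information security technology: SM4 block cipher algorithm"
Verification status: ✅ all checks passed
1. Algorithm overview
1.1 Definition in the standard
According to the national standard GB/T 32907-2016:
The SM4 cipher is a block cipher. Its block length is 128 bits and its key length is 128 bits. Both the encryption algorithm and the key expansion algorithm use a non-linear iterative structure with 32 rounds. Decryption has the same structure as encryption; only the order in which the round keys are used is reversed, that is, the decryption round keys are the encryption round keys in reverse order.
1.2 Basic parameters
| Parameter | Value | Description |
| --- | --- | --- |
| Block length | 128 bits (16 bytes) | Size of the data block processed per encryption |
| Key length | 128 bits (16 bytes) | Length of the encryption key |
| Rounds | 32 | Number of encryption iterations |
| Word size | 32 bits | Basic unit of computation in the algorithm |
1.3 Notation (Chapter 3 of the standard)
| Symbol | Meaning |
| --- | --- |
| ⊕ | 32-bit XOR |
| <<<i | 32-bit cyclic left shift by i bits |
| Z₂ⁿ | Set of binary sequences of bit length n |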
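2. SM4 key expansion algorithm in detail
2.1 Input key (lines 5-10)
Original text:
[Input key]
MK = (MK0, MK1, MK2, MK3)
MK0 = 0x5C62DA45
MK1 = 0xB0B2ACF9
MK2 = 0xF3DA5DB9
MK3 = 0x3D18CAFD
Standard reference: According to Chapter 5 of the standard, the key is 128 bits long and is written MK=(MK0,MK1,MK2,MK3), where each MKi (i=0,1,2,3) is a word.
Analysis:
- The input key consists of four 32-bit words, 128 bits in total
- Each MKi is an independent 32-bit word
- Full key in hexadecimal: 5C62DA45B0B2ACF9F3DA5DB93D18CAFD
Verification result: ✅ format correct, consistent with the standard's definition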
2.2 Step 1: compute the initial key K (lines 12-14)
Original text:
Step 1: compute the initial key K
Standard reference: formula (6) of the standard
(K0,K1,K2,K3) = (MK0⊕FK0, MK1⊕FK1, MK2⊕FK2, MK3⊕FK3)
System parameter FK (standard, section 7.3):
| Component | Value |
| --- | --- |
| FK₀ | 0xA3B1BAC6 |
| FK₁ | 0x56AA3350 |
| FK₂ | 0x677D9197 |
| FK₃ | 0xB27022DC |
Computation:
K₀ = MK₀ ⊕ FK₀ = 0x5C62DA45 ⊕ 0xA3B1BAC6 = 0xFFD36083
K₁ = MK₁ ⊕ FK₁ = 0xB0B2ACF9 ⊕ 0x56AA3350 = 0xE6189FA9
K₂ = MK₂ ⊕ FK₂ = 0xF3DA5DB9 ⊕ 0x677D9197 = 0x94A7CC2E
K₃ = MK₃ ⊕ FK₃ = 0x3D18CAFD ⊕ 0xB27022DC = 0x8F68E821
Verification result: ✅ computation correct
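2.3 Step 2: compute the 32 round keys (lines 16-33)
Original text:
Step 2: compute the 32 round keys rk[0] ~ rk[31]
Formula: rk[i] = K[i] ⊕ T'(K[i+1] ⊕ K[i+2] ⊕ K[i+3] ⊕ CK[i])
Standard reference: formula (7) of the standard
rk_i = K_{i+4} = K_i ⊕ T'(K_{i+1} ⊕ K_{i+2} ⊕ K_{i+3} ⊕ CK_i), i=0,1,...,31
Definition of the composite permutation T' (standard, section 7.3):
T' is the composite permutation T with its linear transform L replaced by L':
T'(A) = L'(τ(A))
Linear transform L' (formula (8) of the standard):
L'(B) = B ⊕ (B <<< 13) ⊕ (B <<< 23)
Fixed parameter CK (standard, section 7.3):
Let ck_{i,j} be the j-th byte of CK_i (i=0,1,…,31; j=0,1,2,3); then:
ck_{i,j} = (4i+j)×7 (mod 256)
Full list of CK values: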
CK[0] = 00070E15 CK[8] = E0E7EEF5 CK[16] = C0C7CED5 CK[24] = A0A7AEB5
CK[1] = 1C232A31 CK[9] = FC030A11 CK[17] = DCE3EAF1 CK[25] = BCC3CAD1
CK[2] = 383F464D CK[10] = 181F262D CK[18] = F8FF060D CK[26] = D8DFE6ED
CK[3] = 545B6269 CK[11] = 343B4249 CK[19] = 141B2229 CK[27] = F4FB0209
CK[4] = 70777E85 CK[12] = 50575E65 CK[20] = 30373E45 CK[28] = 10171E25
CK[5] = 8C939AA1 CK[13] = 6C737A81 CK[21] = 4C535A61 CK[29] = 2C333A41
CK[6] = A8AFB6BD CK[14] = 888F969D CK[22] = 686F767D CK[30] = 484F565D
CK[7] = C4CBD2D9 CK[15] = A4ABB2B9 CK[23] = 848B9299 CK[31] = 646B7279
Round key computation example (round 1):
rk[0] = K₀ ⊕ T'(K₁ ⊕ K₂ ⊕ K₃ ⊕ CK[0])
Step 1: K₁ ⊕ K₂ ⊕ K₃ ⊕ CK[0]
= 0xE6189FA9 ⊕ 0x94A7CC2E ⊕ 0x8F68E821 ⊕ 0x00070E15
= 0xFDD0B5B3
Step 2: τ(0xFDD0B5B3) - S-box substitution
Input bytes: 0xFD, 0xD0, 0xB5, 0xB3
S-box output: 0xCB, 0x0A, 0xFD, 0x45
τ output: 0xCB0AFD45
Step 3: L'(0xCB0AFD45)
= 0xCB0AFD45 ⊕ (0xCB0AFD45 <<< 13) ⊕ (0xCB0AFD45 <<< 23)
= 0xCB0AFD45 ⊕ 0x5FA8B961 ⊕ 0xA2E5857E
= 0x3647C15A
Step 4: rk[0] = K₀ ⊕ 0x3647C15A
= 0xFFD36083 ⊕ 0x3647C15A
= 0xC994A1D9
Round key summary table (lines 25-33):
| Index | Round key | Index | Round key | Index | Round key | Index | Round key |
| --- | --- | --- | --- | --- | --- | --- | --- |
| rk[0] | C994A1D9 | rk[1] | 8E961DA9 | rk[2] | 3B064726 | rk[3] | DD302728 |
| rk[4] | F4B61421 | rk[5] | EDFAD6F1 | rk[6] | 1540513D | rk[7] | C83EBD4D |
| rk[8] | E5DE7FA7 | rk[9] | 5AFE4561 | rk[10] | E94A3F7E | rk[11] | C90C33AD |
| rk[12] | A8A8DF0B | rk[13] | 26C94B0F | rk[14] | 2348FC7C | rk[15] | 285ED00F |
| rk[16] | 17908EE3 | rk[17] | 29B3F5C1 | rk[18] | 61D27218 | rk[19] | A2CDA8E6 |
| rk[20] | 4A28ABD4 | rk[21] | 105D3CD5 | rk[22] | B3392991 | rk[23] | A5143E89 |
| rk[24] | 9E19AB2C | rk[25] | 16EB5274 | rk[26] | BD46BFDE | rk[27] | 70453A24 |
| rk[28] | 11C4BEC2 | rk[29] | 47DB1C0D | rk[30] | 4995756A | rk[31] | E788F4C2 |
Verification result: ✅ all 32 round keys verified
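3. SM4 encryption algorithm in detail
3.1 Input plaintext block (lines 38-44)
Original text:
[Input plaintext block]
X = (X0, X1, X2, X3)
X0 = 0xE588A9E5
X1 = 0x8883E4BF
X2 = 0xA1E5AE89
X3 = 0x00000000
Standard reference: section 7.1 of the standard; the plaintext input is (X0,X1,X2,X3)∈(Z₂³²)⁴
Plaintext breakdown:
- Original plaintext: 利刃信安 (UTF-8 encoded, 12 bytes)
- UTF-8 encoding: E5 88 A9 E5 88 83 E4 BF A1 E5 AE 89
- Padding: zero padding (4 bytes of 0x00)
- After padding: E588A9E58883E4BFA1E5AE8900000000
Verification result: ✅ plaintext encoding correct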
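3.2 Round function F (Chapter 6 of the standard)
Definition in the standard (formula (1)):
F(X0, X1, X2, X3, rk) = X0 ⊕ T(X1 ⊕ X2 ⊕ X3 ⊕ rk)
Composite permutation T (standard, section 6.2):
T is composed of the non-linear transform τ and the linear transform L: T(.) = L(τ(.))
3.2.1 Non-linear transform τ
Definition in the standard (formula (2)):
(b0, b1, b2, b3) = τ(A) = (Sbox(a0), Sbox(a1), Sbox(a2), Sbox(a3))
where the input is A=(a0,a1,a2,a3)∈(Z₂⁸)⁴ and the output is B=(b0,b1,b2,b3)∈(Z₂⁸)⁴
S-box data (Table 1 of the standard):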
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 D6 90 E9 FE CC E1 3D B7 16 B6 14 C2 28 FB 2C 05
1 2B 67 9A 76 2A BE 04 C3 AA 44 13 26 49 86 06 99
2 9C 42 50 F4 91 EF 98 7A 33 54 0B 43 ED CF AC 62
3 E4 B3 1C A9 C9 08 E8 95 80 DF 94 FA 75 8F 3F A6
4 47 07 A7 FC F3 73 17 BA 83 59 3C 19 E6 85 4F A8
5 68 6B 81 B2 71 64 DA 8B F8 EB 0F 4B 70 56 9D 35
6 1E 24 0E 5E 63 58 D1 A2 25 22 7C 3B 01 21 78 87
7 D4 00 46 57 9F D3 27 52 4C 36 02 E7 A0 C4 C8 9E
8 EA BF 8A D2 40 C7 38 B5 A3 F7 F2 CE F9 61 15 A1
9 E0 AE 5D A4 9B 34 1A 55 AD 93 32 30 F5 8C B1 E3
A 1D F6 E2 2E 82 66 CA 60 C0 29 23 AB 0D 53 4E 6F
B D5 DB 37 45 DE FD 8E 2F 03 FF 6A 72 6D 6C 5B 51
C 8D 1B AF 92 BB DD BC 7F 11 D9 5C 41 1F 10 5A D8
D 0A C1 31 88 A5 CD 7B BD 2D 74 D0 12 B8 E5 B4 B0
E 89 69 97 4A 0C 96 77 7E 65 B9 F1 09 C5 6E C6 84
F 18 F0 7D EC 3A DC 4D 20 79 EE 5F 3E D7 CB 39 48
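Example: for input 'EF', the S-box output is the value at row E, column F of the table: Sbox(EF)=84
3.2.2 Linear transform L
Definition in the standard (formula (3)):
C = L(B) = B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
3.3 32-round iterative encryption (lines 46-53)
Original text:
32-round iterative encryption
Formula: X[i+4] = X[i] ⊕ T(X[i+1] ⊕ X[i+2] ⊕ X[i+3] ⊕ rk[i])
Round 7 complete: X[11] = 0x0EE01CB1
Round 15 complete: X[19] = 0xBE8BD948
Round 23 complete: X[27] = 0xD5A9247E
Round 31 complete: X[35] = 0xE76B9AA7
Standard reference: formula (4) of the standard
X_{i+4} = F(X_i, X_{i+1}, X_{i+2}, X_{i+3}, rk_i), i=0,1,...,31
3.3.1 Detailed computation of all 32 rounds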
Round 0 (i=0)
Input state:
X[0] = 0xE588A9E5
X[1] = 0x8883E4BF
X[2] = 0xA1E5AE89
X[3] = 0x00000000
Round key: rk[0] = 0xC994A1D9
Computation steps:
Step 1: X[1] ⊕ X[2] ⊕ X[3] ⊕ rk[0]
= 0x8883E4BF ⊕ 0xA1E5AE89 ⊕ 0x00000000 ⊕ 0xC994A1D9
= 0xE0F2EBEF
Step 2: τ(0xE0F2EBEF) - S-box substitution
Input bytes: 0xE0, 0xF2, 0xEB, 0xEF
S-box output: 0x89, 0x7D, 0x09, 0x84
τ output: 0x897D0984
Step 3: L(0x897D0984) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x897D0984 ⊕ 0x25F42612 ⊕ 0xF4261225 ⊕ 0x261225F4 ⊕ 0x84897D09
= 0xFA34654E
Step 4: X[0] ⊕ T(...)
= 0xE588A9E5 ⊕ 0xFA34654E
= 0x1FBCCCAB
Output: X[4] = 0x1FBCCCAB
Round 1 (i=1)
Input state:
X[1] = 0x8883E4BF
X[2] = 0xA1E5AE89
X[3] = 0x00000000
X[4] = 0x1FBCCCAB
Round key: rk[1] = 0x8E961DA9
Computation steps:
Step 1: X[2] ⊕ X[3] ⊕ X[4] ⊕ rk[1]
= 0xA1E5AE89 ⊕ 0x00000000 ⊕ 0x1FBCCCAB ⊕ 0x8E961DA9
= 0x30CF7F8B
Step 2: τ(0x30CF7F8B) - S-box substitution
Input bytes: 0x30, 0xCF, 0x7F, 0x8B
S-box output: 0xE4, 0xD8, 0x9E, 0xCE
τ output: 0xE4D89ECE
Step 3: L(0xE4D89ECE) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xE4D89ECE ⊕ 0x93627B3B ⊕ 0x627B3B93 ⊕ 0x7B3B9362 ⊕ 0xCEE4D89E
= 0xA01E959A
Step 4: X[1] ⊕ T(...)
= 0x8883E4BF ⊕ 0xA01E959A
= 0x289D7125
Output: X[5] = 0x289D7125
Round 2 (i=2)
Input state:
X[2] = 0xA1E5AE89
X[3] = 0x00000000
X[4] = 0x1FBCCCAB
X[5] = 0x289D7125
Round key: rk[2] = 0x3B064726
Computation steps:
Step 1: X[3] ⊕ X[4] ⊕ X[5] ⊕ rk[2]
= 0x00000000 ⊕ 0x1FBCCCAB ⊕ 0x289D7125 ⊕ 0x3B064726
= 0x0C27FAA8
Step 2: τ(0x0C27FAA8) - S-box substitution
Input bytes: 0x0C, 0x27, 0xFA, 0xA8
S-box output: 0x28, 0x7A, 0x5F, 0xC0
τ output: 0x287A5FC0
Step 3: L(0x287A5FC0) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x287A5FC0 ⊕ 0xA1E97F00 ⊕ 0xE97F00A1 ⊕ 0x7F00A1E9 ⊕ 0xC0287A5F
= 0xDFC4FBD7
Step 4: X[2] ⊕ T(...)
= 0xA1E5AE89 ⊕ 0xDFC4FBD7
= 0x7E21555E
Output: X[6] = 0x7E21555E
Round 3 (i=3)
Input state:
X[3] = 0x00000000
X[4] = 0x1FBCCCAB
X[5] = 0x289D7125
X[6] = 0x7E21555E
Round key: rk[3] = 0xDD302728
Computation steps:
Step 1: X[4] ⊕ X[5] ⊕ X[6] ⊕ rk[3]
= 0x1FBCCCAB ⊕ 0x289D7125 ⊕ 0x7E21555E ⊕ 0xDD302728
= 0x9430CFF8
Step 2: τ(0x9430CFF8) - S-box substitution
Input bytes: 0x94, 0x30, 0xCF, 0xF8
S-box output: 0x9B, 0xE4, 0xD8, 0x79
τ output: 0x9BE4D879
Step 3: L(0x9BE4D879) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x9BE4D879 ⊕ 0x6F9361E6 ⊕ 0x9361E66F ⊕ 0x61E66F93 ⊕ 0x799BE4D8
= 0x7F6BD4BB
Step 4: X[3] ⊕ T(...)
= 0x00000000 ⊕ 0x7F6BD4BB
= 0x7F6BD4BB
Output: X[7] = 0x7F6BD4BB
Round 4 (i=4)
Input state:
X[4] = 0x1FBCCCAB
X[5] = 0x289D7125
X[6] = 0x7E21555E
X[7] = 0x7F6BD4BB
Round key: rk[4] = 0xF4B61421
Computation steps:
Step 1: X[5] ⊕ X[6] ⊕ X[7] ⊕ rk[4]
= 0x289D7125 ⊕ 0x7E21555E ⊕ 0x7F6BD4BB ⊕ 0xF4B61421
= 0xDD61E4E1
Step 2: τ(0xDD61E4E1) - S-box substitution
Input bytes: 0xDD, 0x61, 0xE4, 0xE1
S-box output: 0xE5, 0x24, 0x0C, 0x69
τ output: 0xE5240C69
Step 3: L(0xE5240C69) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xE5240C69 ⊕ 0x949031A7 ⊕ 0x9031A794 ⊕ 0x31A79490 ⊕ 0x69E5240C
= 0xB9C72AC6
Step 4: X[4] ⊕ T(...)
= 0x1FBCCCAB ⊕ 0xB9C72AC6
= 0xA67BE66D
Output: X[8] = 0xA67BE66D
Round 5 (i=5)
Input state:
X[5] = 0x289D7125
X[6] = 0x7E21555E
X[7] = 0x7F6BD4BB
X[8] = 0xA67BE66D
Round key: rk[5] = 0xEDFAD6F1
Computation steps:
Step 1: X[6] ⊕ X[7] ⊕ X[8] ⊕ rk[5]
= 0x7E21555E ⊕ 0x7F6BD4BB ⊕ 0xA67BE66D ⊕ 0xEDFAD6F1
= 0x4ACBB179
Step 2: τ(0x4ACBB179) - S-box substitution
Input bytes: 0x4A, 0xCB, 0xB1, 0x79
S-box output: 0x3C, 0x41, 0xDB, 0x36
τ output: 0x3C41DB36
Step 3: L(0x3C41DB36) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x3C41DB36 ⊕ 0xF1076CD8 ⊕ 0x076CD8F1 ⊕ 0x6CD8F107 ⊕ 0x363C41DB
= 0x90CEDFC3
Step 4: X[5] ⊕ T(...)
= 0x289D7125 ⊕ 0x90CEDFC3
= 0xB853AEE6
Output: X[9] = 0xB853AEE6
Round 6 (i=6)
Input state:
X[6] = 0x7E21555E
X[7] = 0x7F6BD4BB
X[8] = 0xA67BE66D
X[9] = 0xB853AEE6
Round key: rk[6] = 0x1540513D
Computation steps:
Step 1: X[7] ⊕ X[8] ⊕ X[9] ⊕ rk[6]
= 0x7F6BD4BB ⊕ 0xA67BE66D ⊕ 0xB853AEE6 ⊕ 0x1540513D
= 0x7403CD0D
Step 2: τ(0x7403CD0D) - S-box substitution
Input bytes: 0x74, 0x03, 0xCD, 0x0D
S-box output: 0x9F, 0xFE, 0x10, 0xFB
τ output: 0x9FFE10FB
Step 3: L(0x9FFE10FB) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x9FFE10FB ⊕ 0x7FF843EE ⊕ 0xF843EE7F ⊕ 0x43EE7FF8 ⊕ 0xFB9FFE10
= 0xA0343C82
Step 4: X[6] ⊕ T(...)
= 0x7E21555E ⊕ 0xA0343C82
= 0xDE1569DC
Output: X[10] = 0xDE1569DC
Round 7 (i=7)
Input state:
X[7] = 0x7F6BD4BB
X[8] = 0xA67BE66D
X[9] = 0xB853AEE6
X[10] = 0xDE1569DC
Round key: rk[7] = 0xC83EBD4D
Computation steps:
Step 1: X[8] ⊕ X[9] ⊕ X[10] ⊕ rk[7]
= 0xA67BE66D ⊕ 0xB853AEE6 ⊕ 0xDE1569DC ⊕ 0xC83EBD4D
= 0x08039C1A
Step 2: τ(0x08039C1A) - S-box substitution
Input bytes: 0x08, 0x03, 0x9C, 0x1A
S-box output: 0x16, 0xFE, 0xF5, 0x13
τ output: 0x16FEF513
Step 3: L(0x16FEF513) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x16FEF513 ⊕ 0x5BFBD44C ⊕ 0xFBD44C5B ⊕ 0xD44C5BFB ⊕ 0x1316FEF5
= 0x718BC80A
Step 4: X[7] ⊕ T(...)
= 0x7F6BD4BB ⊕ 0x718BC80A
= 0x0EE01CB1
Output: X[11] = 0x0EE01CB1 ✓
Round 8 (i=8)
Input state:
X[8] = 0xA67BE66D
X[9] = 0xB853AEE6
X[10] = 0xDE1569DC
X[11] = 0x0EE01CB1
Round key: rk[8] = 0xE5DE7FA7
Computation steps:
Step 1: X[9] ⊕ X[10] ⊕ X[11] ⊕ rk[8]
= 0xB853AEE6 ⊕ 0xDE1569DC ⊕ 0x0EE01CB1 ⊕ 0xE5DE7FA7
= 0x8D78A42C
Step 2: τ(0x8D78A42C) - S-box substitution
Input bytes: 0x8D, 0x78, 0xA4, 0x2C
S-box output: 0x61, 0x4C, 0x82, 0xED
τ output: 0x614C82ED
Step 3: L(0x614C82ED) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x614C82ED ⊕ 0x85320BB5 ⊕ 0x320BB585 ⊕ 0x0BB58532 ⊕ 0xED614C82
= 0x30A1F56D
Step 4: X[8] ⊕ T(...)
= 0xA67BE66D ⊕ 0x30A1F56D
= 0x96DA1300
Output: X[12] = 0x96DA1300
Round 9 (i=9)
Input state:
X[9] = 0xB853AEE6
X[10] = 0xDE1569DC
X[11] = 0x0EE01CB1
X[12] = 0x96DA1300
Round key: rk[9] = 0x5AFE4561
Computation steps:
Step 1: X[10] ⊕ X[11] ⊕ X[12] ⊕ rk[9]
= 0xDE1569DC ⊕ 0x0EE01CB1 ⊕ 0x96DA1300 ⊕ 0x5AFE4561
= 0x1CD1230C
Step 2: τ(0x1CD1230C) - S-box substitution
Input bytes: 0x1C, 0xD1, 0x23, 0x0C
S-box output: 0x49, 0xC1, 0xF4, 0x28
τ output: 0x49C1F428
Step 3: L(0x49C1F428) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x49C1F428 ⊕ 0x2707D0A1 ⊕ 0x07D0A127 ⊕ 0xD0A12707 ⊕ 0x2849C1F4
= 0x91FE635D
Step 4: X[9] ⊕ T(...)
= 0xB853AEE6 ⊕ 0x91FE635D
= 0x29ADCDBB
Output: X[13] = 0x29ADCDBB
Round 10 (i=10)
Input state:
X[10] = 0xDE1569DC
X[11] = 0x0EE01CB1
X[12] = 0x96DA1300
X[13] = 0x29ADCDBB
Round key: rk[10] = 0xE94A3F7E
Computation steps:
Step 1: X[11] ⊕ X[12] ⊕ X[13] ⊕ rk[10]
= 0x0EE01CB1 ⊕ 0x96DA1300 ⊕ 0x29ADCDBB ⊕ 0xE94A3F7E
= 0x58DDFD74
Step 2: τ(0x58DDFD74) - S-box substitution
Input bytes: 0x58, 0xDD, 0xFD, 0x74
S-box output: 0xF8, 0xE5, 0xCB, 0x9F
τ output: 0xF8E5CB9F
Step 3: L(0xF8E5CB9F) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xF8E5CB9F ⊕ 0xE3972E7F ⊕ 0x972E7FE3 ⊕ 0x2E7FE397 ⊕ 0x9FF8E5CB
= 0x3DDB9C5F
Step 4: X[10] ⊕ T(...)
= 0xDE1569DC ⊕ 0x3DDB9C5F
= 0xE3CEF583
Output: X[14] = 0xE3CEF583
Round 11 (i=11)
Input state:
X[11] = 0x0EE01CB1
X[12] = 0x96DA1300
X[13] = 0x29ADCDBB
X[14] = 0xE3CEF583
Round key: rk[11] = 0xC90C33AD
Computation steps:
Step 1: X[12] ⊕ X[13] ⊕ X[14] ⊕ rk[11]
= 0x96DA1300 ⊕ 0x29ADCDBB ⊕ 0xE3CEF583 ⊕ 0xC90C33AD
= 0x95B51895
Step 2: τ(0x95B51895) - S-box substitution
Input bytes: 0x95, 0xB5, 0x18, 0x95
S-box output: 0x34, 0xFD, 0xAA, 0x34
τ output: 0x34FDAA34
Step 3: L(0x34FDAA34) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x34FDAA34 ⊕ 0xD3F6A8D0 ⊕ 0xF6A8D0D3 ⊕ 0xA8D0D3F6 ⊕ 0x3434FDAA
= 0x8D47FC6B
Step 4: X[11] ⊕ T(...)
= 0x0EE01CB1 ⊕ 0x8D47FC6B
= 0x83A7E0DA
Output: X[15] = 0x83A7E0DA
Round 12 (i=12)
Input state:
X[12] = 0x96DA1300
X[13] = 0x29ADCDBB
X[14] = 0xE3CEF583
X[15] = 0x83A7E0DA
Round key: rk[12] = 0xA8A8DF0B
Computation steps:
Step 1: X[13] ⊕ X[14] ⊕ X[15] ⊕ rk[12]
= 0x29ADCDBB ⊕ 0xE3CEF583 ⊕ 0x83A7E0DA ⊕ 0xA8A8DF0B
= 0xE16C07E9
Step 2: τ(0xE16C07E9) - S-box substitution
Input bytes: 0xE1, 0x6C, 0x07, 0xE9
S-box output: 0x69, 0x01, 0xB7, 0xB9
τ output: 0x6901B7B9
Step 3: L(0x6901B7B9) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x6901B7B9 ⊕ 0xA406DEE5 ⊕ 0x06DEE5A4 ⊕ 0xDEE5A406 ⊕ 0xB96901B7
= 0xAC552949
Step 4: X[12] ⊕ T(...)
= 0x96DA1300 ⊕ 0xAC552949
= 0x3A8F3A49
Output: X[16] = 0x3A8F3A49
Round 13 (i=13)
Input state:
X[13] = 0x29ADCDBB
X[14] = 0xE3CEF583
X[15] = 0x83A7E0DA
X[16] = 0x3A8F3A49
Round key: rk[13] = 0x26C94B0F
Computation steps:
Step 1: X[14] ⊕ X[15] ⊕ X[16] ⊕ rk[13]
= 0xE3CEF583 ⊕ 0x83A7E0DA ⊕ 0x3A8F3A49 ⊕ 0x26C94B0F
= 0x7C2F641F
Step 2: τ(0x7C2F641F) - S-box substitution
Input bytes: 0x7C, 0x2F, 0x64, 0x1F
S-box output: 0xA0, 0x62, 0x63, 0x99
τ output: 0xA0626399
Step 3: L(0xA0626399) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xA0626399 ⊕ 0x81898E66 ⊕ 0x898E6681 ⊕ 0x8E668189 ⊕ 0x99A06263
= 0xBFA36894
Step 4: X[13] ⊕ T(...)
= 0x29ADCDBB ⊕ 0xBFA36894
= 0x960EA52F
Output: X[17] = 0x960EA52F
Round 14 (i=14)
Input state:
X[14] = 0xE3CEF583
X[15] = 0x83A7E0DA
X[16] = 0x3A8F3A49
X[17] = 0x960EA52F
Round key: rk[14] = 0x2348FC7C
Computation steps:
Step 1: X[15] ⊕ X[16] ⊕ X[17] ⊕ rk[14]
= 0x83A7E0DA ⊕ 0x3A8F3A49 ⊕ 0x960EA52F ⊕ 0x2348FC7C
= 0x0C6E83C0
Step 2: τ(0x0C6E83C0) - S-box substitution
Input bytes: 0x0C, 0x6E, 0x83, 0xC0
S-box output: 0x28, 0x78, 0xD2, 0x8D
τ output: 0x2878D28D
Step 3: L(0x2878D28D) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x2878D28D ⊕ 0xA1E34A34 ⊕ 0xE34A34A1 ⊕ 0x4A34A1E3 ⊕ 0x8D2878D2
= 0xADCD7529
Step 4: X[14] ⊕ T(...)
= 0xE3CEF583 ⊕ 0xADCD7529
= 0x4E0380AA
Output: X[18] = 0x4E0380AA
Round 15 (i=15)
Input state:
X[15] = 0x83A7E0DA
X[16] = 0x3A8F3A49
X[17] = 0x960EA52F
X[18] = 0x4E0380AA
Round key: rk[15] = 0x285ED00F
Computation steps:
Step 1: X[16] ⊕ X[17] ⊕ X[18] ⊕ rk[15]
= 0x3A8F3A49 ⊕ 0x960EA52F ⊕ 0x4E0380AA ⊕ 0x285ED00F
= 0xCADCCFC3
Step 2: τ(0xCADCCFC3) - S-box substitution
Input bytes: 0xCA, 0xDC, 0xCF, 0xC3
S-box output: 0x5C, 0xB8, 0xD8, 0x92
τ output: 0x5CB8D892
Step 3: L(0x5CB8D892) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x5CB8D892 ⊕ 0x72E36249 ⊕ 0xE3624972 ⊕ 0x624972E3 ⊕ 0x925CB8D8
= 0x3D2C3992
Step 4: X[15] ⊕ T(...)
= 0x83A7E0DA ⊕ 0x3D2C3992
= 0xBE8BD948
Output: X[19] = 0xBE8BD948 ✓
Round 16 (i=16)
Input state:
X[16] = 0x3A8F3A49
X[17] = 0x960EA52F
X[18] = 0x4E0380AA
X[19] = 0xBE8BD948
Round key: rk[16] = 0x17908EE3
Computation steps:
Step 1: X[17] ⊕ X[18] ⊕ X[19] ⊕ rk[16]
= 0x960EA52F ⊕ 0x4E0380AA ⊕ 0xBE8BD948 ⊕ 0x17908EE3
= 0x7116722E
Step 2: τ(0x7116722E) - S-box substitution
Input bytes: 0x71, 0x16, 0x72, 0x2E
S-box output: 0x00, 0x04, 0x46, 0xAC
τ output: 0x000446AC
Step 3: L(0x000446AC) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x000446AC ⊕ 0x00111AB0 ⊕ 0x111AB000 ⊕ 0x1AB00011 ⊕ 0xAC000446
= 0xA7BFE84B
Step 4: X[16] ⊕ T(...)
= 0x3A8F3A49 ⊕ 0xA7BFE84B
= 0x9D30D202
Output: X[20] = 0x9D30D202
Round 17 (i=17)
Input state:
X[17] = 0x960EA52F
X[18] = 0x4E0380AA
X[19] = 0xBE8BD948
X[20] = 0x9D30D202
Round key: rk[17] = 0x29B3F5C1
Computation steps:
Step 1: X[18] ⊕ X[19] ⊕ X[20] ⊕ rk[17]
= 0x4E0380AA ⊕ 0xBE8BD948 ⊕ 0x9D30D202 ⊕ 0x29B3F5C1
= 0x440B7E21
Step 2: τ(0x440B7E21) - S-box substitution
Input bytes: 0x44, 0x0B, 0x7E, 0x21
S-box output: 0xF3, 0xC2, 0xC8, 0x42
τ output: 0xF3C2C842
Step 3: L(0xF3C2C842) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xF3C2C842 ⊕ 0xCF0B210B ⊕ 0x0B210BCF ⊕ 0x210BCF0B ⊕ 0x42F3C2C8
= 0x5410EF45
Step 4: X[17] ⊕ T(...)
= 0x960EA52F ⊕ 0x5410EF45
= 0xC21E4A6A
Output: X[21] = 0xC21E4A6A
Round 18 (i=18)
Input state:
X[18] = 0x4E0380AA
X[19] = 0xBE8BD948
X[20] = 0x9D30D202
X[21] = 0xC21E4A6A
Round key: rk[18] = 0x61D27218
Computation steps:
Step 1: X[19] ⊕ X[20] ⊕ X[21] ⊕ rk[18]
= 0xBE8BD948 ⊕ 0x9D30D202 ⊕ 0xC21E4A6A ⊕ 0x61D27218
= 0x80773338
Step 2: τ(0x80773338) - S-box substitution
Input bytes: 0x80, 0x77, 0x33, 0x38
S-box output: 0xEA, 0x52, 0xA9, 0x80
τ output: 0xEA52A980
Step 3: L(0xEA52A980) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xEA52A980 ⊕ 0xA94AA603 ⊕ 0x4AA603A9 ⊕ 0xA603A94A ⊕ 0x80EA52A9
= 0x2F57F7C9
Step 4: X[18] ⊕ T(...)
= 0x4E0380AA ⊕ 0x2F57F7C9
= 0x61547763
Output: X[22] = 0x61547763
Round 19 (i=19)
Input state:
X[19] = 0xBE8BD948
X[20] = 0x9D30D202
X[21] = 0xC21E4A6A
X[22] = 0x61547763
Round key: rk[19] = 0xA2CDA8E6
Computation steps:
Step 1: X[20] ⊕ X[21] ⊕ X[22] ⊕ rk[19]
= 0x9D30D202 ⊕ 0xC21E4A6A ⊕ 0x61547763 ⊕ 0xA2CDA8E6
= 0x9CB747ED
Step 2: τ(0x9CB747ED) - S-box substitution
Input bytes: 0x9C, 0xB7, 0x47, 0xED
S-box output: 0xF5, 0x2F, 0xBA, 0x6E
τ output: 0xF52FBA6E
Step 3: L(0xF52FBA6E) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xF52FBA6E ⊕ 0xD4BEE9BB ⊕ 0xBEE9BBD4 ⊕ 0xE9BBD4BE ⊕ 0x6EF52FBA
= 0x18361305
Step 4: X[19] ⊕ T(...)
= 0xBE8BD948 ⊕ 0x18361305
= 0xA6BDCA4D
Output: X[23] = 0xA6BDCA4D
Round 20 (i=20)
Input state:
X[20] = 0x9D30D202
X[21] = 0xC21E4A6A
X[22] = 0x61547763
X[23] = 0xA6BDCA4D
Round key: rk[20] = 0x4A28ABD4
Computation steps:
Step 1: X[21] ⊕ X[22] ⊕ X[23] ⊕ rk[20]
= 0xC21E4A6A ⊕ 0x61547763 ⊕ 0xA6BDCA4D ⊕ 0x4A28ABD4
= 0x4FDF5C90
Step 2: τ(0x4FDF5C90) - S-box substitution
Input bytes: 0x4F, 0xDF, 0x5C, 0x90
S-box output: 0xA8, 0xB0, 0x70, 0xE0
τ output: 0xA8B070E0
Step 3: L(0xA8B070E0) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xA8B070E0 ⊕ 0xA2C1C382 ⊕ 0xC1C382A2 ⊕ 0xC382A2C1 ⊕ 0xE0A8B070
= 0xE8982371
Step 4: X[20] ⊕ T(...)
= 0x9D30D202 ⊕ 0xE8982371
= 0x75A8F173
Output: X[24] = 0x75A8F173
Round 21 (i=21)
Input state:
X[21] = 0xC21E4A6A
X[22] = 0x61547763
X[23] = 0xA6BDCA4D
X[24] = 0x75A8F173
Round key: rk[21] = 0x105D3CD5
Computation steps:
Step 1: X[22] ⊕ X[23] ⊕ X[24] ⊕ rk[21]
= 0x61547763 ⊕ 0xA6BDCA4D ⊕ 0x75A8F173 ⊕ 0x105D3CD5
= 0xA21C7088
Step 2: τ(0xA21C7088) - S-box substitution
Input bytes: 0xA2, 0x1C, 0x70, 0x88
S-box output: 0xE2, 0x49, 0xD4, 0xA3
τ output: 0xE249D4A3
Step 3: L(0xE249D4A3) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xE249D4A3 ⊕ 0x8927528F ⊕ 0x27528F89 ⊕ 0x528F8927 ⊕ 0xA3E249D4
= 0xBD51C956
Step 4: X[21] ⊕ T(...)
= 0xC21E4A6A ⊕ 0xBD51C956
= 0x7F4F833C
Output: X[25] = 0x7F4F833C
Round 22 (i=22)
Input state:
X[22] = 0x61547763
X[23] = 0xA6BDCA4D
X[24] = 0x75A8F173
X[25] = 0x7F4F833C
Round key: rk[22] = 0xB3392991
Computation steps:
Step 1: X[23] ⊕ X[24] ⊕ X[25] ⊕ rk[22]
= 0xA6BDCA4D ⊕ 0x75A8F173 ⊕ 0x7F4F833C ⊕ 0xB3392991
= 0x1F639193
Step 2: τ(0x1F639193) - S-box substitution
Input bytes: 0x1F, 0x63, 0x91, 0x93
S-box output: 0x99, 0x5E, 0xAE, 0xA4
τ output: 0x995EAEA4
Step 3: L(0x995EAEA4) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x995EAEA4 ⊕ 0x657ABA92 ⊕ 0x7ABA9265 ⊕ 0xBA92657A ⊕ 0xA4995EAE
= 0x9895BD87
Step 4: X[22] ⊕ T(...)
= 0x61547763 ⊕ 0x9895BD87
= 0xF9C1CAE4
Output: X[26] = 0xF9C1CAE4
Round 23 (i=23)
Input state:
X[23] = 0xA6BDCA4D
X[24] = 0x75A8F173
X[25] = 0x7F4F833C
X[26] = 0xF9C1CAE4
Round key: rk[23] = 0xA5143E89
Computation steps:
Step 1: X[24] ⊕ X[25] ⊕ X[26] ⊕ rk[23]
= 0x75A8F173 ⊕ 0x7F4F833C ⊕ 0xF9C1CAE4 ⊕ 0xA5143E89
= 0x56328622
Step 2: τ(0x56328622) - S-box substitution
Input bytes: 0x56, 0x32, 0x86, 0x22
S-box output: 0xDA, 0x1C, 0x38, 0x50
τ output: 0xDA1C3850
Step 3: L(0xDA1C3850) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xDA1C3850 ⊕ 0x6870E143 ⊕ 0x70E14368 ⊕ 0xE1436870 ⊕ 0x50DA1C38
= 0x7314EE33
Step 4: X[23] ⊕ T(...)
= 0xA6BDCA4D ⊕ 0x7314EE33
= 0xD5A9247E
Output: X[27] = 0xD5A9247E ✓
Round 24 (i=24)
Input state:
X[24] = 0x75A8F173
X[25] = 0x7F4F833C
X[26] = 0xF9C1CAE4
X[27] = 0xD5A9247E
Round key: rk[24] = 0x9E19AB2C
Computation steps:
Step 1: X[25] ⊕ X[26] ⊕ X[27] ⊕ rk[24]
= 0x7F4F833C ⊕ 0xF9C1CAE4 ⊕ 0xD5A9247E ⊕ 0x9E19AB2C
= 0xCD3EC68A
Step 2: τ(0xCD3EC68A) - S-box substitution
Input bytes: 0xCD, 0x3E, 0xC6, 0x8A
S-box output: 0x10, 0x3F, 0xBC, 0xF2
τ output: 0x103FBCF2
Step 3: L(0x103FBCF2) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x103FBCF2 ⊕ 0x40FEF3C8 ⊕ 0xFEF3C840 ⊕ 0xF3C840FE ⊕ 0xF2103FBC
= 0xAFEAF838
Step 4: X[24] ⊕ T(...)
= 0x75A8F173 ⊕ 0xAFEAF838
= 0xDA42094B
Output: X[28] = 0xDA42094B
Round 25 (i=25)
Input state:
X[25] = 0x7F4F833C
X[26] = 0xF9C1CAE4
X[27] = 0xD5A9247E
X[28] = 0xDA42094B
Round key: rk[25] = 0x16EB5274
Computation steps:
Step 1: X[26] ⊕ X[27] ⊕ X[28] ⊕ rk[25]
= 0xF9C1CAE4 ⊕ 0xD5A9247E ⊕ 0xDA42094B ⊕ 0x16EB5274
= 0xE0C1B5A5
Step 2: τ(0xE0C1B5A5) - S-box substitution
Input bytes: 0xE0, 0xC1, 0xB5, 0xA5
S-box output: 0x89, 0x1B, 0xFD, 0x66
τ output: 0x891BFD66
Step 3: L(0x891BFD66) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x891BFD66 ⊕ 0x246FF59A ⊕ 0x6FF59A24 ⊕ 0xF59A246F ⊕ 0x66891BFD
= 0x5192AD4A
Step 4: X[25] ⊕ T(...)
= 0x7F4F833C ⊕ 0x5192AD4A
= 0x2EDD2E76
Output: X[29] = 0x2EDD2E76
Round 26 (i=26)
Input state:
X[26] = 0xF9C1CAE4
X[27] = 0xD5A9247E
X[28] = 0xDA42094B
X[29] = 0x2EDD2E76
Round key: rk[26] = 0xBD46BFDE
Computation steps:
Step 1: X[27] ⊕ X[28] ⊕ X[29] ⊕ rk[26]
= 0xD5A9247E ⊕ 0xDA42094B ⊕ 0x2EDD2E76 ⊕ 0xBD46BFDE
= 0x9C70BC9D
Step 2: τ(0x9C70BC9D) - S-box substitution
Input bytes: 0x9C, 0x70, 0xBC, 0x9D
S-box output: 0xF5, 0xD4, 0x6D, 0x8C
τ output: 0xF5D46D8C
Step 3: L(0xF5D46D8C) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xF5D46D8C ⊕ 0xD751B633 ⊕ 0x51B633D7 ⊕ 0xB633D751 ⊕ 0x8CF5D46D
= 0x49F5EB54
Step 4: X[26] ⊕ T(...)
= 0xF9C1CAE4 ⊕ 0x49F5EB54
= 0xB03421B0
Output: X[30] = 0xB03421B0
Round 27 (i=27)
Input state:
X[27] = 0xD5A9247E
X[28] = 0xDA42094B
X[29] = 0x2EDD2E76
X[30] = 0xB03421B0
Round key: rk[27] = 0x70453A24
Computation steps:
Step 1: X[28] ⊕ X[29] ⊕ X[30] ⊕ rk[27]
= 0xDA42094B ⊕ 0x2EDD2E76 ⊕ 0xB03421B0 ⊕ 0x70453A24
= 0x34EE3CA9
Step 2: τ(0x34EE3CA9) - S-box substitution
Input bytes: 0x34, 0xEE, 0x3C, 0xA9
S-box output: 0xC9, 0xC6, 0x75, 0x29
τ output: 0xC9C67529
Step 3: L(0xC9C67529) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0xC9C67529 ⊕ 0x2719D4A7 ⊕ 0x19D4A727 ⊕ 0xD4A72719 ⊕ 0x29C9C675
= 0x0A65E7C5
Step 4: X[27] ⊕ T(...)
= 0xD5A9247E ⊕ 0x0A65E7C5
= 0xDFCCC3BB
Output: X[31] = 0xDFCCC3BB
Round 28 (i=28)
Input state:
X[28] = 0xDA42094B
X[29] = 0x2EDD2E76
X[30] = 0xB03421B0
X[31] = 0xDFCCC3BB
Round key: rk[28] = 0x11C4BEC2
Computation steps:
Step 1: X[29] ⊕ X[30] ⊕ X[31] ⊕ rk[28]
= 0x2EDD2E76 ⊕ 0xB03421B0 ⊕ 0xDFCCC3BB ⊕ 0x11C4BEC2
= 0x50E172BF
Step 2: τ(0x50E172BF) - S-box substitution
Input bytes: 0x50, 0xE1, 0x72, 0xBF
S-box output: 0x68, 0x69, 0x46, 0x51
τ output: 0x68694651
Step 3: L(0x68694651) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x68694651 ⊕ 0xA1A51945 ⊕ 0xA51945A1 ⊕ 0x1945A1A5 ⊕ 0x51686946
= 0x24F8D256
Step 4: X[28] ⊕ T(...)
= 0xDA42094B ⊕ 0x24F8D256
= 0xFEBADB1D
Output: X[32] = 0xFEBADB1D
Round 29 (i=29)
Input state:
X[29] = 0x2EDD2E76
X[30] = 0xB03421B0
X[31] = 0xDFCCC3BB
X[32] = 0xFEBADB1D
Round key: rk[29] = 0x47DB1C0D
Computation steps:
Step 1: X[30] ⊕ X[31] ⊕ X[32] ⊕ rk[29]
= 0xB03421B0 ⊕ 0xDFCCC3BB ⊕ 0xFEBADB1D ⊕ 0x47DB1C0D
= 0xD699251B
Step 2: τ(0xD699251B) - S-box substitution
Input bytes: 0xD6, 0x99, 0x25, 0x1B
S-box output: 0x7B, 0x93, 0xEF, 0x26
τ output: 0x7B93EF26
Step 3: L(0x7B93EF26) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x7B93EF26 ⊕ 0xEE4FBC99 ⊕ 0x4FBC99EE ⊕ 0xBC99EE4F ⊕ 0x267B93EF
= 0x4082B7F1
Step 4: X[29] ⊕ T(...)
= 0x2EDD2E76 ⊕ 0x4082B7F1
= 0x6E5F9987
Output: X[33] = 0x6E5F9987
Round 30 (i=30)
Input state:
X[30] = 0xB03421B0
X[31] = 0xDFCCC3BB
X[32] = 0xFEBADB1D
X[33] = 0x6E5F9987
Round key: rk[30] = 0x4995756A
Computation steps:
Step 1: X[31] ⊕ X[32] ⊕ X[33] ⊕ rk[30]
= 0xDFCCC3BB ⊕ 0xFEBADB1D ⊕ 0x6E5F9987 ⊕ 0x4995756A
= 0x06BCF44B
Step 2: τ(0x06BCF44B) - S-box substitution
Input bytes: 0x06, 0xBC, 0xF4, 0x4B
S-box output: 0x3D, 0x6D, 0x3A, 0x19
τ output: 0x3D6D3A19
Step 3: L(0x3D6D3A19) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x3D6D3A19 ⊕ 0xF5B4E864 ⊕ 0xB4E864F5 ⊕ 0xE864F5B4 ⊕ 0x193D6D3A
= 0x8D682E06
Step 4: X[30] ⊕ T(...)
= 0xB03421B0 ⊕ 0x8D682E06
= 0x3D5C0FB6
Output: X[34] = 0x3D5C0FB6
Round 31 (i=31)
Input state:
X[31] = 0xDFCCC3BB
X[32] = 0xFEBADB1D
X[33] = 0x6E5F9987
X[34] = 0x3D5C0FB6
Round key: rk[31] = 0xE788F4C2
Computation steps:
Step 1: X[32] ⊕ X[33] ⊕ X[34] ⊕ rk[31]
= 0xFEBADB1D ⊕ 0x6E5F9987 ⊕ 0x3D5C0FB6 ⊕ 0xE788F4C2
= 0x4A31B9EE
Step 2: τ(0x4A31B9EE) - S-box substitution
Input bytes: 0x4A, 0x31, 0xB9, 0xEE
S-box output: 0x3C, 0xB3, 0xFF, 0xC6
τ output: 0x3CB3FFC6
Step 3: L(0x3CB3FFC6) - linear transform
= B ⊕ (B <<< 2) ⊕ (B <<< 10) ⊕ (B <<< 18) ⊕ (B <<< 24)
= 0x3CB3FFC6 ⊕ 0xF2CFFF18 ⊕ 0xCFFF18F2 ⊕ 0xFF18F2CF ⊕ 0xC63CB3FF
= 0x38A7591C
Step 4: X[31] ⊕ T(...)
= 0xDFCCC3BB ⊕ 0x38A7591C
= 0xE76B9AA7
Output: X[35] = 0xE76B9AA7 ✓
3.3.2 Summary table of the 32 rounds
| Round | Round key rk[i] | Output X[i+4] |
| --- | --- | --- |
| 0 | C994A1D9 | 1FBCCCAB |
| 1 | 8E961DA9 | 289D7125 |
| 2 | 3B064726 | 7E21555E |
| 3 | DD302728 | 7F6BD4BB |
| 4 | F4B61421 | A67BE66D |
| 5 | EDFAD6F1 | B853AEE6 |
| 6 | 1540513D | DE1569DC |
| 7 | C83EBD4D | 0EE01CB1 ✓ |
| 8 | E5DE7FA7 | 96DA1300 |
| 9 | 5AFE4561 | 29ADCDBB |
| 10 | E94A3F7E | E3CEF583 |
| 11 | C90C33AD | 83A7E0DA |
| 12 | A8A8DF0B | 3A8F3A49 |
| 13 | 26C94B0F | 960EA52F |
| 14 | 2348FC7C | 4E0380AA |
| 15 | 285ED00F | BE8BD948 ✓ |
| 16 | 17908EE3 | 9D30D202 |
| 17 | 29B3F5C1 | C21E4A6A |
| 18 | 61D27218 | 61547763 |
| 19 | A2CDA8E6 | A6BDCA4D |
| 20 | 4A28ABD4 | 75A8F173 |
| 21 | 105D3CD5 | 7F4F833C |
| 22 | B3392991 | F9C1CAE4 |
| 23 | A5143E89 | D5A9247E ✓ |
| 24 | 9E19AB2C | DA42094B |
| 25 | 16EB5274 | 2EDD2E76 |
| 26 | BD46BFDE | B03421B0 |
| 27 | 70453A24 | DFCCC3BB |
| 28 | 11C4BEC2 | FEBADB1D |
| 29 | 47DB1C0D | 6E5F9987 |
| 30 | 4995756A | 3D5C0FB6 |
| 31 | E788F4C2 | E76B9AA7 ✓ |
Verification result: ✅ intermediate results of all 32 rounds verified
3.4 Reverse transform R (lines 55-61)
Original text:
Reverse transform R
(Y0,Y1,Y2,Y3) = (X35,X34,X33,X32)
Y0 = 0xE76B9AA7, Y1 = 0x3D5C0FB6, Y2 = 0x6E5F9987, Y3 = 0xFEBADB1D
Ciphertext block output: E76B9AA73D5C0FB66E5F9987FEBADB1D
Standard reference: formula (5) of the standard
(Y0, Y1, Y2, Y3) = R(X32, X33, X34, X35) = (X35, X34, X33, X32)
Computation:
Y₀ = X₃₅ = 0xE76B9AA7
Y₁ = X₃₄ = 0x3D5C0FB6
Y₂ = X₃₃ = 0x6E5F9987
Y₃ = X₃₂ = 0xFEBADB1D
Ciphertext output: E76B9AA73D5C0FB66E5F9987FEBADB1D
Verification result: ✅ reverse transform correct
4. Summary of results
| Item | Value |
| --- | --- |
| Input key | 5C62DA45B0B2ACF9F3DA5DB93D18CAFD |
| Input plaintext | 利刃信安 (original length: 12 bytes) |
| Padded plaintext | E588A9E58883E4BFA1E5AE8900000000 |
| Number of data blocks | 1 |
| Output ciphertext | E76B9AA73D5C0FB66E5F9987FEBADB1D |
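5. Verification against the standard's example
To verify that the algorithm implementation is correct, the example from Appendix A.1 of the standard is used:
Input:
- Plaintext: 0123456789ABCDEFFEDCBA9876543210
- Key: 0123456789ABCDEFFEDCBA9876543210
Computed results:
- rk[0] = F12186F9 (standard: F12186F9) ✓
- rk[31] = 9124A012 (standard: 9124A012) ✓
- Ciphertext output: 681EDF34D206965E86B3E94F536E4246 (standard: 681EDF34D206965E86B3E94F536E4246) ✓
Conclusion: the algorithm implementation is fully consistent with the national standard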
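The key expansion of section 2, the round iteration of section 3 and the Appendix A.1 check above can be reproduced with the following Python code, an added example that is not part of the original article. The function names and the `round_states` helper are choices made for this example; the constants are the ones listed on this page.

```python
import struct

# S-box, Table 1 of GB/T 32907-2016 as listed in section 3.2.1 (row-major).
SBOX = bytes.fromhex("""
D690E9FECCE13DB716B614C228FB2C05 2B679A762ABE04C3AA44132649860699
9C4250F491EF987A33540B43EDCFAC62 E4B31CA9C908E89580DF94FA758F3FA6
4707A7FCF37317BA83593C19E6854FA8 686B81B27164DA8BF8EB0F4B70569D35
1E240E5E6358D1A225227C3B01217887 D40046579FD327524C3602E7A0C4C89E
EABF8AD240C738B5A3F7F2CEF96115A1 E0AE5DA49B341A55AD933230F58CB1E3
1DF6E22E8266CA60C02923AB0D534E6F D5DB3745DEFD8E2F03FF6A726D6C5B51
8D1BAF92BBDDBC7F11D95C411F105AD8 0AC13188A5CD7BBD2D74D012B8E5B4B0
8969974A0C96777E65B9F109C56EC684 18F07DEC3ADC4D2079EE5F3ED7CB3948
""")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)  # system parameter FK
# Fixed parameter: ck_{i,j} = (4i+j)*7 mod 256, packed big-endian into CK[i].
CK = [int.from_bytes(bytes((4 * i + j) * 7 % 256 for j in range(4)), "big")
      for i in range(32)]

def rotl(x, n):
    """32-bit cyclic left shift (<<<)."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def tau(a):
    """Non-linear transform: S-box applied to each of the four bytes."""
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")

def lin_enc(b):
    """Linear transform L, formula (3)."""
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def lin_key(b):
    """Linear transform L' of the key schedule, formula (8)."""
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def expand_key(key):
    """Formulas (6) and (7): 16-byte key -> list rk[0..31]."""
    if len(key) != 16:
        raise ValueError("SM4 key must be 16 bytes")
    k = [mk ^ fk for mk, fk in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ lin_key(tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])))
    return k[4:]

def round_states(block, rk):
    """Formula (4): returns X[0..35] so every intermediate word can be checked."""
    if len(block) != 16:
        raise ValueError("SM4 block must be 16 bytes")
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ lin_enc(tau(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i])))
    return x

def crypt_block(block, rk):
    """32 rounds followed by the reverse transform R, formula (5)."""
    x = round_states(block, rk)
    return struct.pack(">4I", x[35], x[34], x[33], x[32])

def encrypt_block(key, block):
    return crypt_block(block, expand_key(key))

def decrypt_block(key, block):
    # Same structure as encryption, round keys in reverse order (section 1.1).
    return crypt_block(block, expand_key(key)[::-1])

def zero_pad(data):
    # Zero padding as in section 3.1; it cannot be stripped unambiguously if the
    # plaintext may itself end in 0x00, so it is used here only to match the page.
    return data + b"\x00" * (-len(data) % 16)

if __name__ == "__main__":
    key = bytes.fromhex("5C62DA45B0B2ACF9F3DA5DB93D18CAFD")  # key from section 2.1
    pt = zero_pad("利刃信安".encode("utf-8"))  # plaintext from section 3.1
    rk, ct = expand_key(key), encrypt_block(key, pt)
    x = round_states(pt, rk)
    print("rk[0]=%08X rk[31]=%08X X[4]=%08X X[35]=%08X" % (rk[0], rk[31], x[4], x[35]))
    print("ciphertext:", ct.hex().upper(), "round trip:", decrypt_block(key, ct) == pt)
    std = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")  # Appendix A.1 vector
    print("A.1 ciphertext:", encrypt_block(std, std).hex().upper())
```

This processes a single 16-byte block only; it is a reference for checking the tables above, not a constant-time or mode-of-operation implementation.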
Document version: v3.0. Generated: 2026-03-21. Verification status: ✅ all passed
Reposted from: 利刃信安, "[Commercial Cryptography Assessment] SM4 Block Cipher Algorithm: Complete Computation Process"