Introduction

Description of SMS4

Linearity

Cryptographic Significance

On the Branch Number of L′

Summary and Conclusion

Linearity within the SMS4 Block Cipher

Muhammad Reza Z’aba, Leonie Simpson, Ed Dawson, Kenneth Wong
Information Security Institute, Queensland University of Technology, Australia

14 December 2009 – Inscrypt 2009


Outline

1. Introduction
2. Description of SMS4
3. Linearity
4. Cryptographic Significance
5. On the Branch Number of L′
6. Summary and Conclusion


Introduction

SMS4
- Block cipher used in the Chinese Wireless LAN Wired Authentication and Privacy Infrastructure (WAPI)
- Extensively analyzed: integral, rectangle, impossible differential, boomerang, differential and linear attacks

This Presentation
- The existence of simple linear relationships in components of SMS4


Specification

SMS4
- Structure: source-heavy unbalanced generic Feistel
- Plaintext block: $P = (X_0, X_1, X_2, X_3)$ (128 bits)
- Master key block: $K = (MK_0, MK_1, MK_2, MK_3)$ (128 bits)
- Thirty-two 32-bit round subkeys: $K_0, K_1, \ldots, K_{31}$
- Number of rounds: 32
- Ciphertext block: $C = (X_{35}, X_{34}, X_{33}, X_{32})$ (128 bits)


Encryption and Decryption Algorithms

[Figure: round structure of SMS4. Panels: Encryption and Decryption. Labels: words X0, ..., X35, subkeys K0, ..., K31 and the function T.]

Round Function
$X_{i+4} = X_i \oplus T(X_{i+1} \oplus X_{i+2} \oplus X_{i+3} \oplus K_i)$, $i = 0, 1, \ldots, 31$
$T = L \circ S$

- T is a 32-bit to 32-bit function
- S is composed of four 8 × 8 bijective S-boxes s: $S(X_i) = (s(X_{i,0}), s(X_{i,1}), s(X_{i,2}), s(X_{i,3}))$
- L consists of rotations: $L(X_i) = X_i \oplus (X_i \lll 2) \oplus (X_i \lll 10) \oplus (X_i \lll 18) \oplus (X_i \lll 24)$


Key Scheduling Algorithm

[Figure: Key Schedule. Labels: master key words MK0, ..., MK3, constants FK0, ..., FK3 and CK0, ..., CK31, words K−4, ..., K31 and the function T′.]

Round Function
$K_i = K_{i-4} \oplus T'(K_{i-3} \oplus K_{i-2} \oplus K_{i-1} \oplus CK_i)$, $i = 0, 1, \ldots, 31$
$T' = L' \circ S$

- T′ is a 32-bit to 32-bit function
- The same S as used in T: $S(X_i) = (s(X_{i,0}), s(X_{i,1}), s(X_{i,2}), s(X_{i,3}))$
- L′ consists of rotations: $L'(X_i) = X_i \oplus (X_i \lll 13) \oplus (X_i \lll 23)$


Simple Linear Relationships

Rotations
Investigation of the existence of the following linear relationship

$F(X_i) = X_i \lll j$    (1)

for particular rotation values $j \in \{0, 1, \ldots, 31\}$. A fixed point is the special case $j = 0$.

The Set $\Theta_F$
The set containing all distinct values that satisfy Equation 1


Linearity within Components

Table: Number of output words which are equivalent to the rotation of the input word by j bits to the left (0 ≤ j ≤ 31), for each component function

Set     Number of elements in the set    Number of fixed points
Θ_S     39                               1
Θ_L     1024                             4
Θ_T     59                               11
Θ_L′    8                                4
Θ_T′    59                               0


Random Permutation
- Probability that a given permutation of n elements has c fixed points is given by [Rio80, Chap. 3]

$$p_{n,c} = \frac{1}{n!} \cdot \binom{n}{c} \cdot (n-c)! \cdot \sum_{k=0}^{n-c} \frac{(-1)^k}{k!} \approx \frac{1}{c!\,e}.$$

- Expected number of fixed points for a random permutation is one [GS97, Chap. 6]

The Nonlinear Function T
- Number of fixed points = 11
- Prob., $p_{2^{32},11} = 1/(11! \cdot e) \approx 9.216 \times 10^{-9}$
- The function T does not appear random


T versus T′

Same input and output
- The only difference between T and T′ is the linear transformation: L and L′
- Eight $Y_i$ for which $L(Y_i) = L'(Y_i)$
- The $Y_i$ are 00000000, 33333333, 55555555, 66666666, 99999999, AAAAAAAA, CCCCCCCC and FFFFFFFF

T and T′
- There exist $X_i = S^{-1}(Y_i)$ such that $T(X_i) = L(S(X_i)) = L'(S(X_i)) = T'(X_i)$
- The $X_i$ are 71717171, 28282828, 97979797, A5A5A5A5, 1F1F1F1F, 18181818, 04040404 and B9B9B9B9
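The Θ_L and Θ_L′ rows of the table and the eight Y_i above can be reproduced without a 2^32 search, because F(X) ⊕ (X ≪ j) is linear over GF(2) when F is L or L′, so each solution set is a kernel found by Gaussian elimination. The Python below is an added example, not code from the presentation; the function names are chosen here, and Θ_S, Θ_T and Θ_T′ are left out because they need the S-box table, which the slides do not reproduce.

```python
# Added example, not from the presentation: Theta sets for the linear layers.
MASK = 0xFFFFFFFF


def rotl(x, j):
    """Rotate the 32-bit word x left by j bits (0 <= j <= 31)."""
    return ((x << j) | (x >> (32 - j))) & MASK


def L(x):
    """Linear transformation of the round function T (rotations 2, 10, 18, 24)."""
    return x ^ rotl(x, 2) ^ rotl(x, 10) ^ rotl(x, 18) ^ rotl(x, 24)


def L_prime(x):
    """Linear transformation of the key-schedule function T' (rotations 13, 23)."""
    return x ^ rotl(x, 13) ^ rotl(x, 23)


def kernel(f):
    """All 32-bit X with f(X) = 0, for a map f that is linear over GF(2)."""
    pivots = {}   # top set bit of an image -> (image, preimage)
    basis = []    # preimages whose image reduced to zero
    for i in range(32):
        img, pre = f(1 << i), 1 << i
        # Reduce the image against the pivots; f(pre) == img holds throughout.
        while img:
            top = img.bit_length() - 1
            if top not in pivots:
                pivots[top] = (img, pre)
                break
            img ^= pivots[top][0]
            pre ^= pivots[top][1]
        if img == 0:
            basis.append(pre)
    words = {0}
    for b in basis:   # expand the kernel basis into the whole subspace
        words |= {w ^ b for w in words}
    return words


def theta(f):
    """Map each rotation j to the set {X : f(X) = X <<< j} (Equation 1)."""
    return {j: kernel(lambda x, j=j: f(x) ^ rotl(x, j)) for j in range(32)}


def theta_counts(f):
    """(number of elements in Theta_f, number of fixed points of f)."""
    per_j = theta(f)
    return len(set().union(*per_j.values())), len(per_j[0])


def agreement_set():
    """Sorted words Y with L(Y) = L'(Y)."""
    return sorted(kernel(lambda y: L(y) ^ L_prime(y)))


if __name__ == "__main__":
    print("Theta_L  (elements, fixed points):", theta_counts(L))
    print("Theta_L' (elements, fixed points):", theta_counts(L_prime))
    print("L(Y) = L'(Y) for Y in:", [f"{y:08X}" for y in agreement_set()])
```

Both sets include the all-zero word, which every linear map fixes, so the counts in the table include it as well.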


Implications for the Key Scheduling Algorithm

Subkey Sequence
- T′ (32-bit to 32-bit map) is bijective [ZWFS09]
- A single 32-bit word is updated by T′, using the other three 32-bit words as input
- After four rounds, all 128 bits of the master key are completely updated
- Conjecture: all possible values of the first four subkeys are equally likely to occur

[Figure: Key Schedule, first four rounds. Labels: MK0, ..., MK3, FK0, ..., FK3, K−4, ..., K3, CK0, ..., CK3 and T′.]

[Figure: first four rounds of the key schedule. Panels: Rounds 0–1 and Rounds 2–3. Labels: K−4, ..., K3, CK0, ..., CK3, with Θ_T′ marked at each T′.]

Nature of Events
- Probability = $(59/2^{32})^4 \approx 2^{-104.5}$
- Number of master keys $\approx 2^{23.5} \approx 11{,}863{,}283$


Implications for the Encryption Algorithm

Focusing on Specific Case of Fixed Points
- Only fixed points occur in the first four consecutive rounds
- $\hat{\Theta}_T$: a subset of $\Theta_T$ containing the 11 fixed points for T

[Figure: first four rounds of encryption. Panels: Rounds 0–1 and Rounds 2–3. Labels: X0, ..., X6, K0, ..., K3, with $\hat{\Theta}_T$ marked at each T.]

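Output Block After Four Rounds
$X_4 = X_0 \oplus X_1 \oplus X_2 \oplus X_3 \oplus K_0$
$X_5 = X_0 \oplus K_0 \oplus K_1$
$X_6 = X_1 \oplus K_1 \oplus K_2$
$X_7 = X_2 \oplus K_2 \oplus K_3$

Nature of Events
- Probability = $(11/2^{32})^4 \approx 2^{-114.2}$
- Number of plaintext blocks $\approx 2^{13.8} \approx 14{,}263$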


Implications for Key Scheduling and Encryption Algorithms

First Four Rounds are Linear
- If both key schedule and encryption behave linearly in the first four rounds
- Output block after four rounds – only linear combination of plaintext and master key blocks

Reduction in Number of Rounds
- Theoretically, number of effective rounds of SMS4 reduced by four (from 32 to 28 rounds)
- Linearity might not be restricted only to the case of the first four rounds


Susceptibility to Attacks: Algebraic

Inversion-Based S-Box
- The SMS4 S-box is based on a finite field inversion [LJH+07]
- Equations are quadratic

4 Rounds of Linear Equations
- Equations over GF(2): no quadratic equations for the first four rounds
- Statistical – needs more known plaintexts
- Reduction of quadratic equations – might help reducing complexity of solving equations


Susceptibility to Attacks: Advanced Variants of the Slide Attack

Slide Attack
- Sliding of the encryptions by a certain number of rounds [BW99] – similarity between the two encryptions
- Allows the sliding of encryption with decryption [BW00]

Application to SMS4
- Eight input words for which T and T′ produce the same output words
- Slide encryption with key scheduling algorithm?


Susceptibility to Attacks: Subkeys and Related Keys

On the Subkey Sequence
- Explore the relationship between subkeys
- Determine classes of possible / impossible subkey sequences

Related-Keys
- Extend to the case where the attacker is allowed to choose the relationship between two or more different master keys but not the actual value of the keys [Bih94, Knu93]


Branch Numbers for L and L′

Branch Number for L
- Already been investigated by Zhang et al. [ZWFS09]

Branch Number for L′
- Our work


What is a Branch Number?

Definition
- The minimum number of active S-boxes for any two consecutive rounds (SPN ciphers)
- The minimum number of non-zero subwords for any input and output pair of the linear transformation


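Calculation of Branch Number

[Figure: the linear transformation L maps the input $X_i = (X_{i,0}, X_{i,1}, X_{i,2}, \ldots, X_{i,m-1})$ to the output $Y_i = (Y_{i,0}, Y_{i,1}, Y_{i,2}, \ldots, Y_{i,m-1})$; $\Gamma X_i = (\Gamma X_{i,0}, \ldots, \Gamma X_{i,m-1})$ and $\Gamma Y_i = (\Gamma Y_{i,0}, \ldots, \Gamma Y_{i,m-1})$ are the corresponding patterns.]

- $Y_i = L(X_i)$
- $X_{i,j}, Y_{i,j} \in \{0, 1, \ldots, 2^b - 1\}$
- $\Gamma X_{i,j}, \Gamma Y_{i,j} \in \{0, 1\}$

Branch Number

$B(L) = \min\{wt(\Gamma X_i) + wt(\Gamma Y_i) : X_i \neq 0 \text{ and } Y_i = L(X_i)\} \leq m + 1$, where $B(L) = m + 1$ is optimal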


Branch Number for L and L′

L
- m = 4
- B(L) = 5, which is optimal [ZWFS09]

L′
- Search over all possible inputs and observe the outputs
- Result: B(L′) = 4, which is not optimal
- Input-output pattern distribution table
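A byte-level search in the spirit of the one described above, as an added Python example rather than the authors' code; the function names are chosen here. It enumerates only inputs with one or two active bytes. Every input-output pair of total weight 3 or less has at most two active input bytes, so a minimum of 4 from this search settles B(L′) = 4 exactly, whereas the 5 it returns for L is only consistent with the cited B(L) = 5, because three-active-byte inputs are not searched.

```python
# Added example, not from the presentation: byte-level branch number search.
MASK = 0xFFFFFFFF
M = 4  # number of 8-bit subwords in a 32-bit word


def rotl(x, j):
    """Rotate the 32-bit word x left by j bits (0 <= j <= 31)."""
    return ((x << j) | (x >> (32 - j))) & MASK


def L(x):
    """Linear transformation of the round function T."""
    return x ^ rotl(x, 2) ^ rotl(x, 10) ^ rotl(x, 18) ^ rotl(x, 24)


def L_prime(x):
    """Linear transformation of the key-schedule function T'."""
    return x ^ rotl(x, 13) ^ rotl(x, 23)


def byte_weight(x):
    """wt of the pattern: number of non-zero bytes in the 32-bit word x."""
    return sum(1 for shift in (0, 8, 16, 24) if (x >> shift) & 0xFF)


def inputs_up_to_two_active_bytes():
    """Representative inputs with one or two active bytes.

    L and L' are XORs of rotations, so f(X <<< 8) = f(X) <<< 8 and byte
    weights do not change under that rotation. One representative per
    rotation class of active positions suffices: {0}, {0,1} and {0,2}.
    """
    for a in range(1, 256):
        yield a
        for b in range(1, 256):
            yield a | (b << 8)
            yield a | (b << 16)


def min_weight_pair(f):
    """Minimum of wt(in) + wt(out) over the inputs above, with a witness."""
    best, witness = 2 * M + 1, None
    for x in inputs_up_to_two_active_bytes():
        total = byte_weight(x) + byte_weight(f(x))
        if total < best:
            best, witness = total, x
    return best, witness


if __name__ == "__main__":
    for name, f in (("L", L), ("L'", L_prime)):
        best, x = min_weight_pair(f)
        print(f"{name}: minimum {best}, e.g. {x:08X} -> {f(x):08X}")
```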


Implications: Differential Attack on Modified SMS4
27-Round Key Recovery Attack

Modified Variant of SMS4
- Replacing L with L′

5-Round Self-Iterating Characteristic
- Based on previous 5-round characteristic [KKHS08, ZWFS09, ZZW08] (six active S-boxes)
- New 5-round characteristic: four active S-boxes with prob. $2^{-28}$
- Concatenated four and a half times: 23-round differential characteristic with prob. $2^{-112}$


Complexities
- $2^{116}$ chosen plaintexts
- $2^{115}$ encryptions

Comments
- Attack on modified variant: 27 rounds – one round short of the effective 28 rounds
- Best attack on existing variant: 22 rounds – six rounds short of the effective 28 rounds
- Number of rounds is reduced if the four-round linearity can be exploited


Summary and Conclusion

Summary
Several new observations on SMS4:
- Existence of fixed points and of simple linear relationships within components
- Branch number of L′ is less than optimal

Implications:
- Effective number of rounds is reduced by four
- A differential attack on modified SMS4 reduced to 27 rounds

Conclusion
- Components not selected randomly – criteria not known
- Findings might be used for further cryptanalysis


Thank You

THANK YOU. QUESTIONS?


[Bih94] Eli Biham. New Types of Cryptanalytic Attacks Using Related Keys. In Tor Helleseth, editor, Advances in Cryptology – EUROCRYPT ’93: Workshop on the Theory and Application of Cryptographic Techniques, volume 765 of Lecture Notes in Computer Science, pages 398–409. Springer-Verlag, 1994.

[BW99] Alex Biryukov and David Wagner. Slide Attacks. In Lars Knudsen, editor, Fast Software Encryption: 6th International Workshop, FSE’99, volume 1636 of Lecture Notes in Computer Science, pages 245–259. Springer-Verlag, 1999.

[BW00] Alex Biryukov and David Wagner. Advanced Slide Attacks. In Bart Preneel, editor, Advances in Cryptology – EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, volume 1807 of Lecture Notes in Computer Science, pages 589–606. Springer-Verlag, 2000.

[GS97] Charles M. Grinstead and James L. Snell. Introduction to Probability. American Mathematical Society, 2nd revised edition, 1997.

[KKHS08] Taehyun Kim, Jongsung Kim, Seokhie Hong, and Jaechul Sung. Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher. Cryptology ePrint Archive, Report 2008/281, 2008. Available at http://eprint.iacr.org/2008/281/.

[Knu93] Lars Knudsen. Cryptanalysis of LOKI91. In Jennifer Seberry and Yuliang Zheng, editors, Advances in Cryptology – ASIACRYPT ’92, Workshop on the Theory and Application of Cryptographic Techniques, volume 718 of Lecture Notes in Computer Science, pages 22–35. Springer-Verlag, 1993.

[LJH+07] Fen Liu, Wen Ji, Lei Hu, Jintai Ding, Shuwang Lv, Andrei Pyshkin, and Ralf-Philipp Weinmann. Analysis of the SMS4 Block Cipher. In Josef Pieprzyk, Hossein Ghodosi, and Ed Dawson, editors, Information Security and Privacy: 12th Australasian Conference, ACISP 2007, volume 4586 of Lecture Notes in Computer Science, pages 158–170. Springer-Verlag, 2007.

[Rio80] John Riordan. An Introduction to Combinatorial Analysis. Princeton University Press, 1980.

[ZWFS09] Wentao Zhang, Wenling Wu, Dengguo Feng, and Bozhan Su. Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard. In Feng Bao, Hui Li, and Guilin Wang, editors, Information Security Practice and Experience, 5th International Conference, ISPEC 2009, volume 5451 of Lecture Notes in Computer Science, pages 324–335. Springer-Verlag, 2009.

[ZZW08] Lei Zhang, Wentao Zhang, and Wenling Wu. Cryptanalysis of Reduced-Round SMS4 Block Cipher. In Yi Mu, Willy Susilo, and Jennifer Seberry, editors, Information Security and Privacy, 13th Australasian Conference, ACISP 2008, volume 5107 of Lecture Notes in Computer Science, pages 216–229. Springer-Verlag, 2008.
