Introduction
Description of SMS4
Linearity
Cryptographic Significance
On the Branch Number of L′
Summary and Conclusion

Linearity within the SMS4 Block Cipher
Muhammad Reza Z’aba, Leonie Simpson, Ed Dawson, Kenneth Wong
Information Security Institute, Queensland University of Technology, Australia
14 December 2009 – Inscrypt 2009

Outline
1. Introduction
2. Description of SMS4
3. Linearity
4. Cryptographic Significance
5. On the Branch Number of L′
6. Summary and Conclusion

Introduction
SMS4
- Block cipher used in the Chinese Wireless LAN Wired Authentication and Privacy Infrastructure (WAPI)
- Extensively analyzed: integral, rectangle, impossible differential, boomerang, differential and linear attacks
This Presentation
- The existence of simple linear relationships in components of SMS4

Specification
SMS4
- Structure: source-heavy unbalanced generic Feistel
- Plaintext block: $P = (X_0, X_1, X_2, X_3)$ (128 bits)
- Master key block: $K = (MK_0, MK_1, MK_2, MK_3)$ (128 bits)
- Thirty-two 32-bit round subkeys: $K_0, K_1, \ldots, K_{31}$
- Number of rounds: 32
- Ciphertext block: $C = (X_{35}, X_{34}, X_{33}, X_{32})$ (128 bits)

Encryption and Decryption Algorithms
[Figure: Encryption and Decryption round diagrams. Encryption takes (X0, X1, X2, X3) through T with subkeys K0, ..., K31 to (X35, X34, X33, X32); decryption takes (X35, X34, X33, X32) back to (X0, X1, X2, X3) with the subkeys in the order K31, ..., K0.]

Encryption and Decryption Algorithms
Round Function
$X_{i+4} = X_i \oplus T(X_{i+1} \oplus X_{i+2} \oplus X_{i+3} \oplus K_i), \quad i = 0, 1, \ldots, 31$
$T = L \circ S$
- $T$ is a 32-bit to 32-bit function
- $S$ is composed of four $8 \times 8$ bijective S-boxes $s$: $S(X_i) = (s(X_{i,0}), s(X_{i,1}), s(X_{i,2}), s(X_{i,3}))$
- $L$ consists of rotations: $L(X_i) = X_i \oplus (X_i \lll 2) \oplus (X_i \lll 10) \oplus (X_i \lll 18) \oplus (X_i \lll 24)$

Key Scheduling Algorithm
[Figure: Key Schedule diagram, with labels MK0, ..., MK3, FK0, ..., FK3, K−4, ..., K31, CK0, ..., CK31 and T′.]

Key Scheduling Algorithm
Round Function
$K_i = K_{i-4} \oplus T'(K_{i-3} \oplus K_{i-2} \oplus K_{i-1} \oplus CK_i), \quad i = 0, 1, \ldots, 31$
$T' = L' \circ S$
- $T'$ is a 32-bit to 32-bit function
- The same $S$ as used in $T$: $S(X_i) = (s(X_{i,0}), s(X_{i,1}), s(X_{i,2}), s(X_{i,3}))$
- $L'$ consists of rotations: $L'(X_i) = X_i \oplus (X_i \lll 13) \oplus (X_i \lll 23)$

Simple Linear Relationships
Rotations
- Investigation of the existence of the following linear relationship
  $F(X_i) = X_i \lll j$    (1)
  for particular rotation values $j \in \{0, 1, \ldots, 31\}$.
- Fixed point is a special case when $j = 0$.
The Set $\Theta_F$
- The set containing all distinct values that satisfy Equation 1

Linearity within Components
Table: Number of output words which are equivalent to the rotation of the input word by j bits to the left (0 ≤ j ≤ 31), for each component function

Set             Number of elements in the set   Number of fixed points
$\Theta_S$      39                              1
$\Theta_L$      1024                            4
$\Theta_T$      59                              11
$\Theta_{L'}$   8                               4
$\Theta_{T'}$   59                              0

Linearity within Components
Random Permutation
- Probability that a given permutation of $n$ elements has $c$ fixed points is given by [Rio80, Chap. 3]
  $p_{n,c} = \frac{1}{n!} \cdot \binom{n}{c} \cdot (n - c)! \cdot \sum_{k=0}^{n-c} \frac{(-1)^k}{k!} \approx \frac{1}{c!\,e}$
- Expected number of fixed points for a random permutation is one [GS97, Chap. 6]
The Nonlinear Function $T$
- Number of fixed points = 11
- Prob., $p_{2^{32},11} = 1/(11! \cdot e) \approx 9.216 \times 10^{-9}$
- The function $T$ does not appear random

T versus T′
Same input and output
- The only difference between $T$ and $T'$ is the linear transformation $L$ and $L'$
Eight $Y_i$ for which $L(Y_i) = L'(Y_i)$
- The $Y_i$ are 00000000, 33333333, 55555555, 66666666, 99999999, AAAAAAAA, CCCCCCCC and FFFFFFFF
$T$ and $T'$
- There exist $X_i = S^{-1}(Y_i)$ such that $T(X_i) = L(S(X_i)) = L'(S(X_i)) = T'(X_i)$
- The $X_i$ are 71717171, 28282828, 97979797, A5A5A5A5, 1F1F1F1F, 18181818, 04040404 and B9B9B9B9
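
For the two linear maps, the rotation sets of Equation 1 and the eight words on which L and L′ agree can be reproduced without a 2^32 search, because F(X) ⊕ (X ≪ j) = 0 is a linear system over GF(2). The following Python code is an added example, not code from the presentation; it covers only L and L′ (the S-box table is not reproduced on these slides, so S, T and T′ are left out), and all function names are illustrative.

```python
MASK = 0xFFFFFFFF

def rotl(x, n):
    """Rotate a 32-bit word left by n bits (0 <= n <= 31)."""
    return ((x << n) | (x >> (32 - n))) & MASK

def L(x):
    # Linear transformation of the SMS4 round function, as given on the slides.
    return x ^ rotl(x, 2) ^ rotl(x, 10) ^ rotl(x, 18) ^ rotl(x, 24)

def L_prime(x):
    # Linear transformation of the SMS4 key schedule, as given on the slides.
    return x ^ rotl(x, 13) ^ rotl(x, 23)

def kernel(f):
    """Return the set of all 32-bit x with f(x) == 0, for f linear over GF(2).

    Gaussian elimination on the images of the unit vectors: each image is
    reduced against the pivots found so far while the same XORs are applied
    to the preimage. An image that reduces to zero yields a kernel vector.
    """
    pivots = {}   # highest set bit of an image -> (image, preimage)
    basis = []    # basis of the kernel
    for i in range(32):
        img, pre = f(1 << i), 1 << i
        while img:
            h = img.bit_length() - 1
            if h not in pivots:
                pivots[h] = (img, pre)
                break
            pimg, ppre = pivots[h]
            img ^= pimg
            pre ^= ppre
        else:
            basis.append(pre)
    span = {0}
    for b in basis:
        span |= {v ^ b for v in span}
    return span

def theta(lin):
    """Theta_F for a linear F: all X with F(X) = X <<< j for some j in 0..31."""
    out = set()
    for j in range(32):
        out |= kernel(lambda x, j=j: lin(x) ^ rotl(x, j))
    return out

def fixed_points(lin):
    """The j = 0 case of Equation 1: all X with F(X) = X."""
    return kernel(lambda x: lin(x) ^ x)

def agreeing_words():
    """All Y with L(Y) = L'(Y)."""
    return kernel(lambda y: L(y) ^ L_prime(y))

if __name__ == "__main__":
    print("|Theta_L|  =", len(theta(L)), " fixed points:", len(fixed_points(L)))
    print("|Theta_L'| =", len(theta(L_prime)), " fixed points:", len(fixed_points(L_prime)))
    print("L(Y) = L'(Y) for:", " ".join(f"{y:08X}" for y in sorted(agreeing_words())))
```

The counts can be compared against the $\Theta_L$ and $\Theta_{L'}$ rows of the table and the list of $Y_i$ above; the zero word is counted, as it satisfies Equation 1 for every j.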

Implications for the Key Scheduling Algorithm
Subkey Sequence
- $T'$ (32-bit to 32-bit map) is bijective [ZWFS09]
- A single 32-bit word is updated by $T'$, using other three 32-bit words as input
- After four rounds, all 128 bits of the master key are completely updated
- Conjecture: all possible values of the first four subkeys are equally likely to occur
[Figure: Key Schedule diagram for the first four rounds, with labels MK0, ..., MK3, FK0, ..., FK3, K−4, ..., K3, CK0, ..., CK3 and T′.]

Implications for the Key Scheduling Algorithm
[Figure: Key schedule rounds 0–1 and 2–3, with ΘT′ marked at each T′; labels K−4, ..., K3 and CK0, ..., CK3.]

Implications for the Key Scheduling Algorithm
Nature of Events
- Probability $= (59/2^{32})^4 \approx 2^{-104.5}$
- Number of master keys $\approx 2^{23.5} \approx 11{,}863{,}283$

Implications for the Encryption Algorithm
Focusing on Specific Case of Fixed Points
- Only fixed points occur in the first four consecutive rounds
- $\hat{\Theta}_T$: a subset of $\Theta_T$ containing the 11 fixed points for $T$

Implications for the Encryption Algorithm
[Figure: Encryption rounds 0–1 and 2–3, with Θ̂T marked at each T; labels X0, ..., X6 and K0, ..., K3.]

Implications for the Encryption Algorithm
Output Block After Four Rounds
$X_4 = X_0 \oplus X_1 \oplus X_2 \oplus X_3 \oplus K_0$
$X_5 = X_0 \oplus K_0 \oplus K_1$
$X_6 = X_1 \oplus K_1 \oplus K_2$
$X_7 = X_2 \oplus K_2 \oplus K_3$
Nature of Events
- Probability $= (11/2^{32})^4 \approx 2^{-114.2}$
- Number of plaintext blocks $\approx 2^{13.8} \approx 14{,}263$

Implications for Key Scheduling and Encryption Algorithms
First Four Rounds are Linear
- If both key schedule and encryption behave linearly in the first four rounds
- Output block after four rounds – only linear combination of plaintext and master key blocks.
Reduction in Number of Rounds
- Theoretically, number of effective rounds of SMS4 reduced by four (from 32 to 28 rounds)
- Linearity might not be restricted only to the case of the first four rounds

Susceptibility to Attacks
Algebraic
Inversion-Based S-Box
- The SMS4 S-box is based on a finite field inversion [LJH+07]
- Equations are quadratic
4 Rounds of Linear Equations
- Equations over GF(2): No quadratic equations for the first four rounds
- Statistical – needs more known plaintexts
- Reduction of quadratic equations – might help reducing complexity of solving equations

Susceptibility to Attacks
Advanced Variants of the Slide Attack
Slide Attack
- Sliding of the encryptions by a certain number of rounds [BW99] – similarity between the two encryptions
- Allows the sliding of encryption with decryption [BW00]
Application to SMS4
- Eight input words for which $T$ and $T'$ produce the same output words
- Slide encryption with key scheduling algorithm?

Susceptibility to Attacks
Subkeys and Related Keys
On the Subkey Sequence
- Explore the relationship between subkeys
- Determine classes of possible / impossible subkey sequences
Related-Keys
- Extend to the case where the attacker is allowed to choose the relationship between two or more different master keys but not the actual value of the keys [Bih94, Knu93]

Branch Numbers for L and L′
Branch Number for $L$
- Already been investigated by Zhang et al. [ZWFS09]
Branch Number for $L'$
- Our work

What is a Branch Number?
Definition
- The minimum number of active S-boxes for any two consecutive rounds (SPN ciphers)
- The minimum number of non-zero subwords for any input and output pair of the linear transformation
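
What is a Branch Number?
Calculation of Branch Number
[Figure: L maps the input word to the output word; each word is drawn as m subwords with its activity pattern Γ alongside.]
- $X_i = (X_{i,0}, X_{i,1}, X_{i,2}, \ldots, X_{i,m-1})$ with $X_{i,j} \in \{0, 1, \ldots, 2^b - 1\}$
- $\Gamma X_i = (\Gamma X_{i,0}, \Gamma X_{i,1}, \Gamma X_{i,2}, \ldots, \Gamma X_{i,m-1})$ with $\Gamma X_{i,j} \in \{0, 1\}$
- $Y_i = L(X_i)$
- $Y_i = (Y_{i,0}, Y_{i,1}, Y_{i,2}, \ldots, Y_{i,m-1})$ with $Y_{i,j} \in \{0, 1, \ldots, 2^b - 1\}$
- $\Gamma Y_i = (\Gamma Y_{i,0}, \Gamma Y_{i,1}, \Gamma Y_{i,2}, \ldots, \Gamma Y_{i,m-1})$ with $\Gamma Y_{i,j} \in \{0, 1\}$
Branch Number
$B(L) = \min\{wt(\Gamma X_i) + wt(\Gamma Y_i) : X_i \neq 0 \text{ and } Y_i = L(X_i)\} \le m + 1$
where $B(L) = m + 1$ is optimal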

Branch Number for L and L′
$L$
- $m = 4$
- $B(L) = 5$, which is optimal [ZWFS09]
$L'$
- Search over all possible inputs and observe the outputs
- Result: $B(L') = 4$, which is not optimal
- Input-output pattern distribution table
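
Both branch numbers can be recomputed without scanning all 2^32 inputs. The Python code below is an added example, not the authors' search code, and its function names are illustrative. It assumes m = 4 byte-sized subwords as on the slide, and relies on the observation that any input/output pair with total weight at most m + 1 = 5 has at most two active bytes on the input side or on the output side.

```python
from itertools import combinations

MASK = 0xFFFFFFFF

def rotl(x, n):
    """Rotate a 32-bit word left by n bits (0 <= n <= 31)."""
    return ((x << n) | (x >> (32 - n))) & MASK

def L(x):
    # Round-function linear transformation, as given on the slides.
    return x ^ rotl(x, 2) ^ rotl(x, 10) ^ rotl(x, 18) ^ rotl(x, 24)

def L_prime(x):
    # Key-schedule linear transformation, as given on the slides.
    return x ^ rotl(x, 13) ^ rotl(x, 23)

def byte_weight(x):
    """wt(Gamma X): number of non-zero 8-bit subwords of a 32-bit word."""
    return (bool(x & 0xFF) + bool(x & 0xFF00)
            + bool(x & 0xFF0000) + bool(x & 0xFF000000))

def inverse(lin):
    """Inverse of a map that XORs an odd number of rotations of its input.

    Squaring such a map doubles every rotation amount, so after five
    squarings all rotations are multiples of 32 and lin^32 is the identity.
    Hence lin^-1 = lin^31.
    """
    def inv(x):
        for _ in range(31):
            x = lin(x)
        return x
    return inv

def byte_tables(lin):
    """tables[k][v] = lin(v << 8k); by linearity lin(X) is the XOR of four lookups."""
    return [[lin(v << (8 * k)) for v in range(256)] for k in range(4)]

def min_total_weight(tables):
    """Minimum of wt(in) + wt(out) over all non-zero words with one or two active bytes."""
    best = 8
    for k in range(4):
        for v in range(1, 256):
            best = min(best, 1 + byte_weight(tables[k][v]))
    for i, j in combinations(range(4), 2):
        ti, tj = tables[i], tables[j]
        for a in range(1, 256):
            ta = ti[a]
            for b in range(1, 256):
                w = 2 + byte_weight(ta ^ tj[b])
                if w < best:
                    best = w
    return best

def branch_number(lin):
    """B(lin) for m = 4 bytes, scanning low-weight inputs and low-weight outputs."""
    forward = min_total_weight(byte_tables(lin))             # wt(Gamma X) <= 2
    backward = min_total_weight(byte_tables(inverse(lin)))   # wt(Gamma Y) <= 2
    return min(forward, backward)

if __name__ == "__main__":
    print("B(L)  =", branch_number(L))
    print("B(L') =", branch_number(L_prime))
```

A single-byte input already attains the bound for L′: the word 00000001 maps to 00802001, one active input byte and three active output bytes.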

Implications: Differential Attack on Modified SMS4
27-Round Key Recovery Attack
Modified Variant of SMS4
- Replacing $L$ with $L'$
5-Round Self-Iterating Characteristic
- Based on previous 5-round characteristic [KKHS08, ZWFS09, ZZW08] (six active S-boxes)
- New 5-round characteristic: four active S-boxes with prob. $2^{-28}$
- Concatenated four and a half times: 23-round differential characteristic with prob. $2^{-112}$

Implications: Differential Attack on Modified SMS4
27-Round Key Recovery Attack
Complexities
- $2^{116}$ chosen plaintexts
- $2^{115}$ encryptions
Comments
- Attack on modified variant: 27 rounds – one round short of the effective 28 rounds
- Best attack on existing variant: 22 rounds – six rounds short of the effective 28 rounds
- Number of rounds is reduced if the four-round linearity can be exploited

Summary and Conclusion
Summary
- Several new observations on SMS4:
  - Existence of fixed points and of simple linear relationships within components
  - Branch number of $L'$ is less than optimal
- Implications:
  - Effective number of rounds is reduced by four
  - A differential attack on modified SMS4 reduced to 27 rounds
Conclusion
- Components not selected randomly – criteria not known
- Findings might be used for further cryptanalysis

References
[Bih94] Eli Biham. New Types of Cryptanalytic Attacks Using Related Keys. In Tor Helleseth, editor, Advances in Cryptology – EUROCRYPT ’93: Workshop on the Theory and Application of Cryptographic Techniques, volume 765 of Lecture Notes in Computer Science, pages 398–409. Springer-Verlag, 1994.
[BW99] Alex Biryukov and David Wagner. Slide Attacks. In Lars Knudsen, editor, Fast Software Encryption: 6th International Workshop, FSE’99, volume 1636 of Lecture Notes in Computer Science, pages 245–259. Springer-Verlag, 1999.
[BW00] Alex Biryukov and David Wagner. Advanced Slide Attacks. In Bart Preneel, editor, Advances in Cryptology – EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, volume 1807 of Lecture Notes in Computer Science, pages 589–606. Springer-Verlag, 2000.
[GS97] Charles M. Grinstead and James L. Snell. Introduction to Probability. American Mathematical Society, 2nd revised edition, 1997.
[KKHS08] Taehyun Kim, Jongsung Kim, Seokhie Hong, and Jaechul Sung. Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher. Cryptology ePrint Archive, Report 2008/281, 2008. Available at http://eprint.iacr.org/2008/281/.
[Knu93] Lars Knudsen. Cryptanalysis of LOKI91. In Jennifer Seberry and Yuliang Zheng, editors, Advances in Cryptology – ASIACRYPT ’92, Workshop on the Theory and Application of Cryptographic Techniques, volume 718 of Lecture Notes in Computer Science, pages 22–35. Springer-Verlag, 1993.
[LJH+07] Fen Liu, Wen Ji, Lei Hu, Jintai Ding, Shuwang Lv, Andrei Pyshkin, and Ralf-Philipp Weinmann. Analysis of the SMS4 Block Cipher. In Josef Pieprzyk, Hossein Ghodosi, and Ed Dawson, editors, Information Security and Privacy: 12th Australasian Conference, ACISP 2007, volume 4586 of Lecture Notes in Computer Science, pages 158–170. Springer-Verlag, 2007.
[Rio80] John Riordan. An Introduction to Combinatorial Analysis. Princeton University Press, 1980.
[ZWFS09] Wentao Zhang, Wenling Wu, Dengguo Feng, and Bozhan Su. Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard. In Feng Bao, Hui Li, and Guilin Wang, editors, Information Security Practice and Experience, 5th International Conference, ISPEC 2009, volume 5451 of Lecture Notes in Computer Science, pages 324–335. Springer-Verlag, 2009.
[ZZW08] Lei Zhang, Wentao Zhang, and Wenling Wu. Cryptanalysis of Reduced-Round SMS4 Block Cipher. In Yi Mu, Willy Susilo, and Jennifer Seberry, editors, Information Security and Privacy, 13th Australasian Conference, ACISP 2008, volume 5107 of Lecture Notes in Computer Science, pages 216–229. Springer-Verlag, 2008.