
Cryptanalysis of the AES and SMS4 Block Ciphers

Posted on: 2012-02-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X L Dong
GTID: 1228330395457208
Subject: Cryptography

Abstract/Summary:
A block cipher is a symmetric cryptographic algorithm. It has many attractive features such as high-speed encryption and decryption, easy standardization, efficient implementation and so on. Therefore it is essential to investigate the cryptanalysis of block ciphers. In this dissertation, some new cryptanalytic attacks are proposed for the Advanced Encryption Standard (AES) and the SMS4 algorithm, which is the first commercial block cipher published by the Chinese government. The main results are specified as follows:

1. The security of AES against impossible differential cryptanalysis is studied. A general 4-round impossible differential of AES is proposed using the property that the differential branch number of the AES linear transformation is 5. Then, a new key-sieving technique is presented for impossible differential attacks on AES, using a table look-up method and an early abort strategy. Based on the widely used 4-round impossible differential and the new key-sieving technique, new attacks on 7-round AES-128, 7-round AES-192, 7-round AES-256 and 8-round AES-256 are presented by exploiting weaknesses in the AES key schedule. Compared with the best known impossible differential attacks on AES, our new attacks reduce the time complexity while the data and memory complexity remain unchanged.

2. Based on the principle of differential cryptanalysis, we introduce a new cryptanalytic technique on block ciphers: the asymmetric impossible boomerang attack. The attack uses an asymmetric impossible boomerang distinguisher to eliminate wrong key material and leave the right key candidate. With considerations of the key schedule, table look-up techniques and re-use of the data, the asymmetric impossible boomerang attack is applied to AES-128: a 4-round asymmetric impossible boomerang distinguisher of AES is first constructed; then, based on it, a new attack on 7-round AES-128 is put forward. Our new attack reduces the data and time complexity of the previously known attacks on 7-round AES-128 at the cost of a higher memory complexity.

3. The security of AES against meet-in-the-middle attacks is studied. Using the properties of the AES round transformation, new 5-round AES properties with the whitening key and without the whitening key are proposed respectively. Based on the two new properties and a time-memory tradeoff, a new meet-in-the-middle attack on 8-round AES independent of the key schedule algorithm is first put forward; new meet-in-the-middle attacks on 8-round AES-192 and 8-round AES-256 with key schedule considerations are then presented. Meanwhile, in the attack on 8-round AES-192, a new partial table look-up technique is proposed by altering the storage and indexing of the table. The previously known meet-in-the-middle attacks can be classified into two types. Our results reduce their complexity as follows: for the first type, the time and memory complexity is reduced with the data complexity unchanged; for the second type, the data and time complexity is reduced at the cost of a higher memory complexity in the attacks on 8-round AES-256 and 8-round AES independent of the key schedule algorithm.

4. The security of SMS4 against differential cryptanalysis is examined. Using the properties of the difference distribution of the S-box and the linear diffusion transformation in SMS4, a detailed analysis of 4-round differential characteristics of SMS4 is made. It is pointed out that 19-round differential characteristics of SMS4 can be viewed as the cascade of these 4-round differential characteristics with the same structure. Based on the 19-round differential characteristics of SMS4 with a probability of 2^-125, new differential cryptanalysis of 23-round SMS4 is put forward. It is shown that our new attack has a lower time and memory complexity than the best known cryptanalysis of 23-round SMS4 at the cost of a higher data complexity.

5. The security of SMS4 against linear cryptanalysis is examined. Using the properties of the linear approximation of the S-box and the linear diffusion transformation in SMS4, a new 16-round linear approximation of SMS4 is constructed. Then, based on it, new linear cryptanalysis of 20-round SMS4 is presented. It is shown that our new attack has a lower data and time complexity than the currently known linear cryptanalysis of 20-round SMS4 at the cost of a higher memory complexity. Meanwhile, a 19-round linear approximation can be obtained by extending the 16-round linear approximation. It increases the chance of successful linear cryptanalysis of 23-round SMS4.
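As an added illustration of the property used in result 1 (this is editorial example code, not part of the dissertation), the following Python checks that the AES MixColumns matrix is MDS over GF(2^8), which is equivalent to its differential branch number being 5, and that every single-byte input difference to a column activates all four output bytes. The field multiplication, matrix and test vectors follow FIPS-197; the helper names are my own.

```python
# Added example (not from the dissertation): AES MixColumns has differential
# branch number 5 because it is MDS (every square submatrix is nonsingular).
from functools import reduce
from itertools import combinations
from operator import xor

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8+x^4+x^3+x+1 (AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # reduce when bit 8 appears
        b >>= 1
    return r

MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # FIPS-197 MixColumns

def mix_column(col):
    """Apply MixColumns to one 4-byte column (list of ints)."""
    return [reduce(xor, (gf_mul(c, b) for c, b in zip(row, col))) for row in MC]

def byte_weight(col):  # number of active (non-zero) bytes of a difference
    return sum(1 for b in col if b)

def gf_det(m):
    """Determinant over GF(2^8) by Laplace expansion (char 2: no signs)."""
    if len(m) == 1:
        return m[0][0]
    return reduce(xor, (gf_mul(m[0][j], gf_det([row[:j] + row[j + 1:] for row in m[1:]]))
                        for j in range(len(m))))

def is_mds(m):
    """MDS iff every k x k submatrix, for every k, is nonsingular."""
    n = len(m)
    return all(gf_det([[m[r][c] for c in cols] for r in rows]) != 0
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

def branch_number(m):
    """min over x != 0 of wt(x) + wt(Mx); equals n + 1 exactly when M is MDS."""
    return len(m) + 1 if is_mds(m) else None  # non-MDS case not handled here

def single_byte_differences_fully_active():
    """Every one-byte column difference yields 4 active output bytes (1 + 4 = 5)."""
    cols = ([d if i == pos else 0 for i in range(4)] for pos in range(4) for d in range(1, 256))
    return all(byte_weight(mix_column(c)) == 4 for c in cols)
```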
Keywords/Search Tags: block cipher, cryptanalysis, Advanced Encryption Standard (AES), SMS4