
Rectangle Attack Of Reduced SMS4 Block Cipher

Posted on: 2013-02-11
Degree: Master
Type: Thesis
Country: China
Candidate: P Xue
GTID: 2248330374982484
Subject: Information security
Abstract/Summary:
SMS4 is an iterated block cipher whose block size and user key size are both 128 bits. It is a 32-round unbalanced Feistel network, and its decryption is identical to encryption except that the round keys are used in the reverse order. The key schedule is similar to the encryption algorithm; the differences are the linear transformation L and some parameters used in the round function.

SMS4 is used in WAPI for data encryption and integrity checking. WAPI, an abbreviation of Wireless Authentication and Privacy Infrastructure, was first proposed in GB15629.11 as the Chinese national standard for wireless LAN. Compared to the earlier standard IEEE 802.11i, WAPI uses a special algorithm and special encryption protection to supply higher security and compatibility. It can efficiently prevent the users' terminal devices from browsing some insecure Web sites.

Due to the significance of the WAPI standard, it has attracted much public attention, and there has been a variety of research and analysis of SMS4 since its structure was publicly announced. The previously best published rectangle cryptanalytic result was proposed by T. Kim, J. Kim et al. in 2008. They present a 16-round distinguisher with probability $2^{-244}$ and an 18-round rectangle attack with a data complexity of $2^{128}$ and a time complexity of $2^{112.83}$.

In this paper, according to a special property of the S-box, we exploit a certain 16-round rectangle distinguisher with probability $2^{-247}$, and based on this distinguisher, a rectangle attack on SMS4 reduced to 18 rounds is proposed. This attack is expected to require $2^{127}$ chosen plaintexts, $2^{130.5}$ memory accesses and $2^{110.77}$ total running time.

The 16-round distinguisher $E$ is treated as a cascade of two subciphers, $E = E_1 \circ E_0$. $E_0$ is a 10-round differential with input difference $(\beta, \beta, \alpha \oplus \beta, \alpha)$, output difference $(\alpha \oplus \gamma, \alpha \oplus \beta \oplus \gamma, \beta, \beta)$ and probability $p = 2^{-98}$. $E_1$ is a 6-round characteristic with the differential $(\delta, \delta, \eta \oplus \delta, \eta) \to (\eta, \eta \oplus \delta, \delta, \delta)$ and probability $q = 2^{-24}$.

The requirements which $\alpha$, $\beta$, $\gamma$ have to satisfy are as follows:

1. $\alpha$ has only one active S-box, $\beta$ is the output difference of the T transformation of $\alpha$, and $\alpha \oplus \beta$ has only three active S-boxes.
2. $\mathrm{Prob}(\alpha \to \beta) = 2^{-6}$, which means the probability of input difference $\alpha$ and output difference $\beta$ is $2^{-6}$.
3. $\gamma$ is the output difference of the T transformation of $\alpha \oplus \beta$, and at the same time $\alpha \oplus \gamma$ has only three active S-boxes.
4. $\mathrm{Prob}(\alpha \oplus \gamma \to \gamma) > 0$, which means the probability of input difference $\alpha \oplus \gamma$ and output difference $\gamma$ is greater than 0.

According to computer search, we choose $\alpha$ = 0x00000064, $\beta$ = 0xb6d2d264, and And in this condition, we get about $2^{10}$ values of $\gamma$ according to our computer search, so the probability of the differential of $E_0$ is

And the requirements which $\delta$, $\eta$ have to satisfy are as follows:

1. $\eta$ has only one active S-box.
2. $\delta$ is the output difference of the T transformation of $\eta$.
3. $\mathrm{Prob}(\eta \to \delta) = 2^{-6}$.

So the differential $E_1$ we construct has the probability $(2^{-6})^2 \cdot (2^{-6})^2 = 2^{-24}$. In total, the probability of $E$ is $2^{-98} \cdot 2^{-24} \cdot 2^{-128} = 2^{-250}$.

This distinguisher leads to an 18-round rectangle attack with $2^{127}$ chosen plaintexts and $2^{110.77}$ encryptions, which is better than T. Kim's rectangle attack on SMS4 in time complexity.
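Requirements 1 and 2 on α and β can be checked mechanically. The following is an added example, not code from the thesis: it uses the S-box and linear transformation L from the published SMS4 specification, and generalises the abstract's choice by accepting any α with a single active byte. The function names are assumptions made for this illustration.

```python
# SMS4 S-box as given in the published cipher specification (two rows per line).
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948"
)

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def L(b):
    """Linear transformation L of the SMS4 round function."""
    return b ^ rotl32(b, 2) ^ rotl32(b, 10) ^ rotl32(b, 18) ^ rotl32(b, 24)

def ddt_row(din):
    """Row of the S-box difference distribution table for input difference din."""
    row = [0] * 256
    for x in range(256):
        row[SBOX[x] ^ SBOX[x ^ din]] += 1
    return row

def active_bytes(word):
    """Number of nonzero bytes, i.e. active S-boxes, in a 32-bit difference."""
    return sum(1 for i in range(4) if (word >> (8 * i)) & 0xFF)

def find_betas(alpha):
    """For alpha with one active byte, return every beta = L(S-box output
    difference) with Prob(alpha -> beta) = 2^-6 (DDT count 4 out of 256)
    such that alpha ^ beta has exactly three active bytes."""
    if active_bytes(alpha) != 1:
        raise ValueError("alpha must have exactly one active S-box")
    pos = next(i for i in range(4) if (alpha >> (8 * i)) & 0xFF)
    row = ddt_row((alpha >> (8 * pos)) & 0xFF)
    betas = []
    for dout, count in enumerate(row):
        if count == 4:
            beta = L(dout << (8 * pos))
            if active_bytes(alpha ^ beta) == 3:
                betas.append(beta)
    return betas

if __name__ == "__main__":
    print([hex(b) for b in find_betas(0x00000064)])
```

For α = 0x00000064 the S-box output difference with probability $2^{-6}$ is 0xb4, and L(0x000000b4) reproduces the abstract's β.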
Keywords/Search Tags: SMS4, Distinguisher, Rectangle attack, Differential