| SMS4is the first commercial block cipher published by China authority in February,2006. It is recommended by the Chinese WLAN security standard. SMS4has block size and user key size both of128bits. It adopts32rounds unbalanced Feistel network structure, which is first used in the key schedule algorithm of LOKI. After32rounds nonlinear iteration, it appends an reverse transformation, which makes the decryption algorithm identical with the encryption algorithm so long as the decryption keys are in reverse order with the encryption keys. The key schedule algorithm also adopts the unbalanced Feistel network.In the application of WLAN, security is always of most importance and it has become the biggest obstacle preventing WLAN coming into the application of information technology. In recent years, security technology in WLAN is developing very fast, but security problem is still the weakness of WLAN, which restraints the spread of WLAN. From the point of the development of WLAN, many people have devoted to solving the security problem. As an algorithm used in WAPI and the first commercial cryptographic algorithm, how to make new security evaluation of SMS4is a hot spot for the moment.Because of its importance, SMS4has obtained much attention since its publication. There are many attack methods for SMS4now. As one of the most used cryptanalysis methods, rectangle attack can use shorter differential paths of high probability to construct longer differential distinguishers, so it can attack algorithms that does not have long differential path of high probability. The most early rectangle attack is proposed by Lu in2007. He analyzed14-round SMS4with a distinguisher of probability2-237.64. In2008, T. Kim and J. Kim constructed a16-round rectangle distinguisher with probability2-244, and then they attacked18-round SMS4using2112.83encryptions and2124chosen plaintexts. Ping Xue proposed a16-round rectangle distinguisher with probability2-250and attacked18-round SMS4using2127chosen plaintexts.On the base of Ping Xue’ work, we improve the efficiency of the attack. We use the same16-round distinguisher which is composed of a10-round differential path and a6-round one. The S box and L transform used in SMS4has some special properties. Its S box has an output difference with the highest probability of2-6and the branch number of its L transform is5. Using these properties and by controlling some values in the differential path we make the distinguisher reach its highest probability. Besides, we use a new attack method. We make use of hash tables in the attack procedure to sort the quartets, which reduces the number of comparison and the time complexity. The improved attack needs2127chosen plaintexts and2103.8318-round encryptions.The attack can still be improved. So we propose three possible methods in the end. We can find better differential paths, add one more round or combine rectangle attack with Biclique attack. That is left for our future work. |
PDF Full Text Request