Abstract
Constructions of quantum distinguishers (extended to key recovery attacks) for generalized Feistel networks have recently been proposed in several works, where the main focus has been on Type 1 and Type 2 schemes. In this work, we derive a quantum distinguisher for 7 and 8 rounds of the SMS4 block cipher, which belongs to the class of unbalanced (contracting) generalized Feistel schemes. In the former case, by applying Simon’s quantum algorithm we construct a quantum distinguisher that runs in (quantum) polynomial time \(\mathcal {O}(n)\) (n is the branch size), while in the latter case we need to combine Simon’s and Grover’s algorithms in the context of the amplitude amplification technique. We show that for the 8-round SMS4 cipher a quantum distinguisher can be constructed in both the Q1 and Q2 attack models. This is achieved by applying the method of asymmetric search of a period, introduced by Bonnetain et al. (Advances in cryptology ASIACRYPT 2019, LNCS, 2019), where online and offline queries to the encryption oracle are separated. In this context, we answer the open problem posed by Dong et al. (Sci China Inf Sci 62:22501, 2019), which had been left open for the construction of quantum distinguishers for \(\ge 7\) rounds. Moreover, we show that for the specific instance when the quantum oracle for 8 rounds of the SMS4 cipher is available, one can extract the master secret key with the same complexity and number of qubits as required for the 8-round distinguisher.
Notes
Following the notion of unicity distance, the number of pairs sufficient to determine the key uniquely is \(\ge \lceil \frac{k}{N}\rceil \). Here, k is the size of the master secret key and N is the size of the input block. In our case, \(k=N=128\), and thus \(r\ge 2\) is sufficient.
References
Abbasi, I., Afzal, M.: A compact S-Box design for SMS4 block cipher. IT Convergence and Services. LNEE, vol. 107. Springer, Dordrecht, pp. 641–658 (2011)
Bernstein, E., Vazirani, U.: Quantum complexity theory. SIAM J. Comput. 26(5), 1411–1473 (1997)
Bonnetain, X.: Quantum key-recovery on full AEZ. In: 24th International Conference on Security and Cryptology, Selected Areas in Cryptography SAC 2017. Ottawa, ON, Canada, 16–18, pp. 394–406 (2017). https://doi.org/10.1007/978-3-319-72565-9
Bonnetain, X., Plasencia, M.N.: Hidden shift quantum cryptanalysis and implications. Advances in Cryptology ASIACRYPT 2018, LNCS, vol. 11272, pp. 560–592 (2018)
Bonnetain, X., Plasencia, M.N., Schrottenloher, A.: On quantum Slide attacks. Selected Areas in Cryptography SAC 2019, LNCS, vol. 11959, pp. 492–519 (2019)
Bonnetain, X., Hosoyamada, A., Plasencia, M.N., Sasaki, Y., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon algorithm. Advances in Cryptology ASIACRYPT 2019, LNCS, vol. 11921, pp. 552–583 (2019)
Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Quantum Computation and Information (Washington, DC, 2000), Contemporary Mathematics, vol. 305, pp. 53–74 (2002)
Diffie, W., Ledin, G.: SMS4 encryption algorithm for wireless networks. IACR Cryptology ePrint Archive (2008). https://eprint.iacr.org/2008/329.pdf
Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. IACR Cryptology ePrint Archive (2018). https://eprint.iacr.org/2018/504.pdf
Dong, X., Li, Z., Wang, X.: Quantum cryptanalysis on some generalized Feistel schemes. Sci. China Inf. Sci. 62, 22501 (2019)
Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61, 102501 (2019)
Feistel, H., Notz, W.A., Smith, J.L.: Some cryptographic techniques for machine-to-machine data communications. Proc. IEEE 63(11), 1545–1554 (1975)
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, pp. 212–219 (1996)
Hao, X., Zhang, F., Wei, Y., Zhou, Y.: Quantum period finding based on the Bernstein–Vazirani algorithm. Quantum Inf. Comput. 20(1–2), 65–84 (2020)
Hosoyamada, A., Aoki, K.: On quantum related-key attacks on iterated Even-Mansour ciphers. Advances in Information and Computer Security, International Workshop on Security IWSEC 2017, LNCS, vol. 10418, pp. 3–18 (2017)
Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: International Conference on Security and Cryptography for Networks, Security and Cryptography for Networks, LNCS, vol. 11035, pp. 386–403 (2018)
Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. Cryptographers’ Track at the RSA Conference, CT-RSA 2019: Topics in Cryptology CT-RSA 2019, LNCS, vol. 11405, pp. 391–411 (2019)
Ito, G., Iwata, T.: Quantum distinguishing attacks against type-1 generalized Feistel ciphers. IACR Cryptology ePrint Archive (2019). https://eprint.iacr.org/2019/327.pdf
Kaplan, M., Leurent, G., Leverrier, A., Plasencia, M.N.: Breaking symmetric cryptosystems using quantum period finding. CRYPTO 2016: Advances in Cryptology CRYPTO 2016, LNCS, vol. 9815. Springer, Berlin, Heidelberg, pp. 207–237 (2016)
Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory (2010). https://doi.org/10.1109/ISIT.2010.5513654
Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: International Symposium on Information Theory and its Applications, October 28–31, Honolulu, HI, USA (2012)
Leander, G., May, A.: Grover meets Simon quantumly attacking the FX-construction. In: Advances in Cryptology ASIACRYPT 2017, International Conference on the Theory and Application of Cryptology and Information Security, LNCS, vol. 10625, pp. 161–178 (2017)
Liu, F., Ji, W., Hu, L., Ding, J., Lv, S., Pyshkin, A., Weinmann, R.-P.: Analysis of the SMS4 block cipher. In: Australasian Conference on Information Security and Privacy, Information Security and Privacy, LNCS, vol. 4586. Springer, Berlin, Heidelberg, pp. 158–170 (2007)
Matsui, M.: New block encryption algorithm MISTY. In: International Workshop on Fast Software Encryption, LNCS, vol. 1267. Springer, Berlin, Heidelberg, pp. 54–68 (2006)
Ni, B., Dong, X.: Improved quantum attack on type-1 generalized Feistel schemes and its application to CAST-256. IACR Cryptology ePrint Archive (2019). https://eprint.iacr.org/2019/318.pdf
Rötteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015)
Santoli, T., Schaffner, C.: Using Simon’s algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput. 17(1–2), 65–78 (2017)
Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, IEEE Computer Society Washington, DC, USA, pp. 124–134 (1994)
Xu, L., Guo, J., Cui, J., Li, M.: Key-recovery attacks on LED-like block ciphers. Tsinghua Sci. Technol. 24(5), 585–595 (2019)
Zhang, L.T., Wu, W.L.: Pseudorandomness and super pseudorandomness on the unbalanced Feistel networks with contracting functions. China J. Comput. 32, 1320–1330 (2009)
Acknowledgements
S. Hodžić and L. R. Knudsen are supported by a grant from the Independent Research Fund Denmark for Technology and Production, Grant No. 8022-00348A.
Appendix
1.1 Further prospect of the full key recovery approach
The significant reduction in the complexity of recovering the key K by the Simon–Grover algorithm (via \(RF^{(1)}_8\)) stems from the environment that the function f creates. More precisely, all three tests involved in the definition of the classifier \(\mathcal {B}\) depend mainly on the periodicity of the function f, which is expected to occur (with high probability) when \(y=k_1\).
If we would like to apply the same approach to other rounds by cancelling certain functions (as we employed \(\zeta (x,y)\) to cancel \(x\oplus F_1(\alpha )\)), the main problem is that the complexity of the round function, through its iterations, raises the complexity of the branches very quickly. This means that one would need to cancel many functions until a periodic function is reached, which involves many round keys. For instance, if we consider \(RF^{(1)}_9(x,\varLambda )\), which is given as
then one has to cancel the function \(\alpha \oplus F_2(x\oplus F_1(\alpha ))\) (which requires guessing \(k_1\) and \(k_2\)) and then apply \(F^{-1}_6\). Since we then obtain a sum of many functions (inside \(F_6\)), one can either cancel the whole term \(F_5[\alpha \oplus G(x\oplus F_1(\alpha ))]\) (since applying \(F^{-1}_5\) directly is not possible), or cancel all the other functions. Clearly, it is easier to cancel the term \(F_5[\alpha \oplus G(x\oplus F_1(\alpha ))]\), which means guessing the key \(k_5\) as well. All remaining terms can be written in the form \(\tilde{G}(x\oplus F_1(\alpha ))\), for some function \(\tilde{G}\), which can be utilized for the construction of a periodic function f.
In the context of the Simon–Grover algorithm, the periodicity then relies on guessing the keys \(k_1,\) \(k_2\) and \(k_5\), which succeeds with probability \(2^{-3n}\). In this case, the overall query complexity of extracting the full key K is \(2^{3n/2}\cdot \mathcal {O}(n)\), which is faster than brute force but still much less efficient than the complexity derived for 8 rounds. Thus, the approach of Sect. 5 becomes inefficient very quickly, since the branches (over higher rounds) become more complicated.
1.2 Experiments related to periodicity of f given by (7) (simplified settings)
Let us consider the function f given by (7) when \(n=8\), with \(F_r\) defined as \(F_r(x)=S(x\oplus k_r)\), \(x\in \mathbb {F}^8_2\), where S is the S-box of the SMS4 cipher (see for instance [8, 23]). The round function with this setting is denoted by \(\overline{RF}_r\). Hence, we omit the linear mapping L (defined in Sect. 3) and set the branch size to \(n=8\). Roughly speaking, this is one of the design ideas involved in the round function of the MISTY block cipher (see Figure 4 in [24]).
Let us consider the function \(f:\mathbb {F}^{8+9}_2\rightarrow \mathbb {F}_2\) defined by
where \(\varLambda _j=(\alpha _j,\alpha _j,\alpha _j)\) (\(j=0,1\)) with \(\alpha _0\ne \alpha _1\).
In Table 2 we check the number of vectors \(y\in \mathbb {F}^8_2\) for which the function f given by (11) is periodic in general, i.e., we check whether \(g(y,x\oplus \overline{s})=h(y,x)\) holds for every candidate \(\overline{s}\in \mathbb {F}^8_2\) (Remark 2). We take arbitrary pairs \((\alpha _0,\alpha _1)\in \mathbb {F}^{8+8}_2\) and random key sets for 8 rounds, and test the periodicity of f by checking the equality \(g(y,x\oplus s)=h(y,x)\) for vectors \(x\in RandomS\), where the set RandomS has cardinality \(30>\lceil \frac{3n+3\ell }{n+1}\rceil =24\) for \(\ell =2(n+1+\sqrt{n+1})=24\) (Lemma 1). As shown in the table, in all observed instances there is at most one period \(\overline{s}\) (always corresponding to a single vector y) which satisfies the equality \(g(y,x\oplus \overline{s})=h(y,x)\) (for all \(x\in RandomS\)), and it is always given by \(\overline{s}=F_1(\alpha _0)\oplus F_1(\alpha _1)\).
For instance, let us consider \((\alpha _0,\alpha _1)=(00010010, 11001100)\), and the key set (for 8 rounds) given as
Then, one can check that the equality \(g(y,x\oplus s)=h(y,x)\) holds (for all \(x\in \mathbb {F}^8_2\)) for exactly one vector \(y=10101111\), which is equal to the key \(k_1=10101111\). This equality can first be tested for \(x\in RandomS\) (where one takes \(\# RandomS=30\)), and then verified on the whole space \(\mathbb {F}^8_2\). One can verify that the values of the function h(10101111, x) (evaluated over the lexicographically ordered space \(\mathbb {F}^8_2\)) are given (in hexadecimal notation) by
The period \(\overline{s}\) is given by \(\overline{s}=F_1(\alpha _0)\oplus F_1(\alpha _1)=S(00010010\oplus k_1)\oplus S(11001100\oplus k_1)=00110010.\)
Cite this article
Hodžić, S., Knudsen, L.R. A quantum distinguisher for 7/8-round SMS4 block cipher. Quantum Inf Process 19, 411 (2020). https://doi.org/10.1007/s11128-020-02929-6