A quantum distinguisher for 7/8-round SMS4 block cipher

Journal: Quantum Information Processing

Abstract

Constructions of quantum distinguishers (extended to key recovery attacks) for generalized Feistel networks have been recently proposed in several works, where the main focus has been on Type 1 and 2 schemes. In this work, we derive a quantum distinguisher for 7 and 8 rounds of the SMS4 block cipher, which belongs to the class of unbalanced (contracting) generalized Feistel schemes. In the former case, by applying Simon’s quantum algorithm we construct a quantum distinguisher that runs in (quantum) polynomial time \(\mathcal {O}(n)\) (n is the branch size), while later we need to combine Simon’s and Grover’s algorithms in context of the amplitude amplification technique. We show that for the 8-round SMS4 cipher a quantum distinguisher can be constructed in both Q1 and Q2 attack models. This is achieved by applying the method of asymmetric search of a period, introduced by Bonnetain et al. (Advances in cryptology ASIACRYPT 2019, LNCS, 2019), where online and offline queries to the encryption oracle are separated. In this context, we answer the open problem posed by Dong et al. (Sci China Inf Sci 62:22501, 2019), which has been left open for construction of quantum distinguishers for \(\ge 7\) rounds. Moreover, we show that for the specific instance when the quantum oracle for 8 rounds of SMS4 cipher is available, one can extract the master secret key with the same complexity and number of qubits required for the 8-round distinguisher.

Fig. 1
Fig. 2

Notes

  1. Following the notion of unicity distance, the number of pairs sufficient to determine the key uniquely is \(\ge \lceil \frac{k}{N}\rceil \). Here, k is the size of the master secret key and N is the size of the input block. In our case, \(k=N=128\), and thus \(r\ge 2\) is sufficient.

References

  1. Abbasi, I., Afzal, M.: A compact S-Box design for SMS4 block cipher. IT Convergence and Services. LNEE, vol. 107. Springer, Dordrecht, pp. 641–658 (2011)

  2. Bernstein, E., Vazirani, U.: Quantum complexity theory. SIAM J. Comput. 26(5), 1411–1473 (1997)

  3. Bonnetain, X.: Quantum key-recovery on full AEZ. In: 24th International Conference on Security and Cryptology, Selected Areas in Cryptography SAC 2017. Ottawa, ON, Canada, 16–18, pp. 394–406 (2017). https://doi.org/10.1007/978-3-319-72565-9

  4. Bonnetain, X., Plasencia, M.N.: Hidden shift quantum cryptanalysis and implications. Advances in Cryptology ASIACRYPT 2018, LNCS, vol. 11272, pp. 560–592 (2018)

  5. Bonnetain, X., Plasencia, M.N., Schrottenloher, A.: On quantum Slide attacks. Selected Areas in Cryptography SAC 2019, LNCS, vol. 11959, pp. 492–519 (2019)

  6. Bonnetain, X., Hosoyamada, A., Plasencia, M.N., Sasaki, Y., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon algorithm. Advances in Cryptology ASIACRYPT 2019, LNCS, vol. 11921, pp. 552–583 (2019)

  7. Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Quantum Computation and Information (Washington, DC, 2000), Contemporary Mathematics, vol. 305, pp. 53–74 (2002)

  8. Diffie, W., Ledin, G.: SMS4 encryption algorithm for wireless networks. IACR Cryptology ePrint Archive (2008). https://eprint.iacr.org/2008/329.pdf

  9. Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. IACR Cryptology ePrint Archive (2018). https://eprint.iacr.org/2018/504.pdf

  10. Dong, X., Li, Z., Wang, X.: Quantum cryptanalysis on some generalized Feistel schemes. Sci. China Inf. Sci. 62, 22501 (2019)

  11. Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61, 102501 (2019)

  12. Feistel, H., Notz, W.A., Smith, J.L.: Some cryptographic techniques for machine-to-machine data communications. Proc. IEEE 63(11), 1545–1554 (1975)

  13. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, pp. 212–219 (1996)

  14. Hao, X., Zhang, F., Wei, Y., Zhou, Y.: Quantum period finding based on the Bernstein–Vazirani algorithm. Quantum Inf. Comput. 20(1–2), 65–84 (2020)

  15. Hosoyamada, A., Aoki, K.: On quantum related-key attacks on iterated Even-Mansour ciphers. Advances in Information and Computer Security, International Workshop on Security IWSEC 2017, LNCS, vol. 10418, pp. 3–18 (2017)

  16. Hosoyamada, A., Sasaki, Y.: Quantum Demirci-Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: International Conference on Security and Cryptography for Networks, Security and Cryptography for Networks, LNCS, vol. 11035, pp. 386–403 (2018)

  17. Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. Cryptographers Track at the RSA Conference, CT-RSA 2019: Topics in Cryptology CT-RSA 2019, LNCS, vol. 11405, pp. 391–411 (2019)

  18. Ito, G., Iwata, T.: Quantum distinguishing attacks against type-1 generalized Feistel ciphers. IACR Cryptology ePrint Archive (2019). https://eprint.iacr.org/2019/327.pdf

  19. Kaplan, M., Leurent, G., Leverrier, A., Plasencia, M.N.: Breaking symmetric cryptosystems using quantum period finding. CRYPTO 2016: Advances in Cryptology CRYPTO 2016, LNCS, vol. 9815. Springer, Berlin, Heidelberg, pp. 207–237 (2016)

  20. Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory (2010). https://doi.org/10.1109/ISIT.2010.5513654

  21. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: International Symposium on Information Theory and its Applications, October 28–31, Honolulu, HI, USA (2012)

  22. Leander, G., May, A.: Grover meets Simon: quantumly attacking the FX-construction. In: Advances in Cryptology ASIACRYPT 2017, International Conference on the Theory and Application of Cryptology and Information Security, LNCS, vol. 10625, pp. 161–178 (2017)

  23. Liu, F., Ji, W., Hu, L., Ding, J., Lv, S., Pyshkin, A., Weinmann, R.-P.: Analysis of the SMS4 block cipher. In: Australasian Conference on Information Security and Privacy, Information Security and Privacy, LNCS, vol. 4586. Springer, Berlin, Heidelberg, pp. 158–170 (2007)

  24. Matsui, M.: New block encryption algorithm MISTY. In: International Workshop on Fast Software Encryption, LNCS, vol. 1267. Springer, Berlin, Heidelberg, pp. 54–68 (2006)

  25. Ni, B., Dong, X.: Improved quantum attack on type-1 generalized Feistel schemes and its application to CAST-256. IACR Cryptology ePrint Archive (2019). https://eprint.iacr.org/2019/318.pdf

  26. Rötteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015)

  27. Santoli, T., Schaffner, C.: Using Simon’s algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput. 17(1–2), 65–78 (2017)

  28. Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)

  29. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, IEEE Computer Society Washington, DC, USA, pp. 124–134 (1994)

  30. Xu, L., Guo, J., Cui, J., Li, M.: Key-recovery attacks on LED-like block ciphers. Tsinghua Sci. Technol. 24(5), 585–595 (2019)

  31. Zhang, L.T., Wu, W.L.: Pseudorandomness and super pseudorandomness on the unbalanced Feistel networks with contracting functions. China J. Comput. 32, 1320–1330 (2009)

Acknowledgements

S. Hodžić and L. R. Knudsen are supported by a grant from the Independent Research Fund Denmark for Technology and Production, Grant No. 8022-00348A.

Corresponding author

Correspondence to S. Hodžić.

Appendix

1.1 Further prospect of the full key recovery approach

The significant reduction in the complexity of recovering the key K by the Simon–Grover algorithm (via \(RF^{(1)}_8\)) actually comes from the environment that the function f creates. More precisely, all three tests involved in the definition of the classifier \(\mathcal {B}\) depend mainly on the periodicity of the function f, which is expected to hold (with high probability) when \(y=k_1\).

If we wanted to apply the same approach to other rounds by cancelling certain functions (as we employed \(\zeta (x,y)\) to cancel \(x\oplus F_1(\alpha )\)), the main problem would be that the complexity of the round function, through the iterations, increases the complexity of the branches very quickly. This means that one would need to cancel many functions before a periodic function is reached, which involves many round keys. For instance, if we consider \(RF^{(1)}_9(x,\varLambda )\), which is given as

$$\begin{aligned} RF^{(1)}_9(x,\varLambda )={}& \alpha \oplus F_2(x\oplus F_1(\alpha ))\oplus F_6\{ F_3(x\oplus F_1(\alpha )\oplus F_2(x\oplus F_1(\alpha )))\\ &\oplus F_4[x\oplus F_1(\alpha )\oplus F_2(x\oplus F_1(\alpha ))\oplus F_3(x\oplus F_1(\alpha )\oplus F_2(x\oplus F_1(\alpha )))]\\ &\oplus x\oplus F_1(\alpha )\oplus F_5[\alpha \oplus G(x\oplus F_1(\alpha ))]\}, \end{aligned}$$

then one has to cancel the function \(\alpha \oplus F_2(x\oplus F_1(\alpha ))\) (which requires guessing \(k_1\) and \(k_2\)) and then apply \(F^{-1}_6\). Since we then obtain a sum of many functions (inside \(F_6\)), one can either cancel the whole term \(F_5[\alpha \oplus G(x\oplus F_1(\alpha ))]\) (since applying \(F^{-1}_5\) directly is not possible), or cancel all the other functions. Clearly, it is easier to cancel the term \(F_5[\alpha \oplus G(x\oplus F_1(\alpha ))]\), which means guessing the key \(k_5\) as well. All remaining terms can be written in the form \(\tilde{G}(x\oplus F_1(\alpha ))\), for some function \(\tilde{G}\), which can be utilized for the construction of a periodic function f.

In the context of the Simon–Grover algorithm, the periodicity then relies on guessing the keys \(k_1,\) \(k_2\) and \(k_5\), which succeeds with probability \(2^{-3n}\). In this case, the overall query complexity of extracting the full key K is \(2^{3n/2}\cdot \mathcal {O}(n)\), which is faster than brute force but still much less efficient than the complexity derived for 8 rounds. Thus, the approach given in Sect. 5 becomes inefficient very quickly, since the branches (over higher rounds) become more and more complicated.

1.2 Experiments related to periodicity of f given by (7) (simplified settings)

Let us consider the function f given by (7) when \(n=8\), with \(F_r\) defined as \(F_r(x)=S(x\oplus k_r)\), \(x\in \mathbb {F}^8_2\), where S is the S-box of the SMS4 cipher (see for instance [8, 23]). The round function with this setting is denoted by \(\overline{RF}_r\). Hence, we omit the linear mapping L (defined in Sect. 3) and set the branch size to \(n=8\). Roughly speaking, this is one of the design ideas used in the round function of the MISTY block cipher (see Figure 4 in [24]).

Let us consider the function \(f:\mathbb {F}^{8+9}_2\rightarrow \mathbb {F}_2\) defined by

$$f(y,b,x)=\begin{cases} g(y,x)=\alpha _0\oplus S^{-1}[x\oplus S(\alpha _0\oplus y)\oplus \overline{RF}^{(1)}_8(x,\varLambda _0)], & b=0 \\ h(y,x)=\alpha _1\oplus S^{-1}[x\oplus S(\alpha _1\oplus y)\oplus \overline{RF}^{(1)}_8(x,\varLambda _1)], & b=1 \end{cases} \tag{11}$$

where \(\varLambda _j=(\alpha _j,\alpha _j,\alpha _j)\) (\(j=0,1\)) with \(\alpha _0\ne \alpha _1\).

In Table 2 we check the number of vectors \(y\in \mathbb {F}^8_2\) for which the function f given by (11) is periodic in general, i.e., we check, for all \(\overline{s}\in \mathbb {F}^8_2\), whether \(g(y,x\oplus \overline{s})=h(y,x)\) holds (Remark 2). We take arbitrary pairs \((\alpha _0,\alpha _1)\in \mathbb {F}^{8+8}_2\) and random sets of keys for 8 rounds, and the periodicity of f is tested by checking the equality \(g(y,x\oplus s)=h(y,x)\) for vectors \(x\in RandomS\), where the set RandomS is of cardinality \(30>\lceil \frac{3n+3\ell }{n+1}\rceil =24\) for \(\ell =2(n+1+\sqrt{n+1})=24\) (Lemma 1). As the table shows, in all observed instances there is at most one period \(\overline{s}\) (always corresponding to exactly one vector y) which satisfies the equality \(g(y,x\oplus \overline{s})=h(y,x)\) (for all \(x\in RandomS\)), and it is always given by \(\overline{s}=F_1(\alpha _0)\oplus F_1(\alpha _1)\).

Table 2 Testing the periodicity of f given by (11) for different (randomly) chosen parameters

For instance, let us consider \((\alpha _0,\alpha _1)=(00010010, 11001100)\), and the key set (for 8 rounds) given as

$$\begin{aligned} Keys={}&\{k_1,\ldots ,k_8\}\\ ={}&\{10101111, 01000011, 11100110, 10001000, 11110010, 10101000, 10101010, 11010100\}. \end{aligned}$$

Then one can check that the equality \(g(y,x\oplus s)=h(y,x)\) holds (for all \(x\in \mathbb {F}^8_2\)) for exactly one vector \(y=10101111\), which is equal to the key \(k_1=10101111\). This equality can first be tested for \(x\in RandomS\) (where one takes \(\# RandomS=30\)), and then further verified on the whole space \(\mathbb {F}^8_2\). One can verify that the values of the function h(10101111, x) (evaluated over the lexicographically ordered space \(\mathbb {F}^8_2\)) are given (in hexadecimal notation) by

$$\begin{aligned}&cc, 9b, 60, c9, 4b, f1, 32, 34, 86, 35, a8, 94, 15, 6f, fd, 5e, 1a, d, d6, 1b, f5, f6, cf, f4, 27, 4f, 26, 79,\\&f, 4f, ae, d3, d4, f8, 5b, cc, 10, 28, 49, c4, 1c, 99, 64, 80, 92, 8f, dd, 63, 23, 5e, bf, 8d, bb, 54, e4, 9a, a2,\\&2c, 75, fe, 26, 83, 4f, d3, ff, 5e, 29, ca, b0, 19, dc, dd, 29, a5, d, a, e0, 88, c7, f2, 6, 72, 33, bc, ce, 45,\\&34, 4e, ce, ec, ea, c2, c0, fb, bf, 30, 85, 26, eb, 8e, e6, 7b, 69, cf, 7b, a5, 86, f2, ce, fe, 72, 71, 55, cd,\\&3a, 62, 1, f8, af, 66, 4c, df, 65, ce, e8, 9e, 4a, ed, 6c, 74, f7, b5, 40, b9, 8, 96, c0, 34, ae, ca, d2, f8, fd,\\&9f, 2, df, de, 5f, 77, 98, 2, 3f, 6b, d5, 1f, 5e, a0, f6, 7, cb, c6, c7, cf, cc, 38, d0, 7f, 5a, f, c2, ea, 6e, c7,\\&5e, a4, 68, 22, f9, 77, 37, b6, 67, 6c, 53, 31, 4, 75, 29, 10, fd, 3c, 0, 5, 8f, 67, a8, 44, 6d, 1f, 3, 2, 6b, a1,\\&4b, 56, c7, 6a, 72, a1, 6c, 14, de, 4e, 74, 25, 3d, 12, fa, d7, 6e, d6, 50, 47, 63, 76, ec, 57, 2c, 22, 8, f9, 78,\\&f1, cc, 9b, 9e, 3, a5, 2f, 2c, e, e8, 73, df, 2d, 77, e5, 96, 8d, b1, 83, e8, ad, 8, ac, b1. \end{aligned}$$

The period \(\overline{s}\) is given by \(\overline{s}=F_1(\alpha _0)\oplus F_1(\alpha _1)=S(00010010\oplus k_1)\oplus S(11001100\oplus k_1)=00110010.\)
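As an added illustration (this is not code from the paper), the following Python reproduces the two parts of this appendix that are fully specified on the page: the predicted period \(\overline{s}=F_1(\alpha _0)\oplus F_1(\alpha _1)\) under the simplified round function \(F_r(x)=S(x\oplus k_r)\) with the SMS4 S-box, and the sample-then-verify periodicity test (30 random x first, then the whole space \(\mathbb {F}^8_2\)) applied to g and h from (11) for every guess y. The 8-round function \(\overline{RF}^{(1)}_8\) is not defined on this page, so `make_toy_rf8` is a constructed stand-in built only to have the algebraic shape the appendix attributes to the remaining terms (an injective \(\tilde{G}(x\oplus F_1(\alpha ))\) under one last S-box layer); its internals, and the use of \(k_2,k_3\) inside it, are assumptions. On the page's parameters it returns exactly \(y=k_1=10101111\) with period 00110010.

```python
import random

# SMS4/SM4 S-box, the standard 16x16 table (row = high nibble, column = low nibble).
SBOX = [
    0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,
    0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
    0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,
    0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,
    0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,
    0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,
    0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87,
    0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52, 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E,
    0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1,
    0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3,
    0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F,
    0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51,
    0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8,
    0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0,
    0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84,
    0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0x48,
]
SBOX_INV = [0] * 256          # S^{-1}, needed by g and h in (11)
for _i, _v in enumerate(SBOX):
    SBOX_INV[_v] = _i


def F(x, k):
    """Simplified round function of the appendix: F_r(x) = S(x xor k_r), no linear layer L, n = 8."""
    return SBOX[x ^ k]


def period_from_keys(alpha0, alpha1, k1):
    """The period the appendix predicts: s = F_1(alpha0) xor F_1(alpha1)."""
    return F(alpha0, k1) ^ F(alpha1, k1)


def make_toy_rf8(k1, k2, k3):
    """CONSTRUCTED stand-in for RF8^(1)(x, Lambda) with Lambda = (alpha, alpha, alpha).

    The real 8-round function is not given on this page. This stand-in only keeps the shape the
    appendix relies on: an injective term G~(x xor F_1(alpha)) sitting under one last S-box layer,
    so that S^{-1} in (11) peels it off when the guess y equals k1. The inner use of k2, k3 is an
    assumption made to give G~ some key dependence; it is not the cipher's structure.
    """
    def g_tilde(u):                     # injective: a composition of bijections
        return SBOX[SBOX[u ^ k2] ^ k3]

    def rf8(x, alpha):
        u = x ^ F(alpha, k1)            # the true k1 is used here: this is the "oracle" side
        return u ^ SBOX[alpha ^ g_tilde(u)]
    return rf8


def make_f(rf8, alpha0, alpha1):
    """g and h from equation (11): alpha_b xor S^{-1}[x xor S(alpha_b xor y) xor RF8(x, Lambda_b)]."""
    def branch(alpha):
        def gh(y, x):                   # y is the guess for k1
            return alpha ^ SBOX_INV[x ^ SBOX[alpha ^ y] ^ rf8(x, alpha)]
        return gh
    return branch(alpha0), branch(alpha1)


def candidate_periods(g, h, y, sample):
    """Periods s surviving the cheap test g(y, x xor s) == h(y, x) on the sampled x only."""
    return [s for s in range(256) if all(g(y, x ^ s) == h(y, x) for x in sample)]


def verify_period(g, h, y, s):
    """Full verification of a surviving candidate over the whole space F_2^8."""
    return all(g(y, x ^ s) == h(y, x) for x in range(256))


def periodic_guesses(g, h, sample_size=30, seed=0):
    """Map each guess y that makes f periodic to its verified periods (RandomS has 30 elements)."""
    sample = random.Random(seed).sample(range(256), sample_size)   # the set RandomS
    found = {}
    for y in range(256):
        periods = [s for s in candidate_periods(g, h, y, sample) if verify_period(g, h, y, s)]
        if periods:
            found[y] = periods
    return found


def run_page_instance():
    """Parameters from the appendix: alpha0 = 00010010, alpha1 = 11001100, k1 = 10101111, and
    k2 = 01000011, k3 = 11100110 from the listed key set (used only inside the toy stand-in)."""
    alpha0, alpha1 = 0b00010010, 0b11001100
    k1, k2, k3 = 0b10101111, 0b01000011, 0b11100110
    g, h = make_f(make_toy_rf8(k1, k2, k3), alpha0, alpha1)
    return periodic_guesses(g, h)


if __name__ == "__main__":
    print("predicted period:", format(period_from_keys(0b00010010, 0b11001100, 0b10101111), "08b"))
    for y, periods in run_page_instance().items():
        print("y =", format(y, "08b"), "periods:", [format(s, "08b") for s in periods])
```

The ordering of the two checks is the point of Lemma 1 as used in the appendix: `all(...)` stops at the first x that breaks the equality, so almost every (y, s) pair is discarded after a single evaluation on the 30-element sample, and the exhaustive pass over all 256 values of x is only paid for the few candidates that survive.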

Cite this article

Hodžić, S., Knudsen, L.R. A quantum distinguisher for 7/8-round SMS4 block cipher. Quantum Inf Process 19, 411 (2020). https://doi.org/10.1007/s11128-020-02929-6
