Practical security against linear cryptanalysis for SMS4-like ciphers with SP round function  被引量：6

作　　者：ZHANG Bin JIN ChenHui 

机构地区：[1]P.O.Box 1936,Beijing 100193,China [2]Electronic Technology Institute,Information Engineering University,Zhengzhou 450004,China

出　　处：《Science China(Information Sciences)》2012年第9期2161-2170,共10页中国科学（信息科学）（英文版）

基　　金：supported by Henan Province Science Fund for Distinguished Young Scholars in China (Grant No.0312001800)

摘　　要：SMS4, a block cipher whose global structure adopts a special unbalanced Feistel scheme with SP round function, is accepted as the Chinese National Standard for securing Wireless LANs. In this paper, in order to evaluate the security against linear cryptanalysis, we examine the upper bound of the maximum linear characteristic probability of SMS4-1ike ciphers with SP round function. In the same way as for SPN ciphers, it is sufficient to consider the lower bound of the number of linear active s-boxes. We propose a formula to compute the lower bound of the number of linear active s-boxes with regard to the number of rounds. The security threshold of SMS4-1ike ciphers can be estimated easily with our result. Furthermore, if the number of input words in each round of SMS4-1ike cipher is m, we find that it is unnecessary for designers to make the linear branch number of P greater than 2m with respect to linear cryptanalysis.SMS4, a block cipher whose global structure adopts a special unbalanced Feistel scheme with SP round function, is accepted as the Chinese National Standard for securing Wireless LANs. In this paper, in order to evaluate the security against linear cryptanalysis, we examine the upper bound of the maximum linear characteristic probability of SMS4-1ike ciphers with SP round function. In the same way as for SPN ciphers, it is sufficient to consider the lower bound of the number of linear active s-boxes. We propose a formula to compute the lower bound of the number of linear active s-boxes with regard to the number of rounds. The security threshold of SMS4-1ike ciphers can be estimated easily with our result. Furthermore, if the number of input words in each round of SMS4-1ike cipher is m, we find that it is unnecessary for designers to make the linear branch number of P greater than 2m with respect to linear cryptanalysis.

关 键 词：block cipher SMS4-1ike cipher practical security linear cryptanalysis 

分 类 号：TN918.1[电子电信—通信与信息系统] D631[电子电信—信息与通信工程]