Paper 2008/281

Linear and Differential Cryptanalysis of Reduced SMS4 Block Cipher

Taehyun Kim, Jongsung Kim, Seokhie Hong, and Jaechul Sung


SMS4 is a 128-bit block cipher with a 128-bit user key and 32 rounds, which is used in WAPI, the Chinese WLAN national standard. In this paper, we present a linear attack and a differential attack on a 22-round reduced SMS4; our 22-round linear attack has a data complexity of 2^{117} known plaintexts, a memory complexity of 2^{109} bytes and a time complexity of 2^{109.86} 22-round SMS4 encryptions and 2^{120.39} arithmetic operations, while our 22-round differential attack requires 2^{118} chosen plaintexts, 2^{123} memory bytes and 2^{125.71} 22-round SMS4 encryptions. Both of our attacks are better than any previously known cryptanalytic results on SMS4 in terms of the number of attacked rounds. Furthermore, we present a boomerang and a rectangle attacks on a 18-round reduced SMS4. These results are better than previously known rectangle attacks on reduced SMS4. The methods presented to attack SMS4 can be applied to other unbalanced Feistel ciphers with incomplete diffusion.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Block CipherSMS4Linear AttackDifferential AttackBoomerang AttackRectangle Attck
Contact author(s)
kimth714 @ cist korea ac kr
2008-06-24: received
Short URL
Creative Commons Attribution


      author = {Taehyun Kim and Jongsung Kim and Seokhie Hong and Jaechul Sung},
      title = {Linear and Differential Cryptanalysis of Reduced {SMS4} Block Cipher},
      howpublished = {Cryptology ePrint Archive, Paper 2008/281},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.