Paper 2010/062

Differential Cryptanalysis of SMS4 Block Cipher

Bozhan Su, Wenling Wu, and Wentao Zhang


SMS4 is a 128-bit block cipher used in the WAPI standard for wireless networks in China. In this paper, we analyze the security of SMS4 block cipher against differential cryptanalysis. Firstly, we prove three theorems and one corollary that reflect relationships of 5- and 6-round SMS4. Nextly, by these relationships, we clarify the minimum number of differentially active S-boxes in 6-, 7- and 12-round SMS4 respectively. Finally, based on the above results, we present a family of about $2^{14}$ differential characteristics for 19-round SMS4, which leads to an attack on 23-round SMS4 with $2^{115}$ chosen plaintexts and $2^{124.3}$ encryptions. Our attack is the best known attack on SMS4 so far.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Block CipherSMS4Differential Cryptanalysis
Contact author(s)
subozhan @ 126 com
2010-02-08: received
Short URL
Creative Commons Attribution


      author = {Bozhan Su and Wenling Wu and Wentao Zhang},
      title = {Differential Cryptanalysis of SMS4 Block Cipher},
      howpublished = {Cryptology ePrint Archive, Paper 2010/062},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.