Cryptographic Properties and Quadratic Equations of S-Box in SMS4

This paper analyzes the characteristics of the S-box of the SMS4 cipher algorithm and discusses the S-box's algebraic balance, nonlinearity, avalanche characteristics, diffusion characteristics, and the number of quadratic equations relevant to the XSL attack. Compared with the S-boxes of the AES and Camellia algorithms, the SMS4 S-box design reaches the S-box design standard of the European and American standard block cipher algorithms. However, the algorithm's overall security features remain to be further studied.


Introduction
In 2001, Nicolas and Pieprzyk designed a new algebraic attack, the XSL (eXtended Sparse Linearization) attack [1], to attack Serpent and AES, reducing cryptanalysis of Serpent and AES to the problem of solving multivariate quadratic equations (the MQ problem). The key technique in the XSL attack is to describe the non-linear parts of a block cipher in the form of quadratic equations, make the system overdetermined through XSL, and solve it with linear methods. However, it remains an open question whether this attack method is effective or not.
In 2005, Carlos Cid et al. revealed the essence of the XSL attack [2], pointing out that the XSL attack is ineffective for the equations constituted by Serpent and AES. Meanwhile, hidden equations in the non-linear parts of block ciphers found by Courtois et al. provided new directions for future research.
This paper analyzed hidden equations of the non-linear parts of the block cipher Serpent [3] while combining the boomerang [4][5] attack and the rectangle [5][6] attack in order to design a new method called the differential algebraic attack, and put forward an algebraic attack on 10-round Serpent-128.
A well-designed S-box ensures that a cryptographic algorithm is better able to resist differential and linear cryptanalysis, while any defect in the S-box may affect the security of the entire algorithm.

SMS4 algorithm principle

SMS4 algorithm S-box algebraic properties
The S-box is the only non-linear structure in most block cipher algorithms, and its cryptographic properties directly determine the performance of the cryptographic algorithm.

S-box algebraic expression
If the components of a cipher have compact algebraic expressions, and these can be combined into an expression of manageable complexity, then an interpolation attack on the cipher is feasible; the lower the degree and complexity of the algebraic expression of the cipher transformation, the more effective the attack. To prevent interpolation attacks, the algebraic expression of the cipher transformation is usually required to have a sufficiently high degree and complexity.

Differential characteristics
Differential cryptanalysis is a chosen-plaintext attack. Its basic idea is to obtain the most likely key by analyzing how specific plaintext differences affect the differences of the corresponding ciphertexts, and it is one of the most effective ways to attack a block cipher. An S-box's resistance to differential cryptanalysis is assessed through its differential uniformity and its differential distribution matrix: a small differential uniformity is a necessary condition for the S-box to resist differential attacks.

Linearity characteristics
Linear cryptanalysis is a known-plaintext attack whose goal is to find and use linear expressions relating bits of the plaintext P, the ciphertext C and the key K. The deviation from 1/2 of the probability that such an expression holds is an important measure in linear cryptanalysis. At its core, linear cryptanalysis comes down to examining the relationship between the input and output bits of the S-box, which can be characterized by the linear distribution matrix.
Table 1 lists the indicators calculated for the S-box of the SMS4 algorithm and for the S-boxes of the AES and Camellia algorithms, giving a comprehensive comparison of algebraic expression, nonlinearity and resistance to attack.

Table 1 Cryptographic Properties
Although the algebraic expressions of the SMS4, AES and Camellia S-boxes all have degree 254, the expressions of the SMS4 and Camellia S-boxes have up to 255 terms, while that of the AES S-box has only 9. It can be seen that the algebraic expressions of the SMS4 and Camellia S-boxes are more complex than that of AES, which to some extent better ensures the security of the algorithm.
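The differential uniformity and nonlinearity measures described in the two sections above can be computed directly from any 8-bit S-box table. The code below is an added example, not taken from the paper: the function names are hypothetical, and the sample input is the AES S-box generated in code (one of the paper's comparison ciphers); to evaluate SMS4, pass its 256-entry table to the same two functions.

```python
def gf_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def aes_sbox():
    """Sample input: AES S-box, the AES affine map applied to x^254 (the inverse)."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = gf_mul(inv, x)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

def differential_uniformity(sbox):
    """Largest entry of the difference distribution matrix over nonzero input differences."""
    best = 0
    for dx in range(1, 256):
        row = [0] * 256
        for x in range(256):
            row[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(row))
    return best

def nonlinearity(sbox):
    """128 - max|W|/2, W = Walsh spectrum of every nonzero output-bit combination."""
    worst = 0
    for mask in range(1, 256):
        w = [1 - 2 * (bin(mask & y).count("1") & 1) for y in sbox]
        h = 1
        while h < 256:  # in-place fast Walsh-Hadamard transform over all input masks
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        worst = max(worst, max(abs(v) for v in w))
    return 128 - worst // 2

if __name__ == "__main__":
    s = aes_sbox()
    print(differential_uniformity(s), nonlinearity(s))
```

A linear table such as the identity map gives the worst possible values (256 and 0), which is a quick way to confirm the functions are wired up correctly before feeding in a real S-box.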

Quadratic Equations of S-box in SMS4
As S-boxes [8][9][10] are the most important non-linear parts of a block cipher, how to use the equations constructed from S-boxes to attack ciphers is an important question in cryptanalysis. In 2011, Hu Zhi-Hua and Qin Zhong-Ping used algebraic equations in the input and output differentials and the keys, which can be constructed from the S-box, and combined them with a differential attack to put forward a new differential algebraic attack on 8-round Serpent-128. This method needs 2 packets of memory storage to guess 12 bits of the 8-round Serpent-128 encryption key [13,14].

Quadratic Equations
) ) as multi-output function of S-boxes with m as input and n as output, in which ) ) . Thus, a multivariate coefficient matrix in $x_i, y_j$ can be constructed according to the above function.

Advanced Engineering Forum Vols.6-7

The multi-output function for S-boxes in Serpent encryption algorithm is ( × can be constructed, with array elements as , if fundamental system of solutions constructed according to Definition 1 and Definition 2 contain equation of the following form: Then we can make use of input differentials of two pairs of plaintexts to construct output differential and first order algebraic equation of the key. Thus, the following can be obtained: full binary coefficient matrix of the size of 16 25

Proving
and output of S-boxes,

Definition 2:
After linearizing the resulting binary coefficient matrix, we can obtain a fundamental system of solutions in the form of the following equation:
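Added example, not from the paper: one way to carry out the construction this section describes, building the binary coefficient matrix of all monomials of degree at most 2 in the input bits x_i and output bits y_j, then linearizing it over GF(2) to obtain a basis of quadratic equations. The function names are hypothetical, and the Serpent S0 table is supplied here as sample input; it does not appear on the page.

```python
from itertools import combinations

SERPENT_S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]  # sample input

def monomials(n):
    """Monomials of degree <= 2 in the 2n variables x_0..x_{n-1}, y_0..y_{n-1}."""
    return [()] + [(i,) for i in range(2 * n)] + list(combinations(range(2 * n), 2))

def quadratic_equations(sbox, n):
    """Independent GF(2) relations sum(monomials) = 0 that hold for every (x, S(x))."""
    # Row r of the coefficient matrix: bits of x (variables 0..n-1), then bits of y = S(x).
    rows = [[(x >> i) & 1 for i in range(n)] + [(sbox[x] >> i) & 1 for i in range(n)]
            for x in range(1 << n)]
    monos = monomials(n)
    basis, relations = {}, []  # pivot bit -> (column vector, which columns were XORed)
    for j, m in enumerate(monos):
        # Column j as a bitmask: bit r is the value of monomial m on row r.
        v = sum(all(row[k] for k in m) << r for r, row in enumerate(rows))
        combo = 1 << j
        while v:
            p = v.bit_length() - 1
            if p not in basis:
                basis[p] = (v, combo)
                break
            v, combo = v ^ basis[p][0], combo ^ basis[p][1]
        else:  # column reduced to zero: combo is a linear dependency, i.e. an equation
            relations.append([monos[k] for k in range(len(monos)) if combo >> k & 1])
    return relations

def holds(relation, sbox, n):
    """Check that the XOR of the relation's monomials is 0 on every input."""
    for x in range(1 << n):
        bits = [(x >> i) & 1 for i in range(n)] + [(sbox[x] >> i) & 1 for i in range(n)]
        if sum(all(bits[k] for k in m) for m in relation) % 2:
            return False
    return True
```

For a 4-bit S-box the matrix has 16 rows and 37 monomial columns, so at least 37 - 16 = 21 independent equations always exist; the same routine handles an 8-bit table with `n = 8` (256 rows, 137 columns).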