Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4

Transcription

1 Hindawi ecurity and Communication Networks Volume 2017, Article ID , 10 pages Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher tandard M4 Yu Liu, 1,2 Huicong Liang, 1 Wei Wang, 1 and Meiqin Wang 1 1 Key Laboratory of Cryptologic Technology and Information ecurity, Ministry of Education, handong University, Jinan, China 2 Weifang University, Weifang, China Correspondence should be addressed to Meiqin Wang; mqwang@sdu.edu.cn Received 8 June 2017; Accepted 1 August 2017; Published 6 eptember 2017 Academic Editor: Jesús Díaz-Verdejo Copyright 2017 Yu Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. M4 is a Chinese commercial block cipher standard used for wireless communication in China. In this paper, we use the partial linear approximation table of -box to search for three rounds of iterative linear approximations of M4, based on which the linear approximation for 20-round M4 has been constructed. However, the best previous identified linear approximation only covers 19 rounds. At the same time, a linear approximation for 19-round M4 is obtained, which is better than the known results. Furthermore, we show the key recovery attack on 24-round M4 which is the best attack according to the number of rounds. 1. Introduction M4 [1], issued in 2006 by Chinese government, serves the WAPI (WLAN Authentication and Privacy Infrastructure) as the underling block cipher for the security of wireless LANs. In 2012, M4 was announced as the Chinese commercial block cipher standard, renamed M4 [2]. M4 receives more attention from the cryptographic community and a lot of cryptanalytic results for M4 have been produced. In [], the rectangle and boomerang attacks on 18-round M4 and the linear and differential attacks on 22-round M4 have been presented. Using multiple linear attack, Etrog and Robshaw gave an attack on 2-round M4 in [4]. Besides these, the differential attack and the multiple linear attack on 22-round M4 have been introduced in [5, 6]. Till now, the best differential attack for 2-round M4 is given in [7]. Cho and Nyberg proposed a multidimensional linear attack on 2-round M4 in [8]. The best linear attack on 2-round M4 is provided by Liu and Chen in [9]. Bai and Wu proposed a new lookup-table-based white-box implementation for M4 which could protect the large linear encodings from being cancelled out in [10]. Moreover, related-key differential attack on M4 has been given in [11] and the lower bound of the number of linear active -boxes for M4-like ciphers has been analyzed in [12]. Linear cryptanalysis [1] is one of the most important techniques in the analysis of symmetric-key cryptographic primitives. The linear cryptanalysis focuses on the linear approximation between plaintext, ciphertext, and key. If a cipher behaves differently from a random permutation for linear cryptanalysis, this can be used to build a distinguisher or even a key recovery attack through adding some rounds. The subkeys of appended rounds are guessed and the ciphertexts are decrypted and/or plaintexts are encrypted using these subkeys to calculate intermediate state at the ends of distinguisher. If the subkeys are correctly guessed, then the distinguisher should hold. Otherwise, it will fail. Linear cryptanalysis has been used to analyze many ciphers such as [14 17]. Our Contributions.Intermsofthenumberofroundsthatall the previous attacks for M4 can work, the best key recovery attacks on M4 are linear cryptanalysis and differential cryptanalysis, and both of them are based on 19-round distinguishers. Whether we can get a better distinguisher is our first motivation to improve the attacks on M4. Therefore, we focus on searching the linear approximation for M4 to improve the attacks on M4. The contributions of this paper are summarized as follows. The best previous linear attacks work on the 19-round linear approximations. We design a new search algorithm for the

2 2 ecurity and Communication Networks Table 1: ummary of linear approximations of M4. Rounds Bias Reference [9] ection ection iterative linear approximations for small rounds of M4 by gradually expanding the partial linear approximation table of -box. Firstly, it is proved that there is no one-round or tworound iterative linear approximation for M4, and then some propertiesareobtainedfortheiterativelinearapproximations of -round M4. Based on these properties, we utilize our searching algorithm to get an 19-round linear approximation with bias 2 58 and a 20-round linear approximation with bias The results about our identified linear approximations withthepreviousonesaredepictedintable1.itcanbeseen thatourlinearapproximationsarethebestonessofar. The best previous attacks can work on 2-round M4. Utilizing our identified 20-round linear approximation of M4, we give a key recovery attack on 24-round M4, which is the best attack according to the number of rounds for M4. Moreover, the new 19-round linear approximation is used to attack 2-round M4. As a result, the best previous linear attack on 2-round M4 is improved. A summary of our attacks and the previous attacks on M4 is listed in Table 2. The paper is organized as follows. ection 2 briefly describes the notations used in this paper and introduces the M4 block cipher. ection shows how to search the better linear approximations for M4. In ection 4, we use the 19-round and 20-round linear approximations to attack 2- round and 24-round M4, respectively. ection 5 concludes this paper. Xr 0 T Xr 1 Xr 2 Xr L 2 k r Xr+1 0 Xr+1 1 Xr+1 2 Xr+1 Figure 1: The round function of M4. as (P 0,P 1,P 2,P ) = (X 0 0,X1 0,X2 0,X 2 0 ) (F2 )4,andtheencryption procedure is described as follows: X r+1 =X0 r T(X1 r X2 r X r k r) =X 0 r L (X1 r X2 r X r k r), for r=0,...,1, where k r is the rth round s subkey (0 r 1).Theciphertext (C 0,C 1,C 2,C ) = (X 2,X2 2,X1 2,X0 2 ).Thedecryption procedureisthesameastheencryptionprocedurewiththe reverse order of subkeys. One round of M4 is shown in Figure 1. It can be known from Figure 1 that T is composed of the nonlinear layer and the linear transformation L. Layer has four 8 8boxes used in parallel. The specification of the -box could be referred to [1]. Let X F 2 2 and Y F 2 2 be the 2-bit input and output words of the linear transformation L.Then (1) 2. Preliminaries 2.1. Notations. In this subsection, we will present the notations used in this paper as follows: Y=L(X) =X (X 2) (X ) (X ) (X ). (2) (i) :abitwisexoroperation (ii) : concatenation of two words (iii) : left cyclic shift operation (iv) : multiplication of two vectors, matrix and vector, or two matrices (v) :bitwiseinnerproduct (vi) &&: logical AND operation (vii) X[i]:theith bit of X (viii) X[i j]: a bit string starting from the ith bit to the jth bit of X Brief Description of M4. M4 is a Chinese national standard block cipher used in WAPI for WLAN. It has 128- bit block size and the key size is also 128 bits. The design of M4isbasedontheunbalancedgeneralizedFeistelstructure and the number of rounds is 2. We denote the plaintext ThekeyscheduleofM4issimilartotheencryption procedurebuttheonlydifferencebetweenthemisthatthe linear transformation in the key schedule is L (X) =X (X 1) (X 2). () The 128-bit master key (MK 0, MK 1, MK 2, MK ) is first masked with the constants FK 0, FK 1, FK 2, FK and then input to the key schedule function. (K 0,K 1,K 2,K )=(MK 0 FK 0, MK 1 FK 1, MK 2 FK 2, MK FK ), where FK 0 = 0xab1bac6, FK 1 = 0x56aa50, FK = 0x677d9197, andfk = 0xb27022dc. Andthenk r is computed as follows: (4) k r =K r+4 =K r L (K r+1 K r+2 K r+ CK r ), (5) where CK r, r=0,1,...,1,istheconstant.

3 ecurity and Communication Networks Table2:ummaryofattacksonM4. Rounds Attack type Data Time Memory ource 1 Integral [6] 16 Impossible differential [18] 18 Rectangle [] 18 Boomerang [] 22 Multiple linear [19] 2 Differential [7] 2 Multidimensional linear [9] 2 Linear [9] 2 Linear ection 4 24 Linear ection 4. earch for the Linear Approximations of M4 In terms of the number of rounds, all previous attacks for M4 can work. One of the best key recovery attacks on M4 is linear and differential cryptanalysis, and both of them are based on 19-round distinguishers. Whether we can get a better distinguisher is our first motivation to improve the attacks on M4. Therefore, the key point is to search for the linear approximation of M4. As far as we know, some methods to search for linear approximations of M4 have beenconsideredin[,4,9,19]. The search method in [] is to construct linear approximations for reduced-round M4 by identifying a one-round linear approximation with the same input and output masks for the T function. In this way, the number of active T functions can be minimized. As a result, an 18-round linear approximation with bias for M4 has been found. In [4], Etrog and Robshaw derived a 5-round iterative linear approximation where only the last two rounds are active, and then they concatenated three five-round iterative linear approximations to construct an 18-round linear approximation with bias In[19],Liuetal.usedthebranch-and-boundalgorithm in [20] to obtain a series of 5-round iterative linear approximations, which are utilized to construct an 18-round linear approximation with bias In order to get a better linear approximation for M4, Liu andchengaveamorededicatedsearchalgorithmin[9].they firstly used an MILP-based method to search the mode for the linear approximation with the minimum number of active - boxes for reduced-round M4; then based on the identified mode they found the 19-round linear approximation with bias It is obvious that even if the number of active -boxes for a linear approximation is minimized, the absolute of its bias might not be maximum. From this point, we focus on searching for better linear approximations with a few more active -boxes. At CT-RA 2014, Biryukov and Velichkov extended the branch-and-bound algorithm to search for the differential characteristics of ARX ciphers where the partial differential distribution table for modular addition is used in order to improve the search efficiency [21]. Inspired from this idea, we will use the partial linear approximation table to search forlinearapproximationsofm4. At first, some properties for basic operations such as the XOR operation, the three-forked branching operation, and the linear map will be introduced. Lemma 1 (XOR operation [22]). Let f(x 0,x 1 )=x 0 x 1 ;the input mask vector and output mask are Γ = (Γ 0,Γ 1 ) and Λ, respectively. Then Pr(Λ f(x 0,x 1 )=Γ 0 x 0 Γ 1 x 1 ) =1/2if and only if Γ 0 =Γ 1 =Λ. Lemma 2 (three-forked branching operation [22]). Let f(x) = (x, x); the input mask and output linear mask vector are Γ and Λ=(Λ 0,Λ 1 ),respectively.thenpr(γ x = Λ f(x)) = 1/2 if and only if Γ=Λ 0 Λ 1. Lemma (linear map [2]). Let f(x) = M x with the input mask vector Γ=(Γ 0,Γ 1,...,Γ n 1 ) andoutputmaskvectorλ= (Λ 0,Λ 1,...,Λ n 1 );thenpr(γ x = Λ f(x)) =1/2if and only if Γ=M T Λ,whereM T is the transposed matrix of M and M is an n ninvertible binary matrix. Biases in the linear approximation table for -box of M4 take the values l/2 8 (2 l 16).Ifweputall the linear approximation table into the search program, the program will be too slow to get a better linear approximation. Thus, the partial linear approximation table is used in the searchalgorithm.thebasicideaisthatlinearapproximations of -box with higher bias are utilized first. If no better linear approximation is output, then we can expand the partial linear approximation table by appending more linear approximations of -box with less bias successively till a better linear approximation is output. In order to get a better linear approximation, one common method is to find iterative linear approximations for short rounds first based on which long rounds of linear approximations could be produced directly. Thus, we will focus on searching for iterative linear approximations of M4. Now three properties for iterative linear approximations of M4 are shown as follows. Property 4. There is no one-round iterative linear approximation with active -boxes on M4.

4 4 ecurity and Communication Networks Γ T r 0 Γr 1 Γr 2 Γr L 2 Λ r Γ r which implies Γ r = 0 andallthe-boxesinthisround are passive. Thus, there is no one-round iterative linear approximation for M4. Property 5. The iterative linear approximation for two rounds of M4 does not exist. Proof. If there is an iterative linear approximation for the first tworoundsinfigure2,thenwehave T Γr+1 0 L 2 Γr+1 1 Γr+1 2 Γr+1 Λ r+1 Γ r+1 Γ 0 r =Γ0 r+2, Γ 1 r =Γ1 r+2, Γ 2 r =Γ2 r+2, Γ r =Γ0 r+1. (9) T Γr+2 0 L 2 Γr+2 1 Γr+2 2 Γr+2 Λ r+2 Γ r+2 With the property of three-forked branch, we have Γ 1 r =Γ0 r+1 Γ r, Γ 2 r =Γ0 r+2 Γ r Γ r+1, Γ r =Γ1 r+2 Γ r Γ r+1, Γ 2 r+2 =Γ0 r Γ r+1. (10) Γr+ 0 Γr+ 1 Γr+ 2 Γr+ Figure 2: Linear approximation of -round M4. Proof. From Figure 2, if there is an iterative linear approximation for the first round, we have According to (9) and (10), we derive Γ 2 r =Γ0 r Γ r Γ r+1, Γ r =Γ1 r Γ r Γ r+1, Γ 2 r =Γ0 r Γ r+1. (11) Γ 0 r =Γ0 r+1, Γ 1 r =Γ1 r+1, Γ 2 r =Γ2 r+1, Γ r =Γ0 r. Using the property of three-forked branch, we have Γ 1 r =Γ0 r+1 Γ r, Γ 2 r =Γ1 r+1 Γ r, Γ r =Γ2 r+1 Γ r. From (6) and (7), we get Γ 1 r+1 =Γ0 r Γ r, Γ 0 r Γ r Γ r =Γ 2 r+1, Γ r =Γ0 r Γ r Γ r Γ r =Γ 0 r Γ r =Γ 0 r, (6) (7) (8) Thus, Γ 0 r Γ r+1 =Γ 0 r Γ r Γ r+1 Γ r =0, (12) which means that Γ 0 r =Γ0 r+2 =0.ubstitutethetermsΓ r in the above formulas and we have Γ 1 r =Γ0 r+1 =Γ1 r+2, Γ 2 r =Γ r+1, Γ r =Γ1 r+2 Γ r+1 =Γ 0 r+1 Γ r+1 =Γ 0 r+1, (1) so Γ r+1 = 0,whichmeansthatall-boxesinthefirst two rounds are passive. Therefore, 2-round iterative linear approximation for M4 does not exist. Property 6. For the iterative linear approximation of - round M4, the minimum number of active -boxes is. Meanwhile,eachroundhasoneactive-boxandtheactive -boxes are located in the same positions of three rounds.

5 ecurity and Communication Networks 5 Table : Linear approximation for 19-round M4. Round i Γ 0 i Λ i Γ i Bias Γ 1 i Γ 2 i Γ i A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A A A B E A A A F B A A A E F A0828 Proof. If there is an iterative linear approximation for three rounds in Figure 2, then we have o Γ 1 r Γ r Γ r+2 =Γ 2 r, Γ r Γ r Γ r+1 Γ r+2 =Γ 0 r, Γ 0 r Γ r+1 Γ r+2 =Γ 1 r. Γ r =Γ2 r Γ r Γ r+1, Γ r+1 =Γ r Γ r+2, (14) Γ 0 r =Γ r. (15) We focus on the linear approximation with less active - boxes. From (15), it is impossible for a three-round iterative linear approximation to have only one active -box. If there are two active -boxes, then Γ r =0or Γ r+1 =0or Γ r+2 =0. Hence, all -boxes in the three-round linear approximation are passive. Take Γ r =0as an example. If Γ r =0,thenΛ r =0, which implies Γ 0 r =0.Then Γ r =Γ0 r+ =Γ r+ =Γ0 r =0, Γ 0 r+2 =Γ r+ Γ 0 r+2 =0. Thus, Λ r+2 =0;wehaveΓ r+2 =0. 0=Γ r Γ r =Γ 2 r+1 =Γ r+1 Γ 1 r+2 =Γ r+1 Γ r+2 Γ 0 r+ =Γ r+1. (16) (17) In the cases Γ r+1 = 0 and Γ r+2 = 0,wecanalso obtain that there is no active -box in the three-round linear approximation by the similar way of the case Γ r = 0. Therefore, the iterative linear approximation for three-round M4 has at least three active -boxes. From (15), it is clear that eachroundhasoneactive-boxandtheseactive-boxesare locatedinthesamepositionsofthreerounds. From Property 6, we will try to search for the iterative linear approximation of -round M4 where each round has only one active -box. The search algorithm is listed in Algorithm 1. In Algorithm 1, the following notations are used. Γ r =Γ r,0 Γ r,1 Γ r,2 Γ r, and Λ r =Λ r,0 Λ r,1 Λ r,2 Λ r, are input and output masks of -layer in the rth round. Γ r,j and Λ r,j are input and output mask of the jth -box of the rth round. T l is a partial linear approximation table of -box which consists of linear approximations with bias no less than l/2 8 (2 l 16). After proceeding the search algorithm, we identify round iterative linear approximations with bias 2 10.With any -round iterative linear approximation, we can construct linear approximations for 19-round and 20-round M4 with bias 2 58 and 2 61, respectively. Compared with the best previous 19-round linear approximation in [9], the bias has been improved from to In Tables and 4, we give linear approximations for 19-round and 20-round M4, respectively, where all masks are denoted as hexadecimal values and is undecided. 4. Key Recovery Attacks for M Linear Attack on 24-Round M4. We append two rounds to the bottom and the top of the 20-round linear

6 6 ecurity and Communication Networks (1) for l 16to 2 do (2) for j 0to do () for all Λ 0,j =0, Λ 1,j =0, Λ 2,j =0, Λ 0,j =Λ 1,j =Λ 2,j =0, (0 j =j )do (4) Γ 0,j =Γ 1,j =Γ 2,j =0, (0 j =j ) (5) find all m 0 input masks indexed by Λ 0,j from T l,andstoreinr j [m 0 ] (6) for k 0 0to m 0 1do (7) Γ 0,j R j [k 0 ] (8) find all m 1 input masks indexed by Λ 1,j from T l,andstoreinr j [m 1 ] (9) for k 1 0to m 1 1do (10) Γ 1,j R j [k 1 ] (11) find all m 2 input masks indexed by Λ 2,j from T l,andstoreinr j [m 2 ] (12) for k 2 0to m 2 1do (1) Γ 2,j R j [k 2 ] (14) for i 0to 2 do (15) Γ 0 i =L T (Λ i,0 Λ i,1 Λ i,2 Λ i, )=L T (Λ i ) (16) end for (17) for i 0to 2 do (18) Γ i =Γ i,0 Γ i,1 Γ i,2 Γ i, (19) end for (20) (21) Γ 0 =Γ0 0 Γ 1 =Γ0 0 Γ 1 Γ 2 (22) (2) Γ 2 =Γ0 1 Γ 2 Γ 0 =Γ0 0 Γ 0 Γ 1 Γ 2 (24) (25) Γ 1 0 =Γ0 1 Γ 0 Γ 2 0 =Γ0 2 Γ 0 Γ 1 (26) (27) if Γ 0 =Γ0 2 && Γ1 0 =Γ1 && Γ2 0 =Γ2 then return Γ 0 0,Γ0 1,Γ0 2,Γ0,Γ 0,Γ 1,Γ 2 (28) // -round iterative linear approximation (29) else (0) continue. (1) end if (2) end for () end for (4) end for (5) end for (6) end for (7) l = l 2 (8) end for Algorithm 1: earch algorithm for iterative linear approximation of -round M4. approximation in Table 4, respectively. Then a linear attack on 24-round M4 is presented. The partial sum technique [24] is used in the partial encryption and decryption procedures. ee Figure. According to the linear approximation in Figure, we denote Γ 0 2 = Γ 2 = Γ 0 22 = Γ 22 = 0x8808A228, Γ 1 2 = 0x8808C228, Γ 2 2 =Γ1 22 = 0x , Γ2 22 = 0x , Λ 1 =Λ 22 = 0x , andλ 1,2 =Λ 22,2 =0x82.From the linear approximation, we have Γ 0 2 X0 2 Γ1 2 X1 2 Γ2 2 X2 2 Γ 2 X 2 Γ0 22 X0 22 Γ1 22 X 1 22 Γ2 22 X2 22 Γ 22 X 22 =κ. (18) Consider the partial encryption and decryption; the left side of the above equation can be written as follows: Γ 0 2 P 2 Γ 1 2 P Γ 2 2 (P 0 XX 0 ) Γ 0 2 (P 1 XX 1 ) Γ 0 2 (C 2 XX 22 ) Γ 2 2 (C XX 2 ) Γ 2 22 C 0 Γ 0 2 C 1 =Γ 0 2 P 2 Γ 1 2 P Γ 2 2 P 0 Γ 0 2 P 1 Γ 0 2 C 2 Γ 2 2 C Γ 2 22 C 0 Γ 0 2 C 1 Γ 2 2 XX 0 Γ 0 2 XX 1 Γ 0 2 XX 22 Γ 2 2 XX 2, (19) where XX r is the state after transformation T and X r is the state after layer in the rth round. ince Γ 0 2 XX 22 =Λ 22 X 22 =Λ 22,2 X 22 [16 2] =Λ 1,2 ((X 1 22 X2 22 X 22 k 22) [16 2]) =Λ 1,2 ((C C 0 C 1 ) [16 2]

7 ecurity and Communication Networks 7 Table 4: Linear approximation for 20-round M4. Round i Γ 0 i Λ i Γ i Bias Γ 1 i Γ 2 i Γ i A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A AA A A C A A CA C A A A228 XX 2 [16 2] k 22 [16 2]), Γ 0 2 XX 1 =Λ 1 X 1 =Λ 1,2 X 1 [16 2] =Λ 1,2 ((X 1 1 X2 1 X 1 k 1) [16 2]) =Λ 1,2 ((P 0 P 2 P ) [16 2] XX 0 [16 2] k 1 [16 2]), then, (19) can be transformed into Γ 0 2 P 2 Γ 1 2 P Γ 2 2 P 0 Γ 0 2 P 1 Γ 0 2 C 2 Γ 2 2 C Γ 2 22 C 0 Γ 0 2 C 1 Γ 2 2 T(P 1 P 2 P k 0 ) Λ 1,2 ((P 0 P 2 P ) [16 2] XX 0 [16 2] k 1 [16 2]) Λ 1,2 ((C C 0 C 1 ) [16 2] XX 2 [16 2] k 22 [16 2]) Γ 2 2 T(C 0 C 1 C 2 k 2 ). (20) (21) Let O =Γ 0 2 P 2 Γ 1 2 P Γ 2 2 P 0 Γ 0 2 P 1 Γ 0 2 C 2 Γ 2 2 C Γ 2 22 C 0 Γ 0 2 C 1. The attack process is given as follows: (1) CollectN plaintext/ciphertext pairs. (2) Initialize 2 81 counters V 0 [0],...,V 0 [2 81 1] to zero. () For every plaintext/ciphertext pair, calculate w=o (P 0 P 2 P )[16 2] (C C 0 C 1 )[16 2] C 0 C 1 C 2 P 1 P 2 P. Then increase the counter V 0 [w] by one. (4) Guess the 2-bit k 2.Allocate2 49 counters V 1 [0],...,V 1 [2 49 1] to zero. (5) For every 0 w ,calculateO O Γ 2 2 T(C 0 C 1 C 2 k 2 ), XX 2 and x=o (P 0 P 2 P )[16 2] (C C 0 C 1 )[16 2] XX 2 [16 2] P 1 P 2 P. V 1 [x] += V 0 [w]. (6) Guess the 8-bit k 22 [16 2]. Allocate 2 41 counters V 2 [0],...,V 2 [2 41 1] to zero. (7) For every 0 x , calculateo O Λ 1,2 ((C C 0 C 1 )[16 2] XX 2 [16 2] k 22 [16 2]) and y=o (P 0 P 2 P )[16 2] P 1 P 2 P. V 2 [y] += V 1 [x]. (8) Guess the 2-bit k 0.Allocate2 9 counters V [0],..., V [2 9 1] to zero. (9) For every 0 y ,calculateO O Γ 2 2 T(P 1 P 2 P k 0 ), XX 0 and z=o (P 0 P 2 P )[16 2] XX 0 [16 2]. V [z] += V 2 [y]. (10) Guess the 8-bit k 1 [16 2]. Initialize 2 80 counters V key [0],...,V key [2 80 1] to zero. (11) For every 0 z 2 9 1, calculateo O Λ 1,2 ((P 0 P 2 P )[16 2] XX 0 [16 2] k 1 [16 2]). If O =0,increasethecounterV key [k 0 k 1 [16 2] k 22 [16 2] k 2 ] by V [z];otherwise,decreaseitby V [z]. (12) We set the advantage a to be 47 which implies that the top 2 absolute values in V key are kept. For each

8 8 ecurity and Communication Networks P 0 X0 0 P 1 X0 1 P 2 X0 2 P X0 2 k 0 XX 0 X 0 X1 0 2 Λ 1 k 1 X1 1 X1 2 X1 XX X 1 00 X2 0 X2 1 X2 2 X2 0x8808A228 0x8808C228 0x x8808A228 Γ2 0 Γ2 1 Γ2 2 Γ2 20-round linear approximation Γ21 0 Γ21 1 Γ21 2 Γ21 0x8808A228 0x x x8808A228 X22 0 X22 1 X22 2 X22 2 Λ 22 k 22 XX X X2 0 2 k 2 X2 1 X2 2 X2 XX 2 X 2 C 0 X 0 24 C 1 X 1 24 C 2 X 2 24 C X 24 Figure:Keyrecoveryattackon24-roundM4.

9 ecurity and Communication Networks 9 kept subkey value, we guess the remaining 88 bits of k 1 [0 15, 24 1] k 2 k (the master key can be gotten from the key schedule) and test the key by trail encryptions. The time complexity of tep () is about operations which is equivalent to /24 = round encryptions. Both teps (5) and (9) need 2 11 one-round decryptions or encryptions. teps (7) and (11) take 2 89 one-round decryptions or encryptions. The complexity of tep (12) is round encryptions. o the total time complexity is about encryptions. The memory complexity of tep (2) is about =2 84 bytes and the counter V key requires =2 84 bytes, so the total memory complexity is about =2 85 bytes. If we set the data complexity N= , the success rate P =Φ(2 N ε 1+N/2 n Φ 1 (1 2 a 1 )) = 76.1%by[25]. The time complexity is round encryptions. 4.2.LinearAttackon2-RoundM4. Two rounds are added to the bottom and the top of the 19-round linear approximation in Table, respectively. The key recovery attack on 2-round M4 is similar to the attack procedure of 24-round M4, so we omit details of the process. If we set the data complexity N= and the advantage a to be 47, the time complexity is = round encryptions, and the memory complexity is 2 85 bytes. The success rate P = 85.9%iscomputedwiththemethodin [25]. 5. Conclusions In this paper, it is firstly shown that there is no one-round or two-round iterative linear approximation for M4 and the property for the -round iterative linear approximation. On the basis of the property, we search for the iterative linear approximation of -round M4 by the partial linear approximation table. Next the 20-round linear approximation is constructed by -round iterative linear approximations. The best previous distinguishers only cover 19 rounds. Then the key recovery attack on 24-round M4 is provided, which is the best known attack on M4 so far. Moreover, we also get a better 19-round linear approximation, used to improve the linear attack on 2-round M4. As for future work, we hope to use the similar technique to search for a better differential characteristic for M4. Conflicts of Interest The authors declare that there are no conflicts of interest regarding the publication of this paper. Acknowledgments Thisworkissupportedby97Program(no.201CB84205), NFC Projects (nos and ), and Program for New Century Excellent Talents in University of China (NCET-1-050). References [1] W. Diffie and G. Ledin, M4 Encryption Algorithm for Wireless Networks, Cryptology eprint Archive 2008/29, 2014, [2] Office of tate Commercial Cryptography Administration: pecification of M4, block cipher for WLAN products-m4 (Chinese), pdf. [] T. Kim, J. Kim,. Hong, and J. ung, Linear and Differential Cryptanalysis of Reduced M4 Block Cipher, IACR Cryptology eprint Archive 2008/281, 2008, pdf. [4] J.EtrogandM.J.B.Robshaw, TheCryptanalysisofReduced- Round M4, in elected Areas in Cryptography, vol.581of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, [5] W.Zhang,W.Wu,D.Feng,andB.u, omenewobservations on the M4 Block Cipher in the Chinese WAPI tandard, in Information ecurity Practice and Experience, vol.5451 of Lecture Notes in Computer cience, pp. 24 5, pringer, Berlin, Germany, [6] F.Liu,W.Ji,L.Huetal., AnalysisoftheM4BlockCipher, in Information ecurity and Privacy, vol.4586oflecture Notes in Computer cience, pp , pringer, Berlin, Germany, [7] B.-Z. u, W.-L. Wu, and W.-T. Zhang, ecurity of the M4 block cipher against differential cryptanalysis, JournalofComputer cience and Technology, vol. 26, no. 1, pp , [8] J.ChoandK.Nyberg, ImprovedLinearCryptanalysisofM4 Block Cipher, ymmetric Key Encryption Workshop, pp. 1 14, [9] M.-J. Liu and J.-Z. Chen, Improved linear attacks on the Chinese block cipher standard, Journal of Computer cience and Technology,vol.29,no.6,pp ,2014. [10] K. Bai and C. Wu, A secure white-box M4 implementation, ecurity and Communication Networks, vol.9,no.10,pp , [11] J. Zhang, W. Wu, and Y. Zheng, ecurity of M4 Against (Related-Key) Differential Cryptanalysis, in Proceedings of the International Conference on Information ecurity Practice and Experience, vol of Lecture Notes in Computer cience,pp , pringer, Berlin, Germany, November [12] B. Zhang and C. Jin, Practical security against linear cryptanalysis for M4-like ciphers with P round function, cience China Information ciences,vol.55,no.9,pp ,2012. [1] T. Helleseth, Linear cryptanalysis method for des cipher, in Advances in Cryptology EUROCRYPT, vol.765 of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, 199. [14] F. ano, K. Ohkuma, H. himizu, and. Kawamura, On the security of nested PN cipher against the differential and linear cryptanalysis, IEICE Transactions on Fundamentals of Electronics, Communications and Computer ciences, vol.e86- A, no. 1, pp. 7 46, 200. [15] G. Jakimoski and L. Kocarev, Differential and linear probabilities of a block-encryption cipher, IEEE Transactions on Circuits and ystems. I. Fundamental Theory and Applications, vol.50, no. 1, pp , 200.

10 10 ecurity and Communication Networks [16] Y. un, Linear Cryptanalysis of Light-Weight Block Cipher ICEBERG, in Advances in Electronic Commerce, Web Application and Communication,vol.149,pp ,pringerBerlin Heidelberg, Berlin, Germany, [17] Y. Liu, K. Fu, W. Wang, L. un, and M. Wang, Linear cryptanalysis of reduced-round PECK, Information Processing Letters,vol.116,no.,pp ,2016. [18] D. Toz and O. Dunkelman, Analysis of two attacks on reducedround versions of the M 4, in Information and Communications ecurity,vol.508oflecture Notes incomputer cience,pp , pringer Berlin Heidelberg, Berlin, Heidelberg, [19] Z. Liu, D. Gu, and J. Zhang, Multiple linear cryptanalysis of reduced-round M4 block cipher, Chinese Journal of Electronics,vol.19,no.,pp.89 9,2010. [20] M. Matsui, On correlation between the order of -boxes and the strength of DE, in Advances in cryptology EUROCRYPT, vol. 950 of Lecture Notes in Comput. ci.,pp.66 75,pringer, Berlin, Germany, [21] A. Biryukov and V. Velichkov, Automatic search for differential trails in ARX ciphers, in Topics in Cryptology CT-RA 2014, vol. 866 of Lecture Notes in Comput. ci.,pp ,pringer, Berlin, Germany, [22] E. Biham, On Matsui s linear cryptanalysis, in Advances in Cryptology, vol.950oflecture Notes in Comput. ci., pp.41 55, pringer, Berlin, Germany, [2] J. Daemen, R. Govaerts, and J. Vandewalle, Correlation matrices, in Fast oftware Encryption, vol of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, [24] N. Ferguson, J. Kelsey,. Lucks et al., Improved Cryptanalysis of Rijndael, in Fast oftware Encryption, vol of Lecture Notes in Computer cience, pp , pringer, Berlin, Germany, [25] A. Bogdanov and E. Tischhauser, On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2, in Fast oftware Encryption, vol of Lecture Notes in Computer cience, pp. 19 8, pringer, Berlin, Germany, 201.

11 Volume 201 International Journal of Rotating Machinery Journal of Volume 201 The cientific World Journal Journal of ensors International Journal of Distributed ensor Networks Journal of Control cience and Engineering Advances in Civil Engineering ubmit your manuscripts at Journal of Robotics Journal of Electrical and Computer Engineering Advances in OptoElectronics Volume 2014 VLI Design International Journal of Navigation and Observation Modelling & imulation in Engineering International Journal of International Journal of Antennas and Chemical Engineering Propagation Active and Passive Electronic Components hock and Vibration Advances in Acoustics and Vibration