Security of SM4 Against (Related-Key) Differential Cryptanalysis

In this paper, we study the security of SM4 block cipher against (related-key) differential cryptanalysis by making use of the Mixed Integer Linear Programming (MILP) method. SM4 is the first commercial block cipher standard of China, which attracts lots of attentions in cryptography. To analyze the security of SM4 against differential attack, we exploit a highly automatic MILP method to determine the minimum number of active S-boxes for consecutive rounds of SM4. We try to dig out the underlying relationships in different rounds, and convert them to the constraints trickily to extend the MILP model, in order to cut off the invalid differential modes as many as possible. We obtain tighter lower bounds on the number of active S-boxes by solving the extended MILP model with optimizer Gurobi. Moreover, we consider the security of SM4 against related-key differential analysis. We construct the extended MILP model by adding more helpful constraints, and get the lower bounds on the number of active Sboxes, which proves the intuition of stronger differential security of SM4 in the related-key setting. Our results shows that there exists no differential characteristic with probability larger than 2−128 for 23 rounds of SM4 in the single-key setting and 19 rounds in the related-key setting.