Korea University

SMS4 is a 128-bit block cipher with a 128-bit user key and 32 rounds, which is used in WAPI, the Chinese WLAN national standard. In this paper, we present a linear attack and a differential attack on a 22round reduced SMS4; our 22-round linear attack has a data complexity of 2 117 known plaintexts, a memory complexity of 2 109 bytes and a time complexity of 2 109.86 22-round SMS4 encryptions and 2 120.39 arithmetic operations, while our 22-round differential attack requires 2 118 chosen plaintexts, 2 123 memory bytes and 2 125.71 22-round SMS4 encryptions. Both of our attacks are better than any previously known cryptanalytic results on SMS4 in terms of the number of attacked rounds. Furthermore, we present a boomerang and a rectangle attacks on a 18-round reduced SMS4. These results are better than previously known rectangle attacks on reduced SMS4. The methods presented to attack SMS4 can be applied to other unbalanced Feistel ciphers with incomplete diffusion.