6.2 Merge window, part 1 [LWN.net]

6.2 Merge window, part 1

Posted Dec 18, 2022 6:48 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
In reply to: 6.2 Merge window, part 1 by Paf
Parent article: 6.2 Merge window, part 1

There are no constants in SM4 that are not derived from first principles. Just like AES, SM4 uses S-boxes for the round function. They are calculated using different polynomials, but otherwise they are very similar.

So it's extremely unlikely that SM4 is backdoored. And if it is, then AES is also pretty much guaranteed to be just as vulnerable.

It doesn't mean that everyone should switch to SM4, it's simply not a good modern cipher from a purely practical standpoint.

to post comments

6.2 Merge window, part 1

Posted Dec 20, 2022 1:24 UTC (Tue) by Paf (subscriber, #91811) [Link] (1 responses)

“ The eight S-boxes of DES were the subject of intense study for many years out of a concern that a backdoor (a vulnerability known only to its designers) might have been planted in the cipher. The S-box design criteria were eventually published (in Coppersmith 1994) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack. Biham and Shamir found that even small modifications to an S-box could significantly weaken DES.[4]”
From Wikipedia. From your description, you know more of the details of S-box creation than I do, but this sure sounds like an S-box could be weak in a way that might not be apparent to others.

6.2 Merge window, part 1

Posted Dec 23, 2022 3:45 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

S-Boxes in DES were basically chosen experimentally, they are not a result of any "nothing up my sleeves" process.

In contrast, both AES and SM4 use algorithmically generated S-Boxes. The algorithms are very similar, so it's highly unlikely that only one of them is vulnerable.