Improved key-recovery attacks on reduced-round WEM-8

Abstract

Proposed in CT-RSA’2017, WEM is a family of white-box block ciphers based on the Even-Mansour structure and AES. Due to its elegant structure and impressive performance, WEM is a prominent primitive in white-box cryptography-oriented scenarios like digital rights management (DRM) and mobile payment. In this paper, we focus on the black-box key-recovery security of reduced-round WEM-8, one of the main instances in the WEM family, with the aim of gaining an intensive understanding of the security of WEM. Potential weaknesses of WEM-8 are explored, and a new approach to improving the efficiency of integral attacks is introduced, which constructs equations from the constant property, instead of the balance property. Aided by these observations, new competitive key-recovery attacks with lower time/data/memory complexity on reduced-round WEM-8 are proposed. In particular, the improved attack on 4-round WEM-8 requires only \(2^8\) adaptively chosen ciphertexts, whereas the current best attack has the data complexity of \(2^{40}\) chosen plaintexts. The results in this work show the effectiveness of the constant property in enhancing integral attacks and can inspire novel techniques in key-recovery attacks against other (white-box) block ciphers.

Appendix A: Improved Gauss elimination of matrices over \({\mathbb {F}}_{2^8}\)

To solve an equation system over \({\mathbb {F}}_{2^8}\), the Gauss elimination method is required. We introduce the general Gauss elimination (Algorithm 5) and propose an improved version (Algorithm 6) on an \(m \times n\) matrix over \({\mathbb {F}}_{2^8}\). The time complexity is estimated by counting the number of additions and multiplications respectively.

In Algorithm 5, n multiplications are required respectively in lines 3 and 5, and n additions are required in line 5. Hence, the total number of additions and multiplications are \(n^2(m - 1)\) and \(n^2m\) respectively.

Algorithm 6 takes Algorithm 7 (GenerateTable) as a subroutine, which is to compute i times an n-dimensional vector \(\varvec{v}\) for \(i \in [0, 255]\) and return the results as a table T sorted by gray codes. Lines 2-5 are to calculate \(2^i\) times \(\varvec{v}\) for \(i \in [0, 7]\), which costs 7n multiplications. In lines 6-13, we compute T with the help of a property of gray codes—the gray codes \(g_0\) and \(g_1\) of two consecutive numbers only differ in one bit, i.e. the d-th bit position. Thus, we have \(g_1 = 2^d \oplus g_0\), which implies that \( g_1 \cdot \varvec{v} = 2^d \cdot \varvec{v} \oplus g_0 \cdot \varvec{v}\). As we compute T row by row, we can always get row i of T by adding row d of \(T_b\) to row \(i - 1\) of T. As a result, Algorithm 7 (GenerateTable) requires 254n additions and 7n multiplications. In Algorithm 6, an inverse gray code is needed to look up the table, but the cost is negligible. To sum up, Algorithm 6 requires \(\left( 254n + (m - 1)n \right) \cdot n\) additions and \(8n^2\) multiplications. We regard the expense of multiplying by \(\mathtt {2}\) as two additions. Then, the total complexity is \((277 + m)n^2\) additions. In the 3- and 4-round key-recovery attacks on WEM-8, \(m=2^9\) and \(n=2^8\). Consequently, the time complexity of our improved Gauss elimination method is approximately \(2^{26}\) additions, i.e., \(2^{26}\) steps.