Cryptology ePrint Archive: Report 2021/1586

Cryptanalysis of a Type of White-Box Implementations of the SM4 Block Cipher

Jiqiang Lu and Jingyu Li

Abstract: The SM4 block cipher was first released in 2006 as SMS4, used in the Chinese national standard WAPI, and became a Chinese national standard in 2016 and an ISO international standard in 2021. White-box cryptography aims primarily to protect the secret key used in a cryptographic software implementation in the white-box scenario, which assumes an attacker has full access to the execution environment and execution details of the implementation. Since white-box cryptography has many real-life applications nowadays, a few white-box implementations of the SM4 block cipher have been proposed as its use has widened. Among them, one type of construction dominates: those that use an affine (or even linear) diagonal block encoding to protect the original output of an SM4 round function and use that encoding or its inverse to protect the original input of the S-box layer of the next round, such as Xiao and Lai's implementation in 2009, Shang's implementation in 2016, and Yao and Chen's and Wu et al.'s implementations in 2020. In this paper, we show that this type of white-box SM4 construction is rather insecure against collision-based attacks, by devising attacks on Xiao and Lai's, Shang's, Yao and Chen's and Wu et al.'s implementations with a time complexity of about $2^{19.4}$, $2^{35.6}$, $2^{19.4}$ and $2^{17.1}$ respectively to recover a round key; their security is thus much lower than previously published or expected. Such white-box SM4 constructions should therefore be avoided unless enhanced in some way.

Category / Keywords: secret-key cryptography / White-box cryptography, SM4 (SMS4) block cipher, collision attack

Original Publication (with major differences): Proceedings of ISC 2021 --- The 24th Information Security Conference

Date: received 3 Dec 2021

Contact author: lvjiqiang at hotmail com


Note: This is an extended version of the paper that appeared in Proceedings of ISC 2021 --- The 24th Information Security Conference. In this extended version, we corrected and revised the phase of how to recover the round key and the time complexity analysis for Yao and Chen's and Xiao and Lai's implementations, and cryptanalysed two other white-box SM4 implementations, namely Shang's and Wu et al.'s.

Version: 20211206:034803
