You are looking at a specific version 20211206:034803 of this paper.

Paper 2021/1586

Cryptanalysis of a Type of White-Box Implementations of the SM4 Block Cipher

Jiqiang Lu and Jingyu Li

Abstract

The SM4 block cipher was first released in 2006 as SMS4, used in the Chinese national standard WAPI, and became a Chinese national standard in 2016 and an ISO international standard in 2021. White-box cryptography aims primarily to protect the secret key used in a cryptographic software implementation in the white-box scenario, which assumes that an attacker has full access to the execution environment and execution details of an implementation. Since white-box cryptography has many real-life applications nowadays, a few white-box implementations of the SM4 block cipher have been proposed with its increasingly wide use. One type of construction dominates among them: it uses an affine (or, in the extreme case, even linear) diagonal block encoding to protect the original output of an SM4 round function, and uses the encoding or its inverse to protect the original input of the S-box layer of the next round. Examples are Xiao and Lai's implementation in 2009, Shang's implementation in 2016, and Yao and Chen's and Wu et al.'s implementations in 2020. In this paper, we show that this type of white-box SM4 construction is rather insecure against collision-based attacks, by devising attacks on Xiao and Lai's, Shang's, Yao and Chen's and Wu et al.'s implementations with time complexities of about $2^{19.4}$, $2^{35.6}$, $2^{19.4}$ and $2^{17.1}$, respectively, to recover a round key; their security is thus much lower than previously published or expected. Such white-box SM4 constructions should therefore be avoided unless they are enhanced in some way.

Note: This is an extended version of the paper that appeared in Proceedings of ISC 2021 - The 24th Information Security Conference. In this extended version, we corrected and revised the phase of how to recover the round key and the time complexity analysis for Yao and Chen's and Xiao and Lai's implementations, and cryptanalysed two other white-box SM4 implementations, namely Shang's and Wu et al.'s implementations.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Major revision. Proceedings of ISC 2021 - The 24th Information Security Conference
DOI
https://doi.org/10.1007/978-3-030-91356-4_4
Keywords
White-box cryptography, SM4 (SMS4) block cipher, collision attack
Contact author(s)
lvjiqiang @ hotmail com
History
2022-01-23: revised
2021-12-06: received
Short URL
https://ia.cr/2021/1586
License
Creative Commons Attribution
CC BY