Improved key-recovery attacks on reduced-round WEM-8

Proposed in CT-RSA’2017, WEM is a family of white-box block ciphers based on the Even-Mansour structure and AES. Due to its elegant structure and impressive performance, WEM is a prominent primitive in white-box cryptography-oriented scenarios like digital rights management (DRM) and mobile payment. In this paper, we focus on the black-box key-recovery security of reduced-round WEM-8, one of the main instances in the WEM family, with the aim of gaining an intensive understanding of the security of WEM. Potential weaknesses of WEM-8 are explored, and a new approach to improving the efficiency of integral attacks is introduced, which constructs equations from the constant property, instead of the balance property. Aided by these observations, new competitive key-recovery attacks with lower time/data/memory complexity on reduced-round WEM-8 are proposed. In particular, the improved attack on 4-round WEM-8 requires only 28\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^8$$\end{document} adaptively chosen ciphertexts, whereas the current best attack has the data complexity of 240\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{40}$$\end{document} chosen plaintexts. The results in this work show the effectiveness of the constant property in enhancing integral attacks and can inspire novel techniques in key-recovery attacks against other (white-box) block ciphers.