Improved key-recovery attacks on reduced-round WEM-8

Proposed in CT-RSA’2017, WEM is a family of white-box block ciphers based on the Even-Mansour structure and AES. Due to its elegant structure and impressive performance, WEM is a prominent primitive in white-box cryptography-oriented scenarios like digital rights management (DRM) and mobile payment. In this paper, we focus on the black-box key-recovery security of reduced-round WEM-8, one of the main instances in the WEM family, with the aim of gaining an intensive understanding of the security of WEM. Potential weaknesses of WEM-8 are explored, and a new approach to improving the efficiency of integral attacks is introduced, which constructs equations from the constant property, instead of the balance property. Aided by these observations, new competitive key-recovery attacks with lower time/data/memory complexity on reduced-round WEM-8 are proposed. In particular, the improved attack on 4-round WEM-8 requires only 2 8 adaptively chosen ciphertexts, whereas the current best attack has the data complexity of 2 40 chosen plaintexts. The results in this work show the effectiveness of the constant property in enhancing integral attacks and can inspire novel techniques in key-recovery attacks against other (white-box) block ciphers.