Cryptanalysis of two white-box implementations of the SM4 block cipher (Q2154039)
From MaRDI portal
scientific article
| Language | Label | Description | Also known as |
|---|---|---|---|
| English | Cryptanalysis of two white-box implementations of the SM4 block cipher | scientific article | |
Statements
Cryptanalysis of two white-box implementations of the SM4 block cipher (English)
13 July 2022
The SM4 block cipher, formerly known as SMS4, has a 128-bit block length and a 128-bit user key. It is a Chinese national standard and an ISO international standard. White-box cryptography aims primarily to protect the secret key used in a cryptographic software implementation in the white-box scenario, which assumes that an attacker has full access to the execution environment and execution details of an implementation. Since white-box cryptography has many real-life applications nowadays, a few white-box implementations of the SM4 block cipher have been proposed. In particular, Y. Xiao and X. Lai ["A secure implementation of white-box AES", in: Proceedings of the 2009 2nd international conference on computer science and its applications, CSA 2009. Piscataway, NJ: IEEE. 1–6 (2009; doi:10.1109/CSA.2009.5404239)] presented the first white-box SM4 implementation based on the traditional way, which has been attacked with the lowest currently published attack complexity of about \(2^{32}\) using the affine equivalence technique; and S. Yao and J. Chen ["A new method for White-Box implementation of SM4 algorithm", J. Cryptol. Res. 7, No. 3, 358–374 (2020; doi:10.13868/j.cnki.jcr.000373)] presented a white-box SM4 implementation based on state expansion, and got the lowest attack complexity of about \(2^{51}\) among a variety of attack techniques. In this paper, the authors present collision-based attacks on Yao-and-Chen's and Xiao-and-Lai's white-box SM4 implementations with a time complexity of about \(2^{23}\) for recovering a round key, and thus show that their security is much lower than previously published. For the entire collection see [Zbl 1490.68022].
white-box cryptography
block cipher
SM4 (SMS4)
collision attack