Attacks and Countermeasures for White-box Designs

  • Alex Biryukov
  • Aleksei Udovenko
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)


In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation and can use static analysis, dynamic analysis and fault analysis to break the cryptosystem, e.g. to extract the embedded secret key. Implementations that are secure in such a model have many applications in industry. However, creating such implementations turns out to be a very challenging, if not impossible, task.

Recently, Bos et al. [7] proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack has been applied to many white-box implementations, both from academia and from industry. The attack comes from the area of side-channel analysis, where the most common countermeasure is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations, using the term “masking” in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy.

Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must provide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack of Bos et al. and against a new attack, which we call the algebraic attack.

We present a provably secure first-order protection against the new algebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security, which allows secure gadgets to be freely combined. We derive concrete security bounds for circuits built using our construction.
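
The three ingredients in the abstract (a DCA-style correlation over computation traces, XOR masking as the usual countermeasure, and an algebraic attack that masking of that kind does not stop) can be seen on a toy target. The Python below is an added example written for this page; it is not code from the paper or from the authors' white-box tools, and it takes the algebraic attack to be of the linear-algebra kind, i.e. a test of whether the key-dependent prediction lies in the affine GF(2)-span of the recorded intermediate bits. That is an assumption about the attack's flavour, since the abstract does not describe it. The target is a single AES S-box lookup with an embedded key byte, and the masked variant is idealised: only the shares of its input and output are recorded, so the internals of a masked S-box gadget are out of scope. All names (`collect`, `dca`, `algebraic_attack`, `demo`) and the constructed traces are the example's own.

```python
"""Toy white-box target (one AES S-box lookup with an embedded key byte):
DCA versus a linear-algebra attack, on unprotected and XOR-masked traces."""
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    """AES S-box: field inverse (x^254, with 0 -> 0) then the affine map."""
    inv, base, e = (1 if x else 0), x, 254
    while x and e:
        if e & 1:
            inv = _gf_mul(inv, base)
        base = _gf_mul(base, base)
        e >>= 1
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def bits(v):
    return [(v >> i) & 1 for i in range(8)]

def unprotected(p, key, rng):
    """Recorded wires: the 8 bits of t = p ^ key and the 8 bits of S(t)."""
    t = p ^ key
    return bits(t) + bits(SBOX[t])

def masked(p, key, rng):
    """First-order XOR masking: recorded wires are only the shares (a, r) of t
    and (m, s) of S(t). Assumption: gadget internals are not observable."""
    r, s = rng.randrange(256), rng.randrange(256)
    a = p ^ key ^ r
    m = SBOX[a ^ r] ^ s   # simulator computing the gadget result, not a wire
    return bits(a) + bits(r) + bits(m) + bits(s)

def column_int(values):
    """Pack one bit per execution into an int, so GF(2) sums are XORs."""
    return sum(b << i for i, b in enumerate(values))

def collect(impl, key, n, rng):
    """Trace n executions on random plaintexts, and build the 256 prediction
    columns 'bit 0 of S(p ^ guess)' that both attacks test against the wires."""
    pts = [rng.randrange(256) for _ in range(n)]
    rows = [impl(p, key, rng) for p in pts]
    cols = [column_int(row[j] for row in rows) for j in range(len(rows[0]))]
    preds = [column_int(SBOX[p ^ g] & 1 for p in pts) for g in range(256)]
    return cols, preds

def correlation(x, y, n):
    """Pearson correlation of two n-execution binary columns held as ints."""
    pc = lambda v: bin(v).count("1")
    nx, ny, nxy = pc(x), pc(y), pc(x & y)
    den = (nx * (n - nx) * ny * (n - ny)) ** 0.5
    return (n * nxy - nx * ny) / den if den else 0.0

def dca(cols, preds, n):
    """DCA: best (key guess, |correlation|) over all guesses and wires."""
    best = (None, 0.0)
    for g, pred in enumerate(preds):
        for col in cols:
            c = abs(correlation(pred, col, n))
            if c > best[1]:
                best = (g, c)
    return best

def gf2_reduce(v, basis):
    """Reduce v against an echelon basis {pivot bit: vector}; 0 iff in span."""
    for piv in sorted(basis, reverse=True):
        if (v >> piv) & 1:
            v ^= basis[piv]
    return v

def algebraic_attack(cols, preds, n):
    """Key guesses whose prediction is an affine GF(2) combination of wires."""
    basis = {}
    for v in cols + [(1 << n) - 1]:  # all-ones column supplies the constant
        v = gf2_reduce(v, basis)
        if v:
            basis[v.bit_length() - 1] = v
    return [g for g, pred in enumerate(preds) if gf2_reduce(pred, basis) == 0]

def demo(key=0x2B, n=4000, seed=1):
    """Run both attacks on both implementations; deterministic for a seed."""
    rng = random.Random(seed)
    out = {}
    for name, impl in (("unprotected", unprotected), ("masked", masked)):
        cols, preds = collect(impl, key, n, rng)
        out["dca_" + name] = dca(cols, preds, n)
        out["algebraic_" + name] = algebraic_attack(cols, preds, n)
    return out
```

`demo()` returns DCA ranking the true key first with correlation 1.0 on the unprotected trace and nothing above the sampling noise on the masked one, while the span test returns exactly the true key in both cases: the masked value S(t)_0 is m_0 ⊕ s_0, an XOR of two recorded bits, so it is in the span no matter how the shares are refreshed. This is why first-order DCA resistance alone does not deliver the value-hiding component described above, and why the protection against the algebraic attack has to break linearity rather than just first-order correlation.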


Keywords: White-box · Obfuscation · Cryptanalysis · Provable security · Masking


References

  1. Banik, S., Bogdanov, A., Isobe, T., Jepsen, M.: Analysis of software countermeasures for Whitebox encryption. IACR Trans. Symmetric Cryptol. 2017(1), 307–328 (2017)
  2. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a White Box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004)
  3. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: Black-Box, White-Box, and public-key (Extended Abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014)
  4. Biryukov, A., Khovratovich, D., Perrin, L.: Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs. IACR Trans. Symmetric Cryptol. 2016(2), 226–247 (2017)
  5. Biryukov, A., Shamir, A.: Structural Cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001)
  6. Biryukov, A., Udovenko, A.: White-box Tools (2018)
  7. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your White-Box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016)
  8. Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018)
  9. Bottinelli, P., Bos, J.W.: Computational aspects of correlation power analysis. J. Cryptogr. Eng. 7(3), 167–181 (2017)
  10. Bringer, J., Chabanne, H., Dottax, E.: White Box Cryptography: Another Attempt. Cryptology ePrint Archive, Report 2006/468 (2006)
  11. Canright, D.: A very compact S-Box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005)
  12. Carlet, C.: Boolean functions for cryptography and error-correcting codes. In: Encyclopedia of Mathematics and its Applications, pp. 257–397. Cambridge University Press, Cambridge (2010)
  13. Carmer, B., Malozemoff, A.J., Raykova, M.: 5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 747–764. ACM, New York (2017)
  14. Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A White-Box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003)
  15. Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: White-Box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003)
  16. De Mulder, Y., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated White-Box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010)
  17. ECRYPT-CSA Consortium: CHES 2017 Capture The Flag Challenge. The WhibOx Contest (2017)
  18. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017)
  19. Ferreira, P.J.S.G., Jesus, B., Vieira, J., Pinho, A.J.: The rank of random binary matrices and distributed storage applications. IEEE Commun. Lett. 17(1), 151–154 (2013)
  20. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pp. 40–49 (2013)
  21. Gilbert, H., Plût, J., Treger, J.: Key-Recovery attack on the ASASA cryptosystem with expanding S-Boxes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 475–490. Springer, Heidelberg (2015)
  22. Goubin, L., Paillier, P., Rivain, M., Wang, J.: Reveal Secrets in Adoring Poitras. A victory of reverse engineering and cryptanalysis over challenge 777. CHES 2017 Rump Session, slides (2017)
  23. Goubin, L., Paillier, P., Rivain, M., Wang, J.: How to reveal the secrets of an obscure white-box implementation. Cryptology ePrint Archive, Report 2018/098 (2018)
  24. Hubain, C., et al.: Side-Channel Marvels (2016)
  25. Ishai, Y., Prabhakaran, M., Sahai, A., Wagner, D.: Private circuits II: keeping secrets in tamperable circuits. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 308–327. Springer, Heidelberg (2006)
  26. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
  27. Karroumi, M.: Protecting White-Box AES with dual ciphers. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011)
  28. Lepoint, T., Rivain, M.: Another Nail in the Coffin of White-Box AES Implementations. Cryptology ePrint Archive, Report 2013/455 (2013)
  29. Minaud, B., Derbez, P., Fouque, P.-A., Karpman, P.: Key-Recovery attacks on ASASA. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 3–27. Springer, Heidelberg (2015)
  30. Sasdrich, P., Moradi, A., Güneysu, T.: White-Box cryptography in the gray box. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 185–203. Springer, Heidelberg (2016)
  31. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 7.3) (2016)
  32. Warrens, M.J., et al.: Similarity coefficients for binary data: properties of coefficients, coefficient matrices, multi-way metrics and multivariate coefficients. Psychometrics and Research Methodology Group, Leiden University Institute for Psychological Research, Faculty of Social Sciences, Leiden University (2008)
  33. Xiao, Y., Lai, X.: A secure implementation of White-Box AES. In: 2009 2nd International Conference on Computer Science and its Applications, pp. 1–6 (2009)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. SnT and CSC, University of Luxembourg, Esch-sur-Alzette, Luxembourg
  2. SnT, University of Luxembourg, Esch-sur-Alzette, Luxembourg
