
Attacks and Countermeasures for White-box Designs

  • Alex Biryukov
  • Aleksei Udovenko
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use static and dynamic analysis as well as fault analysis to break the cryptosystem, e.g. to extract the embedded secret key. Implementations that are secure in such a model have many applications in industry. However, creating such implementations turns out to be a very challenging, if not impossible, task.

Recently, Bos et al. [7] proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack was applied to many white-box implementations, both from academia and industry. The attack comes from the area of side-channel analysis, and the most common method of protecting against such attacks is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations. We use the term “masking” in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy.

Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must provide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack by Bos et al. and protection against a new attack called algebraic attack.

We present a provably secure first-order protection against the new algebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security that allows secure gadgets to be freely combined. We derive concrete security bounds for circuits built using our construction.
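To make the abstract's point concrete, here is an added Python simulation (not code from the paper or from the authors' tools) of both attack classes against a constructed toy circuit: an 8-bit AES-like inversion S-box whose output is either left in the clear or XOR-masked with a fresh random share. Correlation DCA recovers the key only from the unmasked traces, while the GF(2) linear-algebra check used here to stand in for the algebraic attack recovers it from both, which illustrates why first-order XOR masking on its own does not satisfy the new constraints. The toy circuit, the trace layout, the 128-trace sample and the precise form of the algebraic test are assumptions of this example.

```python
import random
def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r
def gf_inv(x):  # x^254 = x^-1 in GF(2^8) (0 -> 0); every output bit has degree 7
    y = 1
    for _ in range(254):
        y = gf_mul(y, x)
    return y
SBOX = [gf_inv(x) for x in range(256)]  # constructed AES-like toy S-box
bit = lambda v, i: (v >> i) & 1
def make_traces(key, masked, n, seed):
    # trace per plaintext p: bits of p, then (p ^ key, S) in the clear or the XOR shares (r, S ^ r)
    rng, pts, traces = random.Random(seed), [], []
    for _ in range(n):
        p, r = rng.randrange(256), (rng.randrange(256) if masked else 0)
        s = SBOX[p ^ key]
        mid, out = (r, s ^ r) if masked else (p ^ key, s)
        pts.append(p)
        traces.append([bit(v, i) for v in (p, mid, out) for i in range(8)])
    return pts, traces
def dca(pts, traces):
    # correlation DCA on S-box output bit 0: best (score, key); 1.0 = a column matches exactly
    n, best = len(pts), (-1.0, -1)
    for k in range(256):
        pred = [bit(SBOX[p ^ k], 0) for p in pts]
        for c in range(len(traces[0])):
            eq = sum(pred[t] == traces[t][c] for t in range(n))
            best = max(best, (abs(2 * eq - n) / n, k))
    return best
def reduce_vec(vec, basis):  # reduce an int bit-vector against an echelon basis
    while vec and (vec.bit_length() - 1) in basis:
        vec ^= basis[vec.bit_length() - 1]
    return vec
def algebraic(pts, traces):
    # keys whose predicted bit is a GF(2)-linear combination of the trace columns and
    # the all-ones column; the shares r and S ^ r add up to S, so masking does not help
    n, basis = len(pts), {}
    col = lambda bits: sum(b << t for t, b in enumerate(bits))
    for v in [col(tr[c] for tr in traces) for c in range(len(traces[0]))] + [(1 << n) - 1]:
        v = reduce_vec(v, basis)
        if v:
            basis[v.bit_length() - 1] = v
    return [k for k in range(256) if not reduce_vec(col(bit(SBOX[p ^ k], 0) for p in pts), basis)]
```

With the masked traces, `dca` never reaches a perfect score because every recorded column is independent of the predicted bit, while `algebraic` still returns the key, since the two shares sum to the predicted value.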

Keywords

White-box, Obfuscation, Cryptanalysis, Provable security, Masking

References

  1. Banik, S., Bogdanov, A., Isobe, T., Jepsen, M.: Analysis of software countermeasures for Whitebox encryption. IACR Trans. Symmetric Cryptol. 2017(1), 307–328 (2017)
  2. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a White Box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30564-4_16
  3. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: Black-Box, White-Box, and public-key (Extended Abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_4
  4. Biryukov, A., Khovratovich, D., Perrin, L.: Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs. IACR Trans. Symmetric Cryptol. 2016(2), 226–247 (2017)
  5. Biryukov, A., Shamir, A.: Structural Cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_24
  6. Biryukov, A., Udovenko, A.: White-box Tools (2018). https://github.com/cryptolu/whitebox
  7. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your White-Box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_11
  8. Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_2
  9. Bottinelli, P., Bos, J.W.: Computational aspects of correlation power analysis. J. Cryptogr. Eng. 7(3), 167–181 (2017)
  10. Bringer, J., Chabanne, H., Dottax, E.: White Box Cryptography: Another Attempt. Cryptology ePrint Archive, Report 2006/468 (2006). http://eprint.iacr.org/2006/468
  11. Canright, D.: A very compact S-Box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005). https://doi.org/10.1007/11545262_32
  12. Carlet, C.: Boolean functions for cryptography and error-correcting codes. Encyclopedia of Mathematics and its Applications, pp. 257–397. Cambridge University Press, Cambridge (2010)
  13. Carmer, B., Malozemoff, A.J., Raykova, M.: 5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 747–764. ACM, New York (2017)
  14. Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A White-Box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_1
  15. Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: White-Box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_17
  16. De Mulder, Y., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated White-Box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17401-8_21
  17. ECRYPT-CSA Consortium: CHES 2017 Capture The Flag Challenge. The WhibOx Contest (2017). http://whibox.cr.yp.to/
  18. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17
  19. Ferreira, P.J.S.G., Jesus, B., Vieira, J., Pinho, A.J.: The rank of random binary matrices and distributed storage applications. IEEE Commun. Lett. 17(1), 151–154 (2013)
  20. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pp. 40–49, October 2013
  21. Gilbert, H., Plût, J., Treger, J.: Key-Recovery attack on the ASASA cryptosystem with expanding S-Boxes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 475–490. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_23
  22. Goubin, L., Paillier, P., Rivain, M., Wang, J.: Reveal Secrets in Adoring Poitras. A victory of reverse engineering and cryptanalysis over challenge 777. CHES 2017 Rump Session, slides (2017). https://ches.2017.rump.cr.yp.to/a905c99d1845f2cf373aad564ac7b5e4.pdf
  23. Goubin, L., Paillier, P., Rivain, M., Wang, J.: How to reveal the secrets of an obscure white-box implementation. Cryptology ePrint Archive, Report 2018/098 (2018). https://eprint.iacr.org/2018/098
  24. Hubain, C., et al.: Side-Channel Marvels (2016). https://github.com/SideChannelMarvels
  25. Ishai, Y., Prabhakaran, M., Sahai, A., Wagner, D.: Private circuits II: keeping secrets in tamperable circuits. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 308–327. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_19
  26. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_27
  27. Karroumi, M.: Protecting White-Box AES with dual ciphers. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24209-0_19
  28. Lepoint, T., Rivain, M.: Another Nail in the Coffin of White-Box AES Implementations. Cryptology ePrint Archive, Report 2013/455 (2013). http://eprint.iacr.org/2013/455
  29. Minaud, B., Derbez, P., Fouque, P.-A., Karpman, P.: Key-Recovery attacks on ASASA. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 3–27. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_1
  30. Sasdrich, P., Moradi, A., Güneysu, T.: White-Box cryptography in the gray box. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 185–203. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_10
  31. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 7.3) (2016). http://www.sagemath.org
  32. Warrens, M.J., et al.: Similarity coefficients for binary data: properties of coefficients, coefficient matrices, multi-way metrics and multivariate coefficients. Psychometrics and Research Methodology Group, Leiden University Institute for Psychological Research, Faculty of Social Sciences, Leiden University (2008)
  33. Xiao, Y., Lai, X.: A secure implementation of White-Box AES. In: 2009 2nd International Conference on Computer Science and its Applications, pp. 1–6, December 2009

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. SnT and CSC, University of Luxembourg, Esch-sur-Alzette, Luxembourg
  2. SnT, University of Luxembourg, Esch-sur-Alzette, Luxembourg
