
WEM: A New Family of White-Box Block Ciphers Based on the Even-Mansour Construction

  • Conference paper
Topics in Cryptology – CT-RSA 2017 (CT-RSA 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10159)


Abstract

White-box cryptosystems aim at providing security against an adversary that has access to the encryption process. As a countermeasure against code lifting (in which the adversary simply distributes the code of the cipher), recent white-box schemes aim for ‘incompressibility’, meaning that any useful representation of the secret key material is memory-consuming.

In this paper we introduce a new family of white-box block ciphers relying on incompressible permutations and the classical Even-Mansour construction. Our ciphers allow achieving tradeoffs between encryption speed and white-box security that were not obtained by previous designs. In particular, we present a cipher with reasonably strong space hardness of \(2^{15}\) bytes, that runs at less than 100 cycles per byte.
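As an added illustration (not the paper's own WEM specification, whose block size, S-box parameters and public permutation all differ), here is a toy version of the idea in the abstract: an iterated Even-Mansour cipher whose key whitening is replaced by layers of secret, Fisher-Yates-shuffled S-boxes, while the public permutation and its per-domain key are known. The only secret is the S-box tables, so any useful copy of the key material is at least TABLE_BYTES large; the block size, S-box width, public key and mixing steps are assumptions chosen for the toy.

```python
import random

BLOCK_BITS = 16      # toy block size n (assumed; the paper's parameters differ)
SBOX_BITS = 8        # toy S-box width m, chosen so that m divides n
N_SBOXES = BLOCK_BITS // SBOX_BITS
ROUNDS = 2           # calls to the public permutation; ROUNDS + 1 secret layers
MASK = (1 << BLOCK_BITS) - 1
PUBLIC_KEY = 0x5A3C  # per-domain fixed key of the public permutation, assumed known
TABLE_BYTES = (ROUNDS + 1) * N_SBOXES * (1 << SBOX_BITS)  # secret tables, one byte/entry

def keygen(secret):
    """ROUNDS + 1 layers of random m-bit S-boxes: the incompressible key material."""
    layers = []
    for i in range(ROUNDS + 1):
        rng = random.Random(f"{secret}/{i}")
        layer = [list(range(1 << SBOX_BITS)) for _ in range(N_SBOXES)]
        for box in layer:
            rng.shuffle(box)  # Fisher-Yates shuffle: a uniformly random bijection
        layers.append(layer)
    return layers

def invert_layers(layers):
    return [[sorted(range(len(b)), key=b.__getitem__) for b in layer] for layer in layers]

def apply_layer(layer, x):  # each S-box acts on its own m-bit chunk of the state
    y = 0
    for i, box in enumerate(layer):
        y |= box[(x >> (i * SBOX_BITS)) & ((1 << SBOX_BITS) - 1)] << (i * SBOX_BITS)
    return y
def rotl(x, k):
    return ((x << k) | (x >> (BLOCK_BITS - k))) & MASK
def public_perm(x):  # toy stand-in for a real cipher run under the public key
    for r in range(4):
        x = (rotl(x ^ PUBLIC_KEY ^ r, 5) + 0x9E37) & MASK
    return x
def public_perm_inv(x):
    for r in reversed(range(4)):
        x = rotl((x - 0x9E37) & MASK, BLOCK_BITS - 5) ^ PUBLIC_KEY ^ r
    return x

def encrypt(layers, x):  # Even-Mansour with its key whitening replaced by S-box layers
    x = apply_layer(layers[0], x)
    for r in range(ROUNDS):
        x = apply_layer(layers[r + 1], public_perm(x))
    return x

def decrypt(inv_layers, y):
    for r in reversed(range(ROUNDS)):
        y = public_perm_inv(apply_layer(inv_layers[r + 1], y))
    return apply_layer(inv_layers[0], y)
```

Generating a larger parameter set (more rounds, wider S-boxes) grows TABLE_BYTES, which is the knob the abstract's speed versus space-hardness tradeoff turns.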

O. Dunkelman—The fourth author was supported in part by the Israeli Science Foundation through grant No. 827/12 and by the Commission of the European Communities through the Horizon 2020 program under project number 645622 PQCRYPTO.

N. Keller—The fifth author was supported by the Alon Fellowship.


Notes

  1. We may also reuse S-boxes to obtain greater flexibility, as noted below.

  2. We note that instead, a per-domain fixed key can be used, e.g., each country gets its own key, or even a per-user key. However, we assume this key to be publicly known.

  3. Interestingly, it is shown in [13] that for certain types of schemes, the gap between the number of rounds required to resist the best known attack and the number of rounds required to obtain provable security is not large.

  4. Resistance to such attacks is addressed by the strong incompressibility definition of [13], which also gives a scheme (called WhiteKey) that provably achieves this security notion. However, WhiteKey is a key generator rather than a block cipher, and hence is incomparable to our scheme.

  5. For the sake of convenience, we rename the block cipher instance parameters for both previous space-hard designs [5, 13].

  6. We note that in terms of provable security, it was shown in [13] for WhiteBlock (and similar arguments can be applied to our scheme) that the analysis for an arbitrary set of S-box entries should give a close estimation to the number of rounds required to achieve the desired security level of 112 bits.

  7. We point out that the adversary can reduce the number of guesses in case of common missed S-box entries. We do not expect this to give the adversary a significant advantage, as the adversary can only miss a small number of S-box entries in the encryption, which are likely to be distinct. Nevertheless, this is a shortcoming of our analysis (which is also present in the analysis of [13]).

  8. It is also possible to instantiate our scheme for values of m that do not divide n, as briefly discussed in Sect. 4.4.

  9. This factor is even smaller when considering representation of a fraction of the S-box entries.

References

  1. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Berlin (2004). doi:10.1007/978-3-540-30564-4_16

  2. Biryukov, A.: The boomerang attack on 5 and 6-round reduced AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 11–15. Springer, Berlin (2005). doi:10.1007/11506447_2

  3. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Berlin (2014). doi:10.1007/978-3-662-45611-8_4

  4. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Berlin (2000). doi:10.1007/3-540-45539-6_41

  5. Bogdanov, A., Isobe, T.: White-box cryptography revisited: space-hard ciphers. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 1058–1069. ACM (2015). http://doi.acm.org/10.1145/2810103.2813699

  6. Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Berlin (2003). doi:10.1007/3-540-36492-7_17

  7. Daemen, J.: Limitations of the Even-Mansour construction. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 495–498. Springer, Berlin (1993). doi:10.1007/3-540-57332-1_46

  8. Delerablée, C., Lepoint, T., Paillier, P., Rivain, M.: White-box security notions for symmetric encryption schemes. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 247–264. Springer, Berlin (2014). doi:10.1007/978-3-662-43414-7_13

  9. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on iterated Even-Mansour encryption schemes. J. Cryptology 29(4), 697–728 (2016)

  10. Dunkelman, O., Keller, N., Shamir, A.: Slidex attacks on the Even-Mansour encryption scheme. J. Cryptology 28(1), 1–28 (2015)

  11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)

  12. Fisher, R.A., Yates, F.: Statistical Tables for Biological, Agricultural and Medical Research. Oliver and Boyd, London (1938)

  13. Fouque, P., Karpman, P., Kirchner, P., Minaud, B.: Efficient and provable white-box primitives. IACR Cryptology ePrint Archive 2016, 642 (2016). http://eprint.iacr.org/2016/642

  14. Gilbert, H., Plût, J., Treger, J.: Key-recovery attack on the ASASA cryptosystem with expanding S-boxes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 475–490. Springer, Berlin (2015). doi:10.1007/978-3-662-47989-6_23

  15. Lange, T., Lauter, K.E., Lisoněk, P. (eds.): Selected Areas in Cryptography – SAC 2013. LNCS, vol. 8282. Springer, Berlin (2014). doi:10.1007/978-3-662-43414-7

  16. Lepoint, T., Rivain, M., De Mulder, Y., Roelse, P., Preneel, B.: Two attacks on a white-box AES implementation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 265–285. Springer, Berlin (2014). doi:10.1007/978-3-662-43414-7_14

  17. Minaud, B., Derbez, P., Fouque, P.-A., Karpman, P.: Key-recovery attacks on ASASA. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 3–27. Springer, Berlin (2015). doi:10.1007/978-3-662-48800-3_1

  18. Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Berlin (2015). doi:10.1007/978-3-662-48116-5_9

  19. Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of white-box DES implementations with arbitrary external encodings. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 264–277. Springer, Heidelberg (2007). doi:10.1007/978-3-540-77360-3_17


Corresponding author: Itai Dinur.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Cho, J. et al. (2017). WEM: A New Family of White-Box Block Ciphers Based on the Even-Mansour Construction. In: Handschuh, H. (ed.) Topics in Cryptology – CT-RSA 2017. CT-RSA 2017. Lecture Notes in Computer Science, vol. 10159. Springer, Cham. https://doi.org/10.1007/978-3-319-52153-4_17


  • DOI: https://doi.org/10.1007/978-3-319-52153-4_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-52152-7

  • Online ISBN: 978-3-319-52153-4

  • eBook Packages: Computer Science (R0)
