White-Box AES Implementation Revisited

  • Baek, Chung Hun (Department of Mathematical Sciences, Seoul National University (SNU)) ;
  • Cheon, Jung Hee (Department of Mathematical Sciences, Seoul National University (SNU)) ;
  • Hong, Hyunsook (Department of Mathematical Sciences, Seoul National University (SNU))
  • Received : 2015.03.02
  • Accepted : 2015.06.11
  • Published : 2016.06.30

Abstract

White-box cryptography presented by Chow et al. is an obfuscation technique for protecting secret keys in software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms. Despite its practical importance, progress has not been substantial. In fact, it is repeated that as a proposal for a white-box implementation is reported, an attack of lower complexity is soon announced. This is mainly because most cryptanalytic methods target specific implementations, and there is no general attack tool for white-box cryptography. In this paper, we present an analytic toolbox on white-box implementations of the Chow et al.'s style using lookup tables. According to our toolbox, for a substitution-linear transformation cipher on $n$ bits with S-boxes on $m$ bits, the complexity for recovering the $O\left((3n/\max(m_Q,m))\,2^{3\max(m_Q,m)}+2\min\left\{(n/m)L^{m+3}2^{2m},\;(n/m)L^{3}2^{3m}+n\log L\cdot 2^{L/2}\right\}\right)$, where $m_Q$ is the input size of nonlinear encodings, $m_A$ is the minimized block size of linear encodings, and $L=\operatorname{lcm}(m_A,m_Q)$. As a result, a white-box implementation in the Chow et al.'s framework has complexity at most $O\left(\min\left\{(2^{2m}/m)\,n^{m+4},\;n\log n\cdot 2^{n/2}\right\}\right)$ which is much less than $2^n$. To overcome this, we introduce an idea that obfuscates two advanced encryption standard (AES)-128 ciphers at once with input/output encoding on 256 bits. To reduce storage, we use a sparse unsplit input encoding. As a result, our white-box AES implementation has up to 110-bit security against our toolbox, close to that of the original cipher. More generally, we may consider a white-box implementation of the $t$ parallel encryption of AES to increase security.

Acknowledgement

Supported by: IITP (Institute for Information & communications Technology Promotion), National Research Foundation of Korea

References

  1. K. Gandolfi, C. Mourtel, and F. Olivier, "Electromagnetic analysis: Concrete results," in Proc. CHES, May 2001, pp. 251-261.
  2. P. Kocher, "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," in Proc. CRYPTO, Aug. 1996, pp. 104-113.
  3. P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proc. CRYPTO, Aug. 1999, pp. 388-397.
  4. R. Novak, "SPA-based adaptive chosen-ciphertext attack on RSA implementation," in Proc. PKC, Feb. 2002, pp. 252-262.
  5. J.-J. Quisquater and D. Samyde, "Electromagnetic analysis (EMA): Measures and counter-measures for smart cards," in Proc. Smart Card Programming and Security, 2001, pp. 200-210.
  6. S. Chow, P. Eisen, H. Johnson, and P. C. V. Oorschot, "White-box cryptography and an AES implementation," in Proc. SAC, Aug. 2002, pp. 250-270.
  7. S. Chow, P. Eisen, H. Johnson, and P. C. van Oorschot, "A white-box DES Implementation for DRM Applications," in Proc. DRM, Nov. 2003, pp. 1-15.
  8. B. Wyseur, W. Michiels, P. Gorissen, and B. Preneel, "Cryptanalysis of white-box DES implementations with arbitrary external encodings," in Proc. SAC, Aug. 2007, pp. 264-277.
  9. T. Lepoint, M. Rivain, Y. D. Mulder, P. Roelse, and B. Preneel, "Two attacks on a white-box AES Implementation," in Proc. SAC, Aug. 2013, pp. 265-285.
  10. Y. Xiao and X. Lai, "A secure implementation of white-box AES," in Proc. IEEE CSA, Dec. 2009, pp. 1-6.
  11. M. Karroumi, "Protecting white-box AES with dual ciphers," in Proc. ICISC, Dec. 2010, pp. 278-291.
  12. Y. D. Mulder, P. Roelse, and B. Preneel, "Cryptanalysis of the Xiao-Lai white-box AES implementation," in Proc. SAC, Aug. 2012, pp. 34-49.
  13. C. Delerablee, T. Lepoint, P. Paillier, and M. Rivain, "White-box security notions for symmetric encryption schemes," in Proc. SAC, Aug. 2013, pp. 247-264.
  14. A. Saxena, B. Wyseur, and B. Preneel, "Towards security notions for white-box cryptography," in Proc. Inf. Security, Sept. 2009, pp. 49-58.
  15. B. Wyseur, "White-box cryptography," Ph.D. thesis, Katholieke Universiteit Leuven, 2009.
  16. A. Biryukov, C. Bouillaguet, and D. Khovratovich, "Cryptographic schemes based on the ASASA structure: Black-box, white-box, and public-key," in Proc. ASIACRYPT, Dec. 2014, pp. 63-84.
  17. A. Biryukov and A. Shamir, "Structural Cryptanalysis of SASAS," in Proc. EUROCRYPT, May 2001, pp. 395-405.
  18. O. Billet, H. Gilbert, and C. Ech-Chatbi, "Cryptanalysis of a white box AES implementation," in Proc. SAC, Aug. 2004, pp. 227-240.
  19. A. Biryukov, C. D. Canniere, A. Braeken, and B. Preneel, "A toolbox for cryptanalysis: Linear and affine equivalence algorithms," in Proc. EUROCRYPT, May 2003, pp. 33-50.
  20. W. Michiels, P. Gorissen, and H. D. L. Hollmann, "Cryptanalysis of a generic class of white-box implementations," in Proc. SAC, Aug. 2008, pp. 414-428.
  21. I. Dinur, O. Dunkelman, N. Keller, and A. Shamir, "Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems," in Proc. CRYPTO, Aug. 2012, pp. 719-740.
  22. J.-S. Coron, D. Naccache, and M. Tibouchi, "Public key compression and modulus switching for fully homomorphic encryption over the integers," in Proc. EUROCRYPT, Apr. 2012, pp. 446-464.
  23. C. Gentry and S. Halevi, "Implementing Gentry's fully-homomorphic encryption scheme," in Proc. EUROCRYPT, May 2011, pp. 129-148.
  24. N. Smart and F. Vercauteren, "Fully homomorphic SIMD operations," Designs, Codes and Cryptography, vol. 71, no. 1, pp. 57-81, 2014. https://doi.org/10.1007/s10623-012-9720-4
  25. R. Schroeppel and A. Shamir, "A $T \cdot S^2 = O(2^n)$ time/space tradeoff for certain NP-complete problems," in Proc. IEEE Foundations of Computer Science, Oct. 1979, pp. 328-336.