White-box AES implementation revisited

White-box cryptography, presented by Chow et al., is an obfuscation technique for protecting secret keys in software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platform. Despite its practical importance, progress has not been substantial. Repeatedly, whenever a proposal for a white-box implementation is reported, an attack of lower complexity is soon announced. This is mainly because most cryptanalytic methods target specific implementations, and there is no general attack tool for white-box cryptography. In this paper, we present an analytic toolbox on white-box implementations in the style of Chow et al. using lookup tables. According to our toolbox, for a substitution-linear transformation cipher on $n$ bits with S-boxes on $m$ bits, the complexity for recovering the key obfuscated in the white-box implementation is $O\left((3n/\max(m_Q,m))\,2^{3\max(m_Q,m)} + 2\min\left\{(n/m)\,L^{m+3}\,2^{2m},\ (n/m)\,L^{3}\,2^{3m} + n\log L\cdot 2^{L/2}\right\}\right)$, where $m_Q$ is the input size of nonlinear encodings, $m_A$ is the minimized block size of linear encodings, and $L = \mathrm{lcm}(m_A, m_Q)$. As a result, a white-box implementation in the framework of Chow et al. has complexity at most $O\left(\min\left\{(2^{2m}/m)\,n^{m+4},\ n\log n\cdot 2^{n/2}\right\}\right)$, which is much less than $2^{n}$. To overcome this, we introduce an idea that obfuscates two Advanced Encryption Standard (AES)-128 ciphers at once with input/output encoding on 256 bits. To reduce storage, we use a sparse unsplit input encoding. As a result, our white-box AES implementation has up to 110-bit security against our toolbox, close to that of the original cipher. More generally, we may consider a white-box implementation of $t$ parallel encryptions of AES to increase security.
