A White-Box Masking Scheme Resisting Computational and Algebraic Attacks

White-box cryptography attempts to protect cryptographic secrets in pure software implementations. Because of their high utility, white-box cryptosystems (WBC) are deployed even though their secure construction is not well understood. A major breakthrough in the generic cryptanalysis of WBC was Differential Computation Analysis (DCA), which requires minimal knowledge of the underlying white-box protection and also defeats many obfuscation methods. To avert DCA, classic masking countermeasures, originally intended to protect against the closely related side-channel attacks, have been proposed for use in WBC. However, because of the attacker-controlled execution environment of WBC, new algebraic attacks able to break all classic masking schemes have quickly been found. These algebraic DCA attacks break classic masking countermeasures efficiently, as their cost is independent of the masking order. In this work, we propose a novel generic masking scheme that resists both DCA and algebraic attacks. The proposed scheme extends the seminal work by Ishai et al., which is probing secure and thus resists DCA, to also resist algebraic attacks. To prove the security of our scheme, we demonstrate the connection between two main security notions in white-box cryptography: side-channel analysis (SCA) security and prediction security. Resistance of our masking scheme to DCA is proven for an arbitrary order of protection. Our masking scheme also resists algebraic attacks, which we show concretely for first- and second-order algebraic protection, and we show how it can be generalized to any order. Moreover, we present an extensive performance analysis and quantify the overhead of our scheme for a proof-of-concept protection of an AES implementation.
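The "classic masking" the abstract builds on is the Boolean share-based scheme of Ishai et al. (Private Circuits, CRYPTO 2003). The following added example, which is not code from the paper and does not reproduce the paper's own scheme, implements that base scheme for single bits at an arbitrary order d: a bit is split into d+1 shares, XOR is computed share-wise, and AND uses the ISW gadget with fresh randomness. Two checks are included: the gadgets recombine to the right value, and any d of the d+1 shares are statistically independent of the secret (the probing-security property that makes DCA fail). The recombination function itself makes the abstract's other point visible: the secret is always the XOR, a GF(2)-linear function, of all shares, and raising d only adds terms to that sum. Function names and the seeded-RNG parameters are this example's own choices.

```python
"""ISW-style Boolean masking of single bits (Ishai, Sahai, Wagner, CRYPTO 2003).
Added illustration of the classic masking the abstract refers to; it is not the
paper's code and does not implement the paper's algebraic-attack-resistant scheme."""
import random
import secrets
from itertools import combinations
from typing import Callable, List

Share = int            # each share is one bit, 0 or 1
RandBit = Callable[[int], int]   # rng(1) -> one random bit (e.g. secrets.randbits)


def mask(bit: int, d: int, rng: RandBit = secrets.randbits) -> List[Share]:
    """Split one bit into d+1 shares whose XOR equals the bit.
    d is the masking order: d shares are uniform random, the last one fixes the parity."""
    shares = [rng(1) for _ in range(d)]
    last = bit
    for s in shares:
        last ^= s
    return shares + [last]


def unmask(shares: List[Share]) -> int:
    """Recombine: the secret is the XOR of all shares.
    This is a GF(2)-linear function of the shares for every order d, which is the
    structure the abstract's algebraic attacks exploit in a white-box setting."""
    out = 0
    for s in shares:
        out ^= s
    return out


def masked_xor(a: List[Share], b: List[Share]) -> List[Share]:
    """XOR is linear, so it is applied share-wise and needs no randomness."""
    return [x ^ y for x, y in zip(a, b)]


def masked_and(a: List[Share], b: List[Share], rng: RandBit = secrets.randbits) -> List[Share]:
    """ISW AND gadget on d+1 shares.
    For i<j: r_ij is fresh random, r_ji = (r_ij ^ a_i b_j) ^ a_j b_i.
    c_i = a_i b_i ^ XOR_{j != i} r_ij.  The fresh r_ij keep every set of d
    intermediate values independent of the secrets (probing security)."""
    n = len(a)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng(1)
            r[j][i] = (r[i][j] ^ (a[i] & b[j])) ^ (a[j] & b[i])
    c = []
    for i in range(n):
        ci = a[i] & b[i]
        for j in range(n):
            if j != i:
                ci ^= r[i][j]
        c.append(ci)
    return c


def check_gadgets(d: int, seed: int) -> bool:
    """Exhaustively check masked AND/XOR at order d for all 1-bit inputs (seeded RNG)."""
    rng = random.Random(seed).getrandbits
    for a in (0, 1):
        for b in (0, 1):
            if unmask(masked_and(mask(a, d, rng), mask(b, d, rng), rng)) != (a & b):
                return False
            if unmask(masked_xor(mask(a, d, rng), mask(b, d, rng))) != (a ^ b):
                return False
    return True


def d_shares_balanced(d: int, trials: int, seed: int, tol: float = 0.05) -> bool:
    """Probing-security check: for every subset of d out of d+1 shares, the XOR of
    that subset is (close to) uniform whether the secret is 0 or 1, so observing
    any d shares gives no information about the secret."""
    rng = random.Random(seed).getrandbits
    for secret in (0, 1):
        for subset in combinations(range(d + 1), d):
            ones = 0
            for _ in range(trials):
                shares = mask(secret, d, rng)
                ones += unmask([shares[i] for i in subset])
            if abs(ones / trials - 0.5) > tol:
                return False
    return True


if __name__ == "__main__":
    for order in (1, 2, 3):
        print(f"order {order}: gadgets correct = {check_gadgets(order, order)}, "
              f"any {order} shares balanced = {d_shares_balanced(order, 4000, order)}")
```

The balance check passes at every order because each d-subset of shares is independent of the secret; that is the probing-security argument behind DCA resistance. The same code also shows why that argument alone is not enough in the white-box model: an adversary who can read all d+1 shares at once recovers the secret by the fixed linear map in `unmask`, and increasing d does not change the form of that map, only its length.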
