White-Box Cryptography Revisited: Space-Hard Ciphers

The need for software security in untrusted environments is ever increasing. White-box cryptography aims to ensure the security of cryptographic algorithms when the attacker has full access to their implementations. However, there is no secure white-box implementation of standard block ciphers such as DES and AES known to date: All published techniques have been practically broken. In this paper, we revisit white-box cryptography and propose a family of white-box secure block ciphers SPACE with several novel features. The design of SPACE is such that the key-extraction security in the white box reduces to the well-studied problem of key recovery for block ciphers (AES in our example) in the standard black-box setting. Moreover, to mitigate code lifting, we introduce the notion of space hardness. It measures the difficulty of compressing the white-box implementation of a cipher, and quantifies security against code lifting by the amount of code that needs to be extracted from the implementation by a white-box attacker to maintain its functionality. SPACE includes several variants with different white-box code sizes. Therefore, it is applicable to a wide range of environments and use cases. One of the variants called N-SPACE can be implemented with different code sizes while keeping the cipher itself unchanged. SPACE offers a high level of space hardness: It is difficult to find a compact but still functional representation of SPACE given its white-box implementation. This property has several useful consequences for applications. First, it gets more challenging for a DRM attacker (e.g. in a pay TV setting) to scale a code-lifting attack and to distribute the break. Moreover, this paves the way for mass-surveillance resistant cryptography: If a large proportion of users dedicates a significant part of their computers' storage (e.g. HDD) to white-box SPACE implementations, it will be much more complex or even infeasible for governmental agencies to deal with the keys of all users simultaneously due to the limited storage available, forcing them to focus on targeted attacks instead. This consequence is especially important given Snowden's revelations on the extent of the mass surveillance practice by NSA and GCHQ. Finally, the usage of SPACE ciphers can mitigate the damage of having malware in security-critical systems such as networks processing top-secret data: As those are typically insulated from the Internet, the capacity of the communication channel from inside to outside the system is often limited, making it infeasible for Trojans to transmit the necessary key material.
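
The space-hardness notion described above, as an added example (not code from the paper): a toy 16-bit Feistel cipher whose round function is a single key-dependent lookup table, used to measure how many plaintexts remain encryptable when only part of the table has been extracted. The table layout, the round count and the HMAC-SHA256 stand-in for the underlying block cipher are assumptions made here and are not the SPACE specification.

```python
from __future__ import annotations

import hashlib
import hmac

ROUNDS = 8          # assumed round count for this toy cipher
TABLE_SIZE = 256    # lookup table: 8-bit input -> 8-bit output

def build_table(key: bytes) -> dict[int, int]:
    """White-box table with the key baked into its entries.
    HMAC-SHA256 stands in for the underlying block cipher (assumption)."""
    return {x: hmac.new(key, bytes([x]), hashlib.sha256).digest()[0]
            for x in range(TABLE_SIZE)}

def encrypt(block: int, table: dict[int, int]) -> int | None:
    """Balanced Feistel on a 16-bit block; None if a needed entry is missing."""
    left, right = block >> 8, block & 0xFF
    for _ in range(ROUNDS):
        if right not in table:
            return None          # lifted code cannot finish this encryption
        left, right = right, left ^ table[right]
    return (left << 8) | right

def lifted_coverage(key: bytes, entries_lifted: int) -> float:
    """Fraction of all 2^16 plaintexts that encrypt correctly when only the
    first `entries_lifted` table entries were extracted."""
    full = build_table(key)
    partial = {x: full[x] for x in range(entries_lifted)}
    ok = sum(encrypt(p, partial) is not None for p in range(1 << 16))
    return ok / (1 << 16)

def heuristic_coverage(entries_lifted: int) -> float:
    """Estimate that treats the ROUNDS lookups as independent table hits."""
    return (entries_lifted / TABLE_SIZE) ** ROUNDS

if __name__ == "__main__":
    key = b"constructed demo key"   # constructed sample key
    for n in (64, 128, 192, 224, 256):
        print(n, lifted_coverage(key, n), heuristic_coverage(n))
```

In this toy setting an attacker holding half of the table can encrypt at most a quarter of all plaintexts, and the independent-lookup estimate puts the figure near 0.4%; keeping the cipher functional requires extracting nearly the whole table.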
