How to reveal the secrets of an obscure white-box implementation

  • Louis Goubin
  • Pascal Paillier
  • Matthieu Rivain
  • Junwei WangEmail author
Regular Paper


White-box cryptography (WBC) protects key extraction from software implementations of cryptographic primitives. Many academic works have been done achieving partial results toward WBC, but a complete solution has not been found yet by the cryptography community. As a result, the industry can only on proprietary and non-publicly scrutinized white-box implementations. It is therefore of interest to investigate the obtainable resistance of an AES implementation to thwart a white-box adversary in this paradigm. To this purpose, the ECRYPT CSA project has organized the WhibOx contest as the catch the flag challenge of CHES 2017. Researchers and engineers were invited to participate either as designers by submitting the source code of an AES-128 white-box implementation with a freely chosen key, or as breakers by trying to extract the hard-coded keys in the submissions. The participants were not expected to disclose their identities or the underlying designing/attacking techniques. In the end, 94 submitted challenges were all broken, and only 13 of them held more than one day. The strongest (in terms of surviving time) implementation survived for 28 days (which is more than twice as much as the second one). It was only broken by the authors of the present paper with reverse engineering and algebraic analysis. In this paper, we give a detailed description of the different steps of our cryptanalysis. We then generalize it to an attack methodology to break further obscure white-box implementations. In particular, we formalize and generalize the linear decoding analysis that we use to extract the key from the encoded intermediate variables of the target challenge.


White-box cryptography WhibOX contest Linear decoding analysis Reverse engineering 



The fourth author has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement No. 643161.


  1. 1.
    CHES 2017 Capture the Flag Challenge—The WhibOx Contest, an ECRYPT white-box cryptography competition. Accessed Oct 2017
  2. 2.
    ISO/IEC 8859-1:1998: Information technology—8-bit single-byte coded graphic character sets—Part 1: Latin Alphabet No. 1. Accessed Oct 2017
  3. 3.
    WhibOx 2016: White-box cryptography and obfuscation. Accessed Oct 2017
  4. 4.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001, LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)Google Scholar
  5. 5.
    Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) Coding and Cryptology—Third International Workshop, IWCC 2011, Qingdao, China, May 30–June 3, 2011. Proceedings, Lecture Notes in Computer Science, vol. 6639, pp. 11–46. Springer (2011)Google Scholar
  6. 6.
    Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, A. (eds.) SAC 2004, LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Biryukov, A., Udovenko, A.: Attacks and countermeasures for white-box designs. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology—ASIACRYPT 2018. Lecture Notes in Computer Science, vol. 11273, pp. 373–402. Springer, Cham (2018).
  8. 8.
    Bogdanov, A., Rivain, M., Vejre, P.S., Wang, J.: Higher-order DCA against standard side-channel countermeasures. In: Polian, I., Stöttinger, M. (eds.) Constructive Side-Channel Analysis and Secure Design. Lecture Notes in Computer Science, vol. 11421, pp. 118–141. Springer, Cham (2019).
  9. 9.
    Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016, LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016)Google Scholar
  10. 10.
    Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. Cryptology ePrint Archive, Report 2006/468. (2006)
  11. 11.
    Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: A white-box des implementation for DRM applications. In: Digital Rights Management Workshop, vol. 2696, pp. 1–15. Springer (2002)Google Scholar
  12. 12.
    Chow, S., Eisen, P.A., Johnson, H., van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002, LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003)Google Scholar
  13. 13.
    Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Department of Computer Science, The University of Auckland, New Zealand, Technical report (1997)Google Scholar
  14. 14.
    Daemen, J., Rijmen, V.: AES—The Advanced Encryption Standard: The Design of Rijndael. Springer, Berlin (2013)zbMATHGoogle Scholar
  15. 15.
    Delerablée, C., Lepoint, T., Paillier, P., Rivain, M.: White-box security notions for symmetric encryption schemes. In: Lange, T., Lauter, K., Lisonek, P. (eds.) SAC 2013, LNCS, vol. 8282, pp. 247–264. Springer, Heidelberg (2014)Google Scholar
  16. 16.
    Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013, LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)Google Scholar
  17. 17.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press (2013)Google Scholar
  18. 18.
    Golub, G., Van Loan, C.: Matrix Computations. Johns Hopkins Studies in the Mathematical Sciences. Johns Hopkins University Press, Baltimore (1996)Google Scholar
  19. 19.
    Goubin, L., Masereel, J.-M., Quisquater, M.: Cryptanalysis of white box DES implementations. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007, LNCS, vol. 4876, pp. 278–295. Springer, Heidelberg (2007)Google Scholar
  20. 20.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003, LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)Google Scholar
  21. 21.
    Jacob, M., Boneh, D., Felten, E.: Attacking an obfuscated cipher by injecting faults. In: Digital Rights Management Workshop, vol. 2696, pp. 16–31. Springer (2002)Google Scholar
  22. 22.
    Karroumi, M.: Protecting white-box AES with dual ciphers. In: Rhee, K.H., Nyang, D. (eds.) ICISC 10, LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011)Google Scholar
  23. 23.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO’99, LNCS, vol. 1666, pp. 388–397, Springer, Heidelberg (1999)Google Scholar
  24. 24.
    Lepoint, T., Rivain, M.: Another nail in the coffin of white-box AES implementations. Cryptology ePrint Archive, Report 2013/455. (2013)
  25. 25.
    Lepoint, T., Rivain, M., Mulder, Y.D., Roelse, P., Preneel, B.: Two attacks on a white-box AES implementation. In: Lange, T., Lauter, K., Lisonek, P. (eds.) SAC 2013, LNCS, vol. 8282, pp. 265–285. Springer, Heidelberg (2014)Google Scholar
  26. 26.
    Lin, H.: Indistinguishability obfuscation from constant-degree graded encoding schemes. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I, LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016)Google Scholar
  27. 27.
    Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I, LNCS, vol. 10401. Springer, Heidelberg, pp. 599–629 (2017)Google Scholar
  28. 28.
    Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I, LNCS, vol. 10401, pp. 630–660. Springer, Heidelberg (2017)Google Scholar
  29. 29.
    Link, H.E., Neumann, W.D.: Clarifying obfuscation: improving the security of white-box des. In: International Conference on Information Technology: Coding and Computing (ITCC’05)—Volume II, vol. 1, pp. 679–684 (2005)Google Scholar
  30. 30.
    Mulder, Y.D., Roelse, P., Preneel, B.: Cryptanalysis of the Xiao-Lai white-box AES implementation. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012, LNCS, vol. 7707, pp. 34–49. Springer, Heidelberg (2013)Google Scholar
  31. 31.
    Mulder, Y.D., Roelse, P., Preneel, B.: Revisiting the BGE attack on a white-box AES implementation. Cryptology ePrint Archive, Report 2013/450. (2013)
  32. 32.
    Mulder, Y.D., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated white-box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010, LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010)Google Scholar
  33. 33.
    Newman, M.E.J.: Fast algorithm for detecting community structure in networks. Phys. Rev. E 69, 066133 (2004)CrossRefGoogle Scholar
  34. 34.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010, LNCS, vol. 6225, , pp. 413–427. Springer, Heidelberg (2010)Google Scholar
  35. 35.
    Rolles, R.: Unpacking virtualization obfuscators. In: Proceedings of the 3rd USENIX conference on offensive technologies (Berkeley, CA, USA), WOOT’09, p. 1. USENIX Association (2009)Google Scholar
  36. 36.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press (2014)Google Scholar
  37. 37.
    Sanfelix, E., Mune, C., Haas, J.D.: Unboxing the white-box—practical attacks against obfuscated ciphers. (2015). Accessed Oct 2017
  38. 38.
    Saxena, A., Wyseur, B., Preneel, B.: Towards security notions for white-box cryptography. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009, LNCS, vol. 5735, pp. 49–58. Springer, Heidelberg (2009)Google Scholar
  39. 39.
    Strassen, V.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)MathSciNetCrossRefzbMATHGoogle Scholar
  40. 40.
    Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of white-box DES implementations with arbitrary external encodings. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007, LNCS, vol. 4876, pp. 264–277. Springer, Heidelberg (2007)Google Scholar
  41. 41.
    Xiao, Y., Lai, X.: A secure implementation of white-box aes. In: 2nd International Conference on Computer Science and its Applications, 2009. CSA’09. IEEE, pp. 1–6 (2009)Google Scholar
  42. 42.
    Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.: A generic approach to automatic deobfuscation of executable code. In: 2015 IEEE Symposium on Security and Privacy, pp. 674–691. IEEE Computer Society Press (2015)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Laboratoire de Mathématiques de Versailles, UVSQ, CNRSUniversité Paris-SaclayVersaillesFrance
  2. 2.CryptoExpertsParisFrance
  3. 3.University of LuxembourgEsch-sur-AlzetteLuxembourg
  4. 4.University Paris 8Saint-DenisFrance

Personalised recommendations