White-Box Cryptography and an AES Implementation

  • Stanley Chow
  • Philip Eisen
  • Harold Johnson
  • Paul C. Van Oorschot
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2595)


Conventional software implementations of cryptographic algorithms are totally insecure where a hostile user may control the execution environment, or where co-located with malicious software. Yet current trends point to increasing usage in environments so threatened. We discuss encrypted-composed-function methods intended to provide a practical degree of protection against white-box (total access) attacks in untrusted execution environments. As an example, we show how aes can be implemented as a series of lookups in key-dependent tables. The intent is to hide the key by a combination of encoding its tables with random bijections representing compositions rather than individual steps, and extending the cryptographic boundary by pushing it out further into the containing application. We partially justify our aes implementation, and motivate its design, by showing how removal of parts of the recommended implementation allows specified attacks, including one utilizing a pattern in the aes SubBytes table.


Lookup Table Malicious Software Malicious Host Output Encodings Input Encodings 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    J. Algesheimer, C. Cachin, J. Camenisch, G. Karjoth, Cryptographic Security for Mobile Code, pp. 2–11 in Proceedings of the 2001 ieee Symposium on Security and Privacy, May 2001.Google Scholar
  2. 2.
    R.J. Anderson, M.G. Kuhn, Low Cost Attacks on Tamper-Resistant Devices, pp. 125–136, 5th International Workshop on Security Protocols (lncs 1361), Springer 1997.Google Scholar
  3. 3.
    B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, K. Yang, On the (Im)possibility of Obfuscating Programs, pp. 1–18, Advances in Cryptology-Crypto 2001 (lncs 2139), Springer-Verlag, 2001.Google Scholar
  4. 4.
    E. Biham, A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, pp. 513–525, Advances in Cryptology-Crypto’ 97 (lncs 1294), Springer-Verlag, 1997. Revised: Technion-C.S. Dept.-Technical Report CS0910-revised, 1997.CrossRefGoogle Scholar
  5. 5.
    E. Biham, A. Shamir, Power Analysis of the Key Scheduling of the aes Candidates, presented at the 2nd aes Candidate Conference, Rome, Mar. 22-23 1999.Google Scholar
  6. 6.
    D. Boneh, R.A. DeMillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, J. Cryptology 14(2), pp. 101–119, 2001.MathSciNetCrossRefGoogle Scholar
  7. 8.
    S. Chari, C. Jutla, J.R. Rao, P. Rohatgi, A Cautionary Note Regarding Evaluation of aes Candidates on Smart-Cards, presented at the Second aes Candidate Conference, Rome, Italy, March 22-23, 1999.Google Scholar
  8. 9.
    S. Chow, P. Eisen, H. Johnson, P.C. van Oorschot, A White-Box des Implementation for drm Applications, Proceedings of drm 2002-2nd acm Workshop on Digital Rights Management, Nov. 18, 2002 (Springer-Verlag lncs, to appear).Google Scholar
  9. 10.
    S. Chow, Y. Gu, H. Johnson, V.A. Zakharov, An Approach to the Obfuscation of Control-Flow of Sequential Computer Programs, pp. 144–155, Proceedings of isc 2001-Information Security, 4th International Conference (Malaga, Spain, 1-3 October 2001), lncs 2200, Springer-Verlag, 2001.Google Scholar
  10. 11.
    F. Cohen, Operating System Protection Through Program Evolution, Computers and Security 12(6), 1 Oct. 1993, pp. 565–584.CrossRefGoogle Scholar
  11. 12.
    J. Daemen, V. Rijmen, Resistance Against Implementation Attacks: A Comparative Study of the aes proposals, presented at the Second aes Candidate Conference, Rome, Italy, March 22-23, 1999.Google Scholar
  12. 13.
    J. Daemen, M. Peeters, G. [van Assche, Bitslice Ciphers and Power Analysis Attacks, pp. 134–149, 7th International Workshop on Fast Software Encryption-fse 2000 (lncs 1978), Springer-Verlag, 2000.Google Scholar
  13. 14.
    J. Daemen, V. Rijmen, aes Proposal: Rijndael,, 1999.
  14. 15.
    J. Daemen, V. Rijmen, The Design of Rijndael: aes-The Advanced Encryption Standard, Springer, 2001.Google Scholar
  15. 16.
    S. Forrest, A. Somayaji, D. H. Ackley, Building Diverse Computer Systems, pp. 67–72, Proceedings of the 6th Workshop on Hot Topics in Operating Systems, ieee Computer Society Press, 1997.Google Scholar
  16. 17.
    M. Jakobsson, M.K. Reiter, Discouraging Software Piracy Using Software Aging, pp. 1–12, Security and Privacy in Digital Rights Management-acm ccs-8 Workshop drm 2001 (lncs 2320), Springer-Verlag, 2002.Google Scholar
  17. 18.
    P.C. Kocher, Timing Attacks against Implementations of Di.e-Hellman, RSA, DSS, and Other Systems, pp. 104–113, Advances in Cryptology-Crypto’ 96 (lncs 1109), Springer-Verlag, 1996.Google Scholar
  18. 19.
    P. Kocher, J. Jaffe, B. Jun, Differential Power Analysis, pp. 388–397, Advances in Cryptology-Crypto’ 99 (lncs 1666), Springer-Verlag, 1999.Google Scholar
  19. 20.
    O. Kömmerling, M.G. Kuhn, Design Principles for Tamper-Resistant Smartcard Processors, pp. 9–20, Proceedings of the usenix Workshop on Smartcard Technology (Smartcard’ 99), usenix Association, isbn 1-880446-34-0, 1999.Google Scholar
  20. 21.
    P. L’Ecuyer, Efficient and Portable Combined Random Number Generators, Communications of the acm 31(6), pp. 742–749, 1988.MathSciNetCrossRefGoogle Scholar
  21. 24.
    T. Sander, C.F. Tschudin, Towards Mobile Cryptography, pp. 215–224, Proceedings of the 1998 ieee Symposium on Security and Privacy.Google Scholar
  22. 25.
    T. Sander, C.F. Tschudin, Protecting Mobile Agents Against Malicious Hosts, pp. 44–60, Mobile Agent Security (lncs 1419), Springer-Verlag, 1998.Google Scholar
  23. 26.
    N. van Someren, A. Shamir, Playing Hide and Seek with Keys, pp. 118–124, Financial Cryptography’ 99 (lncs 1648), Springer-Verlag, 1999.Google Scholar
  24. 27.
    C. Wang, A Security Architecture for Survivability Mechanisms, Doctoral thesis, University of Virginia, October 2000.Google Scholar
  25. 28.
    J. Xiao, Y. Zhou, Generating Large Non-Singular Matrices over an Arbitrary Field with Blocks of Full Rank, Cryptology ePrint Archive (, no. 2002/096.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Stanley Chow
    • 1
  • Philip Eisen
    • 1
  • Harold Johnson
    • 1
  • Paul C. Van Oorschot
    • 1
  1. 1.Cloakware CorporationOttawaCanada

Personalised recommendations