Attacks and Countermeasures for White-box Designs
In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation and can use static analysis, dynamic analysis and fault analysis to break the cryptosystem, e.g. to extract the embedded secret key. Implementations that are secure in this model have many applications in industry. However, creating such implementations turns out to be a very challenging, if not impossible, task.
Recently, Bos et al. [7] proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack has been applied to many white-box implementations, both from academia and from industry. The attack comes from the area of side-channel analysis, where the most common countermeasure is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations, using the term "masking" in a very broad sense. From these attacks we deduce new constraints that any secure white-box implementation must satisfy.
Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must provide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack of Bos et al. and against a new attack, which we call the algebraic attack.
We present a provably secure first-order protection against the new algebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security, which allows secure gadgets to be combined freely. We derive concrete security bounds for circuits built using our construction.
Keywords: White-box, Obfuscation, Cryptanalysis, Provable security, Masking
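As an added illustration of two ideas in the abstract above (DCA correlating single computation-trace bits with intermediates predicted under each key guess, and masking as a secret sharing built from XOR and AND gadgets), here is a constructed toy in Python. It is not code from the paper or from the authors' white-box tools: the toy cipher (a 5-bit key XORed into the input, followed by the Keccak chi map), the trace format, the key value and every function name are assumptions made for the example, and the gadgets are the standard first-order Boolean (ISW-style) two-share ones, not the construction the paper proposes. The last step, XOR-ing pairs of trace samples before correlating, is the classic second-order combination and is included only to show why a linear secret sharing on its own does not stop an adversary who can combine samples.

```python
"""Toy DCA against an unmasked and a first-order Boolean-masked implementation.
Constructed example, not code from the paper or its authors: the "cipher" is a
5-bit key XORed into a 5-bit input, then the Keccak chi map
b_i = a_i ^ (~a_{i+1} & a_{i+2}). Every intermediate bit is appended to a
computation trace, as DCA records it from an instrumented white-box binary."""
import random

W = 5  # width in bits of key, input and output

def chi(v):
    """Plain chi on a W-bit word; the attacker uses it to predict intermediates."""
    b = [(v >> i) & 1 for i in range(W)]
    return sum((b[i] ^ ((b[(i + 1) % W] ^ 1) & b[(i + 2) % W])) << i for i in range(W))

def chi_unmasked(p, k, rng, trace):
    """Unmasked implementation: every intermediate bit goes straight into the trace."""
    t = [((p ^ k) >> i) & 1 for i in range(W)]
    trace += t
    out = 0
    for i in range(W):
        nt, q = t[(i + 1) % W] ^ 1, (t[(i + 1) % W] ^ 1) & t[(i + 2) % W]
        trace += [nt, q, t[i] ^ q]
        out |= (t[i] ^ q) << i
    return out

# First-order Boolean masking gadgets: a bit x is held as two shares with x == x0 ^ x1.
def m_xor(x, y, trace):
    trace += [x[0] ^ y[0], x[1] ^ y[1]]
    return (x[0] ^ y[0], x[1] ^ y[1])

def m_not(x, trace):
    trace += [x[0] ^ 1, x[1]]
    return (x[0] ^ 1, x[1])

def m_and(x, y, rng, trace):
    """ISW-style masked AND: a fresh mask r is folded into the cross terms in this exact
    order, so no single intermediate value depends on the unshared inputs x and y."""
    r = rng.getrandbits(1)
    c0 = (x[0] & y[0]) ^ r
    u = (r ^ (x[0] & y[1])) ^ (x[1] & y[0])
    c1 = (x[1] & y[1]) ^ u
    trace += [r, x[0] & y[0], c0, x[0] & y[1], r ^ (x[0] & y[1]), x[1] & y[0], u, x[1] & y[1], c1]
    return (c0, c1)

def share(v, rng, trace):
    """Splits each bit of v into two shares using a fresh random mask."""
    s = []
    for i in range(W):
        m = rng.getrandbits(1)
        s.append((m, ((v >> i) & 1) ^ m))
        trace += list(s[-1])
    return s

def chi_masked(p, k, rng, trace):
    """Masked implementation built only from the gadgets above (same function as chi)."""
    t = [m_xor(a, b, trace) for a, b in zip(share(p, rng, trace), share(k, rng, trace))]
    out = 0
    for i in range(W):
        q = m_and(m_not(t[(i + 1) % W], trace), t[(i + 2) % W], rng, trace)
        b = m_xor(t[i], q, trace)
        out |= (b[0] ^ b[1]) << i
    return out

def masked_is_correct(key=0b10110):
    """Sanity check: the masked circuit computes the same function as chi(p ^ key)."""
    return all(chi_masked(p, key, random.Random(p), []) == chi(p ^ key) for p in range(1 << W))

def collect(impl, key, plaintexts, seed=1):
    """Runs impl once per plaintext; returns trace columns, column j packing trace
    position j of every run into one int (bit r = value observed in run r)."""
    rng, traces = random.Random(seed), []
    for p in plaintexts:
        traces.append([])
        impl(p, key, rng, traces[-1])
    return [sum(tr[j] << r for r, tr in enumerate(traces)) for j in range(len(traces[0]))]

def correlation(x, y, n):
    """Pearson correlation of two 0/1 columns of length n packed as ints."""
    sx, sy, sxy = bin(x).count("1"), bin(y).count("1"), bin(x & y).count("1")
    vx, vy = n * sx - sx * sx, n * sy - sy * sy
    return 0.0 if vx == 0 or vy == 0 else (n * sxy - sx * sy) / (vx * vy) ** 0.5

def dca_scores(plaintexts, cols):
    """DCA: for each key guess, sum over output bits the best |corr| between the predicted
    bit and any column. A column equal to the prediction (or its complement) in every run
    scores 1.0, so a key whose intermediates all leak scores exactly W."""
    n, scores = len(plaintexts), {}
    for guess in range(1 << W):
        scores[guess] = 0.0
        for i in range(W):
            pred = sum(((chi(p ^ guess) >> i) & 1) << r for r, p in enumerate(plaintexts))
            scores[guess] += max(abs(correlation(pred, c, n)) for c in cols)
    return scores

def second_order_columns(cols):
    """XOR of every pair of columns: recombines the two shares of a masked bit."""
    return [cols[a] ^ cols[b] for a in range(len(cols)) for b in range(a + 1, len(cols))]

def demo(key=0b10110, runs=400):
    """(best guess, true-key score) for: unmasked/1st order, masked/1st, masked/2nd."""
    codebook = list(range(1 << W))
    s1 = dca_scores(codebook, collect(chi_unmasked, key, codebook))
    pts = random.Random(7).choices(codebook, k=runs)
    cols = collect(chi_masked, key, pts)
    s2, s3 = dca_scores(pts, cols), dca_scores(pts, second_order_columns(cols))
    return [(max(s, key=s.get), s[key]) for s in (s1, s2, s3)]

if __name__ == "__main__":
    for label, res in zip(("unmasked/1st", "masked/1st", "masked/2nd"), demo()):
        print(label, "best guess %05b, true-key score %.3f" % res)
```

On the unmasked implementation the true key is ranked first with the maximal score of 5.0, because each output bit is literally present in the trace. On the masked implementation every single trace sample is independent of the secret (the ISW argument), so first-order DCA gives all 32 guesses a noise-level score. XOR-ing pairs of samples restores the full 5.0 for the true key, since the two shares of each output bit sit in the trace and their XOR is the unshared value. Real DCA traces are built from memory addresses and written data rather than every gate output, and real targets are AES-sized, but the mechanics are the same.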
- 1. Banik, S., Bogdanov, A., Isobe, T., Jepsen, M.: Analysis of software countermeasures for whitebox encryption. IACR Trans. Symmetric Cryptol. 2017(1), 307–328 (2017)
- 3. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_4
- 4. Biryukov, A., Khovratovich, D., Perrin, L.: Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs. IACR Trans. Symmetric Cryptol. 2016(2), 226–247 (2017)
- 6. Biryukov, A., Udovenko, A.: White-box Tools (2018). https://github.com/cryptolu/whitebox
- 7. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_11
- 10. Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. Cryptology ePrint Archive, Report 2006/468 (2006). http://eprint.iacr.org/2006/468
- 12. Carlet, C.: Boolean functions for cryptography and error-correcting codes. Encyclopedia of Mathematics and its Applications, pp. 257–397. Cambridge University Press, Cambridge (2010)
- 13. Carmer, B., Malozemoff, A.J., Raykova, M.: 5Gen-C: multi-input functional encryption and program obfuscation for arithmetic circuits. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 747–764. ACM, New York (2017)
- 17. ECRYPT-CSA Consortium: CHES 2017 Capture The Flag Challenge. The WhibOx Contest (2017). http://whibox.cr.yp.to/
- 20. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pp. 40–49, October 2013
- 22. Goubin, L., Paillier, P., Rivain, M., Wang, J.: Reveal secrets in Adoring Poitras. A victory of reverse engineering and cryptanalysis over challenge 777. CHES 2017 Rump Session, slides (2017). https://ches.2017.rump.cr.yp.to/a905c99d1845f2cf373aad564ac7b5e4.pdf
- 23. Goubin, L., Paillier, P., Rivain, M., Wang, J.: How to reveal the secrets of an obscure white-box implementation. Cryptology ePrint Archive, Report 2018/098 (2018). https://eprint.iacr.org/2018/098
- 24. Hubain, C., et al.: Side-Channel Marvels (2016). https://github.com/SideChannelMarvels
- 28. Lepoint, T., Rivain, M.: Another nail in the coffin of white-box AES implementations. Cryptology ePrint Archive, Report 2013/455 (2013). http://eprint.iacr.org/2013/455
- 31. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 7.3) (2016). http://www.sagemath.org
- 32. Warrens, M.J., et al.: Similarity coefficients for binary data: properties of coefficients, coefficient matrices, multi-way metrics and multivariate coefficients. Psychometrics and Research Methodology Group, Leiden University Institute for Psychological Research, Faculty of Social Sciences, Leiden University (2008)
- 33. Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2009 2nd International Conference on Computer Science and its Applications, pp. 1–6, December 2009