A Tutorial on White-Box AES
White-box cryptography concerns the design and analysis of implementations of cryptographic algorithms engineered to execute on untrusted platforms. Such implementations are said to operate in a white-box attack context. This is an attack model where all details of the implementation are completely visible to an attacker: not only do they see input and output, they see every intermediate computation that happens along the way. The goal of a white-box attacker when targeting an implementation of a cipher is typically to extract the cryptographic key; thus, white-box implementations have been designed to thwart this goal (i.e., to make key extraction difficult or infeasible). The academic study of white-box cryptography was initiated in 2002 in the seminal work of Chow et al. (White-box cryptography and an AES implementation. In: Selected areas in cryptography: 9th annual international workshop, SAC 2002. Lecture notes in computer science, vol 2595, pp 250–270, 2003). Here, we review the first white-box AES implementation proposed by Chow et al. and give detailed information on how to construct it. We provide a number of diagrams that summarize the flow of data through the various look-up tables in the implementation, which helps clarify the overall design. We then briefly review the impressive 2004 cryptanalysis by Billet et al. (Cryptanalysis of a white box AES implementation. In: Selected areas in cryptography: 11th international workshop, SAC 2004. Lecture notes in computer science, vol 3357, pp 227–240, 2005). The BGE attack can be used to extract an AES key from Chow et al.'s original white-box AES implementation with a work factor of about 2^30, and this fact has motivated subsequent work on improved AES implementations.
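The abstract describes the two ingredients of the Chow et al. design that the rest of the tutorial builds on: a round key byte is folded into a look-up table (a T-box computing S(x XOR k)), and every table is wrapped in random input and output encodings so that the naked, key-bearing table never appears in memory. The following Python is an added illustration written for this page; it is not code from the paper or from Chow et al. It generates the AES S-box from its FIPS 197 definition, builds one T-box for a constructed key byte (0x2B), wraps it in encodings made of two independent 4-bit bijections per byte (the nibble-encoding shape of the original design, with a fixed seed so the run is reproducible), checks that decoding through the encodings still yields S(p XOR k), and shows why the encodings are needed: an unencoded T-box satisfies T(0) = S(k), so it is equivalent to the key.

```python
"""Illustration of a Chow et al.-style encoded T-box for one AES state byte.
Constructed example for this page, not the paper's own code."""
import random

# --- AES S-box generated from its definition (FIPS 197): multiplicative
#     inverse in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, then a fixed affine map.
def _gf_mul(a: int, b: int) -> int:
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B          # reduce modulo the AES polynomial
        b >>= 1
    return r

def _gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(2^8); 0 maps to 0 by convention."""
    r, p = 1, a
    for _ in range(7):          # p runs through a^2, a^4, ..., a^128
        p = _gf_mul(p, p)
        r = _gf_mul(r, p)       # product is a^(2+4+...+128) = a^254
    return r

def _affine(b: int) -> int:
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

SBOX = [_affine(_gf_inv(x)) for x in range(256)]
SBOX_INV = [SBOX.index(v) for v in range(256)]

def make_tbox(key_byte: int) -> list:
    """Naked T-box: AddRoundKey followed by SubBytes for one state byte."""
    return [SBOX[x ^ key_byte] for x in range(256)]

def random_byte_encoding(rng: random.Random):
    """Random bijection on bytes built from two independent 4-bit bijections
    (one per nibble). Returns (encode, decode) functions."""
    hi, lo = list(range(16)), list(range(16))
    rng.shuffle(hi)
    rng.shuffle(lo)
    hi_inv = [hi.index(v) for v in range(16)]
    lo_inv = [lo.index(v) for v in range(16)]
    enc = lambda b: (hi[b >> 4] << 4) | lo[b & 0xF]
    dec = lambda b: (hi_inv[b >> 4] << 4) | lo_inv[b & 0xF]
    return enc, dec

def encode_tbox(tbox: list, in_dec, out_enc) -> list:
    """Wrap a table: new[x] = out_enc(tbox[in_dec(x)]).  The stored table now
    expects input carrying the previous table's output encoding and emits
    output carrying the encoding the next table expects; only this encoded
    table is kept, the naked T-box is discarded."""
    return [out_enc(tbox[in_dec(x)]) for x in range(256)]

def naked_tbox_equals_key(tbox: list) -> int:
    """Why encodings are needed: T(0) = S(k), so an unencoded table is one
    S-box inversion away from the key byte it embeds."""
    return SBOX_INV[tbox[0]]

def encoded_tbox_is_correct(key_byte: int = 0x2B, seed: int = 1) -> bool:
    """Build an encoded T-box and confirm that decoding its output for every
    encoded input reproduces S(p XOR k). key_byte and seed are constructed."""
    rng = random.Random(seed)
    f_enc, f_dec = random_byte_encoding(rng)   # input encoding f
    g_enc, g_dec = random_byte_encoding(rng)   # output encoding g
    et = encode_tbox(make_tbox(key_byte), f_dec, g_enc)
    return all(g_dec(et[f_enc(p)]) == SBOX[p ^ key_byte] for p in range(256))

if __name__ == "__main__":
    print("S-box ok:", SBOX[0x53] == 0xED)
    print("naked T-box gives key byte:", hex(naked_tbox_equals_key(make_tbox(0x2B))))
    print("encoded T-box functionally correct:", encoded_tbox_is_correct())
```

In the full design the output encoding g of one table is exactly the input decoding of the next, so the encodings cancel only inside the table chain and the plaintext values of the state bytes are never materialized; the key byte is present only as it has been mixed into a table whose entries are further scrambled by f and g.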
Keywords: Block Cipher, Digital Right Management, Digital Right Management System, Output Encodings, Input Encodings
The author thanks Phil Eisen who, over a number of conversations and presentations at Irdeto, motivated the style of exposition on AES in Sect. 9.3. Thanks are also extended to Michael Wiener who provided valuable comments on a preliminary draft of this work (especially with regards to the local security of the composed T-box/Ty_i tables). Also, conversations on white-box cryptography with Jeremy Clark, Alfred Menezes and Anil Somayaji were helpful in directing some of our commentary. Thanks also go to Elif Bilge Kavun who pointed out a notational error in a previous version of Sect. 9.4.2.
- 1. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (Im)possibility of Obfuscating Programs (Extended Abstract). In "Advances in Cryptology – CRYPTO 2001: 21st Annual International Cryptology Conference", Lecture Notes in Computer Science 2139 (2001), 1–18. Full version available from http://eccc.hpi-web.de/report/2001/057/.
- 2. O. Billet, H. Gilbert, and C. Ech-Chatbi. Cryptanalysis of a White Box AES Implementation. In "Selected Areas in Cryptography: 11th International Workshop, SAC 2004", Lecture Notes in Computer Science 3357 (2005), 227–240.
- 3. D. Boneh, R. DeMillo, and R. Lipton. On the Importance of Checking Cryptographic Protocols for Faults. Journal of Cryptology 14 (2001), 101–119.
- 4. S. Chow, P. Eisen, H. Johnson, and P.C. van Oorschot. White-Box Cryptography and an AES Implementation. In "Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002", Lecture Notes in Computer Science 2595 (2003), 250–270.
- 5. S. Chow, P. Eisen, H. Johnson, and P.C. van Oorschot. A White-box DES Implementation for DRM Applications. In "Digital Rights Management: ACM CCS-9 Workshop, DRM 2002", Lecture Notes in Computer Science 2696 (2003), 1–15.
- 6. J. Daemen and V. Rijmen. AES Submission Document on Rijndael, Version 2, September 1999. Available from http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
- 7. FIPS 197. Advanced Encryption Standard. Federal Information Processing Standards Publication 197, U.S. Department of Commerce / National Institute of Standards and Technology, 2001. Available from http://www.csrc.nist.gov/publications/fips/
- 8. L. Goubin, J.-M. Masereel, and M. Quisquater. Cryptanalysis of White-Box DES Implementations. In "Selected Areas in Cryptography: 14th International Workshop, SAC 2007", Lecture Notes in Computer Science 4876 (2007), 278–295.
- 9. S. Hohenberger, G. Rothblum, A. Shelat, and V. Vaikuntanathan. Securely Obfuscating Re-Encryption. In "Theory of Cryptography: 4th Theory of Cryptography Conference, TCC 2007", Lecture Notes in Computer Science 4392 (2007), 233–252.
- 10. M. Karroumi. Protecting White-Box AES with Dual Ciphers. In "Information Security and Cryptology – ICISC 2010", Lecture Notes in Computer Science 6829 (2010), 278–291.
- 11. P. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In "Advances in Cryptology – CRYPTO '96", Lecture Notes in Computer Science 1109 (1996), 104–113.
- 12. P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In "Advances in Cryptology – CRYPTO '99", Lecture Notes in Computer Science 1666 (1999), 388–397.
- 13. W. Michiels and P. Gorissen. "Cryptographic Method for a White-Box Implementation". U.S. Patent Application 2010/0080395 A1, filed November 9, 2007.
- 14. W. Michiels and P. Gorissen. "Cryptographic System". U.S. Patent Application 2011/0116625 A1, filed March 2, 2009.
- 15. C. E. Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal 28 (1949), 656–715.
- 16. B. Wyseur. "White-Box Cryptography", PhD thesis, Katholieke Universiteit Leuven, 2009.
- 17. B. Wyseur, W. Michiels, P. Gorissen, and B. Preneel. Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings. In "Selected Areas in Cryptography: 14th International Workshop, SAC 2007", Lecture Notes in Computer Science 4876 (2007), 264–277.
- 18. Y. Xiao and X. Lai. A Secure Implementation of White-Box AES. In "2009 2nd International Conference on Computer Science and its Applications: CSA 2009", IEEE (2009), 6 pages.