Another Look on Bucketing Attack to Defeat White-Box Implementations

  • Conference paper
Constructive Side-Channel Analysis and Secure Design (COSADE 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11421)

Abstract

White-box cryptography was first introduced by Chow et al. in 2002 as a software technique for implementing cryptographic algorithms in a secure way that protects secret keys in a compromised environment. Ever since, Chow et al.’s design has been subject mainly to two categories of attacks published by the cryptographic community. The first category encompasses the so-called differential and algebraic cryptanalysis. Basically, these attacks counteract the obfuscation process by inverting the applied encoding functions, after which the secret key can easily be recovered. The second category comprises the software counterpart of the well-known physical attacks often applied to thwart hardware cryptographic implementations on embedded devices. In this paper, we turn a cryptanalysis technique, called the statistical bucketing attack, into a computational analysis technique that allows efficient key recovery from software execution traces. Moreover, we extend this cryptanalysis technique, originally designed to break DES white-box implementations, to target AES white-box implementations. To illustrate the effectiveness of our proposal, we apply our attack to several publicly available white-box implementations with different levels of protection. Based on the obtained results, we argue that our attack is not only an alternative but also a more efficient technique compared to the existing computational attacks, especially when some side-channel countermeasures are involved as a protection.

M. Zeyad and B. Batteux: This work was done while the authors were working at UL Identity Management & Security.

Notes

  1. For ease of explanation, we will only consider attacking the first round of the encryption case in this work.

  2. The Python script we developed is available on GitHub [3].

  3. We stress the fact that our results are in line with those obtained by Chow et al. in their seminal work [12, Section 5.4].

  4. We keep the study of the optimal choice of the pair \((d_0, d_1)\) as future work. For the sake of simplicity, we considered in this work two fixed values (\(d_0=0\) and \(d_1=15\)) when targeting the 16 Sboxes of an AES white-box implementation.

  5. The Python script we developed is available on GitHub [3].

  6. For instance, we can consider a time sample in the traces containing the AES input data that takes every value from 0 to 256, which would count as disjoint for every guess whatever the bucketing is.

  7. Please note that our results are in line with those published in [2].

  8. Only the first and the last rounds are protected against DCA [21].

  9. This attack is computationally expensive but theoretically feasible. Another approach would consist in performing a DCA in a chosen-plaintext context, i.e. varying the plaintext byte corresponding to the targeted Sbox and fixing the remaining ones.

References

  1. Ph4r05 White-Box. https://github.com/ph4r05/Whitebox-crypto-AES

  2. SideChannelMarvels Deadpool. https://github.com/SideChannelMarvels/Deadpool

  3. Source code of the Bucketing Computational Analysis for AES and DES. https://github.com/Bucketing/BCA-attack

  4. Wyseur Challenge (2007). http://www.whiteboxcrypto.com/challenges.php

  5. Allibert, J., Feix, B., Gagnerot, G., Kane, I., Thiebeauld, H., Razafindralambo, T.: Chicken or the egg - computational data attacks or physical attacks. Cryptology ePrint Archive, Report 2015/1086 (2015). https://eprint.iacr.org/2015/1086

  6. Banik, S., Bogdanov, A., Isobe, T., Jepsen, M.B.: Analysis of software countermeasures for whitebox encryption. IACR Cryptology ePrint Archive 2017:183 (2017)

  7. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30564-4_16

  8. Biryukov, A., Udovenko, A.: Attacks and countermeasures for white-box designs. Cryptology ePrint Archive, Report 2018/049 (2018). https://eprint.iacr.org/2018/049

  9. Bogdanov, A., Rivain, M., Vejre, P.S., Wang, J.: Higher-order DCA against standard side-channel countermeasures. Cryptology ePrint Archive, Report 2018/869 (2018). https://eprint.iacr.org/2018/869

  10. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2016, vol. 1717, pp. 215–236. Springer, Heidelberg (2016)

  11. Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. Cryptology ePrint Archive, Report 2006/468 (2006). https://eprint.iacr.org/2006/468

  12. Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A white-box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_1

  13. Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_17

  14. De Mulder, Y., Roelse, P., Preneel, B.: Cryptanalysis of the Xiao – Lai white-box AES implementation. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 34–49. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_3

  15. De Mulder, Y., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated white-box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17401-8_21

  16. Ding, B., König, A.C.: Fast set intersection in memory. Proc. VLDB Endow. 4(4), 255–266 (2011)

  17. Goubin, L., Masereel, J.-M., Quisquater, M.: Cryptanalysis of white box DES implementations. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 278–295. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_18

  18. Goubin, L., Paillier, P., Rivain, M., Wang, J.: How to reveal the secrets of an obscure white-box implementation. Cryptology ePrint Archive, Report 2018/098 (2018). https://eprint.iacr.org/2018/098

  19. Karroumi, M.: Protecting white-box AES with dual ciphers. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24209-0_19

  20. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

  21. Lee, S., Kim, T., Kang, Y.: A masked white-box cryptographic implementation for protecting against differential computation analysis. IEEE Trans. Inf. Forensics Secur. 13(10), 2602–2615 (2018)

  22. Lepoint, T., Rivain, M.: Another nail in the coffin of white-box AES implementations. Cryptology ePrint Archive, Report 2013/455 (2013). https://eprint.iacr.org/2013/455

  23. Lepoint, T., Rivain, M., De Mulder, Y., Roelse, P., Preneel, B.: Two attacks on a white-box AES implementation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 265–285. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_14

  24. Link, H.E., Neumann, W.D.: Clarifying obfuscation: improving the security of white-box DES. In: International Conference on Information Technology: Coding and Computing (ITCC 2005), vol. II, vol. 1, pp. 679–684, April 2005

  25. Michiels, W., Gorissen, P., Hollmann, H.D.L.: Cryptanalysis of a generic class of white-box implementations. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 414–428. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_27

  26. Mulder, Y.D., Roelse, P., Preneel, B.: Revisiting the BGE attack on a white-box AES implementation. Cryptology ePrint Archive, Report 2013/450 (2013). https://eprint.iacr.org/2013/450

  27. Sanfelix, E., Mune, C., de Haas, J.: Unboxing the white-box practical attacks against obfuscated ciphers. Black Hat (2015)

  28. Wyseur, B.: Software security: white-box cryptography. Ph.D. thesis, K.U.L., March 2009. https://www.esat.kuleuven.be/cosic/publications/thesis-152.pdf

  29. Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of white-box DES implementations with arbitrary external encodings. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 264–277. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_17

  30. Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2009 2nd International Conference on Computer Science and its Applications, pp. 1–6, December 2009

Corresponding author

Correspondence to Houssem Maghrebi.

Appendices

A Experimental Estimation of the Probability that for an Incorrect Key Guess the Sets \(V_0\) and \(V_1\) are Disjoint - DES Case

Fig. 3. Evolution of the probability that, for an incorrect key guess, the sets \(V_0\) and \(V_1\) are disjoint according to an increasing number of plaintexts in \(I_0\) and \(I_1\) when considering the 8 DES Sboxes.

B Experimental Estimation of the Probability that for an Incorrect Key Guess the Sets \(V_0\) and \(V_1\) are Disjoint - AES Case

Fig. 4. Evolution of the probability that, for an incorrect key guess, the sets \(V_0\) and \(V_1\) are disjoint according to an increasing number of plaintexts in \(I_0\) and \(I_1\).

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Zeyad, M., Maghrebi, H., Alessio, D., Batteux, B. (2019). Another Look on Bucketing Attack to Defeat White-Box Implementations. In: Polian, I., Stöttinger, M. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2019. Lecture Notes in Computer Science, vol 11421. Springer, Cham. https://doi.org/10.1007/978-3-030-16350-1_7

  • DOI: https://doi.org/10.1007/978-3-030-16350-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16349-5

  • Online ISBN: 978-3-030-16350-1

  • eBook Packages: Computer Science (R0)
