Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness
Whitebox cryptography aims to provide security for cryptographic algorithms in an untrusted environment where the adversary has full access to their implementation. Typical security goals for whitebox cryptography include key extraction security and decomposition security: Indeed, it should be infeasible to recover the secret key from the implementation and it should be hard to decompose the implementation by finding a more compact representation without recovering the secret key, which mitigates code lifting.
Whereas all published whitebox implementations for standard cryptographic algorithms such as DES or AES are prone to practical key extraction attacks, there have been two dedicated design approaches for whitebox block ciphers: ASASA by Birykov et al. at ASIACRYPT’14 and SPACE by Bogdanov and Isobe at CCS’15. While ASASA suffers from decomposition attacks, SPACE reduces the security against key extraction and decomposition attacks in the white box to the security of a standard block cipher such as AES in the standard blackbox setting. However, due to the security-prioritized design strategy, SPACE imposes a sometimes prohibitive performance overhead in the real world as it needs many AES calls to encrypt a single block.
In this paper, we address the issue by designing a family of dedicated whitebox block ciphers SPNbox and a family of underlying small block ciphers with software efficiency and constant-time execution in mind. While still relying on the standard blackbox block cipher security for the resistance against key extraction and decomposition, SPNbox attains speed-ups of up to 6.5 times in the black box and up to 18 times in the white box on Intel Skylake and ARMv8 CPUs, compared to SPACE. The designs allow for constant-time implementations in the blackbox setting and meet the practical requirements to whitebox cryptography in real-world applications such as DRM or mobile payments. Moreover, we formalize resistance towards decomposition in form of weak and strong space hardness at various security levels. We obtain bounds on space hardness in all those adversarial models.
Thus, for the first time, SPNbox provides a practical whitebox block cipher that features well-understood key extraction security, rigorous analysis towards decomposition security, demonstrated real-world efficiency on various platforms and constant-time implementations. This paves the way to enhancing susceptible real-world applications with whitebox cryptography.
KeywordsWhite-box cryptography Space hardness Code lifting Decomposition Key extraction Mass surveillance Trojans Malware
- 1.Adobe Systems Incorporated. Adobe Primetime Technical Primer for Operators (2014)Google Scholar
- 2.Akamai Technologies. Securing Cloud-Based Workflows for Premium Content (2014)Google Scholar
- 3.Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO. Submission to NIST (2009)Google Scholar
- 4.Barreto, P., Rijmen, V.: The Anubis Block Cipher. Submission to the NESSIE Project (2000)Google Scholar
- 5.Barreto, P., Rijmen, V.: The Khazad Legacy-level Block Cipher. Submission to the NESSIE Project (2000)Google Scholar
- 7.Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_4 Google Scholar
- 9.Bogdanov, A., Isobe, T.: White-box cryptography revisited: space-hard ciphers. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1058–1069. ACM (2015)Google Scholar
- 12.Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. IACR Cryptology ePrint Archive 2006:468 (2006)Google Scholar
- 18.Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: 24th USENIX Security Symposium, USENIX Security 15, pp. 897–912. USENIX Association (2015)Google Scholar
- 19.Gueron, S.: Intel Advanced Encryption Standard (AES) Instructions Set. Intel white paper, September 2012Google Scholar
- 20.Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold boot attacks on encryption keys. In: Proceedings of the 17th USENIX Security Symposium, pp. 45–60. USENIX Association (2008)Google Scholar
- 22.Irazoqui, G., Eisenbarth, T., Sunar, B.: S$a: A shared cache attack that works across cores and defies VM sandboxing - and its application to AES. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 591–604. IEEE Computer Society (2015)Google Scholar
- 27.Link, H.E., Neumann, W.D.: Clarifying obfuscation: improving the security of white-box DES. In: International Symposium on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 679–684 (2005)Google Scholar
- 29.Workgroup Mobey, H.C.E., Forum. The Host Card Emulation in Payments: Options for Financial Institutions (2014)Google Scholar
- 32.National Institute of Standards and Technology. Recommendation for Key Derivation Using Pseudorandom Functions. NIST Special Publication (SP) 800–108 (2009)Google Scholar
- 33.National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standards Publication 202 (2015)Google Scholar
- 34.Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, pp. 199–212. ACM (2009)Google Scholar
- 35.Sanfelix, E., Mune, C., de Haas, J.: Unboxing the white-box practical attacks against obfuscated ciphers. In: Black Hat Europe 2015 (2015)Google Scholar
- 37.Alliance, S.C., Paper, W.: Host Card Emulation (HCE) 101 (2014)Google Scholar
- 39.Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of white-box DES implementations with arbitrary external encodings. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 264–277. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-77360-3_17 CrossRefGoogle Scholar
- 40.Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2nd International Conference on Computer Science and its Applications (CSA2009) (2009)Google Scholar
- 41.Yarom, Y., Falkner, K.: FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23rd USENIX Security Symposium, pp. 719–732. USENIX Association (2014)Google Scholar