Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness

  • Andrey BogdanovEmail author
  • Takanori Isobe
  • Elmar Tischhauser
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


Whitebox cryptography aims to provide security for cryptographic algorithms in an untrusted environment where the adversary has full access to their implementation. Typical security goals for whitebox cryptography include key extraction security and decomposition security: Indeed, it should be infeasible to recover the secret key from the implementation and it should be hard to decompose the implementation by finding a more compact representation without recovering the secret key, which mitigates code lifting.

Whereas all published whitebox implementations for standard cryptographic algorithms such as DES or AES are prone to practical key extraction attacks, there have been two dedicated design approaches for whitebox block ciphers: ASASA by Birykov et al. at ASIACRYPT’14 and SPACE by Bogdanov and Isobe at CCS’15. While ASASA suffers from decomposition attacks, SPACE reduces the security against key extraction and decomposition attacks in the white box to the security of a standard block cipher such as AES in the standard blackbox setting. However, due to the security-prioritized design strategy, SPACE imposes a sometimes prohibitive performance overhead in the real world as it needs many AES calls to encrypt a single block.

In this paper, we address the issue by designing a family of dedicated whitebox block ciphers SPNbox and a family of underlying small block ciphers with software efficiency and constant-time execution in mind. While still relying on the standard blackbox block cipher security for the resistance against key extraction and decomposition, SPNbox attains speed-ups of up to 6.5 times in the black box and up to 18 times in the white box on Intel Skylake and ARMv8 CPUs, compared to SPACE. The designs allow for constant-time implementations in the blackbox setting and meet the practical requirements to whitebox cryptography in real-world applications such as DRM or mobile payments. Moreover, we formalize resistance towards decomposition in form of weak and strong space hardness at various security levels. We obtain bounds on space hardness in all those adversarial models.

Thus, for the first time, SPNbox provides a practical whitebox block cipher that features well-understood key extraction security, rigorous analysis towards decomposition security, demonstrated real-world efficiency on various platforms and constant-time implementations. This paves the way to enhancing susceptible real-world applications with whitebox cryptography.


White-box cryptography Space hardness Code lifting Decomposition Key extraction Mass surveillance Trojans Malware 


  1. 1.
    Adobe Systems Incorporated. Adobe Primetime Technical Primer for Operators (2014)Google Scholar
  2. 2.
    Akamai Technologies. Securing Cloud-Based Workflows for Premium Content (2014)Google Scholar
  3. 3.
    Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO. Submission to NIST (2009)Google Scholar
  4. 4.
    Barreto, P., Rijmen, V.: The Anubis Block Cipher. Submission to the NESSIE Project (2000)Google Scholar
  5. 5.
    Barreto, P., Rijmen, V.: The Khazad Legacy-level Block Cipher. Submission to the NESSIE Project (2000)Google Scholar
  6. 6.
    Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30564-4_16 CrossRefGoogle Scholar
  7. 7.
    Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45611-8_4 Google Scholar
  8. 8.
    Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. J. Cryptology 23(4), 505–518 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Bogdanov, A., Isobe, T.: White-box cryptography revisited: space-hard ciphers. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1058–1069. ACM (2015)Google Scholar
  10. 10.
    Borghoff, J., Knudsen, L.R., Leander, G., Thomsen, S.S.: Slender-set differential cryptanalysis. J. Cryptology 26(1), 11–38 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53140-2_11 CrossRefGoogle Scholar
  12. 12.
    Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. IACR Cryptology ePrint Archive 2006:468 (2006)Google Scholar
  13. 13.
    Chong, K.-M.: The arithmetic mean-geometric mean inequality: a new proof. Math. Mag. 49(2), 87–88 (1976)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Chow, S., Eisen, P., Johnson, H., Oorschot, P.C.: A white-box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-44993-5_1 CrossRefGoogle Scholar
  15. 15.
    Chow, S., Eisen, P., Johnson, H., Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). doi: 10.1007/3-540-36492-7_17 CrossRefGoogle Scholar
  16. 16.
    Delerablée, C., Lepoint, T., Paillier, P., Rivain, M.: White-box security notions for symmetric encryption schemes. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 247–264. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43414-7_13 CrossRefGoogle Scholar
  17. 17.
    Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 207–224. Springer, Heidelberg (2006). doi: 10.1007/11681878_11 CrossRefGoogle Scholar
  18. 18.
    Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: 24th USENIX Security Symposium, USENIX Security 15, pp. 897–912. USENIX Association (2015)Google Scholar
  19. 19.
    Gueron, S.: Intel Advanced Encryption Standard (AES) Instructions Set. Intel white paper, September 2012Google Scholar
  20. 20.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold boot attacks on encryption keys. In: Proceedings of the 17th USENIX Security Symposium, pp. 45–60. USENIX Association (2008)Google Scholar
  21. 21.
    Hawkes, P., O’Connor, L.: XOR and Non-XOR differential probabilities. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 272–285. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_19 Google Scholar
  22. 22.
    Irazoqui, G., Eisenbarth, T., Sunar, B.: S$a: A shared cache attack that works across cores and defies VM sandboxing - and its application to AES. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, pp. 591–604. IEEE Computer Society (2015)Google Scholar
  23. 23.
    Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! A fast, cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-11379-1_15 Google Scholar
  24. 24.
    Karroumi, M.: Protecting white-box AES with dual ciphers. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-24209-0_19 CrossRefGoogle Scholar
  25. 25.
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 1–17. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04138-9_1 CrossRefGoogle Scholar
  26. 26.
    Lepoint, T., Rivain, M., Mulder, Y., Roelse, P., Preneel, B.: Two attacks on a white-box AES implementation. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 265–285. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43414-7_14 CrossRefGoogle Scholar
  27. 27.
    Link, H.E., Neumann, W.D.: Clarifying obfuscation: improving the security of white-box DES. In: International Symposium on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 679–684 (2005)Google Scholar
  28. 28.
    Minaud, B., Derbez, P., Fouque, P.-A., Karpman, P.: Key-recovery attacks on ASASA. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 3–27. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_1 CrossRefGoogle Scholar
  29. 29.
    Workgroup Mobey, H.C.E., Forum. The Host Card Emulation in Payments: Options for Financial Institutions (2014)Google Scholar
  30. 30.
    Mulder, Y., Roelse, P., Preneel, B.: Cryptanalysis of the xiao – lai white-box AES implementation. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 34–49. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-35999-6_3 CrossRefGoogle Scholar
  31. 31.
    De Mulder, Y., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated white-box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17401-8_21 CrossRefGoogle Scholar
  32. 32.
    National Institute of Standards and Technology. Recommendation for Key Derivation Using Pseudorandom Functions. NIST Special Publication (SP) 800–108 (2009)Google Scholar
  33. 33.
    National Institute of Standards and Technology: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Information Processing Standards Publication 202 (2015)Google Scholar
  34. 34.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, pp. 199–212. ACM (2009)Google Scholar
  35. 35.
    Sanfelix, E., Mune, C., de Haas, J.: Unboxing the white-box practical attacks against obfuscated ciphers. In: Black Hat Europe 2015 (2015)Google Scholar
  36. 36.
    Sim, S.M., Khoo, K., Oggier, F., Peyrin, T.: Lightweight MDS involution matrices. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 471–493. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48116-5_23 CrossRefGoogle Scholar
  37. 37.
    Alliance, S.C., Paper, W.: Host Card Emulation (HCE) 101 (2014)Google Scholar
  38. 38.
    Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-Box. In: Leander, G. (ed.) Fast Software Encryption. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48116-5_9 CrossRefGoogle Scholar
  39. 39.
    Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of white-box DES implementations with arbitrary external encodings. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 264–277. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-77360-3_17 CrossRefGoogle Scholar
  40. 40.
    Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2nd International Conference on Computer Science and its Applications (CSA2009) (2009)Google Scholar
  41. 41.
    Yarom, Y., Falkner, K.: FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23rd USENIX Security Symposium, pp. 719–732. USENIX Association (2014)Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Andrey Bogdanov
    • 1
    Email author
  • Takanori Isobe
    • 2
  • Elmar Tischhauser
    • 1
  1. 1.Technical University of DenmarkKongens LyngbyDenmark
  2. 2.Sony Global Manufacturing & Operations CorporationTokyoJapan

Personalised recommendations