Attacks and Countermeasures for White-box Designs

Biryukov, Alex; Udovenko, Aleksei

doi:10.1007/978-3-030-03329-3_13

Cited by 32 publications

(84 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although the exact location of the shares might not be obvious for the adversary because of some obfuscation or obscurity in the implementation structure, linear masking can be completely smashed using a simple gray-box attack. The so-called linear decoding analysis (LDA) was formally introduced in [GPRW18, GPRW20] -and also independently discussed in [BU18]-as an effective way to break linear masking (or any other linear encoding scheme) in white-box model.…”

Section: Algorithm 1 and Gadget For Linear Masking [Isw03]mentioning

confidence: 99%

“…The principle of shuffling is to randomly permute the order of several independent operations (possibly including dummy operations) in order to increase the noise in the instantaneous leakage on a sensitive variable. It was shown that an implementation solely protected with linear masking is vulnerable to a linear decoding analysis (LDA), which is able to recover the locations of shares by solving a linear system [GPRW18,GPRW20,BU18]. The authors of [BRVW19] analyze the combination of linear masking and shuffling and show that it can achieve some level of resistance against advanced gray-box attacks.…”

Section: Introductionmentioning

confidence: 99%

“…Three implementations (all due to Biryukov and Udovenko) were still alive at the deadline of the contest but were broken a few days or weeks afterward. 2 As explained in this paper, all three winning implementations were based on state-of-the-art white-box countermeasures, including a mix of linear and non-linear masking [BU18] together with shuffling and additional obfuscation. In this article, we give a thorough explanation of how we managed to break all three implementations with advanced gray-box attacks and our novel data-dependency analytic techniques (as well as a "lightweight" de-obfuscation).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks

Goubin

Rivain

Wang

2020

TCHES

View full text Add to dashboard Cite

The goal of white-box cryptography is to protect secret keys embedded in a cryptographic software deployed in an untrusted environment. In this article, we revisit state-of-the-art countermeasures employed in white-box cryptography, and we discuss possible ways to combine them. Then we analyze the different gray-box attack paths and study their performances in terms of required traces and computation time. Afterward, we propose a new paradigm for the gray-box attack against white-box cryptography, which exploits the data-dependency of the target implementation. We demonstrate that our approach provides substantial complexity improvements over the existing attacks. Finally, we showcase this new technique by breaking the three winning AES-128 white-box implementations from WhibOx 2019 white-box cryptography competition.

show abstract

Section: Algorithm 1 and Gadget For Linear Masking [Isw03]mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks

Goubin

Rivain

Wang

2020

TCHES

View full text Add to dashboard Cite

show abstract

“…For this reason, there were several approaches to preventing DPA and DPA variants on white-box cryptography. For example, applying masking [25], a standard countermeasure to DPA, was investigated [26], [27]. However, masking is vulnerable to higher-order DPA attacks, and this is also the case with masking applied to white-box cryptography [27].…”

Section: Past Design Of Masked Wb-aesmentioning

confidence: 99%

Improvement on a Masked White-Box Cryptographic Implementation

Lee

Kim

2020

IEEE Access

View full text Add to dashboard Cite

White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation was suggested. It was a customized masking technique that randomizes all the values in the lookup tables with different masks. However, the round output was only permuted by byte encodings, not protected by masking. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptography in such a way to protect against DCA variants by obfuscating the round output with random masks. Specifically, we introduce a white-box AES (WB-AES) implementation applying the masking technique to the key-dependent intermediate value and the several outer-round outputs computed by partial bits of the key. Our analysis and experimental results show that the proposed WB-AES can protect against DCA variants including DCA with a 2-byte key guess, collision, and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES.

show abstract

“…In particular, new approaches to verify the security of a white-box implementation have been proposed in [44] where Bos et al present differential fault analysis (DFA) and differential computational analysis (DCA) attacks (further information on fault-injection and differential power analysis attacks can be found in [45,46] respectively). In addition, in [47,48] the authors explained more formally why DCA is effective against linear and nibble encoding, Rivain and Wang [43] provide an extensive analysis on the effectiveness of DCA, finally Biryukov and Udovenko [49] give a general protection method for white-box implementations against DCA.…”

Section: The White-box Approachmentioning

confidence: 99%

Measuring Performances of a White-Box Approach in the IoT Context

et al. 2019

View full text Add to dashboard Cite

The internet of things (IoT) refers to all the smart objects that are connected to other objects, devices or servers and that are able to collect and share data, in order to "learn" and improve their functionalities. Smart objects suffer from lack of memory and computational power, since they are usually lightweight. Moreover, their security is weakened by the fact that smart objects can be placed in unprotected environments, where adversaries are able to play with the symmetric-key algorithm used and the device on which the cryptographic operations are executed. In this paper, we focus on a family of white-box symmetric ciphers substitution-permutation network (SPN)box, extending and improving our previous paper on the topic presented at WIDECOM2019. We highlight the importance of white-box cryptography in the IoT context, but also the need to have a fast black-box implementation (server-side) of the cipher. We show that, modifying an internal layer of SPNbox, we are able to increase the key length and to improve the performance of the implementation. We measure these improvements (a) on 32/64-bit architectures and (b) in the IoT context by encrypting/decrypting 10,000 payloads of lightweight messaging protocol Message Queuing Telemetry Transport (MQTT).

show abstract

Attacks and Countermeasures for White-box Designs

Cited by 32 publications

References 26 publications

Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks

Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks

Improvement on a Masked White-Box Cryptographic Implementation

Measuring Performances of a White-Box Approach in the IoT Context

Contact Info

Product

Resources

About