White-Box Cryptography in the Gray Box

Sasdrich, Pascal; Moradi, Amir; Güneysu, Tim

doi:10.1007/978-3-662-52993-5_10

Cited by 19 publications

(11 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent work in this direction has shed more light on the success of the gray-box approach outlined above, and studied more closely the effect of affine and non-linear encodings on the resistance of a white-box implementation against side-channel attacks [SMG16,BBMT18]. These works show that 4-bit non-linear encodings, which were recommended in the original scheme by Chow et al for size reasons, are insecure in that context.…”

Section: Related Workmentioning

confidence: 99%

On Recovering Affine Encodings in White-Box Implementations

Derbez

Fouque

Lambin

et al. 2018

TCHES

View full text Add to dashboard Cite

Ever since the first candidate white-box implementations by Chow et al. in 2002, producing a secure white-box implementation of AES has remained an enduring challenge. Following the footsteps of the original proposal by Chow et al., other constructions were later built around the same framework. In this framework, the round function of the cipher is “encoded” by composing it with non-linear and affine layers known as encodings. However, all such attempts were broken by a series of increasingly efficient attacks that are able to peel off these encodings, eventually uncovering the underlying round function, and with it the secret key.These attacks, however, were generally ad-hoc and did not enjoy a wide applicability. As our main contribution, we propose a generic and efficient algorithm to recover affine encodings, for any Substitution-Permutation-Network (SPN) cipher, such as AES, and any form of affine encoding. For AES parameters, namely 128-bit blocks split into 16 parallel 8-bit S-boxes, affine encodings are recovered with a time complexity estimated at 232 basic operations, independently of how the encodings are built. This algorithm is directly applicable to a large class of schemes. We illustrate this on a recent proposal due to Baek, Cheon and Hong, which was not previously analyzed. While Baek et al. evaluate the security of their scheme to 110 bits, a direct application of our generic algorithm is able to break the scheme with an estimated time complexity of only 235 basic operations.As a second contribution, we show a different approach to cryptanalyzing the Baek et al. scheme, which reduces the analysis to a standalone combinatorial problem, ultimately achieving key recovery in time complexity 231. We also provide an implementation of the attack, which is able to recover the secret key in about 12 seconds on a standard desktop computer.

show abstract

Section: Related Workmentioning

confidence: 99%

On Recovering Affine Encodings in White-Box Implementations

Derbez

Fouque

Lambin

et al. 2018

TCHES

View full text Add to dashboard Cite

show abstract

“…However, it was found that there was a correlation between the encoded value and the non-encoded value due to the imbalanced encoding applied to the lookup table generation in the white-box implementation. Thus, the gray-box attack succeeded [3], [4]. Thus, white-box cryptography is vulnerable to not only algebraic analysis, but also gray-box attacks.…”

Section: Introductionmentioning

confidence: 99%

“…Although the encoding randomizes the Hamming weight of the intermediate values, it is known to be imbalanced [4], and thus leads to a bit-to-bit correlation before and after the encoding. This imbalance makes it possible to perform power analysis including Differential Power Analysis (DPA) [5] or Correlation Power Analysis (CPA) [6] based on the mono-bit model.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A White-Box Cryptographic Implementation for Protecting against Power Analysis

Lee

2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYEncoded lookup tables used in white-box cryptography are known to be vulnerable to power analysis due to the imbalanced encoding. This means that the countermeasures against white-box attacks can not even defend against gray-box attacks. For this reason, those who want to defend against power analysis through the white-box cryptographic implementation need to find other ways. In this paper, we propose a method to defend power analysis without resolving the problematic encoding problem. Compared with the existing white-box cryptography techniques, the proposed method has twice the size of the lookup table and nearly the same amount of computation. key words: white-box cryptography, power analysis, countermeasure

show abstract

“…The attack is called differential computation analysis (DCA). Sasdrich et al [30] pointed out that the weakness against the DCA attack can be explained using the Walsh transform of the encoding functions. Banik et al [1] analyzed software countermeasures against the DCA attack and proposed another automated attack called Zero Difference Enumeration attack.…”

Section: Introductionmentioning

confidence: 99%

Attacks and Countermeasures for White-box Designs

Biryukov

Udovenko

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use both static and dynamic analysis as well as fault analysis in order to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such model have many applications in industry. However, creating such implementations turns out to be a very challenging if not an impossible task. Recently, Bos et al. [7] proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack was applied to many white-box implementations both from academia and industry. The attack comes from the area of side-channel analysis and the most common method protecting against such attacks is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations. We use the term "masking" in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy. Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must provide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack by Bos et al. and protection against a new attack called algebraic attack. We present a provably secure first-order protection against the new algebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security allowing to freely combine secure gadgets. We derive concrete security bounds for circuits built using our construction.

show abstract

White-Box Cryptography in the Gray Box

Cited by 19 publications

References 14 publications

On Recovering Affine Encodings in White-Box Implementations

On Recovering Affine Encodings in White-Box Implementations

A White-Box Cryptographic Implementation for Protecting against Power Analysis

Attacks and Countermeasures for White-box Designs

Contact Info

Product

Resources

About