Implicit White-Box Implementations: White-Boxing ARX Ciphers

Abstract

Since the first white-box implementation of AES published twenty years ago, no significant progress has been made in the design of secure implementations against an attacker with full control of the device. Designing white-box implementations of existing block ciphers is a challenging problem, as all proposals have been broken. Only two white-box design strategies have been published this far: the CEJO framework, which can only be applied to ciphers with small S-boxes, and self-equivalence encodings, which were only applied to AES.

In this work we propose implicit implementations, a new design of white-box implementations based on implicit functions, and we show that current generic attacks that break CEJO or self-equivalence implementations are not successful against implicit implementations. The generation and the security of implicit implementations are related to the self-equivalences of the non-linear layer of the cipher, and we propose a new method to obtain self-equivalences based on the CCZ-equivalence. We implemented this method and many other functionalities in a new open-source tool BoolCrypt, which we used to obtain for the first time affine, linear, and even quadratic self-equivalences of the permuted modular addition. Using the implicit framework and these self-equivalences, we describe for the first time a practical white-box implementation of a generic Addition-Rotation-XOR (ARX) cipher, and we provide an open-source tool to easily generate implicit implementations of ARX ciphers.

A Affine Self-equivalences of the Permuted Modular Addition with Wordsize 4

Let \( L (A)\) and \( C (A)\) be the linear part and the constant vector, respectively, of an affine function A. Any affine self-equivalence (A, B) of the 8-bit permuted modular addition (wordsize 4) is of the form

$$ L (A) = \begin{pmatrix} c_1 + c_8 + c_9 &{} 0 &{} 0 &{} 0 &{} c_1 + c_8 &{} 0 &{} 0 &{} 0 \\ d_0 + d_2 &{} 1 &{} 0 &{} 0 &{} d_1 &{} 0 &{} 0 &{} 0 \\ d_0 + d_2 &{} 0 &{} 1 &{} 0 &{} d_1 &{} 0 &{} 0 &{} 0 \\ d_1 + c_6 + c_{12} + c_{15} &{} 0 &{} c_4 + c_7 &{} 1 &{} d_1 + c_6 + c_{12} &{} c_{13} &{} c_4 + c_7 + c_{16} &{} c_5 + 1 \\ c_0 + c_8 + c_9 &{} 0 &{} 0 &{} 0 &{} c_0 + c_1 + c_8 &{} 0 &{} 0 &{} 0 \\ d_0 + d_2 &{} 0 &{} 0 &{} 0 &{} d_1 &{} 1 &{} 0 &{} 0 \\ d_0 + d_2 &{} 0 &{} 0 &{} 0 &{} d_1 &{} 0 &{} 1 &{} 0 \\ d_1 + c_2 + c_{12} + c_{15} &{} 0 &{} 0 &{} 0 &{} d_1 + c_2 + c_6 + c_{12} &{} c_3 + c_{13} &{} c_7 + c_{16} &{} 1 \\ \end{pmatrix}$$

$$ C (A) = (c_{10} + c_{11}, \ c_{10} c_{11} + c_{11}, \ c_4 + d_3, \ c_{17} + c_{18}, \ c_{11}, \ c_{10} c_{11} + c_{11}, \ d_3 + c_{14} + c_{16}, \ d_4)^T $$

$$ L (B^{-1}) = \begin{pmatrix} c_0 + c_1 &{} 0 &{} 0 &{} 0 &{} c_1 &{} 0 &{} 0 &{} 0\\ d_0 + d_2 &{} 1 &{} 0 &{} 0 &{} d_2 + c_1 c_{10} &{} 0 &{} 0 &{} 0 \\ d_0 + d_2 &{} 0 &{} 1 &{} 0 &{} d_2 + c_1 c_{10} &{} 0 &{} 0 &{} 0 \\ d_0 + c_2 + c_6 &{} 0 &{} c_4 + c_{14} + c_{16} &{} 1 &{} c_1 c_{10} + c_6 &{} c_3 &{} d_5 + c_7 &{} c_5 + 1 \\ c_0 + c_8 + c_9 &{} 0 &{} 0 &{} 0 &{} c_1 + c_9 &{} 0 &{} 0 &{} 0 \\ d_0 + d_2 &{} 0 &{} 0 &{} 0 &{} d_2 + c_1 c_{10} &{} 1 &{} 0 &{} 0 \\ d_0 + d_2 &{} 0 &{} 0 &{} 0 &{} d_2 + c_1 c_{10} &{} 0 &{} 1 &{} 0 \\ d_1 + c_2 + c_{12} + c_{15} &{} 0 &{} 0 &{} 0 &{} c_6 + c_{15} &{} c_3 + c_{13} &{} c_7 + c_{16} &{} 1 \\ \end{pmatrix} $$

$$ C (B^{-1}) = (c_{10}, \ c_{10} c_{11} + c_{11}, \ c_{10} c_{11} + c_{11} + d_5, \ c_{17}, \ c_{11}, \ c_{10} c_{11} + c_{11}, \ d_3 + c_{14} + c_{16}, \ d_4)^T $$

where the binary coefficients \(c_i\) and \(d_j\) satisfy the following constraints

$$\begin{aligned}&0 = d_0 + c_0 c_1 + c_0 c_8 + c_0 c_{10} + c_0 c_{11} + c_1 + c_8 c_{10} + c_8 \\&0 = d_1 + d_0 + c_1 c_{10} \\&0 = d_2 + c_1 c_9 + c_1 c_{11} + c_9 c_{10} + c_9 + 1 \\&0 = d_3 + c_7 + c_{10} c_{11} + c_{11} \\&0 = d_4 + c_4 c_7 + c_4 c_{14} + c_4 c_{16} + c_7 c_{14} + c_7 c_{16} + d_3 + c_{18} \\&0 = d_5 + c_4 + c_{14} + c_{16} \\&0 = c_0 c_9 + c_1 c_8 + c_1 + 1 . \end{aligned}$$

The coefficients \(d_j\) are just short labels to denote large expressions involving coefficients \(c_i\). Among the 19 \(c_i\) coefficients, 15 are free variables and \((c_0, c_1, c_8, c_9)\) are restricted by the constraint \(c_0 c_9 + c_1 c_8 + c_1 + 1\). This constraint excludes 10 out of the \(2^4\) assignments of \((c_0, c_1, c_8, c_9)\). Therefore, the number of affine self-equivalences is \(2^{15} \times (2^4 - 10) = 196\,608\), which corresponds to \(3 \times 2^{2n + 8}\) for \(n = 4\).