Abstract
Since the first white-box implementation of AES published twenty years ago, no significant progress has been made in the design of secure implementations against an attacker with full control of the device. Designing white-box implementations of existing block ciphers is a challenging problem, as all proposals have been broken. Only two white-box design strategies have been published this far: the CEJO framework, which can only be applied to ciphers with small S-boxes, and self-equivalence encodings, which were only applied to AES.
In this work we propose implicit implementations, a new design of white-box implementations based on implicit functions, and we show that current generic attacks that break CEJO or self-equivalence implementations are not successful against implicit implementations. The generation and the security of implicit implementations are related to the self-equivalences of the non-linear layer of the cipher, and we propose a new method to obtain self-equivalences based on the CCZ-equivalence. We implemented this method and many other functionalities in a new open-source tool BoolCrypt, which we used to obtain for the first time affine, linear, and even quadratic self-equivalences of the permuted modular addition. Using the implicit framework and these self-equivalences, we describe for the first time a practical white-box implementation of a generic Addition-Rotation-XOR (ARX) cipher, and we provide an open-source tool to easily generate implicit implementations of ARX ciphers.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The power function \(F(x) = x^d \in \mathbb {F}_{2^n}\) has at least \(n (2^n - 1)\) linear self-equivalences of the form \((A(x), B(x)) = (a x^{2^i}, \ a^{- d 2^{n - i}} x^{2^{n - i}}),\) where \(a \ne 0\) and \(i = 0, 1, \dots , n-1\). The whole linear self-equivalence group has only been found for some exponents [41].
- 2.
- 3.
- 4.
Self-equivalences are sometimes called automorphisms in the literature, but in this paper we only use the term automorphism to refer to a graph automorphism.
- 5.
It is worth to mention that all known white-box implementations of existing ciphers that do not rely on secret designs include external encodings in their designs. While external encodings impose severe limitations on the applicability of the white-box implementation, it is currently the only alternative to secret designs.
- 6.
We will provide specific numbers for the size of an example of an implicit implementation in Sect. 6.
- 7.
While not the focus of this work, it is worth mentioning that this type of implicit implementations with trivial external encodings seems less vulnerable than CEJO or self-equivalences implementations with trivial external encodings.
- 8.
- 9.
The self-equivalence group of the permuted modular addition cannot be derived from that of the modular addition, as the permuted variant contains many non-diagonal self-equivalences.
- 10.
For simplicity we restrict the n-bit non-linear layer to contain a single permuted modular addition with wordsize n/2, but our method can easily be extended to non-linear layers composed of smaller permuted modular additions.
- 11.
References
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Amadori, A., Michiels, W., Roelse, P.: A DFA attack on white-box implementations of AES with external encodings. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 591–617. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_24
Baek, C.H., Cheon, J.H., Hong, H.: White-box AES implementation revisited. J. Commun. Networks 18(3), 273–287 (2016)
Banik, S., Bogdanov, A., Isobe, T., Jepsen, M.B.: Analysis of software countermeasures for whitebox encryption. IACR Trans. Symmetric Cryptol. 2017(1), 307–328 (2017)
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive, p. 404 (2013)
Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: Black-Box, White-Box, and Public-Key (Extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_4
Biryukov, A., De Cannière, C.: Block ciphers and systems of quadratic equations. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 274–289. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_21
Biryukov, A., De Cannière, C., Braeken, A., Preneel, B.: A toolbox for cryptanalysis: linear and affine equivalence algorithms. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 33–50. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_3
Biryukov, A., Udovenko, A.: Attacks and countermeasures for white-box designs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 373–402. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_13
Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_11
Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. IACR Cryptology ePrint Archive 2006, 468 (2006)
Carlet, C., Charpin, P., Zinoviev, V.A.: Codes, bent functions and permutations suitable for DES-like cryptosystems. Des. Codes Cryptogr. 15(2), 125–156 (1998)
Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_17
Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A white-box DES implementation for DRM applications. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 1–15. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_1
De Cannière, C.: Analysis and design of symmetric encryption algorithms. Ph.D. thesis, Katholieke Universiteit Leuven (2007). Bart Preneel (Promotor)
Delerablée, C., Lepoint, T., Paillier, P., Rivain, M.: White-box security notions for symmetric encryption schemes. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 247–264. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_13
Derbez, P., Fouque, P., Lambin, B., Minaud, B.: On recovering affine encodings in white-box implementations. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 121–149 (2018)
Ding, J.: A new variant of the Matsumoto-Imai cryptosystem through perturbation. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 305–318. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_22
Faugère, J.-C., Perret, L.: Polynomial equivalence problems: algorithmic and theoretical aspects. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 30–47. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_3
Faugère, J., Perret, L.: An efficient algorithm for decomposing multivariate polynomials and its applications to cryptography. J. Symb. Comput. 44(12), 1676–1689 (2009)
Gupta, K.C., Ray, I.G.: Finding biaffine and quadratic equations for s-boxes based on power mappings. IEEE Trans. Inf. Theory 61(4), 2200–2209 (2015)
Warren Jr., H.S.: Hacker’s Delight. Addison-Wesley, Boston (2003)
Karroumi, M.: Protecting white-box AES with dual ciphers. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24209-0_19
Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_15
Lin, D., Faugère, J., Perret, L., Wang, T.: On enumeration of polynomial equivalence classes and their application to MPKC. Finite Fields Appl. 18(2), 283–302 (2012)
Link, H.E., Neumann, W.D.: Clarifying obfuscation: Improving the security of white-box DES. In: ITCC (1), pp. 679–684. IEEE Computer Society (2005)
Luo, R., Lai, X., You, R.: A new attempt of white-box AES implementation. In: SPAC, pp. 423–429. IEEE (2014)
McMillion, B., Sullivan, N.: Attacking white-box AES constructions. In: SPRO@CCS, pp. 85–90. ACM (2016)
Michiels, W., Gorissen, P., Hollmann, H.D.L.: Cryptanalysis of a generic class of white-box implementations. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 414–428. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_27
Minaud, B., Derbez, P., Fouque, P., Karpman, P.: Key-recovery attacks on ASASA. J. Cryptol. 31(3), 845–884 (2018)
Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_4
Patarin, J., Goubin, L.: Asymmetric cryptography with S-boxes Is it easier than expected to design efficient asymmetric cryptosystems? In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 369–380. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0028492
Patarin, J., Goubin, L., Courtois, N.: \({C}^{\text{* }}_{{-+}}\) and HM: variations around two schemes of T. Matsumoto and H. Imai. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 35–50. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_4
Ranea, A., Preneel, B.: On self-equivalence encodings in white-box implementations. In: Dunkelman, O., Jacobson Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 639–669. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_25
Rivain, M., Wang, J.: Analysis and improvement of differential computation attacks against internally-encoded white-box implementations. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 225–255 (2019)
Schulte-Geers, E.: On CCZ-equivalence of addition mod \(2^n\). Des. Codes Cryptogr. 66(1–3), 111–127 (2013)
Shi, Y., Wei, W., He, Z.: A lightweight white-box symmetric encryption algorithm against node capture for WSNs. Sensors 15(5), 11928–11952 (2015)
Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: Kullmann, O. (ed.) SAT 2009. LNCS, vol. 5584, pp. 244–257. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02777-2_24
The Sage Developers: SageMath, the Sage Mathematics Software System (Version 9.1) (2021). https://www.sagemath.org
Capture the Flag Challenge - The WhibOx Contest (2007). https://whibox.io/contests/2017/
Wiemers, A.: A note on invariant linear transformations in multivariate public key cryptography. IACR Cryptology ePrint Archive, p. 602 (2012)
Wolf, C., Braeken, A., Preneel, B.: On the security of stepwise triangular systems. Des. Codes Cryptogr. 40(3), 285–302 (2006)
Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2009 2nd International Conference on Computer Science and its Applications, pp. 1–6. IEEE (2009)
Acknowledgements
Adrián Ranea is supported by a PhD Fellowship from the Research Foundation - Flanders (FWO). The authors would like to thank the anonymous reviewers for their comments and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Affine Self-equivalences of the Permuted Modular Addition with Wordsize 4
A Affine Self-equivalences of the Permuted Modular Addition with Wordsize 4
Let \( L (A)\) and \( C (A)\) be the linear part and the constant vector, respectively, of an affine function A. Any affine self-equivalence (A, B) of the 8-bit permuted modular addition (wordsize 4) is of the form
where the binary coefficients \(c_i\) and \(d_j\) satisfy the following constraints
The coefficients \(d_j\) are just short labels to denote large expressions involving coefficients \(c_i\). Among the 19 \(c_i\) coefficients, 15 are free variables and \((c_0, c_1, c_8, c_9)\) are restricted by the constraint \(c_0 c_9 + c_1 c_8 + c_1 + 1\). This constraint excludes 10 out of the \(2^4\) assignments of \((c_0, c_1, c_8, c_9)\). Therefore, the number of affine self-equivalences is \(2^{15} \times (2^4 - 10) = 196\,608\), which corresponds to \(3 \times 2^{2n + 8}\) for \(n = 4\).
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Ranea, A., Vandersmissen, J., Preneel, B. (2022). Implicit White-Box Implementations: White-Boxing ARX Ciphers. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-15802-5_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15801-8
Online ISBN: 978-3-031-15802-5
eBook Packages: Computer ScienceComputer Science (R0)