Paper 2013/450

Revisiting the BGE Attack on a White-Box AES Implementation

Yoni De Mulder, Peter Roelse, and Bart Preneel


White-box cryptography aims to protect the secret key of a cipher in an environment in which an adversary has full access to the implementation of the cipher and its execution environment. In 2002, Chow, Eisen, Johnson and van Oorschot proposed a white-box implementation of AES. In 2004, Billet, Gilbert and Ech-Chatbi presented an efficient attack (referred to as the BGE attack) on this implementation, extracting its embedded AES key with a work factor of $2^{30}$. In 2012, Tolhuizen presented an improvement of the most time-consuming phase of the BGE attack. This paper presents several improvements to the other phases of the BGE attack. The paper shows that the overall work factor of the BGE attack is reduced to $2^{22}$ when all improvements are implemented. In 2010, Karroumi presented a white-box AES implementation that is designed to withstand the BGE attack. This paper shows that the implementations of Karroumi and Chow \emph{et al.} are the same. As a result, Karroumi's white-box AES implementation is vulnerable to the attack it was designed to resist.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
White-box cryptographydual cipherAEScryptanalysis
Contact author(s)
yoni demulder @ esat kuleuven be
2013-07-22: received
Short URL
Creative Commons Attribution


      author = {Yoni De Mulder and Peter Roelse and Bart Preneel},
      title = {Revisiting the BGE Attack on a White-Box AES Implementation},
      howpublished = {Cryptology ePrint Archive, Paper 2013/450},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.