Paper 2013/450

Revisiting the BGE Attack on a White-Box AES Implementation

Yoni De Mulder, Peter Roelse, and Bart Preneel

Abstract

White-box cryptography aims to protect the secret key of a cipher in an environment in which an adversary has full access to the implementation of the cipher and its execution environment. In 2002, Chow, Eisen, Johnson and van Oorschot proposed a white-box implementation of AES. In 2004, Billet, Gilbert and Ech-Chatbi presented an efficient attack (referred to as the BGE attack) on this implementation, extracting its embedded AES key with a work factor of 230. In 2012, Tolhuizen presented an improvement of the most time-consuming phase of the BGE attack. This paper presents several improvements to the other phases of the BGE attack. The paper shows that the overall work factor of the BGE attack is reduced to 222 when all improvements are implemented. In 2010, Karroumi presented a white-box AES implementation that is designed to withstand the BGE attack. This paper shows that the implementations of Karroumi and Chow \emph{et al.} are the same. As a result, Karroumi's white-box AES implementation is vulnerable to the attack it was designed to resist.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
White-box cryptographydual cipherAEScryptanalysis
Contact author(s)
yoni demulder @ esat kuleuven be
History
2013-07-22: received
Short URL
https://ia.cr/2013/450
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2013/450,
      author = {Yoni De Mulder and Peter Roelse and Bart Preneel},
      title = {Revisiting the {BGE} Attack on a White-Box {AES} Implementation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/450},
      year = {2013},
      url = {https://eprint.iacr.org/2013/450}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.