Paper 2018/049

Attacks and Countermeasures for White-box Designs

Alex Biryukov and Aleksei Udovenko

Abstract

In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use both static and dynamic analysis as well as fault analysis in order to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such model have many applications in industry. However, creating such implementations turns out to be a very challenging if not an impossible task. Recently, Bos et al. proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack was applied to many white-box implementations both from academia and industry. The attack comes from the area of side-channel analysis and the most common method protecting against such attacks is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations. We use the term “masking” in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy. Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must pro- vide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack by Bos et al. and protection against a new attack called algebraic attack. We present a provably secure first-order protection against the new al- gebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security allowing to freely combine secure gadgets. We derive concrete security bounds for circuits built using our construction.

Note: ASIACRYPT 2018 version.

Metadata
Available format(s)
PDF
Publication info
Published by the IACR in ASIACRYPT 2018
DOI
10.1007/978-3-030-03329-3_13
Keywords
White-boxObfuscationCryptanalysisProvable SecurityMasking
Contact author(s)
aleksei @ affine group
History
2021-05-31: last of 2 revisions
2018-01-15: received
See all versions
Short URL
https://ia.cr/2018/049
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/049,
      author = {Alex Biryukov and Aleksei Udovenko},
      title = {Attacks and Countermeasures for White-box Designs},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/049},
      year = {2018},
      doi = {10.1007/978-3-030-03329-3_13},
      url = {https://eprint.iacr.org/2018/049}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.