Cryptology ePrint Archive: Report 2018/049

Attacks and Countermeasures for White-box Designs

Alex Biryukov and Aleksei Udovenko

Abstract: In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model the adversary is given full access to the implementation. He can use both static and dynamic analysis as well as fault analysis in order to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such model have many applications in industry. However, creating such implementations turns out to be a very challenging if not an impossible task.

Recently, Bos et al. proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack was applied to many white-box implementations both from academia and industry. The attack comes from the area of side-channel analysis and the most common method protecting against such attacks is masking, which in turn is a form of secret sharing. In this paper we present multiple generic attacks against masked white-box implementations. We use the term “masking” in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy.

Based on the new constraints, we develop a general method for protecting white-box implementations. We split the protection into two independent components: value hiding and structure hiding. Value hiding must pro- vide protection against passive DCA-style attacks that rely on analysis of computation traces. Structure hiding must provide protection against circuit analysis attacks. In this paper we focus on developing the value hiding component. It includes protection against the DCA attack by Bos et al. and protection against a new attack called algebraic attack. We present a provably secure first-order protection against the new al- gebraic attack. The protection is based on small gadgets implementing secure masked XOR and AND operations. Furthermore, we give a proof of compositional security allowing to freely combine secure gadgets. We derive concrete security bounds for circuits built using our construction.

Category / Keywords: White-box, Obfuscation, Cryptanalysis, Provable Security, Masking

Original Publication (in the same form): IACR-ASIACRYPT-2018

Date: received 9 Jan 2018, last revised 7 Nov 2018

Contact author: aleksei udovenko at uni lu

Available format(s): PDF | BibTeX Citation

Note: ASIACRYPT 2018 version.

Version: 20181107:160016 (All versions of this report)

Short URL: ia.cr/2018/049


[ Cryptology ePrint archive ]