Cryptology ePrint Archive: Report 2018/049

Attacks and Countermeasures for White-box Designs

Alex Biryukov and Aleksei Udovenko

Abstract: In traditional symmetric cryptography, the adversary has access only to the inputs and outputs of a cryptographic primitive. In the white-box model, the adversary is given full access to the implementation. He can use static and dynamic analysis as well as fault analysis to break the cryptosystem, e.g. to extract the embedded secret key. Implementations secure in such a model have many applications in industry. However, creating such implementations turns out to be a very challenging, if not impossible, task.

Recently, Bos et al. proposed a generic attack on white-box primitives called differential computation analysis (DCA). This attack applies to most existing white-box implementations, from both academia and industry. The attack is derived from side-channel cryptanalysis. The most common method of protecting against such side-channel attacks is masking. Therefore, masking can be used in white-box implementations to protect against the DCA attack. In this paper, we investigate this possibility and present multiple generic attacks against masked white-box implementations. We use the term “masking” in a very broad sense. As a result, we deduce new constraints that any secure white-box implementation must satisfy. We suggest partial countermeasures against the attacks.

Some of our attacks were successfully applied to the WhibOx 2017 challenges.

Category / Keywords: secret-key cryptography / white-box, obfuscation, cryptanalysis

Date: received 9 Jan 2018, last revised 11 Jan 2018

Contact author: aleksei udovenko at uni lu


Note: Fix abstract formatting and typo.

Version: 20180115:002829

Short URL: ia.cr/2018/049

