Cryptology ePrint Archive: Report 2022/385

ECDSA White-Box Implementations: Attacks and Designs from WhibOx 2021 Contest

Guillaume Barbu and Ward Beullens and Emmanuelle Dottax and Christophe Giraud and Agathe Houzelot and Chaoyun Li and Mohammad Mahzoun and Adrián Ranea and Jianrui Xie

Abstract: Despite the growing demand for software implementations of ECDSA secure against attackers with full control of the execution environment, the scientific literature on white-box ECDSA design is scarce. To assess the state-of-the-art and encourage practical research on this topic, the WhibOx 2021 contest invited developers to submit white-box ECDSA implementations and attackers to break the corresponding submissions. In this work we describe several attack techniques and designs used during the WhibOx 2021 contest. We explain the attack methods used by the team TheRealIdefix, who broke the largest number of challenges, and we show the success of each method against all the implementations in the contest. Moreover, we describe the designs, submitted by the team zerokey, of the two winning challenges; these designs represent the ECDSA signature algorithm by a sequence of systems of low-degree equations, which are obfuscated with affine encodings and extra random variables and equations. The WhibOx contest has shown that securing ECDSA in the white-box model is an open and challenging problem, as no implementation survived more than two days. To this end, our designs provide a starting methodology for further research, and our attacks highlight the weak points future work should address.

Category / Keywords: public-key cryptography / ECDSA, White-box Cryptography, WhibOx

Date: received 24 Mar 2022

Contact author: agathe houzelot at idemia com, christophe giraud at idemia com, emmanuelle dottax at idemia com, guillaume barbu at idemia com, wbe at zurich ibm com, m mahzoun at tue nl, chaoyun li at esat kuleuven be, adrian ranea at esat kuleuven be, jianrui xie at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Version: 20220328:143539 (All versions of this report)

Short URL: ia.cr/2022/385


[ Cryptology ePrint archive ]