Reference : How to reveal the secrets of an obscure white-box implementation
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
How to reveal the secrets of an obscure white-box implementation
Goubin, Louis mailto [Université Paris-Saclay, UVSQ, CNRS > Laboratoire de Mathématiques de Versailles]
Paillier, Pascal mailto [CryptoExperts]
Rivain, Matthieu mailto [CryptoExperts]
Wang, Junwei mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > > ; CryptoExperts > > > ; Université Paris 8]
Journal of Cryptographic Engineering
New York
[en] white-box cryptography ; WhibOx contest ; linear decoding analysis ; reverse engineering
[en] White-box cryptography protects key extraction from software implementations of cryptographic primitives. It is widely deployed in DRM and mobile payment applications in which a malicious attacker might control the entire execution environment. So far, no provably secure white- box implementation of AES has been put forward, and all the published practical constructions are vulnerable to differential computation analysis (DCA) and differential fault analysis (DFA). As a consequence, the industry relies on home-made obscure white-box implementations based on secret designs. It is therefore of interest to investigate the achievable resistance of an AES implementation to thwart a white-box adversary in this paradigm. To this purpose, the ECRYPT CSA project has organized the WhibOx contest as the catch the flag challenge of CHES 2017. Researchers and engineers were invited to participate either as designers by submitting the source code of an AES-128 white-box implementation with a freely chosen key, or as breakers by trying to extract the hard-coded keys in the submitted challenges. The participants were not expected to disclose their identities or the underlying designing/attacking techniques. In the end, 94 submitted challenges were all broken and only 13 of them held more than 1 day. The strongest (in terms of surviving time) implementation, submitted by Biryukov and Udovenko, survived for 28 days (which is more than twice as much as the second strongest implementation), and it was broken by a single team, i.e., the authors of the present paper, with reverse engineering and algebraic analysis. In this paper, we give a detailed description of the different steps of our cryptanalysis. We then generalize it to an attack methodology to break further obscure white-box implementations. In particular, we formalize and generalize the linear decoding analysis that we use to extract the key from the encoded intermediate variables of the target challenge.
European Union's Horizon 2020
Researchers ; Professionals ; Students ; General public
H2020 ; 643161 - ECRYPT-NET - European Integrated Research Training Network on Advanced Cryptographic Technologies for the Internet of Things and the Cloud

File(s) associated to this reference

Fulltext file(s):

Limited access
jcen2019.pdfPublisher postprint961.64 kBRequest a copy

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.