Cryptanalysis of ARX-based White-box Implementations

[en] At CRYPTO’22, Ranea, Vandersmissen, and Preneel proposed a new way to design white-box implementations of ARX-based ciphers using so-called implicit functions and quadratic-affine encodings. They suggest the Speck block-cipher as an example target. In this work, we describe practical attacks on the construction. For the implementation without one of the external encodings, we describe a simple algebraic key recovery attack. If both external encodings are used (the main scenario suggested by the authors), we propose optimization and inversion attacks, followed by our main result - a multiple-step round decomposition attack and a decomposition-based key recovery attack. Our attacks only use the white-box round functions as oracles and do not rely on their description. We implemented and verified experimentally attacks on white-box instances of Speck-32/64 and Speck-64/128. We conclude that a single ARX-round is too weak to be used as a white-box round.

Disciplines :

Computer science

Author, co-author :

BIRYUKOV, Alexei ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS) ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Cryptolux

LAMBIN, Baptiste ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Cryptolux

UDOVENKO, Aleksei ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Cryptolux

External co-authors :

Language :

English

Title :

Cryptanalysis of ARX-based White-box Implementations

Publication date :

09 June 2023

Journal title :

IACR Transactions on Cryptographic Hardware and Embedded Systems

eISSN :

2569-2925

Publisher :

Ruhr-University of Bochum, Bochum, Germany

Volume :

2023

Issue :

Pages :

97-135

Peer reviewed :

Peer Reviewed verified by ORBi

Focus Area :

Security, Reliability and Trust

Additional URL :

https://tches.iacr.org/index.php/TCHES/article/view/10958

FnR Project :

FNR13641232 - Analysis And Protection Of Lightweight Cryptographic Algorithms, 2019 (01/01/2021-31/12/2023) - Alex Biryukov

Name of the research project :

R-AGR-3748 - C19/IS/13641232/APLICA (01/09/2020 - 30/08/2022) - BIRYUKOV Alexei

Funders :

FNR - Fonds National de la Recherche

Funding number :

C19/IS/13641232

Available on ORBilu :

since 14 July 2023

Statistics

Number of views

189 (3 by Unilu)

Number of downloads

227 (5 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenAlex citations

Bibliography

[AABM20] Estuardo Alpirez Bock, Alessandro Amadori, Chris Brzuska, and Wil Michiels. On the security goals of white-box cryptography. IACR TCHES, 2020(2):327– 357, 2020. https://tches.iacr.org/index.php/TCHES/article/view/8554. 97
[ABF+ 20] Estuardo Alpirez Bock, Chris Brzuska, Marc Fischlin, Christian Janson, and Wil Michiels. Security reductions for white-box key-storage in mobile payments. In Shiho Moriai and Huaxiong Wang, editors, ASIACRYPT 2020, Part I, volume 12491 of LNCS, pages 221–252. Springer, Heidelberg, December 2020. 97
[BCD06] Julien Bringer, Hervé Chabanne, and Emmanuelle Dottax. White box cryp-tography: Another attempt. IACR Cryptol. ePrint Arch., page 468, 2006. 131
[BCH16] Chung Hun Baek, Jung Hee Cheon, and Hyunsook Hong. White-box aes implementation revisited. Journal of Communications and Networks, 18(3):273– 287, 2016. 97
[BGEC04] Olivier Billet, Henri Gilbert, and Charaf Ech-Chatbi. Cryptanalysis of a white box AES implementation. In Helena Handschuh and Anwar Hasan, editors, SAC 2004, volume 3357 of LNCS, pages 227–240. Springer, Heidelberg, August 2004. 98, 99
[BHMT16] Joppe W. Bos, Charles Hubain, Wil Michiels, and Philippe Teuwen. Differential computation analysis: Hiding your white-box designs is not enough. In Benedikt Gierlichs and Axel Y. Poschmann, editors, CHES 2016, volume 9813 of LNCS, pages 215–236. Springer, Heidelberg, August 2016. 99, 102
[BU18] Alex Biryukov and Aleksei Udovenko. Attacks and countermeasures for white-box designs. In Thomas Peyrin and Steven Galbraith, editors, ASI-ACRYPT 2018, Part II, volume 11273 of LNCS, pages 373–402. Springer, Heidelberg, December 2018. 99, 102
[CD08] Nicolas Courtois and Blandine Debraize. Algebraic description and simultane-ous linear approximations of addition in Snow 2.0. In Liqun Chen, Mark Der-mot Ryan, and Guilin Wang, editors, ICICS 08, volume 5308 of LNCS, pages 328–344. Springer, Heidelberg, October 2008. 99, 108, 109
[CEJv03] Stanley Chow, Philip A. Eisen, Harold Johnson, and Paul C. van Oorschot. White-box cryptography and an AES implementation. In Kaisa Nyberg and Howard M. Heys, editors, SAC 2002, volume 2595 of LNCS, pages 250–270. Springer, Heidelberg, August 2003. 97, 99
[CEJvO03] Stanley Chow, Phil Eisen, Harold Johnson, and Paul C. van Oorschot. A white-box des implementation for drm applications. In Joan Feigenbaum, editor, Digital Rights Management, pages 1–15, Berlin, Heidelberg, 2003. Springer Berlin Heidelberg. 97
[CLO10] David A. Cox, John Little, and Donal O’Shea. Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Alge-bra. Springer Publishing Company, Incorporated, 3rd edition, 2010. 127
[DFLM18] Patrick Derbez, Pierre-Alain Fouque, Baptiste Lambin, and Brice Minaud. On recovering affine encodings in white-box implementations. IACR TCHES, 2018(3):121–149, 2018. https://tches.iacr.org/index.php/TCHES/article/view/7271. 112, 113
[GPRW20] Louis Goubin, Pascal Paillier, Matthieu Rivain, and Junwei Wang. How to reveal the secrets of an obscure white-box implementation. Journal of Cryptographic Engineering, 10(1):49–66, April 2020. 99, 102
[KPG99] Aviad Kipnis, Jacques Patarin, and Louis Goubin. Unbalanced Oil and Vinegar signature schemes. In Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 206–222. Springer, Heidelberg, May 1999. 111, 126
[LM01] Helger Lipmaa and Shiho Moriai. Efficient algorithms for computing differential properties of addition. In FSE, volume 2355 of LNCS, pages 336–350. Springer, 2001. 107, 108
[LN05] H.E. Link and W.D. Neumann. Clarifying obfuscation: improving the security of white-box des. In International Conference on Information Technology: Coding and Computing (ITCC’05)-Volume II, volume 1, pages 679–684 Vol. 1, 2005. 97
[MGH09] Wil Michiels, Paul Gorissen, and Henk D. L. Hollmann. Cryptanalysis of a generic class of white-box implementations. In Roberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, SAC 2008, volume 5381 of LNCS, pages 414–428. Springer, Heidelberg, August 2009. 98
[RP20] Adrián Ranea and Bart Preneel. On self-equivalence encodings in white-box implementations. In Orr Dunkelman, Michael J. Jacobson Jr., and Colin O’Flynn, editors, SAC 2020, volume 12804 of LNCS, pages 639–669. Springer, Heidelberg, October 2020. 97, 99
[RVP22] Adrián Ranea, Joachim Vandersmissen, and Bart Preneel. Implicit white-box implementations: White-boxing ARX ciphers. In CRYPTO (1), volume 13507 of Lecture Notes in Computer Science, pages 33–63. Springer, 2022. 98, 99, 100, 101, 102, 105, 110, 111, 121, 122, 124, 125, 126, 127, 129, 131, 132
[Sag22] The Sage Developers. SageMath, the Sage Mathematics Software System (Version 9.7, Release Date: 2022-09-19), 2022. https://www.sagemath.org. 131
[VRP22] Joachim Vandersmissen, Adrián Ranea, and Bart Preneel. A white-box speck implementation using self-equivalence encodings. In ACNS, volume 13269 of Lecture Notes in Computer Science, pages 771–791. Springer, 2022. 98, 128, 129
[XL09] Yaying Xiao and Xuejia Lai. A secure implementation of white-box aes. In 2009 2nd International Conference on Computer Science and its Applications, pages 1–6, 2009. 97