Keywords :
Cryptanalysis; DCA; Dummy Shuffling; LDA; LPN; Masking; White-box Cryptography; Learning parity with noise; Linear decoding; Linear decoding analysis attack; Masking schemes; White-box cryptographies; Software
Abstract :
In white-box cryptography, early protection techniques have fallen to the automated Differential Computation Analysis attack (DCA), leading to new countermeasures and attacks. A standard side-channel countermeasure, Ishai-Sahai-Wagner's masking scheme (ISW, CRYPTO 2003), prevents Differential Computation Analysis but was shown to be vulnerable in the white-box context to the Linear Decoding Analysis attack (LDA). However, recent quadratic and cubic masking schemes by Biryukov-Udovenko (ASIACRYPT 2018) and Seker-Eisenbarth-Liskiewicz (CHES 2021) prevent LDA and force the use of its higher-degree generalizations, which have much higher complexity. In this work, we study the relationship between the security of these and related schemes and the Learning Parity with Noise (LPN) problem, and propose a new automated attack by applying an LPN-solving algorithm to white-box implementations. The attack effectively exploits strong linear approximations of the masking scheme and can thus be seen as a combination of the DCA and LDA techniques. Unlike previous attacks, the complexity of this algorithm depends on the approximation error, hence allowing new practical attacks on masking schemes which previously resisted automated analysis. We demonstrate this theoretically and experimentally, exposing multiple cases where the LPN-based method significantly outperforms the LDA and DCA methods, including their higher-order variants. This work applies the LPN problem beyond its usual post-quantum cryptography setting, strengthening its interest for the cryptographic community, while expanding the range of automated attacks by presenting a new direction for breaking masking schemes in the white-box model.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > CryptoLUX – Cryptography
Disciplines :
Computer science
Author, co-author :
CHARLÈS, Alex ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
UDOVENKO, Aleksei ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Cryptolux
External co-authors :
no
Language :
English
Title :
LPN-based Attacks in the White-box Setting
Publication date :
31 August 2023
Journal title :
IACR Transactions on Cryptographic Hardware and Embedded Systems
Funders :
FNR - Luxembourg National Research Fund
DFG - German Research Foundation
Funding number :
C19/IS/13641232
Funding text :
This work was supported by the Luxembourg National Research Fund’s (FNR) and the German Research Foundation’s (DFG) joint project APLICA (C19/IS/13641232).
[ABMT18] Estuardo Alpirez Bock, Chris Brzuska, Wil Michiels, and Alexander Treff. On the ineffectiveness of internal encodings: revisiting the DCA attack on white-box cryptography. In Bart Preneel and Frederik Vercauteren, editors, ACNS 18, volume 10892 of LNCS, pages 103–120. Springer, Heidelberg, July 2018.
[AES01] Advanced Encryption Standard (AES). National Institute of Standards and Technology, NIST FIPS PUB 197, U.S. Department of Commerce, November 2001.
[BBD+22] Guillaume Barbu, Ward Beullens, Emmanuelle Dottax, Christophe Giraud, Agathe Houzelot, Chaoyun Li, Mohammad Mahzoun, Adrián Ranea, and Jianrui Xie. ECDSA white-box implementations: Attacks and designs from CHES 2021 challenge. IACR TCHES, 2022(4):527–552, 2022.
[BDG+22] Sven Bauer, Hermann Drexler, Max Gebhardt, Dominik Klein, Friederike Laus, and Johannes Mittmann. Attacks against white-box ECDSA and discussion of countermeasures: A report on the WhibOx contest 2021. IACR TCHES, 2022(4):25–55, 2022.
[BGEC04] Olivier Billet, Henri Gilbert, and Charaf Ech-Chatbi. Cryptanalysis of a white box AES implementation. In Helena Handschuh and Anwar Hasan, editors, SAC 2004, volume 3357 of LNCS, pages 227–240. Springer, Heidelberg, August 2004.
[BHMT16] Joppe W. Bos, Charles Hubain, Wil Michiels, and Philippe Teuwen. Differential computation analysis: Hiding your white-box designs is not enough. In Benedikt Gierlichs and Axel Y. Poschmann, editors, CHES 2016, volume 9813 of LNCS, pages 215–236. Springer, Heidelberg, August 2016.
[BRVW19] Andrey Bogdanov, Matthieu Rivain, Philip S. Vejre, and Junwei Wang. Higher-order DCA against standard side-channel countermeasures. In Ilia Polian and Marc Stöttinger, editors, COSADE 2019, volume 11421 of LNCS, pages 118–141. Springer, Heidelberg, April 2019.
[BU18] Alex Biryukov and Aleksei Udovenko. Attacks and countermeasures for white-box designs. In Thomas Peyrin and Steven Galbraith, editors, ASIACRYPT 2018, Part II, volume 11273 of LNCS, pages 373–402. Springer, Heidelberg, December 2018.
[BU21] Alex Biryukov and Aleksei Udovenko. Dummy shuffling against algebraic attacks in white-box implementations. In Anne Canteaut and François-Xavier Standaert, editors, EUROCRYPT 2021, Part II, volume 12697 of LNCS, pages 219–248. Springer, Heidelberg, October 2021.
[CEJv03] Stanley Chow, Philip A. Eisen, Harold Johnson, and Paul C. van Oorschot. White-box cryptography and an AES implementation. In Kaisa Nyberg and Howard M. Heys, editors, SAC 2002, volume 2595 of LNCS, pages 250–270. Springer, Heidelberg, August 2003.
[CEJvO02] Stanley Chow, Philip A. Eisen, Harold Johnson, and Paul C. van Oorschot. A white-box DES implementation for DRM applications. In Digital Rights Management Workshop, volume 2696 of Lecture Notes in Computer Science, pages 1–15. Springer, 2002.
[DRP13] Yoni De Mulder, Peter Roelse, and Bart Preneel. Cryptanalysis of the Xiao-Lai white-box AES implementation. In Lars R. Knudsen and Huapeng Wu, editors, SAC 2012, volume 7707 of LNCS, pages 34–49. Springer, Heidelberg, August 2013.
[EKM17] Andre Esser, Robert Kübler, and Alexander May. LPN decoded. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part II, volume 10402 of LNCS, pages 486–514. Springer, Heidelberg, August 2017.
[FA76] Fino and Algazi. Unified matrix treatment of the fast Walsh-Hadamard transform. IEEE Transactions on Computers, C-25(11):1142–1146, 1976.
[GPRW20] Louis Goubin, Pascal Paillier, Matthieu Rivain, and Junwei Wang. How to reveal the secrets of an obscure white-box implementation. Journal of Cryptographic Engineering, 10(1):49–66, April 2020.
[HOM06] Christoph Herbst, Elisabeth Oswald, and Stefan Mangard. An AES smart card implementation resistant to power analysis attacks. In Jianying Zhou, Moti Yung, and Feng Bao, editors, ACNS 06, volume 3989 of LNCS, pages 239–252. Springer, Heidelberg, June 2006.
[ISW03] Yuval Ishai, Amit Sahai, and David Wagner. Private circuits: Securing hardware against probing attacks. In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 463–481. Springer, Heidelberg, August 2003.
[Kar11] Mohamed Karroumi. Protecting white-box AES with dual ciphers. In Kyung-Hyune Rhee and DaeHun Nyang, editors, Information Security and Cryptology - ICISC 2010, pages 278–291, Berlin, Heidelberg, 2011. Springer Berlin Heidelberg.
[KJJ99] Paul C. Kocher, Joshua Jaffe, and Benjamin Jun. Differential power analysis. In Michael J. Wiener, editor, CRYPTO'99, volume 1666 of LNCS, pages 388–397. Springer, Heidelberg, August 1999.
[LRD+14] Tancrède Lepoint, Matthieu Rivain, Yoni De Mulder, Peter Roelse, and Bart Preneel. Two attacks on a white-box AES implementation. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, SAC 2013, volume 8282 of LNCS, pages 265–285. Springer, Heidelberg, August 2014.
[Mat94] Mitsuru Matsui. Linear cryptanalysis method for DES cipher. In Tor Helleseth, editor, EUROCRYPT'93, volume 765 of LNCS, pages 386–397. Springer, Heidelberg, May 1994.
[Nat79] National Institute of Standards and Technology. FIPS-46: Data Encryption Standard (DES), 1979. Revised as FIPS 46-1:1988, FIPS 46-2:1993, FIPS 46-3:1999.
[Pra62] E. Prange. The use of information sets in decoding cyclic codes. IRE Transactions on Information Theory, 8(5):5–9, 1962.
[RW19] Matthieu Rivain and Junwei Wang. Analysis and improvement of differential computation attacks against internally-encoded white-box implementations. IACR TCHES, 2019(2):225–255, 2019. https://tches.iacr.org/index.php/TCHES/article/view/7391.
[Sag22] The Sage Developers. SageMath, the Sage Mathematics Software System (Version 9.7, Release Date: 2022-09-19), 2022. https://www.sagemath.org.
[SEL21] Okan Seker, Thomas Eisenbarth, and Maciej Liskiewicz. A white-box masking scheme resisting computational and algebraic attacks. IACR TCHES, 2021(2):61–105, 2021. https://tches.iacr.org/index.php/TCHES/article/view/8788.
[TGCX23] Yufeng Tang, Zheng Gong, Jinhai Chen, and Nanjiang Xie. Higher-order DCA attacks on white-box implementations with masking and shuffling countermeasures. IACR TCHES, 2023(1):369–400, 2023.
[VMKS12] Nicolas Veyrat-Charvillon, Marcel Medwed, Stéphanie Kerckhof, and François-Xavier Standaert. Shuffling against side-channel attacks: A comprehensive study with cautionary note. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS, pages 740–757. Springer, Heidelberg, December 2012.
[XL09] Yaying Xiao and Xuejia Lai. A secure implementation of white-box AES. In 2009 2nd International Conference on Computer Science and its Applications, pages 1–6, 2009.