This work proposes a new white-box attack technique called filtering, which can be combined with any other trace-based attack method. The idea is to filter the traces based on the value of an intermediate variable in the implementation, aiming to fix a share of a sensitive value and thereby degrade the security of the masking scheme involved. Coupled with LDA (filtered LDA, FLDA), it leads to an attack defeating the state-of-the-art SEL masking scheme (CHES 2021) of arbitrary degree and number of linear shares with quartic complexity in the window size. In comparison, the current best attacks have complexities that are exponential in the degree (higher degree decoding analysis, HDDA), in the number of linear shares (higher-order differential computation analysis, HODCA), or in the window size (white-box learning parity with noise, WBLPN). The attack exploits the key idea of the SEL scheme, an efficient parallel combination of the nonlinear and linear masking schemes. We conclude that a proper composition of masking schemes is essential for security. In addition, we propose several optimizations for linear algebraic attacks: redundant node removal (RNR), optimized parity check matrix usage, and chosen-plaintext filtering (CPF), significantly improving the performance of security evaluation of white-box implementations.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > CryptoLUX – Cryptography
Disciplines :
Computer science
Author, co-author :
CHARLÈS, Alex ; University of Luxembourg > Faculty of Science, Technology and Medicine (FSTM) > Department of Computer Science (DCS)
UDOVENKO, Aleksei ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Cryptolux
External co-authors :
no
Language :
English
Title :
White-box filtering attacks breaking SEL masking: from exponential to polynomial time
Publication date :
18 July 2024
Event name :
Conference on Cryptographic Hardware and Embedded Systems (CHES)
Event organizer :
International Association for Cryptologic Research (IACR)
Event place :
Halifax, Canada
Event date :
September 4-7, 2024
Audience :
International
Journal title :
IACR Transactions on Cryptographic Hardware and Embedded Systems
FNR - Fonds National de la Recherche
DFG - German Research Foundation
Funding number :
C19/AES/1364232
Funding text :
This work was supported by the Luxembourg National Research Fund's (FNR) and the German Research Foundation's (DFG) joint project APLICA (C19/IS/13641232).