White-box cryptography

In cryptography, the white-box model refers to an extreme attack scenario in which an adversary has full, unrestricted access to a cryptographic implementation, most commonly of a block cipher such as the Advanced Encryption Standard (AES). A variety of security goals may be posed (see the section below), the most fundamental being "unbreakability": no (computationally bounded) attacker should be able to extract the secret key hardcoded into the implementation, while the implementation itself remains fully functional. In contrast, the black-box model provides only oracle access to the analysed cryptographic primitive (in the form of encryption and/or decryption queries). There is also a model in between, the so-called gray-box model, in which the attacker additionally obtains information leaked by the implementation, more commonly referred to as side-channel leakage.

White-box cryptography is the practice and study of techniques for designing and attacking white-box implementations. It has many applications, including digital rights management (DRM), pay television, protection of cryptographic keys in the presence of malware, [1] mobile payments and cryptocurrency wallets. Examples of DRM systems employing white-box implementations include CSS and Widevine.

White-box cryptography is closely related to the more general notion of obfuscation, in particular to black-box obfuscation, which has been proven impossible, and to indistinguishability obfuscation, which was recently constructed under well-founded assumptions but is so far infeasible to implement in practice. [2]

As of January 2023, there are no publicly known unbroken white-box designs of standard symmetric encryption schemes. On the other hand, there exist many unbroken white-box implementations of dedicated block ciphers designed specifically to achieve incompressibility (see § Security goals).

Security goals

Depending on the application, different security goals may be required from a white-box implementation. Specifically, for symmetric-key algorithms the following are distinguished: [3]

A commonly used technique is to compose the white-box implementation with so-called external encodings. [1] These are lightweight secret encodings that modify the function computed by the white-box part of an application. Their effect must be cancelled in other parts of the application in an obscure way, using code obfuscation techniques. Alternatively, the cancelling counterparts can be applied on a remote server.
Examples of incompressible designs include SPACE cipher, [5] SPNbox, [6] WhiteKey and WhiteBlock. [7] These ciphers use large lookup tables that can be pseudorandomly generated from a secret master key. Although this makes the recovery of the master key hard, the lookup tables themselves play the role of an equivalent secret key. Thus, unbreakability is achieved only partially.
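To make the "table as equivalent key" point concrete, the following added example (not code from SPACE, SPNbox or any other published design) builds a toy 32-bit table-based cipher in the style described above: a 256-entry lookup table is derived one-way from a master key with HMAC-SHA256, and the round function only ever consults that table. The block size, round count, table width and round structure are constructed for illustration; real incompressible designs use tables of megabytes and larger block sizes.

```python
import hmac
import hashlib

ROUNDS = 16          # constructed toy parameter
TABLE_INPUT_BITS = 8  # table index width; real designs use 16 to 32 bits for large tables
MASK24 = 0xFFFFFF


def derive_table(master_key):
    """Pseudorandom table F: {0..255} -> 24-bit values, generated from the master key.

    HMAC is one-way, so the master key cannot be recovered from the table; but the
    table is all that the cipher below ever reads, so it acts as an equivalent key.
    """
    return [
        int.from_bytes(hmac.new(master_key, bytes([i]), hashlib.sha256).digest()[:3], "big")
        for i in range(2 ** TABLE_INPUT_BITS)
    ]


def encrypt(table, block):
    """Toy target-heavy Feistel round: the top byte indexes the table, the
    24-bit table output is XORed into the remaining bytes, and the top byte
    is rotated to the bottom. The master key never appears here."""
    block &= 0xFFFFFFFF
    for r in range(ROUNDS):
        x0 = block >> 24
        rest = block & MASK24
        new = (table[x0] ^ rest ^ r) & MASK24
        block = (new << 8) | x0
    return block


def decrypt(table, block):
    """Inverse of encrypt, again using only the table."""
    block &= 0xFFFFFFFF
    for r in reversed(range(ROUNDS)):
        x0 = block & 0xFF
        new = block >> 8
        rest = (new ^ table[x0] ^ r) & MASK24
        block = (x0 << 24) | rest
    return block


def table_size_bytes(table):
    """Storage an attacker must copy to reuse the implementation (3 bytes per entry)."""
    return 3 * len(table)


if __name__ == "__main__":
    # Constructed sample key and message.
    key = b"example master key, constructed for this demo"
    table = derive_table(key)
    m = 0xDEADBEEF
    c = encrypt(table, m)
    # A second party holding only the table (no master key) can still decrypt.
    table_copy = list(table)
    assert decrypt(table_copy, c) == m
    print(f"ciphertext {c:08x}, table size {table_size_bytes(table)} bytes")
```

The toy shows both halves of the trade-off stated in the paragraph: `derive_table` makes master-key recovery a preimage problem on HMAC, while `decrypt(table_copy, c)` shows that whoever extracts the table has an equivalent key, so unbreakability holds only against recovery of the master key itself and incompressibility must come from the table's size.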

History

The white-box model, together with the first attempts at white-box DES and AES implementations, was proposed by Chow, Eisen, Johnson and van Oorschot in 2003. [1] [8] The designs were based on representing the cipher as a network of lookup tables and obfuscating the tables by composing them with small (4- or 8-bit) random encodings. This protection has the property that each obfuscated table, taken individually, contains no information about the secret key. A potential attacker therefore has to combine several tables in their analysis.
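The following added example (a 4-bit toy, not the Chow et al. DES or AES construction) shows the table-network idea and why a single encoded table reveals nothing about its round key. A toy cipher of r rounds of "XOR round key, then apply a public S-box" is turned into r lookup tables, each sandwiched between random bijections that cancel between neighbouring tables. `explain_table` then shows that for any candidate key there exist encodings reproducing a given table exactly, so the table alone is consistent with every key. The S-box used is the public PRESENT S-box; round keys and encodings are constructed for the demo.

```python
import secrets

# Public 4-bit S-box (the PRESENT S-box); any fixed bijection would do for the toy.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
IDENTITY = list(range(16))


def toy_cipher(x, round_keys):
    """Black-box reference: each round XORs a 4-bit round key and applies the S-box."""
    for k in round_keys:
        x = SBOX[x ^ k]
    return x


def random_bijection():
    """Uniformly random permutation of {0..15} (Fisher-Yates with a CSPRNG)."""
    p = list(range(16))
    for i in range(15, 0, -1):
        j = secrets.randbelow(i + 1)
        p[i], p[j] = p[j], p[i]
    return p


def invert(p):
    inv = [0] * 16
    for i, v in enumerate(p):
        inv[v] = i
    return inv


def compose(*tables):
    """compose(f, g)[x] == f[g[x]]: the rightmost table is applied first."""
    out = []
    for x in range(16):
        for t in reversed(tables):
            x = t[x]
        out.append(x)
    return out


def xor_table(k):
    return [x ^ k for x in range(16)]


def build_whitebox(round_keys):
    """Encoded table network T_1..T_r with T_i = g_i o S o (xor k_i) o g_{i-1}^{-1}.

    g_0 and g_r are the identity (no external encodings), so the network computes
    exactly toy_cipher; g_1..g_{r-1} are secret random bijections that cancel
    pairwise and are discarded after table generation.
    """
    r = len(round_keys)
    g = [IDENTITY] + [random_bijection() for _ in range(r - 1)] + [IDENTITY]
    return [compose(g[i + 1], SBOX, xor_table(k), invert(g[i]))
            for i, k in enumerate(round_keys)]


def run_whitebox(tables, x):
    for t in tables:
        x = t[x]
    return x


def explain_table(table, k):
    """Key-hiding property of one table in isolation.

    For ANY candidate round key k, return encodings (g_in, g_out) such that
    g_out o S o (xor k) o g_in^{-1} equals the table: g_in = identity,
    g_out = T o (xor k) o S^{-1}. Because this works for every k, the table by
    itself carries no information about the round key.
    """
    return IDENTITY, compose(table, xor_table(k), SBOX_INV)


def reproduces(table, k, g_in, g_out):
    """Check that the encodings returned by explain_table really rebuild the table."""
    return compose(g_out, SBOX, xor_table(k), invert(g_in)) == table


if __name__ == "__main__":
    keys = [0x3, 0xA, 0x7]          # constructed round keys
    tables = build_whitebox(keys)
    assert all(run_whitebox(tables, x) == toy_cipher(x, keys) for x in range(16))
    consistent = sum(reproduces(tables[1], k, *explain_table(tables[1], k)) for k in range(16))
    print(f"middle table is consistent with {consistent} of 16 candidate round keys")
```

Since every individual table is consistent with all 16 candidate keys, an analyst must relate neighbouring tables to each other to learn anything; that is exactly the combination of several tables the paragraph refers to, and the reason later attacks such as BGE work on relations between tables rather than on tables in isolation.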

The first two schemes were broken in 2004 by Billet, Gilbert, and Ech-Chatbi using structural cryptanalysis. [9] The attack was subsequently called "the BGE attack".

The numerous subsequent design attempts (2005-2022) [10] were quickly broken by practical dedicated attacks. [11]

In 2016, Bos, Hubain, Michiels and Teuwen showed that an adaptation of standard side-channel power-analysis attacks can be used to efficiently and fully automatically break most existing white-box designs. [12] This result opened a new research direction on generic attacks (correlation-based, algebraic, fault injection) and on protections against them. [13]

Competitions

Four editions of the WhibOx contest were held in 2017, 2019, 2021 and 2024. These competitions invited white-box designers from both academia and industry to submit their implementations in the form of (possibly obfuscated) C code. At the same time, anyone could attempt to attack these programs and recover the embedded secret key. Each competition lasted about 4-5 months.


References

  1. Chow, Stanley; Eisen, Phil; Johnson, Harold; van Oorschot, Paul C. (2003). "A White-Box DES Implementation for DRM Applications". Digital Rights Management. Lecture Notes in Computer Science. Vol. 2696. pp. 1–15. doi:10.1007/978-3-540-44993-5_1. ISBN 978-3-540-40410-1.
  2. Jain, Aayush; Lin, Huijia; Sahai, Amit (15 June 2021). "Indistinguishability obfuscation from well-founded assumptions". Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing. pp. 60–73. arXiv:2008.09317. doi:10.1145/3406325.3451093. ISBN 978-1-4503-8053-9.
  3. Delerablée, Cécile; Lepoint, Tancrède; Paillier, Pascal; Rivain, Matthieu (2014). "White-Box Security Notions for Symmetric Encryption Schemes". SAC 2013: Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 8282. pp. 247–264. doi:10.1007/978-3-662-43414-7_13. ISBN 978-3-662-43413-0.
  4. Diffie, Whitfield; Hellman, Martin (November 1976). "New directions in cryptography". IEEE Transactions on Information Theory. 22 (6): 644–654. doi:10.1109/TIT.1976.1055638.
  5. Bogdanov, Andrey; Isobe, Takanori (12 October 2015). "White-Box Cryptography Revisited: Space-Hard Ciphers". Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. pp. 1058–1069. doi:10.1145/2810103.2813699. ISBN 978-1-4503-3832-5.
  6. Bogdanov, Andrey; Isobe, Takanori; Tischhauser, Elmar (2016). "Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness". Advances in Cryptology – ASIACRYPT 2016. Lecture Notes in Computer Science. Vol. 10031. pp. 126–158. doi:10.1007/978-3-662-53887-6_5. ISBN 978-3-662-53886-9.
  7. Fouque, Pierre-Alain; Karpman, Pierre; Kirchner, Paul; Minaud, Brice (2016). "Efficient and Provable White-Box Primitives" (PDF). Advances in Cryptology – ASIACRYPT 2016. Lecture Notes in Computer Science. Vol. 10031. pp. 159–188. doi:10.1007/978-3-662-53887-6_6. ISBN 978-3-662-53886-9.
  8. Chow, Stanley; Eisen, Philip; Johnson, Harold; Van Oorschot, Paul C. (2003). "White-Box Cryptography and an AES Implementation". SAC 2002: Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 2595. pp. 250–270. doi:10.1007/3-540-36492-7_17. ISBN 978-3-540-00622-0.
  9. Billet, Olivier; Gilbert, Henri; Ech-Chatbi, Charaf (2004). "Cryptanalysis of a White Box AES Implementation". Selected Areas in Cryptography. Lecture Notes in Computer Science. Vol. 3357. pp. 227–240. doi:10.1007/978-3-540-30564-4_16. ISBN 978-3-540-24327-4.
  10. Bos, Joppe W.; Hubain, Charles; Michiels, Wil; Teuwen, Philippe (2016). "Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough". Cryptographic Hardware and Embedded Systems – CHES 2016. Lecture Notes in Computer Science. Vol. 9813. pp. 215–236. doi:10.1007/978-3-662-53140-2_11. ISBN 978-3-662-53139-6.
  11. "CryptoLUX Research Group. Whitebox cryptography. WhibOx 2019 Competition". www.cryptolux.org. Retrieved 28 February 2024.
  12. Goubin, Louis; Rivain, Matthieu; Wang, Junwei (19 June 2020). "Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks". IACR Transactions on Cryptographic Hardware and Embedded Systems: 454–482. doi:10.13154/tches.v2020.i3.454-482.
  13. Barbu, Guillaume; Beullens, Ward; Dottax, Emmanuelle; Giraud, Christophe; Houzelot, Agathe; Li, Chaoyun; Mahzoun, Mohammad; Ranea, Adrián; Xie, Jianrui (31 August 2022). "ECDSA White-Box Implementations: Attacks and Designs from CHES 2021 Challenge". IACR Transactions on Cryptographic Hardware and Embedded Systems: 527–552. doi:10.46586/tches.v2022.i4.527-552.
  14. Bauer, Sven; Drexler, Hermann; Gebhardt, Max; Klein, Dominik; Laus, Friederike; Mittmann, Johannes (31 August 2022). "Attacks Against White-Box ECDSA and Discussion of Countermeasures: A Report on the WhibOx Contest 2021". IACR Transactions on Cryptographic Hardware and Embedded Systems: 25–55. doi:10.46586/tches.v2022.i4.25-55.