White-box cryptography: Difference between revisions

From Wikipedia, the free encyclopedia
'''White-box cryptography''' is the practice and study of techniques for designing and attacking white-box implementations. It has many applications, including [[digital rights management]] (DRM), [[pay television]], protection of cryptographic keys in the presence of [[malware]],<ref name="CEJVO-DES"/> mobile payments and [[cryptocurrency]] wallets. Examples of DRM systems employing white-box implementations include [[Content Scramble System|CSS]] and [[Widevine]].


White-box cryptography is closely related to the more general notions of [[Obfuscation (software)|obfuscation]], in particular, to [[Black-box obfuscation]], proven to be impossible, and to [[Indistinguishability obfuscation]], constructed recently under well-founded assumptions but so far infeasible to implement in practice.<ref>{{cite journal |last1=Jain |first1=Aayush |last2=Lin |first2=Huijia |last3=Sahai |first3=Amit |title=Indistinguishability obfuscation from well-founded assumptions |date=15 June 2021 |pages=60–73 |doi=10.1145/3406325.3451093 |journal=STOC 2021: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing|arxiv=2008.09317 |isbn=978-1-4503-8053-9 }}</ref>


As of January 2023, there are no publicly known unbroken white-box designs of standard symmetric encryption schemes. On the other hand, there exist many unbroken white-box implementations of ''dedicated'' block ciphers designed specifically to achieve incompressibility (see [[#Security goals|security goals]]).
==Security goals==


Depending on the application, different security goals may be required from a white-box implementation. Specifically, for [[Symmetric-key algorithm|symmetric-key algorithms]] the following are distinguished:<ref>{{cite book |last1=Delerablée |first1=Cécile |last2=Lepoint |first2=Tancrède |last3=Paillier |first3=Pascal |last4=Rivain |first4=Matthieu |title=White-Box Security Notions for Symmetric Encryption Schemes |journal=SAC 2013: Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2014 |volume=8282 |pages=247–264 |doi=10.1007/978-3-662-43414-7_13|isbn=978-3-662-43413-0 }}</ref>


* '''Unbreakability''' is the most fundamental goal requiring that a bounded attacker should not be able to recover the secret key embedded in the white-box implementation. Without this requirement, all other security goals are unreachable since a successful attacker can simply use a reference implementation of the encryption scheme together with the extracted key.


* '''Incompressibility''' requires that an attacker can not significantly compress a given white-box implementation. This can be seen as a way to achieve code lifting security (see above), since exfiltrating a large program from a constrained device (for example, an [[Embedded system|embedded]] or a [[Mobile device|mobile]] device) can be time-consuming and may be easy to detect by a [[Firewall (computing)|firewall]].<ref name="SPACE"/>
:Examples of incompressible designs include SPACE cipher,<ref name="SPACE">{{cite book |last1=Bogdanov |first1=Andrey |last2=Isobe |first2=Takanori |chapter=White-Box Cryptography Revisited: Space-Hard Ciphers |title=Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security |date=12 October 2015 |pages=1058–1069 |doi=10.1145/2810103.2813699|isbn=978-1-4503-3832-5 }}</ref> SPNbox,<ref>{{cite book |last1=Bogdanov |first1=Andrey |last2=Isobe |first2=Takanori |last3=Tischhauser |first3=Elmar |chapter=Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness |series=Lecture Notes in Computer Science |title=Advances in Cryptology – ASIACRYPT 2016 |date=2016 |volume=10031 |pages=126–158 |doi=10.1007/978-3-662-53887-6_5|isbn=978-3-662-53886-9 }}</ref> WhiteKey and WhiteBlock.<ref>{{cite book |last1=Fouque |first1=Pierre-Alain |last2=Karpman |first2=Pierre |last3=Kirchner |first3=Paul |last4=Minaud |first4=Brice |chapter=Efficient and Provable White-Box Primitives |series=Lecture Notes in Computer Science |title=Advances in Cryptology – ASIACRYPT 2016 |date=2016 |volume=10031 |pages=159–188 |doi=10.1007/978-3-662-53887-6_6|isbn=978-3-662-53886-9 |chapter-url=https://hal.archives-ouvertes.fr/hal-01427810/file/h4.pdf }}</ref> These ciphers use large lookup tables that can be [[Cryptographically secure pseudorandom number generator|pseudorandomly]] generated from a secret master key. Although this makes the recovery of the master key hard, the lookup tables themselves play the role of an equivalent secret key. Thus, unbreakability is achieved only partially.


* '''Traceability''' ([[Traitor tracing]]) requires that each distributed white-box implementation contains a [[Digital watermarking|digital watermark]] allowing identification of the guilty user in case the white-box program is being leaked and distributed publicly.
==History==


The white-box model, together with the first white-box [[Data Encryption Standard|DES]] and [[Advanced Encryption Standard|AES]] implementations, was proposed by Chow, Eisen, Johnson and van Oorschot in 2003.<ref name="CEJVO-DES">{{cite book |last1=Chow |first1=Stanley |last2=Eisen |first2=Phil |last3=Johnson |first3=Harold |last4=van Oorschot |first4=Paul C. |title=A White-Box DES Implementation for DRM Applications |journal=Digital Rights Management |series=Lecture Notes in Computer Science |date=2003 |volume=2696 |pages=1–15 |doi=10.1007/978-3-540-44993-5_1|isbn=978-3-540-40410-1 }}</ref><ref>{{cite book |last1=Chow |first1=Stanley |last2=Eisen |first2=Philip |last3=Johnson |first3=Harold |last4=Van Oorschot |first4=Paul C. |title=White-Box Cryptography and an AES Implementation |journal=SAC 2002: Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2003 |volume=2595 |pages=250–270 |doi=10.1007/3-540-36492-7_17|isbn=978-3-540-00622-0 }}</ref>
The designs represent the cipher as a network of [[Lookup table|lookup tables]] and obfuscate each table by composing it with small (4- or 8-bit) random encodings. This protection has the property that no single obfuscated table, taken on its own, contains any information about the secret key; a potential attacker therefore has to combine several tables in their analysis.


The first two schemes were broken in 2004 by Billet, Gilbert, and Ech-Chatbi using structural cryptanalysis.<ref>{{cite book |last1=Billet |first1=Olivier |last2=Gilbert |first2=Henri |last3=Ech-Chatbi |first3=Charaf |title=Cryptanalysis of a White Box AES Implementation |journal=Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2004 |volume=3357 |pages=227–240 |doi=10.1007/978-3-540-30564-4_16|isbn=978-3-540-24327-4 }}</ref>
The attack was subsequently called "the BGE attack".


The numerous subsequent design attempts (2005-2022)
<ref>{{cite book |last1=Link |first1=Hamilton |last2=Neumann |first2=W.D. |chapter=Clarifying obfuscation: Improving the security of white-box DES |title=International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II |date=2005 |volume=II |pages=679-684 Vol. 1 |chapter-url=https://ieeexplore.ieee.org/document/1428542 |doi=10.1109/ITCC.2005.100|isbn=0-7695-2315-3 }}</ref><ref>{{cite book |last1=Bringer |first1=Julien |last2=Chabanne |first2=Hervé |last3=Dottax |first3=Emmanuelle |title=Perturbing and Protecting a Traceable Block Cipher |journal=Communications and Multimedia Security |series=Lecture Notes in Computer Science |date=2006 |volume=4237 |pages=109–119 |doi=10.1007/11909033_10|isbn=978-3-540-47820-1 }}</ref><ref>{{cite book |last1=Xiao |first1=Yaying |last2=Lai |first2=Xuejia |chapter=A Secure Implementation of White-Box AES |title=2009 2nd International Conference on Computer Science and its Applications |date=2010 |pages=1–6 |doi=10.1109/CSA.2009.5404239|isbn=978-1-4244-4945-3 }}</ref><ref>{{cite book |last1=Karroumi |first1=Mohamed |title=Protecting White-Box AES with Dual Ciphers |journal=Information Security and Cryptology - ICISC 2010 |series=Lecture Notes in Computer Science |date=2011 |volume=6829 |pages=278–291 |doi=10.1007/978-3-642-24209-0_19|isbn=978-3-642-24208-3 }}</ref><ref>{{cite book |last1=Vandersmissen |first1=Joachim |last2=Ranea |first2=Adrián |last3=Preneel |first3=Bart |title=A White-Box Speck Implementation Using Self-equivalence Encodings |journal=Applied Cryptography and Network Security |series=Lecture Notes in Computer Science |date=2022 |volume=13269 |pages=771–791 |doi=10.1007/978-3-031-09234-3_38|isbn=978-3-031-09233-6 }}</ref><ref>{{cite book |last1=Ranea |first1=Adrián |last2=Vandersmissen |first2=Joachim |last3=Preneel |first3=Bart |chapter=Implicit White-Box Implementations: White-Boxing ARX Ciphers |series=Lecture Notes in Computer Science |title=Advances in Cryptology – CRYPTO 2022 
|date=2022 |volume=13507 |pages=33–63 |doi=10.1007/978-3-031-15802-5_2|isbn=978-3-031-15801-8 }}</ref> were quickly broken by practical dedicated attacks.<ref>{{cite book |last1=Goubin |first1=Louis |last2=Masereel |first2=Jean-Michel |last3=Quisquater |first3=Michaël |title=Cryptanalysis of White Box DES Implementations |journal=Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2007 |volume=4876 |pages=278–295 |doi=10.1007/978-3-540-77360-3_18|isbn=978-3-540-77359-7 }}</ref><ref>{{cite book |last1=Wyseur |first1=Brecht |last2=Michiels |first2=Wil |last3=Gorissen |first3=Paul |last4=Preneel |first4=Bart |title=Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings |journal=Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2007 |volume=4876 |pages=264–277 |doi=10.1007/978-3-540-77360-3_17|isbn=978-3-540-77359-7 }}</ref><ref>{{cite book |last1=Michiels |first1=Wil |last2=Gorissen |first2=Paul |last3=Hollmann |first3=Henk D. L. 
|title=Cryptanalysis of a Generic Class of White-Box Implementations |journal=Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2009 |volume=5381 |pages=414–428 |doi=10.1007/978-3-642-04159-4_27|isbn=978-3-642-04158-7 }}</ref><ref>{{cite book |last1=De Mulder |first1=Yoni |last2=Wyseur |first2=Brecht |last3=Preneel |first3=Bart |title=Cryptanalysis of a Perturbated White-Box AES Implementation |journal=Progress in Cryptology - INDOCRYPT 2010 |series=Lecture Notes in Computer Science |date=2010 |volume=6498 |pages=292–310 |doi=10.1007/978-3-642-17401-8_21|isbn=978-3-642-17400-1 }}</ref><ref>{{cite book |last1=De Mulder |first1=Yoni |last2=Roelse |first2=Peter |last3=Preneel |first3=Bart |title=Cryptanalysis of the Xiao – Lai White-Box AES Implementation |journal=Selected Areas in Cryptography |series=Lecture Notes in Computer Science |date=2013 |volume=7707 |pages=34–49 |doi=10.1007/978-3-642-35999-6_3|isbn=978-3-642-35998-9 }}</ref><ref>{{cite book |last1=Lepoint |first1=Tancrède |last2=Rivain |first2=Matthieu |last3=De Mulder |first3=Yoni |last4=Roelse |first4=Peter |last5=Preneel |first5=Bart |title=Two Attacks on a White-Box AES Implementation |journal=Selected Areas in Cryptography -- SAC 2013 |series=Lecture Notes in Computer Science |date=2014 |volume=8282 |pages=265–285 |doi=10.1007/978-3-662-43414-7_14|isbn=978-3-662-43413-0 }}</ref><ref>{{cite journal |last1=Biryukov |first1=Alex |last2=Lambin |first2=Baptiste |last3=Udovenko |first3=Aleksei |title=Cryptanalysis of ARX-based White-box Implementations |journal=IACR Transactions on Cryptographic Hardware and Embedded Systems |date=9 June 2023 |pages=97–135 |doi=10.46586/tches.v2023.i3.97-135|doi-access=free }}</ref>


In 2016, Bos, Hubain, Michiels and Teuwen showed that an adaptation of standard side-channel [[power analysis]] attacks can be used to efficiently and fully automatically break most existing white-box designs.<ref>{{cite book |last1=Bos |first1=Joppe W. |last2=Hubain |first2=Charles |last3=Michiels |first3=Wil |last4=Teuwen |first4=Philippe |title=Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough |journal=Cryptographic Hardware and Embedded Systems – CHES 2016 |series=Lecture Notes in Computer Science |date=2016 |volume=9813 |pages=215–236 |doi=10.1007/978-3-662-53140-2_11|isbn=978-3-662-53139-6 }}</ref>
This result created a new research direction about generic attacks (correlation-based, algebraic, [[fault injection]]) and protections against them.
<ref>{{cite journal |last1=Rivain |first1=Matthieu |last2=Wang |first2=Junwei |title=Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box Implementations |journal=IACR Transactions on Cryptographic Hardware and Embedded Systems |date=28 February 2019 |pages=225–255 |doi=10.13154/tches.v2019.i2.225-255}}</ref><ref>{{cite journal |last1=Goubin |first1=Louis |last2=Paillier |first2=Pascal |last3=Rivain |first3=Matthieu |last4=Wang |first4=Junwei |title=How to reveal the secrets of an obscure white-box implementation |journal=Journal of Cryptographic Engineering |date=April 2020 |volume=10 |issue=1 |pages=49–66 |doi=10.1007/s13389-019-00207-5}}</ref><ref>{{cite book |last1=Biryukov |first1=Alex |last2=Udovenko |first2=Aleksei |chapter=Attacks and Countermeasures for White-box Designs |series=Lecture Notes in Computer Science |title=Advances in Cryptology – ASIACRYPT 2018 |date=2018 |volume=11273 |pages=373–402 |doi=10.1007/978-3-030-03329-3_13|isbn=978-3-030-03328-6 }}</ref><ref>{{cite journal |last1=Ezepue |first1=B.C. 
|title=Differential fault analysis of white-box cryptographic implementations |journal=Master Thesis |date=2017 |url=https://research.tue.nl/en/studentTheses/differential-fault-analysis-of-white-box-cryptographic-implementa |language=en}}</ref><ref>{{cite journal |last1=Seker |first1=Okan |last2=Eisenbarth |first2=Thomas |last3=Liskiewicz |first3=Maciej |title=A White-Box Masking Scheme Resisting Computational and Algebraic Attacks |journal=IACR Transactions on Cryptographic Hardware and Embedded Systems |date=2021 |pages=61–105 |doi=10.46586/tches.v2021.i2.61-105|doi-access=free }}</ref><ref>{{cite book |last1=Biryukov |first1=Alex |last2=Udovenko |first2=Aleksei |chapter=Dummy Shuffling Against Algebraic Attacks in White-Box Implementations |series=Lecture Notes in Computer Science |title=Advances in Cryptology – EUROCRYPT 2021 |date=2021 |volume=12697 |pages=219–248 |doi=10.1007/978-3-030-77886-6_8|isbn=978-3-030-77885-9 |chapter-url=https://orbilu.uni.lu/bitstream/10993/49462/1/2021-290.pdf }}</ref>


==Competitions==

Revision as of 02:35, 18 March 2024

In cryptography, the white-box model is an extreme attack scenario in which the adversary has full, unrestricted access to a cryptographic implementation, most commonly of a block cipher such as the Advanced Encryption Standard (AES): the attacker can read the code and all memory, single-step the execution and modify anything at will. A variety of security goals may be posed (see the section below), the most fundamental being "unbreakability": a (bounded) attacker must not be able to extract the secret key hardcoded in the implementation, while the implementation remains fully functional. In contrast, the black-box model gives the attacker only oracle access to the analyzed cryptographic primitive (in the form of encryption and/or decryption queries). In between lies the so-called gray-box model, in which the attacker additionally obtains partial information leaked by the implementation, more commonly referred to as side-channel leakage.

White-box cryptography is the practice and study of techniques for designing and attacking white-box implementations. It has many applications, including digital rights management (DRM), pay television, protection of cryptographic keys in the presence of malware,[1] mobile payments and cryptocurrency wallets. Examples of DRM systems employing white-box implementations include CSS and Widevine.

White-box cryptography is closely related to the more general notions of obfuscation, in particular, to Black-box obfuscation, proven to be impossible, and to Indistinguishability obfuscation, constructed recently under well-founded assumptions but so far infeasible to implement in practice.[2]

As of January 2023, there are no publicly known unbroken white-box designs of standard symmetric encryption schemes. On the other hand, there exist many unbroken white-box implementations of dedicated block ciphers designed specifically to achieve incompressibility (see security goals).

Security goals

Depending on the application, different security goals may be required from a white-box implementation. Specifically, for symmetric-key algorithms the following are distinguished:[3]

  • Unbreakability is the most fundamental goal requiring that a bounded attacker should not be able to recover the secret key embedded in the white-box implementation. Without this requirement, all other security goals are unreachable since a successful attacker can simply use a reference implementation of the encryption scheme together with the extracted key.
  • One-wayness requires that a bounded attacker cannot use a white-box implementation of an encryption scheme to decrypt ciphertexts. This requirement essentially turns a symmetric encryption scheme into a public-key encryption scheme, where the white-box implementation plays the role of the public key associated with the embedded secret key. The idea was already proposed in the seminal 1976 paper of Diffie and Hellman[4] as a candidate for public-key encryption.
  • Code lifting security is an informal requirement on the context in which the white-box program is executed. It demands that an attacker cannot extract a functional copy of the program. This goal is particularly relevant in the DRM setting. Code obfuscation techniques are often used to achieve it.
A commonly used technique is to compose the white-box implementation with so-called external encodings.[1] These are lightweight secret encodings that modify the function computed by the white-box part of an application, so that the lifted code on its own does not implement the standard cipher. Their effect must be canceled in other parts of the application in an obscure way, using code obfuscation techniques; alternatively, the canceling counterparts can be applied on a remote server.
  • Incompressibility requires that an attacker cannot significantly compress a given white-box implementation. This can be seen as a way to achieve code lifting security (see above), since exfiltrating a large program from a constrained device (for example, an embedded or a mobile device) can be time-consuming and may be easy to detect by a firewall.[5]
Examples of incompressible designs include SPACE cipher,[5] SPNbox,[6] WhiteKey and WhiteBlock.[7] These ciphers use large lookup tables that can be pseudorandomly generated from a secret master key. Although this makes the recovery of the master key hard, the lookup tables themselves play the role of an equivalent secret key. Thus, unbreakability is achieved only partially.
  • Traceability (Traitor tracing) requires that each distributed white-box implementation contains a digital watermark allowing identification of the guilty user in case the white-box program is being leaked and distributed publicly.
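A toy space-hard cipher in the style of SPACE, added here as a worked example; it is not code from the cited papers, and its parameters are assumptions chosen for illustration (a 32-bit block, a 2^16-entry table filled with SHA-256 as the PRF instead of AES, and 64 rounds, each doing exactly one table lookup). It shows the two points made above: the table alone decrypts, so it is an equivalent key, and an attacker who exfiltrated only half of the table cannot complete a single encryption.

```python
import hashlib

# Toy SPACE-style space-hard cipher (constructed example; real SPACE uses a 128-bit block
# and derives the table with AES). Parameters are assumptions chosen to keep it small.
BLOCK_BITS = 32                 # state width
N_IN = 16                       # table input width: the table has 2**N_IN entries
N_OUT = BLOCK_BITS - N_IN       # table output width (a multiple of 8 in this toy)
ROUNDS = 64                     # every round does exactly one table lookup
MASK_IN = (1 << N_IN) - 1
MASK_OUT = (1 << N_OUT) - 1


def derive_table(master_key):
    """Pseudorandomly expand the master key into the lookup table.
    PRF here: SHA-256(master_key || index) truncated to N_OUT bits (assumption)."""
    table = []
    for x in range(1 << N_IN):
        digest = hashlib.sha256(master_key + x.to_bytes(N_IN // 8, "big")).digest()
        table.append(int.from_bytes(digest[: N_OUT // 8], "big"))
    return table


def table_size_bytes(table):
    """Size of the white-box program's only secret component: the table itself."""
    return len(table) * (N_OUT // 8)


def _round(lookup, state, i):
    """One Feistel-like round: split state into x0 (N_IN bits) || x1 (N_OUT bits) and
    output (lookup(x0) ^ x1 ^ i) || x0.  `lookup` maps x0 to an N_OUT-bit value."""
    x0 = state >> N_OUT
    x1 = state & MASK_OUT
    return ((lookup(x0) ^ x1 ^ i) << N_IN) | x0


def encrypt(table, plaintext, rounds=ROUNDS):
    state = plaintext
    for i in range(rounds):
        state = _round(lambda x0: table[x0], state, i)
    return state


def decrypt(table, ciphertext, rounds=ROUNDS):
    """Inverse rounds in reverse order; needs only the table, never the master key."""
    state = ciphertext
    for i in reversed(range(rounds)):
        x0 = state & MASK_IN
        x1 = (state >> N_IN) ^ table[x0] ^ i
        state = (x0 << N_OUT) | x1
    return state


def encrypt_with_partial_table(known_entries, plaintext, rounds=ROUNDS):
    """Space-hardness check: an attacker who exfiltrated only `known_entries` (dict x0 -> value)
    can finish an encryption only if every one of the `rounds` lookups hits a known entry.
    Returns the ciphertext, or None at the first miss."""
    state = plaintext
    for i in range(rounds):
        if (state >> N_OUT) not in known_entries:
            return None
        state = _round(lambda x0: known_entries[x0], state, i)
    return state


if __name__ == "__main__":
    table = derive_table(b"constructed-master-key")
    pt = 0x12345678
    ct = encrypt(table, pt)
    print("table size: %d bytes" % table_size_bytes(table))
    print("roundtrip ok:", decrypt(table, ct) == pt)
    # Half the table (even indices only): all 64 lookups land on known entries with
    # probability about 2**-64, so the attacker's copy is useless.
    half = {x: table[x] for x in range(0, 1 << N_IN, 2)}
    print("encrypt with half the table:", encrypt_with_partial_table(half, pt))
```

The 128 KB table is what has to leave the device for code lifting to succeed, and shrinking it is not an option for the attacker: with a fraction f of the entries, an encryption of R rounds completes with probability about f^R. Real SPACE instances use larger tables (for example 2^16 entries of 14 bytes) and more rounds, which is where the incompressibility argument comes from.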

History

The white-box model, together with the first attempts at white-box DES and AES implementations, was proposed by Chow, Eisen, Johnson and van Oorschot in 2003.[1][8] The designs were based on representing the cipher as a network of lookup tables and obfuscating the tables by composing them with small (4- or 8-bit) random encodings, so that the output encoding of one table is cancelled by the input encoding of the next. This protection has the property that each obfuscated table on its own contains no information about the secret key; a potential attacker therefore has to combine several tables in their analysis.

The AES scheme was broken in 2004 by Billet, Gilbert and Ech-Chatbi using structural cryptanalysis;[9] the attack was subsequently called "the BGE attack". The DES scheme was likewise broken by dedicated attacks.[16][17]

The numerous subsequent design attempts (2005–2022)[10][11][12][13][14][15] were quickly broken by practical dedicated attacks.[16][17][18][19][20][21][22]

In 2016, Bos, Hubain, Michiels and Teuwen showed that an adaptation of standard side-channel power-analysis attacks, called differential computation analysis (DCA), in which software execution traces (for example, the values read from memory) replace power traces, can efficiently and fully automatically break most existing white-box designs without any reverse engineering of the obfuscated code.[23] This result opened a new research direction on generic attacks (correlation-based, algebraic and fault-injection attacks) and on protections against them.[24][25][26][27][28][29]
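An added example, constructed for this article and not taken from the cited papers, of a generic attack of the algebraic kind: linear decoding analysis (LDA) against a single table of the Chow et al. style, a T-box computing enc(S[x ⊕ k]) where enc is a secret affine encoding on 8 bits. The S-box is a seeded random bijection standing in for the AES S-box (assumption; any public bijection works), and the attacker's "trace" for each input is the encoded byte read from the table, as a DCA tool would record it. LDA accepts a key guess exactly when the predicted S-box output bit is an affine function of the trace bits, which holds for the right key under any affine encoding. Chow et al.'s nonlinear nibble encodings are not affine, and need DCA-style correlation or the higher-degree variant of this attack instead.

```python
import random

# Constructed toy: one white-box "T-box" x -> enc(S[x ^ k]) for an 8-bit key byte k,
# protected by a secret *affine* encoding enc(v) = A.v ^ c over GF(2).  The S-box is a
# seeded random bijection standing in for the AES S-box (assumption).
_rng = random.Random(2024)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def _parity(v):
    return bin(v).count("1") & 1


# --- GF(2) linear algebra on bit-vectors stored as Python ints (bit x = sample x) ---
def _reduce(basis, v):
    """Reduce v against an echelon basis {pivot_bit: vector}; 0 means v lies in the span."""
    while v:
        pivot = v.bit_length() - 1
        if pivot not in basis:
            return v
        v ^= basis[pivot]
    return 0


def build_basis(vectors):
    basis = {}
    for v in vectors:
        r = _reduce(basis, v)
        if r:
            basis[r.bit_length() - 1] = r
    return basis


# --- designer side ---
def random_affine_encoding(rng):
    """Rows of an 8x8 GF(2) matrix (re-drawn until invertible, i.e. rank 8) and a constant."""
    while True:
        rows = [rng.getrandbits(8) for _ in range(8)]
        if len(build_basis(rows)) == 8:
            return rows, rng.getrandbits(8)


def make_tbox(key_byte, rows, const):
    def enc(v):
        return sum(_parity(rows[i] & v) << i for i in range(8)) ^ const
    return [enc(SBOX[x ^ key_byte]) for x in range(256)]


# --- attacker side ---
def collect_traces(tbox):
    """Run the program on every input and record the encoded value read from the table."""
    return [tbox[x] for x in range(256)]


def _column(values, bit):
    """Pack bit `bit` of every sample into one vector: bit x of the result = sample x."""
    return sum(((v >> bit) & 1) << x for x, v in enumerate(values))


def lda_recover_key(traces, target_bit=0):
    """Linear decoding analysis: accept key guess k iff the predicted bit of S[x ^ k] is an
    affine function of the recorded trace bits.  This is exact for the right key under any
    affine encoding, whereas a plain DCA single-bit correlation over the full codebook is
    exactly 0 unless some row of A selects just that one S-box output bit."""
    columns = [_column(traces, i) for i in range(8)]
    columns.append((1 << len(traces)) - 1)          # constant-one column absorbs c
    basis = build_basis(columns)
    candidates = []
    for k in range(256):
        predicted = _column([SBOX[x ^ k] for x in range(256)], target_bit)
        if _reduce(basis, predicted) == 0:
            candidates.append(k)
    return candidates


def demo(secret_key=0x3C):
    rows, const = random_affine_encoding(_rng)
    tbox = make_tbox(secret_key, rows, const)
    return lda_recover_key(collect_traces(tbox))


if __name__ == "__main__":
    print("recovered key candidates:", [hex(k) for k in demo(0x3C)])
```

A wrong guess k' is accepted only if bit j of S[y ⊕ k ⊕ k'] happens to be an affine function of S[y] for all 256 inputs y, which does not occur for any reasonable S-box, so the candidate list collapses to the single correct byte. The same span test works on traces that contain many more columns (every intermediate byte of a real implementation) as long as the number of samples exceeds the number of columns by a comfortable margin.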

Competitions

Three editions of the WhibOx contest were held, in 2017, 2019 and 2021. These competitions invited white-box designers from academia and industry to submit implementations in the form of (possibly obfuscated) C code; at the same time, anyone could attempt to attack the submitted programs and recover the embedded secret key. Each competition lasted about 4–5 months.

  • WhibOx 2017 / CHES 2017 Capture the Flag Challenge targeted the standard AES block cipher. All 94 submitted implementations were broken during the competition, the strongest one staying unbroken for 28 days.
  • WhibOx 2019 / CHES 2019 Capture the Flag Challenge again targeted the AES block cipher. Among 27 submitted implementations, 3 programs remained unbroken throughout the competition but were broken 51 days after their publication.[30][31]
  • WhibOx 2021 / CHES 2021 Capture the Flag Challenge changed the target to ECDSA, a digital signature scheme based on elliptic curves. All 97 submitted implementations were broken, each within at most 2 days.[32][33]

References

  1. Chow, Stanley; Eisen, Phil; Johnson, Harold; van Oorschot, Paul C. (2003). "A White-Box DES Implementation for DRM Applications". Lecture Notes in Computer Science. Vol. 2696. pp. 1–15. doi:10.1007/978-3-540-44993-5_1. ISBN 978-3-540-40410-1.
  2. Jain, Aayush; Lin, Huijia; Sahai, Amit (15 June 2021). "Indistinguishability obfuscation from well-founded assumptions". STOC 2021: Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing. pp. 60–73. arXiv:2008.09317. doi:10.1145/3406325.3451093. ISBN 978-1-4503-8053-9.
  3. Delerablée, Cécile; Lepoint, Tancrède; Paillier, Pascal; Rivain, Matthieu (2014). "White-Box Security Notions for Symmetric Encryption Schemes". Lecture Notes in Computer Science. Vol. 8282. pp. 247–264. doi:10.1007/978-3-662-43414-7_13. ISBN 978-3-662-43413-0.
  4. Diffie, Whitfield; Hellman, Martin (November 1976). "New directions in cryptography". IEEE Transactions on Information Theory. 22 (6): 644–654. doi:10.1109/TIT.1976.1055638.
  5. Bogdanov, Andrey; Isobe, Takanori (12 October 2015). "White-Box Cryptography Revisited: Space-Hard Ciphers". Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. pp. 1058–1069. doi:10.1145/2810103.2813699. ISBN 978-1-4503-3832-5.
  6. Bogdanov, Andrey; Isobe, Takanori; Tischhauser, Elmar (2016). "Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness". Advances in Cryptology – ASIACRYPT 2016. Lecture Notes in Computer Science. Vol. 10031. pp. 126–158. doi:10.1007/978-3-662-53887-6_5. ISBN 978-3-662-53886-9.
  7. Fouque, Pierre-Alain; Karpman, Pierre; Kirchner, Paul; Minaud, Brice (2016). "Efficient and Provable White-Box Primitives" (PDF). Advances in Cryptology – ASIACRYPT 2016. Lecture Notes in Computer Science. Vol. 10031. pp. 159–188. doi:10.1007/978-3-662-53887-6_6. ISBN 978-3-662-53886-9.
  8. Chow, Stanley; Eisen, Philip; Johnson, Harold; van Oorschot, Paul C. (2003). "White-Box Cryptography and an AES Implementation". Lecture Notes in Computer Science. Vol. 2595. pp. 250–270. doi:10.1007/3-540-36492-7_17. ISBN 978-3-540-00622-0.
  9. Billet, Olivier; Gilbert, Henri; Ech-Chatbi, Charaf (2004). "Cryptanalysis of a White Box AES Implementation". Lecture Notes in Computer Science. Vol. 3357. pp. 227–240. doi:10.1007/978-3-540-30564-4_16. ISBN 978-3-540-24327-4.
  10. Link, Hamilton; Neumann, W. D. (2005). "Clarifying obfuscation: Improving the security of white-box DES". International Conference on Information Technology: Coding and Computing (ITCC'05) – Volume II. pp. 679–684. doi:10.1109/ITCC.2005.100. ISBN 0-7695-2315-3.
  11. Bringer, Julien; Chabanne, Hervé; Dottax, Emmanuelle (2006). "Perturbing and Protecting a Traceable Block Cipher". Lecture Notes in Computer Science. Vol. 4237. pp. 109–119. doi:10.1007/11909033_10. ISBN 978-3-540-47820-1.
  12. Xiao, Yaying; Lai, Xuejia (2010). "A Secure Implementation of White-Box AES". 2009 2nd International Conference on Computer Science and its Applications. pp. 1–6. doi:10.1109/CSA.2009.5404239. ISBN 978-1-4244-4945-3.
  13. Karroumi, Mohamed (2011). "Protecting White-Box AES with Dual Ciphers". Lecture Notes in Computer Science. Vol. 6829. pp. 278–291. doi:10.1007/978-3-642-24209-0_19. ISBN 978-3-642-24208-3.
  14. Vandersmissen, Joachim; Ranea, Adrián; Preneel, Bart (2022). "A White-Box Speck Implementation Using Self-equivalence Encodings". Lecture Notes in Computer Science. Vol. 13269. pp. 771–791. doi:10.1007/978-3-031-09234-3_38. ISBN 978-3-031-09233-6.
  15. Ranea, Adrián; Vandersmissen, Joachim; Preneel, Bart (2022). "Implicit White-Box Implementations: White-Boxing ARX Ciphers". Advances in Cryptology – CRYPTO 2022. Lecture Notes in Computer Science. Vol. 13507. pp. 33–63. doi:10.1007/978-3-031-15802-5_2. ISBN 978-3-031-15801-8.
  16. Goubin, Louis; Masereel, Jean-Michel; Quisquater, Michaël (2007). "Cryptanalysis of White Box DES Implementations". Lecture Notes in Computer Science. Vol. 4876. pp. 278–295. doi:10.1007/978-3-540-77360-3_18. ISBN 978-3-540-77359-7.
  17. Wyseur, Brecht; Michiels, Wil; Gorissen, Paul; Preneel, Bart (2007). "Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings". Lecture Notes in Computer Science. Vol. 4876. pp. 264–277. doi:10.1007/978-3-540-77360-3_17. ISBN 978-3-540-77359-7.
  18. Michiels, Wil; Gorissen, Paul; Hollmann, Henk D. L. (2009). "Cryptanalysis of a Generic Class of White-Box Implementations". Lecture Notes in Computer Science. Vol. 5381. pp. 414–428. doi:10.1007/978-3-642-04159-4_27. ISBN 978-3-642-04158-7.
  19. De Mulder, Yoni; Wyseur, Brecht; Preneel, Bart (2010). "Cryptanalysis of a Perturbated White-Box AES Implementation". Lecture Notes in Computer Science. Vol. 6498. pp. 292–310. doi:10.1007/978-3-642-17401-8_21. ISBN 978-3-642-17400-1.
  20. De Mulder, Yoni; Roelse, Peter; Preneel, Bart (2013). "Cryptanalysis of the Xiao–Lai White-Box AES Implementation". Lecture Notes in Computer Science. Vol. 7707. pp. 34–49. doi:10.1007/978-3-642-35999-6_3. ISBN 978-3-642-35998-9.
  21. Lepoint, Tancrède; Rivain, Matthieu; De Mulder, Yoni; Roelse, Peter; Preneel, Bart (2014). "Two Attacks on a White-Box AES Implementation". Lecture Notes in Computer Science. Vol. 8282. pp. 265–285. doi:10.1007/978-3-662-43414-7_14. ISBN 978-3-662-43413-0.
  22. Biryukov, Alex; Lambin, Baptiste; Udovenko, Aleksei (9 June 2023). "Cryptanalysis of ARX-based White-box Implementations". IACR Transactions on Cryptographic Hardware and Embedded Systems: 97–135. doi:10.46586/tches.v2023.i3.97-135.
  23. Bos, Joppe W.; Hubain, Charles; Michiels, Wil; Teuwen, Philippe (2016). "Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough". Lecture Notes in Computer Science. Vol. 9813. pp. 215–236. doi:10.1007/978-3-662-53140-2_11. ISBN 978-3-662-53139-6.
  24. Rivain, Matthieu; Wang, Junwei (28 February 2019). "Analysis and Improvement of Differential Computation Attacks against Internally-Encoded White-Box Implementations". IACR Transactions on Cryptographic Hardware and Embedded Systems: 225–255. doi:10.13154/tches.v2019.i2.225-255.
  25. Goubin, Louis; Paillier, Pascal; Rivain, Matthieu; Wang, Junwei (April 2020). "How to reveal the secrets of an obscure white-box implementation". Journal of Cryptographic Engineering. 10 (1): 49–66. doi:10.1007/s13389-019-00207-5.
  26. Biryukov, Alex; Udovenko, Aleksei (2018). "Attacks and Countermeasures for White-box Designs". Advances in Cryptology – ASIACRYPT 2018. Lecture Notes in Computer Science. Vol. 11273. pp. 373–402. doi:10.1007/978-3-030-03329-3_13. ISBN 978-3-030-03328-6.
  27. Ezepue, B. C. (2017). "Differential fault analysis of white-box cryptographic implementations". Master's thesis.
  28. Seker, Okan; Eisenbarth, Thomas; Liskiewicz, Maciej (2021). "A White-Box Masking Scheme Resisting Computational and Algebraic Attacks". IACR Transactions on Cryptographic Hardware and Embedded Systems: 61–105. doi:10.46586/tches.v2021.i2.61-105.
  29. Biryukov, Alex; Udovenko, Aleksei (2021). "Dummy Shuffling Against Algebraic Attacks in White-Box Implementations" (PDF). Advances in Cryptology – EUROCRYPT 2021. Lecture Notes in Computer Science. Vol. 12697. pp. 219–248. doi:10.1007/978-3-030-77886-6_8. ISBN 978-3-030-77885-9.
  30. "CryptoLUX Research Group. Whitebox cryptography. WhibOx 2019 Competition". www.cryptolux.org. Retrieved 28 February 2024.
  31. Goubin, Louis; Rivain, Matthieu; Wang, Junwei (19 June 2020). "Defeating State-of-the-Art White-Box Countermeasures with Advanced Gray-Box Attacks". IACR Transactions on Cryptographic Hardware and Embedded Systems: 454–482. doi:10.13154/tches.v2020.i3.454-482.
  32. Barbu, Guillaume; Beullens, Ward; Dottax, Emmanuelle; Giraud, Christophe; Houzelot, Agathe; Li, Chaoyun; Mahzoun, Mohammad; Ranea, Adrián; Xie, Jianrui (31 August 2022). "ECDSA White-Box Implementations: Attacks and Designs from CHES 2021 Challenge". IACR Transactions on Cryptographic Hardware and Embedded Systems: 527–552. doi:10.46586/tches.v2022.i4.527-552.
  33. Bauer, Sven; Drexler, Hermann; Gebhardt, Max; Klein, Dominik; Laus, Friederike; Mittmann, Johannes (31 August 2022). "Attacks Against White-Box ECDSA and Discussion of Countermeasures: A Report on the WhibOx Contest 2021". IACR Transactions on Cryptographic Hardware and Embedded Systems: 25–55. doi:10.46586/tches.v2022.i4.25-55.