
A DFA Attack on White-Box Implementations of AES with External Encodings

  • Conference paper
  • Selected Areas in Cryptography – SAC 2019 (SAC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11959)

Abstract

Attacks based on DFA are an important threat to the security of white-box AES implementations. DFA typically requires that the output of AES is known. The use of external encodings that obfuscate this output is therefore a straightforward and well-known measure against such attacks. This paper presents a new DFA attack on a class of white-box implementations of AES that use a specific type of external encoding on the output. The expected work factor of the new attack is dominated by \(2^{32}\) executions of the white-box implementation.


References

  1. Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_17

  2. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30564-4_16

  3. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_11

  4. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259

  5. Jacob, M., Boneh, D., Felten, E.: Attacking an obfuscated cipher by injecting faults. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 16–31. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_2

  6. Sanfelix, E., de Haas, J., Mune, C.: Unboxing the white-box: practical attacks against obfuscated ciphers. Presentation at BlackHat Europe 2015. https://www.blackhat.com/eu-15/briefings.html

  7. Lee, S., Jho, N., Kim, M.: A key leakage preventive white-box cryptographic implementation. IACR Cryptology ePrint Archive, 2018/1047 (2018)

  8. Lee, S., Kim, T., Kang, Y.: A masked white-box implementation for protecting against differential computation analysis. IEEE Trans. Inf. Forensics Secur. 13(10), 2602–2615 (2018)

  9. NIST: Advanced Encryption Standard (AES). FIPS PUB 197 (2001)

  10. Banik, S., Bogdanov, A., Isobe, T., Jepsen, M.B.: Analysis of software countermeasures for whitebox encryption. IACR Trans. Symmetric Cryptol. 2017(1), 307–328 (2017)

  11. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Computer Science Technical Reports 148 (1997)

  12. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Heidelberg (2008). https://doi.org/10.1007/978-0-387-38162-6

  13. Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2009 2nd International Conference on Computer Science and its Applications. IEEE (2009)

  14. Biryukov, A., Udovenko, A.: Attacks and countermeasures for white-box designs. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 373–402. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_13

  15. Baek, C.H., Cheon, J.H., Hong, H.: White-box AES implementation revisited. J. Commun. Netw. 18(3), 273–287 (2016)

  16. Tolhuizen, L.: Improved cryptanalysis of an AES implementation. In: Proceedings of the 33rd WIC Symposium on Information Theory in the Benelux, Boekelo, The Netherlands (2012)

  17. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications. Cambridge University Press, Cambridge (1986)

  18. Feller, W.: An Introduction to Probability Theory and Its Applications, vol. 1, 3rd edn. Wiley, Hoboken (1968)


Acknowledgment

The authors would like to thank the anonymous reviewers for their useful and valuable comments.

Author information

Correspondence to Alessandro Amadori.

Appendices

A Finding the Location to Inject Faults in Step 2

In this section we answer the following question. Given two pairs of correct and faulty outputs, where the inputs are elements of \(\mathcal {M}_0\), if for both inputs we inject faults in the input or output of an S-box in Round 9, how can we determine whether we are targeting the same S-box? To this end, we make use of the additional output \(x_2\) of which the value is fixed in the definition of \(\mathcal {M}_0\). Let \(m, \overline{m} \in \mathcal {M}_0\) with \(m \ne \overline{m}\) and let the first column of their output states be denoted by \((x_0, x_1, x_2, x_3)\) and \((\overline{x}_0, \overline{x}_1, \overline{x}_2, \overline{x}_3)\), respectively. The definition of \(\mathcal {M}_0\) implies that

$$\begin{aligned} x_0 \ne \overline{x}_0, \quad x_1 = \overline{x}_1, \quad x_2 = \overline{x}_2. \end{aligned} \qquad (25)$$

Let \(\ell \) and \(\overline{\ell }\) be locations in the executions of the white-box implementation for m and \(\overline{m}\), respectively, for which the adversary assumes they relate to the input or output of the same S-box. Then, the theorem below states that for every change we make at \(\ell \) for m, there exists a change in \(\overline{\ell }\) for \(\overline{m}\) such that the values of the two fixed output bytes considered (in our example, the ones with index 1 and 2) are the same. Hence, by comparing outputs for all 256 possible values associated with \(\ell \) and \(\overline{\ell }\), we get a check on whether \(\ell \) and \(\overline{\ell }\) relate to the same S-box output.

Lemma 2

Let \(m, \overline{m} \in \mathcal {M}_i\) be different inputs that produce output bytes \(x_i, x_{r(i)}, x_{s(i)}\) and \(\overline{x}_i, \overline{x}_{r(i)}, \overline{x}_{s(i)}\), respectively, with \(x_{r(i)} = \overline{x}_{r(i)}\) and \(x_{s(i)} = \overline{x}_{s(i)}\). Let \((\varepsilon , \ell )\) be the fault affecting a Round 9 S-box input or output, with value \(\varepsilon \) injected at location \(\ell \) during the encryption of m, and define \((\overline{\varepsilon }, \overline{\ell })\) similarly for \(\overline{m}\). Then \(\ell \) and \(\overline{\ell }\) affect the same S-box input or output if and only if for every non-zero \(\varepsilon \) injected at \(\ell \) there exists a non-zero \(\overline{\varepsilon }\) injected at \(\overline{\ell }\) such that for all faulty output bytes \(X_i, X_{r(i)}, X_{s(i)}\) there exist \(\overline{X}_i, \overline{X}_{r(i)}, \overline{X}_{s(i)}\) with \(X_i \ne \overline{X}_i\), \(X_{r(i)} = \overline{X}_{r(i)}\) and \(X_{s(i)} = \overline{X}_{s(i)}\).

Proof

We first prove that if two locations \(\ell \) and \(\overline{\ell }\) refer to the same S-box input or output, then for all faulty values \(\varepsilon \) that output the bytes \(X_i, X_{r(i)}, X_{s(i)}\), there exists a fault \(\overline{\varepsilon }\) that produces \(\overline{X}_i, \overline{X}_{r(i)}, \overline{X}_{s(i)}\) such that \(X_i \ne \overline{X}_i\), \(X_{r(i)} = \overline{X}_{r(i)}\) and \(X_{s(i)} = \overline{X}_{s(i)}\). Without loss of generality, we prove this statement for \(i = 0\), \(r(0) = 1\), and \(s(0) = 2\). Let \(z = (z_0, z_1, z_2, z_3)\) and \(\overline{z}= (\overline{z}_0, \overline{z}_1, \overline{z}_2, \overline{z}_3)\) be the bytes at the beginning of the MixColumns operation of Round 9 that contribute to the computations of \((x_0, x_1, x_2, x_3)\) and \((\overline{x}_0, \overline{x}_1, \overline{x}_2, \overline{x}_3)\) respectively. Let \(\mathcal {MC}_j\) with \(j\in \{0,1,2,3\}\) denote the j-th row of \(\mathcal {MC}\). Then Eq. 25 is equivalent to:

$$\begin{aligned} \left. \begin{array}{l} \mathcal {MC}_0 \cdot z^T \ne \mathcal {MC}_0 \cdot \overline{z}^T \\ \mathcal {MC}_1 \cdot z^T = \mathcal {MC}_1 \cdot \overline{z}^T \\ \mathcal {MC}_2 \cdot z^T = \mathcal {MC}_2 \cdot \overline{z}^T. \end{array}\right. \end{aligned}$$

Suppose that the injections \(\varepsilon \) and \(\overline{\varepsilon }\) affect the first byte of the state (for other bytes in the same column, the proof is analogous), so that the input to the MixColumns equals \((Z_0, z_1, z_2, z_3)\) and \((\overline{Z}_0,\overline{z}_1, \overline{z}_2, \overline{z}_3)\), respectively. It follows that for all \(\varepsilon \in \mathbb {F}^*_{2^8}\), there exists a unique \(\delta \in \mathbb {F}^*_{2^8}\) such that \(Z_0 = z_0 \oplus \delta \) (and, analogously, that for all \(\overline{\varepsilon }\in \mathbb {F}^*_{2^8},\) there exists a unique \(\overline{\delta } \in \mathbb {F}^*_{2^8} \) such that \(\overline{Z}_0 = \overline{z}_0 \oplus \overline{\delta }\)). From this it follows that for all \(\varepsilon \) there exists \(\overline{\varepsilon }\in \mathbb {F}^*_{2^8}\) such that \(\delta =\overline{\delta }\). Let \(y = (y_0, y_1, y_2, y_3)\) and \(\overline{y}= (\overline{y}_0, \overline{y}_1, \overline{y}_2, \overline{y}_3)\) be such that \(\mathcal {MC} \cdot z^T = y^T\) and \(\mathcal {MC}\cdot \overline{z}^T = \overline{y}^T\). By assumption, it holds that \(x_0 \ne \overline{x}_0\), \(x_1 = \overline{x}_1\) and \(x_2 = \overline{x}_2\), hence that \(y_0\ne \overline{y}_0, \ y_1 = \overline{y}_1, \ y_2 = \overline{y}_2\).

Thus, we have for \(\delta = \overline{\delta }\):

$$\begin{aligned} \mathcal {MC} \cdot \left( \begin{array}{c} z_0\oplus \delta \\ z_1\\ z_2\\ z_3 \end{array}\right) = \left( \begin{array}{c} y_0\oplus 02\delta \\ y_1 \oplus \delta \\ y_2\oplus \delta \\ y_3\oplus 03\delta \end{array}\right) , \qquad \mathcal {MC} \cdot \left( \begin{array}{c} \overline{z}_0\oplus \overline{\delta }\\ \overline{z}_1\\ \overline{z}_2\\ \overline{z}_3 \end{array}\right) = \left( \begin{array}{c} \overline{y}_0\oplus 02\overline{\delta }\\ \overline{y}_1\oplus \overline{\delta }\\ \overline{y}_2\oplus \overline{\delta }\\ \overline{y}_3\oplus 03\overline{\delta } \end{array}\right) , \end{aligned}$$

with \(y_0\oplus 02\delta \ne \overline{y}_0\oplus 02\overline{\delta }\), \(y_1\oplus \delta = \overline{y}_1\oplus \overline{\delta }\), \(y_2\oplus \delta = \overline{y}_2\oplus \overline{\delta }\). This yields \(X_0 \ne \overline{X}_0\), \(X_1 = \overline{X}_1\) and \(X_2 =\overline{X}_2\).

Next, we prove the converse statement: if two injections \(\varepsilon \) and \(\overline{\varepsilon }\) during the encryption of m and \(\overline{m}\) produce outputs \(X_i, X_{r(i)}, X_{s(i)}\) and \(\overline{X}_i, \overline{X}_{r(i)}, \overline{X}_{s(i)}\) such that \(X_i \ne \overline{X}_i\), \(X_{r(i)} = \overline{X}_{r(i)}\) and \(X_{s(i)} = \overline{X}_{s(i)}\), then \(\varepsilon \) and \(\overline{\varepsilon }\) affect the same S-box output. As before, we set \(i = 0\), \(r(0) = 1\) and \(s(0) = 2\) without loss of generality. Suppose that for input m we inject a fault affecting \(z_0\) and for \(\overline{m}\) we inject a fault affecting \(\overline{z}_1\); the same proof applies if the faults affect any two different bytes in the same column. We obtain two separate equations:

$$\begin{aligned} g_2^{-1}(x_2)\oplus g_2^{-1}(X_2) = g_1^{-1}(x_1)\oplus g_1^{-1}(X_1) \end{aligned}$$

for an injection affecting \(z_0\) during the encryption of m, and

$$\begin{aligned} 02\,\big (g_2^{-1}(\overline{x}_2)\oplus g_2^{-1}(\overline{X}_2)\big ) = g_1^{-1}(\overline{x}_1)\oplus g_1^{-1}(\overline{X}_1) \end{aligned}$$

for an injection affecting \(\overline{z}_1\) during the encryption of \(\overline{m}\). By adding these two equations, and substituting \(x_1 = \overline{x}_1\), \(x_2 = \overline{x}_2\), \(X_1 = \overline{X}_1\), \(X_2 = \overline{X}_2\), we get:

$$\begin{aligned} 03(g_2^{-1}(x_2)\oplus g_2^{-1}(X_2)) = 0 \end{aligned}$$

which implies \(x_2 = X_2\), leading to a contradiction.    \(\square \)

Lemma 2 provides a criterion to inspect whether injected faults affect the same output byte. Note that Lemma 2 does not allow us to understand which S-box input or output has been modified. By affecting a different S-box, the attacker would construct systems of equations similar to Eqs. 1, 2, and 3, with a function \(h^{\mu }_{g_i,x_i}\) which may have different multiplicative coefficients \(\mu \) and different fixed output bytes. However, this does not complicate the attack. Since \(h^{\mu }_{g_i,x_i}\) assumes all possible values, the resulting set of functions \(\mathcal {S}_{g_i}\) would be the same regardless of the S-box output that the fault is affecting. Since the set \(\mathcal {S}_{g_i}\) would be the same, Theorem 1 applies to all cases, as shown by the following lemma:

Lemma 3

Let \(\mathcal {S}_1 = \{g_0\circ \oplus _{h^{\mu }_{g_i,x_i}(X_i)}\circ g_0^{-1} \}_{X_i \in \mathbb {F}_{2^8}}\) and \(\mathcal {S}_2 = \{g_0\circ \oplus _{h^{\overline{\mu }}_{g_j,\overline{x}_j}(\overline{X}_j)}\circ g_0^{-1}\}_{\overline{X}_j \in \mathbb {F}_{2^8}}\) be two sets of functions constructed by injecting faults affecting two different S-box inputs or outputs. Then \(\mathcal {S}_1 = \mathcal {S}_2\).

Proof

An injection affecting an S-box input or output allows us to derive the following equation:

$$\begin{aligned} g_0^{-1}(x_0) \oplus g_0^{-1}(X_0) = h^{\mu }_{g_i,x_i}(X_i) \end{aligned}$$

Since \(h^{\mu }_{g_i,x_i}\) is bijective and \(X_i\) ranges over all possible values, \(h^{\mu }_{g_i,x_i}(X_i)\) also ranges over all possible values. By injecting faults that affect another S-box input or output, we derive the following equation:

$$\begin{aligned} g_0^{-1}(\overline{x}_0) \oplus g_0^{-1}(\overline{X}_0) = h^{\overline{\mu }}_{g_j,\overline{x}_j}(\overline{X}_j). \end{aligned}$$

By the same argument also \(h^{\overline{\mu }}_{g_j,\overline{x}_j}(\overline{X}_j)\) assumes all possible values. By construction of \(\mathcal {S}_1\) and \(\mathcal {S}_2\), \(x_i\) and \(\overline{x}_j\) are fixed, therefore the function

$$\otimes _{\overline{\mu }}\circ \oplus _{g_j(\overline{x}_j)} \circ g_j\circ g_i^{-1}\circ \oplus _{g_i(x_i)}\circ \otimes _{\mu ^{-1}}$$

is a bijection that maps \(h^{\mu }_{g_i,x_i}\) to \(h^{\overline{\mu }}_{g_j,\overline{x}_j}\), hence \(\mathcal {S}_1 = \mathcal {S}_2\).    \(\square \)

B Reducing the Number of Variables

In this section we reduce the number of unknown \(\lambda _i\)’s to one per column. Let i be the first output byte of a column. By item 3 of Lemma 1, we can decompose \(\gamma ^{(i+1,\ell _0, \ell _1)}_i\) from \(L^{(i+1,\ell _0, \ell _1)}_{\gamma _i,i}\) uniquely into \(\gamma ^{(\ell _0)}_{i,i+1}\) and \(\gamma ^{(\ell _1)}_{i,i+1}\). Similarly, we can decompose \(\gamma ^{(i+3,\ell _0, \ell _1)}_i\) from \(L^{(i+3,\ell _0, \ell _1)}_{\gamma _i,i}\) uniquely into \(\gamma ^{(\ell _0)}_{i,i+3}\) and \(\gamma ^{(\ell _1)}_{i,i+3}\). Since \(\gamma _{i,j}^{(\ell _0)} = \mathcal {MC}_{j,\ell _0} \cdot \left( \mathcal {MC}_{i,\ell _0}\right) ^{-1}\), we can derive the value of \(\ell _0\) from this. Having this value, we can next compute \(\gamma _{i,j}^{(\ell _0)}\) for all i, j (hence also for i, j with \(|i-j|=2\)). That is, for any \(G_{j}\circ \otimes _{\gamma _{i,j}^{(\ell _0)}} \circ G^{-1}_i\) from \(\mathcal {F}^{(\ell _0)}\) we now have the value of \(\gamma _{i,j}^{(\ell _0)}\). By applying \(\overline{G}^{-1}_i\) to the input and \(\overline{G}^{-1}_j\) to the output of these functions, the attacker obtains a new family of functions, given by:

$$\begin{aligned} \otimes _{ \lambda _{j} }\circ \otimes _{ \gamma _{i,j}^{(\ell _0)}} \circ \otimes _{ \lambda _i^{-1}}, \end{aligned}$$

or, equivalently, \(\otimes _{ \lambda _{j} \gamma _{i,j}^{(\ell _0)}\lambda _i^{-1}}\). Hence, if the value of \(\lambda _i\) is known, one can compute all other values \(\lambda _j\) associated with the same output column. In fact, given \(\overline{x}_i = \overline{G}_i^{-1}(\tilde{x}_i \ \oplus \tilde{X}_i)\) and \(\overline{x}_j = \overline{G}^{-1}_j(\tilde{x}_j \oplus \tilde{X}_j) \), it follows that \(\overline{x}_j= \lambda _j \gamma _{i,j}^{(\ell _0)}\lambda _i^{-1}\overline{x}_i\), which can be rewritten as \(\overline{x}_j^{-1}\overline{x}_i\gamma _{i,j}^{(\ell _0)}\lambda _i^{-1}= \lambda _j^{-1} \). For each column, we write \(\lambda _j^{-1}\) with respect to the one with the lowest index, that is, with respect to \(\lambda _0^{-1}, \lambda _4^{-1}, \lambda _8^{-1}, \lambda _{12}^{-1}\) for the first, second, third, and fourth column respectively. Given \(\lambda ^{-1}_i\) with \(i \mod 4=0\), we can compute any other \(\lambda _j^{-1} = c_j\lambda _i^{-1}\), with \(c_i=1\) and \(c_j = \overline{x}_j^{-1}\overline{x}_i\gamma _{i,j}^{(\ell _0)}\), where \(j>i\) and \(j\in \left[ 4\lfloor \frac{i}{4}\rfloor , 4\lfloor \frac{i}{4}\rfloor + 3\right] \). It follows that, given \(\hat{x}_i= \overline{G}_i^{-1}(\tilde{x}_i)\), the non-encoded output of Round 9 can be written as \(c_i\lambda _{4\lfloor \frac{i}{4} \rfloor }^{-1}(\hat{x}_i \oplus \hat{b}_i)\) for a known constant \(c_i \in \mathbb {F}_{2^8}^*\) and unknown \(\lambda _{4\lfloor \frac{i}{4} \rfloor }^{-1} \in \mathbb {F}_{2^8}^*\) and \(\hat{b}_i \in \mathbb {F}_{2^8}\). The state corresponding to the non-encoded output of Round 9 equals:

$$\begin{aligned} \begin{array}{|c|c|c|c|} \hline c_0\lambda _0^{-1}(\hat{x}_0 \oplus \hat{b}_0) & c_4\lambda _4^{-1}(\hat{x}_4 \oplus \hat{b}_4) & c_{8}\lambda _8^{-1}(\hat{x}_8 \oplus \hat{b}_{8}) & c_{12}\lambda _{12}^{-1}(\hat{x}_{12}\oplus \hat{b}_{12})\\ \hline c_1\lambda _0^{-1}(\hat{x}_1 \oplus \hat{b}_1) & c_5\lambda _4^{-1}(\hat{x}_5 \oplus \hat{b}_5) & c_{9}\lambda _8^{-1}(\hat{x}_9 \oplus \hat{b}_{9}) & c_{13}\lambda _{12}^{-1}(\hat{x}_{13}\oplus \hat{b}_{13})\\ \hline c_2\lambda _0^{-1}(\hat{x}_2 \oplus \hat{b}_2) & c_6\lambda _4^{-1}(\hat{x}_6 \oplus \hat{b}_6) & c_{10}\lambda _8^{-1}(\hat{x}_{10} \oplus \hat{b}_{10}) & c_{14}\lambda _{12}^{-1}(\hat{x}_{14}\oplus \hat{b}_{14})\\ \hline c_3\lambda _0^{-1}(\hat{x}_3 \oplus \hat{b}_3) & c_7\lambda _4^{-1}(\hat{x}_7 \oplus \hat{b}_7) & c_{11}\lambda _8^{-1}(\hat{x}_{11} \oplus \hat{b}_{11}) & c_{15}\lambda _{12}^{-1}(\hat{x}_{15}\oplus \hat{b}_{15})\\ \hline \end{array} \end{aligned} \qquad (26)$$

The constants \(c_0\), \(c_1\), \(c_2\), \(c_3\) can now be computed as follows: \(c_0 = 1\) and \(c_i = [\overline{G}_i^{-1}(\tilde{x}_i\oplus \tilde{X}_i)]^{-1}\cdot \overline{G}_0^{-1}(\tilde{x}_0\oplus \tilde{X}_0) \cdot \gamma _{0,i}\) for \(i=1,2,3\).
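The following Python block is an added example and is not code from the paper or its authors. It checks, on constructed data, the two pieces of GF(2^8) algebra that Appendix A and Appendix B rely on: the forward direction of Lemma 2 (a fault \(\delta\) on one MixColumns input byte shifts the output column by \(\delta\) times the corresponding column of \(\mathcal{MC}\), so faults at the same byte position satisfy the equality pattern on the two fixed bytes and faults at different positions never do), and the identity \(\lambda_j^{-1} = c_j \lambda_i^{-1}\) for the constants \(c_j = \overline{x}_j^{-1}\overline{x}_i\gamma_{i,j}\) of Appendix B. The encoding constants \(\lambda_j\), the column values and the fault values are constructed; the model in which the residual encoding multiplies the un-encoded fault difference by \(\lambda_j\) is an assumption made to keep the example self-contained.

```python
# Added example, not code from the paper. GF(2^8) arithmetic used to check two
# statements of the appendices on constructed data:
#  - Appendix A / Lemma 2: a fault delta XORed into one MixColumns input byte
#    shifts the output column by delta times the matching column of MC, e.g.
#    (02 delta, delta, delta, 03 delta) for byte 0, so the "same location" test
#    of Lemma 2 succeeds exactly when both faults hit the same input byte.
#  - Appendix B: with residual multiplicative encodings lambda_j (constructed
#    model), c_j = xbar_j^{-1} xbar_i gamma_{i,j} satisfies
#    lambda_j^{-1} = c_j lambda_i^{-1} and c_i = 1.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8)^*, computed as a^(2^8 - 2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

# MixColumns and its inverse (FIPS 197); M[j][k] is row j, column k.
MC = [[0x02, 0x03, 0x01, 0x01], [0x01, 0x02, 0x03, 0x01],
      [0x01, 0x01, 0x02, 0x03], [0x03, 0x01, 0x01, 0x02]]
INV_MC = [[0x0E, 0x0B, 0x0D, 0x09], [0x09, 0x0E, 0x0B, 0x0D],
          [0x0D, 0x09, 0x0E, 0x0B], [0x0B, 0x0D, 0x09, 0x0E]]

def matvec(m, v):
    """m . v^T over GF(2^8) for a 4x4 matrix and a 4-byte column."""
    return [gf_mul(m[j][0], v[0]) ^ gf_mul(m[j][1], v[1])
            ^ gf_mul(m[j][2], v[2]) ^ gf_mul(m[j][3], v[3]) for j in range(4)]

def fault_difference(z, delta, position=0):
    """Output difference of MixColumns when delta is XORed into byte `position`.

    Equals column `position` of MC scaled by delta: (02d, d, d, 03d) for byte 0.
    """
    faulted = list(z)
    faulted[position] ^= delta
    return [a ^ b for a, b in zip(matvec(MC, z), matvec(MC, faulted))]

def same_location_test(z, zbar, position, position_bar, i=0, r=1, s=2):
    """The check of Lemma 2 on the raw MixColumns outputs y and ybar.

    z and zbar must satisfy y_i != ybar_i, y_r = ybar_r, y_s = ybar_s (the
    M_0 condition). Returns True iff for every non-zero delta at `position`
    some non-zero delta_bar at `position_bar` gives Y_i != Ybar_i,
    Y_r = Ybar_r and Y_s = Ybar_s. Byte encodings are bijections, so equality
    of raw bytes is the same as equality of the encoded bytes in the paper.
    """
    y, ybar = matvec(MC, z), matvec(MC, zbar)
    assert y[i] != ybar[i] and y[r] == ybar[r] and y[s] == ybar[s]
    faulted = [[a ^ d for a, d in zip(y, fault_difference(z, delta, position))]
               for delta in range(1, 256)]
    faulted_bar = {tuple(a ^ d for a, d in zip(ybar, fault_difference(zbar, db, position_bar)))
                   for db in range(1, 256)}
    def matches(Y):
        return any(Y[i] != Yb[i] and Y[r] == Yb[r] and Y[s] == Yb[s] for Yb in faulted_bar)
    return all(matches(Y) for Y in faulted)

def appendix_b_constants(lambdas, delta, i=0, position=0):
    """Constants c_j of Appendix B for one output column (constructed model).

    Model: the un-encoded fault difference in byte j is MC[j][position]*delta
    and the residual encoding multiplies it by lambda_j, so
    xbar_j = lambda_j * MC[j][position] * delta, with
    gamma_{i,j} = MC[j][position] * MC[i][position]^{-1} as in Appendix B.
    """
    xbar = [gf_mul(lambdas[j], gf_mul(MC[j][position], delta)) for j in range(4)]
    cs = []
    for j in range(4):
        gamma = gf_mul(MC[j][position], gf_inv(MC[i][position]))
        cs.append(gf_mul(gf_mul(gf_inv(xbar[j]), xbar[i]), gamma))
    return cs

def appendix_b_identity_holds(lambdas, delta, i=0):
    """lambda_j^{-1} == c_j * lambda_i^{-1} for all j, and c_i == 1."""
    cs = appendix_b_constants(lambdas, delta, i)
    return cs[i] == 1 and all(
        gf_inv(lambdas[j]) == gf_mul(cs[j], gf_inv(lambdas[i])) for j in range(4))

if __name__ == "__main__":
    # Constructed data: two MixColumns outputs differing in bytes 0 and 3 only.
    y, ybar = [0x10, 0x20, 0x30, 0x40], [0x11, 0x20, 0x30, 0x55]
    z, zbar = matvec(INV_MC, y), matvec(INV_MC, ybar)
    print(same_location_test(z, zbar, 0, 0))  # True: same input byte faulted
    print(same_location_test(z, zbar, 0, 1))  # False: different bytes faulted
    print(appendix_b_identity_holds([0x57, 0x83, 0x1B, 0xC6], 0x2A))  # True
```

The `same_location_test` function precomputes the 255 faulty columns for each side and compares the patterns, which is the "compare outputs for all 256 values" check described before Lemma 2; with faults at positions 0 and 1 the equalities on bytes 1 and 2 would force \(\overline{\delta} = 02\,\overline{\delta}\), i.e. \(03\,\overline{\delta} = 0\), which is the contradiction in the converse part of the proof.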

C Work Factor

Step 1

Note that Algorithm 1 is closely related to the coupon collector’s problem. To compute the expected number of iterations, we define the state of the algorithm as the cardinality of \(\mathcal {M}_i\). Further, if the algorithm is in State j with \(1 \le j < 256\), then we define \(p_j\) as the probability that the algorithm transitions to State \(j+1\) in one iteration. It follows that \(p_j = \frac{2^8-j}{2^8}\cdot \left( \frac{1}{2^8}\right) ^2\), and that the expected total number of iterations for all 16 sets \(\mathcal {M}_i\) equals

$$\begin{aligned} 16 \sum _{j=1}^{2^8 -1}\dfrac{1}{p_j} = 2^{28} \sum _{j=1}^{2^8 -1}\frac{1}{2^8 -j }< 2^{28}\cdot 2^3 = 2^{31}. \end{aligned}$$

The expected number of executions of the white-box implementation equals the expected number of iterations \(+ 1\) since \(Enc_k(m_\text {ref})\) needs to be computed only once.

Step 2

Algorithm 2 can be interpreted as follows: for all 256 elements of \(\mathcal {M}_i\), we execute the white-box implementation and collect the output bytes of the functions in \(\mathcal {S}_{g_i}\). For each input, it is necessary to inject \(2^8-1\) different values and there are 16 sets \(\mathcal {M}_i\). Therefore, the total number of executions of the white-box implementation equals \(16\cdot 2^8\cdot 2^8\). The final step of the algorithm applies Tolhuizen’s algorithm. The work factor of this algorithm is bounded above by \(2^{14}\) (refer to [16] for details), implying an upper bound of \(16\cdot 2^{14}\) for all 16 sets.

Step 3

Similar reasoning applies to Step 3. The work factor of this step is defined by the effort to compute the 16 functions \(\overline{G}^{-1}_i\) as described in Algorithm 3. The algorithm encrypts a plaintext and injects \(2^8-1\) values that target an S-box. The same procedure is repeated, now targeting a different S-box. These steps require \(2^8 + 2^8 -1\) white-box executions in total. After this, the function \(L_i\) is constructed. Then, we apply Proposition 1 to the functions derived from the output bytes of the white-box implementation in order to construct the functions \(\overline{G}^{-1}_i\). The work factor of this last step is bounded above by \(2^{16}\). This procedure is repeated for all affine byte encodings. Therefore, the number of executions of the white-box implementation equals \(16(2^8+2^8-1)\) and the number of operations to compute all functions \(\overline{G}^{-1}_i\) is bounded above by \(16\cdot 2^{16}\).

The intermediate part between Steps 3 and 4 computes the coefficients \(c_0, c_1, \ldots , c_{15}\) as described in Appendix B. For each of the 4 columns of the AES state, the algorithm fixes a value of j, computes the 3 functions \(\{G_i^{-1} \circ \otimes _{\gamma _{i,j}}\circ G_j\}\), and retrieves the value of \(\gamma _{i,j}\). Then, it applies \(\overline{G}_j\) to the input and \(\overline{G}_i\) to the output of these functions. Then, for the 3 new functions, it performs a division in \(\mathbb {F}_{2^8}\) to compute the values \(c_i\) as shown in Sect. 3.4. As a result, the number of operations required for this intermediate step is \(4(3 + 3)\).

Step 4

Algorithm 4 solves 4 different systems of equations, each system defined by Eqs. 18, 19 and 20. We can choose \(\alpha < 8\) as suggested by Table 1. We are required to inject \(\alpha \) different faults and we perform 2 more operations within this loop. After this, we are using a meet-in-the-middle approach. The complexity for solving one system of equations is given by the sum of the work factors of the two main for-loops, and equals \(8\cdot 2^{16}\). Finally, we need to check the common solutions to the single equations. This procedure is repeated 4 times, once for every column of the AES state. Therefore, the number of executions of the white-box implementation is \(4\cdot \alpha \) and the number of operations required to find the solutions for the systems of equations is bounded above by \(4\cdot 2^3\cdot 2\cdot 2^{16} \).

We tested the performance of Algorithm 4 on a 9-round AES implementation with affine encodings over \(\mathbb {F}_{2^8}\) on the output bytes. The experiments were performed with SageMath 8.2 on an i7-6700HQ rated at 2.60 GHz. In the experiments, we varied the value of \(\alpha \) and recorded the average time to compute HT (referred to as time HT), the minimum size of HT (referred to as size HT), the maximum number of solutions to a single equation in the system (referred to as # matches), and the maximum number of solutions for several different output bytes (referred to as # solutions). Table 1 lists the values of these parameters for our experiments. The experiments suggest that for \(\alpha = 2, 3\), the size of HT is small compared to its maximum number of \(2^{16}\) entries. This is due to the fact that for some different pairs (\(\lambda ^{-1}\), \(\beta \)), the values derived from Eq. 21 coincide, and therefore just one of them occurs in HT. For \(\alpha > 3 \) the hash table HT starts to reach its maximum number of entries, and the average number of solutions is very small. In particular, starting from \(\alpha = 6\), the number of solutions for the system did not exceed 1.

Table 1. Implementation of Algorithm 4.

In addition, we need to take into consideration the probability that two different values of Eq. 21 are mapped to the same hash value. If such a collision occurs, then there is a possibility that an entry in the table HT or a candidate solution gets discarded. To estimate the probability of a collision, we used hash tables implemented in SageMath 8.2 with a hash function that maps a bit-string to a 64-bit integer. Since \(65280 < 2^{16}\) different hash values of Eq. 21 are computed, the probability that at least two of them collide is approximately

$$\begin{aligned} 1 - \exp \,\,\left( -\dfrac{\left( 2^{16}\right) ^2}{2 \cdot 2^{64}}\right) = 1 - \exp \,\left( -2^{-33}\right) \approx 2^{-33}. \end{aligned}$$

This implies that collisions are unlikely to occur in practice.
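The following Python block is an added example, not code from the paper or its authors. It carries the two probabilistic estimates of Appendix C through exactly: the coupon-collector expectation of Step 1 (the Markov chain with transition probabilities \(p_j\), whose expected total number of iterations is \(16\sum_j 1/p_j = 2^{28} H_{255}\), compared against the stated bound \(2^{31}\)), and the birthday bound of Step 4 for \(2^{16}\) values hashed to 64 bits. The `fixed_bytes` parameter generalises the paper's case of two fixed output bytes and is an addition of this example.

```python
# Added example, not code from the paper: the two probabilistic estimates of
# Appendix C computed exactly. Step 1 is the coupon-collector argument
# (expected iterations 16 * sum_j 1/p_j with p_j = (2^8 - j)/2^8 * (1/2^8)^2,
# bounded by 2^31); Step 4 is the birthday bound on 64-bit hash collisions.
# The `fixed_bytes` parameter generalises the paper's two fixed output bytes.
from fractions import Fraction
import math

FIELD = 2 ** 8   # values one output byte can take
NUM_SETS = 16    # one set M_i per output byte

def transition_probability(j: int, fixed_bytes: int = 2) -> Fraction:
    """p_j: probability that one iteration grows M_i from j to j+1 elements.

    A random input must produce a still-unseen value of byte i, probability
    (2^8 - j)/2^8, while each of the `fixed_bytes` other output bytes takes
    its fixed value, probability 1/2^8 each. The paper's case is fixed_bytes=2.
    """
    return Fraction(FIELD - j, FIELD) * Fraction(1, FIELD) ** fixed_bytes

def harmonic_number(n: int) -> Fraction:
    """H_n = sum_{k=1}^{n} 1/k, exactly."""
    return sum((Fraction(1, k) for k in range(1, n + 1)), Fraction(0))

def expected_iterations_step1(fixed_bytes: int = 2) -> Fraction:
    """Expected iterations to fill all 16 sets: 16 * sum_{j=1}^{255} 1/p_j.

    The chain leaves state j with probability p_j per iteration, so the
    expected number of iterations spent there is 1/p_j; for fixed_bytes = 2
    the total is 2^28 * H_255, which is below 2^28 * 2^3 = 2^31.
    """
    return NUM_SETS * sum((1 / transition_probability(j, fixed_bytes)
                           for j in range(1, FIELD)), Fraction(0))

def expected_executions_step1() -> Fraction:
    """One execution more than iterations: Enc_k(m_ref) is computed once."""
    return expected_iterations_step1() + 1

def collision_probability(n_values: int, hash_bits: int = 64) -> float:
    """Birthday bound 1 - exp(-n^2 / (2 * 2^hash_bits)).

    expm1 keeps the tiny result accurate instead of cancelling it against 1.0.
    """
    return -math.expm1(-(n_values ** 2) / 2 ** (hash_bits + 1))

if __name__ == "__main__":
    e = expected_iterations_step1()
    print(f"Step 1: {float(e):.4g} expected iterations "
          f"(log2 = {math.log2(float(e)):.3f}), below 2^31: {e < 2 ** 31}")
    print(f"Step 4: P(collision among 2^16 64-bit hashes) = "
          f"{collision_probability(2 ** 16):.3e}")
```

Working with `Fraction` keeps the Step 1 expectation exact, so the comparison with \(2^{31}\) is a true inequality rather than a floating-point one; the Step 4 value comes out as \(2^{-33}\) up to the second-order term of the exponential, matching the approximation in the text.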

Step 5

This step uses standard DFA to solve 4 different systems of equations, each system defined by Eqs. 22, 23 and 24. If a meet-in-the-middle based approach as in Step 4 is used for this, then the required number of executions of the white-box implementation equals \(4\alpha \) (in our experiments, \(\alpha = 4\) already yielded a unique solution in Step 5), and the required number of operations to find a solution to Eqs. 22, 23 and 24 is around \(4\cdot \alpha \cdot 2^{9}\).

Overall Work Factor

The overall work factor is the sum of the work factors of Steps 1–5. This work factor is dominated by \(2^{32}\) executions of the white-box implementation. In Table 2, we report the total number of white-box executions and the computational effort needed to analyze the faulty ciphertexts (work factor of the BGE theorems and the meet-in-the-middle approaches) required by each step. Note that the number of faulty ciphertexts is approximately equal to the number of white-box executions because, per plaintext, only one additional white-box encryption is required to compute a non-faulty ciphertext.

Table 2. Number of white-box executions and analysis work-load.


Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Amadori, A., Michiels, W., Roelse, P. (2020). A DFA Attack on White-Box Implementations of AES with External Encodings. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science, vol. 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_24

  • DOI: https://doi.org/10.1007/978-3-030-38471-5_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5
