How to reveal the secrets of an obscure white-box implementation

Regular Paper
Journal of Cryptographic Engineering

Abstract

White-box cryptography (WBC) protects against key extraction from software implementations of cryptographic primitives. Many academic works have achieved partial results toward WBC, but a complete solution has not yet been found by the cryptography community. As a result, the industry can only rely on proprietary and non-publicly scrutinized white-box implementations. It is therefore of interest to investigate the resistance an AES implementation can attain against a white-box adversary in this paradigm. To this purpose, the ECRYPT CSA project organized the WhibOx contest as the capture-the-flag challenge of CHES 2017. Researchers and engineers were invited to participate either as designers, by submitting the source code of an AES-128 white-box implementation with a freely chosen key, or as breakers, by trying to extract the hard-coded keys from the submissions. The participants were not expected to disclose their identities or the underlying design/attack techniques. In the end, all 94 submitted challenges were broken, and only 13 of them held for more than one day. The strongest implementation (in terms of surviving time) survived for 28 days, which is more than twice as long as the second one. It was broken only by the authors of the present paper, using reverse engineering and algebraic analysis. In this paper, we give a detailed description of the different steps of our cryptanalysis. We then generalize it into an attack methodology for breaking further obscure white-box implementations. In particular, we formalize and generalize the linear decoding analysis that we use to extract the key from the encoded intermediate variables of the target challenge.


Notes

  1. The name was generated by the server. Source code available at https://whibox-contest.github.io/show/candidate/777.

  2. Experiments are done with Apple LLVM version 9.0.0 on macOS 10.12 and clang version 3.8.1 on Alpine Linux 3.5. The latter is the reference OS used by the contest server.

  3. In fact, the conditional jump is also implemented as a function in the same format (see the goto_func and jump_if functions above). In particular, it is used to simulate the do ... while loop of a high-level language, where the first two arguments are used for condition checking and the third argument is the destination.

  4. See https://www.wolfram.com/mathematica/.

  5. We could probably extract these bytes through the algebraic analysis as well, but it was faster to search exhaustively.

  6. This could theoretically be reduced to \({\mathcal {O}}(t^{2.376})\) using the Coppersmith–Winograd algorithm for very large t (see for instance [18]) but in practice one shall prefer the Strassen algorithm.

  7. According to our three assumptions, the probability that there does not exist any full rank subsystem containing \(t+1\) equations is negligible.
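As an added illustration (not code from the paper or from any contest challenge), a toy version of the linear decoding analysis named in the abstract and costed in notes 6 and 7: a constructed white-box stores the AES S-box output of one key byte, together with a fresh 8-bit random mask, behind a random invertible affine encoding over GF(2), and for each key guess the decoder asks, by Gaussian elimination, whether the predicted S-box output bit is an affine function of the observed encoded bits. Only the true key yields a consistent system once the number of traces exceeds the number of unknowns, which is why a linear encoding with random masks does not hide the key. The encoding matrix, the key byte 0x2B, the seed and the trace count are constructed values for this example.

```python
import functools, random

def gf_mul(a, b):  # product in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

gf_inv = lambda x: functools.reduce(gf_mul, [x] * 254, 1)  # x^254 == x^-1, with 0 -> 0
rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
# AES S-box = field inverse followed by the standard affine map (computed, not typed in).
SBOX = [i ^ rot(i, 1) ^ rot(i, 2) ^ rot(i, 3) ^ rot(i, 4) ^ 0x63 for i in map(gf_inv, range(256))]
parity = lambda x: bin(x).count("1") & 1

def gf2_eliminate(rows):  # rows are ints: bit 0 = right-hand side, bits 1.. = coefficients
    pivots, consistent = {}, True  # returns (system consistent?, rank of coefficient part)
    for row in rows:
        while row >> 1 and (row.bit_length() - 1) in pivots:  # reduce by leading-bit pivots
            row ^= pivots[row.bit_length() - 1]
        if row >> 1:
            pivots[row.bit_length() - 1] = row
        elif row == 1:  # reduced to the contradiction 0 = 1
            consistent = False
    return consistent, len(pivots)

def make_encoding(rng, n=16):  # constructed encoding v = A*u ^ c with A invertible over GF(2)
    while True:
        A = [rng.getrandbits(n) for _ in range(n)]  # row i of A as a bitmask
        if gf2_eliminate([a << 1 for a in A])[1] == n:
            return A, rng.getrandbits(n)

def run_whitebox(rng, key, A, c, n_traces):  # toy white-box: each run leaks one encoded word
    out = []
    for p in [rng.getrandbits(8) for _ in range(n_traces)]:
        u = SBOX[p ^ key] | (rng.getrandbits(8) << 8)  # sensitive byte + fresh random mask byte
        out.append((p, sum(parity(row & u) << i for i, row in enumerate(A)) ^ c))
    return out

def linear_decode(traces, bit=0):
    # Key guesses whose predicted S-box output bit is an affine function of the 16 encoded
    # bits: 17 unknowns (16 coefficients + a constant), one GF(2) equation per trace.
    return [k for k in range(256)
            if gf2_eliminate([(v << 2) | 2 | ((SBOX[p ^ k] >> bit) & 1) for p, v in traces])[0]]

def demo(seed=7, key=0x2B, n_traces=96):
    rng = random.Random(seed)
    A, c = make_encoding(rng)
    return linear_decode(run_whitebox(rng, key, A, c, n_traces))  # -> [0x2B]
```

With 96 traces against 17 unknowns, a wrong guess would have to match a nonlinear S-box relation on every trace, so the surviving candidate list collapses to the real key byte; the same elimination routine reports the rank used for the invertibility check of the encoding.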

References

  1. CHES 2017 Capture the Flag Challenge—The WhibOx Contest, an ECRYPT white-box cryptography competition. https://whibox.cr.yp.to/. Accessed Oct 2017

  2. ISO/IEC 8859-1:1998: Information technology—8-bit single-byte coded graphic character sets—Part 1: Latin Alphabet No. 1. https://www.iso.org/standard/28245.html. Accessed Oct 2017

  3. WhibOx 2016: White-box cryptography and obfuscation. https://www.cryptoexperts.com/whibox2016/. Accessed Oct 2017

  4. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001, LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)

  5. Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) Coding and Cryptology—Third International Workshop, IWCC 2011, Qingdao, China, May 30–June 3, 2011. Proceedings, Lecture Notes in Computer Science, vol. 6639, pp. 11–46. Springer (2011)

  6. Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a white box AES implementation. In: Handschuh, H., Hasan, A. (eds.) SAC 2004, LNCS, vol. 3357, pp. 227–240. Springer, Heidelberg (2004)

  7. Biryukov, A., Udovenko, A.: Attacks and countermeasures for white-box designs. In: Peyrin, T., Galbraith, S. (eds.) Advances in Cryptology—ASIACRYPT 2018. Lecture Notes in Computer Science, vol. 11273, pp. 373–402. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_13

  8. Bogdanov, A., Rivain, M., Vejre, P.S., Wang, J.: Higher-order DCA against standard side-channel countermeasures. In: Polian, I., Stöttinger, M. (eds.) Constructive Side-Channel Analysis and Secure Design. Lecture Notes in Computer Science, vol. 11421, pp. 118–141. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16350-1_8

  9. Bos, J.W., Hubain, C., Michiels, W., Teuwen, P.: Differential computation analysis: hiding your white-box designs is not enough. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016, LNCS, vol. 9813, pp. 215–236. Springer, Heidelberg (2016)

  10. Bringer, J., Chabanne, H., Dottax, E.: White box cryptography: another attempt. Cryptology ePrint Archive, Report 2006/468. https://eprint.iacr.org/2006/468/20061220:083203 (2006)

  11. Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: A white-box DES implementation for DRM applications. In: Digital Rights Management Workshop, vol. 2696, pp. 1–15. Springer (2002)

  12. Chow, S., Eisen, P.A., Johnson, H., van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002, LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003)

  13. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Department of Computer Science, The University of Auckland, New Zealand, Technical report (1997)

  14. Daemen, J., Rijmen, V.: AES—The Advanced Encryption Standard: The Design of Rijndael. Springer, Berlin (2013)


  15. Delerablée, C., Lepoint, T., Paillier, P., Rivain, M.: White-box security notions for symmetric encryption schemes. In: Lange, T., Lauter, K., Lisonek, P. (eds.) SAC 2013, LNCS, vol. 8282, pp. 247–264. Springer, Heidelberg (2014)

  16. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013, LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)

  17. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press (2013)

  18. Golub, G., Van Loan, C.: Matrix Computations. Johns Hopkins Studies in the Mathematical Sciences. Johns Hopkins University Press, Baltimore (1996)


  19. Goubin, L., Masereel, J.-M., Quisquater, M.: Cryptanalysis of white box DES implementations. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007, LNCS, vol. 4876, pp. 278–295. Springer, Heidelberg (2007)

  20. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003, LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)

  21. Jacob, M., Boneh, D., Felten, E.: Attacking an obfuscated cipher by injecting faults. In: Digital Rights Management Workshop, vol. 2696, pp. 16–31. Springer (2002)

  22. Karroumi, M.: Protecting white-box AES with dual ciphers. In: Rhee, K.H., Nyang, D. (eds.) ICISC 10, LNCS, vol. 6829, pp. 278–291. Springer, Heidelberg (2011)

  23. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO’99, LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

  24. Lepoint, T., Rivain, M.: Another nail in the coffin of white-box AES implementations. Cryptology ePrint Archive, Report 2013/455. https://eprint.iacr.org/2013/455/20130723:130134 (2013)

  25. Lepoint, T., Rivain, M., Mulder, Y.D., Roelse, P., Preneel, B.: Two attacks on a white-box AES implementation. In: Lange, T., Lauter, K., Lisonek, P. (eds.) SAC 2013, LNCS, vol. 8282, pp. 265–285. Springer, Heidelberg (2014)

  26. Lin, H.: Indistinguishability obfuscation from constant-degree graded encoding schemes. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I, LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016)

  27. Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I, LNCS, vol. 10401, pp. 599–629. Springer, Heidelberg (2017)

  28. Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I, LNCS, vol. 10401, pp. 630–660. Springer, Heidelberg (2017)

  29. Link, H.E., Neumann, W.D.: Clarifying obfuscation: improving the security of white-box DES. In: International Conference on Information Technology: Coding and Computing (ITCC’05)—Volume II, vol. 1, pp. 679–684 (2005)

  30. Mulder, Y.D., Roelse, P., Preneel, B.: Cryptanalysis of the Xiao-Lai white-box AES implementation. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012, LNCS, vol. 7707, pp. 34–49. Springer, Heidelberg (2013)

  31. Mulder, Y.D., Roelse, P., Preneel, B.: Revisiting the BGE attack on a white-box AES implementation. Cryptology ePrint Archive, Report 2013/450. http://eprint.iacr.org/2013/450 (2013)

  32. Mulder, Y.D., Wyseur, B., Preneel, B.: Cryptanalysis of a perturbated white-box AES implementation. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010, LNCS, vol. 6498, pp. 292–310. Springer, Heidelberg (2010)

  33. Newman, M.E.J.: Fast algorithm for detecting community structure in networks. Phys. Rev. E 69, 066133 (2004)


  34. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010, LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010)

  35. Rolles, R.: Unpacking virtualization obfuscators. In: Proceedings of the 3rd USENIX conference on offensive technologies (Berkeley, CA, USA), WOOT’09, p. 1. USENIX Association (2009)

  36. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press (2014)

  37. Sanfelix, E., Mune, C., Haas, J.D.: Unboxing the white-box—practical attacks against obfuscated ciphers. https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf (2015). Accessed Oct 2017

  38. Saxena, A., Wyseur, B., Preneel, B.: Towards security notions for white-box cryptography. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009, LNCS, vol. 5735, pp. 49–58. Springer, Heidelberg (2009)

  39. Strassen, V.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)


  40. Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of white-box DES implementations with arbitrary external encodings. In: Adams, C.M., Miri, A., Wiener, M.J. (eds.) SAC 2007, LNCS, vol. 4876, pp. 264–277. Springer, Heidelberg (2007)

  41. Xiao, Y., Lai, X.: A secure implementation of white-box AES. In: 2nd International Conference on Computer Science and its Applications, 2009. CSA’09. IEEE, pp. 1–6 (2009)

  42. Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.: A generic approach to automatic deobfuscation of executable code. In: 2015 IEEE Symposium on Security and Privacy, pp. 674–691. IEEE Computer Society Press (2015)

Acknowledgements

The fourth author has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement No. 643161.

Author information

Corresponding author

Correspondence to Junwei Wang.

Appendix: Code listings

1.1 Swapping in overlapping loops

Here is a code segment to show swapping implementation in two different ways by using bitwise operations. The operands indicate the address in table T. The first operand is for the result, while the remaining ones are for the inputs.

[Figure h: code listing]

Cite this article

Goubin, L., Paillier, P., Rivain, M. et al. How to reveal the secrets of an obscure white-box implementation. J Cryptogr Eng 10, 49–66 (2020). https://doi.org/10.1007/s13389-019-00207-5
