White-Box AES Implementation Revisited

Abstract

White-box cryptography is an obfuscation technique for protecting secret keys in software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms. This concept was presented by Chow et al. with white-box implementations of DES and AES in 2002. The strategy used in the implementations has become a design principle for subsequent white-box implementations. However, despite its practical importance, progress has not been substantial. In fact, it is repeated that as a proposal for a white-box implementation is reported, an attack of lower complexity is soon announced. This is mainly because most cryptanalytic methods target specific implementations, and there is no general attack tool for white-box cryptography. In this paper, we present an analytic toolbox on white-box implementations in this design framework and show how to reveal the secret information obfuscated in the implementation using this. For a substitution-linear transformation cipher on $n$ bits with S-boxes on $m$ bits, if $m_Q$-bit nonlinear encodings are used to obfuscate output values in the implementation, our attack tool can remove the nonlinear encodings with complexity $O(\frac{n}{m_Q}2^{3m_Q})$. We should increase $m_Q$ to obtain higher security, but it yields exponential storage blowing up and so there are limits to increase the security using the nonlinear encoding. If the inverse of the encoded round function $F$ on $n$ bits is given, the affine encoding $A$ can be recovered in $O(\frac{n}{m}\cdot{m_A}^32^{3m})$ time using our specialized affine equivalence algorithm, where $m_A$ is the smallest integer $p$ such that $A$ (or its similar matrix obtained by permuting rows and columns) is a block-diagonal matrix with $p\times p$ matrix blocks. According to our toolbox, a white-box implementation in the Chow et al.\u27s framework has complexity at most $O\left(\min\left\{ \tfrac{2^{2m}}{m}\cdot n^{m+4}, n\log n \cdot 2^{n/2}\right\}\right)$ within reasonable storage, which is much less than $2^n$. To overcome this, we introduce an idea that obfuscates two AES-128 ciphers at once with input/output encoding on 256 bits. To reduce storage, we use a sparse unsplit input encoding. As a result, our white-box AES implementation has up to 110-bit security against our toolbox, close to that of the original cipher. More generally, we may consider a white-box implementation on the concatenation of $t$ ciphertexts to increase security