Another Look on Bucketing Attack to Defeat White-Box Implementations

Zeyad, Mohamed; Maghrebi, Houssem; Alessio, Davide; Batteux, Boris

doi:10.1007/978-3-030-16350-1_7

Cited by 7 publications

(3 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Extended statistical bucketing analysis [22], as a variant of the collision attack, is based on the fact that if two correct hypothetical values computed by a pair of plaintexts do not collide, their corresponding encoded values should not collide as well. Bucketing Computational Analysis (BCA) applied this principle to white-box cryptography using computation traces.…”

Section: Bucketing Attackmentioning

confidence: 99%

“…A collision-based DCA attack [21] is similar to the 2-byte key guess, but the analysis method of computation traces is different. A bucketing attack [22], as a collision attack, can be also successful with chosen-plaintext sets, in which the plaintexts are divided into two set based on the predefined four bits of a hypothetical round output. The common cause of these vulnerabilities is that an attacker who correctly guessed one or two subkeys can predict the input value to the encoding of a round output using a set of subbytes in the plaintext.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improvement on a Masked White-Box Cryptographic Implementation

Lee

Kim

2020

IEEE Access

View full text Add to dashboard Cite

White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation was suggested. It was a customized masking technique that randomizes all the values in the lookup tables with different masks. However, the round output was only permuted by byte encodings, not protected by masking. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptography in such a way to protect against DCA variants by obfuscating the round output with random masks. Specifically, we introduce a white-box AES (WB-AES) implementation applying the masking technique to the key-dependent intermediate value and the several outer-round outputs computed by partial bits of the key. Our analysis and experimental results show that the proposed WB-AES can protect against DCA variants including DCA with a 2-byte key guess, collision, and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES.

show abstract

Section: Bucketing Attackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Improvement on a Masked White-Box Cryptographic Implementation

Lee

Kim

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…At CHES 2019, Rivain and Wang [RW19] proposed collision attack (CA) and mutual information analysis (MIA) as the variants of DCA. Zeyad et al [ZMAB19] proposed the bucketing computational analysis (BCA) to attack white-box implementations. Similar to ZDE, BCA sorts the computation traces based on key-dependent intermediate values.…”

Section: Introductionmentioning

confidence: 99%

Revisiting the Computation Analysis against Internal Encodings in White-Box Implementations

Tang,

Gong,

et al. 2023

TCHES

View full text Add to dashboard Cite

White-box implementations aim to prevent the key extraction of the cryptographic algorithm even if the attacker has full access to the execution environment. To obfuscate the round functions, Chow et al. proposed a pivotal principle of white-box implementations to convert the round functions as look-up tables which are encoded by random internal encodings. These encodings consist of a linear mapping and a non-linear nibble permutation. At CHES 2016, Bos et al. introduced differential computation analysis (DCA) to extract the secret key from the runtime information, such as accessed memory and registers. Following this attack, many computation analysis methods were proposed to break the white-box implementations by leveraging some properties of the linear internal encodings, such as Hamming weight and imbalance. Therefore, it becomes an alternative choice to use a non-linear byte encoding to thwart DCA. At CHES 2021, Carlet et al. proposed a structural attack and revealed the weakness of the non-linear byte encodings which are combined with a non-invertible linear mapping. However, such a structural attack requires the details of the implementation, which relies on extra reverse engineering efforts in practice. To the best of our knowledge, it still lacks a thorough investigation of whether the non-linear byte encodings can resist the computation analyses.In this paper, we revisit the proposed computation analyses by investigating their capabilities against internal encodings with different algebraic degrees. Particularly, the algebraic degree of encodings is leveraged to explain the key leakage on the non-linear encodings. Based on this observation, we propose a new algebraic degree computation analysis (ADCA), which targets the mappings from the inputs to each sample of the computation traces. Different from the previous computation analyses, ADCA is a higher-degree attack that can distinguish the correct key by matching the algebraic degrees of the mappings. The experimental results prove that ADCA can break the internal encodings from degree 1 to 6 with the lowest time complexity. nstead of running different computation analyses separately, ADCA can be used as a generic tool to attack the white-box implementations.

show abstract