Efficient and Provable White-Box Primitives

Abstract: Abstract. In recent years there have been several attempts to build white-box block ciphers whose implementations aim to be incompressible. This includes the weak white-box ASASA construction by Bouillaguet, Biryukov and Khovratovich from Asiacrypt 2014, and the recent space-hard construction by Bogdanov and Isobe from CCS 2015.In this article we propose the first constructions aiming at the same goal while offering provable security guarantees. Moreover we propose concrete instantiations of our constructions,… Show more

“…Code-hardness is very close to what was first defined as memory-hard whitebox implementation (or weak white-box) in the paper introducing the ASASA crypto-system [BBK14], and later formalized under different names as ( , )-space hardness [BI15,BIT16] or as incompressibility in [FKKM16] following the more general definition from [DLPR14]. In all cases, the aim is the same: the block cipher implementation must be such that it is impossible to write a functionally equivalent implementation with a smaller code.…”

“…As was pointed out in [FKKM16], what we call code-hardness is also the goal of so-called big-key encryption. For instance, the XKEY2 scheme introduced in [BKR16] achieves this goal: it uses a huge table and a nonce to derive a key of regular size (say, 128 bits) to be used in a standard encryption algorithm, e.g.…”

“…The most recent white-box block ciphers such as SPACE [BI15], the PuppyCipher [FKKM16] and SPNbox [BIT16] can be seen as providing asymmetric code-hardness. Indeed, while the first aim of these algorithms is to provide regular code-hardness, referred to as "space-hardness" for the former and "incompressibility" for the latter, they both allow the construction of far more code-efficient implementation.…”

“…This is the case for the most recent weak white-box block ciphers [BBK14,BI15,FKKM16]: while the white-box implementation requires a significant code size, there exists a functionally equivalent implementation which is much smaller but cannot be obtained unless a secret is known. That way, two classes of users are created: those who know the secret and can evaluate the block cipher efficiently and those who do not and thus are forced to use the code-hard implementation.…”

“…Memory-hardness was one of the design goals of the winner of the Password Hashing Competition, Argon2 [BDK16], the aim being to prevent hardware optimization of the primitive. As another example, one research direction in white-box cryptography is nowadays focusing on designing block ciphers such that the code implementing them is very large in order to prevent duplication and distribution of their functionality [BBK14,BI15,FKKM16,BIT16,BKR16]. In this case, the aim could be to implement some form of Digital Right Management or to prevent the exfiltration of a block cipher key by malware.…”

Symmetrically and Asymmetrically Hard Cryptography

“…Code-hardness is very close to what was first defined as memory-hard whitebox implementation (or weak white-box) in the paper introducing the ASASA crypto-system [BBK14], and later formalized under different names as ( , )-space hardness [BI15,BIT16] or as incompressibility in [FKKM16] following the more general definition from [DLPR14]. In all cases, the aim is the same: the block cipher implementation must be such that it is impossible to write a functionally equivalent implementation with a smaller code.…”

“…As was pointed out in [FKKM16], what we call code-hardness is also the goal of so-called big-key encryption. For instance, the XKEY2 scheme introduced in [BKR16] achieves this goal: it uses a huge table and a nonce to derive a key of regular size (say, 128 bits) to be used in a standard encryption algorithm, e.g.…”

“…The most recent white-box block ciphers such as SPACE [BI15], the PuppyCipher [FKKM16] and SPNbox [BIT16] can be seen as providing asymmetric code-hardness. Indeed, while the first aim of these algorithms is to provide regular code-hardness, referred to as "space-hardness" for the former and "incompressibility" for the latter, they both allow the construction of far more code-efficient implementation.…”

“…This is the case for the most recent weak white-box block ciphers [BBK14,BI15,FKKM16]: while the white-box implementation requires a significant code size, there exists a functionally equivalent implementation which is much smaller but cannot be obtained unless a secret is known. That way, two classes of users are created: those who know the secret and can evaluate the block cipher efficiently and those who do not and thus are forced to use the code-hard implementation.…”

“…Memory-hardness was one of the design goals of the winner of the Password Hashing Competition, Argon2 [BDK16], the aim being to prevent hardware optimization of the primitive. As another example, one research direction in white-box cryptography is nowadays focusing on designing block ciphers such that the code implementing them is very large in order to prevent duplication and distribution of their functionality [BBK14,BI15,FKKM16,BIT16,BKR16]. In this case, the aim could be to implement some form of Digital Right Management or to prevent the exfiltration of a block cipher key by malware.…”

Symmetrically and Asymmetrically Hard Cryptography

Doubly Half-Injective PRGs for Incompressible White-Box Cryptography

Fast White-Box Implementations of Dedicated Ciphers on the ARMv8 Architecture