Two Attacks on a White-Box AES Implementation

Lepoint, Tancrède; Rivain, Matthieu; Mulder, Yoni De; Roelse, Peter; Preneel, Bart

doi:10.1007/978-3-662-43414-7_14

Cited by 62 publications

(41 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This approach [30] uses dual ciphers to modify the state and key representations in each round as well as two of the four classical AES operations. This approach was shown to be equivalent to the first WB-AES implementation [18] in [35] in 2013. Moreover, the authors of [35] built upon a 2012 result [65] which improves the most time-consuming phase of the BGE attack.…”

Section: White-box Advanced Encryption Standard (Wb-aes)mentioning

confidence: 98%

“…This approach was shown to be equivalent to the first WB-AES implementation [18] in [35] in 2013. Moreover, the authors of [35] built upon a 2012 result [65] which improves the most time-consuming phase of the BGE attack. This reduces the cost of the BGE attack to a time complexity of 2 22 .…”

Section: White-box Advanced Encryption Standard (Wb-aes)mentioning

confidence: 98%

“…This reduces the cost of the BGE attack to a time complexity of 2 22 . An independent attack, of the same time complexity, is presented in [35] as well.…”

Section: White-box Advanced Encryption Standard (Wb-aes)mentioning

confidence: 99%

See 2 more Smart Citations

Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough

Bos

Hubain²,

Michiels

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Although all current scientific white-box approaches of standardized cryptographic primitives are broken, there is still a large number of companies which sell "secure" white-box products. In this paper a new approach to assess the security of white-box implementations is presented which requires neither knowledge about the look-up tables used nor any reverse engineering effort. This differential computation analysis (DCA) attack is the software counterpart of the differential power analysis attack as applied by the cryptographic hardware community. We developed plugins to widely available dynamic binary instrumentation frameworks to produce software execution traces which contain information about the memory addresses being accessed. We show how DCA can extract the secret key from all publicly (non-commercial) available whitebox programs implementing standardized cryptography by analyzing these traces to identify secret-key dependent correlations.

show abstract

Section: White-box Advanced Encryption Standard (Wb-aes)mentioning

confidence: 98%

Section: White-box Advanced Encryption Standard (Wb-aes)mentioning

confidence: 98%

See 1 more Smart Citation

Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough

Bos

Hubain²,

Michiels

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Nonetheless, such a white-box cryptographic cipher still requires a higher workfactor (i.e. ≤ 2 22 [24]), relative to attacks on systems which store the encryption key separately from the cipher logic [27].…”

Section: White-box Cryptographymentioning

confidence: 99%

Software-Based Protection against Changeware

Bănescu

Pretschner

Battré³

et al. 2015

Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

We call changeware software that surreptitiously modifies resources of software applications, e.g., configuration files. Changeware is developed by malicious entities which gain profit if their changeware is executed by large numbers of end-users of the targeted software. Browser hijacking malware is one popular example that aims at changing webbrowser settings such as the default search engine or the home page. Changeware tends to provoke end-user dissatisfaction with the target application, e.g. due to repeated failure of persisting the desired configuration. We describe a solution to counter changeware, to be employed by vendors of software targeted by changeware. It combines several protection mechanisms: white-box cryptography to hide a cryptographic key, software diversity to counter automated key retrieval attacks, and run-time process memory integrity checking to avoid illegitimate calls of the developed API.

show abstract

“…Although we know that general obfuscation of any function is impossible to achieve [1], there is no known impossibility result for white-box cryptography and positive examples have even been discovered [14,7]. On the other hand, the work of Chow et al gave rise to several proposals for white-box implementations of symmetric ciphers, specifically DES [10,20,32] and AES [11,6,33,18], even though all these proposals have been broken [15,3,12,31,21,23,22,19].…”

Section: Introductionmentioning

confidence: 99%

White-Box Security Notions for Symmetric Encryption Schemes

Delerablée

Lepoint

Paillier

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. White-box cryptography has attracted a growing interest from researchers in the last decade. Several white-box implementations of standard block-ciphers (DES, AES) have been proposed but they have all been broken. On the other hand, neither evidence of existence nor proofs of impossibility have been provided for this particular setting. This might be in part because it is still quite unclear what white-box cryptography really aims to achieve and which security properties are expected from white-box programs in applications. This paper builds a first step towards a practical answer to this question by translating folklore intuitions behind white-box cryptography into concrete security notions. Specifically, we introduce the notion of white-box compiler that turns a symmetric encryption scheme into randomized white-box programs, and we capture several desired security properties such as one-wayness, incompressibility and traceability for white-box programs. We also give concrete examples of white-box compilers that already achieve some of these notions. Overall, our results open new perspectives on the design of white-box programs that securely implement symmetric encryption.

show abstract

Two Attacks on a White-Box AES Implementation

Cited by 62 publications

References 8 publications

Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough

Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough

Software-Based Protection against Changeware

White-Box Security Notions for Symmetric Encryption Schemes

Contact Info

Product

Resources

About