Analysis and improvement of differential computation attacks against internally-encoded white-box implementations

Cited by: 9
Authors
Rivain M. [1]
Wang J. [1,2,3]
Affiliations
[1] CryptoExperts, United States
[2] University of Luxembourg, Luxembourg
[3] University Paris 8, France
Source
IACR Transactions on Cryptographic Hardware and Embedded Systems | 2019 / Volume 2019 / Issue 02
Keywords
Collision attack; Differential computation analysis; Internal encoding; Mutual information analysis; White-box cryptography;
DOI
10.13154/tches.v2019.i2.225-255
Abstract
White-box cryptography is the last security barrier for a cryptographic software implementation deployed in an untrusted environment. The principle of internal encodings is a commonly used white-box technique to protect block cipher implementations. It consists of representing an implementation as a network of look-up tables which are then encoded using randomly generated bijections (the internal encodings). When this approach is implemented based on nibble (i.e. 4-bit wide) encodings, the protected implementation has been shown to be vulnerable to differential computation analysis (DCA). The latter is essentially an adaptation of differential power analysis techniques to computation traces consisting of runtime information, e.g., memory accesses, of the target software. In order to thwart DCA, it has then been suggested to use wider encodings, and in particular byte encodings, at least to protect the outer rounds of the block cipher, which are the prime targets of DCA. In this work, we provide an in-depth analysis of when and why DCA works. We pinpoint the properties of the target variables and the encodings that make the attack (in)feasible. In particular, we show that DCA can break encodings wider than 4-bit, such as byte encodings. Additionally, we propose new DCA-like attacks inspired by side-channel analysis techniques. Specifically, we describe a collision attack particularly effective against the internal encoding countermeasure. We also investigate mutual information analysis (MIA), which naturally applies in this context. Compared to the original DCA, these attacks are also passive and they require very limited knowledge of the attacked implementation, but they achieve significant improvements in terms of trace complexity. All the analyses of our work are experimentally backed up with various attack simulation results. We also verified the practicability of our analyses and attack techniques against a publicly available white-box AES implementation protected with byte encodings, which DCA had failed to break before, and against a “masked” white-box AES implementation, which intends to resist DCA. © 2019, Ruhr-University of Bochum. All rights reserved.
Pages: 225 / 255
Page count: 30