Collision-Based Attacks on White-Box Implementations of the AES Block Cipher

Cited by: 0
Authors
Lu, Jiqiang [1 ,2 ,3 ]
Wang, Mingxue [1 ]
Wang, Can [1 ]
Yang, Chen [4 ]
Affiliations
[1] Beihang Univ, Sch Cyber Sci & Technol, Beijing, Peoples R China
[2] Guangxi Key Lab Cryptog & Informat Secur, Guilin, Peoples R China
[3] Beihang Univ, Hangzhou Innovat Inst, Hangzhou, Peoples R China
[4] Chinese Acad Sci, Inst Software, Beijing, Peoples R China
Source
SELECTED AREAS IN CRYPTOGRAPHY, SAC 2022 | 2024 / Vol. 13742
Keywords
White-box cryptography; Block cipher; AES; Collision attack; CRYPTANALYSIS; CRYPTOGRAPHY;
DOI
10.1007/978-3-031-58411-4_15
Chinese Library Classification number
TP301 [Theory, Methods];
Discipline classification code
081202;
Abstract
Since Chow et al. introduced white-box cryptography with a white-box implementation of the AES block cipher in 2002, a few attacks and improvements on Chow et al.'s white-box AES implementation have been presented; in particular, Lepoint et al. gave a collision-based attack with a time complexity of about $2^{22}$ in 2013. Lepoint et al.'s attack involves three phases at a high level: first defining a collision function to recover a round's keyed S-box transformations, each from input protected by a white-box encoding to original output, then recovering the output encoding of this round, and finally recovering the round key bytes of the next round by testing every key candidate under a statistical distinguisher. In this paper, we give two extensions to Lepoint et al.'s collision-based attack. The first executes Lepoint et al.'s first phase for two consecutive rounds and then recovers the round key of the latter round directly from the two recovered SubBytes outputs of the two rounds. The second executes Lepoint et al.'s first phase for two consecutive rounds, then executes Lepoint et al.'s second phase for the former round, and finally recovers the round key of the latter round directly from the recovered keyed S-box transformations of the latter round. Compared with Lepoint et al.'s approach, the two extensions avoid the last one or two phases and the associated prerequisites, and thus they can attack a broader range of white-box implementations: specifically, the first extension targets SPN ciphers, and the second extension targets both SPN and Feistel ciphers. As an example, we apply the first extension to attack Bai et al.'s white-box AES implementation with an expected time complexity of about $2^{20}$ S-box computations.
Together with some previous work, our work indicates that all the previously published white-box AES implementations with external encodings are not practically secure, and white-box implementation designers should pay attention to these new collision-based approaches.
Pages: 328-352
Number of pages: 25