Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings Brecht Wyseur, Wil Michiels, Paul Gorissen, Bart Preneel COSIC – K.U.Leuven and Philips Research March 27 2007
White-Box Attack Context key key ke y � Software running on host � Dynamic execution can be observed � Internal details both completely visible and alterable at will Attacker's goal: extract the embedded secret key
State-of-the-art WB DES WB AES Chow et al. 2002 Chow et al. 2002 Naked variant Encoded variant Fault injection attack Jacob et al. 2002 Cryptanalysis Statistical attack Billet et al. 2004 Link et al. 2005 Condensed impl. Wyseur et al. 2005 Improved variant Cryptanalysis Goubin et al. 2007 Cryptanalysis Wyseur et al. 2007
White-box transformation
White-box transformations � Internal encodings LT 1 LT 1 LT' 1 Encoding Inv encoding LT' 2 LT 2 LT 2
White-box transformations External encodings Input encoding � Protection against implementation extraction E/D � Protection against first and last round attacks Output encoding “Encoded variant”
White-box transformation
Differential Cryptanalysis Input Difference propagation Input encoding 12 byte state Round 1 12 byte state Difference knowledge Round 2 12 byte state Round 3 12 byte state S-box input recovery Round 4 S-box identification 12 byte state Round 16 Key recovery Output encoding Output
Differential Cryptanalysis Detect single R-bit flips � Change the input to a T- box in round 1 � Observe difference propagation at the input of round 3 Observe: 2 different T- boxes affected
Conclusion � Attack with time complexity: 2 14 independent of the external encodings � Design choices that make DES “strong” in a black-box environment, make it weak in a black-box environment � Paper at http://eprint.iacr.org
Recommend
More recommend
