Reveal Secrets in Adoring Poitras: A generic attack on white-box cryptography



SLIDE 1

Reveal Secrets in Adoring Poitras

A generic attack on white-box cryptography

Junwei Wang

CryptoExperts University of Luxembourg University of Paris 8 ECRYPT-NET School on Correct and Secure Implementation October 11, 2017, Crete

SLIDE 2

Outline

1 White-Box Cryptography
    What Is White-Box Cryptography (WBC)?
    WhiBox Contest

2 Breaking Adoring Poitras
    Cleaning the Code
    De-Virtualization
    Bitwise-Based Program to Boolean Circuits
    Boolean Circuits Minimization
    Data Dependency Analysis
    Algebraic Analysis

SLIDE 3

What Is White-Box Cryptography (WBC)?

WBC aims to resist key extraction from a software implementation of a cryptographic algorithm.

The attacker entirely controls the running environment:
◮ to record the computation trace (memory address/value, access type/time, etc.)
◮ to modify the control flow, intermediate values, etc.

No provably secure construction exists. All known practical constructions had been broken by generic attacks (DCA and DFA) before 2016.

Applications:
◮ digital rights management (DRM)
◮ mobile payments

SLIDE 4

WhiBox Contest - CHES 2017 CTF

Organized by ECRYPT CSA

Two categories:
◮ designers
◮ breakers

AES-128, with physical limitations (< 50 MB of source code, < 20 MB binary, < 1 s execution)

All 94 submitted challenges were broken (most of them survived less than 1 day)

Hardest challenge: Adoring Poitras.
◮ Survived for 28 days (2.3 × the 2nd hardest one)
◮ Submitted by cryptolux (Biryukov-Udovenko)
◮ Only broken by team cryptoexperts (Goubin-Paillier-Rivain-Wang)

SLIDE 5

Untidy Code

More than 1k functions

SLIDE 6

Readability Processing

Duplicate / redundant / unused code elimination
Function / variable renaming
Constant rewriting
Code combination

Only 20 functions are remaining

SLIDE 7

Universal Turing Machine

SLIDE 8

Universal Turing Machine (2)

SLIDE 9

Universal Turing Machine (3)

SLIDE 10

De-virtualization - Simulate the UTM

We get a bitwise-based program (600k operations).

SLIDE 11

Bitwise-Based Program

Input: plaintext bits (b1, b2, ..., b128)
Output: ciphertext bits (c1, c2, ..., c128)

    for i = 1 to 128 do
        t[addr1,i] ← 0b bi bi bi ... bi                      ⊲ expand bi to an unsigned long integer (64 bits)
        for j = 1 to 64 do
            t[addr2,i + j * 2^12] ← t[addr1,i]
        end for
    end for
    BitwiseOperationLoop1                                    ⊲ loop for 64 times
    BitwiseOperationLoop2
    ...
    BitwiseOperationLoop2573
    for i = 1 to 129 do
        t[addr3,i] ← vi                                      ⊲ vi ∈ GF(2) is a constant
        for j = 1 to 64 do
            tmp ← t[addr4,i + j * 2^12] ⊕ t[addr5,i + j * 2^12]
            t[addr3,i] ← t[addr3,i] ⊕ Parity(tmp)            ⊲ Parity computes the number of 1-bits modulo 2
        end for
    end for
    BitwiseOperationLoop2574
    ...
    BitwiseOperationLoop2582
    for i = 1 to 128 do
        ci ← t[addr6,i]
    end for

SLIDE 12

Bitwise-Based Program to Boolean Circuits

64 (loop length) × 64 (number of bits in an unsigned long integer) = 4096 independent AES computations, each operating as a Boolean circuit on one bit position of one loop iteration.

Only 3 of the 64 × 64 slices are real AES computations, and they are identical (e.g., bit 42 of loop 26).

Hence the bitwise-based program can be simplified to a Boolean circuit with 600k gates (XOR, AND, OR, NOT).

Breakers are stopped by this step??

SLIDE 13

Boolean Circuits Minimization

Constant variable detection and propagation
Deduplication
"Potential" pseudorandomness detection and removal
Dead code elimination
Repeat the above steps until no more constants / duplicates / "potential" pseudorandomness can be detected

The circuit is reduced to 280k Boolean gates (53% smaller than 600k).
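The following is an added worked example, not code from the slides or from the cryptoexperts team: it slices a small word-level ("bitwise-based") program of the shape shown on slides 11-12 into one Boolean circuit per bit position, then shrinks that circuit with the passes of slide 13 (constant propagation, deduplication, dead-code elimination, repeated to a fixpoint). The word program, the gate representation and the op set (AND, XOR, NOT, CONST; OR is omitted for brevity) are all constructed here and are not Adoring Poitras. The `sel` constant gives half of the slices a constant output, mimicking the dummy slices of the challenge.

```python
"""Added example, not from the slides: cut a word-level program into per-bit
Boolean circuits, then minimize one slice with constant propagation,
deduplication and dead-code elimination until the gate count stops shrinking.
The program, gate format and op set (AND, XOR, NOT, CONST) are assumptions."""
import random

WORD, MASK = 64, (1 << 64) - 1
OPS = {"AND": lambda x, y: x & y, "XOR": lambda x, y: x ^ y, "NOT": lambda x, _: ~x & MASK}

# (op, dst, a, b): bitwise ops on 64-bit words, so bit k of every word belongs
# to slice k.  Lines marked "junk" mimic the dummy operations of the challenge.
PROGRAM = [
    ("CONST", "sel", 0xFFFFFFFF00000000, None),  # slice k is "real" iff bit k is set
    ("XOR", "t0", "in0", "in1"),
    ("XOR", "z", "in1", "in1"),       # junk: always 0
    ("AND", "t1", "in2", "in0"),
    ("AND", "t1b", "in0", "in2"),     # junk: duplicate of t1, operands swapped
    ("XOR", "t2", "t0", "t1b"),
    ("XOR", "t4", "t2", "z"),         # XOR with the constant 0 is the identity
    ("NOT", "t5", "t4", None),
    ("NOT", "t6", "t5", None),        # double negation
    ("AND", "out", "t6", "sel"),      # slices with a clear sel bit output constant 0
]
INPUTS, OUTPUTS = ["in0", "in1", "in2"], ["out"]

def run_words(program, words):
    """Reference semantics: execute the program on whole 64-bit words."""
    env = dict(words)
    for op, dst, a, b in program:
        env[dst] = a if op == "CONST" else OPS[op](env[a], env.get(b))
    return env

def slice_circuit(program, k):
    """Boolean circuit of bit position k: one gate per word operation, with
    word constants reduced to their k-th bit.  Gate order is topological."""
    return {dst: (("CONST", (a >> k) & 1, None) if op == "CONST" else (op, a, b))
            for op, dst, a, b in program}

def eval_circuit(gates, inbits):
    """Evaluate a circuit on single bits; "0"/"1" name the two constants."""
    val = {"0": 0, "1": 1, **inbits}
    for name, (op, a, b) in gates.items():
        val[name] = a if op == "CONST" else OPS[op](val[a], val.get(b)) & 1
    return val

def simplify_once(gates, outputs):
    """One sweep of constant propagation and deduplication, then dead-code
    elimination.  Returns (gates, outmap); outmap sends each output name to the
    node now carrying its value: "0"/"1", an input name or a gate name."""
    alias, seen, new = {}, {}, {}
    def res(n):                                   # follow the alias chain
        return res(alias[n]) if n in alias else n
    for name, (op, a, b) in gates.items():
        if op == "CONST":
            alias[name] = str(a); continue        # constant gate -> "0"/"1"
        a, b = res(a), (res(b) if b is not None else None)
        if op in ("AND", "XOR"):
            a, b = sorted((a, b))                 # canonical operand order
            if a == b:                            # AND(x,x) = x, XOR(x,x) = 0
                alias[name] = a if op == "AND" else "0"; continue
            if a in ("0", "1"):                   # constants sort before names
                if op == "AND":                   # AND(0,x) = 0, AND(1,x) = x
                    alias[name] = "0" if a == "0" else b; continue
                if a == "0":                      # XOR(0,x) = x
                    alias[name] = b; continue
                op, a, b = "NOT", b, None         # XOR(1,x) = NOT x
        if op == "NOT":
            if a in ("0", "1"):
                alias[name] = str(1 - int(a)); continue
            if new.get(a, (None,))[0] == "NOT":   # NOT(NOT x) = x
                alias[name] = new[a][1]; continue
        key = (op, a, b)
        if key in seen:                           # identical gate already exists
            alias[name] = seen[key]; continue
        seen[key] = name; new[name] = key
    outmap = {o: res(o) for o in outputs}
    live, stack = set(), [n for n in outmap.values() if n in new]
    while stack:                                  # dead-code elimination
        n = stack.pop()
        if n not in live:
            live.add(n)
            stack += [x for x in new[n][1:] if x in new]
    return {n: g for n, g in new.items() if n in live}, outmap

def minimize(gates, outputs):
    """Repeat the sweep until the gate count stops shrinking (slide 13)."""
    outmap = {o: o for o in outputs}
    while True:
        before = len(gates)
        gates, m = simplify_once(gates, list(outmap.values()))
        outmap = {o: m[v] for o, v in outmap.items()}
        if len(gates) == before:
            return gates, outmap

def check_slice(k, trials=32, seed=0):
    """Minimize slice k and cross-check it against bit k of the word program on
    random inputs.  Returns (gates before, gates after)."""
    rng = random.Random(seed)
    raw = slice_circuit(PROGRAM, k)
    small, outmap = minimize(raw, OUTPUTS)
    for _ in range(trials):
        words = {i: rng.getrandbits(WORD) for i in INPUTS}
        ref = run_words(PROGRAM, words)
        val = eval_circuit(small, {i: (words[i] >> k) & 1 for i in INPUTS})
        for o in OUTPUTS:
            assert val[outmap[o]] == (ref[o] >> k) & 1, f"slice {k} mismatch"
    return len(raw), len(small)
```

`check_slice(3)` collapses the whole slice to the constant 0 (a dummy slice), while `check_slice(40)` keeps only the three gates that compute the real output; the cross-check against the word-level program is the step that guards against a minimization pass silently changing the function, which matters before any key-recovery analysis is run on the reduced circuit.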

SLIDE 14

Data Dependency Graph (DDG)

x = a;  y = b;  x = y + x;  y = x * y;  z = x - y;  x = z * x;

(figure: the DDG of these six statements, with nodes labelled x, y, z)
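Added example (not part of the slides): building the DDG of the six statements above, with each assignment producing a new versioned node so that the two writes to x and y are kept apart. The statement syntax and the node names (`a0`, `b0` for the inputs, `x1`, `x2`, ... for successive definitions) are assumptions made for the demo; `ancestors` walks the graph backwards, which is the kind of traversal the branch clustering on the later slides relies on.

```python
"""Added example, not from the slides: data-dependency graph of a
straight-line program.  Node naming and statement syntax are assumptions."""
import re

PROGRAM = ["x = a", "y = b", "x = y + x", "y = x * y", "z = x - y", "x = z * x"]

def build_ddg(statements):
    """Return (nodes, edges).  Each assignment creates a new versioned node for
    its target; an edge (src, dst) means dst reads the value produced at src.
    Variables read before any write (a, b) become input nodes a0, b0."""
    current, version, nodes, edges = {}, {}, [], []
    for stmt in statements:
        lhs, rhs = (p.strip() for p in stmt.split("=", 1))
        srcs = []
        for var in re.findall(r"[A-Za-z_]\w*", rhs):
            if var not in current:                # never written: program input
                current[var] = f"{var}0"
                nodes.append(current[var])
            srcs.append(current[var])
        version[lhs] = version.get(lhs, 0) + 1
        dst = f"{lhs}{version[lhs]}"
        nodes.append(dst)
        edges.extend((s, dst) for s in srcs)
        current[lhs] = dst                        # later reads of lhs see this version
    return nodes, edges

def ancestors(edges, node):
    """All nodes whose values flow into `node` (its backward slice)."""
    preds = {}
    for s, d in edges:
        preds.setdefault(d, set()).add(s)
    seen, stack = set(), [node]
    while stack:
        for p in preds.get(stack.pop(), ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen

def to_dot(nodes, edges):
    """Graphviz source for the DDG, to draw it the way the slides do."""
    body = [f'  "{n}";' for n in nodes] + [f'  "{s}" -> "{d}";' for s, d in edges]
    return "digraph ddg {\n" + "\n".join(body) + "\n}"

if __name__ == "__main__":
    nodes, edges = build_ddg(PROGRAM)
    print(to_dot(nodes, edges))
    print("x3 depends on:", sorted(ancestors(edges, "x3")))
```

For the slide's program the graph has eight nodes and ten edges; the final `x3` depends on every earlier definition, whereas `y1` depends only on the input `b0`. On the 280k-gate circuit the same construction is what produces the picture on the next slide.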

SLIDE 15

DDG of the Circuits (First 5%)

SLIDE 16

First Round Computation of AES

(figure: DDG of the first-round computation, with the SubBytes and MixColumns stages labelled)

SLIDE 17

Extracting the Branches (Clustering)

SLIDE 18

Assumption

Assumption (Informal): Each of the green "branches" corresponds to an individual S-box computation in the first round of AES, and its t-bit output (s1, s2, ..., st) is a linear encoding of the real S-box output: each real S-box output bit is an affine combination of the s_j.

SLIDE 19

Output Bits of A Branch

(figure: a branch contains 530 bits, of which 34 are its output bits)

SLIDE 20

Solve A System of Linear Equations

For a key-byte guess $\hat{k}$ and a target real output bit $i$, collect $n$ plaintexts with input byte $x^{(m)}$ and branch output bits $s^{(m)}_1, \ldots, s^{(m)}_{34}$, and solve over $\mathrm{GF}(2)$ for the affine coefficients $a_1, \ldots, a_{35}$ ($a_{35}$ is the constant term):

$$
\begin{pmatrix}
s^{(1)}_1 & s^{(1)}_2 & \cdots & s^{(1)}_{34} & 1 \\
s^{(2)}_1 & s^{(2)}_2 & \cdots & s^{(2)}_{34} & 1 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
s^{(n)}_1 & s^{(n)}_2 & \cdots & s^{(n)}_{34} & 1
\end{pmatrix}
\begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_{34} \\ a_{35} \end{pmatrix}
=
\begin{pmatrix}
\mathrm{SBox}(x^{(1)} \oplus \hat{k})[i] \\
\mathrm{SBox}(x^{(2)} \oplus \hat{k})[i] \\
\vdots \\
\mathrm{SBox}(x^{(n)} \oplus \hat{k})[i]
\end{pmatrix}
$$

Under the assumption, the system is solvable for the correct key $k^{*}$. For a wrong guess the right-hand side is unrelated to the branch bits, so each equation beyond the 35 unknowns halves the chance that a random right-hand side is consistent, and a union bound over the $2^8$ guesses gives: if $n \ge 35 + 8 + \lambda$, then

$$
\Pr\big[\text{some } \hat{k} \ne k^{*} \text{ has a solution}\big] \le 2^{-\lambda}.
$$

SLIDE 21

Results

SLIDE 22

Why DCA / DFA does not work?

Solved coefficient vectors (a1, ..., a35) of one branch, one row per real S-box output bit i = 0..7:

0: {0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
1: {0,0,0,0,0,0,1,0,0,1,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
2: {0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
3: {0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
4: {0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
5: {0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
6: {0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}
7: {0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}

15 of the 34 output bits are used (the non-zero columns among a1..a34, positions 7 to 21); the constant column a35 is zero in every row.

SLIDE 23

Why DCA / DFA does not work?


Each real bit is encoded by at least 2 intermediate bits.

SLIDE 24

Why DCA / DFA does not work?


Each intermediate bit encodes at least 2 real output bits (every used column has at least two 1s), so no single intermediate bit equals, or is the complement of, a single real S-box output bit.
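An added worked example covering slides 18-20 (the algebraic attack) and slides 22-24 (why a single-bit DCA selection function sees nothing). This is example code written for this page, not the cryptoexperts tooling. Everything beyond the AES S-box is a demo assumption: the simulated branch outputs t = 12 intermediate bits instead of 34, the affine encoding `ENC`/`MASK` is made up (but, like the solved encodings on slides 23-24, every intermediate bit mixes at least two real bits), and the key byte and plaintexts are generated locally. The solver runs the linear system of slide 20 for every key guess with `35` replaced by `t + 1`, and the DCA measurement counts, for every intermediate bit and every real output bit, how often the two agree over all 256 plaintexts.

```python
"""Added example, not from the slides: toy algebraic attack on an encoded
S-box branch (slides 18-20) and the single-bit DCA bias measurement behind
slides 22-24.  Branch size, encoding, key and plaintexts are assumptions."""
import random

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """AES S-box: multiplicative inverse, then x ^ rot1(x) ^ ... ^ rot4(x) ^ 0x63."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        acc, rot = inv, inv
        for _ in range(4):
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            acc ^= rot
        box.append(acc ^ 0x63)
    return box

SBOX = aes_sbox()

# Hypothetical encoding: s_j = XOR of the real S-box output bits in ENC[j], XOR
# MASK[j].  Rows 0-6 plus row 8 have rank 8, so every real bit is an affine
# function of the s_j and the correct key must yield solvable systems.
ENC = [(i, (i + 1) % 8) for i in range(8)] + [(0, 1, 2), (0, 3, 5), (1, 4, 7), (2, 6, 7)]
MASK = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1]
T = len(ENC)                     # number of intermediate bits in the branch

def bit(v, i):
    return (v >> i) & 1

def branch_output(x, key):
    """The simulated branch: encoded output bits of SBox(x ^ key)."""
    y = SBOX[x ^ key]
    return [m ^ sum(bit(y, i) for i in idxs) % 2 for idxs, m in zip(ENC, MASK)]

def gf2_consistent(rows, ncols):
    """Gaussian elimination over GF(2).  Each row is an int: bit c < ncols is the
    coefficient of unknown c, bit ncols is the right-hand side.  Returns True
    iff the system has a solution (no row reduces to 0 = 1)."""
    rows, top = list(rows), 0
    for col in range(ncols):
        piv = next((r for r in range(top, len(rows)) if (rows[r] >> col) & 1), None)
        if piv is None:
            continue
        rows[top], rows[piv] = rows[piv], rows[top]
        for r in range(len(rows)):
            if r != top and (rows[r] >> col) & 1:
                rows[r] ^= rows[top]
        top += 1
    return all(r != 1 << ncols for r in rows)

def recover_key(samples):
    """samples: list of (x, s).  For each key guess k and real output bit i,
    solve [s_1..s_T, 1] . a = SBox(x ^ k)[i] over all samples (the matrix of
    slide 20).  Guesses for which all 8 systems are consistent are returned."""
    ncols = T + 1                                  # a_1..a_T plus the constant
    found = []
    for k in range(256):
        for i in range(8):
            rows = [sum(b << j for j, b in enumerate(s)) | (1 << T)
                    | (bit(SBOX[x ^ k], i) << ncols) for x, s in samples]
            if not gf2_consistent(rows, ncols):
                break
        else:
            found.append(k)
    return found

def run_attack(key, n=48, seed=1):
    """n >= (T+1) + 8 + lambda with lambda = 27 here, so by slide 20's bound a
    wrong key survives with probability at most 2^-27."""
    xs = random.Random(seed).sample(range(256), n)
    return recover_key([(x, branch_output(x, key)) for x in xs])

def single_bit_dca_bias(key):
    """Slides 22-24: for every intermediate bit j and real output bit i, count
    over all 256 plaintexts how often s_j == SBox(x ^ key)[i].  Since each s_j
    mixes >= 2 real bits, s_j ^ y_i is a non-zero linear combination of the
    output bits of a permutation, hence exactly balanced: the count is 128 and
    the largest bias |count - 128| is 0, so a single-bit selection function
    has nothing to correlate with.  (An unencoded bit would give bias 128.)"""
    worst = 0
    for j in range(T):
        for i in range(8):
            agree = sum(branch_output(x, key)[j] == bit(SBOX[x ^ key], i) for x in range(256))
            worst = max(worst, abs(agree - 128))
    return worst

if __name__ == "__main__":
    print("key candidates:", run_attack(0x2B), "max single-bit DCA bias:", single_bit_dca_bias(0x2B))
```

The same linear-algebra step that defeats the encoding is what makes the attack generic: it never needs to know which of the 34 bits carry the value, only that some affine combination of them does, and the per-key consistency check turns that into a 2^8 search per S-box.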

SLIDE 25

Summary and Future Works

White-box cryptography is widely deployed.

All known constructions had been broken by DFA and DCA attacks before 2016.

An algebraic analysis attack was applied to break the challenge.

Future works:
◮ Countermeasures to design
◮ Generalization of this attack
◮ Theoretical construction

SLIDE 26

Thank you! Question?
