Towards Security Notions for White-Box Cryptography

Brecht Wyseur, ISC conference, September 2009, Pisa, Italy
Joint work with Amitabh Saxena and Bart Preneel

Outline

  • Motivation: White-Box Cryptography
  • The Theory of Obfuscation
    – (im)possibility results
    – Obfuscation vs. White-Box Cryptography
  • Towards a formal model for white-box cryptography
  • (Im)possibility results
  • Conclusion and future research

Motivation

  • Our research:
    – How can we implement cryptographic primitives in software in a secure way?
      • Not: the implementation itself (bugs, efficiency)
      • But: the threats that arise when deploying cryptographic software implementations in systems
  • Threat model: the adversary has full access to the implementation of the cryptographic primitives
    – DRM scenario: decryption device on an untrusted machine (set-top box / PC)
    – Mobile agents
    – Online gaming

3 threat models

  • Traditional cryptography (black-box cryptography)
  • Observable cryptography (side-channel attacks)
  • White-box cryptography (software implementations)

WBC in practice

  • WB-DES, WB-AES constructions [S. Chow, P. Eisen, H. Johnson, and P.C. van Oorschot, 2002]
    – Hardwire secret keys, and scramble internal operations

[Figure: hex dump of an AES implementation next to a WB-AES implementation]

  • Subsequent work:
    – (differential & algebraic) cryptanalysis (2002, 2004, 2007)
    – improvements (2002, 2004, 2006)
    – (algebraic) cryptanalysis of classes of WB implementations (2008, 2009)
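To make "hardwire secret keys, and scramble internal operations" concrete, here is an added toy example (not code from the slides, the paper, or the Chow et al. constructions) in the style of the Chow et al. table-based approach. It uses a constructed, non-cryptographic 8-bit S-box instead of the AES S-box, treats one "round" as a key addition followed by the S-box, and turns two such rounds into a chain of lookup tables wrapped in random input/output encodings. The names SBOX, encoded_table and white_box_two_rounds are this example's own.

```python
import random


def random_bijection(rng):
    """A random permutation of the 8-bit values, used as an encoding (constructed)."""
    perm = list(range(256))
    rng.shuffle(perm)
    return perm


def invert(perm):
    inv = [0] * 256
    for i, v in enumerate(perm):
        inv[v] = i
    return inv


# A fixed, non-cryptographic S-box standing in for the AES S-box (constructed).
SBOX = random_bijection(random.Random(2009))


def reference_round(x, k):
    """Black-box reference for one toy round: key addition followed by the S-box."""
    return SBOX[x ^ k]


def encoded_table(k, f_in, g_out):
    """T(x') = g_out(S(f_in^-1(x') XOR k)): the key k is hardwired into the table and
    the table is scrambled by an input encoding f_in and an output encoding g_out."""
    f_inv = invert(f_in)
    return [g_out[reference_round(f_inv[xe], k)] for xe in range(256)]


def white_box_two_rounds(k1, k2, seed):
    """Two rounds as a chain of encoded tables. The internal encoding h is the output
    encoding of t1 and the input encoding of t2, so it cancels between the tables and
    the unencoded intermediate value never appears at run time."""
    rng = random.Random(seed)
    f, h, g = random_bijection(rng), random_bijection(rng), random_bijection(rng)
    t1 = encoded_table(k1, f, h)
    t2 = encoded_table(k2, h, g)

    def run(x_encoded):
        return t2[t1[x_encoded]]

    return run, f, g, t1, t2


def chain_matches_reference(k1, k2, seed):
    """Strip the external encodings f and g and check the chain against the reference."""
    run, f, g, _, _ = white_box_two_rounds(k1, k2, seed)
    g_inv = invert(g)
    return all(
        g_inv[run(f[x])] == reference_round(reference_round(x, k1), k2)
        for x in range(256)
    )


def stored_table_is_plain(k1, seed):
    """Is the stored first table just S(x XOR k1)? With encodings in place it is not."""
    _, _, _, t1, _ = white_box_two_rounds(k1, 0, seed)
    return t1 == [reference_round(x, k1) for x in range(256)]


if __name__ == "__main__":
    print("chain equals reference:", chain_matches_reference(0x2B, 0x7E, 1))
    print("stored table is the plain table:", stored_table_is_plain(0x2B, 1))
```

The external encodings f and g are what Chow et al. push out to the surrounding application, so that neither the plaintext input nor the plain output of the table network is visible inside the implementation. The example only shows the functional mechanism; the later cryptanalysis papers listed on the slide are precisely about recovering the hardwired key from such encoded tables, which is why this construction on its own is not a security argument.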

Objective

  • Our main question: do “secure” white-box implementations exist? (and what do they look like?)
  • Broader perspective: can the security that was achieved in ‘black-box’ be maintained in ‘white-box’? (Beyond the confidentiality of secret keys)

[Figure: the encryption function E_k pictured in the ‘black-box’ and in the ‘white-box’ setting]


Concepts

  • Our formal model includes
    – Security notions (to capture “secure algorithm”)
    – Theoretic models for Obfuscation

Theory of Obfuscation

  • [Barak et al., 2001]: comparison between the ‘real world’ and its simulated counterpart in an idealized setting.
    – Example: predicate-based definition
    – Other definitions include distinguisher-based definitions

[Figure: real world: adversary A receives O(P) and outputs a bit b; idealized world: A receives 1^n and oracle access to P, and outputs a bit b]

(im)possibility results

  • The main impossibility result [Barak et al., 2001]
    – There exists an unobfuscatable function: the cannibalistic function construction.

    If (input behaves like me) { Leak my secret SECRET; }

  • Positive results: obfuscation of Point Functions [Lynn, Prahbakaran and Sahai, 2004 – Wee, 2005]

Obfuscation vs. White-Box Crypto

  • No agreement on which model of obfuscation would be suitable for cryptographic purposes
    – Predicate-based definitions: too weak (meaningless)
    – Distinguisher-based definitions: too strong (nothing interesting is possible: deterministic & obfuscatable ⇒ function must be learnable)
  • Cryptographic schemes are generally not learnable (predictable)
  • Definitions of obfuscation do not capture ‘context’ and ‘objective’ ⇒ Need for a model that captures “White-Box Cryptography”

Security Notions

  • Security in ‘black-box’
    – Security notions
      • Attack goals
      • Attacker capabilities (described as a game between a challenger and the adversary)
  • An example: IND-CCA2

[Figure: IND-CCA2 game. Challenger holds the key; the adversary has oracle access to E_k and D_k. The adversary submits m0, m1; the challenger draws b ←$ {0,1} and r ←$ R and returns c = E_k(m_b, r); the adversary may keep querying D_k, but not on input c, and finally outputs a guess for b]
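As an added illustration of the IND-CCA2 game on this slide (this is example code, not code from the slides or the paper), the challenger below enforces the rules of the game, including the restriction that D_k may not be queried on the challenge ciphertext. Three constructed toy schemes built from HMAC-SHA256 as a PRF are played against two adversaries: one that re-encrypts m0 and compares, which breaks a deterministic scheme, and one that tampers with one bit of the challenge and uses the decryption oracle, which breaks a randomized but malleable scheme. The encrypt-then-MAC scheme survives both. All class and function names are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16


def prf(key, data):
    """HMAC-SHA256 used as a pseudorandom function (constructed toy building block)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Deterministic:
    """Constructed weak scheme: one fixed pad reused for every message (ECB-like)."""
    def __init__(self, key):
        self.pad = prf(key, b"pad")[:BLOCK]

    def encrypt(self, m):
        return xor(m, self.pad)

    def decrypt(self, c):
        return xor(c, self.pad)


class RandomizedNoMac:
    """Constructed scheme: c = r || m XOR PRF(k, r). Randomized, but malleable."""
    def __init__(self, key):
        self.ke = prf(key, b"enc")

    def encrypt(self, m):
        r = os.urandom(BLOCK)
        return r + xor(m, prf(self.ke, r)[:BLOCK])

    def decrypt(self, c):
        r, ct = c[:BLOCK], c[BLOCK:]
        return xor(ct, prf(self.ke, r)[:BLOCK])


class RandomizedEtM(RandomizedNoMac):
    """Encrypt-then-MAC on top of RandomizedNoMac: tampered ciphertexts are rejected."""
    def __init__(self, key):
        super().__init__(key)
        self.km = prf(key, b"mac")

    def encrypt(self, m):
        body = super().encrypt(m)
        return body + prf(self.km, body)

    def decrypt(self, c):
        body, tag = c[:2 * BLOCK], c[2 * BLOCK:]
        if not hmac.compare_digest(tag, prf(self.km, body)):
            return None            # reject forged or mauled ciphertexts
        return super().decrypt(body)


class IndCca2Game:
    """The challenger side of the IND-CCA2 game for a symmetric scheme."""
    def __init__(self, scheme_cls, b):
        self.scheme = scheme_cls(os.urandom(32))
        self.b = b                 # hidden challenge bit
        self.challenge = None

    def enc_oracle(self, m):
        return self.scheme.encrypt(m)

    def dec_oracle(self, c):
        if c == self.challenge:    # "but not on input c"
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return self.scheme.decrypt(c)

    def challenge_oracle(self, m0, m1):
        assert self.challenge is None and len(m0) == len(m1) == BLOCK
        self.challenge = self.scheme.encrypt((m0, m1)[self.b])
        return self.challenge


M0, M1 = bytes(BLOCK), bytes([1]) * BLOCK   # constructed challenge messages


def compare_adversary(game):
    """Re-encrypts m0 and compares with the challenge; only works if encryption is deterministic."""
    c = game.challenge_oracle(M0, M1)
    return 0 if game.enc_oracle(M0) == c else 1


def maul_adversary(game):
    """Flips one bit of the challenge and asks D_k about the mauled ciphertext (allowed, c' != c)."""
    c = bytearray(game.challenge_oracle(M0, M1))
    c[2 * BLOCK - 1] ^= 1          # last byte of the masked message
    m = game.dec_oracle(bytes(c))
    if m is None:                  # integrity check fired: no information, guess 0
        return 0
    return 0 if m == xor(M0, bytes(BLOCK - 1) + b"\x01") else 1


def win_rate(scheme_cls, adversary, trials=20):
    """Fraction of games won; b alternates, so a strategy that learns nothing scores exactly 0.5."""
    wins = 0
    for t in range(trials):
        b = t % 2
        wins += adversary(IndCca2Game(scheme_cls, b)) == b
    return wins / trials
```

Running win_rate with the four scheme/adversary pairs gives 1.0 for Deterministic against compare_adversary and for RandomizedNoMac against maul_adversary, and 0.5 for RandomizedEtM against both. That is the point of the slide's game: the attack goal (guess b) and the attacker capabilities (which oracles, which restriction) together decide which constructions count as secure, and randomization alone is not enough once a decryption oracle is in the game.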

Formal model

  • Pin down obfuscation models to cryptographic primitives
    – Family Q
    – Keyspace K; q ←$ K
    – Instantiated cryptographic primitive Q[q]
  • We follow the game-based approach [Bellare et al., 1997]

[Figure: Black-box game: adversary A receives (1^k, sn), interacts with the challenger, outputs b; the game decides WIN?. White-box game: adversary A receives (1^k, O(Q_i), sn), interacts with the challenger, outputs b; the game decides WIN?. Figure labels: meaning, context]


Obfuscatability

  • Black-box game
  • IND-CCA2 game

[Figure: the black-box game with adversary A on input (1^k, sn) interacting with the instantiated primitives Q1[q1], Q2[q2], Q3[q3]; next to it the IND-CCA2 game: challenger with E_k and D_k, adversary submits m0, m1, receives E_k(m_b, r) for b ←$ {0,1}, r ←$ R, may query D_k but not on input c, and outputs a guess for b]

  • Obfuscatable family Q?

Formal model

[Figure: Black-box game: adversary A on input (1^k, sn), outputs b, the game decides WIN?. White-box game: adversary A on input (1^k, O(Q_i), sn), outputs b, the game decides WIN?]

  • Comparison between the white-box game and its idealized version
  • O is a secure obfuscator for Q_i, under the sn security notion, if

Negative Results

  • For any non-learnable family Q, there exists a non-obfuscatable security notion (this is stronger than Barak et al., 2001)

[Figure: white-box game on input (1^k, O(Q), sn) next to the black-box game on input (1^k, sn)]

  • Obfuscation is not trivially composable

[Figure: Q[q] and Q1[q1] obfuscated separately versus composed, with the key q passed between them; WIN? is evaluated in both games]
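The following added example (not code from the slides or the paper) plays out the white-box and black-box games of the formal model for one security notion, to illustrate the first negative result. The family Q is a keyed PRF (HMAC-SHA256), assumed non-learnable; the security notion sn is the assumption "the adversary wins if it outputs a program that agrees with Q[q] on fresh challenger-chosen inputs"; and the obfuscator O is modelled as handing over the implementation itself. In the black-box game an adversary that only memorises oracle answers cannot win; in the white-box game the adversary wins trivially by returning O(Q[q]). The names Q, obfuscate, equivalence_notion and the two adversaries are this example's own.

```python
import hashlib
import hmac
import random


def fresh_inputs(rng, n=8):
    """n fresh 16-byte inputs (constructed test inputs drawn from the given rng)."""
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)]


class Q:
    """Family Q: a keyed PRF, Q[q](x) = HMAC-SHA256(q, x). Assumed non-learnable."""
    def __init__(self, q):
        self.q = q

    def __call__(self, x):
        return hmac.new(self.q, x, hashlib.sha256).digest()


def obfuscate(program):
    """Stand-in for O: whatever implementation the white-box adversary is given (here the program itself)."""
    return program


def equivalence_notion(candidate, reference, rng):
    """Security notion sn (assumed for this example): the adversary WINs if its candidate program
    agrees with Q[q] on fresh inputs the challenger picks after the adversary has answered."""
    return all(candidate(x) == reference(x) for x in fresh_inputs(rng))


def black_box_game(q, adversary, seed):
    """Black-box game: the adversary gets (1^k, sn) and oracle access to Q[q] only."""
    rng = random.Random(seed)
    target = Q(q)
    oracle = lambda x: target(x)   # oracle access by convention: the adversary never reads q
    candidate = adversary(oracle=oracle, program=None, rng=random.Random(rng.getrandbits(64)))
    return equivalence_notion(candidate, target, rng)


def white_box_game(q, adversary, seed):
    """White-box game: the adversary additionally receives O(Q[q])."""
    rng = random.Random(seed)
    target = Q(q)
    candidate = adversary(oracle=target, program=obfuscate(target),
                          rng=random.Random(rng.getrandbits(64)))
    return equivalence_notion(candidate, target, rng)


def learning_adversary(oracle, program, rng, queries=1000):
    """Black-box strategy: memorise oracle answers. For a non-learnable family this says
    nothing about inputs it has not queried, so it fails on the fresh challenge inputs."""
    table = {x: oracle(x) for x in fresh_inputs(rng, queries)}
    return lambda x: table.get(x, b"")


def copying_adversary(oracle, program, rng):
    """White-box strategy: return the implementation it was handed; falls back to learning otherwise."""
    if program is not None:
        return program
    return learning_adversary(oracle, program, rng)


if __name__ == "__main__":
    print("black-box, learner wins:", black_box_game(b"constructed key", learning_adversary, 1))
    print("white-box, copier wins: ", white_box_game(b"constructed key", copying_adversary, 1))
```

The gap between the two outcomes is exactly what the slide's definition of a secure obfuscator compares: under this notion no O can make the white-box winning probability match the black-box one, because the white-box adversary always has a winning answer in hand while, for a non-learnable Q, the black-box adversary never does.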

Positive result

  • There exists an obfuscator O that turns an IND-CPA secure, symmetric encryption scheme into an IND-CPA secure asymmetric encryption scheme
    – Based on the bilinear Diffie-Hellman assumption
  • There exist approximately learnable families that can be universally obfuscated (e.g., point functions)
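The point-function example that appears both on the (im)possibility slide (Lynn, Prabhakaran and Sahai 2004; Wee 2005) and in the positive result above can be shown in a few lines. The code below is an added example, not from the slides or those papers: it obfuscates I_x in the random-oracle style as the pair (r, H(r || x)) with SHA-256 standing in for the random oracle (an assumption), checks that the obfuscated program is functionally equivalent to I_x and does not embed x itself, and then shows why point functions are approximately learnable: a learner that samples the oracle and outputs the all-zero hypothesis agrees with I_x on almost every input. All function names are this example's own.

```python
import hashlib
import os
import random


def point_function(x):
    """I_x: 1 on the secret point x, 0 everywhere else. Here x sits in the closure in the clear."""
    return lambda y: 1 if y == x else 0


def obfuscate_point_function(x, salt=None):
    """O(I_x) = (r, H(r || x)) with SHA-256 as the random-oracle stand-in (assumption).
    The returned program embeds only r and the digest, never x itself."""
    r = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(r + x).digest()

    def program(y):
        return 1 if hashlib.sha256(r + y).digest() == digest else 0

    program.embedded = (r, digest)     # all that a white-box reader of the program gets
    return program


def agree(p, q, inputs):
    """Functional equivalence on the given inputs."""
    return all(p(y) == q(y) for y in inputs)


def random_inputs(rng, n, length=16):
    """Constructed random inputs of the given byte length."""
    return [rng.getrandbits(8 * length).to_bytes(length, "big") for _ in range(n)]


def secret_embedded(program, x):
    """Does the secret point appear verbatim in the data the program carries?"""
    return any(x in blob for blob in program.embedded)


def approximate_learner(oracle, rng, samples=1000):
    """Approximate learning from oracle access: sample inputs, remember any point where the
    oracle answers 1, otherwise output the all-zero hypothesis."""
    hits = [y for y in random_inputs(rng, samples) if oracle(y) == 1]
    return (lambda y: 1 if y in hits else 0), len(hits)


def learner_accuracy(x, seed, test_inputs=1000):
    """Agreement of the learned hypothesis with I_x on fresh random inputs."""
    rng = random.Random(seed)
    hypothesis, _ = approximate_learner(point_function(x), rng)
    tests = random_inputs(rng, test_inputs)
    return sum(hypothesis(y) == (1 if y == x else 0) for y in tests) / test_inputs


if __name__ == "__main__":
    x = b"sixteen byte key"           # constructed secret point
    o = obfuscate_point_function(x)
    print("O(I_x) equals I_x on samples:", agree(point_function(x), o, [x, b"A" * 16]))
    print("secret embedded verbatim:    ", secret_embedded(o, x))
    print("approximate learner accuracy:", learner_accuracy(x, 7))
```

Two caveats a practitioner should keep in mind. The hiding of x rests on the entropy of x as much as on the hash: a low-entropy point (a password) can be recovered from (r, H(r || x)) by guessing, so the "secure obfuscation" statement is only meaningful for high-entropy points. And "approximately learnable" is not "learnable": the all-zero hypothesis is right almost everywhere precisely because the one input that matters is never sampled, which is why point functions are a positive example for obfuscation rather than a counterexample.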

Conclusion and Future Work

  • A formal model for White-Box Cryptography was presented, based on
    – Theoretic models on obfuscation
    – Security notions
  • Some security notions are inherently unobfuscatable
  • (Im)possibility results
  • Future Work
    – Extend the (im)possibility results towards other (reasonable) security notions and cryptographic primitives
    – Capture probabilistic encryption schemes (initial steps are included in the full version; see e-print report 2008/273)
    – Design of a new white-boxing strategy (e.g., AES → WB’-AES)

The End

  • Thank you.
    – The authors would like to thank the ISC chairs for organizing the event, and the anonymous referees for their valuable comments.