SLIDE 1

Two Attacks on a White-Box AES Implementation

SAC 2013, Vancouver, Canada, August 15th, 2013

Tancrède Lepoint (1,2), Matthieu Rivain (1), Yoni De Mulder (3), Peter Roelse (4), and Bart Preneel (3)

1 CryptoExperts, France
{tancrede.lepoint,matthieu.rivain}@cryptoexperts.com

2 École Normale Supérieure, France

3 KU Leuven and iMinds, Belgium
{yoni.demulder,bart.preneel}@esat.kuleuven.be

4 Irdeto B.V., The Netherlands
peter.roelse@irdeto.com

SLIDE 2

What is White-Box Cryptography?

SLIDE 3
White-Box Cryptography

  • focuses on the software implementation of cryptographic primitives executed in an untrusted environment.
  • aims at protecting the embedded secret cryptographic key; it has the objective that the white-box implementation behaves as a “virtual black box”:
  • a white-box adversary may not have any advantage over a black-box attacker, i.e., he is unable to extract any more key information than he could extract under a black-box attack (oracle access to the WB implementation).

SLIDE 4
  • Black-box attacker:
    • only has access to the input/output behavior of the cryptographic algorithm.
    • has no visibility into its execution.
  • White-box attacker:
    • has full access to the software implementation of the cryptographic algorithm.
    • has full control over its execution environment.
    • has the goal to extract the secret cryptographic key (key recovery).

[Figure: black-box model, the adversary only submits m (or c) to Ek(·) and Dk(·) and gets back c (or m); white-box model, the adversary can additionally debug, reverse engineer, inspect memory, inject faults and alter the implementation of Ek(·) and Dk(·)]

SLIDE 5
  • S-box Blanking Attack [Kerins and Kursawe, 2006]

[Figure: an S-box S followed by the addition of a key byte kw; normally xr = S(xr−1) ⊕ kw, but with the S-box output blanked to zero the round output becomes xr = 0 ⊕ kw = kw, i.e. the key byte itself]

When the attacker has knowledge of the internal structure of a cryptographic primitive, the way it is implemented is the sole remaining line of defense.

SLIDE 6

Use case: a (very) simplified DRM model

  • The trusted digital media player (containing the WB implementation) is deployed in an untrusted environment (the end-user’s playback device).
  • The goal of a maliciously behaving end-user is to extract the secret decryption key out of the decryption routine in order to:
    • decrypt the encrypted content while circumventing the License Verification
    • distribute the key to non-authorized end-users

[Figure: the Remote Content Provider encrypts the content m with Ek and its License Generator issues a license Lic; on the User’s Playback Device the player’s License Verifier answers YES or NO on Lic, and the WB implementation of Dk recovers m from Ek(m); the adversary EVE, on the playback device, aims at the key k inside the WB implementation and thereby at m]

SLIDE 7

White-Box AES Implementation

SLIDE 8

State-of-the-Art

SLIDE 9

White-box AES Implementation
  Chow, Eisen, Johnson, van Oorschot [2002]
  Billet, Gilbert and Ech-Chatbi [2004]
  Generic Class: Michiels, Gorissen and Hollmann [2008]

Perturbated White-box AES Implementation
  Bringer, Chabanne, Dottax [2006]
  De Mulder, Wyseur and Preneel [2010]

White-box AES Implementation based on Wide Linear Encodings
  Xiao and Lai [2009]

White-box AES Implementation based on Dual Ciphers of AES
  Karroumi [2010]
  De Mulder, Roelse and Preneel [2012]

This talk: a new attack based on collisions

SLIDE 11

Aspects of Chow’s White-Box AES Implementation

SLIDE 12

Descriptions of AES-128

Conventional way:
  1. AddRoundKey (K(1));
  Rounds 1-9:
  2. for r from 1 to 9:
     (a) SubBytes; (b) ShiftRows; (c) MixColumns; (d) AddRoundKey (K(r+1));
  Round 10:
  3. SubBytes;
  4. ShiftRows;
  5. AddRoundKey (K(11)).

Used for WB AES, where K̂(r) denotes the round key K(r) with ShiftRows applied to it (ShiftRows only permutes bytes, so ShiftRows(x) ⊕ K̂(r) = ShiftRows(x ⊕ K(r)) and both descriptions compute the same function):
  Rounds 1-9:
  1. for r from 1 to 9:
     (a) ShiftRows; (b) AddRoundKey (K̂(r)); (c) SubBytes; (d) MixColumns;
  Round 10:
  2. ShiftRows;
  3. AddRoundKey (K̂(10));
  4. SubBytes;
  5. AddRoundKey (K(11)).

SLIDE 13

AES Subround

[Figure: one AES subround, for 0 ≤ j ≤ 3 and 1 ≤ r ≤ 9: the four 8-bit inputs are each XORed with a round-key byte k_i^{(r,j)} (0 ≤ i ≤ 3), go through four S-boxes S and then through MixColumns with the matrix
  ‘02’ ‘03’ ‘01’ ‘01’
  ‘01’ ‘02’ ‘03’ ‘01’
  ‘01’ ‘01’ ‘02’ ‘03’
  ‘03’ ‘01’ ‘01’ ‘02’
giving four 8-bit outputs]

for r from 1 to 9: (a) ShiftRows; (b) AddRoundKey (K̂(r), the round key with ShiftRows applied to it); (c) SubBytes; (d) MixColumns;
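The two descriptions of slide 12 and the subround of slide 13, as an added worked example; this is not code from the slides or from their authors. The AES-128 below is written from FIPS-197. Both orderings are implemented side by side, with the hatted round keys K̂(r) taken as ShiftRows applied to K(r) (an assumption about the slide's notation that the equality of the two ciphertexts confirms), and rounds 1-9 of the white-box ordering are computed as four independent subrounds of the kind drawn on slide 13. All function names are this example's own.

```python
# Added example (not from the slides): AES-128 in the conventional round order and in the
# reordered form used for white-box AES, where ShiftRows is pulled in front of AddRoundKey
# by applying ShiftRows to the round key itself (K_hat(r) = ShiftRows(K(r)), an assumption
# about the slide's hat notation). In the reordered form each of rounds 1..9 splits into four
# independent 32-bit subrounds: 4 key additions, 4 S-boxes, 1 MixColumns.
# State: list of 16 bytes in FIPS-197 column-major order, byte i at row i % 4, column i // 4.
import random


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


def _make_sbox():
    """AES S-box: multiplicative inverse followed by the fixed affine map and constant 0x63."""
    box = [0] * 256
    for x in range(256):
        inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box[x] = s ^ 0x63
    return box


SBOX = _make_sbox()


def key_expansion(key):
    """FIPS-197 AES-128 key schedule: 11 round keys of 16 bytes; K[0] is the slide's K(1)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon on the first byte
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Rotate row r of the state left by r positions."""
    return [s[((i // 4 + i % 4) % 4) * 4 + i % 4] for i in range(16)]


def mix_column(col):
    """MixColumns on one column: the matrix of slide 13 (rows 02 03 01 01, 01 02 03 01, ...)."""
    a, b, c, d = col
    return [gf_mul(a, 2) ^ gf_mul(b, 3) ^ c ^ d, a ^ gf_mul(b, 2) ^ gf_mul(c, 3) ^ d,
            a ^ b ^ gf_mul(c, 2) ^ gf_mul(d, 3), gf_mul(a, 3) ^ b ^ c ^ gf_mul(d, 2)]


def mix_columns(s):
    return sum((mix_column(s[4 * j:4 * j + 4]) for j in range(4)), [])


def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]


def aes128_conventional(pt, key):
    """Slide 12, conventional: ARK(K(1)); 9 x (SB, SR, MC, ARK(K(r+1))); SB, SR, ARK(K(11))."""
    K = key_expansion(key)
    s = add_round_key(pt, K[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), K[r])
    return add_round_key(shift_rows(sub_bytes(s)), K[10])


def subround(x, k):
    """One AES subround of slide 13: 4 key additions, 4 S-boxes, 1 MixColumns on 4 bytes."""
    return mix_column([SBOX[xi ^ ki] for xi, ki in zip(x, k)])


def aes128_whitebox_order(pt, key):
    """Slide 12, WB order: 9 x (SR, ARK(K_hat(r)), SB, MC) as four subrounds; SR, ARK(K_hat(10)), SB, ARK(K(11))."""
    K = key_expansion(key)
    K_hat = [shift_rows(k) for k in K]  # SR(x) XOR SR(k) == SR(x XOR k), so SR moves in front of ARK
    s = pt
    for r in range(9):  # the slide's rounds 1..9, each as four independent subrounds
        s = shift_rows(s)
        s = sum((subround(s[4 * j:4 * j + 4], K_hat[r][4 * j:4 * j + 4]) for j in range(4)), [])
    s = sub_bytes(add_round_key(shift_rows(s), K_hat[9]))  # the slide's round 10
    return add_round_key(s, K[10])


def orderings_agree(trials=16, seed=1):
    """Both descriptions give the same ciphertext on seeded random keys and plaintexts."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))
        pt = bytes(rng.randrange(256) for _ in range(16))
        if aes128_conventional(pt, key) != aes128_whitebox_order(pt, key):
            return False
    return True


# FIPS-197 Appendix C.1 test vector (a published value, not constructed here).
FIPS_KEY = bytes(range(16))
FIPS_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

if __name__ == "__main__":
    print(bytes(aes128_conventional(FIPS_PT, FIPS_KEY)).hex())
    print(bytes(aes128_whitebox_order(FIPS_PT, FIPS_KEY)).hex())
```

Running the file prints the FIPS-197 test-vector ciphertext twice, once per ordering. The point of the second function is structural: once ShiftRows has been moved in front of the key addition, the only thing that happens to each 32-bit column in rounds 1-9 is `subround`, which is what a white-box implementation turns into lookup tables and what the encodings of slide 14 wrap.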

SLIDE 14

Encoded AES Subround

[Figure, the naive version: the subround of slide 13 with an input encoding P_i^{(r,j)} in front of each input byte and an output encoding Q_i^{(r,j)} behind each output byte (0 ≤ i ≤ 3)]

[Figure, the generic version: as the naive version, but the key bytes entering subround j come from a permuted position, k_i^{(r,π^{(r)}(j))}, and two further mappings Π_1^{(r,j)} and Π_2^{(r,j)} are inserted into the subround; the slide labels the two attacks that follow, the new attack (collisions) and the BGE attack]

SLIDE 15

Revisiting the BGE Attack

SLIDE 16

BGE Attack, Phase 1

  • obtain the output encodings up to an affine part
  • the same for the input encodings through round r−1

[Figure: the generic encoded subround of round r (encodings P_i^{(r,j)} and Q_i^{(r,j)}, key bytes k_i^{(r,π^{(r)}(j))}, mappings Π_1^{(r,j)} and Π_2^{(r,j)}); after Phase 1 the output encodings Q_i^{(r,j)} and, through the previous round, the encodings Q_{i0}^{(r−1,j0)} are known up to an affine part (marked with hats on the slide)]

SLIDE 17

BGE Attack, Phase 2

  • fully recover the affine output encodings and the key-dependent affine input encodings
  • fully recover the affine input encodings through round r−1

[Figure: after Phase 2 the subround of round r is reduced to affine input encodings P_i^{(r,j)}, the XOR with key bytes k̄_i^{(r,j)}, the four S-boxes, MixColumns and affine output encodings Q_i^{(r,j)}, all on 8-bit wires; the encodings Q_{i0}^{(r−1,j0)} of round r−1 are recovered as well]

with

  [k̄_i^{(r,j)}]_{0≤i≤3} = (Π_1^{(r,j)})^{−1} [k_i^{(r,π^{(r)}(j))}]_{0≤i≤3}

SLIDE 18

Original BGE Attack, Phase 3:
  • apply Phases 1 and 2 to rounds r and r+1 to obtain the round keys
  • relate both round keys via:
    1. the white-box implementation
    2. the AES key scheduling algorithm
  total work factor: 2^30 (no work factor given for Phase 3)

Improved BGE Attack, Phase 3:
  • apply Phases 1 and 2 only to round r to obtain the r-th round key
  • a new method to obtain the (r+1)-th round key
  • an efficient method to determine the correct order of the round keys
  total work factor: 2^22

Per-phase work factors listed on the slide, in the order extracted: 2^30, 2^29, 2^19, 2^22, 2^18, 2^13; [Tolhuizen, 2012] is cited on the slide alongside the Phase 1 and Phase 2 entries.

SLIDE 19

BGE Attack, Phase 3

  • obtain the (r+1)-th round key
  • correctness: x ↦ S(c ⊕ S⁻¹(x)) is non-affine for all non-zero values of c

[Figure: the encoded subround of round r+1 (encodings P_i^{(r+1,j)} and Q_i^{(r+1,j)}, key bytes k̄_i^{(r+1,j)}, mappings Π_1^{(r+1,j)} and Π_2^{(r+1,j)}); the question put to the recovered map k ⊕ S⁻¹(x), followed by S, is: affine?]

SLIDE 20

New Attack based on Collisions

SLIDE 21

[Figure: the encoded AES subround of round r (input encodings P_i^{(r,j)}, key bytes k_i^{(r,j)}, four S-boxes, MixColumns, output encodings Q_i^{(r,j)}); S_i^{(r,j)} denotes the map from the i-th encoded input byte to the i-th S-box output, i.e. input encoding, key addition and S-box taken together]

  • collision? feed α on input byte 0 with the other input bytes zero, feed β on input byte 1 with the other input bytes zero, and compare the first encoded output byte; if the two collide (yes), then

    02 ⊗ S_0^{(r,j)}(α) ⊕ 03 ⊗ S_1^{(r,j)}(0) = 02 ⊗ S_0^{(r,j)}(0) ⊕ 03 ⊗ S_1^{(r,j)}(β)

  • 256 pairs (α, β), with the trivial solution (α, β) = (0, 0)
  • work factor: 2^22

SLIDE 22

[Figure: two consecutive encoded subrounds, round r (encodings P_i^{(r,j)} and Q_i^{(r,j)}, key bytes k_i^{(r,j)}) and round r+1 (encodings P_i^{(r+1,j)} and Q_i^{(r+1,j)}, key bytes k_i^{(r+1,j)}); the question put to the recovered map k ⊕ S⁻¹(x), followed by S, is now: algebraic degree ≤ 4?]

  • obtain the (r+1)-th round key
  • correctness: x ↦ S(c ⊕ S⁻¹(x)) has algebraic degree greater than 4 for all non-zero values of c
SLIDE 23

Cryptanalysis of Karroumi’s White-Box AES Implementation

SLIDE 24

Dual AES Ciphers

  T = { R_l ∘ m_α ∘ f_t | 1 ≤ l ≤ 30, α ∈ F*_256 and 0 ≤ t ≤ 7 }

  • f_t(x) = x^(2^t): squaring operations
  • m_α(x) = α ⊗ x: multiplication with a non-zero constant
  • R_l: isomorphisms between the AES polynomial representation of F_256 and one of the 30 polynomial representations of F_256
  • |T| = 61,200 = 30 · 255 · 8   [Biryukov, De Cannière, Braeken, and Preneel, 2003]

  For Δ ∈ T, with C = AES_k(P):   Δ(C) = AES^Δ_{Δ(k)}(Δ(P))   [Barkan and Biham, 2002]

SLIDE 25

[Figure: an encoded dual AES subround. Each of the four inputs passes through Δ⁻¹_{r−1,sr(i,j)} (undoing the dual transform of the previous round, sr(i,j) being the ShiftRows position the byte comes from), the dual subround AES^{(r,j,Δ_{r,j})} is applied with Δ_{r,j} on each of its four outputs, and input encodings A_i^{(r,j)} and output encodings B_i^{(r,j)} (0 ≤ i ≤ 3) complete the subround]

An encoded dual AES subround ...

SLIDE 26

[Figure: the same subround redrawn. Since AES^{(r,j,Δ_{r,j})} is the dual of AES^{(r,j)}, the Δ_{r,j} and Δ⁻¹_{r−1,sr(i,j)} maps merge with A_i^{(r,j)} and B_i^{(r,j)} into new input encodings P_i^{(r,j)} and output encodings Q_i^{(r,j)} (0 ≤ i ≤ 3) around a plain AES subround AES^{(r,j)}]

... is in fact an encoded AES subround

SLIDE 27
Conclusions

  • reduced the work factor of the BGE attack from 2^30 to 2^22
  • non-affine encodings and permutations on the round key bytes have a negligible contribution to the overall work factor of the improved BGE attack
  • a new attack based on internal collisions with work factor 2^22
  • insecurity of Karroumi’s white-box AES implementation

Open problem: new WB-AES designs?

  • research for new secure WB-AES designs: fixed key vs. dynamic key
  • WBC as part of a bigger program: additional layers of security by obfuscation techniques
  • companies: “security through obscurity”

SLIDE 28

Questions?