

SLIDE 1

White-Box Security Notions for Symmetric Encryption Schemes

Cécile Delerablée (1), Tancrède Lepoint (1, 2), Pascal Paillier (1), Matthieu Rivain (1); (1) CryptoExperts, (2) École Normale Supérieure

SAC 2013

SLIDE 2

Outline

  • 1. What is white-box crypto?
  • 2. A framework of security notions
  • 3. Achieving incompressibility
  • 4. Traceable white-box programs
  • 5. Conclusion

SLIDE 3

What is NOT white-box crypto?

General obfuscation

  • from any program P, generate an obfuscated program O(P)
  • hide any program property π in the code of O(P)
  • meaning: the code of O(P) ≡ a black-box oracle that runs P

How realistic is obfuscation?

  • very strong requirements on the compiler O
  • known impossibility results [BGI+01]

SLIDE 4

What is white-box crypto?

≠ general program obfuscation!

White-box cryptography [CEJO+02]

  • considers programs in a restricted class: programs(f) where f = some keyed function
  • hides some program properties π in the code (but not all)
  • code ≡ a black-box oracle only in some adversarial contexts
  • already provably secure constructions for some f (f = re-encryption [HRSV07, CCV12])
  • no impossibility results so far for f = blockcipher, but no secure construction for e.g. f = AES_k(·), k ← $

SLIDE 5

Our approach

What do we really want from white-box crypto?

  • 1. given k ← $, generate (possibly randomly) P = [AES_k(·)]
  • 2. it must be hard to recover k by playing around with P (OLD)
  • 3. it also must be hard to decrypt under k (OLD)
  • 4. we may want P to be big and incompressible (NEW)
  • 5. we may want to distribute traceable versions P1, . . . , Pn (NEW)

This work

  • we capture 1-5 into concrete security games (OLD+NEW)
  • we build a toy blockcipher that provably satisfies 1-4 (NEW)
  • we build a construction that provably achieves 5 (NEW)

SLIDE 6

Outline, section 2: A framework of security notions

SLIDE 7

White-box compilers

Let E = (K, E, D) be a symmetric encryption scheme.

Definition. A white-box compiler CE takes as input a key k ∈ K and some index r ∈ R and outputs a program P = CE(k, r) = [E_k^r].

Huge behavioral differences between:

  • the function E(·, ·): analytic description or algorithmic description (specification)
  • the oracle E(k, ·): remote access, input/output only, might be stateful (smart card)
  • the program [E_k^r]: a word in a language, stateless since rebootable, copiable, transferable, observable, modifiable, system calls simulatable (executable software)

SLIDE 8

Attack models

Security notion = adversarial goal + attack model

What are the attack models against white-box programs? Given the description of CE(·, ·) and P = [E_k^r] for unknown k ∈ K:

  • chosen-plaintext attack (CPA): can encrypt any plaintext; unavoidable
  • chosen-ciphertext attack (CCA): can make decryption queries to an oracle D(k, ·)
  • recompilation attack (RCA): can make recompilation requests to get other programs CE(k, r′) for unknown r′ ≠ r
  • combined attack (RCA + CCA): most powerful (?)

RCA can be made stronger with known or chosen r′ ∈ R.

What about adversarial goals?

SLIDE 9

Unbreakability – UBK

The UBK game:

  • Challenger: k ← K(), r ←$ R, [E_k^r] = CE(k, r); sends [E_k^r] to the adversary A
  • A: outputs a guess k̂; A wins if k̂ = k
  • extra oracle D(k, ·) (A sends c′, gets m′) in UBK-CCA
  • extra oracle CE(k, R) (A gets fresh programs [E_k^{r′}]) in UBK-RCA

There is no "semantic security" on k since verifying that k̂ = k is easy. So some information on k always leaks.

SLIDE 10

One-wayness – OW

The OW game:

  • Challenger: k ← K(), r ←$ R, [E_k^r] = CE(k, r); m ←$ M, c = E(k, m); sends [E_k^r] and c to the adversary A
  • A: outputs a guess m̂; A wins if m̂ = m
  • extra oracle D(k, ·) (A sends c′, gets m′) in OW-CCA
  • extra oracle CE(k, R) (A gets fresh programs [E_k^{r′}]) in OW-RCA

Again, no semantic security on m since verifying that m̂ = m is easy. Expected since E is a deterministic encryption scheme.

SLIDE 11

Incompressibility – INC

Given a large program, build an equivalent yet much smaller one.

The INC game:

  • Challenger: k ← K(), r ←$ R, [E_k^r] = CE(k, r); sends [E_k^r] to the adversary A
  • A: outputs a program P; A wins if ∆(P, E(k, ·)) ≤ δ (P is functionally close to E(k, ·)) and size(P) < λ
  • extra oracle D(k, ·) (A sends c′, gets m′) in INC-CCA
  • extra oracle CE(k, R) (A gets fresh programs [E_k^{r′}]) in INC-RCA

SLIDE 12

Traceability – TRAC

CE admits a tracing scheme if there exists an algorithm trace such that no adversary can win the "tracing game" TRAC:

  • generate a key k ←$ K and P1 = [E_k^{r1}], . . . , Pn = [E_k^{rn}]
  • A chooses some T ⊆ [1, n] and is provided with {Pi, i ∈ T}
  • A returns some rogue program Q ← A({Pi, i ∈ T})
  • trace a traitor: t ← trace(Q, k, r1, . . . , rn)
  • A wins if Q is functional enough and t ∉ T

SLIDE 13

The big picture

α ⇐ β: if β can be broken, α can be broken.

Adversarial goals:

  INC ⇐ UBK ⇒ TRAC
         ⇓
         OW

Attack models:

  CCA ⇐ CPA
   ⇓     ⇓
  RCA + CCA ⇐ RCA

The weakest security notion is UBK-CPA. We don't even know how to achieve it with E = AES. . .

SLIDE 14

Outline, section 3: Achieving incompressibility

SLIDE 15

Achieving incompressibility

A toy example. . .

G: a group of secret order w; e: an exponent with large entropy.

Hard problems on G, given desc(G) and e:

  • UBK[G]: find the group order w (FACT)
  • ORD[G]: find the order of a group element (≡ FACT)
  • ROOT[G, e]: find the e-th root of a group element (RSA)
  • GAP[G, e]: find the group order w with the help of an e-th root extractor (FACT^RSA, by definition GAP-RSA)

SLIDE 16

Achieving incompressibility

  • Key generation: generate k = (desc(G), e, w)
  • Encryption: E(k, m) = m^e
  • Decryption: D(k, c) = c^(1/e mod w)
  • CE(k, r = "") just returns [m → m^e]

Then ORD[G] ⇐ INC-CPA, assuming that the compressed program is algebraic.

SLIDE 17

ORD[G] ⇐ INC-CPA

(The INC game of slide 11: the challenger draws k ← K(), r ←$ R, hands [E_k^r] = CE(k, r) to A, and A wins by outputting P with ∆(P, E(k, ·)) ≤ δ and size(P) < λ; oracles D(k, ·) in INC-CCA and CE(k, R) in INC-RCA.)

Here, [E_k^r] = [m → m^e] and P is algebraic.

Using extract, we can find an execution of P where P(m) = m^α for a known α. Then

  • either α ≠ e: then e − α is a multiple of ord(m) and we break ORD[G]
  • or α = e: then size(P) ≥ H(e) and P must be big
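The toy scheme of slides 15–17 and the ORD[G] ⇐ INC-CPA argument, worked through as an added Python example (not the authors' code): G is Z_N^* for a constructed toy modulus N = p·q with secret order w = lcm(p − 1, q − 1), encryption is m → m^e with a constructed 31-bit exponent e, and a compressed algebraic program m → m^α with α ≠ e is simulated (using ord(m), which an honest compressor would not know). The function `order_from_multiple` plays the ORD[G] solver: it recovers ord(m) exactly from the multiple e − α. All parameter values and function names are constructed for this example and are far too small for real use.

```python
"""Toy incompressible white-box scheme from slides 15-17 (added example, not the
authors' code). G = Z_N^* with secret order w; E(k, m) = m^e; the white-box
program is just [m -> m^e]; a compressed algebraic program m -> m^alpha with
alpha != e leaks a multiple of ord(m), which is the ORD[G] <= INC-CPA reduction.
All numbers are constructed toy values."""
from math import gcd


def keygen(p, q, e):
    """k = (desc(G), e, w): desc(G) = N = p*q, secret order w = lcm(p-1, q-1)."""
    N = p * q
    w = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, w) != 1:
        raise ValueError("e must be invertible modulo the secret order w")
    return {"N": N, "e": e, "w": w}


def encrypt(k, m):
    """E(k, m) = m^e in G. The white-box program [m -> m^e] computes exactly this,
    so its size is at least the entropy of e (e is never reduced mod w)."""
    return pow(m, k["e"], k["N"])


def decrypt(k, c):
    """D(k, c) = c^(1/e mod w): needs the secret order w."""
    d = pow(k["e"], -1, k["w"])
    return pow(c, d, k["N"])


def element_order(N, m):
    """ord(m) in Z_N^* by brute force: feasible only for toy N. Used to simulate
    what a party solving ORD[G] knows, and as the reference value in the test."""
    if gcd(m, N) != 1:
        raise ValueError("m must be invertible mod N")
    x, o = m % N, 1
    while x != 1:
        x = x * m % N
        o += 1
    return o


def compressed_exponent(k, m):
    """Simulates the compressed algebraic program P with P(m) = m^alpha, alpha < e.
    Building it honestly already needs ord(m); the slide's argument is the converse:
    anyone who finds such an alpha != e holds e - alpha, a multiple of ord(m)."""
    return k["e"] % element_order(k["N"], m)


def order_from_multiple(N, m, M):
    """ORD[G] solver: given M > 0 with m^M = 1 (here M = e - alpha), strip prime
    factors of M from the candidate o while m^(o/p) stays 1, which leaves ord(m).
    Trial division suffices because M < 2^31 in this toy instance."""
    assert M > 0 and pow(m, M, N) == 1
    o, rest, p = M, M, 2
    while p * p <= rest:
        while rest % p == 0:
            rest //= p
            if pow(m, o // p, N) == 1:
                o //= p
        p += 1
    if rest > 1 and pow(m, o // rest, N) == 1:  # one leftover prime factor
        o //= rest
    return o


if __name__ == "__main__":
    k = keygen(1009, 1013, 2**31 - 1)  # constructed toy primes, e = 2^31 - 1
    m = 424242
    alpha = compressed_exponent(k, m)
    recovered = order_from_multiple(k["N"], m, k["e"] - alpha)
    print("alpha =", alpha, "ord(m) recovered from e - alpha =", recovered)
```

The point the test pins down is the dichotomy of slide 17: the only way to shrink the exponent below H(e) while staying functionally equivalent on m is to reduce it modulo ord(m), and whoever can do that has solved ORD[G] for that element (which slide 15 notes is equivalent to FACT).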

SLIDE 18

Achieving incompressibility

Security profile of CE (final state of the diagram built up over slides 18–31):

  ORD[G] ≡ UBK[G]        ROOT[G, e]
    ⇑        ≡               ≡
  INC-CPA ≡ UBK-CPA   ⇒   OW-CPA
    ⇓        ⇓               ⇓
  INC-CCA ≡ UBK-CCA   ⇒   OW-CCA
    ≡        ≡               ≡
  GAP[G, e] GAP[G, e]     trivial

(under standard assumptions)

Read with the convention of slide 13 (α ⇐ β: if β can be broken, α can be broken): breaking INC-CPA solves ORD[G]; UBK-CPA is equivalent to UBK[G] (finding the group order w); OW-CPA is equivalent to ROOT[G, e]; INC-CCA and UBK-CCA are both equivalent to GAP[G, e]; OW-CCA is trivial.

SLIDE 32

Outline, section 4: Traceable white-box programs

SLIDE 33

Traceable white-box programs

Assume we can hide "functional perturbations" in [D_k^r]:

  • a perturbation c_i → m′_i means that [D_k^r](c_i) returns m′_i instead of the correct plaintext m_i = D(k, c_i)
  • the white-box compiler CE now takes a list of perturbations (c_1 → m′_1, c_2 → m′_2, . . . , c_u → m′_u) as extra input
  • assuming perturbations are "hidden", we can construct a log-efficient tracing scheme

SLIDE 34

Traceable white-box programs

Setup (user program, specification, perturbations):

  • P1: [D(k, ·)] with perturbations on c1, c2, . . . , cn
  • P2: [D(k, ·)] with perturbations on c2, c3, . . . , cn
  • P3: [D(k, ·)] with perturbations on c3, c4, . . . , cn
  • . . .
  • Pn−1: [D(k, ·)] with perturbations on cn−1, cn
  • Pn: [D(k, ·)] with perturbations on cn

Note that

  • 1. when c ≠ c1, . . . , cn, all programs decrypt c correctly
  • 2. when c = ci, programs P1, . . . , Pi are incorrect on c but Pi+1, . . . , Pn are correct

SLIDE 35

Traceable white-box programs

We get a private-key linear broadcast encryption (PLBE) scheme. With

  p(0) = Pr[Q(c) = D(k, c)] for c ←$ C
  p(v) = Pr[Q(c_v) = D(k, c_v)] for v = 1, . . . , n

if there is a gap on the curve of p(v) for some v, then v is a traitor.

SLIDE 36

Traceable white-box programs

Tracing algorithm on a rogue decryption program Q: estimate p(v) as p̂(v) and find a gap using dichotomy ⇒ takes O(log n) executions of Q. Requires 2 assumptions on "how well" perturbations are hidden by the white-box compiler. See details in the paper.
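The setup table of slide 34, the curve p(v) of slide 35 and the dichotomy of slide 36, as an added Python simulation (not the authors' code and not the paper's exact tracing algorithm): real decryption is replaced by a constructed lookup table, user program P_i is wrong exactly on c_i, . . . , c_n as in the table, a coalition's rogue program Q answers by majority vote over the programs it holds, and `trace` locates the gap in p̂(v) by binary search. The function names, the coalition and all values are constructed; the hiding assumptions of slide 36 are modelled only in that the pirate cannot tell tracing ciphertexts from ordinary ones.

```python
"""Simulation of the tracing scheme of slides 33-36 (added example, not the
authors' code nor the paper's exact algorithm). Decryption is a lookup: user
program P_i answers tracing ciphertexts c_1..c_n correctly except on c_i, ..., c_n,
where its hidden perturbation returns a wrong plaintext. A rogue program Q built
by a coalition is traced by dichotomy on p(v). All values are constructed."""


def make_user_programs(n, correct, wrong):
    """correct[v] is D(k, c_v) and wrong[v] the perturbed output m'_v, for v = 1..n;
    v = 0 stands for a random ciphertext c <- C, which no program perturbs."""
    def program(i):
        def decrypt(v):
            # P_i is perturbed exactly on c_i, ..., c_n (setup table of slide 34)
            return wrong[v] if 1 <= i <= v else correct[v]
        return decrypt
    return {i: program(i) for i in range(1, n + 1)}


def rogue_majority(coalition_programs):
    """One pirate strategy: Q returns the majority answer of the coalition's programs
    (a deterministic Q, so p(v) is a step function whose gap sits at a traitor)."""
    progs = list(coalition_programs)

    def Q(v):
        votes = {}
        for P in progs:
            out = P(v)
            votes[out] = votes.get(out, 0) + 1
        return max(votes, key=votes.get)
    return Q


def estimate_p(Q, correct, v, samples=8):
    """p^(v): empirical estimate of Pr[Q(c_v) = D(k, c_v)] from `samples` runs of Q.
    Q is deterministic here; the estimator is kept so a noisy Q fits the same code."""
    hits = sum(Q(v) == correct[v] for _ in range(samples))
    return hits / samples


def trace(Q, correct, n, threshold=0.5):
    """Dichotomy on v: p(0) is high (random ciphertexts decrypt fine) and p(n) is low
    (every P_i is perturbed on c_n). Keep lo with p^(lo) >= threshold and hi with
    p^(hi) < threshold; when hi = lo + 1 the gap is at hi, which names a traitor.
    Returns (traitor or None, number of estimates); the count is O(log n)."""
    estimates = 1
    if estimate_p(Q, correct, n) >= threshold:
        return None, estimates  # Q is right on c_n: no gap as modelled, accuse nobody
    lo, hi = 0, n
    while hi - lo > 1:
        mid = (lo + hi) // 2
        estimates += 1
        if estimate_p(Q, correct, mid) >= threshold:
            lo = mid
        else:
            hi = mid
    return hi, estimates


if __name__ == "__main__":
    n = 16
    correct = {v: 1000 + v for v in range(n + 1)}  # constructed plaintext table
    wrong = {v: -v for v in range(n + 1)}          # constructed perturbed outputs
    programs = make_user_programs(n, correct, wrong)
    Q = rogue_majority([programs[3], programs[7], programs[9]])
    print("traced traitor and number of p^ estimates:", trace(Q, correct, n))
```

With the coalition {3, 7, 9} the majority vote is wrong from c_7 onwards, so p(v) drops from 1 to 0 at v = 7 and the binary search names user 7 after four estimates, one per halving of [0, 16]; a single leaked program P_11 is found at v = 11 the same way. A tracer that accuses on a tiny gap would risk framing an innocent user, which is why the slide conditions the result on how well the perturbations are hidden.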

SLIDE 37

Outline, section 5: Conclusion

SLIDE 38

Conclusion

New achievements

  • framework of proper security notions for white-box compilers
  • unbreakability + one-wayness + incompressibility is achievable
  • traceability of programs is achievable under assumptions

A lot of issues remain

  • are there any other security notions of interest? unforgeability? non-malleability? public verifiability?
  • can we achieve any of these notions with a true blockcipher? . . . even just UBK-CPA with f = AES?
  • can we extend traceability for f = any keyed function?
