Protect white-box AES to resist table composition attacks

Title: Protect white-box AES to resist table composition attacks
Publication Type: Journal Article
Year of Publication: 2018
Authors: Bai, Kunpeng; Wu, Chuankun; Zhang, Zhenfeng
Journal: IET Information Security
Volume: 12
Pagination: 305–313
ISSN: 1751-8717
Keywords: affine mappings, Billet et al.'s attack, composability, computational complexity, cryptographic software protection, data protection, De Mulder et al.'s attack, key recovery attacks, key-embedding lookup tables, Metrics, pubcrawl, public key cryptography, Resiliency, Secret key, Table lookup, table-composition-targeting cryptanalysis techniques, table-composition-targeting white-box attacks, Time complexity, WBAC, white box cryptography, white-box AES protection, white-box attack context, white-box cryptography
Abstract: White-box cryptography protects cryptographic software in a white-box attack context (WBAC), where the dynamic execution of the cryptographic software is under full control of an adversary. Protecting AES in the white-box setting attracted many scientists and engineers, and several solutions emerged. However, almost all these solutions have been badly broken by various efficient white-box attacks, which target compositions of key-embedding lookup tables. In 2014, Luo, Lai, and You proposed a new WBAC-oriented AES implementation, and claimed that their implementation is secure against both Billet et al.'s attack and De Mulder et al.'s attack. In this study, based on the existing table-composition-targeting cryptanalysis techniques, the authors show that the secret key of the Luo-Lai-You (LLY) implementation can be recovered with a time complexity of about 2^44. Furthermore, the authors propose a new white-box AES implementation based on table lookups, which is shown to be resistant against the existing table-composition-targeting white-box attacks. The authors' key-embedding tables are obfuscated with large affine mappings, which cannot be cancelled out by table compositions of the existing cryptanalysis techniques. Although their implementation requires twice as much memory as the LLY WBAES to store the tables, its speed is about 63 times that of the latter.
DOI: 10.1049/iet-ifs.2017.0046
Citation Key: bai_protect_2018