Abstract

White-box cryptography attempts to protect cryptographic secrets in pure software implementations. Due to their high utility, white-box cryptosystems (WBC) are deployed by the industry even though the security of these constructions is not well defined. A major breakthrough in generic cryptanalysis of WBC was Differential Computation Analysis (DCA), which requires minimal knowledge of the underlying white-box protection and also thwarts many obfuscation methods. To avert DCA, classic masking countermeasures originally intended to protect against the highly related side-channel attacks have been proposed for use in WBC. However, due to the controlled environment of WBCs, new algebraic attacks against classic masking schemes have quickly been found. These algebraic DCA attacks break all classic masking countermeasures efficiently, as they are independent of the masking order. In this work, we propose a novel generic masking scheme that can resist both DCA and algebraic DCA attacks. The proposed scheme extends the seminal work by Ishai et al., which is probing secure and thus resists DCA, to also resist algebraic attacks. To prove the security of our scheme, we demonstrate the connection between two main security notions in white-box cryptography: probing security and prediction security. Resistance of our masking scheme to DCA is proven for an arbitrary order of protection, using the well-known strong non-interference notion by Barthe et al. Our masking scheme also resists algebraic attacks, which we show concretely for first- and second-order algebraic protection. Moreover, we present an extensive performance analysis and quantify the overhead of our scheme for a proof-of-concept protection of an AES implementation.

Highlights

  • Protecting secrets purely in software is a great challenge, especially if a full system compromise is not declared out-of-scope of the security model

  • White-box cryptography has become a popular method to protect cryptographic keys in an insecure software realm potentially controlled by the adversary

  • Algebraic attacks have shown the inefficacy of classic side-channel countermeasures when they are applied in the white-box setting


Summary

Introduction

Protecting secrets purely in software is a great challenge, especially if a full system compromise is not declared out-of-scope of the security model. While there exist informal ideas on how to create a secure white-box design that can resist both computational and algebraic attacks, formal and generic constructions with a security analysis are missing. Our contribution: In this paper, we provide the first generic and combined masking scheme that resists both classes of state-of-the-art white-box attacks, computational and algebraic. Although classic masking schemes can be applied to WBC, none of them can individually achieve security against both attacks. To fill this gap, we examine the ISW transformation introduced by Ishai et al. [ISW03] and extend it to the white-box context. We prove that our masking scheme is secure against computational attacks by showing that it is secure in the probing model at the given order, using the non-interference notions of Barthe et al. [BBD+16]. We show that our combined approach outperforms previous approaches, which required combining two different masking schemes to resist both attacks.
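The abstract and the introduction both rest on one observation: classic Boolean masking of order d defeats first-order DCA (every single recorded value is uniformly random and independent of the key), yet the unmasking operation is an XOR of the shares, so recovering a sensitive bit from the recorded values is a linear problem over GF(2) whose cost depends on the number of recorded nodes, not on d. The following Python toy is an added illustration of that point and is not code from the paper or its AES implementation. Everything in it is constructed: a 4-bit bent function f(x XOR k) stands in for an S-box output bit (bent, so every wrong key disagrees on exactly half of the inputs), the key 0xB, the three key-independent "noise" nodes, the 512 collected traces, and the simple linear-decoding check used here as a representative algebraic attack.

```python
"""
Added toy illustration (not code from the paper): d-th order Boolean
masking stops first-order DCA, but a linear algebraic attack on the same
recorded node values succeeds for any d, because unmasking is XOR.
All target-function, key, noise and trace data below are constructed.
"""
import random

D_NOISE = 3          # key-independent random nodes recorded next to the shares
N_TRACES = 512       # software traces the attacker collects (constructed)


def target_bit(x, k):
    """Sensitive bit the attacker predicts: f(x XOR k), f bent on 4 bits.
    Stands in for an S-box output bit; bent means no wrong key prediction
    is an affine function of the true bit."""
    v = x ^ k
    return ((v & 1) & (v >> 1 & 1)) ^ ((v >> 2 & 1) & (v >> 3 & 1))


def masked_trace(x, k, d, rng):
    """Node values recorded from one run of a toy white-box that keeps the
    sensitive bit as d Boolean shares (XOR of shares == bit)."""
    b = target_bit(x, k)
    shares = [rng.getrandbits(1) for _ in range(d - 1)]
    last = b
    for s in shares:
        last ^= s
    shares.append(last)
    noise = [rng.getrandbits(1) for _ in range(D_NOISE)]
    return shares + noise


def collect(k, d, seed=1):
    """Attacker's trace set: random inputs plus the recorded nodes."""
    rng = random.Random(seed)
    xs = [rng.getrandbits(4) for _ in range(N_TRACES)]
    return xs, [masked_trace(x, k, d, rng) for x in xs]


def dca_first_order(xs, traces):
    """Classic first-order DCA: correlate each single node with the predicted
    bit under every key guess; returns (best key guess, its best |corr|)."""
    best = (None, -1.0)
    for kg in range(16):
        pred = [target_bit(x, kg) for x in xs]
        for j in range(len(traces[0])):
            agree = sum(t[j] == p for t, p in zip(traces, pred))
            score = abs(2.0 * agree / len(xs) - 1.0)   # |correlation| of two bits
            if score > best[1]:
                best = (kg, score)
    return best


def gf2_consistent(rows, rhs, ncols):
    """True iff the GF(2) system rows * a = rhs has a solution.  rows are ints
    (bit j = coefficient of unknown j), rhs is a list of 0/1.  Incremental
    Gaussian elimination; the right-hand side rides along as bit `ncols`."""
    mask = (1 << ncols) - 1
    basis = {}                               # pivot bit -> reduced row
    for r, b in zip(rows, rhs):
        aug = (r & mask) | (b << ncols)
        while aug & mask:
            p = (aug & mask).bit_length() - 1
            if p in basis:
                aug ^= basis[p]
            else:
                basis[p] = aug
                break
        else:
            if aug >> ncols:                 # reduced to 0 = 1: inconsistent
                return False
    return True


def lda_attack(xs, traces):
    """Linear decoding: a key guess survives iff its predicted bit is an affine
    combination of the recorded nodes on every trace.  One elimination per
    guess, with a cost that does not grow with the masking order d."""
    m = len(traces[0])
    ncols = m + 1                            # extra constant column (affine)
    rows = []
    for t in traces:
        r = 1 << m
        for j, v in enumerate(t):
            r |= v << j
        rows.append(r)
    return [kg for kg in range(16)
            if gf2_consistent(rows, [target_bit(x, kg) for x in xs], ncols)]


if __name__ == "__main__":
    KEY = 0xB                                # constructed secret
    for d in (1, 2, 4):
        xs, tr = collect(KEY, d)
        print(f"d={d}: DCA -> {dca_first_order(xs, tr)}, LDA -> {lda_attack(xs, tr)}")
```

With d = 1 the single share is the sensitive bit itself and first-order DCA returns the key with correlation 1.0; for d >= 2 every node is uniformly random, all correlations collapse towards zero, and DCA would need a d-th order combination of nodes to recover anything. The linear-decoding pass returns exactly the correct key for d = 1, 2 and 4 alike, because the XOR that reassembles the shares is itself an affine combination the solver finds. The paper's countermeasure, which extends the ISW transformation so that this linear structure is no longer available to the attacker, is not reproduced here.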

Preliminaries
Secure Masking Construction
Gate Transformations
Correctness and Performance Analysis
Security Against Computational and Algebraic Attacks
Security Notions
Security Against Computational Attacks in the Probing Model
Encoding-Circuit Composability
Circuit Composability
Prediction Security – a Summary
A Proof-of-Concept AES Implementation
Experimental Evaluation
Conclusion
A Additional Proofs
B Example Constructions