Abstract
A linear transformation is applied to the white-box cryptographic implementation for the diffusion effect to prevent key-dependent intermediate values from being analyzed. However, it has been shown that there still exists a correlation before and after the linear transformation, and thus this is not enough to protect the key against statistical analysis. So far, the Hamming weight of rows in the invertible matrix has been considered the main cause of the key leakage from the linear transformation. In this study, we present an in-depth analysis of the distribution of intermediate values and the characteristics of block invertible binary matrices. Our mathematical analysis and experimental results show that the balanced distribution of the key-dependent intermediate value is the main cause of the key leakage.
Highlights
From a secret key point of view, a block cipher can be seen as a secret bijection between a plaintext set and a ciphertext set
Our work is motivated by the fact that white-box cryptography can be broken by simple statistical analysis [18], [20] without having to perform cryptanalysis. This implies that the linear and nonlinear transformations of white-box cryptography cannot prevent the key leakage from statistical analysis
We present our mathematical analysis and experimental results showing that the main cause of the key leakage is related to the distribution of the intermediate values rather than some characteristic of the matrix
Summary
From a secret key point of view, a block cipher can be seen as a secret bijection between a plaintext set and a ciphertext set. Our work is motivated by the fact that white-box cryptography can be broken by simple statistical analysis [18], [20] without having to perform cryptanalysis This implies that the linear and nonlinear transformations of white-box cryptography cannot prevent the key leakage from statistical analysis (the term key leakage means that the key is recovered by some technique of the attack). The key leakage happens with overwhelming probability if the invertible matrix used for the linear transformation has rows of HW 1; otherwise, the correct key is supposed to be indistinguishable from the wrong key hypothesis [21], [22] It was recommended in white-box cryptography to choose a block invertible binary matrix consisting of full-rank submatrices for carrying maximum. A white-box cryptographic implementation consisting of lookup tables generated using block invertible matrices should not cause a key leakage.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
