Improvement on a Masked White-Box Cryptographic Implementation
White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recov...
Main Authors: | Seungkwang Lee, Myungchul Kim |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2020-01-01 |
Series: | IEEE Access |
Subjects: | White-box cryptography, AES, DCA, collision attack, bucketing attack, countermeasure |
Online Access: | https://ieeexplore.ieee.org/document/9091057/ |
_version_ | 1798001909574926336 |
---|---|
author | Seungkwang Lee; Myungchul Kim |
collection | DOAJ |
description | White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation was suggested. It was a customized masking technique that randomizes all the values in the lookup tables with different masks. However, the round output was only permuted by byte encodings, not protected by masking. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptography in such a way to protect against DCA variants by obfuscating the round output with random masks. Specifically, we introduce a white-box AES (WB-AES) implementation applying the masking technique to the key-dependent intermediate value and the several outer-round outputs computed by partial bits of the key. Our analysis and experimental results show that the proposed WB-AES can protect against DCA variants including DCA with a 2-byte key guess, collision, and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES. |
first_indexed | 2024-04-11T11:43:46Z |
format | Article |
id | doaj.art-c8943d00df204f4c97a6ab35aea74487 |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-04-11T11:43:46Z |
publishDate | 2020-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-c8943d00df204f4c97a6ab35aea74487; 2022-12-22T04:25:43Z; eng; IEEE; IEEE Access; 2169-3536; 2020-01-01; 8; 90992; 91004; 10.1109/ACCESS.2020.2993651; 9091057; Improvement on a Masked White-Box Cryptographic Implementation; Seungkwang Lee (0), https://orcid.org/0000-0001-9534-9624; Myungchul Kim (1), https://orcid.org/0000-0001-8077-0053; Department of School of Computing, Korea Advanced Institute of Science and Technology (KAIST), Daejeon, South Korea; Department of School of Computing, Korea Advanced Institute of Science and Technology (KAIST), Daejeon, South Korea; White-box cryptography is a software technique to protect secret keys of cryptographic algorithms from attackers who have access to memory. By adapting techniques of differential power analysis to computation traces consisting of runtime information, Differential Computation Analysis (DCA) has recovered the secret keys from white-box cryptographic implementations. In order to thwart DCA, a masked white-box implementation was suggested. It was a customized masking technique that randomizes all the values in the lookup tables with different masks. However, the round output was only permuted by byte encodings, not protected by masking. This is the main reason behind the success of DCA variants on the masked white-box implementation. In this paper, we improve the masked white-box cryptography in such a way to protect against DCA variants by obfuscating the round output with random masks. Specifically, we introduce a white-box AES (WB-AES) implementation applying the masking technique to the key-dependent intermediate value and the several outer-round outputs computed by partial bits of the key. Our analysis and experimental results show that the proposed WB-AES can protect against DCA variants including DCA with a 2-byte key guess, collision, and bucketing attacks. This work requires approximately 3.7 times the table size and 0.7 times the number of lookups compared to the previous masked WB-AES.; https://ieeexplore.ieee.org/document/9091057/; White-box cryptography; AES; DCA; collision attack; bucketing attack; countermeasure |
title | Improvement on a Masked White-Box Cryptographic Implementation |
topic | White-box cryptography; AES; DCA; collision attack; bucketing attack; countermeasure |
url | https://ieeexplore.ieee.org/document/9091057/ |