Research On White-box Cryptography

Posted on: 2017-03-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T T Lin
GTID: 1368330590990811
Subject: Computer Science and Technology
Abstract/Summary:
Traditionally, cryptographic schemes are designed to protect private information such as secret keys against black-box attacks. Under such attacks, an adversary only has knowledge of the scheme and its various input-output values. In contrast, under white-box attacks, a cryptographic scheme is assumed to execute on an un-trusted platform, and a white-box adversary is assumed to have full control over the internal details of the execution. Therefore, traditional cryptographic schemes can no longer protect private information. White-box cryptography aims at making implementations of cryptographic systems robust against white-box attacks and at constructing cryptographic systems that still achieve their functionality (such as encryption, decryption and authentication) under white-box attacks. White-box cryptography is a huge step forward in modern cryptography and has received more and more attention in recent years. Many topics in white-box cryptography are worthy of deeper study, because its theoretical framework has not been completed and more secure white-box schemes are needed.

This thesis covers three parts of white-box cryptography. In terms of the theoretical framework, two discussions and some new results about white-box security are presented; in terms of cryptanalysis, two attacks against white-box SMS4 implementations are proposed, by which their secret keys are recovered efficiently; in terms of white-box schemes, two fresh white-box encryption schemes are proposed and detailed analyses are made of their security and efficiency. The main contributions are as follows:

1. For an important piece of progress, the white-box property (WBP) and its negative and positive results, we make some discussions and achieve some new results. For the negative result, we prove that an insufficiently secure obfuscator is the real cause of the negative result. We point out that the security of a white-box scheme cannot be guaranteed if it is instantiated by a weakly secure obfuscator, since the obfuscator used in the proof of the negative result does not satisfy the "Virtual Black-box Property with auxiliary input". From our proof, we also conclude that the notion WBP is equal to the "Virtual Black-box Property with auxiliary input" in some sense. For the positive result, we prove that two security notions are misused in the proof, and we conclude that a security notion under the black-box model should not be used in the white-box context without any modification.

2. For a white-box implementation of SMS4 proposed in 2009, we present an efficient attack and explain in detail how to extract the embedded round key with worst-case time complexity of O(2^47). In our attack, we combine some steps of adjacent rounds, cancel out the internal network encodings, construct some algebraic expressions of affine transformations, solve the equations, use differential analysis to recover the inserted random transformation, and finally extract the round key.

3. For a lightweight white-box symmetric encryption algorithm presented in 2015, we propose an attack based on the affine equivalence algorithm presented by Biryukov et al. First, we add some steps to the affine equivalence algorithm and obtain an adjusted version of it. Second, we combine some look-up tables and construct the affine equivalence problems. Third, we use the adjusted version of the affine equivalence algorithm to solve the problems. Consequently, we can recover the key with worst-case time complexity of O(2^49). As an improvement, we suggest combining two T-boxes. With the increase in the size of the T-boxes, the time complexity of our attack increases to O(2^92). The attack has been implemented in C++ and tested a sufficient number of times. The experimental results show that the round key can be recovered from the encryption algorithm within several seconds.

4. We construct a new white-box scheme based on the SMS4 framework. In the scheme, we partition the basic framework of SMS4 into several steps and encode every step by inserting random bijections. The encryption process is completed by a series of look-up tables. We do not use network encodings, so the random bijections are not cancelled out at the end of the scheme. Therefore, the scheme is not an implementation of SMS4 but a fresh white-box scheme. It is advantageous in thwarting extraction attacks and reconstitution attacks. It also has a smaller space requirement and achieves better performance.

5. With the unbalanced Feistel network and the ASASASA structure, we present a Feistel-type white-box encryption scheme that is not a variant of any existing encryption scheme, but an entirely new white-box solution. Because of the unbalanced Feistel network, the total block length of our scheme is variable, and the space requirement of our solution grows extremely slowly with the growth of the total block length. The block length and S-box size of the ASASASA structure are fixed to 16 bits, and the size of the affine layer is equal to that of the S layer, which thwarts the attack specific to ASASASA. Also, our scheme is a fresh scheme, so it is advantageous in bypassing attacks aimed at white-box variants of existing ciphers. Moreover, we present a definition of "white-box security with regard to equivalent key" by modifying the weak white-box security notion. By detailed analysis, we show that our solution performs well in satisfying basic security standards and our security definition, in thwarting known attacks, and in space requirement.
Keywords/Search Tags:white-box cryptography, Feistel network, obfuscation, SMS4, look-up table, un-trusted platform, white-box attack