white box cryptography
play

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect - PowerPoint PPT Presentation

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to protect a cryptographic key? Well, put it in a smartcard of course! ... or any piece of secure hardware But... Secure hardware is expensive


  1. White-Box Cryptography Matthieu Rivain CARDIS 2017

  2. How to protect a cryptographic key?

  3. How to protect a cryptographic key? Well, put it in a smartcard of course! ... or any piece of secure hardware

  4. But... ∎ Secure hardware is expensive (production, integration, infrastructures...) ∎ Long lifecycle, limited updates ∎ Bugs, security flaws might occur ▸ e.g. ROCA vulnerability (October 2017)

  5. Pure software applications ∎ Advantages: cheaper, faster time-to-market, easier to update ∎ Big trend in ICTs: cloud service + mobile app ∎ HCE-based mobile payment ▸ SE not available ▸ Emulated SE in software ▸ Short-term keys (tokens) ▸ Regular authentication to server (“always on” paradigm)

  6. Pure software applications ∎ IoT (without SE) ∎ Content protection, DRM ∎ OS / firmwares

  7. Protecting keys in software? ∎ Potential threats: ▸ malwares ▸ co-hosted applications ▸ users themselves ▸ ... ∎ White-box adversary model ▸ analyse the code ▸ access the memory ▸ tamper with execution ▸ ... ∎ Ex: scan the memory for secret keys Illustration: Shamir, van Someren. Playing hide and seek with stored keys .

  8. White-box cryptography General idea: hide the secret key in an obfuscated cryptographic implementation Illustration: http://www.whiteboxcrypto.com/

  9. A scientific timeline Reign of black-box crypto

  10. A scientific timeline Side-channel attacks power timing Reign of analysis attacks black-box 1996 1999 crypto

  11. Cryptographic obfuscation (Barak et al. CRYPTO 2001) Theoretical foundations & impossibility result Side-channel attacks power timing Reign of analysis attacks black-box 1996 1999 2001 crypto

  12. Cryptographic obfuscation (Barak et al. CRYPTO 2001) Theoretical foundations & impossibility result Side-channel attacks power timing Reign of analysis 2002 attacks black-box 1996 1999 2001 crypto White-box cryptography (Chow et al. SAC 2002, DRM 2002) Introduce WBC terminology Describe obfuscated implemen- tations DES and AES

  13. Cryptographic obfuscation (Barak et al. CRYPTO 2001) Theoretical foundations & impossibility result Side-channel attacks power timing Reign of analysis 2002 attacks No WBC land black-box 1996 1999 2001 2004 crypto White-box cryptography (Chow et al. SAC 2002, DRM 2002) Introduce WBC terminology Describe obfuscated implemen- tations DES and AES

  14. Cryptographic obfuscation First candidates (Barak et al. CRYPTO 2001) of secure constructions Theoretical foundations & impossibility result (Garg et al. EC’13, FOCS’13) Constructions of multilinear maps and indisting. obfuscation (IO) + many many papers Side-channel attacks power timing Reign of analysis 2002 attacks No WBC land black-box 1996 1999 2001 2004 2013 crypto White-box cryptography (Chow et al. SAC 2002, DRM 2002) Introduce WBC terminology Describe obfuscated implemen- tations DES and AES

  15. Cryptographic obfuscation First candidates (Barak et al. CRYPTO 2001) of secure constructions Theoretical foundations & impossibility result (Garg et al. EC’13, FOCS’13) Constructions of multilinear maps and indisting. obfuscation (IO) + many many papers Side-channel attacks power timing Reign of analysis 2002 2015 attacks No WBC land black-box 1996 1999 2001 2004 2013 crypto Generic attacks White-box cryptography Differential Computation Analysis (DCA), Fault (Chow et al. SAC 2002, DRM 2002) Attacks, ... Introduce WBC terminology New paradigm Describe obfuscated implemen- tations DES and AES

  16. Cryptographic obfuscation First candidates (Barak et al. CRYPTO 2001) of secure constructions Theoretical foundations & impossibility result (Garg et al. EC’13, FOCS’13) Constructions of multilinear maps and indisting. obfuscation (IO) + many many papers Side-channel attacks power timing Reign of analysis 2002 2015 2017 attacks No WBC land black-box 1996 1999 2001 2004 2013 crypto Generic attacks White-box cryptography Differential Computation Analysis (DCA), Fault (Chow et al. SAC 2002, DRM 2002) Attacks, ... Introduce WBC terminology New paradigm Describe obfuscated implemen- tations DES and AES ECRYPT / CHES’17 WBC competition

  17. Overview of this talk ∎ White-box crypto theory ▸ Formal definitions & security notions ∎ White-box crypto practice ▸ Practical constructions & attacks ∎ White-box crypto competition ▸ Wrap-up, break of challenge 777

  18. White-Box Crypto Theory

  19. What is a program? ∎ A word in a formal language P ∈ L execute ∶ L × { 0 , 1 } ∗ → { 0 , 1 } ∗ ( P,input ) ↦ output (Universal Turing Machine) ∎ ∣ P ∣ : size of P ∈ L ∎ time ( P ) : # operations for execute ( P, ⋅ )

  20. What is a program? ∎ P ≡ f ( P implements f ) ∀ x ∶ execute ( P,x ) = f ( x ) ∎ P 1 ≡ P 2 (functional equivalence) ∀ x ∶ execute ( P 1 ,x ) = execute ( P 2 ,x ) ∎ Straight-line programs ▸ no conditional statements, no loops ▸ ∣ P ∣ = time ( P )

  21. What is an obfuscator? ∎ An algorithm: randomness O ( P ) ≡ P P ∎ Size and execution time increase (hopefully not too much)

  22. What is a white-box compiler? randomness [ E k ] ≡ E k ( · ) k key encryption program ∎ Specific to an encryption function E ∎ Can be constructed from an obfuscator O → [ E k ] k → P ≡ E k ( ⋅ ) �

  23. What is an adversary? ∎ An algorithm: randomness � 0 O ( P ) 1 obfuscated 1 bit of program information ∎ Ex: msb of k if P ≡ AES k ( ⋅ ) ∎ Wlg: ∄ 1-bit � ⇒ ∄ multi-bit �

  24. [Barak et al. – CRYPTO 2001] On the (Im)possibility of Obfuscating Programs ∎ Virtual Black Box (VBB) security notion ∎ Impossibility result: VBB cannot be achieved for all programs (counterexample) ∎ Indistinguishability Obfuscation (IO)

  25. VBB security notion adversary � 0 ∀ O ( P ) 1 ≃ P ( x ) � 0 ∃ S P 1 x simulator ∎ O ( P ) reveals nothing more than the I/O behavior of P

  26. Impossibility result P ∗ inputs secret keys k P k ∗ 1 , k ∗ 2 ? = k ∗ k 1 yes no output k ∗ 2 ? P ( k ∗ = k ∗ 1 , ⊥ ) 2 yes no output k ∗ output 0 1 P ∗ cannot be VBB obfuscated: ▸ BB access to P ∗ reveals nothing ▸ But O ( P ∗ )( 0 ,O ( P ∗ )) = k ∗ 1

  27. The good news ∎ The impossibility result does not apply to a given encryption algorithm ∎ VBB AES might exist AES k ( · ) m c � � 0 0 S WB-AES k ≃ 1 1 ∎ The bad news: seems very hard to achieve

  28. Indistinguishability Obfuscation (IO) ∎ Notion restricted to straight-line programs ∎ For any ( P 1 ,P 2 ) st P 1 ≡ P 2 and ∣ P 1 ∣ = ∣ P 2 ∣ � � 0 0 O ( P 1 ) O ( P 2 ) ≃ 1 1 ∎ i.e. O ( P 1 ) and O ( P 2 ) are indistinguishable

  29. Why is IO meaningful? ∎ IO ⇔ Best Possible Obfuscation ∎ For any P ′ : ≡ P ′ P � � 0 0 O ( P ) S P ′ ≃ 1 1 ∎ O ( P ) doesn’t reveal anything more than the best obfuscated program P ′

  30. Is IO meaningful for WBC? ∎ IO does not imply resistance to key extraction ∎ For instance Any prog P ≡ AES k ( ⋅ ) � → Ref implem of AES k ( ⋅ ) ∎ Nevertheless ∃ P ∗ ≡ AES k ( ⋅ ) secure ⇒ ∀ P ≡ AES k ( ⋅ ) with ∣ P ∣ ≥ ∣ P ∗ ∣ : IO ( P ) secure

  31. iO AES simple VBB AES AES ? Obfuscation scale

  32. iO AES simple VBB further white-box AES AES ? security notions Obfuscation scale

  33. White-box security notions ∎ Unbreakability : resistance to key extraction WB-AES k k ∎ Basic requirement but insufficient in practice ∎ Other security notions ▸ [SWP09] Towards Security Notions for White-Box Cryptography (ISC 2009) ▸ [DLPR13] White-Box Security Notions for Symmetric Encryption Schemes (SAC 2013)

  34. One-wayness ∎ One-wayness : hardness of inversion m WB-AES k m c ∎ Turns AES into a public-key cryptosystem ∎ PK crypto with light-weight private operations

  35. Incompressibility ∎ Incompressibility : hardness of compression WB-AES k AES k < 10 KB > 10 GB ∎ Makes the implementation less convenient to share at a large scale

  36. Incompressibility ∎ Incompressible primitives recently proposed ▸ Bogdanov et al. (CCS 2015, Asiacrypt 2016) ▸ Fouque et al. (Asiacrypt 2016) ∎ But no white-box implementations of a standard cipher ( e.g. AES)

  37. Security features ∎ Traceability : WB implem traceable T WB-AES k, id Π ≡ AES k ( · ) id

  38. Security features ∎ Traceability : WB implem traceable WB-AES k, id 1 T WB-AES k, id WB-AES k, id 2 Π ≡ AES k ( · ) id ∈ { id 1 , id 2 , . . . , id t } WB-AES k, id t

  39. Security features ∎ Traceability : WB implem traceable WB-AES k, id 1 T WB-AES k, id WB-AES k, id 2 Π ≡ AES k ( · ) id ∈ { id 1 , id 2 , . . . , id t } WB-AES k, id t ∎ Password : WB implem locked by password ˆ m π WB-AES k,π if ( ˆ π == π ) c = AES k ( m ) return AES k ( m ) else return ⊥ max proba 2 −| π | c

  40. Some relations ∎ [DLPR13] Perturbation-Value Hiding notion: PVH ⇒ traceability ∎ If the underlying encryption scheme is secure: INC ⇓ OW ⇒ UBK ⇐ PVH

  41. Some relations ∎ [DLPR13] Perturbation-Value Hiding notion: PVH ⇒ traceability ∎ If the underlying encryption scheme is secure: INC ⇓ VBB ⇒ OW ⇒ UBK ⇐ PVH ⇐ VBB

Recommend


More recommend