
  1. White-Box Security Notions for Symmetric Encryption Schemes
  Cécile Delerablée (1), Tancrède Lepoint (1, 2), Pascal Paillier (1), Matthieu Rivain (1)
  (1) CryptoExperts, (2) École Normale Supérieure
  SAC 2013

  2. Outline
  1. What is white-box crypto?
  2. A framework of security notions
  3. Achieving incompressibility
  4. Traceable white-box programs
  5. Conclusion

  3. What is NOT white-box crypto?
  General obfuscation:
  - from any program $P$, generate an obfuscated program $O(P)$
  - hide any program property $\pi$ in the code of $O(P)$
  - meaning: the code of $O(P)$ $\equiv$ a black-box oracle that runs $P$
  How realistic is obfuscation?
  - very strong requirements on the compiler $O$
  - known impossibility results [BGI+01]

  4. What is white-box crypto?
  $\neq$ general program obfuscation!
  White-box cryptography [CEJO+02]:
  - considers programs in a restricted class $\mathrm{programs}(f)$ where $f$ = some keyed function
  - hides some program properties $\pi$ in the code (but not all)
  - code $\equiv$ a black-box oracle only in some adversarial contexts
  - already provably secure constructions for some $f$ ($f$ = re-encryption [HRSV07, CCV12])
  - no impossibility results so far for $f$ = blockcipher
  - but no secure construction for e.g. $f = \mathrm{AES}_k(\cdot)$, $k \leftarrow_{\$}$

  5. Our approach
  What do we really want from white-box crypto?
  1. given a random key $k \leftarrow_{\$}$, generate (possibly randomly) $P = [\mathrm{AES}_k(\cdot)]$
  2. it must be hard to recover $k$ by playing around with $P$ (OLD)
  3. it also must be hard to decrypt under $k$ (OLD)
  4. we may want $P$ to be big and incompressible (NEW)
  5. we may want to distribute traceable versions $P_1, \dots, P_n$ (NEW)
  This work:
  - we capture 1-5 into concrete security games (OLD+NEW)
  - we build a toy blockcipher that provably satisfies 1-4 (NEW)
  - we build a construction that provably achieves 5 (NEW)

  6. Outline (section divider; next section: A framework of security notions)

  7. White-box compilers
  Let $\mathcal{E} = (K, E, D)$ be a symmetric encryption scheme.
  Definition. A white-box compiler $C_{\mathcal{E}}$ takes as input a key $k \in K$ and some index $r \in R$ and outputs a program $P = C_{\mathcal{E}}(k, r) = [E_k^r]$.
  Huge behavioral differences between the three objects:
  - function $E(\cdot, \cdot)$ (specification): analytic or algorithmic description, a word in a language
  - oracle $E(k, \cdot)$ (smart card): remote access, input/output only, might be stateful
  - program $[E_k^r]$ (executable software): stateless since rebootable, copiable, transferable, observable, modifiable, system calls simulatable

  8. Attack models
  Security notion = adversarial goal + attack model.
  What are the attack models against white-box programs? Given the description of $C_{\mathcal{E}}(\cdot, \cdot)$ and $P = [E_k^r]$ for unknown $k \in K$:
  - chosen-plaintext attack (CPA): can encrypt any plaintext (unavoidable, since the program itself encrypts)
  - chosen-ciphertext attack (CCA): can make decryption queries to an oracle $D(k, \cdot)$
  - recompilation attack (RCA): can make recompilation requests to get other programs $C_{\mathcal{E}}(k, r')$ for unknown $r' \neq r$
  - combined attack (RCA + CCA): most powerful (?)
  RCA can be made stronger with known or chosen $r' \in R$.
  What about adversarial goals?

  9. Unbreakability (UBK)
  Challenger: $k \leftarrow K()$, $r \leftarrow_{\$} R$, $[E_k^r] = C_{\mathcal{E}}(k, r)$; the adversary $A$ receives $[E_k^r]$.
  - UBK-CCA: $A$ may additionally query the decryption oracle $D(k, \cdot)$ (sends $c'$, gets $m'$)
  - UBK-RCA: $A$ may additionally request recompilations $[E_k^{r'}] = C_{\mathcal{E}}(k, R)$
  $A$ outputs $\hat{k}$ and wins if $\hat{k} = k$.
  There is no "semantic security" on $k$ since verifying that $\hat{k} = k$ is easy. So some information on $k$ always leaks.

  10. One-wayness (OW)
  Challenger: $k \leftarrow K()$, $r \leftarrow_{\$} R$, $[E_k^r] = C_{\mathcal{E}}(k, r)$, $m \leftarrow_{\$} M$, $c = E(k, m)$; the adversary $A$ receives $[E_k^r]$ and $c$.
  - OW-CCA: $A$ may additionally query the decryption oracle $D(k, \cdot)$ (sends $c'$, gets $m'$)
  - OW-RCA: $A$ may additionally request recompilations $[E_k^{r'}] = C_{\mathcal{E}}(k, R)$
  $A$ outputs $\hat{m}$ and wins if $\hat{m} = m$.
  Again, no semantic security on $m$ since verifying that $\hat{m} = m$ is easy. Expected since $E$ is a deterministic encryption scheme.

  11. Incompressibility (INC)
  Given a large program, build an equivalent yet much smaller one.
  Challenger: $k \leftarrow K()$, $r \leftarrow_{\$} R$, $[E_k^r] = C_{\mathcal{E}}(k, r)$; the adversary $A$ receives $[E_k^r]$.
  - INC-CCA: $A$ may additionally query the decryption oracle $D(k, \cdot)$ (sends $c'$, gets $m'$)
  - INC-RCA: $A$ may additionally request recompilations $[E_k^{r'}] = C_{\mathcal{E}}(k, R)$
  $A$ outputs a program $P$ and wins if $\Delta(P, E(k, \cdot)) \leq \delta$ and $\mathrm{size}(P) < \lambda$.

  12. Traceability (TRAC)
  $C_{\mathcal{E}}$ admits a tracing scheme if there exists an algorithm $\mathrm{trace}$ such that no adversary can win the "tracing game" TRAC:
  - generate a key $k \leftarrow_{\$} K$ and $P_1 = [E_k^{r_1}], \dots, P_n = [E_k^{r_n}]$
  - $A$ chooses some $T \subseteq [1, n]$ and is provided with $\{P_i, i \in T\}$
  - $A$ returns some rogue program $Q \leftarrow A(\{P_i, i \in T\})$
  - trace a traitor $t \leftarrow \mathrm{trace}(Q, k, r_1, \dots, r_n)$
  - $A$ wins if $Q$ is functional enough and $t \notin T$

  13. The big picture
  Notation: $\alpha \Leftarrow \beta$ means "if $\beta$ can be broken, $\alpha$ can be broken".
  Adversarial goals:                 Attack models:
      INC ⇐ UBK ⇒ TRAC                   CCA ⇐ CPA
             ⇓                             ⇓      ⇓
            OW                        RCA+CCA ⇐ RCA
  The weakest security notion is UBK-CPA. We don't even know how to achieve it with $E$ = AES...

  14. Outline (section divider; next section: Achieving incompressibility)

  15. Achieving incompressibility
  A toy example... Let $G$ be a group of secret order $w$ and $e$ an exponent with large entropy.
  Hard problems on $G$, given $\mathrm{desc}(G)$ and $e$:
  - UBK[$G$]: find the group order $w$ (FACT)
  - ORD[$G$]: find the order of a group element ($\equiv$ FACT)
  - ROOT[$G, e$]: find the $e$-th root of a group element (RSA)
  - GAP[$G, e$]: find the group order $w$ with the help of an $e$-th root extractor (FACT given an RSA oracle, denoted GAP-RSA)

  16. Achieving incompressibility
  Key generation: generate $k = (\mathrm{desc}(G), e, w)$
  Encryption: $E(k, m) = m^e$
  Decryption: $D(k, c) = c^{1/e \bmod w}$
  $C_{\mathcal{E}}(k, r = \text{""})$ just returns $[m \mapsto m^e]$.
  Then ORD[$G$] $\Leftarrow$ INC-CPA, assuming that the compressed program is algebraic.

  17. ORD[$G$] $\Leftarrow$ INC-CPA
  Recall the INC game: $k \leftarrow K()$, $r \leftarrow_{\$} R$, $[E_k^r] = C_{\mathcal{E}}(k, r)$ is given to $A$ (with $D(k, \cdot)$ queries in INC-CCA, recompilations $[E_k^{r'}] = C_{\mathcal{E}}(k, R)$ in INC-RCA); $A$ outputs $P$ and wins if $\Delta(P, E(k, \cdot)) \leq \delta$ and $\mathrm{size}(P) < \lambda$.
  Here, $[E_k^r] = [m \mapsto m^e]$ and $P$ is algebraic. Using $\mathrm{extract}$, we can find an execution of $P$ where $P(m) = m^{\alpha}$ for a known $\alpha$. Then:
  - either $\alpha \neq e$: then $e - \alpha$ is a multiple of $\mathrm{ord}(m)$ and we break ORD[$G$]
  - or $\alpha = e$: then $\mathrm{size}(P) \geq H(e)$ and $P$ must be big
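The toy scheme of slides 15-16 and the slide-17 case split, worked through as an added example that is not part of the slides or the authors' code. It assumes a concrete group $G = \mathbb{Z}_N^*$ with $N = pq$ (so the secret order is $w = (p-1)(q-1)$), uses tiny constructed parameters, and adds the standard final step that turns a multiple of $\mathrm{ord}(m)$ into a factor of $N$ (the slides only state ORD[$G$] $\equiv$ FACT).

```python
from math import gcd

# Constructed instantiation (assumption of this example): G = Z_N^* with N = p*q,
# secret group order w = (p-1)(q-1).  Tiny parameters, for illustration only.
def keygen(p, q, e):
    n, w = p * q, (p - 1) * (q - 1)
    assert gcd(e, w) == 1
    return {"n": n, "e": e, "w": w}          # k = (desc(G), e, w)
def encrypt(k, m):
    return pow(m, k["e"], k["n"])            # E(k, m) = m^e
def decrypt(k, c):
    d = pow(k["e"], -1, k["w"])              # 1/e mod w needs the secret w
    return pow(c, d, k["n"])

def compile_whitebox(k):
    """C_E(k, r=""): the program [m -> m^e]; it embeds n and e, never w."""
    n, e = k["n"], k["e"]
    return lambda m: pow(m, e, n)

# Slide-17 reduction.  If an algebraic compressed program P computes m -> m^alpha
# and agrees with E on m, then m^(e-alpha) = 1, so |e - alpha| is a multiple of
# ord(m).  If alpha == e, P carries e itself and cannot be small (size >= H(e)).
def order_multiple(n, e, alpha, m):
    if alpha == e or pow(m, abs(e - alpha), n) != 1:
        return None
    return abs(e - alpha)

# Standard number theory (assumed here, not on the slides): a multiple of ord(m) gives a factor of N.
def factor_from_order_multiple(n, m, mult):
    t, s = mult, 0
    while t % 2 == 0:
        t, s = t // 2, s + 1
    x = pow(m, t, n)
    for _ in range(s):
        if x == 1:
            return None                      # this m is uninformative
        y = x * x % n
        if y == 1:                           # x is a square root of 1
            return None if x == n - 1 else gcd(x - 1, n)
        x = y
    return None

def demo():
    k = keygen(11, 13, 7)                    # constructed toy key, N = 143
    big = compile_whitebox(k)
    rogue = lambda m: pow(m, 67, 143)        # "compressed" P with alpha = 67 = e + ord(2)
    assert all(rogue(m) == big(m) for m in range(143))   # fully functional on Z_143
    mult = order_multiple(143, 7, 67, 2)     # 60, a multiple of ord(2)
    p = factor_from_order_multiple(143, 2, mult)
    return mult, p, (p - 1) * (143 // p - 1) # recovered secret order w = 120
```

Running `demo()` returns `(60, 11, 120)`: the rogue program's exponent leaks a multiple of the order of 2, which factors N and hence recovers w, the white-box key material the program was meant to hide.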

  18. Achieving incompressibility
  Security profile of $C_{\mathcal{E}}$ (under standard assumptions; slides 18-24 build this diagram up step by step, the completed form is shown here):
      ORD[G]  ≡  UBK[G]     ROOT[G,e]
        ≡          ≡            ≡
     INC-CPA  ≡  UBK-CPA  ⇒  OW-CPA
        ⇓          ⇓            ⇓
     INC-CCA  ⇐  UBK-CCA  ⇒  OW-CCA
        ≡          ≡            ≡
     GAP[G,e]    GAP[G,e]     trivial
  (INC-CPA $\equiv$ ORD[$G$] relies on the algebraic-compression assumption of slide 16.)
