## CryptoDB

### Paper: Structural Attack (and Repair) of Diffused-Input-Blocked-Output White-Box Cryptography

Authors: Claude Carlet , LAGA, Department of Mathematics, University of Paris VIII, Paris, France University of Bergen, Norway Sylvain Guilley , Secure-IC S.A.S. (7th floor), 104 Boulevard du Montparnasse, 75014 Paris, France LTCI, Télécom Paris, Institut Polytechnique de Paris, 91120 Palaiseau, France Sihem Mesnager , Department of Mathematics, University of Paris VIII, F-93526 Saint-Denis, University Sorbonne Paris Cité, LAGA, UMR 7539, CNRS, 93430 Villetaneuse LTCI, Télécom Paris, Polytechnic Institute of Paris, 91120 Palaiseau, France DOI: 10.46586/tches.v2021.i4.57-87 URL: https://tches.iacr.org/index.php/TCHES/article/view/9060 Search ePrint Search Google In some practical enciphering frameworks, operational constraints may require that a secret key be embedded into the cryptographic algorithm. Such implementations are referred to as White-Box Cryptography (WBC). One technique consists of the algorithm’s tabulation specialized for its key, followed by obfuscating the resulting tables. The obfuscation consists of the application of invertible diffusion and confusion layers at the interface between tables so that the analysis of input/output does not provide exploitable information about the concealed key material.Several such protections have been proposed in the past and already cryptanalyzed thanks to a complete WBC scheme analysis. In this article, we study a particular pattern for local protection (which can be leveraged for robust WBC); we formalize it as DIBO (for Diffused-Input-Blocked-Output). This notion has been explored (albeit without having been nicknamed DIBO) in previous works. However, we notice that guidelines to adequately select the invertible diffusion ∅and the blocked bijections B were missing. Therefore, all choices for ∅ and B were assumed as suitable. Actually, we show that most configurations can be attacked, and we even give mathematical proof for the attack. The cryptanalysis tool is the number of zeros in a Walsh-Hadamard spectrum. This “spectral distinguisher” improves on top of the previously known one (Sasdrich, Moradi, Güneysu, at FSE 2016). However, we show that such an attack does not work always (even if it works most of the time).Therefore, on the defense side, we give a straightforward rationale for the WBC implementations to be secure against such spectral attacks: the random diffusion part ∅ shall be selected such that the rank of each restriction to bytes is full. In AES’s case, this seldom happens if ∅ is selected at random as a linear bijection of F322. Thus, specific care shall be taken. Notice that the entropy of the resulting ∅ (suitable for WBC against spectral attacks) is still sufficient to design acceptable WBC schemes.
##### BibTeX
@article{tches-2021-31311,
title={Structural Attack (and Repair) of Diffused-Input-Blocked-Output White-Box Cryptography},
journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
publisher={Ruhr-Universität Bochum},
volume={2021, Issue 4},
pages={57-87},
url={https://tches.iacr.org/index.php/TCHES/article/view/9060},
doi={10.46586/tches.v2021.i4.57-87},
author={Claude Carlet and Sylvain Guilley and Sihem Mesnager},
year=2021
}