How to reveal the secrets of an obscure white-box implementation

摘要

White-box cryptography (WBC) protects key extraction from software implementations of cryptographic primitives. Many academic works have been done achieving partial results toward WBC, but a complete solution has not been found yet by the cryptography community. As a result, the industry can only on proprietary and non-publicly scrutinized white-box implementations. It is therefore of interest to investigate the obtainable resistance of an AES implementation to thwart a white-box adversary in this paradigm. To this purpose, the ECRYPT CSA project has organized the WhibOx contest as the catch the flag challenge of CHES 2017. Researchers and engineers were invited to participate either as designers by submitting the source code of an AES-128 white-box implementation with a freely chosen key, or as breakers by trying to extract the hard-coded keys in the submissions. The participants were not expected to disclose their identities or the underlying designing/attacking techniques. In the end, 94 submitted challenges were all broken, and only 13 of them held more than one day. The strongest (in terms of surviving time) implementation survived for 28 days (which is more than twice as much as the second one). It was only broken by the authors of the present paper with reverse engineering and algebraic analysis. In this paper, we give a detailed description of the different steps of our cryptanalysis. We then generalize it to an attack methodology to break further obscure white-box implementations. In particular, we formalize and generalize the linear decoding analysis that we use to extract the key from the encoded intermediate variables of the target challenge.