A Tutorial on White-Box AES

Abstract

White-box cryptography concerns the design and analysis of implementations of cryptographic algorithms engineered to execute on untrusted platforms. Such implementations are said to operate in a white-box attack context. This is an attack model where all details of the implementation are completely visible to an attacker: not only do they see input and output, they see every intermediate computation that happens along the way. The goal of a white-box attacker when targeting an implementation of a cipher is typically to extract the cryptographic key; thus, white-box implementations have been designed to thwart this goal (i.e., to make key extraction difficult/infeasible). The academic study of white-box cryptography was initiated in 2002 in the seminal work of Chow et al. (White-box cryptography and an AES implementation. In: Selected areas in cryptography: 9th annual international workshop, SAC 2002. Lecture notes in computer science, vol 2595, pp 250–270, 2003). Here, we review the first white-box AES implementation proposed by Chow et al. and give detailed information on how to construct it. We provide a number of diagrams that summarize the flow of data through the various look-up tables in the implementation, which helps clarify the overall design. We then briefly review the impressive 2004 cryptanalysis by Billet et al. (Cryptanalysis of a white box AES implementation. In: Selected areas in cryptography: 11th international workshop, SAC 2004. Lecture notes in computer science, vol 3357, pp 227–240, 2005). The BGE attack can used to extract an AES key from Chow et al.’s original white-box AES implementation with a work factor of about 230, and this fact has motivated subsequent work on improved AES implementations.