
CRYPTACUS Action Meeting

November 6, 2016

Security of Block Ciphers


Beyond Blackbox Model
Takanori Isobe
SONY Corporation
About Me
Researcher/Engineer in Sony Corporation since 2008
As a Researcher
Cryptanalysis of Symmetric-Key Primitives
• First attack on full GOST (@FSE 2011)
• Plaintext recovery attacks on RC4 (@FSE 2013) and Spritz (@FSE 2016), and more
Design of Block Ciphers
• Lightweight block cipher: Piccolo (@CHES 2011)
• Low-energy block cipher: Midori (@ASIACRYPT 2015)
• Whitebox-secure block ciphers: SPACE/SPNbox (@ACM CCS 2015/ASIACRYPT 2016)
As an Engineer
Design/Evaluation of the security systems of our products/networks
• Games (PS Vita/PS4), cameras, TVs and more
Write crypto code for products
Today's Talk

"Security beyond the Blackbox Model"

As an engineer, we often face these problems:
• Untrusted environments
– Software-only solutions
• Advanced attacks on the system/device
– Reverse engineering, cold boot attacks, malware, APT
• Software vulnerabilities
– Buffer overflow, Heartbleed, Dirty COW

This talk shows our approaches to address these issues

Background
Symmetric-Key Cryptography
DES, AES, CMAC, HMAC, GCM

[Figure: Plaintext -> AES (key) -> Ciphertext for encryption; Ciphertext -> AES (key) -> Plaintext for decryption]

Fundamental primitives for security
=> Deployed in almost all our products
Background
Symmetric-Key Cryptography
DES, AES, CMAC, HMAC, GCM
Designed to be secure in the black-box model
• Adversary has access to input and output
• Internal state: invisible

[Figure: Plaintext/Ciphertext -> Encryption/Decryption (key) -> Ciphertext/Plaintext; the adversary sees only the input and the output]
Crypto is Everywhere
The black-box model fails to reflect the reality
Beyond Blackbox
Cold boot attacks
Read the remaining memory contents in the seconds to minutes after power-off

Software attacks
Binary analysis, reverse engineering
• Ex. Overwrite the binary (e.g., the S-box) to get the key

Trojans, malware, or software vulnerabilities (e.g. Heartbleed, buffer overflow)
leak a part of the secret key or of the internal state

Unauthorized access to servers
Hacking, cracking, privilege escalation

Internal states in memory often leak in the real world
Our Questions

1. How much memory leakage is enough to break the system, e.g. to extract the secret key?
-> Security of AES under Leakage @ASIACRYPT 2015
(Joint work with Andrey Bogdanov)

2. What are efficient countermeasures against leakage attacks?
Motivation
How secure is AES under memory leakage?
Weakest Memory Leakage Model
• Only one bit leaks in each execution
• Location of the leaked bit is unknown
=> Limited control of the platform

[Figure: P -> AES-128 (Key) -> C, with 1 bit of information leaking at an unknown location]
Two Leakage Models
• Fixed Location
– Location of the leaked bit is fixed in each execution
• Random Location
– Location of the leaked bit is random in each execution
=> caused by timing/space randomization (software protection)

[Figure: for both models, P -> Key -> round 1 ... round 10 -> C; the leaked bit is taken from the round states, at one fixed position in the first model and at a fresh random position in every execution in the second]
Differential Bias Attack
Regard the leaked bits as a bit-stream
Borrow techniques from the stream cipher domain
Use a pair of plaintexts P and P' having a special difference Δ which results in a biased (differential) stream only for the correct key guess
Guess 32 bits of the key

[Figure: P -> AES -> Z0, Z1, Z2, ..., Z_{Ns-1}; P' = P ⊕ Δ -> AES -> Z'0, Z'1, Z'2, ..., Z'_{Ns-1}; Δ is derived from the 32-bit key guess]
Zi: leaked bit of the i-th execution
– Only for the correct key: Pr(Zi XOR Z'j = 0) over all i and j is biased
– If Zi and Z'j are random: Pr(Zi XOR Z'j = 0) = 0.5

Truncated Differential over 3 Rounds

[Figure: three AES rounds (SB, SR, MC) applied to P, with the four key bytes $0, $1, $2, $3 (32 bits) guessed; the byte-wise difference pattern of the states is shown for the correct key and for a wrong key]

Legend:
– probability-one non-zero difference
– probability-one zero difference
– ? : unknown difference

– Correct key: probability-one non-zero difference ×21, probability-one zero difference ×27
– Wrong key: probability-one non-zero difference ×0, probability-one zero difference ×12
=> exploit this gap!
Bitwise Bias from Truncated Differential

Positive bitwise bias toward zero
In a probability-one zero truncated difference
• If Zi and Z'j are a pair at the same position
– P(Zi ⊕ Z'j = 0) = 1

Negative bitwise bias toward zero
In a probability-one non-zero truncated difference
• If Zi and Z'j are a pair at the same position
– P(Zi ⊕ Z'j = 0) = ½ (1 − 2^−7.99) (experimental value ½ (1 − 2^−7.92))
(a non-zero byte difference is uniform over the 255 non-zero values, so a given bit of it is 0 in 127 of 255 cases, i.e. ½ (1 − 1/255) with 1/255 = 2^−7.99)

Guess 32 bits
[Figure: P -> AES -> Z0, ..., Z_{Ns-1}; P' = P ⊕ Δ -> AES -> Z'0, ..., Z'_{Ns-1}]
Pr(Zi XOR Z'j = 0) = ½ (1 − 2^−16.02)
strong bias for the correct key
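The bias figures on this slide come from one event: the two leaked bits land on the same position of the state. The Go program below is an added example (not code from the talk or the paper) that computes Pr[Zi ⊕ Z'j = 0] for one pair of leaked bits under a simple positional model, compares the correct-key and wrong-key byte counts from the truncated-differential slide (27/21 and 12/0), and confirms the same-position part by Monte Carlo. Assumptions made here: the leaked bit sits at a uniformly random position among the 10 × 128 bits of the round outputs (`nPositions`); bytes with unknown difference are treated as random. The slide's exact 2^−16.02 figure depends on which intermediate states the paper counts as leakable, which this toy model does not reproduce; the numbers here show the mechanism and how the data requirement scales with the gap.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Added example (not from the talk or the paper): where the differential bias
// of a 1-bit random-location leak comes from, and how many (i, j) pairs it costs.
const (
	aesRounds  = 10
	blockBits  = 128
	nPositions = aesRounds * blockBits // assumption: leak position uniform over the 10 round outputs
)

// A non-zero byte difference is uniform over the 255 non-zero values, so one
// of its bits is 0 in 127 of 255 cases: 1/2 * (1 - 1/255) = 1/2 * (1 - 2^-7.99).
const pEqualNonzero = 127.0 / 255.0

// PrEqualSamePosition is Pr[Z_i xor Z'_j = 0] given both leaks hit the same
// position. zeroBytes / nonzeroBytes are the probability-one zero / non-zero
// difference bytes of the truncated differential; every other byte is random.
func PrEqualSamePosition(zeroBytes, nonzeroBytes, positions int) float64 {
	n := float64(positions)
	fZero := 8 * float64(zeroBytes) / n
	fNonzero := 8 * float64(nonzeroBytes) / n
	return fZero*1.0 + fNonzero*pEqualNonzero + (1-fZero-fNonzero)*0.5
}

// PredictedPrEqual is Pr[Z_i xor Z'_j = 0] for one pair of leaked bits: Z_i is
// read at position a, Z'_j at an independent position b, both uniform, and only
// the event a == b (probability 1/N) carries any bias.
func PredictedPrEqual(zeroBytes, nonzeroBytes, positions int) float64 {
	n := float64(positions)
	return (1-1/n)*0.5 + PrEqualSamePosition(zeroBytes, nonzeroBytes, positions)/n
}

// Log2Bias returns log2 of eps, where Pr[Z_i xor Z'_j = 0] = 1/2 + eps.
func Log2Bias(zeroBytes, nonzeroBytes, positions int) float64 {
	return math.Log2(PredictedPrEqual(zeroBytes, nonzeroBytes, positions) - 0.5)
}

// Log2PairsToSeparate estimates log2 of the number of (i, j) pairs needed to
// tell the correct-key statistic from the wrong-key one: about 1/gap^2.
func Log2PairsToSeparate(correctZero, correctNonzero, wrongZero, wrongNonzero, positions int) float64 {
	gap := PredictedPrEqual(correctZero, correctNonzero, positions) -
		PredictedPrEqual(wrongZero, wrongNonzero, positions)
	return -2 * math.Log2(gap)
}

// SimulateSamePosition is a Monte Carlo check of the a == b case. Each trial is
// a fresh (P, P') execution pair whose byte-wise difference follows the
// truncated-differential pattern, with the leak at the same random position in
// both executions. Putting the zero-difference bytes first is only a labelling;
// the position is uniform, so the layout does not matter.
func SimulateSamePosition(seed int64, zeroBytes, nonzeroBytes, trials int) float64 {
	rng := rand.New(rand.NewSource(seed))
	equal := 0
	for i := 0; i < trials; i++ {
		pos := rng.Intn(nPositions)
		byteIdx, bitIdx := pos/8, pos%8
		var diff int
		switch {
		case byteIdx < zeroBytes:
			diff = 0 // probability-one zero difference
		case byteIdx < zeroBytes+nonzeroBytes:
			diff = 1 + rng.Intn(255) // probability-one non-zero difference
		default:
			diff = rng.Intn(256) // unknown difference: random byte
		}
		if (diff>>bitIdx)&1 == 0 {
			equal++
		}
	}
	return float64(equal) / float64(trials)
}

func main() {
	fmt.Printf("correct key (27 zero / 21 non-zero bytes): Pr = 1/2 + 2^%.2f\n", Log2Bias(27, 21, nPositions))
	fmt.Printf("wrong key   (12 zero /  0 non-zero bytes): Pr = 1/2 + 2^%.2f\n", Log2Bias(12, 0, nPositions))
	fmt.Printf("pairs needed to separate them: about 2^%.1f\n", Log2PairsToSeparate(27, 21, 12, 0, nPositions))
	fmt.Printf("same-position check: model %.4f, simulation %.4f\n",
		PrEqualSamePosition(27, 21, nPositions), SimulateSamePosition(1, 27, 21, 40000))
}
```

The wrong-key hypothesis is not unbiased in this model either, because the 12 probability-one zero bytes also pull the statistic toward zero; what the attack exploits is the gap between the two hypotheses, and the number of (i, j) pairs grows as 1/gap². Bytewise leakage, mentioned under Extensions, improves this because it raises the probability that a pair of leaks covers the same byte.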


Evaluation
Attack cost to obtain the full 128-bit key
Time ≈ 2^33
Data ≈ 2^33

[Figure: P -> Key -> round 1 ... round 10 -> C]

Even under the weakest leakage assumption (1-bit leakage at a random unknown location), a practical attack is possible!
Extensions
Noisy leakage setting
Possible, but noise makes the attack more time-consuming
Known-plaintext attack
Possible for the differential bias attack
Bytewise leakage
Somewhat improves the attack complexity
Other granularities
Not only the state after the round function, but also the states after SubBytes, MixColumns, etc. can be used to mount differential bias attacks
AES-192/256 and some other ciphers
The same attacks are directly applicable
See the paper
Question from the Real World

1. How much information from memory is necessary to extract the secret key?
"Only 1-bit leakage is enough to extract a key (AES)"

2. What are efficient countermeasures against leakage attacks?
-> Whitebox-Secure Block Cipher (ACM CCS 2015)
Joint work with Andrey Bogdanov
Whitebox Cryptography
Implementations of cryptographic algorithms that are secure in the whitebox model

[Figure: the adversary holds the software, key included]

Whitebox Model
Adversary has full access to the crypto algorithm and full control over its execution environment
Internal values: fully accessible (read/write)

[Figure: Plaintext/Ciphertext -> Encryption/Decryption (key) -> Ciphertext/Plaintext; the adversary can read any memory and the algorithm, and can modify internal values]
Applications
DRM
Protected contents (e.g. movies and music) are decrypted on the user's (adversary's) device
• The adversary may control the platform on which the media player application is executed, and aims to extract a content key

Cloud service providers

Applications
HCE (Host Card Emulation)
Technology that emulates a payment card on a mobile device using only software
• A secure element is not necessary
• Android 4.4 supports Host Card Emulation (HCE)
– Google Wallet, Visa, Mastercard

[Figure: Issuer -> Cloud Server -> credential -> Application with whitebox crypto on the phone -> NFC -> Reader -> Payment Processor]
Memory leakage
Software attacks (binary analysis)
Trojans, malware
Software vulnerabilities (e.g. Heartbleed, buffer overflow)
Unauthorized access to servers
History of Whitebox Cryptography
Academic level
In 2002, Cloakware (Irdeto) published a paper presenting the first scheme of whitebox AES
However, all published whitebox AES schemes were practically broken by the "BGE attack" (Billet, Gilbert, Ech-Chatbi) and later attacks

Industrial level
WBC is widely deployed in many applications
• Details are kept secret
• Protected with additional countermeasures

Differential Computation Analysis (DCA) @CHES 2016
• The details of the implementation are not required
• Additional countermeasures do not help
No  Secure  Whitebox Cipher  in  the  Public  Domain


New whitebox-friendly Encryption Scheme

128-bit block cipher called "SPACE" @ACM CCS 2015

Secure in the whitebox
• Security against key extraction reduces to the key recovery problem of AES in the blackbox model
• Space hardness: compression of the code is infeasible
– Mitigates code lifting attacks

High performance
• Much faster than whitebox AES
– Whitebox AES (published by Cloakware): 0.4 MB/s
– SPACE: 10-100 MB/s
Others
• Not AES functionality, but the interfaces are the same as AES
• SPACE can be considered a mode of operation for AES
SPACE Block Cipher
Target-heavy Feistel construction
The 128-bit plaintext is divided into x words of na bits: p0, p1, ..., p(x-1)
F function: na bits to (128 − na) bits
In the white box, the F function becomes a table

[Figure: plaintext words p0, p1, ..., p(x-1); in every round one na-bit word enters F (F0, F1, ...; a table in the white box) and the (128 − na)-bit output is XORed into the remaining words (target-heavy); rounds continue down to the ciphertext]

F-function (Whitebox Table)
The table is created by AES-128
– constrain the plaintext: 128 bits to na bits (the other 128 − na input bits are a fixed constant)
– truncate the ciphertext: 128 bits to 128 − na bits (the remaining na bits are disregarded)

[Figure: table input x (na bits) with the constant (n − na bits) -> AES under key K -> n − na bits kept as the output y, na bits disregarded; this table is the F function]
Security in the WhiteBox
The WB attacker has access to the input/output of the table
What a WB adversary can do is the same as what a BB adversary can do for AES

[Figure: WB adversary with full access to the table, x -> F (table) -> y; this equals a BB adversary querying AES under key K on (constant || x) and receiving the truncated ciphertext]

=> Security of key extraction in the whitebox reduces to the key recovery problem of AES-128 in the blackbox model
Space Hardness
In the whitebox implementation
the key is expanded to a large table
a few KB to GB

[Figure: 128-bit key -> large key (table); going back is computationally infeasible]

Space hardness
Difficult to find any compact representation (incompressibility)
• Table decomposition is as hard as AES key recovery

Whitebox Cryptography
Mitigates code lifting attacks
Requires a large amount of data to be moved out of the execution environment to copy the functionality
• time-consuming work if the network is narrow
• easy to detect copying by monitoring traffic
Discourages the adversary from illegally distributing the code due to its large size

[Figure: the table T sits in the execution environment and is hard to get and hard to distribute for the adversary; even T/4 is a large transfer]
Ex. SPACE-16: T = 2^16 entries × 112 bits ≈ 0.9 MB, so T/4 ≈ 230 KB
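As a worked instance of the construction on the SPACE Block Cipher and F-function slides, of the whitebox/blackbox equivalence argued on the Security slide, and of the table size used above, here is a SPACE-16-style cipher in Go. This is an added example, not the SPACE reference code or the paper's exact specification: the 112-bit constant (all zero), the byte ordering of the constrained input and truncated output, the round constant and the round count (128) are assumptions chosen here; the paper fixes its own. The key is only needed to build the table; the deployed white-box implementation is the table plus the Feistel loop.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Added example of a SPACE-16-style target-heavy Feistel cipher whose F
// function is an AES-derived table (not the SPACE reference code; the constant,
// byte ordering, round constant and round count are assumptions made here).
const (
	blockBytes = 16                   // n = 128 bits
	naBits     = 16                   // SPACE-16: n_a = 16
	inBytes    = naBits / 8           // 2 bytes of table input
	outBytes   = blockBytes - inBytes // n - n_a = 112 bits = 14 bytes of table output
	rounds     = 128                  // assumed round count
)

// Table is the white-box form of F: {0,1}^16 -> {0,1}^112, 2^16 x 14 bytes.
type Table [1 << naBits][outBytes]byte

// fAES evaluates F the black-box way: AES-128 under K on (112-bit zero constant || x),
// keeping the first 112 bits of the ciphertext and disregarding the last 16.
func fAES(block cipher.Block, x uint16) [outBytes]byte {
	var in, out [blockBytes]byte
	var res [outBytes]byte
	binary.BigEndian.PutUint16(in[outBytes:], x) // constrain the plaintext to n_a bits
	block.Encrypt(out[:], in[:])
	copy(res[:], out[:outBytes]) // truncate the ciphertext to n - n_a bits
	return res
}

// BlackBoxF is what a black-box adversary with oracle access to AES_K learns per query.
func BlackBoxF(key []byte, x uint16) ([outBytes]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return [outBytes]byte{}, err
	}
	return fAES(block, x), nil
}

// BuildTable expands the 128-bit AES key into the white-box table.
func BuildTable(key []byte) (*Table, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	t := new(Table)
	for x := 0; x < 1<<naBits; x++ {
		t[x] = fAES(block, uint16(x))
	}
	return t, nil
}

// TableBytes is the size T of the white-box implementation.
func TableBytes() int { return (1 << naBits) * outBytes }

// round maps (x0 || rest) to (F(x0) xor rest xor r || x0): the n_a-bit source
// word feeds the table, the 112-bit target part absorbs the output, the words rotate.
func (t *Table) round(state *[blockBytes]byte, r int) {
	x0 := binary.BigEndian.Uint16(state[:inBytes])
	var next [blockBytes]byte
	for i := 0; i < outBytes; i++ {
		next[i] = t[x0][i] ^ state[inBytes+i]
	}
	next[outBytes-1] ^= byte(r) // assumed round constant: low byte of the round index
	copy(next[outBytes:], state[:inBytes])
	*state = next
}

// invRound undoes round: x0 is the last word, so F(x0) can be recomputed.
func (t *Table) invRound(state *[blockBytes]byte, r int) {
	x0 := binary.BigEndian.Uint16(state[outBytes:])
	var prev [blockBytes]byte
	copy(prev[:inBytes], state[outBytes:])
	for i := 0; i < outBytes; i++ {
		prev[inBytes+i] = state[i] ^ t[x0][i]
	}
	prev[inBytes+outBytes-1] ^= byte(r)
	*state = prev
}

func (t *Table) Encrypt(pt [blockBytes]byte) [blockBytes]byte {
	state := pt
	for r := 0; r < rounds; r++ {
		t.round(&state, r)
	}
	return state
}

func (t *Table) Decrypt(ct [blockBytes]byte) [blockBytes]byte {
	state := ct
	for r := rounds - 1; r >= 0; r-- {
		t.invRound(&state, r)
	}
	return state
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; in deployment only the table ships
	tbl, err := BuildTable(key)
	if err != nil {
		panic(err)
	}
	pt := [blockBytes]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
	ct := tbl.Encrypt(pt)
	fmt.Printf("T = %d bytes (T/4 = %d), round trip ok: %v\n",
		TableBytes(), TableBytes()/4, tbl.Decrypt(ct) == pt)
	bb, _ := BlackBoxF(key, 0x1234)
	fmt.Printf("table[0x1234] == AES oracle answer: %v\n", bb == tbl[0x1234])
}
```

`BlackBoxF` and the table agree entry by entry, which is the whole reduction on the Security slide: reading the table in the white box gives the adversary exactly the truncated AES ciphertexts a black-box adversary could obtain by querying AES_K on the 2^16 constrained plaintexts. `TableBytes()` returns 917504 for SPACE-16, so lifting T/4 is about 229 KB; the paper's larger parameters (bigger n_a) push T into the hundreds of MB and beyond.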
Summary
Space-hard block cipher: SPACE
Security against key extraction/table decomposition
• White-box security is based on black-box security
• AES key-recovery problem in the blackbox model
Security against code lifting: space hardness
• Infeasible to find a compact implementation
High performance
• Much faster than whitebox AES
– Whitebox AES (published by Cloakware): 0.4 MB/s
– SPACE: 10-100 MB/s

More efficient WB block cipher: SPNbox @ASIACRYPT 2016
6.5-20 times faster than SPACE
Conclusion

1. How much information from memory is necessary to extract the secret key?
"Only 1-bit leakage is enough to extract a key (AES)"

2. What are efficient countermeasures against leakage attacks?
"SPACE is the first whitebox-friendly cipher"
Thank you for your attention
