Thesis information

Title (Chinese):

 White-box Implementation and Analysis of Block Ciphers (分组密码的白盒实现与分析)

Name:

 Luo Yinuo (罗一诺)

Student ID:

 20011210573

Confidentiality level:

 Public

Thesis language:

 Chinese (chi)

Discipline code:

 110505

Discipline:

 Military Command Science: Cryptography

Student type:

 Master's

Degree:

 Master of Military Science

University:

 Xidian University (西安电子科技大学)

School:

 School of Telecommunications Engineering

Major:

 Military Command Science

Research direction:

 Cryptography

First supervisor:

 Chen Jie (陈杰)

First supervisor's affiliation:

 School of Telecommunications Engineering, Xidian University

Completion date:

 2023-05-25

Defence date:

 2023-05-30

Title (English):

 White-box Implementation and Analysis of Block Cipher

Keywords (Chinese):

 white-box attack context; white-box implementation; self-equivalence encoding; SM4 algorithm; SIMON algorithm

Keywords (English):

 White-Box Attack Context; White-Box Implementation; Self-Equivalence Encoding; SM4 Algorithm; SIMON Algorithm

Abstract (Chinese):

In today's era of rapid technological development, cryptography guarantees the reliability of message transmission and plays an irreplaceable role. Traditional cryptographic algorithms are designed for security in the black-box model, where the attacker sees only the algorithm's inputs and outputs. As attackers' capabilities have grown, the black-box model no longer captures today's complex network environments. In 2002 Chow et al. therefore proposed the white-box attack context, in which the attacker fully controls the execution of the algorithm and can modify its internals as needed. To cope with this context, Chow et al. introduced the concept of white-box cryptography and gave lookup-table-based white-box implementations of AES and DES; the method they used is known as the CEJO framework. A white-box implementation obfuscates an existing cipher with encodings so that, running as pure software in the white-box attack context, it protects the key while still producing correct results. This thesis takes block ciphers as its research object; its main contents are as follows:

(1) A white-box implementation of SM4, China's commercial block cipher, is designed and realised in software. The scheme uses networked encodings and self-equivalence encodings. Its main idea is to transform the Feistel-structured algorithm equivalently into an SP-like structure; on that structure three kinds of lookup tables implement the encoding and decoding operations. The key is embedded in the lookup tables, and the tables' inputs and outputs are obfuscated with self-equivalence encodings of the S-box and complex output encodings. The scheme occupies 8.125 MB of memory and needs 2320 table lookups and 1935 XORs between pairs of 128-bit strings. The security analysis shows that the scheme resists a range of white-box attacks, including BGE-type attacks, collision attacks and differential computation analysis.

(2) Two white-box implementations of the lightweight block cipher SIMON are designed. The first, SIMON-CEJO, follows the classic CEJO framework and uses lookup tables to turn the cipher's execution into a sequence of rotations, table lookups, affine transformations and XORs. It occupies 369.016 KB of memory and needs 352 table lookups, 88 XORs and 132 affine transformations. It resists the BGE attack and the affine equivalence algorithm attack, but it is insecure under differential computation analysis. In view of this, a second scheme, SIMON-Masking, is designed. It adopts a new kind of encoding, using the homomorphism of the Benaloh encoding to compute on the encoded plaintext, and adds random masks to hide secret information. It occupies 665.81 KB of memory, and a second-order differential computation analysis based on the Legendre symbol has complexity O(n2klog2p) against it.

Abstract (English):

With the rapid development of science and technology, cryptography ensures the reliability of message transmission and plays an irreplaceable role. Traditional cryptographic algorithms meet the security requirements of the black-box model, but as attackers' capabilities grow the black-box model is no longer sufficient to describe complex network contexts. In 2002 Chow et al. therefore proposed the white-box attack context, in which the attacker completely controls the execution of the algorithm and can modify its details as needed. To cope with this context, Chow et al. proposed the concept of white-box cryptography and gave white-box implementations of AES and DES using lookup tables; the method they used is known as the CEJO framework. A white-box implementation obfuscates an existing cipher with encodings, protects the key in pure software under the white-box attack context, and preserves the correctness of the cipher's output. This thesis takes block ciphers as its research object, and its main contents are as follows:
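The CEJO construction just described, as an added example that is not code from the thesis or from the original CEJO papers: a three-round, 16-bit toy SPN (PRESENT's 4-bit S-box, a nibble rotation and a per-nibble key XOR, all chosen for illustration) is compiled into key-less lookup tables. Each round key is embedded as a T-box T[x] = S(x ^ k), and every table is wrapped in random bijective nibble encodings whose output encoding is cancelled by the next round's input decoding, so the composed tables compute the same function as the keyed cipher. The cipher, the keys and the encodings are all constructed for the example.

```python
"""Toy CEJO-style white-box tables for a 3-round, 16-bit SPN (added example)."""
import random

# Constructed toy cipher: PRESENT's 4-bit S-box, nibble rotation, key XOR per nibble.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [1, 2, 3, 0]       # output nibble i takes input nibble PERM[i]
ROUNDS = 3
IDENTITY = list(range(16))


def ref_encrypt(block, keys):
    """Reference cipher: block and every keys[r] are lists of four nibbles."""
    x = list(block)
    for r in range(ROUNDS):
        x = [SBOX[x[i] ^ keys[r][i]] for i in range(4)]
        x = [x[PERM[i]] for i in range(4)]
    return x


def inverse(p):
    inv = [0] * 16
    for x, y in enumerate(p):
        inv[y] = x
    return inv


def random_encoding(rng):
    p = list(range(16))
    rng.shuffle(p)
    return p


def generate_tables(keys, rng):
    """White-box table for round r, nibble i: out_enc(S(in_dec(x) ^ k[r][i]))."""
    # enc[r][i] is the output encoding applied after round r's S-box at nibble i.
    # The last round is left unencoded here (no external output encoding) so that
    # the white-box output equals the reference ciphertext; a deployed design keeps
    # external encodings and removes them elsewhere.
    enc = [[random_encoding(rng) for _ in range(4)] for _ in range(ROUNDS - 1)]
    tables = []
    for r in range(ROUNDS):
        row = []
        for i in range(4):
            # Nibble i of round r arrived from nibble PERM[i] of round r-1, so it
            # carries that nibble's output encoding; decode it inside the table.
            in_dec = inverse(enc[r - 1][PERM[i]]) if r > 0 else IDENTITY
            out_enc = enc[r][i] if r < ROUNDS - 1 else IDENTITY
            row.append([out_enc[SBOX[in_dec[x] ^ keys[r][i]]] for x in range(16)])
        tables.append(row)
    return tables


def wb_encrypt(block, tables):
    """Key-less evaluation: only table lookups and the fixed nibble permutation."""
    x = list(block)
    for r in range(ROUNDS):
        x = [tables[r][i][x[i]] for i in range(4)]
        x = [x[PERM[i]] for i in range(4)]
    return x


def naive_key_of(table):
    """Return k if table is a bare T-box S(x ^ k) with no encodings, else None."""
    for k in range(16):
        if table == [SBOX[x ^ k] for x in range(16)]:
            return k
    return None


def encodings_hide_tboxes(tables):
    """True when no white-box table is an unencoded T-box (key not directly readable)."""
    return all(naive_key_of(t) is None for row in tables for t in row)


def build_example(seed=2023):
    """Constructed keys plus their white-box tables, deterministic for a given seed."""
    rng = random.Random(seed)
    keys = [[rng.randrange(16) for _ in range(4)] for _ in range(ROUNDS)]
    return keys, generate_tables(keys, rng)


if __name__ == "__main__":
    keys, tables = build_example()
    rng = random.Random(1)
    for _ in range(1000):
        pt = [rng.randrange(16) for _ in range(4)]
        assert wb_encrypt(pt, tables) == ref_encrypt(pt, keys)
    print("tables agree with the keyed cipher; bare T-box visible:",
          not encodings_hide_tboxes(tables))
```

The final check only shows that no table is a bare, unencoded T-box; it is not a security argument. Tables of exactly this shape are what the BGE attack and differential computation analysis recover keys from, which is why the thesis's schemes add self-equivalence encodings and masking on top of the basic CEJO construction.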

 

A white-box implementation scheme is designed for SM4, China's commercial block cipher, and realised in software. The scheme uses networked encodings and self-equivalence encodings. Its main idea is to convert the Feistel-structured algorithm equivalently into an SP-like structure; on that structure three kinds of lookup tables implement the encoding and decoding operations. The key is embedded in the lookup tables, and the tables' inputs and outputs are obfuscated with S-box self-equivalence encodings and complex output encodings. The scheme occupies 8.125 MB of memory and requires 2320 table lookups and 1935 pairwise XORs of 128-bit strings. The security analysis shows that it resists a series of white-box attacks, such as the BGE attack, collision attacks and differential computation analysis.
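The self-equivalence encodings used in the SM4 scheme, as an added example that is not code from the thesis: a self-equivalence of an S-box S is a pair of affine bijections (A, B) with B(S(A(x))) = S(x) for every x, so S can be given the input encoding A and the output encoding B without its table changing at all; A and B are then folded into the neighbouring key addition and linear layers. The S-box here is a constructed 3-bit field inversion x -> x^-1 in GF(2^3) modulo x^3 + x + 1 (the structure behind the AES S-box), small enough that all 1344 affine bijections can be enumerated directly; for SM4's 8-bit S-box the affine-equivalence algorithm is the practical tool, and the thesis does not claim enumeration.

```python
"""Affine self-equivalences of a small S-box (added example)."""
from itertools import product

N = 3
SIZE = 1 << N


def gf8_mul(a, b):
    """Multiply in GF(2^3) with reduction polynomial x^3 + x + 1 (0b1011)."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= 0b1011
    return r


def inversion_sbox():
    """S(0) = 0 and S(x) = x^-1 otherwise; constructed S-box for the example."""
    s = [0] * SIZE
    for x in range(1, SIZE):
        s[x] = next(y for y in range(1, SIZE) if gf8_mul(x, y) == 1)
    return s


def apply_linear(images, x):
    """Evaluate the linear map that sends basis vector e_j to images[j]."""
    y = 0
    for j in range(N):
        if x >> j & 1:
            y ^= images[j]
    return y


def affine_bijections():
    """All maps x -> L(x) ^ c with L invertible, yielded as lookup tables."""
    for images in product(range(SIZE), repeat=N):
        table = [apply_linear(images, x) for x in range(SIZE)]
        if len(set(table)) != SIZE:      # dependent images: not a bijection
            continue
        for c in range(SIZE):
            yield [t ^ c for t in table]


def is_affine(table):
    """Affine iff table(x) = L(x) ^ table(0) with L determined by the basis images."""
    c = table[0]
    images = [table[1 << j] ^ c for j in range(N)]
    return all(table[x] == apply_linear(images, x) ^ c for x in range(SIZE))


def invert(table):
    inv = [0] * SIZE
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def self_equivalences(sbox):
    """All (A, B) with B o S o A == S. For a given A, B is forced: B = S o A^-1 o S^-1."""
    s_inv = invert(sbox)
    pairs = []
    for a in affine_bijections():
        a_inv = invert(a)
        b = [sbox[a_inv[s_inv[y]]] for y in range(SIZE)]
        if is_affine(b):
            pairs.append((a, b))
    return pairs


def holds(sbox, a, b):
    """Check the defining identity B(S(A(x))) == S(x) on every input."""
    return all(b[sbox[a[x]]] == sbox[x] for x in range(SIZE))


if __name__ == "__main__":
    S = inversion_sbox()
    pairs = self_equivalences(S)
    print(len(pairs), "affine self-equivalences; all valid:",
          all(holds(S, a, b) for a, b in pairs))
```

For the inversion map the multiplications x -> c·x (with B the same multiplication) and the Frobenius map x -> x^2 are self-equivalences, so the set found always contains a subgroup of order 21; an S-box with only the trivial pair (identity, identity) offers no such encoding freedom, which is one reason the S-box structure matters when a scheme of this kind is designed.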

 

Two white-box implementation schemes are designed for the lightweight block cipher SIMON. The first, SIMON-CEJO, is based on the classic CEJO framework and uses lookup tables: the execution of the cipher is transformed into a sequence of rotations, table lookups, affine transformations and XORs. It occupies 369.016 KB of memory and requires 352 table lookups, 88 XORs and 132 affine transformations. It resists the BGE attack and the affine equivalence algorithm attack, but it is not secure under differential computation analysis. In view of this, a second scheme, SIMON-Masking, is designed. It adopts a new kind of encoding, using the homomorphism of the Benaloh encoding to operate on the encoded plaintext, and adds random masks to hide secret information. It occupies 665.81 KB of memory, and a second-order differential computation analysis based on the Legendre symbol has time complexity O(n2klog2p) against it.
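The homomorphism that SIMON-Masking relies on, as an added example that is not code from the thesis and does not reproduce the scheme itself: Benaloh's dense probabilistic encryption encodes a value m in Z_r as y^m · u^r mod n, and the product of two encodings encodes the sum mod r, so an encoded value can be masked with a random encoded mask and unmasked again without ever decoding it. The parameters r = 5, p = 11, q = 7 are deliberately tiny and constructed for the example; they satisfy Benaloh's conditions r | p-1, gcd(r, (p-1)/r) = 1 and gcd(r, q-1) = 1.

```python
"""Benaloh encoding: additive homomorphism and masking (added example)."""
import random
from math import gcd

R, P, Q = 5, 11, 7          # constructed toy parameters
N = P * Q                   # 77
PHI = (P - 1) * (Q - 1)     # 60


def find_generator():
    """Public y with y^(phi/r) != 1 mod n; since r is prime, y^(phi/r) then has order r."""
    for y in range(2, N):
        if gcd(y, N) == 1 and pow(y, PHI // R, N) != 1:
            return y
    raise ValueError("no suitable y")


Y = find_generator()


def encrypt(m, rng):
    """E(m) = y^m * u^r mod n with a random unit u; m is taken modulo r."""
    while True:
        u = rng.randrange(2, N)
        if gcd(u, N) == 1:
            break
    return pow(Y, m % R, N) * pow(u, R, N) % N


def decrypt(c):
    """c^(phi/r) = y^(m*phi/r) because u^phi = 1 mod n; recover m by searching Z_r."""
    target = pow(c, PHI // R, N)
    z = pow(Y, PHI // R, N)
    for m in range(R):
        if pow(z, m, N) == target:
            return m
    raise ValueError("not a valid ciphertext")


def add_encoded(c1, c2):
    """Homomorphism: E(m1) * E(m2) mod n is an encoding of (m1 + m2) mod r."""
    return c1 * c2 % N


def masked_operation(m, rng):
    """Mask an encoded value, then remove the mask, all on encodings."""
    mask = rng.randrange(R)
    c = encrypt(m, rng)
    c_masked = add_encoded(c, encrypt(mask, rng))              # encodes m + mask
    c_unmasked = add_encoded(c_masked, encrypt((-mask) % R, rng))  # encodes m again
    return decrypt(c_masked), decrypt(c_unmasked), mask


def demo(seed=7):
    """Deterministic walk-through: round trips, a homomorphic sum and a masked value."""
    rng = random.Random(seed)
    roundtrip = [decrypt(encrypt(m, rng)) for m in range(R)]
    summed = decrypt(add_encoded(encrypt(3, rng), encrypt(4, rng)))
    masked, unmasked, mask = masked_operation(4, rng)
    return {"roundtrip": roundtrip, "sum_3_4": summed,
            "masked": masked, "unmasked": unmasked, "mask": mask}


if __name__ == "__main__":
    out = demo()
    print("E(3)*E(4) decrypts to", out["sum_3_4"], "= (3 + 4) mod", R)
    print("masked value decodes to", out["masked"], "with mask", out["mask"],
          "; unmasked:", out["unmasked"])
```

Two points carry over to the white-box setting: the randomness in u makes every encoding of the same value look different, which is what keeps a fixed intermediate from producing a fixed memory trace, and decryption costs a search over r candidates, so r (and hence the Legendre-symbol-based analysis the abstract quantifies in terms of p) governs both the cost of the scheme and the cost of attacking it.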

References:
[1] Chow S, Eisen P, Johnson H, et al. White-box cryptography and an AES implementation[C]. Selected Areas in Cryptography – SAC 2002. Springer Berlin Heidelberg, 2003: 250-270.
[2] Chow S, Eisen P, Johnson H, et al. A white-box DES implementation for DRM applications[C]. Digital Rights Management – DRM 2002. Springer Berlin Heidelberg, 2003: 1-15.
[3] Jacob M, Boneh D, Felten E. Attacking an obfuscated cipher by injecting faults[C]. Digital Rights Management – DRM 2002. Springer Berlin Heidelberg, 2003: 16-31.
[4] Billet O, Gilbert H, Ech-Chatbi C. Cryptanalysis of a white box AES implementation[C]. Selected Areas in Cryptography – SAC 2004. Springer Berlin Heidelberg, 2004: 227-240.
[5] Tolhuizen L. Improved cryptanalysis of an AES implementation[C]. The 33rd WIC Symposium on Information Theory, 2012.
[6] De Mulder Y, Roelse P, Preneel B. Revisiting the BGE attack on a white-box AES implementation[J]. IACR Cryptology ePrint Archive, Report 2013/450, 2013.
[7] Michiels W, Gorissen P, Hollmann H D L. Cryptanalysis of a generic class of white-box implementations[C]. Selected Areas in Cryptography – SAC 2008. Springer Berlin Heidelberg, 2008: 414-428.
[8] Bringer J, Chabanne H, Dottax E. White-box cryptography: another attempt[J]. IACR Cryptology ePrint Archive, Report 2006/468, 2006.
[9] De Mulder Y, Wyseur B, Preneel B. Cryptanalysis of a perturbated white-box AES implementation[C]. Progress in Cryptology – INDOCRYPT 2010. Springer Berlin Heidelberg, 2010: 292-310.
[10] Xiao Y Y, Lai X J. A secure implementation of white-box AES[C]. Proceedings of the 2009 2nd International Conference on Computer Science and its Applications. Jeju, Korea: IEEE eXpress Conference Publishing, 2009: 410-415.
[11] De Mulder Y, Roelse P, Preneel B. Cryptanalysis of the Xiao-Lai white-box AES implementation[C]. Selected Areas in Cryptography – SAC 2012. Springer Berlin Heidelberg, 2013: 34-49.
[12] Biryukov A, De Cannière C, Braeken A, et al. A toolbox for cryptanalysis: linear and affine equivalence algorithms[C]. Advances in Cryptology – EUROCRYPT 2003. Springer Berlin Heidelberg, 2003: 33-50.
[13] Karroumi M. Protecting white-box AES with dual ciphers[C]. Information Security and Cryptology – ICISC 2010. Springer Berlin Heidelberg, 2010: 278-291.
[14] Lepoint T, Rivain M, De Mulder Y, et al. Two attacks on a white-box AES implementation[C]. Selected Areas in Cryptography – SAC 2013. Springer Berlin Heidelberg, 2013: 265-285.
[15] McMillion B, Sullivan N. Attacking white-box AES constructions[C]. Proceedings of the 2016 ACM Workshop on Software Protection (SPRO '16). New York, USA: ACM, 2016: 85-90.
[16] Ranea A, Preneel B. On self-equivalence encodings in white-box implementations[C]. Selected Areas in Cryptography – SAC 2020. Springer, Cham, 2021 (IACR Cryptology ePrint Archive, Report 2020/1325).
[17] Xiao Y Y, Lai X J. White-box cryptography and a white-box implementation of SMS4[C]. ChinaCrypt 2009. Beijing: Science Press, 2009: 24-34. (In Chinese.)
[18] Lin T T, Lai X J. An effective attack on the white-box SMS4 implementation[J]. Journal of Software, 2013, 24(9): 2238-2249. (In Chinese.)
[19] Shi Y, Wei W, He Z, et al. A lightweight white-box symmetric encryption algorithm against node capture for WSNs[J]. Sensors, 2015, 15(5): 11928-11952.
[20] Bai K P, Wu C K. A secure white-box SM4 implementation[J]. Security and Communication Networks, 2016, 9(10): 996-1006.
[21] Pan W L, Qin T H, Jia Y, et al. Analysis of two white-box SM4 schemes[J]. Journal of Cryptologic Research, 2018, 5(6): 651-670. (In Chinese.)
[22] Yao S, Chen J. A new white-box implementation of the SM4 algorithm[J]. Journal of Cryptologic Research, 2020, 7(3): 358-374. (In Chinese.)
[23] Wang R S, Guo H, Lu J Q, et al. Cryptanalysis of a white-box SM4 implementation based on collision attack[J]. IET Information Security, 2021(6): 18-27.
[24] Lu J Q, Li J. Cryptanalysis of two white-box implementations of the SM4 block cipher[C]. Information Security – ISC 2021. Springer, Cham, 2021: 54-69.
[25] Yuan Z Q, Chen J. A white-box SM4 scheme resistant to differential computation analysis[J]. Journal of Cryptologic Research, 2023, 10(2): 386-396. (In Chinese.)
[26] Zhou L, Su C H, Wen Y M, et al. Towards practical white-box lightweight block cipher implementations for IoTs[J]. Future Generation Computer Systems, 2018: 507-514.
[27] Yao S. Design and analysis of white-box implementations[D]. Xi'an: Xidian University, 2021. (In Chinese.)
[28] Ranea A, Vandersmissen J, Preneel B. Implicit white-box implementations: white-boxing ARX ciphers[C]. Advances in Cryptology – CRYPTO 2022. Springer, Cham, 2022: 33-63.
[29] Vandersmissen J, Ranea A, Preneel B. A white-box Speck implementation using self-equivalence encodings[C]. Applied Cryptography and Network Security – ACNS 2022. Springer, Cham, 2022: 771-791.
[30] Bos J W, Hubain C, Michiels W, et al. Differential computation analysis: hiding your white-box designs is not enough[C]. Cryptographic Hardware and Embedded Systems – CHES 2016. Springer Berlin Heidelberg, 2016: 215-236.
[31] Biryukov A, Udovenko A. Attacks and countermeasures for white-box designs[C]. Advances in Cryptology – ASIACRYPT 2018. Springer, Cham, 2018: 373-402.
[32] Lee S, Kim T, Kang Y. A masked white-box cryptographic implementation for protecting against differential computation analysis[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(10): 2602-2615.
[33] Lee S, Kim M. Improvement on a masked white-box cryptographic implementation[J]. IEEE Access, 2020, 8: 90992-91004.
[34] Tang Y F, Gong Z, Sun T, et al. Adaptive side-channel analysis model and its applications to white-box block cipher implementations[C]. Information Security and Cryptology – Inscrypt 2021. Springer, Cham, 2021: 399-417.
[35] Biryukov A, Udovenko A. Dummy shuffling against algebraic attacks in white-box implementations[C]. Advances in Cryptology – EUROCRYPT 2021. Springer, Cham, 2021: 219-248.
[36] Seker O, Eisenbarth T, Liskiewicz M. A white-box masking scheme resisting computational and algebraic attacks[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021, 2021(2): 61-105.
[37] Battistello A, Castelnovi L, Chabrier T. Enhanced encodings for white-box designs[C]. Smart Card Research and Advanced Applications – CARDIS 2021. Springer, Cham, 2021: 254-274.
[38] Biryukov A, Bouillaguet C, Khovratovich D. Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key[C]. Advances in Cryptology – ASIACRYPT 2014. Springer Berlin Heidelberg, 2014: 63-84.
[39] Bogdanov A, Isobe T. White-box cryptography revisited: space-hard ciphers[C]. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security – CCS 2015. ACM, 2015: 1058-1069.
[40] Bogdanov A, Isobe T, Tischhauser E. Towards practical whitebox cryptography: optimizing efficiency and space hardness[C]. Advances in Cryptology – ASIACRYPT 2016. Springer Berlin Heidelberg, 2016: 126-158.
[41] Fouque P A, Karpman P, Kirchner P, et al. Efficient and provable white-box primitives[C]. Advances in Cryptology – ASIACRYPT 2016. Springer Berlin Heidelberg, 2016: 159-188.
[42] Lin T T, Lai X J, Xue W J, et al. A new Feistel-type white-box encryption scheme[J]. Journal of Computer Science and Technology, 2017, 32(2): 386-395.
[43] Cho J, Choi K Y, Dinur I, et al. WEM: a new family of white-box block ciphers based on the Even-Mansour construction[C]. Topics in Cryptology – CT-RSA 2017. Springer, Cham, 2017: 293-308.
[44] Kwon J, Lee B, Lee J, et al. FPL: white-box secure block cipher using parallel table look-ups[C]. Topics in Cryptology – CT-RSA 2020. San Francisco, CA, USA, 2020: 24-28.
[45] Koike Y, Isobe T. Yoroi: updatable white-box cryptography[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021: 587-617.
[46] Liu J, Rijmen V, Hu Y P, et al. WARX: efficient white-box block cipher based on ARX primitives and random MDS matrix[J]. Science China Information Sciences, 2022: 132302.
[47] Su S, Dong H, Fu G, et al. A white-box CLEFIA implementation for mobile devices[C]. Communications Security Conference. IET, 2014.
[48] Benaloh J. Dense probabilistic encryption[C]. Selected Areas in Cryptography – SAC 1994. Springer Berlin Heidelberg, 1994: 120-128.
[49] Standardization Administration of China. Information security technology: SM4 block cipher algorithm[S/OL]. 2016. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=7803DE42D3BC5E80B0C3E5D8E873D56A [2023-03-09]. (In Chinese.)
[50] Zhang Y Y, Xu D, Chen J. Analysis and improvement of white-box SM4[J]. Journal of Electronics & Information Technology, 2022, 44(8): 2903-2913. (In Chinese.)
[51] Wu W L, Feng D G, Zhang W T. Design and Analysis of Block Ciphers[M]. Beijing: Tsinghua University Press, 2009: 65. (In Chinese.)
[52] Liu F, Ji W, Hu L, et al. Analysis of the SMS4 block cipher[C]. Information Security and Privacy – ACISP 2007. Springer Berlin Heidelberg, 2007: 158-170.
[53] Yuan Z Q, Chen J. Differential computation analysis of a white-box SM4 scheme[J/OL]. Journal of Software: 1-14 [2023-03-02]. (In Chinese.)
[54] Baek C H, Cheon J H, Hong H. White-box AES implementation revisited[J]. Journal of Communications and Networks, 2016, 18(3): 273-287.
[55] Biryukov A, Shamir A. Structural cryptanalysis of SASAS[C]. Advances in Cryptology – EUROCRYPT 2001. Springer Berlin Heidelberg, 2001: 395-405.
[56] Gilbert H, Plût J, Treger J. Key-recovery attack on the ASASA cryptosystem with expanding S-boxes[C]. Advances in Cryptology – CRYPTO 2015. Springer Berlin Heidelberg, 2015: 475-490.
[57] Minaud B, Derbez P, Fouque P A, et al. Key-recovery attacks on ASASA[J]. Journal of Cryptology, 2018, 31(3): 845-884.
[58] Beaulieu R, Shors D, Smith J, et al. The SIMON and SPECK families of lightweight block ciphers[J]. IACR Cryptology ePrint Archive, Report 2013/404, 2013.
[59] Mangard S, Oswald E, Popp T. Power Analysis Attacks: Revealing the Secrets of Smart Cards[M]. New York: Springer, 2007: 223-244.
[60] Biryukov A, Dinu D, Le Corre Y, et al. Optimal first-order Boolean masking for embedded IoT devices[C]. Smart Card Research and Advanced Applications – CARDIS 2017. Springer, Cham, 2017: 22-41.
[61] Trichina E. Combinational logic design for AES SubByte transformation on masked data[J]. IACR Cryptology ePrint Archive, Report 2003/236, 2003.
CLC number:

 TN91

Holdings number:

 58175

Open access date:

 2023-12-23
