1. Introduction
In 2002, Chow et al. introduced the first white-box implementations [4, 5]. They proposed a white-box Advanced Encryption Standard (AES) implementation using a table-based method [4], reducing storage by using many small XOR tables instead of a few large tables. Billet et al. gave an algebraic attack on Chow et al.'s white-box AES implementation with less than \(2^{30}\) computational complexity [3]. Bringer et al. presented a new white-box AES implementation with extra random parts, in which different S-boxes replace the original AES S-box [1]. Mulder et al. gave an algebraic attack on Bringer et al.'s white-box AES implementation that recovers an equivalent key with \(2^{17}\) computational complexity [12]. Kim presented modified white-box AES implementations and attacked them [15, 16].
The white-box Data Encryption Standard (DES) implementation was proposed by Chow et al. [5] and later by Link and Neumann [9]. Both schemes were broken a few years later [6, 14]; according to those papers, the white-box DES implementations were broken with \(2^{14}\) computational complexity.
In 2008, Michiels et al. defined a generic class of white-box implementations of substitution-linear transformation (SLT) ciphers and presented a cryptanalysis of white-box implementations of block ciphers with this property [11]. They exploited two main techniques, one by Billet et al. [3] and the other by Biryukov et al. [2]. Karroumi presented a white-box AES implementation that enhances security using 61,200 dual ciphers of AES [7]. These dual ciphers are built from variants of the original AES operations and give the same result as the original AES. Lepoint et al. extracted the key from Karroumi's white-box AES implementation with \(2^{22}\) computational complexity [10].
In 2003, Kwon et al. proposed a block cipher called ARIA [8]. The name ARIA comes from the initials of Academy, Research Institute, and Agency, reflecting the cooperative effort of Korean researchers in designing it. It is a Korean standard block cipher with an involutional SPN structure. In 2011, the Internet Engineering Task Force also specified a set of cipher suites for the Transport Layer Security protocol that support the ARIA encryption algorithm. We introduce the first white-box ARIA implementation, built from many lookup tables including many distinct Exclusive Or (XOR) tables.
The remainder of this paper is organized as follows. In Section 2, we give some notations and introduce the definition of block cipher. The specifications of ARIA are given in Section 3. In Section 4, we give a white-box ARIA implementation. Analysis of the performance and the security is given in Section 5. We end with some remarks in Section 6.
2. Preliminaries
Shannon identified two principles of a secure cipher, confusion and diffusion [13]. Confusion makes the relation between the ciphertext and the key complex and involved. Diffusion makes each part of the plaintext influence many parts of the ciphertext. By applying these principles iteratively, a cryptosystem can be made more secure; this design principle is used in most block ciphers.
An n-bit block cipher is a deterministic function mapping n-bit plaintext blocks to n-bit ciphertext blocks under a key. The block cipher consists of the encryption function \(E_k\) and the decryption function \(D_k\). The encryption function \(E_k\) is given as follows:
\(E_k : \{0, 1\}^m \times \{0, 1\}^n \to \{0, 1\}^n\) (1)
where \(E_k(P) = C\) for an m-bit key k, n-bit plaintext P, and n-bit ciphertext C. The decryption function \(D_k\) is given as
\(D_k : \{0, 1\}^m \times \{0, 1\}^n \to \{0, 1\}^n\) (2)
where \(D_k(C) = P\) for an m-bit key k, n-bit ciphertext C, and n-bit plaintext P. The two functions must satisfy \(D_k(E_k(P)) = P\) for all \(k \in \{0, 1\}^m\).
We use notations as follows.
− \(GF(2^8)\): the finite field of order \(2^8\) (identified with \(\{0, 1\}^8\))
− \(Z_2\): the group of integers modulo 2
− \(A_i\): an 8×8 invertible matrix in \(GL(8, Z_2)\), the general linear group over \(Z_2\)
− \(\cdot\): multiplication of two operands (a matrix and a vector, or two matrices)
− \(\oplus\): bitwise XOR
− \(S_i : GF(2^8) \to GF(2^8)\): defined by \(S_i(x) = A_i \cdot x^{-1} \oplus a_i\), where \(A_i \in GL(8, Z_2)\) and \(a_i \in GF(2^8)\)
− ⋙ n: right circular rotation of the operand by n bits
− ⋘ n: left circular rotation of the operand by n bits
A byte b is regarded as the polynomial \(b_7 x^7 + b_6 x^6 + \cdots + b_0\), where \(b = (b_7 b_6 \cdots b_0)_2\) and \(b_i \in \{0, 1\}\) for i = 0, 1, ⋯, 7.
3. ARIA
We focus on the explanation of 12-round ARIA.
3.1 Key schedule
The key schedule of ARIA uses a 128-, 192- or 256-bit master key for 12, 14 or 16 rounds, respectively. It consists of two processes, initialization and round key generation; we omit them here, and the concrete processes are given in [8]. The decryption round keys are derived from the encryption round keys. Let B be the diffusion layer of ARIA defined in Section 3.4. The decryption round keys for 12-round ARIA are given by
\(DK_1 = EK_{13},\; DK_2 = B \cdot EK_{12},\; DK_3 = B \cdot EK_{11},\; \cdots,\; DK_{12} = B \cdot EK_{2},\; DK_{13} = EK_1,\)
where \(DK_i\) and \(EK_i\) are the i-th round decryption key and encryption key for i = 1, 2, ⋯, 12, respectively, and \(DK_{13}\) and \(EK_{13}\) are the decryption key and encryption key of the final round.
3.2 Key addition
This is a bitwise XOR with the 128-bit round key.
3.3 Substitution layer
There are two s-boxes and their inverses. The s-box \(S_1 : GF(2^8) \to GF(2^8)\) is defined by \(S_1(x) = A_1 \cdot x^{-1} \oplus a_1\), where
\(A_{1}=\left(\begin{array}{llllllll}1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1\end{array}\right) \;\text{and}\; a_{1}=\left(\begin{array}{l}1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0\end{array}\right)\).
The s-box \(S_2 : GF(2^8) \to GF(2^8)\) is defined by \(S_2(x) = A_2 \cdot x^{247} \oplus a_2\), where
\(\begin{align}A_{2}=\left(\begin{array}{llllllll}0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 \\ 1 & 0 & 0 & 1 & 1 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 0 & 0 & 1 & 1\end{array}\right)\;\text{and}\; a_{2}=\left(\begin{array}{l}0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 1\end{array}\right)\end{align}\).
The inverse functions of \(S_1\) and \(S_2\) are denoted by \(S_1^{-1}\) and \(S_2^{-1}\), respectively.
3.4 Diffusion layer
The diffusion layer \(B : GF(2^8)^{16} \to GF(2^8)^{16}\) is defined by
\(\begin{align}B \cdot\left(\begin{array}{c}x_{0} \\ x_{1} \\ \vdots \\ x_{15}\end{array}\right)=\left(\begin{array}{c}y_{0} \\ y_{1} \\ \vdots \\ y_{15}\end{array}\right)\end{align}\)
where
\(\begin{align}B=\left(\begin{array}{llllllllllllllll}0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 0 & 0 & 0 \\ 1 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 1 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1\end{array}\right)\end{align}\)
and \(x_i, y_i \in GF(2^8)\) for i = 0, 1, ⋯, 15. For example, the first row gives
\(y_0 = x_3 \oplus x_4 \oplus x_6 \oplus x_8 \oplus x_9 \oplus x_{13} \oplus x_{14}\).
This linear map B is an involution, i.e. \(B^2 = I\), where B is a 16×16 matrix with coefficients in {0, 1}.
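As an added worked example (not code from the paper), the following Python builds \(S_1\) and \(S_2\) from the affine definitions of Section 3.3 and the diffusion layer B of Section 3.4, and checks the properties the text states: the first row of B reproduces the expression for \(y_0\), \(B^2 = I\), and both s-boxes are bijections; it also applies B to derive the decryption round keys of Section 3.1 from constructed encryption round keys. It assumes that in each matrix row i produces output bit (or byte) i and column j reads input bit (or byte) j with bit 0 the least significant bit, that the top entry of \(a_1\), \(a_2\) is bit 0, and that \(GF(2^8)\) is defined by \(x^8 + x^4 + x^3 + x + 1\); under these assumptions \(S_1\) coincides with the AES S-box, which the check values reflect.

```python
# Added example (not the paper's code): ARIA's s-boxes from Section 3.3 and the
# diffusion layer B from Section 3.4, with checks of the properties the text states.
# Assumptions: GF(2^8) is built on x^8 + x^4 + x^3 + x + 1 (0x11B); in every matrix
# below, row i gives output bit/byte i, column j reads input bit/byte j, bit 0 = LSB.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_pow(x, e):
    """x^e in GF(2^8) by square-and-multiply; 0^e = 0 for e > 0."""
    r, base = 1, x
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def gf_inv(x):
    """Multiplicative inverse (x^254), with the s-box convention 0 -> 0."""
    return gf_pow(x, 254) if x else 0

# A_1, a_1, A_2, a_2 copied from Section 3.3: one string per matrix row, the
# constant column vector written top entry first.
A1 = ["10001111", "11000111", "11100011", "11110001",
      "11111000", "01111100", "00111110", "00011111"]
a1 = "11000110"
A2 = ["01011110", "00111101", "11010111", "10011101",
      "00101100", "10000001", "01011101", "11010011"]
a2 = "01000111"

def affine(rows, const, x):
    """A · x ⊕ a over Z2 with the row/column convention stated above."""
    y = 0
    for i, row in enumerate(rows):
        bit = 0
        for j, c in enumerate(row):
            if c == "1":
                bit ^= (x >> j) & 1
        y |= bit << i
    return y ^ int(const[::-1], 2)   # top entry of the column vector is bit 0

def S1(x):
    """S_1(x) = A_1 · x^{-1} ⊕ a_1."""
    return affine(A1, a1, gf_inv(x))

def S2(x):
    """S_2(x) = A_2 · x^{247} ⊕ a_2."""
    return affine(A2, a2, gf_pow(x, 247))

def is_bijection(sbox):
    return sorted(sbox(x) for x in range(256)) == list(range(256))

# The 16×16 matrix B of Section 3.4, one string per row.
B = [[int(c) for c in row] for row in [
    "0001101011000110", "0010010111001001", "0100101000111001", "1000010100110110",
    "1010010010010011", "0101100001100011", "1010000101101100", "0101001010011100",
    "1100100100100101", "1100011000011010", "0011011010000101", "0011100101001010",
    "0110001101011000", "1001001110100100", "1001110001010010", "0110110010100001"]]

def diffusion(x):
    """y = B · x on a list of 16 bytes: y_i is the XOR of the x_j with B[i][j] = 1."""
    y = []
    for row in B:
        acc = 0
        for j, c in enumerate(row):
            if c:
                acc ^= x[j]
        y.append(acc)
    return y

def y0_terms():
    """Indices j with B[0][j] = 1, i.e. the x_j that appear in y_0."""
    return [j for j, c in enumerate(B[0]) if c]

def b_is_involution():
    """B^2 = I, checked by applying B twice to each unit vector e_j."""
    for j in range(16):
        e = [int(i == j) for i in range(16)]
        if diffusion(diffusion(e)) != e:
            return False
    return True

def decryption_round_keys(ek):
    """Section 3.1: DK_1 = EK_13, DK_i = B · EK_{14-i} for 2 <= i <= 12, DK_13 = EK_1.
    ek holds EK_1 .. EK_13 as 16-byte lists; returns DK_1 .. DK_13."""
    assert len(ek) == 13
    return [ek[12]] + [diffusion(ek[12 - i]) for i in range(1, 12)] + [ek[0]]
```

Because every row of B has exactly seven ones, applying B to a constant vector returns that vector, so the constructed round keys used in the check are deliberately non-constant where B has to do any work; `b_is_involution` is the direct test of the \(B^2 = I\) claim that justifies deriving decryption keys by a single application of B.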
3.5 The cipher
We mainly explain 12-round ARIA in this paper. The i-th round function (1 ≤ i ≤ 11) is DL∘SL∘KA, where KA is the key addition, SL is the substitution layer and DL is the diffusion layer. Figure 1 shows the process DL∘SL∘KA. The final round function is KA∘SL∘KA, and its figure is analogous. The decryption process is the reverse of the encryption process and uses the decryption round keys of Section 3.1 instead of the encryption round keys: the i-th round function (1 ≤ i ≤ 11) is KA∘SL∘DL and the final round function is KA∘SL∘KA.
<Fig. 1> The i-th round of ARIA (i = 1, 2, ⋯ , 11)
The encryption and decryption processes are shown in Figure 2. Each process consists of eleven identical round functions followed by a different final round function.
An ARIA implementation can be built from the tables listed in Table 1.
<Fig. 2> Encryption and Decryption processes of ARIA
<Table 1> The number and size of the ARIA implementation
4. White-box ARIA Implementation
We only present a white-box ARIA implementation for the encryption process. The white-box ARIA implementation for the decryption process is obtained by a similar method and is omitted.
4.1 Blocking method
A white-box implementation of a block cipher is made by adding extra information to the block cipher. After dividing the block cipher into parts, we hide information about each original part using extra linear and nonlinear components. Each part is implemented by many input/output lookup tables. Depending on the implementation method, there are either 2 types of tables (8-bit input/128-bit output tables and 8-bit input/4-bit output tables) or 3 types (8-bit input/128-bit output, 8-bit input/4-bit output and 8-bit input/32-bit output tables).
4.2 Application to ARIA-128
We divide each round of ARIA as in Section 3.5, and then build a white-box ARIA implementation by splitting each round into two blocks. Let \(U_i\) be the i-th round function of the white-box ARIA implementation (i = 1, 2, ⋯, 12). Then the white-box ARIA implementation is constructed as follows:
\(U_i = (Q_i \circ R_i) \circ (R_i^{-1} \circ DL \circ SL \circ KA \circ P_i), \quad i = 1, 2, \cdots, 11\) (3)
where \(P_i, Q_i\) (i = 1, 2, ⋯, 11) are each composed of 16 matrices in \(GL(8, Z_2)\) and \(R_i\) (i = 1, 2, ⋯, 11) is a matrix in \(GL(128, Z_2)\). The 12-th round function \(U_{12}\) of the white-box ARIA implementation is given as follows:
\(U_{12} = (Q_{12} \circ R_{12}) \circ (R_{12}^{-1} \circ KA \circ SL \circ KA \circ P_{12})\) (4)
where \(P_{12}, Q_{12}\) are composed of 16 matrices in \(GL(8, Z_2)\) and \(R_{12}\) is a matrix in \(GL(128, Z_2)\).
In Equations (3) and (4), \(Q_i\) and \(P_{i+1}\) satisfy \(P_{i+1} = Q_i^{-1}\) for i = 1, 2, ⋯, 11. To improve the security of the white-box ARIA implementation, we add nonlinear input encodings before \(P_i\) and \(R_i\), and nonlinear output encodings after \(R_i^{-1}\) and \(Q_i\). Both the nonlinear input encodings and the nonlinear output encodings are composed of 32 4-bit input/4-bit output nonlinear functions. The i-th round functions \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\) (i = 1, 2, ⋯, 11) and \(Q_i \circ R_i\) (i = 1, 2, ⋯, 11) of the white-box ARIA implementation, including the nonlinear encodings, are shown in Figure 3 and Figure 4, respectively. The input encodings, \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\) (i = 1, 2, ⋯, 11), \(Q_i \circ R_i\) (i = 1, 2, ⋯, 12) and \(R_{12}^{-1} \circ KA \circ SL \circ KA \circ P_{12}\) are composed of 8-bit input/128-bit output tables, with 8-bit input/4-bit output tables (XOR tables) between them.
<Fig. 3> \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\) (i = 1, 2, ⋯, 11) of the white-box ARIA implementation
<Fig. 4> \(Q_i \circ R_i\) (i = 1, 2, ⋯, 11) of the white-box ARIA implementation
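The following Python is an added toy model of the two-block round of Equation (3), not code from the paper. It realises one round as two banks of sixteen 8-bit input/128-bit output tables (the first computing \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\), the second \(Q_i \circ R_i\), each split by input byte and recombined by XOR), chains two rounds with \(P_{i+1} = Q_i^{-1}\), and checks that after the external encodings \(P_1^{-1}\) and \(Q_{\text{last}}^{-1}\) are removed the table network equals the plain rounds. The S-box, the 128-bit linear layer, the round keys and the plaintext are constructed stand-ins for SL, DL, KA and the input; the paper's nonlinear 4-bit nibble encodings are not modelled, and a plain 128-bit XOR stands in for its network of 8-bit input/4-bit output XOR tables. The helper names (`mat_vec`, `mat_inverse`, `random_gl`, `build_round_tables`, `make_whitebox`, `check_equivalence`) are this example's own.

```python
import random

# Added example (not the paper's code): a toy of the table-based white-box round of
# Section 4.2. A 128-bit int packs 16 bytes, byte j in bits 8j..8j+7. A matrix over Z2
# is a list of row bitmasks, and (M·v) has bit i = parity(row_i & v). The S-box, the
# linear layer, the round keys and the plaintext are constructed stand-ins; the paper's
# nonlinear 4-bit nibble encodings are not modelled, and a 128-bit XOR stands in for its
# network of 8-bit-input/4-bit-output XOR tables.

def mat_vec(rows, v):
    out = 0
    for i, r in enumerate(rows):
        if bin(r & v).count("1") & 1:
            out |= 1 << i
    return out

def mat_inverse(rows):
    """Gauss-Jordan over Z2 on [A | I]; returns the inverse's rows, or None if singular."""
    n = len(rows)
    aug = [(r, 1 << i) for i, r in enumerate(rows)]
    for col in range(n):
        piv = next((k for k in range(col, n) if aug[k][0] >> col & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for k in range(n):
            if k != col and aug[k][0] >> col & 1:
                aug[k] = (aug[k][0] ^ aug[col][0], aug[k][1] ^ aug[col][1])
    return [inv for _, inv in aug]

def random_gl(n, rng):
    while True:                                   # about 29% of random matrices qualify
        rows = [rng.getrandbits(n) for _ in range(n)]
        inv = mat_inverse(rows)
        if inv is not None:
            return rows, inv

def apply_bytewise(mats, v):
    """Sixteen 8×8 matrices, one per byte position: the shape of P_i and Q_i."""
    out = 0
    for j in range(16):
        out |= mat_vec(mats[j], (v >> (8 * j)) & 0xFF) << (8 * j)
    return out

_setup = random.Random(2024)
SBOX = list(range(256)); _setup.shuffle(SBOX)            # constructed stand-in for SL
DL = random_gl(128, _setup)[0]                            # constructed stand-in for DL
ROUND_KEYS = [_setup.getrandbits(128) for _ in range(2)]  # constructed keys for KA

def plain_round(x, k):
    """Reference DL∘SL∘KA on a 128-bit state."""
    s = 0
    for j in range(16):
        s |= SBOX[((x ^ k) >> (8 * j)) & 0xFF] << (8 * j)
    return mat_vec(DL, s)

def build_round_tables(P, Q, R, Rinv, k):
    """Equation (3) as two banks of sixteen 8-bit-in/128-bit-out tables:
    bank 1 is R_i^{-1}∘DL∘SL∘KA∘P_i, bank 2 is Q_i∘R_i, each split per input byte."""
    t1, t2 = [], []
    for j in range(16):
        col1, col2 = [], []
        for e in range(256):
            x = mat_vec(P[j], e)                                      # strip input encoding P_i
            s = SBOX[x ^ ((k >> (8 * j)) & 0xFF)]                     # KA then SL on byte j
            col1.append(mat_vec(Rinv, mat_vec(DL, s << (8 * j))))     # DL share, then R_i^{-1}
            col2.append(apply_bytewise(Q, mat_vec(R, e << (8 * j))))  # R_i share, then Q_i
        t1.append(col1); t2.append(col2)
    return t1, t2

def run_tables(bank, v):
    """Look up every byte of v and XOR the sixteen 128-bit results (the XOR-table stage)."""
    out = 0
    for j in range(16):
        out ^= bank[j][(v >> (8 * j)) & 0xFF]
    return out

def make_whitebox(rng, keys):
    """Per-round tables plus the external encodings P_1^{-1} and Q_last^{-1}.
    Internally P_{i+1} = Q_i^{-1}, so adjacent rounds cancel each other's encodings."""
    P = [random_gl(8, rng) for _ in range(16)]
    p1_inv = [inv for _, inv in P]
    rounds = []
    for k in keys:
        Q = [random_gl(8, rng) for _ in range(16)]
        R, Rinv = random_gl(128, rng)
        rounds.append(build_round_tables([m for m, _ in P], [m for m, _ in Q], R, Rinv, k))
        P = [(inv, m) for m, inv in Q]
    return rounds, p1_inv, [inv for _, inv in Q]

def check_equivalence(seed=7):
    """Table network and reference rounds agree once the external encodings are removed."""
    rng = random.Random(seed)
    rounds, p1_inv, qlast_inv = make_whitebox(rng, ROUND_KEYS)
    x = rng.getrandbits(128)                                  # constructed plaintext block
    e, ref = apply_bytewise(p1_inv, x), x
    for (t1, t2), k in zip(rounds, ROUND_KEYS):
        e, ref = run_tables(t2, run_tables(t1, e)), plain_round(ref, k)
    return apply_bytewise(qlast_inv, e) == ref
```

The design point the model makes visible is why the split works at all: everything after the S-box in a round (DL, \(R_i^{-1}\), \(R_i\), \(Q_i\)) is linear over \(Z_2\), so each input byte's contribution can be tabulated separately and the contributions XORed, while the only nonlinear step, SL, sits inside an 8-bit-input table where it costs nothing. Because each first-bank entry is multiplied by the secret \(R_i^{-1}\), no single table exposes the round's true output; the paper adds 4-bit nonlinear encodings on top of this linear structure, which this toy omits.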
4.3 A variant for efficiency improvement
For \(Q_i \circ R_i\), i = 1, 2, ⋯, 11, we can use 8-bit input/32-bit output tables instead of 8-bit input/128-bit output tables. Since fewer XOR tables are needed in this case, the storage of the system is reduced.
5. Analysis
5.1 Size and performance
The white-box ARIA implementation of Section 4.2 needs the numbers and sizes of tables given in Table 2. Since a different XOR table is needed for each calculation, the implementation contains many XOR tables.
<Table 2> The number and size of the white-box ARIA implementation
The result for the variant of Section 4.3 is given in Table 3. This white-box ARIA implementation is 2.4 times larger than the original ARIA implementation, and because of the many XOR tables it needs 39.9 times as many tables as the original ARIA implementation.
<Table 3> The number and size of the variant of the white-box ARIA implementation
5.2 Security
5.2.1 Strength against known attacks
ARIA uses two s-boxes and a diffusion layer given by a 16×16 matrix, whereas Billet et al.'s attack applies to an implementation using one s-box and a 4×4 matrix in each round. Our implementation is secure against the original Billet et al. attack.
5.2.2 White-box diversity and ambiguity
There are two measures of white-box cryptographic security: white-box diversity and white-box ambiguity. White-box diversity is the total number of distinct implementations; white-box ambiguity is the number of implementations equivalent to a given one. There are four types of tables in our implementation: input encoding tables, the i-th round function \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\) (i = 1, 2, ⋯, 11) tables, the i-th round function \(Q_i \circ R_i\) (i = 1, 2, ⋯, 11) tables, and XOR tables.
White-box Diversity
White-box diversity measures the number of distinct implementations for a given table type. We obtain the following white-box diversity.
• Input decoding tables: \((16!)^2 \times 20160^{64} \times (16!)^{32} \approx 2^{2419.7}\)
• \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\) (i = 1, 2, ⋯, 11) tables: \((16!)^2 \times 256 \times 2^{62.2} \times 2^{256} \times (16!)^8 \approx 2^{768.1}\)
• \(Q_i \circ R_i\) (i = 1, 2, ⋯, 11) tables: \((16!)^2 \times 2^{256} \times (16!)^8 \approx 2^{698.5}\)
• XOR tables: \((16!)^2 \times 16! \approx 2^{132.8}\)
White-box Ambiguity
White-box ambiguity measures the number of alternative implementations for a given table. We obtain the following white-box ambiguity.
• Input decoding tables: \((16!)^2 \times 20160^{32} \approx 2^{546.1}\)
• \(R_i^{-1} \circ DL \circ SL \circ KA \circ P_i\) (i = 1, 2, ⋯, 11) tables: \((16!)^2 \times 15! \approx 2^{128.8}\)
• \(Q_i \circ R_i\) (i = 1, 2, ⋯, 11) tables: \((16!)^2 \times 20160^2 \approx 2^{117.1}\)
• XOR tables: \(16! \times 16 \approx 2^{48.3}\)
6. Conclusion
ARIA is a block cipher designed by Korean researchers and widely used. It has been designated as a standard cryptographic technique by the Korean Agency for Technology and Standards. In this paper, we presented the first white-box implementation of the ARIA block cipher, using a form of obfuscation. The technique is similar to the white-box AES implementation and is based on lookup tables. While this implementation requires more tables than Chow et al.'s AES implementation, it provides ample security in terms of white-box diversity and white-box ambiguity. White-box cryptography is commonly employed in digital rights management to prevent the unauthorized distribution of data such as music and videos. It works by encrypting the data and providing the various kinds of information needed to access it only to authorized devices. Our white-box ARIA implementation ensures that the data remains secure and that only legitimate users can access it. Nevertheless, there is still room for more efficient white-box ARIA implementations and for attacks on this white-box ARIA implementation.
References
[1] J. Bringer, H. Chabanne and E. Dottax, "White box cryptography: Another attempt", Cryptology ePrint Archive, Report 2006/468, 2006, http://eprint.iacr.org/.
[2] A. Biryukov, C. De Cannière, A. Braeken and B. Preneel, "A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms", EUROCRYPT 2003, LNCS Vol. 2656, pp. 33-50, Springer, Heidelberg, 2003.
[3] O. Billet, H. Gilbert and C. Ech-Chatbi, "Cryptanalysis of a white box AES implementation", SAC 2004, LNCS Vol. 3357, pp. 227-240, Springer, Heidelberg, 2004.
[4] S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot, "White-box cryptography and an AES implementation", SAC 2002, LNCS Vol. 2595, pp. 250-270, Springer, Heidelberg, 2003.
[5] S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot, "A White-Box DES Implementation for DRM Applications", DRM 2002, LNCS Vol. 2696, pp. 1-15, Springer, Heidelberg, 2003.
[6] L. Goubin, J. M. Masereel and M. Quisquater, "Cryptanalysis of white box DES implementations", SAC 2007, LNCS Vol. 4876, pp. 278-295, Springer, Heidelberg, 2007.
[7] M. Karroumi, "Protecting White-Box AES with Dual Ciphers", ICISC 2010, LNCS Vol. 6829, pp. 278-291, Springer, Heidelberg, 2011.
[8] D. Kwon, J. Kim, S. Park, S. H. Sung, Y. Sohn, J. H. Song, Y. Yeom, E. Yoon, S. Lee, J. Lee, S. Chee, D. Han and J. Hong, "New Block Cipher: ARIA", ICISC 2003, LNCS Vol. 2971, pp. 432-445, Springer, Heidelberg, 2004.
[9] H. E. Link and W. D. Neumann, "Clarifying obfuscation: Improving the security of white-box DES", International Conference on Information Technology: Coding and Computing, Vol. I, pp. 679-684, IEEE Computer Society Press, Washington, DC, USA, 2005.
[10] T. Lepoint, M. Rivain, Y. De Mulder, P. Roelse and B. Preneel, "Two Attacks on a White-Box AES Implementation", SAC 2013, LNCS Vol. 8282, pp. 265-285, Springer, Heidelberg, 2013.
[11] W. Michiels, P. Gorissen and H. D. L. Hollmann, "Cryptanalysis of a Generic Class of White-Box Implementations", SAC 2008, LNCS Vol. 5381, pp. 414-428, Springer, Heidelberg, 2009.
[12] Y. De Mulder, B. Wyseur and B. Preneel, "Cryptanalysis of a Perturbated White-box AES Implementation", INDOCRYPT 2010, LNCS Vol. 6498, pp. 292-310, Springer, Heidelberg, 2010.
[13] C. E. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol. 28, No. 4, pp. 656-715, 1949. https://doi.org/10.1002/j.1538-7305.1949.tb00928.x
[14] B. Wyseur, W. Michiels, P. Gorissen and B. Preneel, "Cryptanalysis of white-box DES implementations with arbitrary external encodings", SAC 2007, LNCS Vol. 4876, pp. 264-277, Springer, Heidelberg, 2007.
[15] H. T. Kim, "Attacks of Modified White-box AES Implementations", Journal of Social Convergence Studies, Vol. 5, No. 2, pp. 1-13, 2021. https://doi.org/10.37181/JSCS.2021.5.2.001
[16] H. T. Kim, "On Conditions to Satisfy White-Box Cryptography", Journal of Security Engineering, Vol. 11, No. 2, pp. 155-164, 2014. https://doi.org/10.14257/jse.2014.04.02