DOI QR코드

DOI QR Code

화이트박스 ARIA 구현

A White-box ARIA Implementation

  • 투고 : 2024.01.22
  • 심사 : 2024.03.04
  • 발행 : 2024.03.31

초록

화이트박스 구현은 암호 시스템의 비밀키를 보호하는데 사용되는 암호화 기술이다. 주로 음악, 비디오 등의 디지털 저작권 관리에 사용된다. 2002년 이후, 안전한 디지털 저작권 관리를 확보하기 위해 많은 화이트박스 구현이 개발되었다. 이는 고급 암호화 표준(AES) 및 데이터 암호화 표준(DES)에 적용되었다. ARIA는 대합(involution) 대입 치환 네트워크(SPN)를 사용하는 128비트 블록 암호로, 2004년에 한국 표준으로 채택되었다. 본 논문에서는 최초의 화이트박스 ARIA 구현을 제안한다. 우리의 구현은 전체 크기가 1,984KB인 7,696개의 조회 테이블로 구성된다. 안전성 측면에서 현저한 화이트박스 다양성과 화이트박스 모호함이 있음을 보인다.

The white-box implementation is a cryptographic technique used to protect the secret key of a cryptographic system. It is primarily employed for digital rights management for music and videos. Since 2002, numerous white-box implementations have been developed to ensure secure digital rights management. These have been applied to AES and DES. ARIA, a 128-bit block cipher with an involution substitution and permutation network (SPN), was selected as a South Korean standard in 2004. In this paper, we propose the first white-box ARIA implementation. Our implementation consists of 7,696 lookup tables, with a total size of 1,984 KB. We demonstrate that it also has considerable white-box diversity and white-box ambiguity from a security perspective.

키워드

1. Introduction

In 2002, Chow et al. introduced the first white-box implementations [4, 5]. They proposed a white-box Advanced Encryption Standard (AES) implementation using a table-based method [4]. They could reduce the storage using a lot of small XOR tables instead of a few big tables. Billet et al. provided an algebraic attack on Chow et al.’s white-box AES implementation with less than 230 computational complexity [3]. Bringer et al. presented a new white-box AES implementation with extra random parts [1]. Some different S-boxes instead of the original AES S-box were used in this scheme. Mulder et al. provided an algebraic attack on Bringer et al.’s white-box AES implementation to get an equivalent key with 217 computational complexity [12]. Kim presented modified White-box AES implementations and attacked them [15, 16].

The white-box Data Encryption Standard (DES) implementation was proposed by Chow et al. [5], and then by Link and Neumann [9]. Those schemes were broken in a few years later [6, 14]. According to those papers, white-box DES implementations presented were broken with 214 computational complexity.

In 2008, Michiels et al. defined a generic class of white-box implementations over general substitution-linear transformation (SLT) cipher and presented a cryptanalysis on white-box implementations for block cipher with this property [11]. They exploited two main techniques, one by Billet et al. [3] and the other by Biryukov et al. [2]. Karroumi presented a white-box AES implementation to enhance the security using 61,200 dual ciphers of AES [7]. These dual ciphers are made of different types of AES original operations and give the same result as the original AES. Lepoint et al. extracted the key from Karroumi’s white-box AES implementation with 222 computational complexity [10].

In 2003, Kwon et al. proposed a block cipher called ARIA [8]. The name ARIA comes from the initials of Academy, Research Institute, and Agency which means cooperative efforts of Korean researchers in designing ARIA. It is a Korean standard block cipher which is an involution SPN structure. Also, the Internet Engineering Task Force specifies a set of cipher suites for the Transport Layer Security protocol to support the ARIA encryption algorithm in 2011. We introduce the first white-box ARIA implementation using many lookup tables containing different Exclusive Or (XOR) tables.

The remainder of this paper is organized as follows. In Section 2, we give some notations and introduce the definition of block cipher. The specifications of ARIA are given in Section 3. In Section 4, we give a white-box ARIA implementation. Analysis of the performance and the security is given in Section 5. We end with some remarks in Section 6.

2. Preliminaries

Shannon presented two methods for a secure cipher, confusion, and diffusion, respectively [13]. The method of confusion is to make the relation between the ciphertext and the key complex and involved. The method of diffusion is to make the partial part of the plaintext influence many parts of the ciphertext. By applying these methods iteratively, the cryptosystem can be made more secure. This principle is commonly used in most block ciphers.

An n-bit block cipher is a deterministic function mapping n-bit plaintext blocks to n-bit ciphertext blocks. The block cipher consists of the encryption function Ek and the decryption function Dk. The encryption function Ek is given as follows:

Ek : {0, 1}m × {0, 1}n → {0, 1}n       (1)

where Ek(P)=C for m-bit key k, n-bit plaintext P, and n-bit ciphertext C. The decryption function Dk is given as

Dk : {0, 1}m × {0, 1}n → {0, 1}n       (2)

where Dk(C)=P for m-bit key k, n-bit ciphertext C, and n-bit plaintext P. Two functions must have the property that Dk(Ek(P))=P for all k ∈ {0, 1}m.

We use notations as follows.

− GF(28) : Finite field with order 28 (or {0, 1}8)

− Z2 : Group of integers modulo 2

− Ai : 8×8 invertible matrix of GL(8, Z2) where GL(8, Z2) is a general linear group over Z2

− · : Multiplication of two operands, matrix and vector, or two matrices

− ⊕ : A bitwise XOR operation

− Si : GF(28) → GF(28) defined by Si(x) = Ai · x−1 ⊕ ai where Ai ∈ GL(8, Z2) and ai ∈ GF(28)

− ⋙ n : Right circular rotation of operand by n bits

− ⋘ n : Left circular rotation of operand by n bits

A byte b can be considered as a polynomial b7x7 + b6x7 + ⋯ + b0 where b = (b7b6 ⋯b0)2 and bi∈{0, 1} for i = 0, 1, ⋯ , 7.

3. ARIA

We focus on the explanation of the block cipher ARIA with 12-round.

3.1 Key schedule

The key schedule of ARIA uses 128-, 196- or 256-bit master key for 12-, 14- or 16-round, respectively. It consists of two processes which are initialization and round key generation, respectively. We omit these and you can get the concrete processes in [8]. The decryption round keys are derived from the encryption round keys. Let B be the diffusion layer of ARIA in Section 3.4. The decryption round keys for ARIA with 12-rounds are given by

DK1 = EK13, DK2 = B · EK12,

DK3 = B · EK11, ⋯ ,

DK12 = B · EK2, DK13 = EK1,

where DKi and EKi are the i-th round decryption key and encryption key for i = 1, 2, ⋯ , 12, respectively. DK13 and EK13 are the last round decryption key and encryption key of the final round, respectively.

3.2 Key addition

This is done by bitwise XOR operation with 128-bit round key.

3.3 Substitution layer

There exist two s-boxes and their inverses. The s-box S1 : GF(28) → GF(28) is defined by S1(x) = A1 · x−1 ⊕ a1 where

\(A_{1}=\left(\begin{array}{llllllll}1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1\end{array}\right) \; and \;a_{1}=\left(\begin{array}{l}1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0\end{array}\right)\).

The s-box S2 : GF(28) → GF(28) is defined by S2(x) = A2 · x247 ⊕ a2 where

\(\begin{align}A_{2}=\left(\begin{array}{llllllll}0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 \\ 1 & 0 & 0 & 1 & 1 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 0 & 0 & 1 & 1\end{array}\right)\; and \; a_{2}=\left(\begin{array}{l}0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 1\end{array}\right)\end{align}\).

The inverse functions of S1 and S2 are denoted by S-11 and S-12, respectively.

3.4 Diffusion layer

The diffusion layer B : GF(28)16 → GF(28)16 is defined by

\(\begin{align}B \cdot\left(\begin{array}{c}x_{0} \\ x_{1} \\ \vdots \\ x_{15}\end{array}\right)=\left(\begin{array}{c}y_{0} \\ y_{1} \\ \vdots \\ y_{15}\end{array}\right)\end{align}\)

where

\(\begin{align}B=\left(\begin{array}{llllllllllllllll}0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 0 & 0 \\ 1 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 0 & 0 & 0 \\ 1 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 1 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1\end{array}\right)\end{align}\)

and xi, yi are in GF(28) for i = 0, 1, ⋯ , 15. For example, we get

y0 = x3 ⊕ x4 ⊕ x6 ⊕ x8 ⊕ x9 ⊕ x13 ⊕ x14

from the above. This linear map B has an involution structure, i.e. B2 = identity where B is a 16×16 matrix with coefficients in {0, 1}.

3.5 The cipher

We explain mainly 12-round ARIA in this paper. The i-th round function(1 ≤ i ≤ 11) is given by DL◦SL◦KA, where KA is the key addition, SL is the substitution layer and DL is the diffusion layer. Figure 1 shows the process of DL◦SL◦KA. The final round function is given by KA◦SL◦KA and the figure of this is given similarly. The decryption process is the reverse of the encryption process and uses different round keys compared to encryption round keys as Section 3.1. The i-th round function(1 ≤ i ≤ 11) is given by KA◦SL◦DL and the final round function is given by KA◦SL◦KA.

SOBTCQ_2024_v24n1_69_4_f0001.png 이미지

<Fig. 1> The i-th round of ARIA (i = 1, 2, ⋯ , 11)

The encryption and decryption processes are given in Figure 2. Both processes have eleven same round functions and a different round function, respectively

We can get the ARIA implementation using the tables in Table 1.

SOBTCQ_2024_v24n1_69_4_f0002.png 이미지

<Fig. 2> Encryption and Decryption processes of ARIA

<Table 1> The number and size of the ARIA implementation

SOBTCQ_2024_v24n1_69_5_t0001.png 이미지

4. White-box ARIA Implementation

We only present a white-box ARIA implementation for the encryption process. White-box ARIA implementation for the decryption process is given by a similar method and we omit this

4.1 Blocking method

White-box implementation for a block cipher was made by adding extra information to the block cipher. After dividing a block cipher into some parts, we hide information about the original part using extra information with linear and nonlinear components. Each part of these is implemented by many input/output tables. There exist 2 types (8-bit input/128-bit output tables, 8-bit input/4-bit output tables) or 3 types (8-bit input/128-bit output tables, 8-bit input/4-bit output tables, 8-bit input/32-bit output tables) of tables according to the implementation method.

4.2 Application to ARIA-128

We divided each round of ARIA as Section 3.5. After this, we suggest a white-box ARIA implementation dividing each round of ARIA into two blocks. Let Ui be the i-th round function of white-box ARIA implementation(i = 1, 2, ⋯ , 12). Then we can make a white-box ARIA implementation as follows:

Ui = (Qi◦Ri)◦(R−1i◦DL◦SL◦KA◦Pi),

where i = 1, 2, ⋯ , 11       (3)

where Pi, Qi(i = 1, 2, ⋯ , 11) are composed of 16 matrices in GL(8, Z2) and Ri(i = 1, 2, ⋯ , 11) is a matrix in GL(128, Z2). The 12-th round function U12 of white-box ARIA implementation is given as follows:

U12 = (Q12◦R12)◦(R−112◦KA◦SL◦KA◦P12)       (4)

where P12, Q12 are composed of 16 matrices in GL(8, Z2) and R12 is a matrix in GL(128, Z2).

In Equation (3) and Equation (4), Qi, Pi+1 have the relation Pi+1 = Q−1i for i = 1, 2, ⋯ , 11. We add nonlinear input encodings in the previous position of Pi, Ri and nonlinear output encodings in the latter position of Ri-1, Qi to improve the security of white-box ARIA implementation. Both nonlinear input encodings and nonlinear output encodings are composed of 32 4-bit input/4-bit output nonlinear functions, respectively. The i-th round functions Ri-1◦DL◦SL◦KA◦Pi(i = 1, 2, ⋯ , 11) and Qi◦Ri(i = 1, 2, ⋯ , 11) of white-box ARIA implementation including nonlinear encodings are shown in Figure 3 and Figure 4, respectively. Input encodings Ri-1◦DL◦SL◦KA◦Pi(i = 1, 2, ⋯ , 11), Qi◦Ri(i = 1, 2, ⋯ , 12) and R−112◦KA◦SL◦KA◦P12 are composed of 8-bit input/128-bit output tables. There exist 8-bit input/4-bit output tables (XOR tables) between them.

SOBTCQ_2024_v24n1_69_5_f0001.png 이미지

<Fig. 3> R−1i◦DL◦SL◦KA◦Pi (i = 1, 2, ⋯ , 11) of white-box ARIA implementation

SOBTCQ_2024_v24n1_69_6_t0002.png 이미지

<Fig. 4> Qi◦Ri (i = 1, 2, ⋯ , 11) of white-box ARIA implementation

4.3 A variant for efficiency improvement

We can change into 8-bit input/32-bit output tables instead of 8-bit input/128-bit output tables in Qi◦Ri for i = 1, 2, ⋯ , 11. Since we need fewer numbers of XOR tables in this case, we can reduce the storage of the system.

5. Analysis

5.1 Size and performance

We need many tables and sizes for the white-box ARIA implementation in Section 4.2 as Table 2. Since we need different XOR tables for each calculation, there are many XOR tables to do this implementation.

<Table 2> The number and size of the white-box ARIA implementation

SOBTCQ_2024_v24n1_69_6_t0001.png 이미지

The result of the variant of the white-box ARIA implementation in Section 4.3 is given in Table 3. This white-box ARIA implementation is 2.4 times larger than the original ARIA implementation. Since there are many XOR tables to do this white-box ARIA implementation, it needs 39.9 times tables more than the original ARIA implementation.

<Table 3> The number and size of the variant of the white-box ARIA implementation

SOBTCQ_2024_v24n1_69_6_t0003.png 이미지

5.2 Security

5.2.1 Strength against known attacks

ARIA consists of two s-boxes and a diffusion layer using a 16×16 matrix. Billet et al.’s attack is applied to an implementation using one s-box and a 4×4 matrix for each round. Our implementation is secure against the original Billet et al.’s attack.

5.2.2 White-box diversity and ambiguity

There are two types of measures for white-box cryptography security. These are white-box diversity and white-box ambiguity, respectively. White-box diversity is the total number of existing implementations. White-box ambiguity is the number of the same implementations for a given implementation. There are four types of tables in our implementation. They are input encoding tables, i-th round function Ri-1◦DL◦SL◦KA◦Pi(i = 1, 2, ⋯ , 11) tables, i-th round function Qi◦Ri(i = 1, 2, ⋯ , 11) tables, and XOR tables.

White-box Diversity

White-box diversity measures the number of distinct implementations for a given type. We have white-box diversity as follows.

• Input decoding tables

: (16!)2×2016064×(16!)32 ≈ 22419.7

• Ri-1◦DL◦SL◦KA◦Pi(i = 1, 2, ⋯ , 11)

tables : (16!)2×256×262.2×2256×(16!)8 ≈ 2768.1

• Qi◦Ri(i = 1, 2, ⋯ , 11) tables

: (16!)2×2256×(16!)8 ≈ 2698.5

• XOR tables : (16!)2×16! ≈ 2132.8

White-box Ambiguity

White-box ambiguity measures the number of alternative implementations for a given table. We have white-box diversity as follows.

• Input decoding tables : (16!)2×2016032 ≈ 2546.1

• Ri-1◦DL◦SL◦KA◦Pi(i = 1, 2, ⋯ , 11)

tables : (16!)2×15! ≈ 2128.8

• Qi◦Ri(i = 1, 2, ⋯ , 11) tables

: (16!)2×201602 ≈ 2117.1

• XOR tables : 16!×16 ≈ 248.3

6. Conclusion

The ARIA is a block cipher designed by Korean researchers and widely utilized. It has been designated as a standard cryptographic technique by the Korean Agency for Technology and Standards. In this paper, we presented the first white-box implementation for the ARIA block cipher utilizing a form of obfuscation. This technique is similar to the white-box AES implementation and involves the use of tables. While this implementation necessitates more tables than Chow et al.’s AES implementation, it assures ample security concerning white-box diversity and white-box ambiguity. White-box cryptography is commonly employed in digital rights management to prevent the unauthorized distribution of data such as music and videos. It functions by encrypting the data and furnishing various information types accessible solely to authorized devices. Our white-box ARIA implementation ensures that the data remains secure and only legitimate users can access it. Nevertheless, there is still room for more efficient white-box ARIA implementations and adequate attacks against this white-box ARIA implementation.

참고문헌

  1. J. Bringer, H. Chabanne and E. Dottax, "White box cryptography: Another attempt", Cryptology ePrint Archive, Report 2006/468, 2006, http://eprint.iacr.org/.
  2. A. Biryukov, C. De Canni'ere, A. Braeken and B. Preneel, "A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms", EUROCRYPT 2003, LNCS Vol. 2656, pp. 33-50. Springer, Heidelberg, 2003.
  3. O. Billet, H. Gilbert and C. Ech-Chatbi, "Cryptanalysis on a white box AES implementation", SAC 2004, LNCS Vol. 3357, pp. 227-240. Springer, Heidelberg, 2004.
  4. S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot, "White-box cryptography and an AES implementation", SAC 2002, LNCS Vol. 2595, pp. 250-270. Springer, Heidelberg, 2003.
  5. S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot, "A White-Box DES Implementation for DRM Applications", DRM 2002, LNCS Vol. 2696, pp. 1-15. Springer, Heidelberg, 2003.
  6. L. Goubin, J. M. Masereel and M. Quisquater, "Cryptanalysis on white box DES implementations", SAC 2007, LNCS Vol. 4876, pp. 278-295. Springer, Heidelberg, 2007.
  7. M. Karroumi, "Protecting White-Box AES with Dual Ciphers", ICISC 2010, LNCS Vol. 6829, pp. 278-291, Springer, Heidelberg, 2011.
  8. D. Kwon, J. Kim, S. Park, S. H. Sung, Y. Sohn, J. H. Song, Y. Yeom, E. Yoon, S. Lee, J. Lee, S. Chee, D. Han and J. Hong, "New Block Cipher: ARIA", ICISC 2003, LNCS 2971, pp.432-445, Springer, Heidelberg, 2004.
  9. H. E. Link and W. D. Neumann, "Clarifying obfuscation: Improving the security of whitebox DES", International Conference on Information Technology: Coding and Computing, Vol. I, pp. 679-684, IEEE Computer Society Press, Washington, DC, USA, 2005.
  10. T. Lepoint, M. Rivain, Y. D. Mulder, P. Roelse and B. Preneel, "Two Attacks on a White-Box AES Implementation", SAC 2013, LNCS Vol. 8282, pp. 265-185. Springer, Heidelberg, 2013.
  11. W. Michiels, P. Gorissen and H. D. L. Hollmann, "Cryptanalysis on a Generic Class of White-Box Implementations", SAC 2008, LNCS Vol. 5381, pp. 414-428. Springer, Heidelberg, 2009.
  12. Y. D. Mulder, B. Wyseur and B. Preneel, "Cryptanalysis on a Perturbated White-box AES Implementation", INDOCRYPT 2010, LNCS Vol. 6498, pp. 292-310. Springer, Heidelberg, 2010.
  13. C. E. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol. 28, No. 4, pp. 656-715, 1949. https://doi.org/10.1002/j.1538-7305.1949.tb00928.x
  14. B. Wyseur, W. Michiels, P. Gorissen and B. Preneel, "Cryptanalysis on white-box DES implementations with arbitrary external encodings", SAC 2007, LNCS Vol. 4876, pp. 264-277. Springer, Heidelberg, 2007.
  15. H. T. Kim, "Attacks of Modified White-box AES Implementations", Journal of Social Convergence Studies, Vol. 5, No. 2, pp. 1-13, 2021. https://doi.org/10.37181/JSCS.2021.5.2.001
  16. H. T. Kim, "On Conditions to Satisfy White-Box Cryptography", Journal of Security Engineering, Vol. 11, No. 2, pp. 155-164, 2014. https://doi.org/10.14257/jse.2014.04.02