DWB-AES：基于AES的动态白盒实现方法

doi:10.11959/j.issn.1000-436x.2021020

通信学报 ›› 2021, Vol. 42 ›› Issue (2): 177-186.doi: 10.11959/j.issn.1000-436x.2021020

• 学术通信 • 上一篇

DWB-AES：基于AES的动态白盒实现方法

王滨¹^,², 陈思², 陈加栋², 王星¹^,²

¹ 浙江大学电气工程学院，浙江杭州 310058
² 中国电科集团52所海康威视网络与信息安全实验室，浙江杭州 310053

修回日期:2020-12-08 出版日期:2021-02-25 发布日期:2021-02-01
作者简介:王滨（1978- ），男，山东泗水人，博士，浙江大学研究员，主要研究方向为智能终端安全、物联网安全、密码学等。
陈思（1993- ），女，河南商丘人，中国电科集团52所工程师，主要研究方向为物联网安全、密码学及其应用。
陈加栋（1988- ），男，江苏高邮人，中国电科集团52所高级工程师，主要研究方向为信息安全、硬件安全等。
王星（1985- ），男，山西太原人，浙江大学在站博士后，中国电科集团52所高级工程师，主要研究方向为机器学习与物联网安全。
基金资助:
国家重点研发计划基金资助项目(2018YFB2100400);国家电网公司总部科技基金资助项目(5700-202019187A-0-0-00)

DWB-AES: an implementation of dynamic white-box based on AES

Bin WANG¹^,², Si CHEN², Jiadong CHEN², Xing WANG¹^,²

¹ College of Electrical Engineering, Zhejiang University, Hangzhou 310058, China
² Network and Information Security Laboratory of Hikvision, The 52th Research Institute of CETC, Hangzhou 310053, China

Revised:2020-12-08 Online:2021-02-25 Published:2021-02-01
Supported by:
The National Key Research and Development Program of China(2018YFB2100400);Science and Technol-ogy Project of State Grid Corporation of China(5700-202019187A-0-0-00)

摘要/Abstract

摘要：

物联网设备因资源受限，需要兼具安全性、灵活性的轻量级密码模块保障安全，白盒密码能够满足物联网设备的安全需求。在常见的白盒密码实现方法中，往往密钥和查找表是绑定的，因此每次更换密钥都需要重新生成并更换查找表，这在实际应用中不够灵活。为了解决该问题，提出了一种基于 AES 的动态白盒实现方法，即DWB-AES。该方法通过改变轮与轮之间的边界，将加解密过程的所有操作均通过查找表来实现，并对表和密钥分别进行混淆，使整个加解密过程不会暴露密钥信息，且每次更换密钥时不需要更换查找表，所以DWB-AES更加灵活和实用。通过对DWB-AES的安全性分析表明，DWB-AES具有较高的白盒多样性和白盒含混度，且能够有效地抵御BGE和Mulder等常见的白盒攻击方法。

关键词: AES, 白盒密码, 动态白盒, BGE, 查找表

Abstract:

The resources of IoT devices are limited.Therefore, security, flexibility and lightweight cryptographic modules are required.The idea of white-box cryptography can meet the needs of IoT devices.In common AES white-box implementations, keys are bound to look up tables.So the look up tables must be changed when the keys are changed.It is not flexible enough in practical applications.To solve this problem, a dynamic white-box implementation method for AES, which was called DWB-AES, was proposed.By changing the boundary between rounds, all operations of the encryption and decryption process were performed by looking up the tables, and the tables and the keys were respectively confused, so that the entire encryption and decryption process did not expose the key information.The look up tables need not to be changed every time when the keys changed, which was more practical.The security analysis of DWB-AES shows that the DWB-AES has higher white-box diversity and ambiguous, it can resist BGE attack and Mulder attack.

Key words: AES, white-box cryptography, dynamic white-box, BGE, look up table

中图分类号:

TP393

王滨, 陈思, 陈加栋, 王星. DWB-AES：基于AES的动态白盒实现方法[J]. 通信学报, 2021, 42(2): 177-186.

Bin WANG, Si CHEN, Jiadong CHEN, Xing WANG. DWB-AES: an implementation of dynamic white-box based on AES[J]. Journal on Communications, 2021, 42(2): 177-186.

图/表 14

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

表1

表2

图11

表3

参考文献 19

[1]	CHOW S , EISEN P A , JOHNSON H ,et al. White-box cryptography and an AES implementation[C]// Selected Areas in Cryptography. Berlin:Springer, 2003: 250-270.
[2]	CHOW S , EISEN P , JOHNSON H ,et al. A white-box DES implementation for DRM applications[C]// ACM Workshop on Digital Rights Management. New York:ACM Press, 2003: 1-5.
[3]	JACOB M , BONEH D , FELTEN E . Attacking an obfuscated cipher by injecting faults[C]// Digital Rights Management. Berlin:Springer, 2003: 16-31.
[4]	GOUBIN L , MASEREEL J M , QUISQUATER M . Cryptanalysis of white box DES implementations[J]. Lecture Notes in Computer Science, 2007,4876: 278-295.
[5]	BILLET O , GILBERT H , ECH-CHATBI C . Cryptanalysis of a white box AES implementation[C]// Selected Areas in Cryptography. Berlin:Springer, 2005: 227-240.
[6]	XIAO Y , LAI X . A secure implementation of white-box aes[C]// The 2nd International Conference on Computer Science and Its Applications. Piscataway:IEEE Press, 2009: 1-6.
[7]	MULDER DE Y , ROELSE P , PRENEEL B . Cryptanalysis of the Xiao-Lai white-box AES implementation[C]// Selected Areas in Cryptography. Berlin:Springer, 2013: 34-49.
[8]	LUO R , LAI X J , YOU R . A new attempt of white-box AES implementation[C]// 2014 International Conference on Security,Pattern Analysis,and Cybernetics. Piscataway:IEEE Press, 2014: 423-429.
[9]	KARROUMI M , . Protecting white-box AES with dual ciphers[C]// Information Security and Cryptology-ICISC 2010. Berlin:Springer, 2011: 278-291.
[10]	MULDER DE Y . White-box cryptography:analysis of white-box AES implementations[D]. Belgium:KU Leuven, 2014.
[11]	BIRYUKOV A , BOUILLAGUET C , KHOVRATOVICH D . Cryptographic schemes based on the ASASA structure:black-box,white-box,and public-key[C]// Advances in Cryptology—ASIACRYPT 2014. Berlin:Springer, 2014: 63-84.
[12]	BOGDANOV A , ISOBE T . White-box cryptography revisited:space-hard ciphers[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2015: 1058-1069.
[13]	KARROUMI M , . Protecting white-box AES with dual ciphers[C]// Proceedings of the 13th International Conference on Information Security and Cryptology. Berlin:Springer, 2011: 278-291.
[14]	XU T , LIU F , WU C . A white-box AES-like implementation based on key-dependent substitution-linear transformations[J]. Multimedia Tools and Applications, 2018,77(14): 18117-18137.
[15]	姚思, 陈杰 . SM4 算法的一种新型白盒实现[J]. 密码学报, 2020,7(3): 358-374.
	YAO S , CHEN J . A new method for white-box implementation of SM4 algorithm[J]. Journal of Cryptologic Research, 2020,7(3): 358-374.
[16]	FUKUSHIMA K , HIDANO S , KIYOMOTO S . White-box implementation of stream cipher[C]// The 3rd International Conference on Information Systems Security and Privacy.[S.n.:s.l.], 2017: 263-269.
[17]	BAI K , WU C . A secure white-box SM4 implementation[J]. Security and Communications Networks, 2016,9(10): 996-1006.
[18]	BAI K P , WU C K , ZHANG Z F . Protect white-box AES to resist table composition attacks[J]. IET Information Security, 2018,12(4): 305-313.
[19]	BIRYUKOV A , CANNIERE DE C , BRAEKEN A ,et al. A toolbox for cryptanalysis:linear and affine equivalence algorithms[C]// Advances in Cryptology-EUROCRYPT 2003. Berlin:Springer, 2003: 33-50.

白盒方案	表大小/KB	矩阵乘法次数/次	每轮查表及异或次数/次	更换密钥时需要更换的查找表大小/KB
Chow	752	0	205	752
Xiao-Lai	20 502	11	12	20 502
DWB-AES	32 280	0	1 048	0

白盒方案	白盒含混度	白盒多样性
Chow	2¹¹⁴	2⁷⁶⁹
Xiao-Lai	2²⁷¹	2^{1 294}
DWB-AES	2^{1 692}	2^{5 052}

白盒方案	抵御BGE攻击	抵御Mulder等攻击
Chow	×	—
Xiao-Lai	√	×
DWB-AES	√	√

DWB-AES：基于AES的动态白盒实现方法

DWB-AES: an implementation of dynamic white-box based on AES

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 19

相关文章 9

Metrics

推荐阅读 0

[1]	姜子敬, 丁群. 新的抵抗鬼峰的关联矩阵差分能量分析[J]. 通信学报, 2023, 44(4): 38-49.
[2]	唐明, 胡一凡. Load-to-store: store buffer暂态窗口时间泄露的利用[J]. 通信学报, 2023, 44(4): 64-77.
[3]	杜少宇. 积分攻击改进——随机线性区分与密钥恢复攻击[J]. 通信学报, 2023, 44(4): 145-153.
[4]	郭莹,李伦,王鹏. 基于Lanczos核的实时图像插值算法[J]. 通信学报, 2017, 38(6): 142-147.
[5]	杜之波,孙元华,王燚. 针对AES密码算法的多点联合能量分析攻击[J]. 通信学报, 2016, 37(Z1): 78-84.
[6]	董乐,吴文玲,吴双,邹剑. 构造零和区分器的新方法[J]. 通信学报, 2012, 33(11): 91-99.
[7]	赵新杰,郭世泽,王韬,刘会英. 针对AES和CLEFIA的改进Cache踪迹驱动攻击[J]. 通信学报, 2011, 32(8): 101-110.
[8]	董晓丽,胡予濮,陈杰,李顺波,杨旸. 改进的7轮AES-192和8轮AES-256的中间相遇攻击[J]. 通信学报, 2010, 31(9A): 197-201.
[9]	郭建军,陈铭,张建寅,赵志超. IPTV实时内容保护DRM系统设计研究[J]. 通信学报, 2008, 29(11A): 66-71.