Cryptanalysis of white box DES implementations

Implementations

⋆

LouisGoubin,Jean-MihelMasereel, andMihaëlQuisquater

VersaillesSt-Quentin-en-YvelinesUniversity

45avenuedesEtats-Unis

F-78035VersaillesCedex

{Louis.Goubin,Jean-Mihel.Mas ereel ,Mi hael. Quisq uate r}uv sq.f r

Abstrat. Obfusationisamethodonsistinginhidinginformationof

somepartsofaomputerprogram.AordingtotheKerkhos

prini-ple,aryptographialalgorithm shouldbe keptpubliwhile thewhole

seurity shouldrelyonthe sereyof thekey.Insomeontexts, soure

odesarepublilyavailable,whilethe keyshouldbekeptseret;thisis

thehallenge ofodeobfusation.Thispaperdealswiththe

ryptanal-ysisofsuhmethodsofobfusationappliedtotheDES.Suhmethods,

alledthenaked-DESandnonstandard-DES,wereproposedbyChow

etal.[5℄in2002.Somemethodsfortheryptanalysisofthenaked-DES

were proposedby Chow etal. [5℄, Jaobet al. [6 ℄, and Linkand

Neu-man[7 ℄.Intheirpaper,LinkandNeuman[7℄proposedanothermethod

fortheobfusationoftheDES.

Inthispaper,weproposeageneralmethodthatappliestoallshemes.

Moreover,weprovideatheoretialanalysis.Weimplementedourmethod

with a C ode and applied it suessfully to thousands of obfusated

implementationsofDES(bothnakedandnon-standardDES).Ineah

ase,wereoveredenoughinformationtobeabletoinvertthefuntion.

Keywords:Obfusation,ryptanalysis,DES,symmetriryptography,

blokipher.

1 Introdution

In reentyears, the possibility of obfusatingprograms has been investigated.

From a theoretial point of view, Barak et al. [1℄ have proven impossibility

results for the task of obfusating omputer programs. In partiular, it turns

out that there exists a family of programs suh that: on the one hand eah

programisnonlearnable(i.e.itsexeutiondoesnotgiveanyinformationabout

itsoriginalsoureode),butontheotherhandeveryobfusator(i.e.theprogram

produinganobfusation)failsompletelywhengivenanyprogramofthisfamily

as input. However it has not been proved that spei instanes, partiularly

ryptographiprimitives,areimpossibletoobfusate.

⋆

AES,theotherfortheDES. TheAESobfusationwasryptanalysedbyBillet

et al. [2,3℄ in 2004. Chow et al. [5℄ also mountedan attak ontheir rst DES

obfusationversion(allednaked-DES).Jaobetal.[6℄andLinkandNeuman

[7℄,proposedtwootherattaksonthenaked-DES.Here,breakingthe

naked-DES meansreoveringtheseretkey.

Aseond versionof DES obfusation,allednonstandard-DES, wasgiven

byChowetal.[5℄.Thisnonstandard-DESisobtainedbyobfusatingtheusual

DESomposedwithinitialandnalseretpermutations.Inthisontext,

break-ingsuhanonstandard-DESimplementationmeansreoveringtheseretkey

andtheseretinitial andnalpermutations.

Moreover,manyindustrialatorshavedevelopedobfusatedimplementations

of ryptographialgorithms, in partiular for DRM, Pay-TV, and intelletual

propertyprotetion.(e.g.loakware[12℄,retroguard[13℄, Yguard[14℄).

Thispaperisstruturedasfollows:InSetion2,wegiveanoverviewofthe

obfusationmethodsgivenbyChowetal.andbyLinkandNeumann.Setion3

isdevotedtoourattakonthenaked-DES.InSetion 4,weadapt ourattak

to thenonstandard DES. Setion5is devoted toourimplementationof this

attak. In Setion 6, we ompare our attak to the oneof Wyseur et al. [11℄.

Finally,weonludein Setion7.Allproofsareavailablein theappendies.

2 DES Obfusation Methods

Chow et al. [5℄ proposed two types of DES obfusation. The rst one, alled

naked-DES,produesanusualDES.Theseondone,alledthe

nonstandard-DES,isaslightmodiationofthestandardDESalgorithm.Thislastversion

istheonetheyreommend.

Letusdesribethenaked-DES(seeFigure7).ThestandardDESis

imple-mentedbymeansofmanyfuntions.Therstoneisananefuntion

M

1

,whih istheompositionoftheinitialpermutation,theexpansion(slightlymodiedin

ordertodupliateallthe32rightbits),andabit-permutation

φ

0

: IF

96

2

→

IF

96

2

.

Therole of

φ

0

isto send48 bitsto theorrespondingS-boxentries,the48 re-maining bitsbeingsentrandomlyto theT-boxentries (seeFigure 8). Eightof

theseT-boxesarederivedfromtheeightS-boxesoftheDES(seeFigure1),and

the fourremaining T-boxesare identities (or moregenerallybit permutations,

seeFigure8(

T

12

)).Ananefuntion

M

2

,

1

followstheT-boxes.Thisane fun-tionistheompositionofthePandXoroperationofthestandardDES,anda

bit-permutation

φ

1

(see Figure7). Eahof the16rounds istheomposition of theT-boxesandananefuntion

M

2

,i

.Thelastroundisfollowedbyanane funtion

M

3

whih istheompositionofaseletionfuntion,andthenal per-mutation. This funtion takesforargumentstheoutputs ofthe anefuntion

M

2

,

16

ofthelastroundandreturnstheiphertext(seeFigure 7).

IF

s

2

,

b

k,l

(

s

= 4

or

8

). These permutations are referred by Chow et al. [5℄ as io-blok enoding bijetions. Twenty-four or twelve of these io-blok enoding

bijetions are onatenatedin order to obtainnonlinear permutations on

IF

96

2

,

P

i,j

.Eahomponent

A

i

isobfusatedbetweenpermutations

P

i,

1

and

P

i,

2

.The resulting funtions

P

i,

1

◦

A

i

◦

P

i,

2

are stored in arrays in order to be used by the obfusated program. When onsidering onseutive omponents, the nal

permutation ofthe rst omponent, and the initial permutation of the seond

omponent,anelledout(seeFigure7) i.e.:

(

P

i,

1

◦

A

i

◦

P

i,

2)

◦

(

P

j,

1

◦

A

j

◦

P

j,

2) =

P

i,

1

◦

(

A

i

◦

A

j

)

◦

P

j,

2

.

Thisnaked-DES wasryptanalysedbytheauthorsthemselves[5℄.

Inordertorepairthesheme,theyproposedthenonstandard-DES.It

on-sistsinaddingtwoanebijetions

M

0

and

M

4

beforeandafterthenaked-DES, respetively(seeFigure7).ItisnotspeiedbyChowetal.[5℄whether

M

0

and

M

4

areblokenoded(i.e.respetivelypreededandfollowedbynonlinear ran-dom permutations). In this paper, weonsider that

M

0

and

M

4

are not blok enoded.

Furtherimprovementonthe attak ofthenaked-DES were givenbyLink

andNeumann[7℄.Theysuggestedanothersolutionwhihonsistsinmergingthe

T-boxesand theane funtion

M

2

,i

of eah round. This way, we donothave aess to the T-boxes outputs. Moreover, the

M

2

,i

funtions of the dierent roundsareblokenodedin anotherway.

Inthis paper, we desribe an attak that defeats bothnonstandard-DES

andtheLinkandNeumann'sshemes.

3 Attak on the Naked-DES

Asmentionedbefore,thenaked-DES proposed byChowetal.[5℄wasalready

ryptanalysedinthepapers[5,6,7℄.Inthissetion,weshowhowtoryptanalyse

the improved versionof the naked-DES proposed by Link and Neumann[7℄.

Notethat ourmethod alsoworksforthenaked-DES proposedbyChowetal.

attak.Roughlyspeaking,therstphaseonsistsingeneratingpairsofmessages

(

X

,

X

′

)suhthattherightpartoftheimages,through

IP

andtherstroundof aregularDES,areequal(foragivenkey

K

)(seeFigure2.b).Theseondphase onsists in evaluating thosepairsof messages

(

X, X

′

₎

onthenaked-DES and

in heking a ondition that we speify below. The pairs that satisfy the test

provideakeyandidate.

Fig.2.OneroundofDES,andattakpriniple

Letusgointothedetails.Rememberthat

f

(

., K

)

denotesthefuntionofthe regularDES,wewillalsodenoteitby

f

K

(

.

)

(seeFigure2.a).Let

X

beaninitial message,

(

L

0

, R

0)

denotes its image through

IP

, and

(

L

1

, R

1)

is the image of

(

L

0

, R

0)

throughtherstround, i.e.

(

L

1

, R

1) = (

R

0

, L

0

⊕

f

(

R

0

, K

))

.Consider afuntion

f

,vetors

X

and

∆

,thederivative

f

(

X

)

⊕

f

(

X

⊕

∆

)

willbedenoted by

D

∆

f

(

X

)

.Letusrstmotivateouralgorithm.Let

K

beaxedunknownkey. Assumewewanttondtherstround6-bitsubkeyorrespondingto

S

i

(forthe sakeoflarity,wewill restrainourselvesto

i

= 1

). Wegenerateandidatekeys suhthat onlythe 6keybits of

S

1

oftherst roundare modied.Foreah of thesekeys,weomputepairsofmessages(

X

,

X

′

)suhthat,

1.

∆

=

R

0

⊕

R

′

0

iszero,exeptfortheseond andthirdbits.

2.

L

′

0

=

L

0

⊕

D

∆

f

K

(

R

0)

Observethat the seond and third bits of

R

0

only aet the output of

S

1

(seeFigure2.a).Therefore,

f

(

R

0

, K

)

and

f

(

R

′

0

, K

)

areidentialexeptforthe fourbitsorrespondingtotheoutputof

S

1

.

Underthese onditions,in thenext roundwehave

R

1

=

R

′

1

and

L

′

1

(=

R

′

0

)

is idential to

L

1(=

R

0)

exept for at most two bits. Consider nowthese two messages

X

and

X

′

appliedtothenaked-DESwiththeorretkeyandidate.

We observe that these bits (non-zero bits of

L

′

1

⊕

L

1

) inuene at most two io-blokenoding bijetions

b

i,

3

and

b

j,

3

(see Figure8). If thekeyandidate is wrong, wewill have

R

1

6=

R

′

1

. Therefore many bits will hange at the output

Randomlyhooseamessage

X

.

Compute

(

L

0

, R

0) =

IP

(

X

)

with

IP

publi.

Choose

∆

suhthatonlytheseondandthirdbitsaredierentfrom 0. Foranypossibleandidatevalueof6-bitsubkey:

•

Compute

L

′

0

=

L

0

⊕

D

∆

f

K

(

R

0)

.

•

Compute

X

′

₌

_IP

−

1

₍

_L

′

0

, R

0

⊕

∆

)

.

•

Apply

X

and

X

′

tothe obfusatedDES andsavethevalues

Y

and

Y

′

attheendoftherstround.

•

Compare

Y

and

Y

′

andomputein howmanyio-blokenoding

bije-tionstheydier.

•

Rejettheandidateifthisnumberisstritlygreaterthan2.Otherwise,

theandidateisprobablyorret.

This way, we anreoverthe48 keybits of the rstround of theDES. The8

remainingbitsarefoundbyexhaustivesearh.

Remark 1. This algorithm an produe morethan oneandidate forthe 6-bit

subkey.Itwillprovidewrong6-bitsubkeysintwosituations.

1. Dueto the balanepropertyoftheS-boxesand thefat they mapsix bits

to four bits, four dierent inputs produe the same output. Therefore for

eahS-box,threewrong6-bitsubkeyswillproduethesameoutputasthe

orretkey.Toavoidthisproblem,weanlaunhthisalgorithmwithanother

randominitialmessage,orsimplyanother

∆

.Infat,weonlyhavetohange thevaluesofthebitsof

R

0

and

∆

orrespondingtotheinputof

S

1

(thebits 32,1,...,5). Atually, we an hoose dierent pairs

(

X, X

′

₎

suh that the

intersetionof thekeyandidates assoiatedto eahof themis theorret

key.

2. The seond one is due to a propagation phenomena. Suppose we have a

wrong6-bit subkeyproduing awrong

S

1

output. It means that there are more than three bits of dierene between

(

L

1

, R

1)

and

(

L

′

1

, R

′

1

)

. These dierenesouldbemappedtothesameio-blokenodingbijetion,leading

totheippingofonlytwoio-blokenodingbijetionsattheoutputof

M

2

,

1

. Inthisase,welaunhthisalgorithmwithseveralvaluesfor

R

0

.Itleadsto severallistsofkeyandidatesandtheorretkeybelongstotheintersetion.

Thisway,wrongkeyswillbedisarded.

4 Attak on the Nonstandard-DES

This setionisdediatedto anattakonthenonstandard-DES.Remind that

thenonstandard-DESisanaked-DESwheretheanefuntions

M

1

and

M

0

arereplaedby

M

1

◦

M

0

and

M

4

◦

M

3

respetively(where

M

0

and

M

4

aremixing bijetions,seeChowetal.[5℄).Asmentionedbefore, weassumethattheinputs

that all the other funtions are io-blok enoded using bijetions on

IF

4

2

(the

same priniple applies for the obfusation proposed by Link and Neuman [7℄

wherethebijetionsaredenedon

IF

8

2

).Moreover,weassumethattheT-Boxes

follow the sameordering in the dierent rounds. In what follows, we will not

onsider

IP

(inside

M

1

)w.l.o.g,forthesakeoflarity.

Inwhatfollows,thetermpreimage willimpliitlyrefertothepreimagewith

respet to the linear bijetion

M

0

. Moreover, we say that a bit of a vetor is touhing an io-blok enoding bijetion if this bijetion depends on this bit.

Similarly,wewillsaythatavetortouhes anS-Boxifnon-zerobits touhit.

Our attak on the nonstandard-DES is based on the one on the

naked-DES. Our approah is based ona trunated dierential attak. It onsists in

omputingtheimagesofarandomvetor

X

0

atdierentlevelsintheobfusated DES.Weomparethese values(alled initial-entries)totheorresponding

im-ages of

X

0

⊕

∆

, where

∆

satises some onditions depending on the ontext. Thisapproahallowsprovidinginformationaboutthekeyandthematrix

M

−

1

0

,

gradually. The full key and the matrix

M

−

1

0

will be known at the end of the

proess. Thewaywestore informationabout

M

−

1

0

onsistsin onsidering lists

ofandidatesforpreimagesofunspeiedanonialvetors.Listsofandidates

ontainingonlyonevetorarealleddistinguishedlists.Thisvetoristhena

ol-umnof

M

−

1

0

.Notethattheselistsareatuallyvetorspaesandanbeshared

byseveralanonialvetors.Inpratie,alist

E

willbesharedby

dim

E

anon-ialvetors(thatarenotneessaryspeied).Ouralgorithmworkssequentially

and onsistsin speifying theseanonialvetorsand shortening thelists.Our

methodanthereforebeunderstoodasalteringproess.Thedierentlters

aredesribedbelow.

Setion4.1desribesapreliminarystepalmostindependentofthestruture

oftheblokipher.Itonsistsinndingvetorspaesassoiatedtoapartiular

io-blok enoding bijetion at the input of the rst round. This step allows

gettingglobalinformationabout

M

−

1

0

.

Setion 4.2 desribes a set of lters intending to rene information about

M

0

−

1

.Thesestepsarehighlyrelatedtothestudiedblokipher.Therstlter, desribedinSetion4.2,allowsdistinguishingliststhatareassoiatedto

anon-ial vetors belonging either to right bits or left bits of the input of the rst

round (

L

0

or

R

0

). The seond lter, desribed in Setion 4.2, extrats all the lists(markedasrightinthepreviouslter)touhingasingleS-box(wewillsee

thattheselistsplayanimportantrole).Thethirdlter,desribedinSetion4.2,

gathersthelists(markedasleft inthepreviouslter)insetsassoiatedtothe

outputofS-boxes.Setion4.2linksT-Boxes(obfusationofthekeyedS-boxes)

to S-Boxes.This information allowsthelast lter, presentedin Setion 4.2, to

preiselyspeifythe1-to-1linkbetweenthelists(markedasleft)andthe(left)

anonialvetors.

Setion 4.3explains how to extratthe keyandhowto reoverthe full

in-vertiblematries

M

−

1

4.1 Blok LevelAnalysis of

M

1

◦

M

0

Reoveringof the

B

k

's. Denoteby

K

k

thespae

({0}

4

k

−

4

_×

_IF

4

2

× {0}

96

−

4

k

)

,

and by

K

k

, the spae

(IF

4

k

−

4

2

× {0}

4

×

IF

96

−

4

k

2

)

. In what follows, the vetor

spae spanned by a set of vetors

S

will be denoted

h

S

i

. Also,

e

i

denotes the i

th

anonial vetor (the position of the one is omputed from the left and startfrom one) ofthe vetorspae

IF

64

2

.The sets

{

e

i

∈

IF

64

2

|

i

= 1

. . .

32}

and

{

e

i

∈

IF

64

2

|

i

= 33

. . .

64}

will bedenotedby

S

L

and

S

R

,respetively.

Ideally, wearelookingfor24vetorspaessuhthat theirvetorsinuene

only one io-blok enoding bijetion at the output of

M

1

◦

M

0

. This would allow modifying only the input of one partiular io-blok enoding bijetion.

Unfortunately,duetothedupliationofthebitsin

M

1

(beauseoftheexpansion

E

) this goal is impossible to reah. We will therefore try to approximate this situation and deal with the drawbaks afterwards. First we will have to give

somenotations,denitions andproperties.

Denoteby

F

: IF

64

2

→

IF

96

2

theobfusationof

M

1

◦

M

0

(seeFigure7). Let

X

be avetorin

IF

96

2

.Denote by

π

k

theprojetion

π

k

: (IF

4

2

)

24

→

IF

4

2

:

X

= (

x

1

, . . . , x

24)

7→

x

k

. Let

b

k

be the

k

th

io-blok enoding bijetion at the

outputof

M

1

◦

M

0

.Thefuntion

F

iswrittenas

F

(

X

) = (

b

1

◦

π

1

◦

M

1

◦

M

0(

X

)

, b

2

◦

π

2

◦

M

1

◦

M

0(

X

)

, . . . , b

24

◦

π

24

◦

M

1

◦

M

0(

X

))

.

Denition1. Let

k

beaninteger,

k

∈

[1

,

24]

.Wedenoteby

B

k

thevetorspae

{

X

∈

IF

64

2

|

π

k

◦

M

1(

X

) = 0}

. In other words, it is the subspae of vetor

X

suh that for any non-zeroomponent

e

i

of

X

,

M

1(

e

i

)

does not touh

b

k

, i.e.

B

k

=

h

e

j

|

π

k

◦

M

1(

e

j

) = 0i

.

Denition2. Let

k

beaninteger,

k

∈

[1

,

24]

.Wedenote by

E

k

the subspae of vetor

X

suhthat forany non-zeroomponent

e

i

of

X

,

M

1(

e

i

)

touhes

b

k

,i.e.

E

k

=

h

e

j

|

π

k

◦

M

1(

e

j

)

6= 0i

.

Fig.3.Example

Remark 2. Note that

IF

64

2

is thediret sumof

B

k

and

E

k

for any

k

,i.e.

IF

We will denote by

B

k

the subspae

M

−

1

0

(B

k

)

, and by

E

k

the subspae

M

−

1

0

(E

k

)

.

Proposition1. Forany

k

integer,

k

∈

[1

,

24]

,

B

k

=

{

∆

∈

IF

64

2

|

D

∆

F

(IF

64

2

)

⊂

K

k

}

,theprobabilitythat

∆

belongsto

B

k

,when

∆

israndomlyhosen,isgreater orequalto

1

2

4

=

1

16

,and

60

≤

dim(

B

k

)

<

64

.

CombiningDenition2andProperty1,thevetorspae

E

k

anbedesribedas thesetofvetors

∆

suhthat foranyvetor

X

0

∈

IF

64

2

,

M

0(

X

0)

⊕

M

0(

X

0

⊕

∆

)

hasin totalat mostfournon-zeroomponents

e

i

, allofthem touhingthe

k

th

io-blokenodingbijetionthrough

M

1

.DuetoProperty1,itiseasiertoreover a basis for

B

k

's, than for

E

k

's. That is why we will rst reoverall the

B

k

's. UsingProperty1,weonlyhavetoompute

D

∆

F

(

X

0)

forrandom

∆

∈

IF

64

2

and

determinetowhih spae

K

k

itbelongs.Using

B

k

's,wewillreover

E

k

's,orat least,24vetorspaes

E

b

k

ontaining

E

k

withminimaldimension.

Reovering of the

E

b

k

's. Letus nowexplainhowto reover

E

b

k

.First,letus remark thatforany

X

∈

IF

64

2

andforany

∆

∈

IF

64

2

,wehave

D

∆

F

(

X

)

∈

K

k

if andonlyif

D

∆

π

k

◦

M

1

◦

M

0(

X

)

∈

K

k

.Letusintroduethefollowinglemma. Lemma1. Let

k

be an integer belonging to

[1

,

24]

. If

E

j

∩ E

k

=

{0}

for any integer

j

distintfrom

k

belonging to

[1

,

24]

,then

E

k

=

\

j

6

=

k

B

j

.

Sine

M

0

isabijetion,thislemmameansthat if

E

j

∩ E

k

=

{0}

foranyinteger

j

∈

[1

,

24]

dierent from

k

, then

E

k

=

T

j

6

=

k

B

j

. Nevertheless, due to the

bit-dupliation, there exist indies

k

and

j

suh that

E

j

∩ E

k

6=

{0}

(and then

E

j

∩

E

k

6=

{0}

). Denoteby

J

k

theset

{

j

| E

j

∩ E

k

=

{0}}

,by

E

b

k

thesubspae

T

j

∈

J

k

B

j

,andby

E

b

k

thesubspae

T

j

∈

J

k

B

j

where

k

isanintegerbelongingto

[1

,

24]

.

Proposition2. Foranyinteger

k

∈

[1

,

24]

,

E

k

⊆

E

b

k

.

Letus introdueaproperty that willallow usto giveanother haraterization

of

J

k

.

Proposition3. Foranyinteger

i

∈

[1

,

24]

andfor any integer

j

∈

[1

,

24]

dim(E

i

∩ E

j

) = 64 + dim(

B

i

∩

B

j

)

−

dim(

B

j

)

−

dim(

B

i

)

.

A straightforwardappliation of this property to the denition of

J

k

leads to

J

k

=

{

j

∈

[1

,

24]

|

64 = dim(

B

j

) + dim(

B

k

)

−

dim(

B

k

∩

B

j

)}

.This harater-izationwill beusefulin orderto ompute

E

b

k

.If

dim(

E

b

k

) + dim(

B

k

)

>

64

then

4.2 Bit Level Analysis of

M

−

1

0

Intheprevioussetion,wewerelookingfordierenes

∆

assoiatedtoaspei io-blokenodingbijetion.Itallowedustogetsomeinformationabout

M

−

1

0

.In

thissetion,wereneoursearhandthiswillallowustogetenoughinformation

about

M

−

1

0

inordertoapplyourmethod onthenaked-DESto

nonstandard-DES.Ouralgorithmworkssequentiallyandonsistsinalteringproess.The

dierentltersaredesribedbelow.

Searh for Candidates for Preimages of Elements Belonging to the

Sets

S

L

and

S

R

. Consider

∆

be an element of

IF

64

2

suh that

M

0(

∆

) =

e

i

and

e

i

∈ S

L

. The only non-zero bit of

M

1

◦

M

0(

∆

)

touhes only one io-blok enodingbijetion(reallthat wedonotonsider

IP

).Therefore,

∆

belongsto a single

E

b

k

. Assume now that

∆

∈

IF

64

2

suh that

M

0(

∆

) =

e

i

and

e

i

∈ S

R

then

M

1

◦

M

0(

∆

)

has exatly two non-zero bits that may touh the same or twodistintio-blokenodingbijetionsorequivalently

∆

belongstooneortwo spaes

E

b

k

. In what follows, we will alldouble anelement

∆

∈

IF

64

2

suh that

M

0(

∆

)

∈ S

R

andthetwonon-zerobitsof

M

1

◦

M

0(

∆

)

touh thesameio-blok enodingbijetion.Forexample,onFigure8,thebit

R

2

ouldbeadouble,sine itstwoinstanesareintheinputof

T

1

.Byonsideringintersetionsbetweenthe spaes

E

b

k

,takenpairwise,weandistinguishpreimagesofelementsof

S

R

from doublesorpreimagesofelementsof

S

L

.

Notethat theintersetions betweenspaes

E

b

k

takenpairwise providemore information.Indeed,

E

b

i

∩

E

b

j

ontainspreimagesofunknownanonialvetors. In partiular, if

dim(

E

b

i

∩

E

b

j

) = 1

then

E

b

i

∩

E

b

j

=

h

M

−

1

0

(

e

k

)i

for some

k

. In thisase,wealreadyknowthepreimageofanunknownanonialvetor.When

dim(

E

b

i

∩

E

b

j

)

>

1

weanstilltakeadvantageofthisfatevenifitrequiressome extrasearhes.

Reovering Middle Bits. Inorder toapply our attakpresented in Setion

3, we needto exatlyknow the preimageof anonial vetorstouhing onlya

singleS-Boxoftherstround (e.g.Rightbits2,3,6,7,10,...).Inwhat follows,

wewill refertosuhaanonialvetorasamiddle bit.If amiddle bitis nota

double,thenitstwoopiestouhtwodierentio-blokenodingbijetions.The

rst opy is in input of an S-box, leadingto at least two bits of dierene at

theend of therst round ofaregular DES,and 4bits in ourase,due to the

expansion.Theseondopyisaby-passedbit(seeFigure1),leadingtoonlyone

bitofdiereneattheendoftherstround.ConsidertheboldpathinFigure8

startingfrom

R

3

bit, inorder tohaveaglobalview.Letusexplainhowweuse thisproperty.

Reallthat

X

0

istheinitial-vetordened in Setion4. Foreah dierene

∆

belongingtothelistsmarkedasinputofthestudiedT-box,weapply

X

0

⊕

∆

totheobfusatedDESbymakinganinjetionfault.Thismeansthatwesetthe

T-Ifonlyoneio-blokenodingbijetion(at theoutputoftherstround)diers

fromtheorrespondinginitial-entry,wededuethat

∆

ouldbethepreimageof amiddlebit.Therefore,alistontainingpreimagesofseveralanonialvetors

anbedividedintotwoshorterlists;onelistontainingpreimagesofmiddlebits

whiletheotherontainspreimagesofnon-middlebits.

Fig.4.Injetionfault

Remark 3. IfaT-boxistouhedbymorethanthreemiddlebitsorleftbits,we

deduethatthis T-boxdoesnotontainanyS-box.Notealsothatdoublesan

onlybepreimagesofmiddlebits.Finally,aT-boxtouhedbyadoubleontains

neessarilyanS-box.

Reovering Left Bits. In order to apply our attak presented in Setion

3, we need to know whih group of four anonial vetorsare xored with the

output of eah S-box of the rst round. First, we determine the io-blok

en-oding bijetions that are touhed by the outputs of the studied S-box and

we denote by

BS

this set of bijetions. In Figure 8, we an see that

BS

=

{

b

1

,

3

, b

3

,

3

, b

8

,

3

, b

12

,

3

, b

15

,

3

, b

20

,

3

, b

24

,

3}

fortheS-box

S

1

. Theelements

b

i,

3

of

BS

areharaterisedby

D

∆

m

b

i,

3◦

π

i

◦

M

2

,

1◦

T

◦

M

1◦

M

0(

X

0)

6= 0

,forall

∆

m

belonging toalistmarkedasamiddlebitofthestudiedS-box.Then,westoreinanextra

list

L

eah

∆

markedasleftbitstouhingexatlytwobijetionsof

BS

.Thislist ontains all thepreimages assoiated to anonialvetorsthat are potentially

xoredwiththeoutputoftheS-box.Finally, wend

∆

l

∈ hLi

suhthat forany bijetion

b

i,

3

∈

BS

wehave

D

∆

m

⊕

∆

l

b

i,

3

◦

π

i

◦

M

2

,

1

◦

T

◦

M

1

◦

M

0(

X

0) = 0

,where

∆

m

belongstoalistmarkedasamiddlebit ofthestudiedS-box. Thisproess is repeated with dierent

∆

m

or

X

0

, until we nd four linearly independent

∆

l

orequivalentlythe vetorspae spanned by the preimages of the searhed anonialvetors.Wethenomputetheintersetionbetweenthisspaeandall

thelists.Itallowsusto splitsomeofthemin shorterlists(the intersetionand

theomplementary spaeofthe intersetion).It mayleadto listsontaininga

betweenT-boxesandS-boxes.DuetotheremarkinSetion4.2,weknowwhih

are the T-boxes ontaining an S-box. The probability that a seleted T-box,

denoted by

T

1

, ontains

S

1

is

1

/

8

. We determine the two T-Boxes that are touhed by aanonial vetorassoiated to a list marked asrightbit,

non-middlebit andassoiatedto

T

1

. SeletingoneoftheseT-Boxesrandomly,the probabilitythatit ontains

S

2

is

1

/

2

.Outoftheset ofunseleted T-Boxes,we selettheonethatistouhedbyaanonialvetorassoiatedtoalistmarkedas

rightbit,non-middlebit andassoiated tothepreviousseletedT-Box.We

ontinue theproessuntilall T-Boxeshavebeenseleted (seeFigure 5). Note

thattheprobabilitytodeterminetherightorrespondeneis

1

/

8

×

1

/

2 = 1

/

16

.

Fig.5. Chaining

Bit Positions. Atthisstage,wehavereoveredbetweenothers,32preimages

orresponding to unspeied left anonial vetors. In order to determine the

orrespondene,weusethefollowingobservationontheDES:

Outofthe four left bitsthat arexoredwith the outputof aspeiedS-Box,

exatly twobeome(inthe seondround)middlebits.

Now,wejust have to apply eah of the preimagesto the obfusated DES and

hekwhether theimageofthisvetorin frontoftheseondroundisamiddle

bit(f.4.2).AssumingthattheT-Boxesfollowthesameorderinginthedierent

rounds, preimagesorrespondingtoamiddle bit (resp.non-middlebit) anbe

distinguishedbyobservingtheindiesofthetouhedT-Boxes.

Forexample,fortherstS-box,amongthepreimagesofthefouridentied left

anonialvetors,

oneofsuhvetorsisthepreimage of

e

23

(resp.

e

31

)ifitisthepreimageof amiddlebitof

S

6

(resp.

S

8

)in theseondround.

oneofsuhvetorsisthepreimageof

e

9

(resp.

e

17

)ifitisnotthepreimage ofamiddlebitand itisin theinputof

S

2

and

S

3

(resp.

S

4

and

S

5

)ofthe seondround.

4.3 The Attak

InSetion4.2,wehaveshownhowtoreoverallthepreimagesoftheleft

anon-ial vetors.Inother words,wehavereoveredhalfof

M

−

1

but theirorrespondinganonialvetoris howeverunknown.Therefore,some

olumns of

M

−

1

0

are known up to their positions. Finally, the remaining lists

markedasmiddlebits ontainpreimages ofsomeanonialvetors

e

i

1

, . . . , e

i

n

(theirnumberisthedimensionofthevetorspaespannedbythelist).Inthis

ase, we selet linearly independent vetors in the list and we assoiate eah

of them to oneof theanonialvetor

e

i

j

.Therefore, we arein theontext of

theattakofthenaked-DESuptosomeadaptations.Inpartiular,wehaveto

hoose

X

0

belongingtothevetorspaespannedbytheknownolumnsof

M

−

1

0

.

Theevaluationoftherstroundon

X

0⊕

∆

mayleadtosomediulties.Indeed, wehave to hoose

∆

belonging to the preimage of middle bits spae whih is notneessarily inludedin thevetorspaespanned by theknown olumns of

M

0

−

1

. It turns out that we have to try all the andidates for this part of the matrix

M

−

1

0

.Foreah of theseandidates, wemount anattaklikewedidon

the naked-DES, whih provides 48-bit key andidates. Note that wrong keys

maybereovered.Moreimportantly, heremaybenokeyforthisandidatefor

this partof thematrix

M

−

1

0

. Inotherwords,it meansthatwehavetodisard

thisandidate.

In order to determine the remaining part of

M

−

1

0

(olumns assoiated to

non-middlebits),weapplyasimilarpriniplethatweusedforthenaked-DES.

Indeed,weknowthekeyandweknowthat forthenaked-DES forany

initial-message

X

0

there always exists adierene

∆

with non-zerorightomponent suhthattherightpartofthedierential(evaluatedin

X

0

)oftherstroundis zero.Itmeansthatin theontextofthenonstandard-DES,wrongandidates

for

M

−

1

0

anbedisarded.Denoteby

K

thespaespannedbytheknownolumns ofthe andidatefor

M

−

1

0

andby

U

theunknown olumnsof theandidatefor

M

0

−

1

.Wehave

K

⊕

U

= IF

64

2

.Theandidatefor

M

−

1

0

anbedisardedifthere

exists

X

0

∈

K

suhthat there doesnotexist

∆

withanon zero-omponentin

U

suh thattherightpartofthedierential(evaluated in

X

0

)iszero.

Atthis stage,wehavea48-bit keyandidateandaandidatefor

M

−

1

0

.We

makeanexhaustivesearhinordertodeterminethe8remainingbitsofthekey.

Foreahofthemwetrytosolvealinearsysteminordertondthematrix

M

4

. Ifthere isnosolutionfor

M

4

wededuethat the8-bitkeyandidateis wrong. Ifallthe8-bitkeyandidatesare wrong,wedisardthispartiular

M

−

1

0

. Note

thatthismethodalsoworksif

M

4

hasio-blokenodingbijetionsatitsoutput.

Attak on Link andNeumann obfusation: Ourmethods only usethe outputs

oftherstandseond round.Inpartiular,weneverusetheoutputsofthe

T-boxes.Therefore,ourtwoattaks(naked-DES,andnonstandard-DES)anbe

This attak was implemented with a Code. At eah stage of theattak, the

number ofandidates dereases both forthe keyand for

M

−

1

0

. Finally, it will

lead toa unique48-bit keyandidate, aunique

M

−

1

0

andidate, and aunique

M

4

andidate.Wehavetestedourattakon thousandsofrandomly generated obfusated implementations of DES (both naked and nonstandard DES).

Figure6showstheneessarytimeto ompletetheattak.Weanobservethat

95%oftheattaksrequirelessthan 50seonds,and 75%lessthan17 seonds.

The mean timeis about17 seonds. However,the attaks were exeuted ona

standardPC.Theodewasnotoptimizedandtheperformaneanbefurther

improved.

0

10

20

30

40

50

60

70

80

90

100

0

5

10

15

20

25

30

35

40

45

50

%

ti

m

e

(

s

e

c

)

Fig.6.Repartitionoftheattaksdurations

6 Comparison to Wyseur et al.'s Work

Inthissetion,wetrytolarifythedierenesbetweenourpaperandtheoneof

Wyseuretal.[11℄.Themain advantageoftheirmethodisthattheyareableto

reoverthekeyforthe nonstandard-DES evenwhen thetransformations

M

0

and

M

4

arenonlinear.Nevertheless,theydonotreoverthesetransformations, and the only knowledge of the keyis useless. They laim that theproblem is

straightforwardinthelinearaseprovidedthekeyisknown.Asfarasweknow

andwithoutanyadditionaltriks,thisissuerequirestheuseofalgorithmsthat

allowndingthelinearbijetions

A

and

B

satisfyingtheequation

G

=

A

◦

F

◦

B

, giventhenonlinearfuntions

F

and

G

.Thesealgorithmsareexponentialinthe number of variables of

F

(see Patarin et al. [9℄). Our method reovers these transformationsinashort amountoftime,whentheyarelinear.Thenonlinear

aseisstillanopenproblem.Finally,Wyseuretal.[11℄onsideranobfusation

In this paper, we have given new tehniques of ryptanalysis for the urrent

obfusation methods of DES. These tehniques rely on a theoretial analysis

and have also been implemented as a C program. We have implemented our

methodwithaCodeandhaveapplieditsuessfullytomorethanathousand

obfusatedimplementationsofDES(bothnakedandnonstandardDES).All

thestudiedinstaneshaveleadtoauniqueandidatefortheDESkeyandforthe

M

0

and

M

4

seretlineartransformations.Thekeyandthetwolineartransforms havebeenobtainedwithin 17seondsinaverage.

Referenes

1. B. Barak, O. Goldreih, R. Impagliazzo, S. Rudih, A. Sahai, S.P. Vadhan, and

K.Yang. Onthe(im)possibilityofobfusatingprograms. InProeedingsofthe21st

AnnualInternationalCryptologyConfereneonAdvanesinCryptology-CRYPTO

'01,Aug.19-23,2001,pages118.Springer-Verlag,2001

2. O.Billet. CryptologieMultivariablePh.D.thesisUniversityofVersailles,Deember

2005.

3. O.Billet,H.Gilbert,andC.Eh-Chatbi. CryptanalysisofawhiteboxAES

imple-mentation. InHelenaHandshuhand M.AnwarHasan,editors, SeletedAreasin

Cryptography, volume3357 ofLeture Notes inComputer Siene,pages 227240.

Springer,2004.

4. S.Chow,P.Eisen,H.Johnson,andP.vanOorshot.White-boxryptographyandan

AESimplementation. In

9

th

AnnualWorkshoponSeleted AreasinCryptography,

Aug.15-162002,volume2595ofLNCS,pages250270.Springer-Verlag,2002.

5. S.Chow,H.Johnson,P.vanOorshot,andP.Eisen.Awhite-boxDES

implementa-tionforDRMappliations. InProeedingsofACMCCS-9WorkshopDRM,Nov.18

2002,volume2696ofLNCS,pages115.Springer-Verlag,2003.

6. M. Jaob, D. Boneh,and E. Felten. Attakinganobfusated ipher by injeting

faults.InProeedings2002ACMWorkshoponDigitalRightsManagement,

Novem-ber18,2002, WashingtonDC,USA.,2002.

7. H.E. Linkand W.D. Neumann. Clarifyingobfusation: Improvingtheseurity of

white-boxenoding. 2004. http://eprint.iar.org/.

8. J. Patarin and L. Goubin. Asymmetri ryptographywith S-boxes. InPro. 1st

International Information and Communiations Seurity Conferene, pages 369

380,1997.

9. J. Patarin,L. GoubinandN. Courtois ImprovedAlgorithms for Isomorphismsof

Polynomials. InProeedingsofEurorypt'98,volume1403ofLNCS,pages184200.

Springer-Verlag,1998.

10. http://www.itl.nist.gov/pspubs/p46-2.htm

11. B. Wyseur, W. Mihiels, P. Gorissen, and B.Preneel. Cryptanalysis of

White-BoxDESImplementationswithArbitraryExternalEnodings. CryptologyePrint

Arhive,Report2007/104,2007,http://eprint.iar.org/

12. http://www.loakware.om

Proof ofProperty 1:Let

E

betheset

{

∆

∈

IF

64

2

|

D

∆

F

(IF

64

2

)

⊂

K

k

}

.

Let

∆

be an element belonging to

B

k

. Let

X

be anelement belonging to

IF

64

2

.

D

∆

F

(

X

) = (

D

∆

(

b

1

◦

π

1

◦

M

1

◦

M

0(

X

))

, . . . , D

∆

(

b

24

◦

π

24

◦

M

1

◦

M

0(

X

)))

Aording to the denitions, if

∆

∈

B

k

then

M

0(

∆

)

∈ B

k

or equivalently

π

k

◦

M

1

◦

M

0(

∆

) = 0

.Writting

D

∆

(

b

k

◦

π

k

◦

M

1

◦

M

0(

X

))

as

(1)

,wehave:

(1) =

b

k

◦

π

k

◦

M

1

◦

M

0(

X

)

⊕

b

k

◦

π

k

◦

M

1

◦

M

0(

X

⊕

∆

)

=

b

k

◦

π

k

◦

M

1

◦

M

0(

X

)

⊕

b

k

(

π

k

◦

M

1

◦

M

0(

X

)

⊕

π

k

◦

M

1

◦

M

0(

∆

))

=

b

k

◦

π

k

◦

M

1

◦

M

0(

X

)

⊕

b

k

(

π

k

◦

M

1

◦

M

0(

X

)

⊕

0)

=

b

k

◦

π

k

◦

M

1

◦

M

0(

X

)

⊕

b

k

◦

π

k

◦

M

1

◦

M

0(

X

) = 0

This meansthat

D

∆

F

(

X

)

belongs to

K

k

or equivalently

∆

belongs to

E

. Weonludethat

B

k

⊂

E

.

Let

∆

be any element of

E

. Aording to the denition of

E

, we havein partiular

D

∆

(0)

∈

K

k

.Thismeansthat

b

k

(0)

⊕

b

k

◦

π

k

◦

M

1

◦

M

0(

∆

) = 0

,

orequivalently

b

k

(0) =

b

k

◦

π

k

◦

M

1

◦

M

0(

∆

)

.

Wededuethat

π

k

◦

M

1

◦

M

0(

∆

) = 0

beause

b

k

isabijetion.Aordingto thedenitions, itmeansthat

M

0(

∆

)

∈ B

k

orequivalently

∆

belongsto

B

k

. Therefore

E

⊂

B

k

.Weonludethat

E

=

B

k

.

Notethatinfat

B

k

isthekernelof

π

k

◦

M

1

◦

M

0

.Sinerank

(

π

k

◦

M

1

◦

M

0)

is less or equal to 4, and greater or equal to 1, we have simultaneously

60

≤

dim(

B

k

)

≤

63

and theprobability that

∆

belongs to

B

k

when

∆

is

randomlyhosen,isequalto

dim(

B

k)

2

64

.Theresultsfollows.

⊓

⊔

Proof of Lemma 1: Firstreall that

B

k

=

h

e

j

|

π

k

◦

M

1(

e

j

) = 0i

and

E

k

=

h

e

j

|

π

k

◦

M

1(

e

j

)

6= 0i

. Letj andk betwodistint integers,thenthe following onditionsareequivalent.

E

j

∩ E

k

=

{0}

.

π

k

◦

M

1(

e

i

) = 0

or

π

j

◦

M

1(

e

i

) = 0

foranyinteger

i

∈

[1

,

64]

.

π

k

◦

M

1(

X

) = 0

or

π

j

◦

M

1(

X

) = 0

foranyvetor

X

∈

IF

64

2

.

Weonludethatif

X

∈ E

j

and

E

j

∩E

k

=

{0}

then

π

k

◦

M

1(

X

) = 0

orequivalently

X

∈ B

k

.

Consider

X

6= 0

belonging to

T

j

6

=

k

B

j

. We have that

π

j

◦

M

1(

X

) = 0

for any

onludethatall thebitsof

M

1(

X

)

thattouh

b

j

(

j

6=

k

)arezeros.Therefore, foranynon-zeroomponent

e

i

of

X

,

M

1(

e

i

)

touhes

b

k

orequivalently

X

∈ E

k

, and

T

j

6

=

k

B

j

⊂ E

k

.

Let us use an argumentby ontraposition.Consider

e

i

∈

/

T

j

6

=

k

B

j

. Then, there

exists

j

6=

k

, suh that

e

i

∈ B

/

j

, i.e.

π

j

◦

M

1(

e

i

)

6= 0

or equivalently

e

i

∈ E

j

. Therefore, aording to the previous three equivalent onditions,

e

i

∈ E

/

k

. We dedue thatfor any

e

i

∈ E

k

wehave

e

i

∈

T

j

6

=

k

B

j

.It meansthat

E

k

=

h

e

i

|

e

i

∈

E

k

i ⊂

T

j

6

=

k

B

j

.Weonlude

E

k

=

T

j

6

=

k

B

j

.

Proof of Property 2:Let

e

i

be anelement of

E

k

and

j

beanelement of

J

k

. Wehave

π

k

◦

M

1(

e

i

)

6= 0

and

E

j

∩ E

k

=

{0}

.Itimpliesthat

π

j

◦

M

1(

e

i

) = 0

,and

e

i

∈ B

j

. Therefore,

e

i

∈

T

j

∈

J

k

B

j

,and

h

e

i

|

e

i

∈ E

k

i ⊂

E

b

k

.

⊓

⊔

Proof ofProperty 3:Wewillrstprovethat

(B

i

∩ B

j

)

⊕ hE

i

∪ E

j

i

= IF

64

2

.

Consideraanonialvetor

e

k

∈ B

/

i

∩ B

j

.Thisisequivalentto

π

i

◦

M

1(

e

k

)

6= 0

or

π

j

◦

M

1(

e

k

)

6= 0

.Inotherwords

e

k

∈ E

i

or

e

k

∈ E

j

,orequivalently

e

k

∈ hE

i

∪ E

j

i

. Thismeansthat foranyanonialvetors

e

k

of

IF

64

2

,wehaveeither

e

k

belongs to

B

i

∩ B

j

or

e

k

belongsto

hE

i

∪ E

j

i

.

Assume thatthereexists aanonialvetor

e

k

∈

(B

i

∩ B

j

)

∩ hE

i

∪ E

j

i

. Wehave

π

i

◦

M

1(

e

k

) =

π

j

◦

M

1(

e

k

) = 0

,andeither

π

i

◦

M

1(

e

k

)

6= 0

or

π

j

◦

M

1(

e

k

)

6= 0

.It leadstoaontradition.Hene

(B

i

∩B

j

)∩hE

i

∪E

j

i

ontainsnoanonialvetors.

Assume now that there exists an element

∆

∈

(B

i

∩ B

j

)

∩ hE

i

∪ E

j

i

having a non-zero omponent

e

k

. The vetor

∆

belongs to

(B

i

∩ B

j

)

, hene

e

k

belongs to

(B

i

∩ B

j

)

. Moreover

∆

belongs to

hE

i

∪ E

j

i

, hene

e

k

belongs to

hE

i

∪ E

j

i

. Therefore

e

k

belongsto

(B

i

∩ B

j

)

∩ hE

i

∪ E

j

i

whih is impossible.Weonlude that

(B

i

∩ B

j

)

∩ hE

i

∪ E

j

i

=

{0}

.Therefore

(B

i

∩ B

j

)

⊕ hE

i

∪ E

j

i

= IF

64

2

.

Wededuethat

64 = dim(hE

i

∪ E

j

i) + dim(B

i

∩ B

j

)

= dim(E

i

+

E

j

) + dim(B

i

∩ B

j

)

= dim(E

i

) + dim(E

j

)

−

dim(E

i

∩ E

j

) + dim(B

i

∩ B

j

)

Moreover

E

i

⊕ B

i

= IF

64

2

=

E

j

⊕ B

j

.Hene

64 = 64−

dim

(B

i

) + 64−

dim(B

j

)−

dim(E

i

∩ E

j

) + dim(B

i

∩ B

j

)

.Theresultfollows.

⊓

⊔