- The first consists in removing the non-linear part of the mixing bijection encodings. This step is partially based on the Billet et al. method.
- The second consists in guessing the linear part of the encodings. This step uses a method for solving the linear equivalence problem for matrices (LEPM) [5,12].
- The third is the extraction of the secret key information by algebraic analysis.
In the second step of the cryptanalysis, a round function is described as a Substitution Affine-Transformation (SAT) cipher round function. A round function in a SAT cipher is a cascade of T-boxes T_i, followed by an affine transformation b^r. These components T_i and b^r can be computed by an adversary provided that the InvMixColumns operation is known. The last step performs the round key extraction. This is achieved by obtaining the equivalence between the computed T_i and the inverse S-boxes IS_i of the AES decryption algorithm. The algebraic equations that need to be solved are:

$T_i = c_i \circ IS_i \circ d_i,$

where c_i, d_i are the affine functions that describe the affine relation between T_i and IS_i. Function c_i depends on b^r and d_i contains the key addition operation. Solving these equations leads to the secret decryption key.
From these two attacks, we learn that the input and output mixing bijection encodings do not sufficiently hide the rounds' operations. This is especially the case if the parameters of the round operations are publicly known. Indeed, both attacks are based on the fact that the coefficients of InvMixColumns and InvSubBytes are known. Also, they both have a similar complexity when applied against a white-box AES implementation. Consequently, raising the complexity in the context of the Billet et al. attack makes the system more difficult to break with the Michiels et al. attack too.
4 Our White-Box Implementation
4.1 General Idea
AES is based on simple algebraic operations over the finite field GF(2^8). If we change all the constants in AES, including the irreducible polynomial, the matrix coefficients and the affine transformations, we can create new dual ciphers. It is mentioned in [2] that 240 new dual ciphers of AES can be created this way. The list of these 240 dual ciphers can be found in [1]. There are even more AES dual ciphers according to [15,5]. In [5], the authors expand the set of 240 ciphers to a set of 61,200 representations that are dual to the AES.
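The dual-cipher idea just described in concrete form, as an added Python example that is not the paper's own code. It builds one dual cipher by swapping the AES polynomial for another irreducible polynomial (0x11D, a constructed choice), derives the byte map Δ between the two representations as the GF(2)-linear map that sends x to a root of the AES polynomial inside the new field, checks that Δ preserves both addition and multiplication, and rewrites the S-box with transformed affine constants so that it computes Δ∘S∘Δ⁻¹ natively in the dual field. All function names (gf_mul, field_isomorphism, dual_sbox_table and the rest) are this example's own.

```python
# Added example (not from the paper): a concrete AES dual cipher.
# Delta is the GF(2)-linear byte map between the AES field representation and
# a second representation of GF(2^8); the dual S-box is the AES S-box with all
# of its constants (polynomial, affine matrix, affine constant) transformed.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1: the polynomial AES uses
DUAL_POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1: constructed choice of another irreducible polynomial


def gf_mul(a, b, poly):
    """Multiply two bytes as elements of GF(2)[x]/(poly)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r & 0xFF


def gf_inv(a, poly):
    """Multiplicative inverse as a^254; 0 maps to 0, as in AES."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return r


def field_isomorphism(p, q):
    """Table of Delta: GF(2)[x]/(p) -> GF(2)[x]/(q).

    Delta sends the generator x of the p-field to a root beta of p inside the
    q-field and extends linearly, so it preserves both XOR and multiplication.
    """
    for beta in range(256):
        acc, power = 0, 1            # evaluate p(beta) inside the q-field
        for i in range(9):
            if (p >> i) & 1:
                acc ^= power
            power = gf_mul(power, beta, q)
        if acc == 0:
            break
    else:
        raise ValueError("p has no root in the q-field: one of them is not a field")
    powers = [1]
    for _ in range(7):
        powers.append(gf_mul(powers[-1], beta, q))
    table = []
    for a in range(256):             # Delta(a) = XOR of beta^i over the set bits of a
        v = 0
        for i in range(8):
            if (a >> i) & 1:
                v ^= powers[i]
        table.append(v)
    return table


def is_field_isomorphism(delta, p=AES_POLY, q=DUAL_POLY):
    """Check additivity and multiplicativity of Delta on every pair of bytes."""
    for a in range(256):
        for b in range(256):
            if delta[a ^ b] != delta[a] ^ delta[b]:
                return False
            if delta[gf_mul(a, b, p)] != gf_mul(delta[a], delta[b], q):
                return False
    return True


def aes_affine(s, c=0x63):
    """AES S-box affine layer: the rotate-and-XOR matrix A applied to s, plus c."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return s ^ rotl(s, 1) ^ rotl(s, 2) ^ rotl(s, 3) ^ rotl(s, 4) ^ c


def aes_sbox(a):
    """Standard SubBytes: inversion in the AES field, then the affine layer."""
    return aes_affine(gf_inv(a, AES_POLY))


def dual_sbox_table(delta):
    """S-box of the dual cipher, computed natively in the dual representation:
    inversion modulo DUAL_POLY, then the conjugated affine map
    A' = Delta A Delta^-1 with constant c' = Delta(0x63)."""
    inv_delta = [0] * 256
    for a, v in enumerate(delta):
        inv_delta[v] = a
    # columns of A': image of each basis vector of the dual representation
    cols = [delta[aes_affine(inv_delta[1 << i], 0)] for i in range(8)]
    c_dual = delta[0x63]
    table = []
    for y in range(256):
        s = gf_inv(y, DUAL_POLY)
        out = c_dual
        for i in range(8):
            if (s >> i) & 1:
                out ^= cols[i]
        table.append(out)
    return table


def dual_matches_conjugated_aes(delta):
    """The dual S-box must equal Delta o S o Delta^-1 on every byte."""
    inv_delta = [0] * 256
    for a, v in enumerate(delta):
        inv_delta[v] = a
    dual = dual_sbox_table(delta)
    return all(dual[y] == delta[aes_sbox(inv_delta[y])] for y in range(256))


if __name__ == "__main__":
    d = field_isomorphism(AES_POLY, DUAL_POLY)
    print("Delta is a field isomorphism:", is_field_isomorphism(d))
    print("dual S-box == Delta o S o Delta^-1:", dual_matches_conjugated_aes(d))
```

The root search picks the smallest root of the AES polynomial in the new field; the polynomial has eight roots there, and each root gives a different Δ. Thirty irreducible degree-8 polynomials over GF(2), times eight roots each, is where the count of 240 dual ciphers comes from.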
Outputs of AES and dual AES are correlated. There exists a linear transformation Δ that maps a byte state of AES into a byte state of a dual AES, i.e. X_dual = Δ(X). The same transformation also maps the AES input or output, like the plaintext P, the ciphertext C and the decryption key K, into the dual AES input or output (i.e. P_dual = Δ(P), C_dual = Δ(C) and K_dual = Δ(K)). Other transformations can be built to map a state of any dual AES into a state