of another different dual AES. An algorithm described in [5] computes an affine equivalence between two S-boxes $S_1$ and $S_2$.
We present here a method that uses multiple different dual AES within the same WB-AES implementation.
- We choose a random dual representation for every AES round (10 in total).
- The round constants, the InvSubBytes table and the InvMixColumns matrix of a given round are replaced by those of the corresponding dual AES.
- To construct the new T-boxes ($T_{i,j}$), the key is expanded through all the dual AES key expansions, and for each round we select the subkey of the corresponding dual AES.
With these modifications, each round takes a byte state in the representation of the corresponding dual AES and outputs a byte state in the same dual representation. To keep the output of the overall implementation unchanged for a given input, the round input and output have to be encoded with the linear transformation $\Delta$ that defines the dual. The encoding $\Delta$ is chosen so that the byte state at the round input matches the modifications made to the round's internal operations. Considering a round building block $B$ as the combination of four lookups in the new T-boxes and a multiplication by the new matrix $IMC$, the encoded round corresponds to the composition $\Delta^{-1} \times B \times \Delta$: the input is encoded by $\Delta$, $B$ is evaluated in the dual representation, and the output is decoded by $\Delta^{-1}$.
As the white-box mixing bijections are built on the same principle (linear bijections applied to the state), our idea is to incorporate the $\Delta$-encodings within these mixing bijections. There are two possible strategies. The first uses a single encoding $\Delta_r \times \Delta_{r-1}^{-1}$ to perform at the same time the output $\Delta$-decoding of the previous round and the input $\Delta$-encoding of the current round, and combines it with the mixing bijection $P_{i,j}$. The second uses one encoding $\Delta_{r+1} \times \Delta_r^{-1}$ to perform at the same time the output $\Delta$-decoding of the current round and the input $\Delta$-encoding of the next round, and combines it with the inverse mixing bijection $Q_{i,j}$. The two strategies are illustrated in Figure 2. Both strategies are similar from a security perspective. Nevertheless, the first strategy requires changing only type I and type II tables, whereas the second requires modifications in type I, type II and also type III tables. Thus we choose the first for the description (see footnote 2).
- We multiply the linear transformation of the first round (i.e. $\Delta_1$) by the mixing bijections of the first round (i.e. $P_{i,j}$); the result is the mixing bijection inserted in the type II tables of the first round.
- For $r$ in $[2..10]$, the linear transformation of the previous round $\Delta_{r-1}$ is inverted and left-multiplied by the linear transformation of the current round (i.e. $\Delta_r \times \Delta_{r-1}^{-1}$). The result of the multiplication is combined with the mixing bijections $P_{i,j}$ of round $r$.
- The linear transformation $\Delta_{10}$ is inverted and combined with the external decoding $G$ after the last round.
Footnote 2: Another strategy consists in combining $\Delta_r$ with the mixing bijection $P_{i,j}$ and $\Delta_r^{-1}$ with the inverse mixing bijection $Q_{i,j}$, but it brings nothing, as the input before the type II tables and the output after the type III tables do not change.
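The per-round dual representations and the gluing encodings $\Delta_r \times \Delta_{r-1}^{-1}$ described above, as an added worked example that is not part of the original paper or of any WB-AES implementation. The dual family is an assumption made for the demo: the Frobenius maps $\Delta_k(x) = x^{2^k}$ of GF(2^8), which are GF(2)-linear field automorphisms and therefore give valid dual AES (dual S-box $\Delta_k \circ S \circ \Delta_k^{-1}$, MixColumns constants $\Delta_k(2)$ and $\Delta_k(3)$, subkey $\Delta_k(k_r)$, which is what a dual key schedule run on $\Delta_k(K)$ produces). The example works in the encryption direction (SubBytes/MixColumns) rather than the page's InvSubBytes/IMC direction, omits the mixing bijections $P_{i,j}$ and the external encodings, and uses constructed round keys instead of a key schedule; all function names are the example's own.

```python
"""Added example (not from the paper): AES rounds evaluated in per-round dual
representations and glued with one linear encoding Delta_r x Delta_{r-1}^{-1}.
Assumed duals: Frobenius automorphisms Delta_k(x) = x^(2^k) of GF(2^8)."""
import random
from functools import reduce
from operator import xor

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(a):  # multiplicative inverse a^254 by square-and-multiply (0 -> 0)
    r, e = 1, 254
    while e:
        if e & 1:
            r = gmul(r, a)
        a, e = gmul(a, a), e >> 1
    return r

def aes_affine(x):
    """GF(2)-affine part of SubBytes: x ^ rotl(x, 1..4) ^ 0x63."""
    y = x
    for i in range(1, 5):
        y ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return y ^ 0x63

SBOX = [aes_affine(ginv(x)) for x in range(256)]

def delta(x, k):
    """Delta_k(x) = x^(2^k): GF(2)-linear and a field automorphism, hence a valid
    dual representation. Its inverse is delta(., 8 - k) because x^(2^8) = x."""
    for _ in range(k % 8):
        x = gmul(x, x)
    return x

def dual_sbox(k):
    """S'_k = Delta_k o S o Delta_k^{-1}, the S-box of the k-th dual AES."""
    return [delta(SBOX[delta(y, 8 - k)], k) for y in range(256)]

def shift_rows(s):
    """State is 16 bytes, column-major: s[4*c + r] is row r of column c."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(col, c2, c3):
    """MixColumns on one column with the circulant matrix (c2, c3, 1, 1)."""
    a0, a1, a2, a3 = col
    return [gmul(a0, c2) ^ gmul(a1, c3) ^ a2 ^ a3,
            a0 ^ gmul(a1, c2) ^ gmul(a2, c3) ^ a3,
            a0 ^ a1 ^ gmul(a2, c2) ^ gmul(a3, c3),
            gmul(a0, c3) ^ a1 ^ a2 ^ gmul(a3, c2)]

def aes_round(state, rkey, sbox=SBOX, c2=2, c3=3):
    """One encryption round with pluggable S-box and MixColumns constants."""
    s = shift_rows([sbox[b] for b in state])
    mixed = [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4], c2, c3)]
    return [m ^ k for m, k in zip(mixed, rkey)]

def dual_round(state, rkey, k):
    """Same round in the k-th dual AES; dual_round(Delta_k(s)) == Delta_k(aes_round(s))."""
    return aes_round(state, [delta(b, k) for b in rkey], dual_sbox(k),
                     delta(2, k), delta(3, k))

def matrix_of(f):  # 8x8 GF(2) matrix of a linear byte map, as its 8 column bytes
    return [f(1 << i) for i in range(8)]

def apply_matrix(m, x):
    return reduce(xor, (m[i] for i in range(8) if (x >> i) & 1), 0)

def compose(m_left, m_right):
    """Matrix product m_left x m_right: m_right is applied first."""
    return [apply_matrix(m_left, col) for col in m_right]

def plain_rounds(block, rkeys):
    for rk in rkeys:
        block = aes_round(block, rk)
    return block

def dual_rounds(block, rkeys, duals):
    """Strategy 1: Delta_1 on the input, one encoding Delta_r x Delta_{r-1}^{-1}
    between rounds (as a single 8x8 matrix), Delta_R^{-1} on the output."""
    state = [delta(b, duals[0]) for b in block]
    for r, (rk, k) in enumerate(zip(rkeys, duals)):
        if r > 0:  # one linear map, foldable into the mixing bijection P_{i,j}
            glue = compose(matrix_of(lambda x: delta(x, k)),
                           matrix_of(lambda x: delta(x, 8 - duals[r - 1])))
            state = [apply_matrix(glue, b) for b in state]
        state = dual_round(state, rk, k)
    return [delta(b, 8 - duals[-1]) for b in state]

random.seed(1)  # constructed test data (not from the paper)
RKEYS = [[random.randrange(256) for _ in range(16)] for _ in range(4)]
BLOCK = [random.randrange(256) for _ in range(16)]
DUALS = [3, 5, 0, 6]  # one dual representation chosen per round
```

The invariant the page relies on is `dual_round(Delta_k(s)) == Delta_k(aes_round(s))`: a round built from dual components, fed a $\Delta_k$-encoded state, returns $\Delta_k$ of the ordinary round output. Because of it, rounds in different duals can be chained with nothing but the single linear map $\Delta_r \times \Delta_{r-1}^{-1}$ between them (built here as a product of two 8x8 GF(2) matrices, the same kind of object as a linear mixing bijection), and `dual_rounds(BLOCK, RKEYS, DUALS)` equals `plain_rounds(BLOCK, RKEYS)` for any choice of `DUALS`.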