[Fig. 3. New Type I.b and II Tables. Figure not reproduced; its two panels are labelled Type I.b (built from 128×8 tables) and Type II (built from MB × IMC, 32×8 and 8×8 tables).]
bijections $P^r_{i,j} = \Delta_{\sigma_r} \times \Delta^{-1}_{\sigma_{r-1}} \times P_{i,j}$. For the first round, we multiply the first dual transformation with $P_{i,j}$; the mixing bijections are then $P^1_{i,j} = \Delta_{\sigma_1} \times P_{i,j}$.

Regarding type I tables, two encodings $F$ and $G$ are put around the initial white-box implementation. $F$ and $G$ are both randomly chosen as $128 \times 128$ matrices in $GF(2)$ in which all aligned $4 \times 4$ sub-matrices are of full rank. Prior to being inserted, $F$ is left-multiplied by $Q_{i,j}$, $i \in [0..3]$, $j \in [0..3]$ (just like in the original implementation) and $G$ is multiplied by $\Delta^{-1}_{\sigma_{10}}$. This last operation is new and first has the effect of undoing the $\Delta$-encoding of the last round. Finally, the resulting $128 \times 128$ matrices $F$ and $G$ are split into $128 \times 8$ tables and inserted respectively before the first and after the last operations. These tables are followed by 4-bit to 4-bit non-linear input decodings and output encodings implemented with type IV tables (we omit to describe these encodings here).
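As an added example (not code from the paper), the construction of the $F$ and $G$ encodings described above can be exercised in Python: a random $128 \times 128$ GF(2) matrix whose aligned $4 \times 4$ sub-matrices are all of full rank is drawn, split into $128 \times 8$ tables, and XOR-ing one table lookup per input byte is checked to reproduce the matrix-vector product. The bit layout (input byte $k$ occupies bits $8k$ to $8k+7$), the rejection-sampling generator and all function names are this example's own assumptions; the $Q_{i,j}$ and $\Delta$ factors are not modelled.

```python
import random

def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks, pivoting on the highest set bit."""
    rank, rows = 0, list(rows)
    while any(rows):
        pivot = max(rows)
        top = 1 << (pivot.bit_length() - 1)
        rows = [r ^ pivot if r & top else r for r in rows if r != pivot]
        rank += 1
    return rank

def aligned_4x4_blocks_full_rank(m, n):
    """True iff every aligned 4x4 sub-matrix of the n x n matrix m is invertible."""
    for bi in range(n // 4):
        for bj in range(n // 4):
            sub = [(m[4 * bi + k] >> (4 * bj)) & 0xF for k in range(4)]
            if gf2_rank(sub) != 4:
                return False
    return True

def random_encoding_matrix(n=128, rng=random):
    """Random invertible n x n GF(2) matrix whose aligned 4x4 blocks are all full rank."""
    while True:
        m = [0] * n  # row i is an n-bit int; bit j of row i is entry (i, j)
        for bi in range(n // 4):
            for bj in range(n // 4):
                while True:  # draw one invertible 4x4 block (rejection sampling, our choice)
                    block = [rng.getrandbits(4) for _ in range(4)]
                    if gf2_rank(block) == 4:
                        break
                for k in range(4):
                    m[4 * bi + k] |= block[k] << (4 * bj)
        if gf2_rank(m) == n:  # the whole matrix must be a bijection too
            return m

def matvec(m, x):
    """y = m * x over GF(2): bit i of y is the parity of (row i AND x)."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(m))

def split_into_byte_tables(m, n=128):
    """Split an n x n matrix into n/8 strip tables (the 'n x 8 tables'): table k maps input byte k to its n-bit contribution."""
    return [[matvec(m, b << (8 * k)) for b in range(256)] for k in range(n // 8)]

def lookup_eval(tables, x):
    """Apply the matrix through the tables: XOR one lookup per input byte."""
    y = 0
    for k, table in enumerate(tables):
        y ^= table[(x >> (8 * k)) & 0xFF]
    return y
```

Note that the identity matrix fails the aligned-block test (its off-diagonal $4 \times 4$ blocks are zero), which is exactly why the condition forces a genuine mixing across nibbles.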
Proposition 1 (correctness). Any $T^{\sigma_r}_i$, $r \in [1..10]$, as constructed above for D-AES($\sigma_r$), receives as input an AES vector state transformed by $\Delta_{\sigma_r}$.
Proof. Let $(x_0, \ldots, x_{31})$ be an input word for the round $r$, for which the dual cipher is D-AES($\sigma_r$). Let $(y_0, \ldots, y_{31})^{\sigma_r}$ be the output after the table of type III, which serves as input to the type II table of the next round. We have then $(y_0, \ldots, y_{31})^{\sigma_r} = Q^r\big((z_0, \ldots, z_{31})^{\sigma_r}\big)$, where $(z_0, \ldots, z_{31})^{\sigma_r}$ is the output after the InvMixColumns operation. When the data is to be processed with type II tables of the round $r+1$, the mixing bijection $P^{r+1}$ is first applied to the vector $(y_0, \ldots, y_{31})$. We have then as input for the round $r+1$ the following:

$$
\begin{aligned}
&= \Delta_{\sigma_{r+1}} \circ \Delta^{-1}_{\sigma_r} \circ P^{r+1}\big((y_0, \ldots, y_{31})^{\sigma_r}\big) \\
&= \Delta_{\sigma_{r+1}} \circ \Delta^{-1}_{\sigma_r} \circ P^{r+1}\big(Q^r((z_0, \ldots, z_{31})^{\sigma_r})\big) \\
&= \Delta_{\sigma_{r+1}} \circ \Delta^{-1}_{\sigma_r}\big((z_0, \ldots, z_{31})^{\sigma_r}\big) \\
&= \Delta_{\sigma_{r+1}}\big((z_0, \ldots, z_{31})\big) \\
&= (z_0, \ldots, z_{31})^{\sigma_{r+1}}.
\end{aligned}
$$