White-box AES implementation revisited.

JOURNAL OF COMMUNICATIONS AND NETWORKS (2016)

Abstract
White-box cryptography presented by Chow et al. is an obfuscation technique for protecting secret keys in software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms. Despite its practical importance, progress has not been substantial. In fact, it is repeated that as a proposal for a white-box implementation is reported, an attack of lower complexity is soon announced. This is mainly because most cryptanalytic methods target specific implementations, and there is no general attack tool for white-box cryptography. In this paper, we present an analytic toolbox on white-box implementations of the Chow et al.'s style using lookup tables. According to our toolbox, for a substitution-linear transformation cipher on $n$ bits with S-boxes on $m$ bits, the complexity for recovering the key obfuscated in the white-box implementation is $O\left(\frac{3n}{\max(m_Q, m)} 2^{3\max(m_Q, m)} + 2\min\left\{\frac{n}{m} L^{m+3} 2^{2m},\ \frac{n}{m} L^{3} 2^{3m} + n \log L \cdot 2^{L/2}\right\}\right)$, where $m_Q$ is the input size of nonlinear encodings, $m_A$ is the minimized block size of linear encodings, and $L = \mathrm{lcm}(m_A, m_Q)$. As a result, a white-box implementation in the Chow et al.'s framework has complexity at most $O\left(\min\left\{\frac{2^{2m}}{m} n^{m+4},\ n \log n \cdot 2^{n/2}\right\}\right)$, which is much less than $2^{n}$. To overcome this, we introduce an idea that obfuscates two advanced encryption standard (AES)-128 ciphers at once with input/output encoding on 256 bits. To reduce storage, we use a sparse unsplit input encoding. As a result, our white-box AES implementation has up to 110-bit security against our toolbox, close to that of the original cipher. More generally, we may consider a white-box implementation of the t parallel encryption of AES to increase security.
Keywords
Advanced encryption standard (AES), block cipher, equivalence algorithm, specialized affine, white-box cryptography, white-box implementation