WhibOx 2016

Opening remarks (15 min)

Pascal Paillier

Session 1: Indistinguishability Obfuscation (1h30)

• 09:15 – General-Purpose Obfuscation

  Amit Sahai

  The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality. Obfuscation allows us to achieve a powerful capability: software that can keep a secret. This talk will cover recent advances in obfuscation research, yielding constructions of general-purpose obfuscation mechanisms based on mathematical structures.

• 10:00 – 5Gen: a framework for prototyping applications using multilinear maps and matrix branching programs

  Mariana Raykova

  Secure multilinear maps (mmaps) have been shown to have remarkable applications in cryptography, such as program obfuscation and multi-input functional encryption (MIFE). To date, there has been little evaluation of the performance of these applications. In this paper we initiate a systematic study of mmap-based constructions. We build a general framework, called 5Gen, to experiment with these applications. At the top layer we develop an optimizing compiler that takes in a high-level program and compiles it to an optimized matrix branching program needed for the applications we consider. Next, we optimize and experiment with several obfuscators and MIFE constructions and evaluate their performance. The 5Gen framework is modular and can easily accommodate new mmap constructions as well as new obfuscators and MIFE constructions. 5Gen is an open-source tool that can be used by other research groups to experiment with a variety of mmap-based constructions.

Coffee Break (30 min)

Session 2: White-Box Cryptography (1h30)

• 11:15 – From obfuscation to WBC: relaxation and security notions

  Matthieu Rivain

  White-box cryptography has attracted a growing interest from researchers in the last decade. Several white-box implementations of standard block-ciphers (DES, AES) have been proposed but they have all been broken. On the other hand, neither evidence of existence nor proofs of impossibility have been provided for this particular setting. This might be in part because it is still quite unclear what white-box cryptography really aims to achieve and which security properties are expected from white-box programs in applications. In this presentation, we will try to provide formal answers to these questions. We will first introduce the notion of white-box compiler that turns a symmetric encryption scheme into randomized white-box programs, and discuss how this notion relates to (cryptographically secure) obfuscation. We will then capture several desired security properties for white-box programs, which might be easier to reach than general (cryptographically secure) obfuscation. We will also give concrete examples of white-box compilers that already achieve some of these notions.

• 12:00 – Towards secure whitebox cryptography

  Andrey Bogdanov

  Whitebox cryptography aims to provide security for cryptographic algorithms in an untrusted environment where the adversary has full access to their implementation. This setting poses a fundamental challenge to security designers. Indeed, most whitebox solutions published to date have been practically broken. This talk will be three-fold. First, we will show new attacks on existing whitebox schemes which use techniques from symmetric-key cryptanalysis such as integral, differential and linear attacks. Second, we will give our novel approach to guaranteeing key extraction and decomposition security of whitebox encryption by essentially reducing it to the classical security of block ciphers such as AES in the standard black box setting. Next, we will present several families of whitebox schemes together with rigorous security analysis, detailed implementation study, and real-world applications.

Lunch (1h15)

Session 3: White-Box Cryptography in Practice (1h45)

• 14:00 – Practical white-box topics: design and attacks I

  Joppe Bos

  In this first part of practical white-box topics presentation I will discuss the approach used in practice to convert standardized symmetric cryptographic primitives (AES and DES) into white-box implementations. Next, I will present a new way to perform security assessment on such white-box implementations. I will show how our open source plugins to widely available dynamic binary instrumentation frameworks can create software execution traces which contain information about the memory addresses being accessed during execution. Such software traces can be used in a differential computation analysis (DCA) attack to extract the secret embedded key by identifying secret-key dependent correlations. Finally, I will briefly discuss some ideas to counter such attacks.

• 14:30 – Practical white-box topics: design and attacks II

  Marc Witteman

  The second practical white-box talk will address techniques to speed up analysis, or offer an alternative approach to attack implementations that have basic protection against DCA.

  • Data pre-processing
    Due to size of the memory to observe, and obfuscated bloated code, an attacker often needs to collect huge amounts of samples during a single crypto execution. We discuss how this data can be compressed to reduce computational complexity, and which analysis techniques are then used to identify the relevant part of the leaked data.
  • Differential Fault Analysis
    Another way to attack a crypto implementation is to inject faults in intermediate data, and use mathematical analysis to derive the key from corrupted outputs. This technique requires additional reverse engineering of the WBC implementation as the faults must be injected at a specific moment of execution. But this can be more efficient than DCA in case the implementation is protected by countermeasures.

• 15:00 – Evolution of WBC: from table-based implementations to recent designs

  Mike Wiener

  The first published White-Box Cryptography (WBC) implementations consisted almost exclusively of look-up tables. We will explain, at a high level, how these table-based methods work. However, these methods have been thoroughly broken in a number of different ways. Since then, few people publish their improved designs. We have been working on different approaches that eliminate tables and rely more heavily on software protection methods. In particular, we seek to prevent powerful Differential Fault Analysis (DFA) and Differential Computation Analysis (DCA) attacks.

Coffee Break (30 min)

Session 4: Industrial Applications (45 min)

• 16:15 – Let's get real! We need WBC and Io

  Brecht Wyseur

  In the talk, we give a view on white-box crypto and obfuscation R&D from an industrial perspective. We present industry needs, and what industry is doing to fulfil these needs, and compare this with the academic output. From this presentation, the gap between industrial needs and academic research will be clear. For example, so far the main focus in white-box cryptography has been on fixed-key implementations of symmetric key algorithms. But what industry needs are also 'dynamic-key' implementations and implementations of public key algorithms.

Open Discussion and Closing Remarks (30 min)

Hosted by Pascal Paillier