On behalf of the ECRYPT CSA European initiative, CryptoExperts organizes WhibOx: a one-time workshop on white-box cryptography and obfuscation. The workshop will be held on Sunday August 14, right before CRYPTO and CHES, also at UCSB. The program intends to cover the following themes:
The workshop will be composed of invited presentations, and of a discussion session aiming at building a vision of the issues faced by theoretical and practical obfuscation, and how to address them.
This workshop is part of the EU Horizon 2020 ECRYPT-CSA project.
Registration is mandatory.
Registration will start at 9:00.
09:15 – General-Purpose Obfuscation
The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality. Obfuscation allows us to achieve a powerful capability: software that can keep a secret. This talk will cover recent advances in obfuscation research, yielding constructions of general-purpose obfuscation mechanisms based on mathematical structures.
10:00 – 5Gen: a framework for prototyping applications using multilinear maps and matrix branching programs
Secure multilinear maps (mmaps) have been shown to have remarkable applications in cryptography, such as program obfuscation and multi-input functional encryption (MIFE). To date, there has been little evaluation of the performance of these applications. In this paper we initiate a systematic study of mmap-based constructions. We build a general framework, called 5Gen, to experiment with these applications. At the top layer we develop an optimizing compiler that takes in a high-level program and compiles it to an optimized matrix branching program needed for the applications we consider. Next, we optimize and experiment with several obfuscators and MIFE constructions and evaluate their performance. The 5Gen framework is modular and can easily accommodate new mmap constructions as well as new obfuscators and MIFE constructions. 5Gen is an open-source tool that can be used by other research groups to experiment with a variety of mmap-based constructions.
11:15 – From obfuscation to WBC: relaxation and security notions
White-box cryptography has attracted a growing interest from researchers in the last decade. Several white-box implementations of standard block ciphers (DES, AES) have been proposed, but they have all been broken. On the other hand, neither evidence of existence nor proofs of impossibility have been provided for this particular setting. This might be in part because it is still quite unclear what white-box cryptography really aims to achieve and which security properties are expected from white-box programs in applications. In this presentation, we will try to provide formal answers to these questions. We will first introduce the notion of a white-box compiler that turns a symmetric encryption scheme into randomized white-box programs, and discuss how this notion relates to (cryptographically secure) obfuscation. We will then capture several desired security properties for white-box programs, which might be easier to reach than general (cryptographically secure) obfuscation. We will also give concrete examples of white-box compilers that already achieve some of these notions.
12:00 – Towards secure whitebox cryptography
Whitebox cryptography aims to provide security for cryptographic algorithms in an untrusted environment where the adversary has full access to their implementation. This setting poses a fundamental challenge to security designers. Indeed, most whitebox solutions published to date have been practically broken. This talk will be three-fold. First, we will show new attacks on existing whitebox schemes which use techniques from symmetric-key cryptanalysis such as integral, differential and linear attacks. Second, we will give our novel approach to guaranteeing key extraction and decomposition security of whitebox encryption by essentially reducing it to the classical security of block ciphers such as AES in the standard black box setting. Next, we will present several families of whitebox schemes together with rigorous security analysis, detailed implementation study, and real-world applications.
14:00 – Practical white-box topics: design and attacks I
In this first part of the practical white-box topics presentation, I will discuss the approach used in practice to convert standardized symmetric cryptographic primitives (AES and DES) into white-box implementations. Next, I will present a new way to perform security assessment on such white-box implementations. I will show how our open source plugins to widely available dynamic binary instrumentation frameworks can create software execution traces which contain information about the memory addresses being accessed during execution. Such software traces can be used in a differential computation analysis (DCA) attack to extract the secret embedded key by identifying secret-key dependent correlations. Finally, I will briefly discuss some ideas to counter such attacks.
14:30 – Practical white-box topics: design and attacks II
The second practical white-box talk will address techniques to speed up analysis, or offer an alternative approach to attack implementations that have basic protection against DCA.
15:00 – Evolution of WBC: from table-based implementations to recent designs
The first published White-Box Cryptography (WBC) implementations consisted almost exclusively of look-up tables. We will explain, at a high level, how these table-based methods work. However, these methods have been thoroughly broken in a number of different ways. Since then, few people publish their improved designs. We have been working on different approaches that eliminate tables and rely more heavily on software protection methods. In particular, we seek to prevent powerful Differential Fault Analysis (DFA) and Differential Computation Analysis (DCA) attacks.
16:15 – Let's get real! We need WBC and Io
In the talk, we give a view on white-box crypto and obfuscation R&D from an industrial perspective. We present industry needs, and what industry is doing to fulfil these needs, and compare this with the academic output. From this presentation, the gap between industrial needs and academic research will be clear. For example, so far the main focus in white-box cryptography has been on fixed-key implementations of symmetric key algorithms. But what industry also needs are 'dynamic-key' implementations and implementations of public key algorithms.
Santa Barbara, California.