Collision-Based Attacks on White-Box Implementations of the AES Block Cipher

Since Chow et al. introduced white-box cryptography with a white-box implementation of the AES block cipher in 2002, a few attacks and improvements on Chow et al.'s white-box AES implementation have been presented, particularly Lepoint et al. gave a collision-based attack with a time complexity of about 2(22) in 2013. Lepoint et al.'s attack involves three phases at a high level: first defining a collision function to recover a round's keyed S-box transformations each from protected input by a white-box encoding to original output, then recovering the output encoding of this round, and finally recovering the round key bytes of the next round by testing every key candidate under a statistical distinguisher. In this paper, we give two extensions to Lepoint et al.'s collision-based attack, one is by executing Lepoint et al.'s first phase for two consecutive rounds and then recovering the round key of the latter round directly from the two recovered SubBytes outputs of the two rounds, and the other is by executing Lepoint et al.'s first phase for two consecutive rounds, then executing Lepoint et al.'s second phase for the former round and finally recovering the round key of the latter round directly from the recovered keyed S-box transformations of the latter round. Compared with Lepoint et al.'s approach, the two extensions avoid the last one or two phases and the associated prerequisites, and thus they can attack a broader range of white-box implementations, specifically, the first extension targets SPN ciphers, and the second extension targets both SPN and Feistel ciphers. As an example, we apply the first extension to attack Bai et al.'s white-box AES implementation with an expected time complexity of about 2(20) S-box computations. Together with some previous work, our work indicates that all the previously published white-box AES implementations with external encodings are not practically secure, and white-box implementation designers should pay attention to these new collision-based approaches.