WO2021201779A1 - Method and system for generating a hash-based message authentication code (hmac) based on white-box implementation - Google Patents
Method and system for generating a hash-based message authentication code (hmac) based on white-box implementation Download PDFInfo
- Publication number
- WO2021201779A1 WO2021201779A1 PCT/SG2021/050181 SG2021050181W WO2021201779A1 WO 2021201779 A1 WO2021201779 A1 WO 2021201779A1 SG 2021050181 W SG2021050181 W SG 2021050181W WO 2021201779 A1 WO2021201779 A1 WO 2021201779A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- white
- box
- bit
- protected
- input
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 94
- 230000006870 function Effects 0.000 claims description 130
- 230000008569 process Effects 0.000 claims description 40
- 238000004590 computer program Methods 0.000 claims description 18
- 238000009792 diffusion process Methods 0.000 claims description 13
- 238000007792 addition Methods 0.000 description 39
- 241001074639 Eucalyptus albens Species 0.000 description 22
- 239000011159 matrix material Substances 0.000 description 11
- 230000006835 compression Effects 0.000 description 10
- 238000007906 compression Methods 0.000 description 10
- PXFBZOLANLWPMH-UHFFFAOYSA-N 16-Epiaffinine Natural products C1C(C2=CC=CC=C2N2)=C2C(=O)CC2C(=CC)CN(C)C1C2CO PXFBZOLANLWPMH-UHFFFAOYSA-N 0.000 description 9
- 238000004422 calculation algorithm Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 238000000605 extraction Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000004075 alteration Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 230000000295 complement effect Effects 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 230000008901 benefit Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 239000000872 buffer Substances 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000007717 exclusion Effects 0.000 description 1
- 230000036039 immunity Effects 0.000 description 1
- 230000000116 mitigating effect Effects 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
- 230000003245 working effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/16—Obfuscation or hiding, e.g. involving white box
Definitions
- HMAC HASH-BASED MESSAGE AUTHENTICATION CODE
- the present invention generally relates to a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, and a system thereof.
- HMAC hash-based message authentication code
- Industrial Internet of Things refers to the extension and use of Internet of Things (IoT) in industrial sectors and applications.
- a digital service distributed by the service provider from a server to a client app running in a physical device (e.g., game console, mobile phone, set-top box).
- the physical device needs to authenticate some attributes associated with the digital contents, e.g., the contents originate from the right server and have not been tampered by a third party to include malware.
- a common authentication method is to use a message authentication code (MAC) where the client’s device will compute the digest of digital content and compare with that received together from the server.
- MAC message authentication code
- IoT devices e.g. mobile phone, game console and TV box
- the device owner has control of the service device and can access the source code and intermediate results of a cryptographic implementation. Therefore, the device may be accessed and attacked by a user for unauthorized use of the service. This security compromise may allow device owner to carry out malicious and unauthorized activities, e.g. accessing paid TV programs without paying.
- the present disclosure generally relates to a method of generating a hash-based message authentication code (HMAC) based on white-box implementation.
- the method may include using at least one processor.
- the method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white- box implementation of the inner hash function includes a step of executing a white -box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a
- the present disclosure generally relates to a system for generating a HMAC based on white-box implementation.
- the system may also include a memory.
- the system may also include at least one processor communicatively coupled to the memory, and configured to: receive an input message; execute a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; execute a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function includes a step of executing a white- box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD
- the present disclosure generally relates to computer program product storing computer executable code including instructions for performing a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor.
- the method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white- box implementations of the cryptographic hash function and the white-box implementation of the inner hash function includes a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first
- FIG. 1 depicts a flow diagram illustrating a method of generating a HMAC based on white-box implementation according to various embodiments of the present application
- FIG. 2A depicts a schematic block diagram of a system for generating a HMAC based on white-box implementation, according to various embodiments of the present application
- FIG. 2B depicts an exemplary system for generating a HMAC based on white- box implementation, according to various embodiments of the present application
- FIG. 3A depicts a schematic drawing illustrating a step update function of SHA- 1, according to various embodiments of the present application
- FIG. 3B depicts a schematic drawing illustrating a step update function of SHA- 256 according to various embodiments of the present application
- FIG. 4 illustrates a white -box implementation of X Y operation according to various embodiments of the present application
- FIGS. 4A to 4F are enlarged versions of various portions of FIG. 4 for better clarity
- FIG. 5 illustrates a white-box implementation of (X ⁇ ⁇ ) ® (Y ⁇ ⁇ ) operation according to various embodiments of the present application
- FIGS. 5 A to 5C are enlarged versions of various portions of FIG. 5 for better clarity
- FIG. 6 illustrates a white-box implementation of ( X ⁇ ⁇ ) & ( Y ⁇ ⁇ ) operation according to various embodiments of the present application
- FIGS. 6A to 6D are enlarged versions of various portions of FIG. 6 for better clarity;
- FIG. 7 illustrates a white-box implementation of ( X)&(Y ⁇ ⁇ ) operation according to various embodiments of the present application;
- FIGS. 7A to 7D are enlarged versions of various portions of FIG. 7 for better clarity
- FIG. 8 illustrates a white-box implementation of (X » ⁇ ) Y operation according to various embodiments of the present application
- FIGS. 8 A to 8C are enlarged versions of various portions of FIG. 8 for better clarity
- FIG. 9 illustrates a white-box implementation of X const i operation according to various embodiments of the present application.
- FIGS. 9A to 9F are enlarged versions of various portions of FIG. 9 for better clarity
- FIG. 10 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-1 implementation according to various embodiments of the present application
- FIGS. 10A to 10G are enlarged versions of various portions of FIG. 10 for better clarity
- FIG. 11 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-256 implementation according to various embodiments of the present application.
- Various embodiments of the present invention provide a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, and a system thereof.
- HMAC hash-based message authentication code
- the articles “a”, “an”, and “the” as used with regard to a feature or element include a reference to one or more of the features or elements.
- the terms “at least one” and “one or more” may be understood to include a numerical quantity greater than or equal to one (e.g., one, two, three, four,tinct, etc.).
- the term “a plurality” may be understood to include a numerical quantity greater than or equal to two (e.g., two, three, four, five,tinct, etc.).
- any phrases explicitly invoking the aforementioned words expressly refers more than one of the said objects.
- the terms “proper subset”, “reduced subset”, and “lesser subset” refer to a subset of a set that is not equal to the set, i.e. a subset of a set that contains less elements than the set.
- the term “data” as used herein may be understood to include information in any suitable analog or digital form, e.g., provided as a file, a portion of a file, a set of files, a signal or stream, a portion of a signal or stream, a set of signals or streams, and the like. Further, the term “data” may also be used to mean a reference to information, e.g., in form of a pointer. The term data, however, is not limited to the aforementioned examples and may take various forms and represent any information as understood in the art.
- processor or “controller” as, for example, used herein may be understood as any kind of entity that allows handling data, signals, etc.
- the data, signals, etc. may be handled according to one or more specific functions executed by the processor or controller.
- a processor or a controller may thus be or include an analog circuit, digital circuit, mixed-signal circuit, logic circuit, processor, microprocessor, Central Processing Unit (CPU), Graphics Processing Unit (GPU), Digital Signal Processor (DSP), Field Programmable Gate Array (FPGA), integrated circuit, Application Specific Integrated Circuit (ASIC), etc., or any combination thereof. Any other kind of implementation of the respective functions, which will be described below in further detail, may also be understood as a processor, controller, or logic circuit.
- CPU Central Processing Unit
- GPU Graphics Processing Unit
- DSP Digital Signal Processor
- FPGA Field Programmable Gate Array
- ASIC Application Specific Integrated Circuit
- any two (or more) of the processors, controllers, or logic circuits detailed herein may be realized as a single entity with equivalent functionality or the like, and conversely that any single processor, controller, or logic circuit detailed herein may be realized as two (or more) separate entities with equivalent functionality or the like.
- system may be understood as a set of interacting elements, the elements may be, by way of example and not of limitation, one or more mechanical components, one or more electrical components, one or more instructions (e.g., encoded in storage media), one or more controllers, etc.
- a “circuit” as used herein is understood as any kind of logic-implementing entity, which may include special-purpose hardware or a processor executing software.
- a circuit may thus be an analog circuit, digital circuit, mixed-signal circuit, logic circuit, processor, microprocessor, Central Processing Unit (“CPU”), Graphics Processing Unit (“GPU”), Digital Signal Processor (“DSP”), Field Programmable Gate Array (“FPGA”), integrated circuit, Application Specific Integrated Circuit (“ASIC”), etc., or any combination thereof.
- circuit Any other kind of implementation of the respective functions which will be described below in further detail may also be understood as a “circuit.” It is understood that any two (or more) of the circuits detailed herein may be realized as a single circuit with substantially equivalent functionality, and conversely that any single circuit detailed herein may be realized as two (or more) separate circuits with substantially equivalent functionality. Additionally, references to a “circuit” may refer to two or more circuits that collectively form a single circuit.
- memory may be understood as a non-transitory computer- readable medium in which data or information can be stored for retrieval. References to “memory” included herein may thus be understood as referring to volatile or non-volatile memory, including random access memory (“RAM”), read-only memory (“ROM”), flash memory, solid-state storage, magnetic tape, hard disk drive, optical drive, etc., or any combination thereof. Furthermore, it is appreciated that registers, shift registers, processor registers, data buffers, etc., are also embraced herein by the term memory.
- a single component referred to as “memory” or “a memory” may be composed of more than one different type of memory, and thus may refer to a collective component including one or more types of memory. It is readily understood that any single memory component may be separated into multiple collectively equivalent memory components, and vice versa. Furthermore, while memory may be depicted as separate from one or more other components (such as in the drawings), it is understood that memory may be integrated within another component, such as on a common integrated chip.
- Coupled may be understood as electrically coupled or as mechanically coupled, e.g., attached or fixed or attached, or just in contact without any fixation, and it will be understood that both direct coupling or indirect coupling (in other words: coupling without direct contact) may be provided.
- FIG. 1 depicts a flow diagram illustrating a method 100 of generating a hash- based message authentication code (HMAC) based on white-box implementation, using at least one processor.
- the method 100 includes a step 102 of receiving an input message.
- the method 100 includes a step 104 of obtaining executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key.
- the inner key may be used to obtain an inner hash function.
- the method 100 includes a step 106 of executing a white-box implementation of the inner hash function to obtain an outer key.
- the outer key may be used to obtain the HMAC.
- executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include a step of executing a white-box implementation of a modular addition operation.
- the white-box implementation of the modular addition operation may include a first layer and a second layer.
- the first layer may include a first ADD table.
- the second layer may include a second ADD table.
- the at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs.
- the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table.
- the first output may be subjected to a first mixing operation to produce a protected first output.
- the first mixing operation may be a linear operation to provide diffusion of the first output.
- the first second-input may be based on the protected first output.
- FIG. 2A depicts a schematic block diagram of a system 200 for generating a HMAC based on white-box implementation, according to various embodiments of the present invention, such as corresponding to the method 100 of generating a HMAC based on white-box implementation as described hereinbefore according to various embodiments of the present invention.
- white-box implementation i.e., white-box cryptography
- white-box cryptography combines methods of encryption and obfuscation to embed secret key(s) within the source code. The goal is to combine the source code and the secret key(s) in such a way that the two are indistinguishable to user which allows the white-box implementation of the system to be safely run in an insecure environment.
- the system 200 may include a memory 202.
- the system 200 may include at least one processor 204.
- the at least one processor 204 may be communicatively coupled to the memory 202.
- the at least one processor 204 may be configured to receive an input message.
- the at least one processor 204 may be configured to obtain executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key.
- the inner key may be used to obtain an inner hash function.
- the at least one processor 204 may be configured to execute a white-box implementation of the inner hash function to obtain an outer key.
- the outer key may be used to obtain the HMAC.
- executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include a step of executing a white-box implementation of a modular addition operation.
- Modular addition operations are addition operations for integers, where values reset to zero and begin to increase again, after reaching a certain predefined value, called the modulo.
- the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table.
- the at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs.
- the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table.
- the first output may be subjected to a first mixing operation to produce a protected first output.
- the first mixing operation may be a linear operation to provide diffusion of the first output.
- the first second-input may be based on the protected first output.
- an ADD table is a table including rules of an addition process.
- the processor 204 may be configured to determine an output from two inputs based on the rules of the ADD table.
- the ADD table specifies how two inputs should be added based on the rules.
- the first output has corresponding plaintext and ciphertext.
- diffusion is done on the first output, a character of the plaintext is changed, and several characters of the ciphertext is changed. This means that frequency statistics of in the plaintext are diffused over several characters in the ciphertext, which results in higher security and lower risk of frequency analysis attacks.
- system 200 may also be embodied as a server, a device or an apparatus.
- the at least one processor 204 may be configured to perform the required functions or operations through set(s) of instructions (e.g., software modules) executable by the at least one processor 204 to perform the required functions or operations.
- the system 200 may further include a white-box implementation module (or a white-box implementation circuit) 206 configured to generate a HMAC based on white-box implementation.
- the system 200 may further include a message communication module (or message communication circuit) 208 configured to receive an input message.
- the white-box implementation module 206 may be configured to obtain executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key.
- the inner key may be used to obtain an inner hash function.
- the at least one processor 204 may be configured to execute a white-box implementation of the inner hash function to obtain an outer key.
- the outer key may be used to obtain the HMAC.
- executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include executing a white-box implementation of a modular addition operation.
- the white-box implementation of the modular addition operation may include a first layer and a second layer.
- the first layer may include a first ADD table.
- the second layer may include a second ADD table.
- the at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs.
- the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table.
- the first output may be subjected to a first mixing operation to produce a protected first output.
- the first mixing operation may be a linear operation to provide diffusion of the first output.
- the first second-input may be based on the protected first output.
- the second second-input may be based (e.g., equal to) on a partial sum of the two first inputs.
- the at least one processor may be configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table.
- the modular addition operation may include a third layer.
- the third layer may be configured to receive the protected second output from the second layer.
- the third layer may include a truncation table.
- the at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.
- the at least one processor 204 may be configured to execute at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function by executing a step of a white- box implementation of at least one of a XOR, AND, NOT and rotation operation.
- the inner key is configured to be protected by a first mixing bijection to produce a protected inner key.
- the outer key is configured to be protected by a second mixing bijection to produce a protected outer key.
- the at least one processor is configured to obtain the HMAC based on the protected inner key and the protected outer key.
- the first mixing bijection and the second mixing bijection may be invertible matrices to provide diffusion of the inner key and the outer key.
- the input message is of arbitrary length.
- the input message may be M bits.
- the at least one processor may be configured to use a first specific set of white-box operations for a first N bits of the input message.
- the at least one processor may be configured to use a general set of white-box operations for the remaining M-N bits.
- the length of the input message may change from M bits to P bits.
- the at least one processor may be configured to use a second specific set of white- box operations for a first Q bits of the input message of P bits.
- the at least one processor may be configured to use the general set of white-box operations for the remaining P-Q bits.
- the above-mentioned modules are not necessarily separate modules, and two or more modules may be realized by or implemented as one functional module (e.g., a circuit or a software program) as desired or as appropriate without deviating from the scope of the present invention.
- the white-box implementation module 206, the message communication module 208 may be realized (e.g., compiled together) as one executable software program (e.g., software application or simply referred to as an “app”), which for example may be stored in the memory 202 and executable by the at least one processor 204 to perform the functions/operations as described herein according to various embodiments.
- the system 200 corresponds to the method 100 as described hereinbefore with reference to FIG. 1, therefore, various functions or operations configured to be performed by the least one processor 204 may correspond to various steps of the method 100 described hereinbefore according to various embodiments, and thus need not be repeated with respect to the system 200 for clarity and conciseness.
- various embodiments described herein in context of the methods are analogously valid for the respective systems (e.g., which may also be embodied as devices), and vice versa.
- a computing system, a controller, a microcontroller or any other system providing a processing capability may be provided according to various embodiments in the present disclosure. Such a system may be taken to include one or more processors and one or more computer-readable storage mediums.
- the system 200 described hereinbefore may include a processor (or controller) 204 and a computer-readable storage medium (or memory) 202 which are for example used in various processing carried out therein as described herein.
- the present specification also discloses a system (e.g., which may also be embodied as a device or an apparatus) for performing the operations/functions of the methods described herein.
- a system may be specially constructed for the required purposes, or may comprise a general purpose computer or other device selectively activated or reconfigured by a computer program stored in the computer.
- the algorithms presented herein are not inherently related to any particular computer or other apparatus.
- Various general-purpose machines may be used with computer programs in accordance with the teachings herein. Alternatively, the construction of more specialized apparatus to perform the required method steps may be appropriate.
- the present specification also at least implicitly discloses a computer program or software/functional module, in that it would be apparent to the person skilled in the art that the individual steps of the methods described herein may be put into effect by computer code.
- the computer program is not intended to be limited to any particular programming language and implementation thereof. It will be appreciated that a variety of programming languages and coding thereof may be used to implement the teachings of the disclosure contained herein.
- the computer program is not intended to be limited to any particular control flow. There are many other variants of the computer program, which can use different control flows without departing from the spirit or scope of the invention.
- modules described herein may be software module(s) realized by computer program(s) or set(s) of instructions executable by a computer processor to perform the required functions, or may be hardware module(s) being functional hardware unit(s) designed to perform the required functions. It will also be appreciated that a combination of hardware and software modules may be implemented.
- a computer program/module or method described herein may be performed in parallel rather than sequentially.
- Such a computer program may be stored on any computer readable medium.
- the computer readable medium may include storage devices such as magnetic or optical disks, memory chips, or other storage devices suitable for interfacing with a general purpose computer.
- the computer program when loaded and executed on such a general-purpose computer effectively results in an apparatus that implements the steps of the methods described herein.
- a computer program product embodied in one or more computer-readable storage mediums (non-transitory computer- readable storage medium), which may store computer executable code.
- the computer executable code may include instructions executable by one or more computer processors to perform a method 100 of generating a HMAC based on white-box implementation as described hereinbefore with reference to FIG. 1.
- various computer programs or modules described herein may be stored in a computer program product receivable by a system therein, such as the system 200 as shown in FIG. 2A, for execution by at least one processor 204 of the system 200 to perform the required or desired functions.
- the software or functional modules described herein may also be implemented as hardware modules. More particularly, in the hardware sense, a module is a functional hardware unit designed for use with other components or modules. For example, a module may be implemented using discrete electronic components, or it can form a portion of an entire electronic circuit such as an Application Specific Integrated Circuit (ASIC). Numerous other possibilities exist. Those skilled in the art will appreciate that the software or functional module(s) described herein can also be implemented as a combination of hardware and software modules.
- ASIC Application Specific Integrated Circuit
- FIG. 2B depicts an exemplary system for generating a HMAC based on white- box implementation, according to various embodiments of the present application.
- Various methods/ or functional modules may be implemented as software, such as a computer program being executed within the computer system 250, and instructing the computer system 250 (in particular, one or more processors therein) to conduct the methods/functions of various embodiments described herein.
- the computer system 250 may include a computer module 252, an input module 254 such as a keyboard, and an output device 256 such as a display.
- the computer module 252 may be connected to a computer network 258 to enable access to e.g., the Internet or other network systems such as Local Area Network (LAN) or Wide Area Network (WAN).
- LAN Local Area Network
- WAN Wide Area Network
- the computer module 252 may include a processor 260 for executing various instructions according to embodiments disclosed herein.
- the computer system 250 may include a database 262 which includes data (e.g., video content).
- the computer system 252 may also include a MAC (e.g., HMAC) generator 264 which may generate a MAC.
- the MAC generator 264 may send data (e.g., video content) to a receiver 266 in a message.
- the message includes the MAC.
- the receiver 266 may be a user receiver, and may include a MAC reconstruction unit 268.
- the MAC reconstruction unit 268 may check the MAC in the message in accordance with some predetermined requirements (e.g., secret key is known). If the predetermined requirements are met, the MAC reconstruction unit 268 may output the data (e.g., the video content) to the output device (e.g., display) 256.
- some predetermined requirements e.g., secret key is known
- bits of a value may be numbered from left to right, starting with 0, the rightmost bit of a value is the least significant bit, and its leftmost bit is the most significant bit.
- a number without a prefix may express a decimal number unless stated otherwise.
- a number with prefix Ox may express a hexadecimal number.
- X ° Y denotes the function obtained by first applying X and then applying Y.
- HMAC may use two passes of hash computation.
- a secret key may be used to derive the inner key and the outer key.
- a first pass of a HMAC algorithm may produce an internal hash derived from the message and the inner key.
- a second pass of a HMAC algorithm may produce a final HMAC code derived from the inner hash result and the outer key.
- HMAC provides better immunity against length extension attacks.
- HMAC does not encrypt the message. Instead, the message (encrypted or not) may be sent alongside the HMAC hash. Parties with the secret key may hash the message again themselves, and if it is authentic, the received and computed hashes will match.
- any cryptographic hash function H such as SHA- 1 or SHA-256, may be used in the calculation of a HMAC.
- the cryptographic hash function H which may be an iterative hash function may break up a message into blocks of a fixed size and may iterate over them with a compression function.
- SHA-256 operates on 512-bit blocks.
- the size of the output of HMAC is the same as that of the underlying cryptographic hash function H (e.g., 256 and 512 bits in the case of SHA-256 and SHA-512, respectively), although it can be truncated if desired.
- FIG. 3A depicts a schematic drawing illustrating a step update function of SHA- 1, according to various embodiments of the present application.
- the SHA-1 hash function may take as an input, a message of less than 2 64 bits long.
- the SHA-1 hash function may output a 160-bit message.
- the message may be padded to be a multiple of 512 in bit length.
- the message may be appended with '1' and '0'.
- the padded message may be parsed into a number of blocks for example N blocks.
- Each N block may be of M bits.
- the N blocks may be processed iteratively.
- the N block of M bits may be divided into smaller words of P bits.
- Each word of P bits may be expanded by a message expansion function.
- the expanded words may be processed by a compression function that may be based on the step update function 300.
- a hash function may be obtained at the end of the process.
- the step update function 300 of SHA-1 may be processed using the following phases:
- the message may be padded to be a multiple of 512 in bit length, by first appending the bit ‘1’ to the end of the message. A minimum number of zeros may be appended so that the resulting message may be 448 mod 512 in bit length.
- the 64-bit representation of the bit length of the original message may be appended.
- the padded message may be parsed into a number, e.g., N , of 512-bit blocks M (0) , M (1) , ... M (N-1) ,
- the N 512-bit blocks M (0) , M (1) , ... M (N-1) may be processed iteratively, as follows:
- the 512-bit padded message may be divided into sixteen 32-bit worlds M 0 (n) , M 1 (n) , ... M 15 (n) ,
- Eighty expanded 32-bit message blocks W i (n) 302 may be generated by the following message expansion function (0 ⁇ i ⁇ 80). for 0 ⁇ t ⁇ 15; for 16 ⁇ i ⁇ 79.
- the eighty expanded 32-bit message blocks 302 may be processed by the following compression function that may be based on the step update function 300, wherein inputs 304 (e.g., message blocks 302, a constant consti (i.e., i-th step constant ) 306 are used to obtain outputs 308 (e.g.,
- a message digest of the step function 300 may be
- the message digest may include a string of digits created by a one-way hashing formula.
- the message digest may be designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message.
- the cryptographic function 308 may be based on an if function f if , a XOR function f xor and a major function f maj .
- the cryptographic function 308 is defined as follows:
- FIG. 3B depicts a schematic drawing illustrating a step update function of SHA- 256 according to various embodiments of the present application.
- the SHA- 256 hash function may take as an input, a message of less than 2 64 bits long.
- the SHA-256 hash function may output a 256-bit message.
- SHA-256 differs from SHA-1 mainly in message expansion phase, the compression function and feed forwarding part.
- the message may be padded to be a multiple of 2048 in bit length.
- the message may be appended with ‘ 1’ and ‘ 0’.
- the padded message may be parsed into a number of blocks for example N blocks.
- Each N block may be of M bits.
- the N blocks may be processed iteratively.
- the N block of M bits may be divided into smaller words of P bits.
- Each word of P bits may be expanded by a message expansion function.
- the expanded words may be processed by a compression function that may be based on the step update function 350.
- sixty-four expanded 32-bit message blocks 352 may be generated by the following message expansion function (0 ⁇ i ⁇ 63).
- the 64 expanded 32-bit message blocks 352 may be processed by the following compression function that may be based on the step update function 350, wherein inputs 354 (e.g., message blocks 352, a constant const i (i.e., i-th step constant ) 356, a function 360, a Ch function 362, a function 364, a Maj function 366, are used to obtain outputs 358 (e.g.,
- a message digest may be The message digest may include a string of digits created by a one-way hashing formula.
- the message digest may be designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message.
- the inputs 354 may be any inputs 354
- initial values (IV) may be the 256-bit IV of SHA-256.
- the function 360, the Ch function 362, the function 364, the Maj function 366 may be defined as,
- a 32-bit addition is divided into eight 4-bit additions and a carry bit is treated as an individual input/output parameter, where 4-bit inputs/outputs are protected with 4-bit encodings and the one -bit carry bits are protected with one-bit encodings.
- the above-mentioned addition procedure can be attacked by frequency analysis.
- the outputs of the addition mod 2 32 are uniformly distributed, where a carry bit overflows if any.
- the outputs of a partial addition are not uniformly distributed, due to the existence of carry bits.
- 15 is the most frequent output, which takes place 16 times (in total), 0 and 30 take place one time each, 1 and 29 takes place twice each, and so on until that 14 and 16 take place 15 times each.
- the above-mentioned addition procedure may be broken by the following way: first deduce the encoding for the most frequent output (i.e. 15), then distinguish the two protected cases of flipped and unflipped carry bits from the case of the most frequent output 15 by frequency analysis, and finally deduce the encodings for the other outputs (i.e. 0,1, ⁇ ,14,16,17, ⁇ ,30) pairwise by frequency analysis. As such, all the encodings for the 4-bit partial addition implementation may be recovered.
- the starting value is plaintext, which is variable. While in HMAC, the staring value is the initial value of the underlying hash function, which is a public constant.
- HMAC processes only either data or key in each step, which can be easily detached.
- steps (a) to (d) can be processed independently.
- the system disclosed herein may process the data and the key separately.
- AES processes data and key in a completely involved way in each round or each fundamental function, which makes it hard to detach the processes on data and key.
- AES processes the data and the key together.
- an AES round takes as input the output of the previous round (if any), while a HMAC-SHA-1/2 step takes as input the output of the previous step (if any) and another extended message block.
- AES has a fixed block size, while HMAC works on a variable-length message.
- the server computes ipad ), where ⁇ may be an inner key
- the server generates a white-box implementation for
- H ⁇ (M) by treating ⁇ as a secret key and M as a message, where H ⁇ means that the hash function H with the initial value replaced by the value ⁇ , p and g are (secret) external encodings of H ⁇ .
- the server generates a white-box implementation (g _1 (y)) ° H ⁇ ° q for
- H ⁇ (H ⁇ (M)) by treating ⁇ as a secret key and y as a message, means that the hash function H with the initial value replaced by the value b , q is the external output encoding of H ⁇ .
- ⁇ (g _1 (y)) ° H ⁇ ° q, where d may be referred as the HMAC or HMAC value.
- White-box implementation of HMAC may involve the following operations: which can be summarised as the following basic operations: where . Note that some other operations can be obtained similarly from these basic operations.
- FIG. 4 illustrates a white -box implementation of XEEIY operation according to various embodiments of the present application.
- FIGS. 4A to 4F are enlarged versions of various portions of FIG. 4 for better clarity.
- the white-box implementation of a modular addition operation may include a first layer and a second layer.
- the first layer may include a first ADD table.
- the second layer may include a second ADD table.
- the first ADD table may be configured to receive two first inputs.
- the first ADD table may produce a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs.
- the second ADD table may be configured to receive two second inputs.
- the two second inputs may be a first second-input and a second second-input.
- the first second-input may be based on the first output.
- the white-box implementation may include subjecting the first output to a first mixing operation to produce a protected first output.
- the first second-input may be based on the protected first output.
- the second second-input may be based on a partial sum of the two first inputs.
- the second ADD table may be configured to produce a protected second output corresponding to a value of a carry bit of the second ADD table.
- the white-box implementation of the modular addition operation may include a third layer.
- the third layer may include a truncation table.
- the truncation table may be configured to receive the protected second output to produce an addition result of the modular addition operation.
- the white -box implementation of X EQ Y 400 may include two variables X 401A and Y 401B which may be two 32-bit variables and may be protected in their white-box forms and respectively, where MB X and MB Y are 32x32-bit mixing bijections, and are two groups of eight 4 -bit encodings.
- the white-box implementation of 400 may include six layers at a high level, whose dimensional sizes of the segments and white-box operations may be chosen to have a reasonable trade-off between security and storage space.
- a first layer 402 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X each
- the part processing of the white box form of Y is conducted in a similar manner.
- the final output of the tables may be X and may be protected by the mixing bijection DB X and a layer of ten 4-bit or 3-bit encodings .
- the final output of the XOR ; i tables may be Y and may be protected by the mixing bijection DB and a layer of ten 4-bit or 3-bit encodings
- Each table may be generated as follows:
- Either 6-bit input is obtained by applying sequentially the inverses of the two corresponding 3 -bit encodings from the second layer 404 and the inverse (or of the corresponding 6 X 6-bit part (respectively, of the mixing bijection DB X (respectively, DB Y ).
- the two resulting 6-bit values may be added, and may be concatenated into a 7-bit sum with the 6-bit left input operand X j on the left side.
- the sum of the two 6-bit values can be a 7-bit value at most.
- a mixing bijection e.g., a 13 X 13-bit mixing bijection may be applied to a layer of one 4-bit and three 3-bit encodings
- each input operand is 8-bit and it can only produce an 8-bit output (the carry bit overflows if any), and there are an 8x8-bit mixing bijection and a layer of two 4-bit encodings
- a fourth layer 408 may be made up of second ADD tables, for example one 21x32-bit table and three 26xl3-bit tables
- the left 7-bit input may be obtained by applying sequentially the inverses of the four encodings the inverse of the mixing bijection and an addition of 7 left bits (&0x7 F) operation.
- the right 1-bit input may be obtained by applying sequentially the inverses of the four corresponding encodings inverse of the mixing bijection the » 6 operation and an addition of 1 right bit (&0xl) operation. Add the two resulting 7- bit and 1-bit values, and concatenate the 7-bit sum with the leftmost 6 bits (i.e. X 3 ) of the left 13-bit input operand on the left side.
- the resulting 7-bit value is the original result of the A operation, the resulting 1-bit value is the carry bit of the operation, and their sum can be a 7-bit value at most.
- the left 7-bit input may be obtained by applying sequentially the inverses of the four encodings of the mixing bijection and the &0x7F operation; and the right 1-bit input is obtained by applying sequentially the inverses of the four encodings from the right adjacent table, the inverse of the mixing bijection the » 6 operation and the &0xl operation. Add the two resulting 7-bit and 1-bit values, and concatenate the 7-bit sum with the leftmost 6 bits (i.e.
- the table is similar, except that the left input is 8-bit and the output of the table is 8-bit.
- the carry bit overflows if any, and it is the original leftmost byte of X Y.
- the carry bit is directly protected by a 32x8-bit matrix and a layer of eight 4-bit encodings
- a fifth layer 410 may be made up of truncation tables, for example four 13 X 32-bit tables, each of which is generated by applying sequentially the inverses of the four corresponding encodings from the fourth layer, the inverse of the corresponding 13 X 13-bit mixing bijection from the fourth layer, the truncating of the resulting 13-bit value to the rightmost 6 bits &0x3F, a 32x6-bit matrix and a layer of eight 4-bit encodings
- a last (i.e. sixth) layer 412 may be made up of XOR tables, for example 32 8x4-bit tables with the result 414 being protected by the 32 X 32-bit mixing bijection and a layer of eight 4-bit encodings where .
- the outputs of are uniformly distributed, although the outputs of its partial addition operation(s) are not uniformly distributed due to carry bits.
- a stronger white-box implementation of made be obtained by using larger dimensional sizes of segments for a 32-bit word at the expense of a larger storage complexity.
- a 32-bit word may be divided into four 8-bit segments. 4-bit encodings may be used in the first layer and corresponding revisions may be made in the subsequent layers, so that there are significantly more available mixing bijections and encodings against exhaustive search attacks.
- FIG. 5 illustrates a white-box implementation of operation according to various embodiments of the present application.
- FIGS. 5 A to 5C are enlarged versions of various portions of FIG. 5 for better clarity.
- the white-box implementation of f ) 500 may include three layers at a high level, where (
- the white-box implementation of f ) 500 may include two variables X and Y which may be two 32-bit variables and may be protected in their white-box forms respectively, where MB X and MB Y are 32x32-bit mixing bijections, and are two groups of eight 4 -bit encodings.
- a first layer 504 may be made up of eight 8x32-bit tables.
- the process is similar for the part processing of the white box form of , except the ⁇ f operation is applied instead of the ⁇ ⁇ operation.
- the final output of the tables is X which may be protected by the mixing bijection and a layer of eight 4-bit encodings ; and the final output of the tables is Y protected by the mixing bijection and a layer of eight 4-bit encoding
- a last (i.e. third) layer 508 is made up XOR tables, for example of eight 8 X 4-bit tables , with the resul 510 being protected by the mixing bijection and a layer of eight 4-bit encodings where
- the operation is null when (respectively, which is the white-box implementation of and it becomes which is the white-box implementation of .
- FIG. 6 illustrates a white-box implementation of operation according to various embodiments of the present application.
- FIGS. 6A to 6D are enlarged versions of various portions of FIG. 6 for better clarity.
- the white-box implementation of may include four layers at a high level.
- the white-box may include two variables X 602A and Y 602B which may be two 32-bit variables and may be protected in their white-box forms and e respectively, where MB X and MB Y are 32x32-bit mixing bijections, and are two groups of eight 4 -bit encodings.
- a first layer 604 may be made up of eight 8x32-bit tables. For the part processing of the white box form of each
- the final output of the tables is X protected by the mixing bijection DB and a layer of eight 4-bit encodings and the final output of the tables is Y protected by the mixing bijection DB Y and a layer of eight 4-bit encodings
- the affine mixing bijection may be a linear mixing bijection.
- FIG. 7 illustrates a white-box implementation of operation 700 according to various embodiments of the present application.
- FIGS. 7A to 7D are enlarged versions of various portions of FIG. 7 for better clarity.
- the white -box implementation of 700 may include four layers at a high level.
- the white-box may include two variables X 702A and Y 702B which may be two 32-bit variables and may be protected in their white-box forms respectively, where MB X and MB Y are 32x32-bit mixing bijections, and are two groups of eight 4 -bit encodings.
- a first layer 704 may be made up of eight 8x32-bit tables.
- Y operation may be applied immediately before the mixing bijection DB X .
- the final output of the tables is X protected by the mixing bijection DB and a layer of eight 4-bit encodings and the final output of the tables is Y protected by the mixing bijection DB Y and a layer of eight 4-bit encodings
- the final output of the tables is X protected by the mixing bijection DB and a layer of eight 4-bit encodings and the final output of the tables is Y protected by the mixing bijection DB Y and a layer of eight 4-bit encodings
- FIG. 8 illustrates a white -box implementation of operation 800 according to various embodiments of the present application.
- FIGS. 8 A to 8C are enlarged versions of various portions of FIG. 8 for better clarity.
- the operation does not output uniformly.
- it has only two possible values when takes the extreme value 31, so an affine mixing bijection may be used to protect the intermediate value
- the white-box implementation of may include three layers at a high level.
- the white -box implementation of 800 may include two variables X 802A and Y 802B which may be two 32-bit variables and may be protected in their white-box forms respectively, where MB X and MB Y are 32 X 32-bit mixing bijections, and are two groups of eight 4-bit encodings.
- a first layer 804 may be made up of eight 8x32-bit tables.
- second 806 and third 808 layers may be the same as the second 504 and third 506 layers of the white-box implementation of respectively.
- the resul is protected by the mixing bijection and a layer of eight 4-bit encodings
- white-box implementation of X ⁇ Y may be obtained from the above white -box implementation of by removing the operations in the first layer 604 and then applying the OR (i.e.
- the white-box implementation of may be obtained from the above white-box implementation 400 by inserting the operation immediately before the mixing bijection DB X in the first layer 402 of the part processing of the white box form of All the other parts remain unchanged.
- FIG. 9 illustrates a white-box implementation of operation according to various embodiments of the present application.
- FIGS. 9 A to 9F are enlarged versions of various portions of FIG. 9 for better clarity.
- the white-box implementation of may be a simplified version of the above white-box implementation of by removing the operation and the part processing in the first and second layers and simply putting as an input operand to the four ADD tables in the third layer.
- the white-box implementation of may include a variable X 902 which may be a 32-bit variable and may be protected in its white- box forms where MB X is a 32x32-bit mixing bijection, and is a group of eight 4-bit encoding.
- a first layer 904 may be made up of eight 8x32-bit tables.
- each 8x32-bit table may be generated by applying sequentially the inverses of the two 4-bit encodings the corresponding 32x8-bit part of the inverse MB X,_1 of the mixing bijection MB X , a 32 X 32-bit mixing bijection DB X and a layer of eight 4 -bit encodings is of the form: with being an invertible (general) 8 X 8-bit matrix, being invertible (general) 6 X 6-bit matrices, 0,1, 2, 3.
- a second layer 906 may be made up of XOR tables, for example 60 8x4-bit table where The final output of the tables may be X and may be protected by the mixing bijection DB X and a layer of ten 4-bit or 3-bit encodings
- the third layer is made up of one 8 X 8-bit table and three 6x 13-bit tables.
- the 8 X 8-bit table is generated by applying sequentially the inverses of the two corresponding
- a fourth layer 910 may be made up of first
- Each table may be generated as follows:
- Either 6-bit input is obtained by applying sequentially the inverses of the two corresponding 3-bit encodings from the second layer 906 and the inverse of the corresponding 6x6-bit part of the mixing bijection DB X .
- the two resulting 6-bit values may be added, and may be concatenated into a 7-bit sum with the 6-bit left input operand X j on the left side.
- the sum of the two 6-bit values can be a 7-bit value at most.
- a mixing bijection e.g., a 13 X 13-bit mixing bijection may be applied to a layer of one 4-bit and three 3-bit encodings
- each input operand is 8-bit and it can only produce an 8-bit output (the carry bit overflows if any), and there are an 8x8-bit mixing bijection and a layer of two 4-bit encodings
- a fifth layer 912 may be made up of truncation tables, for example four 13 X 32-bit tables, each of which is generated by applying sequentially the inverses of the four corresponding encodings from the fourth layer 910, the inverse of the corresponding 13xl3-bit mixing bijection from the fourth layer 910, the truncating of the resulting 13-bit value to the rightmost 6 bits &0x3 F, a 32x6-bit matrix and a layer of eight 4-bit encodings
- a last (i.e. sixth) layer 914 may be made up of XOR tables, for example 32 8x4-bit tables with the result X EE consti 916 being protected by the 32x32-bit mixing bijection M
- FIG. 10 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-1 implementation according to various embodiments of the present application.
- FIGS. 10A to 10G are enlarged versions of various portions of FIG. 10 for better clarity.
- HMAC-SHA-1 may process an arbitrary-length message. This poses a difficulty to its white-box implementation, since the number of 512- bit message blocks cannot be determined and thus the white-box operations cannot be specified.
- the server after computing the inner key ⁇ and the outer key b, the server does not release them to the client in a clear form, but in a protected form.
- the inner key ⁇ and the outer key ⁇ may be protected by one or more mixing bijections.
- the system 1000 may include a step 1002 of generating a mixing bijection MB X and a layer of eight 4-bit external encodings in FIG. 10A. Representing the inner key ⁇ as five 32-bit blocks ⁇ , the system 1000 may compute ). The system 1000 may send this protected form of the inner key ⁇ to the user.
- the process for protecting the outer key ⁇ is similar to that of the inner key ⁇ .
- ⁇ and ⁇ as well as their protection may not be incorporated into the white-box implementation of the step update function of FIG. 4.
- this results in the ability to deal with an arbitrary-length message of more than one 512-bit blocks.
- SHA-1 may generate additional expanded message words (e.g., 64 additional words) from an original (512-bit) message block, which will be input to the last 64 steps of the compression function.
- additional expanded message words e.g., 64 additional words
- a white-box HMAC-SHA-1 implementation against code lifting should recover the original expanded message word from its manipulated form resulted from the external encoding p under a message expansion function.
- the message expansion function may use rotation and XOR operations to generate the additional (e.g. 64) expanded message blocks.
- additional (e.g. 64) expanded message blocks may be used in step 1004 in step 1004 in step 1004 each (32-bit) message word
- Mi may be protected by a 32x32-bit mixing bijection followed by a layer of eight 4- bit external encodings .
- the white-box form of the expanded message block W t may be achieved by applying two applications of white-box implementation and finally one application of white-box implementation (16 ⁇ protected in white-box form
- step 1006 given and compression function of SHA-1 may be implemented as follows:
- the white-box implementation of the step update function of Step i can be achieved with one application of the white-box implementation of one application of the white-box implementation of , two applications of the white -box implementation of and white-box implementation of , whose white-box implementation depends on the specific form and is described in f xor 1010 in FIG. 10E, 1012 in FIG. 10F and f maj 1014 in FIG. 10G, respectively.
- a i+1 is protected with white-box operations
- f xor can be composed with one application of the above white -box (X ⁇ 30) ( Y ⁇ 30) operation and one application of the above white-box X Y operation, as shown in FIG. 10.
- f if can be composed with one application of the above white -box X&(Y ⁇ 30) operation, one application of the above white-box &( ⁇ ⁇ 30) operation and one application of the above white-box X ⁇ Y operation, as shown in FIG. 10.
- f maj C an be composed with two applications of the above white-box X&(Y ⁇ 30) operation, one application of the above white-box (X ⁇ 30 )&(Y ⁇ 30) operation, and two applications of the above white-box X ⁇ Y operation, as shown in FIG. 10.
- white-Box implementation of Steps 0-3 is slightly different from a general step in the following two points: 1) The input of each of Steps 0- 3 involves one or more of the five initial words A 0 , B 0 , C 0 , D 0 , E 0 , rather than of a general step; and 2) There is no ⁇ 30 operation to one or more of the three input words in each of Steps 0-2.
- white-box implementation of each of Steps 0-3 is slightly different from the white-box implementation of the general step between Steps 4-79, which can be obtained simply by applying (the inverses of) the corresponding mixing bijections and encodings and removing unnecessary ⁇ 30 operation.
- the same set of mixing bijections MB X and external encodings may be used to protect the result of the feed forwarding part: E 80 , SO that the same set of white-box operations may be subsequently reuse for the next 512-bit message blocks (if any).
- H ⁇ ( ⁇ ) there may only be one 512-bit message block in H ⁇ ( ⁇ ), which may include ten 32-bit message words of zero and a message word about the message bit length 160.
- the server may similarly make a white -box implementation on the H ⁇ ( ⁇ ) part, except that there may not be a need to apply white-box operations to the ten message words of zero.
- the last message word about the message bit length may be protected with an affine mixing bijection.
- the same set of white- box tables can be reused for different user keys, as long as the server releases the corresponding protected form of the new key to the client.
- the server does not need to generate another set of white-box tables every time a user key is updated, which reduces computational and communication complexity.
- it is better to limit the maximum number of keys used under a set of white-box tables, to avoid a security loss in this situation.
- FIG. 11 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-256 implementation 1100 according to various embodiments of the present application.
- HAMC-SHA-256 may be obtained using the same principles as the above white-box HAMC-SHA-1 implementation.
- the white-box HMAC-SHA-256 implementation has the following main distinctions from white-box HMAC-SHA-1 implementation:
- white-box implementation of the message expansion function can be constructed with the white-box implementations of [00213]
- each (32-bit) message word M t or expanded message word W t is protected by a 32x32-bit mixing bijection and a layer of eight 4-bit external encodings , that is, [00214] 3.
- White-box implementation of the compression function of SHA-256 Since
- Steps 0-3 slightly different from the white-box implementation of a general step of steps 4 and 63.
- the affected mixing bijections and encodings may need to be change correspondingly.
- the same set of mixing bijections MB X and external encodings may be used to protect the result of the feed forwarding part: A 0 A 64 , B o EE B 64 , ⁇ , and H 0 EE H 64 .
- the same set of white-box operations may be reuse for the next 512-bit message blocks (if any), so as to process an arbitrary-length message.
- these differences are mainly due to the distinctions between SHA-1 and SHA-256, but white-box HMAC-SHA-256 implementation can be built with the above basic white-box operations in the same principles as white-box HMAC-SHA-1.
- white-box HMAC-SHA-1 There are variants with different trade-offs between security and performance. For example, we can use different dimension sizes of mixing bijections, encodings and white-box tables.
- different levels of iteration may be used for the general white-box implementations.
- the same set of white-box operations may be used to iterate step by step for the 80 steps of H ⁇ ( ⁇ ).
- the white-box operations of H ⁇ ( ⁇ ) may be reused for the H ⁇ ( ⁇ ) part.
- a step constant const i may be treated as a known variable.
- some parts may be left unprotected, for example, leave the value H ⁇ (M) and the H ⁇ ( ⁇ ) part unprotected. While this may allow an attacker to produce a right (message, tag) pair under a known message attack scenario, this may be still useful in some applications.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Signal Processing (AREA)
- Technology Law (AREA)
- Computer Networks & Wireless Communication (AREA)
- Power Engineering (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Information Transfer Between Computers (AREA)
Abstract
There is provided a method of generating a hash-based message authentication code (HMAC) based on white-box implementation. Using a processor, the method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the processor is configured to use a first ADD table to receive two first inputs and tp produce a first output corresponding to a value of a carry bit of the first ADD table based on two first inputs, and the processor is configured to use a second ADD table to receive a first second-input based on the first output and a second second-input.
Description
METHOD AND SYSTEM FOR GENERATING A HASH-BASED MESSAGE AUTHENTICATION CODE (HMAC) BASED ON WHITE-BOX
IMPUEMENTATION
CROSS-REFERENCE TO REUATED APPUICATION [0001] This application claims the benefit of priority of Singapore Patent Application No. 10202003013X, filed 31 March 2020, the content of which being hereby incorporated by reference in its entirety for all purposes.
TECHNICAU FIEUD
[0002] The present invention generally relates to a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, and a system thereof.
BACKGROUND
[0003] Industrial Internet of Things (IIoT) refers to the extension and use of Internet of Things (IoT) in industrial sectors and applications. A digital service distributed by the service provider from a server to a client app running in a physical device (e.g., game console, mobile phone, set-top box). The physical device needs to authenticate some attributes associated with the digital contents, e.g., the contents originate from the right server and have not been tampered by a third party to include malware.
[0004] A common authentication method is to use a message authentication code (MAC) where the client’s device will compute the digest of digital content and compare with that received together from the server. However, IoT devices (e.g. mobile phone, game console and TV box) usually operate on a platform which is under partial or full control of the device owner. The device owner has control of the service device and can access the source code and intermediate results of a cryptographic implementation. Therefore, the device may be accessed and attacked by a user for unauthorized use of the service. This security compromise may allow device owner to carry out malicious and unauthorized activities, e.g. accessing paid TV programs without paying.
[0005] There is a need to prevent the device owners from extracting a secret key which is used in a MAC algorithm, which is also known as key extraction attacks, and preventing the device owners from generating the digest of an unauthorized message (known as code
lifting attacks), while performing HMAC operations efficiently on clients’ devices. An input message is divided into a plurality of words of n bits to undergo a series of iterative computations to form a MAC output.
[0006] A need therefore exists to increase security when generating a HMAC, such as but not limited to, addressing or mitigating key extraction and code lifting attacks. It is against this background that the present invention has been developed.
SUMMARY
[0007] The present disclosure generally relates to a method of generating a hash-based message authentication code (HMAC) based on white-box implementation. The method may include using at least one processor. The method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white- box implementation of the inner hash function includes a step of executing a white -box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table; wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.
[0008] The present disclosure generally relates to a system for generating a HMAC based on white-box implementation. The system may also include a memory. The system may also include at least one processor communicatively coupled to the memory, and configured to: receive an input message; execute a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain
an inner hash function; execute a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function includes a step of executing a white- box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table; wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.
[0009] The present disclosure generally relates to computer program product storing computer executable code including instructions for performing a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor. The method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white- box implementations of the cryptographic hash function and the white-box implementation of the inner hash function includes a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table; wherein the first output is
subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.
BRIEF DESCRIPTION OF THE DRAWINGS [0010] Embodiments of the present invention will be better understood and readily apparent to one of ordinary skill in the art from the following written description, by way of example only, and in conjunction with the drawings, in which:
[0011] FIG. 1 depicts a flow diagram illustrating a method of generating a HMAC based on white-box implementation according to various embodiments of the present application;
[0012] FIG. 2A depicts a schematic block diagram of a system for generating a HMAC based on white-box implementation, according to various embodiments of the present application;
[0013] FIG. 2B depicts an exemplary system for generating a HMAC based on white- box implementation, according to various embodiments of the present application;
[0014] FIG. 3A depicts a schematic drawing illustrating a step update function of SHA- 1, according to various embodiments of the present application;
[0015] FIG. 3B depicts a schematic drawing illustrating a step update function of SHA- 256 according to various embodiments of the present application;
[0016] FIG. 4 illustrates a white -box implementation of X
Y operation according to various embodiments of the present application;
[0017] FIGS. 4A to 4F are enlarged versions of various portions of FIG. 4 for better clarity;
[0018] FIG. 5 illustrates a white-box implementation of (X <<< Φ) ® (Y <<< φ) operation according to various embodiments of the present application;
[0019] FIGS. 5 A to 5C are enlarged versions of various portions of FIG. 5 for better clarity;
[0020] FIG. 6 illustrates a white-box implementation of ( X <<< Φ ) & ( Y <<< φ) operation according to various embodiments of the present application;
[0021] FIGS. 6A to 6D are enlarged versions of various portions of FIG. 6 for better clarity;
[0022] FIG. 7 illustrates a white-box implementation of (
X)&(Y <<< ø) operation according to various embodiments of the present application;
[0023] FIGS. 7A to 7D are enlarged versions of various portions of FIG. 7 for better clarity;
[0024] FIG. 8 illustrates a white-box implementation of (X » ø) Y operation
according to various embodiments of the present application;
[0025] FIGS. 8 A to 8C are enlarged versions of various portions of FIG. 8 for better clarity;
[0026] FIG. 9 illustrates a white-box implementation of X
consti operation according to various embodiments of the present application;
[0027] FIGS. 9A to 9F are enlarged versions of various portions of FIG. 9 for better clarity;
[0028] FIG. 10 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-1 implementation according to various embodiments of the present application;
[0029] FIGS. 10A to 10G are enlarged versions of various portions of FIG. 10 for better clarity;
[0030] FIG. 11 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-256 implementation according to various embodiments of the present application.
DETAILED DESCRIPTION
[0031] Various embodiments of the present invention provide a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, and a system thereof.
[0032] The following detailed description refers to the accompanying drawings that show, by way of illustration, specific details and embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. Other embodiments may be utilized and structural, and logical changes may be made without departing from the scope of the invention. The various embodiments are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments.
[0033] Embodiments described in the context of one of the system or methods computer program product or computer executable code are analogously valid for the other systems or methods or computer program product or computer executable code and vice- versa.
[0034] Features that are described in the context of an embodiment may correspondingly be applicable to the same or similar features in the other embodiments. Features that are described in the context of an embodiment may correspondingly be applicable to the other embodiments, even if not explicitly described in these other embodiments. Furthermore, additions and/or combinations and/or alternatives as described for a feature in the context of an embodiment may correspondingly be applicable to the same or similar feature in the other embodiments.
[0035] The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any embodiment or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or designs
[0036] In the context of various embodiments, the articles “a”, “an”, and “the” as used with regard to a feature or element include a reference to one or more of the features or elements.
[0037] As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.
[0038] The terms “at least one” and “one or more” may be understood to include a numerical quantity greater than or equal to one (e.g., one, two, three, four, [...], etc.). The term “a plurality” may be understood to include a numerical quantity greater than or equal to two (e.g., two, three, four, five, [...], etc.).
[0039] The words “plural” and “multiple” in the description and the claims expressly refer to a quantity greater than one. Accordingly, any phrases explicitly invoking the aforementioned words (e.g. “a plurality of [objects]”, “multiple [objects]”) referring to a quantity of objects expressly refers more than one of the said objects. The terms “group (of)”, “set [of]”, “collection (of)”, “series (of)”, “sequence (of)”, “grouping (of)”, etc., and the like in the description and in the claims, if any, refer to a quantity equal to or greater than one, i.e. one or more. The terms “proper subset”, “reduced subset”, and “lesser subset” refer to a subset of a set that is not equal to the set, i.e. a subset of a set that contains less elements than the set.
[0040] The term “data” as used herein may be understood to include information in any suitable analog or digital form, e.g., provided as a file, a portion of a file, a set of files, a signal or stream, a portion of a signal or stream, a set of signals or streams, and the like. Further, the term “data” may also be used to mean a reference to information, e.g., in form of a pointer. The term data, however, is not limited to the aforementioned examples and may take various forms and represent any information as understood in the art.
[0041] The term “processor” or “controller” as, for example, used herein may be understood as any kind of entity that allows handling data, signals, etc. The data, signals, etc. may be handled according to one or more specific functions executed by the processor or controller.
[0042] A processor or a controller may thus be or include an analog circuit, digital circuit, mixed-signal circuit, logic circuit, processor, microprocessor, Central Processing Unit (CPU), Graphics Processing Unit (GPU), Digital Signal Processor (DSP), Field Programmable Gate Array (FPGA), integrated circuit, Application Specific Integrated Circuit (ASIC), etc., or any combination thereof. Any other kind of implementation of the respective functions, which will be described below in further detail, may also be understood as a processor, controller, or logic circuit. It is understood that any two (or more) of the processors, controllers, or logic circuits detailed herein may be realized as a single entity with equivalent functionality or the like, and conversely that any single processor, controller, or logic circuit detailed herein may be realized as two (or more) separate entities with equivalent functionality or the like.
[0043] The term “system” detailed herein may be understood as a set of interacting elements, the elements may be, by way of example and not of limitation, one or more mechanical components, one or more electrical components, one or more instructions (e.g., encoded in storage media), one or more controllers, etc.
[0044] A “circuit” as used herein is understood as any kind of logic-implementing entity, which may include special-purpose hardware or a processor executing software. A circuit may thus be an analog circuit, digital circuit, mixed-signal circuit, logic circuit, processor, microprocessor, Central Processing Unit (“CPU”), Graphics Processing Unit (“GPU”), Digital Signal Processor (“DSP”), Field Programmable Gate Array (“FPGA”), integrated circuit, Application Specific Integrated Circuit (“ASIC”), etc., or any combination thereof. Any other kind of implementation of the respective functions which will be described below in further detail may also be understood as a “circuit.” It is
understood that any two (or more) of the circuits detailed herein may be realized as a single circuit with substantially equivalent functionality, and conversely that any single circuit detailed herein may be realized as two (or more) separate circuits with substantially equivalent functionality. Additionally, references to a “circuit” may refer to two or more circuits that collectively form a single circuit.
[0045] As used herein, “memory” may be understood as a non-transitory computer- readable medium in which data or information can be stored for retrieval. References to “memory” included herein may thus be understood as referring to volatile or non-volatile memory, including random access memory (“RAM”), read-only memory (“ROM”), flash memory, solid-state storage, magnetic tape, hard disk drive, optical drive, etc., or any combination thereof. Furthermore, it is appreciated that registers, shift registers, processor registers, data buffers, etc., are also embraced herein by the term memory. It is appreciated that a single component referred to as “memory” or “a memory” may be composed of more than one different type of memory, and thus may refer to a collective component including one or more types of memory. It is readily understood that any single memory component may be separated into multiple collectively equivalent memory components, and vice versa. Furthermore, while memory may be depicted as separate from one or more other components (such as in the drawings), it is understood that memory may be integrated within another component, such as on a common integrated chip.
[0046] The following detailed description refers to the accompanying drawings that show, by way of illustration, specific details and aspects in which the present disclosure may be practiced. These aspects are described in sufficient detail to enable those skilled in the art to practice the present disclosure. Various aspects are provided for the present system, and various aspects are provided for the methods. It will be understood that the basic properties of the system also hold for the methods and vice versa. Other aspects may be utilized and structural, and logical changes may be made without departing from the scope of the present disclosure. The various aspects are not necessarily mutually exclusive, as some aspects can be combined with one or more other aspects to form new aspects. [0047] To more readily understand and put into practical effect, the present system, method, and other particular aspects will now be described by way of examples and not limitations, and with reference to the figures. For the sake of brevity, duplicate descriptions of features and properties may be omitted.
[0048] It will be understood that any property described herein for a specific system or device may also hold for any system or device described herein. It will also be understood that any property described herein for a specific method may hold for any of the methods described herein. Furthermore, it will be understood that for any device, system, or method described herein, not necessarily all the components or operations described will be enclosed in the device, system, or method, but only some (but not all) components or operations may be enclosed.
[0049] The term “comprising” shall be understood to have a broad meaning similar to the term “including” and will be understood to imply the inclusion of a stated integer or operation or group of integers or operations but not the exclusion of any other integer or operation or group of integers or operations. This definition also applies to variations on the term “comprising” such as “comprise” and “comprises”.
[0050] The term “coupled” (or “connected”) herein may be understood as electrically coupled or as mechanically coupled, e.g., attached or fixed or attached, or just in contact without any fixation, and it will be understood that both direct coupling or indirect coupling (in other words: coupling without direct contact) may be provided.
[0051] FIG. 1 depicts a flow diagram illustrating a method 100 of generating a hash- based message authentication code (HMAC) based on white-box implementation, using at least one processor. The method 100 includes a step 102 of receiving an input message. In an embodiment, the method 100 includes a step 104 of obtaining executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key. The inner key may be used to obtain an inner hash function. In an embodiment, the method 100 includes a step 106 of executing a white-box implementation of the inner hash function to obtain an outer key. The outer key may be used to obtain the HMAC. In various embodiments, executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include a step of executing a white-box implementation of a modular addition operation. In various embodiments, the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The second layer may include a second ADD table. The at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The at least one processor is configured to
receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table. The first output may be subjected to a first mixing operation to produce a protected first output. The first mixing operation may be a linear operation to provide diffusion of the first output. The first second-input may be based on the protected first output.
[0052] FIG. 2A depicts a schematic block diagram of a system 200 for generating a HMAC based on white-box implementation, according to various embodiments of the present invention, such as corresponding to the method 100 of generating a HMAC based on white-box implementation as described hereinbefore according to various embodiments of the present invention.
[0053] In various embodiments, white-box implementation (i.e., white-box cryptography) of a system, results in users having access to source codes and internal workings of the system. White-box cryptography combines methods of encryption and obfuscation to embed secret key(s) within the source code. The goal is to combine the source code and the secret key(s) in such a way that the two are indistinguishable to user which allows the white-box implementation of the system to be safely run in an insecure environment.
[0054] In various embodiments, the system 200 may include a memory 202. The system 200 may include at least one processor 204. The at least one processor 204 may be communicatively coupled to the memory 202. The at least one processor 204 may be configured to receive an input message. In an embodiment, the at least one processor 204 may be configured to obtain executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key. The inner key may be used to obtain an inner hash function. In an embodiment, the at least one processor 204 may be configured to execute a white-box implementation of the inner hash function to obtain an outer key. The outer key may be used to obtain the HMAC. In various embodiments, executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include a step of executing a white-box implementation of a modular addition operation. Modular addition operations are addition operations for integers, where values reset to zero and begin to increase again, after reaching a certain predefined value, called the modulo. In various embodiments, the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table.
The at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table. The first output may be subjected to a first mixing operation to produce a protected first output. The first mixing operation may be a linear operation to provide diffusion of the first output. The first second-input may be based on the protected first output.
[0055] In various embodiments, an ADD table is a table including rules of an addition process. The processor 204 may be configured to determine an output from two inputs based on the rules of the ADD table. The ADD table specifies how two inputs should be added based on the rules.
[0056] In various embodiments, the first output has corresponding plaintext and ciphertext. When diffusion is done on the first output, a character of the plaintext is changed, and several characters of the ciphertext is changed. This means that frequency statistics of in the plaintext are diffused over several characters in the ciphertext, which results in higher security and lower risk of frequency analysis attacks.
[0057] Therefore, diffusing of the carry bit in the first ADD table results in a protected carry bit which makes it harder for users to conduct frequency analysis attacks, which increases security and lowers risk of frequency analysis attacks.
[0058] It will be appreciated to a person skilled in the art that the system 200 may also be embodied as a server, a device or an apparatus.
[0059] It will be appreciated by a person skilled in the art that the at least one processor 204 may be configured to perform the required functions or operations through set(s) of instructions (e.g., software modules) executable by the at least one processor 204 to perform the required functions or operations. Accordingly, as shown in FIG. 2A, the system 200 may further include a white-box implementation module (or a white-box implementation circuit) 206 configured to generate a HMAC based on white-box implementation. The system 200 may further include a message communication module (or message communication circuit) 208 configured to receive an input message.
[0060] In various embodiments, the white-box implementation module 206 may be configured to obtain executing a white-box implementation of a cryptographic hash
function based on the input message to obtain an inner key. The inner key may be used to obtain an inner hash function. In an embodiment, the at least one processor 204 may be configured to execute a white-box implementation of the inner hash function to obtain an outer key. The outer key may be used to obtain the HMAC. In various embodiments, executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include executing a white-box implementation of a modular addition operation. In various embodiments, the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The second layer may include a second ADD table. The at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table. The first output may be subjected to a first mixing operation to produce a protected first output. The first mixing operation may be a linear operation to provide diffusion of the first output. The first second-input may be based on the protected first output.
[0061] In various embodiments, the second second-input may be based (e.g., equal to) on a partial sum of the two first inputs. The at least one processor may be configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table. [0062] In various embodiments, the modular addition operation may include a third layer. The third layer may be configured to receive the protected second output from the second layer. The third layer may include a truncation table. The at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.
[0063] In various embodiments, the at least one processor 204 may be configured to execute at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function by executing a step of a white- box implementation of at least one of a XOR, AND, NOT and rotation operation.
[0064] In various embodiments, the inner key is configured to be protected by a first mixing bijection to produce a protected inner key. The outer key is configured to be protected by a second mixing bijection to produce a protected outer key. The at least one processor is
configured to obtain the HMAC based on the protected inner key and the protected outer key. The first mixing bijection and the second mixing bijection may be invertible matrices to provide diffusion of the inner key and the outer key [0065] In various embodiments, the input message is of arbitrary length.
[0066] In various embodiments, the input message may be M bits. The at least one processor may be configured to use a first specific set of white-box operations for a first N bits of the input message. The at least one processor may be configured to use a general set of white-box operations for the remaining M-N bits.
[0067] In various embodiments, the length of the input message may change from M bits to P bits. The at least one processor may be configured to use a second specific set of white- box operations for a first Q bits of the input message of P bits. The at least one processor may be configured to use the general set of white-box operations for the remaining P-Q bits.
[0068] It will be appreciated by a person skilled in the art that the above-mentioned modules are not necessarily separate modules, and two or more modules may be realized by or implemented as one functional module (e.g., a circuit or a software program) as desired or as appropriate without deviating from the scope of the present invention. For example, the white-box implementation module 206, the message communication module 208 may be realized (e.g., compiled together) as one executable software program (e.g., software application or simply referred to as an “app”), which for example may be stored in the memory 202 and executable by the at least one processor 204 to perform the functions/operations as described herein according to various embodiments.
[0069] In various embodiments, the system 200 corresponds to the method 100 as described hereinbefore with reference to FIG. 1, therefore, various functions or operations configured to be performed by the least one processor 204 may correspond to various steps of the method 100 described hereinbefore according to various embodiments, and thus need not be repeated with respect to the system 200 for clarity and conciseness. In other words, various embodiments described herein in context of the methods are analogously valid for the respective systems (e.g., which may also be embodied as devices), and vice versa. [0070] A computing system, a controller, a microcontroller or any other system providing a processing capability may be provided according to various embodiments in the present disclosure. Such a system may be taken to include one or more processors and one or more computer-readable storage mediums. For example, the system 200 described
hereinbefore may include a processor (or controller) 204 and a computer-readable storage medium (or memory) 202 which are for example used in various processing carried out therein as described herein.
[0071] Some portions of the present disclosure are explicitly or implicitly presented in terms of algorithms and functional or symbolic representations of operations on data within a computer memory. These algorithmic descriptions and functional or symbolic representations are the means used by those skilled in the data processing arts to convey most effectively the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities, such as electrical, magnetic or optical signals capable of being stored, transferred, combined, compared, and otherwise manipulated.
[0072] Unless specifically stated otherwise, and as apparent from the following, it will be appreciated that throughout the present specification, discussions utilizing terms such as “obtaining”, “receiving”, “obtaining”, “modifying”, “inputting”, “executing” or the like, refer to the actions and processes of a computer system, or similar electronic device, that manipulates and transforms data represented as physical quantities within the computer system into other data similarly represented as physical quantities within the computer system or other information storage, transmission or display devices.
[0073] The present specification also discloses a system (e.g., which may also be embodied as a device or an apparatus) for performing the operations/functions of the methods described herein. Such a system may be specially constructed for the required purposes, or may comprise a general purpose computer or other device selectively activated or reconfigured by a computer program stored in the computer. The algorithms presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose machines may be used with computer programs in accordance with the teachings herein. Alternatively, the construction of more specialized apparatus to perform the required method steps may be appropriate.
[0074] In addition, the present specification also at least implicitly discloses a computer program or software/functional module, in that it would be apparent to the person skilled in the art that the individual steps of the methods described herein may be put into effect by computer code. The computer program is not intended to be limited to any particular programming language and implementation thereof. It will be appreciated that a variety of
programming languages and coding thereof may be used to implement the teachings of the disclosure contained herein. Moreover, the computer program is not intended to be limited to any particular control flow. There are many other variants of the computer program, which can use different control flows without departing from the spirit or scope of the invention. It will be appreciated by a person skilled in the art that various modules described herein may be software module(s) realized by computer program(s) or set(s) of instructions executable by a computer processor to perform the required functions, or may be hardware module(s) being functional hardware unit(s) designed to perform the required functions. It will also be appreciated that a combination of hardware and software modules may be implemented.
[0075] Furthermore, one or more of the steps of a computer program/module or method described herein may be performed in parallel rather than sequentially. Such a computer program may be stored on any computer readable medium. The computer readable medium may include storage devices such as magnetic or optical disks, memory chips, or other storage devices suitable for interfacing with a general purpose computer. The computer program when loaded and executed on such a general-purpose computer effectively results in an apparatus that implements the steps of the methods described herein.
[0076] In various embodiments, there is provided a computer program product, embodied in one or more computer-readable storage mediums (non-transitory computer- readable storage medium), which may store computer executable code. The computer executable code may include instructions executable by one or more computer processors to perform a method 100 of generating a HMAC based on white-box implementation as described hereinbefore with reference to FIG. 1. Accordingly, various computer programs or modules described herein may be stored in a computer program product receivable by a system therein, such as the system 200 as shown in FIG. 2A, for execution by at least one processor 204 of the system 200 to perform the required or desired functions.
[0077] The software or functional modules described herein may also be implemented as hardware modules. More particularly, in the hardware sense, a module is a functional hardware unit designed for use with other components or modules. For example, a module may be implemented using discrete electronic components, or it can form a portion of an entire electronic circuit such as an Application Specific Integrated Circuit (ASIC). Numerous other possibilities exist. Those skilled in the art will appreciate that the software
or functional module(s) described herein can also be implemented as a combination of hardware and software modules.
[0078] FIG. 2B depicts an exemplary system for generating a HMAC based on white- box implementation, according to various embodiments of the present application.
[0079] Various methods/ or functional modules (e.g., the white-box implementation module 206 and/or the message communication module 208) may be implemented as software, such as a computer program being executed within the computer system 250, and instructing the computer system 250 (in particular, one or more processors therein) to conduct the methods/functions of various embodiments described herein. The computer system 250 may include a computer module 252, an input module 254 such as a keyboard, and an output device 256 such as a display. The computer module 252 may be connected to a computer network 258 to enable access to e.g., the Internet or other network systems such as Local Area Network (LAN) or Wide Area Network (WAN). The computer module 252 may include a processor 260 for executing various instructions according to embodiments disclosed herein. The computer system 250 may include a database 262 which includes data (e.g., video content). The computer system 252 may also include a MAC (e.g., HMAC) generator 264 which may generate a MAC. The MAC generator 264 may send data (e.g., video content) to a receiver 266 in a message. The message includes the MAC. The receiver 266 may be a user receiver, and may include a MAC reconstruction unit 268. The MAC reconstruction unit 268 may check the MAC in the message in accordance with some predetermined requirements (e.g., secret key is known). If the predetermined requirements are met, the MAC reconstruction unit 268 may output the data (e.g., the video content) to the output device (e.g., display) 256.
[0080] In this disclosure, various notations used herein are provided. The bits of a value may be numbered from left to right, starting with 0, the rightmost bit of a value is the least significant bit, and its leftmost bit is the most significant bit. A number without a prefix may express a decimal number unless stated otherwise. A number with prefix Ox may express a hexadecimal number. The following notations are used herein, bitwise exclusive OR (XOR)
& bitwise AND
<< (>>) left (right) shift of a bit string <<< (>>>) left (right) rotation of a bit string II bit string concatenation o functional composition. When composing functions X and Y , X ° Y denotes the function obtained by first applying X and then applying Y.
[0081] In various embodiments, the HMAC may be defined as HMAC(X, M) = H(( opad ) ||H(( ipad ) ||M)), where M is the message to be authenticated, H is a
cryptographic hash function,
represents the value generated by using the message padding rule of H to append the user key K to the length of a full message block of H, ipad and opad are two public constants that are of the same length as a full message block of H. In particular ipad and opad may be referred as inner and outer keys of the
HMAC, respectively.
[0082] In various embodiments, HMAC may use two passes of hash computation. A secret key may be used to derive the inner key and the outer key. A first pass of a HMAC algorithm may produce an internal hash derived from the message and the inner key. A second pass of a HMAC algorithm may produce a final HMAC code derived from the inner hash result and the outer key. Advantageously, HMAC provides better immunity against length extension attacks.
[0083] In various embodiments, HMAC does not encrypt the message. Instead, the message (encrypted or not) may be sent alongside the HMAC hash. Parties with the secret key may hash the message again themselves, and if it is authentic, the received and computed hashes will match.
[0084] In various embodiments, any cryptographic hash function H , such as SHA- 1 or SHA-256, may be used in the calculation of a HMAC. The cryptographic hash function H which may be an iterative hash function may break up a message into blocks of a fixed size and may iterate over them with a compression function. For example, SHA-256 operates on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying cryptographic hash function H (e.g., 256 and 512 bits in the case of SHA-256 and SHA-512, respectively), although it can be truncated if desired.
[0085] FIG. 3A depicts a schematic drawing illustrating a step update function of SHA- 1, according to various embodiments of the present application.
[0086] In various embodiments, in the step update function 300 of SHA-1, the SHA-1 hash function may take as an input, a message of less than 264 bits long. The SHA-1 hash function may output a 160-bit message.
[0087] In various embodiments, the message may be padded to be a multiple of 512 in bit length. The message may be appended with '1' and '0'. The padded message may be parsed into a number of blocks for example N blocks. Each N block may be of M bits. The N blocks may be processed iteratively. The N block of M bits may be divided into smaller words of P bits. Each word of P bits may be expanded by a message expansion function. The expanded words may be processed by a compression function that may be based on the step update function 300. A hash function may be obtained at the end of the process. [0088] In an exemplary embodiment, the step update function 300 of SHA-1 may be processed using the following phases:
1. The message may be padded to be a multiple of 512 in bit length, by first appending the bit ‘1’ to the end of the message. A minimum number of zeros may be appended so that the resulting message may be 448 mod 512 in bit length. The 64-bit representation of the bit length of the original message may be appended.
2. The padded message may be parsed into a number, e.g., N , of 512-bit blocks M(0), M(1), ... M(N-1),
3. The N 512-bit blocks M(0), M(1), ... M(N-1) may be processed iteratively, as follows:
For n = 0,1, ..., N — 1:
(a) The 512-bit padded message may be divided into sixteen 32-bit worlds M0 (n), M1 (n), ... M15 (n),
(b) Eighty expanded 32-bit message blocks
Wi (n) 302 may be generated by the following message expansion function (0 ≤ i ≤ 80). for 0 ≤ t ≤ 15;
for 16 ≤ i ≤ 79.
(c) The eighty expanded 32-bit message blocks
302 may be processed by the following compression function that may be based on the step update function 300, wherein inputs 304 (e.g., message blocks 302, a constant consti (i.e., i-th step
constant ) 306 are used to obtain outputs 308 (e.g.,
The message digest may include a string of digits created by a one-way hashing formula. The message digest may be designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message.
[0089] In the above, are 32-bit variables (0 ≤ l ≤ 80) ,
are the (public and fixed) 160-bit initial value (IV) of SHA-1.
The cryptographic function 308 may be based on an if function fif, a XOR function fxor and a major function fmaj . The cryptographic function 308 is defined as follows:
[0091] FIG. 3B depicts a schematic drawing illustrating a step update function of SHA- 256 according to various embodiments of the present application.
[0092] In various embodiments, in the step update function 350 of SHA-256, the SHA- 256 hash function may take as an input, a message of less than 264 bits long. The SHA-256 hash function may output a 256-bit message. SHA-256 differs from SHA-1 mainly in message expansion phase, the compression function and feed forwarding part.
[0093] In various embodiments, the message may be padded to be a multiple of 2048 in bit length. The message may be appended with ‘ 1’ and ‘ 0’. The padded message may be parsed into a number of blocks for example N blocks. Each N block may be of M bits. The N blocks may be processed iteratively. The N block of M bits may be divided into smaller words of P bits. Each word of P bits may be expanded by a message expansion function. The expanded words may be processed by a compression function that may be based on the step update function 350.
[0094] In an exemplary embodiment, sixty-four expanded 32-bit message blocks
352 may be generated by the following message expansion function (0 ≤ i ≤ 63).
[0095] The 64 expanded 32-bit message blocks
352 may be processed by the following compression function that may be based on the step update function 350, wherein inputs 354 (e.g., message blocks
352, a constant consti (i.e., i-th step
constant ) 356, a function 360, a Ch function 362, a function 364, a Maj function
366, are used to obtain outputs 358 (e.g.,
[0096] A message digest may be
The message digest may include a string of digits created by a one-way hashing formula. The
message digest may be designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message.
32-bit variables (0 ≤ l ≤ 64) , initial values (IV)
may be the 256-bit IV of SHA-256. The
function 360, the Ch function 362, the
function 364, the Maj function 366 may be defined as,
[0098] In a known implementation of an addition procedure in an encryption process, a 32-bit addition is divided into eight 4-bit additions and a carry bit is treated as an individual input/output parameter, where 4-bit inputs/outputs are protected with 4-bit encodings and the one -bit carry bits are protected with one-bit encodings.
[0099] However, the above-mentioned addition procedure can be attacked by frequency analysis. Firstly, the outputs of the addition mod 232 are uniformly distributed, where a carry bit overflows if any. However, the outputs of a partial addition are not uniformly distributed, due to the existence of carry bits. In the case of 4-bit partial addition, 15 is the most frequent output, which takes place 16 times (in total), 0 and 30 take place one time each, 1 and 29 takes place twice each, and so on until that 14 and 16 take place 15 times each.
[00100] As a consequence, the above-mentioned addition procedure may be broken by the following way: first deduce the encoding for the most frequent output (i.e. 15), then distinguish the two protected cases of flipped and unflipped carry bits from the case of the most frequent output 15 by frequency analysis, and finally deduce the encodings for the other outputs (i.e. 0,1, ··· ,14,16,17, ··· ,30) pairwise by frequency analysis. As such, all the encodings for the 4-bit partial addition implementation may be recovered.
[00101] The main distinctions between white-box implementations of HMAC-SHA- 1/2 and AES/DES are discussed below. The white-box implementation schema of HMAC aims to resist both key extraction and code lifting, which is generic and is independent from the underlying hash function instantiated, as long as the hash function is based on the Merkle- Damgard construction.
[00102] A few distinctions between HMAC-SHA-1/2 and the AES or DES block cipher that differentiate their white-box implementations:
[00103] 1. In AES, the starting value is plaintext, which is variable. While in HMAC, the staring value is the initial value of the underlying hash function, which is a public constant.
[00104] 2. HMAC processes message and key in four clearly separated passes:
[00105] (a) Process only the inner key in the first block of the first hash computation.
[00106] (b) Process only message in the subsequent block(s) of the first hash computation.
[00107] (c) Process only the outer key in the first block of the second hash computation.
[00108] (d) Compute the message digest in the second block of the second hash computation.
[00109] In short, HMAC processes only either data or key in each step, which can be easily detached. In other words, each of steps (a) to (d) can be processed independently. The system disclosed herein may process the data and the key separately. By comparison, AES processes data and key in a completely involved way in each round or each fundamental function, which makes it hard to detach the processes on data and key. In other words, AES processes the data and the key together.
[00110] 3. Given a key, an AES round takes as input the output of the previous round (if any), while a HMAC-SHA-1/2 step takes as input the output of the previous step (if any) and another extended message block.
[00111] 4. AES has a fixed block size, while HMAC works on a variable-length message.
[00112] These distinctions make the white-box HAMC implementation quite different from the white-box AES/DES implementation. There are also various specific distinctions, for example, SHA-1/2 uses modular addition extensively.
[00113] To generate a HMAC value on a message M, the white-box implementation of HMAC includes four phases:
Hα (M), by treating α as a secret key and M as a message, where Hα means that the hash function H with the initial value replaced by the value α, p and g are (secret) external
encodings of Hα. The output of this phase is denoted by y = (p(M)) ° Hα ° g, where y may be considered as an inner hash
[00116] 3. The server computesβ = H(/f ® opad ), whereβ may be an outer key.
Hβ (Hα(M)), by treatingβ as a secret key and y as a message,
means that the hash function H with the initial value replaced by the value b , q is the external output encoding of Hβ. We denote the output of this phase by δ = (g_1(y)) ° Hβ ° q, where d may be referred as the HMAC or HMAC value.
[00118] As a result, δ = (p(M)) ° Hα ° Hβ° q, wherein p and q can be regarded as external encodings of HMAC.
[00119] In various embodiments, a white -box implementation method according to various example embodiments to prevent key extraction and code lifting attacks to some extent is described. White-box implementation of HMAC may involve the following operations:
which can be summarised as the following basic operations:
where
. Note that some other operations can be obtained similarly from these basic operations.
[00120] FIG. 4 illustrates a white -box implementation of XEEIY operation according to various embodiments of the present application.
[00121] FIGS. 4A to 4F are enlarged versions of various portions of FIG. 4 for better clarity.
[00122] In various embodiments, the white-box implementation of a modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The second layer may include a second ADD table. The first ADD table may be configured to receive two first inputs. The first ADD table may produce a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The second ADD table may be configured to receive two second inputs. The two second inputs may be a first second-input and a second second-input. The first second-input may be based on the first output.
[00123] In various embodiments, the white-box implementation may include subjecting the first output to a first mixing operation to produce a protected first output. The first second-input may be based on the protected first output.
[00124] In various embodiments, the second second-input may be based on a partial sum of the two first inputs. The second ADD table may be configured to produce a protected second output corresponding to a value of a carry bit of the second ADD table.
[00125] In various embodiments, the white-box implementation of the modular addition operation may include a third layer. The third layer may include a truncation table. The truncation table may be configured to receive the protected second output to produce an addition result of the modular addition operation.
[00126] In an exemplary embodiment, the white -box implementation of X EQ Y 400 may include two variables X 401A and Y 401B which may be two 32-bit variables and may be protected in their white-box forms
and
respectively, where MBX and MBY are 32x32-bit mixing bijections, and are two groups
of eight 4 -bit encodings.
[00127] As illustrated in Fig. 4, the white-box implementation of
400 may include six layers at a high level, whose dimensional sizes of the segments and white-box operations may be chosen to have a reasonable trade-off between security and storage space.
[00128] In various embodiments, in FIG. 4A, a first layer 402 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X
each
8x32-bit table may generated by applying sequentially the inverses of the two
4-bit encodings
the corresponding 32x8-bit part
of the inverse
of the mixing bijection MBX, a 32x32-bit mixing bijection DBX and a layer of eight 4-bit encodings
, where DBX is of the form:
with being an invertible (general) 8 X 8-bit matrix, being invertible
(general) 6 X 6-bit matrices, and j =
0, 1,2,3· In an embodiment, the part processing of the white box form of Y
is conducted in a similar manner.
[00129] In various embodiments, in FIG. 4B, a second layer 404 may be made up of XOR tables, for example 60 8 X 4-bit or 6 X 3-bit tables where j =
0,1, 2, 3, l = 0,1, ··· ,9. The final output of the tables may be X and may be protected
by the mixing bijection DBX and a layer of ten 4-bit or 3-bit encodings .
The final output of the XOR; i tables may be Y and may be protected by the mixing bijection DB and a layer of ten 4-bit or 3-bit encodings
[00130] In various embodiments, in FIG. 4C, a third layer 406 may be made up of first ADD tables, for example one 16 X 8-bit table
four 12 X 13-bit tables where j = 1,2, 3, 4.
[00132] (i) Either 6-bit input is obtained by applying sequentially the inverses of the two corresponding 3 -bit encodings from the second layer 404 and the inverse (or
of the corresponding 6 X 6-bit part (respectively, of the mixing
bijection DBX (respectively, DBY).
[00133] (ii) The two resulting 6-bit values may be added, and may be concatenated into a 7-bit sum with the 6-bit left input operand Xj on the left side. The sum of the two 6-bit values can be a 7-bit value at most.
[00134] (iii) A mixing bijection e.g., a 13 X 13-bit mixing bijection may be
applied to a layer of one 4-bit and three 3-bit encodings
[00135] In an embodiment, the table is similar, except that each input operand
is 8-bit and it can only produce an 8-bit output (the carry bit overflows if any), and there are an 8x8-bit mixing bijection
and a layer of two 4-bit encodings
[00136] In various embodiments, in FIG. 4D, a fourth layer 408 may be made up of second ADD tables, for example one 21x32-bit table
and three 26xl3-bit tables
[00137] In various embodiments, for the table, the left 7-bit input may be
obtained by applying sequentially the inverses of the four encodings the inverse
of the mixing bijection
and an addition of 7 left bits (&0x7 F) operation. The right 1-bit input may be obtained by applying sequentially the inverses of the four corresponding encodings inverse of the mixing bijection
the » 6 operation and an addition of 1 right bit (&0xl) operation. Add the two resulting 7- bit and 1-bit values, and concatenate the 7-bit sum with the leftmost 6 bits (i.e. X3 ) of the left 13-bit input operand on the left side. The resulting 7-bit value is the original result of the A
operation, the resulting 1-bit value is the carry bit of the
operation, and their sum can be a 7-bit value at most. At last, apply a 13 X 13-bit mixing operation
and a layer of one 4-bit and three 3-bit encodings to protect the
concatenated 13-bit value.
[00138] In various embodiments, for the table (J = 1,2), the left 7-bit input
may be obtained by applying sequentially the inverses of the four encodings of the mixing bijection and the &0x7F
operation; and the right 1-bit input is obtained by applying sequentially the inverses of the four encodings from the right adjacent table, the inverse
of the mixing bijection
the » 6 operation and the &0xl operation. Add the two resulting 7-bit and 1-bit values, and concatenate the 7-bit sum with the leftmost 6 bits (i.e.
Xj ) of the left 13-bit input operand on the left side. At last, apply a 13 X 13-bit mixing operation and a layer of one 4-bit and three 3-bit encodings to
protect the concatenated 13-bit value.
[00139] In various embodiments, the table is similar, except that the left input
is 8-bit and the output of the
table is 8-bit. The carry bit overflows if any, and it is the original leftmost byte of X
Y. The carry bit is directly protected by a 32x8-bit matrix and a layer of eight 4-bit encodings
[00140] In various embodiments, in FIG. 4E, a fifth layer 410 may be made up of truncation tables, for example four 13 X 32-bit tables, each of which is generated by applying sequentially the inverses of the four corresponding encodings from the fourth layer, the inverse of the corresponding 13 X 13-bit mixing bijection from the fourth layer,
the truncating of the resulting 13-bit value to the rightmost 6 bits &0x3F, a 32x6-bit matrix
and a layer of eight 4-bit encodings
[00141] In various embodiments, in FIG. 4F, a last (i.e. sixth) layer 412 may be made up of XOR tables, for example 32 8x4-bit tables
with the result
414 being protected by the 32 X 32-bit mixing bijection
and a layer of eight 4-bit encodings
where .
[00142] In various embodiments, the outputs of
are uniformly distributed, although the outputs of its partial addition operation(s) are not uniformly distributed due to carry bits. A stronger white-box implementation of
made be obtained by using larger dimensional sizes of segments for a 32-bit word at the expense of a larger storage complexity. For example, a 32-bit word may be divided into four 8-bit segments. 4-bit encodings may be used in the first layer and corresponding revisions may be made in the subsequent layers, so that there are significantly more available mixing bijections and encodings against exhaustive search attacks.
[00143] FIG. 5 illustrates a white-box implementation of
operation according to various embodiments of the present application. FIGS. 5 A to 5C are enlarged versions of various portions of FIG. 5 for better clarity.
[00144] In various embodiments, the white-box implementation of
f ) 500 may include three layers at a high level, where (
[00145] In various embodiments, the white-box implementation of
f ) 500 may include two variables X and Y which may be two 32-bit variables and may be protected in their white-box forms respectively,
where MBX and MBY are 32x32-bit mixing bijections, and
are two groups of eight 4 -bit encodings.
[00146] In FIG. 5A, a first layer 504 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X each 8x32-bit table may be
generated by applying sequentially the inverses two 4-bit encodings
the corresponding 32x8-bit part
of the inverse
of the mixing
bijection
operation, a general 32x32-bit mixing bijection
used to protect the result
and a layer of eight 4-bit encodings , where
and j = 0,1, 2, 3. The process is similar for the part
processing of the white box form of , except the <<< f operation is
applied instead of the <<< ø operation.
[00147] In various embodiments, in FIG. 5B,a second layer 506 may be made up of XOR tables, for example 48 8 X 4-bit tables
where j = 0,1,2, l =
0,1, ··· ,7. The final output of the tables is X which may be protected by the mixing
bijection
and a layer of eight 4-bit encodings
; and the final output of the tables is Y protected by the mixing bijection
and a layer of eight 4-bit encoding
[00148] In various embodiments, in FIG. 5C, a last (i.e. third) layer 508 is made up XOR tables, for example of eight 8 X 4-bit tables , with the resul
510 being
protected by the mixing bijection
and a layer of eight 4-bit encodings where
[00149] In various embodiments, the
operation is null when
(respectively, which is
the white-box implementation of
and it becomes
which is the white-box implementation of
.
[00150] FIG. 6 illustrates a white-box implementation of
operation according to various embodiments of the present application. FIGS. 6A to 6D are enlarged versions of various portions of FIG. 6 for better clarity.
[00151] In various embodiments, the white-box implementation of
may include four layers at a high level. The white-box
may include two variables X 602A and Y 602B which may be two 32-bit variables and may be protected in their white-box forms and e respectively,
where MBX and MBY are 32x32-bit mixing bijections, and are two groups
of eight 4 -bit encodings.
[00152] In various embodiments, in FIG. 6A, a first layer 604 may be made up of eight 8x32-bit tables. For the part processing of the white box form of each
8x32-bit table is generated by applying sequentially the inverses of the two 4-
bit encodings the corresponding 32x8-bit part of the inverse
of the mixing bijection
operation, a 32x32-bit mixing bijection DBX and a layer of eight 4-bit encodings where DBX is of the form:
with being an invertible (general) 8 X 8-bit matrix,
and j = 0,1, 2, 3. Similarly, for the part processing of the white
box form of Y
the
operation may be applied instead of the
operation.
[00153] In various embodiments, in FIG. 6B, a second layer 606 may be made up of XOR tables, for example 48 8 X 4-bit tables , where j = 0,1,2, l =
0,1, ··· ,7. The final output of the tables is X protected by the mixing bijection DB
and a layer of eight 4-bit encodings and the final output of the
tables is Y
protected by the mixing bijection DBY and a layer of eight 4-bit encodings
[00154] In various embodiments, in FIG. 6C, a third layer 608 may be made up of ADD tables, for example four 16x32-bit tables
, each of which is generated by applying sequentially the inverses of the two corresponding 4-bit encodings from the second layer, the inverse
respectively) of the corresponding 8x8-bit part (or
, respectively) of the mixing bijection DBX (or DBY, respectively) for either 8-bit input, the AND value of the two resulting 8-bit values, the corresponding 32x8-bit part
out of an affine mixing bijection
used to protect the result
and a layer of eight 4-bit encodings
where
being an invertible (general) 32x32-bit matrix and
being 32-bit constants ( l = 0,1, 2, 3). The affine mixing bijection
may be a linear mixing bijection.
[00155] In various embodiments, in FIG. 6D, a last (i.e. fourth) layer 610 may be made up of XOR tables, for example 24 8 X 4-bit tables
with the result
612 being protected finally by the affine mixing bijection
and a
layer of eight 4-bit encodings
where j = 0,1,2, / = 0,1, 2, 3.
[00156] FIG. 7 illustrates a white-box implementation of
operation 700 according to various embodiments of the present application. FIGS. 7A to 7D are enlarged versions of various portions of FIG. 7 for better clarity.
[00157] In various embodiments, the white -box implementation of
700 may include four layers at a high level. The white-box
may include two variables X 702A and Y 702B which may be two 32-bit variables and may be protected in their white-box forms respectively,
where MBX and MBY are 32x32-bit mixing bijections, and are two groups
of eight 4 -bit encodings.
[00158] In various embodiments, in FIG. 7A, a first layer 704 may be made up of eight 8x32-bit tables. For the part processing of the white box form of
, each 8x32-bit table is generated by applying sequentially the inverses of the two 4-
bit encodings the corresponding 32x8-bit part
of the inverse
of the mixing bijection MBX, a 32x32-bit mixing bijection DBX and a layer of eight 4-bit encodings
the form:
with
being an invertible (general) 8 X 8-bit matrix,
and j = 0,1, 2, 3. Similarly, for the part processing of the white
box form of Y
operation may be applied immediately before the mixing bijection DBX.
[00159] In various embodiments, in FIG. 7B, a second layer 706 may be made up of XOR tables, for example 48 8 X 4-bit tables
where j = 0,1,2, l = 0,1, ··· ,7. The final output of the
tables is X protected by the mixing bijection DB and a layer of eight 4-bit encodings
and the final output of the
tables is Y protected by the mixing bijection DBY and a layer of eight 4-bit encodings
[00160] In various embodiments, in FIG. 7C,a third layer 708 may be made up of ADD tables, for example four 16x32-bit tables
, each of which is generated by applying sequentially the inverses of the two corresponding 4-bit encodings from the second layer, the inverse
respectively) of the corresponding 8x8-bit part
(or
respectively) of the mixing bijection DBX (or DBY, respectively) for either 8-bit input, the bitwise complement
operation only for the 8-bit input from X, the AND value of the two resulting 8-bit values, the corresponding 32 X 8-bit part out of an affine
mixing bijection
used to protect the result
and a layer of eight 4- bit encodings
being an invertible (general) 32x32-bit matrix, b, and b =
being 32-bit constants (l = 0,1, 2, 3).
[00161] In various embodiments, in FIG. 7D, a last (i.e. fourth) layer 710 may be made up of XOR tables, for example 24 8x4-bit tables with the result
712 being protected finally by the affine mixing bijection
and a layer of eight 4-bit encodings where j = 0,1,2, l = 0,1, 2, 3.
[00162] FIG. 8 illustrates a white -box implementation of
operation 800 according to various embodiments of the present application. FIGS. 8 A to 8C are enlarged versions of various portions of FIG. 8 for better clarity.
[00163] In various embodiments, different from th
operation, the
operation does not output uniformly. In particular, it has only two possible values when
takes the extreme value 31, so an affine mixing bijection may be used to protect the intermediate value
[00164] In various embodiments, the white-box implementation of
may include three layers at a high level. The white -box implementation of
800 may include two variables X 802A and Y 802B which may be two 32-bit variables and may be protected in their white-box forms
respectively, where MBX and MBY are 32 X 32-bit mixing bijections, and
are two groups of eight 4-bit encodings.
[00165] In various embodiments, in FIG. 8A, a first layer 804 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X each
8x32-bit table is generated by applying sequentially the inverses
of the two 4- bit encodings the corresponding 32x8-bit part of the inverse
of the mixing bijection
operation, an affine mixing bijection
and a layer of eight 4-bit encodings , where A being an
invertible 32 X 32-bit matrix, being a 32-bit constant,
= 0, 1,2,3. It is similar for the part processing of the white box form of , except that there is no
operation and are
replaced with another invertible 32x32-bit matrix
Y and 32-bit constant
such that
[00166] In various embodiments, in FIGS. 8B and 8C, second 806 and third 808 layers may be the same as the second 504 and third 506 layers of the white-box implementation of
respectively. Finally, the resul is protected
by the mixing bijection
and a layer of eight 4-bit encodings
[00167] In various embodiments, white-box implementation of X\Y may be obtained from the above white -box implementation of
by removing the
operations in the first layer 604 and then applying the OR (i.e. |) operation in the third layer 608, instead of the AND (i.e. &) operation.
[00168] In various embodiments, the white-box implementation of
may be obtained from the above white-box
implementation 400 by inserting the
operation immediately before the mixing bijection DBX in the first layer 402 of the part processing of the white box form of All the other parts remain
unchanged.
[00169] FIG. 9 illustrates a white-box implementation of
operation according to various embodiments of the present application. FIGS. 9 A to 9F are enlarged versions of various portions of FIG. 9 for better clarity.
[00170] In various embodiments, the white-box implementation of
may be a simplified version of the above white-box implementation of
by removing the
operation and the part processing
in the first and second layers and simply putting as an input operand to the four ADD tables in the
third layer.
[00171] In various embodiments, the white-box implementation of
may include a variable X 902 which may be a 32-bit variable and may be protected in its white- box forms
where MBX is a 32x32-bit mixing bijection, and is a
group of eight 4-bit encoding.
[00172] As illustrated in FIG. 9A, a first layer 904 may be made up of eight 8x32-bit tables. For the part processing of the white box form of
each 8x32-bit table may generated by applying sequentially the inverses of the two 4-bit
encodings
the corresponding 32x8-bit part
of the inverse MBX,_1 of the mixing bijection MBX, a 32 X 32-bit mixing bijection DBX and a layer of eight 4 -bit encodings
is of the form:
with being an invertible (general) 8 X 8-bit matrix,
being invertible (general) 6 X 6-bit matrices,
0,1, 2, 3.
[00173] In various embodiments, in FIG. 9B, a second layer 906 may be made up of XOR tables, for example 60 8x4-bit table where The
final output of the
tables may be X and may be protected by the mixing bijection DBX and a layer of ten 4-bit or 3-bit encodings
[00174] The third layer is made up of one 8 X 8-bit table and three 6x 13-bit tables. The 8 X 8-bit table is generated by applying sequentially the inverses of the two corresponding
4-bit encodings from the second layer, the inverse
of the corresponding 8x8-bit part of of the mixing bijection DBX, the addition operation with the corresponding 8-
bit part
of the constant consti, a 8-bit mixing bijection
and finally two 4- bit encodings Each of the three 6x 13-bit tables is generated by applying sequentially
the inverses of the two corresponding 3-bit encodings from the second layer, the inverse of the corresponding 6 X 6-bit part of of the mixing bijection DB , the
addition operation with the corresponding 6-bit part
of the constant consti, a 8-bit mixing bijection and finally two 4-bit encondings
[00175] In various embodiments, in FIG. 9D, a fourth layer 910 may be made up of first
ADD tables, for example one 16x8-bit table
and four 12x 13-bit tables
where j = 1,2, 3, 4. The Y ADD table from FIG.4 is replaced by consti
[00177] (i) Either 6-bit input is obtained by applying sequentially the inverses of the two corresponding 3-bit encodings from the second layer 906 and the inverse of the
corresponding 6x6-bit part
of the mixing bijection DBX.
[00178] (ii) The two resulting 6-bit values may be added, and may be concatenated into a 7-bit sum with the 6-bit left input operand Xj on the left side. The sum of the two 6-bit values can be a 7-bit value at most.
[00179] (iii) A mixing bijection e.g., a 13 X 13-bit mixing bijection may be
applied to a layer of one 4-bit and three 3-bit encodings
[00180] In an embodiment, the A
table is similar, except that each input operand is 8-bit and it can only produce an 8-bit output (the carry bit overflows if any), and there are an 8x8-bit mixing bijection and a layer of two 4-bit encodings
[00181] In various embodiments, in FIG. 9E, a fifth layer 912 may be made up of truncation tables, for example four 13 X 32-bit tables, each of which is generated by applying sequentially the inverses of the four corresponding encodings from the fourth layer 910, the inverse of the corresponding 13xl3-bit mixing bijection from the fourth layer 910, the truncating of the resulting 13-bit value to the rightmost 6 bits &0x3 F, a 32x6-bit matrix
and a layer of eight 4-bit encodings
[00182] In various embodiments, in FIG. 9F, a last (i.e. sixth) layer 914 may be made up of XOR tables, for example 32 8x4-bit tables
with the result X EE consti 916 being protected by the 32x32-bit mixing bijection M
[00183] FIG. 10 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-1 implementation according to various embodiments of the present application. FIGS. 10A to 10G are enlarged versions of various portions of FIG. 10 for better clarity.
[00184] In various embodiments, HMAC-SHA-1 may process an arbitrary-length message. This poses a difficulty to its white-box implementation, since the number of 512- bit message blocks cannot be determined and thus the white-box operations cannot be specified.
[00185] In various embodiments, to solve the problem, a same set of white-box operations for the later (512-bit) message blocks (if any) as the set used in the first 512-bit message block.
[00186] In various embodiments, after computing the inner keyα and the outer key b, the server does not release them to the client in a clear form, but in a protected form. In various embodiments, the inner key α and the outer key β may be protected by one or more mixing bijections.
[00187] In an exemplary embodiment, for each of the five 32-bit words A0, BQ, CQ, DQ, EQ, the system 1000 may include a step 1002 of generating a mixing bijection MBX and a layer of eight 4-bit external encodings
in FIG. 10A. Representing the inner keyα as five 32-bit blocksα
, the system 1000 may compute
). The system 1000 may send this protected form of the inner keyα to the user.
[00188] In various embodiments, the process for protecting the outer keyβ is similar to that of the inner keyα .
[00189] In various embodiments,α andβ as well as their protection may not be incorporated into the white-box implementation of the step update function of FIG. 4. Advantageously, this results in the ability to deal with an arbitrary-length message of more than one 512-bit blocks.
[00190] In various embodiments, SHA-1 may generate additional expanded message words (e.g., 64 additional words) from an original (512-bit) message block, which will be input to the last 64 steps of the compression function. In various embodiments, a white-box HMAC-SHA-1 implementation against code lifting should recover the original expanded message word from its manipulated form resulted from the external encoding p under a message expansion function.
[00191] In various embodiments, the message expansion function may use rotation and XOR operations to generate the additional (e.g. 64) expanded message blocks.
[00192] In various embodiments, in FIG. 10B, in step 1004 each (32-bit) message word
Mi may be protected by a 32x32-bit mixing bijection
followed by a layer of eight 4- bit external encodings
. In an embodiment,
MB and MB may be affine 32x32-bit mixing bijections since the two corresponding message blocks represent message length, which may often be zero, where i = 0,1, ··· ,15. In an embodiment,
where the first 16 expanded message blocks is (i = 0,1, ··· ,15).
[00193] In various embodiments, the message expansion function
for the next 64 message blocks can be represented as Wt =
[00194] In various embodiments, the white-box form of the expanded message block
Wt may be achieved by applying two applications of white-box
implementation and finally one application of white-box
implementation (16 <
protected in white-box form
[00195] In various embodiments, in FIG. IOC, in step 1006, given
and
compression function of SHA-1 may be implemented as follows:
[00196] In various embodiments,
may be used as inputs, and as outputs. In various embodiments, the
operations may be incorporated into other operations. This reduces storage complexity and running time as these steps need not be implemented them with white-box operations.
[00197] White-box implementation for Steps 4-79 is described below:
[00198] In FIG. 10D, in step 1008, take a step between Steps 4-79, Step i say (i =
[00199] Assume that
is protected with white-box operations
Thus,
is protected with white-box operations
, and etc. In an embodiment, the white-box implementation of the step update function of Step i can be achieved with one
application of the white-box implementation of
one application of the white-box implementation of
, two applications of the white -box implementation of
and white-box implementation of
, whose white-box implementation depends on the specific form
and is described in fxor 1010 in FIG. 10E, 1012 in FIG. 10F and fmaj 1014 in FIG. 10G, respectively. At last, Ai+1 is protected with white-box operations
[00200] Depending on the value of i, the
function is fxor , fif or fmaj . fxor can be composed with one application of the above white -box (X <<< 30)
( Y <<< 30) operation and one application of the above white-box X
Y operation, as shown in FIG. 10. fif can be composed with one application of the above white -box X&(Y <<< 30) operation, one application of the above white-box
&(Ύ <<< 30) operation and one application of the above white-box X\Y operation, as shown in FIG. 10. fmaj Can be composed with two applications of the above white-box X&(Y <<< 30) operation, one application of the above white-box (X <<< 30 )&(Y <<< 30) operation, and two applications of the above white-box X\Y operation, as shown in FIG. 10.
[00201] In various embodiments, white-Box implementation of Steps 0-3 is slightly different from a general step in the following two points: 1) The input of each of Steps 0- 3 involves one or more of the five initial words A0, B0, C0, D0, E0 , rather than
of a general step; and 2) There is no <<< 30 operation to one or more of the three input words
in each of Steps 0-2. As a consequence, white-box implementation of each of Steps 0-3 is slightly different from the white-box implementation of the general step between Steps 4-79, which can be obtained simply by applying (the inverses of) the corresponding mixing bijections and encodings and removing unnecessary <<< 30 operation.
[00202] In various embodiments, to be able to process an arbitrary-length message, the same set of mixing bijections MBX and external encodings may be used to protect the
result of the feed forwarding part:
E80, SO that the same set of white-box operations may be subsequently reuse for the next 512-bit message blocks (if any).
[00203] In various embodiments, there may only be one 512-bit message block in Hβ(· ), which may include ten 32-bit message words of zero and a message word about the message bit length 160.
[00204] In various embodiments, the server may similarly make a white -box implementation on the Hβ(·) part, except that there may not be a need to apply white-box operations to the ten message words of zero. Likewise, the last message word about the message bit length may be protected with an affine mixing bijection.
[00205] The ten 32-bit message words of zero results in a reduction in the number of white-box operations in the message expansion phase and the compression function. Reusing the same set of white-box operations may also result in reduction computational and communication complexity. As a result, the white-box HMAC-SHA-1 implementation can be readily obtained from the above white-box implementations of the components of HMAC-SHA-1.
[00206] In various embodiments, when the user key is updated, the same set of white- box tables can be reused for different user keys, as long as the server releases the corresponding protected form of the new key to the client. Thus, the server does not need to generate another set of white-box tables every time a user key is updated, which reduces computational and communication complexity. In various embodiments it is better to limit the maximum number of keys used under a set of white-box tables, to avoid a security loss in this situation.
[00207] FIG. 11 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-256 implementation 1100 according to various embodiments of the present application.
[00208] Similarly, a general white-box implementation of HAMC-SHA-256 may be obtained using the same principles as the above white-box HAMC-SHA-1 implementation. [00209] In various embodiments, given (A0, A1, A2, A3, E0, E1, E2, E3), SHA-256 maybe implemented as follows:
where i = 4,5, ··· ,64.
[00210] In various embodiments, the white-box HMAC-SHA-256 implementation has the following main distinctions from white-box HMAC-SHA-1 implementation:
[00211] 1. Protecting α and β : for each of the eight 32-bit words A0, B0, ··· , H0, the sever generates a mixing bijection MBX and a layer of eight 4-bit encodings , here X ∈
{A,B, C, D,E, F, G, H} . Representing α as eight 32-bit blocks the
server computes
sends it to the client. The process for protecting β is similar to α .
[00212] 2. An instantiation of p with respect to the message expansion function of SHA-
256: white-box implementation of the message expansion function can be constructed with the white-box implementations of
[00213] In a high-level white-box implementation of the message expansion function of SHA-256, each (32-bit) message word Mt or expanded message word Wt is protected by a 32x32-bit mixing bijection
and a layer of eight 4-bit external encodings
, that is,
[00214] 3. White-box implementation of the compression function of SHA-256: Since
(. A0,B0, C0,D0,E0, F0, G0, H0 ) are protected by mixing bijections
(MB^ MBS, MBC, MBD, MBE, MBF, MBG, MBh) and the external encodings this makes white-box implementations of
Steps 0-3 slightly different from the white-box implementation of a general step of steps 4 and 63. Thus, only the affected mixing bijections and encodings may need to be change correspondingly.
4. Protecting the feed forwarding part: the same set of mixing bijections MBX and external encodings may be used to protect the result of the feed forwarding part: A0 A64,
B o EE B64, ···, and H0 EE H64. By this way, the same set of white-box operations may be reuse for the next 512-bit message blocks (if any), so as to process an arbitrary-length message.
[00215] In an embodiment, these differences are mainly due to the distinctions between SHA-1 and SHA-256, but white-box HMAC-SHA-256 implementation can be built with the above basic white-box operations in the same principles as white-box HMAC-SHA-1. [00216] There are variants with different trade-offs between security and performance. For example, we can use different dimension sizes of mixing bijections, encodings and white-box tables.
[00217] In various embodiments, different levels of iteration may be used for the general white-box implementations. In particular, the same set of white-box operations may be used to iterate step by step for the 80 steps of Hα(·). The white-box operations of Hα(·) may be reused for the Hβ(·) part. A step constant const i may be treated as a known variable.
[00218] In various embodiments, some parts may be left unprotected, for example, leave the value Hα(M) and the Hβ(·) part unprotected. While this may allow an attacker to produce a right (message, tag) pair under a known message attack scenario, this may be still useful in some applications.
[00219] While embodiments of the invention have been particularly shown and described with reference to specific embodiments, it should be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The scope of the invention is thus indicated by the appended claims and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced.
Claims
1. A method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor, the method comprising: receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation comprises a first layer comprising a first ADD table and a second layer comprising a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second- input and process the first second-input and the second second-input according to the second ADD table; and wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.
2. The method of claim 1, wherein the second second-input is equal to a partial sum of the two first inputs, and wherein the at least one processor is configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table.
3. The method of claim 2, wherein the modular addition operation comprises a third layer configured to receive the protected second output from the second layer, wherein the third
layer comprises a truncation table, the at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.
4. The method of claim 1, wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of at least one of a XOR, AND, NOT and rotation operation.
5. The method of claim 1, wherein the inner key configured to be protected by a first mixing bijection to produce a protected inner key and the outer key is configured to be protected by a second mixing bijection to produce a protected outer key, and the at least one processor is configured to obtain the HMAC based on the protected inner key and the protected outer key, wherein the first mixing bijection and the second mixing bijection are invertible matrices to provide diffusion of the inner key and the outer key.
6. The method of claim 1, wherein the input message is of arbitrary length.
7. The method of claim 1, wherein the input message is M bits; and the at least one processor is configured to use a first specific set of white-box operations for a first N bits of the input message and configured to use a general set of white-box operations for the remaining M-N bits.
8. The method of claim 7, wherein when the length of the input message changes to P bits, the at least one processor is configured to use a second specific set of white-box operations for a first Q bits of the input message and configured to use the general set of white-box operations for the remaining P-Q bits.
9. A system for generating a HMAC based on white-box implementation, the system comprising: a memory; at least one processor communicatively coupled to the memory, and configured to: receive an input message;
execute a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; execute a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation comprises a first layer comprising a first ADD table and a second layer comprising a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second- input and process the first second-input and the second second-input according to the second ADD table; and wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.
10. The system of claim 9, wherein the second second-input is equal to a partial sum of the two first inputs, and wherein the at least one processor is configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table.
11. The system of claim 10, wherein the modular addition operation comprises a third layer configured to receive the protected second output from the second layer, wherein the third layer comprises a truncation table, the at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.
12. The system of claim 9, wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the
inner hash function comprises a step of executing a white-box implementation of at least one of a XOR, AND, NOT and rotation operation.
13. The system of claim 9, wherein the inner key configured to be protected by a first mixing bijection to produce a protected inner key and the outer key is configured to be protected by a second mixing bijection to produce a protected outer key, and the at least one processor is configured to obtain the HMAC based on the protected inner key and the protected outer key, wherein the first mixing bijection and the second mixing bijection are invertible matrices to provide diffusion of the inner key and the outer key.
14. The system of claim 9, wherein the input message is of arbitrary length.
15. The system of claim 9, wherein the input message is M bits; and the at least one processor is configured to use a first specific set of white-box operations for a first N bits of the input message and configured to use a general set of white-box operations for the remaining M-N bits.
16. The system of claim 15, wherein when the length of the input message changes to P bits, the at least one processor is configured to use a second specific set of white-box operations for a first Q bits of the input message and configured to use the general set of white-box operations for the remaining P-Q bits.
17. A computer program product storing computer executable code comprising instructions for performing a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor, the method comprising: receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function
comprises a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation comprises a first layer comprising a first ADD table and a second layer comprising a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second- input and process the first second-input and the second second-input according to the second ADD table; and wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SG10202003013X | 2020-03-31 | ||
SG10202003013X | 2020-03-31 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021201779A1 true WO2021201779A1 (en) | 2021-10-07 |
Family
ID=77930446
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SG2021/050181 WO2021201779A1 (en) | 2020-03-31 | 2021-03-31 | Method and system for generating a hash-based message authentication code (hmac) based on white-box implementation |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2021201779A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114584291A (en) * | 2022-02-18 | 2022-06-03 | 杭州代码狗科技有限公司 | Key protection method, device, equipment and storage medium based on HMAC algorithm |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030041242A1 (en) * | 2001-05-11 | 2003-02-27 | Sarver Patel | Message authentication system and method |
US20100080395A1 (en) * | 2006-11-17 | 2010-04-01 | Koninklijke Philips Electronics N.V. | Cryptographic method for a white-box implementation |
US20190132116A1 (en) * | 2017-10-27 | 2019-05-02 | Nxp B.V. | Using white-box in a leakage-resilient primitive |
WO2019129772A1 (en) * | 2017-12-28 | 2019-07-04 | Koninklijke Philips N.V. | Whitebox computation of keyed message authentication codes |
-
2021
- 2021-03-31 WO PCT/SG2021/050181 patent/WO2021201779A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030041242A1 (en) * | 2001-05-11 | 2003-02-27 | Sarver Patel | Message authentication system and method |
US20100080395A1 (en) * | 2006-11-17 | 2010-04-01 | Koninklijke Philips Electronics N.V. | Cryptographic method for a white-box implementation |
US20190132116A1 (en) * | 2017-10-27 | 2019-05-02 | Nxp B.V. | Using white-box in a leakage-resilient primitive |
WO2019129772A1 (en) * | 2017-12-28 | 2019-07-04 | Koninklijke Philips N.V. | Whitebox computation of keyed message authentication codes |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114584291A (en) * | 2022-02-18 | 2022-06-03 | 杭州代码狗科技有限公司 | Key protection method, device, equipment and storage medium based on HMAC algorithm |
CN114584291B (en) * | 2022-02-18 | 2023-12-29 | 杭州代码狗科技有限公司 | Key protection method, device, equipment and storage medium based on HMAC algorithm |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7809135B2 (en) | System and method for protecting computer software from a white box attack | |
US20240045670A1 (en) | Obfuscation for protection of streaming media and other data flows | |
CN105049400B (en) | S box is split in whitepack implementation to prevent from attacking | |
CN105187364B (en) | Protect whitepack implementation not under fire | |
CN106888080B (en) | Protecting white-box feistel network implementations from false attacks | |
KR20140051163A (en) | Method and system for protecting execution of cryptographic hash functions | |
US11818245B2 (en) | Cryptographic device and method | |
WO2008101341A1 (en) | System and method for interlocking to protect software-mediated program and device behaviours | |
CN106953723B (en) | Splitting and merging method for preventing DFA attack | |
CN107273724B (en) | Watermarking input and output of white-box implementations | |
US9380033B2 (en) | Implementing use-dependent security settings in a single white-box implementation | |
CN105978680B (en) | Encryption operation method for encryption key | |
EP2960891B1 (en) | Method for introducing dependence of white-box implementationon a set of strings | |
US20210036864A1 (en) | Method and system for generating a keccak message authentication code (kmac) based on white-box implementation | |
CN105281893B (en) | For introducing white box realization to the method for the dependence of set of strings | |
WO2021201779A1 (en) | Method and system for generating a hash-based message authentication code (hmac) based on white-box implementation | |
US9338145B2 (en) | Security patch without changing the key | |
EP3413509B1 (en) | Cmac computation using white-box implementations with external encodings | |
EP2940920B1 (en) | Security patch without changing the key | |
WO2021201780A1 (en) | Method and system for white-box implementation of a stream cipher | |
Sermeno et al. | Modified vigenere cryptosystem using matrix manipulation and base94 encoding scheme |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21782375 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21782375 Country of ref document: EP Kind code of ref document: A1 |