WO2021201779A1

WO2021201779A1 - Method and system for generating a hash-based message authentication code (hmac) based on white-box implementation

Info

Publication number: WO2021201779A1
Application number: PCT/SG2021/050181
Authority: WO
Inventors: Jiqiang LU; Sze Ling YEO; Zhigang Zhao; Huaqun Guo
Original assignee: Agency For Science, Technology And Research
Priority date: 2020-03-31
Filing date: 2021-03-31
Publication date: 2021-10-07

Abstract

There is provided a method of generating a hash-based message authentication code (HMAC) based on white-box implementation. Using a processor, the method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the processor is configured to use a first ADD table to receive two first inputs and tp produce a first output corresponding to a value of a carry bit of the first ADD table based on two first inputs, and the processor is configured to use a second ADD table to receive a first second-input based on the first output and a second second-input.

Description

METHOD AND SYSTEM FOR GENERATING A HASH-BASED MESSAGE AUTHENTICATION CODE (HMAC) BASED ON WHITE-BOX

IMPUEMENTATION

CROSS-REFERENCE TO REUATED APPUICATION [0001] This application claims the benefit of priority of Singapore Patent Application No. 10202003013X, filed 31 March 2020, the content of which being hereby incorporated by reference in its entirety for all purposes.

TECHNICAU FIEUD

[0002] The present invention generally relates to a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, and a system thereof.

BACKGROUND

[0003] Industrial Internet of Things (IIoT) refers to the extension and use of Internet of Things (IoT) in industrial sectors and applications. A digital service distributed by the service provider from a server to a client app running in a physical device (e.g., game console, mobile phone, set-top box). The physical device needs to authenticate some attributes associated with the digital contents, e.g., the contents originate from the right server and have not been tampered by a third party to include malware.

[0004] A common authentication method is to use a message authentication code (MAC) where the client’s device will compute the digest of digital content and compare with that received together from the server. However, IoT devices (e.g. mobile phone, game console and TV box) usually operate on a platform which is under partial or full control of the device owner. The device owner has control of the service device and can access the source code and intermediate results of a cryptographic implementation. Therefore, the device may be accessed and attacked by a user for unauthorized use of the service. This security compromise may allow device owner to carry out malicious and unauthorized activities, e.g. accessing paid TV programs without paying.

[0005] There is a need to prevent the device owners from extracting a secret key which is used in a MAC algorithm, which is also known as key extraction attacks, and preventing the device owners from generating the digest of an unauthorized message (known as code lifting attacks), while performing HMAC operations efficiently on clients’ devices. An input message is divided into a plurality of words of n bits to undergo a series of iterative computations to form a MAC output.

[0006] A need therefore exists to increase security when generating a HMAC, such as but not limited to, addressing or mitigating key extraction and code lifting attacks. It is against this background that the present invention has been developed.

SUMMARY

[0007] The present disclosure generally relates to a method of generating a hash-based message authentication code (HMAC) based on white-box implementation. The method may include using at least one processor. The method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white- box implementation of the inner hash function includes a step of executing a white -box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table; wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.

[0008] The present disclosure generally relates to a system for generating a HMAC based on white-box implementation. The system may also include a memory. The system may also include at least one processor communicatively coupled to the memory, and configured to: receive an input message; execute a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; execute a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function includes a step of executing a white- box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table; wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.

[0009] The present disclosure generally relates to computer program product storing computer executable code including instructions for performing a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor. The method may include receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white- box implementations of the cryptographic hash function and the white-box implementation of the inner hash function includes a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation includes a first layer including a first ADD table and a second layer including a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table; wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.

BRIEF DESCRIPTION OF THE DRAWINGS [0010] Embodiments of the present invention will be better understood and readily apparent to one of ordinary skill in the art from the following written description, by way of example only, and in conjunction with the drawings, in which:

[0011] FIG. 1 depicts a flow diagram illustrating a method of generating a HMAC based on white-box implementation according to various embodiments of the present application;

[0012] FIG. 2A depicts a schematic block diagram of a system for generating a HMAC based on white-box implementation, according to various embodiments of the present application;

[0013] FIG. 2B depicts an exemplary system for generating a HMAC based on white- box implementation, according to various embodiments of the present application;

[0014] FIG. 3A depicts a schematic drawing illustrating a step update function of SHA- 1, according to various embodiments of the present application;

[0015] FIG. 3B depicts a schematic drawing illustrating a step update function of SHA- 256 according to various embodiments of the present application;

[0016] FIG. 4 illustrates a white -box implementation of X

Y operation according to various embodiments of the present application;

[0017] FIGS. 4A to 4F are enlarged versions of various portions of FIG. 4 for better clarity;

[0018] FIG. 5 illustrates a white-box implementation of (X <<< Φ) ® (Y <<< φ) operation according to various embodiments of the present application;

[0019] FIGS. 5 A to 5C are enlarged versions of various portions of FIG. 5 for better clarity;

[0020] FIG. 6 illustrates a white-box implementation of ( X <<< Φ ) & ( Y <<< φ) operation according to various embodiments of the present application;

[0021] FIGS. 6A to 6D are enlarged versions of various portions of FIG. 6 for better clarity; [0022] FIG. 7 illustrates a white-box implementation of (

X)&(Y <<< ø) operation according to various embodiments of the present application;

[0023] FIGS. 7A to 7D are enlarged versions of various portions of FIG. 7 for better clarity;

[0024] FIG. 8 illustrates a white-box implementation of (X » ø) Y operation

according to various embodiments of the present application;

[0025] FIGS. 8 A to 8C are enlarged versions of various portions of FIG. 8 for better clarity;

[0026] FIG. 9 illustrates a white-box implementation of X

const_i operation according to various embodiments of the present application;

[0027] FIGS. 9A to 9F are enlarged versions of various portions of FIG. 9 for better clarity;

[0028] FIG. 10 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-1 implementation according to various embodiments of the present application;

[0029] FIGS. 10A to 10G are enlarged versions of various portions of FIG. 10 for better clarity;

[0030] FIG. 11 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-256 implementation according to various embodiments of the present application.

DETAILED DESCRIPTION

[0031] Various embodiments of the present invention provide a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, and a system thereof.

[0032] The following detailed description refers to the accompanying drawings that show, by way of illustration, specific details and embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. Other embodiments may be utilized and structural, and logical changes may be made without departing from the scope of the invention. The various embodiments are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments. [0033] Embodiments described in the context of one of the system or methods computer program product or computer executable code are analogously valid for the other systems or methods or computer program product or computer executable code and vice- versa.

[0034] Features that are described in the context of an embodiment may correspondingly be applicable to the same or similar features in the other embodiments. Features that are described in the context of an embodiment may correspondingly be applicable to the other embodiments, even if not explicitly described in these other embodiments. Furthermore, additions and/or combinations and/or alternatives as described for a feature in the context of an embodiment may correspondingly be applicable to the same or similar feature in the other embodiments.

[0035] The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any embodiment or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments or designs

[0036] In the context of various embodiments, the articles “a”, “an”, and “the” as used with regard to a feature or element include a reference to one or more of the features or elements.

[0037] As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.

[0038] The terms “at least one” and “one or more” may be understood to include a numerical quantity greater than or equal to one (e.g., one, two, three, four, [...], etc.). The term “a plurality” may be understood to include a numerical quantity greater than or equal to two (e.g., two, three, four, five, [...], etc.).

[0039] The words “plural” and “multiple” in the description and the claims expressly refer to a quantity greater than one. Accordingly, any phrases explicitly invoking the aforementioned words (e.g. “a plurality of [objects]”, “multiple [objects]”) referring to a quantity of objects expressly refers more than one of the said objects. The terms “group (of)”, “set [of]”, “collection (of)”, “series (of)”, “sequence (of)”, “grouping (of)”, etc., and the like in the description and in the claims, if any, refer to a quantity equal to or greater than one, i.e. one or more. The terms “proper subset”, “reduced subset”, and “lesser subset” refer to a subset of a set that is not equal to the set, i.e. a subset of a set that contains less elements than the set. [0040] The term “data” as used herein may be understood to include information in any suitable analog or digital form, e.g., provided as a file, a portion of a file, a set of files, a signal or stream, a portion of a signal or stream, a set of signals or streams, and the like. Further, the term “data” may also be used to mean a reference to information, e.g., in form of a pointer. The term data, however, is not limited to the aforementioned examples and may take various forms and represent any information as understood in the art.

[0041] The term “processor” or “controller” as, for example, used herein may be understood as any kind of entity that allows handling data, signals, etc. The data, signals, etc. may be handled according to one or more specific functions executed by the processor or controller.

[0042] A processor or a controller may thus be or include an analog circuit, digital circuit, mixed-signal circuit, logic circuit, processor, microprocessor, Central Processing Unit (CPU), Graphics Processing Unit (GPU), Digital Signal Processor (DSP), Field Programmable Gate Array (FPGA), integrated circuit, Application Specific Integrated Circuit (ASIC), etc., or any combination thereof. Any other kind of implementation of the respective functions, which will be described below in further detail, may also be understood as a processor, controller, or logic circuit. It is understood that any two (or more) of the processors, controllers, or logic circuits detailed herein may be realized as a single entity with equivalent functionality or the like, and conversely that any single processor, controller, or logic circuit detailed herein may be realized as two (or more) separate entities with equivalent functionality or the like.

[0043] The term “system” detailed herein may be understood as a set of interacting elements, the elements may be, by way of example and not of limitation, one or more mechanical components, one or more electrical components, one or more instructions (e.g., encoded in storage media), one or more controllers, etc.

[0044] A “circuit” as used herein is understood as any kind of logic-implementing entity, which may include special-purpose hardware or a processor executing software. A circuit may thus be an analog circuit, digital circuit, mixed-signal circuit, logic circuit, processor, microprocessor, Central Processing Unit (“CPU”), Graphics Processing Unit (“GPU”), Digital Signal Processor (“DSP”), Field Programmable Gate Array (“FPGA”), integrated circuit, Application Specific Integrated Circuit (“ASIC”), etc., or any combination thereof. Any other kind of implementation of the respective functions which will be described below in further detail may also be understood as a “circuit.” It is understood that any two (or more) of the circuits detailed herein may be realized as a single circuit with substantially equivalent functionality, and conversely that any single circuit detailed herein may be realized as two (or more) separate circuits with substantially equivalent functionality. Additionally, references to a “circuit” may refer to two or more circuits that collectively form a single circuit.

[0045] As used herein, “memory” may be understood as a non-transitory computer- readable medium in which data or information can be stored for retrieval. References to “memory” included herein may thus be understood as referring to volatile or non-volatile memory, including random access memory (“RAM”), read-only memory (“ROM”), flash memory, solid-state storage, magnetic tape, hard disk drive, optical drive, etc., or any combination thereof. Furthermore, it is appreciated that registers, shift registers, processor registers, data buffers, etc., are also embraced herein by the term memory. It is appreciated that a single component referred to as “memory” or “a memory” may be composed of more than one different type of memory, and thus may refer to a collective component including one or more types of memory. It is readily understood that any single memory component may be separated into multiple collectively equivalent memory components, and vice versa. Furthermore, while memory may be depicted as separate from one or more other components (such as in the drawings), it is understood that memory may be integrated within another component, such as on a common integrated chip.

[0046] The following detailed description refers to the accompanying drawings that show, by way of illustration, specific details and aspects in which the present disclosure may be practiced. These aspects are described in sufficient detail to enable those skilled in the art to practice the present disclosure. Various aspects are provided for the present system, and various aspects are provided for the methods. It will be understood that the basic properties of the system also hold for the methods and vice versa. Other aspects may be utilized and structural, and logical changes may be made without departing from the scope of the present disclosure. The various aspects are not necessarily mutually exclusive, as some aspects can be combined with one or more other aspects to form new aspects. [0047] To more readily understand and put into practical effect, the present system, method, and other particular aspects will now be described by way of examples and not limitations, and with reference to the figures. For the sake of brevity, duplicate descriptions of features and properties may be omitted. [0048] It will be understood that any property described herein for a specific system or device may also hold for any system or device described herein. It will also be understood that any property described herein for a specific method may hold for any of the methods described herein. Furthermore, it will be understood that for any device, system, or method described herein, not necessarily all the components or operations described will be enclosed in the device, system, or method, but only some (but not all) components or operations may be enclosed.

[0049] The term “comprising” shall be understood to have a broad meaning similar to the term “including” and will be understood to imply the inclusion of a stated integer or operation or group of integers or operations but not the exclusion of any other integer or operation or group of integers or operations. This definition also applies to variations on the term “comprising” such as “comprise” and “comprises”.

[0050] The term “coupled” (or “connected”) herein may be understood as electrically coupled or as mechanically coupled, e.g., attached or fixed or attached, or just in contact without any fixation, and it will be understood that both direct coupling or indirect coupling (in other words: coupling without direct contact) may be provided.

[0051] FIG. 1 depicts a flow diagram illustrating a method 100 of generating a hash- based message authentication code (HMAC) based on white-box implementation, using at least one processor. The method 100 includes a step 102 of receiving an input message. In an embodiment, the method 100 includes a step 104 of obtaining executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key. The inner key may be used to obtain an inner hash function. In an embodiment, the method 100 includes a step 106 of executing a white-box implementation of the inner hash function to obtain an outer key. The outer key may be used to obtain the HMAC. In various embodiments, executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include a step of executing a white-box implementation of a modular addition operation. In various embodiments, the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The second layer may include a second ADD table. The at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table. The first output may be subjected to a first mixing operation to produce a protected first output. The first mixing operation may be a linear operation to provide diffusion of the first output. The first second-input may be based on the protected first output.

[0052] FIG. 2A depicts a schematic block diagram of a system 200 for generating a HMAC based on white-box implementation, according to various embodiments of the present invention, such as corresponding to the method 100 of generating a HMAC based on white-box implementation as described hereinbefore according to various embodiments of the present invention.

[0053] In various embodiments, white-box implementation (i.e., white-box cryptography) of a system, results in users having access to source codes and internal workings of the system. White-box cryptography combines methods of encryption and obfuscation to embed secret key(s) within the source code. The goal is to combine the source code and the secret key(s) in such a way that the two are indistinguishable to user which allows the white-box implementation of the system to be safely run in an insecure environment.

[0054] In various embodiments, the system 200 may include a memory 202. The system 200 may include at least one processor 204. The at least one processor 204 may be communicatively coupled to the memory 202. The at least one processor 204 may be configured to receive an input message. In an embodiment, the at least one processor 204 may be configured to obtain executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key. The inner key may be used to obtain an inner hash function. In an embodiment, the at least one processor 204 may be configured to execute a white-box implementation of the inner hash function to obtain an outer key. The outer key may be used to obtain the HMAC. In various embodiments, executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include a step of executing a white-box implementation of a modular addition operation. Modular addition operations are addition operations for integers, where values reset to zero and begin to increase again, after reaching a certain predefined value, called the modulo. In various embodiments, the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table. The first output may be subjected to a first mixing operation to produce a protected first output. The first mixing operation may be a linear operation to provide diffusion of the first output. The first second-input may be based on the protected first output.

[0055] In various embodiments, an ADD table is a table including rules of an addition process. The processor 204 may be configured to determine an output from two inputs based on the rules of the ADD table. The ADD table specifies how two inputs should be added based on the rules.

[0056] In various embodiments, the first output has corresponding plaintext and ciphertext. When diffusion is done on the first output, a character of the plaintext is changed, and several characters of the ciphertext is changed. This means that frequency statistics of in the plaintext are diffused over several characters in the ciphertext, which results in higher security and lower risk of frequency analysis attacks.

[0057] Therefore, diffusing of the carry bit in the first ADD table results in a protected carry bit which makes it harder for users to conduct frequency analysis attacks, which increases security and lowers risk of frequency analysis attacks.

[0058] It will be appreciated to a person skilled in the art that the system 200 may also be embodied as a server, a device or an apparatus.

[0059] It will be appreciated by a person skilled in the art that the at least one processor 204 may be configured to perform the required functions or operations through set(s) of instructions (e.g., software modules) executable by the at least one processor 204 to perform the required functions or operations. Accordingly, as shown in FIG. 2A, the system 200 may further include a white-box implementation module (or a white-box implementation circuit) 206 configured to generate a HMAC based on white-box implementation. The system 200 may further include a message communication module (or message communication circuit) 208 configured to receive an input message.

[0060] In various embodiments, the white-box implementation module 206 may be configured to obtain executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key. The inner key may be used to obtain an inner hash function. In an embodiment, the at least one processor 204 may be configured to execute a white-box implementation of the inner hash function to obtain an outer key. The outer key may be used to obtain the HMAC. In various embodiments, executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function may include executing a white-box implementation of a modular addition operation. In various embodiments, the white-box implementation of the modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The second layer may include a second ADD table. The at least one processor may be configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The at least one processor is configured to receive a first second-input based on the first output and a second second-input and process the first second-input and the second second-input according to the second ADD table. The first output may be subjected to a first mixing operation to produce a protected first output. The first mixing operation may be a linear operation to provide diffusion of the first output. The first second-input may be based on the protected first output.

[0061] In various embodiments, the second second-input may be based (e.g., equal to) on a partial sum of the two first inputs. The at least one processor may be configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table. [0062] In various embodiments, the modular addition operation may include a third layer. The third layer may be configured to receive the protected second output from the second layer. The third layer may include a truncation table. The at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.

[0063] In various embodiments, the at least one processor 204 may be configured to execute at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function by executing a step of a white- box implementation of at least one of a XOR, AND, NOT and rotation operation.

[0064] In various embodiments, the inner key is configured to be protected by a first mixing bijection to produce a protected inner key. The outer key is configured to be protected by a second mixing bijection to produce a protected outer key. The at least one processor is configured to obtain the HMAC based on the protected inner key and the protected outer key. The first mixing bijection and the second mixing bijection may be invertible matrices to provide diffusion of the inner key and the outer key [0065] In various embodiments, the input message is of arbitrary length.

[0066] In various embodiments, the input message may be M bits. The at least one processor may be configured to use a first specific set of white-box operations for a first N bits of the input message. The at least one processor may be configured to use a general set of white-box operations for the remaining M-N bits.

[0067] In various embodiments, the length of the input message may change from M bits to P bits. The at least one processor may be configured to use a second specific set of white- box operations for a first Q bits of the input message of P bits. The at least one processor may be configured to use the general set of white-box operations for the remaining P-Q bits.

[0068] It will be appreciated by a person skilled in the art that the above-mentioned modules are not necessarily separate modules, and two or more modules may be realized by or implemented as one functional module (e.g., a circuit or a software program) as desired or as appropriate without deviating from the scope of the present invention. For example, the white-box implementation module 206, the message communication module 208 may be realized (e.g., compiled together) as one executable software program (e.g., software application or simply referred to as an “app”), which for example may be stored in the memory 202 and executable by the at least one processor 204 to perform the functions/operations as described herein according to various embodiments.

[0069] In various embodiments, the system 200 corresponds to the method 100 as described hereinbefore with reference to FIG. 1, therefore, various functions or operations configured to be performed by the least one processor 204 may correspond to various steps of the method 100 described hereinbefore according to various embodiments, and thus need not be repeated with respect to the system 200 for clarity and conciseness. In other words, various embodiments described herein in context of the methods are analogously valid for the respective systems (e.g., which may also be embodied as devices), and vice versa. [0070] A computing system, a controller, a microcontroller or any other system providing a processing capability may be provided according to various embodiments in the present disclosure. Such a system may be taken to include one or more processors and one or more computer-readable storage mediums. For example, the system 200 described hereinbefore may include a processor (or controller) 204 and a computer-readable storage medium (or memory) 202 which are for example used in various processing carried out therein as described herein.

[0071] Some portions of the present disclosure are explicitly or implicitly presented in terms of algorithms and functional or symbolic representations of operations on data within a computer memory. These algorithmic descriptions and functional or symbolic representations are the means used by those skilled in the data processing arts to convey most effectively the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities, such as electrical, magnetic or optical signals capable of being stored, transferred, combined, compared, and otherwise manipulated.

[0072] Unless specifically stated otherwise, and as apparent from the following, it will be appreciated that throughout the present specification, discussions utilizing terms such as “obtaining”, “receiving”, “obtaining”, “modifying”, “inputting”, “executing” or the like, refer to the actions and processes of a computer system, or similar electronic device, that manipulates and transforms data represented as physical quantities within the computer system into other data similarly represented as physical quantities within the computer system or other information storage, transmission or display devices.

[0073] The present specification also discloses a system (e.g., which may also be embodied as a device or an apparatus) for performing the operations/functions of the methods described herein. Such a system may be specially constructed for the required purposes, or may comprise a general purpose computer or other device selectively activated or reconfigured by a computer program stored in the computer. The algorithms presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose machines may be used with computer programs in accordance with the teachings herein. Alternatively, the construction of more specialized apparatus to perform the required method steps may be appropriate.

[0074] In addition, the present specification also at least implicitly discloses a computer program or software/functional module, in that it would be apparent to the person skilled in the art that the individual steps of the methods described herein may be put into effect by computer code. The computer program is not intended to be limited to any particular programming language and implementation thereof. It will be appreciated that a variety of programming languages and coding thereof may be used to implement the teachings of the disclosure contained herein. Moreover, the computer program is not intended to be limited to any particular control flow. There are many other variants of the computer program, which can use different control flows without departing from the spirit or scope of the invention. It will be appreciated by a person skilled in the art that various modules described herein may be software module(s) realized by computer program(s) or set(s) of instructions executable by a computer processor to perform the required functions, or may be hardware module(s) being functional hardware unit(s) designed to perform the required functions. It will also be appreciated that a combination of hardware and software modules may be implemented.

[0075] Furthermore, one or more of the steps of a computer program/module or method described herein may be performed in parallel rather than sequentially. Such a computer program may be stored on any computer readable medium. The computer readable medium may include storage devices such as magnetic or optical disks, memory chips, or other storage devices suitable for interfacing with a general purpose computer. The computer program when loaded and executed on such a general-purpose computer effectively results in an apparatus that implements the steps of the methods described herein.

[0076] In various embodiments, there is provided a computer program product, embodied in one or more computer-readable storage mediums (non-transitory computer- readable storage medium), which may store computer executable code. The computer executable code may include instructions executable by one or more computer processors to perform a method 100 of generating a HMAC based on white-box implementation as described hereinbefore with reference to FIG. 1. Accordingly, various computer programs or modules described herein may be stored in a computer program product receivable by a system therein, such as the system 200 as shown in FIG. 2A, for execution by at least one processor 204 of the system 200 to perform the required or desired functions.

[0077] The software or functional modules described herein may also be implemented as hardware modules. More particularly, in the hardware sense, a module is a functional hardware unit designed for use with other components or modules. For example, a module may be implemented using discrete electronic components, or it can form a portion of an entire electronic circuit such as an Application Specific Integrated Circuit (ASIC). Numerous other possibilities exist. Those skilled in the art will appreciate that the software or functional module(s) described herein can also be implemented as a combination of hardware and software modules.

[0078] FIG. 2B depicts an exemplary system for generating a HMAC based on white- box implementation, according to various embodiments of the present application.

[0079] Various methods/ or functional modules (e.g., the white-box implementation module 206 and/or the message communication module 208) may be implemented as software, such as a computer program being executed within the computer system 250, and instructing the computer system 250 (in particular, one or more processors therein) to conduct the methods/functions of various embodiments described herein. The computer system 250 may include a computer module 252, an input module 254 such as a keyboard, and an output device 256 such as a display. The computer module 252 may be connected to a computer network 258 to enable access to e.g., the Internet or other network systems such as Local Area Network (LAN) or Wide Area Network (WAN). The computer module 252 may include a processor 260 for executing various instructions according to embodiments disclosed herein. The computer system 250 may include a database 262 which includes data (e.g., video content). The computer system 252 may also include a MAC (e.g., HMAC) generator 264 which may generate a MAC. The MAC generator 264 may send data (e.g., video content) to a receiver 266 in a message. The message includes the MAC. The receiver 266 may be a user receiver, and may include a MAC reconstruction unit 268. The MAC reconstruction unit 268 may check the MAC in the message in accordance with some predetermined requirements (e.g., secret key is known). If the predetermined requirements are met, the MAC reconstruction unit 268 may output the data (e.g., the video content) to the output device (e.g., display) 256.

[0080] In this disclosure, various notations used herein are provided. The bits of a value may be numbered from left to right, starting with 0, the rightmost bit of a value is the least significant bit, and its leftmost bit is the most significant bit. A number without a prefix may express a decimal number unless stated otherwise. A number with prefix Ox may express a hexadecimal number. The following notations are used herein, bitwise exclusive OR (XOR)

& bitwise AND

I bitwise OR the complement (NOT)

addition modulo 2³²

<< (>>) left (right) shift of a bit string <<< (>>>) left (right) rotation of a bit string II bit string concatenation o functional composition. When composing functions X and Y , X ° Y denotes the function obtained by first applying X and then applying Y.

[0081] In various embodiments, the HMAC may be defined as HMAC(X, M) = H(( opad ) ||H(( ipad ) ||M)), where M is the message to be authenticated, H is a

cryptographic hash function,

represents the value generated by using the message padding rule of H to append the user key K to the length of a full message block of H, ipad and opad are two public constants that are of the same length as a full message block of H. In particular ipad and opad may be referred as inner and outer keys of the

HMAC, respectively.

[0082] In various embodiments, HMAC may use two passes of hash computation. A secret key may be used to derive the inner key and the outer key. A first pass of a HMAC algorithm may produce an internal hash derived from the message and the inner key. A second pass of a HMAC algorithm may produce a final HMAC code derived from the inner hash result and the outer key. Advantageously, HMAC provides better immunity against length extension attacks.

[0083] In various embodiments, HMAC does not encrypt the message. Instead, the message (encrypted or not) may be sent alongside the HMAC hash. Parties with the secret key may hash the message again themselves, and if it is authentic, the received and computed hashes will match.

[0084] In various embodiments, any cryptographic hash function H , such as SHA- 1 or SHA-256, may be used in the calculation of a HMAC. The cryptographic hash function H which may be an iterative hash function may break up a message into blocks of a fixed size and may iterate over them with a compression function. For example, SHA-256 operates on 512-bit blocks. The size of the output of HMAC is the same as that of the underlying cryptographic hash function H (e.g., 256 and 512 bits in the case of SHA-256 and SHA-512, respectively), although it can be truncated if desired. [0085] FIG. 3A depicts a schematic drawing illustrating a step update function of SHA- 1, according to various embodiments of the present application.

[0086] In various embodiments, in the step update function 300 of SHA-1, the SHA-1 hash function may take as an input, a message of less than 2⁶⁴ bits long. The SHA-1 hash function may output a 160-bit message.

[0087] In various embodiments, the message may be padded to be a multiple of 512 in bit length. The message may be appended with '1' and '0'. The padded message may be parsed into a number of blocks for example N blocks. Each N block may be of M bits. The N blocks may be processed iteratively. The N block of M bits may be divided into smaller words of P bits. Each word of P bits may be expanded by a message expansion function. The expanded words may be processed by a compression function that may be based on the step update function 300. A hash function may be obtained at the end of the process. [0088] In an exemplary embodiment, the step update function 300 of SHA-1 may be processed using the following phases:

1. The message may be padded to be a multiple of 512 in bit length, by first appending the bit ‘1’ to the end of the message. A minimum number of zeros may be appended so that the resulting message may be 448 mod 512 in bit length. The 64-bit representation of the bit length of the original message may be appended.

2. The padded message may be parsed into a number, e.g., N , of 512-bit blocks M⁽⁰⁾, M⁽¹⁾, ... M^(N-1),

3. The N 512-bit blocks M⁽⁰⁾, M⁽¹⁾, ... M^(N-1) may be processed iteratively, as follows:

For n = 0,1, ..., N — 1:

(a) The 512-bit padded message may be divided into sixteen 32-bit worlds M₀ ⁽ⁿ⁾, M₁ ⁽ⁿ⁾, ... M₁₅ ⁽ⁿ⁾,

(b) Eighty expanded 32-bit message blocks

W_i ⁽ⁿ⁾ 302 may be generated by the following message expansion function (0 ≤ i ≤ 80). for 0 ≤ t ≤ 15;

for 16 ≤ i ≤ 79. (c) The eighty expanded 32-bit message blocks

302 may be processed by the following compression function that may be based on the step update function 300, wherein inputs 304 (e.g., message blocks 302, a constant consti (i.e., i-th step

constant ) 306 are used to obtain outputs 308 (e.g.,

For i = 0 to 79:

4. A message digest of the step function 300 may be

The message digest may include a string of digits created by a one-way hashing formula. The message digest may be designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message.

[0089] In the above, are 32-bit variables (0 ≤ l ≤ 80) ,

are the (public and fixed) 160-bit initial value (IV) of SHA-1.

The cryptographic function 308 may be based on an if function f_if, a XOR function f_xor and a major function f_maj . The cryptographic function 308 is defined as follows:

[0090]

[0091] FIG. 3B depicts a schematic drawing illustrating a step update function of SHA- 256 according to various embodiments of the present application.

[0092] In various embodiments, in the step update function 350 of SHA-256, the SHA- 256 hash function may take as an input, a message of less than 2⁶⁴ bits long. The SHA-256 hash function may output a 256-bit message. SHA-256 differs from SHA-1 mainly in message expansion phase, the compression function and feed forwarding part. [0093] In various embodiments, the message may be padded to be a multiple of 2048 in bit length. The message may be appended with ‘ 1’ and ‘ 0’. The padded message may be parsed into a number of blocks for example N blocks. Each N block may be of M bits. The N blocks may be processed iteratively. The N block of M bits may be divided into smaller words of P bits. Each word of P bits may be expanded by a message expansion function. The expanded words may be processed by a compression function that may be based on the step update function 350.

[0094] In an exemplary embodiment, sixty-four expanded 32-bit message blocks

352 may be generated by the following message expansion function (0 ≤ i ≤ 63).

Where

[0095] The 64 expanded 32-bit message blocks

352 may be processed by the following compression function that may be based on the step update function 350, wherein inputs 354 (e.g., message blocks

352, a constant const_i (i.e., i-th step

constant ) 356, a function 360, a Ch function 362, a function 364, a Maj function

366, are used to obtain outputs 358 (e.g.,

For i = 0 to 63:

[0096] A message digest may be

[0097] In the above, the inputs 354 may be

32-bit variables (0 ≤ l ≤ 64) , initial values (IV)

may be the 256-bit IV of SHA-256. The

function 360, the Ch function 362, the

function 364, the Maj function 366 may be defined as,

[0098] In a known implementation of an addition procedure in an encryption process, a 32-bit addition is divided into eight 4-bit additions and a carry bit is treated as an individual input/output parameter, where 4-bit inputs/outputs are protected with 4-bit encodings and the one -bit carry bits are protected with one-bit encodings.

[0099] However, the above-mentioned addition procedure can be attacked by frequency analysis. Firstly, the outputs of the addition mod 2³² are uniformly distributed, where a carry bit overflows if any. However, the outputs of a partial addition are not uniformly distributed, due to the existence of carry bits. In the case of 4-bit partial addition, 15 is the most frequent output, which takes place 16 times (in total), 0 and 30 take place one time each, 1 and 29 takes place twice each, and so on until that 14 and 16 take place 15 times each.

[00100] As a consequence, the above-mentioned addition procedure may be broken by the following way: first deduce the encoding for the most frequent output (i.e. 15), then distinguish the two protected cases of flipped and unflipped carry bits from the case of the most frequent output 15 by frequency analysis, and finally deduce the encodings for the other outputs (i.e. 0,1, ··· ,14,16,17, ··· ,30) pairwise by frequency analysis. As such, all the encodings for the 4-bit partial addition implementation may be recovered.

[00101] The main distinctions between white-box implementations of HMAC-SHA- 1/2 and AES/DES are discussed below. The white-box implementation schema of HMAC aims to resist both key extraction and code lifting, which is generic and is independent from the underlying hash function instantiated, as long as the hash function is based on the Merkle- Damgard construction. [00102] A few distinctions between HMAC-SHA-1/2 and the AES or DES block cipher that differentiate their white-box implementations:

[00103] 1. In AES, the starting value is plaintext, which is variable. While in HMAC, the staring value is the initial value of the underlying hash function, which is a public constant.

[00104] 2. HMAC processes message and key in four clearly separated passes:

[00105] (a) Process only the inner key in the first block of the first hash computation.

[00106] (b) Process only message in the subsequent block(s) of the first hash computation.

[00107] (c) Process only the outer key in the first block of the second hash computation.

[00108] (d) Compute the message digest in the second block of the second hash computation.

[00109] In short, HMAC processes only either data or key in each step, which can be easily detached. In other words, each of steps (a) to (d) can be processed independently. The system disclosed herein may process the data and the key separately. By comparison, AES processes data and key in a completely involved way in each round or each fundamental function, which makes it hard to detach the processes on data and key. In other words, AES processes the data and the key together.

[00110] 3. Given a key, an AES round takes as input the output of the previous round (if any), while a HMAC-SHA-1/2 step takes as input the output of the previous step (if any) and another extended message block.

[00111] 4. AES has a fixed block size, while HMAC works on a variable-length message.

[00112] These distinctions make the white-box HAMC implementation quite different from the white-box AES/DES implementation. There are also various specific distinctions, for example, SHA-1/2 uses modular addition extensively.

[00113] To generate a HMAC value on a message M, the white-box implementation of HMAC includes four phases:

[00114] 1. The server computes

ipad ), whereα may be an inner key

[00115] 2. The server generates a white-box implementation for

H_α (M), by treating α as a secret key and M as a message, where H_α means that the hash function H with the initial value replaced by the value α, p and g are (secret) external encodings of H_α. The output of this phase is denoted by y = (p(M)) ° H_α ° g, where y may be considered as an inner hash

[00116] 3. The server computesβ = H(/f ® opad ), whereβ may be an outer key.

[00117] 4. The server generates a white-box implementation (g^_1(y)) ° H

_β ° q for

H_β (H_α(M)), by treatingβ as a secret key and y as a message,

means that the hash function H with the initial value replaced by the value b , q is the external output encoding of H_β. We denote the output of this phase by δ = (g^_1(y)) ° H_β ° q, where d may be referred as the HMAC or HMAC value.

[00118] As a result, δ = (p(M)) ° H_α ° H_β° q, wherein p and q can be regarded as external encodings of HMAC.

[00119] In various embodiments, a white -box implementation method according to various example embodiments to prevent key extraction and code lifting attacks to some extent is described. White-box implementation of HMAC may involve the following operations:

which can be summarised as the following basic operations:

where

. Note that some other operations can be obtained similarly from these basic operations.

[00120] FIG. 4 illustrates a white -box implementation of XEEIY operation according to various embodiments of the present application.

[00121] FIGS. 4A to 4F are enlarged versions of various portions of FIG. 4 for better clarity.

[00122] In various embodiments, the white-box implementation of a modular addition operation may include a first layer and a second layer. The first layer may include a first ADD table. The second layer may include a second ADD table. The first ADD table may be configured to receive two first inputs. The first ADD table may produce a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs. The second ADD table may be configured to receive two second inputs. The two second inputs may be a first second-input and a second second-input. The first second-input may be based on the first output. [00123] In various embodiments, the white-box implementation may include subjecting the first output to a first mixing operation to produce a protected first output. The first second-input may be based on the protected first output.

[00124] In various embodiments, the second second-input may be based on a partial sum of the two first inputs. The second ADD table may be configured to produce a protected second output corresponding to a value of a carry bit of the second ADD table.

[00125] In various embodiments, the white-box implementation of the modular addition operation may include a third layer. The third layer may include a truncation table. The truncation table may be configured to receive the protected second output to produce an addition result of the modular addition operation.

[00126] In an exemplary embodiment, the white -box implementation of X EQ Y 400 may include two variables X 401A and Y 401B which may be two 32-bit variables and may be protected in their white-box forms

and

respectively, where MB^X and MB^Y are 32x32-bit mixing bijections, and are two groups

of eight 4 -bit encodings.

[00127] As illustrated in Fig. 4, the white-box implementation of

400 may include six layers at a high level, whose dimensional sizes of the segments and white-box operations may be chosen to have a reasonable trade-off between security and storage space.

[00128] In various embodiments, in FIG. 4A, a first layer 402 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X

each

8x32-bit table may generated by applying sequentially the inverses of the two

4-bit encodings

the corresponding 32x8-bit part

of the inverse

of the mixing bijection MB^X, a 32x32-bit mixing bijection DB^X and a layer of eight 4-bit encodings

, where DB^X is of the form:

with being an invertible (general) 8 X 8-bit matrix, being invertible

(general) 6 X 6-bit matrices, and j =

0, 1,2,3· In an embodiment, the part processing of the white box form of Y

is conducted in a similar manner.

[00129] In various embodiments, in FIG. 4B, a second layer 404 may be made up of XOR tables, for example 60 8 X 4-bit or 6 X 3-bit tables where j =

0,1, 2, 3, l = 0,1, ··· ,9. The final output of the tables may be X and may be protected

by the mixing bijection DB^X and a layer of ten 4-bit or 3-bit encodings .

The final output of the XOR_{; i} tables may be Y and may be protected by the mixing bijection DB and a layer of ten 4-bit or 3-bit encodings

[00130] In various embodiments, in FIG. 4C, a third layer 406 may be made up of first ADD tables, for example one 16 X 8-bit table

four 12 X 13-bit tables where j = 1,2, 3, 4.

[00131] Each

table may be generated as follows:

[00132] (i) Either 6-bit input is obtained by applying sequentially the inverses of the two corresponding 3 -bit encodings from the second layer 404 and the inverse (or

of the corresponding 6 X 6-bit part (respectively, of the mixing

bijection DB^X (respectively, DB^Y).

[00133] (ii) The two resulting 6-bit values may be added, and may be concatenated into a 7-bit sum with the 6-bit left input operand X_j on the left side. The sum of the two 6-bit values can be a 7-bit value at most.

[00134] (iii) A mixing bijection e.g., a 13 X 13-bit mixing bijection may be

applied to a layer of one 4-bit and three 3-bit encodings

[00135] In an embodiment, the table is similar, except that each input operand

is 8-bit and it can only produce an 8-bit output (the carry bit overflows if any), and there are an 8x8-bit mixing bijection

and a layer of two 4-bit encodings

[00136] In various embodiments, in FIG. 4D, a fourth layer 408 may be made up of second ADD tables, for example one 21x32-bit table

and three 26xl3-bit tables

[00137] In various embodiments, for the table, the left 7-bit input may be

obtained by applying sequentially the inverses of the four encodings the inverse

of the mixing bijection

and an addition of 7 left bits (&0x7 F) operation. The right 1-bit input may be obtained by applying sequentially the inverses of the four corresponding encodings inverse of the mixing bijection

the » 6 operation and an addition of 1 right bit (&0xl) operation. Add the two resulting 7- bit and 1-bit values, and concatenate the 7-bit sum with the leftmost 6 bits (i.e. X₃ ) of the left 13-bit input operand on the left side. The resulting 7-bit value is the original result of the A

operation, the resulting 1-bit value is the carry bit of the

operation, and their sum can be a 7-bit value at most. At last, apply a 13 X 13-bit mixing operation

and a layer of one 4-bit and three 3-bit encodings to protect the

concatenated 13-bit value.

[00138] In various embodiments, for the table (J = 1,2), the left 7-bit input

may be obtained by applying sequentially the inverses of the four encodings of the mixing bijection and the &0x7F

operation; and the right 1-bit input is obtained by applying sequentially the inverses of the four encodings from the right adjacent table, the inverse

of the mixing bijection

the » 6 operation and the &0xl operation. Add the two resulting 7-bit and 1-bit values, and concatenate the 7-bit sum with the leftmost 6 bits (i.e.

X_j ) of the left 13-bit input operand on the left side. At last, apply a 13 X 13-bit mixing operation and a layer of one 4-bit and three 3-bit encodings to

protect the concatenated 13-bit value.

[00139] In various embodiments, the table is similar, except that the left input

is 8-bit and the output of the

table is 8-bit. The carry bit overflows if any, and it is the original leftmost byte of X

Y. The carry bit is directly protected by a 32x8-bit matrix and a layer of eight 4-bit encodings

[00140] In various embodiments, in FIG. 4E, a fifth layer 410 may be made up of truncation tables, for example four 13 X 32-bit tables, each of which is generated by applying sequentially the inverses of the four corresponding encodings from the fourth layer, the inverse of the corresponding 13 X 13-bit mixing bijection from the fourth layer, the truncating of the resulting 13-bit value to the rightmost 6 bits &0x3F, a 32x6-bit matrix

and a layer of eight 4-bit encodings

[00141] In various embodiments, in FIG. 4F, a last (i.e. sixth) layer 412 may be made up of XOR tables, for example 32 8x4-bit tables

with the result

414 being protected by the 32 X 32-bit mixing bijection

and a layer of eight 4-bit encodings

where .

[00142] In various embodiments, the outputs of

are uniformly distributed, although the outputs of its partial addition operation(s) are not uniformly distributed due to carry bits. A stronger white-box implementation of

made be obtained by using larger dimensional sizes of segments for a 32-bit word at the expense of a larger storage complexity. For example, a 32-bit word may be divided into four 8-bit segments. 4-bit encodings may be used in the first layer and corresponding revisions may be made in the subsequent layers, so that there are significantly more available mixing bijections and encodings against exhaustive search attacks.

[00143] FIG. 5 illustrates a white-box implementation of

operation according to various embodiments of the present application. FIGS. 5 A to 5C are enlarged versions of various portions of FIG. 5 for better clarity.

[00144] In various embodiments, the white-box implementation of

f ) 500 may include three layers at a high level, where (

[00145] In various embodiments, the white-box implementation of

f ) 500 may include two variables X and Y which may be two 32-bit variables and may be protected in their white-box forms respectively,

where MB^X and MB^Y are 32x32-bit mixing bijections, and

are two groups of eight 4 -bit encodings.

[00146] In FIG. 5A, a first layer 504 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X each 8x32-bit table may be

generated by applying sequentially the inverses two 4-bit encodings

the corresponding 32x8-bit part

of the inverse

of the mixing

bijection

operation, a general 32x32-bit mixing bijection

used to protect the result

and a layer of eight 4-bit encodings , where

and j = 0,1, 2, 3. The process is similar for the part

processing of the white box form of , except the <<< f operation is

applied instead of the <<< ø operation.

[00147] In various embodiments, in FIG. 5B,a second layer 506 may be made up of XOR tables, for example 48 8 X 4-bit tables

where j = 0,1,2, l =

0,1, ··· ,7. The final output of the tables is X which may be protected by the mixing

bijection

and a layer of eight 4-bit encodings

; and the final output of the tables is Y protected by the mixing bijection

and a layer of eight 4-bit encoding

[00148] In various embodiments, in FIG. 5C, a last (i.e. third) layer 508 is made up XOR tables, for example of eight 8 X 4-bit tables , with the resul

510 being

protected by the mixing bijection

and a layer of eight 4-bit encodings where

[00149] In various embodiments, the

operation is null when

(respectively, which is

the white-box implementation of

and it becomes

which is the white-box implementation of

.

[00150] FIG. 6 illustrates a white-box implementation of

operation according to various embodiments of the present application. FIGS. 6A to 6D are enlarged versions of various portions of FIG. 6 for better clarity.

[00151] In various embodiments, the white-box implementation of

may include four layers at a high level. The white-box

may include two variables X 602A and Y 602B which may be two 32-bit variables and may be protected in their white-box forms and e respectively,

where MB^X and MB^Y are 32x32-bit mixing bijections, and are two groups

of eight 4 -bit encodings.

[00152] In various embodiments, in FIG. 6A, a first layer 604 may be made up of eight 8x32-bit tables. For the part processing of the white box form of each

8x32-bit table is generated by applying sequentially the inverses of the two 4-

bit encodings the corresponding 32x8-bit part of the inverse

of the mixing bijection

operation, a 32x32-bit mixing bijection DB^X and a layer of eight 4-bit encodings where DB^X is of the form:

with being an invertible (general) 8 X 8-bit matrix,

and j = 0,1, 2, 3. Similarly, for the part processing of the white

box form of Y

the

operation may be applied instead of the

operation.

[00153] In various embodiments, in FIG. 6B, a second layer 606 may be made up of XOR tables, for example 48 8 X 4-bit tables , where j = 0,1,2, l =

0,1, ··· ,7. The final output of the tables is X protected by the mixing bijection DB

and a layer of eight 4-bit encodings and the final output of the

tables is Y

protected by the mixing bijection DB^Y and a layer of eight 4-bit encodings

[00154] In various embodiments, in FIG. 6C, a third layer 608 may be made up of ADD tables, for example four 16x32-bit tables

, each of which is generated by applying sequentially the inverses of the two corresponding 4-bit encodings from the second layer, the inverse

respectively) of the corresponding 8x8-bit part (or

, respectively) of the mixing bijection DB^X (or DB^Y, respectively) for either 8-bit input, the AND value of the two resulting 8-bit values, the corresponding 32x8-bit part

out of an affine mixing bijection

used to protect the result

and a layer of eight 4-bit encodings

where

being an invertible (general) 32x32-bit matrix and

being 32-bit constants ( l = 0,1, 2, 3). The affine mixing bijection

may be a linear mixing bijection.

[00155] In various embodiments, in FIG. 6D, a last (i.e. fourth) layer 610 may be made up of XOR tables, for example 24 8 X 4-bit tables

with the result

612 being protected finally by the affine mixing bijection

and a

layer of eight 4-bit encodings

where j = 0,1,2, / = 0,1, 2, 3.

[00156] FIG. 7 illustrates a white-box implementation of

operation 700 according to various embodiments of the present application. FIGS. 7A to 7D are enlarged versions of various portions of FIG. 7 for better clarity.

[00157] In various embodiments, the white -box implementation of

700 may include four layers at a high level. The white-box

may include two variables X 702A and Y 702B which may be two 32-bit variables and may be protected in their white-box forms respectively,

where MB^X and MB^Y are 32x32-bit mixing bijections, and are two groups

of eight 4 -bit encodings.

[00158] In various embodiments, in FIG. 7A, a first layer 704 may be made up of eight 8x32-bit tables. For the part processing of the white box form of

, each 8x32-bit table is generated by applying sequentially the inverses of the two 4-

bit encodings the corresponding 32x8-bit part

of the inverse

the form:

with

being an invertible (general) 8 X 8-bit matrix,

and j = 0,1, 2, 3. Similarly, for the part processing of the white

box form of Y

operation may be applied immediately before the mixing bijection DB^X.

[00159] In various embodiments, in FIG. 7B, a second layer 706 may be made up of XOR tables, for example 48 8 X 4-bit tables

where j = 0,1,2, l = 0,1, ··· ,7. The final output of the

tables is X protected by the mixing bijection DB and a layer of eight 4-bit encodings

and the final output of the

tables is Y protected by the mixing bijection DB^Y and a layer of eight 4-bit encodings

[00160] In various embodiments, in FIG. 7C,a third layer 708 may be made up of ADD tables, for example four 16x32-bit tables

respectively) of the corresponding 8x8-bit part

(or

respectively) of the mixing bijection DB^X (or DB^Y, respectively) for either 8-bit input, the bitwise complement

operation only for the 8-bit input from X, the AND value of the two resulting 8-bit values, the corresponding 32 X 8-bit part out of an affine

mixing bijection

used to protect the result

and a layer of eight 4- bit encodings

being an invertible (general) 32x32-bit matrix, b, and b =

being 32-bit constants (l = 0,1, 2, 3).

[00161] In various embodiments, in FIG. 7D, a last (i.e. fourth) layer 710 may be made up of XOR tables, for example 24 8x4-bit tables with the result

712 being protected finally by the affine mixing bijection

and a layer of eight 4-bit encodings where j = 0,1,2, l = 0,1, 2, 3.

[00162] FIG. 8 illustrates a white -box implementation of

operation 800 according to various embodiments of the present application. FIGS. 8 A to 8C are enlarged versions of various portions of FIG. 8 for better clarity.

[00163] In various embodiments, different from th

operation, the

operation does not output uniformly. In particular, it has only two possible values when

takes the extreme value 31, so an affine mixing bijection may be used to protect the intermediate value

[00164] In various embodiments, the white-box implementation of

may include three layers at a high level. The white -box implementation of

800 may include two variables X 802A and Y 802B which may be two 32-bit variables and may be protected in their white-box forms

respectively, where MB^X and MB^Y are 32 X 32-bit mixing bijections, and

are two groups of eight 4-bit encodings.

[00165] In various embodiments, in FIG. 8A, a first layer 804 may be made up of eight 8x32-bit tables. For the part processing of the white box form of X each

8x32-bit table is generated by applying sequentially the inverses

of the two 4- bit encodings the corresponding 32x8-bit part of the inverse

of the mixing bijection

operation, an affine mixing bijection

and a layer of eight 4-bit encodings , where A being an

invertible 32 X 32-bit matrix, being a 32-bit constant,

= 0, 1,2,3. It is similar for the part processing of the white box form of , except that there is no

operation and are

replaced with another invertible 32x32-bit matrix

^Y and 32-bit constant

such that

[00166] In various embodiments, in FIGS. 8B and 8C, second 806 and third 808 layers may be the same as the second 504 and third 506 layers of the white-box implementation of

respectively. Finally, the resul is protected

by the mixing bijection

and a layer of eight 4-bit encodings

[00167] In various embodiments, white-box implementation of X\Y may be obtained from the above white -box implementation of

by removing the

operations in the first layer 604 and then applying the OR (i.e. |) operation in the third layer 608, instead of the AND (i.e. &) operation.

[00168] In various embodiments, the white-box implementation of

may be obtained from the above white-box

implementation 400 by inserting the

operation immediately before the mixing bijection DB^X in the first layer 402 of the part processing of the white box form of All the other parts remain

unchanged.

[00169] FIG. 9 illustrates a white-box implementation of

operation according to various embodiments of the present application. FIGS. 9 A to 9F are enlarged versions of various portions of FIG. 9 for better clarity.

[00170] In various embodiments, the white-box implementation of

may be a simplified version of the above white-box implementation of

by removing the

operation and the part processing

in the first and second layers and simply putting as an input operand to the four ADD tables in the

third layer. [00171] In various embodiments, the white-box implementation of

may include a variable X 902 which may be a 32-bit variable and may be protected in its white- box forms

where MB^X is a 32x32-bit mixing bijection, and is a

group of eight 4-bit encoding.

[00172] As illustrated in FIG. 9A, a first layer 904 may be made up of eight 8x32-bit tables. For the part processing of the white box form of

each 8x32-bit table may generated by applying sequentially the inverses of the two 4-bit

encodings

the corresponding 32x8-bit part

of the inverse MB^X,_1 of the mixing bijection MB^X, a 32 X 32-bit mixing bijection DB^X and a layer of eight 4 -bit encodings

is of the form:

with being an invertible (general) 8 X 8-bit matrix,

being invertible (general) 6 X 6-bit matrices,

0,1, 2, 3.

[00173] In various embodiments, in FIG. 9B, a second layer 906 may be made up of XOR tables, for example 60 8x4-bit table where The

final output of the

tables may be X and may be protected by the mixing bijection DB^X and a layer of ten 4-bit or 3-bit encodings

[00174] The third layer is made up of one 8 X 8-bit table and three 6x 13-bit tables. The 8 X 8-bit table is generated by applying sequentially the inverses of the two corresponding

4-bit encodings from the second layer, the inverse

of the corresponding 8x8-bit part of of the mixing bijection DB^X, the addition operation with the corresponding 8-

bit part

of the constant consti_, a 8-bit mixing bijection

and finally two 4- bit encodings Each of the three 6x 13-bit tables is generated by applying sequentially

the inverses of the two corresponding 3-bit encodings from the second layer, the inverse of the corresponding 6 X 6-bit part of of the mixing bijection DB , the

addition operation with the corresponding 6-bit part

of the constant consti, a 8-bit mixing bijection and finally two 4-bit encondings

[00175] In various embodiments, in FIG. 9D, a fourth layer 910 may be made up of first

ADD tables, for example one 16x8-bit table

and four 12x 13-bit tables

where j = 1,2, 3, 4. The Y ADD table from FIG.4 is replaced by consti

[00176] Each table may be generated as follows:

[00177] (i) Either 6-bit input is obtained by applying sequentially the inverses of the two corresponding 3-bit encodings from the second layer 906 and the inverse of the

corresponding 6x6-bit part

of the mixing bijection DB^X.

[00178] (ii) The two resulting 6-bit values may be added, and may be concatenated into a 7-bit sum with the 6-bit left input operand X_j on the left side. The sum of the two 6-bit values can be a 7-bit value at most.

[00179] (iii) A mixing bijection e.g., a 13 X 13-bit mixing bijection may be

applied to a layer of one 4-bit and three 3-bit encodings

[00180] In an embodiment, the A

table is similar, except that each input operand is 8-bit and it can only produce an 8-bit output (the carry bit overflows if any), and there are an 8x8-bit mixing bijection and a layer of two 4-bit encodings

[00181] In various embodiments, in FIG. 9E, a fifth layer 912 may be made up of truncation tables, for example four 13 X 32-bit tables, each of which is generated by applying sequentially the inverses of the four corresponding encodings from the fourth layer 910, the inverse of the corresponding 13xl3-bit mixing bijection from the fourth layer 910, the truncating of the resulting 13-bit value to the rightmost 6 bits &0x3 F, a 32x6-bit matrix

and a layer of eight 4-bit encodings

[00182] In various embodiments, in FIG. 9F, a last (i.e. sixth) layer 914 may be made up of XOR tables, for example 32 8x4-bit tables

with the result X EE consti 916 being protected by the 32x32-bit mixing bijection M

[00183] FIG. 10 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-1 implementation according to various embodiments of the present application. FIGS. 10A to 10G are enlarged versions of various portions of FIG. 10 for better clarity. [00184] In various embodiments, HMAC-SHA-1 may process an arbitrary-length message. This poses a difficulty to its white-box implementation, since the number of 512- bit message blocks cannot be determined and thus the white-box operations cannot be specified.

[00185] In various embodiments, to solve the problem, a same set of white-box operations for the later (512-bit) message blocks (if any) as the set used in the first 512-bit message block.

[00186] In various embodiments, after computing the inner keyα and the outer key b, the server does not release them to the client in a clear form, but in a protected form. In various embodiments, the inner key α and the outer key β may be protected by one or more mixing bijections.

[00187] In an exemplary embodiment, for each of the five 32-bit words A₀, B_Q, C_Q, D_Q, E_Q, the system 1000 may include a step 1002 of generating a mixing bijection MB^X and a layer of eight 4-bit external encodings

in FIG. 10A. Representing the inner keyα as five 32-bit blocksα

, the system 1000 may compute

). The system 1000 may send this protected form of the inner keyα to the user.

[00188] In various embodiments, the process for protecting the outer keyβ is similar to that of the inner keyα .

[00189] In various embodiments,α andβ as well as their protection may not be incorporated into the white-box implementation of the step update function of FIG. 4. Advantageously, this results in the ability to deal with an arbitrary-length message of more than one 512-bit blocks.

[00190] In various embodiments, SHA-1 may generate additional expanded message words (e.g., 64 additional words) from an original (512-bit) message block, which will be input to the last 64 steps of the compression function. In various embodiments, a white-box HMAC-SHA-1 implementation against code lifting should recover the original expanded message word from its manipulated form resulted from the external encoding p under a message expansion function.

[00191] In various embodiments, the message expansion function may use rotation and XOR operations to generate the additional (e.g. 64) expanded message blocks. [00192] In various embodiments, in FIG. 10B, in step 1004 each (32-bit) message word

Mi may be protected by a 32x32-bit mixing bijection

followed by a layer of eight 4- bit external encodings

. In an embodiment,

MB and MB may be affine 32x32-bit mixing bijections since the two corresponding message blocks represent message length, which may often be zero, where i = 0,1, ··· ,15. In an embodiment,

where the first 16 expanded message blocks is (i = 0,1, ··· ,15).

[00193] In various embodiments, the message expansion function

for the next 64 message blocks can be represented as W_t =

[00194] In various embodiments, the white-box form of the expanded message block

W_t may be achieved by applying two applications of white-box

implementation and finally one application of white-box

implementation (16 <

protected in white-box form

[00195] In various embodiments, in FIG. IOC, in step 1006, given

and

compression function of SHA-1 may be implemented as follows:

That is, can be expressed as a function of

[00196] In various embodiments,

may be used as inputs, and as outputs. In various embodiments, the

operations may be incorporated into other operations. This reduces storage complexity and running time as these steps need not be implemented them with white-box operations.

[00197] White-box implementation for Steps 4-79 is described below:

[00198] In FIG. 10D, in step 1008, take a step between Steps 4-79, Step i say (i =

4,5, "·,79) . Observe that

[00199] Assume that

is protected with white-box operations

Thus,

is protected with white-box operations

, and etc. In an embodiment, the white-box implementation of the step update function of Step i can be achieved with one application of the white-box implementation of

one application of the white-box implementation of

, two applications of the white -box implementation of

and white-box implementation of

, whose white-box implementation depends on the specific form

and is described in f_xor 1010 in FIG. 10E, 1012 in FIG. 10F and f_maj 1014 in FIG. 10G, respectively. At last, A_i+1 is protected with white-box operations

[00200] Depending on the value of i, the

function is f_xor , f_if or f_maj . f_xor can be composed with one application of the above white -box (X <<< 30)

( Y <<< 30) operation and one application of the above white-box X

Y operation, as shown in FIG. 10. f_if can be composed with one application of the above white -box X&(Y <<< 30) operation, one application of the above white-box

&(Ύ <<< 30) operation and one application of the above white-box X\Y operation, as shown in FIG. 10. f_{maj C}an be composed with two applications of the above white-box X&(Y <<< 30) operation, one application of the above white-box (X <<< 30 )&(Y <<< 30) operation, and two applications of the above white-box X\Y operation, as shown in FIG. 10.

[00201] In various embodiments, white-Box implementation of Steps 0-3 is slightly different from a general step in the following two points: 1) The input of each of Steps 0- 3 involves one or more of the five initial words A₀, B₀, C₀, D₀, E₀ , rather than

of a general step; and 2) There is no <<< 30 operation to one or more of the three input words

in each of Steps 0-2. As a consequence, white-box implementation of each of Steps 0-3 is slightly different from the white-box implementation of the general step between Steps 4-79, which can be obtained simply by applying (the inverses of) the corresponding mixing bijections and encodings and removing unnecessary <<< 30 operation.

[00202] In various embodiments, to be able to process an arbitrary-length message, the same set of mixing bijections MB^X and external encodings may be used to protect the

result of the feed forwarding part:

E₈₀, SO that the same set of white-box operations may be subsequently reuse for the next 512-bit message blocks (if any).

[00203] In various embodiments, there may only be one 512-bit message block in H_β(· ), which may include ten 32-bit message words of zero and a message word about the message bit length 160. [00204] In various embodiments, the server may similarly make a white -box implementation on the H_β(·) part, except that there may not be a need to apply white-box operations to the ten message words of zero. Likewise, the last message word about the message bit length may be protected with an affine mixing bijection.

[00205] The ten 32-bit message words of zero results in a reduction in the number of white-box operations in the message expansion phase and the compression function. Reusing the same set of white-box operations may also result in reduction computational and communication complexity. As a result, the white-box HMAC-SHA-1 implementation can be readily obtained from the above white-box implementations of the components of HMAC-SHA-1.

[00206] In various embodiments, when the user key is updated, the same set of white- box tables can be reused for different user keys, as long as the server releases the corresponding protected form of the new key to the client. Thus, the server does not need to generate another set of white-box tables every time a user key is updated, which reduces computational and communication complexity. In various embodiments it is better to limit the maximum number of keys used under a set of white-box tables, to avoid a security loss in this situation.

[00207] FIG. 11 illustrates an exemplary high-level overview of the general white-box HMAC-SHA-256 implementation 1100 according to various embodiments of the present application.

[00208] Similarly, a general white-box implementation of HAMC-SHA-256 may be obtained using the same principles as the above white-box HAMC-SHA-1 implementation. [00209] In various embodiments, given (A₀, A₁, A₂, A₃, E₀, E₁, E₂, E₃), SHA-256 maybe implemented as follows:

where i = 4,5, ··· ,64.

[00210] In various embodiments, the white-box HMAC-SHA-256 implementation has the following main distinctions from white-box HMAC-SHA-1 implementation:

[00211] 1. Protecting α and β : for each of the eight 32-bit words A₀, B₀, ··· , H₀, the sever generates a mixing bijection MB^X and a layer of eight 4-bit encodings , here X ∈

{A,B, C, D,E, F, G, H} . Representing α as eight 32-bit blocks the

server computes

sends it to the client. The process for protecting β is similar to α .

[00212] 2. An instantiation of p with respect to the message expansion function of SHA-

256: white-box implementation of the message expansion function can be constructed with the white-box implementations of

[00213] In a high-level white-box implementation of the message expansion function of SHA-256, each (32-bit) message word M_t or expanded message word W_t is protected by a 32x32-bit mixing bijection

and a layer of eight 4-bit external encodings

, that is,

[00214] 3. White-box implementation of the compression function of SHA-256: Since

(. A₀,B₀, C₀,D₀,E₀, F₀, G₀, H₀ ) are protected by mixing bijections

(MB^ MB^S, MB^C, MB^D, MB^E, MB^F, MB^G, MB^h) and the external encodings this makes white-box implementations of

Steps 0-3 slightly different from the white-box implementation of a general step of steps 4 and 63. Thus, only the affected mixing bijections and encodings may need to be change correspondingly.

4. Protecting the feed forwarding part: the same set of mixing bijections MB^X and external encodings may be used to protect the result of the feed forwarding part: A₀ A₆₄,

B o EE B₆₄, ···, and H₀ EE H₆₄. By this way, the same set of white-box operations may be reuse for the next 512-bit message blocks (if any), so as to process an arbitrary-length message.

[00215] In an embodiment, these differences are mainly due to the distinctions between SHA-1 and SHA-256, but white-box HMAC-SHA-256 implementation can be built with the above basic white-box operations in the same principles as white-box HMAC-SHA-1. [00216] There are variants with different trade-offs between security and performance. For example, we can use different dimension sizes of mixing bijections, encodings and white-box tables.

[00217] In various embodiments, different levels of iteration may be used for the general white-box implementations. In particular, the same set of white-box operations may be used to iterate step by step for the 80 steps of H_α(·). The white-box operations of H_α(·) may be reused for the H_β(·) part. A step constant const i may be treated as a known variable. [00218] In various embodiments, some parts may be left unprotected, for example, leave the value H_α(M) and the H_β(·) part unprotected. While this may allow an attacker to produce a right (message, tag) pair under a known message attack scenario, this may be still useful in some applications.

[00219] While embodiments of the invention have been particularly shown and described with reference to specific embodiments, it should be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. The scope of the invention is thus indicated by the appended claims and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced.

Claims

CLAIMS What is claimed is:

1. A method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor, the method comprising: receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation comprises a first layer comprising a first ADD table and a second layer comprising a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second- input and process the first second-input and the second second-input according to the second ADD table; and wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.

2. The method of claim 1, wherein the second second-input is equal to a partial sum of the two first inputs, and wherein the at least one processor is configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table.

3. The method of claim 2, wherein the modular addition operation comprises a third layer configured to receive the protected second output from the second layer, wherein the third layer comprises a truncation table, the at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.

4. The method of claim 1, wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of at least one of a XOR, AND, NOT and rotation operation.

5. The method of claim 1, wherein the inner key configured to be protected by a first mixing bijection to produce a protected inner key and the outer key is configured to be protected by a second mixing bijection to produce a protected outer key, and the at least one processor is configured to obtain the HMAC based on the protected inner key and the protected outer key, wherein the first mixing bijection and the second mixing bijection are invertible matrices to provide diffusion of the inner key and the outer key.

6. The method of claim 1, wherein the input message is of arbitrary length.

7. The method of claim 1, wherein the input message is M bits; and the at least one processor is configured to use a first specific set of white-box operations for a first N bits of the input message and configured to use a general set of white-box operations for the remaining M-N bits.

8. The method of claim 7, wherein when the length of the input message changes to P bits, the at least one processor is configured to use a second specific set of white-box operations for a first Q bits of the input message and configured to use the general set of white-box operations for the remaining P-Q bits.

9. A system for generating a HMAC based on white-box implementation, the system comprising: a memory; at least one processor communicatively coupled to the memory, and configured to: receive an input message; execute a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; execute a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation comprises a first layer comprising a first ADD table and a second layer comprising a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second- input and process the first second-input and the second second-input according to the second ADD table; and wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.

10. The system of claim 9, wherein the second second-input is equal to a partial sum of the two first inputs, and wherein the at least one processor is configured to obtain a protected second output corresponding to a value of a carry bit of the second ADD table.

11. The system of claim 10, wherein the modular addition operation comprises a third layer configured to receive the protected second output from the second layer, wherein the third layer comprises a truncation table, the at least one processor configured to process the protected second output according to the truncation table to obtain an addition result of the modular addition operation.

12. The system of claim 9, wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of at least one of a XOR, AND, NOT and rotation operation.

13. The system of claim 9, wherein the inner key configured to be protected by a first mixing bijection to produce a protected inner key and the outer key is configured to be protected by a second mixing bijection to produce a protected outer key, and the at least one processor is configured to obtain the HMAC based on the protected inner key and the protected outer key, wherein the first mixing bijection and the second mixing bijection are invertible matrices to provide diffusion of the inner key and the outer key.

14. The system of claim 9, wherein the input message is of arbitrary length.

15. The system of claim 9, wherein the input message is M bits; and the at least one processor is configured to use a first specific set of white-box operations for a first N bits of the input message and configured to use a general set of white-box operations for the remaining M-N bits.

16. The system of claim 15, wherein when the length of the input message changes to P bits, the at least one processor is configured to use a second specific set of white-box operations for a first Q bits of the input message and configured to use the general set of white-box operations for the remaining P-Q bits.

17. A computer program product storing computer executable code comprising instructions for performing a method of generating a hash-based message authentication code (HMAC) based on white-box implementation, using at least one processor, the method comprising: receiving an input message; executing a white-box implementation of a cryptographic hash function based on the input message to obtain an inner key and using the inner key to obtain an inner hash function; executing a white-box implementation of the inner hash function to obtain an outer key and using the outer key to obtain the HMAC; wherein the executing of at least one of the white-box implementations of the cryptographic hash function and the white-box implementation of the inner hash function comprises a step of executing a white-box implementation of a modular addition operation, and wherein the white-box implementation of the modular addition operation comprises a first layer comprising a first ADD table and a second layer comprising a second ADD table, wherein the at least one processor is configured to receive two first inputs and process the two first inputs according to the first ADD table to generate a first output corresponding to a value of a carry bit of the first ADD table based on the two first inputs, and the at least one processor is configured to receive a first second-input based on the first output and a second second- input and process the first second-input and the second second-input according to the second ADD table; and wherein the first output is subjected to a first mixing operation to produce a protected first output, wherein the first mixing operation is a linear operation to provide diffusion of the first output and the first second-input is based on the protected first output.