Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough


August 24, 2016


Joppe Bos


NXP Semiconductors


Although all current scientific white-box approaches of standardized cryptographic primitives are broken, there is still a large number of companies which sell “secure” white-box products. After an introduction to the concept of white-box cryptography, I will introduce a new approach to assess the security of white-box implementations which requires neither knowledge about the look-up tables used nor any reverse engineering effort. This differential computation analysis (DCA) attack is the software counterpart of the differential power analysis attack as applied by the cryptographic hardware community. We developed plugins to widely available dynamic binary instrumentation frameworks to produce software execution traces which contain information about the memory addresses being accessed. We show how DCA can extract the secret key from all publicly available (non-commercial) white-box programs implementing standardized cryptography by analyzing these traces to identify secret-key dependent correlations. This work received the best paper award at the Conference on Cryptographic Hardware and Embedded Systems (CHES) 2016 and is joint work with Charles Hubain, Wil Michiels, and Philippe Teuwen.