ECDSA White-Box Implementations: Attacks and Designs from CHES 2021 Challenge

Guillaume Barbu; Ward Beullens; Emmanuelle Dottax; Christophe Giraud; Agathe Houzelot; Chaoyun Li; Mohammad Mahzoun; Adrián Ranea; Jianrui Xie

doi:10.46586/tches.v2022.i4.527-552

ECDSA White-Box Implementations: Attacks and Designs from CHES 2021 Challenge

Guillaume Barbu, Ward Beullens, Emmanuelle Dottax, Christophe Giraud, Agathe Houzelot, Chaoyun Li, Mohammad Mahzoun, Adrián Ranea, Jianrui Xie

Coding Theory and Cryptology

Research output: Contribution to journal › Article › Academic › peer-review

4 Citations (Scopus)

44 Downloads (Pure)

Abstract

Despite the growing demand for software implementations of ECDSA secure against attackers with full control of the execution environment, scientific literature on ECDSA white-box design is scarce. The CHES 2021 WhibOx contest was thus held to assess the state-of-the-art and encourage relevant practical research, inviting developers to submit ECDSA white-box implementations and attackers to break the corresponding submissions. In this work, attackers (team TheRealIdefix) and designers (team zerokey) join to describe several attack techniques and designs used during this contest. We explain the methods used by the team TheRealIdefix, which broke the most challenges, and we show the efficiency of each of these methods against all the submitted implementations. Moreover, we describe the designs of the two winning challenges submitted by the team zerokey; these designs represent the ECDSA signature algorithm by a sequence of systems of low-degree equations, which are obfuscated with affine encodings and extra random variables and equations. The WhibOx contest has shown that securing ECDSA in the white-box model is an open and challenging problem, as no implementation survived more than two days. In this context, our designs provide a starting methodology for further research, and our attacks highlight the weak points future work should address.

Original language	English
Pages (from-to)	527-552
Number of pages	26
Journal	IACR Transactions on Cryptographic Hardware and Embedded Systems
Volume	2022
Issue number	4
DOIs	https://doi.org/10.46586/tches.v2022.i4.527-552
Publication status	Published - 31 Aug 2022

Bibliographical note

Funding Information:
The authors would like to thank the other members of the TheRealIdefix team: Yannick Bequer, Luk Bettale, Laurent Castelnovi, Thomas Chabrier, Nicolas Debande, Roch Lescuyer, Sarah Lopez and Nathan Reboud. Adrián Ranea is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO) under grant No. 11E1921N. Chaoyun Li is an FWO post-doctoral fellow under grant No. 1283121N. Ward Beullens is an FWO post-doctoral fellow under grant No. 1S95620N.

Funding

The authors would like to thank the other members of the TheRealIdefix team: Yannick Bequer, Luk Bettale, Laurent Castelnovi, Thomas Chabrier, Nicolas Debande, Roch Lescuyer, Sarah Lopez and Nathan Reboud. Adrián Ranea is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO) under grant No. 11E1921N. Chaoyun Li is an FWO post-doctoral fellow under grant No. 1283121N. Ward Beullens is an FWO post-doctoral fellow under grant No. 1S95620N.

Funders	Funder number
Fonds Wetenschappelijk Onderzoek	11E1921N, 1283121N, 1S95620N

Keywords

ECDSA
WhibOx Contest
White-Box Cryptography

Access to Document

10.46586/tches.v2022.i4.527-552

pdfFinal published version, 668 KBLicence: CC BY

Cite this

@article{ca4085ca13f842d0a128b750142056d1,

title = "ECDSA White-Box Implementations: Attacks and Designs from CHES 2021 Challenge",

abstract = "Despite the growing demand for software implementations of ECDSA secure against attackers with full control of the execution environment, scientific literature on ECDSA white-box design is scarce. The CHES 2021 WhibOx contest was thus held to assess the state-of-the-art and encourage relevant practical research, inviting developers to submit ECDSA white-box implementations and attackers to break the corresponding submissions. In this work, attackers (team TheRealIdefix) and designers (team zerokey) join to describe several attack techniques and designs used during this contest. We explain the methods used by the team TheRealIdefix, which broke the most challenges, and we show the efficiency of each of these methods against all the submitted implementations. Moreover, we describe the designs of the two winning challenges submitted by the team zerokey; these designs represent the ECDSA signature algorithm by a sequence of systems of low-degree equations, which are obfuscated with affine encodings and extra random variables and equations. The WhibOx contest has shown that securing ECDSA in the white-box model is an open and challenging problem, as no implementation survived more than two days. In this context, our designs provide a starting methodology for further research, and our attacks highlight the weak points future work should address.",

keywords = "ECDSA, WhibOx Contest, White-Box Cryptography",

author = "Guillaume Barbu and Ward Beullens and Emmanuelle Dottax and Christophe Giraud and Agathe Houzelot and Chaoyun Li and Mohammad Mahzoun and Adri{\'a}n Ranea and Jianrui Xie",

note = "Funding Information: The authors would like to thank the other members of the TheRealIdefix team: Yannick Bequer, Luk Bettale, Laurent Castelnovi, Thomas Chabrier, Nicolas Debande, Roch Lescuyer, Sarah Lopez and Nathan Reboud. Adri{\'a}n Ranea is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO) under grant No. 11E1921N. Chaoyun Li is an FWO post-doctoral fellow under grant No. 1283121N. Ward Beullens is an FWO post-doctoral fellow under grant No. 1S95620N. ",

year = "2022",

month = aug,

day = "31",

doi = "10.46586/tches.v2022.i4.527-552",

language = "English",

volume = "2022",

pages = "527--552",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",

issn = "2569-2925",

publisher = "Ruhr-University Bochum",

number = "4",

}

TY - JOUR

T1 - ECDSA White-Box Implementations

T2 - Attacks and Designs from CHES 2021 Challenge

AU - Barbu, Guillaume

AU - Beullens, Ward

AU - Dottax, Emmanuelle

AU - Giraud, Christophe

AU - Houzelot, Agathe

AU - Li, Chaoyun

AU - Mahzoun, Mohammad

AU - Ranea, Adrián

AU - Xie, Jianrui

N1 - Funding Information: The authors would like to thank the other members of the TheRealIdefix team: Yannick Bequer, Luk Bettale, Laurent Castelnovi, Thomas Chabrier, Nicolas Debande, Roch Lescuyer, Sarah Lopez and Nathan Reboud. Adrián Ranea is supported by a PhD Fellowship from the Research Foundation – Flanders (FWO) under grant No. 11E1921N. Chaoyun Li is an FWO post-doctoral fellow under grant No. 1283121N. Ward Beullens is an FWO post-doctoral fellow under grant No. 1S95620N.

PY - 2022/8/31

Y1 - 2022/8/31

N2 - Despite the growing demand for software implementations of ECDSA secure against attackers with full control of the execution environment, scientific literature on ECDSA white-box design is scarce. The CHES 2021 WhibOx contest was thus held to assess the state-of-the-art and encourage relevant practical research, inviting developers to submit ECDSA white-box implementations and attackers to break the corresponding submissions. In this work, attackers (team TheRealIdefix) and designers (team zerokey) join to describe several attack techniques and designs used during this contest. We explain the methods used by the team TheRealIdefix, which broke the most challenges, and we show the efficiency of each of these methods against all the submitted implementations. Moreover, we describe the designs of the two winning challenges submitted by the team zerokey; these designs represent the ECDSA signature algorithm by a sequence of systems of low-degree equations, which are obfuscated with affine encodings and extra random variables and equations. The WhibOx contest has shown that securing ECDSA in the white-box model is an open and challenging problem, as no implementation survived more than two days. In this context, our designs provide a starting methodology for further research, and our attacks highlight the weak points future work should address.

AB - Despite the growing demand for software implementations of ECDSA secure against attackers with full control of the execution environment, scientific literature on ECDSA white-box design is scarce. The CHES 2021 WhibOx contest was thus held to assess the state-of-the-art and encourage relevant practical research, inviting developers to submit ECDSA white-box implementations and attackers to break the corresponding submissions. In this work, attackers (team TheRealIdefix) and designers (team zerokey) join to describe several attack techniques and designs used during this contest. We explain the methods used by the team TheRealIdefix, which broke the most challenges, and we show the efficiency of each of these methods against all the submitted implementations. Moreover, we describe the designs of the two winning challenges submitted by the team zerokey; these designs represent the ECDSA signature algorithm by a sequence of systems of low-degree equations, which are obfuscated with affine encodings and extra random variables and equations. The WhibOx contest has shown that securing ECDSA in the white-box model is an open and challenging problem, as no implementation survived more than two days. In this context, our designs provide a starting methodology for further research, and our attacks highlight the weak points future work should address.

KW - ECDSA

KW - WhibOx Contest

KW - White-Box Cryptography

UR - http://www.scopus.com/inward/record.url?scp=85137064127&partnerID=8YFLogxK

U2 - 10.46586/tches.v2022.i4.527-552

DO - 10.46586/tches.v2022.i4.527-552

M3 - Article

SN - 2569-2925

VL - 2022

SP - 527

EP - 552

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

IS - 4

ER -

ECDSA White-Box Implementations: Attacks and Designs from CHES 2021 Challenge

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this