A white-box model is a typical model in existing cipher attack models. In a white-box model, it may be considered that an attacker has accessed a system of a computing module used for encryption and decryption computing, and has taken full control of the system. That is, the computing module F( ) is completely transparent to the attacker, and the attacker can view or modify values of all data anytime, and can also view and modify an intermediate result of any computing step.
Because having full control over the system, the white-box attacker can view all data in a memory. In a conventional cryptographic algorithm, a key is directly stored in a memory during a computing process. The attacker can find the key at a high probability by only locating data that is comparatively random in the memory. Therefore, the conventional cryptographic algorithm is very vulnerable to the white-box attacker. To prevent the attacker from stealing the key in the white-box model, Chow and others put forward a concept of white-box cryptography in 2002 and designed a white-box implementation method for the advanced encryption standard (Advanced Encryption Standard, AES) and the data encryption standard (Data Encryption Standard, DES). A white-box cryptographic algorithm C generally includes two parts: one part is a white-box encryption and decryption function generating algorithm G, and the other part is a white-box encryption function E′ and a white-box decryption function D′ that are generated. As shown in FIG. 1, the white-box encryption and decryption function generating algorithm G receives two inputs: an original key K and a random seed, and a white-box encryption function E′ and a white-box decryption function D′ are generated. The white-box cryptographic algorithm C=E′(P) encrypts a plaintext P into a ciphertext C, and the white-box cryptographic algorithm P=D′(C) decrypts the ciphertext C into the plaintext P. In a data segment of E′ and D′ and during a computing process, the original key K itself is completely hidden, and therefore the key can be protected from being stolen by a hacker.
Currently, design ideas for the white-box encryption and decryption function generating algorithms are similar, and a general practice has the following two points:
First, computing is changed to table lookup, and random affine masks layers are added to the input and output of the tables. The output masks will be inverted by the input masks in the next round. As a result, the final output value remains the unchanged. Second, taking the size of the lookup tables into account, if the original table needs to be split into several sub-tables, the sub-tables are computed separately and the computing results are XORed as the output of the original table, where the mask layer has to be affine transformation.
However, currently, the design of the white-box encryption and decryption function generating algorithm is imperfect, because the encryption and decryption function in a white-box AES can generally be split into several 8 bit-to-8 bit pre-computation tables T. The tables T may be considered as adding an unknown affine mask layer F0−1 and an unknown affine mask layer F1 before and after an S-box respectively in the AES, where the input mask layer F0−1 includes 1-byte information of the key. Currently, there is an algorithm, which can recover the input and output mask layers if S and T are known. After the mask layers of T-boxes in two consecutive connected rounds are recovered, the attacker can obtain 1-byte information of the key. Subsequently, by repeating the foregoing process, the whole key can be recovered. Consequently, all disclosed white-box encryption and decryption function generating algorithms can be practically cracked with low attack complexity.