CN105591734A

CN105591734A - White-box cryptograph non-linear encoding protection method based on table lookup

Info

Publication number: CN105591734A
Application number: CN201510202424.0A
Authority: CN
Inventors: 熊婉君; 李灵琛; 韦永壮; 丁勇
Original assignee: Guilin University of Electronic Technology
Current assignee: Guilin University of Electronic Technology
Priority date: 2015-04-24
Filing date: 2015-04-24
Publication date: 2016-05-18

Abstract

The invention discloses a white-box cryptograph non-linear encoding protection method based on table lookup. The white-box cryptograph non-linear encoding protection method comprises the steps of: dividing m variables of a cryptographic algorithm into n groups, wherein each group comprises 16 bits, and subjecting the groups to Q0<1>, Q1<1>, ... , Qn-1<1> nonlinear transformation in sequence; regarding output results as input of an internal obfuscation part of the cryptographic algorithm of an SP structure, taking an AES algorithm for an example, and carrying out T transformation and MixColumns transformation; subjecting obtained results to one-time m bit input and m bit output nonlinear W<1>transformation; and acquiring final results of this turn of iteration, and sending the final results to the subsequent turn of iteration step. According to the white-box cryptograph non-linear encoding protection method, internal and external codes are subjected to non-linear bijective conversion simultaneously, and required operation is small since the algebraic degree of a single S box is no more than 8 and cannot be increased by MixColumn components and external radiation obfuscation codes; in addition, a master cryptography key is not directly restored when facing external algebra interpolation attacks, but an equivalent decrypting Boolean system is constructed, thus the security of the white-box cryptograph non-linear encoding protection method is higher.

Description

A kind of white box password non-uniform encoding guard method based on tabling look-up

Technical field

The present invention relates to information security field, be specifically related to a kind of white box password non-uniform encoding guard method based on tabling look-up.

Background technology

In the Design and implementation of traditional cryptographic algorithm and security protocol, be generally that the running environment terminal of supposition cryptographic algorithm is safe, believable, the security of whole system is the confidentiality of key. But along with the development of digital information technology, research finds that cipher software is normally operated in a unsafe environment, such as malice virus and dishonest user's existence. Under this environment, assailant can, by observing or carry out cipher software, be easy to catch key information. A new security challenge is: under the open environment of software code, how key information is directly hidden in the realization of algorithm, and makes assailant cannot extract key. For this problem, first the people such as Chow have proposed white box attack context (White-BoxAttackContext): assailant is to the complete visible environment of the software execute process of cryptographic algorithm. Under this environment, assailant, by observing or carry out password program, is easy to extract key. And the main purpose of white box password is for Protective Key in white box attack context, takes precautions against assailant and utilize cipher software implementation to catch key information. The fundamental design idea of white box password is: for given cryptographic algorithm and key information, the mapping that expressly transforms to ciphertext has also just been determined; Expressly carrying out scrambling and coding (obfuscationencoding) to the mapping of ciphertext, the implementation of cryptographic algorithm completes by the method for look-up table, and key is hidden in form, but assailant cannot extract key by look-up table. But, at present about all there is a common issue in the scheme of white box password, utilize the input and output feature of look-up table, in eliminating, take turns after the non-linear partial of scrambling and coding, and the only remaining linear scramble computing of external coding, therefore under white box condition, be broken required amount of calculation less, the security of password still needs further raising.

Summary of the invention

For the deficiency of above-mentioned technology, a kind of white box password non-uniform encoding guard method based on tabling look-up of the present invention provides built-in coding and external coding to adopt non-linear dijection conversion to realize simultaneously, attacks thereby can resist algebraically difference, has safe feature.

The technical scheme that realizes the object of the invention is:

A kind of white box password non-uniform encoding guard method, comprises the steps:

1) m in original code algorithm responsive argument is divided into n and organizes every group of 16 bits, pass through successivelyNon-linear scramble;

2) using step 1) in the output of Q conversion as the input of the inside scramble of original code algorithm SP structure, wherein convert through T conversion and MixColumns successively;

3) by step 2) in all outputs, through a W¹Conversion;

4) using step 3) output as the final Output rusults of epicycle iterative process, and send in cryptographic algorithm next round iterative step, to the last one take turns end, thereby obtain the ciphertext of white box password.

Step 1) in, Q is transformed to 16 bits with good Cryptographic Properties of constructing by Properties of Boolean Functions and inputs the external non-linear scramble that 16 bits are exported, and its algebraic degree is at least 8 times.

Step 2) in, each border of taking turns in the encryption and decryption flow process of change original code algorithm, taking aes algorithm as example: change behind the wheel border of AES, AddRoundKey and SubBytes are combined, these two steps combine and can represent with T-Box. The computing formula of T-Box is as follows:

T_{i, j}^{r} (x) = S (x &CirclePlus; K_{i, j}^{r - 1}), r = 1, . . ., 9, i, j = 0, . . ., 3 - - - (1)

T_{i, j}^{10} (x) = S (x &CirclePlus; K_{sr (i, j)}^{10}), i, j = 0, . . ., 3 - - - (2)

Wherein, K_i,j ^rBe the sub-key of r wheel at unit (i, j), sr (i, j) represents that unit (i, j) is in the position after ShiftRows operation, and S represents the S box of AES.

Step 2) in, MixColumn operation acts on each time one and lists, and can represent by the column vector that the matrix M C of 32 × 32 (bit) is multiplied by 32 bits. If whole MixColumn represents with a form, the size of this form is 2³²' 32=16GB. In order to prevent, with big look-up table like this, MC being divided into 2 parts by row, MixColumn operation can represent with following formula:

\begin{matrix} MC \cdot {(x_{0} . . . x_{31})}^{T} \\ = (M C_{0} | | M C_{1}) \cdot {(x_{0} . . . x_{31})}^{T} \\ = M C_{0} \cdot {(x_{0} . . . x_{15})}^{T} &CirclePlus; M C_{1} \cdot {(x_{16} . . . x_{31})}^{T} \end{matrix} - - - (3)

Wherein, the form that MC is MixColumn represents mode, MC₀、MC₁For left and right two parts of MC.

Therefore, the calculating of MixColumns can split into the conversion composition of 2 16 bits to 32 bits, then 2 transformation results is carried out to XOR and obtains last MixColumn result.

Step 3) in, W¹Be transformed to the nonlinear transformation of the input of m bit, the output of m bit.

Beneficial effect of the present invention:

Compared with prior art, the present invention proposes built-in coding and external coding adopts non-linear dijection conversion simultaneously, because the algebraic degree of single S box is no more than 8 times, and row obscure parts and external radiation scrambling and coding can't improve algebraic degree, therefore computing required for the present invention is less; In addition, the present invention, in the time attacking in the face of outside Algebraic interpolation, can directly not recover master key, but construct a deciphering Boolean system of equal value, and therefore confidentiality of the present invention and security are stronger.

Brief description of the drawings

Fig. 1 is a kind of white box design drawing of single-wheel of the white box password non-uniform encoding guard method based on tabling look-up.

Detailed description of the invention

Below in conjunction with accompanying drawing, the present invention is further elaborated, but is not limitation of the invention.

Embodiment:

A kind of white box password non-uniform encoding guard method based on tabling look-up:

3) by step 2) in all outputs, through a W¹Conversion;

T_{i, j}^{r} (x) = S (x &CirclePlus; K_{i, j}^{r - 1}), r = 1, . . ., 9, i, j = 0, . . ., 3 - - - (1)

T_{i, j}^{10} (x) = S (x &CirclePlus; K_{sr (i, j)}^{10}), i, j = 0, . . ., 3 - - - (2)

\begin{matrix} MC \cdot {(x_{0} . . . x_{31})}^{T} \\ = (M C_{0} | | M C_{1}) \cdot {(x_{0} . . . x_{31})}^{T} \\ = M C_{0} \cdot {(x_{0} . . . x_{15})}^{T} &CirclePlus; M C_{1} \cdot {(x_{16} . . . x_{31})}^{T} \end{matrix} - - - (3)

Particularly, the white box password non-uniform encoding guard method based on tabling look-up, its built-in coding and external coding adopt non-linear dijection conversion to realize simultaneously, as shown in Figure 1, comprise the steps:

1, establish the original x of being input as_i, i=0...n-1, wherein x_iRepresent 16 bits, calculate Q_i ¹(x_i)，i＝0...n-1；

2, the result of step 1 is divided into 2n group, every group of 8 bits, are designated as q_i, i=0...2n, then taking four 8 bits as one group, odd number group is calculated

(T_{0,0}^{1} (q_{4 * i + 0}), T_{11}^{1} (q_{4 * i + 1}), T_{2,2}^{1} (q_{4 * i + 2}), T_{3,3}^{1} (q_{4 * i + 3})), i = 0,2,

Even number set calculating (

(T_{0,3}^{1} (q_{4 * i + 3}), T_{1,2}^{1} (q_{4 * i + 1}), T_{2,1}^{1} (q_{4 * i + 2}), T_{3,0}^{1} (q_{4 * i + 3})), i = 1,3;

3, be one group by four 8 bits of the result of step 2, be designated as T_i, i=0...3, calculates MixColumns (T_i)；

4, using all Output rusults of step 3 (m bit) as last W¹Input, be designated as mc, calculate W¹(mc) input that, result is next round.

False code is as follows:

Input(x_i)

Q_i ¹(x_i)

T_i＝T(q)

mc＝MixColumns(T_i)

W¹(mc)

Output(W¹)。

Claims

1. the white box password of the white box non-uniform encoding guard method based on tabling look-up, is characterized in that, comprises the steps:

1) m in original code algorithm responsive argument is divided into n group (every group of 16 bits), passes through successivelyNon-Linear scramble;

2) using step 1) in the output of Q conversion as the input of the inside scramble of original code algorithm SP structure, wherein warp successivelyCross T conversion and MixColumns conversion;

3) by step 2) in all outputs, through a W¹Conversion;

4) using step 3) output as the final Output rusults of epicycle iterative process, and send into cryptographic algorithm next round iteration stepIn rapid, to the last one take turns end, thereby obtain the ciphertext of white box password.

2. the white box password non-uniform encoding guard method based on tabling look-up according to claim 1, is characterized in that, stepRapid 1) in, Q is transformed to 16 bits with good Cryptographic Properties of constructing by Properties of Boolean Functions and inputs 16 bit outputsExternal non-linear scramble, and its algebraic degree is at least 8 times.

3. the white box password non-uniform encoding guard method based on tabling look-up according to claim 1, is characterized in that, stepRapid 2), in, each border of taking turns in the encryption and decryption flow process of change original code algorithm, taking aes algorithm as example: the wheel that changes AESBehind border, AddRoundKey and SubBytes are combined, these two steps combine and can come with T-BoxRepresent. The computing formula of T-Box is as follows:

T_{i, j}^{r} (x) = S (x &CirclePlus; K_{i, j}^{r - 1}), r = 1, . . ., 9, i, j = 0, . . ., 3 - - - (1)

T_{i, j}^{10} (x) = S (x &CirclePlus; K_{i, j}^{10}) &CirclePlus; K_{sr (i, j)}^{10}, i . j = 0, . . ., 3 - - - (2)

Wherein, K_i,j ^rBe the sub-key of r wheel at unit (i, j), sr (i, j) represents that unit (i, j) is at process ShiftRowsPosition after operation, S represents the S box of AES.

4. the white box password non-uniform encoding guard method based on tabling look-up according to claim 1, is characterized in that, stepRapid 2), in, MixColumn operation acts on each time one and lists, and can be multiplied by one with the matrix M C of 32 × 32 bitsThe column vector of individual 32 bits represents. If whole MixColumn represents with a form, the size of this form is2³²× 32=16GB. In order to prevent with big look-up table like this, MC being divided into 2 parts by row, MixColumn operationCan represent with following formula:

\begin{matrix} MC \cdot {(x_{0} . . . x_{31})}^{T} \\ = ({MC}_{0} | | {MC}_{1}) \cdot {(x_{0} . . . x_{31})}^{T} \\ = {MC}_{0} \cdot {(x_{0} . . . x_{15})}^{T} &CirclePlus; {MC}_{1} \cdot {(x_{16} . . . x_{31})}^{T} \end{matrix} - - - (3)

Therefore, the calculating of MixColumns can split into the conversion composition of 2 16 bits to 32 bits, then by 2Individual transformation results is carried out XOR and is obtained last MixColumn result.

5. the white box password non-uniform encoding guard method based on tabling look-up according to claim 1, is characterized in that, stepRapid 3) in, W¹Be transformed to the nonlinear transformation of the input of m bit, the output of m bit.