Is there any open-source white-box implementation of AES or DES?

Question

I googled it, but got no result. There is a binary executable of a white-box implementation of DES (scroll down), but no source code is provided.

The same page also links various papers about white-box cryptography, but these don't contain the implementation.

I want to study such an implementation to learn about the techniques used there.

As I understand, providing the source would make the whole game of If you like, try to extract the secret key trivial. I think an open-source implementation would have to include the compiler (or other tools) used to hide the key in the binary. — Paŭlo Ebermann, Jul 30 '11 at 16:13
Thanks for your comment. Thing that is obvious, the binary executable file produced from a source code. My query is, how can i obtain that code or an example implementation of white-box AES or DES? — ir01, Jul 30 '11 at 19:04
I suppose that as soon as the source code is available (to the attacker), the white-box security breaks down. But this is only my intuitation, I might be wrong here. (I only looked at the slides of the presentation, not the whole dissertation). (And no, I don't know anything. You could try to write an e-mail to the guy which created this thing.) — Paŭlo Ebermann, Jul 30 '11 at 19:14
I assume you already read the two papers linked on the page, from Chow et. al, White-Box Cryptography and an AES Implementation and A White-box DES Implementation for DRM Applications. These do not contain source code, but describe how to do this. (In effect, you are writing a program which generates the implementation, not the implementation itself.) The authors seem to create products from this. — Paŭlo Ebermann, Jul 30 '11 at 20:18
Check out this as well http://crypto.stackexchange.com/questions/6002/where-i-can-find-an-aes-implementation-in-python — curious, Oct 01 '13 at 12:55
Not open source, but nice for learning to break a white-box aes implementation: http://kryptologik.com/demo/js/DemoKey_encrypt.js — j.p., Apr 13 '15 at 16:27
Here is a link to an open implementation https://github.com/neticula/aes-crypt — , Dec 03 '15 at 19:41
@user29587: The AES implementation you link to is not a white-box implementation? — j.p., Dec 04 '15 at 08:01
This question should be opened (some modification in the language is needed). — hola, May 14 '21 at 03:05

score 12 · Answer 1 · edited Jun 17 '20 at 08:17

12

I add my whitebox AES implementation on GitHub in:

C++
Java

C++ version implements both Chow's (mixing bijections, input/output encodings, external encodings) and Karroumi's (dual AES in each column) whitebox AES scheme plus Billet's key recovery attack on both schemes.

Java implements Chow's scheme only.

PS: Due to low reputation I post links to schemes to the comment below.

edited Jun 17 '20 at 08:17

Community

1

answered Apr 06 '15 at 11:18

Dusan Klinec

251
2
4

– Dusan Klinec Apr 06 '15 at 11:18
I read your C++ implementation on github. I am interested in Chow's implementation only. But all of them are mixed together. How to differentiate them? – TJCLK Jun 18 '19 at 07:11
@LiDong try setting useDualAESARelationsIdentity=true; useDualAESIdentity=true; in the generator – Dusan Klinec Jun 18 '19 at 08:34
i can see the generated /tmp/aes-table. there's only one table. why the encrypt & decrypt use the same table? they suppose to use one encrypt table & one inverse decrypt table? – TJCLK Jun 18 '19 at 10:51
you have to generate both tables separately – Dusan Klinec Jun 19 '19 at 09:53
the decryption of Chow's scheme uses the "WBAESGenerator.cpp" and "WBAES.cpp"? – TJCLK Jun 19 '19 at 10:16

score 8 · Accepted Answer · edited Oct 09 '15 at 09:33

8

I've seen two implementations in the wild:

WBACR AES – SecureFW: Protection Framework
A dubious Russian implementation – White-box AES Implementation Generator

edited Oct 09 '15 at 09:33

e-sushi

17,891
12
83
229

answered Aug 19 '11 at 19:53

Samuel Neves

12,460
43
52

I always wanted to learn Slovak, now I have an additional reason ... (I know the papers are in Czech, but the languages are quite similar.) At least the source code has some english comments there, compared to the only russian ones in the second one. – Paŭlo Ebermann Aug 19 '11 at 20:29

e-sushi · Answer 3 · 2015-10-09T09:32:30.400

Adding my 2 cents, I would like to point out that many published methods for white-box cryptography have been broken. This includes…

white-box AES
_{“Cryptanalysis of White Box AES Implementation”

by Olivier Billet, Henri Gilbert, and Charaf Ech-Chatbi}
white-box DES
_{“Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings“

by Brecht Wyseur and Wil Michiels and Paul Gorissen and Bart Preneel}

… which have been crypto-analyzed and are known to be insecure ever since.

On the other hand, as long as you just plan to study implementation to learn about the techniques and not plan to actually implement them in practice, you should be fine. So, let's mention one of the implementations that haven’t been mentioned here yet – https://github.com/wbaes/wbaes

Junwei WANG · Answer 4 · 2018-02-09T09:29:22.497

3

94 White-box AES implementations can be found at WhibOx contest website.

https://whibox-contest.github.io/

Have fun!

edited Feb 09 '18 at 09:29

answered Feb 09 '18 at 09:10

Junwei WANG

361
4
8

And all of them are broken. :) – Biv Feb 09 '18 at 09:28

score 0 · Answer 5 · answered Aug 04 '11 at 16:30

0

I have a x86 assembly version of the basic AES algorithm I wrote when we briefly tried to remediate some 20 year old POS registers for PCI compliance. Turned out we didn't need it, but it was a great experience to write some assembler again.

I would be happy to share it if you feel it would be valuable. Please keep in mind that it is just the encryption portion, i.e. you supply it the Key and Data block and it returns the encrypted block. So you aren't getting anything that initializes a key, performs any salting, or any sort of rolling block encryption. Give it a 256-bit key, 256-bit data and get out 256-bit encrypted data.

I also have a version of it in .net c# which I wrote to prove my ASM.

answered Aug 04 '11 at 16:30

Bill

125
2

Thanks in advanced. Great implementation.but, i need a white-box implementation with embedded key, but your implementation get the key as an input parameter. – ir01 Aug 04 '11 at 22:12
5

@Bill, it sounds like you have an AES implementation, but I think ir01 wanted an implementation of "white-box AES". "White-box AES" is a somewhat obscure scheme derived from AES -- and in particular, it is not the same as AES. So an AES implementation probably won't help ir01. – D.W. Aug 05 '11 at 01:39

score -1 · Answer 6 · edited Sep 30 '13 at 22:43

-1

I'm not sure I get your Q? but do these links help

edited Sep 30 '13 at 22:43

e-sushi

17,891
12
83
229

answered Aug 04 '11 at 13:10

jspeshu

17
1

5

Take a look at the beginning of the paper http://joye.site88.net/papers/Joy08whitebox.pdf to get an idea what "white box implementation" means in cryptology. – j.p. Aug 04 '11 at 13:42
See this post http://crypto.stackexchange.com/questions/241/what-is-a-white-box-implementation-of-a-cryptographic-algorithm – ir01 Aug 04 '11 at 14:31
ok, I get it, that is dumb version of me, as always. – jspeshu Aug 05 '11 at 05:56

Is there any open-source white-box implementation of AES or DES?

6 Answers6