On Provable White-Box Security in the Strong Incompressibility Model

. Incompressibility is a popular security notion for white-box cryptography and captures that a large encryption program cannot be compressed without losing functionality. Fouque, Karpman, Kirchner and Minaud (FKKM) deﬁned strong incompressibility , where a compressed program should not even help to distinguish encryptions of two messages of equal length. Equivalently, the notion can be phrased as indistinguishability under chosen-plaintext attacks and key-leakage (LK-IND-CPA), where the leakage rate is high. In this paper, we show that LK-IND-CPA security with superlogarithmic-length leakage, and thus strong incompressibility, cannot be proven under standard (i.e. single-stage) assumptions, if the encryption scheme is key-ﬁxing , i.e. a polynomial number of message-ciphertext pairs uniquely determine the key with high probability. Our impossibility result refutes a claim by FKKM that their big-key generation mechanism achieves strong incompressibility when combined with any PRG or any conventional encryption scheme, since the claim is not true for encryption schemes which are key-ﬁxing (or for PRGs which are injective). In particular, we prove that the cipher block chaining (CBC) block cipher mode is key-ﬁxing when modelling the cipher as a truly random permutation for each key. Subsequent to and inspired by our work, FKKM prove that their original big-key generation mechanism can be combined with a random oracle into an LK-IND-CPA-secure encryption scheme, circumventing the impossibility result by the use of an idealised model. Along the way, our work also helps clarifying the relations between incompressible white-box cryptography, big-key symmetric encryption, and general leakage resilient cryptography, and their limitations.


Introduction 1.White-Box Cryptography and Big-Key Encryption
Chow, Eisen, Johnson, and van Oorschot [CEJv03,CEJvO03] introduced the white-box attack model, where an adversary obtains full access to the implementation code of a cryptographic algorithm and is in full control of its execution environment.White-box cryptography aims at designing cryptographic implementations which remain secure in the presence of a white-box adversary.As of today, white-box programs are largely deployed for Digital Rights Management (DRM) and protecting mobile payment applications [EMV19,Sma14].Typically, white-box programs correspond to white-box versions of popular symmetric encryption schemes, such as the Advanced Encryption Standard (AES).
Defining security for white-box cryptography is intricate and has been studied by quite a number of works [SWP09, Wys11, DLPR14, FKKM16a, ABF + 20, AABM20, ABCW23, HITY22].In particular, Delerablée, Lepoint, Paillier, and Rivain (DLPR) [DLPR14] noted that necessary security goals for white-box programs include not leaking the key (security against key extraction) and not leaking the message (one-wayness).In addition, the authors also pointed out that white-box programs might be susceptible to so called code-lifting attacks, where an adversary simply copies the entire execution code of the program and runs a copy on any device of its choice [Bre12].As a mitigation technique against codelifting attacks, DLPR proposed the property of incompressibility.Constructions achieve incompressibility by designing large programs implementing the desired cryptographic operations which only remain functional in their complete forms, i.e. if such a program is compressed, or if fragments of it are removed, the program loses its functionality.The idea behind incompressibility is that a white-box adversary should not be able to copy the complete program due to its large size, e.g. it should be difficult to move such a large program over the network.At the same time, seeing (or copying) only some fractions of the program should not give enough information to the adversary for breaking the security of the program.For instance, an adversary who sees the incompressible program should not be able to derive a functionally equivalent program of smaller size, or should not be able to copy small fragments of the program and use them for decrypting arbitrary ciphertexts.

Incompressibility
As mentioned above, incompressibility was introduced in [DLPR14] as a means for whitebox programs to mitigate code-lifting attacks.In the syntax of an incompressible program, we depart from a symmetric encryption scheme of conventional size and use a white-box compiler to derive an incompressible encryption (or decryption) program.The incompressible program can then be used in combination with the encryption scheme for performing encryptions (or decryptions) in the white-box attack model, while the inverse operation can be performed using the original program of conventional size (and thus retaining the original efficiency).Incompressibility seems particularly interesting for white-box programs as it provides a means of mitigating code-lifting attacks without needing to rely on any external hardware or software components (in contrast to e.g.device-binding [ABF + 20, AABM20, ABCW23]).
Since its introduction, a line of works [DLPR14, FKKM16a, BBK14, BI15, BIT16, AAB + 19, KLLM20, KI21, HITY22] has presented constructions and concrete designs for incompressible ciphers according to various security definitions [DLPR14, FKKM16a, BI15, BIT16, AAB + 19, KI21,HITY22].All these definitions capture incompressibility intuitively as described in the beginning of this section, but differ on how an adversary obtains leakage from the incompressible white-box program, or how/whether the adversary may interact with encryption oracles after receiving key leakage.In particular, Fouque, Karpman, Kirchner, and Minaud (FKKM) [FKKM16a] introduced the strong incompressibility model, which is our main focus.
Adopting the terminology of IND-CPA-security of encryption schemes, the strong incompressibility model can be seen as indistinguishability under chosen plaintext attacks and key-leakage (LK-IND-CPA).The LK-IND-CPA model indeed allows the adversary to make encryption queries after seeing key leakage. 1 Intuitively, if the incompressible construction still has enough min-entropy conditioned on the leakage, e.g. a compressed version of the program, then the adversary should not be able to distinguish between encryptions of different messages.In other words, this model captures confidentiality, which implies security against key extraction and one-wayness.

Big-Key Encryption
A very similar model was considered by Bellare, Kane and Rogaway (BKR) in the context of big-key (symmetric) encryption [BKR16].In big-key encryption, keys of very large size are used as a means to achieve security in the bounded retrieval model (BRM), where we assume that the adversary can only exfiltrate a limited amount of data from a system under attack.BKR propose to use such large keys for deriving shorter subkeys, which can then be used for encrypting messages using conventional encryption schemes.For capturing security, BKR consider IND-CPA under leakage (which BKR refer to as LIND) and thus a model which is essentially identical to strong incompressibility.The two models only differ on their definitional style, since instead of bounding min-entropy directly, BKR consider a bounded-length leakage function which implies an upper bound on the lost min-entropy of the key.Throughout this paper, LK-IND-CPA refers to said IND-CPA under leakage model and we consider this definition in the context of incompressible white-box cryptography.For completeness, Section 5 shows formally that LK-IND-CPA is equivalent to strong incompressibility by FKKM and to the LIND model by BKR.

Similarities and Differences
White-box incompressibility and big-key encryption share not only common intuitive goals, as discussed above, but also possible use cases.Bogdanov and Isobe [BI15] discuss that incompressibility may be useful for thwarting mass surveillance, which BKR [BKR16] also mention as a main motivation of big-key encryption.The idea is that it may be admissible for a local user to store large keys on their own device.However, a large-scale surveillance project might not be able to store the keys of many users, if all users employ large keys.
The main syntactical difference between incompressible white-box cryptography and big-key symmetric encryption is the process of how large keys are generated.In big-key encryption, a large key is simply generated at random, and the same large key is used for both encryption and decryption.In white-box cryptography, however, the large key (or incompressible construction) is derived from a conventional (small-key) encryption scheme via a white-box compiler.The compiler takes the short key of the encryption scheme and compiles it into a functionally equivalent large key/program which performs encryptions secure under leakage.
Having functionally equivalent short and large keys is particularly useful in scenarios where only either encryption or decryption will be performed in the presence of a leakage adversary.For instance, if encryption and decryption are performed in a safe environment and a leaky environment respectively, then short key may be used for encryption while the large key should be used for decryption.

On Strong Incompressibility from Standard Assumptions
The central question that we address in this work is the following: Can white-box incompressible schemes based on conventional ciphers really be provably secure under standard assumptions?This question is motivated by the use of white-box cryptography for conventional ciphers such as AES using conventional cipher modes such as CBC mode.
We answer the above question in the negative.We show that, for some types of encryption schemes, it is impossible to achieve LK-IND-CPA security even with very mild leakage under simple assumptions.More concretely, we present a general negative result showing that, if a symmetric encryption scheme satisfies a property called key-fixing, then it cannot be proven secure under a super-logarithmic amount of leakage based on single-stage assumptions.A single-stage assumption is defined by a game played by a single adversary, which is the case for most standard definitions.For example, IND-CPA security (cf.game indcpa b ske,A (1 n ) in Fig. 1) is a single-stage assumption.In turn, LK-IND-CPA security (cf.game lkindcpa b bke,G,β,m (1 n ) in Fig. 1) is a two-stage assumption since the leakage-producing adversary A 1 and the main adversary A 2 only share a short leakage lkg produced by A 1 , but not their complete states.
Moreover, we show that the CBC mode of symmetric ciphers is key-fixing, when modelling the cipher as an ideal random permutation for each key.In other words, it is impossible to provably compile a CBC-mode-based encryption into its strongly incompressible version under single-stage assumptions.Our result highlights the importance of taking the cipher mode into account when arguing about the incompressibility of whitebox encryption schemes built from symmetric ciphers.Reasoning only about the security of the key generator does not suffice.For example, our result shows that FKKM's key generator cannot be used in combination with key-fixing symmetric-encryption schemes if we wish to have a provably secure white-box encryption scheme.

Technical Overview
Our goal is to show that the LK-IND-CPA security of a symmetric encryption scheme with super-logarithmic-length leakage cannot be reduced to any single-stage assumption in a black-box way.In the following, we will refer to the length of the leakage as β = ω(log n), where n is the security parameter.We will also assume that the a secret key is a bit string in {0, 1} m with m = poly(n).We will use the term WBE to refer to an incompressible white-box encryption scheme.We shall keep in mind, however, that our result also applies to big-key encryption.
Concretely, we prove via a meta-reduction that for any single-stage assumption modelled by a game G b , no PPT reduction R turns a pair of PPT adversaries (A 1 , A 2 ) with nonnegligible advantage against LK-IND-CPA security into a PPT algorithm R (A1,A2) with non-negligible distinguishing advantage against the game G b .

Meta-Reduction Outline
Our proof technique is inspired by the meta-reduction approach of Wichs [Wic13], who shows an impossibility result about leakage-resilient injective one-way functions.We here paraphrase the intuition given by Wichs in our context: Building a reduction to prove leakage-resilience or incompressibility is difficult, because the reduction first needs to give a key k to a first adversary A 1 , and then receives some leakage lkg about k.Then, the reduction gives lkg to a second adversary A 2 and additionally simulates an encryption oracle for A 2 .The reduction does not know how adversary A 1 computes the leakage.Therefore, it seems that the only way in which the reduction can simulate the leakage lkg and the encryption oracle ENC correctly together is by knowing the key k already (see Section 6 for a discussion).If the answers to the encryption oracle fix the key k uniquely, then we can actually formalise the above.Technically, Wichs would have implemented the above intuition using the two following steps.
1. First, sample a pair of inefficient adversaries (A 1 , A 2 ) which do not share any state and break the security of the WBE with non-negligible advantage.
2. Next, design a PPT simulator S that simulates both adversaries with a shared state Assume towards contradiction that there exists a single-stage assumption modelled by a game G b and a PPT reduction R which bases the LK-IND-CPA security of the encryption scheme on said assumption, then it follows that R S is PPT (because both R and S are), and has non-negligible advantage against G b (since (A 1 , A 2 ) comp ≈ S implies R (A1,A2) comp ≈ R S ), which contradicts the single-stage assumption.
Simulation vs. Attack.The above simulation does not give a valid attack against the scheme, because the two adversaries "cheat" by sharing a state.In fact, the shared state gives the second adversary the entire key rather than just the leakage.This difference is significant because there could be exponentially many possible keys which are consistent with the leakage, and thus it is infeasible for the second adversary to guess the key if given just the leakage.
However, if the reduction cannot detect this cheat, then it must be as successful when interacting with the pair of cheating adversaries as with the real (inefficient) adversaries (A 1 , A 2 ).Thus, a key point in the analysis will be to argue that, from the reduction's point of view, the pair of inefficient adversaries (A 1 , A 2 ) is indistinguishable from the efficiently simulated pair of cheating adversaries.Below, we outline the inefficient adversaries (A 1 , A 2 ) and their simulator in more detail.
Sampling Inefficient (A 1 , A 2 ).On a high-level, our simulatable attack works as follows: The adversary pair (A 1 , A 2 ) has a hardwired random function RO, with input space {0, 1} m and output space {0, 1} β .Note that β = ω(log n) therefore it is difficult to guess the output of RO on any given input.As required by the security definition of WBE (Definition 4), A 1 and A 2 do not share any state.
Adversary A 1 .We construct the first-stage adversary A 1 such that it simply outputs lkg ← RO(K) where K is the big key of the WBE.By construction, the length of the leakage is β, as permitted.
Adversary A 2 .The second-stage adversary A 2 receives leakage lkg as input and is given access to an encryption oracle encO.It queries sufficiently many messages to encO, until the key K is uniquely determined2 and then finds K by exhaustive search.If K does not match the leakage lkg, i.e. lkg = RO(K), the adversary A 2 returns 1.In turn, if K matches the leakage, then it will break the IND-CPA game by sending two distinct messages msg 0 and msg 1 to the challenge oracle encO, getting back a challenge ciphertext ctxt * , decrypting ctxt * using K, and returning 0 if the resulting plaintext is msg 0 , and 1, otherwise.
Efficiently Simulating (A 1 , A 2 ).The adversary A 2 is inefficient since it searches for K exhaustively.Nevertheless, it turns out that we can simulate the pair (A 1 , A 2 ) efficiently by a simulator S which emulates A 1 and A 2 jointly, i.e. the simulated adversaries are allowed to share a state.The simulated A 1 (which takes K as input) does not have a hardwired true random function.Instead, it implements RO jointly with the simulated A 2 via lazy sampling, and with queries and responses recorded in a table.The simulated A 2 will not perform an exhaustive search.Instead, it only tries out all polynomially-many values in the table, i.e. values of K that were used for querying A 1 .

Conceptual Reflections
We highlight some key points in the analysis of the above meta-reduction.

Soundness of Simulation.
To detect simulation, the reduction R needs to provide a leakage lkg = RO(K * ) to A 2 without querying A 1 on K * .Here, if the reduction is interacting with the simulated A 2 , it would not be successful, since the simulator wouldn't have the correct value of K * stored in its state.On the other hand, the real (inefficient) A 2 would successfully break IND-CPA as described above.However, R is only able to implement this distinguishing strategy with negligible probability, since random values of length β = ω(log n) are hard to guess.

Key-Fixing.
In order to make the above approach work, we need to assume that the key K is uniquely determined after seeing sufficiently many encryption queries.This property, analogous to Wichs' injectivity requirement [Wic13], seems necessary for our adversary to be successful.This is because, if there were too many keys, then the inefficient A 2 would pick an arbitrary key from multiple possibilities with no guarantee in decryption correctness.Indeed, this is how Hazay, Lopez-Alt, Wee, and Wichs (HLWW) [HLWW13] obtain feasibility results for leakage-resilient encryption.In turn, it is still quite unclear how practical encryption schemes could reasonably avoid key-fixing.As we will see in Section 4, CBC-mode is key-fixing when the cipher is modelled as a truly random permutation for every key.We also show that CBC-mode continues to be key-fixing when using different fractions of a large key for each encryption.
Different Models.Our lower bound conceptually also applies to both strong incompressibility and leakage-resilient encryption when the leakage bounds are chosen appropriately.
We prove the equivalence between strong incompressibility and leakage-resilient encryption in Section 5.

Outline
Section 2 provides additional background and definitions.Section 3 states and proves our main impossibility result.Section 4 illustrates that practical encryption schemes tend to be key-fixing by showing that CBC-mode is key-fixing even when using different chunks from a big key rather than only a small key.This result models the underlying cipher as a random independent permutation for every key.Section 5 relates strong incompressibility and leakage-resilient encryption.Section 6 discusses consequences of our impossibility result and possible avenues to circumvent it, both in theory and in practice.

Preliminaries
Let N = {1, 2, . ..} be the set of positive integers and N 0 = {0, 1, 2, . ..} be the set of non-negative integers.For ∈ N, write [ ] := {1, 2, . . ., }.We write log for log 2 , the base-2 logarithm.We denote the security parameter by n ∈ N. In big-key and white-box primitives, algorithms often take a length parameter m ∈ N as additional input.For conciseness, we often make the parameters n and m implicit.If S is a finite set, we write x ←$ S for sampling from S uniformly at random.For a probabilistic algorithm A, we write y ←$ A(x) for running A on the input x with implicit uniform randomness.If the randomness r is explicit, we write y ← A(x; r) instead.
We formalise security under leakage as a game played by a pair of adversaries (A 1 , A 2 ).Adversary A 1 computes leakage of the secret key and passes it to A 2 .
Definition 1 (Two-Stage Adversary Generators).Let G(1 n ) be an algorithm which outputs a pair of two algorithms (A 1 , A 2 ) forming a two-stage adversary.We call the algorithm G a two-stage adversary generator if G is probablistic polynomial-time and A 1 and A 2 also run in time polynomial in n.

White-Box Encryption
A white-box encryption scheme is derived from a symmetric encryption scheme with a key of conventional size.The small key of the latter can be transformed into a functionally equivalent big key.

White-Box Key Generation:
The randomised white-box key generation algorithm K ←$ wbkgen(k, 1 m ) generates a big key K ∈ {0, 1} m given a small key k ∈ {0, 1} n and a length parameter m ∈ N.
Small-Key Mode: (enc, dec) is an SKE scheme running on the short key.
Big-Key Mode: (Kenc, Kdec) is an SKE scheme running on the large key.
A WBE scheme wbe is correct if the following properties are satisfied: Small-Key Correctness: (enc, dec) is correct (as an SKE scheme).
Encryption Equivalence: In Definition 3, the small-key mode of a WBE works independently of the length parameter chosen for the big-key mode.In other words, a small key of a WBE scheme could have multiple equivalent big keys of different lengths.
We next define LK-IND-CPA security for white-box encryption, as introduced by HLWW, adapted to WBE, with the only difference being the key generation process.Namely, for white-box cryptography, we generate a pseudorandom large key from a smaller key.Note that the LK-IND-CPA model considered by FKKM [FKKM16a] (named strong incompressibility model), provides the adversary access to an additional encryption oracle, so it can obtain ciphertexts for chosen plaintexts.Our models in Fig. 1 do not explicitly provide access to such an encryption oracle, but the adversary can still obtain ciphertexts for chosen plaintexts simply by querying the challenge oracle with two equal messages is negligible, where the experiment lkindcpa b wbe,G,β,m for b ∈ {0, 1} is defined in Fig. 1.

Big-Key Symmetric Encryption
We recall the definition of big-key encryption (BKE) [BKR16].The syntax of BKE is almost identical to that of SKE, except that the (big-)key generation algorithm additionally inputs a length parameter m ∈ N which determines the size of the secret-key.

Impossibility Result
In this section, we prove that the (β, m)-LK-IND-CPA security of a WBE scheme cannot be black-box-reduced to any single-stage assumption, provided that the WBE scheme is key-fixing, and that the leakage β = ω(log n).In Section 3.1, we formalise single-stage assumptions and black-box reductions which establish the (β, m)-LK-IND-CPA security of WBE schemes as well as key-fixing.We then present our impossibility result in Section 3.2.

Single-Stage Assumptions, Black-Box Reductions, and Key-Fixing
Notation.In this section, we use the notation B → G b (1 n ) for the interaction between adversary B and the game G b (1 n ).We denote by 1 = B → G b (1 n ) the even that the adversary returns 1 when interacting with game G b (1 n ).This notation makes the adversary the "main routine" which calls the game (rather than making the game call the adversary).
Remark.The → notation is useful, because we can later write B = R A1,A2 and R A1,A2 → G b (1 n ).This way, the notation distinguishes between R's black-box interface to the twostage adversary (A 1 , A 2 ) and to the game G b (1 n ).In this notation, the security parameter is given to B and R implicitly.
Definition 7 (Single-Stage Assumption).A single-stage assumption is defined via two PPT games G 0 and G 1 which provide the same set of oracles Q to an adversary B. The assumption is then that for all PPT adversaries B, Example.The IND-CPA security game indcpa b ske,A (1 n ) (cf.Fig. 1) is a single-stage game, while the LK-IND-CPA game lkindcpa b bke,G,β,m (1 n ) (cf.Fig. 1) is a two-stage assumption since the leakage-producing adversary A 0 and the main adversary A 1 do not share their complete state.
Style.Definition 7 encodes security without an experiment environment, but instead the adversary B is the main procedure and calls oracles which are exposed by the game.This encoding is w.l.o.g., since one can always add an oracle for setup.It is convenient, since the interface between the adversary and the game is explicit.Moreover, encoding singlestage games as distinguishing games is w.l.o.g., since every search game with efficiently checkable winning condition can be encoded as a decision game by adding an oracle in the real world which returns 1 when the winning condition is satisfied, but always returns 0 in the ideal world.This encoding of single-stage games is borrowed from [BDF + 18] and requires query restrictions on adversaries to be formulated via silencing oracles à la Rogaway-Zhang [RZ18].
We now define what it means for a reduction to base security of a big-key encryption scheme on a single-stage assumption.
Definition 8 (Black-Box Reduction).Let (G 0 , G 1 ) be two games defining a single-stage assumption.Let wbe be a white-box encryption scheme.A PPT oracle algorithm R bases the (β, m)-LK-IND-CPA security of wbe on (G 0 , G 1 ) if for all (possibly inefficient) distributions G over (possibly inefficient) two-stage adversaries (A 1 , A 2 ) the following holds: is also non-negligible.See Fig. 2 for the behaviour of O 0 , O 1 , and O 2 .We call such an algorithm R a black-box reduction.

The reduction R can query O 0 [G] with an integer i to sample a new pair of adversaries
on as many inputs (i, K) as it likes, repeating both i and K. Similarly, R can query O 2 [G] on (i, lkg).It will then obtain several encryption requests from O 2 [G] and eventually obtain a bit b * .Our proof allows rewinding.However, all oracles are stateless and it is w.l.o.g. to assume that A i,1 and A i,2 do not have randomness beyond the randomness that was used by G to generate them.Similarly, we model rewinding of the adversaries by being able to query them multiple times with different inputs.
We now define key-fixing, which roughly means that a polynomial number of ciphertexts uniquely determine the key with high probability.Formally, we say that a scheme is keyfixing if there exists an algorithm UniqueChecker which determines with good probability whether the key associated with a given set of ciphertexts is unique.The number of required ciphertexts to determine uniqueness depends on the key size m, because if their accumulated length is less than m, the ciphertexts cannot determine the key informationtheoretically.Additionally, for local constructions, we need to have sufficiently many samples to access each key bit sufficiently frequently.We do not make the number of necessary ciphertexts explicit, but instead also allow it to depend on the scheme.Definition 9 (Key-Fixing).Let m, be polynomials in n.A symmetric-key encryption scheme (enc, dec) is (m, )-key-fixing if there is a PPT algorithm UniqueChecker such that the following hold: Correctness For any PPT algorithm R, A white-box encryption scheme (wbkgen, enc, dec, Kenc, Kdec) is (m, )-key-fixing if the symmetric-key encryption scheme (Kenc, Kdec) is (m, )-key-fixing.
The key-fixing property above which we require for our impossibility result on strong incompressibility corresponds to Wichs' [Wic13] injectivity requirement for their impossibility result on leakage-resilient one-way functions.Essentially, key-fixing is a probabilistic version of injectivity, saying that for honestly generated ciphertexts, the probability that they fix the key is overwhelming.We remark that the choice of the all zero message 0 is arbitrary -it suffices for the property to hold for some arbitrarily fixed message sequence.

Impossibility Result
Theorem 1.Let m, be polynomials in n.Let wbe be a correct (m, )-key-fixing white-box encryption scheme.If β = ω(log n), then there exists no black-box reduction which bases the (β, m)-LK-IND-CPA-security on a single-stage assumption, or the assumption is false.
In other words, the above theorem states that for all PPT reductions R and all (true) single-state assumption modelled by a pair of games (G 0 , G 1 ), the advantage Adv(R O0,O1,O2 , G 0 , G 1 ) is negligible.Of course, for an incorrect assumption, there might still be a successful adversary.
Proof of Theorem 1.Let the games (G 0 , G 1 ) model a single-stage assumption.If the assumption (G 0 , G 1 ) is false, then we are done.Below, assume that the assumption (G 0 , G 1 ) is true.
Recall that β = ω(log n) and wbe is correct and (m, )-key-fixing.Assume towards contradiction that there exists a PPT black-box reduction which bases the (β, m)-LK-IND-CPA-security of wbe on the assumption (G 0 , G 1 ).
Consider the distribution G of inefficient stateless adversaries defined in the left column of Fig. 3, and the distribution Ĝ of efficient stateful adversaries defined in the right column of Fig. 3. To prove Theorem 1, we will prove the following two claims: Claim 2 (Efficient Simulation).For any PPT reduction R and all b ∈ {0, 1}, Assuming that both claims hold, and that R is a black-box reduction from the (β, m)-LK-IND-CPA security of wbe to the single-stage assumption modeled by (G 0 , G 1 ), we conclude that We first note that, by the overwhelmingly unique condition of key-fixing (Definition 9), with overwhelming probability.Next, by the correctness condition of key-fixing, there is no second K = K * which could have yielded the same ciphertexts.Hence, K must be equal to K * .Finally, by correctness of the encryption scheme, we must have dec(K * , c * ) = b .
Proof of Claim 2. Observe that the only difference between G and Ĝ is that the random function hardwired in (A 1 , A 2 ) is simulated by lazy sampling in ( Â1 , Â2 ).Define R : ) and define R analogously.We observe that R and R produce identically distributed outputs except when there exists a tuple (i, K * , lkg) where all four following events and conditions are satisfied: where RO is the random function hardwired to the i-th instance of (A 1 , A 2 ).Since UniqueChecker(c 1 , . . ., c ) = 1, by the correctness property of key-fixing (Definition 9), there is only a unique key K * which is consistent with these ciphertexts.Since R did not query O 1 [G](i, K * ), the value RO(K * ) for this unique key K * is informationtheoretically hidden from R and thus the probability that the value lkg chosen by R is equal to RO(K * ) is negligible.

CBC-Mode with a Random Permutation is Key-Fixing.
We now prove that CBC mode is key-fixing when modelling the cipher as a (family of) truly random permutation π, i.e. for any key k ∈ {0, 1} n , we treat π(k, •) as a random permutation and π −1 (k, •) its inverse.We first prove this statement for the case where the key is not large (Section 4.1) and then handle the case with a large key (Section 4.2).In order to formalise this statement, we consider an FKKM-like construction where, for each encryption, a number of random indices into the large key are sampled, run through an extractor (which we implement by a random matrix), and then used as a key for CBC-mode (Section 4.2).This second result proves key-fixing for one example of obtaining small keys from large keys.Similar results can be proven for other natural approaches using different extractors as well, as long as all inputs bits are treated equally.

Key-Fixing of Small-Key CBC-mode
We start by describing CBC-mode.Since the length of some messages is not divisible by n, we first need to encode the message into a multiple of n.Definition 10 (Encoding scheme).We call two functions encode n : {0, 1} * → {0, 1} * and decode n : {0, 1} * → {0, 1} * an encoding scheme if the following hold: • encode n and decode n are computable in time polynomial in n and the input length.
• decode n is the inverse of encode n , i.e. for all x ∈ {0, 1} * , decode n can recover x from encode n (x), that is, we have decode n (encode n (x)) = x.In particular, encode n is injective, i.e. if x = x , then encode n (x) = encode n (x ).
• the length encode n only depends on the length of the input, i. • For all x ∈ {0, 1} * , |encode n (x)| is divisible by n.
Proof.Define UniqueChecker(c 1 , . . ., c ) to always return 1.Therefore, the overwhelmingly uniqueness condition is satisfied.We now turn to correctness.We prove that a PPT adversary R cannot come up with a ciphertext c 1 and a key k such that there exists a key k such that dec(k, c 1 ) = dec k (c 1 ) = 0 .Namely, for every nonce nc and keys k and k , there is a probability of 2 −n that π k (nc) = π k (nc).Now, let y := π k (nc) and assume that y = nc.Then, again, the probability that π k (y) = π k (y) is 2 −n .Letting y := π k (y) and again assuming that y / ∈ {y, nc}, the probability that π k (y ) = π k (y ) is 2 −n .And and we get the same probability for the next ciphertext block y := π k (y ) Thus, for triple (k, k , nc) such that |{y , y , y, nc}| = 4, we have that Taking a union bound over all nonces and pairs of distinct keys (nc, k, k ), the probability over π that such a nonce and pair (k, k ) exists, is 2 −n .Moreover, in a polynomial number of queries, R will not be able to find k and nc such that {nc, y, y } contains a collision, so that |{y , y , y, nc}| = 4 for all values that the reduction can compute.This concludes the proof of Theorem 2.

Key-Fixing of Big-Key CBC-Mode
We now construct a big-key symmetric encryption scheme bke π,CBC = (Kenc, Kdec) by augmenting the ske π,CBC scheme constructed above.In the construction below, we derive a subkey by multiplying a random binary matrix M to it.This gives us a subkey of conventional length, which we use for running the CBC-based encryption scheme from the previous subsection.Note that the construction below can equally be turned into an incompressible white-box encryption if the large key K is itself derived from a small key of conventional length.
Proof.As in the proof of Theorem 2, we construct UniqueChecker so that it almost always returns 1, but it now performs an additional check.Concretely, let M i denote the matrix specified in c i .UniqueChecker additionally checks that the matrix M := M 1 || . . .||M is of full rank m over the binary field {0, 1}.If so, UniqueChecker outputs 1. Else, it outputs 0. For a random m-by-t matrix over {0, 1} where t ≥ m, the probability that the matrix is of full rank m is at least 1 − m/2 t−m+1 .Setting t = n , the probability that M is of full rank m is at least 1 − m/2 m which is overwhelming in n.Thus the overwhelmingly unique property holds.
For correctness of UniqueChecker, observe that (a) the analysis of Theorem 2 now applies to each extracted key individually.Bootstrapping from the individual keys and using the full-rank matrix M , we then obtain uniqueness of the entire big-key K.
Remark.We remark that the above impossibility can be extended to the case where M is chosen to be a random sparse matrix (so that, for example, each encryption/decryption only depends on κ m bits of the big key K) as long as M = M 1 || . . .||M is of full rank m with overwhelming probability for some polynomial in m.
is negligible, where the experiment ENC − COM b µ,A (1 n ) runs as described in Section 5.
Definition 12 (LIND-security [BKR16, Figure 10]).A BKE-scheme is β-LIND-secure if for any PPT stateful adversary A the following probability is negligible, where Fig. 5 defines LIND b β,A (1 n ).Our previously defined LK-IND-CPA game defines an upper bound β on the leakage.Instead, LK-IND-CPA can also consider adversary pairs (A 1 , A 2 ) which ensure that the On Provable White-Box Security in the Incompressibility Model min-entropy of K conditioned on the leakage is greater than some value µ.With a strict upper bound β as defined previously, LK-IND-CPA is equivalent to LIND security, and with a min-entropy bound, LK-IND-CPA security is equivalent to strong incompressibility.We now show that if a scheme is LK-IND-CPA secure w.r.t. a strict upper bound β, then it is also LK-IND-CPA secure with a closely related upper bound on the leakage resulting from the following claim.
Proof.The claim follows by a counting argument.There are 2 m values of K and at most 2 β leakage values of lkg.For any fixed leakage lkg, write Let S be the set of lkg such that elements.Thus, the fraction of keys K which lead to leakage that has too low min-entropy is at most 2 m−δ 2 m = 2 −δ , which is negligible, which concludes the proof.
Therefore, when an adversary is a valid adversary w.r.t.leakage bounded by β, then the adversary is also a valid adversary w.r.t.min-entropy |K| − β − δ for any δ = ω(log n).Hence, our impossibility result also applies to models which consider min-entropy.

Discussion
We now discuss consequences of our impossibility result.
Implication to FKKM's Strong Incompressibility Model.FKKM [FKKM16a] use a symmetric-key cipher, e.g.AES, to generate large look-up tables as well as their input queries.These tables are intended as an incompressible key generator for deriving subkeys, to be fed into a PRG or any conventional encryption scheme for encrypting messages.
In their original paper, FKKM claim that this composition yields LK-IND-CPA-security based on the security of the underlying cipher.However, this contradicts our impossibility result, and indeed, FKKM did not provide arguments to support the claim.More concretely, the security proof only argues about indistinguishability of keys, but the reduction does not emulate encryption oracles.Therefore the security argument is insufficient for proving LK-IND-CPA-security, but only a weaker (or incomparable) model of security.Inspired by our impossibility result, FKKM revisited their security analysis [FKKM16b, Appendix D] and now prove that their key generator can be combined with a length-expanding random oracle to yield an LK-IND-CPA-secure encryption scheme in the random oracle model.The use of idealised models circumvents our impossibility result.
(Non-)Implication to Other Models.Our impossibility result does not apply to weaker incompressibility models without encryption oracles, as considered, for example, in [DLPR14, BI15, BIT16, BBK14, CCD + 17, AAB + 19, KLLM20, KI21].Although we present our negative result in the context of incompressible white-box cryptography, it readily generalises to any leakage-resilient encryption scheme whose security implies LK-IND-CPA-security, such as big-key symmetric encryption.For completeness, we showed formally that both FKKM's strong incompressibility and the BKR's LIND-security are equivalent to LK-IND-CPA-security (cf.Section 5).
Circumventing our Impossibility Result.Given that our impossibility result rules out proving key-fixing schemes secure under single-stage assumptions in the standard model, natural approaches towards circumvention include: • proving security in an idealised model such as the random oracle model (ROM), • proving security under two-stage assumptions, or • designing a non-key-fixing scheme.
Using Random Oracles or Two-Stage Assumptions.Highly efficient encryption with provable LK-IND-CPA-security with large leakage was achieved in the context of big-key encryption in BKR [BKR16] and a follow-up work by Bellare and Dai (BD [BD17]) in the random oracle model.In particular, BKR and BD seek to reduce the number of (blocks of) bits accessed by, i.e. the locality of, the encryption algorithm to securely derive a subkey, where the former is modelled as a function of (1) the key size and (2) the output length of the adversarially chosen leakage function.
BKR and BD further show that the random oracle can be instantiated using universal computational extractors (UCE) [BHK13].UCEs are a strong two-stage-assumption for hash-functions which, in some cases, can be instantiated from indistinguishability obfuscation [BFM14] in a provably secure, yet inefficient way.As of now, no practically efficient, provably secure constructions of UCEs based on standard assumptions are known.
Although the BKR construction of big-key encryption falls short of being a white-box encryption scheme due to the lack of functionally equivalent small keys, the latter can be easily added by deriving the big key from a small key using a PRG.
Using Non-Key-Fixing Constructions.A very exciting feasibility result for building LK-IND-CPA-secure encryption schemes under the mere assumption of one-way functions was provided by HLWW [HLWW13].While "natural" encryption schemes tend to satisfy keyfixing, as illustrated by our result for CBC-encryption in Section 4, HLWW demonstrate that there are meaningful ways of introducing redundancy which allows to prove leakageresilience beyond log n many bits and thus circumvent our impossibility result.
Crucially, their scheme has key material which is never accessed for the generation of honest ciphertexts.A sequence of subtle game-hops then moves to a situation where, for the challenge ciphertext, the additional key material is accessed, so that one obtains information-theoretic security for the challenge ciphertext.The difficult argument is to show that this modified challenge ciphertext which accesses the additional information is indistinguishable from a real ciphertext, using hash-proof systems.Specifically, HLWW introduce symmetric-key weak hash proof systems (wHPS), which can be seen as a special type of PRFs which can take as input values from valid and invalid distributions.Given multiple (valid) input-output pairs and one random invalid input, the corresponding output on the invalid input should be uniformly random and statistically independent from the previously obtained input-output pairs.HLWW construct wHPS from weak PRFs (wPRFs) and show how wHPS can be used for constructing leakage resilient wPRFs by simply applying a randomness extractor to the output of the wHPS.Then, given such leakage-resilient wPRF, messages can easily be encrypted in an LK-IND-CPA-secure way by padding them with outputs of the leakageresilient wPRF.Crucially, a leakage-resilient wPRF constructed via the above complicated process is not key-fixing, which circumvents our impossibility result.
The HLWW construction as outlined above achieves a moderate leakage rate of log(n) n and uses the complete secret key for each encryption.HLWW show that using t parallel repetitions of the above construction and random sampling yields a big-key encryption scheme with significantly improved locality while retaining the leakage rate t•log(n) t•n = log(n) n .Recently, Quach, Waters and Wichs (QWW) [QWW21] provide a construction secure against the same leakage rate, based on pseudo-entropy functions which are derived from targeted lossy functions based on injective PRGs.Unlike HLWW, the ciphertext size in QWW do not increase with the leakage bound, but the secret key size does.
Summary.Amongst all options for circumventing our impossibility result, it seems that opting for a weaker security model for incompressibility is not advisable, because the encryption oracle is close to a real-life attacker capability3 .However, when seeking to prevent code-lifting attack [Bre12], if the hardware supports it, a promising alternative is to aim for hardware-binding [CdRP14, SdHM15, BBIJ17, AABM20], since provably secure constructions are feasible in this domain [ABCW23, ABF + 20].
As HLWW and QWW show, developing tailor-made ciphers which are provably strongly incompressible under standard assumptions is theoretically feasible, but at present remains impractical.While this might change at some point in the future, the BKR and BD approaches of using strong (two-stage) assumptions on hash-functions, or the BKR, BD, and FKKM approaches to use a random oracle seem to lead to more practical constructions.
Additionally, it might be feasible to mix ideal-model analysis and cryptanalysis for a higher degree of confidence.For example, hash-functions are usually presented with a proof of indifferentiability, assuming only that smaller building blocks are ideal, and a similar style of results might be possible and desirable for incompressibility.In particular, this latter avenue potentially allows us to still prove security for standard encryption schemes.
In summary, from our perspective, one should either aim for device-binding instead of incompressibility, or, if one needs to aim for incompressibility, then the most promising way to achieve high-confidence security of real-life constructions is to employ a mix of cryptanalysis and ideal-model analysis.

Figure 2 :
Figure 2: Oracles given to black-box reductions which establish (β, m)-LK-IND-CPA security of wbe.The oracle encO is implemented by the caller of O 2 .
which contradicts the single-stage assumption.It remains to prove the two claims.Proof of Claim 1.We argue that G almost always breaks (β, m)-LK-IND-CPA-security when directly interacting with the security game lkindcpa b wbe,G,β,m (n), i.e. the advantage Adv lkindcpa wbe,G,β,m (n) is overwhelming.For sanity check, we note that for any (A 1 , A 2 ) generated by G, A 1 has output length exactly β.It therefore remains to show that A 2 guesses the hidden bit b correctly except with negligible probability.