@article{Tang_Gong_Li_Zhao_2023, title={Revisiting the Computation Analysis against Internal Encodings in White-Box Implementations}, volume={2023}, url={https://tches.iacr.org/index.php/TCHES/article/view/11174}, DOI={10.46586/tches.v2023.i4.493-522}, abstractNote={<p>White-box implementations aim to prevent the key extraction of the cryptographic algorithm even if the attacker has full access to the execution environment. To obfuscate the round functions, Chow <em>et al.</em> proposed a pivotal principle of white-box implementations to convert the round functions as look-up tables which are encoded by random <em>internal encodings</em>. These encodings consist of a linear mapping and a non-linear nibble permutation. At CHES 2016, Bos <em>et al.</em> introduced <em>differential computation analysis</em> (DCA) to extract the secret key from the runtime information, such as accessed memory and registers. Following this attack, many computation analysis methods were proposed to break the white-box implementations by leveraging some properties of the linear internal encodings, such as Hamming weight and imbalance. Therefore, it becomes an alternative choice to use a non-linear byte encoding to thwart DCA. At CHES 2021, Carlet <em>et al.</em> proposed a structural attack and revealed the weakness of the non-linear byte encodings which are combined with a non-invertible linear mapping. However, such a structural attack requires the details of the implementation, which relies on extra reverse engineering efforts in practice. To the best of our knowledge, it still lacks a thorough investigation of whether the non-linear byte encodings can resist the computation analyses.<br>In this paper, we revisit the proposed computation analyses by investigating their capabilities against internal encodings with different algebraic degrees. Particularly, the algebraic degree of encodings is leveraged to explain the key leakage on the non-linear encodings. Based on this observation, we propose a new <em>algebraic degree computation analysis</em> (ADCA), which targets the mappings from the inputs to each sample of the computation traces. Different from the previous computation analyses, ADCA is a higher-degree attack that can distinguish the correct key by matching the algebraic degrees of the mappings. The experimental results prove that ADCA can break the internal encodings from degree 1 to 6 with the lowest time complexity. nstead of running different computation analyses separately, ADCA can be used as a generic tool to attack the white-box implementations.</p>}, number={4}, journal={IACR Transactions on Cryptographic Hardware and Embedded Systems}, author={Tang, Yufeng and Gong, Zheng and Li, Bin and Zhao, Liangju}, year={2023}, month={Aug.}, pages={493–522} }