WO2002046890A2 - System and method for protecting computer software from a white box attack - Google Patents
- Publication number
- WO2002046890A2 (PCT/CA2001/001729)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- steps
- generating
- input
- linear
- software
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/08—Randomization, e.g. dummy operations or using noise
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/16—Obfuscation or hiding, e.g. involving white box
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
Definitions
- The present invention relates generally to computer software and electronic hardware, and more specifically, to a method, apparatus and system resistant to a "white box attack"; that is, a system which will protect certain information from discovery even when the attacker has total visibility into software implementation and execution.
- Information security issues can generally be categorized as one of the following:
- D) non-repudiation where the goal is to prevent a party from denying that they made a certain communication.
- Non-repudiation is often used in electronic commerce transactions, particularly in bidding and negotiation environments.
- One method of maintaining confidentiality or privacy that has demonstrated widespread use and acceptance is encryption of data using secret cryptographic keys. Such methods are generally accepted as secure, as an attacker must perform an impractically large number of mathematical tests to identify the cryptographic key required to decode a given encrypted data file. Cracking the Data Encryption Standard (DES) for example, would require an average of 2^55 different keys to be tested, requiring more than 1 thousand years of testing at a rate of one million key tests per second.
- DES Data Encryption Standard
- DES is just one of several block cipher methods which are very fast and are widely used - block ciphers are schemes in which data is divided up into blocks which are encrypted and decrypted separately from one another. If the cryptographic key is kept secure, it offers very good security.
- Smart Cards are credit card-sized devices which have a small amount of electronic memory and a small microprocessor. They are often used in electronic commerce applications or to record personal information such as health records.
- black box attack This is a situation where the attacker has knowledge of the algorithm and may examine various inputs to and outputs from the algorithm, but has no visibility into the execution of the algorithm itself. Typical black box attacks are categorized as follows:
- DPA Differential Power Analysis
- the DPA attack shows that having very limited access to the execution of an algorithm designed to defend against a black box attack, is sufficient to make that algorithm completely insecure. Therefore, encryption algorithms must be designed to be secure against a much more powerful attack model - the "white box attack".
- A white box attack is simply an attack on a software algorithm in which the attacker has full visibility into the execution of the algorithm (note that the DPA attack may be characterised as a "grey box attack" because the attacker is only able to observe a small part of the execution).
- A) existing general-purpose commercial software obfuscators use a variety of techniques including: removal of debugging information, changing variable names, introducing irreducible flow graphs, and particularly in the case of Java, modifying code structures to avoid stereotyped forms for source control structures. These methods produce superficial changes, but the information exposed by deeper analyses employed by optimizing compilers and similar sophisticated tools is changed very little. The data flow and control flow information exposed by such analyses is either not affected at all, or is only slightly affected, by the above methods of obfuscation; B) attempts have also been made to hide the real code by introducing dummy code, for example, by making every other statement a dummy statement designed to look much like the real code.
- Apparatus issuing to Aucsmith et al. makes two suggestions: i) splitting the cryptographic key into pieces stored in different locations in the software code, and ii) encoding a program in separate sections, decoding only those sections needed, when they are to be executed.
- One aspect of the invention is broadly defined as a method of modifying software algorithms to foil tracing and other static, dynamic, and statistical attacks comprising the steps of: encoding the software algorithm; and widely diffusing sites of information transfer and/or combination and/or loss.
- Another aspect of the invention is defined as a method of protecting computer software comprising the steps of: identifying functions and transforms substantive to the targeted software program; generating new functions and transforms which alter the processing activity visible to the attacker; and replacing those identified functions and transforms with the new functions and transforms in the software program.
- Another aspect of the invention is defined as an apparatus for modifying software algorithms to foil tracing and other static, dynamic, and statistical attacks comprising means for encoding the software algorithm; and means for widely diffusing sites of information transfer and/or combination and/or loss.
- a further aspect of the invention is defined as a computer readable memory medium, storing computer software code executable to perform the steps of: encoding the software algorithm; and widely diffusing sites of information transfer and/or combination and/or loss.
- An additional aspect of the invention is defined as a computer data signal embodied in a carrier wave, the computer data signal comprising a set of machine executable code being executable by a computer to perform the steps of: encoding a software algorithm; and widely diffusing sites of information transfer and/or combination and/or loss.
- Figure 1 presents a flow chart of a general algorithm for implementation of the invention
- Figure 2 presents an exemplary computer system in which the invention may be embodied
- Figure 3 presents a data flow diagram of the outer structure of the DES algorithm
- Figure 4 presents a data flow diagram of a single round of the DES algorithm
- Figure 5 presents a flow chart of a method of partial evaluation in an embodiment of the invention
- Figure 6 presents a flow chart of a method of generating encoded functions and networks in an embodiment of the invention
- Figure 7 presents a flow chart of a method of input/output-blocked encoding in an embodiment of the invention
- Figure 8 presents a flow chart of a method of by-pass encoding in an embodiment of the invention
- Figure 9 presents a data flow diagram of two rounds of DES with targeted sections identified, in an embodiment of the invention
- Figure 10 presents a data flow diagram of two rounds of DES modified in a manner of the invention
- Figure 11 presents a data flow diagram of a technique for effecting a 5-bit permutation using only 3-bit permutation modules, in an embodiment of the invention
- Figure 12 presents a data flow diagram of a technique for effecting a 4-bit permutation using only 3-bit permutation modules, in an embodiment of the invention
- Figure 13 presents a data flow diagram of a 9 x 9 Banyan Network for data mixing in an embodiment of the invention
- Figure 14 presents a flow chart of a method of "red path" encoding in an embodiment of the invention
- Figure 15 presents a flow chart of a method of "big bundle encoding" in an embodiment of the invention
- Figure 16 presents a data flow diagram of a technique for addressing the information configuration problem, in an embodiment of the invention
- Figure 17 presents a flow chart of a method of addressing the information configuration problem, in an embodiment of the invention.
- The invention provides ways to make finding an embedded cryptographic key or other hidden information combinatorially difficult for the attacker, even under this severe threat model.
- Such methods are inherently bulkier and slower than black-box cryptography, but there are many applications in which the tradeoff is well worthwhile, including, for example, Smart Cards and their hardware alternatives.
- processing activity disappear by generating new transforms that eliminate data (like constants, etc.) and processing steps (such as combining two transforms together into one);
- The invention can be employed to protect any manner of software from being analysed, reverse-engineered, or simply observed to discover secure data such as cryptographic keys.
- Cryptographic keys can then be incorporated into software programs without the danger of the cryptographic key being disclosed, or the program being altered to do anything other than what it was originally intended to do.
- Executable music files for example, can be bound to a particular processing device or to a password, and attackers are unable to modify the code to allow it to be used by others or on other devices.
- passwords, biometric data and other secure programs and data files can also be securely stored, transferred and executed using the method of the invention.
- the cost of the invention is very small and the invention can be transported electronically.
- the invention has none of the costly administrative and physical limitations of hardware solutions.
- The degree of complexity of the invention is easily scalable, so that the degree of analysis required to overcome it can be made impractically great.
- This computer system 14 includes a display 16, keyboard 18, computer 20 and external devices 22.
- the computer 20 may contain one or more processors or microprocessors, such as a central processing unit (CPU) 24.
- the CPU 24 performs arithmetic calculations and control functions to execute software stored in an internal memory 26, preferably random access memory (RAM) and/or read only memory (ROM), and possibly additional memory 28.
- The additional memory 28 may include, for example, mass memory storage, hard disk drives, floppy disk drives, magnetic tape drives, compact disk drives, program cartridges and cartridge interfaces such as those found in video game devices, removable memory chips such as EPROM or PROM, or similar storage media as known in the art.
- This additional memory 28 may be physically internal to the computer 20, or external as shown in Figure 2.
- the computer system 14 may also include other similar means for allowing computer programs or other instructions to be loaded.
- Such means can include, for example, a communications interface 30 which allows software and data to be transferred between the computer system 14 and external systems.
- Communications interface 30 can include a modem, a network interface such as an Ethernet card, or a serial or parallel communications port.
- Software and data transferred via communications interface 30 are in the form of signals which can be electronic, electromagnetic, optical or other signals capable of being received by communications interface 30.
- Input and output to and from the computer 20 is administered by the input/output (I/O) interface 32.
- This I/O interface 32 administers control of the display 16, keyboard 18, external devices 22 and other such components of the computer system 14.
- data being encoded or decoded is broken down into sixty-four-bit blocks which are operated upon separately.
- DES inputs a sixty-four-bit block to be encrypted or decrypted and a sixty-four-bit raw key and outputs a sixty-four-bit result. Only fifty-six bits of the raw key are actually used: the low-order bit of each raw key 8-bit byte is discarded, or can be used for parity.
- (A function is onto if each element in the set of outputs is the image of at least one element in the set of inputs.)
- Each QPM operation is controlled by a table which for each to-bit of the output bit-string gives the from-bit in the input bit-string whose value it has, except for key-shift QPMs, which are simple rotation permutations, each of which is described by a simple signed shift count;
- the outer box 34 represents the entire DES algorithm, whether encryption or decryption.
- the inner structure of DES comprises sixteen rounds of processing 36, which are identical except for one minor variation in the final round and the variations in one of the internal QPM operations, namely, the key shift, QPMe, which is explained hereinafter.
- the initial permutation, QPMa at step 38, and the final permutation, QPMc at step 40 are true permutations, that is, there are no omissions and no duplicated bits.
- QPMc at step 40 is the inverse of QPMa at step 38.
- The key transformation, QPMb at step 42, selects fifty-six of sixty-four bits from the raw key, and rearranges the bits.
- Figure 4 presents a data flow diagram of the internal structure of one of the sixteen DES rounds at step 36.
- Left In and Right In are the left and right halves of the data being encrypted or decrypted as it enters the round, and Left Out and Right
- Key In is the fifty-six-bit key as it enters the round
- Key Out is the fifty-six-bit key as it leaves the round.
- the expansion permutation, QPMd at step 46 repeats certain bits
- the compression permutation, QPMf at step 48 which produces the round sub-key as its output, omits certain bits.
- the key shift, QPMe at step 44 consists of rotations of the left and right halves of the fifty-six-bit key by an identical amount, in a direction and with a number of shift positions determined by the round number and by whether encryption or decryption is being performed.
- LKP h1 - h8 at step 50 (performing S-box substitution) are the eight S-box lookup tables performed in the round.
- The indices for the LKP operations h1 - h8 at step 50 are each, in effect, preceded by yet another QPM operation, which permutes the six input bits so that the low-order or right-most bit becomes the bit second from the left in the effective index, but this QPM can be eliminated to match what has been shown above by re-ordering the elements of the S-box tables.
- The P-box permutation, QPMi at step 52, permutes the results of LKP h1 - h8 at step 50, presumably to accelerate diffusion of information across all bits.
- the XORg operation at step 54 is a simple Boolean exclusive OR on the outputs of the QPMd at step 46 and the output from the QPMf at step 48.
- the XORj operation at step 56 is a simple Boolean exclusive OR on the outputs of the Left In and the output from QPMi at step 52.
- the embodiments of the invention are intended to protect software and data from a white-box threat model where the attacker has all of the advantages present for an adaptive chosen plaintext attack (control of the number of plaintexts and their content, and access to the resulting ciphertexts), as well as full access to the encrypting software.
- the attacker can arbitrarily trace execution and examine all sub-results, perform arbitrary static analyses on the software itself, or alter results of sub-computation (e.g., by using breakpoints) to perform perturbation analysis.
- the only restriction in this model is that the attacker does not have access to the processes by which the executing software was produced.
- white-box cryptography is aimed at environments where protection is needed but isolation of the cryptographic computation itself from the attacker is for some reason not practical.
- the specific implementation of the algorithm is considered to be irrelevant to security in the black-box model.
- In the white-box model it becomes critical, and changing the specific implementation of the algorithm becomes the primary means for providing security.
- the invention provides ways to make finding hidden information combinatorially difficult for the attacker.
- the invention is described with respect to the embedded key case, as opposed to cases where the key is presented dynamically to the software. Clearly though, the invention could be applied to such cases to limit the amount of information available to an attacker.
- A bit is an element of the Galois field of the integers modulo 2, that is, the binary set of {0, 1}.
- A bit-vector is a vector over this field, such as the six-bit vector [0 1 0 1 0 0], and a bit-matrix is a matrix over it. Other terms starting with the "bit-" prefix are similarly understood.
- An expression such as (e_1, e_2, e_3, ..., e_k) is a vector of k elements (the e_i's). Whether the elements are bits will be evident from context.
- P' an encoded function derived from the function P.
- P denotes the same function as P, indicating that it maps vectors that are m-bits in length, onto vectors that are n-bits in length.
- n P is simply an abbreviation of "P . k l
- E is the identity function on k-vectors.
- E (a mnemonic for an entropy-transference function) is any function from m-bit long vectors to n-bit long vectors such that, if m ≤ n, the mapping loses no bits of information, and if m > n, it loses at most n - m bits of information.
- E is, of course, an abbreviation of " E. Multiple occurrences of ", E or
- v_i is the ith element of vector v, and v_{i..j} is the sub-vector containing the ith through jth elements.
- ^k v denotes the same bit-vector as v, indicating that v has k elements.
- ^k e (a mnemonic for an entropy-vector) is any vector with k elements.
- ^n_m M denotes M, indicating that M has m columns and n rows. (If we interpret the application of M to a vector as a function application, this notation will be the same as above.)
3.0 De-Linearization and Substitution Boxes
- LTs are useful in mixing and reconfiguring information.
- LTs per se, are of little use in white-box cryptography, because they are so easily decomposed by Gaussian elimination and related methods.
- When it is detected at step 72 that all possible input values have been processed, then control passes to step 78 where the P ( a e : c) function is replaced in its original program with the new " a Q ( a e) transform, and this particular routine is complete. In the encoded program, only transform Q appears, and there is no transform P or constant b c.
- transforms P and Q may or may not be linear, and may or may not be matrices.
- the encoded algorithm must compensate for the F and G encodings so that it will operate properly.
- A straightforward way to do this is to implement a network of encodings. For example, if a software algorithm has successive transformations X and Y, we can generate encoded transforms X' and Y' which look nothing like X and Y, but in which the output coding of X is corrected by the input coding of Y. Since the output coding of X is incorporated in X' and the input coding of Y incorporated into Y', the fact that they are complements is not apparent at all.
- An exemplary method of effecting such a process is presented in the flow chart of Figure 6.
- two adjacent transforms X and Y are identified in the target program at step 90.
- a random output coding is generated at step 92, for the first transform X (similarly, of course, one could generate a random input coding for the second transform Y).
- Encodings could be implemented a number of ways, for example, the values m F x and n G x could be chosen randomly. By being chosen randomly, it would be possible for one of m F x or n G x to be linear, but it is probably better to rely completely on randomness than to attempt to avoid linear transforms being generated. This technique is also useful for disguising sparse matrices. Sparse matrices may provide an attacker with a weakness to exploit. This can be remedied simply by multiplying the sparse matrix with an encoding function which is random but generally dense, and placing the encoded sparse matrix and the inversion of the encoding function into the software algorithm. Thus, rather than facing a sparse matrix, the attacker will face two dense matrices.
- J and K could simply be randomly generated; whether a certain LT yields the desired mixing depends on the context.
- the only real restriction on J and K is that they be invertible.
- step 114 we now randomly choose non-linear input and output coding bijections F and G, which we partition as: a F y a F ; and b G 1 b G k .
- F input encoding functions
- each F encoding function has dimensions a x a.
- the output coding G which is partitioned into k functions of dimensions: k input bits and k output bits.
- F P ( FA II ⁇ •• II F y ) ° J
- G P ( G, II TM II G k ) ° .
- the original transform P can then be replaced with the encoded transform P' in the targeted software program at step 118.
- the process begins at step 130 by identifying a targeted transform ", P and the extra bits that are to be passed through the encoded
- Input and output encoding transforms F and G are then generated at step 132, in the manner described herein.
- the encoded transform is then generated at step 134, in a manner consistent with the nature of the transform, for example, by traversing all possible inputs to the original transform ", P, and defining ⁇ p ' as equal to G p b E ° (P II b ⁇ E) ° F ⁇ E .
- E will be a matrix that selects the desired bits from the input, and allows them to be passed through the encoded transform ⁇ + ⁇ P
- function which may be arbitrary. For example, we could encode function ", P into
- This technique adds new redundant processing into the data flow of the program.
- This redundant processing is substantive in that it becomes integral with the encoded transform X, and cannot easily be identified or removed. This is in contrast to "dummy code" used in the art, which does not actually execute and can be identified using data flow analysis techniques. With the method of the invention, it is quite difficult to distinguish which operations are from the original software code, and which have been added. As these redundant arguments ultimately have no impact on the outcome of the software program, they can be generated randomly. Techniques for generating random and pseudo-random numbers are known in the art.
- SB substitution box
- For an LT, L, we simply partition the matrix and vectors used in the LT into blocks, giving us well-known formulas using the blocks from the partition which subdivide the computation of L. We can then encode the functions defined by the blocks, and combine the result into a network, using the methods in section 3.2 above, so that the resulting network is an encoding of L.
- the m-partition partitions the inputs and the columns of M; the n-partition partitions d and the outputs.
- the $i,j$-th block in partitioned M contains $m_i$ columns and $n_j$ rows
- the $i$-th partition of the input contains $m_i$ elements
- the $j$-th partition of d or the output contains $n_j$ elements.
- each is encoded and represented as a non-linear SB.
- a naive version of this consists of a forest of $n_\#$ trees of binary 'vector add' SBs, with $m_\#(m_\# - 1)$ 'vector add' nodes per tree.
- DES is performed in 16 rounds, each round employing the same eight DES SBs (DSBs), S 1 through S 8 , and the same LTs, sandwiched between initial and final LTs (the initial and final permutations).
- DSB is an instance of E.
- Two rounds of standard DES are presented in the block diagram of Figure 9.
- the round structure implements a Feistel network with a by-pass left-side data-path (consisting of blocks L rA , _, L ⁇ ) and an active right-side data-path (the balance of the processing blocks).
- K r is the 48-bit subkey for a given round r, which is constant for a particular application. As noted above, DES only uses 48 bits of the 56 bit key in a given round.
- This section describes how we replace the DSBs with new SBs so that: A) the key is eliminated by partial evaluation (it is encoded into the new SBs; see section 3.2.1 above); and B) sufficient by-pass capacity is added per new SB so that all of the remaining connectivity within a round can be carried via the new SBs.
- a DSB's input is the Boolean exclusive-OR (XOR) of 'unpredictable' information, not determined by the algorithm plus the key, and 'predictable' information, determined by the algorithm and the key.
- XOR exclusive-OR
- the plan is that the first six bits of the input of a transform ⁇ r T, will be the
- transform ⁇ r T preserves all of its input entropy; that is, it is a bijection.
- (Since each ⁇ r T, must be a bijection to support local security, and we will not use 8 ⁇ 8 decoding, we are therefore prevented from using simultaneous by-pass encoding. As a result, each ⁇ r T, effectively carries only four bits of input to the next round.) This includes two bits from the right side data path of DES, plus the two extra input bits which we can take from wherever we wish. The by-pass capacity of the ⁇ r T s is too small by 32 bits.
- Each is a linear instance of 8 E prior to de-linearization and encoding. They provide the remaining 32 bits: 16 bits of right-side by-pass capacity, and 16 bits of left-side by-pass capacity.
- each M is representable as a matrix, with forms H Treasure 9 9 6 6 M 2 , and 6 6 M 3 , respectively. These transforms and how they are generated are discussed in section 5.2.2.
- each ⁇ r 7 or ⁇ r T is an instance of 96 E.
- the algorithm is the same, except for addition of the "'" characters, after de-linearization and function encoding.
- M 1 combines the following: i) the initial permutation of DES (QPMa 38 in Figure 3); ii) the Expansion 46 in Figures 4 and 9, modified to deliver its output bits to the first six inputs of each 7,; combined with iii) the delivery of the 32 left-side data-path bits to be passed through the by-pass provided by inputs 7 and 8 of K r T 1 ⁇ r T 8 and 16 bits of by-pass provided at randomly chosen positions in the four "dummy" transforms, ⁇ r T 9 , ..., ⁇ r T 12 , all in randomly chosen order.
- M 2 combines the following: i) the first P-box transform 52 (see Figure 9); ii) the XOR of the left-side data with the P-box output (the first XOR 56 in Figure 9); iii) extraction of the original input of the right-side data-path using the method of section 3.2J, iv) the second Expansion 46 of Figure 9; and v) the left-side by-pass, as in M 1 .
- M 3 combines the following: i) ignoring the inputs provided for simultaneous by-pass, ii) the left-side by-pass, as in M 1 , iii) inversion of the Expansion, ignoring half of each redundant bit pair, iv) swapping the left-side and right-side data (DES effectively swaps the left and right halves after the last round), and v) the final permutation 40 (see Figure 3). 5.2.3 Blocking and Encoding Details
- intext is plaintext (for encryption) or ciphertext (for decryption), or outtext is ciphertext (for encryption) or plaintext (for decryption)
- plaintext for encryption
- plaintext for decryption
- DES implementation can be cracked by statistical bucketing. Thus, one should generally avoid the naive form for DES applications. Instead, one should use an encoded intext and an encoded outtext.
- the attacker cannot possibly extract information from the ⁇ r 7/ transforms themselves as they are locally secure (see section 3.3).
- Attacks should be focussed on the first (1) and final (16) rounds. Cracking either round 1 or round 16 provides 48 key bits; the remaining 8 bits of the 56-bit DES key can then be found by brute-force search on the 256 remaining possibilities using a reference DES implementation.
- round 2 and for an attack on the last round, on the ⁇ r 7/ outputs from round 15.
- the attacker then deals with the input or output information after it has been broken up from (round 1), or before it has been merged into (round 16), the 8-bit bundles input to and output from the ⁇ ⁇ 7/ transforms.
- M 1 ° M 0 and M 3 is replaced by M 4 ° M 3 , where the M 0 and M 4 LTs are 'mixing' bijections.
- M., and M 0 and M 4 ° M 3 is, of course, a single LT.
- the "recommended variant" effectively makes the input and output unknown to the attacker by prepending and appending what are, in effect, random ciphers.
- the attacker's expectations, based on the original cipher are not met, and the normal statistical approach to an adaptive chosen plaintext attack is foiled. It would be necessary for the attacker to crack: A) the initial random cipher;
- the weakest point would seem to be the block-encoded wide-input LTs.
- weak 4 x 4 blocks ones where an output's entropy is reduced to three bits, say, where there are only 38,976 possible non-linear encodings.
- the first problem is that the output will often depend on multiple such blocks, which will then require some power of 38,976 tries.
- we must still deal with the second, and much more difficult, problem which is: once the attacker has a guess at a set of encodings, partial or otherwise, for certain SBs, how can it be verified? Unless there is some way to verify a guess, such an attack cannot be effective.
- the price we pay (other than the current slowness and size of white-box implementations) is that we are no longer using a standard encryption algorithm.
- the methods of the invention can also be combined with general methods of tamper-proofing software or applied to software other than cryptographic computation software.
- Boolean D with the random Boolean functions, a sometimes linear, and always simple, Boolean function of 2 or 3 inputs relates bits emitted by T-boxes to original bits.
- 2-input Boolean functions there are only 10 functions which can be used, for example, given inputs A and B, you would have: A AND B, A OR B, (NOT A) AND B, etc.
- 3-input Boolean functions there are only 100 functions which can be used.
- Boolean functions will be well below the expected effort for brute-force discovery of a DES key;
- n x n linear function in F 2 is singular if and only if, of the n column vectors (or equivalently, of the n row vectors) of its matrix, either at least one is zero, or a subset of the nonzero vectors yield a zero vector when its members are all added together. That is, either there is a zero vector, or there is a subset S of the vectors such that each member is nonzero and each vector bit position is 1 in an even number of the members of S.
- an n x n linear function is singular in F 2 if and only if there is a non-empty subset S, not necessarily proper, of the column vectors, such that each bit position is 1 in an even number of the members of S.
- any set of vectors which contains S is also linearly dependent.
- $(2^n)!$ are permutations of the set of all Boolean vectors of length n
- each round of DES simply copies the right 32-bit half of its 64-bit input to the left 32-bit half of its 64-bit output, while placing a mixture of the left and right input halves in the right 32-bit half of its 64-bit output. Accordingly, to mix both halves, we have to perform two rounds; one round is insufficient.
- a "round pair" is typically an odd-numbered round followed by an even-numbered round: 1 and 2, or 5 and 6, or 11 and 12, or 15 and 16.
- Banyan network is a topology of nodes or switches in which there is a single path connecting each input to each output, and there are no internal circuits (or loops).
- Figure 13 presents a Banyan network having 9 inputs, 9 outputs and 6 nodes 170. This is described as a 9 x 9 (because there are 9 inputs and 9 outputs), base 3 Banyan network (base 3 because each node 170 or switch can route an input to any one of 3 outputs).
- a base 3 Omega network has the same properties as detailed above for a base 3 Banyan network.
- a Banyan network addresses among nodes by repeatedly subdividing the network by the base (e.g., if there are 9 nodes, it first selects among the first third, second third, or third of the nodes, and then selects a third of the three nodes: one specific node).
- An Omega network addresses differently. Number the input ports (where each node has a number of input ports specified by the base, and a number of output ports specified by the base) with a 2 digit base 3 number. Then each output port is connected to the succeeding input port found by rotating its number left, circularly, one position.
- each node for a base, b
- each node is a function (which would usually be bijective) of the form E.
- the big advantage is the reduction in spatial complexity from $O(m_\#^2 n_\#)$ for a given blocking factor, to $O(m_\# \log n_\#)$: a huge savings in space. It also represents the same reduction in computational time, because a lookup must be done on each SB, and the huge reduction in the number of SBs therefore also represents a huge saving in execution time.
- a switching network is generated at step 190; say a sequence of full Banyans for bundles of bits, where K is fairly small.
- the "red" paths are laid down on this switch network, which indicate the bundle path followed by the information to be switched.
- the boxes may be filled in at step 194, such that individual output bundles (or small groups thereof) encode desired output information, but the particular encoding of many used at a particular bundle is a data-dependent function of all of the switch inputs.
- every output bit should be dependent on every input bit.
- switch nodes e.g., bitwise XOR. This would allow switching and computing to be encoded together.
- the initial S-boxes 50 are converted from their 6 bit input, 4 bit output form, to 6 x 6, each modified S-box simply containing a permutation of 0 ... 63.
- the 36-bit S-box input in the 2nd round is rendered down to k bits, where k ⁇ 6.
- This step must be done such that any imbalances in the round-1 S-boxes are overcome; that is, trying to make the buckets equiprobable.
- This step is then repeated for each subsequent round of the DES algorithm, per step 206.
- This technique does not hide the identity of the S-boxes 50, but only hides the key. If we can preserve the secret of the interior coding, then this technique may be effective.
- a bucketing attack can identify the input values representing the same value.
- Exemplary instances of the information reconfiguration problem are the implementation of the Expansion permutation QPMd 46 or P-box permutation 52 in DES.
- each S-box 210 is unconditionally secure by itself, since each S-box table is a permutation of the numbers 0..63 and by manipulating either the input or output encodings we can produce any arbitrary permutation in the table.
- we preferably encode S-boxes 50 at step 224 as follows: we first create a 6 x 6 S-box by making the low-order 4 bits of output the same as the unencoded outputs, and prepending the two row selection bits. Since each row is a permutation of the integers from 0 to 15, and hence, encodes a 4 x 4 bit-vector bijection, this guarantees that no entropy is lost. We then encode the resulting 6 bits arbitrarily using an arbitrary non-linear permutation of 0 ... 63, and fill the table accordingly.
- a bit-wise XOR of two n-bit vectors is computed by a matrix of n rows and 2n columns where we multiply the matrix by the concatenation of the two input vectors, and the result is the output vector.
- the k-th row of the matrix has (k - 1) binary 0s followed by a 1 , followed by n binary 0s followed by a 1 , followed by (n - k - 1) binary
- the matrix would have linearly independent rows in which each row contained only two 1's and each column contained only a single 1.
- S-boxes 50 in DES can be arranged into a ring, in which each S-box 50 shares two (pre-expansion permutation) inputs with its neighbour to the left in the ring, and two (pre-expansion permutation) inputs with its neighbour to the right in the ring.
- any pair of neighbouring S-boxes 50 can be combined into a single new S-box which has ten inputs and eight outputs.
- the size of such an S-box is 1 K ⁇ bytes, but we only need 4 of the new S-boxes per round, so 4K bytes provides all of the S-boxes needed for one round.
- T-Box lookup we can split into 2 pieces (note that we are going to end up with T-Boxes that are far more complex than those described in the co-pending patent application serial number PCT/CAOO/00677, referred to above): i) 5 bits into 2 bits (basically, the two possible output bits for the two different choices of the 6th bit); and ii) 2 bits from above and 1 original bit to produce T-box result (basically, the new bit chooses one of the bits from step a.
- S1 has inputs 3 4 5 6 7 8
- each S-box computes four partial results, two for each of the neighbours.
- Each T-box output could be computed in two places, but we do not have much freedom to choose - we can partition the 4 outputs of an S-box to the two S-boxes, but that fixes the distribution for the whole ring. (Instead of 2, 2 we could do other distributions; but since we only get to choose once for the whole ring, it is not clear what we gain by security), ii) the complex way to have a ring of 16 S-boxes is as follows: S1' has 2 3 4 5 6 7 8 9 S12' has 4 5 6 7 8 9 10 11
- S2' has 6 7 8 9 10 11 12 13
- S23' has 8 9 10 11 12 13 14 15
- each T-box output can be computed in three different places and we have a lot of freedom to decide where each T-box is actually computed. On average, we could compute each T-box in 2 parts, to be combined later.
- this wiring pattern is dictated by S12' having 5 inputs for each of S1 and S2; C) any function in general (and S-box in particular) can be split into multiple paths.
- a T-box can be split into 2 paths by defining T1 to be random, and T2 to be T XOR T1 ;
- S-box output can have codings that are dependent on other bits. We merely need to bring together the necessary bits to interpret. For example: i) in the case of S1 , the output is already depending on bits 3-8, if we compute it in S1', we could code the output to be XOR bit 2; ii) we could choose the output of S1 to be split between S1' and S12'; and code the first part with bit 2, the second part with bit 11.
- C1 is the "nominal" representation across round boundary, and has two copies in L and R; so it can be attacked from several ways, but it also has the least constraints in that each Rough bit could be a function of all Smooth bits.
- C2 is basically 16 independent codings - one for each S-box input. The dependencies are confined to within each bundle (not strictly true - we could in fact carry over the missing dependencies to our output coding). Within a bundle, the mapping can be arbitrary.
- C3 is basically 16 independent codings - one for each S-box output.
- the dependencies are confined to within each bundle (possibly inheriting missing dependencies, see C2).
- the mapping cannot be arbitrary since we need to be able to route information to follow DES.
- the coding should depend on between 1 to 3 other bits (preferably, output bits of the S-box but could be input bits as well), taking care that we can decode back to Smooth bits.
- C) build E' network i) start with the output layer. Since we need to produce C2 (assuming we duplicate shared bits), we will need 16 T8-boxes. We will build layers towards the input until we end up at C1 ; ii) pick up C2 for each output bit, and drag in the bits necessary to decode; iii) count up the inputs we need for each T8-box, some will want more than others. Pad them out so that the numbers are not too different. It is probably useful to make sure every T8-box gets at least one extra input. Note selection of these extra inputs is interesting; iv) for each T8-box that has more than 8 inputs, insert intermediate T8-boxes, trying to minimize the depth (this is kind of like a 2-3 tree type problem). Remember to add some extra inputs; and v) connect the topmost layer inputs to the R' bits.
- Another way to add confusion in an implementation involving substitution boxes is to split one substitution box into multiple boxes, such that none of the boxes created by the split has sufficient information to compute the original pre-split result, but the information from their combined outputs is sufficient to compute the original pre-split result, assuming that we know how their outputs are encoded.
- U and V are 6 x 4 substitution boxes.
- U takes three S-inputs and three inputs not from S. V takes three S-inputs and three inputs not from S.
- U and V do not share any input bits.
- $2^3 = 8$ possible output values (not necessarily distinct) depending on the value of the three S-inputs which go to V but not U.
- U can output: $\langle R_0, R_1, \ldots, R_7 \rangle$
- R is the result expected if the value of the three missing inputs
- we can have V output the index i, a number in the range 0 .. 7, used to index into the 32-bit output of U to select a particular 4-bit block within it. (This has the bad effect of producing one invariant V-output, which we do not want because it narrows the attacker's search space.)
- V-box tables This gives away too much information narrowing down the attacker's search space.
- S1 has inputs 3 4 5 6 7 8
- the method steps of the invention may be embodied in sets of executable machine code stored in a variety of formats such as object code or source code.
- Such code is described generically herein as programming code, or a computer program for simplification.
- the executable machine code may be integrated with the code of other programs, implemented as subroutines, by external program calls or by other techniques as known in the art.
- the embodiments of the invention may be executed by a computer processor or similar device programmed in the manner of method steps, or may be executed by an electronic system which is provided with means for executing these steps.
- an electronic memory medium may be programmed to execute such method steps.
- Suitable memory media would include serial access formats such as magnetic tape, or random access formats such as floppy disks, hard drives, computer diskettes, CD-ROMs, bubble memory, EEPROM, Random Access Memory (RAM), Read Only Memory (ROM) or similar computer software storage media known in the art.
- electronic signals representing these method steps may also be transmitted via a communication network.
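The 6 x 6 S-box construction described above (row-selection bits prepended to the 4-bit output, then an arbitrary permutation of 0 ... 63), combined with key elimination by partial evaluation, is worked through here as an added Python example; it is not code from the patent. DES S-box S1 is the standard table; the function names, the sample subkey chunks and the composition table = G ∘ S ∘ F⁻¹ are assumptions of this example.

```python
import random

# Standard DES S-box S1: 4 rows, each row a permutation of 0..15.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_s1(x):
    """Reference 6-in/4-out lookup: outer bits select the row, inner four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def lossless_s1(x):
    """6 x 6 form: the two row-selection bits prepended to the 4-bit output.

    Each row is a permutation of 0..15, so this map is a bijection on 0..63.
    """
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return (row << 4) | des_s1(x)


def invert(perm):
    """Inverse of a permutation given as a list."""
    inv = [0] * len(perm)
    for i, v in enumerate(perm):
        inv[v] = i
    return inv


def random_bijection(rng):
    """Arbitrary (almost surely non-linear) permutation of 0..63."""
    perm = list(range(64))
    rng.shuffle(perm)
    return perm


def encode_sbox(subkey6, f, g):
    """Table indexed by the ENCODED input: g(S(f^-1(e) XOR subkey)).

    The 6-bit subkey chunk is folded into the table by partial evaluation,
    so it never appears as a separate value in the shipped program.
    """
    f_inv = invert(f)
    return [g[lossless_s1(f_inv[e] ^ subkey6)] for e in range(64)]


def decode_lookup(table, f, g, x):
    """Builder-side check: encode x, look it up, strip the output encoding."""
    return invert(g)[table[f[x]]] & 0xF  # low 4 bits are the original S1 output


def input_encoding_for_other_key(f, key_a, key_b):
    """Input encoding under which key_b yields the very table key_a produced.

    Shows why the table alone is consistent with every subkey (local security).
    """
    delta = key_a ^ key_b
    return [f[x ^ delta] for x in range(64)]


if __name__ == "__main__":
    # Fixed seed for a reproducible demo; a real generator would draw the
    # encodings from a CSPRNG such as random.SystemRandom().
    rng = random.Random(2001)
    f, g = random_bijection(rng), random_bijection(rng)
    key_a, key_b = 0b101100, 0b010011  # constructed sample subkey chunks
    table = encode_sbox(key_a, f, g)
    print("table is a permutation of 0..63:", sorted(table) == list(range(64)))
    f_b = input_encoding_for_other_key(f, key_a, key_b)
    print("same table under another key:", encode_sbox(key_b, f_b, g) == table)
```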
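The sparse-matrix disguise and the invertibility requirement on the mixing transforms, together with the F 2 singularity criterion stated above, are worked through here as an added Python example; it is not code from the patent. The bitmask matrix representation, the function names and the 8 x 8 sample matrix are assumptions of this example.

```python
import random
from itertools import combinations

# Matrices over GF(2): a list of n ints, row i stored as a bitmask
# (bit j = column j). Vectors are ints with bit j = component j.


def mat_vec(m, x):
    """y = M.x over GF(2)."""
    y = 0
    for i, row in enumerate(m):
        y |= (bin(row & x).count("1") & 1) << i
    return y


def mat_mul(a, b):
    """C = A.B over GF(2): row i of C XORs the rows of B selected by row i of A."""
    out = []
    for row in a:
        acc = 0
        for j, b_row in enumerate(b):
            if (row >> j) & 1:
                acc ^= b_row
        out.append(acc)
    return out


def inverse(m):
    """Gauss-Jordan inverse over GF(2); returns None when M is singular."""
    n = len(m)
    # Augment each row with the identity in the high n bits: [M | I].
    rows = [m[i] | (1 << (n + i)) for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if (rows[r] >> col) & 1), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and (rows[r] >> col) & 1:
                rows[r] ^= rows[col]
    return [row >> n for row in rows]


def has_dependent_column_subset(m):
    """The criterion in the text: some non-empty subset of the columns XORs
    to the zero vector. Exponential in n; used only as a cross-check."""
    n = len(m)
    cols = [sum(((m[i] >> j) & 1) << i for i in range(n)) for j in range(n)]
    for size in range(1, n + 1):
        for subset in combinations(cols, size):
            acc = 0
            for c in subset:
                acc ^= c
            if acc == 0:
                return True
    return False


def random_invertible(n, rng):
    """Rejection-sample a random matrix until it is invertible; return (R, R^-1)."""
    while True:
        m = [rng.getrandbits(n) for _ in range(n)]
        inv = inverse(m)
        if inv is not None:
            return m, inv


def disguise(sparse, rng):
    """Replace sparse M by two factors (M.R, R^-1) whose product is M."""
    r, r_inv = random_invertible(len(sparse), rng)
    return mat_mul(sparse, r), r_inv


def evaluate_disguised(encoded, r_inv, x):
    """Apply R^-1 first, then M.R, which equals M.x."""
    return mat_vec(encoded, mat_vec(r_inv, x))


def density(m):
    """Fraction of entries that are 1."""
    n = len(m)
    return sum(bin(row).count("1") for row in m) / (n * n)


def sample_sparse(n=8):
    """Constructed sample: a bit rotation, exactly one 1 per row."""
    return [1 << ((i + 3) % n) for i in range(n)]


if __name__ == "__main__":
    rng = random.Random(46890)  # fixed seed for a reproducible demo only
    m = sample_sparse()
    enc, r_inv = disguise(m, rng)
    print("densities:", density(m), density(enc), density(r_inv))
    print("same function:",
          all(evaluate_disguised(enc, r_inv, x) == mat_vec(m, x) for x in range(256)))
```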
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/433,966 US7397916B2 (en) | 2000-12-08 | 2001-12-10 | System and method for protecting computer software from a white box attack |
CA002431443A CA2431443A1 (en) | 2000-12-08 | 2001-12-10 | System and method for protecting computer software from a white box attack |
EP01999868A EP1350154A2 (en) | 2000-12-08 | 2001-12-10 | System and method for protecting computer software from a white box attack |
AU2002221414A AU2002221414A1 (en) | 2000-12-08 | 2001-12-10 | System and method for protecting computer software from a white box attack |
US11/020,313 US7809135B2 (en) | 2000-12-08 | 2004-12-27 | System and method for protecting computer software from a white box attack |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CA002327911A CA2327911A1 (en) | 2000-12-08 | 2000-12-08 | Obscuring functions in computer software |
CA2,327,911 | 2000-12-08 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2002046890A2 (en) | 2002-06-13 |
WO2002046890A8 (en) | 2003-03-06 |
Family
ID=4167864
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CA2001/001729 WO2002046890A2 (en) | 2000-12-08 | 2001-12-10 | System and method for protecting computer software from a white box attack |
Country Status (5)
Country | Link |
---|---|
US (2) | US7397916B2 (en) |
EP (1) | EP1350154A2 (en) |
AU (1) | AU2002221414A1 (en) |
CA (2) | CA2327911A1 (en) |
WO (1) | WO2002046890A2 (en) |
Families Citing this family (177)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7340058B2 (en) * | 2001-04-09 | 2008-03-04 | Lucent Technologies Inc. | Low-overhead secure information processing for mobile gaming and other lightweight device applications |
AUPR970601A0 (en) * | 2001-12-21 | 2002-01-24 | Canon Kabushiki Kaisha | Encoding information in a watermark |
US6970985B2 (en) | 2002-07-09 | 2005-11-29 | Bluerisc Inc. | Statically speculative memory accessing |
EP1595357A4 (en) * | 2003-02-06 | 2006-03-01 | Discretix Technologies Ltd | Device and method of manipulating masked data |
US7469266B2 (en) * | 2003-09-29 | 2008-12-23 | International Business Machines Corporation | Method and structure for producing high performance linear algebra routines using register block data format routines |
US20050114850A1 (en) | 2003-10-29 | 2005-05-26 | Saurabh Chheda | Energy-focused re-compilation of executables and hardware mechanisms based on compiler-architecture interaction and compiler-inserted control |
US7996671B2 (en) | 2003-11-17 | 2011-08-09 | Bluerisc Inc. | Security of program executables and microprocessors based on compiler-architecture interaction |
US9489687B2 (en) * | 2003-12-04 | 2016-11-08 | Black Duck Software, Inc. | Methods and systems for managing software development |
US8700533B2 (en) * | 2003-12-04 | 2014-04-15 | Black Duck Software, Inc. | Authenticating licenses for legally-protectable content based on license profiles and content identifiers |
US8607209B2 (en) | 2004-02-04 | 2013-12-10 | Bluerisc Inc. | Energy-focused compiler-assisted branch prediction |
US8887287B2 (en) * | 2004-10-27 | 2014-11-11 | Alcatel Lucent | Method and apparatus for software integrity protection using timed executable agents |
US8155306B2 (en) * | 2004-12-09 | 2012-04-10 | Intel Corporation | Method and apparatus for increasing the speed of cryptographic processing |
FR2879383A1 (en) * | 2004-12-14 | 2006-06-16 | St Microelectronics Sa | MASKING OF BINARY WORDS PROCESSED BY AN INTEGRATED CIRCUIT |
US20060161612A1 (en) * | 2005-01-14 | 2006-07-20 | International Business Machines Corporation | Method and structure for a generalized cache-register file interface with data restructuring methods for multiple cache levels and hardware pre-fetching |
US20060168401A1 (en) * | 2005-01-26 | 2006-07-27 | International Business Machines Corporation | Method and structure for high-performance linear algebra in the presence of limited outstanding miss slots |
EP1742412B1 (en) * | 2005-07-05 | 2009-01-14 | St Microelectronics S.A. | Verification of a digital message stored in a memory zone |
US7769165B2 (en) * | 2005-10-14 | 2010-08-03 | Microsoft Corporation | Semi-public white-box cipher |
US7743253B2 (en) * | 2005-11-04 | 2010-06-22 | Microsoft Corporation | Digital signature for network coding |
US7853018B2 (en) * | 2005-11-10 | 2010-12-14 | Atallah Mikhail J | Method and apparatus for hiding a private key |
FR2893796B1 (en) * | 2005-11-21 | 2008-01-04 | Atmel Corp | ENCRYPTION PROTECTION METHOD |
DE602006020010D1 (en) * | 2005-12-19 | 2011-03-24 | St Microelectronics Sa | Protection of the execution of a DES algorithm |
US8543835B2 (en) * | 2006-07-12 | 2013-09-24 | Irdeto B.V. | Tamper resistance of a digital data processing unit |
US8997255B2 (en) | 2006-07-31 | 2015-03-31 | Inside Secure | Verifying data integrity in a data storage device |
US8352752B2 (en) * | 2006-09-01 | 2013-01-08 | Inside Secure | Detecting radiation-based attacks |
US7681045B2 (en) * | 2006-10-12 | 2010-03-16 | Black Duck Software, Inc. | Software algorithm identification |
US8010803B2 (en) * | 2006-10-12 | 2011-08-30 | Black Duck Software, Inc. | Methods and apparatus for automated export compliance |
US9361617B2 (en) * | 2008-06-17 | 2016-06-07 | Verifone, Inc. | Variable-length cipher system and method |
US20080126766A1 (en) * | 2006-11-03 | 2008-05-29 | Saurabh Chheda | Securing microprocessors against information leakage and physical tampering |
KR101213156B1 (en) * | 2006-12-21 | 2012-12-17 | 삼성전자주식회사 | Distributed rivest shamir adleman signature method and signature generative node |
JP5133973B2 (en) * | 2007-01-18 | 2013-01-30 | パナソニック株式会社 | Obfuscation support device, obfuscation support method, program, and integrated circuit |
KR101338409B1 (en) * | 2007-01-25 | 2013-12-10 | 삼성전자주식회사 | Method and node for generating distributed rivest shamir adleman signature in ad-hoc network |
US8752032B2 (en) | 2007-02-23 | 2014-06-10 | Irdeto Canada Corporation | System and method of interlocking to protect software-mediated program and device behaviours |
WO2008101340A1 (en) * | 2007-02-23 | 2008-08-28 | Cloakware Corporation | System and method for interlocking to protect software-mediated program and device behaviours |
US20080301448A1 (en) * | 2007-06-01 | 2008-12-04 | Microsoft Corporation | Security Against Corruption for Networked Storage |
KR100969961B1 (en) * | 2007-12-20 | 2010-07-15 | 한국전자통신연구원 | Substitution apparatus of block code aria and method thereof |
KR20100120671A (en) * | 2008-01-31 | 2010-11-16 | 이르데토 비.브이. | Securing a smart card |
US8800048B2 (en) * | 2008-05-20 | 2014-08-05 | Microsoft Corporation | Software protection through interdependent parameter cloud constrained software execution |
KR101597251B1 (en) * | 2008-05-23 | 2016-02-24 | 이르데토 비.브이. | System and method for generating whitebox implementations of software applications |
EP2300954B1 (en) | 2008-06-24 | 2014-12-03 | NDS Limited | Security within integrated circuits |
US8171306B2 (en) * | 2008-11-05 | 2012-05-01 | Microsoft Corporation | Universal secure token for obfuscation and tamper resistance |
JP4687775B2 (en) * | 2008-11-20 | 2011-05-25 | ソニー株式会社 | Cryptographic processing device |
US8151333B2 (en) | 2008-11-24 | 2012-04-03 | Microsoft Corporation | Distributed single sign on technologies including privacy protection and proactive updating |
CN102449951B (en) * | 2009-03-31 | 2015-09-23 | 皇家飞利浦有限公司 | For performing the method for cryptographic tasks in electronic building brick |
CA2761065C (en) | 2009-05-06 | 2018-01-02 | Irdeto Canada Corporation | Interlocked binary protection using whitebox cryptography |
WO2010146140A1 (en) * | 2009-06-19 | 2010-12-23 | Irdeto B.V. | White-box cryptographic system with configurable key using block selection |
CA2765622A1 (en) | 2009-06-19 | 2010-12-23 | Irdeto B.V. | White-box cryptographic system with configurable key using intermediate data modification |
CN102598017B (en) | 2009-11-13 | 2016-03-09 | 爱迪德技术有限公司 | Improve the system and method for its tamper-proof capabilities of Java bytecode |
US8549322B2 (en) * | 2010-03-25 | 2013-10-01 | International Business Machines Corporation | Secure data scanning method and system |
EP2553866B1 (en) * | 2010-03-31 | 2018-11-21 | Irdeto B.V. | System and method for protecting cryptographic assets from a white-box attack |
WO2011120123A1 (en) | 2010-03-31 | 2011-10-06 | Irdeto Canada Corporation | A system and method for encapsulating and enabling protection through diverse variations in software libraries |
EP2388730A1 (en) * | 2010-05-17 | 2011-11-23 | Nagravision S.A. | Method for generating software code |
US20120079462A1 (en) * | 2010-09-24 | 2012-03-29 | SoftKrypt LLC | Systems and methods of source software code obfuscation |
FR2966953B1 (en) * | 2010-11-02 | 2015-08-28 | St Microelectronics Rousset | METHOD OF CRYPTOGRAPHIC COUNTERPRESSION BY DERIVATION OF SECRET DATA |
MY150357A (en) * | 2010-11-04 | 2013-12-31 | Mimos Berhad | A method for linear transformation in substitution-permutation networks symmetric-key block cipher |
US20120201373A1 (en) * | 2011-02-03 | 2012-08-09 | Futurewei Technologies, Inc. | Design of a Good General-Purpose Hash Function with Limited Resources |
KR20140058419A (en) | 2011-03-24 | 2014-05-14 | 이르데토 비.브이. | System and method providing dependency networks throughout applications for attack resistance |
EP3518128B1 (en) * | 2011-03-30 | 2021-04-28 | Irdeto B.V. | Enabling a software application to be executed on a hardware device |
US8621237B1 (en) * | 2011-06-30 | 2013-12-31 | Emc Corporation | Protecting against cryptographic key exposure in source code |
US20130097431A1 (en) * | 2011-10-18 | 2013-04-18 | Paul Marion Hriljac | Systems and methods of source software code modification |
EP2813029B1 (en) * | 2012-02-09 | 2020-12-02 | Irdeto B.V. | System and method for generating and protecting cryptographic keys |
WO2013138895A1 (en) * | 2012-03-22 | 2013-09-26 | Irdeto Canada Corporation | Updating software components |
EP2831791B1 (en) * | 2012-03-30 | 2020-10-21 | Irdeto B.V. | Securing accessible systems using cross-linking |
US8976960B2 (en) | 2012-04-02 | 2015-03-10 | Apple Inc. | Methods and apparatus for correlation protected processing of cryptographic operations |
MX2014014102A (en) * | 2012-05-25 | 2015-01-26 | Koninkl Philips Nv | Method, system and device for protection against reverse engineering and/or tampering with programs. |
DE102012209404A1 (en) * | 2012-06-04 | 2013-12-05 | Robert Bosch Gmbh | Apparatus for executing a cryptographic method and method of operation therefor |
US20140324708A1 (en) * | 2012-06-12 | 2014-10-30 | Square, Inc. | Raw sensor input encryption for passcode entry security |
US10515363B2 (en) | 2012-06-12 | 2019-12-24 | Square, Inc. | Software PIN entry |
US8938796B2 (en) | 2012-09-20 | 2015-01-20 | Paul Case, SR. | Case secure computer architecture |
WO2014059547A1 (en) * | 2012-10-17 | 2014-04-24 | Elliptic Technologies Inc. | Cryptographic sequencing system and method |
US9311489B2 (en) | 2013-03-07 | 2016-04-12 | Microsoft Technology Licensing, Llc | Application forensics |
RU2518950C9 (en) * | 2013-05-06 | 2014-09-10 | Федеральное государственное бюджетное образовательное учреждение высшего профессионального образования "Санкт-Петербургский государственный электротехнический университет "ЛЭТИ" им. В.И. Ульянова (Ленина)" | Method of encrypting n-bit unit m |
KR102133200B1 (en) | 2013-08-08 | 2020-07-13 | 서울대학교산학협력단 | Method and apparatus for protecting of data |
CN104376015B (en) * | 2013-08-15 | 2020-03-17 | 腾讯科技(深圳)有限公司 | Method and device for processing nodes in relational network |
US9773240B1 (en) | 2013-09-13 | 2017-09-26 | Square, Inc. | Fake sensor input for passcode entry security |
US9613356B2 (en) | 2013-09-30 | 2017-04-04 | Square, Inc. | Secure passcode entry user interface |
US9928501B1 (en) | 2013-10-09 | 2018-03-27 | Square, Inc. | Secure passcode entry docking station |
DE102013222218A1 (en) * | 2013-10-31 | 2014-05-22 | Siemens Aktiengesellschaft | Method for constructing circuit used for generating random bits used in asymmetric authentication method, involves linking specific functions with a pretext of a related function as another function, to perform fixed point free mapping |
KR101807259B1 (en) * | 2013-11-04 | 2017-12-08 | 한국전자통신연구원 | Apparatus and methdo for encoding |
US9223995B1 (en) * | 2013-12-10 | 2015-12-29 | Progress Software Corporation | Semantic obfuscation of data in real time |
US9900149B2 (en) * | 2013-12-24 | 2018-02-20 | Synopsys, Inc. | Area efficient cryptographic method and apparatus |
US10075288B1 (en) * | 2014-02-28 | 2018-09-11 | The Governing Council Of The University Of Toronto | Systems, devices, and processes for homomorphic encryption |
US9838198B2 (en) * | 2014-03-19 | 2017-12-05 | Nxp B.V. | Splitting S-boxes in a white-box implementation to resist attacks |
FR3018934B1 (en) * | 2014-03-24 | 2017-05-26 | Morpho | METHOD OF INPUTTING DATA IN A BASE FOR THE PROTECTION OF THESE DATA |
WO2015149826A1 (en) * | 2014-03-31 | 2015-10-08 | Irdeto B.V. | Protecting an item of software |
RU2542880C1 (en) * | 2014-03-31 | 2015-02-27 | Федеральное государственное бюджетное образовательное учреждение высшего профессионального образования "Санкт-Петербургский государственный электротехнический университет"ЛЭТИ" им. В.И. Ульянова (Ленина)" | Method of encrypting binary data unit |
GB201405755D0 (en) | 2014-03-31 | 2014-05-14 | Irdeto Bv | Optimizing and protecting software |
CN106464484B (en) * | 2014-03-31 | 2019-08-09 | 爱迪德技术有限公司 | Predefined function obscures execution |
RU2542929C1 (en) * | 2014-04-14 | 2015-02-27 | Федеральное государственное бюджетное образовательное учреждение высшего профессионального образования "Санкт-Петербургский государственный электротехнический университет "ЛЭТИ" им. В.И. Ульянова (Ленина)" | Method to code data unit represented as bit string |
RU2542926C1 (en) * | 2014-04-14 | 2015-02-27 | Федеральное государственное бюджетное образовательное учреждение высшего профессионального образования "Санкт-Петербургский государственный электротехнический университет "ЛЭТИ" им. В.И. Ульянова (Ленина)" | Method to code message represented as multidigit binary number |
US9338145B2 (en) | 2014-04-28 | 2016-05-10 | Nxp B.V. | Security patch without changing the key |
US9485226B2 (en) * | 2014-04-28 | 2016-11-01 | Nxp B.V. | Method for including an implicit integrity or authenticity check into a white-box implementation |
US9641337B2 (en) * | 2014-04-28 | 2017-05-02 | Nxp B.V. | Interface compatible approach for gluing white-box implementation to surrounding program |
EP2940920B1 (en) * | 2014-04-28 | 2017-03-08 | Nxp B.V. | Security patch without changing the key |
US9858440B1 (en) * | 2014-05-23 | 2018-01-02 | Shape Security, Inc. | Encoding of sensitive data |
US10412054B2 (en) * | 2014-06-24 | 2019-09-10 | Nxp B.V. | Method for introducing dependence of white-box implementation on a set of strings |
KR101527329B1 (en) * | 2014-09-12 | 2015-06-09 | 삼성에스디에스 주식회사 | Apparatus and method for data encryption |
US9252943B1 (en) * | 2014-09-26 | 2016-02-02 | The Boeing Company | Parallelizable cipher construction |
CN106796624B (en) | 2014-09-26 | 2021-05-04 | 爱迪德技术有限公司 | Challenge-response method, associated computing device and associated computer-readable medium |
WO2016050884A1 (en) | 2014-09-30 | 2016-04-07 | Koninklijke Philips N.V. | Electronic calculating device for performing obfuscated arithmetic |
WO2016061118A1 (en) * | 2014-10-13 | 2016-04-21 | Sequent Software, Inc. | Securing host card emulation credentials |
CN104301095A (en) * | 2014-10-13 | 2015-01-21 | 深圳中科讯联科技有限公司 | DES round operation method and circuit |
GB201418815D0 (en) | 2014-10-22 | 2014-12-03 | Irdeto Bv | Providing access to content |
DE102014016548A1 (en) * | 2014-11-10 | 2016-05-12 | Giesecke & Devrient Gmbh | Method for testing and hardening software applications |
US9600672B1 (en) * | 2014-12-04 | 2017-03-21 | Amazon Technologies, Inc. | Dynamic function switching |
RU2710310C2 (en) | 2014-12-12 | 2019-12-25 | Конинклейке Филипс Н.В. | Electronic forming device |
EP3238113B1 (en) | 2014-12-22 | 2018-09-26 | Koninklijke Philips N.V. | Hiding of a program execution |
US10505710B2 (en) * | 2014-12-22 | 2019-12-10 | Koninklijke Philips N.V. | Electronic calculating device |
US10318271B2 (en) | 2015-01-05 | 2019-06-11 | Irdeto Canada Corporation | Updating software components in a program |
US9665699B2 (en) * | 2015-03-13 | 2017-05-30 | Nxp B.V. | Implementing padding in a white-box implementation |
GB201505434D0 (en) * | 2015-03-30 | 2015-05-13 | Irdeto Bv | Cryptographic processing |
CN108064381B (en) | 2015-03-30 | 2021-06-18 | 爱迪德技术有限公司 | Method for data protection |
GB201505553D0 (en) | 2015-03-31 | 2015-05-13 | Irdeto Bv | Online advertisements |
US10372886B2 (en) * | 2015-05-05 | 2019-08-06 | Nxp B.V. | Protecting the input/output of modular encoded white-box RSA/ECC |
CN107592963B (en) * | 2015-05-19 | 2020-05-19 | 皇家飞利浦有限公司 | Method and computing device for performing secure computations |
US10642786B2 (en) * | 2015-05-19 | 2020-05-05 | Cryptomove, Inc. | Security via data concealment using integrated circuits |
US10664439B2 (en) | 2015-05-19 | 2020-05-26 | Cryptomove, Inc. | Security via dynamic data movement in a cloud-based environment |
SG11201804478VA (en) * | 2015-05-19 | 2018-06-28 | Cryptomove Inc | Security via data concealment |
US10037330B1 (en) | 2015-05-19 | 2018-07-31 | Cryptomove, Inc. | Security via dynamic data movement in a cloud-based environment |
RU2580060C1 (en) * | 2015-05-20 | 2016-04-10 | Федеральное государственное автономное образовательное учреждение высшего образования "Санкт-Петербургский государственный электротехнический университет "ЛЭТИ" им. В.И. Ульнова (Ленина)" | Method to encrypt messages, represented as a multi-bit binary number |
CN107667368B (en) * | 2015-07-09 | 2020-12-22 | 赫尔实验室有限公司 | System, method and storage medium for obfuscating a computer program |
US10509918B1 (en) * | 2015-09-18 | 2019-12-17 | Hrl Laboratories, Llc | One-time obfuscation for polynomial-size ordered binary decision diagrams (POBDDs) |
DE102015014038A1 (en) * | 2015-10-30 | 2017-05-04 | Giesecke & Devrient Gmbh | Alternative representation of the crypto algorithm DES |
NL2015745B1 (en) | 2015-11-09 | 2017-05-26 | Koninklijke Philips Nv | A cryptographic device arranged to compute a target block cipher. |
US10015009B2 (en) * | 2015-11-25 | 2018-07-03 | Nxp B.V. | Protecting white-box feistel network implementation against fault attack |
JP6890589B2 (en) * | 2015-12-15 | 2021-06-18 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | Computational devices and methods |
US10728028B2 (en) * | 2016-02-18 | 2020-07-28 | Gideon Samid | Transmitter for encoding information with randomly flipped bits and transmitting that information through a communications channel |
US10229282B2 (en) * | 2016-06-12 | 2019-03-12 | Apple Inc. | Efficient implementation for differential privacy using cryptographic functions |
EP3475825B1 (en) | 2016-06-23 | 2023-01-25 | Cryptography Research, Inc. | Cryptographic operations employing non-linear share encoding for protecting from external monitoring attacks |
CN107547193A (en) * | 2016-06-28 | 2018-01-05 | 埃沙尔公司 | Make replacement operation from the method for side Multiple Channel Analysis |
US10243937B2 (en) * | 2016-07-08 | 2019-03-26 | Nxp B.V. | Equality check implemented with secret sharing |
US10771235B2 (en) * | 2016-09-01 | 2020-09-08 | Cryptography Research Inc. | Protecting block cipher computation operations from external monitoring attacks |
CA3047009A1 (en) | 2016-12-15 | 2018-06-21 | Irdeto B.V. | Software integrity verification |
US10615980B2 (en) * | 2017-02-02 | 2020-04-07 | Mastercard International Incorporated | Methods and systems for securely storing sensitive data on smart cards |
FR3063857B1 (en) * | 2017-03-08 | 2020-02-14 | Safran Identity & Security | METHOD FOR ELECTRONIC SIGNING OF A DOCUMENT WITH A PREDETERMINED SECRET KEY |
GB201703864D0 (en) | 2017-03-10 | 2017-04-26 | Irdeto Bv | Secured system operation |
US10862646B2 (en) * | 2017-07-11 | 2020-12-08 | Nokia Technologies Oy | Polar coded broadcast channel |
CN111066077B (en) * | 2017-08-10 | 2023-08-15 | 索尼公司 | Encryption device, encryption method, decryption device, and decryption method |
CN111316315B (en) | 2017-09-12 | 2023-03-28 | 爱迪德有限公司 | Watermarking equipment and method based on GPU |
US11195107B1 (en) * | 2017-09-13 | 2021-12-07 | Hrl Laboratories, Llc | Method of malicious social activity prediction using spatial-temporal social network data |
US10528600B1 (en) * | 2017-09-13 | 2020-01-07 | Hrl Laboratories, Llc | System to identify unknown communication behavior relationships from time series |
DE102017009315B4 (en) * | 2017-10-06 | 2019-11-21 | Sergej Gertje | Protection of automation programs against reverse development |
US10778409B2 (en) | 2017-12-15 | 2020-09-15 | Crypto Lab Inc. | Terminal device performing homomorphic encryption, server device processing ciphertext and methods thereof |
US11010233B1 (en) | 2018-01-18 | 2021-05-18 | Pure Storage, Inc | Hardware-based system monitoring |
US11176300B2 (en) * | 2018-02-03 | 2021-11-16 | Irdeto B.V. | Systems and methods for creating individualized processing chips and assemblies |
US10797868B2 (en) | 2018-05-31 | 2020-10-06 | Irdeto B.V. | Shared secret establishment |
US11206130B2 (en) | 2018-07-31 | 2021-12-21 | Nxp B.V. | Customizing cryptographic keys between multiple hosts |
US11025907B2 (en) * | 2019-02-28 | 2021-06-01 | Google Llc | Receptive-field-conforming convolution models for video coding |
US10869036B2 (en) | 2018-09-18 | 2020-12-15 | Google Llc | Receptive-field-conforming convolutional models for video coding |
US11764940B2 (en) | 2019-01-10 | 2023-09-19 | Duality Technologies, Inc. | Secure search of secret data in a semi-trusted environment using homomorphic encryption |
US20200313850A1 (en) * | 2019-03-29 | 2020-10-01 | Irdeto Canada Corporation | Method and apparatus for implementing a white-box cipher |
WO2020205984A1 (en) * | 2019-04-01 | 2020-10-08 | Cryptomove, Inc. | Security via data concealment using integrated circuits |
US10764029B1 (en) * | 2019-04-02 | 2020-09-01 | Carey Patrick Atkins | Asymmetric Encryption Algorithm |
CA3135046C (en) * | 2019-04-23 | 2022-10-04 | Quantropi Inc. | Enhanced randomness for digital systems |
US11283619B2 (en) * | 2019-06-20 | 2022-03-22 | The Boeing Company | Bit mixer based parallel MAC and hash functions |
US11263316B2 (en) | 2019-08-20 | 2022-03-01 | Irdeto B.V. | Securing software routines |
CN110620671B (en) * | 2019-08-30 | 2024-04-09 | 厦门一通灵信息科技有限公司 | Encryption algorithm evaluation method, medium, equipment and device |
JP7383985B2 (en) * | 2019-10-30 | 2023-11-21 | 富士電機株式会社 | Information processing device, information processing method and program |
US11755751B2 (en) | 2019-11-22 | 2023-09-12 | Pure Storage, Inc. | Modify access restrictions in response to a possible attack against data stored by a storage system |
US11615185B2 (en) | 2019-11-22 | 2023-03-28 | Pure Storage, Inc. | Multi-layer security threat detection for a storage system |
US11651075B2 (en) | 2019-11-22 | 2023-05-16 | Pure Storage, Inc. | Extensible attack monitoring by a storage system |
US11941116B2 (en) | 2019-11-22 | 2024-03-26 | Pure Storage, Inc. | Ransomware-based data protection parameter modification |
US11625481B2 (en) | 2019-11-22 | 2023-04-11 | Pure Storage, Inc. | Selective throttling of operations potentially related to a security threat to a storage system |
US11341236B2 (en) | 2019-11-22 | 2022-05-24 | Pure Storage, Inc. | Traffic-based detection of a security threat to a storage system |
US11520907B1 (en) | 2019-11-22 | 2022-12-06 | Pure Storage, Inc. | Storage system snapshot retention based on encrypted data |
US11657155B2 (en) | 2019-11-22 | 2023-05-23 | Pure Storage, Inc | Snapshot delta metric based determination of a possible ransomware attack against data maintained by a storage system |
US11687418B2 (en) | 2019-11-22 | 2023-06-27 | Pure Storage, Inc. | Automatic generation of recovery plans specific to individual storage elements |
US11720714B2 (en) | 2019-11-22 | 2023-08-08 | Pure Storage, Inc. | Inter-I/O relationship based detection of a security threat to a storage system |
US11720692B2 (en) | 2019-11-22 | 2023-08-08 | Pure Storage, Inc. | Hardware token based management of recovery datasets for a storage system |
US11500788B2 (en) | 2019-11-22 | 2022-11-15 | Pure Storage, Inc. | Logical address based authorization of operations with respect to a storage system |
US11645162B2 (en) | 2019-11-22 | 2023-05-09 | Pure Storage, Inc. | Recovery point determination for data restoration in a storage system |
US11675898B2 (en) | 2019-11-22 | 2023-06-13 | Pure Storage, Inc. | Recovery dataset management for security threat monitoring |
US11204985B2 (en) * | 2020-03-31 | 2021-12-21 | Irdeto Canada Corporation | Systems, methods, and storage media for creating secured computer code having entangled transformations |
US11902424B2 (en) * | 2020-11-20 | 2024-02-13 | International Business Machines Corporation | Secure re-encryption of homomorphically encrypted data |
US20220255726A1 (en) * | 2021-01-29 | 2022-08-11 | Robert Bosch Gmbh | System and method for improving the efficiency of advanced encryption standard in multi-party computation |
US11722292B2 (en) | 2021-01-29 | 2023-08-08 | Robert Bosch Gmbh | System and method for improving the efficiency of advanced encryption standard in multi-party computation with precomputed data |
IT202100012488A1 (en) * | 2021-05-14 | 2022-11-14 | Torino Politecnico | Method of configuring neural networks and method of processing binary files |
EP4339835A1 (en) | 2022-09-16 | 2024-03-20 | Irdeto B.V. | Machine learning model protection |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5892899A (en) * | 1996-06-13 | 1999-04-06 | Intel Corporation | Tamper resistant methods and apparatus |
US6192475B1 (en) * | 1997-03-31 | 2001-02-20 | David R. Wallace | System and method for cloaking software |
CA2293650C (en) * | 1997-06-09 | 2012-09-25 | Christian Sven Collberg | Obfuscation techniques for enhancing software security |
FR2776445A1 (en) * | 1998-03-17 | 1999-09-24 | Schlumberger Ind Sa | Cryptographic algorithm security technique |
JP3600454B2 (en) * | 1998-08-20 | 2004-12-15 | 株式会社東芝 | Encryption / decryption device, encryption / decryption method, and program storage medium therefor |
AU1983300A (en) * | 1998-12-30 | 2000-07-24 | Koninklijke Kpn N.V. | Method and device for cryptographically processing data |
CA2447451C (en) * | 2000-05-12 | 2013-02-12 | Xtreamlok Pty. Ltd. | Information security method and system |
CA2327911A1 (en) | 2000-12-08 | 2002-06-08 | Cloakware Corporation | Obscuring functions in computer software |
CA2369304A1 (en) * | 2002-01-30 | 2003-07-30 | Cloakware Corporation | A protocol to hide cryptographic private keys |
FR2849232B1 (en) * | 2002-12-24 | 2005-02-25 | Trusted Logic | METHOD FOR SECURING COMPUTER SYSTEMS INCORPORATING A CODE INTERPRETATION MODULE |
US7631292B2 (en) * | 2003-11-05 | 2009-12-08 | Microsoft Corporation | Code individualism and execution protection |
US20050223361A1 (en) * | 2004-04-01 | 2005-10-06 | Belbute John L | Software testing based on changes in execution paths |
US8015211B2 (en) * | 2004-04-21 | 2011-09-06 | Architecture Technology Corporation | Secure peer-to-peer object storage system |
2000
- 2000-12-08 CA CA002327911A (CA2327911A1): not active, Abandoned

2001
- 2001-12-10 EP EP01999868A (EP1350154A2): not active, Withdrawn
- 2001-12-10 WO PCT/CA2001/001729 (WO2002046890A2): not active, Application Discontinuation
- 2001-12-10 US US10/433,966 (US7397916B2): not active, Expired - Fee Related
- 2001-12-10 CA CA002431443A (CA2431443A1): not active, Abandoned
- 2001-12-10 AU AU2002221414A (AU2002221414A1): not active, Abandoned

2004
- 2004-12-27 US US11/020,313 (US7809135B2): not active, Expired - Fee Related
Non-Patent Citations (1)
Title |
---|
No Search * |
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7809135B2 (en) | 2000-12-08 | 2010-10-05 | Cloakware Corporation | System and method for protecting computer software from a white box attack |
FR2850811A1 (en) * | 2003-01-30 | 2004-08-06 | St Microelectronics Sa | Integrated circuit e.g. chip card, anti-fraud method, involves performing masking of data and unmasking of encryption function result by random number, using two functionally identical operators having respective physical traces |
US8510571B1 (en) | 2003-03-24 | 2013-08-13 | Hoi Chang | System and method for inserting security mechanisms into a software program |
US8023651B2 (en) | 2003-12-11 | 2011-09-20 | Irdeto B.V. | Block ciphering system, using permutations to hide the core ciphering function of each encryption round |
JP4884976B2 (en) * | 2003-12-11 | 2012-02-29 | イルデト・コーポレート・ビー・ヴイ | Block encryption system using permutation to conceal the core encryption function of each encryption round |
JP2012037904A (en) * | 2003-12-11 | 2012-02-23 | Irdeto Corporate Bv | Block encryption system using replacement for concealing core encryption function of each encryption round |
JP2007514193A (en) * | 2003-12-11 | 2007-05-31 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | Block encryption system using permutation to conceal the core encryption function of each encryption round |
DE102004011488B4 (en) * | 2004-03-09 | 2007-07-05 | Giesecke & Devrient Gmbh | Protection of software against attacks |
DE102004011488A1 (en) * | 2004-03-09 | 2005-10-13 | Giesecke & Devrient Gmbh | Anti-virus protection method for protecting software against virus attack, involves changing section of software with regard to its position |
JP2008518262A (en) * | 2004-10-28 | 2008-05-29 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | Method and system for obfuscating cryptographic functions |
EP1873676A1 (en) * | 2005-03-25 | 2008-01-02 | Matsushita Electric Industrial Co., Ltd. | Program converting device, secure processing device, computer program, and recording medium |
EP1873676A4 (en) * | 2005-03-25 | 2012-03-07 | Panasonic Corp | Program converting device, secure processing device, computer program, and recording medium |
WO2007105126A2 (en) | 2006-03-10 | 2007-09-20 | Koninklijke Philips Electronics N.V. | Method and system for obfuscating a cryptographic function |
EP1997265B1 (en) * | 2006-03-10 | 2020-08-05 | Irdeto B.V. | Integrity of a data processing system using white-box for digital content protection |
JP4938766B2 (en) * | 2006-04-28 | 2012-05-23 | パナソニック株式会社 | Program obfuscation system, program obfuscation apparatus, and program obfuscation method |
WO2007126049A1 (en) * | 2006-04-28 | 2007-11-08 | Panasonic Corporation | System for making program difficult to read, device for making program difficult to read, and method for making program difficult to read |
EP2044723A2 (en) * | 2006-07-12 | 2009-04-08 | Koninklijke Philips Electronics N.V. | Verifying authenticity of an execution environment |
JP2010515945A (en) * | 2007-01-11 | 2010-05-13 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | Tracking a copy of the implementation |
EP2104987A2 (en) * | 2007-01-11 | 2009-09-30 | Koninklijke Philips Electronics N.V. | Tracing copies of an implementation |
US8856500B2 (en) | 2008-02-06 | 2014-10-07 | Nxp B.V. | Obfuscating program by scattering sequential instructions into memory regions such that jumps occur with steps of both signs in equal frequency |
US8621187B2 (en) | 2008-02-11 | 2013-12-31 | Nxp, B.V. | Method of program obfuscation and processing device for executing obfuscated programs |
CN102461058A (en) * | 2009-03-10 | 2012-05-16 | 爱迪德有限责任公司 | White-box cryptographic system with input dependent encodings |
WO2010102960A1 (en) | 2009-03-10 | 2010-09-16 | Irdeto B.V. | White-box cryptographic system with input dependent encodings |
US9654280B2 (en) | 2009-03-10 | 2017-05-16 | Irdeto B.V. | White-box cryptographic system with input dependent encodings |
WO2010128060A1 (en) * | 2009-05-05 | 2010-11-11 | Giesecke & Devrient Gmbh | Method for protecting software stored on a portable data medium, and portable data medium |
EP2458774A1 (en) * | 2010-11-24 | 2012-05-30 | Nagravision S.A. | A method of processing a cryptographic function in obfuscated form |
WO2014177400A1 (en) * | 2013-05-01 | 2014-11-06 | Koninklijke Philips N.V. | Electronic block cipher device suitable for obfuscation |
US9998279B2 (en) | 2013-05-01 | 2018-06-12 | Koninklijke Philips N.V. | Electronic block cipher device suitable for obfuscation |
WO2015150391A1 (en) * | 2014-03-31 | 2015-10-08 | Irdeto B.V. | Software protection |
EP3127039A2 (en) * | 2014-03-31 | 2017-02-08 | Irdeto B.V. | Secured electronics device |
Also Published As
Publication number | Publication date |
---|---|
CA2431443A1 (en) | 2002-06-13 |
US7397916B2 (en) | 2008-07-08 |
EP1350154A2 (en) | 2003-10-08 |
US20060140401A1 (en) | 2006-06-29 |
AU2002221414A1 (en) | 2002-06-18 |
US20040139340A1 (en) | 2004-07-15 |
WO2002046890A8 (en) | 2003-03-06 |
CA2327911A1 (en) | 2002-06-08 |
US7809135B2 (en) | 2010-10-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7397916B2 (en) | System and method for protecting computer software from a white box attack | |
Dobraunig et al. | Ascon v1. 2: Lightweight authenticated encryption and hashing | |
Chow et al. | A white-box DES implementation for DRM applications | |
Bogdanov et al. | Towards practical whitebox cryptography: optimizing efficiency and space hardness | |
EP3075097B1 (en) | Construction and uses of variable-input-length tweakable ciphers | |
US5623549A (en) | Cipher mechanisms with fencing and balanced block mixing | |
EP1421461A2 (en) | Space-efficient, side-channel attack resistant table lookups | |
WO2001082524A1 (en) | Cryptographic system for data encryption standard | |
EP3662612B1 (en) | Cryptographic device and method | |
AU2011292312A1 (en) | Apparatus and method for block cipher process for insecure environments | |
Krovetz et al. | OCB (v1. 1) | |
CA2384360A1 (en) | Tamper resistant software encoding | |
US20210036864A1 (en) | Method and system for generating a keccak message authentication code (kmac) based on white-box implementation | |
US8190892B2 (en) | Message authentication code with blind factorization and randomization | |
Saarinen | The CBEAMr1 authenticated encryption algorithm | |
WO2021201779A1 (en) | Method and system for generating a hash-based message authentication code (hmac) based on white-box implementation | |
Lu et al. | White-box implementation of the KMAC message authentication code | |
Krovetz et al. | OCB (v1) | |
Yang et al. | WAS: improved white-box cryptographic algorithm over AS iteration | |
Ashur et al. | Damaging, simplifying, and salvaging p-OMD | |
WO2021201780A1 (en) | Method and system for white-box implementation of a stream cipher | |
Rigot | Útoky na white-box AES | |
Mahmud | A Study on Parallel Implementation of Advanced Encryption Standard (AES) | |
Khajooeizadeh | Applications of cryptanalysis methods to some symmetric key primitives | |
Salomon et al. | Block ciphers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AK | Designated states | Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | D17 | Declaration under article 17(2)a | |
| | WWE | Wipo information: entry into national phase | Ref document number: 2431443 Country of ref document: CA |
| | WWE | Wipo information: entry into national phase | Ref document number: 2001999868 Country of ref document: EP |
| | WWP | Wipo information: published in national office | Ref document number: 2001999868 Country of ref document: EP |
| | REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
| | WWE | Wipo information: entry into national phase | Ref document number: 10433966 Country of ref document: US |
| | WWW | Wipo information: withdrawn in national office | Ref document number: 2001999868 Country of ref document: EP |
| | NENP | Non-entry into the national phase | Ref country code: JP |
| | WWW | Wipo information: withdrawn in national office | Country of ref document: JP |