Two Attacks on a White-Box AES Implementation

White-box cryptography aims to protect the secret key of a cipher in an environment in which an adversary has full access to the implementation of the cipher and its execution environment. In 2002, Chow, Eisen, Johnson and van Oorschot proposed a white-box implementation of AES. In 2004, Billet, Gilbert and Ech-Chatbi presented an efficient attack (referred to as the BGE attack) on this implementation, extracting its embedded AES key with a work factor of 2. In 2012, Tolhuizen presented an improvement of the most time-consuming phase of the BGE attack. The present paper includes three contributions. First we describe several improvements of the BGE attack. We show that the overall work factor of the BGE attack is reduced to 2 when all improvements are implemented. This paper also presents a new attack on the initial white-box implementation of Chow et al. This attack exploits collisions occurring on internal variables of the implementation and it achieves a work factor of 2. Eventually, we address the white-box AES implementation presented by Karroumi in 2010 which aims to withstand the BGE attack. We show that the implementations of Karroumi and Chow et al. are the same, making them both vulnerable to the same attacks.