White-Box Implementation of the Identity-Based Signature Scheme in the IEEE P1363 Standard for Public Key Cryptography

IEICE TRANS. INF. & SYST., VOL.E103–D, NO.2 FEBRUARY 2020 188

INVITED PAPER Special Section on Security, Privacy, Anonymity and Trust in Cyberspace Computing and Communications White-Box Implementation of the Identity-Based Signature Scheme in the IEEE P1363 Standard for Public Key Cryptography

Yudi ZHANG†,††, Debiao HE†,††a), Xinyi HUANG†††,††††, Ding WANG††,†††††, Kim-Kwang Raymond CHOO††††††, Nonmembers, and Jing WANG†,††, Student Member

SUMMARY Unlike black-box cryptography, an adversary in a white- box security model has full access to the implementation of the cryptographic algorithm. Thus, white-box implementation of cryptographic algorithms is more practical. Nevertheless, in recent years, there is no white- box implementation for public key cryptography. In this paper, we propose Fig. 1 A typical DRM architecture the first white-box implementation of the identity-based signature scheme in the IEEE P1363 standard. Our main idea is to hide the private key to multiple lookup tables, so that the private key cannot be leaked during the algorithm executed in the untrusted environment. We prove its security in both black-box and white-box models. We also evaluate the performance gram. However, the adversary does not have the permis- of our white-box implementations, in order to demonstrate utility for real- sion to access the internal process of the program’s execu- world applications. tion. In practice, an adversary can also observe and mod- key words: white-box implementation, white-box security, IEEE P1363, ify the algorithm’s implementation to obtain the internal de- identity-based signature, key extraction tails, such as the secret key. Many side-channel attacks have been proposed recently, most of them can be mounted on 1. Introduction the existing cryptographic systems, such as timing, power, and fault analysis attacks. For example, the digital rights White-box cryptography was first introduced by Chow et management (DRM) is commonly used to restrict the use of al. [1], [2] in 2002, and is designed to prevent software proprietary hardware and copyrighted works. In the exam- implementation of cryptographic algorithm from being at- ple shown in Fig. 1, a broadcasting company wishes to dis- tacked in untrusted envrionments. Specifically, the key pur- tribute their digital content (e.g., music and movies) on the pose of white-box cryptography is to ensure the confiden- Internet, and set different permissions to the users such that tiality of secret keys. Since the first white-box implementa- only paying users can access the purchased content. How- tions of DES and AES algorithms [1], [2], a number of other ever, these users should not be able to copy or re-distribute white-box implementations have been proposed in the liter- the content. Therefore, the provider should encrypt the con- ature [3], [4]. tent m first, i.e., computes c = Enck(m), then distributes the In the trusted environment, an adversary knows the al- entrypted content c on the public network. If the user has gorithm of the cryptographic system. The adversary can also the license to access the content, then the Rights Expression require a number of inputs and obtain outputs from the pro- Manager can parse the user’s authentication and decrypt the encrypted content, i.e., the corresponding decryption pro- Manuscript received March 3, 2019. gram D computes m = Deck(c) to obtain the original con- Manuscript revised June 19, 2019. tent. However, iTunes DRM has been reportedly cracked Manuscript publicized September 27, 2019. † by Johansen [5], where the vulnerability can be exploited The authors are with Key Laboratory of Aerospace Infor- mation Security and Trusted Computing, Ministry of Education, to re-distribute the content without authentication. Similar School of Cyber Science and Engineering, Wuhan University, vulnerabilities in iOS DRM applications have been revealed Wuhan 430072, China. by D’Orazio and Choo [6], which can be exploited to gain †† The authors are with State Key Laboratory of Cryptology, access to copyrighted materials for free. P.O. Box 5159, Beijing 100878, China. ff ††† As more DRM services are o ered via mobile de- The author is with the College of Mathematics and Informat- vices / applications (apps), it is vital to ensure the secu- ics, Fujian Normal University, Fuzhou 350117, China. / ††††The author is with the Fujian Provincial Key Laboratory of rity of DRM and other services apps, for example the use Network Security and Cryptology, Fuzhou 350117, China. of cryptographic tools such as encryption and digital signa- †††††The author is with School of Electronics Engineering and ture schemes. The latter is indispensable in the Internet es- Computer Science, Peking University, Beijing 100871, China. pecially in e-commerce, due to its capability to demonstrate †††††† The author is with Department of Information Systems and the validity of user’s message and identity. Formally, a valid Cyber Security and the Department of Electrical and Computer En- digital signature ensures that the message was generated by gineering, The University of Texas at San Antonio, San Antonio, / TX 78249, USA. a known signer, the signer cannot deny his her signature, a) E-mail: [email protected] and that the integrity of the message has not been compro- DOI: 10.1587/transinf.2019INP0004 mised. To avoid the limitations inherent in public key-based

Copyright c 2020 The Institute of Electronics, Information and Communication Engineers ZHANG et al.: WHITE-BOX IMPLEMENTATION OF THE IDENTITY-BASED SIGNATURE SCHEME IN THE IEEE P1363 STANDARD 189

2. Related Work

White-box cryptography (WBC) is designed to protect software implementations of cryptographic algorithms when the software is running on untrusted environment, in the sense that the adversary has full access to the implementation [1], [2].Chowet al. [1], [2] proposed the first white-box implementation for both DES and AES algorithms, and the authors also introduced the White-Box At- tack Context (WBAC). In WBAC, the adversary seeks to extract the secret keys from the implementation. In recent years, many other white-box implementations have also been put forward, such as white-box implementations of DES and AES [3], [4], many of these schemes have been shown to be vulnerable to practical key extraction or table- Fig. 2 A use case for white-box implementation in wireless environment decomposition attacks [16]–[18]. For example, using linear algebra, Lepoint et al. [18] demonstrated how Lepoint’s construction can be broken. Biryukov et al. [19] also broke digital signature schemes, such as those of [7]–[9], Shamir Chow et al.’s construction in 2014. introduced the first identity-based cryptography [10]. Since Billet et al. [16] proposed an effective cryptanalysis for the seminal work of Shamir, many other identity-based sig- white-box implementations of AES algorithm in 2004. They nature (IBS) schemes, such as those of [11]–[14], have been used algebraic cryptanalysis to analyze specific lookup ta- proposed in the literature. bles, and removed the non-linear parts of the internal im- While identity-based digital signature is a topic that has plementation. In a later work, Michiels et al. [20] proposed been extensively studied, there is not any known white-box an improved cryptanalysis, which can be used to analyze a implementation of identity-based signature scheme. Thus, generic class of white-box implementations. this is the focus and contribution of the work in this paper. Biryukov et al. [19] also showed that the white-box im- Specifically, in our study, we focus on the white-box imple- plementations of AES and DES [1], [2] can be identified as mentation of identity-based signature scheme in the IEEE a 3-layer ASA (affine-substitution-affine) structure, and they P1363 standard for public key cryptography [15].Asfar proposed a more secure structure (i.e., a 5-layer ASASA as we know, this is the first white-box implementation of construction). Since the work of Biryukov et al. [19], other identity-based signature scheme (in the IEEE P1363 stan- researchers [21], [22] have studied the decomposition of se- dard). Our method is lightweight, and meets the white-box cret nonlinear and linear layers. Theoretically, the more lay- security requirement. As shown in Fig. 2, our method can ers that are employed, the more secure the construction is. be implemented in an untrusted wireless environment, in- However, Biryukov et al. [23] also showed that even a 9- cluding on mobile devices such as Android or iOS device. layer construction SASASASAS is vulnerable. Specifically, the Sign algorithm is implemented on some Delerabl et al. [24] proposed a notion of incompress- user devices in the white-box model. Therefore, the mali- ibility: an adversary has full access to the white-box imple- cious applications or hackers obtaining user’s private key is mentation, but generate a program with the same function impossible. Moreover, even if the device is lost, no one can and dramatically small size is impossible. Such a notion get the user’s private key. is also referred to as weak white-box [19] or space hard- In Sect. 2, we introduce related white-box cryptogra- ness [25] in the literature. In this notion, the adversary can- phy literature, prior to presenting the notations, the identity- not extract the key from the white-box implementation of based signature scheme in the IEEE P1363 standard, math- the cryptographic algorithm, if the implementation is large ematical assumptions and the definitions of white-box se- and incompressible. curity in Sect. 3. In Sect. 4, we propose our white-box im- More recently in 2016, Bellare et al. [26] utilized a plementation of the identity-based signature scheme in the large encryption key to protect the key, which is called the IEEE P1363 standard, and give the description of the de- bounded-retrieval model (BRM), and Fouque et al. [27] pro- tailed construction. In Sect. 5, we lay special stress on an- posed the first construction with provable security guaran- alyzing the black-box and white-box security. We imple- tee. They also introduced a new definition of incompress- ment our proposed method on a personal computer (PC), ibility (i.e. weak and Fouque et al. incompressibility). then we show and evaluate the implementation performance A number of differential cryptanalysis techniques can in Sect. 6. We point that our method is efficient and secure be used to crack white-box implementations [1], [28], espe- in the industrial area and the real-world applications. In the cially on white-box implementations for DES. For example, last section, we conclude the paper. Chow et al. [1] showed that their white-box implementations of DES is vulnerable. They then introduced an attack sim- IEICE TRANS. INF. & SYST., VOL.E103–D, NO.2 FEBRUARY 2020 190 ilar to differential power analysis, i.e. statistical bucketing outputs the user’s private key as follows: attack. The statistical bucketing attack method has been im- a. Computes the identity element h = H (ID) proved subsequently by Link and Neumann [28]. ID 1 where hID ∈ Zp. While there are numerous identity-based signature − b. Outputs K = (h + s) 1Q . schemes, they are generally not white-box attack resilience, ID ID 1 and we are not aware of any white-box implementation for 3. Sign: Taken as input a message m, the user’s identity identity-based signature scheme. Hence, our research has ID, the signer outputs the signature σ as follows:

filled the gap in white-box cryptography. r r a. Randomly selects r ←− Zp, computes u = g . = , = + 3. Preliminaries b. Computes h H2(m u) and S (r h)KID. c. Outputs the signature σ = (h, S ). r We let S denote a set or distribution, and a ←− S denote 4. Verify: Taken as input the signature σ, the correspond- that a is randomly selected from S . In this paper, n de- ing message m, and the identity ID, this algorithm notes the security parameter, for any polynomial p,ifthe should check the validation of the signature. The veri- equation μ(n) = O(1/p(n)) holds, then the function μ(n) fier executes the steps as follows: is negligible. The trusted key generation center denotes in a. Computes hID = H1(ID). KGC, the probabilistic polynomial time algorithm denotes , + = e(S hIDQ2 R) b. Computes u e Q ,Q h . in P. P. T . H1 and H2 are two secure hash functions, such that ( 1 2) ∗ ∗ c. If h = H (m, u), then outputs 1; otherwise, outputs H : {0, 1} → Z , and H : {0, 1} × G → Z . 2 1 p 2 3 p 0. Let Setup be the algorithm that, given the security parameter n, it outputs the bilinear map parameters (g1, g2, G1, G2, G3, e). G1 and G2 are two cyclic additive 3.2 Mathematical Assumptions groups, g1, g2 are generators of G1, G2 respectively, G3 is a multiplicative group, there exists an efficient bilinear map Definition 1. We assume that there exists bilinear map such that e : G1 × G2 → G3, which contains properties as groups G1, G2, and G3, P is the generator of G1,Qis follows: the generator of G2. The q-Strong Diffie-Hellman problem (q-SDHP) in (G , G ) is described as follows: taken as in- 1. For all x , x ∈ G and y , y ∈ G , e(x + x , y ) = 1 2 1 2 1 1 2 2 1 2 1 put (q + 2)-tuple (P, Q, xQ, x2Q,...,xqQ), and output that e(x , y )e(x , y ) and e(x , y + y ) = e(x , y )e(x , y ). ∗ 1 1 2 1 1 1 2 1 1 1 2 (c, 1 P) where c ∈ Z .AP. P. T algorithm A solves q-SDHP 2. For all 0 x ∈ G , there exists y ∈ G such that c+x p 1 2 in (G , G ) with the advantage if e(x, y) 1. 1 2 3. For all 0 x ∈ G , there exists y ∈ G such that 1 2 1 Pr[A(P, Q, xQ, x2Q,...,xqQ) = (c, P)] ≥ . e(x, y) 1. c + x 4. There exists an efficient isomorphism φ : G2 → G1, We say that q-SDHP in (G1, G2) is infeasible if all P. P. T al- such that g1 = φ(g2). gorithms can solve q-SDHP in (G1, G2) with a negligible advantage . 3.1 The Identity-Based Signature Scheme in IEEE P1363 G Standard Definition 2. Let be a cyclic group of prime order q. The DL problem in G is to compute a ∈ Zq for given (P, Y) where Y = aP ∈ G.AP. P. T algorithm A solves DL problem in G In this section, we review the identity-based signature in the IEEE P1363 standard [13] briefly. The detailed algorithms with the advantage if are described below: Pr[A(P, Y) = a : a ∈ Zp, Y = aP] ≥ . 1. Setup: Taken as input the security parameter n,the We say that the DL problem in G is infeasible if all P. P. T KGC outputs the system parameters params as fol- algorithm can solve the DL problem in G with a negligible lows: advantage . a. Chooses G1, G2, G3 and a pairing e : G1 × G2 → G . 3 3.3 White-Box Security b. Picks a random generator Q2 of G2, and calculates Q1 = φ(Q2) ∈ G1. ←−r Z We adapt existing definitions of white-box security [19], c. Randomly selects s p,setss as the mas- [25], presented below. ter secret key, then calculates R = sQ2 and g = e(Q1, Q2). Definition 3. White-Box Attack Context (WBAC) [2]: d. Sets and outputs the system parameters params = • an attack software has full privileges and shares a host (R, g, Q , Q , G , G , G , e) available. 1 2 1 2 3 with the cryptographic software, and it has full access 2. Extract: Taken as input a user’s identity ID,theKGC to the implementation of the algorithm; ZHANG et al.: WHITE-BOX IMPLEMENTATION OF THE IDENTITY-BASED SIGNATURE SCHEME IN THE IEEE P1363 STANDARD 191

• cryptographic software can be executed dynamically identity ID and params,theKGC outputs white-box and observed (i.e. the instantiated cryptographic keys); keys as follows: • the internal details of the algorithm are completely vis- , ··· , ←−r Z ible and alterable. a. Randomly selects x1 x2 xk p where k is a number greater than or equal to 256. x1 x2 xk Definition 4. Strong White-Box Security: We assume that b. Computes {u1 = g , u2 = g , ··· , uk = g } and , the pair of algorithm (E D) is a symmetric key scheme, and {X1 = x1KID, X2 = x2KID, ··· , Xk = xkKID}. O r K is the secret key. Let EK be a function that computes EK. c. Randomly selects y , y ··· , y ←− Z . 1 2 256 p O D y1 y2 y256 Given full access to EK , if obtain a function equivalent d. Computes {v = g , v = g , ··· , v = g } O 1 2 256 to DK is computationally hard, then we say that EK is a and secure strong white-box implementation for EK. {Y1 = KID+y1KID, Y2 = 2KID+y2KID, ··· , Y256 = 2255K + y K }. Based on the definition in [19] and our proposed white- ID 256 ID e. Deletes {x , x ··· , x } and {y , y ··· , y }. box implementation of identity-based signature scheme, we 1 2 k 1 2 256 f. Sends u , X and Y to the signer, and makes v give the definition of weak white-box security. i i i i public. Definition 5. Weak White-Box Security: Let the pair of al- , 4. Sign: Taken as input a message m, the user’s identity gorithms (S V) be a signature scheme, and K is the private ID, the signer outputs the signature σ as follows: key. We generate an equivalent key set F(K) for K, and it is trivial to obtain an algorithm from F(K) which is equiva- a. Generates a k bits number r randomly, where r is O r ···r r lent to S K. The function S K is a T-secure weak white-box a binary and represented as k 2 1. Computes = = implementation for S K, if given the full access to OS ,to u i:r =1 ui, and S 1 i:r =1 Xi. K i i obtain the K of length less than T from F(K) is computa- b. Computes h = H2(m, u ), where h is a binary and ··· tionally hard. represented as h256 h2h1. = = + c. Computes S 2 i:hi=1 Yi, and sets S S 1 S 2. That is, when an adversary is given the full access to d. Outputs σ = (h, S ). the secure weak white-box implementation to find out any compact equivalent function smaller than T, it is computa- 5. Verify: Taken as input the signature σ, the correspond- tionally hard. ing message m, and the identity ID, this algorithm should check the validation of the signature. The veri- 4. White-Box Implementation of the Identity-Based fier executes the steps as follows: Signature Scheme in IEEE P1363 ··· a. Binary h is represented as h256 h2h1, and com- = putes t1 i:hi=1 vi. In this section, we propose our white-box implementation , + = e(S hIDQ2 R) = t2 b. Computes t2 e(Q ,Q )h , and sets u t . of the identity-based signature scheme in the IEEE P1363 = 1 , 2 = 1 standard. c. Computes h H2(m u). If h h , then outputs Our proposed method consists of the following five al- 1; otherwise, outputs 0. gorithms, namely: Setup, Extract, WhiteBoxKeyGen, Sign and Verify. 5. Security Analysis 1. Setup: Taken as input the security parameter n,the KGC outputs the system parameters params as fol- We show the black-box and white-box security analysis sep- lows: arately in this section. G , G , G G × G → a. Chooses 1 2 3 and a pairing e : 1 2 5.1 Black-Box Security Analysis G3. G b. Picks a random generator Q2 of 2, and calculates First, we prove that our proposed method achieves the secu- = φ ∈ G Q1 (Q2) 1. rity requirement in the black-box model. According to exist- ∈ Z c. Randomly selects s p,setss as the mas- ing security model [12], [13], [29] for the identity-based sig- = = ter secret key, and calculates R sQ2 and g natures, an identity-based signature scheme is existentially , e(Q1 Q2). unforgeable under adaptive chosen-message attacks. d. Sets params = (R, g, Q1, Q2, G1, G2, G3, e). Definition 6. If an IBS scheme is existentially unforgeable 2. Extract: Taken as input a user’s identity ID,theKGC under adaptive chosen message and identity attacks, then outputs the user’s private key as follows: for any P. P. T adversary A who interacts with a challenger a. Computes the identity element hID = H1(ID) C will play the game as follows: where h ∈ Z . ID p 1. C executes Setup algorithm to produce the system pa- b. Outputs K = (h + s)−1Q . ID ID 1 rameters, then returns it to A. 3. WhiteBoxKeyGen: Taken as input the user with the 2. A performs the two queries as follows: IEICE TRANS. INF. & SYST., VOL.E103–D, NO.2 FEBRUARY 2020 192

a. Query on Extract oracle. On input an identity ID, Table 1 Lookup table for ui C outputs a private key which corresponds to the Index x1 identity ID. 1 g 2 gx2 b. Query on Sign oracle. On input an identity ID ··· ··· and a message m, C outputs a signature which i gxi corresponds to the ID’s private key. ··· ··· k gxk 3. A outputs the tuple (ID∗, m∗,σ∗), where such ID∗ have never been queried to Extract oracle, and (ID∗, m∗) have never been queried to Sign oracle. If Verify ac- Table 2 Lookup table for Xi ∗ ∗ ∗ cepts (ID , m ,σ ), then A wins the game. Index 1 x K A 1 ID can win this game with a negligible advantage. 2 x2KID ··· ···

Lemma 1. [13] Given an adaptively chosen message and i xiKID A A ··· ··· the identity to the attacker , can make qhi queries to the oracle H1 and the oracle H2,qs queries to the signing ora- k xk KID cle. Within the time bound t, if A can produce a forgery with the advantage ≥ 10(q + 1)(q + q )/2n, then there exists s s h2 Table 3 Lookup table for Y another algorithm B which can solve the q-SDHP problem i Index with the advantage t ≤ 120686q t/. h2 1 KID + y1KID 2 2KID + y2KID Proof. In order to apply the forking lemma [30],forthe ··· ··· 2 q P. P. T B , , , ,..., i−1 algorithm , on input (P Q xQ x Q x Q), it ﬁnds i 2 KID + yiKID a pair (c, 1 P). Similar to the proof in [13], B computes ··· ··· c+x q−2 i 1 256 2255K + y K diψ(x Q) = G, where G is the generator of G1. ID 256 ID i=0 x+ωi Firstly, B initializes l a counter, and sets l = 1, then executes A on the input (H , ID∗), where H ∈ G is the pub pub 2 Table 4 Lookup table for vi public key. Index 1 gy1 • H1-queries: On input an identity ID ∈{0, 1},ifID = y2 ∗ B ∗ ←−r Z∗ 2 g ID , then selects w p randomly and returns it. ··· ··· r y Otherwise, B selects w ←− Z∗ randomly, sets w = w , i g i l p l ··· ··· and answers w together with the increments l. Then, B 256 gy256 stores (ID, w) in the list L1. • Key extraction queries: For an input ID ID∗, B searches the list L1 and recovers the pair (ID, w), then ∗ 1 σ = ∗ G. / + w +x computes (1 (x w))G and returns it. Therefore, if A can forge a signature with the advan- • Sign queries: For an input tuple (m, ID), B ran- n tage ≥ 10(qs + 1)(qs + qh )/2 in time t, then, B can solve ←−r G ←−r Z∗ = 2 domly selects S 1, h p, and computes u q-SDHP within time t . −h e(S, H1(ID)H+Hpub)e(G, H) , then sets H2(m, u) = h, if H2(m, u) is already set, then B aborts. 5.2 White-Box Security Analysis If the adversary A has no knowledge of the private key, , , but he still can simulate the tuple (u h S ), then there exists a We proved that our proposed method is existentially un- A A P. P. T algorithm which can employ to generate two sig- forgeable under chosen-message attacks in the previous sub- , , , , , , natures (m u h1 S 1) and (m u h2 S 2) where h1 h2 with section. Now, we analyze the white-box security of our the time t ≤ 120686 t/. Both signatures can pass the qh2 white-box implementation of identity-based signature in the Verify algorithm. IEEE P1363 standard. Algorithm B executes A and to generate two diﬀerent ∗ ∗ forgeries (m , u, h1, S 1) and (m , u, h2, S 2), the two messages Lemma 2. If a P. P. T algorithm can compute and obtain the ∗ m , u are the same. B searches the list L1 and gets the pair private key KID from the public parameter, then it can solve ∗ ∗ ∗ (ID , w ). Note that, w {w1,...,wq−1}, and the probabil- the DL problem. ity is at least 1−q/2n. If the two forgeries can pass the Verify algorithm, then we have Proof. In our proposed method, the public parameter in- cludes both params and white-box key – see Table 1, Ta- −1 ∗ e((h1 − h2) (S 1 − S 2), (w + x)H) = e(G, H), ble 2, Table 3 and Table 4. In the WhiteBoxKeyGen phase, KGC deletes {x1, − −1 − = 1 B ,..., } { , ,..., } A due to (h1 h2) (S 1 S 2) w∗+x G, then can extract x2 xk and y1 y2 y256 .IfaP. P. T adversary can ZHANG et al.: WHITE-BOX IMPLEMENTATION OF THE IDENTITY-BASED SIGNATURE SCHEME IN THE IEEE P1363 STANDARD 193

Fig. 3 Computation cost (in milliseconds): comparative summary Fig. 4 Time costs for messages of different sizes in the sign algorithm (in milliseconds) compute KID from Table 2 and Table 3, then it means that there exists a P. P. T algorithm A which can solve the DL problem in a non-negligible advantage. In other words, our proposed method meets the requirement of weak white-box security. Definition 7. White-Box Diversity [2]: If we encode the scheme implementation steps, and can count the possible encoded steps, then this is the white-box diversity. The greater the diversity value, the safer the scheme. In our white-box implementation of the identity-based signature scheme in IEEE P1363 standard, the diversity is + 2n log2k. Fig. 5 Time costs for messages of different sizes in the verify algorithm (in milliseconds) 6. Performance Evaluation

In this section, we implement our proposed method using for approximately 11 ms and 8 ms in white-box and black- MIRACL Cryptographic SDK [31], then we show and eval- box implementation, respectively. It takes about 19 ms in uate the implementation performance. In addition, we com- white-box implementation and 15 ms in black-box imple- pare our proposed method with the original IEEE P1363 mentation, respectively, when the length of the message is signature scheme. The implementation of our method is 1M bytes. deployed on a PC (with an Intel Xeon E3-1230 v5 proces- Similarly, shown in Fig. 5 is the time costs for the Verify sor, 12GB memory and the Microsoft Windows 10 operating algorithm. For messages less than or equal to 100K bytes, it system). The curve we used to evaluate is BN curve which takes almost 32 ms and 24 ms in white-box and black-box achieves the AES-128 security. implementation, respectively. However, when the message The comparative summary between our method and the reaches 1M bytes, the time costs for white-box and black- original IEEE P1363 scheme is presented in Fig. 3, where box implementations are respectively 41 ms and 32 ms. the black-box denotes the original scheme and the white- box is our method. Note that only WhiteBoxKeyGen algo- 7. Conclusion rithm is employed in our method, and it is executed by the KGC. Setup and Extract algorithms are same for the both White-box cryptanalysis and attacks are more crucial than schemes; thus, they are omitted from the comparative sum- black-box security in a real-world application, particularly mary. The time costs for both Sign and Verify algorithms in terms of ensuring the security of a user secret key. in the proposed and original schemes are similar, with the In this paper, we proposed a novel white-box imple- exception of the time costs for the WhiteBoxKeyGen algo- mentation for the identity-based signature scheme in the rithm. However, WhiteBoxKeyGen is executed by the KGC, IEEE P1363 standard which is efficient and secure. Specifi- so it has little effect on the user. cally, this allows us to produce a valid signature in a white- We also evaluate using messages of different lengths in box model without leaking the private key. The security both Sign and Verify algorithms. As shown in Fig. 4, the analysis demonstrated that our method can meet the white- lengths of the messages used are 1byte, 32bytes, 1K bytes, box security requirement. According to the performance 10K bytes, 100K bytes and 1M bytes. With the exception of evaluation, our proposed method showed that it is poten- the message of 1M-byte in length, the messages are signed tially useful in the industrial area and the real world appli- IEICE TRANS. INF. & SYST., VOL.E103–D, NO.2 FEBRUARY 2020 194 cations. clouds,” IEEE Systems Journal, vol.13, no.2, pp.1478–1486, June In the future, we intend to conduct a more compre- 2019. hensive evaluation, for example using popular consumer de- [15] IEEE Standards Association, “IEEE 1363-2000 - IEEE standard vices (e.g., a broad range of Android, iOS, Windows Phones specifications for public-key cryptography,” https://standards.ieee.org/standard/1363-2000.html, 2000. devices, as well as IoT devices). [16] O. Billet, H. Gilbert, and C. Ech-Chatbi, “Cryptanalysis of a white box aes implementation,” International Workshop on Selected Areas Acknowledgments in Cryptography, vol.3357, pp.227–240, Springer, 2004. [17] B. Wyseur, W. Michiels, P. Gorissen, and B. Preneel, “Cryptanaly- We greatly appreciate the invaluable suggestions provided sis of white-box des implementations with arbitrary external encod- ings,” International Workshop on Selected Areas in Cryptography, by the anonymous reviewers and the associate editor. The vol.4876 pp.264–277, Springer, 2007. work was supported in part by the National Key Re- [18] T. Lepoint, M. Rivain, Y. De Mulder, P. Roelse, and B. search and Development Program of China under Grant Preneel, “Two attacks on a white-box aes implementation,” Inter- 2017YFB0802500, and in part by the National Natu- national Conference on Selected Areas in Cryptography, vol.8282, ral Science Foundation of China under Grant 61572379, pp.265–285, Springer, 2013. Grant 61501333, Grant 61822202, Grant 61872089, Grant [19] A. Biryukov, C. Bouillaguet, and D. Khovratovich, “Cryptographic schemes based on the asasa structure: Black-box, white-box, and 61902070 and Grant 61972094. public-key (Extended Abstract),” International Conference on the Theory and Application of Cryptology and Information Security, References pp.63–84, Springer, 2014. [20] W. Michiels, P. Gorissen, and H.D.L. Hollmann, “Cryptanalysis of [1] S. Chow, P. Eisen, H. Johnson, and P.C. Van Oorschot, “A white-box a generic class of white-box implementations,” International Work- des implementation for drm applications,” ACM Workshop on Dig- shop on Selected Areas in Cryptography, vol.5381, pp.414–428, ital Rights Management, vol.2696, pp.1–15, Springer, 2002. Springer, 2008. [2] S. Chow, P. Eisen, H. Johnson, and P.C. Van Oorschot, “White-box [21] A. Biryukov and A. Shamir, “Structural cryptanalysis of sasas,” cryptography and an aes implementation,” International Workshop Journal of cryptology, vol.23, no.4, pp.505–518, 2010. on Selected Areas in Cryptography, vol.2595, pp.250–270, Springer, [22] J. Borghoff, L.R. Knudsen, G. Leander, and S.S. Thomsen, 2002. “Slender-set differential cryptanalysis,” Journal of cryptology, [3] J. Bringer, H. Chabanne, and E. Dottax, “White box cryptogra- vol.26, no.1, pp.11–38, 2013. phy: Another attempt,” IACR Cryptology ePrint Archive, vol.2006, [23] A. Biryukov and D. Khovratovich, “Decomposition attack on no.2006, p.468, 2006. SASASASAS,” IACR Cryptology ePrint Archive, p.646, 2015. [4] M. Karroumi, “Protecting white-box aes with dual ciphers,” In- [24] C. Delerablee,´ T. Lepoint, P. Paillier, and M. Rivain, “White-box ternational Conference on Information Security and Cryptology, security notions for symmetric encryption schemes,” Interna- vol.6829, pp.278–291, Springer, 2010. tional Conference on Selected Areas in Cryptography, vol.8282, [5] A. Orlowski, “iTunes DRM cracked wide open for GNU/Linux. se- pp.247–264, Springer, 2013. riously.” https://www.theregister.co.uk/2004/01/05/ [25] A. Bogdanov and T. Isobe, “White-box cryptography revisited: itunes drm cracked wide open/. Jan 5, 2004. Space-hard ciphers,” Proceedings of the 22nd ACM SIGSAC Con- [6] C. D’Orazio and K.-K.R. Choo, “An adversary model to evaluate ference on Computer and Communications Security, pp.1058–1069, drm protection of video contents on ios devices,” Computers & Se- ACM, 2015. curity, vol.56, pp.94–110, 2016. [26] M. Bellare, D. Kane, and P. Rogaway, “Big-key symmetric encryp- [7] T. ElGamal, “A public key cryptosystem and a signature scheme tion: Resisting key exfiltration,” Annual Cryptology Conference, based on discrete logarithms,” IEEE transactions on information the- vol.9814, pp.373–402, Springer, 2016. ory, vol.31, no.4, pp.469–472, 1985. [27] P.-A. Fouque, P. Karpman, P. Kirchner, and B. Minaud, “Efficient [8] M. Abdalla and L. Reyzin, “A new forward-secure digital signa- and provable white-box primitives,” International Conference on the ture scheme,” International Conference on the Theory and Applica- Theory and Application of Cryptology and Information Security, tion of Cryptology and Information Security, vol.1976, pp.116–129, vol.10031, pp.159–188, Springer, 2016. Springer, 2000. [28] H.E. Link and W.D. Neumann, “Clarifying obfuscation: improving [9] D. Johnson, A. Menezes, and S. Vanstone, “The elliptic curve digi- the security of white-box des,” International Conference on Infor- tal signature algorithm (ecdsa),” International journal of information mation Technology: Coding and Computing (ITCC’05) - Volume II, security, vol.1, no.1, pp.36–63, 2001. pp.679–684, IEEE, 2005. [10] A. Shamir, “Identity-based cryptosystems and signature schemes,” [29] M. Bellare, C. Namprempre, and G. Neven, “Security proofs for Workshop on the theory and application of cryptographic tech- identity-based identification and signature schemes,” Journal of niques, vol.196, pp.47–53, Springer, 1984. Cryptology, vol.22, no.1, pp.1–61, 2009. [11] F. Hess, “Efficient identity based signature schemes based on pair- [30] D. Pointcheval and J. Stern, “Security arguments for digital sig- ings,” International Workshop on Selected Areas in Cryptography, natures and blind signatures,” Journal of cryptology, vol.13, no.3, vol.2595, pp.310–324, Springer, 2002. pp.361–396, 2000. [12] J.C. Choon and J.H. Cheon, “An identity-based signature from gap [31] Miracl, “Miracl library,” https://www.miracl.com/, 2017. diffie-hellman groups,” International workshop on public key cryptography, vol.2567, pp.18–30, Springer, 2003. [13] P.S.L.M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, “Efficient and provably-secure identity-based signatures and sign- cryption from bilinear maps,” International conference on the theory and application of cryptology and information security, vol.3788, pp.515–532, Springer, 2005. [14] M. Zhang, Y. Zhang, Y. Jiang, and J. Shen, “Obfuscating eves algorithm and its application in fair electronic transactions in public ZHANG et al.: WHITE-BOX IMPLEMENTATION OF THE IDENTITY-BASED SIGNATURE SCHEME IN THE IEEE P1363 STANDARD 195

Yudi Zhang received the master’s degree Kim-Kwang Raymond Choo received from Hubei University of Technology of China, the Ph.D. in Information Security in 2006 in 2017. He is currently working toward the from Queensland University of Technology, PhD degree in the School of Cyber Science and Australia. He currently holds the Cloud Tech- Engineering, Wuhan University, Wuhan, China. nology Endowed Professorship at The Univer- His main research interests include cryptogra- sity of Texas at San Antonio (UTSA), and has a phy and information security, in particular, cryp- courtesy appointment at the University of South tographic protocols. Australia. In 2016, he was named the Cyberse- curity Educator of the Year - APAC (Cyberse- curity Excellence Awards are produced in coop- eration with the Information Security Commu- nity on LinkedIn), and in 2015 he and his team won the Digital Foren- Debiao He received the PhD degree in sics Research Challenge organized by Germany’s University of Erlangen- applied mathematics from the School of Math- Nuremberg. He is the recipient of the 2018 UTSA College of Business Col. ematics and Statistics, Wuhan University, in Jean Piccione and Lt. Col. Philip Piccione Endowed Research Award for 2009. He is currently a professor of the School Tenured Faculty, TrustCom 2018 Best Paper Award, ESORICS 2015 Best of Cyber Science and Engineering, Wuhan Uni- Research Paper Award, 2014 Highly Commended Award by the Australia versity. His main research interests include New Zealand Policing Advisory Agency, Fulbright Scholarship in 2009, cryptography and information security, in par- 2008 Australia Day Achievement Medallion, and British Computer Soci- ticular, cryptographic protocols. ety’s Wilkes Award in 2008. He is also a Fellow of the Australian Computer Society, and an IEEE Senior Member.

Xinyi Huang received his Ph.D. degree Jing Wang received the B.S. degrees in from the School of Computer Science and Soft- computer science from from Wuhan University, ware Engineering, University of Wollongong, Wuhan, China, in 2016. She is currently purs- Australia, in 2009. He is currently a Professor ing a Ph.D degree in the School of Computer at the College of Mathematics and Informatics, Science, Wuhan University, China. Her main re- Fujian Normal University, China. His research search interests include cryptography and infor- interests include cryptography and information mation security, in particular, secure cloud stor- security. He has published over 160 research age and cryptographic protocols. papers in refereed international conferences and journals.

Ding Wang received the Ph.D. degree in information security from Peking University in 2017. He is currently supported by the Boya Post-Doctoral Fellowship in Peking University, China. He has authored over 40 papers at venues like ACM CCS and IEEE TDSC, and his papers get over 800 citations. His research interests mainly focus on password-based authentication and provable security. He received the Top-10 Distinguished Graduate Academic Award from Harbin Engineering University in 2013 and Peking University in 2016.