Hi, I'm Yuji Koike. In this video, I'm gonna talk about Yoroi: Updatable Whitebox Cryptography. This is joint work with Takanori Isobe.

Now, before I talk about the main point of our work, let me get started with some background. White-box cryptography is cryptography which ensures the security of the cryptographic keys in the white-box setting. In this setting, the adversary [unintelligible]. Therefore, the adversary can see the inputs, the outputs, the cryptographic algorithm, and the internal states of the algorithm. Of course, the adversary can also modify the internal states of the algorithm. This setting is very different from the ordinary black-box setting [unintelligible].

To explain further: what can the white-box adversary do? [unintelligible] For example, [unintelligible] all the states of the algorithm are modified, by means such as [unintelligible] engineering, code tampering, and other methods.

Under such assumptions, [unintelligible] white-box ciphers need key extraction security. This security is needed against key extraction attacks. In addition to key extraction security, [unintelligible] white-box ciphers need [unintelligible] security. [unintelligible] key extraction security and [unintelligible]: these two security requirements are needed.

[unintelligible] is to quantify the security level against the code lifting attack. Space hardness shows the relationship between the amount of [unintelligible] data and the corresponding security level. For instance, (T/4, 128)-space hardness means the adversary has to steal at least one fourth of the table to compute the input with a probability of more than 2 to the power of minus 128. SPNbox-16 provides this security level in terms of code lifting security. In other words, SPNbox-16, whose total table size T is 128 kilobytes, ensures sufficient security even if one fourth of the table data is
leaked to the adversary.

However, space hardness is just a mitigation of the code lifting attack. Why? Because this security notion cannot deal with continuous leakage. Even if (T/4, 128)-space hardness ensures some security level in the situation where one fourth of the table is leaked, by continuously stealing the table data, the amount of stolen data will be more than T over 4, and eventually that amount will reach T, which means the adversary will succeed in the code lifting attack in the end. This figure shows the relationship between time and the corresponding security level Z when considering the leakage of a certain amount on a daily basis. It shows that the security level drops constantly to 0.

So what can we do about it? Well, as a countermeasure, it is natural to think that we update the secret key, or the table in this context. However, this countermeasure would come with two disadvantages. First, this countermeasure will need a lot of computational cost. And second, it will increase security risk. In the following slides, I will talk about these disadvantages in more detail by taking a mobile payment application as an example.

So a mobile payment application is a typical application in which white-box cryptography is applicable. In this context, a white-box cipher is used to protect payment credentials by encrypting them. In this example, let's say SPNbox-16, whose table size is 128 kilobytes, is used to protect them. And the adversary is insidiously staying in the system and continuously steals the table data for SPNbox-16 little by little. In this case, SPNbox-16 has the property of (T/4, 128)-space hardness. So even if table data of 32 kilobytes is stolen by the adversaries, SPNbox-16 can ensure sufficient security. However, the problem is after the leakage amount reaches T over 4. If we do nothing, then the security level drops as shown in the upper right figure. So in order to ensure constant security, it is necessary to update the table before the leakage amount reaches T over 4. However, this causes us two
problems, which are computational cost and security risk.

First of all, regarding the computational cost, updating the table means it requires re-encryption of the payment credentials. When updating the table, first it is necessary to decrypt the encrypted credentials with the old table and then encrypt the credentials again with a new table. This encryption is an additional cost to avoid if possible.

Second, when it comes to security risk, re-encryption gives more chance for the adversary to see the payment credentials in plaintext form. Right after the decryption of the encrypted credentials with the old table, they are in plaintext form. So if the adversary stays in the system, it is possible to see them.

So in order to solve these problems, we believe white-box ciphers would need a new property, which ensures constant security while maintaining the same functionality under continuous leakage. Because a cipher with this property would provide constant security even in the situation of continuous leakage. What's more, since a cipher with this property can maintain the same functionality, it wouldn't need re-encryption. And we define this new property as Z-longevity. The formal definition is in our paper, so if I talk about the definition of longevity in a more casual way, then I would say a cipher with longevity ensures that, even in the situation of continuous leakage, the upper bound of the success probability for the code lifting attack is less than 2 to the power of minus Z, while keeping the same functionality at every single point. This property deals with continuous leakage, and as a result, Z-longevity can enhance code lifting security.

In order to ensure Z-longevity, we designed a new cryptographic scheme, which can maintain the same functionality even after table updates. By table updates, this scheme aims to ensure constant security, and by keeping the same functionality, it can get rid of re-encryption. In the following slides, I will discuss our approach for the design in more detail
step by step.

So white-box ciphers are basically table-based ciphers, which means they simply look up in the tables repeatedly for encryption and decryption, just like the figure on the left. In order to keep the same functionality even after table updates, we put another encryption algorithm, E_Ki, and the corresponding decryption algorithm, D_Ki, between tables, just like the figure on the right. And then we combine one table and E_Ki to create T_i1, and combine one table and D_Ki to create T_i2. With this approach, the functionality of the algorithm on the right and the one on the left are equivalent, because E_Ki and D_Ki on the right are cancelled out. Also, by updating the key, K_i, for E_Ki and D_Ki, and creating different tables, the algorithm on the right can keep the same functionality even after the table updates.

However, in reality, white-box ciphers are much more complicated. For instance, there might be an MDS linear layer between table lookups in the algorithm, so that it can ensure diffusion. In this case, putting E_Ki and D_Ki between tables cannot keep the same functionality, because once the output of E_Ki goes through the MDS linear layer, the value of the output will be changed, and the changed output cannot be decrypted by D_Ki successfully. In other words, this MDS linear layer prevents E_Ki and D_Ki from being cancelled out.

So, in order to solve this problem, we split the output of the table lookup into two parts. In this approach, one part skips the MDS layer, and the other part goes through it. With this approach, E_Ki and D_Ki are successfully cancelled out. And we can ensure that the functionality on the left and the one on the right are equivalent. Also, even after updating the key K_i for E_Ki and D_Ki, the functionality remains equivalent.

So, the essential approach is to update the key K_i for E_Ki and D_Ki, so that it can update tables T_i1 and T_i2, and keep the same functionality. In addition, in order to maintain the same functionality, we split the output into two parts. One part goes through E_Ki, and then directly goes to D_Ki. And the
other part goes through the MDS layer, and goes to another table lookup. Now, what's important is that the key of the underlying cipher for S remains unchanged. These approaches help to keep the same functionality.

So, based on these approaches, we constructed Yoroi, which is composed of five elements. First, the table S_i, which is based on the dedicated block cipher for SPNbox, with a different key for S_1, S_2, and S_3. Second, E_Ki and D_Ki; in our construction, small-scale AES or small-scale PRESENT are suitable. And an affine layer and an MDS matrix layer. It is important to note that the output of E_Ki never goes through these layers, so that it can keep the same functionality even after the table updates. And finally, ten-round AES in the last round. The reason why we put this AES layer is that this simplifies the security evaluation in the black-box setting.

Based on these elements, we constructed two variants, which are Yoroi-32 and Yoroi-16. They both take 128-bit data as an input. When it comes to Yoroi-32, each table takes a 32-bit input, and the output of the table lookup is split into two parts. One is 28 bits long, and the other is 4 bits long. The total number of rounds for Yoroi-32 is 16. And regarding the MDS layer, we used a cyclic matrix, which is used in PICOR.

Now, let me discuss security in the standard black-box setting. In this setting, the adversary is allowed to observe inputs and outputs of the cryptographic algorithm. In this case, the security of Yoroi in the black-box setting is reduced to the security of AES, because Yoroi has ten-round AES in the last round.

When it comes to security in the white-box setting, where the adversary is allowed to observe inputs, outputs and the internal states of the cryptographic algorithm, there are two requirements. First, regarding key extraction security of Yoroi, at least it is reduced to the key recovery problem for the underlying cipher of SPNbox in the black-box setting. This is because even if the adversary can see the internal states, what she can see is inputs and outputs of the table, which are
inputs and outputs of the underlying ciphers. Moreover, the partial output is also encrypted by another encryption algorithm. So, at least key extraction security in the white-box setting is reduced to the underlying block cipher for the table.

Also, regarding the code lifting security, in order to ensure (T/4, 128)-space hardness, which the existing ciphers provide, 8 and 16 rounds should be enough for Yoroi-16 and Yoroi-32, respectively. Please refer to our paper for how to actually evaluate the code lifting security if you are interested.

Now, let me talk about what's missing in the existing ciphers. In other words, longevity. When we consider continuous leakage, longevity is useful. Let me take Yoroi-32 as an example, and let's say 24MB of the table data is leaked on a daily basis. Then, as shown in the figure, the security level drops to 2 to the power of minus 128 in 512 days. At this point, by updating tables, it can keep this security level for longer. So, by repeating the table updates at proper timings, Yoroi-32 can maintain this security level, which means Yoroi-32 can ensure 128-longevity.

Finally, let me talk a little bit about the performance of Yoroi. We measured the single encryption performance and the parallel encryption performance of Yoroi, and compared them with those of the existing ciphers. The base of our comparison is the table input space. In other words, we compared Yoroi-32 with SPNbox-32, WhiteBlock-32, SPACE-32, and Galaxy-32, and compared Yoroi-16 with SPNbox-16, WhiteBlock-16, SPACE-16, Galaxy-16, and WEM, from the perspective of encryption performance. For the details of the measurement environment, please refer to our paper.

Now, what the performance results show as a whole is that Yoroi is competitive with the other existing ciphers, while it can ensure the new property called longevity. For instance, the comparison of Yoroi-16 with the other ciphers tells us that even though Galaxy-16 is the fastest, Yoroi-16 is competitive with it.

In conclusion, in this work, we proposed and defined a new property called longevity
for white-box ciphers. And we proposed a new design of white-box cipher called Yoroi, which ensures longevity and is as fast as the existing ciphers in terms of encryption performance. Thank you.
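
The following is an added example, not code from the talk or the paper: a toy Python model of the update idea described in the talk, where E_K is folded into one table and D_K into the next, and only the part of the table output that bypasses the linear layer is encrypted. Everything in it is an assumption made for illustration: a 16-bit state of two bytes, seeded shuffles standing in for the keyed ciphers, an XOR mix standing in for the MDS layer, and all function names.

```python
import random

def perm(seed, n):
    """Seeded permutation of range(n): toy stand-in for a keyed cipher."""
    p = list(range(n))
    random.Random(seed).shuffle(p)
    return p

def inverse(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return inv

# Underlying 8-bit tables; their keys never change across updates.
S1, S2 = perm("S1-key", 256), perm("S2-key", 256)

def mix(a, b):
    """Toy invertible linear layer on two nibbles (stand-in for the MDS layer)."""
    return a ^ b, a

def round_pair(t1, t2, w0, w1):
    """Table lookup, linear layer on the high nibbles only, table lookup."""
    y0, y1 = t1[w0], t1[w1]
    h0, h1 = mix(y0 >> 4, y1 >> 4)
    return t2[(h0 << 4) | (y0 & 15)], t2[(h1 << 4) | (y1 & 15)]

def build_tables(k, split=True):
    """Fold E_K into T1 and D_K into T2 for update key k.
    split=True: E_K covers only the low nibble, which bypasses mix().
    split=False: naive variant, E_K covers the whole byte."""
    e = perm(f"E-{k}", 16 if split else 256)
    d = inverse(e)
    if split:
        t1 = [(y & 0xF0) | e[y & 15] for y in S1]
        t2 = [S2[(w & 0xF0) | d[w & 15]] for w in range(256)]
    else:
        t1 = [e[y] for y in S1]
        t2 = [S2[d[w]] for w in range(256)]
    return t1, t2

def equivalent(tables):
    """True if the updated tables compute the same function as plain S1/S2."""
    return all(round_pair(*tables, a, b) == round_pair(S1, S2, a, b)
               for a in range(256) for b in range(256))

if __name__ == "__main__":
    old, new = build_tables(1), build_tables(2)
    print(old != new, equivalent(old), equivalent(new))
    print(equivalent(build_tables(3, split=False)))
```

Table data leaked under update key 1 does not match the tables built under key 2, yet ciphertexts produced before the update stay valid, so no re-encryption is needed; the naive variant shows why the linear layer forces the split.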