A White-Box Implementation of IDEA

Abstract

IDEA is a classic symmetric encryption algorithm proposed in 1991 and widely used in many applications. However, there is little research into white-box IDEA. In traditional white-box implementations of existing block ciphers, S-boxes are always converted into encoded lookup tables. However, the algebraic operations of IDEA without S-boxes, make the implementation not straight forward and challenging. We propose a white-box implementation of IDEA by applying a splitting symmetric encryption method, and verify its security against algebraic analysis and BGE-like attacks. Our white-box implementation requires an average of about 2800 ms to encrypt a 64-bit plaintext, about 60 times more than the original algorithm would take, which is acceptable for practical applications. Its storage requirements are only about 10 MB. To our knowledge, this is the first public white-box IDEA solution, and its design by splitting can be applied to similar algebraic encryption structures.

1. Introduction

Among many classic symmetric encryption algorithms, the International Data Encryption Algorithm (IDEA) was jointly developed and proposed [1,2,3] in 1991. The main encryption process of IDEA includes group operations, a multiplication and addition (MA) structure, and output transformations. Its core operations are modular multiplication, modular addition, and XOR. In addition, the Feistel or SPN structure always uses the S-box as the core structure, while IDEA incorporates three different algebraic operations to replace the traditional S-box non-linear function. Due to its special structure, IDEA differs from these symmetric ciphers and is often selected as an encryption primitive in products such as VLSI and SMS messages [4,5,6].

In 2002, the concepts of a black-box model, gray-box model, and white-box model were proposed by Chow et al. in conjunction with the white-box implementation of AES [7] and DES [8]. As the color lightens, the attacker is given more powerful capabilities. In the white-box model, an attacker can fully monitor and track the contents of memory and cache during dynamic and static execution [9] (for fixed keys), modify the internal operations and memory contents of the algorithm at any time point [10], and so on. Traditional implementations of block ciphers are insecure in these scenarios, because the key simply added (XOR-ed) in the round function will be exposed directly.

More seriously, if an attacker can perform the white-box attacks on legitimate terminal devices securing information such as SMS messages, all of the high-value messages will be obtainable by the attacker. This is a critically serious security risk to both symmetric encryption and asymmetric encryption. White-box cryptography is a solution for preserving the same security level as in the black-box model, with practical significance in applications such as wireless sensor networks, mobile agents, and digital rights management [11,12,13,14,15,16]. Many companies have been working to use white-box encryption solutions, such as the secure chip of a downloadable conditional access system (DCAS) terminal [17] and whiteCryption secure key box (SKB). The latter is the first and only enterprise-ready white-box cryptography solution for web applications, launched by Intertrust company at the RSA Conference, on 24 February 2020.

In the field of white-box research, especially based on symmetric encryption, much work has been done in the design of white-box implementations [18,19,20,21,22], mostly concentrating on DES, AES, SM4, and their variants, which provide a certain degree of protection, but are still breakable [23,24,25,26,27,28]. Since the only non-linear component of the above block ciphers is S-box, a common approach of these white-box schemes is to hide the S-box in lookup tables and use random bijection to confuse inputs and outputs of the lookup tables to protect secret information (the key). As we mentioned before, IDEA has a variety of non-linear operational modes that replace the S-box component. Therefore, the key will be included in multiple non-linear operations. This special behavior brings new challenges to the design of white-box implementations.

In 2019, Lu et al. [29] proposed white-box KMAC, converting modular operations into lookup tables. Since the size of its lookup tables are relatively large and the algebraic operations are different from IDEA, it is not directly usable for implementing a white-box IDEA while preserving IDEA’s throughput. There are no other solutions for transforming algebraic operations into lookup tables, and, as far as we know, no white-box IDEA implementation has been proposed. The research into this topic is scant.

In this paper, we observe the algebraic structure of IDEA’s group operations and reduce the storage cost of the lookup tables by splitting the plaintext blocks into reasonably sized chunks. We split every arithmetic operation, multiplication modulo $(2^{16}+1)$ and addition modulo $2^{16}$, into two parts and use an affine transformation to obscure them. A Type I lookup table is created for each part, such that effective analysis is impossible. The outputs of the Type I lookup tables will be added with corresponding module. A Type II lookup table is generated by encoding the additional module results with a randomly chosen mask to eliminate leakage of key related information from unbalanced encodings. We reorganize the MA structure as four arithmetic operations, with each operation processed similarly as before. We then create a working white-box IDEA solution with adequate performance. The total storage is 10.06 MB with an average encryption time of 2786 ms (based on 50,000 encryptions of 64-bit plaintext using Java 8.0), which is about 60 times as much time as the original IDEA. Compared with other white-box implementations in

Table 1. Efficiency comparison.

Scheme	Operations 1	Delay Cost 2	Storage
white-box KMAC	32,920	375	107.7 MB
white-box AES	3104	55	580 KB
white-box IDEA	264	60	10.06 MB

¹ The operations include: lookups, XORs, and other algebraic operations. ² Times slower, compared with the cost in the black-box model (the plain algorithm).

, our solution offers satisfactory efficiency. The implementation methods that split the blocks with encoding and masks are also usable with other cryptographic primitives using algebraic operations.

The structure of the rest of the paper is as follows. In Section 2, we review the IDEA cipher along with encoding and masking techniques. We present our white-box implementation in Section 3. In Section 4, we present a performance analysis. We measure and analyze the security of the white-box IDEA in Section 5. Section 6 contains an additional discussion and our conclusions.

2. Preliminaries

2.1. Notation

We use the following notations in this paper.

⊙ multiplication mod $(2^{16}+1)$ of 16-bit integers

⊞ addition mod $2^{16}$ of 16-bit integers. During arithmetic operations of IDEA, the all-zero value is never used and is replaced by $(2^{16}+1)$ or $2^{16}$.

⊗ multiplication mod $2^{16}$ of 16-bit integers

⊕ bitwise exclusive OR (XOR of 16-bit strings)

×, −, + arithmetic operation

∥ bit string concatenation

∘ functional composition

2.2. Description of IDEA

We now describe the encryption process of IDEA. The fixed size 64-bit plaintext P is divided into four 16-bit blocks $P=(P_1\parallel P_2\parallel P_3\parallel P_4)$. The entire algorithm includes eight rounds of encryption operations plus the output transformations, with each encryption round selecting six sub-keys $Z_i^{\left(r\right)}$, $i=1,2\dots 6$, $r=1,2\dots 9$. The 128-bit initial master key is divided into eight 16-bit sub-keys from left to right, for 52 total sub-keys (eight rounds × six sub-keys + four sub-keys), generated by left shifting by 25 positions. $X_j^{\left(r\right)}$ and $Y_j^{\left(r\right)}$, $j=1,2,3\dots$, denote the intermediate values, with the final ciphertext being $C=(C_1\parallel C_2\parallel C_3\parallel C_4)$.

The eight encryption rounds are

$$\begin{array}{c}\hfill \left\{\begin{array}{c}groupoperations\left\{\begin{array}{c}{Y}_1^{\left(r\right)}=P_1^{\left(r\right)}\odot Z_1^{\left(r\right)}\hfill \\ Y_2^{\left(r\right)}=P_2^{\left(r\right)}⊞Z_2^{\left(r\right)}\hfill \\ Y_3^{\left(r\right)}=P_3^{\left(r\right)}⊞Z_3^{\left(r\right)}\hfill \\ Y_4^{\left(r\right)}=P_4^{\left(r\right)}\odot Z_4^{\left(r\right)}\hfill \end{array}\right.\hfill \\ XORoperations\left\{\begin{array}{c}{Y}_5^{\left(r\right)}=Y_1^{\left(r\right)}\oplus Y_3^{\left(r\right)}\hfill \\ Y_6^{\left(r\right)}=Y_2^{\left(r\right)}\oplus Y_4^{\left(r\right)}\hfill \end{array}\right.\hfill \\ MAstructure\left\{\begin{array}{c}{Y}_7^{\left(r\right)}=Y_5^{\left(r\right)}\odot Z_5^{\left(r\right)}\hfill \\ Y_8^{\left(r\right)}=Y_7^{\left(r\right)}⊞Y_6^{\left(r\right)}\hfill \\ Y_9^{\left(r\right)}=Y_8^{\left(r\right)}\odot Z_6^{\left(r\right)}\hfill \\ Y_{10}^{\left(r\right)}=Y_9^{\left(r\right)}⊞Y_7^{\left(r\right)}\hfill \end{array}\right.\hfill \\ XORoperations\left\{\begin{array}{c}{Y}_{11}^{\left(r\right)}=Y_1^{\left(r\right)}\oplus Y_9^{\left(r\right)}\hfill \\ Y_{12}^{\left(r\right)}=Y_3^{\left(r\right)}\oplus Y_9^{\left(r\right)}\hfill \\ Y_{13}^{\left(r\right)}=Y_2^{\left(r\right)}\oplus Y_{10}^{\left(r\right)}\hfill \\ Y_{14}^{\left(r\right)}=Y_4^{\left(r\right)}\oplus Y_{10}^{\left(r\right)}\hfill \end{array}\right.\hfill \end{array}\right..\end{array}$$

The output transformations are

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{C}_1=Y_{11}^{\left(8\right)}\odot Z_1^{\left(9\right)},C_2=Y_{13}^{\left(8\right)}⊞Z_2^{\left(9\right)}\hfill \\ C_3=Y_{12}^{\left(8\right)}⊞Z_3^{\left(9\right)},C_4=Y_{14}^{\left(8\right)}\odot Z_4^{\left(9\right)}\hfill \end{array}\right..\end{array}$$

In the group operations, the arithmetic operations, integer multiplication modulo $2^{16}+1$ (1) and integer addition modulo $2^{16}$ (2), are the core operations in IDEA:

$$\begin{array}{cc}\hfill & X_j^{\left(r\right)}\left(or{Y}_j^{\left(r\right)}\right)\odot Z_i^{\left(r\right)}=Y_j^{\left(r\right)},\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill & X_j^{\left(r\right)}\left(or{Y}_j^{\left(r\right)}\right)⊞Z_i^{\left(r\right)}\left(or{Y}_j^{\left(r\right)}\right)=Y_j^{\left(r\right)}.\hfill \end{array}$$

(2)

For integer multiplication modulo $2^{16}+1$, direct calculation is expensive. We can use a low–high algorithm to compute integer multiplication, for example:

$$\begin{array}{c}\hfill X_j^{\left(r\right)}\odot Z_i^{\left(r\right)}=\left\{\begin{array}{c}(X_j^{\left(r\right)}\times Z_i^{\left(r\right)}mod{2}^{16})-(X_j^{\left(r\right)}\times Z_i^{\left(r\right)}div{2}^{16}),\hfill \\ if(X_j^{\left(r\right)}\times Z_i^{\left(r\right)}mod{2}^{16})\ge (X_j^{\left(r\right)}\times Z_i^{\left(r\right)}div{2}^{16});\hfill \\ (X_j^{\left(r\right)}\times Z_i^{\left(r\right)}mod{2}^{16})-(X_j^{\left(r\right)}\times Z_i^{\left(r\right)}div{2}^{16})+(2^{16}+1),\hfill \\ if(X_j^{\left(r\right)}\times Z_i^{\left(r\right)}mod{2}^{16})\le (X_j^{\left(r\right)}\times Z_i^{\left(r\right)}div{2}^{16}).\hfill \end{array}\right.\end{array}$$

Thus, the low–high algorithm is available for most CPU, and invertible for the Fermat primes. The two arithmetic operations with XOR operations were added for both confusion and diffusion. The three operations on 16-bit blocks are incompatible, and they are non-associative, non-distributive, or non-isotopic.

2.3. White-Box Cryptography Techniques and Terminology

White-box cryptography is an obfuscation technique that hides the information about the key in a cryptography system. In recent developments, multi-linear mapping technology [30] and masking technology [31] have provided meaningful security guarantees.

2.3.1. Internal Encodings

A popular method for handling a fixed key is to embed it in lookup tables encoded with random bijection [7,8]. Randomness of the bijection makes it difficult for the adversary to recover the key from the encoding lookup tables.

• Encoding: X is the transformation, from m-bit to n-bit:

  $$E\left(X\right)=G\circ X\circ F,$$

  where F is a randomly selected m-bit to m-bit bijection called the input encoding, and G is a randomly selected n-bit to n-bit bijection called the output encoding. $E\left(X\right)$ is called an encoded transformation. The main purpose of constructing $E\left(X\right)$ is to obfuscate the input and output of X.
• Networked encoding: a networked encoding of the compound transformation $Y\circ X$ (Y transformation after X transformation) is

  $$Y^{\prime }\circ X^{\prime }=(N\circ Y\circ M^{-1})\circ (M\circ X\circ H^{-1})=N\circ (Y\circ X)\circ H^{-1},$$

  where N, M, and H are all bijections. The networked encoding confuses the input and output of X and Y and ensures that all the transformations are combined to be functionally equivalent to the original transformation.

2.3.2. External Encodings

An adversary’s extraction of the entire solution to another device is equivalent to possessing the encryption function of the white-box implementation [25]. One possible solution to this problem is the use of external encodings that assumes the encryption function $E_k$ is part of a more powerful environmental system $E_k^{\prime }$:

$$E_k^{\prime }=A\circ E_k\circ B^{-1},$$

where A and B are randomly selected bijective encodings that make it impossible for the attacker to calculate $E_k^{\prime }$ directly by extracting $E_k$.

2.3.3. Masking Technology

When generating the lookup table Y, for a plaintext P and secret key K, before encoding the output of E, one idea [31] is to use a mask $\alpha$ that is selected randomly to perform the XOR operation followed by use of a linear encoding L and a different non-linear encoding N to encode the output:

$$N\circ L\circ \left[E\right(P,K)\oplus \alpha ]\to Y.$$

Using the same linear encoding can protect the encryption operations and cancel the mask via a simple XOR operation.

3. White-Box Implementation of IDEA

The strategy of our solution is to split the IDEA into five parts. Each part is obfuscated and represented as a number of lookup tables. Specifically, we use randomly chosen group members and the additive inverses of ${\mathbb{F}}_{2^{16}+1}$ and ${\mathbb{F}}_{2^{16}}$ to transform the group operations to Type I lookup tables, add different masks to generate the Type II-V tables, and eliminate the masks via XOR operations with the Type II-E tables. Finally, external encodings are used to protect the initial inputs and final outputs.

3.1. Generating the Lookup Tables for Group Operations

A 64-bit initial plaintext P is split into four blocks $P=(P_1\parallel P_2\parallel P_3\parallel P_4)$. Prior to the encryption operations, encoding blocks $L_{(0,1)}$, $L_{(0,2)}$, $L_{(0,3)}$, and $L_{(0,4)}$ are used to encode the plaintext blocks. The encoding blocks are randomly chosen group members from ${\mathbb{F}}_{2^{16}+1}$ or ${\mathbb{F}}_{2^{16}}$:

$$X_1=L_{(0,1)}\odot P_1,X_2=L_{(0,2)}\otimes P_2,$$

$$X_3=L_{(0,3)}\otimes P_3,X_4=L_{(0,4)}\odot P_4.$$

We denote the four blocks of the encryption ROUND-1 as:

$$\begin{array}{cc}\hfill & (L_{(0,1)}\odot P_1\parallel L_{(0,2)}\otimes P_2\parallel L_{(0,3)}\otimes P_3\parallel P_{(0,4)}\odot P_4)\hfill \\ \hfill & =(X_1\parallel X_2\parallel X_3\parallel X_4)=X.\hfill \end{array}$$

The encoding blocks $L_{(0,1)}$, $L_{(0,2)}$, $L_{(0,3)}$, and $L_{(0,4)}$ are the external encodings to protect the initial blocks. The inputs of each encryption round are denoted as

$$X^{\left(r\right)}=(X_1^{\left(r\right)}\parallel X_2^{\left(r\right)}\parallel X_3^{\left(r\right)}\parallel X_4^{\left(r\right)}).$$

We select four group members $Q_{(r,a)}$, $a=1,2,3,4$ from ${\mathbb{F}}_{2^{16}+1}$ and four group members $P_{(r,a)}$ from ${\mathbb{F}}_{2^{16}}$ in each encryption round. We now describe the computations more concretely using the examples $X_1^{\left(r\right)}$ and $X_2^{\left(r\right)}$.

We implement the multiplication modulo (1) by splitting the 16-bit $X_1^{\left(r\right)}$ into two 8-bit parts (see Figure 1):

$$X_1^{\left(r\right)}=2^8\times X_{1-1}^{\left(r\right)}+X_{1-2}^{\left(r\right)}.$$

The two parts of $X_1^{\left(r\right)}$ are encoded by $L_{(r-1,1)}^{-1}$, which is the multiplicative inverse of $L_{(r-1,1)}$, and $Q_{(r,1)}$, resulting in: $X_{1-1}^{{\left(r\right)}^{\prime }}$ and $X_{1-2}^{{\left(r\right)}^{\prime }}$. Thus, the multiplication modulo (1) can be split into two calculations:

$$\begin{array}{cc}\hfill & X_1^{\left(r\right)}\odot Z_1^{\left(r\right)}=[(X_{1-1}^{{\left(r\right)}^{\prime }}+X_{1-2}^{{\left(r\right)}^{\prime }})mod(2^{16}+1)]\odot Z_1^{\left(r\right)}\hfill \\ \hfill & =[X_{1-1}^{{\left(r\right)}^{\prime }}\odot Z_1^{\left(r\right)}+X_{1-2}^{{\left(r\right)}^{\prime }}\odot Z_1^{\left(r\right)}]mod(2^{16}+1).\hfill \end{array}$$

We let

$$Y_{1-1}^{\left(r\right)}=X_{1-1}^{{\left(r\right)}^{\prime }}\odot Z_1^{\left(r\right)},Y_{1-2}^{\left(r\right)}=X_{1-2}^{{\left(r\right)}^{\prime }}\odot Z_1^{\left(r\right)},$$

and then we randomly select the additive inverses ($a_1$,$a_1^{\prime }$) from ${\mathbb{F}}_{2^{16}+1}$, adding them to $Y_{1-1}^{\left(r\right)}$ and $Y_{1-2}^{\left(r\right)}$, respectively:

$$\begin{array}{c}\hfill M{Y}_{1-1}^{\left(r\right)}=(Y_{1-1}^{\left(r\right)}+a_1)mod(2^{16}+1),\\ \hfill M{Y}_{1-2}^{\left(r\right)}=(Y_{1-2}^{\left(r\right)}+a_1^{\prime })mod(2^{16}+1).\end{array}$$

The operations $X_{1-1}^{\left(r\right)}(\to X_{1-1}^{{\left(r\right)}^{\prime }}\to Y_{1-1}^{\left(r\right)})\to M{Y}_{1-1}^{\left(r\right)}$, $X_{1-2}^{\left(r\right)}(\to X_{1-2}^{{\left(r\right)}^{\prime }}\to Y_{1-2}^{\left(r\right)})\to M{Y}_{1-2}^{\left(r\right)}$ are implemented as lookup tables Type I-HB1 and Type I-LB1. We can compute the final result $Y_1^{\left(r\right)}$ using $M{Y}_{1-1}^{\left(r\right)}+M{Y}_{1-2}^{\left(r\right)}mod(2^{16}+1)$.

We perform the addition modulo (2) by splitting $X_2^{\left(r\right)}$ into $X_{2-1}^{\left(r\right)}$ and $X_{2-2}^{\left(r\right)}$, but the difference is that the sub-key $Z_2^{\left(r\right)}$ is also encoded by $P_{(r,1)}$, and as a result, $Z_2^{{\left(r\right)}^{\prime }}$. The multiplicative inverse of $L_{(r-1,2)}$ along with $P_{(r,1)}$ are used to encode $X_{2-1}^{\left(r\right)}$ and $X_{2-2}^{\left(r\right)}$, resulting in $X_{2-1}^{{\left(r\right)}^{\prime }}$ and $X_{2-2}^{{\left(r\right)}^{\prime }}$. This leads to

$$\begin{array}{cc}\hfill & X_2^{\left(r\right)}⊞Z_2^{\left(r\right)}=(X_{2-1}^{{\left(r\right)}^{\prime }}⊞X_{2-2}^{{\left(r\right)}^{\prime }})⊞(2^8\times Z_{2-1}^{{\left(r\right)}^{\prime }}+Z_{2-2}^{{\left(r\right)}^{\prime }})\hfill \\ \hfill & =[X_{2-1}^{{\left(r\right)}^{\prime }}⊞(2^8\times Z_{2-1}^{{\left(r\right)}^{\prime }})]⊞(X_{2-2}^{{\left(r\right)}^{\prime }}⊞Z_{2-2}^{{\left(r\right)}^{\prime }}),\hfill \end{array}$$

where $Z_{2-1}^{{\left(r\right)}^{\prime }}$ and $Z_{2-2}^{{\left(r\right)}^{\prime }}$ are generated by splitting $Z_2^{{\left(r\right)}^{\prime }}$. We then define

$$Y_{2-1}^{\left(r\right)}=X_{2-1}^{{\left(r\right)}^{\prime }}⊞(2^8\times Z_{2-1}^{{\left(r\right)}^{\prime }}),Y_{2-2}^{\left(r\right)}=X_{2-2}^{{\left(r\right)}^{\prime }}⊞Z_{2-2}^{{\left(r\right)}^{\prime }},$$

with further additive inverses ($a_2$,$a_2^{\prime }$) from ${\mathbb{F}}_{2^{16}}$ added into $Y_{2-1}^{\left(r\right)}$ and $Y_{2-2}^{\left(r\right)}$, respectively:

$$M{Y}_{2-1}^{\left(r\right)}=Y_{2-1}^{\left(r\right)}⊞a_2,M{Y}_{2-2}^{\left(r\right)}=Y_{2-2}^{\left(r\right)}⊞a_2^{\prime }.$$

The transformations $X_{2-1}^{\left(r\right)}(\to X_{2-1}^{{\left(r\right)}^{\prime }}\to Y_{2-1}^{\left(r\right)})\to M{Y}_{2-1}^{\left(r\right)}$ and $X_{2-2}^{\left(r\right)}(\to X_{2-2}^{{\left(r\right)}^{\prime }}\to Y_{2-2}^{\left(r\right)})\to M{Y}_{2-2}^{\left(r\right)}$ are denoted as tables Type I-HB2 and Type I-LB2. The final result of the addition modulo (2) is $Y_2^{\left(r\right)}$, the result of computing $M{Y}_{2-1}^{\left(r\right)}⊞M{Y}_{2-2}^{\left(r\right)}$.

In the same way, we obtain the results $Y_3^{\left(r\right)}$ and $Y_4^{\left(r\right)}$, and have other four Type I lookup tables $X_{3-1}^{\left(r\right)}\to M{Y}_{3-1}^{\left(r\right)}$, $X_{3-2}^{\left(r\right)}\to M{Y}_{3-2}^{\left(r\right)}$, $X_{4-1}^{\left(r\right)}\to M{Y}_{4-1}^{\left(r\right)}$, and $X_{4-2}^{\left(r\right)}\to M{Y}_{4-2}^{\left(r\right)}$. Following the strategy, we transform the group operations for IDEA into eight Type I lookup tables. Figure 2 depicts them.

3.2. Incorporating Masks

In this step, we mask four outputs of group operations by randomly selecting $MAS{K}_{N1}$, $MAS{K}_{N2}\in {\left\{0,1\right\}}^{16}$. First, we offset the influences of the four group members. To do so, we design the Calculation boxes, the $C{A}_{(r,b)}$ box, $b=1,2,3,4$, to calculate the additive inverses of $[Q_{(r,a)}-1]\odot {\Gamma }_{(r,b)}$ or $[P_{(r,a)}-1]\otimes {\Gamma }_{(r,b)}$, denoted ${\Psi }_{(r,b)}$, where ${\Gamma }_{(r,b)}$ represents the four group operations (1) and (2). For example, In $C{A}_{(r,1)}$, the additive inverse of $[Q_{(r,1)}-1]\odot {\Gamma }_{(r,1)}$ is ${\Psi }_{(r,1)}$, which is calculated and applied to the $Q_{(r,1)}\odot {\Gamma }_{(r,1)}$ by performing the addition modulo:

$$[{\Psi }_{(r,1)}+(Q_{(r,1)}-1)\odot {\Gamma }_{(r,1)}]mod(2^{16}+1)=0,$$

$$({\Psi }_{(r,1)}+Q_{(r,1)}\odot {\Gamma }_{(r,1)})mod(2^{16}+1)={\Gamma }_{(r,1)}.$$

Second, we randomly select $MAS{K}_{N1}$, $MAS{K}_{N2}\in {\left\{0,1\right\}}^{16}$ to perform the XOR operations and encode the outputs using $S_{\left(r\right)}^{-1}$, $T_{\left(r\right)}^{-1}$, where $S_{\left(r\right)}^{-1}=M_{\left(r\right)}^{-1}\circ A_{(r,1)}$, $T_{\left(r\right)}^{-1}=M_{\left(r\right)}^{-1}\circ A_{(r,2)}$, $M_{\left(r\right)}$, $A_{(r,1)}$, and $A_{(r,2)}$ are all $16\times 16$ randomly selected reversible affine mappings. The overall process is shown in Figure 3.

Because the calculation of ${\Psi }_{(r,b)}$ is related to the keys, it must be invisible to users, and the application of masks is similar to adding round-keys. Thus, we use the Type II lookup table to include these two transformations.

We use $Y_1^{\left(r\right)}\to Y_{1-N1}^{\left(r\right)}$ as an example. In $CA(r,1)$, we perform the calculation $[Q_{(r,1)}-1]\odot {\Gamma }_{(r,1)}$ and then find ${\Psi }_{(r,1)}$ from ${\mathbb{F}}_{2^{16}+1}$. ${\Psi }_{(r,1)}$ is used to offset a part of $Q_{(r,1)}\odot {\Gamma }_{(r,1)}$. This calculation is

$$(Y_1^{\left(r\right)}+{\Psi }_{(r,1)})mod(2^{16}+1)={\Gamma }_{(r,1)}=Y_1^{{\left(r\right)}^{\prime }}.$$

The mask $MAS{K}_{N1}\in {\left\{0,1\right\}}^{16}$ is selected randomly, and XORed with $Y_1^{{\left(r\right)}^{\prime }}$. The composite affine mapping $S_{\left(r\right)}^{-1}$ encodes the output to obtain the result:

$$Y_{1-N1}^{\left(r\right)}=S_{\left(r\right)}^{-1}\circ \left\{[(Y_1^{\left(r\right)}+{\Psi }_{(r,1)})mod(2^{16}+1)]\oplus MAS{K}_{N1}\right\}.$$

The Type II-V1 lookup table includes the operation $Y_1^{\left(r\right)}(\to Y_1^{{\left(r\right)}^{\prime }})\to Y_{1-N1}^{\left(r\right)}$, which uses a 16-bit input and produces a 16-bit output. $Y_{1-N1}^{\left(r\right)}$ is an intermediate value, which is key-sensitive and masked as well (see Figure 4). $MAS{K}_{N1}$ is also encoded by $S_{\left(r\right)}^{-1}$, $MAS{K}_{N1}$→$E-MAS{K}_{N1}$, and denoted as Type II-M1. Note that the encode masks are stored in other security components not in our solution.

Using the same method, we use the Type II-V lookup tables to obtain $Y_1^{\left(r\right)}\to Y_{1-N1}^{\left(r\right)}$, $Y_2^{\left(r\right)}\to Y_{2-N2}^{\left(r\right)}$, $Y_3^{\left(r\right)}\to Y_{3-N1}^{\left(r\right)}$, and $Y_4^{\left(r\right)}\to Y_{4-N2}^{\left(r\right)}$. The corresponding two blocks perform XOR operations to obtain the inputs of the MA structure:

$$Y_5^{\left(r\right)}=Y_{1-N1}\oplus Y_{3-N1},Y_6^{\left(r\right)}=Y_{2-N2}\oplus Y_{4-N2}.$$

Since these XOR operations of IDEA eliminate $MAS{K}_{N1}$ and $MAS{K}_{N2}$ added in this step, the inputs of the MA structure have no masks.

3.3. Generating the Lookup Tables of MA Structure and Adding Another Masks

Although operations in MA structure are different, the four arithmetic calculations are similar to the group operations except for the number of the sub-keys (the group operations have four sub-keys, and the MA structure has two). The table type is also Type I. To encode the outputs of thebMA structure, we use $C{A}_{(r,c)}$, $c=5,6$ to offset the confusion caused by the random group members and add the other two masks to generate the Type II lookup tables. The whole process of the MA structure is shown in Figure 5.

The inputs of the MA structure are $Y_5^{\left(r\right)}$ and $Y_6^{\left(r\right)}$. $Y_5^{\left(r\right)}$ is encoded by the composite affine mapping $R_{\left(r\right)}$ to obtain $Y_5^{{\left(r\right)}^{\prime }}$, where $R_{\left(r\right)}=A_{(r,1)}^{-1}\circ M_{\left(r\right)}$, with $R_{\left(r\right)}$ stored in the encryption system. $Y_5^{{\left(r\right)}^{\prime }}$ is split into two parts, and $Q_{(r,3)}$ is used to encode them. The multiplication modulo can be performed with the sub-key $Z_5^{\left(r\right)}$, and the addition inverses ($a_5$,$a_5^{\prime }$) from ${\mathbb{F}}_{2^{16}+1}$ are added, yielding the operations $Y_{5-1}^{{\left(r\right)}^{\prime }}\to M{Y}_{5-1}^{\left(r\right)}$ and $Y_{5-2}^{{\left(r\right)}^{\prime }}\to M{Y}_{5-2}^{\left(r\right)}$, which are then recorded as lookup tables Type I-HB5 and Type I-LB5. The final result $Y_7^{\left(r\right)}$ is obtained by the calculation $M{Y}_{5-1}^{\left(r\right)}+M{Y}_{5-2}^{\left(r\right)}mod(2^{16}+1)$.

We use the composite affine mapping $T_{\left(r\right)}$ to encode $Y_6^{\left(r\right)}$, where $T_{\left(r\right)}=A_{(r,2)}^{-1}\circ M_{\left(r\right)}$. $T_{\left(r\right)}$ is also stored in the system. In particular, the addition modulo operation will be done with $Y_7^{\left(r\right)}$ rather than a sub-key. We split $Y_6^{{\left(r\right)}^{\prime }}$ into two parts and use $P_{(r,3)}$ to encode $Y_{6-1}^{{\left(r\right)}^{\prime }}$ and $Y_{6-2}^{{\left(r\right)}^{\prime }}$. ${\Phi }_{(r,1)}$ is the multiplicative inverse of $Q_{(r,3)}$ from ${\mathbb{F}}_{2^{16}+1}$ and is used to offset $Q_{(r,3)}$ on $Y_7^{\left(r\right)}$. $P_{(r,3)}$ handles it, yielding $Y_7^{{\left(r\right)}^{\prime }}$. This leads to the following calculations:

$$P_{(r,3)}\otimes (2^8\times Y_{6-1}^{{\left(r\right)}^{\prime }}+Y_{6-2}^{{\left(r\right)}^{\prime }})⊞[P_{(r,3)}\otimes ({\Phi }_{(r,1)}\odot Y_7^{\left(r\right)})]$$

$$=[P_{(r,3)}\otimes (2^8\times Y_{6-1}^{{\left(r\right)}^{\prime }})]⊞[(P_{(r,3)}\otimes Y_{6-2}^{{\left(r\right)}^{\prime }})⊞Y_7^{{\left(r\right)}^{\prime }}].$$

We then let

$$C{Y}_{6-1}^{\left(r\right)}=P_{(r,3)}\otimes (2^8\times Y_{6-1}^{{\left(r\right)}^{\prime }}),C{Y}_{6-2}^{\left(r\right)}=(P_{(r,3)}\otimes Y_{6-2}^{{\left(r\right)}^{\prime }})⊞Y_7^{{\left(r\right)}^{\prime }}.$$

The additive inverses ($a_6$,$a_6^{\prime }$) from ${\mathbb{F}}_{2^{16}}$ should be incorporated to obtain

$$M{Y}_{6-1}^{\left(r\right)}=C{Y}_{6-1}^{\left(r\right)}⊞a_6,M{Y}_{6-2}^{\left(r\right)}=C{Y}_{6-2}^{\left(r\right)}⊞a_6^{\prime }.$$

We implement the calculations $Y_{6-1}^{{\left(r\right)}^{\prime }}\to M{Y}_{6-1}^{\left(r\right)}$ and $Y_{6-2}^{{\left(r\right)}^{\prime }}\to M{Y}_{6-2}^{\left(r\right)}$ using tables Type I-HB6 and Type I-LB6. The final result $Y_8^{\left(r\right)}$ can then be calculated using $M{Y}_{6-1}^{\left(r\right)}⊞M{Y}_{6-2}^{\left(r\right)}$ (see Figure 6).

Using the same method, the second multiplication modulo in the MA structure uses ${\Phi }_{(r,2)}$ to eliminate $P_{(r,3)}$, with the output encoded by $Q_{(r,4)}$ and incorporating the additive inverses ($a_8$,$a_8^{\prime }$). From this, we obtain $Y_{8-1}^{\left(r\right)}\to M{Y}_{8-1}^{\left(r\right)}$ and $Y_{8-2}^{\left(r\right)}\to M{Y}_{8-2}^{\left(r\right)}$, implemented as the tables Type I-HB8 and Type I-LB8. The result of the calculations is $Y_9^{\left(r\right)}$. The two operations of the second addition modulo are $Y_{7-1}^{\left(r\right)}\to M{Y}_{7-1}^{\left(r\right)}$ and $Y_{7-2}^{\left(r\right)}\to M{Y}_{7-2}^{\left(r\right)}$, implemented as tables Type I-HB7 and Type I-LB7, with the calculation result $Y_{10}^{\left(r\right)}$. Finally, the outputs of the MA structure are $Y_9^{\left(r\right)}$ and $Y_{10}^{\left(r\right)}$.

After the MA structure, $MAS{K}_{K1}$ and $MAS{K}_{K2}\in {\left\{0,1\right\}}^{16}$ are selected randomly, and they differ from $MAS{K}_{N1}$ and $MAS{K}_{N2}$. After calculations of $C{A}_{(r,c)}$, the XOR operations are performed via $Y_9^{{\left(r\right)}^{\prime }}$ and $Y_{10}^{{\left(r\right)}^{\prime }}$. Note that $C{A}_{(r,c)}$ uses the same method as $C{A}_{(r,b)}$. The composite affine mappings $T_{\left(r\right)}^{-1}$ and $S_{\left(r\right)}^{-1}$ are used to encode the outputs. We then obtain the Type II lookup tables providing the masked intermediate values $Y_{10-K1}^{\left(r\right)}$ and $Y_{9-K1}^{\left(r\right)}$. The transformation of $Y_{10}^{\left(r\right)}$ can be seen in Figure 7.

3.4. Eliminating the Masks

At this point, we have six blocks: four containing the outputs of group operations and two containing the outputs of the MA structure. We perform four XOR operations to complete the original IDEA design:

$$\begin{array}{cc}\hfill & Y_{11}^{\left(r\right)}=Y_{1-N1}\oplus Y_{9-K2},Y_{12}^{\left(r\right)}=Y_{2-N2}\oplus Y_{10-K1},\hfill \\ \hfill & Y_{13}^{\left(r\right)}=Y_{3-N1}\oplus Y_{9-K2},Y_{14}^{\left(r\right)}=Y_{4-N2}\oplus Y_{10-K1}.\hfill \end{array}$$

There are two different masks for each of the four results $Y_{11}^{\left(r\right)}$, $Y_{12}^{\left(r\right)}$, $Y_{13}^{\left(r\right)}$, and $Y_{14}^{\left(r\right)}$. We remove the masks with the XOR operations and then exchange $Y_{16}^{\left(r\right)}$ and $Y_{17}^{\left(r\right)}$ (see Figure 8).

The same affine layers make it easy to eliminate the masks with table Type II-M. The outputs should be encoded by $L_{(r,1)}$, $L_{(r,3)}$, $L_{(r,2)}$, and $L_{(r,4)}$, with the intermediate values encoded by $T_{\left(r\right)}$ and $S_{\left(r\right)}$. We now show $Y_{11}^{\left(r\right)}$ as an example (see Figure 9). After two masks have been eliminated, $S_{\left(r\right)}$ is used to encode the output, producing $E{Y}_{11}^{{\left(r\right)}^{\prime }}$, and $L_{(r,1)}$ is used to process $E{Y}_{11}^{{\left(r\right)}^{\prime }}$ from ${\mathbb{F}}_{2^{16}+1}$, with a final value of $Y_{15}^{\left(r\right)}$.

Thus far, we have finished one encryption round. The other seven rounds have the same sequence of operations.

3.5. Generating the Lookup Tables for Output Transformation

The output transformation phase performs only group operations, so we also convert these computations into eight Type I lookup tables. Two corresponding tables can be used to compute $E{C}_1$, $E{C}_2$, $E{C}_3$, and $E{C}_4$, respectively. Finally, the ciphertext is

$$EC=(E{C}_1\parallel E{C}_2\parallel E{C}_3\parallel E{C}_4).$$

In particular, we regard the multiplicative inverses of $Q_{(9,1)}$, $P_{(9,1)}$, $P_{(9,2)}$, and $Q_{(9,2)}$ as external encodings embedded in other components of the computer. Using the external encodings, we obtain the same outputs as the original IDEA implementation:

$$\begin{array}{cc}\hfill & ({\Phi }_{(9,1)}\odot E{C}_1\parallel {\Phi }_{(9,2)}\otimes E{C}_2\parallel {\Phi }_{(9,3)}\otimes E{C}_3\parallel {\Phi }_{(9,4)}\odot E{C}_4)\hfill \\ \hfill & =(C_1\parallel C_2\parallel C_3\parallel C_4)=C.\hfill \end{array}$$

4. Performance Analysis

The white-box IDEA requires 68 modular additions, 48 XORs, 216 lookups, and eight composite affine mappings.

All of the arithmetic operations are transformed into Type I lookup tables, requiring $4\times (2\times 2^8\times 16)\times 8+4\times (2\times 2^8\times 16)\times 8+4\times (2\times 2^8\times 16)=65\times 2^{13}$ bits of storage. The two corresponding Type I lookup tables are synthesized (modular addition) and confused by $16\times 16$ affine transformations and 16-bit random masks. The Type II lookup tables require $4\times (2^{16}\times 16)\times 8+2\times (2^{16}\times 16)\times 8+4\times (2^{16}\times 16)\times 8=10240\times 2^{13}$ bits of storage. The storage required for eight composite affine mappings is $8\times 2\times (16\times 16+16)=4115$ bits. The total storage cost is about 10.06 MB.

We used a common laptop with an Intel^® Core(TM) i7-3630QM CPU at 2.40 GHz to test our white-box IDEA implementation written in Java 8.0. Encrypting a 64-bit plaintext 50,000 times with the original IDEA requires about 47 ms on average. Our white-box IDEA required 2786 ms on average, about 60 times slower than the plain algorithm, which is acceptable. Since our solution is the first white-box IDEA implementation, we can only compare efficiency with white-box implementations of other algorithms, such as KMAC [29] and AES [7]. As shown in Table 1, our solution offers competitive computing efficiency.

5. Security Analysis

Since the function of the S-box is replaced by algebraic operations in IDEA, the core idea of our solution is the transformation of the two arithmetic operations into lookup tables. Therefore, we conduct our security analysis on the lookup table structure of our white-box IDEA against algebraic attacks and BGE-like attacks.

5.1. Analysis of the Lookup Tables

We first analyze the Type I lookup tables using $X_1^{\left(r\right)}$ as the example. The adversary can obtain the input $X_{1-1}^{\left(r\right)}$ and the output $M{Y}_{1-1}^{\left(r\right)}$ of a single Type I lookup table. $M{Z}_1^{\left(r\right)}$ can be computed by inverse multiplication:

$$M{Z}_1^{\left(r\right)}=M{Y}_{1-1}^{\left(r\right)}\odot {\left[X_{1-1}^{\left(r\right)}\right]}^{-1}.$$

(3)

On the other hand, by combining the two Type I lookup tables to eliminate the influence of ($a_1$, $a_1^{\prime }$), we can find:

$$M{Z}_1^{{\left(r\right)}^{\prime }}=Y_1^{\left(r\right)}\odot {\left[X_1^{\left(r\right)}\right]}^{-1}.$$

(4)

Due to the randomness of ($a_1$, $a_1^{\prime }$), $Q_{(r,1)}$, and $L_{(0,1)}^{-1}$, where ($a_1$, $a_1^{\prime }$) are additive inverses and $Q_{(r,1)}$, $L_{(0,1)}^{-1}$ are group members from ${\mathbb{F}}_{2^{16}+1}$. They provide $2^{48}$ different values in (3) and $2^{32}$ probabilities in (4). Thus, there is no effective calculation or analysis of the secret key.

Another approach is the 2003 proposal from Biryukov et al. [24] that describes an algorithm for any two substitutions (S-boxes) to solve the affine equivalence problem. The $S_1$ and $S_2$ affine equivalents should satisfy the equation

$$\begin{array}{cc}\hfill & S_2\left(X\right)={\Lambda }_2\circ S_1({\Lambda }_1\circ X\oplus \alpha )\oplus \beta or\hfill \\ & S_2\left(X\right)\oplus \beta ={\Lambda }_2\circ S_1({\Lambda }_1\circ X\oplus \alpha ),\hfill \end{array}$$

where ${\Lambda }_1$ and ${\Lambda }_2$ are $n\times n$ invertible matrices, and $\alpha$ and $\beta$ are n-bit columns. The linearity of ${\Lambda }_1$, ${\Lambda }_2$ means we can check all $\alpha$, $\beta$ that satisfy the above equation to the recovered key with time complexity $O\left(n^3{2}^{2n}\right)$. The core idea of this attack is to construct the affine equivalence problem.

Since the algebraic operations replace the S-boxes, it is not possible to find the S-boxes and the linear relationship directly. However, we can regard the multiplication modulo (or addition modulo) operation as a T-box to try to find a structure equivalent to the S-box. Then, using the idea of the affine equivalence problem to attack the solution, and using the example $X_1^{\left(r\right)}$, we have

$$\begin{array}{cc}\hfill Y_{1-N1}^{\left(r\right)}=& S_{\left(r\right)}^{-1}\circ \{C{A}_{(r,1)}\circ [(Q_{(r,1)}\odot L_{(r,1)}^{-1}\odot X_1^{\left(r\right)})\odot Z_1^{\left(r\right)}]\oplus MAS{K}_{N1}\}\hfill \\ \hfill =& S_{\left(r\right)}^{-1}\circ T_1[{\Lambda }_1\otimes X_1^{\left(r\right)}]\oplus [S_{\left(r\right)}^{-1}\circ MAS{K}_{N1}].\hfill \end{array}$$

Here, we regard ${\Lambda }_1$ as a random group member from ${\mathbb{F}}_{2^{16}+1}$, $\alpha$ as a 16-bit column, and the $T_1$ box as a type of S-box representing the multiplication modulo and the operation of the $C{A}_{(r,1)}$ box. We regard the added masks as a $T_2$ box. This leads to

$$T_2\left(X_1^{\left(r\right)}\right)=Y_{1-N1}^{\left(r\right)}=S_{\left(r\right)}^{-1}\circ T_1[{\Lambda }_1\circ X_1^{\left(r\right)}]\oplus [S_{\left(r\right)}^{-1}\circ MAS{K}_{N1}].$$

We then rewrite the preceding equation as

$$T_2\left(X_1^{\left(r\right)}\right)={\Lambda }_2\circ T_1({\Lambda }_1\circ X_1^{\left(r\right)}\oplus \alpha )\oplus \beta ,$$

where $S_{\left(r\right)}^{-1}$ is represented by ${\Lambda }_2$, which is a randomly selected reversible composite affine mapping, and $S_{\left(r\right)}^{-1}\circ MAS{K}_{N1}$ is represented by $\beta$, which is actually the Type II-M1 lookup tables. Thus, we have constructed the affine equivalence problem.

In our scheme, the above equation is only similar in form to the structure of the affine equivalence problem because the operations of the T-boxes and S-boxes are different. Even if the adversary combines the Type I and Type II tables to obtain the encoded masks’ lookup tables, they also need to determine all possible ${\Lambda }_1$, ${\Lambda }_2$, and $\alpha$ to obtain the key information hidden in the $T_1$ box from the above formula.

5.2. BGE-Like Attacks

Billet et al. [23] proposed a method called BGE to attack the white-box AES designed by Chow et al. [7]. The core idea of the BGE attack is the transformation of the non-linear structure into a linear structure, construction of a linear relationship, and then use the linear relationship to determine the affine or linear encoding. The time complexity of this algorithm is $2^{22}$ at present.

The group operations of the IDEA, multiplication modulo, and addition modulo can be performed separately as non-linear $T_1$- and $T_2$-boxes, which are treated as non-linear S-boxes. We consider the group operations of one encryption round as follows:

$$\begin{array}{cc}\hfill & \left\{\begin{array}{c}M{Y}_{1-1}^{\left(r\right)}=Q_{(r,1)}\odot L_{(r-1,1)}^{-1}\odot (2^8\times X_{1-1}^{\left(r\right)})\odot Z_1^{\left(r\right)}⊞a_1,\hfill \\ M{Y}_{1-2}^{\left(r\right)}=Q_{(r,1)}\odot L_{(r-1,1)}^{-1}\odot X_{1-2}^{\left(r\right)}\odot Z_1^{\left(r\right)}⊞a_1^{\prime }.\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}M{Y}_{2-1}^{\left(r\right)}=P_{(r,1)}\otimes L_{(r-1,2)}^{-1}\otimes (2^8\times X_{2-1}^{\left(r\right)})⊞(2^8\times Z_{2-1}^{{\left(r\right)}^{\prime }})⊞a_2,\hfill \\ M{Y}_{2-2}^{\left(r\right)}=P_{(r,1)}\otimes L_{(r-1,2)}^{-1}\otimes X_{2-2}^{\left(r\right)}⊞Z_{2-2}^{{\left(r\right)}^{\prime }}⊞a_2^{\prime }.\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}M{Y}_{3-1}^{\left(r\right)}=P_{(r,2)}\otimes L_{(r-1,3)}^{-1}\otimes (2^8\times X_{3-1}^{\left(r\right)})⊞(2^8\times Z_{3-1}^{{\left(r\right)}^{\prime }})⊞a_3,\hfill \\ M{Y}_{3-2}^{\left(r\right)}=P_{(r,2)}\otimes L_{(r-1,3)}^{-1}\otimes X_{3-2}^{\left(r\right)}⊞Z_{3-2}^{{\left(r\right)}^{\prime }}⊞a_3^{\prime }.\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}M{Y}_{4-1}^{\left(r\right)}=Q_{(r,2)}\odot L_{(r-1,4)}^{-1}\odot (2^8\times X_{4-1}^{\left(r\right)})\odot Z_4^{\left(r\right)}⊞a_4,\hfill \\ M{Y}_{4-2}^{\left(r\right)}=Q_{(r,2)}\odot L_{(r-1,4)}^{-1}\odot X_{4-2}^{\left(r\right)}\odot Z_4^{\left(r\right)}⊞a_4^{\prime }.\hfill \end{array}\right.\hfill \end{array}$$

We can also consider the MA structure, obtaining the equations:

$$\begin{array}{cc}\hfill & \left\{\begin{array}{c}M{Y}_{5-1}^{\left(r\right)}=Q_{(r,3)}\odot (2^8\times Y_{5-1}^{{\left(r\right)}^{\prime }})\odot Z_5^{\left(r\right)}⊞a_5,\hfill \\ M{Y}_{5-2}^{\left(r\right)}=Q_{(r,3)}\odot Y_{5-2}^{{\left(r\right)}^{\prime }}\odot Z_5^{\left(r\right)}⊞a_5^{\prime }.\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}M{Y}_{6-1}^{\left(r\right)}=P_{(r,3)}\otimes (2^8\times Y_{6-1}^{{\left(r\right)}^{\prime }})⊞a_6,\hfill \\ M{Y}_{6-2}^{\left(r\right)}=P_{(r,3)}\otimes Y_{6-2}^{{\left(r\right)}^{\prime }}⊞Y_7^{{\left(r\right)}^{\prime }}⊞a_6^{\prime }.\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}M{Y}_{7-1}^{\left(r\right)}=[P_{(r,4)}\otimes {\Phi }_{(r,1)}\odot (2^8\times Y_{7-1}^{\left(r\right)})]⊞a_7,\hfill \\ M{Y}_{7-2}^{\left(r\right)}=(P_{(r,4)}\otimes {\Phi }_{(r,1)}\odot Y_{7-2}^{\left(r\right)})⊞Y_9^{{\left(r\right)}^{\prime }}⊞a_7^{\prime }.\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}M{Y}_{8-1}^{\left(r\right)}=[Q_{(r,4)}\odot {\Phi }_{(r,2)}\otimes (2^8\times Y_{8-1}^{\left(r\right)})]\odot Z_6^{\left(r\right)}⊞a_8,\hfill \\ M{Y}_{8-2}^{\left(r\right)}=(Q_{(r,4)}\odot {\Phi }_{(r,2)}\otimes Y_{8-2}^{\left(r\right)})\odot Z_6^{\left(r\right)}⊞a_8^{\prime }.\hfill \end{array}\right.\hfill \end{array}$$

From these eight sets of equations, we can see that the calculation methods of the $T_1$ and $T_2$ boxes are not exactly the same, meaning that a linear relationship $M{Y}_i^{\left(r\right)}=\mathcal{K}\circ Y_j^{\left(r\right)}\circ \sigma$, where $\mathcal{K}$ denotes random group members from ${\mathbb{F}}_{2^{16}+1}$ or ${\mathbb{F}}_{2^{16}}$, and $\sigma$ is a constant, which does not necessarily exist. If the linear relationship is not established, the BGE-like method cannot recover the keys.

In addition, the number of invertible matrices of order 16 is

$$(2^{16}-1)\times \prod _{j=1}^{15}\left(2^{16}-1-\sum _{k=1}^j\left(\genfrac{}{}{0pt}{}{j}{k}\right)\right)=2^{255}.$$

For white-box diversity and white-box ambiguity [7], our scheme has enough randomness to counter brute-force attacks.

In summary, although our scheme is a completely new implementation of a cryptography primitive, it is still sufficiently secure to resist ordinary algebraic analysis and BGE-like attacks.

6. Conclusions and Discussion

In this paper, we proposed a scheme to implement the white-box IDEA. We focused on the computation of two arithmetic operations in IDEA and developed a method to transform these arithmetic operations into lookup tables (Type I) and embedded four different masks to increase the resistance against white-box attacks (Type II). Our implementation presents a new approach for transforming different algebraic operations into lookup tables, and can be applied to other encryption systems with similar algebraic structures with resistance against algebraic attacks, including BGE attacks.

Since the security evaluation method of the white-box model is not as complete as in the black-box model, our future work will have two avenues. One effort will be to test other new white-box implementation methods. For example, we want to design a completely new white-box cipher with much smaller storage costs. The other will be to optimize security and robustness of this white-box IDEA implementation with the expectation that it will provide long-term protection. Since the structures of the three operations are completely different from other block ciphers, we used the relatively large lookup tables (Type II) to convert these calculations. Without the traditional S-box, there are still great difficulties and challenges in optimizing the storage costs and security of the lookup tables.