White Box Implementations Using Non-Commutative Cryptography

Abstract

In this paper, we present a method to create a safe arithmetic that can be used to obfuscate implementations that require operations over commutative groups. The method is based on the structure of the endomorphisms of certain extensions of the original commutative group. The endomorphisms of a commutative group are non-commutative (in general), thus we can use a non-commutative group to emulate the arithmetic of a commutative one. The techniques presented in this paper are very flexible and the programmer has a wide variety of options to obfuscate the algorithms. The system can be parameterized using conjugations, thus it is possible to generate a different arithmetic for each instance of the program with a change in the security parameters, even in cases in which this number is huge (for example, in IoT applications). The security of this method is based not only on the difficulty of the conjugacy search problem (in a harder version because only partial information about the groups is known by the attacker), but also in a number of extra options that can be chosen by the programmer. The paper explains the general method, analyzes its algebraic properties and provides detailed examples based on the vector spaces over ${\mathbb{F}}_2$ and XOR operators.

1. Introduction

The most traditional framework for cryptography is a pair of users, Alice and Bob, where Alice wants to send a message m to Bob through a communication channel. Alice and Bob live in secure bubbles, but the outside world is insecure and other users can be listening to the channel, therefore they agree to two functions E and D such that $D(E(m))=m$ and instead of sending m, Alice sends $E(m)$. Bob knows the function D and can compute $m=D(E(m))$ but any listener through the insecure channel would get $E(m)$ and this information is useless without the function D. The functions E and D can be parameterized by a value k (the key) such that the algorithms can be made public and, if the value k is kept safe, the communication is secure.

This framework (the channel is insecure but the functions E and D are computed in a safe environment) is not valid in many real life situations. Consider the following examples:

• A sensor network with multiple nodes in which an attacker could have full access to some of  them
• A virus or an intruder getting valuable information from a running system
• Cloud or fog computations in which the environment is not completely safe due to malicious nodes or vulnerabilities such as Meltdown, Spectre, etc.
• Content providers broadcasting encrypted data to users that could try to obtain decryption keys to illegally distribute them to other users
• Computer games with limited licenses that could be manipulated by the users to obtain upgraded versions for free

As we can see in these examples, the sensitive information can be the data used in the computation or even the algorithm itself. White box cryptography assumes that the attacker has full access to the hardware and software, and even in that insecure environment, the obfuscated software would not provide sensible information to the attacker.

To define clearly which information is available to the attacker and which design parameters are not visible, we consider that an obfuscated implementation has public and private elements. The code itself is one of these public elements. A system is considered safe if the private elements cannot be (easily) recovered using the public information. Although all the techniques explained in this paper can also be used to hide the algorithm, we consider the worst case in which the attacker knows the algorithm that is implemented.

This case is usually considered in white box cryptography, for example safe implementations of the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) have been a major target in the development of white box cryptography.

One of the first proposals for DES, made by Chow et al. in [1], attracted great interest, although it was almost immediately broken by Jacob et al. in [2] and Goubin et al. in [3]. Chow et al. also proposed a white-box implementation for AES in [4], broken by Billet et al. in [5]. The algorithms for DES and AES share a similar structure, they have several rounds with combinations of affine transformations, XOR operators and S-boxes. A general attack over this kind of algorithms applied to cases different from DES and AES was given by Michiels et al. in [6]. Another attack based on this structure was given by Biryukov et al. in [7].

One standard technique used in white box cryptography when we have an addition is to spread the information into pieces (called shares) that are combined using the addition and some hidden linear transformations. For example, suppose that a vector v is represented by two vector $v_1$ and $v_2$, and we have secret linear transformations $e_1$ and $e_2$ such that $v=e_1(v_1)+e_2(v_2)$. The attacker can see $v_1$ and $v_2$ but $e_1$ and $e_2$ remain secret. If $w=e_1(w_1)+e_2(w_2)$ is the representation of another vector, we know that $v+w=e_1(v_1+w_1)+e_2(v_2+w_2)$, thus the program can compute additions without revealing $e_1$ and $e_2$. The problem is that the combination of these techniques with nonlinear transformations (S-boxes) can be analyzed to recover information.

A milestone in the history of white box cryptography was the WhibOx challenges that took place in 2017 (see [8]). In this contest, the developers created white box implementations of the advanced encryption standard (AES) following certain rules. The result was that the 94 challenges presented were broken 877 times. All of them were broken, in many cases using known techniques including the ones published in the previously mentioned examples. These kinds of breaks were done in a short period of time. Only 21 required more than one day to be broken for the first time. In general, those were the ones that required more special and unpublished attacks.

The second most resistant implementation on that contest is based on some of the ideas presented in this paper, although this paper is not about that implementation because the method presented in this paper is more sophisticated and it is not limited to the conditions of that contest. More details about the challenge and the attack made to the first implementation can be seen in [9,10].

It is possible to consider several approaches to white-box implementations. One of them is to consider an algorithm as a boolean circuit and implement methods for the basic boolean operators. This  is the idea presented in [10]. In this paper, we assume that the algorithm requires an obfuscated arithmetic over a commutative group V. Vector spaces are commutative groups and they are our main examples, but the theoretical construction is done in general. The role played by square matrices in the case of vector spaces, is played by the endomorphisms $e:V\to V$ in the case of commutative groups.

To represent the elements, we combine endomorphisms and values in V, but instead of having invisible operators $e_i$ and visible values $v_i$, we have visible information related with the operators $e_i$ and invisible values $v_i$. There are many advantages in this new approach. First, we can have a huge number of endomorphisms even in small cases, for example a vector space with $2^8$ vectors has $2^{8^2}=2^{64}$ matrices and we only need a small number of them to represent all the vectors, thus we have a lot of freedom to choose the ones to be used. The actual matrices need not be revealed, only how they operate, and many subsets can have identical operation tables. Moving the representation from V to the side operators is a kind of nonlinear transformation similar to a logarithm. This non-linearity avoids the standard attacks based on linearity and new layers of security can be applied without risk. The problem is that we cannot apply the linearity to compute the addition, thus we have to learn how to add using this new representation. This can be done by introducing new operators that are different from traditional ones. This new arithmetic is also an advantage because it can be parameterized by choosing different subsets of transformations (something similar to having a free choice for the base of the logarithms). The new operators also require smaller tables than the standard ones because the growth of the tables is linear and not quadratic. Finally, the use of non-commutative subgroups given by endomorphisms forces the attacker to solve the conjugacy search problem (CSP), which is considered hard even for quantum computers; thus, systems based on non-commutative groups can be considered as post-quantum cryptosystems. Several protocols and cryptosystems have been developed in recent years based on non-commutative groups (see, for example, [11]).

This paper is structured as follows. After this Introduction, the theory is explained in two steps. The main public and private elements of the theory are explained in Section 2. The second step is given in Section 3, in which we show some mathematical properties of the theory that can be used for an attacker to analyze the system and protections against them. The method is discussed in Section 4. In that section, we include information about use cases and further applications, especially to IoT. In Section 5, we show a big example with the most advanced features. The conclusions are in Section 6. Section 7 has information about patents related with this research. Finally, the paper has two appendices. Appendix A gives some basic mathematical terminology that is used in the paper. Appendix B contains a small obfuscated implementation using the techniques explained in the paper, written in full detail.

2. Private Arithmetic (Basic Version)

In this section, we describe the mathematical structure of an obfuscated implementation using a private arithmetic. Cryptography and cryptanalysis are in many cases “cat-and-mouse” games, in which the cryptographer tries to mislead the attacker by breaking the original rules and the attacker also tries methods that were not originally considered by the cryptographer in order to analyze the system and reveal the secret information.

The intention of this section is to give the definitions that explain the structure of the proposed obfuscation in a logical way. However, these definitions and procedures can be made more flexible to include some traps or difficulties to the attacker. Examples of these traps could be that not all the elements of a group are used in actual computations and we can include some misbehavior in these elements. In this example, we cannot say that A is a commutative group if there are two elements in A that do not have a correct multiplication. These special cases are a nightmare for explanations and we have decided to start with a basic version without tricks and we consider them in Section 3.

The objective of this theory is to obfuscate algorithms or data used in mathematical computations. The computations take place in a commutative group V that is called the external commutative group. This group is considered public.

The idea behind the technique that we explain is to use another commutative group M that is called the internal commutative group to make the internal computations. This group is private and, in fact, is not visible in the implementation. The operations in M are done using tables that do not provide the usual group addition, but certain information that is used to compute other non-standard operators.

In this section, the relation between M and V is simple; we have a projection $p:M\to V$. This is a surjective group homomorphism and every element $v\in V$ is represented using values $m\in M$ such that $p(m)=v$. This relation is much more complex in the non-basic version given in Section 3.

The tables and methods that let us compute with the elements of M are called internal arithmetic. We call external arithmetic any computation that requires the actual value in the external group V and not only the value over M. A private arithmetic is a combination of an internal and an external  arithmetic.

A critical point in the program is a place at which the actual value in V has to be used for the computation. For example, the input and the output of the program are critical points. The  computations that take place in between are called connected components. A more detailed explanation about the connected components is provided in Section 2.10.

We decompose the analysis in two parts: first we analyze the internal arithmetic. This arithmetic can be used for several implementations. The elements of the internal arithmetic are:

• Public:

  -

  Public Group (G)

  -

  Heading Spaces (X)

  -

  G-structure of the heading spaces $(G\times X\to X$)

  -

  Reduction Maps ($r:X\to Y$)

  -

  Dissolving Maps ($D:X\to G^n$)

• Private:

  -

  Internal Commutative Group (M)

  -

  Correspondence between heading spaces and valid elements (${\pi }_X$)

  -

  Extended Arithmetical Group ($H{⋊}_{\phi }G$)

  -

  Action of $H{⋊}_{\phi }G$ on M.

  -

  Base points (B)

The second part is the elements that depend on the implementation and the group V (the external arithmetic). Its elements are:

• Public:

  -

  The external commutative group V

  -

  The program

  -

  Input Tables

  -

  Output Table

  -

  Tables for non-linear operators

• Private:

  -

  Control values and deals

  -

  Extra affine transformations

We have already mentioned the external commutative group V and the internal commutative group M; the rest of the elements are analyzed in different subsections.

2.1. Public Group G (Public)

The arithmetic is ruled by a group G. This group is given up to isomorphism. Therefore, it is possible to give it with its multiplication table or with any other representation that let us compute with the elements of the group. The group G is in general non-commutative.

2.2. Extended Group $H{⋊}_{\phi }G$ (Private)

We select a second group H and a group homomorphism $\phi :G\to \mathsf{Aut}(H)$ to build the semi-direct product of the groups, $H{⋊}_{\phi }G$. The group G is public, but the extension of the group to $H{⋊}_{\phi }G$ is not.

2.3. Representation of $H{⋊}_{\phi }G$ Using Endomorphisms of M (Private)

One of the most critical points in the security of the obfuscation is how the values of $H{⋊}_{\phi }G$ operate over the elements of M. This requires a group homomorphism $\psi :H{⋊}_{\phi }G\to \mathsf{Aut}(M)$. This is known in the literature as a representation of the group $H{⋊}_{\phi }G$ on M, but, in this paper, we use also the word representation for other constructions, for example the representation of an element of V using elements of M, or the representation of elements in M with other arithmetical expressions; therefore, we use the more generic term action of $H{⋊}_{\phi }G$ on M, which is used when M has no additional structure, but is valid in general.

The group G is a subgroup of $H{⋊}_{\phi }G$, thus the action $\psi$ also induces an action of G on M.

Given two actions $\psi ,{\psi }^{\prime }:H{⋊}_{\phi }G\to \mathsf{Aut}(M)$, these are equivalent if there exists a group automorphism $t:M\to M$ such that ${\psi }^{\prime }(u)=t^{-1}\psi (u)t$ for all $u\in H{⋊}_{\phi }G$.

Equivalent actions generate different arithmetics using the same groups. Their similar structures make them difficult to recognize for an attacker.

We next present an example of these kinds of constructions. Let $M={\mathbb{F}}_2^4$ and $h=\left[\begin{array}{cccc}1& 1& 0& 0\\ 1& 0& 0& 0\\ 0& 0& 1& 1\\ 0& 0& 1& 0\end{array}\right]$ and $g=\left[\begin{array}{cccc}0& 1& 0& 0\\ 1& 0& 0& 0\\ 0& 0& 0& 1\\ 0& 0& 1& 0\end{array}\right]$.

Let G be the group generated by the matrix g and H the group generated by h. In this case, G has 2 elements and H has 3. The group H has a nontrivial automorphism $\tau :H\to H$ given by $\tau (h)=h^{-1}$ and one possible homomorphism $\phi :G\to \mathsf{Aut}(H)$ would be $\phi (g^i)={\tau }^i$. The semi-direct product $H{⋊}_{\phi }G$ is a group of six elements and $\psi :H{⋊}_{\phi }G\to \mathsf{Aut}(M)$ is given using the matrices g and h that we have defined previously.

The group $\mathsf{Aut}(M)$ is the group of invertible matrices $4\times 4$ over ${\mathbb{F}}_2$. This group has 20,160 elements and, using invertible matrices t to generate other actions equivalent to $\psi$, we get 540 essentially different actions of $H{⋊}_{\phi }G$ on M.

2.4. Heading Spaces (Public)

A heading space is a set X with an action $G\times X\to X$. It is not even necessary that the set X has an additive structure; it can be any set that could be operated with the elements of G. We can have one or more heading spaces.

In this paper, we see several examples of heading spaces. We can have an additional structure on X, but it is not used; only the multiplication of the elements of G by the elements of X is relevant. It is also possible to have a set X with some values that are not really used in the computation. If this happens, we consider in this section that the real heading space is the subset of X given by the orbits actually used in the computation with legitimate values.

It is always possible to have heading spaces for any number of orbits. If we want to have n orbits, we can use the heading space $X=G\times \{1,2,\cdots ,n\}$ with the action $G\times X\to X$ given by $g·(g^{\prime },i)=(g{g}^{\prime },i)$ for all $g,g^{\prime }\in G$ and all $i\in \{1,2,\cdots ,n\}$. It is also possible to use any other set X with an action for the group G.

Definition 1.

A head is a pair $(h,x)$ where x is in a heading space and $h\in H$. The value h is called the H-modifier of the head. The elements in the program is represented using heads, but the only visible element is the element $x\in X$. The H-modifier is known by the compiler or the programmer, but it is not visible during the computation.

2.5. Correspondence between Heads and Elements of M (Private)

For every heading space X, we have a map ${\pi }_X:X\to M$ such that ${\pi }_X(gx)=g{\pi }_X(x)$ (a map between G-gets with this property is called a G-map).

We say that an element $m\in M$ is represented by the head $(h,x)$ if $m=h{\pi }_X(x)$. In this section, all the elements of M should be representable by heads for any heading space X; therefore, ${\pi }_X:X\to M$ should be surjective.

To get this surjectivity, we have to analyze the orbits of M and get a subset of representatives, $M_0\subseteq M$ such that $M={\cup }_{m\in M_0}Gm$. For these elements m, we need to get values in X such that ${\pi }_X(x)=m$, but this cannot be done without some restrictions.

Let m be an element of $M_0$ and suppose $x\in X$ satisfies ${\pi }_X(x)=m$. Let $G_m=\{g\in G:gm=m\}$ and $G_x=\{g\in G:gx=x\}$ be the stabilizers of these elements. The condition ${\pi }_X(x)=m$ implies that, for all $g\in G_x$, $g{\pi }_X(x)={\pi }_X(gx)={\pi }_X(x)=m$, therefore $g\in G_m$. This proves that the element $x\in X$ that represents m should satisfy the condition for the stabilizers $G_x\subseteq G_m$. This is in fact the only condition required.

If we use a heading space of the type $G\times \{1,2,\cdots ,n\}$, the values $(1,i)$ always have a trivial stabilizer $G_{(1,i)}=\{1\}$ and this is contained in any possible stabilizer $G_{um}$. In this case, we can pick any index i to represent the elements of the orbits $G_{um}$ without restriction.

2.6. Base Points (Private)

We fix a set with one or more elements $B\subseteq M$. They are called base points.

Definition 2.

A link is a triple $(h,g,b)\in H\times G\times B$. The value h is called the H-modifier of the link. The value $hgb\in M$ is called the element represented by the link.

Elements in the program are represented using heads and links. In the case of links, the only visible element in the program is the element $g\in G$; the values h and b are known only by the compiler or the programmer.

Not all the elements of M need to be representable using a single link. In fact, we use multiple links to represent the elements of M.

If we denote $hGb=\{hgb\in M:g\in G\}$, we represent the elements in M as a sum of elements in the subsets $hGb$ for $h\in H$ and $b\in B$. Given a number of subsets, the elements of M that can be written as the sum of elements in the chosen subsets is called a sumset. This problem is well studied in additive number theory (see [12] for details), but, in our case, we have multiple solutions and a simple check lets us find them.

2.7. Reduction Maps (Public)

Let X and Y be heading spaces. A reduction map $r:X\to Y$ is a map for which we can find $h\in H$ and $b\in B$ such that

$$h{\pi }_Y(r(x))={\pi }_X(x)+b$$

for all $x\in X$. The pair $(b,h)$ is called the type of the reduction.

These maps can always be constructed because we can take any $x\in X$, compute $h^{-1}({\pi }_X(x)+b)\in M$ and find a value y such that ${\pi }_Y(y)=h^{-1}({\pi }_X(x)+b)$. Any value y satisfying the condition can be defined as $r(x)$.

Let $r:X\to Y$ and $s:Y\to Z$ be two reduction maps with such that the type of r is $(b,h)$ and the type of s is $(c,l)$. Then, we can make the composition of these reductions to have

$$h(l{\pi }_Z(s(r(x))))=h({\pi }_Y(r(x))+c)=h{\pi }_Y(r(x))+hc={\pi }_X(x)+b+hc.$$

This proves that the composition $sr$ is actually a reduction map with type $(b+hc,hl)$.

2.8. Dissolving Maps (Public)

A dissolving map for the heading space X with dimension d is a map

$$D:X\to G\times G\times \cdots \times G=G^{d}D(x)=(D_1(x),D_2(x),\cdots ,D_d(x)).$$

This map has hidden values $b_1,b_2,\cdots ,b_d\in B$ and $h_1,h_2,\cdots ,h_d\in H$ such that, for all $x\in X$,

$${\pi }_X(x)=h_1{D}_1(x)b_1+h_2{D}_2(x)b_2+\cdots +h_d{D}_d(x)b_d.$$

The values $b_i$ and $h_i$ could be repeated.

The dissolving maps are public, but values $b_i$ and $h_i$ are private. The number of dissolving maps depends on the implementation; it could be possible in some cases to create a full implementation without dissolving maps. The value d is not fixed; we can have dissolving maps with different dimensions in the implementation.

The dissolving maps are used to transform heads into links. This is something that could be necessary during the computation. If we know by construction that this is only applied to a certain subset of heads, it is possible to define the map D only over this subset.

2.9. Control Values and Deals (Private)

All elements in V can be represented in many ways in terms of M. During the computation, it may be reasonable not to reuse the representations, especially in critical points. For example, suppose $V={\mathbb{F}}_2^4$, $M={\mathbb{F}}_2^6$, and P is an invertible matrix $6\times 6$ over ${\mathbb{Z}}_2$. We can define the projection $p:M\to V$ as the first four bits of $Pm$ and consider the last two bits as control values.

If we use different control values at different critical points, we know that the representatives of the elements will never coincide.

There are many ways to define the control values. They can be checked before the H-modifiers or after them. It is also acceptable that the control values are not computed in the same way during the program. The multiple representation of the values and the way to control which representative is used during the computation is something that the programmer can use to increase the security level with great flexibility, but this is considered in Section 3.

A set of representatives that can represent all the elements of V but with a constant control value is called a deal. Using different deals at critical points is a way to protect against code injection.

2.10. The Program (Public)

Under white-box premises, the program is available to the attacker and, therefore, it can be considered as public information. The arithmetical elements in the program are a combination of heads and links. The number of heads and links used to represent a single element is dynamic and it changes during the execution of the program.

Each head or link has a visible part (the element $x\in X$ or the element $g\in G$), and hidden parts, the H-modifier h and a base point $b\in B$ for links. Thus, the element $x\in X$ can represent the value $h{\pi }_X(x)$ for any $h\in H$ and the link with value $g\in G$ in the program, can represent any $hgb$ for $h\in H$ and $b\in B$. These hidden parts of the arithmetical element are known by the compiler or the programmer to decide which operations are possible and which tables have to be used at a particular moment. The heads can be in different heading spaces.

Suppose we have an element given by some heads $x_i$ and some links $g_j$, the real value could be ${\sum }_i{h}_i{\pi }_{X_i}(x_i)+{\sum }_j{h}_j^{\prime }{g}_j{b}_j$. The addition of two arithmetical elements is just the juxtaposition of the values (i.e. it requires no code). The problem is that, after a number of operations, the elements are huge and we need a way to reduce their sizes. This is done with the reduction maps.

Suppose we have a head $x\in X$ and a link g. Internally, we know that they have the same H-modifier (for example $l\in H$) and we also know that the base point for the link is $b\in B$. Suppose  we have a reduction map r such that the associated partition of X is $\cup X_i$ and $x\in X_i$ with associated constants $h_i=h$ and $b_i=b$. In this case, we can proceed as follows:

$$l{\pi }_X(x)+lgb=lg(g^{-1}{\pi }_X(x)+gb)=lg({\pi }_X(g^{-1}x)+b)=lgh{\pi }_Y(r(g^{-1}x))$$

$$=l{\phi }_g(h)g{\pi }_Y(r(g^{-1}x))=l{\phi }_g(h){\pi }_Y(gr(g^{-1}x)).$$

This proves that the new head $gr(g^{-1}x)$ is a head representing the value $l{\pi }_X(x)+lgb$ with hidden H-modifier $l{\phi }_g(h)$. This process lets us reduce the size of the arithmetical elements combining a head with a link if they have the correct hidden modifiers and we have the appropriate reduction map. If  this is not the case, the reduction is not possible.

One of the characteristics of this arithmetic is that the designer has a number of possible reductions and he has to decide the precise order of the reductions. Any attacker wishing to modify a value, or paste a part of the code in another part of the program, or interchange values, immediately gets many meaningless values. At the same time, this makes the generation of the code more difficult, but this is a problem that is not visible in the final result. To have some freedom, it is reasonable to have many reduction maps, although the number required is not excessively large.

The final code is several steps that, in the visible program, look like $gr(g^{-1}x)$ for $g\in G$ and x in a heading space. This long sequence of values is combined with the values coming from the input tables or even constants.

The reduction that we have explained thus far lets us combine a head with a link, but we could need to add two heads. In that case, one of the heads has to be dissolved using a dissolving map into a number of links that let us continue the reduction process. This is not strictly necessary; depending on the design, it could be possible to have an implementation without dissolving maps. We see an example of this in Appendix B.

The designer of the program has to keep track of the H-modifiers for all possible executions of the program. This can be difficult, because the new H-modifier $(l{\phi }_g(h))$ depends on g, which is a value that could be input dependent. To deal with this problem, it is better to have a very simple function $\phi$ that could have at most two or three different values. This would let us classify the elements of G depending on the value ${\phi }_g$ and keep track of the subset of G in which the values can range. If this is too complex for the implementation, a reasonable solution is to take a trivial map $\phi$ and therefore use the direct product $H\times G$ instead of a semi-direct product $H{⋊}_{\phi }G$.

2.11. Input Tables (Public)

One of the critical points in a white-box implementation is the input of new values. The designer has to decide the correct representation that is used for the input values; they can be given by a head, a number of links or a combination of both. The control values let us use different deals in critical points. It is a good idea to use a deal for the input values that are not used at any other critical point of the program.

The H-modifiers of the input values are known by the designer, and the actual values given in the tables have to be checked to guarantee that all possible computations give the correct H-modifier in the following critical point. This is what we have mentioned in the previous subsection regarding the values ${\phi }_g$ for all g in the input table.

2.12. Output Tables (Public)

This is the second critical point in the program. As we have done with the input values, the output uses a deal that has not been used at any other critical point. The H-modifiers of the elements when the output is reached should be known by the designer in order to build the table.

If we use a fixed control value for the output, the number of valid values is not large, thus we can create small output tables.

2.13. Tables for Nonlinear Operators (Public)

It is quite common to have nonlinear operators that have to be applied to the arithmetical operators. These are elements outside the arithmetic and we need a special table to define them. The  input and output of these tables are critical points of the implementation and, as we have done with the input and output tables, it is a good idea to use a unique deal (not used with any other critical point) to define the input entries and the output entries of this table. The tables are usually applied to heads and the output can be a head, a link or a combination of both.

2.14. Additional Affine Transformations (Private)

Consider the flow chart of the algorithm. The general structure is a graph with some critical points and a number of linear operations. Two points in the chart are said to be linearly equivalent if there are no critical points in between. This equivalence relation defines several connected components. All operations in a connected component are group operations, therefore we can apply any affine transformation to a whole connected component with the rule that everything that is done at the entry points of the connected component has to be undone at the exit points of the connected component. These operations can be glued to the tables at the critical points.

Consider, for example, $V={\mathbb{Z}}_7$ and a program that computes a nonlinear operator S, adds a key value k and an input value v, and finally computes another operator T of the result. The graph of this connected component is in Figure 1.

Suppose that, by design, we decide that the output of S is multiplied by a and added to b. Instead of having x, we have $ax+b$ and this has to be considered in the encoding of the input table, which should give us $av$ instead of v. We can now add the value to the output of S, $(ax+b)+av=a(x+v)+b$. At the exit point of the connected component (the input of T), we have to undo the change and add the key k, thus the encoding of the table for T will compute $a^{-1}(y-b)+k$ before computing the real T. All these things can be included in the definition of the tables with no additional cost, but they are constant transformations that remain fixed for all executions of the  program.

3. Additional Security Measures

In Section 2, we are too strict in the definitions and properties required for a private arithmetic. This is a first approach and it is necessary to make a simplified version to introduce the theory. In this section, we are much more flexible. In a real implementation, it is important to include elements that could make the analysis more confusing to the attacker. The ideas of this section and others that could be considered by the programmer help to increase the security.

3.1. The Relation Between the Internal and the External Arithmetic

We have two commutative groups, V and M, and in Section 2 we have defined a projection $p:M\to V$ that lets us represent every element $v\in V$ by at least one element $m\in M$. If we have to add two elements $v_1$ and $v_2$, we simply compute the sum of their representatives, and it is a representative of the sum because p is a homomorphism. However, this is not the only option. We could also have more than one element in M to represent the elements of V. Consider $p:M\times M\times \cdots \times M\to V$ a surjective group homomorphism and $v_1,v_2\in V$ such that $p(m_i^1,m_i^2,\cdots ,m_i^k)=v_i$, then $v_1+v_2=p(m_1^1+m_2^1,m_1^2+m_2^2,\cdots ,m_1^k+m_2^k)$. When this happens, V is said to be a group generated by the group  M.

The most general construction is to have a surjective group homomorphism $p:M^n\to N$ such that V is a subgroup of N. We can emulate the arithmetic of the elements of N using tuples of elements in M, thus we can do it for V because all the elements of V are in N. When V is a subgroup of a group generated by M, it is said to be subgenerated by M.

The category of groups or modules subgenerated by M is denoted by $\sigma [M]$ in the literature (see  [13], Chapter 3, Section 15). This category is closed under submodules, coproducts and quotients, therefore we cannot get any further groups iterating the constructions.

Making the group M quite different from V is something that increase the security, because the group V is public (it is usually described in the algorithm), but the group M and the relation between M and V is not known by the attacker, thus the internal arithmetic would be safe.

3.2. Quasi-Reductions

In Section 2.7, we show that the reductions can be composed. This property could be used by the attacker because, making all possible compositions, some patterns could be revealed. It is also usual to compare different reductions in order to remove some security measures (this is usually called differential cryptanalysis). For example, consider X and Y two heading spaces, $r:X\to Y$ a reduction with type $(b,h)$ and $x_1,x_2\in X$.

The type of r gives

$$h{\pi }_Y(r(x_1))={\pi }_X(x_1)+bh{\pi }_Y(r(x_2))={\pi }_X(x_2)+b.$$

If we subtract these values, we get

$$h({\pi }_Y(r(x_1))-{\pi }_Y(r(x_2)))={\pi }_X(x_1)-{\pi }_X(x_2).$$

This equation has removed the value b and introduced some equations that could be used by the  attacker.

The idea of quasi-reductions is to consider maps $r:X\to Y$ that do not satisfy the condition $h{\pi }_Y(r(x))={\pi }_X(x)+b$ for any $(h,b)$ and mix them with real reduction maps to introduce a non-arithmetical behavior in the program that could make any attack based on arithmetical properties difficult, in particular, differential cryptanalysis. This property also avoids the possibility of  composition.

We show how to deal with these quasi-reductions with an example that is expanded in Section 5. Suppose $V={\mathbb{F}}_2^8$ and $M={\mathbb{F}}_2^{20}$. The projection $p:M\to V$ is given by the first eight bits and consider that the last four bits have a non-arithmetical behavior (let E be the subspace generated by these four bits).

A quasi-reduction $r:X\to Y$ satisfies $h{\pi }_Y(r(x))={\pi }_X(x)+b$ for the first 16 bits, but the last four bits have random values (or any other pattern that could be interesting to hide the real structure). If we have to compute the addition of two elements $m_1$ and $m_2$, we can be sure that the first 16 bits are actually the addition of the first 16 bits of $m_1$ and the first 16 bits of $m_2$, but the last four bits have a value fixed by the definition of r, but not following any addition rule. These extra values break the arithmetical analysis, thus, given two values $x_1$ and $x_2$ in X, we have

$$h({\pi }_Y(r(x_1))-{\pi }_Y(r(x_2)))={\pi }_X(x_1)-{\pi }_X(x_2)+e(x_1)-e(x_2).$$

where $e(x_1)-e(x_2)$ is an error that belongs to E and depends on $x_1$ and $x_2$ and, hence, it is quite difficult to analyze.

The main objective of this subspace E is to introduce values to break the arithmetical properties of the tables but we have to give correct results in spite of these errors. Therefore, we have to keep these values under control. The easiest way is that E would be a $k[H{⋊}_{\phi }G]$-submodule of M. In this way, every element in M can be decomposed in two parts, the error $e\in E$ and a value in $M/E$ that behaves arithmetically (without errors). Space E is not visible, thus only the programmer can clean the errors from the values in order to generate correct computations.

3.3. Valid and Forbidden Elements

Consider an attacker trying to obtain information from the public elements. The attacker has a group G and elements in a heading space X that can be multiplied by elements in G, thus, given $x\in G$, it is quite natural to make all possible multiplications $\{gx:g\in G\}$. This is called the orbit of the action. These orbits over X are related with the orbits of the action $G\times M\to M$ because the element x represents an element in M.

The elements of M can be multiplied by elements of G and elements of H. The elements of H modify the element to be represented using some fixed rules, therefore it is interesting to analyze the orbits of M as $H{⋊}_{\phi }G$-set. The orbit of $m\in M$ is $\{hgm:hg\in H{⋊}_{\phi }G\}=(H{⋊}_{\phi }G)m$.

Our objective is to use orbits that cannot be easily recognized, but some elements could be a problem. For example, the case of $0\in M$ is very particular. The elements of H and G are linear transformations, therefore $hg0=0$ for all $h\in H$ and $g\in G$, thus 0 generates an orbit with only one element. We would prefer orbits not to be very different and this special orbit can be a problem. This can also be true for other special orbits. The idea is to remove these special elements from the arithmetic and use only normal elements. We analyze in a bit more depth why these elements appear.

First, note that the elements of H and G are endomorphisms of M and therefore have linear properties in the multiplication $(H{⋊}_{\phi }G)\times M\to M$. This makes M not only an $H{⋊}_{\phi }G$-set but also a R-module for the group ring $R=\mathbb{Z}[H{⋊}_{\phi }G]$. The commutative group M is thus a R-module and the composition series, $0=M_0\le M_1\le \cdots \le M_n=M$, is unique up to equivalence (by Jordan–Hölder theorem). As we show, the orbit generated by $M_0$ only has one element, but it is possible to have small orbits in $M_1$ and even in $M_2$. The elements of these small orbits are better to be removed.

Let $\tilde{M}$ be a subset of elements in M that we want to remove from the arithmetic (they are called forbidden elements), and we have a reduction $r:X\to Y$ with type $(b,h)$. The elements of $\tilde{M}$ can be removed from the image of ${\pi }_Y$ and ${\pi }_X$; however, what happens if we have $x\in X$ such that $h^{-1}({\pi }_X(x)+b)$ is a forbidden element? In that case, we cannot make the definition of $r(x)$ and the compiler should ensure that this reduction is never going to be executed in the program. If $r:X\to Y$ is the only reduction with origin in X, this implies that ${\pi }_X(x)$ can also be considered a forbidden element for X and it can be included in $\tilde{M}$ although its orbit could be normal.

This shows that the forbidden elements could depend on the heading space X and the projection ${\pi }_X:X\to M$, which could be undefined, not only because ${\pi }_X(x)$ is a forbidden element but also because the reductions would take it to a forbidden element in another heading space, thus the family of forbidden elements is something dynamic. In Section 5, we show how to analyze the orbits and select the forbidden elements with an example.

3.4. Overlapping Orbits and Combinations of Heading Spaces

We show in previous subsections that the attacker can get some information by playing with the reductions and analyzing the orbits. The implementation should make this task as difficult as  possible.

A heading space is a set X with a multiplication by elements of G. It is not even necessary that all the multiplications give correct results, because they could correspond to forbidden elements. If  we have several heading spaces $X_1,X_2,\cdots ,X_k$, we can join them in a single set X as a disjoint union. If  X and Y are combinations of heading spaces, a reduction map $r:X\to Y$ is a combination of reduction maps.

For an attacker, it is not completely trivial to decide if two elements $x_1,x_2\in X$ belong to the same heading space or not. It is even more difficult to know all the elements that belong to the same heading space. The attacker could use the following claims to group the elements that belong to the same heading space.

• All elements that appear at the same position in the program under different valid inputs belong to the same heading space.
• For every $x\in X$, all elements in the orbit of x, $Gx$, belong to the same heading space.
• Let $x\in X$ and $r:X\to Y$ be reduction maps, then all the values $r(gx)$ belong to the same heading space for all $g\in G$.

The first claim is difficult to avoid, but only gives partial information because, at a certain point of the program, the elements not only belong to the same heading space, but also have some fixed control values; therefore, the subset of X obtained using this technique is only a small part of the heading  space.

The second claim can be very useful to incorporate errors into the analysis of the attacker. We  know that not all the elements of the orbit $Gx$ are valid elements. Suppose that the elements not used in the orbit $Gx$ are precisely those needed by other orbit in another heading space to represent their valid elements. Then, we can use the orbit $Gx$ with two different meanings, depending on the value $g\in G$. We call this method overlapping orbits. It is not easy that this property happens by chance, but it could be possible if we select the orbits that belong to each heading space looking for this particular property. We show this in Section 4. Overlapping orbits is not easy, and the tables do not have more than a few of them overlapped, but these can be enough to introduce errors in the analysis of the attacker.

The third claim is not true. Several values of $r(gx)$ are invalid and we can define the tables with any value we want. The values chosen for the invalid elements can be in any heading space. If  the orbit $Gx$ has elements overlapped with another orbit, it is even worse because the values $r(gx)$ are in different heading spaces and they are actually used in the computation.

4. Discussion

We list some of the most notable features of this method. Some of them are qualitative and others can be quantified.

4.1. Flexibility

A private arithmetic assumes that the external commutative group is fixed, but all other constructions can be decided. All the internal arithmetic can be decided by the programmer depending on the resources (time and memory) and his own expertise in automorphism groups.

The selection of the orbits, their representatives, the base points, etc. can be decided freely. The  number of choices is really high.

4.2. Non-Standard Operators

The most natural choice to obfuscate the addition in a commutative group is to have one or more binary operators to be applied over encrypted operands. The standard attacks try to match encrypted values with plain values and to use the algebraic properties of the group addition to find as many plain values as possible.

The method given in this paper has one or more reduction maps. The reduction maps are unary operators. The visible algorithm also provides a multiplication between elements in a group G and the heading spaces. The group G cannot be matched with elements in the external commutative group and the standard attacks do not fit with the arithmetical structure given by the reductions.

4.3. Nonlinear Relations Between Values and Their Representatives

The arithmetical elements in the program are represented by heads and links. The visible elements are elements in the heading space for heads and elements in G for links. The connection between these elements is not linear; for example, suppose $g_1$ and $g_2$ are the visible part of two links. Even if they would have the same H-modifier and the same base point, $h{g}_{1}b+h{g}_{2}b$ is in general not connected with any $hgb$ for any $g\in G$, because G is closed under group multiplication, but the addition is not allowed. Something similar happens for heads. Consider the example given in Appendix B, two heads $x_1,x_2$ could have visible representatives $v_1,v_2\in {\mathbb{Z}}_{10}^2$. The addition $v_1+v_2\in {\mathbb{Z}}_{10}^2$ has no connection at all with the head that represents the addition of ${\pi }_X(x_1)+{\pi }_X(x_2)$

The nonlinear relation between values and their representatives is something that many obfuscations consider, but, in most cases, it is done in an artificial way, which must be undone before the obfuscated additions. In this system, the non-linearity is completely natural and fits the structure of the computations.

4.4. Linear Growth

We have previously mentioned that the arithmetical operators (the reductions) are unary operators instead of binary ones. This property means that the growth of the tables is linear, while the growth of the security elements is quadratic. For example, suppose that $M={\mathbb{F}}_2^k$. The heading spaces has a number of elements with the same order of magnitude of M, and we can say $O(2^k)$. The number of invertible matrices $k\times k$ over ${\mathbb{Z}}_2$ (which could be considered as a measure of the security level, as shown in Section 4.6) is $O({(2^k)}^2)=O(2^{2k})$, a quadratic growth in comparison with the growth of the size of the tables. Using binary operators, the table would require two inputs and thus the growth of the tables would also be quadratic.

The linear growth lets us optimize the security for the resources available, increasing the size of M and getting a much greater increase in the security than when using binary operators. This property is especially relevant in the case of IoT because the resources are usually quite limited.

4.5. Protection against Differential Cryptanalysis

Another noteworthy characteristic of this system is that we can incorporate non-arithmetical behavior to the operators. This is what we have called quasi-reductions, and we explain them in Section 3.2. These quasi-reductions increase the protection against differential cryptanalysis.

4.6. Security and Conjugacy Search Problem

There are algorithms in which we can obtain the secret information only playing with the inputs and outputs. In that case, even a black-box implementation of the algorithm would reveal the secret information and it is worthless to make a white-box implementation that would not increase the security at all, because the attacker has a running implementation by definition of white-box. This is what we call intrinsic vulnerabilities and we show an example of this in Appendix B.1.

There are other vulnerabilities due to naive choices, for example, taking $M=V$, or a group G that generates orbits that can be easily analyzed.

There are also algorithms with many mathematical properties that are not evident at first sight and that can be used to get the secret information despite the encoding. Strictly speaking, these are not intrinsic vulnerabilities because they can be local to a piece of the code. For example, suppose that we have a program given in rounds, such that, if we randomly modify a value at the beginning of a round, this change is spread in a way that depends on the secret values. A blind obfuscation of the algorithm could make it easy to recognize the structure of rounds and independently of the arithmetical obfuscation, it is possible to modify a value at some point with the value given in a previous execution. This code injection combined with the mathematical property of the algorithm known by the attacker could reveal the secret information without actually breaking the arithmetic.

These vulnerabilities make it almost impossible for an automatic program to generate obfuscated code. There are even theoretical studies about the impossibility of having a general virtual black box system. See [14,15] for details.

The advanced encryption standard (AES) is a typical example of this. There are many publications studying the mathematical properties of this algorithm that can be used to break white-box implementations. In particular, AES is inherently vulnerable to differential fault analysis (DFA) and this kind of attacks can be applied to the majority of the public implementations of AES (see, for example, [2]). However, not only DFA, the number of known attacks to white-box implementations of AES is huge. The experience of the WhibOx Challenge (see [8]) shows that many implementations of AES can be broken independently of the arithmetical encoding.

The method presented in this paper helps to protect, mainly because it is possible to use multiple representations of the elements with different control codes, but not all possible design vulnerabilities can be avoided if the structure of the program is revealed in the obfuscated code, and this is something that the designer of the program has to decide, independently of the arithmetic.

What we can analyze here is the security related to the arithmetical elements. We use in this system a group G that is a subgroup of $\mathsf{Aut}(M)$. The natural choice is to have a G much smaller than $\mathsf{Aut}(M)$. For example, if M is ${\mathbb{F}}_2^{20}$, $\mathsf{Aut}(M)$ is the set of invertible matrices $20\times 20$ over ${\mathbb{F}}_2$. The number of them is ${\prod }_{i=0^{19}}(2^{20}-2^i)\approx 2^{398.2}$. The group G, in comparison, is really small; in the example given in Section 5, it has 2520 elements.

In recent years, the number of cryptographic algorithms based on non-commutative groups has increased. We can see in [11] several algorithms based on non-commutative groups and the group-theoretical problems on which they are based. In the system proposed in this paper, we have a group G that it is given by a table or any other method that lets us compute with the elements. The  attacker knows that this group is a subgroup of $\mathsf{Aut}(M)$ but the internal group M is not known. Using the critical points, in particular the input and output tables, it could be possible to get some information about the properties of the values in the external group V compared to their corresponding internal values in M. This information is always partial. In the worst scenario, the attacker could guess that the original representation of the group G in $\mathsf{Aut}(M)$ is made using some special representation. However, this original representation $\psi :G\to \mathsf{Aut}(M)$ can be modified up to conjugacy using any invertible element $t\in \mathsf{Aut}(M)$ with the equivalent representation ${\psi }^{\prime }(g)=t\psi (g)t^{-1}$. The  number of options for t can be huge and these new representations change completely the elements that belong to each orbit and their properties. The attacker needs to determine the conjugacy used with very short information about the effects in the external group. The conjugacy problems are considered hard to solve and the security of group-theoretic cryptography is very often based on them. See [11] for general background on these kinds of problems.

4.7. Use Cases and Further Applications

In the Introduction we give several use cases for white-box cryptography. In general, white-box cryptography should be considered when the attacker has access to the program and can manipulate it without restrictions to obtain the critical information, for example the keys.

As we can see in [16], the problem of mistrust in IoT is one of the main factors that have affected how IoT security is perceived. IoT devices can become adversaries themselves and they can be used to obtain critical information. The protection of our code with a white-box obfuscation makes this impossible, because the valuable information is not visible to the hostile environment.

The method proposed in this paper is not only valid in general as a white-box method. We show above that it is possible to generate a huge number of different arithmetics choosing some parameters, which makes it especially useful for the generation of code for IoT. Another characteristic of the code is the homogeneity. The code generated using this method has long sequences of reduction steps, each requiring a similar table lookup (we can see an example of this in Algorithm A3). The  white-box protection let us delegate the computation of a number of these reductions to other devices without risk, because the program is supposed to be public. As we can see in [17], the security is a major threat in edge and fog computing, but using this method it is possible to avoid that risk.

5. A Huge Private Arithmetic

In this section we analyze an example with all the security measures considered in the paper and a huge size. The arithmetic is generated for the group $V={\mathbb{F}}_2^8$. We also analyze the memory requirements to generate this arithmetic.

The internal commutative group M is ${\mathbb{F}}_2^{20}$. The elements of M are decomposed infive subvectors of four bits each. Thus, we denote $m=(m_0,m_1,m_2,m_3,m_4)$ the vector of M and the $m_i$ is vectors in ${\mathbb{F}}_2^4$. We use the subvector $m_4$ as error space and the others as arithmetical values.

We use block matrices with five blocks of $4\times 4$-matrices in the diagonal to generate G. The group of invertible $4\times 4$-matrices over ${\mathbb{F}}_2$ has $20,160$ matrices and generates some orbits that are too big for our purposes. It is better to consider a subgroup of this group with 2520 elements and combine it with some permutations of the five blocks in the diagonal. In this case, we consider H the subgroup generated by the rotation of the first four blocks. This generates a group H with order four and the elements of H commute with the elements of G, thus we have a direct product instead of a semi-direct product for the extended arithmetical group $H\times G$.

There are many combinations that let us generate the subgroup of 2520 elements. One of them is to use the matrices $a=\left[\begin{array}{cccc}1& 0& 1& 1\\ 0& 1& 0& 0\\ 1& 1& 1& 0\\ 0& 0& 1& 1\end{array}\right]$ and $b=\left[\begin{array}{cccc}1& 0& 1& 0\\ 1& 1& 0& 0\\ 0& 0& 0& 1\\ 0& 1& 0& 0\end{array}\right]$ in ${\mathsf{Mat}}_{4\times 4}({\mathbb{F}}_2)$. Many others can be found by conjugacy.

The group $G_0$ generated by these two matrices has 2520 elements. For each $g\in G_0$, we can make the block matrix $\left[\begin{array}{ccccc}g& 0& 0& 0& 0\\ 0& g& 0& 0& 0\\ 0& 0& g& 0& 0\\ 0& 0& 0& g& 0\\ 0& 0& 0& 0& g\end{array}\right]\in {\mathsf{Mat}}_{20\times 20}({\mathbb{F}}_2)$ that is identified with g. The matrix h to generate H could be the block matrix $h=\left[\begin{array}{ccccc}0& 0& 0& I& 0\\ I& 0& 0& 0& 0\\ 0& I& 0& 0& 0\\ 0& 0& I& 0& 0\\ 0& 0& 0& 0& I\end{array}\right]\in {\mathsf{Mat}}_{20\times 20}({\mathbb{F}}_2)$, where I is the identity matrix in ${\mathsf{Mat}}_{4\times 4}({\mathbb{F}}_2)$.

At this point, it is necessary to decide which elements of M that are valid. This  decision requires some analysis of the group ring and the orbits because our intention is to remove the elements that could have a recognizable behavior in the tables. We have to analyze the $\mathbb{Z}[G]$ structure of M. It is equivalent to use this structure or the ${\mathbb{F}}_2[G]$-structure because m has characteristic two, thus we can take $R=\mathbb{Z}[G]$ or $R={\mathbb{F}}_2[G]$.

The R-module M has a composition series $0=M_0\le M_1\le M_2\le M_3\le M_4\le M_5=M$, in which $M_{i+1}/M_i$ are simple R-modules. The composition series in this case has $M_{i+1}/M_i$ always isomorphic to ${\mathbb{F}}_2^4$, the vector space of 16 elements with the structure given by $G_0\times {\mathbb{F}}_2^4\to {\mathbb{F}}_2^4$ (note that $G_0$ and G are isomorphic). The Jordan–Hölder theorem says that any other composition series $0=M_0^{\prime }\le M_1^{\prime }\le M_2^{\prime }\le M_3^{\prime }\le M_4^{\prime }\le M_5^{\prime }=M$ has the same length and $M_{i+1}^{\prime }/M_i^{\prime }$ is also isomorphic to the same simple module.

We use a very simple decomposition in blocks that makes the structure visible. The structure (up to isomorphism) is not changed if we consider a conjugated action given by $t^{-1}Gt$ with any invertible matrix t. It is better to make the theoretical analysis with the original version and apply the conjugation afterwards.

It is an obvious choice to remove the element 0, but we also remove the elements of the different R-modules that can appear in the first two steps. In the version before conjugation, the elements $(m_0,m_1,m_2,m_3,m_4)\in M$ such that they can appear in the position $M_1$ in the composition series are the ones such that $\mathsf{dim}(\mathsf{span}(m_0,m_1,m_2,m_3,m_4))\le 1$, and the ones that can appear in the position $M_2$ are the ones such that $\mathsf{dim}(\mathsf{span}(m_0,m_1,m_2,m_3,m_4))\le 2$. If we want to consider them as forbidden elements, we have to restrict the subset of valid elements to those ones such that $\mathsf{dim}(\mathsf{span}(m_0,m_1,m_2,m_3,m_4))\ge 3$ or a subset of these elements. There are $1,015,560$ elements satisfying this condition. They are distributed in 403 orbits with 2520 elements per orbit.

They can be classified using matrices $4\times 5$ with columns $(m_0,m_1,m_2,m_3,m_4)$ and defined normal forms for the generator of the orbits. Consider a map $f:\{0,1,2\}\to \{0,1,2,3,4\}$ strictly increasing. We fix in the vectors $\left[\begin{array}{c}1\\ 0\\ 0\\ 0\end{array}\right]$, $\left[\begin{array}{c}0\\ 1\\ 0\\ 0\end{array}\right]$ and $\left[\begin{array}{c}0\\ 0\\ 1\\ 0\end{array}\right]$ in the positions $f(0)$, $f(1)$ and $f(2)$. The rest of the values will be free if they keep the matrix in an almost echelon form. Strictly speaking, it is not an echelon form because the group can reduce only three positions (it is not the full group of invertible matrices). The generators are given in

Table 1. Generators and number of orbits.

f	Generators	Number of Orbits
$(0,1,2)$	$\left[\begin{array}{ccccc}1& 0& 0& \ast & \ast \\ 0& 1& 0& \ast & \ast \\ 0& 0& 1& \ast & \ast \\ 0& 0& 0& \ast & \ast \end{array}\right]$	$2^8=256$
$(0,1,3)$	$\left[\begin{array}{ccccc}1& 0& \ast & 0& \ast \\ 0& 1& \ast & 0& \ast \\ 0& 0& 0& 1& \ast \\ 0& 0& 0& 0& \ast \end{array}\right]$	$2^6=64$
$(0,2,3)$	$\left[\begin{array}{ccccc}1& \ast & 0& 0& \ast \\ 0& 0& 1& 0& \ast \\ 0& 0& 0& 1& \ast \\ 0& 0& 0& 0& \ast \end{array}\right]$	$2^5=32$
$(1,2,3)$	$\left[\begin{array}{ccccc}0& 1& 0& 0& \ast \\ 0& 0& 1& 0& \ast \\ 0& 0& 0& 1& \ast \\ 0& 0& 0& 0& \ast \end{array}\right]$	$2^4=16$
$(0,1,4)$	$\left[\begin{array}{ccccc}1& 0& \ast & \ast & 0\\ 0& 1& \ast & \ast & 0\\ 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0\end{array}\right]$	$2^4=16$
$(0,2,4)$	$\left[\begin{array}{ccccc}1& \ast & 0& \ast & 0\\ 0& 0& 1& \ast & 0\\ 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0\end{array}\right]$	$2^3=8$
$(0,3,4)$	$\left[\begin{array}{ccccc}1& \ast & \ast & 0& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0\end{array}\right]$	$2^2=4$
$(1,2,4)$	$\left[\begin{array}{ccccc}0& 1& 0& \ast & 0\\ 0& 0& 1& \ast & 0\\ 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0\end{array}\right]$	$2^2=4$
$(1,3,4)$	$\left[\begin{array}{ccccc}0& 1& \ast & 0& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0\end{array}\right]$	$2^1=2$
$(2,3,4)$	$\left[\begin{array}{ccccc}0& 0& 1& 0& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\\ 0& 0& 0& 0& 0\end{array}\right]$	$2^0=1$
	Total	403

.

For each heading space, we have to choose which elements are used. We have to be careful to have multiple representations for each element in V, but we can choose the orbits we want. We could decide to have heading spaces with a number of orbits between 200 and 300 from these 403 ones. The  selection of these orbits can be made in order to get properties such as overlapping orbits (see Section 3.4). For example, consider X and $X^{\prime }$ as two heading spaces that have an orbit $(G,i)$ overlapped. We define at the same time two reductions $r:X\to Y$ and $r^{\prime }:X^{\prime }\to Y^{\prime }$. The types of the reductions r and $r^{\prime }$ are $(h,b)$ and $(h^{\prime },b^{\prime })$. We select a value $x_i\in X$ and $x_i^{\prime }\in X^{\prime }$ to be the base point on these orbits and finally we compute $u_g:=h^{-1}(g{x}_i+b)$, $v_g:={(h^{\prime })}^{-1}(g{x}_i^{\prime }+b^{\prime })$ for all $g\in G$. The values $u_g$ and $v_g$ will belong to some orbits, the idea is to choose the orbits in Y and $Y^{\prime }$ in such a way that $u_g$ and $v_g$ are not valid elements in Y and $Y^{\prime }$ at the same time. The rest of the orbits can be chosen randomly, bearing in mind that some of them are now forbidden to have a correct definition of r and $r^{\prime }$ in the overlapped orbit $(G,i)$. The forbidden elements in the orbits are filled in tables r and $r^{\prime }$ with fake values that can be part of different heading spaces, as explained in Section 3.4.

Let $k_1,k_2,\cdots ,k_n$ be the number of orbits for each heading space. If they are between 200 and 300, we can consider that the number of elements in the combined heading space will be around $250n$. The  representation of each element is an index i for the orbit (two bytes) and two other bytes for the group element $g\in G$. The size of the tables required for these combinations of heading spaces and reductions are $2520·250·n·4$ bytes, that is $2.5n$ megabytes where n is the number of heading spaces. A big implementation could use eight heading spaces, and therefore a number around 200 megabytes would be reasonable.

The rest of the implementation would require tables for input and output, and also for possible S-boxes, another 200 megabytes could be required and the code depends on the algorithm, but could be another 100 megabytes. If we put together all these numbers, the size of a big implementation would be around 500 megabytes.

If the attacker knows the details of this construction, the security would be based on the choice of an invertible matrix t such that the actual group G would be $tG{t}^{-1}$. The number of choices for the non-arithmetical part is the number of maps $E\to E$. They do not even have to be bijective, thus the number is ${16}^{16}=2^{64}$. The number of choices for t is ${\prod }_{i=0}^{15}(2^{16}-2^i)\approx 2^{254.2}$. The conjugation by t induces a new relation between M and V as well as a change in the base points used to represent the classes. The search for the conjugacy matrix is much more difficult than the standard conjugacy search problem, because only partial information is visible.

6. Conclusions

White box implementations are not a simple task. The protection of the arithmetic is something that requires a lot of resources, which might not be available (especially on IoT applications), therefore it is critical to decide which are the elements that should be protected. The method presented in this paper can be used to obfuscate the arithmetic of a commutative group using a related non-commutative group. The idea of the paper is to completely shuffle the additive structure and use the endomorphisms to make computations.

Non-commutative groups are attracting the attention of the cryptographic community because there are many hard problems related to them that can be used for cryptographic purposes. The  method presented in this paper is very flexible and it is possible to modify the implementations by conjugation. This makes it possible to generate a huge amount of essentially different implementations based on the same original groups. The search for this conjugacy is not the only problem that the attacker has to solve, because many different choices can be made to increase the difficulty of the analysis.

7. Patents

The contents of this paper may be related to the following patent applications: WO2018015325 and WO2018115143.