Mathematical Problems of Computer Science 46, 26–36, 2016.

Review of White-box Implementations of AES Block Cipher and Known Attacks

Martun M. Karapetyan
Institute for Informatics and Automation Problems of NAS RA
e-mail: martun.karapetyan@gmail.com

Abstract

Conventional encryption algorithms are designed to be secure in the “black-box” context, i.e. the attacker has access to the input and output of the algorithm, but cannot observe the intermediate values generated during the software execution. Yet in some cases the encryption algorithm runs in a hostile environment, where the attacker not only sees the input and output values but also has full access to all the internal values and can change the execution at will. White-box cryptography algorithms are designed to be executed in such untrusted environments and are said to operate in the white-box attack context. A white-box implementation of the AES cipher was first presented by Chow, Eisen, Johnson and van Oorschot in 2002 [1]; it was shown to be insecure against the BGE attack presented by Billet, Gilbert and Ech-Chatbi in 2004 [2]. In 2010, another white-box AES implementation was presented by Karroumi, which was supposed to withstand the BGE attack [3]. In 2013, De Mulder, Roelse and Preneel showed that Karroumi's and Chow's implementations are equivalent, i.e. the BGE attack can be successfully applied to both [4]. They also presented several optimizations, which reduce the work factor of the attack to $2^{22}$ work steps. In this paper we review both AES implementations and the BGE attacks.

Keywords: Cryptography, White-box, AES, BGE attack, Review.

1. Introduction

In the “black-box” encryption model a cryptographic operation is executed in a trusted environment. The attacker, whose main goal is to extract the cryptographic key, observes the input and output of encryption/decryption operations, but has no access to the internal values generated by the algorithm.
Conventional encryption algorithms were designed to be secure in this context.

In some cases, cryptographic software runs on a device controlled by a hostile user. In this case the attacker sees any intermediate value generated by the execution of a cryptographic operation by observing the memory of the device, and can change the execution routine at will. Examples of such software are Digital Rights Management (DRM) systems or any client software running on a cloud. White-box implementations of encryption algorithms are designed to run on these devices, and are said to operate in the white-box attack context. White-box algorithms are implemented as a series of look-ups from tables, which contain the cryptographic key in such a way as to prevent its extraction. There were numerous attempts to design a white-box implementation of the Advanced Encryption Standard (AES), all of which were later broken.

A white-box implementation of the AES cipher was first presented by Chow, Eisen, Johnson and van Oorschot in 2002 [1]. An attack presented by Billet, Gilbert and Ech-Chatbi in 2004 (the BGE attack) showed that the secret key can be extracted from Chow's implementation in $2^{30}$ work steps [2]. In 2010, Karroumi presented a modified version of Chow's algorithm based on dual ciphers, which was designed to withstand the BGE attack and increase its work factor to $2^{93}$ [3]. In 2013, De Mulder, Roelse and Preneel proved that Karroumi's and Chow's implementations are identical and that the BGE attack can be applied to Karroumi's implementation with minor modifications [4]. Several speed optimizations were also presented, after which just $2^{22}$ work steps are required to extract the key.

In this paper we review both implementations of AES and the BGE attack applied to them. The paper is organized as follows: Section 2 briefly presents black-box AES encryption. Section 3 is devoted to Chow's implementation of AES white-box encryption.
Section 4 contains the BGE attack. Section 5 briefly describes Karroumi's implementation. Section 6 comments on the BGE attack on Karroumi's implementation. The paper ends with the conclusion.

2. AES Black-box Encryption

AES is a substitution-permutation network cipher for symmetric encryption, also known as the Rijndael cipher [5]. It supports key lengths of 128, 192 or 256 bits and has 10, 12 or 14 rounds, respectively. AES-128 will be considered as the primary setting in the rest of this paper. Each round updates a 16-byte state and consists of four operations: SubBytes, ShiftRows, MixColumns and AddRoundKey, except the final round, where the MixColumns operation is omitted. The 128-bit state is interpreted as a 4x4 matrix of 8-bit values.

The SubBytes operation substitutes each value $a_{i,j}$ of the matrix with $S(a_{i,j})$, where the values $S(a_{i,j})$ are built using inversion in $GF(2^8)$ modulo the irreducible polynomial $m(x) = x^8 + x^4 + x^3 + x + 1$. The ShiftRows transformation shifts the 2nd, 3rd and 4th rows of the table 1, 2 and 3 times to the left, respectively. MixColumns is a transformation applied to the columns of the state matrix. Each column is multiplied by the fixed matrix

$$MC = \begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}.$$

The AddRoundKey operation simply XORs the state with the next key, generated by the key schedule.

For the purpose of creating a white-box implementation of AES, we can view the algorithm in a different manner. One can notice that the SubBytes and ShiftRows operations can be safely switched without any change in the output. Also, because ShiftRows is a linear transformation, AddRoundKey($K_i$) followed by ShiftRows is identical to ShiftRows followed by AddRoundKey($\tilde{K}_i$), where $\tilde{K}_i$ is the result of applying the ShiftRows operation to $K_i$. These observations allow us to change the AES structure to the one in Figure 2.

Fig. 1. Structure of AES black-box encryption.

Fig. 2. AES SubBytes operation.

3. Chow's AES White-box Implementation

In 2002, Chow, Eisen, Johnson and van Oorschot proposed the first white-box implementation of AES-128 [1]. Instead of calculating the function $E_K$ on the plaintext, another function $E'_K = G \circ E_K \circ F^{-1}$ is computed, where $F$ and $G$ are input and output encodings, which are randomly generated independently of $K$.

Fig. 3. AES ShiftRows operation.

Fig. 4. AES MixColumns operation.

Since in some cases it is infeasible to have input and output encodings of the desired bit length, some encodings can be represented as a concatenation of smaller bijections. A bijection $F$ of size $n = n_1 + n_2 + \dots + n_k$ can be built from a list of smaller bijections $F_i$, where $F_i$ has size $n_i$, and for any $n$-bit vector $b = (b_1, b_2, \dots, b_n)$

$$F(b) = F_1(b_1, \dots, b_{n_1}) \,\|\, F_2(b_{n_1+1}, \dots, b_{n_1+n_2}) \,\|\, \dots \,\|\, F_k(b_{n_1+\dots+n_{k-1}+1}, \dots, b_n).$$

In this case we say $F = F_1 \| F_2 \| \dots \| F_k$, and call $F$ a concatenated encoding.

Fig. 5. AES algorithm with modified structure.

The encryption algorithm is implemented as a sequence of look-ups from different look-up tables. The output encoding of any table matches the input encoding of the table following it, so the encodings cancel each other. After the encryption routine is over, the value of $E'_K = G \circ E_K \circ F^{-1}$ is properly computed, as all intermediate encodings are cancelled out. We will present an unprotected implementation first, to describe the tables we need, and then describe the modified, protected version of the tables.

3.1 Unprotected Implementation

For each round, the AddRoundKey and SubBytes transformations can be performed using 16 look-up tables that map 1 byte to 1 byte. These look-up tables are called T-boxes, and are defined as follows:

$$T_i^r(x) = S(x \oplus \tilde{k}_{r-1}[i]), \quad i = 0..15,\ r = 1..9, \qquad (1)$$

$$T_i^{10}(x) = S(x \oplus \tilde{k}_9[i]) \oplus k_{10}[i], \quad i = 0..15. \qquad (2)$$

It is obvious that T-boxes have no security and the attacker can easily extract the keys from the T-boxes, if those were provided. So additional encoding is applied to the T-boxes before they can be used. After the state vector passes through the T-boxes, the MixColumns operation must be applied to it. The MixColumns operation multiplies each 4 bytes of the state vector $[x_1, x_2, x_3, x_4]$ by the matrix

$$MC = \begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}.$$

This can be accomplished by the so-called $Ty_i$ tables, where

$$Ty_0(x) = x \cdot [02\ 01\ 01\ 03]^T, \qquad (3)$$

$$Ty_1(x) = x \cdot [03\ 02\ 01\ 01]^T, \qquad (4)$$

$$Ty_2(x) = x \cdot [01\ 03\ 02\ 01]^T, \qquad (5)$$

$$Ty_3(x) = x \cdot [01\ 01\ 03\ 02]^T. \qquad (6)$$

So the $Ty_i$-boxes are 1-byte to 4-byte tables. The outputs of each 4 consecutive $Ty_i$ tables must be XOR-ed to get the output of the round, i.e. $Ty_0(x_1) \oplus Ty_1(x_2) \oplus Ty_2(x_3) \oplus Ty_3(x_4)$. XOR tables are used for this purpose:

$$XOR(x, y) = x \oplus y. \qquad (7)$$

XOR tables operate on 2 nibbles (4-bit values), so they are 1-byte to 4-bit mapping tables. The XOR of two 32-bit values can be computed using 8 copies of these XOR tables. One can notice that T-boxes and $Ty_i$ boxes can be combined into a single table. These tables look as follows:

$$Ty_0(T_i^r(x)) = S(x \oplus \tilde{k}_{r-1}[i]) \cdot [02\ 01\ 01\ 03]^T, \qquad (8)$$

$$Ty_1(T_i^r(x)) = S(x \oplus \tilde{k}_{r-1}[i]) \cdot [03\ 02\ 01\ 01]^T, \qquad (9)$$

$$Ty_2(T_i^r(x)) = S(x \oplus \tilde{k}_{r-1}[i]) \cdot [01\ 03\ 02\ 01]^T, \qquad (10)$$

$$Ty_3(T_i^r(x)) = S(x \oplus \tilde{k}_{r-1}[i]) \cdot [01\ 01\ 03\ 02]^T. \qquad (11)$$

Then the outputs of these tables must be passed through XOR boxes to get the round's output. So there will be 144 composed T-box/$Ty_i$ tables, 864 XOR tables and 16 T-boxes in total for all the rounds of AES together. These boxes are not secure against key extraction. The next section changes these tables to apply some defense mechanisms against different attacks.

As there are just 256 possible values for $\tilde{k}_{r-1}[i]$, one can build a T-box/$Ty_i$ table for each of these values, and check if the table we provide matches any of those.
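The Python code below is an added example, not code from the paper or from Chow et al. It builds the unprotected composed T-box/$Ty_i$ tables of equations (3)-(6) for one state column, checks that four look-ups XOR-ed together reproduce AddRoundKey, SubBytes and MixColumns, and runs the 256-candidate comparison described above. The key bytes and input column are constructed sample values, and ShiftRows indexing is left out.

```python
def gmul(a, b):
    """Multiply a and b in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def make_sbox():
    """AES S-box: inversion in GF(2^8) followed by the fixed affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        rot = [((inv << n) | (inv >> (8 - n))) & 0xFF for n in range(1, 5)]
        sbox.append(inv ^ rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ 0x63)
    return sbox

SBOX = make_sbox()
MC = [(2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2)]
# Ty_i multiplies by column i of MC, as in equations (3)-(6).
MC_COLS = list(zip(*MC))

def composed_entry(key_byte, i, x):
    """Ty_i(T(x)) for T(x) = S(x XOR key_byte): the 4 output bytes."""
    s = SBOX[x ^ key_byte]
    return tuple(gmul(s, c) for c in MC_COLS[i])

def composed_table(key_byte, i):
    """Unprotected T-box/Ty_i table: 256 entries of 4 bytes each."""
    return [composed_entry(key_byte, i, x) for x in range(256)]

def lookup_column(tables, column):
    """One output column: four table look-ups XOR-ed byte by byte."""
    out = (0, 0, 0, 0)
    for table, x in zip(tables, column):
        out = tuple(o ^ t for o, t in zip(out, table[x]))
    return out

def reference_column(key, column):
    """AddRoundKey, SubBytes and MixColumns computed directly."""
    s = [SBOX[x ^ k] for x, k in zip(column, key)]
    return tuple(gmul(s[0], r[0]) ^ gmul(s[1], r[1])
                 ^ gmul(s[2], r[2]) ^ gmul(s[3], r[3]) for r in MC)

def matching_key_bytes(table, i):
    """Key bytes whose candidate table equals `table` (at most 256 tries)."""
    return [k for k in range(256)
            if all(table[x] == composed_entry(k, i, x) for x in range(256))]

# Constructed sample values (assumptions, not from the paper); KEY stands for
# the ShiftRows-adjusted round-key bytes that feed one column.
KEY = (0x2B, 0x7E, 0x15, 0x16)
COLUMN = (0x32, 0x43, 0xF6, 0xA8)
TABLES = [composed_table(k, i) for i, k in enumerate(KEY)]

if __name__ == "__main__":
    print(lookup_column(TABLES, COLUMN) == reference_column(KEY, COLUMN))
    print([matching_key_bytes(t, i) for i, t in enumerate(TABLES)])
```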
This will allow an attacker to extract the key from the T-box/$Ty_i$ tables.

3.2 Protected Implementation

To prevent this, input and output encodings are applied to all the tables. The encodings are applied in a networked fashion, so all the encodings except the input encoding of the first round $F$ and the output encoding of the last round $G$ cancel each other out, and the function $E'_K = G \circ E_K \circ F^{-1}$ is calculated by using these tables. Here $G$ and $F$ are concatenated encodings of 128 bits, made of 16 bijections of 8 bits each. These encodings dramatically increase the total number of possible tables. There are $(16!)^2$ possible input encodings and $(16!)^8$ output encodings per table. It is obvious that for a fixed input key, the tables constructed for different output encodings are all different. This means that there are at least $(16!)^8$ possible tables, which makes it impossible for the attacker to enumerate them.

As the input/output encodings provide the confusion step for the tables, linear transformations are applied to produce the diffusion step. The table inputs and outputs are multiplied by randomly generated matrices over $GF(2)$, which are called mixing bijections. Sixteen 8-bit to 8-bit mixing bijections are randomly generated and applied at the inputs of each round except the first. Let us denote the mixing bijection for byte $i$ in round $r$ as $L_i^r$. Another four 32-bit to 32-bit mixing bijections $MB_i^r$, $i = 1..4$, $r = 1..9$, are applied to the outputs of all rounds except the last one. After these changes, the results obtained from the XOR tables need to be multiplied by the inverse of the mixing bijection $(MB_i^r)^{-1}$ and by $(L_i^{r+1})^{-1}$, so that the effect of $MB$ is cancelled out and the inverse of $L_i^{r+1}$ is applied, which can then be cancelled in the next round. This is done with the same technique as the MixColumns step, and additional XOR tables are created for this.
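An added example (not from the paper or from Chow's implementation) of two chained encoded tables: the internal concatenated encoding `H` and the mixing bijection `L` cancel between the tables, so the chain computes $G \circ \psi \circ \varphi \circ F^{-1}$. The random bijections `phi` and `psi` are stand-ins for key-dependent tables, all names are assumptions of this example, and `L` is folded into the first table rather than applied through separate XOR tables.

```python
import random

def invert(perm):
    """Inverse of a permutation given as a lookup list."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv

def concatenated_encoding(rng):
    """8-bit encoding F = F1 || F2 built from two random 4-bit bijections."""
    f1, f2 = rng.sample(range(16), 16), rng.sample(range(16), 16)
    fwd = [(f1[b >> 4] << 4) | f2[b & 0xF] for b in range(256)]
    return fwd, invert(fwd)

def mat_apply(rows, x):
    """Multiply an 8x8 GF(2) matrix (one int per row) by the bit vector x."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def mat_inverse(rows):
    """Gauss-Jordan inverse over GF(2); None if the matrix is singular."""
    a, inv = list(rows), [1 << i for i in range(8)]
    for col in range(8):
        piv = next((r for r in range(col, 8) if (a[r] >> col) & 1), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv[col], inv[piv] = inv[piv], inv[col]
        for r in range(8):
            if r != col and (a[r] >> col) & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv

def mixing_bijection(rng):
    """Random invertible 8x8 matrix over GF(2), returned with its inverse."""
    while True:
        rows = [rng.randrange(256) for _ in range(8)]
        inv = mat_inverse(rows)
        if inv is not None:
            return rows, inv

def build_network(seed=1):
    """Two chained encoded tables; phi and psi stand in for keyed tables."""
    rng = random.Random(seed)
    phi = rng.sample(range(256), 256)      # stand-in for a T-box (assumption)
    psi = rng.sample(range(256), 256)      # stand-in for the following table
    F, F_inv = concatenated_encoding(rng)  # external input encoding
    H, H_inv = concatenated_encoding(rng)  # internal encoding, cancels out
    G, _ = concatenated_encoding(rng)      # external output encoding
    L, L_inv = mixing_bijection(rng)       # mixing bijection, cancels out
    # Table A: decode F, apply phi, mix with L, encode with H.
    table_a = [H[mat_apply(L, phi[F_inv[x]])] for x in range(256)]
    # Table B: decode H, undo L, apply psi, encode with G.
    table_b = [G[psi[mat_apply(L_inv, H_inv[y])]] for y in range(256)]
    return {"A": table_a, "B": table_b, "F": F, "G": G, "phi": phi, "psi": psi}

def check_network(net):
    """Return (encodings_cancel, count of x whose wire value equals phi(x))."""
    a, b, F, G, phi, psi = (net[k] for k in ("A", "B", "F", "G", "phi", "psi"))
    cancel = all(b[a[F[x]]] == G[psi[phi[x]]] for x in range(256))
    exposed = sum(a[F[x]] == phi[x] for x in range(256))
    return cancel, exposed
```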
The total size of the lookup tables of this implementation is 770,048 bytes, and there are 3104 lookups during each execution [1]. For a more detailed tutorial on Chow's white-box AES refer to [6].

4. BGE Attack

The BGE attack, introduced by Billet, Gilbert and Ech-Chatbi in 2004 [2], targets not a single table from Chow's implementation, but a group of tables which form the AES round. As each table has good confusion and diffusion properties, it is hard to extract the key from a single table, but attacking a group of tables is more reasonable. The AES round is viewed as four 32-bit to 32-bit mappings $R_j^r$, where the structure of $R_j^r$ is shown in Figure 6. The $P_i^r$ are a combination of input encodings and mixing bijections, and the $Q_i^r$ are a combination of mixing bijections and output encodings. All the intermediate encodings between different tables have been cancelled out.

The BGE attack consists of 3 phases:

1) The values of the $P_i^r$ and $Q_i^r$ are recovered up to an unknown affine transformation. This allows us to replace the transformations $P_i^r$ and $Q_i^r$ with affine transformations $\tilde{P}_i^r$ and $\tilde{Q}_i^r$.
2) The values of $P_i^r$ and $Q_i^r$ are recovered completely.
3) Having $P_i^r$ and $Q_i^r$, the AES-128 key is extracted.

Let us denote the inputs of $R_0^r$ as $x_0, x_1, x_2, x_3$, and the outputs as $y_0, y_1, y_2, y_3$:

$$y_0 = Q_0(02 \cdot T_0^r \circ P_0^r(x_0) \oplus 03 \cdot T_1^r \circ P_1^r(x_1) \oplus 01 \cdot T_2^r \circ P_2^r(x_2) \oplus 01 \cdot T_3^r \circ P_3^r(x_3)), \qquad (12)$$

$$y_1 = Q_1(01 \cdot T_0^r \circ P_0^r(x_0) \oplus 02 \cdot T_1^r \circ P_1^r(x_1) \oplus 03 \cdot T_2^r \circ P_2^r(x_2) \oplus 01 \cdot T_3^r \circ P_3^r(x_3)), \qquad (13)$$

$$y_2 = Q_2(01 \cdot T_0^r \circ P_0^r(x_0) \oplus 01 \cdot T_1^r \circ P_1^r(x_1) \oplus 02 \cdot T_2^r \circ P_2^r(x_2) \oplus 03 \cdot T_3^r \circ P_3^r(x_3)), \qquad (14)$$

$$y_3 = Q_3(03 \cdot T_0^r \circ P_0^r(x_0) \oplus 01 \cdot T_1^r \circ P_1^r(x_1) \oplus 01 \cdot T_2^r \circ P_2^r(x_2) \oplus 02 \cdot T_3^r \circ P_3^r(x_3)). \qquad (15)$$

Now, having these tables, we must find a transformation $\tilde{Q}_i^r$ such that $\tilde{Q}_i^r = Q_i^r \circ A_i^r$, i.e. one that differs from $Q_i^r$ by an unknown affine transformation $A_i^r$. So $y_0$ is a function of 4 parameters $x_0, x_1, x_2, x_3$.
Let us fix the values of $x_1$ and $x_2$ to $c_1$ and $c_2$, respectively, and give 2 different values to $x_3$, namely $c_3$ and $c_3'$. We get 2 functions:

$$y_0(x_0, c_1, c_2, c_3) = Q_0(02 \cdot T_0^r \circ P_0^r(x_0) \oplus B_{c_1,c_2,c_3}), \qquad (16)$$

$$y_0(x_0, c_1, c_2, c_3') = Q_0(02 \cdot T_0^r \circ P_0^r(x_0) \oplus B_{c_1,c_2,c_3'}). \qquad (17)$$

From these 2 equations we get:

$$y_0(x_0, c_1, c_2, c_3) \circ y_0(x_0, c_1, c_2, c_3')^{-1}(x) = Q_0(Q_0^{-1}(x) \oplus B), \quad \text{where } B = B_{c_1,c_2,c_3} \oplus B_{c_1,c_2,c_3'}. \qquad (18)$$

Fig. 6. $R_0^r$ mapping, 1 of the 4 mappings that make the AES round.

If we vary the value of $c_3$ so that it takes all 256 possible values in $GF(2^8)$, the value of $B$ also takes all 256 different values. This gives us all 256 functions $Q_0(Q_0^{-1}(x) \oplus B)$ for all values of $B$. This set of bijections forms a commutative group. Billet et al. provide a technique to recover the value of $Q_0$ up to an unknown affine transformation, given this group of bijections. Once this is done, we can change all the tables to use $\tilde{Q}_i$ instead of $Q_i$, which significantly weakens the confusion properties of the tables. This allows key extraction, which is described in detail in [2].

5. Karroumi's AES White-box Implementation

In 2010 Mohamed Karroumi presented a modification of Chow's AES white-box algorithm, which was supposed to withstand the BGE attack [3]. The algorithm is based on the use of AES dual ciphers. AES dual ciphers were first presented in [7] with a list of 240 ciphers. This list was further expanded to 61,200 ciphers that are dual to AES in [8]. For each of these dual ciphers, there exists an affine transformation $\Delta$ that maps the AES plaintext $P$, ciphertext $C$ and key $K$ into the plaintext $P_{dual}$, ciphertext $C_{dual}$ and key $K_{dual}$ of a dual AES, i.e. $P_{dual} = \Delta(P)$, $C_{dual} = \Delta(C)$ and $K_{dual} = \Delta(K)$. In Karroumi's white-box implementation, a dual AES is selected randomly for each of the 10 rounds of AES.
The SubBytes constants, MixColumns matrix and key of the corresponding dual AES cipher are used for building the T-box/$Ty_i$ tables. In order to get the same output values for the same input values as Chow's AES algorithm, the affine transformation $\Delta_r$ must be applied at the input of each round, and $\Delta_r^{-1}$ at the output of the round. The outputs of each round of this implementation will be different from Chow's outputs, as different SubBytes and MixColumns values are used, but the final round outputs will match.

Fig. 7. AES white-box round structure of Karroumi's modification.

One can notice that, as each 4 output bytes of an AES round depend on only 4 input bytes, 4 different dual ciphers may be used in each round, thus employing 40 different randomly chosen dual ciphers in total. These changes will not affect the general structure of the tables, so the speed and memory requirements will be identical to Chow's implementation. Karroumi argues that the attacker will need to brute-force these randomly chosen dual ciphers, which will increase the security to $2^{91}$. The detailed description of this implementation can be found in [3].

6. BGE Attack on Karroumi's Implementation

It is shown in [4] that an encoded dual AES subround can be represented as an encoded AES subround with the same key. This lets the attacker convert Karroumi's tables into Chow's tables, and apply the BGE attack in exactly the same way. A detailed explanation of how to do the conversion can be found in Section 4.1 of [4].

7. Conclusion

In this paper we reviewed Chow's and Karroumi's white-box implementations of the AES algorithm and briefly described the BGE attack, which was successfully applied to both implementations. So far no known secure AES white-boxes were created; all the known implementations were broken with a work factor less than $2^{30}$.

References

[1] S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot, “White-box cryptography and an AES implementation”, In 9th Annual Workshop on Selected Areas in Cryptography (SAC 2002), Aug. 15-16, pp. 1–18, 2002.
[2] O. Billet, H. Gilbert and C. Ech-Chatbi, “Cryptanalysis of a white-box AES implementation”, In Selected Areas in Cryptography (SAC), pp. 227-240, 2004.
[3] M. Karroumi, “Protecting white-box AES with dual ciphers”, In Kyung-Hyune Rhee and DaeHun Nyang, editors, Information Security and Cryptology - ICISC 2010, of Lecture Notes in Computer Science, Springer Berlin Heidelberg, vol. 6829, pp. 278–291, 2011.
[4] Y. De Mulder, P. Roelse and B. Preneel, “Revisiting the BGE attack on a white-box AES implementation”, [Online]. Available: http://eprint.iacr.org/2013/450.pdf
[5] National Institute of Standards and Technology (NIST), “Advanced Encryption Standard (AES)”, FIPS Publication 197, 26 Nov. 2001.
[6] (2012) J. A. Muir, “A Tutorial on White-box AES”, Mathematics in Industry [Online]. Available: http://www.ccsl.carleton.ca/jamuir/papers/wb-aes-tutorial.pdf
[7] (2002) E. Barkan and E. Biham, “The book of Rijndaels”, Cryptology ePrint Archive, Report 2002/158, [Online]. Available: http://eprint.iacr.org/2002/158
[8] A. Biryukov, C. De Cannière, A. Braeken, B. Preneel, “A toolbox for cryptanalysis: Linear and affine equivalence algorithms”, EUROCRYPT 2003. LNCS, vol. 2656, pp. 33–50, 2003.

Submitted 08.07.2016, accepted 04.11.2016.
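Added example, not part of the original paper or of [2]: a numerical check of the statement in Section 4 that the 256 maps of equation (18) form a commutative group. Random bijections stand in for $T_i^r \circ P_i^r$ and $Q_0$ (an assumption of this example), and the maps are built only from the observable function $y_0$.

```python
import random

def xtime(a):
    """Multiply by 02 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def mul(c, a):
    """Multiply a by the MixColumns coefficient c (01, 02 or 03)."""
    return {1: a, 2: xtime(a), 3: xtime(a) ^ a}[c]

def build_y0(seed=1):
    """y0 of equation (12) with random bijections as stand-ins.

    TP[i] plays the role of T_i^r composed with P_i^r, Q0 the output encoding.
    """
    rng = random.Random(seed)
    TP = [rng.sample(range(256), 256) for _ in range(4)]
    Q0 = rng.sample(range(256), 256)

    def y0(x0, x1, x2, x3):
        v = 0
        for c, t, x in zip((2, 3, 1, 1), TP, (x0, x1, x2, x3)):
            v ^= mul(c, t[x])
        return Q0[v]
    return y0

def translation_set(y0, c1=0, c2=0, c3_ref=0):
    """The maps y0(., c1, c2, c3) o y0(., c1, c2, c3_ref)^-1 for all 256 c3."""
    ref = [y0(x, c1, c2, c3_ref) for x in range(256)]
    ref_inv = [0] * 256
    for x, y in enumerate(ref):
        ref_inv[y] = x
    maps = set()
    for c3 in range(256):
        cur = [y0(x, c1, c2, c3) for x in range(256)]
        maps.add(tuple(cur[ref_inv[y]] for y in range(256)))
    return maps

def compose(f, g):
    """Composition f o g of two byte maps stored as tuples."""
    return tuple(f[g[x]] for x in range(256))

def group_properties(maps, sample=16):
    """(size, has identity, closed, commutative, all involutions).

    Closure and commutativity are checked on a sample of pairs to keep
    the run short; the involution check covers every map.
    """
    some = sorted(maps)[:sample]
    ident = tuple(range(256))
    closed = all(compose(f, g) in maps for f in some for g in some)
    commutes = all(compose(f, g) == compose(g, f) for f in some for g in some)
    involutions = all(compose(f, f) == ident for f in maps)
    return len(maps), ident in maps, closed, commutes, involutions
```

Every map is an involution because $B \oplus B = 0$, so the group is isomorphic to $(GF(2)^8, \oplus)$ regardless of how $Q_0$ was chosen.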