Hologram: Shut up! You do not know the power of the Blue Galaxy Energy! Also known as the "B.G.E" Mr. Whereabout: The Loss, Part III, Volume I
BlueGalaxyEnergy is a tool to perform the so-called BGE attack described in
- Cryptanalysis of a White Box AES Implementation, Olivier Billet, Henri Gilbert, Charaf Ech-Chatbi
with the optimizations proposed in:
- Improved cryptanalysis of an AES implementation, Ludo Tolhuizen
- Revisiting the BGE Attack on a White-Box AES Implementation, Yoni De Mulder, Peter Roelse, Bart Preneel
To compile and install the project, install gmp and ntl libraries and development headers (available in your OS package manager), e.g.
$ sudo apt install libgmp-dev libntl-dev
or on Arch
$ sudo pacman -S gmp ntl
or on macOS
$ brew install gmp ntl
$ export CPATH=/opt/homebrew/opt/gmp/include:/opt/homebrew/opt/ntl/include
then compile and install the package locally:
$ pip install bluegalaxyenergy
$ python3 -m bluegalaxyenergy --selftest
from bluegalaxyenergy import WhiteBoxedAES, BGE
class MyWhiteBoxedAES(WhiteBoxedAES):
def __init__(self, ...):
# TODO
def isEncrypt(self):
# return True if the whitebox is an encryption whitebox, False otherwise
return True
def getRoundNumber(self):
# return the number of rounds of the whitebox (10 for AES128,
# 12 for AES192 and 14 for AES256)
return 10
def applyRound(self, data, roundN):
# Apply a round of the whitebox on a buffer
# [param] data a buffer of 16 bytes (type bytes)
# [param] roundN the round number to apply (int in the range [0, self.getRoundNumber()) )
# return 16 bytes of the encrypted data by the round
return ... # TODO
mywb = MyWhiteBoxedAES(...)
# run the attack
bge = BGE(mywb)
bge.run()
# extract the key from the available roundKey
key = bge.computeKey()
if key is not None:
print("key:", key.hex())
By default, the method run
extracts all rounds except for the last one, which
lacks a MixColumns operation. You can restrict the rounds used for the attack
using the roundList
option: run(roundList = [4, 5, 6, 7, 8])
.
However, the attack requires a minimum of three consecutive rounds to extract a single round key.
- AES128 necessitates a minimum of three consecutive rounds for key extraction.
- AES192 and AES256 require a minimum of four consecutive rounds.
If the whitebox's intermediary state is shuffled, specify shuffle=True
in the run
method.
When shuffled, the number of required rounds increases to four for AES128 and AES192, and five for AES256.
Insufficient rounds will result in no key being found or a dictionary containing 16 possible keys.
The bge class can additionally extract the encoding of the intermediary round (with bge.getEncoding()
)
and the permutation of the intermediary round if the whitebox is shuffled (with bge.getShuffle()
).
For more information on these elements, refer to the test implemented in __main__.py
.
Initial Authors and Contributors:
- Laurent Grémy
- Nicolas Surbayrole
- Philippe Teuwen
For subsequent contributions, see the git projet history.
BlueGalaxyEnergy is provided under the Apache 2.0 license.