Evaluation of white-box and grey-box Noekeon implementations in FPGA Zouha Cherif 1,2 , Florent Flament 1 , Jean-Luc Danger 1 , Shivam Bhasin 1 , Sylvain Guilley 1 and Herv´ e Chabanne 1 1 Institut TELECOM, TELECOM ParisTech, CNRS LTCI, 46 rue Barrault 75634 Paris, France. 2 Institut TELECOM, ´ Ecole Sup´ erieure des Communications de Tunis Cit´ e Technologique des Communications 2083 Ariana, Tunisie. <firstname.lastname@telecom-paristech.fr> Abstract—White-box implementations of cryptographic algo- rithms aim to denying the key readout even if the source code embedding the key is disclosed. They are based on sets of large tables perfectly known by the user but including unknown en- coding functions. While former white-box implementations have been proposed in software, hardware white-box implementations are also possible. Their main drawback is the complexity of their architectures, which often requires large tables. In this paper we show that it is possible to implement white-box cryptography in an FPGA by taking advantages of LUTs. We also propose a grey-box approach, where intermediate random variables are unknown to the attacker. We show that such approach allows to reduce the complexity by using fewer tables. The resistance against side channel attacks has been evaluated for different implementations. Our results show the interest of the proposed methods for a better compromise complexity/security. Index Terms—white-box cryptography, grey-box cryptography, FPGA implementations, Noekeon, Side Channel Analysis, SCA, Mutual Information Metric, MIM, random number generator, TRNG. I. I NTRODUCTION Side channel analysis or attacks (SCA) exploit information leaked from the physical implementation of a cryptographic system. The leakage is passively observed via timing infor- mation, power consumption, electromagnetic radiations, etc. Protection against side channel attacks is important because the attacks can be implemented quickly and at a low cost. White-box cryptography has been introduced in the domain of Digital Rights Management with the ambitious goal of protecting keys of a block cipher while leaving to an ad- versary the whole access to the software implementing this algorithm. Practically, this leads to ciphers represented by a network of look-up tables (LUTs), which hide the structure of the cipher as the tables embed external encoding bijections. Software white-box implementations for DES and AES have been proposed in [1], [2], while several cryptanalytic works have been done on such implementations [3]–[6]. Then, a hardware grey-box implementation has been introduced in [7] to thwart Side Channel Attacks against Reverse Engineering (SCARE) [8]. The grey-box approach is a degradation of the white-box approach, where some variables are random, hence reputed unknown. As in the case of the software white- box implementations, the whole computation is done inside tables, whose output are systematically encoded. In this paper, we consider that an attacker has access only to the bitsteam and the power consumption of the device. We note that the bitstream does not reveal the key drowen into the table, which may leak during computation. However, the grey-box implementation uses random bits that cannot be known by the attacker and that dynamically change the encoding functions used to encode the data. In this work we focus on key recovery. We will therefore experimentally evaluate the grey- box hardware implementation of the Noekeon cipher that has been proposed by J. Bringer et al. in [7] and we will propose a white-box alternative using 3-bits encoding functions. As the complexity of architectures based on large tables can be a major issue, we give some feasibility analysis of both white-box and grey-box implementations. To illustrate our results, we implemented the Noekeon cipher [9] as a reference. Nevertheless, without loss of generality, the pro- posed architectures may be ported to classical symmetrical cryptography algorithms as DES or AES. Thereafter we also evaluate the robustness of our implementations on FPGA with regards to security. We use mutual information metric as a distinguisher to characterize the point and amount of leakage without mounting an attack. The remainder of this paper is organized as follows. Sec- tion II gives an overview of the Noekeon cipher. Section III focuses on practical aspects of a hardware white-box imple- mentation. Section IV considers the grey-box implementation where random variables are used. Then section V presents a complexity comparison between the different implementa- tions and assesses their robustness. Finally the conclusion, in section VI, summarizes the impact of the white-box and grey-box approaches to protect hardware implementations of cryptoprocessors. II. NOEKEON IN HARDWARE A. The Noekeon Algorithm This section gives a short overview of the Noekeon cipher. Noekeon was proposed to the NESSIE project in 2000 [9]– [11]. Noekeon is a 128-bit block cipher over 16 rounds. It