Review of White-box Implementations of AES Block Cipher and Known Attacks


  • Martun M. Karapetyan Institute for Informatics and Automation Problems of NAS RA


Cryptography, White-box, AES, BGE attack, Review


Conventional encryption algorithms are designed to be secure in the “black-box” context, i.e. the attacker has access to the input and output of the algorithm, but cannot observe the intermediate values generated during the software execution. Yet in some cases, the encryption algorithm runs in a hostile environment, where the attacker can see not only the input and output values but also has full access to all the internal values and can change the execution at will. White-box cryptography algorithms are designed to be executed in such untrusted environments and are said to operate in the white-box attack context. A white-box implementation of AES cipher was first presented by Chow, Eisen, Johnson and van Oorschot in 2002 [1], which was shown to be insecure against the BGE attack presented by Billet, Gilbert and Ech-Chatbi in 2004 [2]. In 2010, another white-box AES implementation was presented by Karroumi, which was supposed to withstand the BGE attack [3]. In 2013, De Mulder, Roelse, and Preneel showed, that Karroumis and Chows implementations are equivalent, i.e. the BGE attack can be successfully applied to both [4]. They also presented several optimizations, which reduce the work factor of the attack to 222 work steps. In this paper we will review both AES implementations and the BGE attacks.


S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot, “White-box cryptography and an AES implementation", In 9th Annual Workshop on Selected Areas in Cryptography (SAC 2002), Aug. 15-16, pp. 1-18, 2002.

O. Billet, H. Gilbert and C. Ech-Chatbi, “Cryptanalysis of a white-box AES implementation", In Selected Areas in Cryptography (SAC), pp.227-240, 2004.

M. Karroumi, “Protecting white-box AES with dual ciphers", In Kyung-Hyune Rhee and Dae Hun Nyang, editors, Information Security and Cryptology – ICISC 2010, of Lecture Notes in Computer Science, Springer Berlin Heidelberg, vol. 6829, pp. 278-291, 2011.

Y. De Mulder, P. Roelse and B. Preneel, “Revisiting the BGE attack on a white-box AES implementation", [Online]. Available:

National Institute of Standards and Technology (NIST), “Advanced Encryption Standard (aes)", fips Publication 197, 26 Nov. 2001.

(2012) J.A. Muir, “A Tutorial on White-box AES", Mathematics in Industry [Online]. Available:

(2002) E. Barkan and E. Biham, "The book of Rijndaels", Cryptologye Print Archive, Report 2002/158, [Online]. Available:

A.Biryukov, C.De Canni` ere, A. Braeken, B. Preneel, “A toolbox for cryptanalysis: Linear and affine equivalence algorithms", EUROCRYPT 2003. LNCS, , vol.2656, pp. 33-50, 2003.




How to Cite

Karapetyan, M. M. (2021). Review of White-box Implementations of AES Block Cipher and Known Attacks. Mathematical Problems of Computer Science, 46, 26–36. Retrieved from