White Box Implementations Using Non-Commutative Cryptography

In this paper, we present a method to create a safe arithmetic that can be used to obfuscate implementations that require operations over commutative groups. The method is based on the structure of the endomorphisms of certain extensions of the original commutative group. The endomorphisms of a commutative group are non-commutative (in general), thus we can use a non-commutative group to emulate the arithmetic of a commutative one. The techniques presented in this paper are very flexible and the programmer has a wide variety of options to obfuscate the algorithms. The system can be parameterized using conjugations, thus it is possible to generate a different arithmetic for each instance of the program with a change in the security parameters, even in cases in which this number is huge (for example, in IoT applications). The security of this method is based not only on the difficulty of the conjugacy search problem (in a harder version because only partial information about the groups is known by the attacker), but also in a number of extra options that can be chosen by the programmer. The paper explains the general method, analyzes its algebraic properties and provides detailed examples based on the vector spaces over F2 and XOR operators.


Introduction
The most traditional framework for cryptography is a pair of users, Alice and Bob, where Alice wants to send a message m to Bob through a communication channel. Alice and Bob live in secure bubbles, but the outside world is insecure and other users can be listening to the channel, therefore they agree to two functions E and D such that D(E(m)) = m and instead of sending m, Alice sends E(m). Bob knows the function D and can compute m = D(E(m)) but any listener through the insecure channel would get E(m) and this information is useless without the function D. The functions E and D can be parameterized by a value k (the key) such that the algorithms can be made public and, if the value k is kept safe, the communication is secure.
This framework (the channel is insecure but the functions E and D are computed in a safe environment) is not valid in many real life situations. Consider the following examples: • A sensor network with multiple nodes in which an attacker could have full access to some of them • A virus or an intruder getting valuable information from a running system • Cloud or fog computations in which the environment is not completely safe due to malicious nodes or vulnerabilities such as Meltdown, Spectre, etc. • Content providers broadcasting encrypted data to users that could try to obtain decryption keys to illegally distribute them to other users • Computer games with limited licenses that could be manipulated by the users to obtain upgraded versions for free As we can see in these examples, the sensitive information can be the data used in the computation or even the algorithm itself. White box cryptography assumes that the attacker has full access to the hardware and software, and even in that insecure environment, the obfuscated software would not provide sensible information to the attacker.
To define clearly which information is available to the attacker and which design parameters are not visible, we consider that an obfuscated implementation has public and private elements. The code itself is one of these public elements. A system is considered safe if the private elements cannot be (easily) recovered using the public information. Although all the techniques explained in this paper can also be used to hide the algorithm, we consider the worst case in which the attacker knows the algorithm that is implemented.
This case is usually considered in white box cryptography, for example safe implementations of the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) have been a major target in the development of white box cryptography.
One of the first proposals for DES, made by Chow et al. in [1], attracted great interest, although it was almost immediately broken by Jacob et al. in [2] and Goubin et al. in [3]. Chow et al. also proposed a white-box implementation for AES in [4], broken by Billet et al. in [5]. The algorithms for DES and AES share a similar structure, they have several rounds with combinations of affine transformations, XOR operators and S-boxes. A general attack over this kind of algorithms applied to cases different from DES and AES was given by Michiels et al. in [6]. Another attack based on this structure was given by Biryukov et al. in [7].
One standard technique used in white box cryptography when we have an addition is to spread the information into pieces (called shares) that are combined using the addition and some hidden linear transformations. For example, suppose that a vector v is represented by two vector v 1 and v 2 , and we have secret linear transformations e 1 and e 2 such that v = e 1 (v 1 ) + e 2 (v 2 ). The attacker can see v 1 and v 2 but e 1 and e 2 remain secret. If w = e 1 (w 1 ) + e 2 (w 2 ) is the representation of another vector, we know that v + w = e 1 (v 1 + w 1 ) + e 2 (v 2 + w 2 ), thus the program can compute additions without revealing e 1 and e 2 . The problem is that the combination of these techniques with nonlinear transformations (S-boxes) can be analyzed to recover information.
A milestone in the history of white box cryptography was the WhibOx challenges that took place in 2017 (see [8]). In this contest, the developers created white box implementations of the advanced encryption standard (AES) following certain rules. The result was that the 94 challenges presented were broken 877 times. All of them were broken, in many cases using known techniques including the ones published in the previously mentioned examples. These kinds of breaks were done in a short period of time. Only 21 required more than one day to be broken for the first time. In general, those were the ones that required more special and unpublished attacks.
The second most resistant implementation on that contest is based on some of the ideas presented in this paper, although this paper is not about that implementation because the method presented in this paper is more sophisticated and it is not limited to the conditions of that contest. More details about the challenge and the attack made to the first implementation can be seen in [9,10].
It is possible to consider several approaches to white-box implementations. One of them is to consider an algorithm as a boolean circuit and implement methods for the basic boolean operators. This is the idea presented in [10]. In this paper, we assume that the algorithm requires an obfuscated arithmetic over a commutative group V. Vector spaces are commutative groups and they are our main examples, but the theoretical construction is done in general. The role played by square matrices in the case of vector spaces, is played by the endomorphisms e : V → V in the case of commutative groups.
To represent the elements, we combine endomorphisms and values in V, but instead of having invisible operators e i and visible values v i , we have visible information related with the operators e i and invisible values v i . There are many advantages in this new approach. First, we can have a huge number of endomorphisms even in small cases, for example a vector space with 2 8 vectors has 2 8 2 = 2 64 matrices and we only need a small number of them to represent all the vectors, thus we have a lot of freedom to choose the ones to be used. The actual matrices need not be revealed, only how they operate, and many subsets can have identical operation tables. Moving the representation from V to the side operators is a kind of nonlinear transformation similar to a logarithm. This non-linearity avoids the standard attacks based on linearity and new layers of security can be applied without risk. The problem is that we cannot apply the linearity to compute the addition, thus we have to learn how to add using this new representation. This can be done by introducing new operators that are different from traditional ones. This new arithmetic is also an advantage because it can be parameterized by choosing different subsets of transformations (something similar to having a free choice for the base of the logarithms). The new operators also require smaller tables than the standard ones because the growth of the tables is linear and not quadratic. Finally, the use of non-commutative subgroups given by endomorphisms forces the attacker to solve the conjugacy search problem (CSP), which is considered hard even for quantum computers; thus, systems based on non-commutative groups can be considered as post-quantum cryptosystems. Several protocols and cryptosystems have been developed in recent years based on non-commutative groups (see, for example, [11]). This paper is structured as follows. After this Introduction, the theory is explained in two steps. The main public and private elements of the theory are explained in Section 2. The second step is given in Section 3, in which we show some mathematical properties of the theory that can be used for an attacker to analyze the system and protections against them. The method is discussed in Section 4. In that section, we include information about use cases and further applications, especially to IoT. In Section 5, we show a big example with the most advanced features. The conclusions are in Section 6. Section 7 has information about patents related with this research. Finally, the paper has two appendices. Appendix A gives some basic mathematical terminology that is used in the paper. Appendix B contains a small obfuscated implementation using the techniques explained in the paper, written in full detail.

Private Arithmetic (Basic Version)
In this section, we describe the mathematical structure of an obfuscated implementation using a private arithmetic. Cryptography and cryptanalysis are in many cases "cat-and-mouse" games, in which the cryptographer tries to mislead the attacker by breaking the original rules and the attacker also tries methods that were not originally considered by the cryptographer in order to analyze the system and reveal the secret information.
The intention of this section is to give the definitions that explain the structure of the proposed obfuscation in a logical way. However, these definitions and procedures can be made more flexible to include some traps or difficulties to the attacker. Examples of these traps could be that not all the elements of a group are used in actual computations and we can include some misbehavior in these elements. In this example, we cannot say that A is a commutative group if there are two elements in A that do not have a correct multiplication. These special cases are a nightmare for explanations and we have decided to start with a basic version without tricks and we consider them in Section 3.
The objective of this theory is to obfuscate algorithms or data used in mathematical computations. The computations take place in a commutative group V that is called the external commutative group. This group is considered public.
The idea behind the technique that we explain is to use another commutative group M that is called the internal commutative group to make the internal computations. This group is private and, in fact, is not visible in the implementation. The operations in M are done using tables that do not provide the usual group addition, but certain information that is used to compute other non-standard operators.
In this section, the relation between M and V is simple; we have a projection p : M → V. This is a surjective group homomorphism and every element v ∈ V is represented using values m ∈ M such that p(m) = v. This relation is much more complex in the non-basic version given in Section 3.
The tables and methods that let us compute with the elements of M are called internal arithmetic. We call external arithmetic any computation that requires the actual value in the external group V and not only the value over M. A private arithmetic is a combination of an internal and an external arithmetic.
A critical point in the program is a place at which the actual value in V has to be used for the computation. For example, the input and the output of the program are critical points. The computations that take place in between are called connected components. A more detailed explanation about the connected components is provided in Section 2.10.
We decompose the analysis in two parts: first we analyze the internal arithmetic. This arithmetic can be used for several implementations. The elements of the internal arithmetic are: • Public: Correspondence between heading spaces and valid elements (π X ) - The second part is the elements that depend on the implementation and the group V (the external arithmetic). Its elements are: • Public:

-
The external commutative group V - The program -Input Tables  -Output Table  -Tables for non-linear operators • Private: -Control values and deals -Extra affine transformations We have already mentioned the external commutative group V and the internal commutative group M; the rest of the elements are analyzed in different subsections.

Public Group G (Public)
The arithmetic is ruled by a group G. This group is given up to isomorphism. Therefore, it is possible to give it with its multiplication table or with any other representation that let us compute with the elements of the group. The group G is in general non-commutative.

Extended Group H ϕ G (Private)
We select a second group H and a group homomorphism ϕ : G → Aut(H) to build the semi-direct product of the groups, H ϕ G. The group G is public, but the extension of the group to H ϕ G is not.

Representation of H ϕ G Using Endomorphisms of M (Private)
One of the most critical points in the security of the obfuscation is how the values of H ϕ G operate over the elements of M. This requires a group homomorphism ψ : H ϕ G → Aut(M). This is known in the literature as a representation of the group H ϕ G on M, but, in this paper, we use also the word representation for other constructions, for example the representation of an element of V using elements of M, or the representation of elements in M with other arithmetical expressions; therefore, we use the more generic term action of H ϕ G on M, which is used when M has no additional structure, but is valid in general.
The group G is a subgroup of H ϕ G, thus the action ψ also induces an action of G on M.
Given two actions ψ, ψ : H ϕ G → Aut(M), these are equivalent if there exists a group automorphism t : Equivalent actions generate different arithmetics using the same groups. Their similar structures make them difficult to recognize for an attacker. Let G be the group generated by the matrix g and H the group generated by h. In this case, G has 2 elements and H has 3. The group H has a nontrivial automorphism τ : H → H given by τ(h) = h −1 and one possible homomorphism ϕ : G → Aut(H) would be ϕ(g i ) = τ i . The semi-direct product H ϕ G is a group of six elements and ψ : H ϕ G → Aut(M) is given using the matrices g and h that we have defined previously.
The group Aut(M) is the group of invertible matrices 4 × 4 over F 2 . This group has 20,160 elements and, using invertible matrices t to generate other actions equivalent to ψ, we get 540 essentially different actions of H ϕ G on M.

Heading Spaces (Public)
A heading space is a set X with an action G × X → X. It is not even necessary that the set X has an additive structure; it can be any set that could be operated with the elements of G. We can have one or more heading spaces.
In this paper, we see several examples of heading spaces. We can have an additional structure on X, but it is not used; only the multiplication of the elements of G by the elements of X is relevant. It is also possible to have a set X with some values that are not really used in the computation. If this happens, we consider in this section that the real heading space is the subset of X given by the orbits actually used in the computation with legitimate values.
It is always possible to have heading spaces for any number of orbits. If we want to have n orbits, we can use the heading space X = G × {1, 2, · · · , n} with the action G × X → X given by g · (g , i) = (gg , i) for all g, g ∈ G and all i ∈ {1, 2, · · · , n}. It is also possible to use any other set X with an action for the group G.

Definition 1.
A head is a pair (h, x) where x is in a heading space and h ∈ H. The value h is called the H-modifier of the head. The elements in the program is represented using heads, but the only visible element is the element x ∈ X. The H-modifier is known by the compiler or the programmer, but it is not visible during the computation.

Correspondence between Heads and Elements of M (Private)
For every heading space X, we have a map π X : X → M such that π X (gx) = gπ X (x) (a map between G-gets with this property is called a G-map).
We say that an element m ∈ M is represented by the head (h, x) if m = hπ X (x). In this section, all the elements of M should be representable by heads for any heading space X; therefore, π X : X → M should be surjective.
To get this surjectivity, we have to analyze the orbits of M and get a subset of representatives, M 0 ⊆ M such that M = ∪ m∈M 0 Gm. For these elements m, we need to get values in X such that π X (x) = m, but this cannot be done without some restrictions.
Let m be an element of M 0 and suppose x ∈ X satisfies π X (x) = m. Let G m = {g ∈ G : gm = m} and G x = {g ∈ G : gx = x} be the stabilizers of these elements. The condition π X (x) = m implies that, for all g ∈ G x , gπ X (x) = π X (gx) = π X (x) = m, therefore g ∈ G m . This proves that the element x ∈ X that represents m should satisfy the condition for the stabilizers G x ⊆ G m . This is in fact the only condition required.
If we use a heading space of the type G × {1, 2, · · · , n}, the values (1, i) always have a trivial stabilizer G (1,i) = {1} and this is contained in any possible stabilizer G um . In this case, we can pick any index i to represent the elements of the orbits G um without restriction.

Base Points (Private)
We fix a set with one or more elements B ⊆ M. They are called base points.
The value h is called the H-modifier of the link. The value hgb ∈ M is called the element represented by the link.
Elements in the program are represented using heads and links. In the case of links, the only visible element in the program is the element g ∈ G; the values h and b are known only by the compiler or the programmer.
Not all the elements of M need to be representable using a single link. In fact, we use multiple links to represent the elements of M.
If we denote hGb = {hgb ∈ M : g ∈ G}, we represent the elements in M as a sum of elements in the subsets hGb for h ∈ H and b ∈ B. Given a number of subsets, the elements of M that can be written as the sum of elements in the chosen subsets is called a sumset. This problem is well studied in additive number theory (see [12] for details), but, in our case, we have multiple solutions and a simple check lets us find them.

Reduction Maps (Public)
Let X and Y be heading spaces. A reduction map r : X → Y is a map for which we can find h ∈ H and b ∈ B such that hπ Y (r(x)) = π X (x) + b for all x ∈ X. The pair (b, h) is called the type of the reduction. These maps can always be constructed because we can take any x ∈ X, compute h −1 (π X (x) + b) ∈ M and find a value y such that π Y (y) = h −1 (π X (x) + b). Any value y satisfying the condition can be defined as r(x).
Let r : X → Y and s : Y → Z be two reduction maps with such that the type of r is (b, h) and the type of s is (c, l). Then, we can make the composition of these reductions to have h(lπ Z (s(r(x)))) = h(π Y (r(x)) + c) = hπ Y (r(x)) + hc = π X (x) + b + hc.
This proves that the composition sr is actually a reduction map with type (b + hc, hl).

Dissolving Maps (Public)
A dissolving map for the heading space X with dimension d is a map This map has hidden values b 1 , b 2 , · · · , b d ∈ B and h 1 , h 2 , · · · , h d ∈ H such that, for all x ∈ X, The values b i and h i could be repeated. The dissolving maps are public, but values b i and h i are private. The number of dissolving maps depends on the implementation; it could be possible in some cases to create a full implementation without dissolving maps. The value d is not fixed; we can have dissolving maps with different dimensions in the implementation.
The dissolving maps are used to transform heads into links. This is something that could be necessary during the computation. If we know by construction that this is only applied to a certain subset of heads, it is possible to define the map D only over this subset.

Control Values and Deals (Private)
All elements in V can be represented in many ways in terms of M. During the computation, it may be reasonable not to reuse the representations, especially in critical points. For example, suppose V = F 4 2 , M = F 6 2 , and P is an invertible matrix 6 × 6 over Z 2 . We can define the projection p : M → V as the first four bits of Pm and consider the last two bits as control values.
If we use different control values at different critical points, we know that the representatives of the elements will never coincide.
There are many ways to define the control values. They can be checked before the H-modifiers or after them. It is also acceptable that the control values are not computed in the same way during the program. The multiple representation of the values and the way to control which representative is used during the computation is something that the programmer can use to increase the security level with great flexibility, but this is considered in Section 3.
A set of representatives that can represent all the elements of V but with a constant control value is called a deal. Using different deals at critical points is a way to protect against code injection.

The Program (Public)
Under white-box premises, the program is available to the attacker and, therefore, it can be considered as public information. The arithmetical elements in the program are a combination of heads and links. The number of heads and links used to represent a single element is dynamic and it changes during the execution of the program.
Each head or link has a visible part (the element x ∈ X or the element g ∈ G), and hidden parts, the H-modifier h and a base point b ∈ B for links. Thus, the element x ∈ X can represent the value hπ X (x) for any h ∈ H and the link with value g ∈ G in the program, can represent any hgb for h ∈ H and b ∈ B. These hidden parts of the arithmetical element are known by the compiler or the programmer to decide which operations are possible and which tables have to be used at a particular moment. The heads can be in different heading spaces.
Suppose we have an element given by some heads x i and some links g j , the real value could be ∑ i h i π X i (x i ) + ∑ j h j g j b j . The addition of two arithmetical elements is just the juxtaposition of the values (i.e. it requires no code). The problem is that, after a number of operations, the elements are huge and we need a way to reduce their sizes. This is done with the reduction maps.
Suppose we have a head x ∈ X and a link g. Internally, we know that they have the same H-modifier (for example l ∈ H) and we also know that the base point for the link is b ∈ B. Suppose we have a reduction map r such that the associated partition of X is ∪X i and x ∈ X i with associated constants h i = h and b i = b. In this case, we can proceed as follows: This proves that the new head gr(g −1 x) is a head representing the value lπ X (x) + lgb with hidden H-modifier l ϕ g (h). This process lets us reduce the size of the arithmetical elements combining a head with a link if they have the correct hidden modifiers and we have the appropriate reduction map. If this is not the case, the reduction is not possible.
One of the characteristics of this arithmetic is that the designer has a number of possible reductions and he has to decide the precise order of the reductions. Any attacker wishing to modify a value, or paste a part of the code in another part of the program, or interchange values, immediately gets many meaningless values. At the same time, this makes the generation of the code more difficult, but this is a problem that is not visible in the final result. To have some freedom, it is reasonable to have many reduction maps, although the number required is not excessively large.
The final code is several steps that, in the visible program, look like gr(g −1 x) for g ∈ G and x in a heading space. This long sequence of values is combined with the values coming from the input tables or even constants.
The reduction that we have explained thus far lets us combine a head with a link, but we could need to add two heads. In that case, one of the heads has to be dissolved using a dissolving map into a number of links that let us continue the reduction process. This is not strictly necessary; depending on the design, it could be possible to have an implementation without dissolving maps. We see an example of this in Appendix B.
The designer of the program has to keep track of the H-modifiers for all possible executions of the program. This can be difficult, because the new H-modifier (l ϕ g (h)) depends on g, which is a value that could be input dependent. To deal with this problem, it is better to have a very simple function ϕ that could have at most two or three different values. This would let us classify the elements of G depending on the value ϕ g and keep track of the subset of G in which the values can range. If this is too complex for the implementation, a reasonable solution is to take a trivial map ϕ and therefore use the direct product H × G instead of a semi-direct product H ϕ G.

Input Tables (Public)
One of the critical points in a white-box implementation is the input of new values. The designer has to decide the correct representation that is used for the input values; they can be given by a head, a number of links or a combination of both. The control values let us use different deals in critical points. It is a good idea to use a deal for the input values that are not used at any other critical point of the program.
The H-modifiers of the input values are known by the designer, and the actual values given in the tables have to be checked to guarantee that all possible computations give the correct H-modifier in the following critical point. This is what we have mentioned in the previous subsection regarding the values ϕ g for all g in the input table.

Output Tables (Public)
This is the second critical point in the program. As we have done with the input values, the output uses a deal that has not been used at any other critical point. The H-modifiers of the elements when the output is reached should be known by the designer in order to build the table.
If we use a fixed control value for the output, the number of valid values is not large, thus we can create small output tables.

Tables for Nonlinear Operators (Public)
It is quite common to have nonlinear operators that have to be applied to the arithmetical operators. These are elements outside the arithmetic and we need a special table to define them. The input and output of these tables are critical points of the implementation and, as we have done with the input and output tables, it is a good idea to use a unique deal (not used with any other critical point) to define the input entries and the output entries of this table. The tables are usually applied to heads and the output can be a head, a link or a combination of both.

Additional Affine Transformations (Private)
Consider the flow chart of the algorithm. The general structure is a graph with some critical points and a number of linear operations. Two points in the chart are said to be linearly equivalent if there are no critical points in between. This equivalence relation defines several connected components. All operations in a connected component are group operations, therefore we can apply any affine transformation to a whole connected component with the rule that everything that is done at the entry points of the connected component has to be undone at the exit points of the connected component. These operations can be glued to the tables at the critical points.
Consider, for example, V = Z 7 and a program that computes a nonlinear operator S, adds a key value k and an input value v, and finally computes another operator T of the result. The graph of this connected component is in Figure 1. Suppose that, by design, we decide that the output of S is multiplied by a and added to b. Instead of having x, we have ax + b and this has to be considered in the encoding of the input table, which should give us av instead of v. We can now add the value to the output of S, (ax + b) + av = a(x + v) + b. At the exit point of the connected component (the input of T), we have to undo the change and add the key k, thus the encoding of the table for T will compute a −1 (y − b) + k before computing the real T. All these things can be included in the definition of the tables with no additional cost, but they are constant transformations that remain fixed for all executions of the program.

Additional Security Measures
In Section 2, we are too strict in the definitions and properties required for a private arithmetic. This is a first approach and it is necessary to make a simplified version to introduce the theory. In this section, we are much more flexible. In a real implementation, it is important to include elements that could make the analysis more confusing to the attacker. The ideas of this section and others that could be considered by the programmer help to increase the security.

The Relation Between the Internal and the External Arithmetic
We have two commutative groups, V and M, and in Section 2 we have defined a projection p : M → V that lets us represent every element v ∈ V by at least one element m ∈ M. If we have to add two elements v 1 and v 2 , we simply compute the sum of their representatives, and it is a representative of the sum because p is a homomorphism. However, this is not the only option. We could also have more than one element in M to represent the elements of V. Consider p : . When this happens, V is said to be a group generated by the group M.
The most general construction is to have a surjective group homomorphism p : M n → N such that V is a subgroup of N. We can emulate the arithmetic of the elements of N using tuples of elements in M, thus we can do it for V because all the elements of V are in N. When V is a subgroup of a group generated by M, it is said to be subgenerated by M.
The category of groups or modules subgenerated by M is denoted by σ [M] in the literature (see [13], Chapter 3, Section 15). This category is closed under submodules, coproducts and quotients, therefore we cannot get any further groups iterating the constructions.
Making the group M quite different from V is something that increase the security, because the group V is public (it is usually described in the algorithm), but the group M and the relation between M and V is not known by the attacker, thus the internal arithmetic would be safe.

Quasi-Reductions
In Section 2.7, we show that the reductions can be composed. This property could be used by the attacker because, making all possible compositions, some patterns could be revealed. It is also usual to compare different reductions in order to remove some security measures (this is usually called differential cryptanalysis). For example, consider X and Y two heading spaces, r : X → Y a reduction with type (b, h) and x 1 , The type of r gives If we subtract these values, we get This equation has removed the value b and introduced some equations that could be used by the attacker.
The idea of quasi-reductions is to consider maps r : X → Y that do not satisfy the condition hπ Y (r(x)) = π X (x) + b for any (h, b) and mix them with real reduction maps to introduce a non-arithmetical behavior in the program that could make any attack based on arithmetical properties difficult, in particular, differential cryptanalysis. This property also avoids the possibility of composition.
We show how to deal with these quasi-reductions with an example that is expanded in Section 5. Suppose V = F 8 2 and M = F 20 2 . The projection p : M → V is given by the first eight bits and consider that the last four bits have a non-arithmetical behavior (let E be the subspace generated by these four bits).
A quasi-reduction r : X → Y satisfies hπ Y (r(x)) = π X (x) + b for the first 16 bits, but the last four bits have random values (or any other pattern that could be interesting to hide the real structure). If we have to compute the addition of two elements m 1 and m 2 , we can be sure that the first 16 bits are actually the addition of the first 16 bits of m 1 and the first 16 bits of m 2 , but the last four bits have a value fixed by the definition of r, but not following any addition rule. These extra values break the arithmetical analysis, thus, given two values x 1 and x 2 in X, we have where e(x 1 ) − e(x 2 ) is an error that belongs to E and depends on x 1 and x 2 and, hence, it is quite difficult to analyze.
The main objective of this subspace E is to introduce values to break the arithmetical properties of the tables but we have to give correct results in spite of these errors. Therefore, we have to keep these values under control. The easiest way is that E would be a k[H ϕ G]-submodule of M. In this way, every element in M can be decomposed in two parts, the error e ∈ E and a value in M/E that behaves arithmetically (without errors). Space E is not visible, thus only the programmer can clean the errors from the values in order to generate correct computations.

Valid and Forbidden Elements
Consider an attacker trying to obtain information from the public elements. The attacker has a group G and elements in a heading space X that can be multiplied by elements in G, thus, given x ∈ G, it is quite natural to make all possible multiplications {gx : g ∈ G}. This is called the orbit of the action. These orbits over X are related with the orbits of the action G × M → M because the element x represents an element in M.
The elements of M can be multiplied by elements of G and elements of H. The elements of H modify the element to be represented using some fixed rules, therefore it is interesting to analyze the Our objective is to use orbits that cannot be easily recognized, but some elements could be a problem. For example, the case of 0 ∈ M is very particular. The elements of H and G are linear transformations, therefore hg0 = 0 for all h ∈ H and g ∈ G, thus 0 generates an orbit with only one element. We would prefer orbits not to be very different and this special orbit can be a problem. This can also be true for other special orbits. The idea is to remove these special elements from the arithmetic and use only normal elements. We analyze in a bit more depth why these elements appear.
First, note that the elements of H and G are endomorphisms of M and therefore have linear properties in the multiplication (H ϕ G) × M → M. This makes M not only an H ϕ G-set but also a R-module for the group ring R = Z[H ϕ G]. The commutative group M is thus a R-module and the composition series, 0 = M 0 ≤ M 1 ≤ · · · ≤ M n = M, is unique up to equivalence (by Jordan-Hölder theorem). As we show, the orbit generated by M 0 only has one element, but it is possible to have small orbits in M 1 and even in M 2 . The elements of these small orbits are better to be removed.
LetM be a subset of elements in M that we want to remove from the arithmetic (they are called forbidden elements), and we have a reduction r : X → Y with type (b, h). The elements ofM can be removed from the image of π Y and π X ; however, what happens if we have x ∈ X such that h −1 (π X (x) + b) is a forbidden element? In that case, we cannot make the definition of r(x) and the compiler should ensure that this reduction is never going to be executed in the program. If r : X → Y is the only reduction with origin in X, this implies that π X (x) can also be considered a forbidden element for X and it can be included inM although its orbit could be normal.
This shows that the forbidden elements could depend on the heading space X and the projection π X : X → M, which could be undefined, not only because π X (x) is a forbidden element but also because the reductions would take it to a forbidden element in another heading space, thus the family of forbidden elements is something dynamic. In Section 5, we show how to analyze the orbits and select the forbidden elements with an example.

Overlapping Orbits and Combinations of Heading Spaces
We show in previous subsections that the attacker can get some information by playing with the reductions and analyzing the orbits. The implementation should make this task as difficult as possible.
A heading space is a set X with a multiplication by elements of G. It is not even necessary that all the multiplications give correct results, because they could correspond to forbidden elements. If we have several heading spaces X 1 , X 2 , · · · , X k , we can join them in a single set X as a disjoint union. If X and Y are combinations of heading spaces, a reduction map r : X → Y is a combination of reduction maps.
For an attacker, it is not completely trivial to decide if two elements x 1 , x 2 ∈ X belong to the same heading space or not. It is even more difficult to know all the elements that belong to the same heading space. The attacker could use the following claims to group the elements that belong to the same heading space.

1.
All elements that appear at the same position in the program under different valid inputs belong to the same heading space.

2.
For every x ∈ X, all elements in the orbit of x, Gx, belong to the same heading space.

3.
Let x ∈ X and r : X → Y be reduction maps, then all the values r(gx) belong to the same heading space for all g ∈ G.
The first claim is difficult to avoid, but only gives partial information because, at a certain point of the program, the elements not only belong to the same heading space, but also have some fixed control values; therefore, the subset of X obtained using this technique is only a small part of the heading space.
The second claim can be very useful to incorporate errors into the analysis of the attacker. We know that not all the elements of the orbit Gx are valid elements. Suppose that the elements not used in the orbit Gx are precisely those needed by other orbit in another heading space to represent their valid elements. Then, we can use the orbit Gx with two different meanings, depending on the value g ∈ G. We call this method overlapping orbits. It is not easy that this property happens by chance, but it could be possible if we select the orbits that belong to each heading space looking for this particular property. We show this in Section 4. Overlapping orbits is not easy, and the tables do not have more than a few of them overlapped, but these can be enough to introduce errors in the analysis of the attacker.
The third claim is not true. Several values of r(gx) are invalid and we can define the tables with any value we want. The values chosen for the invalid elements can be in any heading space. If the orbit Gx has elements overlapped with another orbit, it is even worse because the values r(gx) are in different heading spaces and they are actually used in the computation.

Discussion
We list some of the most notable features of this method. Some of them are qualitative and others can be quantified.

Flexibility
A private arithmetic assumes that the external commutative group is fixed, but all other constructions can be decided. All the internal arithmetic can be decided by the programmer depending on the resources (time and memory) and his own expertise in automorphism groups.
The selection of the orbits, their representatives, the base points, etc. can be decided freely. The number of choices is really high.

Non-Standard Operators
The most natural choice to obfuscate the addition in a commutative group is to have one or more binary operators to be applied over encrypted operands. The standard attacks try to match encrypted values with plain values and to use the algebraic properties of the group addition to find as many plain values as possible.
The method given in this paper has one or more reduction maps. The reduction maps are unary operators. The visible algorithm also provides a multiplication between elements in a group G and the heading spaces. The group G cannot be matched with elements in the external commutative group and the standard attacks do not fit with the arithmetical structure given by the reductions.

Nonlinear Relations Between Values and Their Representatives
The arithmetical elements in the program are represented by heads and links. The visible elements are elements in the heading space for heads and elements in G for links. The connection between these elements is not linear; for example, suppose g 1 and g 2 are the visible part of two links. Even if they would have the same H-modifier and the same base point, hg 1 b + hg 2 b is in general not connected with any hgb for any g ∈ G, because G is closed under group multiplication, but the addition is not allowed. Something similar happens for heads. Consider the example given in Appendix B, two heads x 1 , x 2 could have visible representatives v 1 , v 2 ∈ Z 2 10 . The addition v 1 + v 2 ∈ Z 2 10 has no connection at all with the head that represents the addition of π X (x 1 ) + π X (x 2 ) The nonlinear relation between values and their representatives is something that many obfuscations consider, but, in most cases, it is done in an artificial way, which must be undone before the obfuscated additions. In this system, the non-linearity is completely natural and fits the structure of the computations.

Linear Growth
We have previously mentioned that the arithmetical operators (the reductions) are unary operators instead of binary ones. This property means that the growth of the tables is linear, while the growth of the security elements is quadratic. For example, suppose that M = F k 2 . The heading spaces has a number of elements with the same order of magnitude of M, and we can say O(2 k ). The number of invertible matrices k × k over Z 2 (which could be considered as a measure of the security level, as shown in Section 4.6) is O((2 k ) 2 ) = O(2 2k ), a quadratic growth in comparison with the growth of the size of the tables. Using binary operators, the table would require two inputs and thus the growth of the tables would also be quadratic.
The linear growth lets us optimize the security for the resources available, increasing the size of M and getting a much greater increase in the security than when using binary operators. This property is especially relevant in the case of IoT because the resources are usually quite limited.

Protection against Differential Cryptanalysis
Another noteworthy characteristic of this system is that we can incorporate non-arithmetical behavior to the operators. This is what we have called quasi-reductions, and we explain them in Section 3.2. These quasi-reductions increase the protection against differential cryptanalysis.

Security and Conjugacy Search Problem
There are algorithms in which we can obtain the secret information only playing with the inputs and outputs. In that case, even a black-box implementation of the algorithm would reveal the secret information and it is worthless to make a white-box implementation that would not increase the security at all, because the attacker has a running implementation by definition of white-box. This is what we call intrinsic vulnerabilities and we show an example of this in Appendix B.1.
There are other vulnerabilities due to naive choices, for example, taking M = V, or a group G that generates orbits that can be easily analyzed.
There are also algorithms with many mathematical properties that are not evident at first sight and that can be used to get the secret information despite the encoding. Strictly speaking, these are not intrinsic vulnerabilities because they can be local to a piece of the code. For example, suppose that we have a program given in rounds, such that, if we randomly modify a value at the beginning of a round, this change is spread in a way that depends on the secret values. A blind obfuscation of the algorithm could make it easy to recognize the structure of rounds and independently of the arithmetical obfuscation, it is possible to modify a value at some point with the value given in a previous execution. This code injection combined with the mathematical property of the algorithm known by the attacker could reveal the secret information without actually breaking the arithmetic.
These vulnerabilities make it almost impossible for an automatic program to generate obfuscated code. There are even theoretical studies about the impossibility of having a general virtual black box system. See [14,15] for details.
The advanced encryption standard (AES) is a typical example of this. There are many publications studying the mathematical properties of this algorithm that can be used to break white-box implementations. In particular, AES is inherently vulnerable to differential fault analysis (DFA) and this kind of attacks can be applied to the majority of the public implementations of AES (see, for example, [2]). However, not only DFA, the number of known attacks to white-box implementations of AES is huge. The experience of the WhibOx Challenge (see [8]) shows that many implementations of AES can be broken independently of the arithmetical encoding.
The method presented in this paper helps to protect, mainly because it is possible to use multiple representations of the elements with different control codes, but not all possible design vulnerabilities can be avoided if the structure of the program is revealed in the obfuscated code, and this is something that the designer of the program has to decide, independently of the arithmetic.
What we can analyze here is the security related to the arithmetical elements. We use in this system a group G that is a subgroup of Aut(M). The natural choice is to have a G much smaller than Aut(M). For example, if M is F 20 2 , Aut(M) is the set of invertible matrices 20 × 20 over F 2 . The number of them is ∏ i=0 19 (2 20 − 2 i ) ≈ 2 398.2 . The group G, in comparison, is really small; in the example given in Section 5, it has 2520 elements.
In recent years, the number of cryptographic algorithms based on non-commutative groups has increased. We can see in [11] several algorithms based on non-commutative groups and the group-theoretical problems on which they are based. In the system proposed in this paper, we have a group G that it is given by a table or any other method that lets us compute with the elements. The attacker knows that this group is a subgroup of Aut(M) but the internal group M is not known. Using the critical points, in particular the input and output tables, it could be possible to get some information about the properties of the values in the external group V compared to their corresponding internal values in M. This information is always partial. In the worst scenario, the attacker could guess that the original representation of the group G in Aut(M) is made using some special representation. However, this original representation ψ : G → Aut(M) can be modified up to conjugacy using any invertible element t ∈ Aut(M) with the equivalent representation ψ (g) = tψ(g)t −1 . The number of options for t can be huge and these new representations change completely the elements that belong to each orbit and their properties. The attacker needs to determine the conjugacy used with very short information about the effects in the external group. The conjugacy problems are considered hard to solve and the security of group-theoretic cryptography is very often based on them. See [11] for general background on these kinds of problems.

Use Cases and Further Applications
In the Introduction we give several use cases for white-box cryptography. In general, white-box cryptography should be considered when the attacker has access to the program and can manipulate it without restrictions to obtain the critical information, for example the keys.
As we can see in [16], the problem of mistrust in IoT is one of the main factors that have affected how IoT security is perceived. IoT devices can become adversaries themselves and they can be used to obtain critical information. The protection of our code with a white-box obfuscation makes this impossible, because the valuable information is not visible to the hostile environment.
The method proposed in this paper is not only valid in general as a white-box method. We show above that it is possible to generate a huge number of different arithmetics choosing some parameters, which makes it especially useful for the generation of code for IoT. Another characteristic of the code is the homogeneity. The code generated using this method has long sequences of reduction steps, each requiring a similar table lookup (we can see an example of this in Algorithm A3). The white-box protection let us delegate the computation of a number of these reductions to other devices without risk, because the program is supposed to be public. As we can see in [17], the security is a major threat in edge and fog computing, but using this method it is possible to avoid that risk.

A Huge Private Arithmetic
In this section we analyze an example with all the security measures considered in the paper and a huge size. The arithmetic is generated for the group V = F 8 2 . We also analyze the memory requirements to generate this arithmetic.
The internal commutative group M is F 20 2 . The elements of M are decomposed infive subvectors of four bits each. Thus, we denote m = (m 0 , m 1 , m 2 , m 3 , m 4 ) the vector of M and the m i is vectors in F 4 2 . We use the subvector m 4 as error space and the others as arithmetical values.
We use block matrices with five blocks of 4 × 4-matrices in the diagonal to generate G. The group of invertible 4 × 4-matrices over F 2 has 20, 160 matrices and generates some orbits that are too big for our purposes. It is better to consider a subgroup of this group with 2520 elements and combine it with some permutations of the five blocks in the diagonal. In this case, we consider H the subgroup generated by the rotation of the first four blocks. This generates a group H with order four and the elements of H commute with the elements of G, thus we have a direct product instead of a semi-direct product for the extended arithmetical group H × G.
There are many combinations that let us generate the subgroup of 2520 elements. One of them is to use the matrices a = At this point, it is necessary to decide which elements of M that are valid. This decision requires some analysis of the group ring and the orbits because our intention is to remove the elements that could have a recognizable behavior in the tables. We have to analyze the Z[G] structure of M. It is equivalent to use this structure or the F 2 [G]-structure because m has characteristic two, thus we can The R-module M has a composition series 0 The composition series in this case has M i+1 /M i always isomorphic to F 4 2 , the vector space of 16 elements with the structure given by G 0 × F 4 2 → F 4 2 (note that G 0 and G are isomorphic). The Jordan-Hölder theorem says that any other composition series has the same length and M i+1 /M i is also isomorphic to the same simple module.
We use a very simple decomposition in blocks that makes the structure visible. The structure (up to isomorphism) is not changed if we consider a conjugated action given by t −1 Gt with any invertible matrix t. It is better to make the theoretical analysis with the original version and apply the conjugation afterwards.
It is an obvious choice to remove the element 0, but we also remove the elements of the different R-modules that can appear in the first two steps. In the version before conjugation, the elements (m 0 , m 1 , m 2 , m 3 , m 4 ) ∈ M such that they can appear in the position M 1 in the composition series are the ones such that dim(span(m 0 , m 1 , m 2 , m 3 , m 4 )) ≤ 1, and the ones that can appear in the position M 2 are the ones such that dim(span(m 0 , m 1 , m 2 , m 3 , m 4 )) ≤ 2. If we want to consider them as forbidden elements, we have to restrict the subset of valid elements to those ones such that dim(span(m 0 , m 1 , m 2 , m 3 , m 4 )) ≥ 3 or a subset of these elements. There are 1, 015, 560 elements satisfying this condition. They are distributed in 403 orbits with 2520 elements per orbit.  (2). The rest of the values will be free if they keep the matrix in an almost echelon form. Strictly speaking, it is not an echelon form because the group can reduce only three positions (it is not the full group of invertible matrices). The generators are given in Table 1.  For each heading space, we have to choose which elements are used. We have to be careful to have multiple representations for each element in V, but we can choose the orbits we want. We could decide to have heading spaces with a number of orbits between 200 and 300 from these 403 ones. The selection of these orbits can be made in order to get properties such as overlapping orbits (see Section 3.4). For example, consider X and X as two heading spaces that have an orbit (G, i) overlapped. We define at the same time two reductions r : X → Y and r : X → Y . The types of the reductions r and r are (h, b) and (h , b ). We select a value x i ∈ X and x i ∈ X to be the base point on these orbits and finally we compute The values u g and v g will belong to some orbits, the idea is to choose the orbits in Y and Y in such a way that u g and v g are not valid elements in Y and Y at the same time. The rest of the orbits can be chosen randomly, bearing in mind that some of them are now forbidden to have a correct definition of r and r in the overlapped orbit (G, i). The forbidden elements in the orbits are filled in tables r and r with fake values that can be part of different heading spaces, as explained in Section 3.4.
Let k 1 , k 2 , · · · , k n be the number of orbits for each heading space. If they are between 200 and 300, we can consider that the number of elements in the combined heading space will be around 250n. The representation of each element is an index i for the orbit (two bytes) and two other bytes for the group element g ∈ G. The size of the tables required for these combinations of heading spaces and reductions are 2520 · 250 · n · 4 bytes, that is 2.5n megabytes where n is the number of heading spaces. A big implementation could use eight heading spaces, and therefore a number around 200 megabytes would be reasonable.
The rest of the implementation would require tables for input and output, and also for possible S-boxes, another 200 megabytes could be required and the code depends on the algorithm, but could be another 100 megabytes. If we put together all these numbers, the size of a big implementation would be around 500 megabytes.
If the attacker knows the details of this construction, the security would be based on the choice of an invertible matrix t such that the actual group G would be tGt −1 . The number of choices for the non-arithmetical part is the number of maps E → E. They do not even have to be bijective, thus the number is 16 16 The conjugation by t induces a new relation between M and V as well as a change in the base points used to represent the classes. The search for the conjugacy matrix is much more difficult than the standard conjugacy search problem, because only partial information is visible.

Conclusions
White box implementations are not a simple task. The protection of the arithmetic is something that requires a lot of resources, which might not be available (especially on IoT applications), therefore it is critical to decide which are the elements that should be protected. The method presented in this paper can be used to obfuscate the arithmetic of a commutative group using a related non-commutative group. The idea of the paper is to completely shuffle the additive structure and use the endomorphisms to make computations.
Non-commutative groups are attracting the attention of the cryptographic community because there are many hard problems related to them that can be used for cryptographic purposes. The method presented in this paper is very flexible and it is possible to modify the implementations by conjugation. This makes it possible to generate a huge amount of essentially different implementations based on the same original groups. The search for this conjugacy is not the only problem that the attacker has to solve, because many different choices can be made to increase the difficulty of the analysis.

Patents
The contents of this paper may be related to the following patent applications: WO2018015325 and WO2018115143.
Funding: This research was funded by Philips as part of a research contract between Philips and the University of Murcia.
Acknowledgments: This research was made while the author was on the Philips premises at the High Tech Campus (Eindhoven, The Netherlands). The author would like to thank the friendly environment and hospitality of the Philips research group.

Conflicts of Interest:
The author declares no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

Appendix A. Summary of Mathematical Concepts and Notations
This appendix contains some standard mathematical definitions and notations used in this paper. For further references we suggest the book by Bhattacharya et al. ([18], Chapters 1-14) for basic definitions, the book by Wisbauer ([13], Sections 1-6) for rings and modules and the books by Lam [19] and Aschbacher [20] for group representations and more advanced results on group theory and connections with rings and modules.

Group
A set G with an operation · : G × G → G that is associative. There exists an element 1 ∈ G such that 1g = g1 = g for all g ∈ G and for every g ∈ G there exists g −1 ∈ G such that g · g −1 = 1 = g −1 · g.

Commutative Group
A set M with an operation + : M × M → M that is associative and commutative. There exists an element 0 ∈ M such that 0 + m = m + 0 = m for all m ∈ M and for every m ∈ M there exists −m ∈ M such that m + (−m) = (−m) + m = 0.

Ring
A set R with two operations +, · : R × R → R and two special elements 0, 1 ∈ R such that (R, +, 0) is a commutative group, the multiplication · is associative, r · 1 = 1 · r for all r ∈ R, and r(s + t) = rs + rt for all r, s, t ∈ R.

Commutative Ring
A ring R is said to be commutative if the multiplication is commutative. Examples are Z, the ring of integers and Z n the ring of modular integers for any integer n > 1.

Field
A commutative ring in with every nonzero element r there exists r −1 ∈ R such that r · r −1 = 1. Examples of fields are the rationals and the modular integers Z p when p is a prime number. If p is a prime, the field Z p can be denoted F p . For instance, Z 2 and F 2 are exactly the same thing.

Module
Let R be a ring and M be a commutative group, we say that M is a module over the ring R if we have a multiplication · : R × M → M such that (r + s)m = rm + sm, r(m + n) = rm + rn, 1m = m and (rs)m = r(sm) for all r, s ∈ R and m, n ∈ M. Every commutative group M is, in particular, a module over Z using the multiplication rm = m + m + · · · + m (r-times) and (−r)m = r(−m) for any integer r ≥ 0 and m ∈ M. If R is a field, the modules over R are the vector spaces. Group Homomorphism Let G and H be groups. A map f : G → H is said to be a group homomorphism if f (k · g) = f (k) · f (g) for all k, g ∈ G and f (1) = 1. If the groups are commutative, a homomorphism f : M → N should satisfy f (m + k) = f (m) + f (k) for all m, k ∈ M and f (0) = 0.

Group Isomorphism
A group homomorphism f is said to be a group isomorphism if the map f is bijective. The inverse map will also be a group isomorphism.

Group Endomorphism
A group homomorphism between the group and itself is called an endomorphism.

Group Automorphism
A bijective group homomorphism is called automorphism. The set of group automorphisms is itself a group with the composition and the identity map as 1. Let p be a prime number and Z p the field of modular integers. The group of invertible matrices over Z p is an example of an automorphism group, because the automorphisms of Z p × Z p × · · · × Z p can be identified with the invertible square matrices. Module Homomorphism Let M and N be modules over R and f : M → N a group homomorphism considered as abelian groups. We say that f is a module homomorphism if f (rm) = r f (m) for all r ∈ R and m ∈ M. Using this additional property, we can define module isomorphisms, endomorphisms and automorphisms. If R = Z, the module homomorphisms and group homomorphisms are the same thing because f (rm) = f (m + m + · · · + m) = f (m) + f (m) + · · · + f (m) = r f (m). If R is a field, the module homomorphisms are the usual linear maps that can be identified with the matrices over the field.

Endomorphism Ring
Let M be a module over the ring R. The set of endomorphisms of M can be endowed with a ring structure if we define the addition of two endomorphisms f + g as ( f + g)(m) = f (m) + g(m) for all m ∈ M. If R is a field, this ring is the ring of square matrices. If R = Z or any other ring, the endomorphisms are the natural generalization of matrices and play a similar role.

Direct Product
Let H and G be groups, the set H × G can be endowed with a group structure using the multiplication (h, g)(h , g ) = (hh , gg ). With this structure the identity element in H × G is (1, 1). It is straightforward to identify G with the elements {(g, 1) : g ∈ G} and H with {(1, h) : h ∈ H}.
In this way, the direct product can be written as HG and the elements as products hg with the rule that, although the multiplication in H and G might be non-commutative, the elements of H commute with the elements of G, i.e. gh = hg for all g ∈ G and h ∈ H.

Semi-direct Product
Let H and G be groups and ϕ : G → Aut(H) be a group homomorphism. We denote with ϕ g : H → H the automorphism induced by g via ϕ.
The semi-direct product of these groups, denoted by H ϕ G, is given by the pairs (h, g) with h ∈ H and g ∈ G endowed with the product (h, g)(h , g ) = (hϕ g (h ), gg ). As we can see, the homomorphism ϕ acts as a modifier for the product in H. The direct product is a special case of this construction using the trivial homomorphism ϕ : G → Aut(H) such that ϕ g = id H for all g ∈ G. Semi-direct products are a very common construction in group theory to build non-commutative groups, for example, the dihedral groups.

Action of a Group
Let G be a group and X be a set. An action of G over X is a map · : G × X → X such that 1 · x = x for all x and g · (h · x) = (g · h)x for all g, h ∈ G and all x ∈ X. A set X with an action G × X → X is called a G-set.

Orbits and Stabilizers
If we have an action of G on X, the orbit of an element x ∈ G is the subset of X given by {gx : g ∈ G} = Gx. The stabilizer of the element x is the subgroup of G given by the elements that fix x, G x = {g ∈ G : gx = x}.
The number of elements of G x is a divisor of the number of elements of G (by Lagrange's theorem) and the number of elements in the orbit of x is |G|/|G x | (see ([18], Chapter 5, Theorem 4.7)).

Group Ring
Let G be a finite group and R be a ring. The group ring, denoted R[G] or RG, is the set of mappings u : G → R with the multiplication given by the rule (u · v)(h) = ∑ g∈G u(g)v(g −1 h). The standard notation for group rings is to identify the map u : G → R with the formal sum ∑ g∈G u(g) · g and multiply using the standard rules (r · g)(s · h) = (rs) · (gh) for all r, s ∈ R and g, h ∈ G.

Appendix B. Full Detailed Example
In this appendix, we present a small example of the obfuscation of a cryptographic algorithm with the main elements that are commonly used in block ciphers and hash functions, in particular XOR operations and nonlinear permutations combined in several rounds. The example is developed in full detail, including all the tables required for the arithmetic. This requirement makes the example not completely realistic because the tables are much smaller than the ones used in a computer program. The idea of this appendix is to help the reader to reproduce the constructions with a guided example.
In this example, the arithmetic is over the vector space V = F 4 2 , which is the external commutative group. The nonlinear permutation is the first one given in the data encryption standard algorithm S = (14,4,13,1,2,15,11,8,3,10,6,12,5,9,0,7) and the algorithm computes the function The computation combines these values with six hidden keys k 0 , · · · , k 5 ∈ V using rounds. These values are the secret information that has to be protected.

. Intrinsic Vulnerabilities
The first thing that we do with this example is to prove that it is possible to get the key playing with some inputs and outputs, independently of the implementation of the algorithm. This is what we call intrinsic vulnerabilities. Some algorithms reveal information regardless of the implementation. When this happens, it is impossible to get a secure version under the white box premises, because even a black box version of the program would be insecure. In this example, the reason is that the function ξ is too small but we make a white-box version of this function just to show the method, although we know that it is too small to be realistic.
The first and most evident reason this function is insecure is because the number of possible keys is 16 6 = 16777216. This key space is small enough to be analyzed just by checking all the possibilities with a simple PC.
However, here, we give an attack that uses the nonlinearity of S to break the security. This vulnerability is not a special property of the permutation S that we have chosen. This is something general that can be done for all nonlinear permutations. Linear permutations do not have this vulnerability, but they have many others. Therefore, we cannot get rid of the nonlinearity, because it is a property required for the general security of the algorithms. As a question of notation, we write the elements of V = F 4 2 using a single hexadecimal value. Thus, for example, the value b, that in binary form is 1010 represents the vector (1, 0, 1, 0).
We use the auxiliary function f (v, u, k) = k ⊕ S(v ⊕ u) and the associated functions g 1 (u) = f (0, u, k) ⊕ f (3, u, k) and g 2 (u) = f (4, u, k) ⊕ f (a, u, k). The functions g 1 and g 2 do not depend on k because this value is canceled because k ⊕ k = 0. If we compute g 1 (u) and g 2 (u) for all possible values u, we get that the possible outputs for g 1 are {f, 9, a, 4, c, 2} and the outputs for g 2 are {4, 3, 8, 2, e}. If we know the values g 1 (u) and g 2 (u) for a hidden u, we can obtain the value u looking at the following table f 9 a 4 c 2 4 0 e * * * * 3 b 1 * 5 * f 8 8 2 7 6 9 c 2 3 d * * * * e * * 4 * a * The values * are given to inputs that cannot be reached for any correct computation of the functions. Now, we take the black-boxed version of ξ and fix the inputs v 0 , v 1 , v 2 and v 3 . These values produce a value w 4 after the first 4 rounds. We want to compute the hidden value u = k 4 ⊕ w 4 , and, to do that, we see that 4). From the previous table, we get the value u. Now, we only need to compute ξ(v 0 , v 1 , v 2 , v 3 , 0) = k 5 ⊕ S(u) and recover k 5 because . This technique has obtained the last key and reduced the problem to the function ). This function has exactly the same structure but with one round fewer. We can apply the same technique to get the key k 4 and afterwards k 3 , k 2 , k 1 and k 0 by removing the security layers of this algorithm one by one.
A full explanation of the reasons for choosing these particular parameters 0, 3, 4 and a is outside the scope of this paper. It is a general technique to break encodings that is much more general and based on differential cryptanalysis. It is especially powerful on block ciphers and there are many publications on the topic. One general book to learn about these techniques is [21].
The main ideas that should remain after this subsection is that the example is merely to show how the arithmetic works with something small and we do not claim that the obfuscated version of this function is secure, because even the black-box version is insecure. Any algorithm can introduce intrinsic vulnerabilities that have to be studied in detail before starting a white-box implementation.

Appendix B.2. Obfuscated Version (Public Elements)
In this subsection, we see a white-box implementation of the function ξ using the techniques explained in this paper. First, we show the public elements that are visible in the program and we make a simple computation. In the following subsection, we give the private elements of the implementation.
Apart for the external commutative group V = F 4 2 that it is part of the public algorithm, the first public element of this obfuscated implementation is the public group G. This group can be given by its multiplication table (Table A1). The structure of the group up to isomorphisms can also be considered public, because it can be easily computed using the multiplication table. The group G can be represented using endomorphisms over multiple commutative groups. For example, we can represent this group using matrices 2 × 2 over the rings Z 10 and also over Z 11 . The correspondence between the element of the group and the matrices is given in Table A2. We include in this table the inverses of the elements in the group that are used during the computation. The value X is used to represent the number 10 in the ring Z 11 . Table A1. Group operation. g 0 g 1 g 2 g 3 g 4 g 5 g 6 g 7 g 8 g 9 g 10 g 11 g 0 g 0 g 1 g 2 g 3 g 4 g 5 g 6 g 7 g 8 g 9 g 10 g 11 g 1 g 1 g 0 g 5 g 6 g 7 g 2 g 3 g 4 g 10 g 11 g 8 g 9 g 2 g 2 g 5 g 0 g 9 g 8 g 1 g 11 g 10 g 4 g 3 g 7 g 6 g 3 g 3 g 8 g 7 g 10 g 5 g 11 g 1 g 9 g 6 g 2 g 0 g 4 g 4 g 4 g 9 g 6 g 5 g 3 g 10 g 7 g 1 g 2 g 8 g 11 g 0 g 5 g 5 g 2 g 1 g 11 g 10 g 0 g 9 g 8 g 7 g 6 g 4 g 3 g 6 g 6 g 10 g 4 g 8 g 2 g 9 g 0 g 11 g 3 g 5 g 1 g 7 g 7 g 7 g 11 g 3 g 2 g 6 g 8 g 4 g 0 g 5 g 10 g 9 g 1 g 8 g 8 g 3 g 11 g 1 g 9 g 7 g 10 g 5 g 0 g 4 g 6 g 2 g 9 g 9 g 4 g 10 g 7 g 1 g 6 g 5 g 3 g 11 g 0 g 2 g 8 g 10 g 10 g 6 g 9 g 0 g 11 g 4 g 8 g 2 g 1 g 7 g 3 g 5 g 11 g 11 g 7 g 8 g 4 g 0 g 3 g 2 g 6 g 9 g 1 g 5 g 10 These matrices are used to operate the elements of the group with the elements of the heading spaces, which in this case are Z 2 10 and Z 2 11 . The elements of the heading spaces are denoted as column vectors and the operation by the elements of G is done using the standard multiplication of matrices. If we multiply g i with the head [ u v ], we first have to know where the head is. If it is in Z 2 10 , we use the matrix associated to g i over Z 10 in Table A2, and, if the head is in Z 2 11 , we use the matrix over Z 11 given in the same table.
Algorithm A2 Basic reduction step.
Require: w is a head, g i ∈ G 1: if w ∈ Z 2 10 then 2: return g i R 0 (g −1 i w) 3: else {w ∈ Z 2 11 } 4: The multiplication of the elements of a group by the heads is done with the matrix representation of the group elements. Therefore, in the computation g i R j (g −1 i w), the matrices corresponding to g i and g −1 i are over different rings. The full implementation is given in Algorithm A3. The last public element of the implementation is the program itself. Beyond this point, we look at the information that is not available to the attacker, whose only visible elements are those given in the previous subsection. Some of the elements might be guessed by the attacker, but they are not visible.
The keys used in this implementation are k 0 = c, k 1 = 8, k 2 = 1, k 3 = f, k 4 = 1 and k 5 = 4. We can check that the obfuscated computation of ξ(1, 6, a, 5, b) given in the previous subsection is correct using Algorithm A1 and the keys provided. 1: One of the things that could be surprising at first sight to someone not used to this arithmetic is that, although we make computations in the vector space V = F 4 2 , we use matrices over the rings Z 10 and Z 11 . We only need heading spaces that let us define the actions of the group G up to isomorphism, and in this case the group can be described using these particular matrices.
We give an alternative presentation of the public group G that is used to define further private elements of the obfuscation. The group G can be described as a non-commutative group generated by three elements, u, v and w, such that u 3 = v 2 = w 2 = 1. The element w commutes with all the others, but the other two do not commute because uv = vu 2 . All the elements of the group can be written as w i v j v k for i ∈ {0, 1}, j ∈ {0, 1} and k ∈ {0, 1, 2}. One possible correspondence between the elements of G that we have been using and this representation is given in Table A7. Table A7. Group correspondences.
Group w i v j u k g 0 1 g 1 wvu g 2 vu g 3 u 2 g 4 wu g 5 w g 6 wvu 2 g 7 v g 8 wv g 9 vu 2 g 10 u g 11 wu 2 Although this group can be found using 4 × 4-matrices over F 2 (in fact, there are 30,240 ways to select u, v and w matching the conditions in Mat 4×4 (F 2 )), the implementation uses the internal commutative group M = F 6 2 and thus 6 × 6 matrices over F 2 to represent the endomorphisms. The computation of the real value represented by each element and the control values is done with the matrix P =    1 1 1 0 0 1 1 1 0 1 0 0 0 1 1 1 0 0 0 1 0 0 1 1 1 1 1 0 1 0 1 1 1 1 0 1   .
The first four bits are the projection and the last two are a control value. In this case, the control value is computed in the same way during the program.
The representation of G using matrices in Mat 6×6 (F 2 ) is made using the matrices u = The action of the group G on M = F 6 2 using these matrices generates 11 orbits and all of them are valid elements in this implementation. For each of them, we fix an element m i that is the base point to generate the orbit. The other elements of the orbit are Gm i = {gm i : g ∈ G}. For each of these representatives, we have to compute the stabilizer to find other elements in the heading spaces that could represent them. The list of representatives and stabilizers over the vector space F 6 2 is given in Table A8. The vectors in F 6 2 are represented in horizontal form, but they should be considered column vectors.  If we use the action over the heading spaces with the corresponding matrices given in Table A2, we get more than 11 orbits, but we only need to consider representatives that can extend the arithmetic of the m i . Strictly speaking, the heading spaces are the subsets of Z 2 10 and Z 2 11 that belong to the orbits that we select for the representation, but this is not a problem because we define the tables over the other elements with some random values, and they are not reached during a legitimate execution of the program (unless we introduce fake instructions).
As we have seen, the construction of the correspondences between the heads and the elements of M requires the selection of elements x i and y i in the heading spaces such that that the stabilizer of the element(s) that represents m i in the heading spaces is (are) contained in the stabilizer of m i . In this case, we only use one representative for each m i , although more can be used. This would increase the number of possible representations for each element. In this case, we have multiple representations because, in some cases, the stabilizers of the elements in the heading spaces are strictly smaller than the stabilizers of the corresponding values m i . The tables with the corresponding representative in the heading spaces and the stabilizers of these representatives are given in Table A9 for the heading space Z 2 10 and Table A10 for the heading space Z 2 11 .

Representative Stabilizer
To build the internal group of the obfuscation, we consider the group H, which is a cyclic group of order 3 generated by an element h. This group has a nontrivial automorphism τ : H → H given by τ(h t ) = h −t and we can use it to define ϕ : G → Aut(H) by ϕ(w i v j u k ) = τ i . This is a group homomorphism because the subgroup generated by w is a direct summand of G. This direct summand has order 2 and thus it is isomorphic to Aut(H). The homomorphism ϕ can be considered as the projection over the subgroup generated by w and the composition with the isomorphism between this subgroup and Aut(H).
Using ϕ, we can generate the semi-direct product H ϕ G. This is the internal group of the obfuscation and it has 36 elements. This group can be represented on Aut(M) using the matrix h =    1 1 0 1 0 0 1 0 1 1 1 0 0 0 1 0 0 0 1 0 0 1 0 1 1 0 1 1 1 1 1 1 1 0 0 0    and the previous definitions of u, v and w. This means H ϕ G is a subgroup of Aut(M). Note that H ϕ G cannot be given by an extension of G in Mat 2×2 (Z 11 ), but this is not necessary because we need actions only for the group G over the heading spaces.
We have only one base point b = (1, 0, 1, 0, 1, 1). Using these values, we can compute the values associated to the heads and links. Suppose g is a link with H-modifier h 2 , then the real value is h 2 gb ∈ M and we can use the matrix P to compute Ph 2 gb, whose first four bits would be the value in V and the last two the control value.
Given a head x ∈ Z 2 10 with H-modifier h, we have to search for a group value g and a representative of the orbit x i such that x = gx i . This value g is a 2 × 2 matrix over Z 10 , but we have to get the matrix associated to the same group element, but in Mat 6×6 (F 2 ), to compute gm i and finally apply the H-modifier to it. The value in M is hgm i . The value in V and the control values are the first four bits of the vector Phgm i and the last two, respectively.
In this program, we have also included some extra affine transformations that modify the final value in V for heads and links. The flow and the critical points of the program are given in Figure A1.
This figure includes the information for the H-modifiers and the control values at each critical point. The critical points given by inputs with multiples links have H-modifiers for each entry, and they are not equal for all inputs. The only rule is that, at the next critical point, the H-modifier should be correct, and this is checked for all inputs because it depends on the values ϕ g and the previous H-modifiers.
The addition of keys has been combined with the affine transformations on each connected component, thus it is not necessary to make an explicit computation to add the key.
There are four connected components, I, II, III and IV. Each has an affine transformation that is made at the starting points of the component and restored at the ending point. The addition of the key is combined with the affine constant to get the correct result. The linear transformations and the additive constants are listed in Table A11.
Add v 4 IT 4 Output S(v) + k 5   Note that it is not necessary to use an output table because, using different control values, table B can be reused for the output when the control value is (1, 1). In this implementation, we have not used dissolving maps because the program is designed to compute combinations of heads and links and the combination of two heads it not required.