31

What is a white-box implementation?

Does a white-box implementation have specific properties?

Paŭlo Ebermann
  • 22,656
  • 7
  • 79
  • 117
ir01
  • 3,992
  • 3
  • 21
  • 31

2 Answers2

38

This article is a nice introduction to the concept of white-box cryptography. It can be viewed as the devious cousin of code obfuscation.

In simpler words: usually, security of a cryptographic algorithm is studied in the "black-box" model: e.g., for symmetric encryption, the attacker is given access to a "device" which runs the encryption algorithm with a given key, and can submit plaintexts and ciphertexts, the goal of the attacker being to be able to decrypt a given block without submitting that exact block as ciphertext. In the "grey-box" model, the attacker also has access to some partial side-channel information; this is where power analysis fits. In the "white-box" model, the attacker has full access to the internal state. The white-box model is meant for: "the algorithm runs as software on the attacker's own computer".

White-box cryptography is less ambitious, and correspondingly a bit less impossible, than the Holy Grail of video game vendors, namely preventing any kind of reverse engineering; WBC aims at protecting "just" cryptographic keys. WBC studies techniques by which a white-box implementation could be made, and also what security characteristics could be achieved assuming that a white-box implementation exists.

Brecht Wyseur wrote a PhD thesis on white-box cryptography (there is also a downloadable presentation). See also this site (from B. Wyseur).

Peter
  • 103
  • 4
Thomas Pornin
  • 86,974
  • 16
  • 242
  • 314
  • 1
    Am I correct that DRM and protecting proprietary software are the only valid use cases? – Demi Mar 24 '16 at 14:55
  • Not necessarily. If you are operating in some hostile environment and are defending against a "man-at-the-end" attack, WBC is applicable. – samoz May 29 '16 at 16:53
  • 1
    Very common use case is to protect data on mobile devices from even the user especially on open systems like Android (e.g. HCE payment) – Patrick Feb 05 '18 at 12:17
5

The goal of white-box cryptography is to build a compiler for a specific cryptographic algorithm (i.e., AES) such that given a randomly chosen key, it outputs an implementation hard-coded the key and it is hard for an adversary to extract the key. The key extraction is the most basic security notion for white-box cryptography, and it has been formulated as unbreakability in the literature. Besides, the authors also put forward several interesting and related security notions, intuitively:

  1. one-wayness means that it is difficult to reverse a white-box implementation.
  2. incompressibility means that it is hard to dramatically decrease the size of the implementation.
  3. traceability means white-box crypto could put some watermark, which is hard to remove, in order to trace the distribution of the software.

Recently, a large number of publications are discussing (indistinguishability) obfuscation, which seems to have a strong relationship with white-box crypto. Nevertheless, there is no clear link between these notions.

Junwei WANG
  • 361
  • 4
  • 8