31

What is a white-box implementation?

Does a white-box implementation have specific properties?

Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
ir01
  • 4,092
  • 3
  • 22
  • 31

2 Answers2

38

This article is a nice introduction to the concept of white-box cryptography. It can be viewed as the devious cousin of code obfuscation.

In simpler words: usually, security of a cryptographic algorithm is studied in the "black-box" model: e.g., for symmetric encryption, the attacker is given access to a "device" which runs the encryption algorithm with a given key, and can submit plaintexts and ciphertexts, the goal of the attacker being to be able to decrypt a given block without submitting that exact block as ciphertext. In the "grey-box" model, the attacker also has access to some partial side-channel information; this is where power analysis fits. In the "white-box" model, the attacker has full access to the internal state. The white-box model is meant for: "the algorithm runs as software on the attacker's own computer".

White-box cryptography is less ambitious, and correspondingly a bit less impossible, than the Holy Grail of video game vendors, namely preventing any kind of reverse engineering; WBC aims at protecting "just" cryptographic keys. WBC studies techniques by which a white-box implementation could be made, and also what security characteristics could be achieved assuming that a white-box implementation exists.

Brecht Wyseur wrote a PhD thesis on white-box cryptography (there is also a downloadable presentation). See also this site (from B. Wyseur).

Peter
  • 103
  • 4
Thomas Pornin
  • 88,324
  • 16
  • 246
  • 315
5

The goal of white-box cryptography is to build a compiler for a specific cryptographic algorithm (i.e., AES) such that given a randomly chosen key, it outputs an implementation hard-coded the key and it is hard for an adversary to extract the key. The key extraction is the most basic security notion for white-box cryptography, and it has been formulated as unbreakability in the literature. Besides, the authors also put forward several interesting and related security notions, intuitively:

  1. one-wayness means that it is difficult to reverse a white-box implementation.
  2. incompressibility means that it is hard to dramatically decrease the size of the implementation.
  3. traceability means white-box crypto could put some watermark, which is hard to remove, in order to trace the distribution of the software.

Recently, a large number of publications are discussing (indistinguishability) obfuscation, which seems to have a strong relationship with white-box crypto. Nevertheless, there is no clear link between these notions.

Junwei WANG
  • 371
  • 4
  • 8