White-Box Cryptography: Formal Notions and (Im)possibility Results

A key research question in computer security is whether one can implement software that offers some protection against software attacks from its execution platform. While code obfuscation attempts to hide certain characteristics of a program P , white-box cryptography specifically focusses on software implementations of cryptographic primitives (such as encryption schemes); the goal of a white-box implementation is to offer a certain level of robustness against an adversary who has full access to and control over the implementation of the primitive. Several formal models for obfuscation have been presented before, but it is not clear if any of these definitions can capture the concept of white-box cryptography. In this paper, we discuss the relation between obfuscation and white-box cryptography, and formalize the notion of white-box cryptography by capturing the security requirement using a ‘White-Box Property’ (WBP). In the second part, we present positive and negative results on white-box cryptography. We show that for interesting programs (such as encryption schemes, and digital signature schemes), there are security notions that cannot be satisfied when adversaries have white-box access, while the notion is satisfied when the adversary has black-box access to its functionality. On the positive side, we show that there exists an obfuscator for a symmetric encryption scheme for which a useful security notion (such as CPA security) remains satisfied when an adversary has access to its white-box implementation.

[1]  Amir Herzberg,et al.  Towards a Theory of White-Box Security , 2009, SEC.

[2]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[3]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[4]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[5]  Louis Goubin,et al.  Cryptanalysis of white box DES implementations , 2007, IACR Cryptol. ePrint Arch..

[6]  Silvio Micali,et al.  Probabilistic encryption & how to play mental poker keeping secret all partial information , 1982, STOC '82.

[7]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[8]  Hoeteck Wee,et al.  On obfuscating point functions , 2005, STOC '05.

[9]  Dennis Hofheinz,et al.  Obfuscation for Cryptographic Purposes , 2007, Journal of Cryptology.

[10]  Bart Preneel,et al.  Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings , 2007, IACR Cryptol. ePrint Arch..

[11]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[12]  Satoshi Hada,et al.  Zero-Knowledge and Code Obfuscation , 2000, ASIACRYPT.

[13]  Amit Sahai,et al.  Positive Results and Techniques for Obfuscation , 2004, EUROCRYPT.

[14]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[15]  Paul C. van Oorschot,et al.  White-Box Cryptography and an AES Implementation , 2002, Selected Areas in Cryptography.

[16]  Yael Tauman Kalai,et al.  On the impossibility of obfuscation with auxiliary input , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[17]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[18]  Abhi Shelat,et al.  Securely Obfuscating Re-Encryption , 2007, Journal of Cryptology.

[19]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[20]  Olivier Billet,et al.  Cryptanalysis of a White Box AES Implementation , 2004, Selected Areas in Cryptography.

[21]  Guy N. Rothblum,et al.  On Best-Possible Obfuscation , 2007, TCC.

[22]  Paul C. van Oorschot,et al.  A White-Box DES Implementation for DRM Applications , 2002, Digital Rights Management Workshop.

[23]  Ran Canetti,et al.  Obfuscating Point Functions with Multibit Output , 2008, EUROCRYPT.