white-box crypto Was: consulting question....

Brecht Wyseur brecht.wyseur at esat.kuleuven.be
Thu May 28 05:27:53 EDT 2009


2009/5/27 Alexander Klimov <alserkli at inbox.ru>:
> On Tue, 26 May 2009, James Muir wrote:
>> There is some academic work on how to protect crypto in software from
>> reverse engineering.  Look-up "white-box cryptography".
>>
>> Disclosure:  the company I work for does white-box crypto.
>
> Could you explain what is the point of "white-box cryptography" (even
> if it were possible)?

White-box crypto is about implementing cryptographic primitives in
such a way that they remain /secure/ against software analysis. The
'white-box' refers to the fact that the adversary has full access to
the software implementation and control over its execution
environment.

The prior objective would obviously be the protection of secret keys
in key instantiated implementations of encryption schemes, but often
it goes beyond that. In some practical settings you would want the
resulting white-box implementations to behave as a public-key
primitive, as you mention below.

You can find formal definitions of white-box cryptography in a paper I
recently wrote: http://eprint.iacr.org/2008/273. More information on
white-box crypto you can find in my PhD dissertation of March this
year:
https://www.cosic.esat.kuleuven.be/publications/thesis-152.pdf

>
> If I understand correctly, the only plausible result is to be able to
> use the secret key cryptography as if it were the public-key one, for
> example, to have a program that can do (very slow, btw) AES
> encryption, but be unable to deduce the key (unable to decrypt). If
> this is the case, then why not use normal public-key crypto (baksheesh
> aside)?

Consider a DRM application that contains a key-instantiated decryption
algorithm and some authentication scheme. In that case you want to
prevent the extraction of the secret key, otherwise an adversary could
easily circumvent the authentication scheme. Deploying a public-key
cipher wouldn't help achieve this objective, since it is a matter of
how you implement the decryption operation and entangle it with the
authentication scheme.

Another example might be a mobile agent system, where a signing key
would need to be embedded in the software such that the agent can sign
contracts.

Regards,
Brecht
http://whiteboxcrypto.com

-- 
Brecht Wyseur
Katholieke Universiteit Leuven                      tel. +32 16 32 17 21
Dept. Electrical Engineering-ESAT / COSIC           fax. +32 16 32 19 69
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, BELGIUM    office 01.53

                       brecht.wyseur at esat.kuleuven.be
                   http://homes.esat.kuleuven.be/~bwyseur

                                                    P=NP if (P=0 or N=1)
GPG Pub key:     https://homes.esat.kuleuven.be/~bwyseur/pubkey
GPG Fingerprint: 890C 7C0B F1D9 597E F205 87C8 B716 D7D3 20F8 353F
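The post describes the white-box setting (the adversary can read the whole implementation) and the goal of keeping a key-instantiated implementation from giving up its key. The following is an added illustration, not code from the thread or from Brecht's work: a constructed toy byte cipher is first partially evaluated into lookup tables with the key folded in, and then those tables are wrapped in a random internal encoding in the style of the Chow et al. table-based constructions. The toy S-box, the three-byte key, and the function names are all assumptions made for the example, and the construction is a teaching aid, not a secure white-box cipher. It shows two things: the encoded tables compute exactly the same function as the keyed reference, and the round key that is readable straight out of the unencoded table is no longer readable from the encoded one.

```python
"""Toy white-box-style table implementation of a keyed byte cipher.

Constructed example: partially evaluate the key into lookup tables, then hide
the tables behind a random internal encoding that cancels at run time.
"""
import random

# Constructed toy 8-bit S-box: x -> 31*x + 99 mod 256. An odd multiplier makes
# this a bijection on bytes. It is NOT the AES S-box; it only needs to be
# invertible for the illustration.
SBOX = [(31 * x + 99) % 256 for x in range(256)]
SBOX_INV = [0] * 256
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def toy_encrypt(p: int, key: tuple) -> int:
    """Key-instantiated reference: two keyed substitution rounds, then whitening."""
    k1, k2, k3 = key
    return SBOX[SBOX[p ^ k1] ^ k2] ^ k3


def partial_evaluate(key: tuple):
    """Fold the key into two 256-entry tables. No encodings yet: this is what a
    naive 'hide the key in tables' approach ships."""
    k1, k2, k3 = key
    t1 = [SBOX[x ^ k1] for x in range(256)]          # round 1 with k1 baked in
    t2 = [SBOX[y ^ k2] ^ k3 for y in range(256)]     # round 2 with k2, k3 baked in
    return t1, t2


def first_round_key_from_plain_table(t1) -> int:
    """Check a reviewer should run on unencoded tables: t1[0] = SBOX[k1], so the
    first round key is simply SBOX_INV[t1[0]]. On an encoded table the same read
    returns an unrelated byte."""
    return SBOX_INV[t1[0]]


def whitebox_tables(key: tuple, encoding):
    """Chow-style internal encoding. `encoding` is a random byte bijection g; it is
    applied to t1's output and its inverse to t2's input, so g cancels when the
    tables are composed and only the encoded tables need to be deployed."""
    t1, t2 = partial_evaluate(key)
    g_inv = [0] * 256
    for x, y in enumerate(encoding):
        g_inv[y] = x
    wb1 = [encoding[t1[x]] for x in range(256)]   # g o T1
    wb2 = [t2[g_inv[y]] for y in range(256)]      # T2 o g^-1
    return wb1, wb2


def whitebox_encrypt(p: int, tables) -> int:
    """Run the deployed implementation: two table lookups, no key material."""
    wb1, wb2 = tables
    return wb2[wb1[p]]


def demo():
    """Build encoded tables with a seeded random encoding and report:
    (tables match the keyed cipher on all inputs, k1 read from the plain table,
     byte read from the encoded table by the same method)."""
    key = (0x3C, 0xA5, 0x17)                # constructed toy key
    g = list(range(256))
    random.Random(1234).shuffle(g)          # random internal encoding
    tables = whitebox_tables(key, g)
    all_match = all(whitebox_encrypt(p, tables) == toy_encrypt(p, key)
                    for p in range(256))
    t1, _ = partial_evaluate(key)
    plain_read = first_round_key_from_plain_table(t1)
    encoded_read = first_round_key_from_plain_table(tables[0])
    return all_match, plain_read, encoded_read


if __name__ == "__main__":
    ok, plain_k1, enc_k1 = demo()
    print(f"tables equivalent to keyed cipher: {ok}")
    print(f"k1 read from plain table:   0x{plain_k1:02x}")
    print(f"same read on encoded table: 0x{enc_k1:02x}")
```

The point of the encoding step is the one the post makes about implementation mattering more than the choice of primitive: the same function is computed either way, but the plain tables are just the key written in another notation, while the encoded tables force an analyst to reason about the composition of tables rather than read one entry. Real table-based designs (and the published attacks on them) are considerably more involved than this two-table toy.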
