International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

On the Security Goals of White-Box Cryptography

Authors:
Estuardo Alpirez Bock , Aalto University, Finland
Alessandro Amadori , Technische Universiteit Eindhoven, Netherlands
Chris Brzuska , Aalto University, Finland
Wil Michiels , Technische Universiteit Eindhoven, Netherlands; NXP Semiconductors, Netherlands
Download:
DOI: 10.13154/tches.v2020.i2.327-357
URL: https://tches.iacr.org/index.php/TCHES/article/view/8554
Search ePrint
Search Google
Presentation: Slides
Abstract: We discuss existing and new security notions for white-box cryptography and comment on their suitability for Digital Rights Management and Mobile Payment Applications, the two prevalent use-cases of white-box cryptography. In particular, we put forward indistinguishability for white-box cryptography with hardware-binding (IND-WHW) as a new security notion that we deem central. We also discuss the security property of application-binding and explain the issues faced when defining it as a formal security notion. Based on our proposed notion for hardware-binding, we describe a possible white-box competition setup which assesses white-box implementations w.r.t. hardware-binding. Our proposed competition setup allows us to capture hardware-binding in a practically meaningful way.While some symmetric encryption schemes have been proven to admit plain white-box implementations, we show that not all secure symmetric encryption schemes are white-boxeable in the plain white-box attack scenario, i.e., without hardware-binding. Thus, even strong assumptions such as indistinguishability obfuscation cannot be used to provide secure white-box implementations for arbitrary ciphers. Perhaps surprisingly, our impossibility result does not carry over to the hardware-bound scenario. In particular, Alpirez Bock, Brzuska, Fischlin, Janson and Michiels (ePrint 2019/1014) proved a rather general feasibility result in the hardware-bound model. Equally important, the apparent theoretical distinction between the plain white-box model and the hardware-bound white-box model also translates into practically reduced attack capabilities as we explain in this paper.
Video from TCHES 2020
BibTeX
@article{tches-2020-30164,
  title={On the Security Goals of White-Box Cryptography},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 2},
  pages={327-357},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8554},
  doi={10.13154/tches.v2020.i2.327-357},
  author={Estuardo Alpirez Bock and Alessandro Amadori and Chris Brzuska and Wil Michiels},
  year=2020
}