Abstract: The white-box attack model was introduced in 2002 by Chow, Eisen, Johnson and van Oorschot. In this attack model, we consider an adversary who gets access to the implementation code of a cryptographic algorithm with an embedded secret key. Additionally, the adversary is assumed to be in control of the execution environment of the implementation. White-box cryptography aims to maintain an implementation secure, even in the presence of such a strong adversary. White-box crypto has been widely deployed to protect digital rights management (DRM) applications and more recently, mobile payment applications. Since its introduction, a number of candidate designs for white-box AES and DES have been proposed. Unfortunately, all of these candidates have been subject to key extraction attacks, and it is not clear which level of security white-box cryptographic implementations can achieve in real life.
In this lecture, we will study the foundations of white-box cryptography, explaining its application scenarios and its security goals. As we explain, the security properties expected from a white-box program may vary depending on the use case we are considering. In this line, we will study formal security notions for white-box cryptography introduced in the literature and discuss their usefulness. Additionally, we will take a look at provably secure constructions which achieve security in these white-box models. While some constructions may achieve security under strong assumptions (e.g. indistinguishability obfuscation), these feasibility results serve as a conceptual validation for how white-box crypto is implemented in real life. Finally, we will take a look at popular attacks on white-box implementations of AES and show how their effectiveness is reflected on recent capture-the-flag competitions.
The slide is available here