

Differential Computation Analysis: Hiding your White-Box Designs is Not Enough [pdf] - joedrew
http://eprint.iacr.org/2015/753.pdf

======
tptacek
White-box crypto is a neat idea: in essence, it encrypts the implementation of
the cipher, transforming straightforward efficient assembly implementations of
AES into huge, difficult-to-analyze sequences of instructions that are
themselves expressive of a higher-level cipher. The goal is to ship to
customers an implementation of a cipher that bakes the key in, in such a way
that it's cryptographically difficult to extract the key and then use it in a
different implementation of the same cipher.

This is, cryptographically speaking, a stretch. In 2004 it got much stretchier
when Billet broke one of the best known AES white-box schemes; you can google
"white box BGE attack" for the details.

Section 2 of this paper is a pretty good overview of white box crypto and the
well-known attacks on it.

Worth mentioning: a big application for white-box crypto is DRM and content
protection. In a DRM setting, defenders are not concerned with _absolute_
protection against attacks, but rather _economic_ protection: it should cost
more to break a DRM scheme than a piece of content is worth. It's still
possible that white-box crypto can provide that level of assurance for some
kinds of content. For instance, with DRM'd movies, studios are mostly
concerned about the new-release window; if it takes 2x the new-release window
to break a white-box DRM scheme, the studios are probably fine with that.

~~~
pbsd
> This is, cryptographically speaking, a stretch.

Not only that, this transforms any symmetric-key encryption scheme into a
public-key encryption scheme---share the obfuscated "white-box" code as the
public-key for encryption, and use the deobfuscated code for decryption. (The
recent cryptographic obfuscation breakthroughs should also be able to do
something close to this, but at a ludicrous computational cost, and who knows
what the security of it actually is.)

The news in this paper is the semi-automation of the attacks using
side-channel techniques. I wonder how this would fare with a white-box cipher
that used standard DPA countermeasures. I suppose that in the white-box setting
there is no guarantee of good randomness, so by zeroing the randomness source
attacks similar to this paper's could be mounted.
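The point about countermeasures and randomness can be checked with a standard defender-side leakage assessment rather than an attack. The following is an added, constructed example (not code from the paper or the thread): it simulates DCA-style "traces" as the Hamming weight of each value a Boolean-masked 4-bit S-box round writes to memory, then runs the usual fixed-vs-random Welch t-test over the traces. The PRESENT S-box stands in for a cipher round, and the key nibble, the fixed input and the |t| > 4.5 threshold are assumptions chosen for the demonstration. With a working mask source no sample point exceeds the threshold; with the randomness source zeroed, the masked output share collapses to the unmasked value and the test flags it immediately.

```python
"""Fixed-vs-random (TVLA-style) leakage assessment on simulated traces of a
Boolean-masked 4-bit S-box, with and without a working randomness source.
Added, constructed example; not code from the paper being discussed."""
import math
import random

# PRESENT 4-bit S-box, used here as a stand-in for one cipher round.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
KEY = 0xA          # constructed secret nibble "baked into" the implementation
FIXED_INPUT = 0x3  # constructed fixed input for the fixed-vs-random test
THRESHOLD = 4.5    # conventional |t| threshold for first-order leakage


def hw(v):
    """Hamming weight: the usual leakage model for a value written to memory."""
    return bin(v).count("1")


def round_trace(x, mask):
    """One simulated trace: Hamming weight of each value the masked round
    writes to memory (in DCA these would be recorded memory-access values).
    The three shares are the mask m, the masked input x^m and the masked
    output S(x^k)^m; the masked S-box is modelled by its result only."""
    masked_in = x ^ mask
    masked_out = SBOX[x ^ KEY] ^ mask
    return [hw(mask), hw(masked_in), hw(masked_out)]


def welch_t(a, b):
    """Welch's t statistic between two sample groups at one trace point."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((v - ma) ** 2 for v in a) / (na - 1)
    vb = sum((v - mb) ** 2 for v in b) / (nb - 1)
    denom = math.sqrt(va / na + vb / nb)
    if denom == 0.0:               # both groups constant: no difference or a certain one
        return 0.0 if ma == mb else math.inf
    return (ma - mb) / denom


def leakage_assessment(randomness_ok, n=2000, seed=1):
    """Collect n fixed-input and n random-input traces and return the t
    statistic per trace point. randomness_ok=False models a zeroed mask
    source, i.e. the white-box setting the comment above describes."""
    rng = random.Random(seed)
    fixed, rand = [], []
    for _ in range(n):
        for group, x in ((fixed, FIXED_INPUT), (rand, rng.randrange(16))):
            mask = rng.randrange(16) if randomness_ok else 0
            group.append(round_trace(x, mask))
    return [welch_t([t[i] for t in fixed], [t[i] for t in rand])
            for i in range(3)]


def leaks(randomness_ok, **kw):
    """True if any trace point exceeds the first-order leakage threshold."""
    return max(abs(t) for t in leakage_assessment(randomness_ok, **kw)) > THRESHOLD


if __name__ == "__main__":
    print("masks random :", leakage_assessment(True), "leaks:", leaks(True))
    print("masks zeroed :", leakage_assessment(False), "leaks:", leaks(False))
```

The t-test only tells you that a point in the trace depends on the input group, not what the key is, which is why it is the tool a defender runs on their own masked build. Note the test's known caveat: points that depend on the public input alone (here the masked-input share when the mask is zero) can also be flagged, so a positive result is a prompt to look at which intermediate value leaks, not proof of key recovery by itself.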

