Abstract

We discuss existing and new security notions for white-box cryptography and comment on their suitability for Digital Rights Management and Mobile Payment Applications, the two prevalent use-cases of white-box cryptography. In particular, we put forward indistinguishability for white-box cryptography with hardware-binding (IND-WHW) as a new security notion that we deem central. We also discuss the security property of application-binding and explain the issues faced when defining it as a formal security notion. Based on our proposed notion for hardware-binding, we describe a possible white-box competition setup which assesses white-box implementations w.r.t. hardware-binding. Our proposed competition setup allows us to capture hardware-binding in a practically meaningful way.

While some symmetric encryption schemes have been proven to admit plain white-box implementations, we show that not all secure symmetric encryption schemes are white-boxeable in the plain white-box attack scenario, i.e., without hardware-binding. Thus, even strong assumptions such as indistinguishability obfuscation cannot be used to provide secure white-box implementations for arbitrary ciphers. Perhaps surprisingly, our impossibility result does not carry over to the hardware-bound scenario. In particular, Alpirez Bock, Brzuska, Fischlin, Janson and Michiels (ePrint 2019/1014) proved a rather general feasibility result in the hardware-bound model. Equally important, the apparent theoretical distinction between the plain white-box model and the hardware-bound white-box model also translates into practically reduced attack capabilities as we explain in this paper.

Highlights

  • The white-box attack model was introduced in 2002 by Chow, Eisen, Johnson, and van Oorschot (CEJO [CEJvO03, CEJv03])

  • We study the considerations that lead to the deployment of white-box cryptography and explicate the expected security properties, in each of the application scenarios

  • As the attack threats on a Digital Rights Management (DRM) application differ from the attack threats on a mobile payment application, we discuss why the DRM-specific security notions might not be suitable for payment and that further security notions are needed

Summary

Introduction

The white-box attack model was introduced in 2002 by Chow, Eisen, Johnson, and van Oorschot (CEJO [CEJvO03, CEJv03]). In this model, we consider an adversary which is in complete control of the execution environment of a cryptographic program and which obtains the implementation code of the cryptographic program with an embedded secret key. Effective white-box decryption programs for DRM applications need to implement countermeasures against such code-lifting attacks. Mobile payment applications need protection against code-lifting attacks. The observations for both use cases discussed above show that a white-box program needs to achieve more than only security against key extraction and, in particular, that mitigating code-lifting attacks is central to the application of white-box cryptography. As the attack threats on a DRM application differ from the attack threats on a mobile payment application, we discuss why the DRM-specific security notions might not be suitable for payment and that further security notions are needed.

Security notions for white-box cryptography beyond DRM
On the Feasibility of White-Box Cryptography
Preliminaries and Notation
Basic Security Properties for White-Box Cryptography
On Security against Key Extraction and One-wayness
Confidentiality and Integrity
Hardware-Binding
On Application-Binding
Advanced White-box Competitions
On Generic Compilers in the Plain White-Box Model
Constructions from indistinguishability obfuscation
A White-Box Perspective on Sahai-Waters
A hardware-bound white-box payment application
Concluding Reflections
A Cryptographic Assumptions
B Separating example for one-wayness and confidentiality
E Proof of the Impossibility Result