2009/5/27 Alexander Klimov <alser...@inbox.ru>:
> On Tue, 26 May 2009, James Muir wrote:
>> There is some academic work on how to protect crypto in software from
>> reverse engineering. Look up "white-box cryptography".
>>
>> Disclosure: the company I work for does white-box crypto.
>
> Could you explain what is the point of "white-box cryptography" (even
> if it were possible)?

White-box crypto is about implementing cryptographic primitives in such a way that they remain /secure/ against software analysis. The 'white-box' refers to the fact that the adversary has full access to the software implementation and control over its execution environment. The prior objective would obviously be the protection of secret keys in key-instantiated implementations of encryption schemes, but often it goes beyond that. In some practical settings you would want the resulting white-box implementations to behave as a public-key primitive, as you mention below.

You can find formal definitions of white-box cryptography in a paper I recently wrote: http://eprint.iacr.org/2008/273. More information on white-box crypto you can find in my PhD dissertation of March this year. https://www.cosic.esat.kuleuven.be/publications/thesis-152.pdf

> If I understand correctly, the only plausible result is to be able to
> use the secret key cryptography as if it were the public-key one, for
> example, to have a program that can do (very slow, btw) AES
> encryption, but be unable to deduce the key (unable to decrypt). If
> this is the case, then why not use normal public-key crypto (baksheesh
> aside)?

Consider a DRM application that contains a key-instantiated decryption algorithm and some authentication scheme. In that case you want to prevent the extraction of the secret key, otherwise an adversary could easily circumvent the authentication scheme. Deploying a public-key cipher wouldn't help achieve this objective, since it is a matter of how you implement the decryption operation and entangle it with the authentication scheme.

Another example might be a mobile agent system, where a signing key would need to be embedded in the software such that the agent can sign contracts.

Regards,
Brecht

http://whiteboxcrypto.com
--
Brecht Wyseur
Katholieke Universiteit Leuven                            tel. +32 16 32 17 21
Dept. Electrical Engineering-ESAT / COSIC                 fax. +32 16 32 19 69
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, BELGIUM  office 01.53
brecht.wys...@esat.kuleuven.be
http://homes.esat.kuleuven.be/~bwyseur
P=NP if (P=0 or N=1)
GPG Pub key: https://homes.esat.kuleuven.be/~bwyseur/pubkey
GPG Fingerprint: 890C 7C0B F1D9 597E F205 87C8 B716 D7D3 20F8 353F
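Added example, not part of the original message and not the author's code: a sketch of what a "key-instantiated" implementation can look like for one AES byte step, showing why a bare key-dependent table protects nothing and what secret input/output encodings change. It goes beyond the message by using the table-based construction from the white-box literature (Chow et al.); the function names, key bytes and seed are constructed for illustration, and a single table in isolation says nothing about the security of a complete implementation.

```python
import random

def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """AES S-box: field inverse, then the affine map with constant 0x63."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for shift in range(5):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(s)
    return box

SBOX = aes_sbox()

def plain_table(k):
    """Key-instantiated table T[x] = S[x ^ k], no encodings."""
    return [SBOX[x ^ k] for x in range(256)]

def encoded_table(k, f, g):
    """T'[x] = g[S[f^-1[x] ^ k]], with f and g secret byte bijections."""
    f_inv = {v: i for i, v in enumerate(f)}
    return [g[SBOX[f_inv[x] ^ k]] for x in range(256)]

def key_from_plain_table(table):
    """Without encodings the table reveals the key byte: T[0] = S[k]."""
    return SBOX.index(table[0])

def equivalent_input_encoding(f, k, k_other):
    """Input encoding under which k_other gives the same table as k under f."""
    return [f[y ^ k ^ k_other] for y in range(256)]

def demo(k=0x2B, k_other=0x7E, seed=1):
    rng = random.Random(seed)  # constructed sample encodings
    f, g = rng.sample(range(256), 256), rng.sample(range(256), 256)
    f2 = equivalent_input_encoding(f, k, k_other)
    same = encoded_table(k, f, g) == encoded_table(k_other, f2, g)
    return key_from_plain_table(plain_table(k)), same
```

Because every candidate key byte is consistent with the encoded table under some input encoding, that table on its own carries no information about the key; the bare table gives it up in one lookup.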