Re: White-Box Cryptography

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 07/27/04


Date: Tue, 27 Jul 2004 17:23:32 +0000 (UTC)

Stanley Chow wrote:
>The definition of Barak et al. is nice for a
>number of reasons, but the bar is way too high.
>
> "Executable E obfuscates K in the White-Box sense" -
> attacker is given executable E, which has K (a key in this case)
> embedded inside; the attacker must not be able to extract K
> (or otherwise use K in anyway not performed by E)

Ok, this is helping me start to understand what you had in mind; thanks
for taking the time to write this out in more detail.

I agree it is a great goal to look for notions of obfuscation that are
weaker than that proposed by Barak et al. But I'm still not sure I see
how the White-box definition is any weaker than the Barak definition.
I think I probably need more explanation before I will understand.

There are two things an attacker might be able to do with E:
  1) The attacker might be able to learn something about K after
     running E many times without peeking at, or disrupting, the
     execution of E in any way. This is unavoidable. This is what
     Barak formalize as what you can compute given an oracle for E.
  2) The attacker might be able to learn something else about K by
     using the code of E somehow (other than what is available in
     case 1) above). Presumably this category includes everything
     you had in mind as "using K in any way not performed by E".
     But if the attacker can learn anything not already covered
     by case 1), Barak call it an insecure obfuscation.
So I'm having trouble understanding the White-Box definition of
obfuscation. It looks like every scheme that is a secure White-Box
obfuscation will also be a secure Barak obfuscation. Can you give me
any intuition how a scheme might fail to be secure in the Barak sense
but might nonetheless be secure in the White-Box sense?



Relevant Pages

  • Re: White-Box Cryptography
    ... > weaker than that proposed by Barak et al. ... > There are two things an attacker might be able to do with E: ... Barak call it an insecure obfuscation. ... It looks like every scheme that is a secure White-Box ...
    (sci.crypt)
  • Re: White-Box Cryptography
    ... > weaker than that proposed by Barak et al. ... > There are two things an attacker might be able to do with E: ... Barak call it an insecure obfuscation. ... It looks like every scheme that is a secure White-Box ...
    (sci.crypt)
  • Re: White-Box Cryptography
    ... > weaker than that proposed by Barak et al. ... > There are two things an attacker might be able to do with E: ... Barak call it an insecure obfuscation. ... It looks like every scheme that is a secure White-Box ...
    (sci.crypt)
  • Re: White-Box Cryptography
    ... >> 2) The attacker might be able to learn something else about K by ... Barak call it an insecure obfuscation. ... protect, but not a difference between what you're looking for when protecting ...
    (sci.crypt)
  • Re: Running White-Box AES backwards
    ... >>obfuscation to make a public key cipher out of a private key PRP. ... If we assume AES is secure, then the attacker ... private-key block cipher. ...
    (sci.crypt)