Re: White-Box Cryptography
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: Tue, 27 Jul 2004 17:23:32 +0000 (UTC)
Stanley Chow wrote:
>The definition of Barak et al. is nice for a
>number of reasons, but the bar is way too high.
> "Executable E obfuscates K in the White-Box sense" -
> attacker is given executable E, which has K (a key in this case)
> embedded inside; the attacker must not be able to extract K
> (or otherwise use K in anyway not performed by E)
Ok, this is helping me start to understand what you had in mind; thanks
for taking the time to write this out in more detail.
I agree it is a great goal to look for notions of obfuscation that are
weaker than that proposed by Barak et al. But I'm still not sure I see
how the White-box definition is any weaker than the Barak definition.
I think I probably need more explanation before I will understand.
There are two things an attacker might be able to do with E:
1) The attacker might be able to learn something about K after
running E many times without peeking at, or disrupting, the
execution of E in any way. This is unavoidable. This is what
Barak formalize as what you can compute given an oracle for E.
2) The attacker might be able to learn something else about K by
using the code of E somehow (other than what is available in
case 1) above). Presumably this category includes everything
you had in mind as "using K in any way not performed by E".
But if the attacker can learn anything not already covered
by case 1), Barak call it an insecure obfuscation.
So I'm having trouble understanding the White-Box definition of
obfuscation. It looks like every scheme that is a secure White-Box
obfuscation will also be a secure Barak obfuscation. Can you give me
any intuition how a scheme might fail to be secure in the Barak sense
but might nonetheless be secure in the White-Box sense?