Stanley T. Chow

White-Box Cryptography and an AES Implementation

Conventional software implementations of cryptographic algorithms are totally insecure where a hostile user may control the execution environment, or where co-located with malicious software. Yet current trends point to increasing usage in environments so threatened. We discuss encrypted-composed-function methods intended to provide a practical degree of protection against white-box (total access) attacks in untrusted execution environments. As an example, we show how AES can be implemented as a series of lookups in key-dependent tables. The intent is to hide the key by a combination of encoding its tables with random bijections representing compositions rather than individual steps, and extending the cryptographic boundary by pushing it out further into the containing application. We partially justify our AES implementation, and motivate its design, by showing how removal of parts of the recommended implementation allows specified attacks, including one utilizing a pattern in the AES SubBytes table.

A White-Box DES Implementation for DRM Applications

For digital rights management (drm) software implementations incorporating cryptography, white-box cryptography (cryptographic implementation designed to withstand the white-box attack context) is more appropriate than traditional black-box cryptography. In the white-box context, the attacker has total visibility into software implementation and execution. Our objective is to prevent extraction of secret keys from the program. We present methods to make such key extraction difficult, with focus on symmetric block ciphers implemented by substitution boxes and linear transformations. A des implementation (useful also for triple-des) is presented as a concrete example.

An Approach to the Obfuscation of Control-Flow of Sequential Computer Programs

In this paper we present a straightforward approach to the obfuscation of sequential program control-flow in order to design tamperresistant software. The principal idea of our technique is as follows: Let I be an instance of a hard combinatorial problem C, whose solution K is known. Then, given a source program ?, we implant I into ? by applying semantics-preserving transformations and using K as a key. This yields as its result an obfuscated program ?I,K, such that a detection of some property P of ?I,K, which is essential for comprehending the program, gives a solution to I. Varying instances I, we obtain a family ?C of obfuscated programs such that the problem of checking P for ?C is at least as hard as C. We show how this technique works by taking for C the acceptance problem for linear bounded Turing machines, which is known to be pspace-complete.