WhibOx 2016

White-Box Cryptography and Obfuscation

August 2016, Santa-Barbara, California

WhibOx 2016 is a one-day workshop organized by CryptoExperts that will take place in Santa-Barbara, California, on Sunday 14th August 2016, in the same venue as CRYPTO 2016 and CHES 2016.

Workshop focus

On behalf of the ECRYPT CSA european initiative, CryptoExperts organizes WhibOx: a one-time workshop on white-box cryptography, and obfuscation. The workshop will be held on Sunday August 14, right before CRYPTO and CHES, also at UCSB. The program intends to cover the following themes:

  • What are white-box cryptography and (indistinguishability) obfuscation? How are they related together?
  • Constructions and attacks on practical white-box implementations.
  • Constructions and attacks on indistinguishability obfuscation.
  • Use cases showing the growing interest of the industry towards white-box cryptography and obfuscation, in particular in mobile payments or DRMs.

The workshop will be composed of invited presentations, and of a discussion session aiming at building a vision of the issues faced by theoretical and practical obfuscation, and how to address them.

Organized by


This workshop is part of the EU Horizon 2020 ECRYPT-CSA project.

Registration is mandatory.

Confirmed Speakers



Registration will start at 9:00.

Opening remarks (15 min)

Pascal Paillier

Session 1: Indistinguishability Obfuscation (1h30)

  • 09:15 – General-Purpose Obfuscation

    Amit Sahai

    The goal of general-purpose program obfuscation is to make an arbitrary computer program “unintelligible” while preserving its functionality. Obfuscation allows us to achieve a powerful capability: software that can keep a secret. This talk will cover recent advances in obfuscation research, yielding constructions of general-purpose obfuscation mechanisms based on mathematical structures.

  • 10:00 – 5Gen: a framework for prototyping applications using multilinear maps and matrix branching programs

    Mariana Raykova

    Secure multilinear maps (mmaps) have been shown to have remarkable applications in cryptography, such as program obfuscation and multi-input functional encryption (MIFE). To date, there has been little evaluation of the performance of these applications. In this paper we initiate a systematic study of mmap-based constructions. We build a general framework, called 5Gen, to experiment with these applications. At the top layer we develop an optimizing compiler that takes in a high-level program and compiles it to an optimized matrix branching program needed for the applications we consider. Next, we optimize and experiment with several obfuscators and MIFE constructions and evaluate their performance. The 5Gen framework is modular and can easily accommodate new mmap constructions as well as new obfuscators and MIFE constructions. 5Gen is an open-source tool that can be used by other research groups to experiment with a variety of mmap-based constructions.

Coffee Break (30 min)

Session 2: White-Box Cryptography (1h30)

  • 11:15 – From obfuscation to WBC: relaxation and security notions

    Matthieu Rivain

    White-box cryptography has attracted a growing interest from researchers in the last decade. Several white-box implementations of standard block-ciphers (DES, AES) have been proposed but they have all been broken. On the other hand, neither evidence of existence nor proofs of impossibility have been provided for this particular setting. This might be in part because it is still quite unclear what white-box cryptography really aims to achieve and which security properties are expected from white-box programs in applications. In this presentation, we will try to provide formal answers to these questions. We will first introduce the notion of white-box compiler that turns a symmetric encryption scheme into randomized white-box programs, and discuss how this notion relates to (cryptographically secure) obfuscation. We will then capture several desired security properties for white-box programs, which might be easier to reach than general (cryptographically secure) obfuscation. We will also give concrete examples of white-box compilers that already achieve some of these notions.

  • 12:00 – Towards secure whitebox cryptography

    Andrey Bogdanov

    Whitebox cryptography aims to provide security for cryptographic algorithms in an untrusted environment where the adversary has full access to their implementation. This setting poses a fundamental challenge to security designers. Indeed, most whitebox solutions published to date have been practically broken. This talk will be three-fold. First, we will show new attacks on existing whitebox schemes which use techniques from symmetric-key cryptanalysis such as integral, differential and linear attacks. Second, we will give our novel approach to guaranteeing key extraction and decomposition security of whitebox encryption by essentially reducing it to the classical security of block ciphers such as AES in the standard black box setting. Next, we will present several families of whitebox schemes together with rigorous security analysis, detailed implementation study, and real-world applications.

Lunch (1h15)

Session 3: White-Box Cryptography in Practice (1h45)

  • 14:00 – Practical white-box topics: design and attacks I

    Joppe Bos

    In this first part of practical white-box topics presentation I will discuss the approach used in practice to convert standardized symmetric cryptographic primitives (AES and DES) into white-box implementations. Next, I will present a new way to perform security assessment on such white-box implementations. I will show how our open source plugins to widely available dynamic binary instrumentation frameworks can create software execution traces which contain information about the memory addresses being accessed during execution. Such software traces can be used in a differential computation analysis (DCA) attack to extract the secret embedded key by identifying secret-key dependent correlations. Finally, I will briefly discuss some ideas to counter such attacks.

  • 14:30 – Practical white-box topics: design and attacks II

    Marc Witteman

    The second practical white-box talk will address techniques to speed up analysis, or offer an alternative approach to attack implementations that have basic protection against DCA.

    • Data pre-processing
      Due to size of the memory to observe, and obfuscated bloated code, an attacker often needs to collect huge amounts of samples during a single crypto execution. We discuss how this data can be compressed to reduce computational complexity, and which analysis techniques are then used to identify the relevant part of the leaked data.
    • Differential Fault Analysis
      Another way to attack a crypto implementation is to inject faults in intermediate data, and use mathematical analysis to derive the key from corrupted outputs. This technique requires additional reverse engineering of the WBC implementation as the faults must be injected at a specific moment of execution. But this can be more efficient than DCA in case the implementation is protected by countermeasures.

  • 15:00 – Evolution of WBC: from table-based implementations to recent designs

    Mike Wiener

    The first published White-Box Cryptography (WBC) implementations consisted almost exclusively of look-up tables. We will explain, at a high level, how these table-based methods work. However, these methods have been thoroughly broken in a number of different ways. Since then, few people publish their improved designs. We have been working on different approaches that eliminate tables and rely more heavily on software protection methods. In particular, we seek to prevent powerful Differential Fault Analysis (DFA) and Differential Computation Analysis (DCA) attacks.

Coffee Break (30 min)

Session 4: Industrial Applications (45 min)

  • 16:15 – Let's get real! We need WBC and Io

    Brecht Wyseur

    In the talk, we give a view on white-box crypto and obfuscation R&D from an industrial perspective. We present industry needs, and what industry is doing to fulfil these needs, and compare this with the academic output. From this presentation, the gap between industrial needs and academic research will be clear. For example, so far the main focus in white-box cryptography has been on fixed-key implementations of symmetric key algorithms. But what industry needs are also 'dynamic-key' implementations and implementations of public key algorithms.

Open Discussion and Closing Remarks (30 min)

Hosted by Pascal Paillier


Workshop Will Be Held At

University Center State Street Room, UCSB campus

Santa Barbara, California.

(Same venue as CRYPTO and CHES 2016)