Academic research in white-box cryptography can be categorized into three activities.

An in-depth overview can be found in my PhD dissertation, which is a snapshot of the state of the art as it was in 2009, or in some other overview papers listed here:
  • Brecht Wyseur, "White-Box Cryptography", PhD thesis, Katholieke Universiteit Leuven, B. Preneel (promotor), 169+32 pages, March 2009. [Dissertation ] [PhD defense presentation ]
  • Brecht Wyseur, "white-box cryptography: hiding keys in software", MISC magazine, April 2012.

White-box implementations and cryptanalysis results

    A selection of the state of the art:


  • White-Box DES
    • S. Chow, P. Eisen, H. Johnson, P.C. van Oorschot. A White-box DES Implementation for DRM Applications. In Proceedings of 2nd ACM Workshop on Digital Rights Management (DRM 2002), volume 2696 of Lecture Notes in Computer Science, pages 1-15. Jan 13, 2003 version: ps.
    • Matthias Jacob, Dan Boneh, and Edward Felten. Attacking an obfuscated cipher by injecting faults. In Proceedings of 2nd ACM Workshop on Digital Rights Management (DRM 2002), volume 2696 of Lecture Notes in Computer Science.
    • Hamilton E. Link, William D. Neumann. Clarifying Obfuscation: Improving the Security of White-Box DES. ITCC (1) 2005, pages 679-684.
    • B. Wyseur, and Bart Preneel: Condensed White-Box Implementations In Proceedings of the 26th Symposium of Information Theory in the Benelux, 2005
    • Louis Goubin, Jean-Michel Masereel, and Michael Quisquater. Cryptanalysis of White-Box DES Implementations. Cryptology ePrint Archive, Report 2007/035, 2007. http://www.eprint.iacr.org/.
    • Brecht Wyseur, Wil Michiels, Paul Gorissen, and Bart Preneel. Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings. Cryptology ePrint Archive, Report 2007/104, 2007. http://www.eprint.iacr.org/.
  • White-Box AES
    • S. Chow, P. Eisen, H. Johnson, P.C. van Oorschot. White-Box Cryptography and an AES Implementation. In 9th Annual Workshop on Selected Areas in Cryptography (SAC 2002), Aug.15-16 2002, St. John's, Canada. Proceedings (revised papers): pp.250-270, Springer LNCS 2595 (2003). Sept.30 2002 version: ps. Earlier version (pre-proceedings): ps.
    • Olivier Billet, Henri Gilbert, Charaf Ech-Chatbi. Cryptanalysis of a White Box AES Implementation. In Selected Areas in Cryptography 2004 (SAC 2004), pages 227-240.
    • Julien Bringer, Herve Chabanne, and Emmanuelle Dottax. White Box Cryptography: A New Attempt, Cryptology ePrint Archive, Report 2006/468, 2006
    • Yoni De Mulder, Brecht Wyseur, and Bart Preneel, Cryptanalysis of a Perturbated White-box AES Implementation, In Progress in Cryptology - INDOCRYPT 2010, Lecture Notes in Computer Science 6498, K. Chand Gupta, and G. Gong (eds.), Springer-Verlag, pp. 292-310, 2010.
    • Y. De Mulder, P. Roelse, and B. Preneel, Cryptanalysis of the Xiao - Lai White-Box AES Implementation, In Selected Areas in Cryptography, 19th Annual International Workshop, SAC 2012, Lecture Notes in Computer Science, Springer-Verlag, 16 pages, 2012.


    White-box cryptography is often linked with code obfuscation, since both aim to protect software implementations. Both have received similar scepticism on its feasibility and lack of theoretic foundations. Theoretic research on code obfuscation gained momentum with the seminal paper of Barak et al. Barak01] who showed that it is impossible to construct a generic obfuscator i.e. an obfuscator that can protect any given program. Barak et al. constructed a family of functions that cannot be obfuscated; exploiting the fact that software can always be copied preserving its functionality. Nevertheless, this result does not exclude the existence of secure code obfuscators: Wee [Wee05] presented a provably secure obfuscator for a point function, which can be exploited in practice to construct authentication functionalities.

    Similar theoretic approaches have been conceived for white-box cryptography in [Sax09]. The main difference between code obfuscation and white-box cryptography is that the security of the latter needs to be validated with respect to security notions. A security notion is a formal description of the security of a cryptographic scheme. For example, a scheme is defined CPA-secure if an attacker cannot compute the plaintext from a given ciphertext, or KR-secure when the secret key cannot be recovered.

    It makes sense to define white-box cryptography accordingly since it reflects more reality. Indeed, it does not suffice to only protect an application against extraction of embedded secret keys. For example, to create the equivalent of a smart-card-based AES encryption function in software, it does not suffice that the white-box implementation resists extraction of its embedded key, but it must also be hard to invert. In [Sax09], Saxena and Wyseur have shown that some security notions can never be satisfied in software (IND-CCA2), and they have presented a provably secure construction with respect to the IND-CPA security notion.


  • B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On the (Im)possibility of Obfuscating Programs. In Advances in Cryptology - CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 1-18. Springer-Verlag, 2001.
  • B. Lynn, M. Prabhakaran, and A. Sahai. Positive Results and Techniques for Obfuscation. In Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 20-39. Springer-Verlag, 2004.
  • Hoeteck Wee. On Obfuscating Point Functions. In Proceedings of the 37th ACM Symposium on Theory of Computing (STOC 2005), pages 523-532.
  • Shafi Goldwasser and Yael Tauman Kalai. On the Impossibility of Obfuscation with Auxiliary Input. In Proceedings of the 46th Symposium on Foundations of Computer Science (FOCS 2005), IEEE Computer Society, pages 553-562.
  • Dennis Hofheinz, John Malone-Lee, and Martijn Stam. Obfuscation for Cryptographic Purposes. In Proceedings of 4th Theory of Cryptography Conference (TCC 2007), volume 4392 of Lecture Notes in Computer Science, pages 214-232. Springer-Verlag, 2007.
  • Susan Hohenberger, Guy Rothblum, Abhi Shelat, and Vinod Vaikuntanathan. Securely Obfuscating Re-Encryption. In Proceedings of 4th Theory of Cryptography Conference (TCC 2007), volume 4392 of Lecture Notes in Computer Science, pages 233-252. Springer-Verlag, 2007.
  • A. Saxena, B. Wyseur, and B. Preneel, Towards Security Notions for White-Box Cryptography, In Information Security - 12th International Conference, ISC 2009, Lecture Notes in Computer Science 5735, C. A. Ardagna, F. Martinelli, P. Samarati, and M. Yung (eds.), Springer-Verlag, 10 pages, 2009.
  • Ran Canetti and Mayank Varia. Non-Malleable Obfuscation. In Proceedings of 6th Theory of Cryptography Conference (TCC 2009), volume 5444 of Lecture Notes in Computer Science, pages 73-90. Springer, 2009.



  • March 2009 -- slides PhD defense