White-Box Cryptography logo

White-box cryptography turns a keyed cryptographic algorithm into an unintelligible program with the same functionality. The white-box secure program can then be executed in an untrusted environment without fear of exposing the underlying keys. The code itself is tamper-proof, just as a secure element.

Who can I contact?

Dr. Matthieu Rivain

Matthieu Rivain, PhD

Senior Security Expert


Dr. Pascal Paillier

Pascal Paillier, PhD

CEO, Senior Security Expert


Prof. Louis Goubin

Prof. Louis Goubin

Scientific Advisor


Related technology

Embedded Cryptographic Libraries

Give us the instruction set of your microcontroller and we do the rest.

We have more than 16 years of experience in developing and delivering cycle-accurate optimized cryptographic libraries. Our software can be declined on a variety of hardware platforms and support standard and advanced cryptographic algorithms.


The core concept of white-box cryptography

Assume you want to give somebody the ability to decrypt AES ciphertexts under a certain key without giving them the key itself. You can think of a DRM mechanism, for instance, where subscribers must access the secured digital content but should not be able to publish their own key over the Internet.

Hardcoding the key into a ‘‘simple’’ program that just performs decryption with it is not good enough, because disassembly/decompilation techniques are likely to recover it effortlessly. A (more intricate) program that resists such reverse-engineering and successfully keeps the key hidden is said to be white-box secure.

White-box cryptography considers the worst-case attack model where users themselves are malicious and assumed to have full control over the cryptographic program and its execution environment. The goal of the white-box cryptographer is to create a tamper-resistant program that can be safely executed in such an untrusted environment.

A white-box technology consists of a program-generating compiler that, for some specific cryptographic algorithm, takes as input a secret key and produces a white-box secure program that implements the cryptographic algorithm with the specified secret key. Anyone in control of the generated program can execute it on any input and get the expected output, but is unable to learn anything more than such input-output pairs. The white-box program remains unintelligible and securely hides the secret key, just as trusted hardware would.

Use-cases of white-box cryptography

Applications of white-box cryptography are numerous. Here are two typical examples.

EMV payments on NFC-enabled smartphones without secure element

As per the EMV specifications, transactions are validated through the generation of an ISO/IEC 9797 message authentication code (MAC) based on 3DES. Since transaction data provided by the PoS terminal are largely unpredictable, the phone requires the ability to produce MACs dynamically. However, leaking the 3DES key involved would allow an attacker to steal it and complete a rogue payment without the user’s knowledge or consent. When trusted hardware is not available, making use of a white-box implementation of the 3DES MAC algorithm may greatly mitigate the risks of key retrieval.

Software DRM mechanisms for digital contents

Digital Right Management (DRM) is a set of techniques whereby subscribers get access to a protected content under a number of conditions (access rights). Video on-demand and mobile TV are typical examples of DRM-protected services. Here again, in the absence of a hardware cryptographic module, a white-box implementation of the content decryption algorithm under an individual user key prevents the key from being recovered and re-used by third-parties (piracy based on key sharing and redistribution).

Ideally, one should combine the white-box approach with the use of an advanced encryption mechanism that supports many individual decryption keys that can be traced back to the subscribers they were initially assigned to. The STONE encryption mechanism, a technology developed by CryptoExperts, precisely ensures the traceability of keys and enjoys optimal efficiency.

White-box secure digital signatures

General-purpose digital signatures are the core ingredient of the numerous security applications that require undeniable user consent and/or remote entity authentication.

In Europe, the 99/93/EC eSignature directive on electronic signatures used to impose the embedding of signing keys into trusted hardware such as certified smart cards. Starting from July 1, 2016, the new eIDAS regulation will supersede the eSignature directive, generalize the legal recognition of digital signatures across Europe and will relax the requirement of using trusted hardware.

This opens the way to software-only signature generation in a huge number of contexts such as remote access control and contract signing, most particularly on mobile phones and IoT devices. Adopting the white-box approach mitigates the risks of practical key recovery and protects all players against identity theft and other threats such as the voluntary sharing of access rights.

What do we offer?

Custom white-box implementations

CryptoExperts offers beyond-state-of-the-art white-box implementations finely tuned to meet customer-specific requirements. Our white-box implementations are secure by design against any known white-box cryptanalysis technique. We design and develop unique instantiations on demand, taking into account the nature of the cryptographic algorithm in hand and the execution environment. The property rights pertaining to the custom solution are fully transferred to the customer.

Our upcoming white-box technology

CryptoExperts is currently developing its own technology of white-box cryptography, wherein key recovery necessarily requires the breaking of a computational barrier. This project is currently in R&D stage. We expect our technology to be available for licensing in 2016.

Related publications

  • White-Box Security Notions for Symmetric Encryption Schemes.
    portrait ofCécile Delerablée, Tancrède Lepoint, portrait ofPascal Paillier, portrait ofMatthieu Rivain.
    In Selected Areas in Cryptography 2013, pp. 247-264, 2013.
  • Two Attacks on a White-Box AES Implementation.
    Tancrède Lepoint, portrait ofMatthieu Rivain, Yoni De Mulder, Peter Roelse, Bart Preneel.
    In Selected Areas in Cryptography 2013, pp. 265-285, 2013.
  • Cryptanalysis of White Box DES Implementations.
    portrait ofLouis Goubin, Jean-Michel Masereel, Michaël Quisquater.
    In Selected Areas in Cryptography 2007, pp. 278-295, 2007.