Paper 2021/767

White-box Cryptography with Device Binding from Token-based Obfuscation and more

Shashank Agrawal, Estuardo Alpirez Bock, Yilei Chen, and Gaven Watson


White-box cryptography has been proposed as a software countermeasure technique for applications where limited or no hardware-based security is available. In recent years it has been crucial for enabling the security of mobile payment applications. In this paper we continue a recent line of research on device binding for white-box cryptography. Device binding ensures that a white-box program is only executable on one specific device and is unusable elsewhere. Building on this, we ask the following question: is it possible to design a global white-box program which is compiled once, but can be securely shared with multiple users and bound to each of their devices? Acknowledging this question, we provide two new types of provably-secure constructions for white-box programs. First, we consider the use of Token-Based Obfuscation (TBO) and show that TBO can provide us a direct way to construct white-box programs with device-binding, as long as we can securely share a token generation key between the compiling entity and the device running the white-box program. This new feasibility result provides more general and efficient results than previously presented for white-box cryptography and demonstrates a new application of TBO not previously considered. We then consider a stronger family of global white-boxes, where secrets don't need to be shared between users and providers. We show how to extend approaches used in practice based on message recoverable signatures and validate our proposed approach, by providing a construction based on puncturable PRFs and indistinguishability obfuscation.

Available format(s)
Publication info
Preprint. MINOR revision.
White-box cryptographyObfuscationDevice-bindingMobile payments
Contact author(s)
estuardo alpirezbock @ gmail com
gawatson @ visa com
2021-06-09: received
Short URL
Creative Commons Attribution


      author = {Shashank Agrawal and Estuardo Alpirez Bock and Yilei Chen and Gaven Watson},
      title = {White-box Cryptography with Device Binding from Token-based Obfuscation and more},
      howpublished = {Cryptology ePrint Archive, Paper 2021/767},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.