International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Security Reductions for White-Box Key-Storage in Mobile Payments

Estuardo Alpirez Bock
Chris Brzuska
Marc Fischlin
Christian Janson
Wil Michiels
DOI: 10.1007/978-3-030-64837-4_8
Search ePrint
Search Google
Presentation: Slides
Abstract: The goal of white-box cryptography is to provide security even when the cryptographic implementation is executed in adversarially controlled environments. White-box implementations nowadays appear in commercial products such as mobile payment applications, e.g., those certified by Mastercard. Interestingly, there, white-box cryptography is championed as a tool for secure storage of payment tokens, and importantly, the white-boxed storage functionality is bound to a hardware functionality to prevent code-lifting attacks. In this paper, we show that the approach of using hardware-binding and obfuscation for secure storage is conceptually sound. Following security specifications by Mastercard and also EMVCo, we first define security for a white-box key derivation functions (WKDF) that is bound to a hardware functionality. WKDFs with hardware-binding model a secure storage functionality, as the WKDFs in turn can be used to derive encryption keys for secure storage. We then provide a proof-of-concept construction of WKDFs based on pseudorandom functions (PRF) and obfuscation. To show that our use of cryptographic primitives is sound, we perform a cryptographic analysis and reduce the security of our WKDF to the cryptographic assumptions of indistinguishability obfuscation and PRF-security. The hardware-functionality that our WKDF is bound to is a PRF-like functionality. Obfuscation helps us to hide the secret key used for the verification, essentially emulating a signature functionality as is provided by the Android key store. We rigorously define the required security properties of a hardware-bound white-box payment application (WPAY) for generating and encrypting valid payment requests. We construct a WPAY, which uses a WKDF as a secure building block. We thereby show that a WKDF can be securely combined with any secure symmetric encryption scheme, including those based on standard ciphers such as AES.
Video from ASIACRYPT 2020
  title={Security Reductions for White-Box Key-Storage in Mobile Payments},
  booktitle={Advances in Cryptology - ASIACRYPT 2020},
  author={Estuardo Alpirez Bock and Chris Brzuska and Marc Fischlin and Christian Janson and Wil Michiels},