14

Help me understand the following. With WBC, the question is mainly stated as: can one try to break the WBC to identify the key? My question is: why would one ever want to do that anyway?

If one can locate the WBC itself, it should be enough to enc/dec anything she wants with the embedded key. To me it comes down to a chicken-and-egg problem, where now one would need to "hide" the WBC itself within the code to make it at all practical.

Mike Edward Moras
WBC

4 Answers

9

This is an excellent question. Unfortunately, I'm afraid I don't know of any really convincing answer.

In principle, one possible application of white-box cryptography would be to build a public-key cipher out of a symmetric-key cipher. If you could build a white-box cryptographic implementation of AES encryption (say) where no one can recover the key nor figure out how to perform the decryption process, you'd have a public-key cipher.

However in practice I don't think that's actually the motivation for most work on white-box cryptography. For instance, most published white-box crypto schemes can be easily inverted: given a white-box implementation of encryption, you can easily derive a white-box implementation of decryption. Most published schemes focus on preventing you from recovering the key, instead of preventing you from figuring out how to perform the decryption process. So, building a public-key cipher does not appear to be their motivation.

I don't know any really good answer to your question. I know of two not-very-good answers:

  • One possible answer is that the code of the white-box cipher might be a lot larger than the key, and if a cracker wants to share it with others, they'll have to spend a lot more bandwidth sharing it than they would sharing the key. However, this seems very weak and unconvincing.

  • Another possible answer is that white-box encodings are usually randomized: you can give a million people a randomized white-box implementation of AES decryption under key $K$ (the same key for everyone, but they each get a separately randomized white-box implementation). Thus, if someone shares the code of their white-box decryptor, it uniquely identifies them. However, in practice, this doesn't seem like a very effective defense against copyright infringement (prosecution is usually too expensive, and false identity too easy to forge).

So, I'm afraid I don't know of a strong practical motivation for white-box crypto. Maybe someone else will have a better answer for you.

D.W.
7

The initial motivation was as follows. If you do not know the key, you are bound to a particular implementation even if you can invert the encryption. The implementation might have some sort of backdoor, which might reveal the attacker's identity.

I do not know how relevant this thinking was, but it was pursued in the mid-00s.

Dmitry Khovratovich
3

A good white-box implementation does not just implement AES.

Rather, it implements $G(AES(F^{-1}(x)))$ for a plaintext $x$. These functions $F$ and $G$ are called external encodings and are baked into the white-box.

Now, to use this cryptographic part, you need to undo / apply the encodings elsewhere in your code (usually that code is terribly obfuscated).

This way an attacker cannot just attack the white-box, but has to reverse engineer the rest of the program.

So now the attacker has two choices:

  1. break the white-box and get the key (once he has that the encodings are easy as well).
  2. break the rest of the program and get through all the obfuscated parts.

Both are not easy to do (though not impossible).

Also, the white-box only does encryption OR decryption, not both.

Paŭlo Ebermann
Matty
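The external-encoding construction from the answer above, as an added example that is not part of the original post: a constructed 8-bit toy cipher stands in for AES, and random byte permutations stand in for $F$ and $G$. All names, the key and the seeds are assumptions made for illustration.

```python
import random

def toy_cipher_table(key):
    """Constructed 8-bit toy cipher E_k as a lookup table (stand-in for AES, not secure)."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    return table

def random_encoding(seed):
    """A random byte permutation, used here as an external encoding F or G."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return perm

def invert(perm):
    inv = [0] * 256
    for i, v in enumerate(perm):
        inv[v] = i
    return inv

def build_whitebox(key, F, G):
    """Table shipped to the device: T[x] = G(E_k(F^-1(x))). Key and encodings are merged."""
    E, F_inv = toy_cipher_table(key), invert(F)
    return [G[E[F_inv[x]]] for x in range(256)]

def reference_encrypt(key, data):
    """Plain E_k applied byte by byte (what an interoperable peer expects)."""
    E = toy_cipher_table(key)
    return bytes(E[b] for b in data)

def app_encrypt(T, F, G, data):
    """The surrounding application: apply F before the table and undo G after it."""
    G_inv = invert(G)
    return bytes(G_inv[T[F[b]]] for b in data)

def lifted_table_only(T, data):
    """Output of the extracted table when it is called without the encodings."""
    return bytes(T[b] for b in data)

KEY = 0x2B7E                                                  # constructed sample key
F, G = random_encoding("F-seed"), random_encoding("G-seed")   # constructed encodings
T = build_whitebox(KEY, F, G)
MSG = b"constructed sample"

if __name__ == "__main__":
    print("reference :", reference_encrypt(KEY, MSG).hex())
    print("app + T   :", app_encrypt(T, F, G, MSG).hex())
    print("T alone   :", lifted_table_only(T, MSG).hex())
```

The table on its own is still a permutation, but it no longer computes the plain cipher; matching the reference output requires the encodings that live in the rest of the program.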
1

Scenario 1: Encryption

Maybe you have just WBC crypto that does decryption (i.e. the inverse cipher function), and slowly (WBC crypto tends to be fairly slow)?

In this case you can easily decrypt, but cannot very easily encrypt. If you were able to find out the key it would make encryption easier. And thus it would be advantageous to be also able to encrypt efficiently.

Scenario 2: Distribution of keys vs distribution of code

Distributing the WBC software implementation (in a manner not allowed by the software's license conditions) is against copyright in almost all countries. (I.e. it counts as software piracy.) If you were able to recover key material, the key likely does not have similar protection from copyright law (however, some other law may protect it, like the DMCA).

Scenario 3: Bragging

When Geohot hacked the PlayStation 3, they said that if you have access to encryption and decryption you can do practically everything, but they still wanted to hack the keys. Apparently getting the keys allows you to brag and makes for a more impressive break. Getting the keys can be like making the Kessel Run in 12 parsecs.

user4982