Cryptographic algorithms are widely used for encryption of messages, authentication, encryption signatures and identification. The well-known DES (Data Encryption Standard) has been in use for a long time, and was updated by Triple-DES, which has been replaced in many applications by the AES (Advanced Encryption Standard). AES is an approved encryption standard by the U.S. government. AES is a substitution permutation network, that is fast enough to execute in both computer software and hardware implementations, relatively easy to implement, and requires little memory space.
Of note, implementations of AES do not provide much security against an attacker recovering a secret key, if the attacker has privileged access to the system implementing the cipher. However, AES is often used in potentially insecure environments. For instance, AES could be employed in a white box environment. In a white box model, it is presumed that an attacker has total access to the system performing an encryption, including being able to observe directly a state of memory, program execution, and so on. In such a model, an encryption key can be observed in or extracted from memory, and so ways to conceal operations indicative of a secret key are important. For example, the attacker can learn the secret key of an AES software implementation by observing the execution of the key scheduling algorithm.
DRM applications are one instance where it's desired to keep the attacker from finding the secret key even though the attacker has complete control of the execution process. Chow et. al. (Stanley Chow, Philip A. Eisen, Harold Johnson, Paul C. van Oorschot: White-Box Cryptography and an AES Implementation. Selected Areas in Cryptography 2002: 250-270) give a construction of the AES algorithm for such white box model. The security of this construction resides in the use of table lookups and masked data. The input and output mask applied to this data is never removed along the process. In this solution, there is a need for knowing the key value at the compilation time, or at least to be able to derive the tables from the original key in a secure environment.
However, this solution does not solve all the application's needs for block cipher's encryption. Indeed, the case where the key is derived through a given process and then unknown at the compilation time is not included. One typical use-case is when a program is distributed over several users and each of them has their own key. In this case, it is impossible to disseminate different code to each user from a practical point of view. Another use-case is just when generating session keys (different for each session) through a given process. Of course, in this case the key is unknown at compilation time. A last case is when it is necessary to store a plenty of keys. However, it is not reasonable to consider storing around 700 kB for each key.