BiTR: Built-in Tamper Resilience
Seung Geol Choi (U. Maryland)
Joint work with Aggelos Kiayias (U. Connecticut) and Tal Malkin (Columbia U.)

Motivation
• Traditional cryptography
  • internal state: inaccessible to the adversary.
• In reality
  • Adv may access/affect the internal state
  • E.g., leaking, tampering
• Solution?
  • Make better hardware
  • Or, make better cryptography

In this work
• Focus on tampering hardware tokens
• In the universal composability framework

Tamper-Proof Tokens [Katz07]
• Ideal functionality
[Diagram labels: Create, Forge, Run, …, Run]

Tamperable Tokens
• Introduce new functionality
[Diagram labels: Create, Forge, Run, Tamper]

Built-in Tamper Resilience (BiTR)
• M is -BiTR
• In any environment w/ M deployed as a token, tampering gives no advantage: s.t. indistinguishable

Questions
• Are there BiTR tokens?
  • Yes, with affine tamperings.
• UC computation from tamperable tokens?
  • Generic UC computation from tamper-proof tokens [Katz07]
  • Yes, with affine tamperings.

Affine Tampering
• Adversary can apply an affine transformation on private data.

Commitment Functionality
• Complete for general UC computation.
[Diagram labels: m, open, m]

DPG-commitment
• DPG: dual-mode parameter generation using hardware tokens
• Normal mode
  • Parameter is unconditionally hiding
• Extraction mode
  • The scheme becomes extractable commitment.

DPG-Commitment from DDH
• Parameter:
• Com(b) =
• Extraction Mode
  • DH tuple with
  • Trapdoor r allows extraction
• Normal Mode
  • Random tuple
  • Com is unconditionally hiding.
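
An added example, not taken from the slides or the paper, showing the two parameter modes on a toy group. The slide's formulas did not survive, so the parameter shape (g, h, g_hat, h_hat) and the form Com(b) = (g^s h^t, g_hat^s h_hat^t g^b) are assumptions based on the standard DDH dual-mode construction; the group constants and function names are constructed for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 467, 233, 4

def gen_params(extraction_mode):
    """Return ((g, h, g_hat, h_hat), trapdoor); the trapdoor is None in normal mode."""
    x = 1 + secrets.randbelow(Q - 1)
    r = 1 + secrets.randbelow(Q - 1)
    h, g_hat = pow(G, x, P), pow(G, r, P)
    if extraction_mode:
        return (G, h, g_hat, pow(h, r, P)), r      # DH tuple (g, h, g^r, h^r)
    r2 = (r + 1 + secrets.randbelow(Q - 1)) % Q    # r2 != r: forced non-DH tuple
    return (G, h, g_hat, pow(h, r2, P)), None

def commit(params, b, s=None, t=None):
    """Assumed form: Com(b; s, t) = (g^s h^t, g_hat^s h_hat^t g^b)."""
    g, h, g_hat, h_hat = params
    s = secrets.randbelow(Q) if s is None else s
    t = secrets.randbelow(Q) if t is None else t
    c1 = pow(g, s, P) * pow(h, t, P) % P
    c2 = pow(g_hat, s, P) * pow(h_hat, t, P) * pow(g, b, P) % P
    return (c1, c2), (s, t)

def extract(r, com):
    """With a DH tuple, c2 = c1^r * g^b, so the trapdoor r strips the mask."""
    c1, c2 = com
    gb = c2 * pow(c1, -r, P) % P
    return {1: 0, G: 1}.get(gb)   # None if com is not a commitment to a bit

def count_openings(params, com, b):
    """Brute force over all (s, t); feasible only because the group is tiny."""
    return sum(commit(params, b, s, t)[0] == com
               for s in range(Q) for t in range(Q))

if __name__ == "__main__":
    ext, r = gen_params(True)
    com, _ = commit(ext, 1)
    print("extraction mode: extracted", extract(r, com),
          "| openings to 0:", count_openings(ext, com, 0))
    norm, _ = gen_params(False)
    com, _ = commit(norm, 1)
    print("normal mode: openings to 0 and 1:",
          count_openings(norm, com, 0), count_openings(norm, com, 1))
```

In normal mode every commitment has exactly one opening to each bit, so it carries no information about b. In extraction mode no opening to the other bit exists, so the commitment is binding and r recovers b.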

Realizing F_mcom from tokens
• DPG-Parameter: (pS, pR)
  • S obtains pR, by running R's token.
  • R obtains pS, by running S's token.
  • exchange pS and pR
• Commit: (Com(m), dpgCom_{pS}(m), π)
  • π: WI (same msg) or (pR from ext mode)
• Reveal: (m, π')
  • π': WI (Com(m)) or (pR: ext mode)

UC-security of the scheme
• The scheme
  • Commit: (Com(m), dpgCom_{pS}(m), π)
    • π: WI (same msg) or (pR from ext mode)
  • Reveal: (m, π')
    • π': WI (Com(m)) or (pR: ext mode)
• S*: Make the pS extractable and extract m.
• R*: Make the pR extractable and equivocate.

DPG from tamperable tokens
• [Katz07] showed DPG-commitment
• Unfortunately, the token description is not BiTR.
• Our approach: Modify Katz's scheme to be BiTR.

BiTR DPG
• The protocol is affine BiTR
  • Similar to the case of Schnorr
• Compose with a BiTR signature
  • Okamoto signature [Oka06]
  • In this case, the composition works.

Summary
• BiTR security
• Affine BiTR protocols
• UC computation from tokens tamperable w/ affine functions
• In the paper
  • Composition of BiTR tokens
  • BiTR from deterministic non-malleable codes