BiTR: Built-in Tamper Resilience
Joint work with Aggelos Kiayias (U. Connecticut)
Tal Malkin (Columbia U.)
Seung Geol Choi (U. Maryland)
Motivation
• Traditional cryptography – internal state: inaccessible to the adversary.
• In reality
  – Adv may access/affect the internal state
  – E.g., leaking, tampering
• Solution?
  – Make better hardware
  – Or, make better cryptography
In this work
• Focus on tampering hardware tokens
• In the universal composability framework
Modeling Tamper-Resilient Tokens in UC
Tamper-Proof Tokens [Katz07]
• Ideal functionality
[Diagram labels: Create, Forge, Run … Run]
Tamperable Tokens
• Introduce new functionality
[Diagram labels: Create, Run, Forge, Tamper]
Built-in Tamper Resilience (BiTR)
• M is -BiTR
  – In any environment w/ M deployed as a token, tampering gives no advantage:
indistinguishable
s.t.
Questions
• Are there BiTR tokens?
  – Yes, with affine tamperings.
• UC computation from tamperable tokens?
  – Generic UC computation from tamper-proof tokens [Katz07]
  – Yes, with affine tamperings.
Affine Tampering
• Adversary can apply an affine transformation on private data.
Schnorr Identification
Schnorr-token is affine BiTR
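An added illustration, not taken from the talk or the paper, of why affine tampering of a Schnorr token's key gives no advantage: any run of the tampered token can be reproduced from one run of the untampered token plus public arithmetic. It assumes the tampering acts only on the stored secret key x as x → a·x + b (mod q); the toy group and all function names are constructed for this example.

```python
import secrets

# Constructed toy group (far too small for real use): p = 2q + 1,
# g = 4 generates the subgroup of prime order q in Z_p^*.
P, Q, G = 2039, 1019, 4

class SchnorrToken:
    """Hypothetical token: stores secret key x, runs Schnorr identification."""
    def __init__(self, x):
        self.x = x % Q

    def tamper(self, a, b):
        # Affine tampering of the private data: x -> a*x + b (mod q)
        self.x = (a * self.x + b) % Q

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)              # R = g^r

    def respond(self, c):
        return (self.r + c * self.x) % Q      # s = r + c*x

def verify(h, R, c, s):
    # Schnorr check: g^s == R * h^c
    return pow(G, s, P) == (R * pow(h, c, P)) % P

def tampered_public_key(h, a, b):
    # g^(a*x + b) = h^a * g^b, computable from public values only
    return (pow(h, a, P) * pow(G, b, P)) % P

def simulate_tampered_run(untampered, a, b, c):
    """Answer challenge c as the tampered token would, using only an
    untampered token: ask it for challenge c*a, then add c*b."""
    R = untampered.commit()
    s = untampered.respond((c * a) % Q)       # r + (c*a)*x
    return R, (s + c * b) % Q                 # r + c*(a*x + b)

def demo(x=777, a=5, b=123, c=314):
    h = pow(G, x, P)
    h_t = tampered_public_key(h, a, b)
    real = SchnorrToken(x)
    real.tamper(a, b)
    R1, s1 = real.commit(), real.respond(c)
    R2, s2 = simulate_tampered_run(SchnorrToken(x), a, b, c)
    # (tampered run verifies under h_t, simulated run verifies under h_t,
    #  tampered run verifies under the original key h)
    return verify(h_t, R1, c, s1), verify(h_t, R2, c, s2), verify(h, R1, c, s1)
```

The simulated transcript has the same distribution as the tampered one, because R is a fresh g^r in both cases and s is determined by R, c and the key.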
UC-secure Computation with Tamperable Tokens
Commitment Functionality
[Diagram labels: m, open, m]
• Complete for general UC computation.
DPG-commitment
• DPG: dual-mode parameter generation using hardware tokens
• Normal mode
  – Parameter is unconditionally hiding
• Extraction mode
  – The scheme becomes extractable commitment.
DPG-Commitment from DDH
• Parameter:
• Com(b) =
• Extraction Mode
  – DH tuple with
  – Trapdoor r allows extraction
• Normal Mode
  – Random tuple
  – Com is unconditionally hiding.
Realizing Fmcom from tokens
• DPG-Parameter: (pS, pR)
  – S obtains pR, by running R's token.
  – R obtains pS, by running S's token.
  – exchange pS and pR
• Commit: (Com(m), dpgCompS(m), π)
  – π: WI (same msg) or (pR from ext mode)
• Reveal: (m, π')
  – π': WI (Com(m)) or (pR: ext mode)
UC-security of the scheme
• The scheme
  – Commit: (Com(m), dpgCompS(m), π)
    • π: WI (same msg) or (pR from ext mode)
  – Reveal: (m, π')
    • π': WI (Com(m)) or (pR: ext mode)
• S*: Make the pS extractable and extract m.
• R*: Make the pR extractable and equivocate.
DPG from tamperable tokens
• [Katz07] showed DPG-commitment
  – Unfortunately, the token description is not BiTR.
  – Our approach: Modify Katz's scheme to be BiTR.
BiTR DPG
• The protocol is affine BiTR
  – Similar to the case of Schnorr
• Compose with a BiTR signature
  – Okamoto signature [Oka06]
  – In this case, the composition works.
Summary
• BiTR security
  – Affine BiTR protocols
  – UC computation from tokens tamperable w/ affine functions
• In the paper
  – Composition of BiTR tokens
  – BiTR from deterministic non-malleable codes