BiTR: Built-in Tamper Resilience
  Joint work with Aggelos Kiayias (U. Connecticut), Tal Malkin (Columbia U.), Seung Geol Choi (U. Maryland)
Motivation
  Traditional cryptography
    – internal state: inaccessible to the adversary.
  In reality
    – Adv may access/affect the internal state
    – E.g., leaking, tampering
  Solution?
    – Make better hardware
    – Or, make better cryptography
In this work
  Focus on tampering hardware tokens
  In the universal composability framework
Modeling Tamper-Resilient Tokens in UC
Tamper-Proof Tokens [Katz07]
  [Figure: ideal functionality with Create, Forge and Run commands]
Tamperable Tokens
  Introduce new functionality
  [Figure: functionality with Create, Run, Forge and Tamper commands]
Built-in Tamper Resilience (BiTR)
  M is -BiTR
    – In any environment w/ M deployed as a token, tampering gives no advantage: indistinguishable s.t.
Questions
  Are there BiTR tokens?
    – Yes, with affine tamperings.
  UC computation from tamperable tokens?
    – Generic UC computation from tamper-proof tokens [Katz07]
    – Yes, with affine tamperings.
Affine Tampering
  Adversary can apply an affine transformation on private data.
Schnorr-token is affine BiTR
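Why affine tampering of a Schnorr token gives no advantage, as an added example that is not taken from the slides or the paper: it assumes the token runs plain Schnorr identification with secret x and that tampering replaces x by a·x + b mod q with a ≠ 0. The toy group parameters and all class and function names are constructed for illustration.

```python
import secrets

# Constructed toy Schnorr group, far too small for real use: p = 2q + 1, g of order q.
P, Q, G = 1019, 509, 4

class SchnorrToken:
    """Prover side of Schnorr identification; x is only reachable through the token."""
    def __init__(self, x, nonce=lambda: secrets.randbelow(Q)):
        self._x, self._nonce, self._k = x % Q, nonce, None
    def tamper(self, a, b):
        self._x = (a * self._x + b) % Q          # affine tampering: x -> a*x + b
    def commit(self):
        self._k = self._nonce()
        return pow(G, self._k, P)                # t = g^k
    def respond(self, c):
        return (self._k + c * self._x) % Q       # s = k + c*x

class Simulator:
    """Answers like the tampered token while querying only an untampered one."""
    def __init__(self, token, a, b):
        if a % Q == 0:
            raise ValueError("a = 0 makes the key the known constant b; handle separately")
        self._token, self._a, self._b = token, a, b
    def commit(self):
        return pow(self._token.commit(), self._a, P)                 # t' = t^a
    def respond(self, c):
        return (self._a * self._token.respond(c) + c * self._b) % Q  # s' = a*s + c*b

def verify(y, t, c, s):
    return pow(G, s, P) == t * pow(y, c, P) % P

def transcript(prover, c):
    t = prover.commit()
    return t, c, prover.respond(c)

def tampered(x, a, b, k):
    tok = SchnorrToken(x, nonce=lambda: k)
    tok.tamper(a, b)
    return tok

def compare(x=123, a=7, b=45, c=321):
    """Transcript distributions over all nonces: tampered token vs. simulator."""
    real = sorted(transcript(tampered(x, a, b, k), c) for k in range(Q))
    sim = sorted(transcript(Simulator(SchnorrToken(x, lambda: k), a, b), c)
                 for k in range(Q))
    y_tampered = pow(G, (a * x + b) % Q, P)
    return real == sim, all(verify(y_tampered, *tr) for tr in sim)
```

The simulator never reads x: it rescales the honest token's commitment before the challenge arrives and adjusts the response afterwards, so whatever the tampered token outputs could have been produced without tampering.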
UC-secure Computation with Tamperable Tokens
Commitment Functionality
  [Figure: commitment functionality with message m and an open command]
  Complete for general UC computation.
DPG-commitment
  DPG: dual-mode parameter generation using hardware tokens
  Normal mode
    – Parameter is unconditionally hiding
  Extraction mode
    – The scheme becomes extractable commitment.
DPG-Commitment from DDH
  Parameter:
  Com(b) =
  Extraction Mode
    – DH tuple with
    – Trapdoor r allows extraction
  Normal Mode
    – Random tuple
    – Com is unconditionally hiding.
Realizing F_mcom from tokens
  DPG-Parameter: (pS, pR)
    – S obtains pR, by running R’s token.
    – R obtains pS, by running S’s token.
    – exchange pS and pR
  Commit: (Com(m), dpgCom_pS(m), π)
    – π: WI (same msg) or (pR from ext mode)
  Reveal: (m, π')
    – π': WI (Com(m)) or (pR: ext mode)
UC-security of the scheme
  The scheme
    – Commit: (Com(m), dpgCom_pS(m), π)
      π: WI (same msg) or (pR from ext mode)
    – Reveal: (m, π')
      π': WI (Com(m)) or (pR: ext mode)
  S*: Make the pS extractable and extract m.
  R*: Make the pR extractable and equivocate.
DPG from tamperable tokens
  [Katz07] showed DPG-commitment
    – Unfortunately, the token description is not BiTR.
    – Our approach: Modify Katz’s scheme to be BiTR.
The protocol is affine BiTR
  – Similar to the case of Schnorr
Compose with a BiTR signature
  – Okamoto signature [Oka06]
  – In this case, the composition works.
Summary
  BiTR security
    – Affine BiTR protocols
    – UC computation from tokens tamperable w/ affine functions
  In the paper
    – Composition of BiTR tokens
    – BiTR from deterministic non-malleable codes