BiTR: Built-in Tamper Resilience
Joint work with Aggelos Kiayias (U. Connecticut), Tal Malkin (Columbia U.), Seung Geol Choi (U. Maryland)

Motivation
Traditional cryptography
– internal state: inaccessible to the adversary.
In reality
– Adv may access/affect the internal state
– E.g., leaking, tampering
Solution?
– Make better hardware
– Or, make better cryptography

In this work
Focus on tampering hardware tokens
In the universal composability framework

Commitment Functionality
[Figure: commitment functionality diagram; labels: m, open, m]
Complete for general UC computation.

DPG-commitment
DPG: dual-mode parameter generation using hardware tokens
Normal mode
– Parameter is unconditionally hiding
Extraction mode
– The scheme becomes an extractable commitment.

DPG-Commitment from DDH
Parameter:
Com(b) =
Extraction Mode
– DH tuple with
– Trapdoor r allows extraction
Normal Mode
– Random tuple
– Com is unconditionally hiding.

Realizing F_mcom from tokens
DPG-Parameter: (pS, pR)
– S obtains pR, by running R’s token.
– R obtains pS, by running S’s token.
– exchange pS and pR
Commit: (Com(m), dpgCom_pS(m), π)
– π: WI (same msg) or (pR from ext mode)
Reveal: (m, π')
– π': WI (Com(m)) or (pR: ext mode)

UC-security of the scheme
The scheme
– Commit: (Com(m), dpgCom_pS(m), π)
  π: WI (same msg) or (pR from ext mode)
– Reveal: (m, π')
  π': WI (Com(m)) or (pR: ext mode)
S*: Make the pS extractable and extract m.
R*: Make the pR extractable and equivocate.

DPG from tamperable tokens
[Katz07] showed DPG-commitment
– Unfortunately, the token description is not BiTR.
– Our approach: Modify Katz’s scheme to be BiTR.