BiTR: Built-in Tamper Resilience
Seung Geol Choi (U. Maryland)
Joint work with Aggelos Kiayias (U. Connecticut) and Tal Malkin (Columbia U.)
Motivation
• Traditional cryptography
  – Internal state: inaccessible to the adversary.
• In reality
  – Adv may access/affect the internal state
  – E.g., leaking, tampering
• Solution?
  – Make better hardware
  – Or, make better cryptography
In this work
• Focus on tampering hardware tokens
• In the universal composability framework
Modeling Tamper-Resilient Tokens in UC
Tamper-Proof Tokens [Katz 07]
• Ideal functionality
[Diagram: ideal functionality with commands Create, Forge, Run, …, Run]
Tamperable Tokens
• Introduce new functionality
[Diagram: functionality with commands Create, Forge, Run, Tamper]
Built-in Tamper Resilience (BiTR)
• M is -BiTR
  – In any environment w/ M deployed as a token, tampering gives no advantage: s.t. indistinguishable
Questions
• Are there BiTR tokens?
  – Yes, with affine tamperings.
• UC computation from tamperable tokens?
  – Generic UC computation from tamper-proof tokens [Katz 07]
  – Yes, with affine tamperings.
Affine Tampering
• Adversary can apply an affine transformation on private data.
Schnorr Identification
Schnorr-token is affine BiTR
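An added illustration (not from the slides) of why an affine tamper on a Schnorr token's key gives no advantage, assuming the tamper maps the secret x to a·x + b mod q: a session with the tampered token can be reproduced from an untampered token by rescaling the challenge and shifting the response. The toy group parameters and all names below are constructed for the example.

```python
import secrets

# Constructed toy group, far too small for real use: G has prime order Q in Z_P*.
P, Q, G = 2039, 1019, 4

class SchnorrToken:
    """Hypothetical prover token holding the secret key x (public key h = G^x)."""
    def __init__(self, x):
        self.x = x % Q
        self.r = None

    def tamper(self, a, b):
        # Assumed affine tamper on the private data: x -> a*x + b (mod Q).
        self.x = (a * self.x + b) % Q

    def commit(self):
        self.r = secrets.randbelow(Q)      # fresh nonce per session
        return pow(G, self.r, P)

    def respond(self, c):
        return (self.r + c * self.x) % Q

def verify(h, R, c, s):
    # Standard Schnorr check: G^s == R * h^c.
    return pow(G, s, P) == (R * pow(h, c, P)) % P

def tampered_public_key(h, a, b):
    # G^(a*x + b) is computable from h = G^x alone.
    return (pow(h, a, P) * pow(G, b, P)) % P

def simulate_tampered_session(token, a, b, c):
    """Produce the tampered token's answer to challenge c from an UNTAMPERED token."""
    R = token.commit()
    s = token.respond((a * c) % Q)         # r + (a*c)*x
    return R, (s + c * b) % Q              # r + c*(a*x + b)

def demo(x=777, a=5, b=123, c=321):
    h_t = tampered_public_key(pow(G, x, P), a, b)
    real = SchnorrToken(x)
    real.tamper(a, b)
    R1 = real.commit()
    s1 = real.respond(c)
    R2, s2 = simulate_tampered_session(SchnorrToken(x), a, b, c)
    return verify(h_t, R1, c, s1), verify(h_t, R2, c, s2)

if __name__ == "__main__":
    print(demo())
```

Both the genuinely tampered session and the simulated one verify under the tampered public key, and for a given nonce the two responses are identical.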
UC-secure Computation with Tamperable Tokens
Commitment Functionality
[Diagram: commitment functionality; labels: m, open, m]
• Complete for general UC computation.
DPG-commitment
• DPG: dual-mode parameter generation using hardware tokens
• Normal mode
  – Parameter is unconditionally hiding
• Extraction mode
  – The scheme becomes extractable commitment.
DPG-Commitment from DDH
• Parameter:
• Com(b) =
• Extraction Mode
  – DH tuple with
  – Trapdoor r allows extraction
• Normal Mode
  – Random tuple
  – Com is unconditionally hiding.
Realizing Fmcom from tokens
• DPG-Parameter: (pS, pR)
  – S obtains pR, by running R's token.
  – R obtains pS, by running S's token.
  – exchange pS and pR
• Commit: (Com(m), dpg.Com_pS(m), π)
  – π: WI (same msg) or (pR from ext mode)
• Reveal: (m, π')
  – π': WI (Com(m)) or (pR: ext mode)
UC-security of the scheme
• The scheme
  – Commit: (Com(m), dpg.Com_pS(m), π)
    • π: WI (same msg) or (pR from ext mode)
  – Reveal: (m, π')
    • π': WI (Com(m)) or (pR: ext mode)
• S*: Make the pS extractable and extract m.
• R*: Make the pR extractable and equivocate.
DPG from tamperable tokens
• [Katz 07] showed DPG-commitment
  – Unfortunately, the token description is not BiTR.
  – Our approach: Modify Katz's scheme to be BiTR.
BiTR DPG
BiTR DPG
• The protocol is affine BiTR
  – Similar to the case of Schnorr
• Compose with a BiTR signature
  – Okamoto signature [Oka 06]
  – In this case, the composition works.
Summary
• BiTR security
  – Affine BiTR protocols
  – UC computation from tokens tamperable w/ affine functions
• In the paper
  – Composition of BiTR tokens
  – BiTR from deterministic non-malleable codes