BiTR: Built-in Tamper Resilience

Joint work with Aggelos Kiayias (U. Connecticut)

Tal Malkin (Columbia U.)

Seung Geol Choi (U. Maryland)

Motivation

• Traditional cryptography – internal state: inaccessible to the adversary.

• In reality– Adv may access/affect the internal state– E.g., leaking, tampering

• Solution?– Make better hardware– Or, make better cryptography

In this work

• Focus on tampering hardware tokens• In the universal composability framework

Modeling Tamper-Resilient Tokensin UC

Tamper-Proof Tokens [Katz07]

• Ideal functionality

Create

Forge

!

Run….Run

Tamperable Tokens

• Introduce new functionality

Create!

Run

Forge

Tamper

Built-in Tamper Resilience (BiTR)

• M is -BiTR – In any environment w/ M deployed as a token,

tampering gives no advantage:

indistinguishable

s.t.

Questions

• Are there BiTR tokens?– Yes, with affine tamperings.

• UC computation from tamperable tokens?– Generic UC computation from tamper-proof

tokens [Katz07] – Yes, with affine tamperings.

Affine Tampering

• Adversary can apply an affine transformation on private data.

Schnorr Identification

Schnorr-token is affine BiTR

UC-secure Computation with Tamperable Tokens

Commitment Functionality

m open! m

• Complete for general UC computation.

DPG-commitment

• DPG: dual-mode parameter generation using hardware tokens

• Normal mode – Parameter is unconditionally hiding

• Extraction mode– The scheme becomes extractable commitment.

DPG-Commitment from DDH

• Parameter: • Com(b) =• Extraction Mode

– DH tuple with – Trapdoor r allows extraction

• Normal Mode – Random tuple – Com is unconditionally hiding.

Realizing Fmcom from tokens

• DPG-Parameter: (pS, pR)– S obtains pR, by running R’s token.– R obtains pS, by running S’s token. – exchange pS and pR

• Commit: (Com(m), dpgCompS(m), π)– π: WI (same msg) or (pR from ext mode)

• Reveal: (m, π‘)– π': WI (Com(m)) or (pR: ext mode)

UC-security of the scheme

• The scheme– Commit: (Com(m), dpgCompS(m), π)

• π: WI (same msg) or (pR from ext mode)– Reveal: (m, π‘)

• π': WI (Com(m)) or (pR: ext mode)

• S*: Make the pS extractable and extract m.• R*: Make the pR extractable and equivocate.

DPG from tamperable tokens

• [Katz07] showed DPG-commitment – Unfortunately, the token description is not BiTR.– Our approach: Modify Katz’s scheme to be BiTR.

BiTR DPG

BiTR DPG

• The protocol is affine BiTR– Similar to the case of Schnorr

• Compose with a BiTR signature– Okamato signature [Oka06]– In this case, the composition works.

Summary

• BiTR security– Affine BiTR protocols – UC computation from tokens tamperable w/

affine functions

• In the paper– Composition of BiTR tokens– BiTR from deterministic non-malleable codes