BiTR: Built-in Tamper Resilience
Seung Geol Choi (U. Maryland)
Joint work with
Aggelos Kiayias (U. Connecticut)
Tal Malkin (Columbia U.)
Motivation
• Traditional cryptography
– internal state: inaccessible to the adversary.
• In reality
– Adv may access/affect the internal state
– E.g., leaking, tampering
• Solution?
– Make better hardware
– Or, make better cryptography
In this work
• Focus on tampering hardware tokens
• In the universal composability framework
Modeling Tamper-Resilient Tokens in UC
Tamper-Proof Tokens [Katz07]
• Ideal functionality
– [Diagram labels: Create, Forge, Run, …, Run]
Tamperable Tokens
• Introduce new functionality
– [Diagram labels: Create, Forge, Run, Tamper]
Built-in Tamper Resilience (BiTR)
• M is -BiTR
– In any environment w/ M deployed as a token, tampering gives no advantage:
s.t.
indistinguishable
Questions
• Are there BiTR tokens?
– Yes, with affine tamperings.
• UC computation from tamperable tokens?
– Generic UC computation from tamper-proof tokens [Katz07]
– Yes, with affine tamperings.
Affine Tampering
• Adversary can apply an affine transformation on private data.
Schnorr Identification
Schnorr-token is affine BiTR
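The intuition behind this claim, as an added illustration that is not taken from the slides or the paper: a Schnorr token whose secret x has been tampered to a·x + b can be emulated with one query to the untampered token, so the tampering yields nothing new. The toy group, the commit-then-respond token interface and all names below are assumptions constructed for this sketch.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

class SchnorrToken:
    """Hypothetical token: holds secret x, runs commit-then-respond identification."""
    def __init__(self, x):
        self._x = x % Q
        self._r = None

    def public_key(self):
        return pow(G, self._x, P)

    def commit(self):
        self._r = secrets.randbelow(Q)          # fresh nonce for every run
        return pow(G, self._r, P)

    def respond(self, c):
        return (self._r + c * self._x) % Q      # s = r + c*x

    def tamper(self, a, b):
        self._x = (a * self._x + b) % Q         # affine tampering: x -> a*x + b

def verify(h, R, c, s):
    """Schnorr check: g^s == R * h^c."""
    return pow(G, s, P) == (R * pow(h, c, P)) % P

def tampered_public_key(h, a, b):
    """Public key matching secret a*x + b, computed from public values only."""
    return (pow(h, a, P) * pow(G, b, P)) % P

def simulate_tampered(token, a, b, c):
    """Answer challenge c as the (a, b)-tampered token would, using only the
    untampered token: query it on c*a, then shift the response by c*b."""
    R = token.commit()
    s = token.respond((c * a) % Q)              # r + (c*a)*x
    return R, (s + c * b) % Q                   # r + c*(a*x + b)

if __name__ == "__main__":
    tok = SchnorrToken(123)                     # constructed sample secret
    a, b, c = 5, 7, 77                          # constructed tampering and challenge
    R, s = simulate_tampered(tok, a, b, c)
    h_t = tampered_public_key(tok.public_key(), a, b)
    print("simulated transcript verifies under tampered key:", verify(h_t, R, c, s))
```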
UC-secure Computation with Tamperable Tokens
Commitment Functionality
• Complete for general UC computation.
– [Diagram labels: m, open, m]
DPG-commitment
• DPG: dual-mode parameter generation using hardware tokens
• Normal mode
– Parameter is unconditionally hiding
• Extraction mode
– The scheme becomes extractable commitment.
DPG-Commitment from DDH
• Parameter:
• Com(b) =
• Extraction Mode
– DH tuple with
– Trapdoor r allows extraction
• Normal Mode
– Random tuple
– Com is unconditionally hiding.
Realizing F_mcom from tokens
• DPG-Parameter: (pS, pR)
– S obtains pR, by running R’s token.
– R obtains pS, by running S’s token.
– exchange pS and pR
• Commit: (Com(m), dpgCom_pS(m), π)
– π: WI (same msg) or (pR from ext mode)
• Reveal: (m, π')
– π': WI (Com(m)) or (pR: ext mode)
UC-security of the scheme
• The scheme
– Commit: (Com(m), dpgCom_pS(m), π)
• π: WI (same msg) or (pR from ext mode)
– Reveal: (m, π')
• π': WI (Com(m)) or (pR: ext mode)
• S*: Make the pS extractable and extract m.
• R*: Make the pR extractable and equivocate.
DPG from tamperable tokens
• [Katz07] showed DPG-commitment
– Unfortunately, the token description is not BiTR.
– Our approach: Modify Katz’s scheme to be BiTR.
BiTR DPG
• The protocol is affine BiTR
– Similar to the case of Schnorr
• Compose with a BiTR signature
– Okamoto signature [Oka06]
– In this case, the composition works.
Summary
• BiTR security
– Affine BiTR protocols
– UC computation from tokens tamperable w/ affine functions
• In the paper
– Composition of BiTR tokens
– BiTR from deterministic non-malleable codes