BiTR: Built-in Tamper Resilience
Seung Geol Choi (U. Maryland)
Joint work with Aggelos Kiayias (U. Connecticut) and Tal Malkin (Columbia U.)

Motivation
• Traditional cryptography
  – internal state: inaccessible to the adversary.
• In reality
  – Adv may access/affect the internal state
  – E.g., leaking, tampering
• Solution?
  – Make better hardware
  – Or, make better cryptography

In this work
• Focus on tampering hardware tokens
• In the universal composability framework

Modeling Tamper-Resilient Tokens in UC

Tamper-Proof Tokens [Katz07]
• Ideal functionality
  [Diagram: Create, Forge, Run, …, Run]

Tamperable Tokens
• Introduce new functionality
  [Diagram: Create, Forge, Run, Tamper]

Built-in Tamper Resilience (BiTR)
• M is -BiTR
  – In any environment w/ M deployed as a token, tampering gives no advantage: s.t. indistinguishable

Questions
• Are there BiTR tokens?
  – Yes, with affine tamperings.
• UC computation from tamperable tokens?
  – Generic UC computation from tamper-proof tokens [Katz07]
  – Yes, with affine tamperings.

Affine Tampering
• Adversary can apply an affine transformation on private data.

Schnorr Identification

Schnorr-token is affine BiTR

UC-secure Computation with Tamperable Tokens

Commitment Functionality
[Diagram: m, open, m]
• Complete for general UC computation.

DPG-commitment
• DPG: dual-mode parameter generation using hardware tokens
• Normal mode
  – Parameter is unconditionally hiding
• Extraction mode
  – The scheme becomes extractable commitment.

DPG-Commitment from DDH
• Parameter:
• Com(b) =
• Extraction Mode
  – DH tuple with
  – Trapdoor r allows extraction
• Normal Mode
  – Random tuple
  – Com is unconditionally hiding.

Realizing Fmcom from tokens
• DPG-Parameter: (pS, pR)
  – S obtains pR, by running R's token.
  – R obtains pS, by running S's token.
  – exchange pS and pR
• Commit: (Com(m), dpgCompS(m), π)
  – π: WI (same msg) or (pR from ext mode)
• Reveal: (m, π')
  – π': WI (Com(m)) or (pR: ext mode)

UC-security of the scheme
• The scheme
  – Commit: (Com(m), dpgCompS(m), π)
    • π: WI (same msg) or (pR from ext mode)
  – Reveal: (m, π')
    • π': WI (Com(m)) or (pR: ext mode)
• S*: Make the pS extractable and extract m.
• R*: Make the pR extractable and equivocate.

DPG from tamperable tokens
• [Katz07] showed DPG-commitment
  – Unfortunately, the token description is not BiTR.
  – Our approach: Modify Katz's scheme to be BiTR.

BiTR DPG
• The protocol is affine BiTR
  – Similar to the case of Schnorr
• Compose with a BiTR signature
  – Okamoto signature [Oka06]
  – In this case, the composition works.

Summary
• BiTR security
  – Affine BiTR protocols
  – UC computation from tokens tamperable w/ affine functions
• In the paper
  – Composition of BiTR tokens
  – BiTR from deterministic non-malleable codes
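
Added example (not from the slides or the paper): the algebra behind the "Schnorr-token is affine BiTR" slide, showing that the response of a token whose key was tampered to a·x + b can be computed from one ordinary query to the untampered token. It assumes the tampering touches only the secret key x; the toy group parameters and all names (`SchnorrToken`, `simulate_tampered_response`, `compare_real_and_simulated`) are constructed for illustration.

```python
import secrets

# Toy Schnorr group, constructed for this example (far too small for real use):
# P = 2*Q + 1 with P, Q prime; G = 4 generates the order-Q subgroup of Z_P*.
P, Q, G = 2039, 1019, 4

class SchnorrToken:
    """Prover token for Schnorr identification; private data is the key x."""
    def __init__(self, x):
        self.x = x % Q
        self.r = None

    def commit(self, r=None):
        # r may be fixed by the caller so two runs can be compared
        self.r = secrets.randbelow(Q) if r is None else r % Q
        return pow(G, self.r, P)

    def respond(self, c):
        s = (self.r + c * self.x) % Q
        self.r = None  # a commitment is answered only once
        return s

    def tamper(self, a, b):
        # Assumed tampering model: affine map on the key, x -> a*x + b (mod Q)
        self.x = (a * self.x + b) % Q

def verify(y, R, c, s):
    """Standard Schnorr check: g^s == R * y^c (mod P)."""
    return pow(G, s, P) == (R * pow(y, c, P)) % P

def simulate_tampered_response(untampered, a, b, c):
    """Answer challenge c as the (a, b)-tampered token would, using a single
    ordinary query to the untampered token and no knowledge of x."""
    s = untampered.respond((a * c) % Q)  # r + (a*c)*x
    return (s + b * c) % Q               # r + c*(a*x + b)

def compare_real_and_simulated(x, a, b, c, r):
    real = SchnorrToken(x)
    real.tamper(a, b)
    R_real, s_real = real.commit(r), real.respond(c)
    clean = SchnorrToken(x)
    R_sim = clean.commit(r)
    s_sim = simulate_tampered_response(clean, a, b, c)
    # Public key of the tampered token: g^(a*x+b) = y^a * g^b
    y_tampered = (pow(pow(G, x, P), a, P) * pow(G, b, P)) % P
    return R_real == R_sim, s_real == s_sim, verify(y_tampered, R_sim, c, s_sim)

if __name__ == "__main__":
    print(compare_real_and_simulated(x=123, a=7, b=45, c=321, r=77))
```

This shows only the core identity; the BiTR definition on the slides additionally requires indistinguishability in any environment.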