BiTR: Built-in Tamper Resilience
Joint work with Aggelos Kiayias (U. Connecticut)
Tal Malkin (Columbia U.)
Seung Geol Choi (U. Maryland)
Motivation
• Traditional cryptography
  – Internal state: inaccessible to the adversary.
• In reality
  – Adv may access/affect the internal state
  – E.g., leaking, tampering
• Solution?
  – Make better hardware
  – Or, make better cryptography
Built-in Tamper Resilience (BiTR)
• M is -BiTR
  – In any environment w/ M deployed as a token, tampering gives no advantage:
indistinguishable
s.t.
Questions
• Are there BiTR tokens?
  – Yes, with affine tamperings.
• UC computation from tamperable tokens?
  – Generic UC computation from tamper-proof tokens [Katz07]
  – Yes, with affine tamperings.
DPG-commitment
• DPG: dual-mode parameter generation using hardware tokens
• Normal mode
  – Parameter is unconditionally hiding
• Extraction mode
  – The scheme becomes extractable commitment.
DPG-Commitment from DDH
• Parameter:
• Com(b) =
• Extraction Mode
  – DH tuple with
  – Trapdoor r allows extraction
• Normal Mode
  – Random tuple
  – Com is unconditionally hiding.
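The two modes on this slide, as an added example that is not from the original slides or from [Katz07]. The parameter and commitment formulas did not survive in this transcript, so the ones below are an assumed textbook DDH instantiation; the toy group, all function names, and calling the trapdoor `x` are choices made for this example.

```python
# Toy dual-mode bit commitment over a DDH group (illustration only).
# ASSUMPTION: these formulas are a textbook instantiation, not the slide's own.
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q + 1, G has prime order Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]

def gen_params(extraction_mode):
    """params = (g, h, g^x, h^y); DH tuple iff y == x. Trapdoor = (a, x, y)."""
    a, x = rand_exp(), rand_exp()
    y = x
    while not extraction_mode and y == x:           # normal mode: random tuple
        y = rand_exp()
    h = pow(G, a, P)
    return (G, h, pow(G, x, P), pow(h, y, P)), (a, x, y)

def commit(params, b, r1=None, r2=None):
    """Com(b) = (g^r1 * h^r2, g_hat^r1 * h_hat^r2 * g^b)."""
    g, h, g_hat, h_hat = params
    r1 = rand_exp() if r1 is None else r1
    r2 = rand_exp() if r2 is None else r2
    c1 = pow(g, r1, P) * pow(h, r2, P) % P
    c2 = pow(g_hat, r1, P) * pow(h_hat, r2, P) * pow(g, b, P) % P
    return (c1, c2), (r1, r2)

def extract(trapdoor, com):
    """Extraction mode: c2 = c1^x * g^b, so the trapdoor x recovers b."""
    _, x, _ = trapdoor
    c1, c2 = com
    g_b = c2 * pow(pow(c1, x, P), -1, P) % P
    return 0 if g_b == 1 else 1

def other_opening(trapdoor, b, r1, r2):
    """Normal mode: randomness that opens the same commitment to 1 - b.
    It always exists when y != x, which is why hiding is unconditional.
    Computing it needs the discrete logs, which only this toy demo knows."""
    a, x, y = trapdoor
    d2 = (b - (1 - b)) * pow(a * (y - x) % Q, -1, Q) % Q
    return (r1 - a * d2) % Q, (r2 + d2) % Q
```

In extraction mode `a * (y - x)` is zero modulo Q, so `other_opening` has no solution there: the same parameter shape is binding and extractable in one mode and perfectly hiding in the other.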
Realizing F_mcom from tokens
• DPG-Parameter: (pS, pR)
  – S obtains pR, by running R's token.
  – R obtains pS, by running S's token.
  – Exchange pS and pR
• Commit: (Com(m), dpgCom_pS(m), π)
  – π: WI (same msg) or (pR from ext mode)
• Reveal: (m, π')
  – π': WI (Com(m)) or (pR: ext mode)
UC-security of the scheme
• The scheme
  – Commit: (Com(m), dpgCom_pS(m), π)
    • π: WI (same msg) or (pR from ext mode)
  – Reveal: (m, π')
    • π': WI (Com(m)) or (pR: ext mode)
• S*: Make the pS extractable and extract m.
• R*: Make the pR extractable and equivocate.
DPG from tamperable tokens
• [Katz07] showed DPG-commitment
  – Unfortunately, the token description is not BiTR.
  – Our approach: Modify Katz's scheme to be BiTR.
BiTR DPG
• The protocol is affine BiTR
  – Similar to the case of Schnorr
• Compose with a BiTR signature
  – Okamoto signature [Oka06]
  – In this case, the composition works.