bitr: built-in tamper resilience joint work with aggelos kiayias (u. connecticut) tal malkin...

BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Upload: tavion-dory

Post on 15-Dec-2015

215 views

Category:

Documents

1 download

Report

Download

Tags:

Embed Size (px):

TRANSCRIPT

BiTR: Built-in Tamper Resilience

Joint work with Aggelos Kiayias (U. Connecticut)

Tal Malkin (Columbia U.)

Seung Geol Choi (U. Maryland)

Motivation

• Traditional cryptography – internal state: inaccessible to the adversary.

• In reality– Adv may access/affect the internal state– E.g., leaking, tampering

• Solution?– Make better hardware– Or, make better cryptography

Page 3: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

In this work

• Focus on tampering hardware tokens• In the universal composability framework

Page 4: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Modeling Tamper-Resilient Tokensin UC

Page 5: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Tamper-Proof Tokens [Katz07]

• Ideal functionality

Create

Forge

Run….Run

Page 6: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Tamperable Tokens

• Introduce new functionality

Create!

Run

Forge

Tamper

Built-in Tamper Resilience (BiTR)

• M is -BiTR – In any environment w/ M deployed as a token,

tampering gives no advantage:

indistinguishable

s.t.

Page 8: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Questions

• Are there BiTR tokens?– Yes, with affine tamperings.

• UC computation from tamperable tokens?– Generic UC computation from tamper-proof

tokens [Katz07] – Yes, with affine tamperings.

Page 9: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Affine Tampering

• Adversary can apply an affine transformation on private data.

Page 10: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Schnorr Identification

Page 11: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Schnorr-token is affine BiTR

Page 12: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

UC-secure Computation with Tamperable Tokens

Page 13: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Commitment Functionality

m open! m

• Complete for general UC computation.

Page 14: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

DPG-commitment

• DPG: dual-mode parameter generation using hardware tokens

• Normal mode – Parameter is unconditionally hiding

• Extraction mode– The scheme becomes extractable commitment.

Page 15: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

DPG-Commitment from DDH

• Parameter: • Com(b) =• Extraction Mode

– DH tuple with – Trapdoor r allows extraction

• Normal Mode – Random tuple – Com is unconditionally hiding.

Page 16: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Realizing Fmcom from tokens

• DPG-Parameter: (pS, pR)– S obtains pR, by running R’s token.– R obtains pS, by running S’s token. – exchange pS and pR

• Commit: (Com(m), dpgCompS(m), π)– π: WI (same msg) or (pR from ext mode)

• Reveal: (m, π‘)– π': WI (Com(m)) or (pR: ext mode)

Page 17: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

UC-security of the scheme

• The scheme– Commit: (Com(m), dpgCompS(m), π)

• π: WI (same msg) or (pR from ext mode)– Reveal: (m, π‘)

• π': WI (Com(m)) or (pR: ext mode)

• S*: Make the pS extractable and extract m.• R*: Make the pR extractable and equivocate.

Page 18: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

DPG from tamperable tokens

• [Katz07] showed DPG-commitment – Unfortunately, the token description is not BiTR.– Our approach: Modify Katz’s scheme to be BiTR.

Page 19: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

BiTR DPG

Page 20: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

BiTR DPG

• The protocol is affine BiTR– Similar to the case of Schnorr

• Compose with a BiTR signature– Okamato signature [Oka06]– In this case, the composition works.

Page 21: BiTR: Built-in Tamper Resilience Joint work with Aggelos Kiayias (U. Connecticut) Tal Malkin (Columbia U.) Seung Geol Choi (U. Maryland)

Summary

• BiTR security– Affine BiTR protocols – UC computation from tokens tamperable w/

affine functions

• In the paper– Composition of BiTR tokens– BiTR from deterministic non-malleable codes

Edinburgh Research Explorer€¦ · Edinburgh Research Explorer A Puff of Steem: Security Analysis of Decentralized Content Curation Citation for published version: Kiayias, A, Livshits,

W ! % !Ç Ó e r á { N!Ê ¡ < M @ | û DX )1$# · 2020. 9. 15. · w ! % f l n s l k j u u u u 1 9 z ? Ì u u u u u u u u u$$ õ u u u u u u u u u u u u$$ Ú u u u u u u u u u u

Faculty engaged in the graduate study programme · Anders Haraldsson, Ph. D., Linköping 1977. Associate professor (bitr professor), computer science. Head of the department of computer

Fair and Robust Multi-Party Computation using a Global … · 2015-10-29 · Fair and Robust Multi-Party Computation using a Global Transaction Ledger Aggelos Kiayias [email protected]

Automating Voting Terminal Event Log Analysis · 2019-02-25 · Automating Voting Terminal Event Log Analysis Tigran Antonyan Seda Davtyan Sotirios Kentros Aggelos Kiayias Laurent

Group Encryption - Cryptology ePrint Archive · 2007. 1. 19. · Group Encryption Aggelos Kiayias∗ Yiannis Tsiounis† Moti Yung‡ January 19, 2007 Abstract We present group encryption,

TILLSTÅNDSKONTROLL AV SPÅRVÄXLAR MED MÄTUTRUSTNING ...1149216/FULLTEXT01.pdf · Stephen Mayowa amFurewa, bitr. universitetslektor, TUL Göran Henning, Arbetsledare, Infranord

Open File 2000-2 · u% %u %u %u %u %u %u %u %u %u%u% u% %u% %u %u %u %u %u u% %u %u %u%u %u %u %u %u %u %u %u u% ÊÚÚÊÚÊÚÊÊÚ ÊÚÊ ÊÚ Ê ÊÚÊÚÊÊÚ ÊÚÊÚ ÊÚ ÊÚ

CH4.1 CSE244 Sections 4.1-4.4: Syntax Analysis Aggelos Kiayias Computer Science & Engineering Department The University of Connecticut 371 Fairfield Road

Ouroboros: A Provably Secure Proof-of-Stake … · Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol Aggelos Kiayias∗ Alexander Russell† Bernardo David‡ Roman

CH1.1 CSE244 Chapter 1: Introduction to Compiling Aggelos Kiayias Computer Science & Engineering Department The University of Connecticut 371 Fairfield

c O c u o c o u u c c u u o 0 u u u c o u u c o c u o u u o C u u o c u u o N c o C c o u O u U u u u u u o u u u o u c c c u o u c u c u o u u c u o c u u o o u u o

CH4.1 CSE244 More on LR Parsing Aggelos Kiayias Computer Science & Engineering Department The University of Connecticut 191 Auditorium Road, Box U-155

Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol · 2018-09-11 · Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol Aggelos Kiayias∗ Alexander Russell†

hengwelcome5000.files.wordpress.com · 1 erobcMdMeNIrCIvit 3 mnusSeyIgenH EdlnwgGacmannUvesckþIsuxy:ag BitR)akdeTA)anenaH KWRtÚvmandMeNIrCIvity:agRtwmRtÚv eBalKW RtÚvbdibtþi[)anRtwmRtÚvcMeBaHCIvitrbs;xøÜn

Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake

· 2012-02-10 · u u z o o u u 0 u u u u u u u u o u u u u u 0 u u u u u u o u o 0 u u u u 0 2 o u o u u o -c u u o E u u 0 2 o o 0 o . m ; u U u z O < (5 o z A m r < z o a. z o

ntrs.nasa.gov,; u lj u li u u u u u u u u u u tj tl u u =)u!ju&juul 30on ,, ljo uu.uuuu°uuuuuuu uuu i_ltu u u uuu uliu u u u_uuue ,.uuouuuuu iuuuuuuu uuuuuu uuuu tiuuuuu'lu uuuuuuuu

Cryptography on the Blockchain - bitcoinschool.gr · Cryptography on the Blockchain IACR Summer School on Blockchain Techs Vassilis Zikas RPI Aggelos Kiayias, Hong-Shen Zhou, and

u experience u The Woodhouse Day Spa...u u u u u u u u u u u u u u u u u u u u 6 menu of services t h e wo o d h o u s e day s pa® facial enhancements powerful, professional enhancements

Secure Computation and the Combinatorics of Hidden Diversity Juan Garay ( AT&T Research) David Johnson (AT&T Research) Aggelos Kiayias (U. Athens) Moti

Edinburgh Research Explorer€¦ · Karakostas, D, Kiayias, A, Nasikas, C & Zindros, D 2019, Cryptocurrency Egalitarianism: A Quantitative Approach. in Proceedings of the 1st Edition

DIPUTACIÓNbogajo.com/archivos/MapaSalamanca2002.pdf · %u u% %u %u %u %u %u u% %u %u u% %u %u u% u% %u u% %u %u %u u% %u %u %u %u %u u% %u %u %u %u %u u% %u %u u% %u %u %u %u %u

zelan.listedcompany.comzelan.listedcompany.com/misc/ar/ar2010.pdf · u u u u u u u u u u u u u u u u u u contents 1 Mission 2 At A Glance corporate responsibility 38 Our Policies

Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut

u u uuu uuu u , uu u U WILSON GLOVES · 2020. 4. 30. · u u U u uuu uuu u P U u J U U U u J I J U uuU U U U UUU u U uuUuuU u \ u u uuu uuu u , uu u U WILSON GLOVES

dec.vermont.gov · $t $t $t $t $t $t $t $t $t $t %u %u u% %u %u %u %u %u u% %u %u %u %u %u u% %u %u %u %u%u %u %u %u u% %u u

VNRRU% LFVX 0...5 5 5 5 5 5 5 5 U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U U

Resource-Restricted Cryptography: Revisiting MPC Bounds in ... · Resource-Restricted Cryptography: Revisiting MPC Bounds in the Proof-of-Work Era Juan A. Garay ∗ Aggelos Kiayias†

Proof-of-Stake SidechainsProof-of-Stake Sidechains Peter Ga zi 1, Aggelos Kiayias;2, and Dionysis Zindros 3 1 IOHK 2 University of Edinburgh 3 National and Kapodistrian University

札幌市公式ホームページ - City of Sapporo...Nz jgJ * yPJ + b ² u ² u Z ¥ { u ¢ Z ¥ ² u u v u u ¬^ u u © u u ´ ´U U ¸ H ¸ t¹³ u ¸ 3 u L u ®L u u q u u u u

( U *. .#)(U? U7576@ (. ,( .#)( &U )( & 0 U (U &' . U (! U

for Blockchain Economy · 2019-05-21 · Phil Godsiff, University of Exeter Zeynep Gurguc, Imperial College London Aggelos Kiayias, University of Edinburgh Mario Larangeira, IOHK/Tokyo

Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk, and Qiang Tang FIT 2016, February 6, 2016

bitr: built-in tamper resilience joint work with aggelos kiayias (u. connecticut) tal malkin...

Documents

affine bitr slide

bitr dpg slide

uc slide

ext mode slide

maryland slide

forge tamper slide

better cryptography

tokens dpgparameter