
    The Cryptographic Strength of Tamper-Proof Hardware

    Tamper-proof hardware has found its way into our everyday life in various forms, be it SIM cards, credit cards or passports. Usually, a cryptographic key is embedded in these hardware tokens that allows the execution of simple cryptographic operations, such as encryption or digital signing. The inherent security guarantees of tamper-proof hardware, however, allow more complex and diverse applications

    Efficient Resettably Secure Two-Party Computation

    In 2000, Canetti, Goldreich, Goldwasser and Micali (STOC '00) proposed the notion of resettable zero-knowledge, which considers the scenario where a malicious verifier can reset the prover and force it to reuse its random tape. They provided a construction that resists such attacks, and subsequently the notion of resettability was studied in various other scenarios, starting with resettably-sound zero-knowledge, over general resettable computation with one resettable party, to protocols where all parties are resettable. Most of these results are only concerned with the feasibility of resettable computation, while efficiency is secondary. There is a considerable gap in round- and communication-efficiency between actively secure protocols and resettably secure protocols. Following the work of Goyal and Sahai (EUROCRYPT '09), we study the round- and communication-efficiency of resettable two-party computation in the setting where one of the two parties is resettable, and close the gap between the two notions of security:
    - We construct a fully simulatable resettable CRS in the plain model that directly yields constant-round resettable zero-knowledge and constant-round resettable two-party computation protocols in the plain model.
    - We present a new resettability compiler that follows the approach of Ishai, Prabhakaran and Sahai (CRYPTO '08) and yields constant-rate resettable two-party computation

    An Algebraic Approach to Maliciously Secure Private Set Intersection

    Private set intersection is an important area of research and has been the focus of many works over the past decades. It describes the problem of finding an intersection between the input sets of at least two parties without revealing anything about the input sets apart from their intersection. In this paper, we present a new approach to compute the intersection between sets based on a primitive called Oblivious Linear Function Evaluation (OLE). On an abstract level, we use this primitive to efficiently add two polynomials in a randomized way while preserving the roots of the added polynomials. Setting the roots of the input polynomials to be the elements of the input sets, this directly yields an intersection protocol with optimal asymptotic communication complexity O(mκ). We highlight that the protocol is information-theoretically secure assuming OLE. We also present a natural generalization of the 2-party protocol for the fully malicious multi-party case. Our protocol does away with expensive (homomorphic) threshold encryption and zero-knowledge proofs. Instead, we use simple combinatorial techniques to ensure the security. As a result, we get a UC-secure protocol with asymptotically optimal communication complexity O((n² + nm)κ), where n is the number of parties, m is the set size and κ the security parameter. Apart from yielding an asymptotic improvement over previous works, our protocols are also conceptually simple and require only simple field arithmetic. Along the way we develop tools that might be of independent interest

    Reusing Tamper-Proof Hardware in UC-Secure Protocols

    Universally composable protocols provide security even in highly complex environments like the Internet. Without setup assumptions, however, UC-secure realizations of cryptographic tasks are impossible. Tamper-proof hardware tokens, e.g. smart cards and USB tokens, can be used for this purpose. Apart from the fact that they are widely available, they are also cheap to manufacture and well understood. Currently considered protocols, however, suffer from two major drawbacks that impede their practical realization:
    - The functionality of the tokens is protocol-specific, i.e. each protocol requires a token functionality tailored to its needs.
    - Different protocols cannot reuse the same token even if they require the same functionality from the token, because this would render the protocols insecure in current models of tamper-proof hardware.
    In this paper we address these problems. First and foremost, we propose formalizations of tamper-proof hardware as an untrusted and global setup assumption. Modeling the token as a global setup naturally allows the tokens to be reused for arbitrary protocols. Concerning a versatile token functionality, we choose a simple signature functionality, i.e. the tokens can be instantiated with currently available signature cards. Based on this we present solutions for a large class of cryptographic tasks

    Maliciously Secure Oblivious Linear Function Evaluation with Constant Overhead

    BUG REPORT: In early 2021 we were made aware of a bug in Lemma 9.1 by Carmit Hazay, Muthu Venkitasubramaniam, Laasya Bangalore, and Rishabh Bhadauria. The bug does not have an easy fix and we are currently exploring whether a different proof can be found. Until then the results of this paper should not be considered proven and in particular the protocols should not be considered secure. We will later either update the e-print version with a new proof or withdraw the paper.
    ORIGINAL ABSTRACT: In this work we consider the problem of oblivious linear function evaluation (OLE). OLE is a special case of oblivious polynomial evaluation (OPE) and deals with the oblivious evaluation of a linear function f(x) = ax + b. This problem is non-trivial in the sense that the sender chooses a, b and the receiver x, but the receiver may only learn f(x). We present a highly efficient and UC-secure construction of OLE in the OT-hybrid model that requires only O(1) OTs per OLE. The construction is based on noisy encodings introduced by Naor and Pinkas (STOC '99). Our main technical contribution solves a problem left open in their work, namely we show in a generic way how to achieve full simulation-based security from noisy encodings. All previous constructions using noisy encodings achieve only passive security. Our result requires novel techniques that might be of independent interest. Using our highly efficient OLE as a black box, we obtain a direct construction of an OPE protocol that simultaneously achieves UC-security and requires only O(d) OTs, where d is the degree of the polynomial that shall be evaluated

    Basing Obfuscation on Simple Tamper-Proof Hardware Assumptions

    Code obfuscation is one of the most powerful concepts in cryptography. It could yield functional encryption, digital rights management, and maybe even secure cloud computing. However, general code obfuscation has been proven impossible, and research then focused on obfuscating very specific functions, studying weaker security definitions for obfuscation, and using tamper-proof hardware tokens to achieve general code obfuscation. Following this last line, this work presents the first scheme which bases general code obfuscation of multiple programs on one single stateless hardware token. Our construction is proven secure in the UC-framework and proceeds in three steps:
    1. We construct an obfuscation scheme based on fully homomorphic encryption (FHE) and a hybrid functionality conditional decrypt, which decrypts the result of a homomorphic computation given a proof that the computation was performed as intended. One difficulty of the first step is possible decryption errors in the FHE. These decryption errors can occur whenever the randomness for the encryption is chosen maliciously by the receiver of the obfuscated code. Such decryption errors could then make a real obfuscated computation distinguishable from a black-box use of the non-obfuscated program.
    2. Given two common reference strings (CRS), we construct a UC-protocol realizing the functionality conditional decrypt with a stateless hardware token. As the token is stateless, it is resettable by a dishonest receiver and the proofs given to the token must be resettably sound. One additional difficulty occurs when the issuer of the token can be corrupted. A malicious token can be stateful and it cannot be prevented that it aborts after a hardwired number of invocations. To prevent adaptive behavior of a malicious token, the data of the receiver has to be hidden from the token and the proofs given to the token must even hide the size of the program and the length of the computation.
    3. Last, we construct a protocol constructing a CRS with a stateless hardware token. Care has to be taken here not to let the token learn anything about the resulting CRS which could not be simulated, because the very same token will later be used in a protocol based on the security of this CRS