Feasibility and Infeasibility of Secure Computation with Malicious PUFs

Dachman-Soled, Dana; Fleischhacker, Nils; Katz, Jonathan; Lysyanskaya, Anna; Schröder, Dominique

doi:10.1007/978-3-662-44381-1_23

Cited by 11 publications

(4 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It was shown that PUFs can be used to achieve oblivious transfer [27] and UC-secure commitments [12]. However, if the PUFs can be created maliciously, oblivious transfer is impossible [10].…”

Section: Is It Possible To Obtain Uc-secure Protocols Even If There E...mentioning

confidence: 99%

Weakening the Isolation Assumption of Tamper-Proof Hardware Tokens

Dowsley

Müller-Quade

Nilges

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Recent results have shown the usefulness of tamper-proof hardware tokens as a setup assumption for building UC-secure two-party computation protocols, thus providing broad security guarantees and allowing the use of such protocols as buildings blocks in the modular design of complex cryptography protocols. All these works have in common that they assume the tokens to be completely isolated from their creator, but this is a strong assumption. In this work we investigate the feasibility of cryptographic protocols in the setting where the isolation of the hardware token is weakened.We consider two cases: (1) the token can relay messages to its creator, or (2) the creator can send messages to the token after it is sent to the receiver. We provide a detailed characterization for both settings, presenting both impossibilities and information-theoretically secure solutions.We first show that the existing solution of Döttling, Kraschewski and Müller-Quade [13] for OTM with 2 tokens can be modified to UC-realize OTM with abort. Then we show that using a single token, it is impossible to obtain an information-theoretically secure OTM protocol, if Goliath can send messages to the token. We sketch how a information-theoretically UC-secure OT protocol from a single token can be obtained and give a construction of a compuationally UC-secure OTM protocol from a single hardware token.The formalization of the ideal functionality for stateful tamper-proof hardware tokens in this section uses a wrapper functionality as in the previous works [20,22,13], but as one-way communication from the token issuer to the token is now allowed, the wrapper functionality needs to be modified to capture this fact. A sender G (Goliath) provides as input to F stateful wrap-owc a deterministic Turing machine T (the token). Note that stateful tokens can be hard-coded with sufficiently long randomness tapes. The receiver D (David) can query F stateful wrap-owc to run T with inputs of his choice and receives the output produced by the token. The current state of T is stored between consecutive queries. In addition, and in order to capture the one-way communication property, we add the possibility of Goliath sending messages to the token, in which case T is run on the received string and changes to a new state. The complete description of the functionality is shown in Figure 3. This model captures the fact that on the one hand

show abstract

Section: Is It Possible To Obtain Uc-secure Protocols Even If There E...mentioning

confidence: 99%

Weakening the Isolation Assumption of Tamper-Proof Hardware Tokens

Dowsley

Müller-Quade

Nilges

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Reproducibility informally says that, the responses produced by the PUF when queried on the same random challenge are always close. Many PUF definitions in the literature [3,4,12,30] have had problems with the superpolynomial nature of PUFs. In particular, the possibility of PUFs solving hard computational problems, such as discrete logarithms or factoring, was not excluded, or excluded in an awkward way.…”

Section: Physically Uncloneable Functions (Pufs)mentioning

confidence: 99%

“…Dachman-Soled et al [12] 2PC Unconditional PUF ✗ Badrinarayanan et al [4] 2PC Unconditional PUF ✗ Our scheme (Sect. 6) Commitments Everlasting PUF ✓…”

mentioning

confidence: 91%

“…However, as shown by [4] in the form of an attack, the construction of [17] completely breaks when the adversary is allowed to generate encapsulated PUFs. Dachman-Soled, Fleischhacker, Katz, Lysyanskaya, and Schröder [12] investigated the possibility of secure two-party computation based on malicious PUFs. Badrinarayanan, Khurana, Ostrovsky, and Visconti [4] introduced a model where the adversary is allowed to generate malicious PUFs that encapsulate other PUFs inside of it; the outer PUF has oracle access to all its inner PUFs.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Everlasting UC Commitments from Fully Malicious PUFs

et al. 2022

Self Cite

View full text Add to dashboard Cite

Everlasting security models the setting where hardness assumptions hold during the execution of a protocol but may get broken in the future. Due to the strength of this adversarial model, achieving any meaningful security guarantees for composable protocols is impossible without relying on hardware assumptions (Müller-Quade and Unruh, JoC’10). For this reason, a rich line of research has tried to leverage physical assumptions to construct well-known everlasting cryptographic primitives, such as commitment schemes. The only known everlastingly UC secure commitment scheme, due to Müller-Quade and Unruh (JoC’10), assumes honestly generated hardware tokens. The authors leave the possibility of constructing everlastingly UC secure commitments from malicious hardware tokens as an open problem. Goyal et al. (Crypto’10) constructs unconditionally UC-secure commitments and secure computation from malicious hardware tokens, with the caveat that the honest tokens must encapsulate other tokens. This extra restriction rules out interesting classes of hardware tokens, such as physically uncloneable functions (PUFs). In this work, we present the first construction of an everlastingly UC-secure commitment scheme in the fully malicious token model without requiring honest token encapsulation. Our scheme assumes the existence of PUFs and is secure in the common reference string model. We also show that our results are tight by giving an impossibility proof for everlasting UC-secure computation from non-erasable tokens (such as PUFs), even with trusted setup.

show abstract