
Feasibility and Infeasibility of Secure Computation with Malicious PUFs



  1. Feasibility and Infeasibility of Secure Computation with Malicious PUFs. Dana Dachman-Soled (1), Nils Fleischhacker (2), Jonathan Katz (1), Anna Lysyanskaya (3), Dominique Schröder (2). (1) University of Maryland, College Park; (2) Saarland University; (3) Brown University. August 20, 2014

  2. What are PUFs? Physically Uncloneable Function

  3. What are PUFs? Physically Uncloneable Function (figure labels: x, y)

  4. What are PUFs? Physically Uncloneable Function (figure labels: x, y, ≠, x, y′)

  5. What are PUFs? Physically Uncloneable Function (figure labels: x, y, ≠, x, y′)

  6. What are PUFs... and why do we care? 1. Avoiding cryptographic assumptions: "Unconditional Security". 2. UC from physical assumptions (and no trusted setup).

  7. Honest or Malicious PUFs? [BFSK11][OSVW13] Here’s my PUF!

  8. Honest or Malicious PUFs? [BFSK11][OSVW13] Here’s my PUF! Are you sure that thing works correctly?

  9. Maliciously generated PUFs Stateless Stateful

  10. Maliciously generated PUFs: Stateless, Stateful (figure labels: x ↦ F_k(x), k)

  11. Maliciously generated PUFs: Stateless, Stateful (figure labels: x ↦ F_k(x), k; x_1, y_1)

  12. Maliciously generated PUFs: Stateless, Stateful (figure labels: x ↦ F_k(x), k; x_1, y_1; x_2, y_2)

  13. Maliciously generated PUFs: Stateless, Stateful (figure labels: x ↦ F_k(x), k; x_1, y_1; x_2, y_2; x_3, y_3)

  14. Secure Computation from PUFs. Columns: Honest | Malicious Stateless | Malicious Stateful. Entries: [BFSK11] | ? | ?. Further labels: Unconditional; Under Assumptions; [OSVW13].

  15. Secure Computation from PUFs. Columns: Honest | Malicious Stateless | Malicious Stateful. Entries: [BFSK11] | This Paper | This Paper. Further labels: Unconditional; Under Assumptions; [OSVW13].

  16. Our Results. Stateless: There exists an unconditionally UC-secure OT protocol if the attacker is limited to creating stateless malicious PUFs. Stateful: If the attacker can create stateful malicious PUFs, then OT cannot exist without additional assumptions.

  17. Oblivious Transfer (figure: inputs s_0, s_1 and b; output s_b; thought bubbles "Did she choose 0 or 1?" and "Ok, now what's s_{1−b}?")

  18. Stateless Malicious PUFs. Columns: Honest | Malicious Stateless | Malicious Stateful. Entries: [BFSK11] | This Paper | This Paper. Further labels: Unconditional; Under Assumptions; [OSVW13].

  19. Oblivious Transfer from honest PUFs [BFSK11]. Setup Phase, between S and R: Create PUF; c ← {0,1}^λ; r := PUF(c); message: PUF.

  20. Oblivious Transfer from honest PUFs. Protocol Phase, S(s_0, s_1) and R(b): S samples x_0, x_1 ← {0,1}^λ and sends x_0, x_1; R computes v := c ⊕ x_b and sends v; S computes S_0 := s_0 ⊕ PUF(v ⊕ x_0) and S_1 := s_1 ⊕ PUF(v ⊕ x_1) and sends S_0, S_1; R outputs s_b := S_b ⊕ r.

  21. Oblivious Transfer from stateless malicious PUFs. Protocol adapted from [BFSK11]. Setup Phase, between S and R: Create PUF_S; message: PUF_S; Create PUF_R; c ← {0,1}^λ; r := PUF_S(c) ⊕ PUF_R(c); message: PUF_S, PUF_R.

  22. Oblivious Transfer from stateless malicious PUFs. Protocol Phase, S(s_0, s_1) and R(b): S samples x_0, x_1 ← {0,1}^λ and sends x_0, x_1; R computes v := c ⊕ x_b and sends v; S computes S_0 := s_0 ⊕ PUF_S(v ⊕ x_0) ⊕ PUF_R(v ⊕ x_0) and S_1 := s_1 ⊕ PUF_S(v ⊕ x_1) ⊕ PUF_R(v ⊕ x_1) and sends S_0, S_1; R outputs s_b := S_b ⊕ r.

  23. Stateful Malicious PUFs. Columns: Honest | Malicious Stateless | Malicious Stateful. Entries: [BFSK11] | This Paper | This Paper. Further labels: Unconditional; Under Assumptions; [OSVW13].

  24. Barak and Mahmoody for Key Exchange [BM09][IR89] (figure: random oracle RO; bit-string labels omitted)

  25. Extending Barak and Mahmoody for OT (figure: inputs s_0, s_1 and b; random oracle RO; output s_b; bit-string labels omitted)

  26. Impossibility of OT. The Distribution of Alice's Views...

  27. Impossibility of OT. The Distribution of Alice's Views... (figure labels: Views with b = 0; Views with b = 1)

  28. Impossibility of OT. The Distribution of Alice's Views... (figure labels: Views with b = 0; Views with b = 1; s_0, s_1)

  29. Impossibility of OT. The Distribution of Alice's Views... "Obviously Bob's secrets are 's_0' and 's_1'!" (figure labels: Views with b = 0; Views with b = 1; s_0, s_1)

  30. Impossibility of OT. The Distribution of Alice's Views... (figure labels: Views with b = 0; Views with b = 1)

  31. Impossibility of OT. The Distribution of Alice's Views... (figure labels: Views with b = 0; Views with b = 1; 1 8)

  32. Impossibility of OT. The Distribution of Alice's Views... "Clearly Alice used b = 1!" (figure labels: Views with b = 0; Views with b = 1; 1 8)

  33. Extending Barak and Mahmoody for OT (figure: inputs s_0, s_1 and b; random oracle RO; output s_b; bit-string labels omitted)

  34. Handling PUFs. Grid with columns "Constructed by Alice" | "Constructed by Bob" and rows "Currently held by Alice" | "Currently held by Bob".

  35. Handling PUFs. Same grid; label in the row "Currently held by Bob": t-wise independent function.

  36. Handling PUFs. Same grid; label in the row "Currently held by Alice": t-wise independent function.

  37. Handling PUFs. Same grid; label "State" in the row "Currently held by Alice" and in the row "Currently held by Bob".

  38. Handling PUFs. Same grid with cells A, B (currently held by Alice) and C, D (currently held by Bob). "Intersection Queries": all actual intersection queries made to B and C, + all queries made to A by Bob, + all queries made to D by Alice.

  39. Summary & Conclusion. Stateless: There exists an unconditionally UC-secure multiparty computation protocol if the attacker is limited to creating stateless malicious PUFs. Stateful: If the attacker can create stateful malicious PUFs, then OT cannot exist without additional assumptions. Thanks! Nils Fleischhacker, fleischhacker@cs.uni-saarland.de
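
The OT message flow of slides 19-22, as an added example that is not code from the presentation or the paper. PUFs are modelled in software (a lazily sampled random function for an honest PUF, HMAC-SHA256 under a key k as one assumed instance of the stateless malicious PUF F_k), and `LAMBDA`, `ModelPUF`, `KeyedPUF`, `combine`, `run_ot` and `demo` are names chosen here.

```python
import hashlib
import hmac
import secrets

LAMBDA = 16  # byte length standing in for the security parameter λ (assumed)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class ModelPUF:
    """Software stand-in for an honest PUF: a lazily sampled random function."""
    def __init__(self):
        self._table = {}
    def __call__(self, x):
        return self._table.setdefault(x, secrets.token_bytes(LAMBDA))

class KeyedPUF:
    """Stateless malicious PUF as on the slides: x -> F_k(x), k known to its creator."""
    def __init__(self, k):
        self.k = k
    def __call__(self, x):
        return hmac.new(self.k, x, hashlib.sha256).digest()[:LAMBDA]

def combine(pufs):
    """XOR the responses of all PUFs; with a single PUF this is plain PUF(x)."""
    def evaluate(x):
        out = bytes(LAMBDA)
        for puf in pufs:
            out = xor(out, puf(x))
        return out
    return evaluate

def run_ot(pufs, s0, s1, b):
    """One OT run; returns R's output and the transcript values."""
    puf = combine(pufs)
    c = secrets.token_bytes(LAMBDA)          # setup: R samples c
    r = puf(c)                               # setup: R records r, PUFs go to S
    x = (secrets.token_bytes(LAMBDA), secrets.token_bytes(LAMBDA))  # S -> R
    v = xor(c, x[b])                         # R -> S
    S = (xor(s0, puf(xor(v, x[0]))), xor(s1, puf(xor(v, x[1]))))    # S -> R
    return xor(S[b], r), {"c": c, "r": r, "x": x, "v": v, "S": S}

def demo():
    s0, s1 = b"secret-zero-0000", b"secret-one-11111"  # constructed inputs
    k = secrets.token_bytes(32)
    honest = run_ot([ModelPUF()], s0, s1, 0)[0]               # slides 19-20
    out, t = run_ot([KeyedPUF(k), ModelPUF()], s0, s1, 1)     # slides 21-22
    return {"honest": honest, "two_puf": out,
            "other_masked": xor(t["S"][0], t["r"]) != s0,
            "key_alone_gives_r": KeyedPUF(k)(t["c"]) == t["r"]}
```

In `demo()`, `key_alone_gives_r` is false because the mask r also contains the response of the second PUF, which is the reason the adapted protocol XORs PUF_S and PUF_R.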
