ACMCCS2017论文集PART1资源-CSDN文库

共50个文件

pdf：50个

2017

1星需积分: 50 104 浏览量 2018-01-03 16:00:21 上传评论收藏 72.95MB RAR 举报

资源详情

资源评论

收起资源包目录

CCS2017 PART1.rar （50个子文件）

CCS2017 PART1

Defending Against Key Exfiltration_ Efficiency Improvements for Big-Key Cryptography via Large-Alphabet Subkey Prediction.pdf 1.5MB

DEFTL_ Implementing Plausibly Deniable Encryption in Flash Translation Layer.pdf 2.77MB

Automated Crowdturfing Attacks and Defenses in Online Review Systems.pdf 2.36MB

Algorithm Substitution Attacks from a Steganographic Perspective.pdf 1.25MB

Efficient Public Trace-and-Revoke from Standard Assumptions.pdf 1.05MB

Concurrency and Privacy with Payment-Channel Networks.pdf 1.63MB

Deterministic, Stash-Free Write-Only ORAM.pdf 1.37MB

A Type System for Privacy Properties.pdf 1.21MB

Betrayal, Distrust, and Rationality_ Smart Counter-Collusion Contracts for Verifiable Cloud Computing.pdf 1.27MB

CCCP_ Closed Caption Crypto Phones to Resist MITM Attacks, Human Errors and Click-Through.pdf 1.88MB

A Comprehensive Symbolic Analysis of TLS 1.3.pdf 1.14MB

Deterministic Browser.pdf 1.09MB

A Formal Foundation for Secure Remote Execution of Enclaves.pdf 1.23MB

AUTHSCOPE_ Towards Automatic Discovery of Vulnerable Access Control in Online Services.pdf 805KB

Bolt_ Anonymous Payment Channels for Decentralized Currencies.pdf 1.35MB

Certified Verification of Algebraic Properties on Low-Level Mathematical Constructs in Cryptographic Programs.pdf 1.23MB

A Stitch in Time_ Supporting Android Developers in Writing Secure Code.pdf 1.15MB

A Touch of Evil_ High-Assurance Cryptographic Hardware from Untrusted Components.pdf 3.72MB

Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation.pdf 1.39MB

Checking Open-Source License Violation and 1-day Security Risk at Large Scale.pdf 1.6MB

Composing Differential Privacy and Secure Computation_ A case study on scaling private record linkage.pdf 1.4MB

Code-reuse attacks for the Web_ Breaking Cross-Site Scripting Mitigations via Script Gadgets.pdf 1MB

DUPLO_ Unifying Cut-and-Choose for Garbled Circuits.pdf 1.3MB

Compressive Traffic Analysis_ A New Paradigm for Scalable Traffic Analysis.pdf 2.05MB

Data breaches, phishing, or malware_ Understanding the risks of stolen credentials.pdf 1.15MB

Cryptographically Secure Information Flow Control on Key-Value Stores.pdf 1.53MB

Economic Factors of Vulnerability Trade and Exploitation_ Empirical evidence from a prominent Russian cybercrime market.pdf 718KB

Designing New Operating Primitives to Improve Fuzzing Performance.pdf 1.42MB

Authenticated Garbling and Efficient Maliciously Secure Two-Party Computation.pdf 1.37MB

Be Selfish and Avoid Dilemmas_ Fork After Withholding (FAW) Attacks on Bitcoin.pdf 2.4MB

Back to the drawing board_ Revisiting the design of optimal location privacy-preserving mechanisms.pdf 2.27MB

A Framework for Constructing Fast MPC over Arithmetic Circuits with Malicious Adversaries and an Honest-Majority.pdf 1.49MB

Capturing Malware Propagations with Code Injections and Code-Reuse attacks.pdf 1.19MB

A Large-Scale Empirical Study of Security Patches.pdf 1.75MB

Don’t Let One Rotten Apple Spoil the Whole Barrel_ Towards Automated Detection of Shadowed Domains.pdf 1.11MB

Directed Greybox Fuzzing.pdf 1.4MB

Attribute-Based Encryption in the Generic Group Model_ Automated Proofs and New Constructions.pdf 1.47MB

Distributed Measurement with Private Set-Union Cardinality.pdf 1.41MB

Certified Malware_ Measuring Breaches of Trust in the Windows Code-Signing PKI.pdf 1.52MB

DIFUZE_ Interface Aware Fuzzing for Kernel Drivers.pdf 1.03MB

Client-side Name Collision Vulnerability in the New gTLD Era_ A Systematic Study.pdf 1.01MB

DeepLog_ Anomaly Detection and Diagnosis from System Logs through Deep Learning.pdf 1.79MB

Detecting Structurally Anomalous Logins Within Enterprise Networks.pdf 1.43MB

BBA+_ Improving the Security and Applicability of Privacy-Preserving Point Collection.pdf 1.3MB

DolphinAttack_ Inaudible Voice Commands.pdf 1.58MB

Better Than Advertised_ Improved Collision-Resistance Guarantees for MD-Based Hash Functions.pdf 1.32MB

A Fast and Verified Software Stack for Secure Function Evaluation.pdf 1.38MB

Deep Models Under the GAN_ Information Leakage from Collaborative Deep Learning.pdf 2.96MB

5Gen-C_ Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits.pdf 1.43MB

Deemon_ Detecting CSRF with Dynamic Analysis and Property Graphs.pdf 2.82MB

A Touch of Evil: High-Assurance Cryptographic

Hardware from Untrusted Components

Vasilios Mavroudis

University College London

v.mavroudis@cs.ucl.ac.uk

Andrea Cerulli

University College London

andrea.cerulli.13@ucl.ac.uk

Petr Svenda

Masaryk University

svenda@.muni.cz

Dan Cvrcek

EnigmaBridge

dan@enigmabridge.com

Dusan Klinec

EnigmaBridge

dusan@enigmabridge.com

George Danezis

University College London

g.danezis@ucl.ac.uk

ABSTRACT

The semiconductor industry is fully globalized and integrated cir-

cuits (ICs) are commonly dened, designed and fabricated in dier-

ent premises across the world. This reduces production costs, but

also exposes ICs to supply chain attacks, where insiders introduce

malicious circuitry into the nal products. Additionally, despite

extensive post-fabrication testing, it is not uncommon for ICs with

subtle fabrication errors to make it into production systems. While

many systems may be able to tolerate a few byzantine components,

this is not the case for cryptographic hardware, storing and comput-

ing on condential data. For this reason, many error and backdoor

detection techniques have been proposed over the years. So far

all attempts have been either quickly circumvented, or come with

unrealistically high manufacturing costs and complexity.

This paper proposes Myst, a practical high-assurance architec-

ture, that uses commercial o-the-shelf (COTS) hardware, and pro-

vides strong security guarantees, even in the presence of multi-

ple malicious or faulty components. The key idea is to combine

protective-redundancy with modern threshold cryptographic tech-

niques to build a system tolerant to hardware trojans and errors.

To evaluate our design, we build a Hardware Security Module that

provides the highest level of assurance possible with COTS compo-

nents. Specically, we employ more than a hundred COTS secure

cryptocoprocessors, veried to FIPS140-2 Level 4 tamper-resistance

standards, and use them to realize high-condentiality random

number generation, key derivation, public key decryption and sign-

ing. Our experiments show a reasonable computational overhead

(less than

for both Decryption and Signing) and an exponential

increase in backdoor-tolerance as more ICs are added.

KEYWORDS

cryptographic hardware; hardware trojans; backdoor-tolerance;

secure architecture

Permission to make digital or hard copies of all or part of this work for personal or

classroom use is granted without fee provided that copies are not made or distributed

for prot or commercial advantage and that copies bear this notice and the full citation

on the rst page. Copyrights for components of this work owned by others than the

author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or

republish, to post on servers or to redistribute to lists, requires prior specic permission

and/or a fee. Request permissions from permissions@acm.org.

CCS ’17, October 30-November 3, 2017, Dallas, TX, USA

2017 Copyright held by the owner/author(s). Publication rights licensed to Associa-

tion for Computing Machinery.

ACM ISBN 978-1-4503-4946-8/17/10... $15.00

https://doi.org/10.1145/3133956.3133961

1 INTRODUCTION

Many critical systems with high security needs rely on secure

cryptoprocessors to carry out sensitive security tasks (e.g., key gen-

eration and storage, legally binding digital signature, code signing)

and provide a protection layer against cyber-attacks and security

breaches. These systems are typically servers handling sensitive

data, banking infrastructure, military equipment and space sta-

tions. In most cases, secure cryptoprocessors come embedded into

Hardware Security Modules, Trusted Platform Modules and Cryp-

tographic Accelerators, which are assumed to be both secure and

reliable. This entails that errors in any of the Integrated Circuits

(ICs) would be devastating for the security of the nal system. For

this reason, the design and fabrication of the underlying ICs must

abide f to high-quality specications and standards. These ensure

that there are no intentional or unintentional errors in the circuits,

but more importantly ensure the integrity of the hardware supply

chain. [52].

Unfortunately, vendors are not always able to oversee all parts of

the supply chain [

]. The constant reduction in transistor size

makes IC fabrication an expensive process, and IC designers often

outsource the fabrication task to overseas foundries to reduce their

costs [

]. This limits vendors to run only post-fabrication

tests to uncover potential defects. Those tests are very ecient

against common defects, but subtle errors are hard to uncover.

For instance, cryptoprocessors with defective RNG modules and

hardware cipher implementations have made it into production in

the past [31, 39].

Additionally, parts of the IC’s supply chain are left vulnera-

ble to attacks from malicious insiders [

] and have a

higher probability of introducing unintentional errors in the nal

product. In several documented real-world cases, contained errors,

backdoors or trojan horses. For instance, recently an exploitable

vulnerability was discovered on Intel processors that utilize Intel

Active Management Technology (AMT) [

], while vulnerable ICs

have been reported in military [

] applications, networking

equipment [

], and various other application [

]. Fur-

thermore, the academic community has designed various types of

hardware trojans (HT), and backdoors that demonstrate the extent

of the problem and its mitigation diculty [

–

Due to the severity of these threats, there is a large body of

work on the mitigation of malicious circuitry. Existing works have

pursued two dierent directions: detection and prevention. De-

tection techniques aim to determine whether any HTs exist in a

given circuit [

], while prevention techniques either

Session G5: Hardening Hardware

CCS’17, October 30-November 3, 2017, Dallas, TX, USA

1583

impede the introduction of HTs, or enhance the eciency of HT

detection [

]. Unfortunately, both detection and pre-

vention techniques are brittle, as new threats are able to circumvent

them quickly [

]. For instance, analog malicious hardware [

] was

able to evade known defenses, including split manufacturing, which

is considered one of the most promising and eective prevention

approaches. Furthermore, most prevention techniques come with a

high manufacturing cost for higher levels of security [

which contradicts the motives of fabrication outsourcing. To make

matters worse, vendors that use commercial o-the-shelf (COTS)

components are constrained to use only post-fabrication detec-

tion techniques, which further limits their mitigation toolchest. All

in all, backdoors being triggered by covert means and mitigation

countermeasures are in an arms race that seems favorable to the

attackers [94, 96].

In this paper, we propose Myst a new approach to the problem of

building trustworthy cryptographic hardware. Instead of attempt-

ing to detect or prevent hardware trojans and errors, we proposed

and provide evidence to support the hypothesis:

“We can build high-assurance cryptographic hardware from a set of un-

trusted components, as long as at least one of them is not compromised,

even if benign and malicious components are indistinguishable.”

Our key insight is that by combining established privacy en-

hancing technologies (PETs), with mature fault-tolerant system

architectures, we can distribute trust between multiple components

originating from non-crossing supply chains, thus reducing the

likelihood of compromises. To achieve this, we deploy distributed

cryptographic schemes on top of an N-variant system architec-

ture, and build a trusted platform that supports a wide-range of

commonly used cryptographic operations (e.g., random number

and key generation, decryption, signing). This design draws from

protective-redundancy and component diversication [

] and is

built on the assumption that multiple processing units and com-

munication controllers may be compromised by the same adver-

sary. However, unlike N-variant systems, instead of replicating the

computations on all processing units, Myst uses multi-party cryp-

tographic schemes to distribute the secrets so that the components

hold only shares of the secrets (and not the secrets themselves), at

all times. As long as one of the components remains honest, the

secret cannot be reconstructed or leaked. Moreover, we can tolerate

two or more non-colluding adversaries who have compromised

100% of the components.

Our proposed architecture is of particular interest for two distinct

categories of hardware vendors:

❖ Design houses that outsource the fabrication of their ICs.

❖

COTS vendors that rely on commercial components to build

their high-assurance hardware.

Understandably, design houses have much better control over the

IC fabrication and the supply chain, and this allows them to take full

advantage of our architecture. In particular, they can combine exist-

ing detection [

] and prevention techniques [

]

with our proposed design, to reduce the likelihood of compromises

for individual components. On the other hand, COTS vendors have

less control as they have limited visibility in the fabrication process

and the supply chain. However, they can still mitigate risk by using

ICs from sources, known to run their own fabrication facilities.

To our knowledge, this is the rst work that uses distributed

cryptographic protocols to build and evaluate a hardware module

architecture that is tolerant to multiple components carrying tro-

jans or errors. The eectiveness of this class of protocols for the

problem of hardware trojans has been also been studied in previous

theoretical works [6, 34].

To summarize, this paper makes the following contributions:

❖ Concept:

We introduce backdoor-tolerance, where a system

can still preserve its security properties in the presence of

multiple compromised components.

❖ Design:

We demonstrate how cryptographic schemes (§4)

can be combined with N-variant system architectures (§3),

to build high-assurance systems. Moreover, we introduce a

novel distributed signing scheme based on the Schnorr blind

signatures (§4.5).

❖ Implementation:

We implement the proposed architecture

by building a custom board featuring 120 highly-tamper

resistant ICs, and realize secure variants of random number

and key generation, public key decryption and signing (§5).

❖ Optimizations:

We implement a number of optimizations

to ensure the Myst architecture is competitive in terms of

performance compared to single ICs. Some optimizations

also concern embedded mathematical libraries which are of

independent interest.

❖ Evaluation:

We evaluate the performance of Myst, and use

micro-benchmarks to assess the cost of all operations and

bottlenecks (§6).

Related works and their relation to Myst are discussed in Sec-

tion 7.

2 PRELIMINARIES

In this section, we introduce backdoor-tolerance, and outline our

security assumptions for adversaries residing in the IC’s supply

chain.

2.1 Denition

A Backdoor-Tolerant system is able to ensure the condentiality

of the secrets it stores, the integrity of its computations and its

availability, against an adversary with dened capabilities. Such

a system can prevent data leakages and protect the integrity of

the generated keys and random numbers. Note that the denition

makes no distinction between honest design or fabrication mistakes

and hardware trojans, and accounts only for the impact these errors

have on the security properties of the system.

2.2 Threat Model

We assume an adversary is able to incorporate errors (e.g., a hard-

ware trojan) in some ICs but not all of them. This is because, ICs are

manufactured in many dierent fabrication facilities and locations

by dierent vendors and the adversary is assumed not to be able to

breach all their supply chains. Malicious ICs aim to be as stealthy

as possible, and conceal their presence as best as possible, while be-

nign components may have hard to detect errors (e.g., intermittent

faults) that cannot be trivially uncovered by post-fabrication tests.

Session G5: Hardening Hardware

CCS’17, October 30-November 3, 2017, Dallas, TX, USA

1584

Hence, malicious and defective components are indistinguishable

from benign/non-faulty ones.

The adversary can gain access to the secrets stored in the mali-

cious ICs and may also breach the integrity of any cryptographic

function run by the IC (e.g., a broken random number generator).

Moreover, the adversary has full control over the communication

buses used to transfer data to and from the ICs. Hence, they are able

to exltrate any information on the bus and the channel controller,

and inject and drop messages to launch attacks. Additionally, they

are able to connect and issue commands to the ICs, and if a sys-

tem features more that one malicious ICs, the adversary is able to

orchestrate attacks using all of them (i.e., colluding ICs). We also

assume that the adversary may use any other side-channel that a

hardware Trojan has been programmed to emit on – such as RF [

acoustic [

] or optical [

] channels. Additionally, the adversary

can trigger malicious ICs to cease functioning (i.e., availability at-

tacks). We also make standard cryptographic assumptions about

the adversary being computationally bound.

Finally, we assume a software developer or device operator builds

and signs the applications to be run on the ICs. From our point of

view they are trusted to provide high-integrity software without

backdoors or other aws. This integrity concern may be tackled

though standard high- integrity software development techniques,

such as security audits, public code repository trees, determinis-

tic builds, etc. The operator is also trusted to initialize the device

properly and choose ICs and dene diverse quorums so that the

probability of compromises is minimized.

3 ARCHITECTURE

In this section, we introduce the Myst architecture (build and eval-

utation in § 5 and 6), which draws from fault-tolerant designs and

N-variant systems [

]. The proposed design is based on the

thesis that given a diverse set of

ICs sourced from

untrusted sup-

pliers, a trusted system can be build, as long as at least one of them

is honest. Alternatively, our architecture can tolerate up to 100%

compromised or defective components, if not all of them collude

with each other. As illustrated in Figure 1, Myst has three types of

components: (1) a remote host, (2) an untrusted IC controller, and

(3) the processing ICs.

Processing ICs.

The ICs form the core of Myst, as they are col-

lectively entrusted to perform high-integrity computations, and

provide secure storage space. The ICs are programmable processors

or microprocessors. They have enough persistent memory to store

keys and they feature a secure random number generator. Protec-

tion against physical tampering or side-channels is also desirable

in most cases and mandated by the industry standards and best

practices for cryptographic hardware. For this reason, our proto-

type (Section 5), comprises of components that verify to the a very

high level of tamper-resistance (i.e., FIPS140-2 Level 4), and feature

a reliable random number generator (i.e., FIPS140-2 Level 3). Each

implementation must feature two or more ICs, of which at least

one must be free of backdoors. We dene this coalition of ICs, as a

quorum. The exact number of ICs in a quorum is determined by the

user depending on the degree of assurance she wants to achieve

(see also Subsection 3.2 and the Assessment Subsection 6).

Figure 1: An overview of the Myst’s distributed architec-

ture, featuring all the integral components and communi-

cation buses. The gray area represents the cryptographic de-

vice, featuring several untrusted cryptoprocessors (ICs). As

shown, the trusted operator interacts with individual ICs,

while the host interacts with the device as a whole.

IC controller.

The controller enables communication between the

ICs, and makes Myst accessible to the outside world. It manages

the bus used by the processing ICs to communicate with each other

and the interface where user requests are delivered to. Specically,

it enables:

❖

Unicast, IC-to-IC: an IC A sends instructions an IC B, and

receives the response.

❖

Broadcast, IC-to-ICs: an IC A broadcasts instructions to all

other ICs, and receive their responses.

❖

Unicast, Host-to-IC: a remote client send commands to a

specic IC, and receives the response.

❖

Broadcast, Host-to-ICs: a remote client broadcasts commands

to all ICs, and receive their responses.

The controller is also an IC and is also untrusted. For instance

it may drop, modify packets or forge new ones, in order to launch

attacks against the protocols executed. It may also collude with one

or more processing ICs.

Operator.

The operator is responsible for setting up the system

and conguring it. In particular, they are responsible for sourcing

the ICs and making sure the quorums are as diverse as possible.

Moreover, the operator determines the size of the quorums, and

sets the security parameters of the cryptosystem (Section 4). They

are assumed to make a best eort to prevent compromises and may

also be the owner of the secrets stored in the device.

Remote Host.

The remote host connects to Myst through the IC

controller; it issues high level commands and retrieves the results.

The remote host can be any kind of computer either in the local

network or in a remote one. In order for the commands to be exe-

cuted by the ICs, the host must provide proof of its authorization

to issue commands, usually by signing them with a public key as-

sociated with the user’s identity (e.g., certicate by a trusted CA).

Each command issued must include: 1) the requested operation, 2)

any input data, and 3) the host’s signature (see also Section 3.1).

We note that a corrupt host may use Myst to perform operations,

but cannot extract any secrets, or forge signatures (see also § 3.1).

Session G5: Hardening Hardware

CCS’17, October 30-November 3, 2017, Dallas, TX, USA

1585

Communication Channels.

At the physical level, the ICs, the

controller, and the hosts are connected through buses and network

interfaces. Hence, all messages containing commands, as well as

their eventual responses are routed to and from the ICs through

untrusted buses. We assume that the adversary is able to eavesdrop

on these buses and tamper with their trac (e.g., inject or modify

packets). To address this, we use established cryptographic mecha-

nisms to ensure integrity and condentiality for transmitted data.

More specically, all unicast and broadcast packets are signed using

the sender IC’s certicate, so that their origin and integrity can be

veried by recipients. Moreover, in cases where the condentiality

of the transmitted data needs to be protected, encrypted end-to-end

channels are also established. Such encrypted channels should be

as lightweight as possible to minimize performance overhead, yet

able to guarantee both the condentiality and the integrity of the

transmitted data.

3.1 Access Control Layer

Access Control (AC) is critical for all systems operating on conden-

tial data. In Myst, AC determines which hosts can submit service

requests to the system, and which quorums they can interact with.

Despite the distributed architecture of Myst, we can simply repli-

cate established AC techniques on each IC. More specically, each

IC is provided with the public keys of the hosts that are allowed to

have access to its shares and submit requests. Optionally, this list

may distinguish between hosts that have full access to the system,

and hosts that may only perform a subset of the operations. Once a

request is received, the IC veries the signature of the host against

this public key list. The list can be provided either when setting up

Myst, or when storing a secret or generating a key.

We note that it is up to the operator to decide the parameters of

each quorum (i.e., size

, ICs participating), and provide the AC lists

to the ICs. This is a critical procedure, as if one of the hosts turns out

to be compromised, the quorum can be misused in order to either

decrypt condential ciphertexts or sign bogus statements. However,

the secrets stored in the quorum will remain safe as there is no

way for the adversary to extract them, unless they use physical-

tampering (which our prototype (§5) is also resilient against). This

is also true in the case where one of the authorized hosts gets

compromised. For instance, a malware taking over a host can use

Myst to sign documents, but it cannot under any circumstances

extract any secrets.

3.2 Reliability Estimation

In the case of cryptographic hardware, in order for the operator

to decide on the threshold

and the quorum composition, an es-

timation of the likelihood of hardware errors is needed. For this

purpose we introduce k-tolerance, which given

foundries and

an independent error probability, computes the probability that a

quorum is secure.

Pr[secure] = 1 − Pr[error]

(1)

The quantication of the above parameters depends on the par-

ticular design and case, and as there is not commonly accepted way

of evaluation, it largely depends on the information and testing

capabilities each vendor has. For instance, hardware designers that

use split manufacturing [

] can estimate the probability of

a backdoored component using the k-security metric [

]. On the

other hand, COTS vendors cannot easily estimate the probability

of a compromised component, as they are not always aware of the

manufacturing technical details. Despite that, it is still possible for

them to achieve very high levels of error and backdoor-tolerance by

increasing the size of the quorums and sourcing ICs from distinct

facilities (i.e., minimizing the collusion likelihood). It should be

noted that as

grows the cost increases linearly, while the security

exponentially towards one.

4 SECURE DISTRIBUTED COMPUTATIONS

In this section, we introduce a set of protocols that leverage the

diversity of ICs in Myst to realize standard cryptographic opera-

tions manipulating sensitive keying material. More specically, our

cryptosystem comprises of a key generation operation (§4.1), the

ElGamal encryption operation (§4.2), distributed ElGamal decryp-

tion (§4.3), and distributed signing based on Schnorr signatures

(§4.5) [

]. These operations are realized using interactive cryp-

tographic protocols that rely on standard cryptographic assump-

tions. For operational purposes, we also introduce a key propaga-

tion protocol that enables secret sharing between non-overlapping

quorums (§4.6).

Prior to the execution of any protocols, the ICs must be initialized

with the domain parameters

T = (p, a, b, G, n, h)

of the elliptic curve

to be used, where

is a prime specifying the nite eld

and

are the curve coecients,

is the base point of the curve, with order

, and

is the curve’s cofactor. More details on the technical aspects

of the initialization procedure are provided in the provisioning

Section 6.4.

Distributed Key Pair Generation.

The Distributed Key Pair Gen-

eration (DKPG) is a key building block for most other protocols.

In a nutshell, DKPG enables a quorum

ICs to collectively

generate a random secret

, which is an element of a nite eld and

a public value

a дд

= x · G

for a given public elliptic curve point

At the end of the DKPG protocol, each player holds a share of the

secret

, denoted as

and the public value

a дд

. All steps of the

protocol are illustrated in Figure 2, and explained in turn below.

The execution of the protocol is triggered when an authorized

host sends the corresponding instruction (

❶

). At the rst step of

the protocol, each member of

runs Algorithm 4.1 and generates

a triplet consisting of: 1) a share

, which is a randomly sampled

element from

, 2) an elliptic curve point

, and 3) a commitment

to Y

denoted h

. (❷)

Algorithm 4.1:

TripletGen: Generation of a pair and its com-

mitment.

Input : The domain parameters λ

Output : A key triplet (x

, Y

, h

)

1 x

← Rand(λ)

2 Y

← x

· G

3 h

← Hash(Y

)

4 return (x

, Y

, h

)

Session G5: Hardening Hardware

CCS’17, October 30-November 3, 2017, Dallas, TX, USA

1586

Figure 2: The interaction between the dierent participants

during the execution of the Distributed Key Pair Generation

(DKPG) protocol.

Upon the generation of the triplet, the members perform a pair-

wise exchange of their commitments (

❸

), by the end of which, they

all hold a set

H = {h

, h

, .., h

}

. The commitment exchange ter-

minates when

| = t ∀q ∈ Q

. Another round of exchanges then

starts, this time for the shares of

a дд

(

❹

)

Y = {Y

, Y

, .., Y

}

. The

commitment exchange round is of uttermost importance as it forces

the participants to commit to a share of

a дд

, before receiving the

shares of others. This prevents attacks where an adversary rst

collects the shares of others, and then crafts its share so as to bias

the nal pair, towards a secret key they know.

Algorithm 4.2:

CommitVerify: Checks

, against their respec-

tive commitments.

Input : (Y, H )

Output : Bool

1 for i ∈ {1, |Y |} do

2 if Hash(Y

) , h

then

3 return False

4 return True

Once each member of the quorum receives

shares (i.e.,

|Y | = k

it executes Algorithm 4.2 to verify the validity of

’s elements

against their commitments in

. (

❺

) If one or more commitments

fail the verication then the member infers that an error (either

intentional or unintentional) occurred and the protocol is termi-

nated. Otherwise, if all commitments are successfully veried, then

the member executes Algorithm 4.3 (

❻

) and returns the result to

the remote host (

❼

). Note that it is important to return

a дд

, as

well as the individual shares

, as this protects against integrity

attacks, where malicious ICs return a dierent share than the one

they committed to during the protocol [

]. Moreover, since

are shares of the public key, they are also assumed to be public, and

available to any untrusted party.

Algorithm 4.3:

ShareAggr: Aggregates elements in a set of

shares (e.g., ECPoints, eld elements).

Input : Set of shares Q

Output : The aggregate of the shares q

1 q ← 0

2 for q

∈ Q do

3 q ← q + q

4 return q

In the following sections, we rely on DKPG as a building block

of more complex operations.

4.1 Distributed Public Key Generation

The distributed key generation operation enables multiple ICs to

collectively generate a shared public and private key pair with

shares distributed between all participating ICs. This is important

in the presence of hardware trojans, as a single IC never gains

access to the full private key at any point, while the integrity and

secrecy of the pair is protected against maliciously crafted shares.

We opt for a scheme that oers the maximum level of conden-

tiality (t-of-t,

k = t

), and whose execution is identical to DKPG seen

in Figure 2. However, there are numerous protocols that allow for

dierent thresholds, such as Pedersen’s VSS scheme [

The importance of the security threshold is discussed in more detail

in Section 6.3.

Once a key pair has been generated, the remote host can encrypt

a plaintext using the public key

, request the decryption of a

ciphertext, or ask for a plaintext to be signed. In the following

sections we will outline the protocols that realize these operations.

4.2 Encryption

For encryption, we use the Elliptic Curve ElGamal scheme [

]

(Algorithm 4.4). This operation does not use the secret key, and

can be performed directly on the host, or remotely by any party

holding the public key, hence there is no need to perform it in a

distributed manner.

Algorithm 4.4:

Encrypts a plaintext using the agreed common

public key.

Input : The domain parameters T , the plaintext m encoded

as an element of the group G, and the calculated

public key Y

a дд

Output : The Elgamal ciphertext tuple, (C

, C

)

1 r ← Rand(T )

2 C

← r · G

3 C

← m + r · Y

a дд

4 return (C

, C

)

Session G5: Hardening Hardware

CCS’17, October 30-November 3, 2017, Dallas, TX, USA

1587

评论收藏

内容反馈

chengyouling

2018-04-06

？？要密码。。

ACM CCS 2017论文集 PART1

评论1

最新资源

ACM CCS 2017论文集 PART1

评论1

最新资源

相关推荐

一篇ACM上的文章

ACM经典论文，这是acm经典论文集。

ccs顶级会议2018年论文合集part1

CCS 2013-ACM Conference on Computer and Communications Security 2013年论文集

ccs顶级会议2018年论文合集part2

ACM CCS2017论文集 PART2

ACM CCS 2018（一）.7z

CCS 2011-ACM Conference on Computer and Communications Security 2011年论文集

CCS 2008-ACM Conference on Computer and Communications Security 2008论文集

CCS 2010-ACM Conference on Computer and Communications Security 2010年论文集

CCS 2012-ACM Conference on Computer and Communications Security 2012年论文集

ACM CCS2017论文集 PART3

ACM SIGCOMM 2015 Program 论文集 Part 1

ACM CSS 2017.7z

IMCCC2017会议论文集

2019CCS论文集已分类session1-5.zip

TI开发工具Code Composer Studio (CCS) 在线安装包（2017版）

CCS 2017下.rar

CCS 2012论文集(part2)_ACM Conference on Computer and Communications Security

ccs顶级会议2018年论文合集part3

ACM SIGCOMM 2015 Program 论文集 part1

ACM SIGCOMM 2014论文集

ACM SIGKDD 2015 论文集，第一部分

ACM SIGKDD 2015 论文集，第四部分

NDSS 2020论文集.7z

ACM国家集训队2006论文集