Steel: Composable Hardware-based Stateful and Randomised Functional Encryption

Trusted execution environments (TEEs) enable secure execution of programs on untrusted hosts and cryptographically attest the correctness of outputs. As these are complex systems, it is essential to formally capture the exact security achieved by protocols employing TEEs and, ultimately, to prove their security under composition, since TEEs are typically employed in multiple protocols simultaneously. Our contribution is twofold. On the one hand, we show that under existing definitions of attested execution setup, we can realise cryptographic functionalities that are unrealisable in the standard model. On the other hand, we extend the adversarial model to capture a broader class of realistic adversaries, we demonstrate weaknesses of existing security definitions for this class, and we propose stronger ones. Specifically, we first define a generalisation of Functional Encryption that captures Stateful and Randomised functionalities (FESR). Then, assuming the ideal functionality for attested execution of Pass et al. (Eurocrypt 2017), we construct the associated protocol, Steel, and we prove that Steel realises FESR in the universal composition with global subroutines model of Badertscher et al. (TCC 2020). Our work is also a validation of the compositionality of the Iron protocol of Fisch et al. (CCS 2017), which captures (non-stateful) hardware-based functional encryption. As the existing functionality for attested execution of Pass et al. is too strong for real-world use, we propose a weaker functionality that allows the adversary to conduct rollback and forking attacks. We demonstrate that Steel (realising stateful functionalities), contrary to the stateless variant corresponding to Iron, is not secure in this setting, and we discuss possible mitigation techniques.
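The following toy model is an added illustration, not code from the paper or the Steel protocol: it shows why the weaker attested-execution functionality (host may roll back sealed enclave state) breaks a stateful functionality such as a bounded-use release, and how binding the sealed state to a trusted monotonic counter (in the spirit of the rollback-protection works the paper cites) turns the replay into a detected failure. The sealing key, the budget functionality and the counter interface are all constructed assumptions.

```python
import hmac, hashlib, json

SEAL_KEY = b"constructed-seal-key"  # stand-in for a hardware sealing key (assumption)

def seal(state: dict) -> bytes:
    """Authenticated (not encrypted) sealing: integrity is all we need here."""
    body = json.dumps(state, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, body, hashlib.sha256).digest() + body

def unseal(blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(SEAL_KEY, body, hashlib.sha256).digest()):
        raise ValueError("sealed state tampered")
    return json.loads(body)

class Enclave:
    """Stateful functionality: release a secret at most `budget` times.
    The state (uses so far) lives in a sealed blob held by the untrusted host."""
    def __init__(self, budget: int, monotonic: bool):
        self.budget = budget
        self.monotonic = monotonic   # bind state to a trusted monotonic counter?
        self.counter = 0             # hypothetical trusted counter (TrInc/ROTE style)

    def init_state(self) -> bytes:
        return seal({"uses": 0, "ctr": self.counter})

    def query(self, sealed: bytes):
        st = unseal(sealed)          # MAC passes even for an OLD snapshot
        if self.monotonic and st["ctr"] != self.counter:
            raise ValueError("rollback detected: stale counter in sealed state")
        if st["uses"] >= self.budget:
            return "denied", sealed
        st["uses"] += 1
        if self.monotonic:
            self.counter += 1        # advance before releasing, so a replay is stale
            st["ctr"] = self.counter
        return "secret", seal(st)

def rollback_attack(monotonic: bool, attempts: int = 3) -> int:
    """Host keeps the pre-query snapshot and replays it; returns secrets obtained."""
    enc = Enclave(budget=1, monotonic=monotonic)
    snapshot = enc.init_state()
    obtained = 0
    for _ in range(attempts):
        try:
            out, _fresh = enc.query(snapshot)   # host discards _fresh, reuses snapshot
        except ValueError:
            break
        obtained += out == "secret"
    return obtained
```

A stateless functionality (the Iron-style variant) returns the same output for the same input whatever snapshot is replayed, so rollback yields the adversary nothing new; here the stateful budget is exceeded three times without the counter and exactly once with it.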

[1] Ilan Komargodski et al., Functional Encryption for Randomized Functionalities in the Private-Key Setting from Minimal Assumptions, 2015, Journal of Cryptology.

[2] A. Shamir, Identity-based cryptosystems and signature schemes, 1985.

[3] Dan Boneh et al., IRON: Functional Encryption using Intel SGX, 2017, CCS.

[4] Bogdan Warinschi et al., Foundations of Hardware-Based Attested Computation and Application to SGX, 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[5] Aggelos Kiayias et al., Secure Outsourcing of Cryptographic Circuits Manufacturing, 2018, ProvSec.

[6] Dawn Xiaodong Song et al., Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contract Execution, 2018, ArXiv.

[7] Georg Fuchsbauer et al., Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model, 2020, EUROCRYPT.

[8] Damian Vizár et al., Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance, 2015, CRYPTO.

[9] Adrian Perrig et al., Bootstrapping Trust in Commodity Computers, 2010, 2010 IEEE Symposium on Security and Privacy.

[10] Markulf Kohlweiss et al., Decentralizing Inner-Product Functional Encryption, 2019, IACR Cryptol. ePrint Arch.

[11] Ioannis Tselekounis, Cryptographic techniques for hardware security, 2018.

[12] Srdjan Capkun et al., ROTE: Rollback Protection for Trusted Execution, 2017, USENIX Security Symposium.

[13] Ran Canetti et al., Universally Composable Authentication and Key-Exchange with Global PKI, 2016, Public Key Cryptography.

[14] Markulf Kohlweiss et al., Another Look at Extraction and Randomization of Groth's zk-SNARK, 2021, Financial Cryptography.

[15] Scott Yilek et al., Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine, 2010, CT-RSA.

[16] Vassilis Zikas et al., Collusion-Preserving Computation without a Mediator, 2022, 2022 IEEE 35th Computer Security Foundations Symposium (CSF).

[17] Yvo Desmedt et al., Public-Key Systems Based on the Difficulty of Tampering (Is There a Difference Between DES and RSA?), 1986, CRYPTO.

[18] Aggelos Kiayias et al., Consistency for Functional Encryption, 2020, IACR Cryptol. ePrint Arch.

[19] Kartik Nayak et al., HOP: Hardware makes Obfuscation Practical, 2017, NDSS.

[20] Dawn Song et al., Keystone: an open framework for architecting trusted execution environments, 2020, EuroSys.

[21] Adi Shamir et al., Identity-Based Cryptosystems and Signature Schemes, 1984, CRYPTO.

[22] Frank Piessens et al., Ariadne: A Minimal Approach to State Continuity, 2016, USENIX Security Symposium.

[23] Elaine Shi et al., Formal Abstractions for Attested Execution Secure Processors, 2017, EUROCRYPT.

[24] Brent Waters et al., Fuzzy Identity-Based Encryption, 2005, EUROCRYPT.

[25] Christof Fetzer et al., SPEICHER: Securing LSM-based Key-Value Stores using Shielded Execution, 2019, FAST.

[26] Rafail Ostrovsky et al., Robust Non-interactive Zero Knowledge, 2001, CRYPTO.

[27] Fan Zhang et al., Sealed-Glass Proofs: Using Transparent Enclaves to Prove and Sell Knowledge, 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[28] Aggelos Kiayias et al., Practical Non-Malleable Codes from l-more Extractable Hash Functions, 2016, CCS.

[29] Srinivas Devadas et al., Intel SGX Explained, 2016, IACR Cryptol. ePrint Arch.

[30] Keita Emura et al., Verifiable Functional Encryption using Intel SGX, 2020, IACR Cryptol. ePrint Arch.

[31] Insik Shin et al., OBFUSCURO: A Commodity Obfuscation Engine on Intel SGX, 2019, NDSS.

[32] Ran Canetti et al., Universally composable protocols with relaxed set-up assumptions, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[33] Ueli Maurer et al., A Definitional Framework for Functional Encryption, 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[34] Matthew Green et al., Fairness in an Unfair World: Fair Multiparty Computation from Public Bulletin Boards, 2017, CCS.

[35] Ueli Maurer et al., Bitcoin as a Transaction Ledger: A Composable Treatment, 2017, CRYPTO.

[36] Sandro Pinto et al., Demystifying Arm TrustZone, 2019, ACM Comput. Surv.

[37] David J. Wu et al., Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions, 2017, EUROCRYPT.

[38] Jonathan Katz et al., Functional Encryption from (Small) Hardware Tokens, 2015, IACR Cryptol. ePrint Arch.

[39] Valerio Schiavoni et al., Trust Management as a Service: Enabling Trusted Execution in the Face of Byzantine Stakeholders, 2020, 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[40] David Pointcheval et al., Decentralized Multi-Client Functional Encryption for Inner Product, 2018, IACR Cryptol. ePrint Arch.

[41] Ahmad-Reza Sadeghi et al., Secure Multiparty Computation from SGX, 2017, Financial Cryptography.

[42] Vinod Vaikuntanathan et al., Functional Encryption: New Perspectives and Lower Bounds, 2013, IACR Cryptol. ePrint Arch.

[43] Ran Canetti et al., Universally composable security: a new paradigm for cryptographic protocols, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[44] Ran Canetti et al., Universal Composition with Global Subroutines: Capturing Global Setup within plain UC, 2020, IACR Cryptol. ePrint Arch.

[45] Jacob R. Lorch et al., TrInc: Small Trusted Hardware for Large Distributed Systems, 2009, NSDI.

[46] Amit Sahai et al., Functional Encryption for Randomized Functionalities, 2015, TCC.

[47] Ran Canetti et al., Universally Composable Security with Global Setup, 2007, TCC.

[48] Kai-Min Chung et al., On Extractability Obfuscation, 2014, IACR Cryptol. ePrint Arch.

[49] Rüdiger Kapitza et al., Rollback and Forking Detection for Trusted Execution Environments Using Lightweight Collective Memory, 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[50] Robert H. Deng et al., ObliDC: An SGX-based Oblivious Distributed Computing Framework with Formal Proof, 2019, AsiaCCS.

[51] Amit Sahai et al., Functional Encryption: Decentralised and Delegatable, 2015, IACR Cryptol. ePrint Arch.

[52] Brent Waters et al., Functional Encryption: Definitions and Challenges, 2011, TCC.

[53] Aggelos Kiayias et al., Tamper Resilient Circuits: The Adversary at the Gates, 2013, IACR Cryptol. ePrint Arch.

[54] Aggelos Kiayias et al., Non-Malleable Codes for Partial Functions with Manipulation Detection, 2018, IACR Cryptol. ePrint Arch.

[55] Markus Jakobsson et al., Security of Signed ElGamal Encryption, 2000, ASIACRYPT.