scispace - formally typeset

Showing papers by "Srinivas Devadas published in 2006"


Proceedings ArticleDOI
03 Nov 2006
TL;DR: This paper shows how one can implement a very large number of virtual monotonic counters on an untrusted machine with a Trusted Platform Module (TPM) or similar device, without relying on a trusted OS, and implements a hash-tree-based scheme that offers improved performance and scalability.
Abstract: A trusted monotonic counter is a valuable primitive that enables a wide variety of highly scalable offline and decentralized applications that would otherwise be prone to replay attacks, including offline payment, e-wallets, virtual trusted storage, and digital rights management (DRM). In this paper, we show how one can implement a very large number of virtual monotonic counters on an untrusted machine with a Trusted Platform Module (TPM) or similar device, without relying on a trusted OS. We first present a log-based scheme that can be implemented with the current version of the TPM (1.2) and used in certain applications. We then show how the addition of a few simple features to the TPM makes it possible to implement a hash-tree-based scheme that not only offers improved performance and scalability compared to the log-based scheme, but also makes it possible to implement count-limited objects (or "clobs" for short), i.e., encrypted keys, data, and other objects that can only be used when an associated virtual monotonic counter is within a certain range. Such count-limited objects include n-time use keys, n-out-of-m data blobs, n-copy migratable objects, and other variants, which have many potential uses in digital rights management (DRM), digital cash, itinerant computing, and other application areas.

113 citations


11 Sep 2006
TL;DR: In this paper, a hash-tree-based scheme was proposed to implement a large number of virtual monotonic counters on an untrusted machine with a Trusted Platform Module (TPM) or similar device without relying on a trusted OS.
Abstract: A trusted monotonic counter is a valuable primitive that enables a wide variety of highly scalable offline and decentralized applications that would otherwise be prone to replay attacks, including offline payment, e-wallets, virtual trusted storage, and digital rights management (DRM). In this paper, we show how one can implement a very large number of virtual monotonic counters on an untrusted machine with a Trusted Platform Module (TPM) or similar device, without relying on a trusted OS. We first present a log-based scheme that can be implemented with the current version of the TPM (1.2) and used in certain applications. We then show how the addition of a few simple features to the TPM makes it possible to implement a hash-tree-based scheme that not only offers improved performance and scalability compared to the log-based scheme, but also makes it possible to implement count-limited objects (or “clobs” for short) – i.e., encrypted keys, data, and other objects that can only be used when an associated virtual monotonic counter is within a certain range. Such count-limited objects include n-time use keys, n-out-of-m data blobs, n-copy migratable objects, and other variants, which have many potential uses in digital rights management (DRM), digital cash, digital voting, itinerant computing, and other application areas.

101 citations
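The hash-tree scheme described in both listings of this paper above, as an added example that is not the paper's code or the TPM 1.2 command set: the trusted side holds only a Merkle root and a signing key, the untrusted host holds the tree and supplies an authentication path with every request, and a count-limited object is unwrapped only while its counter's proven value lies in range. SHA-256 in place of the TPM's hash, an HMAC under a device-internal key in place of its signature, a tree of eight counters and a cleartext clob payload are assumptions of this example.

```python
"""Virtual monotonic counters on a hash tree: the trusted device keeps only
the Merkle root, the untrusted host keeps the tree and supplies an
authentication path with every request.  Added illustration of the
hash-tree scheme, not the paper's code or the TPM command set: SHA-256
stands in for the TPM's hash, an HMAC under a device-internal key for its
signature, and count-limited payloads are held in the clear."""
import hashlib
import hmac

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(counter_id: int, value: int) -> bytes:
    return H(b"leaf", counter_id.to_bytes(4, "big"), value.to_bytes(8, "big"))

def root_from_path(counter_id: int, value: int, siblings: list) -> bytes:
    """Fold a leaf up through its siblings; bit i of counter_id says whether
    the node at level i is a right (1) or left (0) child."""
    node = leaf_hash(counter_id, value)
    for level, sib in enumerate(siblings):
        node = H(b"node", sib, node) if (counter_id >> level) & 1 else H(b"node", node, sib)
    return node

def _cert_msg(counter_id: int, value: int, nonce: bytes) -> bytes:
    return b"ctr" + counter_id.to_bytes(4, "big") + value.to_bytes(8, "big") + nonce

class HostTree:
    """Untrusted side: stores every node so it can serve any path."""
    def __init__(self, depth: int):
        self.depth, self.values = depth, [0] * (1 << depth)
        self.levels = [[leaf_hash(i, 0) for i in range(1 << depth)]]
        for _ in range(depth):
            prev = self.levels[-1]
            self.levels.append([H(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])

    @property
    def root(self) -> bytes:
        return self.levels[-1][0]

    def path(self, counter_id: int):
        siblings, idx = [], counter_id
        for level in range(self.depth):
            siblings.append(self.levels[level][idx ^ 1])
            idx >>= 1
        return self.values[counter_id], siblings

    def apply(self, counter_id: int, new_value: int) -> None:
        """Mirror an update the device has already committed to its root."""
        self.values[counter_id] = new_value
        self.levels[0][counter_id] = leaf_hash(counter_id, new_value)
        idx = counter_id
        for level in range(self.depth):
            idx >>= 1
            kids = self.levels[level]
            self.levels[level + 1][idx] = H(b"node", kids[2 * idx], kids[2 * idx + 1])

class TrustedDevice:
    """Trusted side: one root hash plus a key that never leaves the device."""
    def __init__(self, root: bytes, key: bytes):
        self.root, self._key = root, key

    def _check(self, counter_id, value, siblings):
        if root_from_path(counter_id, value, siblings) != self.root:
            raise ValueError("path does not match current root: stale (replay) or forged")

    def increment(self, counter_id, value, siblings, nonce):
        """Verify the path, commit value+1 to the root, certify the new value."""
        self._check(counter_id, value, siblings)
        self.root = root_from_path(counter_id, value + 1, siblings)
        return value + 1, hmac.new(self._key, _cert_msg(counter_id, value + 1, nonce), "sha256").digest()

    def unwrap_clob(self, clob: dict, value, siblings):
        """Count-limited object: release the payload only while the bound
        counter, proven against the current root, lies within [lo, hi]."""
        self._check(clob["counter"], value, siblings)
        if not clob["lo"] <= value <= clob["hi"]:
            raise PermissionError("counter outside the object's allowed range")
        return clob["payload"]

def verify_cert(key, counter_id, value, nonce, cert) -> bool:
    """Relying-party check; it shares the key here, a real TPM would sign."""
    return hmac.compare_digest(hmac.new(key, _cert_msg(counter_id, value, nonce), "sha256").digest(), cert)

def demo() -> dict:
    key, nonce = b"constructed-device-key", b"\x01" * 8   # constructed sample values
    host = HostTree(depth=3)                               # eight virtual counters
    dev = TrustedDevice(host.root, key)
    stale = host.path(5)                                   # old path, replayed below
    for _ in range(2):
        new_value, cert = dev.increment(5, *host.path(5), nonce)
        host.apply(5, new_value)
    try:
        dev.increment(5, *stale, nonce)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    clob = {"counter": 5, "lo": 1, "hi": 2, "payload": b"two-use key"}
    payload = dev.unwrap_clob(clob, *host.path(5))         # counter is 2: allowed
    new_value, cert = dev.increment(5, *host.path(5), nonce)
    host.apply(5, new_value)
    try:
        dev.unwrap_clob(clob, *host.path(5))               # counter is 3: denied
        clob_denied = False
    except PermissionError:
        clob_denied = True
    return {"value": new_value, "cert_ok": verify_cert(key, 5, new_value, nonce, cert),
            "replay_rejected": replay_rejected, "payload": payload, "clob_denied": clob_denied}
```

Replaying an old path fails because the device's root has moved on, which is what makes each counter monotonic without the device storing per-counter state; the host can deny service by withholding paths, but it cannot roll a counter back. A deployment would bind the certificate to a signing key the TPM attests rather than to a shared HMAC key, and would keep clob payloads encrypted to the device.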


Patent
01 Jun 2006
TL;DR: In this article, a device-specific value is reliably regenerated: a first component of the device produces a value that depends on fabrication variation among like devices, redundancy information is computed from that value, and when the component later produces a (possibly differing) value, a second component recovers the first value from the later value and the redundancy information.
Abstract: A device-specific value is reliably generated in a device. In a first component of the device, a first digital value is generated that is substantially dependent on fabrication variation among like devices. Redundancy information is computed based on the first digital value. A subsequent digital value is later generated in the first component of the device. The first digital value is then determined in a second component of the device from the subsequent digital value and the redundancy information.

88 citations
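The redundancy-information step of the patent above, as an added example that is not the patent's construction: the "first digital value" is a readout of a noisy device-specific source, the redundancy is a code-offset helper (readout XOR a random codeword), and a later readout plus the helper recovers the original value exactly as long as the noise stays within the code's correction capacity. The 5x repetition code, the seeded stand-in for the circuit and the constructed flip patterns are assumptions of this example.

```python
"""Reliable device-specific value from a noisy readout using a code-offset
helper: redundancy information = response XOR codeword, recomputed later
from a fresh (noisy) readout.  Added illustration of the helper-data idea,
not the patent's construction: the 5x repetition code, the seeded stand-in
for the circuit and the flip patterns are assumptions of this example."""
import hashlib
import random

REP = 5  # 5 response bits per code symbol; majority vote corrects up to 2 flips

def fabricate(n_bits: int, seed: int) -> list:
    """Constructed stand-in for the first component's raw output."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n_bits)]

def reread(response: list, flip_positions) -> list:
    """Constructed noise: a later readout with the given bit positions flipped."""
    flips = set(flip_positions)
    return [b ^ (i in flips) for i, b in enumerate(response)]

def encode(word: list) -> list:
    return [b for b in word for _ in range(REP)]

def decode(codeword: list) -> list:
    return [int(sum(codeword[i:i + REP]) > REP // 2) for i in range(0, len(codeword), REP)]

def make_helper(response: list, seed: int) -> list:
    """Enrollment: redundancy = response XOR C(w) for a random word w.  The
    helper may be stored outside the device; w itself is discarded."""
    rng = random.Random(seed)
    w = [rng.randrange(2) for _ in range(len(response) // REP)]
    return [r ^ c for r, c in zip(response, encode(w))]

def recover(noisy: list, helper: list) -> list:
    """Second component, later: strip the helper, decode away the noise,
    re-encode, and strip the helper again to get the original response."""
    w = decode([n ^ h for n, h in zip(noisy, helper)])
    return [h ^ c for h, c in zip(helper, encode(w))]

def fingerprint(bits: list) -> bytes:
    """What a device would actually use downstream: a hash of the recovered value."""
    return hashlib.sha256(bytes(bits)).digest()

def demo() -> dict:
    response = fabricate(160, seed=7)          # 32 symbols of 5 bits
    helper = make_helper(response, seed=11)
    expected = fingerprint(response)           # kept from enrollment for comparison
    # every 4th bit flipped: 25% raw error, but never more than 2 flips per symbol
    ok = recover(reread(response, range(0, 160, 4)), helper)
    # three flips inside symbol 0 exceed the code's capacity: recovery fails
    bad = recover(reread(response, [0, 1, 2]), helper)
    return {"recovered": fingerprint(ok) == expected,
            "overloaded": fingerprint(bad) == expected}
```

Two caveats a practitioner wants here. The helper is public, and with a repetition code it reveals the XOR of any two response bits in the same symbol, so it leaves only about one bit of entropy per symbol: size the raw response accordingly and hash the recovered value rather than using it directly. And the device cannot tell a mis-decode from a correct one on its own; comparing a hash stored at enrollment, as `demo` does, is the usual check.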


Patent
01 Jun 2006
TL;DR: In this article, an integrated circuit contains a component whose dynamic characteristic varies among like integrated circuits (for example, circuits fabricated using the same lithography mask); the component's output is used to generate a digital value associated with the circuit, which is then used in operating the circuit.
Abstract: An integrated circuit has a first component that has a dynamic characteristic that varies among like integrated circuits, for example, among integrated circuits fabricated using the same lithography mask. Operating the first component produces an output that is dependent on the dynamic characteristic of the first component. A digital value associated with the integrated circuit is generated using the output of the first component, and then the generated digital value is used in operation of the integrated circuit.

75 citations


Journal ArticleDOI
TL;DR: Four protocols speed up fixed-base variable-exponent and variable-base fixed-exponent exponentiation using an untrusted computational resource, with the exponent or the base blinded; a fifth protocol handles variable-base variable-exponent exponentiation and shares the per-message work-security tradeoff, and the model lets the trusted resource perform its share of the work in idle time.
Abstract: We present protocols for speeding up fixed-base variable-exponent exponentiation and variable-base fixed-exponent exponentiation using an untrusted computational resource. In the fixed-base protocols, the exponent may be blinded. In the variable-base protocols, the base may be blinded. The protocols are described for exponentiation in a cyclic group. We describe how to extend them to exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. The protocols provide a speedup of $$\frac{3}{2}((\log k)-1)$$ over the square-and-multiply algorithm, where k is the bitlength of the exponent. One application of the protocols is to speed up exponentiation-based verification in discrete log-based signature and credential schemes. The protocols also allow signature verifiers to dynamically choose, for each message, the amount of work they would like to perform to verify the signature. This results in a work-security tradeoff. We introduce a fifth protocol to perform variable-base variable-exponent exponentiation, which also has this feature. Our model allows the trusted resource to perform computations in its idle time. The protocols facilitate the offloading of work to the offline stage, such that the work the trusted resource performs when it has to do an exponentiation is smaller. Our protocols are unconditionally secure.

69 citations
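The model in the abstract above, as an added example that is not one of the paper's five protocols: a trusted device precomputes (r, g^r) pairs in idle time, hands an untrusted helper a blinded exponent that is statistically independent of x, and checks the helper's answer with a secret t-bit exponent, so that the device's online work shrinks to one t-bit exponentiation and a few multiplications while a wrong answer slips through with probability about 2^-t. The blinding and the small-exponent spot check are generic techniques, and the 64-bit safe-prime group is chosen only so the example runs fast.

```python
"""Outsourcing g^x to an untrusted helper with exponent blinding, idle-time
precomputation and a t-bit spot check.  Added illustration of the model
the abstract describes, not the paper's protocols: the blinding with
precomputed (r, g^r) pairs and the secret small check exponent c are
generic techniques, and the 64-bit safe-prime group is chosen for speed."""
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int) -> tuple:
    """Smallest p = 2q+1 with q >= 2**(bits-2) and p, q prime; g = 4 generates
    the order-q subgroup, which gives the spot check a clean 2^-t bound."""
    q = (1 << (bits - 2)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

class TrustedDevice:
    def __init__(self, p: int, q: int, g: int, t: int):
        self.p, self.q, self.g, self.t = p, q, g, t
        self.pool = []   # (r, g^r) pairs produced in idle time

    def precompute(self, n: int) -> None:
        """Offline stage: full exponentiations done before any request arrives."""
        for _ in range(n):
            r = secrets.randbelow(self.q)
            self.pool.append((r, pow(self.g, r, self.p)))

    def exp(self, x: int, helper) -> int:
        """g^x via the helper: two pool entries, one t-bit exponentiation and
        three multiplications online; x and c stay hidden from the helper."""
        r1, gr1 = self.pool.pop()
        r2, gr2 = self.pool.pop()
        c = secrets.randbelow(1 << self.t) + 1       # secret check exponent, t bits
        a = (x - r1) % self.q                        # uniform: reveals nothing about x
        b = (c * a + r2) % self.q                    # uniform: reveals nothing about c
        A, B = helper(a, b)
        if pow(A, c, self.p) * gr2 % self.p != B:    # A^c * g^r2 must equal g^(c*a + r2)
            raise ValueError("helper result failed the spot check")
        return A * gr1 % self.p                      # g^(x - r1) * g^r1 = g^x

def honest_helper(p: int, g: int):
    return lambda a, b: (pow(g, a, p), pow(g, b, p))

def cheating_helper(p: int, g: int):
    """Returns g^(a+1); its B is consistent only if the device's c happens to be 1."""
    return lambda a, b: (pow(g, a + 1, p), pow(g, b + 1, p))

def demo(t: int = 20) -> dict:
    p, q, g = safe_prime_group(64)
    dev = TrustedDevice(p, q, g, t)
    dev.precompute(4)
    x = secrets.randbelow(q)
    honest = dev.exp(x, honest_helper(p, g)) == pow(g, x, p)
    try:
        dev.exp(x, cheating_helper(p, g))
        caught = False
    except ValueError:
        caught = True
    return {"honest_correct": honest, "cheat_caught": caught, "check_bits": t}
```

The knob `t` is the work-security tradeoff in concrete form: the device's online cost is about 1.5t multiplications for the check instead of about 1.5k for square-and-multiply on a k-bit exponent, and a helper that deviates from g^a must guess c to pass, which succeeds with probability 2^-t. Each outsourced exponentiation also spends two precomputed pairs, so the offline stage has to keep the pool topped up.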


Patent
01 Jun 2006
TL;DR: In this article, a digital value is generated in an integrated circuit such that it substantially depends on circuit parameters that vary among like devices, and the generated value is then used, for example, to access protected information in the device or to perform a cryptographic function in the integrated circuit.
Abstract: A digital value is generated in an integrated circuit such that the generated value substantially depends on circuit parameters that vary among like devices. The generated digital value is then used, for example, to access protected information in the device or to perform a cryptographic function in the integrated circuit.

12 citations


Proceedings Article
01 Jan 2006
TL;DR: No abstract is available for this entry; the archived record carries only the Auto-ID Lab (University of Adelaide) copyright notice below.
Abstract: Auto-ID Lab University of Adelaide (c) 2006 Copyright. The document attached has been archived with permission.

10 citations


Patent
01 Jun 2006
TL;DR: In this article, access to device-specific information is controlled in two stages: at enrollment the device derives a second value as a one-way function of a supplied first value, computes a device-specific third value from it, and releases the third value for storage outside the device; later the second value is supplied, the device recomputes the third value and releases only a fourth value, a second one-way function of the third, without disclosing the third value.
Abstract: A method for providing access to device-specific information includes providing a first value to the device, and then, in the device, using a second value that is a first one-way function of the provided first value to determine a third value such that the third value is a device-specific function of the second value. The third value is then accepted from the device and stored outside the device. Subsequent to accepting the third value from the device, the second value is provided to the device. In the device, the provided second value is used to determine the third value once again and a fourth value is determined that is a second one-way function of the third value. This determining of the fourth value is performed without disclosing the third value outside the device. The fourth value is accepted from the device.

5 citations
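The two-stage protocol of the patent above, together with the two earlier patent entries on deriving a digital value from a component whose characteristic varies among like circuits, as an added example that is not the patents' circuitry or protocol code: an additive-delay model stands in for a component with a fabrication-dependent dynamic characteristic, SHA-256 with domain tags stands in for both one-way functions, and the 64-stage, 128-bit sizes are choices made for the example. The raw response leaves the device once, at enrollment; in the field only its hash does.

```python
"""Controlled access to a device-specific function: the raw response
leaves the device once, at enrollment, and afterwards only a one-way
function of it does.  Added illustration, not the patents' circuit or
protocol code: the additive-delay arbiter model stands in for the
circuit, SHA-256 with domain tags for both one-way functions, and the
64-stage / 128-bit sizes are choices made for the example."""
import hashlib
import random
import secrets

N_STAGES = 64
RESPONSE_BITS = 128

def H1(first_value: bytes) -> bytes:
    return hashlib.sha256(b"challenge|" + first_value).digest()

def H2(third_value: bytes) -> bytes:
    return hashlib.sha256(b"response|" + third_value).digest()

class SimulatedPUF:
    """Constructed stand-in for the circuit: an additive-delay arbiter
    model whose per-stage delay differences are fixed at 'fabrication'."""
    def __init__(self, seed: int):
        rng = random.Random(seed)
        self.delta = [rng.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]

    def _bit(self, c: list) -> int:
        phi, sign = [], 1
        for cj in reversed(c):            # phi[i] = prod_{j>=i} (1 - 2 c_j)
            sign *= 1 - 2 * cj
            phi.append(sign)
        phi.reverse()
        delay = sum(d * p for d, p in zip(self.delta, phi)) + self.delta[N_STAGES]
        return int(delay > 0)

    def response(self, second_value: bytes) -> bytes:
        """Expand one input into RESPONSE_BITS challenges, one arbiter bit each."""
        bits = 0
        for k in range(RESPONSE_BITS):
            raw = hashlib.sha256(second_value + k.to_bytes(2, "big")).digest()
            c = [(raw[i // 8] >> (i % 8)) & 1 for i in range(N_STAGES)]
            bits = (bits << 1) | self._bit(c)
        return bits.to_bytes(RESPONSE_BITS // 8, "big")

class Device:
    """Only these two entry points would exist on hardware; the raw
    output of the circuit is not otherwise readable from outside."""
    def __init__(self, puf: SimulatedPUF):
        self._puf = puf

    def enroll(self, first_value: bytes) -> bytes:
        second = H1(first_value)                  # the device fixes the effective challenge
        return self._puf.response(second)         # third value, released this once

    def respond(self, second_value: bytes) -> bytes:
        third = self._puf.response(second_value)  # recomputed, never output
        return H2(third)                          # fourth value

def enroll_pairs(device: Device, n: int) -> list:
    """Verifier, in a trusted setting: keep (second, third) pairs outside the device."""
    pairs = []
    for _ in range(n):
        first = secrets.token_bytes(16)
        pairs.append((H1(first), device.enroll(first)))
    return pairs

def authenticate(device: Device, pairs: list) -> bool:
    """Field check: spend one stored pair, compare against H2 of the stored third value."""
    second, third = pairs.pop()
    return device.respond(second) == H2(third)

def demo() -> tuple:
    genuine = Device(SimulatedPUF(seed=2006))
    clone = Device(SimulatedPUF(seed=2007))      # a 'like' device from the same mask
    pairs = enroll_pairs(genuine, 3)
    return authenticate(genuine, pairs), authenticate(clone, pairs)
```

Hashing on the way out is what stops someone with field access from harvesting raw challenge-response pairs, which for an additive-delay circuit are enough to fit a model of it; hashing on the way in means the enrolling party cannot feed the circuit adaptively chosen challenges either. Each stored pair is spent once, so an observed fourth value cannot be replayed, and the verifier's database must be protected in proportion to what the device guards.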


Book ChapterDOI
20 Aug 2006
TL;DR: This work focuses on the prediction of alpha helices and shows that by using HM-SVMs, a simple 7-state HMM with 302 parameters can achieve a Qα value of 77.6% and a SOV α value of 73.4%, among the best for techniques that do not rely on external databases.
Abstract: Our goal is to develop a state-of-the-art secondary structure predictor with an intuitive and biophysically-motivated energy model through the use of Hidden Markov Support Vector Machines (HM-SVMs), a recent innovation in the field of machine learning. We focus on the prediction of alpha helices and show that by using HM-SVMs, a simple 7-state HMM with 302 parameters can achieve a Qα value of 77.6% and a SOVα value of 73.4%. As detailed in an accompanying technical report [11], these performance numbers are among the best for techniques that do not rely on external databases (such as multiple sequence alignments).

2 citations


Posted Content
TL;DR: The approach enables a generalized two-phase analysis and extends the two-phase theory by identifying the necessary and sufficient properties of a broad class of cryptographic primitives for which the theory holds.
Abstract: We introduce knowledge flow analysis, a simple and flexible formalism for checking cryptographic protocols. Knowledge flows provide a uniform language for expressing the actions of principals, assumptions about intruders, and the properties of cryptographic primitives. Our approach enables a generalized two-phase analysis: we extend the two-phase theory by identifying the necessary and sufficient properties of a broad class of cryptographic primitives for which the theory holds. We also contribute a library of standard primitives and show that they satisfy our criteria.

2 citations
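The kind of check a formalism like the one above mechanises, as an added example that is not the paper's knowledge-flow formalism or its primitive library: the intruder's knowledge is closed under a small set of primitive rules (open pairs, decrypt with a known key) and a secret is then tested for derivability, with a second question asking what the intruder can build. The term encoding, the symmetric-encryption rules and both sample runs are constructed for the example.

```python
"""What the intruder can learn from a protocol run, as a closure over a
small library of primitives.  Added illustration of the kind of check
such a formalism mechanises, written as a plain Dolev-Yao saturation; it
is not the paper's knowledge-flow formalism or its primitive library.
Terms, the symmetric-encryption rules and both sample runs are
constructed for the example."""

# Terms: atoms are strings; ("pair", a, b) and ("enc", m, k) are compound.
def enc(m, k):
    return ("enc", m, k)

def pair(a, b):
    return ("pair", a, b)

def analyse(observed: set) -> frozenset:
    """Everything derivable by taking terms apart: open pairs and decrypt
    with keys already known.  Iterates to a fixpoint, which exists because
    only subterms of what was observed can ever be added."""
    known = set(observed)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == "pair":
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and t[2] in known:
                new.add(t[1])
        if new <= known:
            return frozenset(known)
        known |= new

def can_build(target, known) -> bool:
    """Synthesis: a compound term is buildable when all its parts are."""
    if target in known:
        return True
    if isinstance(target, tuple):
        return all(can_build(part, known) for part in target[1:])
    return False

def intruder_view(run: list, initial: set) -> frozenset:
    """The intruder reads every message on the wire; 'initial' is what it
    knew beforehand (public names, its own key, plaintexts it may choose)."""
    return analyse(set(initial) | set(run))

# Constructed runs.  Kbs is a long-term key shared by B and the server S,
# Kab a session key, "payroll" the data protected by the session key.
KEY_DIST = [enc(pair("A", "Kab"), "Kbs"),    # S -> B: session key under Kbs
            enc("payroll", "Kab")]            # A -> B: data under the session key
CARELESS_RETIRE = KEY_DIST + ["Kbs"]           # B 'retires' Kbs by sending it in clear
INITIAL = {"A", "B", "S", "Ki", "bonus"}       # names, the intruder's key, a chosen plaintext

def demo() -> dict:
    safe = intruder_view(KEY_DIST, INITIAL)
    leaky = intruder_view(CARELESS_RETIRE, INITIAL)
    return {
        "secret_kept": "payroll" not in safe,
        "secret_leaked": "payroll" in leaky,
        # with Kab in hand the intruder can also forge traffic under it
        "forgery_in_leaky_run": can_build(enc("bonus", "Kab"), leaky),
        "forgery_in_safe_run": can_build(enc("bonus", "Kab"), safe),
    }
```

The analysis half is a fixpoint over subterms and always terminates; the synthesis half is a recursive build check. What a protocol checker needs beyond this toy is the intruder's ability to act as well as read (inject messages, replay, run sessions in parallel), asymmetric and signature primitives with their own rules, and fresh nonces per session, which is where a uniform language for principals, intruders and primitives earns its keep.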