Library > Steel: Composable Hardware-based Stateful and Randomised Functional Encryption
May/2021, PKC '21
Trusted execution environments (TEEs) enable secure execution of programs on untrusted hosts and cryptographically attest the correctness of outputs. As these are complex systems, it is essential to formally capture the exact security achieved by protocols employing TEEs, and ultimately, prove their security under composition, as TEEs are typically employed in multiple protocols, simultaneously.
Our contribution is twofold. On the one hand, we show that under existing definitions of attested execution setup, we can realise cryptographic functionalities that are unrealisable in the standard model. On the other hand, we extend the adversarial model to capture a broader class of realistic adversaries, we demonstrate weaknesses of existing security definitions this class, and we propose stronger ones.
Specifically, we first define a generalization of Functional Encryption that captures Stateful and Randomised functionalities (FESR). Then, assuming the ideal functionality for attested execution of Pass et al. (Eurocrypt ’2017), we construct the associated protocol, Steel, and we prove that Steel realises FESR in the universal composition with global subroutines model by Badertscher et al. (TCC ’2020). Our work is also a validation of the compositionality of the Iron protocol by Fisch et al. (CCS ’2017), capturing (non-stateful) hardware-based functional encryption.
As the existing functionality for attested execution of Pass et al. is too strong for real world use, we propose a weaker functionality that allows the adversary to conduct rollback and forking attacks. We demonstrate that Steel (realising stateful functionalities), contrary to the stateless variant corresponding to Iron, is not secure in this setting and discuss possible mitigation techniques.