Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Published byJace Finkley Modified over 10 years ago

Similar presentations

Presentation on theme: "Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,"— Presentation transcript:

1 Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro, Daniel Wichs

2 Properties of § ( G ): 1. § ( G ) provides privacy. 2. § ( G ) allows algebraic manipulation. 2 G + Storage § ( G ) Whats g ? ¢ 2 G Abstract Storage Device § ( G ) g

3 Q: Why study devices with these properties? A: They appear implicitly in crypto applications: – –Secret Sharing – –Fuzzy Extractors Problem: Because of algebraic manipulation, the above primitives are vulnerable to certain active adversarial attacks. Task: A general method that helps us addrobustness to secret sharing and fuzzy extractors.

4 s = Cut the blue wire! Application: Secret Sharing g 2 G S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 Qualified sets: can recover g. Unqualified sets: learn nothing about g.

5 Application: Secret Sharing S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 S 4 S 3 S 2 Whats g ? Unqualified Set

6 g= Rec( S 1, S 2, S 3, S 4, S 5, S 6 ) s = Cut the red wire! Application: Secret Sharing Robust Secret Sharing: An adversary who corrupts an unqualified set of players cannot cause the recovery of s s.

7 g =Rec( ) = Rec( S 1, S 2, S 3, S 4, S 5, S 6 ) + Rec(0, ¢ 2, ¢ 3, ¢ 4, 0, 0) = g + ¢ Linear Secret Sharing S 1, S 2, S 3, S 4, S 5, S 6 So is limited to algebraic manipulation!. Assume Secret Sharing is Linear (i.e. [Sha79,KW93,…] )

8 Linear Secret Sharing S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 §(G)§(G) Privacy of SS ) Privacy of § (G). Linearity of SS ) Algebraic Manipulation. Need: A way to store data on § ( G ) so that algebraic manipulation can be detected.

9 Algebraic Manipulation Detection (AMD) Codes An AMD Code consists of – –A probabilistic encoding function E : S ! G – –A decoding function D : G ! S [ { ? } For any s, D ( E ( s )) = s For any s 2 S, ¢ 2 G Pr[ D ( E ( s ) + ¢ ) { s, ? }] · ² Robust Secret Sharing: Share E ( s ).

10 g =Rec( S 1, S 2, S 3, S 4, S 5, S 6 ) = g + ¢ = E ( s )+ ¢ D ( g) = D ( E ( s ) + ¢ ) 2 { s, ? } Robust Linear Secret Sharing Recall:

11 Construction of AMD Code Systematic AMD code: E ( s ) = ( s, k, h ( s, k )) where k is random. G = S £ G 1 £ G 2 Construction: h ( s, k ) = k d +2 + § s i k i Construction: h ( s, k ) = k d +2 + § s i k i Intuition: ¢ 3 = h ( s + ¢ 1, k + ¢ 2 ) – h ( s, k ) Intuition: ¢ 3 = h ( s + ¢ 1, k + ¢ 2 ) – h ( s, k ) is a non-zero polynomial in k. is a non-zero polynomial in k. –hence hard to guess for a random k. i =0 d

12 Parameters and Optimality To get robustness security ² = 2 - ·, encoding of s adds overhead 2 · + O(log(| s |)) bits. Almost matches lower bound of 2 · bits. Previous constructions of Robust SS implicitly defined AMD codes with overhead linear in | s |. [CPS02, OK96, PSV99] To share a 1MB message with robustness ² = 2 -128 – Previous construction had an overhead of 2 MB. – We get an overhead of less than 300 bits.

13 Application #2 Fuzzy Extractors

14 Fuzzy Extractors Fuzzy Extractors Secret w : secret_Password Secret w : Secret~password w ¼ w w Gen P R Robust P Rep w R Fuzzy Extractor: R looks uniformly random even after I see P. P * R * Robust fuzzy extractor: I will detect P * P. ?

15 Robust Fuzzy Extractors Robust Fuzzy Extractors Secret w w Gen P R Rep w P * R / ? (Bob in the future) Does not allow interaction!

16 The Price of Robustness Non-robust fuzzy extractors with good parameters were constructed for several natural metrics. [DORS04] Until now, to get robustness, you had to choose: – –Interaction + computational assumptions + CRS [BDKOS05] – –Random Oracle model [BDKOS05] – –Entropy rate of w more than ½ + extract short keys [DKRS06] Would like to get a non-interactive protocol that works for all entropy rates and does not require random oracles. I.T. robustness requires that the entropy rate of w is more than ½, even in the non-fuzzy case w = w. – –The price of robustness, w.o. RO/CRS/assumptions, is HIGH! [DS02] This talk: Robustness is essentially FREE in the CRS model!

17 Randomness Extractors Ext Secret: w Public Seed: i R Can extract almost all entropy in w. The extracted string is random, even given The public seed ( i, R ) ¼ ( i, U )

18 Non-fuzzy Key Exchange R =Ext( w, i ) i Choose i Not robust!

19 Non-fuzzy Key Exchange CRS: Extractor seed i R =Ext( w, i ) Trivial! No communication necessary! But does not generalize to fuzzy case… Robust!

20 Correcting Errors using a Secure Sketch SS w S Rec w w S SS( w ) is very short and does not leak out much info about w.

21 Fuzzy Extractor w P = ( i, S ) R Ext SS i S Gen() : Rep( w, P ) : w w w w Rec S w w R Ext i Cannot put in CRS since S is user- specific. Lets try to only put i in the CRS and authenticate S.

22 Robust Fuzzy Extractor? w P = ( S, ¾ ) R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec S w w Ext i CRS: Extractor seed i MAC k ¾ S Ver S ¾ RkRk yes, no k R R Split extracted randomness Into 2 parts. Use k as a key to a MAC to authenticate S Might not be secure! But lets see - how insecure is it? Assume that the secure sketch and extractor are linear...

23 Robust Fuzzy Extractor? w P = ( S, ¾ ) R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec S w w Ext i CRS: Extractor seed i MAC k ¾ S Ver S ¾ RkRk yes, no k R R Split extracted randomness Into 2 parts. Use k as a key to a MAC to authenticate S

24 Robust Fuzzy Extractor? w P * = ( S *, ¾ *) R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec S * w w Ext i CRS: Extractor seed i MAC k ¾ S Ver ¾*¾* RkRk yes, no k S *

25 Robust Fuzzy Extractor? w P * = ( S *, ¾ *) R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec S * w*w* Ext i CRS: Extractor seed i MAC k ¾ S Ver ¾*¾* RkRk yes, no k S * w*w*

26 Robust Fuzzy Extractor? w P * = ( S *, ¾ *) R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec S * w*w* Ext i CRS: Extractor seed i MAC k ¾ S Ver ¾*¾* Rk*Rk* yes, no k*k* S * w*w* Might not be secure! But lets see - how insecure is it? Assume that the secure sketch and extractor are linear...

27 Robust Fuzzy Extractor? w R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec Ext i CRS: Extractor seed i MAC k ¾ S Ver yes, no S+¢SS+¢S w*w* w*w* Rk*Rk* k*k* ¾*¾* S * P * = ( S *, ¾ *)

28 w+¢ww+¢w w+¢ww+¢w Robust Fuzzy Extractor? w R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec S+¢SS+¢S Ext i CRS: Extractor seed i MAC k ¾ S Ver yes, no Rk*Rk* k*k* ¾*¾* S * P * = ( S *, ¾ *)

29 k+¢kk+¢k R k + ¢ k w+¢ww+¢w Robust Fuzzy Extractor? w R,kR,k Ext SS i S Gen(): Rep( w, P ): w w w w Rec Ext i CRS: Extractor seed i MAC k ¾ S Ver yes, no w+¢ww+¢w S+¢SS+¢S P * = ( S *, ¾ *) ¾*¾* S *

30 k R Robust Fuzzy Extractor? w P = ( S, ¾ ) R Ext SS i S Gen(): Rep( w, P ): w w w w Rec Ext i CRS: Extractor seed i MAC k ¾ S Ver yes, no §(G)§(G) Can think of MAC key k as stored on a device § ( G ). Cant encode k using an AMD code. Need a new MAC primitive. S * w*w* ¾*¾* w*w*

31 MAC with Key Manipulation Security (KMS-MAC) A (one-time) MAC that is secure even if the key used for verification is stored on § ( G ). Given ¾ = MAC k ( s ) cant come up with ¢ and ¾ = MAC k + ¢ ( s). Systematic AMD code ) KMS-MAC: Systematic AMD code ) KMS-MAC: – E ( s ) = ( s, k, h ( s, k )) –MAC ( k 1, k 2 ) ( s ) = h ( s, k 1 )+ k 2

32 k R Robust Fuzzy Extractor? w R Ext SS i S Gen(): Rep( w, P ): w w w w Rec Ext i CRS: Extractor seed i MAC k ¾ S Ver yes, no §(G)§(G) S * w*w* ¾*¾* w*w* Use a KMS-MAC! P * = ( S *, ¾ *)

33 Parameters Because our KMS-MAC has short keys, we loose very little randomness to achieve robustness! Because our KMS-MAC has short keys, we loose very little randomness to achieve robustness! In the CRS model, robustness comes essentially for FREE. In the CRS model, robustness comes essentially for FREE. – At least for linear fuzzy extractors

34 Review Devices § ( G ) appear naturally in crypto applications. Devices § ( G ) appear naturally in crypto applications. –Linear Secret Sharing. –Fuzzy Extractors in CRS model. Use AMD codes or KMS-MACs to get robustness. Use AMD codes or KMS-MACs to get robustness.

35 THANK YOU! Questions?

Download ppt "Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Invertible Zero-Error Dispersers and Defective Memory with Stuck-At Errors Ariel Gabizon Ronen Shaltiel.

Invertible Zero-Error Dispersers and Defective Memory with Stuck-At Errors Ariel Gabizon Ronen Shaltiel.
PROOFS OF RETRIEVABILITY VIA HARDNESS AMPLIFICATION Yevgeniy Dodis, Salil Vadhan and Daniel Wichs.

PROOFS OF RETRIEVABILITY VIA HARDNESS AMPLIFICATION Yevgeniy Dodis, Salil Vadhan and Daniel Wichs.
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.

Efficient Non-Malleable Codes and Key-derivations against Poly-size Tampering Circuits PRATYAY MUKHERJEE (Aarhus University) Joint work with Sebastian.
PRATYAY MUKHERJEE Aarhus University Joint work with

PRATYAY MUKHERJEE Aarhus University Joint work with
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.

Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.
Strong Key Derivation from Biometrics

Strong Key Derivation from Biometrics
Fuzzy Stuff 6.857 Lecture 24, 2006. Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.

Fuzzy Stuff Lecture 24, Outline Motivation: Biometric Architectures Motivation: Biometric Architectures New Tool (for us): Error Correcting.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment.

Cynthia Kuo, Mark Luk, Rohit Negi, Adrian Perrig Carnegie Mellon University Message-In-a-Bottle: User-Friendly and Secure Cryptographic Key Deployment.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

Similar presentations

Ads by Google