
Slide 1: Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Moni Naor, Gil Segev, Adam Smith
Weizmann Institute of Science, Israel

Slide 2: Pairing of Wireless Devices
Scenario: you buy a new wireless camera and want to establish a secure channel with it for the first time, e.g. by Diffie-Hellman key agreement (exchange of $g^x$ and $g^y$).

Slide 3: Pairing of Wireless Devices
Cable pairing: simple, cheap, and an authenticated channel. ("I thought this is a wireless camera...")

Slides 4-5: Pairing of Wireless Devices
Wireless pairing. Problem: active adversaries ("man-in-the-middle"). Alice sends $g^x$ and Bob sends $g^y$, but Eve replaces them with her own $g^a$ and $g^b$, ending up with a key shared with each side.

Slide 6: Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary: Alice sends $m$, Eve sits in the middle, and Bob receives $\hat{m}$.

Slide 7: Pairing of Wireless Devices
Viewed as message authentication: the two sides hold different transcripts, $m = g^x \,\|\, g^a$ and $\hat{m} = g^b \,\|\, g^y$, because Eve substituted her own $g^a$ and $g^b$. The task is to detect that $m \neq \hat{m}$.

Slide 8: Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary. Without additional setup: impossible! Public key: signatures; problem: no trusted PKI. This paper: the manual channel.

Slide 9: The Manual Channel
The devices exchange $g^x, g^y$ (and Eve's $g^a, g^b$) over the wireless link; each device also displays a short string (141 in the picture), and the user can compare two short strings.

Slides 10-11: Manual Channel Model
Insecure communication channel, plus a low-bandwidth auxiliary channel that enables Alice to "manually" authenticate one short string $s$ (Alice sends $m$ over the insecure channel and $s$ over the manual channel).
Adversarial power: chooses the input message $m$; insecure channel: full control; manual channel: read and delay only (controls delivery timing).
Goal: minimize the length of the manually authenticated string $s$.

Slide 12: Manual Channel Model
No trusted infrastructure, such as a public key infrastructure, a shared secret key, or a common reference string. Suitable for ad hoc networks: pairing of wireless devices (Wireless USB, Bluetooth), secure phones (AT&T, PGP, Zfone), and many more.

Slide 13: The Manual Channel
So how many bits can we manually authenticate? 20? 40? 160? Constants do matter!

Slides 14-15: Previous Work ($\varepsilon$ = forgery probability)
[Vaudenay '05]: formal model; computationally secure protocol for arbitrarily long messages with $\log(1/\varepsilon)$ manually authenticated bits. Optimal!
[LAN '05, DDN '00]: can be based on any one-way function (non-malleable commitments). Efficient implementations rely on a random oracle or assume a common reference string [DIO '98, DKOS '01].
[Rivest & Shamir '84]: the "Interlock" protocol: mutual authentication of public keys, no trusted infrastructure; used in AT&T, PGP, ..., Zfone.
Computational assumptions! Are those really necessary?

Slide 16: Our Results - Tight Bounds
Setting: $n$-bit message $m$, $\ell$-bit manually authenticated string $s$, forgery probability $\varepsilon$.
Upper bound: a $\log^* n$-round protocol in which $\ell = 2\log(1/\varepsilon) + O(1)$, with no setup or computational assumptions. Only twice as many bits as [V05].
Matching lower bound: for $n \ge 2\log(1/\varepsilon)$, $\ell \ge 2\log(1/\varepsilon) - 2$.
One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting.

Slide 17: Unconditional Security
Some advantages over computational security: security against unbounded adversaries; exact evaluation of error probabilities; protocols are often easier to compose and more efficient; key agreement protocols.

Slide 18: Our Results - Tight Bounds (diagram, along the $\ell$ axis)
$\ell < \log(1/\varepsilon)$: impossible.
$\ell = \log(1/\varepsilon)$: computational security, which requires one-way functions.
$\ell = 2\log(1/\varepsilon)$: unconditional security.

Slides 19-20: Our Protocol (simplified)
Preliminaries: for $m = m_1 \ldots m_k \in \mathrm{GF}[Q]^k$ and $x \in \mathrm{GF}[Q]$, let $m(x) = \sum_{i=1}^{k} m_i x^i$. Then, for any $m \neq \hat{m}$ and any $c, \hat{c} \in \mathrm{GF}[Q]$,
$$\Pr_{x \in_R \mathrm{GF}[Q]}\left[\, m(x) + c = \hat{m}(x) + \hat{c} \,\right] \le k/Q .$$
Based on the [GN93] hashing technique. In each round the parties cooperatively choose a hash function and reduce to authenticating a shorter message; finally a short message is manually authenticated.
We hash $m$ to $x \,\|\, m(x) + c$: one party chooses $x$, the other party chooses $c$.

Slide 21: Our Protocol (simplified)
Alice holds $m$. Alice chooses $a_1 \in_R \mathrm{GF}[Q_1]$, $a_2 \in_R \mathrm{GF}[Q_2]$; Bob chooses $b_1 \in_R \mathrm{GF}[Q_1]$, $b_2 \in_R \mathrm{GF}[Q_2]$. Over the insecure channel the parties exchange $m$, $a_1$, $b_1$ and $b_2$. Both parties set (each from the values it sent and received)
$$m_1 = b_1 \,\|\, m(b_1) + a_1, \qquad m_2 = a_2 \,\|\, m_1(a_2) + b_2 .$$
$m_2$ (two $\mathrm{GF}[Q_2]$ elements) is sent over the manual channel; Bob accepts iff $m_2$ is consistent with his own values.
Parameters: $Q_1 \approx n/\varepsilon$, $Q_2 \approx \log(n)/\varepsilon$, giving $2\log(1/\varepsilon) + 2\log\log(n) + O(1)$ manually authenticated bits. With $k$ rounds the $2\log\log(n)$ term is reduced to $2\log^{(k-1)}(n)$.
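The following is an added example, not code from the slides or from the authors: a toy implementation of the simplified two-round protocol above over prime fields, with the hashing lemma of the preliminaries checked exhaustively and the forgery probability of an adaptive man-in-the-middle estimated by simulation. Everything the slide does not state is an assumption made here: GF[Q] is taken as the integers mod a prime; the parameters Q1 = 16381, Q2 = 251 and the 64-bit message are toy values; and the flow order (m, a_1) then (b_1, b_2) then the manual m_2 was chosen so that in each round the additive term c is fixed before the evaluation point x is drawn, which is exactly the condition under which the k/Q lemma applies.

```python
"""Added example (not from the slides): toy two-round manual-channel protocol over
prime fields, the k/Q hashing lemma checked exhaustively, and a Monte Carlo estimate
of an adaptive man-in-the-middle's forgery rate.  Field, parameters and flow order are
assumptions, see the lead-in."""
import random
from typing import Callable, List, Optional, Tuple

N_BITS = 64
Q1 = 16381   # prime, about 2^14: toy stand-in for Q1 ~ n/eps   (assumed)
Q2 = 251     # prime, about 2^8:  toy stand-in for Q2 ~ log(n)/eps (assumed)


def digits_needed(bound: int, q: int) -> int:
    """Smallest k with q**k >= bound: base-q digits needed for values below bound."""
    k = 1
    while q ** k < bound:
        k += 1
    return k


K1 = digits_needed(2 ** N_BITS, Q1)   # k = 5 GF[Q1] elements for a 64-bit m
K2 = digits_needed(Q1 * Q1, Q2)       # 4 GF[Q2] elements for m_1 (two GF[Q1] elements)


def to_digits(value: int, q: int, k: int) -> List[int]:
    """m = m_1 ... m_k in GF[q]^k: the base-q digits of value, least significant first."""
    out = []
    for _ in range(k):
        out.append(value % q)
        value //= q
    if value:
        raise ValueError("value does not fit in k base-q digits")
    return out


def poly_hash(m: List[int], x: int, q: int) -> int:
    """m(x) = sum_{i=1..k} m_i x^i over GF[q], by Horner's rule (no constant term)."""
    acc = 0
    for coeff in reversed(m):
        acc = (acc + coeff) * x % q
    return acc


def collision_fraction(m: List[int], m_hat: List[int], c: int, c_hat: int, q: int) -> float:
    """Exhaustive Pr_x[m(x)+c = m_hat(x)+c_hat]; the lemma bounds this by k/q."""
    hits = sum((poly_hash(m, x, q) + c) % q == (poly_hash(m_hat, x, q) + c_hat) % q
               for x in range(q))
    return hits / q


def round1_hash(m_int: int, b1: int, a1: int) -> int:
    """m_1 = b_1 || m(b_1) + a_1, packed as the integer b_1*Q1 + (m(b_1)+a_1 mod Q1)."""
    return b1 * Q1 + (poly_hash(to_digits(m_int, Q1, K1), b1, Q1) + a1) % Q1


def round2_tag(m1_int: int, a2: int, b2: int) -> int:
    """Second half of m_2 = a_2 || m_1(a_2) + b_2, with m_1 re-read as GF[Q2] elements."""
    return (poly_hash(to_digits(m1_int, Q2, K2), a2, Q2) + b2) % Q2


# An adversary is a hook that sees each insecure-channel flow and decides what is delivered.
Adversary = Callable[[str, tuple], tuple]


def honest_channel(_flow: str, values: tuple) -> tuple:
    return values


def run_protocol(m: int, adversary: Adversary, rng: Optional[random.Random] = None) -> Tuple[bool, int]:
    """One run; returns (Bob accepts?, message Bob holds).  Flow order is the assumed one."""
    if rng is None:
        rng = random.SystemRandom()
    a1, a2 = rng.randrange(Q1), rng.randrange(Q2)          # Alice's randomness
    b1, b2 = rng.randrange(Q1), rng.randrange(Q2)          # Bob's randomness
    m_hat, a1_hat = adversary("alice->bob", (m, a1))       # Eve fully controls this flow
    m1_bob = round1_hash(m_hat, b1, a1_hat)                # Bob's m_1 uses his own b_1
    b1_hat, b2_hat = adversary("bob->alice", (b1, b2))
    m1_alice = round1_hash(m, b1_hat, a1)                  # Alice's m_1 uses the received b_1
    manual = (a2, round2_tag(m1_alice, a2, b2_hat))        # m_2 on the manual channel: Eve can only read it
    accepts = manual[1] == round2_tag(m1_bob, manual[0], b2)   # "accept iff m_2 is consistent"
    return accepts, m_hat


def make_forger(m_forged: int) -> Adversary:
    """Adaptive MITM: substitute m_forged, forward a_1 and b_1 unchanged (no fixed choice
    does better, by the lemma), then shift b_2 by the value that (m1_bob - m1_alice)(a_2)
    takes for the largest number of a_2 (at most K2 of them unless m1_bob == m1_alice)."""
    seen = {}

    def hook(flow: str, values: tuple) -> tuple:
        if flow == "alice->bob":
            seen["m"], seen["a1"] = values
            return (m_forged, seen["a1"])
        b1, b2 = values
        da = to_digits(round1_hash(seen["m"], b1, seen["a1"]), Q2, K2)
        db = to_digits(round1_hash(m_forged, b1, seen["a1"]), Q2, K2)
        diffs = [(poly_hash(db, x, Q2) - poly_hash(da, x, Q2)) % Q2 for x in range(Q2)]
        d = max(set(diffs), key=diffs.count)
        # Bob accepts iff m1_alice(a2) + b2_hat == m1_bob(a2) + b2, i.e. b2_hat - b2 == diffs[a2]
        return (b1, (b2 + d) % Q2)

    return hook


def forgery_rate(trials: int, seed: Optional[int] = None) -> float:
    """Fraction of runs in which Bob accepts a message Alice never sent."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    wins = 0
    for _ in range(trials):
        m = rng.getrandbits(N_BITS)
        m_forged = m ^ (1 << rng.randrange(N_BITS))       # any message != m
        accepted, held = run_protocol(m, make_forger(m_forged), rng)
        wins += accepted and held != m
    return wins / trials


BOUND = K1 / Q1 + K2 / Q2   # union bound over the two rounds, about 0.016

if __name__ == "__main__":
    print("manually authenticated bits:", 2 * Q2.bit_length())
    print("forgery bound k/Q1 + k'/Q2 = %.4f, observed = %.4f" % (BOUND, forgery_rate(2000)))
```

The observed rate sits below K1/Q1 + K2/Q2, the union bound over the two hashing rounds, and the forger's best move in round 2 (cancelling the most frequent value of the difference polynomial) is what makes the K2/Q2 term essentially tight. Reordering the flows so that a_1 is sent after b_1 would let the forger set a1_hat = a1 + m(b1) - m_forged(b1) and win every time, which is why the c-before-x order is the assumption that matters.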

Slides 22-24: Lower Bound - Intuition
Consider a protocol in which Alice sends $m, x_1$ over the insecure channel, Bob replies with $x_2$, and Alice sends $s$ over the manual channel, with $m \in_R \{0,1\}^n$. Then $M, X_1, X_2, S$ are well-defined random variables.
Goal: $H(S) \ge 2\log(1/\varepsilon)$.
Evolving intuition: the parties must use at least $\log(1/\varepsilon)$ random bits; each party must independently reduce $H(S)$ by $\log(1/\varepsilon)$ bits; so each party must use at least $\log(1/\varepsilon)$ random bits.
Write the entropy of $s$ as a telescoping sum:
$$H(S) = \big[H(S) - H(S \mid M, X_1)\big] + \big[H(S \mid M, X_1) - H(S \mid M, X_1, X_2)\big] + H(S \mid M, X_1, X_2),$$
where the first bracket is Alice's randomness and the second bracket is Bob's randomness. The two claims are
$$H(S) - H(S \mid M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon), \qquad H(S \mid M, X_1) - H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon),$$
and adding them gives $H(S) \ge 2\log(1/\varepsilon)$.

Slide 25: Summary
Manual channel: computational assumptions are not necessary. A protocol with a matching lower bound; a sharp threshold between unconditional and computational security: $\ell < \log(1/\varepsilon)$ is impossible, $\ell = \log(1/\varepsilon)$ is achievable computationally (one-way functions), and $\ell = 2\log(1/\varepsilon)$ is achievable unconditionally.

Slide 26: Thank you!
Research supported by Adi Shamir's Turing Award fund and the Israel Science Foundation. Trip to CRYPTO supported by

Slide 27: Backup

Slide 28: Shared Secret Key
Known upper bound [GN93]: interactive protocol with $\ell = 2\log(1/\varepsilon) + O(1)$.
Known lower bound (only non-interactive): $\ell \ge 2\log(1/\varepsilon)$ [GMS74, S84, S85, S88, M00].
Our results: lower bound (interactive!) $\ell \ge 2\log(1/\varepsilon)$, even when authenticating one bit. Again, one-way functions are necessary for breaking the lower bound in the computational setting.
