Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Similar presentations


Presentation on theme: "Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual."— Presentation transcript:

1 Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual Channels

2 2 Pairing of Wireless Devices Scenario: Buy a new wireless camera Want to establish a secure channel for the first time E.g., Diffie-Hellman key agreement gxgx gygy

3 3 “I thought this is a wireless camera…” Simple Cheap Authenticated channel DevicesPairing of Wireless Cable pairing

4 4 Pairing of Wireless Devices Problem: Active adversaries (“man-in-the-middle”) Wireless pairing

5 5 Pairing of Wireless Devices Wireless pairing gxgx gygy gaga gbgb Problem: Active adversaries (“man-in-the-middle”)

6 6 Message Authentication Assure the receiver of a message that it has not been changed by an active adversary AliceBobEve m m ^

7 7 Pairing of Wireless Devices gxgx gygy gaga gbgb m = g x || g a m = g b || g y ^

8 8 Message Authentication Assure the receiver of a message that it has not been changed by an active adversary Without additional setup: Impossible !! Public Key: Signatures Problem: No trusted PKI This Paper: Manual Channel AliceBobEve m m ^

9 9 The Manual Channel gxgx gygy gaga gbgb 141 User can compare two short strings

10 10 Manual Channel Model Insecure communication channel Low-bandwidth auxiliary channel: Enables Alice to “manually” authenticate one short string s AliceBob s... s s Adversarial power: Choose the input message m Insecure channel: Full control Manual channel: Read, delay Delivery timing m

11 11 Manual Channel Model Insecure communication channel Low-bandwidth auxiliary channel: Enables Alice to “manually” authenticate one short string s AliceBob s s Goal: Minimize the length of the manually authenticated string m... s

12 12 Manual Channel Model AliceBob s s No trusted infrastructure, such as: Public key infrastructure Shared secret key Common reference string Suitable for ad hoc networks: Pairing of wireless devices Wireless USB, Bluetooth Secure phones AT&T, PGP, Zfone Many more m s

13 13 The Manual Channel 141 So how many bits can we manually authenticate? 20 ? 40 ? 160 ????? Constants do matter!

14 14 Forgery probabilit y Previous Work [Vaudenay `05]: Formal model Computationally secure protocol for arbitrary long messages log(1/  ) manually authenticated bits [LAN `05, DDN `00]: Can be based on any one-way function (non-malleable commitments) Efficient implementations: Rely on a random oracle Assume a common reference string [DIO `98, DKOS `01] or [Rivest & Shamir `84]: The “Interlock” protocol Mutual authentication of public keys No trusted infrastructure AT&T, PGP,…, Zfone Optimal !

15 15 Forgery probabilit y Previous Work [Vaudenay `05]: Formal model Computationally secure protocol for arbitrary long messages log(1/  ) manually authenticated bits [LAN `05, DDN `00]: Can be based on any one-way function (non-malleable commitments) Efficient implementations: Rely on a random oracle Assume a common reference string [DIO `98, DKOS `01] or [Rivest & Shamir `84]: The “Interlock” protocol Mutual authentication of public keys No trusted infrastructure AT&T, PGP,…, Zfone Optimal ! Computational Assumptions !! Are those really necessary?

16 16... m s Our Results - Tight Bounds n -bit ℓ -bit  forgery probability Upper bound: Constructed log*n -round protocol in which ℓ = 2log(1/  ) + O(1) No setup or computational assumptions Matching lower bound: n  2log(1/  )  ℓ  2log(1/  ) - 2 One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting Only twice as many as [V05]

17 17 Some advantages over computational security: Security against unbounded adversaries Exact evaluation of error probabilities Protocols are often easier to compose more efficient Key agreement protocols Unconditional Security

18 18 ℓ ℓ = 2log(1/  )ℓ = log(1/  ) Unconditional security Computational security Impossible One-way functions Our Results - Tight Bounds log(1/  )

19 19 Preliminaries: For m = m 1... m k  GF[Q] k and x  GF[Q], let m(x) = m i x i  i = 1 k Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ Prob x  R GF[Q] [ m(x) + c = m(x) + c ]  k/Q ^ ^ Based on the [GN93] hashing technique In each round, the parties: Cooperatively choose a hash function Reduce to authenticating a shorter message A short message is manually authenticated Our Protocol (simplified)

20 20 We hash m to x || m(x) + c One party chooses x Other party chooses c Preliminaries: For m = m 1... m k  GF[Q] k and x  GF[Q], let m(x) = m i x i  i = 1 k Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ Prob x  R GF[Q] [ m(x) + c = m(x) + c ]  k/Q ^ ^ Our Protocol (simplified)

21 21 AliceBob m b1b1 a 1  R GF[Q 1 ] a 2  R GF[Q 2 ] b 1  R GF[Q 1 ] b 2  R GF[Q 2 ] Accept iff m 2 is consistent m 1 = b 1 || m(b 1 ) + a 1 m 2 = a 2 || m 1 (a 2 ) + b 2 Both parties set: a1a1 m2m2 Q 1  n/ , Q 2  log(n)/  2log(1/  ) + 2loglog(n) + O(1) manually authenticated bits Two GF[Q 2 ] elements k rounds  2loglog(n) is reduced to 2log (k-1) (n) b2b2 Our Protocol (simplified)

22 22 Lower Bound - Intuition AliceBob x2x2 s m, x 1 m  R {0,1} n  M, X 1, X 2, S are well defined random variables

23 23 Goal: H(S)  2log(1/  ) AliceBob X2X2 S M, X 1 Evolving intuition: The parties must use at least log(1/  ) random bits H(S) = H(S) - H(S | M, X 1 ) + H(S | M, X 1 ) - H(S | M, X 1, X 2 ) + H(S | M, X 1, X 2 ) Each party must independently reduce H(S) by log(1/  ) bits Each party must use at least log(1/  ) random bits Alice’s randomnes s Bob’s randomnes s Lower Bound - Intuition

24 24 Goal: H(S)  2log(1/  ) AliceBob X2X2 S M, X 1 H(S) = H(S) - H(S | M, X 1 ) + H(S | M, X 1 ) - H(S | M, X 1, X 2 ) + H(S | M, X 1, X 2 ) Alice’s randomnes s Bob’s randomnes s Lower Bound - Intuition H(S) - H(S | M, X 1 ) + H(S | M, X 1, X 2 )  log(1/  ) H(S | M, X 1 ) - H(S | M, X 1, X 2 )  log(1/  )

25 25 Summary Manual Channel Computational assumptions are not necessary Protocol Matching lower bound Sharp threshold between unconditional and computational ℓ ℓ = 2log(1/  ) ℓ = log(1/  ) Unconditional security Computational security Impossible One-way functions log(1/  )

26 Thank you ! Research supported by Adi Shamir’s Turing Award fund Israel Science Foundation Trip to CRYPTO supported by

27 Backup

28 28 Shared Secret Key Known upper bound: [GN93] Interactive protocol with ℓ = 2log(1/  ) + O(1) Lower bound (interactive!): ℓ  2log(1/  ) Even when authenticating one bit Again, one-way functions are necessary for breaking the lower bound in the computational setting Known lower bound (only non-interactive): ℓ  2log(1/  ) [GMS74, S84, S85, S88, M00] Our results:


Download ppt "Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual."

Similar presentations


Ads by Google