Download presentation

Presentation is loading. Please wait.

Published byLitzy Atkeson Modified about 1 year ago

1
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual Channels

2
2 Pairing of Wireless Devices Scenario: Buy a new wireless camera Want to establish a secure channel for the first time E.g., Diffie-Hellman key agreement gxgx gygy

3
3 “I thought this is a wireless camera…” Simple Cheap Authenticated channel DevicesPairing of Wireless Cable pairing

4
4 Pairing of Wireless Devices Problem: Active adversaries (“man-in-the-middle”) Wireless pairing

5
5 Pairing of Wireless Devices Wireless pairing gxgx gygy gaga gbgb Problem: Active adversaries (“man-in-the-middle”)

6
6 Message Authentication Assure the receiver of a message that it has not been changed by an active adversary AliceBobEve m m ^

7
7 Pairing of Wireless Devices gxgx gygy gaga gbgb m = g x || g a m = g b || g y ^

8
8 Message Authentication Assure the receiver of a message that it has not been changed by an active adversary Without additional setup: Impossible !! Public Key: Signatures Problem: No trusted PKI This Paper: Manual Channel AliceBobEve m m ^

9
9 The Manual Channel gxgx gygy gaga gbgb 141 User can compare two short strings

10
10 Manual Channel Model Insecure communication channel Low-bandwidth auxiliary channel: Enables Alice to “manually” authenticate one short string s AliceBob s... s s Adversarial power: Choose the input message m Insecure channel: Full control Manual channel: Read, delay Delivery timing m

11
11 Manual Channel Model Insecure communication channel Low-bandwidth auxiliary channel: Enables Alice to “manually” authenticate one short string s AliceBob s s Goal: Minimize the length of the manually authenticated string m... s

12
12 Manual Channel Model AliceBob s s No trusted infrastructure, such as: Public key infrastructure Shared secret key Common reference string Suitable for ad hoc networks: Pairing of wireless devices Wireless USB, Bluetooth Secure phones AT&T, PGP, Zfone Many more m s

13
13 The Manual Channel 141 So how many bits can we manually authenticate? 20 ? 40 ? 160 ????? Constants do matter!

14
14 Forgery probabilit y Previous Work [Vaudenay `05]: Formal model Computationally secure protocol for arbitrary long messages log(1/ ) manually authenticated bits [LAN `05, DDN `00]: Can be based on any one-way function (non-malleable commitments) Efficient implementations: Rely on a random oracle Assume a common reference string [DIO `98, DKOS `01] or [Rivest & Shamir `84]: The “Interlock” protocol Mutual authentication of public keys No trusted infrastructure AT&T, PGP,…, Zfone Optimal !

15
15 Forgery probabilit y Previous Work [Vaudenay `05]: Formal model Computationally secure protocol for arbitrary long messages log(1/ ) manually authenticated bits [LAN `05, DDN `00]: Can be based on any one-way function (non-malleable commitments) Efficient implementations: Rely on a random oracle Assume a common reference string [DIO `98, DKOS `01] or [Rivest & Shamir `84]: The “Interlock” protocol Mutual authentication of public keys No trusted infrastructure AT&T, PGP,…, Zfone Optimal ! Computational Assumptions !! Are those really necessary?

16
16... m s Our Results - Tight Bounds n -bit ℓ -bit forgery probability Upper bound: Constructed log*n -round protocol in which ℓ = 2log(1/ ) + O(1) No setup or computational assumptions Matching lower bound: n 2log(1/ ) ℓ 2log(1/ ) - 2 One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting Only twice as many as [V05]

17
17 Some advantages over computational security: Security against unbounded adversaries Exact evaluation of error probabilities Protocols are often easier to compose more efficient Key agreement protocols Unconditional Security

18
18 ℓ ℓ = 2log(1/ )ℓ = log(1/ ) Unconditional security Computational security Impossible One-way functions Our Results - Tight Bounds log(1/ )

19
19 Preliminaries: For m = m 1... m k GF[Q] k and x GF[Q], let m(x) = m i x i i = 1 k Then, for any m ≠ m and for any c, c GF[Q], ^ ^ Prob x R GF[Q] [ m(x) + c = m(x) + c ] k/Q ^ ^ Based on the [GN93] hashing technique In each round, the parties: Cooperatively choose a hash function Reduce to authenticating a shorter message A short message is manually authenticated Our Protocol (simplified)

20
20 We hash m to x || m(x) + c One party chooses x Other party chooses c Preliminaries: For m = m 1... m k GF[Q] k and x GF[Q], let m(x) = m i x i i = 1 k Then, for any m ≠ m and for any c, c GF[Q], ^ ^ Prob x R GF[Q] [ m(x) + c = m(x) + c ] k/Q ^ ^ Our Protocol (simplified)

21
21 AliceBob m b1b1 a 1 R GF[Q 1 ] a 2 R GF[Q 2 ] b 1 R GF[Q 1 ] b 2 R GF[Q 2 ] Accept iff m 2 is consistent m 1 = b 1 || m(b 1 ) + a 1 m 2 = a 2 || m 1 (a 2 ) + b 2 Both parties set: a1a1 m2m2 Q 1 n/ , Q 2 log(n)/ 2log(1/ ) + 2loglog(n) + O(1) manually authenticated bits Two GF[Q 2 ] elements k rounds 2loglog(n) is reduced to 2log (k-1) (n) b2b2 Our Protocol (simplified)

22
22 Lower Bound - Intuition AliceBob x2x2 s m, x 1 m R {0,1} n M, X 1, X 2, S are well defined random variables

23
23 Goal: H(S) 2log(1/ ) AliceBob X2X2 S M, X 1 Evolving intuition: The parties must use at least log(1/ ) random bits H(S) = H(S) - H(S | M, X 1 ) + H(S | M, X 1 ) - H(S | M, X 1, X 2 ) + H(S | M, X 1, X 2 ) Each party must independently reduce H(S) by log(1/ ) bits Each party must use at least log(1/ ) random bits Alice’s randomnes s Bob’s randomnes s Lower Bound - Intuition

24
24 Goal: H(S) 2log(1/ ) AliceBob X2X2 S M, X 1 H(S) = H(S) - H(S | M, X 1 ) + H(S | M, X 1 ) - H(S | M, X 1, X 2 ) + H(S | M, X 1, X 2 ) Alice’s randomnes s Bob’s randomnes s Lower Bound - Intuition H(S) - H(S | M, X 1 ) + H(S | M, X 1, X 2 ) log(1/ ) H(S | M, X 1 ) - H(S | M, X 1, X 2 ) log(1/ )

25
25 Summary Manual Channel Computational assumptions are not necessary Protocol Matching lower bound Sharp threshold between unconditional and computational ℓ ℓ = 2log(1/ ) ℓ = log(1/ ) Unconditional security Computational security Impossible One-way functions log(1/ )

26
Thank you ! Research supported by Adi Shamir’s Turing Award fund Israel Science Foundation Trip to CRYPTO supported by

27
Backup

28
28 Shared Secret Key Known upper bound: [GN93] Interactive protocol with ℓ = 2log(1/ ) + O(1) Lower bound (interactive!): ℓ 2log(1/ ) Even when authenticating one bit Again, one-way functions are necessary for breaking the lower bound in the computational setting Known lower bound (only non-interactive): ℓ 2log(1/ ) [GMS74, S84, S85, S88, M00] Our results:

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google