
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.


1 NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009

2 Symmetric-Key Cryptography
- Alice and Bob share a secret W and want to communicate securely over a public channel.
  - Privacy: Eve does not learn anything about the message.
  - Authenticity: Eve cannot modify or insert messages.
- This is a well-studied problem with many solutions:
  - Information-theoretic security (going back to Shannon in 1949).
  - Computational security (formally studied since the 1970s), e.g. One-Way Functions, Block Ciphers (AES).
[Diagram: Alice and Bob each hold W and exchange a message over a channel watched by Eve; a modified message’ is rejected as not valid.]

3 Symmetric-Key Cryptography with Imperfect Keys
- Standard symmetric-key primitives require that Alice and Bob share a uniformly random secret W.
  - This may not be necessary; it is always better to require less.
  - This may not be the case in practice:
    - Human-memorable passwords, biometrics, …
    - Physical devices leak “side-channel” information about keys.
- Question: Can we base symmetric-key cryptography on weakly random (non-uniform) shared secrets?

4 General View of Weak Secrets
- Model shared secrets as a random variable W. The distribution is arbitrary, but “sufficiently hard to guess”.
- Formally, require that the min-entropy of W is at least k: max_i Pr[W = i] ≤ 2^{-k}.
- Goal: Base symmetric-key cryptography on weak secrets.
- Authenticated Key Agreement:
  - Alice and Bob start out with a shared weak secret W and execute a protocol to agree on a uniformly random key R.
  - Secure even if Eve observes/modifies the protocol execution.
- This talk: An information-theoretic solution.

5 Randomness Extractors (Solution for passive Eve)
- Randomness Extractor:
  - Input: a weak secret W and a uniformly random seed X.
  - Output: extracted randomness R = Ext(W;X).
- R looks (almost) uniformly random, even given the seed X. Size |R| ≈ entropy of W.
[Diagram: Alice and Bob each hold W; a seed X is chosen and sent over the channel observed by Eve; both compute R = Ext(W;X).]

6 What if Eve is active?
- Eve can modify the seed X to some other value X’ and cause Bob to recover an incorrect key R’ = Ext(W;X’).
- Eve may even fully know R’!
- Bad if Bob encrypts a message to Alice using R’.
[Diagram: Alice and Bob each hold W; the seed X is chosen and R = Ext(W;X) computed on one side; Eve replaces X with X’ on the channel, so the other side computes R’ = Ext(W;X’).]

7 Prior Work on Authenticated Key Agreement
Let k = entropy of W, n = length of W.
- One-round solutions for k > n/2 [MW97, DKRS06, KR08].
  - Extracted key is short: k - n/2 bits. Communication is n - k bits.
- Multi-round solutions for arbitrary k [RW03, KR09].
  - Number of rounds is proportional to the security parameter and not constant. In practice, would require 100s of rounds.
- This paper:
  - Impossibility of one-round solutions when k ≤ n/2.
  - Construction of a two-round solution for arbitrary k.

8 Two-Round Authenticated Key Agreement
- Main part of the construction: a two-round message authentication protocol.
  - Alice and Bob share a weak secret W.
  - Alice wants to authenticate a message m to Bob.
- Relatively easy to build Authenticated Key Agreement from a Message Authentication Protocol.
  - Alice authenticates a random extractor seed X to Bob.
  - Was also done in [RW03], but with a message authentication protocol which required many rounds.
- Our construction relies on (variants of) two tools:
  - Extractors
  - I.T. Message Authentication Codes (MACs)

9 I.T. Message Authentication Codes (MACs)
- Use a uniform key R to compute a tag σ = MAC_R(m) for message m.
- Security: For any m, an adversary who gets σ = MAC_R(m) cannot forge σ’ = MAC_R(m’) for m’ ≠ m.
- Known constructions with excellent parameters.
[Diagram: Alice and Bob share R; Alice has message m, computes σ = MAC_R(m) and sends (m, σ) over the channel controlled by Eve; Bob checks σ = MAC_R(m)?]

10 Challenge-Response Authentication: Protocol Template
- Idea: If Eve is passive in round 1, then Alice shares a “good” key with Bob and can authenticate a message in round 2.
- Problem: What if Eve modifies X?
[Diagram: Alice and Bob share W; Alice has message m. Round 1: the seed X is sent and both compute R = Ext(W;X). Round 2: Alice sends (m, σ) with σ = MAC_R(m); Bob checks σ = MAC_R(m)?]

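11 Challenge-Response Authentication: Protocol Template
[Diagram: Alice and Bob share W; Alice has message m. Eve changes the seed X to X’ in transit, so one side computes R = Ext(W;X) and the other R’ = Ext(W;X’).]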

12 Challenge-Response Authentication: Protocol Template
- Not a problem if Eve knows R’.
[Diagram: Eve changes the seed X to X’; R = Ext(W;X) and R’ = Ext(W;X’); Alice sends (m, σ) with σ = MAC_R’(m).]

13 Challenge-Response Authentication: Protocol Template
- Problem: R and R’ may be related!
- After Eve sees σ = MAC_R’(m), she may be able to forge σ’ = MAC_R(m’).
[Diagram: Eve changes the seed X to X’; R = Ext(W;X) and R’ = Ext(W;X’); Alice sends (m, σ) with σ = MAC_R’(m); Eve replaces it with (m’, σ’); Bob checks σ’ = MAC_R(m’)?]

14 Challenge-Response Authentication: Instantiating the Template
- Goal: Construct special extractors and MACs for which the protocol is secure.
  - Build a special non-malleable extractor Ext so that R = Ext(W;X) and R’ = Ext(W;X’) are related in only a limited way.
  - Build a special MAC which is resistant to the limited types of related-key attacks that are allowed by the extractor. Seeing MAC_R’(m) does not allow the adversary to forge MAC_R(m’).
- Two approaches:
  - Approach 1: A very strong non-malleability property for Ext + standard MAC. (Non-Constructive)
  - Approach 2: A weaker non-malleability property for Ext + special MAC. (Constructive)

15 Approach 1: Fully Non-Malleable Extractors
- The adversary sees a random seed X and produces an arbitrarily related seed X’ ≠ X. Let R = nmExt(W;X), R’ = nmExt(W;X’).
- Non-malleable extractor: R looks uniformly random, even given X, X’, R’.
- Extremely strong property. No existing constructions achieve it. Natural constructions are susceptible to many possible malleability attacks.
- Surprising result: Non-malleable extractors exist.
  - Can extract almost ½ of the entropy of W (optimal).
  - Follows from a probabilistic method argument and does not give us an efficient candidate.

16 Approach 1: Fully Non-Malleable Extractors
- If Eve does not modify X, then Alice and Bob share a uniformly random key R’ = R.
  - Standard MAC security suffices.
- If Eve modifies X, then Bob’s key R is random and independent of Alice’s R’.
  - MAC_R’(m) does not reveal anything about R.
[Diagram: Alice and Bob share W; Alice has message m. Eve changes the seed X to X’; R = nmExt(W;X), R’ = nmExt(W;X’); Alice sends (m, σ) with σ = MAC_R’(m); Eve replaces it with (m’, σ’); Bob checks σ’ = MAC_R(m’)?]

17 Approach 2: “Look-Ahead” Extractors
- Much weaker non-malleability property. The extracted randomness consists of t blocks:
    laExt(W;X) = [R_1, R_2, R_3, R_4, R_5, …, R_t]
    laExt(W;X’) = [R’_1, R’_2, R’_3, R’_4, R’_5, …, R’_t]
- The adversary sees a random seed X and modifies it to X’. Require: any suffix of laExt(W;X) looks random given a prefix of laExt(W;X’).
- Cannot use the modified sequence to “look ahead” into the original sequence.

18 Approach 2: Constructing “look-ahead” extractors
- Based on “alternating extraction” from [DP07].
- Two-party interactive protocol between Quentin and Wendy.
- In each round i:
  - Quentin sends S_i to Wendy.
  - Wendy sends R_i = Ext(W;S_i).
  - Quentin computes S_{i+1} = Ext(Q;R_i).
[Diagram: Quentin holds Q, S_1; Wendy holds W. Messages alternate: S_1, R_1 = Ext(W;S_1), S_2 = Ext(Q;R_1), R_2 = Ext(W;S_2), S_3 = Ext(Q;R_2), R_3 = Ext(W;S_3), S_4 = Ext(Q;R_3), …]

19 Approach 2: Alternating-Extraction Theorem
- Alternating-Extraction Theorem: No matter what strategy Quentin and Wendy employ in the first i rounds, the values [R_{i+1}, R_{i+2}, …, R_t] look uniformly random to Quentin given [R’_1, R’_2, …, R’_i].
- Assume that:
  - W is (weakly) secret for Quentin and Q is secret for Wendy.
  - Wendy and Quentin can communicate only a few bits in each round.
- Can they compute R_i, S_i in fewer rounds?
[Diagram: the honest alternating-extraction run (S_1, R_1 = Ext(W;S_1), S_2 = Ext(Q;R_1), R_2 = Ext(W;S_2), S_3 = Ext(Q;R_2), R_3 = Ext(W;S_3), S_4 = Ext(Q;R_3)) next to a run under an arbitrary strategy with messages S’_1, R’_1, S’_2, R’_2, S’_3, R’_3.]

20 Approach 2: Look-Ahead Extractor Construction
Define: laExt(W;X) = [R_1, R_2, R_3, …, R_t] where the extractor seed is X = (Q, S_1).
[Diagram: the honest alternating-extraction run (S_1, R_1 = Ext(W;S_1), S_2 = Ext(Q;R_1), R_2 = Ext(W;S_2), S_3 = Ext(Q;R_2), R_3 = Ext(W;S_3), S_4 = Ext(Q;R_3)) next to a run with messages S’_1, R’_1, S’_2, R’_2, S’_3, R’_3.]

21 Approach 2: Look-Ahead Extractor Construction
Define: laExt(W;X) = [R_1, R_2, R_3, …, R_t] where the extractor seed is X = (Q, S_1).
[Diagram: Alice and Bob both hold W. Bob samples X = (Q, S_1) and runs alternating extraction “in his head”; Eve changes X to X’ = (Q’, S’_1) on the channel; Alice runs alternating extraction “in her head” on the seed she receives.]

22 Approach 2: Look-Ahead Extractor based on Alternating Extraction
- A modified seed X’ corresponds to a modified strategy by Quentin in Alice’s head.
    laExt(W;X) = [R_1, R_2, R_3, …, R_t]
    laExt(W;X’) = [R’_1, R’_2, R’_3, …, R’_t]
[Diagram: the run on seed (Q, S_1): R_1 = Ext(W;S_1), S_2 = Ext(Q;R_1), R_2 = Ext(W;S_2), S_3 = Ext(Q;R_2), R_3 = Ext(W;S_3), S_4 = Ext(Q;R_3); next to the run on seed (Q’, S’_1): R’_1 = Ext(W;S’_1), S’_2 = Ext(Q’;R’_1), R’_2 = Ext(W;S’_2), S’_3 = Ext(Q’;R’_2), R’_3 = Ext(W;S’_3), S’_4 = Ext(Q’;R’_3).]

23 Approach 2: “Look-Ahead” Extractors
- laExt ensures that the “look-ahead” property holds between R, R’.
- Need: laMAC which ensures that Eve cannot predict laMAC_R(m’) given laMAC_R’(m).
[Diagram: Alice and Bob share W; Alice has message m. Eve changes the seed X to X’; R = laExt(W;X), R’ = laExt(W;X’); Alice sends (m, σ) with σ = laMAC_R’(m); Eve replaces it with (m’, σ’); Bob checks σ’ = laMAC_R(m’)?]

24 Approach 2: Authentication using Look-Ahead
- Ensure that given laMAC_R’(m) it is hard to predict laMAC_R(m’), where R = [R_1, R_2, …, R_t], R’ = [R’_1, R’_2, …, R’_t] have the “look-ahead” property.
- No guarantees from standard MACs.
- Idea for 1 bit (t = 4): R = [R_1, R_2, R_3, R_4].
  - laMAC_R(0) = [R_1, R_4], laMAC_R(1) = [R_2, R_3]

25 Approach 2: Authentication using Look-Ahead
- Ensure that given laMAC_R’(m) it is hard to predict laMAC_R(m’), where R = [R_1, R_2, …, R_t], R’ = [R’_1, R’_2, …, R’_t] have the “look-ahead” property.
- No guarantees from standard MACs.
- Idea for 1 bit (t = 4): R = [R_1, R_2, R_3, R_4].
  - laMAC_R(0) = [R_1, R_4], laMAC_R(1) = [R_2, R_3]
  - laMAC_R’(1) = [R’_2, R’_3], laMAC_R’(0) = [R’_1, R’_4]
  - R_4 looks random given R’_2, R’_3.
  - R_2, R_3 look random given R’_1. R’_4 isn’t long enough to “reveal” both of them.
- Easy to generalize to m bits with t = 4m.
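
The data flow of the two-round template (slides 10 to 13) with laExt and laMAC (slides 18 to 25), as an added example that is not part of the talk or the paper. Assumptions: `ext` is a truncated HMAC-SHA256 stand-in rather than an information-theoretic extractor, all blocks have equal length, the m-bit laMAC uses one group of four blocks per message bit as one reading of "t = 4m", and every function name and sample value here is hypothetical.

```python
import hashlib
import hmac
import secrets

def ext(source, seed, out_len=16):
    # Stand-in for Ext(source; seed). Assumption: truncated HMAC-SHA256 is a
    # computational placeholder, not the information-theoretic extractor.
    return hmac.new(seed, source, hashlib.sha256).digest()[:out_len]

def la_ext(w, x, t):
    # laExt(W;X) = [R_1, ..., R_t] with seed X = (Q, S_1).
    q, s = x
    blocks = []
    for _ in range(t):
        r = ext(w, s)      # Wendy:   R_i     = Ext(W; S_i)
        blocks.append(r)
        s = ext(q, r)      # Quentin: S_{i+1} = Ext(Q; R_i)
    return blocks

def la_mac(blocks, bits):
    # Message bit j selects from its own group of four blocks:
    # 0 -> [first, fourth], 1 -> [second, third]; so t = 4m for m bits.
    tag = []
    for j, bit in enumerate(bits):
        g = blocks[4 * j:4 * j + 4]
        tag += [g[1], g[2]] if bit else [g[0], g[3]]
    return tag

def verify(blocks, bits, tag):
    expected = b"".join(la_mac(blocks, bits))
    return hmac.compare_digest(expected, b"".join(tag))

def run_protocol(w, bits, tamper_seed=None, tamper_msg=None):
    # Round 1: Bob samples X = (Q, S_1); Alice receives X' (= X if Eve is passive).
    # Round 2: Alice sends (m, sigma) under R' = laExt(W;X'); Bob checks under R.
    t = 4 * len(bits)
    x = (secrets.token_bytes(32), secrets.token_bytes(16))
    x_alice = tamper_seed(x) if tamper_seed else x
    sigma = la_mac(la_ext(w, x_alice, t), bits)
    m_bob = tamper_msg(bits) if tamper_msg else bits
    return verify(la_ext(w, x, t), m_bob, sigma)

W = b"correct horse battery staple"   # constructed weak secret
flip_s1 = lambda x: (x[0], bytes([x[1][0] ^ 1]) + x[1][1:])   # X -> X'
flip_m0 = lambda m: [m[0] ^ 1] + m[1:]                         # m -> m'

if __name__ == "__main__":
    print(run_protocol(W, [1, 0, 1]))                        # honest run
    print(run_protocol(W, [1, 0, 1], tamper_seed=flip_s1))   # modified seed
    print(run_protocol(W, [1, 0, 1], tamper_msg=flip_m0))    # modified message
```

Bob accepts only in the honest run; a changed seed or a changed message makes his recomputed tag differ from the one Alice sent.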

26 Authenticated Key Agreement Parameters
(W has length n, entropy k, security parameter λ)
- Approach 1 - Existential Result:
  - Exchanged key is of length: k - O(log(n) + λ)
  - Communication complexity: O(log(n) + λ)
- Approach 2 - Efficient construction:
  - Exchanged key is of length: k - O(log^2(n) + λ^2)
  - Communication complexity: O(log^2(n) + λ^2)

27 Summary
- Show how to base symmetric-key cryptography (information-theoretic, computational) on weak secrets.
- Build a round-optimal “authenticated key agreement protocol”.
- Interesting new tool: “non-malleable” randomness extractors: (1) fully non-malleable (2) “look-ahead”.
  - Other applications?
- Open Problem: Efficient construction of fully non-malleable extractors.
Did not talk about…
- Extension to the “Fuzzy” setting.
- Extension to the Bounded Retrieval Model.

