Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models. Moni Naor, Gil Segev, Adam Smith. Weizmann Institute of Science, Israel.



2 Pairing of Wireless Devices
Scenario: Buy a new wireless camera. Want to establish a secure channel for the first time, e.g., Diffie-Hellman key agreement (the devices exchange g^x and g^y).

3 Pairing of Wireless Devices: Cable pairing
“I thought this is a wireless camera…” Simple. Cheap. Authenticated channel.

4 Pairing of Wireless Devices: Wireless pairing
Problem: Active adversaries (“man-in-the-middle”).

5 Pairing of Wireless Devices: Wireless pairing
(Figure: Alice sends g^x and Bob sends g^y; the adversary delivers g^a to Alice and g^b to Bob instead.) Problem: Active adversaries (“man-in-the-middle”).

6 Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary. (Figure: Alice sends m to Bob; Eve may deliver a modified m̂ instead.)

7 Pairing of Wireless Devices
(Figure: the Diffie-Hellman values g^x, g^y, g^a, g^b as before.) The message to authenticate is m = g^x || g^a, while the adversary's version is m̂ = g^b || g^y.

8 Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary. Without additional setup: Impossible!! Public key: Signatures. Problem: No trusted PKI. This paper: Manual channel. (Figure: Alice, Bob, Eve; m and m̂.)

9 The Manual Channel
(Figure: g^x, g^y, g^a, g^b; both devices display a short string such as 141.) User can compare two short strings.

10 Manual Channel Model
Insecure communication channel. Low-bandwidth auxiliary channel: enables Alice to “manually” authenticate one short string s. (Figure: Alice and Bob exchange m, ... over the insecure channel; s goes over the manual channel.) Adversarial power: choose the input message m. Insecure channel: full control. Manual channel: read, delay (delivery timing).

11 Manual Channel Model
Insecure communication channel. Low-bandwidth auxiliary channel: enables Alice to “manually” authenticate one short string s. Goal: Minimize the length of the manually authenticated string.

12 Manual Channel Model
No trusted infrastructure, such as: public key infrastructure, shared secret key, common reference string. Suitable for ad hoc networks: pairing of wireless devices (Wireless USB, Bluetooth); secure phones (AT&T, PGP, Zfone); many more.

13 The Manual Channel
(Figure: the short string 141.) So how many bits can we manually authenticate? 20? 40? 160? Constants do matter!

14 Previous Work
[Vaudenay `05]: Formal model. Computationally secure protocol for arbitrarily long messages with log(1/ε) manually authenticated bits, where ε is the forgery probability. Optimal! [LAN `05, DDN `00]: Can be based on any one-way function (non-malleable commitments). Efficient implementations: rely on a random oracle, or assume a common reference string [DIO `98, DKOS `01]. [Rivest & Shamir `84]: The “Interlock” protocol. Mutual authentication of public keys. No trusted infrastructure. AT&T, PGP, …, Zfone.

15 Previous Work (continued)
Computational assumptions!! Are those really necessary?

16 Our Results - Tight Bounds
Setting: an n-bit message m, an ℓ-bit manually authenticated string s, and forgery probability ε. Upper bound: constructed a log*n-round protocol in which ℓ = 2log(1/ε) + O(1), with no setup or computational assumptions; only twice as many bits as [V05]. Matching lower bound: n ≥ 2log(1/ε) ⇒ ℓ ≥ 2log(1/ε) − 2. One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting.

17 Unconditional Security
Some advantages over computational security: security against unbounded adversaries; exact evaluation of error probabilities; protocols are often easier to compose and more efficient; key agreement protocols.

18 Our Results - Tight Bounds
(Figure: the ℓ axis. Below ℓ = log(1/ε): impossible. At ℓ = log(1/ε): computational security, one-way functions. At ℓ = 2log(1/ε): unconditional security.)

19 Our Protocol (simplified)
Based on the [GN93] hashing technique. In each round, the parties cooperatively choose a hash function and reduce to authenticating a shorter message. A short message is manually authenticated.
Preliminaries: For $m = m_1 \ldots m_k \in \mathrm{GF}[Q]^k$ and $x \in \mathrm{GF}[Q]$, let $m(x) = \sum_{i=1}^{k} m_i x^i$. Then, for any $m \neq \hat{m}$ and for any $c, \hat{c} \in \mathrm{GF}[Q]$,
$$\Pr_{x \leftarrow_R \mathrm{GF}[Q]}\bigl[\, m(x) + c = \hat{m}(x) + \hat{c} \,\bigr] \le k/Q .$$

20 Our Protocol (simplified)
We hash m to x || m(x) + c: one party chooses x, the other party chooses c. (Preliminaries as on slide 19: for any $m \neq \hat{m}$ and any $c, \hat{c} \in \mathrm{GF}[Q]$, $\Pr_{x \leftarrow_R \mathrm{GF}[Q]}[m(x) + c = \hat{m}(x) + \hat{c}] \le k/Q$.)

21 Our Protocol (simplified)
Alice chooses $a_1 \leftarrow_R \mathrm{GF}[Q_1]$ and $a_2 \leftarrow_R \mathrm{GF}[Q_2]$; Bob chooses $b_1 \leftarrow_R \mathrm{GF}[Q_1]$ and $b_2 \leftarrow_R \mathrm{GF}[Q_2]$. (Figure: the messages m, b_1, a_1, b_2 are exchanged over the insecure channel, and m_2 over the manual channel.) Both parties set $m_1 = b_1 \,\|\, m(b_1) + a_1$ and $m_2 = a_2 \,\|\, m_1(a_2) + b_2$. Accept iff m_2 is consistent. With $Q_1 \approx n/\varepsilon$ and $Q_2 \approx \log(n)/\varepsilon$, the manually authenticated string is two GF[Q_2] elements: $2\log(1/\varepsilon) + 2\log\log(n) + O(1)$ manually authenticated bits. With k rounds, the $2\log\log(n)$ term is reduced to $2\log^{(k-1)}(n)$.
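The hashing step of slides 19 to 21, as an added example (not the authors' code): a polynomial hash over a prime field GF[Q], an exhaustive check of the k/Q collision bound, the one-round reduction to x || m(x)+c, and the receiver's consistency check. The parameters Q = 7 and k = 2 are constructed for illustration; the slides' Q_1 ≈ n/ε is far larger.

```python
from fractions import Fraction
from itertools import product


def poly_hash(m, x, Q):
    """m(x) = sum_{i=1..k} m_i * x^i over GF[Q] (Q prime), in Horner form."""
    acc = 0
    for m_i in reversed(m):          # ((m_k*x + m_{k-1})*x + ... + m_1)*x
        acc = (acc + m_i) * x % Q
    return acc


def collision_fraction(m, m_hat, c, c_hat, Q):
    """Exact Pr_x[m(x)+c == m_hat(x)+c_hat] for x uniform in GF[Q].
    For m != m_hat, (m - m_hat)(x) + (c - c_hat) is a nonzero polynomial of
    degree <= k, so it has <= k roots: the fraction is <= k/Q (slide 19)."""
    hits = sum(1 for x in range(Q)
               if (poly_hash(m, x, Q) + c) % Q == (poly_hash(m_hat, x, Q) + c_hat) % Q)
    return Fraction(hits, Q)


def max_collision_fraction(m, c, Q):
    """Worst case over every m_hat != m of the same length and every c_hat."""
    worst = Fraction(0)
    for m_hat in product(range(Q), repeat=len(m)):
        if list(m_hat) == list(m):
            continue
        for c_hat in range(Q):
            worst = max(worst, collision_fraction(m, list(m_hat), c, c_hat, Q))
    return worst


def reduce_message(m, x, c, Q):
    """One round (slide 20): the k-element m is replaced by the 2-element pair
    x || m(x)+c. One party chose x uniformly, the other chose c uniformly, so
    neither side controls the pair alone; the pair is what is authenticated next."""
    return (x, (poly_hash(m, x, Q) + c) % Q)


def receiver_accepts(m_received, x, c, authenticated, Q):
    """Consistency check (slide 21): the message received over the insecure
    channel must hash to the authenticated pair under the jointly chosen (x, c)."""
    return reduce_message(m_received, x, c, Q) == authenticated


# Constructed toy run: Q = 7, k = 2 (the slides' Q_1 ~ n/eps is far larger).
TOY_Q, TOY_M, TOY_X, TOY_C = 7, [1, 2], 4, 3
TOY_PAIR = reduce_message(TOY_M, TOY_X, TOY_C, TOY_Q)   # (4, 4)
```

With these toy values max_collision_fraction reaches exactly k/Q = 2/7, so the bound on slide 19 is tight for some pairs (m̂, ĉ) and a substituted message survives the check only for that fraction of the x values.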

22 Lower Bound - Intuition
(Figure: Alice sends m, x_1; Bob replies x_2; Alice sends s over the manual channel.) With $m \leftarrow_R \{0,1\}^n$, the quantities M, X_1, X_2, S are well-defined random variables.

23 Lower Bound - Intuition
Goal: $H(S) \ge 2\log(1/\varepsilon)$. Evolving intuition: the parties must use at least log(1/ε) random bits. Write
$$H(S) = \bigl[H(S) - H(S \mid M, X_1)\bigr] + \bigl[H(S \mid M, X_1) - H(S \mid M, X_1, X_2)\bigr] + H(S \mid M, X_1, X_2),$$
where the first and last terms are governed by Alice's randomness and the middle term by Bob's randomness. Each party must independently reduce H(S) by log(1/ε) bits. Each party must use at least log(1/ε) random bits.

24 Lower Bound - Intuition
Goal: $H(S) \ge 2\log(1/\varepsilon)$. In the decomposition
$$H(S) = \bigl[H(S) - H(S \mid M, X_1)\bigr] + \bigl[H(S \mid M, X_1) - H(S \mid M, X_1, X_2)\bigr] + H(S \mid M, X_1, X_2),$$
the two parties' contributions are bounded separately:
$$H(S) - H(S \mid M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon) \quad \text{(Alice's randomness)},$$
$$H(S \mid M, X_1) - H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon) \quad \text{(Bob's randomness)}.$$
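Carrying slide 24's two bounds through to the goal, as an added worked step in the slides' own symbols (not on the original slides): the decomposition telescopes, so adding the two bounds gives the entropy goal, and since s is an ℓ-bit string its entropy is at most ℓ:
$$H(S) = \underbrace{\bigl[H(S)-H(S\mid M,X_1)\bigr] + H(S\mid M,X_1,X_2)}_{\ge\, \log(1/\varepsilon)\ \text{(Alice)}} + \underbrace{\bigl[H(S\mid M,X_1)-H(S\mid M,X_1,X_2)\bigr]}_{\ge\, \log(1/\varepsilon)\ \text{(Bob)}} \ge 2\log(1/\varepsilon),$$
$$\ell \;\ge\; H(S) \;\ge\; 2\log(1/\varepsilon).$$
The two bracketed differences are the mutual informations $I(S; M, X_1)$ and $I(S; X_2 \mid M, X_1)$, i.e. how much of S is fixed by Alice's first message and by Bob's reply respectively, which is why they are attributed to Alice's and Bob's randomness. The intuition yields ℓ ≥ 2log(1/ε); the precise bound stated on slide 16 is ℓ ≥ 2log(1/ε) − 2.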

25 Summary
Manual channel: computational assumptions are not necessary. Protocol; matching lower bound; sharp threshold between unconditional and computational. (Figure: the ℓ axis. Below ℓ = log(1/ε): impossible. At ℓ = log(1/ε): computational security, one-way functions. At ℓ = 2log(1/ε): unconditional security.)

Thank you! Research supported by Adi Shamir's Turing Award fund and the Israel Science Foundation. Trip to CRYPTO supported by

Backup

28 Shared Secret Key
Known upper bound: [GN93] interactive protocol with ℓ = 2log(1/ε) + O(1). Known lower bound (only non-interactive): ℓ ≥ 2log(1/ε) [GMS74, S84, S85, S88, M00]. Our results: lower bound (interactive!): ℓ ≥ 2log(1/ε), even when authenticating one bit. Again, one-way functions are necessary for breaking the lower bound in the computational setting.