Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Moni Naor, Gil Segev, Adam Smith (Weizmann Institute of Science, Israel)

Presentation transcript:

1 Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Moni Naor, Gil Segev, Adam Smith
Weizmann Institute of Science, Israel

2 Pairing of Wireless Devices
Scenario: buy a new wireless camera; want to establish a secure channel for the first time, e.g., Diffie-Hellman key agreement (the parties exchange g^x and g^y).

3 Pairing of Wireless Devices
“I thought this is a wireless camera…”
Cable pairing: simple, cheap, an authenticated channel.

4 Pairing of Wireless Devices
Wireless pairing. Problem: active adversaries (“man-in-the-middle”).

5 Pairing of Wireless Devices
Wireless pairing (diagram: the parties send g^x and g^y, the man-in-the-middle injects g^a and g^b). Problem: active adversaries (“man-in-the-middle”).

6 Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary. (Diagram: Alice sends m, Eve sits in the middle, Bob receives m̂.)

7 Pairing of Wireless Devices
Diagram with g^x, g^y, g^a, g^b: Alice's view is m = g^x || g^a, Bob's view is m̂ = g^b || g^y.

8 Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary. (Diagram: Alice sends m, Eve, Bob receives m̂.)
Without additional setup: impossible!!
Public key: signatures. Problem: no trusted PKI.
This paper: manual channel.

9 The Manual Channel
Diagram: g^x, g^y, g^a, g^b, and a short string (141) shown on both devices. The user can compare two short strings.

10 Manual Channel Model
Insecure communication channel. Low-bandwidth auxiliary channel: enables Alice to “manually” authenticate one short string s. (Diagram: Alice sends m over the insecure channel and s over the manual channel; Bob receives s.)
Adversarial power: choose the input message m. Insecure channel: full control. Manual channel: read, delay (delivery timing).

11 Manual Channel Model
Insecure communication channel. Low-bandwidth auxiliary channel: enables Alice to “manually” authenticate one short string s. (Diagram: m over the insecure channel, s over the manual channel.)
Goal: minimize the length of the manually authenticated string.

12 Manual Channel Model
No trusted infrastructure, such as: public key infrastructure, shared secret key, common reference string, ...
Suitable for ad hoc networks: pairing of wireless devices (Wireless USB, Bluetooth), secure phones (AT&T, PGP, Zfone), many more...

13 The Manual Channel
(Diagram: the short string 141.) So how many bits can we manually authenticate? 20? 40? 160? Constants do matter!

14 Previous Work (ε denotes the forgery probability)
[Vaudenay ’05]: formal model; computationally secure protocol for arbitrarily long messages; log(1/ε) manually authenticated bits. Optimal!
[LAN ’05, DDN ’00]: can be based on any one-way function (non-malleable commitments). Efficient implementations: rely on a random oracle, or assume a common reference string [DIO ’98, DKOS ’01].
[Rivest & Shamir ’84]: the “Interlock” protocol; mutual authentication of public keys; no trusted infrastructure; AT&T, PGP, …, Zfone.

15 Previous Work (ε denotes the forgery probability)
Same content as slide 14, with the added remark: Computational assumptions!! Are those really necessary?

16 Our Results - Tight Bounds
Setting: an n-bit message m, an ℓ-bit manually authenticated string s, forgery probability ε.
Upper bound: constructed a log*n-round protocol in which ℓ = 2log(1/ε) + O(1). No setup or computational assumptions. Only twice as many bits as [V05].
Matching lower bound: n ≥ 2log(1/ε) ⇒ ℓ ≥ 2log(1/ε) − 2.
One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting.

17 Unconditional Security
Some advantages over computational security: security against unbounded adversaries; exact evaluation of error probabilities; protocols are often easier to compose and more efficient; key agreement protocols.

18 Our Results - Tight Bounds
Diagram on the ℓ axis: below ℓ = log(1/ε): impossible; between ℓ = log(1/ε) and ℓ = 2log(1/ε): computational security (one-way functions); from ℓ = 2log(1/ε): unconditional security.

19 Our Protocol (simplified)
Based on the [GN93] hashing technique. In each round, the parties: cooperatively choose a hash function; reduce to authenticating a shorter message. A short message is manually authenticated.
Preliminaries: for m = m_1 ... m_k ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i. Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],
Pr_{x ∈_R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q.

20 Our Protocol (simplified)
Preliminaries: for m = m_1 ... m_k ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i. Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],
Pr_{x ∈_R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q.
We hash m to x || m(x) + c: one party chooses x, the other party chooses c.

21 Our Protocol (simplified)
Alice holds m. Alice picks a_1 ∈_R GF[Q_1] and a_2 ∈_R GF[Q_2]; Bob picks b_1 ∈_R GF[Q_1] and b_2 ∈_R GF[Q_2]. (Diagram: the values b_1, a_1, m_2, b_2 are exchanged.)
Both parties set: m_1 = b_1 || m(b_1) + a_1 and m_2 = a_2 || m_1(a_2) + b_2. Accept iff m_2 is consistent.
Q_1 ≈ n/ε, Q_2 ≈ log(n)/ε. Two GF[Q_2] elements are manually authenticated: 2log(1/ε) + 2loglog(n) + O(1) bits. With k rounds, 2loglog(n) is reduced to 2log^{(k-1)}(n).
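An added worked example for slides 19 to 21 (my own code, not the slides' or the paper's): the polynomial hash m(x) over a prime field GF(q), an exhaustive check that two distinct messages collide on at most k values of x (so the forgery probability is at most k/q), and one hashing round of the simplified protocol with the receiver's consistency check. The small prime q, the concrete messages and the function names are constructed for the example.

```python
import random

def poly_hash(m, x, q):
    """m(x) = sum_{i=1..k} m_i * x^i over GF(q), q prime; m = [m_1, ..., m_k]."""
    acc = 0
    for coef in reversed(m):          # Horner's rule, highest coefficient first
        acc = (acc + coef) * x % q
    return acc

def collision_count(m, m_hat, c, c_hat, q):
    """Number of x in GF(q) with m(x)+c = m_hat(x)+c_hat, found exhaustively.
    For m != m_hat these x are roots of a nonzero polynomial of degree <= k,
    so the count is <= k and Pr_x[collision] <= k/q (the bound on slide 19)."""
    return sum(1 for x in range(q)
               if (poly_hash(m, x, q) + c) % q == (poly_hash(m_hat, x, q) + c_hat) % q)

def worst_case_collisions(k, q, trials, seed=0):
    """Largest collision count seen over random pairs m != m_hat (constructed
    by changing one coefficient) and random offsets c, c_hat."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        m = [rng.randrange(q) for _ in range(k)]
        m_hat = list(m)
        i = rng.randrange(k)
        m_hat[i] = (m[i] + rng.randrange(1, q)) % q   # guarantees m_hat != m
        c, c_hat = rng.randrange(q), rng.randrange(q)
        worst = max(worst, collision_count(m, m_hat, c, c_hat, q))
    return worst

def hash_round(m, x, c, q):
    """One hashing round (slide 20): one party chose x, the other chose c; the
    next message to authenticate is the pair (x, m(x)+c), two GF(q) elements."""
    return (x, (poly_hash(m, x, q) + c) % q)

def receiver_accepts(received_m, x, c, authenticated_pair, q):
    """Receiver's check (slide 21): recompute the pair from the message that
    arrived over the insecure channel; accept iff it matches the authenticated pair."""
    return hash_round(received_m, x, c, q) == authenticated_pair

if __name__ == "__main__":
    q, k = 101, 3                       # small prime field, constructed values
    print("worst collisions over 200 pairs:", worst_case_collisions(k, q, 200), "<= k =", k)
    m, x, c = [1, 2, 3], 2, 5
    auth = hash_round(m, x, c, 7)
    print("honest:", receiver_accepts(m, x, c, auth, 7),
          "tampered:", receiver_accepts([1, 2, 4], x, c, auth, 7))
```

The example follows the simplified slides only: it does not model the order in which x and c are revealed to the adversary, which the full protocol depends on.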

22 Lower Bound - Intuition
Diagram: Alice sends m and x_1, Bob replies x_2, Alice sends s over the manual channel. With m ∈_R {0,1}^n, M, X_1, X_2 and S are well-defined random variables.

23 Lower Bound - Intuition
Goal: H(S) ≥ 2log(1/ε).
Evolving intuition: the parties must use at least log(1/ε) random bits.
H(S) = [H(S) − H(S | M, X_1)] + [H(S | M, X_1) − H(S | M, X_1, X_2)] + H(S | M, X_1, X_2)
(the first bracket is labelled Alice's randomness, the second Bob's randomness.)
Each party must independently reduce H(S) by log(1/ε) bits; each party must use at least log(1/ε) random bits.

24 Lower Bound - Intuition
Goal: H(S) ≥ 2log(1/ε).
H(S) = [H(S) − H(S | M, X_1)] + [H(S | M, X_1) − H(S | M, X_1, X_2)] + H(S | M, X_1, X_2)
(the first bracket is labelled Alice's randomness, the second Bob's randomness.)
H(S) − H(S | M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε)
H(S | M, X_1) − H(S | M, X_1, X_2) ≥ log(1/ε)

25 Summary
Manual channel: computational assumptions are not necessary. Protocol; matching lower bound; sharp threshold between unconditional and computational.
Diagram on the ℓ axis: below ℓ = log(1/ε): impossible; between ℓ = log(1/ε) and ℓ = 2log(1/ε): computational security (one-way functions); from ℓ = 2log(1/ε): unconditional security.

26 Thank you!
Research supported by Adi Shamir's Turing Award fund and the Israel Science Foundation. Trip to CRYPTO supported by

27 Backup

28 Shared Secret Key
Known upper bound: [GN93] interactive protocol with ℓ = 2log(1/ε) + O(1).
Known lower bound (only non-interactive): ℓ ≥ 2log(1/ε) [GMS74, S84, S85, S88, M00].
Our results: lower bound (interactive!): ℓ ≥ 2log(1/ε), even when authenticating one bit. Again, one-way functions are necessary for breaking the lower bound in the computational setting.
