Presentation is loading. Please wait.

Presentation is loading. Please wait.

Position Based Cryptography* Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA CRYPTO ‘09.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Position Based Cryptography* Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA CRYPTO ‘09."— Presentation transcript:

1 Position Based Cryptography* Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA CRYPTO ‘09

2 What constitutes an identity? Your public key Your biometric Email ID How about where you are? PK abc@gmail.com z x y

3 Geographical Position as an Identity US Military Base in USA sk Enc sk (m) sk US Military Base in Iraq Reveal sk or else…..

4 Geographical Position as an Identity US Military Base in USA We trust physical security Guarantee that those inside a particular geographical region are good US Military Base in Iraq

5 Geographical Position as an Identity US Military Base in USA Enc (m) Only someone at a particular geographical position can decrypt US Military Base in Iraq

6 Other Applications Position-based Authentication: guarantee that a message came from a person at a particular geographical position Position-based access control: allow access to resource only if user is at particular geographical position Many more….

7 Problem (informally) A set of verifiers present at various geographical positions in space A prover present at some geographical position P GOAL: Exchange a key with the prover if and only if prover is in fact at position P

8 Secure Positioning Set of verifiers wish to verify the position claim of a prover at position P Run an interactive protocol with the prover at P to verify this Studied in the security community [SSW03, B04, SP05, CH05, CCS06]

9 Previous Techniques for Secure Positioning VerifierProver Random nonce r r Time of response Prover cannot be farther away from verifier than he claims to be

10 Triangulation [CH05] V1V1 V2V2 V3V3 P r1r1 r1r1 r2r2 r2r2 r3r3 r3r3 3 Verifiers measure Time of response and verify position claim

11 Triangulation [CH05] Works, but assumes a single adversary V1V1 V2V2 V3V3 P3P3 P2P2 P1P1 r1r1 r1r1 r2r2 r2r2 r3r3 r3r3 Position P P i can delay response to V i as if it were coming from P Attack with multiple colluding provers

12 Talk Outline  Vanilla Model  Secure Positioning - Impossible in vanilla model - Positive information-theoretic results in the Bounded Retrieval Model  Position-based Key Exchange - Positive information-theoretic results in the BRM

13 Vanilla Model V1V1 V2V2 V3V3 P Verifiers can send messages at any time to prover with speed of light All verifiers share a secret channel P3P3 P2P2 P1P1 Multiple, coordinating adversaries, possibly computationally bounded Verifiers can record time of sent and received messages P lies inside Tetrahedron

14 Lower Bound Theorem: There does not exist any protocol to achieve secure positioning in the Vanilla model Corollary: Position-based key exchange is impossible in the Vanilla model

15 Lower Bound – Proof sketch V4V4 V1V1 V2V2 V3V3 P1P1 P2P2 P4P4 P3P3 Position P P j internally delays every msg from V j and sends msg to P i Blue path not shorter than red path P i can run exact copy of prover and respond to V i Generalization of attack presented earlier

16 Lower bound implications Secure positioning and hence position- based cryptography is impossible in Vanilla model (even with computational assumptions!) Search for alternate models where position-based cryptography is possible?

17 CONSTRUCTIONS & PROOFS

18 Bounded Retrieval Model (BRM) [Maurer’92, CLW06, Dziembowski06] Assumes long string X (of length n and high min- entropy) in the sky or generated by some party Assumes all parties (including honest) have retrieval bound βn for some 0<β<1 Adversaries can retrieve information from X (even possibly after honest parties have used the key generated from X), as long as the total information retrieved is bounded Several works have studied the model in great detail

19 V1V1 V2V2 P1P1 BRM in the context of Position- based Cryptography P2P2 X Verifiers can broadcast HUGE X Like Vanilla Model except Adversaries are not computationally bounded V3V3 Adversaries can store only a small f(X) as X passes by…i.e. (Total |f(X)| < retrieval bound) X Note that Adversaries can NOT “reflect” X (violates BSM)

20 Physically realizing BRM Seems reasonable that an adversary can only retrieve small amount of information as a string passes by (the string need to not even be super huge for this to hold). Verifiers could split X and broadcast the portions on different frequencies. The key could tell a prover which frequencies to listen in to.

21 BSM/BRM primitives needed BSM PRG from [Vad04] PRG takes as input string X with high min- entropy and short seed K PRG(X,K) ≈ Uniform, even given K and A(X) for arbitrary bounded output length function A

22 Secure Positioning in 1- Dimensional Space V1V1 V2V2 Position P X KK K PRG(X,K) V 1 measures time of response and accepts if response is correct and received at the right time Correctness of protocol follows from 1.Prover at P can compute PRG(X,K) 2. V 1 can compute PRG(X,K) when broadcasting X 3. Response of prover from P will be on time

23 Secure Positioning in 1- Dimensional Space V1V1 V2V2 Position P X KK K P1P1 P2P2 Can store A(X)Can store K P 1 can respond in time, but has only A(X) and K P 2 can compute PRG(X,K), but cannot respond in time Proof Intuition

24 First, we will make an UNREASONABLE assumption… Then show how to get rid of it! Secure Positioning in 3- Dimensional Space

25 V1V1 V2V2 V3V3 V4V4 Position P K1K1 X1X1 X2X2 X3X3 Prover computes K i+1 = PRG(X i, K i ), 1≤ i ≤ 3 Prover broadcasts K 4 to all verifiers Verifiers check response & time of response K4K4 K4K4 K4K4 K4K4 CHEATING ASSUMPTION: For now, assume V i can store X’s!

26 Secure Positioning in 3- Dimensional Space Security will follow from security of position based based key exchange protocol presented later What about correctness?? V1V1 V2V2 V3V3 V4V4 K1K1 X1X1 X2X2 X3X3 Verifiers cannot compute K 4 if they don’t store X i ’s V 3 needs K 2 before broadcasting X 2 to compute K 3 But, V 3 might have to broadcast X 2 before or same time as V 2 broadcasts X 1 K4K4

27 Secure Positioning in 3- Dimensional Space ELIMINATING CHEATING: Protocol when Verifiers cannot store X i ’s V 1, V 2, V 3, V 4 pick K 1, K 2, K 3, K 4 at random before protocol Now, Verifiers know K 4 ; they must help prover compute it V 1 broadcasts K 1 V 2 broadcasts X 1 and K 2 ’ = PRG(X 1,K 1 ) xor K 2 V 3 broadcasts X 2 and K 3 ’ = PRG(X 2,K 2 ) xor K 3 V 4 broadcasts X 3 and K 4 ’ = PRG(X 3,K 3 ) xor K 4 Verifiers secret share K i s and broadcast one share according to X i s

28 Secure Positioning in 3- Dimensional Space V1V1 V2V2 V3V3 V4V4 Position P K1K1 X 3, K 4 ’ X 2, K 3 ’ X 1, K 2 ’ Note that prover can compute K 4 and broadcast K 4

29 Secure Positioning: Bottom line We can do secure positioning in 3D in the bounded storage model We can obtain a protocol even if there is a small variance in delivery time when small positioning error is allowed

30 What else can we do in this model? What about key agreement?

31 Information-theoretic Key Exchange in 1-Dimensional Space V1V1 V2V2 Position P P1P1 P2P2 Could not compute key Could compute key, but cannot respond in time Secure positioning

32 Information-theoretic Key Exchange in 1-Dimensional Space V1V1 V2V2 Position P K 1, X 2 X1X1 K 3 = PRG(X 2, PRG(X 1, K 1 )) P1P1 P2P2 Can store A(X 2,K 1 ),K 1 Can store A(X 1, K 1 ) Seems like no adversary can compute PRG(X 2, K 2 ) Intuition works!!

33 Information-theoretic Key Exchange in 3-Dimensional Space V1V1 V2V2 V3V3 V4V4 Position P K 1,X 4 X 1, X 5 X2X2 X3X3 Prover computes K i+1 = PRG(X i, K i ) 1 ≤ i ≤ 5 K 6 is final key Again assume Verifiers can store X’s

34 Subtleties in proof V1V1 V2V2 V3V3 V4V4 Position P K 1,X 4 X 1, X 5 X2X2 X3X3 P1P1 P2P2 P3P3 A(X 4, K 1 ) A(X 3 ) P4P4 A(X 1, A(X 3 ), A(X 4, K 1 ))

35 Proof Ideas A lemma ruling out any adversary simultaneously receiving all messages of the verifiers – Characterizes regions within tetrahedron where position-based key exchange is possible Combination of geometric arguments to characterize information that adversaries at different positions can obtain Part 1: Geometric Arguments

36 Proof Ideas Part 2: Extractor Arguments Build on techniques from Intrusion-Resilient Random Secret Sharing scheme of Dziembowski-Pietrzak [DP07] Show a reduction of the security of our protocol to a (slight) generalization of [DP07] allowing multiple adversaries working in parallel

37 A REMINDER: Intrusion-Resilient Random Secret Sharing Scheme (IRRSS) [DP07] S1S1 S2S2 S3S3 SnSn X1X1 X2X2 X3X3 XnXn K 1 is chosen at random and given to S 1 S i computes K i+1 = PRG(X i, K i ) and sends K i+1 to S i+1 S n outputs key K n+1 Bounded adversary can corrupt a sequence of players (with repetition) as long as sequence is valid Valid sequence does not contain S 1,S 2,..,S n as a subsequence Eg: If n = 5; 13425434125 is invalid, but 134525435 is valid Then, K n+1 is statistically close to uniform

38 Reduction to IRRSS V1V1 V2V2 V3V3 V4V4 K 1,X 4 X 1, X 5 X2X2 X3X3 P1P1 P2P2 A(X 4, K 1 ) P3P3 A(X 1, A(X 3 ), A(X 4, K 1 )) S1S1 S2S2 S3S3 S4S4 X2X2 X3X3 X4X4 X1X1 S5S5 X5X5 P 1 : corrupts S 4 P 2 : corrupts S 3 P 3 : corrupts S 4, S 3, S 1 All adversaries given K 1 for free Combining all this, proves the theorem A(X 3 )

39 Conclusions WE HAVE SHOWN IN THE PAPER: –Position based Key Exchange in BRM for entire tetrahedron region (but computational security) –Protocol for position based Public Key Infrastructure –Protocol for position based MPC OPEN: –Other models? (we are currently looking at quantum, seems plausible!) –Other applications of position-based crypto?

40 Thank you

Download ppt "Position Based Cryptography* Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA CRYPTO ‘09."

Similar presentations

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
Information Security for Sensors Overwhelming Random Sequences and Permutations Shlomi Dolev, Niv Gilboa, Marina Kopeetsky, Giuseppe Persiano, and Paul.

Information Security for Sensors Overwhelming Random Sequences and Permutations Shlomi Dolev, Niv Gilboa, Marina Kopeetsky, Giuseppe Persiano, and Paul.
 Secure Authentication Using Biometric Data Karen Cui.

 Secure Authentication Using Biometric Data Karen Cui.

Similar presentations

Ads by Google