Presentation is loading. Please wait.

Presentation is loading. Please wait.

Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA.

Published byLesley Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA."— Presentation transcript:

1 Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA

2 What constitutes an identity? Your public key Your biometric Email ID How about where you are? PK abc@gmail.com z x y

3 Geographical Position as an Identity US Military Base in USA sk Enc sk (m) sk US Military Base in Iraq Reveal sk or else…..

4 Geographical Position as an Identity US Military Base in USA We trust physical security Guarantee that those inside a particular geographical region are good US Military Base in Iraq

5 Geographical Position as an Identity US Military Base in USA Enc (m) Only someone at a particular geographical position can decrypt US Military Base in Iraq

6 Other Applications Position-based Authentication: guarantee that a message came from a person at a particular geographical position Position-based access control: allow access to resource only if user is at particular geographical position Many more….

7 Problem (informally) A set of verifiers present at various geographical positions in space A prover present at some geographical position P GOAL: Exchange a key with the prover if and only if prover is in fact at position P

8 Secure Positioning Set of verifiers wish to verify the position claim of a prover at position P Run an interactive protocol with the prover at P to verify this Studied in wireless security [SSW03, B04, SP05, CH05, CCS06]

9 Previous Techniques for Secure Positioning VerifierProver Random nonce r r Time of response Prover cannot claim to be closer to the verifier than he actually is All messages travel at speed of light Radio waves, GPS….

10 Triangulation [CH05] V1V1 V2V2 V3V3 P r1r1 r1r1 r2r2 r2r2 r3r3 r3r3 3 Verifiers measure Time of response and verify position claim

11 Triangulation [CH05] Works, but assumes a single adversary V1V1 V2V2 V3V3 P3P3 P2P2 P1P1 r1r1 r1r1 r2r2 r2r2 r3r3 r3r3 Position P P i can delay response to V i as if it were coming from P Attack with multiple colluding provers

12 Talk Outline  Vanilla Model  Secure Positioning - Impossible in vanilla model - Positive information-theoretic results in the Bounded Retrieval Model  Position-based Key Exchange - Positive information-theoretic results in the BRM

13 Vanilla Model V1V1 V2V2 V3V3 P Verifiers can send messages at any time to prover with speed of light All verifiers share a secret channel P3P3 P2P2 P1P1 Multiple, coordinating adversaries, possibly computationally bounded Verifiers can record time of sent and received messages P lies inside Convex Hull

14 Lower Bound Theorem: There does not exist any protocol to achieve secure positioning in the Vanilla model Corollary: Position-based key exchange is impossible in the Vanilla model

15 Lower Bound – Proof sketch V4V4 V1V1 V2V2 V3V3 P1P1 P2P2 P4P4 P3P3 Position P P j internally delays every msg from V j and sends msg to P i Blue path not shorter than red path P i can run exact copy of prover and respond to V i Generalization of attack presented earlier

16 Lower bound implications Secure positioning and hence position- based cryptography is impossible in Vanilla model (even with computational assumptions!) Search for alternate models where position-based cryptography is possible?

17 CONSTRUCTIONS & PROOFS

18 Bounded Retrieval Model (BRM) [Maurer’92, Dziembowski06, CLW06] Assumes long string X (of length n and high min- entropy) in the sky or generated by some party Assumes all parties (including honest) have retrieval bound βn for some 0<β<1 Adversaries can retrieve any information from X as long as the total information retrieved is bounded Several works have studied the model in great detail

19 V1V1 V2V2 P1P1 BRM in the context of Position- based Cryptography P2P2 X Verifiers can broadcast HUGE X Like Vanilla Model except Adversaries are not computationally bounded V3V3 Adversaries can store only a small f(X) as X passes by…i.e. (Total |f(X)| < retrieval bound) X Note that Adversaries can NOT “reflect” X (violates BRM framework)

20 To make things more clear Computation is instantaneous – modern GPS perform computation while using speed of light assumption (relaxation  error in position) Huge X travels in its entirety when broadcast and not as a stream (again, relaxation  error in position)

21 Physically realizing BRM Seems reasonable that an adversary can only retrieve small amount of information as a string passes by Verifiers could split X and broadcast the portions on different frequencies. Adversary cannot listen on all frequencies

22 BSM/BRM primitives needed Locally computable PRG from [Vad04] PRG takes as input string X with high min- entropy and short seed K PRG(X,K) ≈ Uniform, even given K and A(X) for arbitrary bounded output length function A

23 Secure Positioning in 1- Dimensional Space V1V1 V2V2 Position P X KK K PRG(X,K) V 1 measures time of response and accepts if response is correct and received at the right time Correctness of protocol follows from 1.Prover at P can compute PRG(X,K) 2. V 1 can compute PRG(X,K) when broadcasting X 3. Response of prover from P will be on time

24 Secure Positioning in 1- Dimensional Space V1V1 V2V2 Position P X KK K P1P1 P2P2 Can store A(X)Can store K Proof Intuition P 1 closer to V 1 than P, but has only A(X) and K P 2 can compute PRG(X,K), but farther away from V 1 than P

25 First, we will make an UNREASONABLE assumption… Then show how to get rid of it! Secure Positioning in 3- Dimensional Space

26 V1V1 V2V2 V3V3 V4V4 Position P K1K1 X1X1 X2X2 X3X3 Prover computes K i+1 = PRG(X i, K i ), 1≤ i ≤ 3 Prover broadcasts K 4 to all verifiers Verifiers check response & time of response K4K4 K4K4 K4K4 K4K4 CHEATING ASSUMPTION: For now, assume V i can store X’s!

27 Secure Positioning in 3- Dimensional Space Security will follow from security of position based based key exchange protocol presented later What about correctness?? V1V1 V2V2 V3V3 V4V4 K1K1 X1X1 X2X2 X3X3 Verifiers cannot compute K 4 if they don’t store X i ’s V 3 needs K 2 before broadcasting X 2 to compute K 3 But, V 3 might have to broadcast X 2 before or same time as V 2 broadcasts X 1 K4K4

28 Secure Positioning in 3- Dimensional Space ELIMINATING CHEATING: Protocol when Verifiers cannot store X i ’s V 1, V 2, V 3, V 4 pick K 1, K 2, K 3, K 4 at random before protocol Now, Verifiers know K 4 ; they must help prover compute it V 1 broadcasts K 1 V 2 broadcasts X 1 and K 2 ’ = PRG(X 1,K 1 ) xor K 2 V 3 broadcasts X 2 and K 3 ’ = PRG(X 2,K 2 ) xor K 3 V 4 broadcasts X 3 and K 4 ’ = PRG(X 3,K 3 ) xor K 4 Verifiers secret share K i s and broadcast one share according to X i s

29 Secure Positioning in 3- Dimensional Space V1V1 V2V2 V3V3 V4V4 Position P K1K1 X 3, K 4 ’ X 2, K 3 ’ X 1, K 2 ’ Note that prover can compute K 4 and broadcast K 4

30 Secure Positioning: Bottom line We can do secure positioning in 3D in the bounded retrieval model We can obtain a protocol even if there is a small variance in delivery time when small positioning error is allowed

31 What else can we do in this model? What about key agreement?

32 Information-theoretic Key Exchange in 1-Dimensional Space V1V1 V2V2 Position P P1P1 P2P2 Could not compute key Could compute key, but cannot respond in time Secure positioning

33 Information-theoretic Key Exchange in 1-Dimensional Space V1V1 V2V2 Position P K 1, X 2 X1X1 K 3 = PRG(X 2, PRG(X 1, K 1 )) P1P1 P2P2 Can store A(X 2,K 1 ),K 1 Can store A(X 1, K 1 ) Seems like no adversary can compute PRG(X 2, K 2 ) Intuition works!!

34 Information-theoretic Key Exchange in 3-Dimensional Space V1V1 V2V2 V3V3 V4V4 Position P K 1,X 4 X 1, X 5 X2X2 X3X3 Prover computes K i+1 = PRG(X i, K i ) 1 ≤ i ≤ 5 K 6 is final key Again assume Verifiers can store X’s

35 Subtleties in proof V1V1 V2V2 V3V3 V4V4 Position P K 1,X 4 X 1, X 5 X2X2 X3X3 P1P1 P2P2 P3P3 A(X 4, K 1 ) A(X 3 ) P4P4 A(X 1, A(X 3 ), A(X 4, K 1 ))

36 Proof Ideas A lemma ruling out any adversary simultaneously receiving all messages of the verifiers – Characterizes regions within convex hull where position-based key exchange is possible Combination of geometric arguments to characterize information that adversaries at different positions can obtain Part 1: Geometric Arguments

37 Proof Ideas Part 2: Extractor Arguments Build on techniques from Intrusion-Resilient Random Secret Sharing scheme of Dziembowski-Pietrzak [DP07] Show a reduction of the security of our protocol to a (slight) generalization of [DP07] allowing multiple adversaries working in parallel

38 A REMINDER: Intrusion-Resilient Random Secret Sharing Scheme (IRRSS) [DP07] S1S1 S2S2 S3S3 SnSn X1X1 X2X2 X3X3 XnXn K 1 is chosen at random and given to S 1 S i computes K i+1 = PRG(X i, K i ) and sends K i+1 to S i+1 S n outputs key K n+1 Bounded adversary can corrupt a sequence of players (with repetition) as long as sequence is valid Valid sequence does not contain S 1,S 2,..,S n as a subsequence Eg: If n = 5; 13425434125 is invalid, but 134525435 is valid Then, K n+1 is statistically close to uniform

39 Reduction to IRRSS V1V1 V2V2 V3V3 V4V4 K 1,X 4 X 1, X 5 X2X2 X3X3 P1P1 P2P2 A(X 4, K 1 ) P3P3 A(X 1, A(X 3 ), A(X 4, K 1 )) S1S1 S2S2 S3S3 S4S4 X2X2 X3X3 X4X4 X1X1 S5S5 X5X5 P 1 : corrupts S 4 P 2 : corrupts S 3 P 3 : corrupts S 4, S 3, S 1 All adversaries given K 1 for free A(X 3 )

40 Reduction to IRRSS For every adversary A that receives information only from a verifier (not from other adversaries), we show a corresponding adversary B for [DP07] with valid corruption sequence C. If the corresponding adversary for A has an invalid corruption sequence in [DP07], then A must have received info from all verifiers simultaneously (Not possible by geometric lemma) Given two adversaries A 1 and A 2 with corresponding adversaries B 1 and B 2 (in [DP07]) and sequences C 1 and C 2, show how to get corresponding adversary B for A 1 U A 2 with corruption sequence C.

41 Conclusions WE HAVE SHOWN IN THE PAPER: –Position based Key Exchange in BRM for entire convex hull region (but computational security) –Protocol for position based Public Key Infrastructure –Protocol for position based MPC OPEN: –Other models? (Quantum: [C–Fehr–Goyal–Ostrovsky’09]) –Other applications of position-based crypto?

42 Thank you Full version available at http://eprint.iacr.org/2009/364

Download ppt "Position Based Cryptography Nishanth Chandran Vipul Goyal Ryan Moriarty Rafail Ostrovsky UCLA."

Similar presentations

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.

Secure Location Verification with Hidden and Mobile Base Stations -TMC Apr, 2008 Srdjan Capkun, Kasper Bonne Rasmussen, Mario Cagalj, Mani Srivastava.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,

Christian Schaffner CWI Amsterdam, Netherlands Position-Based Quantum Cryptography: Impossibility and Constructions Seminar Eindhoven, Netherlands Wednesday,
1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.

1 Vipul Goyal Abhishek Jain UCLA On the Round Complexity of Covert Computation.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Similar presentations

Ads by Google