1 Seminar in Foundations of Privacy
Gil Segev
Message Authentication in the Manual Channel Model
2 Pairing of Wireless Devices
Scenario: you buy a new wireless camera and want to establish a secure channel with it for the first time.
Tool: the Diffie-Hellman key agreement protocol.
3 Diffie-Hellman Key Agreement
Alice and Bob wish to agree on a secret key.
Public parameters: a group $G$ and a generator $g \in G$.
Alice chooses $x$ and sends $g^x$; Bob chooses $y$ and sends $g^y$.
Both parties compute $K_{A,B} = g^{xy}$.
Security: even when given $(G, g, g^x, g^y)$ it is still hard to compute $g^{xy}$.
4 Diffie-Hellman Key Agreement
Decisional Diffie-Hellman assumption (DDH): for random $x, y$ and $c$,
$\{(g, g^x, g^y, g^{xy})\} \approx_c \{(g, g^x, g^y, g^c)\}$,
where $\approx_c$ denotes computational indistinguishability.
Computational Diffie-Hellman assumption (CDH): for every probabilistic polynomial-time algorithm $A$, every polynomial $p(n)$ and all sufficiently large $n$,
$\Pr[A(G_n, g_n, g_n^x, g_n^y) = g_n^{xy}] < 1/p(n)$,
where the probability is taken over $A$'s internal coin tosses and over the random choice of $(x, y)$.
5 Diffie-Hellman Key Agreement
Alice and Bob wish to agree on a secret key.
Public parameters: a group $G$ and a generator $g \in G$.
Alice sends $g^x$, Bob sends $g^y$, and both parties compute $K_{A,B} = g^{xy}$.
CDH assumption: $K_{A,B}$ is hard to guess.
DDH assumption: $K_{A,B}$ is as good as a random secret.
This is secure only against passive adversaries: Eve is allowed to read the messages sent, nothing more.
6 Pairing of Wireless Devices
Scenario: buy a new wireless camera; want to establish a secure channel for the first time.
Run the Diffie-Hellman key agreement protocol over the wireless link: the two devices exchange $g^x$ and $g^y$.
7 "I thought this is a wireless camera..."
Pairing of wireless devices by cable: simple and cheap, and the cable is an authenticated channel.
8 Pairing of Wireless Devices
Wireless pairing. Problem: active adversaries ("man-in-the-middle").

9 Pairing of Wireless Devices
Wireless pairing with an active adversary: Alice sends $g^x$ and Bob sends $g^y$, but the man-in-the-middle replaces them with her own $g^a$ and $g^b$.
Problem: active adversaries ("man-in-the-middle").
10 Diffie-Hellman Key Agreement
Suppose now that Eve is an active adversary, a "man-in-the-middle" attacker.
Alice sends $g^x$; Eve intercepts it and answers Alice with $g^a$, so Alice computes $K_{A,E} = g^{xa}$.
Bob sends $g^y$; Eve intercepts it and sends Bob $g^b$, so Bob computes $K_{E,B} = g^{by}$.
Completely insecure: Eve can decrypt $m$ and then re-encrypt it:
Alice $\to$ Eve: $\mathrm{ENC}(K_{A,E}, m)$; Eve $\to$ Bob: $\mathrm{ENC}(K_{E,B}, m)$.
11 Diffie-Hellman Key Agreement
Suppose again that Eve is an active "man-in-the-middle" attacker: Alice ends up with $K_{A,E} = g^{xa}$ and Bob with $K_{E,B} = g^{by}$.
Solution: message authentication. Alice and Bob authenticate $g^x$ and $g^y$.
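The man-in-the-middle run of slides 10 and 11, as an added example that is not part of the original slides. The toy group (the Mersenne prime $2^{31}-1$ with generator 7) and the XOR-with-SHA-256 stand-in for $\mathrm{ENC}$ are assumptions of this example; a real system would use a 2048-bit group or an elliptic curve, and the attack is unchanged. The simulation shows Alice and Bob each agreeing a key with Eve rather than with each other, Eve reading and re-encrypting the message, and the two sides' transcripts differing, which is exactly what authenticating $g^x$ and $g^y$ would expose.

```python
import hashlib
import secrets

# Toy group, an assumption of this example: the Mersenne prime 2^31 - 1 with
# generator 7.  Nothing in the attack depends on the group size.
P = 2**31 - 1
G = 7


def dh_share(exponent):
    """Public value g^exponent sent over the insecure channel."""
    return pow(G, exponent, P)


def dh_key(peer_share, exponent):
    """Shared secret (peer_share)^exponent, i.e. g^(xy) for honest parties."""
    return pow(peer_share, exponent, P)


def keystream_xor(shared, data):
    """Toy symmetric cipher (assumption of the example): XOR with a SHA-256
    stream keyed by the agreed secret.  It is only here to show that Eve can
    decrypt and re-encrypt; XOR makes encryption and decryption the same call."""
    key = shared.to_bytes(4, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _random_exponent():
    return secrets.randbelow(P - 2) + 1


def mitm_run(message, x=None, y=None, a=None, b=None):
    """Unauthenticated Diffie-Hellman with Eve in the middle.

    Alice holds x, Bob holds y, Eve holds a and b.  Eve answers Alice with g^a
    instead of Bob's g^y and sends Bob g^b instead of Alice's g^x, so Alice
    shares K_{A,E} = g^(xa) with Eve and Bob shares K_{E,B} = g^(by) with Eve.
    Exponents default to fresh random values and can be fixed for testing.
    """
    x, y, a, b = (v if v is not None else _random_exponent()
                  for v in (x, y, a, b))

    # Honest public values and Eve's substitutes.
    gx, gy = dh_share(x), dh_share(y)
    ga, gb = dh_share(a), dh_share(b)

    k_alice = dh_key(ga, x)   # Alice computes (g^a)^x
    k_eve_a = dh_key(gx, a)   # Eve computes   (g^x)^a, the same value
    k_bob = dh_key(gb, y)     # Bob computes   (g^b)^y
    k_eve_b = dh_key(gy, b)   # Eve computes   (g^y)^b, the same value

    # Alice encrypts for "Bob"; Eve decrypts, reads, and re-encrypts for Bob.
    ct_from_alice = keystream_xor(k_alice, message)
    seen_by_eve = keystream_xor(k_eve_a, ct_from_alice)
    ct_to_bob = keystream_xor(k_eve_b, seen_by_eve)
    read_by_bob = keystream_xor(k_bob, ct_to_bob)

    return {
        "k_alice": k_alice, "k_eve_a": k_eve_a,
        "k_bob": k_bob, "k_eve_b": k_eve_b,
        "seen_by_eve": seen_by_eve, "read_by_bob": read_by_bob,
        # What each side would authenticate: Alice saw (g^x, g^a), Bob saw
        # (g^b, g^y).  They differ, so authenticated transcripts catch Eve.
        "alice_transcript": (gx, ga),
        "bob_transcript": (gb, gy),
    }


if __name__ == "__main__":
    r = mitm_run(b"pair with camera 141")
    print("Alice shares her key with Eve:", r["k_alice"] == r["k_eve_a"])
    print("Bob shares his key with Eve:  ", r["k_bob"] == r["k_eve_b"])
    print("Eve read:", r["seen_by_eve"])
```

Both honest parties see a protocol that completed normally; only a comparison of the two transcripts (or of something derived from them over an authenticated channel) reveals the substitution.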
12 Message Authentication
Goal: assure the receiver of a message that it has not been changed by an active adversary.
Alice sends $m$; Eve may tamper with it; Bob receives $\hat{m}$.
Problem specification:
Completeness: if there is no interference, Bob accepts $m$ (with high probability).
Soundness: for every $\hat{m} \neq m$, $\Pr[\text{Bob accepts } \hat{m}] \le \varepsilon$.
13 One-Time Authentication
$H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is a family of hash functions.
The secret key enables a single authentication of a message $m \in \{0,1\}^n$.
Alice and Bob share a random function $h \in H$; $h$ is not known to Eve.
To authenticate $m \in \{0,1\}^n$, Alice sends $(m, h(m))$.
Upon receiving $(\hat{m}, \hat{z})$: if $\hat{z} = h(\hat{m})$, Bob outputs $\hat{m}$ and halts; otherwise Bob outputs $\bot$ and halts.
14 One-Time Authentication
What properties do we require from $H$?
It should be hard to guess $h(\hat{m})$: success probability at most $\varepsilon$, and this should hold for any $\hat{m}$.

15 One-Time Authentication
What properties do we require from $H$?
It should be hard to guess $h(\hat{m})$ even given $h(m)$: success probability at most $\varepsilon$, and this should hold for any $m$ and $\hat{m} \neq m$.
Short representation for $h$: the family must have small $\log|H|$ (this is the key length).
Easy to compute $h(m)$ given $h$ and $m$.
16 Universal Hash Functions
Given $h: \{0,1\}^n \to \{0,1\}^k$ we can always guess a correct output with probability at least $2^{-k}$. A family where this is tight is called universal$_2$.
Definition: a family $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is called strongly universal$_2$, or pairwise independent, if for all $m_1 \neq m_2 \in \{0,1\}^n$ and all $y_1, y_2 \in \{0,1\}^k$,
$\Pr[h(m_1) = y_1 \text{ and } h(m_2) = y_2] = 2^{-2k}$,
where the probability is over a randomly chosen $h \in H$.
In particular, $\Pr[h(m_2) = y_2 \mid h(m_1) = y_1] = 2^{-k}$.
Theorem: when a strongly universal$_2$ family is used in the protocol, Eve's probability of cheating is at most $2^{-k}$.
17 Constructing Universal Hash Functions
The linear polynomial construction: fix a finite field $F$ of size at least the message space $2^n$; it could be either $GF[2^n]$ or $GF[P]$ for some prime $P \ge 2^n$.
The family $H$ of functions $h: F \to F$ is defined as
$H = \{h_{a,b}(m) = a \cdot m + b \mid a, b \in F\}$.
Claim: the family above is strongly universal$_2$.
Proof: for every $m_1 \neq m_2$ and $y_1, y_2 \in F$ there are unique $a, b \in F$ such that $a \cdot m_1 + b = y_1$ and $a \cdot m_2 + b = y_2$ (subtracting the two equations gives $a = (y_1 - y_2)/(m_1 - m_2)$, which is well defined since $m_1 \neq m_2$, and then $b$ is determined). So exactly one of the $|F|^2$ keys maps $(m_1, m_2)$ to $(y_1, y_2)$.
Size: each $h \in H$ is represented by $2n$ bits.
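The linear polynomial family and the one-time authentication protocol of slides 13 and 17, as an added example that is not part of the original slides. A small prime field $GF[p]$ is an assumption of the example (the slides allow $GF[2^n]$ as well); it is chosen so that the pairwise-independence definition of slide 16 and the $2^{-k}$ cheating bound can be checked by exhaustive enumeration rather than argued.

```python
import itertools
import secrets

# GF[p] for a prime p (assumption of this example: p = 7 or 13 is enough to
# enumerate every key and every message).  Arithmetic is plain mod p.


def hash_ab(a, b, m, p):
    """h_{a,b}(m) = a*m + b over GF[p], the linear polynomial construction."""
    return (a * m + b) % p


def keygen(p):
    """Shared one-time key: a uniformly random pair (a, b) in GF[p]^2,
    i.e. two field elements (the slide's 2n bits)."""
    return secrets.randbelow(p), secrets.randbelow(p)


def authenticate(key, m, p):
    """Alice sends (m, h(m))."""
    a, b = key
    return m, hash_ab(a, b, m, p)


def verify(key, received, p):
    """Bob outputs m_hat if z_hat == h(m_hat), otherwise None (the slide's bottom)."""
    a, b = key
    m_hat, z_hat = received
    return m_hat if z_hat == hash_ab(a, b, m_hat, p) else None


def is_strongly_universal(p):
    """Exhaustively check the strongly universal_2 definition for GF[p]:
    for every m1 != m2 and every (y1, y2), exactly one key (a, b) out of p^2
    maps m1 -> y1 and m2 -> y2, i.e. probability 1/p^2 = 2^(-2k) for k = log p."""
    keys = list(itertools.product(range(p), repeat=2))
    for m1, m2 in itertools.permutations(range(p), 2):
        for y1, y2 in itertools.product(range(p), repeat=2):
            hits = sum(1 for a, b in keys
                       if hash_ab(a, b, m1, p) == y1
                       and hash_ab(a, b, m2, p) == y2)
            if hits != 1:
                return False
    return True


def best_forgery_probability(p, m, z):
    """Eve has seen one valid pair (m, z) and wants Bob to accept some
    m_hat != m.  Over the keys consistent with (m, z), count how often a
    candidate z_hat is accepted; the maximum over (m_hat, z_hat) is Eve's
    best cheating probability.  The slide's theorem says it is 1/p = 2^(-k)."""
    consistent = [(a, b) for a in range(p) for b in range(p)
                  if hash_ab(a, b, m, p) == z]
    best = 0.0
    for m_hat in range(p):
        if m_hat == m:
            continue
        for z_hat in range(p):
            ok = sum(1 for a, b in consistent
                     if hash_ab(a, b, m_hat, p) == z_hat)
            best = max(best, ok / len(consistent))
    return best


if __name__ == "__main__":
    p = 13
    key = keygen(p)
    tag = authenticate(key, 9, p)
    print("honest:", verify(key, tag, p))                 # 9
    print("tampered:", verify(key, (tag[0] + 1, tag[1]), p))  # None
    print("strongly universal_2:", is_strongly_universal(p))
    print("best forgery probability:", best_forgery_probability(p, *tag), "vs 1/p =", 1 / p)
```

Seeing $h(m)$ pins $b$ to a function of $a$, but every choice of $a$ remains equally likely, which is why one tag gives Eve nothing beyond the $1/p$ guess. A second tag under the same key would fix $a$ as well, so the key is strictly one-time.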
18 Lower Bound
Theorem: let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}\}$ be a family of pairwise independent functions. Then $|H|$ is $\Omega(2^n)$.
More precisely, to obtain a $d$-wise independent family, $|H|$ should be $\Omega(2^{n \lfloor d/2 \rfloor})$.
See N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 (derandomization), Proposition 2.3.
19 More on Authentication
Reducing the length of the secret key: almost-pairwise-independent hash functions; interaction.
Using the same secret key to authenticate any polynomial number of messages: requires computational assumptions (pseudorandom functions).
Authentication in the public-key world.
Much more to discuss...
20 Pairing of Wireless Devices
Wireless pairing with a man-in-the-middle: Alice sends $g^x$ and receives $g^a$; Bob receives $g^b$ and sends $g^y$. The transcript Alice would authenticate is $m = g^x \| g^a$, while the one Bob holds is $\hat{m} = g^b \| g^y$.
Authenticating $m$ over the wireless channel alone is impossible without additional setup.

21 Pairing of Wireless Devices
Wireless pairing with a man-in-the-middle ($g^x, g^y$ replaced by $g^a, g^b$).
Solution: a manual channel.
22 The Manual Channel
Wireless pairing: in addition to the wireless exchange of $g^x, g^y$ (which Eve can replace with $g^a, g^b$), the user can compare two short strings displayed by the devices (e.g., "141").

23 Manual Channel Model
An insecure communication channel, plus a low-bandwidth auxiliary channel that enables Alice to "manually" authenticate one short string $s$.
Alice sends the message $m$ over the insecure channel (possibly followed by further interaction) and $s$ over the manual channel.
Adversarial power: Eve chooses the input message $m$; over the insecure channel she has full control; over the manual channel she can only read and delay (she controls delivery timing).
The protocol may be interactive or non-interactive.
24 Manual Channel Model
An insecure communication channel, plus a low-bandwidth auxiliary channel that enables Alice to "manually" authenticate one short string $s$.
Goal: minimize the length of the manually authenticated string.

25 Manual Channel Model
No trusted infrastructure is required, such as a public key infrastructure, a shared secret key, or a common reference string.
Suitable for ad hoc networks: pairing of wireless devices (Wireless USB, Bluetooth); secure phones (AT&T, PGP, Zfone); many more.
26-29 Why Is This Model Reasonable?
Implementing the manual channel:
- Compare two strings displayed by the devices (e.g., "141").
- Type a string, displayed by one device, into the other device.
- Visual hashing.
- Voice channel.
30 The Naive Solution
Let $H$ be a collision-resistant hash function (e.g., SHA-256): no efficient algorithm can find $m \neq \hat{m}$ such that $H(m) = H(\hat{m})$ with noticeable probability.
Alice sends $m$ over the insecure channel and $H(m)$ over the manual channel; Bob accepts the $\hat{m}$ he received iff $H(\hat{m})$ equals the manually authenticated value.
Any adversary that forges a message can be used to find a collision for $H$.

31 The Naive Solution
Are we done? No. The output of SHA-256 is 256 bits, far too long to be easily compared or typed by humans.
32 Tight Bounds
Setting: an $n$-bit message $m$ over the insecure channel, an $\ell$-bit string $s$ over the manual channel, forgery probability $\varepsilon$.
Upper bound: a $\log^* n$-round protocol in which $\ell = 2\log(1/\varepsilon) + O(1)$, with no setup or computational assumptions.
Matching lower bound: if $n \ge 2\log(1/\varepsilon)$ then $\ell \ge 2\log(1/\varepsilon) - 2$.
One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting.
33 Our Results - Tight Bounds
The picture as a function of the manually authenticated length $\ell$:
- $\ell < \log(1/\varepsilon)$: impossible.
- $\log(1/\varepsilon) \le \ell < 2\log(1/\varepsilon)$: computational security only, requiring one-way functions.
- $\ell \ge 2\log(1/\varepsilon)$: unconditional security.
34 Outline
Security definition; tight bounds; the protocol; lower bound.
35 Security Definition
Setting: Alice sends an $n$-bit message $m$ over the insecure channel and an $\ell$-bit string $s$ over the manual channel.
Unconditionally secure $(n, \ell, k, \varepsilon)$-authentication protocol:
Completeness: if there is no interference, Bob accepts $m$ (with high probability).
Unforgeability: for every $\hat{m} \neq m$, $\Pr[\text{Bob accepts } \hat{m}] \le \varepsilon$.
Here $n$ is the length of the input message, $\ell$ the number of manually authenticated bits, and $k$ the number of rounds.
36 Outline
Security definition; tight bounds; the protocol; lower bound.
37 The Protocol (simplified)
Preliminaries: for $m = m_1 \ldots m_k \in GF[Q]^k$ and $x \in GF[Q]$, let
$m(x) = \sum_{i=1}^{k} m_i x^i$.
Then for any $m \neq \hat{m}$ and any $c, \hat{c} \in GF[Q]$,
$\Pr_{x \in_R GF[Q]}[m(x) + c = \hat{m}(x) + \hat{c}] \le k/Q$,
because $m(x) - \hat{m}(x) + c - \hat{c}$ is a nonzero polynomial of degree at most $k$ and so has at most $k$ roots.
Based on the [GN93] hashing technique. In each round the parties cooperatively choose a hash function and reduce the task to authenticating a shorter message; finally a short message is manually authenticated.

38 The Protocol (simplified)
Preliminaries as above: $m(x) = \sum_{i=1}^{k} m_i x^i$, and $\Pr_{x \in_R GF[Q]}[m(x) + c = \hat{m}(x) + \hat{c}] \le k/Q$ for $m \neq \hat{m}$.
We hash $m$ to $x \| m(x) + c$: one party chooses $x$, the other party chooses $c$.
39 The Protocol (simplified)
Both parties set $m_0 = m$.
Alice sends $m$ to Bob over the insecure channel.
Bob chooses $b_1 \in_R GF[Q_1]$ and sends it; Alice chooses $a_1 \in_R GF[Q_1]$ and sends it. Both parties set $m_1 = b_1 \| m_0(b_1) + a_1$.
Alice chooses $a_2 \in_R GF[Q_2]$ and sends it; Bob chooses $b_2 \in_R GF[Q_2]$ and sends it. Both parties set $m_2 = a_2 \| m_1(a_2) + b_2$.
Alice sends $m_2$ over the manual channel. Bob accepts iff $m_2$ is consistent with his own view.
Parameters: $Q_1 \approx n/\varepsilon$ and $Q_2 \approx \log(n)/\varepsilon$.
Manually authenticated bits: two $GF[Q_2]$ elements, i.e., $2\log(1/\varepsilon) + 2\log\log(n) + O(1)$ bits.
With $k$ rounds, the $2\log\log(n)$ term is reduced to $2\log^{(k-1)}(n)$.
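The simplified protocol above together with the collision bound of slide 37, as an added example that is not part of the original slides. The field sizes $Q_1 = 1009$, $Q_2 = 101$ and the 4-symbol message are assumptions chosen small enough to enumerate (the slide takes $Q_1 \approx n/\varepsilon$, $Q_2 \approx \log(n)/\varepsilon$); re-reading $m_1$ as base-$Q_2$ digits before the second hash is one concrete encoding, which the slide does not fix. Eve here substitutes $\hat{m}$ for $m$ and forwards every later message unchanged, i.e. Attack #1 with $\hat{b}_1 = b_1$ and $\hat{a}_1 = a_1$.

```python
import secrets

# Field sizes are assumptions for this example; both are primes so that GF[Q]
# arithmetic is plain modular arithmetic.
Q1 = 1009
Q2 = 101


def poly_eval(m, x, q):
    """m(x) = sum_{i=1..k} m_i * x^i over GF[q], for m = (m_1, ..., m_k)."""
    acc, power = 0, 1
    for m_i in m:
        power = (power * x) % q
        acc = (acc + m_i * power) % q
    return acc


def collision_count(m, m_hat, c, c_hat, q):
    """Number of x in GF[q] with m(x) + c == m_hat(x) + c_hat.

    For m != m_hat the difference is a nonzero polynomial of degree <= k, so
    there are at most k such x: the slide's k/Q bound, computed exactly."""
    return sum(1 for x in range(q)
               if (poly_eval(m, x, q) + c) % q
               == (poly_eval(m_hat, x, q) + c_hat) % q)


def round_hash(m, x, c, q):
    """One hashing round: reduce m to the shorter string x || m(x) + c."""
    return (x, (poly_eval(m, x, q) + c) % q)


def to_symbols(pair, q_in, q_out):
    """Re-read the pair (x, v) over GF[q_in] as a short list of GF[q_out]
    symbols so it can be hashed again.  Base-q_out digits of x*q_in + v are
    one concrete choice (assumption of this example)."""
    value = pair[0] * q_in + pair[1]
    digits = []
    while value:
        digits.append(value % q_out)
        value //= q_out
    return digits or [0]


def run_protocol(m, m_hat=None, rng=secrets.randbelow):
    """The two-hash protocol.  Alice holds m; Bob receives m_hat (== m when
    Eve is passive).  Eve substitutes only Alice's first message and forwards
    b1, a1, a2, b2 unchanged.  Returns (accepted, m2), where m2 is the pair of
    GF[Q2] elements Alice sends over the manual channel.
    """
    if m_hat is None:
        m_hat = m
    # Round 1: Bob picks the evaluation point b1, Alice picks the mask a1;
    # each side sets m1 = b1 || m0(b1) + a1 on its own copy of m0.
    b1, a1 = rng(Q1), rng(Q1)
    m1_alice = round_hash(m, b1, a1, Q1)
    m1_bob = round_hash(m_hat, b1, a1, Q1)
    # Round 2: Alice picks the point a2, Bob picks the mask b2;
    # each side sets m2 = a2 || m1(a2) + b2.
    a2, b2 = rng(Q2), rng(Q2)
    m2_alice = round_hash(to_symbols(m1_alice, Q1, Q2), a2, b2, Q2)
    m2_bob = round_hash(to_symbols(m1_bob, Q1, Q2), a2, b2, Q2)
    # Manual channel: Bob accepts iff Alice's m2 is consistent with his own.
    return m2_alice == m2_bob, m2_alice


def attack_success_rate(m, m_hat, trials=2000):
    """Empirical forgery rate when Eve replaces m by m_hat.  With the sizes
    above it stays below about k/Q1 + 3/Q2, i.e. a few percent."""
    wins = sum(run_protocol(m, m_hat)[0] for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    m, m_hat = [1, 2, 3, 4], [4, 3, 2, 1]
    print("honest run accepted:", run_protocol(m)[0])
    print("roots of m - m_hat in GF[Q1]:", collision_count(m, m_hat, 0, 0, Q1))
    print("forgery rate:", attack_success_rate(m, m_hat))
```

The `rng` parameter exists so the run can be made deterministic; with real randomness the only way Eve's substitution survives is a collision at one of the two hashing stages, whose probability the slide bounds by $\varepsilon/2$ each.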
40-42 Security Analysis
We must consider all generic man-in-the-middle attacks. Eve sits between Alice and Bob: on Alice's side she sees $m, a_1, a_2$ and delivers $\hat{b}_1, \hat{b}_2$; on Bob's side she delivers $\hat{m}, \hat{a}_1$ and sees $b_1, b_2$; the manually authenticated $m_2$ reaches Bob unchanged.
Three attacks in our case, Attack #1, Attack #2 and Attack #3, differing in how Eve interleaves her messages with the honest ones.
[Figures: message-flow diagrams for Attack #1, Attack #2 and Attack #3]
43 Security Analysis - Attack #1
Alice's view: $m_{0,A} = m$, $m_{1,A} = \hat{b}_1 \| m_{0,A}(\hat{b}_1) + a_1$, $m_{2,A} = a_2 \| m_{1,A}(a_2) + \hat{b}_2$.
Bob's view: $m_{0,B} = \hat{m}$, $m_{1,B} = b_1 \| m_{0,B}(b_1) + \hat{a}_1$, $m_{2,B} = a_2 \| m_{1,B}(a_2) + b_2$.
Eve succeeds iff $m_{0,A} \neq m_{0,B}$ and $m_{2,A} = m_{2,B}$, so
$\Pr[m_{0,A} \neq m_{0,B} \text{ and } m_{2,A} = m_{2,B}] \le \Pr[m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \neq m_{1,B} \text{ and } m_{2,A} = m_{2,B}] \le \varepsilon/2 + \varepsilon/2$.

44 Security Analysis - Attack #1
Claim: $\Pr[m_{1,A} = m_{1,B}] \le \varepsilon/2$.
If Eve chooses $\hat{b}_1 \neq b_1$, then $m_{1,A} \neq m_{1,B}$ (their first components differ).
If Eve chooses $\hat{b}_1 = b_1$, then $\Pr[m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + \hat{a}_1] \le \varepsilon/2$.
45 Outline
Security definition; tight bounds; the protocol; lower bound.
46 Lower Bound
Alice chooses $m \in_R \{0,1\}^n$ and sends $(m, x_1)$ over the insecure channel; Bob replies $x_2$; Alice sends $s$ over the manual channel.
$M, X_1, X_2, S$ are well-defined random variables.

47 Lower Bound
Goal: $H(S) \ge 2\log(1/\varepsilon)$.
48 Shannon Entropy
Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$. The Shannon entropy of $X$ is
$H(X) = -\sum_{x \in \mathcal{X}} P_X(x) \log P_X(x)$ (where $0 \log 0 = 0$).
It measures the amount of randomness in $X$ on average, equivalently how much we can compress $X$ on average.
$0 \le H(X) \le \log|\mathcal{X}|$, with equality on the left iff $X$ is constant and equality on the right iff $X$ is uniform.

49 A Related Notion: Min-Entropy
Let $X$ be a random variable over domain $\mathcal{X}$ with probability distribution $P_X$. The min-entropy of $X$ is
$H_\infty(X) = -\log \max_{x \in \mathcal{X}} P_X(x)$.
It measures the amount of randomness in $X$ in the worst case: it is determined by the most likely value(s).
$0 \le H_\infty(X) \le H(X) \le \log|\mathcal{X}|$; the first inequality is an equality iff $X$ is constant, the last two iff $X$ is uniform.

50 Conditional Shannon Entropy
Let $X$ and $Y$ be two random variables over domains $\mathcal{X}$ and $\mathcal{Y}$ with probability distributions $P_X$ and $P_Y$. The conditional Shannon entropy of $X$ given $Y$ is
$H(X \mid Y) = \sum_{y \in \mathcal{Y}} P_Y(y)\, H(X \mid Y = y)$.
Observation (chain rule): $H(X, Y) = H(X) + H(Y \mid X) = H(Y) + H(X \mid Y)$.

51 Shannon Mutual Information
The mutual information between $X$ and $Y$ is
$I(X; Y) = H(X) - H(X \mid Y)$.
Observation: $I(X; Y) = I(Y; X)$.
Conditional mutual information: $I(X; Y \mid Z) = H(X \mid Z) - H(X \mid Y, Z)$.
52 Lower Bound
Goal: $H(S) \ge 2\log(1/\varepsilon)$.
Evolving intuition: the parties must use at least $\log(1/\varepsilon)$ random bits; each party must independently reduce $H(S)$ by $\log(1/\varepsilon)$ bits; hence each party must use at least $\log(1/\varepsilon)$ random bits.
Add and subtract the conditional entropies to decompose $H(S)$:
$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$
$\phantom{H(S)} = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$.

53 Lower Bound
$H(S) = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$.
The first and third terms come from Alice's randomness; the second term comes from Bob's randomness.
Goal: $H(S) \ge 2\log(1/\varepsilon)$, following the intuition above: each party must independently reduce $H(S)$ by $\log(1/\varepsilon)$ bits, so each must use at least $\log(1/\varepsilon)$ random bits.

54 Lower Bound
$H(S) = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$ (Alice's randomness, Bob's randomness, Alice's randomness).
Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon)$.
Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\varepsilon)$.
Goal: $H(S) \ge 2\log(1/\varepsilon)$.
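The entropy definitions of slides 48 to 51 and the decomposition of slides 52 to 54, as an added example that is not part of the original slides. The joint distribution is a constructed toy (Alice's $M$ and coin $X_1$ and Bob's coin $X_2$ uniform, with $S = M + X_1 + X_2 \bmod 4$), not a real protocol; it only serves to evaluate each term of $H(S) = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$ numerically and confirm that the three terms add up to $H(S)$, with the first and third attributable to Alice's coins and the second to Bob's.

```python
from collections import defaultdict
from math import log2

# Coordinates of an outcome tuple (m, x1, x2, s).
M, X1, X2, S = 0, 1, 2, 3


def toy_joint():
    """Constructed joint distribution over (M, X1, X2, S): M uniform on
    {0..3}, X1 and X2 uniform bits, S = (M + X1 + X2) mod 4.  This is an
    assumption of the example, not any protocol from the slides."""
    joint = defaultdict(float)
    for m in range(4):
        for x1 in range(2):
            for x2 in range(2):
                joint[(m, x1, x2, (m + x1 + x2) % 4)] += 1 / 16
    return dict(joint)


def marginal(joint, idx):
    """Marginal distribution of the coordinates listed in idx (idx may be empty)."""
    out = defaultdict(float)
    for outcome, p in joint.items():
        out[tuple(outcome[i] for i in idx)] += p
    return out


def entropy(joint, idx):
    """Shannon entropy H(X_idx), with the 0 log 0 = 0 convention."""
    return -sum(p * log2(p) for p in marginal(joint, idx).values() if p > 0)


def min_entropy(joint, idx):
    """H_inf(X_idx) = -log max_x P(x)."""
    return -log2(max(marginal(joint, idx).values()))


def cond_entropy(joint, idx, given):
    """H(X_idx | X_given) = H(X_idx, X_given) - H(X_given), the chain rule."""
    return entropy(joint, tuple(idx) + tuple(given)) - entropy(joint, given)


def mutual_info(joint, idx, other, given=()):
    """I(X_idx ; X_other | X_given) = H(X_idx | given) - H(X_idx | other, given)."""
    return (cond_entropy(joint, idx, given)
            - cond_entropy(joint, idx, tuple(other) + tuple(given)))


def decompose_manual_string(joint):
    """Return H(S) and the three terms of
       H(S) = I(S;M,X1) + I(S;X2|M,X1) + H(S|M,X1,X2)
    so the identity can be checked numerically."""
    h_s = entropy(joint, (S,))
    alice_info = mutual_info(joint, (S,), (M, X1))          # Alice's randomness
    bob_info = mutual_info(joint, (S,), (X2,), given=(M, X1))  # Bob's randomness
    residual = cond_entropy(joint, (S,), (M, X1, X2))        # Alice's randomness
    return h_s, alice_info, bob_info, residual


if __name__ == "__main__":
    joint = toy_joint()
    h_s, a, b, r = decompose_manual_string(joint)
    print(f"H(S) = {h_s:.3f}")
    print(f"I(S;M,X1) = {a:.3f}, I(S;X2|M,X1) = {b:.3f}, H(S|M,X1,X2) = {r:.3f}")
    print(f"sum = {a + b + r:.3f}, H_inf(S) = {min_entropy(joint, (S,)):.3f}")
```

In the toy distribution each party's coin flip contributes exactly one bit to $S$ and nothing is left over, which is the shape the lemmas impose on any real protocol: each of the two randomness terms must carry at least $\log(1/\varepsilon)$ bits.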
55 Proof of Lemma 1
Consider the following attack, in which Eve wants Alice to manually authenticate $\hat{s}$. Eve acts as follows:
- Chooses $\hat{m} \in_R \{0,1\}^n$ and delivers it to Bob in place of $m$.
- If $\Pr[\hat{s} \mid m, x_1] = 0$, Eve quits.
- Samples $\hat{x}_2$ from the distribution of $X_2$ given $m, x_1$ and $\hat{s}$, and delivers it to Alice.
- Forwards Alice's manually authenticated $s$ to Bob and hopes that $s = \hat{s}$.

56 Proof of Lemma 1
Claim: $\Pr[s = \hat{s}] \ge 2^{-\{I(S; M, X_1) + H(S \mid M, X_1, X_2)\}}$.
By the protocol requirements (and since $\hat{m}$ is uniform, so $\Pr[m = \hat{m}] = 2^{-n}$):
$\varepsilon \ge \Pr[s = \hat{s} \text{ and } m \neq \hat{m}] \ge \Pr[s = \hat{s}] - 2^{-n}$.
Since $n \ge \log(1/\varepsilon)$, we get $2\varepsilon \ge \Pr[s = \hat{s}]$, which implies
$I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon) - 1$.

57 Lower Bound
$H(S) = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$ (Alice's randomness, Bob's randomness, Alice's randomness).
Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon) - 1$.
Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\varepsilon) - 1$.
Goal achieved: $H(S) \ge 2\log(1/\varepsilon) - 2$.
58 References
Peter Gemmell and Moni Naor. Codes for Interactive Authentication. CRYPTO 1993.
Moni Naor, Gil Segev and Adam Smith. Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models. CRYPTO 2006.
Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 1976.
T. Cover and J. A. Thomas. Elements of Information Theory.