Presentation is loading. Please wait.

Presentation is loading. Please wait.

Seminar in Foundations of Privacy Gil Segev Message Authentication in the Manual Channel Model.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Seminar in Foundations of Privacy Gil Segev Message Authentication in the Manual Channel Model."— Presentation transcript:

1 Seminar in Foundations of Privacy Gil Segev Message Authentication in the Manual Channel Model

2 2 Pairing of Wireless Devices Scenario: Buy a new wireless camera Want to establish a secure channel for the first time Diffie-Hellman key agreement protocol

3 3 Diffie-Hellman Key Agreement Alice and Bob wish to agree on a secret key Public parameters: Group G Generator g 2 G gxgx gygy AliceBob Both parties compute K A,B = g xy Security: Even when given (G, g, g x, g y ) it is still hard to compute g xy

4 4 Diffie-Hellman Key Agreement Decisional Diffie-Hellman assumption (DDH): {(g, g x, g y, g xy )}  {(g, g x, g y, g c )} c for random x, y and c. Computational Indistinguishability Computational Diffie-Hellman assumption (CDH): For every probabilistic polynomial-time algorithm A, every polynomial p(n) and for all sufficiently large n, Pr[A(G n,g n,g n x,g n y ) = g n xy ] < 1/p(n) The probability is taken over A ’s internal coins tosses and over the random choice of (x,y)

5 5 Diffie-Hellman Key Agreement Alice and Bob wish to agree on a secret key Public parameters: Group G Generator g 2 G gxgx gygy AliceBob Both parties compute K A,B = g xy CDH assumption: K A,B is hard to guess DDH assumption:  K A,B is as good as a random secret Secure against passive adversaries Eve is only allowed to read the sent messages

6 6 Pairing of Wireless Devices Scenario: Buy a new wireless camera Want to establish a secure channel for the first time Diffie-Hellman key agreement protocol gxgx gygy

7 7 “I thought this is a wireless camera…” Simple Cheap Authenticated channel DevicesPairing of Wireless Cable pairing

8 8 Pairing of Wireless Devices Problem: Active adversaries (“man-in-the-middle”) Wireless pairing

9 9 Pairing of Wireless Devices Wireless pairing gxgx gygy gaga gbgb Problem: Active adversaries (“man-in-the-middle”)

10 10 Diffie-Hellman Key Agreement Suppose now that Eve is an active adversary “man-in-the-middle” attacker gxgx gaga AliceBob K A,E = g xa gygy gbgb K E,B = g by Eve Completely insecure: Eve can decrypt m, and then re-encrypt it AliceBobEve ENC(K A,E,m)ENC(K E,B,m)

11 11 Diffie-Hellman Key Agreement Suppose now that Eve is an active adversary “man-in-the-middle” attacker gxgx gaga AliceBob K A,E = g xa gygy gbgb K E,B = g by Eve Solution - Message authentication: Alice and Bob authenticate g x and g y

12 12 Message Authentication Assure the receiver of a message that it has not been changed by an active adversary AliceBobEve m m ^ Problem specification: Completeness: No interference   m Bob accepts m (with high probability) Soundness:  m Pr[ Bob accepts m  m ]   ^

13 13 H = {h| h: {0,1} n → {0,1} k } is a family of hash functions One-Time Authentication The secret key enables a single authentication of a message m  {0,1} n Alice and Bob share a random function h  H h is not known to Eve To authenticate m  {0,1} n Alice sends (m,h(m)) Upon receiving (m,z) : If z = h(m), then Bob outputs m and halts Otherwise, Bob outputs ? and halts ^ ^^

14 14 What properties do we require from H ? One-Time Authentication Hard to guess h(m) Success probability at most  Should hold for any m ^ ^

15 15 What properties do we require from H ? One-Time Authentication Hard to guess h(m) even given h(m) Success probability at most  Should hold for any m and m Short representation for h - must have small log|H| ^ ^ Easy to compute h(m) given h and m

16 16 Given h: {0,1} n → {0,1} k we can always guess a correct output with probability at least 2 -k A family where this is tight is called universal 2 Definition: a family H = {h| h: {0,1} n → {0,1} k } is called Strongly Universal 2 or pair-wise independent if: for all m 1  m 2  {0,1} n and y 1, y 2  {0,1} k we have Pr[h(m 1 ) = y 1 and h(m 2 ) = y 2 ] = 2 -2k where the probability is over a randomly chosen h  H In particular Pr[h(m 2 ) = y 2 | h(m 1 ) = y 1 ] = 2 -k Theorem: when a strongly universal 2 family is used in the protocol, Eve’s probability of cheating is at most 2 -k Universal Hash Functions

17 17 The linear polynomial construction: Fix a finite field F of size at least the message space 2 n Could be either GF[2 n ] or GF[P] for some prime P ≥ 2 n The family H of functions h: F → F is defined as H= {h a,b (m) = a∙m + b | a, b  F} Claim: the family above is strongly universal 2 Proof: for every m 1 ≠m 2, y 1, y 2  F there are unique a, b  F such that a∙m 1 +b = y 1 a∙m 2 +b = y 2 Size: each h  H represented by 2n bits Constructing Universal Hash Functions

18 18 Theorem: Let H= {h| h: {0,1} n → {0,1} } be a family of pair-wise independent functions. Then |H| is Ω(2 n ) More precisely, to obtain a d -wise independence family |H| should be Ω(2 n └ d/2 ┘ ) Lower Bound N. Alon and J. Spencer The Probabilistic Method Chapter 15 (derandomization), Proposition 2.3

19 19 More on Authentication Reducing the length of the secret key Almost-pair-wise independent hash functions Interaction Using the same secret key to authenticate any polynomial number of messages Requires computational assumptions Pseudorandom functions Authentication in the public-key world Much more to discuss…

20 20 Pairing of Wireless Devices gxgx gygy gaga gbgb m = g x || g a m = g b || g y ^ Wireless pairing Impossible without additional setup

21 21 Pairing of Wireless Devices gxgx gygy gaga gbgb Wireless pairing Solution: Manual Channel

22 22 The Manual Channel gxgx gygy gaga gbgb 141 User can compare two short strings Wireless pairing

23 23 Manual Channel Model Insecure communication channel Low-bandwidth auxiliary channel: Enables Alice to “manually” authenticate one short string s AliceBob s... s s Adversarial power: Choose the input message m Insecure channel: Full control Manual channel: Read, delay Delivery timing m Interactive Non-interactive

24 24 Manual Channel Model Insecure communication channel Low-bandwidth auxiliary channel: Enables Alice to “manually” authenticate one short string s AliceBob s s Goal: Minimize the length of the manually authenticated string m... s Interactive Non-interactive

25 25 Manual Channel Model AliceBob s s No trusted infrastructure, such as: Public key infrastructure Shared secret key Common reference string....... Suitable for ad hoc networks: Pairing of wireless devices Wireless USB, Bluetooth Secure phones AT&T, PGP, Zfone Many more...... m s

26 26 Implementing the manual channel: Compare two strings displayed by the devices Why Is This Model Reasonable? 141

27 27 Implementing the manual channel: Compare two strings displayed by the devices Type a string, displayed by one device, into the other device 141 Why Is This Model Reasonable?

28 28 Implementing the manual channel: Compare two strings displayed by the devices Type a string, displayed by one device, into the other device Visual hashing Why Is This Model Reasonable?

29 29 Implementing the manual channel: Compare two strings displayed by the devices Type a string, displayed by one device, into the other device Visual hashing Voice channel 141 Why Is This Model Reasonable?

30 30 The Naive Solution AliceBob H - collision resistant hash function (e.g., SHA-256) No efficient algorithm can find m  m s.t. H(m) = H(m) with noticeable probability Any adversary that forges a message can be used to find a collision for H m H(m) ^ ^ AliceBob m H(m) Eve m ^

31 31 The Naive Solution AliceBob H - collision resistant hash function (e.g., SHA-256) No efficient algorithm can find m  m s.t. H(m) = H(m) with noticeable probability Any adversary that forges a message can be used to find a collision for H m H(m) ^ ^ Are we done? No. The output length of SHA-256 is too long (160 bits) Cannot be easily compared or typed by humans

32 32... m s Tight Bounds n -bit ℓ -bit  forgery probability Upper bound: log*n -round protocol in which ℓ = 2log(1/  ) + O(1) No setup or computational assumptions Matching lower bound: n  2log(1/  )  ℓ  2log(1/  ) - 2 One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

33 33 ℓ ℓ = 2log(1/  )ℓ = log(1/  ) Unconditional security Computational security Impossible One-way functions Our Results - Tight Bounds log(1/  )

34 34 Outline Security definition Tight bounds The protocol Lower bound

35 35... m s n -bit ℓ -bit Security Definition Unconditionally secure (n, ℓ, k,  ) -authentication protocol: Completeness: No interference   m Bob accepts m (with high probability) Unforgeability:  m Pr[ Bob accepts m  m ]   n -bit input message ℓ manually authenticated bits k rounds ^

36 36 Outline Security definition Tight bounds The protocol Lower bound

37 37 Preliminaries: For m = m 1... m k  GF[Q] k and x  GF[Q], let m(x) = m i x i  i = 1 k Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ Prob x  R GF[Q] [ m(x) + c = m(x) + c ]  k/Q ^ ^ Based on the [GN93] hashing technique In each round, the parties: Cooperatively choose a hash function Reduce to authenticating a shorter message A short message is manually authenticated The Protocol (simplified)

38 38 We hash m to x || m(x) + c One party chooses x Other party chooses c Preliminaries: For m = m 1... m k  GF[Q] k and x  GF[Q], let m(x) = m i x i  i = 1 k Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ Prob x  R GF[Q] [ m(x) + c = m(x) + c ]  k/Q ^ ^ The Protocol (simplified)

39 39 AliceBob m b1b1 a 1  R GF[Q 1 ] a 2  R GF[Q 2 ] b 1  R GF[Q 1 ] b 2  R GF[Q 2 ] Accept iff m 2 is consistent m 1 = b 1 || m 0 (b 1 ) + a 1 m 2 = a 2 || m 1 (a 2 ) + b 2 m 0 = m Both parties set: a1a1 m2m2 Q 1  n/ , Q 2  log(n)/  2log(1/  ) + 2loglog(n) + O(1) manually authenticated bits Two GF[Q 2 ] elements k rounds  2loglog(n) is reduced to 2log (k-1) (n) b2b2 The Protocol (simplified)

40 40 Security Analysis Must consider all generic man-in-the-middle attacks. Three attacks in our case: Alice BobEve m b1b1 a1a1 b2b2 ma1a1 m2m2 ^ ^ b1b1 b2b2 ^ ^ Attack #1

41 41 Security Analysis Must consider all generic man-in-the-middle attacks. Three attacks in our case: Alice BobEve m b1b1 a1a1 b2b2 ma1a1 ^ ^ b1b1 b2b2 ^ ^ Attack #2 m2m2

42 42 Security Analysis Must consider all generic man-in-the-middle attacks. Three attacks in our case: Alice BobEve m b1b1 a1a1 b2b2 ma1a1 ^ ^ b1b1 b2b2 ^ ^ Attack #3 m2m2 m2m2

43 43 Security Analysis – Attack #1 m 1,A = b 1 || m 0,A (b 1 ) + a 1 m 2,A = a 2 || m 1,A (a 2 ) + b 2 m 0,A = m ^^ ^ m 1,B = b 1 || m 0,B (b 1 ) + a 1 m 2,B = a 2 || m 1,B (a 2 ) + b 2 m 0,B = m ^ ^ Alice BobEve m b1b1 a1a1 b2b2 ma1a1 ^ ^ b1b1 b2b2 ^ ^ m 0,A  m 0,B and m 2,A = m 2,B m 1,A = m 1,B m 1,A  m 1,B and m 2,A = m 2,B Pr[]+   /2 +  /2] m2m2

44 44 Security Analysis – Attack #1 m 1,A = b 1 || m 0,A (b 1 ) + a 1 m 0,A = m ^^ m 1,B = b 1 || m 0,B (b 1 ) + a 1 m 0,B = m ^ ^ Alice BobEve ma1a1 ma1a1 ^ ^ b1b1 ^ m 1,A = m 1,B Pr[]   /2 b1b1 Claim: Eve chooses b 1  b 1 Eve chooses b 1 = b 1 Pr[ m 0,A (b 1 ) + a 1 = m 0,B (b 1 ) + a 1 ]  /2  m 1,A  m 1,B  ^ ^ ^

45 45 Outline Security definition Tight bounds The protocol Lower bound

46 46 Lower Bound AliceBob x2x2 m, x 1 m  R {0,1} n  M, X 1, X 2, S are well defined random variables s

47 47 Lower Bound Goal: H(S)  2log(1/  ) AliceBob X2X2 S M, X 1

48 48 Let X be random variable over domain X with probability distribution P X The Shannon entropy of X is Shannon Entropy (where 0log0 = 0 ) H(X) = - ∑ x 2 X P X (x) log P X (x) Measures the amount of randomness in X on average Measures how much we can compress X on average 0 · H(X) · log| X | Equality, X is constant Equality, X is uniform

49 49 Let X be random variable over domain X with probability distribution P X The min-entropy of X is H 1 (X) = - log max x 2 X P X (x) Measures the amount of randomness in X in the worst-case Represents the most likely value(s) 0 · H 1 (X) · H(X) · log| X | Equality, X is constant Equality, X is uniform A Related Notion: Min-Entropy Equality, X is uniform

50 50 Let X and Y be two random variables over domains X and Y with probability distributions P X and P Y The conditional Shannon entropy of X given Y is H(X,Y) = H(X) + H(Y|X) Conditional Shannon Entropy H(X|Y) = ∑ y 2 Y P Y (y) H(X|Y=y) H(X,Y) = H(Y) + H(X|Y) Observation:

51 51 The mutual information between X and Y is Shannon Mutual Information I(X;Y) = H(X) – H(X|Y) Observation: I(X;Y) = I(Y;X) Conditional mutual information: I(X;Y|Z) = H(X|Z) – H(X|Y,Z)

52 52 Lower Bound Goal: H(S)  2log(1/  ) AliceBob X2X2 S M, X 1 Evolving intuition: The parties must use at least log(1/  ) random bits H(S) = H(S) - H(S | M, X 1 ) + H(S | M, X 1 ) - H(S | M, X 1, X 2 ) + H(S | M, X 1, X 2 ) = I(S ; M, X 1 ) + I(S ; X 2 | M, X 1 ) + H(S | M, X 1, X 2 ) Each party must independently reduce H(S) by log(1/  ) bits Each party must use at least log(1/  ) random bits

53 53 Lower Bound AliceBob X2X2 M, X 1 H(S)= I(S ; M, X 1 ) + I(S ; X 2 | M, X 1 ) + H(S | M, X 1, X 2 ) Alice’s randomnes s Bob’s randomnes s S Goal: H(S)  2log(1/  ) Evolving intuition: The parties must use at least log(1/  ) random bits Each party must independently reduce H(S) by log(1/  ) bits Each party must use at least log(1/  ) random bits

54 54 Lower Bound AliceBob X2X2 M, X 1 H(S)= I(S ; M, X 1 ) + I(S ; X 2 | M, X 1 ) + H(S | M, X 1, X 2 ) Alice’s randomnes s Bob’s randomnes s Lemma 1: I(S ; M, X 1 ) + H(S | M, X 1, X 2 )  log(1/  ) Lemma 2: I(S ; X 2 | M, X 1 )  log(1/  ) S Goal: H(S)  2log(1/  )

55 55 Proof of Lemma 1 Chooses m  R {0,1} n ^ Alice BobEve mx1x1 x2x2 s m ^ x1x1 ^ x2x2 ^ Consider the following attack: Eve wants Alice to manually authenticate s ^ Samples x 2 from the distribution of X 2 given m, x 1 and s ^ ^ If Pr[ s | m, x 1 ] = 0 Eve quits ^ Eve acts as follows: Chooses m  R {0,1} n Forwards s and hopes that s = s ^

56 56 Proof of Lemma 1 By the protocol requirements: Since n  log(1/  ), we get which implies  (S ; M, X 1 ) + H(S | M, X 1, X 2 )  log(1/  ) - 1   Pr[ s = s and m ≠ m ]  Pr[ s = s ] - 2 -n ^^^ 2   Pr[ s = s ] ^ Claim: Pr[ s = s ]  2 - {  (S ; M, X 1 ) + H(S | M, X 1, X 2 ) } ^

57 57 Lower Bound AliceBob X2X2 M, X 1 H(S)= I(S ; M, X 1 ) + I(S ; X 2 | M, X 1 ) + H(S | M, X 1, X 2 ) Alice’s randomnes s Bob’s randomnes s Lemma 1: I(S ; M, X 1 ) + H(S | M, X 1, X 2 )  log(1/  ) - 1 Lemma 2: I(S ; X 2 | M, X 1 )  log(1/  ) - 1 S Goal: H(S)  2log(1/  ) - 2

58 58 References Peter Gemmell and Moni Naor Codes for Interactive Authentication CRYPTO 1993 Moni Naor, Gil Segev and Adam Smith Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models CRYPTO 2006 Whitfield Diffie and Martin E. Hellman New Directions in Cryptography IEEE Transactions on Information Theory 1976 T. Cover and J. A. Thomas Elements of information Theory

Download ppt "Seminar in Foundations of Privacy Gil Segev Message Authentication in the Manual Channel Model."

Similar presentations

Lecturer: Moni Naor Weizmann Institute of Science

Lecturer: Moni Naor Weizmann Institute of Science
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.

Tight Bounds for Unconditional Authentication Protocols in the Moni Naor Gil Segev Adam Smith Weizmann Institute of Science Israel Modeland Shared KeyManual.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006

1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 12 June 18, 2006

1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 12 June 18, 2006
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Lecturer: Moni Naor Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs.

Lecturer: Moni Naor Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs.
ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,

ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google