Foundations of Cryptography. Lecturer: Gil Segev. Lecture 7: Message Authentication in the Manual Channel Model

Page 1: Foundations of Cryptography

Foundations of Cryptography

Lecturer: Gil Segev

Lecture 7:

Message Authentication in the Manual Channel Model

Page 2: Foundations of Cryptography

Diffie-Hellman Key Agreement

Alice and Bob wish to agree on a secret key:

Alice → Bob: g^x
Bob → Alice: g^y

Both parties compute K_{A,B} = g^{xy}.

DDH assumption (computational indistinguishability):

{(g, g^x, g^y, g^{xy})} ≈_c {(g, g^x, g^y, g^c)}

for random x, y and c.

Page 3: Foundations of Cryptography

Diffie-Hellman Key Agreement

Alice and Bob wish to agree on a secret key:

Alice → Bob: g^x
Bob → Alice: g^y

Both parties compute K_{A,B} = g^{xy}.

DDH assumption: K_{A,B} is as good as a random secret.

Secure against passive adversaries: Eve is only allowed to read the sent messages.

Alice and Bob can now use K_{A,B} as a one-time pad: Alice → Bob: z, encrypted under K_{A,B}.

Page 4: Foundations of Cryptography

Diffie-Hellman Key Agreement

Suppose now that Eve is an active adversary (a "man-in-the-middle" attacker):

Alice → Eve: g^x        Eve → Alice: g^a        Alice and Eve share K_{A,E} = g^{xa}
Eve → Bob: g^b          Bob → Eve: g^y          Eve and Bob share K_{E,B} = g^{by}

Completely insecure: Eve can decrypt z (sent by Alice under K_{A,E}) and then re-encrypt it for Bob under K_{E,B}.

Page 5: Foundations of Cryptography

Diffie-Hellman Key Agreement

Suppose now that Eve is an active adversary (a "man-in-the-middle" attacker):

Alice → Eve: g^x        Eve → Alice: g^a        K_{A,E} = g^{xa}
Eve → Bob: g^b          Bob → Eve: g^y          K_{E,B} = g^{by}

Solution: message authentication. Alice and Bob authenticate g^x and g^y.

Problem: authentication requires setup, such as a shared secret key or a public key infrastructure.

Page 6: Foundations of Cryptography

Practical Scenario

Page 7: Foundations of Cryptography

Pairing of Wireless Devices

Scenario: You buy a new wireless camera and want to establish a secure channel for the first time, e.g., by Diffie-Hellman key agreement (the devices exchange g^x and g^y).

Page 8: Foundations of Cryptography

Pairing of Wireless Devices: Cable pairing

"I thought this is a wireless camera…"

Cable pairing: a simple, cheap authenticated channel.

Page 9: Foundations of Cryptography

Pairing of Wireless Devices: Wireless pairing

Problem: Active adversaries ("man-in-the-middle").

Page 10: Foundations of Cryptography

Pairing of Wireless Devices: Wireless pairing

[Figure: the devices exchange g^x and g^y over the air; an active adversary substitutes g^a and g^b.]

Problem: Active adversaries ("man-in-the-middle").

Page 11: Foundations of Cryptography

Message Authentication

Assure the receiver of a message that it has not been changed by an active adversary.

[Figure: Alice sends m; Eve may deliver a different message m̂ to Bob.]

Page 12: Foundations of Cryptography

Pairing of Wireless Devices

[Figure: the devices exchange g^x and g^y; Eve substitutes g^a and g^b. Alice's view of the exchange is m = g^x || g^a, Bob's view is m̂ = g^b || g^y.]

Page 13: Foundations of Cryptography

Message Authentication

Assure the receiver of a message that it has not been changed by an active adversary.

Without additional setup: impossible!!

Public key: signatures. Problem: no trusted PKI.

Solution: the manual channel.

[Figure: Alice sends m; Eve may deliver m̂ to Bob.]

Page 14: Foundations of Cryptography

The Manual Channel

[Figure: the devices exchange g^x and g^y (Eve substitutes g^a and g^b); each device then displays a short string, "141141", for the user to compare.]

The user can compare two short strings.

Page 15: Foundations of Cryptography

Manual Channel Model

An insecure communication channel (Alice ↔ Bob: m, …), plus a low-bandwidth auxiliary channel that enables Alice to "manually" authenticate one short string s.

Adversarial power:
  Choose the input message m
  Insecure channel: full control
  Manual channel: read, delay
  Delivery timing

Interactive and non-interactive variants.

Page 16: Foundations of Cryptography

Manual Channel Model

An insecure communication channel, plus a low-bandwidth auxiliary channel that enables Alice to "manually" authenticate one short string s.

Goal: Minimize the length of the manually authenticated string.

Interactive and non-interactive variants.

Page 17: Foundations of Cryptography

Manual Channel Model

No trusted infrastructure, such as:
  Public key infrastructure
  Shared secret key
  Common reference string
  ...

Suitable for ad hoc networks:
  Pairing of wireless devices (Wireless USB, Bluetooth)
  Secure phones (AT&T, PGP, Zfone)
  Many more...

Page 18: Foundations of Cryptography

Why Is This Model Reasonable?

Implementing the manual channel:
  Compare two strings displayed by the devices ("141141" shown on both)

Page 19: Foundations of Cryptography

Why Is This Model Reasonable?

Implementing the manual channel:
  Compare two strings displayed by the devices
  Type a string, displayed by one device, into the other device

Page 20: Foundations of Cryptography

Why Is This Model Reasonable?

Implementing the manual channel:
  Compare two strings displayed by the devices
  Type a string, displayed by one device, into the other device
  Visual hashing

Page 21: Foundations of Cryptography

Why Is This Model Reasonable?

Implementing the manual channel:
  Compare two strings displayed by the devices
  Type a string, displayed by one device, into the other device
  Visual hashing
  Voice channel

Page 22: Foundations of Cryptography

The Naive Solution

H: a collision-resistant hash function (e.g., SHA-256). No efficient algorithm can find m ≠ m̂ s.t. H(m) = H(m̂) with noticeable probability.

Alice → Bob: m over the insecure channel (Eve may deliver m̂ instead), and H(m) over the manual channel.

Any adversary that forges a message can be used to find a collision for H.

Page 23: Foundations of Cryptography

The Naive Solution

H: a collision-resistant hash function (e.g., SHA-256). No efficient algorithm can find m ≠ m̂ s.t. H(m) = H(m̂) with noticeable probability.

Alice → Bob: m over the insecure channel, and H(m) over the manual channel.

Any adversary that forges a message can be used to find a collision for H.

Are we done?

No. The output length of SHA-256 is too long (160 bits); it cannot be easily compared or typed by humans.
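The man-in-the-middle failure of pages 4 and 5, the two transcript views of page 12, and the naive fix of pages 22 and 23, as an added example that is not part of the lecture or the paper it presents. It runs a toy Diffie-Hellman exchange with and without an active Eve, then has each party fingerprint its own view of the transcript (m = g^x || g^a on Alice's side, m̂ = g^b || g^y on Bob's) with SHA-256 and compares the fingerprints as if over the manual channel. The group parameters P and G, the fixed-width byte encoding and the seeded RNG are assumptions for illustration only; the toy group is far too small for real use.

```python
import hashlib
import random

# Toy Diffie-Hellman group, constructed for this illustration only: a small prime
# modulus and a fixed base, not parameters anyone should deploy.
P = 2**61 - 1
G = 5


def run_key_agreement(rng, active_eve):
    """One Diffie-Hellman exchange (page 2). With active_eve, Eve replaces the
    exchanged values by her own g^a and g^b (page 4). Returns Alice's key, Bob's
    key, Eve's two keys (or None), and each party's view of the transcript as
    (value sent, value received), the m and m-hat of page 12."""
    x = rng.randrange(2, P - 1)
    y = rng.randrange(2, P - 1)
    gx, gy = pow(G, x, P), pow(G, y, P)

    if active_eve:
        a = rng.randrange(2, P - 1)
        b = rng.randrange(2, P - 1)
        ga, gb = pow(G, a, P), pow(G, b, P)
        alice_got, bob_got = ga, gb                     # Eve's substitutions
        eve_keys = (pow(gx, a, P), pow(gy, b, P))       # K_{A,E} = g^{xa}, K_{E,B} = g^{by}
    else:
        alice_got, bob_got = gy, gx
        eve_keys = None

    k_alice = pow(alice_got, x, P)
    k_bob = pow(bob_got, y, P)
    alice_view = (gx, alice_got)    # m  = g^x || g^a  (what Alice sent, what she received)
    bob_view = (bob_got, gy)        # m^ = g^b || g^y  (what Bob received, what he sent)
    return k_alice, k_bob, eve_keys, alice_view, bob_view


def fingerprint(view):
    """The naive solution of page 22: hash the transcript with a collision-resistant
    function. The full digest is what would have to cross the manual channel."""
    data = b"".join(v.to_bytes(8, "big") for v in view)   # values are below 2^61
    return hashlib.sha256(data).hexdigest()


def manual_check(alice_view, bob_view):
    """Bob accepts iff the fingerprint Alice shows him equals the one he computes."""
    return fingerprint(alice_view) == fingerprint(bob_view)


def fingerprint_bits():
    """Length of the string the naive solution sends over the manual channel."""
    return hashlib.sha256().digest_size * 8


def demo(seed=1):
    """Run one honest and one attacked exchange and report what each check sees."""
    rng = random.Random(seed)
    honest = run_key_agreement(rng, active_eve=False)
    attacked = run_key_agreement(rng, active_eve=True)
    return {
        "honest_keys_match": honest[0] == honest[1],
        "honest_manual_check": manual_check(honest[3], honest[4]),
        "attacked_keys_match": attacked[0] == attacked[1],
        "eve_shares_alice_key": attacked[2][0] == attacked[0],
        "eve_shares_bob_key": attacked[2][1] == attacked[1],
        "attacked_manual_check": manual_check(attacked[3], attacked[4]),
        "fingerprint_bits": fingerprint_bits(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the attacked run the two parties hold different keys, each of which Eve also holds, while the fingerprint comparison rejects because the two transcript views differ. The comparison does work, which is the point of page 22; the cost, visible in `fingerprint_bits`, is the length of the string a human would have to compare, which is the problem page 23 raises.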

Page 24: Foundations of Cryptography

Previous Work

[Vaudenay '05]: Formal model. Computationally secure protocol for arbitrarily long messages with log(1/ε) manually authenticated bits (ε = forgery probability). Optimal!

[LAN '05, DDN '00]: Can be based on any one-way function (non-malleable commitments). Efficient implementations rely on a random oracle, or assume a common reference string [DIO '98, DKOS '01].

[Rivest & Shamir '84]: The "Interlock" protocol. Mutual authentication of public keys, no trusted infrastructure (AT&T, PGP, …, Zfone).

Page 25: Foundations of Cryptography

Previous Work

[Vaudenay '05]: Formal model. Computationally secure protocol for arbitrarily long messages with log(1/ε) manually authenticated bits (ε = forgery probability). Optimal!

[LAN '05, DDN '00]: Can be based on any one-way function (non-malleable commitments). Efficient implementations rely on a random oracle, or assume a common reference string [DIO '98, DKOS '01].

[Rivest & Shamir '84]: The "Interlock" protocol. Mutual authentication of public keys, no trusted infrastructure (AT&T, PGP, …, Zfone).

Computational assumptions!! Are those really necessary?

Page 26: Foundations of Cryptography

Our Results - Tight Bounds

Setting: an n-bit message m, an ℓ-bit manually authenticated string s, forgery probability ε.

Upper bound: Constructed a log*n-round protocol in which ℓ = 2log(1/ε) + O(1), with no setup or computational assumptions. Only twice as many manually authenticated bits as [V05].

Matching lower bound: for n ≥ 2log(1/ε), ℓ ≥ 2log(1/ε) - 2.

One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting.

Page 27: Foundations of Cryptography

Unconditional Security

Some advantages over computational security:
  Security against unbounded adversaries
  Exact evaluation of error probabilities
  Protocols are often easier to compose
  More efficient key agreement protocols

Page 28: Foundations of Cryptography

Our Results - Tight Bounds

[Figure: the manually authenticated length ℓ plotted against log(1/ε). Below ℓ = log(1/ε): impossible. Between ℓ = log(1/ε) and ℓ = 2log(1/ε): computational security, requiring one-way functions. From ℓ = 2log(1/ε) on: unconditional security.]

Page 29: Foundations of Cryptography

Outline
  Security definition
  Our results
  The protocol
  Lower bound
  One-way functions are necessary for breaking the lower bound
  Conclusions

Page 30: Foundations of Cryptography

Security Definition

Unconditionally secure (n, ℓ, k, ε)-authentication protocol: n-bit input message m, ℓ manually authenticated bits s, k rounds.

Completeness: No interference ⇒ Bob accepts m (with high probability).

Unforgeability: For every m, Pr[ Bob accepts m̂ ≠ m ] ≤ ε.

Page 31: Foundations of Cryptography

Outline
  Security definition
  Our results
  The protocol
  Lower bound
  One-way functions are necessary for breaking the lower bound
  Conclusions

Page 32: Foundations of Cryptography

The Protocol (simplified)

Preliminaries: For m = m_1 … m_k ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i. Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],

Pr_{x ←R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q.

Based on the [GN93] hashing technique. In each round, the parties cooperatively choose a hash function and reduce to authenticating a shorter message; at the end, a short message is manually authenticated.

Page 33: Foundations of Cryptography

The Protocol (simplified)

Preliminaries: For m = m_1 … m_k ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i. Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],

Pr_{x ←R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q.

We hash m to x || m(x) + c, where one party chooses x and the other party chooses c.

Page 34: Foundations of Cryptography

The Protocol (simplified)

Both parties set m_0 = m. Alice chooses a_1 ←R GF[Q1] and a_2 ←R GF[Q2]; Bob chooses b_1 ←R GF[Q1] and b_2 ←R GF[Q2].

Alice → Bob: m, a_1
Bob → Alice: b_1, b_2
Both parties compute m_1 = b_1 || m_0(b_1) + a_1.
Alice manually authenticates m_2 = a_2 || m_1(a_2) + b_2 (two GF[Q2] elements).
Bob accepts iff m_2 is consistent with his own m_1.

Q1 ≈ n/ε, Q2 ≈ log(n)/ε, giving 2log(1/ε) + 2loglog(n) + O(1) manually authenticated bits. With k rounds, the 2loglog(n) term is reduced to 2log^{(k-1)}(n).
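The simplified protocol of pages 32 to 34 in code, as an added example that is not the lecture's or the paper's own implementation. It works over prime fields GF[Q1] and GF[Q2] (an assumption; the slides allow any field), encodes a message as field elements by chunking its bits, follows the message order the analysis on page 39 relies on (Alice sends m and a_1 first, Bob answers b_1 and b_2, Alice then manually authenticates m_2), and simulates the substitution attack of page 38 in the case b̂_1 = b_1 to compare the observed forgery rate with the k/Q bound of page 32. The concrete sizes n = 1024, Q1 = 1048573 and Q2 = 65521, the chunked encoding and the seeded RNG are constructed choices for this example.

```python
import random

# Field sizes for this example: primes of roughly the shape the slides prescribe
# (Q1 ~ n/eps, Q2 ~ log(n)/eps) for n = 1024 and eps around 2^-10. Constructed.
Q1 = 1048573   # largest prime below 2^20
Q2 = 65521     # largest prime below 2^16


def poly_hash(coeffs, x, q):
    """m(x) = sum_{i=1..k} m_i x^i over GF[q], prime q, evaluated by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc + c) * x % q
    return acc


def to_field_elements(value, nbits, q):
    """Chunk an nbits-bit integer into floor(log2 q)-bit pieces; each is a GF[q] element."""
    width = q.bit_length() - 1
    mask = (1 << width) - 1
    return [(value >> i) & mask for i in range(0, nbits, width)]


def round1_hash(m, n, a1, b1):
    """m1 = b1 || m0(b1) + a1, returned as (integer encoding, bit length)."""
    tag = (poly_hash(to_field_elements(m, n, Q1), b1, Q1) + a1) % Q1
    width = Q1.bit_length()
    return (b1 << width) | tag, 2 * width


def round2_hash(m1, m1_bits, a2, b2):
    """m2 = a2 || m1(a2) + b2: the two GF[Q2] elements Alice authenticates manually."""
    tag = (poly_hash(to_field_elements(m1, m1_bits, Q2), a2, Q2) + b2) % Q2
    return (a2, tag)


def bob_accepts(m_hat, n, a1_hat, b1, b2, manual):
    """Bob recomputes m1 from his own view and checks the manual string against it."""
    a2, tag = manual
    m1, m1_bits = round1_hash(m_hat, n, a1_hat, b1)
    return round2_hash(m1, m1_bits, a2, b2)[1] == tag


def run_session(n, rng, eve=None):
    """One run: Alice sends (m, a1); Bob replies (b1, b2); Alice manually sends m2.
    `eve`, if given, maps (m, a1) to the pair Bob actually receives; b1 and b2 are
    forwarded unchanged (the b1-hat = b1 case of page 39)."""
    m = rng.getrandbits(n)
    a1 = rng.randrange(Q1)
    b1, b2 = rng.randrange(Q1), rng.randrange(Q2)
    m_hat, a1_hat = (m, a1) if eve is None else eve(m, a1, n, rng)
    a2 = rng.randrange(Q2)                        # chosen by Alice after seeing b2
    m1, m1_bits = round1_hash(m, n, a1, b1)       # Alice's m_{1,A}
    manual = round2_hash(m1, m1_bits, a2, b2)     # crosses the manual channel unmodified
    return bob_accepts(m_hat, n, a1_hat, b1, b2, manual)


def substitute_message(m, a1, n, rng):
    """Eve's substitution of page 38: a fresh random m-hat != m and her own a1-hat,
    both fixed before she learns b1."""
    m_hat = m
    while m_hat == m:
        m_hat = rng.getrandbits(n)
    return m_hat, rng.randrange(Q1)


def honest_rate(n, trials, seed=7):
    rng = random.Random(seed)
    return sum(run_session(n, rng) for _ in range(trials)) / trials


def forgery_rate(n, trials, seed=7):
    rng = random.Random(seed)
    return sum(run_session(n, rng, eve=substitute_message) for _ in range(trials)) / trials


def forgery_bound(n):
    """k/Q from the lemma of page 32, for each of the two hashing rounds, summed."""
    k1 = len(to_field_elements(0, n, Q1))
    k2 = len(to_field_elements(0, 2 * Q1.bit_length(), Q2))
    return k1 / Q1 + k2 / Q2


def manual_bits():
    """Length of the manually authenticated string m2: two GF[Q2] elements."""
    return 2 * Q2.bit_length()


if __name__ == "__main__":
    print("honest accept rate :", honest_rate(1024, 20))
    print("forgery accept rate:", forgery_rate(1024, 200), "bound", forgery_bound(1024))
    print("manual bits        :", manual_bits())
```

With these sizes the manual string is 32 bits, against the full digest the naive solution of page 22 would require, and the substitution attack is accepted with probability at most k_1/Q1 + k_2/Q2, roughly 10^-4 here. The order of the messages is what makes the bound apply: Eve must commit to â_1 before Bob reveals b_1, and to b̂_2 before Alice picks a_2, so in each round the additive term is fixed before the evaluation point is drawn.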

Page 35: Foundations of Cryptography

Security Analysis

Must consider all generic man-in-the-middle attacks. Three attacks in our case:

[Figure, Attack #1: Alice sends (m, a_1) and receives (b̂_1, b̂_2); Bob receives (m̂, â_1) and sends (b_1, b_2); Eve relays between them. Alice's manual string m_2 reaches Bob unchanged.]

Page 36: Foundations of Cryptography

Security Analysis

Must consider all generic man-in-the-middle attacks. Three attacks in our case:

[Figure, Attack #2: the same messages m, a_1, b_1, b_2 and their substitutes m̂, â_1, b̂_1, b̂_2, delivered in a different order; m_2 reaches Bob unchanged.]

Page 37: Foundations of Cryptography

Security Analysis

Must consider all generic man-in-the-middle attacks. Three attacks in our case:

[Figure, Attack #3: the same messages and substitutes in a third delivery order; m_2 reaches Bob unchanged.]

Page 38: Foundations of Cryptography

Security Analysis – Attack #1

Alice's side:
  m_{0,A} = m
  m_{1,A} = b̂_1 || m_{0,A}(b̂_1) + a_1
  m_{2,A} = a_2 || m_{1,A}(a_2) + b̂_2

Bob's side:
  m_{0,B} = m̂
  m_{1,B} = b_1 || m_{0,B}(b_1) + â_1
  m_{2,B} = a_2 || m_{1,B}(a_2) + b_2

Forgery: m_{0,A} ≠ m_{0,B} and m_{2,A} = m_{2,B}. This event is contained in the union of the two events below, so

Pr[ m_{1,A} = m_{1,B} ] + Pr[ m_{1,A} ≠ m_{1,B} and m_{2,A} = m_{2,B} ] ≤ ε/2 + ε/2.

Page 39: Foundations of Cryptography

Security Analysis – Attack #1

Alice's side: m_{0,A} = m, m_{1,A} = b̂_1 || m_{0,A}(b̂_1) + a_1.
Bob's side: m_{0,B} = m̂, m_{1,B} = b_1 || m_{0,B}(b_1) + â_1.

Claim: Pr[ m_{1,A} = m_{1,B} ] ≤ ε/2.

Eve chooses b̂_1 ≠ b_1 ⇒ m_{1,A} ≠ m_{1,B}.
Eve chooses b̂_1 = b_1 ⇒ Pr[ m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + â_1 ] ≤ ε/2.

Page 40: Foundations of Cryptography

Outline
  Manual channel model
  Our results
  The protocol
  Lower bound
  One-way functions are necessary for breaking the lower bound
  Conclusions

Page 41: Foundations of Cryptography

Lower Bound

[Figure: Alice → Bob: m, x_1; Bob → Alice: x_2; Alice → Bob over the manual channel: s.]

m ←R {0,1}^n, so M, X_1, X_2, S are well-defined random variables.

Page 42: Foundations of Cryptography

Lower Bound

Goal: H(S) ≥ 2log(1/ε).

[Figure: Alice → Bob: M, X_1; Bob → Alice: X_2; Alice → Bob manually: S.]

Basic information theory:
  Shannon entropy: H(X) = - Σ_x p(x) log p(x)
  Conditional entropy: H(X | Y) = Exp_y H(X | Y = y)
  Mutual information: I(X ; Y) = H(X) - H(X | Y)
  Conditional mutual information: I(X ; Y | Z) = H(X | Z) - H(X | Y, Z)

Page 43: Foundations of Cryptography

Lower Bound

Goal: H(S) ≥ 2log(1/ε).

Evolving intuition: The parties must use at least log(1/ε) random bits. Each party must independently reduce H(S) by log(1/ε) bits, so each party must use at least log(1/ε) random bits.

H(S) = H(S) - H(S | M, X_1)
     + H(S | M, X_1) - H(S | M, X_1, X_2)
     + H(S | M, X_1, X_2)
     = I(S ; M, X_1)
     + I(S ; X_2 | M, X_1)
     + H(S | M, X_1, X_2)

Page 44: Foundations of Cryptography

Lower Bound

Goal: H(S) ≥ 2log(1/ε).

H(S) = I(S ; M, X_1)            (Alice's randomness)
     + I(S ; X_2 | M, X_1)      (Bob's randomness)
     + H(S | M, X_1, X_2)       (Alice's randomness)

Evolving intuition: The parties must use at least log(1/ε) random bits. Each party must independently reduce H(S) by log(1/ε) bits, so each party must use at least log(1/ε) random bits.

Page 45: Foundations of Cryptography

Lower Bound

Goal: H(S) ≥ 2log(1/ε).

H(S) = I(S ; M, X_1)            (Alice's randomness)
     + I(S ; X_2 | M, X_1)      (Bob's randomness)
     + H(S | M, X_1, X_2)       (Alice's randomness)

Lemma 1: I(S ; M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε)
Lemma 2: I(S ; X_2 | M, X_1) ≥ log(1/ε)
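The four definitions of page 42 and the decomposition of page 43, computed on a constructed toy distribution, as an added example that is not from the lecture. The joint distribution below (a uniform bit M and two uniform bits X_1 from Alice, a uniform bit X_2 from Bob, and the manual string S made of the low bit of X_1 followed by X_2) is a constructed input chosen so the three terms can be checked by hand; it is not a real protocol. The code verifies numerically that I(S ; M, X_1) + I(S ; X_2 | M, X_1) + H(S | M, X_1, X_2) equals H(S) and reports how much of H(S) each party's randomness accounts for.

```python
from collections import defaultdict
from itertools import product
from math import log2

# Position of each variable inside a joint-distribution key (m, x1, x2, s).
M, X1, X2, S = 0, 1, 2, 3


def marginal(joint, idx):
    """Marginal distribution of the variables at positions idx (a tuple of indices)."""
    out = defaultdict(float)
    for key, p in joint.items():
        out[tuple(key[i] for i in idx)] += p
    return out


def entropy(dist):
    """Shannon entropy H(X) = -sum_x p(x) log p(x), in bits (page 42)."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def cond_entropy(joint, target, given):
    """H(T | G) = H(T, G) - H(G); this equals Exp_g H(T | G = g) from page 42."""
    return entropy(marginal(joint, target + given)) - entropy(marginal(joint, given))


def mutual_info(joint, a, b, given=()):
    """I(A ; B | G) = H(A | G) - H(A | B, G); with G empty this is I(A ; B)."""
    return cond_entropy(joint, a, given) - cond_entropy(joint, a, b + given)


def decomposition(joint):
    """The three terms of page 43: H(S) = I(S;M,X1) + I(S;X2|M,X1) + H(S|M,X1,X2).
    Returns (H(S), Alice's mutual-information term, Bob's term, residual entropy)."""
    alice_term = mutual_info(joint, (S,), (M, X1))
    bob_term = mutual_info(joint, (S,), (X2,), (M, X1))
    residual = cond_entropy(joint, (S,), (M, X1, X2))
    return entropy(marginal(joint, (S,))), alice_term, bob_term, residual


def toy_protocol_joint():
    """Constructed toy distribution: M a uniform bit, X1 two uniform bits from Alice,
    X2 a uniform bit from Bob, and the manual string S = (low bit of X1, X2)."""
    joint = {}
    for m, x1, x2 in product(range(2), range(4), range(2)):
        s = ((x1 & 1) << 1) | x2
        joint[(m, x1, x2, s)] = 1 / 16
    return joint


if __name__ == "__main__":
    h, alice, bob, rest = decomposition(toy_protocol_joint())
    print(f"H(S) = {h:.3f}")
    print(f"I(S;M,X1) = {alice:.3f}   I(S;X2|M,X1) = {bob:.3f}   H(S|M,X1,X2) = {rest:.3f}")
    print(f"sum of terms = {alice + bob + rest:.3f}")
```

In the toy distribution S reveals one bit of Alice's randomness and one bit of Bob's, so H(S) = 2 splits as 1 + 1 + 0. Lemmas 1 and 2 say that in any ε-secure protocol the Alice-side terms and the Bob-side term are each at least log(1/ε), which is how the 2log(1/ε) bound on H(S), and hence on ℓ, arises.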

Page 46: Foundations of Cryptography

Proof of Lemma 1

Consider the following attack. Eve wants Alice to manually authenticate ŝ. Eve acts as follows:
  Chooses m̂ ←R {0,1}^n.
  [Alice → Eve: m, x_1. Eve → Bob: m̂, x_1. Bob → Eve: x_2.]
  If Pr[ ŝ | m, x_1 ] = 0, Eve quits.
  Samples x̂_2 from the distribution of X_2 given m, x_1 and ŝ, and sends x̂_2 to Alice.
  Forwards s (Alice's manual string) and hopes that ŝ = s.

Page 47: Foundations of Cryptography

Proof of Lemma 1

Claim: Pr[ ŝ = s ] ≥ 2^{-( I(S ; M, X_1) + H(S | M, X_1, X_2) )}.

Since n ≥ log(1/ε), we get

Pr[ ŝ = s and m̂ ≠ m ] ≥ Pr[ ŝ = s ] - 2^{-n} ≥ ½ Pr[ ŝ = s ].

By the protocol requirements (unforgeability, page 30), Pr[ ŝ = s and m̂ ≠ m ] ≤ ε, which implies

I(S ; M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε) - 1.

Page 48: Foundations of Cryptography

Lower Bound

Goal: H(S) ≥ 2log(1/ε) - 2.

H(S) = I(S ; M, X_1)            (Alice's randomness)
     + I(S ; X_2 | M, X_1)      (Bob's randomness)
     + H(S | M, X_1, X_2)       (Alice's randomness)

Lemma 1: I(S ; M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε) - 1
Lemma 2: I(S ; X_2 | M, X_1) ≥ log(1/ε) - 1

Page 49: Foundations of Cryptography

Outline
  Manual channel model
  Our results
  The protocol
  Lower bound
  One-way functions are necessary for breaking the lower bound
  Conclusions

Page 50: Foundations of Cryptography

One-Way Functions

One-way functions are necessary for breaking the 2log(1/ε) lower bound in the computational setting.

Theorem: If there are no one-way functions, the attacks of the lower bound can be carried out by a poly-time adversary.

Page 51: Foundations of Cryptography

Recall: Proof of Lemma 1

Consider the following attack. Eve acts as follows:
  Chooses m̂ ←R {0,1}^n.
  [Alice → Eve: m, x_1. Eve → Bob: m̂, x_1. Bob → Eve: x_2.]
  Samples x̂_2 from the distribution of X_2 given m, x_1 and ŝ, and sends x̂_2 to Alice. (This step is randomly inverting a function.)
  Forwards s.

Page 52: Foundations of Cryptography

One-Way Functions

One-way functions: easy to compute; hard to invert given the image of a random input (hard to find even one inverse).

Distributionally one-way functions [IL89]: easy to compute; hard to randomly invert given the image of a random input (it may be easy to find some inverses).

Any one-way function is also distributionally one-way. [IL89]: the existence of the two primitives is equivalent.

Page 53: Foundations of Cryptography

One-Way Functions

Eve has to sample X_2 given m, x_1 and s.

Define f(m, r_A, r_B) = (m, x_1, x_2, s), mapping the message m, Alice's coins r_A and Bob's coins r_B to the transcript of the protocol, and g(m, r_A, r_B) = (m, x_1, s).

Page 54: Foundations of Cryptography

One-Way Functions

Eve has to sample X_2 given m, x_1 and s.

f(m, r_A, r_B) = (m, x_1, x_2, s)
g(m, r_A, r_B) = (m, x_1, s)

If g is not distributionally one-way, Eve can randomly invert g (obtaining a preimage statistically close to a uniformly random one) and apply f to compute x_2. Bob cannot distinguish between the two executions with significant probability.

Page 55: Foundations of Cryptography

Conclusions

Manual channel: computational assumptions are not necessary.
Protocol with a matching lower bound.
Sharp threshold between unconditional and computational security.

[Figure: ℓ plotted against log(1/ε): impossible below ℓ = log(1/ε); computational security (one-way functions) between ℓ = log(1/ε) and ℓ = 2log(1/ε); unconditional security from ℓ = 2log(1/ε) on.]

Page 56: Foundations of Cryptography

Reference

Moni Naor, Gil Segev, and Adam Smith. Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models. Advances in Cryptology - CRYPTO 2006.