Foundations of Cryptography
Lecturer: Gil Segev
Lecture 7:
Message Authentication in the Manual Channel Model
2
Diffie-Hellman Key Agreement
Alice and Bob wish to agree on a secret key
Alice → Bob: g^x
Bob → Alice: g^y
Both parties compute K_A,B = g^xy
DDH assumption (computational indistinguishability): {(g, g^x, g^y, g^xy)} ≈_c {(g, g^x, g^y, g^c)} for random x, y and c
Under DDH, K_A,B is as good as a random secret: secure against passive adversaries (Eve is only allowed to read the sent messages)
Can now use K_A,B as a one-time pad: Alice → Bob: K_A,B ⊕ z
4
Diffie-Hellman Key Agreement
Suppose now that Eve is an active ("man-in-the-middle") adversary
Alice → Eve: g^x, Eve → Bob: g^b
Bob → Eve: g^y, Eve → Alice: g^a
Alice and Eve share K_A,E = g^xa; Eve and Bob share K_E,B = g^by
Completely insecure: Eve can decrypt z (sent by Alice under K_A,E) and then re-encrypt it under K_E,B for Bob
Solution: message authentication, i.e., Alice and Bob authenticate g^x and g^y
Problem: authentication requires setup, such as a shared secret key or a public key infrastructure
6
Practical Scenario
7
Pairing of Wireless Devices
Scenario: buy a new wireless camera and want to establish a secure channel for the first time
E.g., Diffie-Hellman key agreement: the two devices exchange g^x and g^y
8
Pairing of Wireless Devices
Cable pairing: a simple, cheap, authenticated channel
"I thought this is a wireless camera..."
9
Pairing of Wireless Devices
Wireless pairing: the devices exchange g^x and g^y over the air
Problem: active adversaries ("man-in-the-middle") can replace them with g^a and g^b
11
Message Authentication
Assure the receiver of a message that it has not been changed by an active adversary
Alice → Eve: m, Eve → Bob: m̂
12
Pairing of Wireless Devices
Wireless pairing with Eve in the middle: the devices send g^x and g^y, Eve delivers g^a and g^b instead
The values each side must authenticate: m = g^x || g^a, m̂ = g^b || g^y
13
Message Authentication
Without additional setup: impossible!
Public key (signatures): problem, no trusted PKI
Solution: manual channel
14
The Manual Channel
The devices exchange g^x and g^y (possibly replaced by g^a and g^b); each device displays a short string, e.g., 141141
User can compare two short strings
15
Manual Channel Model
Insecure communication channel: carries the message m and the protocol's other messages, in any number of rounds (interactive or non-interactive)
Low-bandwidth auxiliary channel: enables Alice to "manually" authenticate one short string s
Adversarial power: chooses the input message m; full control over the insecure channel; on the manual channel can only read and delay (delivery timing)
Goal: minimize the length of the manually authenticated string
No trusted infrastructure, such as: public key infrastructure, shared secret key, common reference string, ...
Suitable for ad hoc networks: pairing of wireless devices (Wireless USB, Bluetooth), secure phones (AT&T, PGP, Zfone), many more
18
Why Is This Model Reasonable?
Implementing the manual channel:
Compare two strings displayed by the devices (e.g., 141141 on both screens)
Type a string, displayed by one device, into the other device
Visual hashing
Voice channel
22
The Naive Solution
H: collision-resistant hash function (e.g., SHA-256): no efficient algorithm can find m ≠ m̂ s.t. H(m) = H(m̂) with noticeable probability
Alice → Bob: m over the insecure channel (Eve may replace it by m̂) and H(m) over the manual channel; Bob accepts iff H(m̂) = H(m)
Any adversary that forges a message can be used to find a collision for H
Are we done?
No. The output length of the hash is too long (160 bits for SHA-1, 256 bits for SHA-256): it cannot be easily compared or typed by humans
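The two preceding slides in working code, as an added example that is not part of the lecture: a Diffie-Hellman exchange over a small constructed group, an active substitution of the public values, and the naive manual-channel check that compares H(transcript) on both sides. The prime, generator and the byte encoding of the transcript are all assumptions made for this example.

```python
"""Diffie-Hellman key agreement over a toy group, an active substitution of the
public values, and the slides' naive fix: comparing H(transcript) over a manual
channel. Added example; the parameters are constructed and deliberately small."""
import hashlib
import secrets

# Constructed toy parameters (not for real use): p = 2^61 - 1 is prime, g = 3.
P = (1 << 61) - 1
G = 3


def keypair(p=P, g=G):
    """Fresh secret exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_key(their_public, my_secret, p=P):
    """K = (g^y)^x = g^xy mod p."""
    return pow(their_public, my_secret, p)


def encode_transcript(*values):
    """Canonical byte encoding of the values a party sent and received."""
    return b"|".join(str(v).encode() for v in values)


def naive_manual_string(transcript):
    """The naive solution: the string compared over the manual channel is
    H(transcript) with H = SHA-256 (64 hex characters, 256 bits)."""
    return hashlib.sha256(transcript).hexdigest()


def run_session(active_eve):
    """One exchange. Returns (keys_agree, manual_strings_agree, manual_len).
    active_eve=False: Eve only reads g^x and g^y (passive).
    active_eve=True: Eve delivers g^a to Alice and g^b to Bob instead."""
    x, gx = keypair()
    y, gy = keypair()
    if active_eve:
        a, ga = keypair()
        b, gb = keypair()
        alice_received, bob_received = ga, gb
        # Eve shares K_A,E = g^xa with Alice and K_E,B = g^by with Bob ...
        assert shared_key(gx, a) == shared_key(alice_received, x)
        assert shared_key(gy, b) == shared_key(bob_received, y)
    else:
        alice_received, bob_received = gy, gx
    k_alice = shared_key(alice_received, x)
    k_bob = shared_key(bob_received, y)
    # ... so Alice and Bob end up holding different keys. Each side hashes the
    # transcript as it saw it (Alice's message first, Bob's message second),
    # and the manual-channel comparison of the two digests exposes the substitution.
    s_alice = naive_manual_string(encode_transcript(gx, alice_received))
    s_bob = naive_manual_string(encode_transcript(bob_received, gy))
    return k_alice == k_bob, s_alice == s_bob, len(s_alice)
```

Without Eve both tuples agree; with an active Eve the keys differ and so do the digests, so the comparison catches the attack. The third value returned is the length of the string a human would have to compare: 64 hex characters, which is exactly the objection raised on the slide.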
24
Previous Work
ε denotes the forgery probability
[Vaudenay '05]: formal model; computationally secure protocol for arbitrarily long messages with log(1/ε) manually authenticated bits (optimal!)
[LAN '05, DDN '00]: can be based on any one-way function (non-malleable commitments)
Efficient implementations rely on a random oracle or assume a common reference string [DIO '98, DKOS '01]
[Rivest & Shamir '84]: the "Interlock" protocol: mutual authentication of public keys, no trusted infrastructure; AT&T, PGP, ..., Zfone
Computational assumptions!! Are those really necessary?
26
Our Results - Tight Bounds
Setting: n-bit message m, ℓ-bit manually authenticated string s, forgery probability ε
Upper bound: constructed a log*n-round protocol in which ℓ = 2log(1/ε) + O(1), with no setup or computational assumptions (only twice as many bits as [V05])
Matching lower bound: n ≥ 2log(1/ε) ⇒ ℓ ≥ 2log(1/ε) - 2
One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting
27
Some advantages over computational security:
Security against unbounded adversaries
Exact evaluation of error probabilities
Protocols are often easier to compose
more efficient Key agreement protocols
Unconditional Security
28
Our Results - Tight Bounds
Figure: the length ℓ of the manually authenticated string
ℓ < log(1/ε): impossible
log(1/ε) ≤ ℓ < 2log(1/ε): computational security (one-way functions)
ℓ ≥ 2log(1/ε): unconditional security
29
Outline
Security definition; our results; the protocol; lower bound; one-way functions are necessary for breaking the lower bound; conclusions
30
Security Definition
Setting: Alice → Bob: n-bit input message m over the insecure channel, ℓ manually authenticated bits s, k rounds
Unconditionally secure (n, ℓ, k, ε)-authentication protocol:
Completeness: no interference ⇒ Bob accepts m (with high probability)
Unforgeability: for every m, Pr[Bob accepts m̂ ≠ m] ≤ ε
31
Outline
Security definition; our results; the protocol; lower bound; one-way functions are necessary for breaking the lower bound; conclusions
32
The Protocol (simplified)
Preliminaries: for m = m_1 ... m_k ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i
Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q]: Pr_{x ←R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q
Based on the [GN93] hashing technique. In each round, the parties cooperatively choose a hash function and reduce to authenticating a shorter message: we hash m to x || m(x) + c, where one party chooses x and the other party chooses c
Finally, a short message is manually authenticated
34
The Protocol (simplified)
Alice holds the message m; both parties set m_0 = m
Alice → Bob: m (insecure channel)
Bob → Alice: b_1 ←R GF[Q1]; Alice → Bob: a_1 ←R GF[Q1]
Both parties compute m_1 = b_1 || m_0(b_1) + a_1
Alice chooses a_2 ←R GF[Q2]; Bob → Alice: b_2 ←R GF[Q2]
Alice manually authenticates m_2 = a_2 || m_1(a_2) + b_2 (two GF[Q2] elements)
Bob accepts iff m_2 is consistent with his own view
Parameters: Q1 ≈ n/ε, Q2 ≈ log(n)/ε, giving 2log(1/ε) + 2loglog(n) + O(1) manually authenticated bits
With k rounds, the 2loglog(n) term is reduced to 2log^(k-1)(n)
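The two-round simplified protocol and the k/Q collision bound from the preliminaries, as an added example (not the lecture's or the paper's code). The polynomial hash is the one defined on the slides; the choice of primes Q1 = 2^31 - 1 and Q2 = 251, the packing of bits into field digits, and the seeded coin tosses are assumptions of this example.

```python
"""The simplified two-round protocol of the slides: in each round one party
picks the evaluation point x and the other the mask c, the message is reduced
to x || m(x) + c, and the last (short) value is compared over the manual
channel. Added example; Q1, Q2 and the digit packing are constructed choices."""
import random

# Constructed prime moduli: Q1 = 2^31 - 1 (Mersenne prime), Q2 = 251.
Q1 = (1 << 31) - 1
Q2 = 251


def to_digits(value, q, count):
    """Write a non-negative integer as `count` base-q digits m_1 .. m_count."""
    digits = []
    for _ in range(count):
        digits.append(value % q)
        value //= q
    return digits


def poly_eval(coeffs, x, q):
    """m(x) = sum_{i=1..k} m_i x^i over GF[q], evaluated in Horner form."""
    acc = 0
    for m_i in reversed(coeffs):
        acc = (acc + m_i) * x % q
    return acc


def collision_count(m, m_hat, c, c_hat, q):
    """Number of x in GF[q] with m(x) + c = m_hat(x) + c_hat.
    For m != m_hat the difference is a non-zero polynomial of degree <= k,
    so the count is at most k: this is the k/Q bound of the preliminaries."""
    return sum(1 for x in range(q)
               if (poly_eval(m, x, q) + c) % q == (poly_eval(m_hat, x, q) + c_hat) % q)


def hash_round(m_elems, x, c, q):
    """One round of the [GN93]-style reduction: m -> (x, m(x) + c)."""
    return (x, (poly_eval(m_elems, x, q) + c) % q)


def run_protocol(m, n, substituted=None, seed=7):
    """Alice authenticates the n-bit message m. If `substituted` is given,
    Bob receives that message instead while b1, a1, b2 are relayed intact.
    Returns (bob_accepts, manually_authenticated_bits)."""
    rng = random.Random(seed)
    k1 = -(-n // (Q1.bit_length() - 1))        # GF[Q1] digits needed for n bits
    m0_alice = to_digits(m, Q1, k1)
    m0_bob = to_digits(m if substituted is None else substituted, Q1, k1)
    # Round 1 (insecure channel): Bob chooses b1, Alice chooses a1.
    b1, a1 = rng.randrange(Q1), rng.randrange(Q1)
    m1_alice = hash_round(m0_alice, b1, a1, Q1)
    m1_bob = hash_round(m0_bob, b1, a1, Q1)
    # Round 2: re-pack the two GF[Q1] elements as GF[Q2] digits and hash again.
    k2 = 2 * -(-Q1.bit_length() // (Q2.bit_length() - 1))
    a2, b2 = rng.randrange(Q2), rng.randrange(Q2)       # Alice's a2, Bob's b2
    m2_alice = hash_round(to_digits(m1_alice[0] + m1_alice[1] * Q1, Q2, k2), a2, b2, Q2)
    m2_bob = hash_round(to_digits(m1_bob[0] + m1_bob[1] * Q1, Q2, k2), a2, b2, Q2)
    # Alice sends m2_alice (two GF[Q2] elements) over the manual channel;
    # Bob accepts iff it is consistent with his own m2.
    return m2_alice == m2_bob, 2 * Q2.bit_length()
```

With these parameters the manually authenticated string is 2·8 = 16 bits, while a substituted message survives the two reductions only if the round-2 polynomials collide at a2, which the bound caps at k2/Q2 = 10/251. Rerunning with many seeds shows the acceptance rate of a substituted message sitting well below that cap, whereas the honest run always accepts.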
35
Security Analysis
Must consider all generic man-in-the-middle attacks. Three attacks in our case: Attack #1, Attack #2, Attack #3
In each, Eve sits between Alice and Bob. Alice's view: she sends m and a_1 and receives b̂_1 and b̂_2; Bob's view: he receives m̂ and â_1 and sends b_1 and b_2; the manually authenticated m_2 is delivered unchanged
38
Security Analysis – Attack #1
Alice's values: m_0,A = m, m_1,A = b̂_1 || m_0,A(b̂_1) + a_1, m_2,A = a_2 || m_1,A(a_2) + b̂_2
Bob's values: m_0,B = m̂, m_1,B = b_1 || m_0,B(b_1) + â_1, m_2,B = a_2 || m_1,B(a_2) + b_2
Eve succeeds iff m_0,A ≠ m_0,B and m_2,A = m_2,B; this requires either m_1,A = m_1,B, or m_1,A ≠ m_1,B and m_2,A = m_2,B
Pr[m_1,A = m_1,B] + Pr[m_1,A ≠ m_1,B and m_2,A = m_2,B] ≤ ε/2 + ε/2
39
Security Analysis – Attack #1
Claim: Pr[m_1,A = m_1,B] ≤ ε/2
If Eve chooses b̂_1 ≠ b_1, then m_1,A ≠ m_1,B
If Eve chooses b̂_1 = b_1, then Pr[m_0,A(b_1) + a_1 = m_0,B(b_1) + â_1] ≤ ε/2
40
Outline
Manual channel model; our results; the protocol; lower bound; one-way functions are necessary for breaking the lower bound; conclusions
41
Lower Bound
Alice → Bob: m, x_1 (insecure channel); Bob → Alice: x_2; Alice → Bob: s (manual channel)
m ←R {0,1}^n, so M, X_1, X_2, S are well-defined random variables
42
Lower Bound
Goal: H(S) ≥ 2log(1/ε)
Basic information theory:
Shannon entropy: H(X) = -Σ_x p(x) log p(x)
Conditional entropy: H(X | Y) = E_y H(X | Y=y)
Mutual information: I(X ; Y) = H(X) - H(X | Y)
Conditional mutual information: I(X ; Y | Z) = H(X | Z) - H(X | Y,Z)
43
Lower Bound
Goal: H(S) ≥ 2log(1/ε)
Evolving intuition: the parties must use at least log(1/ε) random bits; each party must independently reduce H(S) by log(1/ε) bits; each party must use at least log(1/ε) random bits
H(S) = H(S) - H(S | M, X_1)
+ H(S | M, X_1) - H(S | M, X_1, X_2)
+ H(S | M, X_1, X_2)
= I(S ; M, X_1)
+ I(S ; X_2 | M, X_1)
+ H(S | M, X_1, X_2)
The first and third terms are governed by Alice's randomness, the second by Bob's randomness
Lemma 1: I(S ; M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε)
Lemma 2: I(S ; X_2 | M, X_1) ≥ log(1/ε)
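The chain-rule decomposition of H(S) above, evaluated numerically as an added example (not part of the lecture). It enumerates a constructed one-round toy protocol over GF[5] (Alice sends m and x_1, Bob answers x_2, Alice authenticates s = (x_2, m(x_2) + x_1)) and computes the three terms from the definitions on slide 42; the toy protocol, field size and message length are assumptions, and the example checks the identity, not the lemmas.

```python
"""The chain-rule decomposition of H(S) used in the lower bound, checked
numerically on a toy one-round protocol: Alice sends m and x1, Bob answers x2,
and Alice manually authenticates s = (x2, m(x2) + x1) over GF[Q].
Added example with constructed parameters; it illustrates the identity, not the
paper's protocol or its lemmas."""
import math
from collections import defaultdict
from itertools import product

Q = 5   # constructed toy field GF[5]
K = 2   # message m has K coefficients in GF[Q]
M, X1, X2, S = 0, 1, 2, 3   # coordinate positions in an outcome tuple


def poly_eval(coeffs, x, q):
    """m(x) = sum_{i=1..k} m_i x^i over GF[q]."""
    acc = 0
    for m_i in reversed(coeffs):
        acc = (acc + m_i) * x % q
    return acc


def joint_distribution():
    """Enumerate every (m, x1, x2, s) of the toy protocol with m, x1, x2 uniform."""
    dist = defaultdict(float)
    outcomes = list(product(product(range(Q), repeat=K), range(Q), range(Q)))
    p = 1.0 / len(outcomes)
    for m, x1, x2 in outcomes:
        s = (x2, (poly_eval(m, x2, Q) + x1) % Q)
        dist[(m, x1, x2, s)] += p
    return dict(dist)


def entropy(dist, coords):
    """Shannon entropy (bits) of the marginal on the given coordinates."""
    marginal = defaultdict(float)
    for outcome, p in dist.items():
        marginal[tuple(outcome[i] for i in coords)] += p
    return -sum(p * math.log2(p) for p in marginal.values() if p > 0)


def cond_entropy(dist, a, b):
    """H(A | B) = H(A, B) - H(B)."""
    return entropy(dist, a + b) - entropy(dist, b)


def decomposition(dist):
    """Returns (H(S), I(S;M,X1), I(S;X2|M,X1), H(S|M,X1,X2)) in bits."""
    h_s = entropy(dist, (S,))
    h_s_given_alice = cond_entropy(dist, (S,), (M, X1))
    h_s_given_all = cond_entropy(dist, (S,), (M, X1, X2))
    i_alice = h_s - h_s_given_alice            # I(S ; M, X1): Alice's randomness
    i_bob = h_s_given_alice - h_s_given_all    # I(S ; X2 | M, X1): Bob's randomness
    return h_s, i_alice, i_bob, h_s_given_all
```

In this toy, H(S) = 2 log2 Q: Alice's coin x_1 and Bob's coin x_2 each account for log2 Q bits of the authenticated string, and the last term vanishes because s is determined once m, x_1 and x_2 are fixed. That split into an Alice term and a Bob term is exactly what Lemmas 1 and 2 lower-bound by log(1/ε) each.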
46
Proof of Lemma 1
Consider the following attack. Eve acts as follows:
Chooses m̂ ←R {0,1}^n
Alice → Eve: m, x_1; Eve → Bob: m̂, x_1; Bob → Eve: x̂_2
Eve wants Alice to manually authenticate ŝ
If Pr[ŝ | m, x_1] = 0, Eve quits
Otherwise, she samples x_2 from the distribution of X_2 given m, x_1 and ŝ, and sends x_2 to Alice
Alice manually sends s; Eve forwards s and hopes that s = ŝ
47
Proof of Lemma 1
Claim: Pr[s = ŝ] ≥ 2^-{ I(S ; M, X_1) + H(S | M, X_1, X_2) }
By the protocol requirements (unforgeability): Pr[s = ŝ and m ≠ m̂] ≤ ε
Since n ≥ log(1/ε), we get Pr[s = ŝ and m ≠ m̂] ≥ Pr[s = ŝ] - 2^-n ≥ ½ Pr[s = ŝ]
which implies I(S ; M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε) - 1
48
Lower Bound
H(S) = I(S ; M, X_1) + I(S ; X_2 | M, X_1) + H(S | M, X_1, X_2)
Lemma 1 (Alice's randomness): I(S ; M, X_1) + H(S | M, X_1, X_2) ≥ log(1/ε) - 1
Lemma 2 (Bob's randomness): I(S ; X_2 | M, X_1) ≥ log(1/ε) - 1
Goal reached: H(S) ≥ 2log(1/ε) - 2
49
Outline
Manual channel model; our results; the protocol; lower bound; one-way functions are necessary for breaking the lower bound; conclusions
50
One-Way Functions
One-way functions are necessary for breaking the 2log(1/ε) lower bound in the computational setting
Theorem: if there are no one-way functions, the attacks of the lower bound can be carried out by a poly-time adversary
51
Recall: Proof of Lemma 1
Consider the following attack. Eve acts as follows: chooses m̂ ←R {0,1}^n; Alice → Eve: m, x_1; Eve → Bob: m̂, x_1; Bob → Eve: x̂_2; samples x_2 from the distribution of X_2 given m, x_1 and ŝ (this step is randomly inverting a function); Eve → Alice: x_2; Alice manually sends s; Eve forwards s
52
One-Way Functions
One-way functions: easy to compute; hard to invert given the image of a random input (hard to find even one inverse)
Distributionally one-way functions [IL89]: easy to compute; hard to randomly invert given the image of a random input (may be easy to find some inverses)
Any one-way function is also distributionally one-way; [IL89]: the existence of both primitives is equivalent
53
One-Way Functions
Eve has to sample X_2 given m, x_1 and s
Define f(m, r_A, r_B) = (m, x_1, x_2, s): the message, Alice's coins and Bob's coins are mapped to the transcript of the protocol
Define g(m, r_A, r_B) = (m, x_1, s)
If g is not distributionally one-way, Eve can randomly invert g (obtaining a preimage whose distribution is statistically close to uniform over the preimages) and apply f to compute x_2
Bob cannot distinguish between the two executions with significant probability
55
Conclusions
Manual channel: computational assumptions are not necessary
Protocol with a matching lower bound
Sharp threshold between unconditional and computational security: ℓ < log(1/ε) impossible; log(1/ε) ≤ ℓ < 2log(1/ε) computational security (one-way functions); ℓ ≥ 2log(1/ε) unconditional security
56
Reference
Moni Naor, Gil Segev, and Adam Smith. Tight Bounds for Unconditionally Secure Authentication Protocols in the Manual Channel and Shared Key Models. Advances in Cryptology - CRYPTO 2006.