1 / 43

I nformation-Theoretic Key Agreement from Close Secrets: A Survey

This survey explores information-theoretic key agreement protocols and their guarantees, including information reconciliation and privacy amplification, against a passive adversary. It discusses various constructions, including the use of error-correcting codes and fuzzy extractors.

katherinerussell
Download Presentation

I nformation-Theoretic Key Agreement from Close Secrets: A Survey

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information-Theoretic Key Agreement from Close Secrets: A Survey Leonid ReyzinBoston University March 1, 2011 IPAM Workshop on Mathematics of Information-Theoretic Cryptography

  2. Information-Theoretic Key Agreement fromClose Secrets: A Survey Alice Bob w w′

  3. Information-Theoretic Key Agreement from Close Secrets: A Survey Alice Bob w w′ R R

  4. info-theoretic guarantees Information-Theoretic Key Agreement from Close Secrets: A Survey Alice Bob w w′ R R

  5. info-theoretic guarantees Information-Theoretic Key Agreement from Close Secrets: A Survey Biased bywhat I know andtime constraints Alice Bob w w′ R R

  6. w basic paradigm Alice Bob w w′ Eve

  7. some information about w basic paradigm: passive adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w Conversation about removing Eve’s information also known as privacy amplification R R Eve

  8. w w R Ext Ext R i i minentropy k uniform uniform jointly uniform privacy amplification not uniform w i Alice Bob R i Eve (e.g., knows something about it) Goal: from a nonuniform secret w agree on a uniform secret R Simple solution: use an extractor w Ext R seed i

  9. w w R Ext Ext R i i privacy amplification not uniform w i Alice Bob R i Eve • [Ozarow-Wyner 84]: nonconstructive solution • [Bennett-Brassard-Robert 85]: universal hashing for any Eve’s knowledge • Much early work for specific distributions of w and classes of Eve’s knowledge, motivated by quantum key agreement • Much early analysis using Shannon entropy and mutual information • [Bennett-Brassard-Crépeau-Maurer 94]: - Renyi entropy (collision entropy) of w is better than Shannon; - low mutual information between R and Eve may not be enough

  10. w w R Ext Ext R i i conditional min-entropy, defined in Dodis-Ostrovsky-Reyzin-Smith, 2004, as log Pr[Eve can guess w correctly given E] w privacy amplification not uniform w i Alice Bob R i Eve • Let E denote Eve’s knowledge • Requirement: H(W|E) is sufficiently high • End result: (R, i, E)  (U, U, E)

  11. basic paradigm: passive adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w Conversation about removing Eve’s information also known as privacy amplification R R Eve

  12. seed i to a strong extractor Goal: minimize amount of information leaked about w, i.e., maximize H(W|protocol messages) basic paradigm: passive adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w R R Eve

  13. basic paradigm: passive adversary Alice Bob focus: single-message,starting with Bennett-Brassard-Robert 85 (interactive protocols more rare e.g., Brassard-Salvail 93) w w′ s w Goal: minimize amount of information leaked about w, i.e., maximize H(W|protocol messages) Eve

  14. minentropy k entropy loss l definition: secure sketch • Alice computes sketchs = S (w) • Bob recovers w from s and w′ w • Def [Dodis-Ostrovsky-R-Smith 04]: (k, kl)-secure sketch if H(W| S(W)) ≥ kl S s w same definition regardless of metric w′ Rec w s

  15. background: error-correcting codes Code C: {0,1}m  {0,1}n • encodes m-bit messages into n-bit codewords • any two codewords differ in at least d locations • fewer than d/2 errors  unique correct decoding • If C is linear, there is parity-check matrixH • syndrome Hx = “errors in x”; Hx = 0 x is a codeword x Hx C

  16. building secure sketches • Idea: what if w is a codeword in an ECC? • Decoding finds w from w′ • If w not a codeword, simply shift the ECC • S(w) is the shift to randomcodeword:S(w) = w ECC(R) • Rec: dec(w′S)  S • Linear codes: save space S(w) = “errors in w” = syndrome(w) = Hw(H: parity check matrix) w′ w –S +S dec S(w)

  17. syndrome or code-offset construction S(w) = HwORS(w) = w ECC(R) • If ECC m bits  n bits and has distance d: • Correct d/2 errors • S(w) has n– m bits  entropy loss l = n– m bits • Optimal if code is optimal (because secure sketch  ECC) • higher error-tolerance means higher entropy loss(trade error-tolerance for security) • Bennett-Brassard-Robert 1985: different construction from systematic codes • Bennet-Brassard-Crépeau-Skubiszewska 1991: Hw • Juels-Watenberg 2002: w ECC(R)

  18. solution for passive adversary Alice Bob w w′ s S w R s,i Ext i w′ w Rec s R Ext i Eve information reconciliation + privacy amplification = fuzzy extractor [Dodis-Ostrovsky-R-Smith 04]

  19. [Dodis-Ostrovsky-R-Smith 04] [Linnartz-Tuyls 03],[Li-Sutcu-Memon 06] Starts in [Juels-Sudan 02];relates to efficient set reconciliation [Minsky-Trachtenberg 02] Chang-Fedyukovich-Li 06 definition: fuzzy extractor • First time: generate random R from w (+ seed) • Subsequently: reproduceR from P and w′ w • R is nearly uniform given Pif w has sufficient minentropy • Applications beyond key agreement • Sketch+extractor is not the only way to build them • Constructions exist for Hamming, set difference, edit, point-set, some continuous, … w R Gen seed P =(s, i) in our construction w′ Rep R P

  20. active adversary • Starting in Maurer and Maurer-Wolf 1997 • Interesting even if w = w′ Alice Bob Eve w w′ R R or  or 

  21. same paradigm: active adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w or  or  Conversation about removing Eve’s information also known as privacy amplification R R or  or 

  22. extractor seed i extractor seed i′ same paradigm: active adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w or  or  Eve ′ R R or  or  Need: robust extractor[Boyen-Dodis-Katz-Ostrovsky-Smith 05]

  23. Key??? building robust extractors w Idea 0: Ext R i MAC P = (i,)  R? But if i changes  R changes Let’s use w! [Maurer-Wolf 03] But w is not uniform  need MACs secure even with nonuniform keys Random oracle is such a MAC[Boyen-Dodis-Katz-Ostrovsky-Smith 05]

  24. n/2 n/2  + MACs with nonuniform keys (no R.O.) a b key= i MACa,b(i) =  = ai + b

  25. n/2 n/2 gapg entropy k MACs with nonuniform keys (no R.O.) a b key w = MACa,b(i) =  = ai + b Let |a,b|= n,H(a,b) = k Let “entropy gap” n  k = g. Security: k  n/2=n/2 g

  26. n/3 n/3 n/3 a c w = b extract from here using i MAC i usingthese building robust extractors [Maurer-Wolf 03]: Circularity! iextracts from ww authenticates i w 1/3 of Ext R i Use independentparts of w MAC  w 2/3 of P = (i,) Extract k 2n/3 bits; thus, need k> 2n/3 Can we do better? [Dodis-Katz-R-Smith 06] idea: use circularity to our advantage!

  27. nv v +  = [ai]1 + b R = [ai]v+1 v nv i  building robust extractors Notation: |w| = n,H(w) = k, “entropy gap” n  k = g Analysis: • Extraction: (R, )=ai + b is a universal hash family (few collisions)(i is the key, w=(a, b) is the input) • Robustness:  = [ai]1 + b is strongly universal (2-wise indep.)(w=(a, b) is the key, i is the input); need v > g [Dodis-Katz-R.-Smith 06] construction: a w = b Extractn2v < n2g = k g = 2(kn/2) bits w = lossg gapg

  28. active adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w Conversation about removing Eve’s information also known as privacy amplification R R Eve

  29. output P=(i,) of a robust extractor Use secure sketch s=S(w) Authenticate it using w in same MAC active adversary Alice Bob Conversation about their differences w w′ also known as information reconciliation w w R R Eve

  30. Ext seed i ai]1 + b  s MAC v S key R = [ai]v+1 nv How to MAC long messages? w’ s seed linear function building robust fuzzy extractors w a5+ = [ a2s+ w authenticates ss reconstructs w Need: MAC that is secure even when key is corrupted! What does Bob do? First appearance [Dodis-Katz-R-Smith 06]Generalized by Cramer-Dodis-Fehr-Padró-Wichs ‘08,Key-Manipulation-Secure MACs (against additive changes) (and detection of additive manipulation in other contexts) (relates to codes for detection of hardware errors/tampering [Karpovsky-Nagvajara 89]) ~ w ~ Rec Ext ~ R i ~ ~ ~ Ver() ok/ s ~ key

  31. ~ P P w′ Rep R or  ~ P robust fuzzy extractor solution for active adversary Bob Alice w′ w = lossg gapg w R, P= s,i, Ext i Eve Extract k g = 2(k n/2) bits[Dodis-Spencer 02, Dodis-Wichs 09] even if w=w′ What if k< n/2? -- shared random string model [Cramer-Dodis-Fehr-Padró-Wichs 08] -- interaction (can’t be used when A&B separated in time!)

  32. beating active adversary with interaction Alice Bob Conversation about their differences w w′ also known as information reconciliation w w or  or  Conversation about removing Eve’s information also known as privacy amplification R R or  or  Interactive version: Renner-Wolf 2003 Need to authenticate extractor seed i Problem: if H(w)<|w|/2, w can’t be used as a MAC key Idea: use interaction, one bit in two rounds

  33. authenticating a bit b [Renner-Wolf 03] w Ext responsey y = Extx(w) x iff b=1; else just send 0 Note: Eve can make Bob’s view  Alice’s view x′ x w Eve w Ext y′ Ext y y′ y x′ x Alice Bob w w challenge x Accept 1 if Extx(w) is correct w′ But Eve can’t change 0 to 1! (To prevent change of 1 to 0, make #0s = #1s) Even if Bob has a different w′ as long as it has entropy! Note that each bit authenticated reduces entropy by |y|

  34. and secure sketch s Authenticate extractor seed i one bit at a time (make seed “balanced”, so #0s = #1s) beating active adversary with interaction Alice Bob Conversation about their differences w w′ also known as information reconciliation w w or  or  Conversation about removing Eve’s information also known as privacy amplification R R or  or  Problem: s too long, not enough entropy!

  35. information reconciliation with weakw • [Kanukurthi-R. 09]: Reduce entropy loss using a MAC • MAC needs a symmetric key k • Where does k come from? Generate random k and authenticate it Alice Bob w w′≈ w Interactive authentication reveals k! interactive authent. of k S(w),  = MACk(S(w)) Main idea: Even though Auth reveals k, once Bob has , it is too late for Eve to come up with forgery!

  36. Information-Theoretic Key Agreement from Close Secrets: A Survey Alice Bob w w′ R R

  37. improving efficiency w Ext responsey y = Extx(w) x iff b=1; else just send 0 recall: interactive bit-by-bit authentication Alice Bob w w challenge x Accept 1 if Extx(w) is correct Two problems: 1) For  security, you send () bits, so need () rounds 2) For  security, |y| = , so each round loses  entropy

  38. improving entropy loss w Ext responsey y = Extx(w) x iff b=1; else just send 0 Alice Bob w w challenge x Accept 1 if Extx(w) is correct Two problems: 1) For  security, you send () bits, so need () rounds 2) For  security, |y| = , so each round loses  entropy Getting optimal entropy loss [Chandran-Kanukurthi-Ostrovsky-R ’10]: -- Make |y| = constant. -- Now Eve can change/insert/delete a constant fraction of bits-- Encode whatever you are sending in an edit distance code [Schulman-Zuckerman99] of const. rate, correcting constant fraction

  39. improving entropy loss w Ext responsey y = Extx(w) x iff b=1; else just send 0 Alice Bob w w challenge x Accept 1 if Extx(w) is correct Two problems: 1) For  security, you send () bits, so need () rounds 2) For  security, |y| = , so each round loses  entropy

  40. improving round complexity [Dodis-Wichs09] w w y y Ext Ext x x Uses alternating extractor of [Dziembowski-Pietrzak 08, leakage-resilient PRGs] Alice Bob Goal: to authenticate m w w seed x  = MACy(m) Problem: w x′ x Ext y w Eve x Ext y′ x′ Forged MAC′ onm′ ?   = MACy′ (m) Need: MAC that is secure even when key is corrupted! Idea: limit the types of corruption by building a (somewhat) non-malleable extractor (need |y| = (2))

  41. improving efficiency w Ext responsey y = Extx(w) x iff b=1; else just send 0 recall: interactive bit-by-bit authentication Alice Bob w w challenge x Accept 1 if Extx(w) is correct Two problems: 1) For  security, you send () bits, so need () rounds 2) For  security, |y| = , so each round loses  entropy 1) solved by [Dodis-Wichs 09] 2) solved by [Chandran-Kanukurthi-Ostrovsky-R 10] Open: solving 1) and 2) simultaneously: get 2 rounds and () loss [Wooley-Zuckerman Saturday]: no longer open for k > n/2

  42. conclusions • Even very weak secrets suffice • Even against active attackers • Lots of applications, e.g., • user authentication [too many to list] • bounded storage model [Ding 05, Dodis-Smith 05] • differential privacy [Dwork 06] • protection against hardware tampering [Karpovsky-Taubin 04] • security based on physical components [Yu-Devadas 10] • Many protocols practical enough to be implemented

  43. needs/open problems • Better theoretical efficiency • 1 round and () loss when at least half-entropic • 2 rounds and () loss when less than half-entropic • Better practical efficiency • Constructions for other metric spaces • Beating coding bounds for better error correction (e.g., use of randomness [Smith 07] or interaction [Brassard-Salvail 93]) • Modeling of key agreement beyond two parties (a la computational case) • Understanding reusability of w [Boyen 04, Fehr-Bouman 11 (Fri)]

More Related