Seminar in Foundations of Privacy

Seminar in Foundations of Privacy Message Authenticationin the Manual Channel Model Gil Segev

Pairing of Wireless Devices Scenario: • Buy a new wireless camera • Want to establish a secure channel for the first time • Diffie-Hellman key agreement protocol

Diffie-Hellman Key Agreement • Alice and Bob wish to agree on a secret key • Public parameters: • Group G • Generator g2G gx Alice Bob gy Both parties computeKA,B = gxy • Security: Even when given (G, g, gx, gy) it is still hard to compute gxy

Diffie-Hellman Key Agreement • Computational Diffie-Hellman assumption (CDH):For every probabilistic polynomial-time algorithm A, every polynomial p(n) and for all sufficiently large n, Pr[A(Gn,gn,gnx,gny) = gnxy] < 1/p(n) The probability is taken over A’s internal coins tosses and over the random choice of (x,y) • Decisional Diffie-Hellman assumption (DDH): c {(g, gx, gy, gxy)}  {(g, gx, gy, gc)} for random x, y and c. Computational Indistinguishability

Diffie-Hellman Key Agreement • Alice and Bob wish to agree on a secret key • Public parameters: • Group G • Generator g2G gx Alice Bob gy Both parties computeKA,B = gxy • CDH assumption: KA,B is hard to guess • DDH assumption:KA,Bis as good as a random secret • Secure against passive adversaries • Eve is only allowed to read the sent messages

Pairing of Wireless Devices gx Scenario: • Buy a new wireless camera • Want to establish a secure channel for the first time • Diffie-Hellman key agreement protocol gy

Pairing of Devices Wireless Cable pairing • Simple • Cheap • Authenticated channel “I thought this is a wireless camera…”

Pairing of Wireless Devices Wireless pairing Problem: Active adversaries (“man-in-the-middle”)

Pairing of Wireless Devices Wireless pairing gy gx ga gb Problem: Active adversaries (“man-in-the-middle”)

ENC(KA,E,m) ENC(KE,B,m) Alice Eve Bob Diffie-Hellman Key Agreement gx gy • Suppose now that Eve is an active adversary • “man-in-the-middle” attacker Alice Eve Bob ga gb KA,E = gxa KE,B = gby • Completely insecure: • Eve can decrypt m, and then re-encrypt it

Diffie-Hellman Key Agreement gx gy • Suppose now that Eve is an active adversary • “man-in-the-middle” attacker Alice Eve Bob ga gb KA,E = gxa KE,B = gby • Solution - Message authentication: • Alice and Bob authenticate gx and gy

^ m Message Authentication • Assure the receiver of a message that it has not been changed by an active adversary m Alice Eve Bob Problem specification: Completeness: No interference m Bob accepts m (with high probability) Soundness: mPr[Bob accepts m  m ] ^

One-Time Authentication • The secret key enables a single authentication of a message m  {0,1}n • H = {h| h: {0,1}n → {0,1}k } is a family of hash functions • Alice and Bob share a random function hH • h is not known to Eve • To authenticate m  {0,1}n Alice sends (m,h(m)) ^ • Upon receiving (m,z): • If z = h(m), then Bob outputs m and halts • Otherwise, Bob outputs ? and halts ^ ^

One-Time Authentication • Hard to guess h(m) • Success probability at most  • Should hold for any m ^ • What properties do we require from H? ^

One-Time Authentication • Hard to guess h(m) even given h(m) • Success probability at most  • Should hold for any m and m ^ • What properties do we require from H? ^ • Short representation for h- must have small log|H| • Easy to compute h(m)given h and m

Universal Hash Functions • Given h: {0,1}n → {0,1}k we can always guess a correct output with probability at least 2-k • A family where this is tight is called universal2 Definition: a family H = {h| h: {0,1}n → {0,1}k } is called Strongly Universal2or pair-wise independent if: • for allm1 m2 {0,1}nand y1, y2 {0,1}kwe have Pr[h(m1) = y1 and h(m2) = y2 ] = 2-2k where the probability is over a randomly chosen hH In particularPr[h(m2) = y2 | h(m1) = y1 ] = 2-k Theorem: when a strongly universal2 family is used in the protocol, Eve’s probability of cheating is at most 2-k

Constructing Universal Hash Functions The linear polynomial construction: • Fix a finite field F of size at least the message space 2n • Could be either GF[2n] or GF[P] for some prime P ≥ 2n • The family Hof functionsh: F→ Fis defined as H= {ha,b(m) = a∙m + b | a, b  F} Claim: the family above is strongly universal2 Proof: for everym1≠m2,y1, y2 Fthere are uniquea, b  Fsuch that a∙m1+b = y1 a∙m2+b = y2 Size: each hHrepresented by 2n bits

Lower Bound Theorem:Let H= {h| h: {0,1}n → {0,1}} be a family of pair-wise independent functions. Then |H| isΩ(2n) More precisely, to obtain a d-wise independence family |H| should beΩ(2n└d/2┘) • N. Alon and J. SpencerThe Probabilistic MethodChapter 15 (derandomization), Proposition 2.3

More on Authentication • Reducing the length of the secret key • Almost-pair-wise independent hash functions • Interaction • Using the same secret key to authenticate any polynomial number of messages • Requires computational assumptions • Pseudorandom functions • Authentication in the public-key world • Much more to discuss…

^ m = gb || gy Pairing of Wireless Devices Wireless pairing gy gx ga gb m = gx || ga • Impossible without additional setup

Pairing of Wireless Devices Wireless pairing gy gx ga gb Solution: Manual Channel

The Manual Channel Wireless pairing gy gx 141 ga gb 141 User can compare two short strings

Manual Channel Model m Alice Bob s . . . s • Insecure communication channel • Low-bandwidth auxiliary channel: • Enables Alice to “manually” authenticate one short string s s Interactive Non-interactive • Adversarial power: • Choose the input message m • Insecure channel: Full control • Manual channel: Read, delay • Delivery timing

Manual Channel Model m Alice Bob s . . . s • Insecure communication channel • Low-bandwidth auxiliary channel: • Enables Alice to “manually” authenticate one short string s s Interactive Non-interactive Goal:Minimize the length of the manually authenticated string

Manual Channel Model m Alice Bob s . . . s s • No trusted infrastructure, such as: • Public key infrastructure • Shared secret key • Common reference string • ....... Suitable for ad hoc networks: • Pairing of wireless devices • Wireless USB, Bluetooth • Secure phones • AT&T, PGP, Zfone • Many more...

Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices 141 141

Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices • Type a string, displayed by one device, into the other device 141 141

Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices • Type a string, displayed by one device, into the other device • Visual hashing

Why Is This Model Reasonable? • Implementing the manual channel: • Compare two strings displayed by the devices • Type a string, displayed by one device, into the other device • Visual hashing • Voice channel 141 141

Alice Eve Bob ^ m m H(m) The Naive Solution m Alice Bob H(m) • H - collision resistant hash function (e.g., SHA-256) • No efficient algorithm can find m  m s.t. H(m) = H(m) with noticeable probability • Any adversary that forges a message can be used to find a collision for H ^ ^

The Naive Solution m Alice Bob H(m) • H - collision resistant hash function (e.g., SHA-256) • No efficient algorithm can find m  m s.t. H(m) = H(m) with noticeable probability • Any adversary that forges a message can be used to find a collision for H ^ ^ Are we done? • No. The output length of SHA-256 is too long (160 bits) • Cannot be easily compared or typed by humans

Tight Bounds m n-bit . . . s ℓ-bit  forgery probability No setup or computational assumptions • Upper bound: log*n-round protocol in which ℓ = 2log(1/) + O(1) • Matching lower bound: n  2log(1/)  ℓ  2log(1/) - 2 • One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

Our Results - Tight Bounds ℓ ℓ = 2log(1/) ℓ = log(1/) One-way functions Unconditional security Computational security Impossible log(1/)

Outline • Security definition • Tight bounds • The protocol • Lower bound

Security Definition m n-bit . . . s ℓ-bit Unconditionally secure(n, ℓ, k, )-authentication protocol: • n-bit input message • ℓ manually authenticated bits • k rounds Completeness: No interference m Bob accepts m (with high probability) ^ Unforgeability: mPr[ Bob accepts m  m ]

Preliminaries: For m = m1 ... mk GF[Q]k and x GF[Q], let m(x) = mixi k  i = 1 The Protocol (simplified) • Based on the [GN93] hashing technique • In each round, the parties: • Cooperatively choose a hash function • Reduce to authenticating a shorter message • A short message is manually authenticated ^ Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ ^ Prob x RGF[Q] [ m(x) + c = m(x) + c ]  k/Q

Preliminaries: For m = m1 ... mk GF[Q]k and x GF[Q], let m(x) = mixi k  i = 1 ^ Then, for any m ≠ m and for any c, c  GF[Q], ^ ^ ^ Prob x RGF[Q] [ m(x) + c = m(x) + c ]  k/Q The Protocol (simplified) x || m(x) + c We hash m to Other party chooses c One party chooses x

The Protocol (simplified) Alice Bob m a1 a1R GF[Q1] b1R GF[Q1] b2 b1 a2R GF[Q2] b2R GF[Q2] m2 Accept iff m2 is consistent m0 = m Both parties set: Q1 n/ , Q2 log(n)/ m1 = b1 || m0(b1) + a1 m2 = a2 || m1(a2) + b2 2log(1/) + 2loglog(n) + O(1)manually authenticated bits Two GF[Q2]elements • k rounds 2loglog(n) is reduced to 2log(k-1)(n)

Security Analysis • Must consider all generic man-in-the-middle attacks. • Three attacks in our case: Attack #1 Alice Eve Bob ^ ^ m a1 m a1 ^ ^ b2 b2 b1 b1 m2

Security Analysis • Must consider all generic man-in-the-middle attacks. • Three attacks in our case: Attack #2 Alice Eve Bob ^ ^ m a1 b2 b1 m a1 ^ ^ b2 b1 m2

Security Analysis • Must consider all generic man-in-the-middle attacks. • Three attacks in our case: Attack #3 Alice Eve Bob m a1 ^ ^ b2 b1 m2 ^ ^ m a1 b2 b1 m2

Security Analysis – Attack #1 Alice Eve Bob ^ ^ m a1 m a1 ^ ^ b2 b2 b1 b1 m2 ^ m0,A = m m0,B = m ^ ^ ^ m1,A = b1 || m0,A(b1) + a1 m1,B = b1 || m0,B(b1) + a1 ^ m2,A = a2 || m1,A(a2) + b2 m2,B = a2 || m1,B(a2) + b2 m0,A m0,B and m2,A = m2,B Pr[ m1,A = m1,B ] + Pr[ m1,A m1,B and m2,A = m2,B ] /2 + /2

Pr[ m1,A = m1,B ] Security Analysis – Attack #1 Alice Eve Bob ^ ^ m a1 m a1 ^ b1 b1 ^ m0,A = m m0,B = m ^ ^ ^ m1,A = b1 || m0,A(b1) + a1 m1,B = b1 || m0,B(b1) + a1 Claim: ^ • Eve chooses b1 b1 • Eve chooses b1 = b1 m1,A m1,B ^  /2 ^ Pr[ m0,A(b1) + a1 = m0,B(b1) + a1 ]  /2

Lower Bound Alice Bob m, x1 x2 s • mR {0,1}n M, X1, X2, S are well defined random variables

Lower Bound Alice Bob M, X1 X2 S • Goal: H(S)  2log(1/)

Shannon Entropy • Let X be random variable over domain X with probabilitydistribution PX • The Shannon entropy of X is H(X) = - ∑x2XPX(x) log PX(x) (where 0log0 = 0) • Measures the amount of randomness in X on average • Measures how much we can compress X on average 0 · H(X) · log|X| Equality ,X is constant Equality ,X is uniform

A Related Notion: Min-Entropy • Let X be random variable over domain X with probabilitydistribution PX • The min-entropy of X is H1(X) = - log maxx2XPX(x) • Measures the amount of randomness in X in the worst-case • Represents the most likely value(s) 0 · H1(X) · H(X) · log|X| Equality ,X is uniform Equality ,X is constant Equality ,X is uniform

Conditional Shannon Entropy • Let X and Y be two random variables over domains X and Ywith probability distributions PX andPY • The conditional Shannon entropy of X given Y is H(X|Y) = ∑y2YPY(y) H(X|Y=y) • Observation: H(X,Y) = H(X) + H(Y|X) H(X,Y) = H(Y) + H(X|Y)

Seminar in Foundations of Privacy