Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Gil Segev, Moni Naor, Adam Smith
Weizmann Institute of Science, Israel
Pairing of Wireless Devices
(figure: the two devices exchange g^x and g^y over the air)
Scenario:
• Buy a new wireless camera
• Want to establish a secure channel for the first time
• E.g., Diffie-Hellman key agreement
Pairing of Devices
Cable pairing:
• Simple
• Cheap
• Authenticated channel
“I thought this is a wireless camera…”
Pairing of Wireless Devices
Wireless pairing
Problem: Active adversaries (“man-in-the-middle”)
(figure: the adversary substitutes its own g^a and g^b for the exchanged g^x and g^y)
Message Authentication
(figure: Alice sends m; Eve may replace it; Bob receives m̂)
• Assure the receiver of a message that it has not been changed by an active adversary
Pairing of Wireless Devices
(figure: the Diffie-Hellman pairing viewed as message authentication: the message is m = g^x || g^a, the adversary's version is m̂ = g^b || g^y)
Message Authentication (cont.)
• Without additional setup: Impossible!!
• Public Key: Signatures
  • Problem: No trusted PKI
• This Paper: Manual Channel
The Manual Channel
(figure: the devices exchange g^x, g^y (and the adversary's g^a, g^b) over the air, and each device displays the short string 141)
User can compare two short strings
Manual Channel Model
(figure: Alice and Bob exchange messages over the insecure channel; Alice sends the short string s over the manual channel)
• Insecure communication channel
• Low-bandwidth auxiliary channel:
  • Enables Alice to “manually” authenticate one short string s
• Adversarial power:
  • Choose the input message m
  • Insecure channel: Full control
  • Manual channel: Read, delay
  • Delivery timing
Manual Channel Model (cont.)
Goal: Minimize the length of the manually authenticated string
Manual Channel Model (cont.)
• No trusted infrastructure, such as:
  • Public key infrastructure
  • Shared secret key
  • Common reference string
  • ...
Suitable for ad hoc networks:
• Pairing of wireless devices
  • Wireless USB, Bluetooth
• Secure phones
  • AT&T, PGP, Zfone
• Many more...
The Manual Channel
(figure: both devices display 141)
Constants do matter! So how many bits can we manually authenticate? 20? 40? 160? ????
Previous Work
• [Rivest & Shamir ‘84]: The “Interlock” protocol
  • Mutual authentication of public keys
  • No trusted infrastructure
  • AT&T, PGP, …, Zfone
• [Vaudenay ‘05]:
  • Formal model
  • Computationally secure protocol for arbitrarily long messages
  • log(1/ε) manually authenticated bits, where ε is the forgery probability (optimal!)
  • [LAN ‘05, DDN ‘00]: Can be based on any one-way function (non-malleable commitments)
  • Efficient implementations: rely on a random oracle or assume a common reference string [DIO ‘98, DKOS ‘01]
Previous Work (cont.)
All of the above rely on computational assumptions!! Are those really necessary?
Our Results - Tight Bounds
(figure: Alice authenticates an n-bit message m using an ℓ-bit manually authenticated string s; ε is the forgery probability)
No setup or computational assumptions
• Upper bound: Constructed a log*n-round protocol in which ℓ = 2log(1/ε) + O(1)
  • Only twice as many bits as [V05]
• Matching lower bound: for n ≥ 2log(1/ε), ℓ ≥ 2log(1/ε) - 2
• One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting
Unconditional Security
Some advantages over computational security:
• Security against unbounded adversaries
• Exact evaluation of error probabilities
• Protocols are often
  • easier to compose
  • more efficient
(Example: key agreement protocols)
Our Results - Tight Bounds
(figure: ℓ plotted against log(1/ε): ℓ = 2log(1/ε) is achievable with unconditional security, ℓ = log(1/ε) with computational security assuming one-way functions, and anything below ℓ = log(1/ε) is impossible)
Preliminaries:
For m = m_1 ... m_k ∈ GF[Q]^k and x ∈ GF[Q], let m(x) = Σ_{i=1}^{k} m_i x^i.
Then, for any m ≠ m̂ and for any c, ĉ ∈ GF[Q],
Prob_{x ∈R GF[Q]} [ m(x) + c = m̂(x) + ĉ ] ≤ k/Q
(m(x) − m̂(x) + c − ĉ is a nonzero polynomial of degree at most k, so it has at most k roots in GF[Q])
Our Protocol (simplified)
• Based on the [GN93] hashing technique
• In each round, the parties:
  • Cooperatively choose a hash function
  • Reduce to authenticating a shorter message
• A short message is manually authenticated
Our Protocol (simplified), cont.
We hash m to x || m(x) + c, where one party chooses x and the other party chooses c
Our Protocol (simplified)
Both parties set Q1 ≈ n/ε, Q2 ≈ log(n)/ε
• Alice (input m) chooses a1 ∈R GF[Q1] and sends m, a1
• Bob chooses b1 ∈R GF[Q1], b2 ∈R GF[Q2] and sends b1, b2
• Both parties compute m1 = b1 || m(b1) + a1
• Alice chooses a2 ∈R GF[Q2] and manually authenticates m2 = a2 || m1(a2) + b2
• Bob accepts iff m2 is consistent
Manually authenticated: two GF[Q2] elements, i.e. 2log(1/ε) + 2loglog(n) + O(1) bits
• With k rounds, the 2loglog(n) term is reduced to 2log^{(k-1)}(n) (the (k-1)-times iterated logarithm)
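The polynomial hashing from the preliminaries and the simplified two-round protocol of this slide, written out as an added Python example (not the authors' code). The field sizes follow the slide (Q1 ≈ n/ε, Q2 ≈ log(n)/ε, taken as the next primes); the way an n-bit message is chunked into GF[Q] elements, the packing of m1 into GF[Q2] elements, and the single adversary hook on Alice's first message are my assumptions.

```python
import random

def next_prime(n):
    """Smallest prime >= n (trial division; adequate for the sizes used here)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def params(n, log1eps):
    """Field sizes from the slide: Q1 ~ n/eps and Q2 ~ log(n)/eps, with eps = 2**-log1eps."""
    return next_prime(n << log1eps), next_prime((n.bit_length() - 1) << log1eps)

def poly_hash(coeffs, x, q):
    """m(x) = sum_{i=1..k} m_i * x^i over GF[q] (q prime), evaluated by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc + c) * x % q
    return acc

def to_field(value, nbits, q):
    """Assumed encoding: split an nbits-bit integer into k = ceil(nbits / floor(log2 q)) GF[q] elements."""
    w = q.bit_length() - 1
    return [(value >> (w * i)) & ((1 << w) - 1) for i in range((nbits + w - 1) // w)]

def round1_digest(m, n, b1, a1, q1):
    """m1 = b1 || m(b1) + a1: Bob chose the point b1, Alice chose the offset a1."""
    return (b1, (poly_hash(to_field(m, n, q1), b1, q1) + a1) % q1)

def round2_digest(m1, a2, b2, q1, q2):
    """m2 = a2 || m1(a2) + b2, with m1 (two GF[q1] elements) re-encoded over GF[q2]."""
    packed = (m1[0] << q1.bit_length()) | m1[1]
    return (a2, (poly_hash(to_field(packed, 2 * q1.bit_length(), q2), a2, q2) + b2) % q2)

def run(m, n, q1, q2, seed, deliver=lambda m, a1: (m, a1)):
    """One execution; `deliver` models the adversary on Alice's first message (Bob's reply assumed intact)."""
    rng = random.Random(seed)
    a1 = rng.randrange(q1)                            # Alice -> Bob: m, a1
    m_hat, a1_hat = deliver(m, a1)                    # what Bob actually receives
    b1, b2 = rng.randrange(q1), rng.randrange(q2)     # Bob -> Alice: b1, b2
    m1_alice = round1_digest(m, n, b1, a1, q1)
    m1_bob = round1_digest(m_hat, n, b1, a1_hat, q1)
    a2 = rng.randrange(q2)
    m2 = round2_digest(m1_alice, a2, b2, q1, q2)      # Alice ==manual channel==> Bob
    return m2 == round2_digest(m1_bob, a2, b2, q1, q2)  # Bob accepts iff m2 is consistent

def forgery_bound(n, q1, q2):
    """Union bound k1/Q1 + k2/Q2 on the forgery probability (k = number of GF[Q] coefficients)."""
    k1 = len(to_field(0, n, q1))
    k2 = len(to_field(0, 2 * q1.bit_length(), q2))
    return k1 / q1 + k2 / q2
```

Calling run(m, n, q1, q2, seed, deliver=lambda m, a1: (m ^ 1, a1)) models an adversary flipping one bit of m; Bob then accepts with probability at most forgery_bound(n, q1, q2), and for n = 1024, ε = 2^-10 the manually authenticated m2 is two 14-bit field elements, matching the slide's 2log(1/ε) + 2loglog(n) + O(1).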
Lower Bound - Intuition
(figure: Alice sends m, x1; Bob sends x2; Alice manually authenticates s)
• m ∈R {0,1}^n
• M, X1, X2, S are well-defined random variables
Lower Bound - Intuition (cont.)
• Goal: H(S) ≥ 2log(1/ε)
Evolving intuition:
• The parties must use at least log(1/ε) random bits
• Each party must use at least log(1/ε) random bits
• Each party must independently reduce H(S) by log(1/ε) bits
H(S) = [H(S) − H(S | M, X1)] + [H(S | M, X1) − H(S | M, X1, X2)] + H(S | M, X1, X2)
(the first bracket is Alice's randomness, the second bracket is Bob's randomness)
Lower Bound - Intuition (cont.)
• Goal: H(S) ≥ 2log(1/ε)
H(S) = [H(S) − H(S | M, X1)] + [H(S | M, X1) − H(S | M, X1, X2)] + H(S | M, X1, X2)
• H(S) − H(S | M, X1) + H(S | M, X1, X2) ≥ log(1/ε)
• H(S | M, X1) − H(S | M, X1, X2) ≥ log(1/ε)
Adding the two inequalities gives H(S) ≥ 2log(1/ε).
Summary
• Manual Channel
• Computational assumptions are not necessary
• Protocol
• Matching lower bound
• Sharp threshold between unconditional and computational: ℓ = 2log(1/ε) unconditionally, ℓ = log(1/ε) with one-way functions, below that impossible
Thank you!
• Research supported by
  • Adi Shamir’s Turing Award fund
  • Israel Science Foundation
• Trip to CRYPTO supported by
Shared Secret Key
(here ℓ is the length of the shared key)
• Known upper bound: [GN93] interactive protocol with ℓ = 2log(1/ε) + O(1)
• Known lower bound (only non-interactive): ℓ ≥ 2log(1/ε) [GMS74, S84, S85, S88, M00]
Our results:
• Lower bound (interactive!): ℓ ≥ 2log(1/ε)
  • Even when authenticating one bit
• Again, one-way functions are necessary for breaking the lower bound in the computational setting