Foundations of Cryptography Lecture 7: Message Authentication in the Manual Channel Model Lecturer: Gil Segev.

Download Report

Transcript Foundations of Cryptography Lecture 7: Message Authentication in the Manual Channel Model Lecturer: Gil Segev. 

Foundations of Cryptography
Lecture 7:
Message Authentication in the Manual Channel Model
Lecturer: Gil Segev
Diffie-Hellman Key Agreement

Alice and Bob wish to agree on a secret key
gx
Alice
Bob
gy
Both parties compute KA,B = gxy

DDH assumption:
{(g,
gx,
gy,
for random x, y and c.
c
xy
g )} 
{(g, gx, gy, gc)}
Computational
Indistinguishability
2
Diffie-Hellman Key Agreement

Alice and Bob wish to agree on a secret key
Alice
gx
gy
Bob
Both parties compute KA,B = gxy


DDH assumption: KA,B as good as a random secret
Secure against passive adversaries


Eve is only allowed to read the sent messages
Can now use KA,B as a one-time pad:
Alice
KA,B  z
Bob
3
Diffie-Hellman Key Agreement

Suppose now that Eve is an active adversary

“man-in-the-middle” attacker
Alice
gx
ga
Eve
KA,E = gxa

gy
gb
Bob
KE,B = gby
Completely insecure:

Eve can decrypt z, and then re-encrypt it
Alice
KA,E  z
Eve
KE,B  z
Bob
4
Diffie-Hellman Key Agreement

Suppose now that Eve is an active adversary

“man-in-the-middle” attacker
Alice
gx
ga
Eve
KA,E = gxa

gb
Bob
KE,B = gby
Solution - Message authentication:


gy
Alice and Bob authenticate gx and gy
Problem - Authentication requires setup, such as:


Shared secret key
Public key infrastructure
5
Practical
Scenario
6
Pairing of Wireless Devices
gx
gy
Scenario:
 Buy a new wireless camera
 Want to establish a secure channel for the first time

E.g., Diffie-Hellman key agreement
7
Pairing of Wireless Devices
Cable pairing



Simple
Cheap
Authenticated channel
“I thought this is a
wireless
camera…”
8
Pairing of Wireless Devices
Wireless pairing
Problem: Active adversaries (“man-in-the-middle”)
9
Pairing of Wireless Devices
Wireless pairing
gx
gy
ga
gb
Problem: Active adversaries (“man-in-the-middle”)
10
Message Authentication

Assure the receiver of a message that it has not been
changed by an active adversary
Alice
m
Eve
^
m
Bob
11
Pairing of Wireless Devices
gx
gy
ga
gb
m = gx || ga
^ = gb || gy
m
12
Message Authentication

Assure the receiver of a message that it has not been
changed by an active adversary
Alice



m
Eve
^
m
Bob
Without additional setup: Impossible !!
Public Key: Signatures
Problem: No trusted PKI
Solution:
Manual Channel
13
The Manual Channel
gx
gy
ga
gb
141
User can
compare two
short strings
14
Manual Channel Model
Bob
...
Alice
m
s
s
Interactive


Insecure communication channel
Low-bandwidth auxiliary channel:


Non-interactive
Enables Alice to “manually” authenticate one short string s
Adversarial power:




Choose the input message m
Insecure channel: Full control
Manual channel: Read, delay
Delivery timing
15
Manual Channel Model
Bob
...
Alice
m
s
s
Interactive


Insecure communication channel
Low-bandwidth auxiliary channel:

Non-interactive
Enables Alice to “manually” authenticate one short string s
Goal:
Minimize the length of the manually authenticated string
16
Manual Channel Model
Bob
...
Alice
m
s
s

No trusted infrastructure, such as:




Public key infrastructure
Shared secret key
Common reference string
.......
Suitable for ad hoc networks:

Pairing of wireless devices


Secure phones


Wireless USB, Bluetooth
AT&T, PGP, Zfone
Many more...
17
Why Is This Model Reasonable?
Implementing the manual channel:
 Compare two strings displayed by the devices
141
18
Why Is This Model Reasonable?
Implementing the manual channel:
 Compare two strings displayed by the devices
 Type a string, displayed by one device, into the other device
141
19
Why Is This Model Reasonable?
Implementing the manual channel:
 Compare two strings displayed by the devices
 Type a string, displayed by one device, into the other device
 Visual hashing
20
Why Is This Model Reasonable?
Implementing the manual channel:
 Compare two strings displayed by the devices
 Type a string, displayed by one device, into the other device
 Visual hashing
 Voice channel
21
The Naive Solution
m
Alice
Bob
H(m)

H - collision resistant hash function (e.g., SHA-256)


^ = H(m) with noticeable
^  m s.t. H(m)
No efficient algorithm can find m
probability
Any adversary that forges a message can be used to find a collision
for H
Alice
m
Eve
^
m
Bob
H(m)
22
The Naive Solution
Alice
m
Bob
H(m)

H - collision resistant hash function (e.g., SHA-256)


^ = H(m) with noticeable
^  m s.t. H(m)
No efficient algorithm can find m
probability
Any adversary that forges a message can be used to find a collision
for H
Are we done?

No. The output length of SHA-256 is too long (160 bits)

Cannot be easily compared or typed by humans
23
Previous Work

[Rivest & Shamir `84]: The “Interlock” protocol


Mutual authentication of public keys
No trusted infrastructure

AT&T, PGP,…, Zfone

[Vaudenay `05]:





Forgery
probabilit
y
Formal model
Computationally secure protocol for arbitrary long messages
log(1/) manually authenticated bits Optimal !
[LAN `05, DDN `00]: Can be based on any one-way function
(non-malleable commitments)
Efficient implementations:


Rely on a random oracle
or
Assume a common reference string [DIO `98, DKOS `01]
24
Previous Work

[Rivest & Shamir `84]: The “Interlock” protocol


Mutual authentication of public keys
No trusted infrastructure

AT&T, PGP,…, Zfone

[Vaudenay `05]:





Computational
Assumptions !!
Forgery
probabilit
y
Formal model
Computationally secure protocol for arbitrary long messages
log(1/) manually authenticated bits Optimal !
[LAN `05, DDN `00]: Can be based on any one-way function
(non-malleable commitments)
Are those really
Efficient implementations:


necessary?
Rely on a random oracle
or
Assume a common reference string [DIO `98, DKOS `01]
25
Our Results - Tight Bounds
n-bit
...
m
s
ℓ-bit
 forgery probability
No setup or computational assumptions
Only twice as
many as [V05]



Upper bound:
Constructed log*n-round protocol in which ℓ = 2log(1/) + O(1)
Matching lower bound: n  2log(1/)

ℓ  2log(1/) - 2
One-way functions are necessary (and sufficient) for breaking the
lower bound in the computational setting
26
Unconditional Security
Some advantages over computational security:

Security against unbounded adversaries

Exact evaluation of error probabilities

Protocols are often

easier to compose

more efficient
Key agreement
protocols
27
Our Results - Tight Bounds
ℓ = 2log(1/)
ℓ
ℓ = log(1/)
One-way
functions
Unconditional
security
Computational
security
Impossible
log(1/)
28
Outline

Security definition

Our results


The protocol

Lower bound

One-way functions are necessary for
breaking the lower bound
Conclusions
29
Security Definition
n-bit
...
m
s
ℓ-bit
Unconditionally secure (n, ℓ, k, )-authentication protocol:



n-bit input message
ℓ manually authenticated bits
k rounds
Completeness: No interference  m Bob accepts m
(with high probability)
^ m]
Unforgeability: m Pr[ Bob accepts m
30
Outline

Security definition

Our results


The protocol

Lower bound

One-way functions are necessary for
breaking the lower bound
Conclusions
31
The Protocol (simplified)


Based on the [GN93] hashing technique
In each round, the parties:



Cooperatively choose a hash function
Reduce to authenticating a shorter message
A short message is manually authenticated
Preliminaries:
For m = m1 ... mk  GF[Q]k and x  GF[Q], let m(x) =
k

i=1
mixi
^ ≠ m and for any c,
^ c  GF[Q],
Then, for any m
Prob x R GF[Q] [ m(x) + c = ^
m(x) + ^c ]  k/Q
32
The Protocol (simplified)
Preliminaries:
x || m(x) + c
For
= m1 ... m
Wem hash
mk toGF[Q]k and x  GF[Q], let m(x) =
^ ≠ m and for any c,
^ c  GF[Q],
Then, for any m
One party
chooses x
k

i=1
mixi
Other party
chooses c
Prob x R GF[Q] [ m(x) + c = ^
m(x) + ^c ]  k/Q
33
The Protocol (simplified)
m
Alice
R GF[Q1]
a2 R GF[Q2]
a1
a1
Bob
b1 R GF[Q1]
b1 b2
b2 R GF[Q2]
m2
Both parties set: m0 = m
m1 = b1 || m0(b1) + a1
Accept iff
m2 is consistent
Q1  n/ , Q2  log(n)/
m2 = a2 || m1(a2) + b2
2log(1/) + 2loglog(n) + O(1) manually authenticated bits
Two GF[Q2] elements

k rounds

2loglog(n) is reduced to 2log(k-1)(n)
34
Security Analysis


Must consider all generic man-in-the-middle attacks.
Three attacks in our case:
Attack #1
Alice
Eve
Bob
m a1
^ a^1
m
^
^
b1 b
2
b1 b2
m2
35
Security Analysis


Must consider all generic man-in-the-middle attacks.
Three attacks in our case:
Attack #2
Alice
Eve
Bob
^ a^1
m
b1 b2
m a1
^
^
b1 b
2
m2
36
Security Analysis


Must consider all generic man-in-the-middle attacks.
Three attacks in our case:
Attack #3
Alice
Eve
Bob
m a1
^
^
b1 b
2
m2
^ a^1
m
b1 b2
m2
37
Security Analysis – Attack #1
Alice
Eve
Bob
m a1
^ a^1
m
^
^
b1 b
2
b1 b2
m2
^
m0,B = m
m0,A = m
^)+a
m1,A = ^
b1 || m0,A(b
1
1
m1,B = b1 || m0,B(b1) + ^
a1
m2,A = a2 || m1,A(a2) + ^
b2
m2,B = a2 || m1,B(a2) + b2
m0,A  m0,B and m2,A = m2,B
Pr[ m1,A = m1,B ] + Pr[ m1,A  m1,B and m2,A = m2,B ]  /2 + /2
38
Security Analysis – Attack #1
Alice
Eve
Bob
m a1
^ a^1
m
^
b1
b1
^
m0,B = m
m0,A = m
^)+a
m1,A = ^
b1 || m0,A(b
1
1
m1,B = b1 || m0,B(b1) + ^
a1
Claim:

Eve chooses ^b1  b1
^b1 = b1
chooses
Pr[mEve
=
m
]
1,A
1,B

m1,A  m1,B

Pr[ m0,A(b1) + a1 = m0,B(b1) + ^a1 ]  /2
 /2
39
Outline

Manual channel model

Our results


The protocol

Lower bound

One-way functions are necessary for
breaking the lower bound
Conclusions
40
Lower Bound
Alice
m, x1
Bob
x2
s

m R {0,1}n  M, X1, X2, S are well defined random variables
41
Lower Bound
Alice
M, X1
Bob
X2
S

Goal: H(S)  2log(1/)
Basic Information Theory:

Shannon entropy
 Conditional entropy

Mutual information

Cond. mutual information
H(X) = - x p(x) logp(x)
H(X | Y) = Expy H(X | Y=y)
I(X ; Y) = H(X) - H(X | Y)
I(X ; Y | Z) = H(X | Z) - H(X | Y,Z)
42
Lower Bound
M, X1
Alice
Bob
X2
S

Goal: H(S)  2log(1/)
Evolving intuition:

The parties must use at least log(1/) random bits

Each party must use at least log(1/) random bits

Each party must independently reduce H(S) by log(1/) bits
H(S) = H(S) - H(S | M, X1)
= I(S ; M, X1)
+ H(S | M, X1) - H(S | M, X1, X2)
+ H(S | M, X1, X2)
+ I(S ; X2 | M, X1)
+ H(S | M, X1, X2)
43
Lower Bound
Alice
M, X1
Bob
X2
S

Goal: H(S)  2log(1/)
Evolving intuition:

The parties must use at least log(1/) random bits

Each party must use at least log(1/) random bits
Each party must independently reduce H(S) by log(1/) bits
Alice’s
randomnes
H(S)
= I(S ; M, X1)
s
+ I(S ; X2 | M, X1)
Bob’s
+ H(S | M, X1, X2)
randomnes
s
44

Lower Bound
Alice
M, X1
Bob
X2
S

Goal: H(S)  2log(1/)
Lemma 1: I(S ; M, X1) + H(S | M, X1, X2)  log(1/)
Lemma 2: I(S ; X2 | M, X1)  log(1/)
H(S) = I(S ; M, X1)
+ I(S ; X2 | M, X1)
+ H(S | M, X1, X2)
Alice’s
randomnes
s
Bob’s
randomnes
s
45
Proof of Lemma 1
Consider the following attack:
Alice
Eve
m x1
^2
x
^ ^
m
x1
x2
Bob
Eve wants Alice to
manually authenticate ^
s
s
Eve acts as follows:




^ R {0,1}n
Chooses m
Chooses m R {0,1}n
Samples ^
x2 from the distribution of X2 given m, x1 and ^s
Forwards s
and hopes
that s = ^
s
If Pr[ ^
s | m, x1 ] = 0
Eve quits
46
Proof of Lemma 1
By the protocol requirements:
^ ]  Pr[ s = ^s ] - 2-n
  Pr[ s = ^
s and m ≠ m
Since n  log(1/), we get
2  Pr[ s = ^s ]
Claim: Pr[ s = ^s ]  2
- { (S ; M, X ) + H(S | M, X , X ) }
1
1 2
which implies
(S ; M, X1) + H(S | M, X1, X2)  log(1/) - 1
47
Lower Bound
Alice
M, X1
Bob
X2
S

Goal: H(S)  2log(1/) - 2
Lemma 1: I(S ; M, X1) + H(S | M, X1, X2)  log(1/) - 1
Lemma 2: I(S ; X2 | M, X1)  log(1/) - 1
H(S) = I(S ; M, X1)
+ I(S ; X2 | M, X1)
+ H(S | M, X1, X2)
Alice’s
randomnes
s
Bob’s
randomnes
s
48
Outline

Manual channel model

Our results


The protocol

Lower bound

One-way functions are necessary for
breaking the lower bound
Conclusions
49
One-Way Functions
Theorem:
One-way functions are necessary for breaking the 2log(1/) lower
bound in the computational setting
No one-way functions
The attacks of the lower bound can be
carried out by a poly-time adversary
50
Recall: Proof of Lemma 1
Consider the following attack:
Alice
Eve
^ ^
m
x1
x2
Bob
m x1
^2
x
s
Eve acts as follows:




Randomly inverting
a function
^ R
Chooses m
Chooses m R {0,1}n
Samples ^
x2 from the distribution of X2 given m, x1 and ^s
{0,1}n
Forwards s
51
One-Way Functions

One-way functions:
 Easy to compute
 Hard to invert given the image of a random input
Hard to find even one inverse

Distributionally one-way functions [IL89]:
 Easy to compute
 Hard to randomly invert given the image of a random input
May be easy to
find some
inverses


Any one-way function is also distributionally one-way
[IL89]: The existence of both primitives is equivalent
52
One-Way Functions

Eve has to sample X2 given m, x1 and s.
f(m, rA, rB) = (m, x1, x2, s)
Message
Alice’s coins
Transcript of
the protocol
Bob’s coins
g(m, rA, rB) = (m, x1, s)
53
One-Way Functions

Eve has to sample X2 given m, x1 and s.
f(m, rA, rB) = (m, x1, x2, s)

g is not distributionally one-way  Eve can randomly
rA, rB) = x(m,
x1, s)
invert g and applyg(m,
f to compute
2.
-statistically
close to uniform

Bob cannot distinguish between the two executions with
significant probability.
54
Conclusions


Manual Channel
Computational assumptions are not necessary



Protocol
Matching lower bound
Sharp threshold between unconditional and computational
ℓ = 2log(1/)
ℓ
ℓ = log(1/)
One-way
functions
Unconditional
security
Computational
security
Impossible
log(1/)
55
Reference

Moni Naor, Gil Segev, and Adam Smith
Tight Bounds for Unconditionally Secure Authentication Protocols in
the Manual Channel and Shared Key Models
Advances in Cryptology - CRYPTO 2006.
56