Transcript itc2011 9710

[Slide 1] Information-Theoretic Key Agreement from Close Secrets: A Survey
Leonid Reyzin, Boston University
March 1, 2011
IPAM Workshop on Mathematics of Information-Theoretic Cryptography
[Slides 2-5] Information-Theoretic Key Agreement from Close Secrets: A Survey
(figure, built up over four slides: Alice holds w, Bob holds w′, and both end up with the same key R, with info-theoretic guarantees)
Biased by what I know and time constraints
[Slide 6] basic paradigm
(figure: Alice holds w, Bob holds w′, Eve sits between them)
[Slide 7] basic paradigm: passive adversary
(figure: Alice with w and Bob with w′ first hold a conversation about their differences, also known as information reconciliation, after which both hold w; they then hold a conversation about removing Eve’s information, also known as privacy amplification, after which both hold R. Eve has some information about w.)
[Slide 8] privacy amplification
(figure: Alice and Bob both hold w and a seed i; each computes R = Ext(w, i))
• w is not uniform (e.g., Eve knows something about it)
• Goal: from a nonuniform secret w agree on a uniform secret R
• Simple solution: use an extractor: from w with minentropy k and a uniform seed i, Ext(w, i) = R is uniform; (R, i) are jointly uniform
[Slide 9] privacy amplification
(figure: as on slide 8, with Eve observing)
• [Ozarow-Wyner 84]: nonconstructive solution
• [Bennett-Brassard-Robert 85]: universal hashing for any Eve’s knowledge
• Much early work for specific distributions of w and classes of Eve’s knowledge, motivated by quantum key agreement
• Much early analysis using Shannon entropy and mutual information
• [Bennett-Brassard-Crépeau-Maurer 94]:
– Renyi entropy (collision entropy) of w is better than Shannon;
– low mutual information between R and Eve may not be enough
[Slide 10] privacy amplification
(figure: as on slide 9)
• Let E denote Eve’s knowledge
• Requirement: H∞(W|E) is sufficiently high (conditional min-entropy, defined in Dodis-Ostrovsky-Reyzin-Smith, 2004, as −log Pr[Eve can guess w correctly given E])
• End result: (R, i, E) ≈ (U, U, E)
[Slide 11] basic paradigm: passive adversary
(figure repeated from slide 7: information reconciliation, then privacy amplification, with Eve observing)
[Slide 12] basic paradigm: passive adversary
(figure: after the information-reconciliation conversation both hold w; Alice then sends the seed i to a strong extractor and both compute R; Eve sees the messages)
Goal: minimize amount of information leaked about w, i.e., maximize H∞(W | protocol messages)
[Slide 13] basic paradigm: passive adversary
(figure: Alice, holding w, sends a single message s to Bob, who holds w′; Eve sees s)
Focus: single-message, starting with Bennett-Brassard-Robert 85 (interactive protocols more rare, e.g., Brassard-Salvail 93)
Goal: minimize amount of information leaked about w, i.e., maximize H∞(W | protocol messages)
[Slide 14] definition: secure sketch
• Alice computes sketch s = S(w)
• Bob recovers w from s and w′ ≈ w: Rec(w′, s) = w
(same definition regardless of metric)
• Def [Dodis-Ostrovsky-R-Smith 04]: (k, k−l)-secure sketch if H∞(W | S(W)) ≥ k − l whenever W has minentropy k; l is the entropy loss
[Slide 15] background: error-correcting codes
Code C: {0,1}^m → {0,1}^n
• encodes m-bit messages into n-bit codewords
• any two codewords differ in at least d locations
– fewer than d/2 errors ⇒ unique correct decoding
• If C is linear, there is a parity-check matrix H
– syndrome Hx = “errors in x”; Hx = 0 ⇔ x is a codeword
(figure: H applied to x)
[Slide 16] building secure sketches
• Idea: what if w is a codeword in an ECC? Decoding finds w from w′
• If w is not a codeword, simply shift the ECC
• S(w) is the shift to a random codeword: S(w) = w ⊕ ECC(R)
• Rec: dec(w′ ⊕ S) ⊕ S
(figure: w′ −S → dec → +S → w)
• Linear codes: save space: S(w) = “errors in w” = syndrome(w) = Hw (H: parity check matrix)
[Slide 17] syndrome or code-offset construction
S(w) = Hw OR S(w) = w ⊕ ECC(R)
• If ECC maps m bits → n bits and has distance d:
– Correct d/2 errors
– S(w) has n − m bits ⇒ entropy loss l = n − m bits
– Optimal if code is optimal (because secure sketch ⇒ ECC)
– higher error-tolerance means higher entropy loss (trade error-tolerance for security)
• Bennett-Brassard-Robert 1985: different construction from systematic codes
• Bennett-Brassard-Crépeau-Skubiszewska 1991: Hw
• Juels-Wattenberg 2002: w ⊕ ECC(R)
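As an added illustration (not code from the slides), here are both constructions of slides 16-17 instantiated with the Hamming(7,4) code in Python: the code-offset sketch w ⊕ ECC(R) and the syndrome sketch Hw, each with its Rec. The parity-check rows, the codeword-indexing ECC(R) and the sample values are constructed for this example.

```python
import random

# Parity-check matrix H of the Hamming(7,4) code as three 7-bit row masks.
# Column j (1-based; bit j-1 of each mask) is the binary representation of j,
# so the syndrome of a word with one flipped bit is that bit's position.
H_ROWS = (0x55, 0x66, 0x78)
N = 7  # codeword length n; the code carries m = 4 message bits, distance d = 3

def parity(x):
    return bin(x).count("1") & 1

def syndrome(x):
    """Hx as a 3-bit integer; 0 iff x is a codeword."""
    return sum(parity(x & row) << r for r, row in enumerate(H_ROWS))

def decode(x):
    """Correct up to one error (fewer than d/2 = 1.5 errors)."""
    s = syndrome(x)
    return x if s == 0 else x ^ (1 << (s - 1))

# The 16 codewords; ECC(R) maps a 4-bit R to the R-th one (a constructed choice).
CODEWORDS = [x for x in range(1 << N) if syndrome(x) == 0]

def sketch_code_offset(w, R):
    """Code-offset sketch S(w) = w xor ECC(R): shift w onto a random codeword."""
    return w ^ CODEWORDS[R]

def rec_code_offset(w_prime, s):
    """Rec(w', s) = dec(w' xor s) xor s."""
    return decode(w_prime ^ s) ^ s

def sketch_syndrome(w):
    """Syndrome sketch S(w) = Hw: only n - m = 3 bits instead of 7."""
    return syndrome(w)

def rec_syndrome(w_prime, s):
    """H(w' xor e) = Hw' xor He, so Hw' xor s is the syndrome of the error e."""
    e = syndrome(w_prime) ^ s
    return w_prime if e == 0 else w_prime ^ (1 << (e - 1))

def round_trip(w, flip):
    """Sketch w both ways, corrupt one bit, and report whether both Recs recover w."""
    R = random.randrange(len(CODEWORDS))   # random codeword index
    w_prime = w ^ (1 << flip)               # w' differs from w in one position
    ok_offset = rec_code_offset(w_prime, sketch_code_offset(w, R)) == w
    ok_syndrome = rec_syndrome(w_prime, sketch_syndrome(w)) == w
    return ok_offset and ok_syndrome
```

The 7-bit code-offset sketch and the 3-bit syndrome sketch leak the same n − m = 3 bits of entropy about w, which is the entropy loss the slide states.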
[Slide 18] solution for passive adversary
(figure: Alice computes s = S(w) and R = Ext(w, i) and sends (s, i); Bob computes w = Rec(w′, s) and R = Ext(w, i); Eve sees (s, i))
information reconciliation + privacy amplification = fuzzy extractor [Dodis-Ostrovsky-R-Smith 04]
[Slide 19] definition: fuzzy extractor
• First time: generate random R from w (+ seed): Gen(w) → (R, P); P = (s, i) in our construction
• Subsequently: reproduce R from P and w′ ≈ w: Rep(w′, P) → R
• R is nearly uniform given P if w has sufficient minentropy
• Starts in [Juels-Sudan 02]; relates to efficient set reconciliation [Minsky-Trachtenberg 02]
• Applications beyond key agreement [Dodis-Ostrovsky-R-Smith 04]
• Sketch+extractor is not the only way to build them [Linnartz-Tuyls 03], [Chang-Fedyukovich-Li 06], [Li-Sutcu-Memon 06]
• Constructions exist for Hamming, set difference, edit, point-set, some continuous, …
[Slide 20] active adversary
(figure: Alice with w and Bob with w′ each output R or ⊥; Eve sits between them and may modify messages)
• Starting in Maurer and Maurer-Wolf 1997
• Interesting even if w = w′
[Slide 21] same paradigm: active adversary
(figure: the conversation about their differences, also known as information reconciliation, now leaves Alice and Bob with w or ⊥; the conversation about removing Eve’s information, also known as privacy amplification, leaves them with R or ⊥)
[Slide 22] same paradigm: active adversary
(figure: after information reconciliation Alice sends extractor seed i and outputs R or ⊥; Eve may alter it, so Bob receives extractor seed i′ and outputs R′ or ⊥)
Need: robust extractor [Boyen-Dodis-Katz-Ostrovsky-Smith 05]
[Slide 23] building robust extractors
Idea 0: (figure: Ext(w, i) = R; a MAC under some key produces a tag σ on i; P = (i, σ))
Key??? R? But if i changes ⇒ R changes
Let’s use w! [Maurer-Wolf 03]
But w is not uniform ⇒ need MACs secure even with nonuniform keys
Random oracle is such a MAC [Boyen-Dodis-Katz-Ostrovsky-Smith 05]
[Slide 24] MACs with nonuniform keys (no R.O.)
key = (a, b), n/2 bits each
MAC_{a,b}(i) = σ = ai + b
[Slide 25] MACs with nonuniform keys (no R.O.)
key w = (a, b), n/2 bits each; w has entropy k and entropy gap g
MAC_{a,b}(i) = σ = ai + b
Let |a,b| = n, H∞(a,b) = k
Let “entropy gap” n − k = g.
Security: k − n/2 = n/2 − g
[Slide 26] building robust extractors
[Maurer-Wolf 03]: (figure: w = (a, b, c), n/3 bits each; 1/3 of w goes with seed i into Ext to give R; the other 2/3 of w is the key of the MAC on i, giving σ; P = (i, σ))
Circularity! i extracts from w; w authenticates i
Use independent parts of w: extract from these bits using i; MAC i using these bits
Extract ≈ k − 2n/3 bits; thus, need k > 2n/3
Can we do better? [Dodis-Katz-R-Smith 06] idea: use circularity to our advantage!
[Slide 27] building robust extractors
Notation: |w| = n, H∞(w) = k, “entropy gap” n − k = g
[Dodis-Katz-R.-Smith 06] construction: w = (a, b) with |a| = n − v and |b| = v; the seed i has n − v bits; compute ai, then
σ = [ai]_1^v + b
R = [ai]_{v+1}^{n−v}
Analysis:
• Extraction: (R, σ) = ai + b is a universal hash family (few collisions) (i is the key, w = (a, b) is the input)
• Robustness: σ = [ai]_1^v + b is strongly universal (2-wise indep.) (w = (a, b) is the key, i is the input); need v > g
Extract n − 2v < n − 2g = k − g = 2(k − n/2) bits
(figure: w = (a, b); loss g; gap g)
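An added Python example (not the slides’ or the paper’s code) of the [Dodis-Katz-R-Smith 06] construction on this slide with toy parameters n = 12, v = 4, so that a and i live in GF(2^8); with v = n/2 the same σ = ai + b is the MAC of slides 24-25. The field polynomial and the sample values are assumed for illustration; the two checks exhaustively confirm the 2^−v forgery bound and the strong universality claimed in the analysis.

```python
# Toy parameters: n = 12, v = 4, so a and i are 8-bit field elements.
M = 8            # |a| = |i| = n - v
V = 4            # |b| = v; the tag sigma has v bits, forgery probability 2^-v
N = M + V        # |w| = n; the extracted R has n - 2v = 4 bits
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, the assumed field polynomial for GF(2^8)

def gf_mul(x, y):
    """Multiply in GF(2^8); the product ai of the construction is computed here."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= POLY
    return r

def gen(w, i):
    """Gen: R = [ai]_{v+1}^{n-v}, sigma = [ai]_1^v + b, P = (i, sigma)."""
    a, b = w >> V, w & ((1 << V) - 1)     # w = (a, b): top n-v bits and low v bits
    prod = gf_mul(a, i)
    sigma = (prod >> (M - V)) ^ b         # first v bits of ai, plus b (addition in GF(2)^v)
    R = prod & ((1 << (M - V)) - 1)       # the remaining n - 2v bits become the key
    return R, (i, sigma)

def rep(w, P):
    """Rep: recompute from the received seed; output R, or None (bottom) if the tag fails."""
    i, sigma = P
    R, (_, expected) = gen(w, i)
    return R if sigma == expected else None

def forgeries(w, P):
    """Seeds i' != i that Bob accepts with the original tag: 2^(n-2v) - 1 of them when
    a != 0, i.e. a 2^-v fraction, because i -> ai is a bijection of the field."""
    i, sigma = P
    return sum(rep(w, (i2, sigma)) is not None for i2 in range(1 << M) if i2 != i)

def tag_pairs_uniform(i1, i2):
    """Strong universality: over all keys w, the pair of tags for two distinct seeds
    takes each of the 2^(2v) values exactly 2^(n-2v) times."""
    counts = {}
    for w in range(1 << N):
        pair = (gen(w, i1)[1][1], gen(w, i2)[1][1])
        counts[pair] = counts.get(pair, 0) + 1
    return len(counts) == 1 << (2 * V) and set(counts.values()) == {1 << (N - 2 * V)}
```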
[Slide 28] active adversary
(figure: as on slide 7, information reconciliation followed by privacy amplification, now with an active Eve between Alice and Bob)
[Slide 29] active adversary
(figure: information reconciliation via a secure sketch s = S(w); privacy amplification via the output P = (i, σ) of a robust extractor; both parties output R)
• Use secure sketch s = S(w)
• Authenticate it using w in the same MAC
[Slide 30] building robust fuzzy extractors
(figure: w = (a, b) → S → s; seed i → Ext → R = [ai]_{v+1}^{n−v}; the MAC keyed by w covers s and i and outputs a tag σ = [a polynomial in i built from a and s]_1^v + b, the exact formula being garbled in the transcript; on Bob’s side w′ and the received s̃ go through Rec to give w̃, which with the received seed ĩ gives R via Ext, while Ver(s̃, σ̃) under key w̃ outputs ok/⊥)
w authenticates s
How to MAC long messages?
Need: a MAC that is secure even when the key is corrupted! s reconstructs w even when the key is corrupted! What does Bob do?
First appearance: [Dodis-Katz-R-Smith 06]
Generalized by Cramer-Dodis-Fehr-Padró-Wichs ’08: Key-Manipulation-Secure MACs (against additive changes) (and detection of additive manipulation in other contexts)
(the key corruption is an additive change, a linear function of Eve’s modification; relates to codes for detection of hardware errors/tampering [Karpovsky-Nagvajara 89])
[Slide 31] solution for active adversary
(figure: Alice computes (R, P = (s, i, σ)) from w = (a, b) and sends P; Eve may change it to P̃; Bob runs Rep(w′, P̃) and outputs R or ⊥; loss g, gap g)
robust fuzzy extractor
Extract ≈ k − g = 2(k − n/2) bits
What if k < n/2? [Dodis-Spencer 02, Dodis-Wichs 09] even if w = w′
-- shared random string model [Cramer-Dodis-Fehr-Padró-Wichs 08]
-- interaction (can’t be used when A&B separated in time!)
[Slide 32] beating active adversary with interaction
(figure: Alice with w and Bob with w′ run the conversation about their differences, also known as information reconciliation, ending with w or ⊥, then the conversation about removing Eve’s information, also known as privacy amplification, ending with R or ⊥)
Interactive version: Renner-Wolf 2003
Need to authenticate extractor seed i
Problem: if H∞(w) < |w|/2, w can’t be used as a MAC key
Idea: use interaction, one bit in two rounds
[Slide 33] authenticating a bit b [Renner-Wolf 03]
(figure: Bob sends challenge x; Alice, holding w, computes Ext_x(w))
• Response y = Ext_x(w) iff b = 1; else just send 0
• Bob accepts 1 if Ext_x(w) is correct
Note: Eve can make Bob’s view ≠ Alice’s view
(figure: Eve replaces Bob’s challenge x with her own x′, receives y′ = Ext_{x′}(w) from Alice, and forwards some y to Bob, who checks it against Ext_x(w))
But Eve can’t change 0 to 1! (To prevent change of 1 to 0, make #0s = #1s)
Even if Bob has a different w′, as long as it has entropy!
Note that each bit authenticated reduces entropy by |y|
[Slide 34] beating active adversary with interaction
(figure: as on slide 32, with Alice also sending the secure sketch s during information reconciliation)
Authenticate extractor seed i one bit at a time (make seed “balanced”, so #0s = #1s)
Problem: s too long, not enough entropy in w!
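An added Python simulation (not from the slides) of the Renner-Wolf bit-by-bit authentication of slides 33-34: Bob challenges, Alice answers with Ext_x(w) only for 1-bits, and the seed is sent in a balanced 10/01 encoding so that suppressing a 1 is detected. It assumes Alice and Bob already share the same w (the w = w′ case), a constructed extractor made of |y| random parities of w, and a hypothetical `eve` hook that alters what Bob receives.

```python
import random

LAM = 8    # |y|: each authenticated bit costs |y| bits of entropy of w
N = 32     # |w|, constructed toy size

def ext(x, w):
    """Seeded extractor: y_j = <x_j, w> mod 2 for the |y| masks x_j in the challenge."""
    return tuple(bin(m & w).count("1") & 1 for m in x)

def alice_response(bit, x, w):
    """Send y = Ext_x(w) iff bit = 1; else just send 0."""
    return ext(x, w) if bit == 1 else 0

def bob_decision(y, x, w):
    """Accept 1 only if the response is exactly Ext_x(w)."""
    return 1 if y == ext(x, w) else 0

def balance(bits):
    """Encode each bit as 10 or 01, so #0s = #1s: turning a 1 into a 0 breaks a pair."""
    return [b for bit in bits for b in ((1, 0) if bit else (0, 1))]

def unbalance(received):
    out = []
    for pair in zip(received[::2], received[1::2]):
        if pair == (1, 0): out.append(1)
        elif pair == (0, 1): out.append(0)
        else: return None          # a 1 was suppressed or a 0 forged: reject
    return out

def authenticate_seed(seed, w, eve=None, rng=None):
    """Two rounds per bit: Bob sends a challenge x, Alice answers. `eve` (hypothetical)
    maps (Alice's bit, her y) to what Bob receives; None means no tampering."""
    rng = rng or random.Random(1)
    received = []
    for bit in balance(seed):
        x = [rng.getrandbits(N) for _ in range(LAM)]  # Bob -> Alice: fresh challenge
        y = alice_response(bit, x, w)                 # Alice -> Bob
        if eve:
            y = eve(bit, y)
        received.append(bob_decision(y, x, w))
    return unbalance(received)

def forge_zero_to_one(w, trials, rng=None):
    """Eve answers a 0-round with a guessed y, not knowing w: fraction Bob accepts."""
    rng = rng or random.Random(2)
    hits = 0
    for _ in range(trials):
        x = [rng.getrandbits(N) for _ in range(LAM)]
        guess = tuple(rng.getrandbits(1) for _ in range(LAM))
        hits += bob_decision(guess, x, w)
    return hits / trials
```

Forging a 1 succeeds only by guessing the |y|-bit extractor output, so the acceptance rate is about 2^−|y|, while a suppressed 1 leaves an invalid 00 pair that the balanced decoding rejects.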
[Slide 35] information reconciliation with weak w
[Kanukurthi-R. 09]: Reduce entropy loss using a MAC
• MAC needs a symmetric key k
• Where does k come from? Generate random k and authenticate it
(figure: Alice with w and Bob with w′ ≈ w run an interactive authentication of k; Alice sends S(w) together with Auth = MAC_k(S(w)))
Interactive authentication reveals k!
Main idea: Even though the interactive authentication reveals k, once Bob has the tag, it is too late for Eve to come up with a forgery!
[Slide 36] Information-Theoretic Key Agreement from Close Secrets: A Survey
(title figure repeated: Alice with w and Bob with w′ both obtain R)
[Slide 37] improving efficiency
recall: interactive bit-by-bit authentication
(figure: Bob sends challenge x; Alice responds y = Ext_x(w) iff b = 1, else just sends 0; Bob accepts 1 if Ext_x(w) is correct)
Two problems (the security-parameter symbol did not survive the transcript; it is written λ here):
1) For λ security, you send O(λ) bits, so need O(λ) rounds
2) For λ security, |y| = λ, so each round loses λ entropy
[Slide 38] improving entropy loss
(figure and the two problems repeated from slide 37: O(λ) rounds, and λ entropy lost per round)
Getting optimal entropy loss [Chandran-Kanukurthi-Ostrovsky-R ’10]:
-- Make |y| = constant.
-- Now Eve can change/insert/delete a constant fraction of bits
-- Encode whatever you are sending in an edit distance code [Schulman-Zuckerman 99] of const. rate, correcting a constant fraction
[Slide 39] improving entropy loss
(figure and the two problems repeated from slide 37)
[Slide 40] improving round complexity [Dodis-Wichs 09]
Goal: to authenticate m
(figure: Alice chooses seed x, computes y = Ext_x(w) and σ = MAC_y(m), and sends x, m, σ)
Problem: Eve substitutes x′ for x, so Bob computes y′ = Ext_{x′}(w) and checks the tag under y′; can Eve produce a forged σ′ on m′?
Uses the alternating extractor of [Dziembowski-Pietrzak 08, leakage-resilient PRGs]
Need: MAC that is secure even when the key is corrupted!
Idea: limit the types of corruption by building a (somewhat) non-malleable extractor (need |y| = O(λ²))
[Slide 41] improving efficiency
recall: interactive bit-by-bit authentication
(figure and the two problems repeated from slide 37)
1) O(λ) rounds: solved by [Dodis-Wichs 09]
2) λ entropy lost per round: solved by [Chandran-Kanukurthi-Ostrovsky-R 10]
Open: solving 1) and 2) simultaneously: get 2 rounds and O(λ) loss
[Wooley-Zuckerman Saturday]: no longer open for k > n/2
[Slide 42] conclusions
• Even very weak secrets suffice
• Even against active attackers
• Lots of applications, e.g.,
– user authentication [too many to list]
– bounded storage model [Ding 05, Dodis-Smith 05]
– differential privacy [Dwork 06]
– protection against hardware tampering [Karpovsky-Taubin 04]
– security based on physical components [Yu-Devadas 10]
• Many protocols practical enough to be implemented
[Slide 43] needs/open problems
• Better theoretical efficiency
– 1 round and O(λ) loss when at least half-entropic
– 2 rounds and O(λ) loss when less than half-entropic
• Better practical efficiency
• Constructions for other metric spaces
• Beating coding bounds for better error correction (e.g., use of randomness [Smith 07] or interaction [Brassard-Salvail 93])
• Modeling of key agreement beyond two parties (à la the computational case)
• Understanding reusability of w [Boyen 04, Fehr-Bouman 11 (Fri)]