Tight Bounds for Unconditional Authentication Protocols in the - PowerPoint PPT Presentation

1
Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Gil Segev
Moni Naor
Adam Smith
Weizmann Institute of Science, Israel
2
Pairing of Wireless Devices
[Diagram labels: $g^x$, $g^y$]
  • Scenario
    • Buy a new wireless camera
    • Want to establish a secure channel for the first time
    • E.g., Diffie-Hellman key agreement

3
Pairing of Wireless Devices
Cable pairing
I thought this is a wireless camera
  • Simple
  • Cheap
  • Authenticated channel

4
Pairing of Wireless Devices
Wireless pairing
Problem: Active adversaries (man-in-the-middle)
5
Pairing of Wireless Devices
Wireless pairing
[Diagram labels: $g^y$, $g^x$, $g^a$, $g^b$]
Problem: Active adversaries (man-in-the-middle)
6
Message Authentication
  • Assure the receiver of a message that it has not been changed by an active adversary

[Diagram: Alice, Bob and Eve; message $m$]
7
Pairing of Wireless Devices
[Diagram labels: $g^y$, $g^x$, $g^a$, $g^b$; $m$: $g^x$ $g^a$]
8
Message Authentication
  • Assure the receiver of a message that it has not been changed by an active adversary

[Diagram: Alice, Bob and Eve; message $m$]
  • Without additional setup: Impossible!!
  • Public Key Signatures
    • Problem: No trusted PKI

This Paper: Manual Channel
9
The Manual Channel
[Diagram labels: $g^y$, $g^x$, $g^a$, $g^b$; the short string 141 shown twice]
User can compare two short strings
10
Manual Channel Model
[Diagram: Alice and Bob; message $m$; manually authenticated string $s$; labels "Interactive" and "Non-interactive"]
  • Insecure communication channel
  • Low-bandwidth auxiliary channel
    • Enables Alice to manually authenticate one short string $s$
  • Adversarial power
    • Choose the input message $m$
    • Insecure channel: Full control
    • Manual channel: Read, delay
    • Delivery timing

11
Manual Channel Model
[Diagram: Alice and Bob; message $m$; manually authenticated string $s$; labels "Interactive" and "Non-interactive"]
  • Insecure communication channel
  • Low-bandwidth auxiliary channel
    • Enables Alice to manually authenticate one short string $s$

Goal: Minimize the length of the manually authenticated string
12
Manual Channel Model
[Diagram: Alice and Bob; message $m$; manually authenticated string $s$]
  • No trusted infrastructure, such as
    • Public key infrastructure
    • Shared secret key
    • Common reference string
    • ...
  • Suitable for ad hoc networks
    • Pairing of wireless devices
      • Wireless USB, Bluetooth
    • Secure phones
      • ATT, PGP, Zfone
    • Many more...

13
The Manual Channel
[Diagram: the short string 141 shown twice]
Constants do matter!
So how many bits can we manually authenticate?
20? 40? 160? ????
14
Previous Work
  • [Rivest, Shamir 84]: The Interlock protocol
    • Mutual authentication of public keys
    • No trusted infrastructure
    • ATT, PGP, Zfone
  • [Vaudenay 05]
    • Formal model
    • Computationally secure protocol for arbitrary long messages
    • $\log(1/\epsilon)$ manually authenticated bits
    • [LAN 05, DDN 00]: Can be based on any one-way function (non-malleable commitments)
    • Efficient implementations
      • Rely on a random oracle, or
      • Assume a common reference string [DIO 98, DKOS 01]

[Callouts: "Forgery probability", "Optimal!"]

15
Previous Work
  • [Rivest, Shamir 84]: The Interlock protocol
    • Mutual authentication of public keys
    • No trusted infrastructure
    • ATT, PGP, Zfone
  • [Vaudenay 05]
    • Formal model
    • Computationally secure protocol for arbitrary long messages
    • $\log(1/\epsilon)$ manually authenticated bits
    • [LAN 05, DDN 00]: Can be based on any one-way function (non-malleable commitments)
    • Efficient implementations
      • Rely on a random oracle, or
      • Assume a common reference string [DIO 98, DKOS 01]

[Callouts: "Forgery probability", "Optimal!"]
Computational Assumptions!!
Are those really necessary?

16
Our Results - Tight Bounds
[Diagram: $n$-bit message $m$; $\ell$-bit manually authenticated string $s$; $\epsilon$ forgery probability]
No setup or computational assumptions
Only twice as many as V05
  • Upper bound: Constructed $\log n$-round protocol in which $\ell = 2\log(1/\epsilon) + O(1)$
  • Matching lower bound: $n \ge 2\log(1/\epsilon) \Rightarrow \ell \ge 2\log(1/\epsilon) - 2$
  • One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting

17
Unconditional Security
  • Some advantages over computational security
    • Security against unbounded adversaries
    • Exact evaluation of error probabilities
    • Protocols are often
      • easier to compose
      • more efficient

Key agreement protocols
18
Our Results - Tight Bounds
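[Figure: axis $\ell$ with marks $\ell = \log(1/\epsilon)$ and $\ell = 2\log(1/\epsilon)$; region labels "Unconditional security", "Computational security", "One-way functions", "Impossible"; additional label $\log(1/\epsilon)$]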
19
Our Protocol (simplified)
  • Based on the [GN93] hashing technique
  • In each round, the parties
    • Cooperatively choose a hash function
    • Reduce to authenticating a shorter message
  • A short message is manually authenticated

Then, for any $m \neq \hat{m}$ and for any $c, \hat{c} \in GF[Q]$,

$\Pr_{x \in_R GF[Q]} [\, m(x) + c = \hat{m}(x) + \hat{c} \,] \le k/Q$

20
Our Protocol (simplified)
We hash $m$ to $\langle x,\ m(x) + c \rangle$
One party chooses $x$
Other party chooses $c$
21
Our Protocol (simplified)
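[Diagram: Alice and Bob; transmitted values $m$, $a_1$, $b_1$, $b_2$, $a_2$, $m_2$]
$a_1 \in_R GF[Q_1]$, $b_1 \in_R GF[Q_1]$
$a_2 \in_R GF[Q_2]$, $b_2 \in_R GF[Q_2]$
Both parties set
$m_1 = \langle b_1,\ m(b_1) + a_1 \rangle$
$m_2 = \langle a_2,\ m_1(a_2) + b_2 \rangle$
$Q_1 \approx n/\epsilon$, $Q_2 \approx \log(n)/\epsilon$
Accept iff $m_2$ is consistent
$2\log(1/\epsilon) + 2\log\log(n) + O(1)$ manually authenticated bits (two $GF[Q_2]$ elements)
  • $k$ rounds $\Rightarrow$ $2\log\log(n)$ is reduced to $2\log^{(k-1)}(n)$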
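
Added example, not from the slides: a Python sketch of the hashing step on slides 19-20 and the two-round run on slide 21, checking the k/Q collision bound by exhaustive count over toy fields. The prime fields GF(Q), the chunk encoding of m into coefficients and all function names are assumptions; the forgery count models only an adversary who substitutes m and relays the random values unchanged.

```python
# Added example (constructed); prime fields and the chunk encoding are assumptions.
import secrets

def coeffs(value, nbits, Q):
    """Split an nbits-bit integer into k chunks, each below Q: m_1..m_k."""
    w = Q.bit_length() - 1                 # 2**w <= Q, so every chunk is < Q
    k = -(-nbits // w)                     # ceil(nbits / w)
    return [(value >> (w * i)) & ((1 << w) - 1) for i in range(k)]

def poly_hash(value, nbits, x, c, Q):
    """m(x) + c over GF(Q), where m(x) = m_1*x + m_2*x^2 + ... + m_k*x^k."""
    acc = 0
    for m_i in reversed(coeffs(value, nbits, Q)):   # Horner's rule
        acc = (acc + m_i) * x % Q
    return (acc + c) % Q

def collisions(m, m_hat, nbits, c, c_hat, Q):
    """Number of x in GF(Q) with m(x) + c == m_hat(x) + c_hat (small Q only)."""
    return sum(poly_hash(m, nbits, x, c, Q) == poly_hash(m_hat, nbits, x, c_hat, Q)
               for x in range(Q))

def final_string(m, nbits, a1, b1, a2, b2, Q1, Q2):
    """m_2 as one party computes it from its own view of m."""
    bits1 = Q1.bit_length()
    m1 = (b1 << bits1) | poly_hash(m, nbits, b1, a1, Q1)    # <b1, m(b1) + a1>
    return (a2, poly_hash(m1, 2 * bits1, a2, b2, Q2))       # <a2, m1(a2) + b2>

def forgery_rate(m, m_hat, nbits, a1, b2, Q1, Q2):
    """Fraction of (b1, a2) for which Bob, holding m_hat, accepts Alice's m_2."""
    hits = sum(final_string(m, nbits, a1, b1, a2, b2, Q1, Q2)
               == final_string(m_hat, nbits, a1, b1, a2, b2, Q1, Q2)
               for b1 in range(Q1) for a2 in range(Q2))
    return hits / (Q1 * Q2)

if __name__ == "__main__":
    NBITS, Q1, Q2 = 64, 251, 127           # toy primes, far too small for real use
    m = secrets.randbits(NBITS)
    m_hat = m ^ 1                          # message substituted in transit
    a1, b2 = secrets.randbelow(Q1), secrets.randbelow(Q2)
    k1, k2 = len(coeffs(m, NBITS, Q1)), len(coeffs(0, 2 * Q1.bit_length(), Q2))
    print("collisions:", collisions(m, m_hat, NBITS, 3, 7, Q1), "<= k1 =", k1)
    print("forgery rate:", forgery_rate(m, m_hat, NBITS, a1, b2, Q1, Q2),
          "<= bound", k1 / Q1 + k2 / Q2)
```

With these toy parameters the manually compared value is two GF(127) elements (14 bits) for a 64-bit message, and the measured acceptance rate for a substituted message stays below k1/Q1 + k2/Q2.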

22
Lower Bound - Intuition
[Diagram: Alice and Bob; transmitted values $m, x_1$; $x_2$; $s$]
  • $m \in_R \{0,1\}^n \Rightarrow M, X_1, X_2, S$ are well defined random variables

23
Lower Bound - Intuition
[Diagram: Alice and Bob; transmitted values $M, X_1$; $X_2$; $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon)$
  • Evolving intuition
    • The parties must use at least $\log(1/\epsilon)$ random bits
    • Each party must use at least $\log(1/\epsilon)$ random bits
    • Each party must independently reduce $H(S)$ by $\log(1/\epsilon)$ bits

$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$
[Callouts on the terms: "Alice's randomness", "Bob's randomness"]
24
Lower Bound - Intuition
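[Diagram: Alice and Bob; transmitted values $M, X_1$; $X_2$; $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon)$

$H(S) - H(S \mid M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon)$
$H(S \mid M, X_1) - H(S \mid M, X_1, X_2) \ge \log(1/\epsilon)$
$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$
[Callouts on the terms: "Alice's randomness", "Bob's randomness"]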
25
Summary
  • Manual Channel
  • Computational assumptions are not necessary
  • Protocol
  • Matching lower bound
  • Sharp threshold between unconditional and computational

26
One More Slide
27
Shared Key Model
  • Traditional authentication model
    • Insecure channel
    • Shared secret key

  • Known upper bound [GN93]: Interactive protocol with $\ell = 2\log(1/\epsilon) + O(1)$
  • Known lower bound (only non-interactive): $\ell \ge 2\log(1/\epsilon)$ [GMS74, S84, S85, S88, M00]

Our results
  • Lower bound (interactive!): $\ell \ge 2\log(1/\epsilon)$
    • Even when authenticating one bit
  • Again, one-way functions are necessary for breaking the lower bound in the computational setting

28
Thank you!
  • Research supported by
    • Adi Shamir's Turing Award fund
    • Israel Science Foundation
  • Trip to CRYPTO supported by