Title: Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models

Slide 1: Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Moni Naor, Gil Segev, Adam Smith
Weizmann Institute of Science, Israel
Slide 2: Pairing of Wireless Devices
[Diagram: two devices exchanging g^x and g^y]
- Scenario
  - Buy a new wireless camera
  - Want to establish a secure channel for the first time
  - E.g., Diffie-Hellman key agreement
Slide 3: Pairing of Wireless Devices
Cable pairing
[Cartoon caption: "I thought this is a wireless camera"]
- Simple
- Cheap
- Authenticated channel
Slides 4-5: Pairing of Wireless Devices
Wireless pairing
[Diagram: Diffie-Hellman exchange of g^x and g^y with a man-in-the-middle substituting g^a and g^b]
Problem: Active adversaries (man-in-the-middle)
Slide 6: Message Authentication
- Assure the receiver of a message that it has not been changed by an active adversary
[Diagram: Alice sends m to Bob while Eve sits between them]

Slide 7: Pairing of Wireless Devices
[Diagram: the Diffie-Hellman exchange with the man-in-the-middle; the message to authenticate is m = g^x, which the adversary replaces by g^a]

Slide 8: Message Authentication
- Assure the receiver of a message that it has not been changed by an active adversary
[Diagram: Alice sends m to Bob while Eve sits between them]
- Without additional setup: Impossible!!
- Public key signatures
  - Problem: No trusted PKI
This paper: Manual channel
Slide 9: The Manual Channel
[Diagram: Diffie-Hellman exchange of g^x, g^y with the adversary's g^a, g^b; each device displays the short string "141"]
User can compare two short strings
Slides 10-12: Manual Channel Model
[Diagram: Alice and Bob exchange messages about m over the insecure channel; the short string s goes over the manual channel, in either an interactive or a non-interactive protocol]
- Insecure communication channel
- Low-bandwidth auxiliary channel
  - Enables Alice to manually authenticate one short string s
- Adversarial power
  - Choose the input message m
  - Insecure channel: Full control
  - Manual channel: Read, delay
  - Delivery timing
Goal: Minimize the length of the manually authenticated string
- No trusted infrastructure, such as
  - Public key infrastructure
  - Shared secret key
  - Common reference string
  - .......
- Suitable for ad hoc networks
  - Pairing of wireless devices
    - Wireless USB, Bluetooth
  - Secure phones
    - AT&T, PGP, Zfone
  - Many more...
Slides 13-17: Why Is This Model Reasonable?
- Implementing the manual channel
  - Compare two strings displayed by the devices
  - Type a string, displayed by one device, into the other device
  - Visual hashing
  - Voice channel
[Figure: two devices each displaying the short string "141"]
Constants do matter!
So how many bits can you manually authenticate? 20? 40? 160? ????
Slides 18-19: Previous Work
- Rivest, Shamir 84: The Interlock protocol
  - Mutual authentication of public keys
  - No trusted infrastructure
- Vaudenay 05
  - Formal model
  - Computationally secure protocol for arbitrarily long messages
  - log(1/ε) manually authenticated bits (ε = forgery probability; optimal!)
- LAN 05, DDN 00: Can be based on any one-way function (non-malleable commitments)
- Efficient implementations, or assume a common reference string (DIO 98, DKOS 01)
Computational assumptions!! Are those really necessary?
Slide 20: Our Results - Tight Bounds
[Diagram: an n-bit message m is authenticated using an l-bit manual string s, with forgery probability ε]
- Upper bound: Constructed a log* n-round protocol in which l = 2log(1/ε) + O(1)
  (no setup or computational assumptions; only twice as many bits as V05)
- Matching lower bound: n ≥ 2log(1/ε) ⇒ l ≥ 2log(1/ε) - 2
- One-way functions are necessary (and sufficient) for breaking the lower bound in the computational setting
Slide 21: Unconditional Security
- Some advantages over computational security
  - Security against unbounded adversaries
  - Exact evaluation of error probabilities
  - Protocols are often
    - easier to compose
    - more efficient
Key agreement protocols
Slide 22: Our Results - Tight Bounds
[Chart of the manual string length l: l = 2log(1/ε) is achievable with unconditional security; l = log(1/ε) is achievable with computational security, i.e. assuming one-way functions; below log(1/ε) is impossible]
Slide 23: Outline
- Security definition
- Our results
- The protocol
- Lower bound
- One-way functions are necessary for breaking the lower bound
- Conclusions
Slide 24: Security Definition
[Diagram: n-bit message m, l-bit manual string s]
Unconditionally secure (n, l, k, ε)-authentication protocol
- n-bit input message
- l manually authenticated bits
- k rounds
Completeness: No interference ⇒ ∀m, Bob accepts m (with high probability)
Unforgeability: ∀m, Pr[Bob accepts m' ≠ m] ≤ ε
Slide 26: The Protocol (simplified)
- Based on the GN93 hashing technique
- In each round, the parties
  - Cooperatively choose a hash function
  - Reduce to authenticating a shorter message
- A short message is manually authenticated
View a message m as a polynomial of degree at most k over GF(Q). Then, for any m ≠ m' and for any c, c' ∈ GF(Q),
$\Pr_{x \leftarrow_R GF(Q)}[\, m(x) + c = m'(x) + c' \,] \le k/Q$
Slide 27: The Protocol (simplified)
- We hash m to x || m(x) + c
- One party chooses x
- Other party chooses c
Slide 28: The Protocol (simplified)
[Diagram: Alice holds m; she sends (m, a1) over the insecure channel, Bob replies with (b1, b2), and Alice then sends m2 over the manual channel]
- Both parties set m0 = m and Q1 ≈ n/ε, Q2 ≈ log(n)/ε
- Alice chooses a1 ←R GF(Q1) and a2 ←R GF(Q2); Bob chooses b1 ←R GF(Q1) and b2 ←R GF(Q2)
- m1 = b1 || m0(b1) + a1
- m2 = a2 || m1(a2) + b2
- Bob accepts iff m2 is consistent
- 2log(1/ε) + 2loglog(n) + O(1) manually authenticated bits (two GF(Q2) elements)
- k rounds ⇒ 2loglog(n) is reduced to 2log^(k-1)(n)
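A toy implementation of the simplified protocol above, added here as an illustration and not the authors' code. It assumes small constructed primes Q1 = 1009, Q2 = 101 in place of Q1 ≈ n/ε, Q2 ≈ log(n)/ε, turns a bit string into a polynomial by cutting it into chunks, and simulates one delivery order of Attack 1 (Eve substitutes m' before Bob draws b1, b2 and forwards them unchanged) to check that Bob's acceptance rate stays within the k/Q bound.

```python
import random
Q1, Q2 = 1009, 101  # constructed toy primes (assumed); the slides take Q1 ~ n/eps and Q2 ~ log(n)/eps

def rng_for(seed=None):
    """Seeded generator for a reproducible demo; a real device must use the OS CSPRNG (seed=None)."""
    return random.Random(seed) if seed is not None else random.SystemRandom()

def to_poly(bits, q):
    """View a bit string as a polynomial over GF(q): each floor(log2 q)-bit chunk is one coefficient."""
    w = q.bit_length() - 1
    return [int(bits[i:i + w], 2) for i in range(0, len(bits), w)]

def poly_eval(coeffs, x, q):
    """Horner evaluation of sum_i coeffs[i] * x^i in GF(q), q prime."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def hash_step(m_bits, x, c, q):
    """One GN93 step: reduce m to the shorter string x || m(x)+c, each part written with ceil(log2 q) bits."""
    w = q.bit_length()
    y = (poly_eval(to_poly(m_bits, q), x, q) + c) % q
    return format(x, f"0{w}b") + format(y, f"0{w}b")

def alice_manual_string(m_bits, a1, b1, b2, rng):
    """Manual round: Alice authenticates m2 = a2 || m1(a2)+b2, where m1 = b1 || m0(b1)+a1 and m0 = m."""
    a2 = rng.randrange(Q2)
    m1 = hash_step(m_bits, b1, a1, Q1)
    return hash_step(m1, a2, b2, Q2)

def bob_accepts(m_recv, a1_recv, b1, b2, s):
    """Bob rebuilds m1 from what he received on the insecure channel and checks it against s."""
    w = Q2.bit_length()
    a2, y = int(s[:w], 2), int(s[w:], 2)
    m1_bob = hash_step(m_recv, b1, a1_recv, Q1)
    return (poly_eval(to_poly(m1_bob, Q2), a2, Q2) + b2) % Q2 == y

def run_once(m_bits, m_delivered, rng):
    """One execution; m_delivered is what Bob gets in round 1 (m itself, or Eve's m' in Attack 1)."""
    a1 = rng.randrange(Q1)                             # round 1, insecure: Alice -> Bob: (m, a1)
    b1, b2 = rng.randrange(Q1), rng.randrange(Q2)      # round 2, insecure: Bob -> Alice: (b1, b2)
    s = alice_manual_string(m_bits, a1, b1, b2, rng)   # round 3, manual channel: m2
    return bob_accepts(m_delivered, a1, b1, b2, s)

def attack1_success_rate(m_bits, trials, seed=None):
    """Special case of Attack 1: Eve fixes m' (last bit flipped) before Bob draws b1, b2 and forwards them unchanged."""
    rng = rng_for(seed)
    forged = m_bits[:-1] + ("1" if m_bits[-1] == "0" else "0")
    return sum(run_once(m_bits, forged, rng) for _ in range(trials)) / trials
```

For a 64-bit m the slide bound gives at most deg(m0)/Q1 + deg(m1)/Q2 = 7/1009 + 3/101, so only a few percent of the attack runs end with Bob accepting m'.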
Slides 29-31: Security Analysis
- Must consider all generic man-in-the-middle attacks
- Three attacks in our case (they differ in the order in which Eve delivers messages; primed values are the ones Eve delivers)
[Diagram, Attack 1: Alice → Eve: (m, a1); Eve → Bob: (m', a1'); Bob → Eve: (b1, b2); Eve → Alice: (b1', b2'); Alice → Bob over the manual channel: m2]
[Diagram, Attack 2: Alice → Eve: (m, a1); Bob → Eve: (b1, b2); then Eve → Bob: (m', a1') and Eve → Alice: (b1', b2'); manual channel: m2]
[Diagram, Attack 3: Eve first completes the run with Alice, receiving (m, a1), sending (b1', b2') and receiving m2 over the manual channel, and only then runs with Bob, sending (m', a1'), receiving (b1, b2) and letting m2 be delivered]
Slide 32: Security Analysis: Attack 1
[Diagram, Attack 1: Bob receives (m', a1'), Alice receives (b1', b2'), then m2 over the manual channel]
$m_{0,A} = m$, $m_{0,B} = m'$
$m_{1,A} = b_1' \,\|\, m_{0,A}(b_1') + a_1$, $m_{1,B} = b_1 \,\|\, m_{0,B}(b_1) + a_1'$
$m_{2,A} = a_2 \,\|\, m_{1,A}(a_2) + b_2'$, $m_{2,B} = a_2 \,\|\, m_{1,B}(a_2) + b_2$
$\Pr[m_{0,A} \ne m_{0,B} \wedge m_{2,A} = m_{2,B}] \le \Pr[m_{0,A} \ne m_{0,B} \wedge m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \ne m_{1,B} \wedge m_{2,A} = m_{2,B}] \le \varepsilon/2 + \varepsilon/2$
Slide 33: Security Analysis: Attack 1
[Diagram: Alice → Eve: (m, a1); Eve → Bob: (m', a1'); Bob → Eve: b1; Eve → Alice: b1']
$m_{0,A} = m$, $m_{0,B} = m'$
$m_{1,A} = b_1' \,\|\, m_{0,A}(b_1') + a_1$, $m_{1,B} = b_1 \,\|\, m_{0,B}(b_1) + a_1'$
Claim: $\Pr[m_{0,A} \ne m_{0,B} \wedge m_{1,A} = m_{1,B}] \le \varepsilon/2$
- Eve chooses b1' ≠ b1 ⇒ m1,A ≠ m1,B
- Eve chooses b1' = b1 ⇒ $\Pr[m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + a_1'] \le \varepsilon/2$
Slide 34: Outline
- Manual channel model
- Our results
- The protocol
- Lower bound
- One-way functions are necessary for breaking the lower bound
- Conclusions
Slide 35: Lower Bound
[Diagram: Alice → Bob: (m, x1); Bob → Alice: x2; Alice → Bob over the manual channel: s]
- m ←R {0,1}^n ⇒ M, X1, X2, S are well-defined random variables
Slide 36: Lower Bound
[Diagram: Alice → Bob: (M, X1); Bob → Alice: X2; manual channel: S]
- Basic information theory
  - Shannon entropy: $H(X) = -\sum_x p(x) \log p(x)$
  - Conditional entropy: $H(X \mid Y) = \mathrm{E}_y\, H(X \mid Y = y)$
  - Mutual information: $I(X; Y) = H(X) - H(X \mid Y)$
  - Conditional mutual information: $I(X; Y \mid Z) = H(X \mid Z) - H(X \mid Y, Z)$
Slides 37-38: Lower Bound
[Diagram: Alice → Bob: (M, X1); Bob → Alice: X2; manual channel: S]
- Evolving intuition
  - The parties must use at least log(1/ε) random bits
  - Each party must use at least log(1/ε) random bits
  - Each party must independently reduce H(S) by log(1/ε) bits
$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$
$\phantom{H(S)} = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$
[Bar: H(S) split into Alice's randomness, $I(S; M, X_1) + H(S \mid M, X_1, X_2)$, and Bob's randomness, $I(S; X_2 \mid M, X_1)$]
Slide 39: Lower Bound
[Diagram: Alice → Bob: (M, X1); Bob → Alice: X2; manual channel: S; bar: H(S) split into Alice's randomness and Bob's randomness]
Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon)$
Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\varepsilon)$
Slide 40: Proof of Lemma 1
Consider the following attack
[Diagram: Alice, Bob and Eve; messages m, x1, x2 and the manual string s]
Eve acts as follows
Slide 41: Proof of Lemma 1
By the protocol requirements,
Since n ≥ log(1/ε), we get
which implies
$I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon) - 1$
Slide 42: Lower Bound
[Diagram: Alice → Bob: (M, X1); Bob → Alice: X2; manual channel: S; bar: H(S) split into Alice's randomness and Bob's randomness]
- Goal: H(S) ≥ 2log(1/ε) - 2
Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\varepsilon) - 1$
Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\varepsilon) - 1$
Slide 44: One-Way Functions
Theorem: One-way functions are necessary for breaking the 2log(1/ε) lower bound in the computational setting
No one-way functions ⇒ The attacks of the lower bound can be carried out by a poly-time adversary
Slide 45: Recall: Proof of Lemma 1
Consider the following attack
[Diagram: Alice, Bob and Eve; messages m, x1, x2 and the manual string s]
Eve acts as follows (randomly inverting a function)
Slide 46: One-Way Functions
- One-way functions
  - Easy to compute
  - Hard to invert given the image of a random input (hard to find even one inverse)
- Distributionally one-way functions (IL89)
  - Easy to compute
  - Hard to randomly invert given the image of a random input (may be easy to find some inverses)
- Any one-way function is also distributionally one-way
- IL89: The existence of both primitives is equivalent
Slides 47-48: One-Way Functions
- Eve has to sample X2 given m, x1 and s.
  f(m, rA, rB) = (m, x1, x2, s), mapping the message, Alice's coins and Bob's coins to the transcript of the protocol
  g(m, rA, rB) = (m, x1, s)
- g is not distributionally one-way ⇒ Eve can randomly invert g and apply f to compute x2.
  Statistically close to uniform
- Bob cannot distinguish between the two executions with significant probability.
Slide 50: Conclusions
- Manual channel
  - Computational assumptions are not necessary
  - Protocol
  - Matching lower bound
  - Sharp threshold between unconditional and computational security

Slide 51: One More Slide
Slide 52: Shared Key Model
- Traditional authentication model
  - Insecure channel
  - Shared secret key
  ...
- Known upper bound: GN93, interactive protocol with l = 2log(1/ε) + O(1)
- Known lower bound (only non-interactive): l ≥ 2log(1/ε) (GMS74, S84, S85, S88, M00)
Our results
- Lower bound (interactive!): l ≥ 2log(1/ε)
  - Even when authenticating one bit
- Again, one-way functions are necessary for breaking the lower bound in the computational setting

Slide 53: Thank you!