Position Based Cryptography*

1
Position Based Cryptography

• Nishanth Chandran Vipul Goyal Ryan Moriarty
  Rafail Ostrovsky
• UCLA

CRYPTO 09
2
What constitutes an identity?

• Your public key

PK

• Your biometric

• Email ID

abc_at_gmail.com
z
x

• How about where you are?

y
3
Geographical Position as an Identity
sk
sk
Encsk(m)
US Military Base in USA
US Military Base in Iraq
Reveal sk or else..
sk
4
Geographical Position as an Identity
US Military Base in USA
US Military Base in Iraq

• We trust physical security

• Guarantee that those inside
• a particular geographical region
• are good

5
Geographical Position as an Identity
Enc (m)
US Military Base in USA
US Military Base in Iraq
Only someone at a particular geographical
position can decrypt
6
Other Applications

• Position-based Authentication guarantee that a
  message came from a person at a particular
  geographical position
• Position-based access control allow access to
  resource only if user is at particular
  geographical position
• Many more.

7
Problem (informally)

• A set of verifiers present at various
  geographical positions in space
• A prover present at some geographical position P

GOAL Exchange a key with the prover if and only
if prover is in fact at position P
8
Secure Positioning

• Set of verifiers wish to verify the position
  claim of a prover at position P
• Run an interactive protocol with the prover at P
  to verify this
• Studied in the security community
• SSW03, B04, SP05, CH05, CCS06

9
Previous Techniques for Secure Positioning
Random nonce r
Verifier
Prover
r
Time of response
Prover cannot be farther away from verifier than
he claims to be
10
Triangulation CH05
V1
3 Verifiers measure Time of response and verify
position claim
r1
r1
P
r2
r3
r3
r2
V2
V3
11
Triangulation CH05
Works, but assumes a single adversary
Attack with multiple colluding provers
V1
Pi can delay response to Vi as if it were coming
from P
r1
r1
Position P
P1
P3
P2
r2
r3
V2
V3
r3
r2
12
Talk Outline

• Vanilla Model
• Secure Positioning
• - Impossible in vanilla model
• - Positive information-theoretic results in the
  Bounded Retrieval Model

• Position-based Key Exchange - Positive
  information-theoretic results in the BRM

13
Vanilla Model

• Verifiers can send messages at
• any time to prover with speed of light

All verifiers share a secret channel
V1
P1

• Verifiers can record time of sent and received
  messages

• Multiple, coordinating
• adversaries, possibly
• computationally
• bounded

P
P3
P2
V2
V3
P lies inside Tetrahedron
14
Lower Bound
Theorem There does not exist any protocol to
achieve secure positioning in the Vanilla model
Corollary Position-based key exchange is
impossible in the Vanilla model
15
Lower Bound Proof sketch
V1

• Generalization of attack
• presented earlier

V4

• Pi can run exact copy of
• prover and respond to Vi

P1
P4

• Pj internally delays every
• msg from Vj and sends
• msg to Pi

• Blue path not
• shorter than red path

P2
P3
V3
V2
Position P
16
Lower bound implications

• Secure positioning and hence position-based
  cryptography is impossible in Vanilla model (even
  with computational assumptions!)
• Search for alternate models where position-based
  cryptography is possible?

17
CONSTRUCTIONS PROOFS
18
Bounded Retrieval Model (BRM) Maurer92, CLW06,
Dziembowski06

• Assumes long string X (of length n and high
  min-entropy) in the sky or generated by some
  party
• Assumes all parties (including honest) have
  retrieval bound ßn for some 0ltßlt1
• Adversaries can retrieve information from X (even
  possibly after honest parties have used the key
  generated from X), as long as the total
  information retrieved is bounded
• Several works have studied the model in great
  detail

19
BRM in the context of Position-based Cryptography
Like Vanilla Model except Adversaries are
not computationally bounded
Adversaries can store only a small f(X) as X
passes byi.e. (Total f(X) lt retrieval bound)
V1
X
P1
P2
X
V3
V2
Note that Adversaries can NOT reflect
X (violates BSM)
Verifiers can broadcast HUGE X
20
Physically realizing BRM

• Seems reasonable that an adversary can only
  retrieve small amount of information as a string
  passes by (the string need to not even be super
  huge for this to hold).
• Verifiers could split X and broadcast the
  portions on different frequencies.
• The key could tell a prover which frequencies to
  listen in to.

21
BSM/BRM primitives needed

• BSM PRG from Vad04
• PRG takes as input string X with high min-entropy
  and short seed K
• PRG(X,K) Uniform, even given K and A(X) for
  arbitrary bounded output length function A

22
Secure Positioning in 1-Dimensional Space
PRG(X,K)
K
K
X
K
V1
V2
Position P

• Correctness of protocol follows from
• Prover at P can compute PRG(X,K)
• 2. V1 can compute PRG(X,K) when broadcasting X
• 3. Response of prover from P will be on time

V1 measures time of response and accepts if
response is correct and received at the right time
23
Secure Positioning in 1-Dimensional Space
Proof Intuition
K
K
X
K
V1
V2
P1
P2
Position P
Can store A(X)
Can store K

• P1 can respond in time, but has only A(X) and K
• P2 can compute PRG(X,K), but cannot respond in
  time

24
Secure Positioning in 3-Dimensional Space

• First, we will make an UNREASONABLE assumption
• Then show how to get rid of it!

25
Secure Positioning in 3-Dimensional Space
CHEATING ASSUMPTION For now, assume Vi can
store Xs!
V1

• Prover computes
• Ki1 PRG(Xi, Ki), 1 i 3

K1
V4
X3

• Prover broadcasts K4
• to all verifiers

K4
K4
K4
K4

• Verifiers check
• response time
• of response

X2
X1
V3
V2
Position P
26
Secure Positioning in 3-Dimensional Space

• Security will follow from security of position
  based
• based key exchange protocol presented later

• What about correctness??

• Verifiers cannot compute K4 if they
• dont store Xis
• V3 needs K2 before broadcasting
• X2 to compute K3
• But, V3 might have to
• broadcast X2 before or
• same time as V2 broadcasts X1

K1
V1
X3
V4
K4
X1
V3
V2
X2
27
Secure Positioning in 3-Dimensional Space
ELIMINATING CHEATING Protocol when Verifiers
cannot store Xis

• V1, V2, V3, V4 pick K1, K2, K3, K4 at random
  before protocol
• Now, Verifiers know K4 they must help prover
  compute it

• V1 broadcasts K1
• V2 broadcasts X1 and K2 PRG(X1,K1) xor K2
• V3 broadcasts X2 and K3 PRG(X2,K2) xor K3
• V4 broadcasts X3 and K4 PRG(X3,K3) xor K4

Verifiers secret share Kis and broadcast one
share according to Xis
28
Secure Positioning in 3-Dimensional Space
V1
K1
Position P
V4
X3, K4

• Note that prover
• can compute K4
• and broadcast K4

X2, K3
X1, K2
V3
V2
29
Secure Positioning Bottom line

• We can do secure positioning in 3D in the bounded
  storage model
• We can obtain a protocol even if there is a small
  variance in delivery time when small positioning
  error is allowed

30
What else can we do in this model?

• What about key agreement?

31
Information-theoretic Key Exchange in
1-Dimensional Space
Position P
Secure positioning
V1
V2
P1
P2
Could not compute key
Could compute key, but cannot respond in time
32
Information-theoretic Key Exchange in
1-Dimensional Space
K3 PRG(X2, PRG(X1, K1))
K1, X2
X1
V1
V2
P1
P2
Position P
Can store A(X1, K1)
Can store A(X2,K1),K1
Seems like no adversary can compute PRG(X2, K2)
Intuition works!!
33
Information-theoretic Key Exchange in
3-Dimensional Space
V1
Again assume Verifiers can store Xs
K1,X4
Position P
V4
X3
Prover computes Ki1 PRG(Xi, Ki)
1 i 5 K6 is final key
X1, X5
X2
V3
V2
34
Subtleties in proof
P4
V1
A(X1, A(X3), A(X4, K1))
K1,X4
Position P
V4
A(X4, K1)
P1
X3
P2
A(X3)
P3
X1, X5
X2
V3
V2
35
Proof Ideas
Part 1 Geometric Arguments

• A lemma ruling out any adversary simultaneously
• receiving all messages of the verifiers
• Characterizes regions within tetrahedron
• where position-based key exchange is possible

• Combination of geometric arguments to
  characterize
• information that adversaries at different
  positions can
• obtain

36
Proof Ideas
Part 2 Extractor Arguments

• Build on techniques from Intrusion-Resilient
  Random
• Secret Sharing scheme of Dziembowski-Pietrzak
  DP07

• Show a reduction of the security of our protocol
  to a
• (slight) generalization of DP07 allowing
  multiple
• adversaries working in parallel

37
A REMINDER Intrusion-Resilient Random Secret
Sharing Scheme (IRRSS) DP07
X1
X2
X3
Xn
S1
S2
S3
Sn

• K1 is chosen at random and given to S1
• Si computes Ki1 PRG(Xi, Ki) and sends Ki1 to
  Si1
• Sn outputs key Kn1

Bounded adversary can corrupt a sequence of
players (with repetition) as long as sequence is
valid
Valid sequence does not contain S1,S2,..,Sn as a
subsequence Eg If n 5 13425434125 is invalid,
but 134525435 is valid
Then, Kn1 is statistically close to uniform
38
Reduction to IRRSS
X2
X3
X4
X1
X5
A(X1, A(X3), A(X4, K1))
K1,X4
P3
V1
S1
S2
S3
S4
S5
V4
P1 corrupts S4 P2 corrupts S3 P3 corrupts S4,
S3, S1
P1
X3
P2
A(X4, K1)
A(X3)
All adversaries given K1 for free
X2
X1, X5
V3
Combining all this, proves the theorem
V2
39
Conclusions

• WE HAVE SHOWN IN THE PAPER
• Position based Key Exchange in BRM for entire
  tetrahedron region (but computational security)
• Protocol for position based Public Key
  Infrastructure
• Protocol for position based MPC
• OPEN
• Other models? (we are currently looking at
  quantum, seems plausible!)
• Other applications of position-based crypto?

40
Thank you