Seminar in Foundations of Privacy

1
Seminar in Foundations of Privacy
Message Authenticationin the Manual Channel Model
Gil Segev
2
Pairing of Wireless Devices

• Scenario
• Buy a new wireless camera
• Want to establish a secure channel for the first
  time
• Diffie-Hellman key agreement protocol

3
Diffie-Hellman Key Agreement

• Alice and Bob wish to agree on a secret key
• Public parameters
• Group G
• Generator g 2 G

gx
Alice
Bob
gy
Both parties compute KA,B gxy

• Security Even when given (G, g, gx, gy) it is
  still hard to compute gxy

4
Diffie-Hellman Key Agreement

• Computational Diffie-Hellman assumption
  (CDH)For every probabilistic polynomial-time
  algorithm A, every polynomial p(n) and for all
  sufficiently large n,

PrA(Gn,gn,gnx,gny) gnxy lt 1/p(n)
The probability is taken over As internal coins
tosses and over the random choice of (x,y)

• Decisional Diffie-Hellman assumption (DDH)

c
(g, gx, gy, gxy) ? (g, gx, gy, gc)
for random x, y and c.
Computational Indistinguishability
5
Diffie-Hellman Key Agreement

• Alice and Bob wish to agree on a secret key
• Public parameters
• Group G
• Generator g 2 G

gx
Alice
Bob
gy
Both parties compute KA,B gxy

• CDH assumption KA,B is hard to guess
• DDH assumption KA,B is as good as a random
  secret
• Secure against passive adversaries
• Eve is only allowed to read the sent messages

6
Pairing of Wireless Devices
gx
gy

• Scenario
• Buy a new wireless camera
• Want to establish a secure channel for the first
  time
• Diffie-Hellman key agreement protocol

7
Devices
Pairing of
Wireless
Cable pairing
I thought this is a wireless camera

• Simple
• Cheap
• Authenticated channel

8
Pairing of Wireless Devices
Wireless pairing
Problem Active adversaries (man-in-the-middle)
9
Pairing of Wireless Devices
Wireless pairing
gy
gx
ga
gb
Problem Active adversaries (man-in-the-middle)
10
Diffie-Hellman Key Agreement

• Suppose now that Eve is an active adversary
• man-in-the-middle attacker

gx
gy
Alice
Bob
Eve
ga
gb
KA,E gxa
KE,B gby

• Completely insecure
• Eve can decrypt m, and then re-encrypt it

11
Diffie-Hellman Key Agreement

• Suppose now that Eve is an active adversary
• man-in-the-middle attacker

gx
gy
Alice
Bob
Eve
ga
gb
KA,E gxa
KE,B gby

• Solution - Message authentication
• Alice and Bob authenticate gx and gy

12
Message Authentication

• Assure the receiver of a message that it has not
  been changed by an active adversary

m
Alice
Bob
Eve
Problem specification
Completeness No interference ? ?m Bob accepts
m
(with high probability)
Soundness ?m Pr Bob accepts m ? m ? ?

13
One-Time Authentication

• The secret key enables a single authentication of
  a message m ? 0,1n

• H h h 0,1n ? 0,1k is a family of hash
  functions

• Alice and Bob share a random function h?H
• h is not known to Eve

• To authenticate m ? 0,1n Alice sends (m,h(m))

• Upon receiving (m,z)
• If z h(m), then Bob outputs m and halts
• Otherwise, Bob outputs ? and halts

14
One-Time Authentication

• What properties do we require from H?

• Hard to guess h(m)
• Success probability at most ?
• Should hold for any m

15
One-Time Authentication

• What properties do we require from H?

• Hard to guess h(m) even given h(m)
• Success probability at most ?
• Should hold for any m and m

• Short representation for h - must have small
  logH

• Easy to compute h(m) given h and m

16
Universal Hash Functions

• Given h 0,1n ? 0,1k we can always guess a
  correct output with probability at least 2-k
• A family where this is tight is called universal2
  
• Definition a family H h h 0,1n ? 0,1k
  is called Strongly Universal2 or pair-wise
  independent if
• for all m1? m2 ?0,1n and y1, y2 ?0,1k we have
  
• Prh(m1) y1 and h(m2) y2 2-2k
• where the probability is over a randomly chosen
  h? H
• In particular Prh(m2) y2 h(m1) y1 2-k
  
• Theorem when a strongly universal2 family is
  used in the protocol, Eves probability of
  cheating is at most 2-k

17
Constructing Universal Hash Functions

• The linear polynomial construction
• Fix a finite field F of size at least the
  message space 2n
• Could be either GF2n or GFP for some prime P
  2n
• The family H of functions h F? F is defined as
• H ha,b(m) am b a, b ? F
• Claim the family above is strongly universal2
• Proof for every m1?m2, y1, y2 ?F there are
  unique a, b ? F such that
• am1b y1
• am2b y2
• Size each h?H represented by 2n bits

18
Lower Bound

• TheoremLet H h h 0,1n ? 0,1 be a
  family of pair-wise independent functions. Then
• H is O(2n)
• More precisely, to obtain a d-wise independence
  family H should be O(2nd/2)

• N. Alon and J. SpencerThe Probabilistic
  MethodChapter 15 (derandomization), Proposition
  2.3

19
More on Authentication

• Reducing the length of the secret key
• Almost-pair-wise independent hash functions
• Interaction

• Using the same secret key to authenticate any
  polynomial number of messages
• Requires computational assumptions
• Pseudorandom functions

• Authentication in the public-key world

• Much more to discuss

20
Pairing of Wireless Devices
Wireless pairing
gy
gx
ga
gb
m gx ga

• Impossible without additional setup

21
Pairing of Wireless Devices
Wireless pairing
gy
gx
ga
gb
Solution Manual Channel
22
The Manual Channel
Wireless pairing
gy
gx
141
ga
gb
141
User can compare two short strings
23
Manual Channel Model
m
Alice
Bob
s
. . .
s
s
Interactive

• Insecure communication channel
• Low-bandwidth auxiliary channel
• Enables Alice to manually authenticate one
  short string s

Non-interactive

• Adversarial power
• Choose the input message m
• Insecure channel Full control
• Manual channel Read, delay
• Delivery timing

24
Manual Channel Model
m
Alice
Bob
s
. . .
s
s
Interactive

• Insecure communication channel
• Low-bandwidth auxiliary channel
• Enables Alice to manually authenticate one
  short string s

Non-interactive
GoalMinimize the length of the manually
authenticated string
25
Manual Channel Model
m
Alice
Bob
s
. . .
s
s

• No trusted infrastructure, such as
• Public key infrastructure
• Shared secret key
• Common reference string
• .......

• Suitable for ad hoc networks
• Pairing of wireless devices
• Wireless USB, Bluetooth
• Secure phones
• ATT, PGP, Zfone
• Many more...

26
Why Is This Model Reasonable?

• Implementing the manual channel
• Compare two strings displayed by the devices

141
141
27
Why Is This Model Reasonable?

• Implementing the manual channel
• Compare two strings displayed by the devices
• Type a string, displayed by one device, into the
  other device

141
141
28
Why Is This Model Reasonable?

• Implementing the manual channel
• Compare two strings displayed by the devices
• Type a string, displayed by one device, into the
  other device
• Visual hashing

29
Why Is This Model Reasonable?

• Implementing the manual channel
• Compare two strings displayed by the devices
• Type a string, displayed by one device, into the
  other device
• Visual hashing
• Voice channel

141
141
30
The Naive Solution
m
Alice
Bob
H(m)

• H - collision resistant hash function (e.g.,
  SHA-256)
• No efficient algorithm can find m ? m s.t. H(m)
  H(m) with noticeable probability
• Any adversary that forges a message can be used
  to find a collision for H

31
The Naive Solution
m
Alice
Bob
H(m)

• H - collision resistant hash function (e.g.,
  SHA-256)
• No efficient algorithm can find m ? m s.t. H(m)
  H(m) with noticeable probability
• Any adversary that forges a message can be used
  to find a collision for H

Are we done?

• No. The output length of SHA-256 is too long (160
  bits)
• Cannot be easily compared or typed by humans

32
Tight Bounds
m
n-bit
. . .
s
l-bit
? forgery probability
No setup or computational assumptions

• Upper bound logn-round protocol in which l
  2log(1/?) O(1)

• Matching lower bound n ? 2log(1/?) ? l
  ? 2log(1/?) - 2

• One-way functions are necessary (and sufficient)
  for breaking the lower bound in the computational
  setting

33
Our Results - Tight Bounds
l
l 2log(1/?)
l log(1/?)
One-way functions
Unconditional security
Computational security
Impossible
log(1/?)
34
Outline

• Security definition
• Tight bounds
• The protocol
• Lower bound

35
Security Definition
m
n-bit
. . .
s
l-bit
Unconditionally secure (n, l, k,
?)-authentication protocol

• n-bit input message
• l manually authenticated bits
• k rounds

Completeness No interference ? ?m Bob accepts
m
(with high probability)
Unforgeability ?m Pr Bob accepts m ? m ? ?

36
Outline

• Security definition
• Tight bounds
• The protocol
• Lower bound

37
The Protocol (simplified)

• Based on the GN93 hashing technique
• In each round, the parties
• Cooperatively choose a hash function
• Reduce to authenticating a shorter message
• A short message is manually authenticated

Then, for any m ? m and for any c, c ? GFQ,


Prob x ?R GFQ m(x) c m(x) c ? k/Q

38
The Protocol (simplified)
x m(x) c
We hash m to
One party chooses x
Other party chooses c
39
The Protocol (simplified)
Alice
Bob
m
a1
a1 ?R GFQ1
b1 ?R GFQ1
b2
b1
a2 ?R GFQ2
b2 ?R GFQ2
m2
Accept iff m2 is consistent
m0 m
Both parties set
Q1 ? n/? , Q2 ? log(n)/?
m1 b1 m0(b1) a1
m2 a2 m1(a2) b2
2log(1/?) 2loglog(n) O(1) manually
authenticated bits
Two GFQ2 elements

• k rounds ? 2loglog(n) is reduced to
  2log(k-1)(n)

40
Security Analysis

• Must consider all generic man-in-the-middle
  attacks.
• Three attacks in our case

Attack 1
Alice
Bob
Eve


m
a1
m
a1


b1
b2
b1
b2
m2
41
Security Analysis

• Must consider all generic man-in-the-middle
  attacks.
• Three attacks in our case

Attack 2
Alice
Bob
Eve


m
a1
b1
b2
m
a1


b1
b2
m2
42
Security Analysis

• Must consider all generic man-in-the-middle
  attacks.
• Three attacks in our case

Attack 3
Alice
Bob
Eve
m
a1


b2
b1
m2


m
a1
b2
b1
m2
43
Security Analysis Attack 1
Alice
Bob
Eve


m
a1
m
a1


b2
b2
b1
b1
m2
m0,A m
m0,B m




m1,A b1 m0,A(b1) a1
m1,B b1 m0,B(b1) a1

m2,A a2 m1,A(a2) b2
m2,B a2 m1,B(a2) b2
m0,A ? m0,B and m2,A m2,B
m1,A m1,B
m1,A ? m1,B and m2,A m2,B
Pr


Pr
? ?/2 ?/2

44
Security Analysis Attack 1
Alice
Bob
Eve


m
a1
m
a1

b1
b1
m0,A m
m0,B m




m1,A b1 m0,A(b1) a1
m1,B b1 m0,B(b1) a1
Claim

• Eve chooses b1 ? b1
• Eve chooses b1 b1

? m1,A ? m1,B

?
? ?/2

Pr m0,A(b1) a1 m0,B(b1) a1 ? ?/2
45
Outline

• Security definition
• Tight bounds
• The protocol
• Lower bound

46
Lower Bound
Alice
Bob
m, x1
x2
s

• m ?R 0,1n ? M, X1, X2, S are well defined
  random variables

47
Lower Bound
Alice
Bob
M, X1
X2
S

• Goal H(S) ? 2log(1/?)

48
Shannon Entropy

• Let X be random variable over domain X with
  probabilitydistribution PX
• The Shannon entropy of X is

H(X) - ?x 2 X PX(x) log PX(x)
(where 0log0 0)

• Measures the amount of randomness in X on average
• Measures how much we can compress X on average

0 H(X) logX
Equality , X is constant
Equality , X is uniform
49
A Related Notion Min-Entropy

• Let X be random variable over domain X with
  probabilitydistribution PX
• The min-entropy of X is

H1(X) - log maxx 2 X PX(x)

• Measures the amount of randomness in X in the
  worst-case
• Represents the most likely value(s)

0 H1(X) H(X) logX
Equality , X is constant
Equality , X is uniform
Equality , X is uniform
50
Conditional Shannon Entropy

• Let X and Y be two random variables over domains
  X and Ywith probability distributions PX and PY
• The conditional Shannon entropy of X given Y is

H(XY) ?y 2 Y PY(y) H(XYy)

• Observation

H(X,Y) H(X) H(YX)
H(X,Y) H(Y) H(XY)
51
Shannon Mutual Information

• The mutual information between X and Y is

I(XY) H(X) H(XY)

• Observation

I(XY) I(YX)

• Conditional mutual information

I(XYZ) H(XZ) H(XY,Z)
52
Lower Bound
Alice
Bob
M, X1
X2
S

• Goal H(S) ? 2log(1/?)

• Evolving intuition
• The parties must use at least log(1/?) random bits

• Each party must use at least log(1/?) random bits

• Each party must independently reduce H(S) by
  log(1/?) bits

H(S) H(S) - H(S M, X1)
I(S M, X1)
H(S M, X1) - H(S M, X1, X2)
I(S X2 M, X1)
H(S M, X1, X2)
H(S M, X1, X2)
53
Lower Bound
Alice
Bob
M, X1
X2
S

• Goal H(S) ? 2log(1/?)

• Evolving intuition
• The parties must use at least log(1/?) random bits

• Each party must use at least log(1/?) random bits

• Each party must independently reduce H(S) by
  log(1/?) bits

Alices randomness
H(S)
Bobs randomness
54
Lower Bound
Alice
Bob
M, X1
X2
S

• Goal H(S) ? 2log(1/?)

Lemma 1 I(S M, X1) H(S M, X1, X2) ?
log(1/?)
Lemma 2 I(S X2 M, X1) ? log(1/?)
Alices randomness
H(S)
Bobs randomness
55
Proof of Lemma 1
Consider the following attack
Alice
Bob
Eve
x2
m
x1
s
Eve acts as follows

• Chooses m ?R 0,1n

• Chooses m ?R 0,1n

• Forwards s

56
Proof of Lemma 1
By the protocol requirements
Since n ? log(1/?), we get
which implies
?(S M, X1) H(S M, X1, X2) ? log(1/?) - 1
57
Lower Bound
Alice
Bob
M, X1
X2
S

• Goal H(S) ? 2log(1/?) - 2

Lemma 1 I(S M, X1) H(S M, X1, X2) ?
log(1/?) - 1
Lemma 2 I(S X2 M, X1) ? log(1/?) - 1
Alices randomness
H(S)
Bobs randomness
58
References

• Whitfield Diffie and Martin E. HellmanNew
  Directions in CryptographyIEEE Transactions on
  Information Theory 1976

• Peter Gemmell and Moni NaorCodes for Interactive
  AuthenticationCRYPTO 1993

• Moni Naor, Gil Segev and Adam SmithTight Bounds
  for Unconditionally Secure Authentication
  Protocols in the Manual Channel and Shared Key
  ModelsCRYPTO 2006

• T. Cover and J. A. ThomasElements of information
  Theory