Tight Bounds for Unconditional Authentication Protocols in the - PowerPoint PPT Presentation

1 / 28

About This Presentation

Title:

Tight Bounds for Unconditional Authentication Protocols in the

Description:

Buy a new wireless camera. Want to establish a secure channel for the ... easier to compose. more efficient. Key agreement protocols. Unconditional Security. l ... – PowerPoint PPT presentation

Number of Views:41

Avg rating:3.0/5.0

Slides: 29

Provided by: MAST180

Category:

more less

Transcript and Presenter's Notes

Title: Tight Bounds for Unconditional Authentication Protocols in the

1
Tight BoundsforUnconditional Authentication
Protocolsin the
Model
and Shared Key
Manual Channel
s
Gil Segev
Moni Naor
Adam Smith
Weizmann Institute of ScienceIsrael
2
Pairing of Wireless Devices
gx
gy

Scenario
Buy a new wireless camera
Want to establish a secure channel for the first
time
E.g., Diffie-Hellman key agreement

3
Devices
Pairing of
Wireless
Cable pairing
I thought this is a wireless camera

Simple
Cheap
Authenticated channel

4
Pairing of Wireless Devices
Wireless pairing
Problem Active adversaries (man-in-the-middle)
5
Pairing of Wireless Devices
Wireless pairing
gy
gx
ga
gb
Problem Active adversaries (man-in-the-middle)
6
Message Authentication

Assure the receiver of a message that it has not
been changed by an active adversary

m
Alice
Bob
Eve
7
Pairing of Wireless Devices
gy
gx
ga
gb
m gx ga
8
Message Authentication

Assure the receiver of a message that it has not
been changed by an active adversary

m
Alice
Bob
Eve

Without additional setup Impossible !!
Public Key Signatures
Problem No trusted PKI

This Paper Manual Channel
9
The Manual Channel
gy
gx
141
ga
gb
141
User can compare two short strings
10
Manual Channel Model
m
Alice
Bob
s
. . .
s
s
Interactive

Insecure communication channel
Low-bandwidth auxiliary channel
Enables Alice to manually authenticate one
short string s

Non-interactive

Adversarial power
Choose the input message m
Insecure channel Full control
Manual channel Read, delay
Delivery timing

11
Manual Channel Model
m
Alice
Bob
s
. . .
s
s
Interactive

Insecure communication channel
Low-bandwidth auxiliary channel
Enables Alice to manually authenticate one
short string s

Non-interactive
GoalMinimize the length of the manually
authenticated string
12
Manual Channel Model
m
Alice
Bob
s
. . .
s
s

No trusted infrastructure, such as
Public key infrastructure
Shared secret key
Common reference string
.......

Suitable for ad hoc networks
Pairing of wireless devices
Wireless USB, Bluetooth
Secure phones
ATT, PGP, Zfone
Many more...

13
The Manual Channel
141
141
Constants do matter!
So how many bits can we manually authenticate?
20 ?40 ?160 ?????
14
Previous Work

Rivest Shamir 84 The Interlock protocol
Mutual authentication of public keys
No trusted infrastructure

ATT, PGP,, Zfone

Vaudenay 05
Formal model
Computationally secure protocol for arbitrary
long messages
log(1/?) manually authenticated bits
LAN 05, DDN 00 Can be based on any one-way
function
(non-malleable commitments)
Efficient implementations

Forgery probability
Optimal !

Rely on a random oracle

Assume a common reference string DIO 98, DKOS
01

15
Previous Work

Rivest Shamir 84 The Interlock protocol
Mutual authentication of public keys
No trusted infrastructure

ATT, PGP,, Zfone

Computational Assumptions !!

Vaudenay 05
Formal model
Computationally secure protocol for arbitrary
long messages
log(1/?) manually authenticated bits
LAN 05, DDN 00 Can be based on any one-way
function
(non-malleable commitments)
Efficient implementations

Forgery probability
Optimal !
Are those really necessary?

Rely on a random oracle

Assume a common reference string DIO 98, DKOS
01

16
Our Results - Tight Bounds
m
n-bit
. . .
s
l-bit
? forgery probability
No setup or computational assumptions
Only twice as many as V05

Upper boundConstructed logn-round protocol in
which l 2log(1/?) O(1)

Matching lower bound n ? 2log(1/?) ? l
? 2log(1/?) - 2

One-way functions are necessary (and sufficient)
for breaking the lower bound in the computational
setting

17
Unconditional Security

Some advantages over computational security
Security against unbounded adversaries
Exact evaluation of error probabilities
Protocols are often
easier to compose
more efficient

Key agreement protocols
18
Our Results - Tight Bounds
l
l 2log(1/?)
l log(1/?)
One-way functions
Unconditional security
Computational security
Impossible
log(1/?)
19
Our Protocol (simplified)

Based on the GN93 hashing technique
In each round, the parties
Cooperatively choose a hash function
Reduce to authenticating a shorter message
A short message is manually authenticated

Then, for any m ? m and for any c, c ? GFQ,

Prob x ?R GFQ m(x) c m(x) c ? k/Q

20
Our Protocol (simplified)
x m(x) c
We hash m to
One party chooses x
Other party chooses c
21
Our Protocol (simplified)
Alice
Bob
m
a1
a1 ?R GFQ1
b1 ?R GFQ1
b2
b1
a2 ?R GFQ2
b2 ?R GFQ2
m2
Accept iff m2 is consistent
m1 b1 m(b1) a1
Both parties set
Q1 ? n/? , Q2 ? log(n)/?
m2 a2 m1(a2) b2
2log(1/?) 2loglog(n) O(1) manually
authenticated bits
Two GFQ2 elements

k rounds ? 2loglog(n) is reduced to
2log(k-1)(n)

22
Lower Bound - Intuition
Alice
Bob
m, x1
x2
s

m ?R 0,1n ? M, X1, X2, S are well defined
random variables

23
Lower Bound - Intuition
Alice
Bob
M, X1
X2
S

Goal H(S) ? 2log(1/?)

Evolving intuition
The parties must use at least log(1/?) random bits

Each party must use at least log(1/?) random bits

Each party must independently reduce H(S) by
log(1/?) bits

Alices randomness
H(S) H(S) - H(S M, X1)
H(S M, X1) - H(S M, X1, X2)
Bobs randomness
H(S M, X1, X2)
24
Lower Bound - Intuition
Alice
Bob
M, X1
X2
S

Goal H(S) ? 2log(1/?)

H(S) - H(S M, X1) H(S M, X1, X2) ? log(1/?)
H(S M, X1) - H(S M, X1, X2) ? log(1/?)
Alices randomness
H(S) H(S) - H(S M, X1)
H(S M, X1) - H(S M, X1, X2)
Bobs randomness
H(S M, X1, X2)
25
Summary