Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models

Transcript and Presenter's Notes

1
Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
Moni Naor, Gil Segev, Adam Smith
Weizmann Institute of Science, Israel
2
Pairing of Wireless Devices
[Figure labels: $g^x$, $g^y$]
  • Scenario
  • Buy a new wireless camera
  • Want to establish a secure channel for the first
    time
  • E.g., Diffie-Hellman key agreement

3
Pairing of Wireless Devices
Cable pairing
I thought this is a wireless camera
  • Simple
  • Cheap
  • Authenticated channel

4
Pairing of Wireless Devices
Wireless pairing
Problem: Active adversaries (man-in-the-middle)
5
Pairing of Wireless Devices
Wireless pairing
[Figure labels: $g^y$, $g^x$, $g^a$, $g^b$]
Problem: Active adversaries (man-in-the-middle)
6
Message Authentication
  • Assure the receiver of a message that it has not
    been changed by an active adversary

[Figure: Alice, Bob and Eve; message $m$]
7
Pairing of Wireless Devices
[Figure labels: $g^y$, $g^x$, $g^a$, $g^b$; $m$ formed from $g^x$ and $g^a$]
8
Message Authentication
  • Assure the receiver of a message that it has not
    been changed by an active adversary

[Figure: Alice, Bob and Eve; message $m$]
  • Without additional setup: Impossible!!
  • Public Key Signatures
  • Problem: No trusted PKI

This Paper: Manual Channel
9
The Manual Channel
[Figure labels: $g^y$, $g^x$, $g^a$, $g^b$; the string 141 appears twice]
User can compare two short strings
10
Manual Channel Model
[Figure: Alice and Bob exchange $m$ and further messages (labelled "Interactive"); the string $s$ is labelled "Non-interactive"]
  • Insecure communication channel
  • Low-bandwidth auxiliary channel
  • Enables Alice to manually authenticate one
    short string $s$

  • Adversarial power
  • Choose the input message $m$
  • Insecure channel: Full control
  • Manual channel: Read, delay
  • Delivery timing

11
Manual Channel Model
[Figure: Alice and Bob exchange $m$ and further messages (labelled "Interactive"); the string $s$ is labelled "Non-interactive"]
  • Insecure communication channel
  • Low-bandwidth auxiliary channel
  • Enables Alice to manually authenticate one
    short string $s$

Goal: Minimize the length of the manually
authenticated string
12
Manual Channel Model
[Figure: Alice and Bob; message $m$ and string $s$]
  • No trusted infrastructure, such as
  • Public key infrastructure
  • Shared secret key
  • Common reference string
  • .......
  • Suitable for ad hoc networks
  • Pairing of wireless devices
  • Wireless USB, Bluetooth
  • Secure phones
  • ATT, PGP, Zfone
  • Many more...

13
Why Is This Model Reasonable?
  • Implementing the manual channel
  • Compare two strings displayed by the devices

[Figure: the string 141 shown twice]
14
Why Is This Model Reasonable?
  • Implementing the manual channel
  • Compare two strings displayed by the devices
  • Type a string, displayed by one device, into the
    other device

[Figure: the string 141 shown twice]
15
Why Is This Model Reasonable?
  • Implementing the manual channel
  • Compare two strings displayed by the devices
  • Type a string, displayed by one device, into the
    other device
  • Visual hashing

16
Why Is This Model Reasonable?
  • Implementing the manual channel
  • Compare two strings displayed by the devices
  • Type a string, displayed by one device, into the
    other device
  • Visual hashing
  • Voice channel

[Figure: the string 141 shown twice]
17
Why Is This Model Reasonable?
  • Implementing the manual channel
  • Compare two strings displayed by the devices
  • Type a string, displayed by one device, into the
    other device
  • Visual hashing
  • Voice channel

Constants do matter!
So how many bits can you manually authenticate?
20? 40? 160? ?????
18
Previous Work
  • Rivest, Shamir 84: The Interlock protocol
  • Mutual authentication of public keys
  • No trusted infrastructure
  • ATT, PGP, Zfone
  • Vaudenay 05
  • Formal model
  • Computationally secure protocol for arbitrarily
    long messages
  • $\log(1/\epsilon)$ manually authenticated bits ($\epsilon$: forgery probability). Optimal!
  • LAN 05, DDN 00: Can be based on any one-way
    function
    (non-malleable commitments)
  • Efficient implementations
  • Rely on a random oracle, or
  • Assume a common reference string (DIO 98, DKOS
    01)

19
Previous Work
  • Rivest, Shamir 84: The Interlock protocol
  • Mutual authentication of public keys
  • No trusted infrastructure
  • ATT, PGP, Zfone

Computational Assumptions!!
  • Vaudenay 05
  • Formal model
  • Computationally secure protocol for arbitrarily
    long messages
  • $\log(1/\epsilon)$ manually authenticated bits ($\epsilon$: forgery probability). Optimal!
  • LAN 05, DDN 00: Can be based on any one-way
    function
    (non-malleable commitments)
  • Efficient implementations

Are those really necessary?
  • Rely on a random oracle, or
  • Assume a common reference string (DIO 98, DKOS
    01)

20
Our Results - Tight Bounds
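[Figure: an $n$-bit message $m$ and an $\ell$-bit manually authenticated string $s$; $\epsilon$ is the forgery probability]
No setup or computational assumptions
Only twice as many as V05
  • Upper bound: Constructed $\log^* n$-round protocol in
    which $\ell = 2\log(1/\epsilon) + O(1)$
  • Matching lower bound: $n \ge 2\log(1/\epsilon) \Rightarrow \ell \ge 2\log(1/\epsilon) - 2$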
  • One-way functions are necessary (and sufficient)
    for breaking the lower bound in the computational
    setting

21
Unconditional Security
  • Some advantages over computational security
  • Security against unbounded adversaries
  • Exact evaluation of error probabilities
  • Protocols are often
  • easier to compose
  • more efficient

Key agreement protocols
22
Our Results - Tight Bounds
[Figure: thresholds on $\ell$: unconditional security at $\ell = 2\log(1/\epsilon)$; computational security (one-way functions) at $\ell = \log(1/\epsilon)$; impossible below $\log(1/\epsilon)$]
23
Outline
  • Security definition
  • Our results
  • The protocol
  • Lower bound
  • One-way functions are necessary for breaking the
    lower bound
  • Conclusions

24
Security Definition
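[Figure: an $n$-bit message $m$ and an $\ell$-bit manually authenticated string $s$]
Unconditionally secure $(n, \ell, k, \epsilon)$-authentication protocol
  • $n$-bit input message
  • $\ell$ manually authenticated bits
  • $k$ rounds

Completeness: No interference $\Rightarrow$ $\forall m$ Bob accepts $m$ (with high probability)
Unforgeability: $\forall m$, $\Pr[\text{Bob accepts } \hat{m} \ne m] \le \epsilon$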

25
Outline
  • Security definition
  • Our results
  • The protocol
  • Lower bound
  • One-way functions are necessary for breaking the
    lower bound
  • Conclusions

26
The Protocol (simplified)
  • Based on the GN93 hashing technique
  • In each round, the parties
  • Cooperatively choose a hash function
  • Reduce to authenticating a shorter message
  • A short message is manually authenticated


Then, for any $m \ne \hat{m}$ and for any $c, \hat{c} \in GF[Q]$,

$\Pr_{x \in_R GF[Q]}[m(x) + c = \hat{m}(x) + \hat{c}] \le k/Q$

27
The Protocol (simplified)
We hash $m$ to $\langle x, m(x) + c \rangle$
One party chooses $x$
Other party chooses $c$
28
The Protocol (simplified)
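[Figure: Alice and Bob exchange $m$, $a_1$, $b_1$, $b_2$; $m_2$ is manually authenticated]
Both parties set $m_0 = m$, $Q_1 \approx n/\epsilon$, $Q_2 \approx \log(n)/\epsilon$
Alice chooses $a_1 \in_R GF[Q_1]$ and $a_2 \in_R GF[Q_2]$
Bob chooses $b_1 \in_R GF[Q_1]$ and $b_2 \in_R GF[Q_2]$
$m_1 = \langle b_1, m_0(b_1) + a_1 \rangle$
$m_2 = \langle a_2, m_1(a_2) + b_2 \rangle$
Accept iff $m_2$ is consistent
$2\log(1/\epsilon) + 2\log\log(n) + O(1)$ manually authenticated bits (two $GF[Q_2]$ elements)
  • $k$ rounds $\Rightarrow$ $2\log\log(n)$ is reduced to
    $2\log^{(k-1)}(n)$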
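
The simplified two-round protocol above, as an added Python example that is not part of the original slides: it runs the hash chain m0, m1, m2 and enumerates every choice of a1, b1, b2, a2 to get the exact probability that Bob accepts a substituted message when the random values are relayed unchanged. Assumptions: prime fields GF(p) stand in for GF[Q], the coefficients of m are its base-p digits, and the primes 31 and 13, the sample messages and all function names are constructed for illustration.

```python
from itertools import product

def digits(value, p):
    """Base-p digits of a non-negative integer: the coefficients m_1..m_k."""
    out = []
    while value:
        value, d = divmod(value, p)
        out.append(d)
    return out or [0]

def hash_round(value, x, c, p):
    """Encode the pair (x, m(x) + c) as the integer x*p + y, over GF(p).

    m(x) = sum_{i>=1} m_i * x^i: starting at i = 1 means a change of offset c
    can never cancel the difference between two distinct messages.
    """
    acc = 0
    for coeff in reversed(digits(value, p)):   # Horner's rule
        acc = (acc + coeff) * x % p
    return x * p + (acc + c) % p

def bob_accepts(m_alice, m_bob, a1, b1, b2, a2, p1, p2):
    """One run where a1, b1, b2 are relayed unchanged; only the message may differ."""
    m1_alice = hash_round(m_alice, b1, a1, p1)    # m1 = (b1, m0(b1) + a1)
    m1_bob = hash_round(m_bob, b1, a1, p1)
    s = hash_round(m1_alice, a2, b2, p2)          # m2, read off the manual channel
    return s == hash_round(m1_bob, a2, b2, p2)    # Bob recomputes m2 from his view

def acceptance_rate(m_alice, m_bob, p1, p2):
    """Exact fraction of (a1, b1, b2, a2) choices on which Bob accepts."""
    runs = product(range(p1), range(p1), range(p2), range(p2))
    hits = sum(bob_accepts(m_alice, m_bob, a1, b1, b2, a2, p1, p2)
               for a1, b1, b2, a2 in runs)
    return hits / (p1 * p1 * p2 * p2)

def union_bound(m_alice, m_bob, p1, p2):
    """k1/Q1 + k2/Q2, where k_j counts the coefficients hashed in round j."""
    k1 = max(len(digits(m_alice, p1)), len(digits(m_bob, p1)))
    k2 = len(digits(p1 * p1 - 1, p2))             # m1 is always below p1^2
    return k1 / p1 + k2 / p2

if __name__ == "__main__":
    P1, P2 = 31, 13    # constructed toy primes, far too small for real use
    print("same message:  ", acceptance_rate(12345, 12345, P1, P2))
    print("substituted:   ", acceptance_rate(12345, 12346, P1, P2))
    print("k1/Q1 + k2/Q2: ", union_bound(12345, 12346, P1, P2))
```

The substituted message is never accepted more often than k1/Q1 + k2/Q2, and never less often than 1/Q1, because x = 0 is a root of every difference polynomial; the k/Q bound already counts that root.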

29
Security Analysis
  • Must consider all generic man-in-the-middle
    attacks.
  • Three attacks in our case

Attack 1
[Figure: Alice, Eve and Bob exchanging $m$, $a_1$, $b_1$, $b_2$, $m_2$]
30
Security Analysis
  • Must consider all generic man-in-the-middle
    attacks.
  • Three attacks in our case

Attack 2
[Figure: Alice, Eve and Bob exchanging $m$, $a_1$, $b_1$, $b_2$, $m_2$]
31
Security Analysis
  • Must consider all generic man-in-the-middle
    attacks.
  • Three attacks in our case

Attack 3
[Figure: Alice, Eve and Bob exchanging $m$, $a_1$, $b_1$, $b_2$, $m_2$]
32
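Security Analysis: Attack 1
[Figure: Alice, Eve and Bob exchanging $m$, $a_1$, $b_1$, $b_2$, $m_2$]
$m_{0,A} = m$, $m_{0,B} = \hat{m}$
$m_{1,A} = \langle \hat{b}_1, m_{0,A}(\hat{b}_1) + a_1 \rangle$, $m_{1,B} = \langle b_1, m_{0,B}(b_1) + \hat{a}_1 \rangle$
$m_{2,A} = \langle a_2, m_{1,A}(a_2) + \hat{b}_2 \rangle$, $m_{2,B} = \langle a_2, m_{1,B}(a_2) + b_2 \rangle$
$\Pr[m_{0,A} \ne m_{0,B} \text{ and } m_{2,A} = m_{2,B}] \le \Pr[m_{1,A} = m_{1,B}] + \Pr[m_{1,A} \ne m_{1,B} \text{ and } m_{2,A} = m_{2,B}] \le \epsilon/2 + \epsilon/2$
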

33
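Security Analysis: Attack 1
[Figure: Alice, Eve and Bob exchanging $m$, $a_1$, $b_1$]
$m_{0,A} = m$, $m_{0,B} = \hat{m}$
$m_{1,A} = \langle \hat{b}_1, m_{0,A}(\hat{b}_1) + a_1 \rangle$, $m_{1,B} = \langle b_1, m_{0,B}(b_1) + \hat{a}_1 \rangle$
Claim
  • Eve chooses $\hat{b}_1 \ne b_1$ $\Rightarrow$ $m_{1,A} \ne m_{1,B}$
  • Eve chooses $\hat{b}_1 = b_1$ $\Rightarrow$ $\Pr[m_{0,A}(b_1) + a_1 = m_{0,B}(b_1) + \hat{a}_1] \le \epsilon/2$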
34
Outline
  • Manual channel model
  • Our results
  • The protocol
  • Lower bound
  • One-way functions are necessary for breaking the
    lower bound
  • Conclusions

35
Lower Bound
[Figure: Alice and Bob; messages $m, x_1$, then $x_2$, then $s$]
  • $m \in_R \{0,1\}^n \Rightarrow M, X_1, X_2, S$ are well defined
    random variables

36
Lower Bound
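[Figure: Alice and Bob; messages $M, X_1$, then $X_2$, then $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon)$
  • Basic Information Theory
  • Shannon entropy: $H(X) = -\sum_x p(x) \log p(x)$
  • Conditional entropy: $H(X \mid Y) = \mathrm{Exp}_y\, H(X \mid Y = y)$
  • Mutual information: $I(X; Y) = H(X) - H(X \mid Y)$
  • Cond. mutual information: $I(X; Y \mid Z) = H(X \mid Z) - H(X \mid Y, Z)$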
37
Lower Bound
[Figure: Alice and Bob; messages $M, X_1$, then $X_2$, then $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon)$
  • Evolving intuition
  • The parties must use at least $\log(1/\epsilon)$ random bits
  • Each party must use at least $\log(1/\epsilon)$ random bits
  • Each party must independently reduce $H(S)$ by
    $\log(1/\epsilon)$ bits

$H(S) = [H(S) - H(S \mid M, X_1)] + [H(S \mid M, X_1) - H(S \mid M, X_1, X_2)] + H(S \mid M, X_1, X_2)$
$H(S) = I(S; M, X_1) + I(S; X_2 \mid M, X_1) + H(S \mid M, X_1, X_2)$
38
Lower Bound
[Figure: Alice and Bob; messages $M, X_1$, then $X_2$, then $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon)$
  • Evolving intuition
  • The parties must use at least $\log(1/\epsilon)$ random bits
  • Each party must use at least $\log(1/\epsilon)$ random bits
  • Each party must independently reduce $H(S)$ by
    $\log(1/\epsilon)$ bits

[Figure: $H(S)$ divided into Alice's randomness and Bob's randomness]
39
Lower Bound
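[Figure: Alice and Bob; messages $M, X_1$, then $X_2$, then $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon)$

Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon)$
Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\epsilon)$
[Figure: $H(S)$ divided into Alice's randomness and Bob's randomness]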
40
Proof of Lemma 1
Consider the following attack
[Figure: Alice, Eve and Bob; messages $m$, $x_1$, $x_2$, $s$]
Eve acts as follows
  • Chooses $m \in_R \{0,1\}^n$
  • Chooses $m \in_R \{0,1\}^n$
  • Forwards $s$

41
Proof of Lemma 1
By the protocol requirements
Since $n \ge \log(1/\epsilon)$, we get
which implies
$I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$
42
Lower Bound
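[Figure: Alice and Bob; messages $M, X_1$, then $X_2$, then $S$]
  • Goal: $H(S) \ge 2\log(1/\epsilon) - 2$

Lemma 1: $I(S; M, X_1) + H(S \mid M, X_1, X_2) \ge \log(1/\epsilon) - 1$
Lemma 2: $I(S; X_2 \mid M, X_1) \ge \log(1/\epsilon) - 1$
[Figure: $H(S)$ divided into Alice's randomness and Bob's randomness]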
43
Outline
  • Manual channel model
  • Our results
  • The protocol
  • Lower bound
  • One-way functions are necessary for breaking the
    lower bound
  • Conclusions

44
One-Way Functions
Theorem
One-way functions are necessary for breaking the
$2\log(1/\epsilon)$ lower bound in the computational setting
No one-way functions
The attacks of the lower bound can be carried out
by a poly-time adversary
45
Recall Proof of Lemma 1
Consider the following attack
[Figure: Alice, Eve and Bob; messages $m$, $x_1$, $x_2$, $s$]
Eve acts as follows
Randomly inverting a function
  • Chooses $m \in_R \{0,1\}^n$
  • Forwards $s$

46
One-Way Functions
  • One-way functions
  • Easy to compute
  • Hard to invert given the image of a random input

Hard to find even one inverse
  • Distributionally one-way functions IL89
  • Easy to compute
  • Hard to randomly invert given the image of a
    random input

May be easy to find some inverses
  • Any one-way function is also distributionally
    one-way
  • IL89: The existence of both primitives is
    equivalent

47
One-Way Functions
  • Eve has to sample X2 given m, x1 and s.

$f(m, r_A, r_B) = (m, x_1, x_2, s)$, where $m$ is the message, $r_A$ are Alice's coins, $r_B$ are Bob's coins, and $(m, x_1, x_2, s)$ is the transcript of the protocol
$g(m, r_A, r_B) = (m, x_1, s)$
48
One-Way Functions
  • Eve has to sample X2 given m, x1 and s.

$f(m, r_A, r_B) = (m, x_1, x_2, s)$
  • $g$ is not distributionally one-way $\Rightarrow$ Eve can
    randomly invert $g$ and apply $f$ to compute $x_2$.

$g(m, r_A, r_B) = (m, x_1, s)$
?-statistically close to uniform
  • Bob cannot distinguish between the two executions
    with significant probability.

49
Outline
  • Manual channel model
  • Our results
  • The protocol
  • Lower bound
  • One-way functions are necessary for breaking the
    lower bound
  • Conclusions

50
Conclusions
  • Manual Channel
  • Computational assumptions are not necessary
  • Protocol
  • Matching lower bound
  • Sharp threshold between unconditional and
    computational

51
One More Slide
52
Shared Key Model
  • Traditional authentication model
  • Insecure channel
  • Shared secret key

  • Known upper bound (GN93): Interactive protocol
    with $\ell = 2\log(1/\epsilon) + O(1)$
  • Known lower bound (only non-interactive): $\ell \ge 2\log(1/\epsilon)$ (GMS74, S84, S85, S88, M00)

Our results
  • Lower bound (interactive!): $\ell \ge 2\log(1/\epsilon)$
  • Even when authenticating one bit
  • Again, one-way functions are necessary for
    breaking the lower bound in the computational
    setting

53
Thank you !