Non-malleable extractors and symmetric key cryptography From weak secrets

  • Published on
    11-Jan-2016


DESCRIPTION

Non-malleable extractors and symmetric key cryptography From weak secrets. Yevgeniy Dodis and Daniel Wichs (NYU). STOC 2009. Symmetric-Key Cryptography. Eve. Alice and Bob share a secret W and want to communicate securely over a public channel. - PowerPoint PPT Presentation

Transcript

Cryptography with Partially Compromised and Imperfect Keys

Slide 1: Non-malleable extractors and symmetric key cryptography from weak secrets
Yevgeniy Dodis and Daniel Wichs (NYU). STOC 2009.

Slide 2: Symmetric-Key Cryptography
  • Alice and Bob share a secret W and want to communicate securely over a public channel.
  • Privacy: Eve does not learn anything about the message.
  • Authenticity: Eve cannot modify or insert messages.
  • This is a well-studied problem with many solutions: information-theoretic security (going back to Shannon in 1949) and computational security (formally studied since the 1970s), e.g. one-way functions, block ciphers (AES).
  (Figure: Alice and Bob, each holding W, exchange a message; Eve intercepts it; a modified message is rejected as "Not valid!")

Slide 3: Symmetric-Key Cryptography with Imperfect Keys
  • Standard symmetric-key primitives require that Alice and Bob share a uniformly random secret W.
  • This may not be necessary; it is always better to require less.
  • It may not be the case in practice: human-memorable passwords, biometrics, and physical devices leak side-channel information about keys.
  • Question: Can we base symmetric-key cryptography on weakly random (non-uniform) shared secrets?

Slide 4: General View of Weak Secrets
  • Model shared secrets as a random variable W. The distribution is arbitrary, but sufficiently hard to guess.
  • Formally, require that the min-entropy of W is at least k: max_i Pr[W = i] ≤ 2^(-k).
  • Goal: Base symmetric-key cryptography on weak secrets.
  • Authenticated Key Agreement: Alice and Bob start out with a shared weak secret W and execute a protocol to agree on a uniformly random key R. Secure even if Eve observes/modifies the protocol execution.
  • This talk: An information-theoretic solution.

Slide 5: Randomness Extractors (Solution for passive Eve)
  • Randomness Extractor. Input: a weak secret W and a uniformly random seed X. Output: extracted randomness R = Ext(W;X).
  • R looks (almost) uniformly random, even given the seed X.
  • Size |R| ≈ entropy of W.
  (Figure: one party chooses the seed X and sends it over the channel; Alice and Bob both compute R = Ext(W;X) while Eve observes X.)

Slide 6: What if Eve is active?
  • Eve can modify the seed X to some other value X' and cause Bob to recover an incorrect key R' = Ext(W;X').
  • Eve may even fully know R'! Bad if Bob encrypts a message to Alice using R'.
  (Figure: Alice chooses seed X and computes R = Ext(W;X); Eve replaces X with X'; Bob computes R' = Ext(W;X').)

Slide 7: Prior Work on Authenticated Key Agreement
  • Let k = entropy of W, n = length of W.
  • One-round solutions for k > n/2 [MW97, DKRS06, KR08]. The extracted key is short: k − n/2 bits. Communication is n − k bits.
  • Multi-round solutions for arbitrary k [RW03, KR09]. The number of rounds is proportional to the security parameter and not constant. In practice, this would require 100s of rounds.
  • This paper: impossibility of one-round solutions when k ≤ n/2, and construction of a two-round solution for arbitrary k.

Slide 8: Two-Round Authenticated Key Agreement
  • Main part of the construction: a two-round message authentication protocol. Alice and Bob share a weak secret W. Alice wants to authenticate a message m to Bob.
  • It is relatively easy to build Authenticated Key Agreement from a Message Authentication Protocol: Alice authenticates a random extractor seed X to Bob. This was also done in [RW03], but with a message authentication protocol which required many rounds.
  • Our construction relies on (variants of) two tools: extractors, and I.T. Message Authentication Codes (MACs).

Slide 9: I.T. Message Authentication Codes (MACs)
  • Use a uniform key R to compute the tag σ = MAC_R(m) for message m.
  • Security: For any m, an adversary who gets σ = MAC_R(m) cannot forge σ' = MAC_R(m') for m' ≠ m.
  • Known constructions with excellent parameters.
  (Figure: Alice and Bob share R; Alice sends (m, σ = MAC_R(m)); Eve sits in between; Bob checks σ = MAC_R(m)?)

Slides 10-13: Challenge-Response Authentication: Protocol Template
  • Template: Bob sends a seed X to Alice. Alice computes R = Ext(W;X) and σ = MAC_R(m) and sends (m, σ). Bob computes R = Ext(W;X) and checks σ = MAC_R(m)?
  • Idea: If Eve is passive in round 1, then Alice shares a good key with Bob and can authenticate a message in round 2.
  • Problem: What if Eve modifies X?
  • If Eve replaces X with X', Alice computes R' = Ext(W;X') instead of Bob's R = Ext(W;X). This is not a problem by itself, even if Eve knows R'.
  • Alice sends (m, σ' = MAC_R'(m)); Eve may replace it with (m', σ), and Bob checks σ = MAC_R(m')?
  • Problem: R and R' may be related! After Eve sees σ' = MAC_R'(m), she may be able to forge σ = MAC_R(m').

Slide 14: Challenge-Response Authentication: Instantiating the Template
  • Goal: Construct special extractors and MACs for which the protocol is secure.
  • Build a special non-malleable extractor Ext so that R = Ext(W;X) and R' = Ext(W;X') are related in only a limited way.
  • Build a special MAC which is resistant to the limited types of related-key attacks that are allowed by the extractor: seeing MAC_R'(m) does not allow the adversary to forge MAC_R(m').
  • Two approaches:
    Approach 1: A very strong non-malleability property for Ext + a standard MAC. (Non-constructive)
    Approach 2: A weaker non-malleability property for Ext + a special MAC. (Constructive)

Slide 15: Approach 1: Fully Non-Malleable Extractors
  • The adversary sees a random seed X and produces an arbitrarily related seed X' ≠ X.
  • Let R = nmExt(W;X), R' = nmExt(W;X'). Non-malleable extractor: R looks uniformly random, even given X, X', R'.
  • Extremely strong property. No existing constructions achieve it. Natural constructions are susceptible to many possible malleability attacks.
  • Surprising result: Non-malleable extractors exist. They can extract almost all of the entropy of W (optimal). This follows from a probabilistic-method argument and does not give us an efficient candidate.

Slide 16: Approach 1: Fully Non-Malleable Extractors (in the template)
  • Template with nmExt: Bob sends X; Alice computes R' = nmExt(W;X') from the seed X' she receives and sends (m, σ' = MAC_R'(m)); Bob computes R = nmExt(W;X) and checks the tag he receives against MAC_R(m').
  • If Eve does not modify X, then Alice and Bob share a uniformly random key R = R'. Standard MAC security suffices.
  • If Eve modifies X, then Bob's key R is random and independent of Alice's R'. MAC_R'(m) does not reveal anything about R.

Slide 17: Approach 2: Look-Ahead Extractors
  • A much weaker non-malleability property. The extracted randomness consists of t blocks:
    laExt(W;X)  = [R_1, R_2, R_3, R_4, R_5, ..., R_t]
    laExt(W;X') = [R'_1, R'_2, R'_3, R'_4, R'_5, ..., R'_t]
  • The adversary sees a random seed X and modifies it to X'.
  • Require: Any suffix of laExt(W;X) looks random given a prefix of laExt(W;X').
  • Eve cannot use the modified sequence to look ahead into the original sequence.

Slide 18: Approach 2: Constructing look-ahead extractors
  • Based on alternating extraction from [DP07].
  • A two-party interactive protocol between Quentin (holding Q and S_1) and Wendy (holding W). In each round i:
    Quentin sends S_i to Wendy.
    Wendy sends R_i = Ext(W;S_i).
    Quentin computes S_(i+1) = Ext(Q;R_i).
  (Figure: the exchange S_1 → R_1 = Ext(W;S_1) → S_2 = Ext(Q;R_1) → R_2 = Ext(W;S_2) → S_3 = Ext(Q;R_2) → R_3 = Ext(W;S_3) → S_4 = Ext(Q;R_3).)

Slide 19: Approach 2: Alternating-Extraction Theorem
  • Assume that W is (weakly) secret for Quentin and Q is secret for Wendy, and that Wendy and Quentin can communicate only a few bits in each round. Can they compute R_i, S_i in fewer rounds?
  • Alternating-Extraction Theorem: No matter what strategy Quentin and Wendy employ in the first i rounds, the values [R_(i+1), R_(i+2), ..., R_t] look uniformly random to Quentin given [R_1, R_2, ..., R_i].

Slides 20-21: Approach 2: Look-Ahead Extractor Construction
  • Define laExt(W;X) = [R_1, R_2, R_3, ..., R_t], where the extractor seed is X = (Q, S_1).
  • In the protocol, Bob samples X = (Q, S_1) and sends it to Alice, who receives X' = (Q', S'_1). Each party runs the alternating-extraction protocol "in their own head": alternating extraction in Bob's head yields laExt(W;X), and alternating extraction in Alice's head yields laExt(W;X').

Slide 22: Approach 2: Look-Ahead Extractor based on Alternating Extraction
  • A modified seed X' corresponds to a modified strategy by Quentin in Alice's head:
    laExt(W;X)  = [R_1, R_2, R_3, ..., R_t]
    laExt(W;X') = [R'_1, R'_2, R'_3, ..., R'_t]
  (Figure: in Alice's head, R'_1 = Ext(W;S'_1), S'_2 = Ext(Q';R'_1), R'_2 = Ext(W;S'_2), S'_3 = Ext(Q';R'_2), R'_3 = Ext(W;S'_3), S'_4 = Ext(Q';R'_3).)

Slide 23: Approach 2: Look-Ahead Extractors (in the template)
  • Template with laExt: Bob sends X; Alice computes R' = laExt(W;X') and sends (m, σ' = laMAC_R'(m)); Bob computes R = laExt(W;X) and checks the received (m', σ) against laMAC_R(m').
  • laExt ensures that the look-ahead property holds between R and R'.
  • Need: a laMAC which ensures that Eve cannot predict laMAC_R(m') given laMAC_R'(m).

Slides 24-25: Approach 2: Authentication using Look-Ahead
  • Ensure that, given laMAC_R'(m), it is hard to predict laMAC_R(m'), where R = [R_1, R_2, ..., R_t] and R' = [R'_1, R'_2, ..., R'_t] have the look-ahead property.
  • No guarantees from standard MACs.
  • Idea for 1 bit (t = 4): R = [R_1, R_2, R_3, R_4].
    laMAC_R(0) = [R_1, R_4]
    laMAC_R(1) = [R_2, R_3]
  • Eve sees laMAC_R'(1) = [R'_2, R'_3] and wants laMAC_R(0) = [R_1, R_4]: R_4 looks random given R'_2, R'_3.
  • Eve sees laMAC_R'(0) = [R'_1, R'_4] and wants laMAC_R(1) = [R_2, R_3]: R_2, R_3 look random given R'_1, and R'_4 isn't long enough to reveal both of them.
  • Easy to generalize to m bits with t = 4m.

Slide 26: Authenticated Key Agreement
  • Parameters: W has length n and entropy k; there is also a security parameter.
  • Approach 1 (existential result): the exchanged key is of length k − O(log(n) + security parameter); communication complexity O(log(n) + security parameter).
  • Approach 2 (efficient construction): the exchanged key is of length k − O(log²(n) + (security parameter)²); communication complexity O(log²(n) + (security parameter)²).

Slide 27: Summary
  • We show how to base symmetric-key cryptography (information-theoretic and computational) on weak secrets.
  • We build a round-optimal authenticated key agreement protocol.
  • Did not talk about: the extension to the fuzzy setting, and the extension to the Bounded Retrieval Model.
  • Interesting new tool: non-malleable randomness extractors, (1) fully non-malleable and (2) look-ahead. Other applications?
  • Open problem: an efficient construction of fully non-malleable extractors.
  • Thank You!!!
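The look-ahead extractor built by alternating extraction (slides 18-22) and the laMAC of slides 24-25, written out as an added Python example; this is illustrative code, not the paper's or the slides' own. The seeded extractor Ext is stood in by HMAC-SHA256, which is an assumption for illustration only (the paper's extractors are information-theoretic), and W, Q, S1 and the message bits are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per extracted block R_i (constructed toy parameter)

def ext(source: bytes, seed: bytes, label: bytes) -> bytes:
    # Stand-in for a seeded extractor Ext(source; seed). The paper's Ext is an
    # information-theoretic extractor; HMAC-SHA256 here is an assumption for illustration.
    return hmac.new(seed, label + source, hashlib.sha256).digest()[:BLOCK]

def la_ext(w: bytes, x: tuple, t: int) -> list:
    """laExt(W; X) with seed X = (Q, S1): alternating extraction run 'in one
    party's head', R_i = Ext(W; S_i) and S_{i+1} = Ext(Q; R_i), for t rounds."""
    q, s = x
    blocks = []
    for _ in range(t):
        r = ext(w, s, b"wendy")    # Wendy's reply: R_i = Ext(W; S_i)
        blocks.append(r)
        s = ext(q, r, b"quentin")  # Quentin's next challenge: S_{i+1} = Ext(Q; R_i)
    return blocks

def la_mac(blocks: list, msg_bits: str) -> bytes:
    """laMAC from the slides, generalised to m bits with t = 4m blocks: for message
    bit j, a 0 reveals [R_{4j+1}, R_{4j+4}] and a 1 reveals [R_{4j+2}, R_{4j+3}]."""
    if len(blocks) != 4 * len(msg_bits) or set(msg_bits) - {"0", "1"}:
        raise ValueError("need a 0/1 string and exactly 4 blocks per message bit")
    tag = b""
    for j, bit in enumerate(msg_bits):
        r1, r2, r3, r4 = blocks[4 * j:4 * j + 4]
        tag += r1 + r4 if bit == "0" else r2 + r3
    return tag

def bob_accepts(w: bytes, x: tuple, msg_bits: str, tag: bytes) -> bool:
    """Round 2 check: Bob recomputes R = laExt(W; X) from the seed X he sent."""
    expected = la_mac(la_ext(w, x, 4 * len(msg_bits)), msg_bits)
    return hmac.compare_digest(expected, tag)

def run_protocol(w: bytes, x: tuple, msg_bits: str, x_seen_by_alice: tuple) -> bool:
    """Two-round template: Bob sends X; Alice receives x_seen_by_alice (equal to X
    when Eve is passive) and authenticates msg_bits under R' = laExt(W; X')."""
    r_alice = la_ext(w, x_seen_by_alice, 4 * len(msg_bits))
    return bob_accepts(w, x, msg_bits, la_mac(r_alice, msg_bits))

# Constructed sample values; W stands in for a weak (non-uniform) shared secret.
W = b"weak-secret-password-with-some-entropy"
X = (b"Q-seed-part", b"S1-seed-part")               # Bob's honest seed (Q, S1)
X_MODIFIED = (b"Q-seed-part", b"S1-seed-tampered")  # Eve's modified seed (Q, S1')

if __name__ == "__main__":
    print("passive Eve, Bob accepts:", run_protocol(W, X, "01", X))                # True
    print("Eve modifies X, Bob accepts:", run_protocol(W, X, "01", X_MODIFIED))   # False
```

The code shows only the mechanics of the construction; the security argument of slide 25 (why R_4 stays unpredictable given R'_2, R'_3) is the alternating-extraction theorem and is not something a toy run can demonstrate.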
