Robust fuzzy extractors and authenticated key agreement from close secrets
In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS, 2006
Abstract
Cited by 37 (16 self)
Consider two parties holding samples from correlated distributions W and W′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK_BSM that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors. We show solutions that improve upon previous work in several respects:
• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.
Non-malleable extractors and symmetric key cryptography from weak secrets
In Proceedings of the 41st ACM Symposium on the Theory of Computing, 2009
Abstract
Cited by 19 (9 self)
We study the question of basing symmetric-key cryptography on weak secrets. In this setting, Alice and Bob share an n-bit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional min-entropy). Since standard symmetric-key primitives require uniformly random secret keys, we would like to construct an authenticated key agreement protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information-theoretic setting where the attacker is computationally unbounded. We show that single-round (i.e., one-message) protocols do not work when k ≤ n/2, and require poor parameters even when n/2 < k ≪ n. On the other hand, for arbitrary values of k, we design a communication-efficient two-round (challenge-response) protocol extracting nearly k random bits. This dramatically improves the previous construction of Renner and Wolf [RW03], which requires Θ(λ + log(n)) rounds, where λ is the security parameter. Our solution takes a new approach by studying and constructing “non-malleable” seeded randomness extractors: if an attacker sees a random seed X and comes up with an arbitrarily related seed X′, then we bound the relationship between R = Ext(W; X) and R′ = Ext(W; X′). We also extend our two-round key agreement protocol to the “fuzzy” setting, where Alice and Bob share “close” (but not equal) secrets W_A and W_B, and to the Bounded Retrieval Model (BRM), where the size of the secret W is huge.
Information-theoretically secret key generation for fading wireless channels
IEEE Trans. on Information Forensics and Security, 2010
Abstract
Cited by 17 (1 self)
The multipath-rich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is time-varying, location-sensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment implies that the short-term fading process is inherently hard to predict and best modeled stochastically, with rapid decorrelation properties in space, time, and frequency. In this paper, we demonstrate how the channel state between a wireless transmitter and receiver can be used as the basis for building practical secret key generation protocols between two entities. We begin by presenting a scheme based on level crossings of the fading process, which is well-suited for the Rayleigh and Rician fading models associated with a richly scattering environment. Our level-crossing algorithm is simple, and incorporates a self-authenticating mechanism to prevent adversarial manipulation of message exchanges during the protocol. Since the level-crossing algorithm is best suited for fading processes that exhibit symmetry in their underlying distribution, we present a second and more powerful approach that is suited for more general channel state distributions. This second approach is motivated by observations from quantizing jointly Gaussian processes, but exploits empirical measurements to set quantization boundaries and a heuristic log-likelihood ratio estimate to achieve an improved secret key generation rate. We validate both proposed protocols through experiments using a customized 802.11a platform, and show for the typical WiFi channel that reliable secret key establishment can be accomplished at rates on the order of 10 b/s.
Index Terms: Information-theoretic security, key generation, PHY layer security.
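To make the level-crossing idea concrete, here is an added example (not code from the paper, and a simplification of its protocol): each party quantizes its own channel samples with thresholds at mean ± α·σ, keeps only excursions of at least m consecutive samples on one side, Alice announces the center indices of her excursions over the public channel, Bob confirms those that are also excursions in his own measurements, and both read bits from their own samples at the confirmed indices. The offset α, the run length m, the index-exchange step and the channel samples are all assumptions constructed for illustration; the paper's self-authenticating mechanism and its second quantizer are not reproduced here.

```python
import statistics

# Added example (not the paper's code): simplified level-crossing quantizer with a
# public index exchange. alpha (threshold offset in standard deviations) and m
# (minimum excursion length) are illustrative choices.

def thresholds(samples, alpha=0.5):
    """q+ = mean + alpha*sigma, q- = mean - alpha*sigma, from a party's own samples."""
    mu = statistics.fmean(samples)
    sigma = statistics.pstdev(samples)
    return mu + alpha * sigma, mu - alpha * sigma

def excursions(samples, q_plus, q_minus, m):
    """Runs of at least m consecutive samples above q+ (bit 1) or below q- (bit 0).
    Returns [(center_index, bit), ...]; samples between the thresholds are ignored."""
    found, i, n = [], 0, len(samples)
    while i < n:
        if samples[i] > q_plus:
            side = 1
        elif samples[i] < q_minus:
            side = 0
        else:
            i += 1
            continue
        j = i
        while j < n and (samples[j] > q_plus if side else samples[j] < q_minus):
            j += 1
        if j - i >= m:
            found.append(((i + j - 1) // 2, side))
        i = j
    return found

def window_bit(samples, center, q_plus, q_minus, m):
    """Bob's check for one announced index: the m samples around it must all lie
    on one side of his own thresholds; otherwise the index is rejected."""
    lo, hi = center - m // 2, center - m // 2 + m
    if lo < 0 or hi > len(samples):
        return None
    win = samples[lo:hi]
    if all(v > q_plus for v in win):
        return 1
    if all(v < q_minus for v in win):
        return 0
    return None

def level_crossing_keys(alice, bob, m=3, alpha=0.5):
    """Returns (alice_bits, bob_bits). Only indices cross the public channel;
    each side derives its bits from its own measurements."""
    qa = thresholds(alice, alpha)
    qb = thresholds(bob, alpha)
    alice_exc = dict(excursions(alice, *qa, m))   # Alice -> Bob: sorted(alice_exc)
    agreed = {}                                    # Bob -> Alice: indices he confirms
    for idx in sorted(alice_exc):
        b = window_bit(bob, idx, *qb, m)
        if b is not None:
            agreed[idx] = b
    alice_bits = [alice_exc[i] for i in sorted(agreed)]
    bob_bits = [agreed[i] for i in sorted(agreed)]
    return alice_bits, bob_bits

# Constructed channel samples (not measurements): a peak / deep-fade pattern seen
# by both parties, with Bob's copy perturbed by small alternating-sign noise.
BASE = [5.0] * 4 + [0.0] * 2 + [-5.0] * 4 + [0.0] * 2 + [5.0] * 4 + [0.0] * 2 + [-5.0] * 4
ALICE = BASE
BOB = [v + 0.3 * (-1) ** i for i, v in enumerate(BASE)]

if __name__ == "__main__":
    a, b = level_crossing_keys(ALICE, BOB)
    print("Alice:", a, "Bob:", b, "agree:", a == b)
```

Run as a script to print both bit strings. Nothing secret crosses the channel except the indices, but a sample that sits between the thresholds near a confirmed index on one side only is what produces a disagreement, so a real protocol still reconciles the remaining mismatches and hashes the result before using it as a key.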
Key agreement from close secrets over unsecured channels
2009
Abstract
Cited by 10 (3 self)
We consider information-theoretic key agreement between two parties sharing somewhat different versions of a secret w that has relatively little entropy. Such key agreement, also known as information reconciliation and privacy amplification over unsecured channels, was shown to be theoretically feasible by Renner and Wolf (Eurocrypt 2004), although no protocol that runs in polynomial time was described. We propose a protocol that is not only polynomial-time, but actually practical, requiring only a few seconds on consumer-grade computers. Our protocol can be seen as an interactive version of robust fuzzy extractors (Boyen et al., Eurocrypt 2005; Dodis et al., Crypto 2006). While robust fuzzy extractors, due to their non-interactive nature, require w to have entropy at least half its length, we have no such constraint. In fact, unlike in prior solutions, in our solution the entropy loss is essentially unrelated to the length or the entropy of w, and depends only on the security parameter.
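Both this abstract and the Dodis et al. abstract above start from the same primitive: a helper string, sent in one message, that lets the receiving party recover w exactly from a close w′, after which both sides extract the key. The following added example is not either paper's protocol; it shows the non-robust core, the code-offset construction of Dodis, Reyzin and Smith, with a 3-bit repetition code as the error-correcting code and SHA-256 standing in for the strong extractor. The code, the extractor stand-in, the bit strings and the error positions are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Added example (not from either paper): code-offset fuzzy extractor.
# Gen(w) -> (R, P): P = w XOR c for a random codeword c.
# Rep(w', P): decode (w' XOR P) back to c, recover w = P XOR c, re-extract R.

BLOCK = 3                     # repetition length; corrects 1 flipped bit per block

def rep_encode(msg_bits):
    return [b for b in msg_bits for _ in range(BLOCK)]

def rep_decode(code_bits):
    """Majority vote per block; undoes up to one flip per block."""
    return [1 if sum(code_bits[i:i + BLOCK]) * 2 > BLOCK else 0
            for i in range(0, len(code_bits), BLOCK)]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def extract(w_bits, seed):
    """Stand-in for Ext(w; seed) (assumption); a real deployment would use a
    universal hash family with the seed as the hash key."""
    return hashlib.sha256(seed + bytes(w_bits)).digest()

def gen(w_bits):
    """Alice: pick a random codeword c, publish P = w XOR c and a seed, keep R."""
    assert len(w_bits) % BLOCK == 0
    c = rep_encode([secrets.randbelow(2) for _ in range(len(w_bits) // BLOCK)])
    helper = (xor_bits(w_bits, c), secrets.token_bytes(16))
    return extract(w_bits, helper[1]), helper

def rep(w_prime_bits, helper):
    """Bob: shift his noisy w' by P, decode the noisy codeword, recover w, re-extract."""
    P, seed = helper
    c = rep_encode(rep_decode(xor_bits(w_prime_bits, P)))
    return extract(xor_bits(P, c), seed)

def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

# Constructed secrets (not real biometrics): W is 30 bits; W' differs in one bit
# per block (within the code's radius), W'' differs in two bits of one block.
W = [int(b) for b in "101100111000101010011100110101"]
W_ONE_PER_BLOCK = flip(W, [0, 4, 8])
W_TWO_IN_BLOCK = flip(W, [0, 1])

def demo():
    """Returns (recovered_from_W', recovered_from_W'')."""
    R, helper = gen(W)
    return R == rep(W_ONE_PER_BLOCK, helper), R == rep(W_TWO_IN_BLOCK, helper)

if __name__ == "__main__":
    ok, bad = demo()
    print("1 flip/block recovered:", ok, "| 2 flips in one block recovered:", bad)
```

The helper P reveals the coset of w, i.e. up to n − k bits about it for a code of dimension k, which is why w must have min-entropy comfortably above the code's redundancy. The toy also has no robustness: an adversary who rewrites P or the seed in transit changes Bob's key without either side noticing, which is exactly the gap that the robust (one-message) and interactive constructions described in the two abstracts close.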
Algebraic manipulation detection codes and their applications for design of secure cryptographic devices
In IEEE 17th International On-Line Testing Symposium (IOLTS)
Abstract
Cited by 5 (5 self)
Cryptographic devices are vulnerable to fault injection attacks. All previous countermeasures against fault injection attacks based on error-detecting codes assume that the attacker cannot simultaneously control the fault-free outputs of a device-under-attack and the error patterns. For advanced attackers who are able to control both of the above aspects, traditional protections can be easily compromised. In this paper, we propose optimal algebraic manipulation detection (AMD) codes based on nonlinear encoding functions and random number generators. The proposed codes can provide a guaranteed high error-detecting probability even if the attacker can fully control the fault-free outputs of a device-under-attack as well as the error patterns. As a case study, we present protection architectures based on AMD codes for multipliers in Galois fields used for elliptic curve cryptography. The results show that the proposed architecture can provide a very low error masking probability at the cost of a reasonable area overhead. The protected multiplier has no latency penalty when the predictor is pipelined.
RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures
2012
Abstract
Cited by 5 (3 self)
We provide a framework enabling the construction of IBE schemes that are secure under related-key attacks (RKAs). Specific instantiations of the framework yield RKA-secure IBE schemes for sets of related-key derivation functions that are non-linear, thus overcoming a current barrier in RKA security. In particular, we obtain IBE schemes that are RKA-secure for sets consisting of all affine functions and all polynomial functions of bounded degree. Based on this we obtain the first constructions of RKA-secure schemes for the same sets for the following primitives: CCA-secure public-key encryption, CCA-secure symmetric encryption and signatures. All our results are in the standard model and hold under reasonable hardness assumptions.
Secure Communication with a Byzantine Relay
In IEEE International Symposium on Information Theory, 2009
Abstract
Cited by 3 (2 self)
We consider a communication scenario where the source and the destination can communicate only via a relay node which is both an eavesdropper and a Byzantine attacker. Hence, for secure communication, two requirements must be met simultaneously: the transmitted message must be kept secret, and a Byzantine attack must be detected reliably. Both a discrete noiseless adder model, with the relay receiving the real sum of two signals, and a Gaussian model are considered. In both models, the loss in rate due to Byzantine detection can be made arbitrarily small. For the discrete adder model, we show that the probability that the adversary wins decreases exponentially with the number of channel uses. For the Gaussian model, we show that this probability decreases exponentially with the square root of the number of channel uses. The rate derived in this paper is the strong secrecy rate, and the rate loss incurred due to the untrusted and Byzantine relay is measured with respect to the achievable secrecy rate when the relay is untrusted but honest. The result is obtained via a careful combination of an algebraic manipulation detection (AMD) code, a linear wiretap code constructed from a low-density parity-check (LDPC) code, a randomly generated wiretap code and, for the Gaussian model, a lattice code.
Reliable and Secure Memories Based on Algebraic Manipulation Detection Codes and Robust Error Correction
Abstract
Cited by 2 (2 self)
The reliability and security of memories are crucial considerations in modern digital system design. Traditional codes usually concentrate on detecting and correcting errors of certain types, e.g., errors with small multiplicities or byte errors, and cannot detect or correct unanticipated errors. Thereby, they may not be sufficient to protect memories against malicious attackers with strong fault injection capabilities and cannot correct unexpected errors with high multiplicities. In this paper we present a reliable and secure memory architecture based on robust Algebraic Manipulation Detection (AMD) codes. These codes can provide a guaranteed error detection probability even if both the user-defined messages (data stored in the memory) and the error patterns are controllable by an attacker. Moreover, the code can correct any error regardless of its multiplicity as long as the error stays for several consecutive clock cycles. The construction and the error correction procedure for the code will be described. The probability that an error can be successfully detected and/or corrected and the hardware overhead of the proposed memory architecture will be estimated. The presented approach is most efficient for protecting security/reliability-critical memories used to store the most important information on the chip (e.g., a secret key in a cryptographic device).
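The guarantee stated in this abstract and in the IOLTS paper above, detection with bounded masking probability even when the attacker controls both the stored data and the error pattern, can be checked exhaustively on a toy instance. The following is an added example, not the code or the optimal constructions of either paper: it implements the polynomial AMD code of Cramer, Dodis, Fehr, Padró and Wichs over a small prime field GF(p), enumerates every message and every non-zero additive error, and confirms that the fraction of random values x for which the tampered word still verifies never exceeds (d+1)/p. The field size, the message length d and the linear-checksum contrast are assumptions chosen for illustration.

```python
import secrets
from itertools import product

# Added example (not from either AMD paper): polynomial AMD code over GF(p).
# Codeword = (s, x, f(s, x)) with s in GF(p)^d public/attacker-chosen and x a
# fresh random field element that only the encoder sees.

def amd_tag(s, x, p):
    """f(s, x) = x^(d+2) + sum_{i=1..d} s_i * x^i over GF(p), d = len(s).
    Non-linear in the random x; requires p not dividing d + 2."""
    d = len(s)
    tag = pow(x, d + 2, p)
    for i, s_i in enumerate(s, start=1):
        tag = (tag + s_i * pow(x, i, p)) % p
    return tag

def amd_encode(s, p, x=None):
    """Codeword (s, x, f(s, x)); x comes from the device's RNG unless given."""
    if x is None:
        x = secrets.randbelow(p)
    return tuple(s), x, amd_tag(s, x, p)

def amd_verify(codeword, p):
    s, x, tag = codeword
    return amd_tag(s, x, p) == tag

def undetected_fraction(s, delta, p):
    """Fraction of x for which adding error delta = (ds, dx, df) to Encode(s, x)
    still verifies. The attacker knows s and chooses delta; only x is hidden."""
    ds, dx, df = delta
    hits = 0
    for x in range(p):
        s2 = tuple((a + b) % p for a, b in zip(s, ds))
        tampered = (s2, (x + dx) % p, (amd_tag(s, x, p) + df) % p)
        hits += amd_verify(tampered, p)
    return hits / p

def max_undetected_fraction(p, d):
    """Worst case over every message and every non-zero additive error.
    Bound: (d+1)/p, because the mismatch f(s+ds, x+dx) - f(s, x) - df is a
    non-zero polynomial in x of degree at most d+1 (degree d+1 exactly when
    dx != 0, since its x^(d+1) coefficient is (d+2)*dx)."""
    assert (d + 2) % p != 0
    worst = 0.0
    for s in product(range(p), repeat=d):
        for ds, dx, df in product(product(range(p), repeat=d), range(p), range(p)):
            if not any(ds) and dx == 0 and df == 0:
                continue
            worst = max(worst, undetected_fraction(s, (ds, dx, df), p))
    return worst

def linear_checksum_fooled(s, p):
    """Contrast: a linear check c = sum(s) mod p has no secret randomness, so an
    attacker who controls s and the error adds ds together with dc = sum(ds)
    and is never detected (returns True: the forged word verifies)."""
    ds = (1,) + (0,) * (len(s) - 1)
    s2 = tuple((a + b) % p for a, b in zip(s, ds))
    c2 = (sum(s) + sum(ds)) % p
    return sum(s2) % p == c2

if __name__ == "__main__":
    print("worst-case undetected probability, p=7, d=1:",
          max_undetected_fraction(7, 1), "<= bound", 2 / 7)
    print("linear checksum fooled by a chosen error:", linear_checksum_fooled((3, 4, 1), 7))
```

The only secret is the fresh x drawn per encoding; the message s and the error are public and attacker-chosen, which is the adversary both abstracts describe. A linear check passes with probability 1 against such an attacker, while the non-linear term x^(d+2) turns any fixed error into a low-degree polynomial in x with at most d+1 roots, so the masking probability is (d+1)/p regardless of how s and the error are chosen; the papers' hardware designs aim at the same bound with cheaper encoders over GF(2^m).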
Non-malleable Codes from Additive Combinatorics
2013
Abstract
Cited by 2 (0 self)
Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. Split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient