Results 1  10
of
52
Robust fuzzy extractors and authenticated key agreement from close secrets
 In Advances in Cryptology — Crypto 2006, volume 4117 of LNCS
, 2006
"... Consider two parties holding samples from correlated distributions W and W ′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a closetouniformly distributed secret key R by sending a single message over an insecure channel co ..."
Abstract

Cited by 71 (20 self)
 Add to MetaCart
(Show Context)
Consider two parties holding samples from correlated distributions W and W ′, respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a closetouniformly distributed secret key R by sending a single message over an insecure channel controlled by an allpowerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a longterm secret SKBSM that they can use to generate a sequence of session keys {Rj} using multiple pairs {(Wj, W ′ j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the boundedstorage model with errors. We show solutions that improve upon previous work in several respects: • The best prior solution for the keyless case with no errors (i.e., t = 0) requires the minentropy of W to exceed 2n/3, where n is the bitlength of W. Our solution applies whenever the minentropy of W exceeds the minimal threshold n/2, and yields a longer key. • Previous solutions for the keyless case in the presence of errors (i.e., t> 0) required random oracles. We give the first constructions (for certain metrics) in the standard model. • Previous solutions for the keyed case were stateful. We give the first stateless solution. 1
Informationtheoretically secret key generation for fading wireless channels
 IEEE TRANS ON INFORMATION FORENSICS AND SECURITY
, 2010
"... The multipathrich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is timevarying, locationsensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment i ..."
Abstract

Cited by 51 (2 self)
 Add to MetaCart
(Show Context)
The multipathrich wireless environment associated with typical wireless usage scenarios is characterized by a fading channel response that is timevarying, locationsensitive, and uniquely shared by a given transmitter–receiver pair. The complexity associated with a richly scattering environment implies that the shortterm fading process is inherently hard to predict and best modeled stochastically, with rapid decorrelation properties in space, time, and frequency. In this paper, we demonstrate how the channel state between a wireless transmitter and receiver can be used as the basis for building practical secret key generation protocols between two entities. We begin by presenting a scheme based on level crossings of the fading process, which is wellsuited for the Rayleigh and Rician fading models associated with a richly scattering environment. Our level crossing algorithm is simple, and incorporates a selfauthenticating mechanism to prevent adversarial manipulation of message exchanges during the protocol. Since the level crossing algorithm is best suited for fading processes that exhibit symmetry in their underlying distribution, we present a second and more powerful approach that is suited for more general channel state distributions. This second approach is motivated by observations from quantizing jointly Gaussian processes, but exploits empirical measurements to set quantization boundaries and a heuristic log likelihood ratio estimate to achieve an improved secret key generation rate. We validate both proposed protocols through experimentations using a customized 802.11a platform, and show for the typical WiFi channel that reliable secret key establishment can be accomplished at rates on the order of 10 b/s.
Nonmalleable extractors and symmetric key cryptography from weak secrets
 In Proceedings of the 41stACM Symposium on the Theory of Computing
, 2009
"... We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an nbit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional minentropy). Since standard symmetrick ..."
Abstract

Cited by 38 (12 self)
 Add to MetaCart
We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an nbit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional minentropy). Since standard symmetrickey primitives require uniformly random secret keys, we would like to construct an authenticated key agreement protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information theoretic setting where the attacker is computationally unbounded. We show that singleround (i.e. one message) protocols do not work when k ≤ n 2, and require poor parameters even when n 2 < k ≪ n. On the other hand, for arbitrary values of k, we design a communication efficient tworound (challengeresponse) protocol extracting nearly k random bits. This dramatically improves the previous construction of Renner and Wolf [RW03], which requires Θ(λ + log(n)) rounds where λ is the security parameter. Our solution takes a new approach by studying and constructing “nonmalleable” seeded randomness extractors — if an attacker sees a random seed X and comes up with an arbitrarily related seed X ′, then we bound the relationship between R = Ext(W; X) and R ′ = Ext(W; X ′). We also extend our tworound key agreement protocol to the “fuzzy ” setting, where Alice and Bob share “close ” (but not equal) secrets WA and WB, and to the Bounded Retrieval Model (BRM) where the size of the secret W is huge.
Key agreement from close secrets over unsecured channels
, 2009
"... We consider informationtheoretic key agreement between two parties sharing somewhat different versions of a secret w that has relatively little entropy. Such key agreement, also known as information reconciliation and privacy amplification over unsecured channels, was shown to be theoretically feas ..."
Abstract

Cited by 24 (3 self)
 Add to MetaCart
We consider informationtheoretic key agreement between two parties sharing somewhat different versions of a secret w that has relatively little entropy. Such key agreement, also known as information reconciliation and privacy amplification over unsecured channels, was shown to be theoretically feasible by Renner and Wolf (Eurocrypt 2004), although no protocol that runs in polynomial time was described. We propose a protocol that is not only polynomialtime, but actually practical, requiring only a few seconds on consumergrade computers. Our protocol can be seen as an interactive version of robust fuzzy extractors (Boyen et al., Eurocrypt 2005, Dodis et al., Crypto 2006). While robust fuzzy extractors, due to their noninteractive nature, require w to have entropy at least half its length, we have no such constraint. In fact, unlike in prior solutions, in our solution the entropy loss is essentially unrelated to the length or the entropy of w, and depends only on the security parameter.
Nonmalleable Codes from Additive Combinatorics
, 2013
"... Nonmalleable codes provide a useful and meaningful security guarantee in situations where traditional errorcorrection (and even errordetection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is nonmalleable if the message contained ..."
Abstract

Cited by 19 (5 self)
 Add to MetaCart
(Show Context)
Nonmalleable codes provide a useful and meaningful security guarantee in situations where traditional errorcorrection (and even errordetection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is nonmalleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. Although such codes do not exist if the family of “tampering functions ” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so called splitstate model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The splitstate tampering arises in many realistic applications, such as the design of nonmalleable secret sharing schemes, motivating the question of designing efficient nonmalleable codes in this model. Prior to this work, nonmalleable codes in the splitstate model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as noninteractive zeroknowledge proofs and leakageresilient
RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures
, 2012
"... We provide a framework enabling the construction of IBE schemes that are secure under relatedkey attacks (RKAs). Specific instantiations of the framework yield RKAsecure IBE schemes for sets of related key derivation functions that are nonlinear, thus overcoming a current barrier in RKA security. ..."
Abstract

Cited by 19 (4 self)
 Add to MetaCart
We provide a framework enabling the construction of IBE schemes that are secure under relatedkey attacks (RKAs). Specific instantiations of the framework yield RKAsecure IBE schemes for sets of related key derivation functions that are nonlinear, thus overcoming a current barrier in RKA security. In particular, we obtain IBE schemes that are RKA secure for sets consisting of all affine functions and all polynomial functions of bounded degree. Based on this we obtain the first constructions of RKAsecure schemes for the same sets for the following primitives: CCAsecure publickey encryption, CCAsecure symmetric encryption and Signatures. All our results are in the standard model and hold under reasonable hardness assumptions.
NonMalleable Coding Against Bitwise and SplitState Tampering
"... Nonmalleable coding, introduced by Dziembowski, Pietrzak and Wichs (ICS 2010), aims for protecting the integrity of information against tampering attacks in situations where errordetection is impossible. Intuitively, information encoded by a nonmalleable code either decodes to the original messag ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
Nonmalleable coding, introduced by Dziembowski, Pietrzak and Wichs (ICS 2010), aims for protecting the integrity of information against tampering attacks in situations where errordetection is impossible. Intuitively, information encoded by a nonmalleable code either decodes to the original message or, in presence of any tampering, to an unrelated message. Nonmalleable coding is possible against any class of adversaries of bounded size. In particular, Dziembowski et al. show that such codes exist and may achieve positive rates for any class of tampering functions of size at most 22αn, for any constant α ∈ [0, 1). However, this result is existential and has thus attracted a great deal of subsequent research on explicit constructions of nonmalleable codes against natural classes of adversaries. In this work, we consider constructions of coding schemes against two wellstudied classes of tampering functions; namely, bitwise tampering functions (where the adversary tampers each bit of the encoding independently) and the much more general class of splitstate adversaries (where two independent adversaries arbitrarily tamper each half of the encoded sequence). We obtain the following results for these models. 1. For bittampering adversaries, we obtain explicit and efficiently encodable and decodable nonmalleable
From singlebit to multibit publickey encryption via nonmalleable codes
 IACR Cryptology ePrint Archive
, 2014
"... One approach towards basing publickey encryption schemes on weak and credible assumptions is to build “stronger ” or more general schemes generically from “weaker ” or more restricted schemes. One particular line of work in this context, which has been initiated by Myers and Shelat (FOCS ’09) and c ..."
Abstract

Cited by 9 (5 self)
 Add to MetaCart
One approach towards basing publickey encryption schemes on weak and credible assumptions is to build “stronger ” or more general schemes generically from “weaker ” or more restricted schemes. One particular line of work in this context, which has been initiated by Myers and Shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), is to build a multibit chosenciphertext (CCA) secure publickey encryption scheme from a singlebit CCAsecure one. While their approaches achieve the desired goal, it is fair to say that the employed techniques are complicated and that the resulting ciphertext lengths are impractical. We propose a completely different and surprisingly simple approach to solving this problem. While it is wellknown that encrypting each bit of a plaintext string independently is insecure—the resulting scheme is malleable—we show that applying a suitable nonmalleable code (Dziembowski et al., ICS ’10) to the plaintext and subsequently encrypting the resulting codeword bitbybit results in a secure scheme. Our result is the one of the first applications of nonmalleable codes in a context other than memory tampering. The original notion of nonmalleability is, however, not sufficient. We therefore prove that
Strong Secrecy and Reliable Byzantine Detection in the Presence of an Untrusted Relay
 IEEE Transactions on Information Theory
, 2009
"... Abstract—We consider a Gaussian twohop network where the source and the destination can communicate only via a relay node who is both an eavesdropper and a Byzantine adversary. Both the source and the destination nodes are allowed to transmit, and the relay receives a superposition of their transmi ..."
Abstract

Cited by 8 (5 self)
 Add to MetaCart
(Show Context)
Abstract—We consider a Gaussian twohop network where the source and the destination can communicate only via a relay node who is both an eavesdropper and a Byzantine adversary. Both the source and the destination nodes are allowed to transmit, and the relay receives a superposition of their transmitted signals. We propose a new coding scheme that satisfies two requirements simultaneously: the transmitted message must be kept secret from the relay node, and the destination must be able to detect any Byzantine attack that the relay node might launch reliably and fast. The three main components of the proposed schemearethenestedlattice code, the privacy amplification scheme, and the algebraic manipulation detection (AMD) code. Specifically, for the Gaussian twohop network, we show that lattice coding can successfully pair with AMD codes enabling its first application to a noisy channel model. We prove, using this new coding scheme, that the probability that the Byzantine attack goes undetected decreases exponentially fast with respect to the number of channel uses, while the loss in the secrecy rate, compared to the rate achievable when the relay is honest, can be made arbitrarily small. In addition, in contrast with prior work in Gaussian channels, the notion of secrecy provided here is strong secrecy. Index Terms—Algebraic manipulation detection (AMD) code, Byzantine detection, informationtheoretic secrecy, lattice code, relay channel, strong secrecy. I.