Out-of-Band Authentication in Group Messaging: Computational, Statistical, Optimal
Lior Rotem, Gil Segev
Hebrew University
2
Messaging is Popular…
3
Major Effort: E2E-Encrypted Messaging
- Government surveillance and/or coercion
- Untrusted or corrupted messaging servers
Key challenge: Detecting man-in-the-middle attacks when setting up E2E-encrypted channels
4
Man-in-the-Middle Attacks
[Figure: Alice’s phone and Bob’s phone]
5
Man-in-the-Middle Attacks
[Figure: Alice’s phone sends $g^a$ and Bob’s phone sends $g^b$; the attacker in the middle delivers $\hat g^a$ and $\hat g^b$ instead]
- Impossible to detect without any setup
- Impractical to assume a trusted PKI in messaging platforms…
6
Out-of-Band Authentication
Practical to assume: Users can “out-of-band” authenticate one short value
- Users can compare a short string displayed on their devices
- Assuming that they recognize each other’s voice, this is a low-bandwidth authenticated channel
[Figure: Alice’s phone and Bob’s phone exchange $g^a$, $g^b$ (possibly replaced by $\hat g^a$, $\hat g^b$ in the middle) while Alice and Bob compare a short value out-of-band]
7
Out-of-Band Authentication
Facebook, Signal, Telegram, WhatsApp, Allo, Wire
8
Out-of-Band Authentication
Within the cryptography community:
- Considered by Rivest and Shamir in ’84 (“Interlock” protocol)
- Formalized by Vaudenay ’05 (computational security) and by Naor, Segev and Smith ’06 (statistical security)
  Bounded vs. unbounded adversaries
9
The User-to-User Setting
- An equivalent problem: Detecting MitM attacks in message authentication
[Figure: Alice’s phone sends $m$; Bob’s phone receives $\hat m$]
Detect with prob. $1-\varepsilon$ whenever $\hat m \neq m$
⇒ Given a shared key: MAC the message
⇐ Given a message authentication protocol: Run any key exchange protocol and authenticate the transcript
10
The User-to-User Setting
[Figure: Alice’s phone sends $g^a$ and Bob’s phone sends $g^b$; the attacker delivers $\hat g^a$ and $\hat g^b$ instead]
Alice’s transcript: $m = g^a \| g^b$; Bob’s transcript: $\hat m = \hat g^a \| g^b$
11
The User-to-User Setting
Detect with prob. $1-\varepsilon$ whenever $\hat m \neq m$
[Figure: Alice’s phone and Bob’s phone; the insecure channel carries $m$ and $\hat m$, the out-of-band channel carries an $\ell$-bit value]
How low-bandwidth is the out-of-band channel?
- WhatsApp\Signal: $\ell = 200$ bits (60 digits)
- Telegram: $\ell = 288$ bits (64 characters)
- …
- Lower bound: $\ell \ge \log(1/\varepsilon)$ [PV06]
12
The User-to-User Setting
Detect with prob. $1-\varepsilon$ whenever $\hat m \neq m$
[Figure: Alice’s phone and Bob’s phone; the insecure channel carries $m$ and $\hat m$, the out-of-band channel carries an $\ell$-bit value]
Goal: Optimal tradeoff between $\ell$ and $\varepsilon$
- Minimize user effort (small $\ell$)
- Maximize security (small $\varepsilon$)
13
User-to-User Bounds
                         Protocols                        Lower Bounds
Computational Security   $\log(1/\varepsilon)$            $\log(1/\varepsilon) - O(1)$     [Vau05, PV06]
Statistical Security     $2\log(1/\varepsilon) + O(1)$    $2\log(1/\varepsilon) - O(1)$    [NSS06]
14
This Talk: The Group Setting
                User-to-User Setting                 Group Setting
Theory          ✓ Tightly characterized              ? Not yet studied
Practice        ✓ Practical protocols deployed       ✗ Impractical protocols deployed
15
Our Contributions
A framework modeling out-of-band authentication in the group setting
- Users communicate over an insecure channel
- Group administrator can out-of-band authenticate one short value to all users
- Consistent with and supported by existing messaging platforms
[Figure: the group administrator connected to the users $R_1, R_2, \dots, R_k$ over the insecure channel and over the out-of-band channel]
16
Our Contributions
A framework modeling out-of-band authentication in the group setting
Tight bounds for out-of-band authentication in the group setting ($k$ – number of receivers):
                         Protocols                                             Lower Bounds
Computational Security   $\log(1/\varepsilon) + \log k$                         $\log(1/\varepsilon) + \log k - O(1)$
Statistical Security     $(k+1)\cdot\log(1/\varepsilon) + \log k + O(1)$        $(k+1)\cdot\log(1/\varepsilon) - k$
Our computationally-secure protocol is practically relevant, and substantially improves the currently-deployed protocols. E.g., $k = 32$ and $\varepsilon = 2^{-80}$: $32 \times 85 = 2720$ bits vs. $85$ bits!!
17
Talk Outline
- Communication model & notions of security
- The naïve protocol
- Our protocols & lower bounds
19
Communication Model
[Figure: sender $S$ and receivers $R_1, R_2, \dots, R_k$ connected by the insecure channel; out-of-band channel from $S$ to all receivers]
- Insecure channel: Adversary can read, remove and insert messages
- Out-of-band channel: Adversary can read, remove and delay messages, for all or for some of the users; adversary cannot modify messages or insert new ones in an undetectable manner
20
Correctness & Security
[Figure: $S$ with input $m$; receivers $R_1, R_2, \dots, R_k$ with outputs $\hat m_1, \hat m_2, \dots, \hat m_k$; out-of-band channel from $S$]
- Correctness: In an honest execution $\forall i: \hat m_i = m$
- Unforgeability: $\Pr[\exists i: \hat m_i \notin \{m, \bot\}] \le \varepsilon$
- Computational vs. statistical security
22
The Naïve Protocol
- Independently invoke a user-to-user protocol $\pi$ with each $R_i$
[Figure: $S$ runs $\pi$ separately with $R_1, R_2, \dots, R_k$]
- $S$ out-of-band authenticates at least $k \cdot \log(k/\varepsilon)$ bits
- E.g., $k = 2^{10}$ and $\varepsilon = 2^{-80}$: $2^{10} \times 90$ bits; $k = 32$ and $\varepsilon = 2^{-80}$: $32 \times 85$ bits
24
Warm-Up: Vaudenay’s Protocol
Input: $m$. $S$ samples $r_S \leftarrow \{0,1\}^\ell$ and $R$ samples $r_R \leftarrow \{0,1\}^\ell$.
1. $S \to R$: $m$, $c = \mathrm{com}(m \| r_S)$ (possibly interactive)
2. $R \to S$: $r_R$
3. $S \to R$: $\mathrm{decom}(c)$
4. $S \to R$ over the out-of-band channel: $r_S \oplus r_R$
$R$ accepts $m$ if and only if $r_S \oplus r_R$ is consistent with the insecure channel
Theorem [Vau05, LN06]: If (com, decom) is non-malleable then for any $\ell \in \mathbb{N}$ it holds that $\varepsilon = 2^{-\ell}$
Proof sketch:
- Consider all possible synchronizations of a MitM attack
- Reduce each one to the security of the commitment scheme
25
Our First Attempt
Input: $m$. $S$ samples $r_S \leftarrow \{0,1\}^\ell$; $R_1$ and $R_2$ sample $r_1, r_2 \leftarrow \{0,1\}^\ell$.
1. $S \to R_1, R_2$: $m$, $c = \mathrm{com}(m \| r_S)$
2. $R_1$ sends $r_1$ and $R_2$ sends $r_2$ to all parties, in the clear
3. $S \to R_1, R_2$: $\mathrm{decom}(c)$
4. $S \to R_1, R_2$ over the out-of-band channel: $r_S \oplus r_1 \oplus r_2$
26
Our First Failure
[Figure: attacker between $S$ (input $m$) and $R_1$ (output $\hat m$); the messages $m$, $c = \mathrm{com}(m \| r_S)$, $r_1, r_2$ and $\mathrm{decom}(c)$ cross the insecure channel, and $S$ out-of-band authenticates $r_S \oplus r_1 \oplus r_2$]
- The attacker, playing $S$ toward $R_1$ with its own $\hat r_S$, knows $r_S$ and $r_2$ by the time it delivers a value $\hat r_2$ to $R_1$ in the role of $R_2$, so it can choose $\hat r_2$ such that $r_S \oplus r_1 \oplus r_2 = \hat r_S \oplus r_1 \oplus \hat r_2$, and the authenticated value is consistent with $R_1$’s view
- Solution: Avoid sending $r_1$ and $r_2$ in the clear
27
Our Computationally-Secure Protocol
Input: $m$. $S$ samples $r_S \leftarrow \{0,1\}^\ell$; $R_1$ and $R_2$ sample $r_1, r_2 \leftarrow \{0,1\}^\ell$.
- $S \to R_1, R_2$: $m$, $c_S = \mathrm{com}(m \| r_S)$
- Each $R_i$ commits to its value, $c_i = \mathrm{com}(r_i)$, instead of sending $r_i$ in the clear
- Once all commitments have been received, $S$ sends $\mathrm{decom}(c_S)$ and each $R_i$ sends $\mathrm{decom}(c_i)$
- $S \to R_1, R_2$ over the out-of-band channel: $r_S \oplus r_1 \oplus r_2$
- Each $R_i$ accepts $m$ if and only if the out-of-band value is consistent with the decommitted values
28
Our Computationally-Secure Protocol
Theorem: If (com, decom) is statistically-binding & concurrent non-malleable, then for any $k, \ell \in \mathbb{N}$ it holds that $\varepsilon = k \cdot 2^{-\ell}$
Proof sketch:
- Focus individually on each receiver $R_i$
- Consider all possible synchronizations of a MitM attack (today: exemplify 2 notable attacks)
- Reduce each one to the security of the commitment scheme (statistical binding or concurrent non-malleability)
29
Attack #1
[Figure: attacker between $S$ and $R_1$, with $r_S \leftarrow \{0,1\}^\ell$ and $r_1 \leftarrow \{0,1\}^\ell$. $R_1$ sends $c_1 = \mathrm{com}(r_1)$ and later $\mathrm{decom}(c_1)$; the attacker sends $\mathrm{com}(r_2)$ and $\hat m, \mathrm{com}(\hat m \| \hat r_S)$ to $R_1$, and $\mathrm{com}(\hat r_1), \mathrm{com}(\hat r_2)$ to $S$; only afterwards does $S$ send $c_S = \mathrm{com}(m \| r_S)$]
- $S$ chooses $r_S$ after $R_1$ decommits
- $R_1$ accepts $\hat m$ if and only if $r_S \oplus \hat r_1 \oplus \hat r_2 = \hat r_S \oplus r_1 \oplus r_2$
- Statistical binding implies that, by the time $r_S$ is chosen, all values except for $r_S$ are already determined:
  $\Pr_{r_S \leftarrow \{0,1\}^\ell}\left[r_S = \hat r_1 \oplus \hat r_2 \oplus \hat r_S \oplus r_1 \oplus r_2\right] = 2^{-\ell}$
30
Attack #2
[Figure: attacker between $S$ and $R_1$, with $r_S \leftarrow \{0,1\}^\ell$ and $r_1 \leftarrow \{0,1\}^\ell$. $R_1$ sends $c_1 = \mathrm{com}(r_1)$; the attacker sends $\hat c_1 = \mathrm{com}(\hat r_1)$ and $\hat c_2 = \mathrm{com}(\hat r_2)$ to $S$ and receives $c_S = \mathrm{com}(m \| r_S)$; it then sends $c_2 = \mathrm{com}(r_2)$ and $\hat c_S = \mathrm{com}(\hat m \| \hat r_S)$ to $R_1$, and only afterwards does $R_1$ send $\mathrm{decom}(c_1)$]
- $S$ chooses $r_S$ before $R_1$ decommits
- Fix “worst-case” $r_1$, $\hat r_1$ and $\hat r_2$
- Attacker gets $\mathrm{com}(m \| r_S)$ and needs to output $\mathrm{com}(r_2)$ and $\mathrm{com}(\hat m \| \hat r_S)$ such that $r_S \oplus \hat r_1 \oplus \hat r_2 = \hat r_S \oplus r_1 \oplus r_2$
- Concurrent non-malleability implies that either $m = \hat m$ or
  $\Pr\left[r_S \oplus \hat r_1 \oplus \hat r_2 = \hat r_S \oplus r_1 \oplus r_2\right] = 2^{-\ell} + \nu(\lambda)$
31
Concurrent Non-Malleable Commitments
[Figure: $S$ sends $\mathrm{com}(v)$; the man-in-the-middle sends $\mathrm{com}(\hat v_1), \dots, \mathrm{com}(\hat v_k)$ to $R_1, \dots, R_k$]
- Constant-round schemes from any one-way function [PR05, PR06, LPV08, LP11, Goy11, GRRV14, GPR16, COSV17, …]
- Simple, efficient and non-interactive in the random-oracle model: $\mathrm{com}(v; s) = \mathrm{Hash}(v \| s)$
- Infeasible to “non-trivially correlate” concurrent executions
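An added Python example (written for this transcript, not the authors' code) that ties the commit-then-reveal group protocol of the "Our Computationally-Secure Protocol" slide to the random-oracle commitment $\mathrm{com}(v; s) = \mathrm{Hash}(v \| s)$ of this slide, and reproduces the naive-vs-group bandwidth comparison of the "Naïve Protocol" slide. SHA-256 as Hash, 128-bit openings, the `substitute_message` attacker and the `oob_bits` helper are assumptions and constructions of the example.

```python
import hashlib
import secrets
from functools import reduce
from operator import xor

ELL = 80  # bit-length of the out-of-band value; epsilon = 2^-80 as in the talk's examples

def com(value: bytes, opening: bytes) -> bytes:
    """Random-oracle commitment from the talk, com(v; s) = Hash(v || s); Hash := SHA-256 (assumption)."""
    return hashlib.sha256(value + opening).digest()

def to_bytes(x: int) -> bytes:
    return x.to_bytes(ELL // 8, "big")

def group_protocol(m: bytes, k: int, tamper=None) -> bool:
    """Run the protocol with sender S and receivers R_1..R_k and return whether a receiver accepts.
    `tamper` (the attacker, if any) rewrites the receiver's view of the insecure channel only."""
    # Commit phase: S commits to m || r_S, each R_i commits to its own r_i (nothing in the clear).
    r_S, open_S = secrets.randbits(ELL), secrets.token_bytes(16)
    c_S = com(m + to_bytes(r_S), open_S)
    r = [secrets.randbits(ELL) for _ in range(k)]
    opens = [secrets.token_bytes(16) for _ in range(k)]
    c = [com(to_bytes(r_i), o_i) for r_i, o_i in zip(r, opens)]
    # Reveal phase (only after all commitments arrived): everyone decommits.
    view = {"m": m, "c_S": c_S, "r_S": r_S, "open_S": open_S, "c": c, "r": r, "opens": opens}
    if tamper is not None:
        view = tamper(view)
    # Out-of-band channel: S authenticates the ELL-bit value r_S xor r_1 xor ... xor r_k, unmodified.
    sigma = reduce(xor, r, r_S)
    # The receiver accepts iff every decommitment opens and its own view reproduces sigma.
    opens_ok = com(view["m"] + to_bytes(view["r_S"]), view["open_S"]) == view["c_S"] and all(
        com(to_bytes(r_j), o_j) == c_j for r_j, o_j, c_j in zip(view["r"], view["opens"], view["c"]))
    return opens_ok and reduce(xor, view["r"], view["r_S"]) == sigma

def substitute_message(view):
    """Constructed attacker: delivers another message with its own r_S; the xor of its values then
    matches the authenticated sigma only with probability 2^-ELL, so the receiver rejects."""
    view = dict(view)
    view["m"] = b"attacker-chosen message"
    view["r_S"] ^= 1  # any value other than the sender's r_S
    view["c_S"] = com(view["m"] + to_bytes(view["r_S"]), view["open_S"])
    return view

def oob_bits(k: int, log_inv_eps: int):
    """Out-of-band bits for k receivers (k a power of two) at epsilon = 2^-log_inv_eps:
    naive protocol k * log(k/epsilon) versus the group protocol log(1/epsilon) + log k."""
    log_k = k.bit_length() - 1
    return k * (log_inv_eps + log_k), log_inv_eps + log_k
```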
33
Our Statistical Lower Bound
[Figure: $S$ and receivers $R_1, R_2, \dots, R_k$; the out-of-band channel carries $\Sigma$; the intuition is illustrated for $k = 1$]
- Denote by $\Sigma$ the out-of-band value in an honest execution with a random $m$
- During any execution $\Sigma$’s Shannon entropy decreases from $H(\Sigma)$ to $0$
- Intuition [NSS06]: Each party must “independently reduce” at least $\log(1/\varepsilon)$ bits from $H(\Sigma)$
  $\Rightarrow H(\Sigma) \ge (k+1) \cdot \log(1/\varepsilon)$
34
Our Statistical Lower Bound
- We present $k+1$ attacks that succeed with probabilities $\varepsilon_0, \dots, \varepsilon_k$ such that
  $2^{-H(\Sigma) - k} \le \prod_{i=0}^{k} \varepsilon_i$
- The security of the protocol guarantees that
  $\prod_{i=0}^{k} \varepsilon_i \le \varepsilon^{k+1}$
⇓ (combining the two bounds and taking logarithms)
$H(\Sigma) \ge (k+1) \cdot \log(1/\varepsilon) - k$
35
Protocol Structure
- Assume that the protocol has $t$ rounds over the insecure channel
- In each round $i$ a single party is “active” and sends messages:
- If $i \equiv 0 \bmod (k+1)$ then $S$ is active
- Otherwise, $R_{i \bmod (k+1)}$ is active
- Denote by $x_i$ the vector of messages sent in round $i$
[Figure: $S$, $R_1$, $R_2$ taking turns sending $x_0, x_1, x_2, x_3, x_4, x_5$]
36
Understanding $H(\Sigma)$
- Random variables $M, X_0, \dots, X_{t-1}, \Sigma$
- Split $H(\Sigma)$ according to the marginal contribution of each round (a telescoping sum):
$$H(\Sigma) = \big[H(\Sigma) - H(\Sigma \mid M, X_0)\big] + \big[H(\Sigma \mid M, X_0) - H(\Sigma \mid M, X_0, X_1)\big] + \dots + \big[H(\Sigma \mid M, X_0, \dots, X_{t-2}) - H(\Sigma \mid M, X_0, \dots, X_{t-1})\big] + H(\Sigma \mid M, X_0, \dots, X_{t-1})$$
$$= I(\Sigma; M, X_0) + \underbrace{\sum_{1 \le j < t:\ j \equiv 0 \bmod (k+1)} I(\Sigma; X_j \mid M, X_0, \dots, X_{j-1})}_{\text{Entropy reduction by } S} + \sum_{i \in [k]} \underbrace{\sum_{j \equiv i \bmod (k+1)} I(\Sigma; X_j \mid M, X_0, \dots, X_{j-1})}_{\text{Entropy reduction by } R_i} + H(\Sigma \mid M, X_0, \dots, X_{t-1})$$
37
Understanding $H(\Sigma)$
Lemma 1: There exists a man-in-the-middle attacker that succeeds with probability
$$\varepsilon_0 \ge 2^{-\left(I(\Sigma; M, X_0) + \sum_{1 \le j < t:\ j \equiv 0 \bmod (k+1)} I(\Sigma; X_j \mid M, X_0, \dots, X_{j-1}) + H(\Sigma \mid M, X_0, \dots, X_{t-1})\right)}$$
Lemma 2: For every $i \in [k]$ there exists a man-in-the-middle attacker that succeeds with probability
$$\varepsilon_i \ge 2^{-\sum_{j \equiv i \bmod (k+1)} I(\Sigma; X_j \mid M, X_0, \dots, X_{j-1})}$$
38
Simplified Case
- Two receivers, three rounds
[Figure: $S$ sends $x_0$, $R_1$ sends $x_1$, $R_2$ sends $x_2$]
$$H(\Sigma) = \underbrace{I(\Sigma; M, X_0)}_{\text{Entropy reduction by } S} + \underbrace{I(\Sigma; X_1 \mid M, X_0)}_{\text{Entropy reduction by } R_1} + \underbrace{I(\Sigma; X_2 \mid M, X_0, X_1)}_{\text{Entropy reduction by } R_2} + H(\Sigma \mid M, X_0, X_1, X_2)$$
39
Lemma 1 - Simplified Case
[Figure: the attacker runs two executions. With $(R_1, R_2)$: input $\hat m \leftarrow \{0,1\}^n$, the attacker sends $\hat x_0$, receives $x_1, x_2$, and computes the simulated out-of-band value $\hat\sigma$. With $S$: input $m \leftarrow \{0,1\}^n$, $S$ sends $x_0$, the attacker sends $\hat x_1, \hat x_2$, and $S$ out-of-band authenticates $\sigma$]
The attack:
- Run an honest execution with $(R_1, R_2)$ while simulating $S$ on a random $\hat m$
- Run an execution with $S$ on a random $m$ while simulating $(R_1, R_2)$
- However, instead of sampling $(\hat x_1, \hat x_2)$ from the conditional distribution $(X_1, X_2) \mid m, x_0$, sample them from $(X_1, X_2) \mid m, x_0, \hat\sigma$
- Forward $\sigma$ to $(R_1, R_2)$
- If $\sigma = \hat\sigma$ then $R_1$ and $R_2$ will accept $\hat m$
$$\Pr[\sigma = \hat\sigma] \ge 2^{-\left(I(\Sigma; M, X_0) + H(\Sigma \mid M, X_0, X_1, X_2)\right)}$$
40
Summary
A framework modeling out-of-band authentication in the group setting
Tight bounds for out-of-band authentication in the group setting:
                         Protocols                                             Lower Bounds
Computational Security   $\log(1/\varepsilon) + \log k$                         $\log(1/\varepsilon) + \log k - O(1)$
Statistical Security     $(k+1)\cdot\log(1/\varepsilon) + \log k + O(1)$        $(k+1)\cdot\log(1/\varepsilon) - k$