randomness extractors secure communication in practice
play

Randomness Extractors. Secure Communication in Practice Lecture - PowerPoint PPT Presentation

Aug 16, 2022 •569 likes •816 views

Randomness Extractors. Secure Communication in Practice Lecture 17

  1. Randomness Extractors. 
 Secure Communication in Practice Lecture 17

  2. ����������������������� ����������� � 
 ������������������������������������� 11:00 - 12:30 What is MPC? Manoj Monday 2:00 - 3:00 Zero Knowledge Muthu Yuval Ishai 
 3:30 - 5:00 Garbled Circuits Arpita Technion & UCLA 9:00 - 10:30 Randomized Encoding Yuval Muthu Venkitasubramaniam 11:00 - 12:30 Oblivious Transfer Arpita U Rochester Tuesday 2:00 - 3:30 Composition Muthu Arpita Patra 
 4:00 - 5:00 MPC Complexity Manoj IISc 9:00 - 10:30 Honest-Majority MPC Vassilis Vassilis Zikas Wednesday 11:00 - 12:30 "MPC in the head” Yuval RPI 2:00 - 3:00 Asynchronous MPC Vassilis Manoj Prabhakaran 
 IIT Bombay

  3. Randomness Extraction

  4. Randomness Extractors Consider a PRG which outputs a pseudorandom group element in some complicated group A standard bit-string representation of a random group element may not be (pseudo)random Can we efficiently map it to a pseudorandom bit string? Depends on the group... Suppose a chip for producing random bits shows some complicated dependencies/biases, but still is highly unpredictable Can we purify it to extract uniform randomness? Depends on the specific dependencies... A general tool for purifying randomness: Randomness Extractor

  5. Randomness Extractors Statistical guarantees (output not just pseudorandom, but truly random, if input has sufficient entropy) 2-Universal Hash Functions “Optimal” in all parameters except seed length Constructions with shorter seeds known e.g. Based on expander graphs

  6. Randomness Extractors Strong extractor : output is random even when the seed for extraction is revealed 2-UHF is an example Useful in key agreement Alice and Bob exchange a non-uniform key, with a lot of pseudoentropy for Eve (say, g xy ) Alice sends a random seed for a strong extractor to Bob, in the clear Key derivation: Alice and Bob extract a new key, which is pseudorandom (i.e., indistinguishable from a uniform bit string)

  7. Randomness Extractors Pseudorandomness Extractors (a.k.a. computational extractors): output is guaranteed only to be pseudorandom if input has sufficient (pseudo)entropy Key Derivation Function: Strong pseudorandomness extractor Cannot directly use a block-cipher, because pseudorandomness required even when the randomly chosen seed is public (“salt”) Extract-Then-Expand: Enough to extract a key for a PRF Can be based on HMAC or CBC-MAC: Statistical guarantee, if compression function/block-cipher is a random function/ random permutation Models IPsec Key Exchange (IKE) protocol. HMAC version later standardised as HKDF .

  8. Randomness Extractors Extractors for use in system Random Number Generator (think /dev/random) Additional issues: Online model, with a variable (and unknown) rate of entropy accumulation Should recover from compromise due to low entropy phases Constructions provably secure in such models known Using PRG (e.g., AES in CTR mode), universal hashing and “pool scheduling” (similar to Fortuna, used in Windows)

  9. Secure Communication In Practice

  10. We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE (e.g., DDH, RSA) and 
 Random Oracle heuristics (in RSA-OAEP, RSA-PSS) Symmetric-Key primitives much faster than Public-Key ones Hybrid Encryption gets best of both worlds

  11. Secure Communication in Practice Can do at application-level e.g. between web-browser and web-server Or lower-level infrastructure to allow use by more applications e.g. between OS kernels, or between network gateways Standards in either case To be interoperable To not insert bugs by doing crypto engineering oneself e.g.: SSL/TLS (used in https), IPSec (in the “network layer”)

  12. Security Architectures (An example) Security architecture (client perspective) From the IBM WebSphere Developer Technical Journal

  13. Secure Communication Infrastructure Goal: a way for Alice and Bob to get a private and authenticated communication channel (can give a detailed SIM-definition) Simplest idea: Use a (SIM-CCA secure) public-key encryption (possibly a hybrid encryption) to send signed (using an existentially unforgeable signature scheme) messages (with sequence numbers and channel id) Limitation: Alice, Bob need to know each other’ s public-keys But typically Alice and Bob engage in “transactions,” exchanging multiple messages, maintaining state throughout the transaction Makes several efficiency improvements possible

  14. Secure Communication Infrastructure Secure Communication Sessions (Authenticated) 
 Handshake protocol: establish private shared keys Key-Exchange Record protocol: use efficient symmetric-key schemes Server-to-server communication: Both parties have (certified) public-keys Client-server communication: server has (certified) public-keys Client “knows” server. Server willing to talk to all clients Client-Client communication (e.g., email) 
 Server may “know” (some) clients Clients share public-keys in ad hoc 
 too, using passwords, pre-shared keys, or if they have (certified) ways public-keys. Often implemented in application-layer

  15. Certificate Authorities How does a client know a server’ s public-key? Based on what is received during a first session? (e.g., first ssh connection to a server) Better idea: Chain of trust Client knows a certifying authority’ s public key (for signature)

  16. Certificate Authorities How does a client know a server’ s public-key? Based on what is received during a first session? (e.g., first ssh connection to a server) Better idea: Chain of trust Client knows a certifying authority’ s public key (for signature) Bundled with the software/hardware Certifying Authority signs the signature PK of the server CA is assumed to have verified that the PK was generated by the “correct” server before signing Validation standards: Domain/Extended validation

  17. Forward Secrecy Servers have long term public keys that are certified Would be enough to have long term signature keys, but in practice long term encryption keys too Problem: if the long term key is leaked, old communications are also revealed Adversary may have already stored, or even actively participated in old sessions Solution: Use fresh public-keys/do a fresh key-exchange for each session (authenticated using signatures)

  18. A Simple Secure Communication Scheme Handshake Server’ s PK either trusted (from a previous session for e.g) or Client sends session keys for MAC and certified by a trusted CA, using SKE to the server using SIM-CCA a Digital Signature scheme secure PKE, with server’ s PK (i.e. over Need to avoid replay attacks an unauthenticated, but private channel) (infeasible for server to explicitly check for replayed ciphertexts) For authentication only: use MAC Recall “inefficient” domain- In fact, a “stream-MAC”: To send more extension of MAC: Add a than one message, but without allowing session-specific nonce and a reordering sequence number to each message before MAC’ing For authentication + (CCA secure) encryption: encrypt-then-MAC Authentication for free: MAC serves dual purposes! stream-cipher, and “stream-MAC”

  19. Negotiations on protocol version etc. and “cipher suites” (i.e., which PKE/ TLS (SSL) key-exchange, SKE, MAC (and CRHF)). e.g. cipher-suite: RSA-OAEP for key- exchange, AES for SKE, 
 HMAC-SHA256 for MAC Handshake Server sends a certificate of its PKE Client sends session keys for MAC and public-key, which the client verifies SKE to the server using SIM-CCA Server also “contributes” to key- secure PKE, with server’ s PK (i.e. over generation (to avoid replay attack an unauthenticated, but private channel) issues): Roughly, client sends a key K for a PRF; a master key generated as For authentication only: use MAC PRF K (x,y) where x from client and y from server. SKE and MAC keys In fact, a “stream-MAC”: To send more derived from master key than one message, but without allowing Uses MAC-then-encrypt! Not CCA reordering secure in general, but secure with stream-cipher (and with some other For authentication + (CCA secure) modes of block-ciphers, like CBC) encryption: encrypt-then-MAC Several details on closing sessions, stream-cipher, and “stream-MAC” session caching, resuming sessions …

  20. TLS: Some Considerations Overall security goal: Authenticated and Confidential Channel Establishment (ACCE), or Server-only ACCE Handshake Protocol Cipher suites are negotiated, not fixed → “Downgrade attacks” Doesn’ t use CCA secure PKE, but overall CCA secure if error in decryption “never revealed” (tricky to ensure!) Record Protocol Using MAC-then-Encrypt is tricky: CCA-secure when using SKE implemented using a stream cipher (or block-cipher in CTR mode) or CBC-MAC But insecure if it reveals information from decryption phase. e.g., different times taken by MAC check (or different error messages!) when a format error in decrypted message

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2-source Randomness Extractors for Elliptic Curves Abdoul Aziz Ciss Laboratoire de Traitement de

2-source Randomness Extractors for Elliptic Curves Abdoul Aziz Ciss Laboratoire de Traitement de

Motivations Extractors Character sums Randomness extractors for EC 2-source Randomness Extractors for Elliptic Curves Abdoul Aziz Ciss Laboratoire de Traitement de lInformation et Syst` emes Intelligents Ecole Polytechnique de Thi`

348 views • 22 slides
Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi MIT/UC Berkeley University of Michigan Presented in QIP14 as plenary talk (joint with [MS14]) 1 Randomness Randomness is a vital resource

391 views • 17 slides
Quantum-proof randomness extractors via operator space theory Mario Berta, Omar Fawzi,

Quantum-proof randomness extractors via operator space theory Mario Berta, Omar Fawzi,

Quantum-proof randomness extractors via operator space theory Mario Berta, Omar Fawzi, Volkher B. Scholz based on arXiv:1409.3563 Introduction to (Classical) Randomness Extractors Goal: transform only partly random classical

276 views • 24 slides
Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness

Wrap Up: Cryptographic Primitives Lecture 18 Alternate Assumptions for PKE Randomness Extractors Story So Far Basic primitives for secure communication: Shared-Key Public-Key SKE PKE Encryption MAC

498 views • 17 slides
Randomness Extractors Alex Block Purdue University April 25, 2016 Alex Block (Purdue

Randomness Extractors Alex Block Purdue University April 25, 2016 Alex Block (Purdue

Randomness Extractors Alex Block Purdue University April 25, 2016 Alex Block (Purdue University) Randomness Extractors April 25, 2016 1 / 28 Table of Contents Preliminaries 1 What is an Extractor? 2 Seeded Extractors 3 Deterministic

400 views • 28 slides
Quantum to Classical Randomness Extractors Mario Berta, Omar Fawzi, Stephanie Wehner - Full

Quantum to Classical Randomness Extractors Mario Berta, Omar Fawzi, Stephanie Wehner - Full

Quantum to Classical Randomness Extractors Mario Berta, Omar Fawzi, Stephanie Wehner - Full version preprint available at arXiv: 1111.2026v3 08/23/2012 - CRYPTO University of California, Santa Barbara Outline (Classical to Classical)

558 views • 53 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
Error Detection and Correction: Nim; Secure Communication; RAID Greg Plaxton Theory in

Error Detection and Correction: Nim; Secure Communication; RAID Greg Plaxton Theory in

Error Detection and Correction: Nim; Secure Communication; RAID Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The Game of Nim Initially, there are a number of piles of

361 views • 13 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
A New Approach for Constructing Low-Error Two-Source Extractors DEAN DORON TEL-AVIV

A New Approach for Constructing Low-Error Two-Source Extractors DEAN DORON TEL-AVIV

A New Approach for Constructing Low-Error Two-Source Extractors DEAN DORON TEL-AVIV UNIVERSITY Joint work with AVRAHAM BEN-AROYA ESHAN CHATTOPADHYAY XIN LI AMNON TA-SHMA Todays talk Two-source extractors and the low-error challenge.

1.28k views • 113 slides
Extractors for circuit sources Emanuele Viola December 20, 2011 Abstract We obtain the first

Extractors for circuit sources Emanuele Viola December 20, 2011 Abstract We obtain the first

Extractors for circuit sources Emanuele Viola December 20, 2011 Abstract We obtain the first deterministic extractors for sources generated (or sampled) by small circuits of bounded depth. Our main results are: (1) We extract k ( k/nd ) O

785 views • 21 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1 Overview Secure auditing requires random sampling The units to be

478 views • 23 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
Countering Cryptographic Subversion Post-Snowden Cryptography Workshop Brussels 8/12/2015 Kenny

Countering Cryptographic Subversion Post-Snowden Cryptography Workshop Brussels 8/12/2015 Kenny

Countering Cryptographic Subversion Post-Snowden Cryptography Workshop Brussels 8/12/2015 Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp The post-Snowden adversary Since the Snowden revelations beginning in

481 views • 27 slides
Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE (e.g., DDH, RSA) and

444 views • 16 slides
Abbey - Chesterton Bridge Stakeholder Group Meeting 3 Agenda Introductory words

Abbey - Chesterton Bridge Stakeholder Group Meeting 3 Agenda Introductory words

Abbey - Chesterton Bridge Stakeholder Group Meeting 3 Agenda Introductory words Introduction to the Project Team Strategic context for a bridge Presentation by Project Sponsor Presentation by Architect Question cards

481 views • 21 slides
Scamper http://www.wand.net.nz/scamper/ Matthew Luckie mjl@wand.net.nz Introduction It is

Scamper http://www.wand.net.nz/scamper/ Matthew Luckie mjl@wand.net.nz Introduction It is

Scamper http://www.wand.net.nz/scamper/ Matthew Luckie mjl@wand.net.nz Introduction It is coming up towards the end of a years contract between the University of Waikato and WIDE that funded the development of scamper 1 April

1.35k views • 39 slides
OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab

OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab

OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab Introduction IoT and SSL/TLS landscape Secure Device Grid design Lessons Learned ABOUT THE SPEAKER Kresten Krab Thorup, Ph.D. Trifork CTO - since 1999

948 views • 56 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

SLTS Kernel and Base-Layer Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan, Tokyo, June 2, 2017 Our Civilization is Run by Linux Open Source Summit Japan 2017 2

1.03k views • 46 slides
Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be dominig.arfoll@fridu.net 1/30 A harden Embedded Linux Applicable to any Industrial IoT Linux 2/30 3/30 4/30 Top 25 Git Commituers in 2016 Commits Name

1.37k views • 30 slides

More recommend