Non-malleable extractors and symmetric key cryptography from weak secrets

Yevgeniy Dodis, Daniel Wichs

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an n-bit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional min-entropy). Since standard symmetric-key primitives require uniformly random secret keys, we would like to construct an authenticated key agree- ment protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information theoretic setting where the attacker is computationally unbounded. We show that single- round (i.e. one message) protocols do not work when k ≤ n/2 , and require poor parameters even when n/2 < k « n. On the other hand, for arbitrary values of k, we design a communication e±cient two-round (challenge-response) protocol extracting nearly k random bits. This dramatically improves the prior construction of Renner and Wolf [32], which requires θ(λ±log(n)) rounds where λ is the security parameter. Our solution takes a new approach by studying and constructing \non-malleable" seeded randomness extractors - if an attacker sees a random seed X and comes up with an arbitrarily related seed X, then we bound the relationship between R' = Ext(W;X) and R0 = Ext(W;X'). We also extend our two-round key agreement protocol to the ""fuzzy" setting, where Alice and Bob share "close" (but not equal) secrets WA and WB, and to the Bounded Retrieval Model (BRM) where the size of the secret W is huge.

Original languageEnglish (US)
Title of host publicationSTOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing
Pages601-610
Number of pages10
DOIs
StatePublished - 2009
Event41st Annual ACM Symposium on Theory of Computing, STOC '09 - Bethesda, MD, United States
Duration: May 31 2009Jun 2 2009

Other

Other41st Annual ACM Symposium on Theory of Computing, STOC '09
CountryUnited States
CityBethesda, MD
Period5/31/096/2/09

Fingerprint

Cryptography
Seed
Entropy
Communication
Uncertainty

Keywords

  • Authenti- cated key agreement
  • Authentication
  • Bounded retrieval model
  • Encryption
  • Information reconcilliation
  • Information theoretic security
  • Privacy amplification
  • Randomness extractors

ASJC Scopus subject areas

  • Software

Cite this

Dodis, Y., & Wichs, D. (2009). Non-malleable extractors and symmetric key cryptography from weak secrets. In STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing (pp. 601-610) https://doi.org/10.1145/1536414.1536496

Non-malleable extractors and symmetric key cryptography from weak secrets. / Dodis, Yevgeniy; Wichs, Daniel.

STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing. 2009. p. 601-610.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Dodis, Y & Wichs, D 2009, Non-malleable extractors and symmetric key cryptography from weak secrets. in STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing. pp. 601-610, 41st Annual ACM Symposium on Theory of Computing, STOC '09, Bethesda, MD, United States, 5/31/09. https://doi.org/10.1145/1536414.1536496
Dodis Y, Wichs D. Non-malleable extractors and symmetric key cryptography from weak secrets. In STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing. 2009. p. 601-610 https://doi.org/10.1145/1536414.1536496
Dodis, Yevgeniy ; Wichs, Daniel. / Non-malleable extractors and symmetric key cryptography from weak secrets. STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing. 2009. pp. 601-610
@inproceedings{db34a1d1da6d4a86b81175ebf27965d6,
title = "Non-malleable extractors and symmetric key cryptography from weak secrets",
abstract = "We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an n-bit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional min-entropy). Since standard symmetric-key primitives require uniformly random secret keys, we would like to construct an authenticated key agree- ment protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information theoretic setting where the attacker is computationally unbounded. We show that single- round (i.e. one message) protocols do not work when k ≤ n/2 , and require poor parameters even when n/2 < k « n. On the other hand, for arbitrary values of k, we design a communication e±cient two-round (challenge-response) protocol extracting nearly k random bits. This dramatically improves the prior construction of Renner and Wolf [32], which requires θ(λ±log(n)) rounds where λ is the security parameter. Our solution takes a new approach by studying and constructing \non-malleable{"} seeded randomness extractors - if an attacker sees a random seed X and comes up with an arbitrarily related seed X, then we bound the relationship between R' = Ext(W;X) and R0 = Ext(W;X'). We also extend our two-round key agreement protocol to the {"}{"}fuzzy{"} setting, where Alice and Bob share {"}close{"} (but not equal) secrets WA and WB, and to the Bounded Retrieval Model (BRM) where the size of the secret W is huge.",
keywords = "Authenti- cated key agreement, Authentication, Bounded retrieval model, Encryption, Information reconcilliation, Information theoretic security, Privacy amplification, Randomness extractors",
author = "Yevgeniy Dodis and Daniel Wichs",
year = "2009",
doi = "10.1145/1536414.1536496",
language = "English (US)",
isbn = "9781605585062",
pages = "601--610",
booktitle = "STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing",

}

TY - GEN

T1 - Non-malleable extractors and symmetric key cryptography from weak secrets

AU - Dodis, Yevgeniy

AU - Wichs, Daniel

PY - 2009

Y1 - 2009

N2 - We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an n-bit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional min-entropy). Since standard symmetric-key primitives require uniformly random secret keys, we would like to construct an authenticated key agree- ment protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information theoretic setting where the attacker is computationally unbounded. We show that single- round (i.e. one message) protocols do not work when k ≤ n/2 , and require poor parameters even when n/2 < k « n. On the other hand, for arbitrary values of k, we design a communication e±cient two-round (challenge-response) protocol extracting nearly k random bits. This dramatically improves the prior construction of Renner and Wolf [32], which requires θ(λ±log(n)) rounds where λ is the security parameter. Our solution takes a new approach by studying and constructing \non-malleable" seeded randomness extractors - if an attacker sees a random seed X and comes up with an arbitrarily related seed X, then we bound the relationship between R' = Ext(W;X) and R0 = Ext(W;X'). We also extend our two-round key agreement protocol to the ""fuzzy" setting, where Alice and Bob share "close" (but not equal) secrets WA and WB, and to the Bounded Retrieval Model (BRM) where the size of the secret W is huge.

AB - We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an n-bit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional min-entropy). Since standard symmetric-key primitives require uniformly random secret keys, we would like to construct an authenticated key agree- ment protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information theoretic setting where the attacker is computationally unbounded. We show that single- round (i.e. one message) protocols do not work when k ≤ n/2 , and require poor parameters even when n/2 < k « n. On the other hand, for arbitrary values of k, we design a communication e±cient two-round (challenge-response) protocol extracting nearly k random bits. This dramatically improves the prior construction of Renner and Wolf [32], which requires θ(λ±log(n)) rounds where λ is the security parameter. Our solution takes a new approach by studying and constructing \non-malleable" seeded randomness extractors - if an attacker sees a random seed X and comes up with an arbitrarily related seed X, then we bound the relationship between R' = Ext(W;X) and R0 = Ext(W;X'). We also extend our two-round key agreement protocol to the ""fuzzy" setting, where Alice and Bob share "close" (but not equal) secrets WA and WB, and to the Bounded Retrieval Model (BRM) where the size of the secret W is huge.

KW - Authenti- cated key agreement

KW - Authentication

KW - Bounded retrieval model

KW - Encryption

KW - Information reconcilliation

KW - Information theoretic security

KW - Privacy amplification

KW - Randomness extractors

UR - http://www.scopus.com/inward/record.url?scp=70350700885&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70350700885&partnerID=8YFLogxK

U2 - 10.1145/1536414.1536496

DO - 10.1145/1536414.1536496

M3 - Conference contribution

AN - SCOPUS:70350700885

SN - 9781605585062

SP - 601

EP - 610

BT - STOC'09 - Proceedings of the 2009 ACM International Symposium on Theory of Computing

ER -