Bhavana Kanukurthi scite author profile

Consider two parties holding samples from correlated distributions W and W , respectively, where these samples are within distance t of each other in some metric space. The parties wish to agree on a close-to-uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary who may read and modify anything sent over the channel. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK Ext that they can use to generate a sequence of session keys {R j } using multiple pairs {(W j , W j )}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded-storage model with errors.We show solutions that improve upon previous work in several respects:• The best prior solution for the keyless case with no errors (i.e., t = 0) requires the minentropy of W to exceed 2n/3, where n is the bit-length of W . Our solution applies whenever the min-entropy of W exceeds the minimal threshold n/2, and yields a longer key.• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.• Previous solutions for the keyed case were stateful. We give the first stateless solution.

show abstract

Key Agreement from Close Secrets over Unsecured Channels

Kanukurthi

Reyzin

2009

View full text Add to dashboard Cite

We consider information-theoretic key agreement between two parties sharing somewhat different versions of a secret w that has relatively little entropy. Such key agreement, also known as information reconciliation and privacy amplification over unsecured channels, was shown to be theoretically feasible by Renner and Wolf (Eurocrypt 2004), although no protocol that runs in polynomial time was described. We propose a protocol that is not only polynomial-time, but actually practical, requiring only a few seconds on consumer-grade computers.Our protocol can be seen as an interactive version of robust fuzzy extractors (Boyen et al., Eurocrypt 2005, Dodis et al., Crypto 2006. While robust fuzzy extractors, due to their noninteractive nature, require w to have entropy at least half its length, we have no such constraint. In fact, unlike in prior solutions, in our solution the entropy loss is essentially unrelated to the length or the entropy of w, and depends only on the security parameter.

show abstract

Locally Updatable and Locally Decodable Codes

Chandran

Kanukurthi²,

Ostrovsky³

2014

View full text Add to dashboard Cite

Cryptography with Tamperable and Leaky Memory

Kalai

Kanukurthi

Sahai³

2011

View full text Add to dashboard Cite

A large and growing body of research has sought to secure cryptographic systems against physical attacks. Motivated by a large variety of real-world physical attacks on memory, an important line of work was initiated by Akavia, Goldwasser, and Vaikuntanathan [1] where security is sought under the assumptions that: (1) all memory is leaky, and (2) leakage can be an arbitrarily chosen (efficient) function of the memory. However, physical attacks on memory are not limited to leakagethrough side-channels, but can also include active tampering attacks through a variety of physical attacks, including heat and EM radiation. Nevertheless, protection against the analogous model for tampering-where (1) all memory is tamperable, and (2) where the tampering can be an arbitrarily chosen (efficient) function applied to the memory-has remained an elusive target, despite significant effort on tampering-related questions. In this work, we tackle this question by considering a model where we assume that both of these pairs of statements are true-that all memory is both leaky and (arbitrarily) tamperable. Furthermore, we assume that this leakage and tampering can happen repeatedly and continually (extending the model of [10,7] in the context of leakage). We construct a signature scheme and an encryption scheme that are provably secure against such attacks, assuming that memory can be updated in a randomized fashion between episodes of tampering and leakage. In both schemes we rely on the linear assumption over bilinear groups. We also separately consider a model where only continual and repeated tampering (but only bounded leakage) is allowed, and we are able to obtain positive results assuming only that "self-destruct" is possible, without the need for memory updates. Our results also improve previous results in the continual leakage regime without tampering [10,7]. Whereas previous schemes secure against continual leakage (of arbitrary bounded functions of the secret key), could tolerate only 1/2 − leakage-rate between key updates under the linear assumption over bilinear groups, our schemes can tolerate 1− leakage-rate between key updates, under the same assumption.

show abstract

Privacy amplification with asymptotically optimal entropy loss

Chandran

Kanukurthi

Ostrovsky

et al. 2014

J. ACM

View full text Add to dashboard Cite

We study the problem of "privacy amplification": key agreement between two parties who both know a weak secret w, such as a password. (Such a setting is ubiquitous on the internet, where passwords are the most commonly used security device.) We assume that the key agreement protocol is taking place in the presence of an active computationally unbounded adversary Eve. The adversary may have partial knowledge about w, so we assume only that w has some entropy from Eve's point of view. Thus, the goal of the protocol is to convert this non-uniform secret w into a uniformly distributed string R that is fully secret from Eve. R may then be used as a key for running symmetric cryptographic protocols (such as encryption, authentication, etc.).Because we make no computational assumptions, the entropy in R can come only from w. Thus such a protocol must minimize the entropy loss during its execution, so that R is as long as possible. The best previous results have entropy loss of Θ(κ 2 ), where κ is the security parameter, thus requiring the password to be very long even for small values of κ. In this work, we present the first protocol for information-theoretic key agreement that has entropy loss linear in the security parameter. The result is optimal up *

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.