Common use of Extraction Clause in Contracts

Extraction. Letting $C$ denote an active adversary's view of the protocol, $\mathrm{SD}\bigl((k_A, C, E \mid k_A \neq \bot),\ (U_{\lambda_k}, C, E)\bigr) \le \varepsilon$ and $\mathrm{SD}\bigl((k_B, C, E \mid k_B \neq \bot),\ (U_{\lambda_k}, C, E)\bigr) \le \varepsilon$.

Our Protocol. Before going into details in subsequent sections, we present here a high-level overview of our protocol. We start with an authentication sub-protocol Auth presented in [RW03] that achieves the following: using the secret $w$ that is common to Alice and Bob, it allows Alice to send to Bob an authentic (but nonsecret) message $M$ of length $\lambda_M$ bit-by-bit in $2\lambda_M$ messages. Alice and Bob can use this sub-protocol [RW03] in order to agree on a key $k$ as follows: they use Auth to send an extractor seed $s$ from Alice to Bob, and then extract $k$ from $w$ using $s$.¹ We modify this protocol by using Auth to authenticate a MAC key instead of an extractor seed. The MAC key, in turn, is used to authenticate the extractor seed $s$ (which can be done very efficiently using simple information-theoretic MACs). This seems counterintuitive, because Auth reveals what is being authenticated, while MAC keys need to remain secret. The insight is to use the MAC key before Auth begins.² Our modification is beneficial for three reasons. First, MAC keys can be made shorter than extractor seeds, so Auth is used on a shorter string, thus reducing the number of rounds and the entropy loss. Second, this modification allows us to use the same MAC key to authenticate not only the extractor seed $s$, but also the error-correction information (the so-called "secure sketch" of $w$ [DORS08]) in the case Bob's $w'$ is different from Alice's $w$. Third, because there are MACs that are secure even against (limited) key modification [DKRS06, CDF+08], we can lower the security parameters in Auth, further increasing efficiency and reducing entropy loss. The rest of the paper is devoted to filling in the details of the above overview, including smaller improvements not discussed here, and proving the following theorem.

¹ For technical reasons, since the adversary can modify messages of Auth, she may have some information about the string extracted from $w$; this problem is easily handled, see Section 4.
² This idea has been used before in several contexts; to the best of our knowledge it was first used in [Che97] in the context of secure link state routing.

Theorem 1. Given an $[n, \kappa, 2\eta+1]_2$ linear error-correcting code, the protocol presented in Section 4 is an $(\mathcal{M}, h_W, \lambda_k, \eta, \delta, \varepsilon)$-interactive robust fuzzy extraction protocol, where $\mathcal{M}$ is the Hamming space over $\{0,1\}^n$, with the following parameters. Setting security $\delta = 2^{-L}$, the protocol can extract
$$\lambda_k = h_W - (n - \kappa) - 2\log\tfrac{1}{\varepsilon} - \bigl(L^2/2 + O(L(\log n + \log L))\bigr)$$
bits (assuming $n < 2^L$ and $\lambda_k - (n - \kappa) + 2\log\tfrac{1}{\varepsilon} > 10L$). The protocol involves an exchange of $L + \log n + 5$ messages between the two parties. The constant hidden by the $O$ in the entropy loss is small, with $O(L(\log n + \log L))$ really being less than $3L\log 2L + \tfrac{1}{2}L\log n + 3(\log 8L)(\log 16n)$. We obtain similar results for other metric spaces, with the only difference being that $n - \kappa$ in the entropy loss gets replaced by the entropy loss of the secure sketch for that metric space (see Section 3.2).


Comparison with Prior Work. When no error-correction is needed (i.e., $w = w'$ and $\eta = 0$), then $n - \kappa = 0$, and we get an improvement of the result of [RW03]. The result of [RW03] sets $L = \Theta(\sqrt{n}/\log n)$ and loses $\Theta(n/\log n)$ bits of entropy. This can be seen in the description of protocol Auth in [RW03], which has $\Theta(\sqrt{n})$ rounds, each losing $\Theta(L)$ bits. Our protocol has only $\Theta(L)$ rounds, with each also losing $\Theta(L)$ bits. Thus, our result is a $\Theta(\log n)$-factor improvement in efficiency and entropy loss for the same security (moreover, the constant hidden by $\Theta$, although difficult to compute exactly, is substantial, likely bigger than $\log n$ in real applications).

A precise comparison with [RW04], which uses [RW03] as a building block and adds error-correction, is even more complicated. Our advantage in the number of rounds remains the same, though the constant factor improves even further. To compare the entropy loss, we can fix the secure sketch code used in our protocol (which can be based on any linear error-correcting code) to the one implicitly used in [RW04]. In that case, the entropy loss due to the added error-correction is asymptotically the same for our protocol and for the protocol of [RW04], though the constant in our protocol is substantially lower. On the other hand, an important advantage of our protocol is that we can choose a code that is efficiently decodable, in which case the entropy loss due to error-correction may increase, but the protocol will run in polynomial time.

We now compare our result to the construction of [DKRS06]. The advantage of the [DKRS06] construction is that it takes only a single message and the entropy loss is linear in $L$ rather than quadratic. The disadvantage is that it loses an additional $n - h_W$ bits of entropy, which means that it is most effective when $W$ has very high entropy. In particular, it becomes inapplicable when $h_W \le n/2$.

3 Building Blocks
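The message flow from the protocol overview above (a MAC key used first and only then authenticated by Auth; that key covering both the extractor seed and the secure sketch; Bob outputting ⊥ when the tag fails), as an added toy example that is not part of the paper and not the authors' code. Assumptions made here: the Hamming $[15,11,3]_2$ code stands in for the $[n,\kappa,2\eta+1]_2$ code (so $n = 15$, $\kappa = 11$, $\eta = 1$), the secure sketch is the syndrome of $w$, the MAC is a one-time polynomial MAC over a prime field (not the key-modification-tolerant MACs of [DKRS06, CDF+08]), the extractor is a Toeplitz universal hash, and Auth is modelled by an idealized authenticated delivery `auth_deliver` rather than re-implemented from [RW03]. The sample $w$, $w'$ and the adversary's bit flips are constructed for the example.

```python
import secrets

# Toy parameters (assumptions for this example, not the paper's): the Hamming
# [15, 11, 3]_2 code stands in for the [n, kappa, 2*eta+1]_2 code, so n = 15,
# kappa = 11, eta = 1; the extracted key has LAM_K = 4 bits.
R = 4
N = 2 ** R - 1               # n = 15
LAM_K = 4                    # lambda_k
P = (1 << 61) - 1            # prime field for the one-time polynomial MAC


def syndrome(bits):
    """H * bits over GF(2); column j (1-based) of H is the binary form of j."""
    s = 0
    for j, b in enumerate(bits, start=1):
        if b:
            s ^= j
    return s


def sketch(w):
    """Syndrome secure sketch SS(w): leaks n - kappa = R bits about w."""
    return syndrome(w)


def recover(w_prime, ss):
    """Recover w from w' and SS(w) when dist(w, w') <= eta = 1.
    Beyond eta the decoder returns a wrong word without noticing; the MAC
    does not catch that either, since it authenticates ss, not w'."""
    e = syndrome(w_prime) ^ ss       # = H * (w xor w'), the error syndrome
    w = list(w_prime)
    if e:
        w[e - 1] ^= 1                # syndrome equals the index of the flipped bit
    return w


def extract(w, seed):
    """Ext(w; s): LAM_K x N Toeplitz matrix over GF(2) defined by the seed bits
    (a universal hash family), applied to w."""
    assert len(seed) == N + LAM_K - 1
    return [sum(seed[i - j + N - 1] & w[j] for j in range(N)) & 1
            for i in range(LAM_K)]


def mac(key, blocks):
    """One-time information-theoretic MAC: tag = b + sum_i m_i * a^i mod P."""
    a, b = key
    tag, apow = b, a
    for m in blocks:
        tag = (tag + m * apow) % P
        apow = apow * a % P
    return tag


def bits_to_int(bits):
    return int("".join(map(str, bits)), 2)


def alice_send(w):
    """Alice's first, unauthenticated message: seed, sketch and a tag under a
    fresh MAC key. The key is consumed here, BEFORE Auth delivers it to Bob."""
    mac_key = (1 + secrets.randbelow(P - 1), secrets.randbelow(P))   # a != 0
    seed = [secrets.randbits(1) for _ in range(N + LAM_K - 1)]
    ss = sketch(w)
    tag = mac(mac_key, [bits_to_int(seed), ss])
    return mac_key, (seed, ss, tag)


def auth_deliver(mac_key):
    """Stand-in for the Auth sub-protocol of [RW03], modelled as an ideal
    authenticated (but public) delivery of the short MAC key; not implemented."""
    return mac_key


def bob_receive(w_prime, msg, mac_key):
    seed, ss, tag = msg
    if mac(mac_key, [bits_to_int(seed), ss]) != tag:
        return None                  # k_B = bottom: seed or sketch was modified
    return extract(recover(w_prime, ss), seed)


def run(w, w_prime, tamper=None):
    """One protocol run; `tamper` is the active adversary's edit of the first
    message. Returns (k_A, k_B); k_B is None when Bob rejects."""
    mac_key, msg = alice_send(w)
    k_a = extract(w, msg[0])
    if tamper is not None:
        msg = tamper(msg)            # the adversary commits before seeing the MAC key
    k_b = bob_receive(w_prime, msg, auth_deliver(mac_key))
    return k_a, k_b


if __name__ == "__main__":
    # Constructed sample: w and w' differ in one position (within eta = 1).
    w = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0]
    w_prime = list(w)
    w_prime[6] ^= 1
    print("honest run:", run(w, w_prime))
    flip_seed = lambda m: (m[0][:-1] + [m[0][-1] ^ 1], m[1], m[2])
    print("seed tampered:", run(w, w_prime, flip_seed))
```

The ordering in `run` is the point of the paper's modification: the adversary has to fix her version of `(seed, ss, tag)` before the MAC key becomes public through Auth, so a modified seed or sketch is caught with probability $1 - 2/P$ here, while the key itself can be far shorter than the seed. The toy sizes make the leftover entropy meaningless ($n - \kappa = 4$ bits leak through the sketch alone), so only the control flow, not the parameters, should be read off this code.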

Appears in 1 contract

Sources: Key Agreement