Non-Malleable Extractors and Symmetric Key Cryptography from Weak Secrets


Yevgeniy Dodis, Daniel Wichs
April 6, 2009

Abstract

We study the question of basing symmetric key cryptography on weak secrets. In this setting, Alice and Bob share an n-bit secret W, which might not be uniformly random, but the adversary has at least k bits of uncertainty about it (formalized using conditional min-entropy). Since standard symmetric-key primitives require uniformly random secret keys, we would like to construct an authenticated key agreement protocol in which Alice and Bob use W to agree on a nearly uniform key R, by communicating over a public channel controlled by an active adversary Eve. We study this question in the information theoretic setting where the attacker is computationally unbounded. We show that single-round (i.e. one message) protocols do not work when $k \le n/2$, and require poor parameters even when $n/2 < k \le n$. On the other hand, for arbitrary values of k, we design a communication efficient two-round (challenge-response) protocol extracting nearly k random bits. This dramatically improves the previous construction of Renner and Wolf [RW03], which requires $\Theta(\lambda + \log(n))$ rounds where λ is the security parameter. Our solution takes a new approach by studying and constructing non-malleable seeded randomness extractors: if an attacker sees a random seed X and comes up with an arbitrarily related seed X', then we bound the relationship between $R = \mathrm{Ext}(W; X)$ and $R' = \mathrm{Ext}(W; X')$. We also extend our two-round key agreement protocol to the fuzzy setting, where Alice and Bob share (close but not equal) secrets $W_A$ and $W_B$, and to the Bounded Retrieval Model (BRM) where the size of the secret W is huge.

Computer Science Dept. NYU. Email: dodis@cs.nyu.edu. Computer Science Dept. NYU. Email: wichs@cs.nyu.edu.

1 Introduction

In this paper, we study the fundamental problem of symmetric key cryptography: Alice and Bob share a secret W and wish to communicate securely over a public channel controlled by an active adversary Eve. In particular, we want the communication to be private and authentic. Of course, this problem is well studied and can be solved using basic cryptographic primitives, either under computational assumptions, or even in the information theoretic setting. However, the standard solutions for both settings assume that the secret W is perfectly (uniformly) random. In practice, many secrets, such as human-memorable passphrases and biometrics, are not uniformly random. Even keys that start out perfectly random may become compromised, for example through side-channel attacks against hardware or due to a malware infiltration of the storage device. Although all security is lost if the adversary learns the secret in its entirety, it is often reasonable to assume that the compromise is only partial. This assumption is natural for side-channel attacks (and was formalized in [MR04, DP08, AGV09]) where the adversary does not have full access to the device, and for malware infiltration in the Bounded Retrieval Model [Dzi06, CLW06], where the secret is made intentionally huge so that a malicious program cannot communicate it fully to an adversary. Lastly, it is conceivable that Alice and Bob, who do not share a secret initially, can use some physical means to agree on a key about which an eavesdropping adversary will only have partial information. This is, for example, the case in Quantum Key Agreement [BB84] and in the wiretap channel model [Wyn75]. In this work, we study a general setting which encompasses all of the above examples. We assume that Alice and Bob share a weak secret, modeled as a random variable W arbitrarily distributed over bit-strings of length n, about which an adversary Eve has some side information, modeled as a random variable Z correlated with W.
We want to base symmetric key cryptography on minimal assumptions about the secrecy of W, and only require that W has at least k bits of entropy (conditioned on the side-information Z), where k is roughly proportional to the security parameter. As already mentioned, standard symmetric key primitives can be used in the case where Alice and Bob share a truly random key, and therefore we ask the following natural question.

Question 1: Can Alice and Bob use a shared weak secret W to securely agree on a nearly uniform secret key R, by communicating over a public and unauthenticated channel, controlled by an active attacker Eve?

One possible solution to this problem is to use password authenticated key exchange (PAK) [BMP00, BPR00, KOY01, GL01, CHK+05, GL06], where the secret W is used as a password. PAK allows Alice and Bob to agree on arbitrarily many random session keys using the secret W, and achieves strong security guarantees even when the entropy k is very low. On the other hand, all of the practical constructions of PAK either use the random oracle model or rely on a trusted common reference string. The only exception is the construction of [GL01] which, instead, requires many rounds of interaction and is not practically efficient. In addition, all of the constructions require the use of public key cryptography. Thus, even though we are in a symmetric key setting where Alice and Bob share a secure secret W, the use of PAK requires public key assumptions (and expensive public key operations) to take advantage of it. Also, PAK is a computational primitive, and only provides security when the attacker Eve is computationally bounded. In contrast, we will study Question 1 in the information theoretic setting, where the adversary Eve is computationally unbounded. We call protocols that solve the problem of Question 1 in our setting (information-theoretic) authenticated key agreement (IT-AKA) protocols. Of course, IT-AKA cannot achieve all of the security guarantees of PAK.
For example, IT-AKA can only be used once to convert a weak secret W into a uniformly random key R, and cannot be used to generate arbitrarily many session keys. Also, authenticated key agreement does not provide any security guarantees when the entropy k is very low (i.e. when the secret can be guessed with a reasonable probability). On the other hand, IT-AKA achieves information theoretic security and thus allows us to base all of symmetric key cryptography (information-theoretic as well as computational) on weak secrets. Moreover, our constructions will be efficient (no public key operations) and do not require a common reference string or any other setup. For the rest of the paper, we will therefore assume that the adversary Eve is computationally unbounded.

A weaker variant of our problem, called privacy amplification [BBR88, Mau92, BBCM95], requires that Alice and Bob communicate over an authenticated channel (alternatively, that the attacker Eve is passive). In this setting, key agreement can be solved using a (strong) randomness extractor [NZ96], which uses a seed X that is made public to the adversary, to extract nearly uniform randomness $R = \mathrm{Ext}(W; X)$ from a weak secret W. Privacy amplification can therefore be done in a one-round protocol, where Alice sends a seed X to Bob and both parties share the extracted key R. The question of authenticated key agreement (when there is no authenticated channel and the adversary is active) was first studied by Maurer and Wolf in [MW97], who constructed an IT-AKA protocol for the case when W has entropy $k > 2n/3$ (where n is the bit-length of W). This was later improved to $k > n/2$ in the work of [DKRS06]. Both of the above constructions are single-round, but only achieve authenticity at a price in the communication complexity (requiring at least $n - k$ bits) and the size of extracted key (which is at most $l < 2k - n$ bits long, and thus far below the full entropy of W). The most troubling aspect of these constructions, however, is the requirement that the entropy must exceed $k > n/2$, which conflicts with our goal of basing symmetric key cryptography on minimal secrecy assumptions. Moreover, many natural sources of secret randomness, such as biometrics, are unlikely to satisfy this requirement. In terms of negative results, Dodis and Spencer [DS02] showed impossibility of one-round message authentication if the only randomness available to Alice and Bob comes from a weak secret W whose entropy is $k \le n/2$.
However, in our setting, we assume that the parties also have access to a local (non-shared) source of perfect randomness. These two settings are very different and, when no perfect randomness is available, most cryptographic primitives (including privacy amplification) are impossible even if $k > n/2$ [MP90, DOPS04, BD07]. Therefore, we feel that the result of Dodis and Spencer has often been incorrectly interpreted (for example in [RW03, DKRS06, CDF+08]) as showing the impossibility of one-round authenticated key agreement protocols in our more general setting, where perfect (non-shared) randomness is available. In this paper we rectify this discrepancy by proving a (non-trivial) generalization of the [DS02] lower bound for our setting, thus showing that, unfortunately, single-round protocols do not exist when the entropy is $k \le n/2$. In terms of positive results, an interactive IT-AKA for arbitrarily weak secrets (i.e. allowing entropy $k \le n/2$) was constructed by Renner and Wolf in [RW03] using a protocol which requires $\Theta(\lambda + \log(n))$ rounds of interaction, where λ is the security parameter. Several optimizations to the above protocol were proposed by Kanukurthi and Reyzin [KR09], leading to important practical efficiency gains, but without improving the (large) asymptotic round complexity of the original protocol. Thus, there is a huge gap between the lower bound (which shows that at least two rounds of interaction are required) and the best prior constructions. We therefore turn our attention to the following question, which will be the central question of this work.

Question 2: What is the minimal amount of interaction required to achieve authenticated key agreement (IT-AKA) from arbitrarily weak secrets? In particular, is a two-round protocol possible?

In this paper, we answer Question 2 in the affirmative by giving an efficient construction of the first two-round IT-AKA protocol for arbitrarily weak secrets, and so bridge the gap between lower bound and construction.
Our protocol only requires $k \ge \mathrm{poly}(\lambda, \log(n))$, where λ is the security parameter, and thus allows for entropy k which is sub-linear in the size n of the secret (footnote 1). Hence our construction is optimal in the amount of interaction and requires (essentially) minimal assumptions on the entropy of the secret W. Our protocol is also efficient in terms of communication complexity and extracts essentially all of the entropy of W into the final shared key. Therefore, even in the setting $n/2 < k \le n$, where less efficient one-round protocols are possible, our two-round construction may be preferred.

Our results employ a new technique which differs significantly from the prior work. The main novelty in our construction is the design of non-malleable extractors, which are an interesting primitive of independent interest. For non-malleability, we consider an attacker who sees a random extractor seed X and produces an arbitrarily related seed X'. We require that the relationship between $R = \mathrm{Ext}(W; X)$ and $R' = \mathrm{Ext}(W; X')$ is bounded in some well-defined manner. To our knowledge, this is the first work to explore the (non-)malleability properties of extractors, a problem which is particularly difficult since we must analyze security with respect to a very large class of distributions for W and methods for modifying the seed X. Our main construction of non-malleable extractors is based on the (seemingly unrelated) concept of alternating extraction, recently introduced in [DP07]. Using non-malleable extractors, we show how Alice can authenticate a message to Bob in a simple two-round (challenge-response) protocol. Lastly, we use this message authentication protocol as a tool for our construction of two-round authenticated key agreement. We also present two orthogonal extensions of our basic scheme. In the first extension, we consider the fuzzy case where Alice and Bob have two different but correlated secrets $W_A$, $W_B$. In the second extension, we consider the case where the shared secret W is huge (e.g. as in the bounded retrieval model) and hence efficient protocols require locality, i.e. Alice and Bob can only access a small portion of W to run their protocol.

Footnote 1: Our main (efficient) construction requires $k \ge O(\lambda^2 + \log^2(n))$ which asymptotically matches the requirements on entropy needed in [KR09]. We show that this can be improved further, by giving a (non-constructive) argument for the existence of IT-AKA protocols requiring only $k \ge O(\lambda + \log(n))$.

2 Notation and Preliminaries

Notation.
If W is a probability distribution or a random variable then $w \leftarrow W$ denotes that a value w is sampled randomly according to W. For a randomized algorithm or function f, we use the semicolon to make the randomness explicit, i.e. $f(w; r)$ is the output of f with input w using randomness r. Otherwise, we let $f(w)$ denote a random variable for the output of f on the value w. Similarly, for a random variable W, we let $f(W)$ denote the output of f on an input sampled according to W. We use $U_l$ to denote a uniformly random distribution over l bit strings.

Min-entropy and Statistical Distance. The statistical distance between two random variables A, B is defined by $\mathrm{SD}(A, B) = \frac{1}{2}\sum_v \left|\Pr[A = v] - \Pr[B = v]\right|$. We use $A \approx_\varepsilon B$ as shorthand for $\mathrm{SD}(A, B) \le \varepsilon$. The min-entropy of a random variable W is $H_\infty(W) \stackrel{\text{def}}{=} -\log(\max_w \Pr[W = w])$. This notion of entropy is useful in cryptography since it measures the predictability of W by an adversary. However, cryptographic secrets cannot usually be analyzed in a vacuum and we have to consider the conditional predictability of W when sampled according to some joint distribution (W, Z) where the adversary sees Z. Following [DORS08], the correct corresponding notion is average conditional min-entropy defined by $\tilde{H}_\infty(W \mid Z) \stackrel{\text{def}}{=} -\log\left(\mathbb{E}_{z \leftarrow Z}\left[\max_w \Pr[W = w \mid Z = z]\right]\right)$. We say that a random variable W is an (n, k)-source if it is distributed over $\{0,1\}^n$ and $H_\infty(W) \ge k$. We say that $(W \mid Z)$ is an (n, k)-source if W takes values over $\{0,1\}^n$ and $\tilde{H}_\infty(W \mid Z) \ge k$. Several important background lemmas regarding min-entropy and statistical distance are given in Appendix B.

Extractors and MACs: We review two information theoretic primitives that we will use extensively throughout the paper: randomness extractors and (one-time) MACs. A randomness extractor uses a random seed X as a catalyst to extract nearly uniform randomness $R = \mathrm{Ext}(W; X)$ from a weak source W. A message authentication code (MAC) uses a private key R to produce a tag σ for a message µ such that an adversary who sees µ, σ cannot produce a valid tag σ' for a modified message $\mu' \neq \mu$.

Definition 1. We say that an efficient function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^l$ is an (n, k, d, l, ε)-extractor if for all (n, k)-sources $(W \mid Z)$, $(Z, X, \mathrm{Ext}(W; X)) \approx_\varepsilon (Z, X, U_l)$ where X is uniform on $\{0,1\}^d$.

Definition 2. We say that a family of functions $\{\mathrm{MAC}_r : \{0,1\}^m \to \{0,1\}^s\}_{r \in \{0,1\}^n}$ is a δ-secure (one-time) message authentication code (MAC) if for any $\mu \neq \mu'$, σ, σ', $\Pr[\mathrm{MAC}_R(\mu) = \sigma \wedge \mathrm{MAC}_R(\mu') = \sigma'] \le \delta$ where R is uniformly random on $\{0,1\}^n$.

Some further notes about the above definitions and the parameters of known constructions for extractors and MACs are deferred to Appendix A.

3 Interactive Message Authentication

In this section we study the problem of message authentication when Alice and Bob share an arbitrarily weak secret W about which an adversary Eve has some side-information Z. Alice wants to send an authenticated message $\mu_A$ to Bob, in the presence of an active attacker Eve, who has complete control over the network and can modify protocol messages arbitrarily. Bob should either correctly receive $\mu_A$, or detect an active attack and quit by outputting ⊥.

Definition 3. An (n, k, m, δ)-message authentication protocol AUTH is a protocol in which Alice starts with a source message $\mu_A \in \{0,1\}^m$ and, at the conclusion of the protocol, Bob outputs a received message $\mu_B \in \{0,1\}^m \cup \{\bot\}$. We require the following properties:
Correctness. If the adversary Eve is passive then, for any source message $\mu_A \in \{0,1\}^m$, $\Pr[\mu_B = \mu_A] = 1$.
Security. If $(W \mid Z)$ is an (n, k)-source then, for any source message $\mu_A \in \{0,1\}^m$ and any active adversarial strategy employed by Eve, $\Pr[\mu_B \notin \{\mu_A, \bot\}] \le \delta$.

For the case of perfectly random secrets W, it is well-known how to solve the above problem using message authentication codes (MAC), where the authentication protocol consists of a single round in which Alice sends her message $\mu_A$ along with a tag $\sigma = \mathrm{MAC}_W(\mu_A)$. We show that this strategy does not (in general) extend to the case of weak secrets. Namely, one-round message authentication protocols are only possible if the entropy of the secret is at least $k > n/2$.
In addition, even when this condition does hold, a single-round protocol will have a communication complexity of roughly $n - k$ bits. This lower bound often makes one-round protocols impossible, as in the setting of biometrics where the entropy-rate is often $k < n/2$, or impractical, as in the Bounded Retrieval Model where a communication complexity of $n - k$ bits would be huge and on the order of several gigabytes. Our lower bound applies to authentication protocols in which Alice can authenticate even a single bit. As mentioned in the introduction, this result can be thought of as a (non-trivial) extension of [DS02] to the setting where Alice and Bob have access to a local (non-shared) source of perfect randomness. The proof of the following theorem appears in Appendix C.

Theorem 4. Any one-round (n, k, m, δ)-message authentication protocol with security $\delta < 1/4$ must satisfy $k > n/2$ and must have a communication complexity of at least $(n - k)/2$ bits.

In the rest of this section, we construct an efficient two-round authentication protocol that can tolerate entropy $k \le n/2$, thus showing that the above lower bound does not extend beyond a single round. Our protocol (see Figure 1) has a simple challenge-response structure; Bob initiates the conversation by sending a random challenge to Alice, who then uses the secret W to compute a response that authenticates her message. In our protocol, the challenge that Bob sends to Alice is a seed X for some randomness extractor Ext. If the adversary does not modify the seed, then Alice and Bob will use it to derive a shared random key $R = \mathrm{Ext}(W; X)$. Alice can then authenticate her message $\mu_A$, by using R as a key for a message authentication code MAC and sending the tag $\sigma = \mathrm{MAC}_R(\mu_A)$ along with $\mu_A$ as her response to Bob. This gives us a very natural construction of a two-round authentication protocol based on an extractor and a MAC. Unfortunately, the construction is not secure in general. The problem is that Eve can modify the extractor seed X to some arbitrarily related value X', causing Alice to derive some incorrect, but possibly related, key $R' = \mathrm{Ext}(W; X')$. Alice then uses R' to (incorrectly) compute her response $\sigma' = \mathrm{MAC}_{R'}(\mu_A)$. In general, the incorrectly computed tag σ' may allow the adversary to forge a valid tag $\sigma = \mathrm{MAC}_R(\mu_B)$ for a new message $\mu_B \neq \mu_A$ under the correct key R. One can think of this as a related key attack where Eve learns the tag computed under a related key and forges a tag for a new message under the original key. Therefore, we must somehow restrict the adversarial attacks that Eve can perform by modifying the seed X. We use a two-pronged approach to combat this problem. Firstly, we construct an extractor which has some non-malleability property meaning that if an attacker sees a random seed X and comes up with a related seed X' then we bound the relationship between Bob's key $R = \mathrm{Ext}(W; X)$ and Alice's incorrect key $R' = \mathrm{Ext}(W; X')$. Secondly, we construct special MACs which are resistant to the limited types of related key attacks that our extractor allows. We then plug our special constructions of extractors and MACs into the framework shown in Figure 1, to construct a two round authentication protocol.

Figure 1: A Framework for Message Authentication Protocols. Bob (holding W) samples X, computes $R = \mathrm{Ext}(W; X)$ and sends X; Eve (holding Z) may replace it by X'. Alice (holding W, $\mu_A$) computes $R' = \mathrm{Ext}(W; X')$ and $\sigma' = \mathrm{MAC}_{R'}(\mu_A)$ and sends $(\mu_A, \sigma')$; Eve may replace this by $(\mu_B, \sigma)$. Bob checks $\sigma \stackrel{?}{=} \mathrm{MAC}_R(\mu_B)$.

We present two instantiations of the above framework. As our first instantiation, we define fully non-malleable extractors, which essentially guarantee that randomness extracted under a modified seed is completely unrelated to that extracted under the original seed. We prove that (surprisingly) such extractors do indeed exist and can achieve very good parameters.
We do so using a probabilistic method argument and therefore this approach does not help us in finding an efficient implementation. The strong non-malleability property essentially prevents Eve from performing any kind of related key attack and therefore, in the first approach, we can use standard one-time MACs for the response. In our second approach, we define a weaker non-malleability property that we call look-ahead and give an efficient construction of look-ahead extractors. We then construct a new message authentication code which is specifically tailored to withstand the limited types of related key attacks that look-ahead extractors allow.

3.1 Approach 1: Fully Non-Malleable Extractors (non-constructive)

In this section, we define a powerful primitive called a (fully) non-malleable extractor. This is a seeded extractor which takes a weak secret W and extracts randomness R using a seed X. For the non-malleability property, we consider the following attack game. The adversary gets the seed X and comes up with an arbitrarily related seed $X' \neq X$. The adversary then learns the value R' extracted from W under the seed X'. We require that the original randomness R still looks uniformly random even when given R', and thus the two values are completely unrelated.

Definition 5. A function $\mathrm{nmExt} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^l$ is a (n, k, d, l, ε) non-malleable extractor (NM-EXT) if, for any (n, k)-source $(W \mid Z)$ and any adversarial function A:
$$(Z, X, \mathrm{nmExt}(W; A(X, Z)), \mathrm{nmExt}(W; X)) \approx_\varepsilon (Z, X, \mathrm{nmExt}(W; A(X, Z)), U_l)$$
where X is uniformly random over $\{0,1\}^d$ and $A(X, Z) \neq X$.

Upon seeing the definition, it is not clear if non-malleable extractors can exist at all. In fact, one obvious attack would be for the adversary to choose a random seed X' unrelated to X and thus learn some l bits of information about W from R'. In order for $\mathrm{nmExt}(W; X)$ to then look random, we need to make sure that W still has at least l bits of residual entropy left after l bits are revealed, showing that we need $l < k/2$ (i.e. we can extract at most half of the entropy) just to protect against an adversary who sees the value of the extractor at a random and unrelated seed X'. Of course, an adversary that can choose an arbitrarily related seed X' has significantly more power and there is no immediate reason to believe that we can defend against such an adversary at all. Surprisingly, using the probabilistic method, we show that non-malleable extractors do indeed exist and that the condition $l < k/2$ is essentially sufficient. The proof appears in Appendix D.1. It requires a careful analysis of the dependencies introduced by the inclusion of a related-seed attacker A and thus is significantly more involved than the simple probabilistic method argument for standard extractors.

Theorem 6. There exists an (n, k, d, l, ε) non-malleable extractor for any integers $n \ge k$, d, l and any ε > 0 as long as $k > 2l + 3\log(1/\varepsilon) + \log(d) + 9$ and $d > \log(n - k + 1) + 2\log(1/\varepsilon) + 7$.

Plugging in a non-malleable extractor and a one-time MAC into our main construction (Figure 1) gives us a two-round authentication protocol: Bob picks an extractor seed X, computes $R = \mathrm{nmExt}(W; X)$ and sends X to Alice. Alice receives a (possibly modified) seed X' and computes $R' = \mathrm{nmExt}(W; X')$. She then uses R' as a key to a standard MAC to authenticate her message $\mu_A$ to Bob. It is fairly simple to analyze the security of the protocol.
If $X' \neq X$ then, by non-malleability, the value R' is unrelated to the random key R and hence the value $\sigma' = \mathrm{MAC}_{R'}(\mu_A)$ will not help the adversary produce a valid tag σ under the key R (not even to authenticate Alice's actual message $\mu_A$!). On the other hand, if $X' = X$ then $R' = R$ and hence we can rely directly on the security of the MAC to ensure that $\mu_B = \mu_A$. Therefore we get the following theorem and corollary for the existence of two-round message authentication protocols with nearly optimal parameters. See Appendix D.2 and Appendix D.3 for proofs.

Theorem 7. Assume that nmExt is a (n, k, d, l, ε) non-malleable extractor and that the collection $\{\mathrm{MAC}_r : \{0,1\}^m \to \{0,1\}^s\}$, indexed by keys $r \in \{0,1\}^l$, is a δ-secure one-time MAC. Then our construction outlined above gives us a (n, k, m, 2(δ + ε))-message authentication protocol with two rounds of interaction and a communication complexity of $d + s + m$ bits.

Corollary 1. There exist (n, k, m, δ)-message authentication protocols with two rounds of interaction for any integers $n \ge k$, m and any δ > 0 as long as $k > O(\log(\log(n)) + \log(m) + \log(1/\delta))$. Moreover, the communication complexity of such protocols is $m + O(\log(n) + \log(m) + \log(1/\delta))$.

3.2 Approach 2: Look-Ahead Extractors (efficient construction)

In this section, we define a weaker notion of non-malleability called look-ahead. A look-ahead extractor uses a random seed X to extract t blocks of randomness $R_1, \ldots, R_t$ from a secret W. Assume that a seed X' is arbitrarily related to X and that the blocks $R'_1, \ldots, R'_t$ are extracted from W using X'. We insist that any suffix $R_{i+1}, \ldots, R_t$ of the original sequence looks uniformly random, even when given the prefix $R'_1, \ldots, R'_i$ in the related sequence. In other words, the adversary cannot modify the seed and use the (incorrectly) extracted blocks to look ahead into the original sequence of blocks.

Definition 8. Let $\mathrm{laExt} : \{0,1\}^n \times \{0,1\}^d \to (\{0,1\}^l)^t$ be a function such that $\mathrm{laExt}(W; X)$ outputs blocks $R_1, \ldots, R_t$ with $R_i \in \{0,1\}^l$. We say that laExt is a (n, k, d, l, t, ε)-look-ahead extractor if, for any (n, k)-source $(W \mid Z)$, any adversarial function A and any $i \in \{0, \ldots, t-1\}$,
$$\left(Z, X, [R'_1, \ldots, R'_i], [R_{i+1}, \ldots, R_t]\right) \approx_\varepsilon \left(Z, X, [R'_1, \ldots, R'_i], U_{l(t-i)}\right) \qquad (1)$$
where $[R_1, \ldots, R_t] = \mathrm{laExt}(W; X)$, $X' = A(X, Z)$, $[R'_1, \ldots, R'_t] = \mathrm{laExt}(W; X')$.

We note that this is a significantly weaker property than full non-malleability. For example, given a random seed X, there might be a related seed X' such that $\mathrm{laExt}(W; X) = \mathrm{laExt}(W; X')$ with high probability. Nevertheless, we will show that look-ahead suffices for our needs. Our construction of a look-ahead extractor is based on the idea of alternating extraction, which was introduced by Dziembowski and Pietrzak in [DP07] as a tool for building an intrusion resilient secret sharing scheme. In the following section we review this concept using our own terminology and present an alternating-extraction theorem which captures the main ideas implicit in [DP07], in an abstracted and (slightly) generalized form.

Figure 2: Alternating Extraction. Quentin (holding Q, $S_1$) sends $S_1$ to Wendy (holding W); Wendy replies with $R_1 = \mathrm{Ext}_w(W; S_1)$; Quentin computes $S_2 = \mathrm{Ext}_q(Q; R_1)$ and sends $S_2$; Wendy replies with $R_2 = \mathrm{Ext}_w(W; S_2)$; ...; Quentin computes $S_t = \mathrm{Ext}_q(Q; R_{t-1})$ and sends $S_t$; Wendy computes $R_t = \mathrm{Ext}_w(W; S_t)$.

Alternating Extraction. Assume that two parties, Quentin and Wendy, have values Q, W respectively such that W is kept secret from Quentin and Q is kept secret from Wendy. Let $\mathrm{Ext}_q$, $\mathrm{Ext}_w$ be randomness extractors (with possibly different parameters) and assume that Quentin also has a random seed $S_1$ for the extractor $\mathrm{Ext}_w$. The alternating extraction protocol (see Figure 2) is an interactive process between Quentin and Wendy, which runs in t iterations. In the first iteration, Quentin sends his seed $S_1$ to Wendy, Wendy computes $R_1 = \mathrm{Ext}_w(W; S_1)$, sends $R_1$ to Quentin, and Quentin computes $S_2 = \mathrm{Ext}_q(Q; R_1)$. In each subsequent iteration, Quentin sends $S_i$ to Wendy, who replies with $R_i = \mathrm{Ext}_w(W; S_i)$, and Quentin computes $S_{i+1} = \mathrm{Ext}_q(Q; R_i)$.
Thus Quentin and Wendy together produce the sequence:
$$S_1,\quad R_1 = \mathrm{Ext}_w(W; S_1),\quad S_2 = \mathrm{Ext}_q(Q; R_1),\quad \ldots,\quad S_t = \mathrm{Ext}_q(Q; R_{t-1}),\quad R_t = \mathrm{Ext}_w(W; S_t) \qquad (2)$$
The alternating-extraction theorem says that there is no better strategy that Quentin and Wendy can use to compute the above sequence. More precisely, let us assume that, in each iteration, Quentin is limited to sending at most $s_q$ bits to Wendy who can then reply by sending at most $s_w$ bits to Quentin (where $s_q$ and $s_w$ are much smaller than the entropy of Q, W, preventing Quentin from sending his entire value Q). Then, for any possible strategy cooperatively employed by Quentin and Wendy in the first i iterations, the values $R_{i+1}, R_{i+2}, \ldots, R_t$ look uniformly random to Quentin (and, symmetrically, $S_{i+1}, S_{i+2}, \ldots, S_t$ look random to Wendy). In other words, Quentin and Wendy acting together cannot speed up the process in some clever way so that Quentin would learn $R_j$ (or even distinguish it from random) in fewer than j iterations. We prove the following theorem in Appendix E.1, essentially using the techniques of [DP07] (footnote 2).

Theorem 9 (Alternating Extraction). Let $(W \mid Z)$ be an $(n_w, k_w)$-source and Q be an $(n_q, k_q)$-source independent of W, Z. For any integers $s_q, s_w, t, l$, let $\mathrm{Ext}_w$, $\mathrm{Ext}_q$ be extractors with respective parameters $(n_w, k_w - (s_w + l)t, l, l, \varepsilon_w)$, $(n_q, k_q - (s_q + l)t, l, l, \varepsilon_q)$ so that the seed size and extracted key length is l in both cases. Let $S_1$ be uniformly random on $\{0,1\}^l$ and define $R_1, S_2, R_2, \ldots, S_t, R_t$ as in equation (2). Let $A_q(Q, S_1, Z)$, $A_w(W, Z)$ be interactive machines such that, in each iteration, $A_q$ sends at most $s_q$ bits to $A_w$ which replies with at most $s_w$ bits to $A_q$. Let $V_w^i$, $V_q^i$ denote the views of the machines $A_w$, $A_q$ respectively, including their inputs and transcripts of communication, after the first i iterations. Then, for all $0 \le i \le t-1$,
$$(V_q^i, R_{i+1}, R_{i+2}, \ldots, R_t) \approx_\varepsilon (V_q^i, U_{l(t-i)}) \quad\text{and}\quad (V_w^i, S_{i+1}, S_{i+2}, \ldots, S_t) \approx_\varepsilon (V_w^i, U_{l(t-i)}) \qquad (3)$$
where $\varepsilon = t^2(\varepsilon_w + \varepsilon_q)$.

Construction of a Look-Ahead Extractor. At first it may seem surprising that alternating extraction (which is an interactive protocol) can help us in the construction of a non-malleable extractor (which is a non-interactive primitive). Our construction of a look-ahead extractor is relatively simple. We let $X = (Q, S_1)$ be a seed, and define
$$\mathrm{laExt}(W; (Q, S_1)) \stackrel{\text{def}}{=} R_1, \ldots, R_t \qquad (4)$$
where $R_1, \ldots, R_t$ are generated as in equation (2). Essentially, the extractor uses the seed $X = (Q, S_1)$ to run Quentin's side and the secret W to run Wendy's side in the alternating-extraction protocol for t iterations and outputs all of Wendy's blocks $R_1, \ldots, R_t$ at the conclusion. We use the alternating-extraction theorem to analyze resistance of this construction to malleability attacks. Suppose that a modified seed $X' = (Q', S'_1) = A((Q, S_1), Z)$ is used to extract $R'_1, \ldots, R'_t$.
Then that corresponds to an adversarial strategy $A_q$ for Quentin where he runs A on his inputs, and then continues running the protocol with the values $S'_1$, Q'. Wendy's strategy is unchanged and she sends the values $R'_1, \ldots, R'_t$ to Quentin. Note that Quentin's view is therefore $V_q^i = (Z, X, R'_1, \ldots, R'_i)$ and hence the look-ahead property (equation (1)) follows directly from the alternating-extraction theorem (equation (3)).

Theorem 10. Given an $(n_w, k_w - 2lt, l, l, \varepsilon_w)$-extractor $\mathrm{Ext}_w$ and an $(n_q, n_q - 2lt, l, l, \varepsilon_q)$-extractor $\mathrm{Ext}_q$, our construction yields an $(n_w, k_w, n_q + l, l, t, t^2(\varepsilon_w + \varepsilon_q))$-look-ahead extractor.

Proof. Follows from the above discussion showing how to construct a strategy $A_q$ for Quentin given a malleability attacker A. Notice that the strategy $A_q$ sends $s_q = l$ bits in each iteration. Also, we assume that Q is chosen to be uniformly random over $\{0,1\}^{n_q}$ and therefore $k_q = n_q$. The rest of the parameters follow directly from Theorem 9.

As shown in Appendix E.2, we can plug in the concrete efficient extractor construction of [GUV07] and get the following parameters.

Theorem 11. For all integers $n \ge k$ and all ε > 0 there exist (n, k, d, l, t, ε)-look-ahead extractors as long as $k \ge (2t + 2)\max(l, O(\log(n) + \log(t) + \log(1/\varepsilon)))$, i.e. $k \ge O(t(l + \log(n) + \log(t) + \log(1/\varepsilon)))$, and $d \ge O(t(l + \log(n) + \log(t) + \log(1/\varepsilon)))$.

Footnote 2: One difference between us and [DP07] is that we need all of $R_{i+1}, \ldots, R_t$ to look random and not just $R_{i+1}$. The other difference is that they should look random even given the view $V_q^i$ which includes Q.

Authentication using Look-Ahead. We will plug the look-ahead extractor into our framework (Figure 1) to construct a message authentication protocol. However, if Eve now modifies the extractor seed during the initial flow then she gets to perform some (limited) related key attack and, therefore, we cannot analyze the security of the construction using standard MACs. Instead, we must carefully construct and analyze a new message authentication code with look-ahead security, i.e. one which is secure under the types of related key attacks allowed by the look-ahead extractor.

Definition 12. A family of functions $\{\mathrm{MAC}_r : \{0,1\}^m \to \{0,1\}^s\}$ (indexed by keys $r \in (\{0,1\}^l)^t$) is a (m, s, l, t, ε, δ)-MAC with look-ahead security if, for any random variables $R = [R_1, \ldots, R_t]$, $R' = [R'_1, \ldots, R'_t]$, V which satisfy the look-ahead property:
$$\left(V, [R'_1, \ldots, R'_i], [R_{i+1}, \ldots, R_t]\right) \approx_\varepsilon \left(V, [R'_1, \ldots, R'_i], U_{(t-i)l}\right) \quad \forall i \in \{0, \ldots, t-1\} \qquad (5)$$
any $\mu_A \in \{0,1\}^m$ and any adversarial function A, we have
$$\Pr\left[\mu_B \neq \mu_A,\ \mathrm{MAC}_R(\mu_B) = \sigma \ \middle|\ \sigma' \leftarrow \mathrm{MAC}_{R'}(\mu_A),\ (\mu_B, \sigma) \leftarrow A(V, \sigma')\right] \le \delta.$$

It is simple to show that our construction (Figure 1) is a secure message authentication protocol if we plug in a look-ahead extractor and a MAC with look-ahead security.

Theorem 13. Plugging a (n, k, d, l, t, ε)-look-ahead extractor and a (m, s, l, t, ε, δ)-MAC with look-ahead security into our framework (Figure 1) yields a (n, k, m, δ)-message authentication protocol with a communication complexity of $d + m + s$ bits.

Proof. We can describe Eve through two adversarial functions $A_1$, $A_2$ where $X' = A_1(X, Z)$ is the function used to modify the initial flow, and $(\mu_B, \sigma) = A_2(X, Z, \mathrm{MAC}_{R'}(\mu_A))$ is the function used to modify the response flow. Now, for any function $A_1$ (including ones which can leave the initial flow unmodified) the definition of look-ahead extractors ensures that the variables $V = (X, Z)$, $R = \mathrm{laExt}(W; X)$, $R' = \mathrm{laExt}(W; X')$ satisfy the look-ahead property (5) in Definition 12. Therefore, Definition 12 ensures that the probability of $A_2$ successfully producing $(\mu_B, \sigma)$ such that $\mu_B \neq \mu_A$ and Bob accepts $(\mu_B, \sigma)$ is upper-bounded by δ.
We now proceed to construct a MAC with look-ahead security. To show the intuition behind our construction, we first (informally) analyze a simple variant for 1-bit messages. For a key R = [R_1, R_2, R_3, R_4], let us define MAC_R(0) = [R_1, R_4] and MAC_R(1) = [R_2, R_3]. Then, if the adversary learns MAC_{R'}(1) = [R'_2, R'_3], the random variable R_4 still looks random and so it is hard to predict MAC_R(0) = [R_1, R_4]. On the other hand, if the adversary learns MAC_{R'}(0) = [R'_1, R'_4], the variable R'_1 is useless in helping predict [R_2, R_3], and R'_4 is too short (only l bits long) to reveal enough information about [R_2, R_3] (which has almost 2l bits of entropy). In the rest of the section, we formalize the above idea and generalize it to longer messages. All proofs appear in Appendix E.

Definition 14. Given S_1, S_2 ⊆ {1, ..., t}, we say that the ordered pair (S_1, S_2) is top-heavy if there is some integer j such that |S_1^{≥j}| > |S_2^{≥j}|, where S^{≥j} def= {s ∈ S | s ≥ j}. Note that it is possible that (S_1, S_2) and (S_2, S_1) are both top-heavy. For a collection Ψ of sets S_i ⊆ {1, ..., t} we say that Ψ is pairwise top-heavy if every ordered pair (S_i, S_j) of sets S_i, S_j ∈ Ψ with i ≠ j is top-heavy.

For example, if S_1 := {1, 4}, S_2 := {2, 3}, then both of the ordered pairs (S_1, S_2) and (S_2, S_1) are top-heavy. Therefore the collection Ψ = {S_1, S_2} is pairwise top-heavy. We show that any collection of pairwise top-heavy sets can be used to construct a MAC with look-ahead security.

Lemma 15. Assume that a collection Ψ = {S_1, ..., S_{2^m}} of sets S_i ⊆ {1, ..., t} is pairwise top-heavy. Then the family of functions MAC_r(μ) def= [r_{S_μ}], indexed by r ∈ ({0, 1}^l)^t, is an (m, s, l, t, ε, δ)-MAC with look-ahead security where s = l · max_{S∈Ψ} |S| and δ ≤ 2^{m−l} + 2^m ε. Furthermore, if there is an efficient mapping of μ ∈ {0, 1}^m to S_μ, then the construction is efficient.

Therefore, to construct efficient MACs with look-ahead security, we must construct a large collection of sets which is pairwise top-heavy. We generalize our example of Ψ = {{1, 4}, {2, 3}} to many bits, by mapping an m-bit message μ = (b_1, ..., b_m) ∈ {0, 1}^m to a subset S ⊆ {1, ..., 4m} using the function

f(b_1, ..., b_m) def= {4i − 3 + b_i, 4i − b_i | i = 1, ..., m}   (6)

i.e. each bit b_i decides whether to include the values {4i − 3, 4i} (if b_i = 0) or the values {4i − 2, 4i − 1} (if b_i = 1).

Lemma 16. The above construction gives us a pairwise top-heavy collection Ψ of 2^m sets S_i ⊆ {1, ..., t} where t = 4m. Furthermore, the function f is an efficient mapping of μ ∈ {0, 1}^m to S_μ.

Corollary 2. We get an (m, s, l, t, ε, δ)-MAC with look-ahead security for any m, l, ε, with t = 4m, s = 4ml, δ ≤ 2^{m−l} + 2^m ε.

Plugging in our parameters for look-ahead extractors (Theorem 11) with those for MACs with look-ahead security (Corollary 2), we construct message authentication protocols with the following parameters.

Theorem 17. We construct an efficient two-round (n, k, m, δ)-message authentication protocol for any integers n ≥ k, m and any δ > 0 as long as k > O(m(m + log(n) + log(1/δ))). The protocol has communication complexity O(m(m + log(n) + log(1/δ))). Moreover, the size of the MAC key (and thus the entropy loss of the protocol) is bounded by τ = 4m(m + log(1/δ)).

The parameters of our above construction are vastly sub-optimal for all but very short messages (especially compared to our non-constructive existential results). However, we will see that we can use the above protocol efficiently as a building block for authenticated key agreement by authenticating only a very short message.
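The following is an added worked example and not code from the paper: it implements the message-to-subset map f of equation (6), the top-heavy test of Definition 14, a brute-force verification of Lemma 16 for small m, and the MAC family MAC_r(μ) = [r_{S_μ}] of Lemma 15. The function names (message_subset, top_heavy_witness, look_ahead_mac, and so on) are my own; the t = 4m key blocks R_1, ..., R_t are taken as given and are constructed here with os.urandom, since producing them with the look-ahead extractor is outside this block.

```python
"""Look-ahead MAC built from a pairwise top-heavy set system (added example)."""
import os
from itertools import permutations, product


def message_subset(bits):
    """f(b_1..b_m) = {4i-3+b_i, 4i-b_i : i = 1..m}  (equation (6), 1-based indices)."""
    s = set()
    for i, b in enumerate(bits, start=1):
        s.add(4 * i - 3 + b)   # 4i-3 if b_i = 0, 4i-2 if b_i = 1
        s.add(4 * i - b)       # 4i   if b_i = 0, 4i-1 if b_i = 1
    return s


def top_heavy_witness(s1, s2, t):
    """Smallest j with |s1^{>=j}| > |s2^{>=j}| (Definition 14), or None."""
    for j in range(1, t + 1):
        if sum(1 for s in s1 if s >= j) > sum(1 for s in s2 if s >= j):
            return j
    return None


def is_top_heavy(s1, s2, t):
    return top_heavy_witness(s1, s2, t) is not None


def lemma16_holds(m):
    """Brute-force check that {f(mu) : mu in {0,1}^m} is pairwise top-heavy."""
    t = 4 * m
    sets = [message_subset(bits) for bits in product((0, 1), repeat=m)]
    return all(is_top_heavy(a, b, t) for a, b in permutations(sets, 2))


def look_ahead_mac(key_blocks, bits):
    """MAC_r(mu): the key blocks indexed by S_mu, concatenated in index order."""
    if len(key_blocks) != 4 * len(bits):
        raise ValueError("need t = 4m key blocks")
    return b"".join(key_blocks[i - 1] for i in sorted(message_subset(bits)))


def sample_key(m, l_bytes):
    """Constructed stand-in for look-ahead extractor output: t = 4m blocks of l bytes."""
    return [os.urandom(l_bytes) for _ in range(4 * m)]


def blocks_still_hidden(seen_mu, target_mu):
    """Indices of MAC(target) blocks at or above the witness index j. Only
    |S_seen^{>=j}| < |S_target^{>=j}| of these leak through the seen tag, and
    the look-ahead property makes them look uniform given lower-indexed
    (possibly related) blocks, which is the intuition behind Lemma 15."""
    s_seen, s_target = message_subset(seen_mu), message_subset(target_mu)
    j = top_heavy_witness(s_target, s_seen, 4 * len(seen_mu))
    return sorted(i for i in s_target if i >= j)
```

For the 1-bit case this reproduces the example in the text: the tag of 1 reveals blocks 2 and 3, block 4 stays hidden; the tag of 0 reveals blocks 1 and 4, blocks 2 and 3 stay hidden.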
In turn, authenticated key agreement will allow us to build an authentication protocol for longer messages. Therefore, in Theorem 21, we will see that we can get efficient two-round message authentication protocols with significantly better parameters by constructing authenticated key agreement protocols first.

4 Authenticated Key Agreement

We now turn to the problem of authenticated key agreement (IT-AKA). As before, Alice and Bob share a secret W about which Eve has some side-information Z. They would like to run a protocol in which they agree on a shared random key. More concretely, Alice and Bob each have candidate keys r_A, r_B respectively, which are initially set to the special value ⊥. At some point during the protocol execution, Alice can reach a KeyDerived state and Bob can reach a KeyConfirmed state. Upon reaching either of these states, a party sets its candidate key to some l-bit value (not ⊥) and does not modify it afterwards. Informally, the KeyDerived, KeyConfirmed states should be interpreted as follows:

(1) If Alice reaches the KeyDerived state, then she possesses a uniformly random candidate key, which remains private no matter how the adversary acts during the remainder of the protocol execution. However, she is not sure if her key is shared with Bob, or if Bob is even involved in the protocol execution at all.

(2) If Bob reaches the KeyConfirmed state and gets a candidate key r_B, then Alice must have been

involved in the protocol execution, must have reached the KeyDerived state, and the two parties have a shared key r_A = r_B which is private from Eve.

Definition 18. In an (n, k, l, ε, δ)-(information theoretic) authenticated key agreement protocol (IT-AKA), Alice and Bob have candidate keys r_A, r_B ∈ {0, 1}^l ∪ {⊥} respectively. For any active adversarial strategy A employed by Eve, let R_A, R_B be random variables which denote the values of the candidate keys r_A, r_B at the conclusion of the protocol execution and let T be a random variable which denotes the transcript of the (entire) protocol execution as seen by Eve. We require that the protocol satisfies the following three properties:

(Correctness.) If Eve is passive, then Alice reaches the KeyDerived state, Bob reaches the KeyConfirmed state, and R_A = R_B (with probability 1).

(Key Privacy.) If (W | Z) is an (n, k)-source then, for any adversarial strategy A employed by Eve, if Alice reaches the KeyDerived state during the protocol execution, then (Z, T, R_A) ≈_ε (Z, T, U_l).

(Key Authenticity.) We say that the protocol has pre-application authenticity if for any (n, k)-source (W | Z) and any adversarial strategy A employed by Eve, the probability that Bob reaches the KeyConfirmed state and R_A ≠ R_B is at most δ. We say that the protocol has post-application authenticity if the above holds even if the adversary is given R_A immediately after Alice reaches the KeyDerived state.

Notes on the Definition. To understand the definition, we need to think of key agreement in a broader context where the key is used for some cryptographic task, for example to encrypt and authenticate a message. Generally, the sender (Alice) would like to be assured that her key is private (and will remain private), but she does not need the key to be shared at the time that she prepares/sends her authenticated-ciphertext. On the other hand, the recipient (Bob) would like to know that the key he uses for decryption/validation is the same shared private key which was used by Alice.
For this reason, we make our definition asymmetric, only requiring that Alice reaches KeyDerived (at which point she can prepare/send her authenticated-ciphertext) and Bob alone reaches KeyConfirmed (at which point he can validate/decrypt). Notice that this definition captures and generalizes prior definitions for one-round key agreement protocols ([MW03, DKRS06]) where Alice distills a key r_A on her own, goes into the KeyDerived state, and sends a single message to Bob. We therefore also generalize the notion of pre/post-application authenticity from [DKRS06], where it was noted that, if Alice wants to use her key r_A immediately after reaching KeyDerived (i.e. to encrypt and authenticate a message to Bob), we need to make sure that her use of the key does not help the adversary Eve break authenticity. Therefore, we will construct a two-round protocol meeting the stronger post-application authenticity guarantee where, even if the adversary is given the (entire) key r_A, she cannot cause Bob to derive r_B ≠ r_A. In particular, using this protocol, Alice can encrypt and authenticate a message to Bob in two rounds of interaction.

We begin with a lower bound showing that single-round authenticated key agreement (even with pre-application security) is essentially impossible when k < n/2 and inefficient (in communication complexity) when n/2 < k < n − 2.

Theorem 19. A one-round (n, k, l, ε, δ)-IT-AKA with pre-application authenticity having key length l ≥ 4, and security δ < 1/2, ε < 1/16, must satisfy k > n/2 and have a communication complexity of at least n − k − 2 bits.

Construction. We proceed to construct an efficient, two-round, IT-AKA protocol where Bob sends a message to Alice, Alice goes into KeyDerived and sends a reply to Bob, and Bob goes into KeyConfirmed. Our construction uses the message-authentication protocols from Section 3 as building blocks. The main idea behind our construction is fairly simple: Alice uses the authentication protocol to authenticate an extractor seed X_key to Bob, who then uses it to extract a shared key with Alice. Essentially the same

idea was used in [RW03] to construct authenticated key agreement from authentication protocols (with many rounds of interaction). However, the basic idea of authenticating a seed X_key might not work in general, since the adversary Eve can potentially learn some information about W which is dependent on X_key during the course of the authentication protocol, thus compromising the secrecy of the final key. Indeed, to overcome this complication, [RW03] needed to add extra rounds to their construction on top of the authentication protocol. In contrast, we show that this complication does not arise when the authentication protocol follows our framework (Figure 1) and so our construction of IT-AKA as described above and shown in Figure 3 is secure and we do not need additional rounds.

Figure 3: Authenticated Key Agreement Protocol (Alice holds W, Eve holds Z, Bob holds W)
Alice: Sample X_key; R_A := Ext_key(W; X_key).   Bob: Sample X_auth; R_auth := Ext_auth(W; X_auth).
Flow 1 (Bob → Alice): X_auth, delivered by Eve as X'_auth.
Alice: KeyDerived; R'_auth := Ext_auth(W; X'_auth); σ ← MAC_{R'_auth}(X_key).
Flow 2 (Alice → Bob): (X_key, σ), delivered by Eve as (X'_key, σ').
Bob: If σ' = MAC_{R_auth}(X'_key) then KeyConfirmed and R_B := Ext_key(W; X'_key).

The security of the above construction is easy to explain on an intuitive level. By the security of the authentication protocol, if Bob reaches the KeyConfirmed state, then X'_key = X_key and therefore R_A = R_B, showing authenticity (even if Eve sees R_A). For privacy, on the other hand, the only information that an active adversary might possibly get about W and which depends on X_key is the tag σ = MAC_{R'_auth}(X_key). However, σ is independent of W when conditioned on R'_auth. Therefore, the keys R_A, R_B are secure as long as there is enough entropy left over in W conditioned on R'_auth and Z. We formalize this argument in Theorem 20. We then plug in the parameters for our two authentication protocols (non-constructive and constructive) to state the final parameters achieved by our IT-AKA protocols in Corollaries 3 and 4. The proofs appear in Appendix F.

Theorem 20.
Let AUTH be an (n, k, m, δ)-message authentication protocol which instantiates our framework with the functions (Ext_auth, MAC) such that the key size for MAC is τ bits long. Let Ext_key be an (n, k − τ, d = m, l, ε)-extractor. Then our construction in Figure 3 is an (n, k, l, ε, δ)-IT-AKA with pre-application authenticity. If we assume that AUTH is an (n, k − l, m, δ)-message authentication protocol, then we get post-application authenticity.

Corollary 3. There exists a (possibly inefficient) two-round (n, k, l, ε, δ)-authenticated key agreement protocol with post-application authenticity for any integers n ≥ k, any ε > 0, δ > 0 with key length l = k − O(log(n) + log(1/δ) + log(1/ε)) and communication complexity O(log(n) + log(1/δ) + log(1/ε)).

Corollary 4. We construct an efficient two-round (n, k, l, ε, δ)-authenticated key agreement protocol with post-application authenticity for any constant α > 0, and any integers n ≥ k, any ε > 0, δ > 0 with key length l = (1 − α)k − O(log²(n) + log²(1/δ) + log²(1/ε)) and communication complexity O(log²(n) + log²(1/δ) + log²(1/ε)).
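The two flows of Figure 3, run end to end with both parties' messages, as an added example that is not the paper's code. Two instantiations are constructed and labelled as assumptions: Ext_key and Ext_auth are both a Toeplitz-matrix hash over GF(2) (a universal family, hence a strong extractor by the leftover hash lemma; the paper leaves the extractors abstract), and the MAC is a one-time polynomial MAC over GF(p), standing in for the look-ahead MAC of Section 3. The stand-in MAC is only adequate here because the simulated Eve does not touch X_auth; once X'_auth ≠ X_auth, Alice's key R'_auth is related to R_auth and a standard MAC gives no guarantee, which is exactly why the paper needs look-ahead security. The function names (ext, mac, bob_flow1, alice_flow2, bob_confirm, run_aka) are my own.

```python
"""Two-round IT-AKA of Figure 3 with constructed Ext and MAC (added example)."""
import secrets

N = 512                 # bit length n of the shared secret W (constructed)
L = 256                 # extractor output length l (constructed)
SEED_BITS = N + L - 1   # seed defines a Toeplitz matrix with L rows, N columns
P = (1 << 127) - 1      # prime field for the one-time polynomial MAC
CHUNK = 126             # message chunk width so that every chunk is < P
N_CHUNKS = -(-SEED_BITS // CHUNK)   # ceil(SEED_BITS / CHUNK) = 7


def ext(w, seed):
    """Ext(w; seed) = T_seed * w over GF(2); entry (i, j) of T is seed bit L-1-i+j."""
    out = 0
    for i in range(L):
        row = (seed >> (L - 1 - i)) & ((1 << N) - 1)
        out |= (bin(row & w).count("1") & 1) << i   # inner product mod 2
    return out


def mac(key, msg):
    """One-time MAC: b + sum_i a^(i+1) * c_i mod P over 126-bit chunks c_i of msg."""
    a = (key & ((1 << 128) - 1)) % P
    b = (key >> 128) % P
    tag, power = b, a
    for i in range(N_CHUNKS):
        chunk = (msg >> (i * CHUNK)) & ((1 << CHUNK) - 1)
        tag = (tag + power * chunk) % P
        power = (power * a) % P
    return tag


def bob_flow1(w, rng):
    """Bob samples X_auth, derives R_auth = Ext_auth(W; X_auth) and sends X_auth."""
    x_auth = rng(SEED_BITS)
    return x_auth, ext(w, x_auth)


def alice_flow2(w, x_auth_recv, rng):
    """Alice samples X_key, reaches KeyDerived with R_A = Ext_key(W; X_key) and
    sends (X_key, sigma) with sigma under R'_auth = Ext_auth(W; X'_auth)."""
    x_key = rng(SEED_BITS)
    r_a = ext(w, x_key)                       # KeyDerived
    r_auth_prime = ext(w, x_auth_recv)
    return r_a, (x_key, mac(r_auth_prime, x_key))


def bob_confirm(w, r_auth, x_key_recv, sigma_recv):
    """Bob checks sigma' = MAC_{R_auth}(X'_key); on success KeyConfirmed with R_B."""
    if mac(r_auth, x_key_recv) != sigma_recv:
        return None                           # reject: Bob never reaches KeyConfirmed
    return ext(w, x_key_recv)


def run_aka(w, eve=None, rng=secrets.randbits):
    """Full execution; `eve` optionally rewrites Alice's flow (X_key, sigma)."""
    x_auth, r_auth = bob_flow1(w, rng)
    r_a, (x_key, sigma) = alice_flow2(w, x_auth, rng)
    if eve is not None:
        x_key, sigma = eve(x_key, sigma)
    r_b = bob_confirm(w, r_auth, x_key, sigma)
    return r_a, r_b


def flip_seed_bit(x_key, sigma):
    """Constructed active Eve: substitute a different seed and keep the tag."""
    return x_key ^ 1, sigma


if __name__ == "__main__":
    w = secrets.randbits(N)   # constructed secret; a weak source works the same way
    r_a, r_b = run_aka(w)
    print("honest run, keys agree:", r_b is not None and r_a == r_b)
    r_a, r_b = run_aka(w, eve=flip_seed_bit)
    print("substituted X_key, Bob confirmed:", r_b is not None)
```

In the honest run Bob reaches KeyConfirmed with R_B = R_A; when Eve substitutes X'_key ≠ X_key and replays σ, the tag check fails except with probability about N_CHUNKS/P, so Bob stays without a confirmed key, which is the authenticity property of Definition 18 at work.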

As mentioned at the end of Section 3.2, we can use our construction of IT-AKA (which uses interactive message authentication as a building block) to improve the efficiency of message authentication based on the look-ahead extractor. The idea is to perform key agreement with post-application authenticity and let Alice use her key r_A as a key for a standard MAC to authenticate a long message efficiently in the second flow. We prove the following theorem in Appendix F.4.

Theorem 21. We construct efficient two-round (n, k, m, δ)-message authentication protocols for any integers n ≥ k, m and any δ > 0 as long as k > O(log²(n) + log²(1/δ) + log(m)).

5 Extensions: The Fuzzy Case and Bounded Retrieval Model

The Fuzzy Case. We now extend our result to the fuzzy case where Alice and Bob have some highly-correlated, but possibly unequal, secrets W_A, W_B respectively. This can happen, for example, when the secret is a biometric and the variables W_A, W_B represent different (but hopefully very similar) scans of the same biometric.[3] Non-interactive (one-round) solutions for this setting in the case of passive attackers are called fuzzy extractors and were originally studied by [DRS04, DORS08]. For the case of active attackers, such solutions are called robust fuzzy extractors and were originally constructed by [DKRS06] and improved upon in [KR08]. Of course, such solutions inherit our lower bound, and require that the entropy of the secrets is at least k > n/2. Interactive solutions for this setting, which allow k ≤ n/2, appear in [RW04] and are optimized in [KR09]. Again, as in the non-fuzzy case, the prior solutions require many rounds of interaction (proportional to the security parameter).

We now give a high-level outline for extending our two-round IT-AKA protocol to the fuzzy setting. In the fuzzy setting, Alice and Bob need to perform information reconciliation to agree on the same shared secret. Using terminology from [DORS08], non-interactive information-reconciliation is called a secure-sketch and consists of two procedures (SS, Rec).
Bob first computes a sketch Skt = SS(W_B) of his secret value W_B, and sends this sketch to Alice. Alice then runs an efficient recovery procedure to compute Bob's version of the secret W_B = Rec(W_A, Skt). The sketch is secure if it does not reveal much information about W_B so that, for any Z, H̃_∞(W_B | Z, SS(W_B)) ≥ H̃_∞(W_B | Z) − α for some small value α called the entropy loss. See [DORS08] for a formal definition of secure sketches and efficient secure sketch constructions for several specific types of correlations of W_A, W_B (e.g. closeness with respect to Hamming distance). Also, see the work of [RW04] for a general, but inefficient, construction of secure sketches for arbitrarily correlated variables (based on hash functions).

We show how to implement (efficient) two-round authenticated key agreement in the fuzzy setting for any correlation of W_A, W_B for which there is an (efficient) secure sketch construction. One idea of a construction for this setting is to first perform information-reconciliation (where Bob sends a sketch Skt of his secret to Alice) and then have Alice and Bob run the standard authenticated key agreement protocol using a shared secret W_B.[4] Unfortunately, this may not be secure in general since Eve gets additional attack power by being able to modify the value of the sketch Skt = SS(W_B) sent by Bob to Alice. We argue that the above idea is secure when implemented with our IT-AKA protocol based on the alternating-extraction construction of look-ahead extractors. The key realization is that the look-ahead property (see Definition 12) holds between the values [R'_1, ..., R'_t] = laExt(W'_B; X') extracted by Alice and the values [R_1, ..., R_t] = laExt(W_B; X) extracted by Bob, even if Alice uses a modified seed X' and a modified secret W'_B = Rec(W_A, Skt') where X', Skt' are adversarially chosen based on Skt, X. Intuitively, any such substitution attack translates directly to an adversarial strategy for Quentin in the

[3] For example, Alice is a client who stores an initial scan W_B of her biometric with some server.
Later, Alice takes a new scan W_A and would like to agree on a key with the server.

[4] For our constructions, this means that Bob sends Skt during the first round along with the random seed X, and hence preserves the two-round structure.

alternating-extraction protocol and hence cannot break the look-ahead property.

Theorem 22. Assume that (W_A, W_B, Z) is some joint distribution such that (W_B | Z), (W_A | Z) are both (n, k)-sources and that (SS, Rec) is a secure sketch construction for the joint distribution (W_A, W_B), where the size of the sketch is bounded by α. Let Ext_w be an (n, k − α − 2lt, l, l, ε_w)-extractor and Ext_q be an (n_q, n_q − 2(l + α)t, l, l, ε_q)-extractor for some l, t and let laExt be the look-ahead extractor constructed from Ext_w and Ext_q as in Theorem 10, using t iterations of alternating-extraction. Then we get:

(Z, SS(W_B), X, [R'_1, ..., R'_i], [R_{i+1}, ..., R_t]) ≈_ε (Z, SS(W_B), X, [R'_1, ..., R'_i], U_{(t−i)l})   (7)

where [R_1, ..., R_t] = laExt(W_B; X), (X', Skt') = A(Z, SS(W_B), X), W' = Rec(W_A, Skt'), [R'_1, ..., R'_t] = laExt(W'; X') and the achieved security is ε ≤ t²(ε_q + ε_w).

Proof. We use the alternating-extraction theorem where, in the honest execution, Quentin uses X = (Q, S_1) and Wendy uses W_B. Let Z' = (Z, SS(W_B)). Then an adversarial strategy in which Eve modifies X = (Q, S_1), Skt = SS(W_B) to X' = (Q', S'_1) and Skt' corresponds to a joint adversarial strategy by Quentin and Wendy where Quentin uses X' = (Q', S'_1) and also sends Skt' to Wendy in the first iteration. Wendy samples from the distribution (W_A | W_B = w_B) where w_B is her secret (i.e. she samples from what Alice's secret would be conditioned on Bob's value). She then applies W'_B = Rec(W_A, Skt') and follows the rest of the alternating-extraction protocol honestly. Notice that Quentin's view in this protocol is (Z', Q, R'_1, ..., R'_t) whose joint distribution is identical to that in the statement of the theorem. Therefore, our theorem follows directly from alternating extraction. For parameters, notice that H̃_∞(W_B | Z') ≥ k_w − α and the communication from Quentin to Wendy is limited to l + α bits.

Informally, since the look-ahead property is all we needed to prove the security of our authentication protocol and finally IT-AKA, we see that the security of these protocols carries over to the fuzzy setting.

The Bounded Retrieval Model.
The Bounded Retrieval Model was first proposed (concurrently) by [Dzi06, CLW06] and has since also been studied by [CDD+07, DP07]. The main idea is to make Alice and Bob share an intentionally huge secret key (e.g. 10 GB). The size of the key is crucial in protecting against intrusion attacks where the adversary gets complete control over the storage device through some malware (i.e. a virus or trojan horse) which infiltrates Alice's or Bob's storage. It is assumed that, although the malware has complete access to secret data, it cannot communicate too much of it to the adversary (e.g. more than 4 GB), because of limits on bandwidth or implemented security measures against excessive communication. Therefore this scenario falls into our framework where Alice and Bob share a (now huge) secret W about which the adversary has side-information Z, such that the entropy of W given Z is large (e.g. more than 6 GB). Our lower bounds show that, even if the entropy of W is k ≥ n/2, the communication complexity of non-interactive (i.e. single-round) protocols will be at least n − k bits (e.g. 4 GB), which is unrealistic. Interaction is therefore essential in this setting and, as presented, our protocols already achieve low communication complexity relative to the size of the secret W. However, the current solutions may not be efficient since they require the parties to read the entire secret to run the protocol. Therefore, we would like to have more efficient constructions which also achieve locality: the parties need only read a small number of positions in W to run the protocol. We notice that, in our IT-AKA protocol based on the alternating-extraction construction of look-ahead extractors, the secret W is only read by the (standard) extractor Ext_key and a look-ahead extractor, which is constructed using two (standard) extractors Ext_q, Ext_w. By substituting local extractors (defined and constructed by Vadhan [Vad04]) for all of the above implementations, we get a construction of message authentication and IT-AKA protocols which also achieve locality.
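Returning to the fuzzy case above, the following is an added worked example of the secure-sketch pair (SS, Rec) that Bob adds to the first flow; it is not code from the paper. It follows the syndrome construction of [DORS08] for Hamming-distance correlations, instantiated with the binary [7,4] Hamming code: SS(w) is the 3-bit syndrome H·w over GF(2), and Rec(W_A, Skt) corrects one flipped position per 7-bit block, so the entropy loss α is at most 3 bits per block. Secrets are Python ints with bit j−1 holding position j, longer secrets are handled block by block, and the function names (syndrome7, recover7, ss, rec, preimages) are my own. The last assertion in the usage illustrates the attack surface the text points out: a modified sketch Skt' makes Alice recover a modified W'_B, which is what Theorem 22 has to absorb.

```python
"""Syndrome secure sketch for Hamming distance, [7,4] Hamming code (added example)."""
BLOCK = 7


def syndrome7(block):
    """SS on one 7-bit block. Column j of the parity-check matrix H is the
    binary expansion of j, so the syndrome of a single error names the
    flipped position directly."""
    s = 0
    for j in range(1, BLOCK + 1):
        if (block >> (j - 1)) & 1:
            s ^= j
    return s


def recover7(block_a, skt):
    """Rec on one block: H*(w_A xor w_B) = syndrome7(w_A) xor skt by linearity;
    when that is a single position, flipping it recovers w_B. The result
    always has syndrome skt, whether or not skt was the genuine sketch."""
    e = syndrome7(block_a) ^ skt
    return block_a if e == 0 else block_a ^ (1 << (e - 1))


def ss(w, n_bits):
    """SS(W_B): sketch an n_bits-long secret block by block (n_bits multiple of 7)."""
    return [syndrome7((w >> (BLOCK * k)) & 0x7F) for k in range(n_bits // BLOCK)]


def rec(w_a, skt, n_bits):
    """Rec(W_A, Skt): correct if W_A and W_B differ in at most one position per block."""
    out = 0
    for k, s in enumerate(skt):
        out |= recover7((w_a >> (BLOCK * k)) & 0x7F, s) << (BLOCK * k)
    return out


def preimages(skt):
    """Number of 7-bit blocks with a given syndrome: 16 for every value, so a
    3-bit sketch leaves 4 of the 7 bits of a uniform block unknown."""
    return sum(1 for b in range(128) if syndrome7(b) == skt)


def all_single_errors_recover():
    """Exhaustive check of Rec over every block value and every single-bit error."""
    for w_b in range(128):
        s = syndrome7(w_b)
        for pos in range(BLOCK + 1):          # pos 0 means no error at all
            w_a = w_b ^ (1 << (pos - 1)) if pos else w_b
            if recover7(w_a, s) != w_b:
                return False
    return True
```

The sketch is sent in the clear alongside X in the first round (footnote 4), so a defender budgets its length into the entropy bound exactly as Theorem 22 does with α: here 3 bits per 7-bit block are given away, and a 21-bit secret keeps at least 12 bits of min-entropy against an eavesdropper who sees only Skt.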


More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Power law and dimension of the maximum value for belief distribution with the max Deng entropy

Power law and dimension of the maximum value for belief distribution with the max Deng entropy Power law and dmenson of the maxmum value for belef dstrbuton wth the max Deng entropy Bngy Kang a, a College of Informaton Engneerng, Northwest A&F Unversty, Yanglng, Shaanx, 712100, Chna. Abstract Deng

More information

General theory of fuzzy connectedness segmentations: reconciliation of two tracks of FC theory

General theory of fuzzy connectedness segmentations: reconciliation of two tracks of FC theory General theory of fuzzy connectedness segmentatons: reconclaton of two tracks of FC theory Krzysztof Chrs Ceselsk Department of Mathematcs, West Vrgna Unversty and MIPG, Department of Radology, Unversty

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity

LINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have

More information

ECE559VV Project Report

ECE559VV Project Report ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

Chapter 11: Simple Linear Regression and Correlation

Chapter 11: Simple Linear Regression and Correlation Chapter 11: Smple Lnear Regresson and Correlaton 11-1 Emprcal Models 11-2 Smple Lnear Regresson 11-3 Propertes of the Least Squares Estmators 11-4 Hypothess Test n Smple Lnear Regresson 11-4.1 Use of t-tests

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

Limited Dependent Variables

Limited Dependent Variables Lmted Dependent Varables. What f the left-hand sde varable s not a contnuous thng spread from mnus nfnty to plus nfnty? That s, gven a model = f (, β, ε, where a. s bounded below at zero, such as wages

More information

Chapter 13: Multiple Regression

Chapter 13: Multiple Regression Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to

More information

Basically, if you have a dummy dependent variable you will be estimating a probability.

Basically, if you have a dummy dependent variable you will be estimating a probability. ECON 497: Lecture Notes 13 Page 1 of 1 Metropoltan State Unversty ECON 497: Research and Forecastng Lecture Notes 13 Dummy Dependent Varable Technques Studenmund Chapter 13 Bascally, f you have a dummy

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

Ph 219a/CS 219a. Exercises Due: Wednesday 23 October 2013

Ph 219a/CS 219a. Exercises Due: Wednesday 23 October 2013 1 Ph 219a/CS 219a Exercses Due: Wednesday 23 October 2013 1.1 How far apart are two quantum states? Consder two quantum states descrbed by densty operators ρ and ρ n an N-dmensonal Hlbert space, and consder

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

Chapter 5 Multilevel Models

Chapter 5 Multilevel Models Chapter 5 Multlevel Models 5.1 Cross-sectonal multlevel models 5.1.1 Two-level models 5.1.2 Multple level models 5.1.3 Multple level modelng n other felds 5.2 Longtudnal multlevel models 5.2.1 Two-level

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

A note on almost sure behavior of randomly weighted sums of φ-mixing random variables with φ-mixing weights

A note on almost sure behavior of randomly weighted sums of φ-mixing random variables with φ-mixing weights ACTA ET COMMENTATIONES UNIVERSITATIS TARTUENSIS DE MATHEMATICA Volume 7, Number 2, December 203 Avalable onlne at http://acutm.math.ut.ee A note on almost sure behavor of randomly weghted sums of φ-mxng

More information

Introduction to information theory and data compression

Introduction to information theory and data compression Introducton to nformaton theory and data compresson Adel Magra, Emma Gouné, Irène Woo March 8, 207 Ths s the augmented transcrpt of a lecture gven by Luc Devroye on March 9th 207 for a Data Structures

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Appendix B. The Finite Difference Scheme

Appendix B. The Finite Difference Scheme 140 APPENDIXES Appendx B. The Fnte Dfference Scheme In ths appendx we present numercal technques whch are used to approxmate solutons of system 3.1 3.3. A comprehensve treatment of theoretcal and mplementaton

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

CHAPTER 17 Amortized Analysis

CHAPTER 17 Amortized Analysis CHAPTER 7 Amortzed Analyss In an amortzed analyss, the tme requred to perform a sequence of data structure operatons s averaged over all the operatons performed. It can be used to show that the average

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Temperature. Chapter Heat Engine

Temperature. Chapter Heat Engine Chapter 3 Temperature In prevous chapters of these notes we ntroduced the Prncple of Maxmum ntropy as a technque for estmatng probablty dstrbutons consstent wth constrants. In Chapter 9 we dscussed the

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8 U.C. Berkeley CS278: Computatonal Complexty Handout N8 Professor Luca Trevsan 2/21/2008 Notes for Lecture 8 1 Undrected Connectvty In the undrected s t connectvty problem (abbrevated ST-UCONN) we are gven

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Split alignment. Martin C. Frith April 13, 2012

Split alignment. Martin C. Frith April 13, 2012 Splt algnment Martn C. Frth Aprl 13, 2012 1 Introducton Ths document s about algnng a query sequence to a genome, allowng dfferent parts of the query to match dfferent parts of the genome. Here are some

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

An Optimally Fair Coin Toss

An Optimally Fair Coin Toss An Optmally Far Con Toss Tal Moran Mon Naor Gl Segev Abstract We address one of the foundatonal problems n cryptography: the bas of con-flppng protocols. Con-flppng protocols allow mutually dstrustful

More information

Homework Assignment 3 Due in class, Thursday October 15

Homework Assignment 3 Due in class, Thursday October 15 Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.

More information

Hopfield Training Rules 1 N

Hopfield Training Rules 1 N Hopfeld Tranng Rules To memorse a sngle pattern Suppose e set the eghts thus - = p p here, s the eght beteen nodes & s the number of nodes n the netor p s the value requred for the -th node What ll the

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information

Computing Correlated Equilibria in Multi-Player Games

Computing Correlated Equilibria in Multi-Player Games Computng Correlated Equlbra n Mult-Player Games Chrstos H. Papadmtrou Presented by Zhanxang Huang December 7th, 2005 1 The Author Dr. Chrstos H. Papadmtrou CS professor at UC Berkley (taught at Harvard,

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Appendix B: Resampling Algorithms

Appendix B: Resampling Algorithms 407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1 C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned

More information

Remarks on the Properties of a Quasi-Fibonacci-like Polynomial Sequence

Remarks on the Properties of a Quasi-Fibonacci-like Polynomial Sequence Remarks on the Propertes of a Quas-Fbonacc-lke Polynomal Sequence Brce Merwne LIU Brooklyn Ilan Wenschelbaum Wesleyan Unversty Abstract Consder the Quas-Fbonacc-lke Polynomal Sequence gven by F 0 = 1,

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

Markov Chain Monte Carlo Lecture 6

Markov Chain Monte Carlo Lecture 6 where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways

More information

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1] DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm

More information

Lecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds.

Lecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds. U.C. Berkeley CS273: Parallel and Dstrbuted Theory Lecture 1 Professor Satsh Rao August 26, 2010 Lecturer: Satsh Rao Last revsed September 2, 2010 Lecture 1 1 Course Outlne We wll cover a samplng of the

More information

Singular Value Decomposition: Theory and Applications

Singular Value Decomposition: Theory and Applications Sngular Value Decomposton: Theory and Applcatons Danel Khashab Sprng 2015 Last Update: March 2, 2015 1 Introducton A = UDV where columns of U and V are orthonormal and matrx D s dagonal wth postve real

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Additional Codes using Finite Difference Method. 1 HJB Equation for Consumption-Saving Problem Without Uncertainty

Additional Codes using Finite Difference Method. 1 HJB Equation for Consumption-Saving Problem Without Uncertainty Addtonal Codes usng Fnte Dfference Method Benamn Moll 1 HJB Equaton for Consumpton-Savng Problem Wthout Uncertanty Before consderng the case wth stochastc ncome n http://www.prnceton.edu/~moll/ HACTproect/HACT_Numercal_Appendx.pdf,

More information

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 3: Large deviations bounds and applications Lecturer: Sanjeev Arora

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 3: Large deviations bounds and applications Lecturer: Sanjeev Arora prnceton unv. F 13 cos 521: Advanced Algorthm Desgn Lecture 3: Large devatons bounds and applcatons Lecturer: Sanjeev Arora Scrbe: Today s topc s devaton bounds: what s the probablty that a random varable

More information

Composite Hypotheses testing

Composite Hypotheses testing Composte ypotheses testng In many hypothess testng problems there are many possble dstrbutons that can occur under each of the hypotheses. The output of the source s a set of parameters (ponts n a parameter

More information