Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Slides:



Advertisements
Similar presentations
Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
Advertisements

Rectangle-Efficient Aggregation in Spatial Data Streams Srikanta Tirthapura David Woodruff Iowa State IBM Almaden.
The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
Lower Bounds for Local Search by Quantum Arguments Scott Aaronson.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Estimation of Means and Proportions
I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.
5.4 Basis And Dimension.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Shahzad Basiri Imam Hossein university Workshop on key distribution Tuesday, May 24, 2011 Linear Key Predistribution Scheme.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Introduction to Computer Science 2 Lecture 7: Extended binary trees
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
A Pairwise Key Pre-Distribution Scheme for Wireless Sensor Networks Wenliang (Kevin) Du, Jing Deng, Yunghsiang S. Han and Pramod K. Varshney Department.
Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Basis of a Vector Space (11/2/05)
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
The Goldreich-Levin Theorem: List-decoding the Hadamard code
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
ITIS 6010/8010 Wireless Network Security Dr. Weichao Wang.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Establishing Pairwise Keys in Distributed Sensor Networks Donggang Liu, Peng Ning Jason Buckingham CSCI 7143: Secure Sensor Networks October 12, 2004.
1 Adjoint Method in Network Analysis Dr. Janusz A. Starzyk.
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.
Primal-Dual Meets Local Search: Approximating MST’s with Non-uniform Degree Bounds Author: Jochen Könemann R. Ravi From CMU CS 3150 Presentation by Dan.
CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.
KAIS T Decentralized key generation scheme for cellular-based heterogeneous wireless ad hoc networks 임 형 인 Ananya Gupta, Anindo Mukherjee, Bin.
Selecting Class Polynomials for the Generation of Elliptic Curves Elisavet Konstantinou joint work with Aristides Kontogeorgis Department of Information.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Learning Parities with Structured Noise Sanjeev Arora, Rong Ge Princeton University.
Disclosure risk when responding to queries with deterministic guarantees Krish Muralidhar University of Kentucky Rathindra Sarathy Oklahoma State University.
Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local Collaboration-Based Approach Wensheng Zhang and Guohong Cao.
Cryptanalysis and Improvement of an Access Control in User Hierarchy Based on Elliptic Curve Cryptosystem Reporter : Tzer-Long Chen Information Sciences.
Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen.
Great Theoretical Ideas in Computer Science.
Linkability of Some Blind Signature Schemes Swee-Huay Heng 1, Wun-She Yap 1 Khoongming Khoo 2 1 Multimedia University, 2 DSO National Laboratories.
Attacking Cryptographic Schemes Based on ‘Perturbation Polynomials’ Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
Secure and Energy-Efficient Disjoint Multi-Path Routing for WSNs Presented by Zhongming Zheng.
A Passive Approach to Sensor Network Localization Rahul Biswas and Sebastian Thrun International Conference on Intelligent Robots and Systems 2004 Presented.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,
Author: Hangyang Dai and Hongbing Xu
Lattice-based cryptography and quantum Oded Regev Tel-Aviv University.
Key Pre-distribution Approach in Wireless Sensor Networks Using LU Matrix Authors: Hangyang Dai and Hongbing Xu Source: IEEE Sensor Journal, vol.10, no.8,
Mix networks with restricted routes PET 2003 Mix Networks with Restricted Routes George Danezis University of Cambridge Computer Laboratory Privacy Enhancing.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1/16 Seeing through M IST given a Small Fraction of an RSA Private Key Colin D. Walter Comodo Research Lab (Bradford, UK)
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.
A Key Pre-Distribution Scheme Using Deployment Knowledge for Wireless Sensor Networks Zhen Yu & Yong Guan Department of Electrical and Computer Engineering.
On the Size of Pairing-based Non-interactive Arguments
MinJi Kim, Muriel Médard, João Barros
Privacy and Fault-Tolerance in Distributed Optimization Nitin Vaidya University of Illinois at Urbana-Champaign.
Digital Signature Schemes and the Random Oracle Model
Background: Lattices and the Learning-with-Errors problem
RS – Reed Solomon List Decoding.
Lattices. Svp & cvp. lll algorithm. application in cryptography
Presentation transcript:

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz (Univ. of MD)

Very high level summary Implementing secure protocols in MANETs can be challenging –Low bandwidth, memory, computational power –Limited battery life Much work designing new and highly efficient protocols tailored to this setting Often, provable security sacrificed for better efficiency –Replaced with heuristic analysis This is a bad idea!

Outline of the talk Key predistribution An optimal, information-theoretic scheme A proposal by Zhang et al. Attacking their scheme Extensions and conclusions

Key predistribution Goal: distribute keying material to a set of N nodes, such that each pair of nodes can compute a shared key Two trivial solutions: –One key shared by all nodes Compromise of one node compromises entire network –Independent key shared by each pair of nodes O(N) storage per node

Optimal schemes [Blom], [Blundo et al.] These schemes guarantee the following: –Any pair of nodes shares a key –The key shared by any uncompromised nodes remains information-theoretically secret as long as t or fewer nodes are compromised Storage O(t) per node –This is known to be optimal for schemes satisfying the above

An optimal scheme Choose random symmetric, bivariate polynomial F(x,y) of degree t in each variable Node i given the (univariate) polynomial s i (y) = F(i,y) Key shared by i and j is s i (j) = F(i,j) = s j (i)

Better than Blundo? If t large, even O(t) storage is prohibitive… Smaller t always better… How can we hope to do better? –Relax requirements? –Computational security

A new proposal [Zhang et al., MobiHoc 2007] –Extensions by Zhang et al. (INFOCOM 08), Subramanian et al. (PerCom 07) Basic idea: –Give node i a polynomial s i (y) that is close, but not equal, to F(i,y) Nodes i and j can still generate a shared key using the high-order bits of s i (j), s j (i), respectively Harder(?) for an adversary to recover F(x,y) given multiple s i (y)

The scheme I Let p be a prime, r < p a noise parameter Choose random, symmetric F(x,y) of degree t in each variable Choose random univariate g(y), h(y) –Set SMALL = {i : 0 g(i), h(i) r}; these will be the node-IDs Each node i gets s i (y) = F(i,y) + b i g(y) + (1-b i ) h(y), where b i is chosen randomly

The scheme II Note that |s i (j) – s j (i)| r Nodes i and j can agree on a key using the high-order bits Suggested parameters: p2 32, r2 22, t=76 –Storage per node (per key-bit): 240 bits –Blundo et al. scheme would give security for 240 corruptions –Zhang et al. claim resistance to unbounded number of corruptions

Note Expected size of SMALL is r 2 /p –Need r 2 /p N Setup requires O(Np 2 /r 2 ) work Shared key has length O(log(p/r)) –Run many schemes in parallel to increase key length

Attacks using list decoding Compromise n=4t+1 nodes to get s 1 (y), …, s n (y) Choose any uncorrupted j *, set y i = s i (j * ) Note: y i {f 0 (i), f 1 (i)}, where f 0 (y) = F(y,j * ) + h(j * ) and f 1 (y) = F(y,j * ) + g(j * ) –So for some b and at least 2t+1 values of i, we have y i =f b (i) –We can use list decoding to recover f b (y) –Can then compute f b (i * )s j* (i * ) for any i *

Improved attack Corrupt n=3t+1 nodes Choose any uncorrupted j *, set y i = s i (j * ) Assume =g(j * )-h(j * ) known Let S={(i, y i )} –Add to S the n tuples (i, y i - ) For all (i,y) S, we have y {f 0 (i), f 1 (i), f 0 (i)- } For every i, either f 0 (i)=y i or f 0 (i)=y i - –So for n tuples (i,y) S (out of 2n tuples total) we have f 0 (i)=y –Use list decoding to recover f 0 (y)

Improvements What if we add even more noise? Resistance to 4t+1 corruptions (or an attack with O(r) work) may be acceptable Next: a more efficient attack, corrupting fewer nodes, that works even when more noise is added

Adding more noise Let u be small Now set s i (y) = F(i,y) + i g(y) + i h(y), where i, i [-u, u] –u=1 corresponds to the original scheme

Attack using lattices Associate degree-t polynomials with vectors of length t+1 –I.e., p(y) = a 0 + … + a t y t (a 0, …, a t ) Define the vector f i = F(i, y) So s i = f i + i g + i h Crucial observation –Noise added to f i drawn from 2-dimensional subspace

Attack outline Crucial observation –Noise added to f i drawn from 2-dimensional subspace Attack: –Identify the noise subspace –Find g, h –Solve for F

Step 1 Corrupt n=t+3 nodes, get s i = f i + i g + i h We know f t+1 = Σ i=0…t i f i and f t+2 = Σ i=0…t i f i So: s t+1 - Σ i=0…t i s i span(g, h) s t+2 - Σ i=0…t i s i span(g, h) Likely to be linearly independent –Likely to be a basis for span(g, h)!

Step 2: find g and h We have v, v with span(v,v) = span(g,h) Find g, h using the fact that g(id), h(id) are small modulo p To do this, find short vectors in the lattice: v(x 1 )v(x 2 )…v(x k ) v(x 1 )v(x 2 )…v(x k ) p0…0 0p…0 ………… 00…p

Step 3: find F Since F is symmetric, for all i, j we have s i (j) - i g(j) - i h(j) = s j (i) - j g(i) - j h(i) –Gives O(n 2 ) equations in 2n unknowns –But under-determined! Can find the i, i using the fact that they lie in [- u, u] –Takes time O(t 3 + t u 3 ) Note: u cannot be too large –Need 4ur < p to share a 1-bit key, even then the attack takes time O(t 3 + t (p/r) 3 ) –Setup takes time O(N (p/r) 2 )

Implementation Attack implemented on a desktop PC Our attacks extend to other schemes that use the same approach –Apply to various other extensions as well prtsetup timeattack time min 1060 min 10 min 8 min

Conclusions The perturbation polynomials approach is dead! Moral: provable security is crucial

Thank you!