Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz (Univ. of MD)
Very high level summary Implementing secure protocols in MANETs can be challenging –Low bandwidth, memory, computational power –Limited battery life Much work designing new and highly efficient protocols tailored to this setting Often, provable security sacrificed for better efficiency –Replaced with heuristic analysis This is a bad idea!
Outline of the talk Key predistribution An optimal, information-theoretic scheme A proposal by Zhang et al. Attacking their scheme Extensions and conclusions
Key predistribution Goal: distribute keying material to a set of N nodes, such that each pair of nodes can compute a shared key Two trivial solutions: –One key shared by all nodes Compromise of one node compromises entire network –Independent key shared by each pair of nodes O(N) storage per node
Optimal schemes [Blom], [Blundo et al.] These schemes guarantee the following: –Any pair of nodes shares a key –The key shared by any uncompromised nodes remains information-theoretically secret as long as t or fewer nodes are compromised Storage O(t) per node –This is known to be optimal for schemes satisfying the above
An optimal scheme Choose random symmetric, bivariate polynomial F(x,y) of degree t in each variable Node i given the (univariate) polynomial s i (y) = F(i,y) Key shared by i and j is s i (j) = F(i,j) = s j (i)
Better than Blundo? If t large, even O(t) storage is prohibitive… Smaller t always better… How can we hope to do better? –Relax requirements? –Computational security
A new proposal [Zhang et al., MobiHoc 2007] –Extensions by Zhang et al. (INFOCOM 08), Subramanian et al. (PerCom 07) Basic idea: –Give node i a polynomial s i (y) that is close, but not equal, to F(i,y) Nodes i and j can still generate a shared key using the high-order bits of s i (j), s j (i), respectively Harder(?) for an adversary to recover F(x,y) given multiple s i (y)
The scheme I Let p be a prime, r < p a noise parameter Choose random, symmetric F(x,y) of degree t in each variable Choose random univariate g(y), h(y) –Set SMALL = {i : 0 g(i), h(i) r}; these will be the node-IDs Each node i gets s i (y) = F(i,y) + b i g(y) + (1-b i ) h(y), where b i is chosen randomly
The scheme II Note that |s i (j) – s j (i)| r Nodes i and j can agree on a key using the high-order bits Suggested parameters: p2 32, r2 22, t=76 –Storage per node (per key-bit): 240 bits –Blundo et al. scheme would give security for 240 corruptions –Zhang et al. claim resistance to unbounded number of corruptions
Note Expected size of SMALL is r 2 /p –Need r 2 /p N Setup requires O(Np 2 /r 2 ) work Shared key has length O(log(p/r)) –Run many schemes in parallel to increase key length
Attacks using list decoding Compromise n=4t+1 nodes to get s 1 (y), …, s n (y) Choose any uncorrupted j *, set y i = s i (j * ) Note: y i {f 0 (i), f 1 (i)}, where f 0 (y) = F(y,j * ) + h(j * ) and f 1 (y) = F(y,j * ) + g(j * ) –So for some b and at least 2t+1 values of i, we have y i =f b (i) –We can use list decoding to recover f b (y) –Can then compute f b (i * )s j* (i * ) for any i *
Improved attack Corrupt n=3t+1 nodes Choose any uncorrupted j *, set y i = s i (j * ) Assume =g(j * )-h(j * ) known Let S={(i, y i )} –Add to S the n tuples (i, y i - ) For all (i,y) S, we have y {f 0 (i), f 1 (i), f 0 (i)- } For every i, either f 0 (i)=y i or f 0 (i)=y i - –So for n tuples (i,y) S (out of 2n tuples total) we have f 0 (i)=y –Use list decoding to recover f 0 (y)
Improvements What if we add even more noise? Resistance to 4t+1 corruptions (or an attack with O(r) work) may be acceptable Next: a more efficient attack, corrupting fewer nodes, that works even when more noise is added
Adding more noise Let u be small Now set s i (y) = F(i,y) + i g(y) + i h(y), where i, i [-u, u] –u=1 corresponds to the original scheme
Attack using lattices Associate degree-t polynomials with vectors of length t+1 –I.e., p(y) = a 0 + … + a t y t (a 0, …, a t ) Define the vector f i = F(i, y) So s i = f i + i g + i h Crucial observation –Noise added to f i drawn from 2-dimensional subspace
Attack outline Crucial observation –Noise added to f i drawn from 2-dimensional subspace Attack: –Identify the noise subspace –Find g, h –Solve for F
Step 1 Corrupt n=t+3 nodes, get s i = f i + i g + i h We know f t+1 = Σ i=0…t i f i and f t+2 = Σ i=0…t i f i So: s t+1 - Σ i=0…t i s i span(g, h) s t+2 - Σ i=0…t i s i span(g, h) Likely to be linearly independent –Likely to be a basis for span(g, h)!
Step 2: find g and h We have v, v with span(v,v) = span(g,h) Find g, h using the fact that g(id), h(id) are small modulo p To do this, find short vectors in the lattice: v(x 1 )v(x 2 )…v(x k ) v(x 1 )v(x 2 )…v(x k ) p0…0 0p…0 ………… 00…p
Step 3: find F Since F is symmetric, for all i, j we have s i (j) - i g(j) - i h(j) = s j (i) - j g(i) - j h(i) –Gives O(n 2 ) equations in 2n unknowns –But under-determined! Can find the i, i using the fact that they lie in [- u, u] –Takes time O(t 3 + t u 3 ) Note: u cannot be too large –Need 4ur < p to share a 1-bit key, even then the attack takes time O(t 3 + t (p/r) 3 ) –Setup takes time O(N (p/r) 2 )
Implementation Attack implemented on a desktop PC Our attacks extend to other schemes that use the same approach –Apply to various other extensions as well prtsetup timeattack time min 1060 min 10 min 8 min
Conclusions The perturbation polynomials approach is dead! Moral: provable security is crucial
Thank you!