10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi School of Information and Computer Science University of California, Irvine

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 2/22 Outline Introduction: Access control in ad hoc groups Threshold cryptography Proactive signatures URSA proactive RSA scheme Our attack: efficient key recovery Discussion: Insecurity of URSA Open issues

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 3/22 Access Control in Ad Hoc Groups Access control is required to  prevent unauthorized entities from joining the group  bootstrap other security services, e.g., secure routing  remove misbehaving members  in general, make group decisions However, ad hoc group has  no infrastructure  no trusted group authority  dynamic membership Challenge: How to provide secure access control in a such a decentralized and dynamic environment?

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 4/22 Zhou and Haas [IEEE Comm. Mag’99] (t+1,n) secret sharing of group secret; Shamir [ACM COMM.’79] Threshold signatures  any set of t+1 members can sign messages on behalf of the group  tolerate up to t corruptions in the lifetime of the system Proactive Signatures  threshold signatures with increased resilience,  lifetime is divided into intervals  secret shares are updated  tolerate up to t corruptions in every interval Distribution of Trust using Threshold Cryptography

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 5/22 Access Control using Proactive Signatures Step 1: Certification request Step 2: Join commit (Signed Vote) Step 3: Certificate acquisition M new New member (M new ) wants to join the group If a quorum of t+1 current members approve, M new is issued a signed certificate via proactive signing protocol If no quorum found, membership is denied Vote 1 Vote 2

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 6/22 Provably Secure Proactive Signatures RSA based  Frankel, et al. [FOCS’97] [Crypto’97], Rabin [Crypto’98] DSA based;  Gennaro, et al. [EC’96] [IANDC’01] Schnorr based  Gennaro, et al. [RSA Security’03] BLS based  Boldyreva [PKC’03] None applicable for access control in ad hoc groups

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 7/22 Recent Access Control Schemes URSA URSA: Ubiquitous and Robust Access Control  Luo, et al. [ICNP’01, ISCC’02, WCMC’02, ToN’04]  Proposes a new proactive RSA scheme Others  Based on proactive DSA; Narasimha, et al. [ICNP’03], Saxena, et al. [SASN’03]  Based on proactive BLS; Saxena, et al. [ICISC’04] Under scrutiny in this work

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 8/22 URSA Proactive RSA Scheme (1/3) Setup Setup  Dealer generates RSA private key d and public key (e, N)  Randomly picks polynomial f(x) of degree t  Member M j is issued a secret share: f(x) = d + a 1 x + a 2 x 2 + … + a t x t (mod N) Signature generation Signature generation (signing group G, |G|=t+1)  Polynomial interpolation:,, where partial key:  M j outputs partial signature: ss j = f(j) (mod N) Recall: RSA signature s = m d (mod N)

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 9/22 URSA Proactive RSA Scheme (2/3) Signature reconstruction Signature reconstruction: Since  Try all (t+1) values of α, s.t. s e = m (mod N) Note: α is revealed

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 10/22 Problems with URSA Proactive RSA Robustness; Narasimha, et al. [ICNP’03]  Shares are computed mod N  Regular verifiability mechanisms fail  No verifiability  No robustness Fix  Share secret d modulo a large prime q  Use special purpose zero-knowledge proofs; Boudot [EC’00] & Camenisch and Michels [Crypto’99]

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 11/22 Problems with URSA Proactive RSA Is this scheme (modified with the robustness fix) secure in the presence of a coalition of t corrupt members? The answer is: negative

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 12/22 Our Attack (example): Binary Search t=1, n=2 Players M 1, M 2, Signing group G={1,2} Adversary A corrupts M 1 Recall: d = d 1 + d 2 – αN Signing protocol reveals α  If α = 0,  d = d 1 + d 2  d ≥ d 1  o/w if α = 1,  d = d 1 + (d 2 - N)  d < d 1 During proactive updates, A can choose ss 1 s.t. With every update round, the search interval is halved Binary search recovers d in log 2 (N) rounds 0 d 1 N Recall d 1 = ss 1 l 1 (mod N)

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 13/22 Our Attack: (t+1)-ary Search Adversary A corrupts M 1, M 2, …,M t (w.l.o.g) Signing group G p ={1,2,…,t, p}, where p > t A learns if d ≥ D p or d < D p, where During proactive updates, A can choose ss 1, ss 2,…, ss t s.t. Every round reveals log 2 (t+1) MSBs of d (t+1)-ary search recovers d inrounds 0D p1 D p2 D pt N

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 14/22 Optimal Choice of New Shares Solve following set of deterministic equations for ss 1, ss 2, …, ss t

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 15/22 URSA Proactive Update Simplified Classic protocol; Herzberg et al. [Crypto’95]  Update the shares but keep the same group secret d  A set of at least t+1 members update the polynomials  Each M i chooses random poly. δ i (z) of degree t s.t. δ i (0) = 0  M j gives δ j (i) to M i  M i ’s new share becomes ss i (old share was ss i ‘)  ss i ’ is deleted

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 16/22 Adversarial Behavior in Share Update B : t members corrupted by A M b B : member who “speaks last ” Update polynomial New shares are computed as M b waits until it receives all other shares and chooses its polynomial δ b (z) s.t. This sets A’s share to be ss 1, ss 2,…,ss t

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 17/22 Speeding-up the Attack Attack requires r = rounds Recover last 40-bits of d by brute-force given RSA public key (e,N)  r = Apply known results on RSA partial key exposure; Boneh, et al. [AC’01], Blomer-May [Crypto’03], Thm1: log 2 (e) MSBs of d determine 512-MSBs  r = e.g., for t = 7, |N|=1024, e =  r = 163 e = 3  r = 158

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 18/22 Speeding-up the Attack Number of proactive update rounds required for a given log N (e) value, for t=7 & |N|=1024

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 19/22 Attack Assumptions 1. Adversary corrupts t members of the update group Ω, one of whom “speaks last ” 2. In every round, t runs of the signing protocol are executed, the signing groups consisting of all bad and one (distinct) good player.

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 20/22 Insecurity of URSA For a modest threshold t=7, |N|=1024 and e=65537, the attack requires 163 proactive update rounds and a total of 1148 runs of the signing protocol The leakage is very fast  e.g. in just 34 rounds, 600 MSBs of d are revealed Other faster attacks are possible with signing group consisting of less than t bad players

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 21/22 Positive Result in a Related Work Jarecki and Saxena [in submission] URSA proactive RSA scheme (plus robustness fix) with additive-secret sharing is provably secure 2-4 times faster than the state-of-the-art Rabin’s proactive RSA [Crypto’98] However, not applicable for access control in ad hoc groups Open Problem: to design a provably secure proactive RSA scheme that yields an efficient access control mechanism for ad hoc groups!!

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 22/22 Thank You!

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 23/22

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 24/22

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 25/22 Speeding-up the Attack Thm2: For prime e ε [2 m, 2 m+1 ], with m ε [|N|/4,|N|/2], m MSBs of d determine d Thm3: For e ε [2 m, 2 m+1 ] and product of at most r primes, with m ε [|N|/4,|N|/2], m MSBs determine d given factorization of e  Thm4: For e ε [N 0.5, N 0.25 ], MSBs of d determine d, where α = log N (e) 

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 26/22 Our Attack: (t+1)-ary search Adversary A corrupts M 1, M 2, …,M t (w.l.o.g) Signing group G p ={1,2,…,t, p}, where p ε [t+1,..2t] Recall Signing protocol reveals α (Gp)  Compute  If S p ≥ α (Gp) N, A learns d ≥ D p  o/w if S p < α (Gp) N, A learns d < D p During proactive updates, A chooses ss 1, ss 2,…, ss t such that Every round reveals log 2 (t+1) MSBs of d (t+1)-ary search recovers d in rounds 0D t+1 D t+2 D 2t N-1