Upload
timothy-oneill
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
Attacking Cryptographic Schemes Based on
‘Perturbation Polynomials’
Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi
(IBM), Jonathan Katz (Univ. of MD)
Very high level summary
• Implementing secure protocols in MANETs can be challenging– Low bandwidth, memory, computational power– Limited battery life
• Much work designing new and highly efficient protocols tailored to this setting
• Often, provable security sacrificed for better efficiency– Replaced with heuristic analysis
This is a bad idea!
Outline of the talk
• Key predistribution
• An optimal, information-theoretic scheme
• A proposal by Zhang et al.
• Attacking their scheme
• Extensions and conclusions
Key predistribution
• Goal: distribute keying material to a set of N nodes, such that each pair of nodes can compute a shared key
• Two trivial solutions:– One key shared by all nodes
• Compromise of one nodecompromises entire network
– Independent key sharedby each pair of nodes
• O(N) storage per node
‘Optimal’ schemes
• [Blom], [Blundo et al.]• These schemes guarantee the following:
– Any pair of nodes shares a key– The key shared by any uncompromised nodes
remains information-theoretically secret as long as t or fewer nodes are compromised
• Storage O(t) per node– This is known to be optimal for schemes
satisfying the above
An ‘optimal’ scheme
• Choose random symmetric, bivariate polynomial F(x,y) of degree t in each variable
• Node i given the (univariate) polynomial si(y) = F(i,y)
• Key shared by i and j is si(j) = F(i,j) = sj(i)
Better than Blundo?
• If t large, even O(t) storage is prohibitive…
• Smaller t always better…
• How can we hope to do better?– Relax requirements?– Computational security
A new proposal
• [Zhang et al., MobiHoc 2007]– Extensions by Zhang et al. (INFOCOM ’08),
Subramanian et al. (PerCom ’07)
• Basic idea:– Give node i a polynomial si(y) that is “close”,
but not equal, to F(i,y)• Nodes i and j can still generate a shared key using
the high-order bits of si(j), sj(i), respectively• Harder(?) for an adversary to recover F(x,y) given
multiple si(y)
The scheme I
• Let p be a prime, r < p a “noise parameter”• Choose random, symmetric F(x,y) of
degree t in each variable• Choose random univariate g(y), h(y)
– Set SMALL = {i : 0 ≤ g(i), h(i) ≤ r}; these will be the node-IDs
• Each node i gets si(y) = F(i,y) + bi g(y) + (1-bi) h(y),where bi is chosen randomly
The scheme II
• Note that |si(j) – sj(i)| ≤ r• Nodes i and j can agree on a key using the
high-order bits• Suggested parameters: p≈232, r≈222, t=76
– Storage per node (per key-bit): ≈240 bits– Blundo et al. scheme would give security for
≈240 corruptions– Zhang et al. claim resistance to unbounded
number of corruptions
Note
• Expected size of SMALL is r2/p– Need r2/p ≥ N
• Setup requires O(Np2/r2) work
• Shared key has length O(log(p/r))– Run many schemes in parallel to increase key
length
Attacks using list decoding
• Compromise n=4t+1 nodes to get s1(y), …, sn(y)
• Choose any uncorrupted j*, set yi = si(j*)
• Note: yi {f0(i), f1(i)}, where f0(y) = F(y,j*) + h(j*) and f1(y) = F(y,j*) + g(j*)
– So for some b and at least 2t+1 values of i, we have yi=fb(i)
– We can use list decoding to recover fb(y)
– Can then compute fb(i*)≈sj*(i*) for any i*
Improved attack
• Corrupt n=3t+1 nodes• Choose any uncorrupted j*, set yi = si(j*)• Assume =g(j*)-h(j*) known• Let S={(i, yi)}
– Add to S the n tuples (i, yi-)
• For all (i,y) S, we have y {f0(i), f1(i), f0(i)-}• For every i, either f0(i)=yi or f0(i)=yi-
– So for n tuples (i,y) S (out of 2n tuples total) we have f0(i)=y
– Use list decoding to recover f0(y)
Improvements
• What if we add even more noise?
• Resistance to 4t+1 corruptions (or an attack with O(r) work) may be acceptable
• Next: a more efficient attack, corrupting fewer nodes, that works even when more noise is added
Adding more noise
• Let u be small
• Now set si(y) = F(i,y) + i g(y) + i h(y), where i, i [-u, u]
– u=1 corresponds to the original scheme
Attack using lattices
• Associate degree-t polynomials with vectors of length t+1– I.e., p(y) = a0 + … + at yt (a0, …, at)
• Define the vector fi = F(i, y)
• So si = fi + i g + i h
• Crucial observation– “Noise” added to fi drawn from 2-dimensional
subspace
Attack outline
• Crucial observation– “Noise” added to fi drawn from 2-dimensional
subspace
• Attack:– Identify the “noise subspace”– Find g, h– Solve for F
Step 1
• Corrupt n=t+3 nodes, get si = fi + i g + i h
• We know ft+1 = Σi=0…t i fi and ft+2 = Σi=0…t ’i fi
• So: st+1 - Σi=0…t i si span(g, h) st+2 - Σi=0…t ’i si span(g, h)
• Likely to be linearly independent– Likely to be a basis for span(g, h)!
Step 2: find g and h
• We have v, v’ with span(v,v’) = span(g,h)
• Find g, h using the fact that g(id), h(id) are “small” modulo p
• To do this, find short vectors in the lattice:v(x1) v(x2) … v(xk)
v’(x1) v’(x2) … v’(xk)p 0 … 00 p … 0… … … …0 0 … p
Step 3: find F
• Since F is symmetric, for all i, j we have si(j) - i g(j) - i h(j) = sj(i) - j g(i) - j h(i) – Gives O(n2) equations in 2n unknowns– But under-determined!
• Can find the i, i using the fact that they lie in [-u, u]– Takes time O(t3 + t u3)
• Note: u cannot be too large– Need 4ur < p to share a 1-bit key, even then the
attack takes time O(t3 + t (p/r)3)– Setup takes time O(N (p/r)2)
Implementation
• Attack implemented on a desktop PC
• Our attacks extend to other schemes that use the same approach– Apply to various other extensions as well
p r t setup time attack time
232-5 222 76
236-5 224 77
60 min
1060 min
10 min
8 min
Conclusions
The ‘perturbation polynomials’ approach is dead!
Moral: provable security is crucial
Thank you!