attacking cryptographic schemes based on perturbation polynomials martin albrecht (royal holloway),...
TRANSCRIPT
![Page 1: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/1.jpg)
Attacking Cryptographic Schemes Based on
‘Perturbation Polynomials’
Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi
(IBM), Jonathan Katz (Univ. of MD)
![Page 2: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/2.jpg)
Very high level summary
• Implementing secure protocols in MANETs can be challenging– Low bandwidth, memory, computational power– Limited battery life
• Much work designing new and highly efficient protocols tailored to this setting
• Often, provable security sacrificed for better efficiency– Replaced with heuristic analysis
This is a bad idea!
![Page 3: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/3.jpg)
Outline of the talk
• Key predistribution
• An optimal, information-theoretic scheme
• A proposal by Zhang et al.
• Attacking their scheme
• Extensions and conclusions
![Page 4: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/4.jpg)
Key predistribution
• Goal: distribute keying material to a set of N nodes, such that each pair of nodes can compute a shared key
• Two trivial solutions:– One key shared by all nodes
• Compromise of one nodecompromises entire network
– Independent key sharedby each pair of nodes
• O(N) storage per node
![Page 5: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/5.jpg)
‘Optimal’ schemes
• [Blom], [Blundo et al.]• These schemes guarantee the following:
– Any pair of nodes shares a key– The key shared by any uncompromised nodes
remains information-theoretically secret as long as t or fewer nodes are compromised
• Storage O(t) per node– This is known to be optimal for schemes
satisfying the above
![Page 6: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/6.jpg)
An ‘optimal’ scheme
• Choose random symmetric, bivariate polynomial F(x,y) of degree t in each variable
• Node i given the (univariate) polynomial si(y) = F(i,y)
• Key shared by i and j is si(j) = F(i,j) = sj(i)
![Page 7: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/7.jpg)
Better than Blundo?
• If t large, even O(t) storage is prohibitive…
• Smaller t always better…
• How can we hope to do better?– Relax requirements?– Computational security
![Page 8: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/8.jpg)
A new proposal
• [Zhang et al., MobiHoc 2007]– Extensions by Zhang et al. (INFOCOM ’08),
Subramanian et al. (PerCom ’07)
• Basic idea:– Give node i a polynomial si(y) that is “close”,
but not equal, to F(i,y)• Nodes i and j can still generate a shared key using
the high-order bits of si(j), sj(i), respectively• Harder(?) for an adversary to recover F(x,y) given
multiple si(y)
![Page 9: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/9.jpg)
The scheme I
• Let p be a prime, r < p a “noise parameter”• Choose random, symmetric F(x,y) of
degree t in each variable• Choose random univariate g(y), h(y)
– Set SMALL = {i : 0 ≤ g(i), h(i) ≤ r}; these will be the node-IDs
• Each node i gets si(y) = F(i,y) + bi g(y) + (1-bi) h(y),where bi is chosen randomly
![Page 10: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/10.jpg)
The scheme II
• Note that |si(j) – sj(i)| ≤ r• Nodes i and j can agree on a key using the
high-order bits• Suggested parameters: p≈232, r≈222, t=76
– Storage per node (per key-bit): ≈240 bits– Blundo et al. scheme would give security for
≈240 corruptions– Zhang et al. claim resistance to unbounded
number of corruptions
![Page 11: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/11.jpg)
Note
• Expected size of SMALL is r2/p– Need r2/p ≥ N
• Setup requires O(Np2/r2) work
• Shared key has length O(log(p/r))– Run many schemes in parallel to increase key
length
![Page 12: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/12.jpg)
Attacks using list decoding
• Compromise n=4t+1 nodes to get s1(y), …, sn(y)
• Choose any uncorrupted j*, set yi = si(j*)
• Note: yi {f0(i), f1(i)}, where f0(y) = F(y,j*) + h(j*) and f1(y) = F(y,j*) + g(j*)
– So for some b and at least 2t+1 values of i, we have yi=fb(i)
– We can use list decoding to recover fb(y)
– Can then compute fb(i*)≈sj*(i*) for any i*
![Page 13: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/13.jpg)
Improved attack
• Corrupt n=3t+1 nodes• Choose any uncorrupted j*, set yi = si(j*)• Assume =g(j*)-h(j*) known• Let S={(i, yi)}
– Add to S the n tuples (i, yi-)
• For all (i,y) S, we have y {f0(i), f1(i), f0(i)-}• For every i, either f0(i)=yi or f0(i)=yi-
– So for n tuples (i,y) S (out of 2n tuples total) we have f0(i)=y
– Use list decoding to recover f0(y)
![Page 14: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/14.jpg)
Improvements
• What if we add even more noise?
• Resistance to 4t+1 corruptions (or an attack with O(r) work) may be acceptable
• Next: a more efficient attack, corrupting fewer nodes, that works even when more noise is added
![Page 15: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/15.jpg)
Adding more noise
• Let u be small
• Now set si(y) = F(i,y) + i g(y) + i h(y), where i, i [-u, u]
– u=1 corresponds to the original scheme
![Page 16: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/16.jpg)
Attack using lattices
• Associate degree-t polynomials with vectors of length t+1– I.e., p(y) = a0 + … + at yt (a0, …, at)
• Define the vector fi = F(i, y)
• So si = fi + i g + i h
• Crucial observation– “Noise” added to fi drawn from 2-dimensional
subspace
![Page 17: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/17.jpg)
Attack outline
• Crucial observation– “Noise” added to fi drawn from 2-dimensional
subspace
• Attack:– Identify the “noise subspace”– Find g, h– Solve for F
![Page 18: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/18.jpg)
Step 1
• Corrupt n=t+3 nodes, get si = fi + i g + i h
• We know ft+1 = Σi=0…t i fi and ft+2 = Σi=0…t ’i fi
• So: st+1 - Σi=0…t i si span(g, h) st+2 - Σi=0…t ’i si span(g, h)
• Likely to be linearly independent– Likely to be a basis for span(g, h)!
![Page 19: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/19.jpg)
Step 2: find g and h
• We have v, v’ with span(v,v’) = span(g,h)
• Find g, h using the fact that g(id), h(id) are “small” modulo p
• To do this, find short vectors in the lattice:v(x1) v(x2) … v(xk)
v’(x1) v’(x2) … v’(xk)p 0 … 00 p … 0… … … …0 0 … p
![Page 20: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/20.jpg)
Step 3: find F
• Since F is symmetric, for all i, j we have si(j) - i g(j) - i h(j) = sj(i) - j g(i) - j h(i) – Gives O(n2) equations in 2n unknowns– But under-determined!
• Can find the i, i using the fact that they lie in [-u, u]– Takes time O(t3 + t u3)
• Note: u cannot be too large– Need 4ur < p to share a 1-bit key, even then the
attack takes time O(t3 + t (p/r)3)– Setup takes time O(N (p/r)2)
![Page 21: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/21.jpg)
Implementation
• Attack implemented on a desktop PC
• Our attacks extend to other schemes that use the same approach– Apply to various other extensions as well
p r t setup time attack time
232-5 222 76
236-5 224 77
60 min
1060 min
10 min
8 min
![Page 22: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/22.jpg)
Conclusions
The ‘perturbation polynomials’ approach is dead!
Moral: provable security is crucial
![Page 23: Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz](https://reader036.vdocuments.us/reader036/viewer/2022062511/5514ceb6550346b0338b4f79/html5/thumbnails/23.jpg)
Thank you!