Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Published byTimothy O'Neill Modified over 10 years ago

Similar presentations

Presentation on theme: "Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz."— Presentation transcript:

1 Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz (Univ. of MD)

2 Very high level summary Implementing secure protocols in MANETs can be challenging –Low bandwidth, memory, computational power –Limited battery life Much work designing new and highly efficient protocols tailored to this setting Often, provable security sacrificed for better efficiency –Replaced with heuristic analysis This is a bad idea!

3 Outline of the talk Key predistribution An optimal, information-theoretic scheme A proposal by Zhang et al. Attacking their scheme Extensions and conclusions

4 Key predistribution Goal: distribute keying material to a set of N nodes, such that each pair of nodes can compute a shared key Two trivial solutions: –One key shared by all nodes Compromise of one node compromises entire network –Independent key shared by each pair of nodes O(N) storage per node

5 Optimal schemes [Blom], [Blundo et al.] These schemes guarantee the following: –Any pair of nodes shares a key –The key shared by any uncompromised nodes remains information-theoretically secret as long as t or fewer nodes are compromised Storage O(t) per node –This is known to be optimal for schemes satisfying the above

6 An optimal scheme Choose random symmetric, bivariate polynomial F(x,y) of degree t in each variable Node i given the (univariate) polynomial s i (y) = F(i,y) Key shared by i and j is s i (j) = F(i,j) = s j (i)

7 Better than Blundo? If t large, even O(t) storage is prohibitive… Smaller t always better… How can we hope to do better? –Relax requirements? –Computational security

8 A new proposal [Zhang et al., MobiHoc 2007] –Extensions by Zhang et al. (INFOCOM 08), Subramanian et al. (PerCom 07) Basic idea: –Give node i a polynomial s i (y) that is close, but not equal, to F(i,y) Nodes i and j can still generate a shared key using the high-order bits of s i (j), s j (i), respectively Harder(?) for an adversary to recover F(x,y) given multiple s i (y)

9 The scheme I Let p be a prime, r < p a noise parameter Choose random, symmetric F(x,y) of degree t in each variable Choose random univariate g(y), h(y) –Set SMALL = {i : 0 g(i), h(i) r}; these will be the node-IDs Each node i gets s i (y) = F(i,y) + b i g(y) + (1-b i ) h(y), where b i is chosen randomly

10 The scheme II Note that |s i (j) – s j (i)| r Nodes i and j can agree on a key using the high-order bits Suggested parameters: p2 32, r2 22, t=76 –Storage per node (per key-bit): 240 bits –Blundo et al. scheme would give security for 240 corruptions –Zhang et al. claim resistance to unbounded number of corruptions

11 Note Expected size of SMALL is r 2 /p –Need r 2 /p N Setup requires O(Np 2 /r 2 ) work Shared key has length O(log(p/r)) –Run many schemes in parallel to increase key length

12 Attacks using list decoding Compromise n=4t+1 nodes to get s 1 (y), …, s n (y) Choose any uncorrupted j *, set y i = s i (j * ) Note: y i {f 0 (i), f 1 (i)}, where f 0 (y) = F(y,j * ) + h(j * ) and f 1 (y) = F(y,j * ) + g(j * ) –So for some b and at least 2t+1 values of i, we have y i =f b (i) –We can use list decoding to recover f b (y) –Can then compute f b (i * )s j* (i * ) for any i *

13 Improved attack Corrupt n=3t+1 nodes Choose any uncorrupted j *, set y i = s i (j * ) Assume =g(j * )-h(j * ) known Let S={(i, y i )} –Add to S the n tuples (i, y i - ) For all (i,y) S, we have y {f 0 (i), f 1 (i), f 0 (i)- } For every i, either f 0 (i)=y i or f 0 (i)=y i - –So for n tuples (i,y) S (out of 2n tuples total) we have f 0 (i)=y –Use list decoding to recover f 0 (y)

14 Improvements What if we add even more noise? Resistance to 4t+1 corruptions (or an attack with O(r) work) may be acceptable Next: a more efficient attack, corrupting fewer nodes, that works even when more noise is added

15 Adding more noise Let u be small Now set s i (y) = F(i,y) + i g(y) + i h(y), where i, i [-u, u] –u=1 corresponds to the original scheme

16 Attack using lattices Associate degree-t polynomials with vectors of length t+1 –I.e., p(y) = a 0 + … + a t y t (a 0, …, a t ) Define the vector f i = F(i, y) So s i = f i + i g + i h Crucial observation –Noise added to f i drawn from 2-dimensional subspace

17 Attack outline Crucial observation –Noise added to f i drawn from 2-dimensional subspace Attack: –Identify the noise subspace –Find g, h –Solve for F

18 Step 1 Corrupt n=t+3 nodes, get s i = f i + i g + i h We know f t+1 = Σ i=0…t i f i and f t+2 = Σ i=0…t i f i So: s t+1 - Σ i=0…t i s i span(g, h) s t+2 - Σ i=0…t i s i span(g, h) Likely to be linearly independent –Likely to be a basis for span(g, h)!

19 Step 2: find g and h We have v, v with span(v,v) = span(g,h) Find g, h using the fact that g(id), h(id) are small modulo p To do this, find short vectors in the lattice: v(x 1 )v(x 2 )…v(x k ) v(x 1 )v(x 2 )…v(x k ) p0…0 0p…0 ………… 00…p

20 Step 3: find F Since F is symmetric, for all i, j we have s i (j) - i g(j) - i h(j) = s j (i) - j g(i) - j h(i) –Gives O(n 2 ) equations in 2n unknowns –But under-determined! Can find the i, i using the fact that they lie in [- u, u] –Takes time O(t 3 + t u 3 ) Note: u cannot be too large –Need 4ur < p to share a 1-bit key, even then the attack takes time O(t 3 + t (p/r) 3 ) –Setup takes time O(N (p/r) 2 )

21 Implementation Attack implemented on a desktop PC Our attacks extend to other schemes that use the same approach –Apply to various other extensions as well prtsetup timeattack time 2 32 -52 22 76 2 36 -52 24 77 60 min 1060 min 10 min 8 min

22 Conclusions The perturbation polynomials approach is dead! Moral: provable security is crucial

23 Thank you!

Download ppt "Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz."

Similar presentations

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
Rectangle-Efficient Aggregation in Spatial Data Streams Srikanta Tirthapura David Woodruff Iowa State IBM Almaden.

Rectangle-Efficient Aggregation in Spatial Data Streams Srikanta Tirthapura David Woodruff Iowa State IBM Almaden.
The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 1 23 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Lower Bounds for Local Search by Quantum Arguments Scott Aaronson.

Lower Bounds for Local Search by Quantum Arguments Scott Aaronson.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.

Ulams Game and Universal Communications Using Feedback Ofer Shayevitz June 2006.
Estimation of Means and Proportions

Estimation of Means and Proportions
I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.

I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.
5.4 Basis And Dimension.

5.4 Basis And Dimension.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Shahzad Basiri Imam Hossein university Workshop on key distribution Tuesday, May 24, 2011 Linear Key Predistribution Scheme.

Shahzad Basiri Imam Hossein university Workshop on key distribution Tuesday, May 24, 2011 Linear Key Predistribution Scheme.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Similar presentations

Ads by Google