Spreading Alerts Quietly and the Subgroup Escape Problem - PowerPoint PPT Presentation

About This Presentation
Title:

Spreading Alerts Quietly and the Subgroup Escape Problem

Description:

Title: Slide 1 Created Date: 6/4/2004 5:54:40 PM Document presentation format: On-screen Show Company: Microsoft Corporation Other titles: Arial Times New Roman ... – PowerPoint PPT presentation

Number of Views:45
Avg rating:3.0/5.0
Slides: 28
Provided by: csYaleEd4
Learn more at: http://www.cs.yale.edu
Category:

less

Transcript and Presenter's Notes

Title: Spreading Alerts Quietly and the Subgroup Escape Problem


1
Spreading Alerts Quietly and the Subgroup Escape
Problem
  • Aleksandr Yampolskiy (Yale)
  • Joint work with James Aspnes,
    Zoë Diamadi, Kristian Gjøsteen, and
    René Peralta

2
Outline
  • Motivation
  • Blind coupon mechanism
  • Abstract group structure
  • Instantiating the abstract group structure
  • How to spread alerts
  • Conclusions and open problems

3
Our model
  • Message-passing network of n nodes.
  • Two types of nodes regular or sentinel.
  • Sentinel nodes run Intrusion Detection Software
    which looks for attackers presence.

4
The attacker
  • Observes all network traffic.
  • Controls the timing and content of delivered
    messages.

5
Our goal
  • Can sentinel nodes quickly alert all network
    nodes to attackers presence?
  • We want to prevent the attacker from
  • - fabricating false alerts
  • - identifying the presence or source of alert

We are attacked!
We are attacked!
We are attacked!
We are attacked!
6
Blind coupon mechanism
  • A blind coupon mechanism (BCM) is a PPT tuple (G,
    V, C, D)
  • Key generation G(1k)
  • Outputs public and secret keys (PK, SK) and two
    strings (d, s).
  • Secret key defines the sets of dummy coupons DSK
    and signal coupons SSK. We call (DSK ? SSK) valid
    coupons. Also, d2 DSK, s2 SSK.

7
Blind coupon mechanism (cont.)
  • Verification algorithm VPK(y) returns 1 if y is
    valid, 0 otherwise.
  • Decoding algorithm DSK(y) outputs 0 if y is a
    dummy coupon 1 if it is a signal coupon.
  • Combining algorithm z à CPK(x, y) outputs a
    signal coupon iff one of the inputs is a signal
    coupon.

8
Blind coupon mechanism (cont.)
  • Def A BCM (G, V, C, D) is secure if
  • signal and dummy coupons look similar
  • cannot generate a signal coupon from scratch
  • combining algorithm is blinding

C( , )
C( , )
¼
¼
9
Abstract group structure (U, G, D)
  • Special group structure yields an efficient BCM.
  • A finite set U, a cyclic group GµU, generated by
    s, and its subgroup DG, generated by d.
  • G/D is prime. Also, G/U and D/G are
    small.

signal
dummy
G
D
U
invalid
10
Hardness assumptions
  • Subgroup Membership Problem given a tuple (U, G,
    D, d, s) and y2 G, it is hard to decide whether
    y2 D or y2 GnD.
  • Many examples DDH, QRA, Paillier, etc.

¼
???
G
G
D
11
Hardness assumptions (cont.)
  • Subgroup Escape Problem given a tuple (U, G,
    D, d), it is hard to find an element y2
    GnD
  • Has not appeared in the literature before.

¼
???
G
G
D
12
The BCM construction on (U, G, D)
  • The BCM (G, C, V, D) is as follows
  • Key generation Let PK(U, G, d) and SKD.
  • Combining algorithm CPK(x, y) outputs
    dr0?xr1?yr2, where r0,r1,r22r 0,, 22k-1
  • Verification algorithm VPK(y) checks that y2G.
  • Decoding algorithm DSK(y) outputs 0 (dummy) if
    ySK1 and outputs 1 (signal) otherwise.

13
Security theorem
  • Theorem If the subgroup membership problem and
    subgroup escape problems for (U, G, D) are hard,
    then our BCM is secure.
  • Proof idea
  • CPK(x, y)dr0?xr1?yr2 ) it is blinding
  • x,y2 D ) CPK(x,y) uniform in D
  • x 2 G\D) xr1D uniform in G\D ) CPK(x, y) uniform
    in G
  • subgroup membership hard )
  • subgroup escape hard )

Pr ?
14
Security theorem (cont.)
  • Challenge Find concrete (U, G, D) for which
    subgroup membership and subgroup escape problems
    are hard.
  • Answer
  • Elliptic curves over Zn, where npq.
  • Bilinear groups with specific order.

15
Elliptic Curves over Zn
  • Set of (xyz) such that y2 z x3 axz2 bz3
    (mod n) where gcd(4a2-27b3,n)1.
  • Fact Points of elliptic curve form an additive
    group E(Zn) for npq.
  • Key property of E(Zn) hard to find new group
    elements except by using group operation on
    previously known group elements.
  • Previously considered a nuisance Lenstra 87,
    Demytko 98 rather than a useful cryptographic
    property Gjøsteen 04.

16
Elliptic Curves over Zn (cont.)
  • Challenge Find (xyz) such that
    y2z x3 axz2 bz3 (mod
    n).
  • Answer It seems hard!
  • Choose x and solve for y compute vmod n.
  • Choose y and solve for x solve cubic equation.
  • Find x and y simultaneously not obvious.
  • LLL-based methods dont seem to pose a threat.
  • Finding rational non-torsion points on curves
    over Q seems hard.

17
Elliptic Curves over Zn (cont.)
  • Let p,q,l1,l2,l3 be primes.
  • Using complex multiplication techniques
    Lay-Zimmer 94, we can find curves Ep/Fp and
    Eq/Fq with Ep(Fp)l1l2, Eq(Fq)l3.
  • Let npq. Then E(Zn) ¼ Ep(Fp)Eq(Fq) with
    E(Zn)l1l2l3.
  • Let U be projective plane, G be E(Zn), and DG be
    its subgroup of order l1l3. Let PK(G,D,n),
    SK(p,q,l1,l2,l3).

18
Elliptic Curves over Zn (cont.)
  • Verification Algorithm Given a coupon (xyz),
    it is easy to check if y2z x3axz2bz3 (mod n).
  • Subgroup Membership Problem Hard to distinguish
    elements of D (order l1l3) from elements of GnD.
  • For EP(FP), distinguishing elements of prime
    order from elements of composite order is hard
    unless can factor EP(FP) Gjo05.
  • Computing E(Zn) is as hard as factoring n
    Kunihiro-Koyama 98.
  • Thus, Ep(Fp) is hidden.
  • Subgroup Escape Problem Hard as long as
    adversary cannot find random group elements in
    GE(Zn).

19
Spreading alerts with the BCM
  • During initial network setup, the administrator
    generates keys for BCM (G, C, V, D).
  • He gives dummy coupons to all nodes. Sentinel
    nodes also receive signal coupons.

20
Spreading alerts with the BCM
  • Nodes continually broadcast coupons to their
    neighbors.
  • Initially, everyone transmits dummy coupons.
  • Sentinel nodes switch to sending signal coupons
    upon detecting an attacker.
  • Attacker may tamper with messages.

1
!_at_
21
Spreading alerts with the BCM
  • Upon receiving a coupon, a node verifies that the
    coupon is valid.

V( )0
1
!_at_
V( )1
V( )1
22
Spreading alerts with the BCM
  • Upon receiving a coupon, a node verifies that the
    coupon is valid.
  • If the coupon is valid, the node combines it with
    its own coupon. Otherwise, the coupon is
    discarded.

C( , )
C( , )
23
Security theorem
  • Theorem If the BCM is secure, then so is the
    alert propagation mechanism.
  • Proof idea Because adversary cannot distinguish
    between dummy and signal coupons, he cannot test
    their presence or absence in the network traffic.
    Same for coupon forgery.

24
Efficiency
  • Synchronous flooding model All nodes receive an
    alert in ? steps, where ? is the diameter of the
    subgraph of non-faulty nodes.
  • Simple epidemic model Communication graph is
    complete. All nodes receive an alert in O(n log
    n) steps.

25
Conclusion
  • Useful crypto primitive BCM (Æ-homomorphic bit
    commitment).
  • It can be used to construct an undetectable
    anonymous private channel.
  • New crypto tool? Subgroup escape assumption.
  • Non-interactive proofs of circuit satisfiability
    of length linear in the number of Æ gates.
  • Applications to i-voting Chaum et al. 04.

26
Open problems
  • Can BCM with constant expansion ratio be
    constructed using standard assumptions?
  • Can we transmit multiple bits without a linear
    blow up in message size?

27
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com