Spreading Alerts Quietly and the Subgroup Escape Problem

Created Date: 6/4/2004 5:54:40 PM

Provided by: csYaleEd4
Learn more at: http://www.cs.yale.edu

1
Spreading Alerts Quietly and the Subgroup Escape
Problem
  • Aleksandr Yampolskiy (Yale)
  • Joint work with James Aspnes,
    Zoë Diamadi, Kristian Gjøsteen, and
    René Peralta

2
Outline
  • Motivation
  • Blind coupon mechanism
  • Abstract group structure
  • Instantiating the abstract group structure
  • How to spread alerts
  • Conclusions and open problems

3
Our model
  • Message-passing network of n nodes.
  • Two types of nodes: regular or sentinel.
  • Sentinel nodes run Intrusion Detection Software
    which looks for the attacker's presence.

4
The attacker
  • Observes all network traffic.
  • Controls the timing and content of delivered
    messages.

5
Our goal
  • Can sentinel nodes quickly alert all network
    nodes to the attacker's presence?
  • We want to prevent the attacker from:
    - fabricating false alerts
    - identifying the presence or source of an alert

[Figure: nodes announcing "We are attacked!"]
6
Blind coupon mechanism
  • A blind coupon mechanism (BCM) is a PPT tuple (G,
    V, C, D).
  • Key generation $G(1^k)$:
  • Outputs public and secret keys (PK, SK) and two
    strings (d, s).
  • Secret key defines the sets of dummy coupons $D_{SK}$
    and signal coupons $S_{SK}$. We call $D_{SK} \cup S_{SK}$ the valid
    coupons. Also, $d \in D_{SK}$, $s \in S_{SK}$.

7
Blind coupon mechanism (cont.)
  • Verification algorithm $V_{PK}(y)$ returns 1 if y is
    valid, 0 otherwise.
  • Decoding algorithm $D_{SK}(y)$ outputs 0 if y is a
    dummy coupon and 1 if it is a signal coupon.
  • Combining algorithm $z \leftarrow C_{PK}(x, y)$ outputs a
    signal coupon iff one of the inputs is a signal
    coupon.

8
Blind coupon mechanism (cont.)
  • Def: A BCM (G, V, C, D) is secure if:
  • signal and dummy coupons look similar
  • cannot generate a signal coupon from scratch
  • combining algorithm is blinding

9
Abstract group structure (U, G, D)
  • Special group structure yields an efficient BCM.
  • A finite set U, a cyclic group $G \subseteq U$, generated by
    s, and its subgroup $D \subset G$, generated by d.
  • $|G|/|D|$ is prime. Also, $|G|/|U|$ and $|D|/|G|$ are
    small.

[Figure: nested sets D, G and U; regions labelled dummy, signal and invalid.]
10
Hardness assumptions
  • Subgroup Membership Problem: given a tuple (U, G,
    D, d, s) and $y \in G$, it is hard to decide whether
    $y \in D$ or $y \in G \setminus D$.
  • Many examples: DDH, QRA, Paillier, etc.

11
Hardness assumptions (cont.)
  • Subgroup Escape Problem: given a tuple (U, G,
    D, d), it is hard to find an element
    $y \in G \setminus D$.
  • Has not appeared in the literature before.

12
The BCM construction on (U, G, D)
  • The BCM (G, C, V, D) is as follows:
  • Key generation: Let $PK = (U, G, d)$ and $SK = |D|$.
  • Combining algorithm $C_{PK}(x, y)$ outputs
    $d^{r_0} \cdot x^{r_1} \cdot y^{r_2}$, where $r_0, r_1, r_2 \in_R \{0, \ldots, 2^{2k}-1\}$.
  • Verification algorithm $V_{PK}(y)$ checks that $y \in G$.
  • Decoding algorithm $D_{SK}(y)$ outputs 0 (dummy) if
    $y^{SK} = 1$ and outputs 1 (signal) otherwise.

13
Security theorem
  • Theorem: If the subgroup membership and
    subgroup escape problems for (U, G, D) are hard,
    then our BCM is secure.
  • Proof idea:
  • $C_{PK}(x, y) = d^{r_0} \cdot x^{r_1} \cdot y^{r_2} \Rightarrow$ it is blinding
  • $x, y \in D \Rightarrow C_{PK}(x, y)$ uniform in D
  • $x \in G \setminus D \Rightarrow x^{r_1} D$ uniform in $G \setminus D \Rightarrow C_{PK}(x, y)$ uniform
    in G
  • subgroup membership hard $\Rightarrow$
  • subgroup escape hard $\Rightarrow$

Pr ?
14
Security theorem (cont.)
  • Challenge: Find concrete (U, G, D) for which
    subgroup membership and subgroup escape problems
    are hard.
  • Answer:
  • Elliptic curves over $\mathbb{Z}_n$, where $n = pq$.
  • Bilinear groups with specific order.

15
Elliptic Curves over $\mathbb{Z}_n$
  • Set of $(x : y : z)$ such that $y^2 z \equiv x^3 + a x z^2 + b z^3
    \pmod{n}$, where $\gcd(4a^2 - 27b^3, n) = 1$.
  • Fact: Points of the elliptic curve form an additive
    group $E(\mathbb{Z}_n)$ for $n = pq$.
  • Key property of $E(\mathbb{Z}_n)$: hard to find new group
    elements except by using the group operation on
    previously known group elements.
  • Previously considered a nuisance [Lenstra 87,
    Demytko 98] rather than a useful cryptographic
    property [Gjøsteen 04].

16
Elliptic Curves over $\mathbb{Z}_n$ (cont.)
  • Challenge: Find $(x : y : z)$ such that
    $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod{n}$.
  • Answer: It seems hard!
  • Choose x and solve for y: compute a square root mod n.
  • Choose y and solve for x: solve a cubic equation.
  • Find x and y simultaneously: not obvious.
  • LLL-based methods don't seem to pose a threat.
  • Finding rational non-torsion points on curves
    over Q seems hard.

17
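Elliptic Curves over $\mathbb{Z}_n$ (cont.)
  • Let $p, q, \ell_1, \ell_2, \ell_3$ be primes.
  • Using complex multiplication techniques
    [Lay-Zimmer 94], we can find curves $E_p/\mathbb{F}_p$ and
    $E_q/\mathbb{F}_q$ with $|E_p(\mathbb{F}_p)| = \ell_1 \ell_2$, $|E_q(\mathbb{F}_q)| = \ell_3$.
  • Let $n = pq$. Then $E(\mathbb{Z}_n) \cong E_p(\mathbb{F}_p) \times E_q(\mathbb{F}_q)$ with
    $|E(\mathbb{Z}_n)| = \ell_1 \ell_2 \ell_3$.
  • Let U be the projective plane, G be $E(\mathbb{Z}_n)$, and $D \subset G$ be
    its subgroup of order $\ell_1 \ell_3$. Let $PK = (G, D, n)$,
    $SK = (p, q, \ell_1, \ell_2, \ell_3)$.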

18
Elliptic Curves over $\mathbb{Z}_n$ (cont.)
  • Verification Algorithm: Given a coupon $(x : y : z)$,
    it is easy to check if $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod{n}$.
  • Subgroup Membership Problem: Hard to distinguish
    elements of D (order $\ell_1 \ell_3$) from elements of $G \setminus D$.
  • For $E_p(\mathbb{F}_p)$, distinguishing elements of prime
    order from elements of composite order is hard
    unless one can factor $|E_p(\mathbb{F}_p)|$ [Gjo05].
  • Computing $|E(\mathbb{Z}_n)|$ is as hard as factoring n
    [Kunihiro-Koyama 98].
  • Thus, $|E_p(\mathbb{F}_p)|$ is hidden.
  • Subgroup Escape Problem: Hard as long as the
    adversary cannot find random group elements in
    $G = E(\mathbb{Z}_n)$.

19
Spreading alerts with the BCM
  • During initial network setup, the administrator
    generates keys for BCM (G, C, V, D).
  • He gives dummy coupons to all nodes. Sentinel
    nodes also receive signal coupons.

20
Spreading alerts with the BCM
  • Nodes continually broadcast coupons to their
    neighbors.
  • Initially, everyone transmits dummy coupons.
  • Sentinel nodes switch to sending signal coupons
    upon detecting an attacker.
  • Attacker may tamper with messages.

21
Spreading alerts with the BCM
  • Upon receiving a coupon, a node verifies that the
    coupon is valid.

22
Spreading alerts with the BCM
  • Upon receiving a coupon, a node verifies that the
    coupon is valid.
  • If the coupon is valid, the node combines it with
    its own coupon. Otherwise, the coupon is
    discarded.

23
Security theorem
  • Theorem: If the BCM is secure, then so is the
    alert propagation mechanism.
  • Proof idea: Because the adversary cannot distinguish
    between dummy and signal coupons, he cannot test
    their presence or absence in the network traffic.
    Same for coupon forgery.

24
Efficiency
  • Synchronous flooding model: All nodes receive an
    alert in ? steps, where ? is the diameter of the
    subgraph of non-faulty nodes.
  • Simple epidemic model: Communication graph is
    complete. All nodes receive an alert in O(n log
    n) steps.
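
An added example, not part of the original slides: a toy run of the construction $C_{PK}(x, y) = d^{r_0} \cdot x^{r_1} \cdot y^{r_2}$ from slide 12 and of the verify-then-combine spreading procedure under synchronous flooding on a line of nodes. It assumes U = Z_P^* with |G| published so that V can run, a group in which neither the subgroup membership nor the subgroup escape problem is hard, so it shows correctness only; the primes L1 and L2, the parameter K and all function names are constructed for the example.

```python
import secrets

K = 32                       # security parameter k: exponents are drawn from {0, ..., 2^(2k) - 1}
L1, L2 = 8191, 2147483647    # constructed toy primes: |D| = L1 and |G|/|D| = L2

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; deterministic with these bases for n < 3.1e23."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    def witness(a):          # True if base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(
            (x := x * x % n) != n - 1 for _ in range(r - 1))
    return not any(witness(a) for a in bases)

def keygen():
    """Toy G(1^k): returns PK = (P, |G|, d), SK = |D|, a dummy d and a signal s."""
    P = 2 * L1 * L2 + 1
    while not is_prime(P):   # need |G| = L1 * L2 to divide P - 1
        P += 2 * L1 * L2
    for h in range(2, P):    # s = h^((P-1)/|G|) generates G when its order is L1 * L2
        s = pow(h, (P - 1) // (L1 * L2), P)
        if pow(s, L1, P) != 1 and pow(s, L2, P) != 1:
            break
    d = pow(s, L2, P)        # d = s^L2 generates D, the subgroup of order L1
    return (P, L1 * L2, d), L1, d, s

def verify(pk, y):           # V_PK(y): 1 iff y lies in G
    return int(0 < y < pk[0] and pow(y, pk[1], pk[0]) == 1)

def combine(pk, x, y):       # C_PK(x, y) = d^r0 * x^r1 * y^r2
    r0, r1, r2 = (secrets.randbelow(2 ** (2 * K)) for _ in range(3))
    return pow(pk[2], r0, pk[0]) * pow(x, r1, pk[0]) * pow(y, r2, pk[0]) % pk[0]

def decode(sk, pk, y):       # D_SK(y): 0 (dummy) iff y^SK = 1
    return 0 if pow(y, sk, pk[0]) == 1 else 1

def flood(pk, coupons, rounds):   # synchronous flooding on a line of nodes
    for _ in range(rounds):
        sent = list(coupons)      # every node broadcasts its current coupon
        for i in range(len(coupons)):
            for j in (i - 1, i + 1):
                if 0 <= j < len(sent) and verify(pk, sent[j]):
                    coupons[i] = combine(pk, coupons[i], sent[j])
    return coupons
```

With one sentinel at the end of a five-node line, the signal reaches every node after four rounds, the diameter of the line; a combined signal decodes as a dummy only with probability about 1/L2.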

25
Conclusion
  • Useful crypto primitive: BCM ($\wedge$-homomorphic bit
    commitment).
  • It can be used to construct an undetectable
    anonymous private channel.
  • New crypto tool? Subgroup escape assumption.
  • Non-interactive proofs of circuit satisfiability
    of length linear in the number of $\wedge$ gates.
  • Applications to i-voting [Chaum et al. 04].

26
Open problems
  • Can BCM with constant expansion ratio be
    constructed using standard assumptions?
  • Can we transmit multiple bits without a linear
    blow up in message size?
