Attacking Cryptographic Schemes Based on

‘Perturbation Polynomials’

Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi

(IBM), Jonathan Katz (Univ. of MD)

Very high level summary

• Implementing secure protocols in MANETs can be challenging– Low bandwidth, memory, computational power– Limited battery life

• Much work designing new and highly efficient protocols tailored to this setting

• Often, provable security sacrificed for better efficiency– Replaced with heuristic analysis

This is a bad idea!

Outline of the talk

• Key predistribution

• An optimal, information-theoretic scheme

• A proposal by Zhang et al.

• Attacking their scheme

• Extensions and conclusions

Key predistribution

• Goal: distribute keying material to a set of N nodes, such that each pair of nodes can compute a shared key

• Two trivial solutions:– One key shared by all nodes

• Compromise of one nodecompromises entire network

– Independent key sharedby each pair of nodes

• O(N) storage per node

‘Optimal’ schemes

• [Blom], [Blundo et al.]• These schemes guarantee the following:

– Any pair of nodes shares a key– The key shared by any uncompromised nodes

remains information-theoretically secret as long as t or fewer nodes are compromised

• Storage O(t) per node– This is known to be optimal for schemes

satisfying the above

An ‘optimal’ scheme

• Choose random symmetric, bivariate polynomial F(x,y) of degree t in each variable

• Node i given the (univariate) polynomial si(y) = F(i,y)

• Key shared by i and j is si(j) = F(i,j) = sj(i)

Better than Blundo?

• If t large, even O(t) storage is prohibitive…

• Smaller t always better…

• How can we hope to do better?– Relax requirements?– Computational security

A new proposal

• [Zhang et al., MobiHoc 2007]– Extensions by Zhang et al. (INFOCOM ’08),

Subramanian et al. (PerCom ’07)

• Basic idea:– Give node i a polynomial si(y) that is “close”,

but not equal, to F(i,y)• Nodes i and j can still generate a shared key using

the high-order bits of si(j), sj(i), respectively• Harder(?) for an adversary to recover F(x,y) given

multiple si(y)

The scheme I

• Let p be a prime, r < p a “noise parameter”• Choose random, symmetric F(x,y) of

degree t in each variable• Choose random univariate g(y), h(y)

– Set SMALL = {i : 0 ≤ g(i), h(i) ≤ r}; these will be the node-IDs

• Each node i gets si(y) = F(i,y) + bi g(y) + (1-bi) h(y),where bi is chosen randomly

The scheme II

• Note that |si(j) – sj(i)| ≤ r• Nodes i and j can agree on a key using the

high-order bits• Suggested parameters: p≈232, r≈222, t=76

– Storage per node (per key-bit): ≈240 bits– Blundo et al. scheme would give security for

≈240 corruptions– Zhang et al. claim resistance to unbounded

number of corruptions

Note

• Expected size of SMALL is r2/p– Need r2/p ≥ N

• Setup requires O(Np2/r2) work

• Shared key has length O(log(p/r))– Run many schemes in parallel to increase key

length

Attacks using list decoding

• Compromise n=4t+1 nodes to get s1(y), …, sn(y)

• Choose any uncorrupted j*, set yi = si(j*)

• Note: yi {f0(i), f1(i)}, where f0(y) = F(y,j*) + h(j*) and f1(y) = F(y,j*) + g(j*)

– So for some b and at least 2t+1 values of i, we have yi=fb(i)

– We can use list decoding to recover fb(y)

– Can then compute fb(i*)≈sj*(i*) for any i*

Improved attack

• Corrupt n=3t+1 nodes• Choose any uncorrupted j*, set yi = si(j*)• Assume =g(j*)-h(j*) known• Let S={(i, yi)}

– Add to S the n tuples (i, yi-)

• For all (i,y) S, we have y {f0(i), f1(i), f0(i)-}• For every i, either f0(i)=yi or f0(i)=yi-

– So for n tuples (i,y) S (out of 2n tuples total) we have f0(i)=y

– Use list decoding to recover f0(y)

Improvements

• What if we add even more noise?

• Resistance to 4t+1 corruptions (or an attack with O(r) work) may be acceptable

• Next: a more efficient attack, corrupting fewer nodes, that works even when more noise is added

Adding more noise

• Let u be small

• Now set si(y) = F(i,y) + i g(y) + i h(y), where i, i [-u, u]

– u=1 corresponds to the original scheme

Attack using lattices

• Associate degree-t polynomials with vectors of length t+1– I.e., p(y) = a0 + … + at yt (a0, …, at)

• Define the vector fi = F(i, y)

• So si = fi + i g + i h

• Crucial observation– “Noise” added to fi drawn from 2-dimensional

subspace

Attack outline

• Crucial observation– “Noise” added to fi drawn from 2-dimensional

subspace

• Attack:– Identify the “noise subspace”– Find g, h– Solve for F

Step 1

• Corrupt n=t+3 nodes, get si = fi + i g + i h

• We know ft+1 = Σi=0…t i fi and ft+2 = Σi=0…t ’i fi

• So: st+1 - Σi=0…t i si span(g, h) st+2 - Σi=0…t ’i si span(g, h)

• Likely to be linearly independent– Likely to be a basis for span(g, h)!

Step 2: find g and h

• We have v, v’ with span(v,v’) = span(g,h)

• Find g, h using the fact that g(id), h(id) are “small” modulo p

• To do this, find short vectors in the lattice:v(x1) v(x2) … v(xk)

v’(x1) v’(x2) … v’(xk)p 0 … 00 p … 0… … … …0 0 … p

Step 3: find F

• Since F is symmetric, for all i, j we have si(j) - i g(j) - i h(j) = sj(i) - j g(i) - j h(i) – Gives O(n2) equations in 2n unknowns– But under-determined!

• Can find the i, i using the fact that they lie in [-u, u]– Takes time O(t3 + t u3)

• Note: u cannot be too large– Need 4ur < p to share a 1-bit key, even then the

attack takes time O(t3 + t (p/r)3)– Setup takes time O(N (p/r)2)

Implementation

• Attack implemented on a desktop PC

• Our attacks extend to other schemes that use the same approach– Apply to various other extensions as well

p r t setup time attack time

232-5 222 76

236-5 224 77

60 min

1060 min

10 min

8 min

Conclusions

The ‘perturbation polynomials’ approach is dead!

Moral: provable security is crucial

Thank you!