Spreading Rumors Quietly and the Subgroup Escape Problem

  1. Spreading Rumors Quietly and the Subgroup Escape Problem
     Aleksandr Yampolskiy. Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and René Peralta.
  2. Outline
     • Our model
     • Blind coupon mechanism
     • Abstract group structure
     • Instantiating the abstract group structure
     • How to spread rumors
     • Conclusions and open problems
  3. Our model
     • Message-passing network of n processes p_1, …, p_n.
     • Some of the processes want to spread a signal.
     (Illustration: a process announces “The British are coming!”)
  4. Our model (cont.)
     • In epidemic algorithms [Demers et al. ’87], information is copied randomly from process to process.
     • The signal spreads quickly (O(log n) rounds), yet it is highly vulnerable to traffic analysis.
     (Illustration: “The British are coming!” is copied from process to process.)
  5. The adversary…
     • Observes all message traffic.
     • Controls the timing and content of delivered messages.
     (Illustration: the adversary points at a process: “You started a rumor!”)
  6. The goal
     • One-shot signal: 0 (all clear), 1 (British are coming!).
     • Can we spread a signal rapidly, yet prevent the adversary from
       ◦ identifying the presence or source of the signal;
       ◦ being able to forge a signal?
  7. Outline (as on slide 2; next: Blind coupon mechanism)
  8. Blind coupon mechanism
     • A blind coupon mechanism (BCM) is a PPT tuple (G, V, C, D):
     • Key generation G(1^k):
       ◦ Outputs public and secret keys (PK, SK) and two strings (d, s).
       ◦ The secret key defines the set of dummy coupons D_SK and the set of signal coupons S_SK. We call D_SK ∪ S_SK the valid coupons. Also, d ∈ D_SK and s ∈ S_SK.
  9. Blind coupon mechanism (cont.)
     • Verification algorithm V_PK(y) returns 1 if y is valid, 0 otherwise.
     • Decoding algorithm D_SK(y) outputs 0 if y is a dummy coupon and 1 if it is a signal coupon.
     • Combining algorithm z ← C_PK(x, y) outputs a signal coupon iff at least one of the inputs is a signal coupon.
  10. Blind coupon mechanism (cont.)
     • Def: A BCM (G, V, C, D) is secure if
       ◦ the adversary cannot distinguish between signal and dummy coupons (0 ≈ 1);
       ◦ the adversary cannot generate a signal coupon without another signal coupon;
       ◦ the combining algorithm is blinding: C(0, 0) is distributed like a fresh dummy coupon, and C(0, 1), C(1, 0), C(1, 1) are each distributed like a fresh signal coupon.
  11. Simple inefficient construction
     • Use a set-homomorphic signature SIG(·): given sets x, y and SIG(x), SIG(y), one can compute SIG(x ∪ y) [Johnson et al. ’02].
     • Coupons are tuples (x, SIG(x)), where x is
       ◦ (E(0), E(0), …, E(0)) for dummy coupons;
       ◦ (E(0), E(1), …, E(0)) for signal coupons.
     • The combining operation is simply set union: C_PK((x, SIG(x)), (y, SIG(y))) = (x ∪ y, SIG(x ∪ y)).
  12. Outline (as on slide 2; next: Abstract group structure)
  13. Abstract group structure (U, G, D)
     • A specific group structure will allow us to construct an efficient BCM.
     • A finite set U, a cyclic group G ⊆ U generated by s, and its subgroup D ≤ G generated by d.
     • |G|/|U| and |D|/|G| are small.
     (Figure: nested sets U ⊇ G ⊇ D; elements of U \ G are invalid, elements of G \ D are signal coupons, elements of D are dummy coupons.)
  14. Hardness assumptions
     • Subgroup Membership Problem: given a tuple (U, G, D, d, s) and y ∈ G, it is hard to decide whether y ∈ D or y ∈ G \ D.
     • Many examples: DDH, QRA, Paillier, etc.
     (Figure: an element of D and an element of G \ D look alike to the adversary.)
  15. Hardness assumptions (cont.)
     • Subgroup Escape Problem: given a tuple (U, G, D, d), it is hard to find an element y ∈ G \ D.
     • Has not appeared in the literature before.
     (Figure: given only D, the adversary cannot locate an element of G \ D.)
  16. Generic security of the subgroup escape problem
     • Generic group model [Shoup ’97].
     • Group elements are encoded as unique random strings.
     • Algorithms have access to a group oracle.
     • Theorem: a generic algorithm that solves the subgroup escape problem and makes at most q oracle queries succeeds with probability at most a bound (formula on the slide) that is negligible if |G|/|U| is small.
  17. Outline (as on slide 2; next: Instantiating the abstract group structure)
  18. The BCM on abstract group structure (U, G, D)
     • The BCM (G, C, V, D) is as follows:
     • Key generation: let PK = (U, G, d) and SK = |D|.
     • Combining algorithm: C_PK(x, y) outputs d^{r_0} ∘ x^{r_1} ∘ y^{r_2}, where r_0, r_1, r_2 ←_R {0, …, 2^{2k} − 1}.
     • Verification algorithm: V_PK(y) checks that y ∈ G.
     • Decoding algorithm: D_SK(y) outputs 0 (dummy) if y^{SK} = 1 and 1 (signal) otherwise.
  19. The BCM on abstract group structure (U, G, D) (cont.)
     • Theorem: if the subgroup membership problem and the subgroup escape problem for (U, G, D) are hard, then our BCM is secure.
  20. The BCM on abstract group structure (U, G, D) (cont.)
     • Challenge: find a concrete group structure (U, G, D) for which the subgroup membership and subgroup escape problems are hard.
     • Answer:
       ◦ Elliptic curves over Z_n, where n = pq.
       ◦ Bilinear groups with specific order.
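To make the four algorithms of slide 18 concrete, here is an added Python sketch (not the authors' code) of the BCM on a toy group structure built inside Z_p^*: U = Z_p^*, G the subgroup of order l_1 l_2, D the subgroup of order l_1, with d generating D and s generating G. Z_p^* is precisely a structure where subgroup escape is easy (raise any element of U to (p−1)/|G|), which is why slide 20 turns to E(Z_n) and bilinear groups; the sketch therefore exercises the combine/verify/decode algebra and the blinding, not the hardness. The choice of Mersenne primes, the search for p, and the Miller-Rabin routine are my constructions.

```python
import random

# Constructed toy instance of (U, G, D) inside Z_p^*: U = Z_p^*, G = the
# subgroup of order l1*l2, D = the subgroup of order l1. Subgroup escape is
# EASY here (raise any u in U to (p-1)/|G|); `random` is demo-only, not CSPRNG.
L1, L2 = 2**31 - 1, 2**61 - 1       # Mersenne primes: |D| = l1, |G| = l1*l2

def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases (adequate for a demo)."""
    r = ((n - 1) & -(n - 1)).bit_length() - 1      # n - 1 = 2^r * d, d odd
    d = (n - 1) >> r
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen():
    """G(1^k): PK = (p, |G|, d) describes (U, G, d); SK = |D|. Also returns s."""
    c = 1
    while not is_probable_prime(2 * c * L1 * L2 + 1):   # want l1*l2 | p - 1
        c += 1
    p = 2 * c * L1 * L2 + 1
    while True:                     # random element of G of order exactly l1*l2
        s = pow(random.randrange(2, p - 1), (p - 1) // (L1 * L2), p)
        if pow(s, L1, p) != 1 and pow(s, L2, p) != 1:
            break
    d = pow(s, L2, p)               # generator of D (order l1)
    return (p, L1 * L2, d), L1, d, s

def verify(pk, y):
    """V_PK(y): y is a valid coupon iff y lies in G, i.e. y^|G| = 1 in Z_p^*."""
    p, order_g, _ = pk
    return 0 < y < p and pow(y, order_g, p) == 1

def decode(pk, sk, y):
    """D_SK(y): 0 (dummy) if y^|D| = 1, i.e. y in D; otherwise 1 (signal)."""
    return 0 if pow(y, sk, pk[0]) == 1 else 1

def combine(pk, x, y, k=128):
    """C_PK(x, y) = d^r0 * x^r1 * y^r2 with r_i uniform in {0, ..., 2^(2k) - 1}.
    The result is a signal coupon iff x or y is, except with probability ~1/l2."""
    p, _, d = pk
    r0, r1, r2 = (random.randrange(2 ** (2 * k)) for _ in range(3))
    return pow(d, r0, p) * pow(x, r1, p) * pow(y, r2, p) % p
```

Re-randomising a coupon before each broadcast (combine(pk, coupon, d)) is what keeps repeated transmissions of the same bit unlinkable on the wire.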
  21. Elliptic Curves over Z_n
     • Set of (x : y : z) such that y²z ≡ x³ + axz² + bz³ (mod n), where gcd(4a³ + 27b², n) = 1.
     • The points of the elliptic curve form an additive group E(Z_n).
     • Key property of E(Z_n): it is hard to find new group elements except by applying the group operation to previously known group elements.
     • Noted many times, but previously considered a nuisance [Lenstra ’87, Demytko ’98] rather than a useful cryptographic property [Gjøsteen ’04].
     (Figure: point addition P_1 + P_2.)
  22. Elliptic Curves over Z_n (cont.)
     • Problem: find (x : y : z) such that y²z ≡ x³ + axz² + bz³ (mod n).
     • Choose x and solve for y: requires computing a square root modulo n (formula on the slide).
     • Choose y and solve for x: requires solving a cubic equation modulo n.
     • Find x and y simultaneously: not obvious.
     • LLL-based methods don’t seem to pose a threat.
     • Finding rational non-torsion points on curves over Q seems hard.
  23. Elliptic Curves over Z_n (cont.)
     • Let p, q, l_1, l_2, l_3 be primes.
     • Using complex multiplication techniques [Lay-Zimmer ’94], we can find curves E_p/F_p and E_q/F_q with #E_p(F_p) = l_1 l_2 and #E_q(F_q) = l_3.
     • Let n = pq. Then E(Z_n) ≅ E_p(F_p) × E_q(F_q), with #E(Z_n) = l_1 l_2 l_3.
     • Let U be the projective plane, G = E(Z_n), and D ≤ G its subgroup of order l_1 l_3.
     (Figure: nested sets U ⊇ G ⊇ D: invalid, signal, dummy.)
  24. Elliptic Curves over Z_n (cont.)
     • Verification algorithm: given a coupon (x : y : z), it is easy to check whether y²z ≡ x³ + axz² + bz³ (mod n).
     • Subgroup Membership Problem: computing #E(Z_n) is as hard as factoring n [Kunihiro-Koyama ’98]. It seems hard to distinguish elements of D (order l_1 l_3) from elements of G \ D (order l_1 l_2 l_3).
     • Subgroup Escape Problem: hard as long as the adversary cannot find random group elements in G = E(Z_n).
  25. Bilinear groups
     • Let p, l_1, l_2, l_3 be primes with p + 1 = 6 l_1 l_2 l_3 and p ≡ 2 (mod 3).
     • There exists a modified Weil pairing ê: E(F_p) × E(F_p) → F_{p²}^* [Boneh-Franklin ’01].
     • Let U = E(F_p) and let G, D ≤ U be its subgroups of order l_1 l_2 and l_2, respectively.
     (Figure: nested sets U ⊇ G ⊇ D: invalid, signal, dummy.)
  26. Bilinear groups (cont.)
     • Verification algorithm: let P be a point of order 6 l_1 l_2 l_3 and R = P^{l_1 l_2}. Then a point Q ∈ U is in G iff ê(Q, R) = ê(P^{6 s l_3}, P^{l_1 l_2}) = 1.
     • Subgroup Membership Problem: because we do not reveal elements of order l_2 or l_2 l_3, it seems hard to distinguish elements of D (order l_1) from elements of G (order l_1 l_2).
     • Subgroup Escape Problem: unless l_3 is known, it is hard to find elements of order l_1 l_2, and knowing elements of order l_1 does not help.
  27. Outline (as on slide 2; next: How to spread rumors)
     Yay! Almost there!
  28. Spreading rumors with the BCM
     • We have a BCM (G, C, V, D).
     • At the start, a trusted dealer runs G(1^k) and distributes signal coupons to select processes. All other processes get dummy coupons.
     (Figure: one process holds a signal coupon (1), the other three hold dummy coupons (0).)
  29. Spreading rumors with the BCM
     • Then each process continually broadcasts its coupon to its neighbors.
     (Figure: coupons 0 and 1 in transit, plus an invalid message “$#!@” on the network.)
  30. Spreading rumors with the BCM
     • Upon receiving a coupon, the process verifies that the coupon is valid.
     • If so, the process combines it with its own coupon. Otherwise, the process discards it.
     (Figure: V(·) rejects “$#!@” and accepts the valid coupons; C(·, ·) merges an accepted coupon into the process’s own.)
  31. Spreading rumors with the BCM (cont.)
     • Theorem: if the BCM is secure, then so is the rumor-spreading mechanism.
     • Proof idea: because the adversary cannot distinguish between dummy and signal coupons, he cannot test for their presence or absence in the network traffic. The same holds for coupon forgery.
  32. Spreading rumors with the BCM (cont.)
     • Synchronous flooding model: all processes receive the signal in Δ steps, where Δ is the diameter of the subgraph of non-faulty processes.
     • Simple epidemic model: the communication graph is complete. All processes receive the signal in O(n log n) steps.
  33. Outline (as on slide 2; next: Conclusions and open problems)
  34. Conclusion
     • We give a BCM construction with constant expansion ratio.
     • It can be used to construct an undetectable, anonymous private channel.
     • New crypto tool? The subgroup escape assumption.
     • Non-interactive proofs of circuit satisfiability of length linear in the number of ∧ gates.
     • Applications to i-voting [Chaum et al. ’04].
  35. Open problems
     • Can a BCM be constructed using more standard assumptions?
     • Can we transmit multiple bits without a linear blow-up in message size?
