Spreading Rumors Quietly and the Subgroup Escape Problem
Aleksandr Yampolskiy. Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and René Peralta

Upload: aleksandr-yampolskiy

Post on 18-May-2015

TRANSCRIPT

Page 1: Spreading Rumors Quietly and the Subgroup Escape Problem

Spreading Rumors Quietly and the Subgroup Escape Problem

Aleksandr Yampolskiy

Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and René Peralta

Page 2: Spreading Rumors Quietly and the Subgroup Escape Problem

Outline

Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems

Page 3: Spreading Rumors Quietly and the Subgroup Escape Problem

Our model

Message-passing network of n processes $p_1, \dots, p_n$.

Some of the processes want to spread a signal.

(Figure: a process shouting "The British are coming!")

Page 4: Spreading Rumors Quietly and the Subgroup Escape Problem

Our model (cont.)

In epidemic algorithms [Demers et al. '87], information is copied randomly from process to process. The signal spreads quickly (O(log n) rounds), yet it is highly vulnerable to traffic analysis.

(Figure: the message "The British are coming!" being copied from process to process.)

Page 5: Spreading Rumors Quietly and the Subgroup Escape Problem

The adversary…

Observes all message traffic.
Controls the timing and content of delivered messages.

(Figure: the adversary pointing at a process: "You started a rumor!")

Page 6: Spreading Rumors Quietly and the Subgroup Escape Problem

The goal

One-shot signal: 0 (all clear), 1 (British are coming!)

Can we spread a signal rapidly, yet prevent the adversary from
identifying the presence or source of a signal, or
being able to forge a signal?

Page 7: Spreading Rumors Quietly and the Subgroup Escape Problem

Outline

Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems

Page 8: Spreading Rumors Quietly and the Subgroup Escape Problem

Blind coupon mechanism

A blind coupon mechanism (BCM) is a PPT tuple (G, V, C, D):

Key generation $G(1^k)$: outputs public and secret keys (PK, SK) and two strings (d, s). The secret key defines the set of dummy coupons $D_{SK}$ and the set of signal coupons $S_{SK}$. We call $D_{SK} \cup S_{SK}$ the valid coupons. Also, $d \in D_{SK}$ and $s \in S_{SK}$.

Page 9: Spreading Rumors Quietly and the Subgroup Escape Problem

Blind coupon mechanism (cont.)

Verification algorithm $V_{PK}(y)$ returns 1 if y is valid, 0 otherwise.

Decoding algorithm $D_{SK}(y)$ outputs 0 if y is a dummy coupon and 1 if it is a signal coupon.

Combining algorithm $z \leftarrow C_{PK}(x, y)$ outputs a signal coupon iff one of the inputs is a signal coupon.

Page 10: Spreading Rumors Quietly and the Subgroup Escape Problem

Blind coupon mechanism (cont.)

Def: A BCM (G, V, C, D) is secure if

the adversary cannot distinguish between signal and dummy coupons (dummy $\approx$ signal);

the adversary cannot generate a signal coupon without another signal coupon (the probability of forging one is negligible);

the combining algorithm is blinding: writing 0 for a fresh dummy coupon and 1 for a fresh signal coupon, $C(0,0) \approx 0$ and $C(0,1) \approx C(1,0) \approx C(1,1) \approx 1$.

Page 11: Spreading Rumors Quietly and the Subgroup Escape Problem

Simple inefficient construction

Use a set-homomorphic signature $SIG(\cdot)$: given sets x, y and SIG(x), SIG(y), one can compute $SIG(x \cup y)$ [Johnson et al. '02].

Coupons are tuples $(x, SIG(x))$, where x is $(E(0), E(0), \dots, E(0))$ for dummy coupons and $(E(0), E(1), \dots, E(0))$ for signal coupons.

The combining operation is simply set union: $C_{PK}((x, SIG(x)), (y, SIG(y))) = (x \cup y, SIG(x \cup y))$.

Page 12: Spreading Rumors Quietly and the Subgroup Escape Problem

Outline

Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems

Page 13: Spreading Rumors Quietly and the Subgroup Escape Problem

Abstract group structure (U, G, D)

A specific group structure will allow us to construct an efficient BCM.

A finite set U, a cyclic group $G \subseteq U$ generated by s, and its subgroup $D \le G$ generated by d.

$|G|/|U|$ and $|D|/|G|$ are small.

(Figure: nested sets $U \supseteq G \supseteq D$; elements of $U \setminus G$ are invalid, elements of D are dummy coupons, elements of $G \setminus D$ are signal coupons.)

Page 14: Spreading Rumors Quietly and the Subgroup Escape Problem

Hardness assumptions

Subgroup Membership Problem: given a tuple (U, G, D, d, s) and $y \in G$, it is hard to decide whether $y \in D$ or $y \in G \setminus D$.

Many examples: DDH, QRA, Paillier, etc.

(Figure: an unknown element of G; is it in D or in $G \setminus D$?)

Page 15: Spreading Rumors Quietly and the Subgroup Escape Problem

Hardness assumptions (cont.)

Subgroup Escape Problem: given a tuple (U, G, D, d), it is hard to find an element $y \in G \setminus D$.

Has not appeared in the literature before.

(Figure: given only D, finding an element of $G \setminus D$.)

Page 16: Spreading Rumors Quietly and the Subgroup Escape Problem

Generic security of subgroup escape problem

Generic group model [Shoup '97]: group elements are encoded as unique random strings, and algorithms have access to a group oracle.

Theorem: A generic algorithm that solves the subgroup escape problem and makes at most q oracle queries succeeds with probability at most

negligible if |G|/|U| is small

Page 17: Spreading Rumors Quietly and the Subgroup Escape Problem

Outline

Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems

Page 18: Spreading Rumors Quietly and the Subgroup Escape Problem

The BCM on abstract group structure (U, G, D)

The BCM (G, C, V, D) is as follows:

Key generation: Let $PK = (U, G, d)$ and $SK = |D|$.
Combining algorithm: $C_{PK}(x, y)$ outputs $d^{r_0} \circ x^{r_1} \circ y^{r_2}$, where $r_0, r_1, r_2 \in_R \{0, \dots, 2^{2k} - 1\}$.
Verification algorithm: $V_{PK}(y)$ checks that $y \in G$.
Decoding algorithm: $D_{SK}(y)$ outputs 0 (dummy) if $y^{SK} = 1$ and 1 (signal) otherwise.
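As an added worked example (not from the slides), the four BCM algorithms of this slide instantiated over a constructed toy group: $U = \mathbb{Z}_p^*$, G the cyclic subgroup of order $l_1 l_2$, D its subgroup of order $l_1$, with the primes, the security parameter and the dictionary form of PK all assumed here for illustration. The choice of $\mathbb{Z}_p^*$ is deliberately insecure for the subgroup escape problem, since anyone can map an arbitrary element into G by exponentiation; the code shows the functional behaviour of the BCM, and the later slides explain why curves over $\mathbb{Z}_n$ are needed instead.

```python
import math
import secrets
# Constructed toy instance of the abstract structure (U, G, D): U = Z_p^* with
# p - 1 = 2*c*l1*l2, G = the cyclic subgroup of order l1*l2 generated by s,
# D = its subgroup of order l1 generated by d.  Illustration only: Z_p^* is NOT
# a secure choice (see sample_fresh_element), but the BCM algorithms are as on the slide.
L1, L2 = 1000003, 999983    # primes (assumed toy parameters); |D| = l1, |G| = l1*l2
K = 32                      # toy security parameter k; exponents lie in {0, ..., 2^(2k)-1}

def _is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % q for q in range(3, math.isqrt(n) + 1, 2))

def sample_fresh_element(p):
    """Return an element of G of order exactly l1*l2 from an arbitrary h in Z_p^*.
    In Z_p^* this is trivial, which is exactly why Z_p^* fails the subgroup
    escape assumption; the slides need E(Z_n), where fresh points are hard to find."""
    h = 2
    while True:
        s = pow(h, (p - 1) // (L1 * L2), p)             # order divides l1*l2
        if pow(s, L1, p) != 1 and pow(s, L2, p) != 1:  # so it is exactly l1*l2
            return s
        h += 1

def keygen():
    """G(1^k): PK = (p, |G|, d), SK = |D|, plus a dummy coupon d and a signal coupon s."""
    assert _is_prime(L1) and _is_prime(L2)
    c = 1
    while not _is_prime(2 * c * L1 * L2 + 1):
        c += 1
    p = 2 * c * L1 * L2 + 1
    s = sample_fresh_element(p)          # generator of G: lies in G \ D, a signal coupon
    d = pow(s, L2, p)                    # order l1: generator of D, a dummy coupon
    pk = {"p": p, "order_g": L1 * L2, "d": d}
    return pk, L1, d, s

def verify(pk, y):
    """V_PK(y): 1 iff y is in G (a valid coupon), else 0."""
    return int(0 < y < pk["p"] and pow(y, pk["order_g"], pk["p"]) == 1)

def decode(sk, pk, y):
    """D_SK(y): 0 (dummy) iff y^|D| = 1, i.e. y lies in D; 1 (signal) otherwise."""
    return 0 if pow(y, sk, pk["p"]) == 1 else 1

def combine(pk, x, y):
    """C_PK(x, y) = d^r0 * x^r1 * y^r2 with r_i uniform in {0, ..., 2^(2k)-1}.
    The output is a signal coupon iff an input is one, except when an exponent
    vanishes mod l2 (probability about 1/l2, negligible for the large l2 used in practice)."""
    r0, r1, r2 = (secrets.randbelow(2 ** (2 * K)) for _ in range(3))
    return pow(pk["d"], r0, pk["p"]) * pow(x, r1, pk["p"]) * pow(y, r2, pk["p"]) % pk["p"]
```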

Page 19: Spreading Rumors Quietly and the Subgroup Escape Problem

The BCM on abstract group structure (U, G, D) (cont.)

Theorem: If the subgroup membership and subgroup escape problems for (U, G, D) are hard, then our BCM is secure.

Page 20: Spreading Rumors Quietly and the Subgroup Escape Problem

The BCM on abstract group structure (U, G, D) (cont.)

Challenge: Find a concrete group structure (U, G, D) for which subgroup membership and subgroup escape problems are hard.

Answer: Elliptic curves over Zn, where n=pq. Bilinear groups with specific order.

Page 21: Spreading Rumors Quietly and the Subgroup Escape Problem

Elliptic Curves over Zn

Set of $(x:y:z)$ such that $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod n$, where $\gcd(4a^2 - 27b^3, n) = 1$.

Points of the elliptic curve form an additive group $E(\mathbb{Z}_n)$.

Key property of $E(\mathbb{Z}_n)$: it is hard to find new group elements except by using the group operation on previously known group elements.

Noted many times, but previously considered a nuisance [Lenstra '87, Demytko '98] rather than a useful cryptographic property [Gjøsteen '04].

(Figure: point addition $P_1 + P_2$ on the curve.)

Page 22: Spreading Rumors Quietly and the Subgroup Escape Problem

Elliptic Curves over Zn (cont.)

Problem: Find $(x:y:z)$ such that $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod n$.

Choose x and solve for y: compute
Choose y and solve for x: solve a cubic equation.
Find x and y simultaneously: not obvious.
LLL-based methods don't seem to pose a threat.
Finding rational non-torsion points on curves over $\mathbb{Q}$ seems hard.

Page 23: Spreading Rumors Quietly and the Subgroup Escape Problem

Elliptic Curves over Zn (cont.)

Let $p, q, l_1, l_2, l_3$ be primes. Using complex multiplication techniques [Lay-Zimmer '94], we can find curves $E_p/\mathbb{F}_p$ and $E_q/\mathbb{F}_q$ with $\#E_p(\mathbb{F}_p) = l_1 l_2$ and $\#E_q(\mathbb{F}_q) = l_3$.

Let $n = pq$. Then $E(\mathbb{Z}_n) \cong E_p(\mathbb{F}_p) \times E_q(\mathbb{F}_q)$ with $\#E(\mathbb{Z}_n) = l_1 l_2 l_3$.

Let U be the projective plane, G be $E(\mathbb{Z}_n)$, and $D \le G$ be its subgroup of order $l_1 l_3$.

(Figure: nested sets $U \supseteq G \supseteq D$, labelled invalid / signal / dummy.)

Page 24: Spreading Rumors Quietly and the Subgroup Escape Problem

Elliptic Curves over Zn (cont.)

Verification Algorithm: Given a coupon $(x:y:z)$, it is easy to check whether $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod n$.

Subgroup Membership Problem: Computing $\#E(\mathbb{Z}_n)$ is as hard as factoring n [Kunihiro-Koyama '98]. It seems hard to distinguish elements of D (order $l_1 l_3$) from elements of $G \setminus D$ (order $l_1 l_2 l_3$).

Subgroup Escape Problem: Hard as long as the adversary cannot find random group elements in $G = E(\mathbb{Z}_n)$.

Page 25: Spreading Rumors Quietly and the Subgroup Escape Problem

Bilinear groups

Let $p, l_1, l_2, l_3$ be primes. Also, $p + 1 = 6 l_1 l_2 l_3$ and $p \equiv 2 \pmod 3$.

There exists a modified Weil pairing $\hat{e}: E(\mathbb{F}_p) \times E(\mathbb{F}_p) \to \mathbb{F}_{p^2}^*$ [Boneh-Franklin '01].

Let $U = E(\mathbb{F}_p)$ and $G, D \le U$ be its subgroups of order $l_1 l_2$ and $l_2$, respectively.

(Figure: nested sets $U \supseteq G \supseteq D$, labelled invalid / signal / dummy.)

Page 26: Spreading Rumors Quietly and the Subgroup Escape Problem

Bilinear groups (cont.)

Verification Algorithm: Let P be a point of order $6 l_1 l_2 l_3$ and $R = P^{l_1 l_2}$. Then a point $Q \in U$ is in G iff $\hat{e}(Q, R) = \hat{e}(P^{6 s l_3}, P^{l_1 l_2}) = 1$.

Subgroup Membership Problem: Because we do not reveal elements of order $l_2$ or $l_2 l_3$, it seems hard to distinguish elements of D (order $l_1$) from elements of G (order $l_1 l_2$).

Subgroup Escape Problem: Unless $l_3$ is known, it is hard to find elements of order $l_1 l_2$, and knowing elements of order $l_1$ does not help.

Page 27: Spreading Rumors Quietly and the Subgroup Escape Problem

Outline

Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems

Yay! Almost there!

Page 28: Spreading Rumors Quietly and the Subgroup Escape Problem

Spreading rumors with the BCM

We have a BCM (G, C, V, D). At the start, a trusted dealer runs $G(1^k)$ and distributes signal coupons to select processes. All others get dummy coupons.

(Figure: one process holding a signal coupon (1), the others holding dummy coupons (0).)

Page 29: Spreading Rumors Quietly and the Subgroup Escape Problem

Spreading rumors with the BCM

Then each process continually broadcasts its coupon to its neighbors.

(Figure: processes broadcasting their coupons; one received message is garbage rather than a coupon.)

Page 30: Spreading Rumors Quietly and the Subgroup Escape Problem

Spreading rumors with the BCM

Upon receiving a coupon, the process verifies that the coupon is valid.

If so, the process combines it with its own coupon. Otherwise, the process discards it.

(Figure: a process running V on an incoming coupon, then C on the valid coupon and its own; the garbage message fails V and is discarded.)

Page 31: Spreading Rumors Quietly and the Subgroup Escape Problem

Spreading rumors with the BCM (cont.)

Theorem: If the BCM is secure, then so is the rumor-spreading mechanism.

Proof idea: Because adversary cannot distinguish between dummy and signal coupons, he cannot test their presence or absence in the network traffic. Same for coupon forgery.

Page 32: Spreading Rumors Quietly and the Subgroup Escape Problem

Spreading rumors with the BCM (cont.)

Synchronous flooding model: All processes receive a signal in steps, where is the diameter of the subgraph of non-faulty processes.

Simple epidemic model: Communication graph is complete. All processes receive a signal in O(n log n) steps.

Page 33: Spreading Rumors Quietly and the Subgroup Escape Problem

Outline

Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems

Page 34: Spreading Rumors Quietly and the Subgroup Escape Problem

Conclusion

We give a BCM construction with constant expansion ratio.

It can be used to construct an undetectable, anonymous private channel.

New crypto tool? Subgroup escape assumption.
Non-interactive proofs of circuit satisfiability of length linear in the number of $\wedge$ gates.
Applications to i-voting [Chaum et al. '04].

Page 35: Spreading Rumors Quietly and the Subgroup Escape Problem

Open problems

Can a BCM be constructed using more standard assumptions?

Can we transmit multiple bits without a linear blow up in message size?


Page 36: Spreading Rumors Quietly and the Subgroup Escape Problem