Spreading Rumors Quietly and the Subgroup Escape Problem
Aleksandr Yampolskiy
Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and René Peralta
Outline
Our model
Blind coupon mechanism
Abstract group structure
Instantiating the abstract group structure
How to spread rumors
Conclusions and open problems
Our model
Message-passing network of n processes p1, …, pn.
Some of the processes want to spread a signal ("The British are coming!").
Our model (cont.)
In epidemic algorithms [Demers et al. ’87], information is copied randomly from process to process. The signal spreads quickly (O(log n) rounds), yet it is highly vulnerable to traffic analysis.
(Figure: the signal "The British are coming!" being copied from process to process.)
The adversary…
Observes all message traffic. Controls the timing and content of delivered messages.
(Figure: the adversary points at a process: "You started a rumor!")
The goal
One-shot signal: 0 (all clear), 1 (British are coming!)
Can we spread a signal rapidly, yet prevent the adversary from
identifying the presence or source of the signal, and from
forging a signal?
Blind coupon mechanism
A blind coupon mechanism (BCM) is a PPT tuple (G, V, C, D):
Key generation G(1^k): outputs public and secret keys (PK, SK) and two strings (d, s). The secret key defines the sets of dummy coupons D_SK and signal coupons S_SK. We call D_SK ∪ S_SK the valid coupons. Also, d ∈ D_SK and s ∈ S_SK.
Blind coupon mechanism (cont.)
Verification algorithm V_PK(y) returns 1 if y is valid, 0 otherwise.
Decoding algorithm D_SK(y) outputs 0 if y is a dummy coupon, 1 if it is a signal coupon.
Combining algorithm z ← C_PK(x, y) outputs a signal coupon iff one of the inputs is a signal coupon.
Blind coupon mechanism (cont.)
Def: A BCM (G, V, C, D) is secure if the adversary
cannot distinguish between signal and dummy coupons,
cannot generate a signal coupon without another signal coupon, and
the combining algorithm is blinding.
Simple inefficient construction
Use a set-homomorphic signature SIG(·): given sets x, y and SIG(x), SIG(y), one can compute SIG(x ∪ y) [Johnson et al. ’02].
Coupons are tuples (x, SIG(x)), where x is (E(0), E(0), …, E(0)) for dummy coupons and (E(0), E(1), …, E(0)) for signal coupons.
The combining operation is simply set union: C_PK((x, SIG(x)), (y, SIG(y))) = (x ∪ y, SIG(x ∪ y)).
Abstract group structure (U, G, D)
A specific group structure will allow us to construct an efficient BCM.
A finite set U, a cyclic group G ⊆ U generated by s, and its subgroup D ≤ G generated by d.
|G|/|U| and |D|/|G| are small.
(Figure: nested sets U ⊇ G ⊇ D; elements of U \ G are invalid, elements of D are dummy, elements of G \ D are signal.)
Hardness assumptions
Subgroup Membership Problem: given a tuple (U, G, D, d, s) and y ∈ G, it is hard to decide whether y ∈ D or y ∈ G \ D.
Many examples: DDH, QRA, Paillier, etc.
Hardness assumptions (cont.)
Subgroup Escape Problem: given a tuple (U, G, D, d), it is hard to find an element y ∈ G \ D.
Has not appeared in the literature before.
Generic security of the subgroup escape problem
Generic group model [Shoup ’97]: group elements are encoded as unique random strings, and algorithms have access to a group oracle.
Theorem: A generic algorithm that solves the subgroup escape problem and makes at most q oracle queries succeeds with probability at most a bound (shown on the slide, not reproduced in the transcript) that is negligible if |G|/|U| is small.
The BCM on abstract group structure (U, G, D)
The BCM (G, C, V, D) is as follows:
Key generation: let PK = (U, G, d) and SK = |D|.
Combining algorithm: C_PK(x, y) outputs d^{r0} ∘ x^{r1} ∘ y^{r2}, where r0, r1, r2 ←R {0, …, 2^{2k} − 1}.
Verification algorithm: V_PK(y) checks that y ∈ G.
Decoding algorithm: D_SK(y) outputs 0 (dummy) if y^{SK} = 1 and 1 (signal) otherwise.
The BCM on abstract group structure (U, G, D) (cont.)
Theorem: If the subgroup membership and subgroup escape problems for (U, G, D) are hard, then our BCM is secure.
The BCM on abstract group structure (U, G, D) (cont.)
Challenge: Find a concrete group structure (U, G, D) for which subgroup membership and subgroup escape problems are hard.
Answer: Elliptic curves over Z_n, where n = pq. Bilinear groups of a specific order.
Elliptic Curves over Z_n
Set of (x:y:z) such that y²z ≡ x³ + axz² + bz³ (mod n), where gcd(4a² − 27b³, n) = 1.
Points of the elliptic curve form an additive group E(Z_n).
Key property of E(Z_n): it is hard to find new group elements except by applying the group operation to previously known group elements.
Noted many times, but previously considered a nuisance [Lenstra ’87, Demytko ’98] rather than a useful cryptographic property [Gjøsteen ’04].
(Figure: points P1 and P2 on the curve and their sum P1 + P2.)
Elliptic Curves over Z_n (cont.)
Problem: Find (x:y:z) such that y²z ≡ x³ + axz² + bz³ (mod n).
Choose x and solve for y: compute a square root modulo n.
Choose y and solve for x: solve a cubic equation.
Find x and y simultaneously: not obvious.
LLL-based methods don’t seem to pose a threat.
Finding rational non-torsion points on curves over Q seems hard.
Elliptic Curves over Z_n (cont.)
Let p, q, l1, l2, l3 be primes. Using complex multiplication techniques [Lay-Zimmer ’94], we can find curves E_p/F_p and E_q/F_q with #E_p(F_p) = l1·l2 and #E_q(F_q) = l3.
Let n = pq. Then E(Z_n) ≅ E_p(F_p) × E_q(F_q) with #E(Z_n) = l1·l2·l3.
Let U be the projective plane, G be E(Z_n), and D ≤ G be its subgroup of order l1·l3.
(Figure: nested sets U ⊇ G ⊇ D; elements of U \ G are invalid, elements of G \ D are signal, elements of D are dummy.)
Elliptic Curves over Z_n (cont.)
Verification Algorithm: Given a coupon (x:y:z), it is easy to check whether y²z ≡ x³ + axz² + bz³ (mod n).
Subgroup Membership Problem: Computing #E(Z_n) is as hard as factoring n [Kunihiro-Koyama ’98]. It seems hard to distinguish elements of D (order l1·l3) from elements of G \ D (G has order l1·l2·l3).
Subgroup Escape Problem: Hard as long as the adversary cannot find random group elements in G = E(Z_n).
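The following Python is an added example, not code from the paper or its authors. It makes the three points of this section concrete: the verification check on projective triples (x:y:z), brute-force point counts that exhibit #E(Z_n) = #E(F_p)·#E(F_q) (the CRT decomposition E(Z_n) ≅ E_p(F_p) × E_q(F_q) stated above), and the "choose x and solve for y" strategy, which needs a square root modulo n and therefore the factors p and q. The curve y² = x³ + x + 1 and the modulus n = 5·7 are constructed toy values chosen small enough to enumerate; the non-singularity check uses the standard discriminant 4a³ + 27b².

```python
from math import gcd


def on_curve(point, a, b, n):
    """Verification algorithm: (x:y:z) is a point of E(Z_n) iff the triple is
    primitive (gcd(x, y, z, n) = 1) and y^2 z = x^3 + a x z^2 + b z^3 (mod n)."""
    x, y, z = point
    if gcd(gcd(x, y), gcd(z, n)) != 1:
        return False
    return (y * y * z - (x ** 3 + a * x * z * z + b * z ** 3)) % n == 0


def count_points_mod_prime(a, b, p):
    """#E(F_p) by brute force: affine solutions of y^2 = x^3 + ax + b, plus the
    point at infinity (0:1:0)."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x ** 3 + a * x + b) % p, 0) for x in range(p))


def count_points_mod_n(a, b, n):
    """#E(Z_n) by brute force over primitive projective triples.  Scaling a
    primitive triple by the phi(n) units of Z_n gives phi(n) distinct
    representatives of the same point, so the raw count is divided by phi(n).
    With n = pq the result equals #E(F_p) * #E(F_q) (CRT decomposition)."""
    phi = sum(1 for u in range(1, n) if gcd(u, n) == 1)
    reps = sum(1 for x in range(n) for y in range(n) for z in range(n)
               if on_curve((x, y, z), a, b, n))
    assert reps % phi == 0
    return reps // phi


def find_point_with_factorization(a, b, p, q, x):
    """'Choose x and solve for y': needs a square root of x^3 + ax + b modulo
    n = pq.  Knowing p and q, take the root modulo each prime (brute force in
    this toy) and glue them with the CRT; without the factors this step is
    not available.  Returns (x:y:1), or None if the value is a non-residue
    modulo p or modulo q."""
    n = p * q
    roots = []
    for m in (p, q):
        c = (x ** 3 + a * x + b) % m
        r = next((y for y in range(m) if y * y % m == c), None)
        if r is None:
            return None
        roots.append(r)
    yp, yq = roots
    y = (yp * q * pow(q, -1, p) + yq * p * pow(p, -1, q)) % n
    return (x, y, 1)


if __name__ == "__main__":
    A, B, P, Q = 1, 1, 5, 7            # constructed toy curve y^2 = x^3 + x + 1
    N = P * Q
    assert gcd(4 * A ** 3 + 27 * B ** 2, N) == 1   # non-singular mod p and mod q
    print(count_points_mod_prime(A, B, P), count_points_mod_prime(A, B, Q))
    print(count_points_mod_n(A, B, N))
    pt = find_point_with_factorization(A, B, P, Q, 2)
    print(pt, on_curve(pt, A, B, N))
```

The brute-force count includes the "mixed" points whose z is zero modulo one prime but not the other; those are exactly the points that the CRT product contributes beyond the affine points mod n, and they are accepted by the same congruence check.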
Bilinear groups
Let p, l1, l2, l3 be primes with p + 1 = 6·l1·l2·l3 and p ≡ 2 (mod 3).
There exists a modified Weil pairing ê: E(F_p) × E(F_p) → F_{p²}^* [Boneh-Franklin ’01].
Let U = E(F_p) and G, D ≤ U be its subgroups of order l1·l2 and l2, respectively.
(Figure: nested sets U ⊇ G ⊇ D; elements of U \ G are invalid, elements of G \ D are signal, elements of D are dummy.)
Bilinear groups (cont.)
Verification Algorithm: Let P be a point of order 6·l1·l2·l3 and R = P^{l1·l2}. Then a point Q ∈ U is in G iff ê(Q, R) = 1: writing Q = P^{6·s·l3}, bilinearity gives ê(P^{6·s·l3}, P^{l1·l2}) = ê(P, P)^{6·s·l1·l2·l3} = 1.
Subgroup Membership Problem: Because we do not reveal elements of order l2 or l2·l3, it seems hard to distinguish elements of D (order l1) from elements of G (order l1·l2).
Subgroup Escape Problem: Unless l3 is known, it is hard to find elements of order l1·l2, and knowing elements of order l1 does not help.
Yay! Almost there!
Spreading rumors with the BCM
We have a BCM (G, C, V, D). At start, a trusted dealer runs G(1^k) and distributes signal coupons to select processes. All others get dummy coupons.
Then each process continually broadcasts its coupon to its neighbors.
Upon receiving a coupon, the process verifies that the coupon is valid. If so, the process combines it with its own coupon. Otherwise, the process discards it.
(Figure: four processes holding coupons 1, 0, 0, 0. A garbage message "$#!@" injected by the adversary fails V and is discarded; a valid coupon passes V and is merged into the receiver's coupon with C.)
Spreading rumors with the BCM (cont.)
Theorem: If the BCM is secure, then so is the rumor-spreading mechanism.
Proof idea: Because adversary cannot distinguish between dummy and signal coupons, he cannot test their presence or absence in the network traffic. Same for coupon forgery.
Spreading rumors with the BCM (cont.)
Synchronous flooding model: All processes receive a signal within a number of steps equal to the diameter of the subgraph of non-faulty processes.
Simple epidemic model: The communication graph is complete. All processes receive a signal in O(n log n) steps.
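The following Python is an added example, not code from the paper or its authors. It implements the BCM (G, C, V, D) on the abstract group structure from the earlier section (PK = (U, G, d), SK = |D|, C_PK(x, y) = d^{r0} ∘ x^{r1} ∘ y^{r2}, V_PK checks y ∈ G, D_SK tests y^{SK} = 1) and then runs the synchronous flooding procedure above with it: dealer hands out coupons, every process broadcasts each round, receivers verify, discard invalid input and combine valid input. The group structure is a constructed toy, U = Z_P^* with P = 2·l1·l2 + 1, G the subgroup of order l1·l2 and D its subgroup of order l1; P, l1, l2, the generator search, the six-process path graph and the injected junk element are all assumptions of this example. Only the algebra is faithful: in Z_P^* anyone can produce a random element of G by squaring a random unit, so the subgroup escape assumption does not hold here, and the parameters are far too small for subgroup membership to be hard either.

```python
import random


def is_prime(n):
    """Trial division, adequate for the toy parameter sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def toy_group_structure(l1=7, l2_start=10**6):
    """Constructed toy (U, G, D): U = Z_P^* with P = 2*l1*l2 + 1 prime,
    G = the subgroup of order l1*l2 generated by s, D = the subgroup of order
    l1 generated by d = s^l2.  l2 is taken near 10^6 so that a random exponent
    is a multiple of l2 (which would turn a signal into a dummy) with
    probability about 1e-6 per combine; against a large l2, the exponent range
    2^{2k} of the slides makes this negligible."""
    l2 = l2_start
    while not (is_prime(l2) and is_prime(2 * l1 * l2 + 1)):
        l2 += 1
    P = 2 * l1 * l2 + 1
    for u in range(2, P):
        s = pow(u, (P - 1) // (l1 * l2), P)  # the order of s divides l1*l2
        if pow(s, l1, P) != 1 and pow(s, l2, P) != 1:
            break  # order is exactly l1*l2: s generates G and lies in G \ D
    d = pow(s, l2, P)  # order l1: generates D
    return P, l1, l2, s, d


class BlindCouponMechanism:
    """The BCM (G, C, V, D) of the slides on the toy group structure.
    PK = (P, |G|, d), SK = |D|; exponents are drawn from {0, ..., 2^(2k) - 1}."""

    def __init__(self, k=32):
        P, l1, l2, s, d = toy_group_structure()
        self.pk = (P, l1 * l2, d)
        self.sk = l1
        self.dummy, self.signal = d, s  # the dealer's strings (d, s)
        self.bound = 2 ** (2 * k)

    def verify(self, y):
        """V_PK(y): 1 iff y lies in G (a valid coupon), else 0."""
        P, order_g, _ = self.pk
        return 1 if 0 < y < P and pow(y, order_g, P) == 1 else 0

    def combine(self, x, y):
        """C_PK(x, y) = d^r0 * x^r1 * y^r2 with fresh random exponents; the
        result is a signal coupon iff x or y is one (up to the l2 fluke above)."""
        P, _, d = self.pk
        r0, r1, r2 = (random.randrange(self.bound) for _ in range(3))
        return (pow(d, r0, P) * pow(x, r1, P) * pow(y, r2, P)) % P

    def decode(self, y):
        """D_SK(y): 0 (dummy) iff y^SK = 1, i.e. y lies in D; else 1 (signal)."""
        return 0 if pow(y, self.sk, self.pk[0]) == 1 else 1


def spread_rumor(bcm, adjacency, signal_holders, rounds, adversary_blob=None):
    """Synchronous flooding with the BCM: every round each process broadcasts
    its coupon; a receiver verifies each incoming coupon, discards invalid ones
    and combines valid ones with its own.  adversary_blob, if given, is
    delivered to every process every round (the adversary controls delivery).
    Returns the decoded bit of every process after the given number of rounds."""
    n = len(adjacency)
    coupons = [bcm.signal if i in signal_holders else bcm.dummy for i in range(n)]
    for _ in range(rounds):
        inbox = [[coupons[j] for j in adjacency[i]] for i in range(n)]  # snapshot
        extra = [adversary_blob] if adversary_blob is not None else []
        for i in range(n):
            for c in inbox[i] + extra:
                if bcm.verify(c):
                    coupons[i] = bcm.combine(coupons[i], c)
    return [bcm.decode(c) for c in coupons]


if __name__ == "__main__":
    bcm = BlindCouponMechanism()
    path = [[1], [0, 2], [1, 3], [2, 4], [3, 5], [4]]  # six processes in a line
    junk = bcm.pk[0] - 1                               # -1 mod P: in U, not in G
    print("junk verifies:", bcm.verify(junk))
    print("after 2 rounds:", spread_rumor(bcm, path, {0}, 2, junk))
    print("after 5 rounds:", spread_rumor(bcm, path, {0}, 5))
```

On the path graph the signal advances one hop per round, so after two rounds only processes 0, 1, 2 decode to 1, and after five rounds (the diameter) every process does; the injected junk is rejected by V every round and never reaches C.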
Conclusion
We give a BCM construction with constant expansion ratio.
It can be used to construct an undetectable, anonymous private channel.
New crypto tool? The subgroup escape assumption.
Non-interactive proofs of circuit satisfiability of length linear in the number of ∧ gates.
Applications to i-voting [Chaum et al. ’04].
Open problems
Can a BCM be constructed using more standard assumptions?
Can we transmit multiple bits without a linear blow up in message size?