Spreading Rumors Quietly and the Subgroup Escape Problem
Aleksandr Yampolskiy
Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and René Peralta
Outline
- Our model
- Blind coupon mechanism
- Abstract group structure
- Instantiating the abstract group structure
- How to spread rumors
- Conclusions and open problems
Our model
Message-passing network of n processes $p_1, \ldots, p_n$.
Some of the processes want to spread a signal.
Figure: one process announcing "The British are coming!"
Our model (cont.)
In epidemic algorithms [Demers et al. '87], information is copied randomly from process to process. The signal spreads quickly ($O(\log n)$ rounds), yet it is highly vulnerable to traffic analysis.
Figure: the same message, "The British are coming!", replicated across four processes.
The adversary…
- Observes all message traffic.
- Controls the timing and content of delivered messages.
Figure: the adversary pointing at a process: "You started a rumor!"
The goal
One-shot signal: 0 (all clear), 1 (the British are coming!).
Can we spread a signal rapidly, yet prevent the adversary from
- identifying the presence or the source of the signal, and
- being able to forge a signal?
Blind coupon mechanism
A blind coupon mechanism (BCM) is a PPT tuple (G, V, C, D):
- Key generation $G(1^k)$: outputs public and secret keys (PK, SK) and two strings (d, s). The secret key defines the sets of dummy coupons $D_{SK}$ and signal coupons $S_{SK}$. We call $D_{SK} \cup S_{SK}$ the valid coupons. Also, $d \in D_{SK}$ and $s \in S_{SK}$.
Blind coupon mechanism (cont.)
- Verification algorithm $V_{PK}(y)$ returns 1 if y is valid, 0 otherwise.
- Decoding algorithm $D_{SK}(y)$ outputs 0 if y is a dummy coupon and 1 if it is a signal coupon.
- Combining algorithm $z \leftarrow C_{PK}(x, y)$ outputs a signal coupon iff one of the inputs is a signal coupon.
Blind coupon mechanism (cont.)
Def: A BCM (G, V, C, D) is secure if (writing $\mathbf{0}$ for a dummy coupon and $\mathbf{1}$ for a signal coupon)
- the adversary cannot distinguish between signal and dummy coupons: $\mathbf{0} \approx_c \mathbf{1}$;
- the adversary cannot generate a signal coupon without another signal coupon: the probability that it outputs a signal coupon given only dummy coupons is negligible;
- the combining algorithm is blinding: $C(\mathbf{0}, \mathbf{0}) \approx_c \mathbf{0}$ and $C(\mathbf{0}, \mathbf{1}) \approx_c C(\mathbf{1}, \mathbf{0}) \approx_c C(\mathbf{1}, \mathbf{1}) \approx_c \mathbf{1}$, i.e. a combined coupon looks like a fresh coupon of the same type.
Simple inefficient construction
- Use a set-homomorphic signature SIG(·): given sets x, y and SIG(x), SIG(y), one can compute $SIG(x \cup y)$ [Johnson et al. '02].
- Coupons are tuples (x, SIG(x)), where x is (E(0), E(0), …, E(0)) for dummy coupons and (E(0), E(1), …, E(0)) for signal coupons.
- The combining operation is simply set union: $C_{PK}((x, SIG(x)), (y, SIG(y))) = (x \cup y, SIG(x \cup y))$.
Abstract group structure (U, G, D)
A specific group structure will allow us to construct an efficient BCM.
- A finite set U, a cyclic group $G \subseteq U$ generated by s, and its subgroup $D \le G$ generated by d.
- $|G|/|U|$ and $|D|/|G|$ are small.
Figure: nested sets $D \subset G \subset U$; elements of $U \setminus G$ are invalid, elements of D are dummy coupons, elements of $G \setminus D$ are signal coupons.
Hardness assumptions
Subgroup Membership Problem: given a tuple (U, G, D, d, s) and $y \in G$, it is hard to decide whether $y \in D$ or $y \in G \setminus D$.
Many examples: DDH, QRA, Paillier, etc.
Hardness assumptions (cont.)
Subgroup Escape Problem: given a tuple (U, G, D, d), it is hard to find an element $y \in G \setminus D$. (Note that the generator s of G is not part of the input, unlike in the subgroup membership problem.)
Has not appeared in the literature before.
Generic security of the subgroup escape problem
Generic group model [Shoup '97]: group elements are encoded as unique random strings, and algorithms have access to a group oracle.
Theorem: A generic algorithm that solves the subgroup escape problem and makes at most q oracle queries succeeds with probability at most a bound that is negligible if $|G|/|U|$ is small.
The BCM on the abstract group structure (U, G, D)
The BCM (G, C, V, D) is as follows:
- Key generation: let PK = (U, G, d) and SK = |D|.
- Combining algorithm: $C_{PK}(x, y)$ outputs $d^{r_0} \circ x^{r_1} \circ y^{r_2}$, where $r_0, r_1, r_2 \in_R \{0, \ldots, 2^{2k} - 1\}$.
- Verification algorithm: $V_{PK}(y)$ checks that $y \in G$.
- Decoding algorithm: $D_{SK}(y)$ outputs 0 (dummy) if $y^{SK} = 1$ and 1 (signal) otherwise. (Since G is cyclic, $y^{|D|} = 1$ holds exactly when $y \in D$.)
The BCM on the abstract group structure (U, G, D) (cont.)
Theorem: If the subgroup membership and subgroup escape problems for (U, G, D) are hard, then our BCM is secure.
The BCM on the abstract group structure (U, G, D) (cont.)
Challenge: find a concrete group structure (U, G, D) for which the subgroup membership and subgroup escape problems are hard.
Answer: elliptic curves over $\mathbb{Z}_n$, where n = pq; bilinear groups of a specific order.
Elliptic Curves over $\mathbb{Z}_n$
The set of (x : y : z) such that $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod n$, where $\gcd(4a^3 + 27b^2, n) = 1$.
The points of the elliptic curve form an additive group $E(\mathbb{Z}_n)$.
Key property of $E(\mathbb{Z}_n)$: it is hard to find new group elements except by applying the group operation to previously known group elements.
Noted many times, but previously considered a nuisance [Lenstra '87, Demytko '98] rather than a useful cryptographic property [Gjøsteen '04].
Figure: chord-and-tangent addition of two points $P_1$ and $P_2$ giving $P_1 + P_2$.
Elliptic Curves over $\mathbb{Z}_n$ (cont.)
Problem: find (x : y : z) such that $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod n$.
- Choose x and solve for y: compute y from $y^2 \equiv x^3 + ax + b \pmod n$ (taking z = 1), i.e. a square root modulo the composite n.
- Choose y and solve for x: solve a cubic equation modulo n.
- Find x and y simultaneously: not obvious.
- LLL-based methods don't seem to pose a threat.
- Finding rational non-torsion points on curves over $\mathbb{Q}$ seems hard.
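The first option above, fixing x and solving for y, amounts to extracting a square root modulo the composite n. The following added example (mine, not code from the paper) shows the standard reason this is believed hard: any procedure that returns square roots modulo n = pq can be turned into a factoring algorithm. The `sqrt_oracle` is hypothetical and cheats by knowing the factors; the primes 1019 and 1031 are constructed toy values.

```python
"""Added example, not from the slides: a square-root oracle modulo n = pq
factors n, so "choose x, solve y^2 = f(x) mod n for y" is as hard as factoring.
The oracle cheats by knowing p and q; the primes are constructed toy values."""
import secrets
from math import gcd

P, Q = 1019, 1031          # constructed toy primes, both congruent to 3 mod 4
N = P * Q

def sqrt_mod_prime(a, p):
    """Square root of a modulo a prime p = 3 (mod 4); None if a is a non-residue."""
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a % p else None

def sqrt_oracle(a, p=P, q=Q):
    """Hypothetical oracle: with the factors known, glue roots mod p and mod q
    with the CRT, choosing one of the four roots of a modulo pq at random."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    if rp is None or rq is None:
        return None
    if secrets.randbits(1):
        rp = (-rp) % p
    if secrets.randbits(1):
        rq = (-rq) % q
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

def factor_with_sqrt_oracle(n, oracle, max_tries=200):
    """Rabin's reduction: pick a random x and ask for a root y of x^2 mod n.
    With probability 1/2 the oracle returns y != +-x, and gcd(x - y, n) splits n."""
    for _ in range(max_tries):
        x = secrets.randbelow(n - 2) + 2
        g = gcd(x, n)
        if g != 1:                              # lucky: x already shares a factor
            return frozenset((g, n // g))
        y = oracle(x * x % n)
        if y is None or y in (x, (-x) % n):
            continue                            # useless root, try again
        g = gcd(x - y, n)
        return frozenset((g, n // g))
    return None
```

Only the "choose x and solve for y" route is covered here; it is the one the reduction makes precise. The same obstacle is what makes the verification check of a coupon cheap (evaluate the curve equation) while producing a fresh point without the group operation stays out of reach for anyone who cannot factor n.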
Elliptic Curves over $\mathbb{Z}_n$ (cont.)
Let $p, q, l_1, l_2, l_3$ be primes. Using complex multiplication techniques [Lay-Zimmer '94], we can find curves $E_p/\mathbb{F}_p$ and $E_q/\mathbb{F}_q$ with $\#E_p(\mathbb{F}_p) = l_1 l_2$ and $\#E_q(\mathbb{F}_q) = l_3$.
Let n = pq. Then $E(\mathbb{Z}_n) \cong E_p(\mathbb{F}_p) \times E_q(\mathbb{F}_q)$ with $\#E(\mathbb{Z}_n) = l_1 l_2 l_3$.
Let U be the projective plane over $\mathbb{Z}_n$, G be $E(\mathbb{Z}_n)$, and $D \le G$ be its subgroup of order $l_1 l_3$.
Figure: nested sets $D \subset G \subset U$ (invalid, signal, dummy).
Elliptic Curves over $\mathbb{Z}_n$ (cont.)
- Verification algorithm: given a coupon (x : y : z), it is easy to check whether $y^2 z \equiv x^3 + a x z^2 + b z^3 \pmod n$.
- Subgroup membership problem: computing $\#E(\mathbb{Z}_n)$ is as hard as factoring n [Kunihiro-Koyama '98]. It seems hard to distinguish elements of D (order $l_1 l_3$) from elements of $G \setminus D$ (generic order $l_1 l_2 l_3$).
- Subgroup escape problem: hard as long as the adversary cannot find random group elements in $G = E(\mathbb{Z}_n)$.
Bilinear groups
Let $p, l_1, l_2, l_3$ be primes with $p + 1 = 6 l_1 l_2 l_3$ and $p \equiv 2 \pmod 3$.
There exists a modified Weil pairing $\hat e : E(\mathbb{F}_p) \times E(\mathbb{F}_p) \to \mathbb{F}_{p^2}^*$ [Boneh-Franklin '01].
Let $U = E(\mathbb{F}_p)$ and let $G, D \le U$ be its subgroups of order $l_1 l_2$ and $l_1$, respectively.
Figure: nested sets $D \subset G \subset U$ (invalid, signal, dummy).
Bilinear groups (cont.)
- Verification algorithm: let P be a point of order $6 l_1 l_2 l_3$ and $R = P^{l_1 l_2}$. Then a point $Q \in U$ is in G iff $\hat e(Q, R) = 1$: for $Q = P^{6 s l_3} \in G$, bilinearity gives $\hat e(Q, R) = \hat e(P^{6 s l_3}, P^{l_1 l_2}) = \hat e(P, P)^{6 s l_1 l_2 l_3} = 1$.
- Subgroup membership problem: because we do not reveal elements of order $l_2$ or $l_2 l_3$, it seems hard to distinguish elements of D (order $l_1$) from elements of G (order $l_1 l_2$).
- Subgroup escape problem: unless $l_3$ is known, it is hard to find elements of order $l_1 l_2$, and knowing elements of order $l_1$ does not help.
Spreading rumors with the BCM
We have a BCM (G, C, V, D). At the start, a trusted dealer runs $G(1^k)$ and distributes signal coupons to select processes. All others get dummy coupons.
Figure: four processes holding coupons 1, 0, 0, 0.
Spreading rumors with the BCM (cont.)
Then each process continually broadcasts its coupon to its neighbors.
Figure: processes broadcasting their coupons; a garbage message injected by the adversary is also in flight.
Spreading rumors with the BCM (cont.)
Upon receiving a coupon, the process verifies that the coupon is valid. If so, the process combines it with its own coupon; otherwise it discards it.
Figure: a process runs V on the garbage message (rejected) and on a valid coupon (accepted), then runs C to fold the accepted coupon into its own.
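The following added Python example (mine, not the authors' code) implements the BCM on the abstract group structure from the earlier slide and the flooding protocol of the last three slides. It takes $U = \mathbb{Z}_p^*$ with $p - 1 = 2 l_1 l_2 l_3$ (an assumption made for the demo), G the subgroup of order $l_1 l_2$ and D its subgroup of order $l_1$, with G described in the public key by its order. This group is convenient for showing the mechanics, but the last function shows that it does not satisfy the subgroup escape assumption, which is exactly why the paper needs elliptic curves over $\mathbb{Z}_n$ or bilinear groups.

```python
"""Toy blind coupon mechanism (BCM) over the abstract group structure (U, G, D).

Added example, not the paper's code. Demo assumption: U = Z_p^* with
p - 1 = 2*l1*l2*l3, G = the subgroup of order l1*l2, D = its subgroup of order
l1. NOT a secure instantiation: escape_subgroup() shows why.
"""
import secrets

# Deterministic Miller-Rabin bases; exact for n < 3.3e24 (our p is about 2^73).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def setup(start=1 << 24):
    """Primes l1 < l2 < l3 near `start` such that p = 2*l1*l2*l3 + 1 is prime."""
    l1 = next_prime(start)
    l2 = next_prime(l1 + 1)
    l3 = next_prime(l2 + 1)
    while not is_prime(2 * l1 * l2 * l3 + 1):
        l3 = next_prime(l3 + 1)
    return 2 * l1 * l2 * l3 + 1, l1, l2, l3

def keygen(p, l1, l2, l3):
    """G(1^k): PK = (U, G, d) with G given by its order, SK = |D|. Also returns
    the dummy coupon d (generates D) and a signal coupon s (generates G)."""
    g_order = l1 * l2
    h = 2
    while True:
        s = pow(h, (p - 1) // g_order, p)   # lands in G, since s^(l1*l2) = 1
        if pow(s, l1, p) != 1 and pow(s, l2, p) != 1:
            break                           # order exactly l1*l2: s generates G
        h += 1
    d = pow(s, l2, p)                       # generator of D (order l1)
    return {"p": p, "g_order": g_order, "d": d}, {"p": p, "d_order": l1}, d, s

def verify(pk, y):
    """V_PK(y): valid iff y lies in G, i.e. y^|G| = 1 in Z_p^*."""
    p = pk["p"]
    return 0 < y < p and pow(y, pk["g_order"], p) == 1

def decode(sk, y):
    """D_SK(y): 0 (dummy) iff y^|D| = 1, i.e. y lies in D; otherwise 1 (signal)."""
    return 0 if pow(y, sk["d_order"], sk["p"]) == 1 else 1

def combine(pk, x, y):
    """C_PK(x, y) = d^r0 * x^r1 * y^r2, r_i uniform in {0, ..., 2^(2k) - 1}.
    The random exponents re-randomise the result (blinding); when an input is
    a signal coupon the output is one too, except with probability about 1/l2."""
    p = pk["p"]
    bound = 1 << (2 * p.bit_length())
    r0, r1, r2 = (secrets.randbelow(bound) for _ in range(3))
    return pow(pk["d"], r0, p) * pow(x, r1, p) % p * pow(y, r2, p) % p

def spread(pk, coupons, neighbours, rounds):
    """Synchronous flooding: each round every process broadcasts its coupon and
    folds every valid coupon it receives into its own; invalid ones are dropped."""
    coupons = list(coupons)
    for _ in range(rounds):
        sent = list(coupons)
        for i, nbrs in enumerate(neighbours):
            for j in nbrs:
                if verify(pk, sent[j]):
                    coupons[i] = combine(pk, coupons[i], sent[j])
    return coupons

def escape_subgroup(pk):
    """Subgroup escape is EASY here: (p - 1) / |G| is computable from PK, so a
    random element of U raised to it lands in G, and outside D with probability
    1 - 1/l2. That is a forged signal coupon, made without ever seeing one."""
    p = pk["p"]
    h = secrets.randbelow(p - 2) + 2
    return pow(h, (p - 1) // pk["g_order"], p)
```

The dealer hands out `s` (or a re-randomised `combine(pk, s, s)`) to the alerting processes and `d` to everyone else; on a path of five processes with the signal at one end, `spread` needs as many rounds as the path's diameter before the last process decodes to 1, matching the flooding bound on the next slide. The combine step fails (lands back in D) with probability about $1/l_2$ when an input is a signal coupon, negligible for the 24-bit toy primes used here and for cryptographic sizes, but it is the reason the primes must not be tiny.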
Spreading rumors with the BCM (cont.)
Theorem: If the BCM is secure, then so is the rumor-spreading mechanism.
Proof idea: because the adversary cannot distinguish between dummy and signal coupons, it cannot test their presence or absence in the network traffic. The same holds for coupon forgery.
Spreading rumors with the BCM (cont.)
- Synchronous flooding model: all processes receive a signal within a number of steps equal to the diameter of the subgraph of non-faulty processes.
- Simple epidemic model: the communication graph is complete. All processes receive a signal in $O(n \log n)$ steps.
Conclusion
- We give a BCM construction with constant expansion ratio.
- It can be used to construct an undetectable, anonymous private channel.
- New crypto tool? The subgroup escape assumption.
- Non-interactive proofs of circuit satisfiability of length linear in the number of ∧ gates.
- Applications to i-voting [Chaum et al. '04].
Open problems
- Can a BCM be constructed using more standard assumptions?
- Can we transmit multiple bits without a linear blow-up in message size?