7.4 Other Two-Player Game Attacks
7.4.1 Key Search via Facehuggers
The notion of using viruses to solve computationally difficult problems is well known. For instance, a virus can try by brute force to determine the DES key that was used to produce a particular ciphertext [320]. Viruses can likewise be used to steal CPU time in order to factor composites, compute discrete logarithms, and so on.
In this subsection a particular cryptovirus attack is detailed that is geared towards solving the discrete logarithm problem in a prime order subgroup. The prime order subgroup discrete-log problem is believed to be intractable and is the basis for many cryptographic algorithms such as DSA. Recall that the DSA private key is x and the DSA public key is (y, g, p) (see Subsection C.2.7). DSA as originally standardized utilizes a public prime q that is 160 bits in length. The order of g modulo p is q, and hence q divides p − 1 evenly.
The attack utilizes the approach of Feigenbaum et al. to hide information from an oracle [1, 2, 99] (see Section 6.8). The virus writer chooses r < q randomly and computes y_r = y g^r mod p, thus randomizing y. It is simple enough to place y_r in a virus and let the offspring try to compute the base g discrete log of y_r. If it is found, then it can be posted to a bulletin board so that the virus writer can obtain it. Since log_g(y_r) ≡ x + r mod q and the virus writer knows r, the virus writer can recover x from the posting. This allows the virus writer to try to determine someone's DSA private key x in y = g^x mod p by brute force in such a way that the owner of the public key has no way of knowing that the private key has been compromised, since y_r reveals nothing about which public key y is under attack. Consider the case that one of these viruses is found. The virus would likely be chewing up a fair amount of CPU time, would be a nuisance in general, and would simply be removed. So in this straightforward attack a machine is lost whenever the virus on that machine is found, that is, there is one less machine to perform the distributed brute-force computation.
However, if the virus were more like a facehugger then there would be consequences for removing it. The goal then is to devise a mechanism that maximizes the number of machines that are actively trying to solve the discrete logarithm problem instance. The following is a virus attack that seeks to achieve this goal. We call the virus a facehugger and give a very high level description of it.¹⁰
To mount the attack the virus writer chooses r < q randomly and computes y_r = y g^r mod p. The value (y_r, p, g, q) is placed within the virus. It is assumed that the virus is given a grace period in which it can infect many machines, remotely store sensitive data without hindrance, and so on. The virus operates much like the virus in the attack on the brokerage firm. Each virus generates a large random identifier ID, each virus generates a key pair, and they communicate securely¹¹ with each other over a mix network and bulletin board, and so on. The identifiers serve as digital pseudonyms. Each virus searches its host for sensitive host data D that would be damaging if published. This data is encrypted using the Vernam cipher. The resulting ciphertext C and One-time pad R are securely sent to the two other viruses involved in the attack on the host.

¹⁰ We thank C. C. Michael for helpful discussions regarding this distributed cryptoviral attack.
So far the attack is almost exactly the same as the attack on the brokerage firm. However, the attack would be on a much larger scale since any host machine that contains sensitive data D is a viable host for the attack. Brokerage firms are not sought after explicitly. Let the total number of viruses be denoted by N and for simplicity assume that all N machines contain sensitive data. The viruses partition the key space {0, 1, ..., q − 1} into N roughly equal partitions, each of which is a contiguous set of numbers. The viruses are each responsible for making their respective hosts search a given partition. Let s_1 denote the starting value for the partition of a given virus V_1.
It is important not to overload a virus in terms of the Vernam ciphertexts and One-time pads that it stores from other virus attacks. To avoid this the viruses carefully arrange the way they store the sensitive data. The arrangement of viruses can be expressed as a bipartite graph (see Figure 7.2). Each virus is represented by two vertices of the same color. The figure shows the case of N = 5, 4, 3 from left to right.
Although it is not shown in the figure, the vertices are labeled using the identifiers of the viruses. The vertex at the top has the highest value for ID, the one below that has the second highest value for ID, and so on. When a virus computes a One-time pad and Vernam ciphertext it sends them to the two viruses indicated by the directed edges.
The bipartite graphs in the figure are all quite similar since each vertex connects to the two vertices directly below it and to the right, except for the bottom two vertices. The bottom vertex always connects to the top two vertices on the right. The vertex second from the bottom always connects to the top and bottom vertices on the right. Also, the arrangement is constructed such that each virus is responsible for storing a Vernam ciphertext from one machine and a One-time pad from another. When the grace period ends each virus immediately begins searching the keyspace. For example, V_1 immediately starts searching the partition that begins with s_1. Virus V_1 checks to see whether y_r = g^{s_1}, g^{s_1} g, g^{s_1 + 1} g, and so on. The partition is exponentially large so the virus, which is polynomially bounded, will not finish the search. If the logarithm of y_r is found, then it is posted to the bulletin board.
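As an added example (not the book's own code), the following Python builds the storage arrangement of Figure 7.2 for N viruses, splits a host's sensitive data D with the Vernam cipher, and divides the key space {0, ..., q − 1} into N contiguous partitions. The edge rule is the one stated above: after sorting the vertices by ID (index 0 being the highest), each virus hands its ciphertext to the vertex directly below it and its pad to the one below that, wrapping around at the bottom; the check confirms that every virus ends up holding exactly one ciphertext and one pad, from two different hosts, and never any half of its own data. The toy q, the sample data and the function names are constructed for this example.

```python
import os
from typing import Dict, List, Tuple

# Added example, not the book's code.  Vertices are indexed by rank of ID:
# index 0 is the virus with the highest ID, index n-1 the lowest (bottom).


def storage_edges(n: int) -> Dict[int, Tuple[int, int]]:
    """For each virus i return (holder of C_i, holder of R_i).

    Each vertex connects to the two vertices directly below it on the
    right; the bottom vertex wraps to the top two and the second-from-bottom
    to the top and bottom, which is exactly (i+1) mod n and (i+2) mod n.
    """
    if n < 3:
        raise ValueError("need at least three viruses, or C and R land on one host")
    return {i: ((i + 1) % n, (i + 2) % n) for i in range(n)}


def holdings(n: int) -> Dict[int, Dict[str, List[int]]]:
    """Invert the edges: which ciphertexts and pads each virus stores."""
    held: Dict[int, Dict[str, List[int]]] = {i: {"C": [], "R": []} for i in range(n)}
    for sender, (c_holder, r_holder) in storage_edges(n).items():
        held[c_holder]["C"].append(sender)
        held[r_holder]["R"].append(sender)
    return held


def check_arrangement(n: int) -> bool:
    """Every virus stores exactly one C and one R, from two different hosts,
    neither of which is itself, so no single virus can reconstruct any D."""
    for i, h in holdings(n).items():
        if len(h["C"]) != 1 or len(h["R"]) != 1:
            return False
        if h["C"][0] == h["R"][0] or i in (h["C"][0], h["R"][0]):
            return False
    return True


def split_vernam(data: bytes) -> Tuple[bytes, bytes]:
    """Vernam-encrypt D with a fresh pad; returns (C, R) for the two holders."""
    pad = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, pad)), pad


def reveal(ciphertext: bytes, pad: bytes) -> bytes:
    """What happens to D when both holders publish: D = C xor R."""
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def keyspace_partitions(q: int, n: int) -> List[Tuple[int, int]]:
    """Split {0, ..., q-1} into n contiguous half-open ranges [s_k, e_k)."""
    bounds = [k * q // n for k in range(n + 1)]
    return [(bounds[k], bounds[k + 1]) for k in range(n)]


if __name__ == "__main__":
    for n in (5, 4, 3):                      # the three cases of Figure 7.2
        print(n, storage_edges(n), check_arrangement(n))
    sample = b"constructed sample of sensitive host data"
    c, r = split_vernam(sample)
    print(reveal(c, r) == sample)
    print(keyspace_partitions(1019, 5))      # toy q, not a real 160-bit prime
```

With the cyclic rule, virus j holds C from j − 1 and R from j − 2, so deleting what one host stores removes exactly one half of two different victims' data, which is the situation the deadlock discussion later in the section turns on.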
Each virus also demands that two other hosts conduct searches. Consider the case that V_1 stores the Vernam ciphertext C_2 and One-time pad R_3 corresponding to the sensitive data on two other infected machines M_2 and M_3, respectively. Also, let the viruses on these machines be denoted by V_2 and V_3, respectively. V_1 demands that V_2 and V_3 search the key space as well. This is accomplished by having V_1 send each of these two machines challenge sequences. The following is how the challenge sequences for V_2 are constructed. It is the same for V_3.
At regular intervals (e.g., once every couple of hours or so) V_1 chooses r_1, r_2 < q randomly, chooses j randomly from {0, 1, 2, ..., 2^20 − 1}, and then flips a coin. If the result is heads then V_1 sets w = r_2 and t = y_r g^{r_1} mod p. If the result is tails then V_1 sets w = r_1 − j mod q and t = g^{r_1} mod p. V_1 sends the pair (t, w) to V_2 securely. Note that in the tails case w + j ≡ r_1 mod q, so V_1 knows the answer to the challenge in advance, whereas in the heads case the answer, if one exists in the window at all, is x + r + r_1 − w mod q, which V_1 does not know.
If there exists an i contained in {0, 1, 2, ..., 2^20 − 1} such that t = g^{w+i} mod p then V_1 expects V_2 to respond with i. If no such i exists then V_1 expects V_2 to respond with “no exponent found.” Failure to produce a valid answer, that is, an i such that 0 ≤ i < 2^20 or “no exponent found,” after time T elapses always results in the publication of C_2 in retaliation. For concreteness let T = 2 hours. This interval must be chosen to give plenty of elbow room for V_2 to solve two challenge sequences at once, since M_2 receives challenges from two viruses.
If the result is heads and V_2 responds with i then V_1 checks to see if g^{w+i} mod p = t = y_r g^{r_1} mod p. If this equality does not hold then V_1 publishes C_2 to the bulletin board. If the equality does hold then V_1 publishes w + i − r_1 ≡ x + r mod q to the bulletin board. This allows the virus writer to recover x since the virus writer knows r. If the result is heads and V_2 responds with “no exponent found” then V_1 assumes on faith that there is no i contained in {0, 1, 2, ..., 2^20 − 1} such that g^{w+i} = t mod p, and so V_2 passes the challenge sequence.
Now consider the case that the result is tails. If V_2 responds with “no exponent found,” or with an i ≠ j, then V_1 publishes C_2 to the bulletin board in retaliation. If i = j then V_2 passes the challenge sequence.
So what is really going on here? V_1 is conducting a sting operation of sorts against the host of V_2. With probability 1/2 (tails) M_2 is sent a challenge with a planted answer j that V_2, if it is still running properly on M_2, will find and return to V_1. With probability 1/2 (heads) M_2 is simply given a portion of the keyspace to search. M_2 has no way of knowing which is the case, since both kinds of challenge look like a random pair (t, w), so it can do no better than guess. To be uncooperative the operator of M_2 can refuse to send a discrete logarithm when one is found. However, the operator will be caught with probability 1/2 on each such refusal, so the chance of withholding k found logarithms undetected is 2^{−k}. This interactive protocol is intimately related to the notion of a proof of work. Informally speaking, a proof of work allows a prover to demonstrate to a verifier that the prover has performed a certain amount of computational work in a specified interval of time [136].
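The following Python is an added example (not the book's code) that plays both sides of the challenge protocol above over a toy DSA-style group: the virus writer's blinding of y into y_r, V_1's heads/tails challenge construction and grading, an honest V_2's window search, and finally the writer stripping r from the published w + i − r_1 to recover x. The group (p = 2039, q = 1019, g = 4) and the 64-element window standing in for 2^20 are constructed for the example, and the names make_challenge, answer_challenge, grade and simulate are this example's own; the simulation also runs a withholding V_2 that always answers "no exponent found", to show that it is caught on the first tails round.

```python
import random
from typing import Optional, Tuple

# Added example, not the book's code.  Toy DSA-style group: q = 1019 and
# p = 2q + 1 = 2039 are prime, so g = 2^((p-1)/q) mod p has order exactly q.
# Real DSA uses a 160-bit (or larger) q and the text's window is 2^20.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)
WINDOW = 64                      # stands in for 2^20 in the text
NO_EXP = "no exponent found"


def randomize_key(y: int, r: int) -> int:
    """Writer's step: y_r = y * g^r mod p, so log_g(y_r) = x + r mod q."""
    return (y * pow(G, r, P)) % P


def make_challenge(rng: random.Random, y_r: int, heads: bool):
    """V_1's step: build (t, w); the dict is V_1's private grading state."""
    r1, r2 = rng.randrange(1, Q), rng.randrange(1, Q)
    j = rng.randrange(WINDOW)
    if heads:                    # real work: a random window of log_g(y_r)
        w, t = r2, (y_r * pow(G, r1, P)) % P
    else:                        # sting: answer planted, w + j = r1 mod q
        w, t = (r1 - j) % Q, pow(G, r1, P)
    return (t, w), {"heads": heads, "r1": r1, "j": j}


def answer_challenge(t: int, w: int):
    """Honest V_2: smallest i in [0, WINDOW) with g^(w+i) = t, else NO_EXP."""
    cur = pow(G, w, P)
    for i in range(WINDOW):
        if cur == t:
            return i
        cur = (cur * G) % P
    return NO_EXP


def grade(t: int, w: int, answer, state: dict) -> Tuple[str, Optional[int]]:
    """V_1's verdict: ('pass', None); ('publish', None), meaning C_2 goes to
    the bulletin board; or ('recovered', w + i - r1 mod q) = x + r mod q."""
    if answer == NO_EXP:
        return ("pass" if state["heads"] else "publish"), None
    if not isinstance(answer, int) or not 0 <= answer < WINDOW:
        return "publish", None
    if state["heads"]:
        if pow(G, (w + answer) % Q, P) != t:
            return "publish", None
        return "recovered", (w + answer - state["r1"]) % Q
    return ("pass" if answer == state["j"] else "publish"), None


def simulate(seed: int, honest: bool, max_rounds: int = 3000):
    """Rounds of V_1 challenging V_2.  Returns (true x, x as recovered by the
    writer or None, whether C_2 was ever published).  The dishonest V_2
    always answers "no exponent found"."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)                  # victim's DSA private key
    r = rng.randrange(1, Q)                  # writer's blinding value
    y_r = randomize_key(pow(G, x, P), r)     # all the virus ever carries
    recovered, caught = None, False
    for _ in range(max_rounds):
        (t, w), state = make_challenge(rng, y_r, heads=rng.random() < 0.5)
        answer = answer_challenge(t, w) if honest else NO_EXP
        verdict, posted = grade(t, w, answer, state)
        if verdict == "publish":
            caught = True
        elif verdict == "recovered":
            recovered = (posted - r) % Q     # writer strips r from x + r
            break
    return x, recovered, caught


if __name__ == "__main__":
    print("honest V_2:     ", simulate(1, honest=True))
    print("withholding V_2:", simulate(1, honest=False))
```

Each heads round covers a random window of 64 exponents out of 1019, so with the toy parameters the honest run recovers x after a few dozen rounds; with a 160-bit q and a 2^20 window the same loop is the exponentially long search the text describes, and only the tails rounds, whose cost is pure overhead, ever terminate quickly.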
The operator of M_2 can decide to ignore V_1's challenge sequences entirely under the assumption that only C_2 will be published and not the One-time pad R_2. However, this increases the chances that both C_2 and R_2 will become available, thus revealing D_2 = C_2 ⊕ R_2. M_2 will still receive challenge sequences from the other virus, the one holding R_2, unless it has been tampered with.
The attack is intriguing since it creates a form of deadlock when the victims do not trust each other. For instance, if the operator of the machine that hosts V_1 decides to be a good samaritan and delete the Vernam ciphertext and One-time pad that V_1 is storing, there is no reason to believe that the operators of the machines that store the ciphertext and One-time pad that V_1 sent out will reciprocate. They might in fact publish them. This can cause the good samaritan to lose the game.
The payload of the facehugger forces victims to perform intensive computations under the threat of sensitive information disclosure. This would clearly be a hassle and a nuisance for the victim. It is related to the use of puzzles to defend against connection depletion attacks [146]. However, it uses puzzles as a malicious payload rather than as a defense. Also, the payload is not simply destructive since these intensive computations are geared towards breaking a public key.
There are also other issues to consider. For example, when the viruses are never found this scheme creates needless extra work: the phony (tails) challenge sequences must be searched even though their answers are already known to the challenger and contribute nothing to the search. However, when the viruses are brought to near extinction, the challenges give the search a chance to continue on machines on which the virus has been discovered. Open issues include ways of improving the attacks as well as identifying new attacks along these lines.
A similar sort of attack can be carried out against composite public keys. Let n = pq be the product of two large primes p and q. This could be a Rabin public key, an RSA public key, and so on. The virus contains n and attempts to discover the factorization of n. Already a complication exists since if the owner of the public key n learns that a virus is trying to break it, the owner will immediately revoke the public key n. However, if the virus writer has a ciphertext c that was computed using n, then breaking n is still useful in trying to decrypt c. The attack will not be described in detail, but the general idea will be sketched out.
In the attack the virus writer tries to obtain two ambivalent roots of a quadratic residue modulo n. The values x and y are ambivalent roots of x^2 mod n if x^2 ≡ y^2 mod n and x ≢ ±y mod n. These two values allow n to be factored since (x − y)(x + y) ≡ 0 mod n with neither factor divisible by n, so gcd(x + y, n) and gcd(x − y, n) are non-trivial divisors of n.
The virus writer places a = x^2 mod n in the virus and hopes that the viruses will find a y that is ambivalent with respect to x. Also, the virus contains a random function H that maps {0,1}^* onto the set Z_n^*. Let H_j(s) = H(J || s) where J is the 20-bit binary representation of j and s is any input string. It may be assumed that H_j(·) is publicly known.
The victim's machine is challenged by the virus as follows. The virus chooses r_1 randomly from Z_n^*, w randomly from Z_{n^2}^*, j randomly from {0, 1, 2, ..., 2^20 − 1}, and flips a coin. If the result is heads then the virus computes t = a r_1^2 mod n. If the result is tails then the virus computes t = H_j(w)^2 mod n. The virus sends the challenge (t, w) to the victim.
If the victim does not respond with i ∈ {0, 1, 2, ..., 2^20 − 1} or “no root found” on time then the sensitive data is published in retaliation. If the victim responds with i ∈ {0, 1, 2, ..., 2^20 − 1} then the virus checks to see if H_i(w)^2 mod n = t. If this does not hold then the sensitive data (either the Vernam ciphertext or the One-time pad) is published. If this does hold and the coin toss resulted in heads then H_i(w)/r_1 mod n = √a is asymmetrically encrypted under the public key of the virus writer that is contained in the virus; it is a square root of a because t = a r_1^2 = (x r_1)^2 mod n. This ciphertext is published to a bulletin board so that the virus writer can obtain it. If H_i(w)/r_1 is ambivalent with respect
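As an added example (not the book's code), the Python below runs the factoring variant of the challenge protocol end to end over a toy modulus: the virus's heads/tails challenge construction, an honest victim's window search for i with H_i(w)^2 ≡ t, the virus's check and its extraction of H_i(w)/r_1, and the writer's final step of testing whether that root is ambivalent to x and taking a gcd. The modulus n = 101 · 103, the 4096-element window standing in for 2^20, and the use of SHA-256 with a retry counter as the random function H are assumptions of this example, as are the names make_challenge, answer_challenge, grade, try_factor and simulate.

```python
import hashlib
import random
from math import gcd
from typing import Optional, Tuple

# Added example, not the book's code.  Toy modulus n = 101 * 103 so that the
# victim's window search actually hits; a real target is an RSA or Rabin n.
N_P, N_Q = 101, 103
N = N_P * N_Q
WINDOW = 4096                    # stands in for 2^20 in the text
NO_ROOT = "no root found"


def H(j: int, w: int) -> int:
    """H_j(w) = H(J || w) mapped into Z_n^*.  SHA-256 with a retry counter
    stands in for the random function H of the text (an assumption); J is
    j as a fixed-width big-endian integer."""
    ctr = 0
    while True:
        msg = j.to_bytes(3, "big") + w.to_bytes(16, "big") + bytes([ctr])
        v = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
        if gcd(v, N) == 1:
            return v
        ctr += 1


def make_challenge(rng: random.Random, a: int, heads: bool):
    """Virus's step: (t, w) plus the private state needed to grade it."""
    r1 = rng.randrange(1, N)
    while gcd(r1, N) != 1:
        r1 = rng.randrange(1, N)
    w = rng.randrange(1, N * N)              # the text draws w from Z_{n^2}^*
    j = rng.randrange(WINDOW)
    t = (a * r1 * r1) % N if heads else (H(j, w) ** 2) % N
    return (t, w), {"heads": heads, "r1": r1, "j": j}


def answer_challenge(t: int, w: int):
    """Honest victim: smallest i in [0, WINDOW) with H_i(w)^2 = t mod n."""
    for i in range(WINDOW):
        if (H(i, w) ** 2) % N == t:
            return i
    return NO_ROOT


def grade(t: int, w: int, answer, state: dict) -> Tuple[str, Optional[int]]:
    """Virus's verdict: ('pass', None); ('publish', None) for retaliation; or
    ('root', H_i(w)/r1 mod n), a square root of a, to be encrypted to the
    writer and posted."""
    if answer == NO_ROOT:
        return ("pass" if state["heads"] else "publish"), None
    if not isinstance(answer, int) or not 0 <= answer < WINDOW:
        return "publish", None
    if (H(answer, w) ** 2) % N != t:
        return "publish", None
    if state["heads"]:
        return "root", (H(answer, w) * pow(state["r1"], -1, N)) % N
    return "pass", None


def try_factor(root: int, x: int) -> Optional[Tuple[int, int]]:
    """Writer's step: root^2 = x^2 = a; if root is ambivalent to x, i.e.
    root != +-x mod n, then gcd(root - x, n) is a non-trivial factor."""
    if (root * root) % N != (x * x) % N or root in (x % N, (-x) % N):
        return None
    f = gcd(root - x, N)
    if f in (1, N):
        return None
    return (f, N // f) if f < N // f else (N // f, f)


def simulate(seed: int, max_rounds: int = 500) -> Optional[Tuple[int, int]]:
    """Challenge an honest victim until a root ambivalent to x comes back.
    Only a = x^2 travels in the virus; x itself stays with the writer."""
    rng = random.Random(seed)
    x = rng.randrange(2, N)
    while gcd(x, N) != 1:
        x = rng.randrange(2, N)
    a = (x * x) % N
    for _ in range(max_rounds):
        (t, w), state = make_challenge(rng, a, heads=rng.random() < 0.5)
        verdict, root = grade(t, w, answer_challenge(t, w), state)
        if verdict == "root":
            factors = try_factor(root, x)
            if factors:
                return factors
    return None


if __name__ == "__main__":
    print(simulate(7))
```

With the toy n each heads round has a fair chance of returning one of the four square roots of a, and half of those are ambivalent to x; with a real-sized n the same search is hopeless within 2^20 hashes, which is exactly why the tails rounds, whose root is planted, are what keeps the victim working.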