On-The-Fly Verification of Rateless Erasure Codes Max Krohn (MIT CSAIL) Michael Freedman and David Mazières (NYU)

Slides:

Advertisements

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Advertisements

Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research.

Efficient Signature Generation by Smart Cards Suk Ki Kim Sunyeong Kim.

On-the-fly Verification of Erasure-Encoded File Transfers Mike Freedman & Max Krohn NYU Dept of Computer Science.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Advanced Security Constructions and Key Management Class 16.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Data Persistence in Sensor Networks: Towards Optimal Encoding for Data Recovery in Partial Network Failures Abhinav Kamra, Jon Feldman, Vishal Misra and.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Network Coding for Large Scale Content Distribution Christos Gkantsidis Georgia Institute of Technology Pablo Rodriguez Microsoft Research IEEE INFOCOM.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Fountain Codes Amin Shokrollahi EPFL and Digital Fountain, Inc.

Introduction to Modern Cryptography Homework assignments.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.

DNA Research Group 1 Growth Codes: Maximizing Sensor Network Data Persistence Vishal Misra Joint work with Abhinav Kamra, Jon Feldman (Google) and Dan.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

MIS: Malicious Nodes Identification Scheme Network-Coding-Based Peer-to-Peer Streaming Qiyan Wang, Long Vu, Klara Nahrstedt, Himanshu Khurana Department.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

Introduction to Public Key Cryptography

Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall

Bob can sign a message using a digital signature generation algorithm

Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.

Organization  Introduction to Network Coding  Practical Network Coding  Secure Network Coding  Structured File Sharing  Conclusion.

Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.

Low-Overhead Byzantine Fault-Tolerant Storage James Hendricks, Gregory R. Ganger Carnegie Mellon University Michael K. Reiter University of North Carolina.

02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.

Topic 22: Digital Schemes (2)

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Threshold Phenomena and Fountain Codes Amin Shokrollahi EPFL Joint work with M. Luby, R. Karp, O. Etesami.

CprE 545 project proposal Long.  Introduction  Random linear code  LT-code  Application  Future work.

Intrusion Tolerant Software Architectures Bruno Dutertre, Valentin Crettaz, Victoria Stavridou System Design Laboratory, SRI International

Efficient Downloading and Updating Application on Smart Cards Yongsu Park, Junyoung Heo, Yookun Cho School of Computer Science and Engineering Seoul National.

15-853:Algorithms in the Real World

Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme

Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.

On Detecting Pollution Attacks in Inter-Session Network Coding Anh Le, Athina Markopoulou University of California, Irvine.

Computer Science 1 TinySeRSync: Secure and Resilient Time Synchronization in Wireless Sensor Networks Speaker: Sangwon Hyun Acknowledgement: Slides were.

Computer Science Division

Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz University of California, Berkeley.

10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol.

Lecture 5.1: Message Authentication Codes, and Key Distribution

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.

SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains Loi Luu, Viswesh Narayanan, Kunal Baweja, Chaodong Zheng, Seth Gilbert, Prateek.

DIGITAL SIGNATURE(DS) IN VIDEO. Contents  What is Digital Signature(DS)?  General Signature Vs. Digital Signatures  How DS is Different from Encryption?

1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.

Raptor Codes Amin Shokrollahi EPFL. BEC(p 1 ) BEC(p 2 ) BEC(p 3 ) BEC(p 4 ) BEC(p 5 ) BEC(p 6 ) Communication on Multiple Unknown Channels.

International Conference Security in Pervasive Computing(SPC’06) MMC Lab. 임동혁.

Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Problem: Internet diagnostics and forensics

CS/ECE 478 Introduction to Network Security

Presentation transcript:

On-The-Fly Verification of Rateless Erasure Codes Max Krohn (MIT CSAIL) Michael Freedman and David Mazières (NYU)

On-The-Fly Verification of Rateless Erasure Codes Max Krohn (MIT CSAIL) Michael Freedman and David Mazières (NYU) Multicast Authentication: Dead/Exhausted

The Setting A large file F  Linux ISO (650MB) H(F) is available  signed by Publisher (RedHat) A handful of untrusted sources/mirrors S 1,…S 8

A Handful of Senders

The Setting A large file F  Linux ISO (650MB) H(F) is available  signed by Publisher (RedHat) A handful of untrusted sources S 1,…S 8  Their aggregate BW is limited A slew of receivers R 1,...,R 1,000,000  Version 81.3 just released! Want it Now!

Three Desirable Properties Sources Can Multicast Clients Get Fast Downloads Clients Can Verify Blocks On-the-Fly

Receivers Get Fast, Verifiable Downloads The trusted publisher (RedHat)  Splits up F into n blocks  Hashes all blocks  Signs all hashes (or hash tree) Receivers:  Download and verify hashes  Download needed file blocks in parallel

R1R1 S1S1 S3S3 S4S4 S2S2 R3R3 R2R2 R4R4 R5R5 R6R6 R7R7 R8R8 R9R9 R 10 R 11 R 12 R 13 Everyone for Themselves

Everyone For Themselves Sources Can Multicast Clients Get Fast Downloads Clients Can Verify Blocks On-the-Fly

R1R1 S1S1 S3S3 S4S4 S2S2 R3R3 R2R2 R4R4 R5R5 R6R6 R7R7 R8R8 R9R9 R 10 R 11 R 12 R 13 Verifiable Multicast (BitTorrent)

Sources Can Multicast Clients Get Fast Downloads Clients Can Verify Blocks On-the-Fly

Multicast With Erasure Codes Sources erasure encode the file F n blocks blocks F … ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ? … … … …

Multicast With Erasure Codes Sources erasure encode the file F Receivers collect blocks and decode n blocks blocks ?? ?? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ? ? ?? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ? 1.03n blocks n blocks F F … … … … …

R1R1 S1S1 S3S3 S4S4 S2S2 R3R3 R2R2 R4R4 R5R5 R6R6 R7R7 R8R8 R9R9 R 10 R 11 R 12 R 13 Multicast With Erasure Codes

Bullet [SOSP 2003] SplitStream [SOSP 2003] Big Downloads [IPTPS 2003] Informed Content Delivery [SIGCOMM 2002]

R1R1 S1S1 S3S3 S4S4 S2S2 Receivers Cannot Verify Content ? ? ? ? ? ? ? ? ? ? ? ? ? ?

R1R1 S1S1 S3S3 S4S4 S2S2 ? ? ? ? ? ? ? ? ? ?

Multicast With Erasure Codes Sources Can Multicast Clients Get Fast Downloads Clients Can Verify Blocks On-the-Fly

Multicast With Erasure Codes Sources Can Multicast Clients Get Fast Downloads Clients Can Verify Blocks On-the-Fly

What is the Attack Goal? To corrupt the file. To waste bandwidth. R S1S1 S3S3 S2S2

How To Attack? Send correct blocks but with skewed distributions.  “Distribution Attack” Send incorrect blocks  “Pollution Attack” Karlof et al. [NDSS ’04] R S1S1 S3S3 S2S2

Properties of a Solution to Pollution OK: Receivers can tell good from bad. Much better: Receivers can finger bad blocks as they arrive. R S1S1 S3S3 S2S2 CONTRIBUTION

Outline Introduction Review of LT Codes Strawman #1 Strawman #2 Efficiently Catching Bad Blocks as They Arrive

LT-Codes [Luby, FOCS 2002] b1b1 b2b2 b3b3 b4b4 b5b5 F= n=5 input blocks

LT-Codes – How To Encode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 1.Pick degree d 1 from a pre-specified distribution. ( d 1 =2) 2.Select d 1 input blocks uniformly at random. (Pick b 1 and b 4 ) 3.Compute their sum. 4.Output E(F)= F=

LT-Codes – How To Encode (cont’d) b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= How To Decode

b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= b5b5 b5b5 b5b5

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 E(F)= F= b5b5 c4c4 b5b5 b5b5

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 E(F)= F= b5b5 c4c4 b5b5 b5b5

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 E(F)= F= b5b5 c4c4 b5b5 b5b5

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 E(F)= F= b5b5 c4c4 b5b5 b5b5 b2b2 b2b2

How To Decode b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 E(F)= F= b5b5 c4c4 b5b5 b5b5 b2b2 b2b2

Outline Introduction Review of LT Codes Strawman #1  Simple Solution To Tell Good Blocks From Bad Strawman #2 Efficiently Catching Bad Blocks as They Arrive

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F=

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= b5b5 b5b5 b5b5

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= b5b5 b5b5 b5b5

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= b5b5 b5b5 b5b5 X

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= b5b5 b5b5 b5b5 X

“Smart Decoder” for LT-Codes b1b1 b2b2 b3b3 b4b4 b5b5 c1c1 c2c2 c3c3 c4c4 c5c5 c6c6 c7c7 E(F)= F= b5b5 b5b5 b5b5

“Smart Decoder:” Problem Data collected from 50 random Online encodings of a 10,000 block file.

Outline Introduction Review of LT Codes Strawman #1 Strawman #2  Hashing/Signing Encoded Blocks Efficiently Catching the Bad as They Arrive

Hashing/Signing Encoded Blocks Trusted Publisher (RedHat)  Picks e, computes e·n encoded blocks  Hashes all encoded blocks  Signs the hashes. n blocks e · n blocks ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ?? ? ? ? ? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ? F

Hashing/Signing Encoded Blocks Expansion factor e should be big to avoid duplicate blocks. e should be small to make crypto overhead acceptable. Our analysis shows there’s no “sweet spot”.

Hashing/Signing Encoded Blocks Expansion factor e should be big to avoid duplicate blocks. e should be small to make crypto overhead acceptable. Our analysis shows there’s no “sweet spot”.  e.g., best case bandwidth requirements: +5%  e.g., generating hashes is very expensive as e gets large.

Outline Introduction Review of LT Codes Strawman #1 Strawman #2 Efficiently Catching the Bad as They Arrive

Best of Both Worlds Goal:  Crypto overhead of one hash for every block in the input file (Strawman #1)  Verify blocks as they arrive (Strawman #2) Idea:  Distribute hashes of file blocks, and use them to verify encoded blocks.  Need a better hash function.

Insight: Homomorphic Hashing Assume function h exists such that: 1. is homomorphic: 2. is a CRHF:

R knows: R wants proof that: Homomorphic Hashing: Intuition R receives the block c b2b2 b5b5 c

R knows: R wants proof that: Homomorphic Hashing: Intuition c b2b2 b5b5 c R receives the block

R knows: R wants proof that: Homomorphic Hashing: Intuition c b2b2 b5b5 c R receives the block

R knows: R wants proof that: Homomorphic Hashing: Intuition R receives the block

R knows: R wants proof that: Homomorphic Hashing: Intuition Property 1 R receives the block

R knows: R wants proof that: Homomorphic Hashing: Intuition Property 1 Property 2 R receives the block

Homomorphic Hashing: Protocol R receives the block  Compute h(c)  If Accept block; mark as valid  else Suspect sender of being bad guy, and switch.

Homomorphic Hashing: Protocol R receives the block  Compute h(c)  If Accept block; mark as valid  else Suspect sender of being bad guy, and switch. Can such an h possibly exist?

Homomorphic Hashing: Related Work DLog-Based CRHF  Pederson Commitment [CRYPTO ’91]  Chaum et al. [CRYPTO ’91] One-Way Accumulators  Benaloh and de Mare [EUROCRYPT ’93]  Barić and Pfitzmann [EUROCRYPT ’93] Incremental Hashing  Bellare et al. [CRYPTO ’94] Homomorphic Signatures  Micali and Rivest [RSA ’02]  Johnson et al. [RSA ’02]

Mechanics of Homomorphic Hashing Discrete Log Hash Pick 1024-bit prime p and 256-bit prime q, q divides (p-1) Pick from 512 generators of order q : Write F as elements in F= 256-bit “fragment” 16K “block”

How to Encode (example) Standard LT-Codes: Homomorphic Scheme:

How To DLog Hash Hashes are elements in (128 bytes big) Hash reduces 16K block by a factor of 128

How To DLog Hash Hashes are elements in (128 bytes big) Hash reduces 16K block by a factor of 128  +1% overhead

DLog-Hash: Key Property Note that:

DLog-Hash: Key Property Note that: Goal achieved!

“This Seems Really Expensive” Operation on a 16K Block Throughput (kB/sec) DLog Hash39 Arrival on 1.5Mbps DSL190 SHA1 Hash57,600

Key Optimizations Hash Generation  Each publisher picks her own parameters,  compute with 1 exponentiation (not 512) Hash Verification  Receiver verifies hashes probabilistically and in batches. Bellare et al. [EUROCRYPT ’98]

Much Better Operation on a 16K Block Throughput (MB/sec) Naïve DLog Hash0.038 Per-publisher Generation Batch Verification7.620 Arrival on 1.5 Mbps DSL0.186 SHA1 Hash56.250

Homomorphic Hashing: Key Points + Key Algebraic Feature + Homomorphism: Receivers can compose hashes the way encoders sum file blocks. + Can check encoded blocks as they arrive. + Fast + Can be optimized to achieve good generation and verification throughputs + Provably Secure + As hard as discrete log (SHA1/MD5 not needed)

Conclusion Sources Can Multicast Clients Get Fast Downloads Clients Can Verify Blocks On-the-Fly

Thank you. Now accepting questions.