Presentation is loading. Please wait.

Presentation is loading. Please wait.

Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1.

Published byJeffrey Hood Modified over 8 years ago

Similar presentations

Presentation on theme: "Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1."— Presentation transcript:

1 Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1

2 Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 2

3 Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 3

4 Multi-receiver Authentication in Sensor/Ad-hoc Networks 4 S R1R1 R4R4 R2R2 R3R3 R5R5 R6R6 R7R7 R8R8 M M M Is M from S ? Yes = accept No = drop Is M from S ? Yes = accept No = drop

5 Authentication Methods Signature: Sender S signs M using private key Need support for public key crypto Multi-receiver Message Authentication Codes Additional O(n) overhead in message size TESLA [Perrig et al, 2002] : Need time synchronization Communication-Efficient with Minimal Assumptions Guy Fawkes [Anderson et al. 1998] Hash Tree-based [Chan & Perrig 2008] 5

6 Assumptions Sender knows full network topology Sender shares a unique symmetric key K i with each receiver R i 6

7 Hash Tree Based Broadcast Construct a hash tree with MACs at the leaves Idea: Adversary can’t compute r for forged M’ since it does not know any of the MAC values of the legitimate nodes Hash Tree … LaLa LbLb LzLz r 7 r acts as an authenticator for M

8 Receiver Verification Given Message M, hash tree root vertex r Receiver R i verifies that is a leaf in hash tree with root r Verification path = all siblings on path to root 8 LiLi v1v1 u1u1 v2v2 u2u2 v3v3 u3u3 v4v4 r

9 General Tree Topology: 3 Passes 1.Sender broadcasts message M with hash tree root r 2.Receivers reconstruct hash tree with leaves 3.Verification paths disseminated 9 S R1R1 R5R5 R4R4 R2R2 R3R3 M, r Reconstruct hash tree Disseminate verification paths

10 Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 10

11 Path Topology Common applications Actual linear topologies (roadway, corridor) Path from leaf to root in spanning tree Along a routing path 1 round = one interaction between neighbors Message from S to R n takes n rounds Unoptimized: 3 passes = 3 n rounds 11 R1R1 R2R2 R3R3 RnRn S …

12 Observation Can start reconstructing the hash tree immediately upon receiving M “Piggy-back” the two outgoing passes together Achieve 2 n rounds Outgoing pass: left-siblings computed Incoming pass: right-siblings computed 12

13 2 n -Round Protocol 13 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r S precomputes the whole tree

14 2 n -Round Protocol 14 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r

15 2 n -Round Protocol 15 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r L1L1

16 2 n -Round Protocol 16 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v1v1

17 2 n -Round Protocol 17 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 1,L 3

18 2 n -Round Protocol 18 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v5v5

19 2 n -Round Protocol 19 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 5,L 5

20 2 n -Round Protocol 20 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 5,v 3

21 2 n -Round Protocol 21 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 5,v 3,L 7

22 2 n -Round Protocol 22 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r L8L8

23 2 n -Round Protocol 23 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v4v4

24 2 n -Round Protocol 24 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 4,L 6

25 2 n -Round Protocol 25 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v6v6

26 2 n -Round Protocol 26 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 6,L 4

27 2 n -Round Protocol 27 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 2,v 6

28 2 n -Round Protocol 28 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 2,v 6,L 2

29 Further Optimizations Computation of Node v 6 causes delay If Sender precomputes and sends v 6 Nodes 1-4 can build verification paths independently of 5-8 Split apart the two subtrees 29 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r

30 1.5n -Round Protocol 30 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6

31 1.5n -Round Protocol 31 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6 L1L1

32 1.5n -Round Protocol 32 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6 v1v1

33 1.5n -Round Protocol 33 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6 v 1, L 3

34 1.5n -Round Protocol 34 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6

35 1.5n -Round Protocol 35 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6 L5L5 L4L4

36 1.5n -Round Protocol 36 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6 v3v3 v2v2

37 1.5n -Round Protocol 37 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6 v 3, L 7 v 2, L 2

38 1.5n -Round Protocol 38 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 L8L8

39 1.5n -Round Protocol 39 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 v4v4

40 1.5n -Round Protocol 40 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 v 4,L 6

41 General Optimization 41 ½ n 1 1/2 n rounds ½ n 1/4 n 1 1/4 n rounds 1/4 n ½ n 1/4 n 1 1/8 n rounds 1/8 n

42 n -Round Protocol Break the receiver set into log n groups Doubles communication overhead but halves the number of rounds No protocol can be faster than this 42

43 Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 43

44 Guy Fawkes on the Path Topology Optimization to reduce Guy Fawkes to 2 n rounds Reduce that to n rounds using the same divide-and-conquer technique 44

45 Round Complexity Lower Bounds Any Signature-free Broadcast Authentication Protocol that completes in (2-  ) log n rounds for  must have  ( n  ) comm. overhead per node Proven using a reduction to a known result for multi-receiver MACs Protocols with polylog communication overhead must take 2 log n rounds or more 45

46 Tightness of the Bound Optimization of protocols for fully connected topologies Achieves 2 log n rounds with O( log 2 n ) communication per node No protocol with polylog per node communication overhead can take fewer rounds 46

47 Lower Bounds for Trees Any Signature-free Broadcast Authentication Protocol that completes in (2.44-  ) log n + O(1) rounds in a tree topology must have  ( n  ) comm. overhead per node Strictly more than 2 passes are needed for trees Known protocols are likely already optimal for trees 47

48 Thank You! Haowen Chan haowenchan@cmu.edu 48

Download ppt "Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1."

Similar presentations

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.

Giuseppe Bianchi Lecture 6.1: Extras: Merkle Trees.
Computer Networking A Top-Down Approach Chapter 4.7.

Computer Networking A Top-Down Approach Chapter 4.7.
Leader Election Let G = (V,E) define the network topology. Each process i has a variable L(i) that defines the leader.  i,j  V  i,j are non-faulty.

Leader Election Let G = (V,E) define the network topology. Each process i has a variable L(i) that defines the leader.  i,j  V  i,j are non-faulty.
Haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of.

Haowen chan  cmu Outline  The Secure Aggregation Problem  Algorithm Description  Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
An Efficient Scheme for Authenticating Public Keys in Sensor Networks Wenliang (Kevin) Du (Syracuse) Ronghua Wang (Syracuse) Peng Ning (North Carolina.

An Efficient Scheme for Authenticating Public Keys in Sensor Networks Wenliang (Kevin) Du (Syracuse) Ronghua Wang (Syracuse) Peng Ning (North Carolina.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.

SIA: Secure Information Aggregation in Sensor Networks Bartosz Przydatek, Dawn Song, Adrian Perrig Carnegie Mellon University Carl Hartung CSCI 7143: Secure.
IC-29 Security and Cooperation in Wireless Networks 1 Secure and Robust Aggregation in Sensor Networks Parisa Haghani Supervised by: Panos Papadimitratos.

IC-29 Security and Cooperation in Wireless Networks 1 Secure and Robust Aggregation in Sensor Networks Parisa Haghani Supervised by: Panos Papadimitratos.
1 Complexity of Network Synchronization Raeda Naamnieh.

1 Complexity of Network Synchronization Raeda Naamnieh.
Efficiently Authenticating Code Images in Dynamically Reprogrammed Wireless Sensor Networks PerSec 2006 Speaker: Prof. Rick Han Coauthors Jing Deng and.

Efficiently Authenticating Code Images in Dynamically Reprogrammed Wireless Sensor Networks PerSec 2006 Speaker: Prof. Rick Han Coauthors Jing Deng and.
Security Issues In Sensor Networks By Priya Palanivelu.

Security Issues In Sensor Networks By Priya Palanivelu.
Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun Hu (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University)

Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks Yih-Chun Hu (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University)
Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring 2009 1 Principles of Reliable Distributed Systems Lecture 6: Synchronous Byzantine.

Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 6: Synchronous Byzantine.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.

Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.
Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit

Sencun Zhu Sanjeev Setia Sushil Jajodia Presented by: Harel Carmit

Similar presentations

Ads by Google