Download presentation
Presentation is loading. Please wait.
1
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.
2
Signing streams Stream: sequence of packets Signature: authenticity, non-repudiation E.g: Internet radio station Efficiency Cost of computation (real-time) Communication overhead Robustness Packet loss (UDP)
3
Outline 1. Existing solutions and their limitations Efficient signatures Amortized signatures 2. Our proposal Construction Optimality applications
4
Sign each Sign each packet (RSA, DSA,…) “Optimal” solution: Immediate authentication Packets individually verifiable Unpractical: Computational load too high. Maximum: 100 signatures / second 1 digital signature = 100 hashes 1234 AliceBob
5
Optimization Numerous tricks Small exponent (faster verification) Chinese Remainder Theorem (divide and conquer multiplications) Precomputations (time/memory trade-off) Gain: factor of 2. Incremental verification Variable level of security Signature very large
6
Hash 12 Hash(2) Digital signature Collision-resistant hash function h: Given h(x), hard to find y such that h(x)=h(y) Example: MD5, SHA-1 Verify the signature on Packet 1. This also authenticates Packet 2.
7
Hash chain (Gennaro, Rohatgi) Sender processes the stream backwards Append the hash of P i+1 to P i Sign only the first packet Extremely efficient: 1 hash computation / packet Overhead: 20 bytes / packet Problems: Offline case only Packet loss 1234 AliceBob h(2) h(3)h(4) …
8
One-time Signatures: generation One-time signature scheme: Choose a one-way function f: D->D and 168 elements {a i } of D. Private signing key: family {a i } Public verification key: family {f(a i )} To sign a message M: Hash: h(M) = b 1 b 2 b 3 …………b 160 (in binary) Append to h(M) the number of 0 in h(M): b 1 b 2 b 3 …………b 160 b 161 b 162 …………b 168 Signature: s 0 s 1 s 2 …………s 168 where: S i = a i if b i = 0, otherwise S i = f(a i )
9
OTS: verification To verify a signature s 0 s 1 s 2 …………s 168 on M: Hash M Append to h(M) the number of 0 in h(M): b 1 b 2 b 3 …………b 160 b 161 b 162 …………b 168 Verify that f(S i )= f(a i ) if b i = 0, otherwise S i = f(a i ) OTS are secure: Can’t flip a 1 to a 0 Can’t flip a 0 to a 1
10
OTS: efficiency Fast compared to digital signatures : Verify: as fast as RSA with small exponent Sign: twice as fast as DSA Can be used only once Very large: 1000 bytes
11
OTS chain (Gennaro, Rohatgi) Packet P i contains the public-key to sign P i+1 Faster than “sign each” for online streams Limitations: Overhead: 1000 bytes / packet Issue of packet loss 1234 AliceBob K(2) K(3)K(4)
12
OTS: optimization Size of OTS proportional to the number of bits of the quantity being signed. MD5: 128 bits, SHA-1: 160 bits Use shorter output? Family of hash functions: 2^40 80-bit hash functions Cost of birthday attack: 2^80 Total output length: 120 bits
13
Packet groups (Wong & Lam) Sender: Packet 3 is sent as: Receiver: same in reverse 134562 h(1) Sign hash 3 24561
14
Packet groups: efficiency Trade-off: Efficiency: many packets / group Communication overhead: few packets / group
15
Packet groups: Tree Sender: Packet 3 is sent as: Receiver: same in reverse 134562 Sign 3 78
16
Motivations Communication overhead: USER_DATA section (MPEG video and audio) Watermarking Open parallel connection Existing solutions Resistant to worst-case packet loss Space / time trade-off We propose: Resistant to average loss New trade-off: efficiency and authentication speed
17
Model Random loss Bursts (UDP) Maximize length of single worst-case burst Sender Packet buffer (size p) Hash buffer (size h) Receiver Packet buffer Hash buffer Overhead: m: maximum number of hashes / packet
18
Simple case: no packet buffering Chain of strength a: the hash of packet P i is appended to two other packets: P i+1 and P i+a Only the last packet is signed. Algorithm for generation and verification of the sequence 1345672 Example: chain of strength 3
19
Characteristics of a chain Sender: Buffers 1 packet Stores a hashes Receiver Buffer OK: 1 hash Buffer loss: 2 hashes Resistance to loss B = a-1 (optimal) Avg(B) = a-1
20
Generic Construction (p>1) p=2: one new packet: 1345672 Example: augmented chain of strength 3
21
Generalization Sender buffers: p packets h hashes Start with a chain of strength (h-p) Insert (p-1) new packets in-between with the extremity property. 1913175 234 101112 678 141516
22
Insertion 1 Very simple to implement Optimally resistant to loss But: m grows linearly with p
23
Insertion 2 Constant m Recursive embedding AB21 AB21
24
Characteristics Sender Buffers p packets Hash buffer of size h = a+p Receiver Buffer OK: (p+3)/2 Buffer loss: 2 + (p+3)/2 Resistance to loss: B=p(a-1) (optimal) fast recovery B = p (h-p)
25
Comparison with other schemes SchemeSignaturehashOverhead (bytes) lossverification WL star 117340anyimmediate WL tree 121160anyimmediate LW tree full 131120anyimmediate Chains 11643burstsdelayed
26
Alternate models Hash buffer of average capacity Average burst Recall B = p (h-p) Average hash: B = p(h-p/2) Average burst: B = p.h
27
Offline stream authentication Offline stream entirely known to sender signed only once Solution: hash chain Resistance to loss use augmented chains efficiency concern: receiver
28
Insertion 3 Focus: reduce Buffer OK Buffer Loss = Buffer OK + constant Consider forward edges are never taken.
29
Conclusion Efficient and flexible authentication scheme. Strength: resistance to random loss (bursts) Implemented as plug-in to Real Audio Player
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.