Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Similar presentations


Presentation on theme: "Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University."— Presentation transcript:

1 Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

2 Signing streams Stream: sequence of packets Signature: authenticity, non-repudiation E.g: Internet radio station Efficiency Cost of computation (real-time) Communication overhead Robustness Packet loss (UDP)

3 Outline 1. Existing solutions and their limitations Efficient signatures Amortized signatures 2. Our proposal Construction Optimality applications

4 Sign each Sign each packet (RSA, DSA,…) “Optimal” solution: Immediate authentication Packets individually verifiable Unpractical: Computational load too high. Maximum: 100 signatures / second 1 digital signature = 100 hashes 1234 AliceBob

5 Optimization Numerous tricks Small exponent (faster verification) Chinese Remainder Theorem (divide and conquer multiplications) Precomputations (time/memory trade-off) Gain: factor of 2. Incremental verification Variable level of security Signature very large

6 Hash 12 Hash(2) Digital signature Collision-resistant hash function h: Given h(x), hard to find y such that h(x)=h(y) Example: MD5, SHA-1 Verify the signature on Packet 1. This also authenticates Packet 2.

7 Hash chain (Gennaro, Rohatgi) Sender processes the stream backwards Append the hash of P i+1 to P i Sign only the first packet Extremely efficient: 1 hash computation / packet Overhead: 20 bytes / packet Problems: Offline case only Packet loss 1234 AliceBob h(2) h(3)h(4) …

8 One-time Signatures: generation One-time signature scheme: Choose a one-way function f: D->D and 168 elements {a i } of D. Private signing key: family {a i } Public verification key: family {f(a i )} To sign a message M: Hash: h(M) = b 1 b 2 b 3 …………b 160 (in binary) Append to h(M) the number of 0 in h(M): b 1 b 2 b 3 …………b 160 b 161 b 162 …………b 168 Signature: s 0 s 1 s 2 …………s 168 where: S i = a i if b i = 0, otherwise S i = f(a i )

9 OTS: verification To verify a signature s 0 s 1 s 2 …………s 168 on M: Hash M Append to h(M) the number of 0 in h(M): b 1 b 2 b 3 …………b 160 b 161 b 162 …………b 168 Verify that f(S i )= f(a i ) if b i = 0, otherwise S i = f(a i ) OTS are secure: Can’t flip a 1 to a 0 Can’t flip a 0 to a 1

10 OTS: efficiency Fast compared to digital signatures : Verify: as fast as RSA with small exponent Sign: twice as fast as DSA Can be used only once Very large: 1000 bytes

11 OTS chain (Gennaro, Rohatgi) Packet P i contains the public-key to sign P i+1 Faster than “sign each” for online streams Limitations: Overhead: 1000 bytes / packet Issue of packet loss 1234 AliceBob K(2) K(3)K(4)

12 OTS: optimization Size of OTS proportional to the number of bits of the quantity being signed. MD5: 128 bits, SHA-1: 160 bits Use shorter output? Family of hash functions: 2^40 80-bit hash functions Cost of birthday attack: 2^80 Total output length: 120 bits

13 Packet groups (Wong & Lam) Sender: Packet 3 is sent as: Receiver: same in reverse 134562 h(1) Sign hash 3 24561

14 Packet groups: efficiency Trade-off: Efficiency: many packets / group Communication overhead: few packets / group

15 Packet groups: Tree Sender: Packet 3 is sent as: Receiver: same in reverse 134562 Sign 3 78

16 Motivations Communication overhead: USER_DATA section (MPEG video and audio) Watermarking Open parallel connection Existing solutions Resistant to worst-case packet loss Space / time trade-off We propose: Resistant to average loss New trade-off: efficiency and authentication speed

17 Model Random loss Bursts (UDP) Maximize length of single worst-case burst Sender Packet buffer (size p) Hash buffer (size h) Receiver Packet buffer Hash buffer Overhead: m: maximum number of hashes / packet

18 Simple case: no packet buffering Chain of strength a: the hash of packet P i is appended to two other packets: P i+1 and P i+a Only the last packet is signed. Algorithm for generation and verification of the sequence 1345672 Example: chain of strength 3

19 Characteristics of a chain Sender: Buffers 1 packet Stores a hashes Receiver Buffer OK: 1 hash Buffer loss: 2 hashes Resistance to loss B = a-1 (optimal) Avg(B) = a-1

20 Generic Construction (p>1) p=2: one new packet: 1345672 Example: augmented chain of strength 3

21 Generalization Sender buffers: p packets h hashes Start with a chain of strength (h-p) Insert (p-1) new packets in-between with the extremity property. 1913175 234 101112 678 141516

22 Insertion 1 Very simple to implement Optimally resistant to loss But: m grows linearly with p

23 Insertion 2 Constant m Recursive embedding AB21 AB21

24 Characteristics Sender Buffers p packets Hash buffer of size h = a+p Receiver Buffer OK: (p+3)/2 Buffer loss: 2 + (p+3)/2 Resistance to loss: B=p(a-1) (optimal) fast recovery B = p (h-p)

25 Comparison with other schemes SchemeSignaturehashOverhead (bytes) lossverification WL star 117340anyimmediate WL tree 121160anyimmediate LW tree full 131120anyimmediate Chains 11643burstsdelayed

26 Alternate models Hash buffer of average capacity Average burst Recall B = p (h-p) Average hash: B = p(h-p/2) Average burst: B = p.h

27 Offline stream authentication Offline stream entirely known to sender signed only once Solution: hash chain Resistance to loss use augmented chains efficiency concern: receiver

28 Insertion 3 Focus: reduce Buffer OK Buffer Loss = Buffer OK + constant Consider forward edges are never taken.

29 Conclusion Efficient and flexible authentication scheme. Strength: resistance to random loss (bursts) Implemented as plug-in to Real Audio Player


Download ppt "Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University."

Similar presentations


Ads by Google