Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.


Page 2

Signing streams
  • Stream: sequence of packets
  • Signature: authenticity, non-repudiation
  • E.g.: Internet radio station
  • Efficiency
      • Cost of computation (real-time)
      • Communication overhead
  • Robustness
      • Packet loss (UDP)

Page 3

Outline
  1. Existing solutions and their limitations
      • Efficient signatures
      • Amortized signatures
  2. Our proposal
      • Construction
      • Optimality
      • Applications

Page 4

Sign each
  • Sign each packet (RSA, DSA, …)
  • “Optimal” solution:
      • Immediate authentication
      • Packets individually verifiable
  • Impractical: computational load too high.
      • Maximum: 100 signatures / second
      • 1 digital signature = 100 hashes

[Figure: packets 1, 2, 3, 4 sent from Alice to Bob]

Page 5

Optimization
  • Numerous tricks
      • Small exponent (faster verification)
      • Chinese Remainder Theorem (divide and conquer multiplications)
      • Precomputations (time/memory trade-off)
  • Gain: factor of 2.
  • Incremental verification
  • Variable level of security
  • Signature very large

Page 6

Hash

[Figure: packets 1 and 2, with labels Hash(2) and Digital signature]

  • Collision-resistant hash function h: given h(x), hard to find y such that h(x) = h(y). Examples: MD5, SHA-1
  • Verify the signature on Packet 1.
  • This also authenticates Packet 2.

Page 7

Hash chain (Gennaro, Rohatgi)
  • Sender processes the stream backwards
  • Append the hash of P_{i+1} to P_i
  • Sign only the first packet
  • Extremely efficient:
      • 1 hash computation / packet
      • Overhead: 20 bytes / packet
  • Problems:
      • Offline case only
      • Packet loss

[Figure: packets 1, 2, 3, 4 sent from Alice to Bob, with h(2), h(3), h(4) attached]
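Added example, not from the original slides: the hash chain above built backwards over a whole stream, and a receiver that stops authenticating at the first lost or altered packet. Assumptions of this example: SHA-1 as h, a zero-filled hash field on the last packet, the function names, and the signature on the first packet modelled as h(P_1) reaching the receiver authentically.

```python
import hashlib

H = 20  # SHA-1 output size: the 20 bytes of overhead per packet

def build_hash_chain(payloads):
    """Sender: process the stream backwards, appending h(P_{i+1}) to P_i."""
    packets, next_digest = [], bytes(H)   # the last packet has no successor
    for payload in reversed(payloads):
        packet = payload + next_digest
        packets.append(packet)
        next_digest = hashlib.sha1(packet).digest()
    packets.reverse()
    # next_digest is now h(P_1), the only value the sender has to sign.
    return packets, next_digest

def verify_stream(received, signed_digest):
    """Receiver: 'received' is in send order, None marks a lost packet.
    Returns the payloads authenticated before the chain breaks."""
    expected, authenticated = signed_digest, []
    for packet in received:
        if packet is None or hashlib.sha1(packet).digest() != expected:
            break  # nothing after this point has a trusted hash any more
        authenticated.append(packet[:-H])
        expected = packet[-H:]  # hash of the next packet, now trusted
    return authenticated

if __name__ == "__main__":
    # Constructed sample stream.
    packets, signed = build_hash_chain([b"pkt1", b"pkt2", b"pkt3", b"pkt4"])
    print(verify_stream(packets, signed))
    print(verify_stream([packets[0], None] + packets[2:], signed))
```

Losing packet 2 leaves packets 3 and 4 unverifiable even though they arrived intact, which is the packet-loss problem listed on the slide.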

Page 8

One-time signatures: generation
  • One-time signature scheme:
      • Choose a one-way function f: D -> D and 168 elements {a_i} of D.
      • Private signing key: family {a_i}
      • Public verification key: family {f(a_i)}
  • To sign a message M:
      • Hash: h(M) = b_1 b_2 b_3 … b_160 (in binary)
      • Append to h(M) the number of 0s in h(M):
        b_1 b_2 b_3 … b_160 b_161 b_162 … b_168
      • Signature: s_0 s_1 s_2 … s_168 where:
        s_i = a_i if b_i = 0, otherwise s_i = f(a_i)

Page 9

OTS: verification
  • To verify a signature s_0 s_1 s_2 … s_168 on M:
      • Hash M
      • Append to h(M) the number of 0s in h(M):
        b_1 b_2 b_3 … b_160 b_161 b_162 … b_168
      • Verify that f(s_i) = f(a_i) if b_i = 0, otherwise s_i = f(a_i)
  • OTS are secure:
      • Can’t flip a 1 to a 0
      • Can’t flip a 0 to a 1
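Added example, not from the original slides: the one-time signature of the two slides above (key generation, signing, verification), plus a check of why the appended count of zeros blocks forgery. Assumptions of this example: SHA-1 as h, SHA-256 on 32-byte strings as the one-way function f, 168 signature elements, and all function names.

```python
import hashlib
import os

N_HASH, N_SUM = 160, 8   # 160 hash bits plus an 8-bit count of zeros = 168

def f(x):
    # One-way function f: D -> D (SHA-256 is this example's choice).
    return hashlib.sha256(x).digest()

def with_checksum(hash_bits):
    # Append the number of 0 bits in the hash, written as 8 binary digits.
    zeros = hash_bits.count(0)
    return hash_bits + [(zeros >> (N_SUM - 1 - i)) & 1 for i in range(N_SUM)]

def message_bits(message):
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return with_checksum([(digest >> (N_HASH - 1 - i)) & 1 for i in range(N_HASH)])

def keygen():
    private = [os.urandom(32) for _ in range(N_HASH + N_SUM)]
    return private, [f(a) for a in private]

def sign(private, message):
    # Bit 0 reveals the secret a_i; bit 1 reveals only f(a_i).
    return [a if b == 0 else f(a) for a, b in zip(private, message_bits(message))]

def verify(public, message, signature):
    if len(signature) != len(public):
        return False
    return all((f(s) if b == 0 else s) == pk
               for s, b, pk in zip(signature, message_bits(message), public))

def derivable(signed_bits, target_bits):
    # From one signature an attacker can turn a_i into f(a_i) (0 -> 1) but
    # cannot invert f (1 -> 0): a forgery needs a 0 in the signed bits
    # wherever the target bits have a 0.
    return all(s == 0 for s, t in zip(signed_bits, target_bits) if t == 0)
```

Turning a 0 into a 1 in the hash part lowers the count of zeros, so at least one checksum bit would have to go from 1 to 0; `derivable` returns False once the checksum is included.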

Page 10

OTS: efficiency
  • Fast compared to digital signatures:
      • Verify: as fast as RSA with small exponent
      • Sign: twice as fast as DSA
  • Can be used only once
  • Very large: 1000 bytes

Page 11

OTS chain (Gennaro, Rohatgi)
  • Packet P_i contains the public key to sign P_{i+1}
  • Faster than “sign each” for online streams
  • Limitations:
      • Overhead: 1000 bytes / packet
      • Issue of packet loss

[Figure: packets 1, 2, 3, 4 sent from Alice to Bob, with K(2), K(3), K(4) attached]

Page 12

OTS: optimization
  • Size of OTS proportional to the number of bits of the quantity being signed.
      • MD5: 128 bits, SHA-1: 160 bits
  • Use shorter output?
  • Family of hash functions:
      • 2^40 80-bit hash functions
      • Cost of birthday attack: 2^80
      • Total output length: 120 bits

Page 13

Packet groups (Wong & Lam)
  • Sender: [Figure: packets 1, 2, 3, 4, 5, 6; labels h(1), hash, Sign]
  • Packet 3 is sent as: [Figure: 3 followed by 2, 4, 5, 6, 1]
  • Receiver: same in reverse

Page 14

Packet groups: efficiency
  • Trade-off:
      • Efficiency: many packets / group
      • Communication overhead: few packets / group

Page 15

Packet groups: Tree
  • Sender: [Figure: packets 1, 2, 3, 4, 5, 6, 7, 8; label Sign]
  • Packet 3 is sent as: [Figure: packet 3]
  • Receiver: same in reverse

Page 16

Motivations
  • Communication overhead:
      • USER_DATA section (MPEG video and audio)
      • Watermarking
      • Open parallel connection
  • Existing solutions
      • Resistant to worst-case packet loss
      • Space / time trade-off
  • We propose:
      • Resistant to average loss
      • New trade-off: efficiency and authentication speed

Page 17

Model
  • Random loss
      • Bursts (UDP)
      • Maximize length of single worst-case burst
  • Sender
      • Packet buffer (size p)
      • Hash buffer (size h)
  • Receiver
      • Packet buffer
      • Hash buffer
  • Overhead:
      • m: maximum number of hashes / packet

Page 18

Simple case: no packet buffering
  • Chain of strength a: the hash of packet P_i is appended to two other packets: P_{i+1} and P_{i+a}
  • Only the last packet is signed.
  • Algorithm for generation and verification of the sequence

[Figure: packets 1, 2, 3, 4, 5, 6, 7. Example: chain of strength 3]

Page 19

Characteristics of a chain
  • Sender:
      • Buffers 1 packet
      • Stores a hashes
  • Receiver
      • Buffer OK: 1 hash
      • Buffer loss: 2 hashes
  • Resistance to loss
      • B = a-1 (optimal)
      • Avg(B) = a-1
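Added example, not from the original slides: a chain of strength a as defined on the two slides above, with a receiver that works back from the signed last packet, used to check B = a-1 on a constructed stream. Assumptions of this example: 0-based packet indexes, SHA-1 as the hash, zero-filled hash slots at the start of the stream, all function names, and the signature on the last packet modelled as its hash reaching the receiver authentically.

```python
import hashlib

H = 20            # bytes per SHA-1 hash
ZERO = bytes(H)   # filler where P_{i-1} or P_{i-a} does not exist

def build_strength_chain(payloads, a):
    """Sender: packet i = payload || h(P_{i-1}) || h(P_{i-a}), so the hash of
    P_i is appended to P_{i+1} and P_{i+a}. Requires a >= 2."""
    packets, digests = [], []
    for i, payload in enumerate(payloads):
        prev = digests[i - 1] if i >= 1 else ZERO
        far = digests[i - a] if i >= a else ZERO
        packets.append(payload + prev + far)
        digests.append(hashlib.sha1(packets[i]).digest())
    return packets, digests[-1]   # only h(last packet) gets signed

def authenticate(received, a, signed_digest):
    """Receiver: 'received' is in send order, None marks a lost packet.
    Returns the indexes of packets whose hash is reachable from the signature."""
    trusted = {len(received) - 1: signed_digest}
    ok = set()
    for i in range(len(received) - 1, -1, -1):
        pkt = received[i]
        if pkt is None or hashlib.sha1(pkt).digest() != trusted.get(i):
            continue   # lost, altered, or no authenticated packet vouches for it
        ok.add(i)
        if i >= 1:
            trusted.setdefault(i - 1, pkt[-2 * H:-H])
        if i >= a:
            trusted.setdefault(i - a, pkt[-H:])
    return ok

def survives_burst(n, a, start, length):
    """True if every packet outside the burst [start, start+length) still
    authenticates. Packets within a of the end have only one in-range link,
    and losing the signed packet itself leaves nothing verifiable."""
    packets, sig = build_strength_chain([b"payload %d" % i for i in range(n)], a)
    received = [None if start <= i < start + length else p
                for i, p in enumerate(packets)]
    arrived = {i for i, p in enumerate(received) if p is not None}
    return authenticate(received, a, sig) == arrived
```

For a = 3, a burst of two packets in mid-stream leaves every other packet verifiable, while a burst of three cuts off everything sent before it.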

Page 20

Generic Construction (p>1)
  • p=2: one new packet:

[Figure: packets 1, 2, 3, 4, 5, 6, 7. Example: augmented chain of strength 3]

Page 21

Generalization
  • Sender buffers:
      • p packets
      • h hashes
  • Start with a chain of strength (h-p)
  • Insert (p-1) new packets in-between with the extremity property.

[Figure: packets 1 to 17]

Page 22

Insertion 1
  • Very simple to implement
  • Optimally resistant to loss
  • But: m grows linearly with p

Page 23

Insertion 2
  • Constant m
  • Recursive embedding

[Figure: labels A, B, 1, 2, shown twice]

Page 24

Characteristics
  • Sender
      • Buffers p packets
      • Hash buffer of size h = a+p
  • Receiver
      • Buffer OK: (p+3)/2
      • Buffer loss: 2 + (p+3)/2
  • Resistance to loss:
      • B = p(a-1) (optimal)
      • fast recovery
      • B = p(h-p)

Page 25

Comparison with other schemes

Scheme          Signature   Hash   Overhead (bytes)   Loss     Verification
WL star         1           17     340                any      immediate
WL tree         1           21     160                any      immediate
LW tree full    1           31     120                any      immediate
Chains          1           16     43                 bursts   delayed

Page 26

Alternate models
  • Hash buffer of average capacity
  • Average burst
  • Recall B = p(h-p)
  • Average hash: B = p(h-p/2)
  • Average burst: B = p·h

Page 27

Offline stream authentication
  • Offline stream
      • entirely known to sender
      • signed only once
  • Solution: hash chain
  • Resistance to loss
      • use augmented chains
      • efficiency concern: receiver

Page 28

Insertion 3
  • Focus: reduce BufferOK
  • BufferLoss = BufferOK + constant
  • Consider forward edges are never taken.

Page 29

Conclusion

Efficient and flexible authentication scheme.

Strength: resistance to random loss (bursts)

Implemented as plug-in to Real Audio Player