View
216
Download
3
Tags:
Embed Size (px)
Citation preview
Authenticating streamed data in the presence of
random packet loss
March 17th, 2000.
Philippe Golle,Stanford University.
Signing streams Stream: sequence of packets Signature: authenticity, non-repudiation E.g: Internet radio station Efficiency
• Cost of computation (real-time)• Communication overhead
Robustness• Packet loss (UDP)
Outline
1. Existing solutions and their limitations
Efficient signatures Amortized signatures
2. Our proposal Construction Optimality applications
Sign each
Sign each packet (RSA, DSA,…) “Optimal” solution:
Immediate authentication Packets individually verifiable
Unpractical: Computational load too high. Maximum: 100 signatures / second 1 digital signature = 100 hashes
1 2 3 4 AliceBob
Optimization Numerous tricks
Small exponent (faster verification) Chinese Remainder Theorem (divide and conquer
multiplications) Precomputations (time/memory trade-off)
Gain: factor of 2.
Incremental verification Variable level of security Signature very large
Hash
1 2
Hash(2)
Digital signature
•Collision-resistant hash function h:Given h(x), hard to find y such that h(x)=h(y)Example: MD5, SHA-1
•Verify the signature on Packet 1.•This also authenticates Packet 2.
Hash chain (Gennaro, Rohatgi)
Sender processes the stream backwards Append the hash of Pi+1 to Pi
Sign only the first packet Extremely efficient:
1 hash computation / packet Overhead: 20 bytes / packet
Problems: Offline case only Packet loss
1 2 3 4 AliceBob
h(2) h(3) h(4)
…
One-time Signatures: generation One-time signature scheme:
Choose a one-way function f: D->D and 168 elements {ai} of D.
Private signing key: family {ai} Public verification key: family {f(ai)}
To sign a message M: Hash: h(M) = b1b2b3…………b160 (in binary) Append to h(M) the number of 0 in h(M):
b1b2b3…………b160 b161b162…………b168
Signature: s0s1s2…………s168 where:
Si = ai if bi = 0 , otherwise Si = f(ai)
OTS: verification
To verify a signature s0s1s2…………s168 on M: Hash M Append to h(M) the number of 0 in h(M):
b1b2b3…………b160 b161b162…………b168
Verify that f(Si)= f(ai) if bi = 0 , otherwise Si = f(ai)
OTS are secure: Can’t flip a 1 to a 0 Can’t flip a 0 to a 1
OTS: efficiency Fast compared to digital signatures:
Verify: as fast as RSA with small exponent Sign: twice as fast as DSA
Can be used only once Very large: 1000 bytes
OTS chain (Gennaro, Rohatgi)
Packet Pi contains the public-key to sign Pi+1 Faster than “sign each” for online streams Limitations:
Overhead: 1000 bytes / packet Issue of packet loss
1 2 3 4 AliceBob
K(2) K(3) K(4)
OTS: optimization Size of OTS proportional to the number of bits of
the quantity being signed. MD5: 128 bits, SHA-1: 160 bits
Use shorter output?
Family of hash functions: 2^40 80-bit hash functions Cost of birthday attack: 2^80 Total output length: 120 bits
Packet groups (Wong & Lam)
Sender:
Packet 3 is sent as:
Receiver: same in reverse
1 3 4 5 62
h(1)
Sign
hash
3 24561
Packet groups: efficiency Trade-off:
Efficiency: many packets / group Communication overhead: few packets / group
Packet groups: Tree
Sender:
Packet 3 is sent as:
Receiver: same in reverse
1 3 4 5 62
Sign
3
7 8
Motivations Communication overhead:
USER_DATA section (MPEG video and audio) Watermarking Open parallel connection
Existing solutions Resistant to worst-case packet loss Space / time trade-off
We propose: Resistant to average loss New trade-off: efficiency and authentication speed
Model Random loss
Bursts (UDP) Maximize length of single worst-case burst
Sender Packet buffer (size p) Hash buffer (size h)
Receiver Packet buffer Hash buffer
Overhead: m: maximum number of hashes / packet
Simple case: no packet buffering
Chain of strength a: the hash of packet Pi is appended to two other packets: Pi+1 and Pi+a
Only the last packet is signed.
Algorithm for generation and verification of the sequence
1 3 4 5 6 72
Example: chain of strength 3
Characteristics of a chain
Sender: Buffers 1 packet Stores a hashes
Receiver Buffer OK: 1 hash Buffer loss: 2 hashes
Resistance to loss B = a-1 (optimal) Avg(B) = a-1
Generic Construction (p>1)
p=2: one new packet:
1 3 4 5 6 72
Example: augmented chain of strength 3
Generalization Sender buffers:
p packets h hashes
Start with a chain of strength (h-p) Insert (p-1) new packets in-between with the
extremity property.
1 9 13 1752 3 4 10 11 126 7 8 14 15 16
Insertion 1
Very simple to implement Optimally resistant to loss But: m grows linearly with p
Insertion 2
Constant m
Recursive embedding
A B21
A B21
Characteristics Sender
Buffers p packets Hash buffer of size h = a+p
Receiver Buffer OK: (p+3)/2 Buffer loss: 2 + (p+3)/2
Resistance to loss: B=p(a-1) (optimal) fast recovery B = p (h-p)
Comparison with other schemes
Scheme Signature hash Overhead (bytes)
loss verification
WL star 1 17 340 any immediate
WL tree 1 21 160 any immediate
LW tree full
1 31 120 any immediate
Chains 1 16 43 bursts delayed
Alternate models Hash buffer of average capacity Average burst
Recall B = p (h-p) Average hash: B = p(h-p/2) Average burst: B = p.h
Offline stream authentication
Offline stream entirely known to sender signed only once
Solution: hash chain Resistance to loss
use augmented chains efficiency concern: receiver
Insertion 3 Focus: reduce BufferOK
BufferLoss = BufferOK + constant
Consider forward edges are never taken.
Conclusion
Efficient and flexible authentication scheme.
Strength: resistance to random loss (bursts)
Implemented as plug-in to Real Audio Player