Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes - PowerPoint PPT Presentation

Title: Authenticated Communication and Computation in Fixed Topology Networks with a Trusted Authority. Author: Haowen Chan. Last modified by: Haowen Chan.

Slides: 49
Provided by: Haowe

1
Round-Efficient Broadcast Authentication
Protocols for Fixed Topology Classes
  • Haowen Chan, Adrian Perrig
  • Carnegie Mellon University

2
Talk Outline
  • Background / Motivation
  • Optimizations for the Path Topology
  • Summary of Other Results

3
Talk Outline
  • Background / Motivation
  • Optimizations for the Path Topology
  • Summary of Other Results

4
Multi-receiver Authentication in Sensor/Ad-hoc Networks
[Figure: sender S sends message M through a network of receivers R1-R8. Each receiver asks "Is M from S?" Yes: accept. No: drop.]
5
Authentication Methods
  • Signature: Sender S signs M using private key
      • Need support for public key crypto
  • Multi-receiver Message Authentication Codes
      • Additional O(n) overhead in message size
  • TESLA [Perrig et al., 2002]
      • Need time synchronization
  • Communication-Efficient with Minimal Assumptions
      • Guy Fawkes [Anderson et al., 1998]
      • Hash Tree-based [Chan, Perrig 2008]

6
Assumptions
  • Sender knows full network topology
  • Sender shares a unique symmetric key Ki with each
    receiver Ri

7
Hash Tree Based Broadcast
  • Construct a hash tree with MACs at the leaves
  • Idea: Adversary can't compute r for forged M
    since it does not know any of the MAC values of
    the legitimate nodes

[Figure: hash tree with root r and leaves labelled La, Lb, Lz. r acts as an authenticator for M.]
8
Receiver Verification
  • Given Message M, hash tree root vertex r
  • Receiver Ri verifies that is a leaf in hash
    tree with root r
  • Verification path: all siblings on path to root

[Figure: hash tree with root r, leaf Li, and vertices v1, v2, v3, v4, u1, u2, u3]
9
General Tree Topology: 3 Passes
  1. Sender broadcasts message M with hash tree root r
  2. Receivers reconstruct hash tree with leaves
  3. Verification paths disseminated

[Figure: tree topology with sender S and receivers R1-R5. Passes labelled "M, r", "Reconstruct hash tree" and "Disseminate verification paths".]
10
Talk Outline
  • Background / Motivation
  • Optimizations for the Path Topology
  • Summary of Other Results

11
Path Topology

[Figure: path topology S, R1, R2, R3, ..., Rn]
  • Common applications
      • Actual linear topologies (roadway, corridor)
      • Path from leaf to root in spanning tree
      • Along a routing path
  • 1 round: one interaction between neighbors
      • Message from S to Rn takes n rounds
  • Unoptimized: 3 passes, 3n rounds

12
Observation
  • Can start reconstructing the hash tree
    immediately upon receiving M
  • Piggy-back the two outgoing passes together
  • Achieve 2n rounds
      • Outgoing pass: left-siblings computed
      • Incoming pass: right-siblings computed

13-28
2n-Round Protocol
[Figure, animated over slides 13-28: hash tree with root r, internal vertices v1-v6 and leaves L1-L8, with sender S. Labels shown on each slide:]
  • 13: S precomputes the whole tree
  • 14: M,r
  • 15: M,r; L1
  • 16: M,r; v1
  • 17: M,r; v1,L3
  • 18: M,r; v5
  • 19: M,r; v5,L5
  • 20: M,r; v5,v3
  • 21: M,r; v5,v3,L7
  • 22: L8
  • 23: v4
  • 24: v4,L6
  • 25: v6
  • 26: v6,L4
  • 27: v2,v6
  • 28: v2,v6,L2
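
The 2n-round path protocol walked through on slides 13-28, as an added Python example that is not from the talk or the authors' code. Assumed here: leaves are HMAC-SHA256 of M under each Ki, internal vertices are SHA-256 of the two children, n is a power of two, and the names push, passes and verify_all are illustrative.

```python
import hashlib, hmac

def H(left, right):            # internal vertex (assumed: SHA-256 of left || right)
    return hashlib.sha256(left + right).digest()

def leaf(key, msg):            # leaf L_i (assumed: HMAC-SHA256 of M under K_i)
    return hmac.new(key, msg, hashlib.sha256).digest()

def push(frontier, node, from_left):
    """Add one leaf to a frontier {height: hash}, merging subtrees of equal height."""
    frontier, h = dict(frontier), 0        # copy: the caller keeps what it received
    while h in frontier:
        sib = frontier.pop(h)
        node = H(sib, node) if from_left else H(node, sib)
        h += 1
    frontier[h] = node
    return frontier

def sender_root(keys, msg):
    """S knows every K_i, so it can precompute the whole tree and its root r."""
    f = {}
    for k in keys:
        f = push(f, leaf(k, msg), True)
    (r,) = f.values()          # exactly one subtree remains when n is a power of two
    return r

def passes(keys, msg):
    """What each R_i receives: left siblings (outgoing pass), right siblings (incoming)."""
    n, f, g = len(keys), {}, {}
    left, right = [None] * n, [None] * n
    for i in range(n):                     # outgoing: S -> R1 -> ... -> Rn
        left[i], f = f, push(f, leaf(keys[i], msg), True)
    for i in reversed(range(n)):           # incoming: Rn -> ... -> R1
        right[i], g = g, push(g, leaf(keys[i], msg), False)
    return left, right

def verify_all(keys, msg, r):
    """Each R_i rebuilds the root from its own MAC plus its siblings and compares to r."""
    left, right = passes(keys, msg)
    ok = []
    for i, k in enumerate(keys):
        node = leaf(k, msg)
        for h in range(len(keys).bit_length() - 1):
            node = H(left[i][h], node) if h in left[i] else H(node, right[i][h])
        ok.append(hmac.compare_digest(node, r))
    return ok

if __name__ == "__main__":
    keys = [bytes([i]) * 16 for i in range(1, 9)]   # constructed keys K1..K8
    print(verify_all(keys, b"reading=42", sender_root(keys, b"reading=42")))
```

With eight receivers the outgoing pass hands R1..R8 frontiers of 0, 1, 1, 2, 1, 2, 2 and 3 hashes, the same counts as the labels L1; v1; v1,L3; v5; v5,L5; v5,v3; v5,v3,L7 on the slides.
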
29
Further Optimizations
[Figure: hash tree with root r, internal vertices v1-v6 and leaves L1-L8]
  • Computation of Node v6 causes delay
  • If Sender precomputes and sends v6
      • Nodes 1-4 can build verification paths
        independently of 5-8
      • Split apart the two subtrees


30-40
1.5n-Round Protocol
[Figure, animated over slides 30-40: the two subtrees under v5 and v6, internal vertices v1-v6 and leaves L1-L8, with sender S. Labels shown on each slide:]
  • 30: M,v5,v6
  • 31: M,v5,v6; L1
  • 32: M,v5,v6; v1
  • 33: M,v5,v6; v1,L3
  • 34: M,v6
  • 35: L4; M,v6; L5
  • 36: v2; M,v6; v3
  • 37: v2,L2; M,v6; v3,L7
  • 38: L8
  • 39: v4
  • 40: v4,L6
41
General Optimization
[Figure: the path split into successively smaller segments]
  • 1/2 n, 1/2 n: 1 1/2 n rounds
  • 1/2 n, 1/4 n, 1/4 n: 1 1/4 n rounds
  • 1/2 n, 1/4 n, 1/8 n, 1/8 n: 1 1/8 n rounds
42
n-Round Protocol
  • Break the receiver set into log n groups
  • Doubles communication overhead but halves the
    number of rounds
  • No protocol can be faster than this

43
Talk Outline
  • Background / Motivation
  • Optimizations for the Path Topology
  • Summary of Other Results

44
Guy Fawkes on the Path Topology
  • Optimization to reduce Guy Fawkes to 2n rounds
  • Reduce that to n rounds using the same
    divide-and-conquer technique

45
Round Complexity Lower Bounds
  • Any Signature-free Broadcast Authentication
    Protocol that completes in (2-r) log n rounds for
    0 < r 1 must have Ω(n^r) comm. overhead per node
  • Proven using a reduction to a known result for
    multi-receiver MACs
  • Protocols with polylog communication overhead
    must take 2 log n rounds or more

46
Tightness of the Bound
  • Optimization of protocols for fully connected
    topologies
  • Achieves 2 log n rounds with O(log^2 n)
    communication per node
  • No protocol with polylog per node communication
    overhead can take fewer rounds

47
Lower Bounds for Trees
  • Any Signature-free Broadcast Authentication
    Protocol that completes in (2.44-r) log n O(1)
    rounds in a tree topology must have Ω(n^r) comm.
    overhead per node
  • Strictly more than 2 passes are needed for trees
  • Known protocols are likely already optimal for
    trees

48
Thank You!
  • Haowen Chan
  • haowenchan_at_cmu.edu