1 / 48

Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes

Explore multi-receiver authentication in network topologies, hash tree-based broadcast, sender-receiver interactions, and optimization strategies. Talk covers path topologies, protocols, and efficient round strategies in broadcast authentication. Carnegie Mellon University's Haowen Chan and Adrian Perrig outline protocols and motivations for secure network communication.

cchancellor
Download Presentation

Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University

  2. Talk Outline • Background / Motivation • Optimizations for the Path Topology • Summary of Other Results

  3. Talk Outline • Background / Motivation • Optimizations for the Path Topology • Summary of Other Results

  4. Multi-receiver Authentication in Sensor/Ad-hoc Networks S M R1 M R4 R8 R2 M R3 R5 R7 Is M from S? Yes = accept No = drop R6

  5. Authentication Methods • Signature: Sender S signs M using private key • Need support for public key crypto • Multi-receiver Message Authentication Codes • Additional O(n) overhead in message size • TESLA [Perrig et al, 2002]: • Need time synchronization • Communication-Efficient with Minimal Assumptions • Guy Fawkes [Anderson et al. 1998] • Hash Tree-based [Chan & Perrig 2008]

  6. Assumptions • Sender knows full network topology • Sender shares a unique symmetric key Ki with each receiver Ri

  7. Hash Tree Based Broadcast • Construct a hash tree with MACs at the leaves • Idea: Adversary can’t compute r for forged M’ since it does not know any of the MAC values of the legitimate nodes r r acts as an authenticator for M Hash Tree … Lz La Lb

  8. Receiver Verification r • Given Message M, hash tree root vertex r • Receiver Ri verifies that is a leaf in hash tree with root r • Verification path = all siblings on path to root v4 u3 v3 u2 v2 u1 Li v1

  9. General Tree Topology: 3 Passes • Sender broadcasts message M with hash tree root r • Receivers reconstruct hash treewith leaves • Verification paths disseminated Disseminate verification paths S M, r Reconstruct hash tree R1 R5 R2 R4 R3

  10. Talk Outline • Background / Motivation • Optimizations for the Path Topology • Summary of Other Results

  11. Path Topology … S R1 R2 R3 Rn • Common applications • Actual linear topologies (roadway, corridor) • Path from leaf to root in spanning tree • Along a routing path • 1 round = one interaction between neighbors • Message from Sto Rn takes n rounds • Unoptimized: 3 passes = 3n rounds

  12. Observation • Can start reconstructing the hash tree immediately upon receiving M • “Piggy-back” the two outgoing passes together • Achieve 2n rounds • Outgoing pass: left-siblings computed • Incoming pass: right-siblings computed

  13. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S S precomputes the whole tree

  14. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r

  15. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r L1

  16. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r v1

  17. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r v1,L3

  18. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r v5

  19. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r v5,L5

  20. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r v5,v3

  21. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R1 R7 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S M,r v5,v3,L7

  22. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S L8

  23. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S v4

  24. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S v4,L6

  25. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S v6

  26. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S v6 ,L4

  27. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S v2 ,v6

  28. 2n-Round Protocol r v5 v6 v1 v2 v3 v4 R6 R2 R7 R1 R5 R4 R3 R8 L1 L2 L3 L4 L5 L6 L7 L8 S v2 ,v6 ,L2

  29. Further Optimizations r • Computation of Node v6 causes delay • If Sender precomputes and sends v6 • Nodes 1-4 can build verification paths independently of 5-8 • Split apart the two subtrees v5 v6 v1 v2 v3 v4 L1 L2 L3 L4 L5 L6 L7 L8

  30. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S M,v5,v6

  31. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S M,v5,v6 L1

  32. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S M,v5,v6 v1

  33. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S M,v5,v6 v1, L3

  34. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S M,v6

  35. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R6 R7 R8 R1 R4 R3 R2 R5 L1 L2 L3 L4 L5 L6 L7 L8 S L4 M,v6 L5

  36. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R6 R7 R8 R1 R4 R3 R2 R5 L1 L2 L3 L4 L5 L6 L7 L8 S v2 M,v6 v3

  37. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R6 R7 R8 R1 R4 R3 R2 R5 L1 L2 L3 L4 L5 L6 L7 L8 S v2,L2 M,v6 v3,L7

  38. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S L8

  39. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S v4

  40. 1.5n-Round Protocol v5 v6 v1 v2 v3 v4 R8 R6 R4 R5 R2 R1 R7 R3 L1 L2 L3 L4 L5 L6 L7 L8 S v4 ,L6

  41. General Optimization ½ n ½ n 1 1/2 n rounds 1/4 n ½ n 1/4 n 1 1/4 n rounds 1/8 n 1/8 n ½ n 1/4 n 1 1/8 n rounds

  42. n-Round Protocol • Break the receiver set into log n groups • Doubles communication overhead but halves the number of rounds • No protocol can be faster than this

  43. Talk Outline • Background / Motivation • Optimizations for the Path Topology • Summary of Other Results

  44. Guy Fawkes on the Path Topology • Optimization to reduce Guy Fawkes to 2n rounds • Reduce that to n rounds using the same divide-and-conquer technique

  45. Round Complexity Lower Bounds • Any Signature-free Broadcast Authentication Protocol that completes in(2-r)lognrounds for0 <r £1must haveW(nr) comm. overhead per node • Proven using a reduction to a known result for multi-receiver MACs • Protocols with polylog communication overhead must take 2 log n rounds or more

  46. Tightness of the Bound • Optimization of protocols for fully connected topologies • Achieves 2lognrounds with O(log2n) communication per node • No protocol with polylog per node communication overhead can take fewer rounds

  47. Lower Bounds for Trees • Any Signature-free Broadcast Authentication Protocol that completes in(2.44-r)logn +O(1) rounds in a tree topology must haveW(nr) comm. overhead per node • Strictly more than 2 passes are needed for trees • Known protocols are likely already optimal for trees

  48. Thank You! Haowen Chan haowenchan@cmu.edu

More Related