Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes Haowen Chan, Adrian Perrig Carnegie Mellon University 1
Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 2
Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 3
Multi-receiver Authentication in Sensor/Ad-hoc Networks 4 S R1R1 R4R4 R2R2 R3R3 R5R5 R6R6 R7R7 R8R8 M M M Is M from S ? Yes = accept No = drop Is M from S ? Yes = accept No = drop
Authentication Methods Signature: Sender S signs M using private key Need support for public key crypto Multi-receiver Message Authentication Codes Additional O(n) overhead in message size TESLA [Perrig et al, 2002] : Need time synchronization Communication-Efficient with Minimal Assumptions Guy Fawkes [Anderson et al. 1998] Hash Tree-based [Chan & Perrig 2008] 5
Assumptions Sender knows full network topology Sender shares a unique symmetric key K i with each receiver R i 6
Hash Tree Based Broadcast Construct a hash tree with MACs at the leaves Idea: Adversary can’t compute r for forged M’ since it does not know any of the MAC values of the legitimate nodes Hash Tree … LaLa LbLb LzLz r 7 r acts as an authenticator for M
Receiver Verification Given Message M, hash tree root vertex r Receiver R i verifies that is a leaf in hash tree with root r Verification path = all siblings on path to root 8 LiLi v1v1 u1u1 v2v2 u2u2 v3v3 u3u3 v4v4 r
General Tree Topology: 3 Passes 1.Sender broadcasts message M with hash tree root r 2.Receivers reconstruct hash tree with leaves 3.Verification paths disseminated 9 S R1R1 R5R5 R4R4 R2R2 R3R3 M, r Reconstruct hash tree Disseminate verification paths
Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 10
Path Topology Common applications Actual linear topologies (roadway, corridor) Path from leaf to root in spanning tree Along a routing path 1 round = one interaction between neighbors Message from S to R n takes n rounds Unoptimized: 3 passes = 3 n rounds 11 R1R1 R2R2 R3R3 RnRn S …
Observation Can start reconstructing the hash tree immediately upon receiving M “Piggy-back” the two outgoing passes together Achieve 2 n rounds Outgoing pass: left-siblings computed Incoming pass: right-siblings computed 12
2 n -Round Protocol 13 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r S precomputes the whole tree
2 n -Round Protocol 14 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r
2 n -Round Protocol 15 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r L1L1
2 n -Round Protocol 16 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v1v1
2 n -Round Protocol 17 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 1,L 3
2 n -Round Protocol 18 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v5v5
2 n -Round Protocol 19 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 5,L 5
2 n -Round Protocol 20 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 5,v 3
2 n -Round Protocol 21 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r M,r v 5,v 3,L 7
2 n -Round Protocol 22 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r L8L8
2 n -Round Protocol 23 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v4v4
2 n -Round Protocol 24 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 4,L 6
2 n -Round Protocol 25 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v6v6
2 n -Round Protocol 26 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 6,L 4
2 n -Round Protocol 27 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 2,v 6
2 n -Round Protocol 28 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r v 2,v 6,L 2
Further Optimizations Computation of Node v 6 causes delay If Sender precomputes and sends v 6 Nodes 1-4 can build verification paths independently of 5-8 Split apart the two subtrees 29 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 r
1.5n -Round Protocol 30 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6
1.5n -Round Protocol 31 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6 L1L1
1.5n -Round Protocol 32 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6 v1v1
1.5n -Round Protocol 33 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 5,v 6 v 1, L 3
1.5n -Round Protocol 34 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6
1.5n -Round Protocol 35 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6 L5L5 L4L4
1.5n -Round Protocol 36 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6 v3v3 v2v2
1.5n -Round Protocol 37 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 M,v 6 v 3, L 7 v 2, L 2
1.5n -Round Protocol 38 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 L8L8
1.5n -Round Protocol 39 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 v4v4
1.5n -Round Protocol 40 S R7R7 R1R1 R2R2 R3R3 R4R4 R5R5 R6R6 R8R8 L7L7 L1L1 L2L2 L3L3 L4L4 L5L5 L6L6 L8L8 v1v1 v4v4 v2v2 v3v3 v5v5 v6v6 v 4,L 6
General Optimization 41 ½ n 1 1/2 n rounds ½ n 1/4 n 1 1/4 n rounds 1/4 n ½ n 1/4 n 1 1/8 n rounds 1/8 n
n -Round Protocol Break the receiver set into log n groups Doubles communication overhead but halves the number of rounds No protocol can be faster than this 42
Talk Outline Background / Motivation Optimizations for the Path Topology Summary of Other Results 43
Guy Fawkes on the Path Topology Optimization to reduce Guy Fawkes to 2 n rounds Reduce that to n rounds using the same divide-and-conquer technique 44
Round Complexity Lower Bounds Any Signature-free Broadcast Authentication Protocol that completes in (2- ) log n rounds for must have ( n ) comm. overhead per node Proven using a reduction to a known result for multi-receiver MACs Protocols with polylog communication overhead must take 2 log n rounds or more 45
Tightness of the Bound Optimization of protocols for fully connected topologies Achieves 2 log n rounds with O( log 2 n ) communication per node No protocol with polylog per node communication overhead can take fewer rounds 46
Lower Bounds for Trees Any Signature-free Broadcast Authentication Protocol that completes in (2.44- ) log n + O(1) rounds in a tree topology must have ( n ) comm. overhead per node Strictly more than 2 passes are needed for trees Known protocols are likely already optimal for trees 47
Thank You! Haowen Chan 48