Transcript Asynchronous VSS and Proactive Cryptosystems

Multicast Authentication in
Fully Adversarial Networks
A. Lysyanskaya, R. Tamassia, N. Triandopoulos
IEEE Symposium on Security and Privacy
Oakland, May 2004.
Presented by Michael Sirivianos
Outline








Problem Statement
Prior Work
Preliminaries
Crypto Primitives and ECC’s
Network Model and Auth. Framework
Scheme Description
Comparison with other schemes
Conclusions
Multicast Authentication
Problem

The underlying network, is controlled by an
adversary, which may




(a) drop or delay chosen packets,
(b) rearrange the order of the packets in an arbitrary
way, and
(c) inject new packets into the transmitted stream.
Prior work focused on less general models, where
random and not selected, packets may be dropped
and altered, or no additional packets may be
injected into the stream.
Introduction



Any authentication scheme for multicast streams
should verify as many as possible of the received
packets without assuming the availability of the
entire original stream.
Should resist against any types of attacks by an
adversary, even when the adversary controls the
underlying network.
Their solution is based on a combination of error
correcting codes with standard cryptographic
primitives.
Prior Work

Sender signs all packets and receiver verifies all



Computationally expensive, B/W consuming.
Receiver/Verifier vulnerable to DoS attacks.
Signature amortization

Hash chain,


each packet pi includes ai. ai = h(pi+1).
p1 is digitally signed.
No packet loss is tolerated
Merkle-tree-based authentication


Each packet contains signed root hash and co-path node
hashes. Tolerates losses.
Communication overhead grows logarithmically with the number of
packets sent.
Prior Work

Graph-Based Authentication.





Amortizing a signature over multiple hash chains. Tolerates
losses.
A single-sink directed acyclic graph where each vertex
corresponds to a packet.
A directed edge from packet pi to packet pj indicates that the
authentication information aj in packet pj includes the
h(pi ). p1 is the sink of the DAG and is digitally signed.
Validation proceeds backward along the edges of the graph.
If pj has been validated and edge (pi, pj) exists,
the validation of packet pi can be obtained comparing aj with
h(pi) .
Offers probabilistic security guarantees.
Hash Chain Authentication

Hash chain authentication

Any packet loss prevents authentication
Graph-based Authentication


Graph based authentication
If we lose Pi and Pi+2, Pi+3 cannot be authenticated.
You should not lose P1.
Prior Work



Erasure codes are used to tolerate losses by
dispersing packet information over multiple
packets.
However a single packet injection by adv. can
compromise correctness of the encoding.
Their solution involves one signature operation per
stream and a constant size authentication
overhead per packet and tolerates a bounded nonrandom adversary.
Contributions




Formally define multicast authentication in an (a,
b) fully adversarial network. They define
correctness and security of this scheme.
Propose scalable multicast authentication based on
digital signatures, crypto hash functions and ReedSolomon error correcting codes.
Prove correctness/security. All valid packets are
recognized and invalid are rejected.
Analyze performance, discuss implementation
choices. Transmission overhead is / b/a2
Crypto Primitives


Public key signature scheme
 Correct. Probability of the Verification
algorithm accepting a correctly obtained
signature is 1.
 Secure against adaptive chosen-message
attacks
Collision Resistant Hash Function H.
 Efficient. Takes PT to compute H(x)
 Collision Resistant. A probabilistic PT A can
obtain x1 x2 s.t H(x1) = H(x2) with negligible
probability
Error Correcting Codes



Let S be an alphabet S = {1, 2, ..., q}, with |S| = q.
An error correcting code [n, k]q is a function
C : Sk ! Sn, n > k
The redundancy helps in correcting up to e errors in a
received message.
If C(x) is received as y 2 Sn at most e characters of
the alphabet in y can be unambiguously corrected to
retrieve the original C(x). e depends on the code.
If all symbols of x appear among the symbols of C(x),
then the code is systematic.
Reed Solomon Code


Based on properties of univariete polynomials over
finite fields.
A systematic [n, k+1]q Reed-Solomon code,
where k < n · q, consists off:
 Alphabet: A finite field Fq with q being a prime
power.

Encoder: A function C: Fqk+1 ! Fqn, where n > k.
Reed Solomon Encoder


Takes input the parameters n and k, and k+1 points
(i, yi), i 2 Fq, yi 2 Fq, for 1 · i · k + 1.
Use polynomial interpolation to find a unique
polynomial p 2 Fq[x] over Fq and of degree at most
k, s.t. p(i) = yi.

Outputs points (i, p(i)), for 1 · i · n.

The ratio n / k < 1 is called the rate of the code.

This is a systematic code.
Reed Solomon Decoder



The decoder takes as input n and k, the max
number of errors e, and n points
(xi, yi), 1 · i · n and list-decodes.
It outputs a list of polynomials p 2 Fq[x] of degree
at most k, s.t. in no more than e values of i, we
have yi  p(xi)
The used decoder for [n, k+1]q Reed-Solomon code
is PT and is due to Guruswami and Sudan.
Reed Solomon Decoder

The GS-Decoder is based on an algorithm
that performs polynomial reconstruction

given k and t, and given n points
{(xi, yi), 1 · i · n}, where xi, yi 2 Fq,
find a list of all the polynomials p 2 Fq[x] of
degree at most k s.t. yi = p(xi) for at least t
values of i.
Network Model


A fully adversarial network is controlled by an
adversary. The adversary can:
 cause packets of her choice to be lost;
 inject packets (either random ones or with a
specific malicious structure)
 arbitrarily alter, delay or rearrange packets
Reasonable to expect some reliability from the
network and that the adversary will not drop or
inject too much packets because the receiver will
not use and authenticate the received stream.
Network Model


Parameters:
 Packets in send stream, n
 Packets in received stream, r
 Survival rate, a
 Flood rate, b
An (a, b)-network
 The receiver stream contains at least a¢ n
valid packets.
 The received stream contains at most b¢n
packets.
 If r < a¢n, the problem is packet loss.
 If r > b¢n, the problem is DoS
Authentication Model

The authentication algorithm has input:






(SK, PK): secret and public key.
GID: the group ID
n: the number of packets to be authenticated
a, b: the survival and flood rate.
DP: the data packets to be authenticated.
It outputs the authenticated (signed)
packets.

AP = {a1, …an}
Authentication Model

The decoder algorithm has input


PK, GID, n, (a, b) and RP = {r1, … rm}, the
received packets. In the absence of adversarial
behavior RP = AP.
The decoder


Rejects the input when the # of valid received
packets is less than an, or more than
(b-a)n packets are injected by the adversary.
Or produces the output packets OP = {p1’,..pn’}
pi =  corresponds to not received
authenticated packet.
Authentication Correctness
and Security

The scheme is secure and correct if the
adversary A wins negligibly often in this
game:


A has access to the auth, thus it can give it
input the values (PK, GIDi, ni, ai, bi, DPI) and
obtain APi. But, A cannot issue more than one
query for the same GID.
A outputs a GID, the values, n, a, b and a set of
packets RP.
Authentication Correctness
and Security

The adversary wins if:



Violates the (a, b)-correctness property.
Managed to construct RP set s.t. even if it
contains at least aini packets of some
authenticated packet set APi for GIDi = GID,
the decoder failed to identify all the correct
packets.
The following must hold: 
Authentication Correctness
and Security

(a, b)-correctness property violation.

For some i, the adversary’s query i contained GIDi = GID,
ni = n, ai = a, DPi = {p1, … pn} = DP and got
APi = {a1, …an} = AP

At least a n of the authenticated packets are in RP.

|RP| · b n

For some 1 · j · n, pj is the j’th packet in DP, s.t. a
corresponding authenticated aj was received.
However, it was not decoded correctly, i.e:
pj’ <- Decode(PK, GID, a, b, RP), but pj’  pj
Authentication Correctness
and Security

The adversary also wins if:



Violates the security property.
Managed to construct RP set s.t. the decoder
outputs packets {p1’, … pk’} that were not
authenticated by the authenticator for GID.
The following must hold: 
Authentication Correctness
and Security

security property violation.


The authenticator was not queried with GID
and n. However, the decoder did not reject,
instead output unauthenticated packets.
The authenticator was queried with GID, n, a, b
and the original data packets. The decoder
does not reject, however an output packet
pj’   is different from the original pj.
Scheme DescriptionAuthenticator

On input PK, SK, DP = {p1, pn}, a and b. e
1.
For 1 · i · n, compute the hash hi = H(pi).
Digitally sign: s à (h1 || h2 || … hn || GID)
2.
S = (h1 || h2 || … hn || s) is authentication information.
3.
Need to guarantee that if only an packets survive and a
large number (b-a)n are injected, the receiver still gets all
the authentication information.
S is encoded using a [n, pn+1]q Reed-Solomon Code with
and 0 < e < 1 (decoder
error tolerance)
Reed Solomon Encoder


Takes input the parameters n and k, and k+1 points
(i, yi), i 2 Fq, yi 2 Fq, for 1 · i · k + 1.
Use polynomial interpolation to find a unique
polynomial p 2 Fq[x] over Fq and of degree at most
k, s.t. p(i) = yi.

Outputs points (i, p(i)), for 1 · i · n.

The ratio n / k < 1 is called the rate of the code.

This is a systematic code.
Scheme DescriptionAuthenticator
4. Split S into pn+1 substrings of equal size s =
If S is not an exact multiple of pn + 1, pad S with 0’s.
Each substring is viewed as a value in Fq, with q = 2s.
5. Treat the resulting set of pn+1 field elements as an input
to the Reed-Solomon encoder.
Compute codeword C(S) using the [n, pn + 1]q ReedSolomon code. C(S) consists of n elements
in Fq, denoted as (s1, . . . , sn).

Output AP = {a1, . . . , an}, where for 1 · i · n, we
have ai = GID || i || pi || si.
Reed Solomon Decoder

The GS-Decoder is based on an algorithm
that performs polynomial reconstruction

given k and t, and given n points
{(xi, yi), 1 · i · n}, where xi, yi 2 Fq,
find a list of all the polynomials p 2 Fq[x] of
degree at most k s.t. yi = p(xi) for at least t
values of i.
Scheme DescriptionGS-Decoder

On Input: n, a, b, and m points (xi, yi), 1· i · m.
1. Run the GS-Decoder, on input and get L. If L is empty,
reject.
2. Process L = {Q1(x), . . . ,Qf(x)}
for each Qj(i) 2 L, evaluate Qj(i) for 1 · i · pn + 1
and let the string Qj(1) || Qj(2) ||· · ·|| Qf(pn + 1) be a
candidate codeword ci.

Output: List of all computed candidates {c1, . . . , cf} or
reject.
Scheme DescriptionTheir Decoder

On Input: PK, GID, n, a, b, and received packets
RP = {r1,… rm}
1. View ri 2 RP as ri = GIDi || ji || pi || si
2. Discard non conforming packets, e.g GIDi  GID or
ji  [1..n] . Let (r1’, … rm’) be the remaining in RP.
3.
If m’ < an or m’ > bn reject
4.
For 1 · i · m’, set (xi, yi) = (ji, si)
5.
Run Modified GS-decoder on n, a, b, and the m’ points
(xi, yi). If it rejects reject, o.w. obtain candidate
codewords for S, (ci … cf)
Scheme DescriptionDecoder
6. For 1 · i · n, set hi = , j = 1. While j · f
1.
Parse cj as string h1j || … hnj || s
2.
If VerifyPK(GID|| h1j || … hnj, s) = 1
set hi = hij and break; o.w. increase j
7. If hi =  for 1 · i · n, reject. Else compute the output
packets. As follows:
1.
2.
8.
Initialize pi’ = , 1 · i · n.
For 1 · i · m’:
View ri as ri = GID || j || pj || sj, s.t. j 2 [1..n]
If H(pj) = hj, set pj’ = pj .
Output {pi’,… pn’}
Proof of correctness &
security

Proof by contradiction:
Suppose there is adversary A who manages to break
the (a, b)-correctness or security of the scheme with nonnegligible probability p(k). Then one of these events must be
true:
• With probability (at least) p(k)/2, A violates
the (a, b)-correctness property.
• With probability (at least) p(k)/2, A violates
the security property.

They show that a non-negligible probability of either events
contradicts the security properties of the used signature
scheme and hash function
Correctness-Proof sketch

Prove the claim by exhibiting a reduction.
This reduction transforms an attack that violates the
correctness of their scheme, into an attack on the
underlying signature scheme.



Input to reduction is the PK. Reduction gets oracle access to
the signer. It sets up PK = (PKs, H).
Invokes the adversary on input PK
Now needs to answer adversaries queries to authenticator.
Correctness Proof sketch

The reduced authenticator in order to respond to a query
(GIDi, ai, bi, ni, DPi) runs with the following modification:





Don’t compute signature sI obtain it my querying the sign
oracle.
Everything else proceeds as before.
The view of the adversary in this reduction is identical to
the real-life view.
Thus, with same prob. A violates the correctness property.
The following hold for its output.
Correctness Proof Sketch

(a, b)-correctness property violation.

For some i, the adversary’s query i contained GIDi = GID,
ni = n, ai = a, DPi = {p1, … pn} = DP and got
APi = {a1, …an} = AP

At least a n of the authenticated packets are in RP.

|RP| · b n

For some 1 · j · n, pj is the j’th packet in DP, s.t. a
corresponding authenticated aj was received.
However, it was not decoded correctly, i.e:
pj’ <- Decode(PK, GID, a, b, RP), but pj’  pj
Security Proof sketch


Set up the reduction in exactly the same way as before. The
adversary’s view in the reduction is the same as in real life.
So, as often as in real life, the adversary will violate the
security property of their scheme, namely, one of the
following will hold:
 The authenticator was not queried with GID and n.
However, the decoder did not reject, instead output
unauthenticated packets.

The authenticator was queried with GID, n, a, b and the
original data packets. The decoder does not reject,
however an output packet pj’   is different from the
original pj.
Analysis


Authenticator computational cost:
 n constant cost hashes and one signature
 Reed-Solomon is a poly-interpolation of pn+1
positions and poly-evaluation in n – pn-1
positions.
Requires O(nlogn) field ops
Decoder computational cost:
2
 O(n ) processing time and O(1) signature
verifications and O(n) hash values are
computed.
Analysis

Communication cost:
 The total size of authentication information is


So, constant per-packet overhead
The larger the p, the smaller the overhead.
Largerp means larger a and/or smaller b.
Comparisons
Conclusion




General framework for the multicast
authentication problem in network controlled by
bounded adversary. Which is the most realistic!
Unlike previous works does not address just
randomly erroneous networks but fully adversarial
ones.
Shown to be secure as the sign-all solution but
incurs constant overhead
Decouples verification and attack detection using
the an and bn thresholds
Discussion

How to determine the a, b parameters in a pragmatic
way? (The adv. could inject enough packets to prevent authentication without
triggering a DDoS alarm. Could drop enough packets to prevent authentication without
excessive packet loss)

In Merkle trees the computational cost is O(n) while in
this scheme it is O(n^2). However, its communication
cost scales much better.

Implementation?

Other ECC’s?

Uses the signature crypto primitive to unambiguously
list-decode an ECC.
Thank you