Digital Signatures for Flows and Multicasts by Chung Kei Wong and - PDF document

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking , August 1999 Digital Signature  Examples: RSA, DSA  Provide authenticity, integrity and non- repudiation  How to sign/verify?  signing key k s , verification key k v , message digest h ( m )  signature = sign ( h ( m ), k s )  signature = sign ( h ( m ) k )  verify ( signature , h ( m ), k v ) = True/False  Signing & verification operations are slow compared to symmetric key operations Digital Signatures (Simon Lam) 2 1

Motivation  Traditional network applications (circa 1998)  message-oriented unicast, e.g., email, file transfer, client-server  Emerging network applications E k l  flow-oriented, e.g., audio, video, stock quotes  multicast, e.g., teleconference, software distribution  Problem: How to sign efficiently?  high-speed transmissions hi h d t i i  real-time generated flows  delay-sensitive packet flows Digital Signatures (Simon Lam) 3 All-or-nothing flows  The signer generates a message digest of the entire flow (file) and signs the message the entire flow (file) and signs the message digest  But most Internet applications do not create all-or-nothing flows  a flow is sent as a sequence of packets fl is s t s s f k ts  each packet is used as soon as it is received Digital Signatures (Simon Lam) 4 2

Sign-each Approach  A flow is a sequence of data packets  Sign each packet individually  Inefficient: one signing/verification  Inefficient: one signing/verification operation per packet  Rates on a Pentium-II 300 MHz using 100% processing time (with 512-bit modulus) Packet Rate (packets/sec) size Signing g g Verification (bytes) RSA DSA RSA DSA 512 78.8 176 2180 128 1024 78.7 175 1960 127 Digital Signatures (Simon Lam) 5 Prior work on signing digital streams  [Gennaro and Rohatgi 1997]  One signing/verification op for an entire flow flow—only the first packet is signed only the f rst packet s s gned  Each packet contains authentication info for next  Verification of each packet depends on previous ones  Reliable delivery required P 1 P 2 P 3 P 4 message digest of digital signature following packet Digital Signatures (Simon Lam) 6 3

Flow Signing Problem  Each packet may be used as soon as it is received  Subsequences of a flow are received and  S b f fl i d d used  best-effort delivery, e.g., UDP, IP multicast  different needs/capabilities, e.g., layered video  How to efficiently sign flows with each  How to efficiently sign flows with each packet being individually verifiable ? Digital Signatures (Simon Lam) 7 Our Approach: Chaining  Partition a flow into blocks of packets  Sign the digest of each block instead of each p packet individually y  Each packet carries its own authentication information to prove it is in the block  Authentication info provided by chaining . . . P 1 P 2 P 3 P 4 P 5 P 6 P 7 1 2 3 4 5 6 7 Block Block signature Chaining info Digital Signatures (Simon Lam) 8 4

Star Chaining – Signing Block digest D 1-8 = h ( D 1 , …, D 8 ) Packet digests D 1 D 2 D 3 D 4 D 5 D 6 D 7 D 8  Block signature = sign ( D 1-8 )  Packet signature for packet P 3 : ac t gnatur f r pac t 3 sign ( D 1-8 ), D 1 , D 2 , D 4 , …, D 8  Chaining overhead is O (block size) Digital Signatures (Simon Lam) 9 Star Chaining – Verification  Verifying first received packet (say P 3 ) Block digest D' 1-8 = h ( D 1 , D 2 , D' 3 , D 4 , …, D 8 )  verify ( D' 1-8 , sign ( D 1-8 )) D 1 D 2 D' 3 D 4 D 5 D 6 D 7 D 8 Packet digests  Caching of verified nodes  no verification op for other packets in the block Digital Signatures (Simon Lam) 10 5

Tree Chaining – Signing  [Merkle 1989] Block digest D 1-8 = h ( D 1-4 , D 5-8 )  Block signature sign ( D 1-8 )  Block signature = sign ( D 1 8 ) D 1-4 D 5-8  Packet signature for packet P 3 : D 1-2 D 3-4 D 5-6 D 7-8 sign ( D 1-8 ), D 4 , D 1-2 , D 5-8 D 1 D 2 D 3 D 4 D 5 D 6 D 7 D 8 1 2 3 4 5 6 7 8 Packet digests  Chaining overhead is O ( log (block size)) Digital Signatures (Simon Lam) 11 Tree Chaining – Verification  Verifying first received packet (say P 3 )  verify ( D' 1-8 , sign ( D 1-8 )) Bl Block digest D' 1-8 = h ( D' 1-4 , D 5-8 ) k di t D' h ( D' D )  Caching of verified nodes  no verification op for other packets in the block D' 1-4 D 5-8 D 1-2 D' 3-4 D 5-6 D 7-8 D 1 D 2 D' 3 D 4 D 5 D 6 D 7 D 8 Packet digests Digital Signatures (Simon Lam) 12 6

Chaining Technique: Signer Overhead Digest comp time Compute packet digests Tree build time Build authentication tree Signature comp time Sign block digest Build packet signatures Packet signature build time Chaining time = Tree build time + Packet signature build time Digital Signatures (Simon Lam) 13 Chaining Technique: Verifier Overhead Build authentication tree Build authentication tree Tree build time Tree build time Digest comp time Compute packet digests Chaining verification time Verify chaining information Signature verifying time Si if i i Verify block signature Chaining time = Tree build time + Chaining verification time Digital Signatures (Simon Lam) 14 7

Chaining Time Overheads 10.00 10.00 ver (ms) der (ms) tree deg 2 tree deg 2 tree deg 4 tree deg 4 chaining time at send chaining time at receiv t tree deg 8 d 8 tree deg 8 1.00 1.00 star star 0.10 0.10 0.01 0.01 2 4 8 16 32 64 128 2 4 8 16 32 64 128 block size (no. of packets) block size (no. of packets) at sender d at receiver  Overheads increase linearly with block size (in log scale)  Much smaller than signing/verification times Digital Signatures (Simon Lam) 15 Chaining Overhead Size 300 g overhead star 200 ytes) tree deg 8 chaining (by tree deg 4 100 tree deg 2 0 2 4 8 16 32 64 128 block size (no. of packets)  Smallest when tree degree is 2  Increases linearly with logarithm of block size  Packet signature = block signature + chaining overhead Digital Signatures (Simon Lam) 16 8

Flow Signing/Verification Rates 5000 10000 star ation rate 4000 8000 tree deg 8 ing rate kets/sec) kets/sec) tree deg 4 3000 6000 tree deg 2 g verifica signi (pack (pack 2000 4000 sign-each 1000 2000 0 0 2 4 8 16 32 64 128 2 4 8 16 32 64 128 block size (no. of packets) block size (no. of packets)  1024-byte packets, RSA with 512-bit modulus d l  Increases with block size  Varies only slightly with tree degree  we recommend degree 2 tree chaining Digital Signatures (Simon Lam) 17 Flow Signing/Verification Rates 6000 14000 512-byte 12000 5000 e signing rate (packets/sec) 1024-byte verification rat (packets/sec) 10000 4000 2048-byte 8000 3000 6000 2000 4000 1000 2000 0 0 2 4 8 16 32 64 128 2 4 8 16 32 64 128 block size (no. of packets) block size (no. of packets)  Degree two tree, RSA with 512-bit modulus, three different packet sizes Digital Signatures (Simon Lam) 18 9

Real-time Generated Flows  Fixed block size for non-real-time generated flows  Fixed time period T for real-time generated flows  Bounded delay signing since for any packet delay ≤ T + T chain + T sign T chain ( m 1 ) + T sign T chain ( m 2 ) + T sign period T period T time m packets m 1 packets m packets m 2 packets  T should be larger than T chain + T sign  delay cannot be smaller than 2( T chain + T sign ) Digital Signatures (Simon Lam) 19 Selecting a Signature Scheme  RSA: signing rate not high enough  DSA: both rates not high and  DSA: both rates not high and verification rate < signing rate  In a group, receivers may have widely different resources, e.g., PDAs, notebooks, desktops  We proposed several extensions to FFS  We proposed several extensions to FFS [Feige, Fiat and Shamir 1986] Digital Signatures (Simon Lam) 20 10

FFS Signer  choose two large primes p and q  compute modulus n = pq t d l   choose integers v 1 , …, v k s 1 , …, s k 2 = v i –1 mod n such that s i  signing key is { s 1 , …, s k , n } g g y { 1 , , k , }  verification key is { v 1 , …, v k , n } Digital Signatures (Simon Lam) 21 How to Sign Message m  choose t random integers, r 1 , …, r t , between 1 and n 2 mod n , for i = 1, …, t  compute x i = r i  compute message digest h ( m , x 1 , …, x t ) where function h (•) is public knowledge and produces a digest of at least k x t bits let { b ij } be the first k x t bits of the digest  compute y i = r i x ( s 1 p y i b i 1 x … x s k b ik ) mod n i 1 k for i = 1, …, t  signature of m consists of { y i } and { b ij } for i = 1, …, t and j = 1, …, k Digital Signatures (Simon Lam) 22 11