On-The-Fly Verification of Rateless Erasure Codes
description
Transcript of On-The-Fly Verification of Rateless Erasure Codes
![Page 1: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/1.jpg)
On-The-Fly Verification of Rateless Erasure CodesMax Krohn (MIT CSAIL)
Michael Freedman and David Mazières (NYU)
![Page 2: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/2.jpg)
On-The-Fly Verification of Rateless Erasure CodesMax Krohn (MIT CSAIL)
Michael Freedman and David Mazières (NYU)
Multicast Authentication:Dead/Exhausted
![Page 3: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/3.jpg)
The Setting A large file F
Linux ISO (650MB)
H(F) is available signed by Publisher (RedHat)
A handful of untrusted sources/mirrors S1,…S8
![Page 4: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/4.jpg)
A Handful of Senders
![Page 5: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/5.jpg)
The Setting A large file F
Linux ISO (650MB)
H(F) is available signed by Publisher (RedHat)
A handful of untrusted sources S1,…S8
Their aggregate BW is limited
A slew of receivers R1,...,R1,000,000
Version 81.3 just released! Want it Now!
![Page 6: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/6.jpg)
Three Desirable Properties
Sources CanMulticast
ClientsGet Fast
Downloads
Clients Can Verify
Blocks On-the-Fly
![Page 7: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/7.jpg)
Receivers Get Fast, Verifiable Downloads The trusted publisher (RedHat)
Splits up F into n blocks Hashes all blocks Signs all hashes (or hash tree)
Receivers: Download and verify hashes Download needed file blocks in parallel
![Page 8: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/8.jpg)
R1
S1
S3 S4S2
R3R2
R4 R5 R6
R7R8R9 R10R11
R12R13
Everyone for Themselves
![Page 9: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/9.jpg)
Everyone For Themselves
Sources CanMulticast
ClientsGet Fast
Downloads
Clients Can Verify
Blocks On-the-Fly
![Page 10: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/10.jpg)
R1
S1
S3 S4S2
R3
R2R4
R5 R6
R7
R8R9
R10
R11
R12R13
Verifiable Multicast (BitTorrent)
![Page 11: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/11.jpg)
Verifiable Multicast (BitTorrent)
Sources CanMulticast
ClientsGet Fast
Downloads
Clients Can Verify
Blocks On-the-Fly
![Page 12: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/12.jpg)
Multicast With Erasure Codes Sources erasure encode the file F
n blocks blocksF
…? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
?
?
?
?
? ? ? ? ? ? ? ? ?
?
?
?
?
?
…………
n
![Page 13: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/13.jpg)
Multicast With Erasure Codes Sources erasure encode the file F
Receivers collect blocks and decode
n blocks blocks
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
?
?
?
?
? ? ? ? ? ? ? ? ?
?
?
?
?
?
?
? ?
?
?
?
? ?
?
?
?
?
? ?
? ?
?
?
? ? ? ? ? ?
?
?
?
1.03n blocks n blocks F
F n
……………
![Page 14: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/14.jpg)
R1
S1S3 S4
S2
R3
R2
R4R5
R6
R7
R8R9 R10
R11
R12
R13
Multicast With Erasure Codes
![Page 15: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/15.jpg)
Multicast With Erasure Codes Bullet [SOSP 2003] SplitStream [SOSP 2003] Big Downloads [IPTPS 2003] Informed Content Delivery [SIGCOMM 2002]
![Page 16: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/16.jpg)
R1
S1
S3 S4
S2
Receivers Cannot Verify Content
??
?
?
??
?
??
?
?
? ?
?
![Page 17: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/17.jpg)
Receivers Cannot Verify Content
R1
S1
S3 S4
S2
??
?
?
?
?
?
?
? ?
![Page 18: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/18.jpg)
Multicast With Erasure Codes
Sources CanMulticast
ClientsGet Fast
Downloads
Clients Can Verify
Blocks On-the-Fly
![Page 19: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/19.jpg)
Multicast With Erasure Codes
Sources CanMulticast
ClientsGet Fast
Downloads
Clients Can Verify
Blocks On-the-Fly
![Page 20: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/20.jpg)
What is the Attack Goal? To corrupt the file. To waste bandwidth.
R
S1 S3S2
![Page 21: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/21.jpg)
How To Attack? Send correct blocks but with
skewed distributions. “Distribution Attack”
Send incorrect blocks “Pollution Attack”
Karlof et al. [NDSS ’04]
R
S1 S3S2
![Page 22: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/22.jpg)
Properties of a Solution to Pollution OK: Receivers can tell
good from bad. Much better: Receivers
can finger bad blocks as they arrive.
R
S1 S3S2
CONTRIBUTION
![Page 23: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/23.jpg)
Outline Introduction Review of LT Codes Strawman #1 Strawman #2 Efficiently Catching Bad Blocks as They
Arrive
![Page 24: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/24.jpg)
LT-Codes [Luby, FOCS 2002]
b1 b2 b3 b4 b5F=
n=5 input blocks
![Page 25: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/25.jpg)
LT-Codes – How To Encode
b1 b2 b3 b4 b5
c1
1. Pick degree d1 from a pre-specified distribution. (d1=2)
2. Select d1 input blocks uniformly at random. (Pick b1 and b4 )
3. Compute their sum.
4. Output
1 1 4( )c b b
E(F)=
F=
1,{1, 4}c
![Page 26: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/26.jpg)
LT-Codes – How To Encode (cont’d)
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7 E(F)=
F=
![Page 27: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/27.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
![Page 28: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/28.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
![Page 29: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/29.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
![Page 30: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/30.jpg)
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7
3 3 5
4 4 5
5 5 5
c c bc c bc c b
E(F)=
F=
How To Decode
![Page 31: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/31.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
b5 b5 b5
![Page 32: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/32.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c5 c6 c7E(F)=
F=
b5 c4
b5 b5
![Page 33: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/33.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c5 c6 c7E(F)=
F=
b5 c4
b5 b5
![Page 34: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/34.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c5 c6 c7E(F)=
F=
b5 c4
b5 b5
![Page 35: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/35.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c5 c6 c7E(F)=
F=
b5 c4
b5 b5b2b2
![Page 36: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/36.jpg)
How To Decode
b1 b2 b3 b4 b5
c1 c2 c3 c5 c6 c7E(F)=
F=
b5 c4
b5 b5b2b2
![Page 37: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/37.jpg)
Outline Introduction Review of LT Codes Strawman #1
Simple Solution To Tell Good Blocks From Bad
Strawman #2 Efficiently Catching Bad Blocks as They
Arrive
![Page 38: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/38.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
24 5c b b
![Page 39: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/39.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7
7 5( ) ( )h c h b
E(F)=
F=
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 40: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/40.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 41: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/41.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 42: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/42.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7
4 4
3 3 5
5
5 5 5
c cc c b
bc c b
E(F)=
F=
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 43: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/43.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
b5 b5 b5
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 44: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/44.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
b5 b5 b5
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 45: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/45.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7
4
4
2 5
5 2
implies( ) ( )
b b
h b b
c
c h
E(F)=
F=
b5 b5 b5
X1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 46: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/46.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
b5 b5 b5X
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 47: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/47.jpg)
“Smart Decoder” for LT-Codes
b1 b2 b3 b4 b5
c1 c2 c3 c4 c5 c6 c7E(F)=
F=
b5 b5 b5
1( )h b 2( )h b 3( )h b 4( )h b 5( )h b
![Page 48: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/48.jpg)
“Smart Decoder:” Problem
•Data collected from 50 random Online encodings of a 10,000 block file.
![Page 49: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/49.jpg)
Outline Introduction Review of LT Codes Strawman #1 Strawman #2
Hashing/Signing Encoded Blocks Efficiently Catching the Bad as They Arrive
![Page 50: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/50.jpg)
Hashing/Signing Encoded Blocks
Trusted Publisher (RedHat) Picks e, computes e·n encoded blocks Hashes all encoded blocks Signs the hashes.
n blocks e·n blocks
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
? ?
?
?
?
?
? ? ? ? ? ? ? ? ?
?
?
?
?
?
F
![Page 51: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/51.jpg)
Hashing/Signing Encoded Blocks Expansion factor e should be big to avoid
duplicate blocks. e should be small to make crypto overhead
acceptable. Our analysis shows there’s no “sweet spot”.
![Page 52: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/52.jpg)
Hashing/Signing Encoded Blocks Expansion factor e should be big to avoid
duplicate blocks. e should be small to make crypto overhead
acceptable. Our analysis shows there’s no “sweet spot”.
e.g., best case bandwidth requirements: +5% e.g., generating hashes is very expensive as e
gets large.
![Page 53: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/53.jpg)
Outline Introduction Review of LT Codes Strawman #1 Strawman #2 Efficiently Catching the Bad as They
Arrive
![Page 54: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/54.jpg)
Best of Both Worlds Goal:
Crypto overhead of one hash for every block in the input file (Strawman #1)
Verify blocks as they arrive (Strawman #2) Idea:
Distribute hashes of file blocks, and use them to verify encoded blocks.
Need a better hash function.
![Page 55: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/55.jpg)
Insight: Homomorphic Hashing Assume function h exists such that:
1. is homomorphic:
2. is a CRHF: ( ) ( ) iff h x h y x y
( ) ( ) ( )h x h z h x z
![Page 56: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/56.jpg)
R knows: R wants proof that:
Homomorphic Hashing: Intuition R receives the block ,{2,5}c
2 5c b b
c
2( )h b 5( )h b b2 b5
c
![Page 57: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/57.jpg)
R knows: R wants proof that:
Homomorphic Hashing: Intuition
c
2( )h b 5( )h b b2 b5
c( )h c
2 5c b b
R receives the block ,{2,5}c
![Page 58: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/58.jpg)
R knows: R wants proof that:
Homomorphic Hashing: Intuition
c
2( )h b 5( )h b
( )h c
b2 b5
c
2 5c b b 2 5( ) ( ) ( )h c h b h b
R receives the block ,{2,5}c
![Page 59: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/59.jpg)
R knows: R wants proof that:
Homomorphic Hashing: Intuition
2 5c b b
2 5( ) ( ) ( )h c h b h b
R receives the block ,{2,5}c
![Page 60: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/60.jpg)
R knows: R wants proof that:
Homomorphic Hashing: Intuition
2 5c b b
Property 1
2 5( ) ( ) ( )h c h b h b
2 5( ) ( )h c h b b
R receives the block ,{2,5}c
![Page 61: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/61.jpg)
R knows: R wants proof that:
Homomorphic Hashing: Intuition
2 5c b b
Property 1
2 5( ) ( ) ( )h c h b h b
2 5( ) ( )h c h b b Property 2
R receives the block ,{2,5}c
![Page 62: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/62.jpg)
Homomorphic Hashing: Protocol R receives the block
Compute h(c) If
Accept block; mark as valid else
Suspect sender of being bad guy, and switch.
,{2,5}c
2 5( ) ( ) ( )h c h b h b
![Page 63: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/63.jpg)
Homomorphic Hashing: Protocol R receives the block
Compute h(c) If
Accept block; mark as valid else
Suspect sender of being bad guy, and switch. Can such an h possibly exist?
,{2,5}c
2 5( ) ( ) ( )h c h b h b
![Page 64: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/64.jpg)
Homomorphic Hashing: Related Work DLog-Based CRHF
Pederson Commitment [CRYPTO ’91] Chaum et al. [CRYPTO ’91]
One-Way Accumulators Benaloh and de Mare [EUROCRYPT ’93] Barić and Pfitzmann [EUROCRYPT ’93]
Incremental Hashing Bellare et al. [CRYPTO ’94]
Homomorphic Signatures Micali and Rivest [RSA ’02] Johnson et al. [RSA ’02]
![Page 65: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/65.jpg)
Mechanics of Homomorphic Hashing Discrete Log Hash Pick 1024-bit prime p and 256-bit prime q, q divides (p-1) Pick from 512 generators of order q: Write F as elements in
1 512( ,..., )g gg
qZ
F=
,i j qb 256-bit “fragment”
512
k qb
16K “block”
pZ
![Page 66: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/66.jpg)
How to Encode (example)
1,2 1,3 1,5
3
512,2 512,3 512,5
b b b
b b b
c
Standard LT-Codes:
Homomorphic Scheme:
3 2 3 5c b b b
3 2 3 5 (mod )q c b b b
![Page 67: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/67.jpg)
How To DLog Hash
Hashes are elements in (128 bytes big)
Hash reduces 16K block by a factor of 128
pZ
1,1
2,11,1 2,1 512,1
512,1
1
11,1
2,1 21 2 512
512,1 512
( )
x
b
bb b b
b
h
gbb g
g g g
b g
g
b
Π
![Page 68: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/68.jpg)
How To DLog Hash
Hashes are elements in (128 bytes big)
Hash reduces 16K block by a factor of 128
+1% overhead
pZ
1,1
2,11,1 2,1 512,1
512,1
1
11,1
2,1 21 2 512
512,1 512
( )
x
b
bb b b
b
h
gbb g
g g g
b g
g
b
Π
![Page 69: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/69.jpg)
DLog-Hash: Key Property Note that: ,,
,,
, ,
( ) ( )
( )
k jk i
k jk i
k i k j
bbi j k k
k k
bbk k
k
b bk
k
i j
h h g g
g g
g
h
b b
b b
![Page 70: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/70.jpg)
DLog-Hash: Key Property Note that:
Goal achieved!
,,
,,
, ,
( ) ( )
( )
k jk i
k jk i
k i k j
bbi j k k
k k
bbk k
k
b bk
k
i j
h h g g
g g
g
h
b b
b b
![Page 71: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/71.jpg)
“This Seems Really Expensive”
Operation on a 16K BlockThroughput
(kB/sec)DLog Hash 39
Arrival on 1.5Mbps DSL 190
SHA1 Hash 57,600
![Page 72: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/72.jpg)
Key Optimizations Hash Generation
Each publisher picks her own parameters, compute with 1 exponentiation (not 512)
Hash Verification Receiver verifies hashes probabilistically and in
batches. Bellare et al. [EUROCRYPT ’98]
( )ih b
![Page 73: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/73.jpg)
Much BetterOperation on a 16K Block
Throughput (MB/sec)
Naïve DLog Hash 0.038
Per-publisher Generation 11.210
Batch Verification 7.620
Arrival on 1.5 Mbps DSL 0.186
SHA1 Hash 56.250
![Page 74: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/74.jpg)
Homomorphic Hashing: Key Points+ Key Algebraic Feature
+ Homomorphism: Receivers can compose hashes the way encoders sum file blocks.
+ Can check encoded blocks as they arrive.
+ Fast+ Can be optimized to achieve good generation and
verification throughputs+ Provably Secure
+ As hard as discrete log (SHA1/MD5 not needed)
![Page 75: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/75.jpg)
Conclusion
Sources CanMulticast
ClientsGet Fast
Downloads
Clients Can Verify
Blocks On-the-Fly
![Page 76: On-The-Fly Verification of Rateless Erasure Codes](https://reader036.fdocuments.us/reader036/viewer/2022062521/56816843550346895dde1911/html5/thumbnails/76.jpg)
Thank you.
Now accepting questions.