A Mechanism for CommunicationEfficient Broadcast Encryption over Wireless
A Mechanism for Communication-Efficient Broadcast Encryption over Wireless Ad Hoc Networks Reza Curtmola Seny Kamara Johns Hopkins University Department of Computer Science Seny Kamara WCAN 2006 1
The problem • Secure content distribution (SCD) in MANETs – source disseminates data to a group of authorized receivers – group is dynamically changing due to revocation and addition of users Seny Kamara WCAN 2006 2
Secure content distribution • network layer: delivery of data secure multicast routing • application layer: secrecy of data broadcast encryption Seny Kamara WCAN 2006 3
The Setting • MANETs – low bandwidth – lossy links – mobility Seny Kamara WCAN 2006 4
Broadcast Encryption (BE) • BE deals with methods to efficiently broadcast information to a group of authorized users • A center broadcasts messages, but only a set of privileged users can decrypt them • Dynamically changing group of users Seny Kamara WCAN 2006 5
Two flavors of BE • Stateful – Users receive initial secrets – Revocation and addition require re-keying – Nodes need to be online to receive key updates • Stateless – Users receive initial secrets – No re-keying message size storage at the receiver key update size Stateful O(1) O(log n) Stateless O(r) O(1) N/A Seny Kamara WCAN 2006 6
Stateful vs. Stateless • Simple scenario: – n = # of users r = # of revocations – l = size of each message k = size of session key – d = # of messages between two revocations Stateful Stateless message Key Update revocation Seny Kamara WCAN 2006 7
Stateful vs. Stateless • Transmission cost: – stateful: O(r·d·l + r·log(n) ·k) – stateless: O(r·d·l + d·r 2·k) • When r = Ω(log n), stateful is better than stateless (e. g. for n=1024, after r=10 revocations, stateful is more efficient) Seny Kamara WCAN 2006 8
Limitations of MANETs • Limited bandwidth favors the use of stateful BE • Standard application of stateful BE is not possible • Key updates may be lost: – lossy links – network partitions caused by node mobility – receivers go offline • How to still take advantage of the low communication cost of stateful BE? Reliable message delivery! Seny Kamara WCAN 2006 9
Reliable message delivery • interactive solutions – scalability and connectivity issues – undesirable • Focus of this talk: – a mechanism for non-interactive reliable message delivery – application to stateful BE in MANETs Seny Kamara WCAN 2006 10
Reliable message delivery • scalability • storage per node • recovery time • scalability – rules out interactive solutions • simple non-interactive solution: – connected nodes store all messages from the source – disconnected nodes need to encounter one node – high storage requirement per node: r · q bits Seny Kamara WCAN 2006 11
Reliable message delivery – our approach • Each node stores a “piece” of the message • Partitioned nodes can leverage node mobility to recover missed messages • Mechanism based on erasure codes • Allows trade-off between: – message recovery time – amount of storage at each node • Mobility is crucial and beneficial Seny Kamara WCAN 2006 12
Erasure codes • 1 2 3 … l encode message m • C has minimum distance d 1 2 3 … λ codeword c (m can be recovered from any λ – d + 1 symbols of c) decode 1 2 3 … l message m • examples: Reed-Solomon codes Seny Kamara WCAN 2006 , Tornado codes 13
Example Seny Kamara WCAN 2006 14
Recovery Time • Each node stores a symbol uniformly at random • How many encounters are needed (on average) – to recover a message? – to recover multiple messages? Seny Kamara WCAN 2006 15
Recovery Time - single message • Symbols are equally dispersed throughout network • Symbols are uniformly distributed over network • Each encounter is equivalent to sampling a symbol uniformly at random • Coupon collector’s problem – Uniform distribution of n elements – Number of samples to collect all n elements Seny Kamara WCAN 2006 16
Recovery Time - single message • • Expected recovery time as a func. of symbols • Expected recovery time as a func. of storage Seny Kamara WCAN 2006 17
Reliable Stateful Broadcast Encryption • • Take stateful BE scheme (e. g. , LKH) Distribute key updates with RMDM Instantiated with Rejoining node needs to encounter (on average) at most Size of key update Size of symbol – Each node stores σ bits – n = 1024, k = 128, = 160 (20 bytes) • E[T] = 11 Seny Kamara WCAN 2006 18
Advantages of our solution • leverages mobility to achieve reliable message delivery • allows trade-off between message recovery time and node storage • ability to leverage the resources of unauthorized nodes Seny Kamara WCAN 2006 19
Simulation Setup • node density varied between 50 -200 nodes / km 2 • nodes randomly placed within a 1500 x 1500 meter square area • random way-point mobility model • node maximum speed varied between 2 and 20 m/s Seny Kamara WCAN 2006 20
Experiments Time required to encounter ten nodes Time required to encounter one node 8 seconds 77 seconds Reasonable time values for high node densities Seny Kamara WCAN 2006 21
Conclusions • Limitations of MANETs – Low bandwidth calls for stateful BE – Node mobility precludes standard stateful BE • Can be overcome by provisioning with RMDM • Our solution – Tradeoff between storage & recovery time – Leverage unauthorized nodes Seny Kamara WCAN 2006 22
Thank You Questions? Authors Reza Curtmola (crix@cs. jhu. edu) Seny Kamara (seny@cs. jhu. edu) Johns Hopkins University Department of Computer Science Seny Kamara WCAN 2006 23
- Slides: 23