340 likes | 434 Vues
On-the-fly Verification of Erasure-Encoded File Transfers. Mike Freedman & Max Krohn NYU Dept of Computer Science. Downloading Large Files From P2P Networks. For large files, transfer times are much bigger than average node uptimes.
E N D
On-the-fly Verification of Erasure-Encoded File Transfers Mike Freedman & Max Krohn NYU Dept of Computer Science
Downloading Large Files From P2P Networks • For large files, transfer times are much bigger than average node uptimes. • Some files are very popular: multiple sources and multiple requesting nodes. • Is it possible to have multicast, even though sources and receivers frequently enter and leave the network.
Solution: Rateless Erasure Codes Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1)
Solution: Rateless Erasure Codes Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1) Wants file F
Mutli-Sourced Downloads Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1)
Mutli-Sourced Downloads Source (S1) Source (S2) Source (S3) Source (S4) @ @ @ Receiver (R1)
“Overlapping Multicast Trees” Source (S1) Source (S2) Source (S3) Source (S4) @ Receiver (R3) Receiver (R4) Receiver (R1) Receiver (R3) Receiver (R2)
Resuming Truncated Downloads Source (S1) Receiver (R1) Receiver (R2)
Resuming Truncated Downloads Source (S1) Receiver (R1) Receiver (R2)
Resuming Truncated Downloads @ Source (S1) Receiver (R1) Receiver (R2)
Threat Model KaZaa Morpheus eDonkey 2000 Gnutella
Threat Model KaZaa Morpheus eDonkey 2000 Gnutella
Threat Model KaZaa Morpheus eDonkey 2000 Gnutella
Threat Model KaZaa Morpheus eDonkey 2000 Gnutella
KaZaa Morpheus eDonkey 2000 Gnutella Bogus Data Attack
KaZaa Morpheus eDonkey 2000 Gnutella Unwanted Data Attack
Attacking Erasure Encoded Transfers Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1)
Attacking Erasure Encoded Transfers Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1)
…but Not on the Fly Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1)
What Happened? • R1received checkblock cfrom S4. S4claims: blah
What Happened? • R1received checkblock cfrom S4. S4claims: • R1knows: But how can R1 verify c? Wouldn’t it be nice if: Not true for SHA1!
What Happened? • R1received checkblock cfrom S4. S4claims: • R1knows: • But how can R1 verify c? Wouldn’t it be nice if: Not true for SHA1!
What Happened? • R1received checkblock cfrom S4. S4claims: • R1knows: • But how can R1 verify c? • Wouldn’t it be nice if: Not true for SHA1!
What Happened? • R1received checkblock cfrom S4. S4claims: • R1knows: • But how can R1 verify c? • Wouldn’t it be nice if: • Not true for SHA1!
A Homomorphic Hashing Scheme • Assume file block size of 8kB • Pick large prime (about 1024 bits) and small prime (about 256 bits) that divides , and 256 generators of order q: • Writes the file F as matrix, elements in
How To Hash • The hash of a message or check block is an element in :
How To Hash • The hash of a message or check block is an element in : • The hash of the entire file is an n-element vector of the hashes of the blocks:
The Only Important Slide implies that Why?
How To Encode • Checkblocks are constructed using modular addition over . • To generate a checkblock, pick a set And compute
How To Verify Given the correct hash: And a check block: verify that: • Note: LHS computation is expensive!
Success! Source (S1) Source (S2) Source (S3) Source (S4) Receiver (R1)
Analysis • Security of the hash function based on hardness of the discrete log. • Hashes are big (1/256 the size of the file), but we can apply this process recursively. • Our paper details a batched, probabilistic verification scheme that drastically reduces exponentiations. • Verifying rate is 40x faster than download rates on a T1.