On Optimal Hash Tree Traversal for Interval Time-Stamping (Lipmaa)

Transcription

1 On Optimal Hash Tree Traversal for Interval Time-Stamping Helger Lipmaa Helsinki University of Technology helger 1

2 Overview of the talk Interval time-stamping Skewed trees Hash traversal Main result: Hash traversal algorithm Complexity analysis Warning: The only -sign in the proceedings! 2

3 Overview of the talk Interval time-stamping Skewed trees Hash traversal Main result: Hash traversal algorithm Complexity analysis 3

4 Need for time-stamping To use digital signatures one needs to bind the signatory with the key PKI Revocation Alice may claim that document was signed after revocation of her key Need to establish temporal relationships 4

5 Time-stamping (classical) Problem given documents X and Y, which one was stamped before? Example: X = signature key revocation, Y = document signed with this key Objective solve this problem for any X and Y 5

6 Time-stamping with graphs [BLLV98] Use directed acyclic hash graphs with a root Hash value R of the root is committed R = round stamp Time-stamp of X shows that R depends on X Return partial time-stamp (freshness token) when X stamped, and rest after R has been committed has been 6

7 Time-stamping with T(d) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 7

8 Time-stamping with T(d) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 Optimal for conventional time-stamping [BLS00] Picture corresponds to [BdM93]. [BLS00] scheme is more complicated 8

9 [BdM93] verification x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 Verify that two paths are consistent More left = earlier, more right = later 9

10 Need for interval time-stamping Assume x i is Bob s signature on some document D i Time-stamping authority can time-stamp x 1, x 2 and x 3 := x 1 If Alice has timestamps of x 1 and x 2, she thinks that x 1 was stamped earlier If Alice has timestamps of x 3 = x 1 and x 2, she thinks that x 2 was stamped earlier Solution: bind signing time also from above 10

11 Idea of interval time-stamping Time-stamp a nonce x i := σ Let x j := Sign Bob (D, σ) (j > i) Time-stamp x j Interval time-stamp = the union of two conventional time-stamps 11

12 Example: interval time-stamping x 0 x 1 x 2 = σ x 3 x 5 x 6 x 7 x 4 = Sign Bob (D, σ) Time-stamp has more elements, binary complete tree T(d) is not optimal 12

13 Overview of the talk Interval time-stamping Skewed trees Hash traversal Main result: Hash traversal algorithm Complexity analysis 13

14 Skewed trees w\d

15 Skewed trees A two-parameter family S(d, w) of trees, d, w 0 S(0, w) = S(d, 0) = I (singleton) S(d, w) = S(d 1, w 1) S(d 1, w) for d, w 0 Clearly S(d, w) = S(d, d) = T(d) when w > d [Wil02]: Skewed trees are optimal for interval time-stamping when α := w/d

16 Overview of the talk Interval time-stamping Skewed trees Hash traversal Main result: Hash traversal algorithm Complexity analysis 16

17 Hash traversal The elements x 0, x 1,... arrive in this order Final objective: compute root hash R Intermediate objectives: after i steps return the ith freshness token Question: how to do it efficiently? Wil02 proposed a suboptimal algorithm 17

18 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 0, x 1,..., arrive in this order Initially no information 18

19 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 0 has just arrived The red nodes are stored, but also returned as 0th freshness token 19

20 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 1 has just arrived The red nodes are stored, but also returned as 1st freshness token 20

21 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 2 has just arrived The red nodes are stored, but also returned as 2nd freshness token 21

22 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 3 has just arrived The red nodes are stored, but also returned as 3rd freshness token The cyan nodes were already calculated but not anymore stored 22

23 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 4 has just arrived The red nodes are stored, but also returned as 4th freshness token The cyan nodes were already calculated but not anymore stored 23

24 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 5 has just arrived The red nodes are stored, but also returned as 5th freshness token The cyan nodes were already calculated but not anymore stored 24

25 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 6 has just arrived The red nodes are stored, but also returned as 6th freshness token The cyan nodes were already calculated but not anymore stored 25

26 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 7 has just arrived The red nodes are stored, but also returned as 7th freshness token The cyan nodes were already calculated but not anymore stored 26

27 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 8 has just arrived The red nodes are stored, but also returned as 8th freshness token The cyan nodes were already calculated but not anymore stored 27

28 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 9 has just arrived The red nodes are stored, but also returned as 9th freshness token The cyan nodes were already calculated but not anymore stored 28

29 Hash traversal example: S(4, 2) x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 10 has just arrived The red nodes are stored, but also returned as 10th freshness token The cyan nodes were already calculated but not anymore stored 29

30 Overview of the talk Interval time-stamping Skewed trees Hash traversal Main result: Hash traversal algorithm Complexity analysis 30

31 Algorithm for skewed tree traversal 1 funct initialization(d, w) 2 state := 0; 3 if w > d then w = d fi; 4 Store w, d; 5 Create an empty stack of maximum possible size w. 7 funct update(value) 8 if state 2 d then return(error!); fi 9 push(value); 10 for i := 1 to ntz(state + 1) do 11 push(h(pop(), pop())); end 12 state := state + (1<<<(w h (state). w)). 31

32 Algorithm for skewed tree traversal initialization creates an empty stack of maximum size w Stack has the red nodes update updates the stack, based on x i = value and state state encodes the position in tree w h, ntz and. are all simple operations In the case of traversal of T(d) the only difference is in the last line 32

33 Good properties of algorithm Algorithm has minimal number of hashings Apart from that, only very simple operations Very clean pseudocode (easy to implement) Minimal number of memory usage: d(k + 1), k length of hash output A very simple nonrecursive algorithm for simple recursive family of trees 33

34 Overview of the talk Interval time-stamping Skewed trees Hash traversal Main result: Hash traversal algorithm Complexity analysis 34

35 Motivation Storage on any step: rk + d, where r is the number of red nodes Communication on any step: rk(1 + o(1)) Worst-case: r d What is the average-case value ft(d, w) of r? 35

36 Computing ft(d, w) Let l(d, w, t) be the number of leaves in S(d, w) that are at depth t and let L(d, w) be the total number of leaves Then ft(d, w) = t l(d, w, t) t Lemma L(d, w) = ( w d k=0 k and l(d, w, t) = ( t 1 w 1 ) = 2 d (d w) ( d w ) y d w 1 (1 y) w dy 0, t < w, ), t [w, d 1], ( ) d 1 k=0 k = 2L(d 1, w 1), t = d, 0, t > d. 2 w 1 36

37 Average size of the stack Theorem 1 ft(d, w) = d 2 + w 1 2 d+1 (w + 1) y d w 1 (1 y) w dy Proof Use the results from previous slide. Nice, but how to compute the integral? Cannot be done exactly, but can be approximated asymptotically Nice fact: approximation error is exponentially small 37

38 Laplace s method An integral of form b a e d h(y) g(y) dy Approximate it, given h(y) has only one maximum in [a, b] More precise descriptions in any good book on analysis of algorithms Perform separate analysis for the cases the maximum is inside the region or on its border 38

39 Laplace s method Maximum value 39

40 Laplace s method Maximum value Step 1: contract Exponentially small errors 40

41 Laplace s method Maximum value Step 2: approximate (use only leading terms in power series) Exponentially small errors 41

42 Laplace s method Maximum value Step 3: expand to [, ] Exponentially small errors 42

43 Laplace s method: application to our case Let w = αd. In our case, h(y) = (1 α) ln y + α ln(1 y), g(y) = 1/y, a = 0, b = 0.5 If α 0.5 then maximum is on the border and ft(d, w) d 2 + (w 1)(d 2w) 2(w+1) If α 0.5 then maximum is inside the interval and ft(d, w) d 2 43

44 Example Actual Approx

45 Conclusions We introduced a very elegant algorithm for skewed tree traversal that is optimal in almost every imaginable sense A rigourous correctness proof Analyzed the average case of algorithm The analysis is very precise because of Laplace s method. First time this method has been used in cryptography(?) Skewed trees are very natural and thus our research might have noncryptographic applications 45