The Performance of Group Diffie-Hellman in Simulated Ad-Hoc

Networks

Hans-Peter Bischof

Kieran Hagzan

Rochester Institute of Technology

Rochester/NY

Agenda

• Background• Communication Scheme• Problem description• Work Done

• Result

• Conclusion

Future Hardware Infrastructure

• Ad hoc• Minimized Resources

– Battery power– Computing power

• Dynamic– Devices come– and leave unannounced

• No server• No system administrator

QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.

Software Infrastructure

• An invocation is broadcast throughout the network and every object that implements the method executes the method.

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Photographs courtesy Philip Greenspun

Anhinga Projectwww.cs.rit.edu/~anhinga

Security In the New World?

• Left out in the initial Anhinga Project

• Why was it not included?– Was considered a separate problem– To solve both problems had been

considered too big

Traditional Solutions

Security is enabled by centralized, dedicated entities:– Perimeter defenses – Authentication servers– Localized access policies – Security administrators

Ad Hoc Security Ideas

• Nodes cannot rely on the presence of a fixed, well-defined entity to protect them from security threats

• Nodes must levy their trust in other nodes to form an infrastructure for secure communication

Photograph by Hans-Peter Bischof

Ungulate Projectwww.cs.rit.edu/~ungulate

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Ad Hoc Network Security Requirements

• Security paradigm must accommodate the networking paradigm– distributed, – dynamic, and – fault-tolerant

• Cannot rely on persistent or centralized entities

• Underlying algorithms should minimize bandwidth consumption and computation cycles

Problem Definition

• Dynamic nature of the network requires modified security techniques to preserve backwards/forwards security

• Form contributory keys by extending a two-party algorithm to an arbitrary number of participants

• Algorithm must be robust and scalable

Two-Party Diffie-Hellman (DH)

Alice Bob

Well know g and m

Picks b

Ka = ga mod m Kb = gb mod m

Picks a

Kab = gab mod m Kab = gba mod m

Kb Kb

=

g, m g, m

Two-Party Diffie-Hellman Security

• An instance of the discrete logarithm problem [Riv92a],

• Since it is assumed an attacker does not know a/b, the problem reduces to computing the value a * b by finding the discrete logarithm of both the public values ga and gb.

• Computing the discrete logarithm in this fashion is considered as hard as factoring, making Diffie-Hellman a candidate algorithm (Purdue mathematician claims proof for Riemann hypothesis)

Extension

• Two part DH does not work for a group, if the group size is ≥ 2

• Additional structure is needed– List– Tree– Hyber Cube

Linear Group Diffie-Hellman (LGDH)

• Nodes are arrange in a sequential list• Exchange goes from left to right• Parallelism is not possible• All nodes can then compute the final shared

key.

Linear Group Diffie-Hellman (LGDH) - cont

Tree Based Group Diffie-Hellman (TGDH)

• TGDH is an algorithm attempting to reduce the computation per device by utilizing the O(log2(n)) traversal properties of a binary-tree.

• Structure is a tree

• Parallelism is possible

Tree Based Group Diffie-Hellman (cont.)

Hypercube Group Diffie-Hellman (HGDH)

• Parallel Programming:– The hypercube is a structure commonly used in

parallel programming that boasts no storage waste and fully parallelized traversal.

• Minimize the Computational Overhead:– The HGDH algorithm is an effort to minimize the

computational overhead seen with LGDH, but also to avoid the communication overhead and structure waste experienced due to the intermediary nodes in LGDH.

• Parallelism is possible

HGDH Key Generation

Theoretical Complexity Bounds of LGDH, TGDH, and

HGDH• N nodes• LGDH:

– Communication: 2(n-1) keys transferred + 1 broadcast.– Complexity: each node must perform (n-1) DH

computations.• TGDH

– Communication: For n nodes, there are at most 2(n-1)-1 intermediates, each requiring 1 key transfer. The entire tree's worth of blinded keys are also broadcast.

– Complexity: Each node will require at most h  = tree height = log2(n) computations.

• HGDH:– Communication: 2 * ceiling(log2(n)) keys – Complexity: Each node will perform at most log2(n) DH

computations

Implementation Notes

• A modular framework was implemented to handle all basic I/O

functions.• The framework supports any Group Diffie-Hellman paradigm that

defines the operations of – add(), – remove(), – merge(), – partition(), and – keyUpdate().

• The 100 result sets were averaged, and Taylor- Expansion performed

on the data to map a well-fit curve.

Results

Analysis

• As expected, Linear Group Diffie-Hellman becomes unusable for large networks. Surprisingly enough, it performs very well for small networks.

• Hypercubic Group Diffie-Hellman performs far worse than expected. Being the most mathematically scalable algorithm, why does it perform worse than TGDH and even LGDH??

Two Reasons: 1. Parallelism causes synchronization issues. This is a common experience in

parallel programming.

2. There is no elimination of backward-propagation for HGDH. Each exchange in HGDH is actually twice as expensive as an LGDH or TGDH exchange.

Analysis - cont

• Synchronization issues arise when one node attempts to begin an exchange with another, not ready node.

• LGDH is not parallelized at all. Therefore, there are never synchronization issues.

• TGDH is logarithmically parallelized. That is, all nodes are active in the first round, then half drop-out. Each subsequent round, the number of active nodes also drops by half. Therefore, the probability of synchronization issues occurring is halved in each round as well.

• HGDH is fully parallelized. In every round, all nodes have the probability of facing some synchronization problems.

Conclusion - LGDH

• LGDH is a suitable algorithm for networks of ~75 devices or less.

• The algorithm is memory-efficient by wasting no storage space for the structure, and the elimination of backward-propagation causes it to perform well for small environments.

• Therefore it very useful for small devices.

• For larger networks of 100 devices or more, LGDH is overwhelmed by computational complexity and is unusable.

Conclusion - HGDH

• HGDH is a fully parallel algorithm.

• HGDH suffers from tremendous synchronization issues, and is communication-intensive.

• The key-generation and topology-maintenance algorithm are non-intuitive.

Conclusion - TGDH

• TGDH offers the best of both worlds.

• The logarithmic-parallelism improves scalability as group size increases, and backward propagation is eliminated. The structure does however, waste 2(n-1)-1 memory portions.

• Most likely not well suited for small devices

Future Work

• An Ad-hoc network is a set and not an ordered structure

• Synchronization is a problem

• Should a tuple space be used?

• Authentication is not solved yet

• Zero Knowledge Proofs are great but not practical

References1.) Stevens, W. Richard., UNIX Network Programming, Volume 1, Second Edition: Networking APIs: Sockets

and XTI, Prentice Hall, 1998, ISBN 0-13-490012-X. 2.) Amir, Y., Nita-Rotaru, C., Stanton, J., Tsudik,G., Scaling Secure Group Communication Systems: Beyond

Peer-to-Peer., 2003 DARPA Information Security Conference and Exposition (DISCEX 03), April 2003. 3.) Amir, Y., Kim, Y., Nita-Rotaru, C., Tsudik, G., On the Performance of Key Agreement Protocols. IEEE ICDCS

2002, July 2002. 4.) Amir, Y., Kim, Y., Nita-Rotaru, C., Schultz, J., Stanton, J., Tsudik, G., Exploring Robustness in Group Key

Agreement. IEEE ICDCS 2001, April 2001. 5.) Obraczka, K., Tsudik, G., Viswanath, K., Pushing the Limits of Multicast in Ad Hoc Networks. IEEE ICDCS

2001, April 2001. 6.) Steiner, M. Tsudik, G., Waidner, M., CLIQUES: A New Approach to Group Key Agreement. IEEE ICDCS 98 ,

May 1998. 7.) Steiner, M. Tsudik, G., Waidner, M., Diffie-Hellman Key Distribution Extended to Groups. 1996 ACM Conference on Computer and Communications Security, March 1996. 8.) Kim, Y., Perrig, A., Tsudik, G., Tree-based Group Key Agreement. IEEE ICDCS 2002, July 2002. 9.) Lee, P.P.C., Lui, J.C.S., Yau, D.K.Y., Distributed Collaborative Key Agreement Protocols for Dynamic Peer

Groups. IEEE ICDCS 2002, July 2002. Page 21 10.) McGraw, D. A., Sherman, A. T., Key Establishment in Large Dynamic Groups Using One-Way Function

Trees. IEEE ICDCS 98 , May 1998. 11.)Adamson, B., Bormann, C., Handley, M., Macker, J., NACK-Oriented Reliable Multicast Protocol (NORM).

I.E.T.F. Reliable Multicast Transport, draft-ietf-rmt-pi-norm-06

Questions?

QuickTime™ and aTIFF (Uncompressed) decompressorare needed to see this picture.