View
225
Download
0
Category
Preview:
Citation preview
1
Digital Signatures forFlows and Multicasts
by Chung Kei Wong and Simon S. Lamin IEEE/ACM Transactions on Networking, August
1999
Digital Signature Examples: RSA, DSA
Provide authenticity, integrity and non-repudiation
How to sign/verify? signing key ks , verification key kv , message
digest h(m) signature = sign(h(m) k )
Digital Signatures (Simon Lam) 2
signature = sign(h(m), ks) verify(signature, h(m), kv) = True/False
Signing & verification operations are slow compared to symmetric key operations
2
Motivation Traditional network applications (circa 1998)
message-oriented unicast,e.g., email, file transfer, client-server
E k l Emerging network applications flow-oriented, e.g., audio, video, stock quotesmulticast, e.g., teleconference, software
distribution Problem: How to sign efficiently?
hi h d t i i
Digital Signatures (Simon Lam) 3
high-speed transmissions real-time generated flows delay-sensitive packet flows
All-or-nothing flows
The signer generates a message digest of the entire flow (file) and signs the message the entire flow (file) and signs the message digest
But most Internet applications do not create all-or-nothing flows
fl is s t s s f k ts
Digital Signatures (Simon Lam) 4
a flow is sent as a sequence of packets each packet is used as soon as it is received
3
Sign-each ApproachA flow is a sequence of data packets Sign each packet individually Inefficient: one signing/verification Inefficient: one signing/verification
operation per packet Rates on a Pentium-II 300 MHz using 100%
processing time (with 512-bit modulus)Packet
size Signing VerificationRate (packets/sec)
Digital Signatures (Simon Lam) 5
(bytes) RSA DSA RSA DSA512 78.8 176 2180 128
1024 78.7 175 1960 127
g g
Prior work on signing digital streams [Gennaro and Rohatgi 1997]One signing/verification op for an entire
flow—only the first packet is signedflow only the f rst packet s s gned Each packet contains authentication info for
next Verification of each packet depends on
previous ones Reliable delivery required
Digital Signatures (Simon Lam) 6
P1 P2 P3 P4
digital signaturemessage digest of following packet
4
Flow Signing Problem Each packet may be used as soon as it is
received S b f fl i d d Subsequences of a flow are received and
used best-effort delivery, e.g., UDP, IP multicast different needs/capabilities, e.g., layered video
How to efficiently sign flows with each
Digital Signatures (Simon Lam) 7
How to efficiently sign flows with each packet being individually verifiable?
Our Approach: Chaining Partition a flow into blocks of packets
Sign the digest of each block instead of each packet individuallyp y
Each packet carries its own authentication information to prove it is in the block Authentication info provided by chaining
P1 P2 P3 P4 P5 P6 P7 . . .
Digital Signatures (Simon Lam) 8
1 2 3 4 5 6 7
Block signature Chaining info
Block
5
Block digest D1-8 = h(D1, …, D8)
Star Chaining – Signing
Block signature = sign(D1-8) Packet signature for packet P3:
D1 D2 D3 D4 D5 D6 D7 D8Packet digests
Digital Signatures (Simon Lam) 9
ac t gnatur f r pac t 3sign(D1-8), D1, D2, D4, …, D8
Chaining overhead is O(block size)
Star Chaining – Verification Verifying first received packet (say P3)
Block digest D'1-8 = h(D1, D2, D'3, D4, …, D8)
verify(D'1-8 , sign(D1-8)) D1 D2 D'3 D4 D5 D6 D7 D8
Packet digests
Digital Signatures (Simon Lam) 10
Caching of verified nodes no verification op for other packets in the
block
6
Tree Chaining – Signing
Block digest D1-8 = h(D1-4, D5-8)
[Merkle 1989]
Block signature = sign(D1 8)
D1 D2 D3 D4 D5 D6 D7 D8
D1-4 D5-8
D1-2 D3-4 D5-6 D7-8
Block signature sign(D1-8)
Packet signature forpacket P3:sign(D1-8), D4, D1-2, D5-8
Digital Signatures (Simon Lam) 11
1 2 3 4 5 6 7 8
Packet digests Chaining overhead is
O(log(block size))
Verifying first received packet (say P3) verify(D'1-8, sign(D1-8))
Tree Chaining – Verification
Bl k di t D' h(D' D )
Caching of verified nodes no verification op for
other packets in the block
Block digest D'1-8 = h(D'1-4, D5-8)
D'1-4 D5-8
D1-2 D'3-4 D5-6 D7-8
Digital Signatures (Simon Lam) 12
Packet digests
D1 D2 D'3 D4 D5 D6 D7 D8
7
Chaining Technique: Signer Overhead
Compute packet digests Digest comp time
Build authentication tree
Sign block digest
Build packet signatures
Tree build time
Signature comp time
Packet signature build time
Digital Signatures (Simon Lam) 13
Chaining time = Tree build time + Packet signature build time
Chaining Technique: Verifier Overhead
Build authentication tree Tree build timeBuild authentication tree
Compute packet digests
Verify chaining information
Tree build time
Digest comp time
Chaining verification time
Si if i i
Digital Signatures (Simon Lam) 14
Chaining time = Tree build time + Chaining verification time
Verify block signature Signature verifying time
8
Chaining Time Overheads10.00
de
r (m
s) tree deg 2
tree deg 4
t d 8
10.00
ve
r (m
s)
tree deg 2
tree deg 4
0.01
0.10
1.00
2 4 8 16 32 64 128
block size (no. of packets)
chai
nin
g t
ime
at
sen
d tree deg 8
star
0.01
0.10
1.00
2 4 8 16 32 64 128
block size (no. of packets)
chai
nin
g t
ime
at
rece
iv tree deg 8
star
d
Digital Signatures (Simon Lam) 15
Overheads increase linearly with block size (in log scale)
Much smaller than signing/verification times
at sender at receiver
Chaining Overhead Size
200
300
g o
ve
rhe
ad
yt
es
)
star
tree deg 8
Smallest when tree degree is 2
0
100
2 4 8 16 32 64 128block size (no. of packets)
ch
ain
ing
(by
tree deg 4
tree deg 2
Digital Signatures (Simon Lam) 16
Increases linearly with logarithm of block size
Packet signature = block signature + chaining overhead
9
Flow Signing/Verification Rates
6000
8000
10000
atio
n r
ate
kets
/sec
)
3000
4000
5000in
g r
ate
kets
/sec
)startree deg 8tree deg 4tree deg 2
1024-byte packets, RSA with 512-bit d l
0
2000
4000
2 4 8 16 32 64 128block size (no. of packets)
ver
ific
a(p
ack
0
1000
2000
2 4 8 16 32 64 128block size (no. of packets)
sig
ni
(pac
k
gsign-each
Digital Signatures (Simon Lam) 17
modulus Increases with block size Varies only slightly with tree degree
we recommend degree 2 tree chaining
Flow Signing/Verification Rates
5000
6000
512-byte 12000
14000
e
0
1000
2000
3000
4000
2 4 8 16 32 64 128block size (no. of packets)
sig
nin
g r
ate
(pac
kets
/sec
) 1024-byte
2048-byte
0
2000
4000
6000
8000
10000
2 4 8 16 32 64 128block size (no. of packets)
ver
ific
atio
n r
at(p
acke
ts/s
ec)
Digital Signatures (Simon Lam) 18
Degree two tree, RSA with 512-bit modulus, three different packet sizes
10
Real-time Generated Flows Fixed block size for non-real-time generated flows
Fixed time period T for real-time generated flows
Bounded delay signing since for any packetdelay ≤ T + Tchain + Tsign
period T
m packets
period T
Tchain(m1) + Tsign
m packets
Tchain(m2) + Tsign
time
Digital Signatures (Simon Lam) 19
T should be larger than Tchain + Tsign delay cannot be smaller than 2(Tchain + Tsign )
m1 packets m2 packets
Selecting a Signature Scheme RSA: signing rate not high enough
DSA: both rates not high andDSA: both rates not high andverification rate < signing rate
In a group, receivers may have widely different resources, e.g., PDAs, notebooks, desktops
We proposed several extensions to FFS
Digital Signatures (Simon Lam) 20
We proposed several extensions to FFS[Feige, Fiat and Shamir 1986]
11
FFS Signer
choose two large primes p and q t d l compute modulus n = pq choose integers v1, …, vk
s1, …, sksuch that si
2 = vi–1 mod n
signing key is {s1, …, sk , n}
Digital Signatures (Simon Lam) 21
g g y { 1, , k , } verification key is {v1, …, vk , n}
How to Sign Message m choose t random integers, r1, …, rt , between 1
and n compute xi = ri
2 mod n, for i = 1, …, t compute message digest h(m, x1, …, xt)
where function h(•) is public knowledge andproduces a digest of at least k x t bits
let {bij} be the first k x t bits of the digest compute yi = ri x (s1
bi1 x … x skbik) mod n
Digital Signatures (Simon Lam) 22
p yi i 1 kfor i = 1, …, t
signature of m consists of{yi} and {bij} for i = 1, …, t and j = 1, …, k
12
How to Verify Signature of Message m
signature of m{yi} and {bij} for i = 1, …, t and j = 1, …, k
compute zi = yi2 x (v1
bi1 x … x vkbik) mod n
for i = 1, …, tit can be shown that zi is equal to xi at the signer
signature is valid if and only if the first k x t bits of h(m z1 zt) are equal to the {bij}
Digital Signatures (Simon Lam) 23
k x t bits of h(m, z1, …, zt) are equal to the {bij} received in signature
FFS(k,t)
security level increases with size of modulus n (or size of primes p and q) size of modulus n (or size of primes p and q) value of product kt
key size is (k+1) x |n| assuming |n| = |vi| or |si| in bits
Digital Signatures (Simon Lam) 24
signature size is t x | n | + k x t bitsminimized for t=1
13
FFS key and signature sizes
Digital Signatures (Simon Lam) 25
For a fixed kt product, signature size is minimized for t=1, but key size is maximized
eFFS Signature Scheme Several extensions to FFS [Feige, Fiat and Shamir
1986] Faster signing
• Chinese remainder theorem (crt)• Chinese remainder theorem (crt)• Precomputation (4-bit, 8-bit)
Faster verification• Small verification key (sv-key) [Micali & Shamir 1990]
Adjustable and incremental verification
Digital Signatures (Simon Lam) 26
• multilevel signature• lower security level with less processor time at receiver• security level can be increased later by more processor
time
14
eFFS extension (1) Chinese remainder theorem
instead of yi = ri x (s1bi1 x … x sk
bik) mod nsigner computes
ai = ri x (s1bi1 x … x sk
bik) mod pbi = ri x (s1
bi1 x … x skbik) mod q
yi = ((ai – bi) x q x qp–1 + bi) mod n
where qp–1 denotes q –1 mod p ,
Digital Signatures (Simon Lam) 27
qp q pmultiplications in mod p and mod q faster than in
mod n
Only signer knows p and q
eFFS extension (2)
small verification key [Micali & Shamir]:
use first k prime numbers that satisfys 2 = p -1 mod n
where p is prime and s is an integer
Digital Signatures (Simon Lam) 28
faster verifying time and smaller key size
15
eFFS extension (3) To compute yi = ri x (s1
bi1 x … x skbik) mod n
for i = 1, …, t, ,
precomputation of (s1bi1 x … x sk
bik)
additional memory of 31 KB and 261 KB required for 4-bit and 8-bit precomp
Digital Signatures (Simon Lam) 29
respectively
only minor improvement at verifier when used with small v-key
eFFS – Signingbasic FFS
sv-key
crt+s ke
0 5 10 15
crt+sv-key
4-bit+crt+sv-key
8-bit+crt+sv-key
eFFS(128,1) signing time (ms)
Digital Signatures (Simon Lam) 30
sv-key does not reduce signing time crt reduces signing time by 10-20% 8-bit + crt reduces signing time by 60-70%
16
eFFS – Verification
basic FFS
0 2 4 6 8 10 12
sv-key
4-bit+sv-key
8-bit+sv-key
FFS(128 1) ifi ti ti ( )
Digital Signatures (Simon Lam) 31
sv-key reduces verification time by 90% 4-bit or 8-bit slightly reduces verification
time
eFFS(128,1) verification time (ms)
eFFS Key Size
512
ize
(b
its
)
Rabin
RSA
512
ize
(b
its
)
RabinRSA
L i i k 8000 17000 b t
0 5000 10000 15000 20000
1024
mo
du
lus
si
signing key size (bytes)
eFFS(128,1)
DSA
ElGamal
0 100 200 300 400 500
1024
mo
du
lus
si
verification key size (bytes)
eFFS(128,1)DSAElGamal
Digital Signatures (Simon Lam) 32
Large signing key 8000-17000 bytes private to signer
Verification key 300-400 bytes
17
eFFS Signature Size
512
ze (
bit
s)
RabinRSA
0 100 200 300
1024
mo
du
lus
siz
signature size (bytes)
eFFS(128,1)DSAElGamal
Digital Signatures (Simon Lam) 33
Signature size comparable to RSA and Rabin
Signing Time Comparison
512
e (b
its) Rabin
RSA
0 20 40 60 80 100
1024
mo
du
lus
siz e
signing time (ms)
eFFS(128,1)
DSA
ElGamal
Digital Signatures (Simon Lam) 34
8-bit + crt + sv-key extensions eFFS has the smallest signing time
signing time (ms)
18
Verification Time Comparison
512
ze (
bit
s) Rabin
RSA
0 100 200 300 400
1024
mo
du
lus
siz
verification time (ms)
eFFS(128,1)
DSA
ElGamal
Digital Signatures (Simon Lam) 35
DSA and ElGamal verification times very large
Rabin, RSA and eFFS too small to see
Verification Time Comparison
512
ze (
bit
s)
Rabin
0.0 0.2 0.4 0.6 0.8 1.0 1.2
102
4
mo
du
lus
si z
verification time (ms)
RSAeFFS(128,1)
Digital Signatures (Simon Lam) 36
eFFS verification time comparable to RSA(Rabin most efficient verification)
( )
19
Flow Signing/Verification Rates51
2
s s
ize
(b
its
)
Rabin
RSA
eFFS(128,1)
S
512 Rabin
RSAeFFS(128,1)DSA
1024-byte packets, block size 16,
0 1000 2000 3000 4000
1024
mo
du
lus
signing rate (packets/sec)
DSA
ElGamal
0 2000 4000 6000 8000
1024
verification rate (packets/sec)
DSAElGamal
Digital Signatures (Simon Lam) 37
y pdegree two tree chaining
eFFS has highest signing rate eFFS verification rate comparable to RSA
eFFS Adjustable and Incremental Verification Security level of eFFS(k,t) depends on
modulus size and product ktmodulus size and product kt same kt and modulus size ~ same security level
Adjustable and incremental verification using t > 1 with additional info in signature up to t steps
Digital Signatures (Simon Lam) 38
up to t steps adjustable and incremental:
receiver verifies steps one by one
20
eFFS Adjustable and Incremental Verification (cont.)
t-level signature includes {xi} for i = 2, …, tnote that {x } can be computed from originalnote that {xi} can be computed from originalsignature together with verification key
verify a t-level signature at security level l t,(1) compute zi = yi
2 x (v1bi1 x … x vk
bik) mod n for i = 1, …, l,(2) verify that the first k x t bits of h(m, z1, x2, …, xt)
l h {b } i d d l
Digital Signatures (Simon Lam) 39
are equal to the {bij} received, and z2, …, zl are equal to x2, …, xl
eFFS Adjustable and Incremental Verification (cont.) increase security level from l1 to l2,
b b(1) compute zi = yi2 x (v1
bi1 x … x vkbik) mod n for
i = l1 + 1, …, l2 ,(2) verify that zl1+1, …, zl2 are equal to xl1+1, …, xl2
Digital Signatures (Simon Lam) 40
21
Incremental signing times
Digital Signatures (Simon Lam) 41
2-level signature takes less time to sign than two 1-level signatures
Incremental verification times
Digital Signatures (Simon Lam) 42
22
Conclusions Flow signing/verification procedures
much more efficient than sign-each small communication overhead
b d b d h i l can be used by a sender that signs a large number of packets to different receivers
• there is no requirement that the packets belong to a flow but if they do, verification is also more efficient
eFFS digital signature schememost efficient signing compared to RSA Rabin
Digital Signatures (Simon Lam) 43
most efficient signing compared to RSA, Rabin, DSA, and ElGamal
highly efficient verification and comparable to RSA (only Rabin is more efficient)
adjustable and incremental verification
End
Digital Signatures (Simon Lam) 44
Recommended