ETA: Efficient and Tiny Authentication for Heterogeneous Wireless Systems

Attila Altay Yavuz, University of Pittsburgh, School of Information Sciences, 135 N. Bellefield Avenue, Pittsburgh, PA 15260, [email protected]

6th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 10/11/2013

  • Slide 1
  • ETA: Efficient and Tiny Authentication for Heterogeneous Wireless Systems. Attila Altay Yavuz, University of Pittsburgh, School of Information Sciences, 135 N. Bellefield Avenue, Pittsburgh, PA 15260, [email protected]. 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 10/11/2013.
  • Slide 2
  • Motivation
      • Heterogeneous wireless systems are everywhere: many devices with different capabilities are interconnected.
      • Internet of Things and Systems (IoTS): smart home and smart campus applications, sensors and high-end devices (e.g., laptops).
      • Payment systems: intelligent transport and mobile payment systems; E-Z Pass, MetroCards in NYC, token-based access (e.g., with USB); mass-producible low-cost devices and verifiers.
      • Cyber-Physical Systems (CPS): several sensors (e.g., PMU) collect and transmit data to the control centers.
      • WiSec 2013
  • Slide 3
  • Motivation (Cont.)
      • Providing authentication and integrity is vital: scalability; public verifiability and non-repudiation.
      • Payment systems: financial transactions on low-end devices (e.g., smart card/RFID tag) must be digitally signed.
      • CPS and IoTS: sensor readings (frequency, voltage, temperature) must be signed before their transmission to the control center.
      • Challenge: computation-, storage- and bandwidth-limited signers, resourceful verifiers.
  • Slide 4
  • Limitations of Existing Approaches
      • Symmetric crypto methods: unscalable for large distributed systems; lack non-repudiation and public verifiability.
      • Traditional PKC signatures (e.g., RSA [2], ECDSA [3], Schnorr [4]): too computationally costly; require modular exponentiation (ExpOp) at the signer side.
      • Pre-computation: Token-ECDSA [5] and online/offline signatures [6,7] do not require ExpOp at the signer side. Linear overhead: K items require storing O(K) keys at the signer.
      • One-time/multiple-time signatures (HORS [8], HORS++ [9], HORSE [10]): very computationally efficient, but very large signature size (2.5/5 KB) and communication overhead, and a very large one-time public key (5 KB) for each item to be signed.
  • Slide 5
  • Our Contribution: Efficient and Tiny Authentication (ETA)
      • Compact signature: smallest signature size among counterparts (240 bits). Smaller than ECDSA (320 bits). Significantly smaller than RSA (1 KB), one-time/multiple-time (2.5 KB) and online/offline (2 KB) signatures.
      • Small key sizes: small constant private key (i.e., 320 bits). Much smaller than pre-computation and multiple-time signatures (i.e., linear overhead O(K)).
      • Highly efficient signing: an order of magnitude faster than traditional signatures, as efficient as pre-computation methods and one-time signatures.
      • Immediate verification and no time sync: more practical than TESLA and its variants. Suitable for applications requiring immediate authentication.
      • Individual message verification: more resilient to packet loss.
      • Limitation: ETA requires O(K) storage at the verifier.
  • Slide 6
  • Digression: Schnorr Signature Scheme [4]
      • Key Generation: a) Generate (q,p, ), where p>q such that q | (p-1), is a generator of the subgroup G of order q. b) Private/public key pair
      • Signature Generation: a) b)
      • Signature Verification:
      • Remarks: pre-computability and hashing: (r,R) and e=H(M||R); message recovery during verification.
  • Slide 7
  • Intuition
      • Dilemma: ExpOp-free signing vs. O(K) overhead (Token-ECDSA and Schnorr). R_0, …, R_k are an essential part of the signing algorithm: either store or compute.
      • Challenge: no exponentiation at the signer and yet achieve O(1) storage?
      • Strategy: eliminate R from signature generation and transmission.
          • Unlike R, r can be evolved efficiently via a hash chain:
          • Mimic R in H(.) by replacing it with a random number x_j.
          • How to verify the signature? Provable security argument? (Theorem 1)
      • ETA: Schnorr:
  • Slide 8
  • Intuition (Cont.)
      • Strategy: offload ephemeral PK storage to the verifier side. R is removed from the signing process; store it at the verifier side (do not disclose r)!
      • Store the hash of each R_j instead of R_j itself:
      • Each R_j is authenticated (despite being excluded from the signature), since the PK is certified.
      • Verification via Schnorr message recovery:
      • Verification is as efficient as Schnorr, but signing does not need Exp. or O(K) storage.
  • Slide 9
  • Key Generation Algorithm
      • Figure labels: KGC (OFFLINE, once); Signer; Verifiers; ETA Signature (online).
      • a) Generate a Schnorr private/public key pair
      • b) Generate a random seed r_0 and verification tokens v_0, …, v_{K-1} as follows:
      • c) ETA private/public key pairs are as follows:
      • Reminder: verifiers are storage resourceful; online computation is important.
  • Slide 10
  • Signature Generation and Verification
      • Signature Generation: a) b)
      • Private key size: constant, 320 bits. Signature size: 240 bits. No expensive operation.
      • Signature Verification:
  • Slide 11
  • Performance Analysis (Brief)
      • ETA has the smallest signature size (30 bytes) among all of its counterparts.
      • The private key is constant-size and much smaller than in other signer-efficient schemes (e.g., HORS, HORSE, HORS++, offline/online).
      • The K-time public key is much smaller than in other K-time schemes.
      • Signer efficiency: signing takes 4 µs in ETA, while it takes 1330, 15 and 6 µs in ECDSA, HORSE (HORS variant) and Token-ECDSA, respectively.
      • Platform: Intel(R) Core(TM) i7 Q720 at 1.60 GHz CPU and 2 GB RAM running Ubuntu 10.10, using the MIRACL library.
      • Limitations: public key size is O(K), larger than ECDSA and online/offline.
  • Slide 12
  • Security Analysis (Brief)
      • ETA is (K-time) Existentially Unforgeable Under Chosen Message Attacks (EU-CMA) in Theorem 1 (please see details in the paper).
      • ETA is as secure as the Schnorr signature scheme, given that H is a secure cryptographic hash function.
      • Schnorr uses the hash of the ephemeral public key R instead of R itself (like DSA). This allows us to replace Random Oracle (RO) answers (e).
      • Use of randomness x_j in H(M_j||j||x_j) prevents the crypto simulator from aborting (the adversary has to predict x_j to make SIM abort).
      • Cryptographic simulation is statistically indistinguishable.
  • Slide 13
  • Conclusion
      • A new signature scheme for heterogeneous wireless systems.
      • Highly efficient for resource-constrained signers: smallest signature size among counterparts; ExpOp-free signing (longer battery life and fast processing); constant-size private key.
      • Verification is as computationally efficient as traditional DLP signatures.
      • Storage heavy (i.e., O(K)) at the verifier side (resourceful verifiers).
      • Suitable for use cases where signer efficiency is very important: token-based payment, IoTS, some CPS applications.
  • Slide 14
  • References
      • [1] A. Perrig, R. Canetti, D. Song, and D. Tygar. Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy, May 2000.
      • [2] R.L. Rivest, A. Shamir, and L.A. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.
      • [3] American Bankers Association. ANSI X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999.
      • [4] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161-174, 1991.
      • [5] D. Naccache, D. M'Raïhi, S. Vaudenay, and D. Raphaeli. Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In Proceedings of the 13th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '94), pages 77-85, 1994.
      • [6] D. Catalano, M. D. Raimondo, D. Fiore, and R. Gennaro. Off-line/on-line signatures: Theoretical aspects and experimental results. Public Key Cryptography (PKC), pages 101-120. Springer-Verlag, 2008.
      • [7] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '01, pages 355-367, London, UK, 2001.
      • [8] L. Reyzin and N. Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In Proceedings of the 7th Australian Conference on Information Security and Privacy (ACIPS '02), pages 144-153. Springer-Verlag, 2002.
      • [9] W.D. Neumann. HORSE: An extension of an r-time signature scheme with fast signing and verification. In Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference on, volume 1, pages 129-134, April 2004.
      • [10] J. Pieprzyk, H. Wang, and C. Xing. Multiple-time signature schemes against adaptive chosen message attacks. In Selected Areas in Cryptography (SAC), pages 88-100, 2003.
  • Slide 16
  • Outline
      • Motivation: efficient authentication in heterogeneous systems
      • Limitations of existing methods
      • Our contribution and desirable properties of ETA
      • ETA: the proposed scheme (intuition and detailed description)
      • Performance analysis
      • Security analysis
      • Conclusion
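
The key generation, signing and verification flow described on slides 7 to 10 (hash-chained r_j, random x_j in place of R_j inside H, hashed R_j stored at the verifier, Schnorr message recovery), as an added Python example that is not code from the slides or the paper. The slide equations did not survive on this page, so the concrete formulas are assumptions built from that description: the sign convention of s, SHA-256 as H, the 10-byte x_j, the toy group (p, q, alpha) and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: q | (p-1), ALPHA has order q. Far too small for real use.
P, Q, ALPHA = 2039, 1019, 4

def H(*parts):
    """SHA-256 over length-prefixed parts (bytes or ints), standing in for the slides' H."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def to_zq(digest):
    return int.from_bytes(digest, "big") % Q

def keygen(K):
    """Offline, once: Schnorr key pair, seed r_0, and K verification tokens v_j = H(R_j)."""
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(ALPHA, y, P)
    seed = secrets.token_bytes(20)
    tokens, r = [], seed
    for _ in range(K):
        tokens.append(H(pow(ALPHA, to_zq(r), P)))  # only the hash of R_j is published
        r = H(r)                                   # r_{j+1} = H(r_j)
    return {"y": y, "r": seed, "j": 0, "K": K}, (Y, tokens)

def sign(sk, msg):
    """Online: hashing and modular arithmetic only, no exponentiation."""
    if sk["j"] >= sk["K"]:
        raise RuntimeError("all K one-time tokens are used up")
    j, x = sk["j"], secrets.token_bytes(10)        # x_j replaces R_j inside H
    e = to_zq(H(msg, j, x))
    s = (to_zq(sk["r"]) - e * sk["y"]) % Q         # assumed sign convention
    sk["r"], sk["j"] = H(sk["r"]), j + 1           # evolve the chain, forget r_j
    return j, s, x

def verify(pk, msg, sig):
    """Recover R_j Schnorr-style and compare its hash with the stored token v_j."""
    Y, tokens = pk
    j, s, x = sig
    if not 0 <= j < len(tokens):
        return False
    e = to_zq(H(msg, j, x))
    R = pow(Y, e, P) * pow(ALPHA, s, P) % P        # Y^e * alpha^s = alpha^(r_j)
    return H(R) == tokens[j]
```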