10/11/2013
Attila Altay Yavuz
University of Pittsburgh, School of Information Sciences
135 N. Bellefield Avenue, Pittsburgh, PA 15260
[email protected]
ETA: Efficient and Tiny Authentication for Heterogeneous Wireless Systems
6th ACM Conference on Security and Privacy in Wireless and Mobile Networks
Slide 2
Motivation
Heterogeneous wireless systems are everywhere. Many devices with different capabilities are interconnected.
- Internet of Things and Systems (IoTS): Smart home and smart campus applications, sensors and high-end devices (e.g., laptops)
- Payment Systems: Intelligent transport and mobile payment systems. E-Z pass, Metrocards in NYC, token-based access (e.g., with USB). Mass producible low-cost devices and verifiers
- Cyber Physical Systems (CPS): Several sensors (e.g., PMU) collect and transmit data to the control centers
WiSec 2013
Slide 3
Motivation (Cont)
Providing authentication and integrity is vital
- Scalability
- Public verifiability and non-repudiation
- Payment Systems: Financial transactions on low-end devices (e.g., smart-card/RFID tag) must be digitally signed
- CPS and IoTS: Sensor readings (frequency, voltage, temperature) must be signed before their transmission to the control center
Challenge: Computational, storage and bandwidth limited signers, resourceful verifiers.
Slide 4
Limitations of Existing Approaches
- Symmetric crypto methods: Unscalable for large distributed systems, lack of non-repudiation and public verifiability.
- Traditional PKC Signatures (e.g., RSA [2], ECDSA [3], Schnorr [4]): Too computationally costly, require modular exp. (ExpOp) at the signer side
- Pre-computation: Token-ECDSA [5] and online/offline signatures [6,7] do not require ExpOp at the signer side. Linear Overhead: K items require storing O(K) keys at the signer
- One-time/multiple-time Signatures: HORS [8], HORS++ [9], HORSE [10]. They are very computationally efficient. Very large signature size (2.5/5 KB) and communication overhead. Very large one-time public key (5 KB) for each item to be signed
Slide 5
Our Contribution: Efficient and Tiny Authentication (ETA)
- Compact Signature: Smallest signature size among counterparts (240 bits). Smaller than ECDSA (320 bits). Significantly smaller than RSA (1KB), one-time/multiple-time (2.5 KB) and online/offline (2KB) signatures
- Small Key Sizes: Small-constant private key (i.e., 320 bits). Much smaller than pre-computation and multiple-time signatures (i.e., linear overhead O(K))
- Highly Efficient Signing: An order of magnitude faster than traditional signatures, as efficient as pre-computation methods and one-time signatures
- Immediate Verification and No Time Sync: More practical than TESLA and its variants. Suitable for applications requiring immediate authentication
- Individual Message Verification: More resilient to packet loss
Limitation: ETA requires O(K) storage at the verifier
Slide 6
Digression: Schnorr Signature Scheme [4]
Key Generation:
a) Generate (q,p, ), where p>q such that q | (p-1), is a generator of the subgroup G of order q.
b) Private/public key pair
Signature Generation:
a)
b)
Signature Verification:
Remarks:
- Pre-computability and hashing: (r,R) and e=H(M||R)
- Message recovery during verification
Slide 7
Intuition
Dilemma: ExpOp-free Signing vs. O(K) overhead (Token-ECDSA and Schnorr)
- R_0,...,R_k are an essential part of the signing algorithm. Either store or compute
Challenge: No exponentiation at the signer and yet achieve O(1) storage?
Strategy: Eliminate R from Signature Generation and Transmission
- Unlike R, r can be evolved efficiently via a hash chain:
- Mimic R in H(.) by replacing it with a random number x_j.
- How to verify signature? Provable security argument? (Theorem 1)
ETA:
Schnorr:
Slide 8
Intuition (Cont)
Strategy: Offload Ephemeral PK Storage to the Verifier Side
- R is removed from the signing process; store it at the verifier side (do not disclose r)!
- Store the hash of each R_j instead of R_j itself:
- Each R_j is authenticated (despite being excluded from the signature), since PK is certified
- Verification via Schnorr Message Recovery:
- Verification is as efficient as Schnorr, but signing does not need Exp. or O(K) storage
Slide 9
Key Generation Algorithm
Diagram labels: KGC (OFFLINE, once); Signer; Verifiers; ETA Signature (online)
a) Generate a Schnorr private/public key pair
b) Generate seed random r_0 and verification tokens v_0,...,v_{K-1} as follows:
c) ETA private/public key pairs are as follows:
Reminder: Verifiers are storage resourceful, online computation is important
Slide 10
Signature Generation and Verification
Signature Generation:
a)
b)
- Private key size: Constant, 320 bits
- Signature size: 240 bits
- No expensive operation
Signature Verification:
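An added sketch of the key generation, signing and verification flow outlined on slides 7 to 10; it is not code from the paper or its authors. The formulas did not survive in this transcript, so the concrete equations used here (e_j = H(M_j||j||x_j), s_j = r_j - e_j*y mod q, r_{j+1} = H(r_j), v_j = H(R_j), signature (s_j, x_j, j)), SHA-256 as H, the toy group and all function names are assumptions.

```python
import hashlib, secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: P = 2^127 - 1 is prime, Q divides P - 1, G has order Q.
P, Q = 2**127 - 1, 77158673929
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def H(*parts):
    """SHA-256 over length-prefixed parts, standing in for the slides' H."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def i2b(n):
    return n.to_bytes(16, "big")

def h2q(*parts):
    return int.from_bytes(H(*parts), "big") % Q

def keygen(K):
    """Offline, once: Schnorr key pair, seed r_0, tokens v_j = H(R_j)."""
    y, r0 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    tokens, r = [], r0
    for _ in range(K):
        tokens.append(H(i2b(pow(G, r, P))))   # only H(R_j) is published
        r = h2q(b"chain", i2b(r))             # assumed chain: r_{j+1} = H(r_j)
    return {"y": y, "r": r0, "j": 0, "K": K}, (pow(G, y, P), tokens)

def sign(sk, msg):
    """Online: one hash, one multiply-subtract mod Q, no exponentiation."""
    if sk["j"] >= sk["K"]:
        raise RuntimeError("all K one-time values used; re-run keygen")
    j, x = sk["j"], secrets.token_bytes(10)   # random x_j replaces R_j in H
    s = (sk["r"] - h2q(msg, i2b(j), x) * sk["y"]) % Q
    sk["r"], sk["j"] = h2q(b"chain", i2b(sk["r"])), j + 1   # evolve r, drop old
    return s, x, j

def verify(pk, msg, sig):
    """Recover R_j = Y^e * G^s mod P and compare H(R_j) with stored v_j."""
    (Y, tokens), (s, x, j) = pk, sig
    if not 0 <= j < len(tokens):
        return False
    e = h2q(msg, i2b(j), x)
    return H(i2b(pow(Y, e, P) * pow(G, s, P) % P)) == tokens[j]

def demo():
    sk, pk = keygen(4)
    sig = sign(sk, b"voltage=229.8")   # constructed sensor reading
    return verify(pk, b"voltage=229.8", sig), verify(pk, b"voltage=999.9", sig)
```

The signer's state stays constant-size (y, the current r_j and the counter j), while the verifier holds all K tokens, which is the O(K) verifier storage the slides list as the scheme's limitation.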
Slide 11
Performance Analysis (Brief)
- ETA has the smallest signature size (30 bytes) among all of its counterparts.
- The private key is constant-size and much smaller than other signer efficient schemes (e.g., HORS, HORSE, HORS++, offline/online)
- K-time public key is much smaller than other K-time schemes
- Signer efficiency: Signing takes 4 usec in ETA, while it is 1330, 15 and 6 usecs in ECDSA, HORSE (HORS variant) and token-ECDSA, respectively
- Test platform: Intel(R) Core(TM) i7 Q720 at 1.60GHz CPU and 2GB RAM running Ubuntu 10.10 using MIRACL library
- Limitations: Public key size is O(K), larger than ECDSA and online/offline.
Slide 12
Security Analysis (Brief)
- ETA is (K-time) Existentially Unforgeable Under Chosen Message Attacks (EU-CMA) in Theorem 1 (please see details in paper).
- ETA is as secure as the Schnorr signature scheme given that H is a secure cryptographic hash function.
- Schnorr uses the hash of ephemeral public key R instead of R itself (like DSA). This allows us to replace Random Oracle (RO) answers (e).
- Use of randomness x_j in H(M_j||j||x_j) prevents the crypto simulator from aborting (the adversary has to predict x_j to make SIM abort)
- Cryptographic simulation is statistically indistinguishable
Slide 13
Conclusion
A new signature scheme for heterogeneous wireless systems
- Highly efficient for the resource-constrained signers
- Smallest signature size among counterparts
- ExpOp-free signing (longer battery life and fast processing)
- Constant-size private key
- Verification is as computationally efficient as traditional DLP signatures
- Storage heavy (i.e., O(K)) at the verifier side (resourceful verifiers)
- Suitable for use-cases where signer efficiency is very important: Token-based payment, IoTS, some CPS applications
Slide 14
References
[1] A. Perrig, R. Canetti, D. Song, and D. Tygar. Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy, May 2000.
[2] R.L. Rivest, A. Shamir, and L.A. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.
[3] American Bankers Association. ANSI X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999.
[4] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161-174, 1991.
[5] D. Naccache, D. M'Raïhi, S. Vaudenay, and D. Raphaeli. Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In Proceedings of the 13th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '94), pages 77-85, 1994.
[6] D. Catalano, M. D. Raimondo, D. Fiore, and R. Gennaro. Off-line/on-line signatures: Theoretical aspects and experimental results. Public Key Cryptography (PKC), pages 101-120. Springer-Verlag, 2008.
[7] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '01, pages 355-367, London, UK, 2001.
[8] L. Reyzin and N. Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In Proceedings of the 7th Australian Conference on Information Security and Privacy (ACIPS '02), pages 144-153. Springer-Verlag, 2002.
[9] W.D. Neumann. HORSE: An extension of an r-time signature scheme with fast signing and verification. In Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference on, volume 1, pages 129-134, April 2004.
[10] J. Pieprzyk, H. Wang, and C. Xing. Multiple-time signature schemes against adaptive chosen message attacks. In Selected Areas in Cryptography (SAC), pages 88-100, 2003.
Slide 16
Outline
- Motivation: Efficient authentication in heterogeneous systems
- Limitations of existing methods
- Our contribution and desirable properties of ETA
- ETA: The proposed scheme. Intuition and detailed description
- Performance Analysis
- Security Analysis
- Conclusion