Compact Energy and Delay-Aware Authentication Muslum Ozgur Ozmen, Rouzbeh Behnia & Attila A. Yavuz Corvallis, Oregon, 97331 {ozmenmu, behniar, attila.yavuz}@oregonstate.edu
Motivation
Critical vulnerabilities:
- False data injection attacks
- Tampering commands
- Cascade failures
Authentication of commands/measurements is vital!
- Real-time: up to 500-1000 messages per second [1]
- Scalable: broadcast authentication for a large number of components
Fast and Scalable Authentication

There are vulnerabilities such as false data injection attacks, tampering commands and cascade failures in some critical systems. These attacks can be prevented with authentication mechanisms. However, some systems require real-time and scalable authentication, which is a challenging problem. For instance, in vehicular networks, messages may include directives for sudden brakes/turns, which require the timely reaction of the receiving parties. Therefore, there is a need for a fast and scalable authentication mechanism.

Research Gap
- Symmetric crypto methods: unscalable for large and distributed systems, lack of non-repudiation and public verifiability.
- Traditional digital signatures (e.g., RSA [2], ECDSA [3], and Schnorr [4]): high computational cost, since they require modular exponentiation at the signer's side.

Preliminaries
Digital Signature: $SGN = (KG, Sig, Ver)$
- $(sk, PK) \leftarrow SGN.KG(1^\kappa)$: given a security parameter, KG generates a public and private key pair (probabilistic algorithm).
- $\sigma \leftarrow SGN.Sig(m, sk)$: given a message and private key, Sig outputs a signature $\sigma$ (probabilistic algorithm).
- $\{0, 1\} \leftarrow SGN.Ver(m, \sigma, PK)$: given a message, signature and public key of the alleged signer, Ver outputs valid or invalid (0 or 1) (deterministic algorithm).
A required property: EU-CMA. A PPT adversary cannot forge a new (valid) signature, even after seeing a polynomially bounded number of signatures output by $SGN.Sig(\cdot)$.

Preliminaries
RSA Permutation Function
- $(\langle N, e \rangle, \langle N, d \rangle) \leftarrow Gen_{RSA}(1^\kappa)$: given $\kappa$, generates secure parameters of RSA.
- $y \leftarrow Eval_{RSA}(\langle N, e \rangle, x)$: given $x \in \mathbb{Z}_N^*$ and $(N, e)$, computes $y \leftarrow x^e \bmod N$.
- $x \leftarrow Invert_{RSA}(\langle N, d \rangle, y)$: given $y \in \mathbb{Z}_N^*$ and $(N, d)$, computes $x \leftarrow y^d \bmod N$.
- $e = 65537$: the Evaluation function is much faster than Inversion.
- Inverting RSA without $d$ is known to be hard.
One can see that RSA encryption and signature follow directly from the RSA permutation function. Due to the small size of the evaluation exponent $e = 65537$, the Evaluation function is much faster than Inversion, since $d \gg e$.

CEDA
We propose Compact Energy and Delay-Aware Authentication (CEDA), which can potentially meet the real-time requirements of critical applications.
- Fast Signing: the signing algorithm only requires ONE exponentiation (over a small modulus) and a few cryptographic hash function calls.
- Low End-to-End Delay: the verification algorithm requires ONE exponentiation (over a small modulus) and a few multiplications.
- 4.69x lower end-to-end delay as compared to ECDSA

Main Idea
HORS [5]: a subset-resilient hash function $H(\cdot)$ and a one-way function $f(\cdot)$.
- Private key $(sk_1, sk_2, \ldots, sk_t)$; public key $(pk_1, pk_2, \ldots, pk_t)$ with $pk_i = f(sk_i)$
- $(i_1, \ldots, i_k) \leftarrow H(m)$ where $\{i_j\}_{j=1}^{k} \in [1, t]$
- $\sigma = (sk_{i_1}, \ldots, sk_{i_k})$, which $f(\cdot)$ maps to $(pk_{i_1}, \ldots, pk_{i_k})$
- Every signature leaks a subset of private keys
GOAL: Efficiently prevent the leakage:
- Algebraic structure for the signature
- Maintaining the efficiency of HORS
Attain a multiple-time signature!!!

The HORS design is a development of Lamport's one-time signature, where the user generates t randomly selected values as her private key and applies a one-way function to these values to get her public key. HORS is a one-time signature where the signature consists of a subset of the signer's private key. HORS is very efficient. Our goal is to maintain this efficiency while transforming HORS into a (polynomially bounded) multiple-time signature. This can only be done if we have an algebraic structure in the output signature.

Main Idea
- RSA function offers multiplicative homomorphic properties!
- Private keys will not be leaked!
- Generate t random values
- Aggregate k-out-of-t, and multiply them with random r

We make use of a homomorphic property of the RSA function (used as a one-way function). We first generate t random values; then, to prevent the leakage of the private keys, we aggregate k of them and mask them using a one-time randomness. Via this approach, we attain an algebraic structure and prevent the leakage of private keys.

CEDA Design
KeyGen starts by drawing a $\kappa$-bit private key ($z$) and initializing the counter. To generate the public keys, the signer generates the $s_i$'s and applies $RSA\_Eval$ to them to obtain the $v_i$'s.

To sign a message, the signer first generates a one-time randomness $r$ (the one-timeness is guaranteed by the counter $c$). She then applies $RSA\_Eval$ to $r$ and computes its hash $h$. She hashes the message and $h$, derives $k$ strings of $\log_2 t$ bits each, $(i_1, \ldots, i_k)$, and uses each $i$ along with $z$ to generate the signature components $s_i$. She then aggregates (multiplicatively) the $s_i$'s and uses the one-time randomness to mask them (preventing their leakage).

Given a message-signature pair, the verification algorithm hashes the given message along with the hash value $h$ to compute the indexes $i$, which are used to pull the corresponding public key components $v_i$. It then computes the (multiplicative) aggregation of the public key components $v_i$, uses it to reduce $\beta$ from $\gamma$, and checks whether the hash of $\gamma$ is equal to $h$; if so, it outputs valid.

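The key generation, signing and verification flow described on this slide, as a toy Python sketch added here for illustration; it is not the authors' implementation. Assumptions not taken from the slides: the 648-bit demo modulus (far too small for real use), the keyed-BLAKE2b PRF and its labels, the hash input ordering, zero-based indexes, and the modular inversion used by the verifier.

```python
import hashlib
import secrets

# Toy modulus from two Mersenne primes so the example runs offline.
# NOT secure: the slides use a 3072-bit RSA modulus.
N = (2**127 - 1) * (2**521 - 1)
E = 65537
T, K = 1024, 26                    # (t, k) pair from the slides
IDX_BITS = T.bit_length() - 1      # log2(t) bits per index
N_BYTES = (N.bit_length() + 7) // 8

def prf(z: bytes, label: bytes, n: int) -> int:
    """Keyed BLAKE2b in counter mode, reduced mod N (assumed construction)."""
    out = b"".join(
        hashlib.blake2b(label + n.to_bytes(8, "big") + bytes([blk]), key=z).digest()
        for blk in range(N_BYTES // 64 + 2))
    return int.from_bytes(out, "big") % N

def hash_elem(x: int) -> bytes:
    """h = H(x) for a group element x."""
    return hashlib.blake2b(x.to_bytes(N_BYTES, "big")).digest()

def indexes(m: bytes, h: bytes) -> list:
    """k indexes of log2(t) bits each, cut from H(h || m) (assumed ordering)."""
    d = int.from_bytes(hashlib.blake2b(h + m).digest(), "big")
    return [(d >> (j * IDX_BITS)) & (T - 1) for j in range(K)]

def keygen():
    z = secrets.token_bytes(16)    # kappa = 128-bit private key
    pk = [pow(prf(z, b"s", i), E, N) for i in range(T)]  # v_i = s_i^e mod N
    return z, pk

def sign(z: bytes, c: int, m: bytes):
    r = prf(z, b"r", c)            # one-time mask derived from counter c
    h = hash_elem(pow(r, E, N))    # hash of RSA_Eval(r)
    masked = r
    for i in indexes(m, h):        # multiply in the k selected s_i
        masked = masked * prf(z, b"s", i) % N
    return masked, h               # caller must never reuse c

def verify(pk: list, m: bytes, sig) -> bool:
    masked, h = sig
    agg = 1
    for i in indexes(m, h):        # aggregate the matching v_i
        agg = agg * pk[i] % N
    # masked^e = r^e * prod(v_i); divide the product out to recover r^e
    recovered = pow(masked, E, N) * pow(agg, -1, N) % N
    return hash_elem(recovered) == h
```

Verification succeeds because $(r \prod s_i)^e = r^e \prod v_i \bmod N$, the multiplicative homomorphism of the RSA function; the signer never needs $d$, and the mask $r$ keeps the individual $s_i$ from being exposed.
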
Security
If a PPT adversary $\mathcal{A}$ can break CEDA (after $q_S$ sign queries and $q_H$ hash queries), then another algorithm $\mathcal{B}$ can use $\mathcal{A}$ as a subroutine and invert the RSA permutation function.

$$Adv_{CEDA}^{EU\text{-}CMA}(t_{\mathcal{A}}, q_H, q_S) \le Adv_{RSA}(t_{\mathcal{B}}, q_H, q_S)$$

CEDA also relies on the subset resiliency of the underlying hash function. This also implies the selection of $(t, k)$. After $q_S$ sign queries, the target collision resiliency of our hash function is

$$\frac{q_S \cdot k!}{2^{k \cdot \log_2 t}}$$

The advantage of the adversary in breaking CEDA is upper-bounded by the advantage of algorithm $\mathcal{B}$ in breaking the RSA one-way permutation function. We should set the parameters $k, t$ such that our hash output is large enough to be secure against the target collision attack.

Experimental Settings
Hardware
- A laptop equipped with Intel i7 6th generation CPU
- ARM Cortex A53 processor
Software
- GMP library – for fast arithmetic operations
- B2 library – Blake2 hash function is used to instantiate PRFs and random oracles in CEDA.

We implemented CEDA and compared its cost with its state-of-the-art counterparts. As hardware, we ran our code and the open-sourced implementations of our counterparts on commodity hardware equipped with an Intel i7 6th generation CPU and on an ARM Cortex A53 processor. We used the GMP library due to its fast arithmetic operations and the b2 library for its portable Blake2 hash function, which is used to instantiate PRFs and random oracles in CEDA. Our source code is openly available at the following address: https://github.com/ozgurozmen/CEDA

Analytical Comparison
Here we present the analytical cost comparison of CEDA with its RSA and elliptic curve based counterparts. In CEDA, signature generation only requires an exponentiation over the small exponent ($e$) and a small-constant number of hash calls. The signer does not need to store a pre-computed table or the RSA private key $d$, and therefore has a compact private key. CEDA has a compact signature that is the same size as a standard RSA signature. However, elliptic curve based schemes offer more compact signatures. CEDA has an ultra-efficient verification algorithm, since it only requires an exponentiation over $e$ and $k$ multiplications. However, CEDA has a relatively large public key, which requires storing a table. On the other hand, all elliptic curve based counterparts have a very small public key of size 32 bytes, but they require a double scalar multiplication for verification. Our analysis shows that CEDA only requires a small-constant number of inexpensive operations at the signer's and verifier's sides, which makes it a suitable alternative for delay-aware applications. The main limitation of CEDA is its relatively large public key size, which can be potentially stored by verifiers for some real-life applications.

Parameter Selection
We selected our parameters to provide $\kappa = 128$-bit security.
- RSA parameters: $|N| = 3072$ bits, $e = 65537$
- (t, k) pair selection: $t = 1024$, $k = 26$

Note that the (t, k) pair selection offers a storage/computation trade-off. For instance, CEDA can be instantiated with $t = 256$ and $k = 32$, which also provides 128-bit security. That would increase the computation overhead, but decrease the public key size of CEDA.

Performance Evaluation
Among its counterparts, CEDA has the fastest signature generation, the lowest end-to-end delay, and the second fastest signature verification, behind RSA verification. CEDA can generate 18,070 signatures per second. This can meet the ultra-high throughput requirements of various real-life applications.

Performance Evaluation
CEDA outperforms its counterparts in terms of computation on the ARM processor as well. Specifically, CEDA has a 1.5 times lower end-to-end delay compared to its closest counterpart, and 4.7 times lower end-to-end delay compared to ECDSA.

Performance Evaluation
The limitation of CEDA is its relatively larger public key. CEDA requires storing a public key of almost 393 KB. However, note that this storage can be decreased at the cost of computation speed when the t, k parameters are selected differently. For instance, t = 256 would decrease the public key size of CEDA by a factor of 4. This table shows that the most compact sizes are achieved with elliptic curve based schemes such as ECDSA and Ed25519.

Conclusion CEDA achieves fast signature generation and low end-to-end delay that are confirmed by our experiments. CEDA may be an ideal authentication tool for delay-aware critical systems such as energy delivery (e.g., smart-grids) and mobile cyber-physical systems (e.g., vehicular and networks).
Thank you!
References
[1] IEEE standard communication delivery time performance requirements for electric power substation automation. IEEE Std 1646-2004, pages 1–24, 2005.
[2] R.L. Rivest, A. Shamir, and L.A. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[3] American Bankers Association. ANSI X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999.
[4] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
[5] L. Reyzin and N. Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In Proceedings of the 7th Australian Conference on Information Security and Privacy (ACISP ’02), pages 144–153. Springer-Verlag, 2002.