ETA: Efficient and Tiny Authentication for Heterogeneous Wireless Systems
Attila Altay Yavuz, Oregon State University, attila.yavuz@oregonstate.edu
6th ACM Conference on Security and Privacy in Wireless and Mobile Networks

WiSec 2013
Motivation
Heterogeneous wireless systems are everywhere. Many devices with different capabilities are interconnected.
Internet of Things and Systems (IoTS): Smart home and smart campus applications, sensors and high-end devices (e.g., laptops).
Payment Systems: Intelligent transport and mobile payment systems. E-Z pass, Metrocards in NYC, token-based access (e.g., with USB). Mass-producible low-cost devices and verifiers.
Cyber Physical Systems (CPS): Several sensors (e.g., PMU) collect and transmit data to the control centers.

Motivation (Cont’)
Providing authentication and integrity is vital.
Scalability.
Public verifiability and non-repudiation.
Payment Systems: Financial transactions on low-end devices (e.g., smart-card/RFID tag) must be digitally signed.
CPS and IoTS: Sensor readings (frequency, voltage, temperature) must be signed before their transmission to the control center.
Challenge: Computational, storage and bandwidth limited signers, resourceful verifiers.

Limitations of Existing Approaches
Symmetric crypto methods: Unscalable for large distributed systems; lack of non-repudiation and public verifiability.
Traditional PKC Signatures: e.g., RSA [2], ECDSA [3] and Schnorr [4]. Too computationally costly; require modular exponentiation (ExpOp) at the signer side.
Pre-computation: Token-ECDSA [5] and online/offline signatures [6,7] do not require ExpOp at the signer side. Linear overhead: K items require storing O(K) keys at the signer.
One-time/multiple-time Signatures: HORS [8], HORS++ [9], HORSE [10]. They are very computationally efficient. Very large signature size (2.5/5 KB) and communication overhead. Very large one-time public key (5 KB) for each item to be signed.

Our Contribution: Efficient and Tiny Authentication (ETA)
Compact Signature: Smallest signature size among counterparts (240 bits). Smaller than ECDSA (320 bits). Significantly smaller than RSA (1KB), one-time/multiple-time (2.5 KB) and online/offline (2KB) signatures.
Small Key Sizes: Small constant-size private key (i.e., 320 bits). Much smaller than pre-computation and multiple-time signatures (i.e., linear overhead O(K)).
Highly Efficient Signing: An order of magnitude faster than traditional signatures, as efficient as pre-computation methods and one-time signatures.
Immediate Verification and No Time Sync: More practical than TESLA and its variants. Suitable for applications requiring immediate authentication.
Individual Message Verification: More resilient to packet loss.
Limitation: ETA requires O(K) storage at the verifier.

Digression: Schnorr Signature Scheme [4]
Key Generation:
a) Generate (q,p,), where p>q such that q | (p-1), is a generator of the subgroup G of order q.
b) Private/public key pair
Signature Generation: a) b)
Signature Verification:
Remarks:
Pre-computability and hashing: (r,R) and e=H(M||R)
Message recovery during verification

Intuition
Dilemma: ExpOp-free signing vs. O(K) overhead (Token-ECDSA and Schnorr).
R0,…,Rk are an essential part of the signing algorithm: either store them or compute them.
Challenge: No exponentiation at the signer and yet achieve O(1) storage?
Strategy: Eliminate R from Signature Generation and Transmission.
Unlike R, r can be evolved efficiently via a hash chain:
Mimic R in H(.) by replacing it with a random number xj.
Schnorr: ETA:
How to verify the signature?
Provable security argument? (Theorem 1)

Intuition (Cont’)
Strategy: Offload Ephemeral PK Storage to the Verifier Side.
R is removed from the signing process; store it at the verifier side (without disclosing r)!
Store the hash of each R_j instead of R_j itself:
Each R_j is authenticated (despite being excluded from the signature), since the PK is certified.
Verification via Schnorr Message Recovery:
Verification is as efficient as Schnorr, but signing does not need Exp. or O(K) storage.

Key Generation Algorithm
[Figure labels: KGC (OFFLINE, once), Signer, Verifiers, ETA Signature (online)]
a) Generate a Schnorr private/public key pair
b) Generate a random seed r0 and verification tokens v0,…,vK-1 as follows:
c) ETA private/public key pairs are as follows:
Reminder: Verifiers are storage resourceful; online computation is important.

Signature Generation and Verification
Signature Generation: a) b)
Private key size: constant, 320 bits
Signature size: 240 bits
No expensive operation
Signature Verification:

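Added example (not from the slides or the paper's implementation): a toy Python walk-through of the key generation, ExpOp-free signing and message-recovery verification described on the preceding slides. The slide formulas did not survive extraction, so the details here are assumptions: the Schnorr convention s = r - e*y mod q with R' = Y^e * alpha^s, the chain step r_{j+1} = H(r_j), SHA-256 as H, and the constructed toy group p = 2039, q = 1019, alpha = 4.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use): Q divides P - 1, ALPHA has order Q.
P, Q, ALPHA = 2039, 1019, 4

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (an unambiguous stand-in for '||')."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def to_bytes(n: int) -> bytes:
    return n.to_bytes(32, "big")

def challenge(msg: bytes, j: int, x: bytes) -> int:
    return int.from_bytes(H(msg, to_bytes(j), x), "big") % Q    # e_j = H(M_j || j || x_j)

def next_r(r: int) -> int:
    return int.from_bytes(H(b"chain", to_bytes(r)), "big") % Q  # assumed hash-chain step

def keygen(k: int):
    """Offline, once: every exponentiation tied to the signer's secrets happens here."""
    y = secrets.randbelow(Q - 1) + 1
    r0 = secrets.randbelow(Q)
    tokens, r = [], r0
    for _ in range(k):
        tokens.append(H(to_bytes(pow(ALPHA, r, P))))   # v_j = H(R_j), R_j = ALPHA^r_j
        r = next_r(r)
    signer_state = {"y": y, "r": r0, "j": 0}           # constant-size private key
    public_key = {"Y": pow(ALPHA, y, P), "v": tokens}  # O(K) storage at the verifier
    return signer_state, public_key

def sign(state: dict, msg: bytes):
    """Online: one hash and one multiply-subtract mod Q, no exponentiation."""
    j, x = state["j"], secrets.token_bytes(10)         # x_j: fresh 80-bit randomness
    s = (state["r"] - challenge(msg, j, x) * state["y"]) % Q
    state["r"], state["j"] = next_r(state["r"]), j + 1  # evolve r_j, overwrite the old value
    return s, x, j

def verify(public_key: dict, msg: bytes, sig) -> bool:
    s, x, j = sig
    if not (0 <= j < len(public_key["v"]) and 0 <= s < Q):
        return False
    e = challenge(msg, j, x)
    recovered = pow(public_key["Y"], e, P) * pow(ALPHA, s, P) % P  # R' = Y^e * ALPHA^s
    return secrets.compare_digest(H(to_bytes(recovered)), public_key["v"][j])
```

The signature carries only (s_j, x_j, j); R_j never leaves key generation except as the hashed token v_j held by the verifier.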
Performance Analysis (Brief)
ETA has the smallest signature size (30 bytes) among all of its counterparts.
The private key is constant-size and much smaller than other signer-efficient schemes (e.g., HORS, HORSE, HORS++, offline/online).
The K-time public key is much smaller than other K-time schemes.
Signer efficiency: Signing takes 4 usec in ETA, while it is 1330, 15 and 6 usecs in ECDSA, HORSE (HORS variant) and token-ECDSA, respectively.
Platform: Intel(R) Core(TM) i7 Q720 at 1.60GHz CPU and 2GB RAM running Ubuntu 10.10, using the MIRACL library.
Limitations: Public key size is O(K), larger than ECDSA and online/offline.
That is, the signature size of ETA is 6, 8, 1.3 and orders of magnitude times smaller than that of HORS/HORSE, online/offline signatures, ECDSA/token-ECDSA and HORS++, respectively.

Security Analysis (Brief)
ETA is (K-time) Existentially Unforgeable Under Chosen Message Attacks (EU-CMA) in Theorem 1 (please see details in the paper).
ETA is as secure as the Schnorr signature scheme given that H is a secure cryptographic hash function.
Schnorr uses the hash of the ephemeral public key R instead of R itself (like DSA). This allows us to replace Random Oracle (RO) answers (e).
Use of randomness x_j in H(M_j||j||x_j) prevents the crypto simulator from aborting (the adversary has to predict x_j to make SIM abort).
Cryptographic simulation is statistically indistinguishable.

Conclusion
A new signature scheme for heterogeneous wireless systems.
Highly efficient for the resource-constrained signers:
Smallest signature size among counterparts
ExpOp-free signing (longer battery life and fast processing)
Constant-size private key
Verification is as computationally efficient as traditional DLP signatures.
Storage heavy (i.e., O(K)) at the verifier side (resourceful verifiers).
Suitable for use-cases where signer efficiency is very important: token-based payment, IoTS, some CPS applications.

References
[1] A. Perrig, R. Canetti, D. Song, and D. Tygar. Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy, May 2000.
[2] R.L. Rivest, A. Shamir, and L.A. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[3] American Bankers Association. ANSI X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999.
[4] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
[5] D. Naccache, D. M’Raïhi, S. Vaudenay, and D. Raphaeli. Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In Proceedings of the 13th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’94), pages 77–85, 1994.
[6] D. Catalano, M. D. Raimondo, D. Fiore, and R. Gennaro. Off-line/on-line signatures: Theoretical aspects and experimental results. Public Key Cryptography (PKC), pages 101–120. Springer-Verlag, 2008.
[7] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’01, pages 355–367, London, UK, 2001.
[8] L. Reyzin and N. Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In Proceedings of the 7th Australian Conference on Information Security and Privacy (ACISP ’02), pages 144–153. Springer-Verlag, 2002.
[9] W.D. Neumann. HORSE: An extension of an r-time signature scheme with fast signing and verification. In Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference on, volume 1, pages 129–134, April 2004.
[10] J. Pieprzyk, H. Wang, and C. Xing. Multiple-time signature schemes against adaptive chosen message attacks. In Selected Areas in Cryptography (SAC), pages 88–100, 2003.