Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oregon State University

Published byJosephine Sullivan Modified over 6 years ago

Similar presentations

Presentation on theme: "Oregon State University"— Presentation transcript:

1 Oregon State University
6th ACM Conference on Security and Privacy in Wireless and Mobile Networks 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks ETA: Efficient and Tiny Authentication for Heterogeneous Wireless Systems Attila Altay Yavuz Oregon State University

2 WiSec 2013 Motivation Heterogeneous wireless systems are everywhere. Many devices with different capability are interconnected Internet of Things and Systems (IoTS): Smart home and smart campus applications, sensors and high-end devices (e.g., laptops) Payment Systems: Intelligent transport and mobile payment systems. E-Z pass, Metrocards in NYC, token-based access (e.g., with USB) Mass producible low-cost devices and verifiers Cyber Physical Systems (CPS): Several sensors (e.g., PMU) collect and transmit data to the control centers

3 Motivation (Cont’) Providing authentication and integrity is vital
WiSec 2013 Motivation (Cont’) Providing authentication and integrity is vital Scalability Public verifiability and non-repudiation Payment Systems: Financial transactions on low-end devices (e.g., smart-card/RFID tag) must be digitally signed CPS and IoTS: Sensor readings (frequency, voltage, temperature) must be signed before their transmission to the control center Challenge: Computational, storage and bandwidth limited signers, resourceful verifiers. Give exmaples of CPS things, Give exampleon token-based payment system, cite them … Kick animations

4 Limitations of Existing Approaches
WiSec 2013 Limitations of Existing Approaches Symmetric crypto methods: Unscalable for large-distributed systems, lack of non-repudiation and public verifiability. Traditional PKC Signatures: e.g., RSA [2] and ECDSA [3], Schnorr [4] Too computational costly, require modular exp. (ExpOp) at the signer side Pre-computation: Token-ECDSA [5] and online/offline signatures [6,7] do not require ExpOp the signer side Linear Overhead: K items require storing O(K) keys at the signer One-time/multiple-time Signatures: HORS [8], HORS++ [9], HORSE [10]. They are very computationally efficient Very large signature size (2.5/5 KB) and communication overhead Very large one-time public key (5 KB) for each item to be signed Put a horse association visually Think same about ETA, the girl

5 Our Contribution: Efficient and Tiny Authentication (ETA)
WiSec 2013 Our Contribution: Efficient and Tiny Authentication (ETA) Compact Signature: Smallest signature size among counterparts (240 bits). Smaller than ECDSA (320 bits). Significantly smaller than RSA (1KB), one-time/multiple (2.5 KB) and online/offline (2KB) signatures Small Key Sizes: Small-constant private key (i.e., 320 bits). Much smaller than pre-computation and multiple-time signatures (i.e., linear overhead O(K)) Highly Efficient Signing: An order of magnitude faster than traditional signatures, as efficient as pre-computation methods and one-time signatures Immediate Verification and No Time Sync: More practical than TESLA and its variants. Suitable for applications requiring immediate authentication Individual Message Verification: More resilient to packet loss Limitation : ETA requires O(K) storage at the verifier

6 Digression: Schnorr Signature Scheme [4]
WiSec 2013 Digression: Schnorr Signature Scheme [4] Key Generation: a) Generate (q,p,), where p>q such that q | (p-1),  is a generator of the subgroup G of order q. b) Private/public key pair Signature Generation: a) b) Signature Verification: Remarks: Pre-computability and hashing: (r,R) and e=H(M||R) Message recovery during verification

7 WiSec 2013 Intuition Dilemma: ExpOp-free Signing vs. O(K) overhead (Token-ECDSA and Schnorr) R0,…,Rk are an essential part of signing algorithm. Either store or compute Challenge: No exponentiation at the signer and yet achieve O(1) storage? Strategy: Eliminate R from Signature Generation and Transmission Unlike R, r can be evolved efficiently via a hash chain: Mimic R in H(.) by replacing it with a random number xj. Schnorr: ETA: How to verify signature? Provable security Argument?? (Theorem 1)

8 Intuition (Cont’) WiSec 2013
Strategy: Offload Ephemeral PK Storage to the Verifier Side: R is removed from signing process, store it at the verifier side (not disclose r)! Store the hash of each R_j instead of R_j itself: Each R_j is authenticated (despite excluded from signature), since PK is certified Verification via Schnorr Message Recovery: Verification is as efficient as Schnorr, but signing does not need Exp. or O(K) storage

9 Key Generation Algorithm
WiSec 2013 Key Generation Algorithm KGC (OFFLINE, once) Signer Verifiers ETA Signature (online) a) Generate a Schnorr private/public key pair b) Generate seed random r0 verification tokens v0,…,vK-1 as follows: c) ETA private/public key pairs are as follows: Reminder: Verifiers are storage resourceful, online computation is important

10 Signature Generation and Verification
WiSec 2013 Signature Generation and Verification Signature Generation: a) b) Private key size: Constant and 320 bits constant Signature Size: 240 bits No expensive operation Signature Verification:

11 Performance Analysis (Brief)
WiSec 2013 Performance Analysis (Brief) ETA has the smallest signature size (30 bytes) among all of its counterparts. The private key is constant-size and much smaller than other signer efficient schemes (e.g., HORS, HORSE, HORS++, offline/online) K-time public key is much smaller than other K-time schemes Signer efficiency: Signing takes 4 usec in ETA, while it is 1330, 15 and 6 usecs in ECDSA, HORSE (HORS variant) and token-ECDSA, respectively Intel(R) Core(TM) i7 Q720 at 1.60GHz CPU and 2GB RAM running Ubuntu using MIRACL library Limitations: Public key size is O(K), larger than ECDSA and online/offline. That is, the signature size of ETA is 6, 8, 1.3 and orders of magnitudes times smaller than that of HORS/HORSE, online/offline signatures, ECDSA/token-ECDSA and HORS++, re- spectively.

12 Security Analysis (Brief)
WiSec 2013 Security Analysis (Brief) ETA is (K-time) Existential Unforgeable Under Chosen Message Attacks (EU-CMA) in Theorem 1 (please see details in paper). ETA is as secure as Schnorr signature scheme given that H is a secure cryptographic hash function. Schnorr uses the hash of ephemeral public key R instead of R itself (like DSA). This allows us to replace Random Oracle (RO) answers (e). Use of randomness x_j in H(M_j||j|x_j) prevents crypto simulator to abort (adversary has to predict x_j to make SIM abort) Cryptographic simulation is statistically indistinguishable

13 WiSec 2013 Conclusion A new signature scheme for heterogeneous wireless systems Highly efficient for the resource-constrained signers Smallest signature size among counterparts ExpOp-free signing (longer battery life and fast processing) Constant-size private key Verification is as computationally efficient as traditional DLP signatures Storage heavy (i.e., O(K) ) at the verifier side (resourceful verifiers) Suitable for use-cases where signer efficiency is very important Token-based payment, IoTS, some CPS applications

14 WiSec 2013 References [1] A. Perrig, R. Canetti, D. Song, and D. Tygar. Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of the IEEE Symposium on Security and Privacy, May 2000 [2] R.L. Rivest, A. Shamir, and L.A. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978 [3] American Bankers Association. ANSI X : Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999 [4] C. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991 [5] D. Naccache, D. M’Raïhi, S. Vaudenay, and D. Raphaeli. Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In Proceedings of the 13th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’94), pages 77–85, 1994 [6] D. Catalano, M. D. Raimondo, D. Fiore, and R. Gennaro. Off-line/on-line signatures: Theoretical aspects and experimental results. Public Key Cryptography (PKC), pages 101–120. Springer-Verlag, 2008 [7] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’01, pages 355–367, London, UK, 2001 [8] L. Reyzin and N. Reyzin. Better than BiBa: Short one-time signatures with fast signing and verifying. In Proceedings of the 7th Australian Conference on Information Security and Privacy (ACIPS ’02), pages 144–153. Springer-Verlag, 2002. [9] W.D. Neumann. HORSE: An extension of an r-time signature scheme with fast signing and verification. In Information Technology: Coding and Computing, Proceedings. ITCC International Conference on, volume 1, pages 129 – 134 Vol.1, april 2004. [10] J. Pieprzyk, H. Wang, and C. Xing. Multiple-time signature schemes against adaptive chosen message attacks. In Selected Areas in Cryptography (SAC), pages 88–100, 2003.

15 WiSec 2013

Download ppt "Oregon State University"

Similar presentations

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
10/11/2013 Attila Altay Yavuz University of Pittsburgh, School of Information Sciences 135 N. Bellefield Avenue, Pittsburgh, PA 15260

10/11/2013 Attila Altay Yavuz University of Pittsburgh, School of Information Sciences 135 N. Bellefield Avenue, Pittsburgh, PA 15260
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.

KIANOOSH MOKHTARIAN SCHOOL OF COMPUTING SCIENCE SIMON FRASER UNIVERSITY 3/24/2008 Secure Multimedia Streaming.
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.

SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, Victor Wen, David Culler, J.D. Tygar Research Topics in Security in the context.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.

Computer Science CSC 774 Adv. Net. SecurityDr. Peng Ning1 CSC 774 Advanced Network Security Topic 4. Broadcast Authentication.
07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA Practical Immutable Signature.

07/16/2013 Attila Altay Yavuz Robert Bosch Research and Technology Center Pittsburgh, PA 15203, USA Practical Immutable Signature.
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
Security Considerations for Wireless Sensor Networks Prabal Dutta (614) 975-3658 Security Considerations for Wireless Sensor Networks.

Security Considerations for Wireless Sensor Networks Prabal Dutta (614) Security Considerations for Wireless Sensor Networks.

Similar presentations

Ads by Google