Digital Signatures for Flows and Multicasts by Chung Kei Wong and - - PDF document

1

Digital Signatures for Flows and Multicasts

by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking, August 1999

Digital Signature

 Examples: RSA, DSA  Provide authenticity, integrity and non-

repudiation

 How to sign/verify?

 signing key ks , verification key kv , message

digest h(m)

 signature = sign(h(m) k )

Digital Signatures (Simon Lam) 2

 signature = sign(h(m), ks)  verify(signature, h(m), kv) = True/False

 Signing & verification operations are slow

compared to symmetric key operations

2

Motivation

 Traditional network applications (circa 1998)

 message-oriented unicast,

e.g., email, file transfer, client-server

E k l

 Emerging network applications

 flow-oriented, e.g., audio, video, stock quotes  multicast, e.g., teleconference, software

distribution  Problem: How to sign efficiently? hi h d t i i

Digital Signatures (Simon Lam) 3

 high-speed transmissions  real-time generated flows  delay-sensitive packet flows

All-or-nothing flows

 The signer generates a message digest of

the entire flow (file) and signs the message the entire flow (file) and signs the message digest

 But most Internet applications do not

create all-or-nothing flows

fl is s t s s f k ts

Digital Signatures (Simon Lam) 4

 a flow is sent as a sequence of packets  each packet is used as soon as it is received

3

Sign-each Approach

 A flow is a sequence of data packets  Sign each packet individually  Inefficient: one signing/verification  Inefficient: one signing/verification

• peration per packet

 Rates on a Pentium-II 300 MHz using 100%

processing time (with 512-bit modulus)

Packet size Signing Verification Rate (packets/sec)

Digital Signatures (Simon Lam) 5

(bytes) RSA DSA RSA DSA 512 78.8 176 2180 128 1024 78.7 175 1960 127 g g

Prior work on signing digital streams

 [Gennaro and Rohatgi 1997]  One signing/verification op for an entire

flow—only the first packet is signed flow

• nly the f rst packet s s gned

 Each packet contains authentication info for

next  Verification of each packet depends on

previous ones

 Reliable delivery required

Digital Signatures (Simon Lam) 6

P1 P2 P3 P4 digital signature message digest of following packet

4

Flow Signing Problem

 Each packet may be used as soon as it is

received

 S b

f fl i d d

 Subsequences of a flow are received and

used

 best-effort delivery, e.g., UDP, IP multicast  different needs/capabilities, e.g., layered video

 How to efficiently sign flows with each

Digital Signatures (Simon Lam) 7

 How to efficiently sign flows with each

packet being individually verifiable?

Our Approach: Chaining

 Partition a flow into blocks of packets

 Sign the digest of each block instead of each

packet individually p y  Each packet carries its own authentication

information to prove it is in the block

 Authentication info provided by chaining

P1 P2 P3 P4 P5 P6 P7

. . .

Digital Signatures (Simon Lam) 8 1 2 3 4 5 6 7

Block signature Chaining info Block

5

Block digest D1-8 = h(D1, …, D8)

Star Chaining – Signing

 Block signature = sign(D1-8)  Packet signature for packet P3: D1 D2 D3 D4 D5 D6 D7 D8 Packet digests

Digital Signatures (Simon Lam) 9

ac t gnatur f r pac t 3 sign(D1-8), D1, D2, D4, …, D8

 Chaining overhead is O(block size)

Star Chaining – Verification

 Verifying first received packet (say P3) Block digest D'1-8 = h(D1, D2, D'3, D4, …, D8)

 verify(D'1-8 , sign(D1-8))

D1 D2 D'3 D4 D5 D6 D7 D8 Packet digests

Digital Signatures (Simon Lam) 10

 Caching of verified nodes

 no verification op for other packets in the

block

6

Tree Chaining – Signing

Block digest D1-8 = h(D1-4, D5-8)  [Merkle 1989]  Block signature = sign(D1 8)

D1 D2 D3 D4 D5 D6 D7 D8 D1-4 D5-8 D1-2 D3-4 D5-6 D7-8

 Block signature sign(D1-8)  Packet signature for

packet P3: sign(D1-8), D4, D1-2, D5-8

Digital Signatures (Simon Lam) 11 1 2 3 4 5 6 7 8

Packet digests  Chaining overhead is

O(log(block size))

 Verifying first received packet (say P3)

 verify(D'1-8, sign(D1-8))

Tree Chaining – Verification

Bl k di t D' h(D' D )  Caching of verified nodes

 no verification op for

• ther packets in the block

Block digest D'1-8 = h(D'1-4, D5-8)

D'1-4 D5-8 D1-2 D'3-4 D5-6 D7-8

Digital Signatures (Simon Lam) 12

Packet digests

D1 D2 D'3 D4 D5 D6 D7 D8

7

Chaining Technique: Signer Overhead

Compute packet digests Digest comp time Build authentication tree Sign block digest Build packet signatures Tree build time Signature comp time Packet signature build time

Digital Signatures (Simon Lam) 13

Chaining time = Tree build time + Packet signature build time

Chaining Technique: Verifier Overhead

Build authentication tree Tree build time Build authentication tree Compute packet digests Verify chaining information Tree build time Digest comp time Chaining verification time Si if i i

Digital Signatures (Simon Lam) 14

Chaining time = Tree build time + Chaining verification time

Verify block signature Signature verifying time

8

Chaining Time Overheads

10.00 der (ms) tree deg 2 tree deg 4 t d 8 10.00 ver (ms) tree deg 2 tree deg 4 0.01 0.10 1.00 2 4 8 16 32 64 128 block size (no. of packets) chaining time at send tree deg 8 star 0.01 0.10 1.00 2 4 8 16 32 64 128 block size (no. of packets) chaining time at receiv tree deg 8 star

d

Digital Signatures (Simon Lam) 15

 Overheads increase linearly with block size

(in log scale)

 Much smaller than signing/verification

times

at sender at receiver

Chaining Overhead Size

200 300 g overhead ytes)

star tree deg 8

 Smallest when tree degree is 2

100 2 4 8 16 32 64 128 block size (no. of packets) chaining (by

tree deg 4 tree deg 2

Digital Signatures (Simon Lam) 16

 Increases linearly with logarithm of block

size

 Packet signature = block signature +

chaining overhead

9

Flow Signing/Verification Rates

6000 8000 10000

ation rate kets/sec)

3000 4000 5000

ing rate kets/sec)

star tree deg 8 tree deg 4 tree deg 2

 1024-byte packets, RSA with 512-bit

d l

2000 4000 2 4 8 16 32 64 128

block size (no. of packets) verifica (pack

1000 2000 2 4 8 16 32 64 128

block size (no. of packets) signi (pack

g sign-each

Digital Signatures (Simon Lam) 17

modulus

 Increases with block size  Varies only slightly with tree degree

 we recommend degree 2 tree chaining

Flow Signing/Verification Rates

5000 6000

512-byte

12000 14000

e

1000 2000 3000 4000 2 4 8 16 32 64 128

block size (no. of packets) signing rate (packets/sec)

1024-byte 2048-byte

2000 4000 6000 8000 10000 2 4 8 16 32 64 128

block size (no. of packets) verification rat (packets/sec) Digital Signatures (Simon Lam) 18

 Degree two tree, RSA with 512-bit

modulus, three different packet sizes

10

Real-time Generated Flows

 Fixed block size for non-real-time generated flows  Fixed time period T for real-time generated flows  Bounded delay signing since for any packet

delay ≤ T + Tchain + Tsign

period T m packets period T Tchain(m1) + Tsign m packets Tchain(m2) + Tsign time

Digital Signatures (Simon Lam) 19

 T should be larger than Tchain + Tsign  delay cannot be smaller than 2(Tchain + Tsign )

m1 packets m2 packets

Selecting a Signature Scheme

 RSA: signing rate not high enough  DSA: both rates not high and  DSA: both rates not high and

verification rate < signing rate

 In a group, receivers may have widely different

resources, e.g., PDAs, notebooks, desktops  We proposed several extensions to FFS

Digital Signatures (Simon Lam) 20

 We proposed several extensions to FFS

[Feige, Fiat and Shamir 1986]

11

FFS Signer

 choose two large primes p and q 

t d l

 compute modulus n = pq  choose integers

v1, …, vk s1, …, sk such that si

2 = vi –1 mod n

 signing key is {s1, …, sk , n}

Digital Signatures (Simon Lam) 21

g g y { 1, ,

k ,

}

 verification key is {v1, …, vk , n}

How to Sign Message m

 choose t random integers, r1, …, rt , between 1

and n

 compute xi = ri

2 mod n, for i = 1, …, t

 compute message digest h(m, x1, …, xt) where function h(•) is public knowledge and produces a digest of at least k x t bits

let {bij} be the first k x t bits of the digest

 compute yi = ri x (s1

bi1 x … x sk bik) mod n

Digital Signatures (Simon Lam) 22

p yi

i 1 k

for i = 1, …, t

 signature of m consists of

{yi} and {bij} for i = 1, …, t and j = 1, …, k

12

How to Verify Signature of Message m

 signature of m {yi} and {bij} for i = 1, …, t and j = 1, …, k  compute zi = yi

2 x (v1 bi1 x … x vk bik) mod n

for i = 1, …, t

it can be shown that zi is equal to xi at the signer  signature is valid if and only if the first

k x t bits of h(m z1 zt) are equal to the {bij}

Digital Signatures (Simon Lam) 23

k x t bits of h(m, z1, …, zt) are equal to the {bij} received in signature

FFS(k,t)

 security level increases with

 size of modulus n (or size of primes p and q)  size of modulus n (or size of primes p and q)  value of product kt

 key size is (k+1) x |n|

assuming |n| = |vi| or |si| in bits

Digital Signatures (Simon Lam) 24

 signature size is t x | n | + k x t bits minimized for t=1

13

FFS key and signature sizes

Digital Signatures (Simon Lam) 25

For a fixed kt product, signature size is minimized for t=1, but key size is maximized

eFFS Signature Scheme

 Several extensions to FFS [Feige, Fiat and Shamir

1986]

 Faster signing

• Chinese remainder theorem (crt)
• Chinese remainder theorem (crt)
• Precomputation (4-bit, 8-bit)

 Faster verification

• Small verification key (sv-key) [Micali & Shamir 1990]

 Adjustable and incremental verification

Digital Signatures (Simon Lam) 26

• multilevel signature
• lower security level with less processor time at receiver
• security level can be increased later by more processor

time

14

eFFS extension (1)

 Chinese remainder theorem

instead of yi = ri x (s1

bi1 x … x sk bik) mod n

signer computes ai = ri x (s1

bi1 x … x sk bik) mod p

bi = ri x (s1

bi1 x … x sk bik) mod q

yi = ((ai – bi) x q x qp

–1 + bi) mod n

where qp

–1 denotes q –1 mod p ,

Digital Signatures (Simon Lam) 27

qp q p

 multiplications in mod p and mod q faster than in

mod n  Only signer knows p and q

eFFS extension (2)

 small verification key [Micali & Shamir]: use first k prime numbers that satisfy s 2 = p -1 mod n where p is prime and s is an integer

Digital Signatures (Simon Lam) 28

 faster verifying time and smaller key size

15

eFFS extension (3)

 To compute yi = ri x (s1

bi1 x … x sk bik) mod n

for i = 1, …, t , ,

 precomputation of (s1

bi1 x … x sk bik)

additional memory of 31 KB and 261 KB required for 4-bit and 8-bit precomp

Digital Signatures (Simon Lam) 29

respectively

• nly minor improvement at verifier when

used with small v-key

eFFS – Signing

basic FFS sv-key crt+s ke 5 10 15 crt+sv-key 4-bit+crt+sv-key 8-bit+crt+sv-key

eFFS(128,1) signing time (ms)

Digital Signatures (Simon Lam) 30

 sv-key does not reduce signing time  crt reduces signing time by 10-20%  8-bit + crt reduces signing time by 60-70%

16

eFFS – Verification

basic FFS 2 4 6 8 10 12 sv-key 4-bit+sv-key 8-bit+sv-key

FFS(128 1) ifi ti ti ( )

Digital Signatures (Simon Lam) 31

 sv-key reduces verification time by 90%  4-bit or 8-bit slightly reduces verification

time

eFFS(128,1) verification time (ms)

eFFS Key Size

512

ize (bits)

Rabin RSA

512

ize (bits) Rabin RSA

L i i k 8000 17000 b t

5000 10000 15000 20000 1024

modulus si signing key size (bytes)

eFFS(128,1) DSA ElGamal

100 200 300 400 500 1024

modulus si verification key size (bytes) eFFS(128,1) DSA ElGamal Digital Signatures (Simon Lam) 32

 Large signing key 8000-17000 bytes

 private to signer

 Verification key 300-400 bytes

17

eFFS Signature Size

512

ze (bits) Rabin RSA

100 200 300 1024

modulus siz signature size (bytes) eFFS(128,1) DSA ElGamal

Digital Signatures (Simon Lam) 33

 Signature size comparable to RSA and

Rabin

Signing Time Comparison

512 e (bits)

Rabin RSA

20 40 60 80 100 1024 modulus size signing time (ms)

eFFS(128,1) DSA ElGamal

Digital Signatures (Simon Lam) 34

 8-bit + crt + sv-key extensions  eFFS has the smallest signing time

signing time (ms)

18

Verification Time Comparison

512 ze (bits)

Rabin RSA

100 200 300 400 1024 modulus siz verification time (ms)

eFFS(128,1) DSA ElGamal

Digital Signatures (Simon Lam) 35

 DSA and ElGamal verification times very

large

 Rabin, RSA and eFFS too small to see

Verification Time Comparison

512 ze (bits)

Rabin

0.0 0.2 0.4 0.6 0.8 1.0 1.2 1024 modulus siz verification time (ms)

RSA eFFS(128,1)

Digital Signatures (Simon Lam) 36

 eFFS verification time comparable to RSA

(Rabin most efficient verification)

( )

19

Flow Signing/Verification Rates

512

s size (bits)

Rabin RSA eFFS(128,1) S

512

Rabin RSA eFFS(128,1) DSA

 1024-byte packets, block size 16,

1000 2000 3000 4000 1024

modulus signing rate (packets/sec)

DSA ElGamal

2000 4000 6000 8000 1024

verification rate (packets/sec) DSA ElGamal Digital Signatures (Simon Lam) 37

y p degree two tree chaining

 eFFS has highest signing rate  eFFS verification rate comparable to RSA

eFFS Adjustable and Incremental Verification

 Security level of eFFS(k,t) depends on

modulus size and product kt modulus size and product kt

 same kt and modulus size ~ same security level

 Adjustable and incremental verification

 using t > 1 with additional info in signature  up to t steps

Digital Signatures (Simon Lam) 38

 up to t steps  adjustable and incremental:

receiver verifies steps one by one

20

eFFS Adjustable and Incremental Verification (cont.)

 t-level signature includes {xi} for i = 2, …, t

note that {x } can be computed from original note that {xi} can be computed from original signature together with verification key

 verify a t-level signature at security level l  t, (1) compute zi = yi

2 x (v1 bi1 x … x vk bik) mod n for i = 1, …, l,

(2) verify that the first k x t bits of h(m, z1, x2, …, xt) l h {b } i d d l

Digital Signatures (Simon Lam) 39

are equal to the {bij} received, and z2, …, zl are equal to x2, …, xl

eFFS Adjustable and Incremental Verification (cont.)

 increase security level from l1 to l2,

b b

(1) compute zi = yi

2 x (v1 bi1 x … x vk bik) mod n for

i = l1 + 1, …, l2 , (2) verify that zl1+1, …, zl2 are equal to xl1+1, …, xl2

Digital Signatures (Simon Lam) 40

21

Incremental signing times

Digital Signatures (Simon Lam) 41

2-level signature takes less time to sign than two 1-level signatures

Incremental verification times

Digital Signatures (Simon Lam) 42

22

Conclusions

 Flow signing/verification procedures

 much more efficient than sign-each  small communication overhead

b d b d h i l

 can be used by a sender that signs a large

number of packets to different receivers

• there is no requirement that the packets belong to a

flow but if they do, verification is also more efficient

 eFFS digital signature scheme

 most efficient signing compared to RSA Rabin

Digital Signatures (Simon Lam) 43

 most efficient signing compared to RSA, Rabin,

DSA, and ElGamal

 highly efficient verification and comparable to

RSA (only Rabin is more efficient)

 adjustable and incremental verification

End

Digital Signatures (Simon Lam) 44