[PPT] - Digital Signatures for Flows and Multicasts by Chung Kei Wong and PowerPoint Presentation

SLIDE 1

1

Digital Signatures for Flows and Multicasts

by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking, August 1999

1 Digital Signatures (Simon S. Lam)

3/8/2017

SLIDE 2

2

Digital Signature

 Examples: RSA, DSA  Provide authenticity integrity and non  Provide authenticity, integrity and non-

repudiation

 How to sign and verify?

 signing key ks , verification key kv , message

d h( ) digest h(m)

 signature = sign(h(m), ks)  verify(signature h(m) k ) = True/False  verify(signature, h(m), kv) = True/False

 Signing & verification operations are slow

Digital Signatures (Simon S. Lam) 2

g g p compared to symmetric key operations

SLIDE 3

3

Motivation

d l k l ( 1998)

 Traditional network applications (circa 1998)

 message-oriented unicast,

e g email file transfer client server e.g., email, file transfer, client-server  Emerging network applications

 flow-oriented e g

audio video stock quotes

 flow-oriented, e.g., audio, video, stock quotes  multicast, e.g., teleconference, software

distribution  Problem: How to sign/verify efficiently for

high-speed transmissions?

 real-time generated flows  delay-sensitive packet flows

Digital Signatures (Simon S. Lam) 3

SLIDE 4

4

All-or-nothing flows All or noth ng flows

 The signer generates a message digest of  The signer generates a message digest of

the entire flow (file) and signs the message digest

 But many Internet applications do not

y pp create all-or-nothing flows

 a flow is sent as a sequence of packets – also, a

b b bl subsequence may be usable

 each packet is used as soon as it is received

Digital Signatures (Simon S. Lam) 4

SLIDE 5

5

Sign-each Approach

 A flow is a sequence of data packets  Sign each packet individually  Inefficient: one signing/verification

peration per packet

 Rates on a Pentium-II 300 MHz using 100%

processing time (with 512-bit modulus)

Packet size (bytes) RSA DSA RSA DSA Signing Verification Rate (packets/sec) 512 78.8 176 2180 128 1024 78.7 175 1960 127 Update: today’s processor speed is much higher but Cisco’s recommended

Digital Signatures (Simon S. Lam) 5

Update: today s processor speed is much higher but Cisco s recommended RSA modulus size is 2048 bits to 4096 bits

SLIDE 6

6

Prior work on signing digital streams

 [Gennaro and Rohatgi 1997]  One signing/verification op for an entire

flow—only the first packet is signed

 Each packet contains authentication info for

n xt next  Verification of each packet depends on

previous ones previous ones

 Reliable delivery required

P1 P2 P3 P4 message digest of

Digital Signatures (Simon S. Lam) 6

digital signature message digest of following packet

SLIDE 7

7

Flow Signing Problem

 Each packet may be used as soon as it is

received received

 Subsequences of a flow are received and used

 best-effort delivery, e.g., UDP, IP multicast

best effort del very, e.g., UDP, IP mult cast

 different needs/capabilities, e.g., layered video

 How to efficiently sign flows with each packet

being individually verifiable?

 Actually, packets do not have to belong to the same

flow to reduce signing cost! E.g. in a multicast

Digital Signatures (Simon S. Lam) 7

SLIDE 8

8

Our Approach: Chaining

 Partition a flow into blocks of packets

 Sign the digest of each block instead of each

packet individually  Each packet carries its own authentication

i f ti t it i i th bl k information to prove it is in the block

 Authentication info provided by chaining

P1 P2 P3 P4 P5 P6 P7

. . .

Block signature Chaining info Block

Digital Signatures (Simon S. Lam) 8

Block signature Chaining info

SLIDE 9

9

Star Chaining – Signing

Block digest D1-8 = h(D1, …, D8)  Block signature = sign(D

)

D1 D2 D3 D4 D5 D6 D7 D8 Packet digests  Block signature = sign(D1-8)  Packet signature for packet P3:

sign(D1 ) D1 D D4 D sign(D1-8), D1, D2, D4, …, D8

 Chaining overhead is O(block size)

Digital Signatures (Simon S. Lam) 9

SLIDE 10

10

Star Chaining – Verification

 Verifying first received packet (say P3) Block digest D' = h(D D D' D D ) Block digest D 1-8 = h(D1, D2, D 3, D4, …, D8)

 verify(D'1 8 , sign(D1 8))

D1 D2 D'3 D4 D5 D6 D7 D8

 verify(D 1-8 , sign(D1-8))

 Caching of verified nodes Packet digests  Caching of verified nodes

 no verification op for other packets in the

block

Digital Signatures (Simon S. Lam) 10

SLIDE 11

11

Tree Chaining – Signing

Block digest D1-8 = h(D1-4, D5-8)  Merkle tree (hash tree) [1989]

D1-4 D5-8

 Block signature = sign(D1-8)

1-4 5-8

D1-2 D3-4 D5-6 D7-8

 Packet signature for

packet P3: (D ) D D D

D1 D2 D3 D4 D5 D6 D7 D8

Packet digests

sign(D1-8), D4, D1-2, D5-8

Packet digests  Chaining overhead is

O(log(block size))

Digital Signatures (Simon S. Lam) 11

SLIDE 12

12

Tree Chaining – Verification

 Verifying first received packet (say P3)

 verify(D'1 8, sign(D1 8))

ver fy(D 1-8, s gn(D1-8))  Caching of verified nodes Block digest D'1-8 = h(D'1-4, D5-8)

g

 no verification op for

ther packets in the block

D'1-4 D5-8 D1-2 D'3-4 D5-6 D7-8

P k t di t

D1 D2 D'3 D4 D5 D6 D7 D8

Digital Signatures (Simon S. Lam) 12

Packet digests

SLIDE 13

13

Chaining Technique: Signer Overhead

Compute packet digests Digest comp time Compute packet digests Build authentication tree Digest comp time Tree build time Sign block digest Signature comp time Build packet signatures Packet signature build time

Chaining time = Tree build time + Packet signature build time

Digital Signatures (Simon S. Lam) 13

SLIDE 14

14

Chaining Technique: Verifier Overhead

Build authentication tree Tree build time Di t ti Compute packet digests Verify chaining information Digest comp time Chaining verification time Verify chaining information Chaining verification time Verify block signature Signature verifying time

Chaining time = Tree build time + Chaining verification time

Digital Signatures (Simon S. Lam) 14

time

SLIDE 15

15

Chaining Time Overheads

10.00 der (ms)

tree deg 2 tree deg 4 tree deg 8

1 00 10.00 iver (ms)

tree deg 2 tree deg 4 tree deg 8

0.10 1.00 ng time at send

tree deg 8 star

0.10 1.00 ng time at rece

tree deg 8 star

0.01 2 4 8 16 32 64 128 chaini block size (no. of packets) 0.01 2 4 8 16 32 64 128 chaini block size (no. of packets)

 Overheads increases with block size (both

at sender at receiver

 Overheads increases with block size (both

axes in log scale)

 Much smaller than signing/verification

Digital Signatures (Simon S. Lam) 15

 Much smaller than signing/verification

times

SLIDE 16

16

Chaining Overhead Size

200 300 erhead )

star

100 haining ove (bytes

tree deg 8 tree deg 4 tree deg 2

2 4 8 16 32 64 128 block size (no. of packets) ch

g

 Smallest when tree degree is 2  Increases linearly with logarithm of block

( p )

 Increases linearly with logarithm of block

size

 Packet signature = block signature +

Digital Signatures (Simon S. Lam) 16

 Packet signature block signature

chaining overhead

SLIDE 17

17

Flow Signing/Verification Rates

6000 8000 10000

n rate /sec)

3000 4000 5000

rate /sec)

star tree deg 8 tree deg 4

2000 4000 6000

verification (packets/

1000 2000 3000

signing r (packets/

g tree deg 2 sign-each

2 4 8 16 32 64 128

block size (no. of packets)

2 4 8 16 32 64 128

block size (no. of packets)

 1024-byte packets, RSA with 512-bit

modulus

 Increases with block size  Varies only slightly with tree degree

Digital Signatures (Simon S. Lam) 17

y g y g

 we recommend degree 2 tree chaining

SLIDE 18

18

Real-time Generated Flows

 Fixed block size for non-real-time generated

flows

 Fixed time period T for real time generated  Fixed time period T for real-time generated

flows

Bounded delay signing since for any packet:

y g g y p delay ≤ T + Tchain + Tsign

Tchain(m1) + Tsign Tchain(m2) + Tsign period T m packets period T m packets time

 T should be larger than Tchain + Tsign  delay cannot be smaller than 2(T

+ T )

m1 packets m2 packets

Digital Signatures (Simon S. Lam) 18

 delay cannot be smaller than 2(Tchain + Tsign )

SLIDE 19

19

Selecting a Signature Scheme

 RSA: signing rate not high enough  DSA: both rates not high and

verification rate < signing rate

 In a group, receivers may have widely different

resources, e.g., sensors, phones, notebooks, desktops desktops  We proposed several extensions to FFS  We proposed several extensions to FFS

[Feige, Fiat and Shamir 1986]

Digital Signatures (Simon S. Lam) 19

SLIDE 20

20

FFS Signer FFS S gner

 choose two large primes p and q  choose two large primes p and q  compute modulus n = pq  choose integers

v1 vk

 choose integers

v1, …, vk s1, …, sk such that s 2 = v –1 mod n such that si

2 = vi 1 mod n

 signing key is {s1, …, sk , n}  verification key is {v

v n}

 verification key is {v1, …, vk , n}

Digital Signatures (Simon S. Lam) 20

SLIDE 21

21

How to Sign Message m

 choose t random integers r

r between 1

 choose t random integers, r1, …, rt , between 1

and n

 compute x = r 2 mod n for i = 1

t

 compute xi = ri

2 mod n, for i = 1, …, t

 compute digest h(m, x1, …, xt) of message m h f n ti n h( ) is p bli kn l d nd where function h(•) is public knowledge and produces a digest of at least k x t bits

let {bij} be the first k x t bits of the digest let {bij} be the first k x t bits of the digest

 compute yi = ri x (s1

bi1 x … x sk bik) mod n

for i = 1 t for i = 1, …, t

 signature of m consists of

{yi} and {bij} for i = 1 t and j = 1 k

Digital Signatures (Simon S. Lam) 21

{yi} and {bij} for i = 1, …, t and j = 1, …, k

SLIDE 22

22

How to Verify Signature of Message m

 signature of m {y } and {b } for i = 1 t and j = 1 k {yi} and {bij} for i = 1, …, t and j = 1, …, k  compute zi = yi

2 x (v1 bi1 x … x vk bik) mod n

for i = 1 t for i = 1, …, t

it can be shown that zi is equal to xi at the signer  i

t i lid if d l if th fi t

 signature is valid if and only if the first

k x t bits of h(m, z1, …, zt) are equal to the {bij} received in signature received in signature

Digital Signatures (Simon S. Lam) 22

SLIDE 23

23

FFS(k,t) ( )

 security level increases with

y

 size of modulus n (or size of primes p and q)  value of product kt

 key size is (k+1) x |n|

assuming |n| = |v | or |s | in bits assuming |n| = |vi| or |si| in bits

 signature size is t x | n | + k x t bits  signature size is t x | n | + k x t bits minimized for t=1

Digital Signatures (Simon S. Lam) 23

SLIDE 24

24

FFS key and signature sizes

For a fixed kt product, signature size is p , g minimized for t =1, but key size is maximized

Digital Signatures (Simon S. Lam) 24

SLIDE 25

25

eFFS Signature Scheme

l

 Several extensions to FFS [Feige, Fiat and Shamir

1986]

 Faster signing  Faster signing

Chinese remainder theorem (crt)
Precomputation (4-bit, 8-bit)

 Faster verification

Small verification key (sv-key) [Micali & Shamir 1990]

 Adjustable and incremental verification

multilevel signature
lower security level with less processor time at receiver
security level can be increased later by more processor

time

Digital Signatures (Simon S. Lam) 25

time

SLIDE 26

26

eFFS extension (1) eFFS extens on ( )

 Chinese remainder theorem

instead of y r x (s bi1 x x s bik) mod n instead of yi = ri x (s1

bi1 x … x sk bik) mod n

signer computes a = r x (s bi1 x x s bik) mod p ai = ri x (s1

bi1 x … x sk bik) mod p

bi = ri x (s1

bi1 x … x sk bik) mod q

y = ((a – b ) x q x q –1 + b ) mod n yi = ((ai – bi) x q x qp + bi) mod n where qp

–1 denotes q –1 mod p ,

 multiplications in mod p and mod q faster than in

multiplications in mod p and mod q faster than in mod n  Only signer knows p and q

Digital Signatures (Simon S. Lam) 26

y g p q

SLIDE 27

27

eFFS extension (2) eFFS extension (2)



ll ifi ti k [Mi li & Sh i ]

 small verification key [Micali & Shamir]: fi t k i b th t ti f use first k prime numbers that satisfy s 2 = p -1 mod n where p is prime and s is an integer where p is prime and s is an integer  faster verifying time and smaller key size  faster verifying time and smaller key size

Digital Signatures (Simon S. Lam) 27

SLIDE 28

28

eFFS extension (3) eFFS extension (3)

 To compute yi = ri x (s1

bi1 x … x sk bik) mod n

for i = 1, …, t

 precomputation of (s1

bi1 x … x sk bik)

additional memory of 31 KB and 261 KB additional memory of 31 KB and 261 KB required for 4-bit and 8-bit precomp respectively p y

only minor improvement at verifier when

used with small v-keys

Digital Signatures (Simon S. Lam) 28

u w t ma y

SLIDE 29

29

eFFS – Signing

basic FFS sv-key sv key crt+sv-key 4-bit+crt+sv-key 5 10 15 8-bit+crt+sv-key

 sv-key does not reduce signing time

eFFS(128,1) signing time (ms)

 sv key does not reduce signing time  crt reduces signing time by 10-20%  8-bit + crt reduces signing time by 60-70%

Digital Signatures (Simon S. Lam) 29

 8-bit + crt reduces signing time by 60-70%

SLIDE 30

30

eFFS – Verification eFFS Ver f cat on

b i FFS basic FFS sv-key 4-bit+sv-key 8-bit+sv-key 2 4 6 8 10 12

eFFS(128,1) verification time (ms)

 sv-key reduces verification time by 90%  4 bit or 8 bit slightly reduces verification

Digital Signatures (Simon S. Lam) 30

 4-bit or 8-bit slightly reduces verification

time

SLIDE 31

31

eFFS Key Size y

12

(bits)

R bi

12

bits)

Rabin

5 024

dulus size (

Rabin RSA eFFS(128,1) DSA ElGamal

51 024

ulus size (b

Rabin RSA eFFS(128,1) DSA ElGamal

5000 10000 15000 20000 10

mod signing key size (bytes)

100 200 300 400 500 10

verification key size (bytes) modu

ElGamal

 Large signing key 8000-17000 bytes

signing key size (bytes)

verification key size (bytes)

 private to signer

 Verification key 300-400 bytes

Digital Signatures (Simon S. Lam) 31

SLIDE 32

32

eFFS Signature Size

12

bits) Rabin

51 4

us size ( RSA eFFS(128,1) DSA

1024

modulu ElGamal

100 200 300

signature size (bytes)

 Signature size comparable to RSA and

Rabin

Digital Signatures (Simon S. Lam) 32

SLIDE 33

33

Signing Time Comparison

12 bits)

Rabin RSA

51 us size (b

RSA eFFS(128,1) DSA

1024 modul

DSA ElGamal

20 40 60 80 100 signing time (ms)

 8-bit + crt + sv-key extensions

h h ll

Digital Signatures (Simon S. Lam) 33

 eFFS has the smallest signing time

SLIDE 34

34

Verification Time Comparison

512 bits)

Rabin RSA

5 4 ulus size (

RSA eFFS(128,1) DSA

1024 modu

DSA ElGamal

D d ElG l f

100 200 300 400 verification time (ms)

 DSA and ElGamal verification times very

large R bi RSA d FFS t ll t

Digital Signatures (Simon S. Lam) 34

 Rabin, RSA and eFFS too small to see

SLIDE 35

35

Verification Time Comparison

512 bits) 5 4 ulus size (b

Rabin RSA eFFS(128,1)

1024 modu

( )

FFS ifi i i bl RSA

0.0 0.2 0.4 0.6 0.8 1.0 1.2 verification time (ms)

 eFFS verification time comparable to RSA

(Rabin most efficient verification)

Digital Signatures (Simon S. Lam) 35

SLIDE 36

36

Flow Signing/Verification Rates

512

ze (bits)

Rabin RSA

512

Rabin RSA FFS(128 1)

1024

modulus siz

RSA eFFS(128,1) DSA ElGamal

1024

eFFS(128,1) DSA ElGamal

1000 2000 3000 4000

m signing rate (packets/sec)

2000 4000 6000 8000

verification rate (packets/sec)

 1024-byte packets, block size 16,

degree two tree chaining degree two tree chaining

 eFFS has highest signing rate  eFFS verification rate comparable to RSA

Digital Signatures (Simon S. Lam) 36

 eFFS verification rate comparable to RSA

SLIDE 37

37

eFFS Adjustable and I l V ifi i Incremental Verification

 Security level of eFFS(k,t) depends on  Security level of eFFS(k,t) depends on

modulus size and product kt

 same kt and modulus size ~ same security level

y  Adjustable and incremental verification

 using t > 1 with additional info in signature  up to t steps

d bl d l

 adjustable and incremental:

receiver verifies steps one by one

Digital Signatures (Simon S. Lam) 37

SLIDE 38

38

eFFS Adjustable and Incremental Verification (cont ) Incremental Verification (cont.)

 t-level signature includes {xi} for i = 2, …, t

g

i

note that {xi} can be computed from original signature together with verification key

 verify a t-level signature at security level l ≤ t,

(1) compute zi = yi

2 x (v1 bi1 x

x vk

bik) mod n for i = 1

l

(1) compute zi = yi x (v1 i1 x … x vk ik) mod n for i = 1, …, l, (2) verify that the first k x t bits of h(m, z1, x2, …, xt)

are equal to the {bij} received

j

and z2, …, zl are equal to x2, …, xl

Digital Signatures (Simon S. Lam) 38

SLIDE 39

39

eFFS Adjustable and I l V ifi i ( ) Incremental Verification (cont.)

 increase security level from l1 to l2,  increase security level from l1 to l2, (1) compute zi = yi

2 x (v1 bi1 x … x vk bik) mod n for

i = l + 1 l i = l1 + 1, …, l2 , (2) verify that zl1+1, …, zl2 are equal to xl1+1, …, xl2

Digital Signatures (Simon S. Lam) 39

SLIDE 40

40

Incremental signing times g g

2-level signature takes less time to sign than two 2 level signature takes less time to sign than two 1-level signatures

Digital Signatures (Simon S. Lam) 40

SLIDE 41

41

Incremental verification times

Digital Signatures (Simon S. Lam) 41

SLIDE 42

42

Conclusions

 Flow signing/verification procedures  Flow signing/verification procedures

 much more efficient than sign-each  small communication overhead  small communication overhead  can be used by a sender that signs a large

number of packets to different receivers

there is no requirement that the packets belong to a
there is no requirement that the packets belong to a

flow but if they do, verification is also more efficient; else, each receiver has to do a bit more work

 eFFS digital signature scheme

 most efficient signing compared to RSA, Rabin,

g g p , , DSA, and ElGamal

 highly efficient verification and comparable to

RSA (only Rabin is more efficient)

Digital Signatures (Simon S. Lam) 42

RSA (only Rabin is more efficient)

 adjustable and incremental verification

SLIDE 43

43

Th E d The End

Digital Signatures (Simon S. Lam) 43