Securing WSNs and the IoT: Performance Analysis of Identity-based - - PowerPoint PPT Presentation

Securing WSNs and the IoT: Performance Analysis of Identity-based Signatures

Tobias Markmann

tobias.markmann@haw-hamburg.de

23.04.2014

2

Outline

1. Introduction

• 2. Background
• 3. Identity-based Signature Schemes
• 4. Evaluation
• 5. Results
• 6. Discussion

3

• 1. Introduction

Constrained devices communicating in a network Identification of devices/things Varying communication media Secure identification and communication between devices

4

Identification in Networks

Identification by address: − EMail address: alice@wonderland.lit − Internet: 2a02:2028:ad:d411:be05:43ff:fe18:2bf Authenticaiton of identiy − Unique private data only the true identity knows − Authenticate communication using secret keys

5

• 2. Cryptography Background

Asymmetric Signatures − Public key/private key signatures − Widespread use: World Wide Web, Passports, ... − Easy and flexible trust concepts Identity-based Signatures − Form of asymmetric signature − Arbitrary choice of public key − Trust via central commonly trusted authority

6

ID-based Cryptography Workflow

1. Setup → system parameters (𝑇𝑄) and master secret key (𝑛𝑡𝑙)

• 2. KeyExtraction(𝑇𝑄, 𝑛𝑡𝑙, 𝐽𝐸) → secret key for ID (𝑡𝐽𝐸)
• 3. Authentication and Verification

Sign(𝑇𝑄, 𝑡𝐽𝐸, 𝑛) → (𝜏) Verify(𝑇𝑄, 𝐽𝐸, 𝑛, 𝜏) → 1⁄0

7

• 2. Mathematical Background

RSA Elliptic Curves Pairings

1 2

8

2.1. RSA

RSA Cryptosystem 2 large primes p, q at random 𝑂 = 𝑞 ⋅ 𝑟 1 < 𝑓 < 𝜔(𝑂) and 𝑕𝑑𝑒(𝑓, 𝜔(𝑂)) = 1 𝑒 = 𝑓−1 mod 𝑂 Sign: 𝑡 = 𝐼(𝑛)𝑒 mod 𝑂 Verify: ℎ = 𝑡𝑓 mod 𝑂 , ℎ

?

= 𝐼(𝑛) Complexity Signature verification and generation equally expensive Practice: pick small 𝑓, e.g. 65537 Result: Faster verification than generation

9

2.2. Elliptic Curves

Motivation Basics Group Law

10

Motivation for Elliptic Curves

Discrete logarithm problem in finite fields (𝔾𝑞) − Let 𝑞 = 128(2800 + 25) + 1, 807-bit prime − Problem: find 𝜇 ∈ ℤ, such that 2 ≡ 3𝜇 mod 𝑞 − For modern security, 𝑞 needs to be greater than 3000 bits DLOG in 𝔾𝑞: subexponential complexity ⟶ security requires big 𝑞 DLOG in elliptic curves:

• nly exponential complexity algorithm known ⟶ smaller numbers

11

Basics of Elliptic Curve Crypto

Elliptic curve formula of form: 𝐹𝐵,𝐶 : 𝑍 2 = 𝑌3 + 𝐵𝑌 + 𝐶 Curve defined over 𝔾𝑞, 𝔾2𝑛 or 𝔾𝑞𝑛 Example: "Curve25519" − 𝐹 : 𝑍 2 = 𝑌3 + 486662𝑌2 + 𝑌, − over 𝔾𝑞, 𝑞 = 2255 − 19

12

Groups over Elliptic Curves

𝐹(𝐿) = 󰙈(𝑦, 𝑧) ∈ 𝐿 2 : x,y satisfy the elliptic curve equation󰙉 ⋃ {𝒫𝐹} Point addition

a b a+b

1 2 3

• 1
• 2
• 3

1 2 3

• 1
• 2
• 3

Point doubling

a 2a

1 2 3

• 1
• 2
• 3

1 2 3

• 1
• 2
• 3

Scalar multiplication: 𝑜𝑄 = (𝑦, 𝑧) + (𝑦, 𝑧) + ... + (𝑦, 𝑧) ⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟

𝑜 times

Point 𝑄 as generator of group 𝐻(𝐹(𝐿)) with a large prime order

13

2.3. Pairing-based Cryptography

Definition (symmetric): 𝐻, 𝐻𝑢 two abelian groups 𝑓 : 𝐻 × 𝐻 ⟶ 𝐻𝑢 𝑄, 𝑅 ∈ 𝐻, 𝑏, 𝑐 ∈ ℤ Properties: 1. Bilinearity: 𝑓(𝑏𝑄, 𝑐𝑅) = 𝑓(𝑄, 𝑅)𝑏𝑐

• 2. Non-degenerate: 𝑓(𝑄, 𝑅) ≠ 1
• 3. Efficiently computable: Miller’s algorithm

Groups: Example: 𝐻 ⊆ 𝐹(𝔾𝑞) and 𝐻𝑢 ⊆ 𝔾∗

𝑞𝛽

𝛽 = 2, 6, ...

14

PBC Example: BLS Signature

Key Generation: Random 𝑡𝑙 ∈ ℤ𝑟 as secret key Public key is 𝑞𝑙 = 𝑕𝑡𝑙, 𝑕 is generator of group 𝐻 Signature Generation: Sign(𝑡𝑙, 𝑛) → 𝐼(𝑛)𝑡𝑙 Signature Verification: Verify(𝑞𝑙, 𝑛, 𝜏) → valid if 𝑓(𝑕, 𝜏) = 𝑓(𝑞𝑙, 𝐼(𝑛)) 𝑓(𝑕, 𝜏) = 𝑓(𝑕, 𝐼(𝑛)𝑡𝑙) = 𝑓(𝑕𝑡𝑙, 𝐼(𝑛)) = 𝑓(𝑞𝑙, 𝐼(𝑛))

15

3.1 SH-IBS

Original proposal by Adi Shamir in 1984 Based on the RSA cryptosystem

16

SH-IBS: Description

Setup: Like RSA: master private key (MPK) and master secret key (MSK) Define two hash functions: 1. 𝐼1 : {0, 1}∗ → ℤ𝑜

• 2. 𝐼2 : ℤ𝑜 × {0, 1}∗ → ℤ𝑜

Key Extraction: Identity 𝐽𝐸, ID’s secret key 𝑡𝐽𝐸 𝑡𝐽𝐸 = 𝐼1 (𝐽𝐸)𝑒 mod 𝑜 Signature Generation: Random 𝑠 ∈ ℤ𝑜 𝑢 = 𝑠𝑓 mod 𝑜 𝑡 = 𝑡𝐽𝐸 ⋅ 𝑠𝐼2(𝑢,𝑛) mod 𝑜 𝜏𝑛 = (𝑡, 𝑢) Signature Verification: Holds if the signature is valid: 𝑡𝑓 ? = 𝐼1(𝐽𝐸) ⋅ 𝑢𝐼2(𝑢,𝑛) mod 𝑜

17

SH-IBS: Complexity

Storage Complexity: Signature size: ℤ𝑂 × ℤ𝑂 Computational Complexity: Generation: 2 modular exponentiation in ℤ𝑂 ≡ 𝒫(log 𝑓 + log 𝑂

2 )

Verification: 2 modular exponentiation in ℤ𝑂 ≡ 𝒫(log 𝑓 + log 𝑂

2 )

𝑓 being the master public key

18

3.2 vBNN-IBS

Proposed by Cao, Kou, Dang and Zhao in 2008 As part of "IMBAS: Identity-based multi-user broadcast authentica- tion in wireless sensor networks" Security based on elliptic curve discrete logarithm problem

19

vBNN-IBS: Description

Setup: Elliptic-curve setup according to security parameter Random master secret key 𝑦 ∈ ℤ𝑞 Master public key: 𝑄0 = 𝑦𝑄 Define two hash functions: 1. 𝐼1 : {0, 1}∗ × 𝔿 → ℤ𝑞

• 2. 𝐼2 : {0, 1}∗×{0, 1}∗×𝔿×

𝔿 → ℤ𝑞 Key Extraction: Random 𝑠 ∈ ℤ𝑞, 𝑆 = 𝑠𝑄 𝑡 = 𝑠 + 𝐼1(𝐽𝐸, 𝑆) ⋅ 𝑦 𝑡𝐽𝐸 = (𝑆, 𝑡)

20

vBNN-IBS: Description (cont.)

Signature Generation: Random 𝑧 ∈ ℤ𝑞, 𝑍 = 𝑧𝑄 ℎ = 𝐼2(𝐽𝐸, 𝑛, 𝑆, 𝑍 ) 𝑨 = 𝑧 + ℎ𝑡 𝜏 = (𝑆, ℎ, 𝑨) Signature Verification: 𝑑 = 𝐼1(𝐽𝐸, 𝑆) 𝑈 = 𝑨𝑄 − ℎ(𝑆 + 𝑑𝑄0) Holds if signature is valid: ℎ

?

= 𝐼2(𝐽𝐸, 𝑛, 𝑆, 𝑈)

21

vBNN-IBS: Complexity

Storage Complexity: Signature size: 𝐻(𝐹(𝔾𝑟)) × ℤ𝑞 × ℤ𝑞 Computational Complexity: Generation: 1 exponentiation in 𝐻(𝐹(𝔾𝑞)) Verification: 3 exponentiations in 𝐻(𝐹(𝔾𝑞))

22

3.3 TSO-IBS

Proposed by Tso, Gu, Okamoto and Okamoto in 2007 Utilizes bilinear pairings over elliptic curves Provides ID-based signatures with message recovery − For fixed size messages − For variable size messages Message recovery: − Signature includes message − Recoverable by any receiver − Reduce overall size of authenticated message

23

TSO-IBS: Description

Setup: ECC setup 𝐻1 and 𝐻2 of order 𝑟, |𝑟| = 𝑚1 + 𝑚2 Random 𝑡 ∈ ℤ∗

𝑟 (MSK)

𝑄𝑄𝑣𝑐 = 𝑡𝑄 (MPK) 𝜈 = ˆ 𝑓(𝑄, 𝑄) 4 hash functions:

• 1. 𝐼 : {0, 1}∗ ⟶ ℤ∗

𝑞

• 2. 𝐼1 : {0, 1}∗ ⟶ {0, 1}𝑚1+𝑚2
• 3. 𝐺1 : {0, 1}𝑚1 ⟶ {0, 1}𝑚2
• 4. 𝐺2 : {0, 1}𝑚2 ⟶ {0, 1}𝑚1

Key Extraction: 𝑡𝐽𝐸 = (𝐼(𝐽𝐸) + 𝑡)−1𝑄

24

TSO-IBS: Description (cont.)

Signature Generation: 𝑛 ∈ {0, 1}𝑚1 and compute random 𝑠1 ∈ ℤ∗

𝑟

𝛽 = 𝐼1(𝐽𝐸, 𝜈𝑠1) ∈ {0, 1}𝑚1+𝑚2 𝛾 = 𝐺1(𝑛)‖ (𝐺2 (𝐺1 (𝑛)) ⨁ 𝑛) and 𝑠2 = [𝛽 ⨁ 𝛾] 𝑉 = (𝑠1 + 𝑠2)𝑡𝐽𝐸, final signature 𝜏 = (𝑠2, 𝑉) Signature Verification: 𝑄𝐽𝐸 = 𝐼(𝐽𝐸)𝑄 + 𝑄𝑄𝑣𝑐 ˜ 𝛽 = 𝐼1(𝐽𝐸, ˆ 𝑓(𝑉, 𝑄𝐽𝐸) ⋅ 𝜈−𝑠2) ˜ 𝛾 = 𝑠2 ⨁ ˜ 𝛽 and ˜ 𝑛 = | ˜ 𝛾|𝑚1 ⨁ 𝐺2(𝑚2| ˜ 𝛾|) Valid if 𝑚2| ˜ 𝛾| = 𝐺1( ˜ 𝑛)

25

TSO-IBS: Complexity

Storage Complexity: Authenticated message size: |𝑟| + |𝐻1| Signature size: |𝑟| + |𝐻1| − 𝑚1, for messages of size 𝑚1 Implemented with |𝐻1| = 193 bytes and 𝑚1 = 32 bytes Computational Complexity: Generation: 1 exponentiation in 𝐻2, 1 EC multiplication in 𝐻1 Verification: 1 pairing, 1 exponentiation in 𝐻2, 1 EC multiplication in 𝐻1

26

3.4 Comparative Overview

Scheme Signing Verification Size SH-IBS 2 mod. exp. in ℤ𝑂 2 mod exp. in ℤ𝑂

ℤ𝑂 × ℤ𝑂

vBNN-IBS 1 ⋅ in 𝐻(𝐹(𝔾𝑞)) 3 ⋅ in 𝐻(𝐹(𝔾𝑞))

𝐻(𝐹(𝔾𝑟)) × ℤ𝑞 × ℤ𝑞

TSO-IBS 1 ˆ in 𝐻2, 1 EC ⋅ in 𝐻1 1 ˆ

𝑓(), 1 ˆ in 𝐻2, 1 EC ⋅ in 𝐻1 |𝑟| + |𝐻1| − 𝑚1

27

• 4. Evaluation

All IBS schemes implemented in C/C++ Using Relic Toolkit − Open source (LGPL) − C library, some assembler − Protocols, big numbers, elliptic curve, pairings − Supported architectures: AVR, MSP, ARM, X86, X86_64 C++ wrapper − Safety: memory management and bounds checking − Convenience: operator overloading (+, *, ^, %, ==, =)

28

Benchmark

Benchmark size of signature Benchmark timings for − Signature generation − Signature verification For SH-IBS 𝑂 of size 512, 1024, 2048 and 4096 bits For vBNN-IBS curves over 𝔾𝑞 with size of 𝑞 192, 256 and 384 bits For TSO-IBS a super-singular curve over 𝔾𝑞 with size of 𝑞 1536 bits (SLOW) Security levels converted to symmetric level according ECRYPT II

29

Benchmark: Signature Size

200 400 600 800 1000 1200 Keysize (bytes) 40 60 80 100 120 140 160 180 200 Symmetric Security Level (bits)

Signature Size Comparison of ID-based Signature Schemes SH-IBS vBNN-IBS TSO-IBS

30

Benchmark: Timings

100 101 102 103 104 105 Time (µs) 40 60 80 100 120 140 160 180 200 Symmetric Security Level (bits)

Performance Comparison of ID-based Signature Schemes SH-IBS (sig. generation) SH-IBS (sig. verification) vBNN-IBS (sig. generation) vBNN-IBS (sig. verification) TSO-IBS (sig. generation) TSO-IBS (sig. verification)

31

Discussion

vBNN-IBS shows a speed advantage at good security levels VBNN-IBS has smaller signatures overall TSO-IBS shows bad performance, due to SS-P1536 curve SH-IBS performance shines at lower security levels (like ECDSA vs. RSA)

32

Outlook

Evaluation on constrained hardware − e.g. Rasberry Pi or sensor nodes Signature schemes based on asymmetric pairings − Higher efficiency Investigating use of Edwards curves − Requires dedicated implementation for improved security/perfor- mance

33

Further Reading / Watching

Upcoming Project 1 Report 3rd BIU Winter School on Cryptography 2013

https://www.youtube.com/playlist?list=PLXF_IJaFk-9C4p3b2tK7H9a9axOm3EtjA http://crypto.biu.ac.il/winterschool2013/

Math ⋂ Programming

http://jeremykun.com/category/cryptography/

Relic Toolkit

https://code.google.com/p/relic-toolkit/

34

Thanks!

Questions?

35

Image Sources

http://upload.wikimedia.org/wikipedia/commons/2/23/Bugaboo_for- est_fire.jpg http://i1.ytimg.com/vi/L8TkhHgkBsg/maxresdefault.jpg http://www.blogcdn.com/www.engadget.com/media/2013/01/peb- ble2f0a6577.jpg http://en.wikipedia.org/wiki/File:ECClines-3.svg https://www.imperialviolet.org/2010/12/04/ecc.html