
Securing WSNs and the IoT: Performance Analysis of Identity-based Signatures



  1. Securing WSNs and the IoT: Performance Analysis of Identity-based Signatures
     Tobias Markmann, tobias.markmann@haw-hamburg.de
     23.04.2014

  2. Outline
     1. Introduction
     2. Background
     3. Identity-based Signature Schemes
     4. Evaluation
     5. Results
     6. Discussion

  3. 1. Introduction
     - Constrained devices communicating in a network
     - Identification of devices/things
     - Varying communication media
     - Secure identification and communication between devices

  4. Identification in Networks
     - Identification by address:
       - Email address: alice@wonderland.lit
       - Internet: 2a02:2028:ad:d411:be05:43ff:fe18:2bf
     - Authentication of identity
       - Unique private data only the true identity knows
       - Authenticate communication using secret keys

  5. 2. Cryptography Background
     - Asymmetric Signatures
       - Public key/private key signatures
       - Widespread use: World Wide Web, Passports, ...
       - Easy and flexible trust concepts
     - Identity-based Signatures
       - Form of asymmetric signature
       - Arbitrary choice of public key
       - Trust via central commonly trusted authority

  6. ID-based Cryptography Workflow
     1. Setup → system parameters ($SP$) and master secret key ($msk$)
     2. KeyExtraction($SP$, $msk$, $ID$) → secret key for ID ($s_{ID}$)
     3. Authentication and Verification
        - Sign($SP$, $s_{ID}$, $m$) → ($\sigma$)
        - Verify($SP$, $ID$, $m$, $\sigma$) → 1/0

  7. 2. Mathematical Background
     - RSA
     - Elliptic Curves
     - Pairings

  8. 2.1. RSA
     RSA Cryptosystem
     - 2 large primes p, q at random, $N = p \cdot q$
     - $1 < e < \varphi(N)$ and $\gcd(e, \varphi(N)) = 1$
     - $d = e^{-1} \bmod N$
     - Sign: $s = H(m)^d \bmod N$
     - Verify: $h = s^e \bmod N$, $h \stackrel{?}{=} H(m)$

     Complexity
     - Signature verification and generation equally expensive
     - Practice: pick small $e$, e.g. 65537
     - Result: Faster verification than generation

  9. 2.2. Elliptic Curves
     - Motivation
     - Basics
     - Group Law

  10. Motivation for Elliptic Curves
      - Discrete logarithm problem in finite fields ($\mathbb{F}_p$)
        - Let $p = 128(2^{800} + 25) + 1$, an 807-bit prime
        - Problem: find $\lambda \in \mathbb{Z}$ such that $2 \equiv 3^{\lambda} \bmod p$
        - For modern security, $p$ needs to be greater than 3000 bits
      - DLOG in $\mathbb{F}_p$: subexponential complexity ⟶ security requires big $p$
      - DLOG in elliptic curves: only exponential complexity algorithm known ⟶ smaller numbers

  11. Basics of Elliptic Curve Crypto
      - Elliptic curve formula of form: $E_{A,B} : Y^2 = X^3 + AX + B$
      - Curve defined over $\mathbb{F}_p$, $\mathbb{F}_{2^m}$ or $\mathbb{F}_{p^m}$
      - Example: "Curve25519"
        - $E : Y^2 = X^3 + 486662X^2 + X$,
        - over $\mathbb{F}_p$, $p = 2^{255} - 19$

  12. Groups over Elliptic Curves
      - $E(K) = \{(x, y) \in K^2 : x, y \text{ satisfy the elliptic curve equation}\} \cup \{\mathcal{O}_E\}$
      - [Figure: two curve plots, "Point addition" (points a, b, a+b) and "Point doubling" (points a, 2a)]
      - Scalar multiplication: $nP = \underbrace{(x, y) + (x, y) + \dots + (x, y)}_{n \text{ times}}$
      - Point $P$ as generator of group $G(E(K))$ with a large prime order

  13. 2.3. Pairing-based Cryptography
      Definition (symmetric): $e : G \times G \to G_t$, with $G$, $G_t$ two abelian groups

      Properties, for $P, Q \in G$ and $a, b \in \mathbb{Z}$:
      1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$
      2. Non-degenerate: $e(P, Q) \neq 1$
      3. Efficiently computable: Miller's algorithm

      Groups: Example: $G \subseteq E(\mathbb{F}_p)$ and $G_t \subseteq \mathbb{F}^*_{p^{\alpha}}$, $\alpha = 2, 6, \dots$

  14. PBC Example: BLS Signature
      Key Generation:
      - Random $sk \in \mathbb{Z}_q$ as secret key
      - Public key is $pk = g^{sk}$, $g$ is generator of group $G$

      Signature Generation:
      - Sign($sk$, $m$) → $H(m)^{sk}$

      Signature Verification:
      - Verify($pk$, $m$, $\sigma$) → valid if $e(g, \sigma) = e(pk, H(m))$
      - $e(g, \sigma) = e(g, H(m)^{sk}) = e(g^{sk}, H(m)) = e(pk, H(m))$

  15. 3.1 SH-IBS
      - Original proposal by Adi Shamir in 1984
      - Based on the RSA cryptosystem

  16. SH-IBS: Description
      Setup:
      - Like RSA: master private key (MPK) and master secret key (MSK)
      - Define two hash functions:
        1. $H_1 : \{0, 1\}^* \to \mathbb{Z}_n$
        2. $H_2 : \mathbb{Z}_n \times \{0, 1\}^* \to \mathbb{Z}_n$

      Key Extraction:
      - Identity $ID$, ID's secret key $s_{ID}$
      - $s_{ID} = H_1(ID)^d \bmod n$

      Signature Generation:
      - Random $r \in \mathbb{Z}_n$
      - $t = r^e \bmod n$
      - $s = s_{ID} \cdot r^{H_2(t, m)} \bmod n$
      - $\sigma_m = (s, t)$

      Signature Verification:
      - Holds if the signature is valid: $s^e \stackrel{?}{=} H_1(ID) \cdot t^{H_2(t, m)} \bmod n$
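The four SH-IBS steps on this slide, run end to end, as an added example that is not code from the presentation or from the RELIC-based implementation it evaluates. The two Mersenne primes, the SHA-256 based stand-ins for the two hash functions and the node names are assumptions made for the sketch; a verifier needs only the public modulus, the public exponent and the signer's identity string.

```python
import hashlib
import secrets

# Constructed toy master key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # master secret exponent, authority only


def hash_to_zn(*parts) -> int:
    """Domain-separated SHA-256 reduced into Z_N (assumed stand-in for H1 / H2)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def extract(identity: str) -> int:
    """Key Extraction: s_ID = H1(ID)^d mod N, computed by the authority."""
    return pow(hash_to_zn("H1", identity), D, N)


def sign(s_id: int, msg: str) -> tuple[int, int]:
    """Signature Generation: t = r^e, s = s_ID * r^H2(t, m) mod N."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    s = s_id * pow(r, hash_to_zn("H2", t, msg), N) % N
    return s, t


def verify(identity: str, msg: str, sig: tuple[int, int]) -> bool:
    """Signature Verification: s^e == H1(ID) * t^H2(t, m) mod N."""
    s, t = sig
    if not (0 < s < N and 0 < t < N):
        return False                       # reject out-of-range components
    rhs = hash_to_zn("H1", identity) * pow(t, hash_to_zn("H2", t, msg), N) % N
    return pow(s, E, N) == rhs


if __name__ == "__main__":
    key = extract("node-17.wsn.example")   # issued once by the authority
    sig = sign(key, "temp=21.5")
    print(verify("node-17.wsn.example", "temp=21.5", sig))   # genuine signer
    print(verify("node-18.wsn.example", "temp=21.5", sig))   # wrong identity
    print(verify("node-17.wsn.example", "temp=99.9", sig))   # altered message
```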

  17. SH-IBS: Complexity
      Storage Complexity:
      - Signature size: $\mathbb{Z}_N \times \mathbb{Z}_N$

      Computational Complexity:
      - Generation: 2 modular exponentiation in $\mathbb{Z}_N \equiv \mathcal{O}(\log e + \log N^2)$
      - Verification: 2 modular exponentiation in $\mathbb{Z}_N \equiv \mathcal{O}(\log e + \log N^2)$
      - $e$ being the master public key

  18. 3.2 vBNN-IBS
      - Proposed by Cao, Kou, Dang and Zhao in 2008
      - As part of "IMBAS: Identity-based multi-user broadcast authentication in wireless sensor networks"
      - Security based on elliptic curve discrete logarithm problem

  19. vBNN-IBS: Description
      Setup:
      - Elliptic-curve setup according to security parameter
      - Random master secret key $x \in \mathbb{Z}_p$
      - Master public key: $P_0 = xP$
      - Define two hash functions:
        1. $H_1 : \{0, 1\}^* \times \mathbb{G} \to \mathbb{Z}_p$
        2. $H_2 : \{0, 1\}^* \times \{0, 1\}^* \times \mathbb{G} \times \mathbb{G} \to \mathbb{Z}_p$

      Key Extraction:
      - Random $r \in \mathbb{Z}_p$, $R = rP$
      - $s = r + H_1(ID, R) \cdot x$
      - $s_{ID} = (R, s)$

  20. vBNN-IBS: Description (cont.)
      Signature Generation:
      - Random $y \in \mathbb{Z}_p$, $Y = yP$
      - $h = H_2(ID, m, R, Y)$
      - $z = y + hs$
      - $\sigma = (R, h, z)$

      Signature Verification:
      - $c = H_1(ID, R)$
      - $T = zP - h(R + cP_0)$
      - Holds if signature is valid: $h \stackrel{?}{=} H_2(ID, m, R, T)$

  21. vBNN-IBS: Complexity
      Storage Complexity:
      - Signature size: $G(E(\mathbb{F}_q)) \times \mathbb{Z}_p \times \mathbb{Z}_p$

      Computational Complexity:
      - Generation: 1 exponentiation in $G(E(\mathbb{F}_p))$
      - Verification: 3 exponentiations in $G(E(\mathbb{F}_p))$

  22. 3.3 TSO-IBS
      - Proposed by Tso, Gu, Okamoto and Okamoto in 2007
      - Utilizes bilinear pairings over elliptic curves
      - Provides ID-based signatures with message recovery
        - For fixed size messages
        - For variable size messages
      - Message recovery:
        - Signature includes message
        - Recoverable by any receiver
        - Reduce overall size of authenticated message

  23. TSO-IBS: Description
      Setup:
      - ECC setup: $G_1$ and $G_2$ of order $q$, $|q| = l_1 + l_2$
      - $\mu = \hat{e}(P, P)$
      - Random $s \in \mathbb{Z}_q^*$ (MSK)
      - $P_{Pub} = sP$ (MPK)
      - 4 hash functions:
        1. $H : \{0, 1\}^* \to \mathbb{Z}_p^*$
        2. $H_1 : \{0, 1\}^* \to \{0, 1\}^{l_1 + l_2}$
        3. $F_1 : \{0, 1\}^{l_1} \to \{0, 1\}^{l_2}$
        4. $F_2 : \{0, 1\}^{l_2} \to \{0, 1\}^{l_1}$

      Key Extraction:
      - $s_{ID} = (H(ID) + s)^{-1} P$

  24. TSO-IBS: Description (cont.)
      Signature Generation:
      - $m \in \{0, 1\}^{l_1}$ and random $r_1 \in \mathbb{Z}_q^*$, compute
      - $\alpha = H_1(ID, \mu^{r_1}) \in \{0, 1\}^{l_1 + l_2}$
      - $\beta = F_1(m) \,\|\, (F_2(F_1(m)) \oplus m)$ and $r_2 = [\alpha \oplus \beta]$
      - $U = (r_1 + r_2)\, s_{ID}$, final signature $\sigma = (r_2, U)$

      Signature Verification:
      - $P_{ID} = H(ID)P + P_{Pub}$
      - $\tilde{\alpha} = H_1(ID, \hat{e}(U, P_{ID}) \cdot \mu^{-r_2})$
      - $\tilde{\beta} = r_2 \oplus \tilde{\alpha}$ and $\tilde{m} = |\tilde{\beta}|_{l_1} \oplus F_2({}_{l_2}|\tilde{\beta}|)$
      - Valid if ${}_{l_2}|\tilde{\beta}| = F_1(\tilde{m})$

  25. TSO-IBS: Complexity
      Storage Complexity:
      - Authenticated message size: $|q| + |G_1|$
      - Signature size: $|q| + |G_1| - l_1$, for messages of size $l_1$
      - Implemented with $|G_1| = 193$ bytes and $l_1 = 32$ bytes

      Computational Complexity:
      - Generation: 1 exponentiation in $G_2$, 1 EC multiplication in $G_1$
      - Verification: 1 pairing, 1 exponentiation in $G_2$, 1 EC multiplication in $G_1$

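  26. 3.4 Comparative Overview

      | Scheme | Signing | Verification | Size |
      |---|---|---|---|
      | SH-IBS | 2 mod. exp. in $\mathbb{Z}_N$ | 2 mod. exp. in $\mathbb{Z}_N$ | $\mathbb{Z}_N \times \mathbb{Z}_N$ |
      | vBNN-IBS | 1 $\cdot$ in $G(E(\mathbb{F}_p))$ | 3 $\cdot$ in $G(E(\mathbb{F}_p))$ | $G(E(\mathbb{F}_q)) \times \mathbb{Z}_p \times \mathbb{Z}_p$ |
      | TSO-IBS | 1 ^ in $G_2$, 1 EC $\cdot$ in $G_1$ | 1 $\hat{e}()$, 1 ^ in $G_2$, 1 EC $\cdot$ in $G_1$ | $\lvert q \rvert + \lvert G_1 \rvert - l_1$ |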

  27. 4. Evaluation
      - All IBS schemes implemented in C/C++
      - Using Relic Toolkit
        - Open source (LGPL)
        - C library, some assembler
        - Protocols, big numbers, elliptic curve, pairings
        - Supported architectures: AVR, MSP, ARM, X86, X86_64
      - C++ wrapper
        - Safety: memory management and bounds checking
        - Convenience: operator overloading (+, *, ^, %, ==, =)

  28. Benchmark
      - Benchmark size of signature
      - Benchmark timings for
        - Signature generation
        - Signature verification
      - For SH-IBS, $N$ of size 512, 1024, 2048 and 4096 bits
      - For vBNN-IBS, curves over $\mathbb{F}_p$ with size of $p$ 192, 256 and 384 bits
      - For TSO-IBS, a super-singular curve over $\mathbb{F}_p$ with size of $p$ 1536 bits (SLOW)
      - Security levels converted to symmetric level according to ECRYPT II
