The secure and efficient operation of time-critical networks is of primary importance in today’s society. It is crucial to minimize the impact of security mechanisms over such networks so that the safe and reliable operations of time-critical systems are not being interfered. In particular, as a primary authentication mechanism, existing digital signatures introduce a significant computation and communication overhead, and there-fore are unable to fully meet the real-time processing requirements of such time-critical networks. This Seminar Approach introduce a new suite of real-time digital signatures referred to as Structure-free and Compact Real-time Authentication (SCRA) which is supported by hardware acceleration, to provide delay-aware authentication in time-critical networks. SCRA is a novel signature framework that can transform any secure aggregate signature into a signer efficient signature.
Technological advances in sensors and embedded systems are making the deployment of smart infrastructures possible. Such infrastructures will usher automation in a large number of application domains such as transportation, manufacturing, smart-grid and urban life. Because of their control capabilities and pervasive data acquisition, securing such smart-infrastructures is a critical requirement. Even though many security techniques are available, their application to smart infrastructures is not straightforward, especially when such infrastructures are based on networks that include mobile devices, and for safety reasons, they have to meet real-time requirements, and these networks are referred to as Time-critical networks. It is critical that devices in such a network should be able to respond and/or to initiate a large number of authentications in a smalltime-frame.
To address such a requirement, a series of fast digital signatures is developed to enable real-time authentication in time-critical networks. Hence a generic signature framework, referred to as Structure-free and Compact Real-time Authentication (SCRA), is introduced and that can be instantiated with any secure aggregate signature and then developed specific SCRA instantiations from Condensed-RSA, BGLS, NTRU, and demonstrated that these SCRA schemes are significantly more computationally efficient than their counterparts in modern CPUs.
State-of-the-Art Methods and Limitations
Advantages and limitations of authentication mechanisms that are most relevant to the work
Message Authentication Codes and Standard Digital Signatures
Symmetric crypto-based authentication mechanisms rely on Message Authentication Code (MAC). Despite their computational efficiency, these methods are not practical for broadcast authentication in large-scale distributed systems, as they require pairwise key distribution among all signers and verifiers. They also cannot achieve non-repudiation and public verifiability.
Digital signatures rely on the Public Key Infrastructures (PKIs), which makes them publicly verifiable and scalable for large systems. Hence, they are considered as a primary authentication mechanism for large-scale delay-aware systems. For instance, the vehicular WAVE architecture mandates the use of PKI mechanisms to sign critical messages. Despite their scalability, standard digital signature schemes require several expensive operations such as modular exponentiation and pairing. Therefore, they are not suitable for time-critical authentication.
It has been shown that they introduce significant delays, which are unacceptable in time-critical networks such as vehicular networks.
Delayed Key Disclosure and Amortized Signatures
Delayed key disclosure methods are efficient as they introduce an asymmetry between signer and verifier via a time factor. However, these methods require packet buffering, and therefore cannot achieve immediate verification (which is vital for delay-aware authentication).Signature amortization computes a signature over a set of messages instead of individual messages. Hence, the cost of signature generation and verification is amortized over multiple messages. However, these methods require packet buffering and introduce packet loss risk due to the use of hash chains.
One-Time Signatures (OTSs) offer fast signature generation and verification. How-ever, they incur very large signature and public key sizes, and also public keys must be renewed frequently. However, these schemes still suffer from computational in-efficiency (due to heavy use of pairings) or public key distribution issues (OTSs).
The offline-online signatures pre-compute a token for each message to be signed at the offline-phase, and then use it to compute a signature on a message very efficiently at the online-phase. Despite their merits, offline-online signatures incur significant storage overhead. Moreover, they require heavy computation for applications with high message throughput, since the signer depletes pre-computed tokens rapidly and is forced to regenerate them at the online- phase. Hence, offline-online signatures are not suitable for time-critical networks with high message throughput.
Rapid Authentication (RA) is an efficient offline-online signature, which lever-ages the already available pre-defined message structures in certain applications to reduce the computational and storage overhead of RSA-type offline-online constructions. Despite its advantages, RA is only suitable for applications that havea predefined message structure with a limited number of message components.
Moreover, RA requires pre-computed tokens to be stored/renewed per item as in traditional offline-online techniques.
Hardware-Accelerated Authentication (HAA) exploits hardware acceleration to speed up RA in various settings. HAA demonstrates the benefit of hardware acceleration to reduce the end-to-end delay of digital signature schemes. In particular, HAA shows the performance advantages offered by GPUs for offline-online signatures to batch regenerate tokens as they are depleted.
SCRA is based on the observation that the signature aggregation operation of some signature schemes is several magnitudes of times faster than that of their signature generation and leveraged this fact to shift the expensive operations of signature generation phase to the key generation phase. That is, at the key generation, a set of signatures are computed on the bit-structures of a hash output domain. Later, these pre-computed signatures are combined very efficiently based on the hash of each message without enforcing a message format or storage/regeneration of a token per-message. This simple but elegant strategy enables SCRA to achieve very fast signature generation, a low end-to-end cryptographic delay, small-constant signature sizes with a constant- size private/public key.
Generic and Simple Design: SCRA can be instantiated from any aggregate signature and shows that SCRAis at least a magnitude times faster than standard signatures even without optimization.
Highly Fast Signing, Low Delay and Compactness
Developed several instantiations of SCRA offering performance trade-offs with different computational overhead, signature and key sizes. SCRA-C-RSA is constructed from C-RSA, which transforms the highly costly exponentiation of RSA signing into a few modular exponentiations, followed by already efficient signature verification. Therefore, SCRA-C-RSA offers the lowest end-to-end delay among all of its counterparts with a signature size of standard RSA. This makes SCRA-C-RSA an ideal choice for time-critical applications with a reasonable signature size. SCRA-BGLS is constructed from BGLS, which reduces the signing cost from an exponentiation to a few modular multiplications. SCRA-BGLS offers the smallest signature size among all counterparts with a minimal signer overhead, making it suitable for resource-limited devices. SCRA-NTRU is based on the NTRU signature scheme. Signatures are aggregated using the lattice based aggregation technique. The lattice based sequential aggregate signature is proven to be secure in the random oracle security model. Due to its moderate signature and key sizes and low end-to-end delay, SCRA-NTRU is ideal for time-critical applications.
System and Threat Model
System model follows the traditional PKC-based broadcast authentication model, in which a signer computes a digital signature on a message and broadcasts a message-signature pair to the verifiers. This model is compatible with our target time-critical applications. For instance, in vehicular networks, a vehicle or road infrastructure broad-casts authenticated messages to the surrounding entities as described in vehicular communication standards.
Threat model reflects how a standard digital signature-based broadcast authentication works. That is, an adversary A can observe message-signature pairs computed under a private key. A also can actively intercept, modify, inject and replay messages transmitted over the network. A aims at producing existential forgeries against the digital signatures computed by signers.
Structure-free and Compact Real-time Authentication
SCRA can transform any aggregate signature into a signer efficient signature scheme, whose signing operation is as fast as just the aggregation of a small set of pre-computed signatures. SCRA has several advantages over the state-of-the-art sig- natures:(i) SCRA is a magnitude(s) of times more efficient with respect to signature generation than standard signatures(ii) Unlike message-formatted signature schemes, SCRA does not require any pre-defined message formats.(iii) Unlike offline-online signatures, SCRA does not require linear sized token storage.(iv) SCRA offers compact signature and public key sizes, and therefore is more scalable than one-time signatures.
Instantiations of SCRA
An ideal aggregate signature to instantiate SCRA must achieve very efficient signature aggregation. Identified three signatures to instantiate SCRA: (i) Condensed-RSA (C -RSA) based on RSA, (ii) BGLS based on pairing, (iii) Aggregate- NTRU signatures based on NTRU.
SCRA-C-RSA is based on Condensed-RSA (C-RSA) and therefore it obtains the highest computational efficiency benefit from SCRA among all instantiations. That is, C-RSA is by default a verifier efficient signature scheme but its signature generation is expensive. Since the SCRA significantly reduces the signing cost, SCRA-C-RSA achieves the lowest end-to-end delay among all instantiations with a moderate signature size.
SCRA-BGLS is based the BGLS signatures, and therefore has the smallest sig-nature/key size among all instantiations. The SCRA strategy also significantly increases the signature efficiency of BGLS. However, since BGLS has an expensive signature verification due to cryptographic pairing operations, SCRA-BGLS has a larger end-to- end cryptographic delay compared to our other instantiations.
SCRA-NTRU is based on NTRU aggregate signature. SCRA-NTRU achieves the highest signing efficiency among all instantiations. It also has a low end-to-end delay, which is comparable to SCRA-C -RSA but slightly less efficient, since NTRU aggregate signature verification algorithm is less efficient than that of SCRA-NTRU and a low end-to-end delay but with a larger signature size.
Performance Analysis And Comparison
Table 1.1 shows the clear superiority of SCRA in terms of signature generation efficiency and end-to-end cryptographic delay using a powerful CPU. That is, the signature generation of SCRA instantiations are 24, 18 and 516 times faster than their non-SCRA counterparts for RSA, BGLS, and NTRU, respectively. This indicates that SCRA is an ideal choice for a very high-throughput signature generation, especially for resource-limited devices in IoT deployments. Similarly, SCRA-C -RSA and SCRA-NTRU offer18 and 7 times lower end-to-end crypto delay compared to RSA and NTRU, respectively, making them ideal choices for time-critical authentication.
In addition to their computational efficiency, the SCRA schemes are also com-pact, since the signature and public key sizes remain the same with their base signature scheme. By comparing to each other, SCRA-C-RSA achieves the lowest end-to-end de-lay with a moderate signature size, while SCRA-BGLS offers the smallest signature but the highest end-to-end delay. SCRA-NTRU has the lowest signing delay, low end-to-end delay but with large signatures.
Developed a new series of delay-aware digital signatures for time-critical applications, which we refer to as Structure-Free Compact Authentication (SCRA). SCRA can transform any secure aggregate signature into a signer efficient signature via a novel constant-size precomputation strategy and also proposed several instantiations of SCRA schemes based on Condensed-RSA, BGLS, and NTRU signatures, each offering a unique computation time, key and signature size trade-offs.
Implementations and performance comparison with the existing alternatives showed that the SCRA schemes achieve significantly faster signature generation and lower end-to-end delay and also formally proved that SCRA schemes are secure (in ROM). Finally, pushed the performance of SCRA schemes to their edge by fully implementing them on server-grade GPUs and SoCs, which indicated significant performance gains. All these properties make the SCRA schemes a suitable alternative for delay-aware authentication for time-critical applications.