One-time signature based schemes

Our work in [31] was focused on the use of one-time signatures to assure broadcast authentication.

This was a natural approach since one-time signatures were specifically designed to sign messages by the use of simple trapdoor-less one-way functions rather than by more expensive public key primitives. We do of course not intend to achieve non-repudiation, as we just want to authenticate

2The results presented in this section are based on author’s previously published work: Bogdan Groza, Stefan Mur- vay,Secure Broadcast with One-time Sigantures in Controller Area Networks. Proceedings of International Conference on Availability, Reliability and Security (ARES’11), IEEE Comp. Soc., 2011.

0 20 40 60 80 100 120 Σ 0.2

0.4 0.6 0.8 1.0

∆ HiL

4 levels 3 levels

0 50 100 150 200 250 Σ 0.2

0.4 0.6 0.8 1.0

BUS

HiiL

4 levels

3 levels

2 3 4 5 6 {

1000 2000 3000 4000 5000 6000 7000

MEM

HiiiL

2 3 4 5 6 {

2 4 6 8 10 12 14

BUS

HivL

Figure 3.3: Variation of overheads and delays with length or levels: (i) disclosure delay , (ii) overhead caused by keys and commitments on the bus, (iii) keys stored in memory and (iv) com- mitments on the bus (per second). (as depicted in [29])

0.002 0.004 0.006 0.008 0.010

∆ 100000

200000 300000 400000

MEM

HiL

200 400 600 800 1000 Σ 100000

200000 300000 400000

MEM

HiiL

0.004 0.006 0.008 0.010 1.0´10⁷ ∆

1.5´10⁷ 2.0´10⁷ 2.5´10⁷ 3.0´10⁷ 3.5´10⁷

BUS

HiiiL

400 600 800 1000 1.0´10⁸ Σ

1.5´10⁸ 2.0´10⁸ 2.5´10⁸ 3.0´10⁸ 3.5´10⁸

BUS

HivL

Figure 3.4: Comparison between BET A (continuous line) and GET A (dotted line) schemes at MEM and BUS requirements for: fixedσ = 1000and variableδ_norm in (i) and (iii), variableδ_norm and fixedσ= 1000in (ii) and (iv). (as depicted in [29])

Table 3.1: Some overheads at initialization and run-time (as established in [29])

BETA-CAN Ad-BETA-CAN

MEM^?_key `·σ·m σ·P

i=1,`m<sub>i</sub> CPU<sup>init</sup><sub>key</sub> `·σ·c σ·P

i=1,`c<sub>i</sub> CPU<sup>init</sup><sub>com</sub> `·c c₀+P

i=1,`−1c<sub>i</sub> BUS<sup>init</sup><sub>com</sub> `·m m₀+P

i=1,`−1m<sub>i</sub> CPU<sup>run</sup><sub>key</sub> [(σ+ 1)<sup>`</sup>−σ·`−1]·c σ·P

i=2,`[(σ+ 1)ⁱ⁻¹−1]·ci

BUS^run_key [(σ+ 1)^`−1]·m σ·P

i=1,`(σ+ 1)<sup>i−1</sup>·m<sub>i</sub> CPU<sup>run</sup><sub>com</sub> [<sup>(σ+1)</sup><sub>σ</sub><sup>`−1</sup> −`]·c P

i=2,`[(σ+ 1)ⁱ⁻¹−1]·ci

BUS^run_com [^(σ+1)_σ<sup>`−1</sup> −`]·m P

i=2,`[(σ+ 1)ⁱ⁻¹−1]·m_i

the messages, a reason for which we can drop on Merkle trees to re-initialize the keys. The follow- ing subsection presents the signature schemes, then we proceed to the protocol design and finally to some efficiency results. The results prove that these scheme are not the best alternative, they may perform better than standard public-key cryptography but there is still much before competing with the standard MAC-based schemes. From the following exposition we skip some of the arguments on security which can be retrieved from the original version of the work [31].

3.2.1 The employed signature schemes: a Merkle based scheme and HORS

We first present the one-time signature schemes as considered by us in [31]. The generic principle behind both of the one-time signature schemes is to apply a simple on-way function, e.g., a hash function, over some input that plays the role of a secret key and use the output as public key.

However if bits are signed individually this results in an inefficient scheme, not necessarily due to the number of hash computations since these are cheap, but mainly due to the size of the signature itself, e.g., in the worst case one hash for each bit. For this purpose, several improvements were proposed in the literature. The enhanced Merkle signature and HORS [69] that we discuss next employ the one-way chains in two highly distinctive fashions, a reason for which we choose to evaluate both of them in our CAN broadcast scenario.

Enhanced Merkle Signature Scheme (EMS). Given one-way functionf, signature schemeEMS is a triplet of polynomial time algorithmsGen,Sign,Ver where:

1. Genis a probabilistic algorithm that takes as input the security levelkalong with two integers λ, µand outputs the public-private key pairpk, pv, i.e.,pb ={(f^λ(uµ), f^λ(vµ)),...,(f^λ(u2), f^λ(v₂)),(f^λ(u₁), f^λ(v₁))},pv ={(u_µ, v_µ), ...,(u₁, v₁)} ←Gen(1^k, λ, µ)(here all u_i, v_i are random values ofkbits each),

2. Sign is a deterministic algorithm that takes as input the private key pv, a message m of blog₂(λ)c ·µbits which can be written as m = m_µ...m₂m₁ (where each m_i hasblog₂(λ)c bits), and outputs a signatures, i.e., s = {(f^λ−mµ(u_µ), f^mµ(v_µ)), ...,(f^λ−m2(u₂), f^m2(v₂)), (f^λ−m1(u₁), f^m1(v₁))},

3. Ver is a deterministic algorithm that takes as input the signature and the public key and outputs messagem = m_µ...m₂m₁ if and only if ∀i = 1..µ, f^λ−mi(s_i) = f^λ(u_i), f^mi(s_i) = f^λ(v_i)or⊥otherwise.

HORS Signature Scheme[69]. Given one-way functionf, signature schemeHORSis a triplet of polynomial time algorithmsGen,Sign,Ver where:

1. Gen is a probabilistic algorithm that takes as input the security parametersl, kand integers λ, µthen generatesλrandomk-bit valuess₁, s₂, ..., s_λ then computesv_i =f(s_i)and outputs the public-private key pair pk, pv, i.e., pb = {µ, f(s₁) ,..., f(s_λ)}, pv = (k, s₁, ..., v_λ) ← Gen(1^k, l, λ),

2. Sign is a deterministic algorithm that takes as input the private keypv and messagem then computes h = hash(m) and splits h into k substrings h₁, ..., h_µ each of log₂(t) bits and outputss = (s_h1, ..., s_hµ)(where eachh_i is interpreted as an integer index),

3. Ver is a deterministic algorithm that takes as input the signature s, the public keypb and messagemthen outputs 1 if and only iff(s⁰_i) =v_ifor eachiextracted as integer index from h(m).

3.2.2 The broadcast protocol

We now describe the broadcast protocol that was studied by us in [31]. For each of the signature schemes we use a broadcast protocol that relies on one-way key chains. In the case of the EMS signature, the key chain is used to commit future public keys, while in the case of the HORS signature each element of the key chain forms a public key for the signature (this happens in a similar fashion to the BiBa protocol from Perrig [63]).

Time synchronization is loose and is done with synchronization errorR,S which is the round- trip time of a handshake between the receiver and the sender. How to achieve this synchronization was already discussed in the previous section dedicated to TESLA-like protocols.

CONSTRUCTION2. (Broadcast with EMS) Given signature schemeEMSand the roles sender S and receiver R we define protocol Broadcast-EMSS,R[λ, µ, δ] as the following actions per- formed byS:

1. Initialization:Sgenerates a key chain by using a randomk0and computingkn =f(kⁿ⁻¹),∀i= 1..n, then he commits the tip of its top level-chain, i.e.,kn, the disclosure delayδand the pub- lic key obtained by runningGen(1^k, λ, µ),

2. Commitment: S sends at any point in time interval[t_start+i·δ, t_start + (i+ 1)·δ−ξ]

(hereξis a tolerance value to prevent the sender to commit aMACto close to the disclosure point which will increase the chance for a receiver to drop the packet) a fresh public keypb generated by usingGen(1^k, λ, µ)and aMACcomputed withki+1 on it, i.e,MAC_ki+1(pb), 3.Key Disclosure:S sends at timet_start+i·δthe corresponding key from the key chain, i.e., kⁱ,

4. Authentic Broadcast:S sends at any time in[t_start+i·δ, t_start+ (i+ 1)·δ−ξ]message mas a signature with message recoverys =Sign(m, pvlast)(herepvlast is the most recently generated private key);

andRrespectively:

1. Initialization:Rreceives the initialization information of the sender, i.e.,kⁿ, the disclosure intervalδand the public keypk,

2. Time Synchronization: R performs a loose time synchronization with S, such that the synchronization error_R,S << δ,

3. Receive Keys and Commitments: R receives ki and checks iff(ki) = kⁱ⁻¹ and discards it otherwise. AnyMACcomputed withki that is received afterTS,R(i·δ)is discarded. Any public key for which there exists a validMACand keykthat can verify it is deemed authentic, 4. Message Verification:RrunsVer(pk_i, sig_i)for any valid public key and deems authentic any output different from⊥.

CONSTRUCTION 3. (Broadcast with HORS). Given signature schemeHORS and the roles sender S and receiver Rwe define protocol Broadcast-HORS_S,R[λ, µ, δ]as the set of following actions performed byS:

1.Initialization: S generates a key chain starting from random k0, ...,kλ and computing kⁱj =f(k^j−1i ),∀i= 1..λ, j = 1..µ, then he commits the tip each chain, i.e.,k^µi,

2.Authentic Broadcast:S sends at any time in[t_start+i·δ, t_start+ (i+ 1)·δ−ξ]message malong with its signature computed withHORShaving as secret key input the keys from the current disclosure intervalkⁱ0,kⁱ1, ...,kⁱλ(the number of messages signed in each time interval depends on the security level and signature parameters);

3.Key Disclosure:Ssends at timet_start+i·δall the keys from the current interval that were not disclosed as HORS signature (to save some bandwidth, sending these keys can be skipped since the receivers can validate future signatures with previously received keys, but note that this will increase verification time on receivers)

andRrespectively:

1.Initialization: R receives the initialization information of the sender, i.e., k^µi,∀i = 1..λ and the disclosure intervalδ,

2.Time Synchronization: R performs a loose time synchronization with S, such that the synchronization errorR,S << δ,

3.Receive Keys and Commitments: R receives keys k^ji and checks if f(k^j−1i ) = k^ji and discards it otherwise.

4.Message Verification: RrunsVer(pk_i, sig_i)for any signature that is received in the cor- rect time interval and deems authentic any input that is correctly verified.

3.2.3 Efficiency analysis and comparison

For the complete efficiency analysis we do refer the reader to our original report in [31], here we only give a short overview of the results. In [31] we analysed various trade-offs that can be achieved with the enhanced Merkle signature then we compare it to RSA signatures and finally to HORS. The

main conclusion was that in general HORS would be more efficient in terms of verification speed and bus load while it is less efficient in terms of memory requirements. A theoretical estimation for the EMSsignature example on fault tolerant CAN at 128kbps, led to the conclusion that number of signed bits will not exceed 1.2kbps even if a hash computation does not exceed 100µs. For a bus speed at 1 Mbps, i.e., high speed CAN, the number of signed bits can get up to 2.5 kbps. Both these values seem to be too low for practical needs. The original version of our work [31] reports verification dealys in the order of a dozen milliseconds. For this reason, the scheme cannot be considered more efficient than TESLA (previously presented) or with LiBrA-CAN (presented in the following section).