TL;DR
ARIS is a novel signature scheme optimized for real-time IoT systems, achieving high verification speeds, low energy consumption, and minimal delay, suitable for delay-sensitive applications despite increased storage needs.
Contribution
The paper introduces ARIS, a new signature scheme that significantly improves verification speed and energy efficiency for IoT, leveraging message encoding and elliptic curve functions.
Findings
Verifies 83,333 signatures per second on commodity hardware
Achieves the fastest signature generation and the lowest energy consumption among the compared schemes
Provides an open-source implementation for testing and verification
ARIS: Authentication for Real-Time IoT Systems
Rouzbeh Behnia⋆, Muslum Ozgur Ozmen⋆, Attila A. Yavuz
University of South Florida, Tampa, Florida
⋆ Work done in part when Rouzbeh Behnia and Muslum Ozgur Ozmen were at Oregon State University.
Abstract
Efficient authentication is vital for IoT applications with stringent minimum-delay requirements (e.g., energy delivery systems). This requirement becomes even more crucial when the IoT devices are battery-powered, like small aerial drones, and the efficiency of authentication directly translates to more operation time. Although some fast authentication techniques have been proposed, some of them might not fully meet the needs of the emerging delay-aware IoT.
In this paper, we propose a new signature scheme called ARIS that pushes the limits of the existing digital signatures, wherein commodity hardware can verify 83,333 signatures per second. ARIS also enables the fastest signature generation along with the lowest energy consumption and end-to-end delay among its counterparts. These significant computational advantages come with a larger storage requirement, which is a favorable trade-off for some critical delay-aware applications. These desirable features are achieved by harnessing message encoding with cover-free families and a special elliptic curve based one-way function. We prove the security of ARIS under the hardness of the elliptic curve discrete logarithm problem in the random oracle model. We provide an open-sourced implementation of ARIS on commodity hardware and an 8-bit AVR microcontroller for public testing and verification.
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Keywords:
Authentication; Internet of Things; digital signatures; delay-aware systems; applied cryptography.
I Introduction
IoT systems often need authentication for applications that must verify a large volume of incoming transactions or commands. While symmetric key primitives (e.g., HMAC) can provide very fast authentication, they fail to offer non-repudiation, which is often vital for these applications. For instance, Visa handles millions of transactions every day [1]. Each transaction corresponds to multiple authentications of the user’s request and card information on the merchant’s side, at the payment gateway and at the credit card issuer [2]. Therefore, more efficient solutions can significantly reduce the overall authentication overhead of such systems, which results in substantial financial gains.
The need for efficient authentication becomes even more imperative for applications in which IoT devices must operate in safety-critical settings and/or with battery limitations. For instance, battery-powered aerial drones [3] might communicate and authenticate streams of commands and measurements with an operation center in a short period of time. A fast and energy-efficient authentication can improve the flight and response time of such aerial drones [4]. Other IoT applications such as smart grid systems, which involve battery-powered sensors, will also benefit from fast and energy-efficient digital signatures which minimize the authentication delay/overhead and improve the operation time of the sensors [5]. Additionally, in vehicular networks, safety significantly hinges on the end-to-end delay [6], and therefore attaining a signature scheme with the lowest end-to-end delay is always desired.
I-A Our Contributions
In this paper, we propose a new efficient signature scheme called ARIS. ARIS makes use of an Elliptic Curve Discrete Logarithm Problem (ECDLP) based one-way function and exploits the homomorphic properties of such functions to (i) linearly add the private key elements to attain a shorter signature and (ii) mask this addition with a one-time randomness to achieve a (polynomially-bounded) multiple-time signature scheme. We outline the main properties of ARIS below.
- •
Fast Verification: ARIS provides the fastest signature verification among its counterparts. More specifically, ARIS pushes the limits of elliptic curve (EC) based signature schemes by providing nearly faster verification as compared to its fastest counterpart [7].
- •
Fast Signing: The signature generation of ARIS avoids expensive computations such as fixed-base scalar multiplication. Therefore, ARIS achieves 33% faster signing as compared to its fastest counterpart [7].
- •
Low End-to-End Delay: Due to having the fastest signature generation and verification algorithms, ARIS achieves nearly lower end-to-end delay as compared to its fastest counterpart [7]. This might encourage the adoption of ARIS for applications that require delay-aware authentication.
- •
Energy Efficiency: By avoiding any computationally expensive operation in the signing and verification algorithms, ARIS achieves the lowest energy consumption as compared to its state-of-the-art efficient counterparts. Specifically, as shown in Figure 2, the verification algorithm in ARIS attains lower energy consumption as compared to its most energy efficient counterpart. This makes ARIS potentially suitable for IoT applications wherein the battery-powered devices authenticate telemetry and commands (e.g., aerial drones).
- •
Tunable Parameters: ARIS offers a highly tunable set of parameters, which allows it to be instantiated with different properties for different applications. For instance, the parameter set that we considered for our implementation on the AVR microcontroller has a smaller public and private key pair, and if the same scheme is implemented on commodity hardware, it can offer faster signature generation ( faster than the scheme in [7]) at the cost of a few microseconds in the verification algorithm.
Limitations: All of the desired properties and efficiency gains in ARIS come at the cost of larger key sizes. For instance, in the verification-efficient instantiation of ARIS (as in Table I), which has the largest key sizes, the public key and private key could each be as large as KB. However, this can be decreased to KB and KB for the private key and public key sizes (respectively) while still maintaining the fastest signature generation and verification algorithms among its counterparts. We have shown that even with these parameter sizes, ARIS can be implemented on an 8-bit AVR while retaining the most computation- and energy-efficient algorithms, as shown in Figure 2, Figure 2 and Table II.
II Related Work
One-time signatures (e.g., HORS [8]) have been proposed to offer fast signing and verification. Following HORS, many schemes with different performance and security trade-offs, such as time-valid one-time signatures (i.e., TV-HORS [9]), have been proposed. However, these schemes suffer from security and performance penalties incurred by the need for time synchronization and their low tolerance for packet loss. Multiple-time hash-based signatures (e.g., XMSS [10]) utilize Merkle trees and can sign multiple messages by keeping the signer’s state. Recently, stateless variants (e.g., SPHINCS [11]) have been proposed; however, such schemes suffer from large signatures (around 41 KB) and slow signing algorithms.
Recently, a polynomially-bounded multiple-time signature scheme based on the HORS design was proposed [12]. The scheme utilizes the additive homomorphic property of the underlying one-way function to obtain fast signatures, where the signer only aggregates private key components during the online phase. However, despite its efficiency, it cannot meet the stringent delay requirements of some IoT applications. Another scheme, CEDA [13], exploits the aggregatable property of RSA-based one-way permutations and message encoding (as proposed in [8]) to attain efficient signing. However, the large parameter sizes not only incur very large public keys but also make the exponentiations that take place during signature generation and verification quite costly. Therefore CEDA, while among the most efficient schemes, does not surpass the latest implementations of signatures on fast elliptic curves.
In the line of work on fast elliptic curves, Renes et al. [14] presented an efficient instantiation of the scheme in [15] based on a Kummer surface, which shows significant performance gains compared to its base scheme [15]. In 2016, Costello et al. [7] proposed a new implementation of [15] based on another elliptic curve called FourQ, which is shown to outperform even the implementation in [14].
III Preliminaries
Notation. Given two primes $q$ and $p$, we define a finite field $\mathbb{F}_q$ and a group $\mathbb{Z}_p$. We also work on $E(\mathbb{F}_q)$ as an elliptic curve over $\mathbb{F}_q$. We commonly denote $P$ as a generator of the points on the curve. $x \xleftarrow{\$} S$ denotes that $x$ is sampled uniformly at random from the set $S$; $|x|$ denotes the bit length of $x$, i.e., $|x| = \log_2 x$; and $xP$ denotes the scalar multiplication of $P$ by $x$. $\texttt{PRF}_1: \{0,1\}^* \rightarrow \mathbb{Z}_p$ and $\texttt{PRF}_2: \{0,1\}^* \rightarrow \{0,1\}^{\kappa}$ are pseudorandom functions, and $\texttt{H}_1: \{0,1\}^* \times \mathbb{Z}_p \rightarrow \{0,1\}^{l_1}$, $\texttt{H}_2: E(\mathbb{F}_q) \rightarrow \{0,1\}^{l_2}$ and $\texttt{H}_3: \{0,1\}^* \times \{0,1\}^{l_2} \rightarrow \{0,1\}^{l_1}$ are hash functions, with $l_1$ and $l_2$ to be defined in Section VI.
Definition 1**.**
(Elliptic Curve Discrete Logarithm Problem) For as an elliptic curve over a finite field , given , the Elliptic Curve Discrete Log Problem (ECDLP) asks to find , if it exists, such that .
Definition 2**.**
A signature scheme consists of three algorithms defined as follows.
- –
Key generation: Given the security parameter , it outputs the private and public key pair .
- –
Signature generation: Given the message and the signer’s private key , it outputs the signature .
- –
Signature verification: Given a message-signature pair () and the claimed signer’s public key , it outputs a decision bit .
In the following definition, we define the security of signature schemes based on the methodology proposed in [16]. After the initialization phase (i.e., ), the adversary is given access to the signature generation oracle. wins if it outputs a valid message-signature pair (that was not previously output by the sign oracle) after making a polynomially-bounded number of queries.
Definition 3**.**
Existential Unforgeability under Chosen Message Attack (EU-CMA) experiment is defined as follows.
- –
- –
- –
If and was not queried to , return 1, else, return 0.
The EU-CMA advantage of is defined as .
IV Proposed Scheme
ARIS leverages the homomorphic property of its underlying ECDLP-based one-way function, which is due to the exponent product of powers property, to achieve (polynomially-bounded) multiple-time signatures from the one-time signature scheme proposed in [17], with more compact signatures. More specifically, in ARIS, the private key consists of randomly generated values (generated using a bit seed ) and the corresponding public key consists of all for .
To sign a message, the signer obtains indexes by hashing the message (and a random input), uses the indexes to retrieve the corresponding private key elements (i.e., where ) and sums them along with a one-time randomness . The signature consists of and , which is obtained by applying the hash function on , that is computed as the output of applying the one-way function on the one-time randomness .
Verification takes place by computing the summation of the corresponding public key elements (i.e., ) and their subtraction from the output of the ECDLP-based one-way function applied on . The verifier outputs valid if the subtraction yields the same value of as computed in the signature generation. Additionally, ARIS uses the BPV method in [18] to convert an EC scalar multiplication to only (where or for our proposed parameter sets) EC point additions with the cost of storing a small, constant-size table.
Our scheme consists of the following algorithms.
Key generation: Given the security parameter , this algorithm selects parameters such that and $z \xleftarrow{\$} \mathbb{Z}_p$, and works as follows.
1. Compute and for and set .
2. Compute and for and set .
3. Output and as the public key and private key, respectively.
Signature generation: Given a message to be signed, this algorithm works as follows.
1. Compute where for .
2. Compute for and set .
3. Retrieve for , and compute and .
4. Compute (where ) and for .
5. Compute and output .
Signature verification: Given a message-signature pair and , this algorithm works as follows.
1. Parse and compute , where for .
2. Retrieve for and set .
3. Compute and check if holds; output valid if so, and invalid otherwise.
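The three algorithms above, rendered as an added worked example (our own illustration, not the authors' code and not the open-source ARIS implementation linked in Section VI). It follows the design described in this section: a BPV table supplies the one-time randomness $r$ and $R = rP$ through point additions only, the hash $h = \texttt{H}_3(m, \texttt{H}_2(R))$ selects $k$ of the $t$ private key elements HORS-style, the signature is $s = r + \sum x_{i_j}$ together with $h$, and the verifier recovers $R$ as $sP - \sum Y_{i_j}$. Everything concrete is an assumption for the demo: secp256k1 stands in for FourQ, SHA-256 and SHAKE-256 stand in for $\texttt{H}_1$, $\texttt{H}_2$, $\texttt{H}_3$ and the index encoding, the values of $t$, $k$, $v$ and the BPV table size are toy-sized, and nothing is constant-time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# secp256k1 domain parameters. Assumption: stand-in for the paper's FourQ curve;
# the construction only needs a prime-order group with cheap point addition.
Q = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P1, P2):
    """Affine addition on y^2 = x^3 + 7 over F_Q; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % Q == 0:                        # P + (-P) = O
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, Q) % Q    # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def ec_mul(k, P1):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc, addend = None, P1
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def ec_neg(P1):
    return None if P1 is None else (P1[0], (-P1[1]) % Q)

def h2(point):
    """H_2: hash an EC point to a fixed-length string (point encoding is our assumption)."""
    enc = b"\x00" if point is None else point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return hashlib.sha256(b"H2" + enc).digest()

def indexes(tag, data, k, t):
    """HORS-style message encoding: k indexes in [0, t) from SHAKE-256 output.
    Assumption: 16 bits per index reduced mod t (slightly biased; fine for a demo)."""
    buf = hashlib.shake_256(tag + data).digest(2 * k)
    return [int.from_bytes(buf[2 * j:2 * j + 2], "big") % t for j in range(k)]

@dataclass
class PublicKey:
    Y: list          # Y_i = x_i * P for the t private key elements
    k: int           # indexes selected per signature
    t: int           # number of key elements

@dataclass
class PrivateKey:
    x: list          # private key elements x_1..x_t
    z: bytes         # secret fed to H_1 so per-message randomness is derived, not stored
    bpv: list        # BPV table of (r_j, r_j * P) pairs
    v: int           # table entries summed per signature
    pk: PublicKey

def keygen(t=32, k=8, v=4, n_bpv=16):
    """Toy parameters: the paper's t, k and BPV table are far larger."""
    x = [secrets.randbelow(N - 1) + 1 for _ in range(t)]
    pk = PublicKey([ec_mul(xi, G) for xi in x], k, t)
    bpv = []
    for _ in range(n_bpv):
        r = secrets.randbelow(N - 1) + 1
        bpv.append((r, ec_mul(r, G)))
    return PrivateKey(x, secrets.token_bytes(32), bpv, v, pk), pk

def sign(sk, m):
    # Steps 1-3: choose v BPV entries from H_1(m, z) and aggregate r and R = r*P
    # with point additions only, so signing never does a scalar multiplication.
    js = indexes(b"H1" + sk.z, m, sk.v, len(sk.bpv))
    r = sum(sk.bpv[j][0] for j in js) % N
    R = None
    for j in js:
        R = ec_add(R, sk.bpv[j][1])
    # Step 4: h = H_3(m, H_2(R)) selects which k private key elements to aggregate.
    h = hashlib.sha256(b"H3" + m + h2(R)).digest()
    idx = indexes(b"IDX", h, sk.pk.k, sk.pk.t)
    # Step 5: mask the sum of the selected private key elements with r.
    s = (r + sum(sk.x[i] for i in idx)) % N
    return s, h

def verify(pk, m, sig):
    s, h = sig
    idx = indexes(b"IDX", h, pk.k, pk.t)
    Ysum = None
    for i in idx:
        Ysum = ec_add(Ysum, pk.Y[i])
    # s*P - sum(Y_i) equals r*P = R for a genuine signature: one scalar
    # multiplication plus k point additions, then one hash comparison.
    R = ec_add(ec_mul(s, G), ec_neg(Ysum))
    return hmac.compare_digest(h, hashlib.sha256(b"H3" + m + h2(R)).digest())
```

`keygen()` returns `(sk, pk)`; `sign(sk, m)` yields `(s, h)` and `verify(pk, m, sig)` returns a boolean. Signing performs only `v` point additions while verification performs one scalar multiplication plus `k` point additions, which is the asymmetry the paper's Table I measures; the price is the `t` public key points and the BPV table, which is the storage trade-off the introduction describes. Because the randomness is derived from the secret `z`, signing the same message twice gives the same signature, so a reused `r` across different messages cannot occur.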
V Security Analysis
We prove that ARIS is EU-CMA secure, as defined in Definition 3, in the Random Oracle Model (ROM) [19]. The proof uses the Forking Lemma [20].
Theorem 1**.**
In the ROM, if adversary can -break the EU-CMA security of ARIS after making and random oracles and signature queries, respectively; then we can build another algorithm that runs as a subroutine and can solve an instance of the ECDLP (as in Definition 1).
Proof.
We let $Y^* \xleftarrow{\$} E(\mathbb{F}_q)$ be the ECDLP instance given to $\mathcal{B}$, whose goal is to find the discrete logarithm of $Y^*$ with respect to $P$. $\mathcal{B}$ selects $z \xleftarrow{\$} \mathbb{Z}_p$ and works as follows.
Setup: keeps three lists for to keep track of the outputs of the random oracles and a list to store the messages submitted to the sign oracle. sets up the random oracle - to handle the hash functions and generates the users’ public keys as follows.
- •
Setup -: implements - to handle queries to hash functions and , which are modeled as random oracles, as follows.
1. $\texttt{H}_1$: If $(m, z) \in \mathcal{L}_1$, it returns the corresponding value $\alpha_1$. Else, it returns $\alpha_1 \xleftarrow{\$} \{0,1\}^{l_1}$ and adds $(m, z, \alpha_1)$ to $\mathcal{L}_1$.
2. $\texttt{H}_2$: If $R \in \mathcal{L}_2$, it returns the corresponding value $\alpha_2$. Else, it returns $\alpha_2 \xleftarrow{\$} \{0,1\}^{l_2}$ and adds $(R, \alpha_2)$ to $\mathcal{L}_2$.
3. $\texttt{H}_3$: If $(m, h) \in \mathcal{L}_3$, it returns the corresponding value $\alpha_3$. Else, it returns $\alpha_3 \xleftarrow{\$} \{0,1\}^{l_1}$ and adds $(m, h, \alpha_3)$ to $\mathcal{L}_3$.
- •
Setup Public Key: Given the parameters , works as follows to generate the user public key.
1. Select $j \xleftarrow{\$} [1,t]$ and set $Y_j \leftarrow Y^*$.
2. Generate $x_i \xleftarrow{\$} \mathbb{Z}_p$ for $i \in \{1,\dots,t\}$, $i \neq j$.
3. Compute for and .
4. Set and .
’s Queries: queries the hash functions for and the sign oracle for up to and times, respectively. works as follows to handle these queries.
- •
Hash Queries: ’s queries to hash functions and are handled by the - function described above.
- •
Signature Queries: works as follows to answer ’s signature query on message . If , retrieves the corresponding signature from and returns to . Else, if , it works as follows.
1. Select $s \xleftarrow{\$} \mathbb{Z}_p$ and set $S \leftarrow sP$.
2. Select indexes $(i_1,\dots,i_k) \xleftarrow{\$} [1,t]$.
3. Set and , and add to .
4. If , abort. Else, add to .
5. Output to and add .
’s Forgery: Eventually, outputs a forgery on message and public key . Following the EU-CMA definition (as in Definition 3), only wins the game if returns and was never submitted to signature queries in the previous stage (i.e., ).
Solving the ECDLP: If does not output a valid forgery before making hash queries and signature queries, also fails to solve the instance of ECDLP. Otherwise, if outputs a valid forgery , using the forking lemma, rewinds with the same random tape as in [20], to get a second forgery where, with an overwhelming probability and . Based on [20, Lemma 1], , therefore, given and , can solve a random instance of the ECDLP problem (i.e., ) if one of the following conditions hold.
- •
Case 1: For and we have and .
- •
Case 2: For and we have and .
If any of the above cases holds, works as follows. If Case 1 holds, . Else, if Case 2 holds, . ∎
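Worked derivation of the extraction step, added here for clarity; it is not part of the original proof text, and the set names $I$ and $I'$ are ours. Let $I$ and $I'$ be the sets of $k$ indexes selected (through the hash output) by the first forgery $(s, h)$ and by the rewound forgery $(s', h')$ on the same message. Since $\mathcal{A}$ is rewound with the same random tape, both forgeries share the one-time randomness $r$ (and hence $R$), so the signing equation gives
$$s = r + \sum_{i \in I} x_i \bmod p, \qquad s' = r + \sum_{i \in I'} x_i \bmod p.$$
Subtracting eliminates the unknown $r$:
$$s - s' = \sum_{i \in I} x_i - \sum_{i \in I'} x_i \bmod p.$$
$\mathcal{B}$ knows every $x_i$ with $i \neq j$, because it generated them itself at setup, while $Y_j = Y^*$ is the challenge. In Case 1 ($j \in I$, $j \notin I'$) the unknown term survives exactly once and
$$x_j = s - s' - \sum_{i \in I \setminus \{j\}} x_i + \sum_{i \in I'} x_i \bmod p;$$
in Case 2 ($j \notin I$, $j \in I'$), symmetrically,
$$x_j = s' - s - \sum_{i \in I' \setminus \{j\}} x_i + \sum_{i \in I} x_i \bmod p.$$
In both cases $x_j P = Y_j = Y^*$, so $x_j$ is the discrete logarithm of the challenge. If $j$ occurs in both index sets (or in neither), the $x_j$ terms cancel and this forgery pair gives $\mathcal{B}$ nothing; the reduction therefore succeeds only when the uniformly chosen $j$ falls in exactly one of the two sets.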
VI Performance Evaluation
We have fully implemented ARIS on the FourQ curve [21], which is known to be the fastest EC that provides 128-bit security. We provide implementations of ARIS on both commodity hardware and an 8-bit microcontroller to evaluate its performance, since most IoT deployments include both (e.g., commodity hardware as servers or control centers, and microcontrollers as IoT devices connected to sensors). We compare the performance of ARIS with state-of-the-art digital signature schemes on both platforms in terms of computation, storage and communication. Our implementation is open-sourced at the following link.
https://github.com/rbehnia/ARIS
VI-A Performance on Commodity Hardware
VI-A1 Hardware Configurations
We used a laptop equipped with Intel i7 Skylake processor @ GHz and GB RAM.
VI-A2 Software Libraries
We implemented ARIS using the open-sourced FourQ implementation [21], which offers the fastest EC operations, specifically EC additions, which are critical for the performance of ARIS. We used an Intel processor as our commodity hardware and leveraged Intel intrinsics to optimize our implementation. Specifically, we implemented our PRF functions with Intel intrinsics (AES in counter mode). We used blake2 as our hash function [22] due to its efficiency.
We ran the open-source implementations of our counterparts on our hardware to compare their performance with ARIS.
VI-A3 Parameter Choice
Since we implement ARIS on the FourQ curve, we use its parameters given in [21], which provide -bit security. Other than the curve parameters, the choice of also plays a crucial role in the security of ARIS. Specifically, the number of -out-of- combinations should also provide -bit security for the scheme to offer this level of security overall. On the other hand, we can tune these parameters to achieve the desired security level with different performance trade-offs: increasing and decreasing results in larger storage with faster computation, and vice versa. For our commodity hardware implementation, we choose and , which we believe offers a reasonable trade-off between storage and computation while providing the desired -bit security level. We set and .
VI-A4 Experimental Results
We present the results of our experiments in Table I. We observe that ARIS offers very fast signature generation and verification. It only takes 9 microseconds to generate a signature and 12 microseconds to verify it. This is the fastest among our counterparts, where the closest is SchnorrQ. Furthermore, if we use the same parameters set as for the AVR microcontroller, we can further speed up the signature generation to microseconds, with the cost of a few microseconds on the verification speed. In SchnorrQ, a scalar multiplication is required in signature generation and a double scalar multiplication in verification. In ARIS, EC additions are required for signature generation and verification is done with a scalar multiplication and EC additions. This corresponds to a faster signature generation and faster verification for ARIS, compared to SchnorrQ. Therefore, we believe ARIS can be an ideal alternative for real-time applications.
The ARIS signature size is the same as that of its EC-based counterparts [23, 15, 14, 7], and significantly smaller than that of its RSA-based and hash-based counterparts [24, 13, 11]. On the other hand, ARIS comes with a larger private and public key, of KB.
VI-B Performance on 8-bit AVR
VI-B1 Hardware Configurations
We used an 8-bit AVR ATmega 2560 microcontroller as our IoT device to implement ARIS. ATmega 2560 is equipped with KB flash memory, KB SRAM and KB EEPROM, with a maximum clock frequency of MHz. ATmega 2560 is extensively used in practice for IoT applications (especially in medical implantables) due to its energy efficiency [28].
VI-B2 Software Libraries
We implemented ARIS on the ATmega 2560 using the 8-bit AVR implementation of the FourQ curve [27], which provides the basic EC operations and a blake2 hash function. We implemented our scheme with the IAR Embedded Workbench and used its cycle-accurate simulator for our benchmarks.
As for our counterparts, we used their open-sourced implementations [25, 26, 27, 29]. Note that we only compare ARIS with its EC-based counterparts, due to their communication and storage efficiency. Moreover, resource-constrained processors such as the ATmega 2560 may not be suitable for heavy computations (e.g., exponentiation with 3072-bit numbers in RSA [24] and CEDA [13]).
VI-B3 Parameter Choice
As mentioned, ARIS can be instantiated with different values that offers a trade-off between storage and computation. Since ATmega 2560 is a storage-limited device, we select our parameters as and to offer storage efficiency. Moreover, this allows us to store the private components ( and ), instead of deterministically generating them at signature generation, and still have a tolerable storage even for an 8-bit microcontroller. We also set and .
VI-B4 Experimental Results
Table II shows the performance of ARIS compared with its counterparts. The speed improvements of ARIS can also be observed on the ATmega 2560. ARIS is faster in signature generation and faster in signature verification compared to its closest counterpart [7]. This can translate into a significant practical difference for real-time applications that require fast authentication. Note that these benchmarks are obtained with a more “storage friendly” parameter choice, and can be further accelerated with different parameter choices where the microcontroller is not memory-constrained.
One may notice that, due to our parameter choice, the key sizes in our 8-bit microcontroller implementation are smaller. As aforementioned, this is because we select a different parameter set for . Moreover, we also store the private components, which correspond to 8 KB of signer storage. Since we store these keys in the flash memory of the ATmega 2560, they only correspond to and of the total memory for the private key and public key, respectively. Therefore, although the keys are significantly larger than those of our EC-based counterparts, it is still feasible to store them even on highly resource-constrained 8-bit microcontrollers.
VI-B5 Energy Efficiency
It is highly desirable to minimize the energy consumption of cryptographic primitives in IoT applications to offer a longer battery life. For microcontrollers, the energy consumption of the device can be computed as the product of the supply voltage, the current drawn and the computation time [30]. Considering that the voltage and current of a microcontroller are constant while the device is active, the energy consumption increases linearly with the computation time. Since ARIS offers the fastest signature generation and verification, its energy consumption is the lowest among its counterparts, and it would therefore be preferred in applications that require longer battery life.
VII Conclusion
In this paper, we presented a new efficient signature scheme to meet the strict minimum delay requirements of some real-time IoT systems. This is achieved by harnessing the homomorphic property of the underlying ECDLP-based one-way function and the precomputation technique proposed in [18]. Our experimental results showed that the proposed scheme outperforms its state-of-the-art counterparts in signing and verification speed as well as in energy efficiency. The proposed scheme is shown to be secure, in the Random Oracle Model, under the hardness of the ECDLP. We open-sourced our implementation to enable public testing and verification.
**Acknowledgment. ** This work is supported by the Department of Energy award DE-OE0000780 and NSF award #1652389.
References
[1] J. Steele. (2018) Debit card statistics. [Online]. Available: https://www.creditcards.com/credit-card-news/debit-card-statistics-1276.php
[2] O. Papadimitriou. (2009) How credit card transaction processing works: Steps, fees & participants. [Online]. Available: https://wallethub.com/edu/credit-card-transaction/25511/
[3] J. Won, S.-H. Seo, and E. Bertino, “A secure communication protocol for drones and smart objects,” in Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ser. ASIA CCS ’15. ACM, 2015, pp. 249–260.
[4] M. O. Ozmen and A. A. Yavuz, “Dronecrypt - an efficient cryptographic framework for small aerial drones,” in Milcom 2018 Track 3 - Cyber Security and Trusted Computing (Milcom 2018 Track 3), Los Angeles, USA, 2018.
[5] T. Tesfay and J. Y. L. Boudec, “Experimental comparison of multicast authentication for wide area monitoring systems,” IEEE Transactions on Smart Grid, vol. PP, no. 99, 2017.
[6] “IEEE standard for wireless access in vehicular environments security services for applications and management messages,” IEEE Std 1609.2-2013 (Revision of IEEE Std 1609.2-2006), pp. 1–289, April 2013.
[7] C. Costello and P. Longa, “SchnorrQ: Schnorr signatures on FourQ,” MSR Tech Report, 2016. Available at: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/07/SchnorrQ.pdf
[8] L. Reyzin and N. Reyzin, “Better than BiBa: Short one-time signatures with fast signing and verifying,” in Proceedings of the 7th Australasian Conference on Information Security and Privacy (ACISP ’02). Springer-Verlag, 2002, pp. 144–153.
