Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Digital Signature for Flows and Multicast

VIEWS: 0 PAGES: 33

									Digital Signature for Flows and
Multicast

  Chung Kei Wong, student Member,IEEE and
         Simon S. LAM, Fellow,IEEE
 IEEE/ACM TRANSACTIONS ON NETWORKING,
               AUGUST 1999
Outline
   Introduction
   Main idea
   Detail design
   Conclusion
Introduction
   Basic concerns of securing data
       Confidentiality
       Authentication
       Integrity
       Nonrepudiation
Main idea
   We present chaining techniques for
    signing/verifying multiple packets using a
    single signing/verification operation.
   To further improve our procedures, we
    propose several extensions to the Feige–
    Fiat–Shamir digital signature scheme.
Existing Techniques for
Signing Flows
   Sign-each
   Flow
       Nonreal-time generated flow
       Real-time generated flow
            Signing rate is important
       Delay-sensitive flow
            verification rate is important
Characteristics in delivery of
flows and multicast
   For a multicasted flow, many receivers are limited
    in resource compared to sender, which is typically
    a dedicated server machine. In some environments,
    both senders and receivers may be limited in
    resource, e.g.,mobile computers using wireless
    communication.
Characteristics in delivery of
flows and multicast (cont.)
   Delay sensitive flows require fast processing at
    receivers.Real-time generated flows require fast processing
    at senders as well.
   Receivers may have widely different capabilities/resource.
    For example, receivers may be personal digital assistants,
    notebook computers, or desktop machine. Moreover, the
    resource available to a receiver for verifying signatures
    may vary over time.
Requirements
   The signing procedure is efficient and, for
    real-time generated flows, delay bounded.
   The verification procedure is efficient(since
    many receivers have limited resource).
   Packet in a flow are individually verifiable.
   Packet signatures are small (I.e., small
    communication overhead).
Chaining techniques
   A. Star Chaining
   D1,…D8,D1-8=h(D1,…,D8)
       Di:message digest of packeti
   D’1-8 = h(D1,D2,D3’,…,D8)
Chaining techniques
   B. Tree Chaining
       Comparison of Chaining
       Techniques
16 packets,deg = 2
Total:0.21+12.7 =
12.9ms
Ave:12.9/16 =
0.81ms
12.7/0.81=15.68




                    Chaining time (milliseconds) for a block (a) at a signer
       Comparison of Chaining
       Techniques
16 packets,deg = 2
Total:0.4+0.24 =
0.64ms
Ave:0.64/16 =
0.04ms
0.4/0.04=10




                Chaining time (milliseconds) for a block (b) at a verifier (with
                caching of verified nodes).
Flow Signing and Verification
Procedures
    Bounded Delay Signing
   Ds = T + chains(m) + Tsign
       in period T at most m packets are generated and their
        packet digests computed.
        chains(m):chaining time
       Tsign:block digest signing time
       Ds:delay upper bound


   Real-time generated flow
       Ds > 2(Tsign + chains(m))
THE eFFS SIGNATURE
SCHEME
   A. Basic FFS Scheme
       Parameter
            (k,t)
            N = p * q ( p , q : large prime)
            V1,v2,…,vk(k random integers)
            Si^2 = vi^-1 mod n
            Signing key {s1,…sk,n}
            Verifacation key {v1,v2,…,vk,n}
THE eFFS SIGNATURE
SCHEME
   Signing step
       1)r1,…rt : t random integers between 1 to n.
        Compute xi = ri^2 mod n. for I = 1,..t.
       2)Calculate message digest:h(m,x1,…xt)
         {bij} : first k*t bits of message digest
       3)yi = ri * (s1^bi1 * … * sk^bik) mod n
THE eFFS SIGNATURE
SCHEME
   Verify step
       1) zi = yi^2 * (v1^bi1 * … * v^bik) mod n
       First k*t bits of message digest h(m,z1,…zt)
        = {bij}?
Extensions to Speed up FFS
   1) Small Verification Key (small v-key)
       To use the first k prime numbers as verification key
        components {vi}.
   2) Chinese Remainder Theorem (crt)
       yi = ri * (s1^bi1 * … * sk^bik) mod n
             ((ai – bi) * q *qp^-1 +bi)
        qp^-1 = q^-1 mod p
        ai = ri * (s1^bi1 * … * sk^bik) mod p
        bi = ri * (s1^bi1 * … * sk^bik) mod q
Extensions to Speed up FFS
   3) Precomputation (precomp)
        k=4
        yi = ri * (s1^bi1 * … s4^bi4) mod n
        sb1…b4 = s1^bi1 * … s4^bi4
       4-bit precomp,k=128,512modulus
        128/4 * (2^4 – 1) = 480
        additional memory :480*512 bits or 31kB
       8-bit,12bit,16bit:261kB,2.88Mb,33.6MB
Extensions to Speed up FFS
Performance Comparison
Adjustable and Incremental
Verification
   Multiple keys(with different modulus size)
   t-level signature
       xi = yi^2 * (v1^bi1 * … * v^bik) mod n
   To verify a t-level signature of message at security
    level l
       (1) compute zi = yi^2 * (v1^bi1 * … * v^bik) mod n for
        I=1…l
       (2) verify that z2,…,zl are equal to x2,…,xl
        respectively
Adjustable and Incremental
Verification
   To increase the verification security level l1 from
    to l2
       1) compute zi = yi^2 * (v1^bi1 * … * v^bik) mod n for I
        = l1+1 … l2
       2) verify that zl1+1,…,z2 are equal to xl1+1,…,xl2
        respectively
   The size of a t-level signature
       Kt + (2t - 1) * |n|
       For 512-bit modulus and product kt = 128, a 1-level
        signature is 80 bytes and a 2-level signature is 208
        bytes.
Adjustable and Incremental
Verification
COMPARISON WITH OTHER
SIGNATURE SCHEMES
   1024-byte packets
   Pentium II 300-MHz machine running
    Linux.
   Four different modulus sizes, 384, 512, 768,
    and 1024 bits,
A. Key and Signature Sizes
A. Key and Signature Sizes
B. Signing and Verification Times
C. Flow Signing and Verification
Rates
Conclusion
   We have designed flow signing and verification
    procedures, based upon a tree-chaining technique, to meet
    the following requirements:
       1)flow signing is efficient and, for real-time generated flows,delay-
        bounded;
       2) flow verification is efficient (for receivers with limited
        resources);
       3) packets in a flow are individually verifiable (for best-effort
        multicast delivery);
        4) packet signatures are small (for a small communication
        overhead); and
       5) verification at a receiver is adjustable to different security levels
        and can be carried out incrementally (for receivers with limited
        resources).
Conclusion
   we propose several extensions to the Feige–Fiat–
    Shamir digital signature scheme to speed up both
    the signing and verification operations.
       1) eFFS is the fastest in signing (by a large margin over
        any of the other four schemes) and as fast as RSA in
        verification (tie for a close second behind Rabin).
        2) eFFS allows a tradeoff between memory and
        signing/verification time.
       3) eFFS allows adjustable and incremental verification
        by receivers.
Conclusion
   Question
       Key management
       Signing key size is very large
       If the signer has only few resource?

								
To top