
Page 1: Implementation of LSI for Privacy Enhancing Computation Kazue Sako, Sumio Morioka 2011.2.10 k-sako@ab.jp.nec.com

Implementation of LSI for Privacy Enhancing Computation

Kazue Sako, Sumio Morioka

2011.2.10

k-sako@ab.jp.nec.com

Page 2:

© NEC Corporation 2008(20080401)Page 2 NEC Confidential

Group Signatures

▐ Generating a single authentication data which provides two levels of verification

[Figure: Authorized Group, Server and Authority exchanging authentication data (signature). Labels: "Group Sig.", "Zero Knowledge Proof", "Encrypted ID", "Group Public Key", "ID?", "Group OK!", "ID OK!", "Level 1", "Level 2"; shown beside "Digital Sig." with "ID OK!".]

Group Sig.: Verify Group attribute. Cannot Identify User.

Only the authority with a secret key can identify the user.

Digital Sig. (Ordinary PKI): Anyone can verify and identify the user.

Page 3:

Group Signatures

▐ Generating a single authentication data which provides two levels of verification

[Figure: Authorized Group, Server and Authority exchanging authentication data (signature). Labels: "Group Sig.", "Zero Knowledge Proof", "Encrypted ID", "Group Public Key", "ID?", "Group OK!", "ID OK!", "Level 1", "Level 2".]

Verify Group attribute. Cannot Identify User.

Only the authority with a secret key can identify the user.

Authority is not unique for the group. Can be assigned by signer per authentication.
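The two checks on the slides above (anyone verifies group membership, only the authority chosen by the signer recovers the ID), as an added sketch that is not NEC's scheme or code: it swaps in a deliberately simple construction, an ElGamal-encrypted member key plus a Fiat-Shamir OR-proof over the member list, instead of the RSA and elliptic-curve algorithm the deck refers to. All names and the toy group parameters are assumptions made for this example.

```python
import hashlib, secrets

# Toy parameters constructed for this example (NOT secure): the multiplicative
# group modulo the Mersenne prime 2^127 - 1. Real schemes use a prime-order group.
P = 2**127 - 1
N = P - 1          # every exponent is reduced modulo the group order
G = 3

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def _hash(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def _commit(h, c1, c2, y, c, s, t):
    # Recompute one branch's commitments from its challenge c and responses s, t.
    u = c2 * pow(y, N - 1, P) % P                  # c2 / y; equals h^r on the real branch
    return (pow(G, s, P) * pow(c1, N - c, P) % P,
            pow(h, s, P) * pow(u, N - c, P) % P,
            pow(G, t, P) * pow(y, N - c, P) % P)

def sign(msg, j, x, members, h):
    """Member j (secret x) signs msg; h is the authority key picked for this signature."""
    r = secrets.randbelow(N)
    c1, c2 = pow(G, r, P), members[j] * pow(h, r, P) % P    # encrypted ID
    w, v = secrets.randbelow(N), secrets.randbelow(N)
    cs = [secrets.randbelow(N) for _ in members]            # simulated branches
    ss = [secrets.randbelow(N) for _ in members]
    ts = [secrets.randbelow(N) for _ in members]
    commits = [_commit(h, c1, c2, y, c, s, t) for y, c, s, t in zip(members, cs, ss, ts)]
    commits[j] = (pow(G, w, P), pow(h, w, P), pow(G, v, P)) # the one real branch
    cs[j] = (_hash(msg, h, c1, c2, members, commits) - sum(cs) + cs[j]) % N
    ss[j], ts[j] = (w + cs[j] * r) % N, (v + cs[j] * x) % N
    return c1, c2, cs, ss, ts

def verify(msg, sig, members, h):
    """Group check: confirms some member signed, without learning which one."""
    c1, c2, cs, ss, ts = sig
    commits = [_commit(h, c1, c2, y, c, s, t) for y, c, s, t in zip(members, cs, ss, ts)]
    return sum(cs) % N == _hash(msg, h, c1, c2, members, commits)

def open_signature(sig, members, authority_secret):
    """Identification: only the authority's secret key decrypts the signer's index."""
    y = sig[1] * pow(sig[0], N - authority_secret, P) % P
    return members.index(y)
```

The signature here grows linearly with the member list, which is acceptable for a sketch but is one reason practical group signatures use heavier mathematics.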

Page 4:

Application of Group Signatures: Internet shopping

[Figure: "Current scheme" and "Proposed scheme" flows between User, web store and Credit Card Company. Labels: "Card No", "BILL", "auth. data", "No Card no.", "Breach threat", "Ensures Payment", "Level 1", "Level 2".]

Page 5:

Application of Group Signatures: Outsourcing scenario

[Figure: "Current scheme" and "Proposed scheme" flows between User, Entrance Gate and Company. Labels: "Group, ID", "auth. data", "ID", "No Card no.", "Breach threat", "Ensures Group", "Work Record", "Level 1", "Level 2".]

Page 6:

Some applications: Car to Car communication

[Figure: "Current" and "Proposed" flows between Car, Car, Police and Vehicle maker. Labels: "Vehicle ID", "authN data", "Authenticates message", "Traffic Jam!", "Level 1", "Level 2".]

Messages are broadcast with Vehicle ID.

Makes it easy to trace cars.

Page 7:

Application example: Passports

[Figure: "Current" and "Proposed" flows between User, Hotels, Supermarkets and Japanese Embassy. Labels: "Passport No", "identification", "authN data", "No ID", "Leakage", "Ensures nationality", "Problem", "Level 1", "Level 2".]

Page 8:

What Group Signature brings…

▐ Enhances user’s privacy by hiding user’s identity information until it is needed
    ID-tag with a cover

▐ Servers do not have to receive unnecessary information
    No need to spend cost on preventing information breaches

▐ Enhances user’s privacy even when the user is not a signer
    The issuer of certificates uses a group signature to sign certificates
    Ex. Driver's License: users can hide in which country they obtained the license.

▐ Issue: computation is too heavy to be used in portable devices to ensure location privacy of users
    Portable devices: mobile phones, smart cards, other low-power embedded CPUs
    Need for development of an LSI for group signature computation

Page 9:

Implementation of LSI for group signature

Page 10:

Issues regarding implementation

▐ High computational complexity.
    Algorithm based on RSA and DDH on elliptic curves
        Isshiki, Mori, Sako, Teranishi, Yonezawa, ‘Using Group Signature for Identity Management and its Implementation’, Workshop on Digital Identity Management (DIM2006), http://www2.pflab.ecl.ntt.co.jp/dim2006/slide9.pdf
    10 times or more computation steps compared to conventional digital signature algorithms over RSA or ECC.
    Combination of different kinds of mathematical computations.
        • Large integer computation
        • Modular exponentiation and modular multiplication
        • Scalar multiplication and point addition on elliptic curve
        • Pseudo random number generation
        • Hash computation
    Implementing 10 K lines of C code in a single LSI is … unusual!

▐ GOAL: good performance on low-power embedded CPUs.

Page 11:

The world’s first (to our knowledge) LSI for group signatures

▐ Features
    Fast signature generation/verification speed.
        • 0.1 seconds at 150MHz clock
        • Same speed as S/W on a 3GHz clock PC
    Low power consumption.
        • Less than 0.6W at 150MHz clock
        • 1/100 or less power compared to PC (60W or more)
    Usable not only as an independent LSI chip but as an IP core (2 mm²)

▐ Development story
    3 years of effort exploring design strategy and H/W architecture.
    Achieved best trade-off balance of performance, circuit size and power consumption.

[Figure: block diagram. Labels: "RSA core", "ECC core", "INT core", "Parallel computation sequence", "HASH/PRNG core", "Computation controller", "temp. memory", "I/O interface".]

Page 12:

LSI for group signatures (2/2)

▐ What helped us … NEC original HW synthesizer
    With the help of behavioral synthesizer, 10K lines of C code resulted in 800 K gates of group signature computation accelerator

▐ Merits of H/W solution
    Low mass-production cost.
    Suitable for battery driven compact devices.
    High tamper resistance for critical security applications.

▐ The same architecture can be used to accelerate other cryptographic protocols

[Figure: NEC’s original H/W synthesizer]

Page 13:

Security and Privacy concerns

Mr. Tanaka

Tanaka passed Shibuya station at 13:19

Tanaka walked by Shibuya Station at 14:35

Tanaka bought glasses at Shibuya for 10,000yen

Tanaka arrived office at 14:53

Like being supervised everywhere

Page 14:

Better world with anonymous digital signatures

Mr. Tanaka

Good Passholder passed Shibuya station at 13:19

Kawasaki Citizen walked by Shibuya Station at 14:35

Credit Card holder bought glasses at Shibuya for 10,000yen

Employee arrived office at 14:53

Enhanced Privacy with Minimum Disclosure

Page 15:

This work was partly supported by Ministry of Internal Affairs and Communications.
