Table I. Signer-side comparison on the 8-bit AVR ATmega 2560.

| Scheme | CPU cycles | Signing Speed (ms) | Code Size (Byte) | Signature Size (Byte) | Private Key (Byte) | CPU energy (mJ) |
|---|---|---|---|---|---|---|
| ECDSA | 79 185 664 | 4949 | 11 990 | 64 | 32 | 494.91 |
| BPV-ECDSA | 23 519 232 | 1470 | 27 912 | 64 | 10 272 | 146.99 |
| Ed25519 | 34 342 230 | 2146 | 17 373 | 64 | 32 | 214.64 |
| SchnorrQ | 5 174 800 | 323 | 29 894 | 64 | 32 | 32.34 |
| ESEM | 616 896 | 38 | 18 465 | 48 | 32 | 3.85 |
We use low-area implementations due to the memory constraints of the ATmega 2560. Note that ESEM does not store any precomputed components (e.g., tables).
It is essential to provide authentication and integrity services for the emerging Internet of Things (IoT) systems that include resource-constrained devices. Due to their computational efficiency, symmetric key primitives (e.g., message authentication codes) are usually preferred for such systems. On the other hand, these primitives might not be scalable for large and ubiquitous systems, and they also do not offer public verifiability and non-repudiation properties, which are essential for some IoT applications [1, 2, 3]. For instance, in financial IoT applications and implantable medical devices, digital forensics (e.g., legal cases) need non-repudiation and public verifiability [2, 3, 4]. Moreover, such systems may include many devices that require scalability.
Digital signatures rely on public key infrastructures and offer scalable authentication with non-repudiation and public verifiability. Therefore, they are ideal authentication tools for the security of IoT applications. On the other hand, most compact digital signatures (e.g., elliptic curve (EC) based signatures) require costly operations such as EC scalar multiplication and addition during signature generation. It has been shown [5, 6, 7], and further demonstrated by our experiments, that these operations can be energy costly and can therefore negatively impact the battery life of highly resource-limited embedded devices. For instance, as one of many potential applications, consider a resource-limited sensor (e.g., a medical device) that frequently generates and signs sensitive data (medical readings), which are verified by a resourceful cloud service provider. There is a need for lightweight signatures that can meet the computation, memory and battery limitations of these IoT applications.
The goal of this paper is to devise an energy-aware and compact digital signature scheme that can meet some of the stringent battery and memory requirements of highly resource-limited IoTs (e.g., implantable medical devices) that must operate for long periods of time with minimal intervention.
Design Objectives: (i) The signature generation should not require any costly operation (e.g., exponentiation, EC operations), but only symmetric cryptographic functions (e.g., pseudorandom functions) and basic arithmetic (e.g., modular addition). (ii) Low-end devices are generally not only computation/battery limited but also memory limited. Hence, objective (i) should be achieved without resorting to precomputed storage (e.g., Boyko-Peinado-Venkatesan (BPV) tables, or online/offline signatures). (iii) The signing should not draw new randomness, to avoid the potential hurdles of weak pseudo-random number generators. (iv) The signature should be small and constant-size, as in Schnorr-like signatures. (v) The size of the public key should be constant.
Our Contributions: (i) We create an Energy-aware Signature for Embedded Medical devices (ESEM), which is ideal for signature generation on highly resource-limited IoT devices. We observe that realizations of Schnorr-like signatures on efficient elliptic curves (e.g., FourQ) are currently the most efficient solutions, and that the generation of the commitment value via a scalar multiplication is the main performance bottleneck in these schemes. Our main idea is to completely eliminate the generation, storage, and transmission of this commitment from the signing of the Schnorr signature. To achieve this, we first develop a new algorithm that we call Signer NOn-interactive Distributed BPV (SNODBPV), which permits a distributed construction of the commitment for a given signature at the verifier's side, without requiring any interaction with the signer. We then transform the signature generation process such that correctness and provable security are preserved once the commitment value is separated from message hashing and SNODBPV is incorporated into ESEM. We present our proposed algorithms in Section III. In Section IV, we prove that ESEM is secure in the random oracle model under a semi-honest distributed setting for SNODBPV.
(ii) We implemented ESEM and its counterparts both on an AVR ATmega 2560 microcontroller and on commodity hardware, and provide a detailed comparison in Section V. We also conducted experiments to assess the battery consumption of ESEM and its counterparts when they are used with common IoT sensors (e.g., a pulse sensor and a pressure sensor). We make our implementation open-source for broad testing and adoption.
Desirable Properties of ESEM: We summarize the desirable properties of our scheme as follows (Table I gives a comparison of ESEM with its counterparts in terms of signing efficiency on 8-bit AVR processor):
Signing and Energy Efficiency: The signature generation of ESEM does not require any EC operations (e.g., scalar multiplication, addition) or exponentiation, but only pseudo-random function (PRF) calls, modular additions and a single modular multiplication. Therefore, ESEM achieves the lowest energy consumption among its counterparts. For example, ESEM consumes and less battery than SchnorrQ and Ed25519, respectively. Our experiments indicate that ESEM can substantially extend the battery life of low-end devices integrated into IoT applications (see Section V). Similarly, ESEM is at least an order of magnitude faster than Ed25519 both on an 8-bit microcontroller and on commodity hardware. This gap further increases when our high-speed variant of ESEM (introduced in Section III) is considered.
Small Private Key and Signature Sizes: ESEM has the smallest signature size among its counterparts (Bytes for) with an identical private key size. ESEM does not require any precomputation tables to be stored at the signer, and therefore it is significantly more storage and computation efficient than schemes relying on tables at the signer's side. Moreover, ESEM has a small code size at the signer since it only requires symmetric primitives and basic arithmetic.
High Security: (i) Side-channel attacks exploiting the EC scalar multiplication implementations in ECDSA have been proposed. Since ESEM does not require any EC operations at the signer, it is not vulnerable to these types of attacks. (ii) The security of Schnorr-like signatures is sensitive to weak random number generators. The signing of ESEM does not consume new randomness, and can therefore avoid these problems. (iii) We prove that ESEM is secure in the random oracle model.
Potential Use-cases: In many IoT applications, extending the battery life of low-end processors (i.e., usually the signers) is a priority, while verifiers generally use commodity hardware (e.g., a server) with reasonable storage and communication capabilities. In particular, energy efficiency is a vital concern for embedded medical devices, as they are expected to operate reliably for long periods of time. Currently, symmetric cryptography is preferred to provide security for such devices. At the same time, the ability to produce publicly verifiable authentication tags with non-repudiation is desirable for medical systems [2, 3, 4] (e.g., digital forensics and legal cases). Moreover, the scalable integration of various medical apparatus into the IoT realm will benefit significantly from the ability to deploy digital signatures on these devices. ESEM takes a step towards meeting this need, as it is currently the most energy efficient alternative with small signature and private key sizes. Essentially, any IoT application involving energy/resource limited signers and more capable verifiers (e.g., wireless sensor networks and IoT sensors in smart cities) is expected to benefit from ESEM.
Limitations: The signature verification of ESEM is distributed, wherein a verifier reconstructs the commitment value of a signature with the help of parties. Therefore, verification of ESEM is not real-time, and the verifier must wait for a response from all parties. However, as confirmed by our experiments, this only results in a few milliseconds of delay. Moreover, the signer does not need to interact with any party to compute signatures. Parties aiding the verification are assumed to be semi-honest (they do not deviate from the protocol, but try to learn information) and non-colluding (as in traditional semi-honest secure multi-party computation). In our case, even if parties collude, ESEM remains EU-CMA secure. Since ESEM is designed for near-optimal signer performance, we believe that ESEM is suitable for applications as outlined above, where a small delay and interaction can be tolerated at the verifier.
II Preliminaries and Models
We first give the notations and definitions used by our schemes, and then describe our system/security model.
II-A Notation and Definitions
Notation: and denote concatenation and the bit length of variable , respectively. means variable is randomly selected from set . denotes the cardinality of set . We denote by the set of binary strings of any finite length. The set of items for is denoted by . denotes . denotes algorithm is provided with oracles . For example, denotes algorithm is provided with a signing oracle of algorithm of signature scheme under a private key . We define a pseudo-random function (PRF) and three hash functions to be used in our schemes as follows: , , and , where are BPV parameters and is the security parameter.
A signature scheme is a tuple of three algorithms defined as follows:
: Given the security parameter , the key generation algorithm returns a private/public key pair .
: The signing algorithm takes a message and a , and returns a signature .
: The verification algorithm takes a message , signature and the public key as input. It returns a bit : means valid and means invalid.
Our schemes are based on the Schnorr signature.
The Schnorr signature scheme is a tuple of three algorithms defined as follows:
: Given as the input,
The system-wide , where and are large primes such that and , and a generator of the subgroup of order in .
Generate the private/public key pair . We suppress afterwards for brevity.
: Given and as the input, it returns a signature , where is a full domain hash function.
: The signature verification algorithm takes , and as the input. It computes and returns a bit , with indicating valid, if and otherwise.
We use the Boyko-Peinado-Venkatesan (BPV) generator.
The BPV generator is a tuple of two algorithms defined as follows:
: The offline algorithm takes as input and generates the system-wide parameters as in the Schnorr scheme above.
The BPV parameters and are the number of pairs to be precomputed and the number of elements to be randomly selected out of those pairs, respectively, for .
Set precomputation table .
: The online algorithm takes the table and as input.
Generate a random set , where .
The distribution of the output is statistically close to the uniform random distribution with an appropriate choice of the parameters .
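The following Python is an added illustration, not code from the paper: textbook Schnorr signing over a tiny toy group together with the BPV generator's offline and online phases. The group (p = 4079, q = 2039, g = 4), the table size, the hash (SHA-256 reduced into Z_q) and the seeded PRNG are assumptions chosen for readability; real deployments use a curve such as FourQ and a CSPRNG. Since the paper's Schnorr equations are elided on this page, the code uses the standard form e = H(R || m), s = r + e·sk mod q, verified by g^s = R · y^e. It shows that BPV.Online yields a pair (r, R) with R = g^r using only k-1 multiplications, and that this pair drops straight into Schnorr as the ephemeral commitment, which is exactly the cost the paper later removes from the signer.

```python
"""Textbook Schnorr over a prime-order subgroup, plus the BPV precomputation
generator, in a toy group.  Added example; not the paper's code."""
import hashlib
import math
import random

# Toy Schnorr group (an assumption of this example; far too small for real use):
# p = 4079 and q = 2039 are prime with q | p - 1; g generates the order-q subgroup.
P = 4079
Q = 2039
G = pow(2, (P - 1) // Q, P)          # = 4; order exactly q because q is prime and g != 1
NBYTES = (P.bit_length() + 7) // 8


def make_rng(seed):
    """Seeded PRNG so the example is reproducible; real keys need a CSPRNG."""
    return random.Random(seed)


def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)


def schnorr_hash(R, msg):
    """Full-domain hash H(R || m) reduced into Z_q."""
    digest = hashlib.sha256(R.to_bytes(NBYTES, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q


def sign(sk, msg, r, R):
    """Schnorr signing given the ephemeral pair (r, R = g^r): s = r + e*sk mod q."""
    e = schnorr_hash(R, msg)
    return R, (r + e * sk) % Q


def verify(pk, msg, sig):
    """Accept iff g^s == R * pk^e, which holds because g^s = g^r * g^(e*sk)."""
    R, s = sig
    e = schnorr_hash(R, msg)
    return pow(G, s, P) == (R * pow(pk, e, P)) % P


def bpv_offline(n, rng):
    """BPV.Offline: a table of n pairs (x_i, g^{x_i}); all exponentiations happen here."""
    table = []
    for _ in range(n):
        x = rng.randrange(1, Q)
        table.append((x, pow(G, x, P)))
    return table


def bpv_online(table, k, rng):
    """BPV.Online: pick k distinct indices, r = sum x_i mod q, R = prod g^{x_i} mod p.
    Because g^(sum x_i) = prod g^{x_i}, R == g^r without any exponentiation."""
    chosen = rng.sample(range(len(table)), k)
    r = sum(table[i][0] for i in chosen) % Q
    R = 1
    for i in chosen:
        R = (R * table[i][1]) % P
    return r, R


def combinations(n, k):
    """Number of distinct k-out-of-n index sets; the paper sizes (n, k) by this count."""
    return math.comb(n, k)


def sign_with_bpv(sk, table, k, msg, rng):
    """Schnorr signing where the commitment comes from BPV instead of g^r."""
    r, R = bpv_online(table, k, rng)
    return sign(sk, msg, r, R)


if __name__ == "__main__":
    rng = make_rng(7)
    sk, pk = keygen(rng)
    table = bpv_offline(16, rng)                  # constructed toy table
    sig = sign_with_bpv(sk, table, 4, b"pulse=72", rng)
    print("valid:", verify(pk, b"pulse=72", sig), "index sets:", combinations(16, 4))
```

Note that the signer in this classical BPV setting still has to store the whole table and still transmits R; the point of the paper's SNODBPV is to move both the table and the computation of R off the signer.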
II-B System and Security Model
As depicted in Figure 1, our system model includes a highly resource-limited signer that computes signatures to be verified by any receiver. Our system model also includes distinct parties () that are involved in signature verification. Following prior work, after the initialization phase we consider a synchronous network which consists of a client (the verifier in ESEM) and semi-honest servers . We assume that the communication channels are secure.
The security notion for a digital signature is Existential Unforgeability against Chosen Message Attack (EU-CMA).
EU-CMA experiment for a signature scheme is defined as follows.
wins the above experiment if and was not queried to the oracle. The EU-CMA advantage of is defined as
A protocol is -private if any set of parties with cannot compute or obtain any output or knowledge beyond what they could have obtained individually from their own private inputs and outputs.
We assume that the servers are semi-honest: they always follow the protocol, but try to learn as much as possible from the shared or observed information.
For , where is the total number of servers, our proposed scheme is -private. The signature generation in our scheme does not require the participation of the servers. In other words, the signer does not need to interact with any of the servers during signature generation. The participation of all servers is, however, required on the verifier's side.
III Proposed Schemes
We first discuss the design challenges in achieving the objectives outlined in Section I. We elaborate on our Signer NOn-interactive Distributed BPV (SNODBPV) algorithm that addresses some of them. We then present ESEM, which uses SNODBPV and other strategies to achieve our objectives.
III-A High-Level Design
Schnorr-like signatures with implementations on recent ECs (e.g., FourQ) are currently among the most efficient and compact digital signatures. Hence, we take them as our starting point. In these schemes, the signer generates a random value and its commitment , which is incorporated into both signing and verification (as an input to the hash along with the message). This exponentiation (EC scalar multiplication) constitutes the main cost of signature generation, and therefore we aim to eliminate it completely from signing. However, this is a highly challenging task.
III-A1 Commitment Generation without Signer Interaction
Eliminating the commitment from signing permits the removal of EC operations such as scalar multiplication/addition. It also eliminates the transmission of and the storage of a table at the signer. However, the commitment is necessary for signature verification. Hence, the verifier should obtain a correct commitment for each signature under the following requirements: (i) The verifier cannot interact with the signer to obtain the commitment (i.e., the signer does not have it). (ii) The signer non-interactive construction of the commitment should not reveal the ephemeral randomness . (iii) Unlike some multiple-time signatures, the verifier should not have a fixed limit on the number of signature verifications and/or a linear-size public key.
We propose a new algorithm, which we refer to as SNODBPV, to achieve these requirements. Our idea is to create a distributed BPV technique that permits a set of parties to construct a commitment on behalf of the signer. This distributed scheme permits the verifiers to obtain the corresponding commitment of a signature from these parties on demand, without revealing and without any interaction with the signer. We elaborate on SNODBPV in Section III-B.
III-A2 Separation of the Commitment from Signature Generation with SNODBPV
The commitment value is generally used as part of message hashing (e.g., in Schnorr) in Schnorr-like signatures. To eliminate from the signature, the commitment must be separated from the message. However, the use of the commitment in message hashing plays a role in the security analysis of Schnorr-like signatures. Moreover, removing the commitment from signing while using the SNODBPV algorithm requires a design adjustment.
We propose our main scheme, ESEM, which achieves these goals. Following prior work, we use a one-time random value in the message hashing, but also devise an index encoding and aggregate BPV approach to integrate SNODBPV into signature generation. This permits a constant-size public key at the verifier without any interaction with the signer. We give the details of ESEM in Algorithm 2.
III-B Signer NOn-interactive Distributed BPV (SNODBPV)
We conceive SNODBPV as a distributed realization of BPV where parties hold the public values of the tables and can then collaboratively derive without learning its corresponding private value unless all of them collude. We stress that one cannot simply shift the storage of the public values in a table to a single verifier. This is because the indexes needed to compute the commitment must remain hidden in order to protect the one-time randomness . We overcome this challenge by creating a distributed approach that can be integrated into a Schnorr-like signature. In SNODBPV.Offline, at Step 2, the secret key is used as a seed to derive secret values . Each is used to deterministically generate secret values , whose corresponding public values are computed in Steps 4-5 and given to the parties .
In the online phase, the sender (i.e., signer) generates the aggregated on its own, and the receiver (i.e., verifier) generates the aggregated cooperatively with the parties . The sender first derives a random value from a keyed hash function (SNODBPV.Sender, Step 1), and then deterministically derives the values (Step 3) as in SNODBPV.Offline. The sender uses the , which is shared only with the corresponding party, together with the one-time random value to generate the set of indexes used to aggregate the values. This step is of high importance since, this way, the sender commits to the one-time random value . The sender repeats this process for all parties and aggregates (adds) all the corresponding values to derive the resulting (Step 5).
The verifier proceeds as follows to generate the corresponding . At Step 1 of SNODBPV.Receiver, the verifier communicates with the parties to obtain each from them. Upon request, each party first derives the same set of indexes as the sender (Step 1). Then, each party aggregates the corresponding values that were assigned to it in SNODBPV.Offline and returns the result to the verifier. The verifier aggregates all these values at Step 2 to derive the corresponding . Note that only the parties can create the index set, since only they have their corresponding values. Moreover, since every server provides a value that can be generated only by it, unless all of the servers collude they cannot learn any information about the other indexes or the one-time randomness . This makes our scheme -private, as shown in Lemma 2.
III-C Energy-aware Signature for Embedded Medical devices (ESEM)
We summarize our main scheme ESEM (see Algorithm 2), which permits near-optimal signing by integrating SNODBPV into the Schnorr signature with some alterations.
During key generation, the secret/public key pair () and the parameters are generated (Steps 1-2), followed by the SNODBPV.Offline algorithm to obtain the distributed public values to be stored by the parties . In ESEM.Sig, the signer generates the ephemeral random value and the one-time randomness to be used as the commitment. Instead of the commitment in Schnorr (), the signer uses as the commitment in Step 2. This separation of the commitment from message hashing is inspired by prior work. Note that, unlike the multiple-time signature that can only compute a constant, pre-determined number of signatures with a very large linear-size public key, ESEM can compute a polynomially unbounded number of signatures with a constant public key size. Finally, the verifier first calls the SNODBPV.Receiver algorithm to generate the public value by collaborating with the parties. The signature verification, which is similar to Schnorr with the exception of the commitment , is performed at Step 2.
We point out a trade-off between the private key size and signing speed, which can increase the signature generation performance at the cost of some storage. The signer can store the private keys in memory, and thereby avoid PRF invocations. We refer to this simple variant as the high-speed variant of ESEM. As demonstrated in Section V, an extra storage of KB can boost the performance of ESEM on commodity hardware.
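To make the SNODBPV flow concrete (Offline, Sender, the per-party responses, Receiver) and the way ESEM plugs it into signing, the following Python is an added sketch. It is not the paper's Algorithm 2, whose exact hash inputs, index encoding and step numbering are not reproduced on this page. It assumes a toy prime-order group (p = 4079, q = 2039), N = 3 parties, a 16-entry table per party with k = 4 selections, HMAC-SHA256 as the PRF (the paper uses ChaCha20 and AES-CTR), and a signature of the form (r, s) with e = H(r || m), which is a simplification introduced here to show "commitment separated from message hashing". The signer path uses only PRF calls, modular additions and one modular multiplication; the verifier never contacts the signer and rebuilds R = g^r from the parties' shares. The re-derivation of the per-party seeds inside `sign` is the point where the paper's storage-versus-PRF trade-off would store them instead.

```python
"""Distributed BPV commitment in the SNODBPV style, in a toy group.
Added example (not the paper's code or its Algorithm 2)."""
import hashlib
import hmac

# Toy prime-order subgroup (assumption; far too small for real use):
# p = 4079 and q = 2039 are prime, q | p - 1, g has order q.
P, Q = 4079, 2039
G = pow(2, (P - 1) // Q, P)
N_PARTIES, TABLE_SIZE, K = 3, 16, 4     # assumed parameters (N parties, BPV n, BPV k)


def prf(key, data):
    """PRF instantiated as HMAC-SHA256 here; the paper uses ChaCha20 / AES-CTR."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_zq(b):
    """Map PRF output into [1, q-1]."""
    return 1 + int.from_bytes(b, "big") % (Q - 1)


def scalar(z, j):
    """Secret table entry x_{i,j}, derived from party seed z_i on demand, never stored."""
    return to_zq(prf(z, b"x" + j.to_bytes(2, "big")))


def index_set(z, r):
    """K distinct indices selected by (z_i, r).  Only the signer and party i hold z_i,
    so nobody else learns which entries a given r selects."""
    idx, ctr = [], 0
    while len(idx) < K:
        j = int.from_bytes(prf(z, b"idx" + r + ctr.to_bytes(2, "big")), "big") % TABLE_SIZE
        if j not in idx:
            idx.append(j)
        ctr += 1
    return idx


def derive_private(master_seed):
    """Signing key and per-party seeds z_i, all from one seed.  Re-deriving them
    costs PRF calls; storing them is the paper's faster, larger-key variant."""
    sk = to_zq(prf(master_seed, b"sk"))
    seeds = [prf(master_seed, b"party" + i.to_bytes(1, "big")) for i in range(N_PARTIES)]
    return sk, seeds


def keygen(master_seed):
    """SNODBPV.Offline: party i receives (z_i, its public table g^{x_{i,j}})."""
    sk, seeds = derive_private(master_seed)
    parties = [(z, [pow(G, scalar(z, j), P) for j in range(TABLE_SIZE)]) for z in seeds]
    return pow(G, sk, P), parties


def signer_scalar(seeds, r):
    """SNODBPV sender side: aggregate the selected x_{i,j} over all parties.
    PRF calls and modular additions only; no group operation."""
    total = 0
    for z in seeds:
        for j in index_set(z, r):
            total = (total + scalar(z, j)) % Q
    return total


def party_share(z, table, r):
    """Party i, on request: recompute its index set and return R_i = prod g^{x_{i,j}}."""
    share = 1
    for j in index_set(z, r):
        share = share * table[j] % P
    return share


def reconstruct(parties, r):
    """SNODBPV receiver side: R = prod_i R_i.  Every party's share is needed."""
    R = 1
    for z, table in parties:
        R = R * party_share(z, table, r) % P
    return R


def hash_to_zq(r, msg):
    """The message hash takes the one-time value r, not the commitment R."""
    return int.from_bytes(hashlib.sha256(r + msg).digest(), "big") % Q


def sign(master_seed, msg):
    """Schnorr-style signing that never computes R.  r is PRF-derived per message,
    so no fresh randomness is drawn (a simplification introduced in this example)."""
    sk, seeds = derive_private(master_seed)
    r = prf(master_seed, b"r" + msg)[:16]
    e = hash_to_zq(r, msg)
    s = (signer_scalar(seeds, r) + e * sk) % Q      # the single modular multiplication
    return r, s


def verify(pk, parties, msg, sig):
    """Verifier: obtain R from the parties, then check g^s == R * pk^e."""
    r, s = sig
    e = hash_to_zq(r, msg)
    return pow(G, s, P) == reconstruct(parties, r) * pow(pk, e, P) % P
```

A party that answers a query learns only its own index set for that r; the other parties' selections, and hence the aggregated scalar, stay hidden from it unless all N seeds are pooled, which is the collusion assumption the paper's privacy lemma rests on.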
IV Security Analysis
The random values are generated uniformly at random in SNODBPV.Offline via the private seed , which is given to each server . The security of SNODBPV (i.e., of ESEM) relies on the secrecy of . Since each is generated uniformly at random via the 's, and by Lemma 1, for the adversary to infer it must know all private seeds, i.e., corrupt all of the servers. ∎
In the random oracle model, based on Assumption 1 and Lemma 2, if a polynomial-time adversary can break the EU-CMA security of ESEM in time and after hash and signature queries, then one can build a polynomial-time algorithm that breaks the EU-CMA security of the Schnorr signature in time and with signature queries.
Proof: Please refer to the Appendix.
V Performance Analysis
V-A Parameter Selection
We select the FourQ curve, which offers fast elliptic curve operations (desirable for our verification process; recall that the signer performs no EC operations) at the -bit security level. The selection of the parameters relies on the number of possible -out-of- combinations. We select , for ESEM and , and for the high-speed variant, where both offer over different combinations. Lastly, we select (i.e., 3 parties are involved in verification).
V-B Evaluation Metrics and Experimental Setup
Evaluation Metrics: We implemented ESEM and its counterparts both on the low-end device (8-bit microcontroller) and on commodity hardware. (i) At the signer's side, the signature generation time and private key size were evaluated on both types of devices. The energy consumption and code size were evaluated on the low-end device. (ii) The signature size is evaluated as the communication overhead. (iii) At the verifier's side, the signature verification time and the size of the public key were evaluated on the commodity hardware.
Note that the time required to transmit the ESEM signature (only Bytes) is already smaller than that of all its counterparts. Therefore, we do not include this in our experiments. The bandwidth overhead to construct between the verifier and the parties is only Bytes, and the delay depends heavily on the geographic location of the server (i.e., round trip time). We conservatively benchmark this network delay, with an Amazon EC2 server in North Virginia, and include it in our signature verification time.
Hardware Configurations and Software Libraries: We selected the AVR ATmega 2560 microcontroller as our low-end device due to its low power consumption and extensive use in practice, especially for medical devices [1, 2, 20]. It is an 8-bit microcontroller with KB flash memory, KB SRAM, KB EEPROM and a maximum clock speed of MHz.
We implemented our schemes using Rhys Weatherley's library (https://github.com/rweather/arduinolibs/tree/master/libraries/Crypto), which provides Barrett reduction to compute modulo . We used BLAKE2s as our hash function from the same library, since it is optimized for low-end devices in terms of speed and code size. We instantiated our PRF as the ChaCha20 stream cipher, which offers high efficiency. To assess our counterparts, we used the ECDSA implementation in micro-ecc (https://github.com/kmackay/micro-ecc), with which we also implemented BPV-ECDSA. We used the existing implementations of Ed25519 and SchnorrQ for the same microcontroller.
We powered the microcontroller with a mAh power pack. The ATmega 2560 operates at a voltage level of V and draws mA of current (datasheet: http://www.atmel.com/Images/Atmel-2549-8-bit-AVR-Microcontroller-ATmega640-1280-1281-2560-2561_datasheet.pdf). We verified the current readings taken from the datasheet by connecting an ammeter between the battery and the ATmega 2560, and observed an insignificant difference. Therefore, we measured the energy consumption with the formula , where is the computation time. To account for variations in time , we ran each scheme times and took the average.
We also investigated the effect of cryptography on battery life in some real-life IoT applications. For this purpose, we measured the energy consumption of a pulse sensor (https://pulsesensor.com/) and a BMP183 pressure sensor (https://cdn-shop.adafruit.com/datasheets/1900_BMP183.pdf). We expect that the pulse and pressure sensors give some idea of the use of digital signatures with sensors in medical devices and daily IoT applications, respectively.
Commodity Hardware: We used an Intel i7-6700HQ GHz processor with GB of RAM as the commodity hardware in our experiments. We implemented the arithmetic and curve operations of our scheme with FourQlib (https://github.com/Microsoft/FourQlib). We used BLAKE2b as our hash function since it is optimized for commodity hardware. Lastly, we instantiated our PRF with AES in counter mode using Intel intrinsics. For our counterparts, we used their base implementations.
As the semi-honest party, we used an Amazon EC2 instance located in North Virginia. Our EC2 instance was equipped with an Intel Xeon E5 processor operating at GHz.
Our implementations are open-sourced at:
V-C Performance Evaluation and Comparisons
Low-end Device: Table I shows the results obtained from our implementations on 8-bit AVR ATmega 2560.
Signature Generation Speed: ESEM has the fastest signing speed, which is and faster than that of SchnorrQ and Ed25519, respectively.
System-wide parameters (e.g., p, q) for each scheme are included in their corresponding code sizes, and the private key size denotes the scheme-specific private key size.
represents the communication between the verifier and the servers. Since the verifier communicates with servers, the maximum communication delay is included in our end-to-end delay. This communication was measured to be ms on average in our experiments, with an Amazon EC2 instance in N. Virginia.
Energy Consumption of Signature Generation: With a mAh battery, ESEM can generate nearly signatures, whereas SchnorrQ, Ed25519 and ECDSA can generate only , and signatures, respectively. This shows that ESEM can generate a significantly higher number of signatures with the same battery.
Energy Consumption of Signature Generation versus IoT Sensors: We considered a pulse sensor and a pressure sensor to exemplify potential medical and home automation IoT applications, respectively. We selected the sampling time (i.e., the frequency at which data is read from the sensor) as every 10 seconds and every 10 minutes for the pulse and pressure sensor, respectively, to reflect their corresponding use-cases. We measured the energy consumption by considering three aspects: (i) Each sensor by default draws a certain energy as specified in its datasheet. The pulse sensor operates at V and draws mA of current, while the pressure sensor operates at V and draws 5 µA of current. These values are multiplied by their corresponding sampling rates to calculate the energy consumption of the sensor. (ii) The AVR ATmega 2560 consumes energy to take readings from the sensor as well as during its waiting time. We measured the time the microcontroller takes to obtain a reading from the sensor as ms. Therefore, we calculated the energy consumption of the microcontroller during active time as . (iii) The ATmega 2560 requires A in power-save mode, which is used to calculate the energy consumption in the idle time.
We compare the energy consumption of signature generation and IoT sensors in Figure 2. ESEM reduces the energy consumption of signature generation to % and % of that of the pulse and pressure sensors, respectively. Observe that, compared with the pressure sensor, SchnorrQ, the fastest counterpart of ESEM, requires %, while Ed25519 demands % of the energy consumption. When the pulse sensor is used, ESEM requires an almost negligible energy consumption (%), while its closest counterpart requires %. The energy efficiency of ESEM also translates into longer battery life in these applications. More specifically, when the pressure sensor is deployed with ESEM, it takes days to drain a mAh battery, whereas it takes days for our closest counterpart (SchnorrQ).
Our experiments show that the existing ECC-based digital signatures consume more energy than the IoT sensors themselves, which makes them the primary source of battery consumption. On the other hand, ESEM was able to reduce the signature generation overhead to a potentially negligible level in some cases, at minimum offering improvements over its counterparts.
Commodity Hardware: The benchmarks of ESEM and its counterparts on commodity hardware are shown in Table II.
Signature Generation: ESEM and its high-speed variant offer the fastest signature generation on commodity hardware as well. In particular, the high-speed variant (where the private key components are stored instead of being generated from a seed) is 3 times faster than its closest counterpart.
Signature Verification: The signature verification in ESEM includes the verifier computation, the server computation and the communication between the verifier and the servers. Due to the computational efficiency of the FourQ curve, the verifier and server computations of ESEM verification are highly efficient. Specifically, the verifier computation takes s in both ESEM variants, and the server computation takes s and s for ESEM and its high-speed variant, respectively. The communication between server and verifier was measured with our commodity hardware and an Amazon EC2 instance in N. Virginia. This delay was measured as ms on average.
The fastest verification is observed for SchnorrQ, at s. This scheme should be preferred if verification speed is of high importance. However, recall that for our envisioned applications, signer efficiency (energy efficiency) is the top priority and a small delay at the verifier is tolerable.
VI Related Work
There are two main lines of work to offer authentication for embedded medical devices: symmetric key primitives (e.g., MACs) and public key primitives (e.g., digital signatures). In this section, we only mention lightweight digital signature schemes that are most relevant to our work.
One-time signatures (e.g., [6, 25, 26]) offer high computational efficiency, but usually have very large key and signature sizes that hinder their adoption in implantable medical devices. Moreover, they can only sign a pre-defined number of messages with a key pair, which introduces a key renewal overhead. The extensions of hash-based one-time signatures to multiple-time signatures (e.g., SPHINCS) have high signing overhead, and therefore are not suitable for medical implantables. Some MAC-based alternatives (e.g., TESLA [28, 29]) use time asymmetry to offer computational efficiency and compactness, but they cannot offer non-repudiation and require continuous time synchronization. EC-based digital signatures (e.g., [11, 13, 24, 30, 31, 32]) are currently the most prevalent alternatives for embedded devices due to their compact size and higher signing efficiency compared to RSA-based signatures (e.g., CEDA). We provided a detailed performance comparison of ESEM with its most recent EC-based alternatives in Section V.
In this paper, we proposed ESEM, which achieves the lowest energy consumption and the fastest signature generation along with the smallest signature among its ECC-based counterparts. ESEM is also immune to side-channel attacks targeting EC operations/exponentiations, as well as to weak pseudo-random number generators at the signer's side, since ESEM does not require any of these operations in its signature generation algorithm. We believe ESEM is highly preferable for applications wherein signer efficiency is a paramount requirement, such as implantable medical devices. We implemented ESEM and its counterparts both on a resource-constrained device commonly used in medical devices and on commodity hardware. Our experiments validate the significant energy efficiency and speed advantages of ESEM at the signer's side over its counterparts.
Acknowledgments. This work is supported by the NSF Award #1652389.
-  M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, “Sok: Security and privacy in implantable medical devices and body area networks,” in Proceedings of the 2014 IEEE Symposium on Security and Privacy, ser. SP ’14. IEEE Computer Society, 2014, pp. 524–539.
-  M. O. Ozmen and A. A. Yavuz, “Low-cost standard public key cryptography services for wireless iot systems,” in Proceedings of the 2017 Workshop on Internet of Things Security and Privacy, ser. IoTS&P ’17. New York, NY, USA: ACM, 2017, pp. 65–70. [Online]. Available: http://doi.acm.org/10.1145/3139937.3139940
-  C. Camara, P. Peris-Lopez, and J. E. Tapiador, “Security and privacy issues in implantable medical devices: A comprehensive survey,” Journal of Biomedical Informatics, vol. 55, pp. 272 – 289, 2015.
-  M. Vigil, J. Buchmann, D. Cabarcas, C. Weinert, and A. Wiesmaier, “Integrity, authenticity, non-repudiation, and proof of existence for long-term archiving: A survey,” Computers & Security, vol. 50, pp. 16 – 32, 2015. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0167404814001849
-  A. Ometov, P. Masek, L. Malina, R. Florea, J. Hosek, S. Andreev, J. Hajny, J. Niutanen, and Y. Koucheryavy, "Feasibility characterization of cryptographic primitives for constrained (wearable) IoT devices," in 2016 IEEE International Conference on Pervasive Computing and Communication Workshops (PerCom Workshops), March 2016, pp. 1–6.
-  A. A. Yavuz, “Eta: efficient and tiny and authentication for heterogeneous wireless systems,” in Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks, ser. WiSec ’13. New York, NY, USA: ACM, 2013, pp. 67–72.
-  G. Ateniese, G. Bianchi, A. T. Capossele, C. Petrioli, and D. Spenza, "Low-cost standard signatures for energy-harvesting wireless sensor networks," ACM Trans. Embed. Comput. Syst., vol. 16, no. 3, pp. 64:1–64:23, Apr. 2017.
-  V. Boyko, M. Peinado, and R. Venkatesan, “Speeding up discrete log and factoring based schemes via precomputations,” in Advances in Cryptology — EUROCRYPT’98: International Conference on the Theory and Application of Cryptographic Techniques Espoo, Finland, May 31 – June 4, 1998 Proceedings. Springer Berlin Heidelberg, 1998, pp. 221–235.
-  A. Shamir and Y. Tauman, “Improved online/offline signature schemes,” in Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, ser. CRYPTO ’01. London, UK: Springer-Verlag, 2001, pp. 355–367.
-  D. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, “High-speed high-security signatures,” Journal of Cryptographic Engineering, vol. 2, no. 2, pp. 77–89, 2012.
-  C. Costello and P. Longa, "FourQ: Four-dimensional decompositions on a Q-curve over the Mersenne prime," in Advances in Cryptology – ASIACRYPT 2015, T. Iwata and J. H. Cheon, Eds. Springer Berlin Heidelberg, 2015, pp. 214–235.
-  M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” in Proceedings of the 1st ACM conference on Computer and Communications Security (CCS ’93). NY, USA: ACM, 1993, pp. 62–73.
-  D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, “High-speed high-security signatures,” Journal of Cryptographic Engineering, vol. 2, no. 2, pp. 77–89, Sep 2012. [Online]. Available: https://doi.org/10.1007/s13389-012-0027-1
-  C. Pereida García, B. B. Brumley, and Y. Yarom, "Make sure DSA signing exponentiations really are constant-time," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '16. New York, NY, USA: ACM, 2016, pp. 1639–1650.
-  R. R. Jueneman, “Securing wireless medicine confidentiality, integrity, nonrepudiation, malware prevention,” in Emerging Technologies for a Smarter World (CEWIT), 2011 8th International Conference Expo on, Nov 2011, pp. 1–5.
-  C. Schnorr, “Efficient signature generation by smart cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.
-  I. Goldberg, “Improving the robustness of private information retrieval,” in 2007 IEEE Symposium on Security and Privacy (SP ’07), 2007, pp. 131–148.
-  J. Katz and Y. Lindell, Introduction to Modern Cryptography. Chapman & Hall/CRC, 2007.
-  I. S. P. Nguyen and J. Stern, “Distribution of modular sums and the security of the server aided exponentiation,” in Proc. Workshop on Cryptography and Computational Number Theory (CCNT’99), vol. 20. Springer Berlin Heidelberg, pp. 257–268.
-  P. Szakacs-Simon, S. A. Moraru, and F. Neukart, “Signal conditioning techniques for health monitoring devices,” in 2012 35th International Conference on Telecommunications and Signal Processing (TSP), July 2012, pp. 610–614.
-  J.-P. Aumasson, L. Henzen, W. Meier, and R. C.-W. Phan, "SHA-3 proposal BLAKE," Submission to NIST (Round 3), 2010. [Online]. Available: http://131002.net/blake/blake.pdf
-  D. J. Bernstein, “New stream cipher designs,” M. Robshaw and O. Billet, Eds. Berlin, Heidelberg: Springer-Verlag, 2008, ch. The Salsa20 Family of Stream Ciphers, pp. 84–97. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-68351-3_8
-  M. Hutter and P. Schwabe, “NaCl on 8-bit AVR microcontrollers,” in Progress in Cryptology – AFRICACRYPT 2013, ser. Lecture Notes in Computer Science, vol. 7918. Springer-Verlag Berlin Heidelberg, 2013, pp. 156–172, http://cryptojedi.org/papers/#avrnacl.
-  Z. Liu, P. Longa, G. C. C. F. Pereira, O. Reparaz, and H. Seo, "FourQ on embedded devices with strong countermeasures against side-channel attacks," in Cryptographic Hardware and Embedded Systems – CHES 2017, W. Fischer and N. Homma, Eds. Cham: Springer International Publishing, 2017, pp. 665–686.
-  L. Reyzin and N. Reyzin, "Better than BiBa: Short one-time signatures with fast signing and verifying," in Proceedings of the 7th Australasian Conference on Information Security and Privacy (ACISP '02). Springer-Verlag, 2002, pp. 144–153.
-  K. Kalach and R. Safavi-Naini, “An efficient post-quantum one-time signature scheme,” in Selected Areas in Cryptography – SAC 2015, O. Dunkelman and L. Keliher, Eds. Cham: Springer International Publishing, 2016, pp. 331–351.
-  D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, M. Schneider, P. Schwabe, and Z. Wilcox-O’Hearn, “SPHINCS: Practical stateless hash-based signatures,” in Advances in Cryptology – EUROCRYPT 2015: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, April 2015, pp. 368–397.
-  A. Perrig, R. Canetti, D. Song, and D. Tygar, “Efficient and secure source authentication for multicast,” in Proceedings of Network and Distributed System Security Symposium, February 2001.
-  W. B. Jaballah, M. Conti, R. D. Pietro, M. Mosbah, and N. V. Verde, “Mass: An efficient and secure broadcast authentication scheme for resource constrained devices,” in 2013 International Conference on Risks and Security of Internet and Systems (CRiSIS), Oct 2013, pp. 1–6.
-  ANSI X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), American Bankers Association, 1999.
-  M. Wazid, A. K. Das, N. Kumar, M. Conti, and A. V. Vasilakos, “A novel authentication and key agreement scheme for implantable medical devices deployment,” IEEE Journal of Biomedical and Health Informatics, vol. 22, no. 4, pp. 1299–1309, July 2018.
-  R. Behnia, M. O. Ozmen, and A. A. Yavuz, “ARIS: authentication for Real-Time IoT systems,” in 2019 IEEE International Conference on Communications (ICC): Communication and Information Systems Security Symposium (IEEE ICC’19 - CISS Symposium), Shanghai, P.R. China, May 2019.
-  M. O. Ozmen, R. Behnia, and A. A. Yavuz, “Compact energy and delay-aware authentication,” in 2018 IEEE Conference on Communications and Network Security (CNS), May 2018, pp. 1–9.
-  D. Pointcheval and J. Stern, “Security proofs for signature schemes,” in Proc. of the 15th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’96). Springer-Verlag, 1996, pp. 387–398.
-  M. Bellare and G. Neven, “Multi-signatures in the plain public-key model and a general forking lemma,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. CCS ’06. New York, NY, USA: ACM, 2006, pp. 390–399.