SCMS Simplifications and Security Improvements using Secure Computation
Outline
§ Introduction and Motivation
§ Review of Relevant SCMS Protocols
§ Secure Computation and Yao’s Garbled Circuit
§ Secure Computation for Linkage Value Generation
§ Demo of Linkage Value Generation
§ Secure Computation for Misbehavior Identification
§ Demo of Misbehavior Identification
Introduction and Motivation
Overview
• Organizational separation → more people and resources → more cost
• Separation is a necessity because trust between the authorities is low
• One (bad) solution is to sacrifice privacy
• We have a better solution!
• Our goals: reduce organizational complexity and hence cost, while at the same time improving overall security/privacy
• Our approach: replace distributed computation with secure computation protocols
• Our focus: Linkage Value (LV) generation and Misbehavior Identification (MID)
Problems with Distributed Computation
§ Different authorities are required to have organizational separation
– Extremely difficult and costly
– Not realistic under many scenarios, e.g., when an OEM wants to build and
operate its own SCMS
§ Different authorities are assumed to follow the protocols as specified
– Malicious insiders can deviate from the protocol without the fear of detection
– Malicious insiders can collude to subvert the protocol
§ Secure computation protocols remove both these problems
– Trade-off: increased communication and computation complexity
– OnBoard Security research has been working to address both of these
– Long-term, advancements in microelectronics and CPU architecture, and
economies of scale for cloud computing are also on our side
Review of Relevant SCMS Protocols
Linkage Value Generation
• Pseudonym certificate provisioning
• Request for pseudonym certificates
• Pseudonym certificate generation
• Initial download of pseudonym
certificates
• Schedule generation of subsequent
batch of pseudonym certificates
• Top-off pseudonym certificates
• Only Linkage Value (LV) generation, which is embedded inside pseudonym certificate generation, requires distributed computation among multiple authorities
Current Process of LV Generation
[Figure: LA1 and LA2 each hold a linkage seed chain LS0 → LS1 → … → LSi, where every step is a hash H (one-way computation). From the seeds each LA derives pre-linkage values PLVi,j and encrypts them (E) into EPLVi,j for the RA. The RA shuffles the EPLVs across multiple devices and forwards them to the PCA, which recovers both PLVi,j and combines them into LVi,j.]
Legend:
E: Encryption
EPLV: Encrypted PLV
H: Hash
LS: Linkage seed
PLV: Pre-linkage value
LV: Linkage value
Malicious Security
§ Current SCMS design is vulnerable to malicious insiders
– Malicious LA: A malicious LA can provide pre-linkage values that look "normal" but completely subvert misbehavior detection, e.g.
§ by using multiple seeds (instead of a single seed) per device
§ by using random 9-byte values instead of following the pre-linkage value generation algorithm
– Malicious RA: A malicious RA can subvert misbehavior detection and revocation, e.g.
§ by using pre-linkage values from different chains for a given device
§ by provisioning a revoked device with certificates using a new linkage chain
– Malicious LA/PCA: A malicious LA/PCA can subvert misbehavior investigation by, e.g.
§ on MA’s query (plv1, plv2), LA responding that they don’t belong to a device, even if they do
§ on MA’s query lv (=plv1 ⊕ plv2) PCA responding with (plv3, lv ⊕ plv3), where plv3 ≠ (plv1 or plv2)
§ This is not an exhaustive list of attacks. In fact, creating an exhaustive list seems infeasible
§ Some attacks can possibly be addressed by small changes in the current protocols, but we
need a holistic approach that counters all attacks, even those we have not discovered yet.
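The linkage structure sketched in "Current Process of LV Generation" and the first malicious-LA attack listed above, as an added walk-through that is not OnBoard Security's or CAMP's code. It assumes SHA-256 as the one-way step, 9-byte values (the size of an IEEE 1609.2 LinkageValue) and a simple PLV = H(seed || j) derivation in place of the exact SCMS construction; the seeds and batch sizes are constructed.

```python
# Added illustration (not OnBoard Security's or CAMP's code) of the linkage
# structure: two Linkage Authorities each keep a hash chain of linkage seeds,
# derive pre-linkage values (PLVs) from them, and the PCA XORs the two PLVs
# into the linkage value (LV) placed in a pseudonym certificate.
# Assumptions: SHA-256 as the one-way step, 9-byte values (the size of an
# IEEE 1609.2 LinkageValue), and PLV = H(seed || j) truncated, in place of the
# exact SCMS derivation.
import hashlib
from typing import List, Set

LV_LEN = 9  # bytes; an IEEE 1609.2 LinkageValue is a 9-octet string


def next_seed(ls: bytes) -> bytes:
    """One-way step LS_{i+1} = H(LS_i). Knowing LS_i yields every later seed
    but nothing about LS_{i-1}; that is why a CRL entry only links the future."""
    return hashlib.sha256(ls).digest()


def pre_linkage_value(ls_i: bytes, j: int) -> bytes:
    """PLV_{i,j} for certificate j of period i (assumed construction)."""
    return hashlib.sha256(ls_i + j.to_bytes(4, "big")).digest()[:LV_LEN]


def linkage_value(plv1: bytes, plv2: bytes) -> bytes:
    """LV_{i,j} = PLV1_{i,j} XOR PLV2_{i,j}, combined by the PCA."""
    return bytes(a ^ b for a, b in zip(plv1, plv2))


class LinkageAuthority:
    """One LA: a single chain per device, walked forward from LS_0."""

    def __init__(self, ls0: bytes) -> None:
        self.ls0 = ls0

    def seed(self, i: int) -> bytes:
        ls = self.ls0
        for _ in range(i):
            ls = next_seed(ls)
        return ls

    def plv(self, i: int, j: int) -> bytes:
        return pre_linkage_value(self.seed(i), j)


def issue_certificates(la1: LinkageAuthority, la2: LinkageAuthority,
                       i: int, n: int) -> List[bytes]:
    """PCA side: the LVs of the n certificates a device gets for period i."""
    return [linkage_value(la1.plv(i, j), la2.plv(i, j)) for j in range(n)]


def expand_crl_entry(ls1_i: bytes, ls2_i: bytes, periods: int, n: int) -> Set[bytes]:
    """CRL expansion done by every receiving vehicle: from the two period-i
    seeds published for a revoked device, recompute all its LVs for periods
    i .. i+periods-1. Periods before i stay unlinkable to the entry."""
    revoked: Set[bytes] = set()
    s1, s2 = ls1_i, ls2_i
    for _ in range(periods):
        for j in range(n):
            revoked.add(linkage_value(pre_linkage_value(s1, j),
                                      pre_linkage_value(s2, j)))
        s1, s2 = next_seed(s1), next_seed(s2)
    return revoked


def covered(certs: List[bytes], revoked: Set[bytes]) -> bool:
    """True when every certificate in the batch is recognised as revoked."""
    return all(lv in revoked for lv in certs)


# Constructed fixed seeds so the walk-through is repeatable.
LA1 = LinkageAuthority(b"\x01" * 32)
LA2 = LinkageAuthority(b"\x02" * 32)
ROGUE_LA1 = LinkageAuthority(b"\x03" * 32)  # malicious LA: a second, undeclared seed


def walkthrough() -> dict:
    """Revoke a device from period 5 onward with a 3-period CRL window and
    check which certificate batches the expansion catches."""
    revoked = expand_crl_entry(LA1.seed(5), LA2.seed(5), periods=3, n=20)
    return {
        "period_5_caught": covered(issue_certificates(LA1, LA2, 5, 20), revoked),
        "period_7_caught": covered(issue_certificates(LA1, LA2, 7, 20), revoked),
        "period_4_linked": any(lv in revoked for lv in issue_certificates(LA1, LA2, 4, 20)),
        # Malicious LA1: certificates derived from a seed that is not on the
        # chain the MA is told about are never reached by the expansion.
        "rogue_chain_caught": any(lv in revoked
                                  for lv in issue_certificates(ROGUE_LA1, LA2, 5, 20)),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The last entry of the result is the point of the "multiple seeds per device" attack: the MA can only expand the chain it is told about, so an LA that quietly derives some PLVs from a second seed produces certificates that survive the revocation of the device.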
Global Misbehavior Detection FAQ
Q: Do we really need it?
A: Yes, because whether you like it or not, misbehavior will happen.
Q: Why can’t each OEM take care of misbehavior on their own?
A: In a cooperative system like V2V, misbehavior will impact everyone
not just a particular OEM.
Q: As an OEM, we handle far more sensitive information, so why can’t
we also handle linkage value generation?
A: Even if OEM 1 is doing everything right, OEM 2 can set up its
system such that its vehicles will never get revoked, as illustrated
under Malicious Security above.
Misbehavior Identification
• Global misbehavior detection and revocation
• Misbehavior report validation
• Misbehavior analysis
• Misbehavior investigation
• Revocation
• Misbehavior post-processing
• Only misbehavior investigation and part of revocation require distributed computation among multiple authorities; we call these Misbehavior Identification (MID)
Current Misbehavior Investigation
[Figure: MA holds misbehavior reports {(sLV1, rLV1), …, (sLVi, rLVi), …, (sLVn, rLVn)}. PCA maps LV → EPLV; LA maps EPLV → LS.]
1. MA → PCA: LV
2. PCA → MA: EPLV
3. MA → LA: {(sEPLV1, rEPLV1), …, (sEPLV50, rEPLV50)}
4. LA → MA: {sEPLV, sCount, UniqueRCount}
MA's query size and LA's response are deliberately limited due to privacy concerns.
Legend:
EPLV: Encrypted PLV
LS: Linkage seed
LV: Linkage value
rEPLV: Reporter EPLV
rLV: Reporter LV
sEPLV: Suspect EPLV
sLV: Suspect LV
Current Revocation
[Figure: MA holds the revoked LV list. PCA maps LV → HRPR; RA maps HRPR → (LCI1, LCI2); LA1 maps LCI1 → LS1; LA2 maps LCI2 → LS2.]
1. MA → PCA: LV
2. PCA → MA: HRPR
3. MA → RA: HRPR
4. RA → MA: LCI1, LCI2
5. MA → LA1: LCI1
6. LA1 → MA: LS1
7. MA → LA2: LCI2
8. LA2 → MA: LS2
Legend:
HRPR: Hash of RA-PCA request
LCI: Linkage chain identifier
LS: Linkage seed
LV: Linkage value
Goals of MID
All Misbehavior Detection
§ MA should be able to detect all misbehavior in reports as per the policy.
Perfect Privacy Protection
§ MA should only learn the linkage seeds of vehicles to be revoked.
§ No one should learn anything else.
[Figure: example report database with Suspect Threshold: 5 and Reporter Threshold: 3; color = suspect vehicle, shape = reporter vehicle.]
Issues with current MID - Effectiveness
Assume:
a) Suspect Threshold: 5
b) Reporter Threshold: 3
[Figure: Misbehavior Report Database, Query 1, Query 2; color = suspect vehicle, shape = reporter vehicle.]
Due to the limited query size, MA does not detect all misbehaviors, i.e., the red suspect vehicle goes undetected.
A smart attacker can easily create a strategy that defeats the current algorithm of MA.
Issues with current MID - Privacy
§ PCA learns which LVs are being investigated.
§ LA also learns which EPLV and LS are being investigated.
§ MA learns information also about honest vehicles.
§ Our goals for MID
– Make sure all misbehavior can be detected
– Achieve security and privacy via a theoretically sound mechanism
Secure Computation and Yao's Garbled Circuit
Secure Computation to the Rescue
§ In theory, secure computation can solve all the previously identified
problems
§ But even the most efficient previously known solutions for secure
computation are extremely impractical for use in SCMS
– LV Generation: Even if one can generate one linkage value in a reasonable
amount of time, generating 30 years’ worth for 300 million vehicles is
extremely impractical
– MID: Due to current one-way design of linkage values, the inputs of LAs will
consist of 300 million linkage seeds, which makes the protocol extremely
impractical
Real Life Computation Problems
Solution: Trusted third party
But, do we really have to?
Secure Computation
§ Parties P1, P2, …, Pn with private inputs x1, x2, …, xn can jointly
compute any arbitrary function f(x1, x2, …, xn), s.t.
– Correctness: Output is guaranteed to be correct.
– Privacy: Inputs are guaranteed to remain private.
– …
§ [Yao ’82] achieved this for n = 2.
§ [Goldreich-Micali-Wigderson ’87] achieved this for n ≥ 2.
§ Active area of cryptographic research.
Garbled Circuits [Yao '82]
[Figure: two parties P1 and P2 jointly evaluate f(x1, x2).]
Garbled Circuits contd.
Example: a single gate with input wires w1, w2 and output wire w3. Each wire gets two random keys, one per bit value: (k10, k11) for w1, (k20, k21) for w2, (k30, k31) for w3.
Garbling of the gate's truth table (here w3 = w1 OR w2): each row encrypts the output-wire key under the two input-wire keys for that row.
w1 w2 w3 Garbling
0 0 0 G1 = E(k10, k20, k30)
0 1 1 G2 = E(k10, k21, k31)
1 0 1 G3 = E(k11, k20, k31)
1 1 1 G4 = E(k11, k21, k31)
Evaluation with P1's input x1 = 0 and P2's input x2 = 1:
– P1 (the garbler) sends P2 the garbled rows in random order, G2, G1, G3, G4, the output decoding (k30, 0), (k31, 1), and the key k10 for its own input bit.
– P2 obtains k21, the key for its input bit, via oblivious transfer (OT), so P1 does not learn x2 and P2 learns nothing about k20.
1. P2 tries to decrypt G1, …, G4.
2. With k10 and k21, P2 can decrypt only G2, obtaining k31.
3. k31 maps to 1, so the output is 1.
Output = 1
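The garbling and evaluation of the single OR gate walked through above, as an added example that is not from the slides. Two simplifications are assumed: the row "encryption" E(ka, kb, m) is a one-time pad derived from SHA-256(ka || kb) with a 16-byte all-zero tag appended so the evaluator can recognise the one row that decrypts, and P2 receives the key for its input bit directly rather than through oblivious transfer, since OT itself is not what the slide illustrates.

```python
# Added example (not from the slides) of Yao's garbling of one gate.
# Assumed simplifications: E(ka, kb, m) = SHA-256(ka || kb) XOR (m || zero tag),
# and P2's input key is handed over directly instead of via oblivious transfer.
import hashlib
import os
import random
from typing import Callable, Dict, List, Tuple

KEY_LEN = 16
TAG = bytes(KEY_LEN)                       # all-zero marker appended to plaintext
Gate = Callable[[int, int], int]


def _pad(ka: bytes, kb: bytes) -> bytes:
    return hashlib.sha256(ka + kb).digest()   # 32 bytes = key (16) + tag (16)


def encrypt_row(ka: bytes, kb: bytes, kout: bytes) -> bytes:
    """E(ka, kb, kout): only a holder of both ka and kb can recover kout."""
    return bytes(p ^ m for p, m in zip(_pad(ka, kb), kout + TAG))


def decrypt_row(ka: bytes, kb: bytes, row: bytes):
    """Returns the output-wire key if the tag checks, else None."""
    pt = bytes(p ^ c for p, c in zip(_pad(ka, kb), row))
    return pt[:KEY_LEN] if pt[KEY_LEN:] == TAG else None


def garble_gate(gate: Gate):
    """Garbler (P1): fresh keys per wire, one encrypted row per truth-table
    entry, rows shuffled so their position reveals nothing about the inputs."""
    keys: Dict[str, Tuple[bytes, bytes]] = {
        w: (os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for w in ("w1", "w2", "w3")
    }
    table: List[bytes] = [
        encrypt_row(keys["w1"][a], keys["w2"][b], keys["w3"][gate(a, b)])
        for a in (0, 1) for b in (0, 1)
    ]
    random.shuffle(table)
    decoding = {keys["w3"][0]: 0, keys["w3"][1]: 1}   # (k30, 0), (k31, 1)
    return keys, table, decoding


def evaluate_gate(table: List[bytes], k1: bytes, k2: bytes) -> bytes:
    """Evaluator (P2): holding exactly one key per input wire, try every row;
    exactly one decrypts, yielding one output-wire key and no bit value."""
    hits = []
    for row in table:
        k = decrypt_row(k1, k2, row)
        if k is not None:
            hits.append(k)
    if len(hits) != 1:
        raise ValueError("garbled table malformed: %d rows decrypted" % len(hits))
    return hits[0]


def run_two_party(gate: Gate, x1: int, x2: int) -> int:
    """Whole exchange: P1 garbles and sends the table, the decoding and its own
    input key; P2 gets its input key (via OT in the real protocol), evaluates
    the one row it can open and decodes the result."""
    keys, table, decoding = garble_gate(gate)
    k1 = keys["w1"][x1]          # P1's input key, sent in the clear
    k2 = keys["w2"][x2]          # what OT would hand P2 for x2
    return decoding[evaluate_gate(table, k1, k2)]


def evaluator_learns_only_one_row(gate: Gate, x1: int, x2: int) -> bool:
    """With its two keys, P2 can open exactly one of the four rows."""
    keys, table, _ = garble_gate(gate)
    opened = sum(decrypt_row(keys["w1"][x1], keys["w2"][x2], r) is not None
                 for r in table)
    return opened == 1


OR: Gate = lambda a, b: a | b
AND: Gate = lambda a, b: a & b

if __name__ == "__main__":
    print("OR(0, 1) =", run_two_party(OR, 0, 1))   # the slide's walk-through
```

The evaluator never sees a wire's bit, only one of its two keys, and the shuffled table stops it from inferring the row index; a real implementation replaces the zero tag with point-and-permute bits and uses an OT protocol for the second party's key.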
Secure Computation for Linkage Value Generation
Secure Computation for LV Generation
§ A Straightforward 4-Party Secure Computation for LV generation
– Inputs
§ LA1: entire database of linkage seeds
§ LA2: entire database of linkage seeds
§ RA: (EE, i, j)
§ PCA: nothing
– Outputs
§ LA1, LA2, RA: nothing
§ PCA: linkage value for (EE, i, j)
§ It is inefficient because protocol complexity grows with the number of parties and
linkage seed database is extremely large
§ Our protocol V1
– Functionality of LAs is merged with PCA, so it is a 2-party protocol between PCA and RA
– Linkage seed is computed on the fly inside secure computation using a hash function, so parties’
inputs become very small and manageable
V1: Hash-based Initial Linkage Seed Generation
[Figure: RA supplies EE; PCA supplies KPCA; SHA-256 over these inside the secure computation yields the initial seeds ls1(EE, 0) and ls2(EE, 0) of the two chains.]
Party: PCA | RA
Private inputs: KPCA | EE, i, j
Private outputs: lv(EE, i, j) | lv pointer
V2: Batched Generation
V3: Stateful Generation
§ V2 is a huge improvement over V1, e.g., for weekly batches
– 1st week: 3 vs. 41 SHA-256,
– 2nd week: 5 vs. (41+81) SHA-256,
– 3rd week: 7 vs. (41+81+121) SHA-256, and so on
§ However, V2 is a trade-off
– Maximum benefit only if batch size = life of vehicle, i.e., 30 years
– Generating all 30 years’ worth at once has drawbacks
§ Huge waste, as average lifespan is only 13 – 17 years (https://berla.co/average-us-vehicle-lifespan/)
§ Large storage and communication requirements
§ Stateful Generation in V3
– Last week’s linkage seed is stored at PCA in garbled form
– Has performance similar to V2 with batch size = life of vehicle
– Doesn’t have any of the drawbacks of V2
Compatibility and Further Improvements
§ V1 – V3 are fully compatible with current LV design, i.e., vehicles
won’t notice any difference
§ V4: Privacy is guaranteed by secure computation, so only one
(instead of two) linkage chain per vehicle is sufficient
– No obvious security weaknesses compared to current design
– Currently deployed devices need software update for new CRL expansion
– Cuts CRL size in half (or, doubles the number of devices that can be revoked)
– Cuts CRL expansion time in half, a big plus for resource-constrained devices
– Cuts LV generation time and resources in (almost) half
– Makes misbehavior identification more efficient
Results of GC Implementations for LV generation
Version | One LV (MB) | One Vehicle for 30 Years (GB) | 300 Million Vehicles for 1 Week (TB) | Improvement Factor (V1/Vx)
V1 (Hash-based Initial Linkage Seed) | 6,019 | 183,390 | 34,440,744 | N/A
V2 (Batched Generation) | 301 | 9,184 | 1,726,169 | 20
V3 (Stateful Generation) | 1.13 | 35 | 6,481 | 5,314
V4 (One Linkage Chain per Vehicle) | 0.69 | 21 | 3,953 | 8,713
§ Table shows average garbled circuit sizes for 20 LVs per week
§ Garbling of V4, on AWS t2.micro takes about 0.02 seconds per LV
– Hardware: Intel Xeon CPU at 2.4 GHz and 1GB RAM
– Cost: $0.0035 per hour (https://aws.amazon.com/ec2/spot/pricing/).
§ LV generation for 300 million vehicles without the LA-pair would cost $15,000/year
§ CAMP’s cost model puts a price tag on the LA-pair at $150,000/year
Demo of Linkage Value Generation
Secure Computation for Misbehavior Identification
Secure Computation for MID
§ A Straightforward 5-Party Secure Computation for MID
– Inputs
§ MA: misbehavior reports containing suspect and reporter linkage values
§ PCA: entire database of (linkage value, hash of RA-PCA request) mapping
§ RA: entire database of (hash of RA-PCA request, LCI1, LCI2) mapping
§ LA1, LA2: entire database of (LCI1, LS1) and (LCI2, LS2), respectively
– Outputs
§ MA: linkage seeds of devices satisfying the revocation criteria
§ PCA, RA, LA1, LA2: nothing
§ It is inefficient because protocol complexity grows with the number of parties and
databases of PCA, RA, LA1 and LA2 are extremely large
§ Our protocol V1
– LAs are replaced by our novel design of Misbehavior Helper (MH), so it is a 3-party protocol
– No database lookups, MH is decrypted jointly by PCA and RA to retrieve linkage seeds
V1: Misbehavior Helper Info
Misbehavior Helper Info (MH) = Enc(KRA + KPCA, LV || LS)
[Figure: the RA (holding KRA) and the PCA (holding KPCA) jointly produce, for each LVi,j on the chain LS0 → LS1 → … → LSi, the helper MH that binds the linkage value to its linkage seed.]
Party: MA | PCA | RA
Private inputs: {(Suspect MH, Reporter MH)} | KPCA | KRA
Private outputs: Linkage seeds for CRL | Nothing | Nothing
V2: Boolean Circuit Improvements
§ V1's Boolean circuit grows quadratically with input size
§ Novel approach for "Filtering over Threshold"
– Sorting using a bitonic sorting network: O(n · log² n)
– Counting over the sorted input: O(n)
– Filtering based on threshold: O(n)
§ O(n²) → O(n · log² n): the improvement factor grows dramatically
– Boolean circuits are 9 times smaller for input size = 1,000
– Extrapolations for larger input sizes are below
Input Size | 1,000 | 10,000 | 100,000 | 1,000,000
Improvement Factor | 9 | 51 | 324 | 2,250
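The "Filtering over Threshold" pipeline described above, as an added example that is not the slides' circuit or code. It is written as the data-oblivious steps a Boolean circuit would implement: a bitonic sorting network over (suspect, reporter) pairs, one linear pass counting reports and distinct reporters per suspect, and one linear pass applying the suspect and reporter thresholds (5 and 3, the values used in the MID slides). Every loop bound and comparator position depends only on n, never on the data, which is what lets the control flow be unrolled into gates. The report list is constructed, and plain integers stand in for the 9-byte linkage values.

```python
# Added example (not the slides' circuit) of filtering over threshold as a
# data-oblivious pipeline: bitonic sort, linear count, linear filter.
# Reports are constructed; integers stand in for 9-byte linkage values.
import random
from typing import List, Tuple

Report = Tuple[int, int]                 # (suspect LV, reporter LV)
SENTINEL_ID = 1 << 72                    # sorts after every real 9-byte value
SENTINEL: Report = (SENTINEL_ID, SENTINEL_ID)


def bitonic_sort(data: List[Report]) -> int:
    """Sort in place with a bitonic network; returns the comparator count,
    which is n/4 * log2(n) * (log2(n) + 1) regardless of the input."""
    n = len(data)
    assert n > 0 and n & (n - 1) == 0, "network needs a power-of-two size"
    comparators = 0
    k = 2
    while k <= n:                        # size of the bitonic sequences merged
        j = k // 2
        while j >= 1:                    # distance between compared positions
            for i in range(n):
                partner = i ^ j
                if partner > i:          # fixed wiring: (i, partner) is a comparator
                    ascending = (i & k) == 0
                    a, b = data[i], data[partner]
                    if (a > b) == ascending:
                        data[i], data[partner] = b, a
                    comparators += 1
            j //= 2
        k *= 2
    return comparators


def count_and_filter(sorted_recs: List[Report], suspect_threshold: int,
                     reporter_threshold: int) -> List[int]:
    """Linear passes over the sorted input. Each `x if c else y` is a MUX in
    the circuit; output slot i carries the suspect id only if i ends a run
    that meets both thresholds, otherwise a sentinel, so the output shape is
    fixed and reveals nothing about how many suspects were flagged."""
    n = len(sorted_recs)
    out: List[int] = []
    reports = 0
    distinct = 0
    for i in range(n):
        s, r = sorted_recs[i]
        new_suspect = i == 0 or s != sorted_recs[i - 1][0]
        new_reporter = new_suspect or r != sorted_recs[i - 1][1]
        reports = 1 if new_suspect else reports + 1
        distinct = 1 if new_suspect else distinct + int(new_reporter)
        last_of_run = i == n - 1 or s != sorted_recs[i + 1][0]
        hit = (last_of_run and s != SENTINEL_ID
               and reports >= suspect_threshold and distinct >= reporter_threshold)
        out.append(s if hit else SENTINEL_ID)
    return out


def identify_misbehavior(reports: List[Report], suspect_threshold: int,
                         reporter_threshold: int) -> Tuple[List[int], int]:
    """Pad to a power of two, sort, count, filter. Returns the suspects to be
    revoked and the number of comparators the sorting network used."""
    n = 1
    while n < len(reports):
        n *= 2
    data = list(reports) + [SENTINEL] * (n - len(reports))
    comparators = bitonic_sort(data)
    flagged = count_and_filter(data, suspect_threshold, reporter_threshold)
    return sorted({s for s in flagged if s != SENTINEL_ID}), comparators


def naive_reference(reports: List[Report], suspect_threshold: int,
                    reporter_threshold: int) -> List[int]:
    """Plain dictionary version, used only to check the oblivious pipeline."""
    per = {}
    for s, r in reports:
        per.setdefault(s, []).append(r)
    return sorted(s for s, rs in per.items()
                  if len(rs) >= suspect_threshold and len(set(rs)) >= reporter_threshold)


def sample_reports() -> List[Report]:
    """Constructed: suspect 7 has 6 reports from 4 reporters (revoke); suspect
    3 has 5 reports from one reporter (reporter threshold fails); suspect 9
    has 4 reports from 4 reporters (suspect threshold fails); suspect 5 has 5
    reports from 5 reporters (revoke)."""
    return [(7, 101), (7, 102), (7, 103), (7, 104), (7, 101), (7, 102),
            (3, 201), (3, 201), (3, 201), (3, 201), (3, 201),
            (9, 301), (9, 302), (9, 303), (9, 304),
            (5, 401), (5, 402), (5, 403), (5, 404), (5, 405)]


def randomized_check(seed: int, rounds: int = 50) -> bool:
    """The pipeline agrees with the naive version on random report sets."""
    rng = random.Random(seed)
    for _ in range(rounds):
        m = rng.randint(1, 64)
        reps = [(rng.randint(1, 8), rng.randint(1, 6)) for _ in range(m)]
        if identify_misbehavior(reps, 5, 3)[0] != naive_reference(reps, 5, 3):
            return False
    return True


if __name__ == "__main__":
    ids, comparators = identify_misbehavior(sample_reports(), 5, 3)
    print("revoke:", ids, "comparators:", comparators)
```

The comparator count is the part that scales as n · log² n; the counting and filtering passes add a constant number of comparators and multiplexers per slot. The naive pairwise alternative (compare every report with every other) needs on the order of n² comparators, which is the quadratic growth of V1 the slide refers to.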
Results of GC Implementations for MID
Version | Number of Gates in Boolean Circuit | Garbled Circuit Size (GB) | Garbling Time (seconds) | Improvement Factor (V1/Vx)
V1 (Misbehavior Helper Info) | 1.1 Billion | 12 | 27 | N/A
V2 (Boolean Circuit Improvements) | 121 Million | 1.3 | 3 | 9
§ Table shows MID for 1024 inputs (suspect, reporter LVs) and 1 linkage chain per vehicle
§ Garbling times are on AWS c5d.xlarge
§ Hardware: Intel Xeon CPU at 2.4 GHz and 8GB RAM
§ Cost: $0.0388 per hour (https://aws.amazon.com/ec2/spot/pricing/).
§ Current code utilizes only 1 core, significant improvements are expected by our (upcoming)
research on parallelization
Demo of Misbehavior Identification
Conclusions
§ Linkage Value (LV) Generation
– Better security and privacy at a fraction of the original cost
– Simpler overall system
– Opportunities for significant improvements in CRL efficiency and other parts of
SCMS by switching to one linkage chain per vehicle
§ Misbehavior Identification (MID)
– Best possible security and privacy
– Highly effective, i.e., MA can catch all misbehavior in reports as per the policy
§ Ongoing research at OnBoard Security and academia will further
improve efficiencies for both LV Generation and MID
Thank you!
We hope it was worth your time.

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Garbled Circuits for Secure Credential Management Services

7. Linkage Value Generation
• Pseudonym certificate provisioning
• Request for pseudonym certificates
• Pseudonym certificate generation
• Initial download of pseudonym certificates
• Schedule generation of subsequent batch of pseudonym certificates
• Top-off pseudonym certificates
• Only Linkage Value (LV) generation, which is embedded inside pseudonym certificate generation, requires distributed computation among multiple authorities

8. Current Process of LV Generation
[Figure: LA1 and LA2 each run a one-way hash chain LS0 → LS1 → … → LSi. From LSi each LA derives the pre-linkage value PLVi,j, encrypts it to the PCA as EPLVi,j, and the RA shuffles the encrypted values across multiple devices before forwarding them. The PCA decrypts the two PLVi,j and combines them into LVi,j.]
Legend: E: Encryption; EPLV: Encrypted PLV; H: Hash; LS: Linkage seed; PLV: Pre-linkage value; LV: Linkage value
9. Malicious Security
§ Current SCMS design is vulnerable to malicious insiders
  – Malicious LA: A malicious LA can provide pre-linkage values that look “normal” but completely subvert misbehavior detection, e.g.
    § by using multiple seeds (instead of a single seed) per device
    § by using random 9-byte values instead of following the pre-linkage value generation algorithm
  – Malicious RA: A malicious RA can subvert misbehavior detection and revocation, e.g.
    § by using pre-linkage values from different chains for a given device
    § by provisioning a revoked device with certificates using a new linkage chain
  – Malicious LA/PCA: A malicious LA or PCA can subvert misbehavior investigation, e.g.
    § on MA’s query (plv1, plv2), the LA responds that they do not belong to one device, even if they do
    § on MA’s query lv (= plv1 ⊕ plv2), the PCA responds with (plv3, lv ⊕ plv3), where plv3 ≠ plv1 and plv3 ≠ plv2
§ This is not an exhaustive list of attacks; in fact, creating an exhaustive list seems infeasible
§ Some attacks can possibly be addressed by small changes to the current protocols, but we need a holistic approach that counters all attacks, even those we have not discovered yet
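As an added illustration of the malicious-LA attack on slides 8 and 9 (example code, not part of the original deck): a simplified two-LA linkage model in Python with an honest LA and one that answers every request with fresh random 9-byte values. The seed-to-seed and seed-to-PLV derivations (SHA-256 with domain tags) and the 16-byte seed length are assumptions standing in for the SCMS derivation functions, not the CAMP specification. The point it shows is that the rogue LA’s answers are indistinguishable to the PCA and RA, yet a CRL entry expanded from the seed it discloses matches none of the certificates it helped issue, so the device is never effectively revoked.

```python
import hashlib
import secrets

SEED_LEN = 16   # linkage seed length (assumed for the illustration)
PLV_LEN = 9     # SCMS pre-linkage and linkage values are 9 bytes


def next_seed(ls):
    """One-way step LS_i -> LS_{i+1} (assumed SHA-256 model of the slide's H)."""
    return hashlib.sha256(b"seed|" + ls).digest()[:SEED_LEN]


def derive_plv(ls_i, i, j):
    """PLV_{i,j} from the period-i seed (assumed model; real SCMS uses a keyed
    construction that also binds the LA identifier)."""
    msg = b"plv|" + ls_i + i.to_bytes(4, "big") + j.to_bytes(2, "big")
    return hashlib.sha256(msg).digest()[:PLV_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HonestLA:
    """Keeps one seed per device and follows the chain."""

    def __init__(self):
        self.seeds = {}

    def enroll(self, ee):
        self.seeds[ee] = secrets.token_bytes(SEED_LEN)

    def seed_at(self, ee, i):
        ls = self.seeds[ee]
        for _ in range(i):
            ls = next_seed(ls)
        return ls

    def plv(self, ee, i, j):
        return derive_plv(self.seed_at(ee, i), i, j)

    def disclose(self, ee, i):
        """Seed handed over for a CRL entry (slide 13, steps 5-8)."""
        return self.seed_at(ee, i)


class MaliciousLA(HonestLA):
    """Indistinguishable on the wire: enrolls devices and discloses a seed on request
    like an honest LA, but its PLVs are random bytes that never come from the chain."""

    def plv(self, ee, i, j):
        return secrets.token_bytes(PLV_LEN)


def linkage_value(la1, la2, ee, i, j):
    """What the PCA puts in the certificate: lv = plv1 XOR plv2 (slide 9)."""
    return xor(la1.plv(ee, i, j), la2.plv(ee, i, j))


def expand_crl_entry(ls1_i, ls2_i, i, periods, certs_per_period):
    """What every receiver does with a CRL entry: regenerate the revoked device's
    linkage values for periods i .. i+periods-1 from the two disclosed seeds."""
    revoked = set()
    for p in range(periods):
        for j in range(certs_per_period):
            revoked.add(xor(derive_plv(ls1_i, i + p, j), derive_plv(ls2_i, i + p, j)))
        ls1_i, ls2_i = next_seed(ls1_i), next_seed(ls2_i)
    return revoked


def revocation_coverage(la1, la2, ee, i=3, periods=4, certs_per_period=20):
    """Fraction of the certificates issued to `ee` from period i onward that a CRL
    entry built from the LAs' disclosed seeds actually catches."""
    issued = {linkage_value(la1, la2, ee, i + p, j)
              for p in range(periods) for j in range(certs_per_period)}
    crl = expand_crl_entry(la1.disclose(ee, i), la2.disclose(ee, i),
                           i, periods, certs_per_period)
    return len(issued & crl) / len(issued)


def demo():
    ee = b"device-0001"   # constructed device identifier
    honest1, honest2, rogue = HonestLA(), HonestLA(), MaliciousLA()
    for la in (honest1, honest2, rogue):
        la.enroll(ee)
    return {
        "honest_pair": revocation_coverage(honest1, honest2, ee),
        "one_malicious_la": revocation_coverage(honest1, rogue, ee),
    }


if __name__ == "__main__":
    print(demo())   # {'honest_pair': 1.0, 'one_malicious_la': 0.0}
```

Nothing in the PCA’s or RA’s view distinguishes the two runs: both LAs return well-formed 9-byte values and both hand over a plausible seed on request. Only the secure-computation approach on the later slides removes the need to trust the LA to follow the algorithm.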
10. Global Misbehavior Detection FAQ
Q: Do we really need it?
A: Yes, because whether you like it or not, misbehavior will happen.
Q: Why can’t each OEM take care of misbehavior on their own?
A: In a cooperative system like V2V, misbehavior will impact everyone, not just a particular OEM.
Q: As an OEM, we handle far more sensitive information, so why can’t we also handle linkage value generation?
A: Even if OEM 1 is doing everything right, OEM 2 can set up its system such that its vehicles will never get revoked, as illustrated on the previous slide.

11. Misbehavior Identification
• Global misbehavior detection and revocation
• Misbehavior report validation
• Misbehavior analysis
• Misbehavior investigation
• Revocation
• Misbehavior post-processing
• Only misbehavior investigation and part of revocation require distributed computation among multiple authorities; we call this part Misbehavior Identification (MID)

12. Current Misbehavior Investigation
[Figure: the MA holds report pairs {sLV1, rLV1} … {sLVi, rLVi} … {sLVn, rLVn}. 1. MA sends an LV to the PCA; 2. PCA maps LV → EPLV and returns the EPLV; 3. MA sends {sEPLV1, rEPLV1} … {sEPLV50, rEPLV50} to the LA, which maps EPLV → LS; 4. LA returns {sEPLV, sCount, UniqueRCount}. MA’s query size and LA’s response are deliberately limited due to privacy concerns.]
Legend: EPLV: Encrypted PLV; LS: Linkage seed; LV: Linkage value; rEPLV: Reporter EPLV; rLV: Reporter LV; sEPLV: Suspect EPLV; sLV: Suspect LV

13. Current Revocation
[Figure: 1. MA sends an LV from the revoked LV list to the PCA; 2. PCA maps LV → HRPR and returns the HRPR; 3. MA sends the HRPR to the RA; 4. RA maps HRPR → (LCI1, LCI2) and returns both; 5. MA sends LCI1 to LA1; 6. LA1 returns LS1; 7. MA sends LCI2 to LA2; 8. LA2 returns LS2.]
Legend: HRPR: Hash of RA-PCA request; LCI: Linkage chain identifier; LS: Linkage seed; LV: Linkage value

14. Goals of MID
All Misbehavior Detection
§ MA should be able to detect all misbehavior in reports as per the policy.
Perfect Privacy Protection
§ MA should only learn the linkage seeds of vehicles to be revoked.
§ No one should learn anything else.
[Figure: example report set with Suspect Threshold 5 and Reporter Threshold 3; color denotes the suspect vehicle, shape the reporter vehicle]

15. Issues with current MID - Effectiveness
Assume: a) Suspect Threshold: 5; b) Reporter Threshold: 3. Color: suspect vehicle; shape: reporter vehicle.
[Figure: misbehavior report database split into Query 1 and Query 2]
Due to the limited query size, MA does not detect all misbehavior, i.e., the red vehicle goes undetected.
A smart attacker can easily create a strategy that defeats the current algorithm of MA.

16. Issues with current MID - Privacy
§ PCA learns which LVs are being investigated.
§ LA also learns which EPLVs and LSs are being investigated.
§ MA also learns information about honest vehicles.
§ Our goals for MID
  – Make sure all misbehavior can be detected
  – Achieve security and privacy via a theoretically sound mechanism
17. Secure Computation and Yao’s Garbled Circuit

18. Secure Computation to the Rescue
§ In theory, secure computation can solve all the previously identified problems
§ But even the most efficient previously known solutions for secure computation are extremely impractical for use in SCMS
  – LV Generation: Even if one can generate one linkage value in a reasonable amount of time, generating 30 years’ worth for 300 million vehicles is extremely impractical
  – MID: Due to the current one-way design of linkage values, the inputs of the LAs would consist of 300 million linkage seeds, which makes the protocol extremely impractical

19. Real Life Computation Problems
Solution: a trusted third party. But do we really have to?

20. Secure Computation
§ Parties P1, P2, …, Pn with private inputs x1, x2, …, xn can jointly compute any arbitrary function f(x1, x2, …, xn), s.t.
  – Correctness: Output is guaranteed to be correct.
  – Privacy: Inputs are guaranteed to remain private.
  – …
§ [Yao ’82] achieved this for n = 2.
§ [Goldreich-Micali-Wigderson ’87] achieved this for n ≥ 2.
§ Active area of cryptographic research.

21. Garbled Circuits [Yao ’82]
[Figure: two parties jointly evaluating f(x1, x2)]
22. Garbled Circuits contd.
Wires w1, w2 (inputs) and w3 (output) are assigned label pairs (k1^0, k1^1), (k2^0, k2^1), (k3^0, k3^1).
Garbling of a gate with the following truth table (an OR gate):
  w1  w2  w3   Garbled row
  0   0   0    G1 = E(k1^0, k2^0, k3^0)
  0   1   1    G2 = E(k1^0, k2^1, k3^1)
  1   0   1    G3 = E(k1^1, k2^0, k3^1)
  1   1   1    G4 = E(k1^1, k2^1, k3^1)
P1 (x1 = 0) sends P2 (x2 = 1) the shuffled rows G2, G1, G3, G4, the output decoding (k3^0, 0), (k3^1, 1), and its own input label k1^0; P2 obtains k2^1 via OT.
P2 then:
1. Tries to decrypt G1, …, G4.
2. With k1^0 and k2^1, can decrypt only G2, obtaining k3^1.
3. k3^1 maps to 1, so the output is 1.
Output = 1
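The single-gate exchange on this slide, as an added worked example in Python (not code from the original deck or from OnBoard Security): the garbler picks two random labels per wire, encrypts the output label of each truth-table row under the pair of input labels, shuffles the rows, and the evaluator, holding exactly one label per input wire, can open exactly one row. The hash-based row encryption with a 16-byte all-zero check (so the evaluator can tell which row opened) is an assumed, simple stand-in for the slide’s E; the oblivious transfer that gives P2 its own input label is out of scope and is simulated by a direct pick, as the comment notes.

```python
import hashlib
import secrets

KEY_LEN = 16            # wire label length in bytes (assumed)
CHECK = bytes(16)       # redundancy appended so the evaluator can tell which row opened


def new_wire():
    """Two random labels for a wire: index 0 encodes bit 0, index 1 encodes bit 1."""
    return (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))


def _row_pad(label_a, label_b):
    """32-byte one-time pad derived from the two input labels; this hash-based
    construction stands in for the slide's double encryption E(k_a, k_b, .)."""
    return hashlib.sha256(b"yao-row|" + label_a + label_b).digest()


def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def garble_gate(gate, w1, w2, w3):
    """Garble one 2-input gate. gate(a, b) returns the output bit; w1, w2, w3 are
    label pairs. Each row encrypts the output label for inputs (a, b) under the
    pair of input labels; the rows are shuffled so their position leaks nothing."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            plaintext = w3[gate(a, b)] + CHECK
            rows.append(_xor(plaintext, _row_pad(w1[a], w2[b])))
    secrets.SystemRandom().shuffle(rows)
    return rows


def evaluate_gate(rows, label_a, label_b):
    """The evaluator holds exactly one label per input wire, so exactly one row
    decrypts to something ending in CHECK; with a wrong pad the 16 check bytes
    come out all-zero only with probability 2^-128."""
    for row in rows:
        plaintext = _xor(row, _row_pad(label_a, label_b))
        if plaintext[KEY_LEN:] == CHECK:
            return plaintext[:KEY_LEN]
    raise ValueError("no row opened: wrong labels or tampered table")


def run_two_party(gate, x1, x2):
    """P1 (garbler) holds bit x1, P2 (evaluator) holds bit x2; P2 learns gate(x1, x2)
    and nothing about x1 beyond what that output implies."""
    w1, w2, w3 = new_wire(), new_wire(), new_wire()
    table = garble_gate(gate, w1, w2, w3)
    # P1 -> P2: the garbled table, P1's own input label, and the output decoding map.
    label_x1 = w1[x1]
    decode = {w3[0]: 0, w3[1]: 1}
    # P2 gets the label for its own bit by 1-out-of-2 oblivious transfer, so P1
    # never learns x2 and P2 never sees w2[1 - x2]. The OT protocol itself is out
    # of scope here, so the transfer is simulated by a direct pick.
    label_x2 = w2[x2]
    return decode[evaluate_gate(table, label_x1, label_x2)]


def OR(a, b):
    return a | b


def AND(a, b):
    return a & b


if __name__ == "__main__":
    print(run_two_party(OR, 0, 1))   # 1, the case worked on the slide
```

A circuit for LV generation or MID is this construction applied gate by gate: the output label of one gate becomes an input label of the next, and only the final wires get a decoding map. The row-decryption check above is what keeps the evaluator from learning anything from the three rows it cannot open.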
23. Secure Computation for Linkage Value Generation

24. Secure Computation for LV Generation
§ A Straightforward 4-Party Secure Computation for LV generation
  – Inputs
    § LA1: entire database of linkage seeds
    § LA2: entire database of linkage seeds
    § RA: (EE, i, j)
    § PCA: nothing
  – Outputs
    § LA1, LA2, RA: nothing
    § PCA: linkage value for (EE, i, j)
§ It is inefficient because protocol complexity grows with the number of parties and the linkage seed database is extremely large
§ Our protocol V1
  – The functionality of the LAs is merged into the PCA, so it is a 2-party protocol between PCA and RA
  – Linkage seeds are computed on the fly inside the secure computation using a hash function, so the parties’ inputs become very small and manageable

25. V1: Hash-based Initial Linkage Seed Generation
[Figure: the PCA derives the initial linkage seeds ls1(EE,0), ls2(EE,0) by applying SHA-256 to its secret key KPCA and the device identifier EE supplied by the RA]
Private inputs: PCA: KPCA; RA: EE, i, j
Private outputs: PCA: lv(EE, i, j); RA: lv pointer

27. V3: Stateful Generation
§ V2 is a huge improvement over V1, e.g., for weekly batches
  – 1st week: 3 vs. 41 SHA-256,
  – 2nd week: 5 vs. (41+81) SHA-256,
  – 3rd week: 7 vs. (41+81+121) SHA-256, and so on
§ However, V2 is a trade-off
  – Maximum benefit only if batch size = life of vehicle, i.e., 30 years
  – Generating all 30 years’ worth at once has drawbacks
    § Huge waste, as the average lifespan is only 13 to 17 years (https://berla.co/average-us-vehicle-lifespan/)
    § Large storage and communication requirements
§ Stateful Generation in V3
  – Last week’s linkage seed is stored at the PCA in garbled form
  – Has performance similar to V2 with batch size = life of vehicle
  – Doesn’t have any of the drawbacks of V2

28. Compatibility and Further Improvements
§ V1 to V3 are fully compatible with the current LV design, i.e., vehicles won’t notice any difference
§ V4: Privacy is guaranteed by secure computation, so only one (instead of two) linkage chain per vehicle is sufficient
  – No obvious security weaknesses compared to the current design
  – Currently deployed devices need a software update for the new CRL expansion
  – Cuts CRL size in half (or doubles the number of devices that can be revoked)
  – Cuts CRL expansion time in half, a big plus for resource-constrained devices
  – Cuts LV generation time and resources in (almost) half
  – Makes misbehavior identification more efficient

29. Results of GC Implementations for LV generation
                                        One LV (MB)   One Vehicle for 30 Years (GB)   300 Million Vehicles for 1 Week (TB)   Improvement Factor (V1/Vx)
V1 (Hash-based Initial Linkage Seed)    6,019         183,390                         34,440,744                             N/A
V2 (Batched Generation)                 301           9,184                           1,726,169                              20
V3 (Stateful Generation)                1.13          35                              6,481                                  5,314
V4 (One Linkage Chain per Vehicle)      0.69          21                              3,953                                  8,713
§ Table shows average garbled circuit sizes for 20 LVs per week
§ Garbling of V4 on an AWS t2.micro takes about 0.02 seconds per LV
  – Hardware: Intel Xeon CPU at 2.4 GHz and 1 GB RAM
  – Cost: $0.0035 per hour (https://aws.amazon.com/ec2/spot/pricing/)
§ LV generation for 300 million vehicles without the LA pair would cost $15,000/year
§ CAMP’s cost model puts the price tag of the LA pair at $150,000/year

30. Demo of Linkage Value Generation

32. Secure Computation for MID
§ A Straightforward 5-Party Secure Computation for MID
  – Inputs
    § MA: misbehavior reports containing suspect and reporter linkage values
    § PCA: entire database of (linkage value, hash of RA-PCA request) mappings
    § RA: entire database of (hash of RA-PCA request, LCI1, LCI2) mappings
    § LA1, LA2: entire database of (LCI1, LS1) and (LCI2, LS2) mappings, respectively
  – Outputs
    § MA: linkage seeds of devices satisfying the revocation criteria
    § PCA, RA, LA1, LA2: nothing
§ It is inefficient because protocol complexity grows with the number of parties and the databases of PCA, RA, LA1 and LA2 are extremely large
§ Our protocol V1
  – The LAs are replaced by our novel design of Misbehavior Helper (MH) info, so it is a 3-party protocol
  – No database lookups: the MH is decrypted jointly by PCA and RA to retrieve the linkage seeds

33. V1: Misbehavior Helper Info
Misbehavior Helper Info (MH) = Enc(KRA + KPCA, LV || LS)
[Figure: the linkage chain LS0 → LS1 → … → LSi yields LVi,j; the RA (key KRA) and the PCA (key KPCA) jointly produce the MH that accompanies each LV]
Private inputs: MA: {(Suspect MH, Reporter MH)}; PCA: KPCA; RA: KRA
Private outputs: MA: linkage seeds for CRL; PCA: nothing; RA: nothing
34. V2: Boolean Circuit Improvements
§ V1’s Boolean circuit grows quadratically with input size
§ Novel approach for “Filtering over Threshold”
  – Sorting using a bitonic sorting network: O(n log² n)
  – Counting over the sorted input: O(n)
  – Filtering based on threshold: O(n)
§ O(n²) → O(n log² n): improvement factor grows dramatically
  – Boolean circuits are 9 times smaller for input size = 1,000
  – Extrapolations for larger input sizes are below
Input Size           1,000   10,000   100,000   1,000,000
Improvement Factor   9       51       324       2,250
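The sort, count, filter pipeline of this slide as an added worked example in Python (not code from the original deck or from OnBoard Security): a bitonic sorting network whose comparator schedule depends only on the input length, never on the data, which is what lets it be expressed as a Boolean circuit, followed by a single linear pass that computes each suspect’s report count and unique-reporter count and applies the thresholds from slide 14 (5 reports from 3 distinct reporters). The sample reports and the small integer linkage values are constructed for illustration, and the comparator counts it reports are for this model, not the gate counts in the deck’s table.

```python
LV_BITS = 72                                  # SCMS linkage values are 9 bytes
SENTINEL = (1 << LV_BITS, 1 << LV_BITS)       # padding that sorts after every real pair


def bitonic_sort(a):
    """In-place bitonic sorting network on a list whose length is a power of two.
    Returns the number of compare-and-swap operations performed; that number is a
    function of len(a) only, so the same network works for any data of that size."""
    n = len(a)
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    comparators = 0
    k = 2
    while k <= n:                      # size of the bitonic sequences being merged
        j = k // 2
        while j > 0:                   # comparator stride inside the merge
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    comparators += 1
                    ascending = (i & k) == 0
                    if (a[i] > a[partner]) == ascending:
                        a[i], a[partner] = a[partner], a[i]
            j //= 2
        k *= 2
    return comparators


def filter_over_threshold(reports, suspect_threshold, reporter_threshold):
    """reports: list of (suspect_lv, reporter_lv) integer pairs as the MA would feed
    into the secure computation. Returns (flagged suspects, comparator count).
    Sorting costs O(n log^2 n) comparators; counting and filtering are one O(n) pass."""
    n = 1
    while n < len(reports):
        n *= 2
    a = list(reports) + [SENTINEL] * (n - len(reports))   # pad to a power of two
    comparators = bitonic_sort(a)
    flagged = set()
    run = uniq = 0
    for idx in range(n):
        s, r = a[idx]
        if s == SENTINEL[0]:
            break                      # padding only follows real data; a circuit would loop over all n
        if idx == 0 or a[idx - 1][0] != s:
            run = uniq = 0             # a new suspect's run begins
        run += 1                       # report count (sCount on slide 12)
        if idx == 0 or a[idx - 1] != (s, r):
            uniq += 1                  # identical pairs are adjacent after sorting (UniqueRCount)
        last_of_run = idx + 1 == n or a[idx + 1][0] != s
        if last_of_run and run >= suspect_threshold and uniq >= reporter_threshold:
            flagged.add(s)
    return flagged, comparators


def comparator_counts(n):
    """Comparators used by the network versus the pairwise comparisons of a naive
    quadratic count, for a power-of-two n (the V1 vs. V2 shape, not its gate counts)."""
    return bitonic_sort(list(range(n, 0, -1))), n * (n - 1) // 2


# Constructed sample: small integers stand in for 72-bit linkage values.
A, B, C = 0xA1, 0xB2, 0xC3             # suspects
R1, R2, R3, R4 = 1, 2, 3, 4            # reporters
SAMPLE_REPORTS = (
    [(A, R1), (A, R1), (A, R2), (A, R2), (A, R3), (A, R3)]   # 6 reports, 3 unique reporters
    + [(B, R1), (B, R1), (B, R1), (B, R2), (B, R2)]          # 5 reports, 2 unique reporters
    + [(C, R1), (C, R2), (C, R3), (C, R4)]                   # 4 reports, 4 unique reporters
)

if __name__ == "__main__":
    flagged, comps = filter_over_threshold(SAMPLE_REPORTS, 5, 3)
    print(sorted(flagged), comps)      # [161] 80
    print(comparator_counts(1024))     # (28160, 523776)
```

Only A clears both thresholds: B has enough reports but from too few distinct reporters, and C has enough distinct reporters but too few reports. Inside a garbled circuit the early `break` and the data-dependent `if` branches become fixed-length loops with multiplexers, so the sorted order, the counts and the flags are all computed without any party seeing them in the clear.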
35. Results of GC Implementations for MID
                                    Number of Gates in Boolean Circuit   Garbled Circuit Size (GB)   Garbling Time (seconds)   Improvement Factor (V1/Vx)
V1 (Misbehavior Helper Info)        1.1 Billion                          12                          27                        N/A
V2 (Boolean Circuit Improvements)   121 Million                          1.3                         3                         9
§ Table shows MID for 1024 inputs (suspect, reporter LVs) and 1 linkage chain per vehicle
§ Garbling times are on an AWS c5d.xlarge
  – Hardware: Intel Xeon CPU at 2.4 GHz and 8 GB RAM
  – Cost: $0.0388 per hour (https://aws.amazon.com/ec2/spot/pricing/)
§ Current code utilizes only 1 core; significant improvements are expected from our (upcoming) research on parallelization

37. Conclusions
§ Linkage Value (LV) Generation
  – Better security and privacy at a fraction of the original cost
  – Simpler overall system
  – Opportunities for significant improvements in CRL efficiency and other parts of SCMS by switching to one linkage chain per vehicle
§ Misbehavior Identification (MID)
  – Best possible security and privacy
  – Highly effective, i.e., MA can catch all misbehavior in reports as per the policy
§ Ongoing research at OnBoard Security and academia will further improve efficiencies for both LV Generation and MID

38. Thank you!
We hope it was worth your time.