Aggregate Message-Authentication Codes
Jonathan Katz, University of Maryland
Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University
04/08/08 CRYP-108
Message Authentication Codes
Message authentication codes, or MACs, are the private-key (symmetric) analogue of digital signatures
» Two parties Alice and Bob share a secret key K
» Given a message m and a key K, Alice computes a MAC tag t = MAC_K(m) and sends (m,t) to Bob
» Bob verifies that t = MAC_K(m) and if yes, accepts the message as legitimate (i.e., sent by Alice)
» Security: as for signatures
[Diagram: message and key K are fed into MAC, producing the tag]
Security of Message Authentication Codes
Existential unforgeability against chosen-message attacks
» An adversary can ask for a MAC on any message it wishes
» At some stage, the adversary outputs a pair (m,t)
» It succeeds in its attack if
  1) t is a valid MAC tag; i.e., t = MAC_K(m)
  2) The adversary did not receive a MAC on m
Popular MACs: HMAC, CBC-MAC, …
MAC Aggregation
Consider the case that many messages are MACed and sent
» The overhead due to the MAC tag can be large
» E.g., for HMAC-SHA1, 160 bits of overhead per message
The aim:
» Aggregate the tags into something smaller
» Note: MAC aggregation must take place without knowledge of the secret key
  Otherwise, one could just view all the messages as one and recompute a single MAC tag
Motivation – Sensor Networks
Many sensors with weak processing power need to communicate with a base station
» The sensors are arranged in a network that leads to the base station, and each sensor communicates only with its neighbors
» The base station shares a secret key with each node, and messages from nodes are authenticated
Authentication is needed for security-sensitive applications
A Sensor Network Without Aggregation
Consider a sensor network as follows
» There are t nodes that must transmit to a base station
» Arrange the nodes in a binary tree
» Only the leaf nodes transmit messages
» Each message is 16 bits long, and HMAC-SHA1 is used
Communication
» Distance from leaf node to root is log t
» Communication due to each leaf is (16+160)·log t
» Overall, we have (16+160)·2t·log t
» For t = 10^4: 4.6 × 10^7 bits transmitted
» Root node transmits (16+160)·t bits to base
A Sensor Network With Aggregation
Take the same sensor network and assume that internal nodes can aggregate MAC tags from child nodes into a single tag
Communication
» Distance from leaf node to root is log t
» Communication due to each leaf is 16·log t plus MAC overhead
» Overall, we have 16·2t·log t + 160t
» For t = 10^4: 5.7 × 10^6 bits transmitted (almost a 10th)
» Root node transmits 16t + 160 bits to base, less than a 10th
Each node transmits on average a 10th
Related Work
Aggregate signatures
» Motivated by compressing signature chains and reducing the message size in routing protocols
» Much work (see paper for references)
» Solutions rely on specific algebraic properties and come at some cost
This is the first work to consider aggregate message authentication codes
Our Results
Formal definitions
» See the paper
A simple aggregate MAC scheme
» With a formal proof by our definition…
A lower bound
A Simple & Efficient Aggregate MAC Scheme
Let MAC be a deterministic message authentication code
An aggregate scheme MAC*
» Tags are computed exactly as in the underlying MAC: MAC*_K(m) = MAC_K(m)
» Aggregation is carried out by just XORing: given (m_1,tag_1),…,(m_n,tag_n), an aggregate tag on m_1,…,m_n is given by
  tag = tag_1 ⊕ tag_2 ⊕ … ⊕ tag_n   (the XOR of tag_i over i = 1,…,n)
» Verification is carried out by re-computing all tags
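The scheme MAC* as a runnable Python example. This is an added illustration, not code from the paper or the authors: it assumes HMAC-SHA256 as the underlying deterministic MAC (the slides use HMAC-SHA1), a constructed key and constructed sensor messages. Aggregation is plain XOR and takes no key; verification recomputes every tag. The extract_tag function shows the property the security intuition relies on: because XOR is invertible, a valid aggregate tag plus the tags of all other messages yields the tag of the remaining message, which is how the reduction turns an aggregate forgery into a forgery for the underlying MAC.

```python
import hmac
import hashlib
from functools import reduce

# Constructed sample key; a real deployment shares a fresh random key per node.
KEY = b"constructed demo key"
TAG_LEN = hashlib.sha256().digest_size


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC_K(m): the underlying deterministic MAC (HMAC-SHA256 in this example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aggregate(tags):
    """MAC* aggregation: XOR of the individual tags. No key is involved."""
    return reduce(xor, tags, bytes(TAG_LEN))


def verify_aggregate(key: bytes, messages, agg_tag: bytes) -> bool:
    """MAC* verification: recompute every tag, XOR them, compare in constant time.
    Duplicate messages are rejected by this example because tag XOR tag = 0
    would make a repeated message vanish from the aggregate."""
    if len(set(messages)) != len(messages):
        return False
    expected = aggregate([mac(key, m) for m in messages])
    return hmac.compare_digest(expected, agg_tag)


def extract_tag(agg_tag: bytes, other_tags) -> bytes:
    """The step behind the security reduction: XORing the aggregate tag with the
    tags of all other messages leaves the tag of the one remaining message."""
    return aggregate([agg_tag, *other_tags])


# Constructed sample messages, e.g. readings relayed toward a base station.
MESSAGES = [b"node1:temp=21", b"node2:temp=19", b"node3:temp=23"]


def demo():
    tags = [mac(KEY, m) for m in MESSAGES]
    agg = aggregate(tags)                      # one TAG_LEN-byte tag for all messages
    ok = verify_aggregate(KEY, MESSAGES, agg)
    tampered = verify_aggregate(KEY, [b"node1:temp=99", *MESSAGES[1:]], agg)
    recovered = extract_tag(agg, tags[1:]) == tags[0]
    return ok, tampered, recovered


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The aggregate is a single tag of the underlying MAC's length regardless of how many messages it covers, and any change to one message makes the recomputed XOR differ, so verification fails; the duplicate check is this example's own precaution, motivated by the self-cancelling property of XOR.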
Intuition – Security
If an adversary can forge an aggregate MAC then it must be able to forge the underlying MAC
» The use of XOR means that the forgery for the underlying MAC can be extracted from the aggregate MAC
» For details of the reduction, see the paper
Properties of Our Construction
MAC computation equal to original scheme
Tag aggregation is linear
» Just requires a basic XOR operation
Size of MAC tag is minimal
» A single MAC tag suffices for any number of messages
Aggregate verification of n messages takes the same time as in the basic scheme
Another advantage
» Construction is simple and can use widely deployed MAC schemes like HMAC, CBC-MAC and so on
A Caveat
In our sensor network example, the base station needs to verify the MAC on all messages
What about applications where only one or some of the messages need to be authenticated at any given time?
» Our solution still requires the verifier to re-compute all the MAC tags
Is it possible to achieve random access?
A Simple Optimization
Split n messages into n/B buckets of size B
» Each bucket is authenticated separately
Complexity
» Number of MAC tags: n/B
» Time to verify a single message: B
Tradeoff:
» The product of the size and time is essentially n
» Can set B = n and have a single tag (like above)
» Can set B = 1 and aggregate by just concatenating
» Can set B = √n and have size = time = √n
A Lower Bound
Can we do better than this tradeoff? We prove that:
» If verification can be carried out in constant or logarithmic time (measured as a function of the number of messages)
» Then the length of the aggregate MAC tag must be at least n
This proves that it is impossible to achieve constant (or logarithmic) time and short tags
The Proof Idea
Assume that verification can be carried out in logarithmic time
Let x = x_1…x_n be an n-bit string
» Code x into n messages where m_i = (i, x_i)
» Example: x = 1100 is coded as m_1 = (1,1), m_2 = (2,1), m_3 = (3,0), m_4 = (4,0)
» Apply the aggregate MAC to m_1,…,m_n and let t be the tag
Claim: x can be reconstructed given t alone
The Proof Idea (continued)
Reconstructing x from t:
» Guess m_1 = (1,0)
» Run the MAC verification algorithm on message m_1 and tag t
  If the verification algorithm wishes to read m_i for some i, branch and run it twice:
    once with m_i = (i,0)
    once with m_i = (i,1)
  If the MAC verification algorithm accepts in any branch, then take x_1 = 0
  If it rejects in all branches, then take x_1 = 1
» Repeat for m_2,…,m_n to obtain x = x_1…x_n
The Proof Idea (continued)
Claim 1: the correct x is reconstructed
» Otherwise, the algorithm found a message m_i = (i, z_i) and a valid MAC tag for it
» But this is a successful forgery because the MAC was computed upon (i, x_i) and x_i ≠ z_i
» Contradiction!
The Proof Idea (continued)
Claim 2: the reconstruction algorithm is efficient
» Only a logarithmic number of messages is read by the reconstruction algorithm each time
» Each such message causes a branch
» There are therefore 2^(log n) different branches, but this is linear in the length of x
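A runnable Python example that covers both the bucketed optimization and the reconstruction procedure of the proof idea. It is added here and is not code from the paper or the authors. Assumptions: HMAC-SHA256 as the underlying deterministic MAC, 0-based message indices with m_i encoded as the byte string "i,bit", and a verifier that fetches the other members of a bucket through a read(k) callback so that the proof's branching step can be simulated exactly: whenever the verifier reads a message that has not been fixed yet, the run is repeated once with (k,0) and once with (k,1). The bucket size B plays the role of the verifier's running time.

```python
import hmac
import hashlib
from functools import reduce

# Constructed sample key; the reconstructing party shares K with the tagging party,
# as in the communication-complexity setting of the proof.
KEY = b"constructed demo key"
TAG_LEN = hashlib.sha256().digest_size


def mac(key: bytes, msg: bytes) -> bytes:
    """Underlying deterministic MAC (HMAC-SHA256 assumed; the slides use HMAC-SHA1)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor_all(tags) -> bytes:
    """XOR-aggregate of a list of equal-length tags."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), tags, bytes(TAG_LEN))


def encode(i: int, bit: int) -> bytes:
    """m_i = (i, x_i) from the proof idea; 0-based i is an encoding choice of this example."""
    return f"{i},{bit}".encode()


def bucket_tags(key: bytes, messages, B: int):
    """Bucketed aggregate MAC: one XOR-aggregated tag per bucket of B consecutive
    messages, so the aggregate consists of ceil(n/B) tags."""
    return [xor_all([mac(key, m) for m in messages[j:j + B]])
            for j in range(0, len(messages), B)]


def verify_one(key: bytes, n: int, B: int, tags, i: int, m_i: bytes, read) -> bool:
    """Verify message i on its own. The other members of its bucket are obtained
    through read(k), so the verifier touches B messages rather than all n."""
    j = i // B
    members = [m_i if k == i else read(k) for k in range(j * B, min(j * B + B, n))]
    return hmac.compare_digest(xor_all([mac(key, m) for m in members]), tags[j])


class NeedMessage(Exception):
    """Raised when the verifier asks for a message the reconstruction has not fixed yet."""
    def __init__(self, index: int):
        self.index = index


def accepts_in_some_branch(key, n, B, tags, i, guess, assumed) -> bool:
    """Run the verifier on the guess for m_i; each time it reads an unfixed m_k,
    branch and rerun once with m_k = (k,0) and once with m_k = (k,1)."""
    def read(k):
        if k in assumed:
            return encode(k, assumed[k])
        raise NeedMessage(k)
    try:
        return verify_one(key, n, B, tags, i, guess, read)
    except NeedMessage as need:
        return any(accepts_in_some_branch(key, n, B, tags, i, guess,
                                          {**assumed, need.index: bit})
                   for bit in (0, 1))


def reconstruct(key: bytes, n: int, B: int, tags) -> str:
    """Recover x from the tag alone: x_i = 0 iff some branch accepts m_i = (i,0)."""
    return "".join("0" if accepts_in_some_branch(key, n, B, tags, i, encode(i, 0), {})
                   else "1" for i in range(n))


def tradeoff(n: int, B: int):
    """(number of tags, MAC computations to verify one message); the product is about n."""
    return (-(-n // B), B)


if __name__ == "__main__":
    x = "1100"                                   # the slide's example string
    msgs = [encode(i, int(b)) for i, b in enumerate(x)]
    for B in (1, 2, 4):
        t = bucket_tags(KEY, msgs, B)
        print(B, tradeoff(len(x), B), reconstruct(KEY, len(x), B, t))
```

With a real MAC no wrong branch accepts (that would be a forgery of the underlying MAC, Claim 1), so the recovered string equals x for every B. Each position costs 2^(B-1) verifier runs, which is why the argument needs a verifier that reads only a logarithmic number of messages: for B = n (the single-XOR scheme) the branching is exponential and the reconstruction says nothing about the tag length, matching the open question on the summary slide.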
Completing the Proof
We have seen that x can be reconstructed from t
But it is impossible to compress all n-bit strings into less than n bits
» The formal proof is based on communication complexity (makes it easier to deal with probabilistic arguments)
Therefore the length of the tag t must be at least n
Summary
We provide the first formal treatment of aggregate MACs
» These can be very useful for sensor networks where power optimizations are essential
» However, they have even wider applicability
We provide a simple construction with extremely high efficiency
Our lower bound shows optimality to some extent
» It's still open whether the product of time/size can be made lower than n, when the time is super-logarithmic
Legal Notice
© Copyright 2007 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents www.aladdin.com/patents; other patents pending.
You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin.
Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.