Aggregate Message-Authentication Codes. Jonathan Katz, University of Maryland; Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University. 04/08/08, CRYP-108


Page 1

Aggregate Message-Authentication Codes

Jonathan Katz, University of Maryland
Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University

04/08/08, CRYP-108

Page 2

Message Authentication Codes

Message authentication codes, or MACs, are the private-key (symmetric) analogue of digital signatures
» Two parties Alice and Bob share a secret key K
» Given a message m and a key K, Alice computes a MAC tag t = MAC_K(m) and sends (m,t) to Bob
» Bob verifies that t = MAC_K(m) and, if so, accepts the message as legitimate (i.e., sent by Alice)
» Security: as for signatures

[Figure: message and key K are fed into MAC, producing the tag]

Page 3

Security of Message Authentication Codes

Existential unforgeability against chosen message attacks
» An adversary can ask for a MAC on any message it wishes
» At some stage, the adversary outputs a pair (m,t)
» It succeeds in its attack if
  1) t is a valid MAC tag, i.e., t = MAC_K(m)
  2) The adversary did not receive a MAC on m

Popular MACs: HMAC, CBC-MAC, …

Page 4

MAC Aggregation

Consider the case that many messages are MACed and sent
» The overhead due to the MAC tags can be large
» E.g., for HMAC-SHA1, 160 bits of overhead per message

The aim:
» Aggregate the tags into something smaller
» Note: MAC aggregation must take place without knowledge of the secret key. Otherwise, one could just view all the messages as one and recompute a single MAC tag

Page 5

Motivation – Sensor Networks

Many sensors with weak processing power need to communicate with a base station
» The sensors are arranged in a network that leads to the base station, and each sensor communicates only with its neighbors
» The base station shares a secret key with each node, and messages from nodes are authenticated

Authentication is needed for security-sensitive applications

Page 6

A Sensor Network Without Aggregation

Consider a sensor network as follows
» There are t nodes that must transmit to a base station
» Arrange the nodes in a binary tree
» Only the leaf nodes transmit messages
» Each message is 16 bits long, and HMAC-SHA1 is used

Communication
» Distance from leaf node to root is log t
» Communication due to each leaf is (16+160)·log t
» Overall, we have (16+160)·2t·log t
» For t = 10^4: 4.6 × 10^7 bits transmitted
» Root node transmits (16+160)·t bits to the base

Page 7

A Sensor Network With Aggregation

Take the same sensor network and assume that internal nodes can aggregate the MAC tags from their child nodes into a single tag

Communication
» Distance from leaf node to root is log t
» Communication due to each leaf is 16·log t plus MAC overhead
» Overall, we have 16·2t·log t + 160t
» For t = 10^4: 5.7 × 10^6 bits transmitted (almost a 10th)
» Root node transmits 16t + 160 bits to the base, less than a 10th
» Each node transmits on average a 10th

Page 8

Related Work

Aggregate signatures
» Motivated by compressing signature chains and reducing the message size in routing protocols
» Much work (see paper for references)
» Solutions rely on specific algebraic properties and come at some cost

This is the first work to consider aggregate message authentication codes

Page 9

Our Results

Formal definitions
» See the paper

A simple aggregate MAC scheme
» With a formal proof under our definition

A lower bound

Page 10

A Simple & Efficient Aggregate MAC Scheme

Let MAC be a deterministic message authentication code

An aggregate scheme MAC*
» Tags are computed exactly as in the underlying MAC: MAC*_K(m) = MAC_K(m)
» Aggregation is carried out by just XORing: given (m_1,tag_1),…,(m_n,tag_n), an aggregate tag on m_1,…,m_n is given by tag = tag_1 ⊕ tag_2 ⊕ … ⊕ tag_n (the XOR of tag_i over i = 1,…,n)
» Verification is carried out by re-computing all tags
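As an added example (the editor's code, not the paper's or the slides'), here is the XOR aggregate MAC instantiated with HMAC. It assumes the sensor-network setting of the earlier slides, where the base station shares a distinct key with each node id, and it binds the node id into the MACed input so the verifier authenticates the pair (id, message); the keys and readings are constructed for the demo. One check that is not on the slide is added in `verify`: because XOR is self-inverse, two copies of the same (id, message) pair cancel to zero, so a verifier that tolerated repeated pairs would accept an all-zero tag for a message that was never authenticated.

```python
# Added example (editor's code, not from the Katz-Lindell paper or slides): the
# XOR aggregate MAC of the slide, instantiated with HMAC. Assumes one key per
# node id (as in the sensor-network slides); keys/readings are constructed.
import hashlib
import hmac
import secrets

HASH = hashlib.sha256          # the slides use HMAC-SHA1; any deterministic MAC works
TAG_LEN = HASH().digest_size   # 32 bytes for SHA-256


def mac(key: bytes, node_id: int, msg: bytes) -> bytes:
    """Underlying MAC: HMAC_key(node_id || msg).

    The node id is bound into the MACed input (assumption: 4-byte big-endian
    ids) so that the pair (id, msg) is what gets authenticated.
    """
    return hmac.new(key, node_id.to_bytes(4, "big") + msg, HASH).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aggregate(tags) -> bytes:
    """Keyless aggregation: XOR all tags into one TAG_LEN-byte tag.

    Any intermediate node can run this, and it works on partial aggregates
    too, since XOR is associative and commutative.
    """
    acc = bytes(TAG_LEN)
    for t in tags:
        if len(t) != TAG_LEN:
            raise ValueError("malformed tag")
        acc = xor_bytes(acc, t)
    return acc


def verify(keys: dict, pairs, agg_tag: bytes) -> bool:
    """Base-station verification: recompute every tag and XOR them.

    Cost is linear in the number of messages (the deck's later caveat).
    Editor's caveat, not on the slide: XOR is self-inverse, so two copies of
    the same (id, msg) contribute nothing to the aggregate; an all-zero tag
    would then "verify" any never-authenticated pair listed twice. Repeated
    pairs are therefore rejected outright.
    """
    pairs = list(pairs)
    if len(set(pairs)) != len(pairs):
        return False
    expected = aggregate(mac(keys[i], i, m) for i, m in pairs)
    return hmac.compare_digest(expected, agg_tag)  # constant-time comparison


def demo():
    """Four sensors, one aggregate tag.

    Returns (accepted, tampered_accepted, aggregate_len, concatenated_len).
    """
    keys = {i: secrets.token_bytes(32) for i in range(1, 5)}  # constructed per-node keys
    readings = [(1, b"temp=21"), (2, b"temp=22"), (3, b"door=open"), (4, b"temp=20")]
    tags = [mac(keys[i], i, m) for i, m in readings]   # computed at the sensors
    agg = aggregate(tags)                               # folded en route, no key needed
    accepted = verify(keys, readings, agg)
    tampered = [(i, b"door=shut" if i == 3 else m) for i, m in readings]
    tampered_accepted = verify(keys, tampered, agg)
    return accepted, tampered_accepted, len(agg), sum(len(t) for t in tags)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the size saving the deck is after: four 32-byte tags become one 32-byte aggregate, the honest set verifies, and changing one reading makes verification fail. The duplicate check costs a set construction and is worth keeping in any deployment of this scheme.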

Page 11

Intuition – Security

If an adversary can forge an aggregate MAC, then it must be able to forge the underlying MAC
» The use of XOR means that the forgery for the underlying MAC can be extracted from the aggregate MAC
» For details of the reduction, see the paper

Page 12

Properties of Our Construction

MAC computation is identical to the original scheme
Tag aggregation is linear
» Just requires a basic XOR operation
Size of the MAC tag is minimal
» A single MAC tag suffices for any number of messages
Aggregate verification of n messages takes the same time as verifying n tags in the basic scheme
Another advantage
» The construction is simple and can use widely deployed MAC schemes like HMAC, CBC-MAC and so on

Page 13

A Caveat

In our sensor network example, the base station needs to verify the MAC on all messages

What about applications where only one or some of the messages need to be authenticated at any given time?
» Our solution still requires the verifier to re-compute all the MAC tags
» Is it possible to achieve random access?

Page 14

A Simple Optimization

Split n messages into n/B buckets of size B
» Each bucket is authenticated separately

Complexity
» Number of MAC tags: n/B
» Time to verify a single message: B

Tradeoff:
» The product of the size and time is essentially n
» Can set B = n and have a single tag (like above)
» Can set B = 1 and aggregate by just concatenating
» Can set B = √n and have size = time = √n
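The bucket trade-off in runnable form, as an added example (the editor's code, not the paper's). It assumes a single shared key with the message index bound into the MAC input, so every (index, message) pair inside a bucket is distinct and the XOR-cancellation concern does not arise; the bucket size B is a parameter, and the messages are constructed.

```python
# Added example (editor's code, not from the paper): bucketed aggregate MACs.
# Assumptions: one key, message index bound into the MAC input (4-byte ids),
# bucket size B chosen by the verifier's needs. Messages are constructed.
import hashlib
import hmac
import math

TAG_LEN = hashlib.sha256().digest_size


def mac(key: bytes, index: int, msg: bytes) -> bytes:
    """Underlying deterministic MAC over the pair (index, msg)."""
    return hmac.new(key, index.to_bytes(4, "big") + msg, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bucket_tag(key: bytes, msgs, start: int, B: int) -> tuple:
    """XOR-aggregate of the MACs of msgs[start:start+B].

    Also returns how many MACs were computed, which is the verification
    time the slide counts.
    """
    acc = bytes(TAG_LEN)
    n = 0
    for j in range(start, min(start + B, len(msgs))):
        acc = xor_bytes(acc, mac(key, j, msgs[j]))
        n += 1
    return acc, n


def bucketed_tags(key: bytes, msgs, B: int) -> list:
    """Sender side: ceil(n/B) aggregate tags, one per bucket of B messages."""
    return [bucket_tag(key, msgs, s, B)[0] for s in range(0, len(msgs), B)]


def verify_one(key: bytes, msgs, tags, B: int, j: int) -> tuple:
    """Random-access check of message j: recompute only its own bucket.

    Returns (accepted, macs_recomputed). The second value is B for a full
    bucket rather than n, which is the whole point of bucketing.
    """
    b = j // B
    acc, n = bucket_tag(key, msgs, b * B, B)
    return hmac.compare_digest(acc, tags[b]), n


def tradeoff(n: int, B: int) -> tuple:
    """(number of tags, time to verify one message, their product) for n messages."""
    size = math.ceil(n / B)
    time = min(B, n)
    return size, time, size * time


if __name__ == "__main__":
    key = b"\x07" * 32                                   # constructed key
    msgs = [b"reading-%d" % i for i in range(16)]        # constructed messages
    for B in (16, 1, 4):
        print(B, tradeoff(16, B))
    tags = bucketed_tags(key, msgs, 4)
    print(verify_one(key, msgs, tags, 4, 5))
```

With n = 16, B = 16 gives one tag and 16 MAC computations per check, B = 1 gives 16 tags and one computation, and B = 4 = √n gives four tags and four computations; in every case the product is 16, matching the slide's "size × time ≈ n".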

Page 15

A Lower Bound

Can we do better than this tradeoff? We prove that:
» If verification can be carried out in constant or logarithmic time (measured as a function of the number of messages)
» Then the length of the aggregate MAC tag must be at least n, i.e., linear in the number of messages

This proves that it is impossible to achieve constant (or logarithmic) time and short tags

Page 16

The Proof Idea

Assume that verification can be carried out in logarithmic time

Let x = x_1…x_n be an n-bit string
» Code x into n messages where m_i = (i, x_i)
» Example: for x = 1100 the coding is m_1 = (1,1), m_2 = (2,1), m_3 = (3,0), m_4 = (4,0)
» Apply the aggregate MAC to m_1,…,m_n and let t be the tag

Claim: x can be reconstructed given t alone

Page 17

The Proof Idea (continued)

Reconstructing x from t:
» Guess m_1 = (1,0)
» Run the MAC verification algorithm on message m_1 and tag t
  If the verification algorithm wishes to read m_i for some i, branch and run it twice:
    once with m_i = (i,0)
    once with m_i = (i,1)
  If the MAC verification algorithm accepts in any branch, then take x_1 = 0
  If it rejects in all branches, then take x_1 = 1
» Repeat for m_2,…,m_n to obtain x = x_1…x_n

Page 18

The Proof Idea (continued)

Claim 1: the correct x is reconstructed
» Otherwise, the algorithm found a message m_i = (i, z_i) and a valid MAC tag for it
» But this is a successful forgery because the MAC was computed upon (i, x_i) and x_i ≠ z_i
» Contradiction!

Page 19

The Proof Idea (continued)

Claim 2: the reconstruction algorithm is efficient
» Only a logarithmic number of messages are read by the reconstruction algorithm each time
» Each such message causes a branch
» There are therefore 2^(log n) = n different branches, which is linear in the length of x

Page 20

Completing the Proof

We have seen that x can be reconstructed from t

But it is impossible to compress all n-bit strings into fewer than n bits
» The formal proof is based on communication complexity (this makes it easier to deal with probabilistic arguments)

Therefore the length of the tag t must be at least n

Page 21

Summary

We provide the first formal treatment of aggregate MACs
» These can be very useful for sensor networks where power optimizations are essential
» However, they have even wider applicability

We provide a simple construction with extremely high efficiency

Our lower bound shows optimality to some extent
» It is still open whether the product of time and size can be made lower than n when the time is super-logarithmic

Page 22

Legal Notice

© Copyright 2007 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents www.aladdin.com/patents; other patents pending.

You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin.

Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.