Jonathan Katz, University of Maryland; Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University. 04/08/08, CRYP-108: Aggregate Message Authentication Codes.

Presentation transcript:

Jonathan Katz, University of Maryland; Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University. 04/08/08, CRYP-108: Aggregate Message Authentication Codes

Message Authentication Codes
• Message authentication codes, or MACs, are the private-key (symmetric) analogue of digital signatures
» Two parties Alice and Bob share a secret key K
» Given a message m and a key K, Alice computes a MAC tag t = MAC_K(m) and sends (m, t) to Bob
» Bob verifies that t = MAC_K(m) and, if yes, accepts the message as legitimate (i.e., sent by Alice)
» Security: as for signatures
[Figure: Alice sends (message, MAC tag) to Bob; both hold the shared key K]

Security of Message Authentication Codes
• Existential unforgeability against chosen-message attacks
» An adversary can ask for a MAC on any message it wishes
» At some stage, the adversary outputs a pair (m, t)
» It succeeds in its attack if 1) t is a valid MAC tag, i.e., t = MAC_K(m), and 2) the adversary did not receive a MAC on m
• Popular MACs: HMAC, CBC-MAC, …

MAC Aggregation
• Consider the case that many messages are MACed and sent
» The overhead due to the MAC tag can be large
» E.g., for HMAC-SHA1, 160 bits of overhead per message
• The aim:
» Aggregate the tags into something smaller
» Note: MAC aggregation must take place without knowledge of the secret key
   - Otherwise, one could just view all the messages as one and recompute a single MAC tag

Motivation – Sensor Networks
• Many sensors with weak processing power need to communicate with a base station
» The sensors are arranged in a network that leads to the base station, and each sensor communicates only with its neighbors
» The base station shares a secret key with each node, and messages from nodes are authenticated
• Authentication is needed for security-sensitive applications

A Sensor Network Without Aggregation
• Consider a sensor network as follows
» There are t nodes that must transmit to a base station
• Arrange nodes in a binary tree
» Only the leaf nodes transmit messages
» Each message is 16 bits long, and HMAC-SHA1 is used
• Communication
» Distance from leaf node to root is log t
» Communication due to each leaf is (16 + 160) · log t
» Overall, we have (16 + 160) · 2t log t
   - For t = 10^4: 4.6 × 10^7 bits transmitted
» Root node transmits (16 + 160) · t bits to base

A Sensor Network With Aggregation
• Take the same sensor network and assume that internal nodes can aggregate MAC tags from child nodes into a single tag
• Communication
» Distance from leaf node to root is log t
» Communication due to each leaf is 16 · log t plus MAC overhead
» Overall, we have 16 · 2t log t + 160 · t
   - For t = 10^4: 5.7 × 10^6 bits transmitted (almost a 10th)
» Root node transmits 16 · t + 160 bits to base, less than a 10th
• Each node transmits on average a 10th

Related Work
• Aggregate signatures
» Motivated by compressing signature chains and reducing the message size in routing protocols
» Much work (see paper for references)
» Solutions rely on specific algebraic properties and come at some cost
• This is the first work to consider aggregate message authentication codes

Our Results
• Formal definitions
» See the paper
• A simple aggregate MAC scheme
» With a formal proof under our definition
• A lower bound

A Simple & Efficient Aggregate MAC Scheme
• Let MAC be a deterministic message authentication code
• An aggregate scheme MAC*
» Tags are computed exactly as in the underlying MAC
   - MAC*_K(m) = MAC_K(m)
» Aggregation is carried out by just XORing
   - Given (m_1, tag_1), …, (m_n, tag_n), an aggregate tag on m_1, …, m_n is given by tag = ⊕_{i=1}^{n} tag_i = tag_1 ⊕ tag_2 ⊕ … ⊕ tag_n
» Verification is carried out by re-computing all tags

Intuition – Security
• If an adversary can forge an aggregate MAC, then it must be able to forge the underlying MAC
» The use of XOR means that the forgery for the underlying MAC can be extracted from the aggregate MAC
» For details of the reduction, see the paper

Properties of Our Construction
• MAC computation equal to original scheme
• Tag aggregation is linear
» Just requires a basic XOR operation
• Size of MAC tag is minimal
» A single MAC tag suffices for any number of messages
• Aggregate verification of n messages takes the same time as in the basic scheme
• Another advantage
» Construction is simple and can use widely deployed MAC schemes like HMAC, CBC-MAC and so on
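As an added example (not code from the paper or these slides), the XOR aggregate scheme MAC* run over the binary sensor tree of the earlier slides, with HMAC-SHA1 as the underlying MAC: leaves tag their readings, internal nodes aggregate without the key, and the base station verifies by recomputing all tags. The key, the readings and the function names are my own constructions.

```python
import hmac
import hashlib

KEY = b"constructed base-station key"  # assumption: shared by the base station and every sensor
TAGLEN = 20                            # HMAC-SHA1 tags are 160 bits = 20 bytes

def mac(key, m):
    """Underlying deterministic MAC (HMAC-SHA1, as in the slides' cost estimate)."""
    return hmac.new(key, m, hashlib.sha1).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def aggregate(tags):
    """MAC* aggregation: XOR the tags together. Needs no key, so any
    intermediate node can do it; the result is a single 160-bit tag."""
    agg = bytes(TAGLEN)
    for t in tags:
        agg = xor(agg, t)
    return agg

def verify_aggregate(key, msgs, agg):
    """Base station verifies by recomputing every tag (n MAC calls, as in the
    basic scheme) and comparing the XOR of them to the received aggregate."""
    expected = aggregate(mac(key, m) for m in msgs)
    return hmac.compare_digest(expected, agg)

def run_tree(key, leaf_msgs):
    """Simulate the binary sensor tree: leaves tag their 16-bit readings and
    each internal node forwards its children's messages plus one XORed tag.
    Assumes the number of leaves is a power of two."""
    level = [([m], mac(key, m)) for m in leaf_msgs]        # (messages, tag) per node
    while len(level) > 1:
        level = [(a[0] + b[0], aggregate([a[1], b[1]]))
                 for a, b in zip(level[0::2], level[1::2])]
    return level[0]  # the root sends all readings and a single 20-byte tag to the base

# Constructed sample: eight leaf sensors, each reporting a distinct 16-bit reading.
# Distinct messages matter: XOR cancels, so two identical (m, tag) pairs would vanish from the aggregate.
READINGS = [(1000 * i + 7).to_bytes(2, "big") for i in range(8)]
MSGS, AGG_TAG = run_tree(KEY, READINGS)

def demo():
    """Returns (genuine batch verifies, batch with one altered reading verifies)."""
    tampered = MSGS[:3] + [b"\xff\xff"] + MSGS[4:]   # one reading modified in transit
    return verify_aggregate(KEY, MSGS, AGG_TAG), verify_aggregate(KEY, tampered, AGG_TAG)
```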

A Caveat
• In our sensor network example, the base station needs to verify the MAC on all messages
• What about applications where only one or some of the messages need to be authenticated at any given time?
» Our solution still requires the verifier to re-compute all the MAC tags
• Is it possible to achieve random access?

A Simple Optimization
• Split n messages into n/B buckets of size B
» Each bucket is authenticated separately
• Complexity
» Number of MAC tags: n/B
» Time to verify a single message: B
• Tradeoff:
» The product of the size and time is essentially n
» Can set B = n and have a single tag (like above)
» Can set B = 1 and aggregate by just concatenating
» Can set B = √n and have size = time = √n

A Lower Bound
• Can we do better than this tradeoff?
• We prove that:
» If verification can be carried out in constant or logarithmic time (measured as a function of the number of messages)
» Then the length of the aggregate MAC tag must be at least n
• This proves that it is impossible to achieve constant (or logarithmic) time and short tags

The Proof Idea
• Assume that verification can be carried out in logarithmic time
• Let x = x_1 … x_n be an n-bit string
» Code x into n messages where m_i = (i, x_i)
» Example:
   - Message: x = 1100
   - Coding: m_1 = (1,1), m_2 = (2,1), m_3 = (3,0), m_4 = (4,0)
» Apply the aggregate MAC to m_1, …, m_n and let t be the tag
• Claim: x can be reconstructed given t alone

The Proof Idea (continued)
• Reconstructing x from t:
» Guess m_1 = (1,0)
» Run the MAC verification algorithm on message m_1 and tag t
   - If the verification algorithm wishes to read m_i for some i, branch and run it twice
      · Once with m_i = (i,0)
      · Once with m_i = (i,1)
   - If the MAC verification algorithm accepts in any branch, then take x_1 = 0
   - If it rejects in all branches, then take x_1 = 1
» Repeat for m_2, …, m_n to obtain x = x_1 … x_n

The Proof Idea (continued)
• Claim 1: the correct x is reconstructed
» Otherwise, the algorithm found a message m_i = (i, z_i) and a valid MAC tag for it
» But this is a successful forgery, because the MAC was computed on (i, x_i) and x_i ≠ z_i
» Contradiction!

The Proof Idea (continued)
• Claim 2: the reconstruction algorithm is efficient
» Only a logarithmic number of messages are read by the reconstruction algorithm each time
» Each such message causes a branch
» There are therefore 2^{log n} = n different branches, but this is linear in the length of x

Completing the Proof
• We have seen that x can be reconstructed from t
• But it is impossible to compress all n-bit strings into fewer than n bits
» The formal proof is based on communication complexity (which makes it easier to deal with probabilistic arguments)
• Therefore the length of the tag t must be at least n
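As an added example (my own code, not the paper's), the bucket scheme from the "Simple Optimization" slide together with the reconstruction procedure from the proof idea, using HMAC-SHA1 as the underlying MAC: verifying one message reads only its bucket, and the decoder guesses m_i = (i,0), runs the verifier, and branches on every message it tries to read. The decoder is given the key because it runs the keyed verification algorithm, as in the slides' argument; the key, the sample string and the names bucketed_tags, verify_single and reconstruct are assumptions of this example.

```python
import hmac
import hashlib

KEY = b"constructed demo key"  # assumption: key shared by tagger and verifier; the decoder runs the keyed verifier
TAGLEN = 20                    # HMAC-SHA1 tag, 160 bits

def mac(key, m):
    return hmac.new(key, m, hashlib.sha1).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def encode(i, bit):
    return f"{i},{bit}".encode()          # code bit x_i as the message m_i = (i, x_i)

def bucketed_tags(key, msgs, B):
    """Bucket scheme: n/B buckets of B messages, each XOR-aggregated into one tag
    (B = n is the single-tag scheme, B = 1 is plain concatenation)."""
    tags = []
    for start in range(0, len(msgs), B):
        agg = bytes(TAGLEN)
        for m in msgs[start:start + B]:
            agg = xor(agg, mac(key, m))
        tags.append(agg)
    return tags

def verify_single(key, n, B, tags, i, read):
    """Verify message i by recomputing only its bucket; the other members are fetched via read(j)."""
    start = (i // B) * B
    agg = bytes(TAGLEN)
    for j in range(start, min(start + B, n)):
        agg = xor(agg, mac(key, read(j)))
    return hmac.compare_digest(agg, tags[i // B])

def reconstruct(key, n, B, tags):
    """The slides' decoder: guess m_i = (i,0), run verification, and branch on
    (j,0)/(j,1) for every unknown m_j it reads; x_i = 0 iff some branch accepts."""
    def accepts(i, known):
        try:
            return verify_single(key, n, B, tags, i, lambda j: encode(j, known[j]))
        except KeyError as unread:        # verifier asked for a message we have not guessed yet
            j = unread.args[0]
            return accepts(i, {**known, j: 0}) or accepts(i, {**known, j: 1})
    return [0 if accepts(i, {i: 0}) else 1 for i in range(n)]

# Constructed sample: x = 11001011 coded as messages (i, x_i), buckets of size B = 2,
# so verifying one message reads one other message and the decoder explores 2 branches per bit.
X = [1, 1, 0, 0, 1, 0, 1, 1]
B = 2
TAGS = bucketed_tags(KEY, [encode(i, b) for i, b in enumerate(X)], B)
```

With B = 2 the four 20-byte tags let the decoder recover all eight bits of x; with B = n the same decoder still works but explores 2^(n-1) branches per bit, which is the time/size tradeoff the slides describe.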

Summary
• We provide the first formal treatment of aggregate MACs
» These can be very useful for sensor networks, where power optimizations are essential
» However, they have even wider applicability
• We provide a simple construction with extremely high efficiency
• Our lower bound shows optimality to some extent
» It is still open whether the product of time and size can be made lower than n when the time is super-logarithmic

Legal Notice
© Copyright 2007 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents other patents pending. You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin. Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.