1 Aggregate Message-Authentication Codes. Jonathan Katz (University of Maryland), Andrew Lindell (Aladdin Knowledge Systems and Bar-Ilan University). 04/08/08, CRYP-108

2 Message Authentication Codes
• Message authentication codes, or MACs, are the private-key (symmetric) analogue of digital signatures
» Two parties, Alice and Bob, share a secret key K
» Given a message m and the key K, Alice computes a MAC tag t = MAC_K(m) and sends (m, t) to Bob
» Bob verifies that t = MAC_K(m) and, if so, accepts the message as legitimate (i.e., sent by Alice)
» Security: as for signatures
[Figure: Alice and Bob, both holding K, exchange the message and its MAC tag]

3 Security of Message Authentication Codes
• Existential unforgeability against chosen-message attacks
» The adversary can ask for a MAC tag on any message it wishes
» At some stage, the adversary outputs a pair (m, t)
» It succeeds if 1) t is a valid MAC tag on m, i.e., t = MAC_K(m), and 2) the adversary never received a MAC tag on m
• Popular MACs: HMAC, CBC-MAC, …

4 MAC Aggregation
• Consider the case where many messages are MAC-tagged and sent
» The overhead due to the MAC tags can be large
» E.g., for HMAC-SHA1, 160 bits of overhead per message
• The aim:
» Aggregate the tags into something smaller
» Note: MAC aggregation must take place without knowledge of the secret key
  - Otherwise, one could just view all the messages as one and recompute a single MAC tag

5 Motivation – Sensor Networks
• Many sensors with weak processing power need to communicate with a base station
» The sensors are arranged in a network that leads to the base station, and each sensor communicates only with its neighbors
» The base station shares a secret key with each node, and messages from nodes are authenticated
• Authentication is needed for security-sensitive applications

6 A Sensor Network Without Aggregation
• Consider a sensor network as follows
» There are t nodes that must transmit to a base station
• Arrange the nodes in a binary tree
» Only the leaf nodes transmit messages
» Each message is 16 bits long, and HMAC-SHA1 (160-bit tags) is used
• Communication
» Distance from a leaf node to the root is log t
» Communication due to each leaf is (16 + 160) × log t bits
» Overall, we have (16 + 160) × 2t log t bits
  - For t = 10^4: 4.6 × 10^7 bits transmitted
» The root node transmits (16 + 160) × t bits to the base station

7 A Sensor Network With Aggregation
• Take the same sensor network and assume that internal nodes can aggregate the MAC tags from their child nodes into a single tag
• Communication
» Distance from a leaf node to the root is log t
» Communication due to each leaf is 16 × log t bits plus MAC overhead
» Overall, we have 16 × 2t log t + 160 × t bits
  - For t = 10^4: 5.7 × 10^6 bits transmitted (almost a tenth)
» The root node transmits 16 × t + 160 bits to the base station, less than a tenth
• Each node transmits on average a tenth

8 Related Work
• Aggregate signatures
» Motivated by compressing signature chains and reducing message size in routing protocols
» Much work (see the paper for references)
» Solutions rely on specific algebraic properties and come at some cost
• This is the first work to consider aggregate message authentication codes

9 Our Results
• Formal definitions
» See the paper
• A simple aggregate MAC scheme
» With a formal proof under our definition
• A lower bound

10 A Simple & Efficient Aggregate MAC Scheme
• Let MAC be a deterministic message authentication code
• The aggregate scheme MAC*
» Tags are computed exactly as in the underlying MAC
  - MAC*_K(m) = MAC_K(m)
» Aggregation is carried out by just XORing
  - Given (m_1, tag_1), …, (m_n, tag_n), the aggregate tag on m_1, …, m_n is $\mathrm{tag} = \bigoplus_{i=1}^{n} \mathrm{tag}_i$
» Verification is carried out by recomputing all the tags and comparing their XOR with the aggregate tag

11 Intuition – Security
• If an adversary can forge an aggregate MAC, then it must be able to forge the underlying MAC
» The use of XOR means that a forgery for the underlying MAC can be extracted from the aggregate forgery
» For details of the reduction, see the paper

12 Properties of Our Construction
• MAC computation is identical to the original scheme
• Tag aggregation is linear
» It just requires a basic XOR operation
• The size of the aggregate tag is minimal
» A single MAC tag suffices for any number of messages
• Aggregate verification of n messages takes the same time as verifying n messages in the basic scheme
• Another advantage
» The construction is simple and can use widely deployed MAC schemes such as HMAC, CBC-MAC and so on

13 A Caveat
• In our sensor network example, the base station needs to verify the MAC on all messages
• What about applications where only one or some of the messages need to be authenticated at any given time?
» Our solution still requires the verifier to recompute all the MAC tags
• Is it possible to achieve random access?

14 A Simple Optimization
• Split the n messages into n/B buckets of size B
» Each bucket is authenticated separately
• Complexity
» Number of MAC tags: n/B
» Time to verify a single message: B
• Tradeoff:
» The product of size and time is essentially n
» Can set B = n and have a single tag (as above)
» Can set B = 1 and aggregate by just concatenating
» Can set B = √n and have size = time = √n
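The construction of slide 10 and the bucketing tradeoff of slide 14, as an added worked example (this is not code from the paper or the presentation). It assumes HMAC-SHA256 as the underlying deterministic MAC, one key per sensor node held by the base station (as in slide 5), and that each message is the pair (node id, 16-bit reading); the node id is fed into the MAC input so that a tag from one node cannot be presented under another identity. The tamper check illustrates the claim of slide 11: altering any one message changes exactly one of the XORed tags, so the aggregate no longer verifies.

```python
import hashlib
import hmac
import secrets
from functools import reduce
from typing import Dict, List, Sequence, Tuple

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

# A message from sensor i is the pair (i, payload); the base station holds one key per sensor.
Message = Tuple[int, bytes]
KeyTable = Dict[int, bytes]


def mac(key: bytes, msg: Message) -> bytes:
    """Underlying deterministic MAC. HMAC-SHA256 is an assumption of this example; the
    slides allow any deterministic MAC. The node id is bound into the MAC input so that a
    tag computed by node i cannot be passed off as a tag from node j."""
    node_id, payload = msg
    return hmac.new(key, node_id.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def tags_for(keys: KeyTable, msgs: Sequence[Message]) -> List[bytes]:
    """MAC*_K(m) = MAC_K(m): tags are computed exactly as in the underlying scheme."""
    return [mac(keys[node_id], (node_id, payload)) for node_id, payload in msgs]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aggregate(tags: Sequence[bytes]) -> bytes:
    """Aggregation is just XOR. It needs no key, so any intermediate sensor can fold the
    tags of its children into one TAG_LEN-byte tag, however many messages it carries."""
    return reduce(xor_bytes, tags, bytes(TAG_LEN))


def verify(keys: KeyTable, msgs: Sequence[Message], agg_tag: bytes) -> bool:
    """Verification recomputes every tag and checks the XOR: n MAC evaluations for n messages."""
    return hmac.compare_digest(aggregate(tags_for(keys, msgs)), agg_tag)


def bucket_tags(keys: KeyTable, msgs: Sequence[Message], bucket_size: int) -> List[bytes]:
    """Slide 14 tradeoff: n/B aggregate tags, one per bucket of B consecutive messages.
    B = n gives the single tag above; B = 1 gives plain concatenation of the tags."""
    return [aggregate(tags_for(keys, msgs[start:start + bucket_size]))
            for start in range(0, len(msgs), bucket_size)]


def verify_one(keys: KeyTable, msgs: Sequence[Message], tags: Sequence[bytes],
               bucket_size: int, index: int) -> Tuple[bool, int]:
    """Random-access check of msgs[index]: only its own bucket is recomputed.
    Returns (accepted, number of MAC evaluations performed) so the cost is visible."""
    b = index // bucket_size
    bucket = msgs[b * bucket_size:(b + 1) * bucket_size]
    return hmac.compare_digest(aggregate(tags_for(keys, bucket)), tags[b]), len(bucket)


def demo(n: int = 16, bucket_size: int = 4) -> Tuple[int, int, bool]:
    """Constructed input: n sensors sending 16-bit readings (as on slide 6), random per-node keys."""
    keys = {i: secrets.token_bytes(16) for i in range(n)}
    msgs = [(i, (1000 + i).to_bytes(2, "big")) for i in range(n)]

    single = aggregate(tags_for(keys, msgs))          # one 32-byte tag for all n messages
    assert verify(keys, msgs, single)
    tampered = list(msgs)
    tampered[3] = (3, b"\x00\x00")                    # one reading altered in transit
    assert not verify(keys, tampered, single)         # the whole batch is rejected

    tags = bucket_tags(keys, msgs, bucket_size)       # n/B tags ...
    accepted, work = verify_one(keys, msgs, tags, bucket_size, 9)  # ... B MACs per single check
    return len(tags), work, accepted


if __name__ == "__main__":
    print(demo())  # (4, 4, True)
```

Two consequences of XOR aggregation are worth keeping in mind when deploying it. First, verification is all-or-nothing: a single altered or missing reading rejects the whole batch, and the verifier learns nothing about which message was changed, which is exactly the random-access problem slide 13 raises and the buckets above trade against tag count. Second, XOR cancels identical tags, so the keys must differ per node (or, as here, the node id must be part of the MAC input) and the verifier should treat its input as a set of distinct (node, message) pairs rather than a multiset.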

15 A Lower Bound
• Can we do better than this tradeoff?
• We prove that:
» If verification can be carried out in constant or logarithmic time (measured as a function of the number of messages n)
» Then the length of the aggregate MAC tag must be at least linear in n
• This proves that it is impossible to achieve constant (or logarithmic) verification time together with short tags

16 The Proof Idea
• Assume that verification can be carried out in logarithmic time
• Let x = x_1 … x_n be an n-bit string
» Encode x as n messages, where m_i = (i, x_i)
» Example:
  - Message: x = 1100
  - Encoding: m_1 = (1, 1), m_2 = (2, 1), m_3 = (3, 0), m_4 = (4, 0)
» Apply the aggregate MAC to m_1, …, m_n and let t be the resulting tag
• Claim: x can be reconstructed given t alone

17 The Proof Idea (continued)
• Reconstructing x from t:
» Guess m_1 = (1, 0)
» Run the MAC verification algorithm on message m_1 and tag t
  - If the verification algorithm wishes to read m_i for some i, branch and run it twice
  - Once with m_i = (i, 0)
  - Once with m_i = (i, 1)
  - If the verification algorithm accepts in any branch, take x_1 = 0
  - If it rejects in all branches, take x_1 = 1
» Repeat for m_2, …, m_n to obtain x = x_1 … x_n

18 The Proof Idea (continued)
• Claim 1: the correct x is reconstructed
» Otherwise, the algorithm found a message m_i = (i, z_i) and a valid MAC tag for it
» But this is a successful forgery, because the MAC was computed on (i, x_i) and x_i ≠ z_i
» Contradiction!

19 The Proof Idea (continued)
• Claim 2: the reconstruction algorithm is efficient
» Only a logarithmic number of messages are read by the verification algorithm in each run
» Each such message causes a branch
» There are therefore 2^{log n} different branches, which is linear in the length of x

20 Completing the Proof
• We have seen that x can be reconstructed from t
• But it is impossible to compress all n-bit strings into fewer than n bits
» The formal proof is based on communication complexity (which makes it easier to deal with probabilistic arguments)
• Therefore the length of the tag t must be at least n

21 Summary
• We provide the first formal treatment of aggregate MACs
» These can be very useful for sensor networks, where power optimizations are essential
» However, they have even wider applicability
• We provide a simple construction with extremely high efficiency
• Our lower bound shows optimality to some extent
» It is still open whether the product of time and size can be made lower than n when the verification time is super-logarithmic

22 Legal Notice
© Copyright 2007 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents (www.aladdin.com/patents); other patents pending. You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin. Some of the information contained herein may be proprietary information of Aladdin or third parties, and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided "as is" without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.
