A Note on Aggregate MAC Schemes

Shoichi Hirose (1), Junji Shikata (2)
(1) University of Fukui, Japan
(2) Yokohama National University, Japan

13/11/2018, ASK 2018, Kolkata

S. Hirose (Univ. Fukui) A Note on Aggregate MAC Schemes ASK 2018 (13-16/11/2018) 1 / 33
Introduction

Message authentication code (MAC)
[Figure: the sender transmits (M_1, t_1), (M_2, t_2), ... with t_i = F_K(M_i); the receiver recomputes F_K(M_i) and checks t_i = F_K(M_i)?]

Aggregate MAC [Katz, Lindell 2008]
• Inspired by aggregate signature
• Generate an aggregate tag for multiple messages: T ← Aggregate((M_1, I_1, t_1), ..., (M_n, I_n, t_n))
• Check the validity of all messages in a single verification w.r.t. T
• Reduce the amount of storage and/or communication
Two Flavours of Aggregation

(Non-sequential) aggregation: the order does not matter
[Figure: (M_1, I_1, t_1), (M_2, I_2, t_2), ..., (M_n, I_n, t_n) are fed into Agg, which outputs T]
Often T ← Agg(t_1, t_2, ..., t_n)

Sequential aggregation: the order matters
[Figure: signers I_1, I_2, I_3 in a chain; I_1 outputs (M_1, I_1); T_1, I_2 outputs (M_1, I_1), (M_2, I_2); T_2, I_3 outputs (M_1, I_1), (M_2, I_2), (M_3, I_3); T_3]
Called history-free if T_j ← SeqAgg_{K_j}(M_j, I_j, T_{j-1})
Brief Overview

Topics of This Talk
• Application of non-adaptive group testing to aggregate MAC
• Sequential aggregate MAC

Related Work
• (Non-sequential) aggregate MAC
  • Katz, Lindell (2008)
• Sequential aggregate MAC
  • Eikemeier, Fischlin, et al. (2010)
• Forward-secure sequential aggregate MAC (for secure logging)
  • Schneier and Kelsey (1999)
  • Ma and Tsudik (2007)
  • Hirose and Kuwakado (2014)
Outline
1. Non-adaptive Group Testing Aggregate MAC
2. Sequential Aggregate MAC
Motivation

Aggregate MAC
• Generate an aggregate tag for multiple messages: T ← Aggregate((M_1, I_1, t_1), ..., (M_n, I_n, t_n))
• Check the validity of all messages in a single verification w.r.t. T
  • If valid, all messages are OK.
  • Otherwise, some are invalid, but we can't see which.

Problem: identify the invalid messages with fewer than n aggregate tags
Our solution: apply group testing to aggregate MAC

Two types of group testing
• Non-adaptive: all tests are chosen in advance
• Adaptive: a new test can be chosen after the result of the current test is known
Non-adaptive Group Testing

Specified by a binary matrix (group-testing matrix):

        s1  s2  s3  s4
test1    1   1   0   0
test2    1   0   1   0
test3    0   1   1   1

• s1, s2, s3, and s4 are samples.
• Each sample is either negative or positive.
• The result of a test is
  • negative ⇔ all the involved samples are negative
  • positive ⇔ some of the involved samples are positive
• Goal: identify the positive samples with (# of tests) < (# of samples)

Assumption: the number of positive samples is upper-bounded
d-disjunct GT Matrix

Definition (GT matrix G is d-disjunct)
For any (d+1) columns g_{j_1}, g_{j_2}, ..., g_{j_{d+1}}, there exists some i s.t.
• the i-th coordinate of g_{j_1} ∨ g_{j_2} ∨ ··· ∨ g_{j_d} is 0, and
• the i-th coordinate of g_{j_{d+1}} is 1.

d-disjunctness guarantees:
(# of positive samples) ≤ d ⇒ each negative sample is included in some test whose other samples are all negative

Non-adaptive group testing based on a d-disjunct GT matrix identifies all the positive samples if (# of them) ≤ d:
• All samples involved in negative tests are negative.
• All the remaining samples are positive.
Agenda
• Syntax
• Security requirements
  • Unforgeability
  • Identifiability: completeness and soundness
• Generic construction
• Two instantiations
• Analysis of provable security
Related Work

Aggregate MAC for multiple users [Katz-Lindell 08]
• Formalized the syntax and security requirement
• Proposed scheme: for (M_1, I_1), (M_2, I_2), ..., (M_n, I_n),
  • t_j = MAC(K_j, M_j)
  • the aggregate tag is T = t_1 ⊕ t_2 ⊕ ··· ⊕ t_n
• Proved the security

Application of group testing to MAC [Goodrich et al. 05], [Minematsu 15]
• Both of them assume a single-user setting
• Tag aggregation requires a secret key
Aggregate MAC: Syntax

Aggregate MAC (AM) consists of the following algorithms:
Key generation: K ← KG(1^p)
• p is a security parameter
Tagging: t ← Tag(K_I, M, I)
Aggregation: T ← Agg((M_1, I_1, t_1), ..., (M_n, I_n, t_n))
• Secret keys are not used
• Often T ← Agg(t_1, ..., t_n)
Verification: d ← Ver((K_1, ..., K_n), ((M_1, I_1), ..., (M_n, I_n)), T)
• The decision d is either ⊤ (valid) or ⊥ (invalid)
Aggregate MAC: Security Requirement

The security requirement is unforgeability.
An adversary A against AM is given access to the following oracles:
Tagging oracle (TO): receives (M, I) and returns the tag t ← Tag(K_I, M, I)
Corrupt oracle (CO): receives I and returns K_I
Verification oracle (VO): receives (((M_1, I_1), ..., (M_n, I_n)), T) and returns d ∈ {⊤, ⊥}

Adv^{uf}_{AM}(A) := Pr[A succeeds in forgery]
Adv^{uf}_{AM}(A) should be negligibly small for any efficient A

A succeeds in forgery if A asks Q = (((M_1, I_1), ..., (M_n, I_n)), T) to VO satisfying the following conditions:
• Q is judged valid
• For some j, A asks neither (M_j, I_j) to TO nor I_j to CO before Q
Group-Testing Aggregate (GTA) MAC

GTA MAC scheme using a u × n group-testing matrix:
Key generation: K ← KG(1^p)
Tagging: t ← Tag(K_I, M, I)
Group-testing aggregation: (T_1, ..., T_u) ← GTA((M_1, I_1, t_1), ..., (M_n, I_n, t_n))
• Secret keys are not used
• An aggregate tag is produced for each test
Group-testing verification: J ← GTV((K_1, ..., K_n), ((M_1, I_1), ..., (M_n, I_n)), (T_1, ..., T_u))
• J is the set of (M_j', I_j')'s judged invalid

Security requirements
• Unforgeability
• Identifiability
  • Completeness: GTV judges any valid (M, I, t) to be valid
  • Soundness: GTV judges any invalid (M, I, t) to be invalid
Unforgeability (1/2)

An adversary A against GTAM is given access to the oracles:
Tagging oracle (TO): receives (M, I) and returns t ← Tag(K_I, M, I)
Corrupt oracle (CO): receives I and returns K_I
Group-testing verification oracle (GTVO): receives (((M_1, I_1), ..., (M_n, I_n)), (T_1, ..., T_u)) and returns the set J of invalid (M_j, I_j)'s

The advantage of A against GTAM w.r.t. unforgeability:
Adv^{uf}_{GTAM}(A) := Pr[A succeeds in forgery]
Adv^{uf}_{GTAM}(A) should be negligibly small for any efficient A
Unforgeability (2/2)

A succeeds in forgery if A asks GTVO a query Q = (((M_1, I_1), ..., (M_n, I_n)), (T_1, ..., T_u)) such that there exists some (M_j, I_j) s.t.
• (M_j, I_j) is judged valid by GTVO
• A asks neither (M_j, I_j) to TO nor I_j to CO before asking Q
Identifiability: Completeness and Soundness

An adversary A is given access to the following oracles:
Tagging oracle (TO): receives (M, I) and returns t ← Tag(K_I, M, I)
Corrupt oracle (CO): receives I and returns K_I
Group-testing oracle (GTO): receives Q = ((M_1, I_1, t_1), ..., (M_n, I_n, t_n)), then
  1. applies group testing to Q
  2. returns the result

The advantage of A against GTAM w.r.t.
• completeness: Adv^{id-c}_{GTAM}(A) := Pr[GTO judges some valid (M_j, I_j, t_j) invalid]
• soundness: Adv^{id-s}_{GTAM}(A) := Pr[GTO judges some invalid (M_j, I_j, t_j) valid]
Both advantages should be negligibly small for any efficient A
Generic Construction

Generic GTA MAC using
• an aggregate MAC AM = (KG, Tag, Agg, Ver)
• a GT matrix G

Key generation: KG
Tagging: Tag
Group-testing aggregation: (T_1, ..., T_u) ← GTA(t_1, ..., t_n), one aggregate tag per row of G, e.g.

                         t1  t2  t3  t4
T_1 ← Agg(t_1, t_2)       1   1   0   0
T_2 ← Agg(t_1, t_3)       1   0   1   0
T_3 ← Agg(t_2, t_3, t_4)  0   1   1   1

Group-testing verification: for (((M_1, I_1), ..., (M_n, I_n)), (T_1, ..., T_u)),
  1. t'_j ← Tag(K_j, M_j, I_j) for 1 ≤ j ≤ n
  2. (T'_1, ..., T'_u) ← GTA(t'_1, ..., t'_n)
  3. For 1 ≤ i ≤ u, if T_i = T'_i, all the (M_j, I_j)'s involved in test i are valid
  4. The remaining (M_j, I_j)'s are invalid
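The d-disjunctness check from the definition above and the generic GTA MAC construction (Katz-Lindell XOR aggregation over HMAC-SHA256 tags, one aggregate tag per test, and the negative-test decoding of GTV), as an added example that is not code from the talk. The 4×6 matrix PAIR_G, the HMAC encoding, and the sample users and messages are constructed here.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Constructed 1-disjunct 4x6 GT matrix: the columns are the 2-subsets of the 4 tests
PAIR_G = [[int(i in p) for p in combinations(range(4), 2)] for i in range(4)]

def is_d_disjunct(G, d):
    # Slide definition: for any d+1 columns, some row has OR(first d) = 0 and the last = 1
    n = len(G[0])
    for j in range(n):  # j plays the role of g_{j_{d+1}}
        for others in combinations([k for k in range(n) if k != j], d):
            if not any(r[j] and not any(r[k] for k in others) for r in G):
                return False
    return True

def tag(key, msg, ident):
    # Tag(K_I, M, I): HMAC-SHA256 over the length-prefixed identity and the message
    data = len(ident).to_bytes(2, "big") + ident.encode() + msg
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_agg(tags):
    # Katz-Lindell aggregation T = t_1 xor ... xor t_n; no secret key involved
    out = bytes(32)
    for t in tags:
        out = bytes(a ^ b for a, b in zip(out, t))
    return out

def gta(G, tags):
    # Group-testing aggregation: one aggregate tag per test (row of G)
    return [xor_agg(t for j, t in enumerate(tags) if row[j]) for row in G]

def gtv(G, keys, items, T):
    # GTV: recompute tags, re-aggregate; everything in a matching test is valid, the rest is J
    T_prime = gta(G, [tag(keys[i], m, i) for m, i in items])
    valid = set()
    for row, a, b in zip(G, T, T_prime):
        if hmac.compare_digest(a, b):
            valid.update(j for j, bit in enumerate(row) if bit)
    return set(range(len(items))) - valid

def demo(tampered=(2,)):
    # Six users tag one message each; the verifier gets 4 aggregate tags instead of 6 (constructed data)
    idents = [f"user{j}" for j in range(6)]
    keys = {i: secrets.token_bytes(32) for i in idents}
    items = [(f"report {j}".encode(), i) for j, i in enumerate(idents)]
    T = gta(PAIR_G, [tag(keys[i], m, i) for m, i in items])
    received = [(m + b"!" if j in tampered else m, i) for j, (m, i) in enumerate(items)]
    return gtv(PAIR_G, keys, received, T)  # -> {2}
```

Because PAIR_G is only 1-disjunct, tampering with two messages (e.g. positions 0 and 5) turns every test positive and GTV reports all six messages as invalid: completeness is guaranteed only while the number of invalid messages stays within d.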