Aggregate Message Authentication Codes
Jonathan Katz
Dept. of Computer Science
University of Maryland, USA
jkatz@cs.umd.edu
Yehuda Lindell
Dept. of Computer Science
Bar-Ilan University, Israel
lindell@cs.biu.ac.il
Abstract
We propose and investigate the notion of aggregate message authentication codes (MACs)
which have the prope rty that multiple MAC tags, computed by (po ssibly) different senders on
multiple (possibly different) messages, can be aggregated into a shorter tag that can still be
verified by a recipient who shares a distinct key with each sender. We suggest aggregate MACs
as an appropriate tool for authenticated communication in mobile a d-hoc networks or other
settings where resource-cons trained devices share distinct keys with a single entity (such as a
base station), and communication is an expensive r e source.
1 Introduction
Aggregate signatures, intr oduced by Boneh et al. [5, 14], allow t distinct signatures by t (possibly
different) signers on t (possibly different) messages to be aggregated into a shorter signature that
still s uffices to convince a verifier that each signer did indeed sign the appropr iate message. Since
their introduction, various aggregate signature schemes have been proposed [12, 11, 8, 4]. No formal
attention has yet been dedicated to the private-key analogue of aggregate signatures: aggregate
message authentication codes (MACs). In this paper, we initiate a formal s tudy of this primitive.
One reason for the r elative lack of attention focused on aggregate MAC s may be the (incorrect)
perception that they are of limited value. Indeed, the applications suggested in [5] — such as
compressing certificate chains, or redu cing the message size in secure routing protocols — are
all specific to the pub lic-key (rather than the private-key) setting. Nevertheless, we suggest that
aggregate MACs can be useful in specific domains. As perhaps the most compelling example,
consider the problem of authenticated communication in a mobile ad-hoc network (MANET),
where commun ication is considered an “expensive” resource because of its effect on the battery life
of the nodes. Here, there is a collection of t nodes U
1
, . . . , U
t
, each of whom is interested in sending
messages to a base station B. We assume that the b ase station s hares in advance a key k
i
with each
node U
i
, and that node U
i
authenticates any outgoing message m
i
by computing tag
i
= Mac
k
i
(m
i
).
Most nodes cannot communicate directly with the base station du e to the limited range of their
wireless devices, and so all communication is instead routed among the nodes themselves until it
reaches the base station. For simplicity in this example, let us assume that nodes are arranged
in a (logical) binary tree so that each node U
i
at a leaf sends (m
i
, tag
i
) to its parent, and each
internal node U
j
forwards to its own parent all the communication from its children in addition
to (m
j
, tag
j
). The root U
∗
in this example is the only node that is able to communicate d irectly
with the base station, and it forwards to the base station the communication from all nodes in the
network along with its own contribution (m
∗
, tag
∗
).
1
The messages themselves may be very short — corresponding, e.g., to temperature readings or
even just an indicator bit. For concreteness, say messages are 16 bits long. (Replay attacks can
be addressed by usin g a counter shared by the base station and all the nodes; this counter would
be authenticated by each node along with the message, bu t would not need to be transmitted and
so does not affect the communication complexity in the calculation that follows.) Furthermore,
assume the length of a MAC tag is 160 bits (e.g., if HMAC is used), and take t = 10
4
. The
communication from the root node alone to the base station is then (160 + 16) ·t = 1.76 ×10
6
bits,
while the total communication in the network is (roughly) (160 + 16) · (t log t) ≈ 2.3 ×10
7
bits.
The above description assumes MACs used in the standard fashion, meaning that all MAC
tags are transmitted together with the messages. If an aggregate MAC were available, however,
then each node U
j
would be able to combine its own MAC tag with those of its children. Say
this aggregation can be perform ed while maintaining the MAC tag length, even of aggregated tags,
at 160 bits. (Our construction will achieve this.) T he communication from the root to the base
station will n ow be only 160 + 16t ≈ 1.6 × 10
5
bits, and the total communication in the network
will be improved to roughly 16(t log t) + 160t ≈ 3.7 × 10
6
bits, for roughly an order of magnitude
improvement in each case.
Aggregate MACs could also be used to improve the communication complexity in schemes such
as those of [13] or [10] which deal with aggregation of data. We do not explore this further here, as
we view the use of such techniques as tangential to the main thrust of this paper.
1.1 Our Contributions
Motivated in part by s cenarios such as the above, we formally introduce the notion of aggregate
MACs and initiate the first detailed study of this primitive. After giving appropriate definitions,
we show a simp le and highly efficient construction of aggregate MACs based on a wide variety
of existing (standard) MACs. The existence of efficient aggregate MACs is somewhat surprising
since, in the setting of aggregate signatures, algebraic (i.e., number-theoretic) properties of the
underlying signature scheme are used to perf orm aggregation. In contrast, here we would like to
avoid number-theoretic constru ctions and base aggregate MACs on primitives like block ciphers
and hash functions that have limited algebraic structure.
Summarizing, we prove the f ollowing (informally stated) theorem:
Theorem If there exists a secure message authentication code, then there exists a secure aggregate
message authentication code with complexity as follows:
• Aggregate MAC tag length: the same as for the basic MAC scheme
• Computation of a MAC tag in the aggregate scheme: the same as for the basic MAC
scheme
• Computation of MAC tag aggregation: linear in the number of tags to be aggregated
• Verification of aggregated MAC tags: linear in the number of tags to be verified.
As can be seen from above, the complexity of our aggregate construction is essentially the same
as for a regular MAC scheme. This m ay be somewhat surprising since in the public-key setting
of aggregate signatures, it is significantly harder to obtain secure aggregation. The reason for this
will become clear after seeing our construction in Section 3.
2
Verifying individual messages. Our aggregate scheme wor ks very well when the receiver wishes
to verify the authenticity of all the aggregated messages. However, if the receiver wishes to verify
only one or a few messages, it mu s t still ver ify them all. In Section 4, we explore a variant of
our main construction that offers a trade-off between the length of an aggregate tag and the time
required to verify individual messages. We also prove a lower bound showing that if constant or
logarithmic-time verification of individual messages is desired, then the aggregated tag length must
be linear in the total number of messages whose tags are aggregated (and so the trivial approach
of concatenating individual tags is optimal up to a multiplicative factor).
1.2 Related Work
Subsequent to our work, we became aware of two other recent papers [6, 3] that, inter alia, use
what are essentially aggregate MACs (and, in fact, use essentially the same construction we show
in Section 3). The key additional contributions of our work are: (1) we provide a formal definition
of the problem and a proof of security for our construction; (2) we suggest extensions of the
construction offering the time/length trade-off discussed above; and (3) we show a lower bound on
the r equ ired tag length when fast verification of individual messages is r equired.
Following our work, Eikemeier et al. [7] have explored the notion of history freeness for aggre-
gate MACs.
2 Definitions
Our definitions are based on those given in [5, 14] for aggregate signatures. Rather than exploring
num erous possible special cases of the definitions, we make our definitions as general as possible
(and our construction will ach ieve these definitions). We begin with a functional definition. The
security parameter, which d etermines the length of the key, will be denoted by n.
Definition 1 An aggregate message-authentication code (MAC) is a tuple of probabilistic polynomial-
time algorithms (Mac, Agg, Vrfy) such that:
• Authentication algorithm Mac: upon input a key k ∈ {0, 1}
n
and a message m ∈ {0, 1}
∗
,
algorithm Mac outputs a tag tag. We denote this procedure by tag ← Mac
k
(m).
• Aggregation algorithm Agg: upon input two sets of message/identifier
1
pairs M
1
=
{(m
1
1
, id
1
1
), . . ., (m
1
ℓ
1
, id
1
ℓ
1
}, M
2
= {(m
2
1
, id
2
1
), . . . , (m
2
ℓ
2
, id
2
ℓ
2
)} an d associated tags tag
1
, tag
2
,
algorithm Agg outputs a new tag tag. We stress that this algorithm is unkeyed.
• Verification algorithm Vrfy: upon receiving a set of key/identifier pairs {(k
1
, id
1
), . . .,
(k
t
, id
t
)}, a set of message/identifier pairs M = {(m
1
, id
′
1
), . . ., (m
ℓ
, id
′
ℓ
)}, and a tag tag,
algorithm Vrfy outp uts a single bit, with ‘1’ denoting acceptance and ‘0’ denoting rejection.
We denote th is by Vrfy
(k
1
,id
1
),...,(k
n
,id
t
)
(M, tag). (In normal usage, id
′
i
∈ {id
1
, . . . , id
t
} for all i.)
The following cor rectness conditions are required to hold:
• For all k, id, m ∈ {0, 1}
∗
, it holds that Vrfy
k,id
((m, id), Mac
k
(m)) = 1. (This is essentially the
correctness condition for standard MACs.)
• Let M
1
, M
2
be sets of message/identifier pairs with
2
M
1
∩ M
2
= ∅. If :
1
We discuss the role of the identifiers below.
2
This technical condition ensures that the same message/identifier pair does not appear in both M
1
and M
2
.
3
1. Vrfy
(k
1
,id
1
),...,(k
t
,id
t
)
(M
1
, tag
1
) = 1, and
2. Vrfy
(k
1
,id
1
),...,(k
t
,id
t
)
(M
2
, tag
2
) = 1,
then Vrfy
(k
1
,id
1
),...,(k
n
,id
n
)
(M, Agg(M
1
, M
2
, tag
1
, tag
2
)) = 1, where M = M
1
∪ M
2
. Thus,
aggregation of MAC tags preserves correct verification.
The use of identifi ers provides a way to differentiate between different senders; in order to know
which secret key to use for verification, the receiver needs to know which message is associated
with which sender. (Thus enforcing M
1
∩ M
2
= ∅ in the second correctness condition just means
that aggregation is not applied if the same sen der authenticated th e same message tw ice.) Identi-
fiers are not needed in the setting of aggregate signatures where each sender is associated w ith a
unique public key which, in effect, serves as an identifier. For simplicity in w hat follows, we write
Vrfy
k
1
,...,k
t
(·, ·) for the verification algorithm , and we sometimes find it convenient to set id
i
= i
(this h as no effect on our results).
An aggregate MAC can be used as follows. A receiver R who wants to receive authenticated
messages from t senders begins by sharing uniform keys k
1
, . . . , k
t
∈ {0, 1}
n
with each sender (i.e.,
key k
i
is shared with the sender with identity id
i
). When sen der id
i
wishes to authenticate a message
m
i
, it simply computes tag
i
← Mac
k
i
(m
i
). Given a tag computed in this way, and a second tag
tag
j
computed by send er id
j
on the message m
j
, these two tags can be aggregated by computing
the value tag ← Agg({(m
i
, id
i
)}, {(m
j
, id
j
)}, tag
i
, tag
j
). Given the result tag, the receiver can check
that sender id
i
authenticated m
i
and that sender id
j
authenticated m
j
by computing
Vrfy
k
i
,k
j
{(m
i
, id
i
), (m
j
, id
j
)}, tag
and verifying that the output is 1. Note that we do not assume id
i
6= id
j
but, as per footnote 2, we
do assume (m
i
, id
i
) 6= (m
j
, id
j
).
As in the case of aggregate signatures, our definition of security correspond s to existential un-
forgeability under an adaptive chosen-message attack [9]. Because we are in the shared-key setting,
however, there are some technical differences between our definition and the s ecur ity d efi nition for
aggregate signatures. In particular, we consider an adversary who may adaptively corrupt various
senders and learn their secret keys, and require security to hold also in such a setting.
Definition 2 Let A be an adversary, and consider the following experiment parameter ized by a
security parameter n:
• Key generation: Keys k
1
, . . . , k
t
∈ {0, 1}
n
are generated.
• Attack phase: A may query the following oracles:
– Message-authentication oracle Mac: On input (i, m), the oracle returns Mac
k
i
(m).
– Corruption oracle Corrupt: upon input i, the oracle return s k
i
.
• Output: T he adversary A outputs a set of message/identifier pairs M = {(m
1
, id
1
), . . . , (m
ℓ
, id
ℓ
)}
and a tag tag. All the pairs in M are required to be distinct.
• Success determination: We say A succeeds if (1) Vrfy
k
1
,...,k
t
(M, tag) = 1 and (2) there
exists a pair (m
i
∗
, id
i
∗
) ∈ M such that
4
1. A never queried Corrupt(id
i
∗
), and
2. A never queried Mac(id
i
∗
, m
i
∗
).
Aggregate MAC (Mac, Agg, Vrfy) is secure if for all t = poly(n) and all probabilistic polynomial-time
adversaries A, the pr obab ility that A succeeds in the above experiment is negligible.
We d o not consider verifi cation queries even though, in general, they may give th e adversary
additional power [1]. This is justified by the fact that our eventual construction satisfies the
conditions stated in [1] for which verifi cation queries do not give any additional power. (Of course,
they prove this only for standard MACs but it is easy to see that their proof carries over to our
setting as well.) Note also that we need not allow “aggregate” queries in the above definition, since
the aggregation algorithm Agg is u nkeyed.
3 Constructing Aggregate MACs
In this section, we show that aggregate MACs can be constructed from essentially any standard
message authentication code. We begin by illustrating the idea using as a bu ilding block th e simple
(standard) message authentication code constructed from a pseudorandom function F with outpu t
length n as follows: Mac
k
(m) = F
k
(m). In this case, given tags tag
1
, . . . , tag
ℓ
associated with
message/identifier pairs (m
i
, i), respectively, we can aggregate these tags by simply computing the
XOR of all the tag values; i.e.,
tag = tag
1
⊕ tag
2
⊕ ··· ⊕ tag
ℓ
.
(For simplicity, we consider identifiers 1, . . . , ℓ above. However , as we will see in the formal descrip-
tion below, these identifiers need not be distinct.) Verification is carried out in the obvious way:
given a set of message/identifier pairs M = {(m
1
, 1), . . . , (m
ℓ
, ℓ)} and tag, the receiver outputs 1 if
and only if
tag =
ℓ
M
i=1
F
k
i
(m
i
).
As for the security of this scheme, we may argue informally as follows: say an adversary outputs
{(m
1
, id
′
1
), . . . , (m
ℓ
, id
′
ℓ
)} and tag such that there exists an i for which A did not query either
Corrupt(id
′
i
) or Mac(id
′
i
, m
i
). Let i
∗
= id
′
i
. Then, from th e point of view of the adversary, the value
F
k
i
∗
(m
i
) looks random. Since XORing a random(-looking) value with any other (uncorrelated)
strings yields a random(-looking) string, we see that the value
L
ℓ
i=1
F
k
id
′
i
(m
i
) computed by the
receiver also looks random to the adversary, and cannot be guessed by the adversary with probability
much better than 2
−n
. We conclude that tag is a valid forgery with p robability only negligibly better
than 2
−n
, and so the adversary cannot output a valid forgery except with negligible probability.
Extending the above ideas, we may realize that the proof does not require the individual MAC
tag F
k
i
∗
(m
i
) to be pseudorandom, but instead only requires that it be unpredictable. But this holds
for any secure (standard) MAC, by the definition of security for MACs. Thus, as far as security
is concerned, the above approach works for any underlying MAC. On the other hand, verification
in the aggregate MAC requires that verification in the und erlying MAC be done by re-computing
the MAC tag and checking equality with what is received. (I.e., Vrfy
k
(m, tag) outputs 1 if and
only if Mac
k
(m) = tag.) We may assume, without loss of gen erality, that verification is done
5