Aggregate message authentication codes
Summary
1 Introduction
- No formal attention has yet been dedicated to the private-key analogue of aggregate signatures: aggregate message authentication codes (MACs).
- Nevertheless, the authors suggest that aggregate MACs can be useful in specific domains.
- As perhaps the most compelling example, consider the problem of authenticated communication in a mobile ad-hoc network (MANET), where communication is considered an "expensive" resource because of its effect on the battery life of the nodes.
- If an aggregate MAC were available, however, then each node Uj would be able to combine its own MAC tag with those of its children.
1.1 Our Contributions
- Motivated in part by scenarios such as the above, the authors formally introduce the notion of aggregate MACs and initiate the first detailed study of this primitive.
- After giving appropriate definitions, the authors show a simple and highly efficient construction of aggregate MACs based on a wide variety of existing MACs.
- In contrast, here the authors would like to avoid number-theoretic constructions and base aggregate MACs on primitives like block ciphers and hash functions that have limited algebraic structure.
- Summarizing, the authors state their main result as an informal theorem.
- The authors also prove a lower bound showing that if constant or logarithmic-time verification of individual messages is desired, then the aggregated tag length must be linear in the total number of messages whose tags are aggregated (and so the trivial approach of concatenating individual tags is optimal up to a multiplicative factor).
2 Definitions
- The authors' definitions are based on those given in [5, 14] for aggregate signatures.
- The authors stress that the aggregation algorithm Agg is unkeyed.
- Identifiers are not needed in the setting of aggregate signatures where each sender is associated with a unique public key which, in effect, serves as an identifier.
- Attack phase: A may query oracles, among them a message-authentication oracle Mac.
- (Of course, they prove this only for standard MACs, but it is easy to see that their proof carries over to the authors' setting as well.)
3 Constructing Aggregate MACs
- The authors show that aggregate MACs can be constructed from essentially any standard message authentication code.
- Thus, as far as security is concerned, the above approach works for any underlying MAC.
- On the other hand, verification in the aggregate MAC requires that verification in the underlying MAC be done by re-computing the MAC tag and checking equality with what is received.
- (The Vrfy algorithm is ignored from now on since, as noted above, verification can be performed by simply re-running Mac.)
- The authors have the following construction: Construction 1 (Aggregate MAC Scheme) Let Mac be a deterministic algorithm.
- The proof follows easily from the following observations.
- The probability that F does not abort is exactly 1/t, which is inverse polynomial.
- The authors' construction of aggregate MACs is highly efficient.
- Consider the example of a mobile ad-hoc network as described in the introduction.
- If the nodes are arranged in a tree, then each node receives a set of messages together with a single tag from each of its children.
4 An Extension and a Lower Bound
- A limitation of the construction given in the previous section is that the receiver must re-compute the MAC tags on all ℓ messages whose tags have been aggregated.
- In such cases, the requirement to re-compute the MAC tags of all the messages is undesirable.
- The authors present a simple idea that offers a trade-off between the length of the aggregate tag and the time required to verify integrity of a single message.
- The authors' approach, described below, allows essentially anything in between.
- That is, the authors show that any aggregate MAC scheme that enables authentication in time O(log ℓ) must have a tag of length at least Ω(ℓ).
4.1 The Construction
- Before presenting their construction, the authors first describe the problem in a bit more detail.
- (The authors stress that each sender still holds only one key, the verifier still holds one key per sender, and the Mac* algorithm is unchanged. All that changes is the way aggregation and verification are performed.)
- The authors remark that the time required to verify all the messages is essentially the same as before.
- Achieving constant verification time for any single message using this approach would result in a tag of length linear in the number of messages being authenticated.
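An added illustration of Construction 1 (XOR aggregation of a deterministic MAC) together with the Section 4.1 bucketing trade-off; this is not code from the paper. HMAC-SHA256 stands in for the underlying MAC, the 4-byte identifier prefix, sender keys and messages are constructed, and the duplicate-pair check makes explicit that aggregation is over a set of distinct (identifier, message) pairs.

```python
import hmac
import hashlib

TAG_LEN = 32  # T = 256 bits for HMAC-SHA256


def mac(key, ident, msg):
    """Underlying deterministic MAC: HMAC-SHA256 over (identifier, message)."""
    return hmac.new(key, ident.to_bytes(4, "big") + msg, hashlib.sha256).digest()


def agg(tags):
    """Construction 1: the aggregate tag is the XOR of all tags (unkeyed, order-free)."""
    out = bytes(TAG_LEN)
    for t in tags:
        out = bytes(x ^ y for x, y in zip(out, t))
    return out


def vrfy(keys, pairs, tag):
    """Vrfy* recomputes each tag with the claimed sender's key and compares the XOR.
    Two equal tags cancel under XOR, so duplicate (id, m) pairs are rejected outright
    (the construction aggregates a set of distinct pairs; this check is added here)."""
    if len(set(pairs)) != len(pairs):
        return False
    expected = agg(mac(keys[i], i, m) for i, m in pairs)
    return hmac.compare_digest(expected, tag)


def agg_buckets(tags, l_prime):
    """Section 4.1 extension: run the base scheme per bucket of at most l_prime tags.
    The aggregate grows to ceil(l / l_prime) tags, but any one message is checked
    by recomputing at most l_prime individual tags."""
    return [agg(tags[s:s + l_prime]) for s in range(0, len(tags), l_prime)]


def vrfy_one(keys, pairs, bucket_tags, l_prime, idx):
    """Verify message idx by recomputing only the tags in its bucket."""
    b = idx // l_prime
    return vrfy(keys, pairs[b * l_prime:(b + 1) * l_prime], bucket_tags[b])


def demo(l_prime=2):
    # Constructed sample: three senders with fixed keys and five (id, message) pairs.
    keys = {i: hashlib.sha256(b"constructed-key-%d" % i).digest() for i in (1, 2, 3)}
    pairs = [(1, b"temp=21"), (2, b"temp=19"), (3, b"temp=22"), (1, b"hum=40"), (2, b"hum=45")]
    tags = [mac(keys[i], i, m) for i, m in pairs]
    full, buckets = agg(tags), agg_buckets(tags, l_prime)
    tampered = pairs[:2] + [(3, b"temp=99")] + pairs[3:]  # one message altered in transit
    return {
        "full_ok": vrfy(keys, pairs, full),
        "tamper_detected": not vrfy(keys, tampered, full),
        "dup_rejected": not vrfy(keys, pairs[:1] * 2, agg(tags[:1] * 2)),  # XOR would be all-zero
        "bucket_count": len(buckets),
        "one_ok": vrfy_one(keys, pairs, buckets, l_prime, 4),
        "one_tamper_detected": not vrfy_one(keys, tampered, buckets, l_prime, 2),
    }
```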
4.2 A Lower Bound
- This is rather disappointing and it would be highly desirable to improve this situation.
- In this section the authors show that the scheme presented above is essentially optimal.
- Before proceeding further, the authors observe that this does not contradict the positive result obtained above.
- Fix a secure aggregate MAC (Mac, Agg, Vrfy) with perfect correctness, and fix some ℓ = poly(n) ≥.
- The authors show how the aggregate MAC can be used to transmit an ℓ-bit message from one party to another, with low probability of error, by sending only T bits.
Frequently Asked Questions (17)
Q2. What could be used to improve the communication complexity in schemes such as those of [13] or [10]?
Aggregate MACs could also be used to improve the communication complexity in schemes such as those of [13] or [10] which deal with aggregation of data.
Q3. With what probability do the authors conclude that tag is a valid forgery?
The authors conclude that tag is a valid forgery with probability only negligibly better than 2^−n, and so the adversary cannot output a valid forgery except with negligible probability.
Q4. What is the main idea behind the introduction of aggregate signatures?
Aggregate signatures, introduced by Boneh et al. [5, 14], allow t distinct signatures by t (possibly different) signers on t (possibly different) messages to be aggregated into a shorter signature that still suffices to convince a verifier that each signer did indeed sign the appropriate message.
Q5. What is the probability of an error of this type?
Assume that, for infinitely many values of n, an error of this type occurs with probability p(n) ≥ 1/4 (where the probability is over choice of k and x).
Q6. How are keys associated with sender identifiers?
A receiver R who wants to receive authenticated messages from t senders begins by sharing uniform keys k1, . . . , kt ∈ {0, 1}n with each sender (i.e., key ki is shared with the sender with identity idi).
Q7. How many MAC tags must be re-computed to verify the authenticity of a single message?
To verify the authenticity of any particular message mi, the verifier need only re-compute MAC tags for (at most) ℓ′ messages in total.
Q8. What is the procedure for B to set x′i?
B’s procedure is such that B sets x′i = 0 iff there exists a subset of O(log ℓ) messages such that Vrfy accepts mi = 〈i〉‖0 relative to this subset.
Q9. How are multiple instances of the base aggregation scheme used?
Then run multiple instances of the “base aggregation scheme” from the previous section in parallel, but only aggregating at most ℓ′ messages/tags using any given instance.
Q10. What is the limitation of the construction of aggregate MACs?
A limitation of the construction given in the previous section is that the receiver must re-compute the (individual) MAC tags on all ℓ messages whose tags have been aggregated.
Q11. Why is the existence of efficient aggregate MACs surprising?
The existence of efficient aggregate MACs is somewhat surprising since, in the setting of aggregate signatures, algebraic (i.e., number-theoretic) properties of the underlying signature scheme are used to perform aggregation.
Q12. Why does the lower bound not contradict the positive result?
This is because the authors must have T = ω(log n) (otherwise an adversary can guess a valid MAC tag, in the underlying scheme, with non-negligible probability) and because ℓ, the number of aggregated MACs, can be at most polynomial in n (or else it does not make much sense to talk about security of the scheme).
Q13. How is the aggregate MAC used to transmit an ℓ-bit message?
The authors show how the aggregate MAC can be used to transmit an ℓ-bit message from one party to another, with low (constant) probability of error, by sending only T bits.
Q14. What is the most compelling example application of aggregate MACs?
As perhaps the most compelling example, consider the problem of authenticated communication in a mobile ad-hoc network (MANET), where communication is considered an “expensive” resource because of its effect on the battery life of the nodes.
Q15. What security guarantee does Construction 1 achieve?
As for security, the authors have: Theorem 1. If (Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack, then (Mac∗, Agg∗, Vrfy∗) given in Construction 1 is a secure aggregate message authentication code.
Q16. How are the individual tags aggregated?
In this case, given tags tag1, . . . , tagℓ associated with message/identifier pairs (mi, i), respectively, the authors can aggregate these tags by simply computing the XOR of all the tag values; i.e., tag = tag1 ⊕ tag2 ⊕ · · · ⊕ tagℓ.
Q17. What is the probability that A succeeds in the experiment?
Aggregate MAC (Mac,Agg,Vrfy) is secure if for all t = poly(n) and all probabilistic polynomial-time adversaries A, the probability that A succeeds in the above experiment is negligible.