
Slide 1: A Note on Aggregate MAC Schemes
Shoichi Hirose (1), Junji Shikata (2)
(1) University of Fukui, Japan; (2) Yokohama National University, Japan
13/11/2018, ASK 2018, Kolkata (13-16/11/2018). Slide footer throughout: S. Hirose (Univ. Fukui), A Note on Aggregate MAC Schemes, ASK 2018; 33 slides in total.



Slide 2: Introduction
Message authentication code (MAC)
  Sender computes $t_i = F_K(M_i)$ and sends $(M_1, t_1), (M_2, t_2), \ldots$; the receiver checks $t_i = F_K(M_i)$?
Aggregate MAC [Katz, Lindell 2008]
  • Inspired by aggregate signature
  • Generate an aggregate tag for multiple messages: $T \leftarrow \mathsf{Aggregate}((M_1, I_1, t_1), \ldots, (M_n, I_n, t_n))$
  • Check the validity of messages in a single verification w.r.t. $T$
  • Reduce the amount of storage and/or communication

Slide 3: Two Flavours of Aggregation
(Non-sequential) aggregation: the order does not matter
  $(M_1, I_1, t_1), (M_2, I_2, t_2), \ldots, (M_n, I_n, t_n) \rightarrow \mathsf{Agg} \rightarrow T$
  Often $T \leftarrow \mathsf{Agg}(t_1, t_2, \ldots, t_n)$
Sequential aggregation: the order matters
  Party $I_1$ outputs $(M_1, I_1); T_1$; party $I_2$ receives it and outputs $(M_1, I_1), (M_2, I_2); T_2$; party $I_3$ receives that and outputs $(M_1, I_1), (M_2, I_2), (M_3, I_3); T_3$
  Called history-free if $T_j \leftarrow \mathsf{SeqAgg}_{K_j}(M_j, I_j, T_{j-1})$

Slide 4: Brief Overview
Topics of this talk
  • Application of non-adaptive group testing to aggregate MAC
  • Sequential aggregate MAC
Related work
  • (Non-sequential) aggregate MAC: Katz, Lindell (2008)
  • Sequential aggregate MAC: Eikemeier, Fischlin, et al. (2010)
  • Forward-secure sequential aggregate MAC (for secure logging): Schneier and Kelsey (1999); Ma and Tsudik (2007); Hirose and Kuwakado (2014)

Slide 5: Outline
  1. Non-adaptive Group Testing Aggregate MAC
  2. Sequential Aggregate MAC

Slide 6: Motivation
Aggregate MAC
  • Generate an aggregate tag for multiple messages: $T \leftarrow \mathsf{Aggregate}((M_1, I_1, t_1), \ldots, (M_n, I_n, t_n))$
  • Check the validity of messages in a single verification w.r.t. $T$
  • If valid, all messages are OK.
  • Otherwise, some are invalid, but we can't see which.
Problem: identify the invalid messages with fewer than $n$ aggregate tags
Our solution: apply group testing to aggregate MAC
Two types of group testing
  • Non-adaptive: all tests are chosen in advance
  • Adaptive: a new test can be chosen after the current test

Slide 7: Non-adaptive Group Testing
Specified by a binary matrix (group-testing matrix):

             s1  s2  s3  s4
    test1     1   1   0   0
    test2     1   0   1   0
    test3     0   1   1   1

  • s1, s2, s3, and s4 are samples.
  • Each sample is either negative or positive.
  • The result of a test is
    • negative ⇔ all the involved samples are negative
    • positive ⇔ some of the involved samples are positive
  • Identify the positive samples with (# of tests) < (# of samples)
Assumption: the number of positive samples is upper-bounded

Slide 8: $d$-disjunct GT Matrix
Definition (GT matrix $G$ is $d$-disjunct): for any $d+1$ columns $g_{j_1}, g_{j_2}, \ldots, g_{j_{d+1}}$, there exists some $i$ s.t.
  • the $i$-th coordinate of $g_{j_1} \vee g_{j_2} \vee \cdots \vee g_{j_d}$ is 0, and
  • the $i$-th coordinate of $g_{j_{d+1}}$ is 1.
$d$-disjunctness guarantees: (# of positive samples) $\le d$ ⟹ each negative sample is included in at least one test whose samples are all negative
Non-adaptive group testing based on a $d$-disjunct GT matrix identifies all the positive samples if (# of them) $\le d$:
  • All samples involved in negative tests are negative.
  • All the remaining samples are positive.
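The following is an added example (not code from the slides or their authors) that checks the $d$-disjunct definition above by brute force and runs the two-step decoding rule. It uses the 3 x 4 matrix from the slides plus a constructed 4 x 6 matrix whose columns are all distinct weight-2 vectors; the names `is_d_disjunct`, `disjunctness`, `decode` and `identify` are this example's own.

```python
import itertools

# Group-testing matrix from the slides (rows are tests, columns are samples
# s1..s4; a 1 means the sample is pooled into that test).
G_SLIDE = [
    [1, 1, 0, 0],  # test1
    [1, 0, 1, 0],  # test2
    [0, 1, 1, 1],  # test3
]

# Constructed example: 4 tests for 6 samples, every column a distinct
# weight-2 vector, so no column is covered by another single column.
G_WEIGHT2 = [
    [1, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0],
    [0, 1, 0, 1, 0, 1],
    [0, 0, 1, 0, 1, 1],
]


def columns(G):
    """Columns of G as tuples (one per sample)."""
    return [tuple(row[j] for row in G) for j in range(len(G[0]))]


def is_d_disjunct(G, d):
    """Definition from the slides: for every choice of d+1 distinct columns
    g_1, ..., g_d, g_{d+1} there is a row i with (g_1 OR ... OR g_d)[i] == 0
    and g_{d+1}[i] == 1, i.e. no column is covered by the OR of d others."""
    cols = columns(G)
    rows = range(len(G))
    for target in range(len(cols)):
        others = [c for j, c in enumerate(cols) if j != target]
        for chosen in itertools.combinations(others, d):
            union = [any(c[i] for c in chosen) for i in rows]
            if not any(cols[target][i] == 1 and not union[i] for i in rows):
                return False
    return True


def disjunctness(G):
    """Largest d such that G is d-disjunct (d-disjunct implies (d-1)-disjunct,
    so the first failure ends the search). Returns -1 if some column is zero."""
    best = -1
    for d in range(len(G[0])):
        if not is_d_disjunct(G, d):
            break
        best = d
    return best


def run_tests(G, positives):
    """Outcome of every test: positive iff it pools at least one positive sample."""
    return [any(row[j] for j in positives) for row in G]


def decode(G, outcomes):
    """Non-adaptive decoding from the slides: every sample that appears in a
    negative test is negative; all remaining samples are declared positive."""
    n = len(G[0])
    negative = {j for i, row in enumerate(G) if not outcomes[i]
                for j in range(n) if row[j]}
    return sorted(set(range(n)) - negative)


def identify(G, positives):
    """Run the tests on the given true positives and decode the outcomes."""
    return decode(G, run_tests(G, positives))


if __name__ == "__main__":
    print("slide matrix is", disjunctness(G_SLIDE), "-disjunct")
    print("weight-2 matrix is", disjunctness(G_WEIGHT2), "-disjunct")
    print("one positive, weight-2 matrix:", identify(G_WEIGHT2, {3}))
    print("two positives, weight-2 matrix:", identify(G_WEIGHT2, {0, 1}))
```

Two things are worth observing when running it. The slide's 3 x 4 matrix is only 0-disjunct (column s4 is covered by s2 and by s3), so a single positive s3 is decoded as {s3, s4}. The constructed weight-2 matrix is 1-disjunct, so any single positive among six samples is identified with four tests, but two positives (beyond $d = 1$) produce a false positive; the decoding never misses a true positive, only over-reports, which is exactly the completeness/soundness split the later slides formalize.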

Slide 9: Agenda
  • Syntax
  • Security requirements
    • Unforgeability
    • Identifiability: completeness and soundness
  • Generic construction
  • Two instantiations
  • Analysis of provable security

Slide 10: Related Work
Aggregate MAC for multiple users [Katz-Lindell 08]
  • Formalized the syntax and security requirement
  • Proposed scheme: for $(M_1, I_1), (M_2, I_2), \ldots, (M_n, I_n)$,
    • $t_j = \mathsf{MAC}(K_j, M_j)$
    • the aggregate tag is $T = t_1 \oplus t_2 \oplus \cdots \oplus t_n$
  • Proved the security
Application of group testing to MAC [Goodrich et al. 05], [Minematsu 15]
  • Both of them assume a single-user setting
  • Tag aggregation requires a secret key

Slide 11: Aggregate MAC: Syntax
An aggregate MAC (AM) consists of the following algorithms:
  Key generation: $K \leftarrow \mathsf{KG}(1^p)$, where $p$ is a security parameter
  Tagging: $t \leftarrow \mathsf{Tag}(K_I, M, I)$
  Aggregate: $T \leftarrow \mathsf{Agg}((M_1, I_1, t_1), \ldots, (M_n, I_n, t_n))$
    • Secret keys are not used
    • Often $T \leftarrow \mathsf{Agg}(t_1, \ldots, t_n)$
  Verification: $d \leftarrow \mathsf{Ver}((K_1, \ldots, K_n), ((M_1, I_1), \ldots, (M_n, I_n)), T)$
    • The decision $d$ is either $\top$ (valid) or $\bot$ (invalid)

Slide 12: Aggregate MAC: Security Requirement
The security requirement is unforgeability.
An adversary $A$ against AM is given access to the following oracles:
  Tagging oracle (TO): receives $(M, I)$ and returns tag $t \leftarrow \mathsf{Tag}(K_I, M, I)$
  Corrupt oracle (CO): receives $I$ and returns $K_I$
  Verification oracle (VO): receives $(((M_1, I_1), \ldots, (M_n, I_n)), T)$ and returns $d \in \{\top, \bot\}$
$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{AM}}(A) := \Pr[A \text{ succeeds in forgery}]$
$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{AM}}(A)$ should be negligibly small for any efficient $A$.
$A$ succeeds in forgery if $A$ asks $Q = (((M_1, I_1), \ldots, (M_n, I_n)), T)$ to VO satisfying the following conditions:
  • $Q$ is judged valid
  • for some $j$, $A$ asks neither $(M_j, I_j)$ to TO nor $I_j$ to CO before $Q$

Slide 13: Group-Testing Aggregate (GTA) MAC
GTA MAC scheme using a $u \times n$ group-testing matrix:
  Key generation: $K \leftarrow \mathsf{KG}(1^p)$
  Tagging: $t \leftarrow \mathsf{Tag}(K_I, M, I)$
  Group-testing aggregation: $(T_1, \ldots, T_u) \leftarrow \mathsf{GTA}((M_1, I_1, t_1), \ldots, (M_n, I_n, t_n))$
    • Secret keys are not used
    • An aggregate tag is produced for each test
  Group-testing verification: $J \leftarrow \mathsf{GTV}((K_1, \ldots, K_n), ((M_1, I_1), \ldots, (M_n, I_n)), (T_1, \ldots, T_u))$
    • $J$ is the set of $(M_{j'}, I_{j'})$'s judged invalid
Security requirements
  • Unforgeability
  • Identifiability
    • Completeness: GTV judges any valid $(M, I, t)$ to be valid
    • Soundness: GTV judges any invalid $(M, I, t)$ to be invalid

Slide 14: Unforgeability (1/2)
An adversary $A$ against GTAM is given access to the oracles:
  Tagging oracle (TO): receives $(M, I)$ and returns $t \leftarrow \mathsf{Tag}(K_I, M, I)$
  Corrupt oracle (CO): receives $I$ and returns $K_I$
  Group-testing verification oracle (GTVO): receives $(((M_1, I_1), \ldots, (M_n, I_n)), (T_1, \ldots, T_u))$ and returns the set $J$ of invalid $(M_j, I_j)$'s
The advantage of $A$ against GTAM w.r.t. unforgeability: $\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{GTAM}}(A) := \Pr[A \text{ succeeds in forgery}]$
$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{GTAM}}(A)$ should be negligibly small for any efficient $A$.

Slide 15: Unforgeability (2/2)
$A$ succeeds in forgery if $A$ asks GTVO a query $Q = (((M_1, I_1), \ldots, (M_n, I_n)), (T_1, \ldots, T_u))$ such that there exists some $(M_j, I_j)$ s.t.
  • $(M_j, I_j)$ is judged valid by GTVO
  • $A$ asks neither $(M_j, I_j)$ to TO nor $I_j$ to CO before asking $Q$

Slide 16: Identifiability: Completeness and Soundness
An adversary $A$ is given access to the following oracles:
  Tagging oracle (TO): receives $(M, I)$ and returns $t \leftarrow \mathsf{Tag}(K_I, M, I)$
  Corrupt oracle (CO): receives $I$ and returns $K_I$
  Group-testing oracle (GTO): receives $Q = ((M_1, I_1, t_1), \ldots, (M_n, I_n, t_n))$, then
    1. applies group testing to $Q$
    2. returns the result
The advantage of $A$ against GTAM w.r.t.
  • completeness: $\mathrm{Adv}^{\mathrm{id\text{-}c}}_{\mathrm{GTAM}}(A) := \Pr[\text{GTO judges some valid } (M_j, I_j, t_j) \text{ invalid}]$
  • soundness: $\mathrm{Adv}^{\mathrm{id\text{-}s}}_{\mathrm{GTAM}}(A) := \Pr[\text{GTO judges some invalid } (M_j, I_j, t_j) \text{ valid}]$
Both advantages should be negligibly small for any efficient $A$.

Slide 17: Generic Construction
Generic GTA MAC using
  • an aggregate MAC $\mathsf{AM} = (\mathsf{KG}, \mathsf{Tag}, \mathsf{Agg}, \mathsf{Ver})$
  • a GT matrix $G$
Key generation: $\mathsf{KG}$
Tagging: $\mathsf{Tag}$
Group-testing aggregation: $(T_1, \ldots, T_u) \leftarrow \mathsf{GTA}(t_1, \ldots, t_n)$, one aggregate per row of $G$, e.g.

                                                 t1  t2  t3  t4
    $T_1 \leftarrow \mathsf{Agg}(t_1, t_2)$        1   1   0   0
    $T_2 \leftarrow \mathsf{Agg}(t_1, t_3)$        1   0   1   0
    $T_3 \leftarrow \mathsf{Agg}(t_2, t_3, t_4)$   0   1   1   1

Group-testing verification: for $(((M_1, I_1), \ldots, (M_n, I_n)), (T_1, \ldots, T_u))$,
  1. $t'_j \leftarrow \mathsf{Tag}(K_j, M_j, I_j)$ for $1 \le j \le n$
  2. $(T'_1, \ldots, T'_u) \leftarrow \mathsf{GTA}(t'_1, \ldots, t'_n)$
  3. For $1 \le i \le u$, if $T_i = T'_i$, all the involved $(M_j, I_j)$'s are valid
  4. The remaining $(M_j, I_j)$'s are invalid
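As an added, self-contained example (not the authors' code) of the generic construction above, the block below instantiates the underlying aggregate MAC with HMAC-SHA256 tags and XOR aggregation (the Katz-Lindell aggregate from slide 10), builds one aggregate per row of the group-testing matrix, and verifies with the four-step GTV rule. Assumptions not on the slides: the HMAC instantiation with a `0x00` separator between user id and message, 32-byte keys, and the constructed 1-disjunct 4 x 6 matrix `G`; the 3 x 4 matrix `G_SLIDE` is the one from slides 7 and 17. Function names (`key_gen`, `tag`, `agg`, `gta`, `gtv`, `demo`) are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed 1-disjunct group-testing matrix: 4 tests for 6 messages,
# every column a distinct weight-2 vector (assumption, not from the slides).
G = [
    [1, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0],
    [0, 1, 0, 1, 0, 1],
    [0, 0, 1, 0, 1, 1],
]
# The 3 x 4 matrix used on the slides (only 0-disjunct).
G_SLIDE = [
    [1, 1, 0, 0],
    [1, 0, 1, 0],
    [0, 1, 1, 1],
]
TAG_LEN = 32  # HMAC-SHA256 output size


def key_gen(user_ids):
    """KG: one independent 32-byte key per user id (assumed key size)."""
    return {I: secrets.token_bytes(TAG_LEN) for I in user_ids}


def tag(key, message, user_id):
    """Tag(K_I, M, I): HMAC-SHA256 over the user id and message (assumed
    instantiation; the separator keeps the (I, M) encoding unambiguous)."""
    return hmac.new(key, user_id.encode() + b"\x00" + message, hashlib.sha256).digest()


def agg(tags):
    """Agg(t_1, ..., t_n): XOR of the tags, as in the Katz-Lindell scheme."""
    out = bytes(TAG_LEN)
    for t in tags:
        out = bytes(a ^ b for a, b in zip(out, t))
    return out


def gta(G, tags):
    """GTA: one aggregate tag per test, i.e. per row of G; no keys involved."""
    return [agg([tags[j] for j in range(len(tags)) if row[j]]) for row in G]


def gtv(G, keys, pairs, agg_tags):
    """GTV: recompute every tag and every aggregate, then return the indices
    of the (M_j, I_j) pairs judged invalid. A pair is valid iff it appears in
    at least one test whose received and recomputed aggregates match."""
    recomputed = [tag(keys[I], M, I) for (M, I) in pairs]
    expected = gta(G, recomputed)
    n = len(pairs)
    valid = set()
    for i, row in enumerate(G):
        if hmac.compare_digest(agg_tags[i], expected[i]):
            valid |= {j for j in range(n) if row[j]}
    return set(range(n)) - valid


def demo(G, corrupted):
    """Tag n messages from three users, aggregate, then corrupt the listed
    message indices in transit and report which ones GTV flags (constructed)."""
    n = len(G[0])
    users = ["alice", "bob", "carol"]
    keys = key_gen(users)
    pairs = [(b"message %d" % j, users[j % 3]) for j in range(n)]
    T = gta(G, [tag(keys[I], M, I) for (M, I) in pairs])
    received = [(M + b"?" if j in corrupted else M, I) for j, (M, I) in enumerate(pairs)]
    return gtv(G, keys, received, T)


if __name__ == "__main__":
    print("nothing corrupted:", demo(G, set()))
    print("message 4 corrupted:", demo(G, {4}))
    print("messages 0 and 1 corrupted (beyond d=1):", demo(G, {0, 1}))
```

With the 1-disjunct matrix, any single corrupted message among six is pinpointed from four aggregate tags instead of six; two corrupted messages exceed $d = 1$, so an extra message is flagged, but a corrupted message is never reported valid, since every test containing it mismatches. With the slides' 3 x 4 matrix the same code flags {2, 3} when only message 2 is corrupted, which is the 0-disjunct limitation in practice. The `hmac.compare_digest` call keeps the aggregate comparison constant-time, as for any MAC verifier.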
