
Aggregate Message Authentication Codes with Detecting Functionality - PowerPoint PPT Presentation

  1. IEEE ISIT 2020
Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes
Yoshinori Ogawa*, Shingo Sato**, Junji Shikata*, Hideki Imai***
*Yokohama National University, Japan; **NICT, Japan; ***Japan Datacom Co., Ltd., Japan

  2. Background: What is the problem?
⚫ The number of IoT devices is increasing, and in the near future an enormous number of devices will be connected to networks, including 5G.
⚫ Even in such a situation, efficient communication or data transmission in an authenticated manner is required in the network.
[Figure: one-to-one authenticated communication by MACs. Each IoT device $i$ ($1 \le i \le n$) runs Tag Generation on Data $i$ and sends Authenticated data $i$ to the Receiver, which runs Verify on each one and outputs OK/NG. The total amount of transmitted data is large: Number of MAC tags $\propto n$.]

  3. Aggregate Message Authentication Code (Having Detecting Functionality)
⚫ [KL08] proposed the aggregate message authentication code (AMAC): an AMAC compresses the MAC tags on multiple messages into one short aggregate tag.
⚫ [HS18] proposed AMAC with detecting functionality (AMAD): an AMAD is an AMAC that can detect the invalid messages even when the verification algorithm outputs NG.
[Figure: each IoT device $i$ runs Tag Generation on Data $i$; the Authenticated data $1, \ldots, n$ are combined by Aggregation into a single Aggregated data item, which the Receiver verifies (OK/NG). ★ The total amount of transmitted data is small.]

  4. Our Purpose and Related Work
Purpose: propose a construction of practical AMAD from error-correcting codes; the essential point is to reduce the number of rows of the disjunct matrix.
◆ [HS18] used disjunct matrices to construct AMAD.
  ◆ Merit: the construction is very simple.
  ◆ Demerit: there is a theoretical limit on the number of rows of a disjunct matrix, so the tag size cannot be reduced drastically.
◆ [MK19] designed disjunct matrices from quasi-cyclic LDPC codes using finite geometry.
  ◆ Merit: the resulting matrix achieves high disjunctness, and its description needs less memory thanks to the quasi-cyclic property (the whole disjunct matrix need not be stored).
  ◆ Demerit: the disjunctness $d$ is fixed by the number $n$ of columns, and there is no way to reduce the number of rows when a smaller $d$ suffices.

  5. Our Approach and Contribution
⚫ Approach: Suppose that $S$ is a generator matrix of a binary error-correcting code, of size $k \times n$. Let $\Sigma$ be the $(2^k - 1) \times n$ matrix obtained by arranging all codewords except the zero vector in its rows. Then design $S$ such that $\Sigma$ is an almost-disjunct matrix. In particular, we consider a generator matrix $S$ of a biorthogonal code.
⚫ Contribution:
  1. Analysis of the disjunctness of biorthogonal codes
  2. Extension of the AMAD construction in [HS18]
  3. Evaluation of the performance of our AMAD construction

  6. (Almost) Disjunct Matrices
Definition. A $u \times n$ binary matrix $G$ is a $d$-disjunct matrix if, for arbitrary $d+1$ columns selected from the matrix, the resulting $u \times (d+1)$ matrix contains all the unit vectors of length $d+1$ in its rows.
Definition. A $u \times n$ binary matrix $G$ is said to be a $(d,p)$-almost-disjunct matrix if the following holds. Let $s$ be the number of selections of $d+1$ columns of $G$, $\{g_{i_1}, g_{i_2}, \ldots, g_{i_{d+1}}\}$, such that the matrix $(g_{i_1}, g_{i_2}, \ldots, g_{i_{d+1}})$ contains all the unit vectors of length $d+1$ in its rows. Then we define $p = s / \binom{n}{d+1}$.
Remark. $d$-disjunctness implies $(d,1)$-almost-disjunctness.

  7. Biorthogonal code and its disjunctness (1/2)
Definition.
⚫ Let $C_\ell$ be the extended binary Hamming code of length $n = 2^\ell$, dimension $k = 2^\ell - 1 - \ell$, and minimum distance $d_{\min} = 4$.
⚫ Let $C_\ell^\perp$ be the dual of $C_\ell$; it is called the $\ell$-order biorthogonal code.
$C_\ell^\perp$ has length $n = 2^\ell$, dimension $k = \ell + 1$, and minimum distance $d_{\min} = n/2 = 2^{\ell-1}$. More precisely, the code consists of the all-0s vector, the all-1s vector, and $2n - 2$ vectors of weight $n/2$.

  8. Biorthogonal code and its disjunctness (2/2)
Theorem. Suppose that $S$ is a generator matrix of the $\ell$-order biorthogonal code $C_\ell^\perp$ with code length $n = 2^\ell$, and let $\Sigma$ be the matrix obtained from $S$ by arranging all codewords except the zero vector in its rows. Then the $(d,p)$-almost-disjunctness of $\Sigma$ is given by
$$p = P_F(d+1, d+1, n),$$
where $P_F(t, r, n) = F(t, r, n) / \binom{n}{t}$ and $F(t, r, n)$ is the number of combinations of $t$ columns chosen from the $n$ columns of $S$ such that the rank of the $t$ chosen columns is $r$. In addition, $F(t, r, n)$ is computed as follows:
$$(1)\quad F(t, r, n) = \frac{1}{t}\,F(t-1, r-1, n)\Bigl(n - \sum_{i=1,\,i:\mathrm{odd}}^{r-1} \binom{r-1}{i}\Bigr) + \frac{1}{t}\,F(t-1, r, n)\Bigl(\sum_{i=1,\,i:\mathrm{odd}}^{r} \binom{r}{i} - (t-1)\Bigr) \quad \text{if } t > r,$$
$$(2)\quad F(t, t, n) = \frac{1}{t!}\prod_{i=1}^{t}\Bigl(n - \sum_{j=1,\,j:\mathrm{odd}}^{i-1} \binom{i-1}{j}\Bigr) \quad \text{if } t \ge 2,$$
$$(3)\quad F(1, 1, n) = n.$$
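As an added check of the definition on slide 6 and of the theorem above (my own Python, not code from the paper; all function names are assumed), the following builds $S$ and $\Sigma$ for small $\ell$, computes $p$ by brute force over all $(d+1)$-column subsets, and compares it with $P_F(d+1, d+1, n)$ evaluated through recursion (1)-(3).

```python
from fractions import Fraction
from functools import lru_cache
from itertools import combinations, product
from math import comb, factorial

def biorthogonal_generator(ell):
    """S for the ell-order biorthogonal code: (ell+1) x 2^ell, columns (1, x) for all x in F_2^ell."""
    cols = [(1,) + x for x in product((0, 1), repeat=ell)]
    return [[c[i] for c in cols] for i in range(ell + 1)]

def codeword_matrix(S):
    """Sigma: every nonzero codeword c*S (mod 2) of the code generated by S, one per row."""
    k, n = len(S), len(S[0])
    return [tuple(sum(c[i] * S[i][j] for i in range(k)) % 2 for j in range(n))
            for c in product((0, 1), repeat=k) if any(c)]

def almost_disjunct_p(Sigma, d):
    """p of (d,p)-almost-disjunctness straight from the definition: the fraction of
    (d+1)-column subsets whose submatrix has every unit vector of length d+1 in its rows."""
    n = len(Sigma[0])
    units = {tuple(int(i == j) for i in range(d + 1)) for j in range(d + 1)}
    good = 0
    for cols in combinations(range(n), d + 1):
        good += units <= {tuple(row[j] for j in cols) for row in Sigma}
    return Fraction(good, comb(n, d + 1))

def odd_sum(m):
    """sum_{i odd} C(m, i): the columns of S lying in the span of m independent columns."""
    return sum(comb(m, i) for i in range(1, m + 1, 2))

@lru_cache(maxsize=None)
def F(t, r, n):
    """F(t, r, n): number of t-column subsets of S with rank r, via recursion (1)-(3)."""
    if r < 1 or r > t:
        return Fraction(0)
    if t == 1:                                                   # (3) F(1,1,n) = n
        return Fraction(n)
    if t == r:                                                   # (2) full rank, t >= 2
        prod = 1
        for i in range(1, t + 1):
            prod *= n - odd_sum(i - 1)
        return Fraction(prod, factorial(t))
    return (F(t - 1, r - 1, n) * (n - odd_sum(r - 1))            # (1) t > r
            + F(t - 1, r, n) * (odd_sum(r) - (t - 1))) / t

def p_from_theorem(ell, d):
    """Theorem: p = P_F(d+1, d+1, n) = F(d+1, d+1, n) / C(n, d+1) with n = 2^ell."""
    n = 2 ** ell
    return F(d + 1, d + 1, n) / comb(n, d + 1)
```

For $\ell = 3$ both routes give $p = 1$ for $d = 1, 2$ and $p = 4/5$ for $d = 3$, and the values of $F(t, r, n)$ over all $r$ sum to $\binom{n}{t}$.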

  9. Our Construction of AMAD (1/2)
Suppose that:
◆ a MAC function $F$ is given;
◆ $S = (S_{i,j})$ is a generator matrix of a biorthogonal code with $(n, k, d_{\min}) = (2^\ell, \ell + 1, 2^{\ell-1})$ and $\ell \ge 3$;
◆ $\Sigma$ is the matrix whose rows consist of all codewords generated by $S$ except the zero vector;
◆ $G$ is an $(\ell+1) \times n$ matrix with entries in $\mathrm{GF}(2^g)$ whose $i$-th row $G_i$ is $G_i = (S_{i,1}, \alpha S_{i,2}, \alpha^2 S_{i,3}, \ldots, \alpha^{n-1} S_{i,n})$, where $\alpha$ is a primitive element of $\mathrm{GF}(2^g)$;
◆ $\Gamma$ is the $(2^{\ell+1} - 1) \times n$ matrix whose rows consist of all codewords generated by $G$ except the zero vector.
Then AMAD = (KGen, Tag, Agg, TVrfy) is constructed as follows.
⚫ Key Generation. $K_{id} \leftarrow \mathrm{KGen}(1^\lambda, id)$: for each $id$, generate a random key $K$ and set $K_{id} := (id, K)$.
⚫ Tagging. $t \leftarrow \mathrm{Tag}(K_{id}, m)$: for a pair of an ID and a message $(id, m)$ and $K_{id} := (id, K)$, define $t \leftarrow F(K, m)$.

  10. Our Construction of AMAD (2/2)
⚫ Aggregation. $T \leftarrow \mathrm{Agg}((id_1, m_1, t_1), \ldots, (id_n, m_n, t_n))$:
For $\mathbf{t} = (t_1, \ldots, t_n)$, compute $T_1 = \mathbf{t} S^{\mathsf T}$. For each $1 \le i \le n$, let $t_i' \in \{0,1\}^g$ be the last $g$ bits of $t_i$, and regard $t_i' \in \mathrm{GF}(2^g)$. Set $\mathbf{t}' = (t_1', \ldots, t_n')$ and compute $T_2 = \mathbf{t}' G^{\mathsf T}$. Then output $T := (T_1, T_2)$.
⚫ Verification. $J \leftarrow \mathrm{TVrfy}((K_1, \ldots, K_n), (id_1, m_1), \ldots, (id_n, m_n), T)$:
For each $1 \le i \le n$, compute $t_i \leftarrow \mathrm{Tag}(K_{id_i}, m_i)$ and set $\mathbf{t} = (t_1, \ldots, t_n)$. Compute $\mathbf{s} = T_1 - \mathbf{t} S^{\mathsf T}$. If $\mathbf{s} = 0$, output $J := \emptyset$; otherwise, do the following.
1) $D \leftarrow \{1, 2, \ldots, n\}$, $L \leftarrow \{1, 2, \ldots, 2^{\ell+1} - 1\}$.
2) Using $\mathbf{s}$ and $\Sigma$, compute $\boldsymbol{\sigma} = \mathbf{e}\,\Sigma^{\mathsf T}$, where $\mathbf{e}$ is the error vector such that $\mathbf{s} = \mathbf{e}\,S^{\mathsf T}$.
3) For $1 \le i \le 2^{\ell+1} - 1$, do the following: if $\sigma_i = 0$, set $D \leftarrow D \setminus \{j_{i,1}, \ldots, j_{i,w_i}\}$ and $L \leftarrow L \setminus \{i\}$, where $j_{i,1}, \ldots, j_{i,w_i}$ are the integers such that $\Sigma_{i,j_{i,1}} = \cdots = \Sigma_{i,j_{i,w_i}} = 1$ in the $i$-th row of $\Sigma$.
4) Compute $\mathbf{t}'$ as in the aggregation process. Compute $\mathbf{g} = T_2 - \mathbf{t}' G^{\mathsf T} = \mathbf{e}' G^{\mathsf T}$. Using $\mathbf{g}$ and $\Gamma$, compute $\boldsymbol{\gamma} = \mathbf{e}'\,\Gamma^{\mathsf T}$.
5) For each $1 \le i \le 2^{\ell+1} - 1$, let $\sigma_i' \in \{0,1\}^g$ be the last $g$ bits of $\sigma_i$, and regard $\sigma_i' \in \mathrm{GF}(2^g)$. Compute $D' = \{\, j \mid \Sigma_{i,j}\,\alpha^{j-1}\sigma_i' = \gamma_i \text{ for } i \in L \text{ and } j \in D \,\}$.
6) Output the list $J$ consisting of all $id_j$ with $j \in D'$.
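The binary part of the construction above (Agg producing $T_1$, and steps 1) to 3) of TVrfy), as an added example that is not the authors' code: HMAC-SHA256 stands in for the abstract MAC function $F$, the keys, IDs and readings are constructed, and the $\mathrm{GF}(2^g)$ part ($T_2$, steps 4) and 5)) is left out, so the result is the candidate set $D$ rather than $D'$.

```python
import hashlib
import hmac
from functools import reduce
from itertools import product

def biorthogonal_generator(ell):
    """S for the ell-order biorthogonal code: columns (1, x) for every x in F_2^ell."""
    cols = [(1,) + x for x in product((0, 1), repeat=ell)]
    return [[c[i] for c in cols] for i in range(ell + 1)]

def xor_select(M, vecs):
    """vecs * M^T over bit strings: entry i is the XOR of the vecs picked by row i of M."""
    zero = bytes(len(vecs[0]))
    return [reduce(lambda a, v: bytes(x ^ y for x, y in zip(a, v)),
                   (v for bit, v in zip(row, vecs) if bit), zero) for row in M]

def tag(key, dev_id, msg):
    """Tag(K_id, m) = F(K, m); HMAC-SHA256 is assumed as the MAC function F."""
    return hmac.new(key, dev_id + b"|" + msg, hashlib.sha256).digest()

def detect_invalid(S, keys, id_msgs, T1):
    """Binary part of TVrfy (steps 1-3): the candidate set D of invalid indices,
    or the empty set when the aggregate tag T_1 verifies."""
    t = [tag(k, i, m) for k, (i, m) in zip(keys, id_msgs)]
    s = [bytes(x ^ y for x, y in zip(a, b)) for a, b in zip(T1, xor_select(S, t))]
    if not any(any(x) for x in s):
        return set()
    # Row i of Sigma is c*S for a nonzero c, and sigma_i = (e S^T) c^T = s c^T,
    # so sigma is computed from s alone; the error vector e itself is never needed.
    coeffs = [c for c in product((0, 1), repeat=len(S)) if any(c)]
    sigma = xor_select(coeffs, s)
    D = set(range(len(S[0])))
    for c, sig in zip(coeffs, sigma):
        if not any(sig):                        # sigma_i = 0: all devices in row i are valid
            D -= {j for j in D if sum(ci * S[i][j] for i, ci in enumerate(c)) % 2}
    return D

def demo(ell=3, forged=(5,)):
    """Constructed run: n = 2^ell devices; those listed in `forged` send garbage tags."""
    S = biorthogonal_generator(ell)
    n = len(S[0])
    keys = [hashlib.sha256(b"demo-key-%d" % j).digest() for j in range(n)]   # constructed keys
    id_msgs = [(b"dev%d" % j, b"reading=%d" % (20 + j)) for j in range(n)]
    tags = [tag(k, i, m) for k, (i, m) in zip(keys, id_msgs)]
    for j in forged:
        tags[j] = bytes(32)                     # forged (garbage) tag from device j
    T1 = xor_select(S, tags)                    # Agg: ell+1 tags transmitted instead of n
    return detect_invalid(S, keys, id_msgs, T1)
```

With three forged tags among 16 devices ($\ell = 4$, devices 0, 9 and 15) the set $D$ also contains device 6, whose column of $S$ is the sum of columns 0, 9 and 15; this is the kind of ambiguity that steps 4) and 5) narrow down with $T_2$.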

  11. Lower bound on the detecting probability of our AMAD
Theorem. For an integer $1 \le d \le \ell$, the lower bound on the detecting probability $P(\ell, d)$ of our AMAD construction is given by
$$P(\ell, d) \ge P_F(d, d, n) + P_G(d, n),$$
where the function $P_F$ is defined by $P_F(t, r, n) = F(t, r, n) / \binom{n}{t}$, $P_G(t, n) := G(t, n) / \binom{n}{t}$, and $G(t, n)$ satisfies the following relations:
$$(1)\quad G(t, n) = \frac{1}{t}\,F(t-1, t-1, n)\binom{t-1}{3} + \frac{1}{t}\,G(t-1, n)\Bigl(n - \sum_{i=1,\,i:\mathrm{odd}}^{t-2} \binom{t-2}{i}\Bigr) \quad \text{if } t \ge 5,$$
$$(2)\quad G(4, n) = \frac{1}{4}\,F(3, 3, n).$$
