IEEE ISIT 2020
Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes
Yoshinori Ogawa*, Shingo Sato**, Junji Shikata*, Hideki Imai***
*Yokohama National University, Japan; **NICT, Japan; ***Japan Datacom Co., Ltd., Japan
Background: What is a problem?
- The number of IoT devices is increasing, and there will be an enormous number of devices connected to networks including 5G in the near future.
- Even in such a situation, it is required to realize efficient communications or data transmissions in an authenticated manner in the network.
[Figure: One-to-one authenticated communication by MACs. Each of IoT devices 1 to n runs tag generation on its data and sends the authenticated data to the receiver, which verifies each one (OK/NG). The total amount of transmitted data is large!]
Aggregate Message Authentication Code (Having Detecting Functionality)
- [KL08] proposed the aggregate message authentication code (AMAC): AMAC can compress MAC tags on multiple messages into a short aggregate-tag.
- [HS18] proposed AMAC with detecting functionality (AMAD): AMAD is an AMAC that can detect an invalid message even if a verification algorithm outputs NG.
[Figure: IoT devices 1 to n each run tag generation on their data; the authenticated data passes through an aggregation step, and the receiver verifies the aggregated data (OK/NG). The total amount of transmitted data is small.]
Our Purpose and Related Work
Proposing construction of practical AMAD from error-correcting codes; the essential point is to reduce the number of rows for disjunct matrices.
- [HS18] utilized disjunct matrices for constructing AMAD.
  - Merit: Construction is very simple.
  - Demerit: There is theoretical limitation on the number of rows for disjunct matrices, by which we cannot reduce size of tags drastically.
- [MK19] designed disjunct matrices from quasi-cyclic LDPC codes using finite geometry.
  - Merit: The resulting matrix achieved high disjunctness and its description requires less memory by using quasi-cyclic property (i.e., we do not need to store a whole disjunct matrix).
  - Demerit: The disjunctness $d$ is determined from the number $n$ of columns, and there is no solution to reduce the number of rows for smaller $d$.
Our Approach and Contribution
- Approach: Suppose that a generator matrix of a binary error-correcting code has size $k \times n$. Then, let $\Sigma$ be a $(2^k - 1) \times n$ matrix obtained by arranging all codewords in its rows except the zero-vector. Then, design the generator matrix such that $\Sigma$ is an almost disjunct matrix. In particular, we consider a generator matrix of biorthogonal codes.
- Contribution:
  1. Analysis of disjunctness for biorthogonal codes
  2. Extension of AMAD construction in [HS18]
  3. Evaluation on performance of our AMAD construction
(Almost) Disjunct Matrices
Definition. A $u \times n$ binary matrix $G$ is a $d$-disjunct matrix, if for arbitrary $d + 1$ columns selected from the matrix, the resulting $u \times (d + 1)$ matrix contains all the unit vectors with length $d + 1$ in its rows.
Definition. A $u \times n$ binary matrix $G$ is said to be a $(d, \varepsilon)$-almost-disjunct matrix if the following conditions are satisfied: Let $s$ be the number of ways of selecting $d + 1$ columns of $G$, $\{g_{j_1}, g_{j_2}, \ldots, g_{j_{d+1}}\}$, such that the matrix $(g_{j_1}, g_{j_2}, \ldots, g_{j_{d+1}})$ contains all the unit vectors with length $d + 1$ in its rows; then, we define $\varepsilon = s / \binom{n}{d+1}$.
Remark. $d$-disjunctness implies $(d, 1)$-almost-disjunctness.
Biorthogonal code and its disjunctness (1/2)
Definition.
- Let $C_\ell$ be an extended binary Hamming code having length $n = 2^\ell$, dimension $k = 2^\ell - 1 - \ell$, and minimum distance $d_{\min} = 4$.
- Let $C_\ell^\perp$ be the dual of $C_\ell$, and it is called an $\ell$-order biorthogonal code. $C_\ell^\perp$ has length $n = 2^\ell$, dimension $k = \ell + 1$, and minimum distance $d_{\min} = n/2 = 2^{\ell-1}$. More precisely, the code contains all 0s vector, all 1s vector, and $2n - 2$ vectors of weight $n/2$.
Biorthogonal code and its disjunctness(2/2) Theorem. Suppose that ๐ is a generator matrix of an โ -order โฅ with code length ๐ = 2 โ . Then, let ฮฃ be a matrix biorthogonal code ๐ท โ obtained from ๐ by arranging all codewords in its rows except the zero- vector. Then, (๐, ๐) -almost-disjunctness of ฮฃ is shown as follows. ๐ = ๐ ๐บ (๐ + 1, ๐ + 1, ๐) , where ๐ ๐บ ๐ข, ๐ , ๐ = ๐บ(๐ข, ๐ , ๐)/ ๐ and ๐บ(๐ข, ๐ , ๐) is the number of all ๐ข combinations for choosing ๐ข columns from ๐ columns in ๐ such that the rank of ๐ is ๐ . In addition, ๐บ(๐ข, ๐ , ๐) is computed as follows: 1 ๐ โ1 ๐ โ1 ๐ข ๐บ ๐ข โ 1, ๐ โ 1, ๐ ๐ โ ฯ ๐=1,๐:๐๐๐ (1) ๐บ ๐ข, ๐ , ๐ = + ๐ 1 ๐ ๐ ๐ข ๐บ ๐ข โ 1, ๐ , ๐ ฯ ๐=1,๐:๐๐๐ ๐ โ (๐ข โ 1) if ๐ข > ๐ , 1 ๐โ1 ๐ข ๐โ1 ๐ข! ฯ ๐=1 ๐ โ ฯ ๐=1,๐:๐๐๐ (2) ๐บ ๐ข, ๐ข, ๐ = if ๐ข โฅ 2 , ๐ (3) ๐บ 1,1, ๐ = ๐. 8
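For small orders, the almost-disjunctness of the matrix of non-zero biorthogonal codewords can be checked by brute force. The Python below is an added example, not code from the slides or the authors; the function names and the sample order 3 are assumptions made here. It counts the column selections whose rows contain every unit vector, and compares that with the count of selections whose generator-matrix columns have full rank, the quantity the theorem is stated in terms of.

```python
from fractions import Fraction
from itertools import combinations

def sigma(l):
    """All non-zero codewords of the order-l biorthogonal code, one per row.
    Message a has l+1 bits: bit 0 selects the all-ones row, bits 1..l the
    rows whose column x holds the bits of x (n = 2**l columns)."""
    return [[bin(a & (1 | (x << 1))).count("1") & 1 for x in range(1 << l)]
            for a in range(1, 1 << (l + 1))]

def has_all_unit_vectors(rows, cols):
    """Definition check: the rows restricted to `cols` include every unit vector."""
    seen = set()
    for row in rows:
        sub = [row[c] for c in cols]
        if sum(sub) == 1:
            seen.add(sub.index(1))
    return len(seen) == len(cols)

def rank_gf2(vectors):
    """Rank over GF(2) of integers read as bit vectors (XOR basis)."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def epsilon_by_definition(l, d):
    """Fraction of (d+1)-column selections of sigma(l) that pass the check."""
    rows = sigma(l)
    picks = list(combinations(range(1 << l), d + 1))
    return Fraction(sum(has_all_unit_vectors(rows, p) for p in picks), len(picks))

def epsilon_by_rank(l, d):
    """Same fraction, counted as selections of d+1 independent generator columns."""
    picks = list(combinations(range(1 << l), d + 1))
    good = sum(rank_gf2([1 | (x << 1) for x in p]) == d + 1 for p in picks)
    return Fraction(good, len(picks))

if __name__ == "__main__":
    for d in range(1, 5):   # order 3: n = 8 columns, 15 rows
        print(d, epsilon_by_definition(3, d), epsilon_by_rank(3, d))
```

For order 3 the matrix is fully disjunct up to two columns beyond the tested one, and the fraction drops only once four columns can form a linearly dependent set.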
Our Construction of AMAD (1/2) Suppose that: โ A MAC function F is given; and โ ๐ = (๐ ๐,๐ ) is a generator matrix of a biorthogonal code having ๐, ๐, ๐ ๐๐๐ = 2 โ , โ + 1, 2 โโ1 with โ โฅ 3 . โ ฮฃ is a matrix whose rows consist of all codewords generated by ๐ except for the zero-vector. โ ๐ป is an (โ + 1) ร ๐ matrix with entries in ๐ป๐บ(2 โ ) and its ๐ -th row ๐ป ๐ is given by ๐ป ๐ = (๐ ๐,1 , ๐ฝ๐ ๐,2 , ๐ฝ 2 ๐ ๐,3 , โฆ , ๐ฝ ๐โ1 ๐ ๐,๐ ) , where ๐ฝ is a primitive element of ๐ป๐บ(2 โ ) . โ ฮ is a (2 โ+1 โ 1) ร ๐ matrix whose rows consist of all codewords generated by ๐ป except for the zero-vector. Then, AMAD=(KGen, Tag, Agg, TVrfy) is constructed as follows. Key Generation. ๐ฟ ๐๐ โ KGen(1 ๐ , ๐๐) : โซ For each ๐๐ , generate a random key ๐ฟ , and set ๐ฟ ๐๐ โ (๐๐, ๐ฟ) . โซ Tagging. ๐ข โ Tag ๐ฟ ๐๐ , ๐ : For a pair of an ID and a message (๐๐, ๐) and ๐ฟ ๐๐ โ (๐๐, ๐ฟ) , define ๐ข โ ๐บ ๐ฟ, ๐ . 9
Our Construction of AMAD (2/2) โซ Aggregation. ๐ โ Agg ๐๐ 1 , ๐ 1 , ๐ข 1 , โฆ , ๐๐ ๐ , ๐ ๐ , ๐ข ๐ : 1 = ๐๐ ๐ . For ๐ = (๐ข 1 , โฆ , ๐ข ๐ ) , it computes ๐ โฒ โ {0,1} โ be last โ bits of ๐ข ๐ , and regard For each 1 โค ๐ โค ๐, let ๐ข ๐ โฒ โ ๐ป๐บ(2 โ ) . Set ๐โฒ = ๐ข 1 โฒ, โฆ , ๐ข ๐ โฒ . It computes ๐ 2 = ๐โฒ๐ป ๐ . Then, output ๐ โ ๐ ๐ข ๐ 1 , ๐ 2 . โซ Verification. ๐พ โ TVrfy( ๐ฟ 1 , โฆ , ๐ฟ ๐ , ๐๐ 1 , ๐ 1 , โฆ , ๐๐ ๐ , ๐ ๐ , ๐) For each 1 โค ๐ โค ๐ , compute ๐ข ๐ โ Tag ๐ฟ ๐๐ ๐ , ๐ , and set ๐ = (๐ข 1 , โฆ , ๐ข ๐ ) . It computes ๐ = 1 โ ๐๐ ๐ . If ๐ = 0 , output ๐พ โ โ ; Otherwise, do the following. ๐ 1) ๐ธ โ 1,2, โฆ , ๐ , ๐ โ 1,2, โฆ , 2 โ+1 โ 1 . 2) By using ๐ and ฮฃ , compute ๐ = ๐ ฮฃ ๐ , where ๐ is an error-vector such that ๐ = ๐ ๐ ๐ . 3) For 1 โค ๐ โค 2 โ+1 โ 1 , do the following: If ๐ ๐ = 0 , set ๐ธ โ ๐ธ โ {๐ ๐,1 , โฆ , ๐ ๐,๐ฅ ๐ } , and ๐ โ ๐ โ {๐} , where ๐ ๐,1 , โฆ , ๐ ๐,๐ฅ ๐ are integers such that ฮฃ ๐,๐ ๐,1 = โฏ = ฮฃ ๐,๐ ๐,๐ฅ๐ = 1 in the ๐ -th row of ฮฃ . 4) compute ๐โฒ as in the aggregation process. Compute ๐ = ๐ 2 โ ๐โฒ๐ป ๐ = ๐ โฒ ๐ป ๐ . By using ๐ and ฮ , compute ๐ฟ = ๐ โฒ ฮ ๐ โฒ โ {0,1} โ be last โ bits of ๐ ๐ , and regard 5) For each each 1 โค ๐ โค 2 โ+1 โ 1 , let let ๐ ๐ โฒ โ ๐ป๐บ(2 โ ) . Compute ๐ธ โฒ = ๐ ฮฃ ๐,๐ ๐ฝ ๐โ1 ๐ ๐ โฒ = ๐ฟ ๐ for ๐ โ ๐ and ๐ โ ๐ธ} . ๐ ๐ 6) Output a list ๐พ consisting of all ๐๐ ๐ with ๐ โ ๐ธ โฒ . 10
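The group-testing part of the verification (steps 1 to 3 above) can be exercised on a small instance. The Python below is an added example, not the authors' code: HMAC-SHA256 stands in for the MAC, indices are 0-based, and it assumes the first aggregate component is the XOR of the tags selected by each row of the generator matrix, so that the syndrome for every non-zero codeword follows by linearity. It does not implement the second aggregate component or steps 4 to 6.

```python
import hashlib
import hmac

def gen_cols(l):
    """Columns of the (l+1) x 2**l generator matrix packed as integers:
    bit 0 is the all-ones row, bits 1..l hold the bits of the column index."""
    return [1 | (x << 1) for x in range(1 << l)]

def tag(key, msg):
    """Per-device MAC; HMAC-SHA256 is a stand-in chosen for this example."""
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def aggregate(tags, l):
    """l+1 aggregate values: value r is the XOR of the tags in generator row r."""
    out = [0] * (l + 1)
    for t, c in zip(tags, gen_cols(l)):
        for r in range(l + 1):
            if (c >> r) & 1:
                out[r] ^= t
    return out

def detect(keys, msgs, agg, l):
    """Steps 1-3 of verification: returns the column indices still suspected."""
    fresh = aggregate([tag(k, m) for k, m in zip(keys, msgs)], l)
    syn = [a ^ b for a, b in zip(agg, fresh)]
    if not any(syn):
        return set()
    cols, suspects = gen_cols(l), set(range(1 << l))
    for a in range(1, 1 << (l + 1)):        # one non-zero codeword per value of a
        s = 0
        for r in range(l + 1):
            if (a >> r) & 1:
                s ^= syn[r]                  # syndrome of that codeword, by linearity
        if s == 0:                           # this group contains no invalid tag
            suspects -= {j for j, c in enumerate(cols) if bin(a & c).count("1") & 1}
    return suspects

def demo(forged, l=3):
    """Constructed sample: 2**l devices, messages at indices `forged` replaced."""
    n = 1 << l
    keys = [bytes([i + 1]) * 16 for i in range(n)]
    sent = [b"reading-%d" % i for i in range(n)]
    agg = aggregate([tag(k, m) for k, m in zip(keys, sent)], l)
    received = [b"forged" if i in forged else m for i, m in enumerate(sent)]
    return detect(keys, received, agg, l)
```

With forged indices {0, 1, 2}, index 3 also stays in the suspect set, because those four generator columns are linearly dependent and no group separates index 3 from the three forged ones.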
LB on detecting probability of our AMAD Theorem. For an integer 1 โค ๐ โค โ , the lower bound of detecting probability ๐(โ, ๐) in our AMAD construction is given by ๐ โ, ๐ โฅ ๐ ๐บ ๐, ๐, ๐ + ๐ ๐ป (๐, ๐) , where the function ๐ ๐บ is defined by ๐ ๐บ ๐ข, ๐ , ๐ = ๐บ(๐ข, ๐ , ๐)/ ๐ ๐ข , ๐ ๐ป ๐ข, ๐ โ ๐ป(๐ข, ๐)/ ๐ ๐ข , and ๐ป(๐ข, ๐) meets the following relationships: 1 ๐ขโ1 (1) ๐ป ๐ข, ๐ = ๐ข ๐บ ๐ข โ 1, ๐ข โ 1, ๐ ร + 3 1 ๐ขโ2 ๐ขโ2 ๐ โ ฯ ๐=1,๐:๐๐๐ ๐ข ๐ป ๐ข โ 1, ๐ if ๐ข โฅ 5 , ๐ 1 (2) ๐ป 4, ๐ = 4 ๐บ 3,3, ๐ . 11