Aggregate Message Authentication Codes with Detecting Functionality - - PowerPoint PPT Presentation



SLIDE 1

Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes

Yoshinori Ogawa*, Shingo Sato**, Junji Shikata*, Hideki Imai***
*Yokohama National University, Japan
**NICT, Japan
***Japan Datacom Co., Ltd., Japan

IEEE ISIT 2020

SLIDE 2

Background: What is a problem?

One-to-one authenticated communication by MACs

[Figure: IoT device 1, IoT device 2, ..., IoT device n each apply Tag Generation to Data 1, Data 2, ..., Data n and send Authenticated data 1, Authenticated data 2, ..., Authenticated data n to the Receiver, which verifies each one (Verify OK/NG). "Number of MAC_tag" ∝ $n$. Total amount of transmitted data is large!]

⚫ The number of IoT devices is increasing, and there will be an enormous number of devices connected to networks including 5G in the near future.
⚫ Even in such a situation, it is required to realize efficient communications or data transmissions in an authenticated manner in the network.

SLIDE 3

Aggregate Message Authentication Code (Having Detecting Functionality)

⚫ [KL08] proposed the aggregate message authentication code (AMAC): AMAC can compress MAC tags on multiple messages into a short aggregate-tag.
⚫ [HS18] proposed AMAC with detecting functionality (AMAD): AMAD is an AMAC that can detect an invalid message even if a verification algorithm outputs NG.

[Figure: IoT device 1, IoT device 2, ..., IoT device n each apply Tag Generation to Data 1, Data 2, ..., Data n. Authenticated data 1, Authenticated data 2, ..., Authenticated data n pass through Aggregation, and the Aggregated data is sent to the Receiver (Verify OK/NG). ★ Total amount of transmitted data is small.]

SLIDE 4

Our Purpose and Related Work

Proposing construction of practical AMAD from error-correcting codes; the essential point is to reduce the number of rows for disjunct matrices.

◆ [HS18] utilized disjunct matrices for constructing AMAD.
  ◆ Merit: Construction is very simple.
  ◆ Demerit: There is a theoretical limitation on the number of rows for disjunct matrices, by which we cannot reduce the size of tags drastically.
◆ [MK19] designed disjunct matrices from quasi-cyclic LDPC codes using finite geometry.
  ◆ Merit: The resulting matrix achieved high disjunctness and its description requires less memory by using the quasi-cyclic property (i.e., we do not need to store a whole disjunct matrix).
  ◆ Demerit: Disjunctness $d = O(\ n)$ is determined from the number $n$ of columns, and there is no solution to reduce the number of rows for smaller $d$.

SLIDE 5

Our Approach and Contribution

⚫ Approach: Suppose that $S$ is a generator matrix of a binary error-correcting code having size $k \times n$. Then, let $\Sigma$ be a $(2^{k} - 1) \times n$ matrix obtained by arranging all codewords in its rows except the zero-vector. Then, design a matrix $S$ such that $\Sigma$ is an almost disjunct matrix. In particular, we consider a generator matrix $S$ of biorthogonal codes.
⚫ Contribution:
  • 1. Analysis of disjunctness for biorthogonal codes
  • 2. Extension of AMAD construction in [HS18]
  • 3. Evaluation on performance of our AMAD construction

SLIDE 6

(Almost) Disjunct Matrices

  • Definition. A $u \times n$ binary matrix $G$ is a $d$-disjunct matrix if, for arbitrary $d + 1$ columns selected from the matrix, the resulting $u \times (d + 1)$ matrix contains all the unit vectors with length $d + 1$ in its rows.

  • Definition. A $u \times n$ binary matrix $G$ is said to be a $(d, p)$-almost-disjunct matrix if the following conditions are satisfied: Let $s$ be the number of ways of selecting $d + 1$ columns of $G$, $\{g_{i_1}, g_{i_2}, \ldots, g_{i_{d+1}}\}$, such that the matrix $(g_{i_1}, g_{i_2}, \ldots, g_{i_{d+1}})$ contains all the unit vectors with length $d + 1$ in its rows. Then, we define $p = s / \binom{n}{d+1}$.

  • Remark. $d$-disjunctness implies $(d, 1)$-almost-disjunctness.

SLIDE 7

Biorthogonal code and its disjunctness (1/2)

Definition.
⚫ Let $C_{\ell}$ be an extended binary Hamming code having length $n = 2^{\ell}$, dimension $k = 2^{\ell} - 1 - \ell$, and minimum distance $d_{min} = 4$.
⚫ Let $C_{\ell}^{\perp}$ be the dual of $C_{\ell}$; it is called an $\ell$-order biorthogonal code.

$C_{\ell}^{\perp}$ has length $n = 2^{\ell}$, dimension $k = \ell + 1$, and minimum distance $d_{min} = n/2 = 2^{\ell-1}$. More precisely, the code contains the all 0s vector, the all 1s vector, and $2n - 2$ vectors of weight $n/2$.

SLIDE 8

Biorthogonal code and its disjunctness (2/2)

  • Theorem. Suppose that $S$ is a generator matrix of an $\ell$-order biorthogonal code $C_{\ell}^{\perp}$ with code length $n = 2^{\ell}$. Then, let $\Sigma$ be a matrix obtained from $S$ by arranging all codewords in its rows except the zero-vector. Then, $(d, p)$-almost-disjunctness of $\Sigma$ is shown as follows.

$p = P_F(d + 1, d + 1, n)$, where $P_F(t, r, n) = F(t, r, n) / \binom{n}{t}$ and $F(t, r, n)$ is the number of all combinations for choosing $t$ columns from $n$ columns in $S$ such that the rank of $S$ is $r$. In addition, $F(t, r, n)$ is computed as follows:

(1) $F(t, r, n) = \frac{1}{t} F(t-1, r-1, n) \left( n - \sum_{i=1,\, i:\mathrm{odd}}^{r-1} \binom{r-1}{i} \right) + \frac{1}{t} F(t-1, r, n) \left( \sum_{i=1,\, i:\mathrm{odd}}^{r} \binom{r}{i} - (t-1) \right)$ if $t > r$,

(2) $F(t, t, n) = \frac{1}{t!} \prod_{i=1}^{t} \left( n - \sum_{j=1,\, j:\mathrm{odd}}^{i-1} \binom{i-1}{j} \right)$ if $t \geq 2$,

(3) $F(1, 1, n) = n$.

SLIDE 9

Our Construction of AMAD (1/2)

Suppose that:
◆ A MAC function F is given; and
◆ $S = (S_{i,j})$ is a generator matrix of a biorthogonal code having $(n, k, d_{min}) = (2^{\ell}, \ell + 1, 2^{\ell-1})$ with $\ell \geq 3$.
◆ $\Sigma$ is a matrix whose rows consist of all codewords generated by $S$ except for the zero-vector.
◆ $G$ is an $(\ell + 1) \times n$ matrix with entries in $GF(2^{g})$ and its $i$-th row $G_i$ is given by $G_i = (S_{i,1}, \alpha S_{i,2}, \alpha^{2} S_{i,3}, \ldots, \alpha^{n-1} S_{i,n})$, where $\alpha$ is a primitive element of $GF(2^{g})$.
◆ $\Gamma$ is a $(2^{\ell+1} - 1) \times n$ matrix whose rows consist of all codewords generated by $G$ except for the zero-vector.

Then, AMAD = (KGen, Tag, Agg, TVrfy) is constructed as follows.

⚫ Key Generation. $K_{id} \leftarrow \mathrm{KGen}(1^{\lambda}, id)$: For each $id$, generate a random key $K$, and set $K_{id} := (id, K)$.
⚫ Tagging. $t \leftarrow \mathrm{Tag}(K_{id}, m)$: For a pair of an ID and a message $(id, m)$ and $K_{id} := (id, K)$, define $t \leftarrow F(K, m)$.

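SLIDE 10

Our Construction of AMAD (2/2)

  • Aggregation. $T \leftarrow \mathrm{Agg}((id_1, m_1, t_1), \ldots, (id_n, m_n, t_n))$: For $\boldsymbol{t} = (t_1, \ldots, t_n)$, it computes $T_1 = \boldsymbol{t} S^{\mathsf{T}}$. For each $1 \leq i \leq n$, let $t_i' \in \{0,1\}^{g}$ be the last $g$ bits of $t_i$, and regard $t_i' \in GF(2^{g})$. Set $\boldsymbol{t}' = (t_1', \ldots, t_n')$. It computes $T_2 = \boldsymbol{t}' G^{\mathsf{T}}$. Then, output $T := (T_1, T_2)$.

  • Verification. $J \leftarrow \mathrm{TVrfy}((K_1, \ldots, K_n), ((id_1, m_1), \ldots, (id_n, m_n)), T)$: For each $1 \leq i \leq n$, compute $t_i \leftarrow \mathrm{Tag}(K_{id_i}, m)$, and set $\boldsymbol{t} = (t_1, \ldots, t_n)$. It computes $\boldsymbol{s} = T_1 - \boldsymbol{t} S^{\mathsf{T}}$. If $\boldsymbol{s} = 0$, output $J := \emptyset$; otherwise, do the following.

1) $D \leftarrow \{1, 2, \ldots, n\}$, $L \leftarrow \{1, 2, \ldots, 2^{\ell+1} - 1\}$.
2) By using $\boldsymbol{s}$ and $\Sigma$, compute $\sigma = \boldsymbol{e} \Sigma^{\mathsf{T}}$, where $\boldsymbol{e}$ is an error-vector such that $\boldsymbol{s} = \boldsymbol{e} S^{\mathsf{T}}$.
3) For $1 \leq i \leq 2^{\ell+1} - 1$, do the following: If $\sigma_i = 0$, set $D \leftarrow D \setminus \{j_{i,1}, \ldots, j_{i,w_i}\}$ and $L \leftarrow L \setminus \{i\}$, where $j_{i,1}, \ldots, j_{i,w_i}$ are integers such that $\Sigma_{i,j_{i,1}} = \cdots = \Sigma_{i,j_{i,w_i}} = 1$ in the $i$-th row of $\Sigma$.
4) Compute $\boldsymbol{t}'$ as in the aggregation process. Compute $\boldsymbol{g} = T_2 - \boldsymbol{t}' G^{\mathsf{T}} = e' G^{\mathsf{T}}$. By using $\boldsymbol{g}$ and $\Gamma$, compute $\gamma = e' \Gamma^{\mathsf{T}}$.
5) For each $1 \leq i \leq 2^{\ell+1} - 1$, let $\sigma_i' \in \{0,1\}^{g}$ be the last $g$ bits of $\sigma_i$, and regard $\sigma_i' \in GF(2^{g})$. Compute $D' = \{ j \mid \Sigma_{i,j} \alpha^{j-1} \sigma_i' = \gamma_i \text{ for } i \in L \text{ and } j \in D \}$.
6) Output a list $J$ consisting of all $id_j$ with $j \in D'$.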
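
A toy run of the Agg and TVrfy procedures on slides 9 and 10, added here as an illustration and not taken from the authors' implementation. Assumptions: code order 4 (16 devices, reported by 0-based index instead of ID), F is HMAC-SHA256 truncated to 128 bits, the field is GF(2^32) built on x^32 + x^22 + x^2 + x + 1 with x as the element multiplying the columns, step 5 is read as "some remaining row that contains the device satisfies the equation", and `refine` is a hypothetical switch that stops after step 3.

```python
import hashlib, hmac
from functools import reduce
from operator import xor

ELL, GBITS, N = 4, 32, 16              # code order, field width, n = 2^ELL devices
MASK = (1 << GBITS) - 1                # keeps the last GBITS bits of a tag
POLY = (1 << 32) | (1 << 22) | 0b111   # x^32 + x^22 + x^2 + x + 1 (assumed field polynomial)

def gf_mul(a, b):
    """Multiply two elements of GF(2^GBITS), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> GBITS:
            a ^= POLY
    return r

# Generator matrix S of the biorthogonal code: column j is (1, bits of j).
S = [[1] * N] + [[(j >> r) & 1 for j in range(N)] for r in range(ELL)]
ALPHA = [1 << j for j in range(N)]     # alpha^j with alpha = x; no reduction needed for j < GBITS

def tag(key, msg):                     # F = HMAC-SHA256 truncated to 128 bits (assumption)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:16], "big")

def agg(tags):
    fold = lambda vals, row: reduce(xor, (v for v, b in zip(vals, row) if b), 0)
    scaled = [gf_mul(ALPHA[j], t & MASK) for j, t in enumerate(tags)]
    return [fold(tags, row) for row in S], [fold(scaled, row) for row in S]

def tvrfy(keys, msgs, T, refine=True):
    t1, t2 = agg([tag(k, m) for k, m in zip(keys, msgs)])
    s = [a ^ b for a, b in zip(T[0], t1)]          # syndrome of the full tags
    g = [a ^ b for a, b in zip(T[1], t2)]          # syndrome of the field elements
    if not any(s):
        return []
    D, live = set(range(N)), []
    for x in range(1, 2 * N):                      # every nonzero codeword x*S (a row of Sigma)
        pick = [r for r in range(ELL + 1) if x >> r & 1]
        row = [sum(S[r][j] for r in pick) & 1 for j in range(N)]
        sigma = reduce(xor, (s[r] for r in pick), 0)
        if sigma == 0:                             # step 3: every device in this row is valid
            D -= {j for j in range(N) if row[j]}
        else:
            live.append((row, sigma & MASK, reduce(xor, (g[r] for r in pick), 0)))
    if refine:                                     # step 5: keep j only if a live row confirms it
        D = {j for j in D if any(r[j] and gf_mul(ALPHA[j], sg) == gm for r, sg, gm in live)}
    return sorted(D)
```

With the messages of devices 1, 2 and 4 altered after aggregation, `tvrfy(..., refine=False)` still leaves device 7 as a suspect, because its column is the sum of the three invalid columns and no all-valid row covers it; the field check of step 5 removes it and returns `[1, 2, 4]`. The aggregate tag here is 5 entries of 128 bits plus 5 entries of 32 bits, against 16 tags of 128 bits.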

SLIDE 11

LB on detecting probability of our AMAD

  • Theorem. For an integer $1 \leq d \leq \ell$, the lower bound of detecting probability $P(\ell, d)$ in our AMAD construction is given by

$P(\ell, d) \geq P_F(d, d, n) + P_G(d, n)$,

where the function $P_F$ is defined by $P_F(t, r, n) = F(t, r, n) / \binom{n}{t}$, $P_G(t, n) := G(t, n) / \binom{n}{t}$, and $G(t, n)$ meets the following relationships:

(1) $G(t, n) = \frac{1}{t} F(t-1, t-1, n) \times \binom{t-1}{3} + \frac{1}{t} G(t-1, n) \left( n - \sum_{i=1,\, i:\mathrm{odd}}^{t-2} \binom{t-2}{i} \right)$ if $t \geq 5$,

(2) $G(4, n) = \frac{1}{4} F(3, 3, n)$.

SLIDE 12

Comparison

| Scheme | Compression rate = "size of aggregation tag" / "size of all MAC tags" | Detecting probability | Explanation |
|---|---|---|---|
| [HS18] | $u/n$ | 1 | $u \times n$ disjunct matrices were generated by the algorithm [Mieg06]. |
| [MK19] | $3^{s}/(2^{2s} + 2^{s})$ | 1 | $s$ is a positive integer, and disjunct matrices are compressed by the property of quasi-cyclic LDPC codes. |
| Ours | $(g + t)(\ell + 1)/(gn)$ | $\geq P_F(d, d, n) + P_G(d, n)$ | Disjunct matrices are compressed by the property of biorthogonal codes. |

Suppose that $n$ is the number of devices of which there are at most $d$ invalid ones, $t$ (= 128) is the bit-length of MAC tags, and $g$ (= 32) is the bit-length of elements in $GF(2^{g})$ used in our AMAD.

| Scheme | Parameters | Comp. rate | Det. prob. |
|---|---|---|---|
| [HS18] | $n = 100$, $d = 6$ | 0.77 | 1.0 |
| [HS18] | $n = 1000$, $d = 9$ | 0.361 | 1.0 |
| [MK19] | $n = 272$, $d = 15$ | 0.298 | 1.0 |
| [MK19] | $n = 1056$, $d = 31$ | 0.230 | 1.0 |
| Ours | $n = 128$, $d = 6$ | 0.078 | 0.99 |
| Ours | $n = 256$, $d = 7$ | 0.044 | 0.97 |
| Ours | $n = 1024$, $d = 9$ | 0.013 | 0.91 |
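
The recursions from the theorems on slides 8 and 11, evaluated exactly for the three "Ours" parameter sets of the comparison; this is an added example, not the authors' code. Assumptions: all function names are hypothetical, the equal-arguments and base cases of slide 8 are folded into the general recursion (they are the same rule with a zero second term), the slide-11 function is taken as 0 below its first defined argument 4, and the compression rate is computed directly from the tag sizes of slide 10 with MAC tags of 128 bits and field elements of 32 bits.

```python
from fractions import Fraction
from functools import lru_cache
from math import comb

def odd_sum(r):
    """Sum of C(r, i) over odd i in 1..r, the bracketed sums in both theorems."""
    return sum(comb(r, i) for i in range(1, r + 1, 2))

@lru_cache(maxsize=None)
def F(t, r, n):
    """Slide 8: number of ways to choose t of the n columns so that their rank is r."""
    if r < 1 or r > t:
        return Fraction(0)
    if t == 1:
        return Fraction(n)
    grow = F(t - 1, r - 1, n) * (n - odd_sum(r - 1))   # last column raises the rank
    stay = F(t - 1, r, n) * (odd_sum(r) - (t - 1))     # last column keeps the rank
    return (grow + stay) / t

@lru_cache(maxsize=None)
def G(t, n):
    """Slide 11 recursion; the slide defines it from t = 4 upward."""
    if t == 4:
        return F(3, 3, n) / 4
    return (F(t - 1, t - 1, n) * comb(t - 1, 3) + G(t - 1, n) * (n - odd_sum(t - 2))) / t

def detect_lower_bound(ell, d):
    """Lower bound on the detecting probability for n = 2^ell devices, at most d invalid."""
    n = 2 ** ell
    return (F(d, d, n) + (G(d, n) if d >= 4 else 0)) / comb(n, d)

def compression_rate(ell, tag_bits=128, field_bits=32):
    """(ell+1) full-tag entries plus (ell+1) field entries, over n individual tags."""
    return Fraction((tag_bits + field_bits) * (ell + 1), tag_bits * 2 ** ell)
```

`detect_lower_bound(7, 6)`, `(8, 7)` and `(10, 9)` evaluate to about 0.991, 0.971 and 0.911, and `compression_rate` gives about 0.078, 0.044 and 0.013 for the same code orders, which are the values listed for 128, 256 and 1024 devices.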

SLIDE 13

Conclusion

We have shown the following:
1. Analysis of disjunctness for biorthogonal codes: If $S$ is a generator matrix of a biorthogonal code, the resulting matrix $\Sigma$ is an almost disjunct matrix: 2-disjunct and $d$-almost disjunct with $3 \leq d \leq \log n$ (i.e., $d = O(\log n)$), where $n$ is the number of columns in the matrix.
2. Extension of AMAD construction in [HS18]: For constructing AMAD from the almost disjunct matrix $\Sigma$ above, we extended the construction of [HS18] to reduce error-probability of detection for almost disjunct matrices.
3. Performance of our AMAD construction: Our AMAD from biorthogonal codes achieved a compression rate better than the other existing constructions [HS18], [MK19].