
Aggregate Message Authentication Codes with Detecting Functionality



  1. IEEE ISIT 2020. Aggregate Message Authentication Codes with Detecting Functionality from Biorthogonal Codes. Yoshinori Ogawa*, Shingo Sato**, Junji Shikata*, Hideki Imai***. *Yokohama National University, Japan; **NICT, Japan; ***Japan Datacom Co., Ltd., Japan

  2. Background: What is a problem?
     - The number of IoT devices is increasing, and there will be an enormous number of devices connected to networks including 5G in the near future.
     - Even in such a situation, it is required to realize efficient communications or data transmissions in an authenticated manner in the network.
     [Figure: One-to-one authenticated communication by MACs. Each of IoT devices 1, ..., n runs tag generation on its data and sends authenticated data to the receiver, which verifies each one (OK/NG). Total amount of transmitted data is large: "Number of MAC_tag" ∝ n.]

  3. Aggregate Message Authentication Code (Having Detecting Functionality)
     - [KL08] proposed the aggregate message authentication code (AMAC): AMAC can compress MAC tags on multiple messages into a short aggregate-tag.
     - [HS18] proposed AMAC with detecting functionality (AMAD): AMAD is an AMAC that can detect an invalid message even if a verification algorithm outputs NG.
     [Figure: IoT devices 1, ..., n each run tag generation on their data; the authenticated data are aggregated, and the receiver verifies the aggregated data (OK/NG). ★ Total amount of transmitted data is small.]

  4. Our Purpose and Related Work
     Proposing construction of practical AMAD from error-correcting codes. The essential point is to reduce the number of rows for disjunct matrices.
     - [HS18] utilized disjunct matrices for constructing AMAD.
       - Merit: Construction is very simple.
       - Demerit: There is a theoretical limitation on the number of rows for disjunct matrices, by which we cannot reduce the size of tags drastically.
     - [MK19] designed disjunct matrices from quasi-cyclic LDPC codes using finite geometry.
       - Merit: The resulting matrix achieved high disjunctness and its description requires less memory by using the quasi-cyclic property (i.e., we do not need to store a whole disjunct matrix).
       - Demerit: Disjunctness d = O( n) is determined from the number n of columns, and there is no solution to reduce the number of rows for smaller d.

  5. Our Approach and Contribution
     - Approach: Suppose that $S$ is a generator matrix of a binary error-correcting code having size $k \times n$. Then, let $\Sigma$ be a $(2^k - 1) \times n$ matrix obtained by arranging all codewords in its rows except the zero-vector. Then, design a matrix $S$ such that $\Sigma$ is an almost disjunct matrix. In particular, we consider a generator matrix $S$ of biorthogonal codes.
     - Contribution:
       1. Analysis of disjunctness for biorthogonal codes
       2. Extension of AMAD construction in [HS18]
       3. Evaluation on performance of our AMAD construction

  6. (Almost) Disjunct Matrices
     Definition. A $u \times n$ binary matrix $G$ is a $d$-disjunct matrix if, for arbitrary $d + 1$ columns selected from the matrix, the resulting $u \times (d + 1)$ matrix contains all the unit vectors with length $d + 1$ in its rows.
     Definition. A $u \times n$ binary matrix $G$ is said to be a $(d, p)$-almost-disjunct matrix if the following conditions are satisfied: Let $s$ be the number of selecting $d + 1$ columns of $G$, $\{g_{i_1}, g_{i_2}, \ldots, g_{i_{d+1}}\}$, such that the matrix $(g_{i_1}, g_{i_2}, \ldots, g_{i_{d+1}})$ contains all the unit vectors with length $d + 1$ in its rows. Then, we define $p = s / \binom{n}{d+1}$.
     Remark. $d$-disjunctness implies $(d, 1)$-almost-disjunctness.

  7. Biorthogonal code and its disjunctness (1/2)
     Definition.
     - Let $C_\ell$ be an extended binary Hamming code having length $n = 2^\ell$, dimension $k = 2^\ell - 1 - \ell$, and minimum distance $d_{min} = 4$.
     - Let $C_\ell^\perp$ be the dual of $C_\ell$, and it is called an $\ell$-order biorthogonal code.
     $C_\ell^\perp$ has length $n = 2^\ell$, dimension $k = \ell + 1$, and minimum distance $d_{min} = n/2 = 2^{\ell-1}$. More precisely, the code contains the all 0s vector, the all 1s vector, and $2n - 2$ vectors of weight $n/2$.

  8. Biorthogonal code and its disjunctness (2/2)
     Theorem. Suppose that $S$ is a generator matrix of an $\ell$-order biorthogonal code $C_\ell^\perp$ with code length $n = 2^\ell$. Then, let $\Sigma$ be a matrix obtained from $S$ by arranging all codewords in its rows except the zero-vector. Then, $(d, p)$-almost-disjunctness of $\Sigma$ is shown as follows: $p = P_F(d + 1, d + 1, n)$, where $P_F(t, r, n) = F(t, r, n) / \binom{n}{t}$ and $F(t, r, n)$ is the number of all $t$ combinations for choosing $t$ columns from $n$ columns in $S$ such that the rank of $S$ is $r$. In addition, $F(t, r, n)$ is computed as follows:
     (1) $F(t, r, n) = \frac{1}{t} F(t-1, r-1, n) \left( n - \sum_{i=1,\, i:\mathrm{odd}}^{r-1} \binom{r-1}{i} \right) + \frac{1}{t} F(t-1, r, n) \left( \sum_{i=1,\, i:\mathrm{odd}}^{r} \binom{r}{i} - (t-1) \right)$ if $t > r$,
     (2) $F(t, t, n) = \frac{1}{t!} \prod_{i=1}^{t} \left( n - \sum_{j=1,\, j:\mathrm{odd}}^{i-1} \binom{i-1}{j} \right)$ if $t \ge 2$,
     (3) $F(1, 1, n) = n$.
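The closed form (2)-(3) on slide 8 can be checked against a direct enumeration over the columns of Σ. This is an added example, not code from the presentation; it assumes the standard generator matrix whose column j is (1, binary digits of j), and all function names are illustrative.

```python
from itertools import combinations
from math import comb, factorial

def odd_binomial_sum(m):
    """Sum of C(m, j) over odd j in 1..m (0 when m = 0)."""
    return sum(comb(m, j) for j in range(1, m + 1, 2))

def F_full_rank(t, n):
    """Closed form (2)/(3): number of t-column subsets of S that have rank t."""
    prod = 1
    for i in range(1, t + 1):
        prod *= n - odd_binomial_sum(i - 1)
    return prod // factorial(t)

def count_unit_vector_subsets(ell, size):
    """Brute force: `size`-column subsets of Sigma whose rows contain every unit vector."""
    n = 2 ** ell
    cols = [(j << 1) | 1 for j in range(n)]      # column j of S packed as bits (1, j); assumed layout
    units = {tuple(int(a == b) for b in range(size)) for a in range(size)}
    count = 0
    for subset in combinations(cols, size):
        # Restrict every non-zero codeword c*S to the chosen columns.
        rows = {tuple(bin(c & col).count("1") & 1 for col in subset)
                for c in range(1, 2 * n)}
        count += units <= rows
    return count

def almost_disjunctness(ell, d):
    """p in the (d, p)-almost-disjunctness of Sigma, from the closed form."""
    n = 2 ** ell
    return F_full_rank(d + 1, n) / comb(n, d + 1)
```

For ℓ = 3 the matrix is fully 2-disjunct (p = 1 for d = 2), while for d = 3 only 56 of the 70 four-column subsets qualify, giving p = 0.8.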

  9. Our Construction of AMAD (1/2)
     Suppose that:
     - A MAC function $F$ is given; and
     - $S = (S_{i,j})$ is a generator matrix of a biorthogonal code having $(n, k, d_{min}) = (2^\ell, \ell + 1, 2^{\ell-1})$ with $\ell \ge 3$.
     - $\Sigma$ is a matrix whose rows consist of all codewords generated by $S$ except for the zero-vector.
     - $G$ is an $(\ell + 1) \times n$ matrix with entries in $GF(2^g)$ and its $i$-th row $G_i$ is given by $G_i = (S_{i,1}, \alpha S_{i,2}, \alpha^2 S_{i,3}, \ldots, \alpha^{n-1} S_{i,n})$, where $\alpha$ is a primitive element of $GF(2^g)$.
     - $\Gamma$ is a $(2^{\ell+1} - 1) \times n$ matrix whose rows consist of all codewords generated by $G$ except for the zero-vector.
     Then, AMAD = (KGen, Tag, Agg, TVrfy) is constructed as follows.
     - Key Generation. $K_{id} \leftarrow \mathrm{KGen}(1^\lambda, id)$: For each $id$, generate a random key $K$, and set $K_{id} := (id, K)$.
     - Tagging. $t \leftarrow \mathrm{Tag}(K_{id}, m)$: For a pair of an ID and a message $(id, m)$ and $K_{id} := (id, K)$, define $t \leftarrow F(K, m)$.

  10. Our Construction of AMAD (2/2)
      - Aggregation. $T \leftarrow \mathrm{Agg}((id_1, m_1, t_1), \ldots, (id_n, m_n, t_n))$: For $\boldsymbol{t} = (t_1, \ldots, t_n)$, it computes $T_1 = \boldsymbol{t} S^T$. For each $1 \le i \le n$, let $t_i' \in \{0,1\}^g$ be the last $g$ bits of $t_i$, and regard $t_i' \in GF(2^g)$. Set $\boldsymbol{t}' = (t_1', \ldots, t_n')$. It computes $T_2 = \boldsymbol{t}' G^T$. Then, output $T := (T_1, T_2)$.
      - Verification. $J \leftarrow \mathrm{TVrfy}((K_1, \ldots, K_n), ((id_1, m_1), \ldots, (id_n, m_n)), T)$: For each $1 \le i \le n$, compute $t_i \leftarrow \mathrm{Tag}(K_{id_i}, m_i)$, and set $\boldsymbol{t} = (t_1, \ldots, t_n)$. It computes $\boldsymbol{s} = T_1 - \boldsymbol{t} S^T$. If $\boldsymbol{s} = 0$, output $J := \emptyset$; otherwise, do the following.
        1) $D \leftarrow \{1, 2, \ldots, n\}$, $L \leftarrow \{1, 2, \ldots, 2^{\ell+1} - 1\}$.
        2) By using $\boldsymbol{s}$ and $\Sigma$, compute $\sigma = \boldsymbol{e} \Sigma^T$, where $\boldsymbol{e}$ is an error-vector such that $\boldsymbol{s} = \boldsymbol{e} S^T$.
        3) For $1 \le i \le 2^{\ell+1} - 1$, do the following: If $\sigma_i = 0$, set $D \leftarrow D \setminus \{j_{i,1}, \ldots, j_{i,w_i}\}$ and $L \leftarrow L \setminus \{i\}$, where $j_{i,1}, \ldots, j_{i,w_i}$ are integers such that $\Sigma_{i,j_{i,1}} = \cdots = \Sigma_{i,j_{i,w_i}} = 1$ in the $i$-th row of $\Sigma$.
        4) Compute $\boldsymbol{t}'$ as in the aggregation process. Compute $\boldsymbol{g} = T_2 - \boldsymbol{t}' G^T = \boldsymbol{e}' G^T$. By using $\boldsymbol{g}$ and $\Gamma$, compute $\gamma = \boldsymbol{e}' \Gamma^T$.
        5) For each $1 \le i \le 2^{\ell+1} - 1$, let $\sigma_i' \in \{0,1\}^g$ be the last $g$ bits of $\sigma_i$, and regard $\sigma_i' \in GF(2^g)$. Compute $D' = \{ j \mid \Sigma_{i,j}\, \alpha^{j-1} \sigma_i' = \gamma_i \text{ for } i \in L \text{ and } j \in D \}$.
        6) Output a list $J$ consisting of all $id_j$ with $j \in D'$.
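Tag, the T_1 half of Agg, and steps 1 to 3 of TVrfy from slides 9 and 10, as an added example that is not code from the presentation. It assumes HMAC-SHA256 as the MAC function F, ℓ = 3 (n = 8 devices, indexed from 0 here), and constructed keys and messages; the GF(2^g) stage of steps 4 to 6 is omitted.

```python
import hashlib
import hmac
from itertools import product

ELL = 3                      # order l of the biorthogonal code (small, for the demo)
N = 2 ** ELL                 # code length n = number of devices
# Generator matrix S: all-ones row plus the l bit-rows, so column j is (1, bits of j).
S = [[1] * N] + [[(j >> b) & 1 for j in range(N)] for b in range(ELL)]
# Row i of Sigma is the codeword c*S for the i-th non-zero coefficient vector c.
COEFFS = [c for c in product((0, 1), repeat=ELL + 1) if any(c)]
SIGMA = [[sum(ci * S[r][j] for r, ci in enumerate(c)) % 2 for j in range(N)]
         for c in COEFFS]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def select_xor(bits, blocks):
    """Inner product over GF(2) of a binary vector with a vector of 32-byte blocks."""
    acc = bytes(32)
    for bit, blk in zip(bits, blocks):
        if bit:
            acc = xor(acc, blk)
    return acc

def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()   # F = HMAC-SHA256 (assumption)

def agg(tags):
    return [select_xor(row, tags) for row in S]          # T_1 = t S^T: l+1 blocks, not n

def tvrfy_stage1(keys, msgs, t1):
    tags = [tag(k, m) for k, m in zip(keys, msgs)]
    s = [xor(a, b) for a, b in zip(t1, agg(tags))]       # s = T_1 - t S^T = e S^T
    if not any(any(blk) for blk in s):
        return set()                                     # everything verifies
    cand = set(range(N))                                 # the set D of step 1
    for c, row in zip(COEFFS, SIGMA):
        sigma_i = select_xor(c, s)                       # (e Sigma^T)_i = c . s by linearity
        if not any(sigma_i):                             # step 3: clear this row's support
            cand -= {j for j in range(N) if row[j]}
    return cand

def demo(tampered):
    keys = [bytes([i]) * 16 for i in range(N)]           # constructed sample keys
    msgs = [b"reading-%d" % i for i in range(N)]         # constructed sample messages
    t1 = agg([tag(k, m) for k, m in zip(keys, msgs)])
    received = [m + b"!" if i in tampered else m for i, m in enumerate(msgs)]
    return tvrfy_stage1(keys, received, t1)
```

`demo({2, 5})` returns exactly the two altered positions, while `demo({1, 2, 4})` returns `{1, 2, 4, 7}`: column 7 is the GF(2) sum of the other three, so no row of Σ separates it and it stays in D for steps 4 to 6 to filter.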

  11. LB on detecting probability of our AMAD
      Theorem. For an integer $1 \le d \le \ell$, the lower bound of detecting probability $P(\ell, d)$ in our AMAD construction is given by $P(\ell, d) \ge P_F(d, d, n) + P_G(d, n)$, where the function $P_F$ is defined by $P_F(t, r, n) = F(t, r, n) / \binom{n}{t}$, $P_G(t, n) := G(t, n) / \binom{n}{t}$, and $G(t, n)$ meets the following relationships:
      (1) $G(t, n) = \frac{1}{t} F(t-1, t-1, n) \times \binom{t-1}{3} + \frac{1}{t} \left( n - \sum_{i=1,\, i:\mathrm{odd}}^{t-2} \binom{t-2}{i} \right) G(t-1, n)$ if $t \ge 5$,
      (2) $G(4, n) = \frac{1}{4} F(3, 3, n)$.
