A Generic Message Authentication Code: A combination of the Inter MAC and Carter-Wegman MAC

05/10/2020
by   Chi Tran, et al.

A Message Authentication Code (MAC) is a method for providing integrity and authenticity assurances on a message by allowing the receiver to detect any change to the message content. In this paper, we present a generic MAC named InterCW-MAC which prevents replay attacks and which can deal with an untrusted receiver who may try to recover the sender's secret keys.


1 Introduction

Consider a scenario in which a sender owns a message and wants to send it to a receiver. Because the message can be modified or lost in transit, the receiver would like to check whether it is intact. A MAC provides integrity and authenticity assurances on the message by allowing the receiver (who also possesses the sender's shared secret key) to detect any change to the message content. A MAC consists of a tuple of algorithms (, , ) as follows:

  • : The sender runs this algorithm which inputs a security parameter , and outputs a secret key . The sender then sends to the receiver via a secure channel.

  • : The sender runs this algorithm which inputs and a message , and outputs a tag .

  • : The receiver runs this algorithm which inputs , and , and outputs 1 if is a valid tag and 0 otherwise.

Definition 1

A MAC is an additive homomorphic MAC if it satisfies:

(1)
Definition 2

A MAC is a multiplicative homomorphic MAC if it satisfies:

(2)

1.1 Inner-product MAC

The simplest additive MAC is the inner-product MAC. This MAC consists of the following algorithms:

  • : The sender runs this algorithm which inputs a security parameter , and outputs a secret key where denotes a -dimensional finite field of a prime order . The sender then shares to the receiver via a secure channel.

  • : The sender runs this algorithm which inputs and a message , and outputs a tag such that:

    (3)

    The sender then transmits to the receiver.

  • : The receiver runs this algorithm which inputs and checks if:

    (4)

    The algorithm outputs 1 if the equality holds ( is a valid tag) and outputs 0 otherwise.

Theorem 1.1

The inner-product MAC is an additive homomorphic MAC.

Proof

1.1.1 Security Analysis.

The inner-product MAC is secure against brute-force key search if is chosen large enough. This is because , the probability of finding via a brute-force search is . If is chosen large enough (e.g., 160 bits), the probability is , which is negligible.

However, this MAC is not secure against replay attacks, as the following exchange shows:

  • In the first transmission:

    • The sender sends to the receiver.

    • The attacker captures and when they are transmitted.

    • The receiver verifies by checking whether . Suppose the equality holds ( is intact); the receiver then outputs 1.

  • In the next transmission:

    • The sender sends to the receiver.

    • The attacker re-uses the old message and the old tag . It is clear that:

      (5)
    • The attacker drops and sends to the receiver.

    • The receiver verifies by checking whether . This equality holds because of Eq. 5, so the receiver cannot detect that the message was replaced.

1.2 Carter-Wegman MAC

To address the replay attack, which is a drawback of the inner-product MAC, the Carter-Wegman MAC [1, 3] adds a pseudorandom function. This MAC consists of the following algorithms:

  • : The sender runs this algorithm which inputs a security parameter , and outputs a secret key , which is used for tagging the message , and a secret key , which is used for permuting the tag. After that, the sender shares to the receiver via a secure channel.

  • : The sender runs this algorithm which inputs the message and , and outputs a tag such that:

    (6)

    where denotes a random value and denotes a pseudorandom function such that ( is the space of and is the space of ). The sender then transmits to the receiver. Note that (i) can be public, and (ii) is regenerated every transmission and is transmitted to the receiver via a secure channel like the keys (or is chosen large enough).

  • : The receiver runs this algorithm which inputs and checks if:

    (7)

    The algorithm outputs 1 if the equality holds ( is a valid tag), and outputs 0 otherwise.

1.2.1 Security Analysis.

As with the inner-product MAC, the keys of the Carter-Wegman MAC cannot be recovered by brute-force search if and are chosen large enough. Furthermore, the Carter-Wegman MAC is secure against the replay attack:

  • In the first transmission:

    • The sender sends to the receiver.

    • The attacker captures and when they are transmitted.

    • The receiver verifies by checking whether . Suppose the equality holds (which means that is intact); the receiver then outputs 1.

  • In the next transmission:

    • The sender sends to the receiver.

    • The attacker re-uses the old message and the old tag . It is clear that:

      (8)
    • The attacker drops and sends to the receiver.

    • The receiver verifies by checking whether . This equality does not hold because of Eq. 8, so the receiver outputs 0.
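As an added illustration (not code from the paper), the inner-product MAC of Section 1.1 and the Carter-Wegman MAC of Section 1.2 over a toy prime field, with the replay scenario from the two security analyses run against both; the prime, the HMAC-SHA256 instantiation of the pseudorandom function, and the sample message are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Toy field F_p (constructed for this example; the paper only asks for a prime
# "chosen large enough", e.g. 160 bits). 2^127 - 1 is prime.
P = 2**127 - 1

def inner(k, m):
    """Inner product <k, m> over F_p for equal-length vectors."""
    assert len(k) == len(m)
    return sum(ki * mi for ki, mi in zip(k, m)) % P

def keygen(n):
    """Secret key k drawn uniformly from F_p^n."""
    return [secrets.randbelow(P) for _ in range(n)]

def ip_tag(k, m):
    """Inner-product MAC (Eq. 3): t = <k, m>."""
    return inner(k, m)

def ip_verify(k, m, t):
    """Eq. 4: accept iff <k, m> == t. Nothing binds t to a transmission,
    so an old (m, t) pair stays valid forever."""
    return ip_tag(k, m) == t

def prf(k2, r):
    """PRF f: K x R -> F_p. HMAC-SHA256 is this example's instantiation
    (assumption; the paper leaves f abstract)."""
    d = hmac.new(k2, r.to_bytes(16, "big"), hashlib.sha256).digest()
    return int.from_bytes(d, "big") % P

def cw_tag(k1, k2, m, r):
    """Carter-Wegman tag (Eq. 6): t = <k1, m> + f(k2, r), r fresh per transmission."""
    return (inner(k1, m) + prf(k2, r)) % P

def cw_verify(k1, k2, m, r, t):
    """Eq. 7: recompute with the r the receiver expects for this transmission."""
    return cw_tag(k1, k2, m, r) == t

def replay_check():
    """Present the first transmission's (m, t) again in the second one
    (Sections 1.1.1 and 1.2.1). Returns (inner-product accepts, Carter-Wegman accepts)."""
    k1, k2 = keygen(4), secrets.token_bytes(32)
    m_old, r_old, r_new = [1, 2, 3, 4], 1, 2
    t_ip, t_cw = ip_tag(k1, m_old), cw_tag(k1, k2, m_old, r_old)
    return ip_verify(k1, m_old, t_ip), cw_verify(k1, k2, m_old, r_new, t_cw)
```

The Carter-Wegman check fails on the replay with probability 1 - 1/p, since the old tag is bound to f(k2, r_old) while the receiver recomputes with r_new.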

1.3 Inter MAC

Most MACs consider a scenario in which the sender sends a message along with the corresponding tag to the receiver, and the receiver checks whether the message is intact using a key shared with the sender. However, the receiver may be untrusted, in which case the sender should not share his/her secret key with the receiver. To address this problem, the inter MAC has been proposed [4, 11, 12, 2, 7] as follows:

  • : The sender runs this algorithm which inputs a security parameter and a message , and outputs secret keys where . The sender then computes , and sends to the receiver.

  • : The sender runs this algorithm which inputs the message and the secret key , and outputs a tag such that:

    (9)

    The sender then transmits to the receiver.

  • : The receiver runs this algorithm which inputs and checks if:

    (10)

    The algorithm outputs 1 if the equality holds ( is a valid tag) and outputs 0 otherwise.

Theorem 1.2

The inter MAC is an additive homomorphic MAC.

Proof

1.3.1 Security Analysis.

Given , which is the summation , the receiver cannot obtain the sender's secret keys and . This is because , the probability for an attacker to find (or ) via a brute-force search and then to obtain (or ) is . If is chosen large enough (e.g., 160 bits), the probability of finding and is , which is negligible. However, like the inner-product MAC, the inter MAC is not secure against replay attacks.

2 The Proposed InterCW-MAC

The InterCW-MAC combines the Carter-Wegman MAC and the inter MAC. It is proposed to deal with the two problems the Carter-Wegman MAC and the inter MAC each address only one of: preventing the replay attack and preventing the untrusted receiver from learning the sender's secret key.

2.1 Construction

The InterCW-MAC consists of the following algorithms:

  • : The sender runs this algorithm which inputs a security parameter , and outputs a secret key which is used for tagging the message , and a key which is used for permuting the tag. The sender then computes . The sender sends and to the receiver via a secure channel.

  • : The sender runs this algorithm which inputs a message and , and outputs a tag such that:

    (11)

    where denotes a random value and denotes a pseudorandom function such that ( is the space of and is the space of ). The sender then transmits to the receiver. Note that (i) can be public, and (ii) is regenerated every transmission and is transmitted to the receiver via a secure channel like the keys (or is chosen large enough).

  • : The receiver runs this algorithm which inputs and checks if:

    (12)

    The algorithm outputs 1 if the equality holds ( is a valid tag), and outputs 0 otherwise.

2.2 Application of InterCW-MAC

We believe the InterCW-MAC can be applied in several scenarios. In this section, we describe an application of the InterCW-MAC in network coding-based distributed storage system.

2.2.1 Network coding-based distributed storage system.

Network coding has been applied to distributed storage systems [5, 6, 8, 9]. In this scenario, the system model consists of two types of entities: a client (trusted) and servers (untrusted). Suppose that a client owns an original file which consists of file blocks , where . The client wants to store redundantly encoded blocks in the servers in a way that allows the client to reconstruct the original file and to repair the encoded blocks in a corrupted server. From these file blocks, the client first creates augmented blocks , where has the following form:

(13)

The client then randomly chooses coding coefficients and computes coded blocks using the linear combination as follows:

(14)

The client then stores these coded blocks in the servers. To reconstruct the original file , any coded blocks suffice to solve for the augmented blocks using the accumulated coefficients contained in the last coordinates of each coded block. After these augmented blocks are solved, the file blocks are obtained from the first coordinates of each augmented block. Finally, the original file is reconstructed by concatenating the file blocks. Note that the matrix consisting of the coefficients used to construct any coded blocks must have full rank. Koetter et al. [10] proved that if the prime is chosen large enough and the coefficients are chosen randomly, the probability that the matrix has full rank is high.

2.2.2 Checking the data stored in the servers.

Because the servers may be untrusted, the client must check the servers periodically to ensure that his/her data stored in the servers is always available and intact. In this case, the client can use the same secret keys to tag and to verify.

However, when the client does not want to be burdened with checking the servers periodically, the client can delegate this task to another entity called the third party verifier (verifier for short), which may also be untrusted but is assumed not to collude with the servers. To deal with this scenario, we can apply the InterCW-MAC.

2.2.3 How to apply InterCW-MAC.

The InterCW-MAC can be applied to the above scenario as follows:

a)

: The client runs this algorithm which inputs a security parameter and the set of augmented blocks , and outputs secret keys as follows:

  • .

  • such that for all .

The client then computes . The client sends and to the verifier.

This introduces the challenge of how to generate such that it is orthogonal to all augmented blocks; formally, for all . The algorithm to generate is given as follows.

  • :

    • Find the span of .

    • Construct the matrix in which are the rows of .

    • Find the null-space of , denoted by

      , which is the set of all vectors

      such that .

    • Find the basis vectors of , denoted by // Theorem 2.1 will explain why the number of the basis vectors is .

    • Let

    • Compute .

  • : this is the sub-algorithm used in

    • Let be a Pseudorandom function such that .

    • Generate where .

    • Compute .

Theorem 2.1

Given , the number of basis vectors of is .

Proof

. Let be the space spanned by the rows of . For any matrix, the rank-nullity theorem gives:

(15)

where is the dimension of . Therefore,

(16)

In other words, the number of basis vectors of is . In the , we denoted the basis vectors by . ∎

b)

: The client runs this algorithm which inputs and where is the -th coded block in the -th server. is computed as a linear combination of using network coding: . The algorithm outputs the tag for such that:

(17)

for all , where denotes the server index and denotes the coded block index within a server. Suppose the number of servers is () and the number of coded blocks in a server is ().

c)

: The verifier runs this algorithm to check a server where . The algorithm inputs where and are the linear combinations of and , respectively. Namely, and . The algorithm checks if:

(18)

This algorithm outputs 1 if the equality holds ( is healthy), and outputs 0 otherwise.

The correctness of Eq. 18 is proved as follows:

Proof

= = = = = // because = =
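The key generation of Section 2.2.3 and the verification of Eq. 18, as an added example that is not the paper's code: the null-space basis is computed by reduced row echelon form over F_p (the paper does not prescribe a method), k2 is a random combination of that basis, and the verifier checks a coded block holding only k = k1 + k2. The pseudorandom-function term of Eq. 17 is left out to isolate the inter part; the prime and the sample augmented blocks are constructed for this example.

```python
import secrets

P = 2**61 - 1   # toy prime for F_p (constructed; the paper only says "chosen large enough")

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def nullspace_basis(rows):
    """Basis of {k : W k = 0} over F_p for the matrix W with the given rows, via
    reduced row echelon form: one vector per free column (Theorem 2.1: (n+m) - m = n)."""
    A = [[x % P for x in r] for r in rows]
    ncols, pivots, rank = len(A[0]), [], 0
    for col in range(ncols):
        piv = next((i for i in range(rank, len(A)) if A[i][col]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][col], -1, P)
        A[rank] = [x * inv % P for x in A[rank]]
        for i in range(len(A)):
            if i != rank and A[i][col]:
                f = A[i][col]
                A[i] = [(x - f * y) % P for x, y in zip(A[i], A[rank])]
        pivots.append(col)
        rank += 1
    basis = []
    for fc in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[fc] = 1                       # free variable set to 1, pivot variables solved
        for i, pc in enumerate(pivots):
            v[pc] = (-A[i][fc]) % P
        basis.append(v)
    return basis

def keygen(blocks):
    """Sec. 2.2.3 KeyGen: k1 random, k2 a random null-space element (orthogonal to
    every augmented block, hence to every coded block); the verifier receives only k1 + k2."""
    dim = len(blocks[0])
    k1 = [secrets.randbelow(P) for _ in range(dim)]
    k2 = [0] * dim
    for b in nullspace_basis(blocks):
        a = secrets.randbelow(P)
        k2 = [(x + a * y) % P for x, y in zip(k2, b)]
    return k1, k2, [(x + y) % P for x, y in zip(k1, k2)]

def tag(k1, c):
    return inner(k1, c)             # Eq. 17 without the PRF term: t = <k1, c>

def verify(k, c, t):
    return inner(k, c) == t         # Eq. 18: <k1 + k2, c> = <k1, c> since k2 is orthogonal to c
```

Because the tag is linear in c, the tag of a coded block 3*w1 + 5*w2 is 3*t1 + 5*t2, which is what lets the verifier check linear combinations served by a server.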

3 Future work

In the proposed InterCW-MAC, the verifier is given and . The probability that the verifier recovers each secret key by search is . This probability can be reduced if the verifier is instead given and . For future work, a potential solution is to design a pseudorandom function that is homomorphic (to suit network coding) and such that, given , and cannot be obtained.

References

  • [1] Carter J and Wegman M (1977) Universal classes of hash functions. In: Proceedings of the 9th ACM Symposium on Theory of Computing (STOC'77), pp. 106-112. DOI: https://doi.org/10.1145/800105.803400.
  • [2] Omote K and Thao TP (2016) D2-POR: Direct Repair and Dynamic Operations in Network Coding-based Proof of Retrievability. IEICE Transactions on Information and Systems, E99-D(4):816-829. DOI: https://doi.org/10.1587/transinf.2015ICP0014.
  • [3] Carter L and Wegman MN (1979) Universal Classes of Hash Functions. Journal of Computer and System Sciences, 18(2):143-154. DOI: https://doi.org/10.1016/0022-0000(79)90044-8.
  • [4] Le A and Markopoulou A (2012) On detecting pollution attacks in inter-session network coding. In: Proceedings of the 31st IEEE Conference on Computer Communications (INFOCOM'12), pp. 343-351.
  • [5] Dimakis A, Godfrey P, Wu Y, Wainwright M, and Ramchandran K (2010) Network coding for distributed storage systems. IEEE Transactions on Information Theory, 56(9):4539-4551.
  • [6] Chen B, Curtmola R, Ateniese G, and Burns R (2010) Remote Data Checking for Network Coding-based Distributed Storage Systems. In: Proceedings of the ACM Cloud Computing Security Workshop (CCSW'10), pp. 31-42.
  • [7] Omote K and Thao TP (2015) MD-POR: Multi-source and Direct Repair for Network Coding-based Proof of Retrievability. International Journal of Distributed Sensor Networks (IJDSN), vol. 2015, article ID 586720. DOI: https://doi.org/10.1155/2015/586720.
  • [8] Chen HCH, Hu Y, Lee PPC, and Tang Y (2014) NCCloud: A Network-Coding-Based Storage System in a Cloud-of-Clouds. IEEE Transactions on Computers, 63(1):31-44.
  • [9] Le A and Markopoulou A (2012) NC-Audit: Auditing for network coding storage. In: International Symposium on Network Coding (NetCod'12), pp. 155-160.
  • [10] Koetter R and Medard M (2003) An Algebraic Approach to Network Coding. IEEE/ACM Transactions on Networking (TON), 11(5):782-795.
  • [11] Thao TP and Omote K (2016) ELAR: Extremely Lightweight Auditing and Repairing for Cloud Security. In: Proceedings of the 32nd Annual Computer Security Applications Conference (ACSAC'16), pp. 40-51. ISBN: 978-1-4503-4771-6. DOI: https://doi.org/10.1145/2991079.2991082.
  • [12] Omote K and Thao TP (2015) DD-POR: Dynamic Operations and Direct Repair in Network Coding-based Proof of Retrievability. In: Proceedings of the 21st Annual International Computing and Combinatorics Conference (COCOON'15), pp. 713-730. Available: https://link.springer.com/chapter/10.1007/978-3-319-21398-9_56.