Aggregate message authentication codes

Question

1. What have the authors contributed in "Aggregate message authentication codes" ?

2. What could be used to improve the communication complexity in schemes such as those of [13] or?

3. What is the reason why the authors conclude that tag is a valid forgery?

4. What is the main idea behind the introduction of aggregate signatures?

Accepted Answer

The authors propose and investigate the notion of aggregate message authentication codes ( MACs ) which have the property that multiple MAC tags, computed by ( possibly ) different senders on multiple ( possibly different ) messages, can be aggregated into a shorter tag that can still be verified by a recipient who shares a distinct key with each sender.. The authors suggest aggregate MACs as an appropriate tool for authenticated communication in mobile ad-hoc networks or other settings where resource-constrained devices share distinct keys with a single entity ( such as a base station ), and communication is an expensive resource.

Accepted Answer

Aggregate MACs could also be used to improve the communication complexity in schemes such as those of [13] or [10] which deal with aggregation of data.

Accepted Answer

The authors conclude that tag is a valid forgery with probability only negligibly better than 2−n, and so the adversary cannot output a valid forgery except with negligible probability.

Accepted Answer

Aggregate signatures, introduced by Boneh et al. [5, 14], allow t distinct signatures by t (possibly different) signers on t (possibly different) messages to be aggregated into a shorter signature that still suffices to convince a verifier that each signer did indeed sign the appropriate message.

Accepted Answer

Assume that, for infinitely many values of n, an error of this type occurs with probability p(n) ≥ 1/4 (where the probability is over choice of k and x).

Accepted Answer

A receiver R who wants to receive authenticated messages from t senders begins by sharing uniform keys k1, . . . , kt ∈ {0, 1}n with each sender (i.e., key ki is shared with the sender with identity idi).

Accepted Answer

To verify the authenticity of any particular message mi, the verifier need only re-compute MAC tags for (at most) ℓ′ messages in total.

Accepted Answer

B’s procedure is such that B sets x′i = 0 iff there exists a subset of O(log ℓ) messages such that Vrfy accepts mi = 〈i〉‖0 relative to this subset.

Accepted Answer

Then run multiple instances of the “base aggregation scheme” from the previous section in parallel, but only aggregating at most ℓ′ messages/tags using any given instance.

Accepted Answer

A limitation of the construction given in the previous section is that the receiver must re-compute the (individual) MAC tags on all ℓ messages whose tags have been aggregated.

Accepted Answer

The existence of efficient aggregate MACs is somewhat surprising since, in the setting of aggregate signatures, algebraic (i.e., number-theoretic) properties of the underlying signature scheme are used to perform aggregation.

Accepted Answer

This is because the authors must have T = ω(log n) (otherwise an adversary can guess a valid MAC tag, in the underlying scheme, with non-negligible probability) and because ℓ, the number of aggregated MACs, can be at most polynomial in n (or else it does not make much sense to talk about security of the scheme).

Accepted Answer

The authors show how the aggregate MAC can be used to transmit an ℓ-bit message from one party to another, with low (constant) probability of error, by sending only T bits.

Accepted Answer

As perhaps the most compelling example, consider the problem of authenticated communication in a mobile ad-hoc network (MANET), where communication is considered an “expensive” resource because of its effect on the battery life of the nodes.

Accepted Answer

As for security, the authors have:Theorem 1 If (Mac,Vrfy) is existentially unforgeable under an adaptive chosen-message attack, then (Mac∗,Agg∗,Vrfy∗) given in Construction 1 is a secure aggregate message authentication code.

Accepted Answer

In this case, given tags tag1, . . . , tagℓ associated with message/identifier pairs (mi, i), respectively, the authors can aggregate these tags by simply computing the XOR of all the tag values; i.e.,tag = tag1 ⊕ tag2 ⊕ · · · ⊕ tagℓ.

Accepted Answer

Aggregate MAC (Mac,Agg,Vrfy) is secure if for all t = poly(n) and all probabilistic polynomial-time adversaries A, the probability that A succeeds in the above experiment is negligible.

Aggregate message authentication codes

Chat with Paper

AI Agents for this Paper

Most frequently asked questions

1. What have the authors contributed in "Aggregate message authentication codes" ?

2. What could be used to improve the communication complexity in schemes such as those of [13] or?

3. What is the reason why the authors conclude that tag is a valid forgery?

4. What is the main idea behind the introduction of aggregate signatures?

5. What is the probability of an error of this type?

6. What is the role of identifiers in a message?

7. How many MAC tags can be used to verify the authenticity of a message?

8. What is the procedure for B to set x′i?

9. How many instances of the MAC scheme can be used?

10. What is the limitation of the construction of aggregate MACs?

11. What is the reason for the existence of efficient aggregate MACs?

12. Why does the scheme not have a positive result?

13. What is the MAC used to transmit an l-bit message?

14. What is the compelling example of an aggregate signature?

15. What is the simplest way to verify the security of the algorithm?

16. What is the XOR of the tag values?

17. What is the probability that A succeeds in the experiment?

Citations

CiteSpace II: Detecting and visualizing emerging trends and transient patterns in scientific literature

Graph Evolution: Densification and Shrinking Diameters

Creativity in scientific teams: : Unpacking novelty and impact

Authentication Protocols for Internet of Things: A Comprehensive Survey

Security for 4G and 5G cellular networks

References

A digital signature scheme secure against adaptive chosen-message attacks

Aggregate and verifiably encrypted signatures from bilinear maps

Communication Complexity

Advances in Cryptology - EUROCRYPT 2004

SIA: secure information aggregation in sensor networks

Related Papers (5)

Aggregate and verifiably encrypted signatures from bilinear maps

Keying Hash Functions for Message Authentication

SIA: secure information aggregation in sensor networks

Secure hierarchical in-network aggregation in sensor networks

The Security of the Cipher Block Chaining Message Authentication Code