Sequential Aggregate MACs with Detecting Functionality Revisited

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11928)

Abstract

We revisit sequential aggregate message authentication codes with detecting functionality (SAMDs), in which aggregation is a keyless procedure. SAMDs enable us to compress multiple MAC-tags into a shorter aggregate tag and, once the aggregate tag is regarded as invalid, to identify the invalid messages or the invalid positions of messages. The SAMD is therefore an extended model of aggregate message authentication codes (AMACs) and sequential AMACs. In this paper, we propose a refined model of SAMDs: we classify SAMDs into two types, SAMD-MOBT and SAMD-MOAT, and formalize security notions for each model. Furthermore, we present generic constructions of SAMD-MOBT and SAMD-MOAT from any MAC, a cryptographic hash function, and a disjunct matrix. Our results show that SAMD-MOAT is more convenient than SAMD-MOBT; however, it is more difficult to construct an SAMD-MOAT that meets all the security notions defined in this paper. These results clarify suitable applications of SAMDs by taking into account both convenience and the achievable security levels.

References

  1. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)

  2. Du, D.Z., Hwang, F.K.: Combinatorial Group Testing and Its Applications. Series on Applied Mathematics, 2nd edn, vol. 12. World Scientific (2000)

  3. Eikemeier, O., et al.: History-free aggregate message authentication codes. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 309–328. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_20

  4. Hirose, S., Kuwakado, H.: Forward-secure sequential aggregate message authentication revisited. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 87–102. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12475-9_7

  5. Hirose, S., Shikata, J.: Non-adaptive group-testing aggregate MAC scheme. In: Su, C., Kikuchi, H. (eds.) ISPEC 2018. LNCS, vol. 11125, pp. 357–372. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99807-7_22

  6. Katz, J., Lindell, A.Y.: Aggregate message authentication codes. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 155–169. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_10

  7. Ma, D., Tsudik, G.: Extended abstract: forward-secure sequential aggregate authentication. In: IEEE Symposium on Security and Privacy, pp. 86–91. IEEE Computer Society (2007)

  8. Minematsu, K.: Efficient message authentication codes with combinatorial group testing. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 185–202. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_10

  9. Sato, S., Hirose, S., Shikata, J.: Generic construction of sequential aggregate MACs from any MACs. In: Baek, J., Susilo, W., Kim, J. (eds.) ProvSec 2018. LNCS, vol. 11192, pp. 295–312. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01446-9_17

  10. Sato, S., Hirose, S., Shikata, J.: Sequential aggregate MACs from any MACs: aggregation and detecting functionality. J. Internet Serv. Inf. Secur. 9(1), 2–23 (2019)

Acknowledgements

The authors would like to thank anonymous referees for their helpful comments. This research was conducted under a contract of Research and Development for Expansion of Radio Wave Resources funded by the Ministry of Internal Affairs and Communications, Japan.

Corresponding author

Correspondence to Shingo Sato.

Appendices

Appendix A: Cryptanalysis of [9] and [10]

Regarding sequential aggregate message authentication codes (SAMACs) with keyless aggregation, the hash-based SAMAC scheme of [9, 10], which we call \(\mathsf {HSAMAC}\), was proposed. The authors claim that if the underlying MAC scheme meets pseudorandomness, then \(\mathsf {HSAMAC}\) satisfies aggUF-CMA security. However, there is a counterexample: \(\mathsf {HSAMAC}\) can be broken in the aggUF-CMA game of [9, 10] because of the corrupt setting, even though the underlying MAC scheme meets pseudorandomness. In this setting, an adversary can issue some IDs to a corrupt oracle and obtain the corresponding secret keys before accessing the tagging oracle. The attack is as follows: the adversary obtains a secret key \(k_{id}\) by submitting a query id to the corrupt oracle, submits a message-sequence query \((\ldots ,m,\ldots )\) to the tagging oracle, and receives an aggregate tag \(\tau \). Then, he/she computes a MAC-tag t on the message m included in the queried sequence and finds a collision \(m^\prime \) such that \(t = Tag(k,m^\prime )\). Finally, the adversary submits the aggregate tag \(\tau \) together with the queried message sequence in which m is replaced by \(m^\prime \). Notice that although \(\mathsf {HSAMAC}\) may not be broken by this attack if the underlying MAC is NMAC/HMAC, the claim in [9, 10] is not correct in the sense that \(\mathsf {HSAMAC}\) obtained from an arbitrary pseudorandom MAC does not always fulfill the security.

However, it should be noted that \(\mathsf {HSAMAC}\) meets aggUF-CMA security without the corrupt setting. The security proof without the corrupt setting can be given in a way similar to that in [9, 10], simply without considering the corrupt oracle. In addition, its application to data partitioning considered in [9, 10] is still valid, since the corrupt setting need not be considered in that application.

As for SAMD schemes, the hash-based scheme was proposed in [10], and we call it \(\mathsf {HSAMD}\). This scheme meets the unforgeability defined in [10]. However, in the case where \(\mathsf {A}\) outputs a forgery including some invalid message/tag pairs, \(\mathsf {HSAMD}\) does not guarantee that the order of the valid message/tag pairs is unchanged. This type of attack is possible by using the attack technique for \(\mathsf {HSAMAC}\) described above.

Appendix B: Proofs of Theorems 3 and 4

We provide security proofs of Theorems 3 and 4 in which \(\mathsf {A}\) is a PPT adversary against \(\mathsf {HSAMD}_2\). Let n be the bit-length of MAC-tags, \(Q_h\) be the number of queries issued to the random oracle \(H(\cdot )\), \(Q_t\) be the number of queries issued to the tagging oracle, and \(\mathcal {L}_{H}\) be the list of query/answer pairs submitted to \(H(\cdot )\).

Proof of Theorem 3. We prove that \(\mathsf {HSAMD}_2\) meets d-\(\mathsf {aggUF}\text {-}\mathsf {CMA}\) security. In the same way as the proof of Theorem 1, we consider the following events:

  • \([\mathsf {Coll}]\): The event that \(\mathsf {A}\) finds a collision of the random oracle \(H(\cdot )\).

  • \([\mathsf {Change}]\): The event that \(\mathsf {A}\) changes the orders of valid ID/message pairs for a queried message sequence.

  • \([\mathsf {Combine}]\): The event that \(\mathsf {A}\) makes a forgery by combining subsequences in queried ID/message sequences.

  • \([\mathsf {Forge}]\): The event that \(\mathsf {A}\) makes forgeries of the underlying MACs.

Then, we have

$$\begin{aligned} Adv_{\mathsf {HSAMD}_2,\mathsf {A}}^{\mathrm{agg}\text {-}\mathrm{uf}}(\mathsf {\lambda })&\le \Pr [\mathsf {Coll}] + \Pr [\mathsf {Change} \mid \overline{\mathsf {Coll}}] \\&\quad + \Pr [\mathsf {Combine} \mid \overline{\mathsf {Change}} \wedge \overline{\mathsf {Coll}}] \\&\quad + \Pr [\mathsf {Forge} \mid \overline{\mathsf {Combine}} \wedge \overline{\mathsf {Change}} \wedge \overline{\mathsf {Coll}}]. \end{aligned}$$

We consider the event \([\mathsf {Coll}]\). It is possible to construct a PPT algorithm breaking the collision-resistance of the random oracle and get \(\Pr [\mathsf {Coll}] \le \frac{(Q_h + uQ_t)^2}{2^{n+1}}\) since the number of queries submitted to the random oracle is at most \((Q_h + uQ_t)\).

We consider \([\mathsf {Change} \mid \overline{\mathsf {Coll}}]\). If \(\mathsf {A}\) knows the MAC-tags, it can swap the order of a queried message sequence; that is, \(\mathsf {A}\) can generate any order-swapping forgery (or valid-sequence forgery). Thus, we show that if the underlying MACs meet \(\mathsf {pseudorandomness}\), the probability that these events happen is negligible. We construct a PPT algorithm \(\mathsf {D}\) breaking \(\mathsf {pseudorandomness}\) as follows:

  • Setup: Given the tagging oracle \(\mathsf {Tag}(\cdot )\) in \(\mathsf {pseudorandomness}\) game, do the following:

    • \(\mathsf {k}_{\mathsf {id}_i} \leftarrow \mathsf {KGen}(\mathsf {1^\lambda },\mathsf {id}_i)\) for all \(i \in [N]\) and \(K \leftarrow \{(\mathsf {k}_{\mathsf {id}_i},\mathsf {id}_i)\}_{i \in [N]}\).

    • \(\mathsf {id}^* \overset{U}{\leftarrow }\{\mathsf {id}_i\}_{i \in [N]}\), \(\mathcal {L}_{\mathrm {SA}} \leftarrow \emptyset \), \(\mathcal {L}_{H} \leftarrow \emptyset \), and \(\mathsf {count}\leftarrow 1\).

    • Simulate the random oracle \(H(\mathsf {count},(i_1,\mathsf {t}_{i_1}),\ldots ,(i_k,\mathsf {t}_{i_k}))\):

      1. If \(((\mathsf {count},(i_1,\mathsf {t}_{i_1}),\ldots ,(i_k,\mathsf {t}_{i_k})), \tau _i) \in \mathcal {L}_H\) holds, return \(\tau _i\).

      2. Otherwise, return \(\tau _i \overset{U}{\leftarrow }\mathcal {T}\) and set \(\mathcal {L}_{H} \leftarrow \mathcal {L}_{H} \cup \{((\mathsf {count}, (i_1,\mathsf {t}_{i_1}),\ldots ,(i_k,\mathsf {t}_{i_k})), \tau _i)\}\).

  • Tagging: For each query \(M^{(j)} = ((\mathsf {id}_{i}^{(j)},m_i^{(j)}))_{i \in [N]}\) to \(\mathsf {DSATag}_K(\cdot )\), do the following:

    1. For all \(i \in [N]\), do the following:

      • If \(\mathsf {id}_{i}^{(j)} = \mathsf {id}^*\), \(\mathsf {t}_i^{(j)} \leftarrow \mathsf {Tag}(m_i^{(j)})\).

      • If \(\mathsf {id}_{i}^{(j)} \ne \mathsf {id}^*\), \(\mathsf {t}_i^{(j)} \leftarrow \mathsf {MAC}.\mathsf {Tag}(\mathsf {k}_{\mathsf {id}_i^{(j)}}, m_i^{(j)})\).

    2. Return \((\mathsf {count},(\tau _i^{(j)})_{i \in [u]}) \leftarrow \mathsf {DSeqAgg}(((\mathsf {id}_{i}^{(j)}, \mathsf {t}_i^{(j)}))_{i \in [N]})\) to \(\mathsf {A}\).

    3. Set \(\mathcal {L}_{\mathrm {SA}} \leftarrow \mathcal {L}_{\mathrm {SA}} \cup \{M^{(j)} \}\).

  • Output: When \(\mathsf {A}\) outputs an ID/message sequence \(M^* = ((\mathsf {id}_{\ell _i^*},m_i^*))_{i \in [N]}\) and an aggregate tag \(\tau ^* = (\mathsf {count}^*,(\tau _i^*)_{i \in [u]})\), do the following:

    1. Let v be the order of \(\mathsf {id}^*\) in \(M^*\).

    2. \(\mathsf {t}_i^* \leftarrow \mathsf {MAC}.\mathsf {Tag}(\mathsf {k}_{\mathsf {id}_{\ell _i^*}}, m_i^*)\) for all \(i \in [N] \backslash \{v\}\), and \(\mathsf {t}_v^* \leftarrow \mathsf {Tag}(m_v^*)\).

    3. Find \(((\mathsf {count}^*, (i_1,\mathsf {t}_{i_1}^*), \ldots , (i_k,\mathsf {t}_{i_k}^*)),\tau _i^*) \in \mathcal {L}_{H}\) including \(\mathsf {t}_v^*\).

    4. Abort this game if no such pair exists.

    5. \(J \leftarrow \mathsf {DSAVrfy}(K,M^*,\tau ^*)\). (Note that \(\mathsf {id}^*\) is valid since it is included in \(\mathcal {L}_{H}\).)

    6. Output 1 if \(J \ne \bot \), \(|J| \le d\), and \(((i,\mathsf {id}_{\ell _i^*},m_i^*))_{i \in [N] \wedge \mathsf {id}_{\ell _i^*} \notin J} \ne ((i,\bar{\mathsf {id}}_i,\bar{m}_i))_{i \in [N] \wedge \bar{\mathsf {id}}_{i} \notin J}\) for all \(((\bar{\mathsf {id}}_i,\bar{m}_i))_{i \in [N]} \in \mathcal {L}_{\mathrm {SA}}\). Output 0 otherwise.

\(\mathsf {D}\) simulates the view of \(\mathsf {A}\). If \(\mathsf {A}\) submits the valid MAC-tag of the target ID to \(H(\cdot )\), \(\mathsf {D}\) can find it in \(\mathcal {L}_{H}\). Moreover, the probability that \(\mathsf {A}\) wins without querying that tag is at most \(2^{-n}\). Thus, the success probability of \(\mathsf {D}\) is at least \(N^{-1} (\Pr [\mathsf {Change} \mid \overline{\mathsf {Coll}}] - 2^{- n})\).

As for \([\mathsf {Combine} \mid \overline{\mathsf {Change}} \wedge \overline{\mathsf {Coll}}]\), the same argument as for \([\mathsf {Change} \mid \overline{\mathsf {Coll}}]\) applies, since any forgery can be generated from the MAC-tags if these tags are known. So, we can construct a PPT algorithm breaking the \(\mathsf {pseudorandomness}\) of MACs in the same way as \(\mathsf {D}\), with success probability at least \(N^{-1} (\Pr [\mathsf {Combine} \mid \overline{\mathsf {Change}} \wedge \overline{\mathsf {Coll}}] - 2^{- n})\).

Regarding \([\mathsf {Forge} \mid \overline{\mathsf {Combine}} \wedge \overline{\mathsf {Change}} \wedge \overline{\mathsf {Coll}}]\), we construct a PPT algorithm \(\mathsf {F}\) breaking the \(\mathsf {UF}\text {-}\mathsf {CMA}\) security of MACs. This algorithm is the same as \(\mathsf {D}\) except that when \(\mathsf {A}\) outputs \(M^* = ((\mathsf {id}_{\ell _i^*},m_i^*))_{i \in [N]}\) and \(\tau ^* = (\mathsf {count}^*,(\tau _i^*)_{i \in [u]})\), do the following:

  1. Let v be the order of \(\mathsf {id}^*\) in \(M^*\).

  2. \(\mathsf {t}_i^* \leftarrow \mathsf {MAC}.\mathsf {Tag}(\mathsf {k}_{\mathsf {id}_{\ell _i^*}}, m_i^*)\) for all \(i \in [N] \backslash \{v\}\).

  3. Find a pair \(((\mathsf {count}^*, (i_1, \mathsf {t}_{i_1}^*), \ldots , (i_k, \mathsf {t}_{i_k}^*)),\tau _i^*) \in \mathcal {L}_{H}\) including \(i_{j} = v\) for some \(j \in [k]\).

  4. Abort if no such pair exists or \(m_v^*\) has been submitted to the given oracle \(\mathsf {Tag}(\cdot )\).

  5. \(J \leftarrow \mathsf {DSAVrfy}(K,M^*,\tau ^*)\). (Assume that \(\mathsf {id}^*\) is valid.)

  6. Output \((m_v^*,\mathsf {t}_v^*)\) if \(J \ne \bot \), \(|J| \le d\), and \(((i,\mathsf {id}_{\ell _i^*},m_i^*))_{i \in [N] \wedge \mathsf {id}_{\ell _i^*} \notin J} \ne ((i,\bar{\mathsf {id}}_i,\bar{m}_i))_{i \in [N] \wedge \bar{\mathsf {id}}_{i} \notin J}\) for all \(((\bar{\mathsf {id}}_i,\bar{m}_i))_{i \in [N]} \in \mathcal {L}_{\mathrm {SA}}\). Abort this game otherwise.

The output of \(\mathsf {F}\) is a valid forgery of a MAC. If \(\mathsf {A}\) wins in the security game without submitting the MAC-tags to \(H(\cdot )\), the abort event happens in the Output phase. The probability of this abort event is at most \(2^{- n}\). Hence, the success probability of \(\mathsf {F}\) is at least \(N^{-1} (\Pr [\mathsf {Forge} \mid \overline{\mathsf {Combine}} \wedge \overline{\mathsf {Change}} \wedge \overline{\mathsf {Coll}}] - 2^{- n})\).

From the discussion above, we obtain

$$\begin{aligned} Adv_{\mathsf {HSAMD}_2,\mathsf {A}}^{\mathrm{agg}\text {-}\mathrm{uf}}(\mathsf {\lambda }) \le 3N \cdot Adv_{\mathsf {MAC},\mathsf {D}}^{\mathrm{pr}}(\mathsf {\lambda }) + \frac{(Q_h + uQ_t)^2}{2^{n+1}} + \frac{N+3}{2^{n}}. \end{aligned}$$

Therefore, the proof is completed.

Proof of Theorem 4. \(\mathsf {HSAMD}_2\) satisfies both d-\(\mathsf {message}\text {-}\mathsf {completeness}\) and d-\(\mathsf {message}\text {-}\mathsf {soundness}\) in the same way as in the proof of Theorem 2. That is, it meets d-\(\mathsf {message}\text {-}\mathsf {completeness}\) from the property of d-disjunct matrices, and d-\(\mathsf {message}\text {-}\mathsf {soundness}\) from d-disjunct matrices together with the collision-resistance of the random oracle.

We consider d-\(\mathsf {order}\text {-}\mathsf {completeness}\) and d-\(\mathsf {weak}\)-\(\mathsf {order}\text {-}\mathsf {soundness}\). From the property of d-disjunct matrices and the correctness of MACs, \(\mathsf {HSAMD}_2\) meets d-\(\mathsf {order}\text {-}\mathsf {completeness}\). It also meets d-\(\mathsf {weak}\)-\(\mathsf {order}\text {-}\mathsf {soundness}\) from Proposition 1 and Theorem 3. Therefore, the proof is completed.
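As an added example (not the paper's own code) of the detecting-functionality style that Appendix B refers to through \(\mathsf {DSeqAgg}\), \(\mathsf {DSAVrfy}\), a d-disjunct matrix and the set J, here is a small Python reconstruction that binds each position i into the hashed pairs \((i,\mathsf {t}_i)\) and decodes the invalid positions by group testing. It assumes HMAC-SHA256 as the underlying MAC, SHA-256 as the instantiation of \(H(\cdot )\), a constructed 1-disjunct matrix, and treats J as a set of positions rather than IDs.

```python
import hashlib
import hmac
import math
import os

def disjunct_matrix(n):
    """Constructed 1-disjunct test matrix for n positions (an assumption, not the
    paper's matrix): row 2b tests positions whose bit b is 1, row 2b+1 those whose
    bit b is 0. Columns are distinct and of equal weight, so none contains another."""
    bits = max(1, math.ceil(math.log2(n)))
    return [[i for i in range(n) if ((i >> b) & 1) == v]
            for b in range(bits) for v in (1, 0)]

def mac_tag(key, msg):
    # underlying MAC, assumed to be HMAC-SHA256
    return hmac.new(key, msg, hashlib.sha256).digest()

def h(count, pairs):
    # random oracle H(count, (i_1, t_{i_1}), ..., (i_k, t_{i_k})), instantiated with SHA-256;
    # the position i is bound into each input, which is what lets order changes be detected
    data = count.to_bytes(8, "big") + b"".join(i.to_bytes(4, "big") + t for i, t in pairs)
    return hashlib.sha256(data).digest()

def dseq_agg(count, tags, rows):
    """Keyless aggregation: one aggregate value tau_r per test row r."""
    return count, [h(count, [(i, tags[i]) for i in row]) for row in rows]

def dsa_vrfy(keys, seq, agg, rows, d):
    """Returns the set J of invalid positions (empty if all valid), or None (the paper's
    bottom) when more than d positions are flagged, i.e. beyond the detecting capacity."""
    count, taus = agg
    tags = [mac_tag(keys[id_], m) for id_, m in seq]
    positive = [taus[r] != h(count, [(i, tags[i]) for i in row])
                for r, row in enumerate(rows)]
    # group-testing decoding: position i is invalid iff every row containing it tests positive
    bad = {i for i in range(len(seq))
           if all(positive[r] for r, row in enumerate(rows) if i in row)}
    return bad if len(bad) <= d else None

def demo():
    n, d = 4, 1
    rows = disjunct_matrix(n)
    keys = {f"id{i}": os.urandom(32) for i in range(n)}            # constructed sender keys
    seq = [(f"id{i}", f"message {i}".encode()) for i in range(n)]  # constructed sequence
    agg = dseq_agg(1, [mac_tag(keys[id_], m) for id_, m in seq], rows)
    valid = dsa_vrfy(keys, seq, agg, rows, d)                       # -> set()
    tampered = seq[:2] + [("id2", b"forged")] + seq[3:]             # one invalid message
    one_bad = dsa_vrfy(keys, tampered, agg, rows, d)                # -> {2}
    swapped = [seq[0], seq[2], seq[1], seq[3]]                      # two valid pairs reordered
    swap = dsa_vrfy(keys, swapped, agg, rows, d)                    # -> None
    return valid, one_bad, swap
```

With d = 1 a single tampered message is localized, while reordering two valid pairs makes two positions wrong, which exceeds the capacity of a 1-disjunct matrix and is rejected as \(\bot \) rather than accepted with the order changed.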

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Sato, S., Hirose, S., Shikata, J. (2019). Sequential Aggregate MACs with Detecting Functionality Revisited. In: Liu, J., Huang, X. (eds) Network and System Security. NSS 2019. Lecture Notes in Computer Science, vol 11928. Springer, Cham. https://doi.org/10.1007/978-3-030-36938-5_23

  • DOI: https://doi.org/10.1007/978-3-030-36938-5_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36937-8

  • Online ISBN: 978-3-030-36938-5
