Aggregate Message Authentication Codes


Jonathan Katz, Dept. of Computer Science, University of Maryland, USA. Yehuda Lindell, Dept. of Computer Science, Bar-Ilan University, Israel.

[Footnote to title] This work was supported by a US-Israel Binational Science Foundation grant #

Abstract

We propose and investigate the notion of aggregate message authentication codes (MACs) which have the property that multiple MAC tags, computed by (possibly) different senders on multiple (possibly different) messages, can be aggregated into a shorter tag that can still be verified by a recipient who shares a distinct key with each sender. We suggest aggregate MACs as an appropriate tool for authenticated communication in mobile ad-hoc networks or other settings where resource-constrained devices share distinct keys with a single entity (such as a base station), and communication is an expensive resource.

1 Introduction

Aggregate signatures, introduced by Boneh et al. [5, 16], allow t distinct signatures by t (possibly different) signers on t (possibly different) messages to be aggregated into a shorter signature that still suffices to convince a verifier that each signer did indeed sign the appropriate message. Since their introduction, various aggregate signature schemes have been proposed [12, 11, 6, 13, 4]. To the best of our knowledge, however, no formal attention has yet been dedicated to the private-key analogue of aggregate signatures: aggregate message authentication codes (MACs). In this paper, we initiate a formal study of this primitive.

One reason for the relative lack of attention focused on aggregate MACs may be the (incorrect) perception that they are of limited value. Indeed, the applications suggested in [5], such as compressing certificate chains or reducing the message size in secure routing protocols, are all specific to the public-key (rather than the shared-key) setting. Nevertheless, we suggest that aggregate MACs can be very useful in specific domains.

As perhaps the most compelling example, consider the problem of authenticated communication in a mobile ad-hoc network (MANET), where communication is considered a highly expensive resource because of its effect on the battery life of the nodes. Here, there is a collection of t nodes $U_1, \ldots, U_t$, each of whom is interested in sending messages to a base station B. We assume that the base station shares in advance a key $k_i$ with each node $U_i$, and that node $U_i$ authenticates any outgoing message $m_i$ by computing $\mathrm{tag}_i = \mathrm{Mac}_{k_i}(m_i)$. Most nodes cannot communicate directly with the base station due to the limited range of their wireless devices, and so all communication is instead routed among the nodes themselves until it reaches the base station. For simplicity in this example, let us assume that nodes are arranged in a (logical) binary tree so that each node $U_i$ at a leaf sends $(m_i, \mathrm{tag}_i)$ to its parent, and each internal node $U_j$ forwards to its own parent all the communication from its children in addition

to $(m_j, \mathrm{tag}_j)$. The root $U_i$ in this example is the only node that is able to communicate directly with the base station, and it forwards to the base station the communication from all nodes in the network along with its own contribution $(m_i, \mathrm{tag}_i)$. The messages themselves may be very short, corresponding, e.g., to temperature readings or even just an indicator bit. For the sake of argument, let us say that messages are 16 bits long. (Replay attacks can be addressed by using a counter shared by the base station and all nodes in the network; this counter would be authenticated by each node along with the message, but would not need to be transmitted and so does not affect the communication complexity in the calculation that follows.) Furthermore, let us assume that the length of a MAC tag is 160 bits (e.g., if HMAC is used), and take t = […]. The communication from the root node alone to the base station is then ( ) · t = […] bits, while the total communication in the network is (approximately) ( ) · (2t log t) bits.

The above description assumes MACs used in the standard manner, meaning that all MAC tags are transmitted together with the messages. If an aggregate MAC were available, however, then each node $U_j$ would be able to combine its own MAC tag with those of its children. Say this aggregation can be performed while maintaining the MAC tag length, even of aggregated tags, at 160 bits. (Our construction will achieve this.) The communication from the root to the base station will now be only […] t bits, and the total communication in the network will be improved to roughly $16(2t \log t) + 160t$ bits; this is roughly an order of magnitude improvement in each case. Aggregate MACs could also be used to improve the communication complexity in schemes such as those of [14] or [9] which deal with aggregation of data. We do not explore this further here, as we view the use of such techniques as tangential to the main thrust of this paper.
1.1 Our Contributions

Motivated in part by scenarios such as the above, we formally introduce here the notion of aggregate MACs and initiate the first detailed study of this primitive. After giving appropriate definitions, we show a simple and highly efficient construction of aggregate MACs based on a wide variety of existing (standard) MACs. We remark that the existence of efficient aggregate MACs is somewhat surprising since algebraic (i.e., number-theoretic) properties of the underlying signature scheme are used to perform aggregation in the setting of aggregate signatures. In contrast, here we would like to avoid number-theoretic constructions and base aggregate MACs on primitives like block ciphers and hash functions that have limited algebraic structure. Summarizing, we prove the following informally-stated theorem:

Theorem (basic construction, informally stated): If there exists a secure message authentication code, then there exists a secure aggregate message authentication code with complexity as outlined below.

The complexity of our construction is as follows:
- Aggregate MAC tag length: equal to a single tag in the basic MAC scheme.
- Computation of a MAC tag in the aggregate scheme: the same as for the basic MAC scheme.
- Computation of MAC tag aggregation: linear in the length of the tags to be aggregated.
- Verification of ℓ aggregated MACs: equal to the time it takes to verify ℓ MACs in the basic scheme.

As can be seen from above, the complexity of our aggregate construction is essentially the same as for a regular MAC scheme. This may be somewhat surprising since in the public-key setting of aggregate signatures, it is significantly harder to obtain secure aggregation. Nevertheless, the reason for this will become clear after seeing our construction in Section 3.

Lower bound. Our aggregate scheme works very well when the receiver wishes to verify the authenticity of all the aggregated messages. However, if the receiver wishes to verify only one or a few messages, it must still verify them all. (This is similar to the case of CBC encryption that requires the receiver to decrypt the entire message even if it only wants to read the last block.) In Section 4, we explore a variant of our main construction that offers a trade-off between the length of an aggregate tag and the time required to verify individual messages. We also show a lower bound showing that if constant or logarithmic-time verification of individual messages is desired, then the aggregated tag length must be linear in the total number of messages whose tags are aggregated (and so the trivial approach of concatenating individual tags is optimal up to a multiplicative factor in the security parameter).

Related work. Subsequent to our work on this paper, we became aware of two other recent papers [7, 3] that, inter alia, use what are essentially aggregate MACs (and, in fact, use essentially the same construction we show in Section 3). The key additional contributions of our work are: (1) we provide a formal definition of the problem and a proof of security for our construction; (2) we suggest extensions of the construction offering the time/length trade-off discussed above; and (3) we show a lower bound on the required tag length when fast verification of individual messages is required.

2 Definitions

Our definitions are based on those given in [5, 16] for aggregate signatures.
Rather than exploring numerous possible special cases of the definitions, we make our definitions as general as possible (and our construction will achieve these definitions). We begin with a functional definition. The security parameter, which determines the length of the key, will be denoted by n.

Definition 1: An aggregate message authentication code is a tuple of probabilistic polynomial-time algorithms (Mac, Agg, Vrfy) such that:
- Authentication algorithm Mac: upon input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^*$, algorithm Mac outputs a tag $\mathrm{tag}$. We denote this procedure by $\mathrm{tag} \leftarrow \mathrm{Mac}_k(m)$.
- Aggregation algorithm Agg: upon input two sets of message/identifier pairs [footnote 1] $M^1 = \{(m^1_1, id^1_1), \ldots, (m^1_{\ell_1}, id^1_{\ell_1})\}$, $M^2 = \{(m^2_1, id^2_1), \ldots, (m^2_{\ell_2}, id^2_{\ell_2})\}$ and associated tags $\mathrm{tag}^1, \mathrm{tag}^2$, algorithm Agg outputs a new tag $\mathrm{tag}$. We stress that this algorithm is unkeyed.
- Verification algorithm Vrfy: upon receiving a set of key/identifier pairs $\{(k_1, id_1), \ldots, (k_t, id_t)\}$, a set of message/identifier pairs $M = \{(m_1, id'_1), \ldots, (m_\ell, id'_\ell)\}$, and a tag $\mathrm{tag}$, algorithm Vrfy outputs a single bit, with 1 denoting acceptance and 0 denoting rejection. We denote this procedure by $\mathrm{Vrfy}_{(k_1,id_1),\ldots,(k_t,id_t)}(M, \mathrm{tag})$. (In normal usage, $id'_i \in \{id_1, \ldots, id_t\}$ for all i.)

[Footnote 1] We discuss the role of the identifiers below.

The following correctness conditions are required to hold:
- For all $k, id, m \in \{0,1\}^*$, it holds that $\mathrm{Vrfy}_{k,id}(m, \mathrm{Mac}_k(m)) = 1$. (This is essentially the correctness condition for standard MACs.)
- Let $M^1, M^2$ be two sets of message/identifier pairs with $M^1 \cap M^2 = \emptyset$ [footnote 2], and let $M = M^1 \cup M^2$. If:
  1. $\mathrm{Vrfy}_{(k_1,id_1),\ldots,(k_t,id_t)}(M^1, \mathrm{tag}^1) = 1$, and
  2. $\mathrm{Vrfy}_{(k_1,id_1),\ldots,(k_t,id_t)}(M^2, \mathrm{tag}^2) = 1$,
  then $\mathrm{Vrfy}_{(k_1,id_1),\ldots,(k_t,id_t)}(M, \mathrm{Agg}(M^1, M^2, \mathrm{tag}^1, \mathrm{tag}^2)) = 1$.

The second correctness condition states that the aggregation of MAC tags still enables correct verification. The use of identifiers is merely a technical way to differentiate between different senders: in order to know which secret key to use for verification, the receiver needs to know which message is associated with which sender. (Thus, in the second correctness condition, enforcing $M^1 \cap M^2 = \emptyset$ just means that aggregation is not applied if the same sender authenticated the same message twice.) Note that identifiers are not needed in the setting of aggregate signatures, where each sender is associated with a unique public key which, in effect, serves as an identifier. For simplicity in what follows, we write $\mathrm{Vrfy}_{k_1,\ldots,k_t}(\cdot, \cdot)$ for the verification algorithm, and we sometimes find it convenient to set $id_i = i$ (it can be checked that this has no effect on our results).

An aggregate MAC would be used as follows. A receiver R who wants to receive authenticated messages from t senders begins by sharing uniformly random keys $k_1, \ldots, k_t \in \{0,1\}^n$ with each sender (i.e., key $k_i$ is shared with the sender with identity $id_i$). When sender $id_i$ wishes to authenticate a message $m_i$, it simply computes $\mathrm{tag}_i \leftarrow \mathrm{Mac}_{k_i}(m_i)$. Given a tag computed in this way, and a second tag $\mathrm{tag}_j$ computed by sender $id_j$ on the message $m_j$, these two tags can be aggregated by computing the value $\mathrm{tag} \leftarrow \mathrm{Agg}(\{(m_i, id_i)\}, \{(m_j, id_j)\}, \mathrm{tag}_i, \mathrm{tag}_j)$. The receiver can then check that sender $id_i$ authenticated $m_i$, and that sender $id_j$ authenticated $m_j$, by computing $\mathrm{Vrfy}_{k_i,k_j}(\{(m_i, id_i), (m_j, id_j)\}, \mathrm{tag})$ and verifying that the output is 1.
Note that we do not assume $id_i \neq id_j$. (But, as per footnote 2, we do assume $(m_i, id_i) \neq (m_j, id_j)$.)

[Footnote 2] This technical condition ensures that the same message/identifier pair does not appear in both $M^1$ and $M^2$.

As in the case of aggregate signatures, our definition of security corresponds to existential unforgeability under an adaptive chosen-message attack [8]. Because we are in the shared-key setting, however, there are some technical differences between our definition and the security definition for aggregate signatures. In particular, we consider an adversary who may adaptively corrupt various senders and learn their secret keys, and require security to hold also in such a setting.

Definition 2: Let A be a non-uniform probabilistic polynomial-time adversary, and consider the following experiment involving A and parameterized by a security parameter n:
- Key generation: Keys $k_1, \ldots, k_t \leftarrow \{0,1\}^n$, for t = poly(n), are generated.
- Attack phase: A may query the following oracles:
  - Message authentication oracle Mac: on input (i, m), the oracle returns $\mathrm{Mac}_{k_i}(m)$.

  - Corruption oracle Corrupt: upon input i, the oracle returns $k_i$.
- Output: The adversary A outputs a set of message/identifier pairs $M = \{(m_1, id_1), \ldots, (m_\ell, id_\ell)\}$ and a tag $\mathrm{tag}$. (We stress that all the pairs in M are required to be distinct.)
- Success determination: We say A succeeds if (1) $\mathrm{Vrfy}_{k_1,\ldots,k_t}(M, \mathrm{tag}) = 1$ and (2) there exists a pair $(m_i, id_i) \in M$ such that
  1. A never queried $\mathrm{Corrupt}(id_i)$, and
  2. A never queried $\mathrm{Mac}(id_i, m_i)$.

We say that the aggregate MAC scheme (Mac, Agg, Vrfy) is secure if for all t = poly(n) and all non-uniform probabilistic polynomial-time adversaries A, the probability that A succeeds in the above experiment is negligible.

We do not consider verification queries even though, in general, they may give the adversary additional power [1]. This is justified by the fact that our eventual construction satisfies the conditions stated in [1] for which verification queries do not give any additional power. (Of course, they prove this only for the case of standard MACs, but it is easy to see that their proof carries over to our setting as well.) Note also that we need not allow aggregate queries, since the aggregation algorithm Agg is unkeyed.

3 Constructing Aggregate MACs

In this section, we show that aggregate MACs can be constructed from essentially any standard message authentication code. We begin by illustrating the idea using as a building block the simple (standard) message authentication code constructed from a pseudorandom function F with output length n as follows: $\mathrm{Mac}_k(m) = F_k(m)$. In this case, given tags $\mathrm{tag}_1, \ldots, \mathrm{tag}_\ell$ associated with message/identifier pairs $(m_i, i)$, respectively, we can aggregate these tags by simply computing the XOR of all the tag values; i.e., $\mathrm{tag} = \mathrm{tag}_1 \oplus \mathrm{tag}_2 \oplus \cdots \oplus \mathrm{tag}_\ell$. (For simplicity, we consider identifiers $1, \ldots, \ell$ above. However, as we will see in the formal description below, these identifiers need not be distinct.) Verification is carried out in the obvious way: given a set of message/identifier pairs $M = \{(m_1, 1), \ldots, (m_\ell, \ell)\}$ and $\mathrm{tag}$, the receiver outputs 1 if and only if

$$\mathrm{tag} = \bigoplus_{i=1}^{\ell} F_{k_i}(m_i).$$

As for the security of this scheme, we may argue informally as follows: say an adversary outputs $\{(m_1, id_1), \ldots, (m_\ell, id_\ell)\}$ and $\mathrm{tag}$ such that there exists an i for which A did not query either $\mathrm{Corrupt}(id_i)$ or $\mathrm{Mac}(id_i, m_i)$. Let $i^* = id_i$. Then, from the point of view of the adversary, the value $F_{k_{i^*}}(m_i)$ looks random. Since XORing a random(-looking) value with any other (uncorrelated) strings yields a random(-looking) string, we see that the value $\bigoplus_{i=1}^{\ell} F_{k_{id_i}}(m_i)$ computed by the receiver also looks random to the adversary, and cannot be guessed by the adversary with probability much better than $2^{-n}$. We conclude that $\mathrm{tag}$ is a valid forgery with probability only negligibly better than $2^{-n}$, and so the adversary does not succeed in outputting a valid forgery except with negligible probability.
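The XOR aggregation just described, instantiated with HMAC-SHA1 as the deterministic base MAC (an added example, not code from the paper), run over the binary-tree MANET of the introduction; it also goes beyond this section by implementing the grouped variant of Section 4.1, which aggregates at most ℓ' tags per base instance so that one message can be checked by re-computing at most ℓ' base MACs. The keys, the seven 16-bit readings and the tree layout are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

TAG_LEN = 20                 # HMAC-SHA1 tag: 160 bits, as in the paper's example
Pair = Tuple[bytes, int]     # (message, sender identifier)


def mac(key: bytes, msg: bytes) -> bytes:
    """Mac_k(m): deterministic base MAC, so Vrfy can re-compute and compare."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def agg(tag1: bytes, tag2: bytes) -> bytes:
    """Agg: unkeyed aggregation by XOR; the aggregate stays TAG_LEN bytes long.
    The message/identifier sets travel alongside so the receiver knows which
    key goes with which message; Agg itself never looks at them."""
    return bytes(a ^ b for a, b in zip(tag1, tag2))


def vrfy(keys: Dict[int, bytes], pairs: List[Pair], tag: bytes) -> bool:
    """Vrfy: XOR of Mac_{k_id}(m) over all pairs must equal the received tag.
    M is a set, so a repeated (m, id) pair is rejected up front: listed twice,
    its contribution would cancel out of the XOR and never be checked."""
    if len(set(pairs)) != len(pairs):
        return False
    expected = bytes(TAG_LEN)
    for msg, ident in pairs:
        expected = agg(expected, mac(keys[ident], msg))
    return hmac.compare_digest(expected, tag)


def node_report(keys, tree, node, messages):
    """MANET routing: a node MACs its own reading, then folds in what its
    children forwarded (message lists concatenated, tags XORed)."""
    pairs = [(messages[node], node)]
    tag = mac(keys[node], messages[node])
    for child in tree.get(node, []):
        child_pairs, child_tag = node_report(keys, tree, child, messages)
        pairs += child_pairs
        tag = agg(tag, child_tag)
    return pairs, tag


def agg_grouped(keys, pairs, group):
    """Section 4.1 trade-off: at most `group` tags per base-scheme instance,
    so l messages carry l/group tags instead of one."""
    tags = []
    for start in range(0, len(pairs), group):
        t = bytes(TAG_LEN)
        for msg, ident in pairs[start:start + group]:
            t = agg(t, mac(keys[ident], msg))
        tags.append(t)
    return tags


def vrfy_single(keys, pairs, tags, index, group):
    """Check only pairs[index]: re-computes at most `group` base MACs."""
    g = index // group
    return vrfy(keys, pairs[g * group:(g + 1) * group], tags[g])


def demo():
    # Constructed sample: 7 sensor nodes in a binary tree, node 1 is the root.
    keys = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(1, 8)}
    tree = {1: [2, 3], 2: [4, 5], 3: [6, 7]}
    msgs = {i: (20 + i).to_bytes(2, "big") for i in range(1, 8)}  # 16-bit readings
    pairs, tag = node_report(keys, tree, 1, msgs)

    # Receiver-side checks: honest report, a reading altered in transit,
    # a pair listed twice, and the grouped variant with l' = 3.
    tampered = [(b"\x00\x63" if ident == 5 else m, ident) for m, ident in pairs]
    duplicated = pairs + [pairs[0]]
    tags = agg_grouped(keys, pairs, 3)          # l = 7, l' = 3 -> 3 tags
    return {
        "valid": vrfy(keys, pairs, tag),
        "tampered": vrfy(keys, tampered, tag),
        "duplicate": vrfy(keys, duplicated, tag),
        "group_tags": len(tags),
        "single_ok": vrfy_single(keys, pairs, tags, 4, 3),
        "single_bad": vrfy_single(keys, tampered, tags, 4, 3),
    }


if __name__ == "__main__":
    print(demo())
```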

Extending the above ideas, we may realize that the proof does not require the individual MAC tag $F_{k_{i^*}}(m_i)$ to be pseudorandom, but instead only requires that it be unpredictable. But this holds for any secure (standard) MAC, by the definition of security for MACs. Thus, as far as security is concerned, the above approach works for any underlying MAC. On the other hand, verification in the aggregate MAC requires that verification in the underlying MAC be done by re-computing the MAC tag and checking equality with what is received. (I.e., $\mathrm{Vrfy}_k(m, \mathrm{tag})$ outputs 1 if and only if $\mathrm{Mac}_k(m) = \mathrm{tag}$.) We may assume, without loss of generality, that verification is done this way for any deterministic MAC; for randomized MACs (and, in particular, MACs where messages have more than one valid tag for a given key), however, verification cannot be done this way. This means that certain randomized MACs (e.g., XOR-MAC [2]) cannot be utilized directly in the above construction, although we remark that any randomized MAC could be derandomized using a pseudorandom function. In any case, most commonly-used MACs are deterministic, and thus the restriction is not a serious one.

We now describe our aggregate MAC scheme formally, and rigorously prove its security with respect to Definition 2. Let (Mac, Vrfy) denote a standard message authentication code where Mac is a deterministic algorithm. (We will ignore the Vrfy algorithm from now on since, as noted above, we can perform verification by simply re-running Mac.) We have the following construction:

Construction 1 (Aggregate MAC Scheme): Let Mac be a deterministic algorithm. We define (Mac', Agg', Vrfy') as follows:
- Algorithm Mac': upon input $k \in \{0,1\}^n$ and $m \in \{0,1\}^*$, outputs $\mathrm{Mac}_k(m)$.
- Algorithm Agg': upon input two sets $M^1, M^2$ of message/identifier pairs and two tags $\mathrm{tag}^1, \mathrm{tag}^2$, the algorithm outputs $\mathrm{tag} = \mathrm{tag}^1 \oplus \mathrm{tag}^2$.
- Algorithm Vrfy': upon input a set of keys $k_1, \ldots, k_t \in \{0,1\}^n$, a set $M = \{(m_1, i_1), \ldots, (m_\ell, i_\ell)\}$ of message/identifier pairs where $i_j \in \{1, \ldots, t\}$ for all j, and a tag $\mathrm{tag}$, algorithm Vrfy' computes $\mathrm{tag}' = \bigoplus_{j=1}^{\ell} \mathrm{Mac}_{k_{i_j}}(m_j)$, and outputs 1 if and only if $\mathrm{tag}' = \mathrm{tag}$. (We stress that the input to Vrfy' is taken to be a set, and so all the tuples in M are distinct.)

It is easy to verify correctness of the above scheme. As for security, we have:

Theorem 1: If (Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack and Mac is deterministic, then (Mac', Agg', Vrfy') given in Construction 1 is a secure aggregate message authentication code.

Proof: Fix a probabilistic polynomial-time adversary A and some t = poly(n) as in Definition 2. We construct a probabilistic polynomial-time algorithm F that interacts with an instance of (Mac, Vrfy) and attempts to produce a valid forgery for a previously-unauthenticated message. F is given access to an oracle $\mathrm{Mac}_k(\cdot)$ for an unknown key k, and proceeds as follows:
1. It chooses a random $i^* \in \{1, \ldots, t(n)\}$.
2. For i = 1 to t(n):
   (a) If $i \neq i^*$, choose $k_i \leftarrow \{0,1\}^n$.
   (b) If $i = i^*$, do nothing (however, we implicitly set $k_{i^*} = k$).
3. Run $A(1^n)$, answering its queries as follows:

   - Query Mac(i, m): If $i \neq i^*$ then F answers the query using the known key $k_i$. If $i = i^*$ then F queries its own MAC oracle $\mathrm{Mac}_k(\cdot)$ and returns the result.
   - Query Corrupt(i): If $i \neq i^*$ then give A the known key $k_i$. If $i = i^*$ then abort.
4. At some point, A outputs $M = \{(m_1, id_1), \ldots, (m_\ell, id_\ell)\}$ and $\mathrm{tag}$. Let j be the first index such that (1) A never queried $\mathrm{Corrupt}(id_j)$ and (2) A never queried $\mathrm{Mac}(id_j, m_j)$. (We assume without loss of generality that some such j exists.) If $id_j \neq i^*$ then abort; otherwise, proceed as described below.
5. Assuming $id_j = i^*$, algorithm F computes
   $$\mathrm{tag}' = \mathrm{tag} \oplus \bigoplus_{i \neq j} \mathrm{Mac}_{k_{id_i}}(m_i),$$
   where F computes $\mathrm{Mac}_{k_{id_i}}(m_i)$ using the known key $k_{id_i}$ when $id_i \neq i^*$, and computes $\mathrm{Mac}_{k_{id_i}}(m_i)$ by querying its MAC oracle $\mathrm{Mac}_k(\cdot)$ when $id_i = i^*$. Finally, F outputs $(m_j, \mathrm{tag}')$.

The proof follows easily from the following observations:
- The probability that F aborts is exactly 1/t(n), which is inverse polynomial. Furthermore, conditioned on not aborting, the simulation that F provides for A is perfect.
- If A succeeds in a given execution (and F does not abort), then F outputs a valid forgery. To see this, note that when A succeeds this means that
  $$\bigoplus_{i=1}^{\ell} \mathrm{Mac}_{k_{id_i}}(m_i) = \mathrm{tag},$$
  where we stress that $\mathrm{Mac}_{k_{id_i}}(m_i)$ is a fixed, well-defined value by virtue of the fact that Mac is deterministic. Thus, the value $\mathrm{tag}'$ output by F is equal to the (well-defined) value $\mathrm{Mac}_{k_{i^*}}(m_j) = \mathrm{Mac}_k(m_j)$. Furthermore, F has never queried its own MAC oracle with the message $m_j$ since, by assumption, A never queried $\mathrm{Mac}(i^*, m_j)$ prior to step 5 of F's execution, above, and F will not query $m_j$ to its MAC oracle in step 5 since all tuples in the set M must be distinct. This completes the proof.

Efficiency. Our construction for aggregate MACs is highly efficient. Consider the example of a mobile ad-hoc network (MANET) as described in the introduction. If the nodes are arranged as a binary (or any other) tree, then each node receives a set of messages together with a single tag from each of its children. In order to forward the messages on, all the node needs to do is to concatenate the lists of messages, compute its own MAC, and XOR all the tags together.

4 An Extension and a Lower Bound

A limitation of the construction given in the previous section is that the receiver must re-compute the (individual) MAC tags on all ℓ messages whose tags have been aggregated. This is not a

limitation in the MANET example given above. However, in some cases, the receiver may only be interested in verifying the authenticity of a single message (or some small subset of the messages). In such cases, the requirement to re-compute the MAC tags of all the messages is undesirable. In this section, we present a simple idea that offers a trade-off between the length of the aggregate tag and the time required to verify a single message. To achieve authentication of a single message in constant time (i.e., independent of the number of aggregated tags ℓ), our approach yields a tag of length $O(\ell \cdot T)$, where we take T to be the length of the tag in some underlying (standard) MAC. This is not of much interest because we can achieve a tag of length $O(\ell \cdot T)$ by just concatenating the tags of a standard MAC (i.e., aggregation equals concatenation). However, our approach yields a tradeoff where the product of the authentication time and tag length is $O(\ell \cdot T)$. In the previous section, we achieved authentication in time ℓ with a tag of length T. At the other extreme, concatenating MAC tags gives authentication in constant time (i.e., requires verifying a single MAC) but has a tag of length $\ell \cdot T$. Our approach, described below, allows essentially anything in between. In particular, one can achieve authentication in time $O(\sqrt{\ell})$ with a tag of length $O(\sqrt{\ell} \cdot T)$. It is interesting to wonder whether this is optimal. In this direction, we also present a lower bound showing that this approach is asymptotically optimal (up to a multiplicative factor of T) when considering verification that takes constant, or at most logarithmic, time. That is, we show that any aggregate MAC scheme that enables authentication in logarithmic time (in ℓ, the number of aggregated MACs) must have a tag of length at least $\Omega(\ell)$. We stress that in this section, we consider the running time as a function of the number ℓ of messages. Of course, it also takes time to compute and verify a single MAC tag.
However, this is a fixed overhead for every value of the security parameter, and so what is really of interest is how many MAC tags need to be computed to verify a single message, when the number of aggregated MACs is ℓ.

4.1 The Construction

Before presenting our construction, we first describe the problem in a bit more detail. Recall from Definition 1 that the receiver holds a set of keys $k_1, \ldots, k_t$, and is assumed to receive a set of message/identifier pairs $M = \{(m_1, id_1), \ldots, (m_\ell, id_\ell)\}$ and a tag $\mathrm{tag}$. In this section, we assume the receiver does not care to simultaneously verify the authenticity of all messages in M (with respect to the identifier associated with each message) as in the previous section, but instead is interested only in verifying authenticity of one of the messages $m_i$ (with respect to the associated identifier $id_i$). Obviously, the only solutions of interest are those that are more efficient than verifying everything.

A fairly straightforward solution is as follows. Fix some parameter ℓ'. Then run multiple instances of the base aggregation scheme from the previous section in parallel, but only aggregating at most ℓ' messages/tags using any given instance. (We stress that each sender still holds only one key, the verifier still holds one key per sender, and the Mac algorithm is unchanged. All that changes is the way aggregation and verification are performed.) The net result is that a set of message/identifier pairs $M = \{(m_1, id_1), \ldots, (m_\ell, id_\ell)\}$ is now authenticated by a sequence of $\ell'' = \ell/\ell'$ tags $\mathrm{tag}_1, \ldots, \mathrm{tag}_{\ell''}$ generated according to the base scheme, where $\mathrm{tag}_1$ authenticates $m_1, \ldots, m_{\ell'}$ (with respect to the appropriate associated identities), $\mathrm{tag}_2$ authenticates $m_{\ell'+1}, \ldots, m_{2\ell'}$, etc. To verify the authenticity of any particular message $m_i$, the verifier need only re-compute MAC tags for (at most) ℓ' − 1 other messages. The tag when ℓ messages are authenticated is now the length of ℓ/ℓ' basic MAC tags (i.e., length $(\ell/\ell') \cdot T$), and the time for verifying any particular message is improved to $O(\ell')$ (instead

of $O(\ell)$ as previously). Thus, for example, setting $\ell' = \sqrt{\ell}$ we obtain verification in time $O(\sqrt{\ell})$ and a tag that is comprised of $\sqrt{\ell}$ basic MAC tags. We remark that the time required to verify all the messages is essentially the same as before.

Achieving constant verification time for any single message using this approach would result in a tag of (total) length linear in the number of messages being authenticated. In particular, when ℓ' = 1 we obtain an aggregate scheme which simply concatenates the MAC tags of all the messages being authenticated.

4.2 A Lower Bound

As we have mentioned, when constant verification time is desired (i.e., ℓ' = 1 in the scheme of the previous section), the result is a MAC tag that consists of ℓ basic MAC tags (i.e., the aggregation works by just concatenating MAC tags). This is rather disappointing and it would be highly desirable to improve this situation. In this section we show that it is impossible to achieve a better result since the above is essentially optimal. Informally speaking, we show that if verification can be carried out in constant time (or even in time $O(\log \ell)$), then the tag must be at least $\Omega(\ell)$ bits long. Before proceeding further, we observe that this does not contradict the positive result we obtained above. This is because we must have $T = \omega(\log n)$ (otherwise an adversary can guess a valid MAC tag, in the underlying scheme, with non-negligible probability) and because ℓ, the number of aggregated MACs, can be at most polynomial in n (or else it does not make much sense to talk about security of the scheme). Thus, the tag length of our previous construction when $\ell' = O(\log \ell)$ is $T \cdot \ell/\log \ell = \omega(\log n) \cdot \ell / O(\log n) = \omega(\ell)$, as required.

We now formally state and prove the lower bound:

Claim 1: Any aggregate MAC scheme in which verification of a single message can be carried out in time $O(\log \ell)$ (where ℓ denotes the total number of messages authenticated by an aggregate tag) has tags whose length is $\Omega(\ell)$.

Proof: We begin by providing intuition as to why the claim is true.
Assume that there exists an aggregate MAC scheme where verification of a single message takes time log ℓ, and the tags are of length less than ℓ. The main observation is that if verification takes time log ℓ, then the Vrfy algorithm can only read at most log ℓ of the messages whose MACs are aggregated. If each of these messages consists of one bit only, then it is possible to try all possible combinations of the log ℓ bits to see which passes verification (this takes time $2^{\log \ell} = \ell$, which is feasible). A key point here, of course, is that only a correct combination should pass, or this could be used to efficiently construct a forgery of the aggregate MAC scheme. This implies that it is possible to reconstruct log ℓ of the (single-bit) messages given only the MAC tag. However, this holds for all subsets of log ℓ bits and so all of the messages can be reconstructed in polynomial time given only the MAC tag. But this means that it is possible to reconstruct any ℓ-bit message from a tag of length less than ℓ. Stated differently, it means that an arbitrary ℓ-bit message can be compressed, something that is known to be impossible!

Our formal proof follows this intuition with some minor changes, the main one being that we show how to reconstruct one bit at a time rather than blocks of log ℓ bits. Furthermore, we derive our contradiction through lower bounds for probabilistic communication complexity rather than through compression; this is easier because of the negligible probability of error that exists when working with any cryptographic primitive. We will use the public random string model of communication complexity, where two parties share a common random string and the question is how many bits they must communicate in order to correctly compute a function f. Given a protocol Π, the error of this protocol is given

by $\max_{x,y}\{\Pr[\Pi(x,y) \neq f(x,y)]\}$, where the probability is taken over the parties' common random string as well as any internal randomness they might use. We let $CC_\epsilon(f)$ denote the minimum number of bits needed to compute f, where this minimum is taken over all possible protocols with error at most ε. It is known that there exist functions $f : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ for which $CC_\epsilon(f) = \Omega(\ell)$; the inner-product function $IP(x,y) = \sum_{i=1}^{\ell} x_i y_i \bmod 2$ is one example. See [10, 15] for more on communication complexity.

Let (Mac', Agg', Vrfy') be an aggregate MAC scheme in which verification of any message can be carried out in time $O(\log \ell)$. At the very least, this implies that given any set of messages $M = \{m_1, \ldots, m_\ell\}$ and a single identifier id (using a single identifier just simplifies the proof), verification of a single message $m_i$ (with respect to id) can be carried out by examining only $w = O(\log \ell)$ other messages in M. (This is due to the fact that it is not possible to read more than log ℓ messages in log ℓ time.) We show that such a scheme implies that the probabilistic communication complexity (in the public random string model) of every function $f : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ is essentially the length of a tag for ℓ messages. However, since there exist functions with communication complexity $\Omega(\ell)$ (see the discussion in the previous paragraph), it follows that the tag length must also be $\Omega(\ell)$.

We begin by describing a protocol for computing any function $f : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}$ with communication complexity that is equal to the tag length plus 1. We stress that this protocol is for the setting of communication complexity and not cryptography. Thus, the parties A and B are fully honest and the only question is how many bits must be sent (there is no requirement on privacy, etc.). Loosely speaking, the protocol we describe works by having A compute an aggregate MAC on her input and then send the tag to B. Party B then reconstructs A's input from the tag, as described in the intuitive discussion above. Finally, given A's full input, B computes the output and sends it to A.
Before formally describing the protocol, we show how to encode a single ℓ-bit input into an aggregate MAC over ℓ messages. Let $x = x_1 \cdots x_\ell$ be A's input. Then, A defines messages $m_1, \ldots, m_\ell$ by $m_i = \langle i \rangle \| x_i$, where $\langle i \rangle$ is the binary encoding of i. The set $\{m_1, \ldots, m_\ell\}$ is a valid encoding of x because it fully defines x (all bits of x are represented, and their positions in x are given by the encoding of j that is included in every $m_j$). We remark that since only one id is used here, we ignore it from here on. We now describe the protocol:

Protocol 1 (communication complexity protocol for any function f):
- Inputs: A has $x \in \{0,1\}^\ell$ and B has $y \in \{0,1\}^\ell$.
- Public random string: both parties share a random string $k \in \{0,1\}^n$ for some sufficiently large n.
- The protocol:
  1. A's first step:
     (a) Party A encodes its input $x = x_1 \cdots x_\ell$ into a set of ℓ messages $M = \{m_1, \ldots, m_\ell\}$ where $m_i = \langle i \rangle \| x_i$ for every i.
     (b) A computes $\mathrm{tag}_i \leftarrow \mathrm{Mac}'_k(m_i)$ for all i, and then aggregates all the results into a single tag $\mathrm{tag}'$ by using the algorithm Agg'.
     (c) A sends $\mathrm{tag}'$ to B.
  2. Upon receiving $\mathrm{tag}'$ from A, party B works as follows for i = 1, ..., ℓ:

     (a) B sets $m_i = \langle i \rangle \| 0$ (this can be viewed as a guess that $x_i = 0$) and attempts to run $\mathrm{Vrfy}'_k(M, \mathrm{tag}')$. However, Vrfy' expects to receive M and in general may read up to log ℓ other messages in M. [footnote 3] Therefore, B proceeds as follows:
     (b) Let $\mathrm{Vrfy}'_k((j_1, m_{j_1}), \ldots, (j_t, m_{j_t}), \mathrm{tag}')$ be the algorithm defined by Vrfy' after it has read the t messages indexed by $j_1, \ldots, j_t$ with content $m_{j_1}, \ldots, m_{j_t}$; note that $m_i$ is not included in this notation as we assume it is read first. (Essentially, this algorithm is defined by fixing the prefix of its execution until this point.)
     (c) For t = 0, ..., log ℓ, B works as follows:
        i. If t = ℓ, then return the output bit of $\mathrm{Vrfy}'_k((j_1, m_{j_1}), \ldots, (j_t, m_{j_t}), \mathrm{tag}')$. Else, invoke $\mathrm{Vrfy}'_k((j_1, m_{j_1}), \ldots, (j_t, m_{j_t}), \mathrm{tag}')$ and let $j_{t+1}$ be the next message read by $\mathrm{Vrfy}'_k((j_1, m_{j_1}), \ldots, (j_t, m_{j_t}), \mathrm{tag}')$.
        ii. Recursively invoke $\mathrm{Vrfy}'_k((j_1, m_{j_1}), \ldots, (j_t, m_{j_t}), (j_{t+1}, 0), \mathrm{tag}')$ and $\mathrm{Vrfy}'_k((j_1, m_{j_1}), \ldots, (j_t, m_{j_t}), (j_{t+1}, 1), \mathrm{tag}')$, and return the logical OR of their outputs.
     If the output of Vrfy' from the above procedure equals 1, then B sets $x_i = 0$. Otherwise, it sets $x_i = 1$.
  3. Given $x = x_1, \ldots, x_\ell$, B computes f(x, y) and returns the result to A.
  4. Both parties output f(x, y).

Note that B's procedure is such that if any of the recursive threads returns 1 then B sets $x_i = 0$. However, if this occurs, then this means that there exists a subset of log ℓ messages $m_{j_1}, \ldots, m_{j_{\log \ell}}$ such that Vrfy' accepts $m_i = \langle i \rangle \| 0$ relative to this subset. On the other hand, if this does not occur, then Vrfy' rejects for all such sets, in which case B sets $x_i = 1$. It is clear that if B reconstructs x correctly then the protocol is correct. It therefore remains to show that B correctly reconstructs x except with negligible probability. (Actually, in the context of communication complexity it suffices to show that this holds except with some constant probability. However, we show something stronger.) We separately analyze the case that $x_i = 0$ and $x_i = 1$.
In the case of x_i = 0 we have that A generated tag with x_i = 0 and some setting of the other bits. Therefore, there must exist some subset of log l messages that results in Vrfy accepting (this subset is defined by A's real input x). Thus, when x_i = 0, party B always sets x_i = 0. (This follows from the correctness condition of MACs that states that if a tag is correctly constructed, then Vrfy will always output 1.)

The more challenging case is that of x_i = 1. Assume that there exists a message x = x_1, ..., x_l and an i such that with probability p, party B's procedure on an aggregate tag tag computed from x is such that x_i = 1 but B sets x_i = 0. We use this to construct an adversary A' that breaks the MAC scheme (Mac, Agg, Vrfy) with probability p/l.^4 Adversary A' encodes x into a set M exactly as party A does. It then uses its Mac oracle to compute an aggregate MAC on the set of l messages M; let tag be the result. Next, A' chooses uniformly distributed bits b_1, ..., b_l ∈ {0, 1} and constructs a new set M' where m'_i = i‖0 and for all j ≠ i, m'_j = j‖b_j. Finally, A' outputs the set M' and the tag tag. (We note that A' uses oracles whereas the party A used the public random string k. However, party A's procedure does not use k in any way except to compute Mac legitimately, and so A' can simulate this using its Mac oracle.)

We claim that A' succeeds in breaking the MAC scheme with probability p/l. This is due to the following facts:

1. The set M' is such that A' never queried Mac(m'_i) (because x_i = 1 but m'_i = i‖0).
2. A' did not send any Corrupt queries.
3. With probability 2^{-log l} = 1/l the random bits chosen by A' that are read by Vrfy_k are equal to those that result in B's procedure erring.

Therefore, Pr[Vrfy_k(M', tag) = 1] = p/l. We conclude that A' succeeds in its attack with probability p/l, implying that p must be negligible (by the assumption that the scheme is secure). This implies that Protocol 1 (probabilistically) computes f with communication complexity |tag| + 1. Since there exist functions f for which the communication complexity is Ω(l), this therefore implies that |tag| = Ω(l) as required.

We conclude by remarking that it is actually only required that the adversary A' run in polynomial time in order to reach a contradiction regarding the MAC. In contrast, B can run in time 2^l and this makes no difference (the bounds in communication complexity hold irrespective of the computational complexity of the parties). The crucial point is that A' does not run B and so its complexity does not depend on B. Thus B could just try all 2^l strings to see if one results in the MAC being accepted. The probability of A' generating a successful forgery remains the same because it is simply based on a random guess.

In summary, it is not possible to do (much) better than our solution of the previous section when constant- or logarithmic-time verification is required. An interesting question remains as to whether it is possible to do better than the tradeoff achieved by our construction when l is asymptotically larger than log l. It would also be interesting to close the remaining multiplicative factor of T (the tag length of the underlying MAC).

3 Without loss of generality we assume that Vrfy first reads m_i and then up to log l other messages.
4 We are being slightly informal here. What we prove is that for a given n and pair (x, i), a non-uniform adversary will succeed in breaking the MAC scheme with probability that is polynomially related to the probability that B's procedure errs regarding the i-th bit. This will then imply that for all sufficiently large n's, the probability p = p(n) must be negligible, as required.
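The encoding of Protocol 1 and the reconstruction that the concluding remark allows B to perform (trying all 2^l strings), as an added example that is not from the paper. It instantiates Mac as HMAC-SHA256 truncated to 16 bytes and Agg as the XOR of the individual tags, both assumptions made here for concreteness, and uses inner product mod 2 as the function f; the point it makes concrete is that the |tag| + 1 bits exchanged determine all l bits of x.

```python
import hashlib
import hmac
import itertools

# Constructed parameters for the example: the shared random string k plays the
# role of the MAC key, and each per-message tag is HMAC-SHA256 truncated to
# TAG_BYTES bytes.  Neither choice is taken from the paper.
TAG_BYTES = 16
K_EXAMPLE = hashlib.sha256(b"constructed public random string").digest()


def mac(k: bytes, m: bytes) -> bytes:
    """Mac_k(m): HMAC-SHA256 truncated to TAG_BYTES (assumed instantiation)."""
    return hmac.new(k, m, hashlib.sha256).digest()[:TAG_BYTES]


def agg(tags) -> bytes:
    """Agg: XOR of the individual tags (assumed aggregation rule)."""
    out = bytearray(TAG_BYTES)
    for t in tags:
        for j, byte in enumerate(t):
            out[j] ^= byte
    return bytes(out)


def vrfy(k: bytes, msgs, tag: bytes) -> bool:
    """Vrfy_k(M, tag): recompute the aggregate over M and compare in constant time."""
    return hmac.compare_digest(agg(mac(k, m) for m in msgs), tag)


def encode(x: str) -> list:
    """m_i = <i> || x_i: a 2-byte big-endian index (1-based) followed by the bit.

    The index is what makes {m_1, ..., m_l} a valid encoding of x: every bit
    is present and its position is recoverable from the message itself.
    """
    return [(i + 1).to_bytes(2, "big") + bytes([int(bit)])
            for i, bit in enumerate(x)]


def party_a(k: bytes, x: str) -> bytes:
    """Step 1 of Protocol 1: A MACs each m_i, aggregates, and sends only tag."""
    return agg(mac(k, m) for m in encode(x))


def reconstruct(k: bytes, tag: bytes, l: int) -> list:
    """Party B's reconstruction in the brute-force form (time 2^l): try every
    l-bit string and keep those whose encoding the aggregate tag verifies for."""
    accepted = []
    for bits in itertools.product("01", repeat=l):
        cand = "".join(bits)
        if vrfy(k, encode(cand), tag):
            accepted.append(cand)
    return accepted


def protocol_1(k: bytes, x: str, y: str, f):
    """Run Protocol 1 end to end; return (f(x, y), number of bits communicated)."""
    tag = party_a(k, x)                      # A -> B: |tag| bits
    candidates = reconstruct(k, tag, len(x))
    if len(candidates) != 1:                 # tag failed to determine x uniquely
        raise ValueError("aggregate tag did not determine x uniquely")
    result = f(candidates[0], y)             # B -> A: 1 bit
    return result, 8 * len(tag) + 1


def inner_product_mod2(x: str, y: str) -> int:
    """Constructed choice of f; inner product has communication complexity Omega(l)."""
    return sum(int(a) & int(b) for a, b in zip(x, y)) % 2


if __name__ == "__main__":
    x, y = "10110010", "01101100"            # constructed inputs, l = 8
    out, comm = protocol_1(K_EXAMPLE, x, y, inner_product_mod2)
    print(f"f(x, y) = {out}; {comm} bits communicated to transmit l = {len(x)} bits")
```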
Acknowledgments

The work of the first author was supported by NSF grant # , and by the US Army Research Laboratory and the UK Ministry of Defence under Agreement Number W911NF . The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the US Government, the UK Ministry of Defense, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes, notwithstanding any copyright notation herein.



More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

Linear Feature Engineering 11

Linear Feature Engineering 11 Lnear Feature Engneerng 11 2 Least-Squares 2.1 Smple least-squares Consder the followng dataset. We have a bunch of nputs x and correspondng outputs y. The partcular values n ths dataset are x y 0.23 0.19

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions Introducton to Computablty Theory Lecture: egular Expressons Prof Amos Israel Motvaton If one wants to descrbe a regular language, La, she can use the a DFA, Dor an NFA N, such L ( D = La that that Ths

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

Can PPAD Hardness be Based on Standard Cryptographic Assumptions? Can PPAD Hardness be Based on Standard Cryptographc Assumptons? Alon Rosen Gl Segev Ido Shahaf Abstract We consder the queston of whether PPAD hardness can be based on standard cryptographc assumptons,

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Exercises of Chapter 2

Exercises of Chapter 2 Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard

More information

Self-complementing permutations of k-uniform hypergraphs

Self-complementing permutations of k-uniform hypergraphs Dscrete Mathematcs Theoretcal Computer Scence DMTCS vol. 11:1, 2009, 117 124 Self-complementng permutatons of k-unform hypergraphs Artur Szymańsk A. Paweł Wojda Faculty of Appled Mathematcs, AGH Unversty

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information