Non-adaptive Group-Testing Aggregate MAC Scheme

This paper applies non-adaptive group testing to aggregate message authentication code (MAC) and introduces non-adaptive group-testing aggregate MAC. After formalization of its syntax and security requirements, simple and generic construction is presented, which can be applied to any aggregate MAC scheme formalized by Katz and Lindell in 2008. Then, two instantioations of the construction is presented. One is based on the aggregate MAC scheme by Katz and Lindell and uses addition for tag aggregate. The other uses cryptographic hashing for tag aggregate. Provable security of the generic construction and two instantiations are also discussed

Digital Signatures for PTP Using Transparent Clocks

Smart grids use synchronous real-time measurements from phasor measurement units (PMU) across portions of a grid to provide grid-wide integrity. Achieving synchronicity requires either accurate GPS clocks at each PMU or a high-resolution clock synchronization protocol, such as the Precision Time Protocol (PTP), specified in IEEE 1588 with the power profile in IEEE C37.238-2011. PTP does not natively include measures to provide authenticity or integrity for timestamps transmitted across an Ethernet network, though there has been recent work in providing end-to-end integrity of transmitted timestamps. However, PTP for use in the smart grid requires a version of the protocol in which network switches update the trusted timestamp in flight, meaning that an end-to-end approach is no longer sufficient. We propose two methods to provide for the integrity of the transmitted and updated timestamps as well as to ensure the authority of all network devices altering the time. In the first, we amend the PTP standard to include signatures as part of the time packet itself at the cost of increased jitter in the system. In the second, we transmit these signatures over a wireless network, reducing congestion on the original network. We test both methods on a simulated PTP switch intended for experimentation only and demonstrate that the use of a second network dedicated to verification-related information is better for current networks, as including signatures in the original packet causes more jitter than is acceptable for synchronizing PMUs in particular

Digital Signatures for PTP Using Transparent Clocks

Smart grids use synchronous real-time measurements from phasor measurement units (PMU) across portions of a grid to provide grid-wide integrity. Achieving synchronicity requires either accurate GPS clocks at each PMU or a high-resolution clock synchronization protocol, such as the Precision Time Protocol (PTP), specified in IEEE 1588 with the power profile in IEEE C37.238-2011. PTP does not natively include measures to provide authenticity or integrity for timestamps transmitted across an Ethernet network, though there has been recent work in providing end-to-end integrity of transmitted timestamps. However, PTP for use in the smart grid requires a version of the protocol in which network switches update the trusted timestamp in flight, meaning that an end-to-end approach is no longer sufficient. We propose two methods to provide for the integrity of the transmitted and updated timestamps as well as to ensure the authority of all network devices altering the time. In the first, we amend the PTP standard to include signatures as part of the time packet itself at the cost of increased jitter in the system. In the second, we transmit these signatures over a wireless network, reducing congestion on the original network. We test both methods on a simulated PTP switch intended for experimentation only and demonstrate that the use of a second network dedicated to verification-related information is better for current networks, as including signatures in the original packet causes more jitter than is acceptable for synchronizing PMUs in particular

When and How to Aggregate Message Authentication Codes on Lossy Channels?

Aggregation of message authentication codes (MACs) is a proven and efficient method to preserve valuable bandwidth in resource-constrained environments: Instead of appending a long authentication tag to each message, the integrity protection of multiple messages is aggregated into a single tag. However, while such aggregation saves bandwidth, a single lost message typically means that authentication information for multiple messages cannot be verified anymore. With the significant increase of bandwidth-constrained lossy communication, as applications shift towards wireless channels, it thus becomes paramount to study the impact of packet loss on the diverse MAC aggregation schemes proposed over the past 15 years to assess when and how to aggregate message authentication. Therefore, we empirically study all relevant MAC aggregation schemes in the context of lossy channels, investigating achievable goodput improvements, the resulting verification delays, processing overhead, and resilience to denial-of-service attacks. Our analysis shows the importance of carefully choosing and configuring MAC aggregation, as selecting and correctly parameterizing the right scheme can, e.g., improve goodput by 39% to 444%, depending on the scenario. However, since no aggregation scheme performs best in all scenarios, we provide guidelines for network operators to select optimal schemes and parameterizations suiting specific network settings

Message-Recovery MACs and Verification-Unskippable AE

This paper explores a new type of MACs called message-recovery MACs (MRMACs). MRMACs have an additional input $R$ that gets recovered upon verification. Receivers must execute verification in order to recover $R$, making the verification process unskippable. Such a feature helps avoid mis-implementing verification algorithms. The syntax and security notions of MRMACs are rigorously formulated. In particular, we formalize the notion of unskippability and present a construction of an unskippable MRMAC from a tweakable cipher and a universal hash function. Our construction is provided with formal security proofs. We extend the idea of MRMACs to a new type of authenticated encryption called verification-unskippable AE (VUAE). We propose a generic Enc-then-MRMAC composition which realizes VUAE. The encryption part needs to satisfy a new security notion called one-time undecipherability. We provide three constructions that are one-time undecipherable, and they are proven secure under various security models

LCPR: High Performance Compression Algorithm for Lattice-Based Signatures

Many lattice-based signature schemes have been proposed in recent years. However, all of them suffer from huge signature sizes as compared to their classical counterparts. We present a novel and generic construction of a lossless compression algorithm for Schnorr-like signatures utilizing publicly accessible randomness. Conceptually, exploiting public randomness in order to reduce the signature size has never been considered in cryptographic applications. We illustrate the applicability of our compression algorithm using the example of a current state-of-the-art signature scheme due to Gentry et al. (GPV scheme) instantiated with the efficient trapdoor construction from Micciancio and Peikert. This scheme benefits from increasing the main security parameter $n$, which is positively correlated with the compression rate measuring the amount of storage savings. For instance, GPV signatures admit improvement factors of approximately $\lg n$ implying compression rates of about $65$\% at a security level of about 100 bits without suffering loss of information or decrease in security, meaning that the original signature can always be recovered from its compressed state. As a further result, we propose a multi-signer compression strategy in case more than one signer agree to share the same source of public randomness. Such a strategy of bundling compressed signatures together to an aggregate has many advantages over the single signer approach

Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers

We give an overview of our critiques of “proofs” of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata

History-Free Aggregate Message Authentication Codes

Abstract. Aggregate message authentication codes, as introduced by Katz and Lindell (CT-RSA 2008), combine several MACs into a single value, which has roughly the same size as an ordinary MAC. These schemes reduce the communication overhead significantly and are therefore a promising approach to achieve authenticated communication in mobile ad-hoc networks, where communication is prohibitively expensive. Here we revisit the unforgeability notion for aggregate MACs and discuss that the definition does not prevent “mix-and-match ” attacks in which the adversary turns several aggregates into a “fresh” combination, i.e., into a valid aggregate on a sequence of messages which the attacker has not requested before. In particular, we show concrete attacks on the previous scheme. To capture the broader class of combination attacks, we provide a stronger security notion of aggregation unforgeability. While we can provide stateful transformations lifting (nonordered) schemes to meet our stronger security notion, for the statefree case we switch to the new notion of history-free sequential aggregation. This notion is somewhat between non-ordered and sequential schemes and basically says that the aggregation algorithm is carried out in a sequential order but must not depend on the preceding messages in the sequence, but only on the shorter input aggregate and the local message. We finally show that we can build an aggregation-unforgeable, history-free sequential MAC scheme based on general assumptions.