1

Efficient Authentication for Mobile and PervasiveComputing

Basel Alomair, Member, IEEE and Radha Poovendran, Senior Member, IEEE

AbstractWith todays technology, many applications rely on the existence of small devices that can exchange information and formcommunication networks. In a significant portion of such applications, the confidentiality and integrity of the communicated messagesare of particular interest. In this work, we propose two novel techniques for authenticating short encrypted messages that are directedto meet the requirements of mobile and pervasive applications. By taking advantage of the fact that the message to be authenticatedmust also be encrypted, we propose provably secure authentication codes that are more efficient than any message authenticationcode in the literature. The key idea behind the proposed techniques is to utilize the security that the encryption algorithm can provideto design more efficient authentication mechanisms, as opposed to using standalone authentication primitives.

Index TermsAuthentication, unconditional security, computational security, universal hash-function families, pervasive computing

F

1 INTRODUCTION AND RELATED WORK

P RESERVING the integrity of messages exchanged overpublic channels is one of the classic goals in cryptographyand the literature is rich with message authentication code(MAC) algorithms that are designed for the sole purpose ofpreserving message integrity. Based on their security, MACscan be either unconditionally or computationally secure. Un-conditionally secure MACs provide message integrity againstforgers with unlimited computational power. On the otherhand, computationally secure MACs are only secure whenforgers have limited computational power.

A popular class of unconditionally secure authentication isbased on universal hash-function families, pioneered by Carterand Wegman [1][4]. Since then, the study of uncondition-ally secure message authentication based on universal hashfunctions has been attracting research attention, both from thedesign and analysis standpoints (see, e.g., [5][11]). The basicconcept allowing for unconditional security is that the authen-tication key can only be used to authenticate a limited numberof exchanged messages. Since the management of one-timekeys is considered impractical in many applications, computa-tionally secure MACs have become the method of choice formost real-life applications. In computationally secure MACs,keys can be used to authenticate an arbitrary number ofmessages. That is, after agreeing on a key, legitimate userscan exchange an arbitrary number of authenticated messageswith the same key. Depending on the main building blockused to construct them, computationally secure MACs canbe classified into three main categories: block cipher based,cryptographic hash function based, or universal hash-functionfamily based.

CBC-MAC is one of the most known block cipher basedMACs, specified in the Federal Information Processing Stan-

B. Alomair and R. Poovendran are with the Department of Electri-cal Engineering, University of Washington, Seattle, WA, 98195 e-mail:{alomair,rp3}@uw.edu.

dards publication 113 [12] and the International Organizationfor Standardization ISO/IEC 9797-1 [13]. CMAC, a modifiedversion of CBC-MAC, is presented in the NIST specialpublication 800-38B [14], which was based on the OMACof [15]. Other block cipher based MACs include, but are notlimited to, XOR-MAC [16] and PMAC [17]. The security ofdifferent MACs has been exhaustively studied (see, e.g., [18][20]).

The use of one-way cryptographic hash functions for mes-sage authentication was introduced by Tsudik in [21]. Apopular example of the use of iterated cryptographic hashfunctions in the design of message authentication codes isHMAC, which was proposed by Bellare et al. in [22]. HMACwas later adopted as a standard [23]. Another cryptographichash function based MAC is the MDx-MAC proposed byPreneel and Oorschot [24]. HMAC and two variants of MDx-MAC are specified in the International Organization for Stan-dardization ISO/IEC 9797-2 [25]. Bosselaers et al. describedhow cryptographic hash functions can be carefully coded totake advantage of the structure of the Pentium processor tospeed up the authentication process [26].

The use of universal hash-function families in the Carter-Wegman style is not restricted to the design of unconditionallysecure authentication. Computationally secure MACs based onuniversal hash functions can be constructed with two roundsof computations. In the first round, the message to be authen-ticated is compressed using a universal hash function. Then, inthe second round, the compressed image is processed with acryptographic function (typically a pseudorandom function1).Popular examples of computationally secure universal hashingbased MACs include, but are not limited to, [27][33].

Indeed, universal hashing based MACs give better per-formance when compared to block cipher or cryptographichashing based MACs. In fact, the fastest MACs in the cryp-

1. Earlier designs used one-time pad encryption to process the compressedimage. However, due to the difficulty to manage such on-time keys, recentdesigns resorted to computationally secure primitives (see, e.g., [27])

IEEE TRANSACTIONS ON MOBILE COMPUTING VOL:13 NO:3 YEAR 2014

tographic literature are based on universal hashing [34]. Themain reason behind the performance advantage of universalhashing based MACs is the fact that processing messagesblock by block using universal hash functions is orders ofmagnitude faster than processing them block by block usingblock ciphers or cryptographic hash functions.

One of the main differences between unconditionally secureMACs based on universal hashing and computationally secureMACs based on universal hashing is the requirement toprocess the compressed image with a cryptographic primitivein the latter class of MACs. This round of computation is nec-essary to protect the secret key of the universal hash function.That is, since universal hash functions are not cryptographicfunctions, the observation of multiple message-image pairs canreveal the value of the hashing key. Since the hashing key isused repeatedly in computationally secure MACs, the exposureof the hashing key will lead to breaking the security of theMAC. Thus, processing the compressed image with a crypto-graphic primitive is necessary for the security of this class ofMACs. This implies that unconditionally secure MACs basedon universal hashing are more efficient than computationallysecure ones. On the negative side, unconditionally secureuniversal hashing based MACs are considered impractical inmost modern applications, due to the difficulty of managingone-time keys.

There are two important observations to make about existingMAC algorithms. First, they are designed independently of anyother operations required to be performed on the message tobe authenticated. For instance, if the authenticated messagemust also be encrypted, existing MACs are not designed toutilize the functionality that can be provided by the under-lying encryption algorithm. Second, most existing MACs aredesigned for the general computer communication systems,independently of the properties that messages can possess. Forexample, one can find that most existing MACs are inefficientwhen the messages to be authenticated are short. (For instance,UMAC, the fastest reported message authentication code in thecryptographic literature [34], has undergone large algorithmicchanges to increase its speed on short messages [35].)

Nowadays, however, there is an increasing demand for thedeployment of networks consisting of a collection of smalldevices. In many practical applications, the main purpose ofsuch devices is to communicate short messages. A sensornetwork, for example, can be deployed to monitor certainevents and report some collected data. In many sensor networkapplications, reported data consist of short confidential mea-surements. Consider, for instance, a sensor network deployedin a battlefield with the purpose of reporting the existence ofmoving targets or other temporal activities. In such applica-tions, the confidentiality and integrity of reported events areof critical importance [36][38].

In another application, consider the increasingly spreadingdeployment of radio frequency identification (RFID) systems.In such systems, RFID tags need to identify themselves toauthorized RFID readers in an authenticated way that alsopreserves their privacy. In such scenarios, RFID tags usuallyencrypt their identity, which is typically a short string (forexample, tags unique identifiers are 64-bit long in the EPC

Class-1 Generation-2 standard [39]), to protect their privacy.Since the RFID reader must also authenticate the identity ofthe RFID tag, RFID tags must be equipped with a messageauthentication mechanism [40][42].

Another application that is becoming increasingly importantis the deployment of body sensor networks. In such applica-tions, small sensors can be embedded in the patients bodyto report some vital signs. Again, in some applications theconfidentiality and integrity of such reported messages can beimportant [43][45].

There have been significant efforts devoted to the designof hardware efficient implementations that suite such smalldevices. For instance, hardware efficient implementations ofblock ciphers have been proposed in, e.g., [46][51]. Imple-mentations of hardware efficient cryptographic hash functionshave also been proposed in, e.g., [52][55]. However, there hasbeen little or no effort in the design of special algorithms thatcan be used for the design of message authentication codesthat can utilize other operations and the special properties ofsuch networks. In this paper, we provide the first such work.

CONTRIBUTIONS. In this work, we pose the followingresearch question: if there is an application in which messagesthat need to be exchanged are short and both their privacyand integrity need to be preserved, can one do better thansimply encrypting the messages using an encryption algorithmand authenticating them using standard MAC algorithm? Weanswer the question by proposing two new techniques forauthenticating short encrypted messages that are more efficientthan existing approaches. In the first technique, we utilize thefact that the message to be authenticated is also encrypted,with any secure encryption algorithm, to append a short ran-dom string to be used in the authentication process. Since therandom strings used for different operations are independent,the authentication algorithm can benefit from the simplicityof unconditional secure authentication to allow for faster andmore efficient authentication, without the difficulty to manageone-time keys. In the second technique, we make the extraassumption that the used encryption algorithm is block cipherbased to further improve the computational efficiency of thefirst technique. The driving motive behind our investigation isthat using a general purpose MAC algorithm to authenticateexchanged messages in such systems might not be the mostefficient solution and can lead to waste of resources alreadyavailable, namely, the security that is provided by the encryp-tion algorithm.

ORGANIZATION. The rest of the paper is organized asfollows. In Section 2 we list our notations and discuss somepreliminaries. In Section 3 we describe the first authenticationtechnique assuming messages do not exceed a maximumlength, discuss its performance advantages over existing tech-niques, and prove its security. In Section 4, we propose amodification to the scheme of Section 3 that provides astronger notion of integrity. In Section 5, we describe thesecond technique assuming the encryption is block cipherbased, discuss its performance, and prove its security. InSection 6, we conclude the paper.

2

2 NOTATIONS AND PRELIMINARIES2.1 Notations

- We use Zp as the usual notation for the finite integerring with the addition and multiplication operationsperformed modulo p.

- We use Zp as the usual notation for the multiplicativegroup modulo p; i.e., Zp contains the integers that arerelatively prime to p.

- For two strings a and b of the same length, (a b)denotes the bitwise exclusive-or (XOR) operation.

- For any two strings a and b, (a||b) denotes the concate-nation operation.

- For a nonempty set S, the notation s $ S denotesthe operation of selecting an element from the set Suniformly at random and assigning it to s.

2.2 Negligible Functions

Another term that will be used in the reminder of the paperis the definition of negligible functions. A function negl :N R is said to be negligible if for any nonzero polynomialpoly, there exists N0 such that for all N > N0, |negl(N)|