Aggregate Entity Authentication Identifying Invalid Entities with Group Testing

: It is common to implement challenge-response entity authentication with a MAC function. In such an entity authentication scheme, aggregate MAC is effective when a server needs to authenticate many entities. Aggregate MAC aggregates multiple tags (responses to a challenge) generated by entities into one short aggregate tag so that the entities can be authenticated simultaneously regarding only the aggregate tag. Then, all associated entities are valid if the pair of a challenge and the aggregate tag is valid. However, a drawback of this approach is that invalid entities cannot be identiﬁed when they exist. To resolve the drawback, we propose group-testing aggregate entity authentication by incorporating group testing into entity authentication using aggregate MAC. We ﬁrst formalize the security requirements and present a generic construction. Then, we reduce the security of the generic construction to that of aggregate MAC and group testing. We also enhance the generic construction to instantiate a secure scheme from a simple and practical but weaker aggregate MAC scheme. Finally, we show some results on performance evaluation.


Background
A MAC function is one of the most basic symmetric-key primitives for cryptography. Its typical application is challenge-response entity authentication, which assumes that a server and an entity share a secret key. In this scheme, the server first sends a challenge to the entity. Next, the entity computes a tag for the challenge using the MAC function with the shared secret key and returns it to the server. Finally, the server computes the tag in the same way and verifies the received tag.
Entity authentication is often crucial in identifying invalid entities to secure network applications and services. Additionally, a server may need to authenticate many devices simultaneously in an IoT network. In scenarios where an edge device plays the role of an aggregator, as shown in Figure 1, aggregate MAC [1] is suitable for efficient communication between the server and the aggregator for entity authentication. Aggregate MAC allows users to aggregate multiple tags into a tag so that the aggregate tag is as short as each of the multiple tags. In the situation shown in Figure 1, if the aggregator aggregates tags from devices and sends the aggregate tag to the server, then the server can authenticate the devices based only on the aggregate tag. If the aggregate tag is valid, then the server knows that all devices are valid. On the other hand, if the aggregate tag is invalid, then the server only knows that one or more invalid devices are included, which cannot be identified. The problem is if the server can identify invalid devices without knowing individual tags. As far as we know, it has not been addressed for entity authentication.

Our Contribution
We observe that group testing [2] can be employed to solve the above problem. For group testing, each item is assumed to be positive or negative. Multiple items are assumed to be able to be inspected by a test whose result is positive only if one or more positive items are included. All positive items can be identified with fewer tests than individual tests if the number of positive items is relatively small [3].
We introduce and explore group-testing aggregate authentication. It is a protocol participated in by multiple entities, an aggregator, and a server. Each entity has its own secret key shared with the server. The aggregator broadcasts a challenge from the server to the entities and collects their responses. The server then identifies the invalid entities by verifying the responses with the help of the aggregator.
We first formalizesd the scheme and its security requirements. The security requirements are impersonation resistance, completeness, and soundness. Impersonation resistance represents the notion that adversaries cannot impersonate an entity without knowing its secret key. Completeness requires that a valid response must not be judged invalid. Soundness requires that an invalid response must not be judged valid.
Furthermore, we present a generic construction combining a group-testing scheme and an aggregate MAC scheme. For each test in group testing, it aggregates the tags of entities examined by the test and verifies the aggregate tag. The aggregate tag is valid (negative) if all the involved tags are valid. Thus, invalid entities can be identified with fewer tests than by examining them individually. We also show that the generic construction satisfies impersonation resistance if the underlying aggregate MAC scheme is unforgeable, completeness if the underlying group-testing scheme satisfies completeness, and soundness if the underlying aggregate MAC scheme satisfies soundness. Furthermore, considering that the simple and practical Katz-Lindell aggregate MAC scheme [1] does not satisfy soundness, we enhance the generic construction to instantiate group-testing aggregate entity authentication satisfying soundness by using aggregate MAC not satisfying soundness.
Finally, we evaluate the performance of the proposed construction instantiated with SHA-256 [4] and HMAC [5] by software implementation.

Related Work
Katz and Lindell [1] introduced and investigated aggregate MAC. They presented a provably secure scheme for generating an aggregate tag by XOR of the associated tags. Eikemeier et al. [6] formalized sequential aggregate MAC and presented provably secure schemes. Sato et al. [7] proposed a sequential aggregate MAC scheme for aggregating tags without using the secret keys of associated users. Ishii and Tada [8] presented an aggregate MAC scheme that aggregates tags following the structure represented by a series-parallel graph.
Goodrich et al. [9] applied group testing to MAC schemes for identifying tampered data items. Along this line of research, Minematsu [10] proposed a computationally efficient scheme of group testing MAC based on PMAC [11]. Minematsu and Kamiya [12] proposed a method for reducing the number of tags.
Hirose and Shikata [13,14] applied group testing to aggregate MAC for identifying invalid messages from multiple senders. They used non-adaptive group testing for a generic construction. Sato and Shikata [15] presented a generic construction using adaptive group testing. Anada and Kamibayashi [16] followed the discussion by Sato and Shikata [17] and discussed the quantum security of aggregate MAC combined with non-adaptive grouptesting. Ogawa et al. [18] presented a scheme reducing the number of aggregate tags based on biorthogonal codes.

Organization
Section 2 defines notations and cryptographic primitives and describes group testing. Section 3 provides the syntax and security requirements of aggregate MAC and its concrete schemes. Section 4 formalizes group-testing aggregate entity authentication and presents its generic construction, combining group-testing and aggregate MAC. Section 5 discusses the security of the generic construction and presents its enhancement. Section 6 shows some results of the performance evaluation by software implementation. Section 7 gives a brief concluding remark.
This article is an extended and improved version of our conference paper [19]. We refine the formalization of security requirements, which are described in Section 4, based on the idea by Bellare and Rogaway [20]. Accordingly, we revise the theorems and proofs, which are given in Section 5. We also add the results on performance evaluation.

Notation
{0, 1} l is regarded as the set of all binary sequences of length l. Let {0, 1} * := l≥0 {0, 1} l . For binary sequences x, y, their concatenation is denoted by x y.
Let S be a set. For v := (v 1 , . . . , v n ) ∈ {0, 1} n and s := (s 1 , . . . , s n ) ∈ S n , let v s := (s j 1 , . . . , s j w ), where 1 ≤ j 1 < · · · < j w ≤ n and v j = 1 iff j ∈ {j 1 , . . . , j w }. For u, u ∈ {0, 1} n , let u ∨ u be their component-wise disjunction. Let s ← ← S represent that s is sampled uniformly at random from S. f is called a secure pseudorandom function (PRF) if it is intractable to distinguish f K with K ← ← K from a uniform random function ρ : X → Y. An adversary A is given either f K or ρ as an oracle and is allowed to make adaptive queries in X . A outputs 0 or 1. The where A is regarded as a random variable which takes values in {0, 1}. It is easy to see that a secure PRF is a secure MAC function, and that a secure MAC function is not necessarily a secure PRF.

Cryptographic Hash Function
A cryptographic hash function H : {0, 1} * → {0, 1} τ is often simply called a hash function. Among its various security requirements, our work is concerned with the random oracle model and collision resistance.
The random oracle model [21] assumes that H is an ideal function such that, for any X ∈ {0, 1} * , H(X) is chosen uniformly at random from {0, 1} τ . H is called a random oracle.
H is said to satisfy collision resistance if it is intractable to find a pair of distinct inputs of H mapped to the same output. The advantage of an adversary A against H is Notice that the above definition is not theoretically precise: H should be sampled from a sufficiently large number of hash functions at random.

Group Testing
Suppose that there exists a set of items, each of which is either positive or negative. It is assumed that a test can inspect multiple items simultaneously and that the result is positive iff one or more positive items exist among them. Then, it may be possible to identify positive items with fewer tests than by inspecting all the items individually.
A group-testing algorithm can be described as a sequence of sets of tests. Suppose that there are n items. Then, each test can be denoted by a vector in {0, 1} n such that the j-th element equals 1 iff the test examines the j-th item. Let G 1 , G 2 , . . . , G u ⊆ {0, 1} n be a sequence of sets of tests, where u is the number of its stages. The sets of tests are conducted in this order, and the order of the tests in each stage is arbitrary. A group-testing algorithm is called non-adaptive if all the tests are determined beforehand. Thus, it has only a single stage. A group-testing algorithm is called adaptive if the tests in the next stage are determined after the tests in the current stage.
Let G := G 1 ∪ G 2 ∪ · · · ∪ G u . It is reasonable to assume that each test examines at least one item and that the whole set of tests examines all items. Namely, 0 n ∈ G and g∈G g = 1 n . The group-testing algorithm extracts candidates of positive items in the following way. For We call the group-testing algorithm complete if J u does not include any negative elements. We call it sound if J u includes all the positive elements. It is sound if the results of the tests are always correct. On the other hand, it may not be complete in general.
For non-adaptive group testing, let us see the matrix G whose rows are the vectors in a set G of tests, which is called a group-testing matrix. We call G d-disjunct if the componentwise disjunction of any d columns in G does not equal the component-wise disjunction of itself and any other single column. Suppose that non-adaptive group testing is represented by a d-disjunct matrix. Then, it is complete if there are at most d positive items. Specifically, all the positive items are identified.

Syntax
A tuple of algorithms AM := (KG, Tag, Agg, Ver) formalizes an aggregate MAC scheme. It is associated with an ID space I, a key space K, a message space M, a tag space T , and an aggregate-tag space A. • KG is a key-generation algorithm such that k ← KG(1 κ ), where κ is a security parameter and k ∈ K. Each entity is assigned a secret key independently generated by KG.

•
Tag is a tagging algorithm such that and T are valid if d = 1 and invalid otherwise.

Security Requirement
Unforgeability and soundness are formalized as security requirements for aggregate MAC. Soundness is required for applying group testing to aggregate MAC [14].

Unforgeability
We introduce a game G uf AM,A to define unforgeability, where A is an adversary allowed to make queries adaptively to the oracles T G, KD, and V R. • T G is called a tagging oracle. It returns t ← Tag(k id , m) in response to a query (id, m), where k id is the key of the entity id. • KD is called a key-disclosure oracle. It accepts a query id and returns k id . • V R is called a verification oracle. It accepts a query (((id 1 , m 1 ), . . . , (id p , m p )), T) and returns d ← Ver(((id 1 , k 1 ), . . . , (id p , k p )), ((id 1 , m 1 ), . . . , (id p , m p )), T). For a query (((id 1 , m 1 ), . . . , (id p , m p )), T) made by A to V R, we call (id j , m j ) a fresh pair if A does not ask it to T G and does not ask id j to KD prior to the query. V R does not accept a query with no fresh pair. G uf AM,A outputs 1 iff A gets 1 from V R for at least one query. The advantage of A against AM for unforgeability is defined by It is informally stated that AM is unforgeable or satisfies unforgeability if, for any efficient A, Adv uf AM (A) is negligible.

Soundness
To define soundness, we specify a game G snd AM,A , where A is an adversary allowed to make queries adaptively to the aggregate-then-verify oracle AV R in addition to the oracles T G, KD, and V R. AV R accepts a query ((id 1 , m 1 , t 1 ), . . . , (id p , m p , t p )) and computes 1.
. G snd AM,A outputs 1 iff A gets 1 from AV R for at least one query. The advantage of A against AM for soundness is defined by It is informally stated that AM is sound or satisfies soundness if, for any efficient A, Adv snd AM (A) is negligible.

Aggregate MAC Scheme by Katz and Lindell
Let F : K × M → {0, 1} τ be a MAC function. The Katz-Lindell aggregate MAC scheme [1] using F is specified as follows: • Each entity id ∈ I is given a secret key k id ← ← K. • The tagging algorithm returns a tag t ← F k (m) in response to (k, m) ∈ K × M. Let AM X denote the Katz-Lindell aggregate MAC scheme. AM X is shown to be unforgeable for any efficient adversary asking the verification oracle a single query [1]. It is also shown to be unforgeable even for any efficient adversary asking the verification oracle multiple queries: ). Let A be any adversary against AM X with users. Suppose that A asks the tagging oracle q t queries and the verification oracle q v queries. Suppose that each verification query by A consists of at most p pairs of ID and message. Then, there exists some adversaryȦ satisfying A asks the tagging oracle at most (q t + p) queries and the verification oracle at most one query.Ȧ's running time is at most about that of G uf AM X ,A .

Aggregate MAC Scheme Using Hashing
We refer to the aggregate MAC scheme using a hash function H : {0, 1} * → {0, 1} τ to aggregate tags [14] as AM H . AM H is specified as follows: • The key generation and tagging algorithms are identical to those of AM X . • For (id 1 , m 1 , t 1 ), . . . , (id p , m p , t p ), the aggregate algorithm returns T ← H(t 1 · · · t p ). For the uniqueness of the aggregate tag T, (id 1 , m 1 , t 1 ), . . . , (id p , m p , t p ) are assumed to be ordered in a lexicographic order. • Taking (id 1 , k 1 ), . . . , (id p , k p ) and ((id 1 , m 1 ), . . . , (id p , m p ), T) as input, the verification algorithm outputs 1 if H(F k 1 (m 1 ) · · · F k p (m p )) = T and 0 otherwise. AM H is shown to be unforgeable if F is unforgeable and H is a random oracle [14]: Proposition 2. Let A be any adversary against AM H with users. Suppose that A asks the random oracle H q h queries, the tagging oracle q t queries, and the verification oracle q v queries. Suppose that each verification query by A consists of at most p pairs of ID and message. Then, there exists some adversaryȦ satisfying A asks the random oracle at most (q h + q v ) queries, the tagging oracle at most (q t + p) queries, and the verification oracle at most one query.Ȧ's running time is at most about that of G uf AM H ,A .

Scheme
We present a group-testing aggregate entity authentication scheme. It is a challengeresponse protocol between a server and a set of entities, and they communicate through an aggregator ( Figure 1). It consists of a group-testing algorithm GT and an aggregate MAC scheme AM := (KG, Tag, Agg, Ver) and is denoted by EA[GT, AM].
Let P := {P 1 , P 2 , . . . , P n } denote the set of entities. Each P j has an ID id j and shares a secret key k j ← KG(1 κ ) with the server. EA[GT, AM] proceeds as follows: Step 1: The server sends a challenge c ← ← {0, 1} ν to the aggregator, which broadcasts it to the entities.
Step 2: In response to c, each entity P j returns (id j , t j ) to the aggregator, where t j ← Tag(k j , c).
Step 4: With the help of the aggregator, the server identifies the valid entities using GT, Agg, and Ver in the following way: 1. J 0 ← {id 1 , id 2 , . . . , id n }.

2.
Let u be the number of stages of GT. For 1 ≤ i ≤ u, (a) According to GT, both the server and the aggregator determine the set of tests G i := {g i,1 , . . . , g i,|G i | }.
For the description above, Step 3 can be merged with the first move of 2(b) in Step 4 if the server knows the number of entities to be authenticated in advance. If GT is nonadaptive, then u = 1, and both the server and the aggregator know all the tests in advance. In addition, the server does not have to send the results of the tests to the aggregator in Step 4(c). If GT is adaptive, then the results of G 1 , . . . , G j determine G j+1 . Since the server sends the results of the current tests to the aggregator, the aggregator can also determine the new set of tests.

Security Requirement
The security requirements of EA[GT, AM] are impersonation resistance, completeness, and soundness.

Impersonation Resistance
We introduce a game G im EA[GT,AM],A to formalize impersonation resistance. In this game, the adversary A is supplied with oracles {S (i) | i ∈ N} working as the server. For the i-th run of EA[GT, AM], A triggers S (i) , which starts the protocol by returning a challenge c (i) to G im EA[GT,AM],A outputs 1 iff there exist some i * and j * such that id j * ∈ J (i * ) , A does not ask c (i * ) to P (i * ) j * , and A does not ask corrupt to P

Completeness and Soundness
Completeness and soundness are security requirements for the identifiability of (in)valid responses to a challenge. We introduce games G cmp EA[GT,AM],A and G snd EA[GT,AM],A . In both games, the adversary A is not allowed to corrupt the server and the aggregator, and the communication channel between them is authenticated. Notice that, if A is allowed to tamper aggregate tags, then any valid response by an entity can be judged invalid by the server.
In both of the games, the adversary A is supplied with oracles {SA (i) | i ∈ N} playing the roles of the server and the aggregator. A is also supplied with oracles {P   respectively.

Remark 1.
The unforgeability of the tagging algorithm is irrelevant to soundness. This is because, for soundness, A is allowed to ask (tag, c (i) ) and corrupt to P (i) j for any i and j. If the tagging algorithm is unforgeable and A is not allowed to ask them to P (i) j , then it cannot return a valid tag to c (i) . Thus, impersonation resistance can be regarded as weak soundness in that All in all, impersonation resistance is sufficient to identify invalid entities. Soundness is required to achieve the same function as individual verification of each response, that is, to identify invalid responses.

Impersonation Resistance
The impersonation resistance of EA[GT, AM] is reduced to the unforgeability of AM: Theorem 1. For any adversary A against EA[GT, AM] for impersonation resistance, triggering at most q r runs of EA[GT, AM] and making at most q t tagging queries and q c corrupt queries, there exists some adversaryȦ satisfying The number of queries made byȦ to T G is at most q t . The number of queries made byȦ to KD is at most q c . The number of queries made byȦ to V R is at most the total number of tests completed by S (i) 's in G im EA[GT,AM],A . The running time ofȦ is at most about that of G im EA[GT,AM],A .
Proof. In G uf AM,Ȧ ,Ȧ runs G im EA[GT,AM],A . If A makes a tagging query (tag, c) to P (i) j , thenȦ asks (id j , c) to T G and gets t j ← Tag(k j , c), which is returned to A. If A makes a corrupt query to P (i) j , thenȦ asks id j to KD and gets k j , which is returned to A.Ȧ simulates S (1) , S (2) , . . . , S (q r ) by making use of V R.
Suppose that G im EA[GT,AM],A outputs 1. Then, there are two cases: 1.
There exists some i * such that the challenge c (i * ) of the i * -th run of EA[GT, AM] collides with some previous challenge c (i ) (i < i * ) or c in a previous tagging query.

Enhancing the Generic Construction
EEA[GT, AM] is equipped with a PRF R : R × I × {0, 1} ν+τ → {0, 1} τ , where R is its key space. A shared secret key r ∈ R is given to the server and the aggregator. Notice that, for soundness, the communication channel between the server and the aggregator is assumed to be authenticated. Thus, the assumption is not critical that the server and the aggregator share a secret key. EEA[GT, AM] is specified as follows: Steps 1 to 3: Identical to those of EA[GT, AM].
Step 4: t j ← R r (id j , c t j ) for 1 ≤ j ≤ n.
Step 5: Identical to Step For G snd EEA ρ [GT,AM X ],A , let Col be the event that there exists a collision among the challenges generated in the runs of EEA ρ [GT, AM X ]. Then, Since A triggers at most q r runs of EEA[GT, AM X ], Finally, let us see that Let c (i) be the challenge in the i-th run of EEA ρ [GT, AM X ] and t i,j := F k j (c (i) ). If Col does not occur, then ρ(id j , c (i) t i,j ) is chosen uniformly at random. Thus, the probability that the result of a test involving (id j , t i,j ) such that t i,j = t i,j happens to be valid is at most 1/2 τ .

Performance Evaluation
We implemented the verification algorithms of group-testing aggregate entity authentication for EA[GT, AM X ], EEA[GT, AM X ], and EA[GT, AM H ]. We used the MAC function HMAC-SHA-256 for tagging and SHA-256 to aggregate tags for AM H . For GT, we adopted non-adaptive group testing and used d-disjunct matrices generated by the shifted transversal design (STD) [30], where d is the upper bound on the number of invalid entities.
We implemented the algorithms in Python 3.10.9 and utilized the modules hmac and hashlib for SHA-256 and HMAC-SHA-256. We evaluated the performance of our implementations on a MacBook Pro with Apple M1, 16 GB of memory, and macOS Ventura 13.3.1.
Each time presented in Table 1 is the smallest of ten measurements. The "Tagging" column shows the time required to generate all the tags for the entities. Thus, they almost equal the time to verify all the tags of the entities one by one. For the same number of entities, there is no significant difference in the times required for verification by EA[GT, AM X ], EEA[GT, AM X ], and EA[GT, AM H ]. They depend on the numbers of 1's in the group-testing matrices, which are 600, 18,000, and 690,000 for 100, 1000, and 10,000 entities, respectively.   Table 2 presents the number of rows and the number of 1's in the group-testing matrices used for the experiments. If d ≥ 27, then EEA[GT, AM X ] cannot reduce the amount of communication between the server and the aggregator.
In Figure 3, the orange dots represent the times. For reference, we also give the blue dots representing the values of (the number of 1's in the group-testing matrix)/5000. As shown in Table 2, for group-testing matrices based on STD, the number of rows increases with the value of d. On the other hand, this is not necessarily the case for the number of 1's.

Concluding Remark
We have introduced and explored group-testing aggregate authentication. We have first formalized the scheme and security requirements. Then, we have presented a general construction utilizing a group-testing scheme and an aggregate MAC scheme. We have reduced the security properties of the generic construction and its enhancement to those of the underlying group testing and aggregate MAC. Finally, we have shown results on the performance evaluation of the proposed construction instantiated with SHA-256 and HMAC.
The proposed construction can easily be deployed due to its simplicity. In addition, any progress in group testing and aggregate MAC will benefit it. Future work is to improve the performance further. It is interesting to see if the idea of Minematsu and Kamiya [12] is effective for our proposed construction.