arXiv:2001.05211v2 [cs.CR] 15 Oct 2020 lsl nertdwt h xsigcmue infrastruct computer existing the through with integrated closely ninIsiueo ehooy eh,Ida(-al vire (e-mail: India Delhi, Technology, of Institute Indian optrEgneig ignaTc,Bakbr,Virgini Blacksburg, [email protected]). [email protected], Tech, [email protected], Virginia Engineering, Computer adit-osrie)ntok ene ocnie two consider to need and/or energy we (i.e., network, resource-constrained a bandwidth-constrained) in applicatio network MACs authen- wired/wireless employ message in providing integrity for and and ticity method the forgery used is se (MAC) message commonly thwart code most including authentication to message threats, ability Today, ap- tampering. privacy our those on and of depend curity adoption partially successful will The plications [26]. (IoT) of-Things nutilcnrlssesadsatct ewrs large a networks, city smart of and number systems control industrial hstaeofmyb ncetbe epooeavratof variant a propose we authenticatio as unacceptable, wh to the refer be messages we of that may CuMAC latency-sensitive processing trade-off some to in this for cryptograph receiver latency Furthermore, the the the tags. between enables and trade-off CuMAC Embod strength advantageous tags. procedures, an authentication two achieve the these verifying M receiv using underlying with and a the by collecting accumulation, of MACs strength by In cryptographic multiple procedure. the of accumulates encoding segments systematic from a tags procedures: thentication distinctive two accumulation of consists authentic message which for approach called t novel tion naive address which a we MAC proposing exchange paper, yet by truncated this in problem straightforward In a overhead. strength employ A communication cryptographic reduced to output. is sacrifices MAC problem to undesirably this due the to possible of solution not provi is size to integrity large (MACs) and authentication codes message authentication message conventional fCMCadCMCStruhsmlto n prototype a car. and real simulation a through on CuMAC/S implementation evalua and comprehensive out CuMAC crypt carried of the have compromising We strength. without graphic latency red verification significantly messages MAC CuMAC/S spec- speculated, the the reliably For a be segments. can and employ MAC which values corresponding to message procedures the receiver future accumulation computing predicting and for and sender procedure aggregation ulation the the enables to CuMAC/S addition In fTig IT;Cnrle rantok(CAN). network area Controller (IoT); of-Things eL,VrswrKumar, Vireshwar Li, He .Kmri ihteDprmn fCmue cec n Engin and Science Computer of Department the with is Kumar V. .L,J ak n .Yn r ihteDprmn fElectric of Department the with are Yang Y. appeared and work Park, this J. of portions Li, some H. of version preliminary A Abstract neegn plctos uha nelgn automobiles intelligent as such applications, emerging In Terms Index uuaieMsaeAtetcto oe for Codes Authentication Message Cumulative bandwidth-constrained I eorecntandITntok,teueof use the networks, IoT resource-constrained —In uuaieMsaeAtetcto Code Authentication Message Cumulative energy-constrained nageain edrgnrtscmatau- compact generates sender a aggregation, In . Msaeatetcto oe(A) Internet- (MAC); code authentication —Message eoreCntandITNetworks IoT Resource-Constrained .I I. NTRODUCTION uA ihSpeculation with CuMAC ebr IEEE, Member, optn eie r getting are devices computing ewrst omteInternet- the form to networks [email protected]). aggregation ugMn(er)Park, (Jerry) Jung-Min ,UA(e-mail: USA a, (CuMAC/S). (CuMAC), n[18]. in s To ns. eering, land al uces pre- tion and ure AC the ere ied for his de er o- a- ic n - , , A ota tfisamsaepce 2] 3] 3] This [35]. a [32], called [28], is packet message MAC convention a a of fits of it type output that the so truncate MAC to is tag authentication Work. [26]. MAC Related conventional the an include of to usage spared m the is not be prohibiting such, can packet As bits [24]. each few bits a hundred of than a size than less payload i.e., short, the very network), area controller in-ve wi bandwidth-constrained network and devices wide-area cryptographic battery-powered low-power of energy-constrained level net IoT sufficient (e.g., resource-constrained a in ensure Unfortunately, to strength. output MAC of a Hence, quality output. and MAC the size MAC of the size cipher), the and block key, or the cryptograp hash underlying a the (e.g. of primitive strength cryptographic the address. on to easy as Problem. not is problem second [ the each However, accelerators by in [31]. cryptographic addressed MAC and be hardware the can dedicated of problem using first inclusion The the frame/packet. to message gen- due communicati for incurred additional devices overhead the and the MAC, on the burden erating/verifying computational the problems: ontcueuacpal easi h aktprocessing. packet the in delays minimal processe unacceptable incurring verification cause and (3) not generation do MAC and the application, that so the latency meets of strength cryptographic need a the security in that fit ensuring can MAC (2) the packet, that so incurrin overhead (1) communication networks: minimal IoT for MACs employing MAC. in challenges the of validity the Challenges. verify to messages able associ the being all process of before and packets receive verification to needs schemes the receiver MAC the in because compound latency and significant [2 aggregate incur packets the successive a over both distributed However, propose and al. messages, et tiple Nilson over MAC Similarly, transmitted compound [16]. and MAC, packets aggregate successive one into combined of are concept the propose enhan MAC al. gregate with et authentication Katz strength, enable cryptographic To vulnerabl [4]. application some attacks sufficien the in collision without renders MAC unacceptable, strength truncated even cryptographic the or that Note undesirable, applications. be may consumption which energy exchang and overhead in communication reduced strength for cryptographic sacrifices MAC truncated ceetpclyeposa es e ude bits hundred few a least at employs typically scheme elw IEEE, Fellow, h rporpi tegho A depends MAC a of strength cryptographic The nteaoedsuso,w dniytrecritical three identify we discussion, above the In hr ovninlMC fmlil messages multiple of MACs conventional where hc scluae nacmon fmul- of compound a on calculated is which h eayslto o eeaigashort a generating for solution legacy The n aigYang, Yaling and rnae MAC truncated ebr IEEE Member, uhniaintag authentication oee,the However, . conventional works hicle ated to e 11], ced ag- ore the hic 4]. on of th al g e s 1 t , , Proposed Solution. In this paper, we addresses the afore- mentioned challenges through a novel approach for message Cloud layer: authentication that we refer to as Cumulative Message Au- resource abundant thentication Code (CuMAC). In CuMAC, a sender utilizes a procedure called aggregation through which the sender first Edge layer: divides the full-sized MAC of each message into multiple short resource sufficient MAC segments, and then “aggregates” the MAC segments of multiple messages using a systematic encoding procedure to form a short authentication tag. This procedure resolves the

first challenge of ensuring low communication overhead. Smart meters in Further, the receiver utilizes a procedure called accumula- smart building Sensor networks for smart tion through which it first verifies the MAC segments aggre- In-vehicle controller Device layer: city infrastructure gated into the authentication tag of each received packet, and resource constrained area network (CAN) then “accumulates” the cryptographic strength by collecting the verified MAC segments associated with the target mes- Fig. 1: Architecture of typical IoT networks. sage. In this procedure, the receiver may incur delay that is proportional to the accumulated cryptographic strength since it of two novel concepts that we refer to as aggregation needs to wait for the relevant tags to be received and processed. (which reduces the communication overhead) and accu- Hence, while the accumulation procedure caters to the second mulation (which increases the cryptographic strength). and the third challenge, it brings up a novel and flexible trade- • We propose a variant of CuMAC called CuMAC/S that off between the cryptographic strength and latency. CuMAC meets the security need of delay-sensitive, resource- enables the receiver to authenticate the message in real-time constrained IoT applications. CuMAC/S enables accumu- with the cryptographic strength which is commensurate with lation of cryptographic strength while incurring minimal the size of each tag. Meanwhile, CuMAC also enables the delay by employing the novel idea of speculation. authentication with the highest level of cryptographic strength • We have thoroughly evaluated the effectiveness of after accumulating all segments of the MAC that covers the CuMAC and CuMAC/S through a simulated in-vehicle message in the associated packets. controller area network and a prototype implementation Moreover, in latency-sensitive IoT applications, the receiver on a real car. Our results illustrate that while incurring may be required to immediately authenticate a message with the same communication overhead as the truncated MAC high cryptographic strength as it arrives. In such cases, the scheme, CuMAC achieves the cryptographic strength trade-off made by CuMAC may not be sufficient. To address equivalent to the conventional MAC scheme at the cost this need, we propose a variant of CuMAC called CuMAC with of increased latency. Further, for the messages which can Speculation (CuMAC/S) that enables a receiver to accumulate be accurately speculated, CuMAC/S achieves the cryp- the MAC’s cryptographic strength while incurring minimal tographic strength equivalent to the conventional MAC delay. The core concept of CuMAC/S is motivated by the scheme without any additional latency. technique of speculative execution1 which is widely employed in modern computer systems [7], [23]. CuMAC/S can be II. MOTIVATION FOR SHORT MACS utilized in IoT applications where future messages can be IoT networks consist of resource-constrained devices at predicted correctly with high reliability with an appropriate the lowest layer as shown in Figure 1. To enable message speculation model using the current and past messages. authentication in such networks, it is imperative to use short In CuMAC/S, a sender speculates future messages, com- MACs as demonstrated by the following discussion of two spe- putes the corresponding MACs, and aggregates the MAC cific application scenarios – one with the energy-constrained segments of the speculated messages into the authentication devices and another with the bandwidth-constrained devices. tag of the current packet. If the speculated value of a received message is equal to the actual value, then all its segments can be verified in current and previous tags, and hence the receiver A. Low-Power Wide-Area Network (LPWAN) can accumulate cryptographic strength without having to wait Many IoT applications (e.g., smart metering and smart city for tags included in forthcoming packets; this significantly cuts infrastructure) require a densely deployed network of low- down on the MAC verification delay. cost energy-constrained battery-operated wireless devices. The The paper’s main contributions are summarized as follows. paradigm of LPWAN is aimed at fulfilling these requirements • We propose a novel message authentication scheme called of IoT networks [26], [35]. Sigfox [29] is one example of CuMAC, which meets the security need of resource- a widely-known LPWAN technology. In Sigfox, each uplink constrained IoT applications. CuMAC is an embodiment packet contains a counter, a message (with length between 0 and 96 bits), and an authentication tag (with length between 1Speculative execution is an optimization technique in which a computer 16 and 40 bits). To enable robust communication over the system performs speculative execution where some outcome is predicted, and unreliable wireless channel, the sender in Sigfox transmits execution proceeds along a predicted path. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be multiple copies of the same packet sequentially. After trans- incurred by doing the work after it is known that it is needed. mitting the fixed number of copies of the packet, Sigfox waits Instrument Power 16 Body Cluster Steering Wireless Access No tag Control Unit Control Unit Control Unit 16-bit tag Remote Attack 14 On-board 128-bit tag Diagnostics Port CAN bus Telematics 12 Communication Unit 10 Electronic Engine Transmission Brake Control Unit Control Unit 8 Control Unit

Service life (year) 6 Fig. 3: Architecture of an in-vehicle controller area network. 4 0 20 40 60 80 100 Size of message (bits) A CAN packet consists of an 11-bit or a 29-bit identifier Fig. 2: Effect of the size of message and authentication tag field and a message field with length between 0 and 64 bits. on the service life of a sensor node in Sigfox (the results are Except the identifier and message fields, we cannot arbitrarily obtained using the battery consumption data from a Sigfox change the length or the content of other fields in the CAN compliant transceiver produced by ON Semiconductor [25].) packet as that would make the modified packet incompatible with the existing CAN protocol. Hence, in the prior art [32], [33], to realize MAC-based authentication in each packet, the for an acknowledgement from the receiver. In the absence of identifier field is used to accommodate an 18-bit counter, the acknowledgement, the packet is considered lost. We note and the message field is used to accommodate the message that Sigfox does not support retransmission of lost packets. payload as well as the authentication tag. Although such a The battery-powered Sigfox devices are expected to have a design of the modified packet ensures that it is backward- service/battery life of several years. As the energy consump- compatible, inserting a full-sized MAC in the modified packet tion of a Sigfox device is directly proportional to the size is not possible because the maximum allowed length of the of communicated packets, it is imperative to communicate message field in a CAN packet is only 64 bits. using short packets to ensure a long service life. Figure 2 Proposed Design. In both the above application scenarios illustrates that in comparison to the standard benchmark of (LPWAN and CAN), the constraints of the IoT network – 48-bit messages without any tags, while utilizing a short MAC either in terms of the MAC size or energy/bandwidth consump- with 16-bit tags achieves modest (around 10%) reduction in the tion of the networked devices – prohibit the use of the con- service life, utilizing the conventional MAC with 128-bit tags ventional MAC scheme. To address this challenge, we propose results in a significant loss of around 45% of the service life. CuMAC and CuMAC/S which can be readily employed in As such, although the message integrity and authentication are these scenarios to achieve the desired level of security provided of prime importance in applications supported by Sigfox [27], by short MACs. In this paper, we utilize CAN as a concrete the energy overhead of communicating the full-sized MAC application scenario to highlight the advantages of CuMAC output in the Sigfox packet is undesirably high. and CuMAC/S. However, these two schemes can be applied to other resource-constrained network applications, including IoT applications (e.g. LPWAN, Bluetooth Low Energy (BLE) [13], B. In-Vehicle Controller Area Network (CAN) Constrained Access Protocol (CoAP) [5] or Message Queue Today’s high-end cars use a hundred or more electronic Telemetry Transport (MQTT) [30]). control units (ECUs) to enable advanced functionalities, such as adaptive cruise control. As shown in Figure 3, these ECUs III. MODEL AND SECURITY OBJECTIVES communicate with each other over a bandwidth-constrained Here we discuss the network model and define the security wired broadcast channel called the CAN bus [6], [14]. Because objectives of the proposed MAC schemes. the messages communicated among ECUs directly affect vital functions of a vehicle, some of which are safety related (e.g., A. Model and Assumptions dynamics control system [15]), the security and reliability of the CAN bus and the integrity of the messages on it are System Model. We consider an energy-constrained and/or critical [31]. We note that while the state-of-the-art CAN bandwidth-constrained IoT network where a sender needs to bus supports robust mechanisms for message acknowledge- transmit security-critical messages to a receiver using small ment and retransmission of corrupted/lost packets, it does not packets. Hence, the sender and the receiver (after sharing a support any security mechanism [36]. Several studies have secret key) employ a MAC scheme for message authentication. shown that a car’s in-vehicle network can be compromised We let the sender employ a packet format which contains through either direct physical access (e.g., using the on-board at least three fields: a packet counter, a message, and an diagnostics port) or a remote connection (e.g., using Bluetooth) authentication tag. We note that these three fields are critical to the CAN bus [8], [17]. Due to one such vulnerability, Jeep for ensuring any secure message authentication scheme in- had to recall 1.4 million vehicles in 2015 [20]. To counter cluding CuMAC and CuMAC/S. If the network protocol (e.g., such attacks and protect the messages on the CAN bus, the Sigfox as discussed in Section II-A) employs these fields in the US National Highway Traffic Safety Administration (NHTSA) conventional packets by design, we can readily utilize them; recommends the inclusion of MACs [22]. otherwise, the packet contents can be modified in the target network protocol (e.g., CAN as discussed in Section II-B) to Real-time authentication include these fields. We assume that there exists a message acknowledgement mechanism which enables the sender to mi-n+1 τi-n+1 mi τi mi+1 τi+1 mi+n-1 τi+n-1 know if a particular packet was correctly delivered to the receiver [34]. The acknowledgement mechanism assisted with Partially accumulated authentication the packet counter enables the sender and the receiver to main- tain the same sequence of packets. Note that we do not make Full authentication any assumption about the message retransmission mechanism, Fig. 4: Illustrative distribution of the segments of the MAC of i.e., the network may or may not support retransmission. message mi, and definition of the authentication levels. Threat Model. We consider an adversary which aims to forge valid authentication tags for its malicious messages so that it current tag τi and the previous tags τi−n+1, ··· , τi−1. With can deceive the authentication scheme at the receiver. While real-time authentication, the receiver performs authentication the adversary can eavesdrop the communication channel to without any delay, but it achieves the lowest cryptographic obtain packets transmitted by the sender, it does not know the strength since there is no security accumulation using the secret key (used for generating and verifying authentication subsequent tags. On the other hand, the receiver can perform tags) shared between the sender and the receiver. full authentication after receiving all of the segments of the Cryptographic Strength. We convey the cryptographic MAC associated with message mi in tags τi−n+1, ··· , τi+n−1. strength in bits, where a cryptographic strength of λ bits With full authentication, the receiver achieves the highest cryp- for a scheme means that for any adversary making at most tographic strength, but needs to incur a latency of n−1 packets. λ λ 2 queries or taking at most 2 time, the probability of The receiver can perform partially accumulated authentication successfully launching an attack against the scheme is negli- by accumulating and processing tags τi−n+1, ··· , τi+r−1, gibly small [3]. The cryptographic strength of a conventional where 1 cryptographic primitive, (2) the strength and message verification latency to meet the security size and quality of the secret key, and (3) the size of the and performance needs of the application. MAC output. In this paper, we assume that the first and Security Objectives. The security objective of the proposed second criteria have been satisfied, and focus only on the third MAC scheme is to ensure that the probability with which an criterion. As such, to achieve a cryptographic strength of λ adversary succeeds in breaking each of the three authentication bits, the minimum size of the MAC output (denoted by ) L features is negligible (i.e, as difficult as random guessing). should be bits. λ Specifically, to break the real-time authentication feature, the adversary needs to forge a message and a valid tag. The forgery B. Proposed Approach and Security Objectives need to be fresh which means that the sender has not generated MAC Design. In this paper, we present a novel approach the MAC of the same counter and message pair using the to design a MAC scheme, which consists of two distinctive same shared key. As such, the cryptographic strength of real- procedures: aggregation and accumulation. In aggregation, the time authentication is limited by the size of the MAC segment sender generates short authentication tags from segments of l. To break the partially accumulated authentication feature multiple MACs. In accumulation, the receiver accumulates the with r accumulated segments, the adversary need to forge a cryptographic strength of the underlying MAC by collecting sequence of r messages with valid tags. In this sequence, the and verifying the authentication tags. For the scenarios where forgery for only the first message needs to be fresh. Hence, the future messages can be speculated and their corresponding cryptographic strength of partially accumulated authentication MACs can be pre-computed, the aggregation and accumulation depends on the size of the MAC segment l and the number may happen even before the messages are transmitted. of accumulated segments r. Similarly, to break the full au- We discuss the above approach through the illustration thentication feature, the adversary needs to forge a sequence shown in Figure 4. We consider that an L-bit MAC of a of n messages with valid tags, where forgery for at least the message mi is divided into n segments each of length l, and first message is fresh. Hence, the cryptographic strength of full distributed in tags τi, ··· , τi+n−1. Also, if after generating the authentication is limited by the size of MAC L. In the case of message mi−n+1, the message mi can be speculated as mi, the the speculation of future messages, the cryptographic strengths corresponding MAC is computed as σi. The MAC σi is dividedb of the real-time and the partially accumulated authentication into n segments, and the last n − 1bsegments areb distributed also depend on the message speculation accuracy. in tags τi−n+1, ··· , τi−1, which are transmitted before τi. A formal discussion of the security properties and associated Authentication Levels. To compare the proposed approach proofs corresponding to CuMAC and CuMAC/S are provided with prior art, we define three levels/features of authentica- appendix A and appendix B. tion: (1) real-time authentication, (2) full authentication, and (3) partially accumulated authentication. Figure 4 illustrates IV. TECHNICAL DETAILS OF CUMAC these different levels of authentication, when applied to mes- CuMAC comprises of two major algorithms: tag generation sage mi. Here the receiver can perform real-time authentica- and tag verification. In the tag generation algorithm, the tion immediately after receiving message mi by processing the sender computes the authentication tag through two major th is l bits, i.e., L = n · l. The j segment of σi is represented j by si , and is extracted from σi as j si ← (σi)↓[(j−1)·l+1,j·l]. (1) j It means that the bits in si correspond to the bits from Fig. 5: Schematic of the procedures at the sender in CuMAC. th th ((j − 1) · l + 1) bit to (j · l) bit in σi. Further, this al- gorithm extracts n elements from segArray (n − 1 previous steps (Figure 5). In the first step, the sender generates the MAC segments and one current MAC segment), and computes MAC of the message, breaks the MAC into short segments, the authentication tag τi as follows. and stores them into a segment array. In the second step, the n τ ← sj . (2) sender retrieves one MAC segment of the current message, and i M i−j+1 several segments of the MACs of the previously transmitted j=1,i−j+1>0 messages from the segment array, and aggregates the segments This algorithm outputs the authentication tag τi. to generate a tag. Having received each packet, the receiver τ ← TagGen(k,i,m ) runs the tag verification algorithm which includes two major i i This tag generation algorithm is run by the sender to steps. In the first step, the receiver generates an authentication generate an authentication tag. It takes as inputs the secret tag of the received message using the same procedure em- key k, a counter i and a message m . It utilizes an array ployed in the tag generation algorithm. In the second step, the i of MAC segments segTx which is stored and maintained by receiver compares the generated authentication tag with the the sender. This algorithm proceeds as follows to output the received authentication tag. If the authentication tags match, authentication tag τ . the receiver accumulates the MAC segment (aggregated in i 1) Compute the MAC of the message and set it as , the authentication tag) with the previously received MAC mi σi MacGen segments of the corresponding message. i.e., σi ← (k,i,mi). 2) Divide the MAC σ into n segments as shown in equa- Below we present the technical details of the algorithms i tion (1) and append the segments to the array segTx. in CuMAC, and an instantiation that illustrates the generation 3) Compute and output the tag τ by aggregating the and verification of the tags in CuMAC. i segments of MACs in segTx as shown in equation (2), i.e., τi ← SegAgg(segTx). A. Algorithms After receiving a positive acknowledgment of the delivery of the packet at the receiver, the sender increments the counter i CuMAC is composed of the following algorithms. by one for the next packet. We note that the counter i can k ← KeyGen(1λ) be readily employed to handle the case of a lost packet. The This probabilistic key generation algorithm is utilized by the sender gets to know that the ith packet is lost when it does not sender and receiver to obtain the secret key. The input to this receive the acknowledgement from the receiver or it receives algorithm is the security parameter λ ∈ N, and the output is a negative acknowledgement. In this case, if the sender does the secret key denoted by k. In a resource-constrained network, not support any retransmission mechanism, the sender does this algorithm can be efficiently realized by leveraging a not increment the packet counter, removes the ith row (i.e., trusted third party [28]. In the absence of such a party, it can the most recently appended row) of segments in segTx, and also be realized using an efficient key distribution scheme [9]. then proceeds with the tag generation of the next message.

σi ← MacGen(k,i,mi) valid/invalid ← TagVerify(k,i,mi, τi) This deterministic MAC generation algorithm is utilized This verification algorithm is run by the receiver for ver- by the sender and the receiver (as a sub-algorithm of tag ifying the authenticity of the received message and tag. It generation and verification algorithms) to compute the MAC of takes as inputs the secret key k, the received counter i, the a message using the secret key. The inputs to this algorithm are received message mi, and the received tag τi. It also utilizes the secret key k, a counter i and a message mi. This algorithm an array of MAC segments segRx and an array of verified outputs the L bits long MAC represented by σi. This algorithm MAC segments accRx. These arrays are stored and maintained can be realized using a cipher-based (e.g., AES-CMAC [2]) by the receiver. This algorithm first generates the tag for the or a hash-based (e.g., SHA-3) MAC scheme. In this paper, we received message using the TagGen algorithm while updating utilize the widely used AES-CMAC. the MAC segments in segRx, i.e., τi ← TagGen(k,i,mi). It then verifies whether the generated tag τ is equal to the τ ← SegAgg(segArray) e i i received tag τ . If the verification succeeds, it updates the array This segment aggregation algorithm is utilized by the sender i e of accumulated MAC segments accRx and outputs the value and the receiver as a sub-algorithm of tag generation and valid; otherwise, it outputs the value invalid. tag verification algorithms, respectively. It takes as input a two-dimensional array of MAC segments segArray. This algorithm proceeds as follows. The ith row of segments in B. Illustration segArray is generated as follows. The L-bit MAC σi is Table I presents an example of CuMAC. The size of the divided into n segments, such that the size of each segment tag in each packet is 32 bits (i.e., l = 32). The MAC is TABLE I: Example illustrating CuMAC with L = 128, n =4, and l = 32. 1 1

Packet Previous Current Aggregation of MAC segments Tag 0.5 0.5 Counter MACs MAC 4 3 2 1 5 σ2, σ3, σ4 σ5 s2 ⊕ s3 ⊕ s4 ⊕ s5 τ5 ACF ACF 4 3 2 1 0 0 6 σ3, σ4, σ5 σ6 s3 ⊕ s4 ⊕ s5 ⊕ s6 τ6 4 3 2 1 7 σ4, σ5, σ6 σ7 s4 ⊕ s5 ⊕ s6 ⊕ s7 τ7 4 3 2 1 -0.5 -0.5 8 σ5, σ6, σ7 σ8 s5 ⊕ s6 ⊕ s7 ⊕ s8 τ8 0 10 20 30 0 10 20 30 Lag Lag

1 1 generated using the AES-CMAC algorithm. Hence, the size of the MAC output is 128 bits (i.e., L = 128), which provides 0.5 0.5 cryptographic strength of 128 bits. Each MAC is divided into PACF 0 PACF 0 four segments (i.e., n =4). In the fifth packet, the MAC σ5 of the message m5 is computed. To compute the corresponding -0.5 -0.5 1 0 10 20 30 0 10 20 30 tag τ5, the sender aggregates the segment s of the MAC σ5 5 Lag Lag and the segments of the MACs of the previously generated messages, σ2, σ3 and σ3. Further, the tags τ6, τ7 and τ8 are (a) Original data. (b) First-order differenced data. 2 3 4 computed using the segments s5, s5 and s5 of σ5, respectively. Fig. 6: Example illustrating the feasibility of speculation of a When the receiver receives the fifth packet with the message vehicle’s transmission torque values through an ARIMA model m5, the successful verification of the tag τ5 enables the real- whose parameters are determined using the autocorrelation time authentication of message m5 with the cryptographic function (ACF) and partial autocorrelation function (PACF). strength of 32 bits. Next, the receiver receives and verifies the validity of tags τ6, τ7, and τ8. If all four tags are verified as 1 2 3 4 valid, the receiver combines the segments s5, s5, s5 and s5— The ARIMA model with hyper parameters (p, d, q) implies th which are contained in tags τ5, τ6, τ7 and τ8, respectively— that for the d -order difference of the time series values, a to accumulate the cryptographic strength. This enables the speculated future message value is the linear combination of p receiver to perform full authentication of message m5 with previous values, and q previous error values in the speculation. the cryptographic strength of 128 (= 4 × 32) bits. However, We utilize the Box-Jenkins [19] method to compute the hyper if the receiver is restricted to process the fifth packet only parameters of the ARIMA model for each type of CAN after receiving the seventh packet due to latency requirements, messages. In this method, we determine the values for p, d and it may also perform partially accumulated authentication of q by observing the autocorrelation and partial autocorrelation message m5 with a cryptographic strength of 96 bits after of the message values. We illustrate this procedure in Figure6 verifying tags τ5, τ6 and τ7. We highlight that this ability to which presents the autocorrelation and partial autocorrelation perform the partially accumulated authentication is the most of the values of the message corresponding to the torque at unique feature of CuMAC when compared to prior art. transmission in a vehicle. From the results shown in Figure 6a, we observe that there is high autocorrelation between message V. TECHNICAL DETAILS OF CUMAC/S values. Further, from the results shown in Figure 6b, we observe that the autocorrelation decays gradually, and the In latency-sensitive applications, the receiver must authen- partial autocorrelation is close to zero after a lag of 3 message ticate a message as it arrives. For such applications, the trade- values. Hence, according to the rules of Box-Jenkins approach, off between the cryptographic strength and latency made by we set ARIMA(3,1,0) model to speculate the message values CuMAC may not be sufficient. To address this challenge, we corresponding to the torque at transmission. present CuMAC/S, which employs a novel concept of message In our analysis, we train the ARIMA model using the first speculation for MAC generation. Equipped with an accurate message speculation algorithm, CuMAC/S achieves both high 90% of the message values, and then we employ the model on the last 10 of message values for the test. Here, the accuracy cryptographic strength and low verification latency. % of correct speculation/prediction of future message values is measured using a metric called speculation error rate (SER), A. Feasibility of Speculation which is defined as the ratio between the number of incorrect We discuss the feasibility of speculation of future messages speculations and the total number of speculations. Note that by analyzing the messages communicated on a CAN bus in the speculation is correct only if the message is correctly a typical vehicle. To evaluate the speculation accuracy for predicted up to the least significant bit (LSB). Table II shows different CAN messages, we utilize trace files of a real vehicle, the speculation error rate of ten message-types. We observe which have been recorded using the OpenXC platform [12]. that certain types of CAN messages (e.g. the first five message These files present different types of CAN messages which can types listed in Table II) can be predicted with high reliability be identified and interpreted by OpenXC libraries. To speculate using the ARIMA model. future message values, we utilize autoregressive integrated We can improve the speculation accuracy by using more moving average (ARIMA) model, which is a widely used sophisticated and further tuned models. Moreover, we can model for time series analysis. mitigate the impact of speculation errors by increasing robust- TABLE II: Speculation accuracy for typical CAN messages. Segments of MACs of previous messages Signal SER SER after ignoring 3 LSBs Break Longitude <0.0001 <0.0001 Compute Compute Message MAC into Tag MAC tag by < < segments aggregation Latitude 0.0001 0.0001 Store in Store in Speculate Odometer <0.0001 <0.0001 message segment message array array Break Compute Fuel level <0.0001 <0.0001 MAC into Speculated message MAC Fuel consumed since restart <0.0001 <0.0001 segments Accelerator pedal position 0.0030 0.0002 Torque at transmission 0.0100 0.0020 Fig. 7: Schematic of the procedures at the sender in CuMAC/S. Engine speed 0.2329 0.0880 Vehicle speed 0.2478 0.0975 segments), and computes the authentication tag τi as follows. Steering wheel angle 0.4763 0.3595 n n τ ←  sj  ⊕  sj  . (3) i M i−j+1 M i+j−1 j=1,i−j+1>0  j=2  ness of the MAC scheme against such errors. For example, b if the message contains some values for which some of the This algorithm outputs the authentication tag τi. least significant bits can be safely ignored (without impacting τi ← TagGen(k,i,mi) performance or security), then these bits do not need to be This tag generation algorithm is utilized by the sender to protected by a MAC, and hence the MAC calculation can be generate an authentication tag. It takes as inputs the secret limited to only the part of a message that can be predicted with key k, a counter i and a message mi. It utilizes an array of high reliability. In the rightmost column of Table II, we show the transmitted and speculated messages msgTx, and an array that the SER can be significantly improved for some types of of MAC segments of the transmitted and speculated messages messages by ignoring the last three least LSBs. segTx. The arrays msgTx and segTx are stored and maintained Now we present the technical details of the algorithms in by the sender. Figure 7 presents an overview of the algorithm CuMAC/S, and an instantiation that illustrates the generation which proceeds as follows. and verification of the tags in CuMAC/S. 1) Extract mi from msgTx and verify whether mi = mi. a) If mb i = mi, set σi = σi. b b) Otherwise,b if mi 6= bmi, compute the MAC of B. Algorithms the message mi andb set it as σi, i.e., σi ← MacGen(k,i,mi). Divide the MAC σi into n seg- The KeyGen and MacGen algorithms in CuMAC (discussed ments and replace the MAC segments of σi in the in Section IV) and those in CuMAC/S are the same, and hence array segTx. b we do not provide their details in this section. We present the 2) Predict the value of the message mi+n−1 and append details of other algorithms in CuMAC/S as follows. the speculated message mi+n−1 to the array msgTx, i.e., msgTx′ ← MsgSpec(msgTx). msgArray′ ← MsgSpec(msgArray) b 3) Compute the MAC of the message mi+n−1 and set it as This deterministic message speculation algorithm is uti- σi+n−1, i.e., σi+n−1 ← MacGen(k, i, mi+n−1). Divide lized by the sender and receiver for the speculation of b the MAC σi+n−1 into n segments and append to the future message values. It takes an array of the transmit- b b b array segTxb. ted and speculated messages msgArray as input. At the 4) Compute the current tag τ by aggregating the segments th i i instance, the array msgArray can be represented as of MACs of the previous, current and future messages, {m1,m2, ··· ,mi−1,mi, mi+1, mi+2, ··· mi+n−2}. This al- i.e., τi ← SegAgg(segTx). gorithm generates the predictedb valueb of theb message mi+n−1, valid/invalid ← TagVerify(k,i,m , τ ) which is represented by mi+n−1, appends it to the array i i ′ This verification algorithm is utilized by the receiver for msgArray, and outputs theb updated array msgArray . Since the speculation model used in this algorithm is deterministic, verifying the authenticity of the received message and tag. the sender and the receiver run the same set of steps, and obtain It takes as inputs the secret key k, the received counter i, the same speculated messages given the same input messages. the received message mi, and the received tag τi. It stores and manages an array of previously received and speculated τi ← SegAgg(segArray) messages msgRx, an array of MAC segments segRx, and This segment aggregation algorithm is run by the sender an array of verified segments accRx. This algorithm first and the receiver. It takes as input a two-dimensional array generates the tag for the received message using the TagGen of MAC segments segArray. The segArray comprises of algorithm while updating the speculated message in msgRx the segments of the MACs of the transmitted and speculated and MAC segments in segRx, i.e., τi ← TagGen(k,i,mi). th messages. The i entry in segArray is generated by the It then verifies whether the generated tag τi is equal to the j e segment si ∀j ∈ [1,n] using the equation (1). This algorithm received tag τi. If the verification succeeds, ite updates the array extracts 2n−1 elements from segArray (n−1 previous MAC of accumulated MAC segments accRx and outputs the value segments, current MAC segment, and n − 1 speculated MAC valid; otherwise, it outputs the value invalid. TABLE III: Example illustrating CuMAC/S with L = 128, n =4, and l = 32.

Packet Previous Current Previous Current Aggregation of MAC segments Tag Counter MACs MAC speculated MACs speculated MAC 2 1 2 3 4 2 σ1 σ2 σb3, σb4 σb5 s1 ⊕ s2 ⊕ sb3 ⊕ sb4 ⊕ sb5 τ2 3 2 1 2 3 4 3 σ1, σ2 σ3 σb4, σb5 σb6 s1 ⊕ s2 ⊕ s3 ⊕ sb4 ⊕ sb5 ⊕ sb6 τ3 4 3 2 1 2 3 4 4 σ1, σ2, σ3 σ4 σb5, σb6 σb7 s1 ⊕ s2 ⊕ s3 ⊕ s4 ⊕ sb5 ⊕ sb6 ⊕ sb7 τ4 4 3 2 1 2 3 4 5 σ2, σ3, σ4 σ5 σb6, σb7 σb8 s2 ⊕ s3 ⊕ s4 ⊕ s5 ⊕ sb6 ⊕ sb7 ⊕ sb8 τ5 4 3 2 1 2 3 4 6 σ3, σ4, σ5 σ6 σb7, σb8 σb9 s3 ⊕ s4 ⊕ s5 ⊕ s6 ⊕ sb7 ⊕ sb8 ⊕ sb9 τ6 4 3 2 1 2 3 4 7 σ4, σ5, σ6 σ7 σb8, σb9 σb10 s4 ⊕ s5 ⊕ s6 ⊕ s7 ⊕ sb8 ⊕ sb9 ⊕ sb10 τ7 4 3 2 1 2 3 4 8 σ5, σ6, σ7 σ8 σb9, σb10 σb11 s5 ⊕ s6 ⊕ s7 ⊕ s8 ⊕ sb9 ⊕ sb10 ⊕ sb11 τ8

C. Illustration 140 100

Table III presents an example of CuMAC/S, which follows 120 80 the example of CuMAC presented in Section IV-B. When 100

60 the receiver receives the fifth packet with the message m5, 80 it verifies whether it matches the speculated message m5. If 60 40 they do not match, the successful verification of the tag τ5 b 40 Trucated MAC enables the real-time authentication of message m5 with a 20 Compound MAC Packet processing rate(%) Trucated MAC Cryptographic strength (bits) 20 cryptographic strength of 32 bits, which is the same as in CuMAC Compound/Aggregate MAC CuMAC/S CuMAC, CuMAC/S 0 0 CuMAC. Next, the receiver receives and verifies the validity 0 1 2 3 4 5 6 7 8 0 5 10 Delay (packets) Packet drop rate(%) of tags τ5, ··· , τ8. If all four tags are verified as valid, 1 2 3 4 the receiver combines the segments s5, s5, s5 and s5— (a) Trade-off between crypto- (b) Effect of unreliable commu- which are contained in tags τ5, τ6, τ7 and τ8, respectively— graphic strength and delay. nication channel. to accumulate the cryptographic strength. This enables the Fig. 8: Illustration of the higher cryptographic strength and receiver to perform full authentication of message m5 with higher packet processing rate achieved by CuMAC and a cryptographic strength of 128 (= 4 × 32) bits. CuMAC/S in comparison with the prior art. However, if the message m5 and m5 match, and tags τ2, τ , τ and τ are verified as valid, the receiver combines the 3 4 5 b each tag is generated by aggregating segments of seven pre- segments s1, s2, s3 and s4—which are contained in tags τ , 5 5 5 5 5 viously transmitted messages, the current message, and seven τ , τ and τ , respectively. This enables the receiver to perform 4 3 2 b b b speculated messages. real-time authentication of message m5 with a cryptographic strength of 128 bits. We highlight that this unique ability Cryptographic Strength. Figure 8a presents the crypto- to achieve equal cryptographic strengths for the real-time graphic strengths of the MAC schemes versus their authen- authentication and full authentication in spite of using short tication delay. In the figure, we observe that CuMAC provides authentication tags distinguishes CuMAC/S from prior art. real-time authentication with cryptographic strength of 16 bits, which is the same for the truncated MAC. As more packets are received, partially accumulated authentication VI. SIMULATION RESULTS is achieved and CuMAC provides increasing cryptographic In this section, we consider a simulated IoT environment, strength. Finally, CuMAC provides full authentication with and evaluate the performance of CuMAC and CuMAC/S by cryptographic strength of 128 bits, which is the same as comparing them with three other schemes from the prior art: the compound/aggregate MAC. This way, CuMAC enables a the truncated MAC [32], the compound MAC [24], and the receiver to make a trade-off between (accumulated) crypto- aggregate MAC [16]. For all five schemes, AES-CMAC with graphic strength and authentication delay. In some latency- a MAC output of 128 bits is utilized as the underlying MAC tolerant IoT applications, this attribute provides the receiver algorithm. We set the size of the tag in all schemes to 16 bits. with operational flexibility to vary the security level and/or In the truncated MAC scheme, each MAC is truncated to packet processing delay based on particular needs of a protocol 16 bits, and transmitted as the tag. In the compound MAC or rules prescribed by network traffic processing policies. scheme, a compound MAC of 128 bits is computed over Further, in Figure 8a, we observe that CuMAC/S enables eight messages. In the aggregate MAC scheme, an aggregate the receiver to achieve 128 bits of cryptographic strength MAC of 128 bits is computed by aggregating the MACs for real-time authentication. In other words, for the messages of eight messages. The compound MAC and the aggregate which can be reliably predicted, the receiver achieves the MAC are divided into eight segments each of size 16 bits, cryptographic strength of the full authentication without any and transmitted in each of the eight packets as the tag. In delay (i.e., immediately after the message is received). CuMAC and CuMAC/S, each MAC of 128 bits is divided Unreliable Communication Channel. The unreliability of into eight segments each of size 16 bits. In CuMAC, each the channel is measured by the packet drop rate which is tag is generated by aggregating segments of seven previously equal to the ratio of the lost packets and the total number transmitted messages and the current message. In CuMAC/S, of transmitted packets. The performance of each scheme is TABLE IV: Comparison of the MAC schemes using the prototype implementation on a real car.

Increase in Real-Time Auth. Full Auth. Partially Accum. Auth. Scheme Code Space Bus Load Delay Strength Delay Strength Delay Strength Trailing MAC 7410 bytes 200 % 3.451 ms 0 bit 5.616 ms 128 bits 50.000 ms 128 bits Truncated MAC 7410 bytes 8 % 3.440 ms 16 bits 3.440 ms 16 bits 50.000 ms 16 bits Compound/Aggregate MAC 7450 bytes 8 % 3.887 ms 0 bit 84.143 ms 128 bits 50.000 ms 0 bits CuMAC 7522 bytes 8 % 3.798 ms 16 bits 83.983 ms 128 bits 50.000 ms 64 bits CuMAC/S 7640 bytes 8 % 3.809 ms 128 bits 83.994 ms 128 bits 50.000 ms 128 bits

to emulate the controller unit of an ECU, and the Seeed Studio CAN shield worked as the interface between the Arduino UNO board and the CAN bus. The Arduino UNO board utilizes an Atmel ATmega328P chip, which includes a low-power 8-bit micro-controller running at 16 MHz clock speed along with a 32 KB flash memory and a 2 KB RAM. These specifications of the ECU prototype are representative of a typical state-of- the-art automotive-grade controller [21]. With the above experimental setup, we compared six schemes: the trailing MAC, the truncated MAC, the compound MAC, the aggregate MAC, CuMAC, and CuMAC/S. For all schemes, AES-CMAC with a MAC output of 128 bits was uti- lized as the underlying MAC algorithm. We utilized an open- source cryptography library [1] to implement AES-CMAC. We found that the average computation time (calculated by Fig. 9: Prototype connected to a car’s CAN bus. averaging the computation time over 1000 executions) of generating a MAC was 0.786 ms. For the truncated MAC, the measured in terms of the packet processing rate which is equal compound MAC, the aggregate MAC and CuMAC, the size to the ratio of successfully authenticated packets at the receiver of the tag was set to 16 bits, and the message and tag were and the total number of transmitted packets. inserted into the data field of the same CAN packet. For the We evaluate the effect of unreliable communication channel trailing MAC, the 128-bit MAC was split into two tags of 64 on the MAC schemes in Figure 8b. In the figure, we observe bits, and inserted into the data fields of two consecutive CAN that the packet processing rate in CuMAC and CuMAC/S packets. These packets were transmitted immediately after the is equal to that in the truncated MAC. However, the com- CAN packet containing only the message. pound/aggregate MAC can enable processing of significantly To evaluate the delay performance, we utilized one ECU lower number of packets than CuMAC and CuMAC/S. This prototype (called Tx-ECU) to transmit 6-byte messages with is because in compound/aggregate MAC, the verification of the tags on the CAN bus, and another ECU prototype (called a MAC requires the receiver to receive all of the packets Rx-ECU) to measure the end-to-end delay. In the experiment, that contain the messages utilized to compute that particular the Rx-ECU requested the Tx-ECU (through an external MAC, and loss of any one of those packets leads to the synchronization channel) to send a message, and started the failure in processing of other packets. For instance, with a timer. The Rx-ECU stopped the timer after verifying the tag typical 10% packet drop rate, the packet processing rate in the and authenticating the message. The delay was measured as compound/aggregate MAC is around 43% which might lead the time between starting the timer and stopping the timer. to unacceptable performance in any typical IoT application. Also, we let the message processing deadline for the message type utilized in the experiment be 50 ms. Note that the VII.IMPLEMENTATION RESULTS processing deadline represents the time within which the authentication tags corresponding to the message are expected Here we discuss the results obtained from a prototype to be generated, communicated and verified. implementation of CuMAC and CuMAC/S on a real car.

A. Details of Prototype Implementation B. Results Figure 9 illustrates the prototype implementation and the Table IV summarizes the results from the experiments. The setup that were used for running our experiments. The pro- end-to-end delay shown in the table is the worst case delay totype implementation comprised of two ECU prototypes in processing 1000 CAN messages. The table also presents connected to the on-board diagnostics (OBD) port of the CAN the cryptographic strengths for real-time, full and partially bus (with the bus speed of 500 kbps) of a 2016 Toyota Corolla. accumulated authentication in each scheme. From Table IV, The ECU prototype consisted of an Arduino UNO board and a we observe that: (1) In comparison to other MAC schemes, Seeed studio CAN shield. The Arduino UNO board was used additional storage is required in CuMAC and CuMAC/S; (2) Unlike the trailing MAC, CuMAC and CuMAC/S does not Definition 1. CuMAC is (t,q,ǫ,r)-uf-cma secure if for any increase the bus load significantly; (3) Unlike the compound probabilistic polynomial time (PPT) adversary A running in MAC and the aggregate MAC, CuMAC and CuMAC/S pro- uf-cma-r time t, PrhExpCuMAC (A, λ, q)=1i ≤ ǫ. vide real-time authentication; and (4) In comparison with the uf-cma-r truncated MAC, the compound MAC and the aggregate MAC Similar to the experiment ExpCuMAC (A, λ, q), the uf-cma-r schemes, CuMAC and CuMAC/S provide significantly higher experiment for CuMAC/S can be readily defined as follows. cryptographic strength for partially accumulated authentication uf-cma-r ExpCuMAC/S(A, λ, q) within the processing deadline. k ← KeyGen(1λ) k Invoke AOCuMAC/S( ,·) who can make up to q queries to the VIII. CONCLUSION tagging oracle of CuMAC/S OCuMAC/S(k, ·). A can query We proposed a novel concept for message authentication OCuMAC/S(k, ·) with 2n − 1 arbitrarily chosen messages that we refer to as cumulative MAC (CuMAC). CuMAC and receive their CuMAC/S tags in response. incurs low communication overhead, and provides high cryp- 2n−1 2n−1 A outputs a set of 2n − 1 pairs {mi} , {τi} . tographic strength which is commensurate with the delay in  i=1 i=1  Return 1 if valid ← TagVerify (k,i,m , τ ) for all 1 ≤ authentication. We also proposed a variant of CuMAC called i i i ≤ 2n − 1, and A did not make the query for mi∗ to CuMAC with speculation (CuMAC/S) that is more suitable ∗ OCuMAC S(k, ·), where i =2n − r. for latency-sensitive applications. Our promising simulation / Return 0 otherwise. and experimental results validate that CuMAC and CuMAC/S provide significant advantages over the MAC schemes in prior Definition 2. CuMAC/S is (t,q,ǫ,r)-uf-cma secure art when deployed in emerging IoT applications, including if for any PPT adversary A running in time t, those that run on energy/bandwidth-constrained networks. Expuf-cma-r Prh CuMAC/S(A, λ, q)=1i ≤ ǫ.

APPENDIX A Note that if CuMAC and CuMAC/S are (t,q,ǫ,r)-uf-cma SECURITY DEFINITION secure for all r, then they are also (t,q,ǫ)-uf-cma secure which is the standard notion of security for a MAC scheme. We Here we present the formal security definitions for CuMAC utilize the aforementioned uf-cma-r security model to define and CuMAC/S. Katz et al. provide the first concrete proof the cryptographic strength for full authentication, partially which illustrates that if multiple conventional MACs with accumulated authentication and real-time authentication. Note cryptographic strength of λ bits are aggregated by XOR that in the uf-cma-r experiment, when the experiment returns operation to form an aggregate MAC, then the aggregate a value of 1, it implies that A is able to forge a valid tag for MAC is secure with the cryptographic strength of bits [10], λ a packet at which point the receiver has already accumulated [16]. The aggregation procedure employed in CuMAC and r packets. Therefore, if CuMAC or CuMAC/S is (t,q,ǫ,n) CuMAC/S share similar attributes with the scheme proposed secure, i.e., r = n, then CuMAC or CuMAC/S is secure in by Katz et al. Hence, we present the security definitions which terms of full authentication. Similarly, if CuMAC or CuMAC/S closely follow those presented by Katz et al. is (t,q,ǫ,r) secure for all 2 ≤ r ≤ n − 1, then the scheme is The security evaluation for CuMAC is centered around secure for partially accumulated authentication; and if CuMAC the notion of unforgeability under chosen message attack or CuMAC/S is (t, q, ǫ, 1) secure, i.e., r =1, then the scheme with parameter (uf-cma- ), where indicates the number r r r is secure in terms of real-time authentication. We provide of packets accumulated for tag verification. We denote by the rigorous proofs of security of CuMAC and CuMAC/S in Advuf-cma-r , the advantage of the adversary in CuMAC (A, λ, q) A Appendix B. The security of CuMAC and CuMAC/S is based forging a message for a random key k KeyGen λ , where ← (1 ) on the following assumption that defines the security of the A can make q queries to the tag generating oracle of CuMAC underlying MAC algorithm [2]. OCuMAC(k, ·), and verification is performed after accumulating r segments of each MAC. CuMAC is considered to be secure if Assumption 1. The underlying deterministic MAC algorithm, the advantage of the adversary A is negligibly small. Formally, MacGen, is (t,q,ǫ)-uf-cma secure—i.e., the probability that the advantage can be expressed by the probability (represented an adversary will be successful in producing a forged tag by Pr[]) that the following experiment returns 1. after running for a polynomial time t and making q queries uf-cma-r is negligible. ExpCuMAC (A, λ, q) k ← KeyGen(1λ) Invoke AOCuMAC (k,·) who can make up to q queries to the APPENDIX B ECURITY ROOF tagging oracle of CuMAC OCuMAC(k, ·). A can query S P OCuMAC(k, ·) with n arbitrarily chosen messages and Here we present theorems and corresponding proofs for receive their CuMAC tags in response. the security for CuMAC and CuMAC/S. Let CuMAC be n n A outputs a set of n pairs ({mi}i=1, {τi}i=1). instantiated with parameters (l,n), i.e., each MAC is divided Return 1 if valid ← TagVerify (k,i,mi, τi) for all into n segments, each of length l bits. Let CuMAC/S be 1 ≤ i ≤ n, and A did not make the query for mi∗ to instantiated with parameters (β,l,n), i.e., the speculation error ∗ OCuMAC(k, ·), where i = n − r +1. rate for the messages is β, and each MAC is divided into n Return 0 otherwise. segments, each of length l bits. Note that in CuMAC and CuMAC/S, the receiver performs real-time authentication by Theorem 2. For any t, q ∈ N and ǫ> 0, if the underlying de- setting r =1, partially accumulated authentication by setting terministic MAC algorithm, MacGen, is (t,q,ǫ)-uf-cma secure, 1 0, if the underly- q − 3n +3 ǫ ing deterministic MAC algorithm, MacGen, is (t,q,ǫ)-uf-cma t′ ≈ t, q′ = , ǫ′ = . secure, then CuMAC with parameters (l,n) is (t′, q′,ǫ′, r)-uf- 2n − 1 (1 − β)+ β2−l(n−r) cma secure, where q − n +1 t′ ≈ t, q′ = , ǫ′ =2l(n−r) · ǫ. Proof: Let there be an adversary A which succeeds to n create a forgery of an authentication tag for CuMAC/S with Proof: Let there be an adversary A which succeeds to a non-negligible probability. We construct a simulator S that create a forgery of an authentication tag for CuMAC with interacts with the adversary A and creates a forgery of a MAC a non-negligible probability. We construct a simulator S that for the MacGen algorithm with a non-negligible probability. interacts with the adversary A and creates a forgery of a MAC Let CuMAC/S and the MacGen algorithm utilize the same for the MacGen algorithm with a non-negligible probability. secret key k which is unknown to the adversary A. Also, Let CuMAC and the MacGen algorithm utilize the same let the MAC of a message in CuMAC/S be computed by secret key k which is not known to the adversary A. Also, let a query to OMacGen(k, ·). In this way, S perfectly simu- the MAC of a message in CuMAC be computed by a query lates OCuMAC/S(k, ·), and hence the uf-cma-r experiment for to the tag generating oracle of underlying MAC, which is CuMAC/S. Suppose the uf-cma-r experiment for CuMAC/S denoted as OMacGen(k, ·). In this way, S perfectly simulates returns 1 with the probability ǫ′ in time t′, where an adversary OCuMAC(k, ·), and hence, the uf-cma-r experiment. Suppose 2n−1 2n−1 ′ A outputs a successful forgery {mi} , {τi} after q the uf-cma-r experiment for CuMAC returns 1 with the  i=1 i=1  queries to OCuMAC S(k, ·) simulated by S. To create a forgery probability ǫ′ in time t′, where an adversary A outputs a valid / n n ′ of a MAC for the MacGen algorithm, the simulator S proceeds forgery ({m } , {τ } ) after q queries to OCuMAC(k, ·) i i=1 i i=1 as follows. simulated by S. To create a forgery of a MAC for the MacGen For all i ∈ [1, 2n − 1] and i 6= i∗, the simulator S algorithm, the simulator S proceeds as follows. queries OMacGen(k, ·) for the MAC of m , and obtains the For all i ∈ [1,n] and i 6= i∗, the simulator S queries the i corresponding σ . Additionally, it queries OMacGen(k, ·) for the OMacGen(k, ·) for the MAC of m , and obtains the correspond- i i MAC of the speculated messages m and obtains σ for all ing σ . It divides each MAC into n segments as shown in i i i ∗ ∗ . It divides each MAC into segments equation (1). It recovers the MAC segments of the message i ∈ [i +1,i + n − 1] b nb as shown in equation (1). It recovers the MAC segments of the mi∗ by removing the mask by the MAC segments of other message ∗ by removing the mask by the MAC segments of messages as follows: mi other messages as follows: n k j n n ∗ ∗ si ← τi +k−1 ⊕ si∗+k−j . (4) k j j M s ∗ ← τ ∗ ⊕ s ∗ ⊕ s ∗ . (5) j=1,j=6 k i i +k−1 M i −j+k M i +j+k−2 j=1,j=6 k j=2 b Since i∗ = n − r + 1, the simulator S cannot recover k By following the above procedure, the simulator S recovers r the segments si∗ with k ≥ r + 1. Hence, it makes a random guess for the rest of the n − r segments, such that MAC segments. For all k ≥ r +1, the simulator S attempts to k k l ∗ ∗ ∗ recover si from the tags received before tag τi as follows: si ←$ {0, 1} for all k ∈ [r + 1,n]. Finally, to create the forgery for the underlying MAC algorithm, MacGen, it con- n n e j j k ∗ catenates all the recovered segments and the guessed segments: si∗ ← τi −k+1 ⊕ si∗−k−j+2 ⊕ si∗−k+j . (6) 1 2 r r+1 n M M ∗ ∗ ∗ ∗ ∗ ∗ j=1 6 σi ← si ||si · · · ||si ||si || · · · si . This means that given a j=2,j=k b successful forgery of thee authenticatione tag in CuMAC, the −l(n−r) These segments can be recovered with a probability 1 − β. probability of creating the forgery of MacGen is 2 . If a speculation error occurs, then the corresponding MAC To achieve the forgery of MacGen as shown above, the ′ segment is not recovered. In this case, S sets the value of simulator S conducts at most n·q queries to the OMacGen(k, ·) ′ the MAC segment by randomly guessing the bits. Finally, to reply the q queries by A to OCuMAC(k, ·). Also, the the simulator S creates a fresh forgery for the underlying simulator S conducts n − 1 queries to OMacGen(k, ·) to obtain n deterministic MAC algorithm, MacGen, by concatenating all {τi}i=1,i=6 i∗ . Therefore, if these exists an adversary A running recovered and guessed segments. The probability that such ′ uf-cma-r ′ ′ −l(n−r) in time t and achieving PrhExpCuMAC (A, λ, q )=1i ≤ ǫ , forgery is correct is (1 − β)+ β · 2 . then it can be leveraged to create a forgery for the underlying To achieve the forgery of MacGen as shown above, the sim- ′ MAC algorithm, MacGen, in time t′ plus the time required to ulator S conducts at most (2n − 1)q queries to OMacGen(k, ·) ′ ′ evaluate the equation (4), by making nq + n − 1 queries, and to answer q queries by A to OCuMAC/S(k, ·). In order to with probability 2−l(n−r)ǫ′. Hence, if the underlying MAC compute operations in equations (5) and (6), the simulator conducts at most queries to MacGen k to obtain algorithm, MacGen, is (t,q,ǫ)-uf-cma secure, then CuMAC S 2n − 2 O ( , ·) ∗ ′ ′ ′ ′ ′ q−n+1 2n−1 i +n−1 is (t , q ,ǫ , r)-uf-cma secure, where t ≈ t, q = n , and {τi}i=1,i=6 i∗ , and at most n − 1 queries to obtain {σi}i=i∗+1 . ′ l(n−r) ′ ǫ =2 ǫ. Therefore, if for an adversary A running in time tb, we have uf-cma- Exp r ′ ′ [22] National Highway Traffic Safety Administration. Cybersecurity best Prh CuMAC/S(A, λ, q )=1i ≤ ǫ , then we can leverage it to break the underlying MAC algorithm, MacGen, in time practices for modern vehicles. No. DOT HS 812, 333, 2016. [23] Edmund B. Nightingale, Peter M. Chen, and Jason Flinn. Speculative ′ t plus the time required to evaluate equations (5) and (6), execution in a distributed file system. In Proceedings of the Twentieth by making (2n − 1)q′ +3n − 3 queries, and with probability ACM Symposium on Operating Systems Principles (SOSP), pages 191– ′ −l(n−r) . Hence, if the underlying MAC algo- 205, 2005. ǫ (1 − β + β2 ) [24] D. K. Nilsson, U. E. Larson, and E. Jonsson. Efficient in-vehicle delayed rithm, MacGen, is (t,q,ǫ)-uf-cma secure, then CuMAC/S is data authentication based on compound message authentication codes. ′ ′ ′ ′ ′ q−3n+3 In IEEE 68th Vehicular Technology Conference, pages 1–5, 2008. (t , q ,ǫ , r)-uf-cma secure, where t ≈ t, q = 2n−1 , and ′ ǫ [25] ON Semiconductor. Ultra-low power, AT command controlled, Sigfox − − . ǫ = 1−β+β2 l(n r) compliant transceiver IC for up-link and down-link. Accessed: July 1, 2019. REFERENCES [26] U. Raza, P. Kulkarni, and M. Sooriyabandara. Low power wide area networks: An overview. IEEE Communications Surveys Tutorials, [1] Arduino cryptography library. Accessed: July 1, 2019. 19(2):855–873, 2017. [2] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block [27] Rodrigo Roman, Jianying Zhou, and Javier Lopez. On the features chaining message authentication code. Journal of Computer and System and challenges of security and privacy in distributed internet of things. Sciences, 61(3):362–399, 2000. Computer Networks, 57(10):2266–2279, 2013. [3] Daniel J Bernstein and Tanja Lange. Non-uniform cracks in the concrete: [28] Hendrik Schweppe, Yves Roudier, Benjamin Weyl, Ludovic Apvrille, the power of free precomputation. In International Conference on the and Dirk Scheuermann. Car2x communication: securing the last meter- Theory and Application of Cryptology and Information Security, pages a cost-effective approach for ensuring trust in car2x applications using 321–340, 2013. in-vehicle symmetric cryptography. In 2011 IEEE Vehicular Technology [4] Karthikeyan Bhargavan and Ga¨etan Leurent. Transcript collision attacks: Conference (VTC Fall), pages 1–5. IEEE, 2011. Breaking authentication in TLS, IKE, and SSH. In Network and [29] Sigfox. Technical overview. Accessed: July 1, 2019. Distributed System Security Symposium (NDSS), 2016. [30] Meena Singh, MA Rajan, VL Shivraj, and P Balamuralidhar. Secure [5] Carsten Bormann, Angelo P Castellani, and Zach Shelby. CoAP: An MQTT for Internet of Things (IoT). In Fifth International Conference application protocol for billions of tiny internet nodes. IEEE Internet on Communication Systems and Network Technologies, pages 746–751, Computing, (2):62–67, 2012. 2015. [6] R. Bosch. CAN specification - Version 2.0, 1991. [31] R. Soja. Automotive security: From standards to implementation. [7] Fay Chang and Garth A. Gibson. Automatic I/O hint generation through Accessed: July 1, 2019. speculative execution. In Proceedings of the Third Symposium on [32] C. Szilagyi and P. Koopman. A flexible approach to embedded network Operating Systems Design and Implementation (OSDI), pages 1–14, multicast authentication. In Proceedings of the 2nd Workshop on 1999. Embedded Systems Security (WESS), 2008. [8] S. Checkoway, D. Mccoy, B. Kantor, D. Anderson, H. Shacham, S. Sav- [33] H. Ueda, R. Kurachi, H. Takada, T. Mizutani, M. Inoue, and S. Horihata. age, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive Security authentication system for in-vehicle network. SEI Technical experimental analyses of automotive attack surfaces. In Proceedings of Review, (81), 2015. the 20th USENIX Security Symposium, 2011. [34] F. Wang and J. Liu. Networked wireless sensor data collection: Issues, [9] Wenliang Du, Jing Deng, Yunghsiang S Han, Pramod K Varshney, challenges, and approaches. IEEE Communications Surveys Tutorials, Jonathan Katz, and Aram Khalili. A pairwise key predistribution scheme 13(4):673–687, 2011. for wireless sensor networks. ACM Transactions on Information and [35] H. Wang and A. O. Fapojuwo. A survey of enabling technologies of System Security (TISSEC), 8(2):228–258, 2005. low power and long range machine-to-machine communications. IEEE [10] O. Eikemeier, M. Fischlin, J.-F. G¨otzmann, A. Lehmann, D. Schr¨oder, Communications Surveys Tutorials, 19(4):2621–2639, 2017. P. Schr¨oder, and D. Wagner. History-free aggregate message authentica- [36] G. M. Zago and E. P. de Freitas. A quantitative performance study on tion codes. In International Conference on Security and Cryptography CAN and CAN FD vehicular networks. IEEE Transactions on Industrial for Networks, pages 309–328, 2010. Electronics, 65(5):4413–4422, 2018. [11] R. Escherich, I. Ledendecker, C. Schmal, B. Kuhls, C. Grothe, and F. Scharberth. SHE: Secure hardware extension - Functional specifi- cation, Version 1.1. Hersteller Initiative Software (HIS) AK Security, 2009. [12] Ford Motor Company, CrossChasm, and Bug Labs. OpenXC platform. Accessed: July 1, 2019. [13] Carles Gomez, Joaquim Oller, and Josep Paradells. Overview and evaluation of Bluetooth Low Energy: An emerging low-power wireless technology. Sensors, 12(9):11734–11753, 2012. [14] International Organization for Standardization. ISO/IEC 11898-1:2015: Road vehicles - Controller area network (CAN) - Part 1: Data link layer and physical signalling. Standard. [15] K. H. Johansson, M. T¨orngren, and L. Nielsen. Vehicle applications of controller area network. In Handbook of Networked and Embedded Control Systems, pages 741–765. 2005. [16] J. Katz and A. Lindell. Aggregate message authentication codes. Topics in Cryptology–CT-RSA, pages 155–169, 2008. [17] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. In IEEE Symposium on Security and Privacy, pages 447–462, 2010. [18] H. Li, V. Kumar, J. J. Park, and Y. Yang. Cumulative message authen- tication codes for resource-constrained networks. In IEEE Conference on Communications and Network Security (CNS), pages 1–9, 2020. [19] Spyros Makridakis and Michele Hibon. Arma models and the box– jenkins methodology. Journal of Forecasting, 16(3):147–163, 1997. [20] C. Miller and C. Valasek. Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015. [21] P.-S. Murvay, A. Matei, C. Solomon, and B. Groza. Development of an AUTOSAR compliant cryptographic library on state-of-the-art automotive grade controllers. In 11th IEEE International Conference on Availability, Reliability and Security (ARES), pages 117–126, 2016.