Modified Vanstone’s construction of lightweight MAC for Vehicular On-Board IT Systems

We propose a lightweight construction, a modification of Vanstone’s MAC construction, for the message authentication of the communication between Electronic Control Units (ECUs) in distributed car control systems. The proposed approach can solve the task of error control and authentication in unified algorithmic technology, called MAC (Message Authentication Code) with ECC (Error Correction Code). We follow a provable approach in the design of the cryptographic primitive, where we quantify the security measures in the parameters of the system. Provable security approaches are missing in the field of secure in-vehicle communication.

symmetric ECU key is established for all ECU. In the online phase, cryptographic computations are fully controlled by the security module. For encryption of messages transmitted between ECUs, unique keystreams are generated and sent to the ECUs by the module on request of ECUs. Their other idea (called stream authorization) eliminates the need for explicit authentication directly between pairs of ECUs. A drawback of security solutions based on HSM is that they are costly and require additional physical area and power.
Note, even public key technology cannot eliminate the exposure of private keys to compromising attacks on ECUs as the private part of the key pair needs such protection.
The approach in [16] tries to minimize this problem by avoiding long-term keys on ECUs.
They assume that a special physical source of entropy (PUF, Physically Unclonable Function) is deployed on each ECUs and also on a key server. (A PUF can generate unique random elements and can reproduce it when it is queried with the same challenge value.) The key server plays the role of a simplified public key directory. Each time when the engine is ignited a registration phase is run and each ECU generates a new public-private key pair using the PUF. The public keys of all ECUs are sent to the key server and stored on the server. The private part is erased. Note, this communication phase is unprotected, the public key is transmitted without any cryptographic protection (authentication), so a timely adversary may attack this transmission. This is a serious vulnerability as this public key is used in the subsequent phase as an authenticator tag (see subsequently).
The session key establishment between two ECUs goes as follows. The ECU regenerates the same public/private key pair by using the PUF. The ECU initiating the key establishment and the server generate an auxiliary symmetric key, by applying public-key algorithm ECC DH on input the public key of the server and the private key of the ECU (note, already we are in the online phase of computation and a public key algorithm is used). The public key of the ECU is encrypted with the auxiliary key. The server decrypts the plaintext (i.e. the public key) and compares it to the registered one (the decryption key is computed from the secret key of the server and the public key of the ECU). The server sends the list of ECUs public keys encrypted with the public key of the requesting ECU. Now, the initiating ECU can establish a session key with the wanted peer ECU by sending random elements encrypted with the party's public key (note, another public key algorithm is used).
Once the session key is established the ECUs erase the private key.
In sum, this approach efficiently decreases the time the private key of ECUs is exposed. Note, however, the private key is implicitly stored in the PUF, therefore an adversary accessing the PUF can regenerate the key. There is an unprotected phase of communication and several different algorithms have to be run to establish a single session key between two ECUs. Furthermore, public key algorithms are run in the online phase.  Typically, related primitives include the AES encryption algorithm for privacy   protection, the AES-based Cipher-based Message Authentication Code (CMAC) and keyed hash functions (HMAC (e.g. [14]), SHA-3 (e.g. [15]) for message authentication.
Proposals have also been made to use public-key cryptography (e.g. [16], [10]. One of the fundamental problems is secure key management for the automotive environment. The proposed solutions show a wide variety. It is a difficult task to strike a balance between cost, latency requirement, and security. At one end pre-programmed, lifetime group keys (e.g. [14], [15], [8]), at the other adapted public key management (e.g. [16]).
This important problem is open, there is no final solution yet.
The current ECU architecture can only be loaded with limited computational overhead.
In contrast, cryptographic algorithms are typically computationally intensive. Separate special hardware components are needed to resolve this contradiction within the recent architecture. Examples of related suggestions are Secure Hardware Extension (SHE) [17], security module [10], key server [16], tamperproof key storage [4].
In this work, we present a construction for a symmetric-key lightweight MAC algorithm with a formal proof of security. Our proved claims quantify the corresponding security notions in variables of system dimensions. This provides the advantage of finding trade-offs between dimensions-related complexity and the level of security. The approach is inherently able to handle the tasks of authentication and error control together in a unified computational approach.
The full-fledged realization remains also provably secure under the reasonable assumption that AES in CTR mode generates a pseudorandom stream. (Informally, a pseudorandom stream cannot be distinguished from the ideally random one for an efficient adversary except a negligible probability.) This implies security even against quantum attackers: when the one-time stream is realized with AES-CTR mode keystream it remains quantum secure when the key length of the underlying AES is doubled [18]. Recall, post-quantum security may be a decisive advantage even within 10 years.
As for the complexity of our construction, one-time pads, MAC keys can be generated independently from the (next) message(s) between peer ECUs (in sync with the peer). It follows that the MAC generator polynomials can also be precomputed. Therefore, the as- The organization of the paper is as follows. In Section 2 we give related works. In Section 3 we present our constructions. Conclusions are given in Section 4.

Related works
An approach for the integration of MAC and error detection can be found in [19]. In some sense, this is the closest work to our approach. Briefly, they process a message to be forwarded the following way. First MAC is computed (they use CMAC) and truncated to a small size. The truncated MAC is appended to the message and CRC is computed for the extended message. In the last step, the truncated MAC is removed and the message is forwarded together with the CRC. Intuitively, this keyed CRC implicitly will incorporate "some information" from the MAC. No analysis (not to mention formal proof) is presented about quantifiable security properties.
Our main result is a lightweight MAC construction with formal proof of security. Additional value (and option) that error control can naturally be integrated into the MAC construction. In contrast to the above-cited publications (except publication [19]) we use the attribute lightweight directly for the complexity of the MAC and not for the lightening of the surrounding key management. (Of course, our symmetric key construction can be used with any secure key management, in particular, with a secure session key protocol.) Our solution envisions both privacy and authentication issues. We are considering symmetric key cryptographic primitives. Lightweight MAC authentication is combined with CTR mode encryption.
The idea of the construction comes from a classic result of Krawczyk [20]. Briefly and informally, the two parties (transmitter and receiver) chooses an ECC code from a large set of such codes using a symmetric secret key. Assuming the adversary cannot guess the current key except a negligible probability, she will not know the algorithm for the computation of the MAC.
Error control capability can be integrated completely into the MAC construction.
Vanstone's [21] construction is essentially such an approach, they take randomly (and secretly) an e-error correcting code from a set of codes with parameters (N,K,e) over GF(q).
The receiver knowing the (symmetric) key can identify the actual code can run the error correction algorithm and remove the channel errors in the received packet. As the next step, Our algorithm is a modification of Vanstone's approach for improved characteristics.
We divide the set of roots of the keyed MAC generator polynomial into two disjoint subsets.
In one of the subsets, the roots are taken randomly from the whole set of roots, in the other subset the roots follow the algebraic relation dictated by the ECC code. By choosing the roots randomly we can increase the size of the set of the keyed MAC generator polynomials and we can set a finer trade-off between secrecy and error-control capabilities.
The published security constructions for automotive applications almost exclusively miss formal proofs of security. We provide formal security proof for our MAC construction.
One step of the construction uses a random pad ( [20]). The security proof refers to the hybrid MAC protocol with an ideal random pad. The security guarantee is statistical, meaning that the best strategy of an adversary is guessing the actual key. Concretely, we provide upper bounds on this probability of guessing in the parameters of the algorithm. In a fullfledged realization for random pads, we can use the keystream generated in CTR mode by the AES algorithm. We can claim quantum security is extended for the full realization.
Indeed, the attacks by using quantum Grover's algorithm against symmetric ciphers can be blocked effectively by doubling the key size [19]. Resistance to replay attacks is included in the construction. Furthermore, the construction allows offline precomputations: the computation of MAC can be started as soon as the first message symbols are accessible (i.e. without waiting for the arrival of the whole message).

Constructions
The basic idea of the MAC construction from linear codes comes from the classic paper of Krawczyk [20]. A keyed CRC generator polynomial was used and the MAC was the CRC plus a random pad. Vanstone [21] noticed that an error correction capability is inherent in this construction. In construction [21]  The idea of our modified construction and corresponding improvement is as follows. We also start from systematic cyclic ECC code over ( ), where we also will consider binary ( = 2) and non-binary ( = 2 , > 1) codes. We compose generator polynomial ( ) from two-component polynomials. Assume ( ) is a generator polynomial of the ECC.
We choose also another polynomial ( ) that is keyed with symmetric MAC-key k. The We adapt the definitions of security measures from [20], [21]. In the analysis, we assume ideal one-time-key k and ideal random pad r. In other words, we analyze a hybrid MAC protocol ideal in these keys. The best strategy for an adversary in an attack against the hybrid MAC protocol is guessing. Essentially, in the analysis, we give upper bounds on this probability of guessing. In an application, this probability should be set negligible by appropriate selection of the parameters of the construction. In a (provably secure) realization the ideal keystream is substituted by a pseudorandom stream. For example, assuming that AES in CTR mode produces a pseudorandom stream, a full-fledged MAC protocol with AES becomes a secure realization.

Constructions based on Reed-Solomon codes
Following publications [20], [21], the security of MAC constructs are measured with the following two characteristics: -balanced property and e-error-forgery-resistance.    The size of set B is ( − )/2. Recall, minimal polynomials are irreducible. We will choose the factors of ( ) randomly from set B. We modify Construction 1 in its first step as shown below: as well as formulae for the evaluation of their security performance. This provides the advantage that in concrete applications with corresponding concrete values for size/security parameters the designer can find a matching construction from our set.
We presented a set of numerical evaluation examples (Table 1-3) showing that our constructions meet the expectations with respect the dimensions and security for the intended field of application. An implementation can essentially use the well-established and computationally optimized tools error control technology, e.g. the complexity of GF(q) operations (multiplication, inversion) can be drastically decreased by using look-up tables (LUTs) [22] or light-weight Galois Field (GF) processor in case of HW-supported solutions [23].