3

I am building a small embedded system of two nodes that communicate wirelessly. The microcontrollers I'm using are very limited: they only have 256 bytes of RAM. I would like to be able to authenticate messages sent and received between the nodes, but traditional methods such as HMAC aren't possible because of the constraints of the system (lack of RAM).

I do have a large (2 megabit) EEPROM that is largely unused. I would like to use this space to store a (relatively) large one-time pad that could be used to authenticate the messages, which are only a few bytes long. I do not care about the secrecy of the messages, only their unforgeability and integrity. If only, say, 4 bytes of pad are used per message, the pad should far outlast the system's expected usefulness. Finally, messages are not guaranteed to be received by the other node (for example, due to interference, malicious or not).

Are there any schemes that use a one-time pad for message authentication? Assume the one-time pad is truly random. Or is this an entirely hair-brained idea that is inherently insecure?

thirtythreeforty
  • 163
  • 7

1 Answers1

5

Actually, it's not a hare-brained idea at all; you certainly can do integrity checking using a one-time pad. However, I believe that you'll need to use the one-time pad bits a bit faster than you'd expect, to achieve a forgery probability of at most $2^{-32}$, I believe you'll need at least 64 pad bits per packet (assuming informational theoretical security - that is, we don't include any computational problems that are too difficult for the attacker to solve).

One way to do this would be do a polynomial hash over $GF(2^{32})$; that is, you use 32 bits of the pad as a value $H$, and compute the value $V = X_i H^i + X_{i-1} H^{i-1} + ... + X_1 H^1 + R$ (where the message is $(X_i, X_{i-1}, ..., X_1$, and $R$ is 32 other bits from your pad, and where the computation is done within $GF(2^{32})$; the value $V$ is your tag that you send with the packet. This provably has a forgery probability of a modified packet of at most $i 2^{-32}$ and a blind forgery probability of $2^{-32}$. You'd need to implement a $GF(2^{32})$ multiply routine; assuming you don't need extreme speed, that's not that difficult.

That being said, might I suggest a totally different approach: how about using Speck in a Davies-Meyer construction with a key? Speck is a block cipher that can be evaluated with minimal memory, and a Davies-Meyer construction would't require much memory. You'd start the construction with a secret state; assuming that you don't use the block size of 128, you'd also want to end the hash with hashing some other secret data). The advantages of this approach: you can reuse the same secret data (keying material) for every packet (and so there's no possibility of running out); you don't need to worry about packet drops (as this construction is stateless), and it should fit within your restrictions.

yyyyyyy
  • 12,261
  • 4
  • 48
  • 68
poncho
  • 154,064
  • 12
  • 239
  • 382