on homomorphic signatures for network coding
DESCRIPTION
On Homomorphic Signatures for Network CodingTRANSCRIPT
![Page 1: On Homomorphic Signatures for Network Coding](https://reader036.vdocuments.net/reader036/viewer/2022081808/55cf8589550346484b8f2315/html5/thumbnails/1.jpg)
7/18/2019 On Homomorphic Signatures for Network Coding
http://slidepdf.com/reader/full/on-homomorphic-signatures-for-network-coding 1/2
Brief Contributions________________________________________________________________________________
On Homomorphic Signaturesfor Network Coding
Aaram Yun, Jung Hee Cheon, and
Yongdae Kim, Member , IEEE
Abstract—In this paper, we examine homomorphic signatures that can be used to
protect the integrity of network coding. In particular, Yu et al. proposed an RSA-
based homomorphic signature scheme recently for this purpose. We show that
their scheme in fact does not satisfy the required homomorphic property, and
further, even though it can be fixed easily, still it allows no-message forgery
attacks.
Index Terms—Network coding, homomorphic signature, homomorphic hashing.
Ç
1 INTRODUCTION
NETWORK coding refers to a new class of routing techniques wherea router not only forwards incoming packets but also processesthem to produce ‘new’ outgoing packets. It was originallyproposed in Ahlswede et al. [1] as a method for maximizing theinformation flow of a multicast network, and subsequently foundmany applications, for example, in sensor networks, wirelessnetworks, and peer-to-peer networks. Li et al. [2] showed thatlinear network coding is sufficient to achieve the maximumthroughput of multicast network, and Ho et al. [3] introducedthe idea of random linear network coding, where each node choosesits own coding coefficients randomly and independently. It has
been shown that a random linear network coding achieves themaximum throughput of multicast network with high probability.Also, because of the random and de-central selection of coding, therandom linear network coding can be used even when the networktopology changes, and can potentially give resilience to random
network failures.For practical application of network coding, protecting integrity
of packets is especially important: a malicious node can ‘pollute’the entire network by injecting a few false packets. Because of thecoding capability of intermediate nodes, any unfiltered false packetwill soon propagate to all other nodes, and prevent properdecoding, even when all the other received packets are correct.Note that a conventional cryptographic signature cannot solve thisproblem, since nodes other than the source not only relay givenpackets but also ‘create’ new packets by linear combination. Forthis reason, some solutions based on the idea of homomorphichashing or homomorphic signature are proposed [4], [5], [6], [7].Because these schemes are homomorphic, an intermediate nodecan combine signatures of incoming packets to form a signature foran outgoing packet, without having the private key of the source.
In INFOCOM 2008, Yu et al. [5] proposed a new homomorphicsignature scheme which is based on both discrete logarithm andRSA. In this paper, first we show that in fact their scheme does not
satisfy the homomorphic property. The reason for this failure isdue to use of two different moduli, and can be fixed by modifyingthe scheme to use a single modulus. We show that this modifiedscheme is also not secure, by showing that an attacker cansuccessfully mount a no-message attack, and a more powerful
single-message attack.
2 NETWORK CODING SECURITY
First, let us describe linear network coding briefly. Let G ¼ ðV ;E Þ be a directed graph. Suppose a source s 2 V wants to send a largefile F to a set T V of clients. We assume that the file F isrepresented as a sequence of m vectors f 1; . . . ; f m 2 F
n, where Fn
is the n dimensional vector space over a finite field F. Then thesource creates augmented vectors of f i ¼ ð f i;1; . . . ; f i;nÞ by setting
f i ¼def
ð f i;1; . . . ; f i;n; 0; . . . ; 0; 1
|fflfflfflfflfflffl{zfflfflfflfflfflffl} i
; 0; . . . ; 0 zfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{ m
Þ;
that is, each augmented vector f i is of dimension t ¼
def
m þ n, andthe last m entries are all zero except at ðn þ iÞth, where it is 1.The source then propagates linear combinations (over F) of the
augmented vectors to other nodes. Each node, after receivingpackets v1; . . . ;vl 2 F
t from its l incoming channels, computes alinear combination
wi ¼Xl j¼1
i;jv j;
for some i;j 2 F, and transmits wi to its ith outgoing channel.Therefore, assuming that all transmissions are done without error,each packet is a linear combination of the original augmentedvectors f 1; . . . ; f m of the file over F.
The coefficients i;j can be determined centrally given a staticnetwork topology, or can be randomly chosen by each nodes inthe case of random linear network coding. It has proven that arandomly chosen linear network coding can achieve the optimalnetwork performance with high probability. Moreover, becausecoefficients are chosen randomly, it is also usable even when thenetwork topology changes.
3 CORRECTNESS OF THE SCHEME of YU ET AL
In [5], Yu et al. proposed a homomorphic signature scheme fornetwork coding. We will quickly describe their scheme: twoprimes p, q satisfying q j p 1 are chosen. Let G be the subgroupof order q in Z
p. Then, t ¼ m þ n elements g 1; . . . ; g t are chosenfrom G. Let N be an RSA modulus of same bit length as p, i.e.,N is a product of two primes of the same bit length. Choose e
and d such that ed 1 ðmod ðN ÞÞ. Then the public key isPK ¼ ð p; q; g 1; . . . ; g t;N ;eÞ, and the private key is SK ¼ d . The
base field for the network coding operation is F ¼ Zq .Given a packet v ¼ ðv1; . . . ; vtÞ, the signature is calculated as
SigðSK; vÞ ¼def Yt j¼1
g v j j mod p
!d
mod N:
And given a packet v and a corresponding signature , theverification Vf ðPK; v; Þ can be done by checking
e ? Yt
j¼1
g v j j mod p
! ðmod N Þ:
Note that Vf
ðPK;v;
SigðSK;
v
ÞÞ ¼ true holds.
IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 9, SEPTEMBER 2010 1295
. A. Yun and Y. Kim are with the Deptartment of Computer Science &Engineering, University of Minnesota, 4-192 EE/CS Bldg, 200 Union St,
Minneapolis, MN 55455-0159. E-mail: {aaram, kyd}@cs.umn.edu.. J.H. Cheon is with the Deptartment of Mathematical Sciences, Seoul
National University, Bldg. 27, Room 403, SNU, 599 Gwanangno,Gwanak-gu, Seoul 151-747, Korea. E-mail: [email protected].
Manuscript received 16 Feb. 2009; accepted 20 July 2009; published online 26 Mar. 2010.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TC-2009-02-0077.
Digital Object Identifier no. 10.1109/TC.2010.73.0018-9340/10/$26.00 2010 IEEE Published by the IEEE Computer Society
![Page 2: On Homomorphic Signatures for Network Coding](https://reader036.vdocuments.net/reader036/viewer/2022081808/55cf8589550346484b8f2315/html5/thumbnails/2.jpg)
7/18/2019 On Homomorphic Signatures for Network Coding
http://slidepdf.com/reader/full/on-homomorphic-signatures-for-network-coding 2/2
They claim that this is a homomorphic signature scheme.Specifically, if i is a valid signature for a packet vi, and if w ¼P
i ivi for some i 2 Zq , then ¼ Q
i ii mod N is supposed to
be a valid signature for w.However, it is easy to see that this does not hold: consider
the simplest case of w ¼ 2v. Let be the signature for v. Then 2 mod N should be a valid signature for w. This means that,if e Qt
j¼1 g v j j mod p ðmod N Þ, then 2e Qt
j¼1 g 2v j j mod pðmod N Þ. Letting X ¼ e and Y ¼ Qt
j¼1 g v j j mod p, this means
that if X Y ðmod N Þ, then X 2 ðY 2 mod pÞ ðmod N Þ, whichcannot be true in general.
This can be also seen from a small example: consider the case of t ¼ 4, N ¼ 143 ¼ 11 13, p ¼ 139 ¼ 1 þ 2 3 23, q ¼ 23, e ¼ 7,d ¼ 103, and ðg 1; g 2; g 3; g 4Þ ¼ ð55; 64; 65; 129Þ. This set of parameterssatisfy all the requirements of the parameter setup for the scheme.If v ¼ ð1; 0; 1; 0Þ, then the signature is
ðg 1g 3 mod pÞd mod N ¼ ð55 65 mod 139Þ103mod 143
¼ 100103 mod 143
¼ 100
Then 0 ¼ 2 mod N , which is 1002 mod 143 ¼ 133 should be avalid signature of w ¼ 2v ¼ ð2; 0; 2; 0Þ. This means that
1337 ?
ð55 65Þ2mod 139 ðmod 143Þ:
But 13 37 mod 143 ¼ 133, and on the other hand,
ð55 65Þ2mod 139 mod 143 ¼ 131 mod 143 ¼ 131:
4 A SIMPLE FIX, AND MORE FORGERIES
The signature scheme of Yu et al. is constructed analoguous tothe traditional ‘hash-and-sign’ paradigm: it is a composition of ahomomorphic hash function v 7!
Qg v j j mod p and the ‘bare’
RSA signature scheme x 7! xd mod N . In fact, this is very similarto the Full Domain Hash [8], which is H ðM Þd mod N , except that
instead of a regular hash function like SHA-1, a homomorphichash function is used for retaining the homomorphic property.Essentially, the reason for the failure of homomorphic property
of the scheme of Yu et al. is because they use two differentmoduli p and N : both the inner hash function and the outerRSA signature are homomorphic, but they are homomorphic withrespect to different, incompatible operations. Therefore, one simpleway to regain the homomorphic property is to let ‘ p ¼ N ’:
SigðSK; vÞ¼def
Yt j¼1
g v j j
!d
mod N :
This modified scheme is clearly homomorphic. Unfortunately,we can show that this scheme is insecure by exhibiting a simple no-message attack, that is, the attacker can make a successful forgery
based only on the public key and public parameters. Consider thepacket v ¼ ðe; 0; 0; . . . ; 0Þ. Then SigðSK; vÞ ¼ ðg e1Þd mod N ¼ g 1.Therefore g 1 is a valid signature for v ¼ ðe;0; 0; . . . ; 0Þ, but on theother hand this v clearly does not belong to the subspace spanned
by the augmented vectors of the original file.One way to cope with this problem might be to restrict the
message space to vectors of entries smaller than the publicexponent e. This would eliminate one benefit of RSA signatures,namely, we can pick e to be very small for faster verification. Here,we need to pick e large enough so that all packets are smaller thane given the size of the network.
Still, even this version can be easily broken: the attacker has toeavesdrop at leastone packetv ¼ ðv1; . . . ; vtÞ andits signature .Theattacker then forms yet another packet w ¼ ðw1; . . . ; wtÞ ¼
def v þ
ð 1e; . . . ; teÞ. Clearly, ¼def
g 11 g tt is a valid signature of w.The problem is to select and i’s so that all of wi ¼ vi þ te are
greater than or equal to 0 and less than e
, which is equivalent to
0 vi
e þ i < 1:
We see that for each choice of , there is one unique i satisfyingthe above. Pick , which should not be divisible by e, large enoughso that at least some of i are nonzero. This produces a successfulforgery.
5 CONCLUDING REMARKS
In this paper, we pointed out that the signature scheme of Yu et al.is in fact not homomorphic. This is due to the use of two differentmoduli, which gives a composition of an homomorphic hashfunction and a homomorphic signature, with incompatible groupstructures. We further examined the security of the modifiedscheme where only one modulus is used. We found out that thiswas not enough to produce a secure homomorphic signaturescheme. The main reason for this failure was that the schemeallows a trivial no-message attack. Combined with the homo-morphic property, this leads to even more stronger forgery whenthe attacker eavesdrops a few packets.
This is unfortunate, because the idea of Yu et al. is a naturaldirection to design an RSA-based homomorphic signature; if wepursue the approach of following ‘hash-and-sign’ paradigm butusing a homomorphic hash function instead of a regular crypto-
graphic hash function,there arenot many choices forhash functionsother than ones involving group operations, like in the scheme of Yu et al. For the signature scheme, one possibility is to use theBLS short signature [9], and indeed this combination is used toconstruct the homomorphic signature scheme of Boneh et al. [4]. If the combination of the homomorphic hash function and the plainRSA signature would have been secure, it would have all thetraditional benefits of RSA schemes, like faster signatureverificationand simpler implementation. It would be an interesting openproblem to design a secure RSA-based homomorphic signaturescheme.
ACKNOWLEDGMENTS
The first and the third authors were supported, in part, by theUS National Science Foundation (NFS) grants CCF-0621462 and
CNS-0716025. The second author was supported by NAP of KoreaResearch Council of Fundamental Science & Technology.
REFERENCES
[1] R. Ahlswede, N. Cai, S.-Y.R. Li, and R.W. Yeung, “Network InformationFlow,” IEEE Trans. Information Theory, vol. 46, no. 4, pp. 1204-1216, July2000.
[2] S.-Y.R. Li, R.W. Yeung, and N. Cai, “Linear Network Coding,” IEEE Trans.on Information Theory, vol. 49, no. 2, pp. 371-381, 2003.
[3] T. Ho, R. Koetter, M. Medard, D.R. Karger, and M. Effros, “The Benefits of Coding over Routing in a Randomized Setting,” Proc. of IEEE Int’l Symp. onInformation Theory, p. 442, 2003.
[4] D. Boneh, D. Freeman, J. Katz, and B. Waters, “Signing a Linear Subspace:Signature Schemes for Network Coding,” Proc. 12th Int’l Conf. Practice andTheory in Public Key Cryptography (PKC), http://eprint.iacr.org/2008/316,2009.
[5] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An Efficient Signature-Based
Scheme for Securing Network Coding Against Pollution Attacks,” Proc.IEEE 27th Conf. Computer Communications (INFOCOM), pp. 1409-1417, Apr.2008.
[6] D. Charles, K. Jain, and K. Lauter, “Signatures for Network Coding,” Proc.40th Ann. Conf. Information Sciences and Systems (CISS), pp. 857-863, Mar.2006.
[7] M.N. Krohn, M.J. Freedman, and D. Mazieres, “On-the-Fly Verification of Rateless Erasure Codes for Efficient Content Distribution,” IEEE Symp.Security and Privacy, pp. 226-240, 2004.
[8] M. Bellare and P. Rogaway, “Random Oracles Are Practical: A Paradigmfor Designing Efficient Protocols,” Proc. First ACM Conf. Computer andComm. Security pp. 62-73, 1993.
[9] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the WeilPairing,” J. Cryptology, vol. 17, no. 4, pp. 297-319, Sept. 2004.
. For more information on this or any other computing topic, please visit ourDigital Library at www.computer.org/publications/dlib.
1296 IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 9, SEPTEMBER 2010