7/18/2019 On Homomorphic Signatures for Network Coding

http://slidepdf.com/reader/full/on-homomorphic-signatures-for-network-coding 1/2

Brief Contributions________________________________________________________________________________

On Homomorphic Signaturesfor Network Coding

Aaram Yun, Jung Hee Cheon, and

Yongdae Kim,  Member ,   IEEE 

Abstract—In this paper, we examine homomorphic signatures that can be used to

protect the integrity of network coding. In particular, Yu et al. proposed an RSA-

based homomorphic signature scheme recently for this purpose. We show that

their scheme in fact does not satisfy the required homomorphic property, and

further, even though it can be fixed easily, still it allows no-message forgery

attacks.

Index Terms—Network coding, homomorphic signature, homomorphic hashing.

Ç

1 INTRODUCTION

NETWORK coding refers to a new class of routing techniques wherea router not only forwards incoming packets but also processesthem to produce ‘new’ outgoing packets. It was originallyproposed in Ahlswede et al. [1] as a method for maximizing theinformation flow of a multicast network, and subsequently foundmany applications, for example, in sensor networks, wirelessnetworks, and peer-to-peer networks. Li et al. [2] showed thatlinear   network coding is sufficient to achieve the maximumthroughput of multicast network, and Ho et al. [3] introducedthe idea of  random linear network coding, where each node choosesits own coding coefficients randomly and independently. It has

 been shown that a random linear network coding achieves themaximum throughput of multicast network with high probability.Also, because of the random and de-central selection of coding, therandom linear network coding can be used even when the networktopology changes, and can potentially give resilience to random

network failures.For practical application of network coding, protecting integrity

of packets is especially important: a malicious node can ‘pollute’the entire network by injecting a few false packets. Because of thecoding capability of intermediate nodes, any unfiltered false packetwill soon propagate to all other nodes, and prevent properdecoding, even when all the other received packets are correct.Note that a conventional cryptographic signature cannot solve thisproblem, since nodes other than the source not only relay givenpackets but also ‘create’ new packets by linear combination. Forthis reason, some solutions based on the idea of homomorphichashing or homomorphic signature are proposed [4], [5], [6], [7].Because these schemes are homomorphic, an intermediate nodecan combine signatures of incoming packets to form a signature foran outgoing packet, without having the private key of the source.

In INFOCOM 2008, Yu et al. [5] proposed a new homomorphicsignature scheme which is based on both discrete logarithm andRSA. In this paper, first we show that in fact their scheme does not

satisfy the homomorphic property. The reason for this failure isdue to use of two different moduli, and can be fixed by modifyingthe scheme to use a single modulus. We show that this modifiedscheme is also not secure, by showing that an attacker cansuccessfully mount a no-message attack, and a more powerful

single-message attack.

2 NETWORK CODING SECURITY

First, let us describe linear network coding briefly. Let  G  ¼ ðV ;E Þ be a directed graph. Suppose a source s  2  V   wants to send a largefile   F   to a set   T    V    of clients. We assume that the file   F   isrepresented as a sequence of  m  vectors  f 1; . . . ;   f m  2 F

n, where  Fn

is the  n  dimensional vector space over a finite field   F. Then thesource creates  augmented vectors  of  f i ¼ ð f i;1; . . . ;  f i;nÞ by setting

f i   ¼def 

ð f i;1; . . . ;  f i;n; 0; . . . ; 0; 1

 |fflfflfflfflfflffl{zfflfflfflfflfflffl} i

; 0; . . . ; 0 zfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{ m

Þ;

that is, each augmented vector  f i  is of dimension  t  ¼

def 

m þ n, andthe last  m  entries are all zero except at  ðn þ iÞth, where it is 1.The source then propagates linear combinations (over  F) of the

augmented vectors to other nodes. Each node, after receivingpackets   v1; . . . ;vl  2 F

t from its   l  incoming channels, computes alinear combination

wi ¼Xl j¼1

i;jv j;

for some   i;j 2 F, and transmits   wi   to its   ith outgoing channel.Therefore, assuming that all transmissions are done without error,each packet is a linear combination of the original augmentedvectors   f 1; . . . ; f m  of the file over  F.

The coefficients   i;j  can be determined centrally given a staticnetwork topology, or can be randomly chosen by each nodes inthe case of   random   linear network coding. It has proven that arandomly chosen linear network coding can achieve the optimalnetwork performance with high probability. Moreover, becausecoefficients are chosen randomly, it is also usable even when thenetwork topology changes.

3 CORRECTNESS OF THE  SCHEME of YU ET AL

In [5], Yu et al. proposed a homomorphic signature scheme fornetwork coding. We will quickly describe their scheme: twoprimes  p,   q  satisfying  q  j  p 1  are chosen. Let  G  be the subgroupof order   q   in   Z

 p. Then,   t ¼  m þ n  elements   g 1; . . . ; g t   are chosenfrom  G. Let  N   be an RSA modulus of same bit length as  p, i.e.,N   is a product of two primes of the same bit length. Choose   e

and   d    such that   ed    1  ðmod  ðN ÞÞ. Then the public key isPK  ¼ ð p; q; g 1; . . . ; g t;N ;eÞ, and the private key is   SK  ¼  d . The

 base field for the network coding operation is   F ¼  Zq .Given a packet  v ¼ ðv1; . . . ; vtÞ, the signature is calculated as

SigðSK; vÞ ¼def  Yt j¼1

g v j j   mod  p

!d 

mod  N:

And given a packet   v   and a corresponding signature    , theverification Vf ðPK; v;  Þ can be done by checking

 e ?  Yt

 j¼1

g v j j   mod p

! ðmod  N Þ:

Note that Vf 

ðPK;v;

SigðSK;

v

ÞÞ ¼   true holds.

IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 9, SEPTEMBER 2010 1295

.   A. Yun and Y. Kim are with the Deptartment of Computer Science &Engineering, University of Minnesota, 4-192 EE/CS Bldg, 200 Union St,

 Minneapolis, MN 55455-0159. E-mail: {aaram, kyd}@cs.umn.edu..   J.H. Cheon is with the Deptartment of Mathematical Sciences, Seoul

National University, Bldg. 27, Room 403, SNU, 599 Gwanangno,Gwanak-gu, Seoul 151-747, Korea. E-mail: jhcheon@snu.ac.kr.

 Manuscript received 16 Feb. 2009; accepted 20 July 2009; published online 26 Mar. 2010.For information on obtaining reprints of this article, please send e-mail to:tc@computer.org, and reference IEEECS Log Number TC-2009-02-0077.

Digital Object Identifier no. 10.1109/TC.2010.73.0018-9340/10/$26.00     2010 IEEE Published by the IEEE Computer Society

7/18/2019 On Homomorphic Signatures for Network Coding

http://slidepdf.com/reader/full/on-homomorphic-signatures-for-network-coding 2/2

They claim that this is a homomorphic signature scheme.Specifically, if   i   is a valid signature for a packet   vi, and if  w ¼P

i ivi   for some   i 2 Zq , then     ¼ Q

i  ii   mod  N   is supposed to

 be a valid signature for  w.However, it is easy to see that this does not hold: consider

the simplest case of   w ¼ 2v. Let      be the signature for   v. Then 2 mod  N   should be a valid signature for   w. This means that,if     e Qt

 j¼1 g v j j   mod  p ðmod  N Þ, then    2e Qt

 j¼1 g 2v j j   mod  pðmod  N Þ. Letting   X  ¼   e and   Y    ¼ Qt

 j¼1 g v j j   mod  p, this means

that if   X    Y    ðmod  N Þ, then   X 2 ðY  2 mod  pÞ ðmod  N Þ, whichcannot be true in general.

This can be also seen from a small example: consider the case of t ¼  4,   N  ¼  143  ¼  11 13,   p ¼  139  ¼  1 þ 2 3 23,   q  ¼  23,   e ¼  7,d  ¼  103, and ðg 1; g 2; g 3; g 4Þ ¼ ð55; 64; 65; 129Þ. This set of parameterssatisfy all the requirements of the parameter setup for the scheme.If  v ¼ ð1; 0; 1; 0Þ, then the signature    is

ðg 1g 3  mod  pÞd  mod  N  ¼ ð55 65 mod 139Þ103mod 143

¼ 100103 mod 143

¼ 100

Then    0 ¼  2 mod  N , which is   1002 mod 143 ¼  133   should be avalid signature of  w ¼ 2v ¼ ð2; 0; 2; 0Þ. This means that

1337 ?

ð55 65Þ2mod 139 ðmod 143Þ:

But  13 37 mod 143 ¼  133, and on the other hand,

ð55 65Þ2mod 139 mod 143  ¼  131 mod 143  ¼  131:

4 A SIMPLE FIX,   AND  MORE  FORGERIES

The signature scheme of Yu et al. is constructed analoguous tothe traditional ‘hash-and-sign’ paradigm: it is a composition of ahomomorphic hash function   v 7!

 Qg v j j   mod  p   and the ‘bare’

RSA signature scheme  x 7! xd  mod  N . In fact, this is very similarto the Full Domain Hash [8], which is  H ðM Þd  mod  N , except that

instead of a regular hash function like SHA-1, a homomorphichash function is used for retaining the homomorphic property.Essentially, the reason for the failure of homomorphic property

of the scheme of Yu et al. is because they use two differentmoduli   p   and   N : both the inner hash function and the outerRSA signature are homomorphic, but they are homomorphic withrespect to different, incompatible operations. Therefore, one simpleway to regain the homomorphic property is to let ‘ p ¼  N ’:

SigðSK; vÞ¼def 

Yt j¼1

g v j j

!d 

mod  N :

This modified scheme is clearly homomorphic. Unfortunately,we can show that this scheme is insecure by exhibiting a simple no-message attack, that is, the attacker can make a successful forgery

 based only on the public key and public parameters. Consider thepacket   v ¼ ðe; 0; 0; . . . ; 0Þ. Then   SigðSK; vÞ ¼ ðg e1Þd  mod  N  ¼  g 1.Therefore  g 1  is a valid signature for  v ¼ ðe;0; 0; . . . ; 0Þ, but on theother hand this  v  clearly does not belong to the subspace spanned

 by the augmented vectors of the original file.One way to cope with this problem might be to restrict the

message space to vectors of entries smaller than the publicexponent   e. This would eliminate one benefit of RSA signatures,namely, we can pick e  to be very small for faster verification. Here,we need to pick  e  large enough so that all packets are smaller thane given the size of the network.

Still, even this version can be easily broken: the attacker has toeavesdrop at leastone packetv ¼ ðv1; . . . ; vtÞ andits signature .Theattacker then forms yet another packet   w ¼ ðw1; . . . ; wtÞ ¼

def v þ

ð 1e; . . . ;  teÞ. Clearly,      ¼def 

  g  11   g  tt   is a valid signature of  w.The problem is to select    and   i’s so that all of  wi ¼  vi þ  te are

greater than or equal to 0 and less than e

, which is equivalent to

0   vi

e þ  i  <  1:

We see that for each choice of  , there is one unique   i  satisfyingthe above. Pick , which should not be divisible by e, large enoughso that at least some of   i  are nonzero. This produces a successfulforgery.

5 CONCLUDING REMARKS

In this paper, we pointed out that the signature scheme of Yu et al.is in fact not homomorphic. This is due to the use of two differentmoduli, which gives a composition of an homomorphic hashfunction and a homomorphic signature, with incompatible groupstructures. We further examined the security of the modifiedscheme where only one modulus is used. We found out that thiswas not enough to produce a secure homomorphic signaturescheme. The main reason for this failure was that the schemeallows a trivial no-message attack. Combined with the homo-morphic property, this leads to even more stronger forgery whenthe attacker eavesdrops a few packets.

This is unfortunate, because the idea of Yu et al. is a naturaldirection to design an RSA-based homomorphic signature; if wepursue the approach of following ‘hash-and-sign’ paradigm butusing a homomorphic hash function instead of a regular crypto-

graphic hash function,there arenot many choices forhash functionsother than ones involving group operations, like in the scheme of Yu et al. For the signature scheme, one possibility is to use theBLS short signature [9], and indeed this combination is used toconstruct the homomorphic signature scheme of Boneh et al. [4]. If the combination of the homomorphic hash function and the plainRSA signature would have been secure, it would have all thetraditional benefits of RSA schemes, like faster signatureverificationand simpler implementation. It would be an interesting openproblem to design a secure RSA-based homomorphic signaturescheme.

ACKNOWLEDGMENTS

The first and the third authors were supported, in part, by theUS National Science Foundation (NFS) grants CCF-0621462 and

CNS-0716025. The second author was supported by NAP of KoreaResearch Council of Fundamental Science & Technology.

REFERENCES

[1] R. Ahlswede, N. Cai, S.-Y.R. Li, and R.W. Yeung, “Network InformationFlow,”  IEEE Trans. Information Theory,   vol. 46, no. 4, pp. 1204-1216, July2000.

[2]   S.-Y.R. Li, R.W. Yeung, and N. Cai, “Linear Network Coding,”  IEEE Trans.on Information Theory,  vol. 49, no. 2, pp. 371-381, 2003.

[3]   T. Ho, R. Koetter, M. Medard, D.R. Karger, and M. Effros, “The Benefits of Coding over Routing in a Randomized Setting,”  Proc. of IEEE Int’l Symp. onInformation Theory,  p. 442, 2003.

[4]   D. Boneh, D. Freeman, J. Katz, and B. Waters, “Signing a Linear Subspace:Signature Schemes for Network Coding,”  Proc. 12th Int’l Conf. Practice andTheory in Public Key Cryptography (PKC),   http://eprint.iacr.org/2008/316,2009.

[5]   Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, “An Efficient Signature-Based

Scheme for Securing Network Coding Against Pollution Attacks,”   Proc.IEEE 27th Conf. Computer Communications (INFOCOM),  pp. 1409-1417, Apr.2008.

[6]   D. Charles, K. Jain, and K. Lauter, “Signatures for Network Coding,” Proc.40th Ann. Conf. Information Sciences and Systems (CISS),  pp. 857-863, Mar.2006.

[7]   M.N. Krohn, M.J. Freedman, and D. Mazieres, “On-the-Fly Verification of Rateless Erasure Codes for Efficient Content Distribution,”   IEEE Symp.Security and Privacy,  pp. 226-240, 2004.

[8]   M. Bellare and P. Rogaway, “Random Oracles Are Practical: A Paradigmfor Designing Efficient Protocols,”   Proc. First ACM Conf. Computer andComm. Security   pp. 62-73, 1993.

[9]   D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the WeilPairing,”   J. Cryptology,  vol. 17, no. 4, pp. 297-319, Sept. 2004.

. For more information on this or any other computing topic, please visit ourDigital Library at www.computer.org/publications/dlib.

1296 IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 9, SEPTEMBER 2010