IEICE TRANS. FUNDAMENTALS, VOL.E96–A, NO.9 SEPTEMBER 2013

1889

LETTER

An Efficient Hybrid Cryptographic Scheme for Wireless Sensor Network with Network Coding∗

Man LIANG†a), Nonmember and Haibin KAN†b), Member

SUMMARY Wireless sensor network (WSN) using network coding is vulnerable to pollution attacks. Existing authentication schemes addressing this attack either burden the sensor node with a higher computation overhead, or fail to provide an efficient way to mitigate two recently reported attacks: tag pollution attacks and repetitive attacks, which makes them inapplicable to WSN. This paper proposes an efficient hybrid cryptographic scheme for WSN with securing network coding. Our scheme can resist not only normal pollution attacks, but the emerging tag pollution and repetitive attacks in an efficient way. In particular, our scheme is immediately suited for distributing multiple generations using a single public key. Experimental results show that our scheme can significantly improve the computation efficiency at a sensor node under the two above-mentioned attacks.

key words: wireless sensor network, network coding, hybrid cryptographic, pollution attack, tag pollution, repetitive attack

1. Introduction

Network coding [1] has been applied in wireless sensor networks (WSN) for achieving the optimal throughput [5]. However, network coding based WSN is notoriously vulnerable to pollution attacks, where a malicious node may inject a small number of polluted packets into the network, aiming at causing large-scale pollution propagation [13]. To combat this attack, many cryptography-based solutions [6]–[13] have been proposed for network coding. Some of these cryptographic solutions are public-key based approaches [6]–[9], where a sender has a public key known to all other nodes in the network, and the integrity of a packet can be checked using the public key. For example, homomorphic signature schemes [6]–[8] based on bilinear groups have been introduced. The homomorphic property ensures that a linear combination of signed packets carries a corresponding valid combination of their signatures. However, the pairing operation needed by these schemes is computationally expensive. This is not suitable for WSN, where sensor nodes have a limited power resource and constrained computation capacity [9].

Manuscript received April 30, 2013.
†The authors are with the Shanghai Key Laboratory of Intelligent Information Processing and Institute of Theoretical Computer Science, School of Computer Science, Fudan University, Shanghai, China.
∗This work was supported by the National Natural Science Foundations of China (Grant No.61170208), Shanghai Key Program of Basic Research (Grant No.12JC1401400), Shanghai Shuguang Project (Grant No.10SG01) and National Defence Pre-Research Project (Grant No.2012004).
a) E-mail: [email protected]
b) E-mail: [email protected]
DOI: 10.1587/transfun.E96.A.1889

The inefficiency of public-key schemes has led to the emergence of more efficient symmetric-key based methods. For example, two efficient MAC-based schemes have been proposed for a single source [10] and for multiple sources [12]. However, both of them can only detect and filter out a polluted packet at recipients, not at intermediate nodes. An additional drawback of the two schemes is that they cannot efficiently thwart tag pollution attacks, where an adversary aims to tamper with the MAC tags carried by packets instead of their contents [11]. To address this issue, Li et al. [11] present a time-based authentication protocol, RIPPLE, that requires global synchronization among all nodes in the network, which is considered more difficult to implement in a WSN context. Zhang et al. [13] propose another tag-pollution-resistant multi-generation-transmission authentication scheme, MagSig, but this scheme does not provide any defense mechanism to ensure that packets from different generations are not combined, which makes it susceptible to repetitive attacks. A repetitive attack is an active relay attack in the network coding context where the transmission consists of multiple generations. In such an attack, an adversary may intentionally collect the legal packets of a previous generation and use them to fake packets for subsequent ones [13]. These deficiencies motivate us to design a more efficient solution for WSN with securing network coding under attacks. This paper proposes an efficient hybrid cryptographic network coding scheme for WSN, which combines the convenience of a public-key approach [6]–[9] with the efficiency of a symmetric-key method [10]–[12], and uses both a homomorphic MAC and a signature for packet authentication.
This new design gives our scheme the following primary properties: (1) both intermediate and recipient nodes can resist normal pollution attacks, and recipient nodes can rapidly filter out the polluted packets forged by the emerging tag pollution or repetitive attacks; (2) it is immediately suited for distributing multiple generations using a single public key; (3) it divides the verification process at a recipient node into two steps, which can greatly reduce the sensor nodes' computational overhead under a tag pollution or a repetitive attack. In addition, our scheme does not rely on any pairing operations [6]–[8] in signature generation or verification, and can be proven secure based on lower-level cryptographic assumptions without random oracles. Experimental results show that our scheme is much more efficient than existing solutions in verification efficiency under the two above-mentioned attacks.

Copyright © 2013 The Institute of Electronics, Information and Communication Engineers


2. Network Model and Threat Model

We present a description of a network that uses linear network coding [2]. There are three parties in this network: a source node, some intermediate nodes, and some recipient nodes. We suppose that the source node intends to send some packets to the recipient nodes through the intermediate nodes. To do this, the source node first divides the packets into multiple generations [4], each of which consists of $m$ packets. The source node then transforms the $m$ packets into an ordered sequence of $m$ vectors $v_1, \ldots, v_m$ in an $n$-dimensional vector space over a finite field $\mathbb{F}_p$, where $p$ is a prime number, and then creates $m$ source augmented packets $v_1, \ldots, v_m$ defined as

$$v_i = (\underbrace{0, \ldots, 0}_{i-1}, 1, \underbrace{0, \ldots, 0}_{m-i}, v_i) \in \mathbb{F}_p^{m+n}, \qquad (1)$$

i.e., the first $m$ coordinates of $v_i$ form a unit vector with "1" in the $i$th position. We may notice that if $y \in \mathbb{F}_p^{m+n}$ is a linear combination of $v_1, \ldots, v_m$, then the first $m$ coordinates of the vector $y$ are exactly the linear combination coefficients. The source sends these augmented packets into the network, generation by generation. Intermediate nodes in the network perform generation-based random linear network coding [3]. Namely, they linearly combine packets that come from the same generation. For example, on receiving packets $w_{k_1}, w_{k_2}, \ldots$ of the $k$th generation from its incoming links, a node sends $y = \sum_i c_i w_{k_i}$, where each $c_i \in \mathbb{F}_p$ is chosen randomly and independently by the node, to its outgoing links. If the transmission is error-free, all packets of the $k$th generation in the network are linear combinations of the $m$ source augmented packets $v_1, \ldots, v_m$. After receiving $m$ linearly independent packets of the $k$th generation, a recipient node may reconstruct the initial file vectors $v_1, \ldots, v_m$ by applying Gaussian elimination to the $m \times (m+n)$ matrix formed by the $m$ received linearly independent packets.

2.1 Threat Model

We assume that the source node and recipient nodes are trusted, whereas all intermediate nodes in the network could be compromised by an adversary. Adversarial nodes may create and inject polluted packets into the network, or tamper with the packets passing through them, i.e., modify the tags of a legal packet, or collect legal packets of a previous generation and use them to fake packets for subsequent ones. Finally, we assume that the adversaries know the construction of our authentication scheme and have the ability to perform probabilistic polynomial-time (PPT) algorithms. To detect polluted packets, we formally define a polluted packet as follows:

Definition 1: We denote $V$ as the linear vector space spanned by the $m$ basis vectors $v_1, \ldots, v_m$ of the $k$th generation, and then we say $y = (y_1, \ldots, y_m, y_{m+1}, \ldots, y_{m+n})$ is a polluted packet with respect to the $k$th generation if $y \notin V$, that is, $y \neq \sum_{i=1}^m y_i v_i$, where $y_1, \ldots, y_m$ are the first $m$ coordinates of the packet $y$.

3. A Homomorphic Hybrid Cryptographic Scheme for WSN with Securing Network Coding

We begin by defining a hybrid scheme and its security. As mentioned previously, we want our hybrid cryptographic scheme to be useful for the distribution of multiple generations using a single public key, to allow both intermediate nodes and recipients to mitigate pollution attacks, and particularly, to allow recipient nodes to rapidly detect a received packet generated by a tag pollution or repetitive attack. Let $V = \mathrm{span}(v_1, \ldots, v_m)$ denote a vector space. In our scheme, each $V$ is identified by a unique identifier $id$ that is an element of a randomly samplable set $\mathcal{I}$ [7]. The source generates a public key and a private key $(pk, sk)$, where $pk$ is known to all other nodes, and then chooses a secret key $k$ and shares it with all recipient nodes. The source uses the private key $sk$ and the secret key $k$ to compute a signature $\sigma_i$ and a MAC $t_i$ for each basis vector $v_i$, and then transmits a packet $(id, v_i, \sigma_i, t_i)$ into the network. Intermediate nodes use $pk$ to verify the content and signature of a received packet, and employ the homomorphic property to create a valid signature and MAC for the linear combinations they produce. Recipient nodes use both $pk$ and $k$ to verify a packet and rapidly drop packets with ill-formed tags. We denote $\mathcal{I}$ as the set of vector space identifiers, $\mathcal{K}$ as the set of secret keys, and define our scheme as follows:

Definition 2: A homomorphic hybrid cryptographic scheme for network coding is defined as a tuple of four probabilistic polynomial-time algorithms (Setup, Sign, Combine, Verify):

• Setup($1^\lambda$): Input: a security parameter $1^\lambda$ and two integers $m$ and $n$. Output: a prime number $p$, a public key $pk$, a private key $sk$, and a secret key $k$.
• Sign($sk, k, id, v$): Input: a private key $sk$, a secret key $k$, a vector space identifier $id \in \mathcal{I}$, and a vector $v \in \mathbb{F}_p^{m+n}$. Output: a signature $\sigma$ and a MAC value $t$ on $v$.
• Combine($id, \{(c_i, y_i, \sigma_i, t_i)\}_i$): Input: a vector space identifier $id$, and tuples consisting of a coefficient $c_i \in \mathbb{F}_p$, a vector $y_i \in \mathbb{F}_p^{m+n}$, a signature $\sigma_i$ and a MAC $t_i$. Output: a signature $\sigma$ and a MAC value $t$ on the vector $y = \sum_i c_i y_i \in \mathbb{F}_p^{m+n}$.
• Verify($pk, k, id, y, \sigma, t$): Input: a public key $pk$, a secret key $k$, a vector space identifier $id \in \mathcal{I}$, a vector $y \in \mathbb{F}_p^{m+n}$, a signature $\sigma$, and a MAC $t$. Output: a boolean value, i.e., 0 (reject) or 1 (accept).

Correctness. We require that for all tuples $(p, pk, sk, k)$ output by Setup($1^\lambda$), the following correctness condition holds. Let $v_1, \ldots, v_m \in \mathbb{F}_p^{m+n}$ denote $m$ source vectors. Let $\sigma_i, t_i \leftarrow$ Sign($sk, k, id, v_i$), and $c_i \in \mathbb{F}_p$ for all $i = 1, \ldots, m$. If $\sigma, t \leftarrow$ Combine($id, \{(c_i, v_i, \sigma_i, t_i)\}_{i=1}^m$) and $y = \sum_{i=1}^m c_i v_i$, then we require that Verify($pk, k, id, y, \sigma, t$) $= 1$.


Security. The security of a hybrid cryptographic scheme for network coding is defined using the following game, which is played between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$.

Definition 3: Let $\Pi = $ (Setup, Sign, Combine, Verify) be a hybrid cryptographic scheme for network coding. We say that $\Pi$ is secure if the advantage of every PPT adversary $\mathcal{A}$ in the following game is negligible in the security parameter $\lambda$:

• Setup. $\mathcal{A}$ sends two positive integers $m$ and $n$ to $\mathcal{C}$. $\mathcal{C}$ runs Setup($1^\lambda$) to generate $(pk, sk, p)$, sends $(p, pk)$ to $\mathcal{A}$, and generates a random key $k \xleftarrow{R} \mathcal{K}$.
• Queries. $\mathcal{A}$ adaptively queries $\mathcal{C}$. Each query is of the form $(id, V)$, where $V$ is a linear subspace represented by a basis of $m$ vectors $v_1, \ldots, v_m \in \mathbb{F}_p^{m+n}$, and $id$ is a space identifier. We require that all identifiers $id$ are distinct. In response to a query $(id_i, V_i)$ from $\mathcal{A}$, $\mathcal{C}$ runs $\sigma_j, t_j \leftarrow$ Sign($sk, k, id_i, v_j$) for all $j = 1, \ldots, m$, and sends $(\sigma_1, \ldots, \sigma_m)$ and $(t_1, \ldots, t_m)$ to $\mathcal{A}$.
• Output. Finally, $\mathcal{A}$ outputs a tuple $(id^*, y^*, \sigma^*, t^*)$. It wins the security game if Verify($pk, k, id^*, y^*, \sigma^*, t^*$) $= 1$, and either (1) $id^* \neq id_i$ for all $i$ and $y^* \neq 0$ (forgery 1), or (2) $id^* = id_i$ for some $i$ and $y^* \notin V_i$, where $V_i$ is the space identified by $id_i$ (forgery 2).

The advantage NC-Adv[$\mathcal{A}, \Pi$] of $\mathcal{A}$ is defined to be the probability that $\mathcal{A}$ wins the above security game.

Construction. Our construction uses both the classic MAC of Carter and Wegman [16] and a secure Homomorphic Subspace Signature (HSS) [13]. The HSS provides a mechanism for both intermediate and recipient nodes to verify packets under a normal pollution attack, but the HSS can only be used to sign a single generation, after which the public key must be refreshed. To overcome this deficiency of the HSS, our construction carefully ties a Carter-Wegman MAC to an HSS signature. In the Carter-Wegman MAC system, the source and recipient have a shared secret key. The source uses the secret key and a vector space identifier to compute a MAC tag for each of the source vectors. Thus, a Carter-Wegman MAC tag can provide a mechanism for recipient nodes to distinguish packets associated with different generations.

Tying the Carter-Wegman MAC to the HSS signature brings our construction several advantages: (1) the HSS becomes immediately suited for distributing multiple generations using a single public key; (2) the intermediate nodes in the Carter-Wegman MAC system immediately gain the ability to verify a received packet under a normal pollution attack; and (3) the recipient nodes immediately gain the ability to rapidly verify the authenticity of the signature and MAC carried by a received packet, without checking the payload part (the last $n$ coordinates of the packet, and $n \gg m$ is a usual setting [7]). We note that the above-mentioned advantages cannot be gained by using either a signature or a MAC tag alone. Let $\mathrm{PRF} : \mathcal{K} \times (\mathcal{I} \times [1, m]) \to \mathbb{F}_p$ be a pseudo-random function, where $\mathcal{I}$ denotes the domain of the vector space identifier. Our construction is as follows:

• Setup($1^\lambda$): Given a security parameter $1^\lambda$ and two integers $m$ and $n$, we: (1) choose a prime number $p$ satisfying $p > 2^\lambda$; (2) choose a multiplicative cyclic group $G$ of order $p$; (3) choose a generator $g$ of $G$, sample $s \xleftarrow{R} \mathbb{F}_p^{m+n} \times \mathbb{F}_p^*$, and set $h := (g^{s_1}, \ldots, g^{s_{m+n+1}})$; (4) choose a secret key $k \in \mathcal{K}$ and assign it to each recipient; and (5) output a public key $pk := (h, g)$, a private key $sk := s$ and a secret key $k$.
• Sign($sk, k, id, v$): Given a private key $sk$, a secret key $k$, a vector space identifier $id \in \mathcal{I}$, and the $i$th basis vector $v_i = (v_{i,1}, \ldots, v_{i,m+n}) \in \mathbb{F}_p^{m+n}$, we: (1) compute $b_i = \sum_{j=1}^{m+n} s_j v_{i,j} \in \mathbb{F}_p$; (2) set $d_i \leftarrow \mathrm{PRF}(k, (id, i)) \in \mathbb{F}_p$, and output the signature $\sigma_i = b_i / s_{m+n+1} \in \mathbb{F}_p$ and the MAC value $t_i = b_i + d_i \in \mathbb{F}_p$ on the vector $v_i$.
• Combine: Given a vector space identifier $id$, and tuples that consist of a vector $y_i \in \mathbb{F}_p^{m+n}$, a signature $\sigma_i$, a MAC $t_i$, and a coefficient $c_i \in \mathbb{F}_p$, we output a signature $\sigma := \sum_i c_i \sigma_i$ and a MAC $t := \sum_i c_i t_i$ on the vector $y := \sum_i c_i y_i$.
• Verify($pk, k, id, y, \sigma, t$): Given a public key $pk$, a secret key $k$, a vector space identifier $id$, a signature $\sigma$, a MAC value $t$, and a vector $y = (y_1, \ldots, y_{m+n}) \in \mathbb{F}_p^{m+n}$, we: (1) set $d \leftarrow \sum_{i=1}^m [y_i \cdot \mathrm{PRF}(k, (id, i))] \in \mathbb{F}_p$ and first check

$$g^d \cdot h_{m+n+1}^{\sigma} \stackrel{?}{=} g^t. \qquad (2)$$

This algorithm outputs 0 if Eq. (2) does not hold; otherwise Step (2) of Verify is to further check

$$\prod_{i=1}^{m+n} h_i^{y_i} \cdot h_{m+n+1}^{-\sigma} \stackrel{?}{=} 1. \qquad (3)$$

If Eq. (3) holds, output 1; otherwise output 0.

Remarks. Intermediate nodes only perform Step (2) of Verify because they do not have the secret key $k$. Recipient nodes first check the authenticity of the signature and MAC carried by a packet as in Eq. (2), and then verify the payload part of the packet as in Eq. (3).

We now prove the correctness condition of Definition 2. Suppose a vector $y = \sum_{i=1}^m y_i v_i$, where $y_1, \ldots, y_m$ are the first $m$ coordinates of $y$, and $v_1, \ldots, v_m$ are the $m$ source basis vectors with their signatures and MACs being $\sigma_1, \ldots, \sigma_m$ and $t_1, \ldots, t_m$, respectively. If $\sigma, t \leftarrow$ Sign($sk, k, id, y$), then Step (1) of the Verify algorithm computes

$$\begin{aligned}
g^d \cdot h_{m+n+1}^{\sigma} &= g^{\sum_{i=1}^m y_i \cdot \mathrm{PRF}(k,(id,i))} \cdot g^{(\sum_{i=1}^m y_i \sigma_i) \cdot s_{m+n+1}} \\
&= g^{\sum_{i=1}^m y_i \cdot [\mathrm{PRF}(k,(id,i)) + \sum_{j=1}^{m+n} s_j v_{i,j}]} \\
&= g^{\sum_{i=1}^m y_i \cdot [d_i + b_i]} \\
&= g^{\sum_{i=1}^m y_i t_i} \\
&= g^t,
\end{aligned} \qquad (4)$$

where the second line uses $\sigma_i \cdot s_{m+n+1} = b_i \cdot s_{m+n+1}^{-1} \cdot s_{m+n+1} = b_i$,

which is exactly the output of Combine as required. If $\sigma$ and $t$ are correct, then Step (2) of Verify computes

$$\begin{aligned}
\prod_{i=1}^{m+n} h_i^{y_i} \cdot h_{m+n+1}^{-\sigma} &= g^{\sum_{i=1}^{m+n} s_i y_i} \cdot g^{-(\sum_{i=1}^m y_i \sigma_i) \cdot s_{m+n+1}} \\
&= g^{\sum_{i=1}^m y_i \cdot [\sum_{j=1}^{m+n} s_j v_{i,j} - \sum_{j=1}^{m+n} s_j v_{i,j}]} \\
&= g^{\sum_{i=1}^m y_i \cdot [b_i - b_i]} \\
&= g^0 = 1.
\end{aligned} \qquad (5)$$

If $y \in V$ spanned by $v_1, \ldots, v_m$, then we have $y = \sum_{i=1}^m y_i v_i$. Since the private key $sk$ is orthogonal to $V$, the entire product of Eq. (5) is the identity in $G$ as required. Thus, we complete the proof of correctness.
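The construction above (Setup, Sign, Combine and the two-step Verify of Eqs. (2) and (3)), together with the augmented packets of Eq. (1) and the behaviour noted in the Remarks, as an added example in Python that is not the authors' code. It fixes the parameters the paper leaves open: $G$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$ for a safe prime $q = 2p+1$ found at run time (with $p > 2^{40}$, a toy size rather than the 128-bit $p$ of Sect. 5), the PRF is instantiated as HMAC-SHA256 reduced modulo $p$, identifiers are byte strings, and the generation identifiers, payloads and coefficients are constructed with a seeded generator. The `demo` function verifies an honestly combined packet, the same packet with its MAC tag altered (a tag pollution), and the same packet presented under a later generation identifier (a repetitive attack), and counts the group exponentiations each recipient-side Verify spends: both forgeries are rejected by Step (1) after three exponentiations, while Step (2) alone, which is all an intermediate node can run, accepts both, which is the situation discussed in Sect. 5.1.

```python
import hashlib
import hmac
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # exact Miller-Rabin witnesses below 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin, more than enough for the 41-bit moduli used in this demo."""
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(lo):
    """Smallest p >= lo with p and q = 2p + 1 both prime, so Z_q^* has a subgroup of prime order p."""
    p = lo | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    return p

class HybridNCS:
    """Setup / Sign / Combine / Verify of the paper's construction with toy parameters (assumed)."""

    def __init__(self, m, n, lam=40, seed=1):
        self.m, self.n = m, n
        self.rng = random.Random(seed)                    # seeded so the demo is reproducible
        self.p = find_safe_prime(1 << lam)                # F_p and |G|, with p > 2^lam
        self.q = 2 * self.p + 1                           # G = squares mod q, cyclic of order p
        self.g = pow(self.rng.randrange(2, self.q - 1), 2, self.q)  # any square != 1 generates G
        self.s = [self.rng.randrange(1, self.p) for _ in range(m + n + 1)]  # sk = s, s_{m+n+1} != 0
        self.h = [pow(self.g, si, self.q) for si in self.s]               # pk = (h, g), h_i = g^{s_i}
        self.k = bytes(self.rng.getrandbits(8) for _ in range(16))       # MAC key k (recipients only)
        self.exp_count = 0                                # group exponentiations spent in Verify

    def prf(self, gen_id, i):
        """PRF(k, (id, i)) in F_p; assumed instantiated as HMAC-SHA256 reduced mod p."""
        mac = hmac.new(self.k, gen_id + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return int.from_bytes(mac, "big") % self.p

    def augment(self, payloads):
        """Eq. (1): prefix payload vector i with the i-th unit vector of length m."""
        return [[int(j == i) for j in range(self.m)] + list(v) for i, v in enumerate(payloads)]

    def sign(self, gen_id, i, v):
        """Sign: (sigma_i, t_i) for the i-th (1-based) augmented basis vector v_i."""
        b = sum(sj * vj for sj, vj in zip(self.s, v)) % self.p   # b_i = sum_{j<=m+n} s_j v_{i,j}
        sigma = b * pow(self.s[-1], -1, self.p) % self.p         # sigma_i = b_i / s_{m+n+1}
        return sigma, (b + self.prf(gen_id, i)) % self.p         # t_i = b_i + d_i

    def combine(self, packets, coeffs):
        """Combine: the same coefficients applied to the vectors, the signatures and the MACs."""
        y = [sum(c * pkt[0][j] for c, pkt in zip(coeffs, packets)) % self.p for j in range(self.m + self.n)]
        sigma = sum(c * pkt[1] for c, pkt in zip(coeffs, packets)) % self.p
        return y, sigma, sum(c * pkt[2] for c, pkt in zip(coeffs, packets)) % self.p

    def _exp(self, base, e):
        self.exp_count += 1
        return pow(base, e % self.p, self.q)                # exponents live in F_p since |G| = p

    def verify_step1(self, gen_id, y, sigma, t):
        """Eq. (2): g^d * h_{m+n+1}^sigma == g^t with d = sum_{i<=m} y_i PRF(k,(id,i)).
        Needs k, so only recipients run it: three exponentiations and the payload is never read."""
        d = sum(y[i] * self.prf(gen_id, i + 1) for i in range(self.m)) % self.p
        lhs = self._exp(self.g, d) * self._exp(self.h[-1], sigma) % self.q
        return lhs == self._exp(self.g, t)

    def verify_step2(self, y, sigma):
        """Eq. (3): prod_i h_i^{y_i} * h_{m+n+1}^{-sigma} == 1. Needs no key, so intermediate
        nodes run it too; costs m+n+1 exponentiations and looks at neither t nor id."""
        acc = 1
        for hi, yi in zip(self.h, y):                     # zip stops after the m+n coordinates
            acc = acc * self._exp(hi, yi) % self.q
        return acc * self._exp(self.h[-1], -sigma) % self.q == 1

    def verify(self, gen_id, y, sigma, t):
        """Recipient-side Verify: cheap tag check first, payload check only if it passes."""
        return self.verify_step1(gen_id, y, sigma, t) and self.verify_step2(y, sigma)

def demo(m=2, n=4, seed=1):
    """Honest packet, tag pollution and repetitive attack, each with its Verify exponentiation count."""
    S = HybridNCS(m, n, seed=seed)
    gen_a, gen_b = b"gen-0001", b"gen-0002"               # constructed generation identifiers
    payloads = [[S.rng.randrange(S.p) for _ in range(n)] for _ in range(m)]   # constructed payloads
    src = [(v,) + S.sign(gen_a, i + 1, v) for i, v in enumerate(S.augment(payloads))]
    y, sigma, t = S.combine(src, [S.rng.randrange(1, S.p) for _ in range(m)])  # honest relay output
    out = {}
    for name, args in (("honest", (gen_a, y, sigma, t)),
                       ("tag_pollution", (gen_a, y, sigma, (t + 1) % S.p)),  # MAC tag tampered
                       ("repetitive", (gen_b, y, sigma, t))):  # gen-A packet presented as gen-B
        S.exp_count = 0
        out[name] = (S.verify(*args), S.exp_count)
    out["intermediate_step2_on_replay"] = S.verify_step2(y, sigma)  # no k: Step (2) sees nothing wrong
    return out
```

`demo()` returns the outcomes as a dictionary keyed by case, each value being (accepted, exponentiations). With $m = 2$, $n = 4$ the honest packet costs $3 + (m+n+1) = 10$ exponentiations, while both forgeries stop at 3; the arithmetic is identical at the paper's 128-bit $p$, only the group search would then be replaced by a standard group.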

4. Security Proof

We prove security assuming PRF is a secure pseudo-random function and the hardness of the discrete logarithm problem in $G$. For a PRF adversary $\mathcal{B}_1$, we denote by PRF-Adv[$\mathcal{B}_1$, PRF] the advantage that $\mathcal{B}_1$ wins the PRF security game with respect to PRF. Similarly, for a PPT adversary $\mathcal{B}_2$, we denote by DL-Adv[$\mathcal{B}_2, G$] the advantage that $\mathcal{B}_2$ computes discrete logarithms in $G$. Both have the same running time as $\mathcal{A}$.

Theorem 1: The proposed hybrid cryptographic scheme for network coding, Hbd-NCS, is secure assuming PRF is a secure PRF and the hardness of the discrete logarithm problem in $G$. In particular, let $\mathcal{A}$ be a PPT adversary as in Definition 3. Then there is a PRF adversary $\mathcal{B}_1$ and a PPT adversary $\mathcal{B}_2$ computing discrete logarithms in $G$ such that

$$\mathrm{NC\text{-}Adv}[\mathcal{A}, \mathrm{Hbd\text{-}NCS}] \le \mathrm{PRF\text{-}Adv}[\mathcal{B}_1, \mathrm{PRF}] + \mathrm{DL\text{-}Adv}[\mathcal{B}_2, G] + 1/p.$$

Proof 1: The proof uses a sequence of three games, denoted Game 0, 1, 2. Let $W_0, W_1, W_2$ denote the events that $\mathcal{A}$ wins the homomorphic hybrid-key security game in Game 0, 1, 2, respectively. Let Game 0 be identical to the attack game. Hence, we have

$$\Pr[W_0] = \mathrm{NC\text{-}Adv}[\mathcal{A}, \mathrm{Hbd\text{-}NCS}]. \qquad (6)$$

In Game 1, the private key $s$ is replaced by a truly random string, i.e., in response to the signing queries, the challenger computes $s \xleftarrow{R} \mathbb{F}_p^{m+n+1}$ in step (1) of the Sign algorithm instead of using the real private key $s$. Everything else remains the same. Then there is a PPT adversary $\mathcal{B}_2$ solving the DL problem in $G$ such that

$$|\Pr[W_0] - \Pr[W_1]| = \mathrm{DL\text{-}Adv}[\mathcal{B}_2, G]. \qquad (7)$$

In Game 2, the PRF is replaced by a truly random function, i.e., in response to the signing queries, the challenger computes $d \xleftarrow{R} \mathbb{F}_p$ instead of $d \leftarrow \mathrm{PRF}(k, (id_i, j))$ in step (2) of the Sign algorithm. Everything else remains the same. Then there is a PRF adversary $\mathcal{B}_1$ such that

$$|\Pr[W_1] - \Pr[W_2]| = \mathrm{PRF\text{-}Adv}[\mathcal{B}_1, \mathrm{PRF}]. \qquad (8)$$

The complete challenger in Game 2 works as follows:

Init. $\mathcal{C}$ chooses $s \xleftarrow{R} \mathbb{F}_p^{m+n+1}$. The vector $s$ can then be written as $s = (s', s_{m+n+1})$, where $s' = (s_1, \ldots, s_{m+n})$ consists of the first $m+n$ coordinates of $s$, and $s_{m+n+1}$ is the last coordinate of $s$.

Queries. $\mathcal{A}$ submits the $i$th query $(id_i, V_i)$ to $\mathcal{C}$, where $V_i = \mathrm{span}(v_1, \ldots, v_m)$. In response to the $i$th query, $\mathcal{C}$ computes $b_{i,j} \leftarrow s' \cdot v_j$ and $d_{i,j} \xleftarrow{R} \mathbb{F}_p$ for $j = 1, \ldots, m$, and computes $\sigma_{i,j} \leftarrow b_{i,j} / s_{m+n+1}$ and $t_{i,j} \leftarrow b_{i,j} + d_{i,j}$ for $j = 1, \ldots, m$. Then $\mathcal{C}$ sends $(\sigma_{i,1}, \ldots, \sigma_{i,m})$ and $(t_{i,1}, \ldots, t_{i,m})$ to $\mathcal{A}$.

Output. Finally, $\mathcal{A}$ outputs a tuple $(id^*, y^*, \sigma^*, t^*)$, where $y^* = (y^*_1, \ldots, y^*_m, y^*_{m+1}, \ldots, y^*_{m+n})$. We say $\mathcal{A}$ wins the security game, i.e., $W_2$ happens, if the following two equations simultaneously hold:

$$t^* = y^* \cdot s' + \sum_{j=1}^m y^*_j \cdot d^*_j \qquad (9)$$

$$\sigma^* = y^* \cdot s' / s_{m+n+1}. \qquad (10)$$

In what follows, we demonstrate that $\Pr[W_2] \le 1/p$. Let $E_1$ denote the event that $\mathcal{A}$ outputs forgery 1, and write the corresponding winning probability as $\Pr[W_2 \cap E_1]$. Then we know that $id^* \neq id_i$ for all $i$ and $y^* \neq 0$. To check if $\mathcal{A}$ wins the game, we set $d^*_j \xleftarrow{R} \mathbb{F}_p$ for $j = 1, \ldots, m$. $\mathcal{A}$ may use a vector $y^* \in V_i$ and its signature $\sigma^*$ returned by $\mathcal{C}$ in some query to satisfy Eq. (10) (analogous to a repetitive attack), but the right-hand side of Eq. (9) is an element uniform in $\mathbb{F}_p$ and independent of $\mathcal{A}$'s view. So, when $E_1$ happens, the probability that Eqs. (9) and (10) hold simultaneously is at most $1/p$. Hence, we have $\Pr[W_2 \cap E_1] = \Pr[W_2 \mid E_1] \cdot \Pr[E_1] \le (1/p) \cdot \Pr[E_1]$.

Let $E_2$ denote the event that $\mathcal{A}$ outputs forgery 2, and write the corresponding winning probability as $\Pr[W_2 \cap E_2]$. Then we know that $id^* = id_i$ is an identifier returned on some query $V_i$, and $y^* \notin V_i$. To check if $\mathcal{A}$ wins the game, we set $(d^*_1, \ldots, d^*_m) \leftarrow (d_{i,1}, \ldots, d_{i,m})$. We denote $v_1, \ldots, v_m$ as the basis vectors of $V_i$, and $\{\hat{\sigma}_1, \ldots, \hat{\sigma}_m\}$ and $\{\hat{t}_1, \ldots, \hat{t}_m\}$ as their signatures and MACs, respectively. Thus, we can define a vector $\hat{y} \in V_i$ such that $\hat{y} = \sum_{j=1}^m y^*_j \cdot v_j$, with its signature and MAC defined as

$$\hat{\sigma} = \sum_{j=1}^m y^*_j \cdot \hat{\sigma}_j \quad \text{and} \quad \hat{t} = \sum_{j=1}^m y^*_j \cdot \hat{t}_j. \qquad (11)$$

With $(\hat{y}, \hat{\sigma}, \hat{t})$, we know the following two equations hold:

$$t^* = y^* \cdot s' + \sum_{j=1}^m y^*_j \cdot d_{i,j} \qquad (12)$$

and

$$\hat{t} = \hat{y} \cdot s' + \sum_{j=1}^m \hat{y}_j \cdot d_{i,j}. \qquad (13)$$

With $(\hat{y}, \hat{\sigma}, \hat{t})$, we know the following two equations also hold:

$$\sigma^* = y^* \cdot s' / s_{m+n+1} \qquad (14)$$

and

$$\hat{\sigma} = \hat{y} \cdot s' / s_{m+n+1}. \qquad (15)$$

Subtracting Eq. (13) from Eq. (12) (the $d_{i,j}$ terms cancel because $\hat{y}_j = y^*_j$ for $j = 1, \ldots, m$ by the definition of $\hat{y}$), we obtain

$$t^* - \hat{t} = (y^* - \hat{y}) \cdot s'. \qquad (16)$$

Subtracting Eq. (15) from Eq. (14), we obtain

$$\sigma^* - \hat{\sigma} = (y^* - \hat{y}) \cdot s' / s_{m+n+1}. \qquad (17)$$

We claim that $E_2$ happens if $\mathcal{A}$ is able to find a pair $(y^*, t^*)$ which satisfies Eq. (16), and simultaneously a pair $(y^*, \sigma^*)$ which satisfies Eq. (17). Since we know that $\hat{y} \in V_i$ but $y^* \notin V_i$, we have $\hat{y} \neq y^*$. Since $s_{m+n+1}$ is an element uniform in $\mathbb{F}_p$ and $s'$ is a vector uniformly distributed in $\mathbb{F}_p^{m+n}$, both of which are independent of $\mathcal{A}$'s view, the probability that both Eqs. (16) and (17) hold when $E_2$ happens is exactly $1/p^2$. Hence, $\Pr[W_2 \cap E_2] = \Pr[W_2 \mid E_2] \cdot \Pr[E_2] = (1/p^2) \cdot \Pr[E_2]$. According to the arbitrary adversary principle in [15], we cannot assume anything about the adversary's strategy, thus we calculate $\Pr[W_2]$ as follows:

$$\begin{aligned}
\Pr[W_2] &= \Pr[W_2 \cap E_1] + \Pr[W_2 \cap E_2] \\
&\le 1/p \cdot \Pr[E_1] + 1/p^2 \cdot \Pr[E_2] \\
&\le 1/p \cdot (\Pr[E_1] + \Pr[E_2]) \\
&\le 1/p \qquad (\because E_1 = \bar{E}_2).
\end{aligned} \qquad (18)$$

Joining Eqs. (6), (7), (8), and (18) together, we complete the proof.

Fig. 1 The per-packet verification time of our hybrid scheme and the prior public-key based signature schemes [7]–[9] under a tag pollution attack (TPA), a repetitive attack (RA), and a normal pollution attack (NPA).

5. Performance Evaluation

We implement our hybrid cryptographic scheme to evaluate its performance under a tag pollution attack [11], a repetitive attack [13] and a normal pollution attack, and we compare our scheme with the public-key based signature schemes [7]–[9]. We focus on the online computation overhead introduced by the operations performed at each recipient node per packet. To facilitate comparison, we conduct the benchmark as in [13] on a 2.00 GHz Intel Core 2 CPU, where approximately $2.5 \times 10^5$ finite field multiplications over $\mathbb{F}_p$ can be performed per second for $|p| = 128$ bits. Since MACs $t$ and signatures $\sigma$ are defined over $\mathbb{F}_p$, they both have size $|p| = \log_2 p$ bits, as do message symbols. The size of an element of $G$ is represented using $\log_2 p$ bits. So, if $|p| = 128$ bits (as adopted in [12], [13]), the size of MACs, signatures, and elements of $G$ is 128 bits. We let $n = 20m$ [13]. The computation overhead of the various operations can be evaluated by the number of finite field multiplications. The verification time per packet is a key metric for evaluating the performance of the schemes [9]. Figure 1 shows the average verification time per packet of the public-key based signature schemes [7]–[9] and of our scheme under a tag pollution attack, a repetitive attack, and a normal pollution attack. We observe that the prior public-key solutions [7]–[9] have the same verification time per packet under the three different attacks. We also observe that under a normal pollution attack, if a recipient node performs the whole two-step verification process, our scheme has efficiency comparable to the prior public-key solutions. This is not surprising because our hybrid cryptosystem is itself a public-key system. However, our hybrid scheme is much faster than the prior public-key solutions in packet verification under a tag pollution attack and a repetitive attack.
Efficient verification approaches can eliminate the performance bottleneck and help the source to achieve an optimal message-sending rate [8]. When the system is suffering a tag pollution attack, an adversary may tamper with the MAC tag of a packet (we may assume that the adversary also tampers with the signature of the packet). To detect whether a packet contains an ill-formed MAC tag (or an ill-formed signature), previous solutions [6]–[12] need to check the whole packet symbols (i.e., the $m+n$ coordinates) in order to determine whether the MAC tag (or the signature) of the packet is polluted. This explains why the verification time of the prior public-key based solutions [7]–[9] increases linearly with the length of a packet under a tag pollution attack (and the other two attacks) in Fig. 1. This also explains why our scheme has efficiency comparable to the prior public-key solutions if a recipient node performs the whole two-step verification process under a normal pollution attack. In our scheme, every packet forwarded in the system is associated with a signature as well as a MAC tag. In particular, the MAC tag is related to the signature. This property enables the recipient nodes to rapidly check whether the signature of a packet matches its MAC tag (Step (1) of Verify), without verifying the payload part (the last $n$ coordinates of the packet, and $n \gg m$ is a usual setting [7]). Moreover, the Step (1) verification at recipient nodes uses a vector space identifier $id$ as input, so if a packet is forged by a repetitive attack, the packet can also be detected during this verification process. In fact, Step (1) of Verify only needs a recipient node to perform three exponentiations (see Eq. (2)). This explains why the verification time of our scheme does not increase linearly with the length of a packet under a tag pollution or a repetitive attack in Fig. 1.
5.1 Discussion

Different from the schemes [10] and [12], in our scheme an intermediate node is able to verify the whole packet symbols (i.e., the $m+n$ coordinates) and the signature of a received packet (by using Step (2) of Verify). Thus, from this point of view, our scheme is analogous to a signature scheme. However, our scheme does not rely on any pairing operations [6]–[8] in signature generation or verification, and can be proven secure based on lower-level cryptographic assumptions without random oracles. Thus, our scheme is essentially optimal in this regard and can be easily implemented in a sensor node of a wireless sensor network. An additional advantage of our scheme is that dividing the verification process at recipient nodes into two steps can greatly reduce the recipient nodes' computational overhead under a tag pollution and a repetitive attack.

In our scheme, although the intermediate nodes have the ability to check a packet under a normal pollution attack, this is not sufficient to guarantee security. This is due to the fact that: (I) the Step (2) verification at intermediate nodes cannot check the MAC tag carried by a packet; and (II) the Step (2) verification at intermediate nodes is performed without using a vector space identifier $id$ as input (see Eq. (3)). As a result, the Step (2) verification at intermediate nodes is incapable of filtering out a polluted packet forged by either a tag pollution or a repetitive attack. Fortunately, Step (1) of Verify, performed at a recipient node, is sufficient to filter out such a polluted packet in most cases. This is due to the fact that: (I) in most cases, a polluted packet received by the recipient nodes most likely only contains an ill-formed MAC tag (since the rest of the packet has already been checked by intermediate nodes); (II) the Step (1) verification at recipient nodes only checks whether the signature of a packet matches the MAC tag of the packet, and if not, the packet is discarded immediately; and (III) the Step (1) verification at recipient nodes does use a vector space identifier $id$ as input (see Eq. (2)). As a result, if a polluted packet contains an ill-formed MAC tag or is forged by a repetitive attack, it will be rapidly filtered out during this verification process.
Thus, in the sense of reducing the sensor nodes' computational overhead, the time-consuming Step (2) of Verify at recipient nodes can be avoided under the two attacks. Although Step (1) of Verify at recipient nodes is sufficient in most cases, the recipient nodes should continue to verify those packets that pass the Step (1) verification (i.e., perform the Step (2) verification at recipient nodes) in order to guarantee complete security.

6. Conclusion

In this paper, we introduce an efficient homomorphic hybrid cryptographic scheme for wireless sensor networks that use network coding. Our scheme combines the convenience of a public-key approach with the efficiency of a symmetric-key method. We demonstrate that our scheme not only can resist normal pollution attacks, but also can rapidly filter out the polluted packets forged by the emerging tag pollution and repetitive attacks. Moreover, our scheme supports the distribution of multiple generations using a single public key. In addition, our scheme does not rely on any pairing operations in signature generation or verification, and can be proven secure based on lower-level cryptographic assumptions without random oracles. Thus, our scheme is ideally suited for network coding based wireless sensor networks.

References

[1] R. Ahlswede, N. Cai, S.Y.R. Li, and R.W. Yeung, "Network information flow," IEEE Trans. Inf. Theory, vol.6, no.4, pp.1204–1216, July 2000.
[2] S.-Y.R. Li, W. Yeung, and N. Cai, "Linear network coding," IEEE Trans. Inf. Theory, vol.49, no.2, pp.371–381, Feb. 2003.
[3] T. Ho, R. Koetter, M. Medard, D. Karger, and M. Effros, "The benefits of coding over routing in a randomized setting," Proc. 2003 IEEE Int. Symp. Inf. Theory, pp.442–, Yokohama, Japan, Sept. 2003.
[4] P.A. Chou, Y. Wu, and K. Jain, "Practical network coding," Proc. 41st Annual Allerton Conf. Commun. Control and Computing, pp.40–49, Monticello, IL, USA, Oct. 2003.
[5] S. Katti, H. Rahul, W. Hu, D. Katabi, M. Medard, and J. Crowcroft, "XORs in the Air: Practical wireless network coding," IEEE/ACM Trans. Netw., vol.16, no.3, pp.497–510, June 2008.
[6] D. Charles, K. Jain, and K. Lauter, "Signatures for network coding," Proc. 40th Annual Conf. Information Sciences and Systems, pp.857–863, New Jersey, USA, March 2006.
[7] D. Boneh, D. Freeman, J. Katz, and B. Waters, "Signing a linear subspace: Signature schemes for network coding," Proc. PKC 2009, LNCS 5443, pp.68–87, Irvine, USA, June 2009.
[8] Y. Jiang, H. Zhu, M. Shi, X. Shen, and C. Lin, "An efficient dynamic-identity based signature scheme for secure network coding," Comput. Netw., vol.54, no.1, pp.28–40, Jan. 2010.
[9] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, "An efficient signature-based scheme for securing network coding against pollution attacks," Proc. 2008 IEEE INFOCOM, 27th Conf. Computer Commun., pp.1409–1417, Phoenix, USA, April 2008.
[10] S. Agrawal and D. Boneh, "Homomorphic MACs: MAC-based integrity for network coding," Proc. ACNS 2009, LNCS 5536, pp.292–305, Paris-Rocquencourt, France, June 2009.
[11] Y. Li, H. Yao, M. Chen, S. Jaggi, and A. Rosen, "RIPPLE authentication for network coding," Proc. 2010 IEEE INFOCOM, 29th Conf. Computer Commun., pp.1–9, San Diego, USA, March 2010.
[12] A. Le and A. Markopoulou, "On detecting pollution attacks in inter-session network coding," Proc. 2012 IEEE INFOCOM, 31st Conf. Computer Commun., pp.343–351, Orlando, Florida, USA, March 2012.
[13] P. Zhang, Y. Jiang, C. Lin, H. Yao, A. Wasef, and X.S. Shen, "Padding for orthogonality: Efficient subspace authentication for network coding," Proc. 2011 IEEE INFOCOM, 30th Conf. Computer Commun., pp.1026–1034, Shanghai, China, April 2011.
[14] M. Bellare, O. Goldreich, and S. Goldwasser, "Incremental cryptography: The case of hashing and signing," Proc. CRYPTO'94, International Cryptology Conference on Advances in Cryptology, pp.216–233, Santa Barbara, CA, Aug. 1994.
[15] J. Katz and Y. Lindell, Introduction to Modern Cryptography, Chapman & Hall/CRC Press, Boca Raton, FL, 2008.
[16] L. Carter and M. Wegman, "Universal classes of hash functions," J. Computer and System Sciences, vol.18, no.2, pp.143–154, 1979.


The inefficiency of public-key schemes has led to the emergence of more efficient symmetric-key based methods. For example, two efficient MAC-based schemes have been proposed for a single source [10] and for multiple sources [12]. However, both of them can only detect and filter out a polluted packet at recipients, not at intermediate nodes. An additional drawback of these two schemes is that they cannot efficiently thwart tag pollution attacks, where an adversary aims to tamper with the MAC tags carried by packets instead of their contents [11]. To address this issue, Li et al. [11] present a time-based authentication protocol, RIPPLE, that requires global synchronization among all nodes in the network, which is considered difficult to implement in a WSN context. Zhang et al. [13] propose another tag-pollution-resistant multi-generation-transmission authentication scheme, MagSig, but this scheme does not provide any defense mechanism to ensure that packets from different generations are not combined, which leaves it susceptible to repetitive attacks. A repetitive attack is an active relay attack in the network coding context where the transmission consists of multiple generations. In such an attack, an adversary may intentionally collect the legal packets of a previous generation and use them to fake packets for subsequent ones [13]. These deficiencies motivate us to design a more efficient solution for securing network coding in WSN under attack. This paper proposes an efficient hybrid cryptographic network coding scheme for WSN, which combines the convenience of a public-key approach [6]–[9] with the efficiency of a symmetric-key method [10]–[12], and uses both a homomorphic MAC and a signature for packet authentication.
This new design brings the following primary properties: (1) both intermediate and recipient nodes can resist normal pollution attacks, and recipient nodes can rapidly filter out polluted packets forged by the emerging tag pollution or repetitive attacks; (2) it is immediately suited for distributing multiple generations using a single public key; (3) it divides the verification process at a recipient node into two steps, which greatly reduces the sensor nodes' computational overhead under a tag pollution or a repetitive attack. In addition, our scheme does not rely on any pairing operations [6]–[8] in signature generation or verification, and can be proven secure based on lower-level cryptographic assumptions without random oracles. Experimental results show that our scheme is much more efficient than existing solutions in verification efficiency under the two above-mentioned attacks.

Copyright © 2013 The Institute of Electronics, Information and Communication Engineers


2. Network Model and Threat Model

We present a description of a network that uses linear network coding [2]. There are three parties in this network: a source node, some intermediate nodes, and some recipient nodes. We suppose that the source node intends to send some packets to the recipient nodes through the intermediate nodes. To do this, the source node first divides the packets into multiple generations [4], each of which consists of m packets. The source node then transforms the m packets into an ordered sequence of m vectors $v_1, \dots, v_m$ in an n-dimensional vector space over a finite field $\mathbb{F}_p$, where p is a prime number, and then creates m source augmented packets $\mathbf{v}_1, \dots, \mathbf{v}_m$ defined as

$$\mathbf{v}_i = (\underbrace{0, \dots, 0}_{i-1}, 1, \underbrace{0, \dots, 0}_{m-i}, v_i) \in \mathbb{F}_p^{m+n}, \qquad (1)$$

i.e., the first m coordinates of $\mathbf{v}_i$ form a unit vector with a "1" in the ith position. We may notice that if $\mathbf{y} \in \mathbb{F}_p^{m+n}$ is a linear combination of $\mathbf{v}_1, \dots, \mathbf{v}_m$, then the first m coordinates of the vector $\mathbf{y}$ are exactly the linear combination coefficients. The source sends these augmented packets into the network, generation by generation. Intermediate nodes in the network perform generation-based random linear network coding [3]. Namely, they linearly combine packets that come from the same generation. For example, on receiving packets $\mathbf{w}_{k_1}, \dots, \mathbf{w}_{k_\ell}$ of the kth generation from its incoming links, a node sends $\mathbf{y} = \sum_{i=1}^{\ell} c_i \mathbf{w}_{k_i}$, where each $c_i \in \mathbb{F}_p$ is chosen randomly and independently by the node, to its outgoing links. If the transmission is error-free, all packets of the kth generation in the network are linear combinations of the m source augmented packets $\mathbf{v}_1, \dots, \mathbf{v}_m$. After receiving m linearly independent packets of the kth generation, a recipient node may reconstruct the initial file vectors $v_1, \dots, v_m$ by applying Gaussian elimination to the $m \times (m+n)$ matrix formed by the m received linearly independent packets.

2.1 Threat Model

We assume that the source node and recipient nodes are trusted, whereas all intermediate nodes in the network could be compromised by an adversary. Adversarial nodes may create and inject polluted packets into the network, or tamper with the packets passing through them, e.g., by modifying the tags of a legal packet, or by collecting legal packets of a previous generation and using them to fake packets for subsequent ones. Finally, we assume that the adversaries know the construction of our authentication scheme and have the ability to perform probabilistic polynomial-time (PPT) algorithms. To detect polluted packets, we formally define a polluted packet as follows:

Definition 1: We denote by V the linear vector space spanned by the m basis vectors $\mathbf{v}_1, \dots, \mathbf{v}_m$ of the kth generation; then we say $\mathbf{y} = (y_1, \dots, y_m, y_{m+1}, \dots, y_{m+n})$ is a polluted packet with respect to the kth generation if $\mathbf{y} \notin V \iff \mathbf{y} \neq \sum_{i=1}^{m} y_i \mathbf{v}_i$, where $(y_1, \dots, y_m)$ are the first m coordinates of the packet $\mathbf{y}$.

3. A Homomorphic Hybrid Cryptographic Scheme for WSN with Securing Network Coding

We begin by defining a hybrid scheme and its security. As mentioned previously, we want our hybrid cryptographic scheme to be useful for the distribution of multiple generations using a single public key, to allow both intermediate nodes and recipients to mitigate pollution attacks, and particularly, to allow recipient nodes to rapidly detect a received packet generated by a tag pollution or repetitive attack. Let $V = \mathrm{span}(\mathbf{v}_1, \dots, \mathbf{v}_m)$ denote a vector space. In our scheme, each V is identified by a unique identifier id that is an element of a randomly samplable set $\mathcal{I}$ [7]. The source generates a public key and a private key (pk, sk), where pk is known to all other nodes, and then chooses a secret key k and shares it with all recipient nodes. The source uses the private key sk and the secret key k to compute a signature $\sigma_i$ and a MAC $t_i$ for each basis vector $\mathbf{v}_i$, and then transmits the packet $(id, \mathbf{v}_i, \sigma_i, t_i)$ into the network. Intermediate nodes use pk to verify the content and signature of a received packet, and employ the homomorphic property to create a valid signature and MAC for the linear combinations they produce. Recipient nodes use both pk and k to verify a packet and rapidly drop packets with ill-formed tags. We denote by $\mathcal{I}$ the set of vector space identifiers and by $\mathcal{K}$ the set of secret keys, and define our scheme as follows:

Definition 2: A homomorphic hybrid cryptographic scheme for network coding is defined as a tuple of four probabilistic polynomial-time algorithms (Setup, Sign, Combine, Verify):
• Setup($1^\lambda$): Input: a security parameter $1^\lambda$ and two integers m and n. Output: a prime number p, a public key pk, a private key sk, and a secret key k.
• Sign(sk, k, id, $\mathbf{v}$): Input: a private key sk, a secret key k, a vector space identifier $id \in \mathcal{I}$, and a vector $\mathbf{v} \in \mathbb{F}_p^{m+n}$. Output: a signature σ and a MAC value t on $\mathbf{v}$.
• Combine(id, $\{(c_i, \mathbf{y}_i, \sigma_i, t_i)\}_{i=1}^{\ell}$): Input: a vector space identifier id, and ℓ tuples each consisting of a coefficient $c_i \in \mathbb{F}_p$, a vector $\mathbf{y}_i \in \mathbb{F}_p^{m+n}$, a signature $\sigma_i$ and a MAC $t_i$. Output: a signature σ and a MAC value t on the vector $\mathbf{y} = \sum_{i=1}^{\ell} c_i \mathbf{y}_i \in \mathbb{F}_p^{m+n}$.
• Verify(pk, k, id, $\mathbf{y}$, σ, t): Input: a public key pk, a secret key k, a vector space identifier $id \in \mathcal{I}$, a vector $\mathbf{y} \in \mathbb{F}_p^{m+n}$, a signature σ, and a MAC t. Output: a boolean value, i.e., 0 (reject) or 1 (accept).

Correctness. We require that for all tuples (p, pk, sk, k) output by Setup($1^\lambda$), the following correctness condition holds. Let $\mathbf{v}_1, \dots, \mathbf{v}_m \in \mathbb{F}_p^{m+n}$ denote the m source vectors. Let $\sigma_i, t_i \leftarrow \mathrm{Sign}(sk, k, id, \mathbf{v}_i)$ and $c_i \in \mathbb{F}_p$ for all $i = 1, \dots, m$. If $\sigma, t \leftarrow \mathrm{Combine}(id, \{(c_i, \mathbf{v}_i, \sigma_i, t_i)\}_{i=1}^{m})$ and $\mathbf{y} = \sum_{i=1}^{m} c_i \mathbf{v}_i$, then we require that Verify(pk, k, id, $\mathbf{y}$, σ, t) = 1.


Security. The security of a hybrid cryptographic scheme for network coding is defined using the following game, which is played between an adversary A and a challenger C.

Definition 3: Let Π = (Setup, Sign, Combine, Verify) be a hybrid cryptographic scheme for network coding. We say that Π is secure if the advantage of every PPT adversary A in the following game is negligible in the security parameter λ:
• Setup. A sends two positive integers m and n to C. C runs Setup($1^\lambda$) to generate (pk, sk, p), and sends (p, pk) to A. C also generates a random key $k \xleftarrow{R} \mathcal{K}$.
• Queries. A adaptively queries C. Each query is of the form (id, V), where V is a linear subspace represented by a basis of m vectors $\mathbf{v}_1, \dots, \mathbf{v}_m \in \mathbb{F}_p^{m+n}$, and id is a space identifier. We require that all identifiers id are distinct. In response to a query $(id_i, V_i)$ from A, C runs $\sigma_j, t_j \leftarrow \mathrm{Sign}(sk, k, id_i, \mathbf{v}_j)$ for all $j = 1, \dots, m$, and sends $(\sigma_1, \dots, \sigma_m)$ and $(t_1, \dots, t_m)$ to A.
• Output. Finally, A outputs a tuple $(id^*, \mathbf{y}^*, \sigma^*, t^*)$. It wins the security game if Verify(pk, k, $id^*$, $\mathbf{y}^*$, $\sigma^*$, $t^*$) = 1, and either (1) $id^* \neq id_i$ for all i and $\mathbf{y}^* \neq 0$ (forgery 1), or (2) $id^* = id_i$ for some i and $\mathbf{y}^* \notin V_i$, where $V_i$ is the subspace identified by $id_i$ (forgery 2).

The advantage NC-Adv[A, Π] of A is defined to be the probability that A wins the above security game.

Construction. Our construction uses both the classic MAC of Carter and Wegman [16] and a secure Homomorphic Subspace Signature (HSS) [13]. The HSS provides a mechanism for both intermediate and recipient nodes to verify packets under a normal pollution attack, but the HSS can only be used to sign a single generation, after which the public key must be refreshed. To overcome this deficiency of HSS, our construction carefully ties a Carter-Wegman MAC to an HSS signature. In the Carter-Wegman MAC system, the source and recipients have a shared secret key. The source uses the secret key and a vector space identifier to compute a MAC tag for each of the source vectors. Thus, a Carter-Wegman MAC tag provides a mechanism for recipient nodes to distinguish packets associated with different generations.

Tying a Carter-Wegman MAC to an HSS signature brings our construction many advantages: (1) the HSS is immediately suited for distributing multiple generations using a single public key; (2) the intermediate nodes in the Carter-Wegman MAC system immediately have the ability to verify a received packet under a normal pollution attack; and (3) the recipient nodes immediately have the ability to rapidly verify the authenticity of the signature and MAC carried by a received packet, without checking the payload part (the last n coordinates of the packet, where $n \gg m$ is a usual setting [7]). We note that the above-mentioned advantages cannot be gained by using either a signature or a MAC tag alone. Let $\mathrm{PRF}: \mathcal{K} \times (\mathcal{I} \times [1, m]) \to \mathbb{F}_p$ be a pseudo-random function, where $\mathcal{I}$ denotes the domain of the vector space identifier. Our construction is as follows:

• Setup($1^\lambda$): Given a security parameter $1^\lambda$ and two integers m and n, we: (1) choose a prime number p satisfying $p > 2^\lambda$; (2) choose a multiplicative cyclic group G of order p; (3) choose a generator g of G, sample $s \xleftarrow{R} \mathbb{F}_p^{m+n} \times \mathbb{F}_p^{*}$, and set $h := (g^{s_1}, \dots, g^{s_{m+n+1}})$; (4) choose a secret key $k \in \mathcal{K}$ and assign it to each recipient; and (5) output a public key pk := (h, g), a private key sk := s, and a secret key k.
• Sign(sk, k, id, $\mathbf{v}$): Given a private key sk, a secret key k, a vector space identifier $id \in \mathcal{I}$, and the ith basis vector $\mathbf{v}_i = (v_{i,1}, \dots, v_{i,m+n}) \in \mathbb{F}_p^{m+n}$, we: (1) compute $b_i = \sum_{j=1}^{m+n} s_j v_{i,j} \in \mathbb{F}_p$; (2) set $d_i \leftarrow \mathrm{PRF}(k, (id, i)) \in \mathbb{F}_p$, and output the signature $\sigma_i = b_i / s_{m+n+1} \in \mathbb{F}_p$ and the MAC value $t_i = b_i + d_i \in \mathbb{F}_p$ on the vector $\mathbf{v}_i$.
• Combine(id, $\{(c_i, \mathbf{y}_i, \sigma_i, t_i)\}_{i=1}^{\ell}$): Given a vector space identifier id and ℓ tuples each consisting of a coefficient $c_i \in \mathbb{F}_p$, a vector $\mathbf{y}_i \in \mathbb{F}_p^{m+n}$, a signature $\sigma_i$ and a MAC $t_i$, we output the signature $\sigma := \sum_{i=1}^{\ell} c_i \sigma_i$ and the MAC $t := \sum_{i=1}^{\ell} c_i t_i$ on the vector $\mathbf{y} := \sum_{i=1}^{\ell} c_i \mathbf{y}_i$.
• Verify(pk, k, id, $\mathbf{y}$, σ, t): Given a public key pk, a secret key k, a vector space identifier id, a signature σ, a MAC value t, and a vector $\mathbf{y} = (y_1, \dots, y_{m+n}) \in \mathbb{F}_p^{m+n}$, we: (1) set $d \leftarrow \sum_{i=1}^{m} [y_i \cdot \mathrm{PRF}(k, (id, i))] \in \mathbb{F}_p$ and first check

$$g^{d} \cdot h_{m+n+1}^{\sigma} \stackrel{?}{=} g^{t}. \qquad (2)$$

This algorithm outputs 0 if Eq. (2) does not hold; otherwise Step (2) of Verify further checks

$$\prod_{i=1}^{m+n} h_i^{y_i} \cdot h_{m+n+1}^{-\sigma} \stackrel{?}{=} 1. \qquad (3)$$

If Eq. (3) holds, output 1; otherwise output 0.

Remarks. Intermediate nodes only perform Step (2) of Verify because they do not have the secret key k. Recipient nodes first check the authenticity of the signature and MAC carried by a packet as in Eq. (2), and then verify the payload part of the packet as in Eq. (3).

We now prove the correctness condition of Definition 2. Suppose a vector $\mathbf{y} = \sum_{i=1}^{m} y_i \mathbf{v}_i$, where $y_1, \dots, y_m$ are the first m coordinates of $\mathbf{y}$, and $\mathbf{v}_1, \dots, \mathbf{v}_m$ are the m source basis vectors with signatures and MACs $\sigma_1, \dots, \sigma_m$ and $t_1, \dots, t_m$, respectively. If $\sigma, t \leftarrow \mathrm{Sign}(sk, k, id, \mathbf{y})$, then Step (1) of the Verify algorithm computes

$$\begin{aligned}
g^{d} \cdot h_{m+n+1}^{\sigma} &= g^{\sum_{i=1}^{m} [y_i \cdot \mathrm{PRF}(k,(id,i))]} \cdot g^{\left(\sum_{i=1}^{m} y_i \sigma_i\right) \cdot s_{m+n+1}} \\
&= g^{\sum_{i=1}^{m} y_i \cdot \left[\mathrm{PRF}(k,(id,i)) + \sum_{j=1}^{m+n} s_j v_{i,j}\right]} \\
&= g^{\sum_{i=1}^{m} y_i \cdot [d_i + b_i]} \\
&= g^{\sum_{i=1}^{m} y_i t_i} \\
&= g^{t}, \qquad (4)
\end{aligned}$$

which is exactly the output of Combine, as required. If σ and t are correct, then Step (2) of Verify computes

$$\begin{aligned}
\prod_{i=1}^{m+n} h_i^{y_i} \cdot h_{m+n+1}^{-\sigma} &= g^{\sum_{i=1}^{m+n} s_i y_i} \cdot g^{-\left(\sum_{i=1}^{m} y_i \sigma_i\right) \cdot s_{m+n+1}} \\
&= g^{\sum_{i=1}^{m} y_i \cdot \left[\sum_{j=1}^{m+n} s_j v_{i,j} - \sum_{j=1}^{m+n} s_j v_{i,j}\right]} \\
&= g^{\sum_{i=1}^{m} y_i \cdot [b_i - b_i]} \\
&= g^{0} = 1. \qquad (5)
\end{aligned}$$

If $\mathbf{y} \in V$ spanned by $\mathbf{v}_1, \dots, \mathbf{v}_m$, then we have $\mathbf{y} = \sum_{i=1}^{m} y_i \mathbf{v}_i$. Since the private key sk is orthogonal to V, the entire product of Eq. (5) is the identity in G, as required. Thus, we complete the proof of correctness.

4. Security Proof

We prove security assuming PRF is a secure pseudo-random function and that the discrete logarithm problem in G is hard. For a PRF adversary $B_1$, we denote by PRF-Adv[$B_1$, PRF] the advantage with which $B_1$ wins the PRF security game with respect to PRF. Similarly, for a PPT adversary $B_2$, we denote by DL-Adv[$B_2$, G] the advantage with which $B_2$ computes discrete logarithms in G. Both have the same running time as A.

Theorem 1: The proposed hybrid cryptographic scheme for network coding, Hbd-NCS, is secure assuming PRF is a secure pseudo-random function and the discrete logarithm problem in G is hard. In particular, let A be a PPT adversary as in Definition 3. Then there is a PRF adversary $B_1$ and a PPT adversary $B_2$ computing discrete logarithms in G such that

$$\mathrm{NC\text{-}Adv}[A, \mathrm{Hbd\text{-}NCS}] \le \mathrm{PRF\text{-}Adv}[B_1, \mathrm{PRF}] + \mathrm{DL\text{-}Adv}[B_2, G] + 1/p.$$

Proof 1: The proof uses a sequence of three games, denoted Game 0, 1, 2. Let $W_0, W_1, W_2$ denote the events that A wins the homomorphic hybrid-key security game in Game 0, 1, 2, respectively. Let Game 0 be identical to the attack game. Hence, we have

$$\Pr[W_0] = \mathrm{NC\text{-}Adv}[A, \mathrm{Hbd\text{-}NCS}]. \qquad (6)$$

In Game 1, the private key s is replaced by a truly random string, i.e., in response to the signing queries, the challenger computes $s \xleftarrow{R} \mathbb{F}_p^{m+n+1}$ in step (1) of the Sign algorithm instead of using the real private key s. Everything else remains the same. Then there is a PPT adversary $B_2$ for the DL problem in G such that

$$|\Pr[W_0] - \Pr[W_1]| = \mathrm{DL\text{-}Adv}[B_2, G]. \qquad (7)$$

In Game 2, the PRF is replaced by a truly random function, i.e., in response to the signing queries, the challenger computes $d \xleftarrow{R} \mathbb{F}_p$ instead of $d \leftarrow \mathrm{PRF}(k, (id_i, j))$ in step (2) of the Sign algorithm. Everything else remains the same. Then there is a PRF adversary $B_1$ such that

$$|\Pr[W_1] - \Pr[W_2]| = \mathrm{PRF\text{-}Adv}[B_1, \mathrm{PRF}]. \qquad (8)$$

The complete challenger in Game 2 works as follows:

Init. C chooses $s \xleftarrow{R} \mathbb{F}_p^{m+n+1}$. Then the vector s can be written as $s = (s', s_{m+n+1})$, where $s' = (s_1, \dots, s_{m+n})$ is the first m + n coordinates of s and $s_{m+n+1}$ is the last coordinate of s.

Queries. A submits the ith query $(id_i, V_i)$ to C, where $V_i = \mathrm{span}(\mathbf{v}_1, \dots, \mathbf{v}_m)$. In response to the ith query, C computes $b_{i,j} \leftarrow s' \cdot \mathbf{v}_j$ and $d_{i,j} \xleftarrow{R} \mathbb{F}_p$ for $j = 1, \dots, m$, and computes $\sigma_{i,j} \leftarrow b_{i,j} / s_{m+n+1}$ and $t_{i,j} \leftarrow b_{i,j} + d_{i,j}$ for $j = 1, \dots, m$. Then C sends $(\sigma_{i,1}, \dots, \sigma_{i,m})$ and $(t_{i,1}, \dots, t_{i,m})$ to A.

Output. Finally, A outputs a tuple $(id^*, \mathbf{y}^*, \sigma^*, t^*)$, where $\mathbf{y}^* = (y^*_1, \dots, y^*_m, y^*_{m+1}, \dots, y^*_{m+n})$. We say A wins the security game, i.e., $W_2$ happens, if the following two equations hold simultaneously:

$$t^* = \mathbf{y}^* \cdot s' + \sum_{j=1}^{m} y^*_j \cdot d^*_j \qquad (9)$$

and

$$\sigma^* = \mathbf{y}^* \cdot s' / s_{m+n+1}. \qquad (10)$$

In what follows, we demonstrate that $\Pr[W_2] \le 1/p$. Let $E_1$ denote the event that A outputs forgery 1, and write the corresponding winning probability as $\Pr[W_2 \cap E_1]$. Then we know that $id^* \neq id_i$ for all i and $\mathbf{y}^* \neq 0$. To check whether A wins the game, we set $d^*_j \xleftarrow{R} \mathbb{F}_p$ for $j = 1, \dots, m$. A may use a vector $\mathbf{y}^* \in V_i$ and its signature $\sigma^*$ returned by C in some query to satisfy Eq. (10) (analogous to a repetitive attack), but the right-hand side of Eq. (9) is an element uniform in $\mathbb{F}_p$ and independent of A's view. So, when $E_1$ happens, the probability that Eqs. (9) and (10) hold simultaneously is at most 1/p. Hence, we have $\Pr[W_2 \cap E_1] = \Pr[W_2 \mid E_1] \cdot \Pr[E_1] \le (1/p) \cdot \Pr[E_1]$.

Let $E_2$ denote the event that A outputs forgery 2, and write the corresponding winning probability as $\Pr[W_2 \cap E_2]$. Then we know that $id^* = id_i$ is an identifier returned on some query $V_i$ and $\mathbf{y}^* \notin V_i$. To check whether A wins the game, we set $(d^*_1, \dots, d^*_m) \leftarrow (d_{i,1}, \dots, d_{i,m})$. We denote by $\mathbf{v}_1, \dots, \mathbf{v}_m$ the basis vectors of $V_i$, and by $\{\hat{\sigma}_1, \dots, \hat{\sigma}_m\}$ and $\{\hat{t}_1, \dots, \hat{t}_m\}$ their signatures and MACs, respectively. Thus, we can define a vector $\hat{\mathbf{y}} \in V_i$ such that $\hat{\mathbf{y}} = \sum_{j=1}^{m} y^*_j \cdot \mathbf{v}_j$, with its signature and MAC defined as

$$\hat{\sigma} = \sum_{j=1}^{m} y^*_j \cdot \hat{\sigma}_j \quad \text{and} \quad \hat{t} = \sum_{j=1}^{m} y^*_j \cdot \hat{t}_j. \qquad (11)$$

With $(\hat{\mathbf{y}}, \hat{\sigma}, \hat{t})$, we know the following two equations hold:

$$t^* = \mathbf{y}^* \cdot s' + \sum_{j=1}^{m} y^*_j \cdot d_{i,j} \qquad (12)$$

and

$$\hat{t} = \hat{\mathbf{y}} \cdot s' + \sum_{j=1}^{m} \hat{y}_j \cdot d_{i,j}. \qquad (13)$$

With $(\hat{\mathbf{y}}, \hat{\sigma}, \hat{t})$, we also know the following two equations hold:

$$\sigma^* = \mathbf{y}^* \cdot s' / s_{m+n+1} \qquad (14)$$

and

$$\hat{\sigma} = \hat{\mathbf{y}} \cdot s' / s_{m+n+1}. \qquad (15)$$

We subtract Eq. (13) from Eq. (12) and obtain

$$t^* - \hat{t} = (\mathbf{y}^* - \hat{\mathbf{y}}) \cdot s'. \qquad (16)$$

We subtract Eq. (15) from Eq. (14) and obtain

$$\sigma^* - \hat{\sigma} = (\mathbf{y}^* - \hat{\mathbf{y}}) \cdot s' / s_{m+n+1}. \qquad (17)$$

We claim that $E_2$ happens if A is able to find a pair $(\mathbf{y}^*, t^*)$ which satisfies Eq. (16), and simultaneously a pair $(\mathbf{y}^*, \sigma^*)$ which satisfies Eq. (17). Since we know that $\hat{\mathbf{y}} \in V_i$ but $\mathbf{y}^* \notin V_i$, we have $\hat{\mathbf{y}} \neq \mathbf{y}^*$. Moreover, $s_{m+n+1}$ is an element uniform in $\mathbb{F}_p$ and $s'$ is a vector uniformly distributed in $\mathbb{F}_p^{m+n}$, both of which are independent of A's view. So, when $E_2$ happens, the probability that both Eqs. (16) and (17) hold is exactly $1/p^2$. Hence, $\Pr[W_2 \cap E_2] = \Pr[W_2 \mid E_2] \cdot \Pr[E_2] = (1/p^2) \cdot \Pr[E_2]$. According to the arbitrary adversary principle in [15], we cannot assume anything about the adversary's strategy; thus we bound $\Pr[W_2]$ as follows:

$$\begin{aligned}
\Pr[W_2] &= \Pr[W_2 \cap E_1] + \Pr[W_2 \cap E_2] \\
&\le 1/p \cdot \Pr[E_1] + 1/p^2 \cdot \Pr[E_2] \\
&\le 1/p \cdot (\Pr[E_1] + \Pr[E_2]) \\
&\le 1/p. \qquad (\because E_1 = \bar{E}_2) \qquad (18)
\end{aligned}$$

Joining Eqs. (6), (7), (8), and (18) together, we complete the proof.

Fig. 1 The per-packet verification time of our hybrid scheme and the prior public-key based signature schemes [7]–[9] under a tag pollution attack (TPA), a repetitive attack (RA), and a normal pollution attack (NPA).

5. Performance Evaluation

We implement our hybrid cryptographic scheme to evaluate its performance under a tag pollution attack [11], a repetitive attack [13] and a normal pollution attack, and we compare our scheme with the public-key based signature schemes [7]–[9]. We focus on the online computation overhead introduced by the operations performed at each recipient node per packet. To facilitate comparison, we conduct the benchmark as in [13] on a 2.00 GHz Intel Core 2 CPU, where approximately $2.5 \times 10^5$ finite field multiplications over $\mathbb{F}_p$ can be performed per second for |p| = 128 bits. Since MACs t and signatures σ are defined over $\mathbb{F}_p$, they both have size $|p| = \log_2 p$ bits, the same as message symbols. The size of an element of G is also represented using $\log_2 p$ bits. So, if |p| = 128 bits (as adopted in [12], [13]), the size of MACs, signatures, and elements of G is 128 bits. We let n = 20m [13]. The computation overhead of the various operations can be evaluated by the number of finite field multiplications. The verification time per packet is a key metric for evaluating the performance of the schemes [9]. Figure 1 shows the average verification time per packet of the public-key based signature schemes [7]–[9] and of our scheme under a tag pollution attack, a repetitive attack, and a normal pollution attack. We observe that the prior public-key solutions [7]–[9] have the same verification time per packet under the three different attacks. We also observe that under a normal pollution attack, if a recipient node performs the whole two-step verification process, our scheme has efficiency comparable to that of the prior public-key solutions. This is not surprising because our hybrid cryptosystem is itself a public-key system. However, our hybrid scheme is much faster than the prior public-key solutions in packet verification under a tag pollution attack and a repetitive attack.
Efficient verification approaches can eliminate the performance bottleneck and help the source to achieve an optimal message-sending rate [8]. When the system is suffering a tag pollution attack, an adversary may tamper with the MAC tag of a packet (we may assume that the adversary also tampers with the signature of the packet). To detect whether a packet contains an ill-formed MAC tag (or an ill-formed signature), previous solutions [6]–[12] need to check the whole packet symbols (i.e., the m + n coordinates) in order to determine whether the MAC tag (or the signature) of the packet is polluted. This explains why the verification time of the prior public-key based solutions [7]–[9] increases linearly with the length of a packet under a tag pollution attack (and the other two attacks) in Fig. 1. This also explains why our scheme has efficiency comparable to the prior public-key solutions if a recipient node performs the whole two-step verification process under a normal pollution attack. In our scheme, every packet forwarded in the system is associated with a signature as well as a MAC tag. In particular, the MAC tag is related to the signature. This property of our scheme enables the recipient nodes to rapidly check whether the signature of a packet matches the MAC tag of the packet (Step (1) of Verify), without verifying the payload part (the last n coordinates of the packet, where $n \gg m$ is a usual setting [7]). Moreover, the Step (1) verification at recipient nodes uses the vector space identifier id as input, so if a packet is forged by a repetitive attack, the packet is also detected during this verification step. In fact, Step (1) of Verify only requires a recipient node to perform three exponentiations (see Eq. (2)). This explains why the verification time of our scheme does not increase linearly with the length of a packet under a tag pollution or a repetitive attack in Fig. 1.
5.1 Discussion

Unlike the schemes [10] and [12], in our scheme an intermediate node is able to verify the whole packet symbols (i.e., the m + n coordinates) and the signature of a received packet (by using Step (2) of Verify). Thus, from this point of view, our scheme is analogous to a signature scheme. However, our scheme does not rely on any pairing operations [6]–[8] in signature generation or verification, and can be proven secure based on lower-level cryptographic assumptions without random oracles. Thus, our scheme is essentially optimal in this regard and can be easily implemented in a sensor node of a wireless sensor network. An additional advantage of our scheme is that dividing the verification process at recipient nodes into two steps can greatly reduce the recipient nodes' computational overhead under a tag pollution or a repetitive attack. In our scheme, although the intermediate nodes have the ability to check a packet under a normal pollution attack, this is not sufficient to guarantee security. This is due to the fact that: (I) the Step (2) verification at intermediate nodes cannot check the MAC tag carried by a packet; and (II) the Step (2) verification at intermediate nodes is performed without using the vector space identifier id as input (see Eq. (3)). As a result, the Step (2) verification at intermediate nodes is incapable of filtering out a polluted packet forged by either a tag pollution or a repetitive attack. Fortunately, Step (1) of Verify, performed at a recipient node, is sufficient to filter out such a polluted packet in most cases. This is due to the fact that: (I) in most cases, a polluted packet received by the recipient nodes most likely only contains an ill-formed MAC tag (since the rest of the packet has already been checked by intermediate nodes); (II) the Step (1) verification at recipient nodes only checks whether the signature of a packet matches the MAC tag of the packet, and if not, the packet is discarded immediately; and (III) the Step (1) verification at recipient nodes does use the vector space identifier id as input (see Eq. (2)). As a result, if a polluted packet contains an ill-formed MAC tag or is forged by a repetitive attack, the polluted packet is rapidly filtered out during this verification step.

Thus, in the sense of reducing the sensor nodes' computational overhead, the time-consuming Step (2) of Verify at recipient nodes can be avoided under the two attacks. Although Step (1) of Verify at recipient nodes is sufficient in most cases, the recipient nodes should continue to verify those packets that pass the Step (1) verification (i.e., perform the Step (2) verification at recipient nodes) in order to guarantee complete security.

6. Conclusion

In this paper, we introduce an efficient homomorphic hybrid cryptographic scheme for wireless sensor networks that use network coding. Our scheme combines the convenience of a public-key approach with the efficiency of a symmetric-key method. We demonstrate that our scheme not only resists normal pollution attacks, but also rapidly filters out polluted packets forged by the emerging tag pollution and repetitive attacks. Moreover, our scheme supports the distribution of multiple generations using a single public key. In addition, our scheme does not rely on any pairing operations in signature generation or verification, and can be proven secure based on lower-level cryptographic assumptions without random oracles. Thus, our scheme is ideally suited to network coding based wireless sensor networks.

References

[1] R. Ahlswede, N. Cai, S.Y.R. Li, and R.W. Yeung, "Network information flow," IEEE Trans. Inf. Theory, vol.6, no.4, pp.1204–1216, July 2000.
[2] S.-Y.R. Li, W. Yeung, and N. Cai, "Linear network coding," IEEE Trans. Inf. Theory, vol.49, no.2, pp.371–381, Feb. 2003.
[3] T. Ho, R. Koetter, M. Medard, D. Karger, and M. Effros, "The benefits of coding over routing in a randomized setting," Proc. 2003 IEEE Int. Symp. Inf. Theory, pp.442–, Yokohama, Japan, Sept. 2003.
[4] P.A. Chou, Y. Wu, and K. Jain, "Practical network coding," Proc. 41st Annual Allerton Conf. Commun. Control and Computing, pp.40–49, Monticello, IL, USA, Oct. 2003.
[5] S. Katti, H. Rahul, W. Hu, D. Katabi, M. Medard, and J. Crowcroft, "XORs in the Air: Practical wireless network coding," IEEE/ACM Trans. Netw., vol.16, no.3, pp.497–510, June 2008.
[6] D. Charles, K. Jain, and K. Lauter, "Signatures for network coding," Proc. 40th Annual Conf. Information Sciences and Systems, pp.857–863, New Jersey, USA, March 2006.
[7] D. Boneh, D. Freeman, J. Katz, and B. Waters, "Signing a linear subspace: Signature schemes for network coding," Proc. PKC 2009, LNCS 5443, pp.68–87, Irvine, USA, June 2009.
[8] Y. Jiang, H. Zhu, M. Shi, X. Shen, and C. Lin, "An efficient dynamic-identity based signature scheme for secure network coding," Comput. Netw., vol.54, no.1, pp.28–40, Jan. 2010.
[9] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan, "An efficient signature-based scheme for securing network coding against pollution attacks," Proc. 2008 IEEE INFOCOM, 27th Conf. Computer Commun., pp.1409–1417, Phoenix, USA, April 2008.
[10] S. Agrawal and D. Boneh, "Homomorphic MACs: MAC-based integrity for network coding," Proc. ACNS 2009, LNCS 5536, pp.292–305, Paris-Rocquencourt, France, June 2009.
[11] Y. Li, H. Yao, M. Chen, S. Jaggi, and A. Rosen, "RIPPLE authentication for network coding," Proc. 2010 IEEE INFOCOM, 29th Conf. Computer Commun., pp.1–9, San Diego, USA, March 2010.
[12] A. Le and A. Markopoulou, "On detecting pollution attacks in inter-session network coding," Proc. 2012 IEEE INFOCOM, 31st Conf. Computer Commun., pp.343–351, Orlando, Florida, USA, March 2012.
[13] P. Zhang, Y. Jiang, C. Lin, H. Yao, A. Wasef, and X.S. Shen, "Padding for orthogonality: Efficient subspace authentication for network coding," Proc. 2011 IEEE INFOCOM, 30th Conf. Computer Commun., pp.1026–1034, Shanghai, China, April 2011.
[14] M. Bellare, O. Goldreich, and S. Goldwasser, "Incremental cryptography: The case of hashing and signing," Proc. CRYPTO'94, International Cryptology Conference on Advances in Cryptology, pp.216–233, Santa Barbara, CA, Aug. 1994.
[15] J. Katz and Y. Lindell, Introduction to Modern Cryptography, Chapman & Hall/CRC Press, Boca Raton, FL, 2008.
[16] L. Carter and M. Wegman, "Universal classes of hash functions," J. Computer and System Sciences, vol.18, no.2, pp.143–154, 1979.