Published online 11 August 2015 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1321
RESEARCH ARTICLE
Security analysis of a homomorphic signature scheme for network coding
Chi Cheng 1,2*, Tao Jiang 3, Yining Liu 2,4 and Mingwu Zhang 5
1 School of Computer Science, China University of Geosciences, Wuhan, China
2 Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guangxi, China
3 School of Electronics and Information Engineering, Huazhong University of Science and Technology, Wuhan, China
4 State Key Laboratory for Novel Software Technology, Nanjing University, Jiangsu, China
5 School of Computer Science, Hubei University of Technology, Wuhan, China
ABSTRACT
Recently, Liu and Wang proposed a homomorphic signature scheme for network coding, which was claimed to resist pollution attacks. However, we show that in Liu and Wang's scheme, after several generations, the adversary is able to launch a successful forgery attack with a high probability. Therefore, Liu and Wang's scheme is not secure. After analyzing the cause of the attack, an improved scheme is given, which defeats the proposed attack in an efficient way. Copyright © 2015 John Wiley & Sons, Ltd.
KEYWORDS
network coding; pollution attack; homomorphic signature
*Correspondence
Chi Cheng, School of Computer Science, China University of Geosciences, Wuhan 430074, China. E-mail: [email protected]
1. INTRODUCTION
The network coding theory, first introduced in [1], has attracted much attention because of its applications in areas such as wireless communication [2], P2P content distribution [3], and distributed storage systems [4]. However, network coding is vulnerable to pollution attacks, and various primitives have been proposed to resist these attacks [5–7].
Because cryptographic solutions only assume that the adversary has limited computation power, schemes based on cryptography have been proposed and have attracted much attention. Generally, cryptographic solutions can be classified into approaches based on homomorphic hashing [8,9], homomorphic signatures [10–12], and homomorphic message authentication codes [13–15]. A survey of the cryptographic schemes against pollution attacks for wireless network coding is given in [16].
The advantage of homomorphic signature schemes is that an intermediate node can verify the validity of received packets without knowing the secret keys of the sender. A homomorphic signature scheme was given in [11], which employs pairing operations on bilinear groups to achieve security based on the computational Diffie–Hellman assumption. Then, a homomorphic signature scheme based on the RSA assumption was proposed and proved secure in the random oracle model [12]. In [17], two homomorphic signature schemes for network coding are given, which can be proven secure in the standard model. It is worth mentioning that recent work on homomorphic message authenticators has also attracted a lot of attention [18,19].
Recently, based on the work of [11], Liu and Wang proposed a homomorphic signature scheme for network coding [20], in which they employed the generation identifier and the secret keys to sign the messages, instead of the expensive pairing operations in [11]. However, we show that in Liu and Wang's scheme the adversary is able to launch a forgery attack successfully with a high probability. The reason is that the secret keys are employed to generate the signatures without protection, which means that the adversary is able to obtain linear combinations of the secret keys after receiving the messages and their corresponding signatures. Although the linear combinations in one generation are not enough for the adversary to launch a successful forgery attack, we show that after several generations the accumulated linear combinations are sufficient for the adversary to obtain the needed information on the sender's secret keys by solving a system of linear equations. Therefore, after several generations the adversary is able to launch a successful forgery attack with a high probability, which means that Liu and Wang's scheme is not secure. In addition, an improved scheme is given, which defeats the proposed attack.
2. SYSTEM MODEL
We focus on a typical network coding-based communication scenario, in which a source node $S$ aims to send a file $F$ to a number of receivers. In accordance with random linear network coding, the source node $S$ first divides the file $F$ into multiple generations. Without loss of generality, we assume that each generation consists of $m$ messages $\bar{u}_1, \bar{u}_2, \ldots, \bar{u}_m \in \mathbb{F}_q^n$, where $\mathbb{F}_q$ is a finite field with $q$ elements. Before sending messages to its downstream nodes, the source node $S$ appends to each message $\bar{u}_i$ a vector of length $m$ that contains a single 1 in the $i$-th position, to obtain a new message $u_i$. Specifically,

$$u_i = \Big(\bar{u}_i,\ \underbrace{0, \ldots, 0, \underset{i}{1}, 0, \ldots, 0}_{m}\Big) \in \mathbb{F}_q^{n+m}.$$ (1)

Then, the source $S$ randomly selects coefficients $\alpha_i \in \mathbb{F}_q$ and generates

$$u = \sum_{i=1}^{m} \alpha_i u_i$$ (2)
$$\quad = \Big(\sum_{i=1}^{m} \alpha_i \bar{u}_i,\ \alpha_1, \ldots, \alpha_m\Big) \in \mathbb{F}_q^{n+m}.$$ (3)

We can see that the last $m$ entries of $u$ store all the coefficients selected by the source $S$. Therefore, the source $S$ only needs to send the message $u$ to the downstream nodes, without having to find another way to send the coefficients $\{\alpha_i\}_{i=1}^{m}$, which are also called the global coding coefficients.
All the messages are transmitted from the source to the destination nodes with the help of intermediate nodes, which generate linear combinations of the received packets and then forward them to the downstream nodes. To be specific, suppose there are $d$ incoming links for an intermediate node $\mathcal{N}$ and $y_i$ is the packet received from incoming link $i$. Then, for the outgoing link $j$, the intermediate node $\mathcal{N}$ generates the output packet $y$ as follows:

$$y = \sum_{i=1}^{d} \alpha_{i,j} y_i$$ (4)
$$\quad = (\alpha_{1,j}, \ldots, \alpha_{d,j}) \begin{pmatrix} y_1 \\ \vdots \\ y_d \end{pmatrix},$$ (5)

where the coefficients $\alpha_{i,j}$ are randomly selected from $\mathbb{F}_q$. For a destination node $R$, all the received packets are linear combinations of the originally sent packets $u_1, u_2, \ldots, u_m$, and the coefficients are carried by the last $m$ entries of the received packets. Fortunately, when $q \geq 256$, the receivers achieve a successful decoding probability of no less than 99% [21]. We assume that the receiver $R$ has received $m$ messages $\{w_i = (\bar{w}_i, v_i)\}_{i=1}^{m}$, in which $v_1, v_2, \ldots, v_m$ are linearly independent. Let $U$, $V$, and $W$ be the matrices whose rows are $\{u_i\}_{i=1}^{m}$, $\{v_i\}_{i=1}^{m}$, and $\{\bar{w}_i\}_{i=1}^{m}$, respectively. Then, from linear algebra, we know that the matrix $V$ is invertible, and we can recover the original messages $u_1, u_2, \ldots, u_m$ as

$$U = V^{-1} W.$$ (6)
3. SECURITY ANALYSIS OF LIU AND WANG'S SCHEME
3.1. Liu and Wang's Scheme
We give a brief description of Liu and Wang's scheme [20]. According to the security requirement of the system, a cyclic group $G$ of order $q$ is chosen, where $q$ is a prime number set large enough to avoid brute-force attacks. Then, let $g$ be a generator of $G$, and let $H : \{0,1\}^* \to \mathbb{F}_q$ be a one-way collision-free hash function, where $\{0,1\}^*$ denotes binary strings of arbitrary length.
Set $N = m + n$. The secret key is

$$SK = \{r \leftarrow_R \mathbb{F}_q,\ r_i \leftarrow_R \mathbb{F}_q \mid 1 \leq i \leq N+1\}.$$ (7)

Here, $\leftarrow_R \mathbb{F}_q$ means that the element is randomly selected from $\mathbb{F}_q$.
Next, the public key is

$$PK = \{H,\ p = g^{r},\ p_i = g^{r_i} \mid 1 \leq i \leq N+1\}.$$ (8)

Recall that there are $m$ messages $u_1, u_2, \ldots, u_m$ in a generation with a randomly chosen generation identifier $id$, where $id$ is an integer that ranges from 1 to the maximum number of generations. To sign a vector $u_i = (u_{i,1}, u_{i,2}, \ldots, u_{i,N})$ ($1 \leq i \leq m$), the source node $S$ first calculates

$$k_{id,j} = H(id, j)$$ (9)

for $1 \leq j \leq N$, then generates

$$s = \{s_1, s_2, \ldots, s_{N+1}\},$$ (10)

with $s_j = r_j + r k_{id,j}$ for $1 \leq j \leq N$ and $s_{N+1} = r_{N+1}$. Next, the signature of $u_i = (u_{i,1}, u_{i,2}, \ldots, u_{i,N})$ for each $1 \leq i \leq m$ is

$$\sigma_i = -\frac{\sum_{j=1}^{N} s_j u_{i,j}}{s_{N+1}}.$$ (11)

Or equivalently, for each $1 \leq i \leq m$, we have

$$\sum_{j=1}^{N} s_j u_{i,j} + s_{N+1} \sigma_i = 0.$$ (12)

To verify a received (vector, signature) pair $(v, \sigma)$, where $v = (v_1, v_2, \ldots, v_N)$ and its generation identifier is $id$, an intermediate node checks whether the following equation holds:

$$p_{N+1}^{\sigma} \prod_{j=1}^{N} \big(p_j\, p^{k_{id,j}}\big)^{v_j} \overset{?}{=} 1.$$ (13)

3.2. Security analysis
In the following, we show that the adversary can recover the secret key of the source node after several generations. For one generation, the adversary can obtain $m$ linearly independent vectors $u_1, u_2, \ldots, u_m$ and their corresponding signatures $\sigma_1, \sigma_2, \ldots, \sigma_m$.
Recall that $s_j = r_j + r k_{id,j}$ for $1 \leq j \leq N$, and $s_{N+1} = r_{N+1}$. Then from (12), for each $1 \leq i \leq m$, we have

$$\sum_{j=1}^{N} (r_j + r k_{id,j}) u_{i,j} + r_{N+1} \sigma_i = 0.$$ (14)

In other words, for each $1 \leq i \leq m$, there holds

$$\sum_{j=1}^{N} u_{i,j} r_j + \sigma_i r_{N+1} + r \sum_{j=1}^{N} k_{id,j} u_{i,j} = 0.$$ (15)

Then, from Equation (15), we have the following system of equations (16),

$$\begin{pmatrix} u_{1,1} & \cdots & u_{1,N} & \sigma_1 & \sum_{j=1}^{N} k_{id,j} u_{1,j} \\ u_{2,1} & \cdots & u_{2,N} & \sigma_2 & \sum_{j=1}^{N} k_{id,j} u_{2,j} \\ \vdots & & \vdots & \vdots & \vdots \\ u_{m,1} & \cdots & u_{m,N} & \sigma_m & \sum_{j=1}^{N} k_{id,j} u_{m,j} \end{pmatrix} \begin{pmatrix} r_1 \\ \vdots \\ r_N \\ r_{N+1} \\ r \end{pmatrix} = \mathbf{0},$$ (16)

which is a system of $m$ equations with $N+2$ unknowns $r_1, r_2, \ldots, r_{N+1}$, and $r$. Because $N + 2 > m$, we cannot obtain the solution of this system of equations right now. However, we show that after several generations, the equations are enough for us to obtain the solution.
Without loss of generality, suppose that after $l$ generations the attacker has got $N+2$ equations. For $1 \leq i \leq l$ and $1 \leq j \leq m$, let $id_i$ be the identifier of the $i$-th generation, $k_{id_i,j} = H(id_i, j)$, and $(u^i_{j,1}, u^i_{j,2}, \ldots, u^i_{j,N})$ be the $j$-th vector that belongs to the $i$-th generation, with signature $\sigma^i_j$. Then, from system (16), we have a system of $N+2$ equations with $N+2$ unknowns as shown in system (17):

$$\begin{pmatrix} u^1_{1,1} & u^1_{1,2} & \cdots & u^1_{1,N} & \sigma^1_1 & \sum_{t=1}^{N} k_{id_1,t} u^1_{1,t} \\ u^1_{2,1} & u^1_{2,2} & \cdots & u^1_{2,N} & \sigma^1_2 & \sum_{t=1}^{N} k_{id_1,t} u^1_{2,t} \\ \vdots & \vdots & & \vdots & \vdots & \vdots \\ u^1_{m,1} & u^1_{m,2} & \cdots & u^1_{m,N} & \sigma^1_m & \sum_{t=1}^{N} k_{id_1,t} u^1_{m,t} \\ u^2_{1,1} & u^2_{1,2} & \cdots & u^2_{1,N} & \sigma^2_1 & \sum_{t=1}^{N} k_{id_2,t} u^2_{1,t} \\ u^2_{2,1} & u^2_{2,2} & \cdots & u^2_{2,N} & \sigma^2_2 & \sum_{t=1}^{N} k_{id_2,t} u^2_{2,t} \\ \vdots & \vdots & & \vdots & \vdots & \vdots \\ u^2_{m,1} & u^2_{m,2} & \cdots & u^2_{m,N} & \sigma^2_m & \sum_{t=1}^{N} k_{id_2,t} u^2_{m,t} \\ \vdots & \vdots & & \vdots & \vdots & \vdots \\ u^l_{1,1} & u^l_{1,2} & \cdots & u^l_{1,N} & \sigma^l_1 & \sum_{t=1}^{N} k_{id_l,t} u^l_{1,t} \\ u^l_{2,1} & u^l_{2,2} & \cdots & u^l_{2,N} & \sigma^l_2 & \sum_{t=1}^{N} k_{id_l,t} u^l_{2,t} \\ \vdots & \vdots & & \vdots & \vdots & \vdots \\ u^l_{m,1} & u^l_{m,2} & \cdots & u^l_{m,N} & \sigma^l_m & \sum_{t=1}^{N} k_{id_l,t} u^l_{m,t} \end{pmatrix} \begin{pmatrix} r_1 \\ r_2 \\ \vdots \\ r_N \\ r_{N+1} \\ r \end{pmatrix} = \mathbf{0}.$$ (17)
The following result is taken from Lemma 4.3 in [22]:
Lemma 1. The probability that a randomly chosen $d \times d$ matrix is invertible mod $q$ is

$$\prod_{i=1}^{d} \Big(1 - \frac{1}{q^i}\Big).$$ (18)
The following lemma can be derived from the linearity of the equations.
Lemma 2. If $r_1 = r_1^*, r_2 = r_2^*, \ldots, r_{N+1} = r_{N+1}^*, r = r^*$ is a solution of system (17), then $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha r_{N+1}^*, r = \alpha r^*$ is also a solution of system (17), where $\alpha$ is an arbitrary element of $\mathbb{F}_q$.
Lemma 3. For an arbitrary message $u$, suppose the corresponding signature of $u$ using secret keys $r_1 = r_1^*, r_2 = r_2^*, \ldots, r_{N+1} = r_{N+1}^*, r = r^*$ is $\sigma$. Then the corresponding signature of $u$ using $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha r_{N+1}^*, r = \alpha r^*$ is also $\sigma$.
Proof. In Liu and Wang's scheme, the signature of $u = (u_1, u_2, \ldots, u_N)$ using secret keys $r_1 = r_1^*, r_2 = r_2^*, \ldots, r_{N+1} = r_{N+1}^*, r = r^*$ is calculated as

$$\sigma = -\frac{\sum_{j=1}^{N} s_j u_j}{s_{N+1}}.$$ (19)

Here, each $s_j = r_j^* + r^* k_{id,j}$ for $j = 1, 2, \ldots, N$ and $s_{N+1} = r_{N+1}^*$. To generate the signature of $u$ using $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha r_{N+1}^*, r = \alpha r^*$, we first calculate $s'_j = \alpha r_j^* + \alpha r^* k_{id,j} = \alpha (r_j^* + r^* k_{id,j})$ for $j = 1, 2, \ldots, N$ and $s'_{N+1} = \alpha r_{N+1}^*$. Then, the signature of $u$ using $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha r_{N+1}^*$ is

$$\sigma' = -\frac{\sum_{j=1}^{N} s'_j u_j}{s'_{N+1}}$$ (20)
$$\quad = -\frac{\sum_{j=1}^{N} \alpha (r_j^* + r^* k_{id,j}) u_j}{\alpha r_{N+1}^*}$$ (21)
$$\quad = -\frac{\sum_{j=1}^{N} (r_j^* + r^* k_{id,j}) u_j}{r_{N+1}^*}$$ (22)
$$\quad = -\frac{\sum_{j=1}^{N} s_j u_j}{s_{N+1}}$$ (23)
$$\quad = \sigma.$$ (24)
From Lemma 3, we know that for the valid secret key $r_1 = r_1^*, r_2 = r_2^*, \ldots, r_{N+1} = r_{N+1}^*, r = r^*$, if the adversary can obtain $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha r_{N+1}^*, r = \alpha r^*$, then the adversary is able to pick messages at will and generate corresponding signatures that successfully pass the verification test. Therefore, the adversary is free to launch a successful forgery attack.
Theorem 1. After $l$ generations, the adversary is able to successfully launch a forgery attack with a high probability.
Proof. Let $A$ be the coefficient matrix of system (17). From linear algebra, we know that the solutions of system (17) are determined by the rank of the coefficient matrix $A$. Let $R(A)$ be the rank of matrix $A$. If $R(A) = N+2$, then the matrix $A$ is invertible, and the only solution of system (17) is $r_1 = r_2 = \cdots = r_{N+1} = r = 0$, which is impossible from the setting of $r_1, r_2, \ldots, r_{N+1}$, and $r$. Therefore, we have

$$R(A) \leq N+1.$$ (25)

Next, let $B$ be the sub-matrix of $A$ derived by deleting the $(N+1)$-th row and the $(N+1)$-th column of $A$, as shown in (26):

$$B = \begin{pmatrix} u^1_{1,1} & u^1_{1,2} & \cdots & u^1_{1,N} & \sum_{t=1}^{N} k_{id_1,t} u^1_{1,t} \\ u^1_{2,1} & u^1_{2,2} & \cdots & u^1_{2,N} & \sum_{t=1}^{N} k_{id_1,t} u^1_{2,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^1_{m,1} & u^1_{m,2} & \cdots & u^1_{m,N} & \sum_{t=1}^{N} k_{id_1,t} u^1_{m,t} \\ u^2_{1,1} & u^2_{1,2} & \cdots & u^2_{1,N} & \sum_{t=1}^{N} k_{id_2,t} u^2_{1,t} \\ u^2_{2,1} & u^2_{2,2} & \cdots & u^2_{2,N} & \sum_{t=1}^{N} k_{id_2,t} u^2_{2,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^2_{m,1} & u^2_{m,2} & \cdots & u^2_{m,N} & \sum_{t=1}^{N} k_{id_2,t} u^2_{m,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^l_{1,1} & u^l_{1,2} & \cdots & u^l_{1,N} & \sum_{t=1}^{N} k_{id_l,t} u^l_{1,t} \\ u^l_{2,1} & u^l_{2,2} & \cdots & u^l_{2,N} & \sum_{t=1}^{N} k_{id_l,t} u^l_{2,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^l_{m-2,1} & u^l_{m-2,2} & \cdots & u^l_{m-2,N} & \sum_{t=1}^{N} k_{id_l,t} u^l_{m-2,t} \\ u^l_{m,1} & u^l_{m,2} & \cdots & u^l_{m,N} & \sum_{t=1}^{N} k_{id_l,t} u^l_{m,t} \end{pmatrix}.$$ (26)

For $1 \leq i \leq l$, $1 \leq j \leq m$, and $1 \leq t \leq N$, since $u^i_{j,t}$ is an element of a transmitted message, it can be viewed as random. Since $k_{id_i,t} = H(id_i, t)$ and $H$ is a one-way collision-free hash function, we have $k_{id_i,t} \neq k_{id_k,t}$ for $1 \leq i \neq k \leq l$. Then we can also view the last column of $B$ as random. Therefore, $B$ is an $(N+1) \times (N+1)$ matrix whose elements are randomly selected from $\mathbb{F}_q$. From Lemma 1, the probability that $B$ is invertible is

$$\prod_{i=1}^{N+1} \Big(1 - \frac{1}{q^i}\Big).$$ (27)

Recall that $q$ is a large prime; then $B$ is invertible with a high probability, which means that the rank of $B$ is $N+1$ with a high probability. Because $B$ is a sub-matrix of $A$, we have

$$R(A) \geq R(B) = N+1.$$ (28)

From (25) and (28), we have $R(A) = N+1$. There are $N+2$ unknowns in system (17); from linear algebra we know that there are in total $q^{(N+2)-(N+1)} = q$ solutions for system (17). On the other side, from Lemma 2, if $r_1 = r_1^*, r_2 = r_2^*, \ldots, r_{N+1} = r_{N+1}^*, r = r^*$ is a solution of system (17), we can obtain other solutions of system (17) as $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha r_{N+1}^*, r = \alpha r^*$. Because $\alpha$ can be an arbitrary element of $\mathbb{F}_q$, in total we obtain $q$ solutions in this way. Hence, once we have one solution of system (17), we can obtain all the $q$ solutions of system (17).
Without loss of generality, we set $r_{N+1} = 1$; then system (17) becomes a system with $N+1$ unknowns as shown in (29):

$$\begin{pmatrix} u^1_{1,1} & u^1_{1,2} & \cdots & u^1_{1,N} & \sum_{t=1}^{N} k_{id_1,t} u^1_{1,t} \\ u^1_{2,1} & u^1_{2,2} & \cdots & u^1_{2,N} & \sum_{t=1}^{N} k_{id_1,t} u^1_{2,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^1_{m,1} & u^1_{m,2} & \cdots & u^1_{m,N} & \sum_{t=1}^{N} k_{id_1,t} u^1_{m,t} \\ u^2_{1,1} & u^2_{1,2} & \cdots & u^2_{1,N} & \sum_{t=1}^{N} k_{id_2,t} u^2_{1,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^2_{m,1} & u^2_{m,2} & \cdots & u^2_{m,N} & \sum_{t=1}^{N} k_{id_2,t} u^2_{m,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^l_{1,1} & u^l_{1,2} & \cdots & u^l_{1,N} & \sum_{t=1}^{N} k_{id_l,t} u^l_{1,t} \\ \vdots & \vdots & & \vdots & \vdots \\ u^l_{m,1} & u^l_{m,2} & \cdots & u^l_{m,N} & \sum_{t=1}^{N} k_{id_l,t} u^l_{m,t} \end{pmatrix} \begin{pmatrix} r_1 \\ r_2 \\ \vdots \\ r_N \\ r \end{pmatrix} = \begin{pmatrix} -\sigma^1_1 \\ -\sigma^1_2 \\ \vdots \\ -\sigma^1_m \\ -\sigma^2_1 \\ \vdots \\ -\sigma^2_m \\ \vdots \\ -\sigma^l_1 \\ \vdots \\ -\sigma^l_m \end{pmatrix}.$$ (29)

Observing that the coefficient matrix $C$ of system (29) is an $(N+2) \times (N+1)$ matrix, and that $B$ is a sub-matrix of $C$, the rank of $C$ is $R(C) = N+1$ because $N+1 = R(B) \leq R(C) \leq N+1$. There are $N+1$ unknowns in (29); from linear algebra, we know that there is in total $q^{(N+1)-(N+1)} = 1$ solution for system (29). Hence, we can obtain one solution of system (17) as $r_1 = r_1^*, r_2 = r_2^*, \ldots, r_{N+1} = 1, r = r^*$. Then, from Lemma 2, we can obtain all the solutions of system (17) as $r_1 = \alpha r_1^*, r_2 = \alpha r_2^*, \ldots, r_{N+1} = \alpha, r = \alpha r^*$. Finally, from Lemma 3, we know that the adversary is able to launch a forgery attack successfully.
From Theorem 1, we can see that once the adversary can obtain an invertible matrix $B$ of size $(N+1) \times (N+1)$, the adversary is able to launch a forgery attack successfully. Since matrix $B$ consists of the messages transmitted in each generation, and the adversary can obtain at most $m$ linearly independent messages in each generation, the adversary needs to wait $\lceil (N+1)/m \rceil$ generations to make sure of obtaining $N+1$ linearly independent messages, where $\lceil x \rceil$ is the smallest integer not less than $x$. Hence, in Liu and Wang's scheme, messages can be transmitted securely for $\lceil (N+1)/m \rceil - 1$ generations, after which the secret keys and public keys should be updated.
In the following, we give an example to show that indeed the solution of system (17) can be obtained with a high probability.
Example 1. Set $N = 10$, $q = 13$, $l = 3$, and $m = 4$. For each $1 \leq i \leq l$, $1 \leq j \leq m$, and $1 \leq t \leq N$, the messages $u^i_{j,t}$ and $k_{id_i,t} = H(id_i, t)$ are randomly selected from $\mathbb{F}_{13}$. The reported result is averaged over $10^5$ runs, and the probability that the matrix $B$ is invertible is 0.91709, which is in accordance with the probability we give in (27):

$$\prod_{i=1}^{10+1} \Big(1 - \frac{1}{13^i}\Big) \approx 0.91716.$$ (30)

When $N = 10$, $q = 4999$, $l = 3$, and $m = 4$, the probability that the matrix $B$ is invertible is 0.999790, which is also in accordance with the probability we give in (27):

$$\prod_{i=1}^{10+1} \Big(1 - \frac{1}{4999^i}\Big) \approx 0.99979991.$$ (31)

When $q = 22303$, the resulting probability is 0.999980, and the probability given in (27) is 0.999955. Therefore, it is almost certain that the solution of system (17) can be obtained.
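To make Theorem 1 concrete, the following added example (not code from the paper) implements a toy instance of Liu and Wang's scheme and the key recovery of Section 3.2 in Python. It assumes a constructed group: $q = 1019$, $p = 2q + 1 = 2039$, and $g = 4$ generating the order-$q$ subgroup of $\mathbb{Z}_p^*$, with SHA-256 reduced modulo $q$ standing in for $H$, $N = 6$ and $m = 2$; system (17) is solved by Gauss-Jordan elimination over $\mathbb{F}_q$, the solution is scaled so that $r_{N+1} = 1$ (Lemma 2), and the recovered key is checked by signing a vector the source never signed and running the verification of Equation (13).

```python
import hashlib
import random

Q, P, G = 1019, 2039, 4   # toy group: q = 1019 prime, p = 2q + 1, g = 4 generates the order-q subgroup of Z_p^*
N, M = 6, 2               # vector length N = n + m, and m messages signed per generation


def hash_k(gen_id, j):
    """k_{id,j} = H(id, j): SHA-256 of the pair, reduced modulo q."""
    return int.from_bytes(hashlib.sha256(f"{gen_id},{j}".encode()).digest(), "big") % Q


def keygen(rng):
    """Equations (7) and (8): r and r_1..r_{N+1} random in F_q, p = g^r, p_i = g^{r_i}."""
    sk = {"r": rng.randrange(1, Q), "ri": [rng.randrange(1, Q) for _ in range(N + 1)]}
    return sk, {"p": pow(G, sk["r"], P), "pi": [pow(G, ri, P) for ri in sk["ri"]]}


def sign(sk, gen_id, u):
    """Equation (11) with s_j = r_j + r k_{id,j} for j <= N and s_{N+1} = r_{N+1}."""
    s = [(sk["ri"][j] + sk["r"] * hash_k(gen_id, j + 1)) % Q for j in range(N)]
    return (-sum(sj * uj for sj, uj in zip(s, u)) * pow(sk["ri"][N], -1, Q)) % Q


def verify(pk, gen_id, v, sigma):
    """Equation (13): p_{N+1}^sigma * prod_j (p_j p^{k_{id,j}})^{v_j} == 1 in G."""
    acc = pow(pk["pi"][N], sigma, P)
    for j in range(N):
        acc = acc * pow(pk["pi"][j] * pow(pk["p"], hash_k(gen_id, j + 1), P) % P, v[j], P) % P
    return acc == 1


def nullspace_mod_q(rows):
    """Gauss-Jordan elimination over F_q; returns a basis of {x : A x = 0}."""
    a, pivots = [list(r) for r in rows], []
    for col in range(len(a[0])):
        row = len(pivots)
        piv = next((i for i in range(row, len(a)) if a[i][col]), None)
        if piv is None:
            continue
        a[row], a[piv] = a[piv], a[row]
        inv = pow(a[row][col], -1, Q)
        a[row] = [x * inv % Q for x in a[row]]
        for i in range(len(a)):
            if i != row and a[i][col]:
                f = a[i][col]
                a[i] = [(x - f * y) % Q for x, y in zip(a[i], a[row])]
        pivots.append(col)
    basis = []
    for fc in [c for c in range(len(a[0])) if c not in pivots]:
        vec = [int(c == fc) for c in range(len(a[0]))]   # free variable set to 1
        for r_idx, pc in enumerate(pivots):
            vec[pc] = (-a[r_idx][fc]) % Q
        basis.append(vec)
    return basis


def recover_key(observations):
    """System (17): one row (u_1..u_N, sigma, sum_t k_{id,t} u_t) per observed (id, u, sigma).
    Returns the solution scaled so that r_{N+1} = 1 (Lemma 2), or None while R(A) < N + 1."""
    rows = []
    for gen_id, u, sigma in observations:
        rows.append(list(u) + [sigma, sum(hash_k(gen_id, t + 1) * u[t] for t in range(N)) % Q])
    basis = nullspace_mod_q(rows)
    if len(basis) != 1:
        return None
    sol = [x * pow(basis[0][N], -1, Q) % Q for x in basis[0]]
    return {"r": sol[N + 1], "ri": sol[:N + 1]}


def demo(seed=1):
    """Collect (u, sigma) pairs generation by generation until system (17) has a one-dimensional
    solution space, then check that a signature made with the recovered key verifies (Theorem 1)."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    observed, gen_id, cand = [], 0, None
    while cand is None and gen_id < 30:
        gen_id += 1
        for _ in range(M):
            u = [rng.randrange(Q) for _ in range(N)]
            observed.append((gen_id, u, sign(sk, gen_id, u)))
        if len(observed) >= N + 2:
            cand = recover_key(observed)
    if cand is None:
        return None
    fresh = [rng.randrange(Q) for _ in range(N)]   # a vector the source never signed
    return verify(pk, gen_id + 1, fresh, sign(cand, gen_id + 1, fresh))
```

With this $q$ the solution space is already one-dimensional after $N + 2 = 8$ pairs with probability about 0.999 (Equation (27)); demo() simply keeps collecting generations until it is, which is exactly the accumulation the multi-generation attack relies on.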
4. AN IMPROVED SCHEME
Liu and Wang have shown that their scheme is resistant against intra-generation pollution attacks. However, they do not take into consideration the case in which the attacker is able to get enough (message, signature) pairs to recover the secret keys after multiple generations. Specifically, in Liu and Wang's scheme, the secret keys are employed to sign the messages without protection, which gives the adversary a chance to accumulate linear combinations of the secret keys and finally obtain the information needed to launch the forgery attack by solving a system of linear equations.
Concerning how to resist the proposed attack, first, a dynamic $r$ uniquely chosen for each generation is still not secure. The reason is as follows. For each generation, the adversary can obtain $m$ linearly independent messages with their corresponding signatures, which result in $m$ equations with $N+2$ unknowns. By choosing a unique $r$ for each generation, after $l$ generations there are $ml$ equations with $N + l + 1$ unknowns. By choosing an integer $l \geq \lceil (N+1)/(m-1) \rceil$, we have $ml \geq N + l + 1$. Hence, using the same idea as in our proposed attack, the adversary can accumulate enough equations to launch a successful attack. Another way to avoid the proposed attack is to change the value of the secret key $SK = \{r, r_i \mid 1 \leq i \leq N+1\}$ after each generation. However, to update the corresponding public key $PK = \{H, p = g^{r}, p_i = g^{r_i} \mid 1 \leq i \leq N+1\}$, we need to transmit $N+2$ additional signatures to update the corresponding $p = g^{r}$ and $p_i = g^{r_i}$, $1 \leq i \leq N+1$. In the following, we propose an improved scheme, which is able to defeat the proposed attack using only one additional signature.
Table I. Computation cost and resistance against multi-generation pollution attack.

Scheme    | Sign                              | Verify                                          | Multi-generation attacks
BFKW      | (N + 1)·1.5|q| multiplications    | (N + 1)·1.5|q| multiplications + 2 pairings     | Resistant
LW        | (N + 2) multiplications           | [(2N + 1)·1.5|q| + 2N] multiplications          | No
Proposed  | (N + 2 + 1.5|q|) multiplications  | [(2N + 1)·1.5|q| + 3N + 2] multiplications      | Resistant
We also let $g$ be a generator of $G$, which is a cyclic group of order $q$. The secret key is

$$SK = \{r \leftarrow_R \mathbb{F}_q,\ r_i \leftarrow_R \mathbb{F}_q \mid 1 \leq i \leq N+1\}.$$ (32)

Next, the public key is

$$PK = \{H,\ p = g^{r},\ p_i = g^{r_i} \mid 1 \leq i \leq N+1\}.$$ (33)

We assume that there exists a cryptographically secure pseudorandom function (PRF) $F : \mathcal{K}_F \times \mathcal{I} \to \mathbb{F}_q$ [23], where $\mathcal{K}_F$ denotes the set of all keys of the PRF $F$, and $\mathcal{I}$ the set of all generation identifiers. The source node $S$ randomly selects $k \in \mathcal{K}_F$; then, for the messages transmitted in the generation with identifier $id$, the source node $S$ computes $\beta_{id} = F(k, id) \in \mathbb{F}_q$ and updates the secret key as

$$SK = \{r^{id} = r + \beta_{id},\ r^{id}_i = r_i + \beta_{id} \mid 1 \leq i \leq N+1\}.$$ (34)

It is worth mentioning that the source node $S$ can choose to update the secret key only after $\lceil (N+1)/m \rceil - 1$ generations, which is also secure according to the security analysis in Section 3.2. For the sake of clarity, here we choose to let the source node $S$ update the secret key for every generation, which is certainly more secure than updating the secret key after $\lceil (N+1)/m \rceil - 1$ generations.
Then, with $H : \{0,1\}^* \to \mathbb{F}_q$ a one-way collision-free hash function, the source node $S$ first calculates

$$k_{id,j} = H(id, j)$$ (35)

for $1 \leq j \leq N$, and generates

$$s^{id} = \{s^{id}_1, s^{id}_2, \ldots, s^{id}_{N+1}\},$$ (36)

with each $s^{id}_j = r^{id}_j + r^{id} k_{id,j}$ and $s^{id}_{N+1} = r^{id}_{N+1}$. Next, the signature of $u_i = (u_{i,1}, u_{i,2}, \ldots, u_{i,N})$ for each $1 \leq i \leq m$ is

$$\sigma_i = -\frac{\sum_{j=1}^{N} s^{id}_j u_{i,j}}{s^{id}_{N+1}}.$$ (37)

The source node $S$ computes $g^{\beta_{id}}$ and sends it together with the packets and their corresponding signatures. After receiving $g^{\beta_{id}}$, all the nodes in the network can update the public key as

$$PK = \{H,\ p^{id} = p\, g^{\beta_{id}},\ p^{id}_i = p_i\, g^{\beta_{id}} \mid 1 \leq i \leq N+1\}.$$ (38)

With the updated public key, all the nodes in the network can verify the validity of a received (vector, signature) pair $(v, \sigma)$ transmitted in the generation with identifier $id$. Suppose that $v = (v_1, v_2, \ldots, v_N)$; all the nodes can check whether the following equation holds:

$$(p^{id}_{N+1})^{\sigma} \prod_{i=1}^{N} \big(p^{id}_i\, (p^{id})^{k_{id,i}}\big)^{v_i} \overset{?}{=} 1.$$ (39)

From the above key update scheme, we can see that the private key and the public keys depend on both the generation identifier $id$ and the key $k$. Therefore, the secret keys and public keys used in different generations are also different, which shows that the improved scheme can defeat the proposed attack.
In Table I, we summarize the computation cost and the resistance against multi-generation pollution attacks of the BFKW scheme in [11], Liu and Wang's scheme (LW scheme) in [20], and the proposed scheme. Similar to [20], we assume that one exponentiation in the finite field $\mathbb{F}_q$ is equivalent to $1.5|q|$ multiplications in $\mathbb{F}_q$, where $|q| = \lceil \log_2 q \rceil$. We can see from Table I that the proposed scheme brings only one additional exponentiation and $N+2$ multiplications, compared with the LW scheme in [20].
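As an added example (not the paper's code), the improved scheme of this section in Python, using the same constructed group as in the Section 3 example ($q = 1019$, $p = 2039$, $g = 4$), SHA-256 modulo $q$ for $H$, and HMAC-SHA256 as the PRF $F$ (an assumption of this example). It walks through the per-generation key update (34), signing (37), the public-key update from $g^{\beta_{id}}$ (38) and verification (39), and also checks that generation-1 packets replayed under generation 2's key do not verify. One edge case the text does not mention is handled explicitly: with a toy $q$, $r^{id}_{N+1} = r_{N+1} + \beta_{id}$ can be 0, in which case (37) has no inverse and the source must skip that identifier.

```python
import hashlib
import hmac
import random

Q, P, G = 1019, 2039, 4   # toy group: q = 1019 prime, p = 2q + 1, g = 4 generates the order-q subgroup of Z_p^*
N, M = 6, 3               # vector length N = n + m, and m messages signed per generation


def hash_k(gen_id, j):
    """k_{id,j} = H(id, j): SHA-256 of the pair, reduced modulo q."""
    return int.from_bytes(hashlib.sha256(f"{gen_id},{j}".encode()).digest(), "big") % Q


def prf_beta(k, gen_id):
    """beta_id = F(k, id); HMAC-SHA256 stands in for the PRF F (an assumption of this example)."""
    return int.from_bytes(hmac.new(k, str(gen_id).encode(), "sha256").digest(), "big") % Q


def keygen(rng):
    """Equations (32) and (33), plus the PRF key k that only the source knows."""
    sk = {"r": rng.randrange(1, Q), "ri": [rng.randrange(1, Q) for _ in range(N + 1)],
          "k": bytes(rng.getrandbits(8) for _ in range(16))}
    pk = {"p": pow(G, sk["r"], P), "pi": [pow(G, ri, P) for ri in sk["ri"]]}
    return sk, pk


def sign_generation(sk, gen_id, vectors):
    """Key update (34) and signatures (37) for one generation; also returns the g^{beta_id} sent along.
    Returns None when r^{id}_{N+1} = 0 mod q, since (37) then has no inverse and the id must be skipped."""
    beta = prf_beta(sk["k"], gen_id)
    r_id = (sk["r"] + beta) % Q
    ri_id = [(ri + beta) % Q for ri in sk["ri"]]
    if ri_id[N] == 0:
        return None
    s = [(ri_id[j] + r_id * hash_k(gen_id, j + 1)) % Q for j in range(N)]
    inv = pow(ri_id[N], -1, Q)
    sigmas = [(-sum(sj * uj for sj, uj in zip(s, u)) * inv) % Q for u in vectors]
    return sigmas, pow(G, beta, P)


def update_pk(pk, g_beta):
    """Equation (38): every node lifts p and each p_i by g^{beta_id}; no secret is needed."""
    return {"p": pk["p"] * g_beta % P, "pi": [pi * g_beta % P for pi in pk["pi"]]}


def verify(pk_id, gen_id, v, sigma):
    """Equation (39), checked against the public key of generation id."""
    acc = pow(pk_id["pi"][N], sigma, P)
    for i in range(N):
        base = pk_id["pi"][i] * pow(pk_id["p"], hash_k(gen_id, i + 1), P) % P
        acc = acc * pow(base, v[i], P) % P
    return acc == 1


def demo(seed=1):
    """Sign two generations. Returns (every packet verifies under its own generation's key,
    every generation-1 packet also verifies when replayed under generation 2's key)."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    gens, gen_id = [], 0
    while len(gens) < 2:
        gen_id += 1
        vectors = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
        signed = sign_generation(sk, gen_id, vectors)
        if signed is not None:           # skip an id whose r^{id}_{N+1} happens to be 0
            sigmas, g_beta = signed
            gens.append((gen_id, vectors, sigmas, update_pk(pk, g_beta)))
    (id1, v1, s1, pk1), (id2, v2, s2, pk2) = gens
    own = all(verify(pk_g, gid, v, s) for gid, vs, ss, pk_g in gens for v, s in zip(vs, ss))
    replayed = all(verify(pk2, id2, v, s) for v, s in zip(v1, s1))
    return own, replayed
```

A signature verifies under a key it was not made with only by chance, with probability about $1/q$ per packet, which is why the scheme requires a large $q$; the replay check above asks all $m = 3$ packets to pass so that a chance pass is negligible even for this toy $q$.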
5. CONCLUSION AND FUTURE WORK
In this paper, we have shown that there exists an attack on Liu and Wang's homomorphic signature scheme for network coding, in which, after several generations, the adversary is able to launch a forgery attack with a probability that approaches 1. The reason is that the secret keys are employed to sign the messages without protection, and the adversary can accumulate linear combinations of the secret keys and finally recover the needed information by solving a system of linear equations. After that, an improved scheme is given, which is believed to defeat the proposed attack with only one additional signature. In future work, we will check whether similar attacks exist on the improved scheme.
ACKNOWLEDGEMENTS
The authors would like to thank the anonymous reviewers for their constructive and helpful comments. The work presented in this paper was supported in part by the National Natural Science Foundation of China under grant nos. 61301166, 61370224, and 61363069, the Fundamental Research Funds for the Central Universities, China University of Geosciences (Wuhan) (grant nos. CUGL150831 and CUGL150416), the Guangxi Key Laboratory of Trusted Software (nos. kx201326 and KX201215), the State Key Laboratory for Novel Software Technology (no. KFKT2013B10), Guangxi Natural Science Foundation (no. 2014GXNSFAA118364), the High Level Innovation Team of Guangxi Colleges and Universities, and the Program for Innovative Research Team of Guilin University of Electronic Technology. Part of this work was done while Chi Cheng was an International Research Fellow of the Japan Society for the Promotion of Science, Institute of Mathematics for Industry, Kyushu University, and was supported by JSPS KAKENHI grant no. 26.04347.
REFERENCES
1. Ahlswede R, Cai N, Li SYR, Yeung RW. Network information flow. IEEE Transactions on Information Theory 2000; 46(4): 1204–1216.
2. Katti S, Rahul H, Hu W, Katabi D, Medard M, Crowcroft J. XORs in the air: practical wireless network coding. IEEE/ACM Transactions on Networking 2008; 16(3): 497–510.
3. Gkantsidis C, Rodriguez PR. Network coding for large scale content distribution. In Proceedings of IEEE INFOCOM, Miami, USA, 2005; 2235–2245.
4. Dimakis AG, Godfrey PB, Wainwright MJ, Ramchandran K. Network coding for distributed storage systems. In Proceedings of IEEE INFOCOM, Anchorage, Alaska, USA, 2007; 2000–2008.
5. Cai N, Yeung RW. Network coding and error correction. In Proceedings of IEEE International Symposium on Information Theory (ISIT), Bangalore, India, 2002; 119–122.
6. Jaggi S, Langberg M, Katti S, Ho T, Katabi D, Medard M, Effros M. Resilient network coding in the presence of Byzantine adversaries. IEEE Transactions on Information Theory 2008; 54(6): 2596–2603.
7. Cheng F, Yeung RW. Performance bounds on a wiretap network with arbitrary wiretap sets. IEEE Transactions on Information Theory 2014; 60(6): 3345–3358.
8. Krohn M, Freedman M, Mazieres D. On-the-fly verification of rateless erasure codes for efficient content distribution. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, USA, 2004; 226–240.
9. Gkantsidis C, Rodriguez Rodriguez P. Cooperative security for network coding file distribution. In Proceedings of the IEEE INFOCOM, Barcelona, Spain, 2006; 1–3.
10. Charles D, Jain K, Lauter K. Signatures for network coding. In Proceedings of the 40th Annual Conference on Information Sciences and Systems, Princeton, NJ, USA, 2006; 857–863.
11. Boneh D, Freeman D, Katz J, Waters B. Signing a linear subspace: signature schemes for network coding. In Public Key Cryptography (PKC), California, USA, 2009; 68–87.
12. Gennaro R, Katz J, Krawczyk H, Rabin T. Secure network coding over the integers. In Proceedings of International Conference on Practice and Theory in Public Key Cryptography, Paris, France, 2010; 142–160.
13. Agrawal S, Boneh D. Homomorphic MACs: MAC-based integrity for network coding. In Proceedings of the Applied Cryptography and Network Security, Paris-Rocquencourt, France, 2009; 292–305.
14. Cheng C, Jiang T. An efficient homomorphic MAC with small key size for authentication in network coding. IEEE Transactions on Computers 2013; 62(10): 2096–2100.
15. Cheng C, Jiang T, Zhang Q. TESLA-based homomorphic MAC for authentication in P2P system for live streaming with network coding. IEEE Journal on Selected Areas in Communications 2013; 31(9): 291–298.
16. Newell A, Dong J, Nita-Rotaru C. On the practicality of cryptographic defenses against pollution attacks in wireless network coding. ACM Computing Surveys 2013; 45(3): 39:1–39:26.
17. Catalano D, Fiore D, Warinschi B. Efficient network coding signatures in the standard model. In Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography (PKC), Darmstadt, Germany, 2012; 680–696.
18. Gennaro R, Wichs D. Fully homomorphic message authenticators. In ASIACRYPT 2013, Bengaluru, India, vol. 8270, Lecture Notes in Computer Science. Springer: Berlin, Germany, 2013; 301–320.
19. Backes M, Fiore D, Reischuk RM. Verifiable delegation of computation on outsourced data. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS), Berlin, Germany, 2013; 863–874.
20. Liu G, Wang B. Secure network coding against intra/inter-generation pollution attacks. China
21. Chou P, Wu Y, Jain K. Practical network coding. In Proceedings of Allerton Conference on Communication, Control, and Computing, Monticello, IL, USA, 2003.
22. Overbey J, Traves W, Wojdylo J. On the keyspace of the Hill cipher. Cryptologia 2005; 29(1): 59–72.
23. Katz J, Lindell Y. Introduction to Modern Cryptography. Chapman & Hall/CRC Press: Boca Raton,