1 Introduction
Consider a scenario in which a sender owns a message and wants to send it to a receiver. Because the message can be modified or lost in transit, the receiver would like to check whether it is intact. A MAC provides integrity and authenticity assurances on the message by allowing the receiver (who also possesses the shared secret key of the sender) to detect any changes to the message content. A MAC consists of a tuple of algorithms (, , ) as follows:

: The sender runs this algorithm which inputs a security parameter , and outputs a secret key . The sender then sends to the receiver via a secure channel.

: The sender runs this algorithm which inputs and a message , and outputs a tag .

: The receiver runs this algorithm which inputs , and , and outputs 1 if is a valid tag and 0 otherwise.
Definition 1
A MAC is an additive homomorphic MAC if it satisfies:
(1) 
Definition 2
A MAC is a multiplicative homomorphic MAC if it satisfies:
(2) 
1.1 Innerproduct MAC
The simplest additive MAC is the innerproduct MAC. This MAC consists of the following algorithms:

: The sender runs this algorithm which inputs a security parameter , and outputs a secret key where denotes a dimensional finite field of prime order . The sender then shares to the receiver via a secure channel.

: The sender runs this algorithm which inputs and a message , and outputs a tag such that:
(3) The sender then transmits to the receiver.

: The receiver runs this algorithm which inputs and checks if:
(4) The algorithm outputs 1 if the equality holds ( is a valid tag) and outputs 0 otherwise.
Theorem 1.1
The innerproduct MAC is an additive homomorphic MAC.
Proof



∎
1.1.1 Security Analysis.
The innerproduct MAC is secure against brute-force search if is chosen large enough. This is because , the probability of finding via a brute-force search is . If is chosen large enough (e.g., 160 bits), the probability is , which is negligible. However, this MAC is not secure against the replay attack because:

In the first transmission:

The sender sends to the receiver.

The attacker captures and when they are transmitted.

The receiver verifies iff: . Suppose that the equality holds ( is intact); the receiver then outputs 1.


In the next transmission:

The sender sends to the receiver.

The attacker reuses the old message and the old tag . It is clear that:
(5) 
The attacker drops and sends to the receiver.

The receiver verifies iff: . This equality holds because of Eq. 5, but the receiver cannot know that the message was replaced.

1.2 Carter-Wegman MAC
To address the replay attack, which is a drawback of the innerproduct MAC, the Wegman-Carter MAC [1, 3] has been proposed with an additional pseudorandom function. This MAC consists of the following algorithms:

: The sender runs this algorithm which inputs a security parameter , and outputs a secret key which is used for tagging the message , and a secret key which is used for permuting the tag. After that, the sender shares to the receiver via a secure channel.

: The sender runs this algorithm which inputs the message and , and outputs a tag such that:
(6) where denotes a random value and denotes a pseudorandom function such that ( is the space of and is the space of ). The sender then transmits to the receiver. Note that (i) can be public, and (ii) is regenerated every transmission and is transmitted to the receiver via a secure channel like the keys (or is chosen large enough).

: The receiver runs this algorithm which inputs and checks if:
(7) The algorithm outputs 1 if the equality holds ( is a valid tag), and outputs 0 otherwise.
1.2.1 Security Analysis.
Similar to the innerproduct MAC, the keys of the Wegman-Carter MAC cannot be recovered by brute-force search if and are chosen large enough. Furthermore, the Wegman-Carter MAC is secure against the replay attack:

In the first transmission:

The sender sends to the receiver.

The attacker captures and when they are transmitted.

The receiver verifies iff: . Suppose that the equality holds (which means that is intact); the receiver then outputs 1.


In the next transmission:

The sender sends to the receiver.

The attacker reuses the old message and the old tag . It is clear that:
(8) 
The attacker drops and sends to the receiver.

The receiver verifies iff: . This equality will not hold because of Eq. 8. The receiver then outputs 0.
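The replay attack of Section 1.1.1 and the Wegman-Carter fix of Section 1.2.1, as an added Python example (not code from the paper): the innerproduct MAC accepts a replayed (message, tag) pair and satisfies Definition 1, while the Carter-Wegman variant, whose check is bound to the nonce of the current transmission, rejects it. The prime p, the dimension n, the tag formulas (t = <k, m> and t = <k1, m> + F(k2, r)) and an HMAC-SHA256-based PRF are assumptions filled in for the paper's stripped formulas.

```python
import hashlib, hmac, secrets

P = (1 << 61) - 1   # prime field order (constructed for the example)
N = 4               # message and key dimension n

def inner(a, b):
    """Inner product over F_p."""
    return sum(x * y for x, y in zip(a, b)) % P

def ip_keygen():
    return [secrets.randbelow(P) for _ in range(N)]   # k uniform in F_p^n

def ip_tag(k, m):
    return inner(k, m)                                 # assumed Eq. 3: t = <k, m>

def ip_verify(k, m, t):
    return inner(k, m) == t                            # Eq. 4

def prf(k2, r):
    """Assumed PRF F: keyed hash of the nonce r, reduced mod p (not the paper's F)."""
    return int.from_bytes(hmac.new(k2, r, hashlib.sha256).digest(), "big") % P

def cw_keygen():
    return ip_keygen(), secrets.token_bytes(32)        # k1 tags the message, k2 keys the PRF

def cw_tag(k1, k2, m):
    r = secrets.token_bytes(16)                        # regenerated for every transmission
    return r, (inner(k1, m) + prf(k2, r)) % P          # assumed Eq. 6: t = <k1, m> + F(k2, r)

def cw_verify(k1, k2, m, r, t):
    return (inner(k1, m) + prf(k2, r)) % P == t        # Eq. 7, with the current round's r

def replay_demo():
    """Returns (innerproduct MAC accepts replay, CW MAC accepts replay, additivity holds)."""
    m_old, m_new = [3, 1, 4, 1], [2, 7, 1, 8]          # constructed messages of two rounds
    k = ip_keygen()
    t_old, t_new = ip_tag(k, m_old), ip_tag(k, m_new)
    ip_replay = ip_verify(k, m_old, t_old)             # attacker drops m_new, resends (m_old, t_old)
    m_sum = [(a + b) % P for a, b in zip(m_old, m_new)]
    additive = ip_verify(k, m_sum, (t_old + t_new) % P)   # Definition 1 / Theorem 1.1
    k1, k2 = cw_keygen()
    r_old, tc_old = cw_tag(k1, k2, m_old)
    r_new, _ = cw_tag(k1, k2, m_new)                   # receiver holds r_new (sent over the secure channel)
    cw_replay = cw_verify(k1, k2, m_old, r_new, tc_old)
    return ip_replay, cw_replay, additive
```

The Carter-Wegman rejection relies on the receiver learning the fresh nonce through the secure channel the paper describes; if the attacker could also replay the old nonce, the old tag would verify again.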

1.3 Inter MAC
Most MACs consider a scenario in which the sender sends a message along with the corresponding tag to the receiver. The receiver can check whether the message is intact using a key shared with the sender. However, the receiver can be untrusted (the sender should not share his/her secret key with the receiver). To address this problem, the inter MAC has been proposed [4, 11, 12, 2, 7] as follows:

: The sender runs this algorithm which inputs a security parameter and a message , and outputs secret keys where . The sender then computes , and sends to the receiver.

: The sender runs this algorithm which inputs the message and the secret key , and outputs a tag such that:
(9) The sender then transmits to the receiver.

: The receiver runs this algorithm which inputs and checks if:
(10) The algorithm outputs 1 if the equality holds ( is a valid tag) and outputs 0 otherwise.
Theorem 1.2
The inter MAC is an additive homomorphic MAC.
Proof



∎
1.3.1 Security Analysis.
Given , which is the summation , the receiver cannot obtain the secret keys and of the sender. This is because , the probability for an attacker to find (or ) via a brute-force search and thereby obtain (or ) is . If is chosen large enough (e.g., 160 bits), the probability of finding and is , which is negligible. However, similar to the innerproduct MAC, this inter MAC is not secure against the replay attack.
2 The Proposed InterCWMAC
The InterCWMAC is a combination of the Carter-Wegman MAC and the inter MAC. The InterCWMAC is proposed to deal with two problems of the Carter-Wegman MAC and the inter MAC: preventing the replay attack and preventing an untrusted receiver from learning the secret key of the sender.
2.1 Construction
The InterCWMAC consists of the following algorithms:

: The sender runs this algorithm which inputs a security parameter , and outputs a secret key which is used for tagging the message , and a key which is used for permuting the tag. The sender then computes . The sender sends and to the receiver via a secure channel.

: The sender runs this algorithm which inputs a message and , and outputs a tag such that:
(11) where denotes a random value and denotes a pseudorandom function such that ( is the space of and is the space of ). The sender then transmits to the receiver. Note that (i) can be public, and (ii) is regenerated every transmission and is transmitted to the receiver via a secure channel like the keys (or is chosen large enough).

: The receiver runs this algorithm which inputs and checks if:
(12) The algorithm outputs 1 if the equality holds ( is a valid tag), and outputs 0 otherwise.
2.2 Application of InterCWMAC
We believe the InterCWMAC can be applied in several scenarios. In this section, we describe an application of the InterCWMAC in a network coding-based distributed storage system.
2.2.1 Network coding-based distributed storage system.
Network coding has been applied to distributed storage systems [5, 6, 8, 9]. In this scenario, the system model consists of two types of entities: a client (trusted) and servers (untrusted). Suppose that a client owns an original file which consists of file blocks: , where . The client wants to store redundantly encoded blocks in the servers in such a way that the client can reconstruct the original file and can repair the encoded blocks in a corrupted server. From these file blocks, the client first creates augmented blocks in which where has the following form:
(13) 
The client then randomly chooses coding coefficients and computes coded blocks using the linear combination as follows:
(14) 
These coded blocks are then stored in the servers. To reconstruct the original file , any coded blocks are required to solve for the augmented blocks using the accumulated coefficients contained in the last coordinates of each coded block. After these augmented blocks are solved, the file blocks are obtained from the first coordinates of each augmented block. Finally, the original file is reconstructed by concatenating the file blocks. Note that the matrix consisting of the coefficients used to construct any coded blocks should have full rank. Koetter et al. [10] proved that if the prime is chosen large enough and the coefficients are chosen randomly, the probability that the matrix has full rank is high.
2.2.2 Checking the data stored in the servers.
Because the servers may be untrusted, the client must check the servers periodically to ensure that his/her data stored in the servers is always available and intact. In this case, the client can use the same secret keys to tag and to verify.
However, when the client does not want to be burdened with checking the servers periodically, the client can delegate this task to another entity called the third-party verifier (verifier for short), which may also be untrusted. This entity is assumed not to collude with the servers. To deal with this scenario, we can apply the InterCWMAC.
2.2.3 How to apply InterCWMAC.
The InterCWMAC can be applied to the above scenario as follows:
a)
: The client runs this algorithm which inputs a security parameter and the set of augmented blocks , and outputs secret keys as follows:

.

such that for all .
The client then computes . The client sends and to the verifier.
The introduces a challenge: how to generate such that it is orthogonal to all augmented blocks. Formally, for all . The algorithm to generate is given as follows.

: this is the sub-algorithm used in

Let be a pseudorandom function such that .

Generate where .

Compute .

Theorem 2.1
Given , the number of basis vectors of is .
Proof
. Let be the space spanned by the rows of . For any matrix, the rank-nullity theorem gives:
(15) 
where is the dimension of . Therefore,
(16) 
In other words, the number of basis vectors of is . In the , we denoted the basis vectors by . ∎
b)
: The client runs this algorithm which inputs and where is the th coded block in the th server. is computed as a linear combination of using network coding: . The algorithm outputs the tag for such that:
(17) 
for all . denotes the server index and denotes the coded block index in a server. Suppose the number of servers is (). Suppose the number of coded blocks in a server is ().
c)
: The verifier runs this algorithm to check a server where . The algorithm inputs where and are the linear combinations of and , respectively. Namely, and . The algorithm checks if:
(18) 
This algorithm outputs 1 if the equality holds ( is healthy), and outputs 0 otherwise.
The correctness of Eq. 18 is proved as follows:
Proof
= = = = = // because = = ∎
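An added Python example (not the paper's code) of the InterCWMAC over network-coded storage from Section 2.2.3: the client builds augmented blocks, derives k1 from the null space of Theorem 2.1, hands the verifier only k = k1 + k2 and the PRF key, and the verifier checks a random linear combination of a server's coded blocks against the same combination of their tags. The concrete formulas (k1 = (x, -Bx), t = <k2, c> + F(k3, r), and the aggregated check) and the HMAC-based PRF are assumptions, since the paper's equations are not reproduced on this page.

```python
import hashlib, hmac, secrets

P = (1 << 61) - 1   # prime field order (constructed for the example)
S, M = 3, 2         # s symbols per file block, m file blocks; augmented length n = s + m

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def lincomb(coeffs, vecs):
    """Linear combination sum_j coeffs[j] * vecs[j] over F_p."""
    return [sum(c * v[i] for c, v in zip(coeffs, vecs)) % P for i in range(S + M)]

def prf(k3, r):
    """Assumed PRF: keyed hash of the nonce r, reduced mod p (not the paper's F)."""
    return int.from_bytes(hmac.new(k3, r, hashlib.sha256).digest(), "big") % P

def augment(blocks):
    """u_i = (b_i, e_i): the file block followed by the i-th unit vector (Eq. 13)."""
    return [b + [int(j == i) for j in range(M)] for i, b in enumerate(blocks)]

def keygen(blocks):
    """k1 orthogonal to every augmented block, k2 random, k3 for the PRF."""
    x = [secrets.randbelow(P) for _ in range(S)]
    # <(x, y), (b_i, e_i)> = <x, b_i> + y_i, so y_i = -<x, b_i> puts k1 in the null space (Theorem 2.1)
    k1 = x + [(-inner(x, b)) % P for b in blocks]
    k2 = [secrets.randbelow(P) for _ in range(S + M)]
    k3 = secrets.token_bytes(32)
    k = [(a + b) % P for a, b in zip(k1, k2)]   # the verifier receives (k, k3), never k1 or k2
    return k1, k2, k3, k

def tag(k2, k3, c):
    r = secrets.token_bytes(16)                    # fresh nonce per coded block
    return r, (inner(k2, c) + prf(k3, r)) % P      # assumed form t = <k2, c> + F(k3, r)

def verify(k, k3, coded, nonces, tags, betas):
    """Check a linear combination of coded blocks against the same combination of tags (Eq. 18)."""
    lhs = (inner(k, lincomb(betas, coded)) + sum(b * prf(k3, r) for b, r in zip(betas, nonces))) % P
    rhs = sum(b * t for b, t in zip(betas, tags)) % P
    return lhs == rhs      # <k1, c_j> = 0 for every coded block, so <k, c_j> = <k2, c_j>

def demo(corrupt=False):
    blocks = [[5, 1, 9], [2, 8, 3]]                # constructed file blocks b_1, b_2 in F_p^s
    aug = augment(blocks)
    k1, k2, k3, k = keygen(blocks)
    coded = [lincomb([secrets.randbelow(P) for _ in aug], aug) for _ in range(3)]   # Eq. 14
    nonces, tags = zip(*[tag(k2, k3, c) for c in coded])
    if corrupt:
        coded[0][1] = (coded[0][1] + 1) % P        # the server alters one stored symbol
    betas = [secrets.randbelow(P) for _ in coded]  # verifier's challenge coefficients
    return verify(k, k3, coded, nonces, tags, betas)
```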
3 Future work
In the proposed InterCWMAC, the verifier is given and . The probability for the verifier to search each secret key is . This probability can be reduced if the verifier is given and . For future work, a potential solution is to design a pseudorandom function such that it is homomorphic (to suit network coding) and such that given , and cannot be obtained.
References

[1] Carter J and Wegman M (1977) Universal classes of hash functions. In: Proceedings of the 9th ACM Symposium on Theory of Computing (STOC'77), pp. 106-112. ACM SIGACT, DOI: https://doi.org/10.1145/800105.803400.
[2] Omote K and Thao TP (2016) D2-POR: Direct Repair and Dynamic Operations in Network Coding-based Proof of Retrievability. In: IEICE Transactions on Information and Systems, vol. E99-D, no. 4, pp. 816-829, April 2016, DOI: https://doi.org/10.1587/transinf.2015ICP0014.
[3] Carter L and Wegman MN (1979) Universal Classes of Hash Functions. In: Journal of Computer and System Sciences, 18(2):143-154, DOI: 10.1016/0022-0000(79)90044-8.
[4] Le A and Markopoulou A (2012) On detecting pollution attacks in intersession network coding. In: Proceedings of the 31st IEEE Conference on Computer Communications (INFOCOM'12), pp. 343-351.
[5] Dimakis A, Godfrey P, Wu Y, Wainwright M, and Ramchandran K (2010) Network coding for distributed storage systems. In: IEEE Transactions on Information Theory, 56(9):4539-4551.
[6] Chen B, Curtmola R, Ateniese G, and Burns R (2010) Remote Data Checking for Network Coding-based Distributed Storage Systems. In: Proceedings of the ACM Cloud Computing Security Workshop (CCSW'10), pp. 31-42.
[7] Omote K and Thao TP (2015) MD-POR: Multisource and Direct Repair for Network Coding-based Proof of Retrievability. In: International Journal of Distributed Sensor Networks (IJDSN), vol. 2015, article ID 586720, article no. 3, January 2015, DOI: https://doi.org/10.1155/2015/586720.
[8] Chen H.C.H, Hu Y, Lee P.P.C, and Tang Y (2014) NCCloud: A Network-Coding-Based Storage System in a Cloud-of-Clouds. In: IEEE Transactions on Computers, 63(1):31-44.
[9] Le A and Markopoulou A (2012) NC-Audit: Auditing for network coding storage. In: International Symposium on Network Coding (NetCod'12), pp. 155-160.
[10] Koetter R and Medard M (2003) An Algebraic Approach to Network Coding. In: IEEE/ACM Transactions on Networking (TON), 11(5):782-795.
[11] Thao TP and Omote K (2016) ELAR: Extremely Lightweight Auditing and Repairing for Cloud Security. In: Proceedings of the 32nd Annual Computer Security Applications Conference (ACSAC'16), pp. 40-51, ISBN: 978-1-4503-4771-6, DOI: https://doi.org/10.1145/2991079.2991082.
[12] Omote K and Thao TP (2015) DD-POR: Dynamic Operations and Direct Repair in Network Coding-based Proof of Retrievability. In: Proceedings of the 21st Annual International Computing and Combinatorics Conference (COCOON'15), pp. 713-730. Available: https://link.springer.com/chapter/10.1007/978-3-319-21398-9_56.