E-HMAC: An Efficient Secure Homomorphic MAC Scheme for NC-Enabled WSNs

The main goal of Network Coding (NC) is to find an optimal transmission of data in a network. NC presents an advantage for wireless sensor networks (WSNs) in terms of network lifetime. However, Network Coding-enabled WSNs are affected by various attacks, such as pollution attacks. Many HMAC schemes have been proposed in the literature to secure packets against pollution attacks. In 2015, Esfahani et al. proposed a dual-homomorphic MAC scheme based on the construction of two different MACs to ensure the integrity of coded packets. Their solution has many weaknesses in terms of security against tag pollution attacks. In this paper, we improve their scheme by proposing a novel HMAC scheme for NC-enabled WSNs, called E-HMAC, based on multi-linear space to check the integrity of coded packets. The simulation results demonstrate the ability of our proposed scheme to secure the coded packets with a low key storage overhead and communication overhead, compared to Esfahani et al.'s scheme.


Introduction
WSNs [1] consist of a set of devices having limited computing resources. This type of network has attracted much attention in recent years, not only in academia but also in industry, for the study and development of a number of potential applications. However, the resource constraint is the most important feature of this network. Network Coding (NC) finds an optimal transmission of data in a network. Network Coding can also improve network resiliency against attacks. Wireless Sensor Networks (WSNs) can benefit from NC.

Motivations
In many applications of Network Coding-enabled WSNs, data can be threatened by external events that should not occur during normal network operation. Among these attacks, we find pollution attacks [2]. There are two types of pollution attacks: data pollution attacks and tag pollution attacks. In a data pollution attack, the mission of an adversary is to insert fake data and to realize the verification of other innocent sensors which causes. In a tag pollution attack, the objective of the adversary is to get correct data packets marked as false and isolated by intermediate sinks or nodes, which discard the correct packets. If a data pollution attack is not detected at the forwarder nodes, the base station is not able to verify whether the received message is correct, and cannot check the source messages correctly. In a WSN, as long as the polluted packets propagate via recoding, a small number of these packets can affect the security of a large number of downstream nodes. There are several cryptographic methods [3] providing the security and integrity of transmitted data such as Homomorphic MAC [4] coded packets. Their solution has many drawbacks in terms of security against tag pollution attacks. Among the schemes proposed in the literature to protect data against pollution attacks, Homomorphic MAC is considered a low-complexity method. However, the generated MACs can be polluted during their transmission between nodes on the way to the base station, which makes the HMAC solution vulnerable to tag pollution attacks. For this reason, it is necessary to produce secure homomorphic MACs which partially mitigate both tag pollution attacks and data pollution attacks.
In this paper, we improve Esfahani et al.'s scheme [9], which is the most well-known tag pollution scheme taking advantage of homomorphic MACs, by proposing for Network Coding-enabled WSNs an efficient HMAC scheme, called E-HMAC, to ensure the integrity of packets transmitted in the network. The objective is to protect data against pollution attacks.

* Email: haythem.hayouni@supcom.tn

Our contributions
The main contributions of our proposal are as follows:
• We review the state of the art regarding the multiple proposals that use homomorphic MAC to secure the transmitted messages against pollution attacks in NC-enabled networks.
• We review the scheme of Esfahani et al. and point out its weaknesses in terms of security against tag pollution attacks.
• We propose an efficient HMAC scheme, called E-HMAC, to ensure the integrity of packets transmitted in the network, by improving Esfahani et al.'s scheme.
• We introduce some new concepts to protect data against pollution attacks.
• We secure the coded packets with a low consumption of network resources.
• We prove our scheme secure using a security analysis against Data Pollution Attack and Tag Pollution Attack by proving some theorems.
• We evaluate the performance of the proposed scheme with respect to its key storage and communication overhead.
• We compare our findings to Esfahani et al.'s scheme and discuss our results.
The rest of the paper is outlined as follows. In Section 2, we present some related works for ensuring security against pollution attacks, based on the HMAC method. In Section 3, some preliminaries are presented and discussed.

Related works
Jointly ensuring the security, such as integrity, of the packets exchanged in WSNs is a challenge, as the nodes are deployed in hostile environments. Sensor nodes are exposed to several attacks such as pollution attacks. An HMAC mechanism must resist these attacks when part of the nodes are compromised. In this section, we present some proposed HMAC schemes for NC-enabled WSNs. Agrawal and Boneh [5] proposed an HMAC scheme to provide the integrity of the data in network coding. The objective of the scheme is to prevent pollution attacks in the case of network coding by the generation of different tags associated with coded packets. In [6], the authors proposed an algorithm which allows the sink node to accept the data with a high probability if the result of the integrity check is within an acceptable limit, or to reject the result if it is out of bounds. By building a random sampling mechanism and interactive verification, this algorithm offers several methods to securely calculate the HMAC. However, this scheme concerns the security of transmitted data and not the security of generated HMAC tags. In [7], the authors proposed a scheme which aims to solve the problem of data authentication by adding several HMAC tags without signature to the payload of the packet. This scheme affects the communication overhead introduced by the generated tags.
In [8], the authors presented an efficient aggregation of encrypted data. This solution is designed to provide efficiency and confidentiality in WSNs. The authors propose an additive homomorphic MAC while providing security of aggregated data. The basic idea is to replace the XOR operation by a simple modular addition. This solution is robust against repetitive attacks. However, security against data pollution attacks is not provided, since a length key is associated with each message. In [9], the authors proposed a dual-homomorphic MAC scheme based on the generation of two different MACs to ensure the integrity of coded packets. The second MAC checks the integrity of the first generated MAC. However, the signature used for the generation of MAC and DMAC for providing security against tag pollution attacks is a time-consuming process.
We summarize the related works of secure HMAC schemes for network coding in Table 1, in terms of vulnerability against pollution attacks.

Preliminaries
In this section, we specify some notions on the network architecture used by our proposed scheme as well as the type of attack considered. Finally, we present the homomorphic MAC method.

Basic Notation
Table 2 presents the parameters used in this paper to formulate our proposed scheme.

Network model
For our proposed scheme, we use the model of linear networking presented in Figure 1. A message m is divided into a sequence of vectors: in . These vectors are then sent into the network in the form of coded packets u, where there are u vectors for the message m; that is, each packet u represents a vector. The packet is prefixed with the ith unit vector, represented as: Intermediate nodes combine the packets into a single coded vector, which they subsequently send across the network. The sink node receives the result and rebuilds the original message after checking its integrity.

Adversary Model
Pollution attacks [10] aim to add malicious packets to the network, which can be used later to start other types of attacks. There are two types of pollution attacks:
• Data Pollution Attack: The mission of an adversary is to insert fake data and to realize the verification of other innocent sensors which causes.
• Tag Pollution Attack: The objective of the adversary is to get correct data packets marked as false and isolated by intermediate sinks or nodes, which discard the correct packets.

Homomorphic MAC
The homomorphic MAC [5] consists of three probabilistic polynomial-time algorithms (Sign, Combine, Verify):
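As an added illustration (not code from the paper, and not the E-HMAC construction), the following Python sketch implements a basic single-tag homomorphic MAC in the style of Agrawal and Boneh [5] over the augmented vectors of the network model, and shows how one tag reacts to data pollution and to tag pollution. The field size Q, the HMAC-SHA256 stand-ins for the PRG and PRF, the sample vectors and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

Q = 2**31 - 1  # prime field size (assumed parameter; a forgery succeeds with chance ~1/Q)

def _prf(key: bytes, label: bytes) -> int:
    """HMAC-SHA256 reduced into F_Q; stands in for both the PRG G and the PRF F."""
    return int.from_bytes(hmac.new(key, label, hashlib.sha256).digest(), "big") % Q

def augment(data, i, m):
    """Append the i-th unit vector (0-based, length m) to a source data vector."""
    return list(data) + [1 if j == i else 0 for j in range(m)]

def sign(k1, k2, file_id, v, i):
    """Source: tag of the i-th augmented vector, t = <G(k1), v> + F(k2, id, i)."""
    u = [_prf(k1, b"G%d" % j) for j in range(len(v))]
    return (sum(a * b for a, b in zip(u, v)) + _prf(k2, b"F%s|%d" % (file_id, i))) % Q

def combine(packets, coeffs):
    """Relay, no key needed: apply the same linear combination to vectors and tags."""
    n = len(packets[0][0])
    y = [sum(c * v[j] for c, (v, _) in zip(coeffs, packets)) % Q for j in range(n)]
    t = sum(c * tag for c, (_, tag) in zip(coeffs, packets)) % Q
    return y, t

def verify(k1, k2, file_id, y, t, m):
    """Accept iff t == <G(k1), y> + sum_i y[n+i] * F(k2, id, i) in F_Q."""
    n = len(y) - m
    u = [_prf(k1, b"G%d" % j) for j in range(len(y))]
    a = sum(ui * yi for ui, yi in zip(u, y))
    b = sum(y[n + i] * _prf(k2, b"F%s|%d" % (file_id, i)) for i in range(m))
    return (a + b) % Q == t % Q

def demo():
    k1, k2, fid, m = secrets.token_bytes(16), secrets.token_bytes(16), b"file-1", 3
    data = [[5, 7, 11, 13], [2, 4, 6, 8], [9, 1, 0, 3]]    # constructed source vectors
    pkts = []
    for i, d in enumerate(data):
        v = augment(d, i, m)
        pkts.append((v, sign(k1, k2, fid, v, i)))
    y, t = combine(pkts, [3, 10, 42])                       # honest relay
    honest = verify(k1, k2, fid, y, t, m)
    bad_y = [(y[0] + 1) % Q] + y[1:]                        # data pollution
    data_polluted = verify(k1, k2, fid, bad_y, t, m)
    tag_polluted = verify(k1, k2, fid, y, (t + 1) % Q, m)   # tag pollution, data intact
    return honest, data_polluted, tag_polluted
```

In `demo()`, the tag pollution case rejects a packet whose data is intact, which is why a single MAC alone cannot tell a corrupted tag from corrupted data.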

Review of Esfahani et al.'s Scheme
Esfahani et al. [9] proposed an HMAC scheme that uses two types of tags, MAC and DMAC, to ensure security against pollution attacks. Each MAC ensures the integrity of the coded packets, while each DMAC ensures the integrity of these generated MACs. This scheme comprises four phases: Key Setup, MAC Generation, Combine, and Verify.

Key Setup
Generate as output a public parameter PK, and sample a secret key SK from the key space KE.

MAC Generation
To generate the MAC, the algorithm takes as input the parameters (PK, SK, id, Vect, b). As output, the algorithm generates a tag tg for the vector Vect.

Combine
The input of this step is the public parameter PK, a sequence of triples ( 1 , 1 , 1 ),…, ( , , ), where, is the corresponding tag of under the secret key SK. In the output, the algorithm generates a tag for the combined vector:

Verify
This step verifies the integrity of the generated vector V and the tag. The output is 1 or 0 (reject).

Security Flaws of Esfahani et al.'s Scheme
We discuss the security flaws of Esfahani et al.'s scheme and find that it cannot ensure security against pollution attacks. In the setup step, an adversary A obtains the public and secret keys (PK, SK), and forms the parameters ( , ). After, A computes, for j=1,...,l: Finally, the adversary A outputs a tuple ( * , * , * ), and A wins the attack if: ( , , * , * , * ) =1 (4) In conclusion, Esfahani et al.'s scheme [9] is not secure against tag pollution attacks.

Proposed Scheme
We present an Efficient Homomorphic MAC scheme based on multi-linear space for wireless sensor networks, called E-HMAC, to address the security flaws of Esfahani et al.'s scheme [9]. Our scheme proposes a new algorithm that supports multi-vector transmission over a multi-linear space. The proposed E-HMAC comprises the same processes as Esfahani et al.'s scheme. The details of the four processes are shown below.

Key Setup
Choose four integer numbers r; s; q; x and a prime number l, where q, x are the numbers of tags generated for each vector. Let : → ( + , ) be a pseudo random generator, and : × × ( + ) → be a pseudo random field. Choose a random SK : Output : the public parameters are PK = (l; r; s; q; G; F) and the secret key is SK.

MAC Generation
In this step, the MAC (PK; SK; id; Vect; b) is generated, where b indicates that the vector Vect is the bth basis vector of the vector space identified by id. Firstly, compute: ,where ′ is the corresponding transition matrix. Denote by y(Vect) the x-dimensional vector, where : Let Mt be the following × matrix over : Thirdly, compute for i = 1,…,q and j = 1,…,x : Finally, output the tag :

Combine
In this step, compute and output: , where ℎ is a random coefficient and w is the number of relay nodes.

Verify
In this step, we verify the sequence (PK,SK,id,V,TAG). Firstly, compute : , and compute the dimensional vector a(Vect): Denote by y(Vect) the x-dimensional vector, where : Let Mt' be the following × matrix over : After, compute all the items I: Finally, check whether: ( ) = ( ) for i = 1,…,q and j = 1,…,x.
If all of them hold, output 1 ; otherwise output 0.

Security Analysis
The security analysis of our E-HMAC scheme is based on security against the two types of pollution attacks presented in our adversary model in Section 3.
Theorem 1: Without making any changes in the MACs, and supposing that there are m MACs and N neighbor sensor nodes for the adversary A, the probability that the polluted data passes the verification of the neighbor sensor nodes depends on the number of keys they have and is not greater than 1/ .
Proof: According to Theorem 1, the probability that the next hops will treat the polluted data as legal depends on the number of keys that they have. In particular, if the next hops only have the same key as the compromised node, they will treat the polluted data as legitimate. However, for N nodes and m MACs, it happens with the probability of 1/ .
Proof: The probability of recovering the same shared key between two nodes is , so the probability of the from a user i located in next hop i + 1 is 1 2( +1) , and this probability would be ( 1 2( +1) ) 2 , if this key is found two hops later. However, if the total number of hops between an intermediate node and a base station is (N-i), then the probability that a downstream user receives the same key as node i is: In fact, the polluted TAG can traverse some hops, before it is detected, with this probability Pr. Now, A uses * in one of the MAC queries, i.e. there exists some 0 satisfying * = 0 . Therefore, let * = ( 1 * , … , + * ), define : Obviously, 0 is a valid tag for 0 under the Combine step. In addition, we have, for 1 ≤ ≤ , since the basis 1 , … , is properly augmented.
In conclusion of this analysis, compared to the original HMAC scheme in [9], our proposed scheme E-HMAC protects 50% of the tags from pollution. Table 3 presents a comparison between our scheme and some schemes presented in the related works, in terms of vulnerability against pollution attacks.

Key Storage Overhead
We evaluate the key storage overhead of E-HMAC and compare it to the overhead of Esfahani et al.'s scheme. Compared to Esfahani et al.'s scheme, E-HMAC incurs almost 50% less key storage overhead at the source node, in terms of the total key storage size required at each source node, as shown in Figure 3.

Conclusions
In Network Coding-enabled WSNs, data is split into multiple packets that are combined and encoded together so that they are transmitted and routed to the sink node. Ensuring the integrity of these packets is a security challenge in WSNs. In this paper, we have proposed a new HMAC scheme to efficiently ensure the integrity of coded packets in the network. Our scheme is based on multi-linear space, by directly employing mapping over finite fields. The security analysis shows that our scheme is secure against data pollution attacks and tag pollution attacks. The performance evaluation demonstrates the ability of our proposed scheme to secure the coded packets with a low key storage overhead and communication overhead, compared to Esfahani et al.'s scheme. Extensions to our scheme can be considered to offer additional services such as security of the location of sensor nodes in the network.