A covert authentication and security solution for GMOs.

BACKGROUND: Proliferation and expansion of security risks necessitates new measures to ensure authenticity and validation of GMOs. Watermarking and other cryptographic methods are available which conceal and recover the original signature, but in the process reveal the authentication information. In many scenarios watermarking and standard cryptographic methods are necessary but not sufficient and new, more advanced, cryptographic protocols are necessary.
RESULTS: Herein, we present a new crypto protocol, that is applicable in broader settings, and embeds the authentication string indistinguishably from a random element in the signature space and the string is verified or denied without disclosing the actual signature. Results show that in a nucleotide string of 1000, the algorithm gives a correlation of 0.98 or higher between the distribution of the codon and that of E. coli, making the signature virtually invisible.
CONCLUSIONS: This algorithm may be used to securely authenticate and validate GMOs without disclosing the actual signature. While this protocol uses watermarking, its novelty is in use of more complex cryptographic techniques based on zero knowledge proofs to encode information.

Background

The dramatically increasing worldwide utilization of genetically modified plants, animals and microbes (GMOs) presents challenges to ensure security, authenticity and validation of material goods and legal agreements. Similarly to the evolution witnessed in internet protocols, strategic focus is required to anticipate, track and address potential infringements of GMO security. It is imperative that unimpeachable protocols assure product ownership, provide data to track the product supply chain, and to preempt malicious attacks especially related to bioagents, such as weaponized anthrax spores. As GMOs are not tamper proof or invulnerable to outside attack, it is necessary to encode and embed cyber-security data within the GMO genome. An ideal GMO based security mechanism should provide a secure authentication process accessible to relevant parties without revealing the specific signature components to outside parties. Watermarking has been used extensively to establish authentication signatures that validate ownership by providing a mechanism to conceal and recover the required data necessary to authenticate the identification signature of the originator [1-4]. However, in watermarking applications, the identity of the authentication information is disclosed as validity is verified [5-11]. Although these methods would be useful under many scenarios, they are unacceptable in the context of sophisticated GMO security because they would fail under concerted attack based on malicious transfer and signature duplication. For example, Clelland et al. [5], although establishing significant message secrecy, does not protect the key decoding signatures after access by a third party. It also appears that their approach would be best suited to small message concealment because the DNA based message length must be similar to that of the background sonicated genomic DNA (ca 50-150 nucleotides). Ideally, the signature should not be transferrable, and should remain concealed even from third parties utilizing the cryptographic code. Integrating this sophisticated cryptographic modification is critical for sustained next generation security of GMOs. A focused adversary should only be able to speculate whether a given sequence of nucleotides is a random sequence or a valid signature sequence. Considering a scenario where an attacker might seek to modify a GMO or weaponized bioagent in order to adversely affect function, coercion of individuals having information components or even alignment of whole genome sequences from target and wild type stains via BLAST or other programs should have an extremely low probability of identifying and/or validating an authentic signature. Clearly any security approach also must align with prokaryotic and eukaryotic GMO development and application technologies.

In this paper we demonstrate a novel algorithm that addresses these concerns using advanced cryptographic techniques. For every signature string generated, the developer generates a populating subset with fake signatures (a random sequence of nucleotides of the same length as a valid signature). Thus, each clone would contain adequate information for identification whether or not it is a signature carrying clone. The valid signature can be established by techniques developed in [12] and would be available to the developer and/or third party inspector. Those techniques assure that the input information is correctly received on the output side, i.e. when they are stored and read out there is no loss or change of information, while there is no concern that someone would actively modify or manipulate the data. Since each clone contains a valid or fake signature element, it would be virtually impossible to correctly select the authentic signature. We emphasize that while our algorithm uses watermarking, it is not a watermarking protocol per se. The process of watermarking by itself does not provide adequate security during its verification as it allows potentially malicious transfer and signature duplication. Our protocol uses sophisticated novel cryptanalytic attack models and protection mechanisms. While many of the existing methods use classic cryptography such as symmetric - AES, nonsymmetric -RSA and more classical approaches, we use zero-knowledge and confirmer signature techniques applied to GMOs. These are much more advanced crypto systems than AES and RSA. This algorithm should become the standard in implementation of this technology in practice.

Practical realization and combination with data-encoding mechanisms into DNA

Embedding of data in DNA has received a lot of attention. Previous algorithm proposals primarily concerned about biological aspects and correct and efficient decoding. Heider and Barnekow [13, 14] focus on error detection and correcting properties - not in the sense of cryptography - but inside the genome, to detect and correct mutations occurring during cell division that might destroy the information that is ’encrypted’ (i.e., hidden), inside the genome. As such the DNA medium can be interpreted as a noisy channel and has been addressed by tools of digital coding and information theory [11]. Depending on usage requirements in living cells, our watermarking step might benefit from such additional features and could easily be combined with theirs or related algorithms. Yachie et al. [15] considered error detection and correction of the data-encoded DNA sequence inside of living organisms. Their approach is a refined repetition code that avoids multiple segments of the same DNA sequence within a single genome. Our method can be combined with their alignment-based DNA-data storage and retrieval method, or any of the sequence alignment methods. In fact, we propose a modern alignment method with provably secure decoding properties in [12].

However, no attention has been placed on the cryptographic aspect of the problem. In particular, in the case of ownership watermarks, biocompatibility along with the correct and efficient encoding is not enough. The embedded information that is stored and retrieved additionally requires specific cryptographic security requirements unique to this situation. It is imperative that the secret key remains hidden during watermark verification to prevent the unintended copying of signature data or specified information. These are independent cryptographic security considerations established in this paper.

Clarification about utilization of cryptography

In contrast to correctness of encoding and decoding and efficiency, cryptography considers the security aspects of a (digital) communication medium. These security concerns are unique to the DNA setting. An example can be seen work by Gibson et al. [16] who established the synthesis and assembly of a synthetically designed bacterial cell. Watermark sequences are included which distinguish the synthetically designed from naturally occurring DNA and cells. This type of watermark does not yield unique ownership in that watermark verification is only done by multiplex PCR and the entire watermarking procedure could be imitated by others. They were not concerned about cryptographic security features, e.g., if someone were to produce a harmful bacterial clone carrying their watermark information. How would they refute this clone was not theirs?

Haughton and Balado [11] first incorporated a secret k to keep the encoding secret. The key is shared only between an encoder and decoder. This has the advantage that only the encoder and decoder will have knowledge of the secret message that is embedded in DNA. In the context of ownership watermarking, unfortunately, this scenario is not fully satisfactory. It requires that verification of the watermark is only possible to a selected list of decoders which has to be determined prior to embedding the watermark. Once the watermark is placed, the watermark verification process is only possible within this fixed set of users. In the case of verification of a watermark ownership to a user outside of this fixed set, this scenario is not applicable.

Heider and Barnekow [13] suggest to integrate several private and public key cryptographic algorithms, by employing encryption or a one-time pad. Both are done to create a short binary message. Although the authors did not make this explicit in their work, the first obvious advantage of this approach is that by doing so the information to be hidden inside the DNA is now scrambled inside a binary string. However, it is imperative to note that they do not utilize any of the mentioned cryptographic algorithms. What is needed for DNA-Crypt is a plaintext message (the information to be hidden inside the DNA) that is efficiently converted to a binary string. Thus, they correctly argue, that any function, mapping, or algorithm, which takes meaningful input and coverts it to binary, can be used for their purpose. Their main concern is only the output binary string. They do not incorporate any cryptographic features. They do not consider security, cryptographic approaches, or utilize encryption and decryption. In fact, they argue that the keys used for these cryptographic algorithms could be exchanged with other users. However, precisely for private key crypto, keeping the keys secret is the most important requirement to ensure security. Clearly, their concern is not to utilize the mentioned algorithms for their cryptographic features, but mainly to generate a binary string. Their concern is for better storage utilization, and hence, the cryptographic integration is only for compression purposes of text data into binary (source compression into binary). In summary, all that is utilized by DNA-Crypt is a binary encoding table [14].

In summary, while data embedding methods have benefited from numerous disciplines of digital communication theory, unique requirements of cryptography and security requirements are first addressed in this work. It is crucial to note, that our work can seamlessly be combined with previous data embedding methods. Balado-Haughton [17] determine the maximal number of ways that DNA watermarking can be done, by considering it as a special data hiding problem. Their basic requirement is the primary structure preservation achieved via the redundancy of the genetic code. This does not lead to a unique solution. Depending on biocompatibility constraints and other practical considerations, the tagging of DNA can be performed in various ways. We have not focused on length requirements of the signature sequence, how easily the signatures can be inserted and read, as our method can easily be combined with any others that focus on such issues.

Our work complements these proven practical realizations, can easily be combined with related successful in vivo experiments to hide the secret information in non-coding regions, and addresses the missing security issues not considered before.

Each of [11, 13–16] use some watermarking as a means to ensure tracking or ownership of DNA or organism. Table 1 gives a comparison with our work.

Table 1

Comparison with other work

Feature	[11]	[13]	[14]	[15]	[16]	Our method
Added security features in addition to the sequences	yes	no	no	n/a	no	yes
Source compression (via any cryptographic encoding, substitution cipher, or coding theory)	yes	yes	yes	n/a	n/a	yes
Explicit formulation and identification of broader security requirements and goals	no	no	no	n/a	no	yes
Adaptation and incorporation of novel cryptographic techniques to ensure that sensitive information remains concealed during the verification process	no	no	no	no	no	yes

Methods

The basic cryptographic building block is defined as a zero-knowledge (ZK) proof of knowledge [18] of a hidden signature to constitute the designated confirmer signature [19]. ZK proofs are both convincing and yet yield no identifying key code information beyond the validity of the assertion being proved. They are typically used to force malicious parties to behave according to a predetermined protocol.

The specific cyber-security protocol is as follows: Let Σ be a digital signature scheme given by its key generation protocol Σ.keygen which generates a key pair Σ.sk and Σ.pk consisting of the secret and private key for the signature generation and verification protocols, respectively. Let Γ be a cryptosystem described by Γ.keygen that generates the pair (public key =Γ.pk, private key =Γ.sk) to be used for encryption and decryption. Classes and properties required for Σ and Γ suitable for designated confirmer signatures have been described and analyzed in [19, 20]. To give a specific example, Σ will be represented by a suitable RSA signature scheme and Γ by ElGamal.

The Full Domain Hash RSA [21] signature scheme Σ is given by the key pair (Σ.pk=(N,e), Σ.sk=d) where N is an RSA modulus and ed≡1 mod ϕ(N). The keys here are those used by the signer. With all computations in , a valid signature σ on a message m is defined via σ=H(m)d, where H is a public hash function. The verification equation will make use of the following one-way function and image

Importantly, f is homomorphic as for all , f(xy)=f(x)f(y).

For the encryption scheme Γ we use ElGamal’s encyption [22]. It operates in a group of large enough order where computing discrete logarithms to base g is difficult. The confirmer’s secret key is Γ.sk=x and the corresponding public key is Γ.pk=y=g. To encrypt a message , one chooses a random r and computes the ciphertext as the pair To decrypt a ciphertext (K1,K2), one first obtains the session key and then computes m as K2·k−1.

Let ∘, the binary operation defined on , be the term-wise product (a,b)∘(c,d)=(ac,bd). Fundamental for the construction is the fact that ElGamal is homomorphic since [20],

The space of signatures produced by Σ must be the same as the space of messages encrypted by Γ. This can be done as follows: the signer chooses two sufficiently large primes p and q such that p′=(p−1)/2 and q′=(q−1)/2 are prime. The signer sets N=pq and chooses such that (with overwhelming probability) and sets . The signatures produced by Σ are mapped into by squaring all the parameters (even the bases) before performing any modular operations with them. We also assume that the respective keys are verified with a certificate authority and the respective public parameters are publicly accessible. The symbol || will denote the operation which when applied to two strings m and z results in the ‘usual’ concatenation of the string m, and the string z.

The individual steps of our cryptographic protocol are described next. Let the given message m be the signature data to be signed. Throughout, if m is given in its binary representation (quartic representation as DNA), then after appropriate parsing m∈Z () is considered to be the representation of the integer m modulo N (in ). The signer first generates a verifiable signature μ on m using the following steps:

The signer chooses and computes z←g in .

The signer uses his secret key Σ.sk=d of RSA-FDH to compute σ=H(m||z)2.

σ is converted into DNA bases via our watermarking protocol below and hidden inside the GMO.

The signer encrypts σ via ElGamal with the confirmer’s public key Γ.pk=y=g and the random r, .

μ=(K1,K2) is stored in an electronic database as the designated confirmer signature of m.

A candidate signature μ of m from a public database can only be validated by the TTP according to the following verification protocol.

Given m and μ=(K1,K2), the confirmer computes σ as the decryption of the ElGamal ciphertext (K1=z,K2) using the secret key x.

The confirmer verifies if σ is a valid RSA-FDH signature of m||z by testing σ=H(m||z)2 using the signer’s public key e.

The signature μ is accepted as valid if and only if this verification step passes.

Therefore, the algorithm runs as follows:

Determine the number of occurrences N of each codon C in the host genome, see e.g. [23].

Determine the number M of binary triplets B in the given binary sequence (with filling in of mock elements to yield a number of characters divisible by 3).

Let be the set of nucleotides. There are 24 ways in which these can be ordered. Let n1,n2 be the first two nucleotides, and n3,n4 the latter two in an arbitrary ordering.

Associate with each triplets B of a given binary string a set of possible codons C, B1↦{n1n1n1, n1n1n2, n1n2n1,…,n2n2n2},…B8↦{n3n3n3, n3n3n4, n3n4n3,…,n4n4n4}, where the associated codon list excludes the ATG start codon [11].

The number of times each text triplet is represented by each associated codon C is determined according to the following: For each B determine the number of occurrences N of each of the eight codons C that is associated to B via the above mapping. Spread out the N occurrences of each B according to match the individual numbers of occurrences of their associated codons C.

Results and discussion

The main difference between confirmer signatures and ordinary electronic signatures based on watermarking techniques is that confirmer signatures are not self-authenticating. Our algorithm is essentially based on the confirmer signature concept. In this case, the entity requiring proof of authentication (the “verifer”) cannot check the ownership or the validity of a signature unless a legitimate party confirms or disavows it [24, 25]. While the original signer (the originating product owner, developer or a delegate) can confirm the signature, it also may be verified by a semi-trusted third party (TTP) “confirmer” [26]. There are several advantages to limiting signature validation access to the confirmer and verifier. First, it protects the signer against coercion. Second, it protects the buyer if the signer becomes unavailable. Third, it validates the authentic signature without disclosing the actual signature sequence to an adversary who may even masquerade as a verifier. While the constant involvement of a TTP in the cryptographic protocol gives more power to the TTP, it also enables the TTP to obtain and disclose the signature in case of dispute and has additional important forensic implications. Following successful protocol implementation, the verifier and TTP have certifiable validation that the GMO contains a specific identifying signature although the verifier never acquires the exact signature [20].

Specifically, the confirmer and/or signer provides a ZK proof to demonstrate the validity of this signature to the verifier (Fig. 1). A valid signature is not accepted without the confirmation protocol, and a falsely alleged signature can only be repudiated via the denial protocol. In Figs. 1 and 2, the prover is either the confirmer of the signature who can undo encryption via ElGamal with the knowledge of the private key, or the signer who wishes to confirm the validity of signature μ. Thus, signature verification can be established by the signer without the involvement of the TTP. The TTP has the ability to undo ElGamal encryption and is the only party who can obtain the signature σ. Signature verification is therefore solely based on the encrypted signature , not the signature σ itself. In case of dispute the TTP can make σ public, convert it into nucleotides, and determine presence in the GMO.

Fig. 1

ZK proof of knowledge to verify authenticity. The prover and verifier are given the public input, an alleged signature (K 1,K 2)=μ with z=K 1, and the message (signature data) m. If is generated as above, then t 1=(s ′·σ) and t 2=(g ,s ′ σ·y ) where s is the randomness used in ElGamal to encrypt s ′, and r is that used to encrypt σ. In this case, the protocol allows the prover to confirm the signature in ZK. If μ is a falsely implied signature, the protocol allows the prover to deny the signature in ZK

Fig. 2

Proof that (K 1,K 2) is the encryption of the given message M under ElGamal. If the prover can successfully answer two distinct challenges c 1,c 2 with two acceptable answers s 1,s 2 then the verification step results in (see [27]). Thus, if c 1−c 2

Proof that (K 1,K 2) is the encryption of the given message M under ElGamal. If the prover can successfully answer two distinct challenges c 1,c 2 with two acceptable answers s 1,s 2 then the verification step results in (see [27]). Thus, if c 1−c 2