Fast Signature Scheme for Network Coding


DCABES 2009
Fast Signature Scheme for
Network Coding
Mingxi Yang, Wenjie Yan
Reporter: Wenjie Yan
Mingxi Yang, Wenjie Yan
1
Outline
- Network Coding
- Challenge to Network Coding
- Related Work
- Our Signature Scheme
- Security Analysis
- Verification Efficiency

What is Network Coding
[Figure: butterfly network with source S and nodes T, U, W, X, Y, Z carrying messages b1 and b2. (a) Traditional network: the middle link X→W forwards b1 or b2, so one receiver waits. (b) Network coding: X forwards the combination b1+b2, and both receivers Y and Z recover b1 and b2.]
Network Coding Simplified
[Figure: the file to transfer is split into Block 1, Block 2, Block 3, which are encoded into linear combinations before transmission.]
Prerequisite for decoding: a node must receive enough (n in our scheme) linearly independent message vectors.
Challenge to Network Coding
Drawback
Network coding is very vulnerable to pollution attacks: an adversarial node injecting garbage can quickly affect many receivers, because every node that combines the garbage with other packets spreads it further.
Pollution Attack
[Figure: pollution attack on the butterfly network of the previous slide (source S, nodes T, U, W, X, Y, Z, messages b1 and b2, combination b1 ⊕ b2 at X). The combined packet forwarded by X reaches both receivers Y and Z, so a polluted combination injected at an intermediate node corrupts decoding at both.]
Related Work
- Krohn et al. [7] first proposed a homomorphic scheme using a homomorphic hash function.
- Zhen Yu et al. [8] use RSA to sign the source messages and append the signatures to the corresponding messages.
- Charles et al. [9] proposed a new homomorphic hashing scheme built on top of expensive Weil pairing operations [10], [11] over elliptic curves.
Related Work (Cont.)
Drawback
All the schemes described above require expensive computation in verification, which greatly slows down verification at every forwarding node.
Our Signature Scheme
Model: S is a source node; M is a file.
[Figure: file M is split into blocks m_1, m_2, …, m_n; S sends each block into the network together with its unit coding vector and signature: m_1 with (1,0,0,…,0) and σ(m_1), m_2 with (0,1,0,…,0) and σ(m_2), …, m_n with (0,0,0,…,1) and σ(m_n).]
$M_i = (m_i,\ 0,\dots,0,1,0,\dots,0)$, with data part $m_i \in \mathbb{Z}_q$ and coding vector part $(0,\dots,0,1,0,\dots,0) \in \mathbb{Z}_p^n$.
Our Signature Scheme (Cont.-1)
Our signature scheme is based on the homomorphic function of [13]:
$h(x) = (1 + xq) \bmod q^2$
$h(x) \times h(y) = (1 + xq) \times (1 + yq) \bmod q^2 = [1 + (x+y)q + xyq^2] \bmod q^2 = [1 + (x+y)q] \bmod q^2 = h(x+y)$
Our Signature Scheme (Cont.-2)
- Set up
- Sign
- Combine
- Verify
- Correctness
Set up
- Large primes u, v, q with length(u) ≈ length(v), length(uv) ≈ length(q²) and q² < uv.
- N = uv; keep u and v secret.
- n different elements r_1, …, r_n from G, where G is a multiplicative group of prime order p.
- d, e < φ(N) with d × e ≡ 1 (mod φ(N)), where φ(N) = (u−1) × (v−1).
- private key: d
- public key: pk = (N, e, r_1, …, r_n).
Sign
Given the message $M_i = (m_i, 0,\dots,0,1,0,\dots,0)$ and the private key d, compute the signature σ(M_i) on the source message M_i as:
$$\sigma(M_i) = \left[\frac{(1 + m_i q) \bmod q^2}{r_i}\right]^d \bmod N$$
Combine
Given: coefficients $(c_1, c_2, \dots, c_l)$, messages and signatures $W_1\|\sigma(W_1), \dots, W_l\|\sigma(W_l)$, where $W_i = (w_i, c_{i1}, \dots, c_{in})$.
Combine:
$$w_0 = \sum_{i=1}^{l} c_i w_i \bmod q, \qquad (c_{01}, c_{02}, \dots, c_{0n}) = \sum_{i=1}^{l} c_i (c_{i1}, \dots, c_{in}) \bmod p$$
$$W_0 = (w_0, c_{01}, \dots, c_{0n}) \quad \text{and} \quad \sigma(W_0) = \prod_{i=1}^{l} \sigma(W_i)^{c_i} \bmod N$$
Combine (Cont.)
[Figure: the verified messages $(w_1, c_{11}, \dots, c_{1n}), (w_2, c_{21}, \dots, c_{2n}), \dots, (w_l, c_{l1}, \dots, c_{ln})$ are added (encoding of messages) to give $(w, c_1, \dots, c_n)$, while their signatures $\sigma(W_1), \sigma(W_2), \dots, \sigma(W_l)$ are multiplied (combination of signatures) to give $\sigma(W)$.]
Verify
Given the encoded message $W_0 = (w_0, c_{01}, \dots, c_{0n})$ and signature σ(W_0), σ(W_0) is a valid signature on W_0 iff
$$\sigma(W_0)^e = \frac{h(W_0)}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N$$
Correctness
$$\sigma(W_0) = \prod_{i=1}^{n} \sigma(M_i)^{c_{0i}} = \prod_{i=1}^{n} \left(\left[\frac{h(M_i)}{r_i}\right]^d\right)^{c_{0i}} = \left[\frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}}\right]^d \qquad (3.1)$$
Correctness (Cont.)
$$\sigma(W_0)^e \bmod N = \left[\frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}}\right]^{de} \bmod N = \frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N = \frac{h(W_0)}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N$$
Security Analysis
Definition: A signature scheme is secure under an adaptive chosen message attack if, for every probabilistic polynomial time forger algorithm F, there is no non-negligible probability ε such that:
$$\mathrm{Adv}(F) = \Pr\left[\begin{array}{l} PK \leftarrow (H, N, e, r_1, \dots, r_n);\\ M_1\|\sigma(M_1), \dots, M_n\|\sigma(M_n);\\ \mathrm{verify}(W, \sigma(W)) = 1 \;\wedge\; W \notin \mathrm{span}\{M_1, M_2, \dots, M_n\} \end{array}\right]$$
Security Analysis (Cont.-1)
Compute a valid signature on a message $W \notin V$ in our scheme
⇒ break the RSA signature scheme,
where $V = \mathrm{span}\{M_1, M_2, \dots, M_n\}$.
Security Analysis (Cont.-2)
Theorem: If there exists a (t, ε)-forger F using an adaptive chosen message attack against the proposed signature scheme, then there exists a (t′, ε′)-algorithm A that breaks the RSA signature scheme, where t′ ≥ t and ε′ = ε.
Security Analysis (Cont.-3)
Proof: F is a (t, ε)-forger; we construct an algorithm A that breaks RSA in (t′, ε′).
A is given every signature σ(M_i) on the original message M_i for i = 1, 2, …, n.
For any message $W = (w, c_1, \dots, c_n) \notin V$, there exists $X = (x, c_1, \dots, c_n) \in V$ with $x = \sum_{i=1}^{n} c_i m_i$, where w ≠ x.
σ(W) is a valid signature generated by A.
Security Analysis (Cont.-4)
Case 1: σ(W) = σ(X),
⇒ h(W) = h(X); assume w > x.
Since h(W) − h(X) = 0,
[(1 + wq) − (1 + xq)] mod q² = 0,
(w − x)q mod q² = 0, so (w − x)q = r × q², thus w − x = rq.
We know that w − x < q, so r = 0 and w = x, which contradicts w > x.
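An added example (not code from the paper) that checks the two properties of h the slides depend on: the homomorphism $h(x)h(y) = h(x+y)$ of the Cont.-1 slide, extended to $\prod_i h(m_i)^{c_i} = h(\sum_i c_i m_i \bmod q)$ as the Correctness slides use it, and the Case 1 argument that $h(w) = h(x)$ forces $w \equiv x \pmod q$. The prime q and the packet values are constructed for the demonstration.

```python
# Added example, not from the paper: the map h(x) = (1 + x*q) mod q^2 from [13]
# that the scheme relies on, checked for the two identities the slides use:
# the additive-to-multiplicative homomorphism (correctness of combined packets)
# and injectivity on Z_q (Case 1 of the security proof). q is a constructed
# small prime here; the scheme itself uses a large prime.

def h(x: int, q: int) -> int:
    """h: Z_q -> Z_{q^2}, h(x) = (1 + x*q) mod q^2."""
    return (1 + x * q) % (q * q)

def product_mod(values, modulus: int) -> int:
    """Product of an iterable, reduced modulo `modulus` at each step."""
    acc = 1
    for v in values:
        acc = (acc * v) % modulus
    return acc

def combined_hash(messages, coeffs, q: int) -> int:
    """prod_i h(m_i)^{c_i} mod q^2, built only from the per-block hashes h(m_i)."""
    q2 = q * q
    return product_mod((pow(h(m, q), c, q2) for m, c in zip(messages, coeffs)), q2)

def hash_of_combination(messages, coeffs, q: int) -> int:
    """h(w_0) for the data part w_0 = sum_i c_i*m_i mod q of the encoded packet."""
    w0 = sum(c * m for c, m in zip(coeffs, messages)) % q
    return h(w0, q)

def hashes_collide(w: int, x: int, q: int) -> bool:
    """Case 1: h(w) - h(x) = (w - x)*q mod q^2, which is 0 only when q divides w - x."""
    return h(w, q) == h(x, q)

def demo():
    q = 1009                        # constructed small prime
    messages = [17, 250, 903, 4]    # constructed data parts m_i in Z_q
    coeffs = [3, 5, 0, 1]           # constructed coding coefficients
    # h(x)*h(y) = h(x+y) mod q^2, as derived on the homomorphic-function slide
    homomorphic = (h(17, q) * h(250, q)) % (q * q) == h((17 + 250) % q, q)
    # the product of per-block hashes raised to the coefficients equals the
    # hash of the combined data part, which is what Correctness needs
    w0 = sum(c * m for c, m in zip(coeffs, messages)) % q
    consistent = combined_hash(messages, coeffs, q) == h(w0, q)
    # a polluted data part w != x (both in Z_q) always changes the hash
    detected = not hashes_collide((w0 + 1) % q, w0, q)
    return homomorphic, consistent, detected

if __name__ == "__main__":
    print(demo())
```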

Security Analysis (Cont.-5)
Case 2: σ(W) ≠ σ(X), then
$$\sigma(W)^e = \frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}, \quad \text{thus} \quad \sigma(W) = \left[\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}\right]^d.$$
As σ(W) is generated by A,
$$A(W) = \left[\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}\right]^d.$$
Let y denote $\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}$; thus $A(W) = y^d$.
Security Analysis (Cont.-6)
The probability ε′ of generating an RSA signature in Case 2 is ε.
Let T be the maximum time for computing the operations other than A; then t′ = t + T, thus t′ ≥ t.
Verification Efficiency
Let φ be a prime and ψ a power of a different prime with φ << ψ, and let E be an elliptic curve over $\mathbb{Z}_\psi$. In schemes [8] and [9], every original message is a vector of dimension k; the source then appends an n-dimensional coding vector to it, giving $X = (x_1, x_2, \dots, x_k, c_1, \dots, c_n)$, where $x_i, c_i \in \mathbb{Z}_\varphi$.
Verification Efficiency (Cont.-1)
Table 1. Verification of a message (bit operations)

Signature scheme | Verification time (bit operations)
Our scheme       | $O[(1+n)\log(1+\epsilon)(\log^2\varphi)]$
Zhen's [8]       | $O[(1+k+n)\log(1+\epsilon)(\log^2\varphi)]$
CJL's [9]        | $O(k\log^{2+\epsilon}\psi)$
Verification Efficiency (Cont.-2)
$$[9] = O(k\log^{2+\epsilon}\psi) = O(k\log^{\epsilon}\psi \cdot \log^2\psi) > O(k\log^{\epsilon}\psi \cdot \log^2\varphi) > O[(k+1)\log(1+\epsilon)(\log^2\varphi)] = [8] > O[(n+2)\log(1+\epsilon)(\log^2\varphi)] = \text{ours},$$
so [9] > [8] > ours.
Verification Efficiency (Cont.-3)
The comparison shows that our scheme outperforms the other signature schemes of this kind in verification speed.
References
[1] D. Petrovic, K. Ramchandran, and J. Rabaey, "Overcoming Untuned Radios in Wireless Networks with Network Coding," IEEE Transactions on Information Theory, Vol. 52, No. 6, pp. 2649-2657, 2006.
[2] C. Gkantsidis and P. Rodriguez, "Network Coding for Large Scale File Distribution," in Proc. IEEE INFOCOM, 2005.
[3] R. Ahlswede, N. Cai, S. Li, and R. W. Yeung, "Network information flow," IEEE Trans. Inf. Theory, Vol. 46, No. 4, pp. 1204-1216, 2000.
[4] S. Li, R. Yeung, and N. Cai, "Linear Network Coding," IEEE Transactions on Information Theory, Vol. 49, No. 2, pp. 371-381, 2003.
[5] T. Ho, R. Koetter, M. Médard, D. R. Karger, and M. Effros, "The benefits of coding over routing in a randomized setting," in International Symposium on Information Theory (ISIT), 2003.
[6] T. Ho, M. Médard, J. Shi, M. Effros, and D. R. Karger, "On randomized network coding," in Proc. 41st Annual Allerton Conference on Communication, Control and Computing, Oct. 2003.
References (Cont.)
[7] M. N. Krohn, M. J. Freedman, and D. Mazières, "On-the-fly verification of rateless erasure codes for efficient content distribution," IEEE Symp. Security and Privacy, Oakland, CA, pp. 226-240, May 2004.
[8] Zhen Yu, Yawen Wei, Bhuvaneswari Ramkumar, and Yong Guan, "An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks," INFOCOM 2008, The 27th Conference on Computer Communications, IEEE, April 2008.
[9] D. Charles, K. Jain, and K. Lauter, "Signatures for Network Coding," Technical Report MSR-TR-2005-159, Microsoft, 2005.
[10] A. Menezes, T. Okamoto, and S. Vanstone, "Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field," IEEE Transactions on Information Theory, Vol. 39, No. 5, pp. 1639-1646, 1993.
[11] V. Miller, "Short Programs for Functions over Curves," unpublished manuscript, crypto.stanford.edu/miller/, 1986.
[12] Jing Dong, Reza Curtmola, and Cristina Nita-Rotaru, "Practical Defenses Against Pollution Attacks in Intra-Flow Network Coding for Wireless Mesh Networks," Proc. of the Second ACM Conference on Wireless Network Security (WiSec 2009), Zurich, Switzerland, March 2009.
[13] E. Bresson, D. Catalano, and D. Pointcheval, "A simple public key cryptosystem with a double trapdoor decryption mechanism and its applications," in C. S. Laih (ed.), Asiacrypt 2003, LNCS 2894, Berlin: Springer-Verlag, 2003, pp. 37-54.
[14] SUN Zhong-Wei, FENG Deng-Guo, and WU Chuan-Kun, "An Anonymous Fingerprinting Scheme Based on Additively Homomorphic Public Key Cryptosystem," Journal of Software, Vol. 16, No. 10, pp. 1816-1821, 2005.
Any Questions?
THANK YOU!