Fast Signature Scheme for Network Coding

Mingxi Yang, Wenjie Yan

Reporter: Wenjie Yan

Mingxi Yang, Wenjie Yan 1

DCABES 2009

DCABES 2009

Outline

Network Coding Challenge to Network Coding Related Work Our Signature Scheme Security Analysis Verification Efficiency

Mingxi Yang, Wenjie Yan 2

DCABES 2009

S

T U

Y Z

W

X

S

T U

Y Z

W

X

b1 b2

b1

b1

b1

b1

b2

b2 b2

b2

b2

b2

b2

b1

b1

b1 b1+b2

b1+b2 b1+b2

(a)Traditional network (b)Network coding

What is Network Coding

Mingxi Yang, Wenjie Yan 3

Network Coding Simplified

File to Transfer

Block 1 Block 2 Block 3

Encoding

Mingxi Yang, Wenjie Yan 4

DCABES 2009

Prerequisite for decoding: any node receives enough(n in our scheme) linear independent message vectors

DCABES 2009

Challenge to Network Coding

Drawback Network coding is very vulnerable to

pollution attacks. An adverse node injecting garbage can quickly affect many receivers.

Mingxi Yang, Wenjie Yan 5

S

T U

Y Z

W

X

b2

b2

b1

b1

b1

Pollution Attack

Mingxi Yang, Wenjie Yan 6

DCABES 2009

2b

1 2b b

1 2b b 1 2b b

DCABES 2009

Related Work

Krohn et al. [7] first proposed homomorphic scheme using homomorphic hash function.

Zhen Yu et al. [8] use RSA to sign the source messages and append the signatures to corresponding messages;

Charles et al.[9] proposed a new homomorphic hashing scheme which is built on top of expensive Weil pairing operations [10], [11] over elliptic curves.

Mingxi Yang, Wenjie Yan 7

DCABES 2009

Related Work (Cont.)

Drawback All the schemes described above require

expensive computation in verification, which greatly slow down the efficiency of verification.

Mingxi Yang, Wenjie Yan 8

DCABES 2009

m1

m2

mn

1 0 0 … 0

0 1 0 … 0

0 0 0 … 1

(mσ 1)

(mσ 2)

(mσ n)

File

M . . . . . .

. . . . .

.

network

Our Signature Scheme

Model : S is a source node; M is a file.

data part coding vector part

Mi=(mi ,0,…,0,1,0,…,0 ) qZ npZ

Mingxi Yang, Wenjie Yan 9

Our signature scheme is based on this homomorphic function:

h(x)=(1+xq) mod q2 [13]

h(x)×h(y)=(1+xq)×(1+yq)mod q2

=[1+(x+y)q+xyq2]mod q2

=[1+(x+y)q]modq2

=h(x+y)

Our Signature Scheme (Cont.-1)

Mingxi Yang, Wenjie Yan 10

DCABES 2009

DCABES 2009

Set up Sign Combine Verify Correctness

Mingxi Yang, Wenjie Yan 11

Our Signature Scheme (Cont.-2)

Large primes: u, v, q, length(u)≈length(v), length(uv)≈length(q2) and q2<uv. N=uv, keep u and v secretly. n different elements r1,…,rn from G, G is a

multiplicative group with prime order p. d, e<φ(N) , and d×e≡1modφ(N), where φ(N)=(u-1)×(v-1).

private key : d public key : pk=(N, e, r1,…,rn).

Set up

Mingxi Yang, Wenjie Yan 12

DCABES 2009

DCABES 2009

Given message Mi=(mi, 0,…,0,1,0,…,0) and private key d, compute signature σ(Mi) on source message Mi as: :

2(1 )mod( ) [ ] moddi

ii

m q qM N

r

Sign

Mingxi Yang, Wenjie Yan 13

DCABES 2009

Given: coefficients (c1, c2, … , cl), messages and signatures: W1||σ(W1),…,Wl||σ(Wl),

where Wi=(wi,ci1,…,cin), Combine: ,

W0=(w0, c01,…,c0n) and

0 1mod

l

i iiw c w q

01 02 0 11( , ,..., ) ( ,..., )mod

l

n i i inic c c c c c p

0 1( ) ( ) modi

l cii

W W N

Combine

Mingxi Yang, Wenjie Yan 14

Mingxi Yang, Wenjie Yan 15

w1, c11, c12,..,c1n

w2, c21, c22,..,c2n

wl, cl1, cl2,..,cln

…

σ(W1

)

σ(W2

)

σ(Wl

)

+

+

w, c1, c2,..,cn

σ(W)×

×

w1, c11, c12,..,c1n

w2, c21, c22,..,c2n

wl, cl1, cl2,..,cln

…

σ(W1

)

σ(W2

)

σ(Wl

)

Verified messages encoding of messages

Combination of signatures

Combine (Cont.)

DCABES 2009

Given encoded message W0=(w0, c01,…,c0n) and signature σ(W0), σ(W0) is a valid signature on W0 iff

0

00

1

( )( )

i

en c

ii

h WW

r

Verify

Mingxi Yang, Wenjie Yan 16

DCABES 2009

0( )W 0

1( )

in c

iiM

0

1

( )[ ]

icn di

ii

h M

r

0

0

1

1

( )[ ]

i

i

n ci di

n cii

h M

r

Correctness

Mingxi Yang, Wenjie Yan 17

3.1

DCABES 2009

0( ) modeW N0

0

1

1

( )[ ] mod

i

i

n ci d ei

n cii

h MN

r

0

0

1

1

( )mod

i

i

n cii

n cii

h MN

r

0

0

1

( )mod

in c

ii

h WN

r

Correctness (Cont.)

Mingxi Yang, Wenjie Yan 18

DCABES 2009

Definition: A signature scheme is secure under an adaptive chosen message attack For every probabilistic polynomial time forger algorithm F if there is no non-negligible probability ε such that:

1

1 1

1 2

( )

, , , ,..., ;

Pr || ( ),..., || ( ); ( , ( ) 1

{ , ,..., }

n

n n

n

Adv F

PK H N e r r

M M M M verfy W W

W span M M M

Security Analysis

Mingxi Yang, Wenjie Yan 19

DCABES 2009

Compute a valid signature on message in our scheme

break RSA signature scheme

Where

W V

Security Analysis (Cont.-1)

Mingxi Yang, Wenjie Yan 20

1 2{ , ,..., }nV span M M M

DCABES 2009

Theorem: If there exists a (t,ε)-forger F using adaptive chosen message attack for the proposed signature scheme, then there exists a (t’, ’ε )-algorithm A to solving RSA signature scheme, where t’≥t, and ’=ε ε.

Security Analysis (Cont.-2)

Mingxi Yang, Wenjie Yan 21

DCABES 2009

Proof: F is a (t,ε)-breaks forger, now we construct algorithm A breaks RSA in (t’ , ε’).

A is given every signature σ(Mi) on original message Mi for i=1,2,…,n.

For any message W=(w,c1,…,cn) ,

Where w≠x.

σ(W) is a valid signature generated by A.

Security Analysis (Cont.-3)

V

1 1( , ,..., ) ,

n

n i iiX x c c V x c m

Mingxi Yang, Wenjie Yan 22

DCABES 2009

Case 1: σ(W)=σ(X), h(W)=h(X) assume w>x. Since h(W)-h(X)=0, [(1+wq) - (1+xq)] mod q2=0 (w-x)q mod q2=0, (w-x)q=r×q2, thus w-x=rq. We know that w-x<q, then r=0, thus w=x,

this is contradictory to w>x.

Security Analysis (Cont.-4)

Mingxi Yang, Wenjie Yan 23

DCABES 2009

Case 2: σ(W)≠σ(X), then , Thus . As σ(W) is generated by A, thus

We use y denote , thus

A(W)=yd

1( ) ( ) i

n ceii

W h w r

1( ) [ ( ) ]i

n c dii

W h w r

1( ) [ ( ) ]i

n c dii

A W h w r

1

( ) in c

iih w r

Security Analysis (Cont.-5)

Mingxi Yang, Wenjie Yan 24

DCABES 2009

The probability ’ε of generating a RSA signature in case 2 is ε,

T is the maximum time for computing those operations except A, then t’=t+T, thus t’≥t.

Security Analysis (Cont.-6)

Mingxi Yang, Wenjie Yan 25

DCABES 2009

Verification Efficiency

Let φ be a prime number and ψ a power of different prime with <<φ ψ, E is an elliptic curve over Zψ. In scheme [8] and [9], every original message is a vector with dimension k, the source then append a n-dimension coding vector on it, such as X=(x1, x2, …, xk, c1 ,…, cn), where xi, ci Zφ.

Mingxi Yang, Wenjie Yan 26

DCABES 2009

Table 1. Verification of message (bit operation)

Signature scheme Verification time (bit operation)

Our scheme O[(1+n)log(1+Є)(log2φ)]

Zhen’s[8] O[(1+k+n)log(1+Є)(log2φ)]

CJL’s[9] O(klog2+Єψ)

Verification Efficiency (Cont.-1)

Mingxi Yang, Wenjie Yan 27

DCABES 2009

[9]=O(klog2+Єψ)

= O(k logЄ logψ 2ψ)

> O(k logЄ logψ 2φ)

> O[(k+1)log(1+Є)(log2φ)] =[8]

> O[(n+2)log(1+Є)(log2φ)]

=ours

so [9] >[8]>ours.

Verification Efficiency (Cont.-2)

Mingxi Yang, Wenjie Yan 28

Verification Efficiency (Cont.-3)

Mingxi Yang, Wenjie Yan 29

DCABES 2009

The comparing results shows that our scheme lays over any other signature schemes else of the kind in the verification speed.

DCABES 2009

References[1]D.Petrovic, K.Ramchandran, and J.Rabaey, “Overcoming Unturned Radios

in Wireless Networks with Network Coding”, in IEEE Transactions on Information Theory, Vol. 52, No. 6, pp. 2649-2657, 2006.

[2]C.Gkantsidis and P.Rodriguez, “Network Coding for Large Scale File Distribution”, in Proc. IEEE INFOCOM, 2005.

[3]R. Ahlswede, N. Cai, S.Li, and R. W. Yeung, “Network information flow,” IEEE Trans. Inf. Theory, vol. 46(4), pp. 1204-1216, 2000.

[4]S. Li, R. Yeung, and N. Cai, “Linear Network Coding”, in IEEE Transactions on Information Theory, Vol 49, No. 2, pp. 371381, 2003.

[5]T. Ho, R. Koetter, M. M´edard, D. R. Karger, and M. Effros, “The benefits of coding over routing in a randomized setting,” in International Symposium on Information Theory (ISIT), 2003.

[6]T. Ho, M. M´edard, J. Shi, M. Effros and D. R. Karger, “On randomized network coding,” In proc. 41st Annual Allerton Conference on Communication Control and Computing, Oct. 2003.

Mingxi Yang, Wenjie Yan 30

DCABES 2009

[7] M.N.Krohn, M.J.Freedman, and D.Mazi´eres, “On-the-fly verification of rateless era-sure codes for efficient content distribution,” IEEE Symp. Security and Privacy, Oak-land, CA, pp. 226-240, May 2004.

[8] Zhen Yu, YaWen Wei, Bhuvaneswari Ramkumar, and Yong Guan, “An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks” INFOCOM 2008. The 27th Conference on Computer Communications. IEEE, April 2008.

[9] D. Charles, K. Jian, and K. Lauter, “Signature for Network Coding”, Technique Report MSR-TR-2005-159, Microsoft, 2005.

[10] A. Menezes, T. Okamoto, and S. Vanstone, “Reducing Elliptic Curve Logorithms to Logorithms in a Finite Field”, in IEEE Transactions on Information Theory, Vol 39, No. 5, pp. 1639-1646, 1993.

[11] V. Miller, “Short Programs for Functions over Curve”, unpublished manuscript, crypto.stanford.edu/miller/, 1986.

[12] Jing Dong, Reza Curtmola, Cristina Nita-Rotaru, Practical Defenses Against Pollution Attacks in Intra-Flow Network Coding for Wireless Mesh Networks, Proc. of The Second ACM Conference on Wireless Network Security(WiSec 2009), Zurich, Switzerland, March 2009.

[13]Bresson E, Catalano D, Pointcheval D. “A simple public key cryptosystem with a double trapdoor decryption mechanism and its applications,” In: Laih CS, ed. Aciacrypt 2003. LNCS 2894, Berlin: Springer-Verlag, 2003. 37−54.

[14]SUN Zhong-Wei, FENG Deng-Guo, WU Chuan-Kun, “An Anonymous Fingerprinting Scheme Based on Additively Homomorphic Public Key Cryptosystem”. In Journal of Software: 2005,vol.16, No.10,pp1816-1821.

Mingxi Yang, Wenjie Yan 31

References (Cont.)

DCABES 2009

Any Question ?

Mingxi Yang, Wenjie Yan 32

THANK YOU!

Mingxi Yang, Wenjie Yan 33

DCABES 2009