1 / 10

Signatures for Network Coding

Signatures for Network Coding. Denis Charles Kamal Jain Kristin Lauter Microsoft Research. Network Coding Set-up. A directed graph of users G A server (source) distributing content Content is divided into packets and represented as vectors in a vector space

nubia
Download Presentation

Signatures for Network Coding

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research

  2. Network Coding Set-up • A directed graph of users G • A server (source) distributing content • Content is divided into packets and represented as vectors in a vector space • Each node receives linear combinations of packets from other nodes • At each node, new linear combinations of received packets are formed and sent out along new edges • Extra bits keep track of which linear combination at each step

  3. Pollution attacks • A malicious node can inject garbage into the distribution network • If undetected, the garbage will pollute the whole network, as meaningless packets are combined with others and redistributed • Signatures on received packets can be used to check for garbage

  4. Assumptions • Public key digital signatures • Only the server possesses the secret key for signing • Any node can verify signatures using public information • So how can nodes re-sign linear combinations of received packets?

  5. Homomorphic signature scheme • Our solution is based on: • Elliptic curves • Bilinear pairing (Weil pairing) • Homomorphic hashing of content onto points on the elliptic curve • BLS-type signatures (Boneh-Lynn-Schacham) • Security reduction to ECDLP (Elliptic curve discrete logarithm problem)

  6. Elliptic curves over finite fields • Finite field Fq with q elements, A, B in Fq • Elliptic curve over Fq with equation y2 = x3 + Ax + B • E(Fq)={(x, y): y2 = x3 + Ax + B} Ụ ∞ has a group structure and a bilinear pairing • em : E[m] × E[m]  alg(Fq)* satisfying • em(S1 + S2, T) = e(S1, T)e(S2, T) • em(S, T1 + T2) = e(S, T1)e(S, T2).

  7. Homomorphic hashing and signing • Vectors (packets) with coefficients vi in Fp are hashed to linear combinations of public p-torsion points on E/Fq R1, · · · ,Rk, P1, · · · , Pd in E(Fq)[p] k=# of vectors, d = dimension of vector space • Server has secret keys for signing s1, · · · , sk and r1, · · · , rd in Fp signs the packet by computing the signature of hash ΣsiviRi +ΣriviPi • Server also publishes Q, sjQ and riQ • Q is another point in E(Fq)[p] which is linearly independent from the points R1,…,Rk, P1,…, Pd

  8. Bilinearity of the pairing • Verification of signatures uses bilinearity of the pairing since em(siviRi, Q) = em(viRi, siQ) • Received valid signatures can be recombined to accompany new outgoing combinations of packets since the signature of the sum is the sum of the signatures

  9. Security • Theorem: Finding a collision of the hash function h is polynomial-time equivalent to computing the discrete log on the elliptic curve E. • Fact: Forging signatures is as hard as the computational Diffie-Hellman problem on the curve E. • Our scheme establishes authentication in addition to detecting pollution.

  10. Implementation • If we take the prime p 170-bits, this is equivalent to 1024 bits of RSA security. We can setup the system with q ~ p2. • Communication overhead per vector is two elements of Fp (the x and y coordinates of a point) = 340 bits. We can reduce this overhead to 171 bits at the cost of increasing computational cost. • Computation of signature of vector at an edge e is O(indeg(in(e)) operations in Fp. • Verification requires O((d+k) log2+εq) bit operations • Complete setup of the system at the server can be done in polynomial time (assuming a number theoretic conjecture of Hardy-Littlewood).

More Related