Signatures for Network Coding

Denis Charles

Kamal Jain

Kristin Lauter

Microsoft Research

Network Coding Set-up
  • A directed graph of users G
  • A server (source) distributing content
  • Content is divided into packets and represented as vectors in a vector space
  • Each node receives linear combinations of packets from other nodes
  • At each node, new linear combinations of received packets are formed and sent out along new edges
  • Extra bits keep track of which linear combination was formed at each step
Pollution attacks
  • A malicious node can inject garbage into the distribution network
  • If undetected, the garbage will pollute the whole network, as meaningless packets are combined with others and redistributed
  • Signatures on received packets can be used to check for garbage
  • Public key digital signatures
  • Only the server possesses the secret key for signing
  • Any node can verify signatures using public information
  • So how can nodes re-sign linear combinations of received packets?
Homomorphic signature scheme
  • Our solution is based on:
    • Elliptic curves
    • Bilinear pairing (Weil pairing)
    • Homomorphic hashing of content onto points on the elliptic curve
    • BLS-type signatures (Boneh-Lynn-Shacham)
  • Security reduction to ECDLP (elliptic curve discrete logarithm problem)

Elliptic curves over finite fields
  • Finite field $\mathbb{F}_q$ with $q$ elements, $A, B$ in $\mathbb{F}_q$
  • Elliptic curve over $\mathbb{F}_q$ with equation

    $y^2 = x^3 + Ax + B$

  • $E(\mathbb{F}_q) = \{(x, y) : y^2 = x^3 + Ax + B\} \cup \{\infty\}$ has a group structure and a bilinear pairing
  • $e_m : E[m] \times E[m] \to \overline{\mathbb{F}}_q^{*}$ satisfying
    • $e_m(S_1 + S_2, T) = e_m(S_1, T)\, e_m(S_2, T)$
    • $e_m(S, T_1 + T_2) = e_m(S, T_1)\, e_m(S, T_2)$
Homomorphic hashing and signing
  • Vectors (packets) with coefficients $v_i$ in $\mathbb{F}_p$ are hashed to linear combinations of public $p$-torsion points on $E/\mathbb{F}_q$:

    $R_1, \dots, R_k, P_1, \dots, P_d$ in $E(\mathbb{F}_q)[p]$

    ($k$ = number of vectors, $d$ = dimension of the vector space)

  • Server has secret keys for signing, $s_1, \dots, s_k$ and $r_1, \dots, r_d$ in $\mathbb{F}_p$, and signs the packet by computing the signature of the hash:

    $\sum_i s_i v_i R_i + \sum_i r_i v_i P_i$

  • Server also publishes $Q$, $s_j Q$ and $r_i Q$
  • $Q$ is another point in $E(\mathbb{F}_q)[p]$ which is linearly independent from the points $R_1, \dots, R_k, P_1, \dots, P_d$
Bilinearity of the pairing
  • Verification of signatures uses bilinearity of the pairing, since $e_m(s_i v_i R_i, Q) = e_m(v_i R_i, s_i Q)$
  • Received valid signatures can be recombined to accompany new outgoing combinations of packets since the signature of the sum is the sum of the signatures
  • Theorem: Finding a collision of the hash function h is polynomial-time equivalent to computing the discrete log on the elliptic curve E.
  • Fact: Forging signatures is as hard as the computational Diffie-Hellman problem on the curve E.
  • Our scheme establishes authentication in addition to detecting pollution.
  • If we take the prime $p$ to be 170 bits, this is equivalent to 1024 bits of RSA security. We can set up the system with $q \sim p^2$.
  • Communication overhead per vector is two elements of $\mathbb{F}_p$ (the x and y coordinates of a point) = 340 bits. We can reduce this overhead to 171 bits at the cost of increasing computational cost.
  • Computing the signature of a vector at an edge $e$ takes $O(\mathrm{indeg}(\mathrm{in}(e)))$ operations in $\mathbb{F}_p$.
  • Verification requires $O((d+k) \log^{2+\varepsilon} q)$ bit operations
  • Complete setup of the system at the server can be done in polynomial time (assuming a number theoretic conjecture of Hardy-Littlewood).
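
The recombination property from the slides (the signature of a sum is the sum of the signatures) can be seen on a toy curve. This is an added example, not code from the presentation or its authors: the curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ (group order 19), the key values, the packets and all function names are constructed, and the first $k$ packet entries are assumed to pair with the $R_i$ and the remaining $d$ with the $P_i$. The pairing check is left out, so the recombined signature is compared against the server's own signing instead of being verified publicly.

```python
# Toy parameters (constructed): y^2 = x^3 + 2x + 2 over F_17; its group has prime order 19.
FIELD, A, ORDER, G, INF = 17, 2, 19, (5, 1), None

def add(S, T):
    """Chord-and-tangent addition of two affine points (INF is the point at infinity)."""
    if S is INF: return T
    if T is INF: return S
    (x1, y1), (x2, y2) = S, T
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if S == T:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(n, S):
    """Double-and-add scalar multiplication; scalars live in F_19."""
    acc, n = INF, n % ORDER
    while n:
        if n & 1:
            acc = add(acc, S)
        S, n = add(S, S), n >> 1
    return acc

# Public points R_1..R_k, P_1..P_d with k = d = 2. Taken as known multiples of G for
# this toy only; the scheme needs points whose mutual discrete logs nobody knows.
R, P = [mul(2, G), mul(3, G)], [mul(5, G), mul(7, G)]
s, r = [4, 9], [6, 11]          # server's secret key (constructed values)

def sign(packet):
    """Server: sum of s_i v_i R_i plus sum of r_i v_i P_i over the k+d coefficients."""
    sig = INF
    for key, point, v in zip(s + r, R + P, packet):
        sig = add(sig, mul(key * v, point))
    return sig

def combine(coeffs, packets, sigs):
    """Intermediate node: new packet and its signature, computed without s or r."""
    packet = [sum(c * p[i] for c, p in zip(coeffs, packets)) % ORDER
              for i in range(len(packets[0]))]
    sig = INF
    for c, sg in zip(coeffs, sigs):
        sig = add(sig, mul(c, sg))
    return packet, sig

v, w = [1, 0, 3, 8], [0, 1, 12, 5]   # constructed packets; first k entries track the mix
new_packet, new_sig = combine([2, 7], [v, w], [sign(v), sign(w)])
polluted = new_packet[:2] + [(new_packet[2] + 1) % ORDER] + new_packet[3:]
print(new_sig == sign(new_packet), new_sig == sign(polluted))
```

The recombined signature matches the honest combination and no longer matches once a single payload coefficient is altered, which is the mismatch a verifying node would catch with the pairing.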