Fast Signature Scheme for Network Coding
Mingxi Yang, Wenjie Yan
Reporter: Wenjie Yan
DCABES 2009
Outline
Network Coding
Challenge to Network Coding
Related Work
Our Signature Scheme
Security Analysis
Verification Efficiency
[Figure: the same network drawn twice, with nodes S, T, U, W, X, Y, Z and edge labels b1, b2 and b1+b2.]
(a) Traditional network (b) Network coding
What is Network Coding
Network Coding Simplified
File to Transfer
Block 1 Block 2 Block 3
Encoding
Prerequisite for decoding: any node receives enough (n in our scheme) linearly independent message vectors.
Challenge to Network Coding
Drawback: Network coding is very vulnerable to pollution attacks. An adversarial node injecting garbage can quickly affect many receivers.
[Figure: the network with nodes S, T, U, W, X, Y, Z and edge labels b1, b2.]
Pollution Attack
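The effect described on this slide, as an added example (not from the original slides): a small linear network coding simulation in which one altered packet, once re-mixed by downstream nodes, corrupts every decoded block. The modulus P, the block values and the coefficients are constructed for the demonstration, and a single prime field is assumed for both the data part and the coding vector.

```python
P = 257  # toy prime modulus (constructed); one field for data and coding vector

def source_packets(blocks):
    """M_i = (m_i, 0,...,0,1,0,...,0): data part plus unit coding vector."""
    n = len(blocks)
    return [(m % P, [int(i == j) for j in range(n)]) for i, m in enumerate(blocks)]

def combine(packets, coeffs):
    """W_0 = sum_i c_i * W_i, applied to the data part and the coding vector."""
    n = len(packets[0][1])
    w = sum(c * pk[0] for c, pk in zip(coeffs, packets)) % P
    vec = [sum(c * pk[1][j] for c, pk in zip(coeffs, packets)) % P for j in range(n)]
    return (w, vec)

def decode(packets):
    """Gauss-Jordan elimination mod P; None if the coding vectors are dependent."""
    n = len(packets[0][1])
    rows = [vec[:] + [w] for w, vec in packets]
    for col in range(n):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [x * inv % P for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

def pollution_demo():
    blocks = [11, 22, 33]                          # constructed file blocks
    coded = [combine(source_packets(blocks), c)
             for c in ([1, 2, 3], [4, 5, 6], [7, 8, 10])]
    clean = decode(coded)
    # One node changes the data part of a single packet (coding vector intact).
    bad = ((coded[0][0] + 1) % P, coded[0][1])
    # Honest downstream nodes then mix it with good packets before delivery.
    remixed = [combine([bad, coded[1], coded[2]], c)
               for c in ([1, 1, 0], [0, 1, 1], [1, 0, 1])]
    return clean, decode(remixed)

if __name__ == "__main__":
    clean, polluted = pollution_demo()
    print("clean:", clean, "after pollution:", polluted)
```

The receiver still collects n linearly independent coding vectors, so decoding succeeds mechanically; nothing in the packet format itself reveals that the result is wrong, which is the gap a per-packet signature check is meant to close.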
Related Work
Krohn et al. [7] first proposed a homomorphic scheme using a homomorphic hash function.
Zhen Yu et al. [8] use RSA to sign the source messages and append the signatures to the corresponding messages.
Charles et al. [9] proposed a new homomorphic hashing scheme which is built on top of expensive Weil pairing operations [10], [11] over elliptic curves.
Related Work (Cont.)
Drawback: All the schemes described above require expensive computation in verification, which greatly slows down verification.
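[Figure: the file M is split into blocks m1, m2, …, mn; each block is extended with a unit coding vector (1 0 0 … 0), (0 1 0 … 0), …, (0 0 0 … 1) and carries a signature σ(M1), σ(M2), …, σ(Mn) before entering the network.]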
Our Signature Scheme
Model: S is a source node; M is a file.
$$M_i = (\underbrace{m_i}_{\text{data part}},\ \underbrace{0,\dots,0,1,0,\dots,0}_{\text{coding vector part}}) \in \mathbb{Z}_q \times \mathbb{Z}_p^n$$
Our signature scheme is based on this homomorphic function:
$$h(x) = (1 + xq) \bmod q^2 \quad [13]$$
$$\begin{aligned}
h(x)\times h(y) &= (1+xq)\times(1+yq) \bmod q^2 \\
&= [1+(x+y)q+xyq^2] \bmod q^2 \\
&= [1+(x+y)q] \bmod q^2 \\
&= h(x+y)
\end{aligned}$$
Our Signature Scheme (Cont.-1)
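The homomorphic property above applied to a linear combination of blocks, as an added example (not from the original slides). It exercises h alone with a toy prime q and constructed block values; the elements r_i and the RSA exponents of the signature scheme are not modelled here.

```python
Q = 1009          # toy prime q, constructed for the demo (a real q is large)
Q2 = Q * Q

def h(x):
    """h(x) = (1 + x*q) mod q^2, as defined on the slide."""
    return (1 + x * Q) % Q2

def expected_hash(source_hashes, coding_vector):
    """prod_i h(m_i)^{c_i} mod q^2, computed from per-block hashes only."""
    acc = 1
    for hm, c in zip(source_hashes, coding_vector):
        acc = acc * pow(hm, c, Q2) % Q2
    return acc

def consistent(packet, source_hashes):
    """True if the data part w agrees with the coding vector (c_1..c_n)."""
    w, coding_vector = packet
    return h(w) == expected_hash(source_hashes, coding_vector)

def hash_demo():
    blocks = [123, 456, 789]                       # constructed m_1..m_n, all < q
    hashes = [h(m) for m in blocks]
    coeffs = [5, 17, 2]
    w0 = sum(c * m for c, m in zip(coeffs, blocks)) % Q
    good = (w0, coeffs)
    polluted = ((w0 + 1) % Q, coeffs)              # data part altered in transit
    # On 0..q-1 the function is injective (the Case 1 argument of the proof).
    injective = len({h(x) for x in range(Q)}) == Q
    # The identity holds modulo q^2 only: as plain integers the product differs.
    needs_reduction = h(2) * h(3) != h(5)
    return (consistent(good, hashes), consistent(polluted, hashes),
            injective, needs_reduction)

if __name__ == "__main__":
    print(hash_demo())
```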
Set up
Sign
Combine
Verify
Correctness
Our Signature Scheme (Cont.-2)
Large primes: u, v, q, with length(u)≈length(v), length(uv)≈length(q²) and q²<uv. N=uv; keep u and v secret.
n different elements r1,…,rn from G, where G is a multiplicative group with prime order p.
d, e<φ(N), and d×e≡1 mod φ(N), where φ(N)=(u-1)×(v-1).
private key: d
public key: pk=(N, e, r1,…,rn).
Set up
Given message Mi=(mi, 0,…,0,1,0,…,0) and private key d, compute signature σ(Mi) on source message Mi as:
$$\sigma(M_i) = \left[\frac{(1 + m_i q) \bmod q^2}{r_i}\right]^{d} \bmod N$$
Sign
Given: coefficients (c1, c2, …, cl), messages and signatures W1||σ(W1),…,Wl||σ(Wl), where Wi=(wi,ci1,…,cin).
Combine: W0=(w0, c01,…,c0n) with
$$w_0 = \sum_{i=1}^{l} c_i w_i \bmod q,$$
$$(c_{01}, c_{02}, \dots, c_{0n}) = \sum_{i=1}^{l} c_i\,(c_{i1}, \dots, c_{in}) \bmod p,$$
and
$$\sigma(W_0) = \prod_{i=1}^{l} \sigma(W_i)^{c_i} \bmod N.$$
Combine
[Figure: verified messages (w1, c11, c12, …, c1n), (w2, c21, c22, …, c2n), …, (wl, cl1, cl2, …, cln) with signatures σ(W1), σ(W2), …, σ(Wl). Encoding of messages (+) gives (w, c1, c2, …, cn); combination of signatures (×) gives σ(W).]
Combine (Cont.)
Given encoded message W0=(w0, c01,…,c0n) and signature σ(W0), σ(W0) is a valid signature on W0 iff
$$\sigma(W_0)^{e} = \frac{h(W_0)}{\prod_{i=1}^{n} r_i^{c_{0i}}}$$
Verify
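$$\sigma(W_0) = \prod_{i=1}^{n} \sigma(M_i)^{c_{0i}} = \prod_{i=1}^{n} \left[\frac{h(M_i)}{r_i}\right]^{c_{0i} d} = \left[\frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}}\right]^{d}$$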
Correctness
3.1
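$$\begin{aligned}
\sigma(W_0)^{e} \bmod N &= \left[\frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}}\right]^{de} \bmod N \\
&= \frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N \\
&= \frac{h(W_0)}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N
\end{aligned}$$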
Correctness (Cont.)
Definition: A signature scheme is secure under an adaptive chosen message attack if, for every probabilistic polynomial time forger algorithm F, there is no non-negligible probability ε such that:
$$\mathrm{Adv}_F = \Pr\left[\begin{array}{l}
PK = (H, N, e, r_1, \dots, r_n); \\
M_1\|\sigma(M_1), \dots, M_n\|\sigma(M_n);\ \mathrm{verify}(W, \sigma(W)) = 1 \\
W \notin \mathrm{span}\{M_1, M_2, \dots, M_n\}
\end{array}\right]$$
Security Analysis
Compute a valid signature on message in our scheme
break RSA signature scheme
Where W ∉ V, V = span{M1, M2, …, Mn}
Security Analysis (Cont.-1)
Theorem: If there exists a (t,ε)-forger F using an adaptive chosen message attack on the proposed signature scheme, then there exists a (t’,ε’)-algorithm A for solving the RSA signature scheme, where t’≥t and ε’=ε.
Security Analysis (Cont.-2)
Proof: F is a forger that (t,ε)-breaks the scheme; we now construct an algorithm A that breaks RSA in (t’,ε’).
A is given every signature σ(Mi) on original message Mi for i=1,2,…,n.
For any message W=(w,c1,…,cn) ∉ V,
$$X = (x, c_1, \dots, c_n) \in V, \quad x = \sum_{i=1}^{n} c_i m_i,$$
where w≠x.
σ(W) is a valid signature generated by A.
Security Analysis (Cont.-3)
Case 1: σ(W)=σ(X), h(W)=h(X). Assume w>x.
Since h(W)-h(X)=0, [(1+wq) - (1+xq)] mod q²=0, so (w-x)q mod q²=0 and (w-x)q=r×q², thus w-x=rq.
We know that w-x<q, so r=0 and thus w=x; this contradicts w>x.
Security Analysis (Cont.-4)
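Case 2: σ(W)≠σ(X), then
$$\sigma(W)^{e} = \frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}},$$
thus
$$\sigma(W) = \left[\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}\right]^{d}.$$
As σ(W) is generated by A,
$$A(W) = \left[\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}\right]^{d}.$$
We use y to denote
$$\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}},$$
thus
$$A(W) = y^{d}$$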
Security Analysis (Cont.-5)
The probability ε’ of generating an RSA signature in Case 2 is ε.
T is the maximum time for computing those operations except A, so t’=t+T, thus t’≥t.
Security Analysis (Cont.-6)
Verification Efficiency
Let φ be a prime number and ψ a power of a different prime with φ<<ψ; E is an elliptic curve over Zψ. In schemes [8] and [9], every original message is a vector of dimension k; the source then appends an n-dimensional coding vector to it, such as X=(x1, x2, …, xk, c1,…, cn), where xi, ci ∈ Zφ.
Table 1. Verification of message (bit operation)
Signature scheme    Verification time (bit operation)
Our scheme          O[(1+n)log(1+ε)(log²φ)]
Zhen’s [8]          O[(1+k+n)log(1+ε)(log²φ)]
CJL’s [9]           O(k log^(2+ε) ψ)
Verification Efficiency (Cont.-1)
[9] = O(k log^(2+ε) ψ)
= O(k log^ε ψ · log² ψ)
> O(k log^ε ψ · log² φ)
> O[(k+1)log(1+ε)(log²φ)] = [8]
> O[(n+2)log(1+ε)(log²φ)]
= ours
so [9] > [8] > ours.
Verification Efficiency (Cont.-2)
Verification Efficiency (Cont.-3)
The comparison results show that our scheme outperforms the other signature schemes of this kind in verification speed.
References
[1] D. Petrovic, K. Ramchandran, and J. Rabaey, “Overcoming Untuned Radios in Wireless Networks with Network Coding”, IEEE Transactions on Information Theory, Vol. 52, No. 6, pp. 2649-2657, 2006.
[2] C. Gkantsidis and P. Rodriguez, “Network Coding for Large Scale File Distribution”, in Proc. IEEE INFOCOM, 2005.
[3] R. Ahlswede, N. Cai, S. Li, and R. W. Yeung, “Network information flow”, IEEE Trans. Inf. Theory, vol. 46(4), pp. 1204-1216, 2000.
[4] S. Li, R. Yeung, and N. Cai, “Linear Network Coding”, IEEE Transactions on Information Theory, Vol. 49, No. 2, pp. 371-381, 2003.
[5] T. Ho, R. Koetter, M. Médard, D. R. Karger, and M. Effros, “The benefits of coding over routing in a randomized setting”, in International Symposium on Information Theory (ISIT), 2003.
[6] T. Ho, M. Médard, J. Shi, M. Effros, and D. R. Karger, “On randomized network coding”, in Proc. 41st Annual Allerton Conference on Communication Control and Computing, Oct. 2003.
[7] M. N. Krohn, M. J. Freedman, and D. Mazières, “On-the-fly verification of rateless erasure codes for efficient content distribution”, IEEE Symp. Security and Privacy, Oakland, CA, pp. 226-240, May 2004.
[8] Zhen Yu, YaWen Wei, Bhuvaneswari Ramkumar, and Yong Guan, “An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks”, INFOCOM 2008, The 27th Conference on Computer Communications, IEEE, April 2008.
[9] D. Charles, K. Jain, and K. Lauter, “Signature for Network Coding”, Technique Report MSR-TR-2005-159, Microsoft, 2005.
[10] A. Menezes, T. Okamoto, and S. Vanstone, “Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field”, IEEE Transactions on Information Theory, Vol. 39, No. 5, pp. 1639-1646, 1993.
[11] V. Miller, “Short Programs for Functions over Curve”, unpublished manuscript, crypto.stanford.edu/miller/, 1986.
[12] Jing Dong, Reza Curtmola, and Cristina Nita-Rotaru, “Practical Defenses Against Pollution Attacks in Intra-Flow Network Coding for Wireless Mesh Networks”, Proc. of The Second ACM Conference on Wireless Network Security (WiSec 2009), Zurich, Switzerland, March 2009.
[13] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public key cryptosystem with a double trapdoor decryption mechanism and its applications”, in: C. S. Laih, ed., Asiacrypt 2003, LNCS 2894, Berlin: Springer-Verlag, 2003, pp. 37-54.
[14] SUN Zhong-Wei, FENG Deng-Guo, and WU Chuan-Kun, “An Anonymous Fingerprinting Scheme Based on Additively Homomorphic Public Key Cryptosystem”, Journal of Software, 2005, Vol. 16, No. 10, pp. 1816-1821.
References (Cont.)
Any Questions?
THANK YOU!