Homomorphic signatures for network coding explained

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of (even an) honest node is corrupted if at least one of the incoming packets is corrupted.

An attacker can easily corrupt a packet even if it is encrypted by either forging the signature or by producing a collision under the hash function. This will give an attacker access to the packets and the ability to corrupt them. Denis Charles, Kamal Jain and Kristin Lauter designed a new homomorphic encryption signature scheme for use with network coding to prevent pollution attacks.[1]

The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority. In this scheme it is computationally infeasible for a node to sign a linear combination of the packets without disclosing what linear combination was used in the generation of the packet. Furthermore, we can prove that the signature scheme is secure under well known cryptographic assumptions of the hardness of the discrete logarithm problem and the computational Elliptic curve Diffie–Hellman.

Network coding

Let

G=(V,E)

be a directed graph where

V

is a set, whose elements are called vertices or nodes, and

E

is a set of ordered pairs of vertices, called arcs, directed edges, or arrows. A source

s\inV

wants to transmit a file

D

to a set

T\subseteqV

of the vertices. One chooses a vector space

W/Fp

(say of dimension

d

), where

p

is a prime, and views the data to be transmitted as a bunch of vectors

w1,\ldots,wk\inW

. The source then creates the augmented vectors

v1,\ldots,vk

by setting

vi=(0,\ldots,0,1,\ldots,0,

w
i1

,\ldots,w{id})

where
w
ij
is the

j

-th coordinate of the vector

wi

. There are

(i-1)

zeros before the first '1' appears in

vi

. One can assume without loss of generality that the vectors

vi

are linearly independent. We denote the linear subspace (of
k+d
F
p
) spanned by these vectors by

V

. Each outgoing edge

e\inE

computes a linear combination,

y(e)

, of the vectors entering the vertex

v=in(e)

where the edge originates, that is to say

y(e)=\sumf:out(f)=v(me(f)y(f))

where

me(f)\inFp

. We consider the source as having

k

input edges carrying the

k

vectors

wi

. By induction, one has that the vector

y(e)

on any edge is a linear combination

y(e)=\sum1(gi(e)vi)

and is a vector in

V

. The k-dimensional vector

g(e)=(g1(e),\ldots,gk(e))

is simply the first k coordinates of the vector

y(e)

. We call the matrix whose rows are the vectors

g(e1),\ldots,g(ek)

, where

ei

are the incoming edges for a vertex

t\inT

, the global encoding matrix for

t

and denote it as

Gt

. In practice the encoding vectors are chosen at random so the matrix

Gt

is invertible with high probability. Thus, any receiver, on receiving

y1,\ldots,yk

can find

w1,\ldots,wk

by solving

\begin{bmatrix}y'\y2'\\vdots\yk'\end{bmatrix}=Gt\begin{bmatrix}w1\w2\\vdots\wk\end{bmatrix}

where the

yi'

are the vectors formed by removing the first

k

coordinates of the vector

yi

.

Decoding at the receiver

Each receiver,

t\inT

, gets

k

vectors

y1,\ldots,yk

which are random linear combinations of the

vi

’s.In fact, if

yi=

(\alpha
i1

,\ldots,

\alpha
ik

,

a
i1

,\ldots,

a
id

)

then

yi=\sum1(\alphaijvj).

Thus we can invert the linear transformation to find the

vi

’s with high probability.

History

Krohn, Freedman and Mazieres proposed a theory[2] in 2004 that if we have a hash function

H:V\longrightarrowG

such that:

H

is collision resistant – it is hard to find

x

and

y

such that

H(x)=H(y)

;

H

is a homomorphism

H(x+y)=H(x)+H(y)

.

Then server can securely distribute

H(vi)

to each receiver, and to check if

y=\sum1(\alphaivi)

we can check whether

H(y)=\sum1(\alphaiH(vi))

The problem with this method is that the server needs to transfer secure information to each of the receivers. The hash functions

H

needs to be transmitted to all the nodes in the network through a separate secure channel.

H

is expensive to compute and secure transmission of

H

is not economical either.

Advantages of homomorphic signatures

  1. Establishes authentication in addition to detecting pollution.
  2. No need for distributing secure hash digests.
  3. Smaller bit lengths in general will suffice. Signatures of length 180 bits have as much security as 1024 bit RSA signatures.
  4. Public information does not change for subsequent file transmission.

Signature scheme

The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority.

Elliptic curves cryptography over a finite field

Elliptic curve cryptography over a finite field is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

Let

Fq

be a finite field such that

q

is not a power of 2 or 3. Then an elliptic curve

E

over

Fq

is a curve given by an equation of the form

y2=x3+ax+b,

where

a,b\inFq

such that

4a3+27b2\not=0

Let

K\supseteqFq

, then,

E(K)=\{(x,y)|y2=x3+ax+b\}cup\{O\}

forms an abelian group with O as identity. The group operations can be performed efficiently.

Weil pairing

E

, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of

E

. Let

E/Fq

be an elliptic curve and let

\bar{F

}_q be an algebraic closure of

Fq

. If

m

is an integer, relatively prime to the characteristic of the field

Fq

, then the group of

m

-torsion points,

E[m]={P\inE(\bar{F

}_q) : mP = O}.

If

E/Fq

is an elliptic curve and

\gcd(m,q)=1

then

E[m]\cong(Z/mZ)*(Z/mZ)

There is a map

em:E[m]*E[m]\mum(Fq)

such that:
  1. (Bilinear)

em(P+R,Q)=em(P,Q)em(R,Q)andem(P,Q+R)=em(P,Q)em(P,R)

.
  1. (Non-degenerate)

em(P,Q)=1

for all P implies that

Q=O

.
  1. (Alternating)

em(P,P)=1

.

Also,

em

can be computed efficiently.[3]

Homomorphic signatures

Let

p

be a prime and

q

a prime power. Let

V/Fp

be a vector space of dimension

D

and

E/Fq

be an elliptic curve such that

P1,\ldots,PD\inE[p]

.Define

h:V\longrightarrowE[p]

as follows:

h(u1,\ldots,uD)=\sum1(uiPi)

.The function

h

is an arbitrary homomorphism from

V

to

E[p]

.

The server chooses

s1,\ldots,sD

secretly in

Fp

and publishes a point

Q

of p-torsion such that

ep(Pi,Q)\not=1

and also publishes

(Pi,siQ)

for

1\leqi\leqD

.The signature of the vector

v=u1,\ldots,uD

is

\sigma(v)=\sum1(uisiPi)

Note: This signature is homomorphic since the computation of h is a homomorphism.

Signature verification

Given

v=u1,\ldots,uD

and its signature

\sigma

, verify that

\begin{align} ep(\sigma,Q)&=ep\left(\sum1(uisiPi),Q\right)\\ &=\prodiep(uisiPi,Q)\ &=\prodiep(uiPi,siQ) \end{align}

The verification crucially uses the bilinearity of the Weil-pairing.

System setup

The server computes

\sigma(vi)

for each

1\leqi\leqk

. Transmits

vi,\sigma(vi)

.At each edge

e

while computing

y(e)=\sumf(me(f)y(f))

also compute

\sigma(y(e))=\sumf(me(f)\sigma(y(f)))

on the elliptic curve

E

.

The signature is a point on the elliptic curve with coordinates in

Fq

. Thus the size of the signature is

2logq

bits (which is some constant times

log(p)

bits, depending on the relative size of

p

and

q

), and this is the transmission overhead. The computation of the signature

h(e)

at each vertex requires

O(dinlogplog1+\epsilonq)

bit operations, where

din

is the in-degree of the vertex

in(e)

. The verification of a signature requires

O((d+k)log2+\epsilonq)

bit operations.

Proof of security

Attacker can produce a collision under the hash function.

If given

(P1,\ldots,Pr)

points in

E[p]

find

a=(a1,\ldots,ar)\in

r
F
p
and

b=(b1,\ldots,br)\in

r
F
p

such that

a\not=b

and

\sum1(aiPi)=\sum1(bjPj).

Proposition: There is a polynomial time reduction from discrete log on the cyclic group of order

p

on elliptic curves to Hash-Collision.

If

r=2

, then we get

xP+yQ=uP+vQ

. Thus

(x-u)P+(y-v)Q=0

.We claim that

x\not=u

and

y\not=v

. Suppose that

x=u

, then we would have

(y-v)Q=0

, but

Q

is a point of order

p

(a prime) thus

y-u\equiv0\bmodp

. In other words

y=v

in

Fp

. This contradicts the assumption that

(x,y)

and

(u,v)

are distinct pairs in

F2

. Thus we have that

Q=-(x-u)(y-v)-1P

, where the inverse is taken as modulo

p

.

If we have r > 2 then we can do one of two things. Either we can take

P1=P

and

P2=Q

as before and set

Pi=O

for

i

> 2 (in this case the proof reduces to the case when

r=2

), or we can take

P1=r1P

and

Pi=riQ

where

ri

are chosen at random from

Fp

. We get one equation in one unknown (the discrete log of

Q

). It is quite possible that the equation we get does not involve the unknown. However, this happens with very small probability as we argue next. Suppose the algorithm for Hash-Collision gave us that

ar1P+\sum2(biriQ)=0.

Then as long as

\sum2biri\not\equiv0\bmodp

, we can solve for the discrete log of Q. But the

ri

’s are unknown to the oracle for Hash-Collision and so we can interchange the order in which this process occurs. In other words, given

bi

, for

2\leqi\leqr

, not all zero, what is the probability that the

ri

’s we chose satisfies

\sum2(biri)=0

? It is clear that the latter probability is

1\overp

. Thus with high probability we can solve for the discrete log of

Q

.

We have shown that producing hash collisions in this scheme is difficult. The other method by which an adversary can foil our system is by forging a signature. This scheme for the signature is essentially the Aggregate Signature version of the Boneh-Lynn-Shacham signature scheme.[4] Here it is shown that forging a signature is at least as hard as solving the elliptic curve Diffie–Hellman problem. The only known way to solve this problem on elliptic curves is via computing discrete-logs. Thus forging a signature is at least as hard as solving the computational co-Diffie–Hellman on elliptic curves and probably as hard as computing discrete-logs.

See also

External links

  1. Comprehensive View of a Live Network Coding P2P System
  2. Signatures for Network Coding(presentation) CISS 2006, Princeton
  3. University at Buffalo Lecture Notes on Coding Theory – Dr. Atri Rudra

Notes and References

  1. 10.1.1.60.4738 . Signatures for Network Coding . 2006 . https://web.archive.org/web/20211121060603/https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.60.4738 . 2021-11-21 . bot: unknown . 2021-11-21 .
  2. Book: Krohn . Maxwell N. . Freedman . Michael J . Mazières . David . IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004 . On-the-fly verification of rateless erasure codes for efficient content distribution . 2004 . 226–240 . 10.1109/SECPRI.2004.1301326 . https://www.cs.princeton.edu/~mfreed/docs/authcodes-sp04.pdf . 17 November 2022 . Berkeley, California, USA . en-us . 1081-6011. 0-7695-2136-3. 6976686 .
  3. 10.1.1.88.8848. Improved Weil and Tate pairings for elliptic and hyperelliptic curves. 169–183. 2004. 2003math.....11391E. Eisentraeger. Kirsten. Lauter. Kristin. Montgomery. Peter L.. math/0311391.
  4. Book: Boneh . Dan . Lynn . Ben . Shacham . Hovav . Advances in Cryptology — ASIACRYPT 2001 . Short Signatures from the Weil Pairing . Lecture Notes in Computer Science . 2001 . 2248 . 514–532 . 10.1007/3-540-45682-1_30 . https://hovav.net/ucsd/dist/sigs.pdf . 17 November 2022 . en. 978-3-540-45682-7.

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Homomorphic signatures for network coding".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.