Fast Signature Scheme for Network Coding
Mingxi Yang, Wenjie Yan
Reporter: Wenjie Yan
DCABES 2009
Outline
Network Coding
Challenge to Network Coding
Related Work
Our Signature Scheme
Security Analysis
Verification Efficiency
What is Network Coding
[Figure: the same network (source S, nodes T, U, W, X, receivers Y, Z) shown twice, carrying b1 and b2. (a) Traditional network: links carry b1 or b2 only. (b) Network coding: some links carry the combination b1+b2.]
Network Coding Simplified
[Figure: the file to transfer is split into Block 1, Block 2 and Block 3, which are then encoded.]
Prerequisite for decoding: any node must receive enough (n in our scheme) linearly independent message vectors.
Challenge to Network Coding
Drawback: Network coding is very vulnerable to pollution attacks. An adversarial node injecting garbage can quickly affect many receivers.
Pollution Attack
[Figure: pollution attack on the example network with nodes S, T, U, W, X, Y, Z and packets b1, b2.]
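The decoding prerequisite and the effect of a polluted packet, as an added example that is not part of the original slides. It assumes one small prime field GF(P) for both data and coefficients; the blocks, coefficient rows and P are constructed values.

```python
P = 257  # constructed small prime; assumption: data and coefficients share GF(P)

def source_packets(blocks):
    """M_i = (m_i, unit coding vector), as in the slides' model."""
    n = len(blocks)
    return [[m % P] + [int(i == j) for j in range(n)] for i, m in enumerate(blocks)]

def combine(packets, coeffs):
    """Linear combination of packets: data part and coding vector alike."""
    width = len(packets[0])
    return [sum(c * pkt[k] for c, pkt in zip(coeffs, packets)) % P
            for k in range(width)]

def decode(received, n):
    """Gauss-Jordan over GF(P); None if fewer than n independent vectors."""
    rows = [pkt[1:] + pkt[:1] for pkt in received]   # [coding vector | data]
    for col in range(n):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None                               # rank too low to decode
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [x * inv % P for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]

# Constructed sample data.
BLOCKS = [17, 42, 99]
COEFFS = [[1, 2, 3], [4, 5, 6], [7, 8, 10]]          # invertible modulo P

def receive(coeff_rows):
    """Packets a receiver would get for the given coefficient rows."""
    src = source_packets(BLOCKS)
    return [combine(src, row) for row in coeff_rows]

def polluted_decode():
    """Decode after the data part of one received packet was altered upstream."""
    pkts = receive(COEFFS)
    pkts[0][0] = (pkts[0][0] + 1) % P
    return decode(pkts, len(BLOCKS))

if __name__ == "__main__":
    print(decode(receive(COEFFS), 3))                             # clean
    print(decode(receive([[1, 2, 3], [4, 5, 6], [5, 7, 9]]), 3))  # dependent rows
    print(polluted_decode())                                      # polluted
```

A single altered packet changes every decoded block, which is why each packet has to be verified before it is combined or decoded.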
Related Work
Krohn et al. [7] first proposed a homomorphic scheme using a homomorphic hash function.
Zhen Yu et al. [8] use RSA to sign the source messages and append the signatures to the corresponding messages.
Charles et al. [9] proposed a new homomorphic hashing scheme which is built on top of expensive Weil pairing operations [10], [11] over elliptic curves.
Related Work (Cont.)
Drawback: All the schemes described above require expensive computation in verification, which greatly slows down verification.
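Our Signature Scheme
Model: S is a source node; M is a file.
[Figure: the file M is split into blocks m1, m2, …, mn; each block is extended with a unit coding vector (1 0 0 … 0), (0 1 0 … 0), …, (0 0 0 … 1), signed as σ(m1), σ(m2), …, σ(mn), and sent into the network.]
$$M_i = (\underbrace{m_i}_{\text{data part}},\ \underbrace{0,\dots,0,1,0,\dots,0}_{\text{coding vector part}}), \qquad \text{data part} \in \mathbb{Z}_q,\ \text{coding vector part} \in \mathbb{Z}_p^n$$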
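Our Signature Scheme (Cont.-1)
Our signature scheme is based on this homomorphic function [13]:
$$h(x) = (1 + xq) \bmod q^2$$
$$\begin{aligned}
h(x) \times h(y) &= (1 + xq) \times (1 + yq) \bmod q^2 \\
&= [1 + (x + y)q + xyq^2] \bmod q^2 \\
&= [1 + (x + y)q] \bmod q^2 \\
&= h(x + y)
\end{aligned}$$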
Our Signature Scheme (Cont.-2)
Set up
Sign
Combine
Verify
Correctness
Set up
Large primes u, v, q with length(u) ≈ length(v), length(uv) ≈ length(q²) and q² < uv. N = uv; keep u and v secret.
n different elements r1, …, rn from G, where G is a multiplicative group with prime order p.
d, e < φ(N) with d×e ≡ 1 mod φ(N), where φ(N) = (u−1)×(v−1).
Private key: d
Public key: pk = (N, e, r1, …, rn).
Sign
Given message Mi = (mi, 0, …, 0, 1, 0, …, 0) and private key d, compute the signature σ(Mi) on source message Mi as:
$$\sigma(M_i) = \left[\frac{(1 + m_i q) \bmod q^2}{r_i}\right]^{d} \bmod N$$
Combine
Given: coefficients (c1, c2, …, cl), messages and signatures W1||σ(W1), …, Wl||σ(Wl), where Wi = (wi, ci1, …, cin).
Combine: W0 = (w0, c01, …, c0n) and σ(W0), with
$$w_0 = \sum_{i=1}^{l} c_i w_i \bmod q$$
$$(c_{01}, c_{02}, \dots, c_{0n}) = \sum_{i=1}^{l} c_i\,(c_{i1}, \dots, c_{in}) \bmod p$$
$$\sigma(W_0) = \prod_{i=1}^{l} \sigma(W_i)^{c_i} \bmod N$$
Combine (Cont.)
[Figure: the verified messages (w1, c11, c12, …, c1n), (w2, c21, c22, …, c2n), …, (wl, cl1, cl2, …, cln) are encoded by addition (+) into (w, c1, c2, …, cn), and their signatures σ(W1), σ(W2), …, σ(Wl) are combined by multiplication (×) into σ(W). Labels: verified messages; encoding of messages; combination of signatures.]
Verify
Given encoded message W0 = (w0, c01, …, c0n) and signature σ(W0), σ(W0) is a valid signature on W0 iff
$$\sigma(W_0)^{e} = \frac{h(W_0)}{\prod_{i=1}^{n} r_i^{c_{0i}}}$$
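A toy run of Set up, Sign and Verify for the n source messages, plus a check of the identity h(x)×h(y) = h(x+y) modulo q² carried over to linear combinations; this is an added example, not the authors' code. The primes, e, the r_i (taken here as units modulo N, an assumption) and the messages are constructed values.

```python
from math import gcd

# Constructed toy parameters: far too small for real use.
U, V, Q = 1009, 1013, 997            # primes with Q*Q < U*V
N, PHI = U * V, (U - 1) * (V - 1)
E = 65537                            # public exponent e
D = pow(E, -1, PHI)                  # private key d, d*e = 1 mod phi(N)
R = [5, 7, 11]                       # assumption: r_i taken as units modulo N
assert Q * Q < N and all(gcd(r, N) == 1 for r in R)

def h(x):
    """h(x) = (1 + x*q) mod q^2."""
    return (1 + x * Q) % (Q * Q)

def sign(m, i):
    """sigma(M_i) = [h(m_i) / r_i]^d mod N for source message M_i."""
    return pow(h(m) * pow(R[i], -1, N) % N, D, N)

def verify(w0, coding_vector, sigma):
    """Accept iff sigma^e * prod(r_i^c_0i) equals h(w0) modulo N."""
    lhs = pow(sigma, E, N)
    for r, c in zip(R, coding_vector):
        lhs = lhs * pow(r, c, N) % N
    return lhs == h(w0) % N

def h_is_homomorphic(ws, cs):
    """Check prod h(w_i)^c_i mod q^2 == h(sum c_i*w_i mod q)."""
    prod = 1
    for w, c in zip(ws, cs):
        prod = prod * pow(h(w), c, Q * Q) % (Q * Q)
    return prod == h(sum(c * w for c, w in zip(cs, ws)) % Q)

def unit(i, n=len(R)):
    """Coding vector part of source message M_i."""
    return [int(i == j) for j in range(n)]

MESSAGES = [123, 456, 789]           # constructed data parts m_i in Z_q
SIGS = [sign(m, i) for i, m in enumerate(MESSAGES)]

if __name__ == "__main__":
    for i, (m, s) in enumerate(zip(MESSAGES, SIGS)):
        print(i, verify(m, unit(i), s))                  # genuine source messages
    print(verify(MESSAGES[0] + 1, unit(0), SIGS[0]))     # altered data part
    print(verify(MESSAGES[0], unit(1), SIGS[0]))         # altered coding vector
    print(h_is_homomorphic(MESSAGES, [3, 5, 250]))
```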
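Correctness
$$\begin{aligned}
\sigma(W_0) &= \prod_{i=1}^{n} \sigma(M_i)^{c_{0i}} \\
&= \prod_{i=1}^{n} \left[\frac{h(M_i)}{r_i}\right]^{d\,c_{0i}} \\
&= \left[\frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}}\right]^{d} \qquad (3.1)
\end{aligned}$$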
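Correctness (Cont.)
$$\begin{aligned}
\sigma(W_0)^{e} \bmod N &= \left[\frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}}\right]^{d e} \bmod N \\
&= \frac{\prod_{i=1}^{n} h(M_i)^{c_{0i}}}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N \\
&= \frac{h(W_0)}{\prod_{i=1}^{n} r_i^{c_{0i}}} \bmod N
\end{aligned}$$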
Security Analysis
Definition: A signature scheme is secure under an adaptive chosen message attack if, for every probabilistic polynomial time forger algorithm F, there is no non-negligible probability ε such that:
$$\mathrm{Adv}(F) = \Pr\left[\begin{array}{l}
PK = (H, N, e, r_1, \dots, r_n); \\
M_1 \| \sigma(M_1), \dots, M_n \| \sigma(M_n);\ \mathrm{verify}(W, \sigma(W)) = 1 \\
W \notin \mathrm{span}\{M_1, M_2, \dots, M_n\}
\end{array}\right]$$
Security Analysis (Cont.-1)
Compute a valid signature on a message W in our scheme ⇒ break the RSA signature scheme,
where $W \notin V$ and $V = \mathrm{span}\{M_1, M_2, \dots, M_n\}$.
Security Analysis (Cont.-2)
Theorem: If there exists a (t, ε)-forger F using an adaptive chosen message attack against the proposed signature scheme, then there exists a (t′, ε′)-algorithm A for solving the RSA signature scheme, where t′ ≥ t and ε′ = ε.
Security Analysis (Cont.-3)
Proof: F is a forger that (t, ε)-breaks the scheme; we now construct an algorithm A that breaks RSA in (t′, ε′).
A is given every signature σ(Mi) on original message Mi for i = 1, 2, …, n.
For any message $W = (w, c_1, \dots, c_n) \notin V$, let $X = (x, c_1, \dots, c_n) \in V$ with $x = \sum_{i=1}^{n} c_i m_i$, where w ≠ x.
σ(W) is a valid signature generated by A.
Security Analysis (Cont.-4)
Case 1: σ(W) = σ(X), h(W) = h(X); assume w > x. Since h(W) − h(X) = 0, we have [(1+wq) − (1+xq)] mod q² = 0, so (w−x)q mod q² = 0 and (w−x)q = r×q², thus w − x = rq. We know that w − x < q, so r = 0 and thus w = x, which contradicts w > x.
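Security Analysis (Cont.-5)
Case 2: σ(W) ≠ σ(X), then
$$\sigma(W)^{e} = \frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}$$
Thus
$$\sigma(W) = \left[\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}\right]^{d}$$
As σ(W) is generated by A, thus
$$A(W) = \left[\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}\right]^{d}$$
We use y to denote $\frac{h(w)}{\prod_{i=1}^{n} r_i^{c_i}}$, thus
$$A(W) = y^{d}$$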
Security Analysis (Cont.-6)
The probability ε′ of generating an RSA signature in Case 2 is ε.
T is the maximum time for computing those operations except A, so t′ = t + T and thus t′ ≥ t.
Verification Efficiency
Let φ be a prime number and ψ a power of a different prime with φ << ψ; E is an elliptic curve over Zψ. In schemes [8] and [9], every original message is a vector of dimension k, and the source then appends an n-dimensional coding vector to it, such as X = (x1, x2, …, xk, c1, …, cn), where xi, ci ∈ Zφ.
Verification Efficiency (Cont.-1)
Table 1. Verification of message (bit operation)

| Signature scheme | Verification time (bit operation) |
|---|---|
| Our scheme | O[(1+n)log(1+ε)(log2φ)] |
| Zhen's [8] | O[(1+k+n)log(1+ε)(log2φ)] |
| CJL's [9] | O(klog2+εψ) |
[9]=O(klog2+Єψ)
= O(k logЄ logψ 2ψ)
> O(k logЄ logψ 2φ)
> O[(k+1)log(1+Є)(log2φ)] =[8]
> O[(n+2)log(1+Є)(log2φ)]
=ours
so [9] >[8]>ours.
Verification Efficiency (Cont.-2)
Verification Efficiency (Cont.-3)
The comparison results show that our scheme outperforms the other signature schemes of this kind in verification speed.
References
[1] D. Petrovic, K. Ramchandran, and J. Rabaey, “Overcoming Untuned Radios in Wireless Networks with Network Coding”, in IEEE Transactions on Information Theory, Vol. 52, No. 6, pp. 2649-2657, 2006.
[2] C. Gkantsidis and P. Rodriguez, “Network Coding for Large Scale File Distribution”, in Proc. IEEE INFOCOM, 2005.
[3] R. Ahlswede, N. Cai, S. Li, and R. W. Yeung, “Network information flow,” IEEE Trans. Inf. Theory, vol. 46(4), pp. 1204-1216, 2000.
[4] S. Li, R. Yeung, and N. Cai, “Linear Network Coding”, in IEEE Transactions on Information Theory, Vol. 49, No. 2, pp. 371-381, 2003.
[5] T. Ho, R. Koetter, M. Médard, D. R. Karger, and M. Effros, “The benefits of coding over routing in a randomized setting,” in International Symposium on Information Theory (ISIT), 2003.
[6] T. Ho, M. Médard, J. Shi, M. Effros and D. R. Karger, “On randomized network coding,” in Proc. 41st Annual Allerton Conference on Communication Control and Computing, Oct. 2003.
References (Cont.)
[7] M. N. Krohn, M. J. Freedman, and D. Mazières, “On-the-fly verification of rateless erasure codes for efficient content distribution,” IEEE Symp. Security and Privacy, Oakland, CA, pp. 226-240, May 2004.
[8] Zhen Yu, YaWen Wei, Bhuvaneswari Ramkumar, and Yong Guan, “An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks”, INFOCOM 2008. The 27th Conference on Computer Communications. IEEE, April 2008.
[9] D. Charles, K. Jain, and K. Lauter, “Signature for Network Coding”, Technical Report MSR-TR-2005-159, Microsoft, 2005.
[10] A. Menezes, T. Okamoto, and S. Vanstone, “Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field”, in IEEE Transactions on Information Theory, Vol. 39, No. 5, pp. 1639-1646, 1993.
[11] V. Miller, “Short Programs for Functions over Curve”, unpublished manuscript, crypto.stanford.edu/miller/, 1986.
[12] Jing Dong, Reza Curtmola, Cristina Nita-Rotaru, “Practical Defenses Against Pollution Attacks in Intra-Flow Network Coding for Wireless Mesh Networks”, Proc. of The Second ACM Conference on Wireless Network Security (WiSec 2009), Zurich, Switzerland, March 2009.
[13] Bresson E, Catalano D, Pointcheval D. “A simple public key cryptosystem with a double trapdoor decryption mechanism and its applications,” In: Laih CS, ed. Asiacrypt 2003. LNCS 2894, Berlin: Springer-Verlag, 2003. 37-54.
[14] SUN Zhong-Wei, FENG Deng-Guo, WU Chuan-Kun, “An Anonymous Fingerprinting Scheme Based on Additively Homomorphic Public Key Cryptosystem”. In Journal of Software: 2005, vol. 16, No. 10, pp. 1816-1821.
Any Questions?
THANK YOU!