Short signature scheme for multi-source network coding

Short signature scheme for multi-source network coding

Computer Communications 35 (2012) 344–351 Contents lists available at SciVerse ScienceDirect Computer Communications journal homepage: www.elsevier...

465KB Sizes 3 Downloads 58 Views

Computer Communications 35 (2012) 344–351

Contents lists available at SciVerse ScienceDirect

Computer Communications journal homepage: www.elsevier.com/locate/comcom

Short signature scheme for multi-source network coding Wenjie Yan a,c, Mingxi Yang a,⇑, Layuan Li a, Huajing Fang b a

School of Computer Science and Technology, Wuhan University of Technology, Wuhan 430070, China Dept. of Control Science and Engineering, Huazhong University of Science and Technology, China c Dept. of Planning and Information, SINOPEC Chemical Sales Central China Company, China b

a r t i c l e

i n f o

Article history: Received 20 January 2010 Received in revised form 13 September 2011 Accepted 13 October 2011 Available online 23 October 2011 Keywords: Multi-source network coding Signature Homomorphic hash function Pollution attacks

a b s t r a c t It has been proven that network coding can provide significant benefits to networks. However, network coding is very vulnerable to pollution attacks. In recent years, many schemes have been designed to defend against these attacks, but as far as we know almost all of them are inapplicable for multi-source network coding system. This paper proposed a novel homomorphic signature scheme based on bilinear pairings to stand against pollution attacks for multi-source network coding, which has a broader application background than single-source network coding. Our signatures are publicly verifiable and the public keys are independent of the files so that our scheme can be used to authenticate multiple files without having to update public keys. The signature length of our proposed scheme is as short as the shortest signatures of a single-source network coding. The verification speed of our scheme is faster than those signature schemes based on elliptic curves in the single-source network. Ó 2011 Elsevier B.V. All rights reserved.

1. Introduction Network coding was first proposed by Ahlswede et al. [1] in order to maximize the throughput of multicast networks. In contrast to traditional ‘‘store and forward’’ routing, network coding allows intermediate nodes to process and modify the data packets in transit. Later, Li et al. [2] further proved that linear network coding is sufficient to achieve this purpose. Based on it, Ho et al. [3,4] proposed a random linear network coding, and as a result, which no longer needs for decoders to know the topology of the network. Network coding has been shown to offer a number of advantages, such as lesser network congestion, higher reliability, and lower power consumption. However, network coding poses new security challenges. One main challenge is pollution attacks, in which the adversary nodes intentionally modify or forge the transmitted packets and inject them into the coding packets. What is more, the polluted packets will quickly spread into the networks and infect a large number of packets, as they are transmitted by the downstream nodes. 1.1. Related work Recently, several schemes have been proposed to provide protection against pollution attacks for network coding applications. These schemes can be classified in two categories: information theoretic approaches and cryptographic approaches. ⇑ Corresponding author. E-mail address: [email protected] (M. Yang). 0140-3664/$ - see front matter Ó 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2011.10.012

Information theoretic approaches: A major method of information theoretic approaches is introducing redundant information into original packets for enabling recovery from malicious faults, such as in [5–7]. These approaches have the advantage of not relying on any computational assumptions so the process speed is faster, but they are secure only against relatively limited kinds of adversaries, and the communication overhead of these approaches is heavier. Cryptographic approaches: Cryptographic approaches rely on the computational assumptions. By this kind of approaches the source node uses cryptographic techniques to generate authentication information and append it to corresponding packets and allow the intermediate node to encode, sign or verify the packets. In the following, we mainly introduce the cryptographic approaches. Homomorpic hashing function is first proposed by Krohn et al. [8]. In their scheme the source node computes the hash values h1, h2, . . . , hm for the packets X1, X2, . . . , Xm and distributes these hash values to all the nodes in the networks. When a packet w combined from X1, X2, . . . , Xm is received, a receiver can compare the hash value hw of w, which is worked out from the hash values h1, h2, . . . , hm via additive homomorphic computation, with HASH (w), then the encoded packet w is verified. In this scheme the source node needs to renew a batch of hash values for every new massage. Zhao et al. [9] uses a signature vector X to authenticate the vector space V = span{v1, . . . , vm}, but the size of this signature vector is as long as that of each packet. And the scheme requires updating the public keys for authenticating new files.

345

W. Yan et al. / Computer Communications 35 (2012) 344–351

Dong et al. [10] proposed a scheme which uses time-based checksum to allow the intermediate nodes to authenticate the received packets. However, this scheme requires time synchronization between senders and receivers, which is unpractical. In addition the size of each checksum is twice as long as the size of the packet and the received packet cannot be verified at once until the right checksum arrived. Besides, the checksums are flooded in the networks. This would greatly consume the bandwidth. All of these schemes in [8–10] require the sender to know the entire file in advance, before the authentication information can be computed, so these schemes do not support the transmission of streaming packets, where the sender transmits packets as they are generated rather than buffering them and transmitting them all at once. Yu et al. [11] take advantage of a homomorphic signature function RSA to sign the hash value of packets and append these signatures to corresponding packets so the forwarders can compose the signatures for their encoded packets without knowing the source private key and its downstream nodes can verify the encoded packets with the source public key. One of the drawbacks of this scheme is the signature size is a bit too long and it has to refresh the public keys while to sign a new file in case of being replay attacked. And furthermore, Aaram Yun et al. [21] point out that this scheme is in fact not homomorphic. Charles et al. [12] proposed a homomorphic signature scheme which is built on Weil pairing operations [13,14] over elliptic curves, but this scheme also need to refresh the public key when used to sign a new file. Katz and Waters [15] proposed also a signature scheme based on bilinear pairing to defend against pollution attacks, in which a file number id was introduced to thwart the replay attacks. Jiang et al. [16] proposed a homomorphic scheme on the elliptic curves. Especially in their scheme, a file identifier k dynamically updated by a one way hash chain was introduced against the replay attacks. That paper described an efficient method and allowed the forwarders to verify multiple received packets synchronously. Here we want to point out especially that the above published authentication schemes could only be applicable to single source network coding system, and not for multi-source network coding system which has a broader application background in networks. In the signature scheme for multi-source network coding system, there are multiple source nodes. Each source has to generate signature with distinct private key so that other source nodes cannot fake it. However in the previous signature schemes for network coding [11,12,15,16], these distinct private keys will destroy the homomorphism of the signature algorithms, which means that the intermediate nodes cannot generate a valid homormophic signature for an encoded packet without knowing the source private keys. The authentication schemes in [8–10] cannot be applied in multi-source network coding too, the authentication information generated by a source node can only be used to verify those packets from this single node, while combination of different source packets could not be verified correctly by forwarders. Recently, Agrawal et al. [19] and [20] proposed their schemes to defend against pollution attacks in multi-source network coding. Agrawal et al. [19] introduced a merge algorithm into their work to generate hthe public keys and signatures at intermediate nodes. Laszlo’s work [20] is built on bilinear pairing, and the way they sign the packets is similar to Jonathan’s [15] method. Both [19,20], however, have a common drawback that the size of signature grows linearly with the number of the sources. If a packet is mixed by l original packets, then the length of the signature on this packet is l times the signature length in single source network coding. That is unpractical.

1.2. Our contribution In this paper, we proposed a homomorphic signature scheme based on bilinear pairings to provide protection against pollution attacks for multi-source linear network coding models even when the adversaries can corrupt an arbitrary number of nodes, eavesdrop on all links in networks. Every source node in our scheme has its own distinct private key pair and public key and that our signature scheme will remain its homomorphism. Thus the intermediate nodes in our scheme can authenticate the received encoded packets signed by different source nodes with the corresponding public keys, and can also sign the encoded packets without knowing the various source private keys. In addition, the public keys are independent of the transmitted file, which means our signature scheme supports transmitting multiple files without having to update the public keys. The signature in our scheme has constant size, which is as short as the shortest signatures of a single-source network (about 160 bits in practical networks). All of these signatures are elements in a single group. Our scheme also supports the transmission of streaming data packets, i.e. each source node need not to know all the packets in advance. From a computational point of view, we define that there are m source packets, and each packet is a (m + n)-dimension vector. With signatures size equally short, the verification in our scheme requires only once of pairing computation and m + n times of point multiplications. In contrast to similar schemes based on bilinear pairings, e.g. [12], which require m + n + 1 times of pairing computations, and [15,16], which need twice of pairing computations and m + n times of point multiplications, and so on, our signature scheme is more efficient. 1.3. Outline of this paper The remainder of the paper is organized as follows: Section 2 introduces the system model and threat model; Section 3 introduces our proposed signature scheme; Section 4 proves its security; Section 5 analyzes our scheme’s performance; and Section 6 is the conclusion. 2. Background 2.1. System model Multi-source network coding is a very rich model which encompasses many communication situations, but our model is only relevant to multiple sources in the networks and the random linear network coding approach, so we give the model as follows. We model the network similar to [12,17] by a directed graph Gd = (E, V), where E is a set of links and V is a set of vertices in the network. We assume that there are m source nodes S = (s1, s2, . . . , sm)  V in the network, each source wants to send a file to a set of destination nodes T  V and each destination node wants to receive all m source files, we suppose that each source file is a vector of dimension n, thus the source file from source si can be considered as: X i ¼ ð xi1 ; . . . ;  xin Þ, before outputting this file, source si augments its X i by appending an original coding vector to create Xi as follows:

0

1 m zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{ @ X i ¼ xi1 ; . . . ; xin ; 0; . . . ; 0; 1; 0; . . . ; 0A ¼ ðxi1 ; . . . ; xi;mþn Þ 2 F mþn ; q |fflfflfflffl{zfflfflfflffl} i1

where F is a finite field, prime q is a pre-determined security paramm

zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{ eter and vector 0; . . . ; 0; 1; 0; . . . ; 0 can be considered as the identifier |fflfflfflffl{zfflfflfflffl} i1

346

W. Yan et al. / Computer Communications 35 (2012) 344–351

of source si, we called Xi a source packet in this paper. Source si then outputs the source packet into the network. Each intermediate node in network processes the received packets as follows: upon receiving packets (vectors) y1, y2, . . . , yl on its l incoming edges, a node computes and transmits encoded P packet w ¼ li¼1 ci yi on its outgoing edges, where each coefficient ci is randomly picked from Zq. A destination node can recover the source files when it receives m linearly-independent vectors z1 ; z2 ; . . . ; zm 2 F mþn , where zi = q (zi1, . . . , zin, zi,n + 1, . . . , zi,m+n). We set zLi be the left-most n positions of zi, and zRi are the right-most m positions of zi, let D be m  m matrix  whose ithTrow consists of global coding vector of zi, thus D ¼ zR1 ; zR2 ; . . . ; zRm . In practice, the global vectors are chosen at random so the matrix D is invertible with high probability, then the source files can be computed as:

0

X1

1

0

zL1

BX B 2 B B .. @ .

C B zL C B 2 C ¼ D1 B C B .. A @ .

Xm

zLm

1 C C C C A

depicts the concept of generation in a simple system model in which there are 2 source nodes and each source node wants to send k packets to the destination nodes R1 and R2. We consider all the m source packets with identifier id1 as a generation whose identifier is id1, thus:

generationid1 ¼ fX 1 kid1 ; X 2 kid1 ; . . . ; X m kid1 g This identifier id1 could be generated at the sources by a common function. If the sources want to send new files, they need to generate a new identifier id2 for their own source packet (id2 – id1), thus:

  generationid2 ¼ X 01 kid2 ; X 02 kid2 ; . . . ; X 0m kid2

  where X 01 ; X 02 ; . . . ; X 0m is a set of new source packets. Only the packets with the same generation identifier can be encoded together at the intermediate nodes. In generally, we suppose that each source has k files to be sent, we can group these source packets into k generations: Generation

s1

s2

...

sm

id1

ð1Þ X 1 kid1 ð2Þ X 1 kid2

ð1Þ X 2 kid1 ð2Þ X 2 kid2

...

X ð1Þ m kid1

...

...

...

... ...

X ð2Þ m kid2 ...

id2

Let N = jTj be the number of destination nodes, the probability that all N destination nodes can decode all m source files is at least (1  N/q)g, where g 6 jEj is the maximum number of coding points employed by any destination nodes [4]. As shown in Fig. 1, two source nodes s1 and s2 multicast two packets X1 and X2, respectively, to both the destination nodes Y and Z. In the Fig. 1(a), every channel carries either the packet X1 or the packet X2 as indicated, and every forwarder simply replicates and sends out the packet(s) received from upstream. Therefore, the channel from W to X is used twice. Fig. 1(b) depicts a different way which used in network coding to multicast the two packets X1 and X2 on the same network as in Fig. 1(a). This time, the node W derives the combination X1 + X2 from the received packets X1 and X2, the channel from W to X transmits X1 + X2, which is then replicated at X for passing onto Y and Z. Then, the node Y receives X1 and X1 + X2, from which the X2 can be decoded, and the same to Z to decode X1 from X2 and X1 + X2, in this way, all the channels in the network are used exactly once. More details about random linear network coding in [4]. In network coding, as each source may have several files to be sent, but the sources may produce the packets asynchronously, and the Internet packets between a source–destination pair subject to random delays and follow different routers, on the one hand, it’s difficult to implement a centralized network coding algorithm, on the other hand, an adversary may attack this system by injecting an old packet into network. A good solution to deal with these problems is to group packets into generation. Packets will be combined only with those packets in the same generation [24]. Fig. 2

... idk

ðkÞ

X 1 kidk

ðkÞ

X 2 kidk

X ðkÞ m kidk

ðjÞ

where X i 2 F mþn (i = 1, 2, . . . , m, j = 1, 2, . . . , k) is the jth packet from q source si, id1, id2, . . . , idk could be a sequence of natural numbers such as 1, 2, 3, . . ., k, or generated by an common function at the source node. 2.2. Threat model def

Let V i ¼ spanðX 1 ; . . . ; X m Þ be a subspace in ith generation, a packet w can be considered as a forged packet in the ith generation if and only if w R Vi. This study focuses on the condition that both the source node and the intermediate node are not trustable. A source node may pretend to be another source node to forge packets, and the intermediate node can intentionally pollute its output packets or directly inject forged packets into the network, such as shown in Fig. 1(c), the dotted lines denote the paths along which the polluted packets propagate, X 02 is a corrupted packet from node U, when the corrupted packet X 02 combine with X1, the new combination X 1 þ X 02 is also corrupted, then the pollution passed down to the path WX, XY and XZ. When Y receive packet X1 and X 1 þ X 02 , it cannot decode X1 and X2 correctly. Therefore, it is necessary for each node in the network coding system to authenticate the integrity of every received encoded packet.

Fig. 1. (a) Traditional network, (b) network coding, (c) pollution attacks.

347

W. Yan et al. / Computer Communications 35 (2012) 344–351

Fig. 2. Generation in multi-source network coding.

2.3. Bilinear map G1 and G2 are (multiplicative) cyclic groups of same order q. A bilinear map is a map e : G1  G1 ? G2 with the following properties:   (1) Bilinear: for any g1, g2 2 G1 and a; b 2 Z; e g a1 ; g b2 ¼ eðg 1 ; g 2 Þab . (2) No-degenerate: if g is a generator of G1, then e(g, g) is a generator of G2, in other words e(g, g) – 1. (3) Computable: for any u, v 2 G1, there exists an efficient algorithm to compute e(u, v). Now we give some computational problems, which will form the basis of security for our scheme. Discrete Logarithm Problem(DLP): Given two elements g, ga 2 G1, compute a 2 Zq. Computational Diffie  Hellman Problem (CDHP): Given g, h, ga 2 G1, compute ha 2 G1. 3. Our signature scheme As shown in Fig. 3, each source node in this scheme first augments the original packets by appending the coding vectors, and then uses its distinct private key pair to sign the augmented packets and appends signatures to the corresponding packets. The intermediate nodes can verify the encoded packets without decoding it, where the encoded packets are made of different sources’ packets, and also they can generate new packets and the corresponding signature by combining the received packets without knowing the source private keys, this is due to our signature is based on the homomorphic hash function. The destination node can recover the original packets when it receives m linear-independent verified packets.

 Setup: PKG initializes our scheme as: (1) ParameterGen Chooses q = uv secretly, where u and v are primes and u  v; G1 and G2 are (multiplicative) cyclic groups of same order q, g is the generator of G1; e : G1  G1 ? G2 is a bilinear map between the groups G1 and G2; g1, g2, . . . , gn are different elements chosen from G1n{1}, g0 = gu; r is secretly picked from Z q , and r – kv for any integer k – 0; h0 ¼ g r0 ; Note that only PKG knows u and r; g, g0, h0 are shared among multiple intermediate nodes. (2) Original coding vector For i = 1, 2, . . . , m, PKG assigns original coding vector m

zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{ ð0; . . . ; 0; 1; 0; . . . ; 0Þ for source si. |fflfflfflffl{zfflfflfflffl} i1

(3) KeyGen For i = 1, 2, . . . , m, PKG do: Chooses secretly ai from Z u such that ai – aj (j = 1, 2, . . . , i  1) and computes ski1 ¼ ai v  r R F qmþn ; Chooses secretly ski2 from G1n{1}, where ski2 – skj2 for j = 1, 2, . . . , i  1; Let ski = (ski1, ski2) as source si’s private key pair and delivers it to source si; Computes pki = e(ski2, g0) as the public key for source si; Define d1, d2, . . . , dn+m are n + m elements in G2,

0

1

sets@d1 ; d2 ; . . . ; dn ; dnþ1 ; . . . ; dnþm A |fflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflffl} |fflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflffl} 0

n

m

1

¼ @eðg 1 ; h0 Þ; . . . ; eðg n ; h0 Þ; pk1 ; . . . ; pkm A; |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} |fflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflffl} m

n

3.1. Proposed signature scheme Our signature scheme requires a trusted Private Key Generator (PKG) to generate original coding vector, private key pair and publish public keys for each source. Our scheme is defined as follows:

Defines a hash function for packet w ¼ ðw1 ; w2 ; . . . ; wn ; wnþ1 ; . . . ; wnþm Þ 2 F mþn as: q

Hðid; wÞ ¼ Hðid; wL Þ ¼

Fig. 3. Signature scheme for multi-source network coding.

n Y i¼1

ðidþiÞwi

gi

;

348

W. Yan et al. / Computer Communications 35 (2012) 344–351

where id is the identifier of generation and wL is the most-left n positions of vector w. This function is a homomorphic function (the proof is shown in Section 3.2); PKG publishes the public key for all m source nodes as PK = {H, g, g0, h0, d1, d2, . . . , dn+m}. Note that the setup phase requires PKG to deliver private key pair of the sources secretly, which can be provided efficiently by the secure issuing protocol proposed in [18].  Signski(id, Xi): For source node si, given private key pair ski = (ski1,

m Y Hðid; X i Þski1

Signðid; wÞ ¼

then we have



m X

ynþi X i ;



m X

i¼1

znþi X i

i¼1

and

m

Signðid; YÞ ¼

m Y Hðid; X i Þski1

idþnþi

ski2

ski2

i¼1

ðxi1 ; . . . ; xi;mþn Þ 2 F qmþn ; si signs the packet Xi as follows:

m Y Hðid; X i Þski1

Signðid; ZÞ ¼

!ynþi ;

idþnþi

i1

ri ¼

;

idþnþi

ski2

i¼1

zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{ ski2) and source packet X i ¼ ð xi1 ; . . . ;  xin ; 0; . . . ; 0; 1; 0; . . . ; 0Þ ¼ |fflfflfflffl{zfflfflfflffl}

Hðid; X i Þski1

!wnþi

!znþi :

idþnþi

ski2

i¼1

; Then:

where i = 1, 2, . . . , m.  Combine: Given a set of coding coefficients c1, c2, . . . , cl 2 Fq, a sequence of packet y1 ; . . . ; yl 2 F mþn along with their signatures q r1, . .Q. , rl, the intermediate node output the combined signature P r ¼ li¼1 rci i on the encoded packet w ¼ li¼1 ci yi . It can be concluded that the intermediate nodes can compute def valid signature for any packet vector in V i ¼ spanðX 1 ; . . . ; X m Þ without knowing sources’ private keys, where Xi (i = 1, . . . , m) is the source packet.  VrfyPK(id, w, r): Given an identifier id, a public key PK = {H, g, g0, h0, d1, d2, . . . , dn+m}, a signature r and a packet vector w ¼ def ðw1 ; w2 ; . . . ; wn ; wnþ1 ; . . . ; wnþm Þ 2 F mþn , define hðPK; id; wÞ ¼ q Qmþn ðidþiÞwi , the signature r is a valid signature on packet w iff: i¼1 di

eðr; g 0 Þ  hðPK; id; wÞ ¼ 1:

ð3-1Þ

Note that the computation of verification requires only one pairing operation and m + n point multiplications. We can find that all the phases in this scheme is based on the additive homomorphic function, the intermediate nodes combine the packet in a linear way, and no matter who generates the signature and where the packet going, the intermediate nodes just verify and compose the signature in a homomorphic way independently, therefore, this scheme is suitable for all kinds of multi-source models if only these models are based on the linear network coding approach.

m Y Hðid; X i Þski1

Signðid; Y þ ZÞ ¼

idþnþi

ski2

i¼1

m Y Hðid; X i Þski1

¼

P Qm wnþi Proof. We know that: w ¼ m ; i¼1 wnþi X i ; Hðid; wÞ ¼ i¼1 Hðid; X i Þ Qm wnþi r ¼ i¼1 ri , where Xi is the augmented original packet from si and ri is the signature on Xi, i = 1, 2, . . . , m, then:

eðr; g 0 Þ  hðPK; id; wÞ mþn n m Y ðidþiÞw Y Y ðidþnþiÞwnþi i di ¼ eðr; g 0 Þ  eðg i ; h0 ÞðidþiÞwi  pki ¼ eðr; g 0 Þ  i¼1

¼ eðr; g 0 Þ  e

n Y

ðidþiÞwi

gi

; h0

i¼1

¼ eðr; g 0 Þ  e

n Y

i¼1

! 

m Y

ðidþnþiÞwnþi

pki

i¼1

! ðidþiÞwi gi ; g r0

m Y

e

! ðidþnþiÞwnþi ski2 ; g0

i¼1 m Y

¼ eðr; g 0 Þ  eðHðid; wÞ ; g 0 Þ  e r

r  Hðid; wÞ 

m Y

!

ðidþnþiÞwnþi ski2 ; g0

i¼1

¼e

i¼1

!

ðidþnþiÞwnþi ski2 ; g0

i¼1

¼e

m Y i¼1 m Y

rwi nþi 

m Y

Hðid; wÞwnþi r 

i¼1

ðri  Hðid; X i Þ

m Y

! ðidþnþiÞwnþi

ski2

i¼1 r

n Y

ðidþiÞðyi þzi Þ

gi

¼

i¼1

¼

n Y i¼1

n  Y

ðidþiÞyi

gi

ðidþiÞzi

gi



i¼1 ðidþiÞyi

gi

n Y

ðidþiÞzi

gi

¼e ¼e

(b) For any packet w = (w1, w2, . . . , wn, wn+1, . . . , wn+m), we know that w is a linear combination of source packets, and (wn+1, . . . , wn+m) is the global coding vector of packet w, then P we have w ¼ m i¼1 wnþi X i . From phases sign and combine, we can conclude that the signature on packet w can be written as:

idþnþi

i¼1

!

m Y

ski2

½Hðid; X i Þ

!wnþi  Hðid; X i Þ

¼e

m Y

ski1 þr wnþi



; g0

½Hðid; X i Þai wnþi uv ; g

i¼1

¼e

m Y

r

ðidþnþiÞ  ski2

!

i¼1

¼ Hðid; YÞ  Hðid; ZÞ

i¼1

m Y Hðid; X i Þski1

; g0

ðidþnþiÞ wnþi  ski2 Þ ; g0

i¼1

Hðid; Y þ ZÞ ¼

idþnþi

ski2

i¼1

(2) Now we prove the correctness of Eq. (3-1).

¼e

(a) From the definition of function H, we can get:

!znþi

Thus both functions H(, ) and Sign(, ) are additive homomorphic functions. h

r

Y þ Z ¼ ðy1 þ z1 ; y2 þ z2 ; . . . ; ymþn þ zmþn Þ:



idþnþi

m Y Hðid; X i Þski1

¼ Signðid; YÞ  Signðid; ZÞ:

3.2. Correctness

Proof. We suppose that Y = (y1, y2, . . . , ym+n) and Z = (z1, z2, . . . , zm+n), then we have:

!ynþi

ski2

i¼1

i¼1

(1) We first prove hash function H(, ) and signature function Sign(, ) are homomorphic functions, thus for any vector Y; Z 2 F qmþn , we have H(id, Y + Z) = H(id, Y)  H(id, Z) and Sign(id, Y + Z) = Sign(id, Y)  Sign(id, Z).

!ðynþi þznþi Þ

¼e

ai v uwnþi

½Hðid; X i Þ



m Y

! ;g

!

½Hðid; X i Þai wnþi q ; g

i¼1

¼ 1==ðG2 is a group of order qÞ

i¼1

This completes the proof.

; g0

i¼1

!

!q Hðid; X i Þai wnþi ; g

¼e

m Y

!

h

349

W. Yan et al. / Computer Communications 35 (2012) 344–351

4. Security of our signature In this section, the security analysis for our signature contains three parts. Firstly we analyze the possibility for a source node to forge a valid packet belonging to other sources, and then we will prove that our scheme is secure against the pollution attacks from the intermediate nodes. The proof for replay attacks is shown at the end.

obvious that it can also forge any source packet, that means for any adversary, to forge an encode packet is equivalent to forge a source packet. Therefore, in our proof, we assume that the adversary only forges the packets from a source node. We could model the proof of security as follows. Assume S is a source node, its private key is sk, sk = av  r, where a, v, and r are selected secretly by PKG. The public key is k = gsk. For a packet Xi = (xi1, . . . , xi,m+n), the hash value of this packet could be redefined as:

4.1. Attacks from the adversary source node

Hðid; X i Þ ¼ It is infeasible for the adversary source node to compute other source’s private keys from the public keys. The probability to brute force search for private keys is negligible. Theorem 1. For i = 1, . . . , m, given a public key pki, it is infeasible to compute ski2 such that e(ski2, g0) = pki assuming CDHP is hard.

m þn Y

x

ij g id;j :

i¼1

The signature on Xi is computed as:

ri ¼

mþn Y

xij g id;j

!sk :

j¼1

The receivers verify the signature as follows. Proof. If there is an algorithm f which takes pki and g0 as input and outputs ski2 (namely ski2 = f(pki, g0)), then one could use f to compute ha from h and ga as ha = f(g, e(h, ga)), thus the assuming CDHP is broken, this is contradictory to our assuming. h Now let’s see the probability for an adversary to brute force search for private keys. We have proved that ski2 cannot be derived from pki, the adversary may brute force search for ski2. In our scheme, ski2 is selected randomly by si in G1, so the probability to find ski2 with brute force is 1/q, when q is large enough (e.g., q = 2160), this probability is negligible. Ski1 is computed as Ski1 = aiv  r, but ai, v and r are unknown to all of the nodes in network (except PKG). Therefore, the adversary cannot compute this private key, the probability for the adversary to brute force search is still 1/q. 4.2. Attacks from the adversarial intermediate node In our signature schemes, the packets signed by sources via using a private key pair: (sk1, sk2). We have said that sk2 is mainly used to defend against the pollution attacks from source nodes, for the intermediate node, we assume that the packets are signed only by one private key: sk1. Theorem 2. IF an adversary F can forge source packet X 0i which from source node Si (i = 1, 2, . . ., m), then it can forge any encoded packets w0 .  Proof. For any encoded packet w0 ¼ w01 ; w02 ; . . . ; w0n ; w0nþ1 ; . . . ; mþn w0nþm Þ 2 F q , we know it’s combined as:

0

X1

B  0 0  B X2 w1 ; w2 ; . . . ; w0m  B B .. @ . Xm

1

C C C ¼ w0 C A

  there are infinitely many roots for this equation. Let X 01 ; X 02 ; . . . ; X 0m be a root of this equation. If F can forge source packet from Si, from the arbitrariness of the sources, we can conclude that adversary F can also forge source packet from any other source nodes by using the same method,   thus adversary F can forge source packets X 01 ; X 02 ; . . . ; X 0m and 0 compute the encoded packet w . On the one hand, from Theorem 2 we know that if an adversary can forge a source packet, it can forge any encoded packet. On the other hand, if an adversary can forge any encode packet, it’s

eðr; g 0 Þ  eðHðid; X i Þ; h0 Þ ¼ 1: Our signature scheme is secure against pollution attacks from the intermediate nodes if CDHP is hard, we prove it by the following theorem. h Theorem 3. If an adversary F forges a valid packet with probability e, then there is an algorithm A solves the CDHP with a probability related to e. As defined in Section 3, our hash function is deterministic, efficient and has uniform output values, so we prove this theorem based on random oracle model. Proof. Let F be an adversary attacking the scheme with the success probability e, then an algorithm A will solve the CDHP with probability related to e. Algorithm A is given G1, G2, e, g, h, g0, h0, k, where k ¼ g sk ; g 0 ¼ u g ; h0 ¼ g r0 ; sk is unknown to A. algorithm A then sets the public key PK = {H, g, g0, h0, d1, d2, . . . , dn+m}, simulates the challenger and interact with adversary F as follows: Random oracle queries. At any time F can query the random oracle H. A maintains an H-list as explain below to respond to queries. The H-list is initially empty. When F queries the value of gid,i, algorithm A responds as follows: 1. If the value of gid,i already appears on the H-list, then A simply returns that value. 2. Otherwise, A choose random y,z Zq and returns g id;i ¼ z g yi h i 2 G1 , A then adds this value to H-list. 3. The adversary F can get the hash value of any packet w ¼ ðw1 ; w2 ; . . . ; wn ; wnþ1 ; . . . ; wnþm Þ 2 F qmþn as:

Hðid; wÞ ¼

mþn Y

z

ðg yi h i Þwi :

i¼1

Signing queries. If F requests a signature on the vector subspace V, then A proceeds as follows: 1. Choose random id in Zq. If the same id was queried in some point earlier, then abort. 2. Choose Z = (z1, . . . , zm+n) V\; thus for any W 2 V, Z  W = (z1w1, . . . , zm+nwm+n) = 0. 3. Choose Y ¼ ðy1 ; . . . ; ymþn Þ F mþn . q z

4. For i ¼ 1; . . . ; m þ n; g id;i ¼ g yi h i 2 G1 . If the value of gid,i has been defined at some point earlier, then abort. 5. For i = 1, . . . , m, the signature ri on packet Xi is computed as: ri = kYX.

350

W. Yan et al. / Computer Communications 35 (2012) 344–351

6. Output id and r1, . . . , rm.

Table 1 Comparisons of performance.

We next show that the signatures ri outputted by A are identical to the signature that would produced by the real signing algorithm given the public key PK and hash queries produced by A. Since the signature in this algorithm is computed as follows:

ri ¼

mþn Y

!sk

x

ij g id;j

¼

mþn Y

j¼1

!sk z

ðg yj h j Þxij

¼

j¼1

mþn Y

!sk zx

ðg yj xij h j ij Þ

j¼1

 sk ZX ¼ g YX i h i As vector Z is orthogonal to Xi, so

 sk ZX YX g YXi h i ¼ g YX i sk ¼ g skYX i ¼ k i

mþn Y

r ¼ HðX Þ ¼

ðg

yi xi

h

zi xi

!sk Þ

¼ ðg Y



X 

Z  X  sk

h

Þ

j¼1 Y  X 

¼k

sk

ðh ÞZ

sk



X 

Y  X 



Verification operations

Communication overhead

Zhen’s [11] CJL’s [12] Jonathan’s [15] Jiang’s [16] Laszló’s [20]

No No No

(m + n + 1)Tme 1024 bits (m + n + 1)Tpair + (m + n)Tpm 160 bits 160 bits 2Tpair + (m + n)Tpm

No Yes

2Tpair + (m + n)Tpm (m + 1)Tpair + (m + n)Tpm

Fragouli’s [19] Our scheme

Yes

–a

Yes

Tpair + (m + n)Tpm

160 bits 160  l bits (1 6 l 6 m) 160  l bits (1 6 l 6 m) 160 bits

The verification operations in [19] depends on the specific hash function applied in this scheme.

1. X⁄ is not orthogonal to Z⁄, thus Z⁄  X⁄ – 0, then A outputs the  z correct answer. To see this, let g id;i ¼ g yi h i as above, and we have e(r⁄, g0)  e(H(id, X⁄), h0) = 1 then  sk

Multisource support

a

Exactly as returned by A. At some point, F outputs (id⁄, X⁄, r⁄), before outputting such a tuple, F queries g id ;i for i = 1, . . . , m + n, and A returns  z g id;i ¼ g yi h i 2 G1 , where yi and zi only known to A. If F succeeds with the probability e, thus tuple (X⁄, r⁄) is a valid packet-signature pair in generation id⁄, then we have the following two conditions:     We set Z i ¼ z1 ; . . . ; zmþn and Y i ¼ y1 ; . . . ; ymþn .



Scheme

 1

Thus h ¼ ðr k ÞðZ X Þ , then A solves the CDHP with probability negligible close to e. 2. If Z⁄  X⁄ = 0, then A outputs fail. As the vector Z⁄ only known to A, and this vector is uniformly distributed in F mþn , then the q probability that Z⁄  X⁄ = 0 is only 1/q, which is negligible. This completes the proof. h 4.3. Replay attacks

and Tpm the time cost to perform once point multiplication over an elliptic curve. Table 1 shows the comparison of computation complexity and signature length in six signature schemes. The schemes based on the elliptic curve in [12,15,16] and ours require the signature length with 160 bits, which is shorter than 1024 bits in Zhen’s scheme (based on the discrete logarithm with the same security level in practical networks) and 160  l bits in Laszlo’s [20] schemes. To verify a packet, our signature scheme has optimal computation complexity of verification among these schemes with the same communication overhead (160 bits), it requires only Tpair + (m + n)Tpm, while CJL’s [12] requires (m + n + 1)Tpair + (m + n)Tpm, Jonathan’s [15] and Jiang’s [16] requires 2 Tpair + (m + n)Tpm, Zhen’s [11] requires (m + n + 1) Tme and Laszlo’s [20] requires (m + 1)Tpair + (m + n)Tpm. From this table, we can compute the memory-times computational cost as:

Memory  times computational cost ¼ computation time  size of signature: By this way, we compared these schemes in experiment, the implementation of these scheme is built on MATLAB and tested on core i3 2.26 GHz Windows XP machine. We chose time parameters as: Tpair = 11 ms [22], Tpm = 2.56 ms [23] and Tme = 2.25 ms

Adversary may inject an old packet-signature tuple (w0 , r0 ) from a previous generation into current generation of network coding, so it is necessary for our scheme to filter out these replayed tuples. Let (w0 , r0 ) denotes an old packet-signature pair from a previous generation id0 , id is the identifier of current generation. For the same packet w0 , we have h(PK, id0 , w0 ) – h(PK, id, w0 ), then 0

eðr0 ; g 0 Þ  hðPK; id; w0 Þ – eðr0 ; g 0 Þ  hðPK; id ; w0 Þ: As we know e(r0 , g0)  h(PK, id0 , w0 ) = 1, then we can get:

eðr0 ; g 0 Þ  hðPK; id; w0 Þ – 1: Thus vrfyPK(id, w0 , r0 ) – 1 in current generation. To sum up, we can conclude that our signature scheme is secure enough to defend against pollution attacks and replay attacks. 5. Performance analysis In this section, we compare the proposed scheme with schemes in [11,12,15,16,20] in terms of computation overhead, communication overhead and multi-source supporting, respectively. Let Tpair denote the time cost to perform once pairing operation, Tme the time cost to perform once modular exponent operation,

Fig. 4. Comparison of memory-times computational cost in [11,12,19,20] and ours.

W. Yan et al. / Computer Communications 35 (2012) 344–351

[23]. The result is shown in the Fig. 4. From the picture we can see it is obvious that our scheme has the smallest compute the memory-times computational cost. As we introduced the concept of generation into this system model, our scheme is not only suitable for the condition that each source in network only has one file to be sent, but also can be applied in the networks that all the source nodes need to transmit multiple files constantly without changing private keys and public keys. 6. Conclusion We studied several security challenges in multi-source network coding, proposed a novel homomorphic signature scheme for multi-source network coding to defend against the pollution attacks, and proved the security of this proposed signature scheme. Though there are multiple sources for signing the packets, the size of signature in our scheme is still as short as the sizes in [12,15,16] (about 160 bits in practical networks) and shorter than the size in [11,19] (whose size are 1024 bits and 160  l, respectively). The verification in our scheme requires only one pairing computation and m + n point multiplications; meanwhile, it is faster than those 160 bits signature schemes in the single-source network. Acknowledgment This research was supported by the National Natural Science Foundation of China (under Grant No. 60672137, 60874053). References [1] R. Ahlswede, N. Cai, S. Li, R.W. Yeung, Network information flow, IEEE Trans. Inf. Theory 46 (4) (2000) 1204–1216. [2] S. Li, R. Yeung, N. Cai, Linear network coding, IEEE Transactions on Information Theory 49 (2) (2003) 37138. [3] T. Ho, R. Koetter, M. M’edard, D.R. Karger, M. Effros, The benefits of coding over routing in a randomized setting, in: International Symposium on Information Theory (ISIT), 2003. [4] T. Ho, M. M’edard, J. Shi, M. Effros, D.R. Karger, On randomized network coding, in: Proceedings of the 41st Annual Allerton Conference on Communication Control and Computing, October 2003.

351

[5] T. Ho, B. Leong, R. Koetter, M. Medard, M. Effros, D. Karger. Byzantine modification detection in multicast networks using randomized network coding, in: IEEE International Symposium on Information Theory (ISIT), 2004. [6] S. Jaggi, Design and Analysis of network Codes, Ph.D. Thesis, California Institute of Technology, 2006. [7] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Medard, Resilient network coding in the presence of Byzantine adversaries, IEEE Infocom (2007). [8] M.N.Krohn, M.J.Freedman, D.Mazi’eres, On-the-fly verification of rateless erasure codes for efficient content distribution, in: IEEE Symposium on Security and Privacy, Oak-land, CA, 2004, pp. 226–240. [9] Fang Zhao, Ton Kalker, M. M’edard, Keesook J. Han, Signatures for content distribution with network coding, in: ISIT2007, Nice, France, June 24–June 29, 2007. [10] Jing Dong, Reza Curtmola, Cristina Nita-Rotaru, Practical defenses against pollution attacks in intra-flow network coding for wireless mesh networks, in: Proceedings of the Second ACM Conference on Wireless Network Security(WiSec 2009), Zurich, Switzerland, 2009. [11] Zhen Yu, YaWen Wei, Bhuvaneswari Ramkumar, Yong Guan, An efficient signature-based scheme for securing network coding against pollution attacks, in: INFOCOM 2008, The 27th Conference on Computer Communications, IEEE, 2008. [12] D. Charles, K. Jian, K. Lauter, Signature for network coding, Technique Report MSR-TR-2005-159, Microsoft, 2005. [13] A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms to logorithms in a finite field, IEEE Transactions on Information Theory 1646 (5) (1993) 1639. [14] V. Miller, Short Programs for Functions over Curve, unpublished manuscript, 1986. . [15] Jonathan Katz, Brent Waters, Compact signatures for network coding, 2008. . [16] Yixin Jiang, Haojin Zhu, Minghui Shi, Xuemin Shen, Chuang Lin, An efficient dynamic-identity based signature scheme for secure network coding, Computer Networks (2009). [17] C. Gkantsides, P. Rodriguez, Cooperative security for network coding file distribution, in: Proceedings of the IEEE INFOCOM, 2006. [18] R. Gangishetti, M.C. Gorantla, M.L. Das, A. Saxena, V.P. Gulati, An efficient secure key issuing protocol in ID-based cryptosystems, Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC 2005), vol. 1, IEEE Computer Society, 2005, pp. 674–678. [19] Shweta Agrawal, Dan Boneh, Xavier Boyen, David Mandell Freeman, Preventing pollution attacks in multi-source network coding, in: Proceedings of PKC 2010. [20] L’aszl’o Czap, Istv’an Vajda, Signatures for multi-source network coding. . [21] Aaram Yun, Jung Hee Cheon, Yongdae Kim, Brief contributions on homomorphic signatures for network coding, IEEE Transactions on Computers 59 (9) (2010). [22] Ben Lynn, PBC Library. . [23] Wei Dai, Crypto++Ò Library 5.6.1. . [24] Christina Fragouli, Emina Soljanin, Network coding fundamentals, Foundations and TrendsÒ in Networking 2 (1) (2007) 1–133. pp .86.