Signatures for Network Coding - PowerPoint PPT Presentation


1
Signatures for Network Coding
  • Denis Charles
  • Kamal Jain
  • Kristin Lauter
  • Microsoft Research

2
Network Coding Set-up
  • A directed graph of users G
  • A server (source) distributing content
  • Content is divided into packets and represented
    as vectors in a vector space
  • Each node receives linear combinations of packets
    from other nodes
  • At each node, new linear combinations of received
    packets are formed and sent out along new edges
  • Extra bits keep track of which linear combination
    at each step

3
Pollution attacks
  • A malicious node can inject garbage into the
    distribution network
  • If undetected, the garbage will pollute the whole
    network, as meaningless packets are combined with
    others and redistributed
  • Signatures on received packets can be used to
    check for garbage

4
Assumptions
  • Public key digital signatures
  • Only the server possesses the secret key for
    signing
  • Any node can verify signatures using public
    information
  • So how can nodes re-sign linear combinations of
    received packets?

5
Homomorphic signature scheme
  • Our solution is based on
  • Elliptic curves
  • Bilinear pairing (Weil pairing)
  • Homomorphic hashing of content onto points on the
    elliptic curve
  • BLS-type signatures (Boneh-Lynn-Shacham)
  • Security reduction to ECDLP
  • (Elliptic curve discrete logarithm problem)

6
Elliptic curves over finite fields
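  • Finite field $\mathbb{F}_q$ with $q$ elements, $A, B \in \mathbb{F}_q$
  • Elliptic curve over $\mathbb{F}_q$ with equation
  • $y^2 = x^3 + Ax + B$
  • $E(\mathbb{F}_q) = \{(x, y) : y^2 = x^3 + Ax + B\} \cup \{\infty\}$
  • has a group structure and a bilinear pairing
  • $e_m : E[m] \times E[m] \to \mathrm{alg}(\mathbb{F}_q)$ satisfying
  • $e_m(S_1 + S_2, T) = e_m(S_1, T)\, e_m(S_2, T)$
  • $e_m(S, T_1 + T_2) = e_m(S, T_1)\, e_m(S, T_2)$.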

7
Homomorphic hashing and signing
  • Vectors (packets) with coefficients $v_i \in \mathbb{F}_p$ are
    hashed to linear combinations of public p-torsion
    points on $E/\mathbb{F}_q$
  • $R_1, \ldots, R_k, P_1, \ldots, P_d \in E(\mathbb{F}_q)[p]$
  • $k$ = number of vectors, $d$ = dimension of vector space
  • Server has secret keys for signing
  • $s_1, \ldots, s_k$ and $r_1, \ldots, r_d \in \mathbb{F}_p$
  • signs the packet by computing the signature of
    hash
  • $\sum s_i v_i R_i + \sum r_i v_i P_i$
  • Server also publishes $Q$, $s_j Q$ and $r_i Q$
  • $Q$ is another point in $E(\mathbb{F}_q)[p]$ which is linearly
    independent from the points $R_1, \ldots, R_k, P_1, \ldots, P_d$

8
Bilinearity of the pairing
  • Verification of signatures uses bilinearity of
    the pairing since $e_m(s_i v_i R_i, Q) = e_m(v_i R_i, s_i Q)$
  • Received valid signatures can be recombined to
    accompany new outgoing combinations of packets
    since the signature of the sum is the sum of the
    signatures
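
The sign, verify and recombine steps of slides 7 and 8, as an added example that is not from the presentation. It is a toy algebraic model with no security: p-torsion points are pairs in Z_p x Z_p with known coordinates, and the pairing returns the exponent of a p-th root of unity. All names and parameter values are constructed, and the packet layout (k tracking coefficients followed by d data coordinates) is an assumption.

```python
# Toy model with NO security: points of E[p] are modelled as pairs in Z_p x Z_p,
# and pair(S, T) returns the exponent of a fixed p-th root of unity, so products
# of pairing values become sums mod p. It only shows why the equations balance.
P_MOD = 1_000_003                      # constructed small prime standing in for p

def add(S, T):
    return ((S[0] + T[0]) % P_MOD, (S[1] + T[1]) % P_MOD)

def mul(c, S):
    return (c * S[0] % P_MOD, c * S[1] % P_MOD)

def pair(S, T):                        # bilinear and alternating, like e_m
    return (S[0] * T[1] - S[1] * T[0]) % P_MOD

def lin(coeffs, points):               # sum of c_i * S_i
    acc = (0, 0)
    for c, S in zip(coeffs, points):
        acc = add(acc, mul(c, S))
    return acc

# Constructed parameters: k = 2 source vectors, d = 3 data coordinates.
BASE = [(3, 0), (5, 0), (7, 0), (11, 0), (13, 0)]    # R_1..R_k, P_1..P_d
Q = (0, 1)                                           # independent of BASE
SECRET = [101, 203, 307, 401, 503]                   # s_1..s_k, r_1..r_d
PUBLIC = [mul(x, Q) for x in SECRET]                 # published s_i Q, r_j Q

def sign(v):                           # server only: needs SECRET
    return lin([x * c for x, c in zip(SECRET, v)], BASE)

def verify(v, sig):                    # any node: uses BASE, Q, PUBLIC only
    rhs = sum(c * pair(B, X) for c, B, X in zip(v, BASE, PUBLIC)) % P_MOD
    return pair(sig, Q) == rhs

def combine(a, v, sig_v, b, w, sig_w): # intermediate node: no secret key
    packet = [(a * x + b * y) % P_MOD for x, y in zip(v, w)]
    return packet, add(mul(a, sig_v), mul(b, sig_w))

def demo():
    v = [1, 0, 10, 20, 30]             # constructed packets
    w = [0, 1, 40, 50, 60]
    u, sig_u = combine(4, v, sign(v), 9, w, sign(w))
    polluted = list(u)
    polluted[3] = (polluted[3] + 1) % P_MOD   # one altered data coordinate
    return verify(v, sign(v)), verify(u, sig_u), verify(polluted, sig_u)

if __name__ == "__main__":
    print(demo())
```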

9
Security
  • Theorem: Finding a collision of the hash function
    h is polynomial-time equivalent to computing the
    discrete log on the elliptic curve E.
  • Fact: Forging signatures is as hard as the
    computational Diffie-Hellman problem on the curve
    E.
  • Our scheme establishes authentication in addition
    to detecting pollution.

10
Implementation
  • If we take the prime $p$ to be 170 bits, this is
    equivalent to 1024 bits of RSA security. We can
    set up the system with $q = p^2$.
  • Communication overhead per vector is two elements
    of $\mathbb{F}_p$ (the x and y coordinates of a point) = 340
    bits. We can reduce this overhead to 171 bits at
    the cost of increasing computational cost.
  • Computation of signature of vector at an edge e
    is $O(\mathrm{indeg}(\mathrm{in}(e)))$ operations in $\mathbb{F}_p$.
  • Verification requires $O((d + k) \log^{2+\epsilon} q)$ bit
    operations
  • Complete setup of the system at the server can be
    done in polynomial time (assuming a number
    theoretic conjecture of Hardy-Littlewood).