An efficient ECC-based mechanism for securing network ...idc.hust.edu.cn/~rxli/publications/2014/PPNA2014_ESNC.pdf · topologies, and can support systems with any size. It is an integrated

An efficient ECC-based mechanism for securing networkcoding-based P2P content distribution

Heng He & Ruixuan Li & Zhiyong Xu & Weijun Xiao

Received: 30 December 2011 /Accepted: 30 September 2013 /Published online: 10 November 2013# Springer Science+Business Media New York 2013

Abstract Network coding has been demonstrated to be ableto improve the performance of P2P content distribution.However, it is vulnerable to pollution attacks where maliciouspeers can flood the network with corrupted blocks easily,leading to substantial performance degradation. Moreover,existing corruption detection schemes for network codingare not well suited to P2P systems. Effective scheme to detectthe corruption and identify the attacker is required to thwartsuch attacks. In this paper, we propose an efficient ECC-basedmechanism for securing network coding-based P2P contentdistribution, namely ESNC, which includes an efficient net-work coding signature scheme and an identity-based mali-cious peer identification scheme. The two schemes cooperateto thwart pollution attacks on network coding effectively inP2P networks, not only detecting corrupted blocks on-the-flyefficiently, but also precisely identifying all the maliciouspeers quickly. ESNC is mainly based on elliptic curve cryp-tography (ECC) and can provide high level of security. Itincurs significantly less computation and communicationoverheads than other comparable state-of-the-art schemes forP2P systems. ESNC can work with arbitrary topologies, as it

is the case in P2P networks. Security analysis demonstratesthat ESNC can resist hash collision attacks, signature forgeryattacks, and collusion attacks with arbitrary number of collud-ing malicious peers. Simulation results show that ESNC ef-fectively limits the corruption spread and identifies all themalicious peers in a short time under different practicalsettings.

Keywords Peer-to-peer . Network coding . Contentdistribution . Pollution attack . Attacker identification .

Elliptic curve cryptography

1 Introduction

Peer-to-peer (P2P) overlay networks have proven to be a verysuccessful distributed architecture for content distribution.However, P2P content distribution systems often suffer fromlow efficiency which decreases their overall performance [1].Such inefficiency often arises from the facts that there isrelatively no central scheduler that decides how contentshould propagate through the network; peers make decisionsonly with local information in a large distributed environment;and peers are inherently dynamic. These facts may cause somecontent blocks to become rare or even unavailable when theoriginal peers (referred to as seeds) are no longer available,which will affect the availability of the content.

Network coding was initially proposed to maximize thenetwork throughput and robustness to link failures [2] ininformation dissemination, and has since received extensiveresearch attention. It is a promising approach in many practi-cal network applications, such as traditional multicast orbroadcast networks [3], wireless sensor networks [4, 5], andP2P networks [1, 6–11]. The essence of network coding is thatinformation to be transmitted in a communication session canbe encoded rather than simply forwarded by the participating

H. He :R. Li (*)School of Computer Science and Technology, Huazhong Universityof Science and Technology, Wuhan, People’s Republic of Chinae-mail: [email protected]

H. Hee-mail: [email protected]

Z. XuDepartment of Mathematics and Computer Science, SuffolkUniversity, Boston, TX, USAe-mail: [email protected]

W. XiaoDepartment of Electrical and Computer Engineering, VirginiaCommonwealth University, Richmond, VA, USAe-mail: [email protected]

Peer-to-Peer Netw. Appl. (2014) 7:572–589DOI 10.1007/s12083-013-0239-x

peers. Recent studies [1, 10, 12] have demonstrated thatnetwork coding can bring great benefit for P2P content distri-bution, since it can improve the resilience to peer churn,decrease bandwidth costs, and achieve high efficient distribu-tion. Network coding distributes encoded content blocks rath-er than original content blocks, and all encoded blocks areequivalent and useful to any peer, thus the need for selectingblocks and locating rare blocks is eliminated.

However, these main advantages of network coding areapplicable in a P2P network only consisting of trustworthypeers, which is not the case in many realistic scenarios. Inlarge scale P2P distributed systems, there exists the possibilitythat some peers are malicious and may alter and corrupt theencoded content blocks. These malicious peers injectcorrupted blocks which do not carry valid information in thenetwork to jam the download. The receiving peer will obtaincorrupted blocks, and, if the receiving peer uses these blocksto produce new encoded blocks, it will inject more corruptedblocks in the network involuntarily. As a result, a singlecorrupted block can rapidly pollute the network. A receivingpeer may discover after downloading the entire file that it wasreceiving corrupted blocks from malicious peers and cannotdecode the file. Since each peer produces unique encodedblocks which cannot be signed by the server individually,commonly used methods for protecting the integrity of eachblock by using digital signatures or hashes do not work withnetwork coding.

The network-coding pollution attack in P2P network canbe defined as that a malicious peer can inject corrupted blocks,which do not carry valid information, to its downstream peers,and further contaminate the entire downstream, preventingproper decoding. Network coding-based content distributionis vulnerable to such kind of attack. The attack can causesubstantial performance degradation of the distribution net-work, wasting bandwidth in distributing corrupted content,and increasing the time to download the entire file. Therefore,it is critical to design mechanisms to thwart such attacks inP2P networks.

Corruption detection schemes for network coding havebeen well studied, in which peers verify encoded blocks on-the-fly to prevent downloading corrupted blocks.Homomorphic hashing functions have first been introducedby Krohn et al. [13] to allow intermediate peers to verifyblocks on-the-fly that are encoded at the source using ratelesscodes. However, homomorphic hash functions are computa-tionally expensive and if each peer verifies all incomingblocks before using them, the computation overheads maybe very large. Gkantsidis et al. [6] proposed a cooperativesecurity scheme based on homomorphic hashing technologyfor network coding in P2P networks. The scheme reduces thecomputational time of the homomorphic hashes by only re-quiring peers to verify blocks probabilistically and makespeers cooperate to protect themselves against malicious peers

by alerting affected peers when a corrupted block is discov-ered. However, the scheme cannot identify and remove mali-cious peers, which means attackers can continuously generatecorrupted blocks that will cause more computation and com-munication overheads. Several other schemes [14–22] havealso been proposed to thwart pollution attacks on networkcoding, but they are generally rather expensive or not appli-cable to P2P systems. These schemes either incur high com-putation overheads [15–17], cause relatively high extra trans-mission overheads [6, 15], endure weak scalability [18, 20,21], work only on fixed, known topologies [19], suffer fromcollusion attacks [14, 18, 22], or provide low level of security[14, 18, 19] compared to homomorphic hashing. Compared tothe research on corruption detection schemes, identifyingattackers has received much less attention. However, attackeridentification is a more desirable and efficient scheme becauseit addresses the pollution attack at its root, not just detectingcorrupted blocks. Therefore, it prevents network resources,such as bandwidth and CPU time from being continuallywasted on dealing with corrupted blocks from maliciouspeers.

These aforementioned deficiencies and the new researchdirection motivate us to explore more efficient schemes. Inthis paper, we propose an efficient ECC-based mechanism forSecuring Network Coding-based P2P content distribution,namely ESNC. ESNC does not require any special or fixedtopologies, and can support systems with any size. It is anintegrated mechanism because it consists of both an efficientnetwork coding signature scheme and an identity-based mali-cious peer identification scheme. The two schemes cooperateto thwart pollution attacks on network coding effectively inP2P systems. More specifically, we present a network codingsignature scheme, using which every peer can verify encodedblocks on-the-fly efficiently. The scheme is designed on ellip-tic curve cryptography (ECC) [23] and can achieve both highsecurity and performance. To further optimize computationalperformance, we employ batch verification approach in thescheme, by which a peer can quickly verify multiple encodedblocks in batch such that the total verification costs can bedramatically reduced. Furthermore, we present a maliciouspeer identification scheme, which can precisely pinpoint allthe malicious peers and eliminate them from the networkquickly. To achieve rapid identification of malicious peers,in our scheme, we introduce a fast block verification approachbased on the property of the orthogonal space of vectors, andpresent a lightweight block signature approach which holdsevery peer accountable for the blocks it sends out. We alsoevaluate ESNC through detailed analysis and simulations, andresults demonstrate the high security and performance of theproposed schemes.

ESNC is a unique and complete mechanism for securingnetwork coding-based P2P content distribution, which simul-taneously possesses the following notable properties: (1)

Peer-to-Peer Netw. Appl. (2014) 7:572–589 573

Corruption detection: each peer can check the validity ofencoded blocks on-the-fly efficiently. (2) Attacker identifica-tion: all the malicious peers in the network can be identifiedquickly. (3) High level of security: ESNC is mainly based onECC and its security is based on elliptic curve discrete loga-rithm problem (ECDLP) [23]. It can resist hash collisionattacks, signature forgery attacks, and collusion attacks witharbitrary number of colluding malicious peers. (4) Low over-heads: ESNC incurs low computation and communicationoverheads. For the proposed network coding signaturescheme, since it is based on ECC and supports batch verifica-tion, the computation overheads are lower than other compa-rable state-of-the-art schemes [6, 15–17] for P2P systems. Todistribute a file, the signature of the file is only about 0.29 %the total file size. For the malicious peer identification scheme,since some fast verification approaches are used, the compu-tation overheads are trivial, compared with those of the net-work coding signature scheme. Besides, the signature, servingas evidence, is only 48 B for a block. (5) Topology indepen-dent: ESNC does not require any special or fixed topologies,which makes it suitable for P2P systems.

The rest of the paper is organized as follows. Section 2gives some preliminaries related to the proposed research.Section 3 describes the network coding signature scheme.Section 4 describes the identity-based malicious peer identifi-cation scheme. Section 5 analyzes the hash collision andsignature forgery attacks, and discusses some security prob-lems of ESNC. Section 6 gives the evaluation results of ESNCin terms of computation overheads, communication overheadsand efficiency respectively. Section 7 presents the relatedwork. Section 8 concludes the paper.

2 Preliminaries

In this section, we briefly present practical P2P content distri-bution with network coding, followed by introduction toorthogonal space and elliptic curve cryptography, which isthe foundation of ESNC. At last, we present the networkmodel, the attack model and some assumptions of ESNC.

2.1 Content distribution with network coding

We consider a mesh-structured P2P content distribution net-work that involves a potentially large number of overlay peersand a source server that distributes contents (e.g. softwareupdates, critical patches, videos, and other large files) to thepeers. Assume that a file originally exists on the source. Todistribute file, the source first divides the file into multiplegenerations, each of which consists of m content blocks. Forclarity, we focus on a single generation.We denote the originalblocks of the generation as b1' , …, bm′ . Each block bi′ issubdivided into r codewords bi ′=(b1i,…,bri)∈Fqr, 1≤i ≤m .

To perform encoding operations of network coding, the sourcethen augments each block bi’ with m symbols, with 1 atposition i and 0 elsewhere, to form the augmented block bi.Hence, the generation can be considered as a (r + m ) × mmatrix G of elements in the finite field Fq, where prime q isthe field size and m << r.

G ¼ b1; b2;…; bmð Þ ¼

b1;1 b1;2 ⋯ b1;mb2;1 b2;2 ⋯ b2;m⋮ ⋮ ⋱ ⋮br;1 br;2 ⋯ br;m1 0 ⋯ 00 1 ⋯ 0⋮ ⋮ ⋱ ⋮0 0 ⋯ 1

0BBBBBBBBBB@

1CCCCCCCCCCA

With network coding, both the source and the peers per-form encoding operations. Whenever a peer or the sourceneeds to forward an encoded block of the generation toanother peer, it produces a linear combination of all the blocksof the generation it currently stores. The operation of thesystem is best described in Fig. 1.

When the source attempts to send an encoded block en topeerA , it first picksm random coefficients (c1n,…, cmn) fromFq. Then the source creates en = (e1n, …, ern, c1n, …, cmn)by linearly combining the blocks b1, …, bm with (c1n, …,cmn) as

en ¼Xm

i¼1cinbi ¼

Xm

i¼1cinb1;i;⋯;

Xm

i¼1cinbr;i; c1n;…; cmn

� �;

ð1Þ

where (c1n, …, cmn) is referred to as the global coefficientvector. In other words, en is obtained by multiplying itscoefficient vector with matrix G in Fq.

Assume that peer A has received n (n ≤m) encoded blockse1, …, en of the generation, either from the source or from

Fig. 1 Sample description of network coding system

574 Peer-to-Peer Netw. Appl. (2014) 7:572–589

other peers. When A needs to send an encoded blocke t = (e 1t , …, e rt , c 1t , …, cmt) to its downstream peerB , it first picks n random local coefficients (l 1, …, l n)from Fq , then produces e t as

et ¼Xn

j¼1l je j: ð2Þ

According to Equations (1) and (2), the global coefficientvector (c1t,…, cmt) of e t(s.t., e t=∑ i=1

m citb i) is computed byc it=∑ j=1

n l jc ij, where (c1j, …, cmj) is the global coefficientvector of encoded block e j, 1 ≤ j ≤ n . Therefore,

et ¼Xm

i¼1

Xn

j¼1l jcij

� �bi: ð3Þ

A peer can reconstruct the original blocks of the generationas soon as receiving m encoded blocks of the generation forwhich the associated global coefficient vectors are linearlyindependent to each other. The decoding process is similarto solving a system of linear equations.

Consider the case that encoded block e t is a corrupted one,then we have

et≠Xm

i¼1citbi: ð4Þ

2.2 Orthogonal space

The orthogonal space of matrix G , denoted as V, is the set ofall the vectors v for which vG = 0. According to the propertyof the orthogonal space, we have

rank Gð Þ þ dim Vð Þ ¼ mþ r;

where rank(G) denotes the rank ofG , and dim(V) denotes thedimension of V. Since rank(G ) = m , dim(V) = r. Therefore, Vis spanned by the basis vectors (v1,…, vr) which can be foundfrom G using Gaussian elimination.

Thus, each encoded block is orthogonal to any combina-tion of the basis vectors (v1,…, vr) of V. That is, for encodedblock e t, we have

etvT ¼ 0:

2.3 Elliptic curve cryptography

Elliptic curve cryptography (ECC) is a type of public keycryptography (PKC) based on elliptic curve theory [23].Compared with other PKC systems such as RSA and DSA,ECC uses significantly smaller parameters, but providesequivalent level of security. Some benefits of having smallerkey sizes include faster computations, and reductions in pro-cessing power, storage space and bandwidth.

The operation of ECC-based schemes involves arithmeticoperations on an elliptic curve E over a finite field Fp (denot-ed as E (Fp)) determined by some elliptic curve domain pa-rameters T = (p , o1, o2, P, q ), which are comprised of a primepower p specifying the field size of Fp, two field elements o1

and o2 that specify the equation of the elliptic curve E(Fp), apoint P = (xP, yP) on E(Fp), and a prime q which is the orderof P. Then the cyclic subgroup of E (Fp) generated by P is<P> = {O , P, 2P, 3P, …, (q − 1)P}, where point O denotesthe point at infinity.

With the elliptic curve domain parameters, an entity A’sprivate key is defined as a random integerd , 1 ≤ d ≤ q − 1, andits public key is defined as a point Q on E (Fp),Q = dP. Notethat the security of all the ECC-based schemes is based on theapparent intractability of the following elliptic curve discretelogarithm problem (ECDLP):

Given an elliptic curve E (Fp), a point P ∈ E(Fp) of orderq , and a pointQ ∈ <P>, determine the integer g , 0 ≤ g ≤ q − 1,such that Q = gP.

Note that the central operation of ECC-based schemes ispoint multiplication (e.g. Q = gP ), which dominates theexecution time of most schemes.

2.4 Network model

ESNC can work with arbitrary topologies. Without loss ofgenerality, we consider a mesh-structured P2P content distri-bution network connecting a source server and a potentiallylarge number of overlay peers, with no regular topology, asshown in Fig. 2.

We assume that a file originally exists on the source server.When the server wishes to publish the file, it encodes the fileand distributes encoded blocks to multiple peers simulta-neously. Peers download blocks from the server or other peers,and then distribute new encoded blocks which are produced aslinear combinations of encoded blocks they hold. In Fig. 2,peer B can upload blocks to peers D , E , F, and downloadblocks from peers A , C . This subset of peers that B cancontact with are called as the neighbors of B and B knowsthe identities of its neighbors, more specifically, peers A , C

Fig. 2 Network model of mesh-structured P2P network


are the upstream neighbors of B and peers D , E , F are itsdownstream neighbors.

2.5 Attack model and assumptions

We assume that an arbitrary subset of the total peers is mali-cious. These malicious peers try to disrupt the distribution ofthe file by launching network-coding pollution attacks, so thatlegitimate peers cannot decode the file and the network per-formance will be reduced significantly. A malicious peercould send any corrupted blocks to any of its downstreamneighbors. To disturb security schemes, it can also eavesdrop,modify or drop any messages passing through it, and even tryto disparage innocent peers. In addition, multiple maliciouspeers can collude to launch attacks. P2P networks can sufferfrom a kind of attack called Sybil attack. In this attack, amalicious user can control multiple malicious peers, eachone associated to an identity. This way, if there is not alimitation on the number of identities he can obtain, he couldcontrol a big part of peers, which can enhance the power ofpollution attacks. In this paper, we focus on the pollutionattack in network coding-based P2P content distribution, anddesign schemes to detect corrupted blocks on-the-fly andprecisely identifymalicious peers. How to thwart Sybil attacksexceeds the scope of this paper, which has been extensivelystudied (e.g. [24]).

We assume the source server is trusted, and publicly knownso that each peer can contact it directly. To implement ESNC,we make the source server perform some security operationsas a central authority like the related schemes [6, 9]. Tomaintain good system scalability and security, we make theoperations performed by the server as few as possible.Although we use such a server, ESNC can be extended to afully distributed mechanism, for example, the signature of thefile can be generated by the peer itself who want to publish thefile, instead of the server; when cooperating with reputationsystems [25–28] in P2P networks, ESNC can delegate themalicious peer identification to the peers with high reputation.In this paper, we focus on the design and implementation ofESNC. The extension work is out of the scope of this paperand we leave it as our future work.

3 An efficient network coding signature scheme

When using network coding for P2P content distribution, thesystem is vulnerable to pollution attacks. However, the com-monly used methods for protecting the integrity of contentblocks by using digital signatures or hashes do not work withnetwork coding, since each peer produces unique encodedblocks which cannot be signed by the server. In this section,we propose an efficient network coding signature scheme todetect corrupted blocks on-the-fly effectively. It can provide

high level of security as the homomorphic hashing and homo-morphic signatures proposed in [6, 15–17], which are consid-ered as some of the best solutions to prevent pollution attackson network coding.Moreover, compared to these schemes, ourscheme incurs less computation and communication over-heads. Thus our scheme is more applicable to P2P systems.

3.1 Basic scheme

The proposed signature scheme is based on ECC. The basicscheme mainly consists of three parts: setup, sign, andverification.

Setup: The source server sets up the ECC domain pa-rameters and the signature keys.

(1) Generate ECC parameters T = (p , o1, o2, P, q ),which are described in Section 2.3. Then generate arandom integer d from the interval [1, q–1] as itsprivate key, and compute its public key as Q = dP.

(2) Generate r random points K = {K1, K2, …, Kr} ∈<P> as its signature keys.

(3) Publicize the security parameters {T, Q , K} to allpeers. In the following, H denotes a cryptographichash function such that MD5 or SHA-1. For clarity,we focus on a single generation of the file in thefollowing sign and verification algorithms.

Sign: The source computes the signature of the genera-tion as Algorithm 1. The signature S can be denoted as(σ1, …, σm, x , z ). In S , (σ1, …, σm) is the hash of thisgeneration, which is simply the vector of the hash of eachoriginal block in this generation, and it will be used toverify encoded blocks on-the-fly; (x , z) is the signature of(σ1, …, σm). The signatures of other generations arecomputed in the same way. Signatures of all the genera-tions constitute the signature of the file and the sourcedistributes them to its downstream peers before propagat-ing encoded content blocks.

Algorithm 1 Signature computation of the generation

INPUT: ECC parameters T, private key d , m originalblocks bi′ (i = 1, …, m ) of the generation, file identifieridF, generation identifier idG, signature keys K .OUTPUT: Signature of the generation S = (σ1,…,σm, x, z).

(1) Compute the hash value for each block bi′ = (b1i,…, bri) as a point σ i=(x i,y i)=∑ j=1

r b jiKj, for i = 1,…, m .

(2) Compute h = H(σ1, …, σm, idF, idG).(3) Select a random integer s from [1, q − 1].(4) Compute sP = (x′ , y′ ) and x = x′ mod q . If x = 0 then

go to step 3.


(5) Compute z = s − d − hx (mod q ). If z = 0 then go tostep 3.

(6) Return S = (σ1, …, σm, x , z).

Verification: When a peer B joins the system, it firstdownloads the signature of the file from its neighbors.Since signatures of different generations are generatedseparately, B can download them simultaneously frommultiple neighbors quickly. To verify the signature of ageneration, B performs Algorithm 2. If B receivesinvalid signatures from a neighbor, B disconnectsfrom it and re-downloads these signatures from otherneighbors. Our evaluation results in Section 6.2 showthat the signature of the file is quite small, so it can bepropagated quickly to all the peers. After downloadingthe signature of a generation, B can start downloadingencoded blocks of this generation immediately.

Algorithm 2 Signature verification of the generation

INPUT: ECC parameters T, public key Q , signature ofthe generation S = (σ1, …, σm, x , z ), file identifier idF,generation identifier idG.OUTPUT: Acceptance or rejection of the signature.

(1) Verify that x and z are integers in the interval [1, q − 1].If any verification fails, then return (“Reject thesignature”).

(2) Compute h = H(σ1, …, σm, idF, idG).(3) Compute w = z + hx (mod q ).(4) Compute R = wP + Q = (x′ , y′) and u = x′ mod q .(5) If u = x then return (“Accept the signature”); else

return (“Reject the signature”).

Verification: Then peer B uses the signature of thefile, which consists of signatures of all the generations,to verify encoded blocks on-the-fly. The signatures ofdifferent generations are used to verify encoded blocksof different generations correspondingly. For anencoded block of a generation, B uses the signatureof this generation to verify the block as Algorithm 3.

Algorithm 3 Encoded block verification

INPUT: ECC parameters T, signature of the generationS = (σ 1, …, σm , x , z ), signature keys K , an encodedblock e t = (e1t, …, ert, c1t, …, cmt) of the generation.OUTPUT: Acceptance or rejection of the block.

(1) Compute the hash value of the block as θ t=∑ j =1

r e jtK j .(2) Compute the hash value of the block as ω t =

∑ i=1m citσ i.

(3) If θ t = ω t, e t is valid, then return (“Accept theblock”); else return (“Reject the block”).

In this algorithm, the computation of the hash value of anencoded block requires multiple point multiplication opera-tions, which may be expensive for some participating peers. Ifpeers verify every encoded block, the system performancemay decrease significantly. To reduce the computation over-heads, we employ batch verification approach. More specifi-cally, each peer verifies blocks probabilistically and blocksthat have not been verified are kept in an insecure window;every time a peer receives an encoded block, it verifies all theencoded blocks of the same generation in the insecure windowusing batch verification with some probability. Batch verifi-cation is based on Algorithm 3 and will be described inSection 3.3.

Note that batching block verification has the risk of lettingsome corrupted blocks propagate since blocks are transmittedwithout being verified. Moreover, with network coding,corrupted blocks are quickly re-combined with other validblocks at each peer. Therefore, a large portion of peersmay be corrupted and the system performance willdecrease significantly. To prevent corrupted blocks frominfecting large portions of the network, we incorporateinto our scheme a cooperative protection approach pro-posed in [6] where well-behaved peers cooperate toprotect themselves against malicious peers by informingaffected peers when corrupted blocks are discovered.We will describe the approach in Section 3.4.

3.2 Proof

Proof that signature verification works If a signature S = (σ1,…, σm, x , z) is indeed generated by the source, then z≡ s − d −hx (mod q). Rearranging gives

s ≡ zþ d þ hx ≡ wþ d mod qð Þ:ThusR =wP +Q = (w + d )P = sP and so u = x as required. □

Proof that encoded block verification works If the encodedblock e t = (e1t, …, ert, c1t, …, cmt) is valid (not corrupted),according to Equations (1),(3),(4), then

θt ¼Xr

j¼1ejtK j ¼

Xr

j¼1

Xm

i¼1citbji

� �K j

¼Xm

i¼1cit

Xr

j¼1bjiK j

� �¼

Xm

i¼1citσi ¼ ωt:□

Note that encoded block verification possesses homomor-phic property, as the hash value of a linear combination ofsome input blocks can be constructed by a combination of thehashes of the input blocks.


3.3 Batch verification

Because of the homomorphic property possessed by blockverification, we can verify bocks of the same generation usingbatch verification, which can verify multiple blocks of thegeneration synchronously instead of sequentially. The batchverification can accelerate the verification process significant-ly and thus optimize the system performance.

Assume that we have a batch of n (n ≤ m) encoded blockse j ( j = 1,…, n ) of the same generation to verify all together.The batch verification works as follows.

(1) Build a batched encoded block eb as eb=∑ j =1n l je j,

where the coefficients (l1, l2, …, ln) are randomly cho-sen from Fq.

(2) Go to step (1) and (2) of Algorithm 3 to compute the hashvalues of eb as θb and ωb.

(3) If θb = ωb, then all the n encoded blocks are valid;otherwise, one or more encoded blocks of them arecorrupted.

When peers detect corrupted blocks using batch verifica-tion, we further use a binary verification method to efficientlyidentify every corrupted block. The binary verification meth-od is based on the data structure, namely binary verificationtree, which is shown in Fig. 3. We construct it as follows.

(1) The leaf nodes ( f , j ) ( j= 1, 2, …, n , n =2 f–1) areassociated with the n encoded blocks e j respectively,where f denotes the height of the tree.

(2) Root node (1, 1) is associated to the batched encodedblock eb.

(3) The other node (i , j ) (1 < i < f ) is associated with thebatched encoded block e (i, j) for the leaf nodes of a sub-

tree rooted at (i , j), where e i; jð Þ ¼ ∑k2k¼k1

lkek , k1 = 2 f–i ·

( j − 1) + 1, k2 = 2 f–i · j . The validity of e (i, j) can beverified by checking if θ (i, j) = ω (i, j).

The binary verification method is to identify all thecorrupted blocks in the binary verification tree, which is aprocess that recursively verifies the sub-tree dictated by thecurrent verification status of batched encoded blocks.Consider the first step to verify eb at root node (1, 1). If ebis valid, all the blocks in the leaf nodes are valid. Otherwise, it

further verifies the batched encoded block e (2, 1) at the left-child node (2, 1) or e (2, 2) at the right-child node (2, 2) in thesame way, respectively. This binary verifying process will beiteratively carried out in up-to-bottom way until all corruptedblocks are discovered.

3.4 Cooperative protection

As mentioned above, a peer keeps the blocks that have notbeen verified in an insecure window. Then every peer main-tains a table which contains the identities of 1) those peers thatdownloaded blocks encoded with insecure window blocks,and 2) those peers that delivered blocks inside the insecurewindow. As shown in Fig. 2, when peer B detects corruptedblocks using batch verification, it sends alert messages to all itsneighbors A , C , D , E , F. On receiving the message, A checksif B is in its table. If true, A continues to send alert messages toall its neighbors except B ; otherwise, it discards the message.Any other peer that receives the alert message from a neighborchecks if the neighbor is in its table and then acts like A . Asdiscussed in [6], the table can prevent peers that have not beeninfected from processing the alert message. Alert messages arepropagated from one peer to another until all infected peers areinformed. A peer starts verifying all the blocks in the insecurewindow using batch verification right after sending alert mes-sages. To prevent corrupted blocks from propagating, theblocks included in the verifying process will not be used toencode new blocks until they are verified as secure.

3.5 Scheme workflow

We present the complete workflow of the proposed networkcoding signature scheme through a detailed example, as Fig. 4shows. In this example, peer A connects with the server, and

Fig. 3 Sample of the binary verification tree with height f=3 Fig. 4 An example of the work flow of network coding signature scheme


peer B is A’s downstream neighbor, as shown in Fig. 2. Bjoins the system after A has downloaded some encodedblocks. The steps are as follows:

Step 1: Set up the security parameters and publicize them toall peers;

Step 2: Compute the signature of the file using Algorithm 1;Step 3: Distribute the signature to its downstream peers;Step 4: Verify the signatures of generations usingAlgorithm 2;Step 5: Distribute encoded blocks to its downstream peers;Step 6: Verify encoded blocks on-the-fly using batch verifi-

cation with some probability, which is based onAlgorithm 3;

Step 7: Send the signatures of generations;Step 8: Verify the signatures using Algorithm 2 and if any

signatures are invalid, disconnect from A and re-download them from other neighbors;

Step 9: Send encoded blocks if B sends a request;Step 10: Verify encoded blocks on-the-fly using batch verifi-

cation with some probability, which is based onAlgorithm 3; when detect corrupted blocks, sendalert messages to all its neighbors.

4 An identity-based malicious peer identification scheme

Previous schemes [6, 14–19, 22] only fight with corruptedblocks, but do not address the network-coding pollution attackat its root, which is the identification of malicious peers.Consequently, malicious peers can keep generating corruptedblocks to continuously degrade the network performance. Inthis section, we propose an identity-based malicious peeridentification scheme which can precisely pinpoint all themalicious peers in the network quickly.

4.1 Basic scheme

First, every peer appends its generated encoded block with atime stamp that records the time when the block generated.Then peers augment the table mentioned in Section 3.4 andthe augmented table contains 1) the identities of those peersthat downloaded blocks encoded with insecure windowblocks, together with the time stamps of the encoded blocks,and 2) the identities of those peers that delivered blocks insidethe insecure window, with the time stamps of those insecurewindow blocks. To make a rapid malicious peer identificationprocess, we introduce a fast verification approach for encodedblocks based on the property of the orthogonal space ofvectors, which is described in Section 2.2.

As shown in Fig. 2, when peer B detects corrupted blocksin its insecure window using batch verification, it sends theserver an identification message, which contains the identifier

of the polluted generation idG, to trigger the process of iden-tifying malicious peers.

On receiving the message, the server generates a randomlinear combination vB of the basis vectors (v1, …, vr) of theorthogonal space of the generation, and sends vB to peer B .

On receiving vB, B switches to verify the blocks of thepolluted generation in its insecure window as below: Forblock e t, checking whether it satisfies the following condition,

etvTB ¼ 0; ð5Þ

If Equation (5) holds, e t is valid. The correctness of theverification is straightforward according to Section 2.2. Notethat Equation (5) is a simple multiplication, so B can rapidlyperform the verification. If peer A sent B some corruptedblocks, B randomly chooses one and sends the server a report,which contains this corrupted block, its time stamp and theidentity of A (i.e. IDA).

On receiving the report from B , the server verifies thereported blocks. If B reported a valid block, the server iden-tifies B as malicious. If B reported a corrupted block e t withIDA, then the server knows that A sent e t to B . However, atthis point, the server cannot confirm that A is malicious, sinceit may be innocent and received corrupted blocks from itsupstream neighbors, with which A produced e t. Therefore, ifA is truely innocent, then it will discover at least one corruptedblock it has received from its upstream neighbors, and corre-spondingly it will report the upstream neighbors to the server.Note that if A is malicious and it is also a downstreamneighbor of other malicious peers, receiving corrupted blocksfrom these peers, then A can still report these malicious peers.As a result, A can hide itself and try to escape from beingidentified in this case.

To confirm whether A is malicious, the server sends thetime stamp t t of e t and a random linear combination vA of thevectors (v1, …, vr) to A . Then A verifies the blocks of thepolluted generation in its insecure window using vA like B . Ifpeer C sent A some corrupted blocks, to prove the innocenceof itself, A should pick out the corrupted blocks of which thetime stamps are less than t t and send the server a report, whichcontains such blocks, their time stamps and the identity of C(i.e. IDC). If no such blocks exist, A randomly chooses onecorrupted block to report.

On receiving the report from A , the server verifies thereported blocks and acts as follows:

(1) If A reported a valid block, the server identifies A asmalicious.

(2) If A reported one or more corrupted blocks, the servercontinues to contact the peers which sent these corruptedblocks. The process is the same as the contact with A .



Note that if A reported more than one corrupted blockfrom the same peer, the server randomly chooses one tosend its time stamp to the peer. Assume that A reportedcorrupted blocks e1, e2 of which the time stamps are lessthan t t. Then the server generates a linear combination vof the vectors (v 1, …, v r), which also satisfies thecondition:

e1vT ¼ 0 and e2v

T ¼ 0: ð6Þ

The server further checks the following equation:

etvT ¼ 0: ð7Þ

If Equation (7) holds, A is identified as innocent at thispoint. Otherwise, A is treated as malicious.

The identification process operates in this way until all themalicious peers are discovered in the identification route.After that, the server broadcasts the identification result bysending to peers a message which contains the identities ofmalicious peers. The peers then verify the blocks in theirinsecure windows in batch and put these malicious peers intotheir blacklists, stop any transmission with them.

As shown in Fig. 2, when peer B detects corrupted blocksusing batch verification, it sends an identification message tothe server and alert messages to all its neighbors. Note thatafter the server accepts the message from B , it will ignoremessages from other peers until this identification process iscomplete. Since during this identification process, some ma-licious peers which have received alert messages from theirneighbors may deliberately send identification messages tothe server, if the server accepts all these messages, a lot ofsystem resources, especially server resources, will be wastedon the identification processes which will not discover anynewmalicious peers in most cases. Although such design maycause missing malicious peers occasionally in the early peri-od, these peers will still be discovered quickly, as shown inSection 6.3. So it is necessary to make such a trade-off.

4.2 Proof

As Section 2.2, we assume that an encoded block e t=l1e1+l2e2+∑ j=3

n l je j, where e t, e1, e2 are corrupted, e3,…, en arevalid, and l1,…, l n are n random local coefficients in Fq. Thevector v is a linear combination of the vectors (v1, …, vr),which are basis vectors of the orthogonal space of thegeneration.

According to Section 2.2, v is orthogonal to all the validencoded blocks e3, …, en. Thus,

Xn

j¼3l je j

� �vT ¼ 0: ð8Þ

FromEquations (6) and (8), if we have e1vT = 0 and e2v

T =0, then (l1e1+l2e2+∑ j=3

n l je j)vT=0. As a result, if A is inno-

cent and received corrupted blocks e1, e2 from its upstreamneighbors, with which A produced the corrupted block e t,then Equation (7) holds. Otherwise, A is malicious and e t≠l1e1+l2e2+∑ j=3

n l je j, then e tvT ≠ 0. □

4.3 Block signature

The feasibility of the above identification scheme relies on therequirement that any peer in the identification route mustreport the true checking result to the server. And the maliciouspeer cannot deny its behavior. In order to achieve these re-quirements, we present a lightweight block signature ap-proach which holds every peer accountable for the blocks itsends out. Every peer signs the blocks before sending themout, and the signature associated with a block can be used asevidence by the reporting peer to demonstrate that the reportedpeer has really sent this block. Given ECC parameters T = (p ,o1, o2, P, q ), a cryptographic hash function H , which aredescribed in Section 2.3, for peer A , we suppose its privatekey is dA and its public key is QA = dAP. Then it signs anencoded block as follows:

Algorithm 4 Signature computation of the block

INPUT: ECC parameters T, private key dA, an encodedblock e t, time stamp t t of the block, generation identifieridG.OUTPUT: Signature of the block φ t = (xA, zA).

(1) Compute hA = H(e t, t t, idG).(2) Select a random integer sA from [1, q–1].(3) Compute sAP = (xA ′ , yA ′ ) and xA = xA ′ mod

q . If xA = 0 then go to step 2.(4) Compute zA = sA–dA–hAxA (mod q ). If zA = 0 then

go to step 2.(5) Return φ t = (xA, zA).

When a peer or the server receives an encoded blockproduced by A , it verifies the signature appended to the blockas follows:

Algorithm 5 Signature verification of the block

INPUT: ECC parameters T, public key QA, an encodedblock e t, time stamp t t of the block, signature of the blockφ t = (xA, zA), generation identifier idG.OUTPUT: Acceptance or rejection of the block.

(1) Verify that xA and zA are integers in the interval [1,q–1]. If any verification fails, then return (“Rejectthe block”).

(2) Compute hA = H(e t, t t, idG).

Proposition 1 Given r distinct points K1, K2, …, Kr on anelliptic curve E(Fp) contained in a cyclic subgroup of primeorder q, an encoded block et=(e1t,…,ert,c1t,…,cmt)∈Fqr+m

and its hash value θ t=∑ j=1r ejtKj, generating a hash-collision

block et ′=(e1t ′,…,ert ′,c1t,…,cmt)∈Fqr+m from et is equivalentto solve a hard ECDLP problem, where et ≠ et′ and θ t = θ t′ .

Proof First we treat the case when r =2. Let K1 and K2 be twodistinct points of order q on E(Fp). Given a valid block et =(e1t, e2t, c1t,…, cmt) with its hash value θ t = e1tK1 + e2tK2, amalicious peer attempts to generate a hash-collision block et′ =(e1t′ , e2t′ , c1t,…, cmt) (et ≠ et′) such that e1tK1 + e2tK2 = e1t′K1 + e2t′K2. This means (e1t–e1t′)K1 + (e2t–e2t′)K2 = O .Suppose that e1t = e1t′ , then (e2t–e2t′)K2 = O . Since K2 is apoint of order q , we have (e2t–e2t′) ≡ 0 mod q , that is, e2t =e2t′ in Fq. This contradicts the assumption that et ≠ et′ in Fq

2.Thus we have that K2 = −(e1t − e1t′)(e2t − e2t′)

−1 K1, wherethe inverse is taken modulo q . This is a hard ECDLP problem.So we cannot determine et′ .

Next, consider the case that r >2. Given a valid block et =(e1t,…, ert, c1t,…, cmt) with its hash value θ t=∑ j=1

r e jtKj, aFig. 5 An example of the work flow of malicious peer identificationscheme


(3) Compute wA = zA + hAxA (mod q ).(4) Compute RA = wAP + QA = (xA′ , yA′) and uA = xA′

mod q .(5) If uA = xA, φ t is valid to e t, t t, idG, then return

(“Accept the block”); else return (“Reject theblock”).

Signature computation and verification of the block aresimilar to those of the generation in Algorithm 1 andAlgorithm 2. Note that both the signature computation andverification of the block only need one point multiplicationoperation, thus the algorithms are lightweight and the signa-ture can be processed quickly.

When a peer receives an encoded block, it verifies thesignature appended to the block immediately, and then verifiesencoded blocks using batch verification with some probabil-ity, as described in Section 3.1.

4.4 Scheme workflow

We present the complete workflow of the proposed maliciouspeer identification scheme through a detailed example, asFig. 5 shows. In this example, peer B is A’s downstreamneighbor and has received corrupted blocks from A , as shownin Fig. 2. All notations used in Fig. 5 have occurred inSections 4.1 and 4.3. They have the same meaning corre-spondingly, so the explanation of the notations is omitted forsimplicity in the figure. The steps are as follows:

Step 1: Detect corrupted blocks;Step 2: Send an identification message, containing idG;

Step 3: Generate vB;Step 4: Send vB;Step 5: Verify blocks using Equation (5) and discover e t;Step 6: Send a report, containing {e t, φ t, t t, IDA};Step 7: Verify e t and if e t is corrupted, verify φ t. Identify B

as malicious if e t is not corrupted or φ t is not valid;Step 8: Send {t t,vA} if e t is corrupted and φ t is valid;Step 9: Verify blocks using vA and discover e1, e2;Step 10: Send a report, containing the information of e1, e2;Step 11: Verify e1, φ1 and e2, φ2 to identify A ; use Equations

(6), (7) to further identify A ;Step 12: Identification process operates in this way until all

the malicious peers are discovered in the route;Step 13: Broadcast the identification result;Step 14: Put identified malicious peers into blacklist.

5 Security analysis and discussion

In this section, we will analyze the hash collision and signa-ture forgery respectively. Then we will discuss some securityproblems of ESNC. We preserve the notations of previoussections here.

5.1 Hash collision

To thwart the network coding signature scheme, a maliciouspeer can produce a hash-collision block which can pass theverification. However, producing such a block is as hard ascomputing elliptic curve discrete logarithm problem (ECDLP).

malicious peer attempts to generate a hash-collision block et′ =(e1t′ , …, ert′ , c1t, …, cmt) (et ≠ et′) such that ∑ j=1

r e jtKj=∑ j=1

r e jt ′Kj. This means ∑ j=1r(ejt−ejt ′)Kj=O . Similar to the

case when r =2, it is easy to prove that in order to satisfy∑ j =1

r (e jt −e jt ′)K j =O , there exist at least two distinctelements in (e 1t, …, e rt) and (e 1t ′ , …, e rt ′ ). Withoutloss of generality, we assume that e it ≠ e it ′ and e kt ≠e kt ′ . Consider that Kj = g jP (1 ≤ j ≤ r ), where secret g j

are chosen at random from Fq, we have (e it–e it ′)Ki+∑ j =1, j ≠ i

r (e jt −e jt ′)g k−1g jK k =O . Thus Ki= –(e it–e it ′)

–1

∑ j=1, j ≠ir (e jt−e jt ′)g k

−1gjKk, where the inverse is taken mod-ulo q . This is also a hard ECDLP problem. So we cannotdetermine e t′ .□

5.2 Signature forgery

A malicious peer may attempt to forge signatures to makepeers receive invalid signatures of generations, or disparageinnocent peers with corrupted blocks not sent by these peers.A malicious peerM is able to forge the signature of the sourceor other peers as follows. We assume that Q is the public keyof the peer whose signature is forged by M .

First,M selects an arbitrary integer sM and compute sMP =(xM′ , yM′ ). According to Section 3.2, RM = sMP. ThenM setsxM = xM′ mod q . Next,M must determine zM to generate thesignature which contains (xM, zM). According to Algorithm 2and Algorithm 5, we know if M can find zM such that (zM +hMxM)P = RM − Q , then it can forge the signature success-fully. However, determining zM from the equation is obvious-ly a hard ECDLP problem. So the malicious peer cannotlaunch signature forging attacks.

Note that inAlgorithm 1 andAlgorithm 4, the random integers selected from [1, q − 1] has the same security requirement asthe private key. If a malicious peerM learns sA that peer A usedto generate a signature on a block, then M can recover A’sprivate key since dA = sA − zA − hAxA (mod q). So the randominteger s must be kept secret. In addition, s should be generatedrandomly. This ensures that s never repeats, which is importantbecause otherwise the malicious peer can forge signatures oncegetting a valid signature. To see this, suppose that peer A usesthe same sA to generate signatures and (xA, zA) is one signature.Then the malicious peer M can forge a signature of Aas (xM , zM), where xM = xA and zM = zA + hAxA −hMxM (mod q ). According to Algorithms 2, 5 andSection 3.2, RM = wMP + QA = (zM + hMxM)P +QA = (zA + hAxA + dA)P = sAP. Thus, the maliciouspeer can forge the signature of A successfully.

5.3 Discussions

Security level The implementation of ESNC is mainly basedon ECC and its security is based on ECDLP. The best

algorithm known for solving the underlying hard mathemati-cal problems in ECC (ECDLP) takes fully exponential time.On the other hand, the best algorithms known for solving theunderlying hardmathematical problems in RSA and DSA (theinteger factorization problem, and the discrete logarithm prob-lem respectively) take sub-exponential time. This means thatsignificantly smaller parameters can be used in ECC than inother systems such as RSA and DSA, but with equivalentlevel of security. A typical example of the size in bits of thekeys used in different systems, with a comparable level ofsecurity, is that a 160-bit ECC key is equivalent to RSA andDSA with a modulus of 1024 bits. Thus, ESNC can providehigh level of security with small ECC parameters whilepossessing performance advantages (e.g. |p | = |q | = 192 bits).

To accelerate the malicious peer identification process, weintroduce a fast verification approach based on the property ofthe orthogonal space of vectors. The probability that a corruptedblock of a generation can be verified as valid using the vector inthe orthogonal space of the generation is only 1/q (e.g. 2−192

when |q | = 192 bits). Note that the fast verification approachcannot replace the proposed network coding signature schemeto verify encoded blocks on-the-fly for the reason that thevectors in the orthogonal space of generations cannot be dis-seminated to peers before the propagation of blocks, or elsemalicious peers can easily launch attacks which can producecorrupted blocks that can pass the verification, or launch otherkinds of attacks, such as collusion attacks and DoS attacks.

DoS attacks Malicious peers may send a lot of blocks to theserver in the identification process to waste the resources ofthe server. To thwart this kind of DoS attacks, in our scheme,the server verifies the block and its signature using fast veri-fication approaches presented in Section 4.1 and 4.3.Moreover, once a block or its signature fails to pass theverification, the peer who sent them to the server is identifiedas malicious immediately.

Collusion attacks ESNC can deal with arbitrary number ofcolluding malicious peers. This is because no matter howmany or which peers are colluding, they still cannot learnthe private key of the source or legitimate peers; thus, theycannot make a legitimate peer accept invalid signatures ofgenerations, or disparage innocent peers with corrupted blocksnot sent by them.

We consider the situation where multiple malicious peerscollude to hide themselves. Consider a transmission pathC →A → B , where A ,C are twomalicious peers, and B is infectedby A or C . When B detects corrupted blocks and reports A tothe server, A may not reportC even if A has verified that it hasreceived corrupted blocks from C . However, C will still beidentified if it sends corrupted blocks to any legitimate down-stream peers. If C only sends corrupted blocks to A , then Awill be identified as malicious and the pollution flow from C


to A will be stopped at A , without infecting any legitimatepeers.

Peer churn Our scheme can effectively identify maliciouspeers even if they leave right after sending corrupted blocks,because the malicious peer identification process does notrequire the involvement of malicious peers. With a blacklistmaintained by the server and the peers, our system can preventmalicious peers from rejoining the system to launch pollutionattacks again. Besides, if a legitimate peer A who is a down-stream neighbor of a malicious peer C leaves, then A can notreport C to the server. However, as long as any other down-stream neighbor of C is alive, C will be identified.

6 Performance evaluation

In this section, we evaluate ESNC in terms of computationoverheads, communication overheads and efficiencyrespectively.

6.1 Computation overheads

We start by evaluating the computation overheads of the pro-posed network coding signature scheme, comparing it withthose of other four comparable schemes with equivalent levelof security for encoded block verification [6, 15–17]. Table 1shows the main computation overheads of the five schemes interms of the initializing cost, signing cost of an encoded block,combining cost of signatures and verifying cost of an encodedblock respectively. We define the computation costs of theprimarily cryptographic operations of the five schemes asfollows. Let mul. denote the time cost to perform a pointmultiplication over an elliptic curve, exp. the time cost toperform one modular exponent operation, and par. the timecost of a pairing operation. Note that the paring operation ismore time-consuming than the other two operations, and thepoint multiplication has a lower cost than the modular expo-nential operation, when the schemes are at the same securitylevel.We neglect all the trivial operations for the sake of clarity.

Yu et al.’s scheme, Charles et al.’s scheme and Bonehet al.’s scheme are homomorphic signature schemes for

network coding. In these schemes, every time the source sendsan encoded block, it needs to generate a signature appended tothis block. The computation overheads of generating such asignature are described in Table 1 as signing cost.Furthermore, each peer can generate a signature for its pro-duced encoded block as a random linear combination of thesignatures of incoming blocks. The computation overheads ofgenerating the signature are described in Table 1 as combiningcost. From the table, we can see that these homomorphicsignature schemes incur substantial signing overheads whenencoded blocks are propagating in the network. Unlike thesehomomorphic signature schemes for network coding,Gkantsidis et al.’s scheme and our scheme don’t incur anysigning cost and combining cost for the reason that there is nosuch signature appended to encoded blocks. In these twoschemes, the signature of the file is produced and disseminat-ed to peers before the propagation of encoded blocks. Theoverheads of producing the signature of one generation aredescribed in the table as initializing cost. Note that blocks of ageneration can start propagating as soon as the signature ofthis generation is disseminated to peers. Compared withGkantsidis et al.’s scheme, our scheme incurs less computa-tion overheads for the point multiplication over an ellipticcurve has a lower cost than modular exponential operations.

Block verification is critical for the system performance. Tocompare the verifying costs of these schemes with equivalentlevel of security, we give the benchmarks of the cryptographicoperations on Intel Core™ 2 Duo 2.0 GHz Linux machine:mul. = 0.68 ms; par. = 2.50 ms, and exp. = 0.75 ms. Thechoice of elliptic curve can influence the computation costs ofpoint multiplication and pairing operations. Existing studies[29, 30] have shown that these operations, especially the time-consuming paring operation, can be performed fast on afamily of super-singular Koblitz elliptic curves of characteris-tic 3. Thus, we implement a super-singular Koblitz curve y2 =x3 − x ± 1 over F397 . The point multiplication and pairingoperation are based on this curve. According to Table 1, weplot the verifying costs of an encoded block with differentnumbers of codewords in these schemes, as shown in Fig. 6.The verifying cost of Charles et al.’s scheme is always thelargest. Boneh et al.’s scheme has slightly larger verifying costthan Gkantsidis et al.’s scheme. Yu et al.’s scheme has thesame approximate verifying cost as Gkantsidis et al.’s scheme.

Table 1 Comparisons of computation overheads

Gkantsidis et al. [6] Yu et al. [15] Charles et al. [16] Boneh et al. [17] ESNC

Initializing cost mr exp. N/A (m + r) mul. N/A (mr + 1) mul.

Signing cost N/A (m + r + 1) exp. (m + r) mul. (m + r + 1) exp. N/A

Combining cost N/A n exp. n mul. n exp. N/A

Verifying cost (m + r) exp. (m + r + 1) exp. (m + r + 1) par. + (m + r) mul. (m + r) exp. + 2 par. (m + r) mul.

We preserve the notations of previous sections in the table


It is evident that the basic verifying cost of our scheme (notapplying batch verification) is smaller than the other threeschemes. Moreover, when applying batch verification in ourscheme, the verifying cost can be significantly reduced further.From Section 3.3, we know the averaged verifying cost perblock is inverse proportional to the number of blocks in batchverification, which is (m + r)/n mul. In Fig. 6, we show theaveraged cost per block for verifying only two blocks in batchverification of our scheme. Hence, the proposed network cod-ing signature scheme can efficiently verify blocks on-the-flywith low computation overheads. Figure 6 shows the compar-ison of the verifying costs of an encoded block in five schemes.As the number of blocks increases, the total verifying costs willincur much more computation overheads in the schemes withlarger verifying cost per block. Besides, in our scheme, for thesignature of a generation, only one point multiplication isrequired to verify the signature, so we omit it in Table 1.

To make malicious peer identification process rapid, weintroduce a fast verification approach based on the property ofthe orthogonal space of vectors, and present a lightweightblock signature approach where the signature appended to ablock serves as evidence to demonstrate that the block is reallysent by some peer. For the latter, both the signing cost andverifying cost of a block are only one point multiplicationoperation. Comparing to the network coding signatureschemes analysed above, the computation overheads of theapproach is trivial. For the former, the processing speed of theapproach is extremely fast. For example, it takes only about1 μs to verify a block.

6.2 Communication overheads

Homomorphic signature schemes [15–17] require appendinga signature to every transmitted block, which not only incurlarge computation overheads, but also incur significant com-munication overheads to the system. For example, Yu et al.’sscheme can be considered as a RSA-based signature, and the

size of a signature is 128 B per block with RSA modulus of1024 bits.

For the proposed network coding signature scheme andGkantsidis et al.’s scheme, peers only need to downloadsignature of the file once and no signature is appended totransmitted blocks. In our scheme, the signature mainly con-sists of points on elliptic curve E(Fp) and the size of a point is2log2p bits, or 48 B when |p | = 192 bits, according to ECC.The point is only 0.0029 times the size of a block with size16 KB. Thus, the signature of the file is only about 0.29 % thetotal file size. In Gkantsidis et al.’s scheme, the signature of thefile is much larger. The signature consists of the same numberof elements while the size of an element is 128 B. Thus, theirsignature is 2.67 times the size of the signature in our scheme.

In our scheme, some extra communication overheads areneeded for the proposed lightweight block signature approach.However, the overheads are small. The signature associatedwith a block is only 48 B when |p | = 192 bits.

6.3 Efficiency

In this section, we present simulations to evaluate the efficien-cy of ESNC. For the simulation methodology, we refer to therelated work [1, 6], in which the simulation model can capturemany important properties of network coding-based P2P con-tent propagation, and we conduct simulations using PeerSim[31], which is a widely used P2P simulation framework undervarious settings and scenarios. Our purpose is not to constructa perfectly realistic simulation, but to demonstrate the effi-ciency of ESNC in some specific scenarios, which, we be-lieve, are of practical importance. In the simulations, we usethe percentage or the number of corrupted peers as a metric tomeasure the efficiency of security schemes (the efficiency isinversely proportional to the percentage or the number ofcorrupted peers).

We start by generating the overlay topology of the network.We construct a random mesh-structured topology with onesource server, where peers randomly select their neighbors.The topology is a directed random graph. The out-degree foreach peer is set to 5; but other values give similar results. Thenetwork size is fixed to 500–2000 peers and will be specifiedin different simulation scenarios. We randomly choose a frac-tion of all peers to be malicious, and each of them injectscorrupted blocks to all its downstream neighbors. The per-centage of malicious peers varies between 5 %–20 % and thepercentage of corrupted blocks injected by malicious peersvaries between 10 %–100 % in simulations. The rest of thepeers cooperate to distribute a file that has a large number ofblocks using network coding. Note that when network codingis used, encoded blocks of a generation are equivalent anduseful to any peer, thus block select policy such as rarest firstpolicy in traditional P2P content distribution network is notneeded; moreover, file blocks satisfy uniform distribution in

Fig. 6 Verifying cost as a function of the number of codewords perencoded block (the generation size is set to 128 blocks)


the network and optimal network transmission can beachieved. Peers rely on local information and then downloadthe encoded blocks of required generations. The generationsize of the file is set to 128 blocks. The simulation is round-based, where in each round a peer can upload encoded blocksto its neighbors at random. We assume that the upload capac-ity of each peer is 5 blocks per round. Every time a legitimatepeer receives a block, it verifies the insecure window blocksusing batch verification with some probability and, if one ormore of them are corrupted, then the peer alerts other infectedpeers and triggers a malicious peer identification process. Wewill also vary the probability of verifying insecure windowblocks from 1 %–10 % in different simulation scenarios. Allthe results are averaged over 50 runs.

Impact of the probability of verifying blocks In Fig. 7 weshow how the corruption varies in a network of 1,000 peerswhere 10 % of them are malicious and each malicious peerinjects corrupted blocks at a rate of 50 %, with differentprobabilities of verifying blocks for each legitimate peer.When we increase the verifying probability from 1 % to5 %, the percentage of corrupted peers decreases significantly,and while when we further increase the verifying probabilityfrom 5 % to 10 %, there is a small decrease in the percentageof corrupted peers, hence, larger verifying probability does notjustify the extra computational effort in this case. Note thateven when the verifying probability is 1 %, the mean percent-age of corrupted peers per round in the corruption period isstill small, about 8.2 %. In all the three cases, the corruptioncan be cleared quickly, which means all the malicious peerscan be identified by our scheme quickly. Thus, ESNC canachieve high efficiency with small verifying probabilities.

Impact of the rate of injecting corrupted blocks In Fig. 8 weshow how the corruption varies in a network of 1,000 peerswhere 10 % of them are malicious and each legitimate peerverifies blocks with 5 % probability, with different rates ofinjecting corrupted blocks for each malicious peer. Obviously,when we increase the attack rate from 10 % to 100 %, thepercentage of corrupted peers also increases. To make more

corruption, malicious peers may inject corrupted blocks at ahigh rate. Note that even when the attack rate is 100 %, themean percentage of corrupted peers per round in the corrup-tion period is still small, about 8.1 %; moreover, in this case,the corruption is cleared the most quickly and it takes only 66rounds to identify all the malicious peers. To make the iden-tification time longer, malicious peers may inject corruptedblocks at a low rate. However, even when the attack rate is10 %, it just takes 92 rounds to identify all the malicious peersand the mean percentage of corrupted peers per round is quitesmall, about 1.5 %. Thus, ESNC can achieve high efficiencyregardless of the attack rate.

Comparison with Gkantsidis et al.’s scheme We implementthe cooperative security scheme proposed by Gkantsidis et al.[6]. In their scheme, homomorphic hashing is used, wherepeers cooperate to protect themselves by sending alert mes-sages. Gkantsidis et al. show by simulations that their schemeguarantees higher efficiency than other probabilistic schemesthat use homomorphic hashing. Figure 9 shows the corruptionvariation comparison between ESNC and their scheme. Weconsider a network of 1,000 peers where 10 % of them aremalicious and each malicious peer injects corrupted blocks ata rate of 50 %. Each legitimate peer verifies blocks with 5 %probability. In the case of cooperative security, since theirscheme can not identify malicious peers, the corruption is

Fig. 8 Corruption variation with different attack rates

0

5

10

15

20

25

10 20 30 40 50 60 70 80 90Perc

enta

ge o

f C

orru

pted

Pee

rs(%

)

Round

Verifying Probability=1%Verifying Probability=5%

Verifying Probability=10%

Fig. 7 Corruption variation with different verifying probabilitiesFig. 9 Corruption variation comparison between ESNC and cooperativesecurity


continual in the entire process of content distribution, hence,malicious peers can continuously degrade the network perfor-mance by injecting corrupted blocks. Compared with theirscheme, the percentage of corrupted peers in ESNC is muchsmaller, thus, ESNC can achieve much higher efficiency.

Impact of the percentage of malicious peers In Fig. 10 weshow how the corruption varies in a network of 1,000 peerswhere each malicious peer injects corrupted blocks at a rate of50 % and each legitimate peer verifies blocks with 5 %probability, with different percentages of malicious peers.Obviously, as we increase the percentage of malicious peersfrom 5 % to 20 %, the percentage of corrupted peers alsoincreases. Note that even when the percentage of maliciouspeers is up to 20 %, the mean percentage of corrupted peersper round is about only 9.7 %, until the corruption is cleared.The rounds required for identifying all the malicious peersalso increase as malicious peers are increased. To evaluate thetime for identifying all the malicious peers, we conduct sim-ulation study as described in the next paragraph.

Evaluation of the time for identification In Fig. 11 we showthe number of valid blocks that have been downloaded bypeers at the time when all the malicious peers are identified.We consider a network of 1,000 peers where 10% of them aremalicious and each malicious peer injects corrupted blocks ata rate of 50 %. Each legitimate peer verifies blocks with 5 %probability. In the figure, the number of the downloadedblocks is sorted in an ascending order. Since the generationsize of the file is 128 blocks, most peers have onlydownloaded 2 generations at this time. Generally, a file con-sists of many generations. For example, if the size of a file is256MB and the size of a block is 16 KB, then the file consistsof 16384 blocks and 128 generations. Thus, for distributing afile, all the malicious peers can be identified and the corrup-tion can be cleared quickly when most peers have just com-pleted downloading 2 generations. In our simulations, whenthe block size and the generation size are smaller (e.g. in P2Psystems distributing media streaming content), the identifica-tion process will be faster.

Impact of the network size In Fig. 12 we show how thecorruption varies in the network with different network sizes.The number of malicious peers is fixed to 100 and each mali-cious peer injects corrupted blocks at a rate of 50 %. Eachlegitimate peer verifies blocks with 5 % probability. Figure 12shows that the tails of the three curves are close, which meansthat with different network sizes, the time required for identifyingall the malicious peers is close and, hence, the identification timemainly depends on the number of malicious peers, rather thannetwork size. When we decrease the network size from 2000 to500, there is a small decrease in the number of corrupted peers.The mean number of corrupted peers per round is 55.4, 46.3 and34.3 in the network of size 2000, 1000 and 500 respectively.Because as the network size is decreased, the overlap in thecorrupted regionswill increase, and the total number of corruptedpeers will decrease. This is an important result. This means that,if we fix the network size and increase the number of maliciouspeers, the overlap in the corrupted regions will also increase andwhile the total number of corrupted peers increases, the efficien-cy of malicious peers decreases.

7 Related work

Besides the relevant work conducted by Krohn et al. [13] andGkantsidis et al. [6], some schemes utilizing homomorphic

Fig. 10 Corruption variation with different percentages of malicious peers

Fig. 11 Number of blocks downloaded by peers at the time when all themalicious peers are identified

Fig. 12 Corruption variation with different network sizes


signatures are also proposed in [15–17]. These schemes, howev-er, incur more computation or communication overheads, whichresult in high delays when encoded blocks are propagating in thenetwork. Thus, they are too expensive for P2P systems.

Zhao et al. [32] implemented a middleware that usesNVIDIA GPUs to accelerate homomorphic hashing, and theyhave achieved much higher hashing throughput. The mainissue of this scheme is that the middleware is only applicablefor NVIDIA GPUs. Because there are a lot of different GPUvendors, this scheme is not suitable for many realistic P2Psystems which may contain peers that have various GPUs, ordon’t have any GPU.

Agrawal and Boneh [18] proposed a homomorphic MACscheme for linear network coding. The scheme allows peers toefficiently verify encoded blocks on-the-fly using MAC tags.However, it provides much lower level of security for encodedblock verification than the schemes based on homomorphichashing and homomorphic signatures. Moreover, it relies onthe assumption that the source and all the legitimate peers sharesecret keys, which is not the case in P2P systems. In otherwords, the scheme will not be able to defeat network-codingpollution attacks in P2P systems. The authors in [18] furtherextended their scheme to pre-distribute different keys to systempeers based on the cover free family concept so that peers inP2P systems could verify blocks. However, this scheme is onlyc -collusion resistant for some pre-determined c . It is alsosusceptible to tag-pollution attacks, where malicious peerstamper with subsets of tags of the blocks they receive, aspresented in [19]. For P2P systems, collusion attacks are com-mon. Thus, the scheme is not suitable for P2P systems.

Li et al. [19] proposed RIPPLE, also a homomorphic MACscheme utilizing time asymmetry (inspired by TESLA [33]) toachieve collusion and tag-pollution resistance. This scheme,however, only works on fixed directed acyclic graph net-works: it needs to know the longest path from each peer tothe source in order to pre-compute theMAC tags for the peers.Thus, the scheme can not be used in P2P systems with generalrandom network topologies.

Zhang et al. [22] introduced both a homomorphic MACscheme and a homomorphic signature scheme, based on whichthey further proposed a hybrid scheme. This hybrid scheme haslower computation overheads than the schemes based on ho-momorphic signatures; however, the overheads are still signif-icantly higher than those of the other two schemes based onhomomorphic MAC. This scheme is not susceptible to tag-pollution attacks but only c-collusion resistant.

In [14], Kehdi and Li proposed a light-weight schemebased on the null-space property of network coding. Thereare still some drawbacks of this scheme. First, the schemeprovides low level of security, and is vulnerable to collusionattacks, where multiple malicious peers can collude to inferthe null keys employed for the verification of network coding

and let legitimate peers accept corrupted blocks. Next, the nullkeys distribution phase may be attacked; to protect the nullkeys, homomorphic hashing must be used, which will causeextra overheads.

Some schemes [20, 21] aim at correcting errors at decoders.However, these schemes are applicable only when less than athreshold number of corrupted blocks injected into the networkor specified number of network links can be eavesdropped andcorrupted.

All the above schemes focus on the corruption detection orerror correction for network coding. Research work on iden-tifying attackers is much lesser. However, attacker identifica-tion is a more efficient scheme to thwart network-codingpollution attacks.

Jafarisiavoshani et al. [34] leverages the subspace propertiesof randomized network coding to locate pollution attackers. In ageneral network topology having a single attacker, the schemecan only locate the attacker with an uncertainty of two peers;when there are multiple attackers, the uncertainty is within a setof peers including the attackers and their parents and children.Thus, the scheme can not locate attackers precisely.

Wang et al. [9] proposed a malicious peer identificationscheme which achieves high computational efficiency.However, the identification requires the server to distributemultiple checksums of all the blocks in the polluted generationto all the peers every time pollution attacks are detected, whichincurs significant communication overheads. In their scheme,pollution attacks are detected when some peer fails in thedecoding process. In other words, pollution attacks cannotbe detected until some peer has completed downloading theentire generation. In network coding-based P2P content dis-tribution, a corrupted block can rapidly pollute the networkand, hence, by the time pollution attacks are detected, a lot ofnetwork bandwidth has been already wasted on transmittingcorruption blocks. In dynamic P2P networks, because of thechurn of malicious peers, the bandwidth waste would be moreserious. Next, because the success of the identification relieson peers receiving all the checksums, this makes the identifi-cation vulnerable to collusion attacks. Multiple maliciouspeers may collude to prevent some peers from receiving thechecksums. Moreover, the scheme cannot identify all themalicious peers for a kind of non-functional malicious peerscannot be identified. A peer is called as a non-functionalmalicious peer if it exhibits malicious behaviors but replacingit with a legitimate peer will not change the set of infectedpeers. More explanation can be found in [9].

The content pollution is a widespread problem in P2Pnetworks, and not only exists in network coding-based P2Pnetworks. Reputation systems are long-term solutions whichare used to reduce content pollution and are mainly dividedinto three categories: peer reputation systems such asEigentrust [25] and Scrubber [26], object reputation systems


such as Credence [27] and hybrid peer and object reputationsystems such as Xrep [28]. In peer reputation systems, eachpeer assigns reputations to each other and malicious peerswith low reputation will be identified, and in object reputationsystems, peers assign reputations to the objects (files) theydownload regarding their authenticity and the object reputa-tion is then used to decide whether the object should bedownloaded. Hybrid peer and object reputation systems com-bine the benefits of both strategies. By maintaining reliablereputation information about peers or objects, reputation sys-tems can form the basis of an incentive system and can guidepeers in their decision making, thus reducing the contentpollution in P2P networks.

In traditional P2P networks, hash authentication codes areused to check the validity of content blocks, thus providing thebasis for reputation systems. When using network coding inP2P networks, content pollution is more serious due to the“combination” nature of network coding and traditional hashverification mechanism is no longer useful, so reputationsystems cannot be established and run efficiently in this case.ESNC can thwart pollution attacks on network coding.Moreover, it can cooperate with reputation systems to copewith content pollution effectively in network coding-basedP2P networks in the long run.

8 Conclusion

In this paper, we propose a novel and efficient ECC-basedmechanism for securing network coding-based P2P contentdistribution, namely ESNC, which provides both an efficientcorruption detection scheme and a precise attacker identifica-tion scheme for P2P systems to thwart network-coding pollu-tion attacks. ESNC is mainly based on ECC and can providehigh level of security at low computation and communicationoverheads. We also demonstrate that ESNC effectively limitsthe corruption spread and identifies all the malicious peersquickly under practical settings. Compared to the existingrelated state-of-the-art schemes, ESNC is especially suitablefor P2P content distribution. It can achieve high security andhas high overall performance. Despite the rich literature innetwork coding, we are not aware of any operational networkcoding-based P2P content distribution system except the com-mercial P2Pmedia streaming distribution systemUUSee [10].We plan on developing a real system using network coding,deploying ESNC on it, and then reporting our experiences infuture work.

Acknowledgments This work is supported by National Natural Sci-ence Foundation of China under grants 61173170, 60873225, 61300222and 61303117, National High Technology Research and DevelopmentProgram of China under grant 2007AA01Z403, Innovation Fund of

Huazhong University of Science and Technology under grants2013QN120, 2012TS052 and 2012TS053, and Innovation Fund of Wu-han University of Science and Technology under grants 2013xz012.

References

1. Gkantsidis C, Rodriguez P (2005) Network coding for largescale content distribution. Proc IEEE INFOCOM 2005:2235–2245

2. Ahlswede R, Cai N, Li SR, Yeung RW (2000) Network informationflow. IEEE Trans Inf Theory 46(4):1204–1216

3. Zhu Y, Li B, Guo J (2004) Multicast with network coding in appli-cation layer overlay networks. IEEE J Sel Areas Commun 22(1):107–120

4. Petrovic D, Ramchandran K, Rabaey J (2006) Overcoming untunedradios in wireless networks with network coding. IEEE Trans InfTheory 52(6):2649–2657

5. Katti S, Rahul H, Hu W, Katabi D, Medard W, Crowcroft J (2008)Xors in the air: practical wireless network coding. IEEE/ACM TransNetworking 16(3):497–510

6. Gkantsidis C, Rodriguez P (2006) Cooperative security for net-work coding file distribution. Proceedings IEEE INFOCOM2006:1–13

7. Jain K, Lovasz L, Chou PA (2005) Building scalable and robust peer-to-peer overlay networks for broadcasting using network coding.Proc ACM Symp Princ Distrib Comput 2005:51–59

8. Small T, Li B, Liang B (2008) Topology affects the efficiency ofnetwork coding in peer-to-peer networks. Proc IEEE ICC 2008:5591–5597

9. Wang Q, Vu L, Nahrstedt K, Khurana H (2010) Identifyingmaliciousnodes in network-coding-based peer-to-peer streaming networks.Proc IEEE INFOCOM 2010:1–5

10. Liu Z,Wu C, Li B, Zhao S (2010) UUSee: large-scale operational on-demand streaming with random network coding. Proc IEEEINFOCOM 2010:2070–2078

11. Liu F, Shen S, Li B, Li B, Yin H, Li S (2011) Novasky: cinematic-quality VoD in a P2P storage cloud. Proc IEEE INFOCOM 2011:936–944

12. Li B, Niu D (2011) Random network coding in peer-to-peer net-works: from theory to practice. Proc IEEE 99(3):513–523

13. KrohnM, FreedmanM,Mazieres D (2004) On-the-fly verification ofrateless erasure codes for efficient content distribution. Proc IEEESymp Secur Priv 2004:226–240

14. Kehdi E, Li B (2009) Null Keys: limiting malicious attacks via nullspace properties of network coding. Proc IEEE INFOCOM 2009:1224–1232

15. Yu Z, Wei T, Ramkumar B, Guan Y (2008) An efficient signature-based scheme for securing network coding against pollution attacks.Proc IEEE INFOCOM 2008:1409–1417

16. Charles D, Jain K, Lauter K (2009) Signatures for network coding.Int J Inf Coding Theory 1(1):3–14

17. Boneh D, Freeman D, Katz J, Waters B (2009) Signing a linearsubspace: signature schemes for network coding. Proc PKC 2009:68–87

18. Agrawal S, Boneh D (2009) Homomorphic MACs: MAC-basedintegrity for network coding. Proc ACNS 2009:292–305

19. Li Y, Yao H, Chen M, Jaggi S, Rosen A (2010) RIPPLE authen-tication for network coding. Proc IEEE INFOCOM 2010:2258–2266

20. Jaggi S, Langberg M, Katti S, Ho T, Katabi D, Medard M (2008)Resilient network coding in the presence of Byzantine adversaries.IEEE Trans Inf Theory 54(6):2596–2603


21. Koetter R, Kschischang FR (2008) Coding for errors and era-sures in random network coding. IEEE Trans Inf Theory 54(8):3579–3591

22. Zhang P, Jiang Y, Lin C, Yao H,Wasef A, Shen X (2011) Padding fororthogonality: efficient subspace authentication for network coding.Proc IEEE INFOCOM 2011:1026–1034

23. Darrel H, Alfred M, Scott V (2004) Guide to Elliptic CurveCryptography. Springer, New York

24. Touceda DS, Sierra JM, SorianoM (2012) Decentralized certificationscheme for secure admission in on-the-fly peer-to-peer systems. Peer-to-Peer Netw Appl 5(2):105–124

25. Kamvar S, Schlosser M,Molina HG (2003) The Eigentrust algorithmfor reputation management in P2P networks. In Proceedings ofWWW 2003:640–651

26. Costa C, Soares V, Almeida J, Almeida V (2007) Fighting pollutiondissemination in peer-to-peer networks. Proc ACM Symp ApplComput 2007:1586–1590

27. Walsh K, Sirer EG (2005) Fighting peer-to-peer SPAM anddecoys with object reputation. In Proceedings of the ACMSIGCOMM Workshop on Economics of Peer-to-Peer Systems,2005:138–143

28. Damiani E, Vimercati S, Paraboschi S, Samarati P, Violante F (2002)A reputation-based approach for choosing reliable resources in peer-to-peer networks. Proc ACM Conf Comput Commun Secur 2002:207–216

29. Barreto P, Kim H, Lynn B, Scott M (2002) Efficient algorithms forpairing-based cryptosystems. Proc CRYPTO 2002:354–368

30. Boneh D, Lynn B, Shacham H (2004) Short signatures from the Weilpairing. J Cryptol 17(4):297–319

31. Montresor A, Jelasity M (2009). PeerSim: A scalable P2P simulator.In Proceedings of the IEEE International Conference on Peer-to-PeerComputing, IEEE Computer Society, Washington, DC, 2009, 99–100

32. Zhao K, Chu X, Wang M, Jiang Y (2009) Speeding uphomomorpic hashing using GPUs. Proc IEEE ICC 2009:856–860

33. Perrig A, Canetti R, Tygar JD, Song D (2002) The TESLA broadcastauthentication protocol. RSA Cryptobytes 5(2):2–13

34. Jafarisiavoshani M, Fragouli C, Diggavi S (2008) On locatingByzantine attackers. Proc Netw CodingWork Theory Appl 2008:1–6

HengHe received the B.S. degreefrom School of Computer Scienceat Wuhan University of Technol-ogy in 2004 and his M.S. degreefrom School of Computer Scienceand Technology at HuazhongUniversity of Science and Tech-nology in 2007. Now he is aPh.D. candidate in the School ofComputer Science and Technolo-gy, Huazhong University of Sci-ence and Technology. His re-search interests include P2P com-puting, cloud computing, networkcoding and network security.

Ruixuan Li received the B.S.,M.S. and Ph.D. in Computer Sci-ence from Huazhong Universityof Science and Technology, Chinain 1997, 2000 and 2004 respec-tively. He was a Visiting Re-searcher in Department of Electri-cal and Computer Engineering atUniversity of Toronto from 2009to 2010. He is currently a Profes-sor in the School of ComputerScience and Technology atHuazhong University of Scienceand Technology. His research in-terests include peer-to-peer com-

puting, distributed data management, and distributed system security. Heis a member of IEEE and ACM.

Zhiyong Xu received the re-ceived the B.S. and M.S. inCompu t e r S c i e n c e f r omHuazhong University of Scienceand Technology, China in 1994and 1997 respectively., andPh.D. degrees in Computer En-gineering from University ofCincinnati in 2003. He is cur-rently an Associate Professor inthe Department of Mathematicsand Computer Science at SuffolkUniversity. His research interestsinclude Peer-to-Peer Computing,High performance I/O and File

systems, Multimedia Applications, Parallel and Distributed Computing.He is a member of IEEE.

Weijun Xiao received the B.S.and M.S. in computer sciencefrom Huazhong University ofScience and Technology, Chinain 1995 and 1998 respectively,and Ph.D. in electrical engi-neering from University ofRhode Island, USA. He is cur-rently an Assistant Professor inthe Department of Electricaland Computer Engineering,Virginia Commonwealth Uni-versity, USA. His research in-terests include computer archi-tecture, networked storage sys-

tem, embedded system, and performance evaluation. He is a mem-ber of the IEEE.


Documents

An efficient ECC-based mechanism for securing network ...idc.hust.edu.cn/~rxli/publications/2014/PPNA2014_ESNC.pdf · topologies, and can support systems with any size. It is an integrated