Signatures for Network Coding

Denis CharlesKamal JainKristin Lauter

Microsoft Research

Network Coding Set-up

A directed graph of users G A server (source) distributing content Content is divided into packets and

represented as vectors in a vector space Each node receives linear combinations of

packets from other nodes At each node, new linear combinations of

received packets are formed and sent out along new edges

Extra bits keep track of which linear combination at each step

Pollution attacks

A malicious node can inject garbage into the distribution network

If undetected, the garbage will pollute the whole network, as meaningless packets are combined with others and redistributed

Signatures on received packets can be used to check for garbage

Assumptions

Public key digital signatures Only the server possesses the

secret key for signing Any node can verify signatures

using public information So how can nodes re-sign linear

combinations of received packets?

Homomorphic signature scheme

Our solution is based on: Elliptic curves Bilinear pairing (Weil pairing)

Homomorphic hashing of content onto points on the elliptic curve

BLS-type signatures (Boneh-Lynn-Schacham)

Security reduction to ECDLP (Elliptic curve discrete logarithm problem)

Elliptic curves over finite fields Finite field Fq with q elements, A, B in Fq

Elliptic curve over Fq with equation

y2 = x3 + Ax + B

E(Fq)={(x, y): y2 = x3 + Ax + B} Ụ ∞

has a group structure and a bilinear pairing

em : E[m] × E[m] alg(Fq)* satisfying em(S1 + S2, T) = e(S1, T)e(S2, T) em(S, T1 + T2) = e(S, T1)e(S, T2).

Homomorphic hashing and signing

Vectors (packets) with coefficients vi in Fp are hashed to linear combinations of public p-torsion points on E/Fq

R1, · · · ,Rk, P1, · · · , Pd in E(Fq)[p]k=# of vectors, d = dimension of vector space

Server has secret keys for signing s1, · · · , sk and r1, · · · , rd in Fp

signs the packet by computing the signature of hash ΣsiviRi + ΣriviPi

Server also publishes Q, sjQ and riQ

Q is another point in E(Fq)[p] which is linearly independent from the points R1,…,Rk, P1,…, Pd

Bilinearity of the pairing

1. Verification of signatures uses bilinearity of the pairing since em(siviRi, Q) = em(viRi, siQ)

2. Received valid signatures can be recombined to accompany new outgoing combinations of packets since the signature of the sum is the sum of the signatures

Security

Theorem: Finding a collision of the hash function h is polynomial-time equivalent to computing the discrete log on the elliptic curve E.

Fact: Forging signatures is as hard as the computational Diffie-Hellman problem on the curve E.

Our scheme establishes authentication in addition to detecting pollution.

Implementation

If we take the prime p 170-bits, this is equivalent to 1024 bits of RSA security. We can setup the system with q ~ p2.

Communication overhead per vector is two elements of Fp (the x and y coordinates of a point) = 340 bits. We can reduce this overhead to 171 bits at the cost of increasing computational cost.

Computation of signature of vector at an edge e is O(indeg(in(e)) operations in Fp.

Verification requires O((d+k) log2+εq) bit operations

Complete setup of the system at the server can be done in polynomial time (assuming a number theoretic conjecture of Hardy-Littlewood).