Fast Signature Scheme for Network Coding. Mingxi Yang, Wenjie Yan. Reporter: Wenjie Yan. DCABES 2009.


1 Fast Signature Scheme for Network Coding
Mingxi Yang, Wenjie Yan. Reporter: Wenjie Yan.

2 Outline
• Network Coding
• Challenge to Network Coding
• Related Work
• Our Signature Scheme
• Security Analysis
• Verification Efficiency

3 What is Network Coding
[Figure: two copies of a network with nodes S, T, U, W, X, Y, Z and links labelled b1 and b2; (a) Traditional network, (b) Network coding, where one link is labelled b1+b2.]

4 Network Coding Simplified
[Figure: File to Transfer, split into Block 1, Block 2, Block 3, followed by Encoding.]
Prerequisite for decoding: any node receives enough (n in our scheme) linearly independent message vectors.

5 Challenge to Network Coding
Drawback: Network coding is very vulnerable to pollution attacks. An adversarial node injecting garbage can quickly affect many receivers.

6 Pollution Attack
[Figure: network with nodes S, T, U, W, X, Y, Z and links labelled b1 and b2.]

7 Related Work
• Krohn et al. [7] first proposed a homomorphic scheme using a homomorphic hash function.
• Zhen Yu et al. [8] use RSA to sign the source messages and append the signatures to the corresponding messages.
• Charles et al. [9] proposed a new homomorphic hashing scheme built on top of expensive Weil pairing operations [10], [11] over elliptic curves.

8 Related Work (Cont.)
Drawback: All the schemes described above require expensive computation in verification, which greatly reduces the efficiency of verification.

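9 Our Signature Scheme
• Model: S is a source node; M is a file.
Each source message has a data part and a coding vector part: $M_i=(m_i,0,\dots,0,1,0,\dots,0)$.
[Figure: File M split into $m_1, m_2, \dots, m_n$, each followed by its unit coding vector (100…0, 010…0, …, 000…1) and its signature $\sigma(m_1), \sigma(m_2), \dots, \sigma(m_n)$, sent into the network.]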

10 Our Signature Scheme (Cont.-1)
• Our signature scheme is based on this homomorphic function [13]:
$h(x) = (1+xq) \bmod q^2$
$h(x)\times h(y) = (1+xq)\times(1+yq) \bmod q^2 = [1+(x+y)q+xyq^2] \bmod q^2 = [1+(x+y)q] \bmod q^2 = h(x+y)$
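An added example (not from the slides or the paper) that exercises the function $h$ from slide 10 on network-coded data: it checks that a linear combination of data blocks can be mirrored on the $h$-values alone, and shows when two inputs collide. The modulus `Q`, the block values and all function names are constructed for illustration; the scheme's own Sign, Combine and Verify formulas are not reproduced here.

```python
# Added example: properties of h(x) = (1 + x*q) mod q^2 (slide 10).
# Q is a constructed toy modulus (the Mersenne prime 2^61 - 1), not a
# parameter taken from the presentation.
Q = 2**61 - 1

def h(x: int, q: int = Q) -> int:
    """h(x) = (1 + x*q) mod q^2."""
    return (1 + x * q) % (q * q)

def combine_data(blocks, coeffs, q: int = Q) -> int:
    """Network-coding combination of data parts: sum(c_i * w_i) mod q."""
    return sum(c * w for c, w in zip(coeffs, blocks)) % q

def combine_hashes(hashes, coeffs, q: int = Q) -> int:
    """Same combination using only h-values: prod(h_i ** c_i) mod q^2."""
    acc = 1
    for c, hv in zip(coeffs, hashes):
        acc = (acc * pow(hv, c, q * q)) % (q * q)
    return acc

def check_combination(blocks, coeffs, q: int = Q) -> bool:
    """True when h(sum c_i*w_i) == prod h(w_i)^c_i, as the homomorphism implies."""
    lhs = h(combine_data(blocks, coeffs, q), q)
    rhs = combine_hashes([h(w, q) for w in blocks], coeffs, q)
    return lhs == rhs

def collides(w: int, x: int, q: int = Q) -> bool:
    """h(w) == h(x) exactly when q divides (w - x)."""
    return h(w, q) == h(x, q)

def is_polluted(received_w: int, expected_h: int, q: int = Q) -> bool:
    """Flag a received data part whose h-value differs from the expected one."""
    return h(received_w % q, q) != expected_h

if __name__ == "__main__":
    blocks, coeffs = [10, 20, 30], [2, 3, 5]          # constructed sample data
    print("combination holds:", check_combination(blocks, coeffs))
    good = combine_hashes([h(w) for w in blocks], coeffs)
    print("honest block flagged:", is_polluted(combine_data(blocks, coeffs), good))
    print("tampered block flagged:", is_polluted(combine_data(blocks, coeffs) + 1, good))
    print("w and w+q collide:", collides(5, 5 + Q))
```

Because $h(x)$ depends only on $x \bmod q$, data parts have to be kept in the range $[0, q)$ for distinct values to map to distinct $h$-values.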

11 Our Signature Scheme (Cont.-2)
• Set up
• Sign
• Combine
• Verify
• Correctness

12 Set up
• Large primes: $u$, $v$, $q$, with $\mathrm{length}(u)\approx\mathrm{length}(v)$, $\mathrm{length}(uv)\approx\mathrm{length}(q^2)$ and $q^2<uv$.
• $N=uv$; keep $u$ and $v$ secret.
• $n$ different elements $r_1,\dots,r_n$ from $G$, where $G$ is a multiplicative group with prime order $p$.
• $d, e<\varphi(N)$, and $d\times e\equiv 1 \bmod \varphi(N)$, where $\varphi(N)=(u-1)\times(v-1)$.
• Private key: $d$
• Public key: $pk=(N, e, r_1,\dots,r_n)$

13 Sign
Given message $M_i=(m_i,0,\dots,0,1,0,\dots,0)$ and private key $d$, compute signature $\sigma(M_i)$ on source message $M_i$ as:

14 Combine
Given: coefficients $(c_1, c_2, \dots, c_l)$, messages and signatures $W_1\|\sigma(W_1),\dots,W_l\|\sigma(W_l)$, where $W_i=(w_i,c_{i1},\dots,c_{in})$,
Combine: , $W_0=(w_0, c_{01},\dots,c_{0n})$ and

15 Combine (Cont.)
[Figure: verified messages $(w_i, c_{i1}, c_{i2}, \dots, c_{in})$ with signatures $\sigma(W_i)$, $i=1,\dots,l$. Encoding of messages (+) gives $(w, c_1, c_2, \dots, c_n)$; combination of signatures (×) gives $\sigma(W)$.]

16 Verify
Given encoded message $W_0=(w_0, c_{01},\dots,c_{0n})$ and signature $\sigma(W_0)$, $\sigma(W_0)$ is a valid signature on $W_0$ iff

17 Correctness
3.1

18 Correctness (Cont.)

19 Security Analysis
• Definition: A signature scheme is secure under an adaptive chosen message attack if, for every probabilistic polynomial-time forger algorithm F, there is no non-negligible probability ε such that:

20 Security Analysis (Cont.-1)
• Compute a valid signature on message in our scheme break RSA signature scheme
Where

21 Security Analysis (Cont.-2)
• Theorem: If there exists a (t,ε)-forger F using an adaptive chosen message attack against the proposed signature scheme, then there exists a (t’,ε’)-algorithm A for solving the RSA signature scheme, where t’≥t and ε’=ε.

22 Security Analysis (Cont.-3)
• Proof: F is a forger that (t,ε)-breaks the scheme; we now construct an algorithm A that breaks RSA in (t’,ε’). A is given every signature $\sigma(M_i)$ on original message $M_i$ for $i=1,2,\dots,n$. For any message $W=(w,c_1,\dots,c_n)$, where $w\neq x$, $\sigma(W)$ is a valid signature generated by A.

23 Security Analysis (Cont.-4)
• Case 1: $\sigma(W)=\sigma(X)$, $h(W)=h(X)$; assume $w>x$. Since $h(W)-h(X)=0$,
$[(1+wq)-(1+xq)] \bmod q^2=0$
$(w-x)q \bmod q^2=0$, so $(w-x)q=r\times q^2$, thus $w-x=rq$.
We know that w-x x.

24 Security Analysis (Cont.-5)
Case 2: $\sigma(W)\neq\sigma(X)$, then, Thus. As $\sigma(W)$ is generated by A, thus We use $y$ denote, thus $A(W)=y^d$

25 Security Analysis (Cont.-6)
• The probability ε’ of generating an RSA signature in Case 2 is ε.
• T is the maximum time for computing those operations except A; then t’=t+T, thus t’≥t.

26 Verification Efficiency
• Let $\varphi$ be a prime number and $\psi$ a power of a different prime with $\varphi\ll\psi$; $E$ is an elliptic curve over $Z_\psi$. In schemes [8] and [9], every original message is a vector of dimension $k$; the source then appends an $n$-dimensional coding vector to it, such as $X=(x_1, x_2, \dots, x_k, c_1,\dots, c_n)$, where $x_i, c_i \in Z_\varphi$.

27 Verification Efficiency (Cont.-1)
Table 1. Verification of message (bit operation)

| Signature scheme | Verification time (bit operation) |
| --- | --- |
| Our scheme | $O[(1+n)\log(1+\epsilon)(\log^{2}\varphi)]$ |
| Zhen’s [8] | $O[(1+k+n)\log(1+\epsilon)(\log^{2}\varphi)]$ |
| CJL’s [9] | $O(k\log^{2+\epsilon}\psi)$ |

28 Verification Efficiency (Cont.-2)
[9] $= O(k\log^{2+\epsilon}\psi) = O(k\log^{\epsilon}\psi\,\log^{2}\psi) > O(k\log^{\epsilon}\psi\,\log^{2}\varphi) > O[(k+1)\log(1+\epsilon)(\log^{2}\varphi)] =$ [8] $> O[(n+2)\log(1+\epsilon)(\log^{2}\varphi)] =$ ours,
so [9] > [8] > ours.

29 Verification Efficiency (Cont.-3)
The comparison shows that our scheme outperforms the other signature schemes of this kind in verification speed.

30 References
[1] D. Petrovic, K. Ramchandran, and J. Rabaey, “Overcoming Untuned Radios in Wireless Networks with Network Coding”, IEEE Transactions on Information Theory, Vol. 52, No. 6, pp. 2649-2657, 2006.
[2] C. Gkantsidis and P. Rodriguez, “Network Coding for Large Scale File Distribution”, in Proc. IEEE INFOCOM, 2005.
[3] R. Ahlswede, N. Cai, S. Li, and R. W. Yeung, “Network information flow”, IEEE Trans. Inf. Theory, Vol. 46(4), pp. 1204-1216, 2000.
[4] S. Li, R. Yeung, and N. Cai, “Linear Network Coding”, IEEE Transactions on Information Theory, Vol. 49, No. 2, pp. 371-381, 2003.
[5] T. Ho, R. Koetter, M. Médard, D. R. Karger, and M. Effros, “The benefits of coding over routing in a randomized setting”, in International Symposium on Information Theory (ISIT), 2003.
[6] T. Ho, M. Médard, J. Shi, M. Effros, and D. R. Karger, “On randomized network coding”, in Proc. 41st Annual Allerton Conference on Communication, Control and Computing, Oct. 2003.

31 References (Cont.)
[7] M. N. Krohn, M. J. Freedman, and D. Mazières, “On-the-fly verification of rateless erasure codes for efficient content distribution”, IEEE Symp. Security and Privacy, Oakland, CA, pp. 226-240, May 2004.
[8] Zhen Yu, YaWen Wei, Bhuvaneswari Ramkumar, and Yong Guan, “An Efficient Signature-based Scheme for Securing Network Coding against Pollution Attacks”, INFOCOM 2008, The 27th Conference on Computer Communications, IEEE, April 2008.
[9] D. Charles, K. Jain, and K. Lauter, “Signature for Network Coding”, Technical Report MSR-TR-2005-159, Microsoft, 2005.
[10] A. Menezes, T. Okamoto, and S. Vanstone, “Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field”, IEEE Transactions on Information Theory, Vol. 39, No. 5, pp. 1639-1646, 1993.
[11] V. Miller, “Short Programs for Functions over Curve”, unpublished manuscript, crypto.stanford.edu/miller/, 1986.
[12] Jing Dong, Reza Curtmola, and Cristina Nita-Rotaru, “Practical Defenses Against Pollution Attacks in Intra-Flow Network Coding for Wireless Mesh Networks”, Proc. of the Second ACM Conference on Wireless Network Security (WiSec 2009), Zurich, Switzerland, March 2009.
[13] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public key cryptosystem with a double trapdoor decryption mechanism and its applications”, in: C. S. Laih, ed., Asiacrypt 2003, LNCS 2894, Berlin: Springer-Verlag, 2003, pp. 37-54.
[14] Sun Zhong-Wei, Feng Deng-Guo, and Wu Chuan-Kun, “An Anonymous Fingerprinting Scheme Based on Additively Homomorphic Public Key Cryptosystem”, Journal of Software, Vol. 16, No. 10, pp. 1816-1821, 2005.

32 Any Questions?

33 THANK YOU!

