Content deleted Content added
Citation bot (talk | contribs) Alter: title, template type. Add: chapter-url, chapter. Removed or converted URL. | Use this bot. Report bugs. | Suggested by AManWithNoPlan | #UCB_toolbar |
Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5 |
||
| (2 intermediate revisions by one other user not shown) | |||
Line 1:
[[Network coding]] has been shown to optimally use [[Bandwidth (computing)|bandwidth]] in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of [[network packet]]s spreads quickly since the output of (even an) honest node is corrupted if at least one of the incoming packets is corrupted.
An attacker can easily corrupt a packet even if it is encrypted by either forging the signature or by producing a collision under the [[hash function]]. This will give an attacker access to the packets and the ability to corrupt them. Denis Charles, Kamal Jain and Kristin Lauter designed a new [[homomorphic encryption]] signature scheme for use with network coding to prevent pollution attacks.<ref>{{Cite journal |citeseerx = 10.1.1.60.4738 |title = Signatures for Network Coding |year = 2006 |url = https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.60.4738 |archive-url = https://web.archive.org/
The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority. In this scheme it is computationally infeasible for a node to sign a linear combination of the packets without disclosing what [[linear combination]] was used in the generation of the packet. Furthermore, we can prove that the signature scheme is secure under well known [[Cryptography|cryptographic]] assumptions of the hardness of the [[discrete logarithm]] problem and the computational [[Elliptic curve Diffie–Hellman]].
Line 29:
==History==
Krohn, Freedman and Mazieres proposed a theory<ref>{{cite book |last1=Krohn |first1=Maxwell N. |last2=Freedman |first2=Michael J |last3=Mazières |first3=David |title=IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004 |chapter=On-the-fly verification of rateless erasure codes for efficient content distribution
<math>H : V \longrightarrow G</math> such that:
* <math>H</math> is [[Collision resistance|collision resistant]] – it is hard to find <math>x</math> and <math>y</math> such that <math>H(x) = H(y)</math>;
Line 141:
Then as long as <math>\sum_{2 \leq i \leq r} b_ir_i \not\equiv 0 \bmod p</math>, we can solve for the discrete log of Q. But the <math>r_i</math>’s are unknown to the oracle for Hash-Collision and so we can interchange the order in which this process occurs. In other words, given <math>b_i</math>, for <math>2 \leq i \leq r</math>, not all zero, what is the probability that the <math>r_i</math>’s we chose satisfies <math>\sum_{2 \leq i \leq r} (b_ir_i) = 0</math>? It is clear that the latter probability is <math>1 \over p</math> . Thus with high probability we can solve for the discrete log of <math>Q</math>.
We have shown that producing hash collisions in this scheme is difficult. The other method by which an adversary can foil our system is by forging a signature. This scheme for the signature is essentially the Aggregate Signature version of the Boneh-Lynn-Shacham signature scheme.<ref>{{cite book |last1=Boneh |first1=Dan |last2=Lynn |first2=Ben |last3=Shacham |first3=Hovav |title=Advances in Cryptology — ASIACRYPT 2001 |chapter=Short Signatures from the Weil Pairing
==See also==
| |||