Homomorphic signatures for network coding: Difference between revisions

[[Network coding]] has been shown to optimally use [[Bandwidth (computing)|bandwidth]] in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of [[network packet]]s spreads quickly since the output of (even an) honest node is corrupted if at least one of the incoming packets is corrupted.

An attacker can easily corrupt a packet even if it is encrypted by either forging the signature or by producing a collision under the [[hash function]]. This will give an attacker access to the packets and the ability to corrupt them. Denis Charles, Kamal Jain and Kristin Lauter designed a new [[homomorphic encryption]] signature scheme for use with network coding to prevent pollution attacks.<ref>http{{Cite journal |citeseerx = 10.1.1.60.4738 |title = Signatures for Network Coding |year = 2006 |url = https://citeseerx.ist.psu.edu/viewdoc/downloadsummary?doi=10.1.1.60.4738&rep |archive-url =rep1&type https://web.archive.org/web/20211121060603/https://citeseerx.ist.psu.edu/viewdoc/summary?doi=pdf10.1.1.60.4738 |archive-date = 2021-11-21 |url-status = bot: unknown |access-date = 2021-11-21 }}</ref>.

The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority. In this scheme it is computationally infeasible for a node to sign a linear combination of the packets without disclosing what [[linear combination]] was used in the generation of the packet. Furthermore, we can prove that the signature scheme is secure under well known [[Cryptography|cryptographic]] assumptions of the hardness of the [[discrete logarithm]] problem and the computational [[Elliptic curve Diffie–Hellman]].

Let <math>G = (V, E)</math> be a [[directed graph]] where <math>V</math> is a set, whose elements are called vertices or [[Node (networking)|node]]s, and <math>E</math> is a set of [[ordered pair]]s of vertices, called arcs, directed edges, or arrows. A source <math>s \in V</math> wants to transmit a file <math>D</math> to a set <math>T \subseteq V</math> of the vertices. One chooses a [[vector space]] <math>W/\mathbb{F}_p</math>(say of dimension <math>d</math>), where <math>p</math> is a prime, and views the data to be transmitted as a bunch of vectors <math>w_1 . . .,\ldots , w_k \in W</math>. The source then creates the augmented vectors <math>v_1, . . .\ldots , v_k</math> by setting <math> v_i = (0, . . .\ldots , 0, 1, . . .\ldots , 0, w_{i_1}, . . .\ldots , w{i_d})</math> where <math>w_{i_j}</math> is the <math>j</math>-th coordinate of the vector <math>w_i</math>. There are <math>(i-1)</math> zeros before the first '1' appears in <math>v_i</math>. One can assume without loss of generality that the vectors <math>v_i</math> are [[Linear independence|linearly independent]]. We denote the [[linear subspace]] (of <math>\mathbb{F}_p^{k+d}</math> ) spanned by these vectors by <math>V</math> . Each outgoing edge <math>e \in E</math> computes a linear combination, <math>y(e)</math>, of the vectors entering the vertex <math>v = in(e)</math> where the edge originates, that is to say

: <math>y(e) = \sum_{f:\mathrm{out}(f)=v}(m_e(f)y(f))</math>

where <math>m_e(f) \in \mathbb{F}_p</math>. We consider the source as having <math>k</math> input edges carrying the <math>k</math> vectors <math>w_i</math>. By [[Mathematical induction|induction]], one has that the vector <math>y(e)</math> on any edge is a linear combination <math>y(e) = \sum_{1 \le i \le k}(g_i(e)v_i)</math> and is a vector in <math>V</math> . The k-dimensional vector <math>g(e) = (g_1(e), . . .\ldots , g_k(e))</math> is simply the first ''k-'' coordinates of the vector <math>y(e)</math>. We call the [[Matrix (mathematics)|matrix]] whose rows are the vectors <math>g(e_1), . . .\ldots , g(e_k)</math>, where <math>e_i</math> are the incoming edges for a vertex <math>t \in T</math>, the global encoding matrix for <math>t</math> and denote it as <math>G_t</math>. In practice the encoding vectors are chosen at random so the matrix <math>G_t</math> is invertible with high probability. Thus, any receiver, on receiving <math>y_1, . . .\ldots , y_k</math> can find <math>w_1, . . .\ldots ,w_k</math> by solving

: <math>\begin{bmatrix} y'\\ y_2' \\. \\. \\.vdots \\ y_k' \end{bmatrix} = G_t \begin{bmatrix} w_1\\ w_2 \\. \\. \\.vdots \\ w_k \end{bmatrix}</math>

Each [[Receiver (information theory)|receiver]], <math>t \in T</math>, gets <math>k</math> vectors <math>y_1, . . .\ldots , y_k</math> which are random linear combinations of the <math>v_i</math>’s.

: <math>y_i = (\alpha_{i_1}, . . .\ldots , \alpha_{i_k}, a_{i_1}, . . .\ldots , a_{i_d})</math>

: <math>y_i = \sum_{1 \le j \le k}(\alpha_{ij}v_j).</math>.

Krohn, Freedman and Mazieres proposed a theory<ref>http{{cite book |last1=Krohn |first1=Maxwell N. |last2=Freedman |first2=Michael J |last3=Mazières |first3=David |title=IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004 |chapter=On-the-fly verification of rateless erasure codes for efficient content distribution |date=2004 |pages=226–240 |doi=10.1109/SECPRI.2004.1301326 |chapter-url=https://www.cs.princeton.edu/~mfreed/docs/authcodes-ieee04sp04.pdf |access-date=17 November 2022 |___location=Berkeley, California, USA |language=en-us |issn=1081-6011|isbn=0-7695-2136-3|s2cid=6976686 }}</ref> in 2004 that if we have a hash function

* <math>H</math> is [[Collision resistance|collision resistant]] – it is hard to find <math>x</math> and <math>y</math> such that <math>H(x)</math> = <math>H(y)</math>;

* <math>H</math> is a [[homomorphism]] – <math>H(x</math> + <math>y</math>) = <math>H(x) + H(y)</math>.

: <math>y = \sum_{1 \leq i\leq k} (\alpha_iv_i)</math>

we can check ifwhether

: <math>H(y) = \sum_{1 \leq i\leq k} (\alpha_iH(v_i))</math>

: <math> y^2 = x^3 + ax + b, \, </math>,

: <math>E(K) = \{(x, y) | y^2 = x^3 + ax + b\} \bigcup \{O\}</math>

forms an [[abelian group]] with O as identity. The [[Group (mathematics)|group operations]] can be performed efficiently.

If <math>E/\mathbb{F}_q</math> is an elliptic curve and <math>\gcd(m, q) = 1</math> then

: <math>E[m] \cong (\mathbb{Z}/m\mathbb{Z}) * (\mathbb{Z}/m\mathbb{Z})</math>

#(Bilinear) <math>e_m(P + R,Q) = e_m(P,Q)e_m(R,Q)</math>\text{ &and <math>}e_m(P,Q + R) = e_m(P,Q)e_m(P, R)</math>.

#(Non-degenerate) <math>e_m(P,Q) = 1</math> for all ''P'' implies that <math>Q = O</math>.

Let <math>p</math> be a prime and <math>q</math> a prime power. Let <math>V/\mathbb{F}_p</math> be a vector space of dimension <math>D</math> and <math>E/\mathbb{F}_q</math> be an elliptic curve such that <math>P_1, . . .\ldots , P_D \in E[p]</math>.

<math>h(u_1, . . .\ldots , u_D) = \sum_{1 \leq i\leq D} (u_iP_i)</math>.

The server chooses <math>s_1, . . .\ldots , s_D</math> secretly in <math>\mathbb{F}_p</math> and publishes a point <math>Q</math> of p-torsion such that <math>e_p(P_i,Q) \not= 1</math> and also publishes <math>(P_i, s_iQ)</math> for <math>1 \leq i \leq D</math>.

The signature of the vector <math>v = u_1, . . .\ldots , u_D</math> is

Given <math>v = u_1, . . .\ldots , u_D</math> and its signature <math>\sigma</math>, verify that

<math> e_p(\sigma,Q) & = e_p \left(\sum_{1 \leq =i \prod_ileq D} e_p(u_i s_i P_i), Q \right)</math> \\

<math> & = \prod_i e_p(u_i P_i, s_iQ)</math>

<math>y(e) = \sum_{f \in E:\mathrm{out}(f)=\mathrm{in}(e)} (m_e(f)y(f))</math>

<math>\sigma(y(e)) = \sum_{f \in E:\mathrm{out}(f)=\mathrm{in}(e)} (m_e(f)\sigma(y(f)))</math>

The signature is a point on the elliptic curve with coordinates in <math>\mathbb{F}_q</math>. Thus the size of the signature is <math>2 \log q</math> bits (which is some constant times <math>log(p)</math> bits, depending on the relative size of <math>p</math> and <math>q</math>), and this is the transmission overhead. The computation of the signature <math>h(e)</math> at each vertex requires <math>O(d_{in} \log p \log^{1+\epsilon} q)</math> bit operations, where <math>d_{in}</math> is the in-degree of the vertex <math>in(e)</math>. The verification of a signature requires <math>O((d + k) \log^{2+\epsilon} q)</math> bit operations.

If given <math>(P_1, . . .\ldots , P_r)</math> points in <math>E[p]</math> find

<math>a = (a_1, . . .\ldots , a_r) \in \mathbb{F}_p^r</math> and <math>b = (b_1, . . .\ldots , b_r) \in \mathbb{F}_p^r</math>

We claim that <math>x \not = u</math> and <math>y \not = v</math>. Suppose that <math>x = u</math>, then we would have <math>(y-v)Q = 0</math>, but <math>Q</math> is a point of order <math>p</math> (a prime) thus <math>y-u \equiv 0 mod\bmod p</math>. In other words <math>y = v</math> in <math>\mathbb{F}_p</math>. This contradicts the assumption that <math>(x, y)</math> and <math>(u, v)</math> are distinct pairs in <math>\mathbb{F}_2</math>. Thus we have that <math>Q = -(x-u)(y-v)^{-1}P</math>, where the inverse is taken as modulo <math>p</math>.

: <math>ar_1P + \sum_{2 \leq i \leq r}(b_ir_iQ) = 0.</math>.

Then as long as <math>\sum_{2 \leq i \leq r} b_ir_i \not\equiv 0 mod\bmod p</math>, we can solve for the discrete log of Q. But the <math>r_i</math>’s are unknown to the oracle for Hash-Collision and so we can interchange the order in which this process occurs. In other words, given <math>b_i</math>, for <math>2 \leq i \leq r</math>, not all zero, what is the probability that the <math>r_i</math>’s we chose satisfies <math>\sum_{2 \leq i \leq r} (b_ir_i) = 0</math>? It is clear that the latter probability is <math>1 \over p</math> . Thus with high probability we can solve for the discrete log of <math>Q</math>.

We have shown that producing hash collisions in this scheme is difficult. The other method by which an adversary can foil our system is by forging a signature. This scheme for the signature is essentially the Aggregate Signature version of the Boneh-Lynn-Shacham signature scheme.<ref>http{{cite book |last1=Boneh |first1=Dan |last2=Lynn |first2=Ben |last3=Shacham |first3=Hovav |title=Advances in Cryptology — ASIACRYPT 2001 |chapter=Short Signatures from the Weil Pairing |series=Lecture Notes in Computer Science |date=2001 |volume=2248 |pages=514–532 |doi=10.1007/3-540-45682-1_30 |chapter-url=https://csewebhovav.ucsd.edunet/~hovavucsd/dist/sigs.pdf |access-date=17 November 2022 |language=en|isbn=978-3-540-45682-7}}</ref>. Here it is shown that forging a signature is at least as hard as solving the [[Ellipticelliptic curve Diffie-HellmanDiffie–Hellman]] problem. The only known way to solve this problem on elliptic curves is via computing discrete-logs. Thus forging a signature is at least as hard as solving the computational co-Diffie-HellmanDiffie–Hellman on elliptic curves and probably as hard as computing discrete-logs.

*[[Homomorphic Encryptionencryption]]

*[[Elliptic-curve Curve Cryptographycryptography]]

*[[Elliptic-curve Curve Diffie-HellmanDiffie–Hellman]]

*[[Elliptic Curve DSADigital Signature Algorithm]]

#[https://web.archive.org/web/20110606191907/http://www.cse.buffalo.edu/~atri/courses/coding-theory/fall07.html University at Buffalo Lecture Notes on Coding Theory – Dr. Atri Rudra]