Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research

Network Coding Set-up A directed graph of users G A server (source) distributing content Content is divided into packets and represented as vectors in a vector space Each node receives linear combinations of packets from other nodes At each node, new linear combinations of received packets are formed and sent out along new edges Extra bits keep track of which linear combination at each step

Pollution attacks A malicious node can inject garbage into the distribution network If undetected, the garbage will pollute the whole network, as meaningless packets are combined with others and redistributed Signatures on received packets can be used to check for garbage

Assumptions Public key digital signatures Only the server possesses the secret key for signing Any node can verify signatures using public information So how can nodes re-sign linear combinations of received packets?

Homomorphic signature scheme Our solution is based on: Elliptic curves Bilinear pairing (Weil pairing) Homomorphic hashing of content onto points on the elliptic curve BLS-type signatures (Boneh-Lynn-Schacham) Security reduction to ECDLP (Elliptic curve discrete logarithm problem)

Elliptic curves over finite fields Finite field F q with q elements, A, B in F q Elliptic curve over F q with equation y 2 = x 3 + Ax + B E(F q )={(x, y): y 2 = x 3 + Ax + B} has a group structure and a bilinear pairing e m : E[m] × E[m] alg(F q ) * satisfying e m (S 1 + S 2, T) = e(S 1, T)e(S 2, T) e m (S, T 1 + T 2 ) = e(S, T 1 )e(S, T 2 ).

Homomorphic hashing and signing Vectors (packets) with coefficients v i in F p are hashed to linear combinations of public p-torsion points on E/F q R 1, · · ·,R k, P 1, · · ·, P d in E(F q )[p] k=# of vectors, d = dimension of vector space Server has secret keys for signing s 1, · · ·, s k and r 1, · · ·, r d in F p signs the packet by computing the signature of hash Σs i v i R i + Σr i v i P i Server also publishes Q, s j Q and r i Q Q is another point in E(F q )[p] which is linearly independent from the points R 1,…,R k, P 1,…, P d

Bilinearity of the pairing 1. Verification of signatures uses bilinearity of the pairing since e m (s i v i R i, Q) = e m (v i R i, s i Q) 2. Received valid signatures can be recombined to accompany new outgoing combinations of packets since the signature of the sum is the sum of the signatures

Security Theorem: Finding a collision of the hash function h is polynomial-time equivalent to computing the discrete log on the elliptic curve E. Fact: Forging signatures is as hard as the computational Diffie-Hellman problem on the curve E. Our scheme establishes authentication in addition to detecting pollution.

Implementation If we take the prime p 170-bits, this is equivalent to 1024 bits of RSA security. We can setup the system with q ~ p 2. Communication overhead per vector is two elements of F p (the x and y coordinates of a point) = 340 bits. We can reduce this overhead to 171 bits at the cost of increasing computational cost. Computation of signature of vector at an edge e is O(indeg(in(e)) operations in F p. Verification requires O((d+k) log 2+ε q) bit operations Complete setup of the system at the server can be done in polynomial time (assuming a number theoretic conjecture of Hardy-Littlewood).