Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research Network Coding Set-up A directed graph of users G A server (source) distributing content Content is divided into packets and represented as vectors in a vector space Each node receives linear combinations of packets from other nodes At each node, new linear combinations of received packets are formed and sent out along new edges Extra bits keep track of which linear combination at each step Pollution attacks A malicious node can inject garbage into the distribution network If undetected, the garbage will pollute the whole network, as meaningless packets are combined with others and redistributed Signatures on received packets can be used to check for garbage Assumptions Public key digital signatures Only the server possesses the secret key for signing Any node can verify signatures using public information So how can nodes re-sign linear combinations of received packets? Homomorphic signature scheme Our solution is based on: Elliptic curves Bilinear pairing (Weil pairing) Homomorphic hashing of content onto points on the elliptic curve BLS-type signatures (Boneh-Lynn-Schacham) Security reduction to ECDLP (Elliptic curve discrete logarithm problem) Elliptic curves over finite fields Finite field Fq with q elements, A, B in Fq Elliptic curve over Fq with equation y2 = x3 + Ax + B E(Fq)={(x, y): y2 = x3 + Ax + B} Ụ ∞ has a group structure and a bilinear pairing em : E[m] × E[m] alg(Fq)* satisfying em(S1 + S2, T) = e(S1, T)e(S2, T) em(S, T1 + T2) = e(S, T1)e(S, T2). Homomorphic hashing and signing Vectors (packets) with coefficients vi in Fp are hashed to linear combinations of public p-torsion points on E/Fq R1, · · · ,Rk, P1, · · · , Pd in E(Fq)[p] k=# of vectors, d = dimension of vector space Server has secret keys for signing s1, · · · , sk and r1, · · · , rd in Fp signs the packet by computing the signature of hash ΣsiviRi + ΣriviPi Server also publishes Q, sjQ and riQ Q is another point in E(Fq)[p] which is linearly independent from the points R1,…,Rk, P1,…, Pd Bilinearity of the pairing 1. 2. Verification of signatures uses bilinearity of the pairing since em(siviRi, Q) = em(viRi, siQ) Received valid signatures can be recombined to accompany new outgoing combinations of packets since the signature of the sum is the sum of the signatures Security Theorem: Finding a collision of the hash function h is polynomial-time equivalent to computing the discrete log on the elliptic curve E. Fact: Forging signatures is as hard as the computational Diffie-Hellman problem on the curve E. Our scheme establishes authentication in addition to detecting pollution. Implementation If we take the prime p 170-bits, this is equivalent to 1024 bits of RSA security. We can setup the system with q ~ p2. Communication overhead per vector is two elements of Fp (the x and y coordinates of a point) = 340 bits. We can reduce this overhead to 171 bits at the cost of increasing computational cost. Computation of signature of vector at an edge e is O(indeg(in(e)) operations in Fp. Verification requires O((d+k) log2+εq) bit operations Complete setup of the system at the server can be done in polynomial time (assuming a number theoretic conjecture of Hardy-Littlewood).