Signatures for Network Coding
Denis Charles
Kamal Jain
Kristin Lauter
Microsoft Research
Network Coding Set-up
• A directed graph of users G
• A server (source) distributing content
• Content is divided into packets and represented as vectors in a vector space
• Each node receives linear combinations of packets from other nodes
• At each node, new linear combinations of received packets are formed and sent out along new edges
• Extra bits keep track of which linear combination was formed at each step
Pollution attacks
• A malicious node can inject garbage into the distribution network
• If undetected, the garbage will pollute the whole network, as meaningless packets are combined with others and redistributed
• Signatures on received packets can be used to check for garbage
Assumptions
• Public key digital signatures
• Only the server possesses the secret key for signing
• Any node can verify signatures using public information
• So how can nodes re-sign linear combinations of received packets?
Homomorphic signature scheme
Our solution is based on:
• Elliptic curves
• Bilinear pairing (Weil pairing)
• Homomorphic hashing of content onto points on the elliptic curve
• BLS-type signatures (Boneh-Lynn-Shacham)
• Security reduction to ECDLP (elliptic curve discrete logarithm problem)
Elliptic curves over finite fields
• Finite field $\mathbb{F}_q$ with $q$ elements, $A, B \in \mathbb{F}_q$
• Elliptic curve over $\mathbb{F}_q$ with equation $y^2 = x^3 + Ax + B$
• $E(\mathbb{F}_q) = \{(x, y) : y^2 = x^3 + Ax + B\} \cup \{\infty\}$ has a group structure and a bilinear pairing
• $e_m : E[m] \times E[m] \to \overline{\mathbb{F}_q}^{*}$ satisfying
  ◦ $e_m(S_1 + S_2, T) = e_m(S_1, T)\, e_m(S_2, T)$
  ◦ $e_m(S, T_1 + T_2) = e_m(S, T_1)\, e_m(S, T_2)$
Homomorphic hashing and signing
• Vectors (packets) with coefficients $v_i$ in $\mathbb{F}_p$ are hashed to linear combinations of public $p$-torsion points on $E/\mathbb{F}_q$: $R_1, \dots, R_k, P_1, \dots, P_d$ in $E(\mathbb{F}_q)[p]$
• $k$ = # of vectors, $d$ = dimension of vector space
• Server has secret keys for signing, $s_1, \dots, s_k$ and $r_1, \dots, r_d$ in $\mathbb{F}_p$, and signs the packet by computing the signature of the hash: $\sum s_i v_i R_i + \sum r_i v_i P_i$
• Server also publishes $Q$, $s_j Q$ and $r_i Q$
• $Q$ is another point in $E(\mathbb{F}_q)[p]$ which is linearly independent from the points $R_1, \dots, R_k, P_1, \dots, P_d$
Bilinearity of the pairing
1. Verification of signatures uses bilinearity of the pairing since $e_m(s_i v_i R_i, Q) = e_m(v_i R_i, s_i Q)$
2. Received valid signatures can be recombined to accompany new outgoing combinations of packets since the signature of the sum is the sum of the signatures
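The signing, recombination and verification steps from the two slides above, as an added Python example (not the authors' code). It assumes a toy stand-in for the curve: the p-torsion group is modelled as Z_p x Z_p and the Weil pairing as the alternating form zeta^(S0*T1 - S1*T0), with constructed sizes p = 101, r = 607; the function names are hypothetical, the secret scalars s_i and r_j are kept in one list, and each packet is k tracking coefficients followed by d content coordinates.

```python
# Toy model of the scheme's algebra (constructed, NOT secure): E[p] is modelled as
# Z_p x Z_p and the Weil pairing as e(S, T) = zeta^(S0*T1 - S1*T0), exposing discrete logs.
import random

p, r = 101, 607                 # toy sizes (assumed): p divides r - 1
zeta = pow(2, (r - 1) // p, r)  # element of order p in F_r^*, target of the pairing

def add(S, T): return ((S[0] + T[0]) % p, (S[1] + T[1]) % p)
def mul(c, S): return (c * S[0] % p, c * S[1] % p)
def pairing(S, T): return pow(zeta, (S[0] * T[1] - S[1] * T[0]) % p, r)

def keygen(k, d, rng):
    """Server setup: secret scalars (s_1..s_k, r_1..r_d) and the published points."""
    pts = [(rng.randrange(1, p), 0) for _ in range(k + d)]   # R_1..R_k, P_1..P_d
    Q = (0, 1)                                               # independent of all of them
    secret = [rng.randrange(1, p) for _ in range(k + d)]
    return secret, {"pts": pts, "Q": Q, "sQ": [mul(s, Q) for s in secret]}

def sign(secret, public, vec):
    """Server only: sum over coordinates of secret_i * vec_i * pts_i."""
    sig = (0, 0)
    for s, v, pt in zip(secret, vec, public["pts"]):
        sig = add(sig, mul(s * v % p, pt))
    return sig

def combine(coeffs, vecs, sigs):
    """Any node: the same linear combination of packets and of their signatures."""
    vec = [sum(c * v[i] for c, v in zip(coeffs, vecs)) % p for i in range(len(vecs[0]))]
    sig = (0, 0)
    for c, s in zip(coeffs, sigs):
        sig = add(sig, mul(c, s))
    return vec, sig

def verify(public, vec, sig):
    """Any node, public data only: e(sig, Q) == prod_i e(vec_i * pts_i, secret_i * Q)."""
    rhs = 1
    for v, pt, sQ in zip(vec, public["pts"], public["sQ"]):
        rhs = rhs * pairing(mul(v, pt), sQ) % r
    return pairing(sig, public["Q"]) == rhs

def demo():
    rng = random.Random(1)                     # constructed sample data
    secret, public = keygen(k=2, d=3, rng=rng)
    x1, x2 = [1, 0, 5, 7, 9], [0, 1, 4, 2, 8]  # 2 tracking coefficients + 3 content coordinates
    s1, s2 = sign(secret, public, x1), sign(secret, public, x2)
    mixed, sig = combine([3, 10], [x1, x2], [s1, s2])
    polluted = mixed[:2] + [(mixed[2] + 1) % p] + mixed[3:]   # one garbage coordinate
    return verify(public, mixed, sig), verify(public, polluted, sig)
```

The recombining node never touches the secret scalars: `combine` and `verify` use only the packets, their signatures and the published points.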
Security
• Theorem: Finding a collision of the hash function h is polynomial-time equivalent to computing the discrete log on the elliptic curve E.
• Fact: Forging signatures is as hard as the computational Diffie-Hellman problem on the curve E.
• Our scheme establishes authentication in addition to detecting pollution.
Implementation
• If we take the prime $p$ to be 170 bits, this is equivalent to 1024 bits of RSA security. We can set up the system with $q \sim p^2$.
• Communication overhead per vector is two elements of $\mathbb{F}_p$ (the x and y coordinates of a point) = 340 bits. We can reduce this overhead to 171 bits at the cost of increasing computational cost.
• Computation of the signature of a vector at an edge $e$ is $O(\mathrm{indeg}(\mathrm{in}(e)))$ operations in $\mathbb{F}_p$.
• Verification requires $O((d+k) \log^{2+\varepsilon} q)$ bit operations.
• Complete setup of the system at the server can be done in polynomial time (assuming a number theoretic conjecture of Hardy-Littlewood).