Signatures for Network Coding

Transcription

1 Conference on Random network codes and Designs over F q Signatures for Network Coding Oliver Gnilke, Claude-Shannon-Institute, University College Dublin 18. September / 14

2 Network Coding Signature Signing a Vector Space: Denition A digital signature is a triple of algorithms: Setup: Sign: 1 k (PK, SK), generates key pairs (pk, sk). (SK, G(k)) Σ, signs vector spaces with a secret key. Verify: (PK, V, Σ) {0, 1} accepts or rejects a signature on a vector. It holds that for a set of keys Setup(1 k ) = (pk, sk) and any vector y V Verify(pk, y, Sign(sk, V )) = 1. It is hard to generate valid signatures without knowing the secret key. 2 / 14

3 A Construction by Boneh et. al. Boneh et. al. suggest using homomorphic hashes to generate a network signature. A packet would contain three parts. Vector Hash Signature The Signature is a standard digital signature on the hash to prevent attackers from changing the hash unnoticed. The hash is then used to verify that the vector is from the vector space that was sent. 3 / 14

4 Hashing a Vector Space Only consider vector spaces given as the rowspace of a matrix in standard form For a xed vector e F n k p such that ( ) V = rows E k X, X F k (n k) p. ( E k X We want to use h as our hash, since [ ] h y V, y = 0. there is a unique vector h F k p ) [ ] h = 0. e e 4 / 14

5 Hashing a Vector Space Can not publish h or even e directly. Instead we use a DLP group G of order p with generator g. We then use the elements g e i as the constants and can easily calculate g h i when given V. Verication of a vector y is then done by checking whether k i=1 (g h i )y i n i=k+1 (g e i )y i = e G It can be seen that a probabilistic algorithm that produces collisions can be used to break the DLP. 4 / 14

6 An Example using intermediate Verication S Consider this subgraph G S of a T network consisting of all paths from the source S to one of the sinks T. T 5 / 14

7 An Example using intermediate Verication S Consider this subgraph G S of a T network consisting of all paths from the source S to one of the sinks T. Assume errors are introduced by the red nodes. T 5 / 14

8 An Example using intermediate Verication S A We simplify the setting by introducing a central attacker node A. We can now dene the strength of the attackers as the max ow from A to T. And the actual capacity of the network as the maxow from S to T in G S T \ G A T. T 5 / 14

9 An Example using intermediate Verication A S In this example the maxow from A and S to T are both 2 and therefore network coding can not prevent A from disrupting communication. T 5 / 14

10 An Example using intermediate Verication S A N When using a network coding signature node N could verify the incoming packets and discard the faulty one. T would then receive 3 valid packets and only one error vector which it could discard using the network coding signature. T 5 / 14

11 In some applications verication at intermediate nodes might not be possible because of the computational expense or the delay. Even when not using intermediate verication of packets network coding signatures can outperform network codes in settings where malicious nodes might be present. We will compare the numbers of dierent messages that can be sent when using network coding C to when using network coding signatures S. 6 / 14

12 Choosing Parameters The IPv6 standard has a 16 bit eld reserved in its standard header to contain the payload size in bytes (octets). Therefore packetes can have a maximum usable size of 2 19 bits 65kB. We choose the packet length b to be either 4kB, 8kB, or 16kB. (an extended standard allows for packets of sizes up to 4.295GB, so called Jumbograms) 7 / 14

13 NIST provides a list of approved curves and parameters for elliptic curve cryptography in FIPS We choose curve B-283 dened over F with a basepoint of order < p = < We therefore use network coding over F p in the vector part or the packets and every element of the group generated by the basepoint will need 284 bits. 8 / 14

14 Message Space for NCS F k p E k k Header Information homomorphic hash ECDSA b bits Header The vector space has to be in fully normalized form, i.e. it has the unit matrix as the leading block. Hash Unchanged in every packet, consists of k elements from E. ECDSA The Signature consists of a pair of elements from F p, the public key is one element in E. 9 / 14

15 Message Space for NCS F k p E k k Header Information homomorphic hash ECDSA b bits The number of dierent messages that can be sent is therefore given by log 2 (S(b, k) ) b kp 2 k(q 2 + 1) 2p 2 (q 2 + 1) := k log 2 (p) where q 2 = 283 and p 2 = 282 are the bit requirements by elements in F p and F p. p 2 9 / 14

16 Singleton Bound To estimate the number of codewords we use the Singleton bound [ ] N d 2 2 C Singl(N, k, d, q) :=. max(k, N k) Since we work with a xed packet size b we calculate. N = b q2 Furthermore we x q = q 10 / 14

17 Comparision d/ kB kB kB k k d log 2 (Singl)) log 2 (Sign) / 14

18 Comparision d/ kB kB kB k 12 / 14

19 Conclusions Intermediate verication of packets can be used to stop error propagation in networks. Network Coding Signatures can outperform Network Coding Schemes in settings with many adversaries. Network Coding Signatures are especially useful for big packet lengths and small k. 13 / 14

20 Thank You for Your Attention 14 / 14