Secure Network Coding Over the Integers


Rosario Gennaro, Jonathan Katz, Hugo Krawczyk, Tal Rabin

Abstract

Network coding has received significant attention in the networking community for its potential to increase throughput and improve robustness without any centralized control. Unfortunately, network coding is highly susceptible to pollution attacks in which malicious nodes modify packets in a way that prevents the reconstruction of information at recipients; such attacks cannot be prevented using standard end-to-end cryptographic authentication because network coding requires that intermediate nodes modify data packets in transit. Specialized solutions to the problem have been developed in recent years based on homomorphic hashing and homomorphic signatures. The latter are more bandwidth-efficient but require more computation; in particular, the only known construction uses bilinear maps.

We contribute to this area in several ways. We present the first homomorphic signature scheme based solely on the RSA assumption (in the random oracle model), and present a homomorphic hashing scheme based on composite moduli that is computationally more efficient than existing schemes (and which leads to secure network coding signatures based solely on the hardness of factoring in the standard model). Both schemes use shorter public keys than previous schemes. In addition, we show variants of existing schemes that reduce the communication overhead significantly for moderate-size networks, and which improve computational efficiency in some cases quite dramatically (e.g., we achieve a 20-fold speedup in the computation of intermediate nodes). At the core of our techniques is a modified approach to network coding where instead of working in a vector space over a field, we work directly over the integers (with small coefficients).

IBM T.J. Watson Research Center, Hawthorne, NY. Email: rosario@us.ibm.com, hugo@ee.technion.ac.il, talr@us.ibm.com. Research sponsored by the US Army Research laboratory and the UK Ministry of Defence under agreement number W911NF

Dept. of Computer Science, University of Maryland. Work done while visiting IBM. Research supported by NSF CAREER award # , NSF Trusted Computing grant # , the U.S. DoD/ARO MURI program, and the US Army Research Laboratory and the UK Ministry of Defence under agreement number W911NF

1 Introduction

Network coding (NC) [2, 15] offers an alternative, decentralized approach to traditional multicast routing. We consider a network setting where a source node has a piece of information (a file) that it wants to distribute to a set of target nodes. The source partitions the file into m network packets which it transmits to its neighboring nodes. Further transmission happens through intermediate nodes who receive packets via incoming links and produce modified packets sent over outgoing links. These outgoing packets are computed as linear combinations of incoming packets, where packets are viewed as vectors in a linear space over some field. We focus on the case of random linear network coding [7, 10], where scalars are chosen at random from the underlying field. This strategy induces a fully decentralized solution to the routing problem since nodes do not need to coordinate their actions as each chooses its own linear combinations independently of other nodes.

Target nodes reconstruct the original file sent by the source from the packets they receive. Fortunately, this does not require knowledge by the target of all scalars chosen by intermediate nodes. Instead, it suffices to augment each information vector traveling the network with m additional coding coordinates that encode in a compact way the history of all linear combinations that resulted in that vector. A target that receives a set of augmented vectors for which the attached coding coordinates induce a full rank matrix can recover the original information sent by the source via a simple matrix inversion operation (see Section 2.1).

A fundamental question is what is the decoding probability at the targets, namely, the probability with which a target is able to reconstruct the original file (or, equivalently, the probability for the target to collect enough linearly independent coding vectors). The NC literature, and actual applications, show that small-size fields (e.g., of size 256) provide very good decoding probability for networks with sufficient connectivity.
However, while random linear NC can increase throughput and reliability relative to alternative techniques, it suffers from a serious weakness: its susceptibility to pollution attacks in which malicious nodes inject into the network invalid packets that prevent the reconstruction of information at the targets. Here, an invalid packet is any packet that is not in the linear span of the original augmented vectors sent by the source. By the way vectors are propagated and combined in the network, a single invalid packet injected by the attacker can invalidate many more packets, eventually preventing the reconstruction of information at the targets. This constitutes a serious denial of service attack which an attacker can mount effortlessly and which in real-life scenarios can be sufficient to outweigh the benefits of network coding.

Clearly, what is needed is a way for intermediate nodes to be able to verify the validity of incoming vectors. Note, however, that since packets are modified by intermediate nodes, a regular signature by the source on the original information is not sufficient. Prior work has shown, however, that dedicated network coding signatures can be used to solve this problem. These are based on one of two primitives: either (collision-resistant) homomorphic hash functions [14, 17] or homomorphic signature schemes [13, 4, 3]. In both cases, the homomorphic properties are used such that the signature (or hashing) operation on a linear combination of vectors results in a corresponding homomorphic combination of signatures (or hash values). See Section 2.2 for details, and [3] for a complete survey.

Constructions of homomorphic hash functions are well known, and can be implemented over any prime-order group where the discrete logarithm problem is hard. Building homomorphic signatures is more challenging. So far the only known construction is based on bilinear groups [3] and involves costly pairing operations. In particular, NC signatures based on homomorphic signatures are computationally more expensive than those built from homomorphic hashing. However, the latter are less communication-efficient since they require each packet sent in the network to be sent with some authentication data whose length is proportional to m (the number of information vectors).

One drawback of both approaches is that they replace the small fields used in NC with very large ones. Thus, instead of using vectors over an 8-bit field as in traditional NC, the cryptographic approaches use vectors over a 160-bit (i.e., cryptographically strong) field instead. This results in a factor of 20 increase in the bandwidth overhead.

Our contributions. We contribute to this area in several ways. We present the first homomorphic signature scheme based on the RSA assumption in the random oracle model.¹ In particular, it is the first homomorphic signature scheme to avoid bilinear groups and pairings, and thus has more efficient processing at the intermediate nodes. Bandwidth overhead is lower than in existing schemes for networks of moderate size (e.g., where the maximum path length between source and target nodes is hops). In addition, the scheme uses a public key of constant size.

We also present a new homomorphic hashing scheme that works modulo a composite number N. However, instead of the many random generators used by known schemes, ours uses a single fixed generator which can be set to 2, speeding up significantly the exponentiation operation. Concretely, by considering each information vector v transmitted over the network as a single (large) integer, we define our hash function simply as $H_N(v) = 2^v \bmod N$. The hash function is homomorphic over the integers and can be proven collision resistant based on the hardness of factoring. In particular, it leads to a provably secure NC signature scheme based on the factoring assumption and without random oracles.

A core technique we must develop for the above constructions is to apply network coding over the integers rather than over a field as is traditionally done.
By working over the integers we enable the homomorphic properties of the above two schemes (where the group order is unknown), and furthermore can work with small coefficients. As noted earlier, a major disadvantage of prior cryptographic techniques in the context of NC is their use of large (160-bit) coordinates and equally large coefficients for the linear combinations. In contrast, by working over the integers we are able to choose small (e.g., 8-bit) integer coefficients for the linear combinations. This has the immediate effect of improving the computation at intermediate nodes by a factor of 20, and it also reduces the total bandwidth overhead for networks with moderate-length paths between source and targets. A crucial question we need to answer is how this affects the decoding probability. Fortunately, we can show that if the integer coefficients are taken from a set $Q = \{0, \ldots, q-1\}$, for prime q, then the decoding probability is at least as good as working over a field of size q and therefore 8-bit coefficients are good enough for most applications.

The ability to work with NC with small integer coefficients allows us also to improve the performance of existing schemes. We show that by simply choosing coefficients for the linear combinations in existing schemes from a small set Q as above (but still performing computations modulo the large prime p as required by these schemes) we are able to improve significantly the performance: we obtain a 20-fold improvement on signature generation and a reduction on the communication overhead as well.

We mention that our approach to NC over the integers may also enable constructions of lattice-based homomorphic signatures, and we are currently investigating this possibility.

¹ Yu et al. [16] recently proposed an RSA-based homomorphic signature scheme, but their scheme is flawed as verification of their signatures always fails. The source of the problem is that Yu et al. incorrectly assume (cf. equations (11) and (12) in section III-B) that for integers A, b, d, a prime p, and (independent) RSA composite r, it holds that $((A^b \bmod p)^d \bmod r) = (A \bmod p)^{bd} \bmod r$.

2 Background

2.1 Network Coding

We present a high-level description of linear network coding (the only type with which we are concerned in this work); for further details see [9]. In this setting, we have a network with a distinguished node S, called the source, and a subset of nodes known as targets. The objective is for S to transmit a file F to all the target nodes, where F is represented as an ordered sequence of m vectors $\bar v^{(1)}, \ldots, \bar v^{(m)} \in F^n$ over some finite field F. Before transmission, the source S creates m augmented vectors $\bar w^{(1)}, \ldots, \bar w^{(m)}$ defined as

$$\bar w^{(i)} = (\overbrace{0, \ldots, 0, 1, 0, \ldots, 0}^{m} \,\|\, \bar v^{(i)}) \in F^{m+n};$$

i.e., each original vector $\bar v^{(i)}$ of the file is pre-pended with the vector of length m containing a single 1 in the i-th position. These augmented vectors are sent by the source to its neighboring nodes.

Each (well-behaved) intermediate node I in the network processes packets (i.e., incoming vectors) as follows. Upon receiving packets $w^{(1)}, \ldots, w^{(l)} \in F^{m+n}$ on its l incoming communication edges, I computes a packet w for each of its outgoing links as a linear combination of the packets that it received. That is, each outgoing packet w transmitted by I takes the form $w = \sum_{i=1}^{l} \alpha_i w^{(i)}$, where $\alpha_i \in F$.

We say a vector w transmitted in the network (in the scenario above) is valid if it lies in the linear span of the original augmented vectors $\bar w^{(1)}, \ldots, \bar w^{(m)}$. It is easy to see that if all nodes follow the protocol honestly, then every packet transmitted in the network is valid.

Different strategies for choosing the coefficients $\alpha_i$ yield different variants of network coding. When the $\{\alpha_i\}$ are chosen randomly and independently by each transmitting node, for each of its outgoing communication links, the resulting scheme is referred to as random linear network coding [5, 7, 10]. For the purposes of analyzing efficiency, we assume in our work that this mechanism is used for choosing the coefficients; our constructions, however, ensure security regardless of how the coefficients are chosen.
To recover the original file, a target node must receive m (valid) vectors $\{w^{(i)} = (u^{(i)} \,\|\, v^{(i)})\}_{i=1}^{m}$ for which $u^{(1)}, \ldots, u^{(m)}$ are linearly independent. If we define a matrix U whose rows are the vectors $u^{(1)}, \ldots, u^{(m)}$ and a matrix V whose rows are the vectors $v^{(1)}, \ldots, v^{(m)}$, then the original file can be recovered as

$$\bar V = U^{-1} V, \qquad (1)$$

where $\bar V$ is a matrix whose rows are the original information vectors $\bar v^{(1)}, \ldots, \bar v^{(m)}$.

Assuming the coefficients are chosen randomly and independently by the intermediate nodes, the decoding probability, i.e., the probability with which a given target node will be able to recover the file (or, equivalently, the probability with which a given target node will receive m linearly independent vectors, as required above), is determined by the network topology and the size of the field F. To minimize the communication overhead (due to the first m coordinates of every transmitted vector), it is desirable to keep F as small as possible; on the other hand, choosing F too small would reduce the decoding probability too much. For typical networks encountered in practice, taking $|F| \approx 256$ has been shown to give a probability of decoding failure of less than 1%.

2.2 Network Coding Signatures

The benefits of network coding can be outweighed by pollution attacks in which intermediate nodes forward invalid vectors to their neighbors. Even a single invalid vector that reaches a target node may be sufficient to cause incorrect reconstruction of the original file; furthermore, an invalid packet sent by a malicious node will, with high probability, render all subsequent packets downstream invalid as well. Note that the in-network processing required by network coding makes it impossible to apply traditional signatures or message authentication codes to individual packets.

It is not hard to design cryptographic schemes that prevent targets from reconstructing an incorrect file: e.g., a standard signature can be appended to the file before transmission, and verified upon reconstruction. This technique, however, is not sufficient to enable the target to reconstruct the correct file if multiple invalid vectors are present. Moreover, it does not provide any way for intermediate nodes to drop invalid packets they receive.

Early efforts to deal with pollution attacks focused on information-theoretic solutions that use error-correction techniques to ensure that targets can reconstruct the file as long as the ratio of valid to invalid vectors received is sufficiently high [8, 11, 12]. Unfortunately, these techniques (inherently) impose limitations on the number of nodes the adversary can corrupt, the number of packets that can be modified, and/or the number of links on which the adversary can eavesdrop.

For the above reasons, researchers have more recently turned to cryptographic approaches that place no bounds on the adversary other than the assumption that the adversary is computationally bounded [14, 4, 17, 3]. These approaches give network coding signature schemes that allow anyone holding the public key² of the source to determine whether a given vector is valid.
In particular, this allows target nodes to reject invalid vectors before reconstructing the file; it also allows intermediate nodes to filter out invalid vectors before generating their outgoing messages, thus preventing contamination of honestly generated vectors further downstream. A precise definition of network coding signatures and their security requirements is presented in Appendix A.

Two classes of network coding signature schemes are known: those based on homomorphic hashing, and those using homomorphic signatures.

Schemes based on homomorphic hashing [14, 17, 3]. A homomorphic hash function H is a collision-resistant hash function with the property that for any vectors a, b and scalars α, β it holds that $H(\alpha a + \beta b) = H(a)^{\alpha} H(b)^{\beta}$. Collision resistance implies (via standard arguments) that if one knows vectors a, b, c for which $H(c) = H(a)^{\alpha} H(b)^{\beta}$ then it must be the case that $c = \alpha a + \beta b$.

A concrete example [14] of a homomorphic hash function is given by what we call the exponential homomorphic hash (EHH) scheme. Let G be a cyclic group of order p, and let the public key contain a description of G along with random generators $g_1, \ldots, g_n \in G$. Define a function H on vectors $v = (v_1, \ldots, v_n) \in \mathbb{Z}_p^n$ as

$$H(v) = \prod_{j=1}^{n} g_j^{v_j}. \qquad (2)$$

The homomorphic property is easily verified, and collision resistance is implied by the discrete logarithm assumption in G.

Homomorphic hash functions can be used for network coding as follows: For each original vector $\bar v^{(i)}$, the source S computes $h_i = H(\bar v^{(i)})$; it then signs $h_1, \ldots, h_m$ (together with a unique file identifier fid) using a standard signature scheme. The $\{h_i\}$ and their signature are then appended to every packet sent in the network.³ A node can determine whether a vector $w = (u \,\|\, v)$ is valid by checking the signature on the $\{h_i\}$ (and the fid), and then verifying whether $\prod_{i=1}^{m} h_i^{u_i} \stackrel{?}{=} H(v)$. In particular, for the EHH scheme this verification takes the form:

$$\prod_{i=1}^{m} h_i^{u_i} \stackrel{?}{=} H(v) \stackrel{\text{def}}{=} \prod_{j=1}^{n} g_j^{v_j}. \qquad (3)$$

The resultant signature scheme can be proven secure in the standard model (no random oracles) based on the discrete logarithm assumption [14, 3].

When using homomorphic hashing, the only change in the processing done by intermediate nodes is to verify the hash and forward the authentication information. However, the linear network coding operations performed by intermediate nodes are now done over the (large) field $F = \mathbb{Z}_p$.

Homomorphic signature schemes [13, 4, 3]. Here, the full signature (and not just the hash) is homomorphic. Namely, the signature scheme has the property that for any vectors a, b and scalars α, β, it holds that $\mathrm{Sign}(\alpha a + \beta b) = \mathrm{Sign}(a)^{\alpha}\, \mathrm{Sign}(b)^{\beta}$. The security property, roughly speaking, is that given signatures on some set of vectors $w^{(1)}, \ldots, w^{(m)}$, it is only feasible to generate signatures on vectors in the linear span of $w^{(1)}, \ldots, w^{(m)}$.

The application to network coding is immediate: The source S signs each augmented vector $\bar w^{(i)}$ and then transmits each $\bar w^{(i)}$ together with its signature $\mathrm{Sign}(\bar w^{(i)})$. An intermediate node I that receives a set of incoming vectors with their corresponding signatures will (i) verify the signatures (discarding any vector whose signature is invalid) and (ii) compute (using the homomorphic property) a valid signature on each outgoing vector that I generates. Thus, in addition to the normal network coding processing, intermediate nodes must now compute a signature on each outgoing packet. On the other hand, the per-packet communication overhead due to the signature is now constant rather than linear in m as in the case of homomorphic hashing.

A concrete example of a homomorphic signature scheme (the BFKW scheme) was given by Boneh et al. [3]; the scheme can be proven secure based on the CDH assumption in the random oracle model.

² A symmetric-key analogue is also possible [6, 1], but this allows only a (single) target to verify validity of vectors.
We provide a description here for completeness and further reference. To begin, the source S establishes a public key as follows:

1. Generate $\mathcal{G} = (G, G_T, p, \hat e)$ such that $G, G_T$ have prime order p, and $\hat e : G \times G \to G_T$ is a bilinear map. Choose random generators $h, g_1, \ldots, g_n \in G$.
2. Choose $s \leftarrow \mathbb{Z}_p$, and set $f := h^s$.
3. Let $H : \mathbb{Z} \times \mathbb{Z} \to G$ be a hash function, modeled as a random oracle.
4. Output the public key $PK = (\mathcal{G}, H, g_1, \ldots, g_n, h, f)$ and the private key s.

To sign a vector $w = (u \,\|\, v) \in \mathbb{Z}_p^{m+n}$ associated with the file identifier fid, the source S computes the signature

$$\sigma := \left( \prod_{i=1}^{m} H(\mathrm{fid}, i)^{u_i} \prod_{j=1}^{n} g_j^{v_j} \right)^{s}.$$

As discussed previously, S then sends each augmented vector $\bar w^{(i)}$ along with its signature.

³ In some settings, there may be alternate ways to distribute the $\{h_i\}$ authentically.

An intermediate node who knows PK can verify validity of a vector $w = (u \,\|\, v)$ with associated signature σ by computing

$$\gamma_1(PK, \sigma) \stackrel{\text{def}}{=} \hat e(\sigma, h) \quad \text{and} \quad \gamma_2(PK, \mathrm{fid}, m, w) \stackrel{\text{def}}{=} \hat e\left( \prod_{i=1}^{m} H(\mathrm{fid}, i)^{u_i} \prod_{j=1}^{n} g_j^{v_j},\; f \right), \qquad (4)$$

and then checking whether $\gamma_1(PK, \sigma) \stackrel{?}{=} \gamma_2(PK, \mathrm{fid}, m, w)$. Upon receiving vectors $w^{(1)}, \ldots, w^{(l)}$ with valid signatures $\sigma_1, \ldots, \sigma_l$, an intermediate node can generate a valid signature on any linear combination $w = \sum_{i=1}^{l} \alpha_i w^{(i)}$ by computing $\sigma := \prod_{i=1}^{l} \sigma_i^{\alpha_i}$.

3 Network Coding over the Integers

In this section we introduce the main technique that underlies the results in this paper: running random linear network coding over the integers with coefficients taken from a set of small (e.g., 8-bit) integers. This departs from the traditional linear coding schemes in that operations will be performed over the integers and will significantly depart from existing network coding signature schemes which use very large coefficients (typically, 160-bit long). This approach allows us to improve significantly on existing network coding signature schemes and, even more importantly, will enable the creation of new schemes, in particular one based solely on RSA.

Examining the two signature schemes from the previous section, one can see that the cryptographic techniques incur significant penalties relative to the basic (insecure) network coding protocols, both in terms of communication and computation. The additional computation is inherent to the cryptographic techniques and results mainly from the exponentiations used in these schemes. Communication increase is due to the fact that instead of working over a small (e.g., 8-bit) field, as in basic network coding, we are now working modulo a 160-bit prime p. This means that each information vector is augmented with m coordinates each of size at least 160 as opposed to m coordinates of size 8 each in basic network coding. This is a 20-fold increase in the communication overhead of the scheme.

The size of the scalars used in these schemes also impacts computation. For example, the size of exponents in the left-hand side of Eq. (3) is directly proportional to the size of the u coordinates. Even more significant is the negative impact of these larger scalars when computing signatures at intermediate nodes in the BFKW scheme of Section 2.2. In the Combine phase of this scheme a node computes $\prod_{i=1}^{l} \sigma_i^{\alpha_i}$ where the cost of exponentiation is directly proportional to the size of the scalars $\alpha_i$, each of length 160 bits or more.

To alleviate these performance costs and allow for new schemes, our approach will be to choose small coefficients (say, of size 8 bits) as opposed to the 160-bit scalars of previous schemes. However, this raises the question of what effect these small integer coefficients (and working over the integers) have on the decoding probability of these schemes. Fortunately, we show that this approach improves performance without sacrificing decoding probability and without compromising the security of the resultant cryptographic signatures.

3.1 Network Coding Over the Integers

We modify the traditional random linear network coding schemes to work over the integers (rather than over a field) as follows. The original file F transmitted by the source S is encoded as a sequence of vectors $\bar v^{(1)}, \ldots, \bar v^{(m)}$ with integer coordinates (at this point we do not specify the dimension of these vectors or the subset of integers from which these coordinates are taken; these details will depend on the specific cryptographic scheme used). These vectors are augmented with unit vectors $\bar u^{(1)}, \ldots, \bar u^{(m)}$ as in regular network coding. Linear combinations of incoming vectors at intermediate nodes will use random coefficients $\alpha_i$ from a set of small integers $Q = \{0, \ldots, q-1\}$ for some small prime q, e.g., q = 257. These linear combinations will be performed over the integers (in particular, this will be the setting for the schemes presented in Section 4 and Section 5).⁴ We stress that these computations are not done modulo q. Also, the coordinates in the information vectors $\bar v^{(i)}$ do not have to be taken from the set Q; only the scalars for the linear combination do.

Recall (from Section 2.1) that the success of a random linear network coding scheme depends on the decoding probability, namely, the probability with which a target in the network succeeds in correctly reconstructing the vectors $\bar v^{(1)}, \ldots, \bar v^{(m)}$ transmitted by the source. Equivalently, this is the probability that the target collects m vectors whose u parts form an invertible matrix U (see Eq. (1)). The network coding literature studies this probability when linear operations are carried out over a field, but what happens to the decoding probability when the linear combinations are performed over the integers (no modular operations)? In this case, we need to consider the probability that the incoming vectors to the target induce a matrix U that is invertible (over the rationals) or, equivalently, that the determinant det(U) (computed over the integers) is non-zero. The following simple (but significant) lemma shows how the decoding probability for network coding over the integers relates to the decoding probability in the usual case, when network coding is performed over some base field:

Lemma 1 For any network, the decoding probability when coefficients $\alpha_i$ are taken from the set $Q = \{0, \ldots, q-1\}$, for prime q, and all linear combinations are computed over the integers, is no worse than the decoding probability in the same network using a traditional network coding scheme over a field of size q.
Proof: Fix a sequence of coefficients $\alpha_i$ chosen by all nodes during a run of the network coding protocol. We need to show that if these $\alpha_i$'s resulted in a matrix U available to a target such that U is invertible modulo q then the same set of $\alpha_i$'s, when used to compute linear combinations over the integers, would result in a matrix U (not reduced modulo q) that is invertible in $\mathbb{Z}$. But this follows directly from the fact that if det(U) is non-zero modulo q then it is non-zero over the integers and hence invertible.

The lemma implies that in order to get a good decoding probability when working with linear combinations over the integers, it suffices to choose q such that the decoding probability when performing the linear combinations modulo q is sufficiently good. This puts us back in the standard setting of network coding (without cryptography) where the required size of the underlying field is well-studied. The appropriate size of q depends on the network topology, required fault tolerance, etc. In most practical applications a field of 8 bits (e.g., $\mathbb{Z}_q$ for q = 251 or q = 257) provides for good decoding probability and hence is sufficient also for our purposes.

In fact, we expect that working over the integers with coefficients from the set $Q = \{0, \ldots, q-1\}$ will induce a decoding probability that is noticeably better than working over a field of size q. If so, one could save more in bandwidth and computation by further reducing the size of q (e.g., using a 6-bit q). Another variant to investigate is choosing coefficients from the set $\{-q/2, \ldots, q/2\}$ (in this case, one has to adjust the bounds on coordinates tested in the Nsig scheme of Section 4).

Coordinate growth. When we work over the integers without any modular reduction, the size of the coordinates of the vectors transmitted in the network increases with each traversed hop. Specifically, each hop increases the maximal coordinate in a vector by a factor of at most $\min\{mq, lq\}$, where l is the in-degree of a node.⁵ (Note that l can be larger than m but in this case a node can replace the incoming vectors with an equivalent set of at most m linearly independent vectors.) So, after L hops the first m coordinates each have size at most $(mq)^L$ (since the initial m coordinates in the augmented vectors sent by the source are 0/1-valued), while the remaining coordinates have size at most $M(mq)^L$, where M is the maximal size of coordinates in the original file vectors $\bar v^{(i)}$. The increase in bit-size of coordinates is the logarithm of the above numbers. As we will see, in spite of this growth of coordinates the smaller coefficients will impact favorably the bandwidth overhead of existing signature schemes and the new ones we present.

We note that one way to achieve a bandwidth-efficient implementation of the vectors w transmitted in the network is to represent all coordinates in the vector by the same number of bits (determined by the largest coordinate in the vector) and include this length in the vector representation; when vectors are combined and coordinates grow this length indicator will increase too. As another implementation note, we comment that in our setting Eq. (1) can be computed modulo p for a prime p that is larger than the largest coordinate in any information vector $\bar v^{(i)}$; in particular, computing $U^{-1}$ can be done modulo such p.

⁴ A hybrid approach where we work with small coefficients but modulo a large prime is studied in Section

Note also that an attacker can generate unnecessarily large valid packets using linear combinations with large coefficients. This can counter some of the bandwidth gains achieved by working with small coordinates. In general, network coding signatures do not prevent all forms of denial of service (the very cryptographic operations create such opportunities). The point, however, is to prevent the trivial attack in which arbitrary packets inserted into the network have a catastrophic denial of service effect without the attacker spending any resources.
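The following added example (not code from the paper) runs the integer coding of Section 3.1 on a toy layered network: it compares invertibility mod q with invertibility over the integers for the same coefficient choices (Lemma 1), checks the $(mq)^L$ coordinate bound, and decodes Eq. (1) modulo a prime. The sample file, the layered topology where every hop emits m combinations, and all function names are assumptions made for illustration.

```python
import random

FILE = [[72, 101, 108, 108], [111, 32, 78, 67], [33, 33, 33, 33]]  # constructed sample
P = 2**61 - 1  # a prime larger than every coordinate of FILE, used only for decoding

def augment(file_vectors):
    """Source side: prepend the i-th unit vector to the i-th file vector."""
    m = len(file_vectors)
    return [[int(i == j) for j in range(m)] + list(v)
            for i, v in enumerate(file_vectors)]

def combine(packets, q, rng):
    """One outgoing packet: coefficients from Q = {0..q-1}, sums over the integers."""
    alphas = [rng.randrange(q) for _ in packets]
    return [sum(a * w[k] for a, w in zip(alphas, packets))
            for k in range(len(packets[0]))]

def relay(packets, hops, q, rng):
    """Toy layered network: each hop turns its m inputs into m fresh combinations."""
    for _ in range(hops):
        packets = [combine(packets, q, rng) for _ in packets]
    return packets

def det_int(rows):
    """Exact integer determinant via Bareiss fraction-free elimination."""
    a = [r[:] for r in rows]
    n, sign, prev = len(a), 1, 1
    for k in range(n - 1):
        if a[k][k] == 0:
            swap = next((i for i in range(k + 1, n) if a[i][k] != 0), None)
            if swap is None:
                return 0
            a[k], a[swap] = a[swap], a[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev
        prev = a[k][k]
    return sign * a[n - 1][n - 1]

def compare_decoding(trials, m, hops, q, seed):
    """Same coefficient choices judged twice: invertible mod q vs. non-zero over Z."""
    rng = random.Random(seed)
    field_ok = int_ok = 0
    for _ in range(trials):
        u = [w[:m] for w in relay(augment([[0]] * m), hops, q, rng)]
        d = det_int(u)
        field_ok += d % q != 0   # what a field of size q would see
        int_ok += d != 0         # what integer coding sees
    return field_ok, int_ok

def within_growth_bound(packets, m, hops, q, M):
    """Section 3.1 bound: u-coordinates <= (mq)^L and v-coordinates <= M(mq)^L."""
    cap = (m * q) ** hops
    return all(max(w[:m]) <= cap and max(w[m:]) <= M * cap for w in packets)

def decode_mod_p(packets, m, p):
    """Solve U X = V modulo the prime p (Gauss-Jordan); None if U is singular mod p."""
    a = [[x % p for x in w] for w in packets[:m]]
    for col in range(m):
        piv = next((r for r in range(col, m) if a[r][col]), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, p)
        a[col] = [x * inv % p for x in a[col]]
        for r in range(m):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [row[m:] for row in a]

def send_and_decode(file_vectors, hops=4, q=257, seed=7):
    """A target keeps collecting packet sets until its matrix U is invertible mod P."""
    rng = random.Random(seed)
    m = len(file_vectors)
    while True:
        received = relay(augment(file_vectors), hops, q, rng)
        decoded = decode_mod_p(received, m, P)
        if decoded is not None:
            return received, decoded

if __name__ == "__main__":
    print(compare_decoding(2000, 3, 2, 3, seed=1))  # (mod-q successes, integer successes)
    print(send_and_decode(FILE)[1])
```

Running `compare_decoding` with a very small prime such as q = 3 makes the gap between the two counts visible; `within_growth_bound` is also usable as the receiver-side size check for oversized packets.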
In the particular case of an attacker injecting valid packets with unnecessarily large coordinates, several measures can be taken. For example, a node can discard suspicious packets based on an estimate of the size of packets it is supposed to get (based on other packets it receives, or its position in the network, etc.), and it can make sure not to mix packets with small coordinates with those with large ones.

3.2 Improvements to Existing Schemes

Lemma 1 is instrumental in enabling the new schemes presented in Sections 4 and 5. Here, we deal with a hybrid variant where we choose small integer coefficients as above but do the linear combination modulo a large prime p. This approach will allow us to immediately achieve some significant performance improvements on the existing schemes described in Section 2.2 while keeping the security guarantees of these schemes intact (i.e., the security proofs of those schemes [3] remain valid).

Recall that in these two signature schemes, network coding works modulo a large prime p, of size at least 160 bits. That is, the original vectors $\bar v^{(1)}, \ldots, \bar v^{(m)}$ transmitted by the source are in $\mathbb{Z}_p^n$, the coefficients for the linear combinations are chosen at random from $\mathbb{Z}_p$, and the linear combinations are performed mod p. Here we suggest to keep these schemes unchanged except that the scalars chosen by each intermediate node for performing linear combinations of incoming vectors will be taken from the set $Q = \{0, \ldots, q-1\}$, for small prime q ($q \approx 256$) (we stress that in this case the linear combinations are still computed mod p).

Before we see the beneficial effect on performance that small coefficients have, we need to make sure that we have a good decoding probability with such coefficients even when computations are carried modulo a large prime p. Lemma 1 shows that this is the case if we work strictly over the integers, but what is the effect on the decoding probability when we carry linear combinations modulo p? The answer is that the statement of the lemma essentially holds in this case too provided that the value m (the number of vectors $\bar v^{(i)}$) and the maximal path in the network from source to target, that we denote by L, are both negligible relative to $2^k$ where k is the length of primes from which p is chosen at random (typically, $k \geq 160$). More formally:

⁵ If $w = \sum_{j=1}^{l} \alpha_j w^{(j)}$, then $\|w\|_\infty = \left\| \sum_{j=1}^{l} \alpha_j w^{(j)} \right\|_\infty \leq lq \max\{\|w^{(1)}\|_\infty, \ldots, \|w^{(l)}\|_\infty\}$.

Lemma 2 For any network, the decoding probability of the above scheme (where coefficients for the linear combinations are chosen at random from the set $Q = \{0, 1, \ldots, q\}$, and the linear combinations are performed modulo a random k-bit prime p) is, up to a negligible additive term $O(Lm \log q / 2^k)$, the same or better than the decoding probability of a standard random linear coding scheme over a field of size q on the same network.

Proof: We extend the proof of Lemma 1 to this setting (the only difference is that we now perform the linear operations modulo p). Let U be the matrix generated at a target and whose invertibility defines the successful reconstruction of information. Since we are now performing linear combinations modulo p, this matrix has entries in $\mathbb{Z}_p$. Let's consider a run that led to the matrix U, but this time we will perform the operations over the integers without the modular reduction. We denote by $U'$ the corresponding matrix in this modified run. Clearly, we have that $U = U' \bmod p$ (where the modular congruence is entry-wise). We then have that $\det(U) = 0 \bmod p$ if and only if $\det(U') = 0$, or $\det(U') \neq 0$ but p divides $\det(U')$. The case that $\det(U') = 0$ is the same as in Lemma 1. Thus, all we need to show is that the probability that $\det(U') \neq 0$ but p divides $\det(U')$ is negligible.

Since all computations leading to the integer matrix $U'$ are independent of p, and p is an independent random prime of length k, we can bound the probability that p divides $\det(U')$ as follows. Let's denote by d the bit-length of $\det(U')$.
The number of primes of length k dividing $\det(U')$ is at most $d/k$, and the total number of primes of length k is (up to constant factors) $2^k/k$. Thus the probability to choose p of length k that divides $\det(U')$ is bounded by $d/k$ divided by $2^k/k$, i.e., by $d/2^k$. It remains to show that d is negligible relative to $2^k$. For this we proceed to bound the value $d = |\det(U')|$. The matrix $U'$ is composed of the augmented part u of vectors $w = u|v$ received by the target. Recall from Section 3.1 that u coordinates traversing L hops will be integers $\le (mq)^L$. (In the actual running of the protocol, if the entries u grow above p these will be reduced mod p but here we are considering the entries of $U'$ where the modular operation is omitted.) Thus, $U'$ is an $m \times m$ matrix with each entry at most $(mq)^L$ and then $\det(U') \le m!(mq)^{Lm} \le (mq)^{m(L+1)}$, and we have $d = |\det(U')| \le m(L+1)(\log m + \log q)$ which is negligible relative to $2^k$ (for any practical parameters m, L we will have mL << ).

We proceed to examine how the use of small coefficients benefits the performance of the network coding signature schemes discussed in Section 2.2. In subsequent sections we use the small coefficient technique in essential ways to obtain new signature schemes.

Saving bandwidth. Recall that in the two schemes reviewed in Section 2.2 one prepends to each information vector a coding vector u composed of m coordinates each carrying a 160-bit number (here we use 160 instead of $|p|$ for clarity and concreteness). This is in strong contrast to the 8-bit per coordinate in the traditional (non-cryptographic) linear coding schemes. Using small coefficients as we propose alleviates the communication penalty of the cryptographic schemes. Savings are achieved for any size network, however, the savings are more noticeable in those networks where the typical distance from source to target is relatively small (say 20 nodes or less). For an example,
let's assume first a case where one adds 10 bits to the size of each u-coordinate for each node traversed (say, we use q = 253 and a node has an average of 4 incoming nodes) and the path from source to target has 20 nodes. After the first node is traversed the u coordinates are 10-bit long, after the second they are 20-bit long, etc. After 16 nodes, the coordinate is 160-bit long. Up to this point we have not applied any mod p to the computation of these u coordinates since they were smaller than p. Whenever these coordinates grow above 160 bits the mod p reduction keeps them up to 160 bits (they do not grow further). In total, for the first 16 hops we spent, on average, 80 bits per coordinate which is half the bandwidth consumed by the 160-bit coordinates in the basic schemes described in Section 2.2. The total number of bits saved is m. If each node added 16 bits (assuming a large in-degree per node) the savings would have been m. In general, if each node adds t bits to the coordinates and we have a path length of 160/t or more then the savings in bandwidth over the first 160/t hops is /t m. For shorter paths the savings in total number of bits is smaller but larger in proportion to the total bandwidth. For networks with small (say, 10-hop or less) source-target paths, as in some wireless network settings, the bandwidth benefits can be particularly significant. Note that the coordinates of the v vectors are not affected by the use of small coefficients, these start at $|p|$-bit each and remain of this size throughout the computation.

Saving computation. The savings in the size of the u coordinates described above immediately translate to computational savings in the homomorphic hashing based scheme of Section 2.2 as shorter u's imply shorter exponents in the verification equation (3). Similar savings apply to the BFKW verification formula (4) from Section 2.2. However, the most impressive computational savings due to the use of small coefficients are achieved in the Combine operation (i.e., signature generation at intermediate nodes) of the BFKW scheme.
This operation, of the form $\prod_{i=1}^{l} \sigma_i^{\alpha_i}$, is expensive since the exponents $\alpha_i$ are each of size 160. But when applying our small-coefficient strategy we have the $\alpha_i$'s of size 8-bit thus inducing a 20-fold (!) computational savings in the most critical operation of the scheme (see the following remark).

Remark 1 Note that signature verification can be done on an opportunistic basis (e.g., for a random subset of vectors) such that if a node fails to identify an invalid packet, other nodes in the vicinity will do so. In contrast, signature computation must be done by all nodes for each outgoing packet and hence it constitutes the computational bottleneck of homomorphic signatures.

4 An RSA-Based Network Coding Signature Scheme

In this section we present our RSA-based network coding signature which builds on the ability to perform random linear coding over the integers as described in Section 3.1. The scheme enjoys a proof of security in the random oracle model under the standard RSA assumption, and constitutes the first homomorphic signature scheme based on traditional cryptography (i.e., without relying on bilinear maps). The scheme performs best in networks where the distance from source to targets is not too large (say, up to 20 or 30 hops), where it offers significant performance benefits relative to the bilinear-based homomorphic signature schemes.

The basic idea of the scheme is simple, and similar to the BFKW scheme from Section 2.2. Specifically, the idea is to compose a multiplicatively homomorphic signature that works on fixed-length inputs with a multiplicative hash function applied to the vectors in the underlying linear space. The homomorphic hash is similar to the function H from Section 2.2 but rather than working modulo a prime one works modulo an RSA composite N (more precisely, this hash function uses
generators of the cyclic group $QR_N$ of quadratic residues modulo N). The homomorphic signature on fixed length messages is the plain RSA transformation $x^d \bmod N$. The result of this composition is shown in Eq. (5) below.

In order to use this function in the context of linear network coding, one needs that the linear space and linear operations applied to network packets correspond to arithmetic modulo $\phi(N)/4$. This is so since for preserving the homomorphic properties, the linear operations translate into operations in the exponent of the generators $g_i$ whose order is $\phi(N)/4$. This, however, presents a difficulty: intermediate nodes in the network that need to compute these linear operations do not know $\phi(N)$ since revealing this value allows one to factor N. To overcome this problem we will perform linear network coding over the integers (without ever reducing these values modulo $\phi(N)/4$) as described in Section 3.1.

Following the description in Section 3.1, we are going to represent the information (or file) held by the source S as a sequence of vectors $v^{(1)}, \ldots, v^{(m)}$, where each $v^{(i)} \in \mathbb{Z}^n$ for some value n. Note that once the size of the file F to be transmitted and the number m of vectors is set by the application, the total length of the information in each of the vectors $v^{(i)}$ is determined (we denote this length by $|v|$). Then the value n can be chosen to be any number between 1 and $|v|$. The freedom in choosing n is important since, as we will see later, there is a performance tradeoff related to n: smaller n's save communication while larger n's save computation. As in regular network coding, before sending the $v^{(i)}$ vectors to the network, the source pre-pends to them unit vectors $\bar{u}^{(i)}$ thus producing $w^{(1)}, \ldots, w^{(m)} \in \mathbb{Z}^{m+n}$. The rest is carried out as in Section 3.1; namely, intermediate nodes will perform the random linear combinations of incoming packets over the integers with coefficients chosen from the set $Q = \{0, \ldots, q-1\}$ for a small prime q (say, q 256). From Lemma 1 we know that this strategy leads to good decoding probabilities.
We now describe our basic RSA-based homomorphic signature scheme and then proceed to show how to use it in the network coding setting.

4.1 Basic Homomorphic RSA-Based Signature

We start by defining an RSA-based homomorphic signature that acts on vectors of integers of dimension n; we denote this Basic scheme by Bsg.

RSA Group: $\mathbb{Z}_N^*$ where N is the product of two primes. We require that $QR_N$, the subgroup of quadratic residues, be cyclic and that random elements in $QR_N$ be generators of the group with high probability. One way to ensure these properties is to choose the factors of N as safe primes.

Public key: $(N, e, g_1, \ldots, g_n)$ where N is an RSA composite as above, e a public exponent, and $g_1, \ldots, g_n$ are random generators of $QR_N$.

Private signing key: d, such that $ed = 1 \bmod \phi(N)$.

Signature: Let $v = (v_1, \ldots, v_n) \in \mathbb{Z}^n$, we define

$$\mathrm{Bsg}(v) = \left(\prod_{i=1}^{n} g_i^{v_i}\right)^d \bmod N \qquad (5)$$

It is easy to see that this signature is homomorphic: for any $v, v' \in \mathbb{Z}^n$ and $\alpha, \beta \in \mathbb{Z}$, $\mathrm{Bsg}(\alpha v + \beta v') = (\mathrm{Bsg}(v))^{\alpha} \cdot (\mathrm{Bsg}(v'))^{\beta}$.

4.2 The Network Coding Signature Nsg

Here we describe how the above signature Bsg is used as a network coding signature that we denote by Nsg (N for "Network coding").

Bounding coordinates. The Nsg scheme below will have a parameter L such that packets that traverse more than L nodes may be rejected; thus, L will serve as an upper bound on the distance from source to targets (more generally, L can be chosen such that the network coding scheme has good decoding probability when restricted to nodes at distance L from the source). Given L we define a bound $B = (mq)^L$, which represents the largest possible coordinate in any vector u transmitted in the network (as discussed in Section 3.1, this is the maximal value a u coordinate can assume after traversing L or less nodes from the source). We use M to denote an upper bound on each of the coordinates of the initial vectors $v^{(1)}, \ldots, v^{(m)}$ transmitted by the source (namely, we assume that for $i = 1, \ldots, m$, $v^{(i)} \in \{0, \ldots, M\}^n$). Then, the maximal coordinate in a valid vector v transmitted in the network is BM, which we denote by $B'$.

The Nsg Scheme.

Parameters: m, n, M, and B (as defined above) and $B' = BM$.

Public key: The source (sender) S in the network coding setting has a public key of the form $(N, e, g_1, \ldots, g_n)$ as defined for Bsg; the exponent e is chosen as specified below and the private key d is set accordingly. In addition, the scheme uses a public (deterministic) hash function H that maps arbitrary strings into the set $QR_N$.

Public exponent e: The public RSA exponent e is chosen as a prime larger than $mB'$. To optimize performance e can be chosen such that its binary representation contains very few 1's (e.g., $2^{\log mB'} + a$ for small integer a); this also allows for a short representation of e.

Private signing key: d, such that $ed = 1 \bmod \phi(N)$ (d φ(N) as in regular RSA).

Signing data by the source. On input a file represented by m vectors $v^{(1)}, \ldots, v^{(m)} \in \mathbb{Z}^n$ the source S generates the augmented vectors $w^{(i)} = \bar{u}^{(i)}|v^{(i)}$ in $\mathbb{Z}^{m+n}$ (where $\bar{u}^{(i)}$ is the i-th unit vector).
S chooses a random identifier for the file, which we denote by fd, and uses the hash function H to define m values in $QR_N$, $h_i = H(i, \mathrm{fd})$, $i = 1, \ldots, m$. We extend the definition of the basic signature Bsg above to vectors in $\mathbb{Z}^{m+n}$ of the form $w = (u_1, \ldots, u_m, v_1, \ldots, v_n)$ and define:

$$\mathrm{Nsg}(w) = \left(\prod_{i=1}^{m} h_i^{u_i} \prod_{j=1}^{n} g_j^{v_j}\right)^d \bmod N \qquad (6)$$

where the $g_j$'s are part of the public key and the $h_i$'s are defined above as a function of the file identifier fd (namely, the $h_i$ values are file-specific). The source S computes for each vector $w^{(i)}$ its corresponding signature $\mathrm{Nsg}(w^{(i)})$, and transmits $w^{(i)}$ and its signature along with the file identifier fd.

Verification Vrfy(w, σ, S, fd). A node receiving a vector $w = u|v = (u_1, \ldots, u_m, v_1, \ldots, v_n)$ in $\mathbb{Z}^{m+n}$, a file identifier fd and a signature value σ proceeds as follows. If any of the u-coordinates is negative or larger than B, or any of the v-coordinates is negative or larger than $B'$, reject w as invalid (i.e., set Vrfy(w, σ, S, fd) = 0). Else retrieve the public key $(N, e, g_1, \ldots, g_n)$ of S, compute
$h_i = H(i, \mathrm{fd})$ for $i = 1, \ldots, m$, and accept w as valid (i.e., set Vrfy(w, σ, S, fd) = 1) if and only if

$$\sigma^e \stackrel{?}{=} \prod_{i=1}^{m} h_i^{u_i} \prod_{j=1}^{n} g_j^{v_j} \bmod N. \qquad (7)$$

Signature combination by an intermediate node I. Upon receiving l vectors $w^{(1)}, \ldots, w^{(l)}$, corresponding to file fd, and their corresponding signatures $\sigma_1, \ldots, \sigma_l$, check that $\mathrm{Vrfy}(w^{(i)}, \sigma_i, S, \mathrm{fd}) = 1$, $i = 1, \ldots, l$. Discard those $w^{(i)}$ that do not pass verification and also any $w^{(i)} = u^{(i)}|v^{(i)}$ for which any of the u coordinates is larger than $B/mq$ or any of the v coordinates is larger than $B'/mq$ (footnote 6). For the non-discarded vectors (for simplicity we denote them by $w^{(1)}, \ldots, w^{(l)}$), I applies the $\mathrm{Combine}(w^{(1)}, \ldots, w^{(l)}, \sigma_1, \ldots, \sigma_l)$ operation defined as: choose random coefficients $\alpha_1, \ldots, \alpha_l \in Q = \{0, \ldots, q-1\}$, set $w = \sum_{i=1}^{l} \alpha_i w^{(i)}$, and compute the signature on w as:

$$\sigma = \prod_{i=1}^{l} \sigma_i^{\alpha_i} \bmod N \qquad (8)$$

It is easy to see that the signatures generated by the source on the original vectors $w^{(1)}, \ldots, w^{(m)}$ pass verification, and so do the signatures generated by honest intermediate nodes. We prove security of this scheme in the following subsection.

Performance. The Nsg scheme provides better computational performance than the alternative bilinear-based homomorphic signature schemes thanks to its avoidance of pairing computations and the use of small coefficients. This is particularly the case for the schemes that existed before our paper, such as BFKW [3], though the computational gap is reduced when using our own version of BFKW as described in Section 3.2. Even in this case, the cost of pairing computations (and the cost of hashing into the bilinear groups) make Nsg more efficient. Nsg (with small n) is also more efficient regarding the public key size. Regarding bandwidth, Nsg has some bandwidth advantages relative to the original BFKW, at least for moderate-size networks, say 20 to 30 hops, but our own version of BFKW using small coefficients has less communication overhead at least for distances above 15 from the source. We provide a somewhat more detailed analysis next.
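The signing, Vrfy and Combine steps of Eqs. (6)-(8), as an added example that is not code from the paper. The toy safe primes 1019 and 1187, q = 3, the SHA-256-then-square instantiation of H, and the names `Nsg`, `next_prime` and `demo` are assumptions made for illustration; the last case in `demo` shows the coordinate bounds in Vrfy rejecting the out-of-range vector described in the Remark at the end of Section 4.3.

```python
import hashlib
import random


def next_prime(x):
    """Smallest prime strictly greater than x (trial division, toy sizes only)."""
    c = x + 1
    while any(c % f == 0 for f in range(2, int(c ** 0.5) + 1)):
        c += 1
    return c


class Nsg:
    """Toy Nsg instance; parameter names follow the text (m, n, M, L, q, B, B')."""

    def __init__(self, p, p2, m, n, M, L, q=3, seed=1):
        self.N, phi = p * p2, (p - 1) * (p2 - 1)
        self.m, self.n, self.q = m, n, q
        self.B = (m * q) ** L             # bound on u-coordinates
        self.Bp = self.B * M              # B' = BM, bound on v-coordinates
        self.e = next_prime(m * self.Bp)  # public exponent: prime larger than mB'
        self._d = pow(self.e, -1, phi)    # private key, held by the source only
        rng = random.Random(seed)
        self.g = [pow(rng.randrange(2, self.N), 2, self.N) for _ in range(n)]

    def H(self, i, fd):
        """Hash (i, fd) into QR_N by squaring a SHA-256 value (assumed instantiation)."""
        digest = hashlib.sha256(f"{i}|{fd}".encode()).digest()
        return pow(int.from_bytes(digest, "big") % self.N, 2, self.N)

    def rhs(self, w, fd):
        """prod_i h_i^{u_i} * prod_j g_j^{v_j} mod N, the right-hand side of Eq. (7)."""
        acc = 1
        for i, u in enumerate(w[:self.m], start=1):
            acc = acc * pow(self.H(i, fd), u, self.N) % self.N
        for g, v in zip(self.g, w[self.m:]):
            acc = acc * pow(g, v, self.N) % self.N
        return acc

    def sign(self, w, fd):                    # Eq. (6), source only
        return pow(self.rhs(w, fd), self._d, self.N)

    def equation_holds(self, w, sigma, fd):   # Eq. (7) without the bound checks
        return pow(sigma, self.e, self.N) == self.rhs(w, fd)

    def vrfy(self, w, sigma, fd):
        u, v = w[:self.m], w[self.m:]
        in_range = all(0 <= x <= self.B for x in u) and all(0 <= x <= self.Bp for x in v)
        return in_range and self.equation_holds(w, sigma, fd)

    def combine(self, packets, fd, rng):
        """Intermediate node: verify, drop oversized inputs, mix over the integers, Eq. (8)."""
        lim_u, lim_v = self.B // (self.m * self.q), self.Bp // (self.m * self.q)
        kept = [(w, s) for w, s in packets if self.vrfy(w, s, fd)
                and max(w[:self.m]) <= lim_u and max(w[self.m:]) <= lim_v]
        alphas = [rng.randrange(self.q) for _ in kept]
        w_out = [sum(a * w[k] for a, (w, _) in zip(alphas, kept))
                 for k in range(self.m + self.n)]
        sigma = 1
        for a, (_, s) in zip(alphas, kept):
            sigma = sigma * pow(s, a, self.N) % self.N
        return w_out, sigma


def demo():
    scheme = Nsg(p=1019, p2=1187, m=2, n=3, M=10, L=2)   # constructed toy primes
    fd = "file-0001"                                      # constructed identifier
    blocks = [[3, 1, 4], [1, 5, 9]]                       # v^(1), v^(2) in {0..M}^n
    src = []
    for i, v in enumerate(blocks):
        w = [int(k == i) for k in range(scheme.m)] + v    # prepend the unit vector
        src.append((w, scheme.sign(w, fd)))
    rng = random.Random(7)
    hop1 = scheme.combine(src, fd, rng)
    hop2 = scheme.combine([hop1, scheme.combine(src, fd, rng)], fd, rng)
    # Polluted packet: one data coordinate changed, signature left as it was.
    polluted = (hop1[0][:-1] + [hop1[0][-1] + 1], hop1[1])
    # Out-of-range vector from the Remark in Section 4.3: v_1 + e with sigma * g_1.
    w, s = src[0]
    shifted = (w[:2] + [w[2] + scheme.e] + w[3:], s * scheme.g[0] % scheme.N)
    return {
        "source_ok": all(scheme.vrfy(w, s, fd) for w, s in src),
        "hop2_ok": scheme.vrfy(*hop2, fd),
        "combine_matches_sign": hop2[1] == scheme.sign(hop2[0], fd),
        "polluted_ok": scheme.vrfy(*polluted, fd),
        "shifted_equation": scheme.equation_holds(*shifted, fd),
        "shifted_vrfy": scheme.vrfy(*shifted, fd),
    }
```

Only `sign` touches the private exponent; `vrfy` and `combine` use public values, which is what lets intermediate nodes re-sign mixed packets without the source's key.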
Footnote 6: These bounds are slightly more restrictive than those required in the verification procedure Vrfy and are intended to ensure that the vector w generated in this step satisfies the coordinate bounds required by Vrfy.

Bandwidth: The coordinates of the vectors w transmitted in the network increase by a number of bits equal to $s = \log(mq)$ for each traversed hop. Thus, after t hops each u coordinate will be of size at most ts (remember that the u vectors start as unit vectors, i.e., with 0/1 coordinates). Thus, if we take for example s = 10 then it will take 32 hops before the total overhead of the u coordinates exceeds that of the original BFKW scheme from Section 2.2 (where u coordinates are always of size 160 bits). Thus, with such s and for networks with total length $L \le 32$, Nsg performs better in the total overhead due to the u vectors. For s = 16, which is probably more than needed for practical networks, Nsg will be better up to L = 20. In general for moderate size networks Nsg is likely to incur less overhead in the u coordinates. If we compare Nsg to our own improved variant of the BFKW scheme of Section 3.2, using small coefficients, then the two schemes have the same overhead up to the point that the increasing coordinates reach 160 bits; after that the advantage is on the modified BFKW side (since in Nsg coordinates keep growing while in BFKW they do not). The above, however, does not take into account the fact that in Nsg also the v coordinates
increase while in BFKW they do not. Here, every hop adds s bits to each of the n coordinates in the v vectors, for a total of ns bits per hop. Fortunately, we can choose n to be as small as 1, thus essentially making this overhead insignificant (see more below on the choice of n).

Computation: The most critical operation from a performance point of view is signature generation at intermediate nodes (see Remark 1 in Section 3.2); this operation is very efficient in Nsg since the exponents $\alpha_i$ in Eq. (8) are small (8 bits each). This is 20 times faster than the corresponding operation in the original BFKW scheme and similar to the cost of this operation in our improved version of BFKW. The more expensive operation is verification at intermediate nodes given by Eq. (7). Its right hand side has an exponentiation with exponent of size at most $|v| + mb + nb$ (where $b = \log B$ is the maximal number of bits by which coordinates increase during the protocol and $|v|$ denotes the total bit-size of each of the vectors $v^{(i)}$). The left side has exponent of size $|e| = |mBM| = \log m + b + |v|/n$. To minimize the total size of exponents one computes the minimum with respect to n of $|v|/n + bn$ which is attained at $n = \sqrt{|v|/b}$. However, since the value of n is more significant in the way it impacts bandwidth than computation then in most cases it makes sense to choose n = 1 (this induces an increase in the size of n by at most $|v|$ bits; however, since the right hand side of Eq. (7) is already larger than $|v|$ then the additional overhead is relatively small especially considering that due to its sparsity a longer e only incurs additional squarings). The resultant cost of verification is still better than BFKW's due to the additional costs of BFKW: the pairing operation and the cost of hashing into the bilinear groups (which has the cost of an additional exponentiation per hash operation and is required for computing the values $H(\mathrm{fd}, i)$ in BFKW). Moreover, if one is to decrease the public key size in BFKW using the hash function H to generate the generators $g_1, \ldots, g_n$ then one has to perform n additional expensive hashing operations.
If nodes can cache these generators then the hashing expense is reduced. In the case of Nsg the computational cost of the hashing operations is negligible. Moreover, if one uses n = 1 in Nsg the resultant public key has a single generator while in BFKW one needs $|v|/160$ of them (e.g., for a 4 Kbyte v, BFKW requires 200 generators).

4.3 Proof of Security of the Nsg Scheme

We prove that the Nsg scheme is secure according to the security definition [3] presented in Appendix A; informally, the essence of the model is represented by the following game. The attacker F (for forger) is provided with a public key for the Nsg scheme chosen by the signer running the key setup algorithm. F chooses files for signing (possibly adaptively), each of which is represented as a set of vectors $v^{(1)}, \ldots, v^{(m)}$. For each such file, the signer returns a random file identifier fd (such that for any two different files the corresponding identifiers are different) and the Nsg signatures on the corresponding augmented vectors $w^{(1)}, \ldots, w^{(m)}$. Eventually, F outputs a forgery, namely, a file id fd, a vector w, and a signature s. F wins if fd is one of the identifiers chosen by the signer, s is a valid Nsg signature on w under file id fd, and w is not in the linear span of the vectors $w^{(1)}, \ldots, w^{(m)}$ corresponding to file fd.

Our analysis models the hash function H as a random oracle and is based on the RSA assumption: Given a composite N (product of safe primes), an exponent e as defined for Nsg and $C \in_R \mathbb{Z}_N^*$, it is hard to find $C^d \bmod N$. We note that in the proof we use the equivalent formulation of the assumption in which C is chosen at random from $QR_N$ rather than from $\mathbb{Z}_N^*$.

Theorem 3 Under the RSA Assumption and in the random oracle model, the scheme Nsg is a secure (homomorphic) network coding signature.

Proof: Given a forger F that breaks, with non-negligible probability, the signature scheme Nsg (with parameters as described above), we build an algorithm S that inverts RSA on $\mathbb{Z}_N^*$. Here S stands for Simulator and also for Source since S will be simulating the actions of the source whose signature F is attacking. Algorithm S receives input N, e, C where N, e are distributed as in a Nsg signature and $C \in_R QR_N$. Its goal is to output $C^d \bmod N$ with non-negligible probability.

S calls F on an instance of the Nsg scheme where the N, e values are those that S received as input and the generators $g_1, \ldots, g_n$ are chosen by S as follows. S chooses $i_0 \in_R \{1, \ldots, n\}$ and sets $g_{i_0} = C$ (where C is the challenge input to S). For $i \ne i_0$, S chooses $r_i \in_R QR_N$, and sets $g_i = r_i^e$.

For each file, or set $v^{(1)}, \ldots, v^{(m)}$, chosen by F, S (now acting as the data source) chooses a random file identifier fd and sets (using the programmability of the random oracle H) the values $h_i = H(i, \mathrm{fd})$, $i = 1, \ldots, m$, as follows

$$h_i = H(i, \mathrm{fd}) \stackrel{\mathrm{def}}{=} \frac{s_i^e}{\prod_{j=1}^{n} g_j^{v_j^{(i)}}} \quad \text{where } s_i \in_R QR_N \qquad (9)$$

It is easy to verify, by the above choice of $h_1, \ldots, h_m$, that the signature on the vector $w^{(i)} = \bar{u}^{(i)}|v^{(i)}$ equals $s_i$ (as chosen by S in Eq. (9)). S returns to F the file identifier fd and the signatures $s_1, \ldots, s_m$ corresponding to vectors $w^{(1)}, \ldots, w^{(m)}$, respectively. We also specify that if in the above procedure S chooses fd for which one of the pairs $(i, \mathrm{fd})$, $i = 1, \ldots, m$, was previously queried from the function H, then S aborts.

By assumption, with non-negligible probability, F outputs a forgery, i.e., a file id fd, a vector $w \notin \mathrm{Span}(w^{(1)}, \ldots, w^{(m)})$ (where the $w^{(i)}$ are the vectors corresponding to fd) and a valid signature $s = \mathrm{Nsg}(w)$ on w (i.e., a valid Nsg signature under the public key values set by S). Denote $w = u|v = (u_1, \ldots, u_m, v_1, \ldots, v_n)$, and define the vector

$$z = w - \sum_{i=1}^{m} u_i w^{(i)} \qquad (10)$$

It is easy to see that z has the form $(0, \ldots, 0, z_1, \ldots, z_n)$, namely, all its first m coordinates are zero (remember that the $\bar{u}^{(i)}$ part in the vectors $w^{(i)}$ are unit vectors and hence $\sum_{i=1}^{m} u_i \bar{u}^{(i)} = (u_1, \ldots, u_m)$).
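Moreover, since $w \notin \mathrm{Span}(w^{(1)}, \ldots, w^{(m)})$ then it must be that at least one of the values $z_i$ is non-zero (otherwise we would have z = 0 and then $w = \sum_{i=1}^{m} u_i w^{(i)}$). Thus, with probability at least 1/n, $z_{i_0} \ne 0$ (remember that S chose $i_0$ at random in $\{1, \ldots, n\}$).

We now show how S can find $C^d \bmod N$ given the above information. Note by the definition of z and the homomorphic property of Nsg we have

$$\mathrm{Nsg}(z) = \mathrm{Nsg}\Big(w - \sum_{i=1}^{m} u_i w^{(i)}\Big) = \frac{\mathrm{Nsg}(w)}{\prod_{i=1}^{m} \mathrm{Nsg}(w^{(i)})^{u_i}} = \frac{s}{\prod_{i=1}^{m} s_i^{u_i}} \qquad (11)$$

On the other hand, we can also represent $\mathrm{Nsg}(z)$ as

$$\mathrm{Nsg}(z) = \mathrm{Nsg}(0, \ldots, 0, z_1, \ldots, z_n) = \Big(\prod_{i=1}^{m} h_i^{0} \prod_{i=1}^{n} g_i^{z_i}\Big)^d = (C^{z_{i_0}})^d \prod_{i \ne i_0} (g_i^{z_i})^d = (C^{z_{i_0}})^d \prod_{i \ne i_0} r_i^{z_i} \qquad (12)$$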

Combining (11) and (12) we get that

$$(C^{z_{i_0}})^d = \frac{s}{\prod_{i=1}^{m} s_i^{u_i} \prod_{i \ne i_0} r_i^{z_i}} \qquad (13)$$

Since S knows all the values on the right-hand side of (13) it can compute $(C^{z_{i_0}})^d \bmod N$. Now, using the well-known Shamir's trick, we can derive the value $C^d \bmod N$ from it provided that $\gcd(z_{i_0}, e) = 1$. Indeed, choosing a, b such that $ae + bz_{i_0} = 1$, it can be verified that $C^d \bmod N = C^a \cdot ((C^{z_{i_0}})^d)^b$, which S can compute.

Thus, S inverts C provided that $z_{i_0}$ is coprime to e. But this is the case since e is prime and $-e < z_{i_0} < e$. Indeed, since w passes verification then it must be that $0 \le u_i \le B$, $0 \le v_j \le MB$. From Eq. (10) it follows, for $j = 1, \ldots, n$, that $z_j = v_j - \sum_{i=1}^{m} u_i w_j^{(i)} \ge -\sum_{i=1}^{m} BM = -mBM > -e$ where the last inequality follows the definition of e. The case $z_j < e$ is similar.

Remark. Note that the above proof uses the fact that we choose the exponent e larger than any coordinate. Interestingly, this is not just an artifact of the proof but essential for security. If coordinates are allowed to grow above e then an attacker can generate a signature for a non-valid vector as follows. Given a valid vector $w = u|v$ with valid signature σ, the attacker can generate a valid signature $\sigma'$ for $w' = u|v'$ where $v' = v + (e, 0, \ldots, 0)$ by setting $\sigma' = \sigma \cdot g_1$. This will generate a valid signature even though $w' \notin \mathrm{Span}(w^{(1)}, \ldots, w^{(m)})$.

5 Homomorphic Hashing Modulo a Composite

As shown in Section 2.2, a homomorphic collision-resistant hash function that acts on a linear space can be used to build a network coding signature. The idea is that a node that holds the authenticated hash values corresponding to the original information vectors $v^{(1)}, \ldots, v^{(m)}$ can validate any incoming (augmented) vector by comparing the hash of this vector with the corresponding (homomorphic) combination of the original hash values as described in Eq. (3). Network coding signatures based on homomorphic hashing, where nodes do not generate signatures on outgoing vectors, offer significant computational advantages over fully homomorphic signature schemes.
In particular, a node that chooses not to verify an incoming vector (see Remark 1) does not need to take any cryptographic action. In addition, schemes based solely on homomorphic hashing are often more efficient for signature verification (for example, avoiding a costly pairing computation or a long RSA exponentiation). On the other hand, these schemes require that verifying nodes obtain, for each file, the authenticated hash values of the original vectors $v^{(1)}, \ldots, v^{(m)}$ (i.e., m hash values plus the source's signature on them). In settings where delivering these authenticated values to nodes, possibly in some off-line way (footnote 7), is practical, homomorphic hash schemes provide for attractive alternatives to network coding signatures based on homomorphic signatures.

Footnote 7: Assuming that the m hash values are much shorter than the m vectors to be transmitted, their delivery can be done by alternative means such as point-to-point or broadcast mechanisms, or at the time when nodes register to receive some content (such as in the case of peer-to-peer networks).

In this section we study a homomorphic hashing scheme, denoted $H_N$, that is similar to the EHH scheme in Section 2.2 but works in a network coding framework similar to the RSA case. That is, the hash function is computed modulo a composite N and the packet vectors (and their linear combinations) are defined over the integers. The resultant scheme is significantly more efficient than the RSA scheme of Section 4 and also computationally more efficient than the EHH scheme
(over prime order groups) from Section 2.2. And, while it produces larger hash values, it requires a minimal public key (just an RSA modulus) without the overhead of the many generators of EHH.

We use the linear network coding setting of Section 3.1 (also used in Section 4), namely, working over the integers and with random linear coefficients taken from a set $Q = \{0, \ldots, q-1\}$ for small prime q. In particular, the file to be transmitted is represented by m n-dimensional integer vectors $v^{(1)}, \ldots, v^{(m)} \in \mathbb{Z}^n$. For concreteness, the reader can think of n = 1 and each vector $v^{(i)}$ being a large integer (indeed, this will be the most efficient instantiation of our scheme).

Let's consider the following simple adaptation to the composite case of the EHH scheme from Section 2.2. Let N be the product of two safe primes so that the group $QR_N$ of quadratic residues modulo N is cyclic, and let $g_1, \ldots, g_n$ be generators of $QR_N$. For $v = (v_1, \ldots, v_n) \in \mathbb{Z}^n$ we define (analogously to Eq. (2))

$$H_N(v) = \prod_{j=1}^{n} g_j^{v_j} \bmod N. \qquad (14)$$

For $v \in \mathbb{Z}^n$ this is a homomorphic hash function that is collision resistant if factoring N is hard. Thus, $H_N$ can serve as a basis for a network coding signature scheme as discussed in Section 2.2. In particular, a node receiving a vector $w = (u_1, \ldots, u_m, v_1, \ldots, v_n)$ can verify it as

$$\prod_{i=1}^{m} h_i^{u_i} \stackrel{?}{=} H_N(v) = \prod_{j=1}^{n} g_j^{v_j} \bmod N \qquad (15)$$

where $h_1, \ldots, h_m$ are the hash values of the information vectors $v^{(1)}, \ldots, v^{(m)}$.

Bandwidth considerations for this scheme, which uses integer coefficients that grow over time, are similar to those of the RSA-based scheme from Section 4; one additional benefit of $H_N$ is that there is no need to determine an a-priori bound on these coefficients. As in the case of the RSA scheme from Section 4, one way to limit the effect of coordinate growth in total communication is by setting n = 1. As we see below, not only does this reduce bandwidth overhead but it also improves computational performance significantly.
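The check in Eq. (15) run over several hops of integer mixing, as an added example that is not code from the paper. The toy modulus, the generators, the block sizes and the helper names (`hash_vec`, `verify`, `mix`, `simulate`) are constructed assumptions, and the hash values $h_1, \ldots, h_m$ are assumed to reach every node already authenticated.

```python
import random

N = 1019 * 1187   # constructed toy modulus, product of two safe primes


def hash_vec(gens, v):
    """H_N(v) = prod_j g_j^{v_j} mod N, Eq. (14); v holds non-negative integers."""
    acc = 1
    for g, x in zip(gens, v):
        acc = acc * pow(g, x, N) % N
    return acc


def verify(gens, hashes, w):
    """Eq. (15): accept w = (u | v) iff prod_i h_i^{u_i} == H_N(v) mod N."""
    m = len(hashes)
    lhs = 1
    for h, u in zip(hashes, w[:m]):
        lhs = lhs * pow(h, u, N) % N
    return lhs == hash_vec(gens, w[m:])


def mix(vectors, q, rng):
    """Random linear combination over the integers, coefficients from {0..q-1}."""
    alphas = [rng.randrange(q) for _ in vectors]
    return [sum(a * w[k] for a, w in zip(alphas, vectors))
            for k in range(len(vectors[0]))]


def simulate(hops=5, m=3, n=4, q=5, seed=11):
    rng = random.Random(seed)
    gens = [pow(rng.randrange(2, N), 2, N) for _ in range(n)]   # squares lie in QR_N
    blocks = [[rng.randrange(256) for _ in range(n)] for _ in range(m)]
    hashes = [hash_vec(gens, v) for v in blocks]   # assumed delivered authenticated
    layer = [[int(k == i) for k in range(m)] + v for i, v in enumerate(blocks)]
    trace = []
    for hop in range(1, hops + 1):
        # Each hop: verify what arrived, then emit m fresh integer combinations.
        accepted = [w for w in layer if verify(gens, hashes, w)]
        layer = [mix(accepted, q, rng) for _ in range(m)]
        bits = max(x.bit_length() for w in layer for x in w)
        trace.append((hop, len(accepted), bits))
    # A polluted packet: one data coordinate changed after the last hop.
    bad = layer[0][:-1] + [layer[0][-1] + 1]
    return {
        "trace": trace,                      # (hop, packets accepted, max bits)
        "final_ok": all(verify(gens, hashes, w) for w in layer),
        "polluted_ok": verify(gens, hashes, bad),
        "max_coord": max(x for w in layer for x in w),
        "bound": (m * (q - 1)) ** hops * 255,
    }
```

The `trace` entries show the coordinate size growing with each hop while verification keeps succeeding, which is the bandwidth cost the paragraph above attributes to working over the integers.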
Indeed, we are going to represent each block of information $v^{(i)}$ (and subsequent vectors v transmitted in the network) as a single (long) integer so that n = 1. This is possible since the function $g^v \bmod N$ is collision resistant even for very large integers and for a single generator g (security follows from the hardness of factorization since if values v and $v'$ collide then $v - v'$ is a multiple of $\phi(N)/4$ which suffices to factor N). Moreover, by choosing N appropriately (footnote 8), we can fix the single generator of $QR_N$ to the value 2, thus obtaining:

$$H_N(v) = 2^v \bmod N, \quad v \in \mathbb{Z} \qquad (16)$$

Not only does this reduce communication overhead but it provides the most salient advantage of the $H_N$ scheme, namely, fast exponentiation. Compare this to the prime order group scheme of Eq. (2) which uses n random generators as the bases (and due to n being typically large one cannot use multi-base optimizations). This implies a significant speedup of the hash verification at intermediate nodes when using the $H_N$ scheme in the context of network coding.

Footnote 8: Choose $N = pq$ where $p = 2p' + 1$, $q = 2q' + 1$ with $p, q, p', q'$ all primes, and $p', q'$ are congruent to 3 mod 8 and $p, q$ are congruent to 7 mod 8. This ensures that 2 is a quadratic residue modulo p and, since $QR_p$ is of prime order, 2 is also a generator of $QR_p$. The same holds for $QR_q$, and therefore 2 is a generator of $QR_N$.

Yet another advantage of this homomorphic hash is that it improves considerably the size of public parameters relative to the prime order group implementation from Section 2.2. To see this,
let's first note that in the prime order case of Eq. (2), the total length of the set of generators $g_1, \ldots, g_n$ is $n|p|$ which is as large as each information vector $v^{(i)}$. Indeed, each individual $g_i$ can only hash values smaller than p and it must be chosen at random to ensure that finding collisions is as hard as computing discrete logarithms. Also, the number of generators is usually very large, e.g., for vectors $v^{(i)}$ of size 4KB and p of 160 bits one needs 200 random generators. In the case of $H_N$ the generator is fixed (to 2) so it does not require extra public parameters except for N.

We note that in the prime order case, one can avoid including explicitly the values $g_1, \ldots, g_n$ in the description of the public parameters if these generators are derived using a fixed hash function. This, however, loses one of the security advantages of the homomorphic hash scheme described in Section 2.2, namely, the fact that security could be proven without relying on the random oracle model. Also, note that in implementations that use elliptic curves a hash operation may cost as much as a full exponentiation. Working modulo N dispenses with these extra complexities.

In all we have that the homomorphic hashing scheme from Eq. (16) leads to a computationally efficient and secure network coding signature scheme whose security can be proven solely based on the factoring assumption in the standard model.

Acknowledgments

The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the U.S. Government, the UK Ministry of Defense, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

References

[1] S. Agrawal and D. Boneh. Homomorphic MACs: MAC-based integrity for network coding. In Applied Cryptography and Network Security (ACNS).
[2] R. Ahlswede, N. Cai, S. Li, and R. Yeung. Network information flow.
IEEE Transactions on Information Theory, 46(4).
[3] D. Boneh, D. Freeman, J. Katz, and B. Waters. Signing a linear subspace: Signature schemes for network coding. In Public Key Cryptography (PKC).
[4] D. Charles, K. Jain, and K. Lauter. Signatures for network coding. In 40th Annual Conference on Information Sciences and Systems (CISS 06). To appear in International Journal of Information and Coding Theory.
[5] P. A. Chou, Y. Wu, and K. Jain. Practical network coding. In 41st Allerton Conference on Communication, Control, and Computing.
[6] C. Gkantsidis and P. Rodriguez. Cooperative security for network coding file distribution. In Proc. of IEEE INFOCOM 2006, pages 1–13.
[7] T. Ho, R. Koetter, M. Médard, D. Karger, and M. Effros. The benefits of coding over routing in a randomized setting. In Proc. of International Symposium on Information Theory (ISIT).

[8] T. Ho, B. Leong, R. Koetter, M. Médard, M. Effros, and D. Karger. Byzantine modification detection in multicast networks using randomized network coding. In Proc. of International Symposium on Information Theory (ISIT).
[9] T. Ho and D. Lun. Network Coding: An Introduction. Cambridge University Press.
[10] Tracey Ho, Muriel Médard, Ralf Koetter, David R. Karger, Michelle Effros, Jun Shi, and Ben Leong. A random linear network coding approach to multicast. IEEE Trans. Inform. Theory, 52(10).
[11] S. Jaggi. Design and Analysis of Network Codes. PhD thesis, California Institute of Technology.
[12] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Médard, and M. Effros. Resilient network coding in the presence of Byzantine adversaries. IEEE Trans. on Information Theory, 54(6).
[13] Robert Johnson, David Molnar, Dawn Song, and David Wagner. Homomorphic signature schemes. In Proc. of CT-RSA 2002, volume 2271 of Springer LNCS.
[14] M. Krohn, M. Freedman, and D. Mazieres. On-the-fly verification of rateless erasure codes for efficient content distribution. In Proc. of IEEE Symposium on Security and Privacy.
[15] Shuo-Yen Robert Li, Raymond W. Yeung, and Ning Cai. Linear network coding. IEEE Trans. Inform. Theory, 49(2).
[16] Z. Yu, Y. Wei, B. Ramkumar, and Y. Guan. An efficient signature-based scheme for securing network coding against pollution attacks. In INFOCOM.
[17] Fang Zhao, Ton Kalker, Muriel Médard, and Keesook Han. Signatures for content distribution with network coding. In Proc. of International Symposium on Information Theory (ISIT).

A Formal Definitions

For convenience, we repeat the definitions from [3]. We first define the general notion of a network coding signature scheme.

Definition 4 A network coding signature scheme is a triple of probabilistic, polynomial-time algorithms (Setup, Sign, Vrfy) with the following functionality:

Setup($1^k$, N). Given a security parameter $1^k$ and an integer N (denoting the length of vectors to be signed (footnote 9)), this algorithm outputs a public key PK and a secret key SK.
We assume P K and SK contan N, and mplctly defne a feld F. Sgn(SK, fd, V ). Gven a secret key SK, a fle dentfer fd {0, 1}, and an m-dmensonal subspace V F N, wth 0 < m N, descrbed as a set of bass vectors v 1,..., v m, ths algorthm outputs a sgnature σ. 9 In our treatment N corresponds to m + n. 19


APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT Toshhko Oda (1), Kochro Iwaoka (2) (1), (2) Infrastructure Systems Busness Unt, Panasonc System Networks Co., Ltd. Saedo-cho

More information

Fully Homomorphic Encryption Scheme with Symmetric Keys

Fully Homomorphic Encryption Scheme with Symmetric Keys Fully Homomorphc Encrypton Scheme wth Symmetrc Keys A Dssertaton submtted n partal fulfllment for the award of the Degree of Master of Technology n Department of Computer Scence & Engneerng (wth specalzaton

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

Availability-Based Path Selection and Network Vulnerability Assessment

Availability-Based Path Selection and Network Vulnerability Assessment Avalablty-Based Path Selecton and Network Vulnerablty Assessment Song Yang, Stojan Trajanovsk and Fernando A. Kupers Delft Unversty of Technology, The Netherlands {S.Yang, S.Trajanovsk, F.A.Kupers}@tudelft.nl

More information

Distributed Multi-Target Tracking In A Self-Configuring Camera Network

Distributed Multi-Target Tracking In A Self-Configuring Camera Network Dstrbuted Mult-Target Trackng In A Self-Confgurng Camera Network Crstan Soto, B Song, Amt K. Roy-Chowdhury Department of Electrcal Engneerng Unversty of Calforna, Rversde {cwlder,bsong,amtrc}@ee.ucr.edu

More information

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded

More information

A role based access in a hierarchical sensor network architecture to provide multilevel security

A role based access in a hierarchical sensor network architecture to provide multilevel security 1 A role based access n a herarchcal sensor network archtecture to provde multlevel securty Bswajt Panja a Sanjay Kumar Madra b and Bharat Bhargava c a Department of Computer Scenc Morehead State Unversty

More information

Optimal Distributed Password Verification

Optimal Distributed Password Verification Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch jca@zurch.bm.com Anja Lehmann IBM Research Zurch anj@zurch.bm.com Gregory Neven IBM Research Zurch nev@zurch.bm.com ABSTRACT We present

More information

L10: Linear discriminants analysis

L10: Linear discriminants analysis L0: Lnear dscrmnants analyss Lnear dscrmnant analyss, two classes Lnear dscrmnant analyss, C classes LDA vs. PCA Lmtatons of LDA Varants of LDA Other dmensonalty reducton methods CSCE 666 Pattern Analyss

More information