CoP: An Ultra-Lightweight Secure Network Coding Scheme via Last Forwarder's Proof
A and B does not improve the opportunity to compute $f(A')$ and $f(B')$.
Therefore, the computation of $f(A')$ and $f(B')$ relies only on a random guess, which succeeds with probability $1/2^{|f(\cdot)|}$. It is the same as the situation of one-wayness, as desired.
Wei Ren et al.: CoP: An Ultra-Lightweight Secure Network Coding Scheme 603
Proposition 4 If $f(\cdot)$ is not collision resistant, the protocol is still secure.
Proof $f(\cdot)$ is not collision resistant. That is, it is computationally feasible to find $x, x' \in X$, $x \neq x'$, such that $f(x') = f(x)$.
Suppose F manipulates $A \oplus B$ to $(A \oplus B)'$ and sends it to N1 and N2 before the checking stage; thus N1 holds incorrect $B'$ and N2 holds incorrect $A'$. $A'$ equals a certain bit flipping of $A$; $B'$ equals a certain bit flipping of $B$. The flipping locations in $A'$ and $B'$ are exactly the same. F can fool RN1 or RN2 only if it can generate correct $f(A')$ and $f(B')$. It is computationally infeasible for F to compute $A$ and $B$ from $f(A)$ and $f(B)$, and hence $A'$ and $B'$. Thus it is computationally infeasible to compute $f(A')$ and $f(B')$.
Next, we prove that the ability to find collisions cannot improve the chance to compute $f(A')$ and $f(B')$.
Even though F can choose two values $x$ and $x'$ such that $f(x') = f(x)$ before the checking stage, it cannot manipulate $A \oplus B$ to $(A \oplus B)'$ such that $A', B' \in x, x'$. Thus F does not improve the possibility to compute $f(A')$ and $f(B')$.
Therefore, the computation of $f(A')$ and $f(B')$ relies only on a random guess, which succeeds with probability $1/2^{|f(\cdot)|}$. It is the same as the situation of one-wayness, as desired.
From the above observations we can draw the conclusion that one-wayness of $f(\cdot)$ is a sufficient condition for the protocol's security. Next, we will explore whether it is a necessary condition, in other words, whether the requirement of one-wayness of $f(\cdot)$ can be further loosened.
2.3 Partial One-way-based checking Protocol: pOwP
We observe that the one-wayness of $f(\cdot)$ can be further loosened to a partial one-way function, but the security then becomes probabilistic. We first define a $t$-bit one-way function as follows:
Definition 3 $t$-bit ($1 \le t \le |X|$) one-way function
A $t$-bit one-way function is a function $f: X \to Y$ that has the following properties:
(1) Given $\forall x \in X$, it is computationally feasible to compute $f(x)$.
(2) Given $\forall y \in Y$, it is computationally infeasible to find $t$ bits of $x \in X$, such that $f(x) = y$.
The extreme cases of the $t$-bit one-way function are the 1-bit one-way function and the $|X|$-bit one-way function.
Proposition 5 If $f(\cdot)$ is $t$-bit one-way, the OwP protocol can find data forgery with probability $1 - 1/2^t$.
Proof If $f(\cdot)$ is $t$-bit one-way, F cannot find the full $A$ and $B$ from $f(A)$ and $f(B)$ (because $t$ bits cannot be conjectured). F has to randomly guess $t$ bits to obtain $A$ and $B$ from $f(A)$ and $f(B)$. The probability of a successful guess is $1/2^t$. If the guess is right, F flips the corresponding bits to compute $A'$ and $B'$ according to its knowledge of the former manipulation $(A \oplus B)'$. Finally, it computes $f(A')$ and $f(B')$ to fool N1 and N2 successfully. Therefore, the probability of a successful forgery avoiding detection is $1/2^t$. In other words, the probability that the checking protocol finds the data forgery is $1 - 1/2^t$.
Corollary 1 1-bit one-wayness of $f(\cdot)$ is a necessary condition for the OwP protocol's security.
Proof The security of OwP can be defined as follows.
Given $f(A)$, the attacker wants to compute $f(A')$, where $A'$ is a certain bit flipping of $A$ and the flipping locations are known by the attacker before $f(A)$ is given. If the probability of success is negligible, the protocol OwP is secure. That is,
$$\mathrm{Adv}^{\mathrm{Forge}}_{A} = \Pr\{\mathrm{Succ}_{f(A')} \mid f(A),\ \{A', A\} \in \{0, 1\}^n,\ |A| = |A'| = n,\ A' = \mathrm{BitFlip}(A, i_1, i_2, \ldots, i_n),\ 1 \le i_1, i_2, \ldots, i_n \le n\} < (|f(\cdot)|),$$
where $(\cdot)$ is a negligible function with a security parameter $|f(\cdot)|$, and $\mathrm{Adv}^{\mathrm{Forge}}_{A}$ is the advantage of an attacker in fooling receiving nodes (for example, N1) into regarding forged data (for example, A) as authenticated data. It relies on the possibility of the event of computing the correct $f(A')$ successfully, namely $\Pr\{\mathrm{Succ}_{f(A')}\}$. $\mathrm{BitFlip}(A, i_1, i_2, \ldots, i_n)$ is a function that flips $A$ at the bit locations $i_1, \ldots, i_n$.
$$\mathrm{Adv}^{\mathrm{Forge}}_{A} = \Pr\{\mathrm{Succ}_{f(A')} \mid A \leftarrow f(A),\ A' \leftarrow \mathrm{BitFlip}(A, i_1, i_2, \ldots, i_n)\} + \Pr\{\mathrm{Succ}_{f(A')} \mid \mathrm{Guess}\},$$
where Guess is the event of randomly guessing the correct value $f(A')$.
We have
$$\Pr\{\mathrm{Succ}_{f(A')} \mid A \leftarrow f(A),\ A' \leftarrow \mathrm{BitFlip}(A, i_1, i_2, \ldots, i_n)\} < (|f(\cdot)|),$$
$$\Pr\{\mathrm{Succ}_{f(A')} \mid \mathrm{Guess}\} \le 1/2^{|f(\cdot)|}.$$
Thus,
$$\mathrm{Adv}^{\mathrm{Forge}}_{A} < (|f(\cdot)|),$$
since both $(|f(\cdot)|)$ and $1/2^{|f(\cdot)|}$ are negligible functions in $|f(\cdot)|$. It completes the proof.
604 Tsinghua Science and Technology, October 2012, 17(5): 599-605
Next, we further consider whether we can shorten the length of the communication messages in the protocol. In other words, we explore whether it is possible to transmit only partial information of $f(A)$ and $f(B)$ in the protocol without sacrificing security. We propose a revised protocol with short message length in the next section.
2.4 Coding-based checking Protocol: CoP
To further reduce the communication overhead due to large message length, we propose an XOR-based coding scheme to shorten the message length as follows:
(1) N1 sends $A_m = \bigoplus_{i=0}^{(n-m)/m} \mathrm{Trunc}(f(A), 1 + i \cdot m, m)$ to F, where $\mathrm{Trunc}(P, Q, R)$ is a truncate function for cutting bit string $P$ from starting point $Q$ ($1 \le Q \le |P|$) with length $R$ ($1 \le R \le |P| - Q$).
(2) N2 sends $B_m = \bigoplus_{i=0}^{(n-m)/m} \mathrm{Trunc}(f(B), 1 + i \cdot m, m)$ to F;
(3) F sends $A_m \oplus B_m$ to N1 and N2.
We assume $m$ is a system parameter and $m \mid L$ ($L = |f(A)| = |f(B)|$), so that N1 and N2 can send messages of the same length. N1 obtains $A_m \oplus B_m$ and computes $A_m$ by itself so as to obtain $B_m$. N1 uses the computed $B_m$ to check whether the $B$ it holds is correct. Similarly, N2 can obtain $A_m$ so as to check whether the $A$ it possesses is correct.
If $m = n$, CoP is the same as OwP. If $m = 1$, the message has only one bit.
Proposition 6 CoP can find the data forgery with probability $1 - 1/2^m$.
Proof As $f(\cdot)$ is one-way, $\bigoplus_{i=0}^{(n-m)/m} \mathrm{Trunc}(f(\cdot), 1 + i \cdot m, m)$ is also one-way. Thus the security of CoP is guaranteed. As F can manipulate $A'$ or $B'$ and randomly guess $A_m$ or $B_m$, the probability of a successful guess is $1/2^m$. Thus CoP can find the data forgery with probability $1 - 1/2^m$, as desired.
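The three CoP messages and the receivers' check, as an added example in Python that is not the authors' code. Assumptions: SHA-256 stands in for the one-way function $f(\cdot)$ (so $L = 256$), the data blocks are constructed samples, and `fold`, `cop_check` and `undetected_at_n1` are hypothetical names. F is modelled as tampering with the coded packet and then relaying the proof unchanged, so a forgery slips past N1 only when the folded $m$-bit values collide, which is the $1/2^m$ term of Proposition 6.

```python
import hashlib

L_BITS = 256  # L = |f(A)| = |f(B)|; SHA-256 is an assumed stand-in for f(.)
SAMPLE_A = b"constructed block A."   # constructed sample data, equal lengths
SAMPLE_B = b"constructed block B!"

def f(data: bytes) -> int:
    """Stand-in one-way function, returned as an L-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def fold(digest: int, m: int) -> int:
    """XOR of the L/m consecutive m-bit chunks of digest (A_m or B_m)."""
    if m < 1 or L_BITS % m:
        raise ValueError("m must divide L")
    out = 0
    for i in range(L_BITS // m):
        out ^= (digest >> (L_BITS - (i + 1) * m)) & ((1 << m) - 1)
    return out

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cop_check(A: bytes, B: bytes, coded: bytes, m: int):
    """Run the three CoP messages; return (N1 accepts, N2 accepts)."""
    a_m = fold(f(A), m)                    # (1) N1 -> F
    b_m = fold(f(B), m)                    # (2) N2 -> F
    proof = a_m ^ b_m                      # (3) F -> N1 and N2
    b_seen = xor_bytes(coded, A)           # N1 decodes its copy of B
    a_seen = xor_bytes(coded, B)           # N2 decodes its copy of A
    n1_ok = fold(f(b_seen), m) == proof ^ a_m
    n2_ok = fold(f(a_seen), m) == proof ^ b_m
    return n1_ok, n2_ok

def undetected_at_n1(m: int, trials: int) -> int:
    """Count tampered coded packets that N1 still accepts."""
    good = xor_bytes(SAMPLE_A, SAMPLE_B)
    missed = 0
    for t in range(1, trials + 1):
        delta = t.to_bytes(len(good), "big")   # non-zero bit-flip pattern
        if cop_check(SAMPLE_A, SAMPLE_B, xor_bytes(good, delta), m)[0]:
            missed += 1
    return missed

if __name__ == "__main__":
    for m in (1, 4, 8, 256):
        print(m, undetected_at_n1(m, 4096))
```

With 4096 tampered packets the miss count at N1 should sit near 4096 / 2^m, which makes the cost of choosing a small $m$ visible.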
Regarding performance, the communication overhead is 3 messages of length $m$. The induced cost is low. More specifically, the induced computation overhead is only $i = (n - m)/m$ exclusive-or operations and $\mathrm{Trunc}(\cdot)$ computations on strings of length $m$ bits at N1 and N2; the former computation is a one-time exclusive or on a string of length $L$ at N1 and N2. The computation overhead of exclusive or at F also decreases from length $L$ to length $m$.
If N1 and N2 are assumed to send the first or last $m$-bit chunk of $f(A)$ or $f(B)$, the exclusive-or operation can be omitted. The probability of finding data forgery by CoP is $1 - 1/2^m$.
Corollary 2 If only one bit of $f(A)$ is sent, for example, the first bit or last bit of $f(A)$, the probability of finding data forgery of CoP is $1/2$.
Proof Straightforward.
Finally, we prove that the number of message rounds in the proposed protocols (HaP, OwP, and CoP) is minimal.
Proposition 7 The CoP protocol has the least rounds in terms of message exchanges.
Proof N1 (or N2) needs the other's credential of $B$ (or $A$) to verify the $B$ (or $A$) derived from the received $A \oplus B$. Thus N2 (or N1) needs to send the credential of $B$ (or $A$). It costs at least two messages. To forward these two messages to N1 and N2 via F, it will cost at least two messages without network coding. Using network coding, it costs at least one message. Therefore, the minimal number of messages for the secure protocol is 3.
2.5 Extended applicability
In the previous section, we discussed the typical network coding scenario: the butterfly network. Next, we explore the applicability of our proposed protocol in extended scenarios with more than one last-hop forwarding node, depicted in Fig. 2.
Fig. 2 Extended scenario with more than one last-hop forwarding nodes.
Our protocol can be easily extended to the above scenario by having the last-hop nodes forward $f(A)$ and $f(B)$ until they reach the last common forwarding node, namely FN. The FN will send $f(A) \oplus f(B)$, which is forwarded through the different last-hop nodes until it reaches RN1 and RN2.
Proposition 8 The proposed protocols are secure in the extended scenarios where there exist multiple last-hop forwarding nodes.
Proof In the extended scenario, there are more nodes in the different forwarding paths to RN1 and RN2. The proposed protocols are secure even though FN is untrustworthy, and the additional nodes have the same information as FN. Thus even if they are untrustworthy, the protocol still remains secure.
Next, we explore the applicability of our proposed protocol in the extended scenario where the network coding function is an operation other than exclusive or.
Proposition 9 The proposed protocols are secure in extended scenarios where the network coding function is not exclusive or but another operation.
Proof The network coding function only affects the performance before the checking stage. The checking protocol verifies the network coding result, so it is not concerned with the underlying concrete network coding function. The proposed protocols are thus secure in extended scenarios where the network coding function is not exclusive or. That is, the network coding function could be any function, linear or not.
3 Conclusions
In this paper, we propose several ultra-lightweight security protocols in the network coding context, to check the correctness of received data while maintaining the confidentiality of the coded original data as well. HaP is a hash function based checking protocol for illustrating the motivation. OwP is a one-way function based checking protocol that loosens the requirement from a cryptographically secure hash function to a one-way function. We prove that one-wayness is the sufficient condition, and 1-bit one-wayness is the necessary condition for the checking protocol. The $t$-bit one-way function based OwP protocol can find data forgery with probability $1 - 1/2^t$. It thus loosens the requirement from a one-way function to a partial (or $t$-bit) one-way function. To further shorten the message length, we finally propose a one-way function and coding scheme, CoP, which uses a simple exclusive-or operation to code the one-way function's result. The security of CoP relies on the length of the coding result (i.e., $1 - 1/2^m$, where $m$ is the length). The CoP protocol has the least rounds in terms of message exchanges. The proposed protocols are secure in the extended scenarios where there exist multiple last-hop forwarding nodes, and where the network coding function in applications is not exclusive or but another operation.