INTRODUCTION
Network coding has been proven to maximize network throughput (Ahlswede
et al., 2000) by mixing the received information before forwarding
them to the next nodes, however, network coding is vulnerable to pollution attacks
by malicious nodes in the network. Once a packet is corrupted, a single error
further will cause pollution of downstream nodes like the plague spread on the
network. Thus, even a faulty transmission on a single edge will eventually cause
almost all messages being forwarded in the network to be incorrect and will
thus prevent reconstruction of even a portion of the messages.
The algorithms of detecting misbehaved wireless nodes have been described by
Raja et al. (2008) and Jun
and Wei-Hua (2010). Some network error correcting algorithms (Cai
and Yeung, 2002; Zhang, 2008; Wei
et al., 2011) based on different techniques have been proposed. Zhou
et al. (2010) have designed a network coded non-orthogonal Interleave-division
Multiple-access (IDMA) cooperation system. The design of secure network coding
is mainly against two types of pollution attacks, including wiretapping attacks
(passive attacks) (Meng, 2011) and Byzantine attacks
(active attacks) (Lamport et al., 1982; Wang
et al., 2003; Yan and Wang, 2004; Meng,
2011). A Byzantine attacker is a malicious adversary hidden in a network,
capable of intercepting, tampering or inserting packets in the original information
flow. We have surveyed some techniques for combating data pollution when network
coding is used. The literatures (Silva and Kschischang,
2008; Chanl and Grant, 2008; Zhou
et al., 2009) studied different encoding methods for preventing eavesdropping
attackers. Ho et al. (2004) have proposed a Byzantine
attack detection model that based on the attacker did not know the random coding
coefficients. The first efficient scheme to design and implement error-correction
against Byzantine adversaries has been used in the distributed network coding
setting (Jaggi et al., 2008). It should be noted
that in these papers, the adversary model is based on the threshold number of
communication links that could be controlled by the adversary. Yu
et al. (2008) have designed a RSA homomorphic signature scheme for
network coding against pollution attacks but it is pointed out in a recent paper
(Gennaro et al., 2010), that this protocol is
incorrect indeed. Agrawal and Boneh (2009) have proposed
a homomorphic MAC mechanism but only at the receiving node could detect malicious
packets; intermediate nodes could not detect them. RIPPLE mechanism (Li
et al., 2010) has been designed to prevent pollution attacks. Recently,
Wang (2010) shows that there are serious flaws in these
schemes (Jaggi et al., 2008; Yu
et al., 2008; Agrawal and Boneh, 2009; Gennaro
et al., 2010; Li et al., 2010).
Our previous study (Feng et al., 2011) have
presented a security random network coding model against Byzantine attack based
on CBC (Hayat et al., 2004; Zaidan
et al., 2010). In the model, the source adopts CBC packet encryption,
intermediate nodes use ElGamal signature scheme. However, the security of the
scheme is also dependent on limiting the numbers of eavesdropping links and
this signature technology can not be combined at downstream nodes. To solve
the problems, this study proposes a UC secure network coding model in view of
the single-source multi-sinks directed acyclic network. We adopt AONT encryption
instead of previous CBC encryption, no matter how many channels are wiretapped;
the attacker can not get any meaningful information of the source messages.
In order to ensure the participation of legitimate nodes, the source and intermediate
nodes sign encoded message based on homomorphic signature scheme NCS1 by
Boneh et al. (2009), intermediate nodes and sinks
can verify the integrity and legitimacy of the received information. NCS1
signature scheme has the advantage that signatures can be associated with individual
vectors rather than an entire subspace. Both the public key and per-vector signatures
in this scheme have constant size, making the scheme ideally suited for network
coding. This scheme also supports the transmission of streaming data, in the
sense that the sender need not be aware of the entire file before computing
the signature first packet. The novel approach to solve the problem of concurrent
network coding against pollution attack within the framework of Universally
Composable (UC) security is described by Meng (2011).
The most outstanding nature of UC framework is its modular design concept: may
alone design a protocol, so long as the protocol satisfies the UC security,
it can be guaranteed secure while running concurrently with other protocols.
By the security proof and comprehensive analysis, it is showed that the proposed
scheme has greatly improved security and efficiency compared to the previous
schemes.
PRELIMINARIES
Encoding kernel: The pair G = (VG, EG) is called a single-source acyclic network, where VG and EG are the node set and the edge set. The node SεVG called the source node, T = {t1, t2, …tm} called the sink set. For every node v, let In(v) denote the set of incoming channels to v and Out(v) the set of outgoing channels from v. Meanwhile, let S’ denote an imaginary source at the upstream of S.
Local description of a linear network code on an acyclic network: Let F be a finite field and ω a positive integer. An ω-dimensional F-valued linear network code on an acyclic communication network consists of a scalar kd,e, called the local encoding kernel, for every adjacent pair (d, e). Meanwhile, the local encoding kernel at the node v means: the |In(v)|x|Out(v)| matrix Kv = [kd,e]dε In(v),eε Out(v).
Global description of a linear network code on an acyclic network: Let F be a finite field and ω a positive integer. An ω-dimensional F-valued linear network code on an acyclic communication network consists of a scalar kd,e for every adjacent pair (d, e) in the network as well as an ω-dimensional column vector fe for every channel e such that:
| • |
 ,
where, eε Out(v) |
| • |
The vector fe for the ω imaginary channels
eε In(S) form the natural basis of the vector space Fω.
The vector fe is called the global encoding kernel for the channel
e |
Let the source generate a message x in the form of an ω-dimensional row vector. A node v receives the symbols x.fd, dεIn(v), from which it calculates the symbol x.fe for sending onto each channel eεOut(v) via the linear Eq. 1:
UC framework: Universally composable security (UC security) is a kind
of computational complexity model which was proposed by Canetti
(2001) to represent and analyze cryptographic protocols under concurrent
circumstances. The framework provides a rigorous method for defining the security
of cryptographic tasks. A protocol is represented as a system of probabilistic
Interactive Turing Machines (ITMs), where each ITM represents the program to
be run within a different party. Adversarial entities are also modeled as ITMs.
An additional adversarial entity called the environment Z is introduced. This
environment generates the inputs to all parties, reads all outputs and in addition
interacts with the adversary in an arbitrary way throughout the computation.
The real-life model: A probabilistic polynomial-time adversary. A participates
in a run of the interactive protocol π with a set of parties P1,
…, Pl. All parties are connected through point-to-point communication
channels. The channels are public; the adversary can read all data transmitted
between parties. The adversary is also responsible for delivery of messages.
Each party is initially honest and follows the predetermined program of π.
The adversary may corrupt parties, either at the outset only (non-adaptive or
static adversaries) or at any point during the execution (adaptive adversaries).
Once a party is corrupted by A, the party hands over all internal data including
its input, previous incoming and outgoing communication and the content of the
random tape to the adversary. If a party becomes corrupted by the adversary,
the party follows the adversary’s instructions from then on. Let REALπ,A,Z
denote the output of environment Z when interacting with adversary A and parties
running protocol π.
The ideal process: A probabilistic polynomial-time adversary S (also
called simulator) participates in an execution of (dummy) parties P1’,…,Pl’
with some ideal and trustworthy functionality F. All parties are only connected
to the functionality by secure channels and the simulator can not read the content
of transmissions. Once an honest dummy party receives some input, it immediately
forwards this input to the functionality, at some point which may reply with
output for some parties (including the simulator S). Corruptions are dealt with
as in the real-life setting. Let IDEALF,S,Z denote the output of
environment Z after interacting in the ideal process with adversary S and ideal
functionality F.
In both settings an interactive distinguisher, the probabilistic polynomial-time environment Z, is present. This environment can interact with honest parties by determining the inputs and reading the output of these parties. Additionally, Z can communicate with the adversary A or S, respectively.
We say that a protocol π UC realizes an ideal functionality F if for any real-life adversary A there exists an ideal-process adversary S such that no environment Z, on any input, can tell with non-negligible probability whether it is interacting with A and parties running π in the real-life process or with S and F in the ideal process. We have the following:
Definition 1: Let lεL. Let F be an ideal functionality and let π be an l-party protocol. We say that π securely realizes F if for any adversary A there exists an ideal-process adversary S such that for any environment Z, we define Eq. 2 as follows:
The hybrid model. In order to state the composition theorem and in particular in order to formalize the notion of a real-life protocol with access to an ideal functionality, the hybrid model of computation with access to an ideal functionality F is formulated. The parties of this model may send messages to and receive messages from an unbounded number of copies of F. Each copy of F is identified via a unique session identifier (sid); all messages addressed to this copy and all message sent by this copy carry the corresponding sid. (The sids are chosen by the protocol run by the parties).
SECURE NETWORK CODING SCHEME
In this study, we present a UC secure network coding scheme in view of single-source
multi-sinks directed acyclic network. The source messages are divided into m+1
packets, every packet has the same message length. Assume that the network maximum
transmission rate is m+1 and each link throughput is 1. We obtain new m+1 packets
by AONT encryption. Furthermore, the source node transforms 
into m augmented vectors x1, x2…, xm.
Finally, the source makes initial sub-signatures for x1, x2…,
xm based on the signature mechanism NCS1 and sends them
to participate in encoding at the downstream nodes. The (m+1)th packet 
is sent directly to the sinks by a shared secret channel between the source
and every sink rather than participate in encoding. The intermediate nodes combine
and encode the received information and sign the encoded message based on signature
mechanism NCS1, after that, the intermediate nodes and sinks can
verify the receiving information, thereby effectively prevent pollution caused
by the attacker and ultimately the sinks can decode and decrypt correctly.
The all-or-nothing transform: Rivest (1997)
presented a model of encryption for block ciphers which is called All-Or-Nothing
Transform (AONT). AONT is defined for information-theoretic security (Stinson,
2001).
Definition 2: Let Fq be a finite field and Fnq be an n-dimensional space over Fq. Suppose that Φ:Fnq→Fnq, Φ is named as an (n, q)-AONT if Φ satisfies the following properties:
| • |
If any m of the m+1 output values 
is fixed, then the value of any input value wi (1≤I≤ m+1)
is completely undetermined |
NCS1 signature scheme: The signature scheme operates over a bilinear group tuple ξ = (G1, G2, GT, q, e, Φ) with the following properties:
| • |
G1, G2 and GT are cyclic
multiplicative groups of the same prime order q. The discrete logarithm
problem is assumed to be computationally infeasible in these groups |
| • |
e: G1xG2→GT is an efficiently
computable map satisfying the following: |
| |
• |
Bilinearity: for any gεG1, hεG2
and a, bεZ, e(ga,hb) = e(g,h)ab |
| |
• |
Non-degeneracy: if g generates G1 and h generates
G2, then e(g,h) generates GT |
| • |
φ: G2→G1 is an efficiently computable
isomorphism |
Given a security parameter 1k and a positive integer N, N-m = n, do:
| • |
Generate a bilinear group tuple ξ = (G1, G2,
GT, q, e,φ), such that q>2k, where k is the security
parameter of the system. Generate N-m random numbers g1,…,gnεG1\{1},
Choose a generator  |
| • |
Choose 
and set u=hα, hence  |
| • |
Let H:{0,1}*x{0,1}*→G1
be a hash function |
| • |
Output q, the public key PK:= (ξ,H,h,u) and the
private key SK:=α |
In the following section, We will discuss in detail how NCS1 signature is applied to the network coding.
NETWORK CODING SCHEME
Source node: In the finite field Fq, we construct a linear
ANOT according to the literature (Rivest, 1997), such
that Φ(w) = wM-1 ,where M is an invertible (m+1)-by-(m+1) matrix,
function Φ is a linear ANOT. As in definition 2, a file to be transmitted
is viewed as an ordered sequence of (m+1)-dimensional vectors w1,w2…,wm,wm+1εFnq.
In another word, individual vectors refer to as packets, each wi
consists of n elements from Fq. If the source messages have not enough
length, the source node pads the messages with corresponding 0 elements. Through
the AONT encryption, we get the new ciphertext as 
.The
transformation is defined by Eq. 3:
Let q = pk, where p is prime and k is a positive integer. Let λεFq be such that λ∉{m mod p, m-1 mod p}(this can be done since q>2). We can define γ = (m-λ)-1, define M to be the following symmetric matrix by Eq. 4:
It is straightforward to verify that M is invertible; indeed, M-1 is indicated by Eq. 5:
Next, we start to encode the first packets 
FnqxFmq→Fqn+m
to the input information 1εFnq and some
randomly chosen rεFmq. According to the AONT properties,
the attacker is unable to get any meaningful information about source even if
eavesdropping all of the m coding channel. The source node pads the messages
with the mxm identity matrix I by Eq. 6:
where, N = n+m and the m augmented vectors x1, x2,…, xm are given by Eq. 7:
that is, each original vector 
is appended with the vector of length m containing a single ‘1’ in
the ith position. The source makes initial sub-signature σi
for xi (1≤i≤m), respectively based on the signature mechanism
NCS1 as follows.
Source sub-signatures (SK, id, v) the source selects randomly a private key SK:= αεFq, given an identifier idε{0,1}k, the source computes signature σi on vector xi = (xi,1,…, xi, N)εFNq by Eq. 8:
Intermediate nodes: First verify the signatures on the received signed packets, then produce linear combinations of the verified packets and compute a signature for the encoded packet using the received signatures without the need to access the private keys.
At this point, the combining process has to check if all input packets that
contain a signature for an xi contain the same value of σi.
If not, the combining process fails and an adversary is recognized. Setting
y is the encoded payload and y is defined by Eq. 9:
βi = (βi,1,…, βi,m) is the corresponding randomly chosen global encoding kernel. All intermediate nodes in the network to sign and verify received packets as follows:
| • |
Combine(PK, id,  :
Given a public key PK, an identifier id and {(βi, σi)}Ii
= I with βiεFq, this algorithm outputs: |
| • |
Verify (PK,id,y,σ): Given a public key PK:= (ξ,
H, h, u), an identifier id, a signature σ and a vector y = (y1,y2,…,yN)εF,
we describe Eq. 11 and 12, respectively: |
If Υ1 (PK, σ) = Υ2 (PK, id, y), this algorithm outputs 1; otherwise it outputs 0.
Sink node: The sinks receive the former level transmitted message and verify the signature as the above method. The verified message can be ultimately decoded and decrypted. If tiεT, the sink ti final received message is message Y that has a valid signature. Let Am be system transfer matrix of input vector X and the output vector Y, where Y=Am. X given by Eq. 13:
If the sink ti receives correct information from at least m incoming
channels and global encoding kernel of the m incoming channels are linearly
independent, only in this way can ti recovery source information.
Koetter R (Koetter and Medard, 2003) has proved a coding
scheme to be secure, as long as the system transfer matrix Am=A(I-F)-1BT
is full rank, the destination can decode correctly and output X = Am-1.Y.
The vector X is column vector and we write XT to denote the corresponding
row vector, that is XT = (x1,..,xm),obviously
we can obtain 
,
then we have 
where,
has been transmitted through a secret channel. Finally, we will obtain source
original information by AONT inverse transformation matrix M. The process can
be described by Eq. 14:
PROOF SECURITY OF CODING SCHEME
Our protocols are based on the following cryptographic assumptions. Adversaries can adaptively corrupt as many parties as they wish. The protocol is secure against adaptive adversaries in the so-called non-erasing model, where the parties are not allowed to erase any information. Our protocols need UC security even in non-erasing model.
Construction of UC secure network coding protocol: In this section,
we formulate a universally composable network coding scheme πcoding
in (FCPKE, Fsig )-hybrid model. Here, FCPKE is
the encryption ideal functionality and Fsig is the signature ideal
functionality. In the following graphs, the definition of function Φ, matrix
M, M-1, y and Y as above. We start by presenting FCPKE and
Fsig. Next we present the real protocol πcoding.
According to the UC secure framework (Canetti, 2004),
we modify the definition of FCPKE (Canetti and
Herzog, 2006), as indicated in Fig. 1.
|
| Fig. 1: |
The certified public-key encryption functionality |
|
| Fig. 2: |
The functionality of network coding signature |
According to the UC secure framework, we modify the definition of Fsig
(Canetti, 2001) as indicated in Fig.
2. In Fig. 2, ZS denotes sub-signature function
and C combination function.
Note that all our functionalities receive initially a session id sid=(P, sid’) where P is the set of players who participate in realizing the functionality and sid’ is a number identifying this particular instance of the functionality. Next we present the real protocol πcoding in Fig. 3.
Construction of network coding against pollution attacks ideal functionality Fcoding: In this section, we present our formulation of an ideal functionality for network coding against pollution attacks in the UC framework. An exact definition of the ideal functionality, denoted Fcoding, appears in Fig. 4.
SECURITY PROOF OF πCODING
Theorem 1: Protocol πcoding securely realizes Fcoding in the (FCPKE, Fsig )-hybrid model.
Proof: Let A be an adaptive adversary that interacts with the parties
running πcoding in the (FCPKE, Fsig )-hybrid
model.
|
| Fig. 3: |
The protocol πcoding |
We construct an ideal adversary S such that any environment Z can not distinguish
with a non-negligible probability whether it is interacting with A and πcoding
in the (FCPKE, Fsig )-hybrid model (denoted REALUC-coding,A,Z)
or it is interacting with S and Fcoding in the ideal world (denoted
IDEALFcoding,S,Z).
Construction of the adversary S: The adversary S shown below runs a simulated copy of the adversary A, thus S is often called a simulator. Any input from Z is forwarded to A and any output of A is copied to the output of S.
Simulating the sender: When an uncorrupted party P is activated with input (Encrypt,sid,wi), S obtains this value from Fcoding and simulates for A the protocol πcoding.
Whenever, S obtains (Encrypt,sid,wi) from FCPKE, S sends the message (Encrypt,sid,wi) to A with sid = (P, sid’), then forwards the response xi (1≤i≤m+1)from A to Fsig.
Whenever, S receives a message (KenGen,sid) from Fsig, S sends to A the message (KenGen,sid) with sid = (P, sid’), then forwards the response (Verification key, sid, ZS, C, V) from A to Fsig.
Whenever, S receives a message (Sign, sid, xi) from Fsig, S sends (Sign,sid,xi) to A, then forwards the response (signature, sid, xi, σi) from A to Fsig.
|
| Fig. 4: |
Secure network coding ideal functionality |
Simulating the intermediate nodes: Whenever S receives a message (Encoding,Combine,x1,σ1,...,xm,σm) from Fsig, S sends (Encoding,Combine,x1,σ1,...,xm,σm) to A, then forwards the response(y,σ,C) from A to Fsig.
Simulating the recipients: When A delivers a message (y,σ,C) to an uncorrupted party t, S simulates for A the protocol πcoding.
Whenever, S receives a message (Verify,sid,y’,σ,V) from Fsig, S sends (Verify,sid,y’,σ,V) to A, where a sink receives a encoded message y’ at a previous level, then forwards the response (Verified,sid, y’, f) from A to Fsig.
If FCPKE receives (Verify,sid, y’,σ,V,f=1) from Fsig, then records (x,V) and sends (y,σ,C) to t. Otherwise, do nothing.
If t receives (Decrypt, sid, 
i)
from FCPKE, if there is a recorded pair (wi, i)
then hands wi to t. Otherwise, computes wi = D(i)
and hands wi (1≤i≤m+1) to t.
Simulating party corruption: Whenever, a corrupts a party, S
corrupts the same party and provides A with the internal state of the corrupted
party. Whenever a corrupted party P receives (Encrypt, sid, wi),
S obtains xi from Fcoding and simulates for A only the
interaction with Fsig and FCPKE. Whenever S obtains (Encrypt,sid,wi)
from FCPKE, S sends the message (Encrypt, sid, wi) to
A with sid = (P, sid’), then forwards the response xi (1≤i≤m+1)from
A to Fsig. Whenever, S receives a message (KenGen,sid) from Fsig,
S sends to A the message (KenGen,sid) with sid = (P,sid’), then forwards
the response (Verificationkey, sid, ZS, C, V’) from A to Fsig.
(V’ may be different from V). Whenever, S receives a message (Sign, sid,
xi) from Fsig, S sends (Sign, sid, xi) to A,
then forwards the response (signature, sid, xi, σi)
from A to Fsig. Assume that πcoding can not securely
realize Fcoding, then existing Z can distinguish with a non-negligible
probability whether it is interacting with A and πcoding or
it is interacting with S and Fcoding. Assume that we can construct
an adversary B who can forge signature. B can activate environment Z, when C
is activated with input (Encoding,Combine,x1,σ1,...,xm,σm)
by Z and B computes the signature of xi by sub-signatures combination
algorithm and submits it to Z. When P is activated with input (Verify,sid,y,σ,V)
by Z, B first checks whether (y,σ,C) is a forged signature or not. If it
is a forged signature, then B outputs (y,σ,C) and stops operation. Next,
we analysis the probability of success of B. We first denote D as the event
where the receiver obtains (Verified,sid,y,f = 1),while party P is uncorrupted
at the time when the message is delivered and has never sent (y,σ,C). However,
according to the protocol and the logics of FCPKE and Fsig,
the event D would not happen. The reason being is that, firstly the receiver
should obtain a valid verified key from Fsig (Otherwise (Verified,sid,y,f
= 1) would not be sent by Fsig ); secondly, if an uncorrupted P never
sent (y,σ,C), then the message y is never signed by Fsig. Thus,
P would always obtain (Verified,sid,yi,f = 0) from Fsig.
Otherwise, this is incompatible with the existential unforgeability(EU-COMA)
(Even et al., 1989; Canetti,
2001) property of Fsig. Therefore, the simulation above is perfect
based on the fact that the event D will not occur. In another word, Z can not
distinguish with a non-negligible probability whether it is interacting with
A and πcoding or it is interacting with S and Fcoding.
Thus, we realize indistinguishability of REALUC-coding,A,Z and IDEALFcoding,S,Z,
in other words, πcoding securely realizes the functionality
Fcoding in the (FCPKE, Fsig )-hybrid model.
(If we use y’ instead of y, the operation is in the same way).
COMPARISON WITH RELATED WORK
The scheme for network coding against pollution attacks in this article is
compared with other representative schemes in Table 1, including
security model, the adversary’s capability model and complexity of computation.
The literature (Li et al., 2010) gave a MAC-based
approach supporting in-network verification and resisting an arbitrary number
of collusions.
| Table 1: |
Comparison between the different schemes for secure network
coding |
 |
| In the table above, ‘Mults’ is the abbreviation
of multiplications and ‘exps’ is the abbreviation of exponentiations |
The adversary does not have access to the randomness used by the source in
order to produce the various cryptographic keys. The computation complexity
includes three algorithms: generation MAC, combination of signatures and verification.
The computation complexity of literature (Feng et al.,
2011) includes two parts: source encryption’s complex is O (logN) and
intermediate nodes’s discrete logarithm complex loggyrr.
Our protocol is secure against adaptive adversaries in the so-called non-erasing model, Existing equipment or software can achieve AONT encryption, so we need not consider the encryption computational complexity. The computational complexity is mainly reflected in the following aspects. Signing a raw packet requires N exponentiations and N-1 multiplications. Combining is extremely simple, m packets require mN exponentiations and m (N-1) multiplications. Verification is computationally more expensive, if m packets are combined together, computing Υ1 requires m mappings, m exponentiations and m-1 multiplications, while Υ2 requires N modulo exponentiations, N-1 multiplications and one mapping.
CONCLUSION
We presented a new random network coding scheme within the framework of Universally
Composable (UC). In this work, we realized indistinguishability of wiretapping
messages by means of ANOT encryption. In order to prevent malicious nodes, we
adopted the signature mechanism NCS1 to authenticate nodes identity
and the transmitted data. Finally, according to the composition theorem, our
construction using FCPKE and Fsig was a secure network
coding scheme. Through comparison between the different representative schemes,
show that the new scheme having better performance. However, the scheme NCS1
is based on bilinear maps which may require more powerful computing capabilities
for the intermediate nodes. Our next work is to design protocol using more effective
signature scheme in network coding.
ACKNOWLEDGMENTS
First and foremost, I am most grateful to my senior, Professor Mr Guo, whose useful suggestions, incisive comments and constructive criticism have contributed greatly to the completion of this paper. I am also greatly indebted to all my friends who have helped me directly and indirectly in my studies. Any progress that I have made is the result of their profound concern and selfless devotion. Among them the following require mentioning: Mr. Liang, Miss Chen and Mr. Jiao.
