**ABSTRACT**

Considering the pollution attacks in network coding, in the single-source multi-sinks directed acyclic network, we present a Universally Composable (UC) secure random network coding scheme based on All-Or-Nothing Transform (AONT) encryption and homomorphic Network Coding Signature (NCS

_{1}). At the source node, by means of AONT encryption an eavesdropper is unable to get any meaningful information no matter how many channels are wiretapped. To prevent malicious modification of data packets, in this study, we adopt the signature scheme NCS

_{1}for authentication the integrity of the transmitted data and the node identity. Lastly, we have proved the novel scheme is secure in the UC security model. By the security proof and comprehensive analysis, it is showed that the proposed scheme not only has the ability of resistance eavesdropper and the Byzantine attacker but also achieves the maximum flow of information transmission.

PDF Abstract XML References Citation

**Received:**January 19, 2012;

**Accepted:**March 31, 2012;

**Published:**June 04, 2012

####
**How to cite this article**

*Information Technology Journal, 11: 1175-1183.*

**DOI:**10.3923/itj.2012.1175.1183

**URL:**https://scialert.net/abstract/?doi=itj.2012.1175.1183

**INTRODUCTION**

Network coding has been proven to maximize network throughput (Ahlswede *et al*., 2000) by mixing the received information before forwarding them to the next nodes, however, network coding is vulnerable to pollution attacks by malicious nodes in the network. Once a packet is corrupted, a single error further will cause pollution of downstream nodes like the plague spread on the network. Thus, even a faulty transmission on a single edge will eventually cause almost all messages being forwarded in the network to be incorrect and will thus prevent reconstruction of even a portion of the messages.

The algorithms of detecting misbehaved wireless nodes have been described by Raja * et al*. (2008) and Jun and Wei-Hua (2010). Some network error correcting algorithms (Cai and Yeung, 2002; Zhang, 2008; Wei *et al*., 2011) based on different techniques have been proposed. Zhou *et al*. (2010) have designed a network coded non-orthogonal Interleave-division Multiple-access (IDMA) cooperation system. The design of secure network coding is mainly against two types of pollution attacks, including wiretapping attacks (passive attacks) (Meng, 2011) and Byzantine attacks (active attacks) (Lamport *et al*., 1982; Wang *et al*., 2003; Yan and Wang, 2004; Meng, 2011). A Byzantine attacker is a malicious adversary hidden in a network, capable of intercepting, tampering or inserting packets in the original information flow. We have surveyed some techniques for combating data pollution when network coding is used. The literatures (Silva and Kschischang, 2008; Chanl and Grant, 2008; Zhou *et al*., 2009) studied different encoding methods for preventing eavesdropping attackers. Ho *et al*. (2004) have proposed a Byzantine attack detection model that based on the attacker did not know the random coding coefficients. The first efficient scheme to design and implement error-correction against Byzantine adversaries has been used in the distributed network coding setting (Jaggi *et al*., 2008). It should be noted that in these papers, the adversary model is based on the threshold number of communication links that could be controlled by the adversary. Yu *et al*. (2008) have designed a RSA homomorphic signature scheme for network coding against pollution attacks but it is pointed out in a recent paper (Gennaro *et al*., 2010), that this protocol is incorrect indeed. Agrawal and Boneh (2009) have proposed a homomorphic MAC mechanism but only at the receiving node could detect malicious packets; intermediate nodes could not detect them. RIPPLE mechanism (Li *et al*., 2010) has been designed to prevent pollution attacks. Recently, Wang (2010) shows that there are serious flaws in these schemes (Jaggi *et al*., 2008; Yu * et al*., 2008; Agrawal and Boneh, 2009; Gennaro *et al*., 2010; Li *et al*., 2010).

Our previous study (Feng *et al*., 2011) have presented a security random network coding model against Byzantine attack based on CBC (Hayat *et al*., 2004; Zaidan *et al*., 2010). In the model, the source adopts CBC packet encryption, intermediate nodes use ElGamal signature scheme. However, the security of the scheme is also dependent on limiting the numbers of eavesdropping links and this signature technology can not be combined at downstream nodes. To solve the problems, this study proposes a UC secure network coding model in view of the single-source multi-sinks directed acyclic network. We adopt AONT encryption instead of previous CBC encryption, no matter how many channels are wiretapped; the attacker can not get any meaningful information of the source messages. In order to ensure the participation of legitimate nodes, the source and intermediate nodes sign encoded message based on homomorphic signature scheme NCS_{1 }by Boneh *et al*. (2009), intermediate nodes and sinks can verify the integrity and legitimacy of the received information. NCS_{1} signature scheme has the advantage that signatures can be associated with individual vectors rather than an entire subspace. Both the public key and per-vector signatures in this scheme have constant size, making the scheme ideally suited for network coding. This scheme also supports the transmission of streaming data, in the sense that the sender need not be aware of the entire file before computing the signature first packet. The novel approach to solve the problem of concurrent network coding against pollution attack within the framework of Universally Composable (UC) security is described by Meng (2011). The most outstanding nature of UC framework is its modular design concept: may alone design a protocol, so long as the protocol satisfies the UC security, it can be guaranteed secure while running concurrently with other protocols. By the security proof and comprehensive analysis, it is showed that the proposed scheme has greatly improved security and efficiency compared to the previous schemes.

**PRELIMINARIES**

**Encoding kernel:** The pair G = (V_{G}, E_{G}) is called a single-source acyclic network, where V_{G} and E_{G} are the node set and the edge set. The node SεV_{G} called the source node, T = {t_{1}, t_{2}, …t_{m}} called the sink set. For every node v, let In(v) denote the set of incoming channels to v and Out(v) the set of outgoing channels from v. Meanwhile, let S’ denote an imaginary source at the upstream of S.

**Local description of a linear network code on an acyclic network:** Let F be a finite field and ω a positive integer. An ω-dimensional F-valued linear network code on an acyclic communication network consists of a scalar k_{d,e}, called the local encoding kernel, for every adjacent pair (d, e). Meanwhile, the local encoding kernel at the node v means: the |In(v)|x|Out(v)| matrix K_{v} = [k_{d,e}]_{dε In(v),eε Out(v)}.

**Global description of a linear network code on an acyclic network:** Let F be a finite field and ω a positive integer. An ω-dimensional F-valued linear network code on an acyclic communication network consists of a scalar k_{d,e} for every adjacent pair (d, e) in the network as well as an ω-dimensional column vector f_{e} for every channel e such that:

• | , where, eε Out(v) |

• | The vector f_{e} for the ω imaginary channels eε In(S) form the natural basis of the vector space F^{ω}. The vector f_{e} is called the global encoding kernel for the channel e |

Let the source generate a message *x* in the form of an ω-dimensional row vector. A node v receives the symbols x.f_{d}, dεIn(v), from which it calculates the symbol x.f_{e }for sending onto each channel eεOut(v) via the linear Eq. 1:

(1) |

**UC framework:** Universally composable security (UC security) is a kind of computational complexity model which was proposed by Canetti (2001) to represent and analyze cryptographic protocols under concurrent circumstances. The framework provides a rigorous method for defining the security of cryptographic tasks. A protocol is represented as a system of probabilistic Interactive Turing Machines (ITMs), where each ITM represents the program to be run within a different party. Adversarial entities are also modeled as ITMs. An additional adversarial entity called the environment Z is introduced. This environment generates the inputs to all parties, reads all outputs and in addition interacts with the adversary in an arbitrary way throughout the computation.

**The real-life model:** A probabilistic polynomial-time adversary. A participates in a run of the interactive protocol π with a set of parties P_{1}, …, P_{l}. All parties are connected through point-to-point communication channels. The channels are public; the adversary can read all data transmitted between parties. The adversary is also responsible for delivery of messages. Each party is initially honest and follows the predetermined program of π. The adversary may corrupt parties, either at the outset only (non-adaptive or static adversaries) or at any point during the execution (adaptive adversaries). Once a party is corrupted by A, the party hands over all internal data including its input, previous incoming and outgoing communication and the content of the random tape to the adversary. If a party becomes corrupted by the adversary, the party follows the adversary’s instructions from then on. Let REAL_{π,A,Z} denote the output of environment Z when interacting with adversary A and parties running protocol π.

**The ideal process:** A probabilistic polynomial-time adversary S (also called simulator) participates in an execution of (dummy) parties P_{1}’,…,P_{l}’ with some ideal and trustworthy functionality F. All parties are only connected to the functionality by secure channels and the simulator can not read the content of transmissions. Once an honest dummy party receives some input, it immediately forwards this input to the functionality, at some point which may reply with output for some parties (including the simulator S). Corruptions are dealt with as in the real-life setting. Let IDEAL_{F,S,Z} denote the output of environment Z after interacting in the ideal process with adversary S and ideal functionality F.

In both settings an interactive distinguisher, the probabilistic polynomial-time environment Z, is present. This environment can interact with honest parties by determining the inputs and reading the output of these parties. Additionally, Z can communicate with the adversary A or S, respectively.

We say that a protocol π UC realizes an ideal functionality F if for any real-life adversary A there exists an ideal-process adversary *S *such that no environment Z, on any input, can tell with non-negligible probability whether it is interacting with A and parties running π in the real-life process or with S and F in the ideal process. We have the following:

**Definition 1:** Let lεL. Let F be an ideal functionality and let π be an l-party protocol. We say that π securely realizes F if for any adversary A there exists an ideal-process adversary S such that for any environment Z, we define Eq. 2 as follows:

(2) |

The hybrid model. In order to state the composition theorem and in particular in order to formalize the notion of a real-life protocol with access to an ideal functionality, the hybrid model of computation with access to an ideal functionality F is formulated. The parties of this model may send messages to and receive messages from an unbounded number of copies of F. Each copy of F is identified via a unique session identifier (sid); all messages addressed to this copy and all message sent by this copy carry the corresponding sid. (The sids are chosen by the protocol run by the parties).

**SECURE NETWORK CODING SCHEME**

In this study, we present a UC secure network coding scheme in view of single-source multi-sinks directed acyclic network. The source messages are divided into m+1 packets, every packet has the same message length. Assume that the network maximum transmission rate is m+1 and each link throughput is 1. We obtain new m+1 packets by AONT encryption. Furthermore, the source node transforms into m augmented vectors x_{1}, x_{2}…, x_{m}. Finally, the source makes initial sub-signatures for x_{1}, x_{2}…, x_{m} based on the signature mechanism NCS_{1} and sends them to participate in encoding at the downstream nodes. The (m+1)th packet is sent directly to the sinks by a shared secret channel between the source and every sink rather than participate in encoding. The intermediate nodes combine and encode the received information and sign the encoded message based on signature mechanism NCS_{1}, after that, the intermediate nodes and sinks can verify the receiving information, thereby effectively prevent pollution caused by the attacker and ultimately the sinks can decode and decrypt correctly.

**The all-or-nothing transform:** Rivest (1997) presented a model of encryption for block ciphers which is called All-Or-Nothing Transform (AONT). AONT is defined for information-theoretic security (Stinson, 2001).

**Definition 2:** Let F_{q }be a finite field and F^{n}_{q} be an n-dimensional space over F_{q}. Suppose that Φ:F^{n}_{q}→F^{n}_{q}, Φ is named as an (n, q)-AONT if Φ satisfies the following properties:

• | Φ is a bijection |

• | If any m of the m+1 output values is fixed, then the value of any input value w_{i }(1≤I≤ m+1) is completely undetermined |

**NCS _{1} signature scheme:** The signature scheme operates over a bilinear group tuple ξ = (G

_{1}, G

_{2}, G

_{T}, q, e, Φ) with the following properties:

• | G_{1}, G_{2} and G_{T }are cyclic multiplicative groups of the same prime order q. The discrete logarithm problem is assumed to be computationally infeasible in these groups |

• | e: G_{1}xG_{2}→G_{T }is an efficiently computable map satisfying the following: |

• | Bilinearity: for any gεG_{1}, hεG_{2} and a, bεZ, e(g^{a},h^{b}) = e(g,h)^{ab} |

• | Non-degeneracy: if g generates G_{1} and h generates G_{2}, then e(g,h) generates G_{T} |

• | φ: G_{2}→G_{1} is an efficiently computable isomorphism |

Given a security parameter 1^{k} and a positive integer N, N-m = n, do:

• | Generate a bilinear group tuple ξ = (G_{1}, G_{2}, G_{T}, q, e,φ), such that q>2^{k}, where k is the security parameter of the system. Generate N-m random numbers g_{1},…,g_{n}εG_{1}\{1}, Choose a generator |

• | Choose and set u=h^{α}, hence |

• | Let H:{0,1}^{*}x{0,1}^{*}→G_{1} be a hash function |

• | Output q, the public key PK:= (ξ,H,h,u) and the private key SK:=α |

In the following section, We will discuss in detail how NCS_{1 }signature is applied to the network coding.

**NETWORK CODING SCHEME**

**Source node:** In the finite field F_{q}, we construct a linear ANOT according to the literature (Rivest, 1997), such that Φ(w) = wM^{-1 },where M is an invertible (m+1)-by-(m+1) matrix, function Φ is a linear ANOT. As in definition 2, a file to be transmitted is viewed as an ordered sequence of (m+1)-dimensional vectors w_{1},w_{2}…,w_{m},w_{m+1}εF^{n}_{q}. In another word, individual vectors refer to as packets, each w_{i} consists of n elements from F_{q}. If the source messages have not enough length, the source node pads the messages with corresponding 0 elements. Through the AONT encryption, we get the new ciphertext as .The transformation is defined by Eq. 3:

(3) |

Let q = p^{k}, where p is prime and k is a positive integer. Let λεF_{q} be such that λ∉{m mod p, m-1 mod p}(this can be done since q>2). We can define γ = (m-λ)^{-1}, define M to be the following symmetric matrix by Eq. 4:

(4) |

It is straightforward to verify that *M* is invertible; indeed, M^{-1} is indicated by Eq. 5:

(5) |

Next, we start to encode the first packets F^{n}_{q}xF^{m}_{q}→F_{q}^{n+m} to the input information _{1}εF^{n}_{q} and some randomly chosen rεF^{m}_{q}. According to the AONT properties, the attacker is unable to get any meaningful information about source even if eavesdropping all of the m coding channel. The source node pads the messages with the mxm identity matrix I by Eq. 6:

(6) |

where, N = n+m and the m augmented vectors x_{1}, x_{2},…, x_{m} are given by Eq. 7:

(7) |

that is, each original vector _{} is appended with the vector of length m containing a single ‘1’ in the ith position. The source makes initial sub-signature σ_{i} for x_{i }(1≤i≤m), respectively based on the signature mechanism NCS_{1} as follows.

Source sub-signatures (SK, id, v) the source selects randomly a private key SK:= αεF_{q}, given an identifier idε{0,1}^{k}, the source computes signature σ_{i} on vector x_{i} = (x_{i,1},…, x_{i, N})εF^{N}_{q} by Eq. 8:

(8) |

**Intermediate nodes:** First verify the signatures on the received signed packets, then produce linear combinations of the verified packets and compute a signature for the encoded packet using the received signatures without the need to access the private keys.

At this point, the combining process has to check if all input packets that contain a signature for an x_{i }contain the same value of σ_{i}. If not, the combining process fails and an adversary is recognized. Setting y is the encoded payload and y is defined by Eq. 9:

(9) |

β_{i} = (β_{i,1},…, β_{i,m}) is the corresponding randomly chosen global encoding kernel. All intermediate nodes in the network to sign and verify received packets as follows:

• | Combine(PK, id, : Given a public key PK, an identifier id and {(β_{i}, σ_{i})}^{I}_{i = I} with β_{i}εF_{q}, this algorithm outputs: |

(10) |

• | Verify (PK,id,y,σ): Given a public key PK:= (ξ, H, h, u), an identifier id, a signature σ and a vector y = (y_{1},y_{2},…,y_{N})εF, we describe Eq. 11 and 12, respectively: |

(11) |

(12) |

If Υ_{1 }(PK, σ) = Υ_{2} (PK, id, y), this algorithm outputs 1; otherwise it outputs 0.

**Sink node:** The sinks receive the former level transmitted message and verify the signature as the above method. The verified message can be ultimately decoded and decrypted. If t_{i}εT, the sink t_{i} final received message is message Y that has a valid signature. Let A_{m} be system transfer matrix of input vector X and the output vector Y, where Y=A_{m}. X given by Eq. 13:

(13) |

If the sink t_{i} receives correct information from at least m incoming channels and global encoding kernel of the m incoming channels are linearly independent, only in this way can t_{i} recovery source information. Koetter R (Koetter and Medard, 2003) has proved a coding scheme to be secure, as long as the system transfer matrix A_{m}=A(I-F)^{-1}B^{T} is full rank, the destination can decode correctly and output X = A_{m}^{-1}.Y. The vector X is column vector and we write X^{T} to denote the corresponding row vector, that is X^{T} = (x_{1},..,x_{m}),obviously we can obtain , then we have _{ }where, _{ } has been transmitted through a secret channel. Finally, we will obtain source original information by AONT inverse transformation matrix M. The process can be described by Eq. 14:

(14) |

**PROOF SECURITY OF CODING SCHEME**

Our protocols are based on the following cryptographic assumptions. Adversaries can adaptively corrupt as many parties as they wish. The protocol is secure against adaptive adversaries in the so-called non-erasing model, where the parties are not allowed to erase any information. Our protocols need UC security even in non-erasing model.

**Construction of UC secure network coding protocol:** In this section, we formulate a universally composable network coding scheme π_{coding} in (F_{CPKE}, F_{sig} )-hybrid model. Here, F_{CPKE }is the encryption ideal functionality and F_{sig }is the signature ideal functionality. In the following graphs, the definition of function Φ, matrix M, M^{-1}, y and Y as above. We start by presenting F_{CPKE }and F_{sig}. Next we present the real protocol π_{coding}. According to the UC secure framework (Canetti, 2004), we modify the definition of F_{CPKE} (Canetti and Herzog, 2006), as indicated in Fig. 1.

Fig. 1: | The certified public-key encryption functionality |

Fig. 2: | The functionality of network coding signature |

According to the UC secure framework, we modify the definition of F_{sig }(Canetti, 2001) as indicated in Fig. 2. In Fig. 2,* ZS *denotes sub-signature function and C combination function.

Note that all our functionalities receive initially a session id sid=(P, sid’) where P is the set of players who participate in realizing the functionality and sid’ is a number identifying this particular instance of the functionality. Next we present the real protocol π_{coding} in Fig. 3.

**Construction of network coding against pollution attacks ideal functionality F _{coding}:** In this section, we present our formulation of an ideal functionality for network coding against pollution attacks in the UC framework. An exact definition of the ideal functionality, denoted F

_{coding}, appears in Fig. 4.

**SECURITY PROOF OF π _{CODING}**

**Theorem 1:** Protocol π_{coding} securely realizes F_{coding} in the (F_{CPKE}, F_{sig} )-hybrid model.

**Proof:** Let A be an adaptive adversary that interacts with the parties running π_{coding} in the (F_{CPKE}, F_{sig} )-hybrid model.

Fig. 3: | The protocol π_{coding} |

We construct an ideal adversary S such that any environment Z can not distinguish with a non-negligible probability whether it is interacting with A and π_{coding} in the (F_{CPKE}, F_{sig} )-hybrid model (denoted REAL_{UC-coding,A,Z}) or it is interacting with S and F_{coding} in the ideal world (denoted IDEAL_{Fcoding,S,Z}).

**Construction of the adversary S:** The adversary S shown below runs a simulated copy of the adversary A, thus S is often called a simulator. Any input from Z is forwarded to A and any output of A is copied to the output of S.

**Simulating the sender:** When an uncorrupted party P is activated with input (Encrypt,sid,w_{i}), S obtains this value from F_{coding} and simulates for A the protocol π_{coding}.

Whenever, S obtains (Encrypt,sid,w_{i}) from F_{CPKE}, S sends the message (Encrypt,sid,w_{i}) to A with sid = (P, sid’), then forwards the response x_{i} (1≤i≤m+1)from A to F_{sig}.

Whenever, S receives a message (KenGen,sid) from F_{sig}, S sends to A the message (KenGen,sid) with sid = (P, sid’), then forwards the response (Verification key, sid, ZS, C, V) from A to F_{sig}.

Whenever, S receives a message (Sign, sid, x_{i}) from F_{sig}, S sends (Sign,sid,x_{i}) to A, then forwards the response (signature, sid, x_{i}, σ_{i}) from A to F_{sig}.

Fig. 4: | Secure network coding ideal functionality |

**Simulating the intermediate nodes:** Whenever S receives a message (Encoding,Combine,x_{1},σ_{1},...,x_{m},σ_{m}) from F_{sig}, S sends (Encoding,Combine,x_{1},σ_{1},...,x_{m},σ_{m}) to A, then forwards the response(y,σ,C) from A to F_{sig}.

**Simulating the recipients:** When A delivers a message (y,σ,C) to an uncorrupted party t, S simulates for A the protocol π_{coding}.

Whenever, S receives a message (Verify,sid,y’,σ,V) from F_{sig}, S sends (Verify,sid,y’,σ,V) to A, where a sink receives a encoded message y’ at a previous level, then forwards the response (Verified,sid, y’, f) from A to F_{sig}.

If F_{CPKE} receives (Verify,sid, y’,σ,V,f=1) from F_{sig}, then records (x,V) and sends (y,σ,C) to t. Otherwise, do nothing.

If t receives (Decrypt, sid, _{i}) from F_{CPKE}, if there is a recorded pair (w_{i}, _{i}) then hands w_{i} to t. Otherwise, computes w_{i} = D(_{i}) and hands w_{i} (1≤i≤m+1) to t.

**Simulating party corruption:** Whenever, a corrupts a party, *S* corrupts the same party and provides A with the internal state of the corrupted party. Whenever a corrupted party P receives (Encrypt, sid, w_{i}), S obtains x_{i} from F_{coding} and simulates for A only the interaction with F_{sig} and F_{CPKE}. Whenever S obtains (Encrypt,sid,w_{i}) from F_{CPKE}, S sends the message (Encrypt, sid, w_{i}) to A with sid = (P, sid’), then forwards the response x_{i }(1≤i≤m+1)from A to F_{sig}. Whenever, S receives a message (KenGen,sid) from F_{sig}, S sends to A the message (KenGen,sid) with sid = (P,sid’), then forwards the response (Verificationkey, sid, ZS, C, V’) from A to F_{sig}. (V’ may be different from V). Whenever, S receives a message (Sign, sid, x_{i}) from F_{sig}, S sends (Sign, sid, x_{i}) to A, then forwards the response (signature, sid, x_{i}, σ_{i}) from A to F_{sig}. Assume that π_{coding }can not securely realize F_{coding}, then existing Z can distinguish with a non-negligible probability whether it is interacting with A and π_{coding} or it is interacting with S and F_{coding}. Assume that we can construct an adversary B who can forge signature. B can activate environment Z, when C is activated with input (Encoding,Combine,x_{1},σ_{1},...,x_{m},σ_{m}) by Z and B computes the signature of x_{i} by sub-signatures combination algorithm and submits it to Z. When P is activated with input (Verify,sid,y,σ,V) by Z, B first checks whether (y,σ,C) is a forged signature or not. If it is a forged signature, then B outputs (y,σ,C) and stops operation. Next, we analysis the probability of success of B. We first denote D as the event where the receiver obtains (Verified,sid,y,f = 1),while party P is uncorrupted at the time when the message is delivered and has never sent (y,σ,C). However, according to the protocol and the logics of F_{CPKE} and F_{sig}, the event D would not happen. The reason being is that, firstly the receiver should obtain a valid verified key from F_{sig} (Otherwise (Verified,sid,y,f = 1) would not be sent by F_{sig} ); secondly, if an uncorrupted P never sent (y,σ,C), then the message y is never signed by F_{sig}. Thus, P would always obtain (Verified,sid,y_{i},f = 0) from F_{sig}. Otherwise, this is incompatible with the existential unforgeability(EU-COMA) (Even *et al*., 1989; Canetti, 2001) property of F_{sig}. Therefore, the simulation above is perfect based on the fact that the event D will not occur. In another word, Z can not distinguish with a non-negligible probability whether it is interacting with A and π_{coding} or it is interacting with S and F_{coding}. Thus, we realize indistinguishability of REAL_{UC-coding,A,Z }and IDEAL_{Fcoding,S,Z}, in other words, π_{coding} securely realizes the functionality F_{coding} in the (F_{CPKE,} F_{sig} )-hybrid model. (If we use y’ instead of y, the operation is in the same way).

**COMPARISON WITH RELATED WORK**

The scheme for network coding against pollution attacks in this article is compared with other representative schemes in Table 1, including security model, the adversary’s capability model and complexity of computation. The literature (Li *et al*., 2010) gave a MAC-based approach supporting in-network verification and resisting an arbitrary number of collusions.

Table 1: | Comparison between the different schemes for secure network coding |

In the table above, ‘Mults’ is the abbreviation of multiplications and ‘exps’ is the abbreviation of exponentiations |

The adversary does not have access to the randomness used by the source in order to produce the various cryptographic keys. The computation complexity includes three algorithms: generation MAC, combination of signatures and verification. The computation complexity of literature (Feng *et al*., 2011) includes two parts: source encryption’s complex is O (logN) and intermediate nodes’s discrete logarithm complex log_{g}y^{r}r.

Our protocol is secure against adaptive adversaries in the so-called non-erasing model, Existing equipment or software can achieve AONT encryption, so we need not consider the encryption computational complexity. The computational complexity is mainly reflected in the following aspects. Signing a raw packet requires N exponentiations and N-1 multiplications. Combining is extremely simple, m packets require mN exponentiations and m (N-1) multiplications. Verification is computationally more expensive, if m packets are combined together, computing Υ_{1} requires m mappings, m exponentiations and m-1 multiplications, while Υ_{2} requires N modulo exponentiations, N-1 multiplications and one mapping.

**CONCLUSION**

We presented a new random network coding scheme within the framework of Universally Composable (UC). In this work, we realized indistinguishability of wiretapping messages by means of ANOT encryption. In order to prevent malicious nodes, we adopted the signature mechanism NCS_{1} to authenticate nodes identity and the transmitted data. Finally, according to the composition theorem, our construction using F_{CPKE} and F_{sig} was a secure network coding scheme. Through comparison between the different representative schemes, show that the new scheme having better performance. However, the scheme NCS_{1 }is based on bilinear maps which may require more powerful computing capabilities for the intermediate nodes. Our next work is to design protocol using more effective signature scheme in network coding.

**ACKNOWLEDGMENTS**

First and foremost, I am most grateful to my senior, Professor Mr Guo, whose useful suggestions, incisive comments and constructive criticism have contributed greatly to the completion of this paper. I am also greatly indebted to all my friends who have helped me directly and indirectly in my studies. Any progress that I have made is the result of their profound concern and selfless devotion. Among them the following require mentioning: Mr. Liang, Miss Chen and Mr. Jiao.

####
**REFERENCES**

- Agrawal, S. and D. Boneh, 2009. Homomorphic MACs: MAC-based integrity for network coding. Applied Cryptography Network Security, 5536: 292-305.

CrossRef - Ahlswede, R., N. Cai, S.Y.R. Li and R.W. Yeung, 2000. Network infomation ﬂow. IEEE Trans. Inform. Theor., 46: 1204-1216.

Direct Link - Boneh, D., D. Freeman, J. Katz and B. Waters, 2009. Signing a linear subspace: Signature schemes for network coding. Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography, March 18-20, 2009, Irvine, CA, USA., pp: 68-87.

CrossRef - Cai, N. and R.W. Yeung, 2002. Network coding and error correction. Proceedings of the IEEE Information Theory Workshop, October 20-25, 2002, Bangalore, India, pp: 119-122.

CrossRef - Canetti, R. and J. Herzog, 2006. Universally composable symbolic analysis of mutual authentication and key exchange protocols. Theory Cryptography, 3876: 380-403.

CrossRef - Canetti, R., 2001. Universally composable security: A new paradigm for cryptographic protocols. Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, October 14-17, 2001, Las Vegas, Nevada , pp: 136-145.

Direct Link - Chanl, T. and A. Grant, 2008. Capacity bounds for secure network coding. Proceedings of the Australian Communications Theory Workshop, January 30-February 1, 2008, Christchurch, pp: 95-100.

Direct Link - Gennaro, R., J. Katz, H. Krawczyk and T. Rabin, 2010. Secure network coding over the integers. Public Key Cryptography, 6056: 142-160.

Direct Link - Hayat, K.A., U.W. Anis and Tauseef ur Rahman, 2004. Password interception in a SSL/TLS channel. Inform. Technol. J., 3: 327-331.

CrossRefDirect Link - Ho, T., B. Leong, R. Koetter, M. Medard, M. Effros and D.R. Karger, 2004. Byzantine modification detection in multicast networks using randomized network coding. Proceedings of the International Symposium on Information Theory, June 27-July 2, 2004, Chicago, IL., pp: 144.

CrossRef - Jun, D. and L. Wei-Hua, 2010. A security routing optimization scheme for multi-hop wireless networks. Inform. Technol. J., 9: 506-511.

CrossRefDirect Link - Koetter, R. and M. Medard, 2003. An algebraic approach to network coding. IEEE/ACM Trans. Networking, 11: 782-796.

CrossRef - Lamport, L., R. Shostak and M. Pease, 1982. The byzantine generals problem. ACM Trans. Programm Languages Syst., 4: 382-401.

Direct Link - Meng, B., 2011. A survey on analysis of selected cryptographic primitives and security protocols in symbolic model and computational model. Inform. Technol. J., 10: 1068-1091.

CrossRefDirect Link - Raja, P.C.K., M. Suganthi and R. Sunder, 2008. Wireless node misbehavior detection using genetic algorithm. Inform. Technol. J., 7: 143-148.

CrossRefDirect Link - Rivest, R.L., 1997. All-or-nothing Encryption and the package transform. Fast Software Encryption, 1267: 210-218.

Direct Link - Silva, D. and F.R. Kschischang, 2008. Security for wiretap networks via rank-metric codes. Proceedings of the IEEE International Symposium on Information Theory, July 6-11, 2008, Toronto, ON., pp: 176-180.

Direct Link - Stinson, D.R., 2001. Something about all or nothing (transforms). Designs Codes Cryptography, 22: 133-138.

CrossRef - Wang, S.C., K.Q. Yan and C.F. Cheng, 2003. Byzantine agreement under unreliable multicasting network. Inform. Technol. J., 2: 104-115.

CrossRefDirect Link - Wei, W., P. Qian, B. Zhang and B. Huang, 2011. Adaptive symbol-level network coding for broadcasting retransmission. Inform. Technol. J., 10: 1264-1267.

CrossRefDirect Link - Yan, K.Q. and S.C. Wang, 2004. Detecting the faulty communication links under the loose coupled distributed system. Inform. Technol. J., 3: 275-282.

CrossRefDirect Link - Yu, Z., Y. Wei, B. Ramkumar and Y. Guan, 2008. An efficient signature-based scheme for securing network coding against pollution attacks. Proceedings of the 27th Conference on Computer Communications, April 13-18, 2008, Phoenix, AZ, USA., pp: 1409-1417.

CrossRefDirect Link - Zaidan, B.B., A.A. Zaidan, A.K. Al-Frajat and H.A. Jalab, 2010. On the differences between hiding information and cryptography techniques: An overview. J. Applied Sci., 10: 1650-1655.

CrossRefDirect Link - Zhang, Z., 2008. Linear network error correction codes in packet networks. IEEE Trans. Inform. Theory, 54: 209-218.

CrossRef - Zhou, X., Y. Yang, H. Shan and Z. Wang, 2010. Performance study of a network coded non-orthogonal user cooperation system over nakagami-m channels. Inform. Technol. J., 9: 1353-1360.

CrossRefDirect Link