How to Use Linear Homomorphic Signature in Network Coding

Similar documents
Multikey Homomorphic Encryption from NTRU

Post-quantum security models for authenticated encryption

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Authentication. Chapter Message Authentication

Classical hardness of Learning with Errors

Leftovers from Lecture 3

Short Signatures Without Random Oracles

Classical hardness of the Learning with Errors problem

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Katz, Lindell Introduction to Modern Cryptrography

5199/IOC5063 Theory of Cryptology, 2014 Fall

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Improved Security for Linearly Homomorphic Signatures: A Generic Framework

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Cryptography and Security Final Exam

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Sampling Lattice Trapdoors

Homomorphic Network Coding Signatures in the Standard Model

Digital Signatures. p1.

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Smooth Projective Hash Function and Its Applications

Homomorphic Signatures for Polynomial Functions

Cryptographical Security in the Quantum Random Oracle Model

Lattice Cryptography

Schnorr Signature. Schnorr Signature. October 31, 2012

Cryptographic Solutions for Data Integrity in the Cloud

1 Number Theory Basics

Cryptanalysis of Threshold-Multisignature Schemes

Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Cryptology. Scribe: Fabrice Mouhartem M2IF

SIS-based Signatures

Lossy Trapdoor Functions and Their Applications

Public-Key Encryption Based on LPN

Gentry IBE Paper Reading

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lattice-based Multi-signature with Linear Homomorphism

Lecture V : Public Key Cryptography

Some security bounds for the DGHV scheme

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Lecture 1: Introduction to Public key cryptography

Efficient Identity-Based Encryption Without Random Oracles

Lattice Based Crypto: Answering Questions You Don't Understand

Public Key Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Cryptography and Security Final Exam

Improved Security for Linearly Homomorphic Signatures: A Generic Framework

Notes for Lecture 17

Comparing With RSA. 1 ucl Crypto Group

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lecture 18: Message Authentication Codes & Digital Signa

John Hancock enters the 21th century Digital signature schemes. Table of contents

Background. Data hiding Data verification

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Notes for Lecture 16

A Strong Identity Based Key-Insulated Cryptosystem

Transitive Signatures Based on Non-adaptive Standard Signatures

An Introduction to Probabilistic Encryption

Side-channel analysis in code-based cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

A Full Homomorphic Message Authenticator with Improved Efficiency

A CVP-BASED LATTICE SIGNATURE SCHEME FOR NETWORK CODING

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Quantum-resistant cryptography

Digital Signature Algorithm

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Random Oracles in a Quantum World

Lattice Cryptography

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Identity-Based Online/Offline Encryption

Lecture 7: Boneh-Boyen Proof & Waters IBE System

A survey on quantum-secure cryptographic systems

Lattice Reduction Attack on the Knapsack

II. Digital signatures

Cryptographic Hash Functions

Increased efficiency and functionality through lattice-based cryptography

A Digital Signature Scheme based on CVP

Secure and Practical Identity-Based Encryption

Digital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz

Semantic Security and Indistinguishability in the Quantum World

CS 355: Topics in Cryptography Spring Problem Set 5.

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

Lattice-based DAPS and Generalizations

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

New Identity-based Key-exposure Free Chameleon Hash from Bilinear Pairings

Attacks on hash functions. Birthday attacks and Multicollisions

Pairing-Based Identification Schemes

DATA PRIVACY AND SECURITY

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Notes 10: Public-key cryptography

Asymmetric Encryption

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Transcription:

How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013

How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear Homomorphic Signature 2 Linearly Homomorphic Hash and Sign 3 How to Use Linearly Homomorphic Hash and Sign 3.1 Private Hash model 3.2 Secrete Channel model 3.3 Other Solution Li Chen Xidian University 2/12

1 Linear Homomorphic Signature Definition 1.1 A linearly homomorphic signature scheme is a trituple S = (KeyGen, Sign, Veri). KeyGen: sets (pk, sk) KeyGen(1 n ). Sign: sets s Sign(sk, m). where m is a message, s is the signature. Veri: sets 1 Veri(pk, m, s) if and only if s is a valid signature of m. Let F be a field such that m F n and s F k, if for arbitrary m 1, m 2 F n, s 1 Sign(sk, m 1), s 2 Sign(sk, m 2), and c 1, c 2 F, it implies Sign(sk, c 1m 1 + c 2m 2) = c 1s 1 + c 2s 2, then we say S is linearly homomorphic. Li Chen Xidian University 3/12

Linearly homomorphic signature scheme has a superiority over other signature scheme in network coding. In random network coding, an router just compute a random linear combination of the messages it received and sent this linear combination to a next router. Thus if we use linear signature, a router just compute the same linear combination on the corresponding signatures, and need no extra computation. Li Chen Xidian University 4/12

One typical linearly homomorphic signature scheme was presented by Boneh[1], it is based on a lattice problem of SIS and enjoys the worst-case security of lattice-based cryptosystems. Bonch s linearly homomorphic signature scheme use GF (2) as the base field, which is very convenient for applying in network coding. But before we use linearly homomorphic signature scheme into network coding, we must solve a key problem. Li Chen Xidian University 5/12

A randomized signature scheme outputs a signature that has a bigger size than its corresponding message, thus considering the communication overhead we can not sign directly on the ordinary message, but to hash it and sign. Here the main effect of the hash function is compressing the message, then we can sign on the hash value of the ordinary message. The key problem is the hash function and signature scheme must be homomorphic serially, which means the hash function is homomorphic for the operation message, and signature scheme is homomorphic for the operation on hash values. Li Chen Xidian University 6/12

2 Linearly Homomorphic Hash and Sign A simple choice is using linearly homomorphic hash function and linearly homomorphic signature scheme, but unfortunatily we can show that there is no collision resistant linearly homomorphic hash function. Definition 2.1 (Linearly Homomorphic hash) Let H be a hash function from F n to F k, where k < n. If for arbitrary m 1, m 2 and h 1 = H(m 1), h 2 = H(m 2), the following equation holds H(c 1m 1 + c 2m 2) = c 1h 1 + c 2h 2 where c 1, c 2 F. Then, we call H a linearly homomorphic hash function. Li Chen Xidian University 7/12

Theorem 2.2 Let H be a linearly homomorphic hash function from F n to F k with k < n, for an arbitrary m F n and h = H(m), we can compute a m F n in polynomial time, such that h = H(m ). Proof Since H is linearly homomorphic, we just need to show we can find a m F n /0 in polynomial time, such that H(m ) = 0. Let e i F n with the ith coordinate is 1, and the others are 0. we can compute h i = H(e i ), i [1, n]. Since h i F k, k < n, so h 1,, h n must be linearly dependent, i.e., there exists c 1,, c n, not all of which are zero, such that n i=1 c n ih i = 0, therefore, H( i=1 c n ie i ) = 0, and i=1 c ie i is obviously not zero. Li Chen Xidian University 8/12

The following will show that linearly homomorphic hash and sign can not against to pollution attack. To show that, we just need to illuminate a attacker can forge a valid polluted packet, i.e., he can generate a polluted message and a valid hash and signature of this polluted message. Suppose the attacker obtain a clean message m and its corresponding valid hash value h and signature s, by the assumption that the hash function is linearly homomorphic, then the attacker can compute a message m such that h and s are the valid hash value and signature of m, here we omit the details that m can be independent with all clean messages, thus the attacker can use the m to pollute the whole network. Li Chen Xidian University 9/12

3 How to Use Linearly Homomorphic Hash and Sign 3.1 Private Hash model By the analysis of above, if the attacker can not obtain the hash value of any message, then he will not forge a valid signature for a polluted message. So a simple fix method is to share the hash function as a secrete parameter with all legal routers. 3.2 Secrete Channel model If there exist a secrete channel, we can transmit a secrete key to keep the hash oblivious to any unlegal note. This may be view as a improvement of the secrete channel model of Jaggi et al[2] 3.3 Other Solution under discussing... Li Chen Xidian University 10/12

References References References [1] Dan Boneh and David Mandell Freeman. Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Public Key Cryptography PKC 2011. Springer, 2011, pp. 1 16. [2] Sidharth Jaggi et al. Resilient network coding in the presence of byzantine adversaries. In: INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE. IEEE. 2007, pp. 616 624. Li Chen Xidian University 11/12

Thanks! & Questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback