![Page 1: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/1.jpg)
Network coding security
Tracey Ho, Sidharth Jaggi
NetCod2009
Raymond Yeung
Frank Kschischang, Danilo Silva, Zhen Zhang
Ning Cai
Michael Langberg
Muriel Medard, Fang Zhao
Kamal Jain
Many MANY others
![Page 2: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/2.jpg)
Obligatory Example/History
[Figure: example network with source s and sinks t1, t2. Links carry b1, b2 and b1+b2; each sink obtains (b1,b2). C=2]
[ACLY00] Characterization; non-constructive
[LYC03], [KM02] Constructive (linear); exp-time design
[JCJ03], [SET03] Poly-time design; centralized design
[HKMKE03], [JCJ03] Decentralized design
EVER BETTER ...
[This talk] All the above, plus security
Tons of work
[SET03] Gap provably exists
![Page 3: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/3.jpg)
Network Model
Multicast
Wired
Wireless
Simplifying assumptions
• All links unit capacity (1 packet/transmission)
• Acyclic network
Network = Hypergraph
ALL of Alice’s information decodable EXACTLY by EACH Bob
![Page 4: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/4.jpg)
Multicast Network Model
ALL of Alice’s information decodable EXACTLY by EACH Bob
[Figure labels: 3, 2, 2]
Upper bound for multicast capacity C: $C \le \min\{C_i\}$
[ACLY00] With mixing, $C = \min\{C_i\}$ achievable!
[LCY02], [KM01], [JCJ03], [HKMKE03] Simple (linear) distributed codes suffice!
![Page 5: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/5.jpg)
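Mixing
$F(2^m)$-linear network [KM01]
Source:
- Group together m bits, $(b_1 b_2 \ldots b_m) \in \{0,1\}^m$, as one symbol $x \in F(2^m)$
Every node:
- Perform linear combinations over finite field $F(2^m)$: inputs $x_1, x_2, \ldots, x_k$ with coefficients $\beta_1, \beta_2, \ldots, \beta_k$ give output $\beta_1 x_1 + \beta_2 x_2 + \ldots + \beta_k x_k$
Generalization: The X are length n vectors over $F(2^m)$: $\beta_1 X_1 + \beta_2 X_2 + \ldots + \beta_k X_k$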
![Page 6: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/6.jpg)
Distributed multicast [HKMKE03]
• Source: Sends packets.
[Figure: source matrix $[X \; I]$, C packets; “small” rate-loss]
![Page 7: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/7.jpg)
Distributed multicast [HKMKE03]
• Source: Sends packets.
• Sink gets Y (Each column encoded with same transform T)
• Now sink knows T and can decode.
[Figure: source matrix $[X \; I]$, C packets, “small” rate-loss; sink matrix $Y = [TX \; T]$]
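The header trick on this slide as a runnable sketch (an added example, not code from the talk): the source sends the rows of [X | I], the sink reads T from the header columns of Y = [TX | T] and inverts it, and a single altered symbol makes the sink decode a wrong X with no error signal. Assumptions: a prime field F_257 stands in for F(2^m), T is a fixed constructed matrix rather than a random one, and all function names are hypothetical.

```python
P = 257  # assumption: prime field used in place of F(2^m) for readable arithmetic

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]

def solve(T, Y):
    """Gauss-Jordan over F_P: return T^{-1} Y, or None if T is singular."""
    k = len(T)
    M = [list(t) + list(y) for t, y in zip(T, Y)]
    for c in range(k):
        piv = next((r for r in range(c, k) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [v * inv % P for v in M[c]]
        for r in range(k):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[c])]
    return [row[k:] for row in M]

def source_packets(X):
    """Append the identity header: packet i becomes [X_i | e_i]."""
    C = len(X)
    return [list(x) + [int(i == j) for j in range(C)] for i, x in enumerate(X)]

def sink_decode(Y, C):
    """Split Y = [TX | T], read T from the last C columns, and invert it."""
    TX = [row[:-C] for row in Y]
    T = [row[-C:] for row in Y]
    return solve(T, TX)

def demo():
    X = [[10, 20, 30, 40], [1, 2, 3, 4], [200, 100, 50, 25]]  # constructed payload, C=3, n=4
    T = [[1, 2, 3], [0, 1, 4], [5, 6, 0]]   # constructed network transform, determinant 1
    Y = matmul(T, source_packets(X))
    clean = sink_decode(Y, 3)
    Y[0][0] = (Y[0][0] + 1) % P             # one symbol corrupted on one link
    dirty = sink_decode(Y, 3)
    return clean == X, dirty == X           # (True, False)
```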
![Page 8: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/8.jpg)
Problems!
Eavesdropped links
Attacked/noisy links
Corrupted links
![Page 9: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/9.jpg)
This talk
• Errors
  – Types of errors/erasures
    • Random
    • Malicious
  – Types of solutions proffered
    • Error detection
    • Error correction
  – Tools
    • Information theory
    • Cryptography
• Wiretappers/secrecy
![Page 10: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/10.jpg)
Random errors
Noisy links
Corrupted links
[SYC06], [B02] Linkwise independent noise, channel/network coding separable
![Page 11: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/11.jpg)
Random errors
[SYC06], [B02] Linkwise independent noise, channel/network coding separable
• Routers/relays have to do extra work
• Not for malicious (packetwise) errors
GOAL: END-TO-END ERASURE/ERROR-DETECTION/CORRECTION
![Page 12: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/12.jpg)
Point-to-point Codes
(Linear) Channel Code
$Y = TX + E$
$T$: generator matrix
$E$: low-weight vector
![Page 13: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/13.jpg)
Network Codes
$Y = TX + E = TX + T_Z Z$
$T$, $T_Z$: network transform matrices
$Z$: low-weight vector
(Un)known
![Page 14: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/14.jpg)
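Example (Coherent ECCs)
[Figure: links carrying X1, X2, X3 and Z; C=3, ZO=1]
n-length vectors (packets)
$Y_1 = \alpha_1 X_1 + \beta_1 Z$
$Y_2 = \alpha_2 X_2 + \beta_2 Z$
$Y_3 = \alpha_3 X_3 + \beta_3 Z$
3n known, 4n unknown
6 known scalars (“coherence”)
Redundancy added at source: $X_3 = X_1 + X_2$
4n known
R = C - ZO (2 = 3 - 1)
$$\begin{pmatrix} \alpha_1 & 0 & \beta_1 \\ 0 & \alpha_2 & \beta_2 \\ \alpha_3 & \alpha_3 & \beta_3 \end{pmatrix} \begin{pmatrix} X_1 \\ X_2 \\ Z \end{pmatrix} = \begin{pmatrix} Y_1 \\ Y_2 \\ Y_3 \end{pmatrix}$$
Invertible with high probability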
![Page 15: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/15.jpg)
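Example (Partially Coherent ECCs)
[Figure: links carrying X1, X2, X3 and Z; C=3, ZO=1]
$Y_1 = \alpha_1 X_1 + \beta_1 Z$
$Y_2 = \alpha_2 X_2 + \beta_2 Z$
$Y_3 = \alpha_3 X_3 + \beta_3 Z$
3 known scalars (“partial coherence”)
Network transform known, adversarial location unknown
R = C - ZO
$$\begin{pmatrix} \alpha_1 & 0 & \beta_1 \\ 0 & \alpha_2 & \beta_2 \\ \alpha_3 & \alpha_3 & \beta_3 \end{pmatrix} \begin{pmatrix} X_1 \\ X_2 \\ Z \end{pmatrix} = \begin{pmatrix} Y_1 \\ Y_2 \\ Y_3 \end{pmatrix}$$
Still invertible with high probability, regardless of adversarial location.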
Basis from columns of
'
'
' '
1 1 1 1
2 2 2 2
3 3 3 3
α 0 β X Y0 α β X Yα α β Z Y
[MU07,SK07,BZ08] (Fast implementations via Gaussian elimination)
![Page 16: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/16.jpg)
Incoherent?
![Page 17: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/17.jpg)
When stuck…
“ε-rate secret uncorrupted channels”
• Useful abstraction/building block
![Page 18: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/18.jpg)
Example
[Figure: links carrying X1, X2, X3 and Z; C=3, ZO=1]
$Y_1 = \alpha_1 X_1 + \beta_1 Z$
$Y_2 = \alpha_2 X_2 + \beta_2 Z$
$Y_3 = \alpha_3 X_3 + \beta_3 Z$
4n+6 unknown
non-linear
6 secret hashes of X
4n+6 known
4n known
)1()1(0)1()1()1(0)1(
)1()1(0)1(
333
222
111
yzxyzxyzx
)2()2(22)2()2()2(1)2(
)2()2(1)2(
3333
2222
1111
yzxyzxyzx
3
2
1
)1(
z
'''
)2(2 3
2
1
3
2
1
z
'''
3
2
1
)3()3(33)3()3()3(22)3(
)3()3(1)3(
3333
2222
1111
yzxyzx
yzx
'''
)3(32
3
2
1
3
2
1
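$Y_1 = \alpha_1 X_1 + \beta_1' Z'$
$Y_2 = \alpha_2 X_2 + \beta_2' Z'$
$Y_3 = \alpha_3 X_3 + \beta_3' Z'$
Solve for $\alpha_1, \alpha_2, \alpha_3, \beta_1', \beta_2', \beta_3'$
$X_3 = X_1 + X_2$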
![Page 19: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/19.jpg)
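Example
[Figure: links carrying X1, X2, X3 and Z; C=3, ZO=1]
$X_3 = X_1 + X_2$
6 secret hashes of X
4n+6 known, 4n+6 unknown
$$\begin{pmatrix} \alpha_1 & 0 & \beta_1' \\ 0 & \alpha_2 & \beta_2' \\ \alpha_3 & \alpha_3 & \beta_3' \end{pmatrix} \begin{pmatrix} X_1 \\ X_2 \\ Z' \end{pmatrix} = \begin{pmatrix} Y_1 \\ Y_2 \\ Y_3 \end{pmatrix}$$
$Y_1 = \alpha_1 X_1 + \beta_1' Z'$
$Y_2 = \alpha_2 X_2 + \beta_2' Z'$
$Y_3 = \alpha_3 X_3 + \beta_3' Z'$
Invertible with high probability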
3
2
1
3
2
1
)1('''
zZ=(0 z(2) z(3)… z(n))
3
2
1
3
2
1
0'''
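$$\begin{pmatrix} \alpha_1 & 0 & 0 \\ 0 & \alpha_2 & 0 \\ \alpha_3 & \alpha_3 & 0 \end{pmatrix} \begin{pmatrix} X_1 \\ X_2 \\ Z' \end{pmatrix} = \begin{pmatrix} Y_1 \\ Y_2 \\ Y_3 \end{pmatrix}$$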
![Page 20: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/20.jpg)
“Small” shared secret
Theorem [JLKHHE07]: Rate C-ZO-ε achievable with ZI={E}, ε-rate secret uncorrupted channel
![Page 21: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/21.jpg)
Incoherent Example
[Figure: links carrying X1, X2, X3 and Z]
$Y_1 = \alpha_1 X_1 + \beta_1 Z$
$Y_2 = \alpha_2 X_2 + \beta_2 Z$
$Y_3 = \alpha_3 X_3 + \beta_3 Z$
$X_3 = X_1 + X_2$
n more constraints added on X
3
2
1
3
2
1
)1('''
z
Z=(0 z(2) z(3)… z(n))
3
2
1
3
2
1
0'''
$DX = 0$
$Z = (0, 0, 0, \ldots, 0)$
R = C – ZO (2 = 3 – 1)
R = C – ZO – redundancy (1 = 3 – 1 – 1)
R = C – 2ZO
![Page 22: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/22.jpg)
Omniscient adversary
Theorem [JLKHHE07]: Rate C-2ZO-ε achievable with ZI={E}
![Page 23: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/23.jpg)
Partially omniscient adversary
Theorem [JLKHHE07]: Rate C-ZO-ε achievable, if ZI+2ZO<C
ZI < C-2ZO (eavesdropping rate < algorithm 2 rate)
Using algorithm 2 for small header, can transmit secret, correct information… which can be used for algorithm 1 decoding!
ZI<R: Information-theoretic Privacy
Theorem [JL07]: Rate C-ZO-ε achievable, if ZI+ZO<C
![Page 24: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/24.jpg)
Summary
• Optimal rates
• Poly-time
• Distributed
• Unknown topology
• End-to-end
• Rateless
• Information theoretically secure/private
• Wired/wireless

| Scenario | Rate |
| --- | --- |
| Coherent | C-ZO |
| Partially coherent | C-ZO |
| Shared secret | C-ZO |
| Omniscient | C-2ZO |
| Partially oblivious | C-ZO |
![Page 25: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/25.jpg)
A Fresh Approach
Slide courtesy of Frank Kschischang
![Page 26: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/26.jpg)
Slide courtesy of Frank Kschischang
![Page 27: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/27.jpg)
Slide courtesy of Frank Kschischang
![Page 28: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/28.jpg)
Slide courtesy of Frank Kschischang
![Page 29: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/29.jpg)
Slide courtesy of Frank Kschischang
![Page 30: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/30.jpg)
Slide courtesy of Frank Kschischang
![Page 31: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/31.jpg)
Slide courtesy of Frank Kschischang
![Page 32: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/32.jpg)
Slide courtesy of Frank Kschischang
![Page 33: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/33.jpg)
Slide courtesy of Frank Kschischang
![Page 34: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/34.jpg)
Slide courtesy of Frank Kschischang
![Page 35: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/35.jpg)
Slide courtesy of Frank Kschischang
![Page 36: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/36.jpg)
Slide courtesy of Frank Kschischang
![Page 37: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/37.jpg)
Slide courtesy of Frank Kschischang
![Page 38: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/38.jpg)
Slide courtesy of Frank Kschischang
![Page 39: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/39.jpg)
Slide courtesy of Frank Kschischang
![Page 40: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/40.jpg)
Slide courtesy of Frank Kschischang
![Page 41: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/41.jpg)
Slide courtesy of Frank Kschischang
![Page 42: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/42.jpg)
Slide courtesy of Frank Kschischang
![Page 43: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/43.jpg)
Slide courtesy of Frank Kschischang
![Page 44: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/44.jpg)
Slide courtesy of Frank Kschischang
![Page 45: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/45.jpg)
Slide courtesy of Frank Kschischang
![Page 46: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/46.jpg)
Problem formulation
• A source s wishes to send a large file to a group of peers, T.
• View the data to be transmitted as vectors $v_1, \ldots, v_m$ in n-dimensional vector space $F_p^n$, where p is a prime. The source node augments these vectors to $\bar{v}_1, \ldots, \bar{v}_m$ given by $\bar{v}_i = (0, \ldots, 1, \ldots, 0, v_{i1}, \ldots, v_{in})$, where the first m elements are zero except the i-th one is 1, and .
• Each packet received by a peer is a linear combination of all the pieces.
Slide courtesy of Fang Zhao
![Page 47: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/47.jpg)
Signature for network coding
• The vectors $\bar{v}_1, \ldots, \bar{v}_m$ span a subspace V of $F_p^{m+n}$.
• A received packet is a valid linear combination if and only if it belongs to V.
• Each node verifies the integrity of a received vector w by checking the membership of w in V.
• Our approach has the following ingredients:
  – q: a large prime such that p is a divisor of q - 1.
  – g: a generator of the group G of order p in $F_q$.
  – Private key: $K_{pr} = \{\alpha_i\}_{i=1,\ldots,m+n}$, a random set of elements in $F_q^*$.
  – Public key: $K_{pu} = \{h_i = g^{\alpha_i}\}_{i=1,\ldots,m+n}$.
Slide courtesy of Fang Zhao
![Page 48: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/48.jpg)
Signature for network coding
• The scheme works as follows:
  1. The source finds a vector u that is orthogonal to all vectors in V.
  2. The source computes vector $x = (u_1/\alpha_1, \ldots, u_{m+n}/\alpha_{m+n})$.
  3. The source signs x with some standard signature scheme and publishes it.
  4. When a node receives a vector w and wants to verify that w is in V, it computes $d = \prod_{i=1}^{m+n} h_i^{x_i w_i}$ and verifies that d = 1.
Slide courtesy of Fang Zhao
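Steps 1, 2 and 4 of the scheme as a runnable sketch (an added example, not code from the slides or their authors), showing that an honest linear combination verifies and a packet with one altered payload symbol does not. Assumptions: toy primes p=101, q=607; private-key elements drawn from 1..p-1 so that the division in x is taken modulo p (the order of g); u built from a random nonzero tail; the standard signature on x (step 3) is omitted; all function names are hypothetical.

```python
import secrets

P, Q = 101, 607                 # constructed toy primes with P | Q-1; far too small for real use
G = pow(2, (Q - 1) // P, Q)     # element of order P in F_Q^* (equals 64)

def augment(vectors):
    """Prefix vector i with the unit vector e_i (the source's augmentation)."""
    m = len(vectors)
    return [[int(i == j) for j in range(m)] + list(v) for i, v in enumerate(vectors)]

def keygen(length):
    alpha = [secrets.randbelow(P - 1) + 1 for _ in range(length)]   # private key K_pr
    h = [pow(G, a, Q) for a in alpha]                                # public key K_pu
    return alpha, h

def sign(vectors, alpha):
    """Pick u orthogonal to every augmented vector, return x_i = u_i / alpha_i mod P."""
    n = len(vectors[0])
    r = [secrets.randbelow(P - 1) + 1 for _ in range(n)]             # nonzero payload part of u
    head = [-sum(a * b for a, b in zip(v, r)) % P for v in vectors]  # makes (e_i, v_i) . u = 0
    u = head + r
    return [ui * pow(ai, -1, P) % P for ui, ai in zip(u, alpha)]

def verify(w, x, h):
    """Compute d = prod h_i^(x_i w_i) mod Q and accept only if d == 1."""
    d = 1
    for hi, xi, wi in zip(h, x, w):
        d = d * pow(hi, xi * wi % P, Q) % Q
    return d == 1

def mix(packets, coeffs):
    """What an honest relay does: a linear combination of received packets over F_P."""
    return [sum(c * pkt[k] for c, pkt in zip(coeffs, packets)) % P
            for k in range(len(packets[0]))]

def demo():
    file_vectors = [[5, 17, 42, 99], [7, 0, 13, 64], [88, 21, 3, 1]]  # constructed data, m=3, n=4
    packets = augment(file_vectors)
    alpha, h = keygen(len(packets[0]))
    x = sign(file_vectors, alpha)
    coded = mix(packets, [9, 50, 33])
    polluted = list(coded)
    polluted[-1] = (polluted[-1] + 1) % P    # one payload symbol altered in transit
    return verify(coded, x, h), verify(polluted, x, h)   # (True, False)
```

Because the tail of u is drawn nonzero here, a change to a single payload symbol is always rejected; for an arbitrary vector outside V the toy modulus still lets roughly one in p candidates pass, which is why p must be large in practice.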
![Page 49: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/49.jpg)
Discussion
• It can be shown that it is as hard as the Discrete Logarithm problem to find new vectors that also satisfy the verification criterion other than those that are in V.
• Overheads
  – Part of the public key Kpu has to be re-generated for each file, otherwise a malicious node can use the information from the previous file to crack the system.
  – Signature vector, x.
Slide courtesy of Fang Zhao
![Page 50: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/50.jpg)
Discussion
• If the file sizes are large, after the initial setup, each additional file distributed only incurs a negligible amount of overhead using our signature scheme.
• Under our assumptions that
  1. there is no secure side-channel to transfer hash values from the source to all the peer nodes, and;
  2. all peers have full knowledge of the public information of the security scheme,
  our signature scheme has to be applied on the original file, not on hashes.
Slide courtesy of Fang Zhao
![Page 51: Network coding security](https://reader036.vdocuments.us/reader036/viewer/2022062810/56815d71550346895dcb7a5e/html5/thumbnails/51.jpg)
Conclusions
• Proposed a solution to the security problem in content distribution with network coding.
• Use a signature vector for each file that can be used to easily check the integrity of all the packets received for this file.
• This scheme is secure and has low overhead.
Slide courtesy of Fang Zhao