Upload
courtney
View
51
Download
2
Tags:
Embed Size (px)
DESCRIPTION
Frank Kschischang. Zhen Zhang. Danilo Silva. Network coding security. Raymond Yeung. Muriel Medard Fang Zhao. Ning Cai. Many MANY others. Kamal Jain. Michael Langberg. Tracey HoSidharth Jaggi NetCod2009. Obligatory Example/History. s. [ACLY00]. - PowerPoint PPT Presentation
Citation preview
Network coding security
Tracey Ho Sidharth Jaggi
NetCod2009
Raymond Yeung
Frank KschischangDanilo Silva Zhen Zhang
Ning Cai
Michael Langberg
Muriel MedardFang Zhao
Kamal Jain
Many MANY others
Obligatory Example/History
s
t1 t2
b1 b2
b2
b2
b1
b1 b1
b1 b1
b1 (b1,b2)
b1+b2
b1+b2b1+b2
(b1,b2)
[ACLY00] [ACLY00] Characterization Non-constructive
[LYC03], [KM02] Constructive (linear) Exp-time design
[JCJ03], [SET03] Poly-time design Centralized design
[HKMKE03], [JCJ03] Decentralized design
EVER
BETTER
.
.
.
C=2
[This talk] All the above, plus security
Tons of work
[SET03] Gap provably exists
Multicast
Wired
Wireless
Simplifying assumptions• All links unit capacity
• (1 packet/transmission)• Acyclic network
Network = Hypergraph
ALL of Alice’sinformationdecodableEXACTLYbyEACH Bob
Network Model
Multicast Network Model
ALL of Alice’sinformationdecodableEXACTLYbyEACH Bob
3
2
2
Upper bound for multicast capacity C,C ≤ min{Ci}
[ACLY00] With mixing, C = min{Ci} achievable!
[LCY02],[KM01],[JCJ03],[HKMKE03] Simple (linear) distributed codes suffice!
Mixing
)2(1,0)...( 21mm
m Fxbbb
2x
kx
b1b2 bmx
1x
kk xxx ...2211
β1
β2
βk
F(2m)-linear network[KM01]
Source:- Group together m bits,
Every node:- Perform linear combinations over finite field F(2m)
Generalization: The X arelength n vectors over F(2m)
X1
X2
Xk
kkXXX ...2211
• Source: Sends packets.
Distributed multicast
X IC packets
“Small” rate-loss
[HKMKE03] X
• Source: Sends packets.
• Sink gets Y (Each column encoded with same transform T)
• Now sink knows T and can decode.
Distributed multicast
X I
TX T
C packets
“Small” rate-loss
[HKMKE03]
Y=
X
Y
TX
Problems!
Eavesdropped links
Attacked/noisy links
Corrupted links
This talk• Errors
– Types of errors/erasures• Random• Malicious
– Types of solutions proffered• Error detection• Error correction
– Tools• Information theory• Cryptography
• Wiretappers/secrecy
Random errors
Noisy links
Corrupted links
[SYC06], [B02] Linkwise independent noise,Channel/network coding separable
Random errors
[SYC06], [B02] Linkwise independent noise,Channel/network coding separable
• Routers/relays have to do extra work• Not for malicious (packetwise) errors
GOAL: END-TO-END ERASURE/ERROR-DETECTION/CORRECTION
Point-to-point Codes
Y=TX+E
Generator matrix
Low-weightvector
YX
(Linear) Channel Code
10000
c
T
E
X
TY
TZ
Z
Y=TX+E=TX+TZZ
Networktransform matrices
Low-weightvector
(Un)known
Network Codes
Example (Coherent ECCs)
1X2X
3X
Z
ZX 111
ZX 222
ZX 333 C=3
ZO=1
ZβXαYZβXαYZβXαY
33 33
22 22
11 11
n-length vectors (packets)
3n known 4n unknown
6 known scalars (“coherence”)
X3=X1+X2R = C - Zo
2 3 1
4n known
Redundancy addedat source
1 1 1 1
2 2 2 2
3 3 3 3
α 0 β X Y0 α β X Yα α β Z Y
Invertible with high probability
Example (Partially Coherent ECCs)
1X2X
3X
Z
ZX 111
ZX 222
ZX 333 C=3
ZO=1
ZβXαYZβXαYZβXαY
33 33
22 22
11 11
3 known scalars (“partial coherence”)
Network transform known,Adversarial location unknown
R = C - Zo
1 1 1 1
2 2 2 2
3 3 3 3
α 0 β X Y0 α β X Yα α β Z Y
Still invertible with high probability,regardless of adversarial location.
Basis from columns of
'
'
' '
1 1 1 1
2 2 2 2
3 3 3 3
α 0 β X Y0 α β X Yα α β Z Y
[MU07,SK07,BZ08] (Fast implementations via Gaussian elimination)
Incoherent?
When stuck…“ε-rate secret uncorrupted channels”
• Useful abstraction/ building block
Example
1X2X
3X
Z
ZX 111
ZX 222
ZX 333 C=3
ZO=1ZβXαYZβXαYZβXαY
33 33
22 22
11 11
4n+6 unknown
non-linear
6 secret hashes of X
4n+6 known4n known
)1()1(0)1()1()1(0)1(
)1()1(0)1(
333
222
111
yzxyzxyzx
)2()2(22)2()2()2(1)2(
)2()2(1)2(
3333
2222
1111
yzxyzxyzx
3
2
1
)1(
z
'''
)2(2 3
2
1
3
2
1
z
'''
3
2
1
)3()3(33)3()3()3(22)3(
)3()3(1)3(
3333
2222
1111
yzxyzx
yzx
'''
)3(32
3
2
1
3
2
1
zZ''βXαYZ''βXαYZ''βXαY
33 33
22 22
11 11
'β,'β,'βααα 3213,2,1,Solve forX3=X1+X2
Example
1X2X
3X
Z
ZX 111
ZX 222
ZX 333 C=3
ZO=1
X3=X1+X2
6 secret hashes of X
4n+6 known4n+6 unknown
3
2
1
2
1
333
22
11
YYY
Z'XX
'βαα'βα0'β0α
Z''βXαYZ''βXαYZ''βXαY
33 33
22 22
11 11
Invertible with high probability
3
2
1
3
2
1
)1('''
zZ=(0 z(2) z(3)… z(n))
3
2
1
3
2
1
0'''
3
2
1
2
1
33
2
1
YYY
Z'XX
0αα0α000α
“Small” shared secret
Theorem [JLKHHE07]: Rate C-ZO-ε achievable with ZI={E},ε-rate secret uncorrupted channel
Incoherent Example
1X2X
3X
Z
ZX 111
ZX 222
ZX 333
ZβXαYZβXαYZβXαY
33 33
22 22
11 11
X3=X1+X2
n more constraints added on X
3
2
1
3
2
1
)1('''
z
Z=(0 z(2) z(3)… z(n))
3
2
1
3
2
1
0'''
DX=0
Z=(0 0 0… 0)R = C – Zo - redundancyR = C – Zo
2 3 11 3 1 1R = C – 2Zo
Omniscient adversary
Theorem [JLKHHE07]: Rate C-2ZO-ε achievable with ZI={E}
Partially omniscient adversary
Theorem [JLKHHE07]: Rate C-ZO-ε achievable, if ZI+2ZO<C
ZI<C-2ZO
Using algorithm 2 for small header, can transmit secret, correct information…… which can be used foralgorithm 1 decoding!
Algorithm 2 rate
Eavesdropping rate
ZI<R Information-theoretic Privacy
Theorem [JL07]: Rate C-ZO-ε achievable, if ZI+ZO<C
Summary
Optimal rates Poly-timeDistributedUnknown topologyEnd-to-endRatelessInformation theoretically secure/privateWired/wireless
Scenario Rate
Coherent C-ZO
Partially coherent C-ZO
Shared secret C-ZO
Omniscient C-2ZO
Partially oblivious C-ZO
A Fresh Approach
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Slide courtesy of Frank Kschischang
Problem formulation• A source s wishes to send a large file to a group of peers, T.• View the data to be transmitted as vectors in n-dimensional vector space ,
where p is a prime. The source node augments these vector to given by
where the first m elements are zero except the i-th one is 1, and .• Each packets received by a peer is a linear combination of all the pieces.
mvv ,,1 mvv ,,1
),,,0,,1,,0( 1 inii vv v
Slide courtesy of Fang Zhao
Signature for network coding• The vectors span a subspace V of .• A received packet is a valid linear combination if and only if it belongs to V.• Each node verifies the integrity of a received vector w by checking the
membership of w in V.• Our approach has the following ingredients:
– q: a large prime such that p is a divisor of q -1.– g: a generator of the group G of order p in .– Private key: , a random set of elements in .– Public key: .
mvv ,,1
nmpF
qF
nmiipr aK ,,1}{
*qF
nmia
ipuighK ,,1}{
Slide courtesy of Fang Zhao
Signature for network coding• The scheme works as follows:
1. The source finds a vector u that is orthogonal to all vectors in V.2. The source computes vector .3. The source signs x with some standard signature scheme and publishes it.4. When a node receives a vector w and wants to verify that w is in V, it computes
and verifies that d =1.
)/,,/( 11 nmnm auau x
nm
i
wxi
iihd1
Slide courtesy of Fang Zhao
Discussion• It can be shown that it is as hard as the Discrete Logarithm problem to find
new vectors that also satisfy the verification criterion other than those that are in V.
• Overheads– Part of the public key Kpu has to be re-generated for each file,
otherwise a malicious node can use the information from the previous file to crack the system.
– Signature vector, x.
Slide courtesy of Fang Zhao
Discussion• If the file sizes are large, after the initial setup, each additional file distributed only
incurs a negligible amount of overhead using our signature scheme.• Under our assumptions that
1. there is no secure side-channel to transfer hash values from the source to all the peer nodes, and;
2. all peers have full knowledge of the public information of the security scheme,our signature scheme has to be applied on the original file, not on hashes.
Slide courtesy of Fang Zhao
Conclusions• Proposed a solution to the security problem in content distribution with
network coding.• Use a signature vector for each file that can be used to easily check the
integrity of all the packets received for this file.• This scheme is secure and has low overhead.
Slide courtesy of Fang Zhao