1 / 51

Network coding security

Frank Kschischang. Zhen Zhang. Danilo Silva. Network coding security. Raymond Yeung. Muriel Medard Fang Zhao. Ning Cai. Many MANY others. Kamal Jain. Michael Langberg. Tracey Ho Sidharth Jaggi NetCod2009. Obligatory Example/History. s. [ACLY00].

courtney
Télécharger la présentation

Network coding security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Frank Kschischang Zhen Zhang Danilo Silva Network coding security Raymond Yeung Muriel Medard Fang Zhao Ning Cai Many MANY others Kamal Jain Michael Langberg Tracey Ho Sidharth Jaggi NetCod2009

  2. Obligatory Example/History s [ACLY00] [ACLY00] Characterization Non-constructive b1 b2 E V E R B E T T E R C=2 [LYC03], [KM02] Constructive (linear) Exp-time design b1 b2 [JCJ03], [SET03] Poly-time design Centralized design b1 b1 b2 [HKMKE03], [JCJ03]Decentralized design b1+b2 . . . b1 b1 b1+b2 b1+b2 Tons of work t1 t2 [This talk]All the above, plus security (b1,b2) b1 (b1,b2) [SET03] Gap provably exists

  3. Multicast Network Model ALL of Alice’s information decodable EXACTLY by EACH Bob Wireless Wired Network = Hypergraph Simplifying assumptions • All links unit capacity • (1 packet/transmission) • Acyclic network

  4. Multicast Network Model 2 ALL of Alice’s information decodable EXACTLY by EACH Bob 2 3 Upper bound for multicast capacity C, C ≤ min{Ci} [ACLY00] With mixing, C = min{Ci} achievable! [LCY02],[KM01],[JCJ03],[HKMKE03] Simple (linear) distributed codes suffice!

  5. Mixing F(2m)-linear network [KM01] b1 b2 bm Source:- Group together m bits, Every node:- Perform linear combinations over finite field F(2m) X1 β1 X2 β2 Generalization: The X are length n vectors over F(2m) βk Xk

  6. Distributed multicast [HKMKE03] X • Source: Sends packets. “Small” rate-loss I X C packets

  7. Distributed multicast [HKMKE03] X • Source: Sends packets. • Sink gets Y (Each column encoded with same transform T) • Now sink knows Tand can decode. “Small” rate-loss I X C packets TX T TX Y= Y

  8. Problems! Corrupted links Eavesdropped links Attacked/noisy links

  9. This talk • Errors • Types of errors/erasures • Random • Malicious • Types of solutions proffered • Error detection • Error correction • Tools • Information theory • Cryptography • Wiretappers/secrecy

  10. Random errors Corrupted links Noisy links [SYC06], [B02] Linkwise independent noise, Channel/network coding separable

  11. Random errors • Routers/relays have to do extra work • Not for malicious (packetwise) errors [SYC06], [B02] Linkwise independent noise, Channel/network coding separable GOAL: END-TO-END ERASURE/ERROR-DETECTION/CORRECTION

  12. Point-to-point Codes T Y X Y=TX+E Generator matrix Low-weight vector (Linear) Channel Code E

  13. Network Codes T Y X Y=TX+E =TX+TZZ TZ Network transform matrices Low-weight vector (Un)known Z

  14. Example (Coherent ECCs) C=3 Invertible with high probability 6 known scalars (“coherence”) n-length vectors (packets) ZO=1 3n known 4n known 4n unknown R = C - Zo X3=X1+X2 Redundancy added at source 2 3 1

  15. Example (Partially Coherent ECCs) Still invertible with high probability, regardless of adversarial location. C=3 3 known scalars (“partial coherence”) ZO=1 Basis from columns of R = C - Zo Network transform known, Adversarial location unknown [MU07,SK07,BZ08] (Fast implementations via Gaussian elimination)

  16. Incoherent?

  17. When stuck… • Useful abstraction/ • building block “ε-rate secret uncorrupted channels”

  18. Example 6 secret hashes of X C=3 non-linear ZO=1 4n+6 known 4n+6 unknown 4n known X3=X1+X2 Solve for

  19. Example 6 secret hashes of X C=3 Invertible with high probability ZO=1 4n+6 known 4n+6 unknown X3=X1+X2 Z=(0 z(2) z(3)… z(n))

  20. “Small” shared secret Theorem [JLKHHE07]: Rate C-ZO-ε achievable with ZI={E}, ε-rate secret uncorrupted channel

  21. Incoherent Example R = C – Zo - redundancy R = C – Zo R = C – 2Zo X3=X1+X2 2 3 1 1 3 1 1 Z=(0 z(2) z(3)… z(n)) Z=(0 0 0… 0) n more constraints added on X DX=0

  22. Omniscient adversary Theorem [JLKHHE07]: Rate C-2ZO-ε achievable with ZI={E}

  23. Partially omniscient adversary Theorem [JLKHHE07]: Rate C-ZO-ε achievable, if ZI+2ZO<C Theorem [JL07]: Rate C-ZO-ε achievable, if ZI+ZO<C ZI<C-2ZO ZI<R Algorithm 2 rate Information-theoretic Privacy Eavesdropping rate Using algorithm 2 for small header, can transmit secret, correct information… … which can be used for algorithm 1 decoding!

  24. Summary Optimal rates Poly-time Distributed Unknown topology End-to-end Rateless Information theoretically secure/private Wired/wireless

  25. A Fresh Approach Slide courtesy of Frank Kschischang

  26. Slide courtesy of Frank Kschischang

  27. Slide courtesy of Frank Kschischang

  28. Slide courtesy of Frank Kschischang

  29. Slide courtesy of Frank Kschischang

  30. Slide courtesy of Frank Kschischang

  31. Slide courtesy of Frank Kschischang

  32. Slide courtesy of Frank Kschischang

  33. Slide courtesy of Frank Kschischang

  34. Slide courtesy of Frank Kschischang

  35. Slide courtesy of Frank Kschischang

  36. Slide courtesy of Frank Kschischang

  37. Slide courtesy of Frank Kschischang

  38. Slide courtesy of Frank Kschischang

  39. Slide courtesy of Frank Kschischang

  40. Slide courtesy of Frank Kschischang

  41. Slide courtesy of Frank Kschischang

  42. Slide courtesy of Frank Kschischang

  43. Slide courtesy of Frank Kschischang

  44. Slide courtesy of Frank Kschischang

  45. Slide courtesy of Frank Kschischang

  46. Problem formulation • A source s wishes to send a large file to a group of peers, T. • View the data to be transmitted as vectors in n-dimensional vector space , where p is a prime. The source node augments these vector to given by where the first m elements are zero except the i-th one is 1, and . • Each packets received by a peer is a linear combination of all the pieces. Slide courtesy of Fang Zhao

  47. Signature for network coding • The vectors span a subspace V of . • A received packet is a valid linear combination if and only if it belongs to V. • Each node verifies the integrity of a received vector w by checking the membership of w in V. • Our approach has the following ingredients: • q: a large prime such that p is a divisor of q -1. • g: a generator of the group G of order p in . • Private key: , a random set of elements in . • Public key: . Slide courtesy of Fang Zhao

  48. Signature for network coding • The scheme works as follows: • The source finds a vector u that is orthogonal to all vectors in V. • The source computes vector . • The source signs x with some standard signature scheme and publishes it. • When a node receives a vector w and wants to verify that w is in V, it computes and verifies that d =1. Slide courtesy of Fang Zhao

  49. Discussion • It can be shown that it is as hard as the Discrete Logarithm problem to find new vectors that also satisfy the verification criterion other than those that are in V. • Overheads • Part of the public key Kpu has to be re-generated for each file, otherwise a malicious node can use the information from the previous file to crack the system. • Signature vector, x. Slide courtesy of Fang Zhao

  50. Discussion • If the file sizes are large, after the initial setup, each additional file distributed only incurs a negligible amount of overhead using our signature scheme. • Under our assumptions that • there is no secure side-channel to transfer hash values from the source to all the peer nodes, and; • all peers have full knowledge of the public information of the security scheme, our signature scheme has to be applied on the original file, not on hashes. Slide courtesy of Fang Zhao

More Related