Efficient Post-Quantum Secure Network Coding Signatures in the Standard Model

  • Xie, Dong (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications) ;
  • Peng, HaiPeng (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications) ;
  • Li, Lixiang (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications) ;
  • Yang, Yixian (Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications)
  • Received : 2015.10.11
  • Accepted : 2016.03.30
  • Published : 2016.05.31

Abstract

In contrast to traditional "store-and-forward" routing mechanisms, network coding offers an elegant solution for achieving maximum network throughput. The core idea is that intermediate network nodes linearly combine received data packets so that the destination nodes can decode the original files from some authenticated packets. Although network coding has many advantages, especially in wireless sensor networks and peer-to-peer networks, the encoding performed by intermediate nodes also introduces additional security issues. Against a powerful adversary who can control an arbitrary number of malicious network nodes and can eavesdrop on the entire network, cryptographic signature schemes provide undeniable authentication for network nodes. However, with the development of quantum technologies, existing network coding signature schemes based on traditional number-theoretic primitives are vulnerable to quantum cryptanalysis. In this paper we present an efficient network coding signature scheme in the standard model using lattice theory, which can be viewed as the most promising tool for designing post-quantum cryptographic protocols. In the security proof, we propose a new method for generating a random lattice together with a corresponding trapdoor, which may be used in other cryptographic protocols. Our scheme has many advantages, such as support for multi-source networks, low computational complexity and low communication overhead.

1. Introduction

The traditional manner of data transmission in a communication network is “store-and-forward”, i.e., every intermediate node acts as a repeater and performs no computation on the received data packets. In order to guarantee correct transmission of packets, every intermediate node needs to verify the integrity of a received packet before forwarding it. However, this multicast routing pattern does not achieve the optimal throughput. In 2000, Ahlswede et al. [1] proposed a brand-new method for achieving the optimal throughput in computer networks, called network coding. In a nutshell, network coding is a message-switching technique which simultaneously performs encoding and routing. The core idea is to allow intermediate nodes to perform a linear or nonlinear operation on some received packets and then forward the result to the downstream nodes. In addition to increasing network throughput, network coding also improves the robustness of the network. That is to say, even if a large fraction of packets are discarded in transmission, the destination nodes can still accurately recover the original files once they have received sufficiently many correct packets.

Although network coding has so many advantages, it is extremely vulnerable to pollution attacks by even a single malicious intermediate node. If there is no verification procedure for packets, a malicious node can modify received messages and forward them to its downstream nodes. This causes pollution to spread through the whole network, and the destination nodes can then no longer recover the original files. Up to now, all existing methods for solving this security issue can be categorized into two types: information-theoretic solutions [2][3][4] and cryptographic solutions [5][6]. Information-theoretic solutions add some redundant information to an original file, and the destination nodes can accurately reconstruct the file only when the proportion of modified messages in the whole file is sufficiently low. This restriction implies that information-theoretic solutions are only suitable for a relatively weak class of adversaries. In cryptographic solutions, the source nodes use cryptographic protocols, such as signature schemes and Message Authentication Codes (MACs), to generate additional verification information which is transmitted together with the original packets. However, standard signature schemes or MACs cannot be directly applied to the network coding setting, because the intermediate nodes do not simply “store-and-forward” but also need to perform operations on some received packets. Thus, with the standard cryptographic primitives mentioned above, the intermediate nodes cannot produce valid verification information for a combined packet. Since the related homomorphic schemes have the property that any intermediate node can produce valid verification information for the combined packet without knowing the private key, they are suitable for solving security issues in network coding no matter what kind of adversary they face.

1.1 Urgent Demand of Post-Quantum Cryptographic Schemes

There exist some network coding signature schemes based on traditional number-theoretic primitives, such as the discrete logarithm problem and the integer factorization problem. However, all of these traditional hard problems can be easily solved on a sufficiently large quantum computer running Shor’s algorithm [7][8]. Though currently existing quantum computers are too small to attack real cryptographic schemes, we must study post-quantum cryptographic schemes before this disaster comes. Hence, in the past ten years, post-quantum cryptography has become a hot research topic in the field of network security. As one of the most promising candidates, lattice-based cryptography has many advantages, described below:

• Resistance to quantum attacks: Unlike more widely used and known public key cryptography such as the RSA or Diffie-Hellman cryptosystems which are easily attacked by a quantum computer, some lattice-based cryptosystems appear to be resistant to attack by both classical and quantum computers.

• High efficiency: The operations of lattice-based cryptographic schemes can be extremely efficient and conceptually simple. It usually requires only linear matrix/vector arithmetic operations modulo some small primes. By contrast, the analogous operations in traditional number-theoretic cryptosystems are much more complex.

• Resistance to unforeseen structural attacks: Lattice-based cryptography connects the average-case complexity of hard lattice problems to their worst-case complexity [9] [10], which provides strong theoretical evidence that their random instances are indeed asymptotically hard. Notice that random instances of some number-theoretic hard problems may suffer from unforeseen structural attacks.

1.2 Related Work

From a cryptographic perspective, existing solutions for resisting malicious attacks in network coding systems can be divided into two categories: homomorphic hashes and homomorphic signatures. In the schemes of [11] and [12], the sender computes a homomorphic hash of each block of the file, and any intermediate node can verify whether a received packet is a linear combination of the original file. The drawback of this method is that both the public keys and the authentication information are large. Agrawal and Boneh [13] designed a keyed homomorphic hash function, i.e., a homomorphic MAC, which can be used to mitigate pollution attacks. Esfahani et al. [14] proposed a dual-homomorphic MAC for NC-enabled wireless sensor networks. Wang [15] pointed out some drawbacks of existing cryptographic protocols and proposed a secure and efficient homomorphic authentication scheme for secure network coding. Chen et al. [16] proposed an efficient symmetric-key based authentication scheme for P2P live streaming systems with network coding. In addition, there are some other related studies [17][18][19] on that topic. In the area of homomorphic signatures, Charles et al. [20] introduced a homomorphic signature scheme for network coding systems based on the discrete logarithm problem. The drawback of this scheme is that public/private key pairs must be updated when the next file is transmitted. Zhao et al. [21] presented a scheme in which the sender computes authentication information for a file, but their scheme only handles a single file at a time and both the authentication information and the public keys are large. The schemes in [20][21] cannot prevent inter-session pollution efficiently. Boneh et al. [5] proposed a homomorphic signature scheme in the random oracle model that can be viewed as authenticating linear subspaces. The public key of their scheme has constant size and their construction can directly handle the distribution of multiple files using a single public key (in contrast to [20][21]). Subsequently, Agrawal et al. [22] focused mainly on the integrity of packets in the setting of multi-source network coding, and presented a generic construction for this setting. Catalano et al. [23] introduced two homomorphic network coding signatures with security proofs in the standard model. Their schemes achieve communication and computational efficiency comparable to those of the random oracle implementation [5] and outperform the two related constructions [24][25]. Liu and Wang [26] proposed a novel homomorphic signature scheme using a dynamic public key technique, which not only resists intra-generation pollution attacks but also prevents inter-generation pollution attacks. Chen et al. [27] introduced an improved homomorphic signature scheme. Zhang et al. [31] presented a hybrid-key cryptographic method in which the source node produces a number of MACs and a signature for every transmitted message. There are also some other related research results in this direction, e.g., [28][29][30].

However, almost all of the above-mentioned linear homomorphic signature schemes for network coding systems (also known as network coding signature schemes) are based on traditional number-theoretic primitives (e.g., the discrete logarithm problem and the integer factorization problem). These constructions are vulnerable to quantum cryptanalysis [7][8]. As one of the most promising tools for designing cryptographic protocols resistant to quantum attacks, lattice theory has many advantages, as described in Section 1.1. Up to now, there are several lattice-based network coding signature schemes. Boneh and Freeman [32] presented a network coding signature scheme in the random oracle model based on the Small Integer Solution (SIS) problem. Unlike previous number-theoretic schemes, whose linear combination coefficients are chosen from a relatively large finite field, their scheme is the first one that authenticates vectors defined over the binary field. Wang et al. [33] designed an efficient lattice-based network coding signature scheme in the random oracle model, in which both the public key size and the signature size are shorter than those in [32]. Unfortunately, these two constructions only support single-source network coding systems. By improving [32], Zhang et al. [34] proposed a scheme which can support multi-source network coding settings. Recently, Jing [35] improved the scheme of [32] and constructed an efficient network coding signature scheme in the random oracle model for the multi-source case.

1.3 Our Contribution

However, we note that the lattice-based network coding signature schemes mentioned above are all proved secure only in the random oracle model. In this paper we propose an efficient post-quantum secure network coding signature scheme in the standard model. Specifically, our contributions consist of the following aspects:

(1) We present a lattice-based network coding signature scheme over the binary field in the standard model. Although some signature and encryption schemes can be proved secure in the random oracle model, such a proof does not cover a practical implementation [36]. The problem with the random oracle model is that it turns out to be very difficult to build a truly "random" oracle, and any concrete instantiation of the random oracle may result in an insecure scheme.

(2) We give a new sampling method for generating a random lattice and the corresponding short basis. The algorithm takes a random matrix B as input, and outputs a matrix C (with small norm), a random lattice Λ⊥(Α) and its short basis TA such that A = BC . As a matter of independent interest, the proposed sampling algorithm may be useful in many other lattice-based cryptographic constructions.

(3) In general, almost all existing lattice-based cryptosystems are time-consuming. Compared to schemes based on traditional number-theoretic primitives, our scheme has low computational complexity (requiring only linear matrix/vector arithmetic) when it generates the combined signature at each intermediate node. In addition, our scheme has low communication overhead compared to existing lattice-based network coding signature schemes.

1.4 Organization

Section 2 recalls some basic background knowledge, including the fundamentals of network coding, lattice theory and the formal definition of network coding signature scheme. Section 3 presents a new sampling algorithm used in our security proof, which may also be applied in other cryptographic protocols. Section 4 describes our scheme in detail and proves some important properties, including correctness, unforgeability, and privacy. Section 5 analyzes the efficiency of our scheme. Finally, we conclude this paper in Section 6.


2. Preliminaries

For any positive integer N, [N] denotes the set {1,2,⋯,N}. Let Fq denote the finite field of order q. Vectors are assumed to be in column form and are written using bold lower-case letters (e.g. x). Similarly, we use bold capital letters (e.g. A) to represent matrices. Given two matrices A1 and A2, we use [A1║A2] to denote the n×(m1 + m2) matrix formed by concatenating A1 and A2. For a matrix A, we use ║A║ to denote the maximum norm of the column vectors ai of the matrix, i.e., ║A║ = maxi∈[m]{║ai║}. If the column vectors of A are linearly independent, let denote the Gram-Schmidt orthogonalization of the vectors a1,⋯,am taken in that order.

2.1 Network Coding

The concept of network coding was initially proposed by Ahlswede et al. [1]. Without loss of generality, we just recall the fundamentals of the single source network coding here [5] [22]. A file is represented by an ordered sequence of r -dimensional vectors is a block of the file and q is a prime. Prior to transmission, the source node S creates the augmented vectors v1, v2,⋯, vk given by:

Namely, the augmented vector vi is formed by appending the i-th column of the k-dimensional identity matrix. Then S sends {vi}i∈[k] to some intermediate nodes.

Fig. 2 shows the encoding process of an intermediate node when it receives l packets. It first chooses l weight coefficients αi ∈ {0,1} uniformly at random and computes the output . When any destination node receives k linearly independent vectors w1, w2,⋯,wk, it can accurately recover the original file using Gaussian elimination. Specifically, let αij be the j-th weight coefficient of node i. It is easy to see that each packet transmitted in the network can be viewed as a linear combination of the augmented vectors vi, i.e.,

Fig. 1. The common topology of a single-source multicast network system.

Fig. 2. The encoding process of each intermediate node.

Thus, the destination nodes can recover the original file through the above linear equation. We stress that the dimension of the augmented part should be small, because the augmented data increases the communication overhead and the destination nodes need only a small number of packets to recover the original files.
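As an added illustration (not part of the paper), the following Python code walks through the single-source encoding just described: the source augments k blocks with unit vectors, a relay forwards 0/1 combinations, and the destination recovers the file by Gaussian elimination over F2 once it holds k linearly independent packets. The blocks and the relay coefficients are constructed for the example. The last function shows the pollution attack of the Introduction: one relay flips a single data bit, the coefficient part of the packet stays valid-looking, and the corrupted bit spreads into two of the three decoded blocks, which is exactly what the signatures of Section 4 are meant to detect.

```python
"""Single-source linear network coding over F_2 (added example, not the paper's code).

Packets are lists of bits: r data bits followed by k coefficient bits (the
augmentation of Section 2.1). All inputs below are constructed for the example.
"""
import random


def augment(blocks):
    """Source step: append the i-th unit vector of the k x k identity to block i."""
    k = len(blocks)
    return [list(blk) + [int(j == i) for j in range(k)] for i, blk in enumerate(blocks)]


def combine(packets, coeffs):
    """Intermediate-node step: XOR together the packets whose coefficient is 1."""
    out = [0] * len(packets[0])
    for a, p in zip(coeffs, packets):
        if a:
            out = [x ^ y for x, y in zip(out, p)]
    return out


def random_combine(packets, rng=random):
    """Network-coding relay: pick coefficients alpha_i in {0,1} uniformly at random."""
    coeffs = [rng.randint(0, 1) for _ in packets]
    if not any(coeffs):
        coeffs[0] = 1          # never emit the all-zero packet
    return combine(packets, coeffs)


def decode(received, k, r):
    """Destination step: Gaussian elimination over F_2.

    Columns r..r+k-1 of each packet hold its coefficient vector; the first r
    columns hold the data and are carried along as the right-hand side.
    Returns the k original blocks, or None if the packets do not span F_2^k.
    """
    rows = [list(p) for p in received]
    used = [False] * len(rows)
    pivots = []
    for col in range(r, r + k):
        piv = next((i for i, row in enumerate(rows) if not used[i] and row[col]), None)
        if piv is None:
            return None        # rank deficient: wait for more packets
        used[piv] = True
        pivots.append(piv)
        for i, row in enumerate(rows):
            if i != piv and row[col]:
                rows[i] = [x ^ y for x, y in zip(row, rows[piv])]
    # After full reduction the pivot row for column r+i carries e_i, so its
    # data part is exactly block i.
    return [rows[p][:r] for p in pivots]


# Constructed file: k = 3 blocks of r = 4 bits each.
BLOCKS = [[1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 1]]


def relay_packets():
    """Fixed relay outputs: v1+v2, v2+v3, v1+v2+v3, and a second relay's (v1+v2)+(v2+v3)."""
    v = augment(BLOCKS)
    p1 = combine(v, [1, 1, 0])
    p2 = combine(v, [0, 1, 1])
    p3 = combine(v, [1, 1, 1])
    p4 = combine([p1, p2], [1, 1])   # downstream relay re-combines received packets
    return [p1, p2, p3, p4]


def honest_decode():
    """Four packets of rank 3 are enough: the destination recovers BLOCKS."""
    return decode(relay_packets(), k=3, r=4)


def polluted_decode():
    """A malicious relay flips one data bit of the first packet. Its coefficient
    vector is untouched, so without a signature the destination cannot tell,
    and the flipped bit propagates into every decoded block that used p1."""
    pkts = relay_packets()
    pkts[0][0] ^= 1
    return decode(pkts, k=3, r=4)
```

`honest_decode()` returns the three original blocks; `polluted_decode()` returns blocks 2 and 3 with their first bit flipped, because the elimination expresses them as p1+p2+p3 and p1+p3, both of which include the polluted packet. `random_combine` is the randomized relay of Fig. 2 and can replace the fixed coefficients in `relay_packets` for experiments.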

2.2 Lattice and Hard Assumption

Informally, an m-dimensional lattice is a set of points in Rm with a periodic structure. It can also be viewed as an additive subgroup of Rm. Let B = {b1, b2,⋯, bn} be a set of n linearly independent vectors in Rm. The lattice ∧(B) is the set of all integer linear combinations of these vectors, i.e., . We say that B is a basis for ∧(B), and the positive integers n and m are the rank and dimension of the lattice respectively. If m = n, we say the lattice is full-rank. In lattice-based cryptography, we always focus on integer lattices, whose points are contained in Zm. For positive integers n, m (≥ n) and q ≥ 2, let be a matrix. The two kinds of random lattice related to A are defined as follows:

In fact, the lattice is a coset of ∧⊥(Α). That is to say, , where the vector t satisfies A · t = u mod q.

For any real s > 0 and vector c ∈ Rn, the n-dimensional Gaussian function ρs,c(x) on Rn centered at c with parameter s is defined as ρs,c(x) = exp(-π║x-c║2/s2), where x is an n-dimensional vector in Rn. For an n-dimensional lattice ∧, the discrete Gaussian distribution is defined as D∧,s,c(x) = ρs,c(x)/ρs,c(∧), where x is a vector in ∧. We omit c and s when they are 0 and 1, respectively. For a positive real ε > 0, the smoothing parameter ηε(∧) is the smallest real s such that ρ1/s(∧*╲{0}) ≤ ε, where ∧* is the dual lattice of ∧, defined by ∧* = {z ∈ Rm | ∀y ∈ ∧, 〈z, y〉 ∈ Z}.

Some advanced lattice-based cryptographic constructions require generating a matrix A (statistically close to uniform distribution) together with a short basis of the lattice ∧⊥(Α). Next, we state some important lemmas that will be used in our paper.

Lemma 1 ([38]). There exists a Probabilistic Polynomial Time (PPT) algorithm TrapGen(1n, 1m, q) that, on input positive integers n, q, and m ≥ 6n log q, outputs a matrix statistically close to uniform over and a basis T ∈ Zm×m of the lattice ∧⊥(Α) such that with overwhelming probability.

Lemma 2 ([38]). Given a basis T of an m-dimensional lattice ∧, a parameter , and a vector c ∈ Rm, there is a PPT algorithm that outputs a sample from a distribution that is statistically close to D∧,s,c.

Lemma 3 ([38]). Let n, q ≥ 2, m > 2n log q be three positive integers. For a random matrix , let T be a basis of ∧⊥(Α) and . Then,

(1) Given a vector v ∈ Zn , there is a PPT algorithm SamplePre(A, T, s , v) that outputs a sample u from a distribution that is statistically close to and u satisfies with overwhelming probability.

(2) For any t ← DZm,s, the distribution of the syndrome u = A · t mod q is statistically close to uniform over .

Lemma 4 ([35] [39]). Let T ∈ Zm×m be an arbitrary basis of the lattice ∧⊥(Α) for a random matrix , let be an additional matrix, and let the parameter . Then

(1) There is a deterministic polynomial time algorithm ExtBasis(T,B = A║A') that outputs a new short basis T' of the lattice ∧⊥(B) such that

(2) There is a PPT algorithm RandBasis(T, s ) that outputs another short basis T' of the lattice ∧⊥(Α) , which is independent of the original basis T and is still short.

Lemma 5 ([32]). Let ∧ ⊆ Zm be a lattice and s ∈ R be a parameter. For i = 1,2,⋯,k, let ti ∈ Zm and let Xi be mutually independent random variables sampled from D∧+ti,s. Let c = (c1,⋯, ck) ∈ Zk and define g = gcd(c1,⋯, ck), . If s > ║c║‧ηε(∧) for some negligible ε, then is statistically close to Dg∧+t,║c║s.

Similar to existing lattice-based network coding signature schemes, the security of our scheme is also based on the problem of finding short vectors in ∧⊥(Α) for a random matrix A. This is known as the Small Integer Solution (SIS) problem, and is defined as follows.

Definition 1 ([32][33]). Given positive integers n, m, q, a real constant β and a random matrix , the SISq,m,β problem is to find a nonzero vector u ∈ Zm such that A · u = 0 mod q and ║u║ ≤ β.

2.3 Network Coding Signature Scheme

In this subsection we first describe the formal definition of a general network coding signature scheme, and then provide two security games related to unforgeability and privacy. For convenience, every original file, represented by a set of block vectors, is associated with an identifier [32] [35]. We stipulate that the intermediate nodes in the network only combine block vectors tagged with the same identifier. We adapt the model of [32] and consider the multi-source case. Throughout this paper, let n be the security parameter and L ≥ 1 be the maximum number of linear combinations that can be authenticated. There is a trusted Private Key Generator (PKG), which distributes public/private key pairs to the source nodes. A network coding signature scheme is a tuple of polynomial time algorithms Π = (KeyGen, Sign, Com, Verify) with the following syntax.

• KeyGen(1n , L). This PPT algorithm takes the security parameter n and L as inputs. It outputs a public/private key pair (pki, ski) for the source node i . (This is run by the PKG.)

• Sign(id, vi, ski). For the i-th source node, this PPT algorithm takes as input the identifier id ∈ {0,1}n, a message vi and the secret key , and outputs a signature δi. (This is run by the source nodes.)

• Com. This PPT algorithm takes as input the public keys of all source nodes, an identifier id, and l (≤ L) message/signature pairs . It outputs a combined signature δ on the combined message . (This is run by the intermediate nodes.)

• Verify. This deterministic algorithm takes as input the public keys of all source nodes, an identifier id, a message v and a signature δ, and outputs either 0 (reject) or 1 (accept). (This is run by the intermediate nodes and destination nodes.)

For correctness, we require that both the original signatures (generated by Sign) and the combined signatures (generated by Com) are accepted. Specifically, we require that the following two conditions hold:

1. For all id and vi , if δi ← Sign( id , vi , ski) then

2. For all id and all sets of triples , if it holds that for all i , then

For the security of network coding signature schemes, we also consider the unforgeability and the privacy of combined signatures [32][35]. For unforgeability, the security model allows an adversary to make adaptive signature queries on files of his choice, but he must query all the blocks of a file at once. Formally, we give the definition of existential unforgeability of network coding signatures under chosen file attacks.

Definition 2 ([5][32]). A network coding signature scheme Π = (KeyGen, Sign, Com, Verify) is unforgeable if the advantage of any PPT adversary in the following security game is negligible in the security parameter n:

• The challenger runs KeyGen(1n , L) to get (pki, ski) , and gives pki to the adversary.

• Proceeding adaptively, the adversary specifies a sequence of signature queries on files represented by Vi = {vi1, vi2,⋯, vik}. For each file Vi, the challenger chooses idi uniformly from {0,1}n and gives the adversary the identifier idi and the j-th signature δij ← Sign(idi, vij, ski) for j = 1,2,⋯,k.

• The adversary outputs an identifier id* , a new message v* , and a signature δ* .

If , then the adversary wins the game. In fact, there are two types of forgers: one with id* ≠ idi for all queried i, and the other with id* = idi for some index i but v* not a linear combination of the message blocks vi1, vi2,⋯, vik.

The definition of privacy for network coding signatures captures the idea that, given signatures on a number of combined messages from one of two different files, the adversary cannot tell which file the combined signatures came from, even if the adversary knows the secret keys. This property is called weakly context hiding and was introduced in [32] for the single-source case. Next we give the formal definition for the multi-source setting.

Definition 3 ([32]). A network coding signature scheme Π = (KeyGen, Sign, Com, Verify) is weakly context hiding if the advantage of any PPT adversary in the following security game is negligible in the security parameter n:

• The challenger runs KeyGen(1n , L) to get (pki, ski) , and gives pki and ski to the adversary.

• The adversary outputs (V0, V1, f1, f2,⋯, fk), where Vb is represented by a vector set for b = 0,1. The functions f1, f2,⋯, fk satisfy for i = 1,⋯, k. In response, the challenger generates a random bit b ∈ {0,1} and a random identifier id ∈ {0,1}n, and signs using the corresponding private key ski. Subsequently, the challenger uses Com to derive signatures δi on and sends δ1, δ2,⋯, δk to the adversary. The functions f1, f2,⋯, fk may be output adaptively after V0, V1 are output.

• The adversary outputs a bit b' .

If b = b' , the adversary wins the game. The advantage of the adversary is defined as the probability that the adversary wins the game.


3. A New Trapdoor Sampling Algorithm

We present a new trapdoor sampling algorithm in this section. Our construction is very similar to that of SuperSamp in [40], which samples a random superlattice with a short basis. In our construction, the algorithm takes a random matrix as input, and outputs a matrix , a matrix and a short basis T ∈ Zm×m of the lattice ∧⊥(A), where A = BC mod q and . Next, we state our theorem.

Theorem 1. There is a PPT algorithm ProductSamp that, on input 1n, 1m, q ≥ 2 with m = O(n log q), and a random matrix , outputs a pair such that (1) A = BC mod q; (2) A is statistically close to uniform over ; (3) T is a short basis of the lattice

Proof. Let B = [B1║B2], where . Without loss of generality, we assume that B2 is invertible. In fact, such a decomposition can be found with overwhelming probability if we permute the columns of B. Algorithm ProductSamp works as follows:

(1) Let B1 = [B11║B12], where B11 is the first square matrix of B1 and . Compute (A1, T1) ← TrapGen(1n, 1m-n, q) and let A2 be B11. Since B2 is invertible, the matrix C can be computed as

(2) Compute the short basis T ← ExtBasis(T1, A). Output A, T and C.

Now, we prove that this algorithm satisfies the required properties above. First,

Thus,

A is statistically close to uniform over because Α1 is statistically close to uniform over and B is a random matrix (Lemma 1). (3) and (4) follow directly from Lemma 4. (5) holds because every entry of the matrix C is not larger than q. This completes the proof.


4. Our Network Coding Signature Scheme

In this section we present our lattice-based network coding signature scheme in the standard model. Our scheme achieves the desired properties of correctness, unforgeability and privacy. In our scheme, n is the security parameter. Let L ≥ 1 be the maximum number of linear combinations and the maximum number of source nodes. Suppose that the augmented message blocks transmitted in the network are represented by n-dimensional binary vectors. We set the Gaussian parameter . We now give the scheme in detail:

• KeyGen(1n , L). The algorithm takes the security parameter n and L as inputs:

(1) Choose parameters m and q, where m = O(n log q) and q = poly(n).

(2) Sample a random matrix and its corresponding trapdoor short basis T1 ∈ Zm×m using the TrapGen algorithm.

(3) Generate L - 1 independent short bases Ti (1 < i ≤ L) of the lattice ∧⊥(A) using the RandBasis algorithm.

(4) Choose a random matrix

Let (A, Ti) be the public/private key pair of the i-th source node. Output the common public keys A and B, and send Ti to the i-th source node secretly.

• Sign(id, vi, Ti). For the i-th source node, the algorithm takes an identifier id ∈ {0,1}n, a message and the secret key Ti as inputs:

(1) For i = 1,2,⋯, n, let hi = id║00⋯00║BitString(i) ∈ {0,1}m, where the number of ‘0’s inserted before BitString(i) is m - n - ⌈log n⌉ and BitString(i) ∈ {0,1}⌈log n⌉ is the binary representation of i.

(2) Let . Output the signature δi ← SamplePre(A, Ti, s, BHvi).

• Com. The algorithm takes the public keys A and B, an identifier id and l (≤ L) message/signature pairs tagged with the same identifier id as inputs:

(1) Choose l encoding coefficients

(2) Output the combined signature on the message

• Verify(A, B, id, v, δ). This algorithm takes the public keys A and B, an identifier id, a message v and a signature δ as inputs:

(1) Check that Aδ = BHv mod q and

(2) Output 1 (accept) if and only if the above two conditions hold. Otherwise, output 0 (reject).

4.1 Correctness

Since the parameter , the two important algorithms SamplePre and RandBasis in our scheme work correctly with overwhelming probability by Lemma 2 and Lemma 4. By Lemma 3, the signatures produced by the Sign algorithm are clearly accepted by the Verify algorithm. If the signatures are generated by the Com algorithm, we have

Thus, they are also accepted by the Verify algorithm.

4.2 Unforgeability

Here we show the existential unforgeability of our lattice-based network coding signature scheme under chosen file attacks. Given an adversary that breaks our proposed signature scheme, we construct a challenger that simulates the signature scheme and solves the SIS problem.

Theorem 2. If there is a PPT adversary that can win the security game defined in Definition 2 with advantage ε, then there is a challenger that can solve the SISq,m,β problem with the same advantage, where

Proof. Suppose that there is a PPT adversary that wins the game of existential unforgeability with advantage ε. Our aim is to construct a challenger that takes a random instance of the SIS problem as input and outputs a nonzero vector u such that Bu = 0 mod q and ║u║ ≤ β. The simulation proceeds as follows:

• The challenger computes (A, T1, C) ← ProductSamp(1n, 1m, q, B), Ti ← RandBasis(T1, s) and outputs the public keys A and B.

• The adversary adaptively makes a polynomial (in n) number of queries. For the i-th query, he chooses a file represented by k vectors , and the challenger does the following:

(1) Choose a random idi from {0,1}n .

(2) Compute the hi and H according to the Sign algorithm.

(3) Output the signature δij using the algorithm SamplePre(A, Ti , s , BHvij).

(4) Collect the signed data {δij}j∈[k] and send it to the adversary.

• Eventually the adversary outputs an identifier id* , a non-zero vector v* , and a signature δ* .

In fact, the distribution of the challenger’s outputs is statistically indistinguishable from the distribution of the outputs in the real signature scheme. In the real scheme, the public key A is sampled by the algorithm TrapGen and B is chosen uniformly at random. In the simulation, A is the output of the algorithm ProductSamp and B is a random instance of the SIS problem. From the result in Section 3, we know that the distribution of the public keys (A, B) is statistically indistinguishable between the real and simulated executions. In addition, the output distributions of the signatures in both executions are statistically indistinguishable because all signatures are generated by the algorithm SamplePre using a trapdoor short basis of ∧⊥(A).

If the adversary outputs a forgery (v*, δ*) for the identifier id*, we can obtain a solution to the SIS problem for the random instance . The forgeries can be divided into the following two classes:

(1) id* ≠ idi for all queried i, i.e., the adversary never made signature queries for any message block tagged with the identifier id*. Naturally we have Aδ* = BH*v* mod q. From Theorem 1, we obtain that B(Cδ* - H*v*) = 0 mod q, where is generated from the identifier id* using the same method as in the Sign algorithm.

Let u = Cδ* - H*v* . Obviously, we have

and

Similar to previous lattice-based network coding schemes [32] [33], we can obtain that u ≠ 0 with overwhelming probability.

(2) id* = idi for some index i but v* is not a linear combination of vi1, vi2,⋯, vik. We have Aδ* = BH*v* mod q. Since the adversary has requested the signatures of the L vectors vi1, vi2,⋯, vik, the challenger can output a combined signature δ on the combined message v. Thus, we also have Aδ = BHiv mod q, where Hi = H* because id* = idi. Hence,

Let u = C(δ* - δ) - H*(v* - v) . Obviously, we have

and

From [32] [33], we also can obtain that u ≠ 0 with overwhelming probability.

4.3 Privacy

In order to guarantee the privacy of signed packets in our scheme, we also consider the property of weak context hiding. Every intermediate node generates a combined signature δ on a combined message v using the Com algorithm when it receives l message/signature pairs (vi, δi)i∈[l]. Weak context hiding means that the combined signature does not leak any information about v1, v2,⋯, vl beyond what is revealed by v.

Theorem 3. Our network coding signature scheme Π = (KeyGen, Sign, Com, Verify) is weakly context hiding.

Proof. In the privacy game, suppose that the challenger runs the algorithm KeyGen to obtain the common public key A and all private keys {Ti}i∈[L] and gives them to the adversary. Let (V0, V1, f1, f2,⋯,fk) be the adversary's output in the challenge phase, where for b = 0,1. Let for all i = 1,2,⋯, k. For j = 1,2,⋯, k, let be the challenger's signature on the message . For i = 1,2,⋯, k, let be the combined signature on ci computed by applying the Com algorithm to the signature and the function fi. The challenger chooses a random bit b and gives the adversary the signatures

Suppose b = 0. By the definition of the algorithm Sign, every signature is generated from a distribution statistically close to Dtj+∧⊥(A),s, and these signatures are mutually independent, where tj ∈ Zm is an arbitrary solution to Atj = BHvj mod q. Therefore, by Lemma 5 the combined signature is statistically close to Dt+g∧⊥(A),║c║s, where and g = gcd(c1, c2,⋯, ck). Since the same holds for b = 1, the distributions of are statistically close. Consequently, the advantage of any PPT adversary in the privacy game defined in Section 2.3 is negligible.

Note that in our scheme we set . Since c is a 0/1 vector and for some negligible ε [35][38], we have s ≥ ║c║ηε(∧⊥(A)), so the condition of Lemma 5 holds. This completes the proof.


5. Efficiency

On the one hand, we compare our scheme with previous lattice-based network coding signature schemes [32-35] in terms of security model, multi-source support, public key size, signature length and signing cost. In the Sign algorithm, source nodes mainly use three time-consuming algorithms: SamplePre, ExtBasis and RandBasis. For convenience, we denote the time cost of one run of SamplePre, one run of ExtBasis and one run of RandBasis by Tsp, Teb and Trb, respectively. Because the length of id is the same in each scheme, we omit it from the comparison of signature lengths. The Com and Verify algorithms mainly involve simple addition and multiplication operations over a finite field, so each intermediate node in our scheme has low computational complexity; by contrast, intermediate nodes in number-theoretic secure network coding protocols require more complex operations. Table 1 shows that, compared to the related schemes, our scheme has low communication overhead: the signature size in our scheme is the smallest of the five schemes. However, in order to obtain a secure network coding scheme in the standard model, the public key size of our scheme is two times that of [33] [34] [35]. Although the signing cost is higher than in Wang's scheme [33], our scheme is secure in the standard model. In addition, our scheme supports multi-source network systems. Thus, from the perspective of communication overhead and computational complexity, our scheme is competitive.

Table 1. Comparison of existing lattice-based network coding signature schemes

On the other hand, we compare our lattice-based scheme with some typical schemes based on number-theoretic assumptions in terms of communication overhead and computational complexity. We use a desktop with an 8-core Intel(R) Core(TM) i7-4770 processor running at 3.40 GHz and 8 GB of RAM. Let CN be the maximal number of compromised nodes that the network system can tolerate and N be the number of nodes in the network. Agrawal et al. [13] proposed a homomorphic MAC for checking the integrity of network coded data, whose key distribution protocol is based on the cover-free family constructed from polynomials [42]. In their scheme, the source node holds t² keys for generating tags and each intermediate node holds t keys for verification. From [42], we know that CN, N and t must satisfy t - 1 ≥ CN·⌈log_t N⌉. Since usually N ≥ t, this gives t ≥ CN + 1. In order to minimize the communication overhead, we set t = CN + 1 in our simulations. Esfahani et al. [14] presented a dual-homomorphic MAC for network coding-enabled wireless sensor networks. Zhang et al. [31] proposed a hybrid-key cryptographic approach to network coding authentication, called the MacSig scheme. We assume that the seeds used in [14] and [31] are 500 bits long. All other relevant parameters in our experiments are the same as in the three schemes mentioned above. In our scheme, we set n = 200 and m = 500. Note that in practical network coding settings the order of the finite field is 2^8 or 2^16, so we consider these two cases. Fig. 3 shows the comparison of communication overhead and Table 2 shows the computational complexity of each intermediate node. From Fig. 3 we can see that when the number of compromised nodes is larger than 20, the signature length of each data packet in our scheme is the shortest. The size of the keys distributed to each source node in our scheme is smaller than in [31] and very similar to that in [13] and [14]. In addition, our scheme does not distribute any private key to intermediate nodes. Moreover, the signature length and the private keys distributed to source nodes or intermediate nodes are not influenced by the number of compromised nodes. In Table 2, we measure the time each intermediate node spends processing data packets, including the verification time and the combination time. This experiment was performed 1000 times and the average value was taken. Because the verification procedure in [31] requires modular exponentiation, its time overhead is huge when the modulus q is very large. In summary, from an experimental point of view, our proposed scheme is competitive compared to number-theoretic schemes for secure network coding.

Fig. 3. The comparison of communication overhead between some existing schemes based on number-theoretic assumptions and our lattice-based scheme.

Table 2. The operation time of each intermediate node.


6. Conclusion

In this work, we propose a lattice-based network coding signature scheme in the standard model. In order to prove its security, we introduce a new trapdoor sampling method, ProductSamp, for generating a random lattice together with a corresponding short basis, which may also be useful in many other cryptographic protocols. In fact, our scheme achieves existential unforgeability under full chosen-message attacks [41], where the adversary can make adaptive queries on individual message blocks within a given file, possibly even interleaving those queries across several files.

Although our scheme protects multi-source network systems from pollution attacks, there is still much work to be done to improve its capabilities. Note that ideal lattices can be used to decrease the public key size, and our future work mainly focuses on designing network coding signature schemes using that technique.

References

  1. R. Ahlswede, N. Cai, S.-Y. R. Li, and R. W. Yeung, "Network information flow," IEEE Transactions on Information Theory, vol. 46, no. 4, pp. 1204-1216, July 2000. https://doi.org/10.1109/18.850663
  2. J. Feldman, T. Malkin, C. Stein, and R. A. Servedio, "On the capacity of secure network coding," in Proc. of 42nd Annual Allerton Conference on Communication, Control, and Computing, pp. 63-68, September 29-October 1, 2004.
  3. S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, and M. Médard, "Resilient network coding in the presence of byzantine adversaries," in Proc. of IEEE Conf. on Computer Communications, pp. 616-624, May 6-12, 2007.
  4. T. Ho, B. Leong, R. Koetter, M. Médard, M. Effros, and D. R. Karger, "Byzantine modification detection in multicast networks with random network coding," IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2798-2803, June 2008. https://doi.org/10.1109/TIT.2008.921894
  5. D. Boneh, D. Freeman, J. Katz, and B. Waters, "Signing a linear subspace: Signature schemes for network coding," in Proc. of 12th International Conference on Practice and Theory in Public Key Cryptography, pp. 68-87, March 18-20, 2009.
  6. D. Catalano, D. Fiore, and B. Warinschi, "Efficient network coding signatures in the standard model," in Proc. of 15th International Conference on Practice and Theory in Public Key Cryptography, pp. 680-696, May 21-23, 2012.
  7. P. W. Shor, "Algorithms for quantum computation: discrete logarithms and factoring," in Proc. of 35th Annual Symposium on Foundations of Computer Science, pp. 124-134, November 20-22, 1994.
  8. P. W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, October 1997. https://doi.org/10.1137/S0097539795293172
  9. M. Ajtai, "Generating hard instances of lattice problems," in Proc. of 28th Annual ACM Symposium on Theory of Computing, pp. 99-108, May 22-24, 1996.
  10. D. Micciancio and O. Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM Journal on Computing, vol. 37, no. 1, pp. 267-302, February 2007. https://doi.org/10.1137/S0097539705447360
  11. C. Gkantsidis and P. R. Rodriguez, "Network coding for large scale content distribution," in Proc. of 24th Annual Joint Conference of the IEEE Computer and Communications Societies, pp. 2235-2245, March 13-17, 2005.
  12. M. N. Krohn, M. J. Freedman, and D. Mazieres, "On-the-fly verification of rateless erasure codes for efficient content distribution," in Proc. of IEEE Symposium on Security and Privacy, pp. 226-240, May 9-12, 2004.
  13. S. Agrawal and D. Boneh, "Homomorphic MACs: MAC-based integrity for network coding," in Proc. of 7th International Conference on Applied Cryptography and Network Security, pp. 292-305, June 2-5, 2009.
  14. A. Nascimento and J. Rodriguez, "Dual-homomorphic message authentication code scheme for network coding-enabled wireless sensor networks," International Journal of Distributed Sensor Networks, vol. 2015, Article ID 510251, 2015.
  15. Y. Wang, "Insecure 'provably secure network coding' and homomorphic authentication schemes for network coding," IACR Cryptology ePrint Archive, 60, 2010.
  16. C. Cheng, T. Jiang, and Q. Zhang, "TESLA-based homomorphic MAC for authentication in P2P system for live streaming with network coding," IEEE Journal on Selected Areas in Communications, vol. 31, no. 9, pp. 291-298, September 2013. https://doi.org/10.1109/JSAC.2013.SUP.0513026
  17. A. Esfahani, D. Yang, G. Mantas, A. Nascimento, and J. Rodriguez, "An improved homomorphic message authentication code scheme for RLNC-enabled wireless networks," in Proc. of 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), pp. 80-84, December 1-3, 2014.
  18. A. Esfahani, A. Nascimento, J. Rodriguez, and J. C. Neves, "An efficient MAC-signature scheme for authentication in XOR network coding," in Proc. of 9th IEEE Symposium on Computers and Communication (ISCC), pp. 1-5, June 23-26, 2014.
  19. W. Wang and L. Hu, "A generic homomorphic MAC construction for authentication in network coding," Security and Communication Networks, vol. 7, no. 2, pp. 429-433, February 2014. https://doi.org/10.1002/sec.847
  20. D. Charles, K. Jain, and K. Lauter, "Signatures for network coding," International Journal of Information and Coding Theory, vol. 1, no. 1, pp. 3-14, February 2009. https://doi.org/10.1504/IJICOT.2009.024044
  21. F. Zhao, T. Kalker, M. Médard, and K. J. Han, "Signatures for content distribution with network coding," in Proc. of IEEE International Symposium on Information Theory, pp. 556-560, June 24-29, 2007.
  22. S. Agrawal, D. Boneh, X. Boyen, and D. M. Freeman, "Preventing pollution attacks in multi-source network coding," in Proc. of 13th International Conference on Practice and Theory in Public Key Cryptography, pp. 161-176, May 26-28, 2010.
  23. D. Catalano, D. Fiore, and B. Warinschi, "Efficient network coding signatures in the standard model," in Proc. of 15th International Conference on Practice and Theory in Public Key Cryptography, pp. 680-696, May 21-23, 2012.
  24. N. Attrapadung and B. Libert, "Homomorphic network coding signatures in the standard model," in Proc. of 14th International Workshop on Theory and Practice in Public Key Cryptography, pp. 17-34, March 6-9, 2011.
  25. D. Catalano, D. Fiore, and B. Warinschi, "Adaptive pseudo-free groups and applications," in Proc. of Advances in Cryptology-EUROCRYPT 2011, pp. 207-223, May 15-19, 2011.
  26. G. Liu and B. Wang, "Secure network coding against intra/inter-generation pollution attacks," Communications, China, vol. 10, no. 8, pp. 100-110, August 2013. https://doi.org/10.1109/CC.2013.6633749
  27. C. Cheng, T. Jiang, Y. Liu, and M. Zhang, "Security analysis of a homomorphic signature scheme for network coding," Security and Communication Networks, vol. 8, no. 18, pp. 4053-4060, December 2015. https://doi.org/10.1002/sec.1321
  28. H. He, R. Li, Z. Xu, and W. Xiao, "An efficient ECC-based mechanism for securing network coding-based P2P content distribution," Peer-to-Peer Networking and Applications, vol. 7, no. 4, pp. 572-589, December 2014. https://doi.org/10.1007/s12083-013-0239-x
  29. X. Wu, Y. Xu, C. Yuen, and L. Xiang, "A tag encoding scheme against pollution attack to linear network coding," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 1, pp. 33-42, January 2014. https://doi.org/10.1109/TPDS.2013.19
  30. Y. Zou, J. Zhu, L. Yang, Y. C. Liang, and Y. D. Yao, "Securing physical-layer communications for cognitive radio networks," IEEE Communications Magazine, vol. 53, no. 9, pp. 48-54, September 2015. https://doi.org/10.1109/MCOM.2015.7263345
  31. P. Zhang, Y. Jiang, C. Lin, H. Yao, A. Wasef, and X. S. Shen, "Padding for orthogonality: Efficient subspace authentication for network coding," in Proc. of the 30th IEEE International Conference on Computer Communications, pp. 1026-1034, April 2011.
  32. D. Boneh and D. M. Freeman, "Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures," in Proc. of 14th International Workshop on Theory and Practice in Public Key Cryptography, pp. 1-16, March 6-9, 2011.
  33. F. Wang, Y. Hu, and B. Wang, "Lattice-based linearly homomorphic signature scheme over binary field," SCIENCE CHINA: Information Sciences, vol. 56, no. 11, pp. 234-242, November 2013.
  34. P. Zhang, J. Yu, and T. Wang, "A homomorphic aggregate signature scheme based on lattice," Chinese Journal of Electronics, vol. 21, no. 4, pp. 701-704, October 2012.
  35. Z. Jing, "An efficient homomorphic aggregate signature scheme based on lattice," Mathematical Problems in Engineering, vol. 2014, pp. 1-9, 2014.
  36. R. Canetti, O. Goldreich, and S. Halevi, "The random oracle methodology, revisited," Journal of the ACM, vol. 51, no. 4, pp. 557-594, July 2004. https://doi.org/10.1145/1008731.1008734
  37. J. Alwen and C. Peikert, "Generating shorter bases for hard random lattices," Theory of Computing Systems, vol. 48, no. 3, pp. 535-553, April 2011. https://doi.org/10.1007/s00224-010-9278-3
  38. C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in Proc. of the 40th Annual ACM Symposium on Theory of Computing, pp. 197-206, May 17-20, 2008.
  39. D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, "Bonsai trees, or how to delegate a lattice basis," Journal of Cryptology, vol. 25, no. 4, pp. 601-639, October 2012. https://doi.org/10.1007/s00145-011-9105-2
  40. S. D. Gordon, J. Katz, and V. Vaikuntanathan, "A group signature scheme from lattice assumptions," in Proc. of Advances in Cryptology-ASIACRYPT, pp. 395-412, December 5-9, 2010.
  41. X. Boyen, X. Fan, and E. Shi, "Adaptively secure fully homomorphic signatures based on lattices," IACR Cryptology ePrint Archive, 916, 2014.
  42. R. Kumar, S. Rajagopalan, and A. Sahai, "Coding constructions for blacklisting problems without computational assumptions," in Proc. of Advances in Cryptology-CRYPTO, pp. 609-623, January 1999.