Top-Rated Free Essay
Preview

Cop: an Ultra-Lightweight Secure Network Coding Scheme Via Last Forwarder’s Proof

Best Essays
5228 Words
Grammar
Grammar
Plagiarism
Plagiarism
Writing
Writing
Score
Score
Cop: an Ultra-Lightweight Secure Network Coding Scheme Via Last Forwarder’s Proof
TSINGHUA SCIENCE AND TECHNOLOGY ISSN ll 1007-0214 ll10/10 llpp599-605 Volume 17, Number 5, October 2012

CoP: An Ultra-Lightweight Secure Network Coding Scheme via Last Forwarder’s Proof
Wei Ren1;2; , Linchen Yu1 , Liangli Ma3

1. School of Computer Science, China University of Geosciences, Wuhan 430074, China; 2. Shandong Provincial Key Laboratory of Computer Network, Jinan 250014, China; 3. Department of Computer Engineering, Naval University of Engineering, Wuhan 430033, China Abstract: Network coding can improve network efficiency by extending copy-and-forward paradigm to code-andforward paradigm. It thus imposes a security problem called pollution attack that some network coding or forwarding nodes may intentionally fabricate, modify, forge, or drop packets. Recently, many authentication methods are proposed to guarantee the correctness of encoding and forwarding results via the verification from receivers. Those methods include homomorphic hashing, homomorphic message authentication code, and homomorphic signature. However, those schemes result in expensive computation overhead due to the homomorphic cryptographic primitives, so that those methods will not be able to work in most applications that confront resource constraints. In this paper, we propose an ultra-lightweight checking protocol to guarantee the secure network coding without any homomorphic cryptographic primitives. The extensive analysis proofs that it has following advantages: the least security assumption for intermediate nodes, the least cryptographic primitive requirement, ultra-lightweight computation, flexible message length with probably proof, and minimal rounds in terms of message exchanging. Key words: covert network coding; security; pollution attack; secure protocol

Introduction
Network coding technique extends traditional copyand-forward paradigm to code-and-forward paradigm to improve efficiency of network by reducing the total number of forwarding packets—forwarding single coded packet instead of forwarding multiple individual packets[1, 2] . This technique has been extensively
Received: 2012-07-20; revised: 2012-08-20 Supported by the Open Research Fund from the Shandong Provincial Key Laboratory of Computer Networks (No. SDKLCN-2011-01), the Fundamental Research Funds for the Central Universities, China University of Geosciences (Wuhan) (Nos. 110109 and 090109), and the National Natural Science Foundation of China (No. 61170217) To whom correspondence should be addressed. E-mail: weirencs@cug.edu.cn

applied in numerous applications such as content distribution[3] , wireless video streaming[4] , and cloud computing[5] . As the packets are manipulated by encoding node or transferred by forwarding node, they may be polluted by those intermediate nodes. For example, the coding node or forwarding node may intentionally manipulate, modify, forge, and delete packets upon encoding or forwarding. Such problem is called pollution attack[6, 7] and is addressed in many research works. However, these works have extensively relied on attaching an authentication tag, such as homomorphic hashing[3, 8, 9] , homomorphic signature[10-12] , or homomorphic [13-15] message authentication code , onto original packets at sending nodes. The coding nodes and forwarding nodes have to verify the correctness of tags to justify the former operations on packets. It thus induces expensive computations in intermediate

600

Tsinghua Science and Technology, October 2012, 17(5): 599-605

nodes, especially for each packet. Moreover, some proposed schemes rely on cryptographic functions such as modular exponential operations[6, 9, 10] or elliptic curve bilinear pairing[11, 12] , which cannot be applied in devices with resource constraints such as sensor nodes. Additionally and unfortunately, some of proposed schemes are proofed to be insecure by recently conducted rigorous security analysis[16] . Different from all current related works such as cryptography-based schemes and other codingbased schemes[17-19] , we address the problem from a different viewpoint—relying on final receivers and last forwarders. Our scheme does not rely any expensive homomorphic cryptographic primitives, and thus does not incur any heavy computations at intermediate nodes. Hence, our scheme can be applied to any network that consists of resource constraint devices. The contributions of this paper are as follows: (1) we propose a novel checking protocol with ultralightweight computation for defending pollution attack in general network coding scenarios; (2) we discover the sufficient security requirement for cryptographic primitive and proof the necessary condition for protocol security; (3) we prove that the proposed protocols induce the least rounds so as to have the best communication performance. Moreover, our scheme assume that there exist the most powerful attackers in the network, for example, intermediate nodes can be Byzantine or any active attackers.

(3) FD: Forwarded Data. It is the data forwarded by FN. (4) RD: Recovery Data. It is the data recovered by RN. We also assume all nodes have computational resource-constraints. The communication link also has resource-constraint. 1.2 Attack model, security requirement, and design goals

1
1.1

Problem Formulation
Network model and system model

In typical butterfly scenario, we specify the role of nodes. (1) SN: Sending Node. It is the node who sends out original packets; (2) CN: Coding Node. It is an intermediate node who encodes the receiving packets and sends encoding results to next intermediate node. (3) FN: Forwarding Node. It is an intermediate node who forwards encoding results to intended receivers. (4) RN: Receiving Node. It is the node who is intended to receive the original packets. The data involved in network coding scenarios has four types as follows: (1) SD: Sent Data. It is the original data sent by SN and coded by CN. (2) CD: Coded Data. It is the coding result of SD.

CN and FN are assumed to be untrustworthy. CN and FN may present Byzantine failure. They may also malfunction or misbehave, such as dropping, arbitrary coding, or tampering packet. The links between all nodes are exposed to active or passive attacks, such as packet fabrication, modification, and eavesdropping. The only assumption is that SN and RN are assumed to be trustworthy. Thus, the security assumption is maintained to the minimum to let proposed scheme be suitable to more general scenarios. Our security scheme fulfills security requirements as follows: (1) Authenticity of RD Data coding correctness at CN: The CD at CN is indeed the correct coding result of SD. Data integrity: It includes the integrity of SD, CD, and FD. Data source authentication: The source of the SD must be verifiable to confirm that the data indeed comes from SN. (2) Data confidentiality of FD It includes the data confidentiality at FN, among FNs, between FN and RN. The design goal is thus to guarantee above requirements to defend against pollution attack via an ultra-lightweight manner.

2

Proposed Schemes and Analysis

In this section, we investigate a family of schemes for better understanding. Each later scheme improves over the previous one by addressing some of its limitations. The available schemes for authentication of SD largely relies on the homomorphic properties of cryptographic functions, such as homomorphic hash functions, homomorphic Message Authentication Codes (MACs), and homomorphic signatures. Such kind of cryptographic primitives are generated at SN sides and verified at FN sides. However, totally different from current schemes, we tackle the problem from RN. The motivation is that the operations for

Wei Ren et al.: CoP: An Ultra-Lightweight Secure Network Coding Scheme

601

homomorphic tag generation and verification can all be avoided. Figure 1 depicts the typical scenario of network coding called butterfly network. Suppose SN1’s SD is A, and SN2’s SD is B. Upon the receipt of FD from FN, RN1 can recover RD that is assumed to be B. RN1 can guarantee to have received correct A, as A is received from SN who is assumed to be trustworthy, instead of from CN and FN. Hence, RN1 only needs to verify the correctness of data B. In contrast, RN2 can guarantee to have received correct B, and only needs to verify the correctness of data A. Suppose A and B have the same length L. We list all major notations used in the remainder of the paper in Table 1. 2.1 Hash-based checking Protocol—HaP

Suppose H. / is a cryptographically secure hash function. (1) RN1 sends H.A/ to FN. That is, RN1! FN W H.A/; (2) RN2 sends H.B/ to FN. That is, RN2! FN W H.B/; (3) FN sends (usually broadcasts) H.A/ ˚ H.B/ to RN1 and RN2. That is, FN ! RN1I RN2 W H.A/ ˚ H.B/: Thus, RN1 can obtain H.B/ so as to check whether its holding B is correct. Similarly, RN2 can obtain H.A/ so as to check whether its possessing A is correct. Regrading the security, as H. / is a cryptographically secure hash function, FN cannot recover A (or B) from H.A/ (or H.B/). Regrading the performance, the computation overhead is only hash function computation at RN1 and RN2 and exclusive or (namely, XOR) computation at FN side. The communication overhead is three messages with length of jH. /j. 2.2 One-way-based checking Protocol - OwP We observe that the requirement of cryptographically secure hash function H. / can be loosen to any oneway function. That is, even if H. / is a one-way function, the protocol is still secure. The requirement for second pre-image resistance and collision resistance for hash function can be omitted. Therefore, more lightweight computation is enough for security and in implementation more choices can be provided. The function f :X ! Y is one-way, if and only if the following two conditions are satisfied. (1) Given 8x 2 X , it is computationally feasible to compute f .x/. (2) Given 8y 2 Y; it is computationally infeasible to find x 2 X , such that f .x/ D y. Definition 1 A general model for HaP protocol The model consists of three parties. One is untrustworthy, called F , the other two are trustworthy, called N1 and N2. Each trustworthy party holds two values, denoted by A and B. One value is guaranteed to be true. The other value requirs to be verified by proof from the other party. In other words, the possessed trustworthy value by one party is coincidentally the value that the other party wants to check. More specifically, N1 has authenticated A and wants to check B; N2 has authenticated B and wants to check A. The untrustworthy party F is an intermediate party between two trustworthy parties. A and B have to

We firstly propose a basic scheme called HaP to illustrate our motivation. We propose a data checking protocol between RN1, RN2, and FN. As RN1 and RN2 cannot communicate directly, we needs to rely on intermediate node FN. RN1 and RN2 are assumed to be trustworthy, which is the minimal security assumption for network communication. FN is assumed to be untrustworthy. Even if FN does not follow the protocol, for example, presents Byzantine failure, fabricates received packets, and forwards to others, or even drops packets, we will prove that FN still cannot fool RNs to accept unauthenticated data (so that the data authenticity is protected).

Fig. 1

Typical scenario for network coding. Table 1 Notations Length of A and B in bits Forwarding node Receiving node Length of block in bits Hash function One-way function

n FN RN m H. / f. /

602

Tsinghua Science and Technology, October 2012, 17(5): 599-605

rely on F to communicate each other. Untrustworthy parties have no idea of these two values (namely, A and B), but it can manipulate (and know) the values upon forwarding, including A ˚ B and values in HaP protocol. We call the stage conducting HaP protocol as a checking stage. Our one-way function based checking protocol can be modeled as follows, called OwP: N1 ! F W f .A/; N2 ! F W f .B/; F ! A.andB/ W f .A/ ˚ f .B/; where f . / is a one-way function. Definition 2 The security definition of OwP protocol The security of OwP protocol is defined as follows: (1) Confidentiality of A and B. After the OwP protocol, intermediate party almost has no idea of two values. That is, F almost has no idea about A and B. (2) Unforgeability of coded values A and B. It is the major functionality of the proposed protocol. Untrustworthy party cannot fool trustworthy parties to regard a fabricated value as a trustworthy value. For example, suppose F manipulates A ˚ B and sends it to N1, so B is forged with respect to N1. Besides, A ˚ B is also sent to N2, so A is forged with respect to N2. After the protocol OwP, F cannot fool N1 to believe her computed B is authenticated, and F cannot fool N2 to believe her computed A is authenticated. Proposition 1 The confidentiality of A and B is guaranteed. Proof Before checking stage, F only knows A ˚ B. Thus PrfA D aja 2 f0; 1gn g D PrfB D bjb 2 f0; 1gn g D 1=2n : That is, A and B have information-theoretic secrecy. After OwP protocol, F only knows f .A/ and f .B/. As the one-wayness of f . /, given f .A/ and f .B/, F is computationally infeasible to find A and B. F only knows f .A/ for A and f .B/ for B. Thus PrfA D aja 2 f0; 1gn ; f .a/ ¤ f .A/g D PrfB D bjb 2 f0; 1gn ; f .b/ ¤ f .B/g D 1=.2n 1/: Besides, PrfA D aja 2 f0; 1gn ; f .a/ D f .A/gD PrfB D bjb 2f0; 1gn ; f .b/ D f .B/g D 1. That is, F finds A (or B) only by brute-force search for x 2 2n such that f .x/ D f .A/ (or f .x/ D f .B/). Proposition 2 The unforgeability of coded values A and B are guaranteed. Proof After OwP protocol, N1 (or N2) can obtain f .B/ (or f .A/) by letting received f .A/ ˚ f .B/

exclusive-or with holding correct f .A/ (or f .B/). Next, N1 (or N2) checks the correctness of B (or A) by means of f .B/ (or f .A/), respectively. We next prove that the following situation is computationally impossible: F forges A ˚ B before the launching of checking protocol OwP, and then F successfully forges either (both) f .A/ or (and) f .B/, which can fool N1 or (both) N2 to deem they receive correct A ˚ B. F manipulates A ˚ B 2 f0; 1gn to .A ˚ B/0 2 f0; 1gn and sends it to N1 and N2 before the checking stage (namely, launching the checking protocol), thus N1 holds incorrect B 0 and N2 holds incorrect A0 . Obviously, A0 equals partial bit flipping of A; B 0 equals partial bit flipping of B at the same location. Next, checking stage starts. F wants to manipulate received f .A/ and (or) f .B/ so as to fool N1 and (or) N2. As F is computationally infeasible to compute A and B from f .A/ and f .B/, F is computationally infeasible to compute B 0 and A0 from .A ˚ B/0 . F thus can only compute f .B 0 / and f .A0 / by random guess with correct probability 1=2jf . /j . If jf . /j is large enough, this value is negligible, as desired. This ends the proof. Proposition 3 If f . / is not second pre-image resistant, the protocol is still secure. Proof f . / is not second pre-image resistant. That is, given x 2 X , it is computationally feasible to find x ¤ x 2 X such that f .x/ D f .x/. N N Suppose F manipulates A ˚ B to .A ˚ B/0 and sends it to N1 and N2 before checking stage, thus N1 holds incorrect B 0 and N2 holds incorrect A0 . A0 equals certain bit flipping of A; B 0 equals certain bit flipping of B. The flipping locations in A0 and B 0 are exactly the same. F can fool RN1 or RN2 only if it can generate correct f .A0 / and f .B 0 /. As it is computationally infeasible for F to compute A and B from f .A/ and f .B/, as well as A0 and B 0 . Thus it is computationally infeasible to compute f .A0 / and f .B 0 /. Next, we proof that the ability of finding second preimage cannot improve the chance to compute f .A0 / and f .B 0 /. After F receives f .A/ and f .B/, its additional N N ability is thus to find A ¤ A and B ¤ B such that N D f .A/ and f .B/ D f .B/. (Strictly speaking, N f .A/ it is not a scenario of second pre-image because preimage of f .A/ is not given.) The knowledge of N N A and B does not improve the opportunity to compute 0 f .A / and f .B 0 /. Therefore, the computation of f .A0 / and f .B 0 / only

Wei Ren et al.: CoP: An Ultra-Lightweight Secure Network Coding Scheme

603

relies on random guess, which is 1=2jf . /j . It is the same with the situation of one-wayness, as desired. Proposition 4 If f . / is not collision resistant, the protocol is still secure. Proof f . / is not collision resistant. That is, it is computationally feasible to find x; x 0 2 X; x ¤ x 0 , such that f .x 0 / D f .x/. Suppose F manipulates A ˚ B to .A ˚ B/0 and send it to N1 and N2 before checking stage, thus N1 holds incorrect B 0 and N2 holds incorrect A0 . A0 equals certain bit flipping of A; B 0 equals certain bit flipping of B. The flipping locations in A0 and B 0 are the exactly same. F can fool RN1 or RN2 only if it can generate correct f .A0 / and f .B 0 /. As it is computationally infeasible for F to compute A and B from f .A/ and f .B/, as well as A0 and B 0 . Thus it is computationally infeasible to compute f .A0 / and f .B 0 /. Next, proof the ability of finding collision cannot improve the chance to compute f .A0 / and f .B 0 /. Even though F can choose two values x and x 0 such that f .x 0 / D f .x/ before checking stage, it cannot manipulate A ˚ B to .A ˚ B/0 such that A0 ; B 0 2 x; x 0 . Thus F does not improve the possibility to compute f .A0 / and f .B 0 /. Therefore, the computation of f .A0 / and f .B 0 / only relies on random guess, which is 1=2jf . /j . It is the same with situation of one-wayness, as desired. From above observations we thereby can draw the conclusion that one-wayness of f . / is sufficient condition for protocol’s security. Next, we will explore whether it is a necessary condition, in other words, whether the requirement of one-wayness of f . / can be further loosened. 2.3 Partial One-way-based checking Protocol— pOwP

Proposition 5 If f . / is t -bit one-wayness, OwP protocol can find data forgery with probability of 1 1=2t . Proof If f . / is t-bit one-wayness, F cannot find full A and B from f .A/ and f .B/ (due to t bits cannot be conjectured). F has to random guess t bits to obtain A and B from f .A/ and f .B/. The probability of successful guess is 1=2t . If guess is right, F flips corresponding bits to compute A0 and B 0 according to the knowledge on former manipulation of .A ˚ B/0 . Finally, compute f .A0 / and f .B 0 / to fool N1 and N2 successfully. Therefore, the probability of successful forgery avoiding detection is 1=2t . In other words, the successful probability that can find data forgery by checking protocol is 1 1=2t . Corollary 1 1-bit one-wayness of f . / is necessary condition for OwP protocol’s security. Proof The security of OwP can be defined as follows. Given f .A/, attacker wants to compute f .A0 / where A0 is certain bit flipping of A and flipping locations are known by attacker before given f .A/. If the probability of success is negligible, the protocol OwP is secure. That is, Forge AdvA D PrfSuccf .A0 / jf .A/; fA0 ; Ag 2 f0; 1gn ; jAj D jA0 j D n; A0 D BitFlip.A; i1 ; i2 ; 1 i1 ; i2 ; ; in ng < .jf . /j/; ; in /;

We observe that one-wayness of f . / can be further loosened to partial one-way function, but security becomes probabilistically secure. We firstly define t -bit one-way function as follows: Definition 3 t-bit (1 t jXj) one-way function t -bit one-way function is a function f WX !Y has following properties: (1) Given 8x 2 X , it is computationally feasible to compute f .x/. (2) Given 8y 2 Y , it is computationally infeasible to find t bits of x 2 X , such that f .x/ D y. The extreme case of t-bit one-way function is 1-bit one-way function and jX j-bit one-way function.

where . / is a negligible function with a security Forge parameter jf . /j, AdvA is the advantage of attackers fool receiving nodes (for example, N1) to regard a forged data (for example, A) as an authenticated data. It relies on the possibility of the event computing correct f .A0 / successfully, namely PrfSuccf .A0 / g. BitFlip.A; i1 ; i2 ; ; in / is a function that flips A at location i1 ; ; in bits. Forge AdvA D PrfSuccf .A0 / jA f .A/; A0 BitFlip.A; i1 ; i2 ; ; in /g C PrfSuccf .A0 / jGuessg; where Guess is the event of randomly guessing correct value f .A0 /. We have PrfSuccf .A0 / jA f .A/; A0 BitFlip.A; i1 ; i2 ; PrfSuccf .A0 / jGuessg Thus,
Forge AdvA < .jf . /j/;

; in /g < .jf . /j/; 1=2jf . /j :

604

Tsinghua Science and Technology, October 2012, 17(5): 599-605

since both .jf . /j/ and 1=2jf . /j are negligible function in jf . /j. It completes the proof. Next, we further consider whether we can shorten the length of communication messages in protocol. In other words, we explore whether it is possible to only transmit partial information of f .A/ and f .B/ in the protocol without sacrificing security. We propose a revised protocol with short message length in next section. 2.4 Coding-based checking Protocol—CoP

To further reduce the communication overhead due to large message length, we thus propose an XOR-based coding scheme to shorten message length as follows: Li D.n m/=m (1) N1 sends Am D Trunc.f .A/; 1 C i D0 i m; m/ to F , where Trunc.P; Q; R/ is a truncate function for cutting bit string P from starting point Q.1 Q jP j with length R.1 R jP j Q/. Li D.n m/=m (2) N2 sends Bm D Trunc.f .B/; 1 C i D0 i m; m/, to F ; (3) F sends Am ˚ Bm to N1 and N2. We assume m is a system parameter and mjL; .L D jf .A/j D jf .B/j/, so that N1 and N2 can send the message with same length. N1 obtains Am ˚ Bm and compute Am by itself so as to obtain Bm . N1 uses computed Bm to check whether its holding B is correct. Similarly, N2 can obtain Am so as to check whether its possessing A is correct. If m D n, CoP is the same with OwP. If m D 1, the message has only one bit. Proposition 6 CoP can find the data forgery with probability of 1 1=2m . L Proof As f . / is one-way, i D.n m/=m Trunc.f . /; i D0 1 C i m; m/ is also one-way. Thus the security of CoP is guaranteed. As F can manipulate the A0 or B 0 and random guess Am or Bm , the probability of successful guess is 1=2m . Thus it can find the data forgery with probability of 1 1=2m , as desired. Regrading the performance, the communication overhead is 3 messages with length of m. The induced cost is low. More specifically, induced computation overhead is only i D .n m/=m times exclusive or and function Tranc./ computation on strings of length m bits at N1 and N2; former computation is one time exclusive or on string of length L at N1 and N2. Computation overhead of exclusive or at F also decreases from length L to length m. If N1 and N2 assume to send the first or last chunk with m-bit of f .A/ or f .B/, exclusive or operation can be omitted. The probability of finding data forgery by

CoP is 1 1=2m . Corollary 2 If only one bit of f .A/ is sent, for example, the first bit or last bit of f .A/, the probability of finding data forgery of CoP is 1=2. Proof Straightforward. Finally, we proof the message rounds in the proposed protocols (HaP, OwP, and CoP) is minimal. Proposition 7 CoP protocol has the least rounds in terms of messages exchanging. Proof N1 (or N2) needs the other’s credential of B (or A) to verify derived B (or A) from received A ˚ B. Thus N2 (or N1) need to send credential of B (or A). It costs at least two messages. To forward these two messages to N1 and N2 via F , it will cost at least two messages without network coding. Using network coding, it costs at least one message. Therefore, the minimal number of messages for the secure protocol is 3. 2.5 Extended applicability

In previous section, we discuss the typical network coding scenario—butterfly network. Next, we explore the applicability of our proposed protocol in extended scenarios with more than one last-hop forwarding nodes, depicted in Fig. 2. Our protocol can be easily extended to above scenario by forwarding the f .A/ and f .B/ by last-hop node until to the last common forwarding node, namely FN. The FN will send f .A/ ˚ f .B/ and it is forwarded through different last-hop nodes until to RN1 and RN2. Proposition 8 Proposed protocols are secure in the extended scenarios where there exist multiple last-hop forwarding nodes. Proof In extended scenario, nodes in different

Fig. 2 Extended scenario with more than one last-hop forwarding nodes.

Wei Ren et al.: CoP: An Ultra-Lightweight Secure Network Coding Scheme

605

forwarding paths to RN1 and RN2 are more. As proposed protocols are secure even though FN is untrustworthy, the additional nodes have the same information as FN. Thus even if they are untrustworthy, the protocol still remain secure. Next, we explore the applicability of our proposed protocol in extended scenario where network coding function is other operations except for exclusive or. Proposition 9 Proposed protocols are secure in extended scenarios where network coding function is not exclusive or but others. Proof Network coding function only affects the performance before the checking stage. Checking protocol verifies the network coding result, so it does not concern underlying concrete network coding functions. Proposed protocols thus secure in extended scenarios where network coding function is not exclusive or. That is, network coding function could be any function, linear or not.

[2]

[3]

[4]

[5]

[6]

[7]

[8]

3

Conclusions
[9]

In this paper, we propose several ultra-lightweight security protocols in network coding context, to check the correctness of received data yet maintaining the confidentiality of coded original data as well. HaP is a hash function based checking protocol for illustrating the motivation. OwP is a one-way function based checking protocol to loosen the requirement from cryptographically secure hash function to oneway function. We proof one-wayness is the sufficient condition, and 1-bit one-wayness is the necessary condition for the checking protocol. t-bit one-wayness function based OwP protocol can find data forgery with the probability 1 1=2t . It thus loosens the requirement from one-way function to partial (or t bit) one-way function. To further shorten the message length, we finally propose a one-way function and coding scheme—CoP, which uses simple exclusiveor operation to code one-way function’s result. The security of CoP relies on the length of coding result (i.e., 1 1=2m , where m is the length). CoP protocol has the least rounds in terms of messages exchanging. The proposed protocols are secure in the extended scenarios where there exist multiple last-hop forwarding nodes, and network coding function in applications is not exclusiveor but others. References
[1] Ahlswede R, Cai N, Li S, Yeung R W. Network information flow. IEEE Trans. on Information Theory, 2000, 46(4):

[10]

[11]

[12] [13]

[14]

[15]

[16]

[17]

[18]

[19]

1204-1216. Jaggi S, Sanders P, Chou P A, Effros M, Egner S, Jain K, Tolhuizen L. Polynomial time algorithms for multicast network code construction. IEEE Trans. on Information Theory, 2005, 51(6): 1973-1982. Gkantsidis G, Rodriguez P. Cooperative security for net-work coding file distribution. In: Proc. of IEEE INFOCOM06, 2006: 1-13. Lima L, Gheorghiu S, Barros J, Medard M, Toledo A. Secure network coding for multi-resolution wireless video streaming. IEEE Journal of Selected Areas in Communications, 2010, 28(3): 377-388. Oliveira P, Lima L, Vinhoza T, Barros J, Medard M. Trusted storage over untrusted networks. In: Proc. of IEEE Globecom Communication Theory Workshop10, 2010: 1-5. Yu Z, Wei T, Ramkumar B, Guan Y. An efficient signaturebased scheme for securing network coding against pollution attacks. In: Proc. of IEEE INFOCOM08, 2008: 1409-1417. Yu Z, Wei Y, Ramkumar B, Guan Y. An efficient scheme for securing xor network coding against pollution attacks. In: Proc. of IEEE INFOCOM09, 2009: 406-414. Krohn M, Freedman M, Mazieres D. On-the-fly verification of rateless erasure codes for efficient content distribution. In: Proc. of IEEE Security and Privacy (SP04), 2004: 226-240. Gennaro R, Katz J, Krawczyk H, Rabin T. Secure network coding over the integers. In: Proc. of PKC10, LNCS 6056, 2010: 142-160. Zhao F, Kalker T, Medard M, Han K. Signatures for content distribution with network coding. In: Proc. of IEEE ISIT07, 2007: 556-560. Boneh D, Freeman D, Katz J, Waters B. Signing a linear subspace: Signature schemes for network coding. In: Proc. of PKC09, 2009: 68-87. Czap L, Vajda I. Signatures for multi-source network coding. IACR 2010/328, 2010. Agrawal S, Boneh D. Homomorphic macs: Mac-based integrity for network coding. In: Proc. of ACNS09, 2009: 292-305. Li Y, Yao H, Chen M, Jaggi S, Rosen A. Ripple authentication for network coding. In: Proc. of IEEE INFOCOM10, 2010: 1-9. Oggier F, Fathi H. An authentication code against pollution attacks in network coding. IEEE/ACM Transactions on Networking, 2011, 19(6): 1587-1596. Wang Y. Insecure “provably secure network coding” and homomorphic authentication schemes for network coding. IACR 2010/060, 2010. Dong J, Curtmola R, Nita-Rotaru C. Practical defenses against pollution attacks in intra-flow network coding for wireless mesh networks. In: Proc. of ACM WiSec09, 2009: 111-122. Kehdi E, Li B. Null keys: Limiting malicious attacks via null space properties of network coding. In: Proc. of IEEE INFOCOM09, 2009: 1224-1232. Zhang P, Jiang Y, Lin C, Fan Y, Shen (Sherman) X. P-coding: Secure network coding against eavesdropping attacks. In: Proc. of IEEE INFOCOM10, 2010: 1-9.

References: [1] Ahlswede R, Cai N, Li S, Yeung R W. Network information flow. IEEE Trans. on Information Theory, 2000, 46(4): [10]

You May Also Find These Documents Helpful

Related Topics