Abstract
In this paper, we consider the related-key attack (RKA) on the network coding signature (NCS) scheme, which is widely used to protect network coding against pollution attacks. In particular, based on the original security model proposed by Boneh et al. in PKC 2009, we first give the definition of RKA security for general NCS schemes. Then, by presenting a concrete pollution attack on the random oracle (RO) model based NCS scheme of Boneh et al., we prove that their scheme is not RKA secure even in a “weaker” sense (w.r.t. linear functions). Lastly, we show that a slight modification of it yields a “stronger” RKA secure (w.r.t. d-order polynomial functions) NCS scheme under the d-co-computational Diffie-Hellman (d-co-CDH) assumption on bilinear groups.
Notes
1. The properly augmented basis \( \{ \mathbf{v}_{i} \}_{i=1}^m\) of V means that for \(1\le i\le m\),
$$\begin{aligned} \mathbf v _i=\{v_{i,1},\cdots ,v_{i,N-m},\underbrace{\overbrace{0,\cdots ,0,1}^{i},0,\cdots ,0}_{m}\},\end{aligned}$$
i.e. the last m coordinates of \(\mathbf v_i\) form the i-th unit vector.
2. We remark that the signing algorithm \(\texttt {Sign}\) may sign subspaces of different dimensions.
3. We remark that, in this situation, the signature \(\sigma ^{(\xi )}\) should be valid under the public key \(\texttt {PK}^{(\xi )}\) corresponding to \(\phi _\xi (\texttt {SK})\). That is,
$$\begin{aligned} \texttt {Verify}(\texttt {PK}^{(\xi )},id_\xi ,\mathbf y ^{(\xi )},\sigma ^{(\xi )})=1 \end{aligned}$$
for all \(\mathbf y ^{(\xi )}\in V_\xi \).
4. Here, we remark that the submitted subspace \( \{ \mathbf{v} \} \) is 1-dimensional and the last coordinate satisfies \(v_N=1\), since \(\mathbf v \) is a properly augmented basis. Hence \(m=1\) and \(n=N-m=N-1\).
5. An entirely analogous analysis shows that Lemma 7 of [3] still holds in the RKA setting.
References
Bellare, M., Cash, D., Miller, R.: Cryptography secure against related-key attacks and tampering. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 486–503. Springer, Heidelberg (2011)
Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_31
Boneh, D., Freeman, D., Katz, J., Waters, B.: Signing a linear subspace: signature schemes for network coding. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 68–87. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00468-1_5
Cui, H., Mu, Y., Au, M.H.: Proof of retrievability with public verifiability resilient against related-key attacks. IET Inf. Secur. 9(1), 43–49 (2015)
Dong, J., Curtmola, R., Nita-Rotaru, C.: Practical defenses against pollution attacks in wireless network coding. ACM Trans. Inf. Syst. Secur. (TISSEC) 14(1), 7 (2011)
Lu, X., Li, B., Jia, D.: KDM-CCA security from RKA secure authenticated encryption. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 559–583. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_22
Morita, H., Schuldt, J.C.N., Matsuda, T., Hanaoka, G., Iwata, T.: On the security of the Schnorr signature scheme and DSA against related-key attacks. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 20–35. Springer, Heidelberg (2016). doi:10.1007/978-3-319-30840-1_2
Oggier, F., Datta, A.: Byzantine fault tolerance of regenerating codes. In: 2011 IEEE International Conference on Peer-to-Peer Computing (P2P), pp. 112–121. IEEE (2011)
Wee, H.: Public key encryption against related key attacks. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 262–279. Springer, Heidelberg (2012). doi:10.1007/978-3-642-30057-8_16
Zhao, F., Kalker, T., Médard, M., Han, K.J.: Signatures for content distribution with network coding. In: 2007 IEEE International Symposium on Information Theory, pp. 556–560. IEEE (2007)
Acknowledgement
This work is supported by National Natural Science Foundation of China (No. 61602061; No. 61672059; No. 61272499; No. 61472016; No. 61472414; No. 61402471), the Strategic Priority Research Program of Chinese Academy of Sciences (No. XDA06010701), the Foundation of Institute of Information Engineering for Cryptography, and the Project of College Students’ Innovation and Entrepreneurship of Shanxi (No. 2016431).
Appendix
The BFKW-NCS scheme \(\varPi _1=(\texttt {Setup}_1,\texttt {Sign}_1,\texttt {Verify}_1)\), constructed from the BFKW-HNCS scheme \(\varPi '_1=(\texttt {Setup}'_1,\texttt {Sign}'_1,\texttt {Combine}'_1,\texttt {Verify}'_1)\), is as follows.
- \(\texttt {Setup}_1\): Take as inputs \(1^\lambda \) and N. Run the algorithm \(\texttt {GenBiGroup}(1^\lambda )\) to obtain \(\mathcal G\). Parse \(\mathcal G\) as \((p,\mathbb G_1,\mathbb G_2,\mathbb G_T,e,\varphi )\). Then choose
$$\begin{aligned} h\xleftarrow {\$}\mathbb G_2\backslash \{1\},\ g_1,\cdots ,g_N\xleftarrow {\$}\mathbb G_1\backslash \{1\}, \text { and } \ x\xleftarrow {\$}\mathbb F_p. \end{aligned}$$
Let \(u=h^x\) and let \(H:\,\mathbb Z\times \mathbb Z\rightarrow \mathbb G_1\) be a hash function. Finally, output p, \(\texttt {PK}=(\mathcal G,g_1,\cdots ,g_N,h,u,H)\) and \(\texttt {SK}=x\).
- \(\texttt {Sign}_1\): Take as inputs \(\texttt {SK}=x\), \(id\in \{0,1\}^\lambda \), and \(V:=\text {span}\{ \mathbf{v}_{1},\cdots , \mathbf{v}_{m} \}\subset \mathbb F_p^N\), where \( \{ \mathbf{v}_{i} \} \) is a properly augmented basis of V, and let \(n:=N-m\). Compute
$$\begin{aligned} \sigma _1&=\left( \prod _{i=1}^mH(id,i)^{v_{1,n+i}}\prod _{j=1}^ng_j^{v_{1,j}}\right) ^x,\\ &\;\;\vdots \\ \sigma _m&=\left( \prod _{i=1}^mH(id,i)^{v_{m,n+i}}\prod _{j=1}^ng_j^{v_{m,j}}\right) ^x. \end{aligned}$$
Output id and \(\sigma =(\sigma _1,\cdots ,\sigma _m)\).
- \(\texttt {Verify}_1\): Take as inputs \(\texttt {PK}\), id, \(\mathbf y \in \mathbb F_p^N\), and \(\sigma \). Parse \(\sigma \) as \(\sigma _1,\cdots ,\sigma _m\) and define \(n:=N-m\). Then compute
$$\begin{aligned} \sigma '=\prod _{i=1}^m\sigma _i^{y_{n+i}}. \end{aligned}$$
Finally, output
$$\begin{aligned} \left( e\left( \prod _{i=1}^mH(id,i)^{y_{n+i}}\prod _{j=1}^ng_j^{y_j},u\right) \overset{?}{=}e\left( \sigma ',h\right) \right) . \end{aligned}$$
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Chang, J., Dai, H., Xu, M., Xue, R. (2017). Network Coding Signature Schemes Against Related-Key Attacks in the Random Oracle Model. In: Hong, S., Park, J. (eds) Information Security and Cryptology – ICISC 2016. ICISC 2016. Lecture Notes in Computer Science, vol. 10157. Springer, Cham. https://doi.org/10.1007/978-3-319-53177-9_13
DOI: https://doi.org/10.1007/978-3-319-53177-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-53176-2
Online ISBN: 978-3-319-53177-9