Network Coding Signature Schemes Against Related-Key Attacks in the Random Oracle Model

Abstract

In this paper, we consider the related-key attack (RKA) on the network coding signature (NCS) scheme, which is widely used to protect network coding against pollution attacks. In particular, based on the original security model proposed by Boneh et al. in PKC 2009, we first give the definition of RKA security for general NCS schemes. Then, by presenting a concrete pollution attack on the random-model (RO) based NCS scheme of Boneh et al., we prove that their scheme is not RKA secure in a “weaker” sense (w.r.t. linear functions). Lastly, we show that a slight modification of it yields a “stronger” RKA secure (w.r.t. d-order polynomial functions) NCS scheme under the d-co-computational Diffie-Hellman (d-co-CDH) assumption of bilinear groups.

Appendix

The BFKW-NCS scheme \(\varPi _1=(\texttt {Setup}_1,\texttt {Sign}_1,\texttt {Verify}_1)\) constructed from BFKW-HNCS scheme \(\varPi '_1=(\texttt {Setup}'_1,\) \(\texttt {Sign}'_1,\texttt {Combine}'_1,\texttt {Verify}'_1)\) is as follows.

• \(\texttt {Setup}_1\): Take as inputs \(1^\lambda \), and N. Run the algorithm \(\texttt {GenBiGroup}(1^\lambda )\) to obtain \(\mathcal G\). Parse \(\mathcal G\) as \((p,\mathbb G_1,\mathbb G_2,\mathbb G_T,e,\varphi )\). Then choose

  $$\begin{aligned} h\xleftarrow {\$}\mathbb G_2\backslash \{1\},\ g_1,\cdots ,g_N\xleftarrow {\$}\mathbb G_1\backslash \{1\}, \text { and } \ x\xleftarrow {\$}\mathbb F_p. \end{aligned}$$

  Let \(u=h^x\) and define \(H:\,\mathbb Z\times \mathbb Z\rightarrow \mathbb G_1\) as a hash function. Finally, output p, \(\texttt {PK}=(\mathcal G,g_1,\cdots ,g_N,h,u,H)\) and \(\texttt {SK}=x\).

• \(\texttt {Sign}_1\): Take as inputs \(\texttt {SK}=x\), \(id\in \{0,1\}^\lambda \), and \(V:=\text {span}\{ \mathbf{v}_{1},\cdots , \mathbf{v}_{m} \}\subset \mathbb F_p^N\), where \( \{ \mathbf{v}_{i} \} \) is a properly augmented basis of V. Compute

  $$\begin{aligned} \sigma _1=\left( \prod _{i=1}^mH(id,\right.&\left. i)^{v_{1,n+i}}\prod _{j=1}^ng_j^{v_{1,j}}\right) ^x,\,\\&\vdots \\ \sigma _m=\left( \prod _{i=1}^mH(id,\right.&\left. i)^{v_{m,n+i}}\prod _{j=1}^ng_j^{v_{m,j}}\right) ^x. \end{aligned}$$

  Output id and \(\sigma =(\sigma _1,\cdots ,\sigma _m)\).

• \(\texttt {Verify}_1\): Take as inputs \(\texttt {PK},\) id, \(\mathbf y \in \mathbb F_p^N\), and \(\sigma \). Parse \(\sigma \) as \(\sigma _1,\cdots ,\sigma _m\) and define \(n:=N-m\). Then compute

  $$\begin{aligned} \sigma '=\prod _{i=1}^m\sigma _i^{y_{n+i}}. \end{aligned}$$

  Finally, output

  $$\begin{aligned} \left( e\left( \prod _{i=1}^mH(id,i)^{y_{n+i}}\prod _{j=1}^ng_j^{y_j},u\right) \overset{?}{=}e\left( \sigma ',h\right) \right) . \end{aligned}$$