Trapezoid graph: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>ChrisGualtieri
m Typo fixing, typos fixed: et al → et al. (2) using AWB
 
en>Yuval pi
m links for all authors
 
Line 1: Line 1:
The fad with celebrity motivated jewelry first started with the diamond gemstone distributed by Ben Affleck to Jennifer Lopez. A big emerald-cut red stone takes center stage as the main focal point with this beauty. One each aspect, white baguett... <br><br>Everybody else wants the red carpet look minus the million-dollar price, as of late. If this seems too good to be true, think again. Thanks to celebrity motivated jewelry, its now feasible for one to own the very best on a budget. Be taught more on [http://armorgames.com/user/guidecelebritysqi book a celebrity] by going to our unusual portfolio. <br><br>The fad with celebrity motivated jewelry first began with the diamond gemstone distributed by Ben Affleck to Jennifer Lopez. A large emerald-cut green stone takes center stage as the major focus of this beauty. One each side, white baguette diamonds proudly accentuate the great center stone. Supporters fell deeply in love with this ring around the world, which cause the need for designers to re-create the ring in a look that anyone can manage. The result was a gold development featuring a large emerald-cut red cubic zirconia center stone, which is highlighted by white baguette cubic zirconia on each side. <br><br>It wasnt long prior to the trend of wearing celebrity influenced diamond bands became the following big part of style jewelry. A beautiful pear-cut band came into fashion in a major way, when Nick Lachey proposed to Jessica Simpson. This bold beauty dazzled the media and fans a-like. With one stone located on each side of the gorgeous pear-cut center stone, Simpsons new band was as brilliant while the spotlight itself. Yet again, manufacturers got through having a development that everyone could afford. A bold sterling silver band with a large white cubic zirconia pear-cut center stone, which is adorned by white cubic zirconia on each side, began turning up on jewelry fans world wide. <br><br>When it came to styles, Lachey and Simpson werent the only musical pair making their way in to the line of star impressed jewelry. Kevin Federline gave Britney Spears a stunning ring having a cushion-cut center stone sitting atop a double line of connected diamond-encrusted rings. The design was recreated in gold and gleaming white cubic zirconia. The cushion-cut middle stone, which replicates an exquisite stone, sits boldly above a double band of cubic zirconia accessories. <br><br>What type of star impressed jewelry will be complete with out a pair of earrings? In terms of pattern setters get, Oprah Winfrey is one of the best. Not merely has she made a name for herself in the media, but additionally for her fantastic fashion sense. Oprahs popular pear drop diamond stud earrings won her supporters over very quickly. This influential [http://www.hummaa.com/user/guidecelebritywfj found it] article directory has many pictorial warnings for the meaning behind this enterprise. The style features a large pear-cut diamond dangling below and a round white diamond stud. In an attempt to re-create this design, jewelry companies introduced their own version done in inexpensive gold. Like Oprahs traditional diamonds, the earring attributes a white cubic zirconia stud and a pear shaped cubic zirconia dangling below. Fans might have the look of the actual diamond earring for a lot less money, since the earring will come in cubic zirconia and gold. <br><br>The styles are both dramatic and unique, as it pertains to red carpet wear. Any woman who watches the annual prize shows will probably agree that seeing the jewelry is among the most fascinating facets of the red carpet arrivals. Not many can afford a million-dollar ring or ring, but many could afford that look if it were developed in gold and cubic zirconia. Thanks to celebrity manufacturers, including Nolan Miller and Charles Winston, many of todays most high-priced looks could be used by those who just watch the red carpet from afar instead of actually walking on it.. If you believe anything, you will possibly need to explore about [http://armorgames.com/user/bookcelebritysxm bookcelebritysxm"s Profile | Armor Games].<br><br>If you want to find out more info regarding [http://www.purevolume.com/listeners/ossifieddonor5075 group health insurance] take a look at our web-page.
[[Network coding]] has been shown to optimally use [[Bandwidth (computing)|bandwidth]] in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers.  The pollution of [[network packet]]s spreads quickly since the output of (even an) honest node is corrupted if at least one of the incoming packets is corrupted. An attacker can easily corrupt a packet even if it is encrypted by either forging the signature or by producing a collision under the [[hash function]]. This will give an attacker access to the packets and the ability to corrupt them. Denis Charles, Kamal Jain and Kristin Lauter designed a new [[homomorphic encryption]] signature scheme for use with network coding to prevent pollution attacks.<ref>http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.60.4738&rep=rep1&type=pdf</ref> The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority. In this scheme it is computationally infeasible for a node to sign a linear combination of the packets without disclosing what [[linear combination]] was used in the generation of the packet. Furthermore, we can prove that the signature scheme is secure under well known [[Cryptography|cryptographic]] assumptions of the hardness of the [[discrete logarithm]] problem and the computational [[Elliptic curve Diffie–Hellman]].
 
==Network coding==
Let <math>G = (V, E)</math> be a [[directed graph]] where <math>V</math> is a set, whose elements are called vertices or [[Node (networking)|node]]s, and <math>E</math> is a set of [[ordered pair]]s of vertices, called arcs, directed edges, or arrows. A source <math>s \in V</math> wants to transmit a file <math>D</math> to a set <math>T \subseteq V</math> of the vertices. One chooses a [[vector space]] <math>W/\mathbb{F}_p</math>(say of dimension <math>d</math>), where <math>p</math> is a prime, and views the data to be transmitted as a bunch of vectors <math>w_1 ,\ldots , w_k \in W</math>. The source then creates the augmented vectors <math>v_1,\ldots , v_k</math> by setting <math> v_i = (0, \ldots , 0, 1, \ldots , 0, w_{i_1}, \ldots , w{i_d})</math> where <math>w_{i_j}</math> is the <math>j</math>-th coordinate of the vector <math>w_i</math>. There are <math>(i-1)</math> zeros before the first '1' appears in <math>v_i</math>. One can assume without loss of generality that the vectors <math>v_i</math> are [[Linear independence|linearly independent]]. We denote the [[linear subspace]] (of <math>\mathbb{F}_p^{k+d}</math> ) spanned by these vectors by <math>V</math> . Each outgoing edge <math>e \in E</math> computes a linear combination, <math>y(e)</math>, of the vectors entering the vertex <math>v = in(e)</math> where the edge originates, that is to say
 
: <math>y(e) = \sum_{f:\mathrm{out}(f)=v}(m_e(f)y(f))</math>
 
where <math>m_e(f) \in \mathbb{F}_p</math>. We consider the source as having <math>k</math> input edges carrying the <math>k</math> vectors <math>w_i</math>. By [[Mathematical induction|induction]], one has that the vector <math>y(e)</math> on any edge is a linear combination <math>y(e) = \sum_{1 \le i \le k}(g_i(e)v_i)</math> and is a vector in <math>V</math> . The k-dimensional vector <math>g(e) = (g_1(e), \ldots , g_k(e))</math> is simply the first ''k'' coordinates of the vector <math>y(e)</math>. We call the [[Matrix (mathematics)|matrix]] whose rows are the vectors <math>g(e_1), \ldots , g(e_k)</math>, where <math>e_i</math> are the incoming edges for a vertex <math>t \in T</math>, the global encoding matrix for <math>t</math> and denote it as <math>G_t</math>. In practice the encoding vectors are chosen at random so the matrix <math>G_t</math> is invertible with high probability. Thus any receiver, on receiving <math>y_1, \ldots , y_k</math> can find <math>w_1,\ldots ,w_k</math> by solving
 
: <math>\begin{bmatrix} y'\\ y_2' \\  \vdots \\ y_k' \end{bmatrix} = G_t \begin{bmatrix} w_1\\ w_2 \\ \vdots \\ w_k \end{bmatrix}</math>
 
where the <math>y_i'</math> are the vectors formed by removing the first <math>k</math> coordinates of the vector <math>y_i</math>.
 
==Decoding at the receiver==
Each [[Receiver (information theory)|receiver]], <math>t \in T</math>, gets <math>k</math> vectors <math>y_1, \ldots , y_k</math> which are random linear combinations of the <math>v_i</math>’s.
In fact, if
 
: <math>y_i = (\alpha_{i_1}, \ldots , \alpha_{i_k}, a_{i_1}, \ldots , a_{i_d})</math>
 
then
 
: <math>y_i = \sum_{1 \le j \le k}(\alpha_{ij}v_j).</math>
 
Thus we can invert the linear transformation to find the <math>v_i</math>’s with high [[probability]].
 
==History==
Krohn, Freedman and Mazieres proposed a theory<ref>http://www.cs.princeton.edu/~mfreed/docs/authcodes-ieee04.pdf</ref> in 2004 that if we have a hash function
<math>H : V \longrightarrow G</math> such that:
*  <math>H</math> is [[Collision resistance|collision resistant]] – it is hard to find <math>x</math> and <math>y</math> such that <math>H(x) = H(y)</math>;
* <math>H</math> is a [[homomorphism]] – <math>H(x+y) = H(x) + H(y)</math>.
 
Then server can securely distribute <math>H(v_i)</math> to each receiver, and to check if
 
: <math>y =  \sum_{1 \leq i\leq k} (\alpha_iv_i)</math>
 
we can check whether
 
: <math>H(y) =    \sum_{1 \leq i\leq k} (\alpha_iH(v_i))</math>
 
The problem with this method is that the server needs to transfer secure information to each of the receivers. The hash functions <math>H</math> needs to be transmitted to all the nodes in the network through a separate secure channel.<math>H</math> is expensive to compute and secure transmission of <math>H</math> is not economical either.
 
==Advantages of homomorphic signatures==
# Establishes authentication in addition to detecting pollution.
# No need for distributing secure hash digests.
# Smaller bit lengths in general will suffice. Signatures of length 180 bits have as much security as 1024 bit RSA signatures.
# Public information does not change for subsequent file transmission.
 
==Signature scheme==
The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority.
 
===Elliptic curves cryptography over a finite field===
[[Elliptic curve cryptography]] over a finite field is an approach to [[public-key cryptography]] based on the algebraic structure of [[elliptic curves]] over [[finite field]]s.
 
Let <math>\mathbb{F}_q</math> be a finite field such that <math>q</math> is not a power of 2 or 3. Then an elliptic curve <math>E</math> over <math>\mathbb{F}_q</math> is a curve given by an equation of the form
: <math> y^2 = x^3 + ax + b, \, </math>
 
where <math>a, b  \in   \mathbb{F}_q</math> such that <math>4a^3 + 27b^2 \not= 0</math>
 
Let <math>K \supseteq \mathbb{F}_q</math>, then,
 
: <math>E(K) = \{(x, y) | y^2 = x^3 + ax + b\} \bigcup  \{O\}</math>
 
forms an [[abelian group]] with O as identity. The [[Group (mathematics)|group operations]] can be performed efficiently.
 
===Weil pairing===
[[Weil pairing]] is a construction of [[roots of unity]] by means of functions on an [[elliptic curve]] <math>E</math>, in such a way as to constitute a [[pairing]] ([[bilinear form]], though with [[multiplicative notation]]) on the [[torsion subgroup]] of <math>E</math>. Let <math>E/\mathbb{F}_q</math> be an elliptic curve and let <math>\mathbb{\bar{F}}_q</math> be an algebraic closure of <math>\mathbb{F}_q</math>. If <math>m</math> is an integer, relatively prime to the characteristic of the field <math>\mathbb{F}_q</math>, then the group of <math>m</math>-torsion points,
<math>E[m] = {P \in  E(\mathbb{\bar {F}}_q) : mP = O}</math>.
 
If <math>E/\mathbb{F}_q</math> is an elliptic curve and <math>\gcd(m, q) = 1</math> then
 
: <math>E[m] \cong  (\mathbb{Z}/m\mathbb{Z}) * (\mathbb{Z}/m\mathbb{Z})</math>
 
There is a map <math>e_m : E[m] * E[m] \rightarrow \mu_m(\mathbb{F}_q)</math> such that:
 
#(Bilinear) <math>e_m(P + R,Q) = e_m(P,Q)e_m(R,Q)\text{ and }e_m(P,Q + R) = e_m(P,Q)e_m(P, R)</math>.
#(Non-degenerate) <math>e_m(P,Q) = 1</math> for all ''P'' implies that <math>Q = O</math>.
#(Alternating) <math>e_m(P, P) = 1</math>.
 
Also, <math>e_m</math> can be computed efficiently.<ref>http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.88.8848&rep=rep1&type=pdf</ref>
 
===Homomorphic signatures===
 
Let <math>p</math> be a prime and <math>q</math> a prime power. Let <math>V/\mathbb{F}_p</math> be a vector space of dimension <math>D</math> and <math>E/\mathbb{F}_q</math> be an elliptic curve such that <math>P_1, \ldots , P_D  \in  E[p]</math>.
Define <math>h : V \longrightarrow E[p]</math> as follows:
<math>h(u_1, \ldots , u_D) =  \sum_{1 \leq i\leq D} (u_iP_i)</math>.
The function <math>h</math> is an arbitrary homomorphism from <math>V</math> to <math>E[p]</math>.
 
The server chooses <math>s_1, \ldots , s_D</math> secretly in <math>\mathbb{F}_p</math> and publishes a point <math>Q</math> of p-torsion such that <math>e_p(P_i,Q) \not=  1</math> and also publishes  <math>(P_i, s_iQ)</math> for <math>1 \leq i \leq D</math>.
The signature of the vector <math>v = u_1, \ldots , u_D</math> is
<math>\sigma(v) =  \sum_{1 \leq i\leq D} (u_is_iP_i)</math>
Note: This signature is homomorphic since the computation of h is a homomorphism.
 
===Signature verification===
 
Given <math>v = u_1, \ldots , u_D</math> and its signature <math>\sigma</math>, verify that
 
: <math>
\begin{align}
e_p(\sigma,Q) & = e_p \left(\sum_{1 \leq i \leq D} (u_i s_i P_i), Q \right) \\
& = \prod_i e_p(u_i s_i P_i,Q) \\
& = \prod_i e_p(u_i P_i, s_iQ)
\end{align}
</math>
 
The verification crucially uses the bilinearity of the Weil-pairing.
 
==System setup==
The server computes <math>\sigma(v_i)</math> for each <math>1 \leq i \leq k</math>. Transmits <math>v_i, \sigma(v_i)</math>.
At each edge <math>e</math> while computing
<math>y(e) =  \sum_{f \in E:\mathrm{out}(f)=\mathrm{in}(e)} (m_e(f)y(f))</math>
also compute
<math>\sigma(y(e)) =  \sum_{f \in E:\mathrm{out}(f)=\mathrm{in}(e)} (m_e(f)\sigma(y(f)))</math>
on the elliptic curve <math>E</math>.
 
The signature is a point on the elliptic curve with coordinates in <math>\mathbb{F}_q</math>. Thus the size of the signature is <math>2 \log q</math> bits (which is some constant times <math>log(p)</math> bits, depending on the relative size of <math>p</math> and <math>q</math>), and this is the transmission overhead. The computation of the signature <math>h(e)</math> at each vertex requires <math>O(d_{in} \log p \log^{1+\epsilon} q)</math> bit operations, where <math>d_{in}</math> is the in-degree of the vertex <math>in(e)</math>. The verification of a signature requires <math>O((d + k) \log^{2+\epsilon} q)</math> bit operations.
 
==Proof of security==
 
Attacker can produce a collision under the hash function.
 
If given <math>(P_1, \ldots , P_r)</math> points in <math>E[p]</math> find
<math>a = (a_1, \ldots , a_r)  \in  \mathbb{F}_p^r</math> and <math>b = (b_1, \ldots , b_r)  \in  \mathbb{F}_p^r</math>
 
such that <math>a \not= b</math> and
 
: <math>\sum_{1 \leq i \leq r} (a_iP_i) = \sum_{1 \leq j \leq r} (b_jP_j).</math>
 
Proposition: There is a polynomial time reduction from discrete log on the [[cyclic group]] of order <math>p</math> on elliptic curves to Hash-Collision.
 
If <math>r = 2</math>, then we get <math>xP+yQ = uP+vQ</math>. Thus <math>(x-u)P+(y-v)Q = 0</math>.
We claim that <math>x \not = u</math> and <math>y \not =  v</math>. Suppose that <math>x = u</math>, then we would have <math>(y-v)Q = 0</math>, but <math>Q</math> is a point of order <math>p</math> (a prime) thus <math>y-u \equiv 0 \bmod p</math>. In other words <math>y = v</math> in <math>\mathbb{F}_p</math>. This contradicts the assumption that <math>(x, y)</math> and <math>(u, v)</math> are distinct pairs in <math>\mathbb{F}_2</math>. Thus we have that <math>Q = -(x-u)(y-v)^{-1}P</math>, where the inverse is taken as modulo <math>p</math>.
 
If we have r > 2 then we can do one of two things. Either we can take <math>P_1 = P</math> and <math>P_2 = Q</math> as before and set <math>P_i = O</math> for <math>i</math> > 2 (in this case the proof reduces to the case when <math>r = 2</math>), or we can take <math>P_1 = r_1P</math> and <math>P_i = r_iQ</math> where <math>r_i</math> are chosen at random from <math>\mathbb{F}_p</math>. We get one equation in one unknown (the discrete log of <math>Q</math>). It is quite possible that the equation we get does not involve the unknown. However, this happens with very small probability as we argue next. Suppose the algorithm for Hash-Collision gave us that
 
: <math>ar_1P + \sum_{2 \leq i \leq r}(b_ir_iQ) = 0.</math>
 
Then as long as <math>\sum_{2 \leq i \leq r} b_ir_i \not\equiv 0 \bmod p</math>, we can solve for the discrete log of Q. But the <math>r_i</math>’s are unknown to the oracle for Hash-Collision and so we can interchange the order in which this process occurs. In other words, given <math>b_i</math>, for <math>2 \leq i \leq r</math>, not all zero, what is the probability that the <math>r_i</math>’s we chose satisfies <math>\sum_{2 \leq i \leq r} (b_ir_i) = 0</math>? It is clear that the latter probability is <math>1 \over p</math> . Thus with high probability we can solve for the discrete log of <math>Q</math>.
 
We have shown that producing hash collisions in this scheme is difficult. The other method by which an adversary can foil our system is by forging a signature. This scheme for the signature is essentially the Aggregate Signature version of the Boneh-Lynn-Shacham signature scheme.<ref>http://cseweb.ucsd.edu/~hovav/dist/sigs.pdf</ref> Here it is shown that forging a signature is at least as hard as solving the [[elliptic curve Diffie–Hellman]] problem. The only known way to solve this problem on elliptic curves is via computing discrete-logs. Thus forging a signature is at least as hard as solving the computational co-Diffie–Hellman on elliptic curves and probably as hard as computing  discrete-logs.
 
==See also==
*[[Network coding]]
*[[Homomorphic encryption]]
*[[Elliptic curve cryptography]]
*[[Weil pairing]]
*[[Elliptic curve Diffie–Hellman]]
*[[Elliptic curve DSA]]
*[[Digital Signature Algorithm]]
 
==References==
{{Reflist}}
 
==External links==
#[http://research.microsoft.com/pubs/69452/imc06.pdf Comprehensive View of a Live Network Coding P2P System]
#[http://research.microsoft.com/en-us/um/people/klauter/CISS_06.pdf Signatures for Network Coding(presentation) CISS 2006, Princeton]
#[http://www.cse.buffalo.edu/~atri/courses/coding-theory/fall07.html University at Buffalo Lecture Notes on Coding Theory – Dr. Atri Rudra]
 
[[Category:Finite fields]]
[[Category:Coding theory]]
[[Category:Information theory]]
[[Category:Error detection and correction]]

Latest revision as of 16:33, 28 September 2013

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of (even an) honest node is corrupted if at least one of the incoming packets is corrupted. An attacker can easily corrupt a packet even if it is encrypted by either forging the signature or by producing a collision under the hash function. This will give an attacker access to the packets and the ability to corrupt them. Denis Charles, Kamal Jain and Kristin Lauter designed a new homomorphic encryption signature scheme for use with network coding to prevent pollution attacks.[1] The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority. In this scheme it is computationally infeasible for a node to sign a linear combination of the packets without disclosing what linear combination was used in the generation of the packet. Furthermore, we can prove that the signature scheme is secure under well known cryptographic assumptions of the hardness of the discrete logarithm problem and the computational Elliptic curve Diffie–Hellman.

Network coding

Let G=(V,E) be a directed graph where V is a set, whose elements are called vertices or nodes, and E is a set of ordered pairs of vertices, called arcs, directed edges, or arrows. A source sV wants to transmit a file D to a set TV of the vertices. One chooses a vector space W/𝔽p(say of dimension d), where p is a prime, and views the data to be transmitted as a bunch of vectors w1,,wkW. The source then creates the augmented vectors v1,,vk by setting vi=(0,,0,1,,0,wi1,,wid) where wij is the j-th coordinate of the vector wi. There are (i1) zeros before the first '1' appears in vi. One can assume without loss of generality that the vectors vi are linearly independent. We denote the linear subspace (of 𝔽pk+d ) spanned by these vectors by V . Each outgoing edge eE computes a linear combination, y(e), of the vectors entering the vertex v=in(e) where the edge originates, that is to say

y(e)=f:out(f)=v(me(f)y(f))

where me(f)𝔽p. We consider the source as having k input edges carrying the k vectors wi. By induction, one has that the vector y(e) on any edge is a linear combination y(e)=1ik(gi(e)vi) and is a vector in V . The k-dimensional vector g(e)=(g1(e),,gk(e)) is simply the first k coordinates of the vector y(e). We call the matrix whose rows are the vectors g(e1),,g(ek), where ei are the incoming edges for a vertex tT, the global encoding matrix for t and denote it as Gt. In practice the encoding vectors are chosen at random so the matrix Gt is invertible with high probability. Thus any receiver, on receiving y1,,yk can find w1,,wk by solving

[yy2yk]=Gt[w1w2wk]

where the yi are the vectors formed by removing the first k coordinates of the vector yi.

Decoding at the receiver

Each receiver, tT, gets k vectors y1,,yk which are random linear combinations of the vi’s. In fact, if

yi=(αi1,,αik,ai1,,aid)

then

yi=1jk(αijvj).

Thus we can invert the linear transformation to find the vi’s with high probability.

History

Krohn, Freedman and Mazieres proposed a theory[2] in 2004 that if we have a hash function H:VG such that:

Then server can securely distribute H(vi) to each receiver, and to check if

y=1ik(αivi)

we can check whether

H(y)=1ik(αiH(vi))

The problem with this method is that the server needs to transfer secure information to each of the receivers. The hash functions H needs to be transmitted to all the nodes in the network through a separate secure channel.H is expensive to compute and secure transmission of H is not economical either.

Advantages of homomorphic signatures

  1. Establishes authentication in addition to detecting pollution.
  2. No need for distributing secure hash digests.
  3. Smaller bit lengths in general will suffice. Signatures of length 180 bits have as much security as 1024 bit RSA signatures.
  4. Public information does not change for subsequent file transmission.

Signature scheme

The homomorphic property of the signatures allows nodes to sign any linear combination of the incoming packets without contacting the signing authority.

Elliptic curves cryptography over a finite field

Elliptic curve cryptography over a finite field is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

Let 𝔽q be a finite field such that q is not a power of 2 or 3. Then an elliptic curve E over 𝔽q is a curve given by an equation of the form

y2=x3+ax+b,

where a,b𝔽q such that 4a3+27b2=0

Let K𝔽q, then,

E(K)={(x,y)|y2=x3+ax+b}{O}

forms an abelian group with O as identity. The group operations can be performed efficiently.

Weil pairing

Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of E. Let E/𝔽q be an elliptic curve and let F¯q be an algebraic closure of 𝔽q. If m is an integer, relatively prime to the characteristic of the field 𝔽q, then the group of m-torsion points, E[m]=PE(F¯q):mP=O.

If E/𝔽q is an elliptic curve and gcd(m,q)=1 then

E[m](/m)*(/m)

There is a map em:E[m]*E[m]μm(𝔽q) such that:

  1. (Bilinear) em(P+R,Q)=em(P,Q)em(R,Q) and em(P,Q+R)=em(P,Q)em(P,R).
  2. (Non-degenerate) em(P,Q)=1 for all P implies that Q=O.
  3. (Alternating) em(P,P)=1.

Also, em can be computed efficiently.[3]

Homomorphic signatures

Let p be a prime and q a prime power. Let V/𝔽p be a vector space of dimension D and E/𝔽q be an elliptic curve such that P1,,PDE[p]. Define h:VE[p] as follows: h(u1,,uD)=1iD(uiPi). The function h is an arbitrary homomorphism from V to E[p].

The server chooses s1,,sD secretly in 𝔽p and publishes a point Q of p-torsion such that ep(Pi,Q)=1 and also publishes (Pi,siQ) for 1iD. The signature of the vector v=u1,,uD is σ(v)=1iD(uisiPi) Note: This signature is homomorphic since the computation of h is a homomorphism.

Signature verification

Given v=u1,,uD and its signature σ, verify that

ep(σ,Q)=ep(1iD(uisiPi),Q)=iep(uisiPi,Q)=iep(uiPi,siQ)

The verification crucially uses the bilinearity of the Weil-pairing.

System setup

The server computes σ(vi) for each 1ik. Transmits vi,σ(vi). At each edge e while computing y(e)=fE:out(f)=in(e)(me(f)y(f)) also compute σ(y(e))=fE:out(f)=in(e)(me(f)σ(y(f))) on the elliptic curve E.

The signature is a point on the elliptic curve with coordinates in 𝔽q. Thus the size of the signature is 2logq bits (which is some constant times log(p) bits, depending on the relative size of p and q), and this is the transmission overhead. The computation of the signature h(e) at each vertex requires O(dinlogplog1+ϵq) bit operations, where din is the in-degree of the vertex in(e). The verification of a signature requires O((d+k)log2+ϵq) bit operations.

Proof of security

Attacker can produce a collision under the hash function.

If given (P1,,Pr) points in E[p] find a=(a1,,ar)𝔽pr and b=(b1,,br)𝔽pr

such that a=b and

1ir(aiPi)=1jr(bjPj).

Proposition: There is a polynomial time reduction from discrete log on the cyclic group of order p on elliptic curves to Hash-Collision.

If r=2, then we get xP+yQ=uP+vQ. Thus (xu)P+(yv)Q=0. We claim that x=u and y=v. Suppose that x=u, then we would have (yv)Q=0, but Q is a point of order p (a prime) thus yu0modp. In other words y=v in 𝔽p. This contradicts the assumption that (x,y) and (u,v) are distinct pairs in 𝔽2. Thus we have that Q=(xu)(yv)1P, where the inverse is taken as modulo p.

If we have r > 2 then we can do one of two things. Either we can take P1=P and P2=Q as before and set Pi=O for i > 2 (in this case the proof reduces to the case when r=2), or we can take P1=r1P and Pi=riQ where ri are chosen at random from 𝔽p. We get one equation in one unknown (the discrete log of Q). It is quite possible that the equation we get does not involve the unknown. However, this happens with very small probability as we argue next. Suppose the algorithm for Hash-Collision gave us that

ar1P+2ir(biriQ)=0.

Then as long as 2irbiri≢0modp, we can solve for the discrete log of Q. But the ri’s are unknown to the oracle for Hash-Collision and so we can interchange the order in which this process occurs. In other words, given bi, for 2ir, not all zero, what is the probability that the ri’s we chose satisfies 2ir(biri)=0? It is clear that the latter probability is 1p . Thus with high probability we can solve for the discrete log of Q.

We have shown that producing hash collisions in this scheme is difficult. The other method by which an adversary can foil our system is by forging a signature. This scheme for the signature is essentially the Aggregate Signature version of the Boneh-Lynn-Shacham signature scheme.[4] Here it is shown that forging a signature is at least as hard as solving the elliptic curve Diffie–Hellman problem. The only known way to solve this problem on elliptic curves is via computing discrete-logs. Thus forging a signature is at least as hard as solving the computational co-Diffie–Hellman on elliptic curves and probably as hard as computing discrete-logs.

See also

References

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

External links

  1. Comprehensive View of a Live Network Coding P2P System
  2. Signatures for Network Coding(presentation) CISS 2006, Princeton
  3. University at Buffalo Lecture Notes on Coding Theory – Dr. Atri Rudra