Solutions to Pollution Attacks

2.3.3.1 Filtering Pollution Attacks by Forwarders

Krohn et al. [47] proposed using a homomorphic hash function to verify the check blocks of a downloaded file in peer-to-peer systems, where the check blocks are linear combinations of original file blocks. Gkantsidis and Rodriguez [30] extended Krohn’s approach and presented a homomorphic hashing scheme (called GR’s scheme for short) for securing peer-to-peer file distribution systems with network coding against pollution attacks. Assuming multiple users want to download a file that is divided into n blocks b1, b2, · · · , bn. The source (and the

system) transmits these blocks with linear network coding, that is, each forwarder transmits some encoded block e = Pn

i=1cibi mod q, where (c1, c2, · · · , cn) denotes the encoding vector

and q is a prime. With a homomorphic hash function, the hash of this encoded block can be represented as h(e) =Qn

i=1hci(bi) mod p, where p is another prime. Hence, if a downstream

node obtains the source blocks’ hashes in advance, it is able to verify the encoded block e. However, GR’s scheme has a severe drawback, i.e., it needs some extra secure channels for the source to transmit all of its hashes to the forwarders and sinks before sending the source blocks. Unfortunately, such secure channels do not exist in most networks. Otherwise, if we can find such a secure channel, we can directly send all the source blocks to the sinks and easily solve the pollution attack problem. So, the requirement of extra secure channels makes GR’s scheme inapplicable or impractical in most cases. In addition, GR’s scheme is based on heavy modular exponentiations and hence inefficient for wireless sensor networks.

Charles, Jain and Lauter [19] designed a new homomorphic signature scheme (called CJL’s scheme for short) based on Weil pairing [54, 56] over elliptic curves. CJL’s scheme utilizes a ”linear” signature function based on some torsion points over elliptic curves, while the signature of an encoded message covers the contents of the message and the corresponding encoding vector. This allows forwarders to calculate the signatures of their encoded messages without contacting the source. Hence, CJL’s scheme does not need any secure channels and can even provide source authentication. The main disadvantage of CJL’s scheme is that its underlying pairing operations are extremely time-consuming. So, it is too slow to be used in wireless sensor networks.

Zhao et al. [93] studied the content distribution applications adopting network coding and proposed a signature scheme (called Zhao’s scheme) that allows the forwarders to filter pollution attacks. They divided a source file into multiple vectors that span a subspace. In their scheme, the source calculates a signature of the spanned subspace, then broadcasts it to all the forwarders for them to verify if a received encoded vector is in that subspace or not. To verify one vector, a forwarder should calculate m + n modular exponentiations, which is the same as GR’s scheme, where m is the length of each vector and n is the total number of source vectors. The authors claimed that their approach does not need extra secure channels. However, the public keys and the signature used in Zhao’s scheme are both related to the downloaded file. In the case that a lot of files should be downloaded continuously from the source, this scheme still requires secure channels to update the public keys or signature to all forwarders.

2.3.3.2 Filtering Pollution Attacks by Sinks

Ho et al. [35] studied Byzantine modification attacks in multicast networks and illustrated how randomized network coding can be utilized to detect these attacks without the use of cryptographic functions. In Ho’s scheme, the source attaches each packet with a hash calculated from a polynomial hash function. If Byzantine modification attacks (i.e., pollution attacks) exist, a sink can detect inconsistency between the packets and corresponding hashes with a high

probability, as long as the sink receives some unmodified packet whose content is unknown to the adversaries. The detection probability can be traded off against communication overhead and the number of unmodified packets. Ho’s scheme is computationally efficient for the use of a simple polynomial hash function. However, it only allows the sinks, instead of the forwarders, to detect modification attacks. Hence, it cannot reduce the amount of energy consumed by the forwarders for transmitting the useless polluted packets. In addition, it can only detect (but not filter) polluted packets. So, it cannot help the sinks recover the source packets correctly, given that some polluted packets are detected.

Jaggi et al. [39] discussed how to build resilient network coding in the presence of Byzantine adversaries. Their idea is to append the source messages with extra parity information that can be used by the sinks to correctly recover the source messages even suffering Byzantine attacks. The tradeoff is the sacrifice of data transmission rate. They analyzed the optimal rate that network coding can achieve under different threat models and proposed some polynomial time algorithms to attain these optimal rates. Suppose the network capacity is C. When the adversaries can eavesdrop on all links and jam zo links, their algorithm can achieve a rate of

C − 2zo. However, when the adversaries have limited snooping capabilities, their algorithm

can achieve a higher rate of C − zo. Similar to Ho’s scheme, Jaggi’s algorithms filter pollution

attacks only by the sinks, so they cannot reduce the energy consumption of the forwarders for forwarding polluted information and are not efficient for wireless sensor networks.

CHAPTER 3 ENHANCING CONFIDENTIALITY: Providing Key