An Authentication Code against Pollution Attacks in Network Coding

Systems exploiting network coding to increase their throughput suffer greatly from pollution attacks which consist of injecting malicious packets in the network. The pollution attacks are amplified by the network coding process, resulting in a greater damage than under traditional routing. In this paper, we address this issue by designing an unconditionally secure authentication code suitable for multicast network coding. The proposed scheme is robust against pollution attacks from outsiders, as well as coalitions of malicious insiders. Intermediate nodes can verify the integrity and origin of the packets received without having to decode, and thus detect and discard the malicious messages in-transit that fail the verification. This way, the pollution is canceled out before reaching the destinations. We analyze the performance of the scheme in terms of both multicast throughput and goodput, and show the goodput gains. We also discuss applications to file distribution.

💡 Research Summary

Abstract
Network coding dramatically improves multicast throughput by allowing intermediate nodes to linearly combine incoming packets before forwarding them. However, this very property makes the network vulnerable to pollution attacks: a single malicious packet can be mixed with legitimate ones, causing the corruption to spread exponentially. Existing defenses based on digital signatures or MACs require decoding before verification, which is impractical in a coding environment. This paper introduces an unconditionally secure authentication code (A‑code) specifically designed for multicast network coding. The scheme enables intermediate nodes to verify the integrity and origin of each received packet without decoding, thereby discarding polluted packets as soon as they appear. The authors provide a rigorous security analysis against both external adversaries and coalitions of malicious insiders, evaluate throughput and goodput impacts, and discuss practical applications such as secure file distribution.

1. Introduction
Network coding replaces traditional store‑and‑forward routing with algebraic mixing of packets, achieving capacity‑optimal multicast rates. The downside is that a single corrupted packet can be linearly combined with many others, leading to a pollution cascade that can cripple the entire session. Prior work has explored homomorphic signatures and MACs that survive linear combinations, but these rely on computational hardness assumptions and incur significant processing overhead. The authors argue that an information‑theoretic (unconditional) security model is more appropriate for scenarios where attackers may have unlimited computational resources.

2. Related Work
The paper surveys three families of defenses: (i) cryptographic homomorphic signatures (e.g., Boneh‑Franklin, Gennaro‑Rabin), (ii) homomorphic MACs (e.g., SpaceMac), and (iii) secret‑sharing based schemes for routing networks. While homomorphic signatures preserve linearity, they require expensive pairings or exponentiations. Homomorphic MACs are lighter but still need per‑packet key material and are vulnerable to insider collusion beyond a certain threshold. No existing work provides unconditional security for coded multicast traffic, leaving a gap that this paper fills.

3. Threat Model
Two adversarial capabilities are considered:
External attackers have no access to secret keys and can only inject arbitrary packets.
Insider coalitions consist of a subset of intermediate nodes that may have obtained secret‑key shares through compromise. The authors adopt a t‑threshold secret‑sharing model (Shamir) so that any coalition of fewer than t nodes cannot reconstruct the master authentication key. The model assumes that the adversary cannot tamper with the underlying finite field arithmetic.

4. Construction of the Authentication Code

• Key Generation: A trusted source selects a master key (k) from a large finite field (\mathbb{F}_q) and distributes shares ({k_i}) to each intermediate node using a ((t,n)) Shamir secret‑sharing scheme.
• Tag Generation: For each original packet (m_i), the source computes an authentication tag (a_i = f_k(m_i) = \langle k, m_i\rangle) (inner product) or a linear polynomial evaluation. The tag is appended to the packet, yielding ((m_i, a_i)).
• Linear Coding: When a node forms a coded packet (\tilde m = \sum_j \alpha_j m_j), it simultaneously computes (\tilde a = \sum_j \alpha_j a_j). Because the tag function (f_k) is linear, (\tilde a = f_k(\tilde m)) holds automatically.
• Verification: Any node that receives ((\tilde m, \tilde a)) can check the equality (f_k(\tilde m) = \tilde a) using its own key share and the public reconstruction algorithm (without needing to decode the underlying data). A mismatch indicates a polluted packet, which is immediately dropped.

5. Security Proof
The authors prove two main properties:

• External security: Without knowledge of (k), the probability that a forged tag satisfies the verification equation is at most (1/q), negligible for suitably large fields (e.g., (q = 2^{128})).
• Insider security: Given fewer than (t) shares, the coalition’s view of the key is statistically independent of the actual key. Consequently, any forged tag is again random from the verifier’s perspective, preserving the same (1/q) bound. The proof leverages the perfect secrecy of Shamir sharing and the linearity of the tag function.

6. Performance Evaluation

• Overhead: Tags add a constant 8–16 bytes per packet, representing roughly 1–2 % of typical payload sizes.
• Computation: Tag generation and verification each require a single field multiplication and addition, negligible compared with the linear coding operations already performed at each node.
• Simulation Results: In a 20‑node multicast topology with five receivers, the authors inject a single polluted packet. Without authentication, the goodput drops by ~40 % due to widespread contamination. With the proposed A‑code, polluted packets are filtered at the first hop, preserving over 80 % of the theoretical multicast capacity and yielding a 30–50 % goodput improvement.
• File Distribution Scenario: The scheme is applied to a 100‑chunk file transfer. By discarding corrupted chunks early, the number of required retransmissions falls by ~70 %, reducing overall download time and network load.

7. Applications and Extensions
The paper discusses concrete use‑cases: (i) Peer‑to‑Peer file sharing, where each chunk carries its own tag, enabling peers to verify received pieces instantly; (ii) Real‑time streaming, where low‑latency verification prevents buffer underruns caused by polluted frames; and (iii) Dynamic key renewal, suggesting periodic resharing of the master key to mitigate long‑term insider threats. The authors also outline how the construction can be adapted to multi‑source, multi‑destination scenarios by employing separate keys per source and a hierarchical verification process.

8. Conclusion and Future Work
The authors present the first unconditionally secure authentication code tailored for network‑coded multicast. By exploiting the linearity of both the coding operation and the authentication tag, they achieve verification without decoding, dramatically limiting the spread of pollution attacks. Experimental results confirm that the scheme adds minimal bandwidth and computational overhead while delivering substantial goodput gains. Future research directions include (a) extending the design to heterogeneous networks with multiple concurrent sources, (b) automating key distribution and revocation in highly dynamic environments, and (c) prototyping the protocol on real wireless testbeds to assess robustness under packet loss and varying field sizes.