1
Authenticated Adversarial Routing
Yair Amir, Paul Bunn, Rafail Ostrovsky
6th IACR Theory of Cryptography Conference, March 15, 2009
2
Authenticated Adversarial Routing
- Problem Statement
- Solution Ideas
- Conclusion
3
Authenticated Adversarial Routing
- Problem Statement
  - Adversarial Networks
  - Statement of Result
  - Previous Work
- Solution Ideas
- Conclusion
4
The Network
[Figure: network containing sender S and receiver R; message stream {m1, m2, m3, …}]
Most basic task: two “uncorrupted” nodes need to communicate
5
The Adversary
For clarity, break up the adversary into 2 (collaborating) adversaries:
- Node-controlling Malicious Adversary
- Edge-scheduling Adversary
6
Edge-Scheduling Adversary
- End-to-End, Synchronous
- Only 1 packet can cross an edge per round
- Controls Edges (Up/Down)
7
Edge-Scheduling Adversary
- End-to-End, Synchronous
- Only 1 packet can cross an edge per round
- Controls Edges (Up/Down)
- Conforming (Always a Path!)
8
Node-Controlling Adversary
- Controls Nodes
- “Malicious” ⇒ Nodes act arbitrarily
- “Dynamic” ⇒ Adaptive corruption
- Conforming (Always a Path!)
- Polynomially Bounded
9
Node-Controlling Adversary
- Controls Nodes
- “Malicious” ⇒ Nodes act arbitrarily
- “Dynamic” ⇒ Adaptive corruption
- Conforming (Always a Path!)
- # Malicious nodes allowed >> n/2
10
The Problem: Goals of Routing
- Correctness: “Packets are output by R without duplication or omission”
- Throughput: Number of messages received as a function of time
- Memory per Node
11
Our Main Result
Theorem (informal): If one-way functions (OWFs) exist, then routing that is resilient against any poly-time conforming (node-controlling + edge-scheduling) adversary can be achieved with:
- Throughput: Linear (O(t) rounds, t packets delivered)
- Memory per Node: O(n^4 log n)
Proof is constructive, local control
12
History of Routing in Malicious Networks
Fault Detection, Fault Localization: [Awerbuch Holmer Nita-Rotaru Rubens 02], [Barak Goldberg Xiao 08]
- A priori select a single path
- Fault Detection/Localization performed on this path
- After identifying fault, new path selected
Open in [BGX 08]: how do we handle adaptive routing?
13
Authenticated Adversarial Routing
- Problem Statement
- Solution Ideas
  - Naïve Solutions
  - Dynamic Topology Networks: [AG 88] [AMS 89] [AGR 92] [AAGMRS 97] [KOR 98]
  - Highlights of our Solution
- Conclusion
14
Naïve Solutions
Flooding:
- Sender floods one message + index + signature
- Nodes broadcast message with highest index
- Receiver floods confirmation of receipt + signature
- Nodes broadcast confirmation with highest index
15
Naïve Solutions
Flooding:
- Slow: Delivery is sublinear
- Expensive (Pay for Bandwidth Used)
16
Slide Protocol
“Slide” Protocol: [Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]
How it works:
- Edges viewed as directional
- Internal nodes maintain buffers on every edge (size n)
- Protocol proceeds in 3 steps:
17
Slide Protocol
[Figure: chain of nodes between S and R, each with buffers of size n]
18
Slide Protocol
[Figure: buffers along the path from S to R, with heights labelled H = n, H = n-1, …, H = 2, H = 1, H = 0]
1) Communicate Heights
2) Transfer Packets
3) Re-Shuffle Locally
19
Slide Protocol
1) Communicate Heights
2) Transfer Packets
3) Re-Shuffle Locally
Packets “flow” downhill from S to R
20
Slide Protocol
- Correctness:
- Throughput: Linear (Optimal with respect to Conforming Adversary!)
- Memory: O(n^2 log n)
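The three Slide steps as a small simulation, added here as an example and not taken from the talk or the cited Slide papers. It simplifies the protocol to one buffer per node instead of one per edge; the four-node graph, the alternating conforming edge schedule and the name slide_route are assumptions made for the illustration.

```python
from collections import deque

NODES = ["S", "a", "b", "R"]                      # constructed 4-node network
PATH_A = [("S", "a"), ("a", "R")]
PATH_B = [("S", "b"), ("b", "R")]

def alternating(r):
    """Conforming edge scheduler: one S-R path is always up."""
    return PATH_A if r % 2 == 0 else PATH_B

def slide_route(nodes, schedule, rounds, S="S", R="R"):
    n = len(nodes)
    buf = {v: deque() for v in nodes if v not in (S, R)}
    delivered, inserted = [], 0
    for r in range(rounds):
        # 1) Communicate heights: snapshot before anything moves.
        h = {v: len(q) for v, q in buf.items()}
        h[S], h[R] = n, 0                         # S pinned high, R pinned low
        have = dict(h)                            # packets each node may send
        room = {v: n - h[v] for v in buf}         # free slots (buffer size n)
        moves = []
        # 2) Transfer: at most one packet per up edge, strictly downhill.
        for a, b in schedule(r):
            for u, v in ((a, b), (b, a)):
                if u == R or v == S or h[u] <= h[v] or have[u] == 0:
                    continue
                if v != R:
                    if room[v] == 0:
                        continue
                    room[v] -= 1
                have[u] -= 1
                moves.append((u, v))
        # Remove every sent packet first so none crosses two edges per round.
        in_flight = []
        for u, v in moves:
            if u == S:
                pkt, inserted = inserted, inserted + 1
            else:
                pkt = buf[u].popleft()
            in_flight.append((v, pkt))
        # 3) Re-shuffle locally: with one buffer per node this is an append.
        for v, pkt in in_flight:
            (delivered if v == R else buf[v]).append(pkt)
    return delivered, inserted, {v: list(q) for v, q in buf.items()}
```

Calling slide_route(NODES, alternating, 20) delivers one packet per round after the first two rounds, even though the adversary takes half the edges down every round.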
21
Towards Our Solution
Assume signatures for all packets
- Adv cannot insert “new” packets – are we done?
NO! We must counter all malicious behavior:
- Examples: Message Deletion; Message Duplication; “Play-Dead”; …
22
Sketch of Proof
- Start with “Slide” protocol
- Every message of O(n^3) bits is expanded into a codeword of O(n^3) packets
- Sender signs all packets he inserts
- “Routing with Responsibility”: Every time a packet is transferred across an edge, adjacent nodes sign various forms of communication
23
Sketch of Proof
After the O(n^3) rounds allotted to the transfer of any message, we prove one of the following happens:
1. R can decode the codeword
   - Successful message transmission
   - Great, proceed to the next message!
2. R did not receive 8n^3 packets
   - Packet Deletion
   - Keep track (signed) of total volume across each edge
3. R has received a duplicated packet
   - Packet Duplication + Packet Deletion
   - Keep track (signed) of # of appearances of each packet across each edge
4. S was not able to insert 12n^3 packets
   - Packet Duplication
   - Keep track (signed) of potential changes across each edge
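One way the signed per-edge volume bookkeeping of case 2 can point at a deleting node, added here as an example and not the protocol from the talk or the paper. It assumes that the receiving endpoint signs a running count for each edge and the sending endpoint keeps that receipt; HMAC with constructed per-node keys stands in for signatures, and the path S, A, B, R, the counts and all function names are hypothetical.

```python
import hashlib
import hmac

KEYS = {v: f"demo-key-{v}".encode() for v in "SABR"}   # constructed keys

def sign(signer, u, v, count):
    """HMAC stand-in for signer's signature over 'count packets crossed u->v'."""
    msg = f"{u}->{v}:{count}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def receipt(u, v, count):
    """Issued by receiver v, kept by u as proof that it handed packets on."""
    return {"edge": (u, v), "count": count, "sig": sign(v, u, v, count)}

def verified_volume(r):
    """Return the attested count, or None if the receipt does not verify."""
    u, v = r["edge"]
    ok = hmac.compare_digest(r["sig"], sign(v, u, v, r["count"]))
    return r["count"] if ok else None

def localize_deletion(receipts, capacity, endpoints=("S", "R")):
    """Internal nodes whose signed inflow minus provable outflow exceeds
    what their buffers can hold must have dropped packets."""
    held = {}
    for r in receipts:
        vol = verified_volume(r)
        if vol is None:
            continue          # an unverifiable receipt proves no outflow
        u, v = r["edge"]
        held[u] = held.get(u, 0) - vol
        held[v] = held.get(v, 0) + vol
    return sorted(x for x, k in held.items()
                  if x not in endpoints and k > capacity)

CAPACITY = 8   # constructed: 2 edges per node x buffer size n = 4
HONEST = [receipt("S", "A", 60), receipt("A", "B", 57), receipt("B", "R", 55)]
DROPPING = [receipt("S", "A", 60), receipt("A", "B", 57), receipt("B", "R", 20)]
# B inflates its outflow claim without R's key: the count no longer verifies.
FORGED = DROPPING[:2] + [dict(DROPPING[2], count=55)]
```

localize_deletion returns an empty list for HONEST and ["B"] for both DROPPING and FORGED: B signed for 57 packets coming in and cannot produce R's signature for more than 20 going out.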
24
Blacklist
- Non-responding nodes put on blacklist by sender
- Control information is flooded
- Control info is much smaller than messages, so does not impact throughput
- Blacklisted nodes don’t transfer messages (until they are removed)
- Nodes crucial to link S and R won’t remain on blacklist for long
25
Authenticated Adversarial Routing
- Problem Statement
- Solution Approach and Description
- Conclusion
26
Conclusion
- 1st routing protocol secure against (node-controlling + edge-scheduling) conforming adversary
- Same Throughput as non-secure protocols: Throughput: Linear (Optimal!)
- More Memory than non-secure protocols, but still polynomial: Memory: O(n^4 log n) vs. O(n^2 log n)
27
Sketch of Proof
After the O(n^3) rounds allotted to the transfer of any message, we prove one of the following happens:
1. R can decode the codeword: “Successful” message transmission
2. R did not receive 8n^3 packets: Packet Deletion
3. R has received a duplicated packet: Packet Duplication + Packet Deletion
4. S was not able to insert 12n^3 packets: Packet Duplication
[Figure: nodes A and B joined by an edge, labelled 57 at each end]
28
Sketch of Proof
[Figure: packet P102 on the edge between nodes A and B, labelled (5, P102) at each end]
29
Sketch of Proof
[Figure: nodes A, B, C and D, with edge labels (-5, 3) and (-3, 2)]