![Page 1: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/1.jpg)
Secure Message Secure Message Transmission In Transmission In Asynchronous Directed Asynchronous Directed NetworksNetworks
Kannan Srinathan,Center for Security, Theory and Algorithmic Research,
IIIT-Hyderabad.
In collaboration with Shashank Agrawal and Abhinav Mehta
![Page 2: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/2.jpg)
MotivationMotivation
Spy S is in a far away land. He wants to send a secret message to R.
Spy RFaithful messengers but no timing guarantee; may not be able to deliver messages in both directions
Not all intermediaries are faithful – who knows what’s on their mind.
A B
![Page 3: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/3.jpg)
AbstractionAbstractionNetwork Model
◦ A directed graph N=(V,E)◦ Two special nodes S and R in the graph
Timing Model◦ Completely Asynchronous system
All nodes know◦ the topology of the network◦ the protocol specification
![Page 4: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/4.jpg)
AbstractionAbstractionFault Model
◦ An adversary structure A = {B1,B2,B3,B4,…} where each Bi is a subset of V\{S,R}
◦ One of the Bi’s can be Byzantine corrupt in an execution
◦ Adversary knows the topology of the network the protocol specification
◦ Edges in the network are secure – messages cannot be read or altered but messages can be arbitrarily delayed
![Page 5: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/5.jpg)
The problem - PSMTThe problem - PSMTS wants to send a secret message m
chosen from a field to R.
For every corruption Bi and every schedule◦ Reliability: R always terminates with the secret m.
◦ Privacy: Adversary does not know anything about the secret.
Compromising on reliability and/or privacy we can get different flavors of secure message transmission.
![Page 6: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/6.jpg)
Routers or Computational Devices?Does it matter? YES!
No protocol for SMT if store-and-forward intermediate nodesSMT protocol exists if routers can compute on their payloads
![Page 7: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/7.jpg)
Secret Sharing – an Secret Sharing – an important toolimportant toolWe use the simple (k,n) threshold scheme (n≥k) to create n shares of a secret
Knowledge of any set of at most k-1 shares reveals no information about the secret.
Suppose m shares are available (where k≤m≤n) ◦ The secret can be efficiently reconstructed if at
least (m+k)/2 shares are correct.◦ As long as at least (m-k)/2 shares are correct, an
incorrect secret will not be reconstructed.
![Page 8: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/8.jpg)
Reducing Adversary Reducing Adversary structure’s sizestructure’s sizeA protocol for an arbitrary sized adversary
structure exists iff protocols for all its three sized subsets exist
Going from 3 to size 4◦ Consider A={B1,B2,B3,B4}
◦ Consider 4 subsets of A: A1={B1,B2,B3}, A2={B2,B3,B4}, A3={B1,B2,B4}, A4={B1,B3,B4}
Let Pi be the protocol tolerating Ai.
◦ At least 3 Ai’s tolerate the actual corrupt set
◦ S does a (2,4) secret sharing to obtain 4 shares of secret m
◦ The share mi is sent through the protocol Pi tolerating Ai
◦ R waits till 3 of the 4 protocols terminate with a consistent set of shares, and outputs the reconstructed secret
![Page 9: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/9.jpg)
Assume BAssume B11 is corrupt is corrupt
S R
P1
P2
P3
P4
m1
m2
m3
m4
![Page 10: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/10.jpg)
Paths in a directed graphPaths in a directed graphStrong path
◦ (the usual path)
Weak path◦ u1, u2 blocked nodes
◦ y1 head node
u1
y1
u2
![Page 11: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/11.jpg)
Minimum connectivityMinimum connectivityAdversary structure A={B1,B2,B3}
Theorem◦ There must exist an honest weak path q1
such that every blocked node along the path q1 has a path to R avoiding nodes in B2 and B3.
◦ Similarly, path q2 and q3 must exist.
![Page 12: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/12.jpg)
k1+k2
k2k1
m+k1
k1
m k2
k1
S R
If B1 is corrupt, sub-protocols P2 and P3, which use weak paths q2 and q3 respectively, terminate securely.
B1
Sub-protocol P1 using the weak path q1
![Page 13: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/13.jpg)
ImpossibilityImpossibility
S R
b1
b2
b3
Showing impossibility in this graph suffices.A passive strategy of b1 coupled with an active strategy of b2, along with delaying messages from b3, creates indistinguishability at R.
![Page 14: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/14.jpg)
Efficient protocol for Efficient protocol for threshold adv.threshold adv.At most t nodes could be corrupt (t≤n)
Exponential sized adversary structure containing (n-2)Ct subsets
Assume graph is 3t+1 weakly connected and 2t+1 strongly connected
Claim: We can have an efficient protocol for PSMT between any two nodes.
![Page 15: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/15.jpg)
k1+k2
k2k1
m+k1
k1
m k2
k1
S R
Important: Every blocked node now has 2t+1 paths to R
Assume that a weak path is honest, run a sub-protocol.Overall, 3t+1 sub-protocols are run out of which 2t+1 terminate securely.
![Page 16: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/16.jpg)
More results in this workMore results in this workMinimum connectivity requirements
for two variants of (0, ∆)-USMT◦ Monte Carlo◦ Las Vegas
Requirements match for Las Vegas (0, ∆)-USMT and (0,0)-USMT (referred so far as PSMT)
Requirements for Monte Carlo (0, ∆)-USMT turn out to be the same as (1, ∆)-USMT – security for free!
![Page 17: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/17.jpg)
Open questionsOpen questionsHow connectivity is affected by
◦ Limited topology knowledge◦ Compromising security a little bit
This variant has recently been studied (ICITS 2011)
Graph Testing: Given a graph, two special nodes in it and the value of t, can we efficiently find out if it has sufficient connectivity for the existence of a protocol
![Page 18: Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In](https://reader036.vdocument.in/reader036/viewer/2022062716/56649dd15503460f94ac76fa/html5/thumbnails/18.jpg)
Thank youThank you