Authenticated Adversarial Routing

1
Authenticated Adversarial Routing

• Yair Amir, Paul Bunn, Rafail Ostrovsky
• 6th IACR Theory of Cryptography Conference
• March 15, 2009

2
Authenticated Adversarial Routing

• Problem Statement
• Solution Ideas
• Conclusion

3
AuthenticatedAdversarial Routing

• Problem Statement
• Adversarial Networks
• Statement of Result
• Previous Work

• Solution Ideas
• Conclusion

4
The Network

• Most basic task two uncorrupted nodes need to
  communicate

R
S
m1, m2, m3,
5
The Adversary

• For clarity, break-up adversary into 2
  (collaborating) adversaries
• Node-controlling Malicious Adversary
• Edge-scheduling Adversary

6
Edge-Scheduling Adversary

• End-to-End, Synchronous
• Only 1 packet can cross an edge per round
• Controls Edges (Up/Down)

R
S
m1, m2, m3,
7
Edge-Scheduling Adversary

• End-to-End, Synchronous
• Only 1 packet can cross an edge per round
• Controls Edges (Up/Down)
• Conforming (Always a Path!)

R
S
m1, m2, m3,
8
Node-Controlling Adversary

• Controls Nodes
• Malicious ? Nodes act arbitrarily
• Dynamic ? Adaptive corruption
• Conforming (Always a Path!)
• Polynomially Bounded

R
S
m1, m2, m3,
9
Node-Controlling Adversary

• Controls Nodes
• Malicious ? Nodes act arbitrarily
• Dynamic ? Adaptive corruption
• Conforming (Always a Path!)
• Malicious nodes allowed gtgt n/2

R
S
m1, m2, m3,
10
The Problem Goals of Routing

• Correctness Packets are output by R without
  duplication or omission
• Throughput Number of messages received as a
  function of time
• Memory per Node

R
S
m1, m2, m3,
11
Our Main Result

• Theorem (informal) If OWFs
  exist THEN routing that is resilient against any
  poly-time conforming (node-controlling
  edge-scheduling) adversary can be achieved with
• Throughput Linear
• O(t ) rounds ? t packets delivered
• Memory per Node O(n4 log n)
• Proof is constructive, local control

12
History of Routing in Malicious Networks

• Fault Detection, Fault Localization
• Awerbuch Holmer Nita-Rotaru Rubens 02
  Barak Goldberg Xiao 08
• A priori select a single-path
• Fault Detection/Localization performed on this
  path
• After identifying fault, new path selected
• Open in BGX 08 how do we handle adaptive
  routing?

13
AuthenticatedAdversarial Routing

• Problem Statement
• Solution Ideas
• Naïve Solutions
• Dynamic Topology Networks
• AG 88 AMS 89 AGR 92 AAGMRS 97 KOR 98
• Highlights of our Solution

• Conclusion

14
Naïve Solutions

• Flooding
• Sender floods one message index signature
• Nodes broadcast message with highest index
• Receiver floods confirmation of receipt
  signature
• Nodes broadcast confirmation with highest index

R
S
m1, m2, m3,
15
Naïve Solutions

• Flooding
• Slow Delivery is sublinear
• Expensive (Pay for Bandwidth Used)

R
S
m1, m2, m3,
16
Slide Protocol

• Slide Protocol
• Afek Gafni 88, Awerbuch Mansour Shavit 89,
  Afek Gafni Rosen 92, Afek Awerbuch Gafni
  Mansour Rosen Shavit 97
• How it works
• Edges viewed as directional
• Internal nodes maintain buffers on every edge
  (size n)
• Protocol proceeds in 3 steps

n




17
Slide Protocol

• Slide Protocol
• Afek Gafni 88, Awerbuch Mansour Shavit 89,
  Afek Gafni Rosen 92, Afek Awerbuch Gafni
  Mansour Rosen Shavit 97
• How it works
• Edges viewed as directional
• Internal nodes maintain buffers on every edge
  (size n)
• Protocol proceeds in 3 steps

n










R
S


18
Slide Protocol

• Slide Protocol
• Afek Gafni 88, Awerbuch Mansour Shavit 89,
  Afek Gafni Rosen 92, Afek Awerbuch Gafni
  Mansour Rosen Shavit 97
• How it works
• Edges viewed as directional
• Internal nodes maintain buffers on every edge
  (size n)
• Protocol proceeds in 3 steps

2) Transfer Packets
3) Re-Shuffle Locally
1) Communicate Heights








R
S
H 2
H 1
H 0
H n-1
H 2
H n
H n-1
H 1
19
Slide Protocol

• Slide Protocol
• Afek Gafni 88, Awerbuch Mansour Shavit 89,
  Afek Gafni Rosen 92, Afek Awerbuch Gafni
  Mansour Rosen Shavit 97
• How it works
• Edges viewed as directional
• Internal nodes maintain buffers on every edge
  (size n)
• Protocol proceeds in 3 steps

2) Transfer Packets
3) Re-Shuffle Locally
1) Communicate Heights
Packets flow downhill from S to R
R
S
20
Slide Protocol

• Slide Protocol
• Afek Gafni 88, Awerbuch Mansour Shavit 89,
  Afek Gafni Rosen 92, Afek Awerbuch Gafni
  Mansour Rosen Shavit 97
• How it works
• Edges viewed as directional
• Internal nodes maintain buffers on every edge
  (size n)
• Protocol proceeds in 3 steps

2) Transfer Packets
3) Re-Shuffle Locally
1) Communicate Heights

• Correctness
• Throughput
• Memory

Linear (Optimal with respect to Conforming
Adversary!)
O(n2 log n)
21
Towards Our Solution

• Assume signatures for all packets
• Adv cannot insert new packets are we done?
• NO! We must counter all malicious behavior
• Examples Message Deletion Message Duplication
  Play-Dead

R
S
m1, m2, m3,
22
Sketch of Proof

• Start with Slide protocol
• Every message of O(n3) bits is expanded into a
  codeword of O(n3) packets
• Sender signs all packets he inserts
• Routing with Responsibility Every time a
  packet is transferred across an edge, adjacent
  nodes sign various forms of communication

23
Sketch of Proof

• After the O(n3) rounds allotted to the transfer
  of any message, we prove one
  of the following happens
• 1. R can decode the codeword
• Successful message transmission
• Great, proceed to the next message!
• 2. R did not receive 8 n3 packets
• Packet Deletion
• Keep track (signed) volume across each edge of
  total volume
• 3. R has received a duplicated packet
• Packet Duplication Packet Deletion
• Keep track (signed) of appearances of each
  packet across each edge
• 4. S was not able to insert 12n3 packets
• Packet Duplication
• Keep track (signed) of potential changes across
  each edge

24
Blacklist

• Non-responding nodes put on blacklist by sender
• Control information is flooded
• Control info is much smaller then messages, so
  does not impact throughput
• Blacklisted nodes dont transfer messages (until
  they are removed)
• Nodes crucial to link S and R wont remain on
  blacklist for long

25
AuthenticatedAdversarial Routing

• Problem Statement
• Solution Approach and Description
• Conclusion

26
Conclusion
Thank You !

• 1st routing protocol secure against
  (node-controllingedge-scheduling) conforming
  adversary
• Same Throughput as non-secure protocols
• Throughput Linear (Optimal!)
• More Memory as non-secure protocols, but still
  polynomial
• Memory O(n4 log n) vs. O(n2 log n)

27
Sketch of Proof

• After the O(n3) rounds allotted to the transfer
  of any message, we prove one of the
  following happens
• 1. R can decode the codeword
• Successful message transmission
• 2. R did not receive 8 n3 packets
• Packet Deletion
• 3. R has received a duplicated packet
• Packet Duplication Packet Deletion
• 4. S was not able to insert 12n3 packets
• Packet Duplication

57
A
B
57
28
Sketch of Proof

• After the O(n3) rounds allotted to the transfer
  of any message, we prove one of the
  following happens
• 1. R can decode the codeword
• Successful message transmission
• 2. R did not receive 8 n3 packets
• Packet Deletion
• 3. R has received a duplicated packet
• Packet Duplication Packet Deletion
• 4. S was not able to insert 12n3 packets
• Packet Duplication

(5, P102)
P102
A
B
(5, P102)
29
Sketch of Proof

• After the O(n3) rounds allotted to the transfer
  of any message, we prove one of the
  following happens
• 1. R can decode the codeword
• Successful message transmission
• 2. R did not receive 8 n3 packets
• Packet Deletion
• 3. R has received a duplicated packet
• Packet Duplication Packet Deletion
• 4. S was not able to insert 12n3 packets
• Packet Duplication

1
-3
C
(-5,3)
(-3, 2)
(-3, 2)
5
4
3
2
2
(-5, 3)
3
A
B
-3
1
D