Title: Authenticated Adversarial Routing
1. Authenticated Adversarial Routing
- Yair Amir, Paul Bunn, Rafail Ostrovsky
- 6th IACR Theory of Cryptography Conference
- March 15, 2009
2. Authenticated Adversarial Routing
- Problem Statement
- Solution Ideas
- Conclusion
3. Authenticated Adversarial Routing
- Problem Statement
- Adversarial Networks
- Statement of Result
- Previous Work
- Solution Ideas
- Conclusion
4. The Network
- Most basic task: two uncorrupted nodes need to communicate
[Figure: S sends messages m1, m2, m3, ... to R]
5. The Adversary
- For clarity, break up adversary into 2 (collaborating) adversaries
  - Node-controlling Malicious Adversary
  - Edge-scheduling Adversary
6. Edge-Scheduling Adversary
- End-to-End, Synchronous
- Only 1 packet can cross an edge per round
- Controls Edges (Up/Down)
7. Edge-Scheduling Adversary
- End-to-End, Synchronous
- Only 1 packet can cross an edge per round
- Controls Edges (Up/Down)
- Conforming (Always a Path!)
8. Node-Controlling Adversary
- Controls Nodes
- Malicious: Nodes act arbitrarily
- Dynamic: Adaptive corruption
- Conforming (Always a Path!)
- Polynomially Bounded
9. Node-Controlling Adversary
- Controls Nodes
- Malicious: Nodes act arbitrarily
- Dynamic: Adaptive corruption
- Conforming (Always a Path!)
- Malicious nodes allowed >> n/2
10. The Problem: Goals of Routing
- Correctness: Packets are output by R without duplication or omission
- Throughput: Number of messages received as a function of time
- Memory per Node
11. Our Main Result
- Theorem (informal): If OWFs exist, THEN routing that is resilient against any poly-time conforming (node-controlling + edge-scheduling) adversary can be achieved with:
  - Throughput: Linear
    - O(t) rounds → t packets delivered
  - Memory per Node: O(n^4 log n)
- Proof is constructive, local control
12. History of Routing in Malicious Networks
- Fault Detection, Fault Localization
  - [Awerbuch Holmer Nita-Rotaru Rubens 02], [Barak Goldberg Xiao 08]
- A priori select a single path
- Fault Detection/Localization performed on this path
- After identifying fault, new path selected
- Open in [BGX 08]: how do we handle adaptive routing?
13. Authenticated Adversarial Routing
- Problem Statement
- Solution Ideas
  - Naïve Solutions
  - Dynamic Topology Networks
    - [AG 88], [AMS 89], [AGR 92], [AAGMRS 97], [KOR 98]
  - Highlights of our Solution
14. Naïve Solutions
- Flooding
  - Sender floods one message + index + signature
  - Nodes broadcast message with highest index
  - Receiver floods confirmation of receipt + signature
  - Nodes broadcast confirmation with highest index
15. Naïve Solutions
- Flooding
  - Slow: Delivery is sublinear
  - Expensive (Pay for Bandwidth Used)
16. Slide Protocol
- Slide Protocol
  - [Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]
- How it works
  - Edges viewed as directional
  - Internal nodes maintain buffers on every edge (size n)
  - Protocol proceeds in 3 steps
18. Slide Protocol
- Protocol proceeds in 3 steps
  1) Communicate Heights
  2) Transfer Packets
  3) Re-Shuffle Locally
[Figure: network between S and R, with buffers labelled by heights from H = 0 up to H = n]
19. Slide Protocol
- Packets flow downhill from S to R
20. Slide Protocol
- Correctness
- Throughput: Linear (Optimal with respect to Conforming Adversary!)
- Memory: O(n^2 log n)
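The three steps above can be run against a conforming edge scheduler; this is an added example, not code from the talk or the cited papers. It simplifies the protocol to one buffer of capacity n per internal node instead of one per edge, and the names `slide`, `starve_b` and `DIAMOND` are assumptions made for the illustration. In the constructed run the scheduler always leaves a path from S to R, yet one packet stays stranded in a buffer whose edges never come back up.

```python
from collections import deque

def slide(n, schedule, rounds, packets):
    """Simplified Slide run: node 0 is S, node n-1 is R, one buffer of
    capacity n per internal node (the real protocol keeps one per edge)."""
    S, R, cap = 0, n - 1, n
    pending = deque(packets)                      # packets S has not inserted yet
    buf = {v: deque() for v in range(1, n - 1)}   # internal buffers
    delivered = []
    for r in range(1, rounds + 1):
        # Step 1: communicate heights (snapshot taken at the start of the round).
        h = {v: len(b) for v, b in buf.items()}
        h[S] = cap if pending else 0              # S looks full while it has data
        h[R] = 0                                  # R always looks empty
        budget = dict(h)                          # packets each node may still send
        budget[S] = len(pending)
        # Step 2: at most one packet per up edge, from the higher side to the lower.
        for u, v in sorted(schedule(r)):
            src, dst = (u, v) if h[u] > h[v] else (v, u)
            if h[src] == h[dst] or src == R or dst == S or budget[src] == 0:
                continue
            if dst != R and len(buf[dst]) >= cap:
                continue                          # never overflow a buffer
            pkt = (pending if src == S else buf[src]).popleft()
            budget[src] -= 1
            (delivered if dst == R else buf[dst]).append(pkt)
        # Step 3 (local re-shuffle between per-edge buffers) is a no-op here,
        # because this model keeps a single buffer per node.
    stranded = {v: list(b) for v, b in buf.items() if b}
    return delivered, stranded, list(pending)

# Constructed demo: diamond S=0, a=1, b=2, R=3. All edges are up in round 1,
# afterwards the scheduler keeps only the path 0-1-3 up (still conforming).
DIAMOND = [(0, 1), (0, 2), (1, 3), (2, 3)]

def starve_b(r):
    return DIAMOND if r == 1 else [(0, 1), (1, 3)]

if __name__ == "__main__":
    print(slide(4, starve_b, 20, range(6)))
```

On a path that is always up, t packets arrive in t + 1 rounds in this model; in the diamond run nothing is duplicated, but the packet parked at node 2 is never delivered.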
21. Towards Our Solution
- Assume signatures for all packets
- Adv cannot insert new packets: are we done?
- NO! We must counter all malicious behavior
- Examples: Message Deletion, Message Duplication, Play-Dead
22. Sketch of Proof
- Start with Slide protocol
- Every message of O(n^3) bits is expanded into a codeword of O(n^3) packets
- Sender signs all packets he inserts
- Routing with Responsibility: Every time a packet is transferred across an edge, adjacent nodes sign various forms of communication
23. Sketch of Proof
- After the O(n^3) rounds allotted to the transfer of any message, we prove one of the following happens:
- 1. R can decode the codeword
  - Successful message transmission
  - Great, proceed to the next message!
- 2. R did not receive 8n^3 packets
  - Packet Deletion
  - Keep (signed) track of the total volume across each edge
- 3. R has received a duplicated packet
  - Packet Duplication + Packet Deletion
  - Keep (signed) track of appearances of each packet across each edge
- 4. S was not able to insert 12n^3 packets
  - Packet Duplication
  - Keep (signed) track of potential changes across each edge
24. Blacklist
- Non-responding nodes put on blacklist by sender
- Control information is flooded
- Control info is much smaller than messages, so does not impact throughput
- Blacklisted nodes don't transfer messages (until they are removed)
- Nodes crucial to link S and R won't remain on blacklist for long
25. Authenticated Adversarial Routing
- Problem Statement
- Solution Approach and Description
- Conclusion
26. Conclusion
- 1st routing protocol secure against (node-controlling + edge-scheduling) conforming adversary
- Same Throughput as non-secure protocols
  - Throughput: Linear (Optimal!)
- More Memory than non-secure protocols, but still polynomial
  - Memory: O(n^4 log n) vs. O(n^2 log n)
Thank You!
27. Sketch of Proof
- After the O(n^3) rounds allotted to the transfer of any message, we prove one of the following happens:
- 1. R can decode the codeword
  - Successful message transmission
- 2. R did not receive 8n^3 packets
  - Packet Deletion
- 3. R has received a duplicated packet
  - Packet Duplication + Packet Deletion
- 4. S was not able to insert 12n^3 packets
  - Packet Duplication
[Figure: nodes A and B, labels 57]
28. Sketch of Proof
[Figure: nodes A and B, labels P102 and (5, P102)]
29. Sketch of Proof
[Figure: nodes A, B, C and D with numeric labels]