1

Authenticated Adversarial Routing

Yair Amir, Paul Bunn, Rafail Ostrovsky

6th IACR Theory of Cryptography ConferenceMarch 15, 2009

2

Authenticated Adversarial Routing Problem Statement Solution Ideas Conclusion

3

AuthenticatedAdversarial Routing Problem Statement

Adversarial Networks Statement of Result Previous Work

Solution Ideas Conclusion

4

The Network

SR

{m1, m2, m3, …}

Most basic task: two “uncorrupted” nodes need to communicate

5

The Adversary

For clarity, break-up adversary into 2 (collaborating) adversaries: Node-controlling Malicious Adversary Edge-scheduling Adversary

6

Edge-Scheduling Adversary

SR

End-to-End, Synchronous Only 1 packet can cross an edge per round

Controls Edges (Up/Down)

{m1, m2, m3, …}

7

Edge-Scheduling Adversary End-to-End, Synchronous

Only 1 packet can cross an edge per round

Controls Edges (Up/Down) Conforming (Always a Path!)

SR

{m1, m2, m3, …}

8

Node-Controlling Adversary

Controls Nodes “Malicious” ⇒ Nodes act arbitrarily “Dynamic” ⇒ Adaptive corruption Conforming (Always a Path!) Polynomially Bounded

SR

{m1, m2, m3, …}

9

Node-Controlling Adversary

SR

Controls Nodes “Malicious” ⇒ Nodes act arbitrarily “Dynamic” ⇒ Adaptive corruption Conforming (Always a Path!)

# Malicious nodes allowed >> n/2

{m1, m2, m3, …}

10

The Problem: Goals of Routing

SR

Correctness: “Packets are output by R without duplication or omission”

Throughput: Number of messages received as a function of time

Memory per Node

{m1, m2, m3, …}

11

Our Main Result

Theorem (informal): If OWF’s exist THEN routing that is resilient against any poly-time conforming (node-controlling + edge-scheduling) adversary can be achieved with: Throughput: Linear

O(t ) rounds t packets delivered Memory per Node: O(n4 log n)

Proof is constructive, local control

12

History of Routing in Malicious Networks Fault Detection, Fault Localization

[Awerbuch Holmer Nita-Rotaru Rubens 02] [Barak Goldberg Xiao 08]

A priori select a single-path Fault Detection/Localization performed

on this path After identifying fault, new path selected

Open in [BGX 08]: how do we handle adaptive routing?

13

AuthenticatedAdversarial Routing

Problem Statement Solution Ideas

Naïve Solutions Dynamic Topology Networks

- [AG 88] [AMS 89] [AGR 92] [AAGMRS 97] [KOR 98]

Highlights of our Solution

Conclusion

14

Naïve Solutions Flooding:

Sender floods one message + index + signature Nodes broadcast message with highest index Receiver floods confirmation of receipt + signature Nodes broadcast confirmation with highest index

SR

{m1, m2, m3, …}

15

Naïve Solutions Flooding:

Slow: Delivery is sublinear Expensive (Pay for Bandwidth Used)

SR

{m1, m2, m3, …}

16

Slide Protocol “Slide” Protocol:

[Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]

How it works: Edges viewed as directional Internal nodes maintain buffers on every edge (size n) Protocol proceeds in 3 steps:

{…

…

…

…

…

…n

17

…

…

…

…

…

…

…… … … ……

RS

……

“Slide” Protocol: [Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek

Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]

How it works: Edges viewed as directional Internal nodes maintain buffers on every edge (size n) Protocol proceeds in 3 steps:

Slide Protocol

n{

18

“Slide” Protocol: [Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek

Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]

How it works: Edges viewed as directional Internal nodes maintain buffers on every edge (size

n) Protocol proceeds in 3 steps:

… ……… … … ……

RSH = n H = n-1 H = 2 H = 1

H = n-1 H = 2 H = 1 H = 0

1) Communicate Heights

2) Transfer Packets 3) Re-Shuffle Locally

Slide Protocol

19

RS

“Slide” Protocol: [Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek

Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]

How it works: Edges viewed as directional Internal nodes maintain buffers on every edge (size

n) Protocol proceeds in 3 steps:

1) Communicate Heights

2) Transfer Packets 3) Re-Shuffle Locally

Slide Protocol

Packets “flow” downhill from S to R

20

Correctness: Throughput: Memory:

Linear (Optimal with respect to Conforming Adversary!)O(n2 log n)

“Slide” Protocol: [Afek Gafni 88], [Awerbuch Mansour Shavit 89], [Afek

Gafni Rosen 92], [Afek Awerbuch Gafni Mansour Rosen Shavit 97]

How it works: Edges viewed as directional Internal nodes maintain buffers on every edge (size

n) Protocol proceeds in 3 steps:

1) Communicate Heights

2) Transfer Packets 3) Re-Shuffle Locally

Slide Protocol

21

Towards Our Solution

SR

Assume signatures for all packets Adv cannot insert “new” packets – are we done?

NO! We must counter all malicious behavior: Examples: Message Deletion; Message Duplication;

“Play-Dead”; …

{m1, m2, m3, …}

22

Sketch of Proof Start with “Slide” protocol

Every message of O(n3) bits is expanded into a codeword of O(n3) packets

Sender signs all packets he inserts

“Routing with Responsibility”: Every time a packet is transferred across an edge, adjacent nodes sign various forms of communication

23

After the O(n3) rounds allotted to the transfer of any message, we prove one of the following happens: 1. R can decode the codeword

Successful message transmission Great, proceed to the next message!

2. R did not receive 8 n3 packets Packet Deletion Keep track (signed) volume across each edge of total volume

3. R has received a duplicated packet Packet Duplication + Packet Deletion Keep track (signed) # of appearances of each packet across each edge

4. S was not able to insert 12n3 packets Packet Duplication Keep track (signed) of potential changes across each edge

Sketch of Proof

24

Blacklist Non-responding nodes put on blacklist

by sender Control information is flooded Control info is much smaller then messages,

so does not impact throughput Blacklisted nodes don’t transfer

messages (until they are removed) Nodes crucial to link S and R won’t

remain on blacklist for long

25

AuthenticatedAdversarial Routing

Problem Statement Solution Approach and Description Conclusion

26

Conclusion 1st routing protocol secure against

(node-controlling+edge-scheduling) conforming adversary

Same Throughput as non-secure protocols: Throughput: Linear (Optimal!)

More Memory as non-secure protocols, but still polynomial: Memory: O(n4 log n) vs. O(n2 log n)

27

After the O(n3) rounds allotted to the transfer of any message, we prove one of the following happens:

1. R can decode the codeword “Successful” message transmission

2. R did not receive 8 n3 packets Packet Deletion

3. R has received a duplicated packet Packet Duplication + Packet Deletion

4. S was not able to insert 12n3 packets Packet Duplication

Sketch of Proof

A B

57

57

28

Sketch of Proof

A BP102

(5, P102)

(5, P102)

After the O(n3) rounds allotted to the transfer of any message, we prove one of the following happens:

1. R can decode the codeword “Successful” message transmission

2. R did not receive 8 n3 packets Packet Deletion

3. R has received a duplicated packet Packet Duplication + Packet Deletion

4. S was not able to insert 12n3 packets Packet Duplication

29

Sketch of Proof

A B

(-5,3)

(-5, 3) 2

5 3

4

1

1

(-3, 2) (-3, 2)

C

D

-3

3

-3

2

After the O(n3) rounds allotted to the transfer of any message, we prove one of the following happens:

1. R can decode the codeword “Successful” message transmission

2. R did not receive 8 n3 packets Packet Deletion

3. R has received a duplicated packet Packet Duplication + Packet Deletion

4. S was not able to insert 12n3 packets Packet Duplication