Secure Message Transmission In Asynchronous Directed Networks

1
Secure Message Transmission In Asynchronous
Directed Networks

• Kannan Srinathan,
• Center for Security, Theory and Algorithmic
  Research,
• IIIT-Hyderabad.
• In collaboration with Shashank Agrawal and
  Abhinav Mehta

2
Motivation
A
B
Faithful messengers but no timing guarantee may
not be able to deliver messages in both directions
Spy R
Spy S is in a far away land. He wants to send a
secret message to R.
Not all intermediaries are faithful who knows
whats on their mind.
3
Abstraction

• Network Model
• A directed graph N(V,E)
• Two special nodes S and R in the graph
• Timing Model
• Completely Asynchronous system
• All nodes know
• the topology of the network
• the protocol specification

4
Abstraction

• Fault Model
• An adversary structure A B1,B2,B3,B4, where
  each Bi is a subset of V\S,R
• One of the Bis can be Byzantine corrupt in an
  execution
• Adversary knows
• the topology of the network
• the protocol specification
• Edges in the network
• are secure messages cannot be read or altered
• but messages can be arbitrarily delayed

5
The problem - PSMT

• S wants to send a secret message m chosen from a
  field to R.
• For every corruption Bi and every schedule
• Reliability R always terminates with the secret
  m.
• Privacy Adversary does not know anything about
  the secret.
• Compromising on reliability and/or privacy we can
  get different flavors of secure message
  transmission.

6
Routers or Computational Devices?

• Does it matter? YES!

No protocol for SMT if store-and-forward
intermediate nodes SMT protocol exists if routers
can compute on their payloads
7
Secret Sharing an important tool

• We use the simple (k,n) threshold scheme (nk) to
  create n shares of a secret
• Knowledge of any set of at most k-1 shares
  reveals no information about the secret.
• Suppose m shares are available (where kmn)
• The secret can be efficiently reconstructed if at
  least (mk)/2 shares are correct.
• As long as at least (m-k)/2 shares are correct,
  an incorrect secret will not be reconstructed.

8
Reducing Adversary structures size

• A protocol for an arbitrary sized adversary
  structure exists iff protocols for all its three
  sized subsets exist
• Going from 3 to size 4
• Consider AB1,B2,B3,B4
• Consider 4 subsets of A
• A1B1,B2,B3, A2B2,B3,B4, A3B1,B2,B4,
  A4B1,B3,B4
• Let Pi be the protocol tolerating Ai.
• At least 3 Ais tolerate the actual corrupt set
• S does a (2,4) secret sharing to obtain 4 shares
  of secret m
• The share mi is sent through the protocol Pi
  tolerating Ai
• R waits till 3 of the 4 protocols terminate with
  a consistent set of shares, and outputs the
  reconstructed secret

9
Assume B1 is corrupt
P1
m1
P2
m2
R
S
P3
m3
P4
m4
10
Paths in a directed graph

• Strong path
• (the usual path)

• Weak path
• u1, u2 blocked nodes
• y1 head node

u1
u2
y1
11
Minimum connectivity

• Adversary structure AB1,B2,B3
• Theorem
• There must exist an honest weak path q1 such that
  every blocked node along the path q1 has a path
  to R avoiding nodes in B2 and B3.
• Similarly, path q2 and q3 must exist.

12
Sub-protocol P1 using the weak path q1
k1
k1
k1
k2
m
k2
k1k2
S
R
mk1
B1
If B1 is corrupt, sub-protocols P2 and P3, which
use weak paths q2 and q3 respectively, terminate
securely.
13
Impossibility
b1
R
S
b2
b3
Showing impossibility in this graph suffices. A
passive strategy of b1 coupled with an active
strategy of b2, along with delaying messages from
b3, creates indistinguishability at R.
14
Efficient protocol for threshold adv.

• At most t nodes could be corrupt (tn)
• Exponential sized adversary structure containing
  (n-2)Ct subsets
• Assume graph is 3t1 weakly connected and 2t1
  strongly connected
• Claim We can have an efficient protocol for PSMT
  between any two nodes.

15
Assume that a weak path is honest, run a
sub-protocol. Overall, 3t1 sub-protocols are run
out of which 2t1 terminate securely.
Important Every blocked node now has 2t1 paths
to R
k1
k1
k1
k2
m
k2
k1k2
S
R
mk1
16
More results in this work

• Minimum connectivity requirements for two
  variants of (0, ?)-USMT
• Monte Carlo
• Las Vegas
• Requirements match for Las Vegas (0, ?)-USMT and
  (0,0)-USMT (referred so far as PSMT)
• Requirements for Monte Carlo (0, ?)-USMT turn out
  to be the same as (1, ?)-USMT security for free!

17
Open questions

• How connectivity is affected by
• Limited topology knowledge
• Compromising security a little bit
• This variant has recently been studied (ICITS
  2011)
• Graph Testing Given a graph, two special nodes
  in it and the value of t, can we efficiently find
  out if it has sufficient connectivity for the
  existence of a protocol

18
Thank you