Secure Message Secure Message Transmission In Transmission In Asynchronous Directed Asynchronous Directed NetworksNetworks

Kannan Srinathan,Center for Security, Theory and Algorithmic Research,

IIIT-Hyderabad.

In collaboration with Shashank Agrawal and Abhinav Mehta

MotivationMotivation

Spy S is in a far away land. He wants to send a secret message to R.

Spy RFaithful messengers but no timing guarantee; may not be able to deliver messages in both directions

Not all intermediaries are faithful – who knows what’s on their mind.

A B

AbstractionAbstractionNetwork Model

◦ A directed graph N=(V,E)◦ Two special nodes S and R in the graph

Timing Model◦ Completely Asynchronous system

All nodes know◦ the topology of the network◦ the protocol specification

AbstractionAbstractionFault Model

◦ An adversary structure A = {B1,B2,B3,B4,…} where each Bi is a subset of V\{S,R}

◦ One of the Bi’s can be Byzantine corrupt in an execution

◦ Adversary knows the topology of the network the protocol specification

◦ Edges in the network are secure – messages cannot be read or altered but messages can be arbitrarily delayed

The problem - PSMTThe problem - PSMTS wants to send a secret message m

chosen from a field to R.

For every corruption Bi and every schedule◦ Reliability: R always terminates with the secret m.

◦ Privacy: Adversary does not know anything about the secret.

Compromising on reliability and/or privacy we can get different flavors of secure message transmission.

Routers or Computational Devices?Does it matter? YES!

No protocol for SMT if store-and-forward intermediate nodesSMT protocol exists if routers can compute on their payloads

Secret Sharing – an Secret Sharing – an important toolimportant toolWe use the simple (k,n) threshold scheme (n≥k) to create n shares of a secret

Knowledge of any set of at most k-1 shares reveals no information about the secret.

Suppose m shares are available (where k≤m≤n) ◦ The secret can be efficiently reconstructed if at

least (m+k)/2 shares are correct.◦ As long as at least (m-k)/2 shares are correct, an

incorrect secret will not be reconstructed.

Reducing Adversary Reducing Adversary structure’s sizestructure’s sizeA protocol for an arbitrary sized adversary

structure exists iff protocols for all its three sized subsets exist

Going from 3 to size 4◦ Consider A={B1,B2,B3,B4}

◦ Consider 4 subsets of A: A1={B1,B2,B3}, A2={B2,B3,B4}, A3={B1,B2,B4}, A4={B1,B3,B4}

Let Pi be the protocol tolerating Ai.

◦ At least 3 Ai’s tolerate the actual corrupt set

◦ S does a (2,4) secret sharing to obtain 4 shares of secret m

◦ The share mi is sent through the protocol Pi tolerating Ai

◦ R waits till 3 of the 4 protocols terminate with a consistent set of shares, and outputs the reconstructed secret

Assume BAssume B11 is corrupt is corrupt

S R

P1

P2

P3

P4

m1

m2

m3

m4

Paths in a directed graphPaths in a directed graphStrong path

◦ (the usual path)

Weak path◦ u1, u2 blocked nodes

◦ y1 head node

u1

y1

u2

Minimum connectivityMinimum connectivityAdversary structure A={B1,B2,B3}

Theorem◦ There must exist an honest weak path q1

such that every blocked node along the path q1 has a path to R avoiding nodes in B2 and B3.

◦ Similarly, path q2 and q3 must exist.

k1+k2

k2k1

m+k1

k1

m k2

k1

S R

If B1 is corrupt, sub-protocols P2 and P3, which use weak paths q2 and q3 respectively, terminate securely.

B1

Sub-protocol P1 using the weak path q1

ImpossibilityImpossibility

S R

b1

b2

b3

Showing impossibility in this graph suffices.A passive strategy of b1 coupled with an active strategy of b2, along with delaying messages from b3, creates indistinguishability at R.

Efficient protocol for Efficient protocol for threshold adv.threshold adv.At most t nodes could be corrupt (t≤n)

Exponential sized adversary structure containing (n-2)Ct subsets

Assume graph is 3t+1 weakly connected and 2t+1 strongly connected

Claim: We can have an efficient protocol for PSMT between any two nodes.

k1+k2

k2k1

m+k1

k1

m k2

k1

S R

Important: Every blocked node now has 2t+1 paths to R

Assume that a weak path is honest, run a sub-protocol.Overall, 3t+1 sub-protocols are run out of which 2t+1 terminate securely.

More results in this workMore results in this workMinimum connectivity requirements

for two variants of (0, ∆)-USMT◦ Monte Carlo◦ Las Vegas

Requirements match for Las Vegas (0, ∆)-USMT and (0,0)-USMT (referred so far as PSMT)

Requirements for Monte Carlo (0, ∆)-USMT turn out to be the same as (1, ∆)-USMT – security for free!

Open questionsOpen questionsHow connectivity is affected by

◦ Limited topology knowledge◦ Compromising security a little bit

This variant has recently been studied (ICITS 2011)

Graph Testing: Given a graph, two special nodes in it and the value of t, can we efficiently find out if it has sufficient connectivity for the existence of a protocol

Thank youThank you