1 / 18

Secure Message Transmission In Asynchronous Directed Networks

Secure Message Transmission In Asynchronous Directed Networks. Kannan Srinathan , Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In collaboration with Shashank Agrawal and Abhinav Mehta. Motivation. A. B.

neona
Download Presentation

Secure Message Transmission In Asynchronous Directed Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Message Transmission In Asynchronous Directed Networks KannanSrinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In collaboration with ShashankAgrawal and Abhinav Mehta

  2. Motivation A B Faithful messengers but no timing guarantee; may not be able to deliver messages in both directions Spy R Spy S is in a far away land. He wants to send a secret message to R. Not all intermediaries are faithful – who knows what’s on their mind.

  3. Abstraction • Network Model • A directed graph N=(V,E) • Two special nodes S and R in the graph • Timing Model • Completely Asynchronous system • All nodes know • the topology of the network • the protocol specification

  4. Abstraction • Fault Model • An adversary structure A = {B1,B2,B3,B4,…} where each Bi is a subset of V\{S,R} • One of the Bi’s can be Byzantine corrupt in an execution • Adversary knows • the topology of the network • the protocol specification • Edges in the network • are secure – messages cannot be read or altered • but messages can be arbitrarily delayed

  5. The problem - PSMT • S wants to send a secret message m chosen from a field to R. • For every corruption Bi and every schedule • Reliability: R always terminates with the secret m. • Privacy: Adversary does not know anything about the secret. • Compromising on reliability and/or privacy we can get different flavors of secure message transmission.

  6. Routers or Computational Devices? • Does it matter? YES! No protocol for SMT if store-and-forward intermediate nodes SMT protocol exists if routers can compute on their payloads

  7. Secret Sharing – an important tool • We use the simple (k,n) threshold scheme (n≥k) to create n shares of a secret • Knowledge of any set of at most k-1 shares reveals no information about the secret. • Suppose m shares are available (where k≤m≤n) • The secret can be efficiently reconstructed if at least (m+k)/2 shares are correct. • As long as at least (m-k)/2 shares are correct, an incorrect secret will not be reconstructed.

  8. Reducing Adversary structure’s size • A protocol for an arbitrary sized adversary structure exists iff protocols for all its three sized subsets exist • Going from 3 to size 4 • Consider A={B1,B2,B3,B4} • Consider 4 subsets of A: • A1={B1,B2,B3}, A2={B2,B3,B4}, A3={B1,B2,B4}, A4={B1,B3,B4} • Let Pi be the protocol tolerating Ai. • At least 3 Ai’s tolerate the actual corrupt set • S does a (2,4) secret sharing to obtain 4 shares of secret m • The share mi is sent through the protocol Pi tolerating Ai • R waits till 3 of the 4 protocols terminate with a consistent set of shares, and outputs the reconstructed secret

  9. Assume B1 is corrupt P1 m1 P2 m2 R S P3 m3 P4 m4

  10. Paths in a directed graph • Strong path • (the usual path) • Weak path • u1, u2 blocked nodes • y1 head node u1 u2 y1

  11. Minimum connectivity • Adversary structure A={B1,B2,B3} • Theorem • There must exist an honest weak path q1 such that every blocked node along the path q1 has a path to R avoiding nodes in B2 and B3. • Similarly, path q2 and q3 must exist.

  12. Sub-protocol P1 using the weak path q1 k1 k1 k1 k2 m k2 k1+k2 S R m+k1 B1 If B1 is corrupt, sub-protocols P2 and P3, which use weak paths q2 and q3 respectively, terminate securely.

  13. Impossibility b1 R S b2 b3 Showing impossibility in this graph suffices. A passive strategy of b1 coupled with an active strategy of b2, along with delaying messages from b3, creates indistinguishability at R.

  14. Efficient protocol for threshold adv. • At most t nodes could be corrupt (t≤n) • Exponential sized adversary structure containing (n-2)Ct subsets • Assume graph is 3t+1 weakly connected and 2t+1 strongly connected • Claim: We can have an efficient protocol for PSMT between any two nodes.

  15. Assume that a weak path is honest, run a sub-protocol. Overall, 3t+1 sub-protocols are run out of which 2t+1 terminate securely. Important: Every blocked node now has 2t+1 paths to R k1 k1 k1 k2 m k2 k1+k2 S R m+k1

  16. More results in this work • Minimum connectivity requirements for two variants of (0, ∆)-USMT • Monte Carlo • Las Vegas • Requirements match for Las Vegas (0, ∆)-USMT and (0,0)-USMT (referred so far as PSMT) • Requirements for Monte Carlo (0, ∆)-USMT turn out to be the same as (1, ∆)-USMT – security for free!

  17. Open questions • How connectivity is affected by • Limited topology knowledge • Compromising security a little bit • This variant has recently been studied (ICITS 2011) • Graph Testing: Given a graph, two special nodes in it and the value of t, can we efficiently find out if it has sufficient connectivity for the existence of a protocol

  18. Thank you

More Related