Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In.


1 Secure Message Transmission In Asynchronous Directed Networks Kannan Srinathan, Center for Security, Theory and Algorithmic Research, IIIT-Hyderabad. In collaboration with Shashank Agrawal and Abhinav Mehta

2 Motivation
Spy S is in a faraway land. He wants to send a secret message to R.
Faithful messengers, but no timing guarantee; they may not be able to deliver messages in both directions.
Not all intermediaries are faithful – who knows what’s on their mind.
[Figure labels: Spy R, A, B]

3 Abstraction
Network Model
◦ A directed graph N=(V,E)
◦ Two special nodes S and R in the graph
Timing Model
◦ Completely asynchronous system
All nodes know
◦ the topology of the network
◦ the protocol specification

4 Abstraction
Fault Model
◦ An adversary structure A = {B_1, B_2, B_3, B_4, …} where each B_i is a subset of V\{S,R}
◦ One of the B_i’s can be Byzantine corrupt in an execution
◦ Adversary knows
  ▪ the topology of the network
  ▪ the protocol specification
◦ Edges in the network
  ▪ are secure – messages cannot be read or altered
  ▪ but messages can be arbitrarily delayed

5 The problem - PSMT
S wants to send a secret message m chosen from a field to R.
For every corruption B_i and every schedule
◦ Reliability: R always terminates with the secret m.
◦ Privacy: Adversary does not know anything about the secret.
Compromising on reliability and/or privacy we can get different flavors of secure message transmission.

6 Routers or Computational Devices?
Does it matter? YES!
No protocol for SMT exists if intermediate nodes are store-and-forward.
An SMT protocol exists if routers can compute on their payloads.

7 Secret Sharing – an important tool
We use the simple (k,n) threshold scheme (n≥k) to create n shares of a secret.
Knowledge of any set of at most k-1 shares reveals no information about the secret.
Suppose m shares are available (where k≤m≤n)
◦ The secret can be efficiently reconstructed if at least (m+k)/2 shares are correct.
◦ As long as at least (m-k)/2 shares are correct, an incorrect secret will not be reconstructed.

8 Reducing Adversary structure’s size
A protocol for an arbitrary-sized adversary structure exists iff protocols for all its three-sized subsets exist.
Going from size 3 to size 4
◦ Consider A = {B_1, B_2, B_3, B_4}
◦ Consider 4 subsets of A:
  ▪ A_1 = {B_1, B_2, B_3}, A_2 = {B_2, B_3, B_4}, A_3 = {B_1, B_2, B_4}, A_4 = {B_1, B_3, B_4}
  ▪ Let P_i be the protocol tolerating A_i.
◦ At least 3 A_i’s tolerate the actual corrupt set
◦ S does a (2,4) secret sharing to obtain 4 shares of secret m
◦ The share m_i is sent through the protocol P_i tolerating A_i
◦ R waits till 3 of the 4 protocols terminate with a consistent set of shares, and outputs the reconstructed secret

9 Assume B_1 is corrupt
[Figure: S and R joined by sub-protocols P_1, P_2, P_3, P_4 carrying shares m_1, m_2, m_3, m_4]
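
R's waiting rule from slide 8, as an added sketch that is not part of the presentation: it runs the (2,4) sharing and checks that R outputs m under every delivery order when one sub-protocol misbehaves. Assumptions made here: Shamir sharing over the prime field 2^61-1 as the threshold scheme, the one sub-protocol whose A_i does not contain the corrupt set modelled as either never terminating or outputting a wrong share, and all function and class names are hypothetical.

```python
import itertools
import secrets

P = 2**61 - 1  # assumed prime field; the slides only say "a field"

def share_2_of_4(m):
    """(2,4) Shamir sharing: share i is the point (i, m + a*i) on a random line."""
    a = secrets.randbelow(P)
    return {i: (m + a * i) % P for i in range(1, 5)}

def secret_if_collinear(trio):
    """Return the line's value at x=0 if the three points are collinear, else None."""
    (x1, y1), (x2, y2), (x3, y3) = trio
    slope = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    secret = (y1 - slope * x1) % P
    return secret if (secret + slope * x3) % P == y3 else None

class Receiver:
    """R's side: accept outputs of sub-protocols P_i in whatever order they terminate."""
    def __init__(self):
        self.got = {}

    def deliver(self, i, share):
        self.got[i] = share % P
        for trio in itertools.combinations(sorted(self.got.items()), 3):
            secret = secret_if_collinear(trio)
            if secret is not None:
                return secret  # 3 consistent shares: terminate
        return None            # not enough agreement yet: keep waiting

def run_schedule(m, bad, behaviour, order):
    """One execution. P_bad is the single sub-protocol whose A_i misses the
    corrupt set; it either never terminates ("silent") or outputs a wrong share."""
    shares = share_2_of_4(m)
    r = Receiver()
    for i in order:  # order = adversarial delivery schedule
        if i == bad and behaviour == "silent":
            continue
        value = shares[i] + 1 if i == bad else shares[i]
        out = r.deliver(i, value)
        if out is not None:
            return out
    return None

def all_schedules_ok(m):
    """Check reliability for every faulty P_i, both behaviours, every order."""
    return all(run_schedule(m, bad, beh, order) == m
               for bad in range(1, 5)
               for beh in ("silent", "wrong")
               for order in itertools.permutations(range(1, 5)))
```

Any consistent triple contains at least two correct shares, and two points fix the degree-1 polynomial, so R never outputs a wrong secret; the single share that may leak through the non-tolerating sub-protocol is below the threshold k=2.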

10 Paths in a directed graph
Strong path
◦ (the usual path)
Weak path
◦ u_1, u_2 blocked nodes
◦ y_1 head node
[Figure: a weak path with nodes labelled u_1, y_1, u_2]

11 Minimum connectivity
Adversary structure A = {B_1, B_2, B_3}
Theorem
◦ There must exist an honest weak path q_1 such that every blocked node along the path q_1 has a path to R avoiding nodes in B_2 and B_3.
◦ Similarly, paths q_2 and q_3 must exist.

12 [Figure: sub-protocol P_1 using the weak path q_1 between S and R, with B_1 marked; edge labels as extracted: k1+k2, k2, k1, m+k1, k1, mk2, k1]
If B_1 is corrupt, sub-protocols P_2 and P_3, which use weak paths q_2 and q_3 respectively, terminate securely.

13 Impossibility
[Figure: graph with nodes S, R, b1, b2, b3]
Showing impossibility in this graph suffices.
A passive strategy of b1 coupled with an active strategy of b2, along with delaying messages from b3, creates indistinguishability at R.

14 Efficient protocol for threshold adv.
At most t nodes could be corrupt (t≤n)
Exponential-sized adversary structure containing C(n-2, t) subsets
Assume graph is 3t+1 weakly connected and 2t+1 strongly connected
Claim: We can have an efficient protocol for PSMT between any two nodes.

15 [Figure: sub-protocol between S and R over a weak path; edge labels as extracted: k1+k2, k2, k1, m+k1, k1, mk2, k1]
Important: Every blocked node now has 2t+1 paths to R
Assume that a weak path is honest, run a sub-protocol.
Overall, 3t+1 sub-protocols are run, out of which 2t+1 terminate securely.

16 More results in this work
Minimum connectivity requirements for two variants of (0, ∆)-USMT
◦ Monte Carlo
◦ Las Vegas
Requirements match for Las Vegas (0, ∆)-USMT and (0,0)-USMT (referred to so far as PSMT)
Requirements for Monte Carlo (0, ∆)-USMT turn out to be the same as (1, ∆)-USMT – security for free!

17 Open questions
How connectivity is affected by
◦ Limited topology knowledge
◦ Compromising security a little bit
  ▪ This variant has recently been studied (ICITS 2011)
Graph Testing: Given a graph, two special nodes in it and the value of t, can we efficiently find out if it has sufficient connectivity for the existence of a protocol?

18 Thank you

