The SecureRing Group Communication System By Kihlstrom, Moser, and Melliar-Smith ACM Transactions on Information and System Security, November 2001 Presented by Jessica Lunney

Motivation Reliable group communication to create a survivable, distributed system High throughput Reasonable latency Avoid the high overhead of protocols that excessively use digital signatures

Features of a SecureRing Remains correct and reliable despite Byzantine faulty behavior - survivability Allows one digital signature to cover multiple messages

System Model n processors Partially synchronous, distributed Every processor has unique id Completely connected network Processors multicast to everyone, including themselves Logical ring overlaid upon network Every processor has private key and access to public keys

Assumptions Network will not partition All processors (servers) operate deterministically A system of size n always contains: at least ceil((2n + 1)/3) correct processors up to floor((n-1)/3) faulty processors Faulty processors are unable to forge the signature of correct processors

Protocol Hierarchy

Message Delivery Protocol - Properties Non-duplicate Delivery: for any message m, every correct processor p delivers m at most once Authentication: for any message m that contains id of correct processor p, a correct processor q delivers m only if m was originated by p Uniqueness of Message ids: if correct processor p delivers m in configuration C, then no correct processor q delivers m’ in C having the same id as m but a different content

Message Delivery Protocols - Properties Reliable Delivery: if p and q are both correct processors in C, and there is no configuration change, if p originates m then q delivers m Total Order of Messages: if p and q are both correct processors in C that deliver m1 and m2, then p delivers m1 before m2 iff q delivers m1 before m2

Message Delivery Protocol – Block

Message Delivery Protocol - Token

Membership Protocol - Properties Uniqueness of Configuration ids: if a correct processor p installs C, then no correct processor q installs configuration C’ with the same id as C but different contents Self-inclusion: if correct processor p installs C, then p is in C Total order of Configuration: if p and q are both correct and install C1 and C2, then p installs C1 and then C2 iff q installs C1 and then C2

Membership Protocol - Properties Eventual inclusion: if p and q are both correct, there is a time after which p installs a configuration that includes q Eventual exclusion: if p is correct and q is Byzantine faulty, then there is a time after which p installs a configuration that excludes q, and p never subsequently installs a configuration that includes q Eventual inclusion + Eventual exclusion = Liveness

Membership Protocol - Block

Membership Protocol - States

Byzantine Fault Detector - Properties Eventual Strong Byzantine Completeness: there is a time after which every processor that has exhibited a detectable Byzantine fault is permanently suspected by every correct processor Eventual Strong Accuracy: there is a time after which every correct processor is never suspected by any correct processor => ‘Liveness’ of Membership Protocol

Byzantine Fault Detector - Block

Message Diffusion Protocol - Properties Self-receipt: if a correct processor D-multicasts a message m, then it eventually D-receives it Uniform receipt: if a correct processor D-receives a message m, then every correct processor eventually D-receives it

Message Diffusion Protocol Described during faulty operation by Membership and Fault Detection Protocols with complexity O(n2) Fault free operation could use different protocol to increase overall efficiency

Throughput – 300-bit key modulus

Throughput – 512-bit key modulus

Throughput – 768-bit key modulus

Latency – 200 byte messages

Membership Change Time