Key amplification in unstructured networks

Presentation transcript:

Key amplification in unstructured networks Shishir Nagaraja University of Cambridge

Problem statement
[Figure: LiveJournal network graph with Alice and Bob marked. Source: Trejkaz Xaoza, Touchgraph]

The objective here is to design a decentralized protocol for privacy amplification. The focus of our approach is to tap the topological characteristics of unstructured networks, and how these can be used in constructing an efficient design.

Problem statement
- Alice and Bob are part of a common network – for instance, a social network.
- Alice shares a weak, human-guessable secret with Bob.
- Both want to amplify their shared key before using it.
- Bob would like to ensure that Alice is not a “dodgy” node, and vice versa.

Threat model
- Global passive adversary.
- Adversary arrives after network bootstraps.

Context
- Neither party possesses global topology information.
- Each node shares a strong link key with its neighbours.
- There is no centralized reputation infrastructure available.

Background work
- Prior work on password-authenticated key exchange, in several waves: EKE, SRP, OKE, AMP, S3P, GLNS …
- Provably secure schemes: [GL03], [GL01], [CPP04] …
- Random walks on graph topologies have a rich history; security schemes based on them, less so: SybilGuard, [BF93] …

Our work is complementary to the provably secure schemes listed here. What we are trying to accomplish here is to see how one can combine a decentralized measure of network distance as a security metric and associate it with the degree of success achieved in creating a secure session. So the protocol details given in the associated paper are not the main thrust of this work. Our main goal was to analyze different decentralized schemes and compare them using a well-defined framework.

Scheme
- Alice and Bob each carry out a random walk of k steps.
[Figure: random walks meeting at Intersection1 and Intersection2; labels: Sybil Region, Ali, David]

Multiple independent random walks overlap substantially when the graph topology meets certain conditions – for instance a well-mixing graph. The set of overlapping nodes determines a key amplification path, each of which contributes entropy to the initial weak secret.

Desirable properties
- Protocol efficiency: #collisions/walk-length
- Lower the risk of manipulation from corrupt nodes
- Lower the risk from localized graph sampling
- Avoid key amplification with dodgy nodes

Maximize the set of potential entropy contributors to prevent corrupt nodes colluding together; where graph sampling is too localized, increase the walk length sufficiently. In fact we show that the walk length required to achieve enough collisions is sufficient to minimize this risk.
Lower the risk from localized graph sampling – otherwise this gives an attacker the incentive to come probing your logs looking for entropy contributions.
Protocol efficiency – minimize the walk length and total time required to complete the walk.

Key steps
Alice and Bob wish to generate a link key:
- Find common acquaintances.
- Acquire entropy contribution from acquaintances.
- Generate a common link key from the entropy contributions obtained.

Directed network topologies
- Baseline topology – LiveJournal network of friendship ties
- Scale-freeness – presence of hubs
- Clustering and weak ties
- Community structure

We select a number of network models based on independently testing these network topology properties. The idea is to probe how the number of collisions between random walk schemes varies due to structural attributes of the network topology.

LiveJournal
- |V| = 3.2 million
- |E| = 55 million
[Figure: LiveJournal network graph. Source: Trejkaz Xaoza, Touchgraph]

Pavel Zakharov, Thermodynamic approach for community discovering within the complex networks: LiveJournal study. e-print on arxiv.org: physics/0602063.

Network models – 1
- Scale-free Random (SFR) model.
- Based on massive call graphs from AT&T [Aiello & Chung 2000].
- Choose a gamma of 3.45 after LJ network.
- 3.2 million nodes and 55 million edges.
- Exactly the same degree distribution as the LJ network, but random (uniformly) in all other ways.

Network models – 2
- Kleinberg-Watts-Strogatz model of social networks [Kleinberg 2001]
- p = 1 - local ties
- q = 0 - weak ties
- |V| = 3.2 million
- |E| ~ 55 million

Protocol 1 – Single random walk
- # Collisions or intersections between two random walks, starting from Alice and Bob respectively.
- Simulation:
  - Select a random node, Alice.
  - Bob is selected as follows:
    - With p=0.5, choose another node uniformly at random.
    - With p=0.5, choose Bob as the destination of a random walk of 100 steps with Alice as the starting node.
  - Conduct a single random walk from each node.
  - Measure the # collisions generated.

In the selection of Bob, the first part has a sampling bias towards nodes that are close to you. The second part gives you nodes that are usually quite far apart. The number 100 is a bit excessive, but the basic idea is that the walk length should be longer than that required for convergence.

Protocol 1 – LJ vs Scale-free
[Figure: two panels, LiveJournal and Scale-free Random]

Protocol 1 – LJ vs small-world
[Figure: two panels, LiveJournal and KWS – Weak/Strong ties]

As we can see, for a 50% chance of having a single collision with a randomly chosen Bob, you need anywhere from 500 to 700 steps. Too expensive!

Protocol 2
- Instead of a single walk, Alice and Bob conduct k walks of length t each.
- We chose k=50 walks of length t=40 steps each.
- The length is roughly twice that required for convergence with the stationary distribution for LJ.
- The objective is to create a favourable bias in the neighbourhood of Alice and Bob.
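
An added simulation, not from the original slides, of Protocol 2 on two constructed graphs: one with community structure and one without. The graph generator, the sizes (2000 nodes, k=10, t=10 instead of the slides' k=50, t=40 on LiveJournal) and all function names are assumptions made for illustration.

```python
import random

def block_graph(n, size, deg, p_out, rng):
    """Constructed undirected graph: n nodes in blocks of `size`; each node draws
    `deg` ties inside its block and, with probability p_out, one weak tie anywhere."""
    adj = {v: set() for v in range(n)}

    def link(u, v):
        if u != v:
            adj[u].add(v)
            adj[v].add(u)

    for v in range(n):
        base = v - v % size
        for _ in range(deg):
            link(v, base + rng.randrange(size))
        if rng.random() < p_out:
            link(v, rng.randrange(n))
    return {v: sorted(nb) for v, nb in adj.items()}

def visited(adj, start, k, t, rng):
    """Protocol 2 for one party: k independent random walks of t steps from start."""
    seen = set()
    for _ in range(k):
        v = start
        for _ in range(t):
            if not adj[v]:      # isolated node: the walk cannot continue
                break
            v = rng.choice(adj[v])
            seen.add(v)
    return seen

def mean_common(adj, alice, bob, k=10, t=10, trials=20, seed=1):
    """Average number of nodes on both parties' walks (candidate entropy contributors)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        common = visited(adj, alice, k, t, rng) & visited(adj, bob, k, t, rng)
        total += len(common - {alice, bob})
    return total / trials

_rng = random.Random(7)
CLUSTERED = block_graph(2000, 50, 6, 0.1, _rng)   # 40 communities of 50 nodes
FLAT = block_graph(2000, 2000, 6, 0.0, _rng)      # same size, no communities

if __name__ == "__main__":
    print("same community :", mean_common(CLUSTERED, 0, 25))
    print("other community:", mean_common(CLUSTERED, 0, 1025))
    print("no communities :", mean_common(FLAT, 0, 25))
```

Walks started in the same community share most of it, walks started in different communities share almost nothing, and the graph without communities falls in between.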

LJ – Protocol 2
[Figure: three panels, shortest path distance = 2, 3 and 4]

LJ – Protocol 2
[Figure: three panels, shortest path distance = 8, 9 and 10]

Scalefree (SFR) – Protocol 2

Small world (KWS) – Protocol 2

Analysis
- Protocol 1 (single random walk) – small-world and scale-free perform comparably.
- In Protocol 2 (multiple random walks), both scale-free and small-world seem to do far worse than LJ!
- Reason – community structure of LJ.

So here it is – avoid the dodgy guys by controlling the number of walks and the walk length – SybilGuard [YH 2006] proposed this first.

Analytical reasoning
- We can formulate this as the “same birthday as you” problem on a heavy-tailed distribution of urn sampling.
- SybilGuard assumes a uniform distribution and is therefore wrong to conclude that the required length of random walk is sqrt(n)*log n.
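
An added calculation, not from the original slides, of how a birthday-style estimate of the walk length changes when the sampling distribution is not uniform. It assumes an undirected graph whose walk steps are independent draws from the stationary distribution pi(v) = deg(v)/sum(deg); the degree-sequence generator and the function names are illustrative.

```python
import math

def power_law_degrees(n, gamma, d_min=1):
    """Constructed degree sequence with tail exponent gamma: the rank-r node
    gets degree ~ d_min * (n / r) ** (1 / (gamma - 1))."""
    a = 1.0 / (gamma - 1.0)
    return [max(d_min, round(d_min * (n / r) ** a)) for r in range(1, n + 1)]

def collision_mass(degrees):
    """sum_v pi(v)^2 with pi(v) = deg(v) / sum(deg): the probability that one
    stationary sample drawn by Alice equals one drawn by Bob."""
    total = sum(degrees)
    return sum(d * d for d in degrees) / (total * total)

def expected_collisions(degrees, t):
    """Expected number of matching (Alice step, Bob step) pairs, t samples each."""
    return t * t * collision_mass(degrees)

def steps_for(degrees, m=1.0):
    """Smallest t whose expected number of matching pairs is at least m."""
    norm = math.sqrt(sum(d * d for d in degrees))
    return math.ceil(math.sqrt(m) * sum(degrees) / norm)

N = 10_000
UNIFORM = [1] * N                          # every node equally likely: sqrt(N) steps
HEAVY = power_law_degrees(N, gamma=3.45)   # gamma chosen on the slides after LJ

if __name__ == "__main__":
    for name, deg in (("uniform", UNIFORM), ("heavy-tailed", HEAVY)):
        print(name, "max degree", max(deg), "steps for one collision", steps_for(deg))
```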

Checking back with the framework …
- Protocol efficiency: #collisions/walk-length
- Avoid key amplification with dodgy nodes
- Lower the risk of manipulation from corrupt nodes
- Lower the risk from localized graph sampling

Maximize the set of potential entropy contributors to prevent corrupt nodes colluding together; where graph sampling is too localized, increase the walk length sufficiently. In fact we show that the walk length required to achieve enough collisions is sufficient to minimize this risk.
Lower the risk from localized graph sampling – otherwise this gives an attacker the incentive to come probing your logs looking for entropy contributions.
Protocol efficiency – minimize the walk length and total time required to complete the walk.

Corrupt nodes – Random selection
Probability of a walk of length t going through ts randomly selected nodes of G(V,E) - Gilbert 1998 (Upper bound)

Efficiency of random walks on KWS network model
[Figure: N=5000 nodes; axis: walk length]

Mixing efficiency of SFR and KWS topologies

Mixing efficiency of LiveJournal topology

Protocol details
- Token collection
- List negotiation
- Amplification

Token collection
- Alice sends a blob to her neighbour, who signs it and forwards it to another neighbour, and so on.

List exchange & amplification
- Alice and Bob now exchange the list of nodes on their random walk.
- If Alice and Bob belong to different components that are weakly connected, then this list will be very small.
- Amplification:

Conclusions
- We have proposed a decentralized key amplification scheme that combines a measure of network distance with key amplification success, to avoid dodgy nodes.
- We have shown from simulations that such a scheme is practical in the real world.
- We have played with a number of topology properties to conclude that community structure is vital for high efficiency.
- Applications to other unstructured networks such as sensor networks.