Fighting Byzantine Adversaries in Networks: Network Error-Correcting Codes
Michelle Effros, Michael Langberg, Tracey Ho, Sachin Katti, Muriel Médard, Dina Katabi, Sidharth Jaggi
Obligatory Example/History
[Butterfly network figure [ACLY00]: source s multicasts b_1, b_2 to sinks t_1, t_2; the bottleneck link carries b_1+b_2, so each sink decodes (b_1, b_2); C = 2]
[ACLY00] Characterization, non-constructive
[LYC03], [KM02] Constructive (linear), exp-time design
[JCJ03], [SET03] Poly-time design, centralized
[HKMKE03], [JCJ03] Decentralized design
[SET03] Gap provably exists (tons of work)
[This work] All the above, plus security
Multicast Network Model [GDPHE04], [LME04]
Wired and wireless. Simplifying assumptions: all links unit capacity (1 packet/transmission); acyclic network; network = hypergraph; no interference.
ALL of Alice's information decodable EXACTLY by EACH Bob.
Multicast Networks: webcasting, P2P networks, sensor networks.
Multicast Network Model
ALL of Alice's information decodable EXACTLY by EACH Bob.
Upper bound for multicast capacity C: C ≤ min{C_i} [ACLY00]. With mixing, C = min{C_i} achievable! [LCY02], [KM01], [JCJ03], [HKMKE03]
Simple (linear) distributed codes suffice!
Mixing
F(2^m)-linear network [KM01]. Source: group together m bits b_1, …, b_m. Every node: perform linear combinations with coefficients β_1, …, β_k over the finite field F(2^m).
Generalization: the X_1, …, X_k are length-n vectors over F(2^m).
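The mixing operation above can be sketched concretely. This is an illustrative snippet, not code from the talk: it assumes m = 8 and the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 for F(2^8) (any irreducible degree-8 polynomial works), and the names `gf_mul` and `mix` are made up.

```python
# Illustrative sketch of F(2^m)-linear mixing for m = 8, assuming the AES
# reduction polynomial x^8 + x^4 + x^3 + x + 1 (any irreducible octic works).
def gf_mul(a, b, poly=0x11B):
    """Multiply two elements of F(2^8): carry-less multiply, reduce mod poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def mix(packets, coeffs):
    """A node's output packet: the coefficient-weighted sum of its inputs.
    Addition in F(2^8) is XOR, so the sum is an XOR accumulation."""
    out = [0] * len(packets[0])
    for pkt, c in zip(packets, coeffs):
        for i, sym in enumerate(pkt):
            out[i] ^= gf_mul(c, sym)
    return out
```

For instance, the butterfly's bottleneck node would compute `mix([pkt_b1, pkt_b2], [1, 1])`, i.e. the symbol-wise XOR b_1 + b_2.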
Problem! Eavesdropped links, attacked links, corrupted links.
Setup: who knows what at each stage (A = Alice, B = Bob, C = Calvin)
Stage          Who knows
1. Scheme      A, B, C
2. Network     C
3. Message     A, C
4. Code        C
5. Bad links   C
6. Coin        A
7. Transmit    B, C
8. Decode      B ("Eureka!")
Eavesdropped links Z_I, attacked links Z_O. Privacy.
Result(s)
First codes with: optimal rates (C − 2Z_O, C − Z_O); poly-time; distributed; unknown topology; end-to-end; rateless; information-theoretically secure; information-theoretically private; wired/wireless.
[HLKMEK04], [JLHE05], [CY06], [CJL06], [GP06]
Error Correcting Codes
Y = TX + E, with T the generator matrix (e.g., a Reed-Solomon code) and E a low-weight error vector.
Error Correcting Codes
Y = TX + E = TX + T_Z Z, where T and T_Z are (unknown) network transform matrices and Z is a low-weight error vector.
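As a toy instance of this model (a sketch, not the paper's construction): the slides work over F(2^m), but a small prime field GF(251) keeps the arithmetic short, and all dimensions below are made up for illustration.

```python
import numpy as np

# Toy instance of the adversarial network transform Y = T·X + T_Z·Z
# over the prime field GF(251) (standing in for the slides' F(2^m)).
p = 251
rng = np.random.default_rng(0)

C, n, Zo = 3, 8, 1                  # capacity, packet length, attacked links
T  = rng.integers(0, p, (C, C))     # honest network transform
Tz = rng.integers(0, p, (C, Zo))    # transform applied to injected errors
X  = rng.integers(0, p, (C, n))     # Alice's packets
Z  = rng.integers(0, p, (Zo, n))    # Calvin's low-weight injection

Y = (T @ X + Tz @ Z) % p            # what Bob receives
```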
When stuck… "ε-rate secret uncorrupted channels": a useful abstraction/building block. Existing model ([GP06], [CJL06]); we improve!
Example: C = 3, Z_O = 1
n-length vectors; redundancy added at source: X_3 = X_1 + X_2. R = C − Z_O.
Without help: 3n known vs. 4n unknown scalars. Adding secret hashes of X: 4n+6 known vs. 4n+6 unknown; solve for the unknowns (non-linear).
Example: C = 3, Z_O = 1 (continued)
X_3 = X_1 + X_2; 6 secret hashes of X; 4n+6 known vs. 4n+6 unknown; the system is invertible with high probability. Z = (0, z(2), z(3), …, z(n)).
Thm 1, Proof
Theorem 1: Rate C − Z_O − ε achievable with Z_I = {E}, given an ε-rate secret uncorrupted channel. Improves on [GP06/Avalanche] (decentralized) and [CJL06] (optimal).
R = C − Z_O; the T packets carry a C×C identity-matrix header, n >> C [HKMKE03].
Thm 1, Proof (continued)
Theorem 1: Rate C − Z_O − ε achievable with Z_I = {E}, given an ε-rate secret uncorrupted channel.
T and T_Z: the resulting C×C matrix is invertible w.h.p.
Thm 2
Theorem 2: Rate C − 2Z_O − ε achievable with Z_I = {E}.
Example revisited
X_3 = X_1 + X_2; nZ_O more constraints added on X: DX = 0.
This forces Z = (0, z(2), z(3), …, z(n)) down to Z = (0, 0, 0, …, 0). Rate drops from R = C − Z_O to R = C − Z_O − redundancy = C − 2Z_O. Tight (ECC, [CY06]).
Thm 2, "Proof"
Theorem 2: Rate C − 2Z_O − ε achievable with Z_I = {E}.
R = C − 2Z_O; nZ_O extra constraints; D chosen uniformly at random, known to Alice, Bob and Calvin.
Thm 2, "Proof" (continued)
Theorem 2: Rate C − 2Z_O − ε achievable with Z_I = {E}.
Disjoint? T'' non-linear vs. linear; invertible after a basis change (may not be otherwise); D of appropriate dimensions is crucial.
Thm 3, Proof
Theorem 3: Rate C − Z_O − ε achievable with Z_I + 2Z_O < C, i.e., Z_I < C − 2Z_O.
Using Algorithm 2 for a small header, we can transmit secret, correct information… which can then be used for Algorithm 1 decoding! Algorithm 2 rate vs. eavesdropping rate: Z_I < R gives information-theoretic privacy (Theorem 4, etc.).
Summary
        Rate      Conditions
Thm 1   C − Z_O   Secret
Thm 2   C − 2Z_O  Omniscient
Thm 3   C − Z_O   Limited
Optimal rates, poly-time, distributed, unknown topology, end-to-end, rateless, information-theoretically secure/private, wired/wireless.
Backup slides
Network Coding "Justification"
R. Ahlswede, N. Cai, S.-Y. R. Li and R. W. Yeung, "Network information flow," IEEE Trans. on Information Theory, vol. 46, no. 4, pp. 1204-1216, 2000.
≈ 200 papers in 3 years; NetCod workshops, DIMACS working group, ISIT sessions, tutorials, … Several patents, theses…
But what IS Network Coding?
"The core notion of network coding is to allow and encourage mixing of data at intermediate network nodes." (Network Coding homepage)
Point-to-point flows
Capacity C from s to t: Min-cut Max-flow (Menger's) Theorem [M27]; Ford-Fulkerson Algorithm [FF62].
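The min-cut/max-flow value referenced here can be computed with a few lines of BFS-based Ford-Fulkerson (Edmonds-Karp). This is a generic textbook sketch, not code from the talk; capacities are given as an adjacency matrix.

```python
from collections import deque

# Edmonds-Karp: BFS-based Ford-Fulkerson computing the max s-t flow
# (= min-cut capacity, by Menger / max-flow min-cut).
def max_flow(cap, s, t):
    n = len(cap)
    flow = [[0] * n for _ in range(n)]
    total = 0
    while True:
        # BFS for an augmenting path in the residual graph
        parent = [-1] * n
        parent[s] = s
        q = deque([s])
        while q and parent[t] == -1:
            u = q.popleft()
            for v in range(n):
                if parent[v] == -1 and cap[u][v] - flow[u][v] > 0:
                    parent[v] = u
                    q.append(v)
        if parent[t] == -1:          # no augmenting path: flow is maximum
            return total
        # find the bottleneck along the path, then augment
        v, bottleneck = t, float('inf')
        while v != s:
            u = parent[v]
            bottleneck = min(bottleneck, cap[u][v] - flow[u][v])
            v = u
        v = t
        while v != s:
            u = parent[v]
            flow[u][v] += bottleneck
            flow[v][u] -= bottleneck  # residual capacity on the reverse edge
            v = u
        total += bottleneck
```

On a unit-capacity diamond (s with two disjoint paths to t), `max_flow` returns 2, matching the min cut.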
Multicasting
Webcasting, P2P networks, sensor networks.
[Figure: sources s_1, …, s_|S| multicast to sinks t_1, …, t_|T| over a network]
Justifications revisited - I: Throughput
[Butterfly network [ACLY00]: without coding, the bottleneck link must choose between b_1 and b_2; coding it as b_1+b_2 lets both sinks t_1, t_2 recover (b_1, b_2)]
Gap
Without coding: coding capacity = h, routing capacity ≤ 2 [JSCEEJT05], so the gap is provably large.
Multicasting
Upper bound for multicast capacity C: C ≤ min{C_i}.
[ACLY00] achievable! [LYC02] linear codes suffice!! [KM01] "finite field" linear codes suffice!!!
Multicasting
F(2^m)-linear network [KM01]. Source: group together m bits b_1, …, b_m. Every node: perform linear combinations with coefficients β_1, …, β_k over the finite field F(2^m).
Multicasting
Upper bound for multicast capacity C: C ≤ min{C_i}.
[ACLY00] achievable! [LYC02] linear codes suffice!! [KM01] "finite field" linear codes suffice!!! [JCJ03], [SET03] polynomial-time code design!!!!
Thms: Deterministic Codes
For m ≥ log(|T|), there exists an F(2^m)-linear network code, designable in O(|E||T|C(C+|T|)) time [JCJ03], [SET03].
There exist networks for which the minimum m ≈ 0.5 log(|T|) [JCJ03], [LL03].
Justifications revisited - II: Robustness/Distributed design
[Figure: one link breaks]
Justifications revisited - II: Robustness/Distributed design
[Butterfly network: with finite-field arithmetic, combinations b_1+b_2 and b_1+2b_2 on different links still let both sinks recover (b_1, b_2)]
Thm: Random Robust Codes
Original network: C = min{C_i}.
Thm: Random Robust Codes
Faulty network: C' = min{C_i'}. If the value of C' is known to s, the same code can achieve rate C'! (Interior nodes oblivious.)
Thm: Random Robust Codes
For m sufficiently large and rate R < C: choose random coefficients [β] at each node. Probability over [β] that the code works > 1 − |E||T|·2^(−m(C−R)+|V|) [JCJ03], [HKMKE03] (different notions of linearity). Decentralized design.
Much "sparser" linear operations possible: O(m) instead of O(m^2) [JCE06]. Vs. probability of error: a necessary evil?
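The "random coefficients work w.h.p. over a large field" claim can be eyeballed numerically. The sketch below is illustrative only: it draws random C×C matrices over a prime field GF(p) (standing in for the transfer matrix a sink sees under random coding) and estimates how often they are invertible; `invertible_fraction` is a made-up helper name.

```python
import numpy as np

# Monte-Carlo sketch: with random local coefficients, a sink's CxC transfer
# matrix is invertible with probability tending to 1 as the field grows.
# A prime field GF(p) stands in here for the slides' F(2^m).
def invertible_fraction(p, C=3, trials=2000, seed=1):
    rng = np.random.default_rng(seed)
    ok = 0
    for _ in range(trials):
        M = rng.integers(0, p, (C, C))
        # For tiny C and p the float determinant is exact after rounding,
        # so "det != 0 mod p" decides invertibility over GF(p).
        if round(np.linalg.det(M)) % p != 0:
            ok += 1
    return ok / trials
```

Over GF(2) roughly a third of random 3×3 matrices are invertible; over GF(251) almost all are, matching the 2^(−m(C−R)) flavor of the bound.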
Zero-error Decentralized Codes
No a priori network topology information available; information can only be percolated down links. Desired: zero-error code design. One additional resource: each node v_i has a unique ID number i (GPS coordinates/IP address/…). Requires yet other types of linear codes [JHE06?].
Inter-relationships between notions of linearity
[Diagram [JEHM04]: relations among Algebraic (A), Block (B) and Convolutional (C) codes, Multicast (M) vs. General (G) connections, global vs. local descriptions, local I/O = vs. I/O ≠, acyclic (a); Є marks an epsilon rate loss; some relations do not exist]
Justifications revisited - III: Security
Evil adversary hiding in the network, eavesdropping and injecting false information [JLHE05], [JLHKM06?].
Multicasting
Simplifying assumptions (for this talk): single source; directed, acyclic graph; each link has unit capacity; links have zero delay.
Kinds of linearity
Algebraic codes (coefficients β_1, …, β_k on bits b_1, …, b_m); Block codes (b_0, …, b_{m−1}); Convolutional codes (b_0, b_1, …).
Model 1 - Results
[Plot: capacity C vs. noise parameter p, with a threshold at p = 0.5]
Model 1 - Encoding
Packets T_1, …, T_|E|, each followed by a random value r_i and nε hash symbols; hash matrix D with entries
D_ij = T_j(1)·1 + T_j(2)·r_i + … + T_j(n(1−ε))·r_i^(n(1−ε)).
Model 1 - Transmission
Transmitted: T_1, …, T_|E|; r_1, …, r_|E|; D_11, …, D_|E||E|. Received (possibly corrupted): T_1', …, T_|E|'; r_1', …, r_|E|'; D_11', …, D_|E||E|'.
Model 1 - Decoding
"Quick consistency check": does
D_ij' = T_j'(1)·1 + T_j'(2)·r_i' + … + T_j'(n(1−ε))·r_i'^(n(1−ε)) ?
and, symmetrically, does
D_ji' = T_i'(1)·1 + T_i'(2)·r_j' + … + T_i'(n(1−ε))·r_j'^(n(1−ε)) ?
Model 1 - Decoding
Edge i is consistent with edge j if both checks pass:
D_ij' = T_j'(1)·1 + … + T_j'(n(1−ε))·r_i'^(n(1−ε)) and D_ji' = T_i'(1)·1 + … + T_i'(n(1−ε))·r_j'^(n(1−ε)).
This defines a consistency graph.
Model 1 - Decoding
Consistency graph over the received (T', r', D') tuples (self-loops… not important).
Model 1 - Decoding
Detection: select vertices connected to at least |E|/2 other vertices in the consistency graph. Decode using the T_i's on the corresponding edges.
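The detection rule can be sketched directly. `detect` is a hypothetical helper, assuming the pairwise hash checks have already been evaluated into a boolean table.

```python
# Detection step: keep the edges (packets) whose consistency-graph degree
# is at least |E|/2, i.e. that agree with at least half of the others.
def detect(consistent, E):
    """consistent[i][j] is True iff edge i's and edge j's hash checks agree."""
    return [i for i in range(E)
            if sum(consistent[i][j] for j in range(E) if j != i) >= E / 2]
```

With a majority of uncorrupted edges all mutually consistent, the honest edges form a large clique and survive, while an isolated corrupted edge does not.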
Model 1 - Proof
If T_j' ≠ T_j yet D_ij = T_j'(1)·1 + T_j'(2)·r_i + … + T_j'(n(1−ε))·r_i^(n(1−ε)) while D_ij = T_j(1)·1 + T_j(2)·r_i + … + T_j(n(1−ε))·r_i^(n(1−ε)), then ∑_k (T_j(k) − T_j'(k))·r_i^k = 0: a non-zero polynomial in r_i of degree n over F_q, with the value of r_i unknown to Zorba. Probability of error < n/q << 1.
Greater throughput, robust against random errors... Aha! Network Coding!!!
[Figure: Xavier transmits through the network to Yvonne_1, …, Yvonne_|T|; Zorba is hidden inside]
Setup: who knows what at each stage (X = Xavier, Y = Yvonne, Z = Zorba)
Stage          Who knows
1. Scheme      X, Y, Z
2. Network     Z
3. Message     X, Z
4. Code        Z
5. Bad links   Z
6. Coin        X
7. Transmit    Y, Z
8. Decode      Y ("Eureka!")
Wired and wireless (packet losses, fading). Eavesdropped links Z_I, attacked links Z_O.
Unicast
1. Code (X, Y, Z); 2. Message (X, Z); 3. Bad links (Z); 4. Coin (X); 5. Transmission (Y, Z); 6. Decode correctly (Y). "Eureka!"
Setup
Zorba sees M_I links (Z_I) and controls M_O links (Z_O); p_I = M_I/C, p_O = M_O/C.
Xavier and the Yvonnes share no resources (private key, randomness). Zorba is computationally unbounded; Xavier and the Yvonnes perform only "simple" computations.
Zorba knows the protocols and already knows almost all of Xavier's message (except Xavier's private coin tosses). Zorba (hidden) knows the network; Xavier and the Yvonnes don't.
Goal: transmit at "high" rate and w.h.p. decode correctly. Distributed design (interior nodes oblivious/overlay to network coding).
Background
Noisy channel models (Shannon, …): Binary Symmetric Channel.
[Plot: capacity C = 1 − H(p) vs. noise parameter p, reaching 0 at p = 0.5]
Background
Noisy channel models (Shannon, …): Binary Erasure Channel (0/1 erased to E with probability p).
[Plot: capacity C = 1 − p vs. noise parameter p]
Background
Adversarial channel models: "limited-flip" adversary, p_I = 1 (Hamming, Gilbert-Varshamov, McEliece et al., …). Large alphabets (F_q instead of F_2); shared randomness, cryptographic assumptions…
[Plot: capacity C vs. noise parameter p_O]
Upper bounds
[Plot: capacity C vs. noise parameter p_O; C = 0 beyond p_O = 0.5, behavior below 0.5 unknown (?)]
Unicast - Results [JLHE05]
[Plot: capacity C vs. p_I = p_O ("noise parameter" = "knowledge parameter"), with a threshold at 0.5]
Full knowledge ("knowledge parameter" p_I = 1) [Folklore]
[Plot: capacity C vs. noise parameter p_O, with a threshold at 0.5]
Ignorant Zorba
1. Code (X, Y, Z); 2. Message X_p, X_s (X); 3. Bad links (Z); 4. Coin (X); 5. Transmission (Y, Z); 6. Decode correctly (Y, Z). I(Z; X_s) = 0. "Eureka!"
General Multicast Networks
[Plot: capacity (normalized by h) vs. p = |Z|/h, with a threshold at 0.5; source S, relays R_1, …, R_|T|]
Slightly more intricate proof.
Unicast - Encoding
MDS code: message X occupies |E|−|Z| rows x_1, …, block-length n over the finite field F_q, with rate fudge-factor ε. A Vandermonde matrix expands X to |E| rows T_1, …, T_|E| of length n(1−ε), leaving nε symbols per row for "easy to use consistency information".
Unicast - Encoding
Append a random value r and hashes D_1, …, D_|E|, where D_i = T_i(1)·1 + T_i(2)·r + … + T_i(n(1−ε))·r^(n(1−ε)).
Unicast - Transmission
Transmitted: T_1, …, T_|E|; r; D_1, …, D_|E|. Received: T_1', …, T_|E|'; r'; D_1', …, D_|E|'.
Unicast - Quick Decoding
Choose the majority (r, D_1, …, D_|E|). Check D_i = T_i'(1)·1 + T_i'(2)·r + … + T_i'(n(1−ε))·r^(n(1−ε))? If so, accept T_i, else reject T_i. Use the accepted T_i's to decode.
If T_i' ≠ T_i yet the check passes, ∑_k (T_i(k) − T_i'(k))·r^k = 0: a polynomial in r of degree n over F_q, with r unknown to Zorba. Probability of error < n/q << 1.
General Multicast Networks
Multicast Networks [HKMKE03]
y_s(j) = T x_s(j); rate h = C − M_O. Each block carries an h×h identity-matrix header in a slice (h << n, coefficients β_1, …, β_i, …, β_h), so each sink t_1, …, t_|T| learns T and decodes x_s(j) = T^(−1) y_s(j).
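The final step x_s(j) = T^(−1) y_s(j) is just a linear solve over the field. A minimal sketch, assuming a prime field GF(p) (the slides use F(2^m)) and an invertible T; `solve_mod` is an illustrative name.

```python
# Solve T x = y over GF(p) by Gauss-Jordan elimination mod p.
# Assumes T is invertible mod p (true w.h.p. for random network codes).
def solve_mod(T, y, p):
    n = len(T)
    A = [[T[i][j] % p for j in range(n)] + [y[i] % p] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col])  # pivot row
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, p)       # modular inverse of the pivot
        A[col] = [v * inv % p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(A[r][j] - f * A[col][j]) % p for j in range(n + 1)]
    return [A[i][n] for i in range(n)]
```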
Multicast Networks
Observation 1: can treat adversaries as new sources S'_1, …, S'_|Z| alongside S.
[Plot: capacity (normalized by h) vs. p_O, with a threshold at 0.5]
Multicast Networks
Supersource: y'_s(j) = T x_s(j) + T' x'_s(j), with the corrupted part T' x'_s(j) unknown.
Observation 2: w.h.p. over network code design, {T x_s(j)} and {T' x'_s(j)} do not intersect (robust codes…).
Multicast Networks
y'_s(j) = T x_s(j) + T' x'_s(j); ε redundancy. If x_s(2)+x_s(5)−x_s(3) = 0, then y'_s(2)+y'_s(5)−y'_s(3) = a vector in {T' x'_s(j)}; if x_s(3)+2x_s(9)−5x_s(1) = 0, then y'_s(3)+2y'_s(9)−5y'_s(1) = another vector in {T' x'_s(j)}.
Multicast Networks
y'_s(j) = T x_s(j) + T' x'_s(j); ε redundancy. Repeat M_O times: discover {T' x'_s(j)}; "zero out" {T' x'_s(j)} ("when you have eliminated the impossible, whatever remains, however improbable, must be the truth"); estimate T (the redundant x_s(j) are known); linear algebra; decode.
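The role of the source redundancy can be checked numerically: any parity check satisfied by X maps the received Y into the span of the corrupted directions. A toy sketch over a prime field GF(p); the dimensions and the all-ones parity check are made up for illustration.

```python
import numpy as np

# Redundancy trick: if X @ d = 0 for a known parity vector d, then
# Y @ d = T(X @ d) + T'(Z @ d) = T'(Z @ d), a vector in span(T').
p = 251
rng = np.random.default_rng(3)
C, n, Mo = 4, 10, 1
T  = rng.integers(0, p, (C, C))
Tp = rng.integers(0, p, (C, Mo))           # adversary's transform T'
X  = rng.integers(0, p, (C, n))
X[:, -1] = (-X[:, :-1].sum(axis=1)) % p    # redundancy: each row sums to 0
Z  = rng.integers(0, p, (Mo, n))
Y  = (T @ X + Tp @ Z) % p

d = np.ones(n, dtype=int)                  # the parity check: X @ d = 0
v = (Y @ d) % p                            # lands in the span of T'
```

Repeating this with M_O independent checks exposes the whole corrupted subspace, which is then "zeroed out" before solving for X.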
Multicast Networks
y'_s(j) = T x_s(j) + T' x'_s(j). If x_s(2)+x_s(5)−x_s(3) = 0, then y'_s(2)+y'_s(5)−y'_s(3) = a vector in {T' x'_s(j)}; but if also x'_s(2)+x'_s(5)−x'_s(3) = 0, then y'_s(2)+y'_s(5)−y'_s(3) = 0.
Scheme 1(a) “ε-rate secret uncorrupted channels” Useful abstraction
Scheme 1(b) “sub-header based scheme” Works … kind of… … for “many” networks
Scheme 2: "distributed network error-correcting code" (knowledge parameter p_I = 1)
[CY06]: bounds, high-complexity construction. [JHLMK06?]: tight, poly-time construction.
[Plot: capacity C vs. noise parameter p_O, with a threshold at 0.5]
Scheme 2: "distributed network error-correcting code"
y'_s(j) = T x_s(j) + T' x'_s(j), with T' x'_s(j) the error vector; rate 1 − 2p_O.
Scheme 2: "distributed network error-correcting code"
y'_s(j) = T x_s(j) + T' x'_s(j), rewritten as y'_s(j) = T'' x_s(j) + T' x'_s(j) with error vectors e and e'; recover by linear algebra.
Scheme 3: "non-omniscient adversary"
y'_s(j) = T'' x_s(j) + T' x'_s(j); M_I + 2M_O < C, i.e., M_I < C − 2M_O (Scheme 2 rate vs. Zorba's observations).
Using Scheme 2 as a small header, we can transmit secret, correct information… which can be used for Scheme 1(a) decoding!
Variations - Feedback
[Plot: capacity C vs. p]
Variations – Know thy enemy
[Two plots: capacity C vs. p]
Variations – Omniscient but not Omnipresent
Achievability: Gilbert-Varshamov, Algebraic Geometry codes. Converse: generalized MRRW bound.
[Plot: capacity C vs. p]
Variations – Random Noise
SEPARATION between the adversarial capacity C and the noisy-channel capacity C_N.
[Plot: C and C_N vs. p]
Ignorant Zorba - Results
Transmit X_p + X_s and X_s; capacity 1 − 2p. MDS code example: encode (a, b, c) as a+b+c, a+2b+4c, a+3b+9c.
[Plot: capacity C vs. noise parameter p]
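The a+b+c, a+2b+4c, a+3b+9c example is polynomial evaluation at x = 1, 2, 3 (a Vandermonde / Reed-Solomon encoding). A minimal sketch over a prime field GF(p); `mds_encode` is an illustrative name.

```python
# MDS encoding as polynomial evaluation: (a, b, c) becomes the values of
# a + b·x + c·x^2 at the points xs, computed mod p.
def mds_encode(msg, xs, p):
    return [sum(m * pow(x, k, p) for k, m in enumerate(msg)) % p
            for x in xs]
```

Evaluating at x = 1, 2, 3 reproduces the slide's three codeword symbols; any 3 of the evaluations determine (a, b, c), which is the MDS property.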