7.5 Security
7.5.2 Detection of selfish and Byzantine nodes
Unforgeability and randomness of composite MACs ensure that no node except the destination node can learn any information from a received tag or create a valid tag on behalf of other nodes. Given that the authentication tags are unforgeable (in any meaningful manner), a node may follow one of the following three strategies: (a) Honest: follow the protocol correctly, (b) Selfish: leave the tag unchanged when it was required to modify (aggregate or overwrite) the tag, and (c) Byzantine: overwrite the tag with random bits.
Due to the randomness of the composite MAC, the strategies (a), (b) and (c) cannot be selectively applied on packets. Thus, even if a node were to switch between these strategies, it can at best do so randomly. The analysis of the tags, i.e., path identification and detection of misbehaving nodes, is performed over a collection of tags. Thus, analysing several tags will result in plausible evidence about a node's misbehaviour. If a node switches between strategies (a), (b) and (c), this will be reflected in the evidence about this node. The security analysis therefore tolerates nodes which are switching their strategies; the results will simply apply in the ratio the respective strategies were used.
We define the following sets of nodes:
• I: Ordered set of nodes expected in the path.
• I′: Ordered set of nodes contained in the path traversed by the packet(s).
• A: Good nodes in the network, following the protocol correctly and putting the correct identity of the former node into the composite MAC.
• B: Byzantine nodes in the network, modifying the tag in a way that makes it unreadable for the destination node.
• C: Selfish nodes in the network that leave the tag unchanged.
• R: Number of packets used for an analysis.
The detection capabilities of the composite MAC path authentication scheme for Byzantine and selfish nodes are expressed in the following lemma.
Lemma 7.5.1 Given a sufficiently large number of composite MACs, one can with high probability identify: (i) the good nodes in the path and the selfish nodes, prior to a good node in the path, and (ii) the last Byzantine node, or one of the selfish nodes that succeeds the Byzantine node, is detected up to two nodes accuracy. Formally, a series of R ≥ 1 composite MACs as defined in Section 7.4 contains the following information with non-negligible probability P. Furthermore, P converges to 1 for R → ∞. We distinguish the two cases B ∩ I′ = ∅ and B ∩ I′ ≠ ∅.
1. B ∩ I′ = ∅:
Let L∩(X, Y) → Z be the function that takes an ordered set X and a set Y as input, and returns a set Z, which contains for each element x ∈ X ∩ Y the element prior to x in X. Then the information contained in R ≥ 1 composite MACs is:
A ∩ I′ and L∩(I′, A) ∩ C,
namely, the set of good nodes in the path and the set of selfish nodes prior to a good node in the path.
2. B ∩ I′ ≠ ∅:
Let PB(X) (pop-back) be the function that returns the last element of an ordered set X, and R∩(X, Y) → Z be the function that takes an ordered set X and a set Y as input, and returns a set Z which contains for each element x ∈ X ∩ Y the element after x in X. Then the information contained in the series of composite MACs is:
PB(B) ∈ B ∪ C or PB(R∩(I′, B)) ∈ B or (n ∈ C) ∈ B ∪ C,
i.e., the last Byzantine node, or one of the selfish nodes after it, is detected up to two nodes accuracy.
Lemma 7.5.1 shows that, in the absence of a Byzantine adversary, the good nodes can be exactly identified, and selfish nodes can be detected if they are followed by a good node. In the presence of Byzantine nodes, we can localise the misbehaving node to a set of at most two nodes. Since the destination node cannot decide whether a Byzantine or a selfish node is detected in the detection analysis, it has to fear the worst and accuse this node of being Byzantine. This, however, is an incentive for nodes to follow the protocol, since selfish behaviour might be interpreted as Byzantine behaviour.
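The two cases of Lemma 7.5.1 can be exercised with a small simulation, added here as an illustration and not part of the original text. It is a simplified model built on assumptions: a tag is a list of (node, prior node) entries instead of a real composite MAC, the destination knows which action each node was required to take, a Byzantine node always garbles the tag, and aggregating onto a garbled tag leaves it unverifiable; the names `send_packet`, `analyse` and `detection_probability` are hypothetical.

```python
import random

GARBAGE = None  # tag overwritten with random bits: the destination cannot verify it

def send_packet(path, roles, p, q, rng):
    """Return (tag, required). tag is GARBAGE or a list of (node, prior_node) entries;
    required[i] is the action the protocol asked of path[i] for this packet."""
    tag, required = [], []
    for i, node in enumerate(path):
        u = rng.random()
        action = "agg" if u < p else "over" if u < p + q else "keep"
        required.append(action)
        entry = (node, path[i - 1] if i else "src")
        if roles[node] == "byzantine":
            tag = GARBAGE                      # strategy (c)
        elif roles[node] == "honest" and action == "over":
            tag = [entry]                      # benign overwrite replaces earlier state
        elif roles[node] == "honest" and action == "agg" and tag is not GARBAGE:
            tag = tag + [entry]
        # strategy (b), or a required "keep": tag left unchanged
    return tag, required

def analyse(path, roles, p, q, R, seed=7):
    """Destination-side analysis over R tags (constructed model, seeded RNG)."""
    rng, pos = random.Random(seed), {n: i for i, n in enumerate(path)}
    good, selfish, unverifiable, first = set(), set(), 0, None
    for _ in range(R):
        tag, required = send_packet(path, roles, p, q, rng)
        if tag is GARBAGE:
            unverifiable += 1                  # evidence of a Byzantine node on the path
            continue
        seen = {n for n, _ in tag}
        good |= seen
        if tag and (first is None or pos[tag[0][0]] < pos[first]):
            first = tag[0][0]                  # earliest node heading a verifiable tag
        for node, prior in tag:
            # node aggregated, prior was required to modify, yet prior left no entry
            if (prior in pos and prior not in seen and required[pos[node]] == "agg"
                    and required[pos[prior]] != "keep"):
                selfish.add(prior)
    return {"good": good, "selfish": selfish, "unverifiable": unverifiable,
            "no_byzantine_after": first if unverifiable else None}

def detection_probability(P, R):
    """1 - (1 - P)^R: chance that at least one of R tags encodes the wanted set."""
    return 1 - (1 - P) ** R
```

In this model a selfish node at the end of the path is never flagged, because no good node follows it, and with a Byzantine node present only the good nodes behind it are ever authenticated.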
Proof
1. B ∩ I′ = ∅:
In the absence of a Byzantine adversary, each good node aggregates or overwrites the tag with non-negligible probability (p + q), and will be authenticated if no later node overwrites the tag (probability $\geq (1-q)^{|I'|}$). Thus, each good node on the route (A ∩ I′) is authenticated with non-negligible probability $\geq (p+q) \cdot (1-q)^{|I'|} > 0$. Consequently, the set A ∩ I′ is encoded in a single composite MAC with non-negligible probability, say P > 0. Since this statement holds for each composite MAC, in a collection of R composite MACs, the probability that A ∩ I′ is encoded in one of the composite MACs is $1 - (1 - P)^R \to 1$ as $R \to \infty$.
Each good node i includes the identity of the prior node $ID_{i-1}$ (the node
Thus, if a good node aggregates its MAC (which it does with non-negligible probability p > 0), this proves the existence of node i − 1 in the route. If node i − 1 is also supposed to aggregate or overwrite its MAC (probability = p · (p + q) > 0), but it leaves the tag unchanged, then the selfish behaviour of the node is detected. This argument holds for each selfish node that is followed by a good node on the path; hence, L∩(I′, A) ∩ C is encoded in each composite MAC with non-negligible probability, say P. Consequently, the probability that L∩(I′, A) ∩ C is encoded in one of the composite MACs is $1 - (1 - P)^R \to 1$ as $R \to \infty$.
2. B ∩ I′ ≠ ∅:
If one or several Byzantine nodes on the path overwrite the composite MAC with random content, then the destination node cannot verify the tag unless the tag has been overwritten by a benign node that succeeded the last Byzantine node on the path. Firstly, with non-negligible probability, none of the nodes after the last Byzantine node may benignly overwrite the composite MAC, such that the tag remains unverifiable; such an unverifiable tag indicates the existence of a Byzantine node in the path. Secondly, with non-negligible probability, a node g after the Byzantine node (if there exists one) overwrites the tag benignly. This shows that there is no Byzantine node that succeeds node g on the path. However, the node g may be the Byzantine node itself; a Byzantine node could correctly overwrite the tag that it is supposed to overwrite as part of the scheme, but overwrite the remaining tags (that were supposed to be aggregated or kept identical) with random content (see Table 7.2). Thus, by receiving a correctly overwritten tag, the destination node cannot pin-point the Byzantine node; however, it knows that the overwriting node itself or one of the former nodes is Byzantine.
With an increasing number of packets R, the probability that the first good node, say $a_1$, after the Byzantine node overwrites the tag converges to one. At