Probabilities for authentication and detection

As mentioned in the description of the parameter R, the optimal configuration of cn,

p and q depends on the number of packets R used for the analysis. In this section we therefore determine, depending on the number of packets R, the probability to successfully verify or back trace, and to detect Byzantine nodes.

7.6.2.1 Path identification by verification

Analysis of an authentication tag starts with the destination node attempting to verify the tag against the expected path. To this end, the destination node calculates the composite MAC from the verification step in Definition 6 and compares it with the authentication tag in the packet.

As described earlier, let n be the length of the tag divided in cn sub-tags, p

the probability that a node aggregates its MAC to the authentication tag, q the probability that a node overwrites the tag with its MAC, and r the length of the path. The probability that a node at position s ∈ {1, . . . , r} can be verified by one sub-tag, and that the verification does not happen accidently because of the short tag, is:

pv(s) = (q + p)· (1 − q)r−s·

2n/cn_{− 1}

7.6 Configuration and results

Equation 7.2 is derived as follows. The node in position s overwrites it (q) or aggregates its MAC (p) and none of the remaining nodes overwrite it (1−q)r−s_{. The}

probability of not authenticating a node by a successful verification after examining 1 and R tags is then 1_{− p}v(s) and (1− pv(s))R, respectively. Consequently, the

probability to authenticate a node by a successful verification after R packets (= R_·cn

sub-tags) is pv,R(s) = 1− (1 − pv(s))R·cn. Finally, the probability to authenticate

all nodes in the path by successful verification is:

pv,R,r= Y s∈{1,...,r} pv,R(s) = Y s∈{1,...,r} 1− (1 − pv(s))R·cn . (7.3)

7.6.2.2 Path identification by back tracing

If the verification fails, i.e., the composite MAC calculated in the verification step in Definition 6 differs from the tag embedded in the packet, the destination node attempts to back trace with the goal of revealing identities of nodes on the unex- pected path. To this end, the destination node hypothesizes a plausible path, and verifies whether the composite MAC that corresponds to the plausible path matches the received tag. Thus it will perform the verification step in Definition 6 for each plausible path I′ other than the expected path I, and compares it with the received tag. The theoretical complexity of back tracing is exponential in |I′_{|. To reduce}

computational complexity, back tracing is limited to a depth d, i.e., back tracing is limited to one overwriting followed by at most d aggregations. However, tags that contain d + 1 or more aggregations may be ignored by the destination node; thus, some good evidence may be lost. We note that as long as the probability of d + 1 or more aggregations is small (p−d), then the probability of disregarding good evidence is small. Further, the destination node may heuristically enumerate plausible paths, starting with a hypothesized path I′ that slightly varies from the expected path I, to increase the chances of an early hit.

7.6 Configuration and results

Let n, cn, r, p, q, and R be defined as before, and|S| the total number of nodes

that potentially aggregate their MAC to the authentication tag (for example, all nodes in the network). Furthermore, let ˜_{S ⊂ S, | ˜S| > 0 be a set of nodes that} aggregated their MAC to a specific tag. Given _{S the probability that ˜S can be} uniquely derived is:

pd(|S|, | ˜S|, n, d) =      0, n <_{|S| or d < | ˜S|} Q| ˜S| i=12 n₋₂i−1 2n₋₁ , else (7.4)

Setting n = 3, the set of valid MACs is {001, 010, 011, 100, 101, 110, 111}. We do not allow _{0}n _{as a MAC, since it would not be traceable. The first MAC in ˜S can}

now be any element from these valid MACs, yielding a probability of 1 if _{| ˜S| = 1.} For a tag that consists of aggregated MACs in ˜_{S to be traceable, the second MAC} needs to be different from the first one, yielding a probability of 2₂33−2₋₁ that the tag

is traceable. The next MAC must not be identical to the first, or the second or the combination (XOR) of both. Thus the probability that 3 randomly chosen MACs from S are traceable after aggregating them is 23₋₂

23₋₁ ·2 3₋₂2

23₋₁.

The probability that the MAC of a node at position s _{∈ {1, . . . , r} can be} revealed, i.e., back traced from the authentication tag, and that the verification does not happen accidently, is:

pt(s) = (1− q)r−s· 2n/cn_{− 1} 2n/cn ·  q_{· B (d, r − s, p) · B (n/c}n− i, |S| − r, p) · pd(j + i, i, n/cn, d) + p· B (d − 1, r − s − 1, p) · B (n/cn− 1, |S| − r − 1, p) · pd(j + i + 1, i + 1, n/cn, d)  , (7.5) where B(k, m, p) =Pk

l=0pm(1− p)m−l ml
is the cumulative binomial distribution

function. The equation is essentially an extension of Equation 7.2. Firstly, q is the probability that the node at position s overwrites the tag. If this happens, then the nodes on the path between s and the destination node must not overwrite the packet.

7.6 Configuration and results

Furthermore, only a restricted number of nodes have to aggregate their MAC to the tag to keep the tag traceable. The rest of line one therefore calculates the probability that the tag remains traceable after aggregating MACs from the remaining r _{− s} nodes. pi_{(1− p)}r−s−i r−s

i
is the probability that exactly i of the remaining r − s

nodes in the path aggregate their MAC to the tag. pj_{(1− p)}|S|−r−j |S|−r

j
is the

probability that exactly j of the_{|S|−r (all but the r from the path) nodes aggregate} their MAC to the tag. The sums stop at d and _cn

n−i, since pdwould be 0 for greater

values. Recall that pd represents the probability that the tag is traceable. The

second term in the equation can be explained similarly under the supposition that the node at position s aggregates its MAC to the authentication tag. The fraction

2n/cn₋₁

2n/cn finally is the probability that the tag is not just a random tag, i.e., the

analysis of the tag is not a false positive.

Similar to the verification, the probability to authenticate all nodes in the path of length r by back tracing is:

pt,R,r =

Y

s∈{1,...,r}

1_{− (1 − p}t(s))R·cn . (7.6)

7.6.2.3 Detection of Byzantine nodes

Let r be the path length, R the number of the tags used for the analysis and p, q the probabilities for aggregating and overwriting the MAC respectively. The probability of identifying a node at position s∈ {1, . . . , r − 1} that is randomly overwriting the tag (up to a precision of two nodes) by analysing one authentication tag is3:

pB(s) = q(1− q)r−s−1·

2n/cn_{− 1}

2n/cn . (7.7)

3_{Recall from Lemma 7.5.1 that a Byzantine node can at best be identified up to an precision of}

7.6 Configuration and results

Equation 7.7 expresses the probability that the node is at position s + 1, and that none of the remaining nodes overwrites the tag. If the node at position s is corrupting the authentication tag, then the packets that are overwritten by a node between node s and the destination node are correctly embedded in the authentication tag. Once node s has overwritten a tag with its MAC, the destination node knows that the Byzantine node is either node s or one of the prior nodes. Evidently, the boundary between the Byzantine node and the subsequent good nodes in the path gets more precise with the number of analysed packets. The probability to reveal a Byzantine nodes’ identity (up to a precision of two nodes) using R authentication tags, is:

pB,R,r = 1− (1 − pB(s))R·cn . (7.8)