Yair Amir ∗
Paul Bunn †
Rafail Ostrovsky ‡
Abstract

The aim of this paper is to demonstrate the feasibility of authenticated throughput-efficient routing in an unreliable and dynamically changing synchronous network in which the majority of malicious insiders try to destroy and alter messages or disrupt communication in any way. More specifically, in this paper we seek to answer the following question: Given a network in which the majority of nodes are controlled by a node-controlling adversary and whose topology is changing every round, is it possible to develop a protocol with polynomially-bounded memory per processor that guarantees throughput-efficient and correct end-to-end communication? We answer the question affirmatively for extremely general corruption patterns: we only request that the topology of the network and the corruption pattern of the adversary leave at least one path each round connecting the sender and receiver through honest nodes (though this path may change at every round). Our construction works in the public-key setting and enjoys bounded memory per processor (that does not depend on the amount of traffic and is polynomial in the network size). Our protocol achieves optimal transfer rate with negligible decoding error. We stress that our protocol assumes no knowledge of which nodes are corrupted nor which path is reliable at any round, and is also fully distributed with nodes making decisions locally, so that they need not know the topology of the network at any time.

The optimality that we prove for our protocol is very strong. Given any routing protocol, we evaluate its efficiency (rate of message delivery) in the worst case, that is with respect to the worst possible graph and against the worst possible (polynomially bounded) adversarial strategy (subject to the above mentioned connectivity constraints). Using this metric, we show that there does not exist any protocol that can be asymptotically superior (in terms of throughput) to ours in this setting.

We remark that the aim of our paper is to demonstrate via explicit example the feasibility of throughput-efficient authenticated adversarial routing. However, we stress that our protocol is not intended to provide a practical solution, as due to its complexity, no attempt thus far has been made to make the protocol practical by reducing constants or the large (though polynomial) memory requirements per processor.

Our result is related to recent work of Barak, Goldberg and Xiao in 2008 [8] who studied fault localization in networks assuming a private-key trusted setup setting. Our work, in

∗ Johns Hopkins University Department of Computer Science. Email: [email protected] done while visiting IPAM and supported in part by NSF grant 0430254.
† UCLA Department of Mathematics. Email: [email protected] Supported in part by NSF grants 0430254, 0716835, 0716389 and 0830803.
‡ UCLA Departments of Computer Science and Department of Mathematics. Email: [email protected] Part of this work was done while visiting IPAM and supported in part by IBM Faculty Award, Xerox Innovation Group

mission optimality. Among other things, our work answers one of the open questions posed in the Barak et al. paper regarding fault localization on multiple paths. The use of a public-key setting to achieve strong error-correction results in networks was inspired by the work of Micali, Peikert, Sudan and Wilson [13] who showed that classical error-correction against a polynomially-bounded adversary can be achieved with surprisingly high precision. Our work is also related to an interactive coding theorem of Rajagopalan and Schulman [14] who showed that in noisy-edge static-topology networks a constant overhead in communication can also be achieved (provided none of the processors are malicious), thus establishing an optimal-rate routing theorem for static-topology networks. Finally, our work is closely related to and builds upon the problem of End-To-End Communication in distributed networks, studied by Afek and Gafni [1], Awerbuch, Mansour, and Shavit [7], and Afek, Awerbuch, Gafni, Mansour, Rosen, and Shavit [2], though none of these papers consider or ensure correctness in the setting of a node-controlling adversary that may corrupt the majority of the network.

Keywords: Network Routing; Error-correction; Fault Localization; Multi-party Computation in the presence of Dishonest Majority; Communication Complexity; End-to-End Communication.

1 Introduction
Our goal is to design a routing protocol for an unreliable and dynamically changing synchronous network that is resilient against malicious insiders who may try to destroy and alter messages or disrupt communication in any way. We model the network as a communication graph $G = (V, E)$ where each vertex is a processor and each edge is a communication link. We do not assume that the topology of this graph is fixed or known by the processors. Rather, we assume a complete graph on $n$ vertices, where some of the edges are up and some are down, and the status of each edge can change dynamically at any time.

We concentrate on the most basic task, namely how two processors in the network can exchange information. Thus, we assume that there are two designated vertices, called the sender $S$ and the receiver $R$, who wish to communicate with each other. The sender has an infinite read-once input tape of packets and the receiver has an infinite write-once output tape which is initially empty. We assume that packets are of some bounded size, and that any edge in the system that is up during some round can transmit only one packet (or control variables, also of bounded size) per round.

We will evaluate our protocol using the following three considerations:
1. Correctness. A protocol is correct if the sequence of packets output by the receiver is a prefix of packets appearing on the sender's input tape, without duplication or omission.
2. Throughput. This measures the number of packets on the output tape as a function of the number of rounds that have passed.
3. Processor Memory. This measures the memory required of each node by the protocol, independent of the number of packets to be transferred.

All three considerations will be measured in the worst-case scenario as standards that are guaranteed to exist regardless of adversarial interference. One can also evaluate a protocol based on its dependence on global information to make decisions. In the protocol we present in this paper,
the local conditions of its adjacent edges and neighbors.

Our protocol is designed to be resilient against a malicious, polynomially-bounded adversary who may attempt to impact the correctness, throughput, and memory of our protocol by disrupting links between the nodes or taking direct control over the nodes and forcing them to deviate from our protocol in any manner the adversary wishes. In order to relate our work to previous results and to clarify the two main forms of adversarial interference, we describe two separate (yet coordinated with each other) adversaries¹:

Edge-Scheduling Adversary. This adversary controls the links between nodes every round. More precisely, at each round, this adversary decides which edges in the network are up and which are down. We will say that the edge-scheduling adversary is conforming if for every round there is at least one path from the sender to the receiver (although the path may change each round)². The adversary can make any arbitrary poly-time computation to maximize interference in routing, so long as it remains conforming.

Node-Controlling Adversary. This adversary controls the nodes of the network that it has corrupted. More precisely, each round this adversary decides which nodes to corrupt. Once corrupted, a node is forever under complete adversarial control and can behave in an arbitrary malicious manner. We say that the node-controlling adversary is conforming if every round there is a connection between the sender and receiver consisting of edges that are up for the round (as specified by the edge-scheduling adversary) and that passes through uncorrupted nodes. We emphasize that this path can change each round, and there is no other restriction on which nodes the node-controlling adversary may corrupt (allowing even a vast majority of corrupt nodes).

There is another reason to view these adversaries as distinct: we deal with the challenges they pose to correctness, throughput, and memory in different ways. Namely, aside from the conforming condition, the edge-scheduling adversary cannot be controlled or eliminated. Edges themselves are not inherently good or bad, so identifying an edge that has failed does not allow us to forever forbid the protocol from utilizing this edge, as it may come back up at any time (and indeed it could form a crucial link on the path connecting the sender and receiver that the conforming assumption guarantees). In sum, we cannot hope to control or alter the behavior of the edge-scheduling adversary, but must come up with a protocol that works well regardless of the behavior of the ever-present (conforming) edge-scheduling adversary.

By contrast, our protocol will limit the amount of influence the node-controlling adversary has on correctness, throughput, and memory. Specifically, we will show that if a node deviates from the protocol in a sufficiently destructive manner (in a well-defined sense), then our protocol will be able to identify it as corrupted in a timely fashion. Once a corrupt node has been identified, it will be eliminated from the network. Namely, our protocol will call for honest nodes to refuse all communication with nodes that have been identified as corrupt. Thus, there is an inherent difference in how we handle the edge-scheduling adversary versus how we handle the node-controlling adversary. We can restrict the influence of the latter by eliminating the nodes it has corrupted, while the former must be dealt with in a more ever-lasting manner.

¹ The separation into two separate adversaries is artificial: our protocol is secure whether edge-scheduling and corruption of nodes are performed by two separate adversaries that have different capabilities yet can coordinate their actions with each other, or this can be viewed as a single coordinated adversary.

² A more general definition of an edge-scheduling adversary would be to allow completely arbitrary edge failures, with the exception that in the limit there is no permanent cut between the sender and receiver. However, this definition (while more general) greatly complicates the exposition, including the definition of throughput rate, and

1.1 Previous Work
To motivate the importance of the problem we consider in this paper, and to emphasize the significance of our result, it will be useful to highlight recent works in related areas. To date, routing protocols that consider adversarial networks have been of two main flavors: End-to-End Communication protocols that consider dynamic topologies (a notion captured by our edge-scheduling adversary), and Fault Detection and Localization protocols, which handle devious behavior of nodes (as modeled by our node-controlling adversary).

End-to-End Communication: One of the most relevant research directions to our paper is the notion of End-to-End communication in distributed networks, considered by Afek and Gafni [1], Awerbuch, Mansour and Shavit [7], Afek, Awerbuch, Gafni, Mansour, Rosen, and Shavit [2], and Kushilevitz, Ostrovsky and Rosen [12]. Indeed, our starting point is the Slide protocol⁴ developed in these works. It was designed to perform end-to-end communication with bounded memory in a model where (using our terminology) an edge-scheduling adversary controls the edges (subject to the constraint that there is no permanent cut between the sender and receiver). The Slide protocol has proven to be incredibly useful in a variety of settings, including multi-commodity flow (Awerbuch and Leighton [6]) and in developing routing protocols that compete well (in terms of packet loss) against an online bursty adversary ([4]). However, prior to our work there was no version of the Slide protocol that could handle malicious behavior of the nodes. A comparison of various versions of the Slide protocol and our protocol is featured in Figure 1 of Section 1.2 below.

Fault Detection and Localization Protocols: At the other end, there have been a number of works that explore the possibility of a node-controlling adversary that can corrupt nodes. In particular, there is a recent line of work that considers a network consisting of a single path from the sender to the receiver, culminating in the recent work of Barak, Goldberg and Xiao [8] (for further background on fault localization see references therein). In this model, the adversary can corrupt any node on the path (except the sender and receiver) in a dynamic and malicious manner. Since corrupting any node on the path will sever the honest connection between $S$ and $R$, the goal of a protocol in this model is not to guarantee that all messages sent to $R$ are received. Instead, the goal is to detect faults when they occur and to localize the fault to a single edge.

There have been many results that provide Fault Detection (FD) and Fault Localization (FL) in this model. In Barak et al. [8], they formalize the definitions in this model and the notion of a secure FD/FL protocol, as well as providing lower bounds in terms of communication complexity to guarantee accurate fault detection/location in the presence of a node-controlling adversary. While the Barak et al. paper has a similar flavor to our paper, we emphasize that their protocol does not seek to guarantee successful or efficient routing between the sender and receiver. Instead, their proof of security guarantees that if a packet is deleted, malicious nodes cannot collude to convince $S$ that no fault occurred, nor can they persuade $S$ into believing that the fault occurred on an honest edge.

³ The conforming assumption guarantees that the sender and receiver are incorruptible, and our protocol places the responsibility of identifying and eliminating corrupt nodes on these two nodes.

4

Localizing the fault in their paper relies on cryptographic tools, and in particular the assumption that one-way functions exist. Although utilizing these tools (such as MACs or Signature Schemes) increases communication cost, it is shown by Goldberg, Xiao, Barak, and Rexford [11] that the existence of a protocol that is able to securely detect faults (in the presence of a node-controlling adversary) implies the existence of one-way functions, and it is shown in Barak et al. [8] that any protocol that is able to securely localize faults necessarily requires the intermediate nodes to have a trusted setup. The proofs of these results do not rely on the fact that there is a single path between $S$ and $R$, and we can therefore extend them to the more general network encountered in our model to justify our use of cryptographic tools and a trusted setup assumption (i.e. PKI) to identify malicious behavior.

Another paper that addresses routing in the Byzantine setting is the work of Awerbuch, Holmer, Nita-Rotaru and Rubens [5], though this paper does not have a fully formal treatment of security, and indeed a counter-example that challenges its security is discussed in the appendix of [8].

Error-correction in the active setting: Due to space considerations, we will not be able to give a comprehensive account of all the work in this area. Instead we highlight some of the most relevant works and point out how they differ from our setting and results. For a lengthy treatment of error-correcting codes against polynomially bounded adversaries, we refer to the work of Micali et al. [13] and references therein. It is important to note that this work deals with a graph with a single noisy edge, as modelled by an adversary who can partially control and modify information that crosses the edge. In particular, it does not address throughput efficiency or memory considerations in a full communication network, nor does it account for malicious behavior at the vertices. Also of relevance is the work of Rajagopalan and Schulman on error-correcting network coding [14], where they show how to correct noisy edges during distributed computation. Their work does not consider actively malicious nodes, and thus is different from our setting. It should also be noted that their work utilizes Schulman's tree-codes [17] that allow length-flexible online error-correction. The important difference between our work and that of Schulman is that in our network setting, the amount of malicious activity of corrupt nodes is not restricted.

1.2 Our Results
To date, there has not been a protocol that has considered simultaneously a network susceptible to faults occurring due to edge-failures and faults occurring due to malicious activity of corrupt nodes. The end-to-end communication works are not secure when the nodes are allowed to become corrupted by a node-controlling adversary, and the fault detection and localization works focus on a single path for some duration of time, and do not consider a fully distributed routing protocol that utilizes the entire network and attempts to maximize throughput efficiency while guaranteeing correctness in the presence of edge-failures and corrupt nodes. Indeed, our work answers one of the open questions posed in the Barak et al. paper regarding fault localization on multiple paths.

In this paper we bridge the gap between these two research areas and obtain the first routing protocol simultaneously secure against both an edge-scheduling adversary and a node-controlling adversary, even if these two adversaries attack the network using an arbitrary coordinated poly-time strategy. Furthermore, our protocol achieves comparable efficiency standards in terms of throughput and processor memory as state-of-the-art protocols that are not secure against a
in the table, we emphasize that the linear transmission rate that we achieve (assuming at least $n^2$ messages are sent) is asymptotically optimal, as any protocol operating in a network with a single path connecting sender and receiver can do no better than one packet per round.

A ROUTING THEOREM FOR ADVERSARIAL NETWORKS (Informal): If one-way functions exist, then for any $n$-node graph and $k$ sufficiently large, there exists a trusted-setup linear throughput transmission protocol that can send $n^2$ messages in $O(n^2)$ rounds with $O(n^4(k + \log n))$ memory per processor that is resilient against any poly-time conforming Edge-Scheduling Adversary and any conforming poly-time Node-Controlling Adversary, with negligible (in $k$) probability of failure or decoding error.

| Protocol | Secure Against Edge-Sched. Adv.? | Secure Against Node-Cntr. Adv.? | Processor Memory | Throughput Rate ($x$ rounds → $f(x)$ packets) |
|---|---|---|---|---|
| Slide Protocol of [2] | YES | NO | $O(n^2 \log n)$ | $f(x) = O(x - n^2)$ |
| Slide Protocol of [12] | YES | NO | $O(n \log n)$ | $f(x) = O(x/n - n^2)$ |
| (folklore) (Flooding + Signatures) | YES | YES | $O(1)$ | $f(x) = O(x/n - n^2)$ |
| (folklore) (Signatures + Sequence No.'s) | YES | YES | unbounded | $f(x) = O(x - n^2)$ |
| Our Protocol | YES | YES | $O(n^4(k + \log n))$ | $f(x) = O(x - n^2)$ |

Figure 1: Comparison of Our Protocol to Related Existing Protocols and Folklore.

2 Challenges and Naïve Solutions
Before proceeding, it will be useful to consider a couple of naïve solutions that achieve the goal of correctness (but perform poorly in terms of throughput), and help to illustrate some of the technical challenges that our theorem resolves. Consider the approach of having the sender continuously flood a single signed packet into the network for $n$ rounds. Since the conforming assumption guarantees that the network provides a path between the sender and receiver through honest nodes at every round, this packet will reach the receiver within $n$ rounds, regardless of adversarial interference. After $n$ rounds, the sender can begin flooding the network with the next packet, and so forth⁵. Notice that this solution will require each processor to store and continuously broadcast a single packet at any time, and hence this solution achieves excellent efficiency in terms of processor memory. However, notice that the throughput rate is sub-linear, namely after $x$ rounds, only $O(x/n)$ packets have been outputted by the receiver.

⁵ An alternative approach would have the sender continue flooding the first packet, and upon receipt, the receiver floods confirmation of receipt. This alternative solution requires sequence numbers to accompany packets/confirmations, and the rule that internal nodes only keep and broadcast the packet and confirmation with largest sequence number. Although this alternative may potentially speed things up, in the worst-case it will still take $O(n)$

process, sending packets with ever-increasing sequence numbers without waiting for $n$ rounds to pass (or signed acknowledgments from the receiver) before sending the next packet. In particular, across each of his edges the sender will send every packet once, waiting only for the neighboring node's confirmation of receipt before sending the next packet across that edge. The protocol calls for the internal nodes to act similarly. Analysis of this approach shows that not only has the attempt to improve throughput failed (it is still $O(x/n)$ in the worst-case scenario), but additionally this modification requires arbitrarily large (polynomial in $n$ and $k$) processor memory, since achieving correctness in the dynamic topology of the graph will force the nodes to remember all of the packets they see until they have broadcasted them across all adjacent edges or seen confirmation of their receipt from the receiver.

2.1 Challenges in Dealing with Node-Controlling Adversaries
In this section, we discuss some potential strategies that the node-controlling and edge-scheduling adversaries⁶ may incorporate to disrupt network communication. Although our theorem will work in the presence of arbitrary malicious activity of the adversarial controlled nodes (except with negligible probability), it will be instructive to list a few obvious forms of devious behavior that our protocol must protect against. It is important to stress that this list is not intended to be exhaustive. Indeed, we do not claim to know all the specific ways an arbitrary polynomially bounded adversary may force nodes to deviate from a given protocol, and in this paper we rigorously prove that our protocol is secure against all possible deviations.

• Packet Deletion/Modification. Instead of forwarding a packet, a corrupt node drops it to the floor (i.e. deletes it or effectively deletes it by forever storing it in memory), or modifies the packet before passing it on. Another manifestation of this is if the sender/receiver requests fault localization information of the internal nodes, such as providing documentation of their interactions with neighbors. A corrupt node can then block or modify information that passes through it in attempt to hide malicious activity or implicate an honest node.
• Introduction of Junk/Duplicate Packets. The adversary can attempt to disrupt communication flow and jam the network by having corrupted nodes introduce junk packets or re-broadcast old packets. Notice that junk packets can be handled by using cryptographic signatures to prevent introduction of new packets, but this does not control the re-transmission of old, correctly signed packets.
• Disobedience of Transfer Rules. If the protocol specifies how nodes should make decisions on where to send packets, etc., then corrupt nodes can disregard these rules. This includes lying to adjacent nodes about their current state.
• Coordination of Edge-Failures. The edge-scheduling adversary can attempt to disrupt communication flow by scheduling edge-failures in any manner that is consistent with the conforming criterion. Coordinating edge failures can be used to impede correctness, memory, and throughput in various ways: e.g. packets may become lost across a failed edge, stuck at a suddenly isolated node, or arrive at the receiver out of order. A separate issue arises concerning fault localization: when the sender/receiver requests documentation from the internal nodes, the edge-scheduling adversary can slow progress of this information, as well as attempt to protect
6
so that incriminating evidence cannot reach the sender.

2.2 Highlights of Our Solution
Our starting point is the Slide protocol [2], which has enjoyed practical success in networks with dynamic topologies, but is not secure against nodes that are allowed to behave maliciously. We provide a detailed description of our version of the Slide protocol in Section 4, but highlight the main ideas here. Begin by viewing the edges in the graph as consisting of two directed edges, and associate to each end of a directed edge a stack data-structure able to hold $2n$ packets and to be maintained by the node at that end. The protocol specifies the following simple, local condition for transferring a packet across a directed edge: if there are more packets in the stack at the originating end than the terminating end, transfer a packet across the edge. Similarly, within a node's local stacks, packets are shuffled to average out the stack heights along each of its edges. Intuitively, packet movement is analogous to the flow of water: high stacks create a pressure that forces packets to flow to neighboring lower stacks. At the source, the sender maintains the pressure by filling his outgoing stacks (as long as there is room) while the receiver relieves pressure by consuming packets and keeping his stacks empty. Loosely speaking, packets traveling to nodes near the sender will therefore require a very large potential, packets traveling to nodes near the receiver will require a small potential, and packet transfers near intermediate nodes will require packets to have a moderate potential. Assuming these potential requirements exist, packets will pass from the sender with a high potential, and then flow downwards across nodes requiring less potential, all the way to the receiver.
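
The transfer and balancing rules above, run as a small simulation (an added example, not the authors' code and not the protocol of Section 4). It assumes honest nodes only, tracks packets as integers, and uses a constructed random edge schedule that always leaves one sender-to-receiver path up; `simulate_slide`, `p_up` and the tie-breaking choices are illustrative.

```python
import random


def simulate_slide(n=5, rounds=400, p_up=0.3, seed=1):
    """Simplified Slide run on n >= 3 honest nodes; returns counters."""
    rng = random.Random(seed)
    S, R, cap = 0, n - 1, 2 * n          # sender, receiver, stack capacity 2n
    internal = list(range(1, n - 1))
    # out[u][v]: stack u keeps for directed edge u->v (nothing is routed to S).
    # inc[v][u]: stack v keeps for the same edge (R forwards nothing).
    out = {u: {v: [] for v in range(n) if v not in (u, S)}
           for u in range(n) if u != R}
    inc = {v: {u: [] for u in range(n) if u not in (v, R)}
           for v in range(n) if v != S}
    delivered, inserted, tallest, peak_stored = [], 0, 0, 0

    def heights():
        return [len(s) for side in (out, inc)
                for node in side.values() for s in node.values()]

    for _ in range(rounds):
        # Conforming edge-scheduling adversary (constructed): one S..R path
        # is always up, other edges are up at random, and the direct S-R
        # edge is never up, so every delivery needs at least two hops.
        hops = internal[:]
        rng.shuffle(hops)
        path = [S] + hops[: rng.randint(1, len(hops))] + [R]
        up = {frozenset(e) for e in zip(path, path[1:])}
        for u in range(n):
            for v in range(u + 1, n):
                if (u, v) != (S, R) and rng.random() < p_up:
                    up.add(frozenset((u, v)))

        # The sender maintains pressure by filling its outgoing stacks.
        for stack in out[S].values():
            while len(stack) < cap:
                stack.append(inserted)
                inserted += 1

        # Transfer rule: move one packet across an up edge only if the
        # originating stack is strictly taller than the terminating one.
        # The receiver consumes on arrival, so its stacks stay empty.
        for u, stacks in out.items():
            for v, src in stacks.items():
                dst = inc[v][u]
                if frozenset((u, v)) in up and len(src) > len(dst):
                    pkt = src.pop()
                    (delivered if v == R else dst).append(pkt)

        # Local balancing: shift packets from the tallest incoming stack to
        # the shortest outgoing stack until no incoming stack is taller.
        for v in internal:
            while True:
                src = max(inc[v].values(), key=len)
                dst = min(out[v].values(), key=len)
                if len(src) <= len(dst):
                    break
                dst.append(src.pop())

        tallest = max(tallest, max(heights()))
        peak_stored = max(peak_stored, sum(heights()))

    return {"inserted": inserted, "delivered": delivered,
            "stored": sum(heights()), "tallest": tallest,
            "peak_stored": peak_stored, "capacity": 4 * n ** 3}


if __name__ == "__main__":
    r = simulate_slide()
    print(len(r["delivered"]), "delivered of", r["inserted"], "inserted;",
          "tallest stack", r["tallest"], "peak stored", r["peak_stored"])
```

Packets are only ever moved, never copied or dropped, so `inserted` always equals delivered plus stored; a corrupt node is exactly what breaks that accounting.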

Because the Slide protocol provides a fully distributed protocol that works well against an edge-scheduling adversary, our starting point was to try to extend the protocol by using digital signatures⁷ to provide resilience against Byzantine attacks and arbitrary malicious behavior of corrupt nodes. This proved to be a highly nontrivial task that required us to develop a lot of additional machinery, both in terms of additional protocol ideas and novel techniques for proving correctness. We give a detailed explanation of our techniques in Section 8 and formal pseudo-code in Section 9, as well as providing rigorous proofs of security in Section 10. However, below we first give a sample of some of the key ideas we used in ensuring our additional machinery would be provably secure against a node-controlling adversary, and yet not significantly affect throughput or memory, compared to the original Slide protocol:

• Addressing the Coordination of Edge-Scheduling Issues. In the absence of a node-controlling adversary, previous versions of the Slide protocol (e.g. [2]) are secure and efficient against an edge-scheduling adversary, and it will be useful to discuss how some of the challenges posed by a network with a dynamic topology are handled. First, note that the total capacity of the stack data-structure is bounded by $4n^3$. That is, each of the $n$ nodes can hold at most $2n$ packets in each of their $2n$ stacks (along each directed edge) at any time.

⁷ In this paper we use public-key operations to sign individual packets with control information. Clearly, this is too expensive to do per-packet in practice. There are methods of amortizing the cost of signatures by signing batches of packets; using private-key initialization [8, 11], or using a combination of private-key and public key operations, such as on-line/off-line signatures [9, 16]. For the sake of clarity and since the primary focus of our paper is theoretical feasibility, we restrict our attention to the straight-forward public-key setting without considering these additional

a node is required to maintain a copy of each packet it transmits along an edge until it receives confirmation from the neighbor of successful receipt.

To handle packets becoming stuck in some internal node's stack due to edge failures, error-correction is utilized to allow the receiver to decode a full message without needing every packet. In particular, if an error-correcting code allowing a fraction of $\lambda$ faults is utilized, then since the capacity of the network is $4n^3$ packets, if the sender is able to pump $4n^3/\lambda$ codeword packets into the network and there is no malicious deletion or modification of packets, then the receiver will necessarily have received enough packets to decode the message.

The Slide protocol has a natural bound in terms of memory per processor of $O(n^2 \log n)$ bits, where the bottleneck is the possibility of a node holding up to $2n^2$ packets in its stacks, where each packet requires $O(\log n)$ bits to describe its position in the code.

Of course, these techniques are only valid if nodes are acting honestly, which leads us to our first extension idea.
• Handling Packet Modification and Introduction of Junk Packets. Before inserting any packets into the network, the sender will authenticate each packet using his digital signature, and intermediate nodes and the receiver never accept or forward messages not appropriately signed. This simultaneously prevents honest nodes becoming bogged down with junk packets, as well as ensuring that if the receiver has obtained enough authenticated packets to decode, a node-controlling adversary cannot impede the successful decoding of the message as the integrity of the codeword packets is guaranteed by the unforgeability of the sender's signature.
• Fault Detection. In the absence of a node-controlling adversary, our protocol looks almost identical to the Slide protocol of [2], with the addition of signatures that accompany all interactions between two nodes. First, the sender attempts to pump the $4n^3/\lambda$ codeword packets of the first message into the network, with packet movement exactly as in the original Slide protocol. We consider all possible outcomes:
1. The sender is able to insert all codeword packets and the receiver is able to decode. In this case, the message was transmitted successfully, and our protocol moves to transfer the next message.
2. The sender is able to insert all codeword packets, but the receiver has not received enough to decode. In this case, the receiver floods the network with a single-bit message indicating packet deletion has occurred.
3. The sender is able to insert all codeword packets, but the receiver cannot decode because he has received duplicated packets. Although the sender's authenticating signature guarantees the receiver will not receive junk or modified packets, a corrupt node is able to duplicate valid packets. Therefore, the receiver may receive enough packets to decode, but cannot because he has received duplicates. In this case, the receiver floods the network with a single message indicating the label of a duplicated packet.
4. After some amount of time, the sender still has not inserted all codeword packets. In this case, the duplication of old packets is so severe that the network has become jammed,
accounted for by edge-failures alone, he will halt transmission and move to localizing a corrupt node⁸. One contribution this paper makes is to prove a lower bound on the insertion rate of the sender for the Slide protocol in the absence of the node-controlling adversary. This bound not only alerts the sender when the jamming he is experiencing exceeds what can be expected in the absence of corrupt nodes, but it also provides a mechanism for localizing the offending node(s).

The above four cases exhaust all possibilities. Furthermore, if a transmission is not successful, the sender is not only able to detect the fact that malicious activity has occurred, but he is also able to distinguish the form of the malicious activity, i.e. which case 2-4 he is in. Meanwhile, for the top case, our protocol enjoys (within a constant factor) an equivalent throughput rate as the original Slide protocol.
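
The receiver-side checks from the two items above (signed codeword packets, then outcomes 1-4), as an added example that is not the authors' code. HMAC-SHA256 under a key shared by sender and receiver stands in for the sender's public-key signature, the decode threshold $D - 4n^3$ with $D = 4n^3/\lambda$ is our reading of the capacity argument, and all function names and packets are constructed.

```python
import hashlib
import hmac
import math
from collections import Counter


def codeword_packets(n, lam):
    """D = 4n^3 / lambda codeword packets per message (rounded up)."""
    return math.ceil(4 * n ** 3 / lam)


def decode_threshold(n, lam):
    # Assumption: at most 4n^3 packets (the total stack capacity) can be
    # stranded in the network, so D - 4n^3 distinct packets must suffice.
    return codeword_packets(n, lam) - 4 * n ** 3


def sign(key, label, payload):
    # Stand-in for the sender's signature: binds the payload to its label.
    return hmac.new(key, label.to_bytes(8, "big") + payload,
                    hashlib.sha256).digest()


def make_codeword(key, n, lam):
    """Constructed codeword: (label, payload, tag) for each of the D packets."""
    out = []
    for label in range(codeword_packets(n, lam)):
        payload = b"chunk-%d" % label
        out.append((label, payload, sign(key, label, payload)))
    return out


def classify(key, n, lam, inserted, received):
    """Return (case, detail) following outcomes 1-4 of the text.

    inserted -- how many codeword packets the sender managed to insert
    received -- (label, payload, tag) tuples that reached the receiver
    """
    total = codeword_packets(n, lam)
    need = decode_threshold(n, lam)
    if inserted < total:
        return 4, None                      # sender could not insert everything
    # Junk and modified packets fail verification and are never counted.
    valid = [label for label, payload, tag in received
             if 0 <= label < total
             and hmac.compare_digest(tag, sign(key, label, payload))]
    counts = Counter(valid)
    if len(counts) >= need:
        return 1, None                      # enough distinct packets: decode
    if len(valid) >= need:
        # Enough validly signed packets arrived, but replays took the place
        # of distinct ones: report the label of a duplicated packet.
        return 3, min(l for l, c in counts.items() if c > 1)
    return 2, None                          # too few packets: deletion


def demo():
    key, n, lam = b"constructed-demo-key", 3, 0.5   # D = 216, threshold = 108
    cw = make_codeword(key, n, lam)
    forged = [(i, b"junk", b"\x00" * 32) for i in range(50)]
    tampered = [(l, b"tampered", t) for l, _, t in cw[100:150]]
    return {
        "honest": classify(key, n, lam, 216, cw[:120]),
        "deleted": classify(key, n, lam, 216, cw[:90]),
        "replayed": classify(key, n, lam, 216, cw[:80] + [cw[7]] * 40),
        "junk": classify(key, n, lam, 216, cw[:90] + forged + tampered),
        "jammed": classify(key, n, lam, 150, cw[:120]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The `junk` scenario shows why signatures alone are not enough: forged and altered packets are filtered out, but the replay in `replayed` passes verification and is only caught by counting labels.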
• Fault Localization. Once a fault has been detected, it remains to describe how to localize the problem to the offending node. To this end, we use digital signatures to achieve a new mechanism we call Routing with Responsibility. By forcing nodes to sign key parts of every communication with their neighbors during the transfer of packets, they can later be held accountable for their actions. In particular, once the sender has identified the reason for failure (cases 2-4 above), he will request all internal nodes to return status reports, which are signatures on the relevant parts of the communication with their neighbors. We then prove in each case that with the complete status report from every node, the sender can with overwhelming probability identify and eliminate a corrupt node. Of course, malicious nodes may choose not to send incriminating information. We handle this separately as explained below.
• Processor Memory. The signatures on the communication a node has with its neighbors for the purpose of fault localization is a burden on the memory required of each processor that is not encountered in the original Slide protocol. One major challenge was to reduce the amount of signed information each node must maintain as much as possible, while still guaranteeing that each node has maintained enough information to identify a corrupt node in the case of arbitrary malicious activity leading to a failure of type 2-4 above. The content of Theorem 8.2 in Section 8 demonstrates that the extra memory required of our protocol is a factor of $n^2$ higher than that of the original Slide protocol.
Incomplete Information. Asalreadymentioned,we showthatregardlessofthereasonoffailure2-4above,oncethesender receivesthestatusreportsfromeverynode,a corruptnode
can beidentied. However,this relieson thesenderobtainingallof therelevant information;
the absence of even a single node's information can prevent the localization of a fault. We
addressthis challenge inthefollowing ways:
1. We minimize the amount of information thesender requires of each node. This way, a
nodeneed not beconnected to thesender for very many roundsin orderfor the sender
8 We emphasize here the importance that the sender is able to distinguish the case that the jamming is a result of
the edge-scheduling adversary's controlling of edges versus the case that a corrupt node is duplicating packets. After
all, in the case of the former, there is no reward for localizing the fault to an edge that has failed, as all edges
are controlled by the edge-scheduling adversary, and therefore no edge is inherently better than another. But in the
case a node is duplicating packets, if the sender can identify the node, it can eliminate it and effectively reduce the
status report consists of only $n$ pieces of information from each node, i.e. one packet for each of its edges.
2. If the sender does not have the $n$ pieces of information from a node, it cannot afford to
wait indefinitely. After all, the edge-scheduling adversary may keep the node disconnected
indefinitely, or a corrupt node may simply refuse to respond. For this purpose, we create
a blacklist for non-responding nodes, which will disallow them from transferring codeword
packets in the future. This way, anytime the receiver fails to decode a codeword as in
cases 2-4 above, the sender can request the information he needs, blacklist nodes not
responding within some short amount of time, and then re-attempt to transmit the
codeword using only non-blacklisted nodes. Nodes should not transfer codeword packets
to blacklisted nodes, but they do still communicate with them to transfer the information
the sender has requested. If a new transmission again fails, the sender will only need to
request information from nodes that were participating, i.e. he will not need to collect
new information from blacklisted nodes (although the nodes will remain blacklisted until
the sender gets the original information he requested of them). Nodes will be removed
from the blacklist and re-allowed to route codeword packets as soon as the sender receives
their information.
• The Blacklist. Blacklisting nodes is a delicate matter; we want to place malicious nodes
playing-dead on this list, while at the same time we don't want honest nodes that are
temporarily disconnected from being on this list for too long. We show in Theorem 8.1 and Lemma
10.9 that the occasional honest node that gets put on the blacklist won't significantly hinder
packet transmission. Intuitively, this is true because any honest node that is an important
link between the sender and receiver will not remain on the blacklist for very long, as his
connection to the sender guarantees the sender will receive all requested information from the
node in a timely manner.
Ultimately, the blacklist allows us to control the amount of malicious activity a single
corrupt node can contribute to. Indeed, we show that each failed message transmission (cases
2-4 above) can be localized (eventually) to (at least) one corrupt node. More precisely, the
blacklist allows us to argue that malicious activity can cause at most $n$ failed transmissions
before a corrupt node can necessarily be identified and eliminated. Since there are at most
$n$ corrupt nodes, this bounds the number of failed transmissions at $n^2$. The result of this is that
other than at most $n^2$ failed message transmissions, our protocol enjoys the same throughput
efficiency of the old Slide protocol. The formal statement of this fact can be found in Theorem
8.1 in Section 8, and its proof can be found in Section 10.
3 The Formal Model
It will be useful to describe two models in this section, one in the presence of an edge-scheduling
adversary (all nodes act honestly), and one in the presence of an adversary who may corrupt
some of the nodes in the network. In Section 4 we present an efficient protocol (Slide) that works
well in the edge-scheduling adversarial model, and we then extend this protocol in Section 8 to work
We model a communication network by an undirected graph $G = (V, E)$, where $|V| = n$.
Each vertex (or node) represents a processor that is capable of storing information (in its buffers)
and passing information to other nodes along the edges. We distinguish two nodes, the sender,
denoted by $S$, and the receiver, denoted by $R$. In our model, $S$ has an input stream of messages
$\{m_1, m_2, \ldots\}$ of uniform size that he wishes to transmit through the network to $R$. As mentioned
in the Introduction, the three commodities we care about are Correctness, Throughput, and Processor
Memory.
We assume a synchronous network, so that there is a universal clock that each node has access
to.$^{9}$ The global time is divided into discrete chunks, called rounds, during which nodes communicate
with each other and transfer packets. Each round consists of two equal intervals of unit time called
stages, so that all nodes are synchronized in terms of when each stage begins and ends. We assume
that the edges have some fixed capacity $P$ in terms of the amount of information that can be
transmitted across them per stage. The messages will be sub-divided into packets of uniform size
$P$, so that exactly one packet can be transferred along an edge per stage.$^{10}$
The sole purpose of the network is to transmit the messages from $S$ to $R$, so $S$ is the only
node that introduces new messages into the network, and $R$ is the only node that removes them
from the network (although below we introduce a node-controlling adversary who may corrupt the
intermediate nodes and attempt to disrupt the network by illegally deleting/introducing messages).
Although the edges in our model are bi-directional, it will be useful to consider each link as consisting
of two directed edges. Except for the conforming restriction (see below), we allow the edges of our
network to fail and resurrect arbitrarily. We model this via an Edge-Scheduling Adversary, who
controls the status of each edge of the network, and can alter the state of any edge at any time. We
say that an edge is active during a given stage/round if the edge-scheduling adversary allows that
edge to remain up for the entirety of that stage/round. We impose one restriction on the failure
of edges:
Definition 3.1. An edge-scheduling adversary is conforming if for every round of the protocol,
there exists at least one path between $S$ and $R$ consisting of edges that are active for the entirety of
the round.
For a given round $t$, we will refer to the path guaranteed by the conforming assumption as the
active path of round $t$. Notice that although the conforming assumption guarantees the existence of
an active path for each round, it is not assumed that any node (including $S$ and $R$) is aware of what
that path is. Furthermore, this path may change from one round to the next. The edge-scheduling
adversary cannot affect the network in any way other than controlling the status of the edges. In
the next section, we introduce a node-controlling adversary who can take control of the nodes of
the network.$^{11}$
9 Although synchronous networks are difficult to realize in practice, we can further relax the model to one in which
there is a known upper-bound on the amount of time an active edge can take to transfer a packet.
10 Our protocol for the node-controlling adversarial model will require the packets to include signatures from a
cryptographic signature scheme. The security of such schemes depends on the security parameter $k$, and the
resulting signatures have size $O(k)$. Additionally, error-correction will require packets to carry with them an
index of $O(\log n)$ bits. Therefore, we assume that $P \geq (k + \log n)$, so that in each time step a complete packet
(with signature and index) can be transferred.
11
3.2 The Node-Controlling + Edge-Scheduling Adversarial Model
This model begins with the edge-scheduling adversarial model described above, and adds a
polynomially bounded Node-Controlling Adversary that is capable of corrupting nodes in the network.
The node-controlling adversary is malicious, meaning that the adversary can take complete control
over the nodes he corrupts, and can therefore force them to deviate from any protocol in whatever
manner he likes. We further assume that the adversary is dynamic, which means that he can corrupt
nodes at any stage of the protocol, deciding which nodes to corrupt based on what he has observed
thus far.$^{12}$ For a thorough discussion of these notions, see [10] and references therein.
As in Multi-Party Computation (MPC) literature, we will need to specify an access-structure
for the adversary.
Definition 3.2. A node-controlling adversary is conforming if he does not corrupt any nodes who
have been or will be a part of any round's active path.
Apart from this restriction, the node-controlling adversary may corrupt whoever he likes (i.e. it
is not a threshold adversary). Note that the conforming assumption implicitly demands that $S$ and
$R$ are incorruptible, since they are always a part of any active path. Also, this restriction on the
adversary is really more a statement about when our results remain valid. This is similar to e.g.
threshold adversary models, where the results are only valid if the number of corrupted nodes does
not exceed some threshold value $t$. Once corrupted, a node is forever considered to be a corrupt
node that the adversary has total control over (although the adversary may choose to have the node
act honestly).
Notice that because correctness, throughput, and memory are the only commodities that our
model values, an honest-but-curious adversary is completely benign, as privacy does not need to be
protected$^{13}$ (indeed, any intermediate node is presumed to be able to read any packet that is passed
through it). Our techniques for preventing/detecting malicious behavior will be to incorporate a
digital signature scheme that will serve the dual purpose of validating information that is passed
between nodes, as well as holding nodes accountable for information that their signature committed
them to.
We assume that there is a Public-Key Infrastructure (PKI) that allows digital signatures. In
particular, before the protocol begins we choose a security parameter $k$ sufficiently large and
run a key generation algorithm for a digital signature scheme, producing $n = |G|$ (secret key,
verification key) pairs $(sk_N, vk_N)$. As output to the key generation, each processor $N \in G$ is
given its own private signing key $sk_N$ and a list of all $n$ signature verification keys $vk_{\widehat{N}}$ for all
nodes $\widehat{N} \in G$. In particular, this allows the sender and receiver to sign messages to each other
that cannot be forged (except with negligible probability in the security parameter) by any other
node in the system.
Edge-scheduling adversaries (as described above) are commonly used to model edge failures in networks, while the
contribution of our paper is in controlling a node-controlling adversary, which has the ability to corrupt the nodes of
the network.
12 Although the node-controlling adversary is dynamic, he is still constrained by the conforming assumption.
Namely, the adversary may not corrupt nodes that have been, or will be, part of any active path connecting sender
and receiver.
13
In this section we formally describe our edge-scheduling protocol, which is essentially the Slide
protocol of [2].
4.1 Definitions and High-Level Ideas
The goal of the protocol is to transmit a sequence of messages $\{m_1, m_2, \ldots\}$ of uniform size from
the sender $S$ to the receiver $R$ (refer to Section 3.1 for a complete description of the model). Each
node will maintain a stack (i.e. FILO buffers) along each of its (directed) edges that can hold up to
$2n$ packets concurrently. To allow for packets to become stuck in the buffers, we will utilize
error-correction (see e.g. [10]). Specifically, the messages $\{m_1, m_2, \ldots\}$ are converted into codewords
$\{c_1, c_2, \ldots\}$, allowing the receiver to decode a message provided he has received an appropriate
number (depending on the information rate and error-rate of the code) of bits of the corresponding
codeword. In this paper, we assume the existence of an error-correcting code with information rate
$\sigma$ and error rate $\lambda$.
As part of the setup of our protocol, we assume that the messages $\{m_1, m_2, \ldots\}$ have been
partitioned to have uniform size $M = \frac{6\sigma P n^3}{\lambda}$ (recall that $P$ is the capacity of each edge and
$\sigma$ and $\lambda$ are the parameters for the error-correction code). The messages are expanded into codewords,
which will have size $C = \frac{M}{\sigma} = \frac{6 P n^3}{\lambda}$. The codewords are then divided into
$\frac{C}{P} = \frac{6n^3}{\lambda}$ packets of size $P$. We emphasize this quantity for later use:

$$D := \frac{6n^3}{\lambda} = \text{number of packets per codeword.} \qquad (1)$$

Note that the only noise in our network results from undelivered packets or out-dated packets (in
the edge-scheduling adversarial model, any packet that $R$ receives has not been altered). Therefore,
since each codeword consists of $D = \frac{6n^3}{\lambda}$ packets, by definition of $\lambda$, if $R$ receives
$(1 - \lambda)D = (1 - \lambda)\frac{6n^3}{\lambda}$ packets corresponding to the same codeword, he will be able to decode.
We emphasize this fact:
Fact 1. If the receiver has obtained $D - 6n^3 = (1 - \lambda)\frac{6n^3}{\lambda}$ packets from any codeword, he
will be able to decode the codeword to obtain the corresponding message.
Because our model allows for edges to go up/down, we force each node to keep incoming and
outgoing buffers for every possible edge, even if that edge isn't part of the graph at the outset. We
introduce now the notion of height of a buffer, which will be used to determine when packets are
transferred and how packets are re-shuffled between the internal buffers of a given node between
rounds.
Definition 4.1. The height of an incoming/outgoing buffer is the number of packets currently
stored in that buffer.
The presence of an edge-scheduling adversary that can force edges to fail at any time complicates
the interaction between the nodes. Note that our model does not assume that the nodes are aware
of the status of any of their adjacent edges, so failed edges can only be detected when information
that was supposed to be passed along the edge does not arrive. We handle potential edge failures
transmission across that edge, a node at the receiving end of a failed edge may have to leave room
in its corresponding incoming buffer. We refer to this gap as a ghost packet, but emphasize that
the height of an incoming buffer is not affected by ghost packets (by definition, height only counts
packets that are present in the buffer). Similarly, when a sending node sends a packet across an
edge, it actually only sends a copy of the packet, leaving the original packet in its outgoing buffer.
We will refer to the original copy left in the outgoing buffer as a flagged packet, and note that flagged
packets continue to contribute to the height of an outgoing buffer until they are deleted.
The codewords will be transferred sequentially, so that at any time, the sender is only inserting
packets corresponding to a single codeword. We will refer to the rounds for which the sender is
inserting codeword packets corresponding to the $i^{\text{th}}$ codeword as the $i^{\text{th}}$ transmission. Lemma
6.15 below states that after the sender has inserted $D - 2n^3$ packets corresponding to the same
codeword, the receiver can necessarily decode. Therefore, when the sender has inserted this many
packets corresponding to codeword $b_i$, he will clear his outgoing buffers and begin distributing
packets corresponding to the next codeword $b_{i+1}$.
4.2 Detailed Description of the Edge-Scheduling Protocol
We describe now the two main parts of the edge-scheduling adversarial routing protocol: the
Setup and the Routing Phase. For a formal presentation of the pseudo-code, see Section 5.
Setup. Each internal (i.e. not $S$ or $R$) node has the following buffers:
1. Incoming Buffers. Recall that we view each bi-directional edge as consisting of two directed
edges. Then for each incoming edge, a node will have a buffer that has the capacity to hold
$2n$ packets at any given time. Additionally, each incoming buffer will be able to store a Status
bit, the label of the Last-Received packet, and the Round-Received index (the round in
which this incoming buffer last accepted a packet, see Definition 6.5 below). The way that this
additional information is used will be described in the Routing Rules for Receiving Node
section below.
2. Outgoing Buffers. For each outgoing edge, a node will have a buffer that has the capacity to
hold $2n$ packets at any given time. Like incoming buffers, each outgoing buffer will also be
able to store a status bit, the index label of one packet (called the Flagged packet), and a
Problem-Round index (index of the most recent round in which the status bit switched to
1).
The receiver will only have incoming buffers (with capacity of one) and a large Storage Buffer that
can hold up to $D$ packets. Similarly, the sender has only outgoing buffers (with capacity $2n$) and
the input stream of messages $\{m_1, m_2, \ldots\}$ which are encoded into the codewords and divided
into packets, the latter then distributed to the sender's outgoing buffers.
Also as part of the Setup, all nodes learn the relevant parameters ($P$, $n$, $\lambda$, and $\sigma$).
Routing Phase. As indicated in Section 3.1, we assume a synchronous network, so that there are
well-defined rounds in which information is passed between nodes. Each round consists of two units
of time, called Stages. The formal treatment of the Routing Phase can be found in the pseudo-code
of Section 5. Informally, Figure 2 below considers a directed edge $E(A, B)$ from $A$ (including $A = S$)

  Stage 1, $A \to B$: $H_A$ := Height of buffer along $E(A, B)$; Height of flagged p. (if there is one);
                      Round prev. packet was sent
  Stage 1, $B \to A$: $H_B$ := Height of buffer along $E(A, B)$; Round prev. packet was received
  Stage 2, $A \to B$: Send packet if: $H_A > H_B$ OR $B$ didn't rec. prev. packet sent

Figure 2: Description of communication exchange along directed edge $E(A, B)$ during the Routing
Phase of any round.

In addition to this communication, each node must update its internal state based on the
communication it receives. In particular, from the communication $A$ receives from $B$ in Stage 1 of
any round, $A$ can determine if $B$ has received the most recent packet $A$ sent. If so, $A$ will delete this
packet and switch the status of the outgoing buffer along this edge to normal. If not, $A$ will
keep the packet as a flagged packet, and switch the status of the outgoing buffer along this edge
to problem. At the other end, if $B$ does not receive $A$'s Stage 1 communication or $B$ does not
receive a packet it was expecting from $A$ in Stage 2, then $B$ will leave a gap in its incoming buffer
(termed a ghost packet) and will switch this buffer's status to problem. On the other hand,
if $B$ successfully receives a packet in Stage 2, it will switch the buffer back to normal status.
Re-Shuffle Rules. At the end of each round, nodes will shuffle the packets they are holding
according to the following rules:
1. Take a packet from the fullest buffer and shuffle it to the emptiest buffer, provided the
difference in height is at least two (respectively one) when the packet is moved between two buffers
of the same type (respectively when the packet moves from an incoming buffer to an outgoing
buffer). Packets will never be re-shuffled from an outgoing buffer to an incoming buffer. If
two (or more) buffers are tied for having the most packets, then a packet will preferentially
be chosen from incoming buffers over outgoing buffers (ties are broken in a round-robin
fashion). Conversely, if two (or more) buffers are tied for the emptiest buffer, then a packet will
preferentially be given to outgoing buffers over incoming buffers (again, ties are broken in a
round-robin fashion).
2. Repeat the above step until the difference between the fullest buffer and the emptiest buffer
does not meet the criterion outlined in Step 1.
Recall that when a packet is shuffled locally between two buffers, packets travel in a FILO manner,
so that the top-most packet of one buffer is shuffled to the top spot of the next buffer. When an
outgoing buffer has a flagged packet or an incoming buffer has a ghost packet, we use instead the
following modifications to the above re-shuffle rules. Recall that in terms of measuring a buffer's
height, flagged packets are counted but ghost packets are not.
- Outgoing buffers do not shuffle flagged packets. In particular, if Rule 1 above selects to transfer
a packet from an outgoing buffer, the top-most non-flagged packet will be shuffled. This may
the incoming buffer that created them, although we do allow ghost packets to slide down
within its incoming buffer during re-shuffling. Also, packets shuffled into an incoming buffer
are not allowed to occupy the same slot as a ghost packet (they will take the first non-occupied
slot).$^{14}$
The sender and receiver have special rules for re-shuffling packets. Namely, during the re-shuffle
phase the sender will fill each of his outgoing buffers (in an arbitrary order) with packets
corresponding to the current codeword. Meanwhile, the receiver will empty all of its incoming buffers into its
storage buffer. If at any time $R$ has received enough packets to decode a codeword $b_i$ (Fact 1 says
this amount is at most $D - 6n^3$), then $R$ outputs message $m_i$ and deletes all packets
corresponding to codeword $b_i$ from its storage buffer that he receives in later rounds.
4.3 Analysis of the Edge-Scheduling Adversarial Protocol
We now evaluate our edge-scheduling protocol in terms of our three measurements of
performance: correctness, throughput, and processor memory. The throughput standard expressed in
Theorem 4.2 below will serve an additional purpose when we move to the node-controlling
adversary setting: The sender will know that malicious activity has occurred when the throughput
standard of Theorem 4.2 is not observed. Both of the theorems below will be proved rigorously in
Sections 6 and 7, after presenting the pseudo-code in Section 5.
Theorem 4.2. Each message $m_i$ takes at most $3D$ rounds to pass from the sender to the receiver.
In particular, after $O(xD)$ rounds, $R$ will have received at least $O(x)$ messages. Since each message
has size $M = \frac{6\sigma}{\lambda} P n^3 = O(n^3)$ and $D = \frac{6n^3}{\lambda} = O(n^3)$, after $O(x)$ rounds, $R$ has received
$O(x)$ bits of information, and thus our edge-scheduling adversarial protocol enjoys a linear
throughput rate.
The above theorem implicitly states that our edge-scheduling protocol is correct. For
completeness, we also state the memory requirements of our edge-scheduling protocol, which is bottle-necked
by the $O(n^2)$ packets that each internal node has the capacity to store in its buffers.
Theorem 4.3. The edge-scheduling protocol described in Section 4.2 (and formally in the
pseudo-code of Section 5) requires at most $O(n^2 \log n)$ bits of memory of the internal processors.
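The routing and re-shuffle rules of Section 4.2 can be exercised on a small network; the following Python sketch is an added example, not the paper's pseudo-code. It tracks buffer heights only and assumes edges are up or down for whole rounds (so no flagged or ghost packets arise), breaks ties by buffer name instead of round-robin, and skips a forbidden outgoing-to-incoming pair in favour of the next legal one; the node names, the schedule and all function names are constructed for illustration.

```python
from itertools import product


def reshuffle(inc, out):
    """Re-Shuffle Rules for one internal node, on buffer heights only.

    inc/out map a neighbour's name to the height of the buffer on that edge.
    """
    table = {"in": inc, "out": out}
    while True:
        bufs = [("in", k) for k in sorted(inc)] + [("out", k) for k in sorted(out)]
        height = lambda b: table[b[0]][b[1]]
        # Fullest first (incoming wins ties); emptiest first (outgoing wins ties).
        srcs = sorted(bufs, key=lambda b: (-height(b), b[0] != "in"))
        dsts = sorted(bufs, key=lambda b: (height(b), b[0] != "out"))
        for s, d in product(srcs, dsts):
            if s == d or (s[0], d[0]) == ("out", "in"):
                continue  # packets never move from outgoing to incoming
            need = 1 if (s[0], d[0]) == ("in", "out") else 2
            if height(s) - height(d) >= need:
                table[s[0]][s[1]] -= 1
                table[d[0]][d[1]] += 1
                break
        else:
            return inc, out  # no legal move left


def simulate(n, edges, schedule, rounds):
    """Heights-only routing phase; schedule(t) returns the edges active in round t."""
    cap = 2 * n  # every buffer holds at most 2n packets
    nodes = {x for e in edges for x in e}
    # Two directed edges per link, except none leave R and none enter S.
    directed = [(a, b) for a, b in edges + [(b, a) for a, b in edges]
                if a != "R" and b != "S"]
    out = {v: {b: 0 for a, b in directed if a == v} for v in nodes}
    inc = {v: {a: 0 for a, b in directed if b == v} for v in nodes}
    inserted = delivered = 0
    for t in range(rounds):
        for b in out["S"]:
            out["S"][b] = cap  # sender keeps its outgoing buffers full
        active = schedule(t)
        # Stage 1 compares heights; Stage 2 moves one packet where H_A > H_B.
        sends = [(a, b) for a, b in directed
                 if frozenset((a, b)) in active and out[a][b] > inc[b][a]]
        for a, b in sends:
            out[a][b] -= 1
            inc[b][a] += 1
            inserted += a == "S"
        for v in nodes - {"S", "R"}:
            reshuffle(inc[v], out[v])
        for a in inc["R"]:
            delivered += inc["R"][a]  # receiver empties into its storage buffer
            inc["R"][a] = 0
        heights = [h for v in nodes for h in (*inc[v].values(), *out[v].values())]
        assert max(heights) <= cap, "buffer overflow"
    held = {v: sum(inc[v].values()) + sum(out[v].values())
            for v in sorted(nodes - {"S", "R"})}
    return {"inserted": inserted, "delivered": delivered, "held": held}


def stranding_schedule(t):
    """Constructed conforming adversary: path S-A-R for two rounds, then S-B-R."""
    path = [("S", "A"), ("A", "R")] if t < 2 else [("S", "B"), ("B", "R")]
    return {frozenset(e) for e in path}


def demo(rounds=20):
    edges = [("S", "A"), ("S", "B"), ("A", "B"), ("A", "R"), ("B", "R")]
    return simulate(4, edges, stranding_schedule, rounds)


if __name__ == "__main__":
    print(demo())
```

With the constructed schedule, the packets left in A stay stranded once the adversary stops activating A's edges, which is the kind of loss the error-correcting code is there to absorb.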
14 Note that because ghost packets do not count towards height, there appears to be a danger that the re-shuffle rules
may dictate a packet gets transferred into an incoming buffer, and this packet either has no place to go (because the
ghost packet occupies the top slot) or the packet increases in height (which would violate Claim 6.4 below). However,
because only incoming buffers are allowed to re-shuffle packets into other incoming buffers, and the difference in
Setup
DEFINITION OF VARIABLES:
01 n := Number of nodes in G;
02 D := 6n^3/λ;
03 T := Transmission index;
04 t := Stage/Round index;
05 P := Capacity of edge (in bits);
06 for every N ∈ G
07   for every outgoing edge E(N, B) ∈ G, B ≠ S and N ≠ R
08     OUT ∈ [2n] × {0,1}^P;    ## Outgoing Buffer able to hold 2n packets
09     p̃ ∈ {0,1}^P ∪ ⊥;         ## Copy of packet to be sent
10     sb ∈ {0,1};               ## Status bit
11     d ∈ {0,1};                ## Bit indicating if a packet was sent in the previous round
12     FR ∈ [0..6D] ∪ ⊥;         ## Flagged Round (index of round N first tried to send p̃ to B)
13     H ∈ [0..2n];              ## Height of OUT. Also denoted H_OUT when there's ambiguity
14     H_FP ∈ [1..2n] ∪ ⊥;       ## Height of Flagged Packet
15     RR ∈ [−1..6D] ∪ ⊥;        ## Round Received index (from adjacent incoming buffer)
16     H_IN ∈ [0..2n] ∪ ⊥;       ## Height of incoming buffer of B
17   for every incoming edge E(A, N) ∈ G, A ≠ R and N ≠ S
18     IN ∈ [2n] × {0,1}^P;     ## Incoming Buffer able to hold 2n packets
19     p ∈ {0,1}^P ∪ ⊥;          ## Packet just received
20     sb ∈ {0,1};               ## Status bit
21     RR ∈ [−1..6D];            ## Round Received (index of round N last rec'd a p. from A)
22     H ∈ [0..2n];              ## Height of IN. Also denoted H_IN when there's ambiguity
23     H_GP ∈ [1..2n] ∪ ⊥;       ## Height of Ghost Packet
24     H_OUT ∈ [0..2n] ∪ ⊥;      ## Height of outgoing buffer, or height of Flagged Packet of A
25     sb_OUT ∈ {0,1};           ## Status Bit of outgoing buffer of A
26     FR ∈ [0..6D] ∪ ⊥;         ## Flagged Round index (from adjacent outgoing buffer)
INITIALIZATION OF VARIABLES:
27 for every N ∈ G
28   for every incoming edge E(A, N) ∈ G, A ≠ R and N ≠ S
29     Initialize IN;            ## Set each entry in IN to ⊥
30     p, FR, H_GP = ⊥;
31     sb, sb_OUT, H, H_OUT = 0; RR = −1;
32   for every outgoing edge E(N, B) ∈ G, B ≠ S and N ≠ R
33     Initialize OUT;           ## Set each entry in OUT to ⊥
34     p̃, H_FP, RR, FR = ⊥;
35     sb, d, H, H_IN = 0;
End Setup
DEFINITION OF ADDITIONAL VARIABLES FOR SENDER:
36 M := {m_1, m_2, ...} = Input Stream of Messages;
37 κ ∈ [0..D] = Number of packets corresponding to current codeword the sender has knowingly inserted;
INITIALIZATION OF SENDER'S VARIABLES:
38 Distribute Packets;           ## See Figure 6
39 κ = 0;
DEFINITION OF ADDITIONAL VARIABLES FOR RECEIVER:
40 I_R ∈ [D] × ({0,1}^P ∪ ⊥) = Storage Buffer to hold packets corresponding to current codeword;
41 κ ∈ [0..D] := Number of packets received corresponding to current codeword;
INITIALIZATION OF RECEIVER'S VARIABLES:
42 κ = 0;
43 Initialize I_R;               ## Sets each element of I_R to ⊥
End Sender and Receiver's Additional Setup
Figure 4: Additional Code for Sender and Receiver Setup
Transmission T
01 for every N ∈ G
02   for every t < 2 ∗ (3D)      ## The factor of 2 is for the 2 stages per round
03     if t (mod 2) = 0 then:    ## STAGE 1
04       for every outgoing edge E(N, B) ∈ G, N ≠ R, B ≠ S
05         if H_FP = ⊥: send (H, ⊥, ⊥); else: send (H − 1, H_FP, FR);
06         receive (H_IN, RR);
07         Reset Outgoing Variables;
08       for every incoming edge E(A, N) ∈ G, N ≠ S, A ≠ R
09         send (H, RR);
10         sb_OUT = 0; FR = ⊥;
11         receive (H, ⊥, ⊥) or (H, H_FP, FR);   ## If H = ⊥ or FR > RR, set sb_OUT = 1; and
                                                 ## H_OUT = H_FP; O.W. set H_OUT = H; sb_OUT = 0;
12     else if t (mod 2) = 1 then:   ## STAGE 2
13       for every outgoing edge E(N, B) ∈ G, N ≠ R, B ≠ S
14         if H_IN ≠ ⊥ then:     ## Received B's info.
15           Create Flagged Packet;
16           if (sb = 1 or (sb = 0 and H_OUT > H_IN)) then:
17             Send Packet;
18       for every incoming edge E(A, N) ∈ G, N ≠ S, A ≠ R
19         Receive Packet;
20       if N ∉ {S, R} then: Re-Shuffle;
21       else if N = R then: Receiver Re-Shuffle;
22       else if N = S then: Sender Re-Shuffle;
23     if t = 2(3D) − 1 then: End of Transmission Adjustments;
End Transmission T
25   if d = 1:                   ## N sent a packet previous round
26     d = 0;
27     if RR = ⊥ or ⊥ ≠ FR > RR  ## Didn't receive conf. of packet receipt
28       sb = 1;
29   if RR ≠ ⊥:
30     if ⊥ ≠ FR ≤ RR:           ## B rec'd most recently sent packet
31       if N = S then: κ = κ + 1;
32       OUT[H_FP] = ⊥; Fill Gap;   ## Remove p̃ from OUT, shifting
                                    ## down packets on top of p̃ if necessary
33       FR, p̃, H_FP = ⊥; sb = 0; H = H − 1;
34     if ⊥ ≠ RR < FR and ⊥ ≠ H_FP < H:   ## B did not receive most recently sent packet
35       Elevate Flagged Packet;  ## Swap OUT[H] and OUT[H_FP]; Set H_FP = H;
36 Create Flagged Packet
37   if sb = 0 and H > H_IN:     ## Normal Status, will send top packet
38     p̃ = OUT[H]; H_FP = H; FR = t;
39 Send Packet
40   d = 1;
41   send (p̃, FR);
42 Receive Packet
43   receive (p, FR);
44   if H_OUT = ⊥:               ## Didn't Rec. A's height info.
45     sb = 1;
46     if H_GP > H or (H_GP = ⊥ and H < 2n): H_GP = H + 1;
47   else if sb_OUT = 1 or H_OUT > H:   ## A packet should've been sent
48     if p = ⊥:                 ## Packet wasn't rec'd
49       sb = 1;
50       if H_GP > H or (H_GP = ⊥ and H < 2n): H_GP = H + 1;
51     else if RR < FR:          ## Packet was rec'd and should keep it
52       if H_GP = ⊥: H_GP = H + 1;   ## If no slot is saved for p, put it on top
53       sb = 0; IN[H_GP] = p; H = H + 1; H_GP = ⊥; RR = t;
54     else:                     ## Packet was rec'd, but already had it
55       sb = 0; Fill Gap; H_GP = ⊥;   ## See comment about Fill Gap on line 57 below
56   else:                       ## A packet should NOT have been sent
57     sb = 0; Fill Gap; H_GP = ⊥;     ## If packets occupied slots above the
                                       ## Ghost Packet, then Fill Gap will Slide
                                       ## those packets down one slot
58 End of Transmission Adjustments
59   for every outgoing edge E(N, B) ∈ G, N ≠ R, B ≠ S:
60     if H_FP ≠ ⊥:
61       OUT[H_FP] = ⊥; Fill Gap;   ## Remove any flagged packet p̃ from OUT, shifting
                                    ## down packets on top of p̃ if necessary
62       d, sb = 0; FR, H_FP, p̃ = ⊥; H = H − 1;
63   for every incoming edge E(A, N) ∈ G, N ≠ S, A ≠ R:
64     H_GP = ⊥; sb = 0; RR = −1; Fill Gap;
65 if