Authenticated Adversarial Routing

The aim of this paper is to demonstrate the feasibility of authenticated throughput-efficient routing in an unreliable and dynamically changing synchronous network in which the majority of malicious insiders try to destroy and alter messages or disrupt communication in any way. More specifically, in this paper we seek to answer the following question: Given a network in which the majority of nodes are controlled by a malicious adversary and whose topology is changing every round, is it possible to develop a protocol with polynomially-bounded memory per processor that guarantees throughput-efficient and correct end-to-end communication? We answer the question affirmatively for extremely general corruption patterns: we only request that the topology of the network and the corruption pattern of the adversary leaves at least one path each round connecting the sender and receiver through honest nodes (though this path may change at every round). Out construction works in the public-key setting and enjoys bounded memory per processor (that does not depend on the amount of traffic and is polynomial in the network size.) Our protocol achieves optimal transfer rate with negligible decoding error. We stress that our protocol assumes no knowledge of which nodes are corrupted nor which path is reliable at any round, and is also fully distributed with nodes making decisions locally, so that they need not know the topology of the network at any time.

💡 Research Summary

The paper tackles the problem of reliable end‑to‑end communication in a synchronous network whose topology changes every round and where the majority of nodes may be under the control of a malicious adversary. Two adversarial models are defined. The first, the Edge‑Scheduling Adversary, decides each round which communication links are up or down, but must be conforming: at least one honest path from the sender S to the receiver R must exist in every round. The second, the Node‑Corruption Adversary, can corrupt any polynomial‑time computable set of nodes, possibly the vast majority, and once corrupted a node behaves arbitrarily. The two adversaries may act independently but are coordinated in the sense that they together shape the network each round.

The network is modeled as a complete graph on n vertices where each edge can be either up or down in a given round, and each up edge can transmit a single bounded‑size packet (or control variable). The sender has an infinite read‑only input tape of packets, the receiver an infinite write‑only output tape. The authors evaluate any routing protocol according to three worst‑case metrics: (1) Correctness – the receiver’s output must be a prefix of the sender’s input without duplication or loss; (2) Throughput – number of packets delivered per round; (3) Processor Memory – the amount of state each node must store, which must be polynomial in n and independent of the total traffic.

The core contribution is a public‑key authenticated extension of the Slide protocol. The original Slide protocol (Afek, Gafni, et al.) achieves optimal throughput against an edge‑scheduling adversary but assumes all nodes are honest. To protect against malicious nodes, the authors attach a digital signature to every packet and require each hop to verify the signature before forwarding. Nodes also exchange proofs of correct state transitions (essentially authenticated acknowledgments) so that any deviation can be detected locally. When a node receives an invalid signature or an unexpected state, it marks the neighbor as corrupted; corrupted nodes are then excluded from future routing decisions. This isolation is performed entirely with local information—no node needs a global view of the topology.

The protocol operates in two logical phases each round. Phase 1 (Path Discovery & Authentication): each node broadcasts its current authenticated state to its immediate neighbors, allowing honest nodes to construct a set of candidate honest paths that respect the current up‑edge configuration. Phase 2 (Packet Transmission): a packet is sent along a selected candidate path; at every hop the packet’s signature is re‑verified. If verification fails, the offending node is immediately black‑listed and the remaining honest nodes recompute a new path for subsequent rounds. Because decisions are made locally, the protocol works under the “no global knowledge” assumption and the per‑node memory requirement stays at O(n·polylog n).

The authors prove that under the conforming assumption the protocol achieves a linear transmission rate (one packet per round), which they show is optimal: any routing protocol that respects the same minimal connectivity condition cannot exceed this rate. The error probability is reduced to negligible levels, relying on the cryptographic hardness of forging signatures. Moreover, the memory overhead matches that of the original Slide protocol, demonstrating that the added authentication does not blow up resource consumption.

In the related‑work discussion, the paper positions itself against three strands of literature. (i) Fault detection and localization (Barak, Goldwasser, Xiao 2008) which handles a single path and requires a trusted setup; the present work extends to multiple dynamic paths and uses a public‑key infrastructure (PKI) to identify malicious nodes without a trusted setup. (ii) Error‑correcting network coding (Minali et al., Rajagopalan & Shulman) which deals with noisy edges but not with actively malicious nodes; the authors combine error‑correction ideas with authentication to handle both noise and adversarial behavior. (iii) Byzantine routing (Awerbuch et al.) which often assumes static topologies or global knowledge; the new protocol works with fully dynamic topologies and purely local decisions while retaining optimal throughput.

The paper concludes that it is the first to simultaneously address (a) dynamic edge failures, (b) a majority of corrupted nodes, and (c) optimal throughput with polynomial‑bounded memory, all under a fully distributed, locally‑deciding model. While the construction is theoretically sound, the authors acknowledge that constants hidden in the polynomial memory bound are large, making immediate practical deployment challenging. They suggest future work on reducing these constants, implementing the protocol in realistic network simulators, and exploring trade‑offs between security level, memory, and throughput.