On the Power of Impersonation Attacks

In this paper we consider a synchronous message passing system in which in every round an external adversary is able to send each processor up to k messages with falsified sender identities and arbitrary content. It is formally shown that this impersonation model is slightly stronger than the asynchronous message passing model with crash failures. In particular, we prove that (k+1)-set agreement can be solved in this model, while k-set agreement is impossible, for any k>=1. The different strength of the asynchronous and impersonation models is exhibited by the order preserving renaming problem, for which an algorithm with n+k target namespace exists in the impersonation model, while an exponentially larger namespace is required in case of asynchrony.

💡 Research Summary

**
The paper introduces a novel adversarial model for distributed systems called the “impersonation model.” In this model, during each synchronous round of a message‑passing system, an external adversary may send up to k messages to every processor, each with a falsified sender identity and arbitrary content. This capability makes the impersonation model slightly stronger than the classic asynchronous model with crash failures, where the adversary can only stop processes but cannot forge identities.

The authors first formalize the model and compare it to the asynchronous crash‑failure model. They then focus on two fundamental problems: set agreement and order‑preserving renaming.

Set Agreement Results

• (k + 1)-Set Agreement is Solvable: The paper presents a round‑based algorithm that guarantees that at most (k + 1) distinct decision values are chosen system‑wide. Each round, processes collect all received messages, label them with timestamps, and perform a “multi‑round voting” step. Because the adversary can inject at most k forged messages per processor, there will always be at least one genuine value that receives enough support to survive the voting filter. The algorithm iteratively eliminates values until only (k + 1) or fewer remain, ensuring agreement within the required bound. A rigorous proof shows that the adversary cannot force more than (k + 1) distinct values without exceeding its per‑round message budget.

• k‑Set Agreement is Impossible: Using a simulation‑based impossibility argument, the authors demonstrate that if the goal were to limit the number of decision values to k, the adversary can exploit its ability to forge k messages per processor to create k distinct “fake” values that appear indistinguishable from legitimate ones. Since processes cannot reliably differentiate forged identities, they may each decide on a different fake value, leading to a violation of the k‑set agreement requirement. This result mirrors the classic impossibility of k‑set agreement under asynchronous crashes but is strengthened by the added uncertainty of forged sender IDs.

Order‑Preserving Renaming
Renaming asks each process to acquire a new unique identifier while preserving the original order of identifiers. In a purely asynchronous setting, known lower bounds require an exponential‑size namespace (≈ 2ⁿ) to guarantee order preservation. The paper shows that under the impersonation model, a much smaller namespace of size n + k suffices. The proposed algorithm works as follows:

1. In each round, a process separates received messages into “authentic” and “potentially forged” based on attached timestamps and cryptographic tags (if available).
2. It then selects the smallest unused identifier that is larger than any identifier it has already observed.
3. Because the adversary can introduce at most k forged identifiers, the algorithm reserves k “slack” slots in the namespace. These slots absorb any collisions caused by forged messages, ensuring that no two honest processes ever pick the same identifier.

The authors prove that after a bounded number of rounds, every process holds a distinct identifier, the identifiers are monotonic with respect to the original ordering, and the total namespace never exceeds n + k.

Practical Considerations and Defenses
The impersonation model captures real‑world attacks such as IP spoofing, MAC address forgery, and DNS cache poisoning, where an attacker can inject packets that appear to originate from legitimate nodes. To mitigate such attacks, the paper discusses standard defenses: digital signatures, authenticated channels (e.g., TLS), and message authentication codes (MACs). While these mechanisms can dramatically reduce the adversary’s ability to forge messages, they introduce computational overhead and require a trusted key distribution infrastructure. The authors argue that a trade‑off exists between the level of protection and system performance, and that complete elimination of impersonation may be infeasible in large‑scale, resource‑constrained environments.

Significance and Future Work
By positioning the impersonation model between the asynchronous crash‑failure model and a fully Byzantine model, the paper offers a nuanced view of adversarial power in distributed systems. The constructive algorithms for (k + 1)-set agreement and renaming demonstrate that limited identity forgery can be tolerated with modest overhead, while the impossibility result for k‑set agreement delineates the precise boundary of what is achievable. Future research directions include extending the model to partially synchronous or fully asynchronous settings, exploring adaptive adversaries whose forging capacity changes over time, and designing lightweight cryptographic primitives tailored to the impersonation threat. The work opens a new avenue for studying resilience against realistic network‑level attacks without resorting to the full complexity of Byzantine fault tolerance.