secure message transmission against rational …wwa1056/pdf/yasuitransmission.pdfsecure message...
TRANSCRIPT
Securemessagetransmission
againstrationalmultipleadversaries
KenyaYasui1*,YoshifumiManabe11FacultyofInformatics,KogakuinUniversity,Shinjuku,Tokyo,Japan.*Correspondingauthor.email:[email protected],2014;acceptedMarch8,2014.
Abstract: Thispapershowsaninformationtheoreticallysecuremessagetransmissionagainstmultipleadversaries.FujitaandKoshibashowedasecuremessagetransmissionagainstonerationaladversaryusingtheGarayandOstrovsky'sprotocol.Weconsidermultipleadversariesandimproveexistingprotocols.Moreover,wedefinethesafetyprobabilityequationoftheproposedprotocol.Byusingtheequation,thesenderknowshowmanypathstoincreaseforsafetransmission.Weanalyzeeachadversary'sstrategyinamultipleadversaryenvironmentusinggametheoryandshowthattheproposedprotocolissafeandreliable.Bytheseveralsimulations,weshowthattheproposedprotocolissafeandreliableagainstvariousadversariesunderrealisticconditions.Keywords:InformationTheoreticalSecurity,Gametheory,SecretSharing,TransmissionProtocol
1. Introduction Recently,thecomputationpowerofcomputersystemsisrapidlyincreasingbyGPGPU,clusters,andcloudcomputing.Therefore,aninformationtheoreticalsecureprotocolbecomemoreeffectivethancomputationalsecureprotocolsinsomeapplications.Comparedtocomputationallysecureprotocols,informationtheoreticallysecureprotocolshaveadvantagessuchaseliminatingthekeymanagementissue;arelessvulnerabletotheman-in-the-middleandarerobusttoadversarieswithunlimitedcomputationalpower.Gametheoryisamethodofmathematicallyandlogicallyanalyzingwhatkindofstrategyistakengivenastatetopeoplewithmultipleutilities.WeimproveexistingASMTprotocolinordertobeusedformultipleadversaryenvironmentsinSession3.TheprobabilityofsafetyandreliabilityoftheproposedprotocolsimprovedinSession4.Weanalyzethesecurityundermultipleadversaryenvironmentsusinggametheory.WeshowthesimulationresultoftheprotocolinSession5.
2. SecretSharingTransmissionProtocol ASecretSharingTransmissionProtocolhasinformationtheoreticsecuritybyusingsecretsharing algorithm.ForexampleAlmostEverywhereSecureComputationwasproposedbyGarayandOstrovsky.[2]
2.1. GarayandOstrovsky’sASMTProtocol Inmessagetransmission,safetymeansthatthetransmissioncontentsarenotleakedout.Reliabilitymeansthatthemessageiscorrectlyreceivedbythereceiver.AprotocolsatisfyingsafetyandreliabilityiscalledPerfectSecureMessageTransmission(PSMT).AlmostSMT(ASMT)failstosendamessagewithasmallprobability.GarayandOstrovsky’sprotocol,shownshowininFig.1,isthreeroundASMTprotocol.Q-bitdatatobesentisencodedtoa12qbitdatabyacodingmethodthatiscapableoferrorcorrectionupto1/4dataerrors.[2]TheencodinganddecodingalgorithmaredenotedEncandDec,respectively.Thesendercannotdetecteavesdroppingbutcandetecttampering.Thetransmissionusesapublicpaththatanyonecanbrowsebutcannottamper.Tamperingdetectionisenabledbyreleasingapartofthetransmissionmessageusingthepublicpath.
79
2.1.1. Reliability Setl’suchthatl’>3l.Supposethatatamperedpathisnotdetectedbytamperingmorethanl’bitsthatisgreaterthantheerrorcorrectioncapabilityintheround1.Inround2theprobabilitythatthetamperedl’bitsarenotincludedinthepublished3lbitsis(4/5)l’.Theprobabilitythatanadversary’stamperingisnotdetectedis(1-(4/5)l’)kwhentheadversarytampersatkpaths.2.1.2. Safety Ifn≥t–1(t:thenumberofpathsdominatedbyanadversary),theadversarycannotrestorethemessagemwhenatleastoneofthenpathsisnotdominated,sothesafetyissatisfied.
2.1.3. Problemformultipleadversaries Asanextensionofthemodelthattherearemultipleadversaries,thefollowingproblemmustbeconsidered. Whensomeadversarytampersandthenumberofavailablepathsdecreases,thepossibilitythatthedominantratebyanotheradversaryamongtheremainingpathsmightbecomehigh.Theprobabilitythatanadversarydominatesalltheremainingpathsbecomeshighwhenmanyadversariestamper.Inordertolowerthepossibility,thispaperproposesthefollowingmethodtoincreasethenumberofpathswhenthenumberofpathstobeuseddecreasesduetotampering.Next,weproposeanimprovedGarayandOstrovsky'sASMTProtocolformultipleadversaries.
2.2. Proposedprotocol Adversarieswhoconspireareconsideredasoneadversary.Multipleadversariesareindependentofeachother.Ifanindependentadversarydominatesthesamepath,theadversaryisnoticedthatthereisanotheradversaryonthepath.Assumethatthesenderconsidersthecalculationcosttostartmessagetransmission.So,thesenderdoesnotusealltheexistingpathsfromthebeginning.Initially,randomlyselectednpathsamongallexistingpathsareusedandchecktamperingusingthesamealgorithmasGarayandOstrovsky'sASMTProtocol.Unusedpathsareaddedwhensomepathsaredetectedasbeingtampered. Thesendertransmitsamessageafterincreasingthenumberofpathssoastosatisfytherequiredsafetyprobability.Inthenextsection,wewillcalculatetheprobabilityofsafetyandreliabilitywhenthenumberofpathsisincreased.Afterround2inASMT,thefollowingprocedureisexecuted
Fig.1GarayandOstrovsky’sASMTProtocolProtocol
Thenumberofpaths:nMessagetobesent:m(|m|<q)Round1. Sender:ThesendergeneratesandtransmitsrandombitsRi(|Ri|=15l(q≤l))foreachpathi(1≤i≤n). Receiver:LetthereceivedbitsonthepathibeRi’.Thereceiverregardsthepathasatampering pathwhen|Ri'|≠15l.Round2. Sender:ThesendertransmitsRi*inwhichrandomlyselected12lbitsarereplacedwith*inRi usingthepublicpath. Receiver:ThereceivercomparesRi*foreachpathandRi’.Thereceivertransmitsthetamperedpath as0andthenon-tamperedpathas1tothesenderusingthepublicpath. Thereafter,thetamperedpathsarenotused. Thesenderconsiders12lbitsnotpublishedbyRi*as Ri.
_
Thereceiverconsiders12lbitsnotpublishedbyRi*as Ri'
_
.Round3. Sender:Thesenderadjuststhelengthofmessagemtoqbits.Thesenderdecidesmisuchthatm= m1⊕m2⊕...⊕mn’(n':thenumberofnon-tamperedpaths).Thesendertransmitssi=Enc(mi)⊕Ri
_
(1≤i≤n’)onthepublicpath. Receiver:Thereceivercalculatesm'i=Dec(si⊕ Ri'
_
)andrestoresthemessagebym'=m'1⊕m'2⊕...⊕m'n'.
80
3. SecretSharingTransmissionProtocol’ssafetyandreliability Assumptionsforprobabilitycalculationareshownbelow.Thetotalnumberofpathsish.Thenumberofpathscurrentlyusedfortransmissionisx.Thenumberofdecreasedpathsisy.Thenumberofaddedpathsisz.Thenumberofadversariesise.Thenumberofpathsdominatedbyeachadversaryarek1,k2,k3,…,ke.Safetyprobabilityisobtainedfromtheabovevalues.Thetransmissionissafeifthenumberofsomeadversary’sdominantpathsislessthanthenumberofcurrentlyusingpaths.
Basedonthissafetyprobability,thesenderdecidestosendthemessageusingthecurrentpathsortoaddsomenumberofnewpathstoincreasethesafety.Thisprobabilitychangeswhenatamperdetectionoccursandthenumberofusablepathsisdecreased.Iftheprobabilityishigherthanthesecurityrequiredbythesender,themessageistransmitted.Ifnonewpathisavailablewhentheprobabilityislowerthantherequirelevel,thetransmissionisinterrupted.
4. GametheoryforSecretSharingTransmissionProtocol Inthissection,gametheoryisappliedtoanalyzeprotocolsproposedinSection3.Eveninarealisticmodelinwhichtherearemultipleadversaries,whenn≥t+1issatisfied,thispapershowsthattheproposedprotocolisASMT.
4.1. Gametheory Gametheoryisamethodofmathematicallyandlogicallyanalyzingwhatkindofstrategyistakenwhengivenastatetopeoplewithmultipleutilities.Eachadversaryselectastrategythatmaximizesitsutilityinthegivensituation.Usinggametheory,itispossibletoobtaintheoutcomewheneachadversaryactsreasonably.
4.2. Adversary’sutilityontransmissionpathInthispaper,weassumetheadversary'sutilityasfollows.
4.3. Validationagainstadversaryutilities Whenverifyingthestrategyofmultipleadversaries,assumethatthereareadversarieswithdiferrentutilitiy.Whensomeadversarypursuesautilityotherthantheadversary’sfirstutilitybyastrategy,thestrategycanberegardedasthesamestrategythattheadversaryfirstpursuesthesamestrategybutpursuesanotherutilityasthesecondorlowerutility.Therefore,thereisnoneedtoconsiderthesecondorlowerutilityotherthanthe
Fig.2Proposedprotocol
Thesendercalculatescurrentsecurityprobabilityusingequation(1).Iftheprobabilityislessthanthesender'srequiredsecuritylevel,thesenderrandomlyselectsunusedpathsandverifiestamperingonthenewpathsbyusinground1and2.Ifnotamperingisdetected,thepathsareaddedforthetransmission.Round3.SameasFig1.
Fig.3Adversary’sUtility
Adversary’sUtility1. u1:Obtainsthecontentofthemessage(containsincreasingthedominantrate)2. u2:Thesenderfailstosendthecorrectmessage.3. u3:Temperspathsinwhichanotheradversarydominates.4. u4:Interruptsthetransmissionprotocol
81
adversary’sfirstutility.Wewillexaminethestrategiesofeachadversarywhopursueseachutilityfirstandexaminetheinfluenceonthetransmissionprotocol.4.3.1. Wiretaponlyutility Theutilityofwiretaponlyisu1.Letusconsideranadversarywhosemaximumutilityisu1.Ifanadversarydominatesalltransmissionpaths,theadversaryisabletoobtainoutgoingmessages.Accordingly,thisutilityisautilityincludingastrategytoraisethedominantrate.Sincetheadversarycannotexecuteactionsotherthantamperingandwiretapping,andtamperingisdetectedbythesenderwithhighprobability,thereisnoactiontotakefortheadversarytoincreasethedominationrateoftheadversary.TheonlypossibilitytoincreasethedominationrateofadversaryAisthatanotheradversary,sayadversaryB,tampersapaththatisnotdominatedbyadversaryAandthesenderusesanotherpaththatisdominatedbyA.Sincealladversariesareindependentandnocollusionexists,thereisnowayforadversaryAtomakeadversaryBtamperaspecificpath. Thus,thistypeofadversaryjustexecuteswiretapping.4.3.2. Wiretapandtamperingutility Theutilitiesofwiretapandtamperingarethefollowingthreeofu2,u3andu4.Thesethreeutilitiescauseanincreaseordecreasethenumberofpathsbytampering.Next,weverifywhetherthesethreeutilitiesdegradethesafetyandreliabilityofthetransmissionprotocol.4.3.3. Impactoftampering Changesintheadversary'sdominancemustbetakenintoconsiderationwithalltamperingutilities.Reductioninreliabilityoccurswhenthereismanytamperingorwhenthereareadversarieswithahighdominantrate.Theutilitiesu2andu4correspondtothiscase. Ifanadversarywhosemaximumutilityisu3wishestolowerthedominantrateofahostileadversaryonadominatedpath,theadversarywithutilityu3intentionallytampershostile'spaths.Then,thetamperedpathsaredetectedandotherpathsareused.Thealterationcausedbytheutilityu3occursonlyinacertainpath.Iftamperingoccursonmanypathsbymanyadversaries,thissituationisthesameasconsideringu4thatismanytamperingdescribedlater. Next,wediscussanadversarywhosemaximumutilityisu2oru4whichmaydegradethereliability.Theutilityu2canbeobtainedwiththesmallprobabilitybythecodingshowninSection3.1.1.Thesuccessprobabilityis(4/5)l’dependingonthebitlength.Itcanbeapproximatedtozeroiflistakenlargeenough.So,itisalmostimpossibletoachievethisutility.Adversarieswhosemaximumutilityisu4needtodominatemanypaths.Thehigherthedominatedpathrateoftheadversary,thegreatertheimpactonsafetyandreliabilitybecomes.Inordertoavoidtheproblem,thesenderusestheequationP1andaddsnewpaths.Thereliabilityandsafetyaredeterminedbyhowmanypathsarenottamperedamongtheentirepaths. Weshowedhowallutilitieseffectedthetransmissionprotocol.Inconclusion,ifthesenderpreparesasufficientnumberofpathsandtransmitwithsatisfactoryprobability,thereliabilityandsafetyisachieved.Inthenextsection,weshowtherelationshipbetweenthetamperingrateandthereliability.
5. SimulationforSecretSharingTransmissionProtocol Inthissection,usingtheprobabilityformulainSection4,weshowthecalculationresult.Inthecalculation,weassumethreetypesofadversaries.(1)Onlytamperingofu4.(2)Onlywiretapofu1.(3)tamperingorwiretapofu3.Anadversarytampersapathonlyifanotheradversarydominatesonthepath.Theupperlimitofthenumberofadversariesischangedfrom1to100andcalculatedthepossibilityofanadversarydominatesallusingpathsandinterruptstransmission.ThecalculationresultisshowninFig.5,6.Threetypesofadversariesarerandomlyplacedwiththesameprobability.Thecalculationisexecuted1000timesandthenumberoftimeseacheventoccurredissummedup.
82
Also,wechangedthenumberofthreetypesofadversaries.TheresultisshowninFig.7,8,9.
Fig.5-6indicatethatwhenthreetypesofadversarieshavethesameratio,thepathsaretamperedandthemessagecannotbesent.Evenifanadversarywhosedominancerateishighwiretapstransmission,theprobabilityofthedataleakedissmall.Thus,asshowninFig.5-9,thepossibilityoftransmissioninterruptismuchhigherthantheoneofdataleakageinanycases.Ifthetransmissionisnotinterrupted,thepossibilitythatthedataisnotleakedisveryhigh.Thus,thesenderneedstoavoidtransmissioninterrupt.Inordertoachievethis,thesenderneedstoprepareenoughnumberofuntappedpathsusingequationP1.
6. Conclusion Inthispaper,improvementsaremadetotheexistingASMTprotocolbyincreasingthenumberofpathsbasedontheequationofthesafetyandthereliability.Theprobabilityofsafetyandreliabilitythatvariesdependingonthestrategiesofmultipleadversariesisdiscussed.Weconsideredthecaseswhenthereareseveraltypesofadversarieswhohavedifferentutilitiesusinggametheory.Thecalculationresultshowsthatthesafetyandthereliabilityarealmostachieved.Forfurtherfuturestudy,weusethiscalculationresulttomakestatisticsthatcanpredictthetotalnumberofadversariesfromthenumberoftamperingundertherealworld.
References[1] Maiki Fujita and Takeshi Koshiba. ”Perfectly secure message transmission scheme against rational
adversaries”SCIS2016.InJapanese.[2] Juan A Garay and Rafail Ostrovsky. (2008) “Almost everywhere secure computation.” Advances in
Cryptology―EUROCRYPT.LNCS4965.SpringerBerlinHeidelberg,pp.307-323.[3] AdiShamir.(1979)“Howtoshareasecret.”CommunicationsoftheACM22(11):pp.612-613.[4] DannyDolevandCynthiaDwork,OrliWarts,MotiYung.(1993)“Perfectlysecuremessagetransmission.”
J.ACM40(1):pp.17-47.[5] MatthewFranklinandRebeccaN.Wright.(2000)“Securecommunicationinminimalconnectivitymodels.”
J.Cryptol13(1):pp.9-30.
83
KenyaYasuiwasborninTokyo,Japanin1993.Heisinhisfirstyearforhismaster’sinFacultyof Informatics, Kogakuin University. His research interest includes game theory, onionrouting,blockchain.
YoshifumiManabewasborninOsaka,Japanin1960.HereceivedB.E.,M.E.,andDr.E.degreesfromOsakaUniversity,Osaka,Japanin1983,1985,and1993,respectively.From1985to2013,heworkedforNipponTelegraphandTelephoneCorporation.HewasaguestassociateprofessorofKyotoUniversityin2001-2013.Since2013,heisaprofessorofKogakuinUniversity.Hisresearchinterestincludescryptography,distributedalgorithms,andgametheory.
Dr.ManabeisMemberofACM,IEEE,IPSJ,JSIAMandIEICE.
84