Securemessagetransmission

againstrationalmultipleadversaries

KenyaYasui1*,YoshifumiManabe11FacultyofInformatics,KogakuinUniversity,Shinjuku,Tokyo,Japan.*Correspondingauthor.email:em17019@ns.kogakuin.ac.jpManuscriptsubmittedJanuary10,2014;acceptedMarch8,2014.

Abstract: Thispapershowsaninformationtheoreticallysecuremessagetransmissionagainstmultipleadversaries.FujitaandKoshibashowedasecuremessagetransmissionagainstonerationaladversaryusingtheGarayandOstrovsky'sprotocol.Weconsidermultipleadversariesandimproveexistingprotocols.Moreover,wedefinethesafetyprobabilityequationoftheproposedprotocol.Byusingtheequation,thesenderknowshowmanypathstoincreaseforsafetransmission.Weanalyzeeachadversary'sstrategyinamultipleadversaryenvironmentusinggametheoryandshowthattheproposedprotocolissafeandreliable.Bytheseveralsimulations,weshowthattheproposedprotocolissafeandreliableagainstvariousadversariesunderrealisticconditions.Keywords:InformationTheoreticalSecurity,Gametheory,SecretSharing,TransmissionProtocol

1. Introduction Recently,thecomputationpowerofcomputersystemsisrapidlyincreasingbyGPGPU,clusters,andcloudcomputing.Therefore,aninformationtheoreticalsecureprotocolbecomemoreeffectivethancomputationalsecureprotocolsinsomeapplications.Comparedtocomputationallysecureprotocols,informationtheoreticallysecureprotocolshaveadvantagessuchaseliminatingthekeymanagementissue;arelessvulnerabletotheman-in-the-middleandarerobusttoadversarieswithunlimitedcomputationalpower.Gametheoryisamethodofmathematicallyandlogicallyanalyzingwhatkindofstrategyistakengivenastatetopeoplewithmultipleutilities.WeimproveexistingASMTprotocolinordertobeusedformultipleadversaryenvironmentsinSession3.TheprobabilityofsafetyandreliabilityoftheproposedprotocolsimprovedinSession4.Weanalyzethesecurityundermultipleadversaryenvironmentsusinggametheory.WeshowthesimulationresultoftheprotocolinSession5.

2. SecretSharingTransmissionProtocol ASecretSharingTransmissionProtocolhasinformationtheoreticsecuritybyusingsecretsharing algorithm.ForexampleAlmostEverywhereSecureComputationwasproposedbyGarayandOstrovsky.[2]

2.1. GarayandOstrovsky’sASMTProtocol Inmessagetransmission,safetymeansthatthetransmissioncontentsarenotleakedout.Reliabilitymeansthatthemessageiscorrectlyreceivedbythereceiver.AprotocolsatisfyingsafetyandreliabilityiscalledPerfectSecureMessageTransmission(PSMT).AlmostSMT(ASMT)failstosendamessagewithasmallprobability.GarayandOstrovsky’sprotocol,shownshowininFig.1,isthreeroundASMTprotocol.Q-bitdatatobesentisencodedtoa12qbitdatabyacodingmethodthatiscapableoferrorcorrectionupto1/4dataerrors.[2]TheencodinganddecodingalgorithmaredenotedEncandDec,respectively.Thesendercannotdetecteavesdroppingbutcandetecttampering.Thetransmissionusesapublicpaththatanyonecanbrowsebutcannottamper.Tamperingdetectionisenabledbyreleasingapartofthetransmissionmessageusingthepublicpath.

79

2.1.1. Reliability Setl’suchthatl’>3l.Supposethatatamperedpathisnotdetectedbytamperingmorethanl’bitsthatisgreaterthantheerrorcorrectioncapabilityintheround1.Inround2theprobabilitythatthetamperedl’bitsarenotincludedinthepublished3lbitsis(4/5)l’.Theprobabilitythatanadversary’stamperingisnotdetectedis(1-(4/5)l’)kwhentheadversarytampersatkpaths.2.1.2. Safety Ifn≥t–1(t:thenumberofpathsdominatedbyanadversary),theadversarycannotrestorethemessagemwhenatleastoneofthenpathsisnotdominated,sothesafetyissatisfied.

2.1.3. Problemformultipleadversaries Asanextensionofthemodelthattherearemultipleadversaries,thefollowingproblemmustbeconsidered. Whensomeadversarytampersandthenumberofavailablepathsdecreases,thepossibilitythatthedominantratebyanotheradversaryamongtheremainingpathsmightbecomehigh.Theprobabilitythatanadversarydominatesalltheremainingpathsbecomeshighwhenmanyadversariestamper.Inordertolowerthepossibility,thispaperproposesthefollowingmethodtoincreasethenumberofpathswhenthenumberofpathstobeuseddecreasesduetotampering.Next,weproposeanimprovedGarayandOstrovsky'sASMTProtocolformultipleadversaries.

2.2. Proposedprotocol Adversarieswhoconspireareconsideredasoneadversary.Multipleadversariesareindependentofeachother.Ifanindependentadversarydominatesthesamepath,theadversaryisnoticedthatthereisanotheradversaryonthepath.Assumethatthesenderconsidersthecalculationcosttostartmessagetransmission.So,thesenderdoesnotusealltheexistingpathsfromthebeginning.Initially,randomlyselectednpathsamongallexistingpathsareusedandchecktamperingusingthesamealgorithmasGarayandOstrovsky'sASMTProtocol.Unusedpathsareaddedwhensomepathsaredetectedasbeingtampered. Thesendertransmitsamessageafterincreasingthenumberofpathssoastosatisfytherequiredsafetyprobability.Inthenextsection,wewillcalculatetheprobabilityofsafetyandreliabilitywhenthenumberofpathsisincreased.Afterround2inASMT,thefollowingprocedureisexecuted

Fig.1GarayandOstrovsky’sASMTProtocolProtocol

Thenumberofpaths:nMessagetobesent:m(|m|<q)Round1. Sender:ThesendergeneratesandtransmitsrandombitsRi(|Ri|=15l(q≤l))foreachpathi(1≤i≤n). Receiver:LetthereceivedbitsonthepathibeRi’.Thereceiverregardsthepathasatampering pathwhen|Ri'|≠15l.Round2. Sender:ThesendertransmitsRi*inwhichrandomlyselected12lbitsarereplacedwith*inRi usingthepublicpath. Receiver:ThereceivercomparesRi*foreachpathandRi’.Thereceivertransmitsthetamperedpath as0andthenon-tamperedpathas1tothesenderusingthepublicpath. Thereafter,thetamperedpathsarenotused. Thesenderconsiders12lbitsnotpublishedbyRi*as Ri.

_

Thereceiverconsiders12lbitsnotpublishedbyRi*as Ri'

_

.Round3. Sender:Thesenderadjuststhelengthofmessagemtoqbits.Thesenderdecidesmisuchthatm= m1⊕m2⊕...⊕mn’(n':thenumberofnon-tamperedpaths).Thesendertransmitssi=Enc(mi)⊕Ri

_

(1≤i≤n’)onthepublicpath. Receiver:Thereceivercalculatesm'i=Dec(si⊕ Ri'

_

)andrestoresthemessagebym'=m'1⊕m'2⊕...⊕m'n'.

80

3. SecretSharingTransmissionProtocol’ssafetyandreliability Assumptionsforprobabilitycalculationareshownbelow.Thetotalnumberofpathsish.Thenumberofpathscurrentlyusedfortransmissionisx.Thenumberofdecreasedpathsisy.Thenumberofaddedpathsisz.Thenumberofadversariesise.Thenumberofpathsdominatedbyeachadversaryarek1,k2,k3,…,ke.Safetyprobabilityisobtainedfromtheabovevalues.Thetransmissionissafeifthenumberofsomeadversary’sdominantpathsislessthanthenumberofcurrentlyusingpaths.

Basedonthissafetyprobability,thesenderdecidestosendthemessageusingthecurrentpathsortoaddsomenumberofnewpathstoincreasethesafety.Thisprobabilitychangeswhenatamperdetectionoccursandthenumberofusablepathsisdecreased.Iftheprobabilityishigherthanthesecurityrequiredbythesender,themessageistransmitted.Ifnonewpathisavailablewhentheprobabilityislowerthantherequirelevel,thetransmissionisinterrupted.

4. GametheoryforSecretSharingTransmissionProtocol Inthissection,gametheoryisappliedtoanalyzeprotocolsproposedinSection3.Eveninarealisticmodelinwhichtherearemultipleadversaries,whenn≥t+1issatisfied,thispapershowsthattheproposedprotocolisASMT.

4.1. Gametheory Gametheoryisamethodofmathematicallyandlogicallyanalyzingwhatkindofstrategyistakenwhengivenastatetopeoplewithmultipleutilities.Eachadversaryselectastrategythatmaximizesitsutilityinthegivensituation.Usinggametheory,itispossibletoobtaintheoutcomewheneachadversaryactsreasonably.

4.2. Adversary’sutilityontransmissionpathInthispaper,weassumetheadversary'sutilityasfollows.

4.3. Validationagainstadversaryutilities Whenverifyingthestrategyofmultipleadversaries,assumethatthereareadversarieswithdiferrentutilitiy.Whensomeadversarypursuesautilityotherthantheadversary’sfirstutilitybyastrategy,thestrategycanberegardedasthesamestrategythattheadversaryfirstpursuesthesamestrategybutpursuesanotherutilityasthesecondorlowerutility.Therefore,thereisnoneedtoconsiderthesecondorlowerutilityotherthanthe

Fig.2Proposedprotocol

Thesendercalculatescurrentsecurityprobabilityusingequation(1).Iftheprobabilityislessthanthesender'srequiredsecuritylevel,thesenderrandomlyselectsunusedpathsandverifiestamperingonthenewpathsbyusinground1and2.Ifnotamperingisdetected,thepathsareaddedforthetransmission.Round3.SameasFig1.

Fig.3Adversary’sUtility

Adversary’sUtility1. u1:Obtainsthecontentofthemessage(containsincreasingthedominantrate)2. u2:Thesenderfailstosendthecorrectmessage.3. u3:Temperspathsinwhichanotheradversarydominates.4. u4:Interruptsthetransmissionprotocol

81

adversary’sfirstutility.Wewillexaminethestrategiesofeachadversarywhopursueseachutilityfirstandexaminetheinfluenceonthetransmissionprotocol.4.3.1. Wiretaponlyutility Theutilityofwiretaponlyisu1.Letusconsideranadversarywhosemaximumutilityisu1.Ifanadversarydominatesalltransmissionpaths,theadversaryisabletoobtainoutgoingmessages.Accordingly,thisutilityisautilityincludingastrategytoraisethedominantrate.Sincetheadversarycannotexecuteactionsotherthantamperingandwiretapping,andtamperingisdetectedbythesenderwithhighprobability,thereisnoactiontotakefortheadversarytoincreasethedominationrateoftheadversary.TheonlypossibilitytoincreasethedominationrateofadversaryAisthatanotheradversary,sayadversaryB,tampersapaththatisnotdominatedbyadversaryAandthesenderusesanotherpaththatisdominatedbyA.Sincealladversariesareindependentandnocollusionexists,thereisnowayforadversaryAtomakeadversaryBtamperaspecificpath. Thus,thistypeofadversaryjustexecuteswiretapping.4.3.2. Wiretapandtamperingutility Theutilitiesofwiretapandtamperingarethefollowingthreeofu2,u3andu4.Thesethreeutilitiescauseanincreaseordecreasethenumberofpathsbytampering.Next,weverifywhetherthesethreeutilitiesdegradethesafetyandreliabilityofthetransmissionprotocol.4.3.3. Impactoftampering Changesintheadversary'sdominancemustbetakenintoconsiderationwithalltamperingutilities.Reductioninreliabilityoccurswhenthereismanytamperingorwhenthereareadversarieswithahighdominantrate.Theutilitiesu2andu4correspondtothiscase. Ifanadversarywhosemaximumutilityisu3wishestolowerthedominantrateofahostileadversaryonadominatedpath,theadversarywithutilityu3intentionallytampershostile'spaths.Then,thetamperedpathsaredetectedandotherpathsareused.Thealterationcausedbytheutilityu3occursonlyinacertainpath.Iftamperingoccursonmanypathsbymanyadversaries,thissituationisthesameasconsideringu4thatismanytamperingdescribedlater. Next,wediscussanadversarywhosemaximumutilityisu2oru4whichmaydegradethereliability.Theutilityu2canbeobtainedwiththesmallprobabilitybythecodingshowninSection3.1.1.Thesuccessprobabilityis(4/5)l’dependingonthebitlength.Itcanbeapproximatedtozeroiflistakenlargeenough.So,itisalmostimpossibletoachievethisutility.Adversarieswhosemaximumutilityisu4needtodominatemanypaths.Thehigherthedominatedpathrateoftheadversary,thegreatertheimpactonsafetyandreliabilitybecomes.Inordertoavoidtheproblem,thesenderusestheequationP1andaddsnewpaths.Thereliabilityandsafetyaredeterminedbyhowmanypathsarenottamperedamongtheentirepaths. Weshowedhowallutilitieseffectedthetransmissionprotocol.Inconclusion,ifthesenderpreparesasufficientnumberofpathsandtransmitwithsatisfactoryprobability,thereliabilityandsafetyisachieved.Inthenextsection,weshowtherelationshipbetweenthetamperingrateandthereliability.

5. SimulationforSecretSharingTransmissionProtocol Inthissection,usingtheprobabilityformulainSection4,weshowthecalculationresult.Inthecalculation,weassumethreetypesofadversaries.(1)Onlytamperingofu4.(2)Onlywiretapofu1.(3)tamperingorwiretapofu3.Anadversarytampersapathonlyifanotheradversarydominatesonthepath.Theupperlimitofthenumberofadversariesischangedfrom1to100andcalculatedthepossibilityofanadversarydominatesallusingpathsandinterruptstransmission.ThecalculationresultisshowninFig.5,6.Threetypesofadversariesarerandomlyplacedwiththesameprobability.Thecalculationisexecuted1000timesandthenumberoftimeseacheventoccurredissummedup.

82

Also,wechangedthenumberofthreetypesofadversaries.TheresultisshowninFig.7,8,9.

Fig.5-6indicatethatwhenthreetypesofadversarieshavethesameratio,thepathsaretamperedandthemessagecannotbesent.Evenifanadversarywhosedominancerateishighwiretapstransmission,theprobabilityofthedataleakedissmall.Thus,asshowninFig.5-9,thepossibilityoftransmissioninterruptismuchhigherthantheoneofdataleakageinanycases.Ifthetransmissionisnotinterrupted,thepossibilitythatthedataisnotleakedisveryhigh.Thus,thesenderneedstoavoidtransmissioninterrupt.Inordertoachievethis,thesenderneedstoprepareenoughnumberofuntappedpathsusingequationP1.

6. Conclusion Inthispaper,improvementsaremadetotheexistingASMTprotocolbyincreasingthenumberofpathsbasedontheequationofthesafetyandthereliability.Theprobabilityofsafetyandreliabilitythatvariesdependingonthestrategiesofmultipleadversariesisdiscussed.Weconsideredthecaseswhenthereareseveraltypesofadversarieswhohavedifferentutilitiesusinggametheory.Thecalculationresultshowsthatthesafetyandthereliabilityarealmostachieved.Forfurtherfuturestudy,weusethiscalculationresulttomakestatisticsthatcanpredictthetotalnumberofadversariesfromthenumberoftamperingundertherealworld.

References[1] Maiki Fujita and Takeshi Koshiba. ”Perfectly secure message transmission scheme against rational

adversaries”SCIS2016.InJapanese.[2] Juan A Garay and Rafail Ostrovsky. (2008) “Almost everywhere secure computation.” Advances in

Cryptology―EUROCRYPT.LNCS4965.SpringerBerlinHeidelberg,pp.307-323.[3] AdiShamir.(1979)“Howtoshareasecret.”CommunicationsoftheACM22(11):pp.612-613.[4] DannyDolevandCynthiaDwork，OrliWarts,MotiYung.(1993)“Perfectlysecuremessagetransmission.”

J.ACM40(1):pp.17-47.[5] MatthewFranklinandRebeccaN.Wright.(2000)“Securecommunicationinminimalconnectivitymodels.”

J.Cryptol13(1):pp.9-30.

83

KenyaYasuiwasborninTokyo,Japanin1993.Heisinhisfirstyearforhismaster’sinFacultyof Informatics, Kogakuin University. His research interest includes game theory, onionrouting,blockchain.

YoshifumiManabewasborninOsaka,Japanin1960.HereceivedB.E.,M.E.,andDr.E.degreesfromOsakaUniversity,Osaka,Japanin1983,1985,and1993,respectively.From1985to2013,heworkedforNipponTelegraphandTelephoneCorporation.HewasaguestassociateprofessorofKyotoUniversityin2001-2013.Since2013,heisaprofessorofKogakuinUniversity.Hisresearchinterestincludescryptography,distributedalgorithms,andgametheory.

Dr.ManabeisMemberofACM,IEEE,IPSJ,JSIAMandIEICE.

84