Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
Perfectly Secure Message Transmissionagainst
Independent Rational Adversaries
Kenji Yasunaga (Osaka University, Japan)
Takeshi Koshiba (Waseda University, Japan)
GameSec2019@Stockholm
or
Cryptography
l Theory of protocols for protecting honest users from malicious adversaries
2
No!
Game Theory
l Theory for analyzing behavior of rational players
3
Confess? Confess?
Sure Sure
Game Theory in Cryptography
l Both crypto and GT analyze behavior of “players”
l Q. What if players behave rationally in protocols?
4
vs.
Game Theory in Cryptography
l Direction 1: Honest à Rational
l Direction 2: Malicious à Rational
5
Resolve potential problems
Overcome existing barriers
Halpern and Teague (STOC’04)
l Target: Secret Sharing
l Direction: Honest à Rational
6
Following Work
Target Direction ReferencesSecret Sharing Honest à Rational [HT04, GK06, ADGH06,
KN08, OPRV09, FKN10, AL11, KOTY17, etc.]
Leader Election Honest à Rational [Gra10, ADH13, AGFS14]Public-Key Encryption Honest à Rational [Y16, YY17]Byzantine Agreement Malicious à Rational [GKTZ12]Multiparty Computation Malicious à Rational [ACH16, GK12]Protocol Design Malicious à Rational [GKMTZ13]Delegated Computation Malicious à Rational [AM13,GHRV14,GHRV16]Secure Message Transmission
Malicious à Rational [FYK18]
7Our Target & Direction
Secure Message Transmission (SMT)
l Send messages “securely” and “reliably” through n channelsl Adversary corrupts t channels
l Secrecy: m is hidden from Adversaryl Reliability: m’ = m
l Perfect SMT ó Perfect Secrecy & Reliability 8
1m m’234
1234
Known Facts of Perfect SMT (PSMT)
l Fact 1. ∃1-round PSMT ó t < n/3
l Fact 2. ∃multi-round PSMT ó t < n/2
9
1234
1234
1
2
3
1
2
3
Our Work & Direction
l PSMT against rational adversariesl Direction: Malicious à Rational
l Q. Can we overcome the existing barriers?10
1m m’234
1234
Previous Work
l Fujita, Yasunaga, Koshiba (GameSec 2018)l “Timid” adversary, who avoid being detected
l Construct PSMT against a timid adversary corrupting t < n channels
11
1234
1234
Overcome the PSMT barrier t < n/2
Not Detected
This Work
l PSMT against “multiple” timid adversaries
l All channels can be corrupted
12
1234
1234
Impossible for malicious adversaries
Our Results
l Construct four PSMT protocols P1, P2, P3, P4
13
t = # corrupted channels per adversaryCISS = Cheater-Identifiable Secret Sharing
Additional Assumption t # round Construction Idea
P1 Public channel < n 3 PSMT of [SJST11]
P2 ― < n/2 1 CISS of [HK18]
P3Strictly-timid adversaries < n 1 P2 & Punishment
P4Mixing of
rational/malicious < n/6 1 P2 & Error Correction
(t, n) Secret Sharing
l Generate n shares from such that≤ t shares reveal no information on
14
Cheater-Identifiable Secret Sharing (CISS)
l Identify the cheated shares
l Q. Is CISS a complete solution of PSMT?15
Detected
Q. Is CISS a complete solution of PSMT?
l A. No.l CISS only guarantees cheater identificationl PSMT requires recovering the message
16Detected
??
Not guaranteed
17
Our Idea for Protocol P2
l CISS can work as PSMTif adversaries avoid being detectedl Being silent is rational (a Nash equilibrium)l Use CISS of [HK18] w/ stronger hash functions
Not Detected
1
2
Protocol P2
l Theorem: P2 is PSMT against multiple timid adversaries, each corrupting t < n/2 channels
l Q. Can we overcome this barrier? 18
∃CISS ó t < n/2
1
2
3
Our Idea for Protocol P3
l A. Yes.l CISS with t ≥ n/2 works as PSMT
if adversaries strongly dislike being detected
l Construct (n – 1, n)-type CISS such thatif cheating is detected at channel i for share sj,then both i & j are punished (regarded cheating)
19
Avoiding detection is the most important
Strictly timid adversaries will not cheat
Protocol P3
l Theorem: P3 is PSMT against multiple strictly-timid adversaries, each corrupting t < n channels
20
Summary of Our ResultsAdditional
Assumption t # round Construction Idea
P1 Public channel < n 3 PSMT of [SJST11]
P2 ― < n/2 1 CISS of [HK18]
P3Strictly-timid adversaries < n 1 P2 & Punishment
P4Mixing of
rational/malicious < n/6 1 P2 & Error Correction
Conclusions
This Workl Target: PSMTl Direction: Malicious à Rational
l Feature: All channels can be corrupted
Future Workl Further study on mixing rational & maliciousl “Malicious à Rational” for other protocols 21
or
References (1/2)[ADGH06] Abraham, Dolev, Gonen, Halpern. Distributed computing meets game theory: robust mechanisms for rational secret sharing and multiparty computation. PODC 2006. [ADH13] Abraham, Dolev, Halpern. Distributed protocols for leader election: A game-theoretic perspective. DISC 2013.[AGFS14] Afek, Ginzberg, Feibish, Sulamy. Distributed computing building blocks for rational agents. PODC 2014.[AL11] Asharov, Lindell. Utility dependence in correct and fair rational secret sharing. J. Cryptology, 2011. [AM13] Azar, Micali. Super-efficient rational proofs. EC ’13.[HT04] Halpern, Teague. Rational secret sharing and multiparty computation: extended abstract. STOC 2004.[FKN10] Fuchsbauer, Katz, Naccache. Efficient rational secret sharing in standard communication networks. TCC 2010.[FYK18] Fujita, Yasunaga, Koshiba. Perfectly secure message transmission against rational timid adversaries. GameSec 2018. [GHRV14] Guo, Hubácek, Rosen, Vald. Rational arguments: single round delegation with sublinear verification. ITCS 2014. [GHRV16] Guo, Hubácek, Rosen, Vald. Rational sumchecks. TCC (A2) 2016.
22
References (2/2)[GK06] Gordon, Katz. Rational secret sharing, Revisited. SCN 2006.[GKMTZ13] Garay, Katz, Maurer, Tackmann, Zikas. Rational protocol design: Cryptography against incentive-driven adversaries. FOCS 2013.[GKTZ12] Groce, Katz, Thiruvengadam, Zikas. Byzantine agreement with a rational adversary. ICALP 2012. [Gra10] Gradwohl. Rationality in the full-information model. TCC 2010.[HK18] Hayashi, Koshiba. Universal construction of cheater-identifiable secret sharing against rushing cheaters based on message authentication. ISIT 2018. [KN08] Kol, Naor. Games for exchanging information. STOC 2008[KOTY17] Kawachi, Okamoto, Tanaka, Yasunaga. General constructions of rational secret sharing with expected constant-round reconstruction. Comput. J., 2017. [OPRV09] Ong, Parkes, Rosen, Vadhan. Fairness with an Honest Minority and a Rational Majority. TCC 2009[SJST11] Shi, Jiang, Safavi-Naini, Tuhin. On optimal secure message transmission by public discussion. IEEE Trans. Information Theory, 2011. [Y16] Yasunaga. Public-key encryption with lazy parties. IEICE Transactions, 2016. [YY17] Yasunaga, Yuzawa. Repeated games for generating randomness in encryption. IEICE Transactions, 2018.
23
SMT Game (for Two Adversaries A1, A2)1. Set suc = guess1 = guess2 = detect1 = detect2 = 0.2. Run the SMT protocol for random message m
3. Setl suc = 1 if the receiver outputs ml guess1 = 1 if A1 outputs ml guess2 = 1 if A2 outputs ml detect1 = 1 if the protocol detects deviation of A1l detect2 = 1 if the protocol detects deviation of A2
24
m
Detected
m’m1
m2
Utility of Timid Adversariesl For outcome (suc, guess1, guess2, detect1, detect2),
adversary A1 gets higher utility if eitherl suc = 0 (rather than suc = 1),l guess1 = 1 (rather than guess1 = 0),l detect1 = 0 (rather than detect1 = 1), orl detect2 = 1 (rather than detect2 = 0 )
l “Strictly” timid adversary A1 gets higher utility ifl suc = 1 rather than detect1 = 1
25
suc detect1 detect2
u1 0 0 0u2 1 0 0u3 0 1 1u4 1 1 0
u1
u2 u3
u4
(0, 0, 0)
(1, 0, 0)
(1, 1, 0)
Reliability failsSecrecy fails
Not detectedA2 detected
(0, 1, 1)
Security Definition
Protocol π is PSMT against (t1, t2)-adversariesó∃B1, B2 corrupting t1, t2 channels, resp. such that
1. Perfect security: π is PSMT against (B1, B2)
2. Nash equilibrium of (B1, B2):∀A1, A2 corrupting the same channels as B1, B2,U1(A1, B2) ≤ U1(B1, B2) and U2(B1, A2) ≤ U2(B1, B2)
26
Adversaries have no incentive to deviate from (B1, B2)
Our Protocols
l Suppose A1, A2 corrupts t1, t2 channels, resp.
27
Additional Assumption t1 t2 # round Construction
Idea
P1 Public channel < n < n 3 PSMT of[SJST11]
P2 ― < n/2 < n/2 1 CISS of [HK18]
P3Strictly-timid adversaries < n < n 1 P2 & Punishment
P4 A1 is malicious < n/3 < n/3< n/2 – t1
1 P2 & Error Correction
Protocol P2
l (s1, …, sn) : shares of ((n – 1)/2, n)-secret sharing for m ∈ {0,1}s
l hi ∈ H : family of pairwise ind. hash functions hi : {0,1}sà{0,1}k
l hi(sj) : the authentication tag for sj using hi
l ri,j ∈ {0,1}k : random key for encrypting hi(sj)l Ti,j = hi(sj) ⨁ ri,j : encrypted tag for sj
28
(s1, h1, T1,2, T1,3, r2,1, r3,1)(s2, h2, T2,1, T2,3, r1,2, r3,2)(s3, h3, T3,1, T3,2, r1,3, r2,3)
Tag for s2= h1(s2) ⨁ r1,2
Tag for s3= h1(s3) ⨁ r1,3
Keys for hiding s1
L1 = { j : h1(sj) ⨁ r1,j ≠ T1,j }
Authentication failure list verified with h1
L2 = { j : h2(sj) ⨁ r2,j ≠ T2,j } L3 = { j : h3(sj) ⨁ r3,j ≠ T3,j }
Majority voting on Li
Final failure list LRecover m using shares { si : i ∉ L }
Security Proof of P2
Proof:l (B1, B2) be the strategy of doing nothing à Ui(B1, B2) = u2
l P2 is PSMT against (B1, B2) l To get higher utility (than u2), A1 needs either
1. suc = 0à Tampering is detected on majority (≥ 1 – t1) lists Li
2. detect2 = 1à Impossible due to majority voting & t1 < n/2
29
Theorem. P2 is PSMT against (t1, t2)-adversaries with t1, t2 ∈ [1, (n – 1)/2], t1 + t2 ≤ n if
k ≥ log2( (u1 – u4)/(u2 – u4) ) + 2log2(n+1) – 1.
Protocol P3
l (s1, …, sn) : shares of (n – 1, n)-secret sharing for m ∈ {0,1}s
l hi ∈ H, ri,j ∈ {0,1}k , Ti,j = hi(sj) ⨁ ri,j are the same as P2
l If Ti,j verification fails, Li includes both i and j
30
(s1, h1, T1,2, T1,3, r2,1, r3,1)(s2, h2, T2,1, T2,3, r1,2, r3,2)(s3, h3, T3,1, T3,2, r1,3, r2,3)
Tag for s2= h1(s2) ⨁ r1,2
Tag for s3= h1(s3) ⨁ r1,3
Keys for hiding s1
L1 = { 1, j : h1(sj) ⨁ r1,j ≠ T1,j }
Authentication failure list verified with T1,j
L2 = { 2, j : h2(sj) ⨁ r2,j ≠ T2,j } L3 = { 3, j : h3(sj) ⨁ r3,j ≠ T3,j }
i is also punished
Union of Li’sIf L = ∅, recover mOtherwise, output ⊥ L = L1 ∪ L2 ∪ L3
Security Proof of P3
Proof:l (B1, B2) be the strategy of doing nothing à Ui(B1, B2) = u2
l P2 is PSMT against (B1, B2) l To get higher utility (than u2), A1 needs either
1. suc = 0à Tampering is detected w.h.p., implying detect1 = 1
2. detect2 = 1à Also cause detect1 = 1, which A1 should avoid
31
Theorem. P3 is PSMT against strictly-timid (t1, t2)-adversaries with t1, t2 ∈ [1, n – 1], t1 + t2 ≤ n if
k ≥ log2( (u1 – u3)/(u2 – u3) ) – 1.
Protocol P4
l (s1, …, sn) : shares of ((n – 1)/3, n)-secret sharing for mwith error-correcting propertyl Even if (n – 1)/3 shares are erroneous, m is recoverable
l hi ∈ H, ri,j ∈ {0,1}k , Ti,j = hi(sj) ⨁ ri,j are the same as P2
32
(s1, h1, T1,2, T1,3, r2,1, r3,1)(s2, h2, T2,1, T2,3, r1,2, r3,2)(s3, h3, T3,1, T3,2, r1,3, r2,3)
Tag for s2= h1(s2) ⨁ r1,2
Tag for s3= h1(s3) ⨁ r1,3
Keys for hiding s1
L1 = { j : h1(sj) ⨁ r1,j ≠ T1,j } L2 = { j : h2(sj) ⨁ r2,j ≠ T2,j } L3 = { j : h3(sj) ⨁ r3,j ≠ T3,j }
Majority voting on Li
Recover m from the received shares
Authentication failure list verified with h1
Final failure list L
Security Proof of P4
Proof:
l B2 be the strategy of doing nothingl Even if A1 malicious, m can be recovered à U2(A1, B2) = u2
l P2 is PSMT against (A1, B2)
l To get higher utility (than u2), A2 needs either1. suc = 0
à Tampering is detected on majority (≥ 1 – (t1 + t2)) lists Li
2. detect1 = 1à Impossible due to majority voting & t1 + t2 < n/2 33
Theorem. P3 is PSMT against (t1, t2)-adversaries with t1∈ [1, (n – 1)/3], t2 ∈ [1, min{(n – 1)/2 – t1, (n – 1)/3}], t1 + t2 ≤ n, where A1 is a malicious adversary, if
k ≥ log2( (u1 – u4)/(u2 – u4) ) – 1.