a concluding example · renou, t omala secure message transmission on directed graphs. intro...

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecure message transmission on directed graphsJerome Renault1 Ludovic Renou2 Tristan Tomala3

1TSE & 2Leicester & 3HECPSE, December 2010Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleIntroductionConsider a sender S and a receiver R as two distant nodes in adirected graph and a collection A of potential adversaries.Each A ∈ A is a set of nodes di�erent from S and R.The sender has private information about θ ∈ Θ (a secret).A simple example with A = {{1},{2}}.6

6

��

��

��

-

r

r

rr

R1S2Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecrecy and securityDe�nition (Secrecy)Secret communication between the sender and the receiver is possible ifthere exists a protocol (pro�le of behavioral strategies) such that thefollowing two requirements hold: if all nodes abide by the protocol, 1) thereceiver correctly learns the secret of the sender and 2) no adversaryA ∈ A gets additional information about the secret.De�nition (Strong security)Strongly secure communication between the sender and the receiver ispossible if there exists a protocol such that the following requirementshold: 1) secret communication between the sender and the receiver ispossible, 2) for any adversary A ∈ A , for any deviation of the adversary A,the receiver correctly learns the secret with arbitrary high probability andno adversary, including A, gets additional information about the secret.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleObjectivesThe objective of this study is to characterize the directed graphs suchthat:secret communication between the sender and the receiver ispossible,strongly secure communication between the sender and the receiveris possible.

Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecure message transmissionThis work is related to the computer science literature on securetransmission of messages, e.g., Dolev et. al. (1993), Franklin and Wright(2000), Desmedt and Wang (2002), Renault and Tomala (2008).Most of this literature consider undirected graphs, more particularly,graphs with n disjoint paths (wires) between the sender and thereceiver.Our de�nition of security is stronger than the de�nition found in thisliterature: not only we do require that the receiver learns the secretwith arbitrarily high probability when an adversary deviates from theprotocol, we also require that no information is leaked. It does makea di�erence! (See concluding example.)Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleNetwork coding on wiretap networksThe literature (e.g., Cai and Yeung (2002), Lima, Médard andBarros (2007)) on network coding considers multiple senders andmultiple receivers as distant nodes in directed networks (wirelessnetworks of communication).The problem is to design codes to achieve the maximal �ow ofinformation. The idea is to let the nodes (transmitters) to combinethe packets of information they receive, instead of forwarding everysingle packet of information.


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleThe butter�y networkWe want the receivers to learn the information θ1 and θ2 of both senders.Each message requires 1 bit, but node 1 cannot transfer more than 1 bit.�

��

��

6

@@

@@@I

6

6�

��

��

@@

@@@I

t t

t

t

t t

S1 S2

R1 R2

1

2

θ1 θ2

θ1 θ2

θ1 + θ2

θ1 + θ2 θ1 + θ2


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleProblem: Node 1 in the butter�y network learns the messages ofboth S1 and S2.Can we achieve the same �ow of information, but with secrecy?With strong security?We provide su�cient conditions for this to be possible.In a related work, Kamal (2004) has also provided su�cientconditions for secrecy (his model is slightly di�erent, however), butnot for security.


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleMechanism designRevelation principle: If a social choice function is implementable,then it is implementable by a direct mechanism in which playersprivately and directly communicate with the designer (star network).In a related work (Renou and Tomala (2010)), we characterize allthe networks that make it possible to implement any incentivecompatible social choice function.It turns out that secrecy is a necessary requirement.Indeed, suppose that the social choice function f depends on thetype of both players i and j and it is incentive compatible whenplayer j's belief is Pj. If player i reveals information about his type toplayer j (i.e., j's posterior belief is P′j 6= Pj), then player j might nothave an incentive to truthfully reveal his own type.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleCommunication networksA communication network ~G : (V ,E ) is a directed graph where V isa set of nodes with {S,R} ⊆ V and E a set of edges/links. There isa directed edge ij from player i to player j, if i can send a message toj securely and privately.C(i) = {j ∈ V : ij ∈ E } = {successorsof i}

D(i) = {j ∈ V : ji ∈ E } = {predecessorsof i}We assume that the graph is acyclic and strongly connected: for eachi ∈ V , there exists a directed path from i to R.


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecret and communicationThe sender S knows a secret θ , a realization of the random variableθ̃ , drawn from the �nite set Θ according to the distribution P (fullsupport).Communication is synchronous, proceeds in rounds and terminatesafter T rounds.At each round t ≤ T, node (player) i can send a message mt

ij ∈ Mtij tonode j ∈ C(i).A period t history ht

i for node i is an element of(×j∈C(i)M

1ij)× (×j∈D(i)M

1ji)×·· ·× (×j∈C(i)M

t−1ij )× (×j∈D(i)M

t−1ji ).We assume that all message spaces are �nite and that m0 ∈ Mt

ij, forall i, for all j ∈ C(i), for all t. The message m0 is the null message(remains silent).Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleA period t strategy for player i is a map σ t

i from Hti , the set of period

t histories, to ∆(×j∈C(i)Mtij). (For the sender, the domain is Ht

i ×Θ.)A strategy σi for player i is a collection (σ1i , . . . ,σT

i ).The receiver R has a decoding function θd, which maps terminalhistories HT+1R to Θ∪{Pb}. We allow the receiver to output �thereis a problem.�We denote θ̂ the random variable with values in Θ∪{Pb} inducedby a pro�le of strategy σ and the decoding function θd.


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleAdversariesThere is a collection A of potential adversaries.Each A ∈ A is a subset of V \ {S,R}, e.g., A is the collection of allsubsets of V \ {S,R} with at most k elements.We allow for an adversary to correlate its play, i.e., we allow forstrategies of the form τ t

A : HtA → ∆(×i∈A ×j∈C(i) Mij), where

HtA = ∪i∈AHt

i .Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecrecyDe�nitionA protocol 〈σ ,θd〉 is ε-secret if it satis�es the following two requirements:1 The receiver learns the secret with probability at least 1− ε, i.e.,

Pσ ,θd(θ̂ = θ̃) ≥ 1− ε.2 No adversary gets information about the secret, i.e., for all A ∈ A ,Pσ ,θd(θ̃ = θ |hT+1

A ) = P(θ̃ = θ ).Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecrecy and detectionDe�nitionA protocol 〈σ ,θd〉 is ε-secret with δ -detection if it satis�es the followingtwo requirements:1 If the players abide by the protocol, the receiver learns the secretwith probability at least 1− ε, i.e., Pσ ,θd(θ̂ = θ̃ ) ≥ 1− ε.2 No adversary gets information about the secret, i.e., for all A ∈ A ,Pσ ,θd(θ̃ = θ |hT+1

A ) = P(θ̃ = θ ).3 If an adversary deviates from the protocol, the receiver eithercorrectly learns the secret or detects a problem, i.e., for all A ∈ A ,for all τA 6= σA, P(τA,σ−A),θd(θ̂ ∈ {θ̃ ,Pb}) ≥ 1− δ .Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleStrong securityDe�nitionA protocol 〈σ ,θd〉 is ε-strongly secure if it satis�es the followingrequirement:1 For any adversary A ∈ A , for all τA, the protocol 〈(τA,σ−A),θd〉 is

ε-secret.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleDe�nitionThe directed graph ~G is weakly A -connected if for each adversaryA ∈ A , there exists a path (not necessarily directed) from the sender tothe receiver that does not intersect A.Example 1: A graph weakly A -connected with A = {{1},{2}}.

6

6

��

��

��

-

r

r

rr

R1S2Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleExample 2: A graph not weakly A -connected with A = {{1},{2}}:player 1 �controls� all information (1 is a cut of the graph).6

6

-��*

r

r

rr

R1S2


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecrecyTheoremThe following statements are equivalent:1 The graph ~G is weakly A -connected.2 For each ε > 0, there exists an ε-secret protocol.3 For each δ > 0, there exists an 0-secret protocol with δ -detection.


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleAn exampleConsider the following graph:�

��

@@

@I

6

?

@@

@I

��

��

��*

��

��

��

�

q

q

q

q

q

q q

31S

54 R 2A is the collection of all sets with at most two elements.The graph is A -connected.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleAn exampleThe protocol for transmitting θ is the following. Assume Θ ⊆ Fn2 \ {0}.

��

��

@@

@I

6

?

@@

@I

��

��

��*

��

��

��

�

q

q

q

q

q

q q

t = 1, 3 draws X3

t = 1, 5 draws X5

t = 2, S sends θ +X3 +XS to 2, XS to 1t = 2, 4 sends X5 +X3

t = 3, 1 sends XS +X3 +X5

t = 3, 2 sends θ +X3 +XS

t = 4, R decodes θ +X3 +XS +XS +X3 +X5 +X5 = θ


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleNo information is leakedSuppose that the adversary is {1,2}.Their joint information is X3 + X5, XS and θ + XS + X3. We want toshow that there are jointly independent from θ .Note that we can write(X3 + X5,XS,θ + XS + X3) = (0,0,1)θ +(X3+ X5,XS,XS + X3).

X3, X5 and XS are uniformly distributed independent of θ .Also, (X3+X5, XS, XS +X3) are linearly independent in H, the vectorspace spanned by (XS,X3,X5). This implies that (X3 + X5, XS,XS + X3) are (stochastically) mutually independent and uniformlydistributed.Finally, this implies that (X3 + X5,XS,θ + XS + X3) are jointlyindependent from θ . (This uses a standard result in informationtheory: if Y is uniformly distributed independent from θ , thenZ = θ + Y is uniformly distributed independent from θ .)Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleDetectionThis allows 0-secret information transmission. To ensure δ -detection forany δ > 0:Run in parallel a large number (≥ 1/δ ) of mutually independentcopies of the previous protocol.Let the sender S: -select one of these protocols at random, -inputhis secret θ in the selected protocol, -input 0 in all others.The receiver accepts if exactly one protocol has a non-zero output(i.e., θ ).Otherwise, the receiver outputs �Problem.�Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecrecy: the protocol ACYSender. Chooses a unique kS ∈ C(S) and,for each k ∈ C(S)\{kS}, draw XSk and send it to k,send θ +∑l∈D(i) mli +∑k∈C(i)\{kS} XSk to player kS.The sender chooses a speci�c successor kS, sends independent keysto all his successors but kS, and sends (the sum of) all hisinformation (type, messages received and keys) to kS.Player i ∈ V \{S,R}. Chooses a unique ki ∈ C(i) and,for each k ∈ C(i)\{ki}, draw Xik and send it to k,send ∑l∈D(i) mli +∑k∈C(i)\{ki} Xik to player ki.Player i chooses a speci�c successor ki, sends independent keys to allhis successors but ki, and sends (the sum of) all his information(messages received and keys) to ki.Receiver. Computes ∑l∈D(R) mlR.Receiver computes the sum of all messages received.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleNow, suppose that the graph ~G is not A -connected.There exists then an adversary A ∈ A such that all paths (whetherdirected or not) from S to R go through A.We show that if the terminal histories of A (i.e., messages receivedand sent) are stochastically independent from θ , then the terminalhistories if R are stochastically independent from θ .Intuition: consider the graph S → A → R and one round ofcommunication.Pr(θ |mA) =

σA(mA|mS)σS(mS|θ )P(θ )

∑θ ′ σA(mA|mS)σS(mS|θ ′)P(θ ′).But since S must not reveal information to A, we have that σS is anon-revealing strategy, which implies that Pr(θ |mA) = Pr(θ ). Choose

ε < 1−maxθ ′ P(θ ′) to get a contradiction.So, the receiver cannot learn the secret if no information is leaked toA. Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleStrong securityDenote 0A the strategy of the adversary A, which consists of sending thenull message, regardless of the history.TheoremThe following statements are equivalent:1 For each A ∈ A , the graph ~G\A contains a sub-graph that isstrongly connected and weakly A -connected.2 For any ε > 0, there exists an ε-strongly secure protocol.3 For any ε > 0, there exists a protocol 〈σ ,θd〉 such that〈(0A,σ−A),θd〉 is ε-secret for any A ∈ A .Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleThe protocol for 1⇒ 2For each A ∈ A , run the protocol ACY with ε-detection on thesubgraph of ~G\A that is strongly connected and weaklyA -connected.This guarantees secrecy.Moreover, in all executions, a deviation is detected with probabilityat least 1− ε.Lastly, in at least one execution, no deviation is detected.Let the receiver decodes the secret according to the �rst executionwhere no deviation is detected.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleSecurityConsider the following graph ~G with A = {{1},{2},{3},{4},{5},{6}}.r r

r r r

r r

r

��6

@@

@@@I

�

6

��

��

6

QQ

QQ

QQk

��

��

��3

CCCCW - -

S1

2 34

5 6

R


IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleThe graph ~G\ {3} does not contain a subgraph that is stronglyconnected and A -connected.r r

r r

r r

r

��

@@

@@@I

�

6

��

��Q

QQ

QQQk

��

��

��3

CCCCW

S1

2 4

5 6

R

Any other ~G\A contains a subgraph that is strongly connected andweakly A -connected.Renault, Renou, Tomala Secure message transmission on directed graphs

IntroductionMotivationsModelWeakly A -connected graphsSecrecyStrong securityA concluding exampleEven though strong security is not possible on that graph, security is.A protocol that guarantees that R learns the secret with arbitrary highprobability when 3 deviates is as follows:t = 1: 1 draws X1 and sends it to S and 6.t = 1: 5 draws X5 and sends it to R and 2.t = 2: S draws A,B and sends (θ + X1,A,B) to 4 and (A,B) to 2.t = 3: 4 computes Y5 = AX5 + B and sends (X5,Y5) to 3.t = 4: 3 forwards (X5,Y5) to 4.t = 5: Let (X′

5,Y′5) be the message received from 3 by 4. 4 testswhether Y ′

5 = AX′5 + B.If �Ok�, he sends (θ +X1 +X′

5,ok) to 6.If �there is a problem,� he sends (θ +X1,problem) to 6.t = 6:If 6 has received �ok,� he sends (θ +X1 +X′

5 +X1,ok) to R.If 6 has received �problem,� he sends (θ +X1 +X1,problem) to R.Problem: If 3 deviates, 6 learns the secret with high probability.Renault, Renou, Tomala Secure message transmission on directed graphs

a concluding example · renou, t omala secure message transmission on directed graphs. intro...

Documents