[ieee 2013 international conference on signal-image technology & internet-based systems (sitis)...

Perfomance Analysis of A Bidirectional Private Policy Matching Protocol Basedon Additively Homomorphic Encryption Systems

Hirofumi Yamaki

School of Information EnvironmentTokyo Denki University

Inzai, Chiba, JapanEmail: [email protected]

Fumihiro Mori, Momoko Aoyama

Graduate School of Information ScienceNagoya University

Nagoya, Aichi, JapanEmail: {mori, aoyama}@net.itc.nagoya-u.ac.jp

Abstract—Automated Trust Negotiation (ATN) is a mecha-nism to establish mutual trust between service providers andusers in an open network environment like the Internet. Inthis paper, we propose Bidirectional Private Policy Matchingbased on Additively Homomorphic Encryption Systems(BPPM/AHES) as an ATN negotiation protocol where uni-directional private policy matching based on additively ho-momorphic encryption systems is repeated. In this protocol,there is no disclosure of credentials before the negotiationsucceeds. Because there is no unnecessary disclosure of poli-cies except for policies which can be inferred the negotiationoutcome, the amount of the unnecessary disclosure of policiesdecreases compared to existing protocols.

Keywords-trust, Automated Trust Negotiation (ATN), ad-ditively homomorphic encryption, private policy matching

I. INTRODUCTION

In an open network environment like the Internet, ser-

vice users and providers are unknown to each other. Before

using or providing services, the users will determine

whether the providers are trustworthy, and the providers

also wish to restrict their services only to trustworthy

users. In this case, it is not easy for the users and the

providers to negotiate for establishing mutual trust, be-

cause both of them want to disclose their own information

only to the trust parties. Thus, the negotiations may fail

unless they communicate successfully. Also, since the

number of services has become enormous, it is very costly

to establish mutual trust every time they encounter. To

tackle this issue, Automated Trust Negotiation (ATN) [1]

has been proposed to establish mutual trust between

strangers. ATN is a process to automatically obtain the

sequence to exchange credentials without violating dis-

closure policies that each party has. In existing ATN

protocols [1], there is some problem such as unnecessary

disclosure of credentials or that of policies before the

negotiation succeeds.

In this paper, we propose Bidirectional Private Policy

Matching based on Additively Homomorphic Encryption

Systems (BPPM/AHES) as an ATN negotiation protocol,

where private policy matching based on additively homo-

morphic encryption systems is repeated.This paper is organized as follows. In Section 2, we

explain the techniques which our proposal is based on,

such as ATN, homomorphic encryption and private pol-

icy matching. In Section 3, we explain the protocol of

BPPM/AHES, as well as an example of negotiation. In

Section 4, we describe the property of BPPM/AHES from

the view point of security and performance. Finally, we

present a conclusion in Section 5.

II. ATN USING ADDITIVELY HOMOMORPHIC

ENCRYPTION SYSTEMS

A. Automated Trust Negotiation

We consider a situation where a user is trying to use a

service, where we have two parties, a service user and a

service provider. We refer them as a client and a serverrespectively in this paper. Both of them have their own

digital credentials and policies. Credentials are digital

data that contain such information as identifiers, names,

contacts, affiliations, etc., and that are certified by trusted

third parties. Policies are rules that define the condition on

which the client and the server disclose their credentials

to the counterpart. The server also has service-governing

policies (SGP’s) which gives on what condition the client

is allowed to use the service. We use the same notation

presented in [2] to describe these policies. We denote the

service by R, credentials of the client by C1, . . . , Cnc ,

credentials of the server by S1, . . . , Sns , where nc and

ns are the numbers of credentials possessed by the client

and the server respectively. The policy for disclosing the

client’s credential C is denoted by C ← FC(S1, . . . , Sns),where FC(S1, . . . , Sns) is a Boolean expression with

the server’s credentials S1, . . . , Sns . Similarly, SGP is

denoted by R ← FS(C1, . . . , Cnc). The policy for dis-

closing the server’s credential S is denoted by S ←FS(C1, . . . , Cnc), where FS(C1, . . . , Cnc) is a Boolean

expression with the client’s credentials C1, . . . , Cnc . The

policy of credential C will be satisfied, if the logi-

cal expression FC(S1, . . . , Sns) evaluates to true, after

substituting propositional symbols of already disclosed

credentials by the other party with true in the logical

expression FC(S1, . . . , Sns). If the policy of credential Cis satisfied, it can be disclosed to the other party. Table I

is an example of policies.

If credential C can be disclosed without any credentials

from the other party, such a policy is denoted by C ←true, and C is called an unprotected credential. On the

other hand, if credential C cannot be disclosed under any

circumstances, such a policy is denoted by C ← false.

If SGP is satisfied as the result of negotiation, the service

becomes available to the client.

2013 International Conference on Signal-Image Technology & Internet-Based Systems

978-1-4799-3211-5/13 $31.00 © 2013 IEEE

DOI 10.1109/SITIS.2013.111

679

Table IEXAMPLE OF POLICIES

client’s policies server’s policiesC1 ← true R← (C3 ∧ C4) ∨ C6

C2 ← true S1 ← trueC3 ← S1 ∧ S2 S2 ← (C1 ∧ C2) ∨ C3

C4 ← S3 ∨ S4 S3 ← C3 ∨ C4

C5 ← S2 ∨ S3 S4 ← C4

C6 ← false S5 ← C1 ∧ C5

The aim to perform ATN is to automatically obtain

the sequence to exchange credentials without violating

the policies in order to establish mutual trust between the

client and the server. Various protocols and strategies have

been proposed to achieve this [3], [1], [4], [2]. Below, we

briefly describe two basic strategies presented in [1], i.e.,

Eager Strategy and Parsimonious Strategy.

1) Eager Strategy: In Eager Strategy [1], the client and

the server in turns exchange all the currently unlocked cre-

dentials. As credentials are exchanged in the negotiation,

more credentials become unlocked. The negotiation suc-

ceeds when SGP is satisfied by the credentials disclosed

by the client, and fails when the client terminates the

negotiation because either of the negotiating parties has

no credential to newly disclose.

The negotiation process of Eager Strategy is very sim-

ple, and none of the server’s and the client’s policies

is directly disclosed. The weakness of Eager Strategy

is in that credentials are disclosed regardless of their

contribution to the success of the negotiation, i.e., some of

them may be unnecessarily disclosed. They are disclosed

even if the negotiation fails.

2) Parsimonious Strategy: Eager Strategy is an ap-

proach to disclose all the credentials that can be disclosed,

and no party sends requests for credentials to the other.

In contrast, in Parsimonious Strategy [1], each party first

repeats sending requests for credentials to the counterpart,

and discloses their credentials only after finding the se-

quence to exchange them for satisfying SGP. There is no

disclosure of unnecessary credentials, but the existence

of some policies that are not related to the sequence to

exchange credential may be known to the counterpart.

Most of protocols in the studies of ATN are extensions

of Parsimonious Strategy, and suffers from the same

weakness.

B. Private Policy Matching

Our goal is to create a new protocol that discloses

neither credentials nor policies that do not contribute to

the successful trust negotiation. In this section, we explain

private policy matching [5] which is used in the process

of BPPM/AHES.

1) The ElGamal Cryptosystem: The private policy

matching method is based on the ElGamal Cryptosys-

tem [6]. To describe its properties, we first define addi-

tively homomorphic encryption.

Definition 1 (Additively Homomorphic): Given an en-

cryption function E, a public key p with corresponding

secret key s, and a message m, we denote the encryption

of m with the public key p by Ep(m). An encryption func-

tion E is called additively homomorphic if the following

formula is satisfied for all message m1 and m2.

Ep(m1)Ep(m2) = Ep(m1 +m2)

Additively homomorphic encryption has the following

properties.

E(m)c = E(cm)

E(m)E(0) = E(m)

The ElGamal cryptosystem is a public key encryption

which depends on the difficulty of discrete logarithm

problem (LDP). Its definition is given as follows.

Definition 2 (ElGamal Cryptosystem): Let G = 〈g〉denote a finite cyclic (multiplicative) group of prime order

q. The public key of ElGamal cryptosystem is an element

h ∈ G and the encryption of a message m ∈ Zq is given

by the pair (a, b) = (gr, hrgm) where r ∈r Zq . The

secret key s is given by s = logg h. Given the private

key s, decryption of the ciphertext (a, b) = (gr, gmhr)is performed by first calculating b/as = gm, and then

solving for m ∈ Zq .

When the encryption of two messages m1, m2 ∈ Zq are

given by the pairs (gr1 , hr1gm1), (gr2 , hr2gm2), the mul-

tiplication of two ciphertexts is (gr1+r2 , hr1+r2gm1+m2).The ElGamal cryptosystem is additively homomorphic,

since

(gr1+r2 , hr1+r2gm1+m2) is the encryption of a message

m1 +m2 ∈ Zq .

2) Private Policy Matching Based on the ElGamalCryptosystem: Kursawe et al. [5] proposed private policy

matching based on the ElGamal cryptosystem. It is a

process to find out whether a match exists between the

credentials that a client can disclose and those requested

by a server. Below, we define the preference of a client as

the credentials that the client may disclose in order to get

access to certain service, and the preference of a server

are defined as the credentials that the server requests from

a client before granting access to the service. A set of

credentials is called a matching policy if it satisfies both

preferences. The formal definitions are given as follows.

Definition 3: Let C be a set of credentials and let Sbe a totally ordered set of scores with least element 0. In

this paper, we limit to the case S = {0, 1} for simplicity.

Preferences over the set of credentials C are described by

functions that assign to each set of credentials C ⊆ Ca score s ∈ S . The client’s preferences are defined as a

function f : 2C → S.

f(C) =

{1 if the client may disclose C0 otherwise

The server’s preferences are described as a function g :2C → S .

g(C) =

{1 if the server requests C0 otherwise

680

A matching function M : 2C × S × S → S assigns a

matching score to a set C ⊆ C based on C as follows.

M(C, f(C), g(C)) =

{1 f(C) = g(C) = 10 otherwise

In private policy matching, both of the parties know

whether matching policies exist and what they are, but

they cannot acquire any additional knowledge about the

preference of the counterpart.

The client’s preference function f is a monotonically

decreasing Boolean function, which means that, if f(A) =1 and B ⊆ A, then f(B) = 1. Likewise, the server’s

preference function g is usually monotonically increasing

Boolean function, which means that, if g(A) = 1 and

B ⊇ A, then g(B) = 1. Based on these facts, we define

generating subsets as follows.

Definition 4 (Generating Subsets): Let h : 2C →{0, 1} be a monotonically increasing Boolean function. We

say that H = {H1, . . . , Ha} ⊆ 2C is a set of generating

subsets for h iff for all C ⊆ Ch(C) = 1 ⇐⇒ ∃ i ∈ {1, . . . , a} : Hi ⊆ C

Since f is a monotonically decreasing function, ¬fis a monotonically increasing function that is described

through its set of generating subsets F = {F1, . . . , Fa}.Essentially, the sets F1, . . . , Fa are the minimal sets of

credentials that the client does not want to disclose to-

gether. Similarly, the function g is described through its

set of generating subsets G = {G1, . . . , Gb}, where the

sets G1, . . . , Gb are the minimal sets of credentials that

the server request from the client before granting access

to the service.

By using the notation of generating subsets, finding a

match is equivalent to finding a set of credentials C ⊆ C,

such that

• ∀Fi ∈ F : Fi � C, and

• ∃Gj ∈ G : Gj ⊆ C.

If a match exists, the matching policy is one of the server’s

generating subsets. Thus, the condition for the matching

policy C is represented more compactly as follows.

Gj ∈ G s.t. ∀Fi ∈ F : Fi � Gj (1)

Private policy matching which finds a matching policy

that satisfies in the formula (1) is performed as follows.

1) The client and the server share a distributed private

key by previously running a distributed key genera-

tion protocol [7]. They encrypt the strings describing

their generating subsets bit-by-bit under the same

public key.

2) They calculate a matching policy that satisfies the

formula (1) using the additively homomorphic prop-

erties of the cryptosystem.

3) Finally, they decrypt the two values obtained as the

output of the calculations, i.e., a matching policy

M and a bit e indicating whether a matching policy

exists (e = 1) or not (e = 0), with a threshold

decryption protocol [8].

Table IIEXAMPLE OF THE CLIENT’S NEGOTIATION TABLE

client’s policy DF MP

C1 ← true 0 trueC2 ← true 0 trueC3 ← S1 ∧ S2 0C4 ← S3 ∨ S4 0C5 ← S2 ∨ S3 0C6 ← false 0

Table IIIEXAMPLE OF THE SERVER’S NEGOTIATION TABLE

server’s policy DF MP

R ← (C3 ∧ C4) ∨ C6

S1 ← true 0 trueS2 ← (C1 ∧ C2) ∨ C3 0S3 ← C3 ∨ C4 0S4 ← C4 0S5 ← C1 ∧ C5 0

After this, they know whether a matching policy exists,

and what the matching policy is.

This protocol enables us to derive a minimal set of

credentials for the client to disclose, when only the server

has policies and the client’s credentials are unprotected.

In the following section, we extend this to be applied in

such bidirectional scenarious as in ATN, where both of

the server and the client have policies.

III. BIDIRECTIONAL PRIVATE POLICY

MATCHING

Our new protocol is derived by repeating private policy

matching described in the previous section. Below, we call

the original private policy matching as the server-sidepolicy matching, where the server’s policies are tested

against the client’s credentials. On the other hand, we call

the opposite where the client’s policies are examined as

the client-side policy matching. By repeating the server-

side and the client-side policy matchings alternately, the

information exchange needed in ATN is achieved. We call

our new protocol as Bidirectional Private Policy Matching

based on Additively Homomorphic Encryption Systems

(BPPM/AHES).

A. Negotiation Tables

This protocol takes the policies of the client and the

server as its input, and outputs the sequence to exchange

credentials. The process fails when no sequence is feasible.

Both the client and the server maintain negotiation tablesas exemplified in Tables II and III. These tables are

updated through the negotiation process.

A negotiation table has three columns, Policy, DF

and MP. DF and MP stand for disclosing flag (DF)

and matching policy (MP) respectively. A value in DF

means whether the credential is disclosed (DF= 1) or

not (DF= 0) in the negotiation process. The values in

DF are initialized to 0, which means that all credentials

are not disclosed before the negotiation. MP is for storing

encrypted matching policies found in the negotiation. For a

681

Figure 1. Policy Negotiation

policy the right-hand side of which is true, its MP column

is initialized to “unprotected.”

B. Protocol

The BPPM/AHES protocol consists of two stages,

policy negotiation and credential exchange. Below, we

explain each of them.

1) Policy Negotiation: In policy negotiation, the client

and the server repeat the server-side and the client-side

policy matchings alternately until they know that there is

a sequence to exchange credentials which satisfies SGP

or until the negotiation fails. If there is such a sequence,

they move to credential exchange. If there is not, the

negotiation process is terminated. The flowchart of policy

negotiation is depicted in Figure 1.

(1) First, the client requests a service to the server.

(2) The server which received a service request

sends a message that indicates the start of the

server-side policy matching.

(3) In the server-side policy matching, the client

and the server determine if there is any server’s

policy which gets satisfied by credentials which

can be disclosed by the client. Before the server-

side policy matching, if the value in DF of the

credential that can be disclosed at that time by

the client is 0, it is set to 1. The server-side

policy matching is performed as described in

Section II-B2. The server-side policy matchings

are performed in parallel for each of the server’s

policies. If a matching policy exists, the server

sets the policy of the credential to true, and

writes the matching policy in the column of MP

of the credential.

(4) After the server-side policy matching, the server

determines if SGP is satisfied. This is equivalent

to determining if there is a sequence to exchange

credentials which satisfies SGP.

(5) If SGP is satisfied, which means that the nego-

tiation succeeds, the negotiating party move to

credential exchange described in the next section.

(6) If SGP is not satisfied, the server determines if

there is any unprotected credential whose DF is

0. This is equivalent to determining if there is

any credential which can be disclosed newly.

(7) If there is a credential which can be disclosed

newly, the server sends a message that indicates

the start of the client-side policy matching to the

client.

(8) If there is no credential which can be disclosed

newly, the server sends a message that indicates

the end of the negotiation to the client. The

negotiation fails and is terminated.

(9) In the client-side policy matching, the client and

the server determine if there is any client’s policy

which gets satisfied by credentials which can

be disclosed by the server. Before the client-

side policy matching, if the value in DF of the

credential that can be disclosed at that time by

the server is 0, it is set to 1. The client-side

policy matching is performed as described in

Section II-B2. The client-side policy matchings

are performed in parallel for each of the client’s

policies. If a matching policy exists, the client

sets the policy of the credential to true, and

writes the matching policy in the column of MP

of the credential.

(10) After the client-side policy matching, the client

determines if there is any unprotected credential

whose DF is 0. This is equivalent to determining

if there is any credential which can be disclosed

newly.

(11) If there is a credential which can be disclosed

newly, the client sends a message that indicates

the start of the server-side policy matching to the

server.

(12) If there is no credential which can be disclosed

newly, the client sends a message that indicates

the end of the negotiation to the server. The

negotiation fails and is terminated.

2) Credential Exchange: After policy negotiation, the

client and the server first find the sequence to exchange

credentials and then exchange credentials according to it.

The flowchart of credential exchange is given in Figure 2.

(1) The server generates a request for credentials

which must be disclosed by the client, for the

server to satisfy the client’s request for the

server’s credentials or service. A request for cre-

dentials is generated by matching policies stored

in the columns of MP in the negotiation table.

The matching policies are decrypted by the client

and the server if needed to generate a request

for credentials. First of credential exchange, the

client and the server decrypt the column of MP of

the service R together, and the server generates

a request for credentials.

682

Figure 2. Credential Exchange

(2) The server sends it to the client.

(3) The client determines whether the request from

the server is satisfied by the client’s unprotected

credentials.

(4) If the request from the server is satisfied by the

client’s unprotected credentials, move to (11).

(5) If the request from the server is not satisfied by

the client’s unprotected credentials, move to (6).

(6) The client generates a request for credentials

which must be disclosed by the server, for the

client to satisfy the server’s request for the

client’s credentials.

(7) The client sends it to the server.

(8) The server determines whether the request from

the client is satisfied by the server’s unprotected

credentials.

(9) If the request from the client is satisfied by the

server’s unprotected credentials, move to (11).

(10) If the request from the client is not satisfied by

the server’s unprotected credentials, move to (1).

(11) The client and the server find the sequence

to exchange credentials by reversing previous

requests for credentials and exchange credentials

according to it.

(12) When SGP is satisfied by the credentials which is

disclosed last, the negotiation finishes in success.

C. Example of the Negotiation

In this section, we explain an example of negotiation in

BPPM/AHES by showing the changes of the negotiation

tables using the policies given in Table I. The negotiation

tables of the client and the server after the first server-side

and client-side policy matchings are shown in Table IV

and V.

At the first server-side policy matching, since the client

can disclose the credentials C1 and C2, the values in DF of

credentials C1 and C2 in Table IV are set to 1. When the

Table IVTHE NEGOTIATION TABLE OF THE CLIENT AFTER THE FIRST

SERVER-SIDE AND CLIENT-SIDE POLICY MATCHINGS


C1 ← true 1 trueC2 ← true 1 trueC3 ← S1 ∧ S2 true 0 EC3

C4 ← S3 ∨ S4 0C5 ← S2 ∨ S3 true 0 EC5

C6 ← false 0

Table VTHE NEGOTIATION TABLE OF THE SERVER AFTER THE FIRST

SERVER-SIDE AND CLIENT-SIDE POLICY MATCHINGS


R ← (C3 ∧ C4) ∨ C6

S1 ← true 1 trueS2 ← (C1 ∧ C2) ∨ C3 true 1 ES2

S3 ← C3 ∨ C4 0S4 ← C4 0S5 ← C1 ∧ C5 0

first server-side policy matching is performed, the server

knows that there is a matching policy that satisfied the

policy of server’s credential S2. The server sets the policy

of the credential S2 to true, and writes a matching policy

ES2 in the column of MP of the credential S2. After the

first server-side policy matching, the server determines if

SGP is satisfied and if there is any unprotected credential

whose value in DF is 0. Since SGP is not satisfied, and

there are credentials S1 and S2 as such values, the server

sends a message that indicates the start of the first client-

side policy matching to the client. After receiving it, the

client starts the first client-side policy matching with the

server.

At the first client-side policy matching, since the server

can disclose the credentials S1 and S2, the values in DF of

credentials S1 and S2 in Table V are set to 1. When the

first client-side policy matching is performed, the client

know that there are matching policies that satisfied the

policy of client’s credentials C3 and C5 respectively. The

client sets the policies of the credentials C3 and C5 to

true, and writes matching policies EC3and EC5

in the

columns of MP of the credentials C3 and C5 respectively.

After the first client-side policy matching, the client deter-

mines if there is any unprotected credential whose value

in DF is 0. Since there are credentials C3 and C5 as such

values, the client sends a message that indicates the start of

the second server-side policy matching to the server. After

receiving it, the server starts the second server-side policy

matching with the client. Similarly, the second server-side

and client-side policy matchings is performed.

The negotiation tables of the client and the server after

the third server-side policy matching are given in Table VI

and VII.

At the third server-side policy matching, since the client

can disclose the credential C4, the value in DF of the

credential C4 in Table VI is set to 1. When the third

server-side policy matching is performed, the server know

683

Table VITHE NEGOTIATION TABLE OF THE CLIENT AFTER THIRD

SERVER-SIDE POLICY MATCHING


C1 ← true 1 trueC2 ← true 1 trueC3 ← S1 ∧ S2 true 1 EC3

C4 ← S3 ∨ S4 true 1 EC4

C5 ← S2 ∨ S3 true 1 EC5

C6 ← false 0

Table VIITHE NEGOTIATION TABLE OF THE SERVER AFTER THIRD

SERVER-SIDE POLICY MATCHING


R ← (C3 ∧ C4) ∨ C6 true ER

S1 ← true 1 trueS2 ← (C1 ∧ C2) ∨ C3 true 1 ES2

S3 ← C3 ∨ C4 true 1 ES3

S4 ← C4 true 0 ES4

S5 ← C1 ∧ C5 true 1 ES5

that there are matching policies that satisfied SGP and the

policy of server’s credential S4 respectively. The server

sets SGP and the policies of the credential S4 to true,

and writes matching policies ER and ES2 in the columns

of MP of the service R and the credential S4 respectively.

After the third server-side policy matching, the server

determines if SGP is satisfied. Since SGP is satisfied in

this case, they move to credential exchange.

In credential exchange, the server first decrypts ER

cooperating with the client, and obtains ER = {C3, C4}.After that, the server generates a request for credentials

C3 ∧ C4, and sends it to the client. Since the request

from the server is not satisfied by the client’s unprotected

credentials, the client decrypts EC3 and EC4 cooperating

with the server, and obtains EC3 = {S1, S2} and EC4 ={S3} respectively. Then, the client generates a request for

credentials S1 ∧ S2 ∧ S3, and sends it to the server. Since

the request from the client is not satisfied by the server’s

unprotected credentials, the server decrypts ES2 and ES3

cooperating with the client, and obtains ES2 = {C1, C2}and ES3 = {C3} respectively. Then, the server generates

a request for credentials C1 ∧C2 ∧C3, and sends it to the

client. Since the request from the server is not satisfied by

the client’s unprotected credentials, the client generates

a request for credentials S1 ∧ S2, and sends it to the

server. Since the request from the client is not satisfied by

the server’s unprotected credentials, the server generates a

request for credentials C1 ∧C2, and sends it to the client.

The client terminates a request for credentials because the

server’s request for credentials C1 ∧C2 is satisfied by the

client’s unprotected credentials. The client and the server

find the sequence to exchange credentials C1, C2 → S1,

S2 → C1, C2, C3 → S1, S2, S3 → C3, C4 → R by

reversing previous requests for credentials and exchange

credentials according to it. When SGP is satisfied by the

exchanged credentials, the negotiation finishes in success.

Table VIIICOMPARISON OF ATN PROTOCOLS

��ProtocolCriteria Disclose Disclose

Credentials Policies

Eager Strategy Yes NoParsimonious Strategy No YesBPPM/AHES No No

IV. DISCUSSIONS

In this section, we describe the property of

BPPM/AHES from the view point of security and

performance.

A. Unnecessary Disclosure of Policies

First, we discuss about unnecessary disclosure of poli-

cies in BPPM/AHES. In policy negotiation, there is no

unnecessary disclosure of policies before the negotiation

succeeds, because the computation is performed by using

additively homomorphic properties of the cryptosystem,

and because the matching policies are not decrypted in

policy negotiation.

In credential exchange, there is no unnecessary dis-

closure of policies except for policies which can be

inferred from the sequence to exchange credentials. When

BPPM/AHES is performed over the policies of the client

and the server shown in Table I, the sequence to exchange

credentials is :C1, C2 → S1, S2 → C1, C2, C3 → S1,

S2, S3 → C3, C4 → R. In this example, such policies as

R← C3∧C4, C1 ← true and C2 ← true can be inferred.

These policies are disclosed, in contract, policies about

such credentials as S4 and C5, which are not exchanged

cannot be known.

In Table VIII, we compare three ATN protocols in terms

of the disclosure of credentials and policies before the


In Eager Strategy, since the client and the server ne-

gotiate by directly disclosing credentials, credentials are

disclosed no matter whether the negotiation succeeds, but

there is no unnecessary disclosure of policies. Since Parsi-

monious Strategy is a strategy where each party discloses

credentials only after finding the sequence to exchange

credentials for satisfying SGP, there is no disclosure of

credentials. But, the existence of some policies about

credentials that are not exchanged may be known to the

counterpart. As we have explained, there is no disclosure

of credentials and policies in BPPM/AHES before the


BPPM/AHES and Parsimonious Strategy have very

similar procedure for finding the sequence to exchange

credentials, but only the condition used to generate a re-

quest for credentials is different. In Parsimonious Strategy,

we use the policy of credential to generate the request for

credentials. On the other hand, we use a matching policy

(MP) registered in the negotiation table in BPPM/AHES.

The matching policy is a sufficient condition of the policy,

and, by using it, the client and the server can find the

sequence to exchange credentials which turns out that the

negotiation succeeds in the last of policy negotiation. In

684

Parsimonious Strategy, if the policies include OR (∨), un-

necessary disclosure of policies may occur in the process

of the request for credentials, and thus more policies may

be known than in BPPM/AHES. Otherwise, BPPM/AHES

and Parsimonious Strategy give the same security in terms

of inferred policies.

B. Communication and Memory Complexity ofBPPM/AHES

Below, we analyze the performance of BPPM/AHES

in terms of its communication cost and memory con-

sumption. We denote the maximum number of generating

subsets in the client’s policies by mc, and that in the

server’s policies by ms. The communication complexity

is given by the following theorem.

Theorem 1: Communication complexity of

BPPM/AHES is O(min(nc, ns)(mc+ms+log2(msnc)+log2(mcns))).

Proof: As described in [5], communication complex-

ity of server-side policy matching is O(ms+log2(msnc)),and communication complexity of client-side policy

matching is

O(mc + log2(mcns)). The number of server-side policy

matchings in BPPM/AHES is at most min(nc, ns) +1, and the number of client-side policy matchings

in BPPM/AHES is at most min(nc, ns). Two mes-

sages is required to decrypt a bit e indicating whether

a matching policy exists in each policy matching.

Thus, communication complexity of policy negotiation

is (ms + log2(msnc)) × (min(nc, ns) + 1) + (mc +log2(mcns))×min(nc, ns) + 2× (2min(nc, ns) + 1) =O(min(nc, ns)(ms + log2(msnc) +mc + log2(mcns))).In credential exchange, the number of messages for

decryption is 4min(nc, ns) + 2, and the number of

messages to exchange credentials is 2min(nc, ns) + 1.

Therefore, communication complexity of BPPM/AHES is

O(min(nc, ns)(mc +ms + log2(msnc) + log2(mcns))).

And, memory complexity is given as follows.

Theorem 2: Client side memory complexity of

BPPM/AHES is O(n2c + n2

s + ncns(mc + ms)).Server side memory complexity of BPPM/AHES is

O(n2c + n2

s + ncns(mc +ms)).Proof: Consider the client side first. As described

in [9], the memory complexity of adjacency-list represen-

tation of client’s policies is O(mc(nc + ns)). Memory

complexity of storing disclosing flags and matching poli-

cies in client’s negotiation table is O(nc) and O(ncns)respectively. The client has to store all sets of generating

subsets for computations. In the server-side policy match-

ing, the size of sets of generating subsets which the client

generates is at most n2c . That of the server generates is at

most ncnsms. In the client-side policy matching, the size

of sets of generating subsets which the client generates

is at most ncnsmc. That of the server generates is at

most n2s. Thus, the total size of the sets of generating

subsets is at most n2c + ncnsms + ncnsmc + n2

s =O(n2

c + n2s + ncns(mc + ms)). In credential exchange,

the client has to store the credentials which disclosed by

the server. Memory need to store them is bounded by

the number of credentials ns. Thus, the total memory

consumption is (mc(nc+cs))+nc+ncns+(n2c+ncnsms+

ncnsmc + n2s) + n2. Therefore, memory complexity of

BPPM/AHES at the client side is O(n2c+n2

s+ncns(mc+ms)). Similarly, memory complexity at the server side is

O(n2c + n2

s + ncns(mc +ms)).

V. CONCLUSION

In this paper, we proposed BPPM/AHES as an ATN

negotiation protocol. We extended private policy matching

proposed in a preceding work, and defined the server-

side policy matching and the client-side policy matching.

In each policy matching, computation is performed using

additively homomorphic properties of the cryptosystem.

The negotiation process proceeds by repeating the server-

side and the client-side policy matchings alternately, until

the sequence to exchange credentials without violating

policies is found. In this protocol, there is no disclosure

of credentials and policies before the negotiation suc-

ceeds. Also, because there is no unnecessary disclosure

of policies except for policies which can be inferred from

the sequence to exchange credentials, the amount of the

unnecessary disclosure of policies in BPPM/AHES is less

than or equal to that in Parsimonious Strategy.

Though this method achieved minimal direct disclosure

of credentials and policies, it is still possible to infer poli-

cies from obtained exchange sequences. This is inevitable

in such approaches as those based on Parsimonious Strat-

egy and BPPM/AHES, where credentials are exchanged

according to the minimal sequence obtained in former

processes. To cope with this, it is important to device a

new technique, where neither of the negotiating parties

does not know the sequence of credential disclosure by,

for example, encrypting the whole process.

REFERENCES

[1] W. Winsborough, K. Seamons, and V. Jones, “Automatedtrust negotiation,” in DARPA Information SurvivabilityConference and Exposition, vol. 1, 2000, pp. 88–102.

[2] T. Yu, X. Ma, and M. Winslett, “PRUNES: an efficient andcomplete strategy for automated trust negotiation over theInternet,” in Proceedings of the 7th ACM conference onComputer and communications security. ACM, 2000, pp.210–219.

[3] K. Nakatsuka and T. Ishida, “Distributed AND/OR Searchfor Automated Trust Negotiation,” Transactions, vol. 47,no. 8, pp. 2454–2463, 2006.

[4] H. Yamaki, M. Fujii, K. Nakatsuka, and T. Ishida, “Adynamic programming approach to automated trust nego-tiation for multiagent systems,” in Rational, Robust, andSecure Negotiation Mechanisms in Multi-Agent Systems,2005. IEEE, 2006, pp. 55–65.

[5] K. Kursawe, G. Neven, and P. Tuyls, “Private policy negoti-ation,” LECTURE NOTES IN COMPUTER SCIENCE, vol.4107, p. 81, 2006.

685

[6] T. ElGamal, “A public key cryptosystem and a signaturescheme based on discrete logarithms,” IEEE transactions oninformation theory, vol. 31, no. 4, pp. 469–472, 1985.

[7] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Securedistributed key generation for discrete-log based cryptosys-tems,” Journal of Cryptology, vol. 20, no. 1, pp. 51–83, 2007.

[8] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,”Lecture Notes in Computer Science, pp. 3–3, 1993.

[9] I. Katugampala, H. Yamaki, and Y. Yamaguchi, “MemoryComplexity of Automated Trust Negotiation Strategies,”Principles of Practice in Multi-Agent Systems, pp. 229–244,2009.

686

[ieee 2013 international conference on signal-image technology & internet-based systems (sitis)...

Documents