1: \documentstyle{article} %[graphicx]{article}
2: \textwidth 14 cm
3: \textheight 21 cm
4: \voffset=-0.5 cm
5: \hoffset=-10 mm
6: \newtheorem{theorem}{Theorem}[section]
7: \newtheorem{lemma}[theorem]{Lemma}
8: \newtheorem{proposition}[theorem]{Proposition}
9: \newtheorem{ex}{Example}
10: \newtheorem{definition}[theorem]{Definition}
11: \newtheorem{fact}{Fact}
12: %\newtheorem{conjecture}{Conjecture}
13:
14: \newcommand{\auth}{\mbox{auth}}
15: \newcommand{\astop}{\mbox{A\_STOP}}
16: \newcommand{\bstop}{\mbox{B\_STOP}}
17: \newcommand{\pr}{\mbox{Pr}}
18:
19: \makeatletter
20: \let\@xpar=\par
21: \newenvironment{proof}{{\vspace{1ex}\@xpar\noindent}%
22: {\bf Proof.}\hspace{3mm} }{\penalty10000\penalty10000%
23: \hfill$\Box$\vspace{.5ex}\@xpar\penalty-8000\noindent}
24:
25: \def\setcounterrefvalue#1#2{\@ifundefined{c@#1}{\@nocnterr}%
26: {\@ifundefined{r@#2}{\edef\@tempb{\z@}}{\edef\@tempc{\@nameuse{r@#2}}
27: \relax\edef\@tempb{\expandafter\@car\@tempc\@nil}}
28: \global\csname c@#1\endcsname \@tempb\relax}}
29:
30:
31: \newcount\@algordepth \@algordepth = 0
32:
33: \@definecounter{algori}
34: \@definecounter{algorii}
35:
36:
37: \def\setcounterrefvalue#1#2{\@ifundefined{c@#1}{\@nocnterr}%
38: \@ifundefined{r@#2}{\edef\@tempb{\z@}}{\edef\@tempc{\@nameuse{r@#2}}
39: \relax\edef\@tempb{\expandafter\@car\@tempc\@nil}
40: \global\csname c@#1\endcsname \@tempb\relax}}
41:
42: \def\algorithm#1{\ifnum \@algordepth >1 \@toodeep\else
43: \advance\@algordepth \@ne
44: \edef\@algorctr{algor\romannumeral\the\@algordepth}\list
45: {\hspace\labelsep \csname label\@algorctr\endcsname}%
46: {\settowidth\labelwidth{\hspace\labelsep {\bf Step #1}}%
47: \leftmargin\labelwidth
48: \advance\leftmargin\labelsep\usecounter{\@algorctr}}
49: \setlength{\itemsep}{2.0pt}
50: \setlength{\topsep}{4.5pt plus 1pt minus 1pt}%
51: \fi}
52:
53: \let\endalgorithm =\endlist
54:
55: \def\labelalgori{{\bf Step \arabic{algori}}}
56: \def\thealgori{\arabic{algori}}
57: \def\labelalgorii{{\bf Step \arabic{algori}.\alph{algorii}}}
58: \def\thealgorii{\alph{algorii}}
59: \def\p@algorii{\thealgori.}
60:
61:
62: \def\labelenumii{\arabic{enumi}.\alph{enumii})}
63:
64: \def\p@enumii{\theenumi.}
65:
66:
67:
68: \begin{document}
69: \bibliographystyle{plain}
70:
71: \title{Perfectly Secure Message Transmission Revisited\thanks{An extended
72: abstract of this paper has appeared in \cite{dwe02}}}
73:
74: \author{Yvo Desmedt\\
75: Computer Science, Florida State University, Tallahassee\\
76: Florida FL 32306-4530, USA, {\tt desmedt@cs.fsu.edu}\\
77: \and
78: Yongge Wang\\
79: Department of Software and Information Systems,\\
80: University of North Carolina at Charlotte,\\
81: 9201 University City Blvd, Charlotte, NC 28223,\\
82: {\tt yonwang@uncc.edu}
83: }
84:
85: \maketitle
86: %
87: \begin{abstract}
88: Achieving secure communications in networks has been one
89: of the most important problems in information technology.
90: Dolev, Dwork, Waarts, and Yung have studied secure
91: message transmission in one-way or two-way channels.
92: They only consider the case when all channels are two-way or
93: all channels are one-way. Goldreich, Goldwasser, and Linial,
94: Franklin and Yung, Franklin and Wright, and Wang and
95: Desmedt have studied secure communication and
96: secure computation in multi-recipient (multicast)
97: models. In a ``multicast channel'' (such as Ethernet), one processor
98: can send the same message---simultaneously and privately---to
99: a fixed subset of processors. In this paper, we shall
100: study necessary and sufficient conditions for achieving
101: secure communications against active adversaries in mixed
102: one-way and two-way channels. We also discuss
103: multicast channels and neighbor network channels.
104:
105: Keywords: network security, privacy, reliability, network connectivity
106: \end{abstract}
107: %
108: \section{Introduction}
109: %
110: If there is a private and authenticated channel between two parties,
111: then secure communication between them is guaranteed.
112: However, in most cases, many parties are only indirectly
113: connected, as elements of an incomplete network of private
114: and authenticated channels.
115: In other words they need to use intermediate or internal nodes.
116: Achieving participants cooperation in the presence of faults
117: is a major problem in distributed networks.
118: Original work on secure distributed computation assumed a
119: complete graph for secure and reliable communication.
120: Dolev, Dwork, Waarts, and Yung \cite{ddwy} were able
121: to reduce the size of the network graph by providing
122: protocols that achieve private and reliable communication
123: without the need for the parties to start with secret keys.
124: The interplay of network connectivity and secure
125: communication has been studied extensively
126: (see, e.g., \cite{bgw,ccd,dolev,ddwy,ha}).
127: For example, Dolev \cite{dolev} and Dolev et al. \cite{ddwy} showed
128: that, in the case of $k$ Byzantine faults, reliable communication
129: is achievable only if the system's network is
130: $2k+1$ connected. They also showed that if all the paths are one
131: way, then $3k+1$ connectivity is necessary and sufficient
132: for reliable and private communications.
133: However they did not prove any results for the general case
134: when there are certain number of directed paths in one direction
135: and another number of directed paths in the other direction.
136: While undirected graphs correspond naturally to the case of pairwise
137: two-way channels, directed graphs do not correspond to the case of
138: all-one-way or all-two-way channels considered in \cite{ddwy},
139: but to the mixed case where there are some paths in one direction
140: and some paths in the other direction.
141: In this paper, we will initiate the study in this direction
142: by showing what can be done with a general directed graph.
143: Note that this scenario is important in practice, in particular,
144: when the network is not symmetric. For example, a channel from $A$ to
145: $B$ is cheap and a channel from $B$ to $A$ is expensive but not impossible.
146: Another example is that $A$ has access to more resources than $B$ does.
147:
148:
149: Goldreich, Goldwasser, and Linial \cite{ggl},
150: Franklin and Yung \cite{fy}, Franklin and Wright \cite{fw},
151: and Wang and Desmedt \cite{wd}
152: have studied secure communication and
153: secure computation in {\it multi-recipient (multicast)}
154: models. In a ``multicast channel'' (such as Ethernet), one participant
155: can send the same message---simultaneously and privately---to
156: a fixed subset of participants.
157: Franklin and Yung \cite{fy} have given
158: a necessary and sufficient condition for
159: individuals to exchange private messages
160: in multicast models in the presence
161: of passive adversaries (passive gossipers).
162: For the case of active Byzantine adversaries,
163: many results have been presented by
164: Franklin and Wright \cite{fw}, and, Wang and Desmedt \cite{wd}.
165: Note that Goldreich, Goldwasser, and Linial \cite{ggl}
166: have also studied fault-tolerant computation
167: in the public multicast model (which can be thought of
168: as the largest possible multirecipient channels) in the presence
169: of active Byzantine adversaries. Specifically,
170: Goldreich, et al. \cite{ggl}
171: have made an investigation of general fault-tolerant distributed
172: computation in the full-information model.
173: In the full information model no restrictions are made on
174: the computational power of the faulty parties or
175: the information available to them. (Namely, the faulty
176: players may be infinitely powerful and there are no private
177: channels connecting pairs of honest players).
178: In particular, they present efficient two-party protocols for
179: fault-tolerant computation of any bivariate function.
180:
181: There are many examples of multicast channels (see, e.g. \cite{fw}),
182: such as an Ethernet bus
183: or a token ring. Another example is a shared cryptographic
184: key. By publishing an encrypted message, a participant
185: initiates a multicast to the subset of participants
186: that is able to decrypt it.
187:
188: We present our model in Section \ref{modelsec}.
189: In Sections \ref{digraphsecd} and \ref{digraphsec},
190: we study secure message transmission over directed graphs.
191: Section \ref{hypersec} is devoted to reliable message transmission
192: over hypergraphs, and Section \ref{neighborsec} is devoted to
193: secure message transmission over neighbor networks.
194:
195: \section{Model}
196: \label{modelsec}
197: %
198: We will abstract away the concrete network structures and
199: consider directed graphs. A directed graph is a graph $G(V,E)$
200: where all edges have directions. For a directed graph $G(V,E)$
201: and two nodes $A,B\in V$,
202: throughout this paper, $n$ denotes the number of
203: vertex disjoint paths between the two nodes and
204: $k$ denotes the number of faults under the
205: control of the adversary. We write $|S|$ to denote
206: the number of elements in the set $S$.
207: We write $x\in_R S$ to indicate that $x$ is chosen
208: with respect to the uniform distribution on $S$.
209: Let {\bf F} be a finite field, and let $a,b,c,M\in {\bf F}$.
210: We define $\auth(M;a,b) :=aM+b$ (following \cite{fw,gms,rab,rb})
211: and $\auth(M;a,b,c) :=aM^2+bM+c$ (following \cite{wd}).
212: Note that each authentication key $key=(a,b)$ can be used to
213: authenticate one message $M$ without
214: revealing any information about any component of the authentication key
215: and that each authentication key $key=(a,b,c)$ can be used to
216: authenticate two messages $M_1$ and $M_2$ without
217: revealing any information about any component of the authentication key.
218: We will also use a function $\langle \ldots \rangle$ which
219: maps a variable size (we assume that this variable size is
220: bounded by a pre-given bound) ordered subset of {\bf F} to an image element
221: in a field extension ${\bf F}^*$ of {\bf F}, and from any image element
222: we can uniquely and efficiently recover the ordered subset.
223: Let $k$ and $n$ be two integers such
224: that $0\leq k < n\le 3k+1$. A $(k+1)$-out-of-$n$ secret
225: sharing scheme is a probabilistic function
226: S: ${\bf F}\rightarrow {\bf F}^n$ with the property that
227: for any $M\in{\bf F}$ and $\mbox{S}(M)=(v_1,\ldots,v_n)$,
228: no information of $M$ can be inferred from any $k$ entries
229: of $(v_1,\ldots,v_n)$, and $M$ can
230: be recovered from any $k+1$ entries of $(v_1,\ldots,v_n)$.
231: The set of all possible $(v_1,\ldots,v_n)$ is called a code
232: and its elements codewords.
233: %
234: We say that a $(k+1)$-out-of-$n$ secret sharing scheme
235: can detect $k'$ errors if given any codeword $(v_1,\ldots,v_n)$ and any
236: tuple $(u_1,\ldots,u_n)$ over {\bf F}
237: such that
238: $0<|\{i: u_i\not= v_i, 1\le i \le n\}|\le k'$ one can detect
239: that $(u_1,\ldots,u_n)$ is not a codeword. If the code is
240: Maximal Distance Separable, then the maximum value of errors that can be
241: detected is $n-k-1$~\cite{MacWilliamsSloane78}.
242: %
243: We say that the $(k+1)$-out-of-$n$ secret sharing scheme can correct $k'$
244: errors if from any $\mbox{S}(M)=(v_1,\ldots,v_n)$ and any tuple
245: $(u_1,\ldots,u_n)$ over {\bf F} with
246: $|\{i: u_i\not= v_i, 1\le i \le n\}|\le k'$
247: one can recover the secret $m$.
248: If the code is Maximal Distance Separable, then the maximum value of errors
249: that allows the recovery of the vector $(v_1,\ldots,v_n)$
250: is $(n-k-1)/2$~\cite{MacWilliamsSloane78}.
251: A $(k+1)$-out-of-$n$ Maximal Distance Separable (MDS) secret
252: sharing scheme is a $(k+1)$-out-of-$n$ secret sharing scheme
253: with the property that for any $k'\le (n-k-1)/2$, one can correct $k'$
254: errors
255: and simultaneously detect $n-k-k'-1$ errors (as follows easily
256: by generalizing~\cite[p.~10]{MacWilliamsSloane78}).
257: Maximal Distance Separable (MDS) secret
258: sharing schemes can be constructed from any MDS codes, for example,
259: from Reed-Solomon code \cite{ms}.
260:
261: In a message transmission protocol, the sender $A$
262: starts with a message $M^A$ drawn from a message
263: space ${\cal M}$ with respect to a certain probability
264: distribution. At the end of the protocol, the receiver
265: $B$ outputs a message $M^B$. We consider a synchronous
266: system in which messages are sent via multicast in rounds.
267: During each round of the protocol, each node
268: receives any messages that were multicast for it
269: at the end of the previous round, flips
270: coins and perform local computations, and then
271: possibly multicasts a message. We will also
272: assume that the message space ${\cal M}$ is a
273: subset of a finite field {\bf F}.
274:
275: We consider two kinds of adversaries.
276: A passive adversary (or gossiper adversary)
277: is an adversary who can only observe the
278: traffic through $k$ internal nodes.
279: An active adversary (or Byzantine adversary)
280: is an adversary with unlimited computational
281: power who can control $k$ internal nodes.
282: That is, an active adversary will not only
283: listen to the traffics through the controlled
284: nodes, but also control the message sent by
285: those controlled nodes.
286: Both kinds of adversaries are assumed to know
287: the complete protocol specification, message
288: space, and the complete structure of the
289: graph. In this paper, we will not consider a dynamic
290: adversary who could change the nodes it controls
291: from round to round, instead we will only consider
292: static adversaries. That is,
293: at the start of the protocol, the
294: adversary chooses the $k$ faulty nodes.
295: An alternative interpretation is that $k$ nodes are static
296: collaborating adversaries.
297:
298: For any execution of the protocol, let $adv$ be the
299: adversary's view of the entire protocol. We write
300: $adv(M,r)$ to denote the adversary's view when
301: $M^A=M$ and when the sequence of coin flips used
302: by the adversary is $r$.
303: %
304: \begin{definition}
305: \label{poeitr}
306: (see Franklin and Wright \cite{fw})
307: \begin{enumerate}
308: \item Let $\delta < \frac{1}{2}$. A message transmission protocol is
309: $\delta$-{\rm reliable} if, with probability at least $1-\delta$, $B$
310: terminates
311: with $M^B=M^A$. The probability is over the choices of
312: $M^A$ and the coin flips of all nodes.
313: \item A message transmission protocol is {\rm reliable}
314: if it is $0$-{\rm reliable}.
315: \item A message transmission protocol is $\varepsilon$-{\rm private}
316: if, for every two messages $M_0,M_1$ and every $r$,
317: $\sum_c|\Pr[adv(M_0,r)=c]-\Pr[adv(M_1,r)=c]|\le 2\varepsilon.$
318: The probabilities are taken over the coin flips of the
319: honest parties, and the sum is over all possible values
320: of the adversary's view.
321: \item A message transmission protocol is {\rm perfectly private}
322: if it is $0$-{\rm private}.
323: \item A message transmission protocol is {\rm $(\varepsilon,\delta)$-secure}
324: if it is $\varepsilon$-private and $\delta$-reliable.
325: \item An $(\varepsilon,\delta)$-secure message transmission protocol is
326: {\rm efficient} if its round complexity and bit complexity
327: are polynomial in the size of the network, $\log\frac{1}{\varepsilon}$
328: (if $\varepsilon>0$) and $\log\frac{1}{\delta}$
329: (if $\delta>0$).
330: \end{enumerate}
331: \end{definition}
332: %
333: For two nodes $A$ and $B$ in a directed graph such that there are
334: $2k+1$ node disjoint paths from $A$ to $B$, there is a straightforward
335: reliable message transmission from $A$ to $B$ against a $k$-active
336: adversary:
337: $A$ sends the message $m$ to $B$ via all the $2k+1$ paths, and $B$ recovers
338: the message $m$ by a majority vote.
339: %
340: %
341: %
342: \section{$(0,\delta)$-Secure message transmission in directed graphs}
343: \label{digraphsecd}
344: %
345: Our discussion in this section will be concentrated on directed
346: graphs. Dolev, Dwork, Waarts, and Yung \cite{ddwy} addressed the problem
347: of secure message transmissions in a point-to-point
348: network. In particular, they showed that if all channels from
349: $A$ to $B$ are one-way, then $(3k+1)$-connectivity is necessary
350: and sufficient for (0,0)-secure message transmissions from
351: $A$ to $B$ against
352: a $k$-active adversary. They also showed that if all channels between $A$
353: and $B$ are two-way, then $(2k+1)$-connectivity is necessary
354: and sufficient for (0,0)-secure message transmissions between
355: $A$ and $B$ against a $k$-active adversary.
356: In this section we assume that there are only
357: $2k+1-u$ directed node disjoint paths from $A$ to $B$,
358: where $1\leq u\leq k$. We show that $u$ directed node disjoint paths
359: from $B$ to $A$ are necessary and sufficient to achieve
360: $(0,\delta)$-secure message transmissions from $A$ to $B$ against
361: a $k$-active adversary.
362:
363: Franklin and Wright \cite{fw} showed that even if all channels
364: between $A$ and $B$ are two way, $2k+1$ channels between $A$ and $B$
365: are still necessary for $(1-\delta)$-reliable (assuming
366: that $\delta< \frac{1}{2}\left(1-\frac{1}{|{\bf F}|}\right)$)
367: message transmission from $A$ to $B$ against a $k$-active adversary.
368:
369: \begin{theorem}
370: \label{necessary-minimum}
371: (Frandlin and Wright \cite{fw})
372: Let $G(V,E)$ be a directed graph, $A,B\in V$, and there are only
373: $2k$ two-way node disjoint paths between $A$ and $B$ in $G$.
374: Then $\delta$-reliable message transmission
375: from $A$ to $B$ against a $k$-active adversary is impossible
376: for $\delta< \frac{1}{2}\left(1-\frac{1}{{|\bf F}|}\right)$.
377: \end{theorem}
378:
379: In the following, we first show that if there is no directed path
380: from $B$ to $A$, then $2k+1$ directed paths from
381: $A$ to $B$ is necessary and sufficient for $(0,\delta)$-secure message transmission
382: from $A$ to $B$.
383: %
384: \begin{theorem}
385: \label{fwsuf}
386: Let $G(V,E)$ be a directed graph, $A,B\in V$, and $0<\delta <\frac{1}{2}$.
387: If there is no directed paths from $B$ to $A$, then
388: the necessary and sufficient condition for $(0,\delta)$-secure
389: message transmission from $A$ to $B$ against a $k$-active adversary
390: is that there are $2k+1$ directed node disjoint paths from $A$ to $B$.
391: \end{theorem}
392: \begin{proof}
393: The necessity is proved in Theorem \ref{necessary-minimum}.
394: Let $p_1,\allowbreak \ldots,\allowbreak p_{2k+1}$ be
395: the $2k+1$ directed node disjoint paths
396: from $A$ to $B$. Let $M^A\in {\bf F}$ be the secret that $A$ wants to
397: send to $B$. $A$ constructs $(k+1)$-out-of-$(2k+1)$ secret shares
398: $(s_1^A, \ldots, s_{2k+1}^A)$ of $M^A$. The protocol proceeds from round
399: $1$ through round $2k+1$. In each round $1\le i\le 2k+1$,
400: we have the following steps:
401: \begin{algorithm}{9}
402: \item $A$ chooses
403: $\{(a_{i,j}^A, b_{i,j}^A)\in_R{\bf F}^2: 1\le j\le 2k+1\}$.
404: \item $A$ sends $(s_i^A, \auth(s_i^A;a_{i,1}^A,b_{i,1}^A), \ldots,
405: \auth(s_i^A;a_{i,2k+1}^A,b_{i, 2k+1}^A))$
406: to $B$ via path $p_i$, and sends $(a^A_{i,j}, b_{i,j}^A)$
407: to $B$ via path $p_j$ for each $1\le j\le 2k+1$.
408: \item $B$ receives $(s^B_i, c^B_{i,1}, \ldots, c^B_{i,2k+1})$ via path
409: $p_i$, and receives $(a_{i,j}^B, b_{i,j}^B)$ via path $p_j$ for each
410: $1\le j\le 2k+1$.
411: \item $B$ computes $t=|\{j: c_{i,j}^B=\auth(s_i^B; a_{i,j}^B, b_{i,j}^B)\}|$.
412: If $t\geq k+1$, then $B$ decides that $s_i^B$ is a valid share.
413: Otherwise $B$ discards $s_i^B$.
414: \end{algorithm}
415: It is easy to check that after the round
416: $2k+1$, with high probability, $B$ will get at least $k+1$ valid
417: shares of $s^A$. Thus, with high probability, $B$ will recover the secret
418: $M^B=M^A$. It is straightforward that the protocol achieves perfect privacy.
419: Thus the above protocol is a $(0,\delta)$-secure message
420: transmission protocol from $A$ to $B$ against a $k$-active adversary.
421: \hfill{Q.E.D.}\end{proof}
422: %
423: By Theorem \ref{necessary-minimum}, the necessary condition for
424: $(0,\delta)$-secure message transmission
425: from $A$ to $B$ against a $k$-active adversary is that there are at least
426: $k+1$ node disjoint paths from $A$ to $B$ and there are at least
427: $2k+1$ node disjoint paths in total from $A$ to $B$ and from $B$ to $A$.
428: In the following, we show that this condition is also sufficient.
429: We first show that the condition is sufficient
430: for $k=1$.
431: %
432: \begin{theorem}
433: \label{forkis1}
434: Let $G(V,E)$ be a directed graph, $A,B\in V$. If there are
435: two directed node disjoint paths $p_0$ and $p_1$ from $A$ to $B$,
436: and one directed path $q$ (which is node disjoint from
437: $p_0$ and $p_1$) from $B$ to $A$, then for any $0<\delta<\frac{1}{2}$,
438: there is a $(0,\delta)$-secure message transmission protocol from $A$
439: to $B$ against a 1-active adversary.
440: \end{theorem}
441: \begin{proof}
442: In the following protocol, $A$ $(0,\delta)$-securely transmits
443: a message $M^A\in{\bf F}$ to $B$.
444: \begin{algorithm}{9}
445: \item $A$ chooses $s_0^A\in_R{\bf F}$, $(a_0^A,b_0^A),
446: (a_1^A,b_1^A)\in_R{\bf F}^2$, and
447: let $s_1^A=M^A-s_0^A$. For each $i\in\{0,1\}$, $A$ sends
448: $(s_i^A, (a_i^A,b_i^A),
449: \auth(s_{i}^A;a_{1-i}^A,b_{1-i}^A))$
450: to $B$ via path $p_i$.
451: \item Assumes that $B$ receives $(s_i^B, (a_i^B,b_i^B), c^B_i)$ via path
452: $p_i$. $B$ checks whether
453: $c^B_i= \auth(s_{i}^B;a_{1-i}^B,b_{1-i}^B)$ for $i=0,1$.
454: If both equations hold, then $B$ knows that
455: with high probability the adversary was either passive or not on the
456: paths from $A$ to $B$. $B$ can recover the secret message,
457: sends ``OK'' to $A$ via the path $q$, and terminates the protocol.
458: Otherwise, one of equations does not hold and $B$ knows that the adversary
459: was on one of the paths from $A$ to $B$. In this case, $B$ chooses
460: $(a^B,b^B)\in_R{\bf F}^2$, and sends
461: $((a^B,b^B), (s_0^B, (a_0^B,b_0^B), c^B_0), (s_1^B, (a_1^B,b_1^B), c^B_1))$
462: to $A$ via the path $q$.
463: \item If $A$ receives ``OK'', then $A$ terminates the protocol.
464: Otherwise, from the information $A$ received via path $q$, $A$ decides
465: which path from $A$ to $B$ is corrupted and recovers $B$'s authentication
466: key $(a^A,b^A)$. $A$ sends $(M^A, \auth(M^A; a^A,b^A))$
467: to $B$ via the uncorrupted path from $A$ to $B$.
468: \item $B$ recovers the message and checks that the authenticator
469: is correct.
470: \end{algorithm}
471: Similarly as in the proof of Theorem \ref{fwsuf}, it can be shown that the
472: above protocol is $(0,\delta)$-secure against a $1$-active adversary.
473: \hfill{Q.E.D.}\end{proof}
474:
475: \begin{theorem}
476: \label{probsufficient}
477: Let $G(V,E)$ be a directed graph, $A,B\in V$, and $k\ge u\ge 1$. If there are
478: $2k+1-u$ directed node disjoint paths $p_1$, $\ldots$, $p_{2k+1-u}$
479: from $A$ to $B$, and $u$ directed node disjoint
480: paths $q_1$, $\ldots$, $q_u$
481: ($q_1$, $\ldots$, $q_u$ are node disjoint from
482: $p_1$, $\ldots$, $p_{2k+1-u}$) from $B$ to $A$,
483: then for any $0<\delta<\frac{1}{2}$, there is an efficient
484: $(0,\delta)$-secure message transmission protocol from $A$ to $B$
485: against a $k$-active adversary.
486: \end{theorem}
487:
488: Before we give an efficient $(0,\delta)$-secure
489: message transmission protocol from $A$ to $B$. We first demonstrate the
490: underlying idea by giving a non-efficient (exponential in $k$)
491: $(0,\delta)$-secure
492: message transmission protocol from $A$ to $B$ against a $k$-active adversary.
493: Let $M^A\in {\bf F}$ be
494: the secret that $A$ wants to send to $B$, and ${\cal P}_1, \ldots,
495: {\cal P}_t$ be an enumeration of size $k+1$
496: subsets of $\{p_1,\ldots, p_{2k+1-u}, q_1,\ldots, q_u\}$. The
497: protocol proceeds from round $1$ through $t$. In each round $1\le m\le t$,
498: we have the following steps:
499: \begin{algorithm}{9}
500: \item For each $p_i\in {\cal P}_m$, $A$ chooses
501: $(a^A_{i,m}, b^A_{i,m})\in_R{\bf F}^2$ and sends
502: $(a^A_{i,m}, b^A_{i,m})$ to $B$ via $p_i$.
503: \item For each $p_i\in {\cal P}_m$, $B$ receives
504: $(a^B_{i,m}, b^B_{i,m})$ from $A$ via $p_i$.
505: \item For each $q_i\in {\cal P}_m$, $B$ chooses
506: $(c^B_{i,m}, d^B_{i,m})\in_R{\bf F}^2$ and sends
507: $(c^B_{i,m}, d^B_{i,m})$ to $A$ via $q_i$.
508: \item For each $q_i\in {\cal P}_m$, $A$ receives
509: $(c^A_{i,m}, d^A_{i,m})$ from $B$ via $q_i$.
510: \item $A$ computes $C^A=\sum_{p_i\in{\cal P}_m}a^A_{i,m}+
511: \sum_{q_i\in{\cal P}_m}c^A_{i,m}$,
512: $D^A=\sum_{p_i\in{\cal P}_m}b^A_{i,m}+
513: \sum_{q_i\in{\cal P}_m}d^A_{i,m}$,
514: and sends $(M^A+C^A, \auth(M^A+C^A; C^A,D^A))$ to $B$ via all paths
515: in $p_i$ in ${\cal P}_m$.
516: \item For each $p_i\in {\cal P}_m$,
517: $B$ receives $(e^B_{i,m},f^B_{i,m})$ from $A$ via $p_i$.
518: \item If $(e^B_{i,m},f^B_{i,m})=(e^B_{j,m},f^B_{j,m})$ for all
519: $p_i, p_j\in {\cal P}_m$, then $B$ goes to Step \ref{expnn1}. Otherwise,
520: $B$ goes to round $m+1$.
521: \item\label{expnn1} $B$ computes $C^B=\sum_{p_i\in{\cal P}_m}a^B_{i,m}+
522: \sum_{q_i\in{\cal P}_m}c^B_{i,m}$,
523: $D^B=\sum_{p_i\in{\cal P}_m}b^B_{i,m}+
524: \sum_{q_i\in{\cal P}_m}d^B_{i,m}$.
525: \item If $f^B_{i,m}=\auth(f^B_{i,m}; C^B,D^B)$, then $B$ computes the
526: secret $M^B=f^B_{i,m}-C^B$ and terminates the protocol. Otherwise,
527: $B$ goes to round $m+1$.
528: \end{algorithm}
529: Since there is at least one ${\cal P}_m$ such that all paths
530: in ${\cal P}_m$ are not corrupted, $B$ receives the correct
531: secret by the end of the protocol with high probability.
532: It is also straightforward to check that
533: the above protocol has perfect secrecy.
534:
535:
536: \begin{proof} (Proof of Theorem \ref{probsufficient})
537: Let $M^A\in {\bf F}$ be the secret that $A$ wants to
538: send to $B$. $A$ constructs $(k+1)$-out-of-$(2k+1-u)$ secret shares
539: $(s_1^A, \ldots, s_{2k+1-u}^A)$ of $M^A$. The protocol proceeds
540: from round $1$ through $2k+2+u$. For each round $1\le i\le 2k+1-u$,
541: we have the following steps:
542: \begin{algorithm}{9}
543: \item $A$ chooses $\{(a_{i,j}^A, b_{i,j}^A)\in_R{\bf F}^2$,
544: $: 1\le j\le 2k+1-u\}$.
545: \item $A$ sends $\{s_i^A,
546: \auth(s_i^A; a_{i,1}^A,b_{i,1}^A)$,
547: $\ldots$,
548: $\auth(s_i^A; a_{i,2k+1-u}^A,b_{i,2k+1-u}^A)\}$
549: to $B$ via path $p_i$, and sends $(a^A_{i,j}, b_{i,j}^A)$
550: to $B$ via path $p_j$ for each $1\le j\le 2k+1-u$.
551: \item $B$ receives $\{s^B_i,
552: d^B_{i,1}, \ldots, d^B_{i,2k+1-u}\}$ via path $p_i$, and
553: $(a_{i,j}^B, b_{i,j}^B)$ via path $p_j$ for each
554: $1\le j\le 2k+1-u$.
555: \item $B$ computes $t=|\{j: d_{i,j}^B=\auth(s_i^B;
556: a_{i,j}^B, b_{i,j}^B)\}|$.
557: If $t\geq k+1$, then $B$ decides that $s_i^B$ is a valid share.
558: Otherwise $B$ decides that $s_i^B$ is an invalid share.
559: \end{algorithm}
560: At the end of round $2k+1-u$, if $B$ has received $k+1$ valid shares,
561: then $B$ recovers the secret $M^B$ from these valid shares
562: and terminates the protocol. Otherwise, $B$ proceeds to
563: round $2k+2-u$. In round $2k+2-u$, we have the following steps:
564: \begin{algorithm}{9}
565: \item $A$ chooses $\{(a_i^A, b_i^A,c_i^A)\in_R{\bf F}^3$
566: $: 1\le i\le 2k+1-u\}$, and sends $(a_i^A, b_i^A,c_i^A)$ to $B$ via path
567: $p_i$ for each $i\le 2k+1-u$.
568: \item For each $1\le i\le 2k+1-u$,
569: $B$ receives $(a_i^B, b_i^B,c_i^B)$ on path $p_i$ from $A$ (if no value
570: is received on path $p_i$, $B$ sets it to a default value).
571: \item For each $1\le i\le 2k+1-u$, $B$ chooses $r_i^B\in_R{\bf F}$ and
572: computes $\beta^B=\{(r_i^B, \auth(r_i^B; a_i^B, b_i^B,c_i^B)):
573: 1\le i\le 2k+1-u\}$.
574: \end{algorithm}
575: In each round $2k+3-u\le i\le 2k+2$, we have the following steps:
576: \begin{algorithm}{9}
577: \item $B$ chooses $(d_i^B, e_i^B)\in_R{\bf F}^2$ and
578: $\{(v_{i,j}^B, w_{i,j}^B)\in_R{\bf F}^2: 1\le j\le u\}$.
579: \item $B$ sends $(d_i^B, e_i^B)$, $\beta^B$,
580: and $\{\auth(\langle d_i^B, e_i^B\rangle; v_{i,j}^B, w_{i,j}^B)$
581: $: 1\le j\le u\}$ to $A$ via path $q_i$, and $(v_{i,j}^B, w_{i,j}^B)$
582: to $A$ via path $q_j$ for each $1\le j\le u$.
583: \item $A$ receives (or substitutes default values)
584: $(d_i^A, e_i^A)$, $\beta_i^A$,
585: and $\{\alpha^A_{i,j}: 1\le j\le u\}$ from $B$ via path $q_i$,
586: and $(v_{i,j}^A, w_{i,j}^A)$
587: from $B$ via path $q_j$ for each $1\le j\le u$.
588: \end{algorithm}
589: According to the values that $A$ has received,
590: $A$ divides the paths set $\{q_1,\ldots, q_u\}$
591: into subsets ${\cal Q}_1, \ldots, {\cal Q}_t$ such that for any
592: $l,m,n$ with $1\le l\le t$, $1\le m,n\le u$, and $q_m,q_n\in {\cal Q}_l$,
593: we have
594: \begin{enumerate}
595: \item $\beta^A_m=\beta^A_n$;
596: \item $\alpha^A_{m,n}=
597: \auth(\langle d_m^B, e_m^B\rangle; v_{m,n}^B, w_{m,n}^B)$;
598: \item $\alpha^A_{n,m}=
599: \auth(\langle d_n^B, e_n^B\rangle; v_{n,m}^B, w_{n,m}^B)$.
600: \end{enumerate}
601: For each ${\cal Q}_l$, let $q_m\in {\cal Q}_l$ and
602: $\beta^A_m=\{(r_{i,l}^A,\gamma^A_{i,l}): 1\le i\le 2k+1-u\}$.
603: $A$ computes the number
604: $$t_l=|\{i: \gamma^A_{i,l}=\auth(r_{i,l}^A; a^A_i,b^A_i,c^A_i),
605: 1\le i\le 2k+1-u\}|+|{\cal Q}_l|$$
606: If $t_l\le k$, then $A$ decides that ${\cal Q}_l$
607: is an unacceptable set, otherwise, $A$ decides that ${\cal Q}_l$
608: is an acceptable set. Let ${\cal Q}_l=\emptyset$ for $t<l\le u$.
609:
610: For each round $2k+3\le l\le 2k+2+u$, we have the following steps:
611: \begin{algorithm}{9}
612: \item If ${\cal Q}_l=\emptyset$ or ${\cal Q}_l$ is an unacceptable set,
613: then go to round $l+1$.
614: \item $A$ computes ${\cal P}_l=\{p_i:
615: \gamma^A_{i,l}=\auth(r_{i,l}^A; a^A_i,b^A_i,c^A_i), 1\le i\le 2k+1-u\}$,
616: $C_l^A=\sum_{p_i\in {\cal P}_l}a^A_i+\sum_{q_i\in{\cal Q}_l}d^A_i$, and
617: $D_l^A=\sum_{p_i\in {\cal P}_l}b^A_i+\sum_{q_i\in{\cal Q}_l}e^A_i$.
618: \item $A$ sends $(\langle {\cal Q}_l, {\cal P}_l, M^A+C_l^A\rangle,
619: \auth(\langle {\cal Q}_l, {\cal P}_l, M^A+C_l^A\rangle;
620: C_l^A,D_l^A))$ to $B$ via all
621: paths $p_i\in{\cal P}_l$.
622: \item $B$ receives $(\alpha^B_{i,l}, \beta^B_{i,l})$ from path $p_i$ for
623: $1\le i\le 2k+1-u$.
624: \item For each $1\le i\le 2k+1-u$, $B$ computes
625: $\alpha^B_{i,l}=\langle {\cal Q}^B_{i,l}, {\cal P}^B_{i,l},
626: \beta^B_{i,l}\rangle$,
627: $C_{i,l}^B=\sum_{p_j\in {\cal P}_{i,l}}a^B_j+
628: \sum_{q_j\in{\cal Q}_{i,l}}d^B_j$, and
629: $D_{i,l}^B=\sum_{p_j\in {\cal P}_{i,l}}b^B_j+
630: \sum_{q_j\in{\cal Q}_{i,l}}e^B_j$.
631: \item For each $1\le i\le 2k+1-u$, $B$ checks whether
632: $\beta^B_{i,l}=\auth(\alpha^B_{i,l}; C_{i,l}^B, D_{i,l}^B)$.
633: If the equation holds, then $B$ computes the secret
634: $M^B=\beta^B_{i,l}-C_{i,l}^B$.
635: \end{algorithm}
636: If $B$ has not got the secret at the end of round $2k+1-u$, then
637: there exists an uncorrupted path $q_j$ from $B$ to $A$ and
638: a paths set ${\cal Q}_l$ such that $q_j\in {\cal Q}_l$ and the information
639: that $A$ receives from paths in ${\cal Q}_l$ are reliable.
640: Thus, at the end of round $2k+2+u$, $B$ will output a secret $M^B$.
641: It is easy to check that, with high probability,
642: this secret is the same as $M^A$.
643:
644: It is straightforward to show that the protocol achieves perfect
645: privacy. Thus it is a $(0,\delta)$-secure message transmission
646: transmission protocol from $A$ to $B$ against a $k$-active adversary.
647: \hfill{Q.E.D.}\end{proof}
648:
649: %
650: \section{$(0,0)$-Secure message transmission in directed graphs}
651: \label{digraphsec}
652: %
653: In the previous section, we addressed probabilistic reliable
654: message transmission in directed graphs. In this section, we consider
655: perfectly reliable message transmission in directed graphs.
656: We will show that if there are $u$
657: directed node disjoint paths from $B$ to $A$,
658: then a necessary and sufficient condition for $(0,0)$-secure
659: message transmission from $A$ to $B$ against a $k$-active adversary
660: is that there are $\max\{3k+1-2u, 2k+1\}$
661: directed node disjoint paths from $A$ to $B$.
662:
663: \begin{theorem}
664: \label{00necessary}
665: Let $G(V,E)$ be a directed graph, $A,B\in V$.
666: Assume that there are $u$ directed node disjoint paths from
667: $B$ to $A$. Then a necessary condition for $(0,0)$-secure
668: message transmission from $A$ to $B$ against a $k$-active adversary
669: is that there are $\max\{3k+1-2u, 2k+1\}$
670: directed node disjoint paths from $A$ to $B$.
671: \end{theorem}
672: \begin{proof}
673: If $u=0$, then by the results in \cite{ddwy}, we need $3k+1$ directed node
674: disjoint paths from $A$ to $B$ for $(0,0)$-secure message transmission
675: against a $k$-active adversary.
676: If $u\ge\lceil\frac{k}{2}\rceil$, then again by the results
677: in \cite{ddwy}, we need $2k+1$
678: directed node disjoint paths from $A$ to $B$ for $0$-reliable (that is,
679: perfectly reliable) message transmission from $A$ to $B$
680: against a $k$-active adversary.
681: From now on, we assume that $0<u< \lceil\frac{k}{2}\rceil$.
682:
683: For a contradiction,
684: we assume that there are only $3k-2u$
685: directed node disjoint paths from $A$ to $B$,
686: denoted as $p_1,\ldots, p_{3k-2u}$. Let $q_1,\ldots, q_u$ be the directed
687: node disjoint paths from $B$ to $A$.
688:
689: Let $\Pi$ be a $(0,0)$-secure message transmission protocol
690: from $A$ to $B$. In the following, we will construct a $k$-active
691: adversary to defeat this protocol. The transcripts
692: distribution $view^A_\Pi$ of $A$ is drawn from a probability distribution that
693: depends on the message $M^A$ to be transmitted by $A$,
694: the coin flips $R^A$ of $A$,
695: the coin flips $R^B$ of $B$, the coin flips $R^{\cal A}$ of the adversary
696: (without loss of generality, we assume that the value $R^{\cal A}$ will
697: determine the choice of faulty paths controlled by the adversary),
698: and the coin flips $R^{\cal T}$ of
699: all other honest nodes. Without loss of generality, we can
700: assume that the protocol
701: proceeds in steps, where $A$ is silent during even steps and $B$ is silent
702: during odd steps (see \cite{ddwy}).
703:
704: The strategy of the adversary is as follows.
705: First it uses $R^{\cal A}$ to choose a value $b$. If $b=0$,
706: then it uses $R^{\cal A}$ again to choose $k$ directed paths
707: $p_{a_1}, \ldots, p_{a_k}$ from $A$ to $B$ and controls the first node on each
708: of these $k$ paths. If $b=1$, then it uses $R^{\cal A}$ again to choose $k-u$
709: directed paths $p_{a_1}, \ldots, p_{a_{k-u}}$ from $A$ to $B$
710: and controls the first node on each of these $k-u$ paths
711: and the first node on each of the $u$ paths from $B$ to $A$.
712: It also uses $R^{\cal A}$ to choose a message $\hat{M}^A\in {\bf F}$
713: according to the same probability distribution from which the actual message
714: $M^A$ was drawn. In the following we describe the protocol the adversary
715: will follow.
716: \begin{itemize}
717: \item Case $b=0$. The $k$ paths $p_{a_1}, \ldots, p_{a_k}$
718: behaves as a passive adversary. That is, it proceeds according to the
719: protocol $\Pi$.
720: \item Case $b=1$. The $k-u$ paths $p_{a_1}, \ldots, p_{a_{k-u}}$
721: ignores what $A$ sends in
722: each step of the protocol and simulates what $A$ would send to $B$ when
723: $A$ sending $\hat{M}^A$ to $B$. The $u$ paths from $B$ ignores
724: what $B$ sends in each step
725: of the protocol and simulates what $B$ would send to $A$ when $b=0$.
726: \end{itemize}
727: In the following, we assume that the tuple
728: $(M^A, R^A,R^B, R^{\cal T}, R^{\cal A})$ is fixed, $b=0$,
729: the protocol halts in $l$ steps, and the view of $A$ is
730: $view_\Pi^A(M^A, R^A,R^B, R^{\cal T}, R^{\cal A})$. Let
731: $\alpha^A_{i,j}$ be the values that $A$ sends on path $p_i$
732: in step $j$ and $\vec{\alpha}^A_i =(\alpha^A_{i,1}, \ldots, \alpha^A_{i,l})$.
733: We can view $\vec{\alpha}^A_i$ as shares of the message $M^A$.
734: Similarly, let $\alpha^B_{i,j}$ be the values that $B$ receives on path $p_i$
735: in step $j$ and $\vec{\alpha}^B_i =(\alpha^B_{i,1}, \ldots, \alpha^B_{i,l})$.
736:
737: First, it is straightforward to show that for any $k$ paths
738: $p_{a_1}, \ldots, p_{a_k}$ from $A$ to $B$,
739: there is an $\hat{R}^{\cal A}_1$ such that $b=0$,
740: the adversary controls the paths $p_{a_1}, \ldots, p_{a_k}$, and
741: \begin{equation}
742: \label{indis00}view_\Pi^A(M^A, R^A,R^B, R^{\cal T}, R^{\cal A})=
743: view_\Pi^A(M^A, R^A,R^B, R^{\cal T}, \hat{R}^{\cal A}_1)
744: \end{equation}
745: Due to the fact that $\Pi$ is a perfectly private message
746: transmission protocol, from any $k$ shares from
747: $(\vec{\alpha}^A_1, \vec{\alpha}^A_2,\ldots, \vec{\alpha}^A_{3k-2u})$ one
748: cannot recover the secret message $M^A$. Thus
749: $(\vec{\alpha}^A_1, \vec{\alpha}^A_2,\ldots, \vec{\alpha}^A_{3k-2u})$
750: is at least a $(k+1)$-out-of-$(3k-2u)$ secret sharing scheme.
751:
752: Secondly, for any $k-u$ paths
753: $p_{a_1}, \ldots, p_{a_{k-u}}$ from $A$ to $B$,
754: there is an $\hat{R}^{\cal A}_2$ such that $b=1$, $\hat{M}^A\not=M^A$,
755: the adversary controls the paths
756: $p_{a_1}, \ldots, p_{a_{k-u}}, q_1,\ldots, q_u$, and
757: \begin{equation}
758: \label{indis01}view_\Pi^A(M^A, R^A,R^B, R^{\cal T}, R^{\cal A})=
759: view_\Pi^A(M^A, R^A,R^B, R^{\cal T}, \hat{R}^{\cal A}_2)
760: \end{equation}
761: Due to the fact that $\Pi$ is a perfectly reliable message
762: transmission protocol, any $k-u$ errors in the shares
763: $(\vec{\alpha}^B_1, \vec{\alpha}^B_2,\ldots, \vec{\alpha}^B_{3k-2u})$
764: can be corrected by $B$ to recover the secret message $M^A$.
765:
766: In summary,
767: $(\vec{\alpha}^A_1, \vec{\alpha}^A_2,\ldots, \vec{\alpha}^A_{3k-2u})$
768: is at least a $(k+1)$-out-of-$(3k-2u)$ secret sharing scheme
769: that can correct $k-u$ errors.
770: By the results in \cite{MacWilliamsSloane78}, we know that the maximum
771: number of errors that a $(k+1)$-out-of-$(3k-2u)$ secret sharing scheme
772: could correct is
773: $$\left\lfloor\frac{(3k-2u)-k-1}{2}\right\rfloor =
774: \left\lfloor\frac{2k-2u-1}{2}\right\rfloor=k-u-1.$$
775: This is a contradiction, which concludes the proof.
776: \hfill{Q.E.D.}\end{proof}
777:
778: For the sufficient condition, we first show the simple case for $u=1$.
779: \begin{theorem}
780: \label{perfectu1}
781: Let $G(V,E)$ be a directed graph, $A,B\in V$, and $k\ge 2$.
782: If there are $3k-1$ directed node disjoint paths $p_1,\ldots, p_{3k-1}$ from
783: $A$ to $B$ and one directed path $q$ from $B$ to $A$ ($q$ is node
784: disjoint from $p_1,\ldots, p_{3k-1}$) then there is a
785: $(0,0)$-secure message transmission
786: protocol from $A$ to $B$ against a $k$-active adversary.
787: \end{theorem}
788: \begin{proof}
789: In the following protocol $\pi$, $A$ $(0,0)$-securely
790: transmits $M^A\in_R{\bf F}$ to $B$:
791: \begin{algorithm}{9}
792: \item Both $A$ and $B$ sets $I=1$.
793: \item\label{u11} $A$ constructs $(k+1)$-out-of-$(3k-1)$ MDS secret
794: shares $(s^A_{1,I}, ..., s^A_{3k-1,I})$
795: of $M^A$. For each $1\le i\le 3k-1$, $A$ sends $s^A_{i,I}$ to $B$ via the
796: path $p_i$.
797: \item\label{bsends} For each $i\le 3k-1$, $B$ receives $s^B_{i,I}$
798: on path $p_i$. By correcting at most $k-1$ errors, $B$ recovers a value
799: $\hat{M}_I^B$ from these shares. $B$ sends $s^B_{I,I}$ to $A$ via the path $q$.
800: \item\label{areceives} $A$ receives $\bar{s}_{I,I}^A$ from $q$.
801: $A$ distinguishes the following two cases:
802: \begin{enumerate}
803: \item $\bar{s}^A_{I,I}=s^A_{I,I}$. $A$ reliably sends ``path $p_I$ maybe OK'',
804: sets $I=I+1$. If $I>3k-1$ then goes to Step \ref{00final}, otherwise,
805: goes to Step \ref{u11}.
806: \item $\bar{s}^A_{I,I}\not=s^A_{I,I}$. $A$ reliably sends
807: ``path $p_I$ or $q$ is faulty''. $A$ constructs $k$-out-of-$(3k-2)$ MDS secret
808: shares $\{r^A_{i,I}: i\not= I, 1\le i\le 3k-1\}$
809: of $M^A$. For each $i\le 3k-1$ such that $i\not=I$,
810: $A$ sends $r^A_{i,I}$ to $B$ via the path $p_i$. $A$ terminates the protocol.
811: \end{enumerate}
812: \item\label{brecovers} $B$ distinguishes the following two cases:
813: \begin{enumerate}
814: \item $B$ reliably receives ``path $p_I$ maybe OK''.
815: $B$ sets $I=I+1$. If $I>3k-1$ then goes to Step \ref{00final}, otherwise,
816: goes to Step \ref{u11}.
817: \item $B$ reliably receives ``path $p_I$ or $q$ is faulty''.
818: In this case, $B$ also receives $r^B_{i,I}$ from path $p_i$ for each
819: $i\not=I$. By correcting at most $k-1$ errors,
820: $B$ recovers $M^B$ from these shares and terminates the protocol.
821: \end{enumerate}
822: \item\label{00final} $B$ checks whether $\hat{M}^B_i=\hat{M}^B_j$
823: for all $1\le i,j \le 3k-1$. If all these values are equal,
824: then $B$ sets $M^B=\hat{M}^B_1$, sends ``stop'' to $A$ via $q$,
825: and terminates the protocol. Otherwise, $B$ sends the shares
826: $(s^B_{1,3k-1}, ..., s^B_{3k-1,3k-1})$ to $A$ via $q$.
827: \item $A$ distinguishes the following two cases:
828: \begin{enumerate}
829: \item $A$ receives
830: $(\bar{s}^A_{1,3k-1}, ..., \bar{s}^A_{3k-1,3k-1})$ on the path $q$.
831: $A$ computes ${\cal P}=\{i: \bar{s}^A_{i,3k-1}\not= s^A_{i,3k-1}\}$,
832: reliably sends ${\cal P}$ to $B$, and terminates the protocol.
833: \item $A$ receives anything else. $A$ terminates the protocol.
834: \end{enumerate}
835: \item $B$ reliable receives ${\cal P}$ from $A$, recovers
836: $M^B$ from the shares $\{s^B_{i,3k-1}: i\notin{\cal P}\}$, and
837: terminates the protocol.
838: \end{algorithm}
839: Since there could be $k$ faulty paths from $A$ to $B$, and a
840: $(k+1)$-out-of-$(3k-1)$ MDS secret sharing scheme can
841: correct at most $k-1$ errors and simultaneously detect $k-1$ errors.
842: $B$ may recover an incorrect message $\hat{M}^B_I$ in Step \ref{bsends}.
843: $B$ therefore needs to verify whether it has recovered the correct
844: message in the following steps. Note that if $q$ is faulty, then $B$ must
845: have recovered the correct message in Step \ref{bsends} for each $I$.
846: In Step \ref{bsends}, $B$ also sends $s^B_{I,I}$ to $A$ via
847: the path $q$. This does not violate the perfect privacy property since
848: if there are $k-1$ faulty paths from $A$ to $B$, then the adversary
849: gets at most $k$ shares including this share, and if there are
850: $k$ faulty paths from $A$ to $B$, then the adversary does not
851: control the path $q$ and does not get this share.
852:
853: In Step \ref{areceives}, if $\bar{s}^A_{I,I}=s^A_{I,I}$,
854: then it could be the case that $s^B_{I,I}=s^A_{I,I}$
855: or it could be the case that the path $q$ is faulty. In any case,
856: we have to continue the protocol further. However, if
857: $\bar{s}^A_{I,I}\not=s^A_{I,I}$, then $A$ is convinced that
858: either $p_I$ or $q$ is faulty. Since a
859: $k$-out-of-$(3k-2)$ MDS secret sharing scheme could correct $k-1$ errors
860: and detect $k-1$ errors simultaneously. $B$ will recover the correct message
861: in Step \ref{brecovers}.
862:
863: Now assume that $B$ does not recover the correct message at the end
864: of round $I=3k-1$. We can distinguish the following two cases:
865: \begin{itemize}
866: \item $B$ recovers the same message $\hat{M}^B_I$ in all
867: $3k-1$ rounds. If this happens, $B$ is convinced that
868: this uniquely recovered message is the correct message.
869: Note that this follows from the following two arguments:
870: If the path $q$ is faulty,
871: then obviously $B$ has recovered the same correct message in each round.
872: If the path $q$ is non-faulty and we assume that the path
873: $p_t$ ($1\le t\le 3k-1$) is faulty, then in order for the adversary
874: to avoid being caught by $A$ in round $t$, $p_t$ must behave
875: nicely in round $t$, that is, $s^A_{t,t}=s^B_{t,t}$
876: (otherwise $A$ has identified that
877: $q$ or $p_t$ is faulty in round $t$). Thus there are at most
878: $k-1$ errors in the shares that $B$ received in round $t$ and
879: $B$ recovers the correct message in round $t$.
880: \item $B$ recovers different messages in these $3k-1$ rounds.
881: This happens only if $q$ is honest. Thus, $B$ could send
882: the shares it receives in round $3k-1$ to $A$ via path $q$ and
883: $A$ can tell $B$ which shares are incorrect. Thus $B$ could recover the
884: correct message from these non-faulty shares (there are at least $2k-1$
885: non-faulty shares).
886: \end{itemize}
887: The above arguments show that the protocol $\pi$ is $(0,0)$-secure against
888: a $k$-active adversary.
889: \hfill{Q.E.D.}\end{proof}
890:
891:
892: \begin{theorem}
893: \label{perfectugen}
894: Let $G(V,E)$ be a directed graph, $A,B\in V$, and $k\ge 2$.
895: If there are $n=\max\{3k+1-2u, 2k+1\}$ directed node disjoint paths
896: $p_1,\ldots, p_n$ from
897: $A$ to $B$ and $u$ directed path $q_1,\ldots, q_u$ from
898: $B$ to $A$ ($q_1,\ldots, q_u$ are node disjoint from
899: $p_1,\ldots, p_n$) then there is a
900: $(0,0)$-secure message transmission
901: protocol from $A$ to $B$ against a $k$-active adversary.
902: \end{theorem}
903: \begin{proof}
904: For $u=1$ or $k=2$, the result is proved in Theorem \ref{perfectu1}.
905: We prove the theorem by induction. Assume that $u>1$, $k>2$, and
906: the theorem holds for $u-1$ and $k-1$. In the following,
907: we show that the Theorem holds for $u$ and $k$ by induction.
908:
909: Let ${\cal H}=\{h_I: h_I=\langle p_{I_1}, \ldots, p_{I_u}\rangle\}$
910: be the set of all ordered $u$-subsets of
911: $\{p_1,\ldots, p_n\}$. Then $|{\cal H}|=\frac{n!}{(n-u)!}$.
912: In the following protocol $\pi$, $A$ $(0,0)$-securely
913: transmits $M^A\in_R{\bf F}$ to $B$:
914: \begin{algorithm}{19}
915: \item\label{firststepu} Both $A$ and $B$ set $I=1$.
916: \item\label{ggu11} $A$ constructs $(k+1)$-out-of-$n$ MDS secret
917: shares $(s^A_{1,I}, ..., s^A_{n,I})$
918: of $M^A$. For each $i\le n$, $A$ sends $s^A_{i,I}$ to $B$ via the
919: path $p_i$.
920: \item\label{ggbsends} For each $i\le n$,
921: $B$ receives (or sets default) $s^B_{i,I}$ on path $p_i$. By correcting
922: at most $k-u$ errors, $B$ recovers a value $\hat{M}_I^B$ from these shares.
923: For each $i\le u$, $B$ sends $s^B_{I_i,I}$ to $A$ via the path $q_i$.
924: Note that we assume $h_I=\langle p_{I_1}, \ldots, p_{I_u}\rangle$ here.
925: \item\label{ggareceives} For each $i\le u$, $A$ receives
926: (or sets default) $\bar{s}_{I_i,I}^A$
927: from $q_i$.
928: $A$ distinguishes the following two cases:
929: \begin{enumerate}
930: \item $\bar{s}_{I_i,I}^A =s^A_{I_i,I}$ for all $i\le u$.
931: $A$ reliably sends ``paths in $h_I$ maybe OK'',
932: sets $I=I+1$. If $I>|{\cal H}|$ then $A$ goes to Step \ref{Iends},
933: otherwise, goes to Step \ref{ggu11}.
934: \item $\bar{s}_{I_{i_0},I}^A \not=s^A_{I_{i_0},I}$ for some $i_0\le u$.
935: $A$ reliably sends ``path $p_{I_{i_0}}$ or $q_{i_0}$ is faulty''.
936: $A$ goes to the $(0,0)$-secure message transmission protocol
937: against a $(k-1)$-active adversary on the paths
938: $\{p_i: i\not= I_{i_0}\}\cup\{q_i: i\not= i_0\}$
939: to transmit $M^A$ to $B$ (here we use induction).
940: \end{enumerate}
941: \item\label{ggbrecovers} $B$ distinguishes the following two cases:
942: \begin{enumerate}
943: \item $B$ reliably receives ``paths in $h_I$ maybe OK''.
944: $B$ sets $I=I+1$. If $I>|{\cal H}|$ then goes to
945: Step \ref{Iends}, otherwise,
946: goes to Step \ref{ggu11}.
947: \item $B$ reliably receives ``path $p_{I_{i_0}}$ or $q_{i_0}$ is faulty''.
948: In this case, $B$ goes to the $(0,0)$-secure message transmission
949: protocol against a $(k-1)$-active adversary
950: on the paths $\{p_i: i\not= I_{i_0}\}\cup\{q_i: i\not= i_0\}$
951: and receives the message $M^B$.
952: \end{enumerate}
953: \item\label{Iends}
954: $B$ computes
955: whether $\hat{M}^B_i=\hat{M}^B_j$
956: for all $i,j \le |{\cal H}|$. If all these values are equal,
957: then $B$ sets $M^B=\hat{M}^B_1$, sends ``stop'' to $A$ via all
958: paths $q_i$, and terminates the protocol.
959: Otherwise, $B$ goes to Step \ref{00ggfinal}.
960: \item\label{allstop} If $A$ receives ``stop'' on all paths $q_1,\ldots, q_u$,
961: then $A$ terminates the protocol, otherwise, $A$ goes to Step \ref{00ggfinal}.
962: \item\label{00ggfinal} $A$ chooses $R^A_1\in_R{\bf F}$, constructs
963: $(k+1)$-out-of-$n$ MDS secret
964: shares $(s^A_1, \ldots, s^A_n)$ of $R^A_1$, and sends $s^A_i$
965: to $B$ via path $p_i$ for each $i\le n$.
966: \item\label{bdetect1} For each $i\le n$, $B$ receives
967: (or sets default) $s^B_i$ on path $p_i$.
968: $B$ distinguishes the following two cases:
969: \begin{enumerate}
970: \item There are errors in the shares $(s^B_1, \ldots, s^B_n)$.
971: In this case, for each $j\le u$, $B$ sends $(s^B_1, \ldots, s^B_n)$
972: to $A$ via the path $q_j$.
973: Note that a $(k+1)$-out-of-$n$ MDS secret
974: sharing scheme could be used to detect $n-k-1\ge k$ errors.
975: \item There is no error in the shares $(s^B_1, \ldots, s^B_n)$. $B$
976: recovers the value $R_1^B$ from these shares and for each $j\le u$, $B$
977: sends ``OK'' to $A$ via path $q_j$.
978: \end{enumerate}
979: \item\label{Jareceive} For each $j\le u$, $A$ receives (or sets default)
980: $(\bar{s}_{1,j}^A,\ldots, \bar{s}_{n,j}^A)$ from the path
981: $q_j$. $A$ distinguishes the following two cases:
982: \begin{enumerate}
983: \item $\bar{s}_{i_0,j_0}^A \not=s_{i_0}^A$ for some $i_0\le n$ and
984: $j_0\le u$.
985: $A$ reliably sends ``path $p_{i_0}$ or $q_{j_0}$ is faulty'' to $B$.
986: $A$ goes to the $(0,0)$-secure message transmission protocol against
987: a $(k-1)$-active adversary
988: on the paths $\{p_i: i\not= i_0\}\cup\{q_j: j\not= j_0\}$
989: to transmit $M^A$ to $B$ (here we use induction again).
990: \item All other cases. $A$ reliably transmits ``continue the protocol''
991: to $B$ and goes to Step \ref{sendsR2}.
992: \end{enumerate}
993: \item\label{Jbrecovers} $B$ distinguishes the following two cases:
994: \begin{enumerate}
995: \item $B$ reliably receives ``continue the protocol''.
996: $B$ goes to Step \ref{sendsR2}.
997: \item $B$ reliably receives ``path $p_{i_0}$ or $q_{j_0}$ is faulty''.
998: In this case, $B$ goes to the $(0,0)$-secure message transmission
999: protocol against a $(k-1)$-active adversary
1000: on the paths $\{p_i: i\not= i_0\}\cup\{q_j: j\not= j_0\}$
1001: and receives the message $M^B$.
1002: \end{enumerate}
1003: \item\label{sendsR2} $A$ computes $R^A_2=M^A-R^A_1$, constructs
1004: $(k+1)$-out-of-$n$ MDS secret
1005: shares $(s^A_1, \ldots, s^A_n)$ of $R^A_2$, and sends $s^A_i$
1006: to $B$ via path $p_i$ for each $i\le n$.
1007: \item\label{bdetect2} For each $i\le n$, $B$ receives
1008: (or sets default) $s^B_i$ on path $p_i$.
1009: $B$ distinguishes the following two cases:
1010: \begin{enumerate}
1011: \item There are errors in the shares $(s^B_1, \ldots, s^B_n)$.
1012: In this case, for each $j\le u$, $B$ sends $(s^B_1, \ldots, s^B_n)$
1013: to $A$ via the path $q_j$.
1014: \item There is no error in the shares $(s^B_1, \ldots, s^B_n)$. $B$
1015: recovers the value $R_2^B$ from these shares,
1016: computes the secret $M^B=R^B_1+R^B_2$, and for each $j\le u$, $B$
1017: sends ``OK'' to $A$ via path $q_j$. $B$ terminates the protocol.
1018: \end{enumerate}
1019: \item\label{Jareceive2} For each $j\le u$, $A$ receives (or sets default)
1020: $(\bar{s}_{1,j}^A,\ldots, \bar{s}_{u,j}^A)$ from the path
1021: $q_j$. $A$ distinguishes the following two cases:
1022: \begin{enumerate}
1023: \item $\bar{s}_{i_0,j_0}^A \not=s_{i_0}^A$ for some $i_0\le n$ and
1024: $j_0\le u$.
1025: $A$ reliably sends ``path $p_{i_0}$ or $q_{j_0}$ is faulty'' to $B$.
1026: $A$ goes to the $(0,0)$-secure message transmission protocol against
1027: a $(k-1)$-active adversary
1028: on the paths $\{p_i: i\not= i_0\}\cup\{q_j: j\not= j_0\}$
1029: to transmit $M^A$ to $B$.
1030: \item All other cases. $A$ reliably transmits ``the protocol is complete''
1031: to $B$ and terminates the protocol.
1032: \end{enumerate}
1033: \item\label{Jbrecovers2} $B$ distinguishes the following two cases:
1034: \begin{enumerate}
1035: \item $B$ reliably receives ``the protocol is complete''.
1036: $B$ terminates the protocol.
1037: \item $B$ reliably receives ``path $p_{i_0}$ or $q_{j_0}$ is faulty''.
1038: In this case, $B$ goes to the $(0,0)$-secure message transmission
1039: protocol against a $(k-1)$-active adversary
1040: on the paths $\{p_i: i\not= i_0\}\cup\{q_j: j\not= j_0\}$
1041: and receives the message $M^B$.
1042: \end{enumerate}
1043: \end{algorithm}
1044: Since there could be $k$ faulty paths from $A$ to $B$, and a
1045: $(k+1)$-out-of-$n$ MDS secret sharing scheme in Steps \ref{ggu11}
1046: and \ref{ggbsends} can correct at most $k-u$ errors and
1047: simultaneously detect $k-u$ errors.
1048: $B$ may recover an incorrect message $\hat{M}^B_I$ in
1049: Step \ref{ggbsends}.
1050: $B$ therefore needs to verify whether it has recovered the correct
1051: message in the following steps. Note that if all the paths from $B$ to $A$ are
1052: faulty, then $B$ must have recovered the correct message
1053: in Step \ref{ggbsends} for each $I\le |{\cal H}|$.
1054: In Step \ref{ggbsends}, $B$ also sends $s^B_{I_i,I}$ to $A$ via
1055: the path $q_i$. This will not violate the perfect privacy property since
1056: if there are $t$ faulty paths from $B$ to $A$, then the adversary
1057: gets $k-t$ shares from the $A$ to $B$ paths and $t$
1058: shares from the $B$ to $A$ paths. That is,
1059: the adversary gets at most $k$ shares.
1060:
1061: In Step \ref{ggareceives}, if $\bar{s}^A_{I_i,I}=s^A_{I_i,I}$ for all $i\le u$,
1062: then for each $i\le u$, it could be the case that $s^B_{I_i,I}=s^A_{I_i,I}$
1063: or it could be the case that the path $q_i$ is faulty. In any case,
1064: we have to continue the protocol further. However, if
1065: $\bar{s}^A_{I_{i_0},I}\not=s^A_{I_{i_0},I}$ for some $i_0\le u$,
1066: then $A$ is convinced that either $p_{I_{i_0}}$ or $q_{i_0}$ is faulty.
1067: Thus if we delete the two paths $p_{I_{i_0}}$ and $q_{i_0}$, we
1068: have at most $k-1$ unknown faulty paths, $n-1$ paths from $A$ to $B$,
1069: and $u-1$ paths from $B$ to $A$. Since
1070: $$\begin{array}{lll}
1071: \max\{3(k-1)+1 - 2(u-1), 2(k-1)+1\}& = & \max\{3k-2u-4, 2k-1\}\\
1072: & \le & \max\{3k-2u, 2k\}\\
1073: & = &n-1,\end{array}$$
1074: there is (by induction) a $(0,0)$-secure message transmission
1075: protocol from $A$ to $B$ against a $(k-1)$-active adversary on the paths
1076: $\{p_i: i\not= I_{i_0}\}\cup \{q_i: i\not= i_0\}$, $B$ recovers the correct
1077: message $M^B$ in Step \ref{ggbrecovers}.
1078:
1079: Assume that $B$ does not recover the correct message at the beginning
1080: of Step \ref{Iends}. If $B$ recovers the same value $\hat{M}^B_I$
1081: in all the $|{\cal H}|$ rounds between Step \ref{ggu11} and
1082: Step \ref{ggbrecovers}, then $B$ is convinced that
1083: this uniquely recovered value is the correct message.
1084: Note that this follows from the following arguments:
1085: \begin{itemize}
1086: \item All paths $q_1,\ldots, q_u$ from $B$ to $A$ are faulty. In this case
1087: $B$ obviously has recovered the correct message in each round.
1088: \item There is non-faulty path from $B$ to $A$. In this case,
1089: let $t\ge 1$, $q_{i_1}, \ldots, q_{i_t}$ be a list of all non-faulty paths
1090: from $B$ to $A$, $p_{j_1}, \ldots, p_{j_t}$ be faulty,
1091: and $h_I=\langle p_{I_1}, \ldots, p_{I_u}\rangle$ with
1092: $I_{i_1}=j_1, \ldots, I_{i_t}=j_t$. If
1093: $(s^B_{1,I}, ..., s^B_{n,I})$ is the shares that $B$ receives
1094: in Step \ref{ggbsends} of round $I$, then $s^B_{{j_1},I}=s^A_{{j_1},I}$,
1095: $\ldots$, $s^B_{{j_t},I}=s^A_{{j_t},I}$ (otherwise $A$ identifies that
1096: some $q_i$ or $p_j$ is faulty in round $I$). That is, there are at most
1097: $k-u$ errors in the shares $(s^B_{1,I}, ..., s^B_{n,I})$, and $B$
1098: recovers the correct secret message in round $I$.
1099: \end{itemize}
1100:
1101: Now assume that $B$ does not recover the correct message at the beginning
1102: of Step \ref{Iends} and $B$ recovers different values in
1103: these $|{\cal H}|$ rounds between Step \ref{ggu11} and
1104: Step \ref{ggbrecovers}. If this happens, then there must be non-faulty
1105: paths from $B$ to $A$. In this case, both $A$ and $B$
1106: continues the protocol from Step \ref{00ggfinal}.
1107: During Step \ref{00ggfinal} and Step \ref{Jbrecovers2},
1108: $A$ tries to send $R^A_1$ and $R^A_2$ to $B$ using the
1109: $(k+1)$-out-of-$n$ MDS secret sharing scheme. Since there are
1110: at most $k$ faulty paths,
1111: and a $(k+1)$-out-of-$n$ MDS secret sharing scheme could be used to
1112: correct $0$ error and simultaneously detect at least
1113: $k$ errors, any error in these shares could be detected by $B$
1114: in Steps \ref{bdetect1} and \ref{bdetect2}. Since there are non-faulty
1115: paths from $B$ to $A$, any errors in these shares will be reported
1116: back $A$ via the non-faulty $B$ to $A$ paths. Thus $A$ initiates
1117: a $(0,0)$-secure message transmission protocol against
1118: a $(k-1)$-active adversary
1119: on the paths $\{p_i: i\not= i_0\}\cup\{q_j: j\not= j_0\}$ in
1120: Step \ref{Jareceive} or Step \ref{Jareceive2} and $B$ will receive the
1121: secret. If any error occurs in these cases, $B$ reports either the
1122: shares of $R^A_1$ or the shares of $R^A_2$ (but not both)
1123: to $A$ via the $B$ to $A$ paths. Thus we have
1124: achieved the perfect privacy here.
1125: On the other hand, if there is no error in these shares
1126: of $R^A_1$ and $R^A_2$, then $B$ recovers the correct secret
1127: $M^B=R^B_1+R^B_2$.
1128:
1129: We therefore proved that the protocol $\pi$ is $(0,0)$-secure
1130: against a $k$-active adversary.
1131: \hfill{Q.E.D.}\end{proof}
1132:
1133: In Theorem \ref{perfectugen}, we have the restriction that $k\ge 2$.
1134: In the following we show a sufficient condition which is applicable to
1135: $k=1$.
1136:
1137:
1138: \begin{theorem}
1139: \label{eperfectu1}
1140: Let $G(V,E)$ be a directed graph, $A,B\in V$.
1141: If there are $3k$ directed node disjoint paths $p_1,\ldots, p_{3k}$ from
1142: $A$ to $B$ and one directed path $q$ from $B$ to $A$ ($q$ is node
1143: disjoint from $p_1,\ldots, p_{3k}$) then there
1144: is a $(0,0)$-secure message transmission
1145: protocol from $A$ to $B$ against a $k$-active adversary.
1146: \end{theorem}
1147: \begin{proof}
1148: In the following protocol $\pi$, $A$ $(0,0)$-securely transmits
1149: $M^A\in_R{\bf F}$ to $B$.
1150: \begin{algorithm}{9}
1151: \item\label{eu11} $A$ constructs $(k+1)$-out-of-$3k$ MDS
1152: secret shares $v^A=(s^A_1, ..., s^A_{3k})$
1153: of $M^A$. For each $1\le i\le 3k$, $A$ sends $s_i$ to $B$ via the
1154: path $p_i$.
1155: \item\label{ebsends} Let $v^B=(s^B_1, ..., s^B_{3k})$
1156: be the shares $B$ receives.
1157: If $B$ finds that there are at most $k-1$ errors, $B$ recovers
1158: $M^B$ from the shares, sends ``stop'' to $A$ via the path $q$,
1159: and terminates the protocol.
1160: Otherwise there are $k$ errors. In this case $B$ sends $v^B$ back
1161: to $A$ via the path $q$ (note that $q$ is an honest path in this case).
1162: \item $A$ distinguishes the following two cases:
1163: \begin{enumerate}
1164: \item $A$ receives $\bar{v}^A=(\bar{s}^A_1, ..., \bar{s}^A_{3k})$
1165: from the path $q$.
1166: $A$ reliably sends ${\cal P}=\{i: s^A_i\not= \bar{s}^A_i\}$ to $B$.
1167: \item $A$ received ``stop'' or anything else via $q$.
1168: $A$ terminates the protocol.
1169: \end{enumerate}
1170: \item $B$ reliably receives ${\cal P}$ from $A$.
1171: $B$ recovers $M^B$ from the shares $\{s^B_i: i\notin {\cal P}\}$ and
1172: terminates the protocol
1173: (note that $|\{s^B_i: i\notin {\cal P}\}|=2k$).
1174: \end{algorithm}
1175: Note that if $B$ sends $v^B$ to $A$ in Step \ref{ebsends} then
1176: $k$ paths from $A$ to $B$ are corrupted and the path $q$ is honest.
1177: Thus the adversary will not learn $v^B$. If the
1178: adversary controls the path $q$, then it may change the message
1179: ``stop'' to something else. In this case,
1180: $A$ will not be able to identify the corrupted paths from $A$ to $B$.
1181: However, since $B$ has already recovered the key, $B$ will just ignore
1182: the next received message. It is straightforward to show that
1183: the protocol is $(0,0)$-secure.
1184: \hfill{Q.E.D.}\end{proof}
1185:
1186:
1187: \section{Efficient $(0,0)$-secure message transmission in directed graphs}
1188: In the previous section, we proved a necessary and sufficient condition
1189: for $(0,0)$-secure message transmission from $A$ to $B$. Our protocols in
1190: these proofs are not efficient (exponential in $k$). In this section,
1191: we show that if there are totally $3k+1$ paths between $A$ and $B$,
1192: then there are efficient (linear in $u$) $(0,0)$-secure message
1193: transmission protocols from $A$ to $B$.
1194:
1195: \begin{theorem}
1196: \label{perfectu}
1197: Let $G(V,E)$ be a directed graph, $A,B\in V$ and $k\ge u$.
1198: If there are $n=3k+1-u$ directed node
1199: disjoint paths $p_1,\ldots, p_n$ from
1200: $A$ to $B$ and $u$ directed node disjoint paths
1201: $q_1,\ldots, q_u$ from $B$ to $A$
1202: ($q_1,\ldots, q_u$ are node disjoint from $p_1,\ldots, p_n$)
1203: then there is an efficient $(0,0)$-secure message transmission
1204: protocol from $A$ to $B$ against a $k$-active adversary.
1205: \end{theorem}
1206: \begin{proof}
1207: If we replace the steps between Step \ref{firststepu} and Step \ref{allstop}
1208: of the protocol $\pi$ in the proof of Theorem \ref{perfectugen}
1209: with the following steps:
1210: \begin{algorithm}{9}
1211: \item\label{eff1} $A$ constructs $(k+1)$-out-of-$n$ MDS secret
1212: shares $(s^A_1, ..., s^A_n)$ of $M^A$.
1213: For each $i\le n$, $A$ sends $s^A_i$ to $B$ via the
1214: path $p_i$.
1215: \item\label{eff2} For each $i\le n$,
1216: $B$ receives (or sets default) $s^B_i$ on path $p_i$.
1217: If there are at most $k-u$ errors in the shares
1218: $(s^B_1, ..., s^B_n)$, then $B$ recovers the secret
1219: message $M^B$ from these shares by correcting the errors,
1220: sends ``stop'' to $A$ via all paths $q_i$, and terminates the protocol.
1221: Otherwise, $B$ sends ``continue the protocol'' to $A$ via all paths $q_i$
1222: and goes to Step \ref{00ggfinal} of the protocol $\pi$.
1223: \item\label{eff3} If $A$ receives ``stop'' on all paths $q_1,\ldots, q_u$,
1224: then $A$ terminates the protocol, otherwise, $A$ goes to Step \ref{00ggfinal}
1225: of the protocol $\pi$.
1226: \end{algorithm}
1227: Note that a $(k+1)$-out-of-$n$ MDS secret
1228: sharing scheme could be used to detect $k$ errors and simultaneously
1229: correct $k-u$ errors. Thus if all the paths $q_1,\ldots, q_u$ are
1230: controlled by the adversary, then $B$ recovers the secret message
1231: $M^B$ in Step \ref{eff2}. If at least one path from $B$ to $A$ is
1232: not controlled by the adversary, then the protocol $\pi$
1233: in the proof of Theorem \ref{perfectugen} starting from
1234: Step \ref{00ggfinal} will let $B$ to recover the secret
1235: message $M^B$. Here we should also note that the induction
1236: initiated in Step \ref{Jareceive} or Step \ref{Jareceive2} of
1237: the protocol $\pi$ works since $3k+1-u-1=3k-u> 3(k-1)+1-(u-1)$.
1238: It is straightforward that the protocol will
1239: terminates in at most $11u$ steps.
1240: \hfill{Q.E.D.}\end{proof}
1241: %
1242: In the previous theorems, including Theorem \ref{perfectu},
1243: we have the restriction that the directed paths from $B$ to $A$ are all
1244: node disjoint from the directed paths from $A$ to $B$.
1245: In the following theorem we partially remove this restriction.
1246: %
1247: \begin{theorem}
1248: \label{perfectustr}
1249: Let $G(V,E)$ be a directed graph, $A,B\in V$.
1250: Assume that there are $n=3k+1-u\ge 2k+1$ (which implies $k\ge u$)
1251: directed node disjoint paths $p_1,\ldots, p_n$ from $A$ to $B$
1252: and $u$ node disjoint directed paths $q_1,\ldots, q_u$ from $B$ to $A$.
1253: If $3k+1-2u$ paths among these $3k+1-u$
1254: paths from $A$ to $B$ are node disjoint from the $u$ paths from $B$ to $A$,
1255: then there is an efficient $(0,0)$-secure message transmission
1256: protocol from $A$ to $B$ against a $k$-active adversary.
1257: \end{theorem}
1258:
1259: \begin{proof}
1260: We note that the proof of Theorem \ref{perfectu}
1261: could not be used here since if we remove (in the induction step) two
1262: paths $p_i$ and $q_j$ such that one of them is corrupted,
1263: we are not guaranteed that the $k$-active adversary becomes
1264: a $(k-1)$-active adversary ($q_j$ may share a node with some other
1265: directed paths from $A$ to $B$ and that node could be corrupted).
1266:
1267: First we describe the proof informally.
1268: The protocol is divided into two phases.
1269: In phase one of the protocol, $A$ tries to transmit
1270: the secret message to $B$ assuming at least one of the directed paths
1271: from $B$ to $A$ is not corrupted. This is done by running $u$ concurrent
1272: sub-protocols in phase one, in each sub-protocol $B$ uses one of the
1273: directed paths from $B$ to $A$ to send some feedback information to $A$.
1274: In the second phase of the protocol, $A$ transmits
1275: shares of the secret message through the $A$ to $B$ paths excluding these
1276: paths which have intersection with $B$ to $A$ paths. $B$ will use the
1277: information received in the second phase only if $B$ detects that all
1278: directed paths from $B$ to $A$ are corrupted in phase one.
1279:
1280: In phase one, $A$ and $B$ execute the following protocol
1281: on the path set $\{p_i:1\le i \le n\}\cup\{q\}$ for each directed path $q$
1282: from $B$ to $A$. First $A$ chooses $R_0\in_R{\bf F}$ and
1283: sends shares of $R_0$ to $B$ via the paths $p_1,\ldots, p_n$
1284: using a $(k+1)$-out-of-$n$ MDS secret sharing scheme.
1285: If $B$ can correct the errors in the received shares (that is,
1286: there were at most $k-u$ errors), $B$ recovers $R_0$.
1287: Otherwise $B$ needs help from $A$ and $B$ sends the
1288: received shares back to $A$ via the $B$ to $A$ path $q$.
1289: The problems are that: $B$ may receive help even if $B$ has never asked for.
1290: However $B$ can detect this. Therefore $B$ always works with $A$ on
1291: such a protocol and recovers the correct $R_0$.
1292: Then $A$ sends $R_1=M^A-R_0$ using a $(k+1)$-out-of-$n$
1293: MDS secret sharing scheme. If $B$ can correct the errors in the
1294: received shares of $R_1$, $B$ has found the secret and can terminate the
1295: protocol. If $B$ cannot correct these errors, $B$ needs to continue the
1296: protocol. In this situation, $B$ distinguishes the following two cases:
1297: \begin{enumerate}
1298: \item $B$ has not asked for help in the transmission of $R_0$.
1299: $B$ can ask for help now and $B$ will then recover the secret $M^A$.
1300: \item $B$ has asked for help in the transmission of $R_0$. In this case $B$
1301: cannot ask for help (otherwise the adversary may learn both
1302: the values of $R_0$ and $R_1$ and thus may recover the secret).
1303: The sub-protocol needs to be restarted (that is, $A$ constructs
1304: different $R_0$ and $R_1$ for $M^A$ and sends them to $B$ again).
1305: Each time when $A$ and $B$ restart this sub-protocol, $A$ sends
1306: the shares of $R_0$ and $R_1$ only via these ``non-corrupted'' paths
1307: from $A$ to $B$.
1308: The ``non-corrupted'' paths are computed from the feedbacks that
1309: $A$ has received from the path $q$. If $q$ is not corrupted, then
1310: the computation is reliable. However, if $q$ is corrupted, then
1311: the computation is unreliable. If there is at least one
1312: non-corrupted path $q_{i_0}$ from $B$ to $A$, then $B$ recovers the secret
1313: from the sub-protocol running on the path set
1314: $\{p_1,\ldots, p_n\}\cup\{q_{i_0}\}$. Otherwise
1315: $B$ cannot recover the secret in phase one and we will go to phase two.
1316: \end{enumerate}
1317: If $B$ asks for help in the transmission of $R_0$,
1318: then both $A$ and $B$ ``identify'' the corrupted paths from $A$ and $B$
1319: according to the information that $B$ sends to $A$ via the path $q$.
1320: If $k'$ dishonest paths from $A$ to $B$ have been (correctly or incorrectly)
1321: identified at the restart of the sub-protocol, $A$ uses
1322: a $(k+1)$-out-of-$(3k+1-u-k')$ MDS secret sharing scheme.
1323: This MDS secret sharing scheme will only be used for error detection (or
1324: message recovery in the case that no error occurs),
1325: thus it can be used to detect $3k+1-u-k'-k -1= 2k-u-k'\ge k-k'$ errors.
1326: Due to the fact that this MDS secret sharing scheme cannot
1327: detect $k$ errors we need to organize ourselves that $B$ will
1328: never use incorrectly identified paths from $A$ to $B$ since otherwise
1329: $B$ could compute the incorrect ``secret". This is easy to be addressed
1330: by having $B$ detect whether the path $q$ from $B$ to $A$ is dishonest or not.
1331: This is done by having $A$ reliably send to $B$ what
1332: $A$ received via the path $q$.
1333: Since a $(k+1)$-out-of-$(3k+1-u)$ MDS secret sharing scheme
1334: can detect $k$ errors and simultaneously correct $k-u$ errors,
1335: both $A$ and $B$ identify at least $k'\geq k-u+1$
1336: dishonest paths from $A$ to $B$ in the first run of the sub-protocol.
1337: During each following run of the sub-protocol, $B$ will either recover the
1338: secret message (when no error occurs) or detect at least one corrupted path
1339: from $A$ to $B$ ($A$ could also detect the corrupted path from $A$ to $B$
1340: according to the information $A$ received on the path $q$).
1341: Thus the sub-protocol will be restarted at most $u$ times.
1342:
1343: In phase two of the protocol,
1344: $A$ constructs $(k+1)$-out-of-$(3k+1-2u)$
1345: MDS shares $(s_1,\ldots, s_{3k+1-2u})$ of the secret $M^A$
1346: and sends these shares to $B$ via the $3k+1-2u$ paths which are
1347: node disjoint from the paths from the $u$ paths from $B$ to $A$.
1348: Note that if $B$ has determined that all these $u$ paths from $B$ to $A$
1349: have been corrupted in phase one, then $B$ recovers the secret
1350: $M^A$ from the received shares $(s^B_1,\ldots, s^B_{3k+1-2u})$ in phase two
1351: since a $(k+1)$-out-of-$(3k+1-2u)$ MDS secret sharing scheme
1352: can be used to detect and correct $k-u$ errors simultaneously.
1353: Note that if at least one path from $B$ to $A$ is honest in phase one, then
1354: $B$ has recovered the secret in phase and can just ignore this last
1355: message.
1356:
1357: Now we present the entire protocol formally.
1358: \begin{algorithm}{99}
1359: \item $B$ sets $\mathrm{BA\_BAD}=\emptyset$.
1360: For each directed path $q$ from $B$ to $A$, $A$ and $B$
1361: run the sub-protocol between Step \ref{begss} and
1362: Step \ref{phase1end} (the sup-protocols for the $u$ paths could be run
1363: parallely).
1364: \item\label{begss} $A$ sets $\mathrm{AB\_CHANNEL}^A=\{p_1,\ldots, p_n\}$
1365: and $j^A=0$. $B$ sets $\mathrm{AB\_CHANNEL}^B=\{p_1,\ldots, p_n\}$
1366: and $j^B=0$.
1367: \item\label{begssj} Let $n_j=|\mathrm{AB\_CHANNEL}^A|$.
1368: $A$ chooses $R_0\in_R{\bf F}$, and
1369: constructs $(k+1)$-out-of-$n_j$ MDS secret
1370: shares $\{s^A_i: p_i\in \mathrm{AB\_CHANNEL}^A\}$ of $R_0$.
1371: For each $p_i\in \mathrm{AB\_CHANNEL}^A$, $A$ sends $s^A_i$ to
1372: $B$ via the path $p_i$.
1373: \item\label{bfim} For each $p_i\in \mathrm{AB\_CHANNEL}^B$,
1374: $B$ receives $s^B_i$ from
1375: $A$ via the path $p_i$. $B$ distinguishes the following two cases:
1376: \begin{enumerate}
1377: \item $B$ can recover $R_0$. If $j=0$ and there are
1378: at most $k-u$ errors, $B$ recovers $R_0$ by correcting the errors
1379: (note that a $(k+1)$-out-of-$n$ MDS scheme can be used to detect $k$ errors
1380: and simultaneously correct $k-u$ errors).
1381: If $j>0$, then $B$ recovers $R_0$ only if there is no error in
1382: the received shares. $B$ sends ``ok'' to $A$ via the path $q$.
1383: \item $B$ cannot recover $R_0$. $B$ sends
1384: $\{s^B_i: p_i\in \mathrm{AB\_CHANNEL}^B\}$ to $A$ via the path $q$.
1385: \end{enumerate}
1386: \item $A$ distinguishes the following two cases:
1387: \begin{enumerate}
1388: \item $A$ receives ``ok'' via the path $q$. $A$ reliably sends
1389: ``ok'' to $B$.
1390: \item $A$ receives $\{\bar{s}^B_i: p_i\in \mathrm{AB\_CHANNEL}^A\}$
1391: (or sets default values if the received values are not in valid format).
1392: $A$ sets $\mathrm{BAD}^A=\{p_i: \bar{s}^B_i\not= s^A_i\}$
1393: and reliably sends $\{\bar{s}^B_i: p_i\in \mathrm{AB\_CHANNEL}^A\}$
1394: and $\mathrm{BAD}^A$ to $B$. $A$ sets
1395: $\mathrm{AB\_CHANNEL}^A=\mathrm{AB\_CHANNEL}^A\setminus \mathrm{BAD}^A$,
1396: \end{enumerate}
1397: \item $B$ distinguishes the following two cases:
1398: \begin{enumerate}
1399: \item $B$ reliably receives ``ok'' from $A$. If $B$ sent
1400: ``ok'' to $A$ in the Step \ref{bfim}, then goes to Step \ref{sendingr1}.
1401: Otherwise, $B$ sets $\mathrm{BA\_BAD}=\mathrm{BA\_BAD}\cup\{q\}$
1402: and goes to Step \ref{phase1end}.
1403: \item $B$ reliably receives
1404: $\{\bar{s}^B_i: p_i\in \mathrm{AB\_CHANNEL}^B\}$ and
1405: $\mathrm{BAD}^B$ from $A$.
1406: If $\bar{s}^B_i=s^B_i$ for all $p_i\in \mathrm{AB\_CHANNEL}^B$,
1407: then $B$ sets $\mathrm{AB\_CHANNEL}^B=\mathrm{AB\_CHANNEL}^B\setminus
1408: \mathrm{BAD}^B$, recovers $R_0$ from
1409: $\{s^B_i: p_i\in \mathrm{AB\_CHANNEL}^B\}$, and goes to Step \ref{sendingr1}.
1410: Otherwise, $B$ sets $\mathrm{BA\_BAD}=\mathrm{BA\_BAD}\cup\{q\}$
1411: and goes to Step \ref{phase1end}.
1412: \end{enumerate}
1413: \item\label{sendingr1} Let $n_j=|\mathrm{AB\_CHANNEL}^A|$.
1414: $A$ constructs $(k+1)$-out-of-$n_j$ MDS secret
1415: shares $\{s^A_i: p_i\in \mathrm{AB\_CHANNEL}^A\}$ of $R_1=M^A-R_0$.
1416: For each $p_i\in \mathrm{AB\_CHANNEL}^A$, $A$ sends $s^A_i$ to
1417: $B$ via the path $p_i$.
1418: \item\label{r1bfim} For each $p_i\in \mathrm{AB\_CHANNEL}^B$,
1419: $B$ receives $s^B_i$ from
1420: $A$ via the path $p_i$. $B$ distinguishes the following two cases:
1421: \begin{enumerate}
1422: \item $B$ can recover $R_1$. $B$ recovers $R_1$ only if there is no error in
1423: the received shares. $B$ sends ``ok'' to $A$ via the path $q$.
1424: \item $B$ cannot recover $R_1$. For this situation we need
1425: to distinguish two cases:
1426: \begin{enumerate}
1427: \item $B$ sent ``ok'' to $A$ in Step \ref{bfim}. That is,
1428: $B$ has not asked for help to recover $R_0$. Then $B$ can ask for help now.
1429: $B$ sends $\{s^B_i: p_i\in \mathrm{AB\_CHANNEL}^B\}$ to $A$ via the path $q$.
1430: \item $B$ sent the received shares to $A$ in Step \ref{bfim}. That is,
1431: $B$ has asked for help to recover $R_0$. Then $B$ cannot ask for help now.
1432: $B$ sends ``continue to the next round'' to $A$ via the path $q$.
1433: \end{enumerate}
1434: \end{enumerate}
1435: \item $A$ distinguishes the following three cases:
1436: \begin{enumerate}
1437: \item $A$ receives ``ok'' via the path $q$. $A$ reliably sends
1438: ``ok'' to $B$.
1439: \item $A$ receives ``continue to the next round'' via the path $q$.
1440: $A$ sets $j^A=j^A+1$, reliably sends ``continue to the next round'' to $B$,
1441: and goes to Step \ref{begssj}.
1442: \item $A$ receives $\{\bar{s}^B_i: p_i\in \mathrm{AB\_CHANNEL}^A\}$
1443: (or sets default values if the received values are in invalid format).
1444: $A$ sets $\mathrm{BAD}^A=\{p_i: \bar{s}^B_i\not= s^A_i\}$,
1445: $\mathrm{AB\_CHANNEL}^A=\mathrm{AB\_CHANNEL}^A\setminus \mathrm{BAD}^A$,
1446: and reliably sends $\{\bar{s}^B_i: p_i\in \mathrm{AB\_CHANNEL}^A\}$
1447: and $\mathrm{BAD}^A$ to $B$.
1448: \end{enumerate}
1449: \item $B$ distinguishes the following three cases:
1450: \begin{enumerate}
1451: \item $B$ reliably receives ``ok'' from $A$. If $B$ sent
1452: ``ok'' to $A$ in the Step \ref{r1bfim}, then
1453: $B$ has recovered the secret. $B$ terminates the entire protocol.
1454: Otherwise, $B$ sets $\mathrm{BA\_BAD}=\mathrm{BA\_BAD}\cup\{q\}$
1455: and goes to Step \ref{phase1end}.
1456: \item $B$ reliably receives ``continues to the next round''.
1457: If $B$ sent ``continues to the next round'' to $A$ in the
1458: Step \ref{r1bfim}, then $B$ sets $j^B=j^B+1$ and goes to Step \ref{begssj}.
1459: Otherwise, $B$ sets $\mathrm{BA\_BAD}=\mathrm{BA\_BAD}\cup\{q\}$
1460: and goes to Step \ref{phase1end}.
1461: \item $B$ reliably receives
1462: $\{\bar{s}^B_i: p_i\in \mathrm{AB\_CHANNEL}^B\}$ and
1463: $\mathrm{BAD}^B$ from $A$.
1464: If $\bar{s}^B_i=s^B_i$ for all $p_i\in \mathrm{AB\_CHANNEL}^B$,
1465: then $B$ sets $\mathrm{AB\_CHANNEL}^B=\mathrm{AB\_CHANNEL}^B\setminus
1466: \mathrm{BAD}^B$, recovers $R_1$ from
1467: $\{s^B_i: p_i\in \mathrm{AB\_CHANNEL}^B\}$, recovers
1468: the secret $M^B$ from both $R_0$ and $R_1$, and terminates the entire protocol.
1469: Otherwise, $B$ sets $\mathrm{BA\_BAD}=\mathrm{BA\_BAD}\cup\{q\}$
1470: and goes to Step \ref{phase1end}.
1471: \end{enumerate}
1472: \item\label{phase1end} $B$ waits until all $u$ sub-protocols in phase one
1473: finish. If $|\mathrm{BA\_BAD}|=u$ then $B$ goes to Step
1474: \ref{phase2}. Otherwise, $B$ has recovered the secret message, thus
1475: terminates the entire protocol.
1476: \item\label{phase2} $A$ constructs $(k+1)$-out-of-$(3k+1-2u)$
1477: MDS shares $(s_1,\ldots, s_{3k+1-2u})$ of the secret $M^A$
1478: and sends these shares to $B$ via the $3k+1-2u$ paths which are
1479: node disjoint from the $u$ $B$ to $A$ paths.
1480: Note that if $|\mathrm{BA\_BAD}|=u$, then $B$ can recover the
1481: secret message $M^B$ from the received shares
1482: $(s^B_1,\ldots, s^B_{3k+1-2u})$ since a $(k+1)$-out-of-$(3k+1-2u)$ MDS
1483: secret sharing scheme can be used to detect and correct $k-u$ errors
1484: simultaneously.
1485: \end{algorithm}
1486: It is straightforward to show that at the beginning of each run
1487: of the sub-protocol between Step \ref{begss} and
1488: Step \ref{phase1end}, Both $A$ and $B$ have the same sets
1489: of $\mathrm{AB\_CHANNEL}$, that is, $\mathrm{AB\_CHANNEL}^A
1490: =\mathrm{AB\_CHANNEL}^B$ at Step \ref{begss}. From the analysis
1491: before the above protocol, it is straightforward that the above protocol
1492: is a $(0,0)$-secure message transmission protocol against a $k$-active
1493: adversary.
1494: \hfill{Q.E.D.}\end{proof}
1495:
1496: \section{Secure message transmissions in hypergraphs}
1497: \label{hypersec}
1498: %
1499: Applications of hypergraphs in secure communications have been
1500: studied by Franklin and Yung in \cite{fy}.
1501: A hypergraph $H$ is a pair $(V, E)$ where
1502: $V$ is the node set and $E$ is the hyperedge set. Each
1503: hyperedge $e\in E$ is a pair $(A, A^*)$ where $A\in V$ and
1504: $A^*$ is a subset of $V$. In a hypergraph, we assume that
1505: any message sent by a node $A$ will be received
1506: identically by all nodes in $A^*$, whether or not
1507: $A$ is faulty, and all parties outside
1508: of $A^*$ learn nothing about the content of
1509: the message.
1510:
1511: Let $A,B\in V$ be two nodes of the hypergraph $H(V,E)$.
1512: We say that there is a ``{\em direct link}'' from node $A$ to
1513: node $B$ if there exists a hyperedge $(A, A^*)$ such that
1514: $B\in A^*$. We say that there is an ``{\em undirected link}''
1515: from $A$ to $B$ if there is a directed link from $A$ to $B$
1516: or a directed link from $B$ to $A$. If there is a directed (undirected)
1517: link from $A_i$ to $A_{i+1}$ for every $i$, $0\le i<k$, then
1518: we say that there is a ``{\em directed path}''
1519: (``{\em undirected path}'') from
1520: $A_0$ to $A_k$. $A$ and $B$ are ``{\em strongly $k$-connected}''
1521: (``{\em weakly $k$-connected}'') in the hypergraph $H(V,E)$ if for all
1522: $S\subset V-\{A,B\}$, $|S|<k$, there remains a directed (undirected)
1523: path from $A$ to $B$ after the removal of $S$ and all hyperedges $(X,X^*)$
1524: such that $S\cap (X^*\cup\{X\})\not=\emptyset$.
1525: Franklin and Yung \cite{fy} showed that reliable and private
1526: communication from $A$ to $B$ is possible against a $k$-{\it passive\/}
1527: adversary if and only if $A$ and $B$ are strongly 1-connected
1528: and weakly $(k+1)$-connected.
1529: It should be noted that $B$ and $A$ are strongly $k$-connected
1530: does not necessarily mean that $A$ and $B$ are strongly $k$-connected.
1531:
1532: Following Franklin and Yung \cite{fy}, and, Franklin and Wright \cite{fw},
1533: we consider multicast as our only communication
1534: primitive in this section. A message that is multicast by any node $A$
1535: in a hypergraph is received by all nodes $A^*$ with privacy
1536: (that is, nodes not in $A^*$ learn nothing about what was sent)
1537: and authentication (that is, nodes in $A^*$ are guaranteed
1538: to receive the value that was multicast and to know
1539: which node multicast it).
1540: We assume that all nodes in the
1541: hypergraph know the complete protocol
1542: specification and the complete structure of the hypergraph.
1543: %
1544: \begin{definition}\label{definition-main}
1545: Let $H(V,E)$ be a hypergraph, $A,B \in V$ be distinct nodes of $H$, and
1546: $k\geq 0$. $A$, $B$ are $k$-{\em separable\/} in $H$
1547: if there is a node set $W\subset V$ with at most $k$ nodes
1548: such that any directed path from $A$ to $B$ goes
1549: through at least one node in $W$. We say that $W$ {\em separates\/} $A,B$.
1550: \end{definition}
1551: %
1552: {\bf Remark.} Note that there is no straightforward relationship between
1553: strong connectivity and separability in hypergraphs.
1554: %
1555: \begin{theorem}
1556: \label{mainlemma}
1557: Let $H(V,E)$ be a hypergraph, $A,B \in V$ be distinct nodes of $H$, and
1558: $k\geq 0$.
1559: The nodes $A$ and $B$ are not $2k$-separable
1560: if and only if there are $2k+1$ directed node disjoint
1561: paths from $A$ to $B$ in $H$.
1562: \end{theorem}
1563: \begin{proof} This follows directly from the maximum-flow
1564: minimum-cut theorem in classical graph theory. For details,
1565: see, e.g., \cite{ff}. \hfill \mbox{Q.E.D.}\end{proof}
1566: %
1567: \begin{theorem}
1568: \label{iffcondition}
1569: Let $H(V,E)$ be a hypergraph, $A,B \in V$ be distinct nodes of $H$, and
1570: $k\geq 0$.
1571: A necessary and sufficient condition for reliable message
1572: transmission
1573: from $A$ to $B$ against a $k$-active adversary is that $A$ and $B$
1574: are not $2k$-separable in $H$.
1575: \end{theorem}\begin{proof}
1576: First assume that $A$ and $B$ cannot be separated by a $2k$-node set.
1577: By Theorem \ref{mainlemma}, there are $2k+1$ directed node disjoint
1578: paths from $A$ to $B$ in $H$. Thus reliable message transmission from
1579: $A$ to $B$ is possible.
1580:
1581: Next assume that $A$ and $B$ can be separated by a $2k$-node set $W$ in $H$.
1582: We shall show that reliable message transmission
1583: is impossible.
1584: Suppose that $\pi$ is a message
1585: transmission protocol from $A$ to $B$ and
1586: let $W=W_0\cup W_1$ be a
1587: $2k$-node separation of $A$ and $B$ with $W_0$ and $W_1$ each
1588: having at most $k$ nodes. Let $m_0$ be the message that $A$ transmits.
1589: The adversary will attempt to maintain a simulation
1590: of the possible behavior of $A$ by executing
1591: $\pi$ for message $m_1\not= m_0$.
1592: The strategy of the adversary is to flip a coin and then,
1593: depending on the outcome, decide which set of $W_0$ or $W_1$ to control.
1594: Let $W_b$ be the chosen set. In each execution step of the
1595: transmission protocol, the adversary causes each node in
1596: $W_b$ to follow the protocol
1597: $\pi$ as if the protocol were transmitting the message $m_1$.
1598: This simulation succeeds with nonzero probability.
1599: Since $B$ does not know whether $b=0$ or $b=1$,
1600: at the end of the protocol $B$ cannot decide whether
1601: $A$ has transmitted $m_0$ or $m_1$ if the adversary succeeds.
1602: Thus with nonzero probability, the reliability
1603: is not achieved. \hfill{Q.E.D.}\end{proof}
1604: %
1605: Theorem \ref{iffcondition} gives a sufficient and necessary
1606: condition for achieving reliable message transmission against a $k$-active
1607: adversary over hypergraphs. In the following example, we show that
1608: this condition is not sufficient for achieving privacy against a $k$-active
1609: adversary (indeed, even not for a $k$-passive adversary).
1610: %
1611: \begin{ex}
1612: \label{reliablebutnotprivate}
1613: Let $H(V,E_h)$ be the hypergraph in Figure \ref{figure5}
1614: where $V=\{A$, $B$, $v_1$, $v_2$, $v$, $u_1$, $u_2\}$ and
1615: $E_h=\{(A,\{v_1,v_2\})$, $(v_1,\{v,B\})$, $(v_2,\{v,B\})$,
1616: $(A,\{u_1,u_2\})$, $(u_1,\{v,B\})$, $(u_2,\{v,B\})\}$.
1617: Then the nodes $A$ and $B$ are not 2-separable in $H$.
1618: Theorem \ref{iffcondition} shows that reliable message transmission
1619: from $A$ to $B$ is possible against a 1-active adversary.
1620: However, the hypergraph $H$ is not weakly 2-connected (the removal
1621: of the node $v$ and the removal of the corresponding
1622: hyperedges will disconnect $A$ and $B$). Thus, the result by
1623: Franklin and Yung \cite{fy} shows that private message transmission
1624: from $A$ to $B$ is not possible against a 1-passive adversary.
1625: \end{ex}
1626:
1627:
1628: \begin{figure}[htb]
1629: \begin{center}
1630: \setlength{\unitlength}{3947sp}%
1631: %
1632: \begingroup\makeatletter\ifx\SetFigFont\undefined%
1633: \gdef\SetFigFont#1#2#3#4#5{%
1634: \reset@font\fontsize{#1}{#2pt}%
1635: \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
1636: \selectfont}%
1637: \fi\endgroup%
1638: \begin{picture}(2925,2535)(751,-1786)
1639: \thinlines
1640: {\put(1089,-286){\oval( 76, 12)[bl]}
1641: \put(1089,-211){\oval(224,162)[br]}
1642: }%
1643: {\put(1876,277){\oval( 32, 74)[tl]}
1644: \put(1914,277){\oval(108,108)[bl]}
1645: \put(1914,239){\oval( 74, 32)[br]}
1646: }%
1647: {\put(2439,239){\oval( 76, 12)[bl]}
1648: \put(2439,314){\oval(224,162)[br]}
1649: }%
1650: {\put(3151,-399){\oval( 12, 76)[tl]}
1651: \put(3226,-399){\oval(162,224)[bl]}
1652: }%
1653: {\put(1839,-361){\oval( 76, 12)[bl]}
1654: \put(1839,-286){\oval(224,162)[br]}
1655: }%
1656: {\put(2664,-286){\oval(226,162)[bl]}
1657: \put(2664,-361){\oval( 74, 12)[br]}
1658: }%
1659: {\put(2251,464){\circle{150}}
1660: }%
1661: {\put(976,-136){\circle{150}}
1662: }%
1663: {\put(1726,-136){\circle{150}}
1664: }%
1665: {\put(2776,-136){\circle{150}}
1666: }%
1667: {\put(3526,-136){\circle{150}}
1668: }%
1669: {\put(2251,-736){\circle{150}}
1670: }%
1671: {\put(2251,-1486){\circle{150}}
1672: }%
1673: {\put(2176,464){\vector(-2,-1){1170}}
1674: }%
1675: {\put(2251,389){\vector( 1,-1){450}}
1676: }%
1677: {\put(2326,464){\vector( 2,-1){1110}}
1678: }%
1679: {\put(976,-211){\vector( 1,-1){1200}}
1680: }%
1681: {\put(1051,-136){\vector( 2,-1){1140}}
1682: }%
1683: {\put(1726,-211){\vector( 1,-2){585}}
1684: }%
1685: {\put(1801,-136){\vector( 3,-4){414}}
1686: }%
1687: {\put(3451,-211){\vector(-2,-1){1110}}
1688: }%
1689: {\put(2176,389){\vector(-1,-1){450}}
1690: }%
1691: {\put(2701,-136){\vector(-3,-4){414}}
1692: }%
1693: {\put(2776,-211){\vector(-1,-3){405}}
1694: }%
1695: {\put(3526,-211){\vector(-1,-1){1237.500}}
1696: }%
1697: \put(2176,614){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1698: {\rmdefault}{\mddefault}{\updefault}{$A$}%
1699: }}}
1700: \put(2176,-1786){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1701: {\rmdefault}{\mddefault}{\updefault}{$B$}%
1702: }}}
1703: \put(751,-211){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1704: {\rmdefault}{\mddefault}{\updefault}{$v_1$}%
1705: }}}
1706: \put(2926,-211){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1707: {\rmdefault}{\mddefault}{\updefault}{$u_1$}%
1708: }}}
1709: \put(3676,-211){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1710: {\rmdefault}{\mddefault}{\updefault}{$u_2$}%
1711: }}}
1712: \put(1876,-211){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1713: {\rmdefault}{\mddefault}{\updefault}{$v_2$}%
1714: }}}
1715: \put(2251,-961){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1716: {\rmdefault}{\mddefault}{\updefault}{$v$}%
1717: }}}
1718: \end{picture}
1719: \end{center}
1720: \caption{The hypergraph $H(V,E_h)$ in Example \ref{reliablebutnotprivate}}
1721: \label{figure5}
1722: \end{figure}
1723:
1724:
1725: \begin{theorem}
1726: \label{prohy}
1727: Let $\delta> 0$ and $A$ and $B$ be two nodes in a
1728: hypergraph $H(V,E)$ satisfying
1729: the following conditions:
1730: \begin{enumerate}
1731: \item $A$ and $B$ are not $2k$-separable in $H$.
1732: \item $B$ and $A$ are not $2k$-separable in $H$.
1733: \item $A$ and $B$ are strongly $k$-connected in $H$.
1734: \end{enumerate}
1735: Then there is a $(0,\delta)$-secure message transmission protocol
1736: from $A$ to $B$ against a $k$-active adversary.
1737: \end{theorem}
1738: \begin{proof}
1739: Assume that the conditions of the theorem is satisfied.
1740: For each $k$-node subset set $S$ of $V\setminus \{A,B\}$, let
1741: $p_S$ be a directed path from $A$ to $B$ which witnesses that
1742: $A$ and $B$ are strongly $k$-connected by removing the nodes in $S$ and
1743: corresponding hyperedges in $H$. Let
1744: ${\cal S}=\{S: S\subset V\setminus \{A,B\},|S|=k \}$ and
1745: ${\cal P}=\{p_S: S\in{\cal S}\}$. Then $A$ transmits
1746: the message $M^A$ to $B$ using the following protocol.
1747: \begin{algorithm}{9}
1748: \item For each $S\in {\cal S}$, $A$
1749: chooses a random pair $(a_S,b_S)\in_R {\bf F}^2$, and transmits
1750: this pair to $B$ via the path $p_S$.
1751: \item For each $S\in {\cal S}$,
1752: $B$ receives a pair $(a_S^B,b_S^B)$ from $A$ via the path $p_S$.
1753: \item For each $S\in {\cal S}$, $B$ chooses a random
1754: $r_S\in_R {\bf F}$ and computes $s_S=\auth(r_S; a_S^B,b_S^B)$.
1755: \item $B$ reliably transmits $s=\langle \langle r_S,s_S\rangle:
1756: S\in{\cal S} \rangle$ to $A$.
1757: \item $A$ reliably receives the value
1758: $s=\langle \langle r_S, s_S\rangle: S\in{\cal S} \rangle$ from $B$.
1759: \item $A$ computes the key index set $K_{\mathrm{index}}
1760: =\{i_S: s_S=\auth(r_S;a_S^A,b_S^A)\}$ and
1761: the shared secret $K^A=\sum_{i_S\in K_{\mathrm{index}}}a^A_S$.
1762: \item $A$ reliably transmits $\langle K_{\mathrm{index}}, M^A+K^A\rangle$
1763: to $B$, where $M^A$ is the secret message.
1764: \item $B$ reliably receives the value
1765: $\langle K_{\mathrm{index}}, c\rangle$ from $A$.
1766: $B$ computes the shared secret $K^B=\sum_{i_S\in K_{\mathrm{index}}}a^B_S$,
1767: and decrypts the message $M^B=c-K^B$.
1768: \end{algorithm}
1769: It is possible that $a^A_S\not= a^B_S$ but
1770: $\auth(r_S; a^A_S,b^A_S)=\auth(r_S; a^B_S,b^B_S)$
1771: for some $S\in{\cal S}$. However this probability is negligible.
1772: Thus the above protocol is reliable with high probability.
1773: Since $A$ and $B$ are strongly $k$-connected in $H$, there
1774: is a pair $(a_S,b_S)$ such that $(a_S,b_S)$ reliably reaches
1775: $B$ and the adversary cannot infer any information of $a_S$ from
1776: its view. Thus the above protocol is $(0,\delta)$-secure against
1777: a $k$-active adversary if one chooses sufficiently large {\bf F}.
1778: \hfill{Q.E.D.}\end{proof}
1779: %
1780: The results in Sections \ref{digraphsecd} and \ref{digraphsec}
1781: show that the condition in Theorem \ref{prohy} is not necessary.
1782: %
1783: %
1784: \section{Secure message transmission over neighbor networks}
1785: \label{neighborsec}
1786: %
1787: \subsection{Definitions}
1788: A special case of the hypergraph is the {\em neighbor networks}.
1789: A neighbor network is a graph $G(V,E)$. In a neighbor network,
1790: a node $A\in V$ is called a neighbor of another node $B\in V$
1791: if there is an edge $(A,B)\in E$.
1792: In a neighbor network, we assume that
1793: any message sent by a node $A$ will be received
1794: identically by all its neighbors, whether or not
1795: $A$ is faulty, and all parties outside
1796: of $A$'s neighbor learn nothing about the content of
1797: the message.
1798:
1799: For a neighbor network $G(V,E)$ and two nodes $A,B$ in it,
1800: Franklin and Wright \cite{fw}, and, Wang and Desmedt \cite{wd}
1801: showed that if there are $n$ multicast lines (that is, $n$ paths
1802: with disjoint neighborhoods)
1803: between $A$ and $B$ and there
1804: are at most $k$ malicious (Byzantine style) processors,
1805: then the condition $n>k$ is necessary and sufficient
1806: for achieving efficient probabilistically reliable
1807: and perfect private communication.
1808:
1809: For each neighbor network $G(V,E)$, there is a hypergraph
1810: $H_G(V,E_h)$ which is equivalent to $G(V,E)$ in functionality.
1811: $H_G(V,E_h)$ is defined by letting $E_h$ be the set of
1812: hyperedges $(A,A^*)$ where $A\in V$ and $A^*$ is the set of
1813: neighbors of $A$.
1814:
1815: Let $A$ and $B$ be two nodes in a neighbor network $G(V,E)$.
1816: We have the following definitions:
1817: \begin{enumerate}
1818: \item $A$ and $B$ are $k$-{\em connected} in $G(V,E)$ if there are
1819: $k$ node disjoint paths between $A$ and $B$ in $G(V,E)$.
1820: \item $A$ and $B$ are {\em weakly $k$-hyper-connected} in $G(V,E)$ if
1821: $A$ and $B$ are weakly $k$-connected in $H_G(V,E_h)$.
1822: \item $A$ and $B$ are $k$-{\em neighbor-connected} in $G(V,E)$ if for any
1823: set $V_1\subseteq V\setminus\{A,B\}$ with $|V_1|<k$, the removal
1824: of $neighbor(V_1)$ and all incident edges
1825: {from} $G(V,E)$ does not disconnect $A$ and $B$, where
1826: $$neighbor(V_1)=V_1\cup\{A\in V:
1827: \mathrm{ there exists} B\in V_1 (B,A)\mbox{ such that }\in E\}
1828: \setminus\{A,B\}.$$
1829: \item $A$ and $B$ are {\it weakly $(n,k)$-connected} if there are
1830: $n$ node disjoint paths $p_1,\allowbreak \ldots,\allowbreak p_n$
1831: between $A$ and $B$ and, for any node set
1832: $T\subseteq (V\setminus \{A,B\})$
1833: with $|T|\le k$, there exists $1\le i\le n$
1834: such that all nodes on $p_i$ have no neighbor in $T$.
1835: \end{enumerate}
1836: %
1837: It is easy to check that the following relationships hold.
1838: %
1839: \begin{center}
1840: weak $(n,k-1)$-connectivity $(n\ge k)$
1841: $\Rightarrow$ $k$-neighbor-connectivity
1842: $\Rightarrow$ weak $k$-hyper-connectivity
1843: $\Rightarrow$ $k$-connectivity
1844: \end{center}
1845: %
1846: In the following examples, we show that these implications
1847: are strict.
1848: \begin{ex}
1849: \label{exforcon}
1850: Let $G(V,E)$ be the graph in Figure \ref{figure1} where
1851: $V=\{A, B, C,D\}$ and $E=\{(A,C), (C,B),(A,D),(D,B), (C,D)\}$.
1852: Then it is straightforward to check that $G(V,E)$ is 2-connected
1853: but not weakly 2-hyper-connected.
1854: \end{ex}
1855:
1856: \begin{figure}[htb]
1857: \begin{center}
1858: \setlength{\unitlength}{3947sp}%
1859: %
1860: \begingroup\makeatletter\ifx\SetFigFont\undefined%
1861: \gdef\SetFigFont#1#2#3#4#5{%
1862: \reset@font\fontsize{#1}{#2pt}%
1863: \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
1864: \selectfont}%
1865: \fi\endgroup%
1866: \begin{picture}(1650,1035)(451,-361)
1867: {\thinlines
1868: \put(676,164){\circle{150}}
1869: }%
1870: {\put(1351,464){\circle{150}}
1871: }%
1872: {\put(1351,-136){\circle{150}}
1873: }%
1874: {\put(1951,164){\circle{150}}
1875: }%
1876: {\put(751,239){\line( 5, 2){530.172}}
1877: }%
1878: {\put(751, 89){\line( 5,-2){530.172}}
1879: }%
1880: {\put(1426,-136){\line( 2, 1){450}}
1881: }%
1882: {\put(1426,464){\line( 5,-2){530.172}}
1883: }%
1884: {\put(1351,389){\line( 0,-1){450}}
1885: }%
1886: \put(451, 89){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1887: {\rmdefault}{\mddefault}{\updefault}{$A$}%
1888: }}}
1889: \put(2101, 89){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1890: {\rmdefault}{\mddefault}{\updefault}{$B$}%
1891: }}}
1892: \put(1276,-361){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1893: {\rmdefault}{\mddefault}{\updefault}{$C$}%
1894: }}}
1895: \put(1276,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1896: {\rmdefault}{\mddefault}{\updefault}{$D$}%
1897: }}}
1898: \end{picture}
1899: \end{center}
1900: \caption{The graph $G(V,E)$ in Example \ref{exforcon}}
1901: \label{figure1}
1902: \end{figure}
1903:
1904:
1905: \begin{ex}
1906: \label{exforwd}
1907: Let $G(V,E)$ be the graph in Figure \ref{figure2} where $V =\{A, B, C,D,F\}$
1908: and $E =\{(A,C)$, $(A,D)$, $(C,B)$, $(D,B)$, $(C,F)$, $(F,D)\}$.
1909: Then it is straightforward to check that $A$ and $B$ are weakly
1910: $2$-hyper-connected but not $2$-neighbor-connected.
1911: \end{ex}
1912:
1913:
1914: \begin{figure}[htb]
1915: \begin{center}
1916: \setlength{\unitlength}{3947sp}%
1917: %
1918: \begingroup\makeatletter\ifx\SetFigFont\undefined%
1919: \gdef\SetFigFont#1#2#3#4#5{%
1920: \reset@font\fontsize{#1}{#2pt}%
1921: \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
1922: \selectfont}%
1923: \fi\endgroup%
1924: \begin{picture}(1500,1185)(226,-436)
1925: {\thinlines
1926: \put(451,239){\circle{150}}
1927: }%
1928: {\put(1051,539){\circle{150}}
1929: }%
1930: {\put(1051,239){\circle{150}}
1931: }%
1932: {\put(1051,-136){\circle{150}}
1933: }%
1934: {\put(1576,239){\circle{150}}
1935: }%
1936: {\put(526,314){\line( 2, 1){450}}
1937: }%
1938: {\put(1126,-136){\line( 3, 2){450}}
1939: }%
1940: {\put(526,164){\line( 4,-3){516}}
1941: }%
1942: {\put(1126,539){\line( 2,-1){450}}
1943: }%
1944: {\put(1051,464){\line( 0,-1){150}}
1945: }%
1946: {\put(1051,164){\line( 0,-1){225}}
1947: }%
1948: \put(226,164){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1949: {\rmdefault}{\mddefault}{\updefault}{$A$}%
1950: }}}
1951: \put(1726,164){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1952: {\rmdefault}{\mddefault}{\updefault}{$B$}%
1953: }}}
1954: \put(976,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1955: {\rmdefault}{\mddefault}{\updefault}{$C$}%
1956: }}}
1957: \put(976,614){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1958: {\rmdefault}{\mddefault}{\updefault}{$D$}%
1959: }}}
1960: \put(901, 14){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
1961: {\rmdefault}{\mddefault}{\updefault}{$F$}%
1962: }}}
1963: \end{picture}
1964: \end{center}
1965: \caption{The graph $G(V,E)$ in Example \ref{exforwd}}
1966: \label{figure2}
1967: \end{figure}
1968:
1969:
1970: \begin{ex}
1971: \label{80ex}
1972: Let $G(V,E)$ be the graph in Figure \ref{figure80} where $V =\{A$, $B$,
1973: $C$, $D$, $E$, $F$, $G$, $H\}$
1974: and $E =\{(A,C)$, $(C,D)$, $(D,E)$ $(E,B)$,
1975: $(A,F)$, $(F,G)$, $(G,H)$ $(H,B)$,
1976: $(C,H)$, $(E,F)\}$.
1977: Then it is straightforward to check that $A$ and $B$ are
1978: $2$-neighbor-connected but not weakly $(2,1)$-connected.
1979: \end{ex}
1980:
1981:
1982: \begin{figure}[htb]
1983: \begin{center}
1984: \setlength{\unitlength}{3947sp}%
1985: %
1986: \begingroup\makeatletter\ifx\SetFigFont\undefined%
1987: \gdef\SetFigFont#1#2#3#4#5{%
1988: \reset@font\fontsize{#1}{#2pt}%
1989: \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
1990: \selectfont}%
1991: \fi\endgroup%
1992: \begin{picture}(2775,1110)(151,-436)
1993: {\thinlines
1994: \put(376,164){\circle{150}}}%
1995: {\put(976,464){\circle{150}}}%
1996: {\put(1576,464){\circle{150}}}%
1997: {\put(2176,464){\circle{150}}}%
1998: {\put(976,-136){\circle{150}}}%
1999: {\put(1576,-136){\circle{150}}}%
2000: {\put(2176,-136){\circle{150}}}%
2001: {\put(2776,164){\circle{150}}}%
2002: {\put(451,239){\line( 2, 1){450}}}%
2003: {\put(1051,464){\line( 1, 0){450}}}%CD
2004: {\put(1651,464){\line( 1, 0){450}}}%
2005: {\put(2251,464){\line( 2,-1){450}}}%
2006: {\put(451, 89){\line( 2,-1){450}}}%
2007: {\put(1051,-136){\line( 1, 0){450}}}%
2008: {\put(1651,-136){\line( 1, 0){450}}}%
2009: {\put(2251,-136){\line( 5, 2){530.172}}}%
2010: {\put(1051,464){\line( 2, -1){1080}}}%CH
2011: {\put(1051,-136){\line( 2, 1){1080}}}%FE
2012: \put(151, 89){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2013: {\rmdefault}{\mddefault}{\updefault}{$A$}%
2014: }}}
2015: \put(2926, 89){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2016: {\rmdefault}{\mddefault}{\updefault}{$B$}%
2017: }}}
2018: \put(901,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2019: {\rmdefault}{\mddefault}{\updefault}{$C$}%
2020: }}}
2021: \put(1501,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2022: {\rmdefault}{\mddefault}{\updefault}{$D$}%
2023: }}}
2024: \put(2101,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2025: {\rmdefault}{\mddefault}{\updefault}{$E$}%
2026: }}}
2027: \put(901,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2028: {\rmdefault}{\mddefault}{\updefault}{$F$}%
2029: }}}
2030: \put(1501,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2031: {\rmdefault}{\mddefault}{\updefault}{$G$}%
2032: }}}
2033: \put(2101,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2034: {\rmdefault}{\mddefault}{\updefault}{$H$}%
2035: }}}
2036: \end{picture}
2037:
2038:
2039: \end{center}
2040: \caption{The graph $G(V,E)$ in Example \ref{80ex}}
2041: \label{figure80}
2042: \end{figure}
2043:
2044: Example \ref{exforcon} shows that $k$-connectivity does
2045: not necessarily imply weak $k$-hyper-connectivity.
2046: Example \ref{exforwd} shows that weak $k$-hyper-connectivity
2047: does not necessarily imply $k$-neighbor-connectivity.
2048: Example \ref{80ex} shows that $k$-neighbor connectivity
2049: does not necessarily imply weak $(n,k-1)$-connectivity for some $n\ge k$.
2050: %
2051: \subsection{$(0,\delta)$-Secure message transmission over neighbor networks}
2052: Wang and Desmedt \cite{wd} have given a sufficient condition
2053: for achieving $(0,\delta)$-security message transmission
2054: against a $k$-active adversary over neighbor networks. In this section,
2055: we show that their condition is not necessary.
2056: %
2057: \begin{theorem}
2058: \label{ntwk}
2059: (Wang and Desmedt \cite{wd})
2060: If $A$ and $B$ are {\it weakly $(n,k)$-connected}
2061: for some $k<n$, then there is an efficient $(0,\delta)$-secure
2062: message transmission between $A$ and $B$.
2063: \end{theorem}
2064:
2065: The condition in Theorem \ref{ntwk} is not necessary. For example,
2066: the neighbor network $G$ in Example \ref{exforwd} is not
2067: $2$-neighbor-connected, thus not weakly $(2,1)$-connected. In the following
2068: we present a $(0,\delta)$-secure message transmission protocol
2069: against a 1-active adversary from $A$ to $B$ for the neighbor network
2070: of Example \ref{exforwd} .
2071:
2072: \vskip 5pt
2073: \noindent
2074: {\bf Message transmission protocol for neighbor network $G$ in
2075: Example \ref{exforwd}.}
2076:
2077: \begin{algorithm}{99}
2078: \item $A$ chooses two random pairs $(r^A_1, r^A_2)\in_R {\bf F}^2$ and
2079: $(r^A_3, r^A_4)\in_R {\bf F}^2$. $A$ sends $(r^A_1, r^A_2)$ to $C$ and
2080: $(r^A_3, r^A_4)$ to $D$.
2081: \item $B$ chooses two random pairs $(r^B_1, r^B_2)\in_R {\bf F}^2$ and
2082: $(r^B_3, r^B_4)\in_R {\bf F}^2$. $B$ sends $(r^B_1, r^B_2)$ to $C$ and
2083: $(r^B_3, r^B_4)$ to $D$.
2084: \item $C$ chooses a random pair $(a_1,b_1)\in_R {\bf F}^2$. $C$ sends
2085: $(a_1+r^A_1, b_1+r^A_2)$ to $A$ and $(a_1+r^B_1, b_1+r^B_2)$ to $B$.
2086: \item $D$ chooses a random pair $(a_2,b_2)\in_R {\bf F}^2$. $D$ sends
2087: $(a_2+r^A_3, b_2+r^A_4)$ to $A$ and $(a_2+r^B_3, b_2+r^B_4)$ to $B$.
2088: \item From the messages received from $C$ and $D$, $A$ computes
2089: $(a_1^A,b_1^A)$ and $(a_2^A,b_2^A)$.
2090: \item From the messages received from $C$ and $D$, $B$ computes
2091: $(a_1^B,b_1^B)$ and $(a_2^B,b_2^B)$.
2092: \item $B$ chooses a random $r\in_R {\bf F}$,
2093: computes $s_1=\auth(r; a^B_1,b^B_1)$
2094: and $s_2=\auth(r; a^B_2,b^B_2)$. Using the probabilistically
2095: reliable message transmission protocol of Franklin and Wright \cite{fw},
2096: $B$ transmits $\langle r, s_1, s_2\rangle$ to $A$.
2097: \item Let $\langle r^A, s^A_1, s^A_2\rangle$ be the message
2098: received by $A$ in the last step, $A$ computes
2099: the key index set $K_{\mathrm{index}}
2100: =\{i: s^A_i=\auth(r^A;a_i^A,b_i^A)\}$.
2101: $A$ also computes the shared secret $K^A=\sum_{i\in
2102: K_{\mathrm{index}}}a^A_i$.
2103: \item Using the probabilistically reliable message transmission protocol
2104: of Franklin and Wright \cite{fw}, $A$
2105: transmits $\langle K_{\mathrm{index}}, M^A+K^A\rangle$ to $B$,
2106: where $M^A$ is the secret message.
2107: \item Let $\langle K^B_{\mathrm{index}}, c^B\rangle$
2108: be the message that $B$ received in the last step. $B$ computes the shared
2109: secret $K^B=\sum_{i\in K^B_{\mathrm{index}}}a^B_i$,
2110: and decrypts the message $M^B=c^B-K^B$.
2111: \end{algorithm}
2112:
2113: It is straightforward to check that the above protocol is an efficient
2114: $(0,\delta)$-secure message transmission protocol from $A$ to $B$
2115: against a 1-active adversary.
2116:
2117:
2118: Example \ref{reliablebutnotprivate} shows that for a general
2119: hypergraph, the existence of a reliable message transmission
2120: protocol does not imply the existence of a private message transmission
2121: protocol. We show that this is true for probabilistic reliability
2122: and perfect privacy in neighbor networks also.
2123: %
2124: \begin{ex}
2125: \label{ness}
2126: Let $G(V,E)$ be the neighbor network in Figure \ref{figure3} where
2127: $V=\{A,\allowbreak B,\allowbreak C,\allowbreak D,\allowbreak E,\allowbreak
2128: F,\allowbreak G\}$ and
2129: $E=\{(A,C),\allowbreak (C,D),\allowbreak (D,B),\allowbreak
2130: (A,E),\allowbreak (E,F),\allowbreak (F,B),\allowbreak
2131: (G,C),\allowbreak (G,D),\allowbreak (G,E),\allowbreak (G,F)\}$.
2132: Then there is a probabilistic reliable message transmission
2133: protocol from $A$ to $B$ against a 1-active adversary in $G$. But there is
2134: no
2135: private message transmission from $A$ to $B$ against a 1-passive (or
2136: 1-active)
2137: adversary in $G$.
2138: \end{ex}
2139:
2140:
2141: \begin{figure}[htb]
2142: \begin{center}
2143: \setlength{\unitlength}{3947sp}%
2144: %
2145: \begingroup\makeatletter\ifx\SetFigFont\undefined%
2146: \gdef\SetFigFont#1#2#3#4#5{%
2147: \reset@font\fontsize{#1}{#2pt}%
2148: \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
2149: \selectfont}%
2150: \fi\endgroup%
2151: \begin{picture}(2250,1335)(76,-586)
2152: {\thinlines
2153: \put(301, 89){\circle{150}}
2154: }%
2155: {\put(826,464){\circle{150}}
2156: }%
2157: {\put(1576,464){\circle{150}}
2158: }%
2159: {\put(2176, 89){\circle{150}}
2160: }%
2161: {\put(826,-286){\circle{150}}
2162: }%
2163: {\put(1576,-286){\circle{150}}
2164: }%
2165: {\put(1276, 89){\circle{150}}
2166: }%
2167: {\put(301,164){\line( 3, 2){450}}
2168: }%
2169: {\put(301, 14){\line( 3,-2){450}}
2170: }%
2171: {\put(901,-286){\line( 1, 0){600}}
2172: }%
2173: {\put(901,464){\line( 1, 0){600}}
2174: }%
2175: {\put(1651,464){\line( 3,-2){450}}
2176: }%
2177: {\put(1651,-286){\line( 5, 3){518.382}}
2178: }%
2179: {\put(901,-211){\line( 4, 3){300}}
2180: }%
2181: {\put(1351,164){\line( 1, 1){225}}
2182: }%
2183: {\put(901,389){\line( 4,-3){300}}
2184: }%
2185: {\put(1351, 14){\line( 1,-1){225}}
2186: }%
2187: \put( 76, 14){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2188: {\rmdefault}{\mddefault}{\updefault}{$A$}%
2189: }}}
2190: \put(2326, 14){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2191: {\rmdefault}{\mddefault}{\updefault}{$B$}%
2192: }}}
2193: \put(676,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2194: {\rmdefault}{\mddefault}{\updefault}{$C$}%
2195: }}}
2196: \put(1501,614){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2197: {\rmdefault}{\mddefault}{\updefault}{$D$}%
2198: }}}
2199: \put(751,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2200: {\rmdefault}{\mddefault}{\updefault}{$E$}%
2201: }}}
2202: \put(1576,-586){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2203: {\rmdefault}{\mddefault}{\updefault}{$F$}%
2204: }}}
2205: \put(1426, 14){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2206: {\rmdefault}{\mddefault}{\updefault}{$G$}%
2207: }}}
2208: \end{picture}
2209:
2210:
2211: \end{center}
2212: \caption{The graph $G(V,E)$ in Example \ref{ness}}
2213: \label{figure3}
2214: \end{figure}
2215: \begin{proof}
2216: It is straightforward to check that $G(V,E)$ is not weakly
2217: 2-hyper-connected.
2218: Indeed, in the hypergraph $H_G(V,E_h)$ of $G(V,E)$, the removal of node
2219: $G$ and the removal of the corresponding hyperedges
2220: will disconnect $A$ and $B$ completely. Thus Franklin and
2221: Yung's result in \cite{fy} shows that there is no private message
2222: transmission
2223: protocol against a 1-passive (or 1-active) adversary from $A$ to $B$.
2224: It is also straightforward to check that Franklin and Wright's
2225: \cite{fw} reliable message transmission protocol against a
2226: 1-active adversary works for the two paths $(A,C,D,B)$ and
2227: $(A,E,F,B)$.
2228: \hfill{Q.E.D.}\end{proof}
2229: %
2230: Though weak $k$-hyper-connectivity is a necessary
2231: condition for achieving probabilistically reliable and perfectly
2232: private message transmission against a $(k-1)$-active adversary, we do not
2233: know whether this condition is sufficient. We conjecture that there
2234: is no probabilistically reliable and perfectly
2235: private message transmission protocol against a 1-active
2236: adversary for the weakly 2-hyper-connected neighbor network $G(V,E)$ in
2237: Figure \ref{figure009}, where $V=\{A$, $B$, $C$, $D$, $E$, $F$, $G$, $H\}$
2238: and
2239: $E=\{(A,C)$, $(C,D)$, $(D,E)$, $(E,B)$, $(A,F)$, $(F,G)$, $(G,H)$,
2240: $(H,B)$, $(D,G)\}$. Note that in order to prove or refute our conjecture,
2241: it is sufficient to show whether there is a probabilistically
2242: reliable message transmission protocol against a 1-active
2243: adversary for the neighbor network. For this specific neighbor network,
2244: the trick in our previous protocol could be used to convert
2245: any probabilistically reliable message transmission protocol
2246: to a probabilistically reliable and perfectly
2247: private message transmission protocol against a 1-active
2248: adversary.
2249:
2250: \begin{figure}[htb]
2251: \begin{center}
2252: \setlength{\unitlength}{3947sp}%
2253: %
2254: \begingroup\makeatletter\ifx\SetFigFont\undefined%
2255: \gdef\SetFigFont#1#2#3#4#5{%
2256: \reset@font\fontsize{#1}{#2pt}%
2257: \fontfamily{#3}\fontseries{#4}\fontshape{#5}%
2258: \selectfont}%
2259: \fi\endgroup%
2260: \begin{picture}(2775,1110)(151,-436)
2261: {\thinlines
2262: \put(376,164){\circle{150}}}%
2263: {\put(976,464){\circle{150}}}%
2264: {\put(1576,464){\circle{150}}}%
2265: {\put(2176,464){\circle{150}}}%
2266: {\put(976,-136){\circle{150}}}%
2267: {\put(1576,-136){\circle{150}}}%
2268: {\put(2176,-136){\circle{150}}}%
2269: {\put(2776,164){\circle{150}}}%
2270: {\put(451,239){\line( 2, 1){450}}}%
2271: {\put(1051,464){\line( 1, 0){450}}}%CF
2272: {\put(1651,464){\line( 1, 0){450}}}%
2273: {\put(2251,464){\line( 2,-1){450}}}%
2274: {\put(451, 89){\line( 2,-1){450}}}%
2275: {\put(1051,-136){\line( 1, 0){450}}}%
2276: {\put(1651,-136){\line( 1, 0){450}}}%
2277: {\put(2251,-136){\line( 5, 2){530.172}}}%
2278: {\put(1576,389){\line( 0,-1){450}}}%
2279: \put(151, 89){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2280: {\rmdefault}{\mddefault}{\updefault}{$A$}%
2281: }}}
2282: \put(2926, 89){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2283: {\rmdefault}{\mddefault}{\updefault}{$B$}%
2284: }}}
2285: \put(901,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2286: {\rmdefault}{\mddefault}{\updefault}{$C$}%
2287: }}}
2288: \put(1501,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2289: {\rmdefault}{\mddefault}{\updefault}{$D$}%
2290: }}}
2291: \put(2101,539){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2292: {\rmdefault}{\mddefault}{\updefault}{$E$}%
2293: }}}
2294: \put(901,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2295: {\rmdefault}{\mddefault}{\updefault}{$F$}%
2296: }}}
2297: \put(1501,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2298: {\rmdefault}{\mddefault}{\updefault}{$G$}%
2299: }}}
2300: \put(2101,-436){\makebox(0,0)[lb]{\smash{\SetFigFont{12}{14.4}
2301: {\rmdefault}{\mddefault}{\updefault}{$H$}%
2302: }}}
2303: \end{picture}
2304:
2305:
2306: \end{center}
2307: \caption{The graph $G(V,E)$}
2308: \label{figure009}
2309: \end{figure}
2310: %
2311: \begin{thebibliography}{99}
2312: \bibitem{bgw}
2313: M.~Ben-Or, S.~Goldwasser, and A.~Wigderson.
2314: Completeness theorems for non-cryptographic
2315: fault-tolerant distributed computing.
2316: In: {\it Proc. ACM STOC, '88},
2317: pages 1--10, ACM Press, 1988.
2318:
2319: \bibitem{ccd}
2320: D.~Chaum, C.~Crepeau, and I.~Damgard.
2321: Multiparty unconditional secure protocols.
2322: In: {\it Proc. ACM STOC '88},
2323: pages 11--19, ACM Press, 1988.
2324:
2325: \bibitem{dwe02}
2326: Y.~Desmedt and Y.~Wang.
2327: Perfectly secure message transmission revisited.
2328: In: {\it Proc. Eurocrypt '02},
2329: pages 502--517, Lecture Notes in Computer Science 2332,
2330: Springer-Verlag, 2002.
2331:
2332: \bibitem{dolev}
2333: D.~Dolev. The Byzantine generals strike again.
2334: {\it J. of Algorithms}, {\bf 3}:14--30, 1982.
2335:
2336: \bibitem{ddwy}
2337: D.~Dolev, C.~Dwork, O.~Waarts, and M.~Yung.
2338: Perfectly secure message transmission.
2339: {\it J. of the ACM}, {\bf 40}(1):17--47, 1993.
2340:
2341:
2342: \bibitem{ff}
2343: L.R.~Ford and D.~R.~Fulkerson.
2344: {\it Flows in Networks}. Princeton University Press,
2345: Princeton, NJ, 1962.
2346:
2347: \bibitem{fw}
2348: M.~Franklin and R.~Wright.
2349: Secure communication in minimal connectivity models.
2350: {\it Journal of Cryptology}, {\bf 13}(1):9--30, 2000.
2351:
2352: \bibitem{fy}
2353: M.~Franklin and M.~Yung.
2354: Secure hypergraphs: privacy from partial broadcast.
2355: In: {\it Proc. ACM STOC '95},
2356: pages 36--44, ACM Press, 1995.
2357:
2358: \bibitem{gms}
2359: E.~Gilbert, F.~MacWilliams, and N.~Sloane.
2360: Codes which detect deception.
2361: {\it The BELL System Technical Journal},
2362: {\bf 53}(3):405--424, 1974.
2363:
2364: \bibitem{ggl}
2365: O.~Goldreich, S.~Goldwasser, and N.~Linial.
2366: Fault-tolerant computation in the full information model.
2367: {\it SIAM J. Comput.} {\bf 27}(2):506--544, 1998.
2368:
2369:
2370: \bibitem{ha}
2371: V.~Hadzilacos. {\it Issues of Fault Tolerance in Concurrent
2372: Computations}.
2373: PhD thesis, Harvard University, Cambridge, MA, 1984.
2374:
2375: \bibitem{MacWilliamsSloane78}
2376: F.~J. MacWilliams and N.~J.~A. Sloane.
2377: \newblock {\em The theory of error-correcting codes}.
2378: \newblock North-Holland Publishing Company, 1978.
2379:
2380: \bibitem{ms}
2381: R.~J. McEliece and D.~V. Sarwate.
2382: \newblock On sharing secrets and {Reed-Solomon} codes.
2383: \newblock {\em Comm. ACM}, {\bf 24}(9):583--584, September 1981.
2384:
2385: \bibitem{rab}
2386: T.~Rabin. Robust sharing of secrets when the dealer is honest
2387: or faulty. {\it J. of the ACM}, {\bf 41}(6):1089--1109, 1994.
2388:
2389: \bibitem{rb}
2390: T.~Rabin and M.~Ben-Or.
2391: Verifiable secret sharing and multiparty protocols with
2392: honest majority.
2393: In: {\it Proc. ACM STOC '89},
2394: pages 73--85, ACM Press, 1989.
2395:
2396:
2397: \bibitem{shamir}
2398: A.~Shamir.
2399: \newblock How to share a secret.
2400: \newblock {\em Commun. ACM}, {\bf 22}:612--613, November 1979.
2401:
2402: \bibitem{wd}
2403: Y.~Wang and Y.~Desmedt. Secure communication in multicast channels:
2404: the answer to Franklin and Wright's question.
2405: {\em J. of Cryptology}, {\bf 14}(2):121--135, 2001.
2406:
2407: \end{thebibliography}
2408: \end{document}