
    Algebraic Techniques for Low Communication Secure Protocols

    Internet communication is often encrypted with the aid of mathematical problems that are hard to solve. Another method to secure electronic communication is the use of a digital lock for which the digital key must be exchanged first. PhD student Robbert de Haan (CWI) researched models for guaranteed secure communication between two people without the exchange of a digital key and without assumptions concerning the practical difficulty of solving certain mathematical problems. In ancient times Julius Caesar used secret codes to make his messages illegible to spies. He shifted every letter of the alphabet by three positions: A became D, Z became C, and so on. Usually, cryptographers research secure communication between two people through one channel that can be monitored by malevolent people. De Haan studied the use of multiple channels. A minority of these channels may be in the hands of adversaries that can intercept, replace or block the message. He proved the most efficient way to securely communicate along these channels and thus solved a fundamental cryptography problem that was introduced almost 20 years ago by Dolev, Dwork, Naor and Yung.

    Secure message transmission in the general adversary model

    The problem of secure message transmission (SMT), due to its importance in both practice and theory, has been studied extensively. Given a communication network in which a sender S and a receiver R are indirectly connected by unreliable and distrusted channels, the aim of SMT is to enable messages to be transmitted from S to R with a reasonably high level of privacy and reliability. SMT must be achieved in the presence of a Byzantine adversary who has unlimited computational power and can corrupt the transmission. In the general adversary model, the adversary is characterized by an adversary structure. We study two different measures of security: perfect (PSMT) and almost perfect (APSMT). Moreover, reliable (but not private) message transmission (RMT) is considered as a specific part of SMT. In this thesis, we study RMT, APSMT and PSMT in two different network settings: point-to-point and multicast. To prepare the study of SMT in these two network settings, we present some ideas and observations on secret sharing schemes (SSSs), generalized linear codes and critical paths. First, we prove that the error-correcting capability of an almost perfect SSS is the same as that of a perfect SSS. Next, we regard general access structures as linear codes, and introduce some new properties that allow us to construct a pseudo-basis for efficient PSMT protocol design. In addition, we define adversary structures over "critical paths", and observe their properties. Having these new developments, the contributions on SMT in the aforementioned two network settings can be presented as follows. The results on SMT in point-to-point networks are obtained in three aspects. First, we show a Guessing Attack on some existing PSMT protocols. This attack is critically important to the design of PSMT protocols in asymmetric networks. Second, we determine necessary and sufficient conditions for different levels of RMT and APSMT. In particular, by applying the result on almost perfect SSS, we show that relaxing the requirement of privacy does not weaken the minimal network connectivity. Our final contribution in the point-to-point model is to give the first ever efficient, constant round PSMT protocols in the general adversary model. These protocols are designed using linear codes and critical paths, and they significantly improve some previous results in terms of communication complexity and round complexity. Regarding SMT in multicast networks, we solve a problem that has been open for over a decade. That is, we show the necessary and sufficient conditions for all levels of SMT in different adversary models. First, we give an Extended Characterization of the network graphs based on our observation of the eavesdropping and separating activities of the adversary. Next, we determine the necessary and sufficient conditions for SMT in the general adversary model with the new Extended Characterization. Finally, we apply the results to the threshold adversary model to completely solve the problem of SMT in general multicast network graphs.

    Efficient Robust Secret Sharing from Expander Graphs

    Threshold secret sharing is a protocol that allows a dealer to share a secret among $n$ players so that any coalition of $t$ players learns nothing about the secret, but any $t+1$ players can reconstruct the secret in its entirety. Robust secret sharing (RSS) provides the additional guarantee that even if $t$ malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret. When $t \geq \frac{n}{2}$, RSS is known to be impossible, but for $\frac{n}{3} < t < \frac{n}{2}$ much less is known. When $\frac{n}{3} < t < \frac{n}{2}$, previous RSS protocols could either achieve optimal share size with inefficient (exponential time) reconstruction procedures, or sub-optimal share size with polynomial time reconstruction. In this work, we construct a simple RSS protocol for $t = \left( \frac{1}{2} - \epsilon \right) n$ that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our share size increases by an additive term of $O(\kappa + \log n)$, and reconstruction succeeds except with probability at most $2^{-\kappa}$. This provides a partial solution to a problem posed by Cevallos et al. at Eurocrypt 2012. Namely, when $t = \left( \frac{1}{2} - O(1) \right) n$ we show that the share size in RSS schemes does not require an overhead that is linear in $n$. Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC '89) and Cevallos et al. (Eurocrypt '12) use MACs to allow each player to check the shares of every other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the $n$ players with nodes in an expander graph, and each player only checks its neighbors in the expander graph. When $t = \left\{ \frac{1}{2} - O(1) \right\} n$, the concurrent, independent work of Cramer et al. (Eurocrypt '15) shows how to achieve shares that decrease with the number of players using completely different techniques.

    Error Decodable Secret Sharing and One-Round Perfectly Secure Message Transmission for General Adversary Structures

    An error decodable secret-sharing scheme is a secret-sharing scheme with the additional property that the secret can be recovered from the set of all shares, even after a coalition of participants corrupts the shares they possess. In this paper we consider schemes that can tolerate corruption by sets of participants belonging to a monotone coalition structure, thus generalising both a related notion studied by Kurosawa, and the well-known error-correction properties of threshold schemes based on Reed-Solomon codes. We deduce a necessary and sufficient condition for the existence of such schemes, and we show how to reduce the storage requirements of a technique of Kurosawa for constructing error-decodable secret-sharing schemes with efficient decoding algorithms. In addition, we explore the connection between one-round perfectly secure message transmission (PSMT) schemes with general adversary structures and secret-sharing schemes, and we exploit this connection to investigate factors affecting the performance of one-round PSMT schemes such as the number of channels required, the communication overhead, and the efficiency of message recovery

    Secure message transmission and its applications

    In this thesis we focus on various aspects of secure message transmission protocols. Such protocols achieve the secure transmission of a message from a sender to a receiver - where the term “secure” encapsulates the notions of privacy and reliability of message transmission. These two parties are connected using an underlying network in which a static, computationally unlimited, active adversary able to corrupt up to t network nodes is assumed to be present. Such protocols are important to study as they are used extensively in various cryptographic protocols and are of interest to other research areas such as ad-hoc networks and military networks, amongst others. Optimal bounds for the number of phases (communication from sender to receiver or vice versa), connectivity requirements (number of node disjoint network paths connecting sender and receiver - denoted by n), communication complexity (complexity of the number of field elements sent - where F is the finite field used and |F| = q) and transmission complexity (proportion of communication complexity to complexity of secrets transmitted) for secure message transmission protocols have been proven in previous work. In the one-phase model it has been shown that n ≥ 3t+1 node disjoint paths are required to achieve perfect communication. In the two-phase model only n ≥ 2t+1 node disjoint paths are necessary. This connectivity is also the required bound for almost perfectly secure one-phase protocols - protocols which achieve perfect privacy but which, with negligible probability, may fail to achieve reliability. In such cases the receiver accepts a different message to that transmitted by the sender or does not accept any message.

    The main focus of recent research in secure message transmission protocols has been to present new protocols which achieve optimal transmission complexity. This has been achieved through the transmission of multiple messages. If a protocol has a communication complexity of O(n³) field elements, to achieve optimal transmission complexity O(n²) secrets will have to be communicated. This has somewhat ignored the simplification and improvement of protocols which securely transmit a single secret. Such improvements include constructing more efficient protocols with regards to communication complexity, computational complexity and the number of field elements sent throughout the whole protocol. In the thesis we first consider one-phase almost perfectly secure message transmission and present two new protocols which improve on previous work. We present a polynomial time protocol of O(n²) communication complexity which, at the time of writing this thesis, is computationally more efficient than any other protocol of similar communication complexity for the almost perfectly secure transmission of a single message. Even though our first almost perfectly secure transmission protocol is of polynomial time, it is important to study other protocols also and improve previous work presented by other researchers. This is the idea behind the second one-phase almost perfectly secure message transmission protocol we present, which requires an exponential complexity of field operations but lower (O(n)) communication complexity. This protocol also improves on previous protocols of similar communication complexity, requiring in the order of O(log q) less computation to complete - where q denotes the size of the finite field used. Even though this protocol is of exponential time, for small values of n (e.g. when t = 1, t = 2 or t = 3) it may be beneficial to use this protocol for almost perfectly secure communication as opposed to using the polynomial time protocol. This is because fewer field elements need to be transmitted over the whole network which connects a sender and a receiver. Furthermore, an optimal almost perfectly secure transmission protocol will be one with O(n) communication complexity and with polynomial computational complexity. We hope that in the future, other researchers will be inspired by our proposed protocol, improve on our work and ideally achieve these optimal results.

    We also consider multi-phase protocols. By combining various cryptographic schemes, we present a new two-phase perfectly secure single message transmission protocol. At the time of writing this thesis, the protocol is the most efficient protocol when considering communication complexity. Our protocol has a communication complexity of O(n²) compared to O(n³) of previous work, thus improving on the communication complexity by an order of O(n) for the perfectly secure message transmission of a single message. This protocol is then extended to a three-phase protocol where a multi-recipient broadcast end channel network setting is considered. As opposed to point-to-point networks where a path from a sender reaches a single receiver, this network model is new in the field of message transmission protocols. In this model each path from a sender reaches multiple receivers, with all receivers receiving the same information from their common network communication channel. We show how the use of this protocol upon such a network can lead to great savings in the transmission and computation carried out by a single sender. We also discuss the importance and relevance of such a multi-recipient setting to practical applications.

    The first protocols in the field of perfectly secure message transmission with a human receiver are also presented. This is a topic proposed by my supervisor Professor Yvo Desmedt for which I constructed solutions. In such protocols, one of the communicating parties is considered to be a human who does not have access to a computational device. Because of this, solutions for such protocols need to be computationally efficient and computationally simple so that they can be executed by the human party. Experiments with human participants were carried out to assess how easily and accurately human parties used the proposed protocols. The experimental results are presented and these identify how well human participants used the protocols.

    In addition to the security of messages, we also consider how one can achieve anonymity of message transmission protocols. For such protocols, considering a single-receiver multi-sender scenario, the presence of a t-threshold bounded adversary and the transmission of multiple secrets (as many as the number of senders), once the protocol ends one should not be able to identify the sender of a received message. Considering a passive and an active adversary, new protocols are presented which achieve the secure and anonymous transmission of messages in the information-theoretic security model. Our proposed solutions can also be applied (with minor alterations) to the dual problem when a single-sender multi-recipient communication setting is considered.

    The contributions of the thesis are primarily theoretical - thus no implementation of the proposed protocols was carried out. Despite this, we reflect on practical aspects of secure message transmission protocols. We review the feasibility of implementing secure message transmission protocols in general upon various networks - focusing on the Internet, which can be considered the most important communication network at this time. We also describe in theory how concepts of secure message transmission protocols could possibly be used in practical implementations for secure communication on various existing communication networks. Open problems that remain unsolved in the research area of the proposed protocols are also discussed and we hope that these inspire research and future solutions for the design (and implementation) of better and more efficient secure message transmission protocols.

    Three Improved Algorithms for Multi-path Key Establishment in Sensor Networks Using Protocols for Secure Message Transmission

    In this paper, we propose a security model to capture active attacks against multi-path key establishment (MPKE) in sensor networks. Our model strengthens previous models to capture more attacks and achieve essential security goals for multi-path key establishment. In this model, we can apply protocols for perfectly secure message transmission to solve the multi-path key establishment problem. We propose a simple new protocol for optimal one-round perfectly secure message transmission based on Reed-Solomon codes. Then we use this protocol to obtain two new multi-path key establishment schemes that can be applied provided that fewer than one third of the paths are controlled by the adversary. Finally, we describe another MPKE scheme that tolerates a higher fraction (less than 1/2) of paths controlled by the adversary. This scheme is based on a new protocol for a weakened version of message transmission, which is very simple and efficient. Our multi-path key establishment schemes achieve improved security and lower communication complexity, as compared to previous schemes

    A Survey on Perfectly-Secure Verifiable Secret-Sharing

    Verifiable Secret-Sharing (VSS) is a fundamental primitive in secure distributed computing. It is used as an important building block in several distributed computing tasks, such as Byzantine agreement and secure multi-party computation. VSS has been widely studied in various dimensions over the last three decades and several important results have been achieved related to the fault-tolerance, round-complexity and communication efficiency of VSS schemes. In this article, we consider VSS schemes with perfect security, tolerating computationally unbounded adversaries. We comprehensively survey the existing perfectly-secure VSS schemes in three different settings, namely synchronous, asynchronous and hybrid communication settings and provide the full details of each of the existing schemes in these settings. The aim of this survey is to provide a clear knowledge and foundation to researchers who are interested in knowing and extending the state-of-the-art perfectly-secure VSS schemes

    Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme

    In the model of perfectly secure message transmission schemes (PSMTs), there are $n$ channels between a sender and a receiver. An infinitely powerful adversary $\mathcal{A}$ may corrupt (observe and forge) the messages sent through $t$ out of the $n$ channels. The sender wishes to send a secret $s$ to the receiver perfectly privately and perfectly reliably without sharing any key with the receiver. In this paper, we show the first 2-round PSMT for $n = 2t+1$ such that not only is the transmission rate $O(n)$ but also the computational costs of the sender and the receiver are both polynomial in $n$. This means that we solve the open problem raised by Agarwal, Cramer and de Haan at CRYPTO 2006.

    Investigation of unconditionally secure multi-party computation

    Louis Cianciullo conducted an in-depth study of the cryptographic field of multi-party computation. He created a variety of different, novel cryptographic algorithms that improved upon the efficiency and security of existing protocols. His work aims to advance the state-of-the-art in privacy preserving technologies.

    Quantum Codes and Multiparty Computation: A Coding Theoretic Approach
