1 Introduction

Cryptography in the traditional sense provides the confidentiality of messages between two parties, Alice and Bob. Symmetric-key cryptography requires the key to be shared before communication, and key agreement remains a problem to be resolved. Asymmetric-key cryptography (a.k.a. public-key cryptography) is free from the key agreement problem but must rely on some unproven computational hardness of mathematical problems. In the standard setting, we implicitly assume that there is a single channel between Alice and Bob. Since computer networks nowadays are like a web, we may assume that several channels are available for communication between Alice and Bob. Secure message transmission (SMT) is a scheme for communication between Alice and Bob in an environment in which several channels are available.

SMT is a two-party cryptographic protocol with n channels by which a sender Alice securely and reliably sends messages to a receiver Bob. SMT also assumes the existence of an adversary who can corrupt t channels out of the n channels. The adversary can eavesdrop on messages sent over the corrupted channels and alter them. We consider privacy and reliability as properties of SMT against the adversaries. Privacy means that the adversary can obtain no information on the messages Alice sends to Bob. Reliability means that the message Bob receives coincides with the message Alice sends. An SMT protocol is said to be perfect if the protocol satisfies both properties in the perfect sense. An SMT protocol is said to be almost-reliable if the protocol satisfies perfect privacy and allows transmission errors of small probability.

The notion of SMT was originally proposed by Dolev, Dwork, Waarts, and Yung [9]. They showed that any 1-round (i.e., non-interactive) perfect SMT must satisfy that \(t < n/3\), and any perfect SMT of at least two rounds must satisfy that \(t < n/2\). Since then, the efficiency of perfect SMT has been improved in the literature [3, 25, 28, 32]. The most efficient 2-round perfect SMT was given by Spini and Zémor [31]. In the case of almost-reliable SMT, the situation is different from the case of perfect SMT. Franklin and Wright [10] showed an almost-reliable SMT against \(t < n\) corruptions by using a public channel in addition to the usual channels. Later, Garay and Ostrovsky [15] and Shi et al. [30] gave the most round-efficient almost-reliable SMT protocols using public channels.

In the standard cryptographic setting, adversaries are assumed to be semi-honest or malicious. Semi-honest adversaries follow the protocol but try to extract secret information during the protocol execution. Malicious ones deviate from the protocol either to obtain secret information or to obstruct the protocol execution. In particular, malicious adversaries would do anything regardless of their risks. However, some adversaries realistically take their risks into account and behave rationally toward the other participants in the protocol. To incorporate the notion of “rationality” into cryptography, we employ game-theoretic ideas. Halpern and Teague [20] first investigated the power and the limitations of rational participants in secret sharing. Since then, rational secret sharing has been investigated in the literature [1, 6, 11, 24]. Besides secret sharing, rational settings have been employed in other cryptographic protocols such as leader election [2, 16], agreement protocols [18, 21], public-key cryptography [34, 35], two-party computation [5, 17], delegated computation [7, 19, 23], and protocol design [13, 14]. In particular, we can overcome the “impossibility barrier” in some cases [4, 12, 18] by considering that the adversaries behave rationally.

Fujita, Yasunaga, and Koshiba [12] studied a game-theoretic security model for SMT. They introduced rational “timid” adversaries who prefer to violate the security requirement of SMT but do not prefer the tampering actions to be detected. They showed that even if the adversary corrupts all but one of the channels, it is possible to construct perfect SMT protocols against rational timid adversaries. In the standard cryptographic setting, perfect SMT can be constructed only when the adversary corrupts a minority of the channels. This demonstrates a way of circumventing the impossibility results of cryptographic protocols based on a game-theoretic approach. In this paper, we further investigate the game-theoretic security of SMT.

In [12], the simplest game-theoretic setting (i.e., a 1-player game) was employed. In the 1-player game, the player’s behavior is determined by the strategy with the largest expected utility. In this paper, we consider the case of games for two or more players (i.e., adversaries). We study a game-theoretic setting in which all the channels may be corrupted by two or more independent rational timid adversaries. More specifically, we assume that there is more than one adversary, that the adversaries exclusively corrupt subsets of the channels, and that each prefers to violate the security of SMT without being detected. Additionally, we assume that each adversary prefers other adversaries’ tampering to be detected. Note that if a single adversary corrupts all the channels, we cannot hope for the security of SMT. We show that secure SMT protocols can be constructed even if all the channels are corrupted by such independent rational adversaries. One protocol uses a public channel, and the others do not.

  • We show that Shi et al.’s almost-reliable SMT protocol (after a minor adaptation) in [30], which uses a public channel, works as a perfect SMT against multiple independent rational adversaries. We assume that there are \(\lambda \ge 2\) adversaries, and adversaries \(i \in \{1,\dots ,\lambda \}\) exclusively corrupt \(t_i \ge 1\) channels such that \(t_1 + \dots + t_\lambda \le n\).

    Since we employ a Nash equilibrium as a solution concept, the result is not surprising. Nash equilibrium requires that no deviation increases the utility, assuming that the other adversaries follow the prescribed strategy. Since the security against a single adversary corrupting \(n-1\) channels is provided in [12], a similar argument can be applied in our setting, though slightly different utility functions should be considered.

  • To construct perfect SMT protocols without a public channel, we employ the idea of cheater-identifiable secret sharing (CISS), where every player who submits a forged share in the reconstruction phase can be identified. Intuitively, in the setting of rational SMT, timid adversaries will not tamper with shares because the tampering action will be detected with high probability, while the message can still be recovered from the other shares. We construct a non-interactive SMT protocol based on the idea of CISS due to Hayashi and Koshiba [22]. Technically, our construction employs pairwise independent (a.k.a. strongly universal) hash functions as the hash functions. Since the security requirements of CISS are not sufficient for proving the security of rational SMT, we provide a security analysis specific to our protocol rather than one for general CISS-based SMT protocols.

  • The limitation of CISS is that the number of forged shares should be a minority. Namely, the above construction only works for adversaries who corrupt at most \(\lfloor (n-1)/2 \rfloor \) channels. We show that a slight modification of the CISS-based protocol gives a perfect SMT protocol against strictly timid adversaries even if one of them may corrupt a majority of the channels. Adversaries are said to be strictly timid if they prefer their tampering being undetected to violating the reliability. A similar idea was used in the previous work of [12], where robust secret sharing is employed for the protocol against a strictly timid adversary. Since we consider independent adversaries who prefer other adversaries to be detected, CISS is suitable in this setting.

  • Finally, we consider the setting in which a malicious adversary exists as well as rational adversaries. Namely, there are several adversaries, all but one behave rationally, but one behaves maliciously. We believe this setting is preferable because the assumption that all of the adversaries are rational may not be realistic. Mixing of malicious and rational adversaries was studied in the context of rational secret sharing [1, 24]. We show that a modification of the CISS-based protocol achieves a non-interactive perfect SMT protocol against such adversaries. The protocol is secure as long as a malicious adversary corrupts \(t^* \le \lfloor (n-1)/3 \rfloor \) channels, and each rational adversary corrupts at most \(\min \{\lfloor (n-1)/2 \rfloor - t^*, \lfloor (n-1)/3 \rfloor \}\) channels.

We clarify the differences from the previous work of [12]. In [12], there is only one adversary who corrupts at most \(n-1\) channels. This setting can be seen as one in which there are two independent adversaries \(\mathcal {A}_1\) and \(\mathcal {A}_2\). While \(\mathcal {A}_1\) tries to violate the security of the SMT protocol by corrupting at most \(t \le n-1\) channels, the other adversary \(\mathcal {A}_2\), who corrupts \(n-t \ge 1\) channels, does nothing in the protocol. Thus, the setting of [12] can be seen as a weaker setting of independent adversaries. In other words, this work provides stronger results for the problem of SMT protocols against rational adversaries. The mixed setting of malicious and rational adversaries in this work is closest to the traditional cryptographic setting of SMT. Even in this setting, we present a non-interactive protocol against adversaries corrupting in total \(t < n/2\) channels, for which cryptographic SMT requires interaction or the weaker bound \(t < n/3\).

2 Secure Message Transmission

A sender \(\mathcal {S}\) and a receiver \(\mathcal {R}\) are connected by n channels, and in addition, they may use an authentic and reliable public channel. Messages sent over the public channel are publicly accessible and correctly delivered to the receiver. We assume that SMT protocols proceed in rounds. In each round, one party can synchronously send messages over the n channels and the public channel. The messages will be delivered before the next round starts.

The adversary \(\mathcal {A}\) can corrupt at most t channels. Such an adversary is referred to as a t-adversary. Messages sent over corrupted channels can be eavesdropped on and tampered with by the adversary. We assume that the adversary cannot delay messages over the corrupted channels. Namely, the tampered messages will be transmitted to the receiver in the same round. We also assume that \(\mathcal {A}\) is computationally unbounded.

Let \(\mathcal {M}\) be the message space. In SMT, the sender tries to send a message in \(\mathcal {M}\) to the receiver by using the n channels and the public channel, and the receiver outputs some message after the protocol execution. For an SMT protocol \(\varPi \), let \(M_S\) denote the random variable of the message sent by \(\mathcal {S}\) and \(M_R\) the message output by \(\mathcal {R}\) in \(\varPi \). An execution of \(\varPi \) can be completely characterized by the random coins of all the parties, namely, \(\mathcal {S}\), \(\mathcal {R}\), and \(\mathcal {A}\), and the message \(M_S\) sent by \(\mathcal {S}\). Let \(V_A(m, r_A)\) denote the view of \(\mathcal {A}\) when the protocol is executed with \(M_S = m\) and the random coins \(r_A\) of \(\mathcal {A}\). Specifically, \(V_A(m, r_A)\) consists of the messages sent over the corrupted channels and the public channel when the protocol is run with \(M_S = m\) and \(\mathcal {A}\)’s random coins \(r_A\).

We formally define the properties of SMT protocols.

Definition 1

A protocol between \(\mathcal {S}\) and \(\mathcal {R}\) is \((\varepsilon , \delta )\)-Secure Message Transmission (SMT) against t-adversary if the following three conditions are satisfied against any t-adversary \(\mathcal {A}\).

  • Correctness: For any \(m \in \mathcal {M}\), if \(M_S = m\) and \(\mathcal {A}\) does not corrupt any channels, then \(\Pr [ M_R = m ] = 1\),

  • Privacy: For any \(m_0, m_1 \in \mathcal {M}\) and \(r_A \in \{0,1\}^*\), it holds that

    $$\begin{aligned} \mathrm {SD}( V_A(m_0, r_A), V_A(m_1, r_A) ) \le \varepsilon , \end{aligned}$$

    where \(\mathrm {SD}(X, Y)\) denotes the statistical distance between two random variables X and Y over a set \(\varOmega \), which is defined by

    $$\begin{aligned} \mathrm {SD}(X, Y) = \frac{1}{2} \sum _{u \in \varOmega } \left| \Pr [X = u] - \Pr [Y = u] \right| , \end{aligned}$$

    and

  • Reliability: For any message \(m \in \mathcal {M}\), when \(M_S = m\),

    $$\begin{aligned} \Pr [ M_R \ne m ] \le \delta , \end{aligned}$$

    where the probability is taken over the random coins of \(\mathcal {S}\), \(\mathcal {R}\), and \(\mathcal {A}\).

If a protocol achieves (0, 0)-SMT, the protocol is called perfect SMT, and if a protocol achieves \((0,\delta )\)-SMT, which admits transmission failures of small probability \(\delta \), the protocol is called almost-reliable SMT.

For perfect SMT, Dolev et al. [9] showed the following.

Theorem 1

([9]). Perfect SMT protocols against t-adversary are achievable if and only if \(t < n/2\).

3 SMT Against Independent Rational Adversaries

We define our security model of SMT in the presence of independent rational adversaries. Rationality of the adversary is characterized by a utility function which represents the preference of the adversary over possible outcomes of the protocol execution.

We can consider various preferences of adversaries regarding the SMT protocol execution. The adversaries may prefer to violate the security of SMT protocols without the detection of tampering actions. In addition, they may prefer other adversaries to be detected by tampering actions. Here, we consider the adversaries who prefer (1) to violate the privacy, (2) to violate the reliability, (3) their tampering actions to be undetected, and (4) other adversaries’ actions to be detected.

To define the utility function, we specify the SMT game as follows. We assume that there are \(\lambda \) adversaries \(1, 2, \dots , \lambda \) for \(\lambda \ge 2\). The adversaries do not cooperate with one another. We assume that adversary \(j \in \{1, \dots , \lambda \}\) exclusively corrupts at most \(t_j\) channels out of the n channels for \(t_j \ge 1\), and that \(\sum _{j=1}^\lambda t_j \le n\).

The SMT Game. First, set parameters \(\mathsf {suc}= 0\) and \(\mathsf {guess}_j = \mathsf {detect}_j = 0\) for every \(j \in \{1,\dots ,\lambda \}\). Given an SMT protocol \(\varPi \) with the message space \(\mathcal {M}\), choose \(m \in \mathcal {M}\) uniformly at random, and run the protocol \(\varPi \) in which the message to be sent is \(M_S = m\). In the protocol execution, adversary j can exclusively corrupt at most \(t_j\) channels, and tamper with any messages sent over the corrupted channels. The sender or the receiver may send a special message “DETECT at i” for \(i \in \{1, \dots , n\}\), meaning that some tampering action was detected at channel i. Then, if adversary j corrupts channel i, set \(\mathsf {detect}_j = 1\). After running the protocol, the receiver outputs \(M_R\), and each adversary j outputs \(M_j\) for \(j \in \{1,\dots ,\lambda \}\). If \(M_R = M_S\), set \(\mathsf {suc}= 1\). For \(j \in \{1,\dots ,\lambda \}\), if \(M_j = M_S\), set \(\mathsf {guess}_j = 1\). The outcome of the game is \(\left( \mathsf {suc}, \{\mathsf {guess}_{j'},\mathsf {detect}_{j'}\}_{j'\in \{1,\dots ,\lambda \}}\right) \).

The utility of the adversary is defined as the expected utility in the SMT game.

Definition 2 (Utility)

The utility \(U_j(\mathcal {A}_1, \dots , \mathcal {A}_\lambda ,U)\) of adversary j when strategy \((\mathcal {A}_1,\dots ,\mathcal {A}_\lambda )\) and utility function U are employed is the expected value \(E[U(j, \mathsf {out})]\), where U is a function that maps index j and the outcome \(\mathsf {out}= \left( \mathsf {suc}, \{\mathsf {guess}_{j'},\mathsf {detect}_{j'}\}_{j'\in \{1,\dots ,\lambda \}}\right) \) of the SMT game to real values, and the probability is taken over the random coins of the sender, the receiver, and the adversaries, and a random choice of message \(M_S\).

Each adversary \(j \in \{1, \dots , \lambda \}\) tries to maximize the utility \(U_j\) by choosing a strategy \(\mathcal {A}_j\). Since the utility depends on the other adversaries’ strategies, we use game-theoretic notions in the security definition. We define the security of rational secure message transmission (RSMT). For strategies \(\mathcal {B}_1, \dots , \mathcal {B}_\lambda , \mathcal {A}_j\), we denote by \((\mathcal {A}_j,\mathcal {B}_{-j})\) the strategy profile \((\mathcal {B}_1, \dots , \mathcal {B}_{j-1}, \mathcal {A}_j, \mathcal {B}_{j+1}, \dots , \mathcal {B}_\lambda )\).

Definition 3 (Security of RSMT)

An SMT protocol \(\varPi \) is perfectly secure against rational \((t_1, \dots , t_\lambda )\)-adversaries with utility function U if there are \(t_j\)-adversary \(\mathcal {B}_j\) for \(j \in \{1, \dots , \lambda \}\) such that for any \(t_j\)-adversary \(\mathcal {A}_j\) for \(j \in \{1, \dots , \lambda \}\),

  1. Perfect security: \(\varPi \) is (0, 0)-SMT against \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\), and

  2. Nash equilibrium: \(U_j(\mathcal {A}_j,\mathcal {B}_{-j},U) \le U_j(\mathcal {B}_j,\mathcal {B}_{-j},U)\) for every \(j \in \{1,\dots ,\lambda \}\) in the SMT game.

The perfect security guarantees that the strategy profile \((\mathcal {B}_1,\dots ,\mathcal {B}_\lambda )\) is harmless. The Nash equilibrium guarantees that no adversary j can gain more utility by changing the strategy from \(\mathcal {B}_j\) to \(\mathcal {A}_j\). Thus, the above security implies that each adversary j has no incentive to deviate from the harmless strategy \(\mathcal {B}_j\).

In the security proof of our protocol, we will consider the strategy profile \((\mathcal {B}_1,\dots ,\mathcal {B}_\lambda )\) in which each adversary j does not corrupt any channels, and outputs \(M_j\) by choosing a message uniformly at random from \(\mathcal {M}\). For such \((\mathcal {B}_1,\dots ,\mathcal {B}_\lambda )\), the perfect privacy and reliability immediately follow if \(\varPi \) satisfies the correctness.

Timid Adversaries

We construct secure protocols against independent timid adversaries, who do not prefer the tampering actions to be detected, and prefer to violate the reliability.

Regarding the utility function, let \(U_\mathsf {timid}^\mathsf {ind}\) be the set of utility functions that satisfy the following conditions:

  1. \(U(j,\mathsf {out}) > U(j,\mathsf {out}')\) if \(\mathsf {suc}< \mathsf {suc}'\), \(\mathsf {guess}_j = \mathsf {guess}_j'\), and \(\mathsf {detect}_{j} = \mathsf {detect}_{j}'\),

  2. \(U(j,\mathsf {out}) > U(j,\mathsf {out}')\) if \(\mathsf {suc}= \mathsf {suc}'\), \(\mathsf {guess}_j = \mathsf {guess}_j'\), \(\mathsf {detect}_j < \mathsf {detect}_j'\), and \(\mathsf {detect}_{k} = \mathsf {detect}_{k}'\) for every \(k \in \{1, \dots , \lambda \} \setminus \{j\}\), and

  3. \(U(j,\mathsf {out}) > U(j,\mathsf {out}')\) if \(\mathsf {suc}= \mathsf {suc}'\), \(\mathsf {guess}_j = \mathsf {guess}_j'\), \(\mathsf {detect}_{k} > \mathsf {detect}_{k}'\) for some \(k \ne j\), and \(\mathsf {detect}_{j'} = \mathsf {detect}_{j'}'\) for every \(j' \in \{1, \dots , \lambda \} \setminus \{k\}\),

where \(\mathsf {out}= \left( \mathsf {suc}, \{\mathsf {guess}_j,\mathsf {detect}_j\}_{j\in \{1,\dots ,\lambda \}}\right) \) and \(\mathsf {out}' = (\mathsf {suc}', \{\mathsf {guess}_j',\mathsf {detect}_j'\}_{j\in \{1,\dots ,\lambda \}})\) are the outcomes of the SMT game.

In addition, timid adversaries may have the following property:

  4. \(U(j,\mathsf {out}) > U(j,\mathsf {out}')\) if \(\mathsf {suc}> \mathsf {suc}'\), \(\mathsf {guess}_j = \mathsf {guess}_j'\), \(\mathsf {detect}_j < \mathsf {detect}_j'\), and \(\mathsf {detect}_{k} = \mathsf {detect}_{k}'\) for every \(k \in \{1, \dots , \lambda \} \setminus \{j\}\).

Let \(U_\mathsf {st \text {-}timid}^\mathsf {ind}\) be the set of utility functions satisfying the above four conditions. An adversary is said to be timid if his utility function is in \(U_\mathsf {timid}^\mathsf {ind}\), and strictly timid if the utility function is in \(U_\mathsf {st\text {-}timid}^\mathsf {ind}\).

For \(j \in \{1,\dots ,\lambda \}\) and \(b \in \{0,1\}\), we write \(\mathsf {detect}_{-j}=b\) if \(\mathsf {detect}_{j'} = b\) for every \(j' \in \{1,\dots , \lambda \} \setminus \{j\}\). In the analysis of the security of our protocols, we use the following values of the utility of adversary \(j \in \{1,\dots ,\lambda \}\).

  • \(u_0\) is the utility when \(\Pr [\mathsf {guess}_j = 1] = \frac{1}{|\mathcal {M}|}\), \(\mathsf {suc}= 0\), \(\mathsf {detect}_{j}=0\), \(\mathsf {detect}_{-j}=1\),

  • \(u_1\) is the utility when \(\Pr [\mathsf {guess}_j = 1] = \frac{1}{|\mathcal {M}|}\), \(\mathsf {suc}= 0\), \(\mathsf {detect}_j=0\), \(\mathsf {detect}_{-j} = 0\),

  • \(u_2\) is the utility when \(\Pr [\mathsf {guess}_j = 1] = \frac{1}{|\mathcal {M}|}\), \(\mathsf {suc}= 1\), \(\mathsf {detect}_j=0\), \(\mathsf {detect}_{-j} = 0\),

  • \(u_3\) is the utility when \(\Pr [\mathsf {guess}_j = 1] = \frac{1}{|\mathcal {M}|}\), \(\mathsf {suc}= 0\), \(\mathsf {detect}_j=1\), \(\mathsf {detect}_{-j} = 0\), and

  • \(u_4\) is the utility when \(\Pr [\mathsf {guess}_j = 1] = \frac{1}{|\mathcal {M}|}\), \(\mathsf {suc}= 1\), \(\mathsf {detect}_j = 1\), \(\mathsf {detect}_{-j} = 0\).

For any utility function in \(U_\mathsf {timid}^\mathsf {ind}\), it holds that \(u_0> u_1 > \max \{u_2, u_3\}\) and \(\min \{u_2, u_3\} > u_4\). If the utility is in \(U_\mathsf {st \text {-}timid}^\mathsf {ind}\), it holds that \(u_0> u_1> u_2> u_3 > u_4\).

4 Protocol with Public Channel

We show that the SJST protocol of [30] works as a perfect SMT protocol against independent adversaries. See Sect. A.1 for the description of the protocol. More specifically, we slightly modify the SJST protocol such that in the second and the third rounds, if \(b_i = 1\) in B or \(v_i = 1\) in V for some \(i \in \{1, \dots , n\}\), the special message “DETECT at i” is also sent together.

Theorem 2

For any \(\lambda \ge 2\), let \(t_1, \dots , t_\lambda \) be integers satisfying \(t_1 + \dots + t_\lambda \le n\) and \(1\le t_i \le n-1\) for every \(i \in \{1, \dots , \lambda \}\). If the parameter \(\ell \) in the SJST protocol satisfies

$$\begin{aligned} \ell \ge \max _{t \in \{t_1, \dots , t_\lambda \}}\left\{ 1 + \log _2 t + \log _2 \frac{u_3 - u_4}{u_2 - u_4 - \alpha }, 1 + \frac{1}{t} \log _2 \frac{u_1-u_3}{\alpha } \right\} \end{aligned}$$

for some \(\alpha \in (0, u_2 - u_4)\), then the protocol is perfectly secure against rational \((t_1, \dots , t_\lambda )\)-adversaries with utility function \(U \in U_\mathsf {timid}^\mathsf {ind}\).

Proof

For each \(j \in \{1,\dots ,\lambda \}\), let \(\mathcal {B}_j\) be the adversary who does not corrupt any channels and outputs a uniformly random message from \(\mathcal {M}\) as \(M_j\). Then, the perfect security for \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\) immediately follows.

We show that \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\) is a Nash equilibrium. Since \(U_j(\mathcal {B}_1, \dots , \mathcal {B}_\lambda ) = u_2\) for \(j \in \{1,\dots ,\lambda \}\), it is sufficient to show that \(U_j(\mathcal {A}_j, \mathcal {B}_{-j}) \le u_2\) for any \(t_j\)-adversary \(\mathcal {A}_j\). Note that, since the SJST protocol achieves the perfect privacy against at most \(n-1\) corruptions, we have that \(\Pr [\mathsf {guess}_j = 1] = 1/|\mathcal {M}|\) for any \(t_j\)-adversary \(\mathcal {A}_j\).

Since messages in the second and the third rounds are sent through the public channel, the adversary \(\mathcal {A}_j\) can tamper with messages only in the first round. If \(\mathcal {A}_j\) changes the lengths of \(r_i\) or \(R_i\) of the i-th channel, the tampering will be detected, and hence \(\mathsf {detect}_j =1\). Thus, such tampering cannot increase the utility.

Suppose that \(\mathcal {A}_j\) corrupts \(t_j\) channels in the first round. Namely, there are exactly \(t_j\) distinct indices i such that \((r_i', R_i') \ne (r_i, R_i)\). Note that a tampering action such that \(r_i' \ne r_i\) and \(R_i' = R_i\) does not increase the probability that \(\mathsf {suc}= 0\), but may only increase that of \(\mathsf {detect}_j = 1\). Hence, we assume that \(R_i' \ne R_i\) for all the corrupted channels. Also, note that \(\mathcal {A}_j\) cannot cause \(\mathsf {detect}_{j'} = 1\) for \(j' \ne j\), since a message “DETECT at i” is sent only when tampering is made by an adversary who corrupts the i-th channel. Thus, the maximum utility \(U_j(\mathcal {A}_j,\mathcal {B}_{-j})\) is \(u_1\).

We define the following events:

  • \(E_1\): No tampering action is detected in the protocol,

  • \(E_2\): At least one but not all tampering actions are detected, and

  • \(E_3\): All tampering actions are detected.

Note that these three events are disjoint, and exactly one of them occurs. Thus, we have that \(\Pr [E_1] + \Pr [E_2] + \Pr [E_3]= 1\). It follows from the discussion in Sect. A.3 that the probability that the tampering action on one channel is not detected is \(2^{1-\ell }\). Since each hash function \(h_i\) is chosen independently for each channel i, we have that \(\Pr [ E_1] = 2^{(1-\ell ){t_j}}\). Similarly, we obtain that \(\Pr [ E_3 ] = (1 - 2^{1-\ell })^{t_j}\). Note that the utility when \(E_1\) occurs is at most \(u_1\). When \(E_2\) occurs, some tampering is detected, but some other tampering is not. Thus, we have \(\mathsf {suc}= 0\) and \(\mathsf {detect}_j = 1\). In the case of \(E_3\), all tampering is detected, so we have \(\mathsf {suc}= 1\) and \(\mathsf {detect}_j=1\). Hence, the utilities when \(E_2\) and \(E_3\) occur are at most \(u_3\) and \(u_4\), respectively. Therefore, the utility of adversary j is

$$\begin{aligned} U_j(\mathcal {A}_j, \mathcal {B}_{-j})&\le u_1 \cdot \Pr [E_1] + u_3 \cdot \Pr [E_2] + u_4 \cdot \Pr [E_3] \\&= u_3 + (u_1 - u_3) \Pr [E_1]- (u_3 - u_4)\Pr [E_3] \\&\le u_3 + (u_1 - u_3) \,2^{(1-\ell )t_j} - (u_3 - u_4)\left( 1- t_j\, 2^{1-\ell }\right) \\&\le u_3 + \alpha - (u_3 - u_4)\left( 1- t_j \,2^{1-\ell }\right) \qquad (1) \\&\le u_2, \qquad (2) \end{aligned}$$

where we use the relations \(\ell \ge 1 + \frac{1}{t_j} \log _2 \frac{u_1-u_3}{\alpha }\) and \(\ell \ge 1 + \log _2 t_j + \log _2 \frac{u_3 - u_4}{u_2 - u_4 - \alpha }\) in (1) and (2), respectively. Thus, the utility of adversary j when playing with \((\mathcal {A}_j, \mathcal {B}_{-j})\) is at most \(u_2\) for every \(j \in \{1,\dots ,\lambda \}\), and hence the statement follows.   \(\square \)

5 Protocol for Minority Corruptions

We provide a non-interactive SMT protocol based on secret sharing and pairwise independent hash functions. The protocol is secure against independent adversaries who each corrupt only a minority of the channels. Namely, we assume that each adversary corrupts at most \(\lfloor (n-1)/2 \rfloor \) channels. Note that, unlike the protocol in Sect. 4, the protocol does not use the public channel.

We describe the construction of our protocol. The protocol can employ any secret-sharing scheme of threshold \(\lfloor (n-1)/2 \rfloor \), for example Shamir’s scheme described in Sect. A.2. Let \((s_1, \dots , s_n)\) be the shares generated by the scheme from the message to be sent. Then, a pairwise independent hash function \(h_i\) is chosen for each \(i \in \{1, \dots , n\}\). For any \(j \ne i\), \(h_i(s_j)\) is computed as an authentication tag for \(s_j\). Then, \((s_i, h_i, \{h_i(s_j)\}_{j \ne i})\) will be sent through the i-th channel. When \(s_i\) is modified to \(s_i' \ne s_i\) by some adversary, the modification can be detected by the property of pairwise independent hash functions, because the adversary cannot modify all the tags \(h_j(s_i)\) for \(j \ne i\). In addition, a random mask \(r_{i,j}\) is applied to \(h_i(s_j)\) to conceal the information on \(s_j\) contained in \(h_i(s_j)\). The masks \(\{r_{j,i}\}_{j \ne i}\) for \(s_i\) will be sent through the i-th channel so that only the i-th channel reveals information on \(s_i\). Hence, the message sent through the i-th channel is \((s_i, h_i, \{ h_i(s_j) \oplus r_{i,j}\}_{j \ne i}, \{r_{j,i}\}_{j \ne i})\). As long as each adversary corrupts only a minority of the channels, a single adversary cannot cause erroneous detection of silent adversaries.

We give a formal description.

Protocol 1

Let \((\mathsf {Share}, \mathsf {Reconst})\) be a secret-sharing scheme of threshold \(\lfloor (n-1)/2 \rfloor \), where a secret is chosen from \(\mathcal {M}\), and the shares are defined over \(\mathcal {V}\). Let \(m \in \mathcal {M}\) be the message to be sent by the sender, and \(H = \{h :\mathcal {V} \rightarrow \{0, 1\}^\ell \}\) a class of pairwise independent hash functions in Sect. A.3.

  1. The sender does the following: Generate the shares \((s_1, \dots , s_n)\) by \(\mathsf {Share}(m)\), and randomly choose \(h_i \in H\) for each \(i \in \{1,\dots ,n\}\). Also, for every distinct \(i,j \in \{1,\dots ,n\}\), choose \(r_{i,j} \in \{0,1\}^\ell \) uniformly at random, and then compute \(T_{i,j} = h_i(s_j) \oplus r_{i,j}\). Then, for each \(i \in \{1,\dots ,n\}\), send \(m_i = \left( s_i, h_i, \{T_{i,j}\}_{j \in \{1,\dots , n\} \setminus \{i\}}, \{r_{j,i}\}_{j \in \{1, \dots , n\} \setminus \{i\}}\right) \) through the i-th channel.

  2. After receiving \(\tilde{m}_i = \left( \tilde{s}_i, \tilde{h}_i, \{\tilde{T}_{i,j}\}_{j \in \{1,\dots , n\} \setminus \{i\}}, \{\tilde{r}_{j,i}\}_{j \in \{1, \dots , n\} \setminus \{i\}}\right) \) on each channel \(i \in \{1, \dots , n\}\), the receiver does the following: For every \(i \in \{1,\dots ,n\}\), compute the list \(L_i = \left\{ j \in \{1, \dots , n\} \setminus \{i\} :\tilde{h}_i(\tilde{s}_j) \oplus \tilde{r}_{i,j} \ne \tilde{T}_{i,j}\right\} \). If a majority of the lists coincide with a list L, reconstruct the message \(\tilde{m}\) by \(\mathsf {Reconst}(\{i, \tilde{s}_i\}_{i \in \{1,\dots ,n\} \setminus L})\), send messages “DETECT at i” for every \(i \in L\), and output \(\tilde{m}\).
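
The following is an added toy instantiation of Protocol 1 (example code, not the paper's own) that runs the sender, the receiver's list-and-majority check, and a single-channel forgery to show the share being excluded from reconstruction. It assumes shares and messages in the prime field \(\mathbb {Z}_P\) with \(P = 2^{31}-1\), Shamir's scheme as \((\mathsf {Share}, \mathsf {Reconst})\), and the pairwise independent family \(h_{a,b}(x) = ax + b \bmod P\) with 31-bit tags and masks (so \(\ell = 31\)); channels are 0-based inside the code and reported 1-based in the DETECT list.

```python
import random
from typing import Dict, List, Optional, Tuple

# Assumptions of this example (not fixed by the paper): field Z_P with P = 2^31 - 1,
# Shamir sharing, and h_{a,b}(x) = a*x + b mod P with a, b uniform in Z_P as the
# pairwise independent family. Tags are < 2^31, so ell = 31 and masks are 31-bit strings.
P = 2**31 - 1
ELL = 31
rng = random.SystemRandom()

Msg = dict  # one channel message m_i = {"s": s_i, "h": h_i, "T": {j: T_{i,j}}, "r": {j: r_{j,i}}}


def share(m: int, n: int, tau: int) -> List[int]:
    """Shamir sharing over Z_P with a degree-tau polynomial whose constant term is m:
    any tau shares are independent of m, and tau+1 shares reconstruct it."""
    coeffs = [m % P] + [rng.randrange(P) for _ in range(tau)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in range(1, n + 1)]


def reconst(points: Dict[int, int]) -> int:
    """Lagrange interpolation at 0 from {x: share}, x being the 1-based channel index."""
    total = 0
    for i, si in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + si * num * pow(den, P - 2, P)) % P
    return total


def h_eval(h: Tuple[int, int], x: int) -> int:
    a, b = h
    return (a * x + b) % P


def sender(m: int, n: int) -> List[Msg]:
    """Step 1 of Protocol 1: the n channel messages m_i (0-based channel index)."""
    tau = (n - 1) // 2                                   # threshold floor((n-1)/2)
    s = share(m, n, tau)
    h = [(rng.randrange(P), rng.randrange(P)) for _ in range(n)]
    r = {(i, j): rng.getrandbits(ELL) for i in range(n) for j in range(n) if i != j}
    msgs: List[Msg] = []
    for i in range(n):
        tags = {j: h_eval(h[i], s[j]) ^ r[(i, j)] for j in range(n) if j != i}   # T_{i,j}
        masks = {j: r[(j, i)] for j in range(n) if j != i}                       # r_{j,i}
        msgs.append({"s": s[i], "h": h[i], "T": tags, "r": masks})
    return msgs


def receiver(msgs: List[Msg]) -> Tuple[Optional[int], List[int]]:
    """Step 2 of Protocol 1: compute the lists L_i, take the list L that a majority of
    them agree on, reconstruct from the shares outside L, and report DETECT at L (1-based)."""
    n = len(msgs)
    lists = []
    for i in range(n):
        # r_{i,j} travels on channel j, so the mask for checking s_j under h_i is msgs[j]["r"][i]
        bad = frozenset(j for j in range(n) if j != i and
                        h_eval(msgs[i]["h"], msgs[j]["s"]) ^ msgs[j]["r"][i] != msgs[i]["T"][j])
        lists.append(bad)
    for cand in set(lists):
        if lists.count(cand) > n // 2:                   # a majority of the lists coincide
            pts = {i + 1: msgs[i]["s"] for i in range(n) if i not in cand}
            return reconst(pts), sorted(i + 1 for i in cand)
    return None, []   # no majority list; the paper does not specify this case (assumption)


def tamper(msgs: List[Msg], channel: int) -> List[Msg]:
    """A t-adversary on one channel (0-based) replaces the share and re-randomizes the masks it
    carries; h_j and T_{j,i} on the other channels are outside its control and stay unchanged."""
    forged = dict(msgs[channel])
    forged["s"] = (msgs[channel]["s"] + rng.randrange(1, P)) % P      # s_i' != s_i
    forged["r"] = {j: rng.getrandbits(ELL) for j in forged["r"]}
    return msgs[:channel] + [forged] + msgs[channel + 1:]


def run(m: int, n: int, corrupted: Optional[int] = None) -> Tuple[Optional[int], List[int]]:
    """One execution: honest if corrupted is None, else with one forged channel."""
    msgs = sender(m, n)
    if corrupted is not None:
        msgs = tamper(msgs, corrupted)
    return receiver(msgs)


if __name__ == "__main__":
    print(run(123456789, 5))        # honest run: message recovered, no DETECT
    print(run(123456789, 5, 2))     # channel 3 forged: message recovered, DETECT at 3
```

With n = 5 the threshold is 2, so the forged share is dropped by the four honest lists and the remaining four shares still interpolate the message; a forgery goes unnoticed by a given honest list only when the re-randomized mask happens to match, which is the \(2^{1-\ell }\) term in the analysis.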

Theorem 3

For any \(\lambda \ge 2\), let \(t_1, \dots , t_\lambda \) be integers satisfying \(t_1 + \dots + t_\lambda \le n\) and \(1\le t_i \le \lfloor (n-1)/2 \rfloor \) for every \(i \in \{1, \dots , \lambda \}\). If the parameter \(\ell \) in Protocol 1 satisfies

$$\begin{aligned} \ell \ge \log _2\frac{u_1-u_4}{u_2-u_4} + 2 \log _2(n+1) -1, \end{aligned}$$

then the protocol is perfectly secure against rational \((t_1, \dots , t_\lambda )\)-adversaries with utility function \(U \in U_\mathsf {timid}^\mathsf {ind}\).

Proof

For \(k \in \{1, \dots , \lambda \}\), let \(\mathcal {B}_{k}\) be the \(t_k\)-adversary who does not corrupt any channels and outputs a random message as \(M_k\). First, note that, for any \(i \in \{1, \dots , n\}\), information on \(s_i\) can be obtained only from \(m_i\), the message sent over the i-th channel. This is because for any \(j \ne i\), \(h_j(s_i)\) is masked as \(h_j(s_i) \oplus r_{j,i}\), and the random mask \(r_{j,i}\) is included only in \(m_i\). Also, each \(s_i\) is a share of the secret sharing of threshold \(\lfloor (n-1)/2 \rfloor \). Since \(\mathcal {B}_k\) can obtain at most \(\lfloor (n-1)/2 \rfloor \) shares, \(\mathcal {B}_k\) can learn nothing about the message sent from the sender. Thus, the perfect security is achieved for \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\).

Next, we show that \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\) is a Nash equilibrium. For \(k \in \{1, \dots , \lambda \}\), let \(\mathcal {A}_k\) be any \(t_k\)-adversary. Since \(U_k(\mathcal {B}_1, \dots , \mathcal {B}_\lambda ) = u_2\), to increase the utility, \(\mathcal {A}_k\) needs to get either (a) \(\mathsf {suc}= 0\), or (b) \(\mathsf {suc}=1\), \(\mathsf {detect}_k=0\), and \(\mathsf {detect}_{k'}=1\) for some \(k' \ne k\).

For the case of (a), \(\mathcal {A}_k\) tries to change \(s_i\) into \(\tilde{s}_i \ne s_i\) for some \(i \in \{1, \dots , n\}\). Since \(\mathcal {A}_k\) does not corrupt some \(i' \in \{1, \dots , n\}\), the index i corrupted by \(\mathcal {A}_k\) will be included in the list \(L_{i'}\) unless \(h_{i'}(\tilde{s}_i) \oplus \tilde{r}_{i',i} = T_{i',i}\). Note that \(\tilde{s}_i\) and \(\tilde{r}_{i',i}\) are included in \(\tilde{m}_i\), and thus can be changed, but \(h_{i'}\) and \(T_{i',i}\) are in \(\tilde{m}_{i'}\), and thus have been unchanged. It follows from the property of pairwise independent hash functions that, given \(\tilde{s}_i \ne s_i\), this can happen with probability at most \(2^{1- \ell }\). Thus, i will be included in \(L_{i'}\) with probability at least \(1 - 2^{1-\ell }\). Since there are at least \(n - \lfloor (n-1)/2 \rfloor = \lceil (n+1)/2 \rceil \) such indices \(i'\), by the union bound the probability that a majority of the lists (namely, those of the uncorrupted channels) contain i is at least \(1 - \lceil (n+1)/2 \rceil \cdot 2^{1-\ell }\). Note that \(\mathcal {A}_k\) may corrupt \(\lfloor (n-1)/2 \rfloor \) channels in total. Again by the union bound, the probability that every tampered index is contained in a majority of the lists, which then coincide with a list L consisting exactly of the tampered indices, is at least \(1 - \lfloor (n-1)/2 \rfloor \cdot \lceil (n+1)/2 \rceil \cdot 2^{1-\ell } \ge 1 - (n+1)^2 \cdot 2^{-(\ell +1)}\). In that case, the message can be reconstructed from the remaining shares, since at least \(\lceil (n+1)/2 \rceil > \lfloor (n-1)/2 \rfloor \) of them are untampered, and thus we have \(\mathsf {suc}= 1\), \(\mathsf {detect}_k = 1\), and \(\mathsf {detect}_{k'} = 0\) for \(k' \ne k\), resulting in the utility \(u_4\). In the remaining case, since \(\mathcal {A}_k\) only corrupts a minority of the channels, it cannot cause \(\mathsf {detect}_{k'}=1\) for \(k'\ne k\), so the utility of \(\mathcal {A}_k\) is at most \(u_1\). Thus, the utility of adversary k when tampering as \(\tilde{s}_i \ne s_i\) is at most

$$\begin{aligned} U_k(\mathcal {A}_k, \mathcal {B}_{-k}) \le (n+1)^2\cdot 2^{-(\ell +1)} \cdot u_1 + \left( 1 - (n+1)^2\cdot 2^{-(\ell +1)}\right) \cdot u_4, \end{aligned}$$

which is at most \(u_2\) by the assumption on \(\ell \).
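Rearranging this bound makes explicit where the condition on \(\ell \) in Theorem 3 comes from (a worked step added here, not part of the original proof; it uses \(u_1 \ge u_2 > u_4\), which is also what makes the logarithm in the theorem well defined):

$$\begin{aligned} (n+1)^2\cdot 2^{-(\ell +1)} \cdot u_1 + \left( 1 - (n+1)^2\cdot 2^{-(\ell +1)}\right) \cdot u_4 \le u_2 &\iff (n+1)^2 \cdot 2^{-(\ell +1)} \cdot (u_1 - u_4) \le u_2 - u_4 \\ &\iff \ell + 1 \ge \log _2\frac{u_1-u_4}{u_2-u_4} + 2 \log _2(n+1) \\ &\iff \ell \ge \log _2\frac{u_1-u_4}{u_2-u_4} + 2 \log _2(n+1) - 1. \end{aligned}$$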

For the case of (b), \(\mathcal {A}_k\) needs to generate the corrupted message \(\tilde{m}_i\) for the i-th channel so that for a majority of indices \(j \in \{1,\dots ,n\}\), \(\tilde{h}_i(s_j) \oplus r_{i,j} \ne \tilde{T}_{i,j}\), where each j is corrupted by \(\mathcal {B}_{k'}\) with \(k' \ne k\), and thus \(r_{i,j}\) and \(s_j\) are not tampered with. Since \(\mathcal {A}_k\) only corrupts a minority of the channels, this cannot happen.

Therefore, \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\) is a Nash equilibrium.   \(\square \)

6 Protocol for Majority Corruptions

We present a protocol against adversaries who may corrupt a majority of the channels. We assume that adversaries are strictly timid in this setting. The protocol is a minor modification of the protocol for minority corruptions. In Protocol 1, the lists \(L_i\) of the corrupted channels are generated for each channel, and the final list L is determined by majority voting. Thus, if an adversary corrupts a majority of the channels, the result of the majority voting can easily be forged, and hence the protocol does not work for majority corruptions.

To cope with majority corruptions, we modify the protocol such that (1) the threshold of the secret sharing is changed from \(\lfloor (n-1)/2 \rfloor \) to \(n-1\), and (2) the final list L of the corrupted channels is the union of all the sets \(L_i\), namely, \(L = L_1 \cup \dots \cup L_n\). The threshold of \(n-1\) can be achieved by Shamir’s scheme. Intuitively, this protocol works for strictly timid adversaries because every detection is accepted without voting, and thus such adversaries will keep silent so as not to be detected.

We give a formal description of the protocol.

Protocol 2

Let \((\mathsf {Share}, \mathsf {Reconst})\) be a secret-sharing scheme of threshold \(n-1\), where a secret is chosen from \(\mathcal {M}\), and the shares are defined over \(\mathcal {V}\). Let \(m \in \mathcal {M}\) be the message to be sent by the sender, and \(H = \{h :\mathcal {V} \rightarrow \{0, 1\}^\ell \}\) a class of pairwise independent hash functions in Sect. A.3.

  1.

    The sender does the following: Generate the shares \((s_1, \dots , s_n)\) by \(\mathsf {Share}(m)\), and randomly choose \(h_i \in H\) for each \(i \in \{1,\dots ,n\}\). Also, for every distinct \(i,j \in \{1,\dots ,n\}\), choose \(r_{i,j} \in \{0,1\}^\ell \) uniformly at random, and then compute \(T_{i,j} = h_i(s_j) \oplus r_{i,j}\). Then, for each \(i \in \{1,\dots ,n\}\), send \(m_i = \left( s_i, h_i, \{T_{i,j}\}_{j \in \{1,\dots , n\} \setminus \{i\}}, \{r_{j,i}\}_{j \in \{1, \dots , n\} \setminus \{i\}}\right) \) through the i-th channel.

  2.

    After receiving \(\tilde{m}_i = \left( \tilde{s}_i, \tilde{h}_i, \{\tilde{T}_{i,j}\}_{j \in \{1,\dots , n\} \setminus \{i\}}, \{\tilde{r}_{j,i}\}_{j \in \{1, \dots , n\} \setminus \{i\}}\right) \) on each channel \(i \in \{1, \dots , n\}\), the receiver does the following: For every \(i \in \{1,\dots ,n\}\), compute the list \(L_i = \left\{ j \in \{1, \dots , n\} :\tilde{h}_i(\tilde{s}_j) \oplus \tilde{r}_{i,j} \ne \tilde{T}_{i,j}\right\} \). Then, set \(L = L_1 \cup \dots \cup L_n\). If \(L = \emptyset \), reconstruct the message \(\tilde{m}\) by \(\mathsf {Reconst}(\{i, \tilde{s}_i\}_{i \in \{1,\dots ,n\}})\), and output \(\tilde{m}\). Otherwise, send messages “DETECT at i” for every \(i \in L\), and output \(\bot \) as the failure symbol.

Theorem 4

For any \(\lambda \ge 2\), let \(t_1, \dots , t_\lambda \) be integers satisfying \(t_1 + \dots + t_\lambda \le n\) and \(1 \le t_i \le n-1\) for every \(i \in \{1, \dots , \lambda \}\). If the parameter \(\ell \) in Protocol 2 satisfies

$$\begin{aligned} \ell \ge \log _2\frac{u_0-u_3}{u_2-u_3} + 1, \end{aligned}$$

then the protocol is perfectly secure against rational \((t_1, \dots , t_\lambda )\)-adversaries with utility function \(U \in U_\mathsf {st\text {-}timid}^\mathsf {ind}\).

Proof

For \(k \in \{1, \dots , \lambda \}\), we define \(\mathcal {B}_{k}\) as the \(t_k\)-adversary who does not corrupt any channels and outputs a random message as \(M_k\). For the same reason as in the proof of Theorem 3, the protocol is perfectly secure against \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\): each \(s_i\) can be learned only from \(m_i\), and with threshold \(n-1\) even \(n-1\) shares reveal nothing about the message.

Next, we show that \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\) is a Nash equilibrium. Let \(\mathcal {A}_k\) be any \(t_k\)-adversary for \(k \in \{1,\dots ,\lambda \}\). As in the proof of Theorem 3, \(\mathcal {A}_k\) needs to yield either (a) \(\mathsf {suc}= 0\), or (b) \(\mathsf {suc}=1\), \(\mathsf {detect}_k=0\), and \(\mathsf {detect}_{k'}=1\) for some \(k' \ne k\). For the case of (a), \(\mathcal {A}_k\) needs to corrupt the i-th channel so that \(\tilde{s}_i \ne s_i\). Since \(t_k \le n-1\), there is at least one index \(i' \in \{1,\dots ,n\}\) that is corrupted by \(\mathcal {B}_{k'}\) with \(k' \ne k\), and the index i is included in the list \(L_{i'}\), and hence in \(L = L_1 \cup \dots \cup L_n\), with probability at least \(1-2^{1-\ell }\). Tampering with more than one share can only increase the chance of detection, since a single detected index already gives \(L \ne \emptyset \). If the tampering is detected, the receiver outputs \(\bot \), so \(\mathsf {suc}= 0\) and \(\mathsf {detect}_k = 1\), giving the utility \(u_3\); otherwise the utility is at most \(u_0\). Thus, the utility of adversary k is at most

$$\begin{aligned} U_k(\mathcal {A}_k, \mathcal {B}_{-k}) \le 2^{1-\ell } \cdot u_0 + \left( 1 - 2^{1-\ell }\right) \cdot u_3, \end{aligned}$$

which is at most \(u_2\) by the assumption on \(\ell \), because \(2^{1-\ell } \cdot (u_0 - u_3) \le u_2 - u_3\) holds exactly when \(\ell \ge \log _2\frac{u_0-u_3}{u_2-u_3} + 1\). For the case of (b), if some index is in the final list L, the receiver outputs \(\bot \) instead of reconstructing the message, so we have \(\mathsf {suc}= 0\). Namely, (b) does not happen. Thus, \((\mathcal {B}_1, \dots , \mathcal {B}_\lambda )\) is a Nash equilibrium.   \(\square \)

7 SMT Against Malicious and Rational Adversaries

In the previous sections, we have discussed SMT against independent rational adversaries, assuming that all the adversaries behave rationally. This assumption may be strong in that it requires every adversary to be characterized by the utility function we defined. In this section, we discuss more realistic situations in which some adversary may not behave rationally, but maliciously.

7.1 Rational SMT in the Presence of a Malicious Adversary

Without loss of generality, we assume that there are \(\lambda \ge 2\) adversaries, and adversaries \(1, \dots , \lambda -1\) are rational, and adversary \(\lambda \) behaves maliciously. We use the same definitions of the SMT game and the utility function in Sect. 3. We define robust security against rational adversaries. A similar definition appeared in the context of rational secret sharing [1]. For strategies \(\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1}, \mathcal {A}_\lambda , \mathcal {A}_j\) for \(j \in \{1,\dots ,\lambda -1\}\), we denote by \((\mathcal {A}_j,\mathcal {B}_{-j},\mathcal {A}_\lambda )\) the strategy profile \((\mathcal {B}_1, \dots , \mathcal {B}_{j-1}, \mathcal {A}_j, \mathcal {B}_{j+1}, \dots , \mathcal {B}_{\lambda -1}, \mathcal {A}_\lambda )\).

Definition 4 (Security of Robust RSMT)

An SMT protocol \(\varPi \) is \(t^*\)-robust perfectly secure against rational \((t_1, \dots , t_{\lambda -1})\)-adversaries with utility function U if there are \(t_j\)-adversary \(\mathcal {B}_j\) for \(j \in \{1, \dots , \lambda -1\}\) such that for any \(t_j\)-adversary \(\mathcal {A}_j\) for \(j \in \{1, \dots , \lambda -1\}\) and \(t^*\)-adversary \(\mathcal {A}_\lambda \),

  1.

    Perfect security: \(\varPi \) is (0, 0)-SMT against \((\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1},\mathcal {A}_\lambda )\), and

  2.

    Robust Nash equilibrium: \(U_j(\mathcal {A}_j,\mathcal {B}_{-j},\mathcal {A}_\lambda ,U) \le U_j(\mathcal {B}_j,\mathcal {B}_{-j},\mathcal {A}_\lambda ,U)\) for every \(j \in \{1,\dots ,\lambda -1\}\) in the SMT game.

Compared to Definition 3, robust RSMT requires that the perfect security is achieved even in the presence of a malicious adversary \(\mathcal {A}_\lambda \), and a strategy profile \((\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1},\mathcal {A}_\lambda )\) is a Nash equilibrium for adversary \(j \in \{1, \dots , \lambda -1\}\).

7.2 Protocol Against Malicious and Rational Adversaries

We show that a robust RSMT protocol can be constructed based on the protocol for minority corruptions in Sect. 5. For \(t^*\)-robustness against \((t_1, \dots , t_{\lambda -1})\)-adversaries, we assume that \(t^* \le \lfloor (n-1)/3 \rfloor \) and \(1 \le t_j \le \min \{ \lfloor (n-1)/2 \rfloor - t^*, \lfloor (n-1)/3 \rfloor \}\) for each \(j \in \{1, \dots , \lambda -1\}\). Our non-interactive protocol is obtained simply by changing the threshold of the secret sharing in Protocol 1 from \(\lfloor (n-1)/2 \rfloor \) to \(\lfloor (n-1)/3 \rfloor \). This protocol works because when only the malicious adversary deviates, corrupting at most \(\lfloor (n-1)/3 \rfloor \) channels, no transmission failure occurs thanks to the error-correction property of the secret sharing. Thus, perfect security is achieved in the presence of a malicious adversary. Even if some rational adversary deviates from the protocol together with the malicious adversary, they can affect at most \(t_j + t^* \le \lfloor (n-1)/2 \rfloor \) votes, and thus any tampering will be identified with high probability by the majority voting.

The formal description is given below.

Protocol 3

Let \((\mathsf {Share}, \mathsf {Reconst})\) be a secret-sharing scheme of threshold \(\lfloor (n-1)/3 \rfloor \), where a secret is chosen from \(\mathcal {M}\), the shares are defined over \(\mathcal {V}\), and the secret can be reconstructed even if \(\lfloor (n-1)/3 \rfloor \) out of n shares are tampered with. Let \(m \in \mathcal {M}\) be the message to be sent by the sender, and \(H = \{h :\mathcal {V} \rightarrow \{0, 1\}^\ell \}\) a class of pairwise independent hash functions in Sect. A.3.

  1.

    The sender does the following: Generate the shares \((s_1, \dots , s_n)\) by \(\mathsf {Share}(m)\), and randomly choose \(h_i \in H\) for each \(i \in \{1,\dots ,n\}\). For every distinct \(i,j \in \{1,\dots ,n\}\), choose \(r_{i,j} \in \{0,1\}^\ell \) uniformly at random, and then compute \(T_{i,j} = h_i(s_j) \oplus r_{i,j}\). For each \(i \in \{1,\dots ,n\}\), send \(m_i = \left( s_i, h_i, \{T_{i,j}\}_{j \in \{1,\dots , n\} \setminus \{i\}}, \{r_{j,i}\}_{j \in \{1, \dots , n\} \setminus \{i\}}\right) \) through the i-th channel.

  2.

    After receiving \(\tilde{m}_i = \left( \tilde{s}_i, \tilde{h}_i, \{\tilde{T}_{i,j}\}_{j \in \{1,\dots , n\} \setminus \{i\}}, \{\tilde{r}_{j,i}\}_{j \in \{1, \dots , n\} \setminus \{i\}}\right) \) on each channel \(i \in \{1, \dots , n\}\), the receiver does the following: For every \(i \in \{1, \dots , n\}\), compute the list \(L_i = \left\{ j \in \{1, \dots , n\} :\tilde{h}_i(\tilde{s}_j) \oplus \tilde{r}_{i,j} \ne \tilde{T}_{i,j}\right\} \). If a majority of the lists coincide with a list L, reconstruct the message \(\tilde{m}\) by \(\mathsf {Reconst}(\{i, \tilde{s}_i\}_{i \in \{1,\dots ,n\}})\), send messages “DETECT at i” for every \(i \in L\), and output \(\tilde{m}\).
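The three receivers side by side, as an added example that is not the paper's code: a Python instantiation of Protocols 1, 2 and 3 (it covers the receiver step of Protocol 1 and the union-of-lists receiver of Protocol 2 above as well). It assumes that shares, hash values and masks all live in the prime field \(\mathbb {Z}_P\), so the XOR masking \(T_{i,j} = h_i(s_j) \oplus r_{i,j}\) becomes addition mod P and the pairwise independent family is \(h_{a,b}(x) = ax + b \bmod P\); the error-correcting reconstruction of Protocol 3 is a brute-force search over \((t+1)\)-subsets of the shares rather than any particular decoder; and the message, channel counts and tampering strategies in `demo` are constructed for the demonstration.

```python
# Added example (not from the paper): toy instantiation of Protocols 1, 2 and 3.
# Assumptions: shares, hash values and masks live in the prime field Z_P, so the
# XOR masking of the paper becomes addition mod P; the pairwise independent family
# is h_{a,b}(x) = a*x + b mod P; Protocol 3's reconstruction is brute force.
import random
from itertools import combinations

P = (1 << 61) - 1  # Mersenne prime


def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share(m, t, n):
    """Shamir sharing with threshold t: s_i = f(i) for a random degree-t f with f(0) = m."""
    coeffs = [m] + [random.randrange(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in range(1, n + 1)}


def reconst(shares):
    return interpolate(list(shares.items()), 0)


def h_eval(h, x):
    a, b = h
    return (a * x + b) % P


def sender(m, t, n):
    """Step 1 of Protocols 1-3: m_i = (s_i, h_i, {T_{i,j}}_{j!=i}, {r_{j,i}}_{j!=i})."""
    s = share(m, t, n)
    h = {i: (random.randrange(P), random.randrange(P)) for i in s}
    r = {(i, j): random.randrange(P) for i in s for j in s if i != j}
    T = {(i, j): (h_eval(h[i], s[j]) + r[i, j]) % P for (i, j) in r}
    return {i: {"s": s[i], "h": h[i],
                "T": {j: T[i, j] for j in s if j != i},   # channel i's tags on the other shares
                "r": {j: r[j, i] for j in s if j != i}}   # masks the other channels used on s_i
            for i in s}


def lists(msgs):
    """L_i = { j : h_i(s_j) + r_{i,j} != T_{i,j} }; s_j and r_{i,j} are read from channel j."""
    return {i: {j for j, mj in msgs.items() if j != i
                and (h_eval(mi["h"], mj["s"]) + mj["r"][i]) % P != mi["T"][j]}
            for i, mi in msgs.items()}


def receive_p1(msgs):
    """Protocol 1: majority vote over the lists, reconstruct from the shares not in L."""
    L = lists(msgs)
    for cand in L.values():
        if 2 * sum(Li == cand for Li in L.values()) > len(msgs):
            return reconst({i: mi["s"] for i, mi in msgs.items() if i not in cand}), cand
    return None, None


def receive_p2(msgs):
    """Protocol 2: union of the lists; any detection yields the failure symbol (None)."""
    L = set().union(*lists(msgs).values())
    return (None, L) if L else (reconst({i: mi["s"] for i, mi in msgs.items()}), L)


def reconst_with_errors(shares, t, e):
    """Protocol 3: the degree-<=t polynomial agreeing with >= n-e shares; it is unique
    whenever n >= t + 1 + 2e, which holds for t = e = floor((n-1)/3)."""
    pts = list(shares.items())
    for subset in combinations(pts, t + 1):
        if sum(interpolate(subset, x) == y for x, y in pts) >= len(pts) - e:
            return interpolate(subset, 0)
    return None


def tamper(msgs, corrupt, target, delta=1):
    """Adversary holding the channels in `corrupt` (target included) alters s_target and
    re-derives T_{i,target} on every channel i it holds; honest channels' tags are untouched."""
    msgs = {i: {**mi, "T": dict(mi["T"]), "r": dict(mi["r"])} for i, mi in msgs.items()}
    msgs[target]["s"] = (msgs[target]["s"] + delta) % P
    for i in corrupt - {target}:
        msgs[i]["T"][target] = (h_eval(msgs[i]["h"], msgs[target]["s"]) + msgs[target]["r"][i]) % P
    return msgs


def demo(m=123456789, n=5):
    """Constructed scenarios; returns the four receiver results."""
    t = (n - 1) // 2
    p1_minor = receive_p1(tamper(sender(m, t, n), {1}, 1))            # one corrupted channel
    p1_major = receive_p1(tamper(sender(m, t, n), {1, 2, 3}, 1))      # three of five: vote forged
    p2_major = receive_p2(tamper(sender(m, n - 1, n), {1, 2, 3}, 1))  # union of lists still flags 1
    s7 = share(m, 2, 7)                                               # Protocol 3 sharing, n = 7
    s7[2], s7[6] = (s7[2] + 5) % P, (s7[6] + 9) % P                   # two shares hit by a malicious adversary
    return p1_minor, p1_major, p2_major, reconst_with_errors(s7, 2, 2)
```

With one corrupted channel, `receive_p1` recovers the message and names channel 1. When channels 1, 2 and 3 are corrupted, the three forged lists out-vote the two honest ones, so Protocol 1 returns an empty list together with a wrong message (for n = 5 and a shift of 1 on share 1 the interpolant at 0 is exactly m + 5, the Lagrange coefficient of node 1), which is the undetected failure the text describes; `receive_p2` on the same attack returns the failure symbol with L = {1}. The Protocol 3 reconstruction still recovers m with two of seven shares altered.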

For the security analysis, we define the values of utility of adversary \(j \in \{1,\dots ,\lambda -1\}\) such that

  • \(u_1'\) is the utility in the same case as \(u_1\) except that \(\mathsf {detect}_\lambda = 1\),

  • \(u_2'\) is the utility in the same case as \(u_2\) except that \(\mathsf {detect}_\lambda = 1\), and

  • \(u_4'\) is the utility in the same case as \(u_4\) except that \(\mathsf {detect}_\lambda = 1\).

The values \(u_1, u_2, u_4\) are defined as the case that \(\mathsf {detect}_{j'}=0\) for every \(j' \in \{1,\dots ,\lambda \} \setminus \{j\}\). In the above, the values \(u_1', u_2', u_4'\) are defined as \(\mathsf {detect}_{j'}=0\) for every \(j' \in \{1,\dots ,\lambda -1\} \setminus \{j\}\) and \(\mathsf {detect}_\lambda = 1\).

Theorem 5

For any \(\lambda \ge 2\), let \(t_1, \dots , t_{\lambda -1}, t^*\) be integers satisfying \(t_1 + \dots + t_{\lambda -1}+t^* \le n\), \(0 \le t^* \le \lfloor (n-1)/3 \rfloor \), and \(1\le t_i \le \min \{ \lfloor (n-1)/2 \rfloor - t^*, \lfloor (n-1)/3 \rfloor \}\) for every \(i \in \{1, \dots , \lambda -1\}\). If the parameter \(\ell \) in Protocol 3 satisfies

then the protocol is \(t^*\)-robust perfectly secure against rational \((t_1, \dots , t_{\lambda -1})\)-adversaries with utility function \(U \in U_\mathsf {timid}^\mathsf {ind}\).

Proof

For \(k \in \{1, \dots , \lambda -1\}\), let \(\mathcal {B}_{k}\) be the \(t_k\)-adversary who does not corrupt any channels and outputs a random message as \(M_k\). Let \(\mathcal {A}_\lambda \) be any \(t^*\)-adversary. Note that the information of \(s_i\) can be obtained only by seeing \(m_i\), since each \(h_j(s_i)\) is masked by \(r_{j,i}\), which is included only in \(m_i\). Since each \(s_i\) is a share of the secret sharing of threshold \(\lfloor (n-1)/3 \rfloor \), and \(\mathcal {A}_\lambda \) sees at most \(t^* \le \lfloor (n-1)/3 \rfloor \) of them, each of \(\mathcal {B}_k\) and \(\mathcal {A}_\lambda \) can learn nothing about the original message. Although at most \(t^*\) messages may be corrupted by \(\mathcal {A}_\lambda \), it follows from the property of the underlying secret sharing that the message can be correctly recovered in the presence of \(t^* \le \lfloor (n-1)/3 \rfloor \) corruptions out of n shares. Thus, the protocol is perfectly secure against \((\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1},\mathcal {A}_\lambda )\).

Next, we show that \((\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1},\mathcal {A}_\lambda )\) is a Nash equilibrium for any \(\mathcal {A}_\lambda \). When the strategy profile \((\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1},\mathcal {A}_\lambda )\) is employed, we have \(\mathsf {suc}= 1\). Hence, to increase the utility of adversary k, \(\mathcal {A}_k\) needs to get either (a) \(\mathsf {suc}= 0\), or (b) \(\mathsf {suc}=1\), \(\mathsf {detect}_k=0\), and \(\mathsf {detect}_{k'}=1\) for some \(k' \ne k\).

For the case of (a), \(\mathcal {A}_k\) tries to change \(s_i\) into \(\tilde{s}_i \ne s_i\) for some \(i \in \{1, \dots , n\}\). When playing with \((\mathcal {A}_k, \mathcal {B}_{-k},\mathcal {A}_\lambda )\), the number of corrupted channels is at most \(t_k + t^* \le \lfloor (n-1)/2 \rfloor \). Hence, a majority of the indices \(i'\) are corrupted by neither \(\mathcal {A}_k\) nor \(\mathcal {A}_\lambda \), and for each such \(i'\), the tampering on the i-th channel will be detected, namely, the list \(L_{i'}\) will include i with high probability. By the same argument as in the proof of Theorem 3, any tampering \(\tilde{s}_i \ne s_i\) by \(\mathcal {A}_k\) or \(\mathcal {A}_\lambda \) is detected with probability at least \(1 - (n+1)^2\cdot 2^{-(\ell +1)}\), in which case the message is still recovered from the remaining shares and \(\mathsf {detect}_k = 1\). Writing \((u_1^*, u_2^*, u_4^*)\) for \((u_1, u_2, u_4)\) when \(\mathsf {detect}_\lambda = 0\) and for \((u_1', u_2', u_4')\) when \(\mathsf {detect}_\lambda = 1\), we have that

$$\begin{aligned} U_k(\mathcal {A}_k, \mathcal {B}_{-k},\mathcal {A}_\lambda ) \le (n+1)^2\cdot 2^{-(\ell +1)} \cdot u_1^* + \left( 1 - (n+1)^2\cdot 2^{-(\ell +1)}\right) \cdot u_4^*, \end{aligned}$$

which is at most \(u_2^*\) by the assumption on \(\ell \).

For the case of (b), \(\mathcal {A}_k\) needs the result that \(j \in L_i\) for a majority of the lists \(L_i\), where the j-th channel is corrupted by adversary \(k'\). However, since \(\mathcal {A}_k\) and \(\mathcal {A}_\lambda \) together corrupt only a minority of the channels, this event cannot happen.

Thus, we have shown that \((\mathcal {B}_1, \dots , \mathcal {B}_{\lambda -1},\mathcal {A}_\lambda )\) is a robust Nash equilibrium for any \(\mathcal {A}_\lambda \).   \(\square \)

8 Conclusions

We have studied the problem of constructing SMT protocols against adversaries who may corrupt all the channels between the sender and the receiver. If all adversaries are malicious, we cannot hope for reliable transmission, because adversaries who intercept all the messages can cause transmission failure. Also, if a single adversary corrupts all the channels, we cannot achieve privacy, since the adversary obtains the same information as the receiver, who can recover the transmitted message. We have shown that if multiple rational adversaries exclusively corrupt the channels, perfectly secure SMT protocols can be constructed. Our results demonstrate that even if all the physical resources may be corrupted by adversaries, it is possible to provide secure protocols by taking into account the rationality and independence of each group of adversaries.