Efficient 2-Round General Perfectly Secure Message Transmission: A Minor Correction to Yang and Desmedt's Protocol

At Asiacrypt ’10, Yang and Desmedt proposed a number of perfectly secure message transmission protocols in the general adversary model. However, there is a minor flaw in the 2-round protocol in an undirected graph to transmit multiple messages. A small correction solves the problem. Here we fix the protocol and prove its security. 1 Brief Introduction The aim of perfectly secure message transmission (PSMT) is to transmit messages from a sender S to a receiver R in a network graph with perfect privacy and perfect reliability. Suppose a Byzantine adversary exists in the network, perfect privacy means that the adversary learns no information about the message, and perfect reliability means that the receiver R can output the messages correctly. We consider the general adversary model, in which the adversary is characterized by an adversary structure A [1]. Our protocol uses the following techniques: linear code, pseudo-basis and pseudo-dimension and randomness extractor. Since the goal of this paper is to fix a small part of Yang and Desmedt’s Asiacrypt paper, we refer to [2] for the other details, such as the model, the settings, etc. 2 Old 2-Round Undirected Protocol Here we copy the 2-round undirected protocol for multiple message transmission in an undirected network graph [2, pp. 460]. 2-round undirected protocol for ` = wtA(n− szA − 1) messages s1, . . . , s` Round 1 R to S: 1. R chooses wtAn random k-vectors r1, . . . , rwtAn ∈ F, and for each 1 ≤ i ≤ wtAn, S encodes ri to get codeword ci = EC(ri) = (ci1, . . . , cih). 2. For each 1 ≤ i ≤ n, R sends vectors ri+0·wtA , ri+1·wtA , . . . , ri+(wtA−1)wtA via path wi. R also sends codewords c1, . . . , cwtAn via W with respect to ψ. Round 2 S to R: 1. S receives wtA k-vectors ri+0·wtA , r ′ i+1·wtA , . . . , r ′ i+(wtA−1)wtA on each path wi (1 ≤ i ≤ n), and also receives wtAn h-vectors x1, . . . ,xwtAn from W . For each 1 ≤ i ≤ wtAn, let xi = (xi1, . . . , xih). 2. For each 1 ≤ i ≤ wtAn, S uses the pseudo-basis construction scheme to construct a pseudo-basis B from x1, . . . ,xwtAn. Let b be the pseudo-dimension of B, then b ≤ wtA. ? This result was originally going to appear in the full version of [2]. However, as required by some recent studies of this model, we show this correction on Cryptology ePrint Archive in advance. 3. For each 1 ≤ i ≤ wtAn, S encodes ri to get codeword ci = EC(ri) = (ci1, . . . , cih). S then constructs a set Di such that for each 1 ≤ j ≤ h, iff xij 6= cij , then (cij , j) ∈ Di. 4. For each 1 ≤ i ≤ wtAn, S decodes r′ i = DC(ri). S then constructs a set T such that iff |Di| ≤ wtA, then r′ i ∈ T . S uses the randomness extractor to get (z1, . . . , z`) = RE(T ), and for each 1 ≤ i ≤ `, S computes σi = si + zi. 5. S broadcasts the pseudo-basis B and σ1, . . . , σ`. For each 1 ≤ i ≤ wtAn, if |Di| > wtA, then S broadcasts “ignore i”; else, then S broadcasts Di. Recovery Phase 1. R finds the final error locator F from B. 2. For each Di that R receives on W , R constructs an h-vector c′′ i = (c ′′ i1, . . . , c ′′ ih) such that for each 1 ≤ j ≤ h, if (cij , j) ∈ Di, then c′′ ij = cij ; else, then c′′ ij = cij . R then decodes the information r′′ i of c ′′ i such that for any j ∈ F , c′′ ij is not used for decoding. R puts r′′ i in a set T ′. 3. R uses the randomness extractor to get (z′ 1, . . . , z ′ `) = RE(T ′), and for each 1 ≤ i ≤ `, R computes si = σi − z′ i. End. The original design of this protocol is to enable c′′ ij = c ′ ij for each j / ∈ F (1 ≤ j ≤ h) in the Recovery Phase. However, due to the existence of the invalid error vector [2], it is possible that cij 6= cij for some j / ∈ F and (cij , j) / ∈ Di. In this case c′′ ij = cij 6= cij . This may make the decoding unreliable. A minor correction can solve this problem, thus we fix this protocol in the next section. 3 Fixed 2-Round Undirected Protocol Here we give a fixed PSMT protocol which guarantees that T ′ = T , and hence the protocol is perfectly reliable. The protocol is almost the same as the original one. The only modifications are in Step 3 of Round 2 and Step 2 of the Recovery Phase. We emphasize the modifications using bold font and footnotes. Fixed 2-round undirected protocol for ` = wtA(n− szA − 1) messages s1, . . . , s` Round 1 R to S: 1. R chooses wtAn random k-vectors r1, . . . , rwtAn ∈ F, and for each 1 ≤ i ≤ wtAn, S encodes ri to get codeword ci = EC(ri) = (ci1, . . . , cih). 2. For each 1 ≤ i ≤ n, R sends vectors ri+0·wtA , ri+1·wtA , . . . , ri+(wtA−1)wtA via path wi. R also sends codewords c1, . . . , cwtAn via W with respect to ψ. Round 2 S to R: 1. S receives wtA k-vectors ri+0·wtA , r ′ i+1·wtA , . . . , r ′ i+(wtA−1)wtA on each path wi (1 ≤ i ≤ n), and also receives wtAn h-vectors x1, . . . ,xwtAn from W . For each 1 ≤ i ≤ wtAn, let xi = (xi1, . . . , xih). 2. For each 1 ≤ i ≤ wtAn, S uses the pseudo-basis construction scheme to construct a pseudo-basis B from x1, . . . ,xwtAn. Let b be the pseudo-dimension of B, then b ≤ wtA. 3. For each 1 ≤ i ≤ wtAn, S encodes ri to get codeword ci = EC(ri) = (ci1, . . . , cih). S then constructs a set Di such that for each 1 ≤ j ≤ h, iff xij 6= cij , then (cij , xij , j) ∈ Di. 4. For each 1 ≤ i ≤ wtAn, S decodes r′ i = DC(ri). S then constructs an ordered set T such that iff |Di| ≤ wtA, then r′ i ∈ T . S uses the randomness extractor to get (z1, . . . , z`) = RE(T ), and for each 1 ≤ i ≤ `, S computes σi = si + zi. 1 The only difference is that each tuple (cij , xij , j) ∈ Di has 3 elements now. In the old protocol the entry xij was not involved. A careful re-reading shows that a pair, i.e., ((c ′ ij − xij), j), can also be used, but here we use the 3-tuple for a simpler presentation.