Verifiable Rational Secret Sharing Scheme in Mobile Networks

1 College of Computer and Information Engineering, Henan Normal University, Xinxiang 453007, China
2 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
3 Engineering Lab of Intelligence Business & Internet of Things, Xinxiang, Henan 453007, China
4 College of Mathematics and Information Science, Henan Normal University, Xinxiang 453007, China


Introduction
1.1. Background. Secret sharing plays an increasingly important role in modern cryptography. In classical (, ) secret sharing schemes [1, 2], a secret can be shared among  participants. Any  or more participants can reconstruct the secret, but  − 1 or fewer participants learn nothing about the secret. Recently, a series of secret sharing schemes were proposed in [3-6]. However, the schemes in [1-6] cannot prevent the dealer or the players from cheating. For example, in Shamir's scheme, suppose that one party does not broadcast his share while exactly −1 other players reveal theirs. He can still reconstruct the secret, although his cheating can be detected by the scheme [7-9].
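The withholding problem described above, as an added illustration written for this page (not code from the paper): (t, n) Shamir sharing over a constructed prime field, a reconstruction round in which player 1 stays silent while exactly t-1 others reveal, and a check that the revealing players' t-1 shares are consistent with every candidate secret, so only the silent player learns anything.

```python
import secrets

# Constructed parameters for the illustration: a prime field larger than any secret we share.
# The paper fixes no field; this choice is an assumption of the example.
P = 2**127 - 1

def make_shares(secret, t, n):
    """Shamir (t, n) sharing: random polynomial f of degree t-1 with f(0) = secret; share i is (i, f(i))."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def interpolate_at(points, x):
    """Lagrange evaluation at x of the unique polynomial of degree < len(points) through `points` (mod P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def withholding_round(secret, t, n):
    """Reconstruction round in which player 1 stays silent while exactly t-1 other players reveal.
    Returns (what the silent player recovers, the t-1 shares the revealing players are left with)."""
    shares = make_shares(secret, t, n)
    revealed = shares[1:t]      # players 2..t broadcast their shares
    silent = shares[0]          # player 1 withholds his share
    recovered = interpolate_at(revealed + [silent], 0)   # t shares in hand: full reconstruction
    return recovered, revealed

def implied_silent_share(revealed, candidate_secret, silent_x=1):
    """The share value player 1 would have to hold if the secret were `candidate_secret`, given
    only the t-1 revealed shares. Every candidate yields a valid, distinct value, so the
    revealing players cannot rule out any secret: t-1 shares carry no information."""
    return interpolate_at([(0, candidate_secret % P)] + list(revealed), silent_x)

if __name__ == "__main__":
    recovered, left = withholding_round(123456789, t=3, n=5)
    print("silent player recovers", recovered, "while the others hold only", len(left), "shares")
```

Detecting the missing broadcast (as the text notes) is easy; the example shows why detection alone does not restore fairness, which is the gap rational secret sharing addresses.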
Motivated by the desire to develop more realistic models, the cryptographic community has shown significant interest in protocols for rational secret sharing. Halpern and Teague [10] first introduced the notion of rational secret sharing. They pointed out that there exist many Nash equilibria which are, in some sense, unreasonable. Therefore, they focus on one particular refinement of Nash equilibrium, determined by iterated deletion of weakly dominated strategies. However, their protocols cannot work for 2-out-of-2 secret sharing and require an online dealer. Later, a series of rational secret sharing schemes [11-20] were proposed. However, none of them is fully satisfactory. The works in [11-13] rely on secure multiparty computation, which is a strong assumption. Kol and Naor's scheme [14] has information-theoretic security. However, their scheme does not resist coalitions. The works in [15, 16] require the involvement of trusted external parties during the reconstruction phase, which are difficult to find. The solution in [17] constructs a rational scheme based on repeated games. However, every player has a high probability of learning the secret in his last round. The works of Lepinski et al. [19, 20] and Izmalkov et al. [15, 18] can guarantee fairness, prevent coalitions, and eliminate side information. However, their solutions rely on physical assumptions such as secure envelopes and ballot boxes. The works in [10-14, 17, 21-25] assume the existence of a broadcast channel, which is not realistic. The works in [11-13, 19-27] need to exchange public keys, with the associated certificate management (revocation, storage, and distribution) and the computational cost of certificate verification.

Nowadays, with the development of mobile networks, a large percentage of the world's population has access to mobile phones, and fast mobile networks give users ubiquitous connectivity. New devices like smart phones and tablets provide users with many applications and services and have fundamentally changed our lives. However, smart phones and tablets are poor in computational resources such as processor speed, memory size, and disk capacity. A drawback of public key infrastructure (PKI) is that it is computationally very intensive, which makes it less suitable for mobile phones. From the discussion above, it seems clear that none of the above schemes can work in a mobile system.

Our Results.
In this paper, we propose a verifiable rational secret sharing scheme in mobile networks. The major contributions of this work are as follows.
(i) We present a new verifiable random function for the multiparty case, which provides a noninteractively verifiable proof of the correctness of participants' shares, so no handshake protocol is necessary.
(ii) There is no need for certificate generation, propagation, and storage in the scheme, which makes it more suitable for devices with limited size and processing power.
(iii) The public key in our approach is based on each participant's identity (e.g., telephone number or email address), which can be much shorter than the 1024-bit public key of the RSA cryptosystem.
(iv) Every participant uses her/his own encryption of each round's number as the secret share, and the dealer does not have to distribute any secret share, which reduces computational consumption and communication overhead.
(v) The participants do not know whether the current round is a test round or not, so no participant can gain more by cheating.
Finally, every player can obtain the secret fairly (meaning that either everyone receives the secret or no one does) in mobile networks. To the best of our knowledge, this is the first rational secret sharing scheme over mobile networks.

Overview. The rest of this paper is organized as follows. In Section 2, the preliminaries of game theory and cryptography for rational secret sharing are introduced. Section 3 introduces the rational secret sharing scheme in mobile networks. In Section 4, we analyze the new scheme. Finally, we present our conclusions in Section 5.

Preliminaries
2.1. Basics of Game Theory. We begin by introducing some basic terminology of game theory in this section. For more details, please refer to [28].
Game theory aims to help us understand situations in which decision-makers interact.A strategic game consists of three components: (a) a set of players; (b) a set of actions for each player; (c) for each player, preferences over the set of action profiles.
Definition 1 (Nash equilibrium). Let Γ = ({  }, {  }  =1 ) be a game presented in normal form. A strategy profile  = ( 1 , . . .,   ) ∈  is a Nash equilibrium if, for all  and every    ∈   , it holds that

Generally speaking, a Nash equilibrium captures the idea that no rational party has an incentive to deviate from the protocol. Everyone is playing a best response to everyone else, and no individual can do strictly better by moving away. The definition of Nash equilibrium is designed to model a steady state among experienced players. In a steady state, no player wishes to change her behavior, given the other players' behavior.
In a traditional secret sharing scheme, a player is regarded as either honest or malicious. However, in a rational secret sharing scheme, it may make more sense to view the players not as good or bad but as rational individuals trying to maximize their own utility [10]. We assume that any rational player   prefers to obtain the secret rather than miss it and, secondarily, prefers that as few as possible of the other players obtain it. We now introduce the definition of computational -immunity [13], in which utility functions take the security parameter  as input.
Definition 2 (computational -immune). Let  be an efficient protocol for a computing game and C be a set of coalitions (subsets of players). Let   be the set of sequences of random tapes for the first  iterations that do not cause  to end. A sequence  ∈   is of the form  = ( 1 , . . .,   ), where   = (  1 , . . .,    ) and    is the random tape used by player  in iteration .
The protocol  is computational -immune if, for every coalition  ∈ C and every sequence of tapes  0 = ( 1 0 , . . .,   0 ) ∈   used by the players in the first  rounds, there exists a negligible function () such that, for every player  ∈ , every efficient (deviating) joint strategy    for the players in , and every efficient joint strategy  − for the players in / implementing  − , it holds that (2)

Cryptographic Terminology
Definition 3 (bilinear pairing). Let  1 and  2 be multiplicative groups of prime order , and fix a generator of  1 .
A bilinear pairing is a map  :  1 ×  1 →  2 with the following properties.
(3) Computable: there is an efficient algorithm to compute (, V) for all , V ∈  1 .

Verifiable Random Function from Identity-Based Key Encapsulation (IB-KEM)
Verifiable random functions (VRFs) were first introduced by Micali et al. [29]. A VRF is a pseudorandom function that provides a noninteractively verifiable proof of the correctness of its output, and VRFs have many useful applications. References [29-32] each construct a VRF. Next, we briefly recall the VRF from a VRF-suitable IB-KEM [32].
The IB-KEM Scheme. An identity-based key encapsulation mechanism (IB-KEM) allows a sender and a receiver to agree on a random session key . It is defined by four algorithms: Setup(1  ) takes a security parameter as input and outputs a master key pair (mpk, msk); KeyDer(msk, ID) uses the master secret key to compute sk ID for identity ID; Encap(mpk, ID) computes a random session key  and a ciphertext ; Decap(, sk ID ) allows the receiver to decapsulate  to recover the session key . A VRF-suitable IB-KEM scheme [33] is defined by the following algorithms.
(i) Setup(1  ) is a probabilistic algorithm that takes as input a security parameter  and outputs a master public key mpk and a master secret key msk. Let  1 ,  2 be bilinear groups of prime order . Additionally, let :  1 ×  1 →  2 denote the bilinear map. The description of  1 contains a generator  ∈  1 . Then the algorithm picks a random  ←  *  , sets ℎ =   , and outputs the master key pair (mpk = (, ℎ), msk = ).
(ii) KeyDer(msk, ID): the key derivation algorithm uses the master secret key to compute the secret key sk ID =  1/(+ID) for identity ID.
(iii) Encap(mpk, ID): the encapsulation algorithm picks a random  ←   and computes a random session key  = (, )  using (mpk, ID). Moreover, it uses (mpk, ID) to compute a ciphertext  = (   ID )  encrypted under the identity ID.
(iv) Decap(C, sk ID ) allows the possessor of sk ID to compute the session key  from a ciphertext  as  = (, sk ID ).
The VRF (Gen, Func, and Ver) Construction
With a modification, we extend the VRF from a VRF-suitable IB-KEM [32] to the multiparty case, and this can be used in our rational secret sharing scheme. Let  1 , . . .,   be  participants, let ID  ∈ ID ( = 1, . . ., ) be the identity of   , where ID is the identity space, and let   be the private key of   . The construction is as follows.

The Model of Security
Init. The adversary declares the identity set  = (ID 1 , ID 2 , . . ., ID  ) on which he wants to be challenged.
Setup. The challenger runs the setup phase of the algorithm and gives the adversary the public parameters.
Phase 1. The adversary is allowed to issue private key queries for identities   , where |  ∩ | < .
Challenge. The adversary outputs a message  * . The challenger flips a random coin  and obtains a session key   . If  = 0, then   is correctly formed; otherwise   is random. Finally, it sends   to the adversary.
Phase 2. This goes exactly as Phase 1.
Guess. The adversary outputs a guess   of . The adversary wins if   = .
We define the advantage of an adversary in this game as Pr[  = ] − 1/2.

Protocol for Sharing Phase
Step 1. The dealer chooses an integer  real ∈  *  according to a geometric distribution with parameter . We discuss how to set  below. The dealer computes Gen(1  ) and obtains   .

Protocols for Reconstruction
We let  −1 = (0). The secret can be obtained as   = value ⊕  (); then the protocol continues.

Proof of Security
In this section, the proof of security is discussed.
Theorem 4. If an adversary can break our scheme, then one can build a simulator to solve the -DBDHI assumption with a nonnegligible advantage.
Proof. We assume there exists an adversary  that has a nonnegligible advantage () in breaking the protocol.
Then we can build a simulator  which is able to break the -DBDHI assumption with a nonnegligible advantage.
Phase 2. This goes exactly as Phase 1.
Guess. The adversary  outputs a guess   of . The simulator returns   as its guess as well.
For the sake of contradiction, suppose there exists a probabilistic polynomial time attacker  that can break the protocol with probability 1/2 + (). Then we can build a simulator  which is able to break the -DBDHI assumption with probability 1/2 + (). (The output of  is the same as the output of .) Because the -DBDHI problem is assumed to be hard, no adversary  has a nonnegligible advantage () in breaking the protocol. This completes the proof.
Theorem 5. The above rational secret sharing scheme is computational -immune, and every rational participant has an incentive to abide by the protocol.
Proof. Given the  −  public values (  ),   (  ), the two ( − 1)-degree polynomials (),   () cannot be constructed by anyone. So an adversary can learn nothing about the secret. Any  − 1 or fewer participants cannot obtain the secret either. In the scheme, any rational participant can detect and determine who is cheating.
The participant   gets utility  +  if the collusion  participates in the protocol and aborts in the real round with probability . Otherwise, the participant   's utility is ( guess ). Therefore, when the collusion  deviates, the expected utility of   is at most

When the collusion  abides by the protocol, the utility of the participant   is   . So, the rational collusion  has an incentive not to deviate from the protocol if the protocol satisfies

We denote by   the probability that players in  have only a negligible advantage over . There exists a negligible function () such that, for every , it holds that

We let  *  denote the utility when allowing for computational security. Then )) <   +  () .
That is, for every iteration and for all  ⊂ [] with || ≤  − 1, all  ∈ , and any    ∈ Δ(  ), no information about the secret is revealed. So, the scheme is computational -immune, and every rational player has an incentive to abide by the protocol.

Comparison
We compare the efficiency and security with previous rational secret sharing schemes as follows.
The work of Halpern and Teague [10] assumes the existence of simultaneous broadcast channels (SBC). Their schemes do not resist coalitions and have expected round complexity (5/ 3 ). The works in [11-13] rely on secure multiparty computation, which is inefficient. The work of Kol and Naor [14] shows how to avoid simultaneous broadcast, at the cost of increasing the round complexity; in addition, the scheme is not collusion-free, and the round complexity is (/). The works in [15, 16] require the involvement of trusted external parties during the reconstruction phase, which are difficult to find. The round complexity of Maleka et al. [17] is ( 2 ). The works of Izmalkov et al. [18] and Lepinski et al. [19, 20] rely on physical assumptions such as secure envelopes and ballot boxes. The works in [10-14, 17, 21-25] assume the existence of a broadcast channel, which is not realistic. The works in [11-13, 19-27] need a handshake protocol and the exchange of public keys, with the associated certificate management (distribution, storage, and revocation) and the computational cost of certificate verification, which are relatively expensive and limit their practical application to mobile networks.
In contrast with prior schemes, our scheme has the following properties.
(i) The round complexity is (1/) (the values of , , and  are roughly the same), and we assume neither multiparty computation, physical assumptions, nor a trusted party, which is more practical.
(ii) The scheme provides a noninteractively verifiable proof of the correctness of participants' shares, so no handshake protocol is necessary.
(iii) There is no need for certificate generation, propagation, and storage, which makes the scheme more suitable for devices with limited size and processing power.
(iv) The public key is based on each participant's identity, which can be much shorter than the 1024-bit public key of the RSA cryptosystem.
(v) Every participant uses her own encryption of each round's number as the secret share, and the dealer does not have to distribute any secret share, which reduces computational consumption and communication overhead.
(vi) The scheme withstands the conspiracy attack, and no player of the coalition  can do better, even if the whole coalition  cheats.

Conclusions
We propose a rational secret sharing scheme in mobile networks. The scheme, without needing to resort to a broadcast channel, eliminates the online certificate authority and simplifies key management, which is more practical for devices of limited size and processing power, such as mobile phones. In addition, the scheme assumes neither the availability of a trusted party nor multiparty computation in the reconstruction phase. Moreover, the scheme withstands the conspiracy attack, and no player of the coalition  can do better, even if the whole coalition  cheats. So, rational players have no incentive to cheat in the scheme, and, finally, every player can obtain the secret fairly in mobile networks.