Incentive-driven attacker for corrupting two-party protocols

Adversaries in two-party computation may sabotage a protocol, leading to possible collapse of the information security management. In practice, attackers often breach security protocols with specific incentives. For example, attackers manage to reap additional rewards by sabotaging computing tasks between two clouds. Unfortunately, most of the existing research works neglect this aspect when discussing the security of protocols. Furthermore, the construction of corrupting two parties is also missing in two-party computation. In this paper, we propose an incentive-driven attacking model where the attacker leverages corruption costs, benefits and possible consequences. We here formalize the utilities used for two-party protocols and the attacker(s), taking into account both corruption costs and attack benefits. Our proposed model can be considered as the extension of the seminal work presented by Groce and Katz (Annual international conference on the theory and applications of cryptographic techniques, Springer, Berlin, pp 81–98, 2012), while making significant contribution in addressing the corruption of two parties in two-party protocols. To the best of our knowledge, this is the first time to model the corruption of both parties in two-party protocols.


Introduction
Two-party protocols allow two distributed and distrustful parties to jointly consider a general function with their private inputs.Two-party protocols can be widely used in various fields such as cloud computing (Gao et al. 2018;Tian et al. 2018;Ibtihal et al. 2017;Zheng and Wang 2018), file encryption (Yang et al. 2018), verifiable computation (Chen et al. 2016), keyword searching (Li et al. 2015) and trust evaluation (Jiang et al. 2016(Jiang et al. , 2018;;Jhaveri et al. 2018).Normally, the security of two-party protocols is discussed with a single external attacker, who is assumed to arbitrarily sabotage the protocols by corrupting at most one party.In most cases, however, a realistic attacker often sabotages the security protocols with certain incentives instead of arbitrary purposes (Haddi and Benchaïba 2015;Zhao et al. 2012;Wu et al. 2014).If the attacker can justify his (or her) attacks, he (or she) will be motivated to launch the corruption such that the protocols are changed toward the way to benefit him (or her).On the other hand, corruption is not free for any involved party.Otherwise, any party will modify the protocols without any liability (Li et al. 2018;Liu et al. 2018b;Gupta et al. 2016).The settings of corrupting two parties are often missing, and it is less important to discuss the security of a protocol with two corrupted parties in two-party protocols.However, it has a great potential to consider the case of corrupting both parties for an incentive-driven attacker, who has to leverage corruption costs and possible benefits.It is worth pointing out that semihonest and malicious adversaries may never reveal authentic incentives (Li et al. 2017;Yu et al. 2018).
In this paper, we revisit the problem of incentive-driven attackers and corruption costs by significantly extending the framework reported in Groce and Katz (2012).We propose the new incentive-driven attacking model based on the intuition that no party will participate in a protocol without any benefit.Existing works assume parties are arbitrarily malicious, which is not proper for reality attackers.Rational parties take part into protocols to maximize their payoffs.It is rarely considered to corrupt two parties at the same time.However, currently corrupting two parties is in line with reality.For example, one malicious attacker learns additional information with respect to a protocol and can maximize his profit when obtaining inputs of both parties.At the same time, two parties in the protocol do not learn the additional information and can only obtain their own specific payoff when following the protocol.The malicious attacker has incentives to bribe both parties with a price, which is higher than the party's specific payoff, but lower than the maximize profit.On the other hand, the corrupted parties would like to sell their inputs and receive the bribe money.Therefore, we formalize this malicious attacker into an incentive-driven attacker and discuss the conditions when the bribe is feasible.The basic idea of this work is more or less similar to social engineering (Hadnagy 2010;Abraham and Chengalur-Smith 2010).The main contributions of our work are summarized below.
1. We propose a new incentive-driven attacking model for costing the corruption of two-party protocols.Our proposed model describes the price of an attack when the attacker(s) sabotage the protocols.This cost computation influences the decision made for the launch of any attack.2. We extensively discuss the required utilities under three corruption case studies.The significance of our work is the consideration of corrupting both parties, different from the other state-of-the-art techniques.3. We instantiate the incentives of the attacker(s) by largely extending the framework reported in Groce and Katz (2012).We take into account the private inputs from the parties involved in the protocols, which may lead to different outcomes.We substantially investigate the preconditions for the attacker(s) to successfully sabotage the protocols' security.
1.1 Comparison against the state of the arts Halpern and Teague (2004) introduced rational parties in secret sharing schemes and secure multi-party computation protocols, where rational parties have incentives to maximize their utilities.Asharov et al. (2011) presented formal definitions for the security of rational protocols with both positive and negative outputs on two-party protocols.Groce and Katz (2012) redefined utilities for rational parties.They proved that negative outcomes described in Asharov et al. (2011) can be avoided when rational parties were given proper incentives.However, their work has not considered the effects of costs on the corruption.Garay et al. introduced an external attacker and transferred a protocol to a two-party game (Garay et al. 2013).They also discussed the relationship between the corruption cost and the utilities when the attacker successfully broke privacy.However, they failed to present specific utility definitions with respect to the attacker's incentives.Furthermore, they only considered the corruption of partial parties instead of all the involved parties.Recently, bitcoin and blockchain (Meng et al. 2018;Lin et al. 2018;Liu et al. 2018a) are introduced as incentives in multi/two-party computation for correctness (Kumaresan and Bentov 2014) and fairness (Bentov and Kumaresan 2014;Andrychowicz et al. 2014).Andrychowicz et al. (2014) simulated fairness in two-party computation, where the party which does not learn the output may be awarded financial compensation.Unfortunately, their work does not cover the setting of corruption costs.Wang et al. (2018Wang et al. ( , 2016) ) propose rational secure two-party computation to describe the attacking model toward the view of game theory.Adat et al. (2018) propose an economic incentive-based risk transfer mechanism, which can prevent denial of service attack Adat et al. (2018) in Internet of Things.Their economic incentivebased agreement can provide additional security for Internet of Things if needed.Other attacking models consist of covert channels (Zhang et al. 2018) and correlated fading channels (Fan et al. 2017), which are out of the scope of this paper.
Our attacking model does not break the security of protocols per se.The attacker corrupts parties by stealing or bribing, which is the biggest difference from the work reported in Groce and Katz (2012).For the protocols, the attacker learns the output through cost estimation.On the other hand, honest or corrupted parties either obtain pecuniary compensation or certain beneficial outputs.We compare our work against the other and show the comparisons in Table 1.

Outlines
Section 2 presents the proposed environmental model and explains the used notions such as outcomes and expected utility.Section 3 shows the attacking model and defines the corresponding utility functions for different corruption cases.At the end of Sect.3, an instance based on the protocol of Groce and Katz (2012) is presented to show the possibility for an attacker to corrupt one party or both parties.Section 4 concludes this paper and presents future work.

Environmental model
In this paper, we consider a general two-party computation protocol π .Two distinct parties, who execute π , belong to set P = {A, B, C, D, . ..}.Note that parties may be entities such as hosts or machines.Let π P 1 P 2 denote an instance of π , where P 1 , P 2 ∈ P execute π with their inputs.Each party has his (or her) own identities such that they recognize each other in the specific protocol.Two parties can learn an output jointly with their inputs.Let A denote an attacker, either internal or external.The internal attacker is one of the parties inside the protocol and an external attacker outside the protocol.Note that the internal attacker belongs to P, who attacks the other parties by providing proper incentives.Recall that only external attackers are discussed in traditional two-party computation.In this paper, we consider the possibility of the internal attackers for simplicity.We will discuss this setting in the following sections.
The main target of the attacker is to learn the output of the protocol by attacking two parties in the protocol.The attacker is assumed to have the following abilities: (1) he (or she) controls the communication channel (like eavesdrop) between parties A and B; (2) the corruption is not free; (3) he (or she) may corrupt the parties to retrieve the identities (and the private inputs) to play protocol π .Here, corrupting one party has two styles.One is to steal inputs and identities with necessary costs without paying any cost for the corrupted parties.Another one is to bribe parties with bribery funds, and the corrupted parties reward the attacker afterward.
Let p A and p B denote the probabilities when the attacker bribes parties A and B, respectively.The attacker may learn the output by replacing the corrupted parties in protocol π with the stolen or rewarded inputs and identities from the corrupted parties.The difference between these two corruption styles is whether the corrupted parties are paid when they lose their inputs and identities.Both corruption styles are not free, and the costs are identical in both styles.Our model can apply to secure two-party computation protocols, where parties' identities are authenticated.The attacker may steal or bribe parties for their inputs and identities like session keys.
Suppose two parties A and B execute protocol π .In fact, any two parties belonging to P may execute the pro- } denote all the possible outcomes for A and B, respectively, where n denotes the number of the possible outcomes.Let vectors α = {α 1 , α 2 , α 3 , . . ., α n } and . ., u n B } denote the corresponding utilities for A and B, respectively.Therefore, parties A and B have the expected utilities The approach proposed in this paper is distinct from the established frameworks due to the incentives held by the attacker.The attacker A may not arbitrarily attack a protocol.Instead, he (or she) sabotages a protocol with specific incentives by paying necessary costs.We formulate the incentives through utilities.That is, the attacker has incentives to sabotage a protocol if it brings positive utilities.Therefore, the attacker should find additional criteria in the computation for costs or losses.For example, the attacker has higher probability γ = {γ 1 , γ 2 , γ 3 , . . ., γ n } and δ = {δ 1 , δ 2 , δ 3 , . . ., δ n } on the outcomes of parties A and B. In this case, the corresponding outcome and utility of A are denoted as

. , u n
A }, respectively.Note that u A may be different under the cases of corruptions A and B. For simplicity, in this paper, we only use u A to denote the corresponding utility of A when one party is corrupted.It will not exclude the case where both A and B are corrupted, which is often ignored in two-party computation protocols.

Attacking model and the corresponding utility functions
The attacking model on two-party protocols consists of three corruption cases: no one is corrupted, only one is corrupted and both are corrupted.In this section, we only present definitions of the utility functions with respect to these cases.In the following section, we instantiate the utilities by using a concrete protocol.
No one is corrupted A and B execute protocol π .A corrupts no one.The expected utilities are shown in Eq. (1).
U A AB , U B AB and U A AB denote the expected utilities of A, B and A, respectively, in the protocol π AB .The utility of A is the function of the intermediate messages m 1 , m 2 , . . ., m n within protocol π .It is hard to measure the attacker's utility when he/she does not participate in the protocol.Therefore, we assume a function f (•) with respect to the intermediate messages to denote his utility.

One party is corrupted
We only present the expected utility of the case when A is corrupted.The case when B is corrupted is analogously defined.A corrupts A with cost c A .The corruption cost c A should be at least U A AB , otherwise A would not accept the corruption.A participates in the protocol π with B instead of A. The expected utilities are demonstrated in Eq. ( 2). (2) denote the expected utilities of A, B and A, respectively, in the protocol π .Δ A denotes the utility if A does not learn the output.

Both is corrupted
Generally, corruption of two parties is often neglected since it is less important to discuss security property in two-party computation (Goldreich 2009).In this paper, we consider the attacking model on parties instead of the protocol itself.That is, the protocol per se is secure.On the contrary, we allow the attacker to corrupt the two parties with double costs.The balance between the utility gained by the corruption and the costs may be much higher than 0, which refers to the incentives for the attacker.In the example of two millionaires (Yao 1982), we assume that the inputs of two millionaires are x and y, respectively.Let Greater( f (x, y) x>y ) = (yes, no) if x > y, otherwise Greater( f (x, y) x>y ) = (no, yes), where the first value is returned to the first millionaire and the second value to the second millionaire.It is identical for the attacker to corrupt one party and two parties if x > y or x < y.An extreme case is x = y.If the attacker corrupts one party, he (or she) can learn which is of larger cost and the output of one party is either yes or no.However, if the attacker corrupts two parties, he (or she) may have the output (no, no), which means two millionaires have the same amount of money.If the attacker is another millionaire, the corruption of the two parties may infer additional information.In this paper, we include the case of the corruption of two parties and reason the practical scenario.It is possible A can learn the output by itself.The expected utilities are depicted in Eq. 3. (3) AA and U A AA denote the utilities for parties A, B and A, respectively.Δ A denotes the utility when A learns the output.Δ A is the utility when A does not learn the output.Δ B denotes the utility when B does not learn the output.
We only list the utilities for general cases, and the concrete utilities depend on specific implements.An instance of utilities are presented in the following section.

The basic framework of the hybrid protocol
We apply our proposed attacking model to the protocols (Moran et al. 2009;Katz 2007;Gordon et al. 2008;Gordon and Katz 2012;Groce and Katz 2012), which include a "preprocessing" stage and a "share-exchanging" stage.Recall that in the first stage, there exists a trusted party.We restate the framework of Groce and Katz (2012) for completeness.
The first stage of our proposed framework 1.Two parties A and B present their private inputs x A and x B to the trusted party, which correctly computes f (x A , x B ). 2. The trusted party selects i * (i * ∈ {1, 2, . . ., n}) according to a geometric distribution p.

Random values r A
i and r B i are chosen: (a) r A i and r B i are randomly chosen in the domain of f (•) (Black 2000) on values s A i , s B i and t A i , t B i are also generated to guarantee the validity of the shares.5. s A i , s B i and t A i , t B i with their corresponding message authentication codes are presented to A and B, respectively.
There are altogether n rounds in the second stage.A and B exchange their shares in each round.Groce and Katz (2012) Correct Incorrect The second stage of our proposed framework 1.In the ith round, (a) A firstly passes t B i to B. B ensures the validity of the shares using the corresponding message authentication codes.B computes r B i = t B i ⊕ s B i and the protocol moves to the second step.(b) B passes s A i to A. A verifies the validity of the shares using the corresponding message authentication codes.A computes r A i = t A i ⊕ s A i .2. Each party considers its latest reconstructed value as its final output.3.If both parties do not abort in the ith round, the protocol will move into the i + 1th round.
The utility matrix of Groce and Katz (2012) can be presented in a matrix (ref.

Analysis of the attacking model
We apply our attacking model to the protocol of Groce and Katz (2012), where both parties A and B are rational without the participation of an external/internal attacker A. There are two stages in Groce and Katz (2012): A and B receive shares of the result at the end of the first stage and exchange the shares in the second stage to reconstruct the result.In this paper, we consider practical settings and an attacking model for the second stage.
1. Suppose A and B have private types: honest or dishonest with incomplete information.Here, honest means that the parties honestly pass shares in each round and dishonest means that the parties abort in a certain round.Note that we do not consider the case where parties send fake shares since they will be detected due to the validity of message authentication codes (Black 2000).2. A and B have a prior probability on the private types.
B treats A as honest with probability μ.A regards B as honest with probability ν.Both parties hold the expected utilities at the end of the protocol.3. The practical attacker A owns some additional information on the private types of A and B. A regards A as honest with probability μ and B as honest with probability ν.We assume that η > μ and θ > ν.Otherwise, A has no incentives to attack this protocol.Note that A and B learn nothing about η and θ .Furthermore, they may not even know that A own the additional information.4. A may seek some advantage attacking one party or both of them, which depends on the utility functions.Here, when stating A corrupts the parties, we mean that A bribes one party or both the parties with required costs and participate the protocol with the replacement of the party or both of them.
Table 2 shows that b Correct means that the party learns the correct output, and Incorrect means that the party learns an incorrect output.In Groce and Katz (2012), the utilities of A and B are defined according to Table 2.
In this section, we list the expected utility of A and analyze the conditions for A to corrupt only one party.Consequently, the conditions for the cases, no one or both are corrupted, can be drawn based on the conditions mentioned above.That is, A has incentives to corrupt one party if he gets advantages for him compared with the case when no one is corrupted.Therefore, we should first get the expected utilities U A and U B when no one is corrupted, which are detailed below.Here, U H X and U D X denote the utility of X when A treats his (or her) opponent Y as an honest and dishonest ones, respectively, where X , Y ∈ {A, B, A} and X = Y [ref.Eq. ( 4)].
Let c A = U A , c B = U B be the maximum costs for A to corrupt A and B, respectively.Let U B AB = U B AB and Eq. ( 5)]. (5) Here, p denotes the probability of i = i * , after which round both parties reconstruct the output.However, B may reconstruct the output, but A cannot achieve the same when B receives the share and aborts in the i * th round.Let ϕ denote the probability of i < i * , where both parties reconstruct random values.Recall that we assume θ That is, given necessary information on the types of A and B, A has incentives to corrupt one party or both of them since the advantages are positive.

Definition 1
The advantage is defined as the additional income for an attacker, which is the attacker's utility minus the corruption cost.
The advantage is used for describing the attacker's incentives to corrupt parties.Recall that existing works malicious attackers sabotage protocols without reason, whom are simply assumed to break the security of the protocols.

Proposition 1 The attacker has incentives to corrupt parties if his advantage is positive.
In this paper, we utilize the notion of advantage to measure the incentives for the attacker to corrupt the parties.For example, the attacker has strong incentives to corrupt parties if advantage is large enough.
Proof (Brief:) The inequations θ > ν, η > μ mean that the attacker has additional information with respect to the private types of the parties.Each party learns little about the private type of his opponent.Therefore, they are cautious when they participate into the protocol.On the contrary, the attacker masters more information and he may take adventurous actions when he participate into the protocol.However, he should first corrupt one or two parties.Equation (5) lists the attacker's advantages when he corrupts A and B, respectively. Given Thus, the attacker has incentives to corrupt one or two parties according to Proposition 1.
As we have mentioned above, the attacker may be an internal party.For example, B may bribe A in the protocol.That is, B bribes A with cost c A , has the input of A and then learns the output.We assume the utility is still calculated referring to Table 2

A random solution for the proposed attacking model
The assumption on the adversary A is strong enough to corrupt both the parties, where the adversary's income is no less than c A + c B .However, we may have a sensible attacking model in practice if the adversary dominates the entire system.Therefore, measures must be taken to prevent such attack.The intuition is that two parties may resort to some cryptographic primitives in order to identify the membership of them.More specifically, two parties may request an accumulator, a one-way function (Derler et al. 2015), with probability ψ > 0 so as to enforce cooperation before they exchange their shares.The function of the accumulator is to proving a membership without leaking information with respect to any individual members.Note that ψ is not necessary to be 1 since the introduction of the accumulator through the hybrid protocol may increase the computational complexity.Therefore, we only choose a proper ψ to deter the adversary and prevent attacking.
In the scenario where the adversary corrupts two parties, one party (say A) has utility c A when he (or she) is corrupted (bribed).Suppose A calls an accumulator and cooperates with B with probability ψ, the expected utility is: ψa 1 + (1 − ψ)c A .It should satisfy ψa 1 + (1 − ψ)c A > c A such that the attack is prevented.It satisfies a 2 > c B for the same reason.Recall that in Eq. ( 2), u A γ T is at least a 1 and u A δ T is at least a 2 .In Eq. (3), Δ A is at least a 1 + a 2 , otherwise A has no incentives to corrupt one party or two parties.Therefore, the conditions for the two parties to resist the attack, where a 1 > c A or (and) a 2 > c B , are satisfied.That is, the adversary A cannot conduct the attack mentioned in Sect.4.2 when ψ > 0.

Conclusion
Secure two-party computation protocols may avoid attacks in the communication between two distributed parties in the presence of adversaries.In general, these protocols should satisfy specific security requirements like privacy, correctness and fairness.However, the abilities for the adversary are over-estimated and attacks to the system cannot be avoided in the real world.Therefore, the discussion under such settings can be made for impractical protocols.In this paper, we firstly considered a security problem in a realistic scenario, which cannot be directly solved by the existing two-party protocols.We proposed a new attacking model, where the attacker has asymmetrical information compared with the case of two parties.The attacker has incentives to corrupt one party or both of them if he (or she) is awarded enough by corrupting the protocols.We have derived the probability of corrupting both parties by giving an instance based on the protocol reported in Groce and Katz (2012).Finally, we compared our work against the other techniques in six aspects and concluded that our work has more better achievements than the others.
The future work includes the introduction of more intelligent settings like stealing shares instead of bribing parties.Furthermore, we will also consider the collusion between two parties or between the attacker and one party and demonstrate its impact on the communication security.

Table 2
Utility of