From daw@joseph.cs.berkeley.edu Fri Aug 16 22:55:31 PDT 1996
Article: 56344 of sci.crypt
Path: agate!not-for-mail
From: daw@joseph.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: The Paranoid Spy
Date: 16 Aug 1996 22:53:34 -0700
Organization: ISAAC Group, UC Berkeley
Lines: 156
Message-ID: <4v3mou$3rk@joseph.cs.berkeley.edu>
References: <4v32oj$c6g@net.auckland.ac.nz>
NNTP-Posting-Host: joseph.cs.berkeley.edu
In article <4v32oj$c6g@net.auckland.ac.nz>,
Jon Haugsand wrote:
>
> THE PARANOID SPY PROBLEM
> ------------------------
>
> A spy has falled in disgrace with his now former employer. However,
> due to all the knowledge he has collected he is afraid that he might
> be killed to ensure the confidentiality of this information. The spy
> therefore tries to turn this threat into a life insurence by arranging
> it such that if he gets killed, the information will be released in
> order to damage his former employer. He must, however, take care to
> ensure the confidentiality of the information while he lives, but to
> be as sure as possible to disclose the information if he is killed.
[...]
> Suppose the spy knows $N$ persons he more or less trusts. That is,
> there is a probability of $p$ that any given (but arbitrary) person
> will fail to cooperate with the spy. If the ``collaborator'' is a
> traitress, she will try to disclose the information immidiately, and
> if the spies dies, she will try to deny disclosure. I.e. the
> non-traitresses will keep the information secret as long as the spy
> lives and disclose the information if the spy dies, while a traitress
> will try to do the opposite. The spy must consequently try to minimize
> the chance that his arrangement will fail.
[...]
> Suppose $(N,p)=(10,0.1)$. Find the best way to do it.
[...]
> 1. Can you find the best arrangement and prove it really is the best?
> What is the probability of success?
> 2. Can you generalize it for arbitrary $N$ and $p$?
> 3. If $p>0.5$, can $p[success]$ ever be greater than $0.5$?
>
Cool problem! This just cries out for an analysis based on secret sharing &
lattices.
Ok, here goes. This post is long, and I apologize for that in advance, but
I think it answers all your questions, and the solution is even fairly
elegant -- or at least, more elegant than you'd expect to see from a systems
guy. :-)
Any strategy for distributing the shares to the collaborators can be expressed
as a lattice $L$ of sets $S$, where $S \in L$ iff the set $S$ of persons can
recover the spy's secret information. Notice that if $L$ is an expression of
a secret sharing strategy, then $L$ will be "monotone", i.e. $S \in L$,
$S \subset T$ implies $T \in L$. Furthermore, given any monotone lattice $L$,
one can construct a corresponding secret sharing scheme. (Proof: for each
$S \in L$ with $|S|=k$, split the secret into $k$ shares in such a way that
the secret can be reconstructed only if all $k$ shares are available, and
give the $k$ shares to the persons names by $S$. Repeat for all $S \in L$.
One simple way to do such a splitting is to calculate random shares $s_1,
s_2, ..., s_{k-1}$ and let
$s_k = s_1 + s_2 + ... + s_{k-1} + secret$
where + denotes exclusive-or.) So this gives us:
Thm 1. Any strategy can be expressed as a monotone lattice, and vice versa.
Given a strategy, we can also express the elements of the probability space
as a lattice $M$, where each set $S$ describes the persons who are faithful
(i.e. not traiteresses): $M$ is defined so that $S \in M$ iff the strategy
succeeds on $S$. The lattice $M$ is endowed with a probability measure $p$,
defined on sets $S$ by
$p(S) = (1 - p)^{|S|} p^{n - |S|}$
and extended to the lattice $M$ additively by
$p(M) = \sum_{S \in M} p(S).$
Note that $p(M)$ is just the probability of success, which we want to maximize.
Of course $M$ is determined by $L$. Let's examine how. For any lattice $L$,
define the lattice $Rev(L)$ (think ``Reverse of L'') by
$S \in Rev(L)$ iff $V-S \in V'-L$
where I want $V$ to represent the full set containing all $n$ members and $V'$
to denote the full lattice containing all possible sets $S$ of persons; thus
$V-S$ is the set complement of $S$, and $V'-L$ is the lattice complement of
$L$. The $Rev$ operator has some nice properties: $|L| + |Rev(L)| = |V'|
= 2^n$, if $L$ is monotone then $Rev(L)$ is too, $Rev(Rev(L)) = L$,
$Rev(L \cap L') = Rev(L) \cup Rev(L')$, etc. When clarity is desired, write
$M(L)$ to represent the probability space induced by the strategy $L$. Now I
am ready to claim that
Thm 2. $M(L) = L \cap Rev(L)$ for all strategies $L$.
(Proof: certainly $M(L) \subset L$: that is the condition that some set of
faithful persons must be able to reveal the secret if the spy dies. Similarly,
we must have $M(L) \subset Rev(L)$: that is the condition that no set of
traiteresses can reveal the secret while the spy still lives. A converse also
holds: if both conditions are met (i.e. $S \in L \cap Rev(L)$), then the set
will represent success for the spy (i.e. $S \in M(L)$).)
Note, by the way, that $M(L)$ is monotone, since $L$ and $Rev(L)$ both are.
So we're getting somewhere: we can now calculate the probability of success
$p(M(L)) = p(L \cap Rev(L))$ for any strategy $L$.
It turns out that we can actually completely characterize the possible lattices
$M'$ which represent probability spaces attainable by some strategy. Clearly
if $M' \subset Rev(M')$, then $M'$ is an attainable probability space lattice,
as we may take $L = M'$ so that $M(L) = M'$. Conversely, for any strategy $L$,
we have $M(L) \subset Rev(M(L))$. (Proof: calculate $Rev(L \cap Rev(L)) =
Rev(L) \cup Rev(Rev(L)) = Rev(L) \cup L,$ and the result follows immediately)
So we have proved
Thm 3. $M$ represents an attainable probability space iff $M \subset Rev(M)$.
The original question is thus reduced to the problem of finding an attainable
$M$ which optimizes $p(M)$.
But now that's enough to solve all the questions you posed.
For example, when $n=9$, the optimal attainable probability space is the
lattice $M_9$ defined by
$S \in M_9$ iff $|S| > 4$.
One way to attain this is by the strategy $L_9 = M_9$. The success
probability of this strategy is
$p(M_9) = \sum{4 < i < 10} C(9,i) (1-p)^i p^{9-i}$
where $C(9,i) = 9! / (i! (9-i)!)$ is the binomial coefficient ``9 choose $i$''.
This strategy generalizes to all odd $n$.
As another example, take $n=10$. Then the archetypical optimum attainable
probability space is the lattice $M_10$ defined by
$S \in M_10$ iff either $|S| > 5$ or $S \in X$
where $X$ is a set of sets satisfying
$S \in X$ implies $|S| = 5$,
and $|X| = C(10,5)/2$.
All the optimal attainable probability spaces can be expressed in this form
for some choice of $M'$. Again, this can be attained by the strategy
$L_10 = M_10$. The success probability can be calculated as
$p(M_10) = \sum{5 < i < 10} C(10,i) (1-p)^i p^{10-i}
+ C(10,5)/2 (1-p)^5 p^5.$
I calculate that to be $p(M_10) = .999109$, though I could've made an
arithmetic error. This approach generalizes to all even $n$; we can see that
it's just a minor tweaking of the strategy for odd $n$.
To prove that these are the best strategies, note that $|Rev(L)| = 2^n - |L|$,
so that $|M| \le 2^{n-1}$ for any attainable probablity space $M$.
Furthermore, the strategies listed above meet that bound exactly, and $M_n$
ends up containing exactly the $2^{n-1}$ sets $S$ of highest probability
$p(S)$. So it should be apparent that one can't possibly do any better.
That answers all your questions, I believe. I hope that I haven't made any
serious mistakes, although I always seem to make a couple in any attempt of
this length.
I admit I haven't described an efficient way to implement the optimum threshold secret sharing scheme that
is described above, but I think with some additional thought you can figure
out how to improve the naive exponential-complexity method that I alluded to
in the beginning.
I'm sure this problem must be addressed somewhere in the literature, although
I'm not familiar with the published results on this kind of stuff. Anyhow, I
had far more fun figuring it out myself than I would've had with any book. :-)
You posed a very nice problem! It kept me entertained for two or three
pleasant hours. Thank you!
-- Dave Wagner