Dining Cryptographers with 0.924 Verifiable Collision Resolution

The dining cryptographers protocol implements a multiple access channel in which senders and recipients are anonymous. A problem is that a malicious participant can disrupt communication by deliberately creating collisions. We propose a computationally secure dining cryptographers protocol with collision resolution that achieves a maximum stable throughput of 0.924 messages per round and which allows to easily detect disruptors.

such an anonymous reservation phase is complicated and reservations do not adapt well to the situations where participants frequently join or leave the group.
The present paper shows that one can address collisions as they occur using a collision resolution algorithm and still prevent disruption by a malicious participant. First, we show that with a modified SICTA collision resolution algorithm, a maximum stable throughput (MST) of 0.924 packets per round can be achieved for the dining cryptographers protocol. Then, we show that it is possible to use zero-knowledge proofs to verify that each participant properly executes the collision resolution algorithm.
Compared to the existing techniques our approach is easier to implement as there is no reservation phase. Further, it adapts better to situation where participants join and leave. We see possible applications in the fields of electronic voting and low latency anonymous communication.
The rest of the paper is organized as follows. Section 2 contains preliminaries and definitions. In section 3, we discuss collision resolution with SICTA. In section 4 we show how disruptors can be detected. In section 5 we discuss related work, in section 6 we present possible applications, and we conclude in section 7.

Preliminaries
In this section, we briefly review the principle behind the dining cryptographers protocol and a technique to implement it efficiently.

Dining Cryptographers
In one round of the dining cryptographers protocol [3], every participant broadcasts a ciphertext (O), which may or may not contain a message (M ). (To keep the description simple, we assume that the participants have reliable broadcast channels at their disposal.) The encryption vanishes when the ciphertexts of all participants are combined (e.g., C := ∏ i O (i) ). If exactly one ciphertext contains a message, then this message appears (e.g., C = M ). However, there is a collision when several ciphertexts contain a message (e.g., C = M · M ′ · M ′′ ). We assume that messages are encoded with a checksum, so that it is possible to distinguish between a message and a collision of messages.
G. Each participant has a private key x and the corresponding public keysȳ = h x and y = g x are known to all participants.
In a round j of the protocol, each participant then generates a ciphertext O j ∈ G which has an algebraic structure. This means that O j is either of the form: (1) or of the form: wherein x ∈ Z is a secret key and M ∈ G is a message. As we have the BDDH assumption, one cannot distinguish whether O j contains a message M or not. The value A j is public and it is based on the public keysȳ = h x of the other participants and on a public random value R j which is different in every round. For example, n participants P (1) , ..., P (n) compute: .
The so obtained values A (i) j are different in each round and have the property that they cancel when they are multiplied. I.e., Therefore, only messages remain when a recipient multiplies the ciphertexts O provided by all the participants.

Collision Resolution with SICTA
In this section we explain the SICTA algorithm (Successive Inference Cancellation Tree Algorithm) [14] and show that in the context of the dining cryptographers protocol we can reach the throughput to 0.924 messages per round.

Collision Resolution
Let us assume in a round j each participant provides a ciphertext O j . If several of these ciphertexts contain a message, the combination of all these ciphertexts j only provides a multiplication of all the messages and no meaningful information is transmitted. The purpose of a collision resolution algorithm is to resolve such a collision by resending the involved messages in later rounds.
SICTA is a binary tree algorithm, in which a collision of messages is repeatedly split until all messages have been transmitted. When there is a collision in one round, two subsequent rounds are dedicated to the resolution of this collision. Each message
round id j .
Rysunek 1. Exemplary binary collision resolution tree with successive inference cancellation (SICTA). In rounds 1,2,4,6 and 14, the ciphertexts O j are transmitted, and C j is computed using these ciphertexts. In rounds 3,5,7 and 15, no data is transmitted and C j is computed using the data from the parent node and the sibling node.
involved in the collision is then retransmitted at random in one of two dedicated rounds. This process is repeated recursively until all collisions are resolved. An example of a SICTA collision resolution tree is shown in Figure 1. To simplify the description we adapt our notation to binary trees; when a collision occurs in round j, we assume that the rounds 2j and 2j + 1 are dedicated for the resolution. SICTA uses a technique called inference cancellation to reduce the number of transmissions. As we have C j = C 2j · C 2j+1 , it is not necessary to transfer any O 2j+1 for round 2j + 1. The value C 2j+1 can be inferred from C j and C 2j by computing C 2j+1 = C j /C 2j . For this inference cancellation to work, the algorithm operates in the blocked access mode which means that no new message can be sent until all collisions are resolved.

Performance
Let us consider the maximum stable throughput (MST), which denotes the maximal input rate (messages/round) for which all messages have a finite delay. Therefore we define S k as the average number of rounds needed to resolve a collision of k messages, and we consider the throughput k/S k .
Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 20/05/2022 10:42:58 U M C S A collision of k messages is split into two collisions with i and k − i messages with a probability ( k i ) 2 −k . Thus we have: With ) this can be written as: and after removing the recursion we obtain: As 'collisions' with 0 or 1 messages take only 1 round, we have S 0 = S 1 = 1. The throughput k/S k for the increasing values of k is shown in Figure 2. For SICTA the known MST of 0.693 is observed. We can achieve a higher throughput by exploiting the fact that in the dining cryptographers protocol all senders are also receivers. After a collision of two messages, the two respective senders can recover each other's message by removing their own from the collision. Then they can avoid a further collision by using a rule that for instance only the numerically smaller message is resent. This way, collisions of two messages are always resolved in two rounds, i.e., we have S 2 = 2, which leads to a MST of 0.924.
So we have just computed the possible throughput of the channel and seen that efficient collision resolution is possible. We have done this on the assumption that every participant is honest and that no disruption takes place. This assumption is reasonable, as we show in the next section that disruptors can easily be detected and eliminated from the group. Being exceptional events, disruptions have no impact on the asymptotic (number of rounds → ∞) behaviour of the channel.

Detecting Disruptors
In this section, we show that disruptors are easy to detect. We first present techniques using zero-knowledge proofs to prove statements about the retransmission of messages, and then we show how these techniques can be used to verify that each participant correctly performs the SICTA algorithm.

Zero-Knowledge Proofs for the Retransmission of Messages
It was shown in [10] that the algebraic structure of the ciphertexts makes it possible to prove statements about them using zero-knowledge proofs. Such a zero-knowledge proof allows a prover to prove to a verifier that a given statement holds, without giving the verifier any further information. That is, the verifier cannot compute anything that he could not have computed before. For instance one can prove the equality of discrete logarithms to different bases, and logical ∧ (and) and ∨ (or) combinations of such statements [1]. It is also possible to prove the inequality of logarithm to different bases [2]. Existing zero-knowledge proofs used in the dining cryptographers protocols contain statements about individual ciphertexts. For example, the statement holds when the ciphertext O 1 is empty (i.e., O 1 = A x 1 ). As a reminder, x is a secret key of the participant and y = g x the corresponding public key.
To verify the correct execution of the SICTA collision resolution protocols we use a new kind of statements, which hold when there is a relation between two or more ciphertexts coming from the same participant. E.g., the statement holds when both ciphertexts O 1 and O 2 encode the same message M (or when both encode no message). It is thus possible to construct more complex statements in order to verify the retransmission of a message. . . . round id . j .

2j + 1
Rysunek 3. Collision resolution in SICTA. Only a message involved in a collision in round j may be retransmitted also in round 2j. The round 2j + 1 is virtual; no transmission takes place. No new message can be sent until all collisions are resolved. holds.
holds for j ∈ {2, ..., k}. (Note that it is not sufficient to consider only the last statement, as a participant could encode In the multiplication O 2 O 3 ..., the factors E and E −1 would cancel, and the statement would hold. It is therefore necessary to consider each statement for j ∈ {2, ..., k}.)

Verification of Standard SICTA with a MST of 0.693
We now show how the techniques from the previous section can be used by the participants to prove that they executed the collision resolution algorithm correctly, without revealing if they are sending a message or not (so that the senders of the messages remain anonymous).
Correct participation in the standard SICTA algorithm means that a participant may only retransmit a message in round 2j if he already transmitted that message in round j. Remember that SICTA operates in the blocking mode no new message can be sent until the resolution has finished. This principle, which is illustrated in Figure 3 and may not send a message.) Using the techniques from the previous section, each participant can prove that his ciphertext O 2j is correct, without revealing if whether it contains a message or not. To do this, the participant generates a zero-knowledge proof that proves that holds. With this proof he can convince a verifier that he participated correctly, without compromising the anonymity of the protocol. As described before, SICTA is a recursive algorithm and there are virtual rounds during which C j is inferred, but no corresponding O j is transmitted. It is then not possible to prove statement (12), but luckily it is still possible to prove that O 2j is correct. To do this, the participant proves that a message contained in the nearest transmitted parent round was transmitted at most once in all the branches down to O 2j . Akin to Example 2, a participant proves that holds, wherein j 1 := 2j, j k := (j k−1 /2) − 1 and t such that j t /2 is the index of the nearest transmitted parent round of round j.

Example 3.
In the collision resolution process shown in Figure 1, each participant shows for O 2 that holds, then for O 4 that holds, then for O 6 that holds, then for O 14 that holds. So we have shown that a participant can prove in zero-knowledge that he properly participates in the standard SICTA collision resolution algorithm. Any participant who is not able to prove that his output is correct can be excluded from the group. The corresponding round is lost and must be repeated by the remaining participants. The special technique we described in the section to increase the MST from 0.693 to 0.924 uses a deterministic rule for the retransmission after a collision of two messages. For example, only the message with the lower value must be retransmitted. So we need additional verification to detect the participants that do not respect this rule. We cannot verify this with a single zero-knowledge proof, but we can for instance use the following approach.
If one of the two participants involved in the collision does not respect this rule, the other one can switch back to random retransmission in order to split the collision. Once the collision has been split and the two messages are out, everybody sees that there must have been a problem in a previous round, and an investigation can be started. The message M of the cheating participant is now known, and every participant must then for instance send a zero-knowledge proof that he did not send this message during the initial collision round (i.e. prove that log A1 O 1 /M ̸ = log g y). The disruptor will not be able to come up with an appropriate proof and can be eliminated from the group.

Further Minor Security Considerations
Malicious participants may attempt to delay the collision resolution process or to prevent it from terminating. For instance, • colluding participants can always choose the same round to retransmit their messages, or • a malicious participant can wait until all other participants have transmitted and then chooses to retransmit his message so that a collision occurs, or • a malicious participant may not send a valid message in the first place. However, such malicious behaviour is easy to detect. In the previously described SICTA algorithm with a MST of 0.924, the probability that a collision does not split is less than or equal to 1/4 (it is exactly 1/4 for the collisions with 3 messages). Thus, the probability that a collision does not split k times in a row is less than or equal to 1/4 k . For example, the probability that a collision does not split 5 times in a row is below 0.1%. When such malicious activity is detected, one can require commitment before transmission and one can use zero-knowledge proofs similar to those proposed in [10] to detect participants that are frequently involved in non-splitting collisions. If a lower throughput is acceptable, one can go for a simpler approach and just skip the branches of the resolution tree that do not split after several attempts, without trying to detect the malicious participants.

Related Work
Superposed receiving [12,13] is a collision resolution technique for the dining cryptographers protocol that achieves the throughput of 100%. Therein, messages are elements of an additive group. When a collision occurs, the average of the messages Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 20/05/2022 10:42:58 U M C S values is computed and only messages whose value is less than this average are retransmitted. Like in SICTA, inference cancellation is used, which leads to the 100% throughput. However, this approach requires the use of an additive finite group and it cannot be implemented using the algebraic ciphertexts that we need for efficient ciphertexts generation and for zero-knowledge proofs.
The fully verifiable dining cryptographers protocol was proposed in [8] and rediscovered in [5]. In this protocol, we have 100% throughput. However, there is the need for a reservation phase which can be lengthy and cumbersome. Current systems use mixnets to perform the reservations and therefore they are inefficient when only a few reservations are made. Further, they do not easily adapt to the situations where participants join or leave frequently.

Applications
Our protocol can be used to implement computationally secure anonymous communication channels with a low latency. Another application is the realization of secret shuffle algorithms (e.g. [11]). A secret shuffle algorithm is used to obtain a shuffled list of values from a plurality of participants, while keeping it secret which value is coming from which participant. Existing solutions typically require each participant to submit a value. The protocol proposed herein also works efficiently if only a few participants have a value to submit. In particular, it may be used to shuffle anonymous public keys for verifiable dining cryptographers protocols in which rounds are reserved [8,5].

Concluding Remarks
The main problems of the dining cryptographers protocol are collisions and malicious participants disrupting the communication.
We have shown that with a collision resolution algorithm, it is possible to achieve a maximum stable throughput of up to 0.924 messages per round. Further, we have shown that if we use ciphertexts with an algebraic structure as proposed in [10], we can verify in zero-knowledge that each participant properly retransmits his message during the collision resolution process.
Compared to other dining cryptographer protocols, our approach does not need a reservation phase to avoid collisions. It is therefore easier to implement and it adapts more naturally to the situations where participants frequently join and leave the group.
We see possible applications in the fields of low-latency anonymous communication and secret shuffling.