Long-term Data Sharing under Exclusivity Attacks

1. The Work in Context

1.1. Data Sharing among Firms

In today’s data-oriented economy (OECD, 2015), countless applications are based on the ability to extract statistically significant models out of acquired user data. Still, firms are hesitant to share information with other firms (Richter and Slowinski, 2019; Commission et al., 2018), as data is viewed as a resource that must be protected. This is in tension with the paradigm of the Wisdom of the crowds (Surowiecki, 2005), which emphasizes the added predictive value of aggregating multiple data sources. As early as 2001, the authors in (Banko and Brill, 2001) (note also a similar approach in (Halevy et al., 2009)) concluded that

“… a logical next step for the research community would be to direct efforts towards increasing the size of annotated training collections, while deemphasizing the focus on comparing different learning techniques trained only on small training corpora.”

Two popular frameworks to address issues arising in settings where data is shared are multi-party computation (Cramer et al., 2015) and differential privacy (Dwork, 2008). However, these paradigms are focused on addressing the issue of privacy (whether of the individual user or the firm’s data bank), but do not answer the basic conundrum of sharing data with competing firms: On one hand, cooperation enables the firm to enrich its own models, but at the same time enable other firms to do so as well. A firm is thus tempted to game the mechanism to allow itself better inference than other firms. We call this behavior exclusivity attacks

. Even if supplying intentionally false information could be a legal risk, the nature of data processing (rich with outliers, spam accounts, natural biases), allows firms to have “reasonable justification” to alter the data they share with others.

In this work, we present a model of collaborative information sharing between firms. The goal of every firm is first to have the best available model given the aggregate data. As a secondary goal, every firm wishes the others to have a downgraded version of the model. An appropriate framework to address this objective is the Non-cooperative computation (NCC) framework, introduced in (Shoham and Tennenholtz, 2005). The framework was considered with respect to one-shot data aggregation tasks in (Kantarcioglu and Jiang, 2013).

1.2. Open and Long-term Environments

In our work, we present a general communication protocol for collaborative data sharing among firms, that can be associated with any specific machine learning or data aggregation algorithm. The protocol possesses an

online nature, when any participating firm may send (additional) data points at any time. This is in contrast with previous NCC literature, which focuses on one-shot data-sharing procedures. The long-term setting yields two, somewhat contradicting, attributes:

A firm may send multiple subsequent inputs to the protocol, using it to learn how the model’s parameters change after each contribution. For an attacker, this allows better inference of the true model’s parameters, without revealing its true data points, as we demonstrate in Example 1 below.
A firm is not only interested in attaining the current correct parameters of the model, but also has a future interest to be able to attain correct answers, given that more data is later added by itself and its competitors. This has a chilling effect on attacks, as even a successful attack in the one-shot case could result in data corruption. For example, a possible short-term attack could be for a firm to send its true data, attain the correct parameters, and then send additional garbage data. Since we do not have built-in protection against such actions in the mechanism (for reasons further explained in Remark 1), this would result in data corruption for the other firms. Nevertheless, if the firm itself is interested in attaining meaningful information from the mechanism in the future, it would be disincentivized to do so.

We now give an example demonstrating the first point. In (Kantarcioglu and Jiang, 2013), the authors consider the problem of collaboratively calculating the average of data points. They show in their Theorem 4.6 and Theorem 4.7 that whether the number of different data points is known is essential to the truthfulness of the mechanism. When the number of data points is unknown, the denominator of the average term is unknown, and it is impossible for an attacker to know with certainty how to attain the true average from the average the mechanism reports given a false input of the attacker. We now show that in a model where it is possible to send multiple requests (in fact, two), it is possible to report false information and attain the correct average:

Example 0 ().

Consider a firm with some data points $D_{I}$ with a total sum $S_{I}$ and number of points $N_{I}$ . Other firms have data points $D_{O}$ with a total sum $S_{O}$ and number of points $N_{O}$ . Assume $S_{I} \neq 0, N_{I} = 2$ .¹¹1These assumptions are not required for the attack scheme to succeed, but make for a simpler demonstration. Instead of reporting $D_{I}$ , the firm first reports $D^{'} = [0]$ , receives an average $a_{1}$ , then reports $D^{''} = [0]$ and receives the updated average $a_{2}$ . The average that others, following the mechanism as given, attain is $\frac{S_{O}}{N_{O} + 2}$ , the true average is $\frac{S_{I} + S_{O}}{N_{I} + N_{O}}$ , and they are different by our assumption on $S_{I}, N_{I}$ . The firm is thus successful in misleading others. Moreover, the firm can infer the true average. Given

a_{1} = \frac{S_{O}}{N_{O} + 1} \neq \frac{S_{O}}{N_{O} + 2} = a_{2},

the firm²²2The only case where $a_{1} = a_{2}$ is when $S_{O} = 0$ . In this case, upon having $a_{1} = 0$ , we can choose $D^{''} = [1]$ , and a similar argument shows that we can infer the true average. can calculate

N_{O} = \frac{a_{1} - 2 a_{2}}{a_{2} - a_{1}}, S_{O} = a_{1} (N_{O} + 1),

and thus have all the information required to calculate the true average.

Remark 1 ().

Why should we not consider simply forbidding multiple subsequent updates by a firm? As noted in (Yokoo et al., 2004; Gafni et al., February 7-12; Afek et al., 2017), modern internet-based environments lack clear identities and allow for multiple inputs by the same agent using multiple identities. A common distinction in blockchain networks separates public (“permissionless”) and private (“permissioned”) networks (Liu et al., 2019), where public networks allow open access for everyone, while private networks require additional identification for participation. In both cases, however, it is impossible to totally prevent false-name manipulation, where a firm uses multiple identities to send her requests. Therefore, any “simple” solution of the problem demonstrated in Example 1 is impossible. The mechanism does not know whether multiple subsequent updates are really sent by different firms, or they are in fact “sock puppets” of a single firm. The mechanism therefore can not adjust appropriately (e.g., drop any request after the first one). In this work, we assume a firm may control up to $ℓ$ identities, and so in the formal model, we allow up to $ℓ$ subsequent updates of a single firm. The false identities are not part of the formal model: They instead are encapsulated by giving firms this ability to update $ℓ$ times subsequently.

1.3. Our Results

We define two long-term data-sharing protocols (the continuous and periodic communication protocols) for data sharing among firms. The models differ in how communication is structured temporally (whether the agents can communicate at any time, or are asked for their inputs at given times). Each model can be coupled with any choice of algorithm to aggregate the data shared by the agents.
We give a condition for NCC-vulnerability of an algorithm (given the communication model) in Definition 1. A successful NCC attack is one that (i) Can mislead the other agents, and (ii) Maintains the attacker’s ability to infer the true algorithm output. We give a stronger condition of NCC-vulnerability* that can moreover (i*) Mislead the other agents in every possible scenario. As a simple example of using these definitions, we show in Appendix B that finding the maximum over agent reports is NCC-vulnerable but not NCC-vulnerable*.
For the $k$ -center problem, we show that it is vulnerable under continuous communication but not vulnerable under periodic communication. Moreover, we show that it is not vulnerable* even in continuous communication, using a notion of explicitly-lying attacks.
For Multiple Linear Regression, we show that it is vulnerable* under continuous communication but not vulnerable under periodic communication. The vulnerability* in continuous communication depends on the number of identities an attacker can control: We show a form of attack so that an attacker with
$d + 2$ identities (where $d$ is the dimension of the feature space) is guaranteed to have an attack, and an attacker with less than $d - 2$ identities can not attack.

The vulnerability(*) results for the continuous communication protocol are summarized in Table 1. Both algorithms are not vulnerable(*) under the periodic communication protocol.

		Vulnerable	Vulnerable*
	$d$ -LinearRegression	Yes, for any $ℓ \geq 1$	${\begin{matrix} Yes & ℓ \geq d + 2 No & ℓ \leq d - 2 \end{matrix}$
	$k$ -Center	Yes, for any $ℓ \geq 1$	No

Table 1. A summary of vulnerability(*) results in the continuous communication protocol.

We overview related work in Appendix A.

2. Model and Vulnerability Notions

We consider a system where agents receive factual updates containing data points or states of the world. The agents apply their reporting strategy, performing ledger updates. Upon any ledger update, the ledger distributes the latest aggregate parameter calculation using $ρ$ , the computation algorithm.

Formally, let $[n] = {1, \dots, n}$ be a set of $n$ agents. An update $U$ is of some type, depending on the computational problem. An update with metadata $^U =< j, t, U >$ complements an update $U$ with an agent $j \in N$ , and a type $t \in {F a c t u a l, L e d g e r}$ , where “Factual” updates represent a factual state of nature observed by an agent, and “Ledger” updates are what the agent shares with the ledger, which may differ from what she factually observes. We note that the ledger (which for simplicity we assume is a centralized third party) does not make the data public, but only shares the algorithm’s updated outputs according to the protocol’s rules. The computation algorithm $ρ (U^{t})$ is an algorithm that receives a series of updates $U^{t} = (U_{1}, . . ., U_{t})$ of any length $t$ and outputs a result. In the continuous communication protocol, we have that algorithm outputs are shared with all agents upon every ledger update.

In this section and Sections 3-4 we focus on the continuous communication protocol. The continuous communication protocol simulates a system where agents may push updates at any time, initiated by them and not by the system manager. We model this by allowing them to respond to any change in the state of the system, including responding to their own ledger updates. The only limit to an agent endlessly sending updates to the ledger is that we restrict it to update at most $ℓ$ times subsequently. The continuous communication protocol is a messaging protocol between nature, the agents, and the ledger. A particular protocol run is instantiated with nature-input $I$ , which is a series of some length $| I |$ with each element being of the form $< j, U >$ , which is a tuple comprised of agent $j \in N$ and an update $U$ .

Figure 1. A continuous protocol run for $I = (< 2, 90 >, < 2, y >)$ with some $90 < y < x$ and the algorithm $ρ = max$ , as explained in the proof of Proposition 2. An agent’s observed history are all the nodes in her line, or nodes that have an outgoing edge from a node in her line.

Input: Nature-input

I

, Parameter

ℓ

the maximum number of subsequent updates by an agent

Output: Full Messaging History

1 for factual message $< j, U_{f a c t} >$ in $I$ do

Nature sends a message to

j

with

< j, F a c t u a l, U_{f a c t} >

; activeMessage

\leftarrow

True; // There is an active message

2 while activeMessage = True do

/* As long as some agent is responding */

3 activeMessage

\leftarrow

False; for agent $i := 1$ to $n$ do

4 if agent $i$ wishes to send a ledger update $U_{l e d g}$ and last $ℓ$ updates are not all of type $< i, L e d g e r, U >$ ³³3We can perhaps question whether agent $i$ respects the condition that not all of the last $ℓ$ updates are not all of type $< i, L e d g e r, U >$ for some $U$ . If she does not, she may send a message regardless of this constraint. But since nature can choose not to accept/respond to it, we simplify the protocol by assuming the agents self-enforce the constraint. then

i

sends a message to Ledger with

< i, L e d g e r, U_{l e d g} >

; Ledger sends a message to all with

ρ

’s algorithm output over all the past ledger updates; activeMessage

\leftarrow

True;

Protocol 1 The continuous communication protocol

For the analysis, we extract some useful variables from the run of the protocol that will be used in subsequent examples and proofs.

Let a run $R$ be all the messages sent in the system during the application of the continuous communication protocol with nature-input $I$ (where messages sent to ’all’ appear once, and the messages appear in their order of sending).

Let $L_{j} (R), F_{j} (R)$ be the sub-sequences of all ledger, factual updates respectively in $R$ of agent $j$ (if the index $j$ is omitted, then simply all such updates, regardless of an agent). Let $O_{j} (R)$ (“observed history” of $j$ ) be all the messages in $R$ received or sent by $j$ during the run of the nature protocol: These are all factual updates of $j$ , ledger updates by $j$ , and algorithm outputs shared by the ledger. Let $O_{j} (R)_{i_{1} : i_{2}}$ be the the elements of $O_{j} (R)$ starting with index $i_{1}$ and until (and including) index $i_{2}$ .

An update strategy for $j$ is a mapping $s_{j}$ from an observed history $O_{j} (R)$ to a ledger update $U_{l e d g}$ by agent $j$ . The truthful update strategy $t r u t h_{j}$ is the following: If the last element in $O_{j} (R)$ is of type $< j, F a c t u a l, U >$ , update with $< j, L e d g e r, U >$ . Otherwise, do not update.

A full run of the protocol with nature input $I$ and strategies $s_{1}, . . ., s_{n}$ is the run after completion of the nature protocol where nature uses input $I$ and each agent $j$ responds using strategy $s_{j}$ . Since we’re interested in the effect of one agent deviating from truthfulness, we say that we run nature-input $I$ with strategy $s_{j}$ , where $j$ is the deviating agent, and it is assumed that all other agents $i \neq j$ play $t r u t h_{i}$ . We denote the resulting run $R_{I, s_{j}}$ .

We can now define an NCC-attack on the nature protocol given algorithm $ρ$ and updates restriction $ℓ$ .

Definition 0 ().

An algorithm $ρ$ is $ℓ - N C C - v u l n e r a b l e$ if there exists an agent $j$ and update strategy $s_{j}$ such that:

i) There is a full run $R_{I, s_{j}}$ of the protocol with some nature-input $I$ and the strategy $s_{j}$ such that its last algorithm output is different from the last algorithm output in $R_{I, t r u t h_{j}}$ .

ii) For any two nature-inputs $I, I^{'}$ such that the observed histories satisfy

O_{j} (R_{I, t r u t h_{j}}) \neq O_{j} (R_{I^{'}, t r u t h_{j}}) ⟹ O_{j} (R_{I, s_{j}}) \neq O_{j} (R_{I^{'}, s_{j}}) .

In words, to consider strategy $s_{j}$ as a successful attack, the first condition requires that there is a case where the rest of the agents other than $j$ observe something different than the factual truth. Notice that we strictly require that the other agents (and not only the ledger) observe a different outcome: If $s_{j}$ updates with a ledger update that does not match its factual update, but this does not affect future algorithm outputs, we do not consider it an attack (It is a “Tree that falls in a forest unheard”). The second condition requires that the attacker is always able to infer (at least in theory) the last true algorithm output. Under NCC utilities (which we omit formally defining, and work instead directly with the logical formulation, similar to Definition 1 in (Shoham and Tennenholtz, 2005)), failure to infer the true algorithm output under strategy $s_{j}$ makes it worse than $t r u t h_{j}$ , no matter how much the agent manages to mislead others (which is only its secondary goal).

We remark without formal discussion that being $ℓ$ -NCC-vulnerable is enough to show that truthfulness is not an ex-post Nash equilibrium if the agents were to play a non-cooperative game using strategies $s_{j}$ with NCC utilities. However, it does not suffice to show that truthfulness is not a Bayesian-Nash equilibrium, as the cases where the deviation from truthfulness $s_{j}$ satisfies condition $(i)$ may be of measure 0. We give a stronger definition we call $ℓ$

-NCC-vulnerable*, that would guarantee the inexistence of the truthful Bayesian-Nash equilibrium for any possible probability measure, by amending condition

(i)

to hold for all cases:

Definition 0 ().

An algorithm $ρ$ is $ℓ - N C C - v u l n e r a b l e *$ if there exists an agent $j$ and update strategy $s_{j}$ with both condition $(i i)$ of Definition 1, and:

i*) For every full run $R_{I, s_{j}}$ of the protocol with some nature-input $I$ , the last algorithm output is different than the last algorithm output in $R_{I, t r u t h_{j}}$ .

As long as there is at least one full run of the protocol, it is clear that being $ℓ$ -NCC-vulnerable* implies being $ℓ$ -NCC-vulnerable. Similarly being $ℓ$ -NCC-vulnerable(*) implies being $(ℓ + 1)$ -NCC-vulnerable(*) (i.e., the implication works for both the vulnerable and vulnerable* cases).

In Appendix B, we illustrate the difference between the two definitions, as well as simple proof techniques, using a simple algorithm.

3. $k$ –Center and $k$ –Median in the Continuous Communication Protocol

In this section, we analyze the performance of prominent clustering algorithms in terms of our vulnerability(*) definitions. Together with Section 4

this demonstrates the applicability of the approach for both unsupervised and supervised learning algorithms.

Definition 0 ().

k-center: Each agent’s update $U$ is a set of data points, where each data point is of the form $x \in R^{d}$ . A possible output of the algorithm is some $k$ centers that are among the data points $x_{1}, \dots, x_{k} \in ⋃_{U \in U^{t}} U$ . Let $η_{i} = {x | arg {min}_{j = 1}^{k} | | x - x_{j} | |_{p} = i}_{x \in ⋃_{U \in U^{t}} U}$ for $1 \leq i \leq k$ and some $L_{p}$ norm function $| | v | |_{p} = \sqrt[p]{\sum_{i = 1}^{d} v_{i}^{p}}$ with $p \geq 1$ . In words, $η_{i}$ is the set of all agents that have $x_{i}$ as their closest point among $x_{1}, \dots, x_{k}$ . Let $C (x_{1}, \dots, x_{k}) = {max}_{i = 1}^{k} {max}_{x \in η_{i}} | | x - x_{i} | |$ be the cost function. In words, the cost of a possible algorithm output $x_{1}, \dots, x_{k}$ is the maximum distance between a point and a center it is attributed to. We then have

(1)

ρ_{k - c e n t e r} (U^{t}) = arg min x_{1}, \dots, x_{k} \in ⋃_{U \in U^{t}} U C (x_{1}, \dots, x_{k}),

i.e., the $k$ centers are the $k$ points among the reported points that minimize the cost if chosen as centers. Ties (both when determining $η_{i}$ and the final $k$ centers) are broken in favor of the candidate with the smallest norm⁴⁴4If this is not enough to determine, complement it with some arbitrary rule, e.g. over the radian coordinates of the points: This does not matter for the argument..

3.1. Sneak Attacks and Vulnerability

In this subsection, we present a template for a class of attacks. We then show it is successful in showing the vulnerability of the protocol for $k$ -center.

Figure 2. A general template for the sneak attack. Until the special conditions are met, and after the re-sync is done, the strategy behaves as $t r u t h_{j}$ .

Input: Observed history

O_{j}

. Parameters

U_{c o n d}, ρ_{c o n d}, U_{a t t a c k}, U_{r e - s y n c}

Output: A ledger update

< j, L e d g e r, U >

/* Condition to start attack */

1 if The last element in $O_{j}$ is $< j, F a c t u a l, U_{c o n d} >$ , the last algorithm output in $O_{j}$ is $ρ_{c o n d}$ , and the condition to start attack was not invoked before then

2 Return

< j, L e d g e r, U_{a t t a c k} >

/* Condition to end attack */

3 else if The condition to start attack was invoked, after that some agent (either $j$ or another) received a factual update, but the condition to end attack was not yet invoked then

4 Let

U

be the last update in

O_{j}

if it is a factual update for

j

, or

\emptyset

otherwise. Return

< j, L e d g e r, U \cup U_{r e - s y n c} >

/* If the special conditions do not hold, act as

t r u t h_{j}

5 else if Last update $U$ in $O_{j}$ is factual for $j$ then

6 Return

< j, L e d g e r, U >

Strategy Template 2 A template for a sneak attack

Notice that when we defined strategies, we required them to be memory-less, i.e., only observe $O_{j}$ and not their own past behavior (which by itself anyway only depends on the past observed histories, which are contained in $O_{j}$ ). However, the conditions in Strategy Template 2 require for example to check whether the attack was initiated before. The technical lemma below shows that this is possible to infer from $O_{j}$ .

Lemma 0 ().

If $U_{c o n d} \neq U_{a t t a c k}$ , the sneak attack is well defined, i.e., the conditions to start and end attack can be implemented using only $O_{j}$ .

We defer the proof details to Appendix C.

Strategy Template 2 presents the general sneak attack form, which requires four parameters: $U_{c o n d}$ , $ρ_{c o n d}$ , the factual update and last algorithm output that serve as a signal for the attacker to send $U_{a t t a c k}$ - the deviation from truth performs, and $U_{r e - s y n c}$ , the update returning the ledger to a synced state.

Two properties are important for a successful sneak attack. First, the attacker must know with certainty the algorithm output given the counter-factual that it would have sent $U_{c o n d}$ (as $t r u t h_{j}$ would have), rather than $U_{a t t a c k}$ . Second, after sending both $U_{a t t a c k}$ and $U_{r e - s y n c}$ , it should hold that all future algorithm outputs are the same as if sending only $U_{c o n d}$ . For example, if updates are sets of data points and the algorithm outputs some calculation over their union (later formally defined in Definition 5 as a set algorithm), this holds if $U_{c o n d} = U_{a t t a c k} \cup U_{r e - s y n c}$ .

We formalize this intuition in the following lemma:

Lemma 0 ().

A sneak attack where $U_{a t t a c k} \subseteq U_{c o n d}, U_{r e - s y n c} = U_{c o n d} ∖ U_{a t t a c k}$ , and that moreover can infer the last algorithm output in $R_{I, t r u t h_{j}}$ after starting the attack and sending $U_{a t t a c k}$ , satisfies condition $(i i)$ .

The proof of the lemma is given in Appendix C.

We now give a sneak attack for $k$ -center in $R$ . The example can be extended to a general dimension $R^{d}$ by setting the remaining coordinates in the attack parameters to $0$ .

Example 0 ().

$k$ -center with $k \geq 3$ is $1$ -NCC-vulnerable using a sneak attack: Use Strategy Template 2 with $U_{c o n d} = {1, 2, 10, \dots, 10^{k - 1}}, U_{a t t a c k} = {1}, U_{r e - s y n c} = U_{c o n d} ∖ U_{a t t a c k}, ρ_{c o n d} = {- ϵ, 0, \frac{ϵ}{k - 2}, \frac{ϵ}{k - 3}, \dots, ϵ}$ , with say $ϵ = \frac{1}{1000}$ .

Condition $(i)$ is satisfied for nature-input $I = (< 1,, ρ_{c o n d} >, < 2, U_{c o n d} >)$ . The run with $t r u t h_{2}$ yields algorithm outputs $ρ_{c o n d}, {1, 10, \dots, 10^{k - 1}}$ but the run with $s_{2}$ yields $ρ_{c o n d}, ρ_{c o n d} ∖ {\frac{ϵ}{k - 2}} \cup {1}$ .

As for condition $(i i)$ : Let $I$ be some nature-input, and let $t$ be the index of the element of $I$ after which the algorithm outputs $ρ_{c o n d}$ (i.e., $t + 1$ is $< 2, U_{c o n d} >$ , upon where agent $2$ starts the attack). Let $M_{+} = {max}_{x \in ⋃_{U \in U^{t}} U}$ , $M_{-} = {min}_{x \in ⋃_{U \in U^{t}} U}$ . Assume for simplicity that $| M_{+} | \geq | M_{-} |$ , otherwise a symmetric argument to the one we lay out follows. Given the algorithm output $ρ_{c o n d}$ , we know that $ϵ$ is the closest center to $M_{+}$ . Thus, $M_{+} - ϵ \leq C (- ϵ, 0, ϵ) \leq C (M_{-}, 0, M_{+}) \leq \frac{M_{+}}{2}$ . The last inequality is due to that every point is either in $[M_{-}, 0]$ or $[0, M_{+}]$ , and so its distance from the closest center is at most $\frac{1}{2} max {| M_{-} |, | M_{+} |} = \frac{M_{+}}{2}$ . We thus have that $M_{+} \leq 2 ϵ$ (as illustrated in Figure 3).

Therefore, under $t r u t h_{2}$ , after agent $2$ sends $U_{c o n d} = {1, 2, 10, \dots, 10^{k - 1}}$ , we have $C ({1, 10, \dots, 10^{k - 1}}) \leq 1 + 2 ϵ$ . For any other choice of $k$ centers $x_{1}, \dots, x_{k}$ (that may partially intersect), we have $C ({x_{1}, \dots, x_{k}}) \geq 2 - 2 ϵ$ (as illustrated in Figure 3). Choosing $ϵ < \frac{1}{4}$ we have that the algorithm output must be ${1, 10, \dots, 10^{k - 1}}$ . This shows that agent $2$ can infer with certainty the algorithm output under $t r u t h_{2}$ . We thus satisfy the conditions of Lemma 3, which guarantees condition $(i i)$ is satisfied.

3.2. $k$ –Center Vulnerability*

In the previous subsection, we have shown that $k$ -Center is vulnerable. However, in this subsection, we show it is not vulnerable*.

We note that a significant property of the $k$ -center algorithm is that its output is a subset of its input.

Definition 0 ().

A set algorithm is an algorithm where each update is a set, and the algorithm is defined over the union of all updates $S = ⋃_{U \in U^{t}} U$ .

A multi-set algorithm is an algorithm where each update is a multi-set of data points, and the algorithm is defined over the sum of all updates $S = ⨄_{U \in U^{t}} U$ .

A set-choice algorithm is a set algorithm that satisfies $ρ (S) \subseteq S$ , i.e., the algorithm output is a subset of the input.

Many common algorithms such as max, min, or median, are set-choice algorithms, as well as $k$ -center and $k$ -median that we discuss.

We notice a property of the sneak attack in Example 4: $U_{a t t a c k}$ deducts points that exist in the factual update $U_{c o n d}$ and does not include them in the ledger update. In fact, throughout the run of $s_{2}$ the union of ledger updates by agent $2$ is a subset of the union of its factual updates. This leads us to develop the following distinction. We partition the space of attack strategies (all attacks, not necessarily just sneak attacks) into two types, explicitly-lying attacks and omission attacks. This distinction has importance beyond the technical discussion, because of legal and regulatory issues. Strategic firms may be willing to omit data (which can be excused as operational issues, data cleaning, etc), but not to fabricate data.

Formally, for set and multi-set algorithms, we can partition all non-truthful strategies in the following way:

Definition 0 ().

An explicitly lying strategy $s_{j}$ is a strategy that for some nature-input $I$ has a point $x \in L_{j} (R_{I, s_{j}}), x \notin F_{j} (R_{I, s_{j}})$ , i.e., the strategy sends a ledger update with a point that does not exist in the union of all factual updates for that agent.

An omission strategy $s_{j}$ is a a strategy that satisfies condition $(i)$ (i.e., misleads others) that is not explicitly-lying.

For an omission strategy it must hold that for every run the agent past ledger updates are a subset of its factual updates, i.e., $L_{j} (R_{I, s_{j}}) \subseteq F_{j} (R_{I, s_{j}})$ .

We now use the notion of explicitly-lying strategy to prove that $k$ -center and $k$ -median are not vulnerable*. For this we need one more technical notion:

Definition 0 ().

A set-choice algorithm has forceable winners if for any set $S$ and a point $x \in S$ , there is a set $¯ S$ with $x \notin ¯ S$ so that $x \in ρ (S \cup ¯ S)$ .

In words, if the point $x$ is part of the algorithm input, it is always possible to send an update to force the point $x$ to be an output of the algorithm. It is interesting to compare this requirement with axioms of multi-winner social choice functions, as detailed e.g. in (Elkind et al., 2017).

Theorem 8 ().

A set-choice algorithm with forceable winners is not $ℓ$ -NCC-vulnerable* for any $ℓ$ .

We prove the theorem using the two following claims.

Claim 1 ().

A strategy $s_{j}$ that satisfies condition $(i *)$ for a set-choice algorithm is explicitly-lying.

Proof.

Consider a nature-input where agent $j$ receives no factual updates. To satisfy condition $(i *)$ , it must send some ledger update for the algorithm output under $s_{j}$ to differ from that under $t r u t h_{j}$ . Since the union of all its factual updates is an empty set, it must hold that it sends a data point that does not exist there. ∎

Claim 2 ().

An explicitly-lying strategy $s_{j}$ for a set-choice algorithm with forceable winners violates condition $(i i)$ .

Proof.

Consider the shortest nature-input $I$ (in terms of number of elements) where $s_{j}$ sends a ledger update with an explicit lie $x$ , and let $L_{R} = L_{j} (R_{I, s_{j}}), F_{R} = F_{j} (R_{I, s_{j}})$ be the union of all ledger, factual updates respectively by $j$ . Let $S = F_{R} \cup L_{R}$ , and $< i, ¯ S >$ the nature-input element that generates a factual update of an agent $i \neq j$ that forces $x \in ρ (S \cup ¯ S)$ (such an element exist by the forceable winners condition). Let $E_{1} = F_{R} \cup L_{R} \cup ¯ S, E_{2} = E_{1} ∖ {x}$ . Notice that $x \notin ¯ S$ (as required in Definition 7 of forceable winners), but $x \in L_{R}$ , and so $E_{1} \neq E_{2}$ . Also note that $x \notin F_{R}$ (as it is an explicit lie). Let $I_{1}, I_{2}$ be $I$ with an additional last element $E_{1}, E_{2}$ respectively.

Now notice that $O_{j} (R_{I_{1}, s_{j}}), O_{j} (R_{I_{2}, s_{j}})$ are composed of the observed history $O_{j} (R_{I, s_{j}})$ , together with the observations following each of their different last elements. As the last element is a factual update of an agent $i \neq j$ , the agent sends a truthful ledger update. We then have $L_{R} \cup E_{2} = L_{R} \cup ((F_{R} \cup L_{R} \cup ¯ S) ∖ {x}) = (L_{R} \cup {x}) \cup ((F_{R} \cup L_{R} \cup ¯ S) ∖ {x}) = L_{R} \cup (F_{R} \cup L_{R} \cup ¯ S) = L_{R} \cup E_{1} .$ Thus, the immediate algorithm output, and any further algorithm output following some ledger update by agent $j$ is taken over the same set, whether it is under $I_{1}$ or $I_{2}$ , and so identifies. We conclude that $O_{j} (R_{I_{1}, s_{j}}) = O_{j} (R_{I_{2}, s_{j}})$ .

On the other hand, the last algorithm output in $O_{j} (R_{I_{1}, t r u t h_{j}})$ is $ρ (F_{R} \cup E_{1}) = ρ (F_{R} \cup (F_{R} \cup L_{R} \cup ¯ S)) = ρ (S \cup ¯ S)$ , and thus has the element $x$ by Definition 7. On the other hand, the last algorithm output in $O_{j} (R_{I_{2}, t r u t h_{j}})$ is $ρ (F_{R} \cup E_{2}) = ρ (F_{R} \cup ((F_{R} \cup L_{R} \cup ¯ S) ∖ {x})) = ρ ((F_{R} \cup L_{R} \cup ¯ S) ∖ {x})$ . Since $ρ$ is a set-choice algorithm, it does not output $x$ since it does not appear in the input set. ∎

Figure 4. Demonstration of the proof of Claim 2. $x$ is an explicit lie by agent $j$ . $S$ is the state of the ledger under $t r u t h_{j}$ . $S^{'}$ is the state of the ledger under $s_{j}$ . $¯ S$ is a complementary set to $S$ from Definition 7 (forceable winners). Given that the next ledger update by a truthful agent is either $¯ S$ or $¯ S \cup {x}$ (which is represented by the rows), then the behavior under the different strategies (represented by the columns) is such that under $s_{j}$ , the two underlying states of the world are the same, but not so under $t r u t h_{j}$ .

Corollary 0 ().

$k$ -center is not $ℓ$ -NCC-vulnerable* for any $ℓ$ .

Proof.

$k$ -center is a set-choice algorithm. We show that it has forceable winners. We show the construction for $R$ , but the general $R^{d}, L_{p}$ is similar. Let some $S \subseteq R$ with $x \in S$ . Let $Δ = max {{max}_{s \in S} | x - s |, 1}$ . Let $¯ S = {x + Δ, x - Δ} \cup {x + 10 Δ, \dots, x + 10^{k - 1} Δ}$ . It must hold that $ρ (S \cup ¯ S) = {x, x + 10 Δ, \dots, x + 10^{k - 1} Δ}$ . ∎

Corollary 0 ().

$k$ -median is not $ℓ$ -NCC-vulnerable* for any $ℓ$ .

The proof is given in Appendix D.

4. Linear Regression under Continuous Communication

In this section, we study the vulnerability(*) of linear regression.

Definition 0 ().

Multiple linear regression in $d$ features $d - L R$ : Given a set of data points $S$ with $n$ points, where the data points features are a $(d + 1) \times n$ matrix $X$ with all elements of the first column normalized to 1, the targets are a $1 \times n$ vector $y$ , then

\begin{matrix} ρ_{d - L R} (U^{t}) = ρ_{d - L R} (\cup_{i = 1}^{t} U_{i}) = {\begin{matrix} (X^{T} X)^{- 1} X^{T} y & X columns are linearly% independent N u l l & O t h e r w i s e . \end{matrix} \end{matrix}

We slightly abuse notation by defining $ρ_{d - L R}$ both as a function on a series of updates $U^{t}$ , as well as on a set of data points. The latter satisfies, as long as the columns are linearly independent, $ρ_{d - L R} (S) = arg {min}_{β \in R^{d}} \sum_{i \in | S |} (y_{i} - \sum_{j = 1}^{d} x_{i}^{j} β_{j})^{2}$ . We subsequently assume for simplicity that the columns are always linearly independent (e.g., by having a first ledger update with $d$ linearly independent features. The property is then automatically maintained with any future updates).

It is not difficult to find omission sneak attacks for linear regression, as we demonstrate in Figure 5.

Figure 5.
A sneak attack for simple linear regression. Since the points by others and the factual update of the agent yield the same LR estimator
$^ρ$ , the result of running the regression on all points is $^ρ$ regardless of what are the actual points by others.

In Example 1 in Appendix E, we show a more complicated explicitly-lying sneak attack for $1 - L R$ (also called “simple linear regression”). The attack can be generalized for $d - L R$ . This yields

Theorem 2 ().

$d$ -LR is $1$ -NCC-vulnerable.

4.1. Triangulation Attacks and Vulnerability*

To study vulnerability*, we now define a stronger type of attacks and show they exist for $d - L R$ , as long as $ℓ \geq d + 2$ . We name this type of attacks triangulation attacks, and present a template parameterized by functions $f_{1}, . . ., f_{ℓ - 1}, h$ in Strategy Template 3.

Figure 6. A general template for the triangulation attack, with $k = 3$ . Until the special conditions are met, and after the re-sync is done, the strategy behaves as $t r u t h_{j}$ .

Input: Observed history

O_{j}

. Functions

f_{1}, \dots, f_{ℓ - 1}, h

Output: A ledger update

^U

1 Let

i = 1

if there is a factual update after the last ledger update by

j

. Otherwise, if a triangulation attack is ongoing, let

2 \leq i \leq ℓ

be its current step or else exit. Let

ρ_{i - 1}

be the last algorithm output in

O_{j}

. if $1 \leq i \leq ℓ - 1$ then

2 Return

< j, L e d g e r, f_{i} (ρ_{i - 1}) >

3else if $i = ℓ$ then

4 Return

< j, L e d g e r, h (ρ_{ℓ - 1}) >

Strategy Template 3 A template for a triangulation attack

The idea of triangulation attacks is that for any state of the ledger, the attacker can find $ℓ$ subsequent updates so that it can both infer the algorithm output if it applied strategy $t r u t h_{j}$ instead of $s_{j}$ (using $f_{1}, . . ., f_{ℓ - 1}$ the “triangulations”), and mislead others by the final update $h$ . Informally, this attack has the desirable property that regardless of the state of the ledger (and how corrupted it may be by previous updates of the attacker), the attacker can infer the true state.

As in the case of the sneak attack, we should show the strategy template can be implemented using only the information in $O_{j}$ .

Lemma 0 ().

The triangulation attack is well defined, i.e., the conditions in lines $1$ and $2$ can be implemented using only information available in $O_{j}$ . The assignment in line $3$ is valid, that is, given that line $3$ is executed there exists an algorithm output in $O_{j}$ .

We defer the proof details to Appendix C.

We now prove there is a triangulation attack for $d - L R$ with $ℓ \geq d + 2$ .

Theorem 4 ().

$d - L R$ is $(d + 2)$ -NCC-vulnerable* using a triangulation attack $f_{1}, . . ., f_{d + 1}, h$ .

Proof.

We shortly outline the overall flow of the proof. First, we give explicit construction of the ${f_{i}}_{1 \leq i \leq d + 1}$ functions. This suffices to show that condition $(i i)$ is satisfied, which means there is an inference function $i (O_{j})$ that maps observed histories under $s_{j}$ to the last algorithm output under $t r u t h_{j}$ . Given that inference function, we construct $h$ and show that with it condition $(i *)$ is satisfied. We give a formal treatment of inference function in Definition 4 and Lemma 5 of Appendix B, but for our purpose in this proof it suffices that it is a map as specified.

Construction of ${f_{i}}_{1 \leq i \leq d + 1}$ and condition $(i i)$ :

Let

ρ_{i - 1} = ⎡ ⎢ ⎢ ⎣ \begin{matrix} ρ_{i - 1}^{1} \dots ρ_{i - 1}^{d + 1} \end{matrix} ⎤ ⎥ ⎥ ⎦

be the last algorithm output before the application of $f_{i}$ . Define

$f_{i} (ρ_{i - 1}) = (X_{i}, y_{i})$ ,

where $X_{i}$ is the $(d + 1) \times 1$ vector with $X_{i}^{1} = X_{i}^{i} = 1$ , and

y_{i} = {\begin{matrix} ρ_{i - 1}^{1} + 1 & i = 1 ρ_{i - 1}^{1} + ρ_{i - 1}^{i} + 1 & 2 \leq i \leq d + 1 \end{matrix} .

Let $R_{I, s_{j}}$ be a run with some nature-input $I$ and $s_{j}$ the triangulation attack with the specified $f_{1}, \dots, f_{d + 1}$ (and any function $h$ ). Consider all the factual updates by agents $\neq j$ induced by $I$ . They are each of the form of $(X^{'}, y^{'})$ , where $X^{'}$ is of size $n \times (d + 1)$ and $y^{'}$ is $n \times 1$ , and where $n$ is the number of data points in the update. To consider all factual updates of the agents $\neq j$ , we can vertically concatenate these matrices. Let this aggregate be denoted $X_{F, - j}, y_{F, - j}$ . Similarly, let $X_{F, j}, y_{F, j}$ be the concatenation of all factual updates by $j$ . Let the concatenation of all ledger updates by $j$ before submission of any of the $f_{i}$ updates be $X_{L, j}, y_{L, j}$ . Recall that we denote by $ρ_{0}, \dots, ρ_{d + 1}$ the algorithm outputs (right before, and after each $f_{i}$ , e.g. $f_{1}$ is applied after $ρ_{0}$ and generates $ρ_{1}$ ). Let $X_{i}^{'}, y_{i}^{'}$ be the (concatenated) inputs to the $d - L R$ algorithm that generate $ρ_{i}$ . In terms of the defined variables above, we can write:

(2)

\begin{matrix} (X_{i}^{'})^{T} X_{i}^{'} = (X_{F, - j})^{T} X_{F, - j} + (X_{L, j})^{T} X_{L, j} + i \sum t = 1 (X_{i})^{T} X_{i}, (X_{i}^{'})^{T} y_{i}^{'} = (X_{F, - j})^{T} y_{F, - j} + (X_{L, j})^{T} y_{L, j} + i \sum t = 1 (X_{i})^{T} y_{i}, \end{matrix}

To show that condition $(i i)$ holds, it suffices to show that we can infer the last algorithm output $ρ_{t r u t h}$ of the run $R_{I, t r u t h_{j}}$ . Let $(X_{F}, y_{F})$ be the concatenation of all factual updates of all agents, then it is the input that generates $ρ_{t r u t h}$ , and it holds that:

(3)

Since in Equation 3, besides $X_{F, - j}, y_{F, - j}$ , all RHS variables are observed history under $s_{j}$ , we conclude that it is enough to deduce $X_{F, - j}^{T} X_{F, - j}, X_{F, - j}^{T} y_{F, - j}$ in order to infer $(X_{F})^{T} X_{F}, (X_{F})^{T} y_{F}$ , and thus also the last algorithm output under $t r u t h_{j}$ which is $((X_{F})^{T} X_{F})^{- 1} (X_{F})^{T} y_{F}$ .

Let $(X_{F, - j})^{T} X_{F, - j} d e f = ⎡ ⎢ ⎣ \begin{matrix} Σ_{1, 1} & \dots & Σ_{1, d + 1} \dots Σ_{d + 1, 1} & \dots & Σ_{d + 1, d + 1} \end{matrix} ⎤ ⎥ ⎦, (X_{F, - j})^{T} y_{F, - j} = ⎡ ⎢ ⎣ \begin{matrix} σ_{1} \dots σ_{d + 1} \end{matrix} ⎤ ⎥ ⎦$ .

For every $0 \leq i \leq d + 1$ , we have

(4)

(X_{i}^{'})^{T} X_{i}^{'} ρ_{i} = (X_{i}^{'})^{T} y_{i}^{'} .

By the construction of $f_{i}$ , we can rewrite these equations in the following way. Let $D^{i}$ be the $(d + 1) \times (d + 1)$ matrix with $D_{1, 1}^{i} = D_{i, 1}^{i} = D_{1, i}^{i} = D_{i, i}^{i} = 1$ , and all other elements zero. Let $v^{i}$ be the $1 \times (d + 1)$ vector with

v_{1}^{i} = v_{i}^{i} = {\begin{matrix} ρ_{0}^{1} + 1 & i = 1 ρ_{i - 1}^{1} + ρ_{i - 1}^{i} + 1 & i > 1 \end{matrix},

and all other elements zero.

We have for $0 \leq i \leq d + 1$ :

(5)

(⎡ ⎢ ⎣ \begin{matrix} Σ_{1, 1} & \dots & Σ_{1, d + 1} \dots Σ_{d + 1, 1} & \dots & Σ_{d + 1, d + 1} \end{matrix} ⎤ ⎥ ⎦ + i \sum t = 1 D^{i}) ρ_{i} = ⎡ ⎢ ⎣ \begin{matrix} σ_{1} \dots σ_{d + 1} \end{matrix} ⎤ ⎥ ⎦ + i \sum t = 1 v^{i} .

If we examine the differences between the $i$ equation and the $i - 1$ equation, we get for $1 \leq i \leq d + 1$ ,

(6)

(⎡ ⎢ ⎣ \begin{matrix} Σ_{1, 1} & \dots & Σ_{1, d + 1} \dots Σ_{d + 1, 1} & \dots & Σ_{d + 1, d + 1} \end{matrix} ⎤ ⎥ ⎦ + i - 1 \sum t = 1 D^{t}) (ρ_{i} - ρ_{i - 1}) = v^{i} - D^{i} ρ_{i} .

Notice that for any $1 \leq i \leq d + 1$ , $v^{i} - D^{i} ρ_{i}$ is not the zero vector. If it was, since $(X_{F, - j})^{T} X_{F, - j} + \sum_{t = 1}^{i - 1} D^{t}$ is invertible, we will have that $ρ_{i} = ρ_{i - 1}$ , which would contradict the following claim:

Claim 3 ().

For every algorithm output $ρ = ⎡ ⎢ ⎣ \begin{matrix} α_{1} \dots α_{d + 1} \end{matrix} ⎤ ⎥ ⎦$ , and a single point update $U * = (X^{*} = [\begin{matrix} 1 & x_{1} & \dots & x_{d} \end{matrix}], y^{*})$ so that $X^{*} \cdot ρ \neq y^{*}$ , the new algorithm output $ρ^{'}$ for the data with $U *$ satisfies $ρ^{'} \neq ρ$ , and has a different value at $X^{*}$ than $X^{*} \cdot ρ$ .

The proof of the claim is given in Appendix E.

Moreover, $v^{i} - D^{i} ρ_{i}$ by definition is a vector that has all elements $0$ besides element $1$ and $i$ that are $ρ_{i - 1}^{1} + ρ_{i - 1}^{i} + 1 - ρ_{i}^{1} - ρ_{i}^{i} \neq 0$ (since it is not a zero vector), and so the $i$ -th element of the vector is non-zero. Therefore, for the vector $w^{i} d e f = v^{i} - D^{i} ρ_{i} - \sum_{t = 1}^{i - 1} D^{t} (ρ_{t} - ρ_{t - 1})$ , the $i$ -th element is non-zero as well (Since $\sum_{t = 1}^{i - 1} D^{t} ρ_{i}$ has all elements with index higher than $i - 1$ as zero). For any $w^{t}$ with $t \leq i - 1$ , all elements with index higher than $i - 1$ are zero. Therefore, the set ${w^{i}}_{1 \leq i \leq d + 1}$ is linearly independent, and the matrix $W$ where each column $i$ is $w^{i}$ is invertible. If we let $M_{ρ}$ be the matrix where each column $i$ is $ρ_{i} - ρ_{i - 1}$ , we can rewrite Eq 6 as $(X_{F, - j})^{T} X_{F, - j} M_{ρ} W^{- 1} = I$ , where $I$ is the $(d + 1) \times (d + 1)$ identity matrix. We conclude that $M_{ρ}$ is invertible and $(X_{F, - j})^{T} X_{F, - j} = W M_{ρ}^{- 1}$ . We can directly calculate the RHS of this expression from the observed history under $s_{j}$ , and by the first equation of Eq 5 we can infer $(X_{F, - j})^{T} y_{F, - j} = (X_{F, - j})^{T} X_{F, - j} ρ_{0}$ , overall concluding the proof for condition $(i i)$ .

Construction of $h$ and condition (i*). Let $i$ be the inference function (which existence is guaranteed by the previous discussion) that matches observed histories running $s_{j}$ with the true algorithm outputs under $t r u t h_{j}$ . I.e., we has $i (O_{j}) = ρ_{t r u t h}$ . Let the last algorithm output in $O_{j}$ be $ρ_{l a s t} = ⎡ ⎢ ⎢ ⎣ \begin{matrix} ρ_{l a s t}^{1} \dots ρ_{l a s t}^{d + 1} \end{matrix} ⎤ ⎥ ⎥ ⎦$ . Let .

If $ρ_{l a s t} \neq ρ_{t r u t h}$ , $h$ does not send an update, and so for the nature-input that has observed history $O_{j}$ the last algorithm output under $s_{j}$ is different than that under $t r u t h_{j}$ , as required by condition $(i *)$ .

If $ρ_{l a s t} = ρ_{t r u t h}$ , $h$ sends an update with a point $(X, y)$ that satisfies $X \cdot ρ_{l a s t} = ρ_{l a s t}^{1} \neq ρ_{l a s t}^{1} + 1 = y$ . By Claim 3, the resulting algorithm output is different from $i (O_{j})$ .

∎

We demonstrate the construction and inference of the triangulation attack in an open-source implementation

https://github.com/yotam-gafni/triangulation_attack. Figure 7 shows a run of the attack for a random example for

2

-LR.

Figure 7. A script-run triangulation attack for $2$ -LR. The round red points represent an existing state of the ledger. The yellow x points (in (1)) represent a new factual update for the strategic agent. The red line in (1) represents the resulting linear regression estimator, if the agent reports truthfully. The four figures (2a)-(2d) show the flow of our triangulation attack construction. In (2a) is the last state of the ledger before the triangulation, with no triangulation point sent by the strategic agent. The rest of (2b)-(2d) consecutively add triangulation points (blue triangles). At the end of the triangulation attack (after (2d)), the linear regression estimator is different than in (1). It is possible to infer the estimator in (1) using knowledge of the triangulation points and estimators of (2a)-(2d) (without knowledge of the red points).

We show an asymptotically matching lower bound for triangulation attacks.

Theorem 5 ().

There is no triangulation attack for $d - L R$ with $d - 2$ or less functions (i.e., $ℓ \leq d - 2$ ).

Proof.

Consider all nature-input elements that are of the form $< i, (X, y) >, < j, ({¯ X}_{j}, {¯ y}_{j}) >$ , where $X$ is a $(d + 1) \times (d + 1)$ matrix, and $y$ is the $(d + 1) \times 1$ zero vector. $({¯ X}_{j}, {¯ y}_{j})$ of the same sizes but without any restriction over ${¯ y}_{j}$ . We show that for any triangulation attack $s_{j}$ , we can find two nature-inputs among this family with different observed history under $t r u t h_{j}$ , but the same observed history under $s_{j}$ .

By the choice of $y$ , the first algorithm output satisfies $ρ_{0} = (X^{T} X)^{- 1} X^{T} y = 0$ . As we know from the proof of Theorem 4, in particular Equation 5 (where it was done for a specific given triangulation attack), that the attack generates $d - 1$ vector equations for $X^{T} X$ (including the one over $ρ_{0}$ ). We also know that the first row of $X^{T}$ is all $1$ elements. We can make it a stricter constraint by demanding that the first row of $X^{T} X$ is of the form $[\begin{matrix} d + 1 & 0 & \dots & 0 \end{matrix}]$ . Then, the principal sub-matrix of $X^{T} X$ (removing the first row and column) is a general PSD matrix (as a principal submatrix of the $X^{T} X$ PSD matrix). To uniquely determine such a matrix of size $d \times d$ , we need $d$ vector equations, but the triangulation equations only yield $d - 1$ such equations. So there are some $X_{1} \neq X_{2}$ that are in the family of nature-inputs and have the same observed history under $s_{j}$ . Fix some invertible ${¯ X}_{j}$ . Since $(X_{2}^{T} X_{2} + {¯ X}_{j}^{T} {¯ X}_{j}) \neq (X_{1}^{T} X_{1} + {¯ X}_{j}^{T} {¯ X}_{j})$ , there must be some $v$ so that

(X_{2}^{T} X_{2} + {¯ X}_{j}^{T} {¯ X}_{j})^{- 1} v \neq (X^{T}

Long-term Data Sharing under Exclusivity Attacks

Related Research

Synthesis of Winning Attacks on Communication Protocols using Supervisory Control Theory

Vulnerability of Complex Networks in Center-Based Attacks

Vulnerability of Blockchain Technologies to Quantum Attacks

The Hsu-Harn-Mu-Zhang-Zhu group key establishment protocol is insecure

Sharing of vulnerability information among companies -- a survey of Swedish companies

Cognitive Honeypots against Lateral Movement for Mitigation of Long-Term Vulnerability

Automatic Identification and Classification of Share Buybacks and their Effect on Short-, Mid- and Long-Term Returns

1. The Work in Context

1.1. Data Sharing among Firms

1.2. Open and Long-term Environments

Example 0 ().

Remark 1 ().

1.3. Our Results

2. Model and Vulnerability Notions

Definition 0 ().

Definition 0 ().

3. k–Center and k–Median in the Continuous Communication Protocol

Definition 0 ().

3.1. Sneak Attacks and Vulnerability

Lemma 0 ().

Lemma 0 ().

Example 0 ().

3.2. k–Center Vulnerability*

Definition 0 ().

Definition 0 ().

Definition 0 ().

Theorem 8 ().

Claim 1 ().

Proof.

Claim 2 ().

Proof.

Corollary 0 ().

Proof.

Corollary 0 ().

4. Linear Regression under Continuous Communication

Definition 0 ().

Theorem 2 ().

4.1. Triangulation Attacks and Vulnerability*

Lemma 0 ().

Theorem 4 ().

Proof.

Claim 3 ().

Theorem 5 ().

Proof.

3. $k$ –Center and $k$ –Median in the Continuous Communication Protocol

3.2. $k$ –Center Vulnerability*