Optimizing Cost-sensitive Trust-negotiation Protocols


Weifeng Chen, Lori Clarke, Jim Kurose, Don Towsley
Department of Computer Science, University of Massachusetts, Amherst
{chenwf, clarke, kurose, towsley}@cs.umass.edu
Technical Report 2004-29

Abstract

Trust negotiation is a process that establishes mutual trust by the exchange of digital credentials and/or guiding policies among entities who may have no pre-existing knowledge about each other. Motivated by the desire to disclose as little sensitive information as possible in practice, this paper investigates the problem of minimizing the cost of the credentials exchanged during a trust-negotiation protocol. A credential or a policy is assigned a weighted cost, referred to as its sensitivity cost. We formalize an optimization problem, namely the Minimum Sensitivity Cost problem, whose objective is to minimize the total sensitivity cost of the credentials and policies disclosed by a trust-negotiation protocol. We study the complexity of the Minimal Sensitivity Cost problem and propose algorithms to solve the problem efficiently, in both cases when policies are cost-sensitive and cost-insensitive. A simple Finite State Machine model of trust-negotiation protocols is presented to model various trust-negotiation protocols, and used to provide a quantitative evaluation of the number of exchange rounds needed to achieve a successful negotiation, and the probability of achieving a successful negotiation under various credential disclosure strategies.

Keywords: Trust-negotiation protocols, sensitivity cost

This research has been supported in part by the NSF under grant awards UF-EIES-0205003-UMASS and EIA-00809. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

1 Introduction

In an electronic environment (e.g., the Internet, electronic commerce, and digital government) in which entities may have no pre-existing knowledge about each other, trustworthiness is of critical concern. The concept of trust has been addressed within many disciplines. It is complex and multidimensional [5]. A general definition of trust from [8] is that trust is a legal arrangement in which an individual (the trustor) gives fiduciary control of property to a person or institution (the trustee) for the benefit of beneficiaries. Here, we focus on trust in an electronic environment [5, 7, 10]. We will use the definition in [3] that trust is usually considered a belief or cognitive stance that could eventually be quantified by a subjective probability. This subjective probability is built upon evidence. In real life, people establish a trust relationship based on paper credentials, e.g., an employment ID or a Social Security Number (SSN). These paper credentials act as the foundation upon which a person builds trust with others. Trust relationships in an electronic environment are typically established by exchanging digital credentials [6, 22, 25], the analogue of paper credentials. Digital credentials are digitally signed assertions by the credential issuer about the credential owner [, 20]. For instance, an X.509 certificate, which contains a digital signature of the issuer, the identity and the public key of the owner, and an expiration date etc., is a common digital credential.

Entities can establish one-direction trust or mutual trust. Most current Internet applications establish one-direction trust, e.g., a client provides information to a server in order for the server to trust the client; it is implicitly or explicitly assumed that the client trusts the server. To make this concrete, consider a customer registering at amazon.com. The customer needs to provide a mailing address, phone number, etc. When the customer purchases a book, he/she also needs to provide credit card information. However, Amazon does not need to authenticate itself to the customer.

In one-direction trust, one of the negotiators, generally the server, is assumed to be trusted and only the other negotiator (the client) needs to provide authentication information. However, establishing mutual trust is often desirable in electronic environments. This is typically achieved through the process of trust negotiation [2]. For example, in the DIAMETER protocol [4], a client seeking access to network resources in dial-up PPP, wireless AP, or Mobile IP environments, exchanges Capabilities-Exchange-Request and Capabilities-Exchange-Answer messages with a network access server in order to negotiate a mutually acceptable service based on their capabilities.

During trust negotiation, an entity may not want to disclose credentials freely, since credentials can be sensitive. An access control policy (policy, for short) for a credential consequently specifies the prerequisite conditions that must be satisfied in order for that credential to be disclosed. For example, a customer may have a policy for disclosing his/her SSN that specifies that the SSN will only be disclosed when an

authorization certificate issued by the Social Security Administration is received.

In real life, people treat their paper credentials with different levels of sensitivity. For example, an SSN will be more sensitive than a telephone number. Given multiple credential-exchange sequences achieving the same result, it is desirable to pick the sequence that discloses a set of less sensitive credentials. For example, when a customer is asked to disclose either a telephone number or an SSN, the customer would likely choose the former. Policies themselves may also be considered sensitive [2, 4, 24]. We can thus associate a cost or weight with each credential or policy. A credential with a high cost is more sensitive. We can then define the sensitivity cost to be the total cost of the disclosed credentials and policies in a particular exchange sequence.

In this report, we formulate and study the Minimal Sensitivity Cost problem of minimizing the total sensitivity cost of credentials and policies disclosed during a trust-negotiation protocol execution. When policies have no sensitivity cost (i.e., they can be freely disclosed), the Minimal Sensitivity Cost problem is shown to be NP-complete. Fortunately, we find that heuristic algorithms based on Dijkstra's algorithm perform quite well, achieving around 95% of optimal for the cases considered. When policies themselves have a sensitivity cost, solving the Minimal Sensitivity Cost problem becomes even more computationally complex. Thus, we consider a greedy algorithm to solve this problem approximately. We also describe a Finite State Machine model that provides a simple framework for analyzing the number of exchange rounds needed to achieve a successful negotiation, and the probability of achieving a successful negotiation under various credential-disclosure strategies.

The rest of the report is organized as follows. In Section 2, we briefly overview the literature of trust negotiation. We formulate the Minimal Sensitivity Cost (MSC) problem in Section 3. Section 4 attacks the MSC problem when policies have no disclosure cost. Section 5 is devoted to solving the MSC problem when policies are themselves sensitive. We discuss related optimization problems in Section 6. A FSM model is described in Section 7. Section 8 presents related work. Finally, we conclude the paper in Section 9.

2 Background

During trust negotiation, the disclosure of a credential s is guided by an access control policy p that specifies the prerequisite conditions that must be satisfied in order for credential s to be disclosed. Typically, the prerequisite conditions are a set of credentials C' ⊆ C, where C is the set of all credentials. In this paper, policies are modelled using propositional formulas. Specifically, for each credential c_i ∈ C, we introduce a boolean variable x_i. Every policy p has the form:

    p : s ← φ(x_1, ..., x_k)

where

φ(x_1, ..., x_k) is a normal formula consisting only of literals x_i, the Boolean operators ∧ and ∨, and parentheses as needed. (Usually, monotonicity of policy languages [5, 25] is also assumed, such that no negative operator (¬) appears in policies.) s is referred to as the target of p, and φ(x_1, ..., x_k) the condition of p. Given a set of credentials C' ⊆ C, we denote g_φ(C') as the value of φ(x_1, ..., x_k) given x_i = 1 if c_i ∈ C' and x_i = 0 otherwise. For example, if φ = (x_1 ∧ x_3) ∨ x_2, then g_φ({c_1, c_2, c_4}) = 1 and g_φ({c_1, c_4}) = 0. Policy p is satisfied by a set of credentials C' ⊆ C iff g_φ(C') = 1. During trust negotiation, a negotiator can disclose credential s if g_φ(C') = 1, where C' is the set of credentials that the negotiator has received from the opposing negotiator. In the rest of the paper, for notational simplicity, we will replace x_i with c_i in policies, following the notation used in [6, 22, 23, 25]. The φ in the example above is thus represented as φ = (c_1 ∧ c_3) ∨ c_2.

A trust-negotiation protocol is normally initiated by a negotiator (typically, a client) requesting particular services from another negotiator (a server). Trust is established if the initially requested services are granted and all policies for disclosed credentials are satisfied [22]. In this case, the credential-exchange sequence is a successful negotiation. Otherwise, it is a failed negotiation.

[Figure 1: An example of exchange sequence of credentials. The figure (client policies at the left, server policies at the right, the exchanged credentials in the center) is not reproduced in this transcription.]

Figure 1 shows a successful trust-negotiation process initiated by a client requesting service s from a server. The client's access control policies are shown at the left, and the server's access control policies are shown at the right. The client begins by revealing credential c_4, since no previously-received server credentials are needed in order for the client to disclose c_4. The server then discloses s_3 (which has no precondition) and s_2 (which requires the earlier receipt of client credential c_4). The credential-exchange process continues as shown in the center of the figure. Note that at each round, all policies for disclosed credentials are satisfied.

The sequence of exchanged credentials depends on the decisions of each negotiator, referred to as a strategy. A strategy is based on local credentials, local policies, requests for local credentials from the opposing negotiator, and credentials received from the opposing negotiator. A strategy controls which credentials are

disclosed and when, and when to terminate a negotiation [25]. Two negotiation strategies, an eager strategy and a parsimonious strategy, are proposed in [9]. With eager strategies, two negotiators take turns disclosing credentials to the other side as soon as the access control policy restrictions for those credentials are satisfied. For example, the negotiation process in Figure 1 is achieved using an eager strategy. Conversely, with a parsimonious strategy, neither negotiator will disclose a credential until both of them know there exists a successful negotiation, via an initial exchange of policies only. As a consequence, only credentials are exchanged using eager strategies, while under parsimonious strategies, both policies and credentials may be exchanged. Figure 2 shows the corresponding negotiation process of Figure 1 with a parsimonious strategy.

[Figure 2: An exchange sequence of credentials for the negotiation in Figure 1 using a parsimonious strategy. The figure is not reproduced in this transcription.]

A strategy is safe if, under the strategy, all policies for credential disclosure are satisfied whenever a credential is disclosed [4]. Consider p : s ← c_5 ∨ (c_1 ∧ c_2) in Figure 1, i.e., φ = c_5 ∨ (c_1 ∧ c_2). When either c_5, or both c_1 and c_2, are received, φ is satisfied and s can be disclosed safely. When a credential c can be disclosed without the receipt of any credentials from the opposing negotiator, we use the policy p_c : c ← TRUE. Instead, if a negotiator does not have a credential c, we have p_c : c ← FALSE, which is generally omitted. When negotiators applying a particular strategy are able to find a successful credential-exchange sequence whenever such a sequence exists, the strategy is a complete strategy [22]. There is a large body of work in the literature on trust negotiation [4, 9, 22, 25].

In this previous work, however, credentials are treated without preference (i.e., all credentials are assumed to be of equal value to a negotiator), in that a negotiator does not have a preference about whether to disclose credential c_i or c_j when given a choice. In this report, we are concerned with the preferences of credentials.
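To make the policy semantics of this section concrete, here is an added example (not code from the report) that evaluates DNF policies with g_φ and simulates an eager-strategy exchange round by round, reporting success or failure and the sensitivity cost of everything disclosed. The client policies, the costs and the credential names are constructed for illustration; only the server policy s ← c5 ∨ (c1 ∧ c2) is taken from the text.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Policy = List[FrozenSet[str]]      # DNF condition: a list of conjuncts (credential sets)
PolicySet = Dict[str, Policy]      # target credential -> its DNF condition
Rounds = List[Tuple[str, List[str]]]

TRUE: Policy = [frozenset()]       # p_c : c <- TRUE (the empty conjunct always holds)
                                   # a credential with no entry at all is c <- FALSE


def dnf(*disjuncts: Tuple[str, ...]) -> Policy:
    """Build a DNF condition; each argument is one conjunct of credential names."""
    return [frozenset(d) for d in disjuncts]


def g_phi(phi: Policy, received: Set[str]) -> int:
    """g_phi(C'): 1 iff at least one disjunct has all of its credentials in C'."""
    return int(any(conj <= received for conj in phi))


def eager_negotiate(client: PolicySet, server: PolicySet, service: str,
                    max_rounds: int = 100) -> Tuple[bool, Rounds]:
    """Eager strategy: the parties alternate, and in each round the active party
    discloses every not-yet-disclosed credential whose policy is satisfied by
    what it has received so far.  The client initiates unless it has nothing it
    can disclose freely, in which case the server starts.  Success means the
    server disclosed `service`; the negotiation fails when a round has nothing
    safe to disclose (neither side can make progress) before that happens."""
    held = {"client": client, "server": server}
    received: Dict[str, Set[str]] = {"client": set(), "server": set()}
    disclosed: Dict[str, Set[str]] = {"client": set(), "server": set()}
    rounds: Rounds = []
    party, other = "client", "server"
    for _ in range(max_rounds):
        ready = sorted(c for c, phi in held[party].items()
                       if c not in disclosed[party] and g_phi(phi, received[party]))
        if not ready:
            if not rounds and party == "client":
                party, other = other, party      # let the server initiate instead
                continue
            return False, rounds                 # stuck: failed negotiation
        rounds.append((party, ready))
        disclosed[party].update(ready)
        received[other].update(ready)            # every disclosure is safe by construction
        if party == "server" and service in ready:
            return True, rounds                  # Definition 1, condition (1): s in M_n
        party, other = other, party
    return False, rounds


def sensitivity_cost(rounds: Rounds, costs: Dict[str, int]) -> int:
    """Total sensitivity cost of all credentials disclosed in the exchange."""
    return sum(costs[c] for _, creds in rounds for c in creds)


# Constructed example.  The client does not hold c5, so its policy is omitted.
CLIENT: PolicySet = {
    "c1": dnf(("s2", "s3")),        # c1 <- s2 AND s3
    "c2": dnf(("s2",)),             # c2 <- s2
    "c3": dnf(("s2",)),             # c3 <- s2   (never needed by the server)
    "c4": TRUE,                     # c4 <- TRUE
}
SERVER: PolicySet = {
    "s":  dnf(("c5",), ("c1", "c2")),   # s <- c5 OR (c1 AND c2), from the text
    "s2": dnf(("c4",)),                 # s2 <- c4
    "s3": TRUE,                         # s3 <- TRUE
}
COSTS = {"c1": 3, "c2": 2, "c3": 5, "c4": 1, "s": 0, "s2": 1, "s3": 1}

if __name__ == "__main__":
    ok, rounds = eager_negotiate(CLIENT, SERVER, "s")
    print(ok, rounds, sensitivity_cost(rounds, COSTS))
```

The eager run discloses c3 although no server policy needs it, which is exactly the kind of avoidable cost the MSC problem in Section 3 is about.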

3 Problem formulation

Given the problem setting in Section 2, we formulate the trust negotiation problem in this section.

Definition 1: Given a set of credentials C_S and policies P_S processed by a negotiating server, and C_C and P_C by a client, the general trust negotiation problem initiated by a request for s ∈ C_S from the client, is to find an exchange sequence of credentials and policies M_1 M_2 ... M_n, such that (1) s ∈ M_n; (2) M_k ⊆ C_S ∪ P_S or M_k ⊆ C_C ∪ P_C, for 1 ≤ k ≤ n; and (3) ∀ m ∈ M_k, m ∈ C_S ⟹ g_{φ_m}(C_C ∩ (∪_{j<k} M_j)) = 1 and m ∈ C_C ⟹ g_{φ_m}(C_S ∩ (∪_{j<k} M_j)) = 1, for all 1 ≤ k ≤ n.

Condition (1) expresses the requirement that the sequence should achieve a successful negotiation, i.e., that the initially requested service s is granted. Condition (2) indicates that, at each exchange round, both parties exchange credentials or requests for credentials. These requests for credentials are in the form of policies that have credentials in the conditions of the policies. Condition (3) requires that every disclosure of a credential is safe, i.e., that the corresponding policy is satisfied when the credential is disclosed. In the above, n is called the number of exchange rounds. Definition 1 is based on existing work [4, 6, 22], although no explicit formal definition is provided there. Similar to Definition 1, we have the following definition incorporating the sensitivity costs of credentials and policies.

Definition 2: Given a set of credentials C_S and policies P_S processed by a negotiating server, C_C and P_C by a client, and a sensitivity cost w_c for any credential or policy c ∈ C_S ∪ P_S ∪ C_C ∪ P_C, the Minimum Sensitivity Cost (MSC) problem initiated by a request for s ∈ C_S from the client, is to find an exchange sequence of credentials and policies M_1 M_2 ... M_n, such that (1) s ∈ M_n; (2) M_k ⊆ C_S ∪ P_S or M_k ⊆ C_C ∪ P_C, for 1 ≤ k ≤ n; (3) ∀ m ∈ M_k, m ∈ C_S ⟹ g_{φ_m}(C_C ∩ (∪_{j<k} M_j)) = 1 and m ∈ C_C ⟹ g_{φ_m}(C_S ∩ (∪_{j<k} M_j)) = 1, for all 1 ≤ k ≤ n; and (4) Σ_{c ∈ ∪_{1≤k≤n} M_k} w_c is minimum.

For now, we assume that only credentials are protected by policies. Note, however, that the formulation can

be extended to the case that policy disclosures themselves are protected by other policies [4]. In the remainder of this report, we assume that there is no cost to disclose the names or IDs of credentials to the opposing negotiator. In other words, only the disclosure of the contents of credentials incurs sensitivity cost. In most cases, possessing a credential is not sensitive, e.g., everyone is known to have an SSN although the SSN number is sensitive to disclose. By doing this, we exclude possession-sensitive credentials discussed in [6, 8, 23], which we leave as a direction for future work.

4 Solving the MSC problem

We will investigate the complexity of solving the MSC problem defined in Section 3 under two scenarios. In the first scenario, policies have no sensitivity cost and can be freely disclosed. This section is devoted to this first case. In the second scenario, which is discussed in Section 5, policies themselves are sensitive and disclosing a policy incurs a positive cost.

4.1 Policy-graph-based Strategy

When policies have no sensitivity cost, we propose a straightforward strategy, namely the policy-graph-based strategy, to solve the MSC problem. The strategy consists of four steps: (1) Both negotiating parties first disclose all policies and the costs of local credentials to the other side; (2) A policy graph based on the exchanged policies is constructed; (3) The negotiators then apply algorithms to find, if it exists, a solution with minimum sensitivity cost; (4) Both negotiators conduct the actual exchange sequence of credentials based on the resulting solution. In this subsection, we briefly describe these four steps; the following subsection focuses on a complexity analysis of this strategy.

A policy graph consists of two kinds of nodes: circle nodes corresponding to credentials and rectangle nodes corresponding to ∧ operators in the policies. Consider a formula φ in policy p : s ← φ. We assume that all φ are represented in a disjunctive normal form, a disjunction (sequence of ORs) consisting of one or more disjuncts, each of which is a conjunction (AND) of one or more credentials. If a disjunct consists of a single credential c, there is a direct edge from node c to node s. If a disjunct consists of several

[Figure 3: Examples of policies and corresponding policy graphs, panels (a) and (b). The figure is not reproduced in this transcription.]

credentials, each credential has a directed edge to a rectangle node r, which further has a directed edge to c. Figure 3 shows three policy graphs and their corresponding policies.

    // Assuming conditions of all policies are represented in a disjunctive normal form
    Construct-Negotiation-Graph(P_S, P_C) {
     (1)  E = {credentials in the condition of p_s};   // p_s is the policy for the originally requested service s
     (2)  G = ∅;
     (3)  BuildGraph(G, target of p_s, condition of p_s);
     (4)  WHILE (E is not empty) {
     (5)    Pick e from E;
     (6)    IF (there is a policy p_e ∈ P_S ∪ P_C s.t. e is the target of p_e) {
     (7)      BuildGraph(G, target of p_e, condition of p_e);
     (8)      E = (E ∪ credentials in the condition of p_e) \ {e};
            }
     (9)    ELSE {
     (10)     BuildGraph(G, e, FALSE);
     (11)     E = E \ {e};
            }
          }
     (12) RETURN G;
    }

    BuildGraph(G, target, condition) {
     (13) IF (target ∉ G) Create a node for target;
     (14) IF (condition == FALSE) {
     (15)   Prune(target, G);
     (16)   return;
          }
     (17) FOR (each disjunct D of condition) {
     (18)   IF (D is a conjunct consisting of more than one literal) {
     (19)     Create a rectangle node R in G;
     (20)     Link R to the node of target;
     (21)     FOR (each element e of D) {
     (22)       IF (e ∈ G) Link a direct edge from e to R;
     (23)       ELSE Create a circle node for e and link a direct edge from e to R;
              }
            }
     (24)   ELSE {   // D is a single credential
     (25)     IF (D ∈ G) Link a direct edge from D to the node of target;
     (26)     ELSE Create a circle node for D and link a direct edge from D to the node of target;
     (27)   }
          }
    }

Figure 4: Pseudo-code for constructing a policy graph.

Figure 4 presents the pseudo code of the algorithm constructing a policy graph, G, given the input of the server policies (P_S) and the client policies (P_C). Note that each credential has at most one corresponding circle node; however, there exists a unique rectangle node for each ∧ operator. Every credential that

can be disclosed without cost has an incoming edge from a node T that corresponds to TRUE. When a credential appears multiple times in the policies, its corresponding node has multiple outgoing edges. Consequently, there may exist cycles in a policy graph, as shown in Figure 5(b), which presents the policy graph constructed in step (2) for the server and client policies shown in Figure 5(a).

[Figure 5: A policy graph (b) constructed based on the policies (a); the dashed cycle in (b) is marked. The figure is not reproduced in this transcription.]

Once both negotiators have constructed a policy graph based on the exchanged policies, they conduct searching algorithms to find a successful solution with minimum cost in the graph. The MSC problem can be translated into the following Minimum Directed-Acyclic-Graph problem.

Definition 3: Given a directed graph G = <V, A>, a node u' is reachable from a node u if there exists a sequence v_0, v_1, ..., v_k such that v_0 = u, v_k = u' and (v_{i-1}, v_i) ∈ A for i = 1, 2, ..., k.

Definition 4: Given a directed graph G = <V, A>, where the node set V consists of circle nodes U and rectangle nodes R, i.e., V = U ∪ R, a directed acyclic graph (DAG) starting from a node u and ending at a node u' is a subgraph G' ⊆ G such that (1) G' is acyclic and u, u' ∈ G'; (2) There are no incoming edges to u and no outgoing edges from u' in G'; (3) For all v ∈ G', v is reachable from u; and (4) If a rectangle node v is in G', then (v', v) ∈ A ⟹ v' ∈ G' for all v' ∈ G.

Note that condition (4) in Definition 4 ensures that, if a rectangle node, v, is in a DAG, all its child nodes, i.e., nodes that have outgoing edges to v, must also be in the DAG.

Definition 5: Given a directed graph G = <V, A>, V = U ∪ R, a source node u, a destination node u', and a cost map w : V → Z, the Minimal DAG problem is to find a DAG, denoted as G_{u→u'}, starting from u and ending at u' with minimum cost, i.e.,

    min Σ_{v ∈ G_{u→u'}} w(v)    (1)

To solve the MSC problem, we need to find a minimum G_{T→s} in the constructed policy graph, where T is the node corresponding to TRUE and s represents the initially requested service. As we shall describe in the next subsection, the complexity of finding a minimum DAG depends on the policy graph. More specifically, if all nodes in the graph are circle nodes, it is polynomially solvable; however, the problem is NP-hard if the graph includes rectangle nodes.

Once a G_{T→s} is found in a policy graph, there exists a successful negotiation. Both negotiators exchange sequences of credentials according to this G_{T→s}, achieving a successful outcome. The exchange can be initiated by a negotiator who has freely-disclosed credentials, i.e., one of the parent nodes of node T in the policy graph. If both negotiators have such freely-disclosed credentials, either can initiate the exchange sequence. A credential c in G_{T→s} can be disclosed by a negotiator if the negotiator has received all credentials appearing as the predecessors of c in G_{T→s} from the opposing negotiator.

Proposition 1. The policy-graph-based strategy is safe and complete.

Proof: Condition (4) in Definition 4 guarantees that any node c in a G_{T→s} has at least one of its child nodes, which corresponds to a disjunct in φ_c, in the G_{T→s}. Credential c can be disclosed only when the credentials corresponding to c's child nodes in the G_{T→s} are received, which means φ_c is satisfied. If a successful solution exists, there exists a G_{T→s} in the policy graph. Thus the strategy is complete.

4.1.1 Pruning the policy-graph

We observe that for a rectangle node in a policy graph to be in a G_{T→s}, all its child nodes must be in the G_{T→s}. If a negotiator does not have credential c, i.e., p_c : c ← FALSE, node c can not be in any G_{T→s}. Consequently we can prune node c and all its child edges. Furthermore, if such a node c is a child node of a rectangle node r, r can also not appear in a G_{T→s}. Thus during the procedure of constructing a policy graph, when a node c with policy p_c : c ← FALSE is encountered (step (15) in Figure 4), a procedure Prune(c, G) is called to prune the graph, but the pruned graph still contains all valid G_{T→s}. Figure 6 shows the pseudo-code of the

pruning procedure.

    Prune(target, G) {
     (1)  F = {target};
     (2)  WHILE (F is not empty) {
     (3)    Pick v from F;
     (4)    FOR (each parent u of v) {
     (5)      IF (u is a rectangle node)
     (6)        F = F ∪ {u};
     (7)    }
     (8)    F = F \ {v};
     (9)    Delete v and all outgoing edges from v from G;
     (10) }
    }

Figure 6: Pseudo-code for pruning the policy graph during construction.

With this pruning, the pruned policy graph of the one in Figure 5(b) is shown in Figure 7.

[Figure 7: The pruned policy graph for the policies shown in Figure 5(a). The figure is not reproduced in this transcription.]

4.2 Complexity Analysis

In this subsection, we analyze the complexity of the policy-graph-based strategy. In particular, we focus on the algorithm for constructing the policy graph, and algorithms for finding the minimum G_{T→s} in the resultant graph.

Proposition 2. The running time of the algorithm for constructing a policy graph is polynomial in the number and the length of policies P_S and P_C.

Proof: We define the length, l_p, of a policy p, as the number of credentials in the condition of the policy. For example, policy p : s ← c_5 ∨ (c_1 ∧ c_2) has length 3 since there are in total 3 credentials in the

condition of p. Let L be the maximum length of all policies, i.e., L = max_{p ∈ P_S ∪ P_C} l_p. Consider steps (4) to (11) in the WHILE loop. Since set E only includes credentials appearing in policies, |E| ≤ (L + 1)(|P_S| + |P_C|). During each execution of the loop, step (8) or (11) deletes one element from E, thus the loop is executed at most (L + 1)(|P_S| + |P_C|) times. Next consider procedure BuildGraph(). The FOR loop from step (17) to (25) has at most L executions since each execution deals with one disjunct in the condition. Assume that the policy-graph is stored in an n × n adjacency matrix, where n is the number of nodes in the output graph. Deciding whether a node has been in G (steps (13), (22) and (24)) requires complexity of O(n). Since at least two credentials are required to incur an ∧ operator, a policy with length l generates at most ⌊l/2⌋ rectangle nodes. Thus the resulting graph has at most ⌊L/2⌋(|P_S| + |P_C|) rectangle nodes and (L + 1)(|P_S| + |P_C|) circle nodes (corresponding to credentials), i.e., n ≤ ⌊L/2⌋(|P_S| + |P_C|) + (L + 1)(|P_S| + |P_C|). Consequently, the running time of procedure BuildGraph() is at most L(⌊L/2⌋ + L + 1)(|P_S| + |P_C|). As a result, the algorithm in Figure 4 will have a total running time that is at most L(L + 1)(⌊L/2⌋ + L + 1)(|P_S| + |P_C|)^2.

Although a policy graph can be constructed in polynomial time, finding the minimum G_{T→s} in the graph is more complicated.

    Compute-Cost(G, W) {   // W is the cost matrix for all credentials/services
      // L[v] and W[v] store the LABEL and the cost of node v ∈ G respectively
      // A is the set of nodes that are parent nodes of nodes in S
     (1)  L[T] = ∅; c[T] = 0;
     (2)  L[v] = ∅; c[v] = ∞;   // for all other nodes except the T node
     (3)  S = {T};
     (4)  For (each parent u of node T) {
     (5)    Compute L[u] and W[u];
     (6)    If (W[u] is finite) A = A ∪ {u};
          }
     (7)  WHILE (s ∉ S or (A is not empty)) {
     (8)    Pick v ∈ A with minimum cost;
     (9)    S = S ∪ {v}; A = A \ {v};
     (10)   For (each parent u of node v) {
     (11)     Compute L[u] and W[u];
     (12)     If (W[u] is finite) A = A ∪ {u};
            }
     (13) }
     (14) If (W[s] is finite) return L[s] and W[s];
     (15) }

Figure 8: Pseudo-code of the variational Dijkstra algorithm for finding a minimum G_{T→s} in a policy-graph G.

Proposition 3. If a policy graph does not include rectangle nodes, the Minimum DAG problem can be solved using a variation of Dijkstra's algorithm, shown in Figure 8.

Proof: When Dijkstra's algorithm in [6] is used, costs are associated with edges in the graph. When a

variation of Dijkstra's algorithm shown in Figure 8 is used, costs are associated with nodes rather than edges. But in both algorithms, costs are non-negative and the variation of Dijkstra's algorithm shown in Figure 8 operates exactly the same as Dijkstra's algorithm in [6]. The correctness of Dijkstra's algorithm in [6] guarantees that the variation of Dijkstra's algorithm returns a DAG (L[s]) with a minimum cost (W[s]). When rectangle nodes exist in a policy graph, however, the MSC problem turns out to be an NP-complete problem.

Proposition 4: The general Minimum DAG problem is NP-complete.

Proof: It is easy to show that the Minimum DAG problem is in NP. Given a $G_{sT}$, validating condition (1) and computing the cost of $G_{sT}$ can be done in polynomial time. To show that it is NP-hard, we prove that 3-SAT is polynomially reducible to the Minimum DAG problem. Given an instance of 3-SAT with clause set $L = \{l_1, l_2, \ldots, l_m\}$ and variable set $V = \{x_1, x_2, \ldots, x_n\}$, we can formulate an instance of the Minimum DAG problem as in Figure 9:

[Figure 9: the source node u, the rectangle node r, the clause nodes $l_1, l_2, \ldots, l_m$, the variable nodes $v_1, v_2, \ldots, v_n$, the literal nodes $x_1, \bar{x}_1, x_2, \bar{x}_2, \ldots, x_n, \bar{x}_n$, and the destination node u', connected as described below.]

Figure 9: An instance of the Minimum DAG problem formulated from an instance of the 3-SAT problem.

Construct 2n circle nodes $\{x_1, \bar{x}_1, x_2, \bar{x}_2, \ldots, x_n, \bar{x}_n\}$ for literals, n circle nodes $\{v_1, v_2, \ldots, v_n\}$ for variables, and m circle nodes for clauses. Construct a rectangle node r, a source node u and a destination node u'. Connect directed edges as shown in Figure 9. Note that a clause circle node, $l_i$, has three incoming edges from the three literal nodes appearing in the clause. All literal nodes $\{x_i, \bar{x}_i\}$ have cost 1. Other nodes have cost 0. The constructed Minimum DAG problem is to find a $G_{uu'}$ with cost $w_{G_{uu'}} \le n$ subject to condition (1).
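The reduction can be exercised on a small instance. The Python below is an added example (not the paper's code): it builds the Figure 9 gadget for constructed 3-CNF formulas and confirms by exhaustive search that a valid $G_{uu'}$ of cost at most n exists exactly when the formula is satisfiable; the node names and the clause encoding are this example's own.

```python
from itertools import product


def build_gadget(n_vars, clauses):
    """Figure 9 gadget.  A literal is +i for x_i or -i for ~x_i (i = 1..n).
    Edge u -> v means u requires v.  Returns (children, rectangles, cost)."""
    def lit(l):
        return f"x{l}" if l > 0 else f"~x{-l}"
    children = {"u": ["r"], "r": [], "u'": []}           # u needs the rectangle r
    for j, clause in enumerate(clauses, 1):
        children["r"].append(f"l{j}")                      # r needs every clause node
        children[f"l{j}"] = [lit(l) for l in clause]        # a clause needs one literal
    for i in range(1, n_vars + 1):
        children["r"].append(f"v{i}")                      # ... and every variable node
        children[f"v{i}"] = [f"x{i}", f"~x{i}"]            # a variable needs one literal
        children[f"x{i}"] = children[f"~x{i}"] = ["u'"]    # literals are free: they point at u'
    cost = {v: int(v[0] in "x~") for v in children}       # literal nodes cost 1, all others 0
    return children, {"r"}, cost


def is_valid_dag(G, children, rectangles):
    """Condition (1): every circle node in G has at least one child in G and
    every rectangle node in G has all of its children in G; u and u' are in G."""
    if "u" not in G or "u'" not in G:
        return False
    for v in G:
        present = [k in G for k in children[v]]
        ok = all(present) if v in rectangles else (any(present) or not present)
        if not ok:
            return False
    return True


def min_dag_cost(n_vars, clauses):
    """Exhaustive minimum-cost valid G_uu'.  Only literal nodes cost anything and
    u's only child is the rectangle r, so every valid DAG contains all zero-cost
    nodes; it suffices to enumerate literal subsets.  Returns (cost, G) or None."""
    children, rectangles, cost = build_gadget(n_vars, clauses)
    fixed = {v for v in children if cost[v] == 0}
    literals = [v for v in children if cost[v] == 1]
    best = None
    for keep in product([False, True], repeat=len(literals)):
        G = fixed | {l for l, k in zip(literals, keep) if k}
        if is_valid_dag(G, children, rectangles):
            c = sum(cost[v] for v in G)
            if best is None or c < best[0]:
                best = (c, G)
    return best


def decode_assignment(G, n_vars):
    """Direction 1 of the proof: the literal nodes kept in G are the TRUE ones."""
    return {i: f"x{i}" in G for i in range(1, n_vars + 1)}


def satisfiable(n_vars, clauses):
    """Brute-force 3-SAT, used only to confirm that cost <= n <=> satisfiable."""
    return any(all(any((l > 0) == bits[abs(l) - 1] for l in cl) for cl in clauses)
               for bits in product([False, True], repeat=n_vars))


# Constructed instances: SAT is satisfied by x1 = x3 = TRUE; UNSAT rules out all
# four assignments of x1, x2 (repeated literals pad the clauses to three).
SAT = [(1, 2, 3), (-1, -2, 3), (1, -2, -3)]
UNSAT = [(1, 1, 2), (1, 1, -2), (-1, -1, 2), (-1, -1, -2)]
```

For UNSAT the cheapest valid DAG must keep both literals of some variable, so its cost exceeds n = 2, while for SAT a cost-3 DAG exists and decodes to a satisfying assignment.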

By solving this Minimum DAG problem in Figure 9, we can solve the given 3-SAT problem. If there is a $G_{uu'}$ with cost $w_{G_{uu'}} \le n$, we answer YES for the given 3-SAT problem and the literal nodes in the $G_{uu'}$ are assigned TRUE. Otherwise we answer NO for the 3-SAT problem. Now, we want to show that there is a $G_{uu'}$ with cost $w_{G_{uu'}} \le n$ in Figure 9 if and only if there is a truth assignment satisfying the 3-SAT instance.

1. If a $G_{uu'}$ with cost $\le n$ exists, since r is a rectangle node, all clause and variable nodes must be in the $G_{uu'}$. Consequently, one and exactly one node from each literal-node pair $\{x_i, \bar{x}_i\}$ must be in the $G_{uu'}$. We then assign those literal nodes in the $G_{uu'}$ the value TRUE. Since every clause node is in the $G_{uu'}$, at least one of the three literal nodes appearing in a clause is also in the $G_{uu'}$, which means the assignment above satisfies all clauses of the 3-CNF sentence.

2. If there exists a truth assignment satisfying the 3-CNF sentence, we can put all nodes in Figure 9 in a $G_{uu'}$ except those literal nodes that are NOT assigned TRUE. Such a $G_{uu'}$ is a valid DAG starting from u and ending at u' since each variable node has exactly one child node in the $G_{uu'}$ and each clause node has at least one component literal node in the $G_{uu'}$. The $G_{uu'}$ also has a cost equal to n.

4.3 Heuristic Algorithms

Given the NP-completeness of the Minimum Sensitivity Cost problem even when policies can be disclosed freely, in this subsection we describe two heuristic algorithms, followed by a performance study of these heuristics via simulation. As we described in Section 4.2, a variation of Dijkstra's algorithm in Figure 8 can be used to solve the Minimum DAG problem when there are no rectangle nodes in the policy graph. So we consider that algorithm as the first heuristic, referred to as the Dijkstra heuristic, for the general Minimum DAG problem.
Notice that, applying the Dijkstra heuristic, the cumulative cost of a rectangle node u is the sensitivity cost of u plus the cumulative costs of all the child nodes of u, i.e., if u is a rectangle node, step (11) in Figure 8 is replaced by $\text{cost} = W[u] + \sum_{v'} C[v']$, where $v'$ ranges over the child nodes of u. To evaluate the performance of the Dijkstra heuristic, we randomly generate a set of client policies, server policies and credential costs with the following assumptions: The server has $N_S$ credentials and a service s that is initially requested by the client; the client has $N_C$ credentials.

Formulas of all policies are in disjunctive normal form; a formula $\phi_c$ for a protected credential c has k ($0 \le k \le K$) disjuncts and each disjunct consists of m ($0 \le m \le M$) credentials from the opposing negotiator. When k = 0, c can be disclosed freely, i.e., $c \Leftarrow \mathrm{TRUE}$. For the server, each of the $N_S$ credentials has the same probability of appearing in a disjunct of a policy formula of the client. Similar assumptions are made for the client's credentials. A credential c has an integer cost $w_c$ ($0 \le w_c \le W$) if c is not freely disclosed. k, m and $w_c$ are all uniformly distributed in [0, K], [0, M] and [0, W], respectively. 100 sets of policies are randomly generated and for each set, we create 100 different cost assignments for credentials. Among these $10^4$ experiments, 8600 experiments have successful solutions². We define the error percentage, $(C_{Approx} - C_{Optimal})/C_{Optimal}$, to denote the performance of the heuristic algorithm, where $C_{Approx}$ is the cost of the solution returned by the Dijkstra heuristic and $C_{Optimal}$ is the optimal solution³. Figure 10 shows the performance of the Dijkstra heuristic with input parameters $N_S = N_C = 7$, K = 3, M = 4 and W = 10. The Dijkstra heuristic performs quite well in that it finds the solution with minimum cost in 8133 of the 8600 experiments. Figure 10(a) shows the number of experiments that had a given error percentage. Roughly, as the error percentage increases, the corresponding number of experiments decreases. Figure 10(b) shows the corresponding cumulative distribution of the number of experiments with a given error percentage, from which one can see that all solutions returned by the Dijkstra heuristic have an error percentage of less than 54%. We also simulated the eager strategy for the same 8600 experiments. The average cost achieved by the eager strategies, denoted as $C_{Eager}$, is more than two times the cost returned by the Dijkstra heuristic, denoted as $C_{Approx}$ (e.g. $C_{Eager} = 38.7$ and $C_{Approx} = 17.6$).
Note that in the 1400 experiments that have no successful solution, the Dijkstra heuristic does not disclose any credential, but eager strategies will disclose a set of credentials until the negotiation is found to have failed. To further improve the performance of the first heuristic, consider the policy graph in Figure 11(a) with the costs shown in the center. The Dijkstra heuristic chooses node $c_2$ rather than $c_3$ in the resultant $G_{sT}$ since $w_{c_2} < w_{c_3}$. However, $c_3$ must be in the $G_{sT}$ because of the rectangle node. Consequently, choosing $c_3$ as the predecessor of s in the $G_{sT}$ has less cost than choosing $c_2$. To remedy this situation, a node c with n outgoing edges to n rectangle nodes is given a remedied cost $w'_c = w_c/(n+1)$. This remedied cost $w'_c$ is then used when searching for a $G_{sT}$ using the Dijkstra heuristic.

² The existence of successful solutions is determined by the policies, disregarding cost assignments. This means that roughly 86 out of 100 sets of policies were found to have successful solutions.

³ The optimal solution is achieved by enumerating all possible DAGs, which requires exponential computational complexity.

[Figure 10: two panels for $N_S = N_C = 7$, K = 3, M = 4, W = 10: (a) number of experiments (log scale, 1 to 10000) against error percentage (%), 0 to 60; (b) cumulative probability (0.94 to 1) against error percentage (%), 0 to 60.]

Figure 10: Simulated performance of the Dijkstra heuristic.

[Figure 11: two policy graphs, (a) and (b), over the nodes s, $c_1$, $c_2$, $c_3$, $c_4$ and T, with a table of credential costs between them.]

Figure 11: Two policy graphs.

The cost of the resultant $G_{sT}$ is still calculated using $w_c$. However, cost remediation may result in a worse $G_{sT}$ than the one without remediation. For example, consider the policy graph in Figure 11(b). Here, the algorithm chooses $c_3$ in the resultant $G_{sT}$ with cost remediation even though the optimal $G_{sT}$ includes $c_2$ instead of $c_3$. Thus the second heuristic algorithm, referred to as the hybrid Dijkstra heuristic, is to run the algorithm in Figure 8 twice, once with cost remediation and once without, and return the $G_{sT}$ with the smaller cost. Simulation results in Figure 12 show that the hybrid Dijkstra heuristic provides some improvement over the first heuristic algorithm. For example, it finds the solution with minimum cost in 8243 of the 8600 experiments with input parameters $N_S = N_C = 7$, K = 3, M = 4 and W = 10.
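As an added example (not the paper's code), the following Python carries the Figure 8 search, the rectangle-node rule, the cost remediation and the hybrid variant through two constructed policy sets. The graph encoding, the node names and the reading of the remedy as counting the rectangle nodes that require a credential are this example's own assumptions.

```python
import math

INF, T = math.inf, "T"   # T is the sink standing for TRUE; free credentials point at it

def build_policy_graph(policies):
    """policies: {credential: [disjunct, ...]}, a disjunct being a tuple of the
    opposing negotiator's credentials; [] means c <= TRUE.  Edge u -> v means
    u requires v; a disjunct with 2+ conjuncts becomes a rectangle node."""
    children, parents, rectangles = {}, {}, set()
    def add_edge(u, v):
        children.setdefault(u, []).append(v)
        parents.setdefault(v, []).append(u)
        children.setdefault(v, [])
        parents.setdefault(u, [])
    for c, disjuncts in policies.items():
        if not disjuncts:
            add_edge(c, T)
        for d in disjuncts:
            if len(d) == 1:
                add_edge(c, d[0])
                continue
            r = f"R[{c}<={'&'.join(d)}]"
            rectangles.add(r)
            add_edge(c, r)
            for v in d:
                add_edge(r, v)
    return children, parents, rectangles

def dijkstra_heuristic(policies, costs, source, remediate=False):
    """Figure 8 search from T back to `source` with costs on nodes.  A circle
    node takes its cheapest settled child; a rectangle node takes the sum over
    all its children (the heuristic's replacement for step (11)).  With
    remediate=True a credential is priced at w/(n+1), n = number of rectangle
    nodes requiring it (this example's reading).  Returns (real cost, nodes)."""
    children, parents, rectangles = build_policy_graph(policies)
    def search_cost(v):
        n = sum(p in rectangles for p in parents.get(v, [])) if remediate else 0
        return costs.get(v, 0) / (n + 1)
    W, L = {T: 0.0}, {T: frozenset()}    # cost and LABEL (circle nodes below v)
    settled, frontier = {T}, {}          # the sets S and A of Figure 8
    def relax(u):  # "Compute L[u] and W[u]" from u's settled children
        if u in rectangles:
            if not all(v in settled for v in children[u]):
                return                   # a conjunct is still unpriced: W[u] = INF
            W[u] = sum(W[v] for v in children[u])
            L[u] = frozenset().union(*(L[v] for v in children[u]))
        else:
            best = min((v for v in children[u] if v in settled), key=W.__getitem__)
            W[u] = search_cost(u) + W[best]
            L[u] = L[best] | {u}
        frontier[u] = W[u]

    for u in parents.get(T, []):
        relax(u)
    while source not in settled and frontier:
        v = min(frontier, key=frontier.__getitem__)  # pick v in A with minimum cost
        del frontier[v]
        settled.add(v)
        for u in parents.get(v, []):
            if u not in settled:
                relax(u)
    if source not in settled:
        return INF, None
    dag = set(L[source])
    return sum(costs.get(c, 0) for c in dag), dag   # final cost uses the real w_c

def hybrid_dijkstra(policies, costs, source):
    """Run once without and once with remediation; keep the cheaper DAG."""
    return min(dijkstra_heuristic(policies, costs, source, False),
               dijkstra_heuristic(policies, costs, source, True),
               key=lambda result: result[0])

# Constructed set 1: c3 is needed anyway via the rectangle s1 <= c3 & c5, so
# satisfying c2 through s2 (needs c3) beats s3 (needs c4); plain search misses this.
POLICIES_A = {"s": [("c1", "c2")], "c1": [("s1",)], "s1": [("c3", "c5")],
              "c2": [("s2",), ("s3",)], "s2": [("c3",)], "s3": [("c4",)],
              "c3": [], "c4": [], "c5": []}
COSTS_A = {"s": 0, "c1": 1, "c2": 1, "s1": 1, "c3": 3, "c5": 1, "s2": 1, "s3": 1, "c4": 2}
# Constructed set 2 (cf. Figure 11(b)): the unused conjunction c3 & c4 cheapens
# c3 under remediation, so the remedied search prefers it to the cheaper c2.
POLICIES_B = {"s": [("c2",), ("c3",), ("c3", "c4")], "c2": [], "c3": [], "c4": []}
COSTS_B = {"s": 0, "c2": 2, "c3": 3, "c4": 1}
```

On set 1 the plain search returns a DAG of cost 10 and the remedied one cost 8; on set 2 remediation gives cost 3 against the optimal 2, and the hybrid picks the better of the two in both cases.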

[Figure 12: two panels for $N_S = N_C = 7$, K = 3, M = 4, W = 10, comparing the Dijkstra and Hybrid heuristics: (a) number of experiments (log scale, 1 to 10000) against error percentage (%), 0 to 60; (b) cumulative probability (0.94 to 1) against error percentage (%), 0 to 60.]

Figure 12: Compared performance of the two heuristic algorithms.

5 The MSC problem with policy-disclosure costs

In Section 4 we considered the solution of the MSC problem when policies are free to disclose. This section discusses the case when policies are themselves sensitive, i.e., there is a cost in policy disclosure. As described earlier, with eager strategies, both negotiators immediately disclose a credential once that credential's conditions are satisfied. As a result, no policies are exchanged during the negotiation process. On the other hand, using policy-graph-based strategies, both negotiators exchange all policies and find a successful $G_{sT}$ with minimum sensitivity cost and thus only disclose a smaller set of credentials. It is possible that the minimum cost achievable using policy-graph-based strategies (including the cost of the exchanged policies) is higher than the cost under eager strategies. However, without knowledge of all policies, it is impossible to find a successful solution with minimum cost. For this reason, we propose a greedy strategy to approximately solve the MSC problem when policies are themselves sensitive. The greedy strategy is based on eager strategies and consists of two steps. In the first step, both negotiators exchange the names and corresponding cumulative costs of credentials using eager strategies, i.e., a negotiator will disclose the name of a credential if the credential is satisfied by the names of credentials received from the opposing negotiator⁴. At the end of the first step, the negotiation is determined to have a successful solution or not. If a successful solution exists, the negotiation process proceeds to the second step, in which both negotiators construct the solution and exchange the contents of the credentials. These two steps are detailed in the following.

⁴ We assume that both negotiators have consistent names for credentials.

5.1 Step One

In the first step, the negotiation process begins by one negotiator disclosing the names and cumulative costs of its free credentials. The cumulative cost of a freely disclosed credential is zero. After this initial step, both negotiators use eager strategies. More specifically, when a credential (except the initially requested service s, for reasons that will be described shortly) is satisfied by the names of the credentials received from the opposing negotiator, its name and cumulative cost are disclosed. The cumulative cost of a satisfied credential c is the sum of the cost of the credential, $w_c$, and the cumulative costs of all credentials appearing in a satisfied disjunct of $\phi_c$. If multiple disjuncts are satisfied, the one currently with minimal cumulative cost is chosen. The exchange of names and cumulative costs continues until both negotiators have no more credentials to disclose. If the initially requested service s is not satisfied, it is a failed negotiation; otherwise, it is a successful negotiation. The reason for not disclosing the name of s immediately when s is satisfied is to find other possible solutions satisfying s with a smaller cost.

[Figure 13: (a) the client's and the server's policies with the credential costs; (b) the names and cumulative costs exchanged between client and server in step one; (c) the credentials exchanged in step two.]

Figure 13: An exchange sequence using greedy strategies.

Figure 13 shows a simple two-step exchange using greedy strategies. The policies and costs are shown in Figure 13(a). Figure 13(b) shows the information exchanged during step one of the greedy strategies. The actual exchange of credentials conducted in step two is shown in Figure 13(c). In Figure 13(b), the server begins the negotiation by disclosing $N_1 = \{s_2(0), s_3(0)\}$, where the names of the credentials, $s_2$ and $s_3$, are followed by their cumulative costs, which are both 0. After the client receives $N_1$, it discloses in $N_2$ the names and cumulative costs of all credentials satisfied by $N_1$, i.e., $N_2 = \{c_2(7), c_3(2), c_4(1)\}$. Then the server discloses $N_3 = \{s_1(3)\}$. Consider $p_{s_1}: s_1 \Leftarrow c_3 \vee c_4$.
The cumulative cost of $s_1$ is $w_{s_1} + w_{c_3}$ if $c_3$ is satisfied, or $w_{s_1} + w_{c_4}$ if $c_4$ is satisfied. If $p_{s_1}$ is satisfied by both $c_3$ and $c_4$, the one with the smaller cumulative cost is chosen. So when the server receives $N_2$, $s_1$ is satisfied by either $c_3$

or $c_4$, and $c_4$ is chosen due to its smaller cumulative cost. Also note that s is satisfied by $c_2$ in $N_2$, but the server did not disclose the name of s immediately in $N_3$. Indeed, another solution ($c_1 \wedge c_4$) was found in a later disclosure with a smaller cost. When both negotiators have no more names of credentials to disclose and s is satisfied, the negotiation has a successful solution and the negotiation process enters the second step.

5.2 Step Two

In the second step of the greedy strategy, both negotiators construct a successful exchange sequence and conduct the actual exchange of credentials. To construct the sequence, the server sends the client the names of the credentials that are chosen to satisfy $p_s$, which are referred to as a counter-request, denoted as $Q_2$, e.g., $Q_2 = \{c_1, c_4\}$ in the example shown in Figure 13. When a negotiator receives $Q_i$, the negotiator replies with $Q_{i+1}$, which includes the names of the credentials chosen to satisfy the credentials in $Q_i$. The process stops when $Q_n$ consists of only freely disclosed credentials (recall that n is the number of exchange rounds). $Q_n, \ldots, Q_2, Q_1 = \{s\}$ consequently form a successful exchange sequence. In the example shown in Figure 13, $Q_5 = \{s_2\}$, $Q_4 = \{c_4\}$, $Q_3 = \{s_1, s_2\}$, $Q_2 = \{c_1, c_4\}$ and $Q_1 = \{s\}$. The subsequent exchange of credentials is conducted according to this sequence, except that every credential is disclosed at most once, i.e., if the name of a credential appears in $Q_i$ and $Q_j$ ($i > j$), and the credential is disclosed in $Q_i$, the credential will not be disclosed again in $Q_j$. For example, as shown in Figure 13(c), $s_2$ appears in both $Q_5$ and $Q_3$. $s_2$ is disclosed in the first round (when $Q_5$ is disclosed) and is not disclosed again in the third round (when $Q_3$ is disclosed). Note that symbols for credentials in Figure 13(b) represent the names of the credentials whereas symbols in Figure 13(c) represent the contents of the credentials. Clearly, it is not guaranteed that the solution achieved under greedy strategies is the optimal solution.
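As an added example (not the paper's code), the following Python plays out both steps of the greedy strategy. The policies and costs are constructed to reproduce the $N_i$, $Q_i$ and $p_{s_1}$ quoted above from Figure 13; since the figure itself is not reproduced here, the remaining disjuncts and costs are assumptions.

```python
def step_one(server, client, service):
    """Step one of the greedy strategy.  Starting with the server, the two sides
    alternately disclose the *names* of every newly satisfied credential with its
    cumulative cost: w_c plus the cumulative costs in the cheapest satisfied
    disjunct.  The requested service is priced but never disclosed, so a cheaper
    disjunct found later replaces the first.  Returns (rounds, chosen) with
    rounds = [N_1, N_2, ...] and chosen: credential -> (cumulative cost, disjunct)."""
    policies = {"server": server, "client": client}
    heard = {"server": {}, "client": {}}   # names and cumulative costs received
    chosen, rounds, turn, idle = {}, [], "server", 0
    while idle < 2:                        # stop after two consecutive empty rounds
        disclosure = {}
        for cred, (w, disjuncts) in policies[turn].items():
            if cred in chosen and cred != service:
                continue                   # a name is disclosed once, with its price
            satisfied = [(w + sum(heard[turn][n] for n in d), d) for d in disjuncts
                         if all(n in heard[turn] for n in d)]
            if not satisfied:
                continue
            best = min(satisfied)          # cheapest satisfied disjunct (cost first)
            if cred == service:
                if cred not in chosen or best[0] < chosen[cred][0]:
                    chosen[cred] = best
            else:
                chosen[cred] = best
                disclosure[cred] = best[0]
        rounds.append(disclosure)
        turn = "client" if turn == "server" else "server"
        heard[turn].update(disclosure)     # the other side now knows these names
        idle = 0 if disclosure else idle + 1
    while rounds and not rounds[-1]:
        rounds.pop()
    return rounds, chosen


def step_two(chosen, service):
    """Step two: counter-requests Q_1 = {service}, Q_{i+1} = the names chosen to
    satisfy the credentials in Q_i, until a Q_n made only of free credentials;
    then the disclosure schedule Q_n, ..., Q_1 with each credential sent once."""
    Q = [{service}]
    while True:
        nxt = {name for cred in Q[-1] for name in chosen[cred][1]}
        if not nxt:
            break
        Q.append(nxt)
    sent, schedule = set(), []
    for q in reversed(Q):
        batch = sorted(q - sent)
        sent.update(batch)
        schedule.append(batch)
    return Q, schedule


def negotiate(server, client, service):
    """Whole greedy negotiation.  Returns None when step one finds no solution,
    else (rounds, Q, schedule, total cost of the credentials actually sent)."""
    rounds, chosen = step_one(server, client, service)
    if service not in chosen:
        return None
    Q, schedule = step_two(chosen, service)
    costs = {c: w for side in (server, client) for c, (w, _) in side.items()}
    return rounds, Q, schedule, sum(costs[c] for batch in schedule for c in batch)


# Constructed policies modelled on the Figure 13 exchange.  Only the N_i, Q_i
# and p_s1 quoted in the text are from the paper; the other disjuncts and the
# costs are assumptions chosen to reproduce them.
# Format: credential: (sensitivity cost w, [disjunct, ...]); () is the TRUE disjunct.
SERVER = {"s": (0, [("c2",), ("c1", "c4")]),
          "s1": (2, [("c3",), ("c4",)]),
          "s2": (0, [()]),
          "s3": (0, [()])}
CLIENT = {"c1": (2, [("s1", "s2")]),
          "c2": (7, [("s3",)]),
          "c3": (2, [("s2",), ("s3",)]),
          "c4": (1, [("s2",)])}
```

The cumulative cost recorded for s is 6 although the credentials actually sent cost 5: the cost of $c_4$ was counted once for $s_1$ and again for s, the double counting the text notes below.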
Our simulation results in Figure 14 show that the greedy strategy finds the solution with minimum cost in 76 of the 8600 experiments with input parameters $N_S = N_C = 7$, K = 3, M = 4 and W = 10. The greedy strategy generates a higher error percentage (more than 200%) compared to the performance of the two heuristics described in Section 4. This is because the negotiators have no knowledge about the policies. It should be noted that, since no information about the $G_{sT}$ is included in the $N_i$ in step one, a credential may incur multiple copies of its sensitivity cost in the cumulative cost if the credential appears multiple times in a solution. For example, $c_4$ incurs cost for $s_1$ and incurs cost again for s in Figure 13. However, only one copy of the cost is counted in computing the cost of a solution in the simulation. The average cost achieved by the eager strategies ($C_{Eager} = 38.7$) is around two times the average cost returned by the greedy strategy

[Figure 14: two panels for $N_S = N_C = 7$, K = 3, M = 4, W = 10: (a) number of experiments (log scale, 1 to 10000) against error percentage (%), 0 to 200; (b) cumulative probability (0.88 to 1) against error percentage (%), 0 to 200.]

Figure 14: Simulated performance of greedy strategies.

($C_{Greedy} = 20.8$).

Policy Inference. Under greedy strategies, although no policies are explicitly disclosed, partial information about the policies can be inferred based on the behavior of the negotiators. For instance, in the example shown in Figure 13, the client may infer that $c_1 \wedge c_4$ is one disjunct of $\phi_s$ based on $Q_2$. This form of policy inference can be concealed if the server adds other mask credentials into $Q_2$. However, as pointed out in [23], the question of how to prevent policy inference deserves more consideration in future work. We conclude this section with the following proposition.

Proposition 5: The greedy strategy is safe and complete.

Proof: In step one of the greedy strategy, both negotiators exchange the names of credentials using the eager strategy. Because of the completeness of the eager strategy [9], a successful sequence is guaranteed to be found if it exists. Thus the greedy strategy is complete. A counter-request $Q_{i+1}$ includes a set of credentials that satisfy the credentials in $Q_i$. In step two of the greedy strategy, since the credentials in $Q_{i+1}$ are disclosed earlier than the credentials in $Q_i$, the strategy is safe.

6 Discussion

Thus far, we have focused on the MSC problem, minimizing the total cost of credentials and policies disclosed by two negotiators during trust negotiation. In this section, we discuss related formulations of this problem.

6.1 The MSC Problem for One Negotiator

Consider an online drug purchase during which a customer and an online store establish mutual trust followed by a transaction. A successful transaction is most important to the store, and the store may not care about the negotiation cost. However, the customer may still prefer the solution that minimizes the customer's cost. In this case, the goal of the optimization problem is to minimize the cost of only one negotiator, which can be defined as the Minimum Sensitivity Cost problem for One Negotiator (MSCON).

Definition 6: Given a set of credentials $C_S$ and policies $P_S$ possessed by a negotiating server, $C_C$ and $P_C$ by a client, and a sensitivity cost $w_c$ for any credential or policy $c \in C_S \cup P_S \cup C_C \cup P_C$, the Minimum Sensitivity Cost problem for One Negotiator (MSCON) initiated by a request for $s \in C_S$ from the client is to find an exchange sequence of credentials and policies $M_1 M_2 \ldots M_n$ such that (1) $s \in M_n$; (2) $M_k \subseteq C_S \cup P_S$ or $M_k \subseteq C_C \cup P_C$, for $1 \le k \le n$; (3) $\forall m \in M_k$, $m \in C_S \Rightarrow g_{\phi_m}(C_C \cap \bigcup_{j<k} M_j) = 1$ and $m \in C_C \Rightarrow g_{\phi_m}(C_S \cap \bigcup_{j<k} M_j) = 1$, for all $1 \le k \le n$; and (4) $\sum_{c \in (\bigcup_{1 \le k \le n} M_k) \cap (C_C \cup P_C)} w_c$ is minimum or $\sum_{c \in (\bigcup_{1 \le k \le n} M_k) \cap (C_S \cup P_S)} w_c$ is minimum.

In the proof of Proposition 4, we showed the NP-completeness of the MSC problem by reducing a general 3-SAT problem to an MSCON problem, which is a special case of the MSC problem. Thus the MSCON problem is also NP-hard even when policies are freely disclosed. The policy-graph-based strategy and the greedy strategy proposed earlier can be used to approximately solve the MSCON problem when policies are free and when they have costs, respectively, by setting the costs of all credentials and policies of the opposing negotiator to 0.

6.2 The MSC Problem with Selfish Negotiators

The MSC problem minimizes the total cost of credentials and policies disclosed by both negotiators during trust negotiation. However, an optimal solution for the MSC problem may not give the minimal cost for a single negotiator. When negotiators are selfish, a negotiator's goal is to minimize his/her own cost disregarding the cost of the opposing negotiator.
These considerations result in the following problem:

Definition 7: Given a set of credentials $C_S$ and policies $P_S$ possessed by a negotiating server, $C_C$ and $P_C$ by a client, and a sensitivity cost $w_c$ for any credential or policy $c \in C_S \cup P_S \cup C_C \cup P_C$, the Selfish-Minimum Sensitivity Cost (SMSC) problem initiated by a request for $s \in C_S$ from the client is to find an exchange sequence of credentials and policies $M_1 M_2 \ldots M_n$ such that (1) $s \in M_n$; (2) $M_k \subseteq C_S \cup P_S$ or $M_k \subseteq C_C \cup P_C$, for $1 \le k \le n$; (3) $\forall m \in M_k$, $m \in C_S \Rightarrow g_{\phi_m}(C_C \cap \bigcup_{j<k} M_j) = 1$ and $m \in C_C \Rightarrow g_{\phi_m}(C_S \cap \bigcup_{j<k} M_j) = 1$, for all $1 \le k \le n$; and (4) $\sum_{c \in (\bigcup_{1 \le k \le n} M_k) \cap (C_C \cup P_C)} w_c$ is minimum and $\sum_{c \in (\bigcup_{1 \le k \le n} M_k) \cap (C_S \cup P_S)} w_c$ is minimum.

Since a successful sequence minimizing one negotiator's cost may not minimize the cost of the other negotiator, the SMSC problem may have no solution even though there exists a successful negotiation. Thus we revise the problem such that either negotiator safely discloses a set of credentials and policies that minimizes the remaining cost at each step.

Definition 8: The remaining cost, $C^R_M$, of a disclosure, M, of credentials and policies for a negotiator is defined as the minimum cost of credentials and policies that the negotiator needs to disclose after disclosing M to achieve a successful outcome, if one exists. If there is no successful negotiation, $C^R_M = \infty$ for any M.

Definition 9: Given a set of credentials $C_S$ and policies $P_S$ possessed by a negotiating server, $C_C$ and $P_C$ by a client, and a sensitivity cost $w_c$ for any credential or policy $c \in C_S \cup P_S \cup C_C \cup P_C$, the Minimum Remaining Sensitivity Cost (MRSC) problem initiated by a request for $s \in C_S$ from the client is to find an exchange sequence of credentials and policies $M_1 M_2 \ldots M_n$ such that (1) $s \in M_n$; (2) $M_k \subseteq C_S \cup P_S$ or $M_k \subseteq C_C \cup P_C$, for $1 \le k \le n$; (3) $\forall m \in M_k$, $m \in C_S \Rightarrow g_{\phi_m}(C_C \cap \bigcup_{j<k} M_j) = 1$ and $m \in C_C \Rightarrow g_{\phi_m}(C_S \cap \bigcup_{j<k} M_j) = 1$, for all $1 \le k \le n$; and (4) $\left(\sum_{c \in M_k} w_c\right) + C^R_{M_k}$ is minimum for each $k = 1, \ldots, n$.

Before a negotiator discloses any credentials and policies, the remaining cost is exactly the optimal solution of the MSCON problem. Thus finding the remaining cost of a particular disclosure, even when policies have no disclosure cost, is NP-hard. Consequently, the MRSC problem is also NP-hard.
We can first apply heuristic evaluation functions to approximate the remaining cost, followed by a minimini algorithm, similar to the minimax algorithm in [3], to find an approximate solution for the MRSC problem.

6.3 Minimal Exchange Rounds Problem

When negotiators are concerned with the speed of trust negotiation rather than the cost, it is desirable to minimize the number of exchange rounds. This problem can be easily defined, and the eager strategies proposed in [9] achieve the minimum number of exchange rounds. In the following section, a Finite State Machine is proposed to analyze the performance of a particular negotiation process in terms of the number of exchange rounds.

7 Modeling trust negotiation

In previous sections, we considered the computational complexity of solving cost optimization problems associated with credential disclosure in trust negotiation protocols. In this section, we turn our attention from credential disclosure costs to the time needed to successfully complete a negotiation protocol. Our goal will be to quantify the number of rounds needed to complete a negotiation under various credential disclosure policies.

7.1 Varied Strategies without Policy Knowledge

Let us begin by considering a trust negotiation process in which the server has a requested service s and $N_S$ credentials, among which $f_S$ credentials are freely disclosed. The client has $N_C$ credentials, $f_C$ of which are freely disclosed. We further assume that neither negotiator has knowledge of its opponent's policies, i.e., that policies are hidden [4] or sensitive [2]. Recall that under an eager strategy, both negotiators immediately disclose a credential once that credential's conditions are satisfied. Eager strategies thus achieve the minimum number of exchange rounds. The price paid for this minimum number of exchange rounds, however, is that a negotiator may disclose many more credentials than what is minimally required to successfully complete the negotiation. In contrast, under a prudent strategy, a negotiator discloses only one satisfied credential (specifically, the credential with minimum sensitivity cost) at each round. The goal of the prudent strategy is to minimize the number of credentials disclosed.
Note that a prudent strategy differs from the parsimonious strategies [9] we considered earlier in that a prudent strategy has no knowledge of the opponent's policies. Prudent strategies disclose as few credentials as possible. However, in the absence of policy knowledge, the credentials disclosed by a negotiator may not satisfy any of the opponent's credential policies. In

other words, the disclosure of a single credential under a prudent strategy may not be sufficient to allow a negotiation to continue if the opposing negotiator has no satisfied credential to disclose at the next round. As a compromise, at each round a negotiator may disclose as few credentials as possible, but enough to advance the negotiation. A natural way to achieve this is to define a threshold $0 \le \Gamma \le 1$. A negotiator will calculate the corresponding probability, p(x), that the opponent is able to continue the negotiation at the next round, given that the negotiator will disclose x credentials. Clearly, p(x) increases as x increases. The negotiator consequently discloses a minimum number, m, of credentials such that $p(m) \ge \Gamma$. If a negotiator has A satisfied credentials and $p(A) < \Gamma$, the negotiator will disclose all A credentials. We will refer to this strategy as a threshold strategy with threshold $\Gamma$. Note that when $\Gamma = 0$, the threshold strategy is the same as the prudent strategy; when $\Gamma = 1$, the threshold strategy is the same as the eager strategy. Prudent strategies and threshold strategies can reduce the number of credentials disclosed, but have a higher number of exchange rounds. Thus, there exists a trade-off between the number of exchange rounds and the number of credentials disclosed. To quantitatively study this trade-off, we describe a simple Finite State Machine to model the rounds of credential exchange in the trust negotiation process.

7.2 A Non-deterministic Finite State Model

Rather than consider a specific set of client and server credential disclosure policies, we seek here a more general model in which the disclosure of credentials by one negotiator can lead to several different states for the other negotiator. Roughly speaking, this non-determinism models the fact that the server's policies are unknown to the client, and consequently (depending on the specific disclosure policies implemented by the server) a client disclosure of a set of credentials can result in any number of server credentials becoming satisfied as a result of the client's disclosure.
Thus, a non-deterministic Finite State Model similar to the probabilistic verification technique in [2] will be appropriate to model a trust-negotiation process in the absence of policy knowledge. The Finite State Machine is a 5-tuple $(S, s_0, T, P, A)$ where S is a finite set of states; $s_0 \in S$ is the initial state; $T: S \to 2^S$ is a non-deterministic state transition function; $P: S \times S \to [0, 1]$ is a probability function; and $A \subseteq S$ is a set of accepting states. A state $s_i \in S$ consists of 5 elements, $(r, d_S, a_S, d_C, a_C)$, where r is the number of exchange rounds to reach this state; $d_S$ ($d_C$) is the number of credentials disclosed by the server (client) to the client (server); and $a_S$ ($a_C$) is the number of server (client) credentials available, i.e., satisfied, but not disclosed to