Explore how rational secret sharing schemes can be designed for rational players maximizing payoff. Discuss scheme construction, Nash Equilibrium, and the comparison of cryptographic and game theoretic settings.
Games for Exchanging Information Gillat Kol Joint work with Moni Naor
Our Goal Design secret sharing schemes that work assuming players are rational
Talk Plan • Introduction • Background • Related Work • Our Contributions • Scheme Construction • Impossibility • Solution Concept
Cryptographic vs. Game Theoretic Settings • Cryptography: Players are either arbitrarily malicious or totally honest. • Game Theory: Players are rational, trying to maximize their payoff functions. • u_i(σ) is i’s payoff when following the protocol σ = (σ_1,..,σ_n). • We assume: • Players are rational: • Prefer to learn the secret above all else. • Secondly, prefer to learn alone. • Players are computationally unbounded. • Communicating via a simultaneous broadcast channel (SBC) - no rushing.
Rational Secret Sharing (RSS) • Meta-Def: m-out-of-n RSS scheme. • Shares assignment algorithm for the dealer (as in the usual crypto setting). • Game-theoretically stable (e.g., Nash equilibrium) reconstruction protocol for the players. • Def: σ is a Nash Equilibrium if no player can gain by deviating from his strategy, assuming that all the others are following theirs: ∀i ∀σ’_i: u_i(σ_i, σ_-i) ≥ u_i(σ’_i, σ_-i) • Each player’s strategy is a best response to the strategies of the others.
Is Shamir’s scheme an RSS? • Shamir’s scheme is not an RSS. • Recall that to reconstruct, players reveal their shares. • For p=m (p = number of participants): Not Nash • Higher payoff for keeping silent. • For p>m: “Unstable” Nash • No player, on his own, can prevent the others from learning. • Silence is never worse than revealing, but sometimes better. • Main Problem: Players deviate in the last round of the protocol, since they no longer fear future punishment. • Solution: Players shouldn't be able to identify the last round. • Protocols are unbounded and allow players to learn w.p. 1.
Previous Works Previous results required one of the following: • The dealer’s involvement in the reconstruction [HT04]. • Cryptographic tools [GK06, LT06, ADGH06]. • Requires computational assumptions and bounded players. • Achieves only approximate Nash. • Different (stronger) hardware assumptions: • Private channels [GK06, ADGH06] + [BGW88]. • Requires ≥ 4 players. • Envelopes and ballot boxes [LMPS04, LMS05, ILM05]. • Solve a more general problem (SFE given any utilities). • Achieve stronger solution concepts (coalitions).
Our Contribution • Solution Concept: What is a good RSS scheme? • The previous criterion does not rule out all unstable protocols. • Previous crypto protocols are susceptible to backward induction (BI). • Impossibility: There is no “reasonable” Nash RSS with SBC taking shares from finite sets. • Constructing an RSS with SBC and finite shares taken from infinite sets. • Satisfies stronger solution concepts (strict Nash, no BI). • Unbounded players, no computational assumptions. • Can remove the simultaneity assumption and get approximate Nash.
The Scheme Construction • Present a buggy 2-out-of-2 RSS. • Fix it. • Analyze it. • Generalize to m-out-of-n for all 2≤m≤n. • Remove the simultaneity assumption.
2-out-of-2 RSS: Dealer’s Algorithm (running example: S = {0,..,6}, s = 4) Dealer(s): uses a parameter (TBD); S is the secrets set. • Select the share sizes: ℓ1, ℓ2 = ℓ1+d where ℓ1, d ~ G() (geometric distribution). • Select the secrets list: a random list L of ℓ2 secrets from S s.t. the ℓ1-th secret is s. • Assign shares: choose a player at random, give him L, and give the other L’ = L(1,...,ℓ1-1). • Players do not know whether their shares are short or long. • Shares are taken from unbounded sets. [Figure: the long player holds L (ℓ1=5, ℓ2=7) and the short player holds L’; the 5th entry of L is the secret 4.]
2-out-of-2 RSS: Player’s Algorithm (running example: S = {0,..,6}, s = 4) Player(share): • Broadcast the next secret in your list. Keep silent if your list has ended. • If the other player broadcast a false value, abort. • If only a single player broadcasts: the last value broadcast is s. [Figure: iterations 1-5 of the long and short players; in iteration 5 only the long player broadcasts (the value 4) while the short player is quiet.]
Bug 1: Identifying the Last Iteration • Problem: The short player identifies the last iteration when his list ends. • May broadcast a fictitious secret. • Solution: Divide iterations into stages: • #stages in each iteration is chosen ~ G(). • Players broadcast only during the last stage. • Players get #stages for the cells in their list. • The short player does not know #stages of the last iteration. [Figure: each list cell carries a secret and a #stages value.]
Bug 2: Guessing the Secret • Problem: If some secret appears many times in the list, w.h.p. it is the real secret. • Solution: Mask every secret in the list using a random mask. • The dealer gives each player a share of every mask. • Shares of the t-th mask are broadcast by the players during iteration t-1. [Figure: a list L in which the secret 4 appears repeatedly.]
Bug 3: Broadcasting Fictitious Information • Problem: Players may broadcast fictitious information. • Solution: The dealer equips players with authentication information. Now it works…
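As an added illustration (not the authors' code, and a simplification of the scheme on the slides), a Python simulation of the 2-out-of-2 dealer and honest reconstruction with the stage fix (Bug 1) and the mask fix (Bug 2); authentication (Bug 3) is omitted and replaced by a plain consistency check, and the assumption that shares of the first mask are exchanged in a round 0 before iteration 1 is mine.

```python
import random

S = list(range(7))   # secrets set S = {0,..,6} as on the slides; masks are added mod |S|

def geometric(beta, rng):
    """Trials up to and including the first success, success probability beta."""
    n = 1
    while rng.random() >= beta:
        n += 1
    return n

def dealer(s, beta, rng):
    """Dealer's algorithm with the stage (Bug 1) and mask (Bug 2) fixes; the two
    shares are returned in random order, so neither holder knows if he is long."""
    n = len(S)
    l1 = geometric(beta, rng)                            # position of the real secret
    l2 = l1 + geometric(beta, rng)                       # length of the long list
    secrets = [rng.choice(S) for _ in range(l2)]
    secrets[l1 - 1] = s
    masks = [rng.choice(S) for _ in range(l2)]
    cells = [(x + k) % n for x, k in zip(secrets, masks)]   # masked list L
    stages = [geometric(beta, rng) for _ in range(l2)]      # #stages of each iteration
    a = [rng.choice(S) for _ in range(l2 + 1)]              # additive mask shares (+1 dummy)
    b = [(k - x) % n for k, x in zip(masks, a)]             # a[t] + b[t] = masks[t] mod |S|
    long_share = {"cells": cells, "stages": stages, "mask_share": a}
    # short player: L' = L(1..l1-1), #stages of those cells, mask shares up to cell l1
    short_share = {"cells": cells[:l1 - 1], "stages": stages[:l1 - 1], "mask_share": b[:l1]}
    return (long_share, short_share) if rng.random() < 0.5 else (short_share, long_share)

def reconstruct(p1, p2):
    """Honest 2-out-of-2 reconstruction; returns (secret, total stages elapsed)."""
    n, players = len(S), [p1, p2]
    # assumption: shares of mask 1 are exchanged in a round 0 before iteration 1
    mask = sum(p["mask_share"][0] for p in players) % n
    elapsed, t = 0, 0
    while True:
        talkers = [p for p in players if t < len(p["cells"])]
        elapsed += talkers[0]["stages"][t]          # broadcasts happen in the last stage only
        values = {(p["cells"][t] - mask) % n for p in talkers}
        if len(values) != 1:                        # conflicting values: abort
            return None, elapsed
        if len(talkers) == 1:                       # a single broadcaster: last value is s
            return values.pop(), elapsed
        mask = sum(p["mask_share"][t + 1] for p in players) % n   # shares of mask t+2
        t += 1

def run(s, beta, seed):                             # deal and reconstruct, seeded RNG
    rng = random.Random(seed)
    return reconstruct(*dealer(s, beta, rng))
```

Because the secret is only recovered in the iteration where one list has run out, the short player's share never reveals which iteration that is, while the masks keep repeated values in L from standing out.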
Strict Nash Equilibrium • Def: σ is a Strict Nash Equilibrium if every player loses when deviating from his strategy, assuming that all the others are following theirs: ∀i ∀σ’_i ≠ σ_i: u_i(σ_i, σ_-i) > u_i(σ’_i, σ_-i) • A player’s strategy is a strict, unique best response. • Strict Nash ⇒ Nash • Example: Shamir’s reconstruction is not a strict Nash.
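As an added illustration (not from the talk), a small Python check of the Nash and strict Nash conditions on the one-round reveal-or-stay-silent game from the Shamir slide, covering both the p=m and the p>m cases; the numeric payoffs are constructed and only their order (learn alone > learn together > not learn) matters.

```python
# Payoff values are constructed to encode the preference order on the slides:
# learning the secret beats not learning, and learning alone beats learning together.
LEARN_ALONE, LEARN_TOGETHER, NO_LEARN = 2, 1, 0
REVEAL, SILENT = "reveal", "silent"

def payoffs(profile, m):
    """One-round Shamir reconstruction with p = len(profile) participants, one share each.
    Player i learns iff at least m-1 of the *other* players reveal (his own share is always
    in hand), so his own move never affects whether he learns."""
    p = len(profile)
    learned = [sum(1 for j in range(p) if j != i and profile[j] == REVEAL) >= m - 1
               for i in range(p)]
    return [NO_LEARN if not learned[i] else
            LEARN_ALONE if sum(learned) == 1 else LEARN_TOGETHER
            for i in range(p)]

def is_nash(profile, m, strict=False):
    """Nash: no unilateral deviation gains, u_i(s_i, s_-i) >= u_i(s'_i, s_-i).
    Strict Nash: every unilateral deviation strictly loses (> instead of >=)."""
    base = payoffs(profile, m)
    for i in range(len(profile)):
        deviation = list(profile)
        deviation[i] = SILENT if profile[i] == REVEAL else REVEAL   # the only other move
        u_dev = payoffs(deviation, m)[i]
        if (strict and not base[i] > u_dev) or (not strict and u_dev > base[i]):
            return False
    return True

def shamir_status(p, m):
    """Is 'everyone reveals' a Nash / strict Nash equilibrium for p participants, threshold m?"""
    everyone_reveals = [REVEAL] * p
    return {"nash": is_nash(everyone_reveals, m),
            "strict_nash": is_nash(everyone_reveals, m, strict=True)}
```

With p=m, staying silent turns "learn together" into "learn alone", so revealing is not Nash; with p>m a silent player changes nobody's outcome, so revealing is Nash but never strict.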
Protocol Analysis • Recall: Pr[current iteration is the last] = the dealer’s parameter. • Theorem: For a sufficiently small parameter, the scheme is a strict Nash with expected number of rounds 1/2. • Proof: By deviating, players risk early termination. • The parameter must depend on the payoffs. • The higher the payoff for learning alone vs. learning with others, the smaller it must be.
Revelation Point • Theorem: There is no Nash RSS with shares taken from finite sets without a revelation point (RP). • Def (Informal): The RP of a reconstruction protocol is a point in its execution at which: • Some players do not know the secret. • At any point after it, the secret is known to all. • Protocols with an RP are “unreasonable”: • Players always learn after the RP ⇒ should not reveal info. • Players learn right after the RP ⇒ someone does reveal info. • Example: Shamir’s reconstruction has an RP before the first round. • Strict Nash ⇒ Nash with no RP
Transcripts Trees A transcript of σ is a possible sequence of messages m = (m_1,…,m_ℓ) broadcast by the players during rounds 1..ℓ while following σ. We view transcripts as vertices of a Transcripts Tree. Def: An RP of σ is a vertex in σ’s transcript tree that has children, but no grandchildren.
Claim: Children are Correlated Assume for simplicity that σ allows players to learn together. Claim: For every transcript p of σ, one of the following holds (independently of their random tapes): • Players always learn after the next round. • Players never learn after the next round. [Figure: the children of p; either no-one learns or all learn; a mix is impossible.]
Claim Proof: Hybrid Argument Proof: • Assume that the input is x, and that players learn given r = (r_1,..,r_n), but don’t learn given r’ = (r’_1,..,r’_n). • Define the hybrid r^i = (r’_1,..,r’_i, r_{i+1},..,r_n). • Hybrid Argument: ∃i s.t. given shares x, all learn given r^i, but no-one learns given r^{i+1}. • Players other than i act the same given r^i and r^{i+1} ⇒ i learns given r^{i+1}, since he learns given r^i ⇒ Contradiction! ▪
Theorem Proof: Inductive Argument Theorem: There is no Nash RSS with shares taken from finite sets without an RP. Proof: • Construct a path leading to the RP. • C(m) = set of possible shares x for which players do not know s when reaching m. • m_0 = empty transcript. Take x_1 ∈ C(m_0). • ∃m, a descendant of m_0, s.t. given x_1, players learn s after m, but not before. [Figure: a path m_0, m_1, m_2, …, m_k with chosen shares x_1, x_2, …, x_k, ending at the revelation point p.]
Theorem Proof: Inductive Argument (the finiteness of the shares set is used here!) • Let p be m’s parent. • If p has no grandchildren, p is an RP. • Otherwise, let m_1 be a child of p with children. • Using the claim: Players learn after m given shares x_1 ⇒ they learn after m_1 given x_1. • C(m_0) ⊃ C(m_1). Recall: C(m) = set of possible shares for which players do not know s when reaching m. • Use the same argument to find m_0, m_1, m_2, … s.t. C(m_0) ⊃ C(m_1) ⊃ C(m_2) ⊃ … • Since the shares sets are finite, the sequence is finite. ▪
Talk Plan • Introduction • Background • Related Work • Our Contributions • Scheme Construction • Impossibility • Solution Concept • On Iterated Admissibility • On Backward Induction
Previous Criterion: Iterated Admissibility (IA) • IA was used as a criterion distinguishing good from bad schemes in [HT04, GK06, LT06, ADGH06]. • Def: Strategy σ_i is (weakly) dominated if there exists a strategy σ’_i that is never worse than σ_i but sometimes strictly better: (1) ∀σ_-i: u_i(σ’_i, σ_-i) ≥ u_i(σ_i, σ_-i) (2) ∃σ_-i: u_i(σ’_i, σ_-i) > u_i(σ_i, σ_-i) • Example: Shamir’s reconstruction is dominated by the silence strategy. • Def: A strategy is Iterated Admissible (IA) if it survives iterated deletion of dominated strategies.
IA doesn’t rule out all bad behaviors • No finite strategy is stable ⇒ the game played is infinite. • talk-once_i = Shamir’s reconstruction in the infinite game: • i reveals his share in round 1 and then broadcasts forever. • Theorem: talk-once_i is IA. • Proof: • ∀σ’_i trying to dominate talk-once_i there is a “savior” σ_-i. • Example: For σ’_i = silence, σ_-i = others keep silent in round 1, and reveal their shares in round 2 iff i talked in round 1. • In general: σ_-i waits to see if player i follows talk-once_i, then rewards or punishes him accordingly. • Strict Nash ⇒ IA Nash
Backward Induction • Previous crypto solutions [LT06, ADGH06]: • Run the crypto SFE [GMW87] in every iteration. • Have small expected running time, but are unbounded. • Observation: Those protocols are essentially bounded by K iterations (K = # of keys for the SFE of iteration 1). • Problem: Backward Induction • The BI process: Players deviate in iteration K since it is the last, causing K-1 to be last. The same holds for K-1, K-2, .., 1. • BI causes the instability in exponentially unlikely events to be amplified. • Solution: Should require the protocol to still be stable after any history. • Our protocol satisfies this property! (as does every exact Nash)
Concluding Remarks • Game Theory and Cryptography: • Common areas of interest (e.g. simulating mediators). • Different assumptions and models. • By combining techniques / ideas we gain new insights. • We look for RSS schemes using SBC: • The solution concept is an issue. • The infiniteness of the shares sets is a necessary and sufficient condition for an exact solution.
References
[ADGH06] Abraham, Dolev, Gonen, and Halpern. Robust Mechanisms for Rational Secret Sharing and Multiparty Computation. PODC 2006.
[BGW88] Ben-Or, Goldwasser, and Wigderson. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. STOC 1988.
[GK06] Gordon and Katz. Rational Secret Sharing, Revisited. SCN 2006.
[GMW87] Goldreich, Micali, and Wigderson. How to Play any Mental Game. STOC 1987.
[HT04] Halpern and Teague. Rational Secret Sharing and Multiparty Computation. STOC 2004.
[ILM05] Izmalkov, Micali, and Lepinski. Rational Secure Computation and Ideal Mechanism Design. FOCS 2005.
[LT06] Lysyanskaya and Triandopoulos. Rationality and Adversarial Behavior in Multi-Party Computation. CRYPTO 2006.
[LMPS04] Lepinski, Micali, Peikert, and Shelat. Completely Fair SFE and Coalition-Safe Cheap Talk. PODC 2004.
[LMS05] Lepinski, Micali, and Shelat. Collusion-Free Protocols. STOC 2005.