Games for Exchanging Information Gillat Kol Joint work with Moni Naor.

1 Games for Exchanging Information Gillat Kol Joint work with Moni Naor

2 Our Goal: Design secret sharing schemes that work assuming players are rational.

3 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept).

4 Cryptographic vs. Game Theoretic Settings: Cryptography: players are either arbitrarily malicious or totally honest. Game Theory: players are rational, trying to maximize their payoff functions; $u_i(\sigma)$ is i's payoff when following the protocol $\sigma = (\sigma_1, \dots, \sigma_n)$. We assume: Players are rational: they prefer to learn the secret above all else and, secondly, prefer to learn alone. Players are computationally unbounded. Players communicate via a simultaneous broadcast channel (SBC), with no rushing.

5 Rational Secret Sharing (RSS): MetaDef: an m-out-of-n RSS scheme consists of a share assignment algorithm for the dealer (as in the usual crypto setting) and a game-theoretically stable (e.g., Nash equilibrium) reconstruction protocol for the players. Def: σ is a Nash Equilibrium if no player can gain by deviating from his strategy, assuming that all the others are following theirs: $\forall i\ \forall \sigma'_i:\ u_i(\sigma_i, \sigma_{-i}) \ge u_i(\sigma'_i, \sigma_{-i})$. Each player's strategy is a best response to the strategies of the others.

6 Is Shamir's scheme an RSS? Shamir's scheme is not an RSS. Recall that to reconstruct, players reveal their shares. For p = m (p = number of participants): not Nash, since there is a higher payoff for keeping silent. For p > m: "unstable" Nash. No player, on its own, can prevent others from learning. Silence is never worse than revealing, but sometimes better. Main Problem: Players deviate in the last round of the protocol, since they no longer fear future punishment. Solution: Players shouldn't be able to identify the last round. Protocols are unbounded and allow players to learn w.p. 1.

7 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept).

8 Previous Works: Previous results required one of the following: The dealer's involvement in the reconstruction [HT04]. Cryptographic tools [GK06, LT06, ADGH06]: these require computational assumptions and bounded players, and achieve only approximated Nash. Different (stronger) hardware assumptions: private channels [GK06, ADGH06] + [BGW88], which require ≥ 4 players; envelopes and ballot boxes [LMPS04, LMS05, ILM05]. Solve a more general problem (SFE given any utilities). Achieve stronger solution concepts (coalitions).

9 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept).

10 Our Contribution: Solution Concept: What is a good RSS scheme? Previous criterion does not rule out all unstable protocols. Previous crypto protocols are susceptible to backward induction (BI). Impossibility: There is no "reasonable" Nash RSS with SBC taking shares from finite sets. Construction: an RSS with SBC and finite shares taken from infinite sets. It satisfies stronger solution concepts (strict Nash, no BI). Unbounded players, no computational assumptions. Can remove the simultaneity assumption and get approximated Nash.

11 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept).

12 The Scheme Construction: Present a buggy 2-out-of-2 RSS. Fix it. Analyze it. Generalize to m-out-of-n for all 2 ≤ m ≤ n. Remove the simultaneity assumption.

13 2-out-of-2 RSS: Dealer's Algorithm: [Figure: example with S = {0,..,6}, $\ell_1 = 5$, $\ell_2 = 7$; the short player holds L', the long player holds L.] Dealer(s): Uses a parameter  (TBD); S is the secrets set. Select the share sizes: $\ell_1$, $\ell_2 = \ell_1 + d$ where $\ell_1$, d ~ G(  ) (geometric distribution). Select the secrets list: a random list L of $\ell_2$ secrets from S s.t. the $\ell_1$-th secret is s. Assign shares: choose a player randomly, give him L, and give the other $L' = L(1, \dots, \ell_1 - 1)$. Players do not know whether their shares are short or long. Shares are taken from unbounded sets.

14 2-out-of-2 RSS: Player's Algorithm: [Figure: the short player's list L' and the long player's list L over iterations 1 to 5, with S = {0,..,6} and s = 4; labels "quiet" and "4".] Player(share): Broadcast the next secret in your list. Keep silent if your list ended. If the other player broadcast a false value, abort. If only a single player broadcasts, the last value broadcast is s.

15 Bug 1: Identifying the Last Iteration: Problem: The short player identifies the last iteration when his list ends, and may broadcast a fictitious secret. Solution: Divide iterations into stages: #stages in each iteration is chosen ~ G(  ); players broadcast only during the last stage; players get #stages for the cells in their list. The short player does not know #stages of the last iteration. [Figure: secrets and #stages lists of the short player and the long player.]
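The buggy 2-out-of-2 scheme of slides 13 and 14 and the Bug 1 deviation of slide 15, as an added simulation (not code from the talk). Assumptions: the geometric parameter, whose symbol is missing from this transcript, is named `beta`; G(beta) is taken on {1, 2, ...}; the simulator sees both lists, which the players themselves cannot.

```python
import random

def geometric(beta, rng):
    """Sample G(beta) on {1, 2, ...} (support assumed): trials until success."""
    k = 1
    while rng.random() >= beta:
        k += 1
    return k

def deal(s, secrets, beta, rng):
    """Dealer(s) of slide 13. Returns (L, L_short); the real dealer hands
    the two lists to the players in random order."""
    l1 = geometric(beta, rng)
    l2 = l1 + geometric(beta, rng)          # l2 = l1 + d
    L = [rng.choice(secrets) for _ in range(l2)]
    L[l1 - 1] = s                           # the l1-th secret is s
    return L, L[:l1 - 1]                    # L' = L(1, ..., l1 - 1)

def run(long_share, short_share, fake=None):
    """Player(share) of slide 14 for both players, simultaneous broadcast.
    fake: value the short player broadcasts after his list ends (Bug 1,
    slide 15); None means he follows the protocol and stays silent.
    Returns (long_output, short_output); None = aborted without learning."""
    seen = None
    for t, long_msg in enumerate(long_share):
        if t < len(short_share):
            continue                        # common prefix: broadcasts agree
        if seen is None:
            seen = long_msg                 # iteration l1: short reads s
        if fake is None:
            return long_msg, seen           # single broadcaster: value is s
        if fake != long_msg:
            return None, seen               # long sees a false value, aborts
    return fake, seen                       # long's list ended; he trusts short

if __name__ == "__main__":
    rng = random.Random(1)                  # constructed sample run
    L, L_short = deal(4, list(range(7)), 0.3, rng)
    print("honest  :", run(L, L_short))
    print("deviate :", run(L, L_short, fake=5))
```

In the honest run both players output s; when the short player deviates at the moment his list ends, he still reads s from the long player's broadcast while the long player aborts, which is why the fix hides the last iteration behind stages.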

16 Bug 2: Guessing the Secret: Problem: If some secret appears a lot in the list, w.h.p. it is the real secret. Solution: Mask every secret in the list using a random mask. Dealer gives each player a share of every mask. Shares of the t-th mask are broadcast by the players during iteration t.

17 Bug 3: Broadcasting Fictitious Information: Problem: Players may broadcast fictitious information. Solution: Dealer equips players with authentication information. Now it works…

18 Strict Nash Equilibrium: Def: σ is a Strict Nash Equilibrium if every player loses when deviating from his strategy, assuming that all the others are following theirs: $\forall i\ \forall \sigma'_i:\ u_i(\sigma_i, \sigma_{-i}) > u_i(\sigma'_i, \sigma_{-i})$. A player's strategy is a strict, unique best response. Strict Nash ⇒ Nash. Example: Shamir's reconstruction is not a strict Nash.

19 Protocol Analysis: Recall: Pr[current iteration is the last] = . Theorem: For a sufficiently small , the scheme is a strict Nash with expected number of rounds 1/  2. Proof: By deviating, players risk early termination.  must depend on the payoffs. The higher the payoff for learning alone vs. learning with others, the smaller  is.

20 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept).

21 Revelation Point: Theorem: There is no Nash RSS with shares taken from finite sets without a revelation point (RP). Def (Informal): An RP of a reconstruction protocol is a point in its execution for which: some players do not know the secret; at any point after it, the secret is known to all. Protocols with RP are "unreasonable": Players always learn after RP ⇒ should not reveal info. Players learn right after RP ⇒ someone does reveal info. Example: Shamir's reconstruction has an RP before the first round. Strict Nash ⇒ Nash with no RP.

22 Transcripts Trees: A transcript of σ is a possible sequence of messages $m = (m_1, \dots, m_\ell)$ broadcast by the players during rounds 1..ℓ while following σ. We view transcripts as vertices of a Transcripts Tree. Def: An RP of σ is a vertex in σ's transcript tree that has children, but no grandchildren.

23 Claim: Children are Correlated: Assume for simplicity that σ allows players to learn together. Claim: For every transcript p of σ, one of the following holds (independently of the players' random tapes): Players always learn after the next round. Players never learn after the next round. [Figure: a transcript p with one child where all learn and another where no-one learns, marked "Impossible".]

24 Claim Proof: Hybrid Argument: Proof: Assume that the input is x, and that players learn given $r = (r_1, \dots, r_n)$, but don't learn given $r' = (r'_1, \dots, r'_n)$. Define the hybrid $r^i = (r'_1, \dots, r'_i, r_{i+1}, \dots, r_n)$. Hybrid Argument: $\exists i$ s.t. given shares x, all learn given $r^i$, but no-one learns given $r^{i+1}$. Players other than i act the same given $r^i$ and $r^{i+1}$ ⇒ i learns given $r^{i+1}$ since he learns given $r^i$ ⇒ contradiction! ▪

25 Theorem Proof: Inductive Argument: Theorem: There is no Nash RSS with shares taken from finite sets without an RP. Proof: Construct a path leading to the RP. C(m) = set of possible shares x for which players do not know s when reaching m. $m_0$ = empty transcript. Take $x_1 \in C(m_0)$. $\exists m$, a descendant of $m_0$, s.t. given $x_1$, players learn s after m, but not before. [Figure: transcript-tree path through $m_0, m_1, m_2, \dots, m_k$ with shares $x_1, x_2, \dots, x_k$, ending at the revelation point p.]

26 Theorem Proof: Inductive Argument: Let p be m's parent. If p has no grandchildren, p is an RP. Otherwise, let $m_1$ be a child of p with children. Using the claim: players learn after m given shares $x_1$ ⇒ they learn after $m_1$ given $x_1$ ⇒ $C(m_0) \supsetneq C(m_1)$. Recall: C(m) = set of possible shares for which players do not know s when reaching m. Use the same argument to find $m_0, m_1, m_2, \dots$ s.t. $C(m_0) \supsetneq C(m_1) \supsetneq C(m_2) \dots$ Since the shares sets are finite, the sequence is finite. The finiteness of the shares set is used! ▪

27 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept: On Iterated Admissibility, On Backward Induction).

28 Previous Criterion: Iterated Admissibility (IA): IA was used as a criterion distinguishing good from bad schemes in [HT04, GK06, LT06, ADGH06]. Def: Strategy σ i is (weakly) dominated if there exists a strategy  i that is never worse than σ i but sometimes strictly better: (1)  σ -i : u i (  i, σ -i ) ≥ u i (σ i, σ -i ) (2)  σ -i : u i (  i, σ -i ) > u i (σ i, σ -i ). Example: Shamir's reconstruction is dominated by the silence strategy. Def: A strategy is Iterated Admissible (IA) if it survives iterated deletion of dominated strategies.

29 IA doesn't rule out all bad behaviors: No finite strategy is stable ⇒ the game played is infinite. talk-once i = Shamir's reconstruction in the infinite game: i reveals his share in round 1 and then broadcasts  forever. Theorem: talk-once i is IA. Proof:   i trying to dominate talk-once i there is a "savior" σ -i. Example: For  i = silence, σ -i = others keep silent in round 1, and reveal their shares in round 2 iff i talked in round 1. In general: σ -i waits to see if player i follows talk-once i, then rewards or punishes him accordingly. Strict Nash IA Nash

30 Talk Plan: Introduction (Background, Related Work); Our Contributions (Scheme Construction, Impossibility, Solution Concept: On Iterated Admissibility, On Backward Induction).

31 Backward Induction: Previous crypto solutions [LT06, ADGH06]: Run the crypto SFE [GMW87] in every iteration. Have small expected running time, but are unbounded. Observation: Those protocols are essentially bounded by K iterations (K = # of keys for the SFE of iteration 1). Problem: Backward Induction. The BI process: players deviate in iteration K since it is the last, causing K-1 to be last. The same holds for K-1, K-2, .., 1. BI causes the instability in exponential events to be amplified. Solution: Should require the protocol to still be stable after any history. Our protocol satisfies this property (as does every exact Nash)!

32 Concluding Remarks: Game Theory and Cryptography: Common areas of interest (e.g. simulating mediators). Different assumptions and models. By combining techniques / ideas we gain new insights. We look for RSS schemes using SBC: Solution concept is an issue. The infiniteness of the shares sets is a necessary and sufficient condition for an exact solution.

33 References
[ADGH06] Abraham, Dolev, Gonen, and Halpern. Robust Mechanisms for Rational Secret Sharing and Multiparty Computation. PODC.
[BGW88] Ben-Or, Goldwasser, Wigderson. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. STOC.
[GK06] Gordon and Katz. Rational Secret Sharing, Revisited. SCN.
[GMW87] Goldreich, Micali, and Wigderson. How to Play any Mental Game. STOC.
[HT04] Halpern and Teague. Rational Secret Sharing and Multiparty Computation. STOC.
[ILM05] Izmalkov, Micali, and Lepinski. Rational Secure Computation and Ideal Mechanism Design. FOCS.
[LT06] Lysyanskaya and Triandopoulos. Rationality and Adversarial Behavior in Multi-Party Computation. CRYPTO.
[LMPS04] Lepinski, Micali, Peikert, and Shelat. Completely Fair SFE and Coalition-Safe Cheap Talk. PODC.
[LMS05] Lepinski, Micali, and Shelat. Collusion-Free Protocols. STOC 2005.

