1. Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor

2. Our Goal Our Goal: Designing protocols encouraging rational players to exchange information Examples we deal with:  Rational secure function evaluation.  Rational secret sharing. this talk

3. Talk Plan Tool: Meaningful / Meaningless Encryption Application: Rational Secret Sharing

4. A public-key encryption scheme E. Special property: Some public keys are Meaningless - Yield encryptions that cannot be decrypted, even with unbounded computational power!  Cipher contains no information about the plaintext:  m,m', the distribution {E(pub_key,r,m)} r is identical to {E(pub_key,r,m’ )} r. Distinguishing Meaningful from Meaningless is hard. Given two public keys, one meaningful and one meaningless, guessing which is which cannot be done by a PPT with a non-negligible advantage over 1/2. Meaningful / Meaningless Encryption E plaintext ciphertext pub_key rand meaningless

5. A Construction based on Goldwasser and Micali’s Public Key Cryptosystem Private Key: Two large primes P and Q Public Key: (N,x) where N=PQ and x is:  Quadratic non-residue of N (x ≠ z 2 mod N) w.p. β.  Quadratic residue of N w.p. 1-β. Encryption: Encrypt each bit b i of the message:  Choose y i and calculate c i = y i 2 x b i mod N.  The ciphertext is (c 1,...,c n ). Decryption: Using the private key (P,Q): b i =0 iff c i is a quadratic residue. If x is a residue, then c i = y i 2 x b i is always a residue! meaningful key meaningless key Recall, in GM x is always a non-residue

6. Talk Plan Tool: Meaningful / Meaningless Encryption Application: Rational Secret Sharing

7. Secret Sharing k-out-of-n secret sharing: a dealer privately distributes shares of a secret s to a group of n players s.t.:  Given ≥ k shares, s can be reconstructed.  Given < k shares, no info about s can be inferred. Secret sharing assumes that players are either malicious or honest. However, in some situations it makes more sense to view players as rational.  P i tries to maximize a utility (payoff) function u i describing his gain for any outcome of the protocol. E.g. P i gets $100 if he learns the secret. u i (P i learns secret) = 100

8. Rational Secret Sharing [HT04] Good RSS scheme: Dealing: k-out-of-n share assignment Reconstruction: Game Theoretically stable Our Model:  Players prefer to learn the secret: u i (P i learns secret) > u i (P i doesn’t learn secret)  Communicating via a simultaneous broadcast channel. + no rushing! new requirement = no player can gain from deviating

9. The Crux of Rational Secret Sharing Cryptographic schemes require players to reveal their shares in order to reconstruct the secret. Problem: A rational player has no incentive to cooperate, since no one can punish him later.  Keeping silent is at least as good as revealing. Solution:  Constructing protocols that proceed in a sequence of iterations.  Ensuring that players won’t be able to identify the last iteration.  A player caught cheating is punished in the next iteration. If players are able to identify it, they deviate in the last round. Consequentially, they deviate in all the previous rounds as well. This process is called Backward Induction.

10. Previous Works Solutions were suggested in [ HT04 ], [ GK06 ], [ LT06 ] and [ ADGH06 ].  Deal with more involved models.  We’ll see a simplified version of their protocols. Show that protocols using computational based cryptography have a weak point. Suggest a new scheme, using a Meaningful / Meaningless encryption, overcoming the problem. Our Contribution

11. A Rational Secret Sharing Scheme Dealing: Assign P i with a k-out-of-n share of s + authen info. Reconstruction: In every iteration, players run SFE taking the shares and authen info as inputs:  Check the shares’ authenticity. Abort in case of deviations.  w.p. β ( TBD ) reconstruct and return s.  w.p. 1-β return . Continue to the next iteration. For a small enough β, the protocol is stable.  Deviations will most likely lead to an early abortion. Punishment! real iteration fake iteration

12. Problem: The SFE of the first iteration can be broken after an exponential number of rounds b.  Round b is essentially the last. As before, players deviate if it is reached.  Round b-1 is now essentially the last. Players deviate for the same reason.  Eventually, the instability in iteration b causes instability from iteration 1. Backward Induction causes exponential events to be amplified. backward induction Backward Induction …

13. Our Idea As before, an execution of the protocol consists of a sequence of fake iterations followed by a real one, in which the secret is revealed. However, we ’ ll implement the fake rounds using meaningless keys. Thus, no information about the shares exists in fake rounds. Now, there is no bound on the protocol length, and therefore no Backward Induction! Dealing: As before, except that the authentications are information theoretic.

14. Our Reconstruction Protocol In each iteration: Key Gen: New keys for E  are generated via (unfair) SFE. Gives each player pub_key + a share of priv_key. Encryption: Each player encrypts his share. Ciphertexts are broadcasted. Verification: The encryptions are validated via SFE. Receives as input the shares of priv_key. However, the shares of s are not used. Exchange: Each player broadcasts his share of priv_key. During the first meaningful iteration the ciphertexts are decrypted using priv_key and s is reconstructed. same  as before Meaningless key  fake iteration Meaningful key  real iteration prob of generating a meaningful key why would players encrypt their true shares?

15. Additional Results The scheme is naturally resistant to coalitions.  The SFEs used are such. Can be generalize to handle rational SFE.  Technique: Composing Meaningful \ Meaningless Encryptions with Yao’s Garbled Circuit. Getting rid of the assumption that the channel is simultaneous at the cost of longer protocols (linear in the range size). STOC08 paper: Characterization of the non- cryptographic case.

16. Thank You!