Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Slides:



Advertisements
Similar presentations
Dov Gordon & Jonathan Katz University of Maryland.
Advertisements

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Games for Exchanging Information
Shortest Vector In A Lattice is NP-Hard to approximate
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Secure Computation of Linear Algebraic Functions
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Nash’s Theorem Theorem (Nash, 1951): Every finite game (finite number of players, finite number of pure strategies) has at least one mixed-strategy Nash.
Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Generating Random Numbers
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Game Theoretical Insights in Strategic Patrolling: Model and Analysis Nicola Gatti – DEI, Politecnico di Milano, Piazza Leonardo.
Joint Strategy Fictitious Play Sherwin Doroudi. “Adapted” from J. R. Marden, G. Arslan, J. S. Shamma, “Joint strategy fictitious play with inertia for.
Game Theory and Computer Networks: a useful combination? Christos Samaras, COMNET Group, DUTH.
 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Negotiation A Lesson in Multiagent System Based on Jose Vidal’s book Fundamentals of Multiagent Systems Henry Hexmoor SIUC.
On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.
Achieving Byzantine Agreement and Broadcast against Rational Adversaries Adam Groce Aishwarya Thiruvengadam Ateeq Sharfuddin CMSC 858F: Algorithmic Game.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Rational Learning Leads to Nash Equilibrium Ehud Kalai and Ehud Lehrer Econometrica, Vol. 61 No. 5 (Sep 1993), Presented by Vincent Mak
Game-Theoretic Approaches to Multi-Agent Systems Bernhard Nebel.
An Introduction to Game Theory Part II: Mixed and Correlated Strategies Bernhard Nebel.
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Oblivious Transfer based on the McEliece Assumptions
AWESOME: A General Multiagent Learning Algorithm that Converges in Self- Play and Learns a Best Response Against Stationary Opponents Vincent Conitzer.
How to Share a Secret Amos Beimel. Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87] ? bad.
PRISONER’S DILEMMA By Ajul Shah, Hiten Morar, Pooja Hindocha, Amish Parekh & Daniel Castellino.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Simulating Normal Random Variables Simulation can provide a great deal of information about the behavior of a random variable.
A Local Facility Location Algorithm Supervisor: Assaf Schuster Denis Krivitski Technion – Israel Institute of Technology.
DANSS Colloquium By Prof. Danny Dolev Presented by Rica Gonen
Adaptively Secure Broadcast, Revisited
Public-Key Encryption with Lazy Parties Kenji Yasunaga Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Japan Presented at SCN.
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.
1 Privacy-Preserving Distributed Information Sharing Nan Zhang and Wei Zhao Texas A&M University, USA.
A quantum protocol for sampling correlated equilibria unconditionally and without a mediator Iordanis Kerenidis, LIAFA, Univ Paris 7, and CNRS Shengyu.
Ragesh Jaiswal Indian Institute of Technology Delhi Threshold Direct Product Theorems: a survey.
2.4 Sequences and Summations
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Rational Exchange Levente Buttyán and Jean-Pierre Hubaux Swiss Federal Institute of Technology – Lausanne Laboratory for Computer Communications and Applications.
Device-independent security in quantum key distribution Lluis Masanes ICFO-The Institute of Photonic Sciences arXiv:
Rational Cryptography Some Recent Results Jonathan Katz University of Maryland.
1 What is Game Theory About? r Analysis of situations where conflict of interests is present r Goal is to prescribe how conflicts can be resolved 2 2 r.
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
Umans Complexity Theory Lectures Lecture 7b: Randomization in Communication Complexity.
Feasibility and Completeness of Cryptographic Tasks in the Quantum World Hong-Sheng Zhou (U. Maryland) Joint work with Jonathan Katz (U. Maryland) Fang.
“Towards Self Stabilizing Wait Free Shared Memory Objects” By:  Hopeman  Tsigas  Paptriantafilou Presented By: Sumit Sukhramani Kent State University.
Utility Dependence in Correct and Fair Rational Secret Sharing Gilad Asharov Yehuda Lindell Bar-Ilan University, Israel.
Limits on the Power of Cryptographic Cheap Talk Pavel Hubáček* Jesper Buus Nielsen Alon Rosen *Produced all the good slides.
Market Design and Analysis Lecture 2 Lecturer: Ning Chen ( 陈宁 )
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
A Game-Theoretic Perspective on Oblivious Transfer Kenji Yasunaga (ISIT) Joint work with Haruna Higo, Akihiro Yamada, Keisuke Tanaka (Tokyo Inst. of Tech.)
Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.
PROBABILITY AND COMPUTING RANDOMIZED ALGORITHMS AND PROBABILISTIC ANALYSIS CHAPTER 1 IWAMA and ITO Lab. M1 Sakaidani Hikaru 1.
Contents of the Talk Preliminary Materials Motivation and Contribution
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS
Communication Complexity as a Lower Bound for Learning in Games
Multiagent Systems Game Theory © Manfred Huber 2018.
Multiagent Systems Repeated Games © Manfred Huber 2018.
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS
Example: multi-party coin toss
Presentation transcript:

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland

Two-party computation Distance? NYCLA 2800

Two-party computation Fairness: If either player learns the output, then the other player does also. Impossible in general [Cleve86]

Dealing with this impossibility Fairness for specific functions [GHKL08] Partial fairness [BG89, GL90, GMPY06, MNS09, GK10], … Physical assumptions [LMPS04, LMS05, IML05] Here: assume rational behavior Generalizing prior work on rational secret sharing [HT04, GK06, LT06, ADGH06, KN08, FKN10], …

Our results (high level) Consider an ideal-world evaluation of the function (using a trusted third party) Look for a game-theoretic equilibrium in that setting Theorem (informal): If behaving honestly is a strict Nash equil. in the ideal world, then there is a real-world protocol that is fair when players are rational

Putting our result in context Much recent interest in combining game theory and cryptography Applying game theory to cryptographic tasks (bypass impossibility, increase efficiency, …) Using cryptography to remove a mediator [CS82, Forges90, Barany92, DHR00, …] Defining cryptographic goals in game-theoretic terms [ACH11] Had appeared to give a negative answer regarding fairness

The real-world game 1. Parties running a protocol to compute some function f 2. Receive inputs x 0, x 1 from known distribution 3. Run the protocol… 4. Output an answer 5. Utilities depend on both outputs, and the true answer f(x 0, x 1 ) D

Goal Design a rational fair protocol for f, i.e., such that running the protocol honestly is a computational Nash equilibrium That is, no polynomial-time player can gain more than negligible utility by deviating Note: stronger equilibrium notions have been considered in other cryptographic contexts We leave these for future work

Asharov-Canetti-Hazay (2011) They consider a special case of our real-world game (with different motivation): Uniform, independent binary inputs x 0 and x 1 Computing XOR Utilities given by: Results: There exists a rational protocol with correctness ½ No rational protocol can be correct with probability better than ½ RightWrong Right(0, 0)(1, -1) Wrong(-1, 1)(0, 0)

Asharov-Canetti-Hazay (2011) But wait! Guessing randomly is also an equilibrium… …and achieves the same payoff as any possible protocol (even with a trusted party) Parties may as well not run the protocol at all! RightWrong Right(0, 0)(1, -1) Wrong(-1, 1)(0, 0)

The ideal-world game 1. Receive inputs x 0, x 1 from known distribution 2. Send an input (or ) to the ideal functionality 3. Receive an output (or ) from the functionality 4. Output an answer 5. Utilities depend on both outputs, and the true answer f(x 0, x 1 ) D

Utilities RightWrong Right(a 0, a 1 )(b 0, c 1 ) Wrong(c 0, b 1 )(d 0, d 1 ) Payoff Matrix (Assume b > a d c)

Honest strategy of P 0 (ideal world) Send true input x 0 to functionality Output the answer given by the functionality If functionality gives, generate output according to distribution W 0 (x 0 ) Not used in an honest execution, but must exist. We can assume W 0 (x 0 ) has full support.

Our result Honest behavior is a strict Nash equilibrium in the ideal world There exists a real- world protocol that is rational fair (Fail-stop or Byzantine setting) Not true in [ACH11]

Our protocol I Use ideas from [GHKL08, MNS09, GK10] ShareGen Choose i* from geometric distribution with parameter p For each i n, create values r i, 0 and r i,1 If i i*, r i, 0 and r i,1 are the desired outputs If i < i*, r i, 0 and r i,1 are chosen according to distributions W 0 (x 0 ) and W 1 (x 1 ) Secret-share each r i, j value; give one share to P 0 and the other to P 1

Our protocol II Compute ShareGen (unfairly) In round i, parties exchange shares P 0 learns r i,0 and P 1 learns r i, 1 If the other player aborts early, output the last value learned If the protocol finishes, output r n,0 and r n,1

Analysis – will P 0 abort early? Assume P 0 is notified once i* has passed Aborting after this point cannot help If P 0 doesnt abort early utility a 0 If P 0 aborts early…. … in round i* utility b 0 … before round i* utility strictly less than a 0 Both correct P 0 correct, P 1 incorrect From ideal world equilibrium assumption

Analysis – will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* Utility if this is i* Probability this is before i* Expected utility if this is before i* + =

Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 Probability this is before i* Expected utility if this is before i* +

Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 Probability this is before i* a 0 - constant +

Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y and this is i*] Pr[P 0 gets y] When P 0 sees output y in round i:

Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*] Pr[P 0 gets y] Pr[this is i*] When P 0 sees output y in round i:

Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*]Pr[this is i*] When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[P 0 gets y | this is i*] Pr[this is i*] Pr[this isnt i*] +

Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*] When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[P 0 gets y | this is i*] Pr[this isnt i*] + p p

Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[this isnt i*] + p p constant

Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] + p p constant 1-p

Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: + p p constant 1-p constant > 0 Can make arbitrarily low by choice of p

Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 a 0 - constant + Probability this is before i*

Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is before i* arbitrarily lowb0b0 a 0 - constant +

Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort arbitrarily lowb0b0 1 – arbitrarily lowa 0 - constant + < a0a0 Utility of not aborting

Conclusion Rational fairness is possible! As long as there is a strict preference for fairness in the ideal world (by at least one of the parties) The more pronounced parties preferences are, the more round-efficient the real-world protocol is

Extensions and open problems Multi-party case, more general utilities Recent work with Amos Beimel and Ilan Orlov Open: Prove a (partial?) converse of our result Consider stronger notions of equilibrium in the real world Address other concerns besides fairness?

Thank you

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.