Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Published byIsaiah Ayers Modified over 10 years ago

Similar presentations

Presentation on theme: "Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland."— Presentation transcript:

1 Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland

2 Two-party computation Distance? NYCLA 2800

3 Two-party computation Fairness: If either player learns the output, then the other player does also. Impossible in general [Cleve86]

4 Dealing with this impossibility Fairness for specific functions [GHKL08] Partial fairness [BG89, GL90, GMPY06, MNS09, GK10], … Physical assumptions [LMPS04, LMS05, IML05] Here: assume rational behavior Generalizing prior work on rational secret sharing [HT04, GK06, LT06, ADGH06, KN08, FKN10], …

5 Our results (high level) Consider an ideal-world evaluation of the function (using a trusted third party) Look for a game-theoretic equilibrium in that setting Theorem (informal): If behaving honestly is a strict Nash equil. in the ideal world, then there is a real-world protocol that is fair when players are rational

6 Putting our result in context Much recent interest in combining game theory and cryptography Applying game theory to cryptographic tasks (bypass impossibility, increase efficiency, …) Using cryptography to remove a mediator [CS82, Forges90, Barany92, DHR00, …] Defining cryptographic goals in game-theoretic terms [ACH11] Had appeared to give a negative answer regarding fairness

7 The real-world game 1. Parties running a protocol to compute some function f 2. Receive inputs x 0, x 1 from known distribution 3. Run the protocol… 4. Output an answer 5. Utilities depend on both outputs, and the true answer f(x 0, x 1 ) D

8 Goal Design a rational fair protocol for f, i.e., such that running the protocol honestly is a computational Nash equilibrium That is, no polynomial-time player can gain more than negligible utility by deviating Note: stronger equilibrium notions have been considered in other cryptographic contexts We leave these for future work

9 Asharov-Canetti-Hazay (2011) They consider a special case of our real-world game (with different motivation): Uniform, independent binary inputs x 0 and x 1 Computing XOR Utilities given by: Results: There exists a rational protocol with correctness ½ No rational protocol can be correct with probability better than ½ RightWrong Right(0, 0)(1, -1) Wrong(-1, 1)(0, 0)

10 Asharov-Canetti-Hazay (2011) But wait! Guessing randomly is also an equilibrium… …and achieves the same payoff as any possible protocol (even with a trusted party) Parties may as well not run the protocol at all! RightWrong Right(0, 0)(1, -1) Wrong(-1, 1)(0, 0)

11 The ideal-world game 1. Receive inputs x 0, x 1 from known distribution 2. Send an input (or ) to the ideal functionality 3. Receive an output (or ) from the functionality 4. Output an answer 5. Utilities depend on both outputs, and the true answer f(x 0, x 1 ) D

12 Utilities RightWrong Right(a 0, a 1 )(b 0, c 1 ) Wrong(c 0, b 1 )(d 0, d 1 ) Payoff Matrix (Assume b > a d c)

13 Honest strategy of P 0 (ideal world) Send true input x 0 to functionality Output the answer given by the functionality If functionality gives, generate output according to distribution W 0 (x 0 ) Not used in an honest execution, but must exist. We can assume W 0 (x 0 ) has full support.

14 Our result Honest behavior is a strict Nash equilibrium in the ideal world There exists a real- world protocol that is rational fair (Fail-stop or Byzantine setting) Not true in [ACH11]

15 Our protocol I Use ideas from [GHKL08, MNS09, GK10] ShareGen Choose i* from geometric distribution with parameter p For each i n, create values r i, 0 and r i,1 If i i*, r i, 0 and r i,1 are the desired outputs If i < i*, r i, 0 and r i,1 are chosen according to distributions W 0 (x 0 ) and W 1 (x 1 ) Secret-share each r i, j value; give one share to P 0 and the other to P 1

16 Our protocol II Compute ShareGen (unfairly) In round i, parties exchange shares P 0 learns r i,0 and P 1 learns r i, 1 If the other player aborts early, output the last value learned If the protocol finishes, output r n,0 and r n,1

17 Analysis – will P 0 abort early? Assume P 0 is notified once i* has passed Aborting after this point cannot help If P 0 doesnt abort early utility a 0 If P 0 aborts early…. … in round i* utility b 0 … before round i* utility strictly less than a 0 Both correct P 0 correct, P 1 incorrect From ideal world equilibrium assumption

18 Analysis – will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* Utility if this is i* Probability this is before i* Expected utility if this is before i* + =

19 Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 Probability this is before i* Expected utility if this is before i* +

20 Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 Probability this is before i* a 0 - constant +

21 Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y and this is i*] Pr[P 0 gets y] When P 0 sees output y in round i:

22 Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*] Pr[P 0 gets y] Pr[this is i*] When P 0 sees output y in round i:

23 Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*]Pr[this is i*] When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[P 0 gets y | this is i*] Pr[this is i*] Pr[this isnt i*] +

24 Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*] When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[P 0 gets y | this is i*] Pr[this isnt i*] + p p

25 Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[this isnt i*] + p p constant

26 Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] + p p constant 1-p

27 Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: + p p constant 1-p constant > 0 Can make arbitrarily low by choice of p

28 Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 a 0 - constant + Probability this is before i*

29 Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is before i* arbitrarily lowb0b0 a 0 - constant +

30 Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort arbitrarily lowb0b0 1 – arbitrarily lowa 0 - constant + < a0a0 Utility of not aborting

31 Conclusion Rational fairness is possible! As long as there is a strict preference for fairness in the ideal world (by at least one of the parties) The more pronounced parties preferences are, the more round-efficient the real-world protocol is

32 Extensions and open problems Multi-party case, more general utilities Recent work with Amos Beimel and Ilan Orlov Open: Prove a (partial?) converse of our result Consider stronger notions of equilibrium in the real world Address other concerns besides fairness?

33 Thank you

Download ppt "Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland."

Similar presentations

Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Games for Exchanging Information

Games for Exchanging Information
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Nash’s Theorem Theorem (Nash, 1951): Every finite game (finite number of players, finite number of pure strategies) has at least one mixed-strategy Nash.

Nash’s Theorem Theorem (Nash, 1951): Every finite game (finite number of players, finite number of pure strategies) has at least one mixed-strategy Nash.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Generating Random Numbers

Generating Random Numbers
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Game Theoretical Insights in Strategic Patrolling: Model and Analysis Nicola Gatti – DEI, Politecnico di Milano, Piazza Leonardo.

Game Theoretical Insights in Strategic Patrolling: Model and Analysis Nicola Gatti – DEI, Politecnico di Milano, Piazza Leonardo.
Joint Strategy Fictitious Play Sherwin Doroudi. “Adapted” from J. R. Marden, G. Arslan, J. S. Shamma, “Joint strategy fictitious play with inertia for.

Joint Strategy Fictitious Play Sherwin Doroudi. “Adapted” from J. R. Marden, G. Arslan, J. S. Shamma, “Joint strategy fictitious play with inertia for.
Game Theory and Computer Networks: a useful combination? Christos Samaras, COMNET Group, DUTH.

Game Theory and Computer Networks: a useful combination? Christos Samaras, COMNET Group, DUTH.
 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.

 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Similar presentations

Ads by Google