
Rational Exchange Levente Buttyán and Jean-Pierre Hubaux Swiss Federal Institute of Technology – Lausanne Laboratory for Computer Communications and Applications.


1 Rational Exchange
Levente Buttyán and Jean-Pierre Hubaux
Swiss Federal Institute of Technology – Lausanne
Laboratory for Computer Communications and Applications
EPFL-IC-LCA, CH-1015 Lausanne, Switzerland
{levente.buttyan, jean-pierre.hubaux}@epfl.ch

2 [2] The exchange problem
- Alice has item A and the description of item B; she wants access to item B
- Bob has item B and the description of item A; he wants access to item A
- if Alice has access to item B but Bob does not have access to item A, then Bob has a disadvantage, and vice versa
- a misbehaving party may bring the other (correctly behaving) party in a disadvantageous situation
- Instances
  – electronic contract signing (exchange of signatures on the contract text)
  – certified electronic mail (exchange of mail for acknowledgement of receipt)
  – purchase of network delivered services (exchange of electronic payment for services)

3 [3] Two approaches
- Fair exchange protocols
  – a correctly behaving party cannot suffer any disadvantages ⇒ executing the protocol is safe for both parties
  – extensively studied, many proposals in the literature
  – all practical protocols use a TTP (on-line or off-line)
- Rational exchange protocols
  – a misbehaving party cannot gain any advantages ⇒ misbehavior is not interesting and should happen only rarely
  – only a few proposals:
    – Jakobsson's coin ripping protocol
    – Sandholm's unenforced exchange
    – Syverson's rational exchange protocol

4 [4] Motivation for rational exchange
- rational exchange protocols seem to provide weaker guarantees than fair exchange protocols
- one expects that they should be less complex than fair exchange protocols (indeed some of them do not need a TTP)
- rational exchange protocols ~ trade off between complexity and true fairness ⇒ interesting solutions to the exchange problem in certain applications, such as
  – micropayment schemes (using fair exchange for every micropayment would be an overkill)
  – peer-to-peer systems and ad hoc networks (there may not be any TTP)

5 [5] An example: a rational payment protocol
- protocol messages
  $U \to V:\; m_1 = U, V, tid, val, h(rnd), Sig_U(U, V, tid, val, h(rnd))$
  $V \to U:\; m_2 = srv$
  $U \to V:\; m_3 = rnd$
- if V received $m_1$ and $m_3$:
  $V \to B:\; m_4 = m_1, rnd, Sig_V(m_1, rnd)$
  B: charges U with val, credits V with val
- if V received only $m_1$:
  $V \to B:\; m_4' = m_1, Sig_V(m_1)$
  B: charges U with val
- brief informal analysis
  – no fairness, but … none of the parties gain any financial advantages by cheating
  – needs a TTP (the bank), but …
    – the bank is needed anyway to maintain the accounts
    – it performs the same operations as in any check based payment system
    – needs no communication between the user and the bank
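The bank's side of this protocol, as an added example that is not from the slides. HMAC-SHA256 with constructed keys stands in for Sig_U and Sig_V, and the replay check on tid and the rejection of an rnd that does not match h(rnd) are assumptions about how B would validate what V submits.

```python
import hashlib, hmac

# Constructed demo keys; HMAC is a stand-in for the signatures Sig_U and Sig_V.
KEYS = {"U": b"user-demo-key", "V": b"vendor-demo-key"}

def h(data):
    return hashlib.sha256(data).hexdigest()

def sign(who, *fields):
    msg = "|".join(map(str, fields)).encode()
    return hmac.new(KEYS[who], msg, hashlib.sha256).hexdigest()

def make_m1(tid, val, rnd):
    body = ("U", "V", tid, val, h(rnd))      # U commits to rnd via h(rnd)
    return body + (sign("U", *body),)

def make_m4(m1, rnd=None):
    # With rnd this is m4; without it, it is m4' (V never received m3).
    signed = m1 + ((rnd.hex(),) if rnd is not None else ())
    return {"m1": m1, "rnd": rnd, "sig_v": sign("V", *signed)}

class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.seen = set()                    # settled (U, V, tid): assumed replay guard

    def settle(self, m4):
        m1, rnd = m4["m1"], m4["rnd"]
        u, v, tid, val, commitment, sig_u = m1
        signed = m1 + ((rnd.hex(),) if rnd is not None else ())
        if not hmac.compare_digest(sig_u, sign(u, u, v, tid, val, commitment)):
            return "rejected: bad Sig_U"
        if not hmac.compare_digest(m4["sig_v"], sign(v, *signed)):
            return "rejected: bad Sig_V"
        if (u, v, tid) in self.seen:
            return "rejected: tid already settled"
        if rnd is not None and h(rnd) != commitment:
            return "rejected: rnd does not open h(rnd)"
        self.seen.add((u, v, tid))
        self.balances[u] -= val              # U is charged for m4 and for m4'
        if rnd is None:
            return "charged U only"          # m4': V cannot show rnd, no credit
        self.balances[v] += val              # m4: V proved it received m3
        return "charged U, credited V"
```

Because U is charged in both branches, withholding rnd after receiving the service saves U nothing; it only denies V the credit.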

6 [6] Possible application scenarios
[Figure: scenario 1 and scenario 2, showing messages $m_1$, $m_2$, $m_3$ and $m_4$ / $m_4'$, the body of $m_1$ and the signature, a base station, and counters being decreased and increased]

7 [7] Outline
- motivation
- a brief introduction to game theory
- modeling exchange protocols as games
- formal definitions of rational exchange and fair exchange
- the relationship between rational exchange and fair exchange
- conclusion
- future work

8 [8] Games
- game tree
  – vertices: possible histories (action sequences)
  – edges: available actions after a given history
- games of imperfect information ⇒ information sets
  – set of indistinguishable action sequences for a given player
- preference relations
  – defined on terminal action sequences
  – often represented by payoffs
[Figure: game tree with players A and B, actions L and R, and terminal payoffs (1, 1), (5, 0), (0, 5), (3, 3)]

9 [9] Strategy (of a player A)
- a function that assigns an action to every consistent action sequence (history) after which A has to move
- it assigns the same action to each action sequence that belongs to the same information set of A
[Figure: game tree with players A and B and actions L and R]

10 [10] Nash equilibrium
- let $o(s_A, s_B)$ denote the outcome (terminal action sequence) when A plays strategy $s_A$ and B plays strategy $s_B$
- $(s_A^*, s_B^*)$ is a Nash equilibrium iff
  – $o(s_A, s_B^*) \leq_A o(s_A^*, s_B^*)$ for all $s_A$, and
  – $o(s_A^*, s_B) \leq_B o(s_A^*, s_B^*)$ for all $s_B$
- in other words: $s_A^*$ is the best response to $s_B^*$, and vice versa ⇒ A is not motivated to deviate from $s_A^*$, given that B does not deviate from $s_B^*$, and vice versa

11 [11] Restricted game
- obtained from a game by restricting some of the players to follow fixed strategies
[Figure: a game tree with players A, B and C, and a second tree with players A, B and C]

12 [12] Synchronous system model
- assumption: the network is reliable (every submitted message is delivered within a constant time interval) ⇒ the parties interact in synchronous rounds
- in each round:
  1. each party sends messages based on her current state
  2. each party receives the messages that were sent to her in the current round, and performs a state transition
- local state of a protocol party:
  – activity flag (true iff the party has not quit the protocol)
  – local event history (send and receive events)
  – current round number
- local state of the network:
  – network buffer (set of messages submitted in the current round)

13 [13] Synchronous protocol games
- players: protocol parties (Alice, Bob, ...) + network
- information sets: q and q' belong to the same information set of Alice (Bob, ...) iff
  – it is Alice's (Bob's, ...) turn to move after both q and q', and
  – the local state of Alice (Bob, ...) is the same after q and q'
- the parties can send only messages that are compatible with the protocol (~ have the right format and cleartext fields are correct)
- actions for A (B, ...)
  – idle
  – quit
  – {send(M) : M is a subset of those msgs that A is able to send in her current local state}
- action for the network
  – deliver
[Figure: game tree of the 1st round, with moves of A and B followed by the network (net)]

14 [14] Payoffs
- (subjective) utility of items: $u_A^+$, $u_A^-$, $u_B^+$, $u_B^-$
  – determining precise values is not important
  – we assume only: $0 < u_A^- < u_A^+$ and $0 < u_B^- < u_B^+$
- payoff for player i: $y_i(q) = y_i^+(q) - y_i^-(q)$
  – $y_i^+(q)$: gain
  – $y_i^-(q)$: loss

$$y_i^+(q) = \begin{cases} u_i^+, & \text{if } i \text{ gains access to item } j \text{ in } q \\ 0, & \text{otherwise} \end{cases}$$

$$y_i^-(q) = \begin{cases} u_i^-, & \text{if } i \text{ loses control over item } i \text{ in } q \\ 0, & \text{otherwise} \end{cases}$$

- note: the payoff can take only 4 possible values: $u_i^+ > u_i^+ - u_i^- > 0 > -u_i^-$
[Figure: Alice and Bob with item A and item B, labelled with the utilities $u_A^+$, $u_A^-$, $u_B^+$, $u_B^-$]

15 [15] Definition of rationality
- rationality ~ Nash equilibrium
  – rationality: a misbehaving party cannot gain any advantages
  – Nash equilibrium: a deviating party cannot gain a higher payoff (given that the other parties do not deviate)
- a formal definition of rationality
  – protocol: $\pi = \{\pi_A, \pi_B, \pi_{TTP}\}$
  – protocol game: $G_\pi$
  – each program $\pi_i$ is represented by a strategy $s_i^*$ in $G_\pi$
  – we consider the restricted protocol game $G_{\pi \mid s_{TTP}^*}$ (i.e., we assume that the TTP behaves correctly)
  – the protocol is rational iff
    – $(s_A^*, s_B^*)$ is a Nash equilibrium in $G_{\pi \mid s_{TTP}^*}$
    – both A and B prefer the outcome of $(s_A^*, s_B^*)$ to any other Nash equilibrium in $G_{\pi \mid s_{TTP}^*}$

16 [16] Further properties
- fairness
  – for every strategy $s_A$ of A: $y_A(q) > 0$ implies $y_B(q) > 0$, where $q = o(s_A, s_B^*)$, and
  – a similar condition for every strategy $s_B$ of B
- effectiveness
  – $y_A(q) > 0$ and $y_B(q) > 0$, where $q = o(s_A^*, s_B^*)$
- termination
  – for every strategy $s_A$ of A: there exists a finite prefix q' of q such that $\alpha_B(q') = \text{false}$ (B's activity flag), where $q = o(s_A, s_B^*)$, and
  – a similar condition for every strategy $s_B$ of B
- gain closed property
  – for every terminal action sequence q: $y_A^+(q) > 0$ implies $y_B^-(q) > 0$, and $y_B^+(q) > 0$ implies $y_A^-(q) > 0$
- safe back out property
- ...

17 [17] Fairness implies rationality (but not vice versa)
- proposition: if the protocol satisfies the effectiveness, gain closed, and safe back out properties, then fairness implies rationality
- sketch of the proof
  - $(s_A^*, s_B^*)$ is a Nash equilibrium
    – assume it is not
    – $y_A(q') > y_A(q^*)$, where $q^* = o(s_A^*, s_B^*)$ and $q' = o(s_A', s_B^*)$
    – effectiveness, gain closed property ⇒ $y_A(q^*) = u_A^+ - u_A^-$
    – $y_A^+(q') = u_A^+$ and $y_A^-(q') = 0$
    – fairness ⇒ $y_A^+(q') = u_A^+$ implies $y_B^+(q') = u_B^+$
    – gain closed property ⇒ $y_B^+(q') = u_B^+ > 0$ implies $y_A^-(q') > 0$

18 [18] Fairness implies rationality (but not vice versa)
- sketch of the proof (cont'd)
  - both A and B prefer the outcome of $(s_A^*, s_B^*)$ to any other Nash equilibrium $(s_A', s_B')$
    – assume the contrary
    – $y_A(q') > y_A(q^*)$, where $q' = o(s_A', s_B')$ ⇒ $y_A^+(q') = u_A^+$ and $y_A^-(q') = 0$
    – gain closed property ⇒ $y_A^+(q') = u_A^+ > 0$ implies $y_B^-(q') > 0$
    – gain closed property ⇒ $y_A^-(q') = 0$ implies $y_B^+(q') = 0$
    – $y_B(q') = y_B^+(q') - y_B^-(q') < 0$
    – safe back out property ⇒ B can always achieve a non-negative payoff by quitting at the beginning of the protocol
    – $s_B'$ is not the best response to $s_A'$
    – $(s_A', s_B')$ cannot be a Nash equilibrium

19 [19] Conclusion
- a formal model for exchange protocols based on game theory
- a formal definition of rational exchange (~ Nash equilibrium)
- formal definitions of various other properties (including fairness)
- a proof that fairness implies rationality (but not vice versa)
- proving rationality of two protocols
  – example rational payment protocol
  – Syverson's rational exchange protocol
- rational exchange can be viewed as a trade-off between complexity and true fairness ⇒ it may provide interesting solutions to the exchange problem in certain applications

20 [20] Future work: Asynchronous rational exchange?
- example payment protocol revisited
- assume the network is unreliable (may delay or lose messages)
  – the network may delay the delivery of $m_3 = rnd$ to V
  – V times out and sends $m_4'$ to B
  – V provided the service, but doesn't get paid ⇒ payoff is negative
  – V would have been better off if it had quit the protocol at the beginning
  ⇒ effectiveness and rationality are lost
- if the network doesn't lose messages and the players don't use timers
  – effectiveness can be retained
    – if U and V follow the correct strategies and wait long enough for messages, then they will eventually get what they want
  – but rationality is still lost
    – U knows that V will wait for $m_3$ forever (no timeout)
    – the best strategy of U is to quit after receiving the service and to never send $m_3$ (i.e., misbehaving)
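The payment protocol of slide 5 checked against the definitions on slides 14 to 16 and the no-timer case of slide 20, as an added example that is not from the slides. The three strategies per player, their names, and the utility values are constructed simplifications of the full protocol game; the bank is assumed to behave correctly.

```python
from itertools import product

# Constructed utilities; slide 14 only requires 0 < u- < u+ for each party.
U_PLUS, U_MINUS = {"U": 3, "V": 3}, {"U": 2, "V": 2}
U_STRATS = ("quit", "withhold_rnd", "honest")   # honest = s_U*
V_STRATS = ("quit", "no_service", "honest")     # honest = s_V*

def payoffs(s_u, s_v, v_times_out=True):
    """Return (y_U, y_V) for one strategy pair, using y_i = y_i+ - y_i-."""
    m1 = s_u != "quit" and s_v != "quit"         # V holds a signed m1
    served = m1 and s_v == "honest"              # m2 = srv was sent
    got_rnd = served and s_u == "honest"         # m3 = rnd reached V
    # V deposits m4 (has rnd) or m4' (timed out, or never meant to serve)
    to_bank = m1 and (got_rnd or v_times_out or s_v == "no_service")
    y_u = U_PLUS["U"] * served - U_MINUS["U"] * to_bank
    y_v = U_PLUS["V"] * (to_bank and got_rnd) - U_MINUS["V"] * served
    return y_u, y_v

def is_nash(s_u, s_v, **kw):
    y_u, y_v = payoffs(s_u, s_v, **kw)
    return (all(payoffs(d, s_v, **kw)[0] <= y_u for d in U_STRATS) and
            all(payoffs(s_u, d, **kw)[1] <= y_v for d in V_STRATS))

def equilibria(**kw):
    return [p for p in product(U_STRATS, V_STRATS) if is_nash(*p, **kw)]

def is_rational(**kw):
    """Slide 15: (s_U*, s_V*) is a Nash equilibrium preferred to all others."""
    best = payoffs("honest", "honest", **kw)
    others = [payoffs(*p, **kw) for p in equilibria(**kw) if p != ("honest", "honest")]
    return is_nash("honest", "honest", **kw) and all(
        o[0] < best[0] and o[1] < best[1] for o in others)

def is_fair(**kw):
    """Slide 16: against an honest peer, y_i > 0 must imply y_peer > 0."""
    return (all(payoffs(d, "honest", **kw)[1] > 0 for d in U_STRATS
                if payoffs(d, "honest", **kw)[0] > 0) and
            all(payoffs("honest", d, **kw)[0] > 0 for d in V_STRATS
                if payoffs("honest", d, **kw)[1] > 0))
```

With `v_times_out=True` the honest pair is an equilibrium even though the protocol is not fair; with `v_times_out=False` withholding rnd pays U strictly more than honesty, which is the loss of rationality described on slide 20.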

