Presentation is loading. Please wait.

Presentation is loading. Please wait.

Utility Dependence in Correct and Fair Rational Secret Sharing Gilad Asharov Yehuda Lindell Bar-Ilan University, Israel.

Published byRudolf Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "Utility Dependence in Correct and Fair Rational Secret Sharing Gilad Asharov Yehuda Lindell Bar-Ilan University, Israel."— Presentation transcript:

1 Utility Dependence in Correct and Fair Rational Secret Sharing Gilad Asharov Yehuda Lindell Bar-Ilan University, Israel

2 What is Secret Sharing? t-out-of-n secret sharing:  n parties wish to share a secret s, such that every subset of t parties can reconstruct the secret together, but every subset of less than t parties cannot learn anything about the secret Two Phases:  Sharing: A “dealer” creates and sends shares for the n parties  Reconstruction: at least t parties reconstruct the secret (using a reconstruction protocol)

3 Rational Secret Sharing The Goal: to construct a fair reconstruction protocol when the parties are rational  Fair: all parties learn the secret  Rational: all parties have utility functions that they wish to maximize

4 Naive Protocol for Share Reconstruction All parties broadcast their shares P1P1 P2P2 learns the secret

5 The Problem A party can not broadcast its share but still learn the secret In rational secret sharing we assume that:  Each party wants to learn the secret  Each party prefers to be the only one to learn the secret In the naïve reconstruction protocol – no one has incentive to cooperate! [Halpern Teague, STOC 04] P1P1 P2P2 cooperates keeps silent learns does not learn

6 Background – Utilities U i + : the utility for party P i when it alone learns the secret U i : the utility for party P i when all parties learn the secret U i - : the utility for party P i when it does not learn the secret Assumptions: for every party it holds that: U i + ≥ U i ≥ U i -

7 Background – Nash Equilibrium Best Response: is the strategy which produces the most favorable outcome for a player, taking other players' strategies as given Nash Equilibrium: a behavior strategy profile σ = (σ 1,…, σ n ) is a Nash Equilibrium if for every party i, σ i is the best response for σ -i = (σ \ {σ i })   i  σ’ i : u i (σ i,σ -i ) ≥ u i (σ’ i,σ -i )  There are other solution concepts and stronger equilibriums

8 Rational Secret Sharing Rational secret sharing:  There is (at least) a Nash equilibrium on the strategy that instructs all to cooperate and results in all parties learning the secret  Thus, the parties’ utilities are maximized when they cooperate and all learn the secret When following prescribed strategy, all gain U i Deviating from the strategy yields an expected utility less than U i

9 Background – the Gordon-Katz Protocol (simultaneous) The dealer at every round chooses shares for the real secret (s) with probability ¯, and for a fake secret with probability 1- ¯ Parties can distinguish between real secret and fake one At every round, the parties are supposed to broadcast their shares simultaneously (C=cooperate) If the reconstructed value is not the real secret, parties continue to the next round fake dealer fake dealer real dealer

10 Background – the Gordon-Katz Protocol (simultaneous) If a party “deviates” (D=deviate=keeps silent), then the game is terminated In this case, it can learn the secret alone, but only with probability ¯ “deviate” is a risk  “Big” ¯ - small risk  “Small” ¯ - big risk fake dealer fake dealer ¯ : real 1- ¯ : fake deviates The End

11 The Gordon-Katz Protocol (simultaneous) Consider 2-out-of-2 secret sharing, the strategy for both to cooperate is a Nash equilibrium if for every i: u i (C,C) > u i (D,C) The expected utility when deviating (D) is: ¯ ¢ U i + + (1- ¯ ) ¢ U i - Therefore, it should hold that: U i > ¯ ¢ U i + + (1- ¯ ) ¢ U i - This occurs when: Observe that the protocol is dependent on the utilities

12 Utility Dependence In reality, the utility of a party may not even be known to itself Even if a party knows its own utility, it is unclear how others can learn this value Therefore, we don’t know how to set the correct ¯

13 Our First Question Is it possible to construct a reconstruction protocol that achieves (at least) Nash Equilibrium for all possible values of utility functions (that fulfill the assumptions)? We call such a protocol “utility independent” Is there a difference between simultaneous and non-simultaneous channels?

14 Simultaneous vs. Non-Simultaneous … … … … Simultaneous Non-simultaneous Is there a difference between simultaneous and non-simultaneous channels?

15 Our Results Is it possible to construct a reconstruction protocol that achieves (at least) Nash Equilibrium for all possible values of utility functions (that fulfill the assumptions)? For 2-out-of-2:  NO (both models) For t-out-of-n:  Coalition of size more than t/2: NO (both models)  Coalition of size less then t/2: YES (simultaneous)

16 Positive Result Theorem  There exists a multiparty reconstruction protocol that is independent of the utility functions of the players and is resilient to coalitions of size less than t/2 (in the simultaneous model) This result does not appear in the proceedings  See the full version on ePrint report 2009/373 Based on an important observation that was made by Lysyanskaya-Triandopoulos (CRYPTO 2006)

17 Complete Independence t-out-of-n (simultaneous) P1P1 P3P3 S deviates P2P2 learns An additive share helps to achieve fairness Consider 2-out-of-3 secret sharing scheme, Naïve protocol  All 3 parties participate in the reconstruction phase Even if one of the parties does not cooperate, all parties learn the secret threshold: 2

18 An additive share helps to achieve fairness P1P1 P3P3 S deviates P2P2 learns All cooperating is Nash Equilibrium! [HT, STOC04]  Assume that all the other are cooperating: u i (C,C) = U i u i (D,C) = U i But, this Nash Equilibrium is very weak guarantee:  Deviating is never worse than cooperating, sometimes even better  Cooperating is weakly dominated by deviating The naïve protocol is not enough! threshold: 2

19 An additive share helps to achieve fairness P1P1 P3P3 ½: real ½: fake deviates P2P2 We need to add some penalty  Consider Gordon-Katz protocol, with ¯ = ½ Cooperating is still best response All cooperating is still in Nash Equilibrium Cooperation is not weakly dominated any more u i (D) = ½ U i + ½ U i - threshold: 2 u i (C) = U i

20 Complete Independence t-out-of-n (simultaneous) If the number of parties that are participating in the reconstruction phase is greater than the threshold – it is possible to achieve utility-independent protocol  t * >t parties in the reconstruction phase What about t * =t?  What about n-out-of-n secret sharing?

21 Complete Independence In Multiparty (simultaneous) The dealer protocol:  Generate a random r 2 {0,1} k  Create shares for r with threshold t  Create shares for s © r with threshold t/2 The reconstruction:  The parties will reconstruct r using the Naïve protocol If anyone deviates – the game is terminated  The parties will reconstruct s © r using the Gordon-Katz protocol with ¯ = ½

22 Complete Independence In Multiparty (simultaneous) We also showed a “stronger equilibrium” We showed that the protocol is resilient to coalitions of size less than t/2 Using our impossibility result, this protocol is optimal with respect to coalitions

23 Correctness in Non-Simultaneous Model (two party)

24 Simultaneous vs. Non-Simultaneous … … … … Simultaneous Non-simultaneous

25 Correctness in Non-Simultaneous Model Kol and Naor [STOC 08] – presented a protocol for the non-simultaneous model  In their protocol, a party can cause the other to output an incorrect value (at the expense of not learning)  They assumed that parties always prefer to learn and so will not carry out this attack

26 Correctness in Non-Simultaneous Model We added another utility value:  U f – a player does not learn the secret, but causes the other to output a wrong value  Kol-Naor assume that U f < U We study the setting where U f may be greater than U

27 Questions (non-simultaneous) Can we construct a protocol in the non-simultaneous model that works (both parties output correct secret) even if U f > U?  If the U f i values are known, the answer is YES  We construct a (utility dependent) protocol that solves this problem of correctness (based on the Kol-Naor protocol) Can we construct a protocol that works for every value of U i f ? (it may know the other utilities)  NO: Dependence on U f is inherent  We prove that a “correct” protocol cannot be “fair”

28 Conclusion Non-simultaneousSimultaneous U f is known U + is known yes  – two party ? – multiparty NOyes  – two party ? – multiparty  – two party – multiparty yesNO  – two party ? – multiparty  – two party – multiparty NO Blue – Known Results Red - Open Questions - our result, based on Kol-Naor protocol

29

Download ppt "Utility Dependence in Correct and Fair Rational Secret Sharing Gilad Asharov Yehuda Lindell Bar-Ilan University, Israel."

Similar presentations

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.
Chapter 17: Making Complex Decisions April 1, 2004.

Chapter 17: Making Complex Decisions April 1, 2004.
Games for Exchanging Information

Games for Exchanging Information
Reaching Agreements II. 2 What utility does a deal give an agent? Given encounter  T 1,T 2  in task domain  T,{1,2},c  We define the utility of a.

Reaching Agreements II. 2 What utility does a deal give an agent? Given encounter  T 1,T 2  in task domain  T,{1,2},c  We define the utility of a.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECON 100 Tutorial: Week 9 office: LUMS C85.

ECON 100 Tutorial: Week 9 office: LUMS C85.
This Segment: Computational game theory Lecture 1: Game representations, solution concepts and complexity Tuomas Sandholm Computer Science Department Carnegie.

This Segment: Computational game theory Lecture 1: Game representations, solution concepts and complexity Tuomas Sandholm Computer Science Department Carnegie.
3. Basic Topics in Game Theory. Strategic Behavior in Business and Econ Outline 3.1 What is a Game ? 3.1.1 The elements of a Game 3.1.2 The Rules of the.

3. Basic Topics in Game Theory. Strategic Behavior in Business and Econ Outline 3.1 What is a Game ? The elements of a Game The Rules of the.
Congestion Games with Player- Specific Payoff Functions Igal Milchtaich, Department of Mathematics, The Hebrew University of Jerusalem, 1993 Presentation.

Congestion Games with Player- Specific Payoff Functions Igal Milchtaich, Department of Mathematics, The Hebrew University of Jerusalem, 1993 Presentation.
Non-Cooperative Game Theory To define a game, you need to know three things: –The set of players –The strategy sets of the players (i.e., the actions they.

Non-Cooperative Game Theory To define a game, you need to know three things: –The set of players –The strategy sets of the players (i.e., the actions they.
6-1 LECTURE 6: MULTIAGENT INTERACTIONS An Introduction to MultiAgent Systems

6-1 LECTURE 6: MULTIAGENT INTERACTIONS An Introduction to MultiAgent Systems
Chapter 14 Infinite Horizon 1.Markov Games 2.Markov Solutions 3.Infinite Horizon Repeated Games 4.Trigger Strategy Solutions 5.Investing in Strategic Capital.

Chapter 14 Infinite Horizon 1.Markov Games 2.Markov Solutions 3.Infinite Horizon Repeated Games 4.Trigger Strategy Solutions 5.Investing in Strategic Capital.
Chapter 6 Game Theory © 2006 Thomson Learning/South-Western.

Chapter 6 Game Theory © 2006 Thomson Learning/South-Western.
Game Theory and Computer Networks: a useful combination? Christos Samaras, COMNET Group, DUTH.

Game Theory and Computer Networks: a useful combination? Christos Samaras, COMNET Group, DUTH.
Eponine Lupo.  Questions from last time  3 player games  Games larger than 2x2—rock, paper, scissors  Review/explain Nash Equilibrium  Nash Equilibrium.

Eponine Lupo.  Questions from last time  3 player games  Games larger than 2x2—rock, paper, scissors  Review/explain Nash Equilibrium  Nash Equilibrium.
Game Theory 1. Game Theory and Mechanism Design Game theory to analyze strategic behavior: Given a strategic environment (a “game”), and an assumption.

Game Theory 1. Game Theory and Mechanism Design Game theory to analyze strategic behavior: Given a strategic environment (a “game”), and an assumption.
 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.

 1. Introduction to game theory and its solutions.  2. Relate Cryptography with game theory problem by introducing an example.  3. Open questions and.
EC941 - Game Theory Lecture 7 Prof. Francesco Squintani

EC941 - Game Theory Lecture 7 Prof. Francesco Squintani
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Similar presentations

Ads by Google