Cryptography and Game Theory: Designing Protocols for Exchanging Information


Gillat Kol and Moni Naor

**Our Goal**

• Our Goal: Designing protocols encouraging rational players to exchange information.
• Examples we deal with:
  • Rational secure function evaluation.
  • Rational secret sharing (this talk).

**Talk Plan**

• Tool: Meaningful / Meaningless Encryption
• Application: Rational Secret Sharing

**Meaningful / Meaningless Encryption**

• A public-key encryption scheme $E$.
• Special property: some public keys are meaningless: they yield encryptions that cannot be decrypted, even with unbounded computational power!
  • The cipher contains no information about the plaintext: for all $m, m'$, the distribution $\{E(\mathit{pub\_key}, r, m)\}_r$ is identical to $\{E(\mathit{pub\_key}, r, m')\}_r$.
• Distinguishing meaningful from meaningless is hard. Given two public keys, one meaningful and one meaningless, guessing which is which cannot be done by a PPT with a non-negligible advantage over 1/2.

[Figure: $E$ maps (pub_key, rand, plaintext) to a ciphertext; the pub_key is labelled meaningless.]

**A Construction based on Goldwasser and Micali's Public Key Cryptosystem**

• Private Key: Two large primes $P$ and $Q$.
• Public Key: $(N, x)$ where $N = PQ$ and $x$ is:
  • A quadratic non-residue of $N$ ($x \neq z^2 \bmod N$) w.p. $\beta$ (meaningful key).
  • A quadratic residue of $N$ w.p. $1-\beta$ (meaningless key).
• Encryption: Encrypt each bit $b_i$ of the message:
  • Choose $y_i$ and calculate $c_i = y_i^2 x^{b_i} \bmod N$.
  • The ciphertext is $(c_1, \ldots, c_n)$.
• Decryption: Using the private key $(P, Q)$: $b_i = 0$ iff $c_i$ is a quadratic residue.
• If $x$ is a residue, then $c_i = y_i^2 x^{b_i}$ is always a residue! Recall, in GM $x$ is always a non-residue.

**Talk Plan**

• Tool: Meaningful / Meaningless Encryption
• Application: Rational Secret Sharing

**Secret Sharing**

• k-out-of-n secret sharing: a dealer privately distributes shares of a secret $s$ to a group of $n$ players s.t.:
  • Given $\geq k$ shares, $s$ can be reconstructed.
  • Given $< k$ shares, no info about $s$ can be inferred.
• Secret sharing assumes that players are either malicious or honest.
• However, in some situations it makes more sense to view players as rational.
  • $P_i$ tries to maximize a utility (payoff) function $u_i$ describing his gain for any outcome of the protocol.
  • E.g. $P_i$ gets $100 if he learns the secret: $u_i(P_i \text{ learns secret}) = 100$.

**Rational Secret Sharing [HT04]**

• Good RSS scheme = Dealing + Reconstruction:
  • Dealing: k-out-of-n share assignment.
  • Reconstruction: game-theoretically stable, i.e. no player can gain from deviating (new requirement).
• Our Model:
  • Players prefer to learn the secret: $u_i(P_i \text{ learns secret}) > u_i(P_i \text{ doesn't learn secret})$.
  • Communicating via a simultaneous broadcast channel (no rushing!).

**The Crux of Rational Secret Sharing**

• Cryptographic schemes require players to reveal their shares in order to reconstruct the secret.
• Problem: A rational player has no incentive to cooperate, since no one can punish him later.
  • Keeping silent is at least as good as revealing.
• Solution:
  • Constructing protocols that proceed in a sequence of iterations.
  • Ensuring that players won't be able to identify the last iteration.
  • A player caught cheating is punished in the next iteration.
• If players are able to identify it, they deviate in the last round. Consequently, they deviate in all the previous rounds as well. This process is called Backward Induction.

**Previous Works**

• Solutions were suggested in [HT04], [GK06], [LT06] and [ADGH06].
• Deal with more involved models.
• We'll see a simplified version of their protocols.

**Our Contribution**

• Show that protocols using computational based cryptography have a weak point.
• Suggest a new scheme, using a Meaningful / Meaningless encryption, overcoming the problem.

**A Rational Secret Sharing Scheme**

• Dealing: Assign $P_i$ with a k-out-of-n share of $s$ + authen info.
• Reconstruction: In every iteration, players run SFE taking the shares and authen info as inputs:
  • Check the shares' authenticity. Abort in case of deviations. (Punishment!)
  • w.p. $\beta$ (TBD) reconstruct and return $s$. (real iteration)
  • w.p. $1-\beta$ return. Continue to the next iteration. (fake iteration)
• For a small enough $\beta$, the protocol is stable.
  • Deviations will most likely lead to an early abort.

**Backward Induction**

• Problem: The SFE of the first iteration can be broken after an exponential number of rounds $b$.
  • Round $b$ is essentially the last. As before, players deviate if it is reached.
  • Round $b-1$ is now essentially the last. Players deviate for the same reason.
  • …
• Eventually, the instability in iteration $b$ causes instability from iteration 1.
• Backward Induction causes exponential events to be amplified.

**Our Idea**

• As before, an execution of the protocol consists of a sequence of fake iterations followed by a real one, in which the secret is revealed.
• However, we'll implement the fake rounds using meaningless keys.
  • Thus, no information about the shares exists in fake rounds.
• Now, there is no bound on the protocol length, and therefore no Backward Induction!
• Dealing: As before, except that the authentications are information theoretic.

**Our Reconstruction Protocol**

In each iteration:

• Key Gen: New keys for $E$ are generated via (unfair) SFE.
  • Gives each player pub_key + a share of priv_key.
• Encryption: Each player encrypts his share. Ciphertexts are broadcast.
• Verification: The encryptions are validated via SFE.
  • Receives as input the shares of priv_key. However, the shares of $s$ are not used.
• Exchange: Each player broadcasts his share of priv_key.
• During the first meaningful iteration the ciphertexts are decrypted using priv_key and $s$ is reconstructed.

[Slide annotations: meaningless key = fake iteration; meaningful key = real iteration; "same as before"; "prob of generating a meaningful key"; "why would players encrypt their true shares?"]

**Additional Results**

• The scheme is naturally resistant to coalitions.
  • The SFEs used are such.
• Can be generalized to handle rational SFE.
  • Technique: Composing Meaningful / Meaningless Encryptions with Yao's Garbled Circuit.
• Getting rid of the assumption that the channel is simultaneous at the cost of longer protocols (linear in the range size).
• STOC08 paper: Characterization of the non-cryptographic case.
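The GM-based construction and the fake/real iteration loop of "Our Reconstruction Protocol", as an added Python example that is not code from the slides or the authors. Assumptions: the toy primes and all function names are constructed here, the meaningful `x` is chosen as a non-residue modulo both primes (as standard GM requires), shares are plain bit lists, and the SFE, verification and priv_key-sharing steps are idealised as local calls.

```python
import secrets
from math import gcd

P, Q = 10007, 10009  # constructed toy primes; a real key uses large secret primes

def is_qr(a, p):
    """Euler's criterion: is a a quadratic residue modulo the odd prime p?"""
    return pow(a, (p - 1) // 2, p) == 1

def rand_unit(n):
    """Uniformly random element of Z_n^*."""
    while True:
        y = secrets.randbelow(n - 2) + 2
        if gcd(y, n) == 1:
            return y

def keygen(p, q, beta):
    """Public key (N, x): x is a non-residue w.p. beta, a residue otherwise."""
    n = p * q
    if secrets.randbelow(10**6) >= beta * 10**6:
        return (n, pow(rand_unit(n), 2, n)), (p, q)   # meaningless key
    while True:  # meaningful: non-residue mod both primes, as in standard GM
        x = rand_unit(n)
        if not is_qr(x, p) and not is_qr(x, q):
            return (n, x), (p, q)

def encrypt(pub, bits):
    """c_i = y_i^2 * x^(b_i) mod N for each message bit b_i."""
    n, x = pub
    return [pow(rand_unit(n), 2, n) * pow(x, b, n) % n for b in bits]

def decrypt(priv, cipher):
    """b_i = 0 iff c_i is a quadratic residue mod N (i.e. mod both P and Q)."""
    p, q = priv
    return [0 if is_qr(c, p) and is_qr(c, q) else 1 for c in cipher]

def reconstruct(shares, beta):
    """Fake iterations until the first meaningful key; SFE steps are idealised."""
    rounds = 0
    while True:
        rounds += 1
        pub, priv = keygen(P, Q, beta)                 # Key Gen
        ciphers = [encrypt(pub, s) for s in shares]    # Encryption, broadcast
        if not is_qr(pub[1], priv[0]):                 # Exchange reveals priv_key
            return [decrypt(priv, c) for c in ciphers], rounds
```

Under a meaningless key every ciphertext is a square, so `decrypt` returns all zeros whatever was encrypted; the number of rounds `reconstruct` takes is geometric with parameter `beta`.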