Cryptography and Game Theory: Designing Protocols for Exchanging Information

##### Presentation Transcript

1. Cryptography and Game Theory: Designing Protocols for Exchanging Information
   Gillat Kol and Moni Naor

2. Our Goal
   • Our goal: designing protocols that encourage rational players to exchange information.
   • Examples we deal with:
     • Rational secure function evaluation.
     • Rational secret sharing (this talk).

3. Talk Plan
   • Tool: Meaningful / Meaningless Encryption
   • Application: Rational Secret Sharing

4. Meaningful / Meaningless Encryption
   • A public-key encryption scheme $E$.
   • Special property: some public keys are meaningless. They yield encryptions that cannot be decrypted, even with unbounded computational power!
   • The cipher contains no information about the plaintext: for all $m, m'$, the distribution $\{E(\text{pub\_key}, r, m)\}_r$ is identical to $\{E(\text{pub\_key}, r, m')\}_r$.
   • Distinguishing meaningful from meaningless is hard: given two public keys, one meaningful and one meaningless, guessing which is which cannot be done by a PPT with a non-negligible advantage over 1/2.
   • [Diagram: a meaningless pub_key, rand and plaintext enter E; ciphertext comes out.]

5. A Construction based on Goldwasser and Micali’s Public Key Cryptosystem
   • Private key: two large primes $P$ and $Q$.
   • Public key: $(N, x)$ where $N = PQ$ and $x$ is:
     • a quadratic non-residue of $N$ ($x \neq z^2 \bmod N$) w.p. $\beta$ (meaningful key);
     • a quadratic residue of $N$ w.p. $1-\beta$ (meaningless key).
   • Encryption: encrypt each bit $b_i$ of the message:
     • Choose $y_i$ and calculate $c_i = y_i^2 x^{b_i} \bmod N$.
     • The ciphertext is $(c_1, \ldots, c_n)$.
   • Decryption: using the private key $(P, Q)$: $b_i = 0$ iff $c_i$ is a quadratic residue.
   • If $x$ is a residue, then $c_i = y_i^2 x^{b_i}$ is always a residue! Recall that in GM, $x$ is always a non-residue.

6. Talk Plan
   • Tool: Meaningful / Meaningless Encryption
   • Application: Rational Secret Sharing

7. Secret Sharing
   • k-out-of-n secret sharing: a dealer privately distributes shares of a secret $s$ to a group of n players s.t.:
     • Given ≥ k shares, $s$ can be reconstructed.
     • Given < k shares, no info about $s$ can be inferred.
   • Secret sharing assumes that players are either malicious or honest.
   • However, in some situations it makes more sense to view players as rational.
     • $P_i$ tries to maximize a utility (payoff) function $u_i$ describing his gain for any outcome of the protocol.
     • E.g. $P_i$ gets \$100 if he learns the secret: $u_i(P_i \text{ learns secret}) = 100$.

8. Rational Secret Sharing [HT04]
   • Good RSS scheme = Dealing (k-out-of-n share assignment) + Reconstruction (game-theoretically stable: no player can gain from deviating; this is the new requirement).
   • Our model:
     • Players prefer to learn the secret: $u_i(P_i \text{ learns secret}) > u_i(P_i \text{ doesn't learn secret})$.
     • Communicating via a simultaneous broadcast channel (no rushing!).

9. The Crux of Rational Secret Sharing
   • Cryptographic schemes require players to reveal their shares in order to reconstruct the secret.
   • Problem: a rational player has no incentive to cooperate, since no one can punish him later.
     • Keeping silent is at least as good as revealing.
   • Solution:
     • Constructing protocols that proceed in a sequence of iterations.
     • Ensuring that players won’t be able to identify the last iteration. If players are able to identify it, they deviate in the last round. Consequently, they deviate in all the previous rounds as well. This process is called Backward Induction.
     • A player caught cheating is punished in the next iteration.

10. Previous Works
   • Solutions were suggested in [HT04], [GK06], [LT06] and [ADGH06].
     • They deal with more involved models.
     • We’ll see a simplified version of their protocols.

   Our Contribution
   • Show that protocols using computation-based cryptography have a weak point.
   • Suggest a new scheme, using a Meaningful / Meaningless encryption, that overcomes the problem.

11. A Rational Secret Sharing Scheme
   • Dealing: assign $P_i$ a k-out-of-n share of $s$ + authentication info.
   • Reconstruction: in every iteration, players run SFE taking the shares and authentication info as inputs:
     • Check the shares’ authenticity.
     • Abort in case of deviations. (Punishment!)
     • w.p. $\beta$ (TBD) reconstruct and return $s$. (Real iteration.)
     • w.p. $1-\beta$ return. Continue to the next iteration. (Fake iteration.)
   • For a small enough $\beta$, the protocol is stable.
     • Deviations will most likely lead to an early abort.

12. Backward Induction
   • Problem: the SFE of the first iteration can be broken after an exponential number of rounds b.
     • Round b is essentially the last.
     • As before, players deviate if it is reached.
     • Round b-1 is now essentially the last.
     • Players deviate for the same reason.
     • Eventually, the instability in iteration b causes instability from iteration 1.
   • Backward Induction causes exponential events to be amplified.

13. Our Idea
   • As before, an execution of the protocol consists of a sequence of fake iterations followed by a real one, in which the secret is revealed.
   • However, we’ll implement the fake rounds using meaningless keys.
   • Thus, no information about the shares exists in fake rounds.
   • Now, there is no bound on the protocol length, and therefore no Backward Induction!
   • Dealing: as before, except that the authentications are information theoretic.

14. same  as before prob of generating a meaningful key why would players encrypt their true shares? Meaninglesskey  fake iteration Meaningfulkey real iteration Our Reconstruction Protocol In each iteration: Key Gen: New keys for E are generated via (unfair) SFE. • Gives each player pub_key + a shareof priv_key. Encryption: Each player encrypts his share. Ciphertexts are broadcasted. Verification: The encryptions are validated via SFE. • Receives as inputthe shares of priv_key. However, the shares of s are not used. Exchange: Each player broadcasts his share of priv_key. • During the first meaningful iteration the ciphertexts are decrypted using priv_key and s is reconstructed.

15. Additional Results
   • The scheme is naturally resistant to coalitions.
     • The SFEs used are such.
   • Can be generalized to handle rational SFE.
     • Technique: composing Meaningful / Meaningless Encryptions with Yao’s Garbled Circuit.
   • Getting rid of the assumption that the channel is simultaneous, at the cost of longer protocols (linear in the range size).
   • STOC08 paper: characterization of the non-cryptographic case.

16. Thank You!
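
The following Python sketch is an added example, not code from the talk: it implements the Goldwasser-Micali-based construction of slide 5, exposes the exact ciphertext distribution so the property on slide 4 can be checked, and runs the iteration loop of slide 14. Assumptions: toy primes 103 and 107, one fixed (P, Q) for all iterations, SFE steps replaced by trusted function calls, n-out-of-n XOR sharing in place of k-out-of-n, and the verification step omitted; all function names are hypothetical.

```python
import random
from collections import Counter
from itertools import count

# Toy private key (constructed for this example); real keys use large primes.
P, Q, N = 103, 107, 103 * 107
UNITS = [y for y in range(1, N) if y % P and y % Q]

def is_qr(c, p):
    """Euler's criterion: is the unit c a quadratic residue mod the odd prime p?"""
    return pow(c, (p - 1) // 2, p) == 1

def keygen(beta, rng):
    """Public x: meaningful w.p. beta (non-residue mod P and mod Q, the standard
    GM choice, not spelled out on the slide), else meaningless (a square)."""
    meaningful = rng.random() < beta
    while True:
        x = rng.choice(UNITS)
        if not meaningful:
            return x * x % N
        if not is_qr(x, P) and not is_qr(x, Q):
            return x

def encrypt(x, bits, rng):
    """c_i = y_i^2 * x^{b_i} mod N with a fresh random y_i per bit."""
    return [pow(rng.choice(UNITS), 2, N) * pow(x, b, N) % N for b in bits]

def decrypt(cipher):
    """With P known: b_i = 0 iff c_i is a quadratic residue."""
    return [0 if is_qr(c, P) else 1 for c in cipher]

def cipher_distribution(x, b):
    """Exact distribution of the encryption of bit b over all randomness y."""
    return Counter(y * y * pow(x, b, N) % N for y in UNITS)

def xor_share(secret_bits, n, rng):
    """n-out-of-n XOR sharing, n >= 2 (assumed stand-in for k-out-of-n dealing)."""
    shares = [[rng.randrange(2) for _ in secret_bits] for _ in range(n - 1)]
    last = [(b + sum(col)) % 2 for b, col in zip(secret_bits, zip(*shares))]
    return shares + [last]

def reconstruct(shares, beta, rng):
    """Iterate until the first meaningful key; return (iterations, secret bits)."""
    for rounds in count(1):
        x = keygen(beta, rng)                             # Key Gen (SFE modelled as trusted)
        broadcast = [encrypt(x, s, rng) for s in shares]  # Encryption, then broadcast
        if not is_qr(x, P):  # Exchange revealed priv_key; meaningful key: real iteration
            plain = [decrypt(c) for c in broadcast]
            return rounds, [sum(col) % 2 for col in zip(*plain)]
```

Under a meaningless key the two distributions returned by `cipher_distribution(x, 0)` and `cipher_distribution(x, 1)` are equal, so the broadcasts of a fake iteration carry no information about the shares even to a party who later learns P and Q.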