Create Presentation
Download Presentation

Download Presentation

Rational Secret Sharing and Multiparty Computation by J.Halpern and V.Teague

Rational Secret Sharing and Multiparty Computation by J.Halpern and V.Teague

216 Views

Download Presentation
Download Presentation
## Rational Secret Sharing and Multiparty Computation by J.Halpern and V.Teague

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Rational Secret Sharing and Multiparty Computationby**J.Halpern and V.Teague DANSS Colloquium By Prof. Danny Dolev Presented by Rica Gonen**The Rational Secret Sharing Problem**• Shamir’s secret-sharing scheme • allows a player to share a secret s • among n other players, • so that any m of them can reconstruct it. • The idea is: • Player 0 (who wants to share the secret) • Chooses an m-1 degree polynomial f • Tell player i • For i=1,…,n; • is player i’s share of the secret. • Any m players can recover the secret by reconstructing the polynomial • Lagrange interpolation • Any subset of size less than m does not know the secret.**The Rational Secret Sharing Problem (cont)**• The underlying idea of Shamir’s protocol • Of the n players at most n-m are “bad’. • “Bad players might not cooperate • “Good” players will follow the protocol • It guarantees that the bad players cannot stop the good players from reconstructing the secret. • What if there are no “good” and “bad” players but just selfish players? • Selfish players have preferences over outcomes. • They follow the protocol iff following the protocol increases their expected utility.**The Rational Secret Sharing Problem (cont)**• Two assumptions under which Shamir’s scheme breaks: • Assumption (1) • the selfish players preferences are: • Primarily prefers to get the secret to not getting it. • Secondarily prefers that as few as possible of the other players get it. • Assumption (2) • players pool their share of the secret by broadcasting (simultaneously) a message with their share. 6 13 32 34**The Rational Secret Sharing Problem (cont)**• Problem with Shamir’s secret-sharing scheme • Rational players will not broadcast their shares. • Consider player 1’s situation: either m-1 other players broadcast their share, or they don’t. • Whether or not player 1 send the share does not affect whether others send theirs. • If player 1 send her share other players will learn the secret • If player 1 does not send her share either only player 1 learns the secret or no player does.**The Paper results**• Assumption (3) the protocol has a commonly known upper bound on running time • The impossibility result: • Under assumptions (1) and (2) and (3) any (non randomize) protocol for secret sharing reconstruction breaks. • The possibility result: • However such protocol is possible using randomized mechanism with constant expected running time.**Talk Outline**• Technical background and definitions • Dominated strategies • Nash equilibrium • Etc • The impossibility result • Iterated Deletion • Weakly dominated strategies • Good strategies • The possibility result • A randomized practical mechanism for secret sharing • The recommended protocol is a Nash equilibrium**Assumptions**• At each step, a player receives all the messages that were sent to it by other players at the previous step and only then send its messages (possibly non). • The system is synchronous • In each round players decide what messages to send before receiving any messages sent to them. • Communication is guaranteed • Messages takes one round to arrive. • At each step all the players move.**Definitions**• Game for n players is a forest of nodes. • The root nodes of the forest = the initial situations in the game. • The later nodes = the results of the players’ moves. • Local state- a sequence of messages sent and received and a utility function of each player in each node. • Run- path in the forest that starts at a root. • Every run has a tuple associated with it. • Where is player i’s utility if that run is played. • Strategy- for player i is a function from i’s local states to actions. • Joint strategy- is a tuple of strategies, one for each player. • Joint strategy ->distribution over runs -> expected utility for each player.**Definitions (cont)**• Expected utility (for player i)- the sum over the possible runs where for each run player i’s utility for the run is multiplied by the probability of this run. • denoted as if is played. • Weakly dominated strategy- if is a set of strategies for player i • i=1,…,n A strategy is weakly dominated by with respect to if, for some strategy , and for all strategies**Definitions (cont)**• Nash equilibrium- is a Nash equilibrium if for all players i and strategies of player i, • The paper focuses on Nash equilibrium that is determined by iterated deletion of weakly-dominated strategies. • Mechanism- a pair consisting of a game and a joint strategy for that game. • Practical mechanism- is a practical mechanism if is a Nash equilibrium of the game that survived iteration deletion of weakly-dominated strategies.**The Impossibility Result**• Theorem 3.1: If players’ utilities satisfy assumption (1), then there is no practical mechanism for m out of n secret sharing such that is finite and, using , some player learns the secret.**The Impossibility Result Proof Structure**• In general the proof of theorem 3.1 is a backward induction. • First it is argued that no players will send a message in the last round • Then it proceeds to show that no player will send a message k rounds before the last round, for each k. • More precisely: • A family of strategies that reveals useful information is constructed. • The family of strategies is deleted by steps of iterated deletion • No strategy other than the strategies in the family is deleted.**The Family of Strategies Definitions**• Revealing useful information- a strategy for player i reveals useful information at a node v if • There is some strategy for the other players such that reaches v with positive probability. • According to strategy at v player i sends (with positive probability) a share of the secret to player j although: • i does not know if j already has m shares • i does not know if j has the share he is sending. • - if there is a path of length h from v to a leaf in the game tree and there are no paths of length h+1 from v to a leaf in the game tree.**The Family of Strategies Definitions (cont)**• - consist of all strategies for player i in game that reveal useful information at a node v such that • - consist of all strategies for player i at a node v such that • i has m shares • i does not know if all player have m shares • i sends enough shares to all the other player to verify they all have m shares. • More strategies in the family that will not be used in this talk…**Iterated Deletion**• Let for let let let for • Proposition 3.1: Let M be a mechanism for secret sharing. After k steps of iterated deletion, all the strategies in have been deleted; moreover, no deterministic strategy not in has been deleted.**Iterated Deletion**• Proposition 3.1 is proved by induction on k. • The base case (k=1) corresponds to one step of iterated deletion. • Number of lemmas show that all the strategies in are deleted (lemma 3.1), • and number of lemmas show that no deterministic strategy not in is deleted (lemma 3.14).**Weakly Dominated Strategies**• Lemma 3.1: Every strategy in is weakly dominated. Proof: • w.l.g the lemma will be proved for player 1 strategies. • Suppose . • Let be a “bad” action of player 1 at node v’ such that: • Before 1 does not know all players have m shares • After 1 knows that all players have m shares. • leads (with positive probability) to a node v where (with positive probability) 1 performs a “bad” action. • Let T be identical to S except that • If S’s action at v (or v’ that is undistinguishable from v for 1) has positive probability on a “bad” action • Then T has the same positive probability on sending nothing.**Weakly Dominated Strategies (cont)**• It will be shown that T weakly dominates S. • There is a deterministic joint strategy for the other players such that • leads with positive probability to a node v’ • 1 can not distinguish v’ from v. • The other players are lacking exactly the shares that 1 sends them under S • They are silent for all subsequent steps. • Then gives 1 a strictly higher utility than**Weakly Dominated Strategies (cont)**• It will be shown that T is never strictly worse than S for player 1. • Let be a joint strategy for the other players. • The distribution over runs generated by and is identical except that • the probability placed by on runs where 1 performed “bad” action is shifted by • to runs where 1 stopped sending messages starting at the point where it would have performed a “bad” action. • 1 gets the worst utility at runs where a “bad” action is performed • 1’s payoff with must be at least as good as 1’s payoff with .**Good Strategies m=n=3**• Definition 3.1: • For any let the good strategies be any set of pure joint strategies such that • consists of all strategies. • Lemma 3.14: • let (S,S’) result in a lower payoff for player 1 then (T,S’). • Then there exist (S,S’’) that results in a higher payoff for player 1 then (T,S’’). • Where S,T good pure strategies for player 1 • and S’,S’’ good strategies for player 2,and 3**Good Strategies m=n=3**• Since (S,S’) result in a lower payoff for player 1 then (T,S’) • there is some node v reached by (S,S’) and (T,S’) • such that player 1 performs a different action with S than with T. • (one case out of many): • 1 does not have 2 and 3’s shares. • 1 sends different message to 3 using S than using T. • 1 considers it is possible that: • 2 does not have 3’s share. • 3 does not have 1’s share.**Good Strategies m=n=3**• Let v’ be a node where • 2 does not have 3’s share • 3 has only its own share. • Let S’’ be the strategy where • if 2 and 3 receives 1’s message using S then at node v’ • 2 sends 1 its own share, • in the next step 3 sends 1 its own share. • Otherwise S’’ is silent (if 2 and 3 receives 1’s message using T). • S’’ is a good strategy • 2 and 3 don’t have all three shares at the time they are sending a share to 1 • 1 learned all three shares with S but not with T.**A Randomized Practical Mechanism for Secret Sharing. (3 out**of 3) • Like repeated prisoner dilemma the only hope for cooperation lies in uncertainty on the number of moves in the game. • Consider a game where players toss coins. • If a player gets heads he send his share of the secret. • In the next step everyone reveals their coin. • If every one learns the secret, or if someone cheats (had heads but did not send) • Than the game is over • Otherwise the issuer issues new shares of the secret (different polynomial).**A Randomized Practical Mechanism for Secret Sharing. (3 out**of 3) • What are the incentive problems of this mechanism? • Even if it is possible to verify the true toss of every player, • Two problematic points should be looked at: • Is there an incentive for a player that got tails to continue and play. • Is there an incentive for a player that got heads not to send his share (although his lie can be reveled)? • Answers: • If he got tails and the other two players got heads, he learned the secret and surly will not continue to play.**A Randomized Practical Mechanism for Secret Sharing. (3 out**of 3) • Answers: 2. The probability of the other two players to get heads (and send the secret) is ¼. • So the probability for player 1 of learning the secret by himself in the first round is ¼. • While the probability that the other two players do not both get heads is ¾. • So the probability for player 1 for not learning the secret at all (not in the first round and then the game is stopped because player 1 cheated) is ¾. • If (only 1 learns the secret)+ (no one learns the secret)< (everyone learns the secret) player 1 will not cheat. • Either player utilities satisfy the above formula or the probability of heads can modified appropriately.**A Randomized Practical Mechanism for Secret Sharing. (3 out**of 3) • For , let denote , except is 1. let denote , except is 3. • A bit with probability , with probability • A bit with probability ½. • Let**The Protocol M( ):**• The issuer sends each player a share of the secret. • Each player i chooses a bit and a bit and sends to , to . (i should receive from and from ). • Each player i sends to (i should receive from ). • Each player i computes . . if then player i sends its share to the others.**The Protocol M( ):**5. If p=0 and i received no secret shares then the issuer is asked to restart the protocol otherwise, i stops the protocol for cheating. if p=1 and i received 1 share (possibly from itself) then the issuer is asked to restart the protocol otherwise, if i got 2 shares i stops the protocol (learned the secret) if i got no shares i stops the protocol for cheating. • If at stage 2 player i does not get a bit from and he stops the protocol. • If at stage 3 player i does not get a bit from he stops the protocol. • 001 • 010 • 100 • 111**The Possibility Result (m=n=3)**• Theorem 3.2: For all utility functions satisfying (1), if , there exist an such that M( ) is a practical mechanism for m out of n secret sharing for all • Proof: Who learns the secret if all the players follow the protocol? • Player i sends its secret iff and • all players learn the secret with probability • and no one learns the secret with probability • If no player sends its share. • Answer: either all players learn the secret, or no player does.**Cheating at step 4:**• Player i can cheat by not sending its share when it should. • If i gains with conditional probability • If i loses with conditional probability • i can not influence these probabilities • Each player j chooses its bit independently. • A rational player i will cheat only if: • (4) (only i learns the secret)+ (no one learns the secret) > (everyone learns the secret)**Cheating at step 4: (cont)**• If follows from (1) that (5) (only i learns the secret) > (everyone learns the secret) > (no one learns the secret) • It can be concluded from (5) that there exist some such that for all i and all (4) does not hold. • If then no player has any incentive to cheat at step 4.**Cheating at steps 3:**• If cheating is by not sending a bit then it would be detected by the player missing the bit. • If cheating is to send the wrong bit then may incorrectly compute • i can not get more than one share: • If p=1 and will not send his share. • If p=0 and will not send his share.**Cheating at step 2:**• If cheating is by not sending a bit then it would be detected by the player missing the bit. • If cheating is to send the wrong bits • It is equivalent to player i changing the distribution with which and are chosen. • But it does not affect the probabilities in (4) • Thus cheating in steps 2,3, and 4 is not a dominant strategy and the recommended protocol in M( ) is a Nash equilibrium for