Rational Secret Sharing and Multiparty Computationby J.Halpern and V.Teague DANSS Colloquium By Prof. Danny Dolev Presented by Rica Gonen
The Rational Secret Sharing Problem • Shamir’s secret-sharing scheme • allows a player to share a secret s • among n other players, • so that any m of them can reconstruct it. • The idea is: • Player 0 (who wants to share the secret) • Chooses an m-1 degree polynomial f • Tell player i • For i=1,…,n; • is player i’s share of the secret. • Any m players can recover the secret by reconstructing the polynomial • Lagrange interpolation • Any subset of size less than m does not know the secret.
The Rational Secret Sharing Problem (cont) • The underlying idea of Shamir’s protocol • Of the n players at most n-m are “bad’. • “Bad players might not cooperate • “Good” players will follow the protocol • It guarantees that the bad players cannot stop the good players from reconstructing the secret. • What if there are no “good” and “bad” players but just selfish players? • Selfish players have preferences over outcomes. • They follow the protocol iff following the protocol increases their expected utility.
The Rational Secret Sharing Problem (cont) • Two assumptions under which Shamir’s scheme breaks: • Assumption (1) • the selfish players preferences are: • Primarily prefers to get the secret to not getting it. • Secondarily prefers that as few as possible of the other players get it. • Assumption (2) • players pool their share of the secret by broadcasting (simultaneously) a message with their share. 6 13 32 34
The Rational Secret Sharing Problem (cont) • Problem with Shamir’s secret-sharing scheme • Rational players will not broadcast their shares. • Consider player 1’s situation: either m-1 other players broadcast their share, or they don’t. • Whether or not player 1 send the share does not affect whether others send theirs. • If player 1 send her share other players will learn the secret • If player 1 does not send her share either only player 1 learns the secret or no player does.
The Paper results • Assumption (3) the protocol has a commonly known upper bound on running time • The impossibility result: • Under assumptions (1) and (2) and (3) any (non randomize) protocol for secret sharing reconstruction breaks. • The possibility result: • However such protocol is possible using randomized mechanism with constant expected running time.
Talk Outline • Technical background and definitions • Dominated strategies • Nash equilibrium • Etc • The impossibility result • Iterated Deletion • Weakly dominated strategies • Good strategies • The possibility result • A randomized practical mechanism for secret sharing • The recommended protocol is a Nash equilibrium
Assumptions • At each step, a player receives all the messages that were sent to it by other players at the previous step and only then send its messages (possibly non). • The system is synchronous • In each round players decide what messages to send before receiving any messages sent to them. • Communication is guaranteed • Messages takes one round to arrive. • At each step all the players move.
Definitions • Game for n players is a forest of nodes. • The root nodes of the forest = the initial situations in the game. • The later nodes = the results of the players’ moves. • Local state- a sequence of messages sent and received and a utility function of each player in each node. • Run- path in the forest that starts at a root. • Every run has a tuple associated with it. • Where is player i’s utility if that run is played. • Strategy- for player i is a function from i’s local states to actions. • Joint strategy- is a tuple of strategies, one for each player. • Joint strategy ->distribution over runs -> expected utility for each player.
Definitions (cont) • Expected utility (for player i)- the sum over the possible runs where for each run player i’s utility for the run is multiplied by the probability of this run. • denoted as if is played. • Weakly dominated strategy- if is a set of strategies for player i • i=1,…,n A strategy is weakly dominated by with respect to if, for some strategy , and for all strategies
Definitions (cont) • Nash equilibrium- is a Nash equilibrium if for all players i and strategies of player i, • The paper focuses on Nash equilibrium that is determined by iterated deletion of weakly-dominated strategies. • Mechanism- a pair consisting of a game and a joint strategy for that game. • Practical mechanism- is a practical mechanism if is a Nash equilibrium of the game that survived iteration deletion of weakly-dominated strategies.
The Impossibility Result • Theorem 3.1: If players’ utilities satisfy assumption (1), then there is no practical mechanism for m out of n secret sharing such that is finite and, using , some player learns the secret.
The Impossibility Result Proof Structure • In general the proof of theorem 3.1 is a backward induction. • First it is argued that no players will send a message in the last round • Then it proceeds to show that no player will send a message k rounds before the last round, for each k. • More precisely: • A family of strategies that reveals useful information is constructed. • The family of strategies is deleted by steps of iterated deletion • No strategy other than the strategies in the family is deleted.
The Family of Strategies Definitions • Revealing useful information- a strategy for player i reveals useful information at a node v if • There is some strategy for the other players such that reaches v with positive probability. • According to strategy at v player i sends (with positive probability) a share of the secret to player j although: • i does not know if j already has m shares • i does not know if j has the share he is sending. • - if there is a path of length h from v to a leaf in the game tree and there are no paths of length h+1 from v to a leaf in the game tree.
The Family of Strategies Definitions (cont) • - consist of all strategies for player i in game that reveal useful information at a node v such that • - consist of all strategies for player i at a node v such that • i has m shares • i does not know if all player have m shares • i sends enough shares to all the other player to verify they all have m shares. • More strategies in the family that will not be used in this talk…
Iterated Deletion • Let for let let let for • Proposition 3.1: Let M be a mechanism for secret sharing. After k steps of iterated deletion, all the strategies in have been deleted; moreover, no deterministic strategy not in has been deleted.
Iterated Deletion • Proposition 3.1 is proved by induction on k. • The base case (k=1) corresponds to one step of iterated deletion. • Number of lemmas show that all the strategies in are deleted (lemma 3.1), • and number of lemmas show that no deterministic strategy not in is deleted (lemma 3.14).
Weakly Dominated Strategies • Lemma 3.1: Every strategy in is weakly dominated. Proof: • w.l.g the lemma will be proved for player 1 strategies. • Suppose . • Let be a “bad” action of player 1 at node v’ such that: • Before 1 does not know all players have m shares • After 1 knows that all players have m shares. • leads (with positive probability) to a node v where (with positive probability) 1 performs a “bad” action. • Let T be identical to S except that • If S’s action at v (or v’ that is undistinguishable from v for 1) has positive probability on a “bad” action • Then T has the same positive probability on sending nothing.
Weakly Dominated Strategies (cont) • It will be shown that T weakly dominates S. • There is a deterministic joint strategy for the other players such that • leads with positive probability to a node v’ • 1 can not distinguish v’ from v. • The other players are lacking exactly the shares that 1 sends them under S • They are silent for all subsequent steps. • Then gives 1 a strictly higher utility than
Weakly Dominated Strategies (cont) • It will be shown that T is never strictly worse than S for player 1. • Let be a joint strategy for the other players. • The distribution over runs generated by and is identical except that • the probability placed by on runs where 1 performed “bad” action is shifted by • to runs where 1 stopped sending messages starting at the point where it would have performed a “bad” action. • 1 gets the worst utility at runs where a “bad” action is performed • 1’s payoff with must be at least as good as 1’s payoff with .
Good Strategies m=n=3 • Definition 3.1: • For any let the good strategies be any set of pure joint strategies such that • consists of all strategies. • Lemma 3.14: • let (S,S’) result in a lower payoff for player 1 then (T,S’). • Then there exist (S,S’’) that results in a higher payoff for player 1 then (T,S’’). • Where S,T good pure strategies for player 1 • and S’,S’’ good strategies for player 2,and 3
Good Strategies m=n=3 • Since (S,S’) result in a lower payoff for player 1 then (T,S’) • there is some node v reached by (S,S’) and (T,S’) • such that player 1 performs a different action with S than with T. • (one case out of many): • 1 does not have 2 and 3’s shares. • 1 sends different message to 3 using S than using T. • 1 considers it is possible that: • 2 does not have 3’s share. • 3 does not have 1’s share.
Good Strategies m=n=3 • Let v’ be a node where • 2 does not have 3’s share • 3 has only its own share. • Let S’’ be the strategy where • if 2 and 3 receives 1’s message using S then at node v’ • 2 sends 1 its own share, • in the next step 3 sends 1 its own share. • Otherwise S’’ is silent (if 2 and 3 receives 1’s message using T). • S’’ is a good strategy • 2 and 3 don’t have all three shares at the time they are sending a share to 1 • 1 learned all three shares with S but not with T.
A Randomized Practical Mechanism for Secret Sharing. (3 out of 3) • Like repeated prisoner dilemma the only hope for cooperation lies in uncertainty on the number of moves in the game. • Consider a game where players toss coins. • If a player gets heads he send his share of the secret. • In the next step everyone reveals their coin. • If every one learns the secret, or if someone cheats (had heads but did not send) • Than the game is over • Otherwise the issuer issues new shares of the secret (different polynomial).
A Randomized Practical Mechanism for Secret Sharing. (3 out of 3) • What are the incentive problems of this mechanism? • Even if it is possible to verify the true toss of every player, • Two problematic points should be looked at: • Is there an incentive for a player that got tails to continue and play. • Is there an incentive for a player that got heads not to send his share (although his lie can be reveled)? • Answers: • If he got tails and the other two players got heads, he learned the secret and surly will not continue to play.
A Randomized Practical Mechanism for Secret Sharing. (3 out of 3) • Answers: 2. The probability of the other two players to get heads (and send the secret) is ¼. • So the probability for player 1 of learning the secret by himself in the first round is ¼. • While the probability that the other two players do not both get heads is ¾. • So the probability for player 1 for not learning the secret at all (not in the first round and then the game is stopped because player 1 cheated) is ¾. • If (only 1 learns the secret)+ (no one learns the secret)< (everyone learns the secret) player 1 will not cheat. • Either player utilities satisfy the above formula or the probability of heads can modified appropriately.
A Randomized Practical Mechanism for Secret Sharing. (3 out of 3) • For , let denote , except is 1. let denote , except is 3. • A bit with probability , with probability • A bit with probability ½. • Let
The Protocol M( ): • The issuer sends each player a share of the secret. • Each player i chooses a bit and a bit and sends to , to . (i should receive from and from ). • Each player i sends to (i should receive from ). • Each player i computes . . if then player i sends its share to the others.
The Protocol M( ): 5. If p=0 and i received no secret shares then the issuer is asked to restart the protocol otherwise, i stops the protocol for cheating. if p=1 and i received 1 share (possibly from itself) then the issuer is asked to restart the protocol otherwise, if i got 2 shares i stops the protocol (learned the secret) if i got no shares i stops the protocol for cheating. • If at stage 2 player i does not get a bit from and he stops the protocol. • If at stage 3 player i does not get a bit from he stops the protocol. • 001 • 010 • 100 • 111
The Possibility Result (m=n=3) • Theorem 3.2: For all utility functions satisfying (1), if , there exist an such that M( ) is a practical mechanism for m out of n secret sharing for all • Proof: Who learns the secret if all the players follow the protocol? • Player i sends its secret iff and • all players learn the secret with probability • and no one learns the secret with probability • If no player sends its share. • Answer: either all players learn the secret, or no player does.
Cheating at step 4: • Player i can cheat by not sending its share when it should. • If i gains with conditional probability • If i loses with conditional probability • i can not influence these probabilities • Each player j chooses its bit independently. • A rational player i will cheat only if: • (4) (only i learns the secret)+ (no one learns the secret) > (everyone learns the secret)
Cheating at step 4: (cont) • If follows from (1) that (5) (only i learns the secret) > (everyone learns the secret) > (no one learns the secret) • It can be concluded from (5) that there exist some such that for all i and all (4) does not hold. • If then no player has any incentive to cheat at step 4.
Cheating at steps 3: • If cheating is by not sending a bit then it would be detected by the player missing the bit. • If cheating is to send the wrong bit then may incorrectly compute • i can not get more than one share: • If p=1 and will not send his share. • If p=0 and will not send his share.
Cheating at step 2: • If cheating is by not sending a bit then it would be detected by the player missing the bit. • If cheating is to send the wrong bits • It is equivalent to player i changing the distribution with which and are chosen. • But it does not affect the probabilities in (4) • Thus cheating in steps 2,3, and 4 is not a dominant strategy and the recommended protocol in M( ) is a Nash equilibrium for