Game Theory and Cryptography

Game Theory and Cryptography 1 / 47
Game Theory and Cryptography
Nebojsa Milosavljevic, Anupam Prakash
Department of Electrical Engineering and Computer Sciences

University of California, Berkeley
March 10, 2009
UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Game Theory and Cryptography > Introduction 2 / 47
Introduction
• Interaction between game theory and cryptography:
• Cryptography → Game Theory

Implementation of correlated equilibrium in the absence of a trusted
mediator.

Game Theory and Cryptography > Introduction 2 / 47
Introduction
• Interaction between game theory and cryptography:
• Cryptography → Game Theory

Implementation of correlated equilibrium in the absence of a trusted
mediator.
• Game Theory → Cryptography

Instead of having agents follow a cryptographic protocol blindly, what
happens if the agents are rational and attempt to maximize their
payoffs?

Game Theory and Cryptography > Multi Party Computation 3 / 47
Multi Party Computation
• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.


• Input ti is with player i.


• The information learnt by player i at the end of the protocol must
be (ti , s).


be (ti , s).
• Probabilistic: s = f (t1 , t2 , · · · , tn , r).


be (ti , s).
• Multi-output: f (t1 , t2 , · · · , tn , r) = (s1 , s2 , · · · , sn ).


be (ti , s).
• No trusted party, honest but curious and malicious adversaries.


be (ti , s).
• No trusted party, honest but curious and malicious adversaries.
• General adversary: controls k < n players.

Example: Distrustful Millionaires
Who is the World’s Richest Duck?

Example: Mental Games
Playing bridge with additional information

Example: Mental Games
Playing bridge with additional information

Removing God in Mafia

Security of MPC
• Intuition: Outputs of the real protocol should be indistinguishable

from the outputs when a trusted party is present.

Security of MPC

• A: Adversary controlling k < n players in real model. (A0 in ideal
model)

Security of MPC

model)
• t: Input vector.

Security of MPC

model)
• REALA,π (t): Outputs of honest players and adversary A under π.

Security of MPC

model)
0
• IDEALA0 (t): Outputs of honest players and adversary A with
trusted party.

Security of MPC

model)
0
• IDEALA0 (t): Outputs of honest players and adversary A with
trusted party.
• For every input vector t, REALA,π (t) ≈ IDEALA0 (t).

Weaker notions of security
• This definition guarantees output delivery as outputs of the

honest players are included in REALA,π (t).


0
• If A can get the protocol aborted in the presence of a trusted
party, the guarantee obtained is fairness.


0
• Fairness: If the output is revealed to some parties, all honest
parties eventually receive the output.


0
• Weakest guarantee: Correctness and privacy.


0
• Guaranteed Output Delivery > Fairness > Correctness and Privacy


0
• Guaranteed Output Delivery > Fairness > Correctness and Privacy
• Issues: Indistinguishability, communication model.

Indistinguishability
• All communication, computation is polynomial in λ, the security

parameter.


parameter.
• Notions of indistinguishability between distributions p and q.


parameter.
• Perfect: The two distributions are the same.


parameter.
• Statistical: Statistical distance between the distributions
P
(1/2 x |p(x) − q(x)|) is negligible.


parameter.
• Statistical: Statistical distance between the distributions
P
(1/2 x |p(x) − q(x)|) is negligible.
• Computational: A computationally bounded adversary can not
distinguish between p and q with non-negligible probability.

Communication
• Secure and authenticated channels for communication between

two players.

Communication

two players.
• Broadcast channels: When a message is broadcast, everybody
receives the same message. (Reason!)

Communication

two players.
Definition
Envelopes must satisfy the following properties:
a) Value contained in envelope is hidden until it is opened.
b) Envelope can be opened only by the person who possesses it.
c) Encelope can not be opened in secret and resealed.

Communication

two players.
Definition
Envelopes must satisfy the following properties:
a) Value contained in envelope is hidden until it is opened.
b) Envelope can be opened only by the person who possesses it.
c) Encelope can not be opened in secret and resealed.
• Ballot Boxes: A device to randomize a sequence of envelopes.

MPC Results
• Table 1: Computationally Bounded Adversary

Adversary Guarantee Communication
k < n/2 output delivery broadcast

MPC Results

k<n correctness privacy broadcast

MPC Results

k<n fairness envelopes

MPC Results

• Table 2: Computationally Unbounded Adversary
k < n/3 output delivery secure channel

MPC Results

k < n/2 output delivery (error) broadcast

MPC Results

k < n/2 output delivery (error) broadcast
k<n output delivery ballot boxes

How is it done?
• Secret sharing: Choose a polynomial p(x) of degree k over the

finite field Fq . Player i gets (ai , p(ai )), where ai 6= 0. The secret
is the constant term of p(x).

How is it done?

• A group of k parties can not recover any information about the
secret, while a group of k + 1 can recover it completely.

How is it done?

• Computation is carried out gate by gate in the secret share
representation. (Imprecise, read ‘How to play any mental game’-
GMW).

How is it done?

GMW).
• Oblivious transfer, attend last few lectures of the cryptography
class to know more.

How is it done?

GMW).
• Oblivious transfer, attend last few lectures of the cryptography
class to know more.
• Finally everybody broadcasts the secret shares corresponding to
the output.

Game Theory and Cryptography > Correlated Equilibria 12 / 47
Correlated Equilibrium

• Definition
A correlated equilibrium is a distribution D over strategies such that
Es∼D|si [ui (si , s−i )] ≥ Es∼D|si [ui (s∗i , s−i )] for all players i and all
alternative strategies s∗i .

• Definition
• Privacy of the strategies revealed to the players is essential by

definition.

• Definition

definition.
• Better payoffs than Nash, computable in polynomial time for
normal form games.

• Definition

definition.
normal form games.
• Tractable for several types of succinct games. (P-05).

• Definition

definition.
normal form games.
• Tractable for several types of succinct games. (P-05).
• Would make Nash redundant, if we could implement it without a
trusted mediator.

Ways to remove the mediator
• We will see two approaches to the removal of the mediator.

Simulating MPC
The players run an M P C protocol in the preamble that performs the
computation f (t1 , t2 , · · · , tn , r) = (s1 , s2 , · · · , sn ) previously carried
out by the mediator.

Simulating MPC
The players run an M P C protocol in the preamble that performs the
computation f (t1 , t2 , · · · , tn , r) = (s1 , s2 , · · · , sn ) previously carried
out by the mediator.
Verifiable Mediator
The trusted mediator is replaced by a verifiable device, which carries
out computation in public while maintaining privacy.

Games of incomplete information
• Each player has type ti selected from a publicly known

distribution of types T .


• Mediator M takes as input the types ti of the players. Outputs a
sample from the strategy profile.


• Canonical strategy: Send type to mediator and follow the
recommended action.


recommended action.
• Players may send wrong types or not send types at all. M must
have sampling strategies for ti ∈ Ti ∪ ⊥.


recommended action.
• Extended Games: ‘Cheap talk’ phase preceding the game when
players can communicate in some model. Then the original game
is played.


recommended action.
• Extended Games: ‘Cheap talk’ phase preceding the game when
players can communicate in some model. Then the original game
is played.
• We need an equilibrium concept for games where players might
collude.
Computational Nash Equilibrium
• All communication and computation in the extended game to be

done in poly(λ).


done in poly(λ).
• Cheap talk phase modulo a hard cryptographic problem.


done in poly(λ).
• Cheap talk phase modulo a hard cryptographic problem.
Definition
A computational nash equilibrium is set of strategies (x1 , x2 , · · · , xn )
each one efficiently computable such that ui (xi , x−i ) ≥ ui (x∗i , x−i ) −
for all players i and efficient alternative strategies x∗i .

k-resilient equilibria

• Definition
A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we have
Ex∼D|xC [ui (xC , x−C )] ≥ Ex∼D|xC [ui (xC ∗, x−C )] for all players i ∈ C
and for all alternative strategies x∗C .

• Definition
• Deviation not beneficial for even one player out of k.

• Definition

• Ex ante: (Before the event) Collusion before M sends out
strategies.

• Definition

strategies.
• Interim: The colluding players can see xC and then decide
alternative strategies.

• Definition

strategies.
• Interim: The colluding players can see xC and then decide
alternative strategies.
• Ex ante weaker than interim.

MPC to remove mediator

• Theorem
If x is a k-resilient CE for a game specified by function f , and π is a
M P C protocol (output delivery) secure against upto k parties, then
running π in the preamble yields a k-resilient CE for the extended
game with the same payoffs as x.

• Theorem
• k-resilient equilibrium is a ‘strong’ equilibrium concept. Result

also valid for realizing weaker equilibria.

• Theorem

• Fair M P C: If it terminates, it is the same as output delivery.
Assume that deviating party can be detected.

• Theorem

• The deviating parties in each run are thrown out and the protocol
continues without them.

• Theorem

• The deviating parties in each run are thrown out and the protocol
continues without them.
• With a correct and private M P C, if k = 1 other players can
decide to punish the deviating player. No solution for k > 1.
Directions
Other Equilibrium concepts

N E for extended games allows empty threats. Equilibrium concepts
such as sub game perfect equilibria or sequential equilibria need to be
formally defined in the computational setting relevant for
cryptographic protocols.

Directions
Other Equilibrium concepts

N E for extended games allows empty threats. Equilibrium concepts
such as sub game perfect equilibria or sequential equilibria need to be
formally defined in the computational setting relevant for
cryptographic protocols.
Collusion free protocols

Secure cryptographic protocols must use randomness, and this leads to
the possibility of steganography. LMS show how to realize protocols
eliminating the possibility of steganography during execution, using
envelopes and broadcast channels. Simulation of ex-ante equilibria?

Game Theory and Cryptography > Perfect Implementation 19 / 47
Perfect Implementation
• Game: Players, strategies, payoffs.


• Mechanism: Actions, the way actions lead to payoffs.


• Implementing a Vickrey auction:


• Players hand bids to M who computes in private and reveals
outcome. Complete trust and complete privacy.


• Players hand bids to M who makes the bids public. No trust and
no privacy.


• Players hand bids to M who makes the bids public. No trust and
no privacy.
• Want a verifiable mediator providing complete privacy!

Imperfect Implementations
• M : Mechanism with trusted mediator.


0
• Implementation M has an equilibrium corresponding to every
equilibrium of M .


0
equilibrium of M.
9, 6 −∞ −∞ −∞
−∞ 6, 9 −∞ −∞
•
−∞ −∞ 4,4 1,5
−∞ −∞ 5,1 −∞


0
equilibrium of M .
9, 6 −∞ −∞ −∞
−∞ 6, 9 −∞ −∞
•
−∞ −∞ 4,4 1,5
−∞ −∞ 5,1 −∞
• This is a correlated equilibrium. Explain.


0
equilibrium of M .
9, 6 −∞ −∞ −∞
−∞ 6, 9 −∞ −∞
•
−∞ −∞ 4,4 1,5
−∞ −∞ 5,1 −∞
• Implementation: Player 1 puts the five strategies into envelopes,
shuffles and player 2 chooses.


0
equilibrium of M .
9, 6 −∞ −∞ −∞
−∞ 6, 9 −∞ −∞
•
−∞ −∞ 4,4 1,5
−∞ −∞ 5,1 −∞
• The two players can come to an agreement so that only the first
two strategies get chosen.


0
equilibrium of M .
9, 6 −∞ −∞ −∞
−∞ 6, 9 −∞ −∞
•
−∞ −∞ 4,4 1,5
−∞ −∞ 5,1 −∞
• The two players can come to an agreement so that only the first
two strategies get chosen.
• Against the interests of the society! Will not happen with the
mediator.
0
• There is a bijection between the equilibria of M and the
equilibria of M .

0
equilibria of M .
• Example: Four player, two strategy game.

0
equilibria of M .
• Payoffs: (a, a, a, a) = (0, 1, 0, 1), (b, b, b, b) = (1, 0, 1, 0),
(a, b, a, b) = (10, 10, −100, −100), −∞ for all other strategies.
The CE?

0
equilibria of M .
The CE?
• Implementation: A and B flip a coin. Send outcome to C and D.

0
equilibria of M .
The CE?
• A and B control the game!

0
equilibria of M .
The CE?
• A and B control the game!
• We require that the information available to a subset of players in
0
a run of M is the same as the information available in a run of
M.

Properties of a perfect implementation
• The mediator is verifiable.


• Strategic Equivalence: For all players i there is a bijection φi
0
between strategies in M and M such that
ui (m1 , m2 , · · · , mn ) = ui (φ1 (m1 ), φ2 (m2 ), · · · , φn (mn )).


0
• Privacy Equivalence: For all subsets of players and any strategy
profile m = (m1 , m2 , · · · , mn ) the information available while
playing m in M equals the information available while playing
0
φ(m) in M .


0
• Privacy Equivalence: For all subsets of players and any strategy
profile m = (m1 , m2 , · · · , mn ) the information available while
playing m in M equals the information available while playing
0
φ(m) in M .
• Strategic equivalence ensures that all properties pertaining to
equilibria are preserved while privacy equivalence ensures no
subset of the players has any extra advantage.

Remarks
• This cannot be achieved through broadcast channels only.

(Aumann-Hart)

Remarks

(Aumann-Hart)
• Envelopes and ballot boxes: Used in elections for verifiable and
private computation of the tally function. They are universal!

Remarks

(Aumann-Hart)
• Moreover if M requires k steps of computation, the perfect
implementation will require ck steps of computation.

Remarks

(Aumann-Hart)
• Moreover if M requires k steps of computation, the perfect
implementation will require ck steps of computation.
• Can envelopes and ballot boxes be realized by cryptographic
primitives? Can they be replaced by realizable primitives?

Operations on Envelopes
• Publicly create an envelope E with content c.


• Publicly open an envelope E to reveal c.


• Publicly create a super-envelope containing envelopes
E1 , E2 , · · · , En .


E1 , E2 , · · · , En .
• Publicly open super-envelope.


E1 , E2 , · · · , En .
• Ballot box envelopes E1 , E2 , · · · , En to obtain randomly
0 0 0
permuted envelopes E1 , E2 , · · · , En .


E1 , E2 , · · · , En .
0 0 0
• Destroy ballots publicly.


E1 , E2 , · · · , En .
0 0 0
• Destroy ballots publicly.
• n = 5 will be sufficient for universal computation.

Verifiable mediator and computer
• Input: Sequence of ballots S, public record s.


• Output: Next operation to be performed on the ballots.


• Verifiable computation of g : X n → Y on disjoint ballots
S1 , S2 , · · · , Sn encoding the inputs xi guarantees:


• Privacy: Each public record is an element from S5 chosen
uniformly at random.


• Privacy: Each public record is an element from S5 chosen
uniformly at random.
• Correctness: The content of the final sequence of ballots is
g(x1 , x2 , · · · , xn ).

Universal Computation with Ballots
• Permutation Inverse

• Input: Envelopes A1 , A2 , · · · , A5 containing permutation σ.

• Output: Envelopes B1 , B2 , · · · , B5 containing σ −1 .

• Publicly make B = I and pack (A, B) = (σ, I) into five
super-envelopes.

super-envelopes.
• Ballot box to get (τ σ, τ ). Open the envelopes A to reveal τ σ
publicly.

super-envelopes.
• Ballot box to get (τ σ, τ ). Open the envelopes A to reveal τ σ
publicly.
• (τ σ)−1 ◦ τ = σ −1 .

• Permutation Product

• Input: Envelopes A, B containing σ, τ .

• Output: Envelopes containing στ .

• Obtain envelopes D containing σ −1 by previous algorithm.

• Pack (D, B) = (σ −1 , τ ) into five super-envelopes.

• Ballot box to get (ρσ −1 , ρτ ). Open B to reveal ρσ −1 publicly.

• Ballot box to get (ρσ −1 , ρτ ). Open B to reveal ρσ −1 publicly.
• (ρσ −1 )−1 ◦ ρτ = στ .

• Permutation Clone

• Input: Envelopes A containing σ.

• Output: Envelopes B, C containing σ.

• Publicly create B, C = I. Obtain envelopes D containing σ −1 .

• Pack (D, B, C) = (σ −1 , I, I) into five super-envelopes.

• Ballot box to get (τ σ −1 , τ, τ ). Open A to reveal τ σ −1 publicly.

• Ballot box to get (τ σ −1 , τ, τ ). Open A to reveal τ σ −1 publicly.
• (τ σ −1 )−1 ◦ τ = σ.

Universal Computation over S5
• Magic! Barrington

• 0 = 12345, 1 = 12453.

• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435

• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.

• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Fanout: Use clone.

• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Randomness: Create two envelopes with contents 0 and 1. Ballot
box and destroy one of them.

• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Randomness: Create two envelopes with contents 0 and 1. Ballot
box and destroy one of them.
• This is a universal set of primitives.

• Encode strategies, types as S5 bits.


• Execute a verifiable ballot computer on these inputs.


• Open the final results publicly.


• Strategy equivalence: Obvious payoff preserving bijection.


• Strategy equivalence: Obvious payoff preserving bijection.
• Privacy equivalence: All that is revealed in an execution is a
sequence of random permutations.

Privately Aborting Strategies
• Problem: To verify that the input A sent by a player is a valid

encoding of a bit.


encoding of a bit.
• Execute algorithm for A−1 . A is a permutation iff. the public
record (τ.σ for a random τ ) is a permutation.


encoding of a bit.
• Create two copies B, C of A. Apply Not to C.


encoding of a bit.
• Pack B and C into one super-envelope each and ballot box the
super-envelopes.


encoding of a bit.
• Pack B and C into one super-envelope each and ballot box the
super-envelopes.
• Open one of the super-envelopes. This should be a valid encoding
of a bit but does not reveal any information.

Game Theory and Cryptography > Rationalizing MPC 32 / 47
MPC with rational players
• Cryptography assumes that all players are honest/malicious.


• What happens when the MPC players are rational instead?


• Payoffs: Correctness, Exclusivity, Privacy, Voyeurism.


• Let us first consider correctness > exclusivity model.


• Let us first consider correctness > exclusivity model.
• Loss of correctness outweighs gain due to exclusivity.

Function Evaluation Game
• Canonical Strategy: Send inputs to mediator, mediator sends

answer.


answer.
• Payoffs: a for correctness, a + b for exclusivity, 0 otherwise.


answer.
• Question: Is the canonical strategy a correlated equilibrium?


answer.
• A function is Non Cooperatively Computable (NCC) if the
canonical strategy is a correlated equilibrium.


answer.
• A function is Non Cooperatively Computable (NCC) if the
canonical strategy is a correlated equilibrium.
• In the player’s interests to report correct values.

Function that are not NCC
• Dominated: OR function, value fixed by input of some player.


• Reversible: Parity function, player can flip value and still manage
to compute the function.


Theorem
A function is NCC if and only if it is not dominated or reversible.


Theorem
• k − N CC: Canonical strategy a k-resilient CE.


Theorem

• OPEN: Rationalizing computation of non N CC functions.


Theorem

• OPEN: Rationalizing computation of non N CC functions.
• If the function is k − N CC then the M P C protocol
implementing it can be made rational.

Game Theory and Cryptography > Game Theoretic Influence on Cryptography 35 / 47
Problem Overview

Problem Overview
• The classical problem of t-out-of-n secret sharing involves a

“dealer” D who wishes to entrust a secret s to a group of n
players P1 , ..., Pn so that
1 any group of t or more players can reconstruct the secret without
further intervention of the dealer.
2 any group of fewer than t players has no information about the
secret.

Problem Overview
• The classical problem of t-out-of-n secret sharing involves a

“dealer” D who wishes to entrust a secret s to a group of n
players P1 , ..., Pn so that
1 any group of t or more players can reconstruct the secret without
further intervention of the dealer.
2 any group of fewer than t players has no information about the
secret.
• Equivalently, at least t players are honest but up to n − t players
may be arbitrarily malicious.

Shamir’s Scheme

Shamir’s Scheme
• Assume that secret s lies in a finite field F, with |F| > n.

Shamir’s Scheme
• The dealer chooses a random polynomial f (x) of degree at most

t − 1 subject to the constraint f (0) = s, and gives the “share”
f (i) to player Pi (for i = 1, ..., n).

Shamir’s Scheme

• Any set of t players can recover f (x) (and hence s) by

broadcasting their shares and interpolating the polynomial.

Shamir’s Scheme

• Any set of t players can recover f (x) (and hence s) by

broadcasting their shares and interpolating the polynomial.
• No set of fewer than t players can deduce any information about s.

Problem Statement - Halpern and Teague
• Players are neither completely honest nor arbitrarily malicious, but

instead they are assumed to be rational.


• Depending on the utility functions of the players, Shamir’s
protocol may no longer succeed in this scenario.


• Assume that all players prefer to learn the secret above all else,
but otherwise prefer that the fewest number of other players learn
the secret. Consider player P1 :


• If strictly fewer than t − 1 other players reveal their shares to the
rest of the group, then no one learns the secret regardless of
whether player P1 reveals his share or not.


• If more than t − 1 players reveal their shares, then everyone learns
the secret and P1 ’s action again have no effect.


• If more than t − 1 players reveal their shares, then everyone learns
the secret and P1 ’s action again have no effect.
• If exactly t − 1 other players reveal their shares, then P1 learns the
secret (using his share) but P1 can prevent other players from
learning the secret by not publicly revealing his share.
Definitions for Rational Sharing
• At the beginning of each iteration, D distributes some information

(privately) to each of the n players.


• During an iteration, the dealer does not take part in the protocol.


• Instead, some set of t∗ ≥ t players, all of whom are assumed to be
rational, run the protocol amongst themselves by simultaneously
broadcasting messages in a series of rounds.


• There is no private communication between the players.


• We assume that the same set of t∗ players runs the protocol in
every iteration.


every iteration.
• The dealer is honest and follows the protocol as specified.


every iteration.
• The dealer is honest and follows the protocol as specified.
• If t∗ ≥ t players follow the protocol in each iteration, then the
secret is eventually reconstructed.

• Let σi denote the strategy employed by player Pi , and let

σ = (σ1 , ..., σn ) denote the vector of players’ strategies.


• Let (σi0 , σ−i ) , (σ1 , ..., σi−1 , σi0 , σi+1 , ..., σn ).


• Let ui (o) denote the utility of player Pi for the outcome o.


• Let δi (o) be a bit denoting whether or not Pi learns the secret,
P
and let num(o) = i δi (o) be the number of players who learn
the secret.


• Let δi (o) be a bit denoting whether or not Pi learns the secret,
P
and let num(o) = i δi (o) be the number of players who learn
the secret.
• Utility functions of the players should satisfy:
1 δi (o) > δi (o0 ) ⇒ ui (o) > ui (o0 ).
2 If δi (o) = δi (o0 ), then num(o) < num(o0 ) ⇒ ui (o) > ui (o0 ).

Definition-weakly dominated strategy

Let Si denote a set of strategies for Pi and let
Si , S1 × · · · × Si−1 × Si+1 · · · Sn . A strategy σi ∈ Si is weakly
dominated by a strategy σi0 ∈ Si with respect to Si if
1 there exists a σ−i ∈ S−i such that Ui (σi , σ−i ) < Ui (σi0 , σ−i ).
2 for all σ−i ∈ S−i , it holds that Ui (σi , σ−i ) ≤ Ui (σi0 , σ−i ).

Definition-weakly dominated strategy

Let Si denote a set of strategies for Pi and let
Si , S1 × · · · × Si−1 × Si+1 · · · Sn . A strategy σi ∈ Si is weakly
dominated by a strategy σi0 ∈ Si with respect to Si if
1 there exists a σ−i ∈ S−i such that Ui (σi , σ−i ) < Ui (σi0 , σ−i ).
2 for all σ−i ∈ S−i , it holds that Ui (σi , σ−i ) ≤ Ui (σi0 , σ−i ).
Definition
Strategy σi is weakly dominated with respect to S−i if there exists a
σi0 ∈ Si such that σi is weakly dominated by σi0 with respect to S−i .

Example-Weakly dominated strategy
• A secret is shared using t-out-of-n secret sharing (t < n)


• The strategy vector is such that all n players reveal their secret.


• This is a Nash equilibrium: the secret is reconstructed even if any
single player deviates.


• This is a Nash equilibrium: the secret is reconstructed even if any
single player deviates.
• For each player Pi , revealing the share is weakly dominated by not
revealing the share:
1 If fewer than t − 1 players or more than t − 1 other players reveal
their shares, then nothing changes.
2 If exactly t − 1 other players reveal their shares then Pi learns the
secret but no one else does.

Shamir’s scheme - game-theoretic equilibria
• For any t, n, t∗ , it is a Nash equilibrium for no one to reveal their

share.


share.
• If t∗ > t, it is a Nash equilibrium for all t∗ participating players to
reveal their shares. But, it is a weakly dominating strategy for
each player not to reveal his share.


share.
• If t = t∗ , then having all participating players players reveal their
shares is not even a Nash equilibrium, since each player can
profitably deviate by not revealing his share.


share.
• If t = t∗ , then having all participating players players reveal their
shares is not even a Nash equilibrium, since each player can
profitably deviate by not revealing his share.
Shamir’s protocol with the trivial reconstruction procedure does not

suffice in the presence of rational players.

Definition
Let DOMi (S1 × · · · × Sn ) denote the set of strategies in Si that are
weakly dominated with respect to S−i . Let Si0 denote the initial set of
allowable strategies of Pi . For all k ≥ 1, define Sik inductively as
k k−1 k−1 k−1 ∞
T k
Si , Si \ DOMi (S1 × · · · × Sn ). Let Si , k Si .
We say σi survives iterated deletion of weakly dominated strategies if
σi ∈ Si∞ .

Secret sharing protocol-S. D. Gordon and J. Katz
• The dealer holds a secret s which lies in a strict subset S of a

finite field F.


finite field F.
• Players know S.


finite field F.
• Players know S.
• At the beginning of each iteration
• with probability β the dealer generates a random Shamir
sharing of s
• with probability 1 − β the dealer generates a random Shamir
sharing of an arbitrary element ŝ ∈ F \ S.


finite field F.
• Players know S.
sharing of s
• During an iteration, the players broadcast their shares.


finite field F.
• Players know S.
sharing of s
• If in any iteration some player does not broadcast his share, the
other players all refuse to participate in all subsequent iterations.


finite field F.
• Players know S.
sharing of s
• If in any iteration some player does not broadcast his share, the
other players all refuse to participate in all subsequent iterations.
• Otherwise, all shares are broadcast and the players can
reconstruct some value s0 .
• If s0 ∈ S then the players know that this is the true secret, and
can terminate the protocol.

• If s0 ∈ F \ S, the players know this is an invalid secret and proceed
to the next iteration.

• If s0 ∈ F \ S, the players know this is an invalid secret and proceed
to the next iteration.
Theorem
For appropriate choice of β, the protocol constitutes a Nash
equilibrium for t-out-of-n secret sharing that survives iterated deletion
of weakly dominated strategies.

Removing the Dealer
Setup:
• To share a secret s, the dealer prepares a valid t-out-of-n Shamir

sharing {si } of s.

Removing the Dealer
Setup:

sharing {si } of s.
• The dealer generates a signature σi on each share si with respect
to a publicly-known verification key P K.

Removing the Dealer
Setup:

sharing {si } of s.
• The dealer generates a signature σi on each share si with respect
to a publicly-known verification key P K.
• The dealer sends (si , σi ) to player Pi .

Removing the Dealer
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:

Removing the Dealer
Protocol:
• Each party inputs the values (si , σi ) received from the dealer.

Removing the Dealer
Protocol:
• The functionality checks that each σi is a valid signature on si ,
and aborts if this is not the case.

Removing the Dealer
Protocol:
• The t∗ ≥ t shares define a secret s.

Removing the Dealer
Protocol:
• With probability β, the functionality generates a fresh t-out-of-n
Shamir sharing {s0i } of s, and each player receives output s0i .

Removing the Dealer
Protocol:
• With probability β, the functionality generates a fresh t-out-of-n
Shamir sharing {s0i } of s, and each player receives output s0i .
• With probability 1 − β, the functionality generates a fresh
t-out-of-n Shamir sharing {s0i } of a bogus secret ŝ ∈ F \ S, and
each player Pi receives output s0i .

Removing the Dealer
Protocol:
2 If cheating is detected in the protocol, then parties terminate the

overall protocol without ever reconstructing the secret.

Removing the Dealer
Protocol:

3 Each player Pi broadcasts the output s0i they received from the
protocol applied in the stage (1)
• If this enables reconstruction of a secret s ∈ S, the protocol
terminates and the true secret has been reconstructed.

Removing the Dealer
Protocol:

• If some player refused to broadcast their output share, then parties
terminate the protocol without reconstructing the secret.

Removing the Dealer
Protocol:

• If some player refused to broadcast their output share, then parties
terminate the protocol without reconstructing the secret.
• In any other case, players erase the {s0i } and proceed to the next
iteration (using (si , σi ) as before).

Game Theory and Cryptography

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Game Theory and Cryptography

Uploaded by

Copyright:

Available Formats

Game Theory and Cryptography 1 / 47

Game Theory and Cryptography

Nebojsa Milosavljevic, Anupam Prakash

Department of Electrical Engineering and Computer Sciences

March 10, 2009

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Interaction between game theory and cryptography:

• Cryptography → Game Theory

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Interaction between game theory and cryptography:

• Cryptography → Game Theory

• Game Theory → Cryptography

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Multi Party Computation

• There are n players who wish to compute f (t1 , t2 , · · · , tn ) = s.

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Example: Distrustful Millionaires

Who is the World’s Richest Duck?

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Example: Mental Games

Playing bridge with additional information

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Example: Mental Games

Playing bridge with additional information

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Intuition: Outputs of the real protocol should be indistinguishable

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Intuition: Outputs of the real protocol should be indistinguishable

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Intuition: Outputs of the real protocol should be indistinguishable

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Intuition: Outputs of the real protocol should be indistinguishable

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Intuition: Outputs of the real protocol should be indistinguishable

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

• Intuition: Outputs of the real protocol should be indistinguishable

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Weaker notions of security

• This definition guarantees output delivery as outputs of the

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Weaker notions of security

• This definition guarantees output delivery as outputs of the

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash

Weaker notions of security

• This definition guarantees output delivery as outputs of the

UCBseal UC Berkeley Nebojsa Milosavljevic, Anupam Prakash