
Games for Exchanging Information
Gillat Kol
Joint work with Moni Naor
Our Goal
Design secret sharing schemes that work assuming players are rational.
Talk Plan
Introduction
  - Background
  - Related Work
Our Contributions
  - Scheme Construction
  - Impossibility
  - Solution Concept
Cryptographic vs. Game Theoretic Settings
Cryptography: Players are either arbitrarily malicious or totally honest.
Game Theory: Players are rational, trying to maximize their payoff functions.
ui(σ) is i's payoff when following the protocol σ = (σ1,..,σn).
We assume:
Players are rational:
- Prefer to learn the secret above all else.
- Secondly, prefer to learn alone.
Players are computationally unbounded.
Communicating via a simultaneous broadcast channel (SBC) - no rushing.
Rational Secret Sharing (RSS)
MetaDef: m-out-of-n RSS scheme.
- Shares assignment algorithm for the dealer (as in the usual crypto setting).
- Game theoretically stable (e.g., Nash equilibrium) reconstruction protocol for the players.
Def: σ is a Nash Equilibrium if no player can gain by deviating from his strategy, assuming that all the others are following theirs:
∀i ∀σ'i: ui(σi, σ-i) ≥ ui(σ'i, σ-i)
Each player's strategy is a best response to the strategies of the others.
Is Shamir's scheme an RSS?
Shamir's scheme is not an RSS.
Recall that to reconstruct, players reveal their shares.
For p = m (p = number of participants): not Nash.
- Higher payoff for keeping silent.
For p > m: "unstable" Nash.
- No player, on his own, can prevent the others from learning.
- Silence is never worse than revealing, but sometimes better.
Main Problem: Players deviate in the last round of the protocol, since they no longer fear future punishment.
Solution: Players shouldn't be able to identify the last round.
Protocols are unbounded and allow players to learn w.p. 1.
Previous Works
Previous results required one of the following:
The dealer's involvement in the reconstruction [HT04].
Cryptographic tools [GK06, LT06, ADGH06].
- Requires computational assumptions and bounded players.
- Achieves only approximated Nash.
Different (stronger) hardware assumptions:
- Private channels [GK06, ADGH06] + [BGW88]. Requires ≥ 4 players.
- Envelopes and ballot boxes [LMPS04, LMS05, ILM05]. Solve a more general problem (SFE given any utilities). Achieve stronger solution concepts (coalitions).
Our Contribution
Solution Concept: What is a good RSS scheme?
- Previous criterion does not rule out all unstable protocols.
- Previous crypto protocols are susceptible to backward induction (BI).
Impossibility: There is no "reasonable" Nash RSS with SBC taking shares from finite sets.
Constructing an RSS with SBC and finite shares taken from infinite sets.
- Satisfies stronger solution concepts (strict Nash, no BI).
- Unbounded players, no computational assumptions.
- Can remove the simultaneity assumption and get approximated Nash.
The Scheme Construction
Present a buggy 2-out-of-2 RSS.
Fix it.
Analyze it.
Generalize to m-out-of-n for all 2 ≤ m ≤ n.
Remove the simultaneity assumption.
2-out-of-2 RSS: Dealer's Algorithm
(Figure: running example with S = {0,..,6}, s = 4, ℓ1 = 5, ℓ2 = 7. The long player's list is L = (2, 5, 1, 3, 4, 6, 0), whose 5th entry is s; the short player's list is L' = (2, 5, 1, 3).)
Dealer(s):
Uses a parameter β (TBD); S is the secrets set.
- Select the share sizes: ℓ1, ℓ2 = ℓ1 + d, where ℓ1, d ~ G(β) (geometric distribution).
- Select the secrets list: a random list L of ℓ2 secrets from S s.t. the ℓ1-th secret is s.
- Assign shares: choose a player at random, give him L, and give the other L' = L(1,...,ℓ1-1).
Players do not know whether their shares are short or long.
Shares are taken from unbounded sets.
2-out-of-2 RSS: Player's Algorithm
(Figure: the running example executed. In iterations 1-4 both players broadcast 2, 5, 1, 3; in iteration 5 the long player broadcasts 4 while the short player, whose list has ended, is quiet, so both conclude s = 4; the remaining entries 6, 0 are never used.)
Player(share):
- Broadcast the next secret in your list. Keep silent if your list has ended.
- If the other broadcast a false value, abort.
- If only a single player broadcasts: the last value broadcast is s.
Bug 1: Identifying the Last Iteration
Problem: The short player identifies the last iteration when his list ends.
- May broadcast a fictitious secret.
Solution: Divide iterations into stages:
- #stages in each iteration is chosen ~ G(β).
- Players broadcast only during the last stage.
- Players get #stages for the cells in their list.
- The short player does not know #stages of the last iteration.
(Figure: the example lists annotated as secret/#stages per cell: long player 2/4, 5/8, 1/2, 3/2, 4/6, 6/3, 0/7; short player 2/4, 5/8, 1/2, 3/2, so he holds no #stages for iteration 5.)
Bug 2: Guessing the Secret
Problem: If some secret appears a lot in the list, w.h.p. it is the real secret.
Solution: Mask every secret in the list using a random mask.
- The dealer gives each player a share of every mask.
- Shares of the t-th mask are broadcast by the players during iteration t-1.
Bug 3: Broadcasting Fictitious Information
Problem: Players may broadcast fictitious information.
Solution: The dealer equips the players with authentication information.
Now it works…
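To make the construction with its three fixes concrete, here is an added Python simulation of the 2-out-of-2 scheme (my own code, not the authors'). It assumes: the masks are shared additively over Z_7; the "authentication information" is a one-time MAC tag = a·m + b over a prime field, with the dealer computing the tags for each player's fixed future broadcasts and handing the matching keys to the other player (padded so that the number of keys leaks nothing about list lengths); an extra iteration 0 in which the shares of the first mask are exchanged; and β as the success probability of the geometric distribution. The `bug1_cheater` hook plays the deviation from Bug 1 (broadcasting a fictitious value as soon as one's own list ends) to show that it now ends in an abort.

```python
import random
from dataclasses import dataclass

P = 7                   # secrets set S = Z_7 = {0,..,6}, as in the running example
Q = (1 << 61) - 1       # prime modulus of the one-time MAC (my choice)


def geometric(beta, rng):
    """Trials up to and including the first success, success probability beta."""
    n = 1
    while rng.random() >= beta:
        n += 1
    return n


def tag(key, msg):
    """Information-theoretic one-time MAC over Z_Q: tag = a*msg + b."""
    a, b = key
    return (a * msg + b) % Q


def encode(cell, mask_share):
    """Pack one iteration's broadcast into an integer (cell is None in iteration 0)."""
    return (P if cell is None else cell) * P + mask_share


@dataclass
class Share:
    cells: list         # my masked list: c_t = L_t + r_t mod P
    stages: list        # number of stages of iteration t, only for cells in my list
    mask_shares: list   # my additive share of the masks r_1 .. r_{len(cells)+1}
    tags: list          # dealer-made tags on my broadcasts of iterations 0..len(cells)
    keys: list          # keys that verify the other player's broadcasts


def deal(s, beta, seed=None):
    """Dealer's algorithm with the three fixes: stages, masks, authentication."""
    rng = random.Random(seed)
    l1 = geometric(beta, rng)                 # the real secret sits in cell l1
    l2 = l1 + geometric(beta, rng)            # length of the long list
    L = [rng.randrange(P) for _ in range(l2)]
    L[l1 - 1] = s
    masks = [rng.randrange(P) for _ in range(l2 + 1)]
    stages = [geometric(beta, rng) for _ in range(l2)]
    a = [rng.randrange(P) for _ in range(l2 + 1)]           # masks[t] = a[t] + b[t] mod P
    b = [(m - x) % P for m, x in zip(masks, a)]
    lengths = [l2, l1 - 1]
    rng.shuffle(lengths)                                    # who gets the long list is random
    dealt = []
    for n, mine in zip(lengths, (a, b)):
        cells = [(L[t] + masks[t]) % P for t in range(n)]
        # in iteration t a player broadcasts cell t and his share of mask t+1
        msgs = [encode(None if t == 0 else cells[t - 1], mine[t]) for t in range(n + 1)]
        keys = [(rng.randrange(1, Q), rng.randrange(Q)) for _ in range(n + 1)]
        tags = [tag(k, m) for k, m in zip(keys, msgs)]
        dealt.append((Share(cells, stages[:n], mine[:n + 1], tags, None), keys))
    # each player verifies the other; pad the key list so its length leaks nothing
    for (sh, _), (_, other_keys) in zip(dealt, reversed(dealt)):
        sh.keys = [other_keys[t] if t < len(other_keys) else (rng.randrange(1, Q), rng.randrange(Q))
                   for t in range(len(sh.cells) + 2)]
    return dealt[0][0], dealt[1][0]


def message(sh, t):
    """Honest broadcast for iteration t, or None when my list has ended."""
    if t > len(sh.cells):
        return None
    return encode(None if t == 0 else sh.cells[t - 1], sh.mask_shares[t]), sh.tags[t]


def reconstruct(sa, sb, cheat=None):
    """Reconstruction over a simultaneous broadcast channel.  cheat(i, t, stage)
    may return a forged (msg, tag) for player i.  Returns s, or an abort reason."""
    sh = (sa, sb)
    got = [None, None]                  # the other's share of the next mask
    for t in range(len(sa.cells) + len(sb.cells) + 2):
        # a player knows the number of stages only if iteration t is in his list
        n_stages = 1 if t == 0 else max(x.stages[t - 1] for x in sh if t <= len(x.cells))
        for stage in range(1, n_stages + 1):
            last = stage == n_stages
            sent = [(cheat and cheat(i, t, stage)) or (message(sh[i], t) if last else None)
                    for i in range(2)]
            for i in range(2):                      # each player checks the other's broadcast
                m = sent[1 - i]
                if m is None:
                    continue
                if not last and t <= len(sh[i].cells):
                    return "abort: broadcast outside the last stage"
                if tag(sh[i].keys[t], m[0]) != m[1]:
                    return "abort: bad authentication tag"
        spoke = [i for i in range(2) if sent[i] is not None]
        if t >= 1 and len(spoke) == 1:              # only one player broadcast: last value is s
            j = spoke[0]
            full_mask = (sh[j].mask_shares[t - 1] + got[j]) % P   # both players can compute it
            return (sent[j][0] // P - full_mask) % P
        if len(spoke) != 2:
            return "abort: nobody broadcast"
        if t >= 1 and sent[0][0] // P != sent[1][0] // P:
            return "abort: the other broadcast a false value"
        for i in range(2):
            got[i] = sent[1 - i][0] % P
    return "abort: ran out of iterations"


def bug1_cheater(shares, who):
    """Deviation from Bug 1: once player `who`'s list ends, immediately broadcast
    a fictitious cell (with a made-up tag) instead of keeping quiet."""
    def cheat(i, t, stage):
        if i == who and t > len(shares[i].cells) and stage == 1:
            return (encode(3, 0), 12345)        # constructed fake message and tag
        return None
    return cheat
```

`reconstruct(*deal(4, 0.3, seed=1))` returns 4. With the cheater installed for the short player, the run ends in an abort: either the long player, who knows the stage count of that iteration, sees a broadcast outside the last stage, or (when the iteration has a single stage) the forged tag fails verification.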
Strict Nash Equilibrium
Def: σ is a Strict Nash Equilibrium if every player loses when deviating from his strategy, assuming that all the others are following theirs:
∀i ∀σ'i ≠ σi: ui(σi, σ-i) > ui(σ'i, σ-i)
A player's strategy is a strict, unique best response.
Strict Nash ⇒ Nash.
Example: Shamir's reconstruction is not a strict Nash.

Protocol Analysis
Recall: Pr[current iteration is the last] = β.
Theorem: For a sufficiently small β, the scheme is a strict Nash with expected number of rounds 1/β².
Proof: By deviating, players risk early termination.
β must depend on the payoffs.
The higher the payoff for learning alone vs. learning with others, the smaller β is.
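The analysis can be checked numerically. The following added Python code is mine, not the authors', and assumes a simplified payoff model consistent with the preferences stated at the start of the talk: u_alone > u_together > u_none, and a deviation that keeps quiet in the current iteration pays u_alone if that iteration is the last (probability β) and u_none otherwise, because the other player then terminates. It derives the largest β for which following is the strict best response, and a Monte Carlo run confirms that, the list length being geometric, the deviator's conditional payoff is the same at every iteration k, which is what keeps the scheme stable after any history.

```python
import random


def geometric(beta, rng):
    """Index of the iteration holding the real secret; a geometric variable is
    memoryless, so Pr[current iteration is the last | it was reached] = beta."""
    n = 1
    while rng.random() >= beta:
        n += 1
    return n


def deviation_payoff(beta, u_alone, u_none):
    """Expected payoff of keeping quiet in the current iteration (assumed model):
    with probability beta this iteration is the last and the deviator learns
    alone; otherwise the other player stops and nobody learns."""
    return beta * u_alone + (1 - beta) * u_none


def max_beta(u_alone, u_together, u_none):
    """Largest beta for which following the protocol strictly beats deviating:
    u_together > beta*u_alone + (1-beta)*u_none."""
    return (u_together - u_none) / (u_alone - u_none)


def is_strict_nash(beta, u_alone, u_together, u_none):
    """Following must be the unique best response to the other's honest play."""
    return u_together > deviation_payoff(beta, u_alone, u_none)


def simulate_deviation(beta, k, u_alone, u_none, trials, seed=None):
    """Monte Carlo check: play honestly until iteration k, then keep quiet.
    Returns the mean payoff over the runs that actually reach iteration k."""
    rng = random.Random(seed)
    total, reached = 0.0, 0
    for _ in range(trials):
        last = geometric(beta, rng)
        if last < k:            # the secret came out earlier: the deviation never happened
            continue
        reached += 1
        total += u_alone if last == k else u_none
    return total / reached


if __name__ == "__main__":
    u_alone, u_together, u_none = 3, 2, 0   # constructed payoffs: alone > together > nothing
    print("largest stable beta:", max_beta(u_alone, u_together, u_none))
    for beta in (0.5, 0.8):
        print("beta =", beta, "strict Nash:", is_strict_nash(beta, u_alone, u_together, u_none))
    for k in (1, 3, 6):     # same conditional payoff at every iteration: memorylessness
        est = simulate_deviation(0.3, k, u_alone, u_none, 20000, seed=1)
        print("deviate at iteration", k, "->", round(est, 2), "(closed form",
              deviation_payoff(0.3, u_alone, u_none), ")")
```

Raising u_alone while keeping the other payoffs fixed lowers `max_beta`, which is the slide's last point: the more a player values learning alone, the rarer the last iteration has to be.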
Revelation Point
Theorem: There is no Nash RSS with shares taken from finite sets without a revelation point (RP).
Def (Informal): An RP of a reconstruction protocol is a point in its execution for which:
- Some players do not know the secret.
- At any point after it, the secret is known to all.
Protocols with an RP are "unreasonable":
- Players always learn after the RP ⇒ should not reveal info.
- Players learn right after the RP ⇒ someone does reveal info.
Example: Shamir's reconstruction has an RP before the first round.
Strict Nash ⇒ Nash with no RP
Transcript Trees
A transcript of σ is a possible sequence of messages m = (m1,…,mℓ) broadcast by the players during rounds 1..ℓ while following σ.
We view transcripts as vertices of a transcript tree.
Def: An RP of σ is a vertex in σ's transcript tree that has children, but no grandchildren.
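As an added illustration (my code, not from the talk), the tree-shape half of this definition can be checked mechanically: a function that lists the vertices with children but no grandchildren, applied to the transcript tree of Shamir's one-round 2-out-of-2 reconstruction over Z_p, where the root (the point before the first round) is the RP, and to the tree of any protocol that always stops after a fixed number of rounds. Transcripts are represented as tuples of per-round message vectors; which players know the secret at each vertex is not modelled here.

```python
def revelation_points(tree, root):
    """Vertices of a transcript tree that have children but no grandchildren.
    `tree` maps a vertex (a transcript tuple) to the list of its children;
    vertices absent from `tree` are leaves."""
    found = []
    stack = [root]
    while stack:
        v = stack.pop()
        children = tree.get(v, [])
        stack.extend(children)
        if children and not any(tree.get(c) for c in children):
            found.append(v)
    return found


def shamir_2of2_tree(p):
    """Transcript tree of Shamir's 2-out-of-2 reconstruction over Z_p: a single
    simultaneous round in which each player broadcasts his share, then nothing."""
    root = ()
    tree = {root: [((a, b),) for a in range(p) for b in range(p)]}
    return tree, root


def bounded_tree(rounds, alphabet):
    """Transcript tree of a protocol that always stops after `rounds` rounds,
    each round contributing one of the message vectors in `alphabet`."""
    root = ()
    tree = {}
    frontier = [root]
    for _ in range(rounds):
        nxt = []
        for v in frontier:
            tree[v] = [v + (m,) for m in alphabet]
            nxt.extend(tree[v])
        frontier = nxt
    return tree, root


if __name__ == "__main__":
    print(revelation_points(*shamir_2of2_tree(7)))      # [()]: the RP is before round 1
    rps = revelation_points(*bounded_tree(3, "ab"))
    print(len(rps), sorted(rps))                        # every depth-2 transcript is an RP
```

Every protocol whose transcript tree has finite depth has an RP one level above its deepest leaves, which is the shape of the tree that the impossibility proof below walks towards; the scheme of this talk avoids it because its tree has no finite depth.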
Claim: Children are Correlated
Assume for simplicity that σ allows players to learn together.
Claim: For every transcript p of σ, one of the following holds:
- Players always learn after the next round.
- Players never learn after the next round.
(independently of their random tapes)
(Figure: a vertex p with one child after which no-one learns next to a child after which all learn is impossible.)
Claim Proof: Hybrid Argument
Proof:
Assume that the shares are x, and that players learn given r = (r1,..,rn), but don't learn given r' = (r1',..,rn').
Define the hybrid r^i = (r'1,..,r'i, ri+1,..,rn).
Hybrid Argument: ∃ i s.t. given shares x, all learn given r^i, but no-one learns given r^{i+1}.
Only player i+1's tape differs between r^i and r^{i+1}, so the players other than i+1 act the same ⇒
player i+1 learns given r^{i+1}, since he learns given r^i ⇒
Contradiction! ▪
Theorem Proof: Inductive Argument
Theorem: There is no Nash RSS with shares taken from finite sets without an RP.
Proof:
- Construct a path leading to the RP.
- C(m) = Set of possible shares x for which players do not know s when reaching m.
- m0 = empty transcript. Take x1 ∈ C(m0).
- m, a descendant of m0, s.t. given x1, players learn s after m, but not before.
(Figure: the path m0, m1, m2, …, mk through the transcript tree, with the shares x1, x2, …, xk chosen at each step and p the parent of m.)
Theorem Proof: Inductive Argument
- Let p be m's parent.
- If p has no grandchildren, p is an RP.
- Otherwise, let m1 be a child of p with children.
- Using the claim: Players learn after m given shares x1 ⇒ they learn after m1 given x1 ⇒ C(m0) ⊋ C(m1).
Recall: C(m) = Set of possible shares for which players do not know s when reaching m.
Use the same argument to find m0, m1, m2, … s.t. C(m0) ⊋ C(m1) ⊋ C(m2) ⊋ …
Since the shares sets are finite, the sequence is finite.
The finiteness of the shares sets is used! ▪
Talk Plan
Introduction
  - Background
  - Related Work
Our Contributions
  - Scheme Construction
  - Impossibility
  - Solution Concept
    - On Iterated Admissibility
    - On Backward Induction

On Iterated Admissibility

On Backward Induction
Previous Criterion: Iterated Admissibility (IA)
IA was used as a criterion distinguishing good from bad schemes in [HT04, GK06, LT06, ADGH06].
Def: Strategy σi is (weakly) dominated if there exists a strategy σ'i that is never worse than σi but sometimes strictly better:
(1) ∀σ-i: ui(σ'i, σ-i) ≥ ui(σi, σ-i)
(2) ∃σ-i: ui(σ'i, σ-i) > ui(σi, σ-i)
Example: Shamir's reconstruction is dominated by the silence strategy.
Def: A strategy is Iterated Admissible (IA) if it survives iterated deletion of dominated strategies.
IA doesn't rule out all bad behaviors
No finite strategy is stable ⇒ the game played is infinite.
talk-once_i = Shamir's reconstruction in the infinite game:
- i reveals his share in round 1 and then broadcasts ⊥ (nothing) forever.
Theorem: talk-once_i is IA.
Proof:
- ∀ σ'i trying to dominate talk-once_i there is a "savior" σ-i.
- Example: For σ'i = silence, σ-i = the others keep silent in round 1, and reveal their shares in round 2 iff i talked in round 1.
- In general: σ-i waits to see if player i follows talk-once_i, then rewards or punishes him accordingly.
Strict Nash ⇒ IA Nash
Backward Induction
Previous crypto solutions [LT06, ADGH06]:
- Run the crypto SFE [GMW87] in every iteration.
- Have small expected running time, but are unbounded.
Observation: Those protocols are essentially bounded by K iterations (K = # of keys for the SFE of iteration 1).
Problem: Backward Induction
- The BI process: Players deviate in iteration K since it is the last, causing K-1 to be last. The same holds for K-1, K-2, .., 1.
- BI causes the instability in exponentially rare events to be amplified.
Solution: Should require the protocol to still be stable after any history.
Our protocol satisfies this property! (as does every exact Nash)
Concluding Remarks
Game Theory and Cryptography:
- Common areas of interest (e.g., simulating mediators).
- Different assumptions and models.
- By combining techniques / ideas we gain new insights.
We look for RSS schemes using SBC:
- Solution concept is an issue.
- The infiniteness of the shares sets is a necessary and sufficient condition for an exact solution.
References
[ADGH06] Abraham, Dolev, Gonen, and Halpern. Robust Mechanisms for Rational Secret Sharing and Multiparty Computation. PODC 2006.
[BGW88] Ben-Or, Goldwasser, and Wigderson. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. STOC 1988.
[GK06] Gordon and Katz. Rational Secret Sharing, Revisited. SCN 2006.
[GMW87] Goldreich, Micali, and Wigderson. How to Play any Mental Game. STOC 1987.
[HT04] Halpern and Teague. Rational Secret Sharing and Multiparty Computation. STOC 2004.
[ILM05] Izmalkov, Micali, and Lepinski. Rational Secure Computation and Ideal Mechanism Design. FOCS 2005.
[LT06] Lysyanskaya and Triandopoulos. Rationality and Adversarial Behavior in Multi-Party Computation. CRYPTO 2006.
[LMPS04] Lepinski, Micali, Peikert, and Shelat. Completely Fair SFE and Coalition-Safe Cheap Talk. PODC 2004.
[LMS05] Lepinski, Micali, and Shelat. Collusion-Free Protocols. STOC 2005.