Rational Exchange – A Formal Model Based on Game - BME-HIT

Rational Exchange
Levente Buttyán and Jean-Pierre Hubaux
Swiss Federal Institute of Technology – Lausanne
Laboratory for Computer Communications and Applications
EPFL-IC-LCA, CH-1015 Lausanne, Switzerland
{levente.buttyan, jean-pierre.hubaux}@epfl.ch
The exchange problem
• Alice has itemA and the description of itemB; she wants access to itemB
• Bob has itemB and the description of itemA; he wants access to itemA
• if Alice has access to itemB but Bob does not have access to itemA, then Bob has a disadvantage, and vice versa
• a misbehaving party may bring the other (correctly behaving) party into a disadvantageous situation
Instances
• electronic contract signing (exchange of signatures on the contract text)
• certified electronic mail (exchange of mail for acknowledgement of receipt)
• purchase of network delivered services (exchange of electronic payment for services)
Two approaches
Fair exchange protocols
• a correctly behaving party cannot suffer any disadvantages
 ⇒ executing the protocol is safe for both parties
• extensively studied, many proposals in the literature
• all practical protocols use a TTP (on-line or off-line)
Rational exchange protocols
• a misbehaving party cannot gain any advantages
 ⇒ misbehavior is not interesting and should happen only rarely
• only a few proposals:
– Jakobsson's coin ripping protocol
– Sandholm's unenforced exchange
– Syverson's rational exchange protocol
Motivation for rational exchange
• rational exchange protocols seem to provide weaker guarantees than fair exchange protocols
• one expects that they should be less complex than fair exchange protocols (indeed some of them do not need a TTP)
• rational exchange protocols ~ trade-off between complexity and true fairness
 ⇒ interesting solutions to the exchange problem in certain applications, such as
– micropayment schemes (using fair exchange for every micropayment would be overkill)
– peer-to-peer systems and ad hoc networks (there may not be any TTP)
An example: a rational payment protocol
(U: user, V: service provider, B: bank; tid: transaction identifier, val: amount, srv: the service, rnd: a random value known only to U until m3)
U → V : m1 = U, V, tid, val, h(rnd), SigU(U, V, tid, val, h(rnd))
V → U : m2 = srv
U → V : m3 = rnd
if V received m1 and m3 :
  V → B : m4 = m1, rnd, SigV(m1, rnd)
  B : charges U with val and credits V with val (after checking that h(rnd) matches m1)
if V received only m1 :
  V → B : m'4 = m1, SigV(m1)
  B : charges U with val (V is not credited)
brief informal analysis
• no fairness, but …
• none of the parties gains any financial advantage by cheating
• needs a TTP (the bank), but …
• the bank is needed anyway to maintain the accounts
• it performs the same operations as in any check based payment system
• needs no communication between the user and the bank
Possible application scenarios
[figure: scenario 1 – U and V exchange m1, m2, m3 directly; V forwards m4 / m'4 to the bank through a base station]
[figure: scenario 2 – counter based variant: on U's side the body of m1 is produced together with a "decrease counter" step and then signed; on V's side m1 & m3 together trigger an "increase counter" step; m1, m2, m3 are exchanged as before]
Outline
• motivation
• a brief introduction to game theory
• modeling exchange protocols as games
• formal definitions of rational exchange and fair exchange
• the relationship between rational exchange and fair exchange
• conclusion
• future work
Games
• game tree
– vertices: possible histories (action sequences)
– edges: available actions after a given history
• games of imperfect information ⇒ information sets
– set of indistinguishable action sequences for a given player
• preference relations
– defined on terminal action sequences
– often represented by payoffs
example game tree (A moves L or R, then B moves L or R; payoffs are given as (A, B)):
  A: L, B: L → (1, 1)
  A: L, B: R → (5, 0)
  A: R, B: L → (0, 5)
  A: R, B: R → (3, 3)
Strategy (of a player A)
• a function that assigns an action to every consistent action sequence (history) after which A has to move
• it assigns the same action to each action sequence that belongs to the same information set of A
[figure: a game tree with players A and B and actions L, R, in which several decision vertices of A lie in one information set, so a strategy of A must choose the same action at all of them]
Nash equilibrium
• let o(sA, sB) denote the outcome (terminal action sequence) when A plays strategy sA and B plays strategy sB
• (sA*, sB*) is a Nash equilibrium iff
  o(sA, sB*) ≼A o(sA*, sB*) for all sA, and
  o(sA*, sB) ≼B o(sA*, sB*) for all sB
  (x ≼A y: A does not prefer x to y; likewise ≼B for B)
• in other words: sA* is the best response to sB*, and vice versa
 ⇒ A is not motivated to deviate from sA*, given that B does not deviate from sB*, and vice versa
Restricted game
• obtained from a game by restricting some of the players to follow fixed strategies
[figure: a game tree with players A, B and C, beside the restricted game obtained by fixing C's strategy]
Synchronous system model
• assumption: the network is reliable (every submitted message is delivered within a constant time interval)
 ⇒ the parties interact in synchronous rounds
• in each round:
1. each party sends messages based on her current state
2. each party receives the messages that were sent to her in the current round, and performs a state transition
• local state of a protocol party:
– activity flag (true iff the party has not quit the protocol)
– local event history (send and receive events)
– current round number
• local state of the network:
– network buffer (set of messages submitted in the current round)
Synchronous protocol games
[figure: game tree of the first round, alternating between moves of A, B and the network (net)]
actions for A (B, ...):
– idle
– quit
– send(M), where M is a subset of those messages that A is able to send in her current local state
action for the network:
– deliver
• players: protocol parties (Alice, Bob, ...) + network
• information sets: q and q' belong to the same information set of Alice (Bob, ...) iff
– it is Alice's (Bob's, ...) turn to move after both q and q', and
– the local state of Alice (Bob, ...) is the same after q and q'
• the parties can send only messages that are compatible with the protocol (~ have the right format and cleartext fields are correct)
Payoffs
• (subjective) utility of items:
– uA+, uA-, uB+, uB-
– determining precise values is not important
– we assume only: 0 < uA- < uA+ and 0 < uB- < uB+

          itemA    itemB
  Alice   uA-      uA+
  Bob     uB+      uB-

• payoff for player i : yi(q) = yi+(q) – yi-(q)
– yi+(q) - gain
– yi-(q) - loss
  yi+(q) = ui+, if i gains access to itemj in q; 0, otherwise
  yi-(q) = ui-, if i loses control over itemi in q; 0, otherwise
• note: the payoff can take only 4 possible values: ui+ > ui+ – ui- > 0 > –ui-
Definition of rationality
rationality ~ Nash equilibrium
• rationality: a misbehaving party cannot gain any advantages
• Nash equilibrium: a deviating party cannot gain a higher payoff (given that the other parties do not deviate)
a formal definition of rationality
• protocol: p = { pA, pB, pTTP }
• protocol game: Gp
• each program pi is represented by a strategy si* in Gp
• we consider the restricted protocol game Gp|sTTP* (i.e., we assume that the TTP behaves correctly)
• the protocol is rational iff
– (sA*, sB*) is a Nash equilibrium in Gp|sTTP*
– both A and B prefer the outcome of (sA*, sB*) to any other Nash equilibrium in Gp|sTTP*
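The game-theoretic definitions above (game tree and information sets, strategies, the outcome function o(sA, sB), Nash equilibrium, and the rationality condition just stated) worked on the example game tree from the Games slide, as an added example that is not code from the paper or its authors. Assumptions of mine, not in the original: the nested-dict encoding of the tree, the `info_set` labelling function used to express information sets, and the "simultaneous" variant in which B cannot observe A's move. The restricted game is not modelled here, since this tree has no third player to fix.

```python
from itertools import product

# The example game tree of the Games slide as nested dicts (constructed
# encoding): a vertex is {player: {action: subtree}}, a terminal history is
# its payoff pair (y_A, y_B).
SLIDE_GAME = {"A": {"L": {"B": {"L": (1, 1), "R": (5, 0)}},
                    "R": {"B": {"L": (0, 5), "R": (3, 3)}}}}
PLAYERS = ("A", "B")


def perfect_information():
    """Information sets for perfect information: every history is its own set."""
    return {p: (lambda history: history) for p in PLAYERS}


def decision_points(tree, history=()):
    """Yield (player, history, available actions) for every non-terminal vertex."""
    if isinstance(tree, tuple):
        return
    (player, branches), = tree.items()
    yield player, history, tuple(branches)
    for action, sub in branches.items():
        yield from decision_points(sub, history + (action,))


def strategies(tree, player, info_set):
    """A strategy maps each information set of `player` to one available action,
    so histories the player cannot tell apart receive the same action."""
    sets = {}
    for p, history, actions in decision_points(tree):
        if p == player:
            sets.setdefault(info_set(history), actions)
    labels = list(sets)
    for choice in product(*(sets[label] for label in labels)):
        yield dict(zip(labels, choice))


def outcome(tree, profile, info_sets):
    """o(s_A, s_B): follow both strategies down the tree to a terminal history."""
    history = ()
    while not isinstance(tree, tuple):
        (player, branches), = tree.items()
        action = profile[player][info_sets[player](history)]
        tree, history = branches[action], history + (action,)
    return tree


def nash_equilibria(tree, info_sets=None):
    """All pure-strategy profiles in which each strategy is a best response to the other."""
    info_sets = info_sets or perfect_information()
    strats = {p: list(strategies(tree, p, info_sets[p])) for p in PLAYERS}
    found = []
    for s_a, s_b in product(strats["A"], strats["B"]):
        y = outcome(tree, {"A": s_a, "B": s_b}, info_sets)
        a_best = all(outcome(tree, {"A": s, "B": s_b}, info_sets)[0] <= y[0] for s in strats["A"])
        b_best = all(outcome(tree, {"A": s_a, "B": s}, info_sets)[1] <= y[1] for s in strats["B"])
        if a_best and b_best:
            found.append(({"A": s_a, "B": s_b}, y))
    return found


def is_rational(tree, prescribed, info_sets=None):
    """Rationality as defined above: the prescribed profile (s_A*, s_B*) is a Nash
    equilibrium and both players weakly prefer its outcome to every other one."""
    info_sets = info_sets or perfect_information()
    equilibria = nash_equilibria(tree, info_sets)
    if not any(profile == prescribed for profile, _ in equilibria):
        return False
    y_star = outcome(tree, prescribed, info_sets)
    return all(y[0] <= y_star[0] and y[1] <= y_star[1] for _, y in equilibria)


# Constructed variant: B cannot observe A's move, so both of B's decision
# vertices fall into one information set and B has only two strategies.
SIMULTANEOUS = {"A": lambda history: history, "B": lambda history: "B's only set"}

if __name__ == "__main__":
    for profile, y in nash_equilibria(SLIDE_GAME):
        print("perfect-information equilibrium:", profile, "->", y)
    print("B's strategies, perfect info:", len(list(strategies(SLIDE_GAME, "B", perfect_information()["B"]))))
    print("B's strategies, simultaneous:", len(list(strategies(SLIDE_GAME, "B", SIMULTANEOUS["B"]))))
    print("prescribed (L; L after L, L after R) rational:",
          is_rational(SLIDE_GAME, {"A": {(): "L"}, "B": {("L",): "L", ("R",): "L"}}))
```

With perfect information the tree has a single pure Nash equilibrium, A plays L and B answers L after either move, with outcome (1, 1); the profile reaching (3, 3) is not an equilibrium because B gains by switching to L after R. That single equilibrium trivially satisfies the second condition of the rationality definition; in a protocol game with several equilibria, `is_rational` is where the "preferred to any other Nash equilibrium" clause does real work.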
Further properties
fairness
• for every strategy sA of A: yA(q) > 0 implies yB(q) > 0, where q = o(sA, sB*), and
• a similar condition for every strategy sB of B
effectiveness
• yA(q) > 0 and yB(q) > 0, where q = o(sA*, sB*)
termination
• for every strategy sA of A: there exists a finite prefix q' of q such that aB(q') = false (aB: B's activity flag), where q = o(sA, sB*), and
• a similar condition for every strategy sB of B
gain closed property
• for every terminal action sequence q: yA+(q) > 0 implies yB-(q) > 0, and yB+(q) > 0 implies yA-(q) > 0
safe back out property ...
Fairness implies rationality (but not vice versa)
proposition
• if the protocol satisfies the effectiveness, gain closed, and safe back out properties, then fairness implies rationality
sketch of the proof
• (sA*, sB*) is a Nash equilibrium
– assume it is not: A has a strategy sA' with yA(q') > yA(q*), where q* = o(sA*, sB*) and q' = o(sA', sB*)
– effectiveness and gain closed property ⇒ yA(q*) = uA+ – uA- (in q* A gains itemB, and since B gains itemA, A loses itemA)
– yA(q') > uA+ – uA- ⇒ yA+(q') = uA+ and yA-(q') = 0 (the only larger value the payoff can take)
– fairness ⇒ yA(q') = uA+ > 0 implies yB(q') > 0, hence yB+(q') = uB+
– gain closed property ⇒ yB+(q') = uB+ > 0 implies yA-(q') > 0, contradicting yA-(q') = 0
– the argument for a deviation sB' of B is symmetric
Fairness implies rationality (but not vice versa)
sketch of the proof (cont'd)
• both A and B prefer the outcome of (sA*, sB*) to any other Nash equilibrium (sA', sB')
– assume the contrary: yA(q') > yA(q*), where q' = o(sA', sB') ⇒ yA+(q') = uA+ and yA-(q') = 0
– gain closed property ⇒ yA+(q') = uA+ > 0 implies yB-(q') > 0
– gain closed property ⇒ yA-(q') = 0 implies yB+(q') = 0
– yB(q') = yB+(q') – yB-(q') < 0
– safe back out property ⇒ B can always achieve a non-negative payoff by quitting at the beginning of the protocol
– sB' is not the best response to sA'
– (sA', sB') cannot be a Nash equilibrium
Conclusion
• a formal model for exchange protocols based on game theory
• a formal definition of rational exchange (~ Nash equilibrium)
• formal definitions of various other properties (including fairness)
• a proof that fairness implies rationality (but not vice versa)
• proving rationality of two protocols
– the example rational payment protocol
– Syverson's rational exchange protocol
• rational exchange can be viewed as a trade-off between complexity and true fairness
 ⇒ it may provide interesting solutions to the exchange problem in certain applications
Future work: Asynchronous rational exchange?
example payment protocol revisited
• assume the network is unreliable (may delay or lose messages)
– the network may delay the delivery of m3 = rnd to V
– V times out and sends m'4 to B
– V provided the service, but doesn't get paid ⇒ its payoff is negative
– V would have been better off if it had quit the protocol at the beginning
 ⇒ effectiveness and rationality are lost
• if the network doesn't lose messages and the players don't use timers
– effectiveness can be retained
• if U and V follow the correct strategies and wait long enough for messages, then they will eventually get what they want
– but rationality is still lost
• U knows that V will wait for m3 forever (no timeout)
• the best strategy of U is to quit after receiving the service and never send m3 (i.e., misbehaving)
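The example payment protocol and the failure modes described on this slide, run end to end as an added example (not code from the paper or its authors): U, V and the bank B exchange m1, m2, m3 and m4 / m'4, the bank settles as the protocol prescribes, and the payoffs of the Payoffs slide are computed for the honest run and for each single deviation, once over a synchronous network and once with m3 delayed or with V waiting without a timer. Assumptions of mine, not in the original: HMAC with keys the bank also knows stands in for SigU and SigV; the utilities are fixed at u+ = 3 and u- = 2 for both sides (only 0 < u- < u+ matters); the network is reduced to two flags (whether it delays m3 past V's timeout, and whether V uses a timer at all); and the deviations considered are the four that the slides discuss, not every strategy of the full protocol game.

```python
import hashlib
import hmac
import os

# Constructed signing keys; the bank B knows both, so an HMAC over the message
# fields plays the role of SigU / SigV (a stand-in, not the paper's mechanism).
KEY_U = b"constructed-key-of-U"
KEY_V = b"constructed-key-of-V"

# Utilities of the Payoffs slide, fixed to concrete numbers with 0 < u- < u+.
U_PLUS, U_MINUS = 3, 2   # srv is worth 3 to U; the payment val costs U 2
V_PLUS, V_MINUS = 3, 2   # val is worth 3 to V; providing srv costs V 2


def sig(key: bytes, *fields) -> bytes:
    """Stand-in for SigX(fields): keyed MAC over the concatenated fields."""
    return hmac.new(key, b"|".join(str(f).encode() for f in fields), hashlib.sha256).digest()


def h(rnd: bytes) -> str:
    return hashlib.sha256(rnd).hexdigest()


def bank_settle(claim):
    """B's settlement rule: returns (amount charged to U, amount credited to V).
    m4 with the correct rnd pays V; m'4 only charges U; anything else is rejected."""
    kind, (m1_body, sig_u), *rest = claim
    val, h_rnd = m1_body[3], m1_body[4]
    if not hmac.compare_digest(sig_u, sig(KEY_U, *m1_body)):
        return (0, 0)                                     # m1 not signed by U
    if kind == "m4":
        rnd, sig_v = rest
        if hmac.compare_digest(sig_v, sig(KEY_V, m1_body, rnd)) and h(rnd) == h_rnd:
            return (val, val)                             # U charged, V credited
        return (0, 0)                                     # wrong rnd or bad signature
    (sig_v,) = rest
    return (val, 0) if hmac.compare_digest(sig_v, sig(KEY_V, m1_body)) else (0, 0)


def run_protocol(u_withholds_m3=False, u_sends_bogus_rnd=False,
                 v_withholds_service=False, v_claims_m4prime_anyway=False,
                 network_delays_m3=False, v_uses_timer=True):
    """One run of the payment protocol; each flag switches on one deviation or
    one network condition. Returns who obtained and who gave up what."""
    val, rnd = 5, os.urandom(16)
    m1_body = ("U", "V", "tid-1", val, h(rnd))
    m1 = (m1_body, sig(KEY_U, *m1_body))                  # U -> V : m1
    u_got_service = not v_withholds_service               # V -> U : m2 = srv (or nothing)
    m3 = None                                             # U -> V : m3 = rnd, only after srv
    if u_got_service and not u_withholds_m3:
        m3 = os.urandom(16) if u_sends_bogus_rnd else rnd
    # A synchronous network delivers m3 in the round it was sent. A delaying
    # network delivers it only after V's timeout, so V sees it only if it waits.
    v_m3 = None if (network_delays_m3 and v_uses_timer) else m3
    if v_m3 is not None and h(v_m3) == m1_body[4] and not v_claims_m4prime_anyway:
        claim = ("m4", m1, v_m3, sig(KEY_V, m1_body, v_m3))
    elif v_uses_timer or v_m3 is not None:
        claim = ("m4'", m1, sig(KEY_V, m1_body))         # timed out, or rnd did not verify
    else:
        claim = None                                      # no timer: V waits for m3 forever
    charged, credited = bank_settle(claim) if claim else (0, 0)
    return {"u_got_service": u_got_service, "v_delivered": u_got_service,
            "u_charged": charged > 0, "v_credited": credited > 0}


def payoffs(run):
    """y_i = y_i+ - y_i-: gain if i got the other's item, loss if i gave up its own."""
    y_u = (U_PLUS if run["u_got_service"] else 0) - (U_MINUS if run["u_charged"] else 0)
    y_v = (V_PLUS if run["v_credited"] else 0) - (V_MINUS if run["v_delivered"] else 0)
    return (y_u, y_v)


def honest_is_nash(network_delays_m3=False, v_uses_timer=True):
    """First condition of the rationality definition, for the deviations modelled
    here: neither side gets a strictly higher payoff by deviating while the other
    follows the protocol (the bank is fixed to its program: the restricted game)."""
    net = dict(network_delays_m3=network_delays_m3, v_uses_timer=v_uses_timer)
    honest = payoffs(run_protocol(**net))
    u_devs = [payoffs(run_protocol(u_withholds_m3=True, **net)),
              payoffs(run_protocol(u_sends_bogus_rnd=True, **net))]
    v_devs = [payoffs(run_protocol(v_withholds_service=True, **net)),
              payoffs(run_protocol(v_claims_m4prime_anyway=True, **net))]
    return all(d[0] <= honest[0] for d in u_devs) and all(d[1] <= honest[1] for d in v_devs)


def forged_m4_rejected():
    """V cannot be paid from m1 alone: the bank needs the preimage rnd of h(rnd)."""
    rnd = os.urandom(16)
    m1_body = ("U", "V", "tid-2", 5, h(rnd))
    m1, guess = (m1_body, sig(KEY_U, *m1_body)), os.urandom(16)
    return bank_settle(("m4", m1, guess, sig(KEY_V, m1_body, guess))) == (0, 0)


if __name__ == "__main__":
    print("synchronous, honest:", payoffs(run_protocol()))
    print("synchronous, U withholds m3:", payoffs(run_protocol(u_withholds_m3=True)))
    print("honest profile is an equilibrium (synchronous):", honest_is_nash())
    print("m3 delayed, V times out:", payoffs(run_protocol(network_delays_m3=True)))
    print("honest profile is an equilibrium (delays):", honest_is_nash(network_delays_m3=True))
    print("no timers, U withholds m3:", payoffs(run_protocol(u_withholds_m3=True, v_uses_timer=False)))
    print("honest profile is an equilibrium (no timers):", honest_is_nash(v_uses_timer=False))
```

Over the synchronous network every deviation leaves the deviator at or below the honest payoff of u+ - u- = 1 while pushing the other side negative, which is exactly "no fairness, but no gain from cheating". With m3 delayed past V's timeout the honest V ends at -2, so withholding the service (payoff 0) becomes V's better response and the honest profile stops being an equilibrium; with no timers the delayed m3 eventually arrives and the honest run again yields (1, 1), but U withholding m3 now yields U the full u+ = 3 because V never files m'4, which is the loss of rationality this slide describes.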