game theory and cryptography - peoplechristos/agt09/crypto.pdf · game theory and cryptography 1 /...

Game Theory and Cryptography 1 / 47

Game Theory and Cryptography

Nebojsa Milosavljevic, Anupam Prakash

Department of Electrical Engineering and Computer SciencesUniversity of California, Berkeley

March 10, 2009

UC Berkeley Nebojsa Milosavljevic, Anupam PrakashUCBseal

Game Theory and Cryptography > Introduction 2 / 47

Introduction

• Interaction between game theory and cryptography:

• Cryptography → Game Theory

Implementation of correlated equilibrium in the absence of a trustedmediator.

• Game Theory → Cryptography

Instead of having agents follow a cryptographic protocol blindly, whathappens if the agents are rational and attempt to maximize theirpayoffs?

Game Theory and Cryptography > Introduction 2 / 47

Introduction

• Interaction between game theory and cryptography:

• Cryptography → Game Theory

Implementation of correlated equilibrium in the absence of a trustedmediator.

• Game Theory → Cryptography

Instead of having agents follow a cryptographic protocol blindly, whathappens if the agents are rational and attempt to maximize theirpayoffs?

Game Theory and Cryptography > Multi Party Computation 3 / 47

Multi Party Computation

• There are n players who wish to compute f(t1, t2, · · · , tn) = s.

• Input ti is with player i.

• The information learnt by player i at the end of the protocol mustbe (ti, s).

• Probabilistic: s = f(t1, t2, · · · , tn, r).

• Multi-output: f(t1, t2, · · · , tn, r) = (s1, s2, · · · , sn).

• No trusted party, honest but curious and malicious adversaries.

• General adversary: controls k < n players.

Example: Distrustful Millionaires

Who is the World’s Richest Duck?

Example: Mental Games

Playing bridge with additional information

Removing God in Mafia

Example: Mental Games

Playing bridge with additional informationRemoving God in Mafia

Security of MPC

• Intuition: Outputs of the real protocol should be indistinguishablefrom the outputs when a trusted party is present.

• A: Adversary controlling k < n players in real model. (A′ in idealmodel)

• t: Input vector.

• REALA,π(t): Outputs of honest players and adversary A under π.

• IDEALA′ (t): Outputs of honest players and adversary A′

withtrusted party.

• For every input vector t, REALA,π(t) ≈ IDEALA′ (t).

Security of MPC

withtrusted party.

Security of MPC

withtrusted party.

Security of MPC

withtrusted party.

Security of MPC

withtrusted party.

Security of MPC

withtrusted party.

Weaker notions of security

• This definition guarantees output delivery as outputs of thehonest players are included in REALA,π(t).

• If A′

can get the protocol aborted in the presence of a trustedparty, the guarantee obtained is fairness.

• Fairness: If the output is revealed to some parties, all honestparties eventually receive the output.

• Weakest guarantee: Correctness and privacy.

• Guaranteed Output Delivery > Fairness > Correctness and Privacy

• Issues: Indistinguishability, communication model.

• If A′

Indistinguishability

• All communication, computation is polynomial in λ, the securityparameter.

• Notions of indistinguishability between distributions p and q.

• Perfect: The two distributions are the same.

• Statistical: Statistical distance between the distributions(1/2

∑x |p(x)− q(x)|) is negligible.

• Computational: A computationally bounded adversary can notdistinguish between p and q with non-negligible probability.

Communication

• Secure and authenticated channels for communication betweentwo players.

• Broadcast channels: When a message is broadcast, everybodyreceives the same message. (Reason!)

Definition

Envelopes must satisfy the following properties:a) Value contained in envelope is hidden until it is opened.b) Envelope can be opened only by the person who possesses it.c) Encelope can not be opened in secret and resealed.

• Ballot Boxes: A device to randomize a sequence of envelopes.

Communication

Definition

Communication

Definition

Communication

Definition

MPC Results

• Table 1: Computationally Bounded AdversaryAdversary Guarantee Communicationk < n/2 output delivery broadcast

k < n correctness privacy broadcast

k < n fairness envelopes

• Table 2: Computationally Unbounded AdversaryAdversary Guarantee Communicationk < n/3 output delivery secure channel

k < n/2 output delivery (error) broadcast

k < n output delivery ballot boxes

MPC Results

How is it done?

• Secret sharing: Choose a polynomial p(x) of degree k over thefinite field Fq. Player i gets (ai, p(ai)), where ai 6= 0. The secretis the constant term of p(x).

• A group of k parties can not recover any information about thesecret, while a group of k + 1 can recover it completely.

• Computation is carried out gate by gate in the secret sharerepresentation. (Imprecise, read ‘How to play any mental game’-GMW).

• Oblivious transfer, attend last few lectures of the cryptographyclass to know more.

• Finally everybody broadcasts the secret shares corresponding tothe output.

How is it done?

Game Theory and Cryptography > Correlated Equilibria 12 / 47

Correlated Equilibrium

• Definition

A correlated equilibrium is a distribution D over strategies such thatEs∼D|si

[ui(si, s−i)] ≥ Es∼D|si[ui(s∗i , s−i)] for all players i and all

alternative strategies s∗i .

• Privacy of the strategies revealed to the players is essential bydefinition.

• Better payoffs than Nash, computable in polynomial time fornormal form games.

• Tractable for several types of succinct games. (P-05).

• Would make Nash redundant, if we could implement it without atrusted mediator.

• Definition

Ways to remove the mediator

• We will see two approaches to the removal of the mediator.

Simulating MPC

The players run an MPC protocol in the preamble that performs thecomputation f(t1, t2, · · · , tn, r) = (s1, s2, · · · , sn) previously carriedout by the mediator.

Verifiable Mediator

The trusted mediator is replaced by a verifiable device, which carriesout computation in public while maintaining privacy.

Simulating MPC

Verifiable Mediator

Simulating MPC

Verifiable Mediator

Games of incomplete information

• Each player has type ti selected from a publicly knowndistribution of types T .

• Mediator M takes as input the types ti of the players. Outputs asample from the strategy profile.

• Canonical strategy: Send type to mediator and follow therecommended action.

• Players may send wrong types or not send types at all. M musthave sampling strategies for ti ∈ Ti∪ ⊥.

• Extended Games: ‘Cheap talk’ phase preceding the game whenplayers can communicate in some model. Then the original gameis played.

• We need an equilibrium concept for games where players mightcollude.

Computational Nash Equilibrium

• All communication and computation in the extended game to bedone in poly(λ).

• Cheap talk phase modulo a hard cryptographic problem.

Definition

A computational nash equilibrium is set of strategies (x1, x2, · · · , xn)each one efficiently computable such that ui(xi, x−i) ≥ ui(x∗i , x−i)− εfor all players i and efficient alternative strategies x∗i .

Definition

k-resilient equilibria

• Definition

A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we haveEx∼D|xC

[ui(xC , x−C)] ≥ Ex∼D|xC[ui(xC∗, x−C)] for all players i ∈ C

and for all alternative strategies x∗C .

• Deviation not beneficial for even one player out of k.

• Ex ante: (Before the event) Collusion before M sends outstrategies.

• Interim: The colluding players can see xC and then decidealternative strategies.

• Ex ante weaker than interim.

• Definition

MPC to remove mediator

• Theorem

If x is a k-resilient CE for a game specified by function f , and π is aMPC protocol (output delivery) secure against upto k parties, thenrunning π in the preamble yields a k-resilient CE for the extendedgame with the same payoffs as x.

• k-resilient equilibrium is a ‘strong’ equilibrium concept. Resultalso valid for realizing weaker equilibria.

• Fair MPC: If it terminates, it is the same as output delivery.Assume that deviating party can be detected.

• The deviating parties in each run are thrown out and the protocolcontinues without them.

• With a correct and private MPC, if k = 1 other players candecide to punish the deviating player. No solution for k > 1.

• Theorem

Directions

Other Equilibrium concepts

NE for extended games allows empty threats. Equilibrium conceptssuch as sub game perfect equilibria or sequential equilibria need to beformally defined in the computational setting relevant forcryptographic protocols.

Collusion free protocols

Secure cryptographic protocols must use randomness, and this leads tothe possibility of steganography. LMS show how to realize protocolseliminating the possibility of steganography during execution, usingenvelopes and broadcast channels. Simulation of ex-ante equilibria?

Directions

Other Equilibrium concepts

NE for extended games allows empty threats. Equilibrium conceptssuch as sub game perfect equilibria or sequential equilibria need to beformally defined in the computational setting relevant forcryptographic protocols.

Collusion free protocols

Secure cryptographic protocols must use randomness, and this leads tothe possibility of steganography. LMS show how to realize protocolseliminating the possibility of steganography during execution, usingenvelopes and broadcast channels. Simulation of ex-ante equilibria?

Game Theory and Cryptography > Perfect Implementation 19 / 47

Perfect Implementation

• Game: Players, strategies, payoffs.

• Mechanism: Actions, the way actions lead to payoffs.

• Implementing a Vickrey auction:

• Players hand bids to M who computes in private and revealsoutcome. Complete trust and complete privacy.

• Players hand bids to M who makes the bids public. No trust andno privacy.

• Want a verifiable mediator providing complete privacy!

Imperfect Implementations

• M : Mechanism with trusted mediator.

• Implementation M′

has an equilibrium corresponding to everyequilibrium of M .

9, 6 −∞ −∞ −∞−∞ 6, 9 −∞ −∞−∞ −∞ 4,4 1,5

−∞ −∞ 5,1 −∞• This is a correlated equilibrium. Explain.

• Implementation: Player 1 puts the five strategies into envelopes,shuffles and player 2 chooses.

• The two players can come to an agreement so that only the firsttwo strategies get chosen.

• Against the interests of the society! Will not happen with themediator.

9, 6 −∞ −∞ −∞−∞ 6, 9 −∞ −∞−∞ −∞ 4,4 1,5

−∞ −∞ 5,1 −∞

• This is a correlated equilibrium. Explain.

9, 6 −∞ −∞ −∞−∞ 6, 9 −∞ −∞−∞ −∞ 4,4 1,5

• There is a bijection between the equilibria of M′

and theequilibria of M .

• Example: Four player, two strategy game.

• Payoffs: (a, a, a, a) = (0, 1, 0, 1), (b, b, b, b) = (1, 0, 1, 0),(a, b, a, b) = (10, 10,−100,−100), −∞ for all other strategies.The CE?

• Implementation: A and B flip a coin. Send outcome to C and D.

• A and B control the game!

• We require that the information available to a subset of players ina run of M

′is the same as the information available in a run of

Properties of a perfect implementation

• The mediator is verifiable.

• Strategic Equivalence: For all players i there is a bijection φibetween strategies in M and M

′such that

ui(m1,m2, · · · ,mn) = ui(φ1(m1), φ2(m2), · · · , φn(mn)).

• Privacy Equivalence: For all subsets of players and any strategyprofile m = (m1,m2, · · · ,mn) the information available whileplaying m in M equals the information available while playingφ(m) in M

• Strategic equivalence ensures that all properties pertaining toequilibria are preserved while privacy equivalence ensures nosubset of the players has any extra advantage.

′such that

Remarks

• This cannot be achieved through broadcast channels only.(Aumann-Hart)

• Envelopes and ballot boxes: Used in elections for verifiable andprivate computation of the tally function. They are universal!

• Moreover if M requires k steps of computation, the perfectimplementation will require ck steps of computation.

• Can envelopes and ballot boxes be realized by cryptographicprimitives? Can they be replaced by realizable primitives?

Remarks

Operations on Envelopes

• Publicly create an envelope E with content c.

• Publicly open an envelope E to reveal c.

• Publicly create a super-envelope containing envelopesE1, E2, · · · , En.

• Publicly open super-envelope.

• Ballot box envelopes E1, E2, · · · , En to obtain randomlypermuted envelopes E

′1, E

′2, · · · , E

• Destroy ballots publicly.

• n = 5 will be sufficient for universal computation.

′1, E

′2, · · · , E

′1, E

′2, · · · , E

′1, E

′2, · · · , E

′1, E

′2, · · · , E

′1, E

′2, · · · , E

′1, E

′2, · · · , E

Verifiable mediator and computer

• Input: Sequence of ballots S, public record s.

• Output: Next operation to be performed on the ballots.

• Verifiable computation of g : Xn → Y on disjoint ballotsS1, S2, · · · , Sn encoding the inputs xi guarantees:

• Privacy: Each public record is an element from S5 chosenuniformly at random.

• Correctness: The content of the final sequence of ballots isg(x1, x2, · · · , xn).

Universal Computation with Ballots

• Permutation Inverse

• Input: Envelopes A1, A2, · · · , A5 containing permutation σ.

• Output: Envelopes B1, B2, · · · , B5 containing σ−1.

• Publicly make B = I and pack (A,B) = (σ, I) into fivesuper-envelopes.

• Ballot box to get (τσ, τ). Open the envelopes A to reveal τσpublicly.

• (τσ)−1 ◦ τ = σ−1.

• Permutation Product

• Input: Envelopes A,B containing σ, τ .

• Output: Envelopes containing στ .

• Obtain envelopes D containing σ−1 by previous algorithm.

• Pack (D,B) = (σ−1, τ) into five super-envelopes.

• Ballot box to get (ρσ−1, ρτ). Open B to reveal ρσ−1 publicly.

• (ρσ−1)−1 ◦ ρτ = στ .

• Permutation Clone

• Input: Envelopes A containing σ.

• Output: Envelopes B,C containing σ.

• Publicly create B,C = I. Obtain envelopes D containing σ−1.

• Pack (D,B,C) = (σ−1, I, I) into five super-envelopes.

• Ballot box to get (τσ−1, τ, τ). Open A to reveal τσ−1 publicly.

• (τσ−1)−1 ◦ τ = σ.

Universal Computation over S5

• Magic! Barrington

• 0 = 12345, 1 = 12453.

• Not(a)= 12354 ◦ a ◦ 12435• And(a,b)=