Howto(not)AnalyzeCryptographicProtocolsusingGameTheory

JesperBuusNielsen

MainPoints

•  Idealizingcrypto:Replacereal‐lifecryptotoolsbyformalobjectsliketermalgebrasororaclestomakeanalysisofaprotocoleasier

•  Commonincryptography– knowntobesoundintheusualcrazy‐versus‐stupidmodels

•  ResearcherhavebeenidealizingcryptotoolsforthesakeofgametheoreIcanalysistoo– Thatistypicallynotsound

Terminology:ComputaIonalSoluIonConcept

•  Takescomputa3onfeasibilityintoaccount–  Examples:OnlyallowpolynomialImecomputablestrategies,pricecomputaIonviatheuIlityfuncIon,discounIng,…

•  Allowstheuseof(imperfect)cryptography–  Example:WhenyouropponentusesencrypIonthedeviaIonwhichmakesoneguessathissecretkeyandusesthekeytobreaktheprotocoliftheguessiscorrectgivesyouasmalladvantage,sogofor‐NEfornegligiblesmalltoallowstability

–  Example:UIlityofkey‐guessingsmallerthanthepriceofthecomputaIonordiscountedaway

Terminology:GameTheoreIcSoluIonConcept

•  AsoluIonconceptwhichallowsarbitrarystrategies

IdealizingCrypto

•  (Verysimple)idealizedsignatures:–  TheworldhasaglobalsigningoracleOwhichallparIeshaveaccessto

–  Sign:ApartyPicansendsign(m)toOwhichstores(i,(i,m))[readPihasasignatureonmfromPi]

–  Transfer:IfPkinputstrans((i,m),n)toOand(k,(i,m))isstoredinO,thenOstores(n,(i,m))

–  Verify:IfPkinputsverify(i,m)toOand(k,(i,m))isstoredinOthenOoutputsacceptotherwisereject

•  Possibletoshowthatanycryptographicprotocolwhichissecurewhenusingtheseidealizedsignaturesisequallysecurewhentheyarereplacedbyrealsignatures–  Uptonegligible–  PKI+unforgeablesignatures+UCframework

Why?(1/3)

•  Apossiblesolu3onheuris3c:–  IdealizethecryptotoolsinaprotocolandthenapplyyourfavoriteGTsoluIonconcepttotheidealizedprotocol

–  SincetheidealizedprotocoldoesnotrelyoncomputaIoncryptotoolsitisfreeofthedeviaIonswithnegligiblysmalladvantagewhichdisturbmostknownGTsoluIonconcepts

•  ImplicitassumpIon:Guaranteesthattherearenoproblemsbesideskey‐guessing‐likedeviaIons

Why?(2/3)

•  MightguidethedevelopmentofcomputaIonalsoluIonconcepts:– GivenGTsoluIonconceptXtrytodevelopacomputaIonalversionCX

– ThencheckifCXproducessoluIonssimilartothesoluIonsXproducesfortheidealizedprotocol

•  AssumpIon:ThecomputaIonalversionshouldbehavelikethepureGTnoIon

Why?(3/3)

•  Modularanalysisofcomplexprotocols•  GivenaprotocolusingbothsignatureandencrypIon:–  FirstidealizebothprimiIvesandgiveahopefullysimpleanalysisoftheidealizedprotocol

–  ShowthatplugginginrealsignaturespreservessoluIons

–  ShowthatplugginginrealencrypIonpreservessoluIons

–  ConcludethattherealprotocolhasthesamesoluIonsastheidealprotocol

Hope!

•  O`enacryptographicanalysis(honestparIesversuscorruptedparIes)ofanidealizedprotocolcanbeproventogivesoundconclusionsaboutthereal‐lifeprotocol– Signatures– EncrypIon– Zero‐knowledgeproofofknowledge

– Zero‐knowledgeproofofcorrectness

Claims

•  Thesolu3onheuris3cislikelytogivewrongconclusions

•  ComparisontoidealizaIonisnotagoodsanitycheckforcomputaIonalsoluIonconcepts

•  ComputaIonalsoluIonconceptsmustbedevelopedcauIouslyandhavetheirowncomputaIonalepistemologies

•  A`erdevelopinggoodcomputaIonalsoluIonconceptsidealizaIonispossibleasatoolformodularanalysis

“ProofbyExample”

•  Willtrytoarguemypointby“solving”asmallgameinthreedifferentseengs

•  WillseethatwegetdramaIcallydifferentsoluIonsdependingonwhetherweidealizecryptoornot

•  AndthesoluIoncalledbytheidealizedanalysisisarguablythewrongone

Overview

21 32:(g,b)

4:g1 4:(g3,b3)

1:signal

3:communica3on 3:comm.

Goodchoice

Badchoice

AFewPennies

•  Good&bad:P2playsg{1,2,3}andb{1,2,3}\{g}•  Guess:P1playsg1{1,2,3}•  Guess:P3playsg3{1,2,3,a}andb3{1,2,3}•  Abstain:IfP3playsaallparIesgetuIlity0•  Avoidbad:Ifg1=borg3=bthenP1andP3dieandP2wins

theworld•  Knowbad:SameifP3doesnotabstainandb3b•  Coordinate:Ifg1,g3{1,2,3}\{b}andb3=b,thenP1andP3

getaposiIveuIlityfromg1=g3butP2prefersg1g3–  P1hasnegaIveuIlityong1g3butP3doesnot,thoughhe

prefersg1=g3–  AndP1preferstomatchong

PlayedinaNetwork

•  BeforeP2specifies(g,b):– P1cansendasignaltoP3•  AlsoseenbyP2

•  ThenP1learns(g,b)butP3doesnot•  A`erP2specifies(g,b):– P1cansendamessagetoP2•  NotseenbyP3

– P2andP3cancommunicatewitheachother•  NotseenbyP1

Recap

21 32:(g,b)

4:g1 4:(g3,b3)

1:signal

3:comm. 3:comm.

Goodchoice

Badchoice

21 3(g,b)

g1 (g3,b3)

signal

comm comm

•  Abstain:g3=a:u1=u2=u3=0

•  Avoid:g1=borg3=b:u1=u3=‐,u2=

•  Know:g3a,b3b:u1=u3=‐,u2=

•  Otherwise:

•  g1g3: u1=‐2 u2=3 u3=0•  g1=g3=g: u1=1 u2=1 u3=1

•  g1=g3g: u1=0 u2=2 u3=1

Good

Bad

21 3(g,b)

g1 (g3,b3)

signal

comm comm

•  Abstain,Avoid,Know•  g1g3:‐2 3 0•  g1=g3=g:1 1 1

•  g1=g3g:0 2 1

Good

Bad

21 3(g,b)

g1 (g3,b3)

signal

comm comm

•  Abstain,Avoid,Know•  g1g3:‐2 3 0•  g1=g3=g:1 1 1

•  g1=g3g:0 2 1

•  Willdrawconclusionsfromthisgamebyinformallysolvingitusing“commonknowledgeofraIonality”inthefollowingseengs:1.  Arbitrarystrategies2.  Idealizedsignatures3.  Poly‐Imestrategies

Good

Bad

21 3(g,b)

g1 (g3,b3)

signal

comm comm

•  Abstain,Avoid,Know•  g1g3:‐2 3 0•  g1=g3=g:1 1 1

•  g1=g3g:0 2 1

•  Ifg3ainsomeNE(withposiIveprobability)givensome(signal,b)thenP2gainsbyshi`ingtothestrategywhereitpicksb=g3whenitseessignalandthenshowsP3communicaIonwiththedistribuIonitwouldhaveseenifP2hadplayedaccordingtotheNE

ArbitrarydeviaIonsCommonknowledgeofraIonality

Alwaysabstain

Good

Bad

•  Abstain,Avoid,Know•  g1g3:‐2 3 0•  g1=g3=g:1 1 1

•  g1=g3g:0 2 1

Good

Bad

21 3(g,b)

g1 (g3,b3)

signal

comm comm

•  “RaIonalizable”:•  P1:signal=verificaIonkeyvkofP1•  P2:pick(g,b)uniformlyatrandom•  P1:sends=sigsk(g,b)toP2•  P2:send(g,b)andstoP3ifreceived,otherwisenothing

•  P3:ifvervk((g,b),s)=acceptplayg3=gandb3=botherwiseg3=a

IdealizedsignaturesCommonknowledgeofraIonality

Neverabstain

Good

Bad

21 3(g,b)

g1 (g3,b3)

signal

comm comm

•  Abstain,Avoid,Know•  g1g3:‐2 3 0•  g1=g3=g:1 1 1

•  g1=g3g:0 2 1

•  P1:signal=verificaIonkeyvkofP1•  P2:pick(g,b)uniformlyatrandom•  P1:sends=sigsk(g,b)toP2•  P2:send(g,b)andstoP3ifreceived,otherwisenothing

•  P3:ifvervk((g,b),s)=acceptplayg3=gandb3=botherwiseg3=a

Realsignatures

P2canusestoprovetoP3thatP1signedavalueoftheform(.,b),using,e.g.,a

zero‐knowledgeproof

WhenP3knowsbbutnotgitshouldplay

“matchingpennies”withP2usingarandomg3,whichgivesP2higherpayoffbutgivesP1anegaIvepayoff

HenceraIonalforP1nottogiveanyverifiableinformaIononbaway

HenceP3willabstain

CommonknowledgeofraIonalityAlwaysabstain

WhatwentWrong?

•  IdealizaIonofsignatureshavebeenprovensoundincryptography,sowhatwentwrong?

•  P2canprovetoP3thatP1sentbwhilehidinggandthusrenegoIateP3intoastrategywhichisanadvantageforP2

•  CryptographyhasacentralizedadversarywhocontrolsandcoordinatesallcorruptedparIes,hencetheuseofcryptography“internaltothedeviaIon”doesnotgiveextrapowertotheadversarycomparedtotheidealizedcase

Conclusion1

•  TheheurisIcsoluIonconceptcaneasilygive“very”wrongsoluIons– Athree‐party,simultaneousmutualconflict/mutualadvantageofcooperaIonseeng,liketheoneused,canariseinmanyseengsandmightevenbesubtlyhidden

•  SeemshardtojudgewhetheraprotocolcanbesoundlyanalyzedusingtheheurisIc,sobekerjustabstainfromdoingit

Conclusion2

•  ItdoesnotseemasawayouttomakemoreinvolvedidealizaIonswhich,e.g.,allows“spliIng”ofsignaturesaswedidintheexample– TheidealizaIonwouldprobablyendupbeingmorecomplicatedthanthereal‐lifetool

– TheidealizaIonwouldhavetobeheadon:allowallpossibleusesandmisusesandnothingelsetohopeforsoundness

Conclusion3

•  ComparisontohowGTsoluIonconceptsbehaveonidealizedprotocolsisnotagoodsanitycheckforproposedcomputaIonalsoluIonconcepts–  InourcasethecomputaIonalnoIonshouldexactlygiveanothersoluIon

Conclusion4

•  TheredoesnotseemtobeawayaroundcauIouslydevelopingcomputaIonalsoluIonconceptsandtrytogiveepistemicmodelsbasedonboundedraIonality

TheGoodNews

•  ModularanalysisviaidealizaIonispossibleforComputaIonalNashEquilibrium(CNE)– OnlyreasonsviasingleagentdeviaIon– HencecryptocannotbeusedtofacilitatedeviaIons

•  In[PeterBroMiltersen,JesperBuusNielsen,NikosTriandopoulos:Privacy‐EnhancingAucIonsUsingRaIonalCryptography.CRYPTO2009]weshowacryptographicaucIonprotocoltobeaCNEviaasoundidealizingofthecryptoandagametheoreIcanalyzingoftheidealizedprotocol

Seeng

•  Thegoalin[MNT09]wastogiveagame‐theoreIcanalysisofaprotocolwhichnparIescanrunamongthemselvesontheInternettoemulateatrustedmediator– TheyshouldenduphavingsignedcontractsfromallotherparIesontheiroutcomestoavoiddisputesa`erthegameisover

– TheparIesareallowedtohaveprivacyconcerns,e.g.,toprefertokeeptheirtypesecretoverleakingit

AnalyIcTechnique

•  WeuseanoIonofprotocolgame,whichallowstomodelbothatrustedmediatorandtheInternetinaunifiedmanner

•  WethenrelatetheproperIesofthereal‐lifeprotocoltothemediatedcaseandconcludethatthereal‐lifeprotocolisasstableasthemediatedcaseandgivesthesameuIlityprofile–  ImpliesthatitleaksnomoreinformaIon,astheuIlityassociatedtoinformaIonloss/collecIoniscapturedintheuIlityfuncIons

ProtocolGames

C

n

1

t1 tn

L1 Ln

o1 on

communicaIondeviceparty party

fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)

MediaIon

(o1,…,on)=M(b1,…,bn)

n

1

t1 tn

L1 Ln

o1 on

party party

fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)

b1 bn

InternetContractGames

n

1

t1 tn

L1 Ln

o1 on

PlaysCA,seengupPKI

AllowscommunicaIonbetweenparIes

CallsoutcomeoiifPireturnsasignatureonoifromallparIes

party party

fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)

ImportantDesignChoices

•  SametypeprofileTmakessenseinallseengs•  Outcomeiscalledbythedeviceaslastroundofoutputs,sowell‐definedinallseengs

•  LocalinformaIonisoutputbetheparIes,sowell‐definedinallseengs

•  So,sameu=f+Imakessenseinallseengs•  WecankeeptypesanduIliIesfixedandrelatedifferentstrategiesindifferentseengs– Wecantalkaboutwhetheritisbekertoplaysomegivenstrategyinthereal‐lifeseengthanitistoplaysomeotherstrategyintheidealseeng

NashImplementaIon

•  FixTandf=(f1,…,fn)•  Wesaythat(C,)isat‐resilientprivacy‐enhancedNashimplementaFonof(D,),wriSen(C,)t,T,r(D,),ifforalladmissibleIandu=f+Iitholdsthat:

•  NolessuFlity:ForallPi:ui(T,C,)ui(T,D,)‐

•  NomoreincenFvetodeviate:ForallC{1,…,n}with|C|tandallC

*thereexistsC*

suchthatui(T,D,(C*,‐C))ui(T,C,(C

*,‐

C))‐foralliC

TheResultinthePaper

•  WeconstructforeachmechanismMacontractgamefortheInternetwhichisan(n‐1)‐resilientprivacy‐enhancedNashimplementaIonoftheideallymediatedseengforMifallparIeshaveexinterimstrictraIonality

Property1ofNashImplementaIon

•  If(C,)isan‐NE(toleraIngcollusionsofsizet)and(C,)t,T,r(D,)then(D,)isan‐NE(toleraIngcollusionsofsizet)– Allowstoli`analysisfromanidealseengtoareal‐lifeseeng

•  So,any‐NEforthemediatedseeng(withexinterimstrictraIonality)isalsoa‐NEintheInternetcontractgame

Property2ofNashImplementaIon

•  If (C,)t,T,r(D,)and (D,)t,T,r(E,)

then (C,)t,T,r(E,)•  ThisallowsamodularanalysisgoingfromthemediatedseengtotheInternetseengviagraduallymorerefinedseengs(introducing,e.g.,onecryptoprimiIveataIme)

…

•  ThenoIonofNashimplementaIonisatrivialadopIonofthenoIonNEfromintra‐gameanalysistointer‐gameanalysis

•  YetitallowstodomodularanalysiswithmuchthesameflavorasmodularanalysisincryptoviaidealizaIon

•  ThereisjusIfiedhopethatothergoodcomputaIonalsoluIonconceptswillallowsimilarli`ingtointer‐gameanalysisandhenceallowmodularanalysis

•  WejustneedsomegoodcomputaIonalsoluIonconcepts…