Mehrdad Nojoumian

Mehrdad Nojoumian Department of Computer Science Florida Atlantic University, USA

Douglas R. Stinson

David R. Cheriton School of Computer Science University of Waterloo, Canada

GAMES 2016

Maastricht, The Netherlands

From Rational Secret Sharing to Social and Socio-Rational Secret Sharing

Mehrdad Nojoumian

Secret Sharing in a Multidisciplinary Model

2

Mehrdad Nojoumian

Trust and Reputation Systems

Ø  Trust versus Reputation:

ü  Trust is a personal quantity, created between “2” players, whereas

ü  Reputation is a social quantity in a network of “n” players.

Ø  Trust Function: Let Τij (p) be the trust value assigned by player Pj to Pi

in period “p”. Let Τi be the trust function representing the reputation of Pi.

Example:

If all players have an equal view, trust = reputation. 3

A1

A2

A3

A4

0.4

0.5

0.6

j=1

n Τ4 (p) = 1/(4-1) ∑ Τ4

j (p) = 1/3 (0.4 + 0.5 + 0.6) = 0.5

Mehrdad Nojoumian

Review of a Well-Known Solution

Ø  Previous Solution: trust value T(p+1) is given by the following equations and it depends on the previous trust rating where: α ≥ 0 and β ≤ 0 [CIA’00].

4

T(p) Cooperation Defection > 0 T(p) + α (1-T(p)) (T(p) + β) / (1- min{ |T(p)| , |β| }) < 0 (T(p) + α ) / (1 - min{ |T(p)| , |α| }) T(p) + β (1+T(p)) = 0 α β

00.010.020.030.040.050.060.070.080.090.1

Plus

-1 -0.8 -0.6 -0.4 -0.2 -0.1 -0 0.1 0.3 0.5 0.7 0.9

Trust Value

CooperationT(p) < 0

T(p) = 0

T(p) > 0

-0.25

-0.2

-0.15

-0.1

-0.05

0

Minus

-1 -0.7 -0.4 -0.1 0.08 0.2 0.5 0.8

Trust Value

DefectionT(p) < 0

T(p) = 0

T(p) > 0

Mehrdad Nojoumian

Our Trust Model Ø  Our Function is not just a function of a single round, but of the history:

ü  Reward more (or same) the better a participant is, ü  Penalize more (or same) the worse a participant is.

5

Discourage Reward TGood Pi ∈ (α,+1]

Opportunities Give/Take T New Pi: [β,α]

Penalize Encourage TBad Pi ∈ [-1,β) Defection Cooperation Trust Value

00.010.020.030.040.050.060.070.080.09

Plus

-1 -0.7 -0.4 -0.1 0.05 0.3 0.6 0.9 0.98

Trust Value

CooperationBad Pi (C)

Newcomer Pi (C)

Good Pi (C)

-0.09-0.08-0.07-0.06-0.05-0.04-0.03-0.02-0.01

0

Minus

-1 -0.9 -0.7 -0.4 -0.1 0.0 0.3 0.6 0.9

Trust Value

DefectionBad Pi (D)

Newcomer Pi (D)

Good Pi (D)

λ

λ

Mehrdad Nojoumian

Intuition and Motivation

6

There exist some common principles for trust modeling A lies to B for the 1st time: defection

A lies to B for the 2nd time: same defection + past history A cheat on B: costly defection

Impact of the brain’s history

λ

Mehrdad Nojoumian

Shamir Secret Sharing

1.  Sharing: a secret is divided into n shares in order to be distributed among n players.

2.  Reconstruction: an authorize subset of players then cooperate to reveal the secret, e.g., t players where t < n is the threshold.

Example: t = 2 points are sufficient to define a line:

( 1, 2 ), ( 2, 3 ), ( 3, 4 ), ( 4, 5 ) à y = x+1

t = 3 points are sufficient to define a parabola.

t = 4 points are sufficient to define a cubic curve.

In general, it takes t points to define a polynomial of degree t-1.

7

Secret = 1

Mehrdad Nojoumian

Application of Secret Sharing

Ø  Secure Multiparty Computation: compute ƒ with private inputs.

Ø  Sealed-Bid Auctions: preserve the privacy of different parameters.

ü  Secrecy of the selling price and winner’s identity are optional.

ü  To have a fair auction, confidentiality of the losing bids is important:

They can be used in future auctions and negotiations by different parties, e.g., auctioneers to maximize their revenues or competitors to win the auction.

8

ƒ(x1, …, xn)

reconstruction

P2 : x2

P1: x1

Pn : xn

sharing …

computation

+ …

× …

Sealed-Bid 1st-Price Auctions: the bidder who proposes the highest bid β wins & pays $β.

Mehrdad Nojoumian

Rational Secret Sharing

Ø  Problem: the players deny to reveal their shares in the secret recovery phase, therefore, the secret is not reconstructed at all.

Example: f (x) = 3 + 2 x + x2 à t=3 shares are enough for recovery.

ü  Model: players are selfish rather than being honest or malicious. If all

players act selfishly, secret recovery fails.

Ø  Solution:

9

Pi

Pj

Pk 6 11 only Pk learns the secret “3” 6

11 18

selfish

unknown real recovery round fake secret recovery rounds

…

Mehrdad Nojoumian

STOC’04 Paper Ø  Problem: 3-out-of-3 rational secret sharing.

Ø  Solution: a multi-round recovery approach.

1.  In each round, dealer initiates a fresh secret sharing of the same secret.

2.  During an iteration, each Pi flips a biased coin ci with Pr[ci = 1] = α.

3.  Players then compute c* = ⊕ ci by MPC without revealing ci-s.

4.  If c* = ci = 1, player Pi broadcast his share. There are 3 possibilities:

a.  If all shares are revealed, the secret is recovered and the protocol ends.

b.  If c* = 1 and 0 or 2 shares are revealed, players terminate the protocol.

c.  In any other cases, the dealer and players proceed to the next round.

10

c1 c2 c3 ⊕ci reveal 0 0 0 0 - 0 0 1 1 s3 0 1 0 1 s2 0 1 1 0 - 1 0 0 1 s1 1 0 1 0 - 1 1 0 0 - 1 1 1 1 s1,s2,s3

P1 P2 P3

s1 s2 s3 all players are selfish

3

0

0

0 0

1

1

1 1

0 , 2

0

0 0

Mehrdad Nojoumian

Socio-Rational Secret Sharing

Ø Motivation: we would like to consider a repeated secret sharing

game where players enter into a long-term interaction for executing

an unknown number of independent secret sharing schemes.

Ø Contribution: a public trust network is constructed to incentivize

players to be cooperative, i.e., they can then gain extra utilities. In

other words, players avoid selfish behaviors due to the social

reinforcement of the trust network.

11

Mehrdad Nojoumian

Application in Repeated Games

Ø  Sealed-Bid Auctions: consider a repeated secret sharing game.

1.  Bidders select “n” out of “N” auctioneers based on their reputation.

2.  Each bidder then acts as an independent dealer and shares his bid.

3.  Auctioneers simulate a secure MPC protocol to define the outcome.

4.  In the last round of the MPC, they need to recover the selling price.

ü  Only auctioneers who learn (report) the selling price are rewarded.

ü  At the end of each game, the reputation of each auctioneer is updated.

12

Mehrdad Nojoumian

Our Construction in Nutshell

Ø  Utility Estimation Function: is used by a rational foresighted player.

ü  Estimation of the future gain/loss due to the trust adjustment (virtual).

ü  Learning the secret at the current time (real).

ü  The number of other players learning the secret at the moment (real).

Ø  Prominent Properties: our solution

ü  Has a single reconstruction round.

ü  Provides a stable solution concept.

ü  Is immune to rushing attack.

ü  Prevents the players to abort. 13

deci

sion

mak

ing

$

despite all the existing protocols

Mehrdad Nojoumian

Utility Assumption

Ø  Rational vs Socio-Rational Secret Sharing: : whether Pi has learned the secret or not, and let .

1.  The first preference illustrates that whether Pi learns the secret or not, he prefers to stay reputable.

2.  The second assumption means Pi prefers the outcome in which he learns the secret.

3.  The third one means Pi prefers the outcome in which the fewest number of other players learn the secret.

14

Socio-Rational

Rat

iona

l

Mehrdad Nojoumian

Utility Computation Ø  Sample Function: which satisfies our utility assumptions.

15

assume Pi has contributed in two consecutive periods p and p-1

ωi ∈ [1 , 3]

[-3 , -1] or [1 , 3]

Ω = $100

ui  ’

Mehrdad Nojoumian

Protocol: Socio-Rational SS

16

1.  Sharing Phase:

Non-reputable Newcomer Reputable

%10 %30 %60

Mehrdad Nojoumian

Protocol: Socio-Rational SS

17

2.  Reconstruction Phase:

consider the current and a few games further

only consider the current game

Action Profile Reputation Profile Three Actions

Mehrdad Nojoumian

(2,2)- Secret Sharing with Selfish Players (2,2)- Socio-Rational Secret Sharing

Comparison

Ø  (2,2)-Socio-Rational Secret Sharing: despite rational secret sharing, Cooperation is always the best strategy even if the other party defects.

Ø  Utility Comparison: where

18

Mehrdad Nojoumian

Intuition and Motivation

19

Reputation is a key point for having a successful social collaboration

Rational players should have a long-term vision

as reputable persons or companies gain more profit all the time

Mehrdad Nojoumian

Thank You Very Much

More Resources:

ü  Nojoumian M. and Stinson D. R., Socio-Rational Secret Sharing as a New Direction in Rational Cryptography, 3rd Conference on Decision and Game Theory for Security (GameSec), Springer LNCS 7638, pp. 18-37, Budapest, Hungary, 2012.

ü  Nojoumian M., Novel Secret Sharing and Commitment Schemes for Cryptographic Applications, PhD Thesis, David R. Cheriton School of Computer Science, U of Waterloo, Canada, 2012.

ü  Nojoumian M. and Stinson D. R., Social Secret Sharing in Cloud Computing Using a New Trust Function, 10th IEEE Annual Conference on Privacy, Security and Trust (PST), pp. 161-167, Paris, France, 2012.

ü  Nojoumian M., Stinson D. R., and Grainger M., Unconditionally Secure Social Secret Sharing Scheme, IET Information Security (IFS), vol. 4, issue 4, pp. 202-211, 2010.

ü  Nojoumian M. and Stinson D. R., Brief Announcement: Secret Sharing Based on the Social Behaviors of Players, 29th ACM Symposium on Principles of Distributed Computing (PODC), pp. 239-240, Zurich, Switzerland, 2010.

ü  Nojoumian M. and Lethbridge T. C., A New Approach for the Trust Calculation in Social Networks, 3rd International Conference on E-Business (ICE-B), pp. 257-264, Setubal, Portugal, 2006.

20