from rational secret sharing to social and socio-rational...
TRANSCRIPT
Mehrdad Nojoumian
Mehrdad Nojoumian Department of Computer Science Florida Atlantic University, USA
Douglas R. Stinson
David R. Cheriton School of Computer Science University of Waterloo, Canada
GAMES 2016
Maastricht, The Netherlands
From Rational Secret Sharing to Social and Socio-Rational Secret Sharing
Mehrdad Nojoumian
Secret Sharing in a Multidisciplinary Model
2
Mehrdad Nojoumian
Trust and Reputation Systems
Ø Trust versus Reputation:
ü Trust is a personal quantity, created between “2” players, whereas
ü Reputation is a social quantity in a network of “n” players.
Ø Trust Function: Let Τij (p) be the trust value assigned by player Pj to Pi
in period “p”. Let Τi be the trust function representing the reputation of Pi.
Example:
If all players have an equal view, trust = reputation. 3
A1
A2
A3
A4
0.4
0.5
0.6
j=1
n Τ4 (p) = 1/(4-1) ∑ Τ4
j (p) = 1/3 (0.4 + 0.5 + 0.6) = 0.5
Mehrdad Nojoumian
Review of a Well-Known Solution
Ø Previous Solution: trust value T(p+1) is given by the following equations and it depends on the previous trust rating where: α ≥ 0 and β ≤ 0 [CIA’00].
4
T(p) Cooperation Defection > 0 T(p) + α (1-T(p)) (T(p) + β) / (1- min{ |T(p)| , |β| }) < 0 (T(p) + α ) / (1 - min{ |T(p)| , |α| }) T(p) + β (1+T(p)) = 0 α β
00.010.020.030.040.050.060.070.080.090.1
Plus
-1 -0.8 -0.6 -0.4 -0.2 -0.1 -0 0.1 0.3 0.5 0.7 0.9
Trust Value
CooperationT(p) < 0
T(p) = 0
T(p) > 0
-0.25
-0.2
-0.15
-0.1
-0.05
0
Minus
-1 -0.7 -0.4 -0.1 0.08 0.2 0.5 0.8
Trust Value
DefectionT(p) < 0
T(p) = 0
T(p) > 0
Mehrdad Nojoumian
Our Trust Model Ø Our Function is not just a function of a single round, but of the history:
ü Reward more (or same) the better a participant is, ü Penalize more (or same) the worse a participant is.
5
Discourage Reward TGood Pi ∈ (α,+1]
Opportunities Give/Take T New Pi: [β,α]
Penalize Encourage TBad Pi ∈ [-1,β) Defection Cooperation Trust Value
00.010.020.030.040.050.060.070.080.09
Plus
-1 -0.7 -0.4 -0.1 0.05 0.3 0.6 0.9 0.98
Trust Value
CooperationBad Pi (C)
Newcomer Pi (C)
Good Pi (C)
-0.09-0.08-0.07-0.06-0.05-0.04-0.03-0.02-0.01
0
Minus
-1 -0.9 -0.7 -0.4 -0.1 0.0 0.3 0.6 0.9
Trust Value
DefectionBad Pi (D)
Newcomer Pi (D)
Good Pi (D)
λ
λ
Mehrdad Nojoumian
Intuition and Motivation
6
There exist some common principles for trust modeling A lies to B for the 1st time: defection
A lies to B for the 2nd time: same defection + past history A cheat on B: costly defection
Impact of the brain’s history
λ
Mehrdad Nojoumian
Shamir Secret Sharing
1. Sharing: a secret is divided into n shares in order to be distributed among n players.
2. Reconstruction: an authorize subset of players then cooperate to reveal the secret, e.g., t players where t < n is the threshold.
Example: t = 2 points are sufficient to define a line:
( 1, 2 ), ( 2, 3 ), ( 3, 4 ), ( 4, 5 ) à y = x+1
t = 3 points are sufficient to define a parabola.
t = 4 points are sufficient to define a cubic curve.
In general, it takes t points to define a polynomial of degree t-1.
7
Secret = 1
Mehrdad Nojoumian
Application of Secret Sharing
Ø Secure Multiparty Computation: compute ƒ with private inputs.
Ø Sealed-Bid Auctions: preserve the privacy of different parameters.
ü Secrecy of the selling price and winner’s identity are optional.
ü To have a fair auction, confidentiality of the losing bids is important:
They can be used in future auctions and negotiations by different parties, e.g., auctioneers to maximize their revenues or competitors to win the auction.
8
ƒ(x1, …, xn)
reconstruction
P2 : x2
P1: x1
Pn : xn
sharing …
computation
+ …
× …
Sealed-Bid 1st-Price Auctions: the bidder who proposes the highest bid β wins & pays $β.
Mehrdad Nojoumian
Rational Secret Sharing
Ø Problem: the players deny to reveal their shares in the secret recovery phase, therefore, the secret is not reconstructed at all.
Example: f (x) = 3 + 2 x + x2 à t=3 shares are enough for recovery.
ü Model: players are selfish rather than being honest or malicious. If all
players act selfishly, secret recovery fails.
Ø Solution:
9
Pi
Pj
Pk 6 11 only Pk learns the secret “3” 6
11 18
selfish
unknown real recovery round fake secret recovery rounds
…
Mehrdad Nojoumian
STOC’04 Paper Ø Problem: 3-out-of-3 rational secret sharing.
Ø Solution: a multi-round recovery approach.
1. In each round, dealer initiates a fresh secret sharing of the same secret.
2. During an iteration, each Pi flips a biased coin ci with Pr[ci = 1] = α.
3. Players then compute c* = ⊕ ci by MPC without revealing ci-s.
4. If c* = ci = 1, player Pi broadcast his share. There are 3 possibilities:
a. If all shares are revealed, the secret is recovered and the protocol ends.
b. If c* = 1 and 0 or 2 shares are revealed, players terminate the protocol.
c. In any other cases, the dealer and players proceed to the next round.
10
c1 c2 c3 ⊕ci reveal 0 0 0 0 - 0 0 1 1 s3 0 1 0 1 s2 0 1 1 0 - 1 0 0 1 s1 1 0 1 0 - 1 1 0 0 - 1 1 1 1 s1,s2,s3
P1 P2 P3
s1 s2 s3 all players are selfish
3
0
0
0 0
1
1
1 1
0 , 2
0
0 0
Mehrdad Nojoumian
Socio-Rational Secret Sharing
Ø Motivation: we would like to consider a repeated secret sharing
game where players enter into a long-term interaction for executing
an unknown number of independent secret sharing schemes.
Ø Contribution: a public trust network is constructed to incentivize
players to be cooperative, i.e., they can then gain extra utilities. In
other words, players avoid selfish behaviors due to the social
reinforcement of the trust network.
11
Mehrdad Nojoumian
Application in Repeated Games
Ø Sealed-Bid Auctions: consider a repeated secret sharing game.
1. Bidders select “n” out of “N” auctioneers based on their reputation.
2. Each bidder then acts as an independent dealer and shares his bid.
3. Auctioneers simulate a secure MPC protocol to define the outcome.
4. In the last round of the MPC, they need to recover the selling price.
ü Only auctioneers who learn (report) the selling price are rewarded.
ü At the end of each game, the reputation of each auctioneer is updated.
12
Mehrdad Nojoumian
Our Construction in Nutshell
Ø Utility Estimation Function: is used by a rational foresighted player.
ü Estimation of the future gain/loss due to the trust adjustment (virtual).
ü Learning the secret at the current time (real).
ü The number of other players learning the secret at the moment (real).
Ø Prominent Properties: our solution
ü Has a single reconstruction round.
ü Provides a stable solution concept.
ü Is immune to rushing attack.
ü Prevents the players to abort. 13
deci
sion
mak
ing
$
despite all the existing protocols
Mehrdad Nojoumian
Utility Assumption
Ø Rational vs Socio-Rational Secret Sharing: : whether Pi has learned the secret or not, and let .
1. The first preference illustrates that whether Pi learns the secret or not, he prefers to stay reputable.
2. The second assumption means Pi prefers the outcome in which he learns the secret.
3. The third one means Pi prefers the outcome in which the fewest number of other players learn the secret.
14
Socio-Rational
Rat
iona
l
Mehrdad Nojoumian
Utility Computation Ø Sample Function: which satisfies our utility assumptions.
15
assume Pi has contributed in two consecutive periods p and p-1
ωi ∈ [1 , 3]
[-3 , -1] or [1 , 3]
Ω = $100
ui ’
Mehrdad Nojoumian
Protocol: Socio-Rational SS
16
1. Sharing Phase:
Non-reputable Newcomer Reputable
%10 %30 %60
Mehrdad Nojoumian
Protocol: Socio-Rational SS
17
2. Reconstruction Phase:
consider the current and a few games further
only consider the current game
Action Profile Reputation Profile Three Actions
Mehrdad Nojoumian
(2,2)- Secret Sharing with Selfish Players (2,2)- Socio-Rational Secret Sharing
Comparison
Ø (2,2)-Socio-Rational Secret Sharing: despite rational secret sharing, Cooperation is always the best strategy even if the other party defects.
Ø Utility Comparison: where
18
Mehrdad Nojoumian
Intuition and Motivation
19
Reputation is a key point for having a successful social collaboration
Rational players should have a long-term vision
as reputable persons or companies gain more profit all the time
Mehrdad Nojoumian
Thank You Very Much
More Resources:
ü Nojoumian M. and Stinson D. R., Socio-Rational Secret Sharing as a New Direction in Rational Cryptography, 3rd Conference on Decision and Game Theory for Security (GameSec), Springer LNCS 7638, pp. 18-37, Budapest, Hungary, 2012.
ü Nojoumian M., Novel Secret Sharing and Commitment Schemes for Cryptographic Applications, PhD Thesis, David R. Cheriton School of Computer Science, U of Waterloo, Canada, 2012.
ü Nojoumian M. and Stinson D. R., Social Secret Sharing in Cloud Computing Using a New Trust Function, 10th IEEE Annual Conference on Privacy, Security and Trust (PST), pp. 161-167, Paris, France, 2012.
ü Nojoumian M., Stinson D. R., and Grainger M., Unconditionally Secure Social Secret Sharing Scheme, IET Information Security (IFS), vol. 4, issue 4, pp. 202-211, 2010.
ü Nojoumian M. and Stinson D. R., Brief Announcement: Secret Sharing Based on the Social Behaviors of Players, 29th ACM Symposium on Principles of Distributed Computing (PODC), pp. 239-240, Zurich, Switzerland, 2010.
ü Nojoumian M. and Lethbridge T. C., A New Approach for the Trust Calculation in Social Networks, 3rd International Conference on E-Business (ICE-B), pp. 257-264, Setubal, Portugal, 2006.
20