how to (not) analyze cryptographic protocols using game...
TRANSCRIPT
![Page 1: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/1.jpg)
Howto(not)AnalyzeCryptographicProtocolsusingGameTheory
JesperBuusNielsen
![Page 2: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/2.jpg)
MainPoints
• Idealizingcrypto:Replacereal‐lifecryptotoolsbyformalobjectsliketermalgebrasororaclestomakeanalysisofaprotocoleasier
• Commonincryptography– knowntobesoundintheusualcrazy‐versus‐stupidmodels
• ResearcherhavebeenidealizingcryptotoolsforthesakeofgametheoreIcanalysistoo– Thatistypicallynotsound
![Page 3: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/3.jpg)
Terminology:ComputaIonalSoluIonConcept
• Takescomputa3onfeasibilityintoaccount– Examples:OnlyallowpolynomialImecomputablestrategies,pricecomputaIonviatheuIlityfuncIon,discounIng,…
• Allowstheuseof(imperfect)cryptography– Example:WhenyouropponentusesencrypIonthedeviaIonwhichmakesoneguessathissecretkeyandusesthekeytobreaktheprotocoliftheguessiscorrectgivesyouasmalladvantage,sogofor‐NEfornegligiblesmalltoallowstability
– Example:UIlityofkey‐guessingsmallerthanthepriceofthecomputaIonordiscountedaway
![Page 4: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/4.jpg)
Terminology:GameTheoreIcSoluIonConcept
• AsoluIonconceptwhichallowsarbitrarystrategies
![Page 5: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/5.jpg)
IdealizingCrypto
• (Verysimple)idealizedsignatures:– TheworldhasaglobalsigningoracleOwhichallparIeshaveaccessto
– Sign:ApartyPicansendsign(m)toOwhichstores(i,(i,m))[readPihasasignatureonmfromPi]
– Transfer:IfPkinputstrans((i,m),n)toOand(k,(i,m))isstoredinO,thenOstores(n,(i,m))
– Verify:IfPkinputsverify(i,m)toOand(k,(i,m))isstoredinOthenOoutputsacceptotherwisereject
• Possibletoshowthatanycryptographicprotocolwhichissecurewhenusingtheseidealizedsignaturesisequallysecurewhentheyarereplacedbyrealsignatures– Uptonegligible– PKI+unforgeablesignatures+UCframework
![Page 6: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/6.jpg)
Why?(1/3)
• Apossiblesolu3onheuris3c:– IdealizethecryptotoolsinaprotocolandthenapplyyourfavoriteGTsoluIonconcepttotheidealizedprotocol
– SincetheidealizedprotocoldoesnotrelyoncomputaIoncryptotoolsitisfreeofthedeviaIonswithnegligiblysmalladvantagewhichdisturbmostknownGTsoluIonconcepts
• ImplicitassumpIon:Guaranteesthattherearenoproblemsbesideskey‐guessing‐likedeviaIons
![Page 7: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/7.jpg)
Why?(2/3)
• MightguidethedevelopmentofcomputaIonalsoluIonconcepts:– GivenGTsoluIonconceptXtrytodevelopacomputaIonalversionCX
– ThencheckifCXproducessoluIonssimilartothesoluIonsXproducesfortheidealizedprotocol
• AssumpIon:ThecomputaIonalversionshouldbehavelikethepureGTnoIon
![Page 8: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/8.jpg)
Why?(3/3)
• Modularanalysisofcomplexprotocols• GivenaprotocolusingbothsignatureandencrypIon:– FirstidealizebothprimiIvesandgiveahopefullysimpleanalysisoftheidealizedprotocol
– ShowthatplugginginrealsignaturespreservessoluIons
– ShowthatplugginginrealencrypIonpreservessoluIons
– ConcludethattherealprotocolhasthesamesoluIonsastheidealprotocol
![Page 9: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/9.jpg)
Hope!
• O`enacryptographicanalysis(honestparIesversuscorruptedparIes)ofanidealizedprotocolcanbeproventogivesoundconclusionsaboutthereal‐lifeprotocol– Signatures– EncrypIon– Zero‐knowledgeproofofknowledge
– Zero‐knowledgeproofofcorrectness
![Page 10: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/10.jpg)
Claims
• Thesolu3onheuris3cislikelytogivewrongconclusions
• ComparisontoidealizaIonisnotagoodsanitycheckforcomputaIonalsoluIonconcepts
• ComputaIonalsoluIonconceptsmustbedevelopedcauIouslyandhavetheirowncomputaIonalepistemologies
• A`erdevelopinggoodcomputaIonalsoluIonconceptsidealizaIonispossibleasatoolformodularanalysis
![Page 11: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/11.jpg)
“ProofbyExample”
• Willtrytoarguemypointby“solving”asmallgameinthreedifferentseengs
• WillseethatwegetdramaIcallydifferentsoluIonsdependingonwhetherweidealizecryptoornot
• AndthesoluIoncalledbytheidealizedanalysisisarguablythewrongone
![Page 12: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/12.jpg)
Overview
21 32:(g,b)
4:g1 4:(g3,b3)
1:signal
3:communica3on 3:comm.
Goodchoice
Badchoice
![Page 13: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/13.jpg)
AFewPennies
• Good&bad:P2playsg{1,2,3}andb{1,2,3}\{g}• Guess:P1playsg1{1,2,3}• Guess:P3playsg3{1,2,3,a}andb3{1,2,3}• Abstain:IfP3playsaallparIesgetuIlity0• Avoidbad:Ifg1=borg3=bthenP1andP3dieandP2wins
theworld• Knowbad:SameifP3doesnotabstainandb3b• Coordinate:Ifg1,g3{1,2,3}\{b}andb3=b,thenP1andP3
getaposiIveuIlityfromg1=g3butP2prefersg1g3– P1hasnegaIveuIlityong1g3butP3doesnot,thoughhe
prefersg1=g3– AndP1preferstomatchong
![Page 14: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/14.jpg)
PlayedinaNetwork
• BeforeP2specifies(g,b):– P1cansendasignaltoP3• AlsoseenbyP2
• ThenP1learns(g,b)butP3doesnot• A`erP2specifies(g,b):– P1cansendamessagetoP2• NotseenbyP3
– P2andP3cancommunicatewitheachother• NotseenbyP1
![Page 15: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/15.jpg)
Recap
21 32:(g,b)
4:g1 4:(g3,b3)
1:signal
3:comm. 3:comm.
Goodchoice
Badchoice
![Page 16: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/16.jpg)
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain:g3=a:u1=u2=u3=0
• Avoid:g1=borg3=b:u1=u3=‐,u2=
• Know:g3a,b3b:u1=u3=‐,u2=
• Otherwise:
• g1g3: u1=‐2 u2=3 u3=0• g1=g3=g: u1=1 u2=1 u3=1
• g1=g3g: u1=0 u2=2 u3=1
Good
Bad
![Page 17: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/17.jpg)
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
Good
Bad
![Page 18: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/18.jpg)
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
• Willdrawconclusionsfromthisgamebyinformallysolvingitusing“commonknowledgeofraIonality”inthefollowingseengs:1. Arbitrarystrategies2. Idealizedsignatures3. Poly‐Imestrategies
Good
Bad
![Page 19: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/19.jpg)
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
• Ifg3ainsomeNE(withposiIveprobability)givensome(signal,b)thenP2gainsbyshi`ingtothestrategywhereitpicksb=g3whenitseessignalandthenshowsP3communicaIonwiththedistribuIonitwouldhaveseenifP2hadplayedaccordingtotheNE
ArbitrarydeviaIonsCommonknowledgeofraIonality
Alwaysabstain
Good
Bad
![Page 20: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/20.jpg)
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• “RaIonalizable”:• P1:signal=verificaIonkeyvkofP1• P2:pick(g,b)uniformlyatrandom• P1:sends=sigsk(g,b)toP2• P2:send(g,b)andstoP3ifreceived,otherwisenothing
• P3:ifvervk((g,b),s)=acceptplayg3=gandb3=botherwiseg3=a
IdealizedsignaturesCommonknowledgeofraIonality
Neverabstain
![Page 21: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/21.jpg)
Good
Bad
21 3(g,b)
g1 (g3,b3)
signal
comm comm
• Abstain,Avoid,Know• g1g3:‐2 3 0• g1=g3=g:1 1 1
• g1=g3g:0 2 1
• P1:signal=verificaIonkeyvkofP1• P2:pick(g,b)uniformlyatrandom• P1:sends=sigsk(g,b)toP2• P2:send(g,b)andstoP3ifreceived,otherwisenothing
• P3:ifvervk((g,b),s)=acceptplayg3=gandb3=botherwiseg3=a
Realsignatures
P2canusestoprovetoP3thatP1signedavalueoftheform(.,b),using,e.g.,a
zero‐knowledgeproof
WhenP3knowsbbutnotgitshouldplay
“matchingpennies”withP2usingarandomg3,whichgivesP2higherpayoffbutgivesP1anegaIvepayoff
HenceraIonalforP1nottogiveanyverifiableinformaIononbaway
HenceP3willabstain
CommonknowledgeofraIonalityAlwaysabstain
![Page 22: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/22.jpg)
WhatwentWrong?
• IdealizaIonofsignatureshavebeenprovensoundincryptography,sowhatwentwrong?
• P2canprovetoP3thatP1sentbwhilehidinggandthusrenegoIateP3intoastrategywhichisanadvantageforP2
• CryptographyhasacentralizedadversarywhocontrolsandcoordinatesallcorruptedparIes,hencetheuseofcryptography“internaltothedeviaIon”doesnotgiveextrapowertotheadversarycomparedtotheidealizedcase
![Page 23: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/23.jpg)
Conclusion1
• TheheurisIcsoluIonconceptcaneasilygive“very”wrongsoluIons– Athree‐party,simultaneousmutualconflict/mutualadvantageofcooperaIonseeng,liketheoneused,canariseinmanyseengsandmightevenbesubtlyhidden
• SeemshardtojudgewhetheraprotocolcanbesoundlyanalyzedusingtheheurisIc,sobekerjustabstainfromdoingit
![Page 24: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/24.jpg)
Conclusion2
• ItdoesnotseemasawayouttomakemoreinvolvedidealizaIonswhich,e.g.,allows“spliIng”ofsignaturesaswedidintheexample– TheidealizaIonwouldprobablyendupbeingmorecomplicatedthanthereal‐lifetool
– TheidealizaIonwouldhavetobeheadon:allowallpossibleusesandmisusesandnothingelsetohopeforsoundness
![Page 25: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/25.jpg)
Conclusion3
• ComparisontohowGTsoluIonconceptsbehaveonidealizedprotocolsisnotagoodsanitycheckforproposedcomputaIonalsoluIonconcepts– InourcasethecomputaIonalnoIonshouldexactlygiveanothersoluIon
![Page 26: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/26.jpg)
Conclusion4
• TheredoesnotseemtobeawayaroundcauIouslydevelopingcomputaIonalsoluIonconceptsandtrytogiveepistemicmodelsbasedonboundedraIonality
![Page 27: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/27.jpg)
TheGoodNews
• ModularanalysisviaidealizaIonispossibleforComputaIonalNashEquilibrium(CNE)– OnlyreasonsviasingleagentdeviaIon– HencecryptocannotbeusedtofacilitatedeviaIons
• In[PeterBroMiltersen,JesperBuusNielsen,NikosTriandopoulos:Privacy‐EnhancingAucIonsUsingRaIonalCryptography.CRYPTO2009]weshowacryptographicaucIonprotocoltobeaCNEviaasoundidealizingofthecryptoandagametheoreIcanalyzingoftheidealizedprotocol
![Page 28: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/28.jpg)
Seeng
• Thegoalin[MNT09]wastogiveagame‐theoreIcanalysisofaprotocolwhichnparIescanrunamongthemselvesontheInternettoemulateatrustedmediator– TheyshouldenduphavingsignedcontractsfromallotherparIesontheiroutcomestoavoiddisputesa`erthegameisover
– TheparIesareallowedtohaveprivacyconcerns,e.g.,toprefertokeeptheirtypesecretoverleakingit
![Page 29: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/29.jpg)
AnalyIcTechnique
• WeuseanoIonofprotocolgame,whichallowstomodelbothatrustedmediatorandtheInternetinaunifiedmanner
• WethenrelatetheproperIesofthereal‐lifeprotocoltothemediatedcaseandconcludethatthereal‐lifeprotocolisasstableasthemediatedcaseandgivesthesameuIlityprofile– ImpliesthatitleaksnomoreinformaIon,astheuIlityassociatedtoinformaIonloss/collecIoniscapturedintheuIlityfuncIons
![Page 30: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/30.jpg)
ProtocolGames
C
n
1
t1 tn
L1 Ln
o1 on
communicaIondeviceparty party
fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)
![Page 31: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/31.jpg)
MediaIon
(o1,…,on)=M(b1,…,bn)
n
1
t1 tn
L1 Ln
o1 on
party party
fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)
b1 bn
![Page 32: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/32.jpg)
InternetContractGames
n
1
t1 tn
L1 Ln
o1 on
PlaysCA,seengupPKI
AllowscommunicaIonbetweenparIes
CallsoutcomeoiifPireturnsasignatureonoifromallparIes
party party
fiscaluIlity:fi(t,o)informaIonuIlity:Ii(t,L)uIlity:ui(t,o,L)=fi(t,o)+Ii(t,L)
![Page 33: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/33.jpg)
ImportantDesignChoices
• SametypeprofileTmakessenseinallseengs• Outcomeiscalledbythedeviceaslastroundofoutputs,sowell‐definedinallseengs
• LocalinformaIonisoutputbetheparIes,sowell‐definedinallseengs
• So,sameu=f+Imakessenseinallseengs• WecankeeptypesanduIliIesfixedandrelatedifferentstrategiesindifferentseengs– Wecantalkaboutwhetheritisbekertoplaysomegivenstrategyinthereal‐lifeseengthanitistoplaysomeotherstrategyintheidealseeng
![Page 34: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/34.jpg)
NashImplementaIon
• FixTandf=(f1,…,fn)• Wesaythat(C,)isat‐resilientprivacy‐enhancedNashimplementaFonof(D,),wriSen(C,)t,T,r(D,),ifforalladmissibleIandu=f+Iitholdsthat:
• NolessuFlity:ForallPi:ui(T,C,)ui(T,D,)‐
• NomoreincenFvetodeviate:ForallC{1,…,n}with|C|tandallC
*thereexistsC*
suchthatui(T,D,(C*,‐C))ui(T,C,(C
*,‐
C))‐foralliC
![Page 35: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/35.jpg)
TheResultinthePaper
• WeconstructforeachmechanismMacontractgamefortheInternetwhichisan(n‐1)‐resilientprivacy‐enhancedNashimplementaIonoftheideallymediatedseengforMifallparIeshaveexinterimstrictraIonality
![Page 36: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/36.jpg)
Property1ofNashImplementaIon
• If(C,)isan‐NE(toleraIngcollusionsofsizet)and(C,)t,T,r(D,)then(D,)isan‐NE(toleraIngcollusionsofsizet)– Allowstoli`analysisfromanidealseengtoareal‐lifeseeng
• So,any‐NEforthemediatedseeng(withexinterimstrictraIonality)isalsoa‐NEintheInternetcontractgame
![Page 37: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/37.jpg)
Property2ofNashImplementaIon
• If (C,)t,T,r(D,)and (D,)t,T,r(E,)
then (C,)t,T,r(E,)• ThisallowsamodularanalysisgoingfromthemediatedseengtotheInternetseengviagraduallymorerefinedseengs(introducing,e.g.,onecryptoprimiIveataIme)
![Page 38: How to (not) Analyze Cryptographic Protocols using Game …cs.au.dk/.../Cryptographic_protocols_game_theory_Jesper_Buus_Ni…Main Points • Idealizing crypto: Replace real‐life](https://reader034.vdocuments.net/reader034/viewer/2022042605/5aff53567f8b9a68498f9560/html5/thumbnails/38.jpg)
…
• ThenoIonofNashimplementaIonisatrivialadopIonofthenoIonNEfromintra‐gameanalysistointer‐gameanalysis
• YetitallowstodomodularanalysiswithmuchthesameflavorasmodularanalysisincryptoviaidealizaIon
• ThereisjusIfiedhopethatothergoodcomputaIonalsoluIonconceptswillallowsimilarli`ingtointer‐gameanalysisandhenceallowmodularanalysis
• WejustneedsomegoodcomputaIonalsoluIonconcepts…