Rational Secret Sharing and Multiparty Computationby J.Halpern and V.Teague

DANSS ColloquiumBy Prof. Danny Dolev

Presented by Rica Gonen 

The Rational Secret Sharing Problem

• Shamir’s secret-sharing scheme– allows a player to share a secret s– among n other players, – so that any m of them can reconstruct it.– The idea is:

• Player 0 (who wants to share the secret)• Chooses an m-1 degree polynomial f

–

• Tell player i– For i=1,…,n;– is player i’s share of the secret.

• Any m players can recover the secret by reconstructing the polynomial

– Lagrange interpolation• Any subset of size less than m does not know the secret.

0f s f i

f i

The Rational Secret Sharing Problem (cont)• The underlying idea of Shamir’s protocol

– Of the n players at most n-m are “bad’.• “Bad players might not cooperate • “Good” players will follow the protocol

– It guarantees that the bad players cannot stop the good players from reconstructing the secret.

• What if there are no “good” and “bad” players but just selfish players?– Selfish players have preferences over outcomes.– They follow the protocol iff following the protocol

increases their expected utility.

The Rational Secret Sharing Problem (cont)• Two assumptions under which Shamir’s scheme breaks:

– Assumption (1)

• the selfish players preferences are:• Primarily prefers to get the secret to not getting it.• Secondarily prefers that as few as possible of the

other players get it.

– Assumption (2) • players pool their share of the secret by

broadcasting (simultaneously) a message with their share.

6 13 32 34

The Rational Secret Sharing Problem (cont)• Problem with Shamir’s secret-sharing scheme• Rational players will not broadcast their shares.

– Consider player 1’s situation: either m-1 other players broadcast their share, or they don’t.

– Whether or not player 1 send the share does not affect whether others send theirs.

– If player 1 send her share other players will learn the secret

– If player 1 does not send her share either only player 1 learns the secret or no player does.

The Paper results

• Assumption (3) the protocol has a commonly known upper bound on running time

• The impossibility result:– Under assumptions (1) and (2) and (3) any (non

randomize) protocol for secret sharing reconstruction breaks.

• The possibility result:– However such protocol is possible using

randomized mechanism with constant expected running time.

Talk Outline

• Technical background and definitions– Dominated strategies– Nash equilibrium– Etc

• The impossibility result – Iterated Deletion– Weakly dominated strategies– Good strategies

• The possibility result– A randomized practical mechanism for secret sharing– The recommended protocol is a Nash equilibrium

Technical Background and Definitions

Assumptions

• At each step, a player receives all the messages that were sent to it by other players at the previous step and only then send its messages (possibly non).

• The system is synchronous – In each round players decide what messages to send

before receiving any messages sent to them.

• Communication is guaranteed

• Messages takes one round to arrive.

• At each step all the players move.

Definitions

• Game for n players is a forest of nodes.– The root nodes of the forest = the initial situations in

the game. – The later nodes = the results of the players’ moves.

• Local state- a sequence of messages sent and received and a utility function of each player in each node.

• Run- path in the forest that starts at a root. – Every run has a tuple associated with it. – Where is player i’s utility if that run is played.

• Strategy- for player i is a function from i’s local states to actions.

• Joint strategy- is a tuple of strategies, one for each player.– Joint strategy ->distribution over runs -> expected

utility for each player.

1,..., nu uiu

1,..., n

Definitions (cont)

• Expected utility (for player i)- the sum over the possible runs where for each run player i’s utility for the run is multiplied by the probability of this run. – denoted as if is played.

• Weakly dominated strategy- if is a set of strategies for player i– i=1,…,n

A strategy is weakly dominated by with respect to if,

for some strategy , and for all strategies

iU

iS

iS

iS iS

, ,i i i iU U

' , ' ,i i i iU U

i iS

' i iS

Definitions (cont)

• Nash equilibrium- is a Nash equilibrium if for all players i and strategies of player i,

– The paper focuses on Nash equilibrium that is determined by iterated deletion of weakly-dominated strategies.

• Mechanism- a pair consisting of a game and a joint strategy for that game.

• Practical mechanism- is a practical mechanism if

is a Nash equilibrium of the game that survived iteration deletion of weakly-dominated strategies.

'i

,

,

', ,i i i i i iU U

The Impossibility Result

• Theorem 3.1: If players’ utilities satisfy assumption (1), then

there is no practical mechanism for m out of n secret sharing such that

is finite and, using , some player learns the secret.

*,

*

The Impossibility Result Proof Structure

• In general the proof of theorem 3.1 is a backward induction.– First it is argued that no players will send a message

in the last round

– Then it proceeds to show that no player will send a message k rounds before the last round, for each k.

• More precisely:– A family of strategies that reveals useful information is

constructed.– The family of strategies is deleted by steps of iterated

deletion– No strategy other than the strategies in the family is

deleted.

The Family of Strategies Definitions

• Revealing useful information- a strategy for player i reveals useful information at a node v if– There is some strategy for the other players such

that reaches v with positive probability.– According to strategy at v player i sends (with

positive probability) a share of the secret to player j although:

• i does not know if j already has m shares • i does not know if j has the share he is sending.

• - if there is a path of length h from v to a leaf in the game tree and there are no paths of length h+1 from v to a leaf in the game tree.

i

i

,i i

i

round v h

The Family of Strategies Definitions (cont)

• - consist of all strategies for player i in game that reveal useful information at a node v such that

• - consist of all strategies for player i at a node v such that – i has m shares– i does not know if all player have m shares– i sends enough shares to all the other player to verify they all have

m shares.

• More strategies in the family that will not be used in this talk…

round v h

hiB

1iA

'1iA

2iA '2

iA3iA '3

iA ''3iA '''3

iAhiC

hiD 'h

iD

Iterated Deletion

• Let for let let

let for

• Proposition 3.1:

Let M be a mechanism for secret sharing. After k steps of iterated deletion, all the strategies in have been deleted; moreover, no deterministic strategy not in

has been deleted.

' '1 1 1j j j j j j jA A B C D D 1,2j

5j

' '' ''' '3 3 3 3 3 3 4 4 4A A A A B C D D '4 4 4 5 5 5A B C D D

1 1j j j jB C D

k

1 2 ... k

Iterated Deletion

• Proposition 3.1 is proved by induction on k.

• The base case (k=1) corresponds to one step of iterated deletion.

• Number of lemmas show that all the strategies in are deleted (lemma 3.1),

• and number of lemmas show that no deterministic strategy not in is deleted (lemma 3.14).1

1

Weakly Dominated Strategies

• Lemma 3.1: Every strategy in is weakly dominated.Proof:• w.l.g the lemma will be proved for player 1 strategies.• Suppose .• Let be a “bad” action of player 1 at node v’ such that:• Before 1 does not know all players have m shares• After 1 knows that all players have m shares.• leads (with positive probability) to a node v where

(with positive probability) 1 performs a “bad” action.• Let T be identical to S except that

– If S’s action at v (or v’ that is undistinguishable from v for 1) has positive probability on a “bad” action

– Then T has the same positive probability on sending nothing.

1A

11S A

aaa

1,S S

Weakly Dominated Strategies (cont)

• It will be shown that T weakly dominates S.

• There is a deterministic joint strategy for the other players such that – leads with positive probability to a node v’ – 1 can not distinguish v’ from v.– The other players are lacking exactly the shares that 1

sends them under S – They are silent for all subsequent steps.

• Then gives 1 a strictly higher utility than

1'S

1, 'S S

1, 'S S 1, 'T S

Weakly Dominated Strategies (cont)

• It will be shown that T is never strictly worse than S for player 1.

• Let be a joint strategy for the other players. • The distribution over runs generated by and

is identical except that

– the probability placed by on runs where 1 performed “bad” action is shifted by

– to runs where 1 stopped sending messages starting at the point where it would have performed a “bad” action.

• 1 gets the worst utility at runs where a “bad” action is performed

• 1’s payoff with must be at least as good as 1’s payoff with .

1T 1,S T

1,S T

1,S T

1,T T

1,T T

1,T T

Good Strategies m=n=3

• Definition 3.1:• For any let the good strategies be any set of pure

joint strategies such that – consists of all strategies.

• Lemma 3.14:• let (S,S’) result in a lower payoff for player 1 then (T,S’). • Then there exist (S,S’’) that results in a higher payoff for

player 1 then (T,S’’).– Where S,T good pure strategies for player 1 – and S’,S’’ good strategies for player 2,and 3

01

h h iiS

0S

h1h

Good Strategies m=n=3

• Since (S,S’) result in a lower payoff for player 1 then (T,S’)

• there is some node v reached by (S,S’) and (T,S’) • such that player 1 performs a different action with S than

with T.

• (one case out of many):– 1 does not have 2 and 3’s shares.– 1 sends different message to 3 using S than using T.– 1 considers it is possible that:

• 2 does not have 3’s share.• 3 does not have 1’s share.

Good Strategies m=n=3

• Let v’ be a node where – 2 does not have 3’s share – 3 has only its own share.

• Let S’’ be the strategy where – if 2 and 3 receives 1’s message using S then at node v’

• 2 sends 1 its own share,• in the next step 3 sends 1 its own share.

– Otherwise S’’ is silent (if 2 and 3 receives 1’s message using T).

• S’’ is a good strategy – 2 and 3 don’t have all three shares at the time they are

sending a share to 1• 1 learned all three shares with S but not with T.

The Possibility Result

A Randomized Practical Mechanism for Secret Sharing. (3 out of 3)• Like repeated prisoner dilemma the only hope for

cooperation lies in uncertainty on the number of moves in the game.

• Consider a game where players toss coins.• If a player gets heads he send his share of the secret.• In the next step everyone reveals their coin.• If every one learns the secret, or if someone cheats (had

heads but did not send)– Than the game is over– Otherwise the issuer issues new shares of the secret

(different polynomial).

A Randomized Practical Mechanism for Secret Sharing. (3 out of 3)• What are the incentive problems of this mechanism?• Even if it is possible to verify the true toss of every

player, • Two problematic points should be looked at:

1. Is there an incentive for a player that got tails to continue and play.

2. Is there an incentive for a player that got heads not to send his share (although his lie can be reveled)?

• Answers:1. If he got tails and the other two players got heads,

he learned the secret and surly will not continue to play.

A Randomized Practical Mechanism for Secret Sharing. (3 out of 3)• Answers:

2. The probability of the other two players to get heads (and send the secret) is ¼.

• So the probability for player 1 of learning the secret by himself in the first round is ¼.

– While the probability that the other two players do not both get heads is ¾.

• So the probability for player 1 for not learning the secret at all (not in the first round and then the game is stopped because player 1 cheated) is ¾.

– If (only 1 learns the secret)+ (no one learns the secret)< (everyone learns the secret) player 1 will not cheat.

• Either player utilities satisfy the above formula or the probability of heads can modified appropriately.

11 4 u 13 4 u1u

A Randomized Practical Mechanism for Secret Sharing. (3 out of 3)• For , let denote , except is 1. let

denote , except is 3.• A bit with probability , with probability

• A bit with probability ½.• Let

1,2,3i i 1i 3 i

1i 1

1ic 0ic 1

, 1ic , ,ii ic c c

The Protocol M( ):

1.The issuer sends each player a share of the secret.

2.Each player i chooses a bit and a bit and sends to , to . (i should receive from and from ).

3.Each player i sends to

(i should receive

from ).

4.Each player i computes . .

if then player i sends its share to the others.

ic ,ic ,ic i ,ic i

,ic

i i ,ic

, iic c

i

i

, , iii ip c c c c

1 2 3ii i

c c c c c c 1ip c

,, i iiic c c c

The Protocol M( ):5. If p=0 and i received no secret shares then the issuer is asked to restart the protocol otherwise, i stops the protocol for cheating. if p=1 and i received 1 share (possibly from itself) then the issuer is asked to restart the protocol otherwise, if i got 2 shares i stops the protocol (learned the secret)

if i got no shares i stops the protocol for cheating.

• If at stage 2 player i does not get a bit from and he stops the protocol.

• If at stage 3 player i does not get a bit from he stops the protocol.

001010100111

i

i

i

The Possibility Result (m=n=3)• Theorem 3.2: For all utility functions satisfying (1), if , there exist an such that M( ) is a practical mechanism for m out of n

secret sharing for all• Proof: Who learns the secret if all the players follow the protocol?

– Player i sends its secret iff and• all players learn the secret with

probability• and no one learns the secret with

probability – If no player sends its share.

• Answer: either all players learn the secret, or no player does.

3n*

*

1i i ic c c 1ic

1 2 3 1c c c 3

1ic 0i ic c

21

1 2 3 0c c c

• Cheating at step 4:• Player i can cheat by not sending its share when it should.

– If i gains with conditional probability

– If i loses with conditional probability

• i can not influence these probabilities• Each player j chooses its bit independently.

– A rational player i will cheat only if:– (4) (only i learns the secret)+

(no one learns the secret)

> (everyone learns the secret)

1i ic c

22 2 1 0

i ic c

2 221 1

jc

22 2 1 2 221 1 iu

iu

iu

Cheating at step 4: (cont)

• If follows from (1) that

(5) (only i learns the secret) > (everyone learns the secret) > (no one learns the secret)

• It can be concluded from (5) that there exist some such that for all i and all (4) does not hold.

• If then no player has any incentive to cheat at step 4.

iuiu

iu*

* *

• Cheating at steps 3:– If cheating is by not sending a bit then it would

be detected by the player missing the bit.– If cheating is to send the wrong bit then may

incorrectly compute– i can not get more than one share:

• If p=1 and will not send his share.• If p=0 and will not send his share.

i

1 2 3c c c

i

iˆ 0p ˆ 1p

• Cheating at step 2:– If cheating is by not sending a bit then it would be

detected by the player missing the bit.– If cheating is to send the wrong bits– It is equivalent to player i changing the distribution

with which and are chosen.– But it does not affect the probabilities in (4)

• Thus cheating in steps 2,3, and 4 is not a dominant strategy and the recommended protocol in M( ) is a Nash equilibrium for

*

ic ,ic

Thank You!