scalable mechanisms for rational secret sharing
TRANSCRIPT
Scalable Mechanisms for
Rational Secret SharingJared Saia
withVarsha Dani
Mahnush MovahediYamel Rodriguez
Thursday, July 28, 2011
Good: Follow instructions
Good and Bad
Bad: Don’t follow instructions
A simple moral code for an aspiring deity (or computer scientist)
Thursday, July 28, 2011
Good: Follow instructions
Good and Bad
Bad: Don’t follow instructions
A simple moral code for an aspiring deity (or computer scientist)
Byzantine agreement, Secure Multiparty Computation, etc.
Thursday, July 28, 2011
A hard(er) fact:
Nobody follows instructions that aren’t in their own best interest
Thursday, July 28, 2011
A hard(er) fact:
Nobody follows instructions that aren’t in their own best interest
Thursday, July 28, 2011
• Each player decides to pollute or not pollute
• Cost to a player is number of other players that pollute plus 2 if they do not to pollute
Pollution Game
Thursday, July 28, 2011
• Each player decides to pollute or not pollute
• Cost to a player is number of other players that pollute plus 2 if they do not to pollute
Nash Equilibrium: Everybody pollutes
Benevolent Dictator (Optimal): Nobody pollutes
Pollution Game
Thursday, July 28, 2011
Mediator
•Mediator privately suggests an action to each player
•Players may ignore suggestions of mediator; they retain free-will and remain selfish
•Goal: Use mediator to improve SW
Thursday, July 28, 2011
• Mediator: Advises each player not to pollute, until some player disregards advice. If this happens, from then on advise everyone to pollute.
• Result: Nobody pollutes!
• Significantly improves the SW
Pollution Game
Thursday, July 28, 2011
• The mediator is an algorithm!
• The mediator might conceivably be a randomized algorithm
• A mediator may work even for a single round game
Mediator
Thursday, July 28, 2011
f_1(x) = 1/2
1
0
cost
flow
1/2
f_2(x)
f_2(x):
Mediator:- With probability 1/3, tell
all players to go up- With probability 2/3, tellhalf the players to go up
and half to go down
El Farol
Thursday, July 28, 2011
f_1(x) = 1/2
1
0
cost
flow
1/2
f_2(x)
f_2(x):
Mediator:- With probability 1/3, tell
all players to go up- With probability 2/3, tellhalf the players to go up
and half to go down
Achieves S.W. of 1/3 vs 1/2for the Nash
El Farol
Thursday, July 28, 2011
Where does the mediator come from?
“It is the final proof of God's omnipotence that he need not exist in order to save us.” -
Peter De Vries
Mediator
Thursday, July 28, 2011
Goal: Implement a mediator in a fully decentralized manner (“cheap talk”)
Previous work: Abraham et al. [’06,’08], Lysyanskaya & Triandopoulos [’06]
Mediator
Thursday, July 28, 2011
Goal: Implement a mediator in a fully decentralized manner (“cheap talk”)
Previous work: Abraham et al. [’06,’08], Lysyanskaya & Triandopoulos [’06]
Problem: not scalable i.e. require all-to-all communication
Goal: Scalable protocol for secret sharing
Mediator
Thursday, July 28, 2011
Secret Sharing?
• m-out-of-n secret sharing: m ≤ n : A secret is distributed among n players such that m together can reconstruct the secret, but fewer than m obtain no information
• Shamir, Blakley [1979]
Thursday, July 28, 2011
Shamir’s Scheme
• Embed the secret S in a finite field
• Choose a random polynomial P of degree m-1 with P(0) = S
• Shares are P(1), P(2), ..., P(n)
• Any m of the points (i, P(i)) can be used to interpolate the polynomial P
Thursday, July 28, 2011
Adding Game Theory
• Shamir’s scheme assumes players follow instructions.
• What if instead they are selfish? Each wants to learn the secret, but doesn’t want the others to learn it.
• Goal: Nash Equilibrium protocol that ensures when (and only when) there is a quorum, everyone learns the secret
Thursday, July 28, 2011
Formal problem
• n rational players
• utility functions described by 3 parameters u+ : utility for learning alone u : utility for learning (others learn too) u- : utility for not learning
• GOAL: NE protocol that ensures that all players learn the secret.
Thursday, July 28, 2011
Prior Work
• Introduced by Halpern & Teague [’04]
• Abraham, Dolev, Gonen & Halpern [’06]; Gordon & Katz [’06]. Cryptographic.
• Kol & M. Naor [’08] -- Non-cryptographic.
Thursday, July 28, 2011
Modes of Communication
• Most previous work assumes simultaneous broadcast channels
• KN also allow non-simultaneous broadcast
• Broadcast is bad model for large network. Instead want point-to-point (private) channels.
Thursday, July 28, 2011
Modes of Communication
• Most previous work assumes simultaneous broadcast channels
• KN also allow non-simultaneous broadcast
• Broadcast is bad model for large network. Instead want point-to-point (private) channels.
Thursday, July 28, 2011
Modes of Communication
• Most previous work assumes simultaneous broadcast channels
• KN also allow non-simultaneous broadcast
• Broadcast is bad model for large network. Instead want point-to-point (private) channels.
Thursday, July 28, 2011
Idea: Fake Rounds
• Problem: If everyone sends me their shares, I learn the secret without revealing my share (others don’t learn, not NE)
• Idea: Have “fake” rounds to catch cheaters. If anyone cheats, everyone quits, nobody wins. Real secret is reconstructed on a random round.
Thursday, July 28, 2011
Idea: Different Lengths
Problem: If know # rounds, no penalty for defaulting on the last round. So second to last round is effectively the last, so no penalty for defaulting on second to last round, etc. (“Backward Induction”)
Thursday, July 28, 2011
Idea: Different Lengths
Problem: If know # rounds, no penalty for defaulting on the last round. So second to last round is effectively the last, so no penalty for defaulting on second to last round, etc. (“Backward Induction”)
Idea [KN]: Use shares of different lengths for players. Can’t tell from your input whether you have a shorter or longer share. No base case for backward induction!
Thursday, July 28, 2011
Scalable
• n rational players who can communicate over private channels
• utility functions described by 3 parameters u+ : utility for learning alone u : utility for learning (others learn too) u- : utility for not learning
• GOAL: NE protocol that ensures that all players learn the secret. Should be scalable, i.e. polylog(n) messages.
Thursday, July 28, 2011
Alas...
• There is none. [KN ’08] (specifically, no NE for non-simultaneous broadcast)
• Relax the requirements: still want private channels & scalability, but settle for weaker equilibrium concept.
Thursday, July 28, 2011
ε-Nash Equilibrium
• A set of strategies such that if all other players follow, no player can gain more than ε in expectation by deviating.
• We will actually get something stronger: no player can gain more than ε in expectation in any round, even conditioned on history (ε-everlasting equilibrium)
Thursday, July 28, 2011
The Mechanism
• Two components: 1) dealer’s protocol to create inputs; and 2) players’ protocol once the game starts
• Initially: n-out-of-n; Later: m-out-of-n
• Initially: success with probability 1-δ; Later: success w.h.p
Thursday, July 28, 2011
Tag and Hash
Dealer wants Alice to send a message m to Bob at a point in the future
Wants Bob to be able to verify the message is correct when received
Doesn’t want Bob to learn anything about the message before it’s received
Thursday, July 28, 2011
Tag and Hash
a & tag are random non-zero elements in Fq
Alice sends m and tag to Bob
Bob checks that b = a*m + tag
m, tag a,b
Prob(success in faking a message) ≤ 1/(q-1)
Thursday, July 28, 2011
Dealer’s Protocol
• Embed secret in large finite field Fq
• Choose a player at random: “short player”
• X, Y, Z i.i.d. ~ Geom(β) X : position of secret Y : padding on short input Z : additional padding on long input
• Long players get lists of length X+Y+Z. Short player gets list of length X+Y.
Thursday, July 28, 2011
Lists• A player’s input:
• List of potential (masked) secrets
• List of tags (to authenticate messages you send)
• List of hashes (to verify messages you receive)
• List of recursive shares for
• masks (for next round)
• indicators (0 if this is round X)
Thursday, July 28, 2011
Recursive Shares
• Create a complete binary tree with n leaves.
• Assign a player to each leaf.
• Assign all but one player to internal nodes.
• Perform recursive (Shamir-like) secret sharing starting at the root node
Thursday, July 28, 2011
5
f(-1) f(1)
Making the Sharesq=13
slope: 3
value to be reconstructed
f(x)=3x+5
Thursday, July 28, 2011
5
2 8
Making the Sharesq=13
slope: 3
slope: 2
value to be reconstructed
f(x)=2x+2
Thursday, July 28, 2011
5
2
0
8
4
Making the Sharesq=13
slope: 3
slope: 2
value to be reconstructed
f(x)=2x+2
Thursday, July 28, 2011
5
2
0
8
4
Making the Sharesq=13
slope: 3
slope: 2 slope: 7
value to be reconstructed
f(x)=7x+8
Thursday, July 28, 2011
5
2
0
8
4 151
Making the Sharesq=13
slope: 3
slope: 2 slope: 7
value to be reconstructed
f(x)=7x+8
Thursday, July 28, 2011
5
2
0
8
4 151
Making the Sharesq=13
slope: 3
slope: 2 slope: 7
value to be reconstructed
Shares for the 4 playersThursday, July 28, 2011
Players’ Protocol
• Two stages per round
• Up stage: values reconstructed recursively up the tree
• Down stage: values sent down from root
• All messages authenticated with tag and hashes
Thursday, July 28, 2011
Players’ Protocol
• Two stages per round
• Up stage: values reconstructed recursively up the tree
• Down stage: values sent down from root
• All messages authenticated with tag and hashes
If ever detect cheating, output potential secret from current round and QUIT.
Thursday, July 28, 2011
Round
• In each round, reconstruct:
• Mask for the next round
• Indicator for whether the current round holds the secret
Termination: At end of down stage, if indicator value is 0, use mask from previous round to decode secret and quit
Thursday, July 28, 2011
Why does it work?
• Tag & hash ⇒ can’t fake messages.
• Masks ⇒ can’t decode secret before round X-1
• No point cheating on round X : everyone outputs secret anyway
• Only viable time to cheat is round X-1 (if you can guess it). Tune parameter β, so that (unless Y is too small), cannot gain more than ε by cheating.
Thursday, July 28, 2011
Resource Cost
Our algorithm [KN] adaptation
messages (per player-round) O(1) ϴ(n)latency (per
round) O(log n) ϴ(n)
E(# rounds) O(1) Ω(n)
Thursday, July 28, 2011
Resource Cost
Our algorithm [KN] adaptation
messages (per player-round) O(1) ϴ(n)latency (per
round) O(log n) ϴ(n)
E(# rounds) O(1) Ω(n)
Since β doesn’t depend on nThursday, July 28, 2011
What about m-out-of-n?• This is difficult in general. If each player sends O
(log n) messages, then if m=o(n/log n), even if the active players are chosen randomly, it is likely that there is an active player who never receives a message from another active player.
• Moreover even with Θ(n) active players, if they are selected adversarially, then a small subset of them can always be isolated from the others.
• Need further relaxation of problem
Thursday, July 28, 2011
m-out-of-n
• Suppose m = Θ(n).
• Moreover, suppose the subset of active players is independent of the dealer’s coins
• Threshold fraction τ, parameter λ, and an algorithm such that cooperating is ε-Nash, and
• if m >(τ+λ)n then whp all active players learn
• if m <(τ-λ)n then whp secret not reconstructed
Thursday, July 28, 2011
Reducing Error• X and Y i.i.d. ~ Geom(β)
X+1: position of secret Y: padding on long input
• Half the players are now short (length X)
• Last round: Long players have the secret; Short players know this is last round
• Must carefully distribute short players in last round so they’re not descendants of each other
Thursday, July 28, 2011
Last Round
a b
ea c d
db
c
red = short
short player learns secret
No short descendants
to hide it from
Thursday, July 28, 2011
Probabilities
6 Varsha Dani, Mahnush Movahedi, Alignauthor Yamel Rodriguez, Jared Saia
with even label and there is no other even-labeled node
in this tree.
Case 2: Ts is of heights tow. Based on step three of
the algorithm 1, root label is as same as its only even-
labeled child. All other subtrees with the even-labeled
root have type two style with even-labeled root and
leaves children.
The only situation we still need to consider is whether
a player can guess the position of the secret, with suffi-
ciently high probability, before the definitive iteration.
We deal with this situation in the next few lemmas.
Lemma 2 A player deviating from the protocol cannotincrease his expected payoff by more than � unless hisprobability of successfully learning the secret by deviat-
ing is at least Ui(S�)+�−Ui(φ)
Ui(S)−Ui(φ)where S� is the set of all
players and S is the set of players who learn the secretafter i cheats, note that i ∈ S.
Proof Let p be the threshold success probability re-
quired to make deviating worthwhile, ie to increase one’s
payoff by �. Since the game ends when a player is caught
deviating from the protocol (and certainly if the player
stops sending messages, this will be detected by the
other players), a failed attempt at cheating means that
the player does not learn the secret. Thus a player’s ex-
pected utility from cheating while everyone else follows
the protocol is pUi(S)+(1−p)Ui(φ). On the other hand,
following the protocol results in everyone learning the
secret, with a utility of Ui(S�). Thus, at the threshold
for making cheating worthwhile, we have
pUi(S) + (1− p)Ui(φ) = Ui(S�) + �
Solving this for p gives the desired result.
We will now compute the probability of a player
successfully guessing the secret before it is actually re-
vealed during the protocol.
Lemma 3 Player i who initially received a list of lengthsi has at most 2β
1−β chance of (correctly) guessing theposition of the secret on round t or t + 1 if it has notalready been revealed.
Proof Assume that si shows the size of the list Li that
belongs to player i. If i is a short player then si is equalto X−1 and If i is a long player si is equal to X+Y −1.
Now consider the following two case:
Case 1. Player i’s share has ended (t = si + 1) A short
player can not guess the secret before the long players
send him their shares of the secret. By Lemma 1, the
short player can not fool long players by sending fake
message. By Lemma 1, the short player can not fool
other short players.
Case 2. Player i’s share has not ended (1 ≤ t ≤ si)In round t, after mask reconstructed, the player i may
guess that secret is in next round and fool others in
round t by not sending the mask for the next round
down. The probability of that he truly guess the secret
is Pr(X = t+ 1|X ≥ t ∧ si = k)
Pr(X = t+ 1|X ≥ t ∧ si = k)
=Pr(X = t+ 1 ∧ si = k)
Pr(X ≥ t ∧ si = k)
=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
Pr(ξi ∧X ≥ t ∧ si = k) + Pr(ξ̄i ∧X ≥ t ∧ si = k)
We can compute the three probabilities above.
The term in the numerator:
Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
= Pr(ξ̄i)Pr(X = t+ 1)Pr(si = k)
Note that the events are independent. Moreover, since
i is not a short player so si = X +Y − 1 and X = t+1
so t+1+Y −1 = k then Y = k− t is same as the event
si = k and the above probability is:
Pr(ξ̄i)Pr(X = t+ 1)Pr(Y = k − t)
= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1
= Pr(ξ̄i)β2(1− β)k−1
The first term in the denominator:
Pr(ξi ∧X ≥ t ∧ si = k)
= Pr(ξi)Pr(X ≥ t)Pr(si = k)
= Pr(ξi)Pr(X = k + 1)
= Pr(ξi)β(1− β)k
The second term in the denominator:
Pr(ξ̄i ∧X ≥ t ∧ si = k)
= Pr(ξ̄i)k�
j=t−1
Pr(X = j + 1)Pr(Y = k − j)
= Pr(ξ̄i)k�
j=t−1
β(1− β)jβ(1− β)k−j−1
= Pr(ξ̄i)β2k�
j=t−1
(1− β)k−1
= Pr(ξ̄i)β2(1− β)k−1
(k − t+ 2)
Size of player i’s list
6 Varsha Dani, Mahnush Movahedi, Alignauthor Yamel Rodriguez, Jared Saia
with even label and there is no other even-labeled node
in this tree.
Case 2: Ts is of heights tow. Based on step three of
the algorithm 1, root label is as same as its only even-
labeled child. All other subtrees with the even-labeled
root have type two style with even-labeled root and
leaves children.
The only situation we still need to consider is whether
a player can guess the position of the secret, with suffi-
ciently high probability, before the definitive iteration.
We deal with this situation in the next few lemmas.
Lemma 2 A player deviating from the protocol cannotincrease his expected payoff by more than � unless hisprobability of successfully learning the secret by deviat-
ing is at least Ui(S�)+�−Ui(φ)
Ui(S)−Ui(φ)where S� is the set of all
players and S is the set of players who learn the secretafter i cheats, note that i ∈ S.
Proof Let p be the threshold success probability re-
quired to make deviating worthwhile, ie to increase one’s
payoff by �. Since the game ends when a player is caught
deviating from the protocol (and certainly if the player
stops sending messages, this will be detected by the
other players), a failed attempt at cheating means that
the player does not learn the secret. Thus a player’s ex-
pected utility from cheating while everyone else follows
the protocol is pUi(S)+(1−p)Ui(φ). On the other hand,
following the protocol results in everyone learning the
secret, with a utility of Ui(S�). Thus, at the threshold
for making cheating worthwhile, we have
pUi(S) + (1− p)Ui(φ) = Ui(S�) + �
Solving this for p gives the desired result.
We will now compute the probability of a player
successfully guessing the secret before it is actually re-
vealed during the protocol.
Lemma 3 Player i who initially received a list of lengthsi has at most 2β
1−β chance of (correctly) guessing theposition of the secret on round t or t + 1 if it has notalready been revealed.
Proof Assume that si shows the size of the list Li that
belongs to player i. If i is a short player then si is equalto X−1 and If i is a long player si is equal to X+Y −1.
Now consider the following two case:
Case 1. Player i’s share has ended (t = si + 1) A short
player can not guess the secret before the long players
send him their shares of the secret. By Lemma 1, the
short player can not fool long players by sending fake
message. By Lemma 1, the short player can not fool
other short players.
Case 2. Player i’s share has not ended (1 ≤ t ≤ si)In round t, after mask reconstructed, the player i may
guess that secret is in next round and fool others in
round t by not sending the mask for the next round
down. The probability of that he truly guess the secret
is Pr(X = t+ 1|X ≥ t ∧ si = k)
Pr(X = t+ 1|X ≥ t ∧ si = k)
=Pr(X = t+ 1 ∧ si = k)
Pr(X ≥ t ∧ si = k)
=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
Pr(ξi ∧X ≥ t ∧ si = k) + Pr(ξ̄i ∧X ≥ t ∧ si = k)
We can compute the three probabilities above.
The term in the numerator:
Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
= Pr(ξ̄i)Pr(X = t+ 1)Pr(si = k)
Note that the events are independent. Moreover, since
i is not a short player so si = X +Y − 1 and X = t+1
so t+1+Y −1 = k then Y = k− t is same as the event
si = k and the above probability is:
Pr(ξ̄i)Pr(X = t+ 1)Pr(Y = k − t)
= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1
= Pr(ξ̄i)β2(1− β)k−1
The first term in the denominator:
Pr(ξi ∧X ≥ t ∧ si = k)
= Pr(ξi)Pr(X ≥ t)Pr(si = k)
= Pr(ξi)Pr(X = k + 1)
= Pr(ξi)β(1− β)k
The second term in the denominator:
Pr(ξ̄i ∧X ≥ t ∧ si = k)
= Pr(ξ̄i)k�
j=t−1
Pr(X = j + 1)Pr(Y = k − j)
= Pr(ξ̄i)k�
j=t−1
β(1− β)jβ(1− β)k−j−1
= Pr(ξ̄i)β2k�
j=t−1
(1− β)k−1
= Pr(ξ̄i)β2(1− β)k−1
(k − t+ 2)
6 Varsha Dani, Mahnush Movahedi, Alignauthor Yamel Rodriguez, Jared Saia
with even label and there is no other even-labeled node
in this tree.
Case 2: Ts is of heights tow. Based on step three of
the algorithm 1, root label is as same as its only even-
labeled child. All other subtrees with the even-labeled
root have type two style with even-labeled root and
leaves children.
The only situation we still need to consider is whether
a player can guess the position of the secret, with suffi-
ciently high probability, before the definitive iteration.
We deal with this situation in the next few lemmas.
Lemma 2 A player deviating from the protocol cannotincrease his expected payoff by more than � unless hisprobability of successfully learning the secret by deviat-
ing is at least Ui(S�)+�−Ui(φ)
Ui(S)−Ui(φ)where S� is the set of all
players and S is the set of players who learn the secretafter i cheats, note that i ∈ S.
Proof Let p be the threshold success probability re-
quired to make deviating worthwhile, ie to increase one’s
payoff by �. Since the game ends when a player is caught
deviating from the protocol (and certainly if the player
stops sending messages, this will be detected by the
other players), a failed attempt at cheating means that
the player does not learn the secret. Thus a player’s ex-
pected utility from cheating while everyone else follows
the protocol is pUi(S)+(1−p)Ui(φ). On the other hand,
following the protocol results in everyone learning the
secret, with a utility of Ui(S�). Thus, at the threshold
for making cheating worthwhile, we have
pUi(S) + (1− p)Ui(φ) = Ui(S�) + �
Solving this for p gives the desired result.
We will now compute the probability of a player
successfully guessing the secret before it is actually re-
vealed during the protocol.
Lemma 3 Player i who initially received a list of lengthsi has at most 2β
1−β chance of (correctly) guessing theposition of the secret on round t or t + 1 if it has notalready been revealed.
Proof Assume that si shows the size of the list Li that
belongs to player i. If i is a short player then si is equalto X−1 and If i is a long player si is equal to X+Y −1.
Now consider the following two case:
Case 1. Player i’s share has ended (t = si + 1) A short
player can not guess the secret before the long players
send him their shares of the secret. By Lemma 1, the
short player can not fool long players by sending fake
message. By Lemma 1, the short player can not fool
other short players.
Case 2. Player i’s share has not ended (1 ≤ t ≤ si)In round t, after mask reconstructed, the player i may
guess that secret is in next round and fool others in
round t by not sending the mask for the next round
down. The probability of that he truly guess the secret
is Pr(X = t+ 1|X ≥ t ∧ si = k)
Pr(X = t+ 1|X ≥ t ∧ si = k)
=Pr(X = t+ 1 ∧ si = k)
Pr(X ≥ t ∧ si = k)
=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
Pr(ξi ∧X ≥ t ∧ si = k) + Pr(ξ̄i ∧X ≥ t ∧ si = k)
We can compute the three probabilities above.
The term in the numerator:
Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
= Pr(ξ̄i)Pr(X = t+ 1)Pr(si = k)
Note that the events are independent. Moreover, since
i is not a short player so si = X +Y − 1 and X = t+1
so t+1+Y −1 = k then Y = k− t is same as the event
si = k and the above probability is:
Pr(ξ̄i)Pr(X = t+ 1)Pr(Y = k − t)
= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1
= Pr(ξ̄i)β2(1− β)k−1
The first term in the denominator:
Pr(ξi ∧X ≥ t ∧ si = k)
= Pr(ξi)Pr(X ≥ t)Pr(si = k)
= Pr(ξi)Pr(X = k + 1)
= Pr(ξi)β(1− β)k
The second term in the denominator:
Pr(ξ̄i ∧X ≥ t ∧ si = k)
= Pr(ξ̄i)k�
j=t−1
Pr(X = j + 1)Pr(Y = k − j)
= Pr(ξ̄i)k�
j=t−1
β(1− β)jβ(1− β)k−j−1
= Pr(ξ̄i)β2k�
j=t−1
(1− β)k−1
= Pr(ξ̄i)β2(1− β)k−1
(k − t+ 2)
6 Varsha Dani, Mahnush Movahedi, Alignauthor Yamel Rodriguez, Jared Saia
with even label and there is no other even-labeled node
in this tree.
Case 2: Ts is of heights tow. Based on step three of
the algorithm 1, root label is as same as its only even-
labeled child. All other subtrees with the even-labeled
root have type two style with even-labeled root and
leaves children.
The only situation we still need to consider is whether
a player can guess the position of the secret, with suffi-
ciently high probability, before the definitive iteration.
We deal with this situation in the next few lemmas.
Lemma 2 A player deviating from the protocol cannotincrease his expected payoff by more than � unless hisprobability of successfully learning the secret by deviat-
ing is at least Ui(S�)+�−Ui(φ)
Ui(S)−Ui(φ)where S� is the set of all
players and S is the set of players who learn the secretafter i cheats, note that i ∈ S.
Proof Let p be the threshold success probability re-
quired to make deviating worthwhile, ie to increase one’s
payoff by �. Since the game ends when a player is caught
deviating from the protocol (and certainly if the player
stops sending messages, this will be detected by the
other players), a failed attempt at cheating means that
the player does not learn the secret. Thus a player’s ex-
pected utility from cheating while everyone else follows
the protocol is pUi(S)+(1−p)Ui(φ). On the other hand,
following the protocol results in everyone learning the
secret, with a utility of Ui(S�). Thus, at the threshold
for making cheating worthwhile, we have
pUi(S) + (1− p)Ui(φ) = Ui(S�) + �
Solving this for p gives the desired result.
We will now compute the probability of a player
successfully guessing the secret before it is actually re-
vealed during the protocol.
Lemma 3 Player i who initially received a list of lengthsi has at most 2β
1−β chance of (correctly) guessing theposition of the secret on round t or t + 1 if it has notalready been revealed.
Proof Assume that si shows the size of the list Li that
belongs to player i. If i is a short player then si is equalto X−1 and If i is a long player si is equal to X+Y −1.
Now consider the following two case:
Case 1. Player i’s share has ended (t = si + 1) A short
player can not guess the secret before the long players
send him their shares of the secret. By Lemma 1, the
short player can not fool long players by sending fake
message. By Lemma 1, the short player can not fool
other short players.
Case 2. Player i’s share has not ended (1 ≤ t ≤ si)In round t, after mask reconstructed, the player i may
guess that secret is in next round and fool others in
round t by not sending the mask for the next round
down. The probability of that he truly guess the secret
is Pr(X = t+ 1|X ≥ t ∧ si = k)
Pr(X = t+ 1|X ≥ t ∧ si = k)
=Pr(X = t+ 1 ∧ si = k)
Pr(X ≥ t ∧ si = k)
=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
Pr(ξi ∧X ≥ t ∧ si = k) + Pr(ξ̄i ∧X ≥ t ∧ si = k)
We can compute the three probabilities above.
The term in the numerator:
Pr(ξ̄i ∧X = t+ 1 ∧ si = k)
= Pr(ξ̄i)Pr(X = t+ 1)Pr(si = k)
Note that the events are independent. Moreover, since
i is not a short player so si = X +Y − 1 and X = t+1
so t+1+Y −1 = k then Y = k− t is same as the event
si = k and the above probability is:
Pr(ξ̄i)Pr(X = t+ 1)Pr(Y = k − t)
= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1
= Pr(ξ̄i)β2(1− β)k−1
The first term in the denominator:
Pr(ξi ∧X ≥ t ∧ si = k)
= Pr(ξi)Pr(X ≥ t)Pr(si = k)
= Pr(ξi)Pr(X = k + 1)
= Pr(ξi)β(1− β)k
The second term in the denominator:
Pr(ξ̄i ∧X ≥ t ∧ si = k)
= Pr(ξ̄i)k�
j=t−1
Pr(X = j + 1)Pr(Y = k − j)
= Pr(ξ̄i)k�
j=t−1
β(1− β)jβ(1− β)k−j−1
= Pr(ξ̄i)β2k�
j=t−1
(1− β)k−1
= Pr(ξ̄i)β2(1− β)k−1
(k − t+ 2)
Thursday, July 28, 2011
Conclusions
• n-out-of-n rational secret sharing using polylog resources
• Extends to m-out-of-n for m=Θ(n) randomly chosen active players
Thursday, July 28, 2011
Open Problems• Scalable Rational Secure Multiparty
Computation
• Scalable Rational Secret Sharing
• Better results for m-out-of-n
• for m = o(n), suitably easier problem must be considered.
• For m = Θ(n), is anything at all possible for worst-case choice of active players?
Thursday, July 28, 2011
Other Applications
• Run an auction or hold a lottery to allocate resources in a network
• Beet Auctions (double auction to determine market clearing prices for sugar beets between Danish beet farmers and the sugar company.)
Thursday, July 28, 2011