scalable mechanisms for rational secret sharing

Scalable Mechanisms for

Rational Secret SharingJared Saia

withVarsha Dani

Mahnush MovahediYamel Rodriguez

Thursday, July 28, 2011

A hard fact:

Not everyone follows instructions


Good: Follow instructions

Good and Bad

Bad: Don’t follow instructions

A simple moral code for an aspiring deity (or computer scientist)


Good: Follow instructions

Good and Bad

Bad: Don’t follow instructions

A simple moral code for an aspiring deity (or computer scientist)

Byzantine agreement, Secure Multiparty Computation, etc.


A hard(er) fact:

Nobody follows instructions that aren’t in their own best interest


• Each player decides to pollute or not pollute

• Cost to a player is number of other players that pollute plus 2 if they do not to pollute

Pollution Game


• Each player decides to pollute or not pollute

• Cost to a player is number of other players that pollute plus 2 if they do not to pollute

Nash Equilibrium: Everybody pollutes

Benevolent Dictator (Optimal): Nobody pollutes

Pollution Game


• SW in Nash:

• SW in Optimal:

• Price of Anarchy:

n2

2n

n/2

Pollution Game


Mediator

•Mediator privately suggests an action to each player

•Players may ignore suggestions of mediator; they retain free-will and remain selfish

•Goal: Use mediator to improve SW


• Mediator: Advises each player not to pollute, until some player disregards advice. If this happens, from then on advise everyone to pollute.

• Result: Nobody pollutes!

• Significantly improves the SW

Pollution Game


• The mediator is an algorithm!

• The mediator might conceivably be a randomized algorithm

• A mediator may work even for a single round game

Mediator


f_1(x) = 1/2

1

0

cost

flow

1/2

f_2(x)

f_2(x):

El Farol


f_1(x) = 1/2

1

0

cost

flow

1/2

f_2(x)

f_2(x):

Mediator:- With probability 1/3, tell

all players to go up- With probability 2/3, tellhalf the players to go up

and half to go down

El Farol


f_1(x) = 1/2

1

0

cost

flow

1/2

f_2(x)

f_2(x):

Mediator:- With probability 1/3, tell

all players to go up- With probability 2/3, tellhalf the players to go up

and half to go down

Achieves S.W. of 1/3 vs 1/2for the Nash

El Farol


Where does the mediator come from?

Mediator


Where does the mediator come from?

“It is the final proof of God's omnipotence that he need not exist in order to save us.” -

Peter De Vries

Mediator


Mediator

1

0

00

1

1

1

1


?

?

??

?

??

?


Mediator


Goal: Implement a mediator in a fully decentralized manner (“cheap talk”)

Previous work: Abraham et al. [’06,’08], Lysyanskaya & Triandopoulos [’06]

Mediator


Goal: Implement a mediator in a fully decentralized manner (“cheap talk”)

Previous work: Abraham et al. [’06,’08], Lysyanskaya & Triandopoulos [’06]

Problem: not scalable i.e. require all-to-all communication

Goal: Scalable protocol for secret sharing

Mediator


Secret Sharing?

• m-out-of-n secret sharing: m ≤ n : A secret is distributed among n players such that m together can reconstruct the secret, but fewer than m obtain no information

• Shamir, Blakley [1979]


Shamir’s Scheme

• Embed the secret S in a finite field

• Choose a random polynomial P of degree m-1 with P(0) = S

• Shares are P(1), P(2), ..., P(n)

• Any m of the points (i, P(i)) can be used to interpolate the polynomial P


Adding Game Theory

• Shamir’s scheme assumes players follow instructions.

• What if instead they are selfish? Each wants to learn the secret, but doesn’t want the others to learn it.

• Goal: Nash Equilibrium protocol that ensures when (and only when) there is a quorum, everyone learns the secret


Formal problem

• n rational players

• utility functions described by 3 parameters u+ : utility for learning alone u : utility for learning (others learn too) u- : utility for not learning

• GOAL: NE protocol that ensures that all players learn the secret.


Prior Work

• Introduced by Halpern & Teague [’04]

• Abraham, Dolev, Gonen & Halpern [’06]; Gordon & Katz [’06]. Cryptographic.

• Kol & M. Naor [’08] -- Non-cryptographic.


Modes of Communication

• Most previous work assumes simultaneous broadcast channels

• KN also allow non-simultaneous broadcast

• Broadcast is bad model for large network. Instead want point-to-point (private) channels.


Idea: Fake Rounds

• Problem: If everyone sends me their shares, I learn the secret without revealing my share (others don’t learn, not NE)

• Idea: Have “fake” rounds to catch cheaters. If anyone cheats, everyone quits, nobody wins. Real secret is reconstructed on a random round.


Idea: Different Lengths

Problem: If know # rounds, no penalty for defaulting on the last round. So second to last round is effectively the last, so no penalty for defaulting on second to last round, etc. (“Backward Induction”)


Idea: Different Lengths

Problem: If know # rounds, no penalty for defaulting on the last round. So second to last round is effectively the last, so no penalty for defaulting on second to last round, etc. (“Backward Induction”)

Idea [KN]: Use shares of different lengths for players. Can’t tell from your input whether you have a shorter or longer share. No base case for backward induction!


Scalable

• n rational players who can communicate over private channels

• utility functions described by 3 parameters u+ : utility for learning alone u : utility for learning (others learn too) u- : utility for not learning

• GOAL: NE protocol that ensures that all players learn the secret. Should be scalable, i.e. polylog(n) messages.


Alas...

• There is none. [KN ’08] (specifically, no NE for non-simultaneous broadcast)

• Relax the requirements: still want private channels & scalability, but settle for weaker equilibrium concept.


ε-Nash Equilibrium

• A set of strategies such that if all other players follow, no player can gain more than ε in expectation by deviating.

• We will actually get something stronger: no player can gain more than ε in expectation in any round, even conditioned on history (ε-everlasting equilibrium)


The Mechanism

• Two components: 1) dealer’s protocol to create inputs; and 2) players’ protocol once the game starts

• Initially: n-out-of-n; Later: m-out-of-n

• Initially: success with probability 1-δ; Later: success w.h.p


Tag and Hash

Dealer wants Alice to send a message m to Bob at a point in the future

Wants Bob to be able to verify the message is correct when received

Doesn’t want Bob to learn anything about the message before it’s received


Tag and Hash

a & tag are random non-zero elements in Fq

Alice sends m and tag to Bob

Bob checks that b = a*m + tag

m, tag a,b

Prob(success in faking a message) ≤ 1/(q-1)


Dealer’s Protocol

• Embed secret in large finite field Fq

• Choose a player at random: “short player”

• X, Y, Z i.i.d. ~ Geom(β) X : position of secret Y : padding on short input Z : additional padding on long input

• Long players get lists of length X+Y+Z. Short player gets list of length X+Y.


Lists• A player’s input:

• List of potential (masked) secrets

• List of tags (to authenticate messages you send)

• List of hashes (to verify messages you receive)

• List of recursive shares for

• masks (for next round)

• indicators (0 if this is round X)


Recursive Shares

• Create a complete binary tree with n leaves.

• Assign a player to each leaf.

• Assign all but one player to internal nodes.

• Perform recursive (Shamir-like) secret sharing starting at the root node


Making the Sharesq=13


5

Making the Sharesq=13 value to be reconstructed


5


slope: 3

value to be reconstructed

f(x)=3x+5


5

f(-1) f(1)


slope: 3


f(x)=3x+5


5

2 8


slope: 3


f(x)=3x+5


5

2 8


slope: 3

slope: 2


f(x)=2x+2


5

2

0

8

4


slope: 3

slope: 2


f(x)=2x+2


5

2

0

8

4


slope: 3

slope: 2 slope: 7


f(x)=7x+8


5

2

0

8

4 151


slope: 3

slope: 2 slope: 7


f(x)=7x+8


5

2

0

8

4 151


slope: 3

slope: 2 slope: 7


Shares for the 4 playersThursday, July 28, 2011

Players’ Protocol

• Two stages per round

• Up stage: values reconstructed recursively up the tree

• Down stage: values sent down from root

• All messages authenticated with tag and hashes


Players’ Protocol

• Two stages per round

• Up stage: values reconstructed recursively up the tree

• Down stage: values sent down from root

• All messages authenticated with tag and hashes

If ever detect cheating, output potential secret from current round and QUIT.


0 4 151

Up Stage

a b c d

a c

b


0 4 151

Up Stage

2 8

a b c d

a c

b


0 4 151

Up Stage

2 8

a b c d

a c

b 5


Down Stage

a b c d

a c

b 5


Down Stage

5 5

a b c d

a c

b 5


Down Stage

5 5

a b c d

a c

b 5

5 5 5 5


Down Stage

5 5

a b c d

a c

b 5

5

5 5 5 5


Round

• In each round, reconstruct:

• Mask for the next round

• Indicator for whether the current round holds the secret

Termination: At end of down stage, if indicator value is 0, use mask from previous round to decode secret and quit


Why does it work?

• Tag & hash ⇒ can’t fake messages.

• Masks ⇒ can’t decode secret before round X-1

• No point cheating on round X : everyone outputs secret anyway

• Only viable time to cheat is round X-1 (if you can guess it). Tune parameter β, so that (unless Y is too small), cannot gain more than ε by cheating.


Resource Cost

Our algorithm [KN] adaptation

messages (per player-round) O(1) ϴ(n)latency (per

round) O(log n) ϴ(n)

E(# rounds) O(1) Ω(n)


Resource Cost

Our algorithm [KN] adaptation

messages (per player-round) O(1) ϴ(n)latency (per

round) O(log n) ϴ(n)

E(# rounds) O(1) Ω(n)

Since β doesn’t depend on nThursday, July 28, 2011

What about m-out-of-n?• This is difficult in general. If each player sends O

(log n) messages, then if m=o(n/log n), even if the active players are chosen randomly, it is likely that there is an active player who never receives a message from another active player.

• Moreover even with Θ(n) active players, if they are selected adversarially, then a small subset of them can always be isolated from the others.

• Need further relaxation of problem


m-out-of-n

• Suppose m = Θ(n).

• Moreover, suppose the subset of active players is independent of the dealer’s coins

• Threshold fraction τ, parameter λ, and an algorithm such that cooperating is ε-Nash, and

• if m >(τ+λ)n then whp all active players learn

• if m <(τ-λ)n then whp secret not reconstructed


f2(−1) = f4(0) f2(1) = f5(0)

f1(−1) = f2(0) f1(1) = f3(0)

f1(0) = h


Reducing Error• X and Y i.i.d. ~ Geom(β)

X+1: position of secret Y: padding on long input

• Half the players are now short (length X)

• Last round: Long players have the secret; Short players know this is last round

• Must carefully distribute short players in last round so they’re not descendants of each other


Last Round

a b

ea c d

db

c

red = shortThursday, July 28, 2011

Last Round

a b

ea c d

db

c

red = short

short player learns secret


Last Round

a b

ea c d

db

c

red = short

short player learns secret

No short descendants

to hide it from


Probabilities

6 Varsha Dani, Mahnush Movahedi, Alignauthor Yamel Rodriguez, Jared Saia

with even label and there is no other even-labeled node

in this tree.

Case 2: Ts is of heights tow. Based on step three of

the algorithm 1, root label is as same as its only even-

labeled child. All other subtrees with the even-labeled

root have type two style with even-labeled root and

leaves children.

The only situation we still need to consider is whether

a player can guess the position of the secret, with suffi-

ciently high probability, before the definitive iteration.

We deal with this situation in the next few lemmas.

Lemma 2 A player deviating from the protocol cannotincrease his expected payoff by more than � unless hisprobability of successfully learning the secret by deviat-

ing is at least Ui(S�)+�−Ui(φ)

Ui(S)−Ui(φ)where S� is the set of all

players and S is the set of players who learn the secretafter i cheats, note that i ∈ S.

Proof Let p be the threshold success probability re-

quired to make deviating worthwhile, ie to increase one’s

payoff by �. Since the game ends when a player is caught

deviating from the protocol (and certainly if the player

stops sending messages, this will be detected by the

other players), a failed attempt at cheating means that

the player does not learn the secret. Thus a player’s ex-

pected utility from cheating while everyone else follows

the protocol is pUi(S)+(1−p)Ui(φ). On the other hand,

following the protocol results in everyone learning the

secret, with a utility of Ui(S�). Thus, at the threshold

for making cheating worthwhile, we have

pUi(S) + (1− p)Ui(φ) = Ui(S�) + �

Solving this for p gives the desired result.

We will now compute the probability of a player

successfully guessing the secret before it is actually re-

vealed during the protocol.

Lemma 3 Player i who initially received a list of lengthsi has at most 2β

1−β chance of (correctly) guessing theposition of the secret on round t or t + 1 if it has notalready been revealed.

Proof Assume that si shows the size of the list Li that

belongs to player i. If i is a short player then si is equalto X−1 and If i is a long player si is equal to X+Y −1.

Now consider the following two case:

Case 1. Player i’s share has ended (t = si + 1) A short

player can not guess the secret before the long players

send him their shares of the secret. By Lemma 1, the

short player can not fool long players by sending fake

message. By Lemma 1, the short player can not fool

other short players.

Case 2. Player i’s share has not ended (1 ≤ t ≤ si)In round t, after mask reconstructed, the player i may

guess that secret is in next round and fool others in

round t by not sending the mask for the next round

down. The probability of that he truly guess the secret

is Pr(X = t+ 1|X ≥ t ∧ si = k)

Pr(X = t+ 1|X ≥ t ∧ si = k)

=Pr(X = t+ 1 ∧ si = k)

Pr(X ≥ t ∧ si = k)

=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)

Pr(ξi ∧X ≥ t ∧ si = k) + Pr(ξ̄i ∧X ≥ t ∧ si = k)

We can compute the three probabilities above.

The term in the numerator:

Pr(ξ̄i ∧X = t+ 1 ∧ si = k)

= Pr(ξ̄i)Pr(X = t+ 1)Pr(si = k)

Note that the events are independent. Moreover, since

i is not a short player so si = X +Y − 1 and X = t+1

so t+1+Y −1 = k then Y = k− t is same as the event

si = k and the above probability is:

Pr(ξ̄i)Pr(X = t+ 1)Pr(Y = k − t)

= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1

= Pr(ξ̄i)β2(1− β)k−1

The first term in the denominator:

Pr(ξi ∧X ≥ t ∧ si = k)

= Pr(ξi)Pr(X ≥ t)Pr(si = k)

= Pr(ξi)Pr(X = k + 1)

= Pr(ξi)β(1− β)k

The second term in the denominator:

Pr(ξ̄i ∧X ≥ t ∧ si = k)

= Pr(ξ̄i)k�

j=t−1

Pr(X = j + 1)Pr(Y = k − j)

= Pr(ξ̄i)k�

j=t−1

β(1− β)jβ(1− β)k−j−1

= Pr(ξ̄i)β2k�

j=t−1

(1− β)k−1

= Pr(ξ̄i)β2(1− β)k−1

(k − t+ 2)

Size of player i’s list



in this tree.





leaves children.





















pUi(S) + (1− p)Ui(φ) = Ui(S�) + �




















is Pr(X = t+ 1|X ≥ t ∧ si = k)

Pr(X = t+ 1|X ≥ t ∧ si = k)

=Pr(X = t+ 1 ∧ si = k)

Pr(X ≥ t ∧ si = k)

=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)




Pr(ξ̄i ∧X = t+ 1 ∧ si = k)







= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1

= Pr(ξ̄i)β2(1− β)k−1




= Pr(ξi)Pr(X = k + 1)



Pr(ξ̄i ∧X ≥ t ∧ si = k)

= Pr(ξ̄i)k�

j=t−1

Pr(X = j + 1)Pr(Y = k − j)

= Pr(ξ̄i)k�

j=t−1

β(1− β)jβ(1− β)k−j−1

= Pr(ξ̄i)β2k�

j=t−1

(1− β)k−1

= Pr(ξ̄i)β2(1− β)k−1

(k − t+ 2)



in this tree.





leaves children.





















pUi(S) + (1− p)Ui(φ) = Ui(S�) + �




















is Pr(X = t+ 1|X ≥ t ∧ si = k)

Pr(X = t+ 1|X ≥ t ∧ si = k)

=Pr(X = t+ 1 ∧ si = k)

Pr(X ≥ t ∧ si = k)

=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)




Pr(ξ̄i ∧X = t+ 1 ∧ si = k)







= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1

= Pr(ξ̄i)β2(1− β)k−1




= Pr(ξi)Pr(X = k + 1)



Pr(ξ̄i ∧X ≥ t ∧ si = k)

= Pr(ξ̄i)k�

j=t−1

Pr(X = j + 1)Pr(Y = k − j)

= Pr(ξ̄i)k�

j=t−1

β(1− β)jβ(1− β)k−j−1

= Pr(ξ̄i)β2k�

j=t−1

(1− β)k−1

= Pr(ξ̄i)β2(1− β)k−1

(k − t+ 2)



in this tree.





leaves children.





















pUi(S) + (1− p)Ui(φ) = Ui(S�) + �




















is Pr(X = t+ 1|X ≥ t ∧ si = k)

Pr(X = t+ 1|X ≥ t ∧ si = k)

=Pr(X = t+ 1 ∧ si = k)

Pr(X ≥ t ∧ si = k)

=Pr(ξ̄i ∧X = t+ 1 ∧ si = k)




Pr(ξ̄i ∧X = t+ 1 ∧ si = k)







= Pr(ξ̄i)β(1− β)tβ(1− β)k−t−1

= Pr(ξ̄i)β2(1− β)k−1




= Pr(ξi)Pr(X = k + 1)



Pr(ξ̄i ∧X ≥ t ∧ si = k)

= Pr(ξ̄i)k�

j=t−1

Pr(X = j + 1)Pr(Y = k − j)

= Pr(ξ̄i)k�

j=t−1

β(1− β)jβ(1− β)k−j−1

= Pr(ξ̄i)β2k�

j=t−1

(1− β)k−1

= Pr(ξ̄i)β2(1− β)k−1

(k − t+ 2)


Conclusions

• n-out-of-n rational secret sharing using polylog resources

• Extends to m-out-of-n for m=Θ(n) randomly chosen active players


Open Problems• Scalable Rational Secure Multiparty

Computation

• Scalable Rational Secret Sharing

• Better results for m-out-of-n

• for m = o(n), suitably easier problem must be considered.

• For m = Θ(n), is anything at all possible for worst-case choice of active players?


Other Applications

• Run an auction or hold a lottery to allocate resources in a network

• Beet Auctions (double auction to determine market clearing prices for sugar beets between Danish beet farmers and the sugar company.)


Communication

• Naive: Simulate broadcast on private channels by sending same message to everybody

• Problem 1: With channels, C doesn’t know what A said to B

• Problem 2: Requires Θ(n) messages per player


scalable mechanisms for rational secret sharing

Documents