Selected Topics of Information Security and Cryptography€¦ · Selected Topics of Information...
Transcript of Selected Topics of Information Security and Cryptography€¦ · Selected Topics of Information...
Selected Topics of Information
Security and Cryptography
A cryptographic solution for a game theoretic problem
Dodis, Halevi, Rabin
presented by Thorsten Tarrach
22 January 2009
Motivation
• Two players make a move trying to achieve highest payoff
• Trusted mediator can increase payoffs• Can we remove the mediator ?
2
Overview
Introduction to Game Theory
Example
Protocol design
Protocol analysis
Future Work
3
2 Player Game
• Set of actions
• Payoff function for every player
• Pure strategy Nash equilibrium
• Mixed strategy equilibrium
▫ Probability distribution instead of single action
• Correlated equilibrium
▫ Mediator suggests action
Higher payoffs
4
21 AAA
21: AAui
),(),( and ),(),(:, 21221221121121 aauaauaauaauaa
if ),( 21 aa
in PPT
believed to be not in PPT
deterministic
Mediator
• Players are rational
• Correlated equilibrium needs a mediator
▫ Mediator suggests players a joined strategy to follow
▫ Needs to be a trusted entity
• Goal: Remove the mediator
▫ Replace with a protocol only between parties
5
Chicken and Dare game
• Pure Nash equilibriums:
• Mixed equilibrium:
• Correlated equilibrium:
6
]5,1[);,( uDC
]3,3[);,(3
1),(
3
1),(
3
131
31 uCCCDDC
]1,5[);,( uCD
]2,2[);,(21
21
21
21
21
21 uDCDC
ui C D
C (4,4) (1,5)
D (5,1) (0,0)
Punishment in game theory
• Not possible in one-shot game, possible in multiple-round game
• Punishment needed for deviating players
• Only possible if deviating player detected
• Min-Max Punishment: Smallest payoff player can be forced to have.
• May also hurt the punishing player
7
Removing the mediator
• Possible strategies can be represented as list
▫ Probabilities can be achieved by repeating list item
▫ Chicken game:
List: {(C,D); (D,C); (C,C)}
• Correlated element selection problem in cryptography (CES)
8
),(3
1),(
3
1),(
3
1CCCDDC
Extended Game (Γ´)
It has two stages
1. Cheap talk phase: Players can exchange arbitrary messages; in our case a variant of CES is executed
2. Players play the actions derived from the protocol (game Γ)
Note:
▫ Cheap talk phase computed honestly ⇒ Nash equilibrium enforces step 2
▫ Min-max punishment if cheated in stage one
9
Theorem
Mediator Protocol
• Original Game Γ
• Mediator suggests action
• Correlated equilibrium s
• Extended game Γ´
• Actions derived from protocol execution
• Computational Nash equilibrium σ
10
Both games yield the same average payoff
Higher payoffs possible if one player cheats
But it will increase his payoff only negligibly
Prerequisites for CES
• Blindable encryption
• Special case:
▫ Blinding by 0 yields new cyphertext with the same corresponding plain text
11
)',()'(
)(
mcBlindmmEnc
mEncc
pkpk
pk
Protocol 1: Honest but curious
12
Permute and Encrypt
Producer Chooser
n
iii
ipkipkii
dc
bEncaEncdc
n
1
)()(
)},{( Send
))(),((),(
][over n permutatio random:
Choose and Blind
),( Send
),(),0,(),(
random],[ random Choose
fe
dBlindcBlindfe
nl
lpklpk
Decrypt and Output
Unblind and Output
b
a
fDecbeDeca sksk
~ Send
Output
)(~
),(
b
bb
Output
~
Protocol analysis
• More efficient than the generic secure two-party computation protocols
• But, both players can cheat in the protocol without being detected▫ We introduce zero-knowledge (ZK) proofs to catch
cheaters▫ Intuitively: using ZK a prover convinces a verifier
of a statement without revealing more than just the validity of the statement
13
ZK: Encrypted List Correspondence
14
Permute and Blind
Producer Chooser
Choose 0 or 1
Reply
Verify
•Pick random permutation ρ and new random tapes s•Send list z that is x permuted twice (π◦ρ) and blinded with a combination of the two random tapes (Combine(r,s))
Case 0: Send (ρ, s)Case 1: Send (π◦ρ, Combine(r,s))
Case 0: Permute and blind y with (ρ, s)Case 1: Permute and blind x with (π◦ρ, Combine(r,s))
Common: List x and y and pkProducer: Permutation π and random tapes r
Chance to cheat is ½
Protocol 2
15
Permute and Encrypt
Producer Chooser
n
iii
iipkiipkii
n
iii
dc
sbEncraEncdc
srn
1
)()()()(
1
)},{( Send
));(),;((),(
)},{( tapesRandom ];[over n permutatio random:
Choose and Blind
i
ipki
e
cBlinde
n
Send
)0,(
][over n permutatio random:
)(
Decrypt and Output
Verify and Output
n
iii
sk
sb
aeDeca
1)()(
1
)},{( Send
Output ),(
bsbEncd
sbsb
pk output then );( If
),(),(
)1(
)1()1(
Sub-protocol Π1: P proves in ZK that it knows the randomness (ri,si) and permutation π
Sub-protocol Π2 : C proves in ZK that it knows the permutation ρ
ELC
ELC
Comparison
Issue Cryptography Game Theory
Incentive None Payoff
Players Totally Honest/Malicious
Always rational
Punishing Cheaters Outside Model Central Part
Solution Concept Secure Protocol Equilibrium
Early Stopping Problem Not an Issue
16
Outlook
• Mediator replaced by a secure protocol▫ Efficient: Only five flows of communication
• Future work▫ Extend the protocol for more than two players
• Questions?
17