Selected Topics of Information

Security and Cryptography

A cryptographic solution for a game theoretic problem

Dodis, Halevi, Rabin

presented by Thorsten Tarrach

22 January 2009

Motivation

• Two players make a move trying to achieve highest payoff

• Trusted mediator can increase payoffs• Can we remove the mediator ?

2

Overview

Introduction to Game Theory

Example

Protocol design

Protocol analysis

Future Work

3

2 Player Game

• Set of actions

• Payoff function for every player

• Pure strategy Nash equilibrium

• Mixed strategy equilibrium

▫ Probability distribution instead of single action

• Correlated equilibrium

▫ Mediator suggests action

Higher payoffs

4

21 AAA

21: AAui

),(),( and ),(),(:, 21221221121121 aauaauaauaauaa

if ),( 21 aa

in PPT

believed to be not in PPT

deterministic

Mediator

• Players are rational

• Correlated equilibrium needs a mediator

▫ Mediator suggests players a joined strategy to follow

▫ Needs to be a trusted entity

• Goal: Remove the mediator

▫ Replace with a protocol only between parties

5

Chicken and Dare game

• Pure Nash equilibriums:

• Mixed equilibrium:

• Correlated equilibrium:

6

]5,1[);,( uDC

]3,3[);,(3

1),(

3

1),(

3

131

31 uCCCDDC

]1,5[);,( uCD

]2,2[);,(21

21

21

21

21

21 uDCDC

ui C D

C (4,4) (1,5)

D (5,1) (0,0)

Punishment in game theory

• Not possible in one-shot game, possible in multiple-round game

• Punishment needed for deviating players

• Only possible if deviating player detected

• Min-Max Punishment: Smallest payoff player can be forced to have.

• May also hurt the punishing player

7

Removing the mediator

• Possible strategies can be represented as list

▫ Probabilities can be achieved by repeating list item

▫ Chicken game:

List: {(C,D); (D,C); (C,C)}

• Correlated element selection problem in cryptography (CES)

8

),(3

1),(

3

1),(

3

1CCCDDC

Extended Game (Γ´)

It has two stages

1. Cheap talk phase: Players can exchange arbitrary messages; in our case a variant of CES is executed

2. Players play the actions derived from the protocol (game Γ)

Note:

▫ Cheap talk phase computed honestly ⇒ Nash equilibrium enforces step 2

▫ Min-max punishment if cheated in stage one

9

Theorem

Mediator Protocol

• Original Game Γ

• Mediator suggests action

• Correlated equilibrium s

• Extended game Γ´

• Actions derived from protocol execution

• Computational Nash equilibrium σ

10

Both games yield the same average payoff

Higher payoffs possible if one player cheats

But it will increase his payoff only negligibly

Prerequisites for CES

• Blindable encryption

• Special case:

▫ Blinding by 0 yields new cyphertext with the same corresponding plain text

11

)',()'(

)(

mcBlindmmEnc

mEncc

pkpk

pk

Protocol 1: Honest but curious

12

Permute and Encrypt

Producer Chooser

n

iii

ipkipkii

dc

bEncaEncdc

n

1

)()(

)},{( Send

))(),((),(

][over n permutatio random:

Choose and Blind

),( Send

),(),0,(),(

random],[ random Choose

fe

dBlindcBlindfe

nl

lpklpk

Decrypt and Output

Unblind and Output

b

a

fDecbeDeca sksk

~ Send

Output

)(~

),(

b

bb

Output

~

Protocol analysis

• More efficient than the generic secure two-party computation protocols

• But, both players can cheat in the protocol without being detected▫ We introduce zero-knowledge (ZK) proofs to catch

cheaters▫ Intuitively: using ZK a prover convinces a verifier

of a statement without revealing more than just the validity of the statement

13

ZK: Encrypted List Correspondence

14

Permute and Blind

Producer Chooser

Choose 0 or 1

Reply

Verify

•Pick random permutation ρ and new random tapes s•Send list z that is x permuted twice (π◦ρ) and blinded with a combination of the two random tapes (Combine(r,s))

Case 0: Send (ρ, s)Case 1: Send (π◦ρ, Combine(r,s))

Case 0: Permute and blind y with (ρ, s)Case 1: Permute and blind x with (π◦ρ, Combine(r,s))

Common: List x and y and pkProducer: Permutation π and random tapes r

Chance to cheat is ½

Protocol 2

15

Permute and Encrypt

Producer Chooser

n

iii

iipkiipkii

n

iii

dc

sbEncraEncdc

srn

1

)()()()(

1

)},{( Send

));(),;((),(

)},{( tapesRandom ];[over n permutatio random:

Choose and Blind

i

ipki

e

cBlinde

n

Send

)0,(

][over n permutatio random:

)(

Decrypt and Output

Verify and Output

n

iii

sk

sb

aeDeca

1)()(

1

)},{( Send

Output ),(

bsbEncd

sbsb

pk output then );( If

),(),(

)1(

)1()1(

Sub-protocol Π1: P proves in ZK that it knows the randomness (ri,si) and permutation π

Sub-protocol Π2 : C proves in ZK that it knows the permutation ρ

ELC

ELC

Comparison

Issue Cryptography Game Theory

Incentive None Payoff

Players Totally Honest/Malicious

Always rational

Punishing Cheaters Outside Model Central Part

Solution Concept Secure Protocol Equilibrium

Early Stopping Problem Not an Issue

16

Outlook

• Mediator replaced by a secure protocol▫ Efficient: Only five flows of communication

• Future work▫ Extend the protocol for more than two players

• Questions?

17