Rational Protocol Design: Cryptography against Incentive-Driven Adversaries

Existing work on "rational cryptographic protocols" treats each party (or coalition of parties) running the protocol as a selfish agent trying to maximize its utility. In this work we propose a fundamentally different approach that is better suited to modeling a protocol under attack from an external entity. Specifically, we consider a two-party game between a protocol designer and an external attacker. The goal of the attacker is to break security properties such as correctness or privacy, possibly by corrupting protocol participants; the goal of the protocol designer is to prevent the attacker from succeeding. We lay the theoretical groundwork for a study of cryptographic protocol design in this setting by providing a methodology for defining the problem within the traditional simulation paradigm. Our framework provides ways of reasoning about important cryptographic concepts (e.g., adaptive corruptions or attacks on communication resources) not handled by previous game-theoretic treatments of cryptography. We also prove composition theorems that, for the first time, provide a sound way to design rational protocols assuming "ideal communication resources" (such as broadcast or authenticated channels) and then instantiate these resources using standard cryptographic tools. Finally, we investigate the problem of secure function evaluation in our framework, where the attacker has to pay for each party it corrupts. Our results demonstrate how knowledge of the attacker's incentives can be used to circumvent known impossibility results in this setting.
