Add to collection(s) Add to saved
  1. Business
  2. Economics
  3. Microeconomics
  4. Game Theory

Fair Computation with Rational Players

advertisement 
Fair Computation with
Rational Players
Adam Groce and Jonathan Katz
University of Maryland
Two-party computation
Distance?
NYC
2800
LA
2800
Two-party computation
Fairness: If either player learns the output,
then the other player does also.
Impossible in general [Cleve86]
Dealing with this impossibility
 Fairness for specific functions [GHKL08]
 Partial fairness [BG89, GL90, GMPY06, MNS09,
GK10], …
 Physical assumptions [LMPS04, LMS05, IML05]
 Here: assume rational behavior
 Generalizing prior work on rational secret sharing
[HT04, GK06, LT06, ADGH06, KN08, FKN10], …
Our results (high level)
 Consider an ideal-world evaluation of the
function (using a trusted third party)

Look for a game-theoretic equilibrium in that
setting
 Theorem (informal):
If behaving honestly is a strict Nash equil. in
the ideal world, then there is a real-world
protocol that is fair when players are rational
Putting our result in context
 Much recent interest in combining game
theory and cryptography



Applying game theory to cryptographic tasks
(bypass impossibility, increase efficiency, …)
Using cryptography to remove a mediator
[CS82, Forges90, Barany92, DHR00, …]
Defining cryptographic goals in game-theoretic
terms [ACH11]

Had appeared to give a negative answer
regarding fairness
The real-world game
1. Parties running a
2.
3.
4.
5.
protocol to compute
some function f
Receive inputs x0, x1
from known distribution
Run the protocol…
Output an answer
Utilities depend on
both outputs, and the
true answer f(x0, x1)
D
Goal
 Design a “rational fair” protocol for f, i.e., such
that running the protocol honestly is a
computational Nash equilibrium

That is, no polynomial-time player can gain
more than negligible utility by deviating
 Note: stronger equilibrium notions have been
considered in other cryptographic contexts

We leave these for future work
Asharov-Canetti-Hazay (2011)
 They consider a special case of our real-world
game (with different motivation):



Uniform, independent binary inputs x0 and x1
Computing XOR
Utilities given by:
 Results:
 There exists a rational protocol
with correctness ½
 No rational protocol can be correct
with probability better than ½
Right Wrong
Right
(0, 0)
(1, -1)
Wrong
(-1, 1)
(0, 0)
Asharov-Canetti-Hazay (2011)
 But wait!
 Guessing randomly is also an
equilibrium…
 …and achieves the same payoff
as any possible protocol (even
with a trusted party)
 Parties may as well not run the
protocol at all!
Right Wrong
Right
(0, 0)
(1, -1)
Wrong
(-1, 1)
(0, 0)
The ideal-world game
1.
2.
3.
4.
5.
Receive inputs x0, x1
from known distribution
Send an input (or ⊥) to
the ideal functionality
Receive an output
(or ⊥) from the
functionality
Output an answer
Utilities depend on both
outputs, and the true
answer f(x0, x1)
D
Utilities
Payoff Matrix
Right
Wrong
Right (a0, a1) (b0, c1)
Wrong (c0, b1) (d0, d1)
(Assume b > a ≥ d ≥ c)
Honest strategy of P0 (ideal world)
 Send true input x0 to functionality
 Output the answer given by the functionality
 If functionality gives ⊥, generate output
according to distribution W0(x0)
Not used in an
honest execution,
but must exist.
We can assume W0(x0) has full support.
Our result
Honest behavior
is a strict Nash
equilibrium in the
ideal world
There exists a realworld protocol that is
rational fair
(Fail-stop or Byzantine setting)
Not true in [ACH11]
Our protocol I
Use ideas from [GHKL08, MNS09, GK10]
ShareGen
• Choose i* from geometric distribution with parameter p
• For each i ≤ n, create values ri, 0 and ri,1
• If i ≥ i*, ri, 0 and ri,1 are the desired outputs
• If i < i*, ri, 0 and ri,1 are chosen according to
distributions W0(x0) and W1(x1)
• Secret-share each ri, j value; give one share to P0 and
the other to P1
Our protocol II
 Compute ShareGen (unfairly)
 In round i, parties exchange shares

P0 learns ri,0 and P1 learns ri, 1
 If the other player aborts early, output the last
value learned
 If the protocol finishes, output rn,0 and rn,1
Analysis – will P0 abort early?
Assume P0 is notified once i* has passed
Aborting after this point cannot help
Both
If P0 doesn’t abort early → utility a0
correct
If P0 aborts early….
P0 correct,
… in round i* → utility b0
P1 incorrect
… before round i* → utility strictly less than a0
From ideal world
equilibrium assumption
Analysis – will P0 abort early?
When P0 sees output y in round i:
Probability
this is i*
Expected
utility if
abort
=

Utility if
this is i*
+
Probability
this is
before i*

Expected
utility if
this is
before i*
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Probability
this is i*
Expected
utility if
abort
≤

b0
+
Probability
this is
before i*

Expected
utility if
this is
before i*
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Probability
this is i*
Expected
utility if
abort
≤

b0
+
Probability
this is
before i*

a0 - constant
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Pr[P0 gets y and this is i*]
Probability
this is i*
=
Pr[P0 gets y]
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Pr[P0 gets y | this is i*]
Probability
this is i*
=

Pr[P0 gets y]
Pr[this is i*]
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Pr[P0 gets y | this is i*]
Probability
this is i*
=
Pr[P0 gets y |
this isn’t i*]
Pr[this
isn’t i*]
+

Pr[this is i*]
Pr[P0 gets y |
this is i*]
Pr[this
is i*]
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Pr[P0 gets y | this is i*]
Probability
this is i*
=
Pr[P0 gets y |
this isn’t i*]
Pr[this
isn’t i*]
+

p
Pr[P0 gets y |
this is i*]
p
Analysis – Will P0 abort early?
When P0 sees output y in round i:

constant
Probability
this is i*
=
Pr[P0 gets y |
this isn’t i*]
Pr[this
isn’t i*]
+
p
constant
p
Analysis – Will P0 abort early?
When P0 sees output y in round i:

constant
Probability
this is i*
=
Pr[P0 gets y |
this isn’t i*]
1-p
+
p
constant
p
Analysis – Will P0 abort early?
When P0 sees output y in round i:

constant
Probability
this is i*
=
constant > 0
1-p
Can make arbitrarily
low by choice of p
+
p
constant
p
Analysis – Will P0 abort early?
When P0 sees output y in round i:
Probability
this is i*
Expected
utility if
abort
≤

b0
+
Probability
this is
before i*

a0 - constant
Analysis – Will P0 abort early?
When P0 sees output y in round i:
arbitrarily low
Expected
utility if
abort
≤

b0
+
Probability
this is
before i*

a0 - constant
Analysis – Will P0 abort early?
When P0 sees output y in round i:
arbitrarily low
Expected
utility if
abort
≤

b0
<
+
1 – arbitrarily low

a0
a0 - constant
Utility of not
aborting
Conclusion
 Rational fairness is possible!

As long as there is a strict preference for
fairness in the ideal world (by at least one of
the parties)
 The more pronounced parties’ preferences
are, the more round-efficient the real-world
protocol is
Extensions and open problems
 Multi-party case, more general utilities

Recent work with Amos Beimel and Ilan Orlov
 Open:



Prove a (partial?) converse of our result
Consider stronger notions of equilibrium in the
real world
Address other concerns besides fairness?
Thank you
Related documents
Growth Mindset
Growth Mindset
Volunteers are the only human beings on the face of the
Volunteers are the only human beings on the face of the
Candace Chandra
Candace Chandra
delle slides
delle slides
AP Economics Mr. Bernstein Utility Maximization
AP Economics Mr. Bernstein Utility Maximization
File
File
Utility Interconnection Package
Utility Interconnection Package
Utility Installation Review System
Utility Installation Review System
By the waters of babylon
By the waters of babylon
Speculative Parallelism in Intel Cilk Plus Ruben Perez
Speculative Parallelism in Intel Cilk Plus Ruben Perez
Download
advertisement