Post on 19-May-2018
How to (not) Analyze Cryptographic Protocols using Game Theory
Jesper Buus Nielsen
Main Points
• Idealizing crypto: Replace real-life crypto tools by formal objects like term algebras or oracles to make analysis of a protocol easier
• Common in cryptography
  – Known to be sound in the usual crazy-versus-stupid models
• Researchers have been idealizing crypto tools for the sake of game theoretic analysis too
  – That is typically not sound
Terminology: Computational Solution Concept
• Takes computational feasibility into account
  – Examples: Only allow polynomial time computable strategies, price computation via the utility function, discounting, …
• Allows the use of (imperfect) cryptography
  – Example: When your opponent uses encryption, the deviation which makes one guess at his secret key and uses the key to break the protocol if the guess is correct gives you a small advantage, so go for an -NE for negligibly small  to allow stability
  – Example: Utility of key-guessing smaller than the price of the computation, or discounted away
Terminology: Game Theoretic Solution Concept
• A solution concept which allows arbitrary strategies
Idealizing Crypto
• (Very simple) idealized signatures:
  – The world has a global signing oracle O which all parties have access to
  – Sign: A party Pi can send sign(m) to O, which stores (i, (i, m)) [read: Pi has a signature on m from Pi]
  – Transfer: If Pk inputs trans((i, m), n) to O and (k, (i, m)) is stored in O, then O stores (n, (i, m))
  – Verify: If Pk inputs verify(i, m) to O and (k, (i, m)) is stored in O, then O outputs accept, otherwise reject
• Possible to show that any cryptographic protocol which is secure when using these idealized signatures is equally secure when they are replaced by real signatures
  – Up to negligible
  – PKI + unforgeable signatures + UC framework
Why? (1/3)
• A possible solution heuristic:
  – Idealize the crypto tools in a protocol and then apply your favorite GT solution concept to the idealized protocol
  – Since the idealized protocol does not rely on computational crypto tools, it is free of the deviations with negligibly small advantage which disturb most known GT solution concepts
• Implicit assumption: Guarantees that there are no problems besides key-guessing-like deviations
Why? (2/3)
• Might guide the development of computational solution concepts:
  – Given GT solution concept X, try to develop a computational version CX
  – Then check if CX produces solutions similar to the solutions X produces for the idealized protocol
• Assumption: The computational version should behave like the pure GT notion
Why? (3/3)
• Modular analysis of complex protocols
• Given a protocol using both signatures and encryption:
  – First idealize both primitives and give a hopefully simple analysis of the idealized protocol
  – Show that plugging in real signatures preserves solutions
  – Show that plugging in real encryption preserves solutions
  – Conclude that the real protocol has the same solutions as the ideal protocol
Hope!
• Often a cryptographic analysis (honest parties versus corrupted parties) of an idealized protocol can be proven to give sound conclusions about the real-life protocol
  – Signatures
  – Encryption
  – Zero-knowledge proof of knowledge
  – Zero-knowledge proof of correctness
Claims
• The solution heuristic is likely to give wrong conclusions
• Comparison to idealization is not a good sanity check for computational solution concepts
• Computational solution concepts must be developed cautiously and have their own computational epistemologies
• After developing good computational solution concepts, idealization is possible as a tool for modular analysis
“Proof by Example”
• Will try to argue my point by “solving” a small game in three different settings
• Will see that we get dramatically different solutions depending on whether we idealize crypto or not
• And the solution called by the idealized analysis is arguably the wrong one
Overview
[Diagram: parties 1, 2 and 3. Round 1: signal; round 2: P2 picks (g, b); round 3: communication; round 4: P1 outputs g1 and P3 outputs (g3, b3). P2's g is the good choice, b the bad choice.]
A Few Pennies
• Good & bad: P2 plays g ∈ {1,2,3} and b ∈ {1,2,3}\{g}
• Guess: P1 plays g1 ∈ {1,2,3}
• Guess: P3 plays g3 ∈ {1,2,3,a} and b3 ∈ {1,2,3}
• Abstain: If P3 plays a, all parties get utility 0
• Avoid bad: If g1 = b or g3 = b then P1 and P3 die and P2 wins the world
• Know bad: Same if P3 does not abstain and b3 ≠ b
• Coordinate: If g1, g3 ∈ {1,2,3}\{b} and b3 = b, then P1 and P3 get a positive utility from g1 = g3 but P2 prefers g1 ≠ g3
  – P1 has negative utility on g1 ≠ g3 but P3 does not, though he prefers g1 = g3
  – And P1 prefers to match on g
Played in a Network
• Before P2 specifies (g, b):
  – P1 can send a signal to P3
    • Also seen by P2
• Then P1 learns (g, b) but P3 does not
• After P2 specifies (g, b):
  – P1 can send a message to P2
    • Not seen by P3
  – P2 and P3 can communicate with each other
    • Not seen by P1
Recap
• Abstain: g3 = a: u1 = u2 = u3 = 0
• Avoid: g1 = b or g3 = b: u1 = u3 = −…, u2 = … (P1 and P3 die, P2 wins the world)
• Know: g3 ≠ a, b3 ≠ b: u1 = u3 = −…, u2 = … (same as Avoid)
• Otherwise:
  – g1 ≠ g3: u1 = −2, u2 = 3, u3 = 0
  – g1 = g3 = g: u1 = 1, u2 = 1, u3 = 1
  – g1 = g3 ≠ g: u1 = 0, u2 = 2, u3 = 1
• Will draw conclusions from this game by informally solving it using “common knowledge of rationality” in the following settings:
  1. Arbitrary strategies
  2. Idealized signatures
  3. Poly-time strategies
Arbitrary deviations
• If g3 ≠ a in some NE (with positive probability) given some (signal, b), then P2 gains by shifting to the strategy where it picks b = g3 when it sees signal and then shows P3 communication with the distribution it would have seen if P2 had played according to the NE
Common knowledge of rationality: Always abstain
Idealized signatures
• “Rationalizable”:
  – P1: signal = verification key vk of P1
  – P2: pick (g, b) uniformly at random
  – P1: send s = sig_sk(g, b) to P2
  – P2: send (g, b) and s to P3 if received, otherwise nothing
  – P3: if ver_vk((g, b), s) = accept, play g3 = g and b3 = b, otherwise g3 = a
Common knowledge of rationality: Never abstain
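The signing oracle O defined under “Idealizing Crypto” and the rationalizable strategy just listed, as an added Python example (not code from the talk): the oracle records who holds which signature, and the strategy is driven through it. Party numbers and the (g, b) message follow the slides; the abstain value "a" and the helper names are this example's own.

```python
from collections import abc
from typing import Union

Sig = tuple[int, abc.Hashable]   # (i, m): "a signature on m from P_i"


class SigningOracle:
    """Global signing oracle O; store holds (k, (i, m)): P_k holds P_i's signature on m."""

    def __init__(self) -> None:
        self.store: set = set()

    def sign(self, i: int, m: abc.Hashable) -> None:
        # Sign: P_i sends sign(m); O stores (i, (i, m)).
        self.store.add((i, (i, m)))

    def transfer(self, k: int, sig: Sig, n: int) -> bool:
        # Transfer: on trans((i, m), n) from P_k, O stores (n, (i, m)) only
        # if (k, (i, m)) is already stored; an unheld signature cannot move.
        if (k, sig) not in self.store:
            return False
        self.store.add((n, sig))
        return True

    def verify(self, k: int, i: int, m: abc.Hashable) -> str:
        # Verify: accept iff (k, (i, m)) is stored, otherwise reject.
        return "accept" if (k, (i, m)) in self.store else "reject"


def run_idealized_strategy(g: int, b: int, forward: bool = True) -> Union[int, str]:
    """Drive the rationalizable strategy through O; return P3's g3 (g, or "a" = abstain)."""
    o = SigningOracle()
    o.sign(1, (g, b))                  # P1: s = sig_sk(g, b), sent to P2
    o.transfer(1, (1, (g, b)), 2)
    if forward:                        # P2: send (g, b) and s to P3 ...
        o.transfer(2, (1, (g, b)), 3)  # ... if received, otherwise nothing
    if o.verify(3, 1, (g, b)) == "accept":
        return g                       # P3: ver_vk accepts -> g3 = g, b3 = b
    return "a"


def p2_can_show_b_alone(g: int, b: int) -> bool:
    """Can P2 convince P3 of 'P1 signed some (., b)' without handing over g? Under O: no."""
    o = SigningOracle()
    o.sign(1, (g, b))
    o.transfer(1, (1, (g, b)), 2)
    moved = o.transfer(2, (1, ("?", b)), 3)  # P2 never held this item
    return moved or o.verify(3, 1, b) == "accept"
```

The last function is the point the “Real signatures” setting turns on: O only ever moves the whole pair (g, b), so the idealization has no room for the partial proof about b that a real signature scheme admits.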
Real signatures
• P2 can use s to prove to P3 that P1 signed a value of the form (., b), using, e.g., a zero-knowledge proof
• When P3 knows b but not g, it should play “matching pennies” with P2 using a random g3, which gives P2 a higher payoff but gives P1 a negative payoff
• Hence it is rational for P1 not to give any verifiable information on b away
• Hence P3 will abstain
Common knowledge of rationality: Always abstain
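The payoff rules from “A Few Pennies” and the matching-pennies argument above, worked through as an added example (not code from the talk). It assumes ±infinity as a stand-in for the “die” / “wins the world” payoffs, whose exact numbers the slides do not give; the function names are this example's own.

```python
from fractions import Fraction

CHOICES = (1, 2, 3)
# The slides only say P1 and P3 "die" and P2 "wins the world" in the Avoid
# and Know cases; +/-infinity is this example's own stand-in for those values.
DIE, WIN = float("-inf"), float("inf")


def utility(g, b, g1, g3, b3):
    """(u1, u2, u3) for P2's (g, b), P1's guess g1 and P3's (g3, b3); g3 == "a" abstains."""
    if g3 == "a":                 # Abstain: all parties get 0
        return (0, 0, 0)
    if g1 == b or g3 == b:        # Avoid bad: P1 and P3 die, P2 wins the world
        return (DIE, WIN, DIE)
    if b3 != b:                   # Know bad: same if P3 does not name b
        return (DIE, WIN, DIE)
    if g1 != g3:                  # Coordination failed: the case P2 prefers
        return (-2, 3, 0)
    if g1 == g:                   # Matched on g: the case P1 prefers
        return (1, 1, 1)
    return (0, 2, 1)              # Matched, but not on g


def expected(g, b, g3_mix):
    """Expected (u1, u2, u3) when P1 plays g1 = g, P3 reports b3 = b and
    draws g3 from the mixed strategy g3_mix = {g3: probability}."""
    total = [Fraction(0)] * 3
    for g3, p in g3_mix.items():
        for i, u in enumerate(utility(g, b, g, g3, b)):
            total[i] += p * u
    return tuple(total)


def settings(g, b):
    """Payoff profiles in the three situations the talk compares for a fixed (g, b)."""
    pennies = {c: Fraction(1, 2) for c in CHOICES if c != b}  # uniform over {1,2,3}\{b}
    return {
        "abstain": utility(g, b, g, "a", b),        # P3 learns nothing and plays a
        "idealized": utility(g, b, g, g, b),        # P3 gets the signed (g, b) from P2
        "knows b only": expected(g, b, pennies),    # matching pennies with P2
    }
```

For every (g, b) the “knows b only” profile is (−1/2, 2, 1/2): P2 does better than the 1 it gets from coordination, P3 does better than abstaining, and P1 goes negative, which is exactly why P1 withholds verifiable information on b.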
What went Wrong?
• Idealization of signatures has been proven sound in cryptography, so what went wrong?
• P2 can prove to P3 that P1 sent b while hiding g, and thus renegotiate P3 into a strategy which is an advantage for P2
• Cryptography has a centralized adversary who controls and coordinates all corrupted parties, hence the use of cryptography “internal to the deviation” does not give extra power to the adversary compared to the idealized case
Conclusion 1
• The heuristic solution concept can easily give “very” wrong solutions
  – A three-party, simultaneous mutual conflict / mutual advantage of cooperation setting, like the one used, can arise in many settings and might even be subtly hidden
• Seems hard to judge whether a protocol can be soundly analyzed using the heuristic, so better just abstain from doing it
Conclusion 2
• It does not seem to be a way out to make more involved idealizations which, e.g., allow “splitting” of signatures as we did in the example
  – The idealization would probably end up being more complicated than the real-life tool
  – The idealization would have to be head on: allow all possible uses and misuses and nothing else to hope for soundness
Conclusion 3
• Comparison to how GT solution concepts behave on idealized protocols is not a good sanity check for proposed computational solution concepts
  – In our case the computational notion should exactly give another solution
Conclusion 4
• There does not seem to be a way around cautiously developing computational solution concepts and trying to give epistemic models based on bounded rationality
The Good News
• Modular analysis via idealization is possible for Computational Nash Equilibrium (CNE)
  – Only reasons via single agent deviation
  – Hence crypto cannot be used to facilitate deviations
• In [Peter Bro Miltersen, Jesper Buus Nielsen, Nikos Triandopoulos: Privacy-Enhancing Auctions Using Rational Cryptography. CRYPTO 2009] we show a cryptographic auction protocol to be a CNE via a sound idealization of the crypto and a game theoretic analysis of the idealized protocol
Setting
• The goal in [MNT09] was to give a game-theoretic analysis of a protocol which n parties can run among themselves on the Internet to emulate a trusted mediator
  – They should end up having signed contracts from all other parties on their outcomes to avoid disputes after the game is over
  – The parties are allowed to have privacy concerns, e.g., to prefer to keep their type secret over leaking it
Analytic Technique
• We use a notion of protocol game, which allows us to model both a trusted mediator and the Internet in a unified manner
• We then relate the properties of the real-life protocol to the mediated case and conclude that the real-life protocol is as stable as the mediated case and gives the same utility profile
  – Implies that it leaks no more information, as the utility associated to information loss/collection is captured in the utility functions
Protocol Games
[Diagram: a communication device C connected to parties 1 … n; party i has type ti, local information Li and outcome oi]
fiscal utility: fi(t, o); information utility: Ii(t, L); utility: ui(t, o, L) = fi(t, o) + Ii(t, L)
Mediation
[Diagram: the device is a trusted mediator; party i sends input bi and receives outcome oi, with (o1, …, on) = M(b1, …, bn); types ti, local information Li and the utilities ui = fi + Ii are as in the protocol game]
Internet Contract Games
[Diagram: the device plays the CA, setting up a PKI; it allows communication between the parties; it calls outcome oi if Pi returns a signature on oi from all parties. Types ti, local information Li, outcomes oi and the utilities ui = fi + Ii are as in the protocol game.]
Important Design Choices
• Same type profile T makes sense in all settings
• Outcome is called by the device as the last round of outputs, so well-defined in all settings
• Local information is output by the parties, so well-defined in all settings
• So, the same u = f + I makes sense in all settings
• We can keep types and utilities fixed and relate different strategies in different settings
  – We can talk about whether it is better to play some given strategy in the real-life setting than it is to play some other strategy in the ideal setting
Nash Implementation
• Fix T and f = (f1, …, fn)
• We say that (C, ) is a t-resilient privacy-enhanced Nash implementation of (D, ), written with a relation indexed by t, T, r, if for all admissible I and u = f + I it holds that:
• No less utility: For all Pi: ui(T, C, ) ≥ ui(T, D, ) −
• No more incentive to deviate: For all C ⊆ {1, …, n} with |C| ≤ t and all C* there exists C* such that ui(T, D, (C*, −C)) ≥ ui(T, C, (C*, −C)) −  for all i ∈ C
The Result in the Paper
• We construct for each mechanism M a contract game for the Internet which is an (n−1)-resilient privacy-enhanced Nash implementation of the ideally mediated setting for M, if all parties have ex interim strict rationality
Property 1 of Nash Implementation
• If (C, ) is an -NE (tolerating collusions of size t) and (C, ) is a t-resilient privacy-enhanced Nash implementation of (D, ), then (D, ) is an -NE (tolerating collusions of size t)
  – Allows lifting analysis from an ideal setting to a real-life setting
• So, any -NE for the mediated setting (with ex interim strict rationality) is also an -NE in the Internet contract game
Property 2 of Nash Implementation
• If (C, ) is a t-resilient privacy-enhanced Nash implementation of (D, ) and (D, ) is one of (E, ), then (C, ) is one of (E, )
• This allows a modular analysis going from the mediated setting to the Internet setting via gradually more refined settings (introducing, e.g., one crypto primitive at a time)
…
• The notion of Nash implementation is a trivial adaptation of the notion of NE from intra-game analysis to inter-game analysis
• Yet it allows us to do modular analysis with much the same flavor as modular analysis in crypto via idealization
• There is justified hope that other good computational solution concepts will allow similar lifting to inter-game analysis and hence allow modular analysis
• We just need some good computational solution concepts…