Utility Dependence in Correct and Fair Rational Secret Sharing

Transcription

1 Utlty Dependence n Correct and Far Ratonal Secret Sharng Glad Asharov and Yehuda Lndell Department of Computer Scence Bar-Ilan Unversty, Israel glad asharov@yahoo.com, lndell@cs.bu.ac.l Abstract. The problem of carryng out cryptographc computatons when the partcpatng partes are ratonal n a game-theoretc sense has recently ganed much attenton. One problem that has been studed consderably s that of ratonal secret sharng. In ths settng, the am s to construct a mechansm (protocol) so that partes behavng ratonally have ncentve to cooperate and provde ther shares n the reconstructon phase, even f each party prefers to be the only one to learn the secret. Although ths queston was only recently asked by Halpern and Teague (STOC 2004), a number of works wth beautful deas have been presented to solve ths problem. However, they all have the property that the protocols constructed need to know the actual utlty values of the partes (or at least a bound on them). Ths assumpton s very problematc because the utltes of partes are not publc knowledge. We ask whether ths dependence on the actual utlty values s really necessary and prove that n the basc settng, ratonal secret sharng cannot be acheved wthout t. On the postve sde, we show that by somewhat relaxng the standard assumptons on the utlty functons, t s possble to acheve utlty ndependence. In addton to the above, observe that the known protocols for ratonal secret sharng that do not assume smultaneous channels all suffer from the problem that one of the partes can cause the others to output an ncorrect value. (Ths problem arses when a party gans hgher utlty by havng another output an ncorrect value than by learnng the secret tself; we argue that such a scenaro s not at all unlkely.) We show that ths problem s nherent n the non-smultaneous channels model, unless the actual values of the partes utltes from ths attack s known, n whch case t s possble to prevent ths from happenng. 1 Introducton Recently, there has been much nterest n the ntersecton between cryptography and game theory [6, 5, 10, 3, 1, 9, 10]. One specfc queston that has ganed much attenton s that of ratonal secret sharng. The basc problem that arses when consderng secret sharng (or to be more exact, protocols for the reconstructon Research supported by the srael scence foundaton (grant No. 781/07).

2 phase) s that the partes actually have no ncentve to reveal ther share. Specfcally, assume that t partes get together to reconstruct a secret that was shared usng a t-out-of-n secret sharng scheme. The way that ths reconstructon takes place s smply for each party to broadcast ts share to all others. However, f one party does not broadcast ts share, t can stll reconstruct the secret (because t receved the t 1 shares of all other partes and so has t shares overall), but the others cannot (because they only have t 1 shares). Thus, under the assumpton that partes prefer to be the only one to learn the secret, the ratonal behavor n the above nave reconstructon procedure s for every party to reman quet and not broadcast ts share [6]. The am of ratonal secret sharng s therefore to construct a mechansm so that t s n the nterest of ratonal partes to cooperate, wth the result beng that all partes learn the reconstructed secret. The fact that the partes are ratonal essentally means that they each have a utlty functon assgnng a value to every possble outcome of the protocol (ths value represents the gan that the party acheves f the gven outcome occurs). Furthermore, the partes am s to maxmze ther utlty. We remark that a mechansm s consdered successful f t acheves a Nash equlbrum (or one of ts varants) for the strategy whch nstructs all partes to cooperate. Loosely speakng, ths means that f any one of the partes devates from the prescrbed strategy (whle others follow t), then t wll not obtan a hgher utlty (and may even lose). Thus, t s n the nterest of all partes to follow the prescrbed strategy and cooperate. In order to construct a mechansm wth the above propertes, certan natural assumptons are made regardng the utltes of the partes. In partcular, t s assumed that a party always prefers to learn the secret than to not learn t (ths s essental to assume, or else there s no reason for a party to ever partcpate n the reconstructon). Furthermore, t s assumed that partes prefer to learn the secret, and have some or all of the other partes not learn t (when knowledge s power, ths makes a lot of sense). Although the above assumptons are very reasonable, a concern wth all of the known protocols s that they don t just assume that ths learnng preference holds. Rather, they assume that the actual utlty values of the partes (or at least bounds on them) are known to all, and the mechansm tself depends on these values. The problem wth ths assumpton s that n realty the utlty of a party may not even be known to tself, let alone to others. Furthermore, even f a party knows ts own utlty, t s unclear how others can learn ths value (t would not necessarly be ratonal for a party to be honest about ts utlty; rather, t may gan somethng by provdng ncorrect nformaton about ts utlty functon). Ths problem stands at the center of ths work, and we ask the followng fundamental queston: Is t possble to construct a sngle reconstructon mechansm for ratonal secret sharng that acheves a Nash equlbrum for all possble values of utlty functons that fulfll the aforementoned assumptons regardng learnng preference? In addton to the above, we observe that some of the known protocols suffer from a correctness ssue. Specfcally, most of the postve results on ths topc

3 assumed that the partes have access to a smultaneous channel (meanng that all partes can smultaneously send messages meanng that no party can see what the others broadcast before sendng ts own). Snce smultaneous channels are problematc to mplement n practce, a recent breakthrough was made that acheved ratonal secret sharng n non-smultaneous channels [10]. However, the protocol of [10] (and a follow-up protocol by [7]) has the problem that one of the partes can cause the others to output an ncorrect value, at the expense of not learnng the secret tself. Thus, the assumpton made by [10] s that snce a party always prefers to learn the secret, t wll never follow such a strategy. However, we do not beleve that ths assumpton s always reasonable. Rather, there are certanly scenaros where a party can gan more by havng another learn ncorrect nformaton than by learnng the nformaton tself (for example, consder the case where the use of ncorrect nformaton can result n a loss of reputaton, to the potental gan of others). In any case, t would certanly be preferable to not have to assume ths. Notng that ths problem of correctness does not arse n any of the protocols usng smultaneous channels, we ask: Is t possble to construct a reconstructon mechansm for ratonal secret sharng that uses non-smultaneous channels and acheves Nash equlbrum even f a party s utlty when another party outputs an ncorrect value s hgher than ts utlty when t learns the secret? Furthermore, s t possble to acheve ths wthout assumng knowledge of the actual utlty value? Our results. We focus manly on 2-out-of-2 secret sharng. Let U + denote the utlty of party P when t learns the secret and the other party does not. Furthermore, let U f denote the utlty of party P when the other party outputs an ncorrect (false) value, even f P tself dd not learn the output. We call a mechansm U + -ndependent f t acheves Nash equlbrum for all possble (polynomal) values of (U 1 +, U 2 + ) that fulfll the aforementoned learnng-preference assumptons (.e., that a party prefers to learn than not learn, and prefers to be the only one to learn). We defne U f -ndependence smlarly. We stress that when a mechansm s U + or U f -ndependent, t may stll know the values of the other utltes (.e., the utlty when all partes learn the secret or when none learn t). We begn by provng an nterestng connecton between U + -ndependence and complete farness, and between U f -ndependence and correctness (where farness and correctness here are n the presence of malcous adversaral behavor that may not be ratonal and s amed only to break the protocol). In Secton 3, we prove the followng nformally stated theorem: Theorem 1 Any two-party mechansm that acheves U + -ndependence guarantees complete farness n the presence of malcous adversaral behavor. Furthermore, any two-party mechansm that acheves U f -ndependence guarantees correctness n the presence of malcous adversaral behavor. Intutvely, Theorem 1 holds because f a mechansm s U + -ndependent, then t must be n a party s nterest to cooperate even f ts U + utlty s very

4 hgh. However, f a party s U + utlty s hgh enough but stll polynomal then t can be shown that ts best strategy s to just try and break farness (because then t gans U + ). Snce, t should not be able to succeed n dong ths, t follows that a malcous adversary also can only break farness wth neglgble probablty. The connecton between U f ndependence and correctness s proven n a smlar way. It s possble to use Theorem 1 n order to prove that there do not exst two-party reconstructon mechansms for ratonal secret sharng that are ndependent of U +, by showng how to toss a far con gven any such mechansm. (Intutvely, gven such a mechansm, we construct a protocol where n the frst stage multparty computaton s used to generate shares of an unbased con, and then the mechansm s used to farly reveal the con.) Usng the mpossblty result of Cleve [2] for con tossng, we then conclude that such a mechansm does not exst. However, we stress that unbased con tossng s only mpossble n the non-smultaneous channels model, and thus ths would only prove the mpossblty of obtanng U + -ndependence n ths model, and leaves open the possblty that there do exst U + -ndependent mechansms n the smultaneous channels model. We therefore provde a drect proof, rulng out the possblty of obtanng U + -ndependence even when gven a smultaneous channel. That s, we prove the followng: Theorem 2 There does not exst a two-party reconstructon mechansm for ratonal secret sharng that s ndependent of U + n ether the smultaneous or non-smultaneous channels model. In order to prove ths, we actually present a lower bound on the number of rounds needed for achevng far reconstructon and show that ths number s dependent on the actual utlty functons of the partes (or, to be more exact, a bound on them). Thus, no mechansm can be ndependent of the utltes because ths mples that ts number of rounds s also ndependent. Our lower bound s proven n the smultaneous-channels model and therefore also holds for non-smultaneous channels. Havng establshed that U + -ndependence s mpossble to acheve, we ask whether the other utlty values must also be known. For example, we know that U f -ndependence s possble n the smultaneous-channels model, because all of the known protocols for the smultaneous-channels model (cf. [5, 10]) are U f -ndependent. Ths leaves open the queston regardng U f -ndependence wth non-smultaneous channels. We prove that: Theorem 3 There does not exst a two-party reconstructon mechansm for ratonal secret sharng that s U f -ndependent n the non-smultaneous channels model. The proof of ths theorem uses Theorem 1 that states that a U f -ndependent mechansm guarantees correctness. We then prove that n the non-smultaneous channels model, t s not possble to construct a correct reconstructon mechansm.

5 Postve results. In Secton 5, we present two postve results as follows: 1. We present a two-party reconstructon mechansm for ratonal secret sharng that works n the non-smultaneous model. Ths mechansm uses the actual values of U f ; gven the mpossblty result of Theorem 3, ths s nherent. 2. We present a multparty reconstructon mechansm that uses smultaneous channels and s ndependent of all utlty values, under a relaxaton of the learnng-preference assumptons. Namely, we assume that a party prefers to be the only one to learn the secret but once one other party has learned the secret t makes no dfference f all learn t. In fact, t suffces to assume that even though each party prefers that as few other partes as possble learn the secret, the utlty f all but 1 or all but 2 partes learn s the same (.e., t makes no dfference f all partes learn the secret or f almost all partes learn the secret). The above results show that (a) correctness need not be forfeted n the model wth non-smultaneous channels, and (b) utlty ndependence s possble to acheve n some settngs, dependng on the assumptons on the utlty functons. Related work. The queston of ratonal secret sharng was frst ntroduced by [6]. They showed that there does not exst a mechansm wth a constant number of rounds, wth a Nash Equlbrum that survves terated deletons of weakly domnated strateges. Moreover, they presented a protocol for n 3 (that s U + -dependent) n the smultaneous model. More protocols, dealng wth other settngs, were presented for the smultaneous model n [5, 1, 9, 10], and for the non-smultaneous model n [10, 7]. The basc queston that we ask regardng utlty ndependence was proposed n [6]. The frst partal answer to ths queston was gven by [1] who showed that utlty ndependence s possble for t-out-of-n secret sharng as long as t < n/3. Ths queston was also consdered by [14] who gave a partal answer n ther model. Among other thngs, we have shown that t s not possble for the mportant case of 2-out-of-2 secret sharng. The works of [13, 11] can be used to obtan far secret sharng, but assume stronger physcal assumptons than a smultaneous channel. Other works have also consdered a mx of ratonal, honest and malcous partes [16, 14, 1]. 2 Defntons and Prelmnares We denote by S an effcently samplable dstrbuton for choosng the secret to be shared, by share the secret sharng scheme and by (Γ, σ) the reconstructon mechansm. Defntons of secret sharng and Nash equlbra can be found n the full verson. Outcome and utltes. The outcome of an executon of a game Γ wth some strategy profle σ s denoted o and conssts of the output of all of the partes. In the case of 2-out-of-2 secret sharng, each party may learn or may not learn the secret, and there are therefore exactly four possble outcomes. (Ths gnores the ssue of correctness whch we ntroduce n ths paper and dscuss below.)

6 Each party s utlty s a functon of these outcomes, and there are therefore also four possble utlty values for each party. The notatons for the four possble outcomes, and the assocated utlty for each party, are descrbed n Table 1. P 1 receves s P 2 receves s Outcome notaton P 1 s Utlty P 2 s Utlty NO NO o none U 1 U 2 NO YES o + 2 U 1 U + 2 YES NO o + 1 U + 1 U 2 YES YES o both U 1 U 2 Table 1. Outcome and Utlty In ths paper, we consder the possblty that partes may output ncorrect values and ntroduce a utlty U f for ths event (nformally, a party gans U f f t succeeds n havng the other party output a false/ncorrect value). Ths results n nne possble outcomes of the game (each party may learn the correct value, not learn, or output an ncorrect value). For smplcty we wll consder only the outcome where one party does not learn the secret whle the other outputs an ncorrect (or false) value. We denote ths event by o false, where P s the party who outputs the ncorrect value. (We explctly consder ths event because ths s the one that occurs naturally. Needless to say, when analyzng mechansms all possbltes need to be taken nto account.) Assumptons on the utlty functons. We assume that the utlty functons of all partes are polynomal n the securty parameter. Formally, a party s utlty functon u s a functon of the outcome and the securty parameter k. We therefore wrte U (1 k ) = u (1 k, o both ), U + (1k ) = u (1 k, o + ), U (1k ) = u (1 k, o none ), U (1 k ) = u (1 k, o + ), and U f (1k ) = u (1 k, o false ). As s now standard [6, 5, 10], we assume that each party always prefers to learn the secret than to not learn t, and that each party most prefers to be the sole party to learn the secret. We add an addtonal assumpton beng that a party prefers to have the other party output an ncorrect value than not, when n both cases the frst party does not learn anyway. We do not make any assumpton on U f beyond ths. (In [10] they mplctly assume that U f < U for all partes.) For lack of a better name, we call utlty functons that fulfll these assumptons natural. Formally: Defnton 4 Let U = {(U +, U, U, U, U f ) {1,2}} be a set of utlty functons for the partes. We say that U s natural f for every {1, 2} and for every k N t holds that U + (k) U (k) U (k) U (k) 0 and U f (k) U (k). We remark that n all prevous works, t was formally assumed that U (k) = U (k), even though none of the protocols utlzed ths fact. We have not defned t n ths way because we fnd t unsatsfactory to assume that once a party has not learned, t makes no dfference to ts utlty f others dd or dd not learn. On the contrary, t can be a lot worse f a party does not learn whle others do learn and so protocols should take ths nto account. We note that all prevous protocols can be modfed to work wth the value U. We also note that our

7 lower bounds hold even f U the value U. = U, and so we do not assume anythng about Far secret sharng. A number of dfferent notons have been used regardng the desred equlbrum for ratonal secret sharng. Our mpossblty results refer to the weakest of these assumptons, whch s ɛ-nash equlbrum for a neglgble functon ɛ( ) [10, 8]. However, we also requre that the number of rounds be polynomal (ths s needed for our lower bounds, but we argue that ths does not sgnfcantly weaken our results because a mechansm wth a super-polynomal of rounds s not computatonally feasble to run). The natural way to model ths s as a computatonal Nash equlbrum [3, 8] (although our results hold even f local computaton by each party s unbounded). We defne computatonally far reconstructon mechansms n ths lght: Defnton 5 Let U be a set of natural utlty functons for P 1 and P 2 (as n Defnton 4). We say that a mechansm (Γ, σ) s a far reconstructon mechansm for U f σ s a computatonal Nash Equlbrum and f the probablty that the result s not o both when both partes follow σ s neglgble. 3 Utlty-Independent Mechansms and Propertes 3.1 Defntons We now formalze the noton of utlty ndependence. Loosely speakng, a mechansm s ndependent of a gven utlty functon f t acheves ts desred propertes for any value of that utlty for all partes. Defnton 6 Let Û {U +, U, U, U, U f } be a utlty type and let U = {U +, U, U, U, U f }n =1 \ {Û} n =1 be a set of polynomal utlty functons (excludng all the Û values). We say that the mechansm (Γ, σ) s a Û-ndependent far reconstructon mechansm f for all polynomal utlty functons {Û} n =1 for whch U = U {Û} n =1 s natural, t holds that (Γ, σ) s a far reconstructon mechansm for U. Note that our defnton of utlty ndependence ncludes the assumpton that U s natural. In our results, we focus on U + and U f ndependence. Farness and correctness. In ths secton, we show that U + and U f ndependence mples the propertes of complete farness and correctness n the presence of adversaral behavor. 1 We stress that we defne these notons n an adversaral context and not n a game theoretc one. That s, we say that a protocol or mechansm s completely far/correct f t mantans ths property when one of the 1 We consder the two-party case only because we only deal wth the case of no coaltons n ths paper, and n the case of no coaltons we have an honest majorty and so farness and correctness (n the presence of a malcous adversary) can be acheved. Ths case s therefore not nterestng.

8 partes follows a worst-case strategy (meanng that t has no am to gan utlty and ts am s smply to break ths property of the protocol). We remark that we wll move freely between protocols n a cryptographc settng wth an adversary A and mechansms nvolvng ratonal adversares playng a game n order to acheve utlty. Ths s due to the fact that a mechansm trvally defnes a protocol and vce versa. We now proceed to defne complete farness and correctness. We present the defntons n a protocol context ; ther translaton to the game-theoretc context s dscussed below. Intutvely, a two-party reconstructon protocol s completely far f whenever one party learns the secret the other party s also guaranteed to learn the secret, except wth neglgble probablty. Lkewse, a reconstructon protocol s correct f the honest party s guaranteed to ether output the correct value (.e., the secret that was shared) or a specal abort symbol. Although t s dffcult to formalze these notons for general secure computaton wthout resortng to a full deal model/real model defnton (snce the output depends on the actual nputs used by the possbly malcous partes), n the case of secret sharng t s much smpler because the output of the protocol s well defned. In partcular, the output can only be the shared secret s or an abort symbol. We assume that any reconstructon protocol s non-trval meanng that f both partes are honest, then they both learn the secret except wth neglgble probablty. We frst ntroduce some notaton. Let real π,a, (share(s)) denote the outcome o of an executon of the reconstructon protocol π, wth the partes P 1 and P 2, an adversary A controllng party P ( {1, 2}), and a share s that was chosen by S and shared as n share; recall that an outcome s smply the concatenaton of the outputs of all partcpatng partes (snce A controls P, we consder only the output of A and the honest party). Next, denote by output X (real π,a, (share(s)) the output of party X (where X may be A or the honest party P ). Recall that the securty parameter s denoted k. Defnton 7 Let share be a share generaton algorthm for a 2-out-of-2 secret sharng scheme, and let π be the reconstructon protocol for the scheme. 1. We say that π s completely far f for every probablstc polynomal-tme adversary A that controls the party P there exsts a neglgble functon µ( ) such that Pr[output A (real π,a, (share(s))) = S] Pr[output P (real π,a, (share(s))) = S] + µ(k). 2. We say that π s correct f for every probablstc polynomal-tme adversary A that controls the party P there exsts a neglgble functon µ( ) such that Pr[output P (real π,a, (share(s))) / {S, }] µ(k). An equvalent formulaton of the above for mechansms s obtaned by requrng that the result of an executon where one party follows the prescrbed strategy and the other may follow any arbtrary alternatve strategy s far (or correct). For example, correctness of a mechansm (Γ, σ) can be formalzed by

9 sayng that for every arbtrary strategy σ followed by party P ( {1, 2}) there exsts a neglgble functon µ such that: Pr[output P (real Γ,P(σ ),P (σ ) (share(s))) {, S}] µ(k). (Observe that correctness s guaranteed only when party P follows the prescrbed strategy σ.) 3.2 U + -Independence vs Farness and U f -Independence vs Correctness We now prove that the exstence of a U + -ndependent reconstructon mechansm mples the exstence of a completely far reconstructon protocol. Intutvely ths holds because f complete farness s not acheved, then there exsts an adversary who can partcpate n the protocol nduced from the mechansm and wth nonneglgble probablty can learn the secret whle the honest party does not. Gven such an adversary, we can set the utlty U + of one of the partes to be hgh enough so that ts expected gan by followng the adversaral strategy s hgh enough. Our proof holds for both smultaneous and non-smultaneous channels. Proposton 8 If there exsts a U + -ndependent far reconstructon mechansm for a 2-out-of-2 secret sharng scheme (as n Defnton 6), then there exsts a completely far reconstructon protocol (as n Defnton 7) for the scheme. Proof: Let (Γ, σ) be a U + -ndependent far reconstructon mechansm and let U be a set of utltes specfyng {U, U, U, U f } for both partes. Denote by π the protocol derved from (Γ, σ) as descrbed above. Assume by contradcton that π s not a completely far reconstructon protocol. Ths mples that there exsts a probablstc polynomal-tme adversary A that controls some party P ( {1, 2}) and a polynomal p( ) such that for nfntely many k s: Pr [output A (real π,a, (share (S))) = S] > Pr [ output P (real π,a, (share (S))) = S ] + 1 p(k) Let σ A be the correspondng behavoral strategy of the adversary A n the game Γ. Note that the outcome of the game when party P plays accordng to σ A, whle the other party plays accordng to the prescrbed strategy σ, s o + wth probablty 1/p(k). We now defne the utlty functon U + for party P by U + p(k) (U +1). We show that for nfntely many k s, P s utlty s greater f t follows σ A than f t follows σ, whch s a contradcton to the assumpton that σ s a (computatonal) Nash equlbrum. Let O denote the set of all possble outcomes, and recall that u (o) s the utlty of P upon outcome o. We have that for nfntely many k s: ( ) u σ A, σ = Pr[o (σ A, σ )] u (o) o O Pr [ o + (σ A, σ ) ] U + 1 p(k) (p(k) (U + 1)) = U + 1.

10 In contrast, u (σ, σ ) = U. Thus, there exsts a non neglgble functon ɛ (even f U s neglgble), such that: u ( σ A, σ ) u (σ, σ ) + ɛ (k) n contradcton to the assumpton that σ s a computatonal Nash equlbrum for Γ. We therefore conclude that the protocol π nduced from (Γ, σ) s completely far, as n Defnton 7. U f -ndependence mples correctness. The followng s proved analogously to Proposton 8: Proposton 9 If a far reconstructon mechansm for a 2-out-of-2 secret sharng scheme s U f -ndependent (as n Defnton 6), then t acheve correctness (as n Defnton 7). 4 Negatve Results 4.1 Impossblty for U + -Independence As we have mentoned, Proposton 8 can be used to prove the mpossblty of obtanng U + -ndependent far reconstructon mechansms n the non-smultaneous channels model. Ths s because any such mechansm can be used to toss a far con, n contradcton to [2]. (Specfcally, secure computaton can be used to generate shares of a random bt, whch are then reconstructed usng the mechansm. By Proposton 8, ths mechansm guarantees complete farness n the presence of malcous behavor and so nether party can bas the outcome.) Such a proof leaves open the possblty of obtanng U + -ndependence n the smultaneous channels model. In ths secton we therefore prove a lower bound on the number of rounds that are needed n any far reconstructon mechansm, even n the smultaneous model. As we wll see, the number of rounds depends on the U + utltes of the partes; U + -ndependence s therefore not achevable. We prove our lower bound by consderng a specfc attack (or, an alternatve strategy) that can be carred out on every mechansm. The attack that we consder s a premature abort. When a party aborts prematurely, t does not broadcast ts message n the round that t quts, whle the other party does. Therefore, ntutvely, t may gan more nformaton about the secret than the other party. The mechansm must therefore guarantee that the amount of nformaton ganed n any sngle round s small enough so that carryng out such an attack s not proftable and wll yeld a lower utlty. We quantfy ths amount of nformaton and defne an abortng threshold for each party as follows: β 1 = U 1 U1 U U and β 2 = U 2 U2 U We now prove that the number of rounds n any far reconstructon mechansm depends on {β 1, β 2 } and so depends on the actual utltes. U + 2 2

11 Theorem 10 Let (Γ, σ) be a far reconstructon mechansm, let R Γ (σ 1,σ 2 ) be a random varable denotng the number of rounds n Γ when both partes play accordng to σ = (σ 1, σ 2 ), and let β mn {β 1, β 2 } be as above. Then: E[R Γ (σ 1,σ 2) ] > 1 8 β Proof Sketch: We start wth some notaton. Denote by a the output of party P 1 when P 2 quts at round before sendng ts message (that s, at round only P 1 broadcast ts message); lkewse b denotes the output of P 2 when P 1 quts at round. Note that when P 1 quts at round (before sendng ts message) and P 2 does not qut n that round, party P 1 receves an addtonal message and therefore may gan addtonal knowledge about the secret. In such a case, P 1 outputs a +1, whle P 2 outputs b. In the followng clam, we bound the amount of addtonal knowledge that a party can gan n such a stuaton: Clam 11 Let U be a set of natural utlty functons for P 1 and P 2 (as n Defnton 4), and let the mechansm (Γ, σ) be a far reconstructon mechansm for U (as n Defnton 5). For every round 0, the followng must hold: Pr [a +1 = s] Pr [b = s] + 2β 1 and Pr [b +1 = s] Pr [a = s] + 2β 2 Proof Sketch: Assume by contradcton that the above does not hold. Wthout loss of generalty, assume that there exsts an such that Pr [a +1 = s] > Pr [b = s] + 2β 1. In the proof, we consder an alternatve strategy σ 1 for P 1 whch s dentcal to the prescrbed strategy σ 1 except that t nstructs the party P 1 to qut before broadcastng the message n round. Assumng that the other party (P 2 ) does broadcast ts share n that round, and that the executon reaches round, we have that P 1 outputs a +1 whle P 2 outputs b. Usng the contradctng assumpton, t follows that: Pr [a +1 = s b s] Pr [a +1 = s] Pr [b = s] > 2β 1. That s, wth probablty at least 2β 1 the outcome s o + 1, and therefore P 1 gans U 1 + whle P 2 gans only U2. Thus, the expected utlty of P 1 s at least 2β 1 U + 1 +(1 2β 1) U 1 = 2β 1 (U + 1 U 1 )+U 1 = 2U 1 2U 1 +U 1 > U 1 where the last equalty s by the assumpton that U s non-neglgbly greater than U and U (note that f U U then P has no reason to play at all). Thus, the strategy σ1 of stoppng n round s a better strategy for P 1, n contradcton to the assumpton that σ = (σ 1, σ 2 ) s a Nash equlbrum. We stress that some mportant detals are omtted from ths proof sketch. For example, t does not take nto account the probablty that round s actually reached n the executon or the possblty of neglgble falure; see the full verson for detals.

12 We use the above clam to prove our lower bound. Now, consder the case that the secret s a unformly dstrbuted k-bt strng. In such a case, the probablty that any party outputs the correct secret before recevng any message s neglgble (.e., Pr[a 0 = s] = Pr[b 0 = s] = µ(k) for some neglgble functon µ). By smple nducton, we have that for every : and so Pr [a = s] 2β + µ(k) and Pr [b = s] 2β + µ(k) 2r(k) =1 Pr [a = s] 2r(k) =1 2β + µ(k) 4β r 2 (k) where r(k) denotes the expected number of rounds;.e., E[R(σ Γ 1,σ 2) ] = r(k). By ] [ ] Markov, Pr [R Γ(σ1,σ2) 2r(k) 1 2 and so Pr R(σ Γ < 2r(k) 1,σ 2) > 1 2. Now, f R(σ Γ < 2r(k) then for some {1,..., 2r(k)} t holds that a 1,σ 2) = s (because at the end, both partes must output s). Thus, We conclude that 2r(k) =1 Pr[a = s] > r(k) 1 2 < Pr [a = s] 4βr 2 (k) =1 mplyng that r(k) > 1. (Note that the theorem bounds r(k) > 1 and not 8β 8 β what we have shown here. Ths s due to addtonal factors that we have omtted from ths sketch; see the full verson for detals.) Usng Theorem 10 we conclude that there do not exst U + -ndependent far reconstructon mechansms wth an expected number of rounds that s polynomal, even n the smultaneous model. In order to see ths, we show that for all fxed polynomals U, U, U and r(k), there exsts a polynomal U + such that r(k) < 1. Specfcally, take U + 8 β 64r 2 (k) (U U because n such a case β = U U U U + and thus r(k) 1 8 β n contradcton. U U 64r 2 (k) (U U ) + U ) + U U =. Ths suffces 1 64r 2 (k) 4.2 Impossblty for U f -Independence (Non-Smultaneous) In Secton 3 we showed that any mechansm that s U f -ndependent acheves correctness. In the smultaneous channels model, U f -ndependence and correctness has been acheved by prevous protocols [5, 9]. However, as we have mentoned, the known protocols for the model wth non-smultaneous channels do not guarantee correctness. In partcular, f U f > U for some party P then the strategy profles σ of [10, 7] are not computatonal Nash equlbrums. In

13 ths secton we prove that ths s nherent to the non-smultaneous model. That s, there does not exst a far reconstructon mechansm that s U f -ndependent n the non-smultaneous model. The Kol-Naor mechansm [10] and correctness. Before proceedng wth our proof, we descrbe the mechansm of Kol and Naor for non-smultaneous channels and show why t does not acheve correctness. Ths example llustrates the problem of achevng U f -ndependence and s thus very nstructve. The Kol- Naor mechansm assumes that the utlty functons U fulfll the assumptons n Defnton 4. Furthermore, the mechansm tself s constructed gven the actual values of the utlty functons (.e., t s utlty dependent). The general dea of ther protocol s that the shares assgned to the party are actually lsts of possble secrets. One party receves a lst of sze l (ths party s called the short party ), and the other party receves a lst of sze l + d (ths party s called the long party ). The short lst s a strct prefx of the other. The lengths l and d are chosen accordng to a geometrc dstrbuton wth parameter β, where β depends on the utlty functons of the partes. The real secret s located at poston l + 1 n the long lst, whle all the other elements n the lsts are fake; the (l + 1)th round s called the defntve round because n ths round the secret s learned. In addton to the lsts descrbed above, the dealer selects an ndependent random permutaton for every round; ths permutaton determnes the order n whch the partes send ther lst elements n the round. The party that sends ts message frst n the defntve round s gven the long lst, and the other party s gven the short lst. In addton, the partes receve the permutatons for the rounds appearng n ther respectve lsts (.e., the short party receves the permutaton only for the frst l rounds). We stress that nether party knows f t the short or long party. In any gven round, we call the party who sends ts element frst the frst party and we call the other the second party. In order to reconstruct the secret, the partes proceed round by round; n the th round each party sends ts th lst element n the order determned by the permutaton. At teraton l + 1 (the defntve teraton ), the long party s the frst to broadcast ts share (that s, t s the frst party ). However, the short party s lst s fnshed and thus t has no element to send. It therefore remans slent n ths round. The frst round n whch only one party sends a lst element s the defntve round, and so the secret sent n ths round s taken to be the real secret. Intutvely, farness s acheved because the owner of the long lst does not know the length of the short lst, and n partcular does not know whch round s the defntve round. It therefore does not know whch of the elements n ts lst s the real secret and so has to send ts share every round. See [10] for detals. As ponted out n [10, Note 6.2], f one of the partes aborts prematurely (.e., remans slent n round for some < l) then the other party wll output an ncorrect value (wth hgh probablty the element s of the th round wll not equal the secret). It s mportant to note that the abortng party knows that s s not the real secret because ts lst s not yet fnshed. Furthermore, t can even have some nfluence over the ncorrect value output by the frst party (ths s because t can choose at whch pont to stop and thus t can choose whch of

14 the values n the prefx of the lst s output by the frst party). The protocol s therefore clearly not correct. We remark that the same problem also exsts for the protocol of [7]. As we have mentoned, [10] assume that ratonal partes wll not behave n ths way because they always prefer to learn the secret than to not learn t (observe that f a party aborts prematurely then t wll not learn the real secret). That s, they assume that U f < U. We show that ths assumpton s essental as long as U f -ndependence s desred. The mpossblty result. Our proof of mpossblty assumes that for all, U + s strctly greater than U by a non-neglgble amount; ths s called strct compettveness; see [10]. We are now ready to formally state the theorem. Theorem 12 There do not exst U f -ndependent far reconstructon mechansms for strctly compettve utlty functons n the non-smultaneous model. By Proposton 9, U f -ndependence mples correctness. We therefore prove that n the non-smultaneous model there does not exst a far reconstructon mechansm that s correct, as defned n Defnton 7. Intuton: We begn by descrbng 2 strateges σ stop 1 and σ stop 2. The strategy σ stop 1 for party P 1 s the strategy that follows the prescrbed σ n all the rounds wth the followng dfference. In every round, P 1 checks what ts output would be f P 2 quts at that round. In the frst round for whch the output s not, the strategy σ stop 1 nstructs P 1 to qut at that round. σ stop 2 s defned analogously. Snce we assume correctness, the probablty that one of the partes wll output a value whch s not s or when the other prematurely aborts s neglgble. Thus, when playng σ stop both of the partes wll output the correct s n the round that they qut. Next, we prove that when both partes follow σ stop, wth hgh probablty one of them learns the secret whle the other does not. We conclude by showng that the prescrbed strategy σ s not a computatonal Nash equlbrum by showng that one of the σ stop strateges has a better expected utlty than σ. That s, we show that ether u 2 (σ 1, σ stop 2 ) > u 2 (σ 1, σ 2 ) + ɛ or u 1 (σ stop 1, σ 2 ) > u 1 (σ 1, σ 2 ) + ɛ, for some non-neglgble functon ɛ. The proof of ths appears n the full verson. 5 Postve Results 5.1 U f -Dependent Reconstructon n the Non- Smultaneous Model In ths secton, we address the basc queston of whether or not t s possble to construct a far and correct reconstructon mechansm usng non-smultaneous channels even f U f U. We answer ths n the postve by constructng a mechansm that works as long as t knows the value of U f for each party P (n the same way that the mechansm knows the values of U +, U, U and U ). The dea behnd the mechansm. We wll consder the two party case only, but the dea works for the multparty case as well. We assume famlarty wth the protocol of Kol and Naor [10]; see the begnnng of Secton 4.2 for a short descrpton of the protocol and why t does not guarantee correctness. Ths wll

15 be used below. Lookng closely at the strategy for breakng correctness n the Kol-Naor mechansm, t arses because the frst party to send ts lst element n an teraton has no way of verfyng f the current round s the defntve round or not. Ths s necessary because f the long party could check f the current round s the defntve one before sendng ts element, t could learn the secret wthout the other party learnng t. Despte ths, our key observaton s that t s not necessary that all of the fake teratons be the same, as n the Kol-Naor mechansm. Rather, we ntroduce addtonal rounds wth the property that the second party n each such round knows that the round s fake whle the frst party does not. Now, f a frst party prematurely aborts on such a round, then t wll gan only U, and not U f (because the second party knows that the frst party has cheated and just aborts outputtng ). By addng enough of these addtonal rounds, we have that the probablty that a party successfully acheves U f s low enough so that a hgher expected utlty s obtaned by playng σ and obtanng U. See the full verson for a detaled descrpton and proof. 5.2 Full Independence for n 3 wth Relaxed Assumptons In ths secton we show that utlty dependence s not always essental. In partcular, we show that for a certan reasonable relaxaton of the utlty functons, t s possble to construct a utlty ndependent far reconstructon mechansm for the case of t-out-of-n secret sharng, where n 3. We do not clam that our assumptons always hold or should be used; rather our am here s to show that utlty ndependence can sometmes be acheved. The standard assumptons [6, 10] typcally used for the utlty functons are that a party always prefers to learn than not. Furthermore, assumng that a party learns, the fewer others that learn the better. We relax these assumptons, and assume that each party prefers to learn the secret alone, but once one of the other partes learns the secret t doesn t matter how many other partes learn t (thus U + denotes the utlty when t alone learns, and U denotes the utlty that t learns along wth any postve number of other partes). In addton to the above, we assume that the utlty functons are polynomal n the securty parameter, and that there s a non neglgble dfference between them. That s, there exsts a polynomal p( ), such that for nfntely many k s t holds that: U U + 1 p(k). (Our mpossblty result for U + -ndependence when n = 2 holds for such utlty functons.) Ths s a natural extenson of the strct dfferences between the utlty functons, as defned n [10], when they are modeled as functons of the securty parameter. (We remark that U + may equal U ; we only need a non-neglgble dfference between U and U.) Note that when the above does not hold, t means that P s utlty when not learnng s essentally the same as when learnng. Thus, P may as well not partcpate at all and ths case s not nterestng. Our protocol assumes smultaneous channels n order to acheve U f -ndependence. As we showed n Theorem 12, t s mpossble to acheve U f ndependence wth non-smultaneous channels. 2 2 A verson of our protocol for the non-smultaneous model can be constructed usng the technques of [10] and our protocol n Secton 5.1. However, note that the protocol

16 The protocol dea. The dea behnd our protocol s to enable one of the partes to learn the secret even when the others do not. Now, once ths party has learned the secret, t s not possble for any other party to obtan U +. Thus, the other partes can ether contnue wth the executon of the protocol and obtan U, or they can qut and obtan only U (whch s strctly less than U by the assumpton that U U + 1 p(k) ). The man queston s how to construct a protocol so that one of the partes can learn the secret, but only after there are t t partes partcpatng n the reconstructon phase, but then enable the resdual t 1 partes to reconstruct the secret wthout the cooperaton of the party who already learned the secret. We acheve ths n the followng way. Let s be the secret to be shared; for smplcty assume that s {0, 1} k (where k s the securty parameter). The dealer chooses a random r R {0, 1} k and generates shares of r and s wth threshold t and shares of r s wth threshold t 1 (overall three sets of shares). The dealer then sends each party ts shares. Before proceedng we note that no set of t 1 partes can reconstruct the secret s, because even though a set of ths sze can learn r s, wthout knowng r ths s of no help. In addton, gnorng ssues of ratonalty and utlty, t s possble for every set of t partes to obtan s by just reconstructng the shares of s, or by reconstructng r and r s (where the latter requres only t 1 to partcpate). We now nformally descrbe our reconstructon protocol. In the frst phase of the protocol t t partes reconstruct r by smply sendng ther shares to all others. In the second phase, the t partes reconstruct s by sendng ther shares one at a tme consecutvely (here t s crucal that a smultaneous channel not be used and so we use the smultaneous channel as a non-smultaneous one, by havng every party wat untl t receves all prevous messages before sendng ts own). Note that at the end of the second phase, the last t t + 1 partes can reconstruct the secret alone, and thus, they may not send ther shares. If any of the partes does not send ther share n the frst phase, or f any of the frst t 1 partes does not send ther share n the second phase, then all partes abort and output. At the end of ths phase, unless all have aborted, there reman t 1 partes who have not learned the secret. These partes contnue to the thrd phase. The crucal observaton s that none of these partes can obtan U + snce there are already t t partes who have learned the secret s. We utlze ths fact to use any one of the known ratonal reconstructon protocols whle settng β = 1 2 (where β s a parameter that usually depends on the utlty values, lke our β n the lower bound); observe that we fx β rrespectve of the actual utlty values. Ths works because at ths pont, once one party has learned the secret, the maxmum possble utlty the partes can obtan s U. In partcular, even f only one party of the remanng t 1 partes learns the secret, ts utlty s stll U because one party already knows the secret. Now, the known ratonal secret sharng protocols wth β = 1 2 all have the property that f the partes follow σ then they wll obtan U (wth probablty 1). However, f they for the non-smultaneous model needs to know the values of U f, U and U, and therefore the result s only U + -ndependent.

17 do not, then wth probablty 1 β they wll obtan U. Thus, the expected utlty by not followng σ s 1 2 U U < U, and so the partes follow σ and all learn the secret. Remark. Our constructon can be extended to deal wth the case that partes do prefer that as few as possble other partes learn, but do not care whether t 2 or t 1 partes learn (.e., t does not make any dfference f all learn, or all but one learn). Ths s a much mlder relaxaton on the utlty functons; see the full verson for detals. References 1. I. Abraham, D. Dolev, R. Gonen and J.Y. Halpern. Dstrbuted Computng Meets Game Theory: Robust Mechansms for Ratonal Secret Sharng and Multparty Computaton. In the 25th PODC, pages 53 62, R. Cleve. Lmts on the Securty of Con Flps when Half the Processors are Faulty. In 18th STOC, pages , Y. Dods and T. Rabn. Cryptography and Game Theory. In Algorthmc Game Theory, Cambrdge Unversty Press, O. Goldrech. Foundatons of Cryptography: Volume 2 Basc Applcatons. Cambrdge Unversty Press, S.D. Gordon and J. Katz. Ratonal Secret Sharng, Revsted. In the 5th Conference on Securty and Cryptography for Networks (SCN), pages , J. Halpern and V. Teague. Ratonal Secret Sharng and Multparty Computaton. In the 36th STOC, pages , G. Fuchsbauer, J. Katz, E. Level and D. Naccache. Effcent Ratonal Secret Sharng n the Standard Communcaton Model. Cryptology eprnt Archve, Report #2008/488, J. Katz. Brdgng Game Theory and Cryptography: Recent Results and Future Drectons. In 5th TCC, Sprnger-Verlag (LNCS 4948), pages , G. Kol and M. Naor. Cryptography and Game Theory: Desgnng Protocols for Exchangng Informaton. In the 5th TCC, Sprnger-Verlag (LNCS 4948), pages , G. Kol and M. Naor. Games for Exchangng Informaton. In the 40th STOC, pages , S. Izmalkov, S. Mcal, and M. Lepnsk. Ratonal Secure Computaton and Ideal Mechansm Desgn. In the 46th FOCS, pages , M. Lepnsk, S. Mcal, C. Pekert, and A. Shelat. Completely Far SFE and Coalton-Safe Cheap Talk. In the 23rd PODC, pages 1 10, M. Lepnsk, S. Mcal, and A. Shelat. Colluson-Free Protocols. In the 37th STOC, pages , A. Lysyanskaya and N. Trandopoulos. Ratonalty and Adversaral Behavor n Multparty Computaton. In CRYPTO 2006, Sprnger-Verlag (LNCS 4117), pages , A. Shamr. How to Share a Secret. In Communcatons of the ACM, 22(11): , S.J. Ong, D. Parkes, A. Rosen and S. Vadhan. Farness wth an Honest Mnorty and a Ratonal Majorty. In the 6th TCC, Sprnger-Verlag (LNCS 5444), pages 36 53, 2009.