Results 1-10 of 49
MDPOP: Faithful distributed implementation of efficient social choice problems
 In AAMAS'06: Autonomous Agents and Multiagent Systems, 2006
Cited by 48 (17 self)
In the efficient social choice problem, the goal is to assign values, subject to side constraints, to a set of variables to maximize the total utility across a population of agents, where each agent has private information about its utility function. In this paper we model the social choice problem as a distributed constraint optimization problem (DCOP), in which each agent can communicate with other agents that share an interest in one or more variables. Whereas existing DCOP algorithms can be easily manipulated by an agent, either by misreporting private information or deviating from the algorithm, we introduce MDPOP, the first DCOP algorithm that provides a faithful distributed implementation for efficient social choice. This provides a concrete example of how the methods of mechanism design can be unified with those of distributed optimization. Faithfulness ensures that no agent can benefit by unilaterally deviating from any aspect of the protocol, neither information-revelation, computation, nor communication, and whatever the private information of other agents. We allow for payments by agents to a central bank, which is the only central authority that we require. To achieve faithfulness, we carefully integrate the Vickrey-Clarke-Groves (VCG) mechanism with the DPOP algorithm, such that each agent is only asked to perform computation, report
Bridging Game Theory and Cryptography: Recent Results and Future Directions
Cited by 40 (3 self)
Abstract. Motivated by the desire to develop more realistic models of, and protocols for, interactions between mutually distrusting parties, there has recently been significant interest in combining the approaches and techniques of game theory with those of cryptographic protocol design. Broadly speaking, two directions are currently being pursued: Applying cryptography to game theory: Certain game-theoretic equilibria are achievable if a trusted mediator is available. The question here is: to what extent can this mediator be replaced by a distributed cryptographic protocol run by the parties themselves? Applying game theory to cryptography: Traditional cryptographic models assume some honest parties who faithfully follow the protocol, and some arbitrarily malicious players against whom the honest players must be protected. Game-theoretic models propose instead that all players are simply self-interested (i.e., rational), and the question then is: how can we model and design meaningful protocols for such a setting? In addition to surveying known results in each of the above areas, I suggest some new definitions along with avenues for future research.
Cryptography and game theory: Designing protocols for exchanging information
 In Theory of Cryptography Conference, 2008
Cited by 40 (1 self)
The goal of this paper is finding fair protocols for the secret sharing and secure multiparty computation (SMPC) problems, when players are assumed to be rational. It was observed by Halpern and Teague (STOC 2004) that protocols with bounded number of iterations are susceptible to backward induction and cannot be considered rational. Previously suggested cryptographic solutions all share the property of having an essential exponential upper bound on their running time, and hence they are also susceptible to backward induction. Although it seems that this bound is an inherent property of every cryptography based solution, we show that this is not the case. We suggest coalition-resilient secret sharing and SMPC protocols with the property that after any sequence of iterations it is still a computational best response to follow them. Therefore, the protocols can be run any number of iterations, and are immune to backward induction. The mean of communication assumed is a broadcast channel, and we consider both the simultaneous and non-simultaneous cases.
Lower bounds on implementing robust and resilient mediators
 2007
Cited by 28 (7 self)
We consider games that have (k, t)-robust equilibria when played with a mediator, where an equilibrium is (k, t)-robust if it tolerates deviations by coalitions of size up to k and deviations by up to t players with unknown utilities. We prove lower bounds that match upper bounds on the ability to implement such mediators using cheap talk (that is, just allowing communication among the players). The bounds depend on (a) the relationship between k, t and n, the total number of players in the system; (b) whether players know the exact utilities of other players; (c) whether there are broadcast channels or just point-to-point channels; (d) whether cryptography is available; and (e) whether the game has a (k + t)-punishment strategy; that is, a strategy that, if used by all but at most k + t players, guarantees that every player gets a worse outcome than they do with the equilibrium strategy.
Efficient rational secret sharing in standard communication networks
 In TCC, 2010
Cited by 25 (2 self)
We propose a new methodology for rational secret sharing leading to various instantiations (in both the two-party and multiparty settings) that are simple and efficient in terms of computation, share size, and round complexity. Our protocols do not require physical assumptions or simultaneous channels, and can even be run over asynchronous, point-to-point networks. We also propose new equilibrium notions (namely, computational versions of strict Nash equilibrium and stability with respect to trembles) and prove that our protocols satisfy them. These notions guarantee, roughly speaking, that at each point in the protocol there is a unique legal message a party can send. This, in turn, ensures that protocol messages cannot be used as subliminal channels, something achieved in prior work only by making strong assumptions on the communication network.
Fairness with an honest minority and a rational majority
 Cryptology ePrint Archive, Report 2008/097, 2008
Cited by 21 (3 self)
Abstract. We provide a simple protocol for secret reconstruction in any threshold secret sharing scheme, and prove that it is fair when executed with many rational parties together with a small minority of honest parties. That is, all parties will learn the secret with high probability when the honest parties follow the protocol and the rational parties act in their own self-interest (as captured by a set-Nash analogue of trembling hand perfect equilibrium). The protocol only requires a standard (synchronous) broadcast channel, tolerates both early stopping and incorrectly computed messages, and only requires 2 rounds of communication. Previous protocols for this problem in the cryptographic or economic models have either required an honest majority, used strong communication channels that enable simultaneous exchange of information, or settled for approximate notions of security/equilibria. They all also required a non-constant number of rounds of communication.
An Optimally Fair Coin Toss
Cited by 15 (0 self)
We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC ’86] showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1/r). However, the best previously known protocol only guarantees O(1/√r) bias, and the question of whether Cleve’s bound is tight has remained open for more than twenty years. In this paper we establish the optimal tradeoff between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions, we show that Cleve’s lower bound is tight: we construct an r-round protocol with bias O(1/r).
Cryptography and Game Theory
Cited by 14 (0 self)
The Cryptographic and Game Theory worlds seem to have an intersection in that they both deal with an interaction between mutually distrustful parties which has some end result. In the cryptographic setting the multiparty interaction takes the shape of a set of parties communicating for the purpose of evaluating a function on their inputs, where each party receives at the end some output of the computation. In the game theoretic setting parties interact in a game which guarantees some payoff for the participants according to their joint actions of all the parties, while the parties wish to maximize their own payoff. In the past few years the relationship between these two areas has been investigated with the hope of having cross fertilization and synergy. In this chapter we describe the two areas, the similarities and differences, and some of the new results stemming from their interaction. The first and second section will describe the cryptographic and the game theory settings (respectively). In the third section we contrast the two
Beyond Nash Equilibrium: Solution Concepts for the 21st Century

 2008
Cited by 12 (0 self)
Nash equilibrium is the most commonly-used notion of equilibrium in game theory. However, it suffers from numerous problems. Some are well known in the game theory community; for example, the Nash equilibrium of repeated prisoner’s dilemma is neither normatively nor descriptively reasonable. However, new problems arise when considering Nash equilibrium from a computer science perspective: for example, Nash equilibrium is not robust (it does not tolerate “faulty” or “unexpected” behavior), it does not deal with coalitions, it does not take computation cost into account, and it does not deal with cases where players are not aware of all aspects of the game. Solution concepts that try to address these shortcomings of Nash equilibrium are discussed.
Fair Computation with Rational Players
 In http://eprint.iacr.org/2011/396.pdf
Cited by 9 (3 self)
We consider the problem of fair two-party computation, where fairness (informally) means that both parties should learn the correct output. A seminal result of Cleve (STOC 1986) shows that fairness is, in general, impossible to achieve for malicious parties. Here, we treat the parties as rational and seek to understand what can be done. Asharov et al. (Eurocrypt 2011) recently considered this problem and showed impossibility of rational fair computation for a particular function and a particular set of utilities. We observe, however, that in their setting the parties have no incentive to compute the function even in an ideal world where fairness is guaranteed. Revisiting the problem, we show that rational fair computation is possible (for arbitrary functions and utilities) as long as the parties have a strict incentive to compute the function in the ideal world. This gives a new example where game theory can be used to circumvent impossibility results in cryptography.