Results 1  10
of
29
Bridging Game Theory and Cryptography: Recent Results and Future Directions
"... Abstract. Motivated by the desire to develop more realistic models of, and protocols for, interactions between mutually distrusting parties, there has recently been significant interest in combining the approaches and techniques of game theory with those of cryptographic protocol design. Broadly spe ..."
Abstract

Cited by 40 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Motivated by the desire to develop more realistic models of, and protocols for, interactions between mutually distrusting parties, there has recently been significant interest in combining the approaches and techniques of game theory with those of cryptographic protocol design. Broadly speaking, two directions are currently being pursued: Applying cryptography to game theory: Certain gametheoretic equilibria are achievable if a trusted mediator is available. The question here is: to what extent can this mediator be replaced by a distributed cryptographic protocol run by the parties themselves? Applying gametheory to cryptography: Traditional cryptographic models assume some honest parties who faithfully follow the protocol, and some arbitrarily malicious players against whom the honest players must be protected. Gametheoretic models propose instead that all players are simply selfinterested (i.e., rational), and the question then is: how can we model and design meaningful protocols for such a setting? In addition to surveying known results in each of the above areas, I suggest some new definitions along with avenues for future research. 1
Game Theory Meets Network Security and Privacy
"... This survey provides a structured and comprehensive overview of the research contributions that analyze and solve security and privacy problems in computer networks by gametheoretic approaches. A selected set of works are presented to highlight the application of game theory in order to address dif ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
(Show Context)
This survey provides a structured and comprehensive overview of the research contributions that analyze and solve security and privacy problems in computer networks by gametheoretic approaches. A selected set of works are presented to highlight the application of game theory in order to address different forms of security and privacy problems in computer networks and mobile applications. The presented works are classified into six main categories based on their topics: security of the physical and MAC layers, application layer security in mobile networks, intrusion detection systems, anonymity and privacy, economics of network security, and cryptography. In each category, security problems, players, and game models are identified and the main results of selected works, such as equilibrium analysis and security mechanism designs are summarized. In addition, a discussion on advantages, drawbacks, and the future direction of using game theory in this field is provided. In this survey, we aim to provide a better understanding of the different research approaches for applying game theory to network security. This survey can also help researchers from various fields develop gametheoretic solutions to current and emerging security problems in computer networking. Categories and Subject Descriptors: C.2.0 [ComputerCommunication Networks]: General—
Computer science and game theory: A brief survey
 Palgrave Dictionary of Economics
"... ..."
(Show Context)
Utility Dependence in Correct and Fair Rational Secret Sharing
, 2009
"... The problem of carrying out cryptographic computations when the participating parties are rational in a gametheoretic sense has recently gained much attention. One problem that has been studied considerably is that of rational secret sharing. In this setting, the aim is to construct a mechanism (pr ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
The problem of carrying out cryptographic computations when the participating parties are rational in a gametheoretic sense has recently gained much attention. One problem that has been studied considerably is that of rational secret sharing. In this setting, the aim is to construct a mechanism (protocol) so that parties behaving rationally have incentive to cooperate and provide their shares in the reconstruction phase, even if each party prefers to be the only one to learn the secret. Although this question was only recently asked by Halpern and Teague (STOC 2004), a number of works with beautiful ideas have been presented to solve this problem. However, they all have the property that the protocols constructed need to know the actual utility values of the parties (or at least a bound on them). This assumption is very problematic because the utilities of parties are not public knowledge. We ask whether this dependence on the actual utility values is really necessary and prove that in the case of two parties, rational secret sharing cannot be achieved without it. On the positive side, we show that in the multiparty case it is possible to construct a single mechanism that works for all (polynomial) utility functions. Our protocol has
Transmissionline Theory
 30 [7] , Transmissionline Theory
, 1955
"... We describe an algorithm for Byzantine agreement that is scalable in the sense that each processor sends only Õ(√n) bits, where n is the total number of processors. Our algorithm succeeds with high probability against an adaptive adversary, which can take over processors at any time during the proto ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
We describe an algorithm for Byzantine agreement that is scalable in the sense that each processor sends only Õ(√n) bits, where n is the total number of processors. Our algorithm succeeds with high probability against an adaptive adversary, which can take over processors at any time during the protocol, up to the point of taking over arbitrarily close to a 1/3 fraction. We assume synchronous communication but a rushing adversary. Moreover, our algorithm works in the presence of flooding: processors controlled by the adversary can send out any number of messages. We assume the existence of private channels between all pairs of processors but make no other cryptographic assumptions. Finally, our algorithm has latency that is polylogarithmic in n. To the best of our knowledge, ours is the first algorithm to solve Byzantine agreement against an adaptive adversary, while requiring o(n 2) total bits of communication.
Beyond Nash Equilibrium: Solution Concepts for the 21st Century

, 2008
"... Nash equilibrium is the most commonlyused notion of equilibrium in game theory. However, it suffers from numerous problems. Some are well known in the game theory community; for example, the Nash equilibrium of repeated prisoner’s dilemma is neither normatively nor descriptively reasonable. However ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
Nash equilibrium is the most commonlyused notion of equilibrium in game theory. However, it suffers from numerous problems. Some are well known in the game theory community; for example, the Nash equilibrium of repeated prisoner’s dilemma is neither normatively nor descriptively reasonable. However, new problems arise when considering Nash equilibrium from a computer science perspective: for example, Nash equilibrium is not robust (it does not tolerate “faulty” or “unexpected” behavior), it does not deal with coalitions, it does not take computation cost into account, and it does not deal with cases where players are not aware of all aspects of the game. Solution concepts that try to address these shortcomings of Nash equilibrium are discussed.
Breaking the O(n2) bit barrier: scalable byzantine agreement with an adaptive adversary
 In PODC
, 2010
"... We describe an algorithm for Byzantine agreement that is scalable in the sense that each processor sends only Õ( n) bits, where n is the total number of processors. Our algorithm succeeds with high probability against an adaptive adversary, which can take over processors at any time during the pro ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
We describe an algorithm for Byzantine agreement that is scalable in the sense that each processor sends only Õ( n) bits, where n is the total number of processors. Our algorithm succeeds with high probability against an adaptive adversary, which can take over processors at any time during the protocol, up to the point of taking over arbitrarily close to a 1/3 fraction. We assume synchronous communication but a rushing adversary. Moreover, our algorithm works in the presence of flooding: processors controlled by the adversary can send out any number of messages. We assume the existence of private channels between all pairs of processors but make no other cryptographic assumptions. Finally, our algorithm has latency that is polylogarithmic in n. To the best of our knowledge, ours is the first algorithm to solve Byzantine agreement against an adaptive adversary, while requiring o(n2) total bits of communication. This paper should not be considered for the best student paper award.
Game Theory with Costly Computation: Formulation and Application to Protocol Security
"... We develop a general gametheoretic framework for reasoning about strategic agents performing possibly costly computation. In this framework, many traditional gametheoretic results (such as the existence of a Nash equilibrium) no longer hold. Nevertheless, we can use the framework to provide psycho ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
We develop a general gametheoretic framework for reasoning about strategic agents performing possibly costly computation. In this framework, many traditional gametheoretic results (such as the existence of a Nash equilibrium) no longer hold. Nevertheless, we can use the framework to provide psychologically appealing explanations to observed behavior in wellstudied games (such as finitely repeated prisoner’s dilemma and rockpaperscissors). Furthermore, we provide natural conditions on games sufficient to guarantee that equilibria exist. As an application of this framework, we develop a definition of protocol security relying on gametheoretic notions of implementation. We show that a natural special case of this this definition is equivalent to a variant of the traditional cryptographic definition of protocol security; this result shows that, when taking computation into account, the two approaches used for dealing with “deviating” players in two different communities—Nash equilibrium in game theory and zeroknowledge “simulation ” in cryptography—are intimately related.
Rational Protocol Design: Cryptography Against Incentivedriven Adversaries
"... Existing work on “rational cryptographic protocols ” treats each party (or coalition of parties) running the protocol as a selfish agent trying to maximize its utility. In this work we propose a fundamentally different approach that is better suited to modeling a protocol under attack from an extern ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Existing work on “rational cryptographic protocols ” treats each party (or coalition of parties) running the protocol as a selfish agent trying to maximize its utility. In this work we propose a fundamentally different approach that is better suited to modeling a protocol under attack from an external entity. Specifically, we consider a twoparty game between an protocol designer and an external attacker. The goal of the attacker is to break security properties such as correctness or privacy, possibly by corrupting protocol participants; the goal of the protocol designer is to prevent the attacker from succeeding. We lay the theoretical groundwork for a study of cryptographic protocol design in this setting by providing a methodology for defining the problem within the traditional simulation paradigm. Our framework provides ways of reasoning about important cryptographic concepts (e.g., adaptive corruptions or attacks on communication resources) not handled by previous gametheoretic treatments of cryptography. We also prove composition theorems that—for the first time—provide a sound way to design rational protocols assuming “ideal communication resources ” (e.g., broadcast or authenticated channels) and then instantiate these resources using standard cryptographic tools. Finally, we investigate the problem of secure function evaluation in our framework, where the attacker has to pay for each party it corrupts. Our results demonstrate how knowledge of the attacker’s incentives can be used to circumvent known impossibility results in this setting. 1
M.: Regret freedom isn’t free
 In: Proceedings of the 15th International Conference On Principles Of Distributed Systems (to appear). OPODIS’11
, 2011
"... Abstract. Cooperative, peertopeer (P2P) services—distributed systems consisting of participants from multiple administrative domains (MAD)—must deal with the threat of arbitrary (Byzantine) failures while incentivizing the cooperation of potentially selfish (rational) nodes that such services rel ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Cooperative, peertopeer (P2P) services—distributed systems consisting of participants from multiple administrative domains (MAD)—must deal with the threat of arbitrary (Byzantine) failures while incentivizing the cooperation of potentially selfish (rational) nodes that such services rely on to function. This paper investigates how to specify conditions (i.e., a solution concept) for rational cooperation in an environment that also contains Byzantine and obedient peers. We find that regretfree approaches—which, inspired by traditional Byzantine fault tolerance, condition rational cooperation on identifying a strategy that proves a best response regardless of how Byzantine failures occur—are unattainable in many faulttolerant distributed systems. We suggest an alternative regretbraving approach, in which rational nodes aim to best respond to their expectations regarding Byzantine failures: the chosen strategy guarantees no regret only to the extent that such expectations prove correct. While work on regretbraving solution concepts is just beginning, our preliminary results show that these solution concepts are not subject to the fundamental limitations inherent to regret freedom. 1