Distributed Computing Meets Game Theory: Robust Mechanisms for Rational Secret Sharing and Multiparty Computation

Ittai Abraham *, Hebrew University, ittaia@cs.huji.ac.il
Danny Dolev, Hebrew University, dolev@cs.huji.ac.il
Rica Gonen, Bell Labs, Lucent Technologies, gonen@lucent.com
Joe Halpern §, Cornell University, halpern@cs.cornell.edu

ABSTRACT

We study k-resilient Nash equilibria, joint strategies where no member of a coalition C of size up to k can do better, even if the whole coalition defects. We show that such k-resilient Nash equilibria exist for secret sharing and multiparty computation, provided that players prefer to get the information than not to get it. Our results hold even if there are only 2 players, so we can do multiparty computation with only two rational agents. We extend our results so that they hold even in the presence of up to t players with “unexpected” utilities. Finally, we show that our techniques can be used to simulate games with mediators by games without mediators.

Categories and Subject Descriptors: F.0 [Theory of Computation]: General.
General Terms: Economics, Security, Theory.
Keywords: Distributed Computing, Game Theory, Secret Sharing, Secure Multiparty Computation.

* Part of the work was done while the author visited Microsoft Research Silicon Valley.
Part of the work was done while the author visited Cornell University. The work was funded in part by ISF, NSF, CCR, and AFOSR. Supported in part by the IDA.
§ Supported in part by NSF under grants CCR-0208535, ITR-0325453, and IIS-0534064, by ONR under grant N00014-01-10-511, by the DoD Multidisciplinary University Research Initiative (MURI) program administered by the ONR under grants N00014-01-1-0795 and N00014-04-1-0725, and by AFOSR under grant FA9550-05-1-0055.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
PODC’06, July 22-26, 2006, Denver, Colorado, USA.
Copyright 2006 ACM 1-59593-384-0/06/0007 ...$5.00.

1. INTRODUCTION

Traditionally, work on secret sharing and multiparty computation in the cryptography community, just like work in distributed computation, has divided the agents into “good guys” and “bad guys”. The good guys follow the protocol; the bad guys do everything in their power to make sure it does not work. Then results are proved showing that if no more than a certain fraction of the agents are “bad”, the protocol will succeed.

Halpern and Teague [10] studied secret sharing under the assumption that agents were rational: they would only do what was in their self-interest. For three or more players, under the assumption that a player prefers to get the secret over not getting it, they give a randomized protocol with constant expected running time in which all players learn the secret. They prove their protocol is a Nash equilibrium that survives iterated deletion of weakly dominated strategies.

Indeed, traditional results in game theory mostly consider equilibrium notions (like Nash equilibrium) that tolerate the deviation of only one agent. That is, a joint strategy (σ_1, ..., σ_n) is a Nash equilibrium if no agent can do better by unilaterally deviating (while all the other agents continue to play their part of the joint strategy). However, in practice, agents can form coalitions. It could well be that if three agents form a coalition and they all deviate from the protocol, then they could all do better.
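The gap between a Nash equilibrium and a joint strategy that also withstands coalitions can be checked by brute force on a small game. The following Python is an added example, not code from the paper: it tests pure-strategy profiles only, takes "no member of a coalition of size up to k can do better" from the abstract as the test, and both three-player payoff tables are constructed for illustration.

```python
from itertools import combinations, product

def find_violation(payoff, actions, profile, k):
    """Return (coalition, joint_deviation, member) for the first coalition of
    size <= k in which some member strictly gains, or None if there is none."""
    base = payoff(tuple(profile))
    for size in range(1, k + 1):
        for coalition in combinations(range(len(profile)), size):
            for deviation in product(actions, repeat=size):
                trial = list(profile)
                for player, action in zip(coalition, deviation):
                    trial[player] = action
                outcome = payoff(tuple(trial))
                # One member doing better is enough to break resilience,
                # even if other members of the coalition end up worse off.
                for member in coalition:
                    if outcome[member] > base[member]:
                        return coalition, deviation, member
    return None

def is_k_resilient(payoff, actions, profile, k):
    return find_violation(payoff, actions, profile, k) is None

ACTIONS = (0, 1)  # constructed: 0 = follow the protocol, 1 = deviate

def collusion_game(profile):
    """Constructed payoffs: a lone deviator loses, two colluders both gain."""
    # number of deviators -> (payoff of a follower, payoff of a deviator)
    table = {0: (2, 2), 1: (2, 1), 2: (0, 3), 3: (1, 1)}
    follower, deviator = table[sum(profile)]
    return tuple(deviator if a else follower for a in profile)

def one_sided_game(profile):
    """Constructed payoffs: when players 0 and 1 collude only player 0 gains."""
    if profile[0] == 1 and profile[1] == 1:
        return (3, 1, 0)
    return tuple(1 if a else 2 for a in profile)

if __name__ == "__main__":
    honest = (0, 0, 0)
    for game in (collusion_game, one_sided_game):
        for k in (1, 2):
            print(game.__name__, "k =", k,
                  "resilient:", is_k_resilient(game, ACTIONS, honest, k),
                  "violation:", find_violation(game, ACTIONS, honest, k))
```

In both games the all-follow profile is a Nash equilibrium (k = 1) but not 2-resilient; in the second game player 1 is worse off after colluding, yet the profile still fails because player 0 does better.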
We define an equilibrium to be k-resilient if it tolerates deviations by coalitions of size up to k. Roughly speaking, a joint strategy (σ_1, ..., σ_n) is k-resilient if, for any coalition C with |C| ≤ k that deviates from the equilibrium, none of the agents in C do better than they do with (σ_1, ..., σ_n). This is a very strong notion of resilience (much stronger than other notions in the literature). We will be interested in k-resilient practical mechanisms which, roughly speaking, are protocols that define a k-resilient Nash equilibrium that survives iterated deletion of weakly dominated strategies.

1.1 Our contributions

In this paper we significantly extend and improve the results of Halpern and Teague in several important ways. While continuing to use rationality so as to move away from the traditional “good guys”–“bad guys” adversary model that is standard in the distributed computing community,