Rational Protocol Design: Cryptographic Security Against Incentive-driven Attacks

Juan Garay


Existing work on "rational cryptographic protocols" treats each party (or coalition of parties) as a selfish agent who tries to maximize its own utility. In this work we propose a fundamentally different approach better suited to modeling a protocol under attack from an external entity. Specifically, we model this situation as a two-party game between a protocol designer and a (rational) attacker. The goal of the attacker is to break certain security properties such as correctness or confidentiality, depending on its utility function, possibly by corrupting (the machines of) protocol participants; the goal of the protocol designer is to prevent the attacker from succeeding.

We lay the theoretical groundwork for a study of cryptographic protocol design in this setting by providing a methodology for defining the problem within the traditional real/ideal paradigm. Our framework provides ways of reasoning about important cryptographic concepts, such as adaptive corruptions or attacks on communication resources, something not available in previous game-theoretic treatments of cryptography. We also prove composition theorems that---for the first time---provide a sound way for designing rational protocols assuming "ideal communication" (e.g., broadcast, authenticated channels) and then instantiate these using standard cryptographic tools.

Finally, we investigate the problem of secure function evaluation (SFE) in our framework, where the attacker wants to violate correctness or confidentiality and has to pay for each party it corrupts. Our results demonstrate how knowledge of the attacker's incentives can be used to circumvent known impossibility results for SFE in the presence of arbitrarily malicious attackers.

This is joint work with J. Katz (U. Maryland), U. Maurer (ETH), B. Tackmann (ETH) and V. Zikas (UCLA).

Time and Place

Tuesday, January 28, 4:15pm
Gates 463A