Rational Cryptography

When defining security for joint computations by multiple parties, in cryptography we traditionally require that no adversarial parties can disturb the protocol for honest parties, i.e. parties sticking to the prescribed protocol. For example, in a secure computation of a blind auction honest parties are assured to obtain a correct and consistent result while their bids remain secret. This approach separates the participants into being either honest or arbitrarily malicious. In reality, however, we often face situations where each party has some gain from a protocol execution and aims to maximize this gain. In an auction, for example, each bidder wants to pay as less as possible while obtaining the offered good. There are no inherently honest or malicious parties but only win-maximizing rational ones. Rational cryptography focusses on such scenarios.

Concretely, in rational cryptography we formalize concepts like gain and rationality adopting techniques from the field of game theory. Furthermore, we answer questions whether there exist suitable protocols which such rational parties intrinsically follow (the surprising answer is: yes there are!). If you are roughly familiar with game theory, especially think of utility functions to model parties' gains, strategies being arbitrary computer programs, and designing protocols which correspond to (Nash) equilibria even if some parties collaborate. Last but not least, assuming rational parties sometimes allows us to model scenarios which are problematic in traditional cryptography, e.g. two-party coin tossing.

For illustration, let's stick to coin tossing. Imagine a scenario where Alice and Bob each propose a different activity for the evening. They agree to choose via virtually tossing a coin. Alice wins in case of heads and Bob wins otherwise. Their gain depends only on the coin's outcome. In order to increase their gain, they both have a rational incentive to bias the coin towards their respective assigned symbol. Traditional cryptographic protocols for coin tossing typically allow to bias the coin via following attack: One party, for concreteness Alice, first obtains the outcome and then chooses to publish it or terminate the protocol leaving Bob without a result. In our scenario, Alice would only reveal the outcome if it is heads and otherwise terminate. Knowing Alice prefers heads in our rational context, we can design our protocol to punish early-termination and any other malicious behaviour by outputting tails if something alike is detected. As deviating from the protocol now leads to a worse outcome for Alice, she rationally has no incentive to deviate at all.

We currently conduct research on suitable models for the rather young field of rational cryptography. This also includes research on the adaptation of game-theoretic notions to cryptography, which is not always possible in a straight-forward manner. This is, especially, the case since these notions were developed for settings where strategies are often very limited and computational hardness assumptions play no role. Also we are interested in designing efficient protocols in rational contexts for real world applications, like stable matchings.