Rational Exchange
Levente Buttyán and Jean-Pierre Hubaux
Swiss Federal Institute of Technology – Lausanne Laboratory for Computer Communications and Applications
EPFL-IC-LCA, CH-1015 Lausanne, Switzerland
{levente.buttyan, jean-pierre.hubaux}@epfl.ch
The exchange problem
• Alice has itemA and the description of itemB
• she wants access to itemB
• Bob has itemB and the description of itemA
• he wants access to itemA
• if Alice has access to itemB but Bob does not have access to itemA, then Bob has a disadvantage, and vice versa
• a misbehaving party may bring the other (correctly behaving) party into a disadvantageous situation
Instances
• electronic contract signing
(exchange of signatures on the contract text)
• certified electronic mail
(exchange of mail for acknowledgement of receipt)
• purchase of network delivered services
(exchange of electronic payment for services)
Two approaches
Fair exchange protocols
• a correctly behaving party cannot suffer any disadvantages
executing the protocol is safe for both parties
• extensively studied, many proposals in the literature
• all practical protocols use a TTP (on-line or off-line)
Rational exchange protocols
• a misbehaving party cannot gain any advantages
misbehavior is not interesting and should happen only rarely
• only a few proposals:
– Jakobsson’s coin ripping protocol
– Sandholm’s unenforced exchange
– Syverson’s rational exchange protocol
Motivation for rational exchange
• rational exchange protocols seem to provide weaker guarantees than fair exchange protocols
• one expects that they should be less complex than fair exchange protocols (indeed some of them do not need a TTP)
• rational exchange protocols ~ trade-off between complexity and true fairness
interesting solutions to the exchange problem in certain applications, such as
– micropayment schemes
(using fair exchange for every micropayment would be an overkill)
– peer-to-peer systems and ad hoc networks
(there may not be any TTP)
An example: a rational payment protocol
brief informal analysis
• no fairness, but …
• none of the parties gain any financial advantages by cheating
• needs a TTP (the bank), but …
• the bank is needed anyway to maintain the accounts
• it performs the same operations as in any check based payment system
• needs no communication between the user and the bank
U → V : m1 = U, V, tid, val, h(rnd), SigU(U, V, tid, val, h(rnd))
V → U : m2 = srv
U → V : m3 = rnd
if V received m1 and m3:
V → B : m4 = m1, rnd, SigV(m1, rnd)
B : charges U with val, credits V with val
if V received only m1:
V → B : m4’ = m1, SigV(m1)
B : charges U with val
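The bank's side of the message flow above, as an added example that is not part of the original slides. Assumptions: HMAC under keys shared with the bank stands in for SigU and SigV, SHA-256 stands in for h, the bank rejects a repeated tid, and all keys, names and values are constructed.

```python
import hashlib, hmac

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sig(key: bytes, *fields: bytes) -> bytes:
    # Stand-in for SigU / SigV (assumption): HMAC under a key shared with the bank.
    # Fields are length-prefixed so their boundaries cannot be shifted.
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def make_m1(key_u, u, v, tid, val, rnd):
    body = (u, v, tid, str(val).encode(), h(rnd))
    return body + (sig(key_u, *body),)

class Bank:
    def __init__(self, keys, balances):
        self.keys, self.balances = keys, balances
        self.settled = set()  # (U, tid) pairs already processed (assumed replay guard)
    def settle(self, m1, sig_v, rnd=None):
        """Handle m4 (rnd present) or m4' (rnd is None) submitted by V."""
        u, v, tid, val, h_rnd, sig_u = m1
        if not hmac.compare_digest(sig_u, sig(self.keys[u], *m1[:5])):
            return "reject: bad SigU"
        signed = m1 if rnd is None else m1 + (rnd,)
        if not hmac.compare_digest(sig_v, sig(self.keys[v], *signed)):
            return "reject: bad SigV"
        if rnd is not None and not hmac.compare_digest(h(rnd), h_rnd):
            return "reject: rnd does not match h(rnd)"
        if (u, tid) in self.settled:
            return "reject: tid already settled"
        self.settled.add((u, tid))
        self.balances[u] -= int(val)        # U is charged in both cases
        if rnd is None:
            return "m4': U charged"
        self.balances[v] += int(val)        # only m4 credits V
        return "m4: U charged, V credited"

def demo():
    ku, kv = b"constructed-key-U", b"constructed-key-V"
    bank = Bank({b"U": ku, b"V": kv}, {b"U": 10, b"V": 0})
    a = make_m1(ku, b"U", b"V", b"tid-1", 3, b"constructed-rnd-1")
    b = make_m1(ku, b"U", b"V", b"tid-2", 3, b"constructed-rnd-2")
    return [
        bank.settle(a, sig(kv, *a, b"constructed-rnd-1"), b"constructed-rnd-1"),  # m1 and m3
        bank.settle(b, sig(kv, *b)),                                              # only m1
        bank.settle(a, sig(kv, *a, b"constructed-rnd-1"), b"constructed-rnd-1"),  # replay
        bank.settle(b, sig(kv, *b, b"guess"), b"guess"),                          # wrong rnd
    ], bank.balances
```

V is credited only when it can open the commitment h(rnd) that U signed in m1, which is why withholding m3 costs V the payment but saves U nothing.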
Possible application scenarios
[Figure: scenario 1 and scenario 2, showing the messages m1, m2, m3 and m4 / m4’ (body of m1, signature of m1, m1 & m3), with the labels "decrease counter", "increase counter" and "base station"]
Outline
• motivation
• a brief introduction to game theory
• modeling exchange protocols as games
• formal definitions of rational exchange and fair exchange
• the relationship between rational exchange and fair exchange
• conclusion
• future work
Games
• game tree
– vertices: possible histories (action sequences)
– edges: available actions after a given history
• games of imperfect information: information sets
– set of indistinguishable action sequences for a given player
• preference relations
– defined on terminal action sequences
– often represented by payoffs
[Figure: example game tree in which A moves first (L or R) and then B moves (L or R); payoffs at the leaves: (1, 1), (5, 0), (0, 5), (3, 3)]
Strategy (of a player A)
• a function that assigns an action to every consistent action sequence (history) after which A has to move
• it assigns the same action to all action sequences that belong to the same information set of A
[Figure: game tree with levels A, B, A and actions L and R]
Nash equilibrium
• let o(sA, sB ) denote the outcome (terminal action sequence) when A plays strategy sA and B plays strategy sB
• (sA*, sB*) is a Nash equilibrium iff
$o(s_A, s_B^*) \preceq_A o(s_A^*, s_B^*)$ for all $s_A$, and
$o(s_A^*, s_B) \preceq_B o(s_A^*, s_B^*)$ for all $s_B$
• in other words: sA* is the best response to sB*, and vice versa
A is not motivated to deviate from sA*, given that B does not deviate from sB*, and vice versa
Restricted game
• obtained from a game by restricting some of the players to follow fixed strategies
[Figure: a game tree with players A, B and C, and the restricted game obtained from it]
Synchronous system model
assumption: the network is reliable
(every submitted message is delivered within a constant time interval)
the parties interact in synchronous rounds; in each round:
1. each party sends messages based on her current state
2. each party receives the messages that were sent to her in the current round, and performs a state transition
• local state of a protocol party:
– activity flag (true iff the party has not quit the protocol)
– local event history (send and receive events)
– current round number
• local state of the network:
– network buffer
(set of messages submitted in the current round)
Synchronous protocol games
• players : protocol parties (Alice, Bob, ...) + network
• information sets: q and q’ belong to the same information set of Alice (Bob, ...) iff
– it is Alice’s (Bob’s, ...) turn to move after both q and q’, and
– the local state of Alice (Bob, ...) is the same after q and q’
• the parties can send only messages that are compatible with the protocol (~ have
[Figure: game tree of the 1st round, with levels A, B, A and net]
actions for A (B, ...)
- idle
- quit
- {send(M) : M is a subset of those msgs that A is able to send in her current local state}
action for the network
- deliver
Payoffs
• (subjective) utility of items:
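– $u_A^+$, $u_A^-$, $u_B^+$, $u_B^-$
– determining precise values is not important
– we assume only: $0 < u_A^- < u_A^+$ and $0 < u_B^- < u_B^+$
• payoff for player $i$: $y_i(q) = y_i^+(q) - y_i^-(q)$
– $y_i^+(q)$: gain
– $y_i^-(q)$: loss
$$y_i^+(q) = \begin{cases} u_i^+ & \text{if } i \text{ gains access to } \mathit{item}_j \text{ in } q \\ 0 & \text{otherwise} \end{cases}$$
$$y_i^-(q) = \begin{cases} u_i^- & \text{if } i \text{ loses control over } \mathit{item}_i \text{ in } q \\ 0 & \text{otherwise} \end{cases}$$
• note: the payoff can take only 4 possible values:
$u_i^+ > u_i^+ - u_i^- > 0 > -u_i^-$
[Figure: Alice and Bob with itemA and itemB, labelled with the utilities uA+, uA-, uB+, uB-]
Definition of rationality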
rationality ~ Nash equilibrium
• rationality: a misbehaving party cannot gain any advantages
• Nash equilibrium: a deviating party cannot gain a higher payoff (given that the other parties do not deviate)
a formal definition of rationality
• protocol: = { A, B, TTP }
• protocol game: G
• each program i is represented by a strategy si* in G
• we consider the restricted protocol game GsTTP*
(i.e., we assume that the TTP behaves correctly)
• the protocol is rational iff
– (sA*, sB*) is a Nash equilibrium in GsTTP*
– both A and B prefer the outcome of (sA*, sB*) to any other Nash equilibrium in GsTTP*
Further properties
fairness
• for every strategy sA of A:
yA (q ) > 0 implies yB (q ) > 0, where q = o (sA , sB*), and
• a similar condition for every strategy sB of B
effectiveness
• yA (q ) > 0 and yB (q ) > 0, where q = o (sA*, sB*)
termination
• for every strategy sA of A:
there exists a finite prefix q’ of q such that B (q’ ) = false, where q = o (sA , sB*), and
• a similar condition for every strategy sB of B
gain closed property
• for every terminal action sequence q :
yA+(q ) > 0 implies yB -(q ) > 0, and
yB +(q ) > 0 implies yA-(q ) > 0
safe back out property ...
Fairness implies rationality (but not vice versa)
proposition
if the protocol satisfies the effectiveness, gain closed, and safe back out properties, then fairness implies rationality
sketch of the proof
• (sA*, sB*) is a Nash equilibrium
– assume it is not
– yA(q’ ) > yA(q *), where q * = o (sA*, sB*) and q’ = o (sA’, sB*)
– effectiveness, gain closed property: yA (q *) = uA+ - uA-
– yA+(q’ ) = uA+ and yA-(q’ ) = 0
– fairness: yA+(q’ ) = uA+ implies yB +(q’ ) = uB+
– gain closed property: yB +(q’ ) = uB+ > 0 implies yA-(q’ ) > 0
sketch of the proof (cont’d)
• both A and B prefer the outcome of (sA*, sB*) to any other Nash equilibrium (sA’, sB’ )
– assume the contrary
– yA(q’ ) > yA(q *), where q’ = o (sA’, sB’ )
– yA+(q’ ) = uA+ and yA-(q’ ) = 0
– gain closed property: yA+(q’ ) = uA+ > 0 implies yB -(q’ ) > 0
– gain closed property: yA-(q’ ) = 0 implies yB +(q’ ) = 0
– yB (q’ ) = yB +(q’ ) – yB -(q’ ) < 0
– safe back out property: B can always achieve a non-negative payoff by quitting at the beginning of the protocol
– sB’ is not the best response to sA’
– (sA’, sB’ ) cannot be a Nash equilibrium
Conclusion
• a formal model for exchange protocols based on game theory
• a formal definition of rational exchange (~ Nash equilibrium)
• formal definitions of various other properties (including fairness)
• a proof that fairness implies rationality (but not vice versa)
• proving rationality of two protocols
– example rational payment protocol
– Syverson’s rational exchange protocol
rational exchange can be viewed as a trade-off between complexity and true fairness
it may provide interesting solutions to the exchange problem in certain applications
Future work: Asynchronous rational exchange?
example payment protocol revisited
• assume the network is unreliable (may delay or lose messages)
– the network may delay the delivery of m3 = rnd to V
– V times out and sends m4’ to B
– V provided the service, but doesn’t get paid: payoff is negative
– V would have been better off if it had quit the protocol at the beginning
effectiveness and rationality are lost
• if the network doesn’t lose messages and the players don’t use timers
– effectiveness can be retained
• if U and V follow the correct strategies and wait long enough for messages, then they will eventually get what they want
– but rationality is still lost
• U knows that V will wait for m3 forever (no timeout)
• the best strategy of U is to quit after receiving the service and to never send m3
(i.e., misbehaving)
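The Nash equilibrium test from the definition of rationality, applied to the payment protocol with and without V's fallback to m4’, as an added example that is not from the original slides. It uses a simplified normal-form model constructed here rather than the extensive-form protocol game: three strategies per player, the same constructed utility values for U and V, and strategy names that are assumptions.

```python
from itertools import product

U_PLUS, U_MINUS = 5, 3   # constructed utilities, 0 < u- < u+, same for U and V
U_STRATS = ("honest", "withhold_m3", "quit")       # U's strategies (assumed names)
V_STRATS = ("honest", "claim_unserved", "quit")    # V's strategies (assumed names)
STAR = ("honest", "honest")                        # the correct profile (sU*, sV*)

def outcome(s_u, s_v, v_falls_back):
    """Payoffs (y_U, y_V). v_falls_back: honest V sends m4' when m3 is missing."""
    if "quit" in (s_u, s_v):
        return (0, 0)                        # no exchange is started
    served = s_v == "honest"                 # V sends m2 = srv
    has_rnd = served and s_u == "honest"     # U sends m3 = rnd after m2
    # U is charged when m4 or m4' reaches the bank
    charged = has_rnd or s_v == "claim_unserved" or v_falls_back
    y_u = (U_PLUS if served else 0) - (U_MINUS if charged else 0)
    y_v = (U_PLUS if has_rnd else 0) - (U_MINUS if served else 0)
    return (y_u, y_v)

def nash_equilibria(v_falls_back):
    """Profiles from which no single player gains by deviating."""
    found = []
    for s_u, s_v in product(U_STRATS, V_STRATS):
        y_u, y_v = outcome(s_u, s_v, v_falls_back)
        u_ok = all(outcome(d, s_v, v_falls_back)[0] <= y_u for d in U_STRATS)
        v_ok = all(outcome(s_u, d, v_falls_back)[1] <= y_v for d in V_STRATS)
        if u_ok and v_ok:
            found.append((s_u, s_v))
    return found

def is_rational(v_falls_back):
    """STAR is an equilibrium and both players prefer it to every other one."""
    eq = nash_equilibria(v_falls_back)
    if STAR not in eq:
        return False
    best = outcome(*STAR, v_falls_back)
    others = [outcome(*e, v_falls_back) for e in eq if e != STAR]
    return all(best[0] > y[0] and best[1] > y[1] for y in others)
```

With the fallback (the synchronous case) the correct profile is an equilibrium that both players prefer to the others; without it (V waits for m3 forever) withholding m3 raises U's payoff from u+ - u- to u+, so the correct profile is no longer an equilibrium.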