Rational Exchange

Rational Exchange

Levente Buttyán and Jean-Pierre Hubaux

Swiss Federal Institute of Technology – Lausanne Laboratory for Computer Communications and Applications

EPFL-IC-LCA, CH-1015 Lausanne, Switzerland

{levente.buttyan, jean-pierre.hubaux}@epfl.ch

The exchange problem

• if Alice has access to itemB but Bob does not have access to itemA, then Bob has a disadvantage, and vice versa

• a misbehaving party may bring the other (correctly behaving) party in a disadvantageous situation

Instances

• electronic contract signing

(exchange of signatures on the contract text)

• certified electronic mail

(exchange of mail for acknowledgement of receipt)

• purchase of network delivered services

(exchange of electronic payment for services)

• Alice has item_A and the description of item_B

• she wants access to item_B

• Bob has item_B and the description of item_A

• he wants access to item_A

Two approaches

Fair exchange protocols

• a correctly behaving party cannot suffer any disadvantages

 executing the protocol is safe for both parties

• extensively studied, many proposals in the literature

• all practical protocols use a TTP (on-line or off-line)

Rational exchange protocols

• a misbehaving party cannot gain any advantages

 misbehavior is not interesting and should happen only rarely

• only a few proposals:

– Jakobsson’s coin ripping protocol – Sandholm’s unenforced exchange

– Syverson’s rational exchange protocol

Motivation for rational exchange

• rational exchange protocols seem to provide weaker guarantees than fair exchange protocols

• one expects that they should be less complex than fair exchange protocols (indeed some of them do not need a TTP)

• rational exchange protocols ~ trade off between complexity and true fairness

 interesting solutions to the exchange problem in certain applications, such as

– micropayment schemes

(using fair exchange for every micropayment would be an overkill) – peer-to-peer systems and ad hoc networks

(there may not be any TTP)

An example: a rational payment protocol

brief informal analysis

• no fairness, but …

• none of the parties gain any financial advantages by cheating

• needs a TTP (the bank), but …

• the bank is needed anyway to maintain the accounts

• it performs the same operations as in any check based payment system

• needs no communication between the user and the bank

U  V : m₁ = U, V, tid, val, h(rnd), Sig_U(U, V, tid, val, h(rnd)) V  U : m₂ = srv

U  V : m₃ = rnd

V  B : m₄ = m₁, rnd, Sig_V(m₁, rnd)

V  B : m’₄ = m₁, Sig_V(m₁) if V received m₁ and m₃:

if V received only m₁ :

B : charges U with val credits V with val B : charges U with val

Possible application scenarios

m₁, m₂,m₃

m₄ / m₄’

body of m₁

signature m₁

m₂ m₃

m₁ & m₃

scenario 1

scenario 2

decrease counter

increase counter base station

Outline

 motivation

• a brief introduction to game theory

• modeling exchange protocols as games

• formal definitions of rational exchange and fair exchange

• the relationship between rational exchange and fair exchange

• conclusion

• future work

Games

• game tree

– vertices: possible histories (action sequences) – edges: available actions after a given history

• games of imperfect information  information sets

– set of indistinguishable action sequences for a given player

• preference relations

– defined on terminal action sequences – often represented by payoffs

A

B B

L

L L

R

R R

(1, 1) (5, 0) (0, 5) (3, 3)

Strategy (of a player A)

• a function that assigns an action to every consistent action sequence (history) after which A has to move

• it assigns the same action to each action sequence that belong to the same information set of A

A

B B

A A A

L R L R

Nash equilibrium

• let o(sA, sB ) denote the outcome (terminal action sequence) when A plays strategy sA and B plays strategy sB

• (sA*, sB*) is a Nash equilibrium iff

o (sA , sB*) _Ao (sA*, sB*) for all sA, and o (sA*, sB) _Bo (sA*, sB*) for all sB

• in other words: sA* is the best response to sB*, and vice versa

 A is not motivated to deviate from s_A*, given that B does not deviate from s_B*, and vice versa

Restricted game

• obtained from a game by restricting some of the players to follow fixed strategies

A

B B

C C C

A

B B

C C

Synchronous system model

assumption: the network is reliable

(every submitted message is delivered within a constant time interval)

 the parties interact in synchronous rounds in each round:

1. each party sends messages based on her current state

2. each party receives the messages that were sent to her in the current round, and performs a state transition

• local state of a protocol party:

– activity flag (true iff the party has not quitted the protocol) – local event history (send and receive events)

– current round number

• local state of the network:

– network buffer

(set of messages submitted in the current round)

Synchronous protocol games

• players : protocol parties (Alice, Bob, ...) + network

• information sets: q and q’ belong to the same information set of Alice (Bob, ...) iff – it is Alice’s (Bob’s, ...) turn to move after both q and q’ , and

– the local state of Alice (Bob, ...) is the same after q and q’

• the parties can send only messages that are compatible with the protocol (~ have

A

B B

A A A A

net net net net

1st round

actions for A (B, ...) - idle

- quit

- {send(M) : M is a subset of those msgs that A is able to send in her current local state}

action for the network - deliver

Payoffs

• (subjective) utility of items:

– uA⁺, uA^-, uB⁺, uB^-

– determining precise values is not important – we assume only: 0 < uA^- < uA⁺ and 0 < uB^- < uB⁺

• payoff for player i : yi(q ) = yi+(q ) – yi-(q ) – yⁱ⁺(q ) - gain

– y^i-(q ) - loss

• note: the payoff can take only 4 possible values:

ui+ > ui+ -ui- > 0 > -ui-

u_A⁺ u_A^-

u_B⁺ u_B^- item_A item_B Alice

Bob

y_i⁺(q ) =

{

y_i^-(q ) =

{

Definition of rationality

rationality ~ Nash equilibrium

• rationality: a misbehaving party cannot gain any advantages

• Nash equilibrium: a deviating party cannot gain a higher payoff (given that the other parties do not deviate)

a formal definition of rationality

• protocol:  = { _A, _B, _TTP }

• protocol game: G

• each program i is represented by a strategy si* in G

• we consider the restricted protocol game Gs_TTP*

(i.e., we assume that the TTP behaves correctly)

• the protocol is rational iff

– (sA*, sB*) is a Nash equilibrium in GsTTP*

– both A and B prefer the outcome of (sA*, s_B*) to any other Nash equilibrium in Gs_TTP*

Further properties

fairness

• for every strategy sA of A:

yA (q ) > 0 implies yB (q ) > 0, where q = o (sA , sB*), and

• a similar condition for every strategy sB of B

effectiveness

• yA (q ) > 0 and yB (q ) > 0, where q = o (sA*, sB*)

termination

• for every strategy sA of A:

there exists a finite prefix q’ of q such that _B (q’ ) = false, where q = o (sA , sB*), and

• a similar condition for every strategy sB of B

gain closed property

• for every terminal action sequence q :

yA+(q ) > 0 implies yB -(q ) > 0 and yB +(q ) > 0 implies yA-(q ) > 0

safe back out property ...

Fairness implies rationality (but not vice versa)

proposition

if the protocol satisfies the effectiveness, gain closed, and safe back out properties, then fairness implies rationality

sketch of the proof

• (sA*, sB*) is a Nash equilibrium

– assume it is not

– yA(q’ ) > yA(q *), where q * = o (sA*, sB*) and q’ = o (sA’, sB*) – effectiveness, gain closed property  yA (q *) = uA⁺ - uA^-

– yA⁺(q’ ) = uA⁺ and yA^-(q’ ) = 0

– fairness  yA⁺(q’ ) = uA⁺ implies yB ⁺(q’ ) = uB⁺

– gain closed property  yB ⁺(q’ ) = uB⁺ > 0 implies yA^-(q’ ) > 0

Fairness implies rationality (but not vice versa)

sketch of the proof (cont’d)

• both A and B prefer the outcome of (sA*, sB*) to any other Nash equilibrium (sA’, sB’ )

– assume the contrary

– yA(q’ ) > yA(q *), where q’ = o (sA’, sB’ )  yA⁺(q’ ) = uA⁺ and yA^-(q’ ) = 0 – gain closed property  yA⁺(q’ ) = uA⁺ > 0 implies yB ^-(q’ ) > 0

– gain closed property  yA^-(q’ ) = 0 implies yB ⁺(q’ ) = 0 – yB (q’ ) = yB ⁺(q’ ) – yB ^-(q’ ) < 0

– safe back out property  B can always achieve a non-negative payoff by quitting at the beginning of the protocol

– sB’ is not the best response to sA’ – (sA’, sB’ ) cannot be a Nash equilibrium

rational exchange can be viewed as a trade-off between complexity and true fairness

 it may provide interesting solutions to the exchange problem in certain applications

Conclusion

• a formal model for exchange protocols based on game theory

• a formal definition of rational exchange (~ Nash equilibrium)

• formal definitions of various other properties (including fairness)

• a proof that fairness implies rationality (but not vice versa)

• proving rationality of two protocols

– example rational payment protocol – Syverson’s rational exchange protocol

rational exchange can be viewed as a trade-off between complexity and true fairness

 it may provide interesting solutions to the exchange problem

in certain applications

Future work: Asynchronous rational exchange?

example payment protocol revisited

• assume the network is unreliable (may delay or lose messages)

– the network may delay the delivery of m3 = rnd to V – V timeouts and sends m4’ to B

– V provided the service, but doesn’t get paid  payoff is negative

– V would have been better off if it had quitted the protocol at the beginning

 effectiveness and rationality is lost

• if the network doesn’t lose messages and the players don’t use timers

– effectiveness can be retained

• if U and V follow the correct strategies and wait long enough for messages, then they will eventually get what they want

– but rationality is still lost

• U knows that V will wait for m3 forever (no timeout)

• the best strategy of U is to quit after receiving the service and to never send m3

(i.e., misbehaving)