**Utility Dependence in Correct and Fair Rational Secret Sharing**

*Gilad Asharov and Yehuda Lindell*

**Abstract: **The problem of carrying out cryptographic computations when the participating parties are \emph{rational} in a game-theoretic sense has recently gained much attention. One problem that has been studied considerably is that of rational secret sharing. In this setting, the aim is to construct a mechanism (protocol) so that parties behaving rationally have incentive to cooperate and provide their shares in the reconstruction phase, even if each party prefers to be the only one to learn the secret.

Although this question was only recently asked by Halpern and Teague (STOC 2004), a number of works with beautiful ideas have been presented to solve this problem. However, they all have the property that the protocols constructed need to know the actual utility values of the parties (or at least a bound on them). This assumption is very problematic because the utilities of parties are not public knowledge. We ask whether this \emph{dependence on the actual utility values} is really necessary and prove that in the case of two parties, rational secret sharing cannot be achieved without it. On the positive side, we show that in the multiparty case it is possible to construct a single mechanism that works for all (polynomial) utility functions. Our protocol has an expected number of rounds that is constant, and is optimally resilient to coalitions.

In addition to the above, we observe that the known protocols for rational secret sharing that do not assume simultaneous channels all suffer from the problem that one of the parties can cause the others to output an incorrect value. (This problem arises when a party gains higher utility by having another output an incorrect value than by learning the secret itself; we argue that such a scenario needs to be considered.) We show that this problem is inherent in the non-simultaneous channels model, unless the actual values of the parties' utilities from this attack is known, in which case it is possible to prevent this from happening.

**Category / Keywords: **cryptographic protocols / rational secret sharing, game theory and cryptography

**Publication Info: **A preliminary version of this paper appeared in CRYPTO 2009; this is the full version.

**Date: **received 29 Jul 2009, last revised 4 Mar 2010

**Contact author: **lindell at cs biu ac il

**Available format(s): **PDF | BibTeX Citation

**Note: **This paper contains many additional results that do not appear at all in the CRYPTO conference version. In addition, full proofs are given for all results.

**Version: **20100305:060947 (All versions of this report)

**Short URL: **ia.cr/2009/373

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]