ON THE CRYPTOGRAPHIC HARDNESS OF FINDING A NASH EQUILIBRIUM NIR BITANSKY, OMER PANETH, ALON ROSEN.

Download Report

Transcript ON THE CRYPTOGRAPHIC HARDNESS OF FINDING A NASH EQUILIBRIUM NIR BITANSKY, OMER PANETH, ALON ROSEN. 

ON THE CRYPTOGRAPHIC HARDNESS
OF FINDING A NASH EQUILIBRIUM
NIR BITANSKY, OMER PANETH, ALON ROSEN
The Story Line
Games
Complexity
Crypto
Game Theory and Nash Equilibrium
[Nash 51]: a (mixed) equilibrium always exists
Cooperate
Defect
Cooperate
2\2
0\3
Defect
3\0
1\1
Nash Equilibrium
The CS Perspective
A (mixed) equilibrium always exists
Can it be computed efficiently?
“if your laptop can’t find it,
then neither can the market.”
[Kamal Jain, eBay]
How hard is finding a Nash Equilibrium?
?
?
?
Reduction
C
D
C
2\2
0\3
D
3\0
1\1
FNP
3SAT
TFNP
NASH
FP
Not NP-hard unless NP = coNP
[Megido-Papadimitriou 89]
The Class PPAD [Papadimitriou 94]
TFNP
PPAD
NASH
FP
Totality is proved via
“a parity argument in directed graphs”
The Class PPAD [Papadimitriou 94]
PPAD
EOL
Defined through its complete problem:
END-OF-THE-LINE (EOL)
End of the Line Problem (EOL)
Input:
A graph with in\out degree ≤ 1
A source:
Output:
Another source\sink:
End of the Line Problem (EOL)
Exponential size graph:
…
…
0𝑛
𝑃(𝑣)
Nodes are in 0,1
𝑣
𝑆(𝑣)
𝑛
Edges defined by programs 𝑆, 𝑃: 0,1
𝑛
→ 0,1
𝑛
PPAD and NASH [Papadimitriou 94]
Reduction
Reduction
Reduction?
C
D
C
2\2
0\3
D
3\0
1\1
[Daskalakis-Goldberg-Papadimitriou 05],
[Chen-Deng 05]
FNP
3SAT
Crypto:
FACTORING
DLOG
LWE
?
PPAD
EOL
BROUWER
SPERNER
FP
NASH
Today
Cryptographic hardness in PPAD
PPAD is as hard as breaking
indistinguishability obfuscation
The Story Line
Games
Complexity
Crypto
Program Obfuscation
y
𝑥
obfuscator
𝑥
obfuscated
program
y
Ideal Obfuscation
[Hada 00, Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
𝑂 is an ideal obfuscation if:
𝑃
𝑂 𝑃
𝐴𝑑𝑣
≈
𝑆𝑖𝑚
Hard EOL Instance from Ideal Obfuscation
[Folklore, Abbot-Kane-Valiant 04]
Using a pseudorandom permutation 𝑓𝑘
…
…
0𝑛
𝑓𝑘−1 (𝑣)
𝑓𝑘 (𝑣)
𝑆𝑘 (𝑣) =
"𝑠𝑖𝑛𝑘"
𝑣
if 𝑓𝑘 𝑣 ≠ 0𝑛
o.w.
−1
𝑓
𝑘 (𝑣)
𝑃𝑘 (𝑣) =
"𝑠𝑜𝑢𝑟𝑐𝑒"
if 𝑣 ≠ 0𝑛
o.w.
𝑓𝑘 (𝑣)
𝑓𝑘−1 (0𝑛 )
𝑺 = 𝑶(𝑺𝒌 )
𝑷 = 𝑶(𝑷𝒌 )
Hard EOL Instance from Ideal Obfuscation
[Folklore, Abbot-Kane-Valiant 04]
Using a pseudorandom permutation 𝑓𝑘
…
…
0𝑛
𝑓𝑘−1 (𝑣)
𝑣
𝑓𝑘 (𝑣)
𝑆𝑘 , 𝑃𝑘
𝑂 𝑆𝑘 , 𝑂(𝑃𝑘 )
𝐴𝑑𝑣
𝑆𝑖𝑚
Ideal obfuscation is subject
to strong lower bounds
Hada 00
Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01
Goldwasser-Kalai 05
Bitansky-Canetti-Cohn-Goldwasser-Kalai-P-Rosen 14
Indistinguishability Obfuscation (IO)
[Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang 01]
𝑃1 𝑥, 𝑦 :
OUTPUT (𝑥 + 𝑦)(𝑥 − 𝑦)
≡
𝑃2 𝑥, 𝑦 :
OUTPUT 𝑥 2 − 𝑦 2
Indistinguishability obfuscation
𝑃1 𝑥, 𝑦 :
OUTPUT (𝑥 + 𝑦)(𝑥 − 𝑦)
≈𝑐
𝑃2 𝑥, 𝑦 :
OUTPUT 𝑥 2 − 𝑦 2
[Garg-Gentry-Halevi-Raykova-Sahai-Waters 13]:
First candidate construction of IO
[GGHRSW 13, Sahai-Waters 14, … ]:
Functional encryption, Deniable encryption, Multiparty key
exchange, Efficient traitor tracing, Full Domain Hash, Adaptively
secure 2-round MPC, Publicly verifiable delegation, Noninteractive witness indistinguishable proofs, Trapdoor
permutations, Constant-rounds concurrent zero-knowledge…
Main Theorem
Assuming sub-exponentially secure IO,
The EOL problem is hard.
Should we believe in IO?
Hard EOL Instances
Using a pseudorandom function 𝑓𝑘
…
(1, 𝜎1 )
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
Where 𝜎𝑖 = 𝑓𝑘 (𝑖)
…
(𝑁, 𝜎𝑁 )
…
…
(1, 𝜎1 )
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
…
𝑆: 𝑺𝒌 𝒊, 𝝈 :
(𝑁, 𝜎𝑁 )
…
𝑃: 𝑷𝒌 𝒊, 𝝈 :
if i, 𝜎 = (𝑁, 𝜎𝑁 ):
return"𝑠𝑖𝑛𝑘“
if i, 𝜎 = (1, 𝜎1 ):
return"𝑠𝑜𝑢𝑟𝑐𝑒“
If i, 𝜎 = (𝑖, 𝜎𝑖 ):
return 𝑖 + 1, 𝜎𝑖+1
If i, 𝜎 = (𝑖, 𝜎𝑖 ):
return 𝑖 − 1, 𝜎𝑖−1
else:
return (𝑖, 𝜎)
else:
return (𝑖, 𝜎)
Need To Prove
𝑆𝑘
𝑃𝑘
𝜎𝑁
…
(1, 𝜎1 )
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
…
(𝑁, 𝜎𝑁 )
…
…
(𝑁, 𝜎𝑁 )
′
𝑆𝑘
≈𝑐
…
(1, 𝜎1 )
𝜎𝑁
𝑆𝑘
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
…
(𝑁, 𝜎𝑁 )
…
…
(𝑁, 𝜎𝑁 )
′
𝑆𝑘 /𝑆𝑘
…
(1, 𝜎1 )
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
…
(𝑁, 𝜎𝑁 )
…
…
(𝑁, 𝜎𝑁 )
′
𝑆𝑘
≡
𝑆𝑘
…
(1, 𝜎1 )
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
…
(𝑁, 𝜎𝑁 )
…
…
…
Step 2 × 𝑶(𝑵)
…
…
…
…
Step 2
Step 2: modify a node with in-degree 0
…
…
Step 1: remove a random edge
…
(1, 𝜎1 )
…
(𝑁, 𝜎𝑁 )
A Useful Lemma
𝑨
𝑩𝒓,𝒛 𝒙 :
if 𝑥 = 𝑟:
return 𝑧
else:
return 𝐴(𝑥)
𝐵𝑟,𝑧 (𝑥)
𝐴(𝑥)
𝑧
𝑥
𝑟
𝑥
A Useful Lemma
𝑨
𝑩𝒓,𝒛 𝒙 :
if 𝑥 = 𝑟:
return 𝑧
else:
return 𝐴(𝑥)
For a random 𝑟 and for all 𝑧:
𝑨
≈𝑐
𝑩𝒓,𝒛 𝒙 :
if 𝑥 = 𝑟:
return 𝑧
else:
return 𝐴(𝑥)
Proof of Lemma (using ideas from [SW14])
𝑩𝒓,𝒛 𝒙 :
𝑨
Also using an Injective,
length doubling PRG:
𝑔: 0,1
𝑛
→ 0,1
2𝑛
if 𝑥 = 𝑟:
return 𝑧
else:
return 𝐴(𝑥)
≈𝑐
using IO
𝑩∗𝒔=𝒈(𝒓),𝒛 𝒙 :
if 𝑔(𝑥) = 𝑠: return 𝑧
else:
return 𝐴(𝑥)
Proof of Lemma
𝑩𝒓,𝒛 𝒙 :
𝑨
using IO
≈𝑐
𝑩∗𝒔←𝑼,𝒛 𝒙 :
if 𝑔(𝑥) = 𝑠: return 𝑧
else:
return 𝐴(𝑥)
if 𝑥 = 𝑟:
return 𝑧
else:
return 𝐴(𝑥)
using 𝑔
≈𝑐
≈𝑐
using IO
𝑩∗𝒔=𝒈(𝒓),𝒛 𝒙 :
if 𝑔(𝑥) = 𝑠: return 𝑧
else:
return 𝐴(𝑥)
Step 1 - Proof
𝑺𝒌 (𝒊, 𝝈)
≈𝑐
𝑺′𝒌,𝒓 𝒊, 𝝈 :
if 𝑖 = 𝑟: return ⊥
else:
return 𝑺𝒌 (𝒊, 𝝈)
…
…
Step 1: remove a random edge
…
…
(1, 𝜎1 )
(𝑟, 𝜎𝑟 )
(𝑁, 𝜎𝑁 )
Step 2 - Proof
…
…
Step 2: modify a node with in-degree 0
…
…
(1, 𝜎1 )
(𝑖, 𝜎𝑖 )
pseudorandom
(𝑁, 𝜎𝑁 )
Puncturable Pseudorandom Functions
[Boneh-Waters 13, Boyle-Goldwasser-Ivan 13, Sahai-Waters 14]
𝜎1 , … , 𝜎𝑖−1 , 𝜎𝑖 , 𝜎𝑖+1 , … , 𝜎𝑁
𝑓𝑘
Puncturable Pseudorandom Functions
[Boneh-Waters 13, Boyle-Goldwasser-Ivan 13, Sahai-Waters 14]
𝜎1 , … , 𝜎𝑖−1 , ? , 𝜎𝑖+1 , … , 𝜎𝑁
𝑓𝑘{𝑖}
Step 2 - Proof
Independent of 𝑟
(𝑖,∗)
…
By Lemma
…
(𝑖, 𝑟)
…
By IO and puncturing
…
(𝑖, 𝑟)
…
…
(1, 𝜎1 )
(𝑖, 𝜎𝑖 )
(𝑁, 𝜎𝑁 )
…
…
(𝑁, 𝜎𝑁 )
≈𝑐
′
𝑆𝑘
𝑆𝑘
…
(1, 𝜎1 )
𝜎𝑁
𝑃𝑘
(𝑖 − 1, 𝜎𝑖−1 ) (𝑖, 𝜎𝑖 ) (𝑖 + 1, 𝜎𝑖+1 )
…
(𝑁, 𝜎𝑁 )
The Problem of Going Backwards
…
…
Step 2: modify a node with in-degree 0
…
(1, 𝜎1 )
…
(𝑁, 𝜎𝑁 )
Solution [Abbot-Kane-Valiant 04]
If the path is verifiable, then 𝑃 is for free
Idea: reversible computation [Bennet 84]:
Any sequential computation can be simulated
in a reversible way, with low overhead
Reversible Computation
…
…
𝑃1
≡
𝑃2
𝑃1
≈𝑐
𝑃2
multi-linear
maps
lattices
C
D
C
2\2
0\3
D
3\0
1\1
Security of IO and Multi-Linear Maps
Garg-Gentry-Halevi-Raykova-Sahai-Waters 13, BrakerskiRothblum 14, Barak-Garg-Kalai-P-Sahai 14, BrakerskiApplebaum 15, Zimmerman 15, Pass-Seth-Telang 14,
Gentry-Lewko-Sahai-Waters 14, Cheon-Han-Lee-Ryu-Stehlé
14, Boneh-Wu-Zimmerman 14, Gentry-Halevi-Maji-Sahai 14,
Coron-Lepoint-Tibouchi 14, Gentry-Halevi-Gorbunov 15,
Ananth-Jain 15 , Bitansky-Vaikuntanathan 15 …
𝑃1
≡
𝑃2
𝑃1
≈𝑐
𝑃2
multi-linear
maps
Thanks!
lattices
C
D
C
2\2
0\3
D
3\0
1\1