Cryptographic Rational Secret Sharing Schemes over General Networks

Abstract

We propose cryptographic rational secret sharing protocols over general networks. In a general network, the dealer may not have direct connections to each player, and players may not have direct connections to each of the other players. We present conditions on the network topology for which our proposed protocols are computational strict Nash equilibria and $(k-1)$-resilient, along with analysis on their round and communication complexity. We also present new notions of equilibria such as $\Phi$-resilient computational Nash equilibria, whereby a protocol is resilient to coalitions that satisfy conditions in $\Phi$, regardless of the coalition’s size. We also propose $(n-1)$-key leakage-tolerant equilibria applicable to cryptographic protocols involving secret keys, whereby the equilibrium holds even if some players acquire $(n-1)$ tuples of secret keys.

1. Introduction

Secret sharing schemes address the problem of securely disseminating a secret among several participants, which is a relatively old problem in cryptography. Perhaps the most popular early secret sharing scheme is the $(n,k)$ secret sharing scheme by [1], which is also termed as a $(n,k)$ threshold sharing scheme. In this secret sharing scheme, the setting involves a dealer who wants to share a secret among n players. The dealer subdivides the secret into n pieces (i.e., shares) and sends a piece to each player. If at least k players cooperate and share their shares, then the secret can be efficiently reconstructed. However, if less than k players cooperate, their shares reveal no information about the secret. To achieve these conditions, the scheme of [1] uses properties of polynomials and Lagrange interpolation, and it is shown to be secure under the formalized security notion of a secret sharing scheme [2]. Since this invention by [1], several other secret sharing schemes have been proposed [3], many of which are closely related to the field of secure multiparty computation [4,5,6,7].

The setting for standard $(n,k)$ secret sharing, however, assumes that players are either completely honest or malicious [8], and security is guaranteed against completely malicious players (termed adversaries). In a paper by [9], however, players are instead modeled as rational in the game-theoretic sense [10], i.e., players have associated utility functions, and the goal of each player is to maximize their own utility as a function of the game’s outcome—while taking into account the effects of the actions of other players in determining the outcome of the game. It is shown in [9], that standard non-rational secret sharing schemes would fail to obtain the desired objective of having all players learn the secret if participants are modeled as rational under natural assumptions on their utility functions. Thus, non-rational protocols have to be modified in order to factor-in the utility-maximizing behavior of players and the widened action space that comes from rationality. This notion of a rational player by [9] paved the way for the research area of rational secret sharing, where solutions are expressed in the form of protocols that induce Nash equilibria [11]. In particular, the rational secret sharing scheme in [9] is a protocol where players have an incentive to follow the protocol and learn the secret together, rather than for a player to deviate from the protocol and learn the secret by itself. In this regard, Ref. [9] showed that their scheme is not only a Nash equilibrium but is also not weakly dominated [11], which, in some instances, involves a stronger condition than Nash equilbrium. Moreover, [9] showed that no rational secret sharing scheme exists for $n=2$ players, but such a scheme exists for $n>2$ by taking advantage of randomness and uncertainty over the game’s outcome. Several other papers on rational secret sharing followed after [9]. The scheme of [12] is a simple rational secret sharing scheme that allows the dealer to either draw a true secret from some subset of a field, or draw a false secret—which is a simplification from the original protocol of [9]. This random drawing by the dealer gives uncertainty in players’ point of view, such that for the players, the more viable and less risky option is to comply with the protocol. Another paper by [13] considers the dependence of schemes on various notions of utility. The chapter of [14] claims that rational secret sharing contributed a new notion of equilibrium to the field of game theory, which is the $(k-1)$-resilient equilibrium. In particular, a protocol induces a $(k-1)$-resilient equilibrium if it is a Nash equilibrium and if any coalition of less than k players has no incentive to deviate from the protocol. Other rational secret sharing schemes are presented in [15,16,17,18].

The schemes of [9,12,19] consider settings where the dealer has a direct connection to each of the players to send each players’ share. In addition, players have access to a simultaneous broadcast channel, whereby any transmission sent over the channel is automatically received by all the players (although [12] presented a sketch in the end of his paper over an asynchronous broadcast channel). These assumptions are relaxed in [20], whereby players still have access to a broadcast channel, but transmissions are performed asynchronously. In addition, ref.  [20] showed that the schemes of [9,12] are not exactly Nash equilibria if players are allowed to perform a superpolynomial number of computations—which is not at all a given requirement in games according to game-theory literature (i.e., some games are even assumed to be infinite [21]). Ref. [20] thus presented a scheme that is a Nash equilibrium in an information-theoretic sense by drawing shares from an unbounded domain. The scheme of [20], however, assumes that players are allowed to receive shares of arbitrary size. The results of [20] have theoretical appeal, but as per [8], coming up with rational secret schemes where participants are constrained to compute in polynomial time, i.e., cryptographic rational secret schemes, are still meaningful. This led [8] to formulate notions of computational Nash equilibria, computationally strict Nash equilibria, as well as $(k-1)$-resilient computational Nash equilibria, which are modified notions of Nash equilibria over games that constrain its participants to operate in polynomial-time. Moreover, the equilibrium notions of [8] are defined in terms of actions cast as information transmissions relative to each participants’ point-of-view—disregarding any hidden internal computations done by other participants. The scheme of [8] is asynchronous and operates over point-to-point networks instead of broadcast channels. In particular, [8] uses cryptographic primitives termed verifiable random functions (VRFs) [22,23].

The setting considered in [8], however, assumes that the dealer has access to each of the players, and each player has access to all other players over a point-to-point network. In this paper, we consider rational secret sharing schemes over general networks, which is a further relaxation from the networks considered in [8,20]. In particular, in a general network, the dealer is not guaranteed to have direct access to each of the players, and players are not guaranteed to have direct access to each of the other players. This implies that transmissions from the dealer or from a player may have to pass through some other player nodes in the network before it reaches its intended recipient. The work of [24,25] deals with the problem of securely disseminating a player’s individual share of the secret given that the dealer is not directly connected with each player. In particular, Ref. [24] specifies a graphical property of the network, namely, the k-path disjoint property, as a condition for securely disseminating a player’s share despite general network constraints. The work of [26] presents a non-rational secret sharing scheme that is secure on general networks and has much less communication complexity—under the condition that the corresponding graph describing the network topology is k-propagating [26]. Both the schemes of [24,26], however, deal more with the first phase of a secret sharing scheme, namely, the secret generation and share/key dissemination phase.

In Section 4.1, we discuss the limitations of the secret sharing schemes surveyed in the above paragraphs. As discussed, the rational secret sharing schemes [8,9,12] assume a broadcast channel or a point-to-point network, by which participants can send messages to one another (whether simultaneous or asynchronously). However, in Section 4.1, we show that in some instances of a general network, equilibrium guarantees of these schemes would fail to hold. On the other hand, non-rational secret sharing schemes (as in [24,26]) are not valid in the case of rational participants, as given rationality and natural assumptions on utility, players are better off by not sharing their shares—as discussed in [9] and described in Section 2.3. It is the goal of the paper, then, to present protocols which provide equilibrium guarantees (under certain conditions of the network topology), even in the combined case of a general network topology over rational participants for all phases of a secret sharing protocol. In particular, our contributions are as follows:

Our Contributions

• In this paper, we provide protocols that guarantee equilibrium even in the combined case of a general network topology over rational participants for all phases of a secret sharing protocol. We likewise state the required graphical properties of such general networks in order for such equilibria to hold. Thus, our protocols are able to overcome the limitations of existing protocols that are either non-rational or which assume broadcast channels/point-to-point connections among participants—albeit under some conditions on the network topology. In particular, we present three protocols. The first protocol uses a pseudorandom function cryptographic primitive [2] and induces a computational Nash equilibrium given an online dealer, i.e., the dealer transmits information throughout the protocol. For the second protocol, we use the verifiable random functions as conducted in [8], which also results in a computational Nash equilibrium but requires only a semi-online dealer, i.e., the dealer transmits information only at certain phases of the protocol, but is not needed throughout the protocol’s execution. The second protocol, however, has much higher round complexity compared to the first scheme. The equilibria of each scheme borrows a technique proposed by [8], which is to randomly draw the value of a definitive iteration from a geometric distribution but to delay the moment when players discover the definitive iteration to create uncertainty. In addition, we apply a scheme inspired by [24] to distribute a secret perfectly in a general network. However, in Section 4.1, we mention that additional mechanisms are required in order for computational Nash equilibrium to provably hold—and we show reasons why the equilibrium is not clear under a straightforward combination of the schemes of [8,24]. Moreover, we mention the required graph-theoretic properties of the general network required for such equilibria, which we term as the k-disjoint property, where each pair of nodes in the graph has at least k disjoint paths connecting them.
• Aside from computational Nash equilbrium, we also show that our proposed protocol induces stronger notions of Nash equilibrium, i.e., computationally strict Nash equlibrium and $(k-1)$-resilient computational Nash equilibrium following [8]. For each equilibrium notion, we present the required properties of the network topology needed for the equilibrium to hold. These properties are expressed using graph theoretical concepts.
• We present new notions of the computational Nash equilibrium. The first is termed a $\Phi$-resilient computational Nash equilibrium, whereby a protocol is a $\Phi$-resilient if it is a computational Nash equilibrium and if it is resilient to any coalition that satisfies the properties listed in $\Phi$, regardless of the coalition’s size, where the properties in $\Phi$ are expressed using graph theoretical concepts. We present a third protocol which is a $\Phi$-resilient computational Nash equilibrium and derive the result that a k-resilient protocol may be resilient to some coalitions of size greater than k, as long as such coalitions satisfy the graphical properties required in $\Phi$. The second equilibrium notion is termed $(n-1)$-key leakage resilient equilibrium, whereby a rational secret sharing scheme is still a computational Nash equilibrium in spite of some players acquiring $(n-1)$ secret keys.

2. Model and Definitions

Let $\kappa \in \mathbb{N}$ denote a security parameter, where the notion of a security parameter relative to a cryptographic scheme is explained in detail in [2]. A function $f:\mathbb{N}\to \mathbb{R}$ is negligible if, for all $c>0$, there is a ${\kappa }_c>0$ such that $f\left(\kappa \right)<1/{\kappa }^c$ for all $\kappa >{\kappa }_c$. Throughout the paper, the notation $x\leftarrow X$ refers to x being randomly drawn from the probability distribution of random variable X, but it is also sometimes used as $y\leftarrow f\left(x\right)$, where f is some probabilistic function.

Let $\mathcal{A}$ be any probabilistic polynomial-time algorithm. The advantage of $\mathcal{A}$ is defined to be its capacity to distinguish between the probability distributions of two collections of random variables. For instance, let $\mathcal{X}={\left\{X_{\kappa }\right\}}_{\kappa \in \mathbb{N}}$ and $\mathcal{Y}={\left\{Y_{\kappa }\right\}}_{\kappa \in \mathbb{N}}$ be two collections of random variables indexed by $\kappa$. The advantage of algorithm $\mathcal{A}$ in this instance is $|Pr[\mathcal{A}(1^{\kappa },x)=1]-Pr[\mathcal{A}(1^{\kappa },y)=1]|$ for $x\leftarrow X_{\kappa }$ and $y\leftarrow Y_{\kappa }$. Two collections of random variables $\mathcal{X}$ and $\mathcal{Y}$ are computationally indistinguishable if the advantage of any polynomial-time algorithm is negligible in $\kappa$.

An $(n,k)$ secret sharing scheme $\Pi$ for domain $\mathcal{S}$ is a polynomial-time protocol carried out by a dealer d and a set of n players $\{p_1,p_2,\dots ,p_n\}$, where the time spent by the protocol and the size of $\mathcal{S}$ are functions of $\kappa$. In particular, $\left|\mathcal{S}\right|$ has to be superpolynomial with respect to $\kappa$ in order for a secret sharing scheme to be secure in the cryptographic sense. The protocol $\Pi$ is given by polynomial-time algorithms $(S_G,S_R)$, where $S_G$ is a share generation algorithm, and $S_R$ is a secret reconstruction algorithm. To securely disseminate a secret s among the n players, the protocol proceeds in two phases. The first phase is the secret generation and share (or key) dissemination phase, where the dealer uses $S_G$ on input $s\in \mathcal{S}$ to generate n shares $\{s_1,s_2,\dots ,s_n\}\in \mathcal{S}$. The dealer gives $s_i$ to player $p_i$ for $i\in \left[n\right]$. In the second phase, termed the secret reconstruction phase, a subset of players of size $n_a\le n$, termed the active players are meant to collaborate in reconstructing s, such that given any set consisting of at least k shares, the secret s can be efficiently and correctly reconstructed using algorithm $S_R$. This is termed the correctness property of secret sharing schemes. Moreover, secret sharing schemes satisfy the secrecy requirement, whereby any data that provide information on less than k shares reveal nothing about s.

2.1. Game Theory Definitions

Following standard notions in game-theory [11], a game is described by: (1) a set of participants who have associated utility functions (which are termed as players), and possibly other participants without utility functions (for instance, nature as described in [10]); (2) the possible actions available to each participant; (3) rules that determine the order in which participants make their moves; (4) a rule that determines the outcome of every possible game ending; and (5) a definition of the utility function associated with each player in the game. Several forms of games have been considered, but here we consider the extensive form of a game with imperfect information following [20]. Namely, an extensive form game $\mathcal{G}$ with imperfect information is a tuple

$$(N,{\left(A_i\right)}_{i\in \left[\right|N\left|\right]},{\Omega }_H,f_{\mathtt{next}},{\left({\mathcal{I}}_i\right)}_{i\in \left[\right|N\left|\right]},\mathit{o},{\left({\mu }_i\right)}_{i\in \left[\right|N\left|\right]})$$

where:

• N—a finite set of players denoted as $\{p_1,p_2,\dots ,p_n\}$ with $n=\left|N\right|$.
• $A_i$—the action space available to player $p_i$ with an element denoted as $\mathtt{act}\in A_i$. $A_i$ can be finite or infinite.
• ${\Omega }_H$—a set of sequences (termed histories) with elements $\omega :=({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,{\mathtt{act}}_m)$ (for some $m>0$) of actions taken by players that satisfy the following: (1) $\varnothing \in {\Omega }_H$ and (2) for any $m>0$, if $({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,{\mathtt{act}}_m)\in {\Omega }_H$ and $m^{\prime }<m$, then $({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,$${\mathtt{act}}_{m^{\prime }})\in {\Omega }_H$. A history $({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,{\mathtt{act}}_m)$ is terminal if there is no ${\mathtt{act}}_{m+1}$ such that

  $$({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,{\mathtt{act}}_{m+1})\in {\Omega }_H.$$
  The set of actions for player $p_i$ after a non-terminal history $\omega :=({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,{\mathtt{act}}_m)$ is denoted as $A_i\left(\omega \right):=\left\{{\mathtt{act}}_{m+1}\right|({\mathtt{act}}_1,{\mathtt{act}}_2,\dots ,{\mathtt{act}}_m,{\mathtt{act}}_{m+1})\in {\Omega }_H\}$.
• $f_{\mathtt{next}}$—a function $f_{\mathtt{next}}:{\Omega }_H\to N$ for which $f_{\mathtt{next}}\left(\omega \right)$ is the player who takes action after history $\omega \in {\Omega }_H$.
• ${\mathcal{I}}_i$—the information partition for player $p_i$, which is a partition of $\{\omega \in {\Omega }_H|f_{\mathtt{next}}\left(\omega \right)=p_i\}$ with the property that $A_i\left(\omega \right)=A_i\left({\omega }^{\prime }\right)$ if $\omega$ and ${\omega }^{\prime }$ are both in the same element of the partition. An element of ${\mathcal{I}}_i$ is denoted as I, which is termed an information set. The set of actions for $p_i$ after reaching I is $A_i\left(I\right)$.
• $\mathit{o}$—a set of outcomes, where an outcome is a description of events in the game once a terminal history is reached.
• ${\mu }_i$—a utility function from the set of terminal histories to $\mathtt{R}$, which determines $p_i$’s gain depending on the game’s outcome.

Definition 1.

Given an extensive form of game $\mathcal{G}$ with imperfect information, a behavioural strategy (or simply strategy) is denoted as a vector $\mathbf{\sigma }:=\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_n\}$, where for $i\in \left[n\right]$, ${\sigma }_i$ is the strategy of player $p_i$. Each ${\sigma }_i$ for $i\in \left[n\right]$ is a function mapping I to a probability distribution over $A_i\left(I\right)$.

The definition of strategy given in Definition 1 is the standard definition in game-theory [11], whereby actions are functions of histories or information sets. An equivalent (and perhaps more intuitive) definition of strategy for player $p_i\in N$ views actions $A_i\left(I\right)$ taken by $p_i$ under information set I as conditional on the information contained in I. For instance, a history in an information set I may consist of past actions of a player’s internal computations, along with past actions of other players consisting of transmissions sent over a network. In this case, the set of information contained in I consists of the outputs of these internal computations plus the content of transmissions from other players. Strategy in this case is defined as actions taken by a player conditional on the information contained in I after reaching information set I. This notion of information contained in an information set is denoted as ${\varphi }_i\left(I\right)$ for $p_i\in N$ and is defined below.

Definition 2.

Let $p_i\in N$ reach information set I. The information from I or information in I is denoted as ${\varphi }_i\left(I\right)$, which consists of all possible information from the point of view of $p_i$ upon reaching I. The set of actions for $p_i$ after reaching I and conditional on ${\varphi }_i\left(I\right)$ is denoted as $A_i\left({\varphi }_i\left(I\right)\right)$ and $A_i\left({\varphi }_i\left(I\right)\right)=A_i\left(I\right)$, i.e., the difference between $A_i\left({\varphi }_i\left(I\right)\right)$ and $A_i\left(I\right)$ is merely conceptual.

Definition 3.

Given an extensive form game $\mathcal{G}$ with imperfect information, a behavioural strategy (or simply strategy) is denoted as a vector $\mathbf{\sigma }:=\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_n\}$, where for $i\in \left[n\right]$, ${\sigma }_i$ is the strategy of player $p_i$. Each ${\sigma }_i$ for $i\in \left[n\right]$ is a function mapping the space of ${\varphi }_i\left(I\right)$ to a probability distribution over $A_i\left(I\right)$.

Definition 4.

Define: ${\mathbf{\sigma }}_{-i}:=({\sigma }_1,\dots ,{\sigma }_{i-1},\sigma i+1,\dots ,{\sigma }_n)$, and similarly, define $({\sigma }_i^{\prime },{\mathbf{\sigma }}_{-i})=({\sigma }_1,\dots ,{\sigma }_{i-1},{\sigma }_i^{\prime },{\sigma }_{i+1},\dots ,{\sigma }_n)$, i.e., the strategies of all players are the same as in $\mathbf{\sigma }$, except for player i, who changed his strategy to ${\sigma }_i^{\prime }$.

2.2. Graph Theory Definitions

Recall that a graph $G=(V,E)$ consists of a set of nodes V and a set of edges $E\subseteq V\times V$, such that two nodes $a_1,a_2\in V$ are joined or are adjacent to each other if $(a_1,a_2)\in E$. In this setting, graphs are assumed to be undirected. A walk from node a to node b is a finite sequence of edges $((a_1,b_1),(a_2,b_2),\dots ,(a_m,b_m))$ for some $m>0$ (i.e., all walks in this setting are assumed to end and we do not consider infinite walks), such that $a_1=a$, $b_m=b$, and $b_l=a_{l+1}$ for $l\in [m-1]$. The first edge of a walk $((a_1,b_1),(a_2,b_2),\dots ,(a_m,b_m))$ is the edge $(a_1,b_1)\in E$. Given a walk $((a_1,b_1),(a_2,b_2),\dots ,(a_m,b_m))$, the nodes $\{a_1,a_2,\dots ,a_m,b_m\}$ comprise the node sequence of the walk. A path from a to b is a walk in which all elements of its node sequence are distinct, and the first and last nodes in the node sequence are a and b, respectively. Given a path from a to b, the path is said to originate at a, and the node a is termed the origin-node, or the origin, while the node b is termed the end-receiver node or the end-node. Two distinct nodes $a,b\in V$ are connected if there exists a path from a to b, in which case the path is connecting a to b. Two paths are completely disjointed if their respective node sequences have empty intersection (i.e., they do not cross each other). Aside from these standard graph theory definitions, we also define special types of paths and graphs that will be used in this setting. Let $a,b\in V$ be a pair of distinct nodes.

Definition 5.

A set of paths from a to b is internally disjoint if: (1) the node sequences of the paths have a as the origin and b as the end-receiver and (2) if, aside from the beginning and end, the node sequences of the paths do not share any node in common. Furthermore, given a graph $G(V,E)$, let $a,b$ be two distinct pair of nodes in V. A set of k paths from a to b is a set of k-disjoint paths from a to b if they are internally disjoint. Lastly, given a graph $G(V,E)$, let $\overline{V}\subset V$. The set of nodes $\overline{V}$ is k-disconnected if, for each distinct pair of nodes $a,b\in \overline{V}$, we have: (1) $(a,b)\notin E$ and (2) for any path connecting a and b, the size of the node sequence is at least $k+2$.

While dense clique graphs are likely to be path-disjoint, it is not necessary for a graph to be a clique in order to be path-disjoint. As shown in Figure 1, we have a graph that is 3-path disjoint even though it is not a clique. A useful property of k-path disjoint graphs is stated in Lemma 1, which will be used in the proofs in the Appendix.

Lemma 1.

Given a k-path-disjoint graph $G(V,E)$, let $\overline{V}\subset V$ be a set of size $k-1$. For each distinct pair of nodes $a,b\in V$, any set of k-disjoint paths from a to b contains a path that does not contain nodes belonging to $\overline{V}$.

Proof. 

Let $a,b$ be an arbitrary pair of distinct nodes in V. Let $\overline{V}\subset V$ be an arbitrary subset of nodes of V of size $k-1$. Suppose that there exists a set of k-disjoint paths from a to b such that each path contains nodes belonging to $\overline{V}$. Since this particular set of paths is internally disjoint, this implies that there are k paths whose first edges are distinct from each other and which originate at a. Distribute the members of $\overline{V}$ to these k paths. However, since $|\overline{V}|<k$, some paths do not contain nodes belonging to $\overline{V}$, which is a contradiction.    □

2.3. Rational Secret Sharing

Early secret sharing schemes’ model players are either completely honest or malicious [1]. In a rational secret sharing scheme, however, players are rational in the game-theoretic sense and are associated with utilities depending on outcomes of a game [9]. Thus, a protocol $\Pi$ in rational secret sharing corresponds to a prescribed strategy over a game. In particular, in a rational secret sharing game, there are $n+1$ participants consisting of n players who wish to reconstruct the secret and have associated utility functions, plus a dealer without an associated utility function. However, among these n players, only a subset of $n_a\le n$ players are willing to participate in the protocol, namely, the active players. In the setting of [9], each active player has access to a broadcast channel, whereby if an active player transmits information in this channel, all other active players in the game learn the transmitted information automatically. An important result of [9] (and described in Section 4.1), is that standard non-rational cryptographic protocols fail if participants are modeled as rational instead of plainly honest or malicious.

The secret sharing game described in [9] proceeds in several iterations, and each iteration consists of multiple communication rounds. At the beginning of each iteration, the dealer privately distributes information to each of the n players. Afterwards, the subset of $n_a$ active players run the protocol among themselves by simultaneously broadcasting messages in a series of rounds. At the end of an iteration, the protocol either terminates or proceeds to the next iteration. At the beginning and throughout the game, it is assumed that the dealer and each of the players know the identities of the $n_a$ active players.

The strategies of the game’s active players in [9] can be viewed as probabilistic interactive Turing machines [27] that operate in polynomial-time following [8]. In this context, the dealer and the active players can perform arbitrary polynomial-time probabilistic computations internally in each round. In addition, in each round, the dealer and the active players can either (1) broadcast information (i.e., a share) or (2) abstain from broadcasting information (players only). In addition, players can (3) abort the game or (4) output a guess of the secret. If all active players abort, the game ends, and the outcome of a game is described in terms of the outputs of each active player. Following [9], the value of the utility function $\mu$ of a player increases if it correctly outputs the secret s. Each active player, however, prefers that the number of active players who correctly outputted s be as small as possible, as shown in Definition 6 below. For simplicity, however, in all that follows in this paper, we assume that all players are active, i.e., $n_a=n$, so that if some player is referred to as performing some action or strategy or whose utility is being computed, it is automatically assumed that the player is an active player.

Definition 6.

Let $\mathit{o}$ denote an outcome vector of length n such that $o_i=1$ if player $p_i$ outputs the secret s. If a player outputs s correctly, it is considered to have learned s, without the need to look into its internal computations. If $p_i$ outputs a wrong secret or aborts without any output, $p_i$ is considered to not have learned the secret and $o_i=0$. Let ${\mu }_i\left(\mathit{o}\right)$ denote the utility of player i given outcome $\mathit{o}$. Following [8], let $\mathit{o}=\{o_1,o_2,\dots ,o_n\}$ and ${\mathit{o}}^{\prime }=\{o_1^{\prime },o_2^{\prime },..,o_n^{\prime }\}$ be two distinct outcomes. For each player $p_i\in \mathit{P}$, we have: (1) if $o_i>o_i^{\prime }$ then ${\mu }_i\left(\mathit{o}\right)>{\mu }_i\left({\mathit{o}}^{\prime }\right)$, and (2) if $o_i=o_i^{\prime }$ and ${\sum }_{i\in \left[n\right]}{o}_i<{\sum }_{i\in \left[n\right]}{o}_i^{\prime }$, then ${\mu }_i\left(\mathit{o}\right)>{\mu }_i\left({\mathit{o}}^{\prime }\right)$.

Definition 7.

Given an outcome $\mathit{o}$, let $u_i\left(\mathit{o}\right)$ denote player i’s expected utility function, where expectation is taken over the value of s (which is assumed to be chosen uniformly by the dealer at the beginning of the game), the randomness of the dealer, and the randomness of each player’s strategy.

Definition 8.

Let $s\in \mathcal{S}$ be a secret. Following [8,12], define $U_i^{+}:={\mu }_i\left(\mathit{o}\right)$ if $o_i=1$, and $o_{i^{\prime }}=0$ for all $i^{\prime }\in \left[n\right]\backslash i$, i.e., player $p_i$ learns the secret but no other player does. On the other hand, for any $\mathit{o}$ such that $o_i=1$, and ${\sum }_{i^{\prime }\in \left[n\right]\backslash i}{o}_{i^{\prime }}>0$, i.e., player $p_i$ learns the secret and at least some other player does as well, we define the resulting utility as a single value $U_i:={\mu }_i\left(\mathit{o}\right)$. Lastly, for any $\mathit{o}$ such that $o_i=0$, i.e., player $p_i$ does not learn the secret, we define the resulting utility as a single value $U_i^{-}:={\mu }_i\left(\mathit{o}\right)$. For each player $p_i\in N$, define $U_{\mathtt{random}}$ as $U_{\mathtt{random}}:=(1/|\mathcal{S}\left|\right)U_i^{+}+(1-1/|\mathcal{S}\left|\right)U_i^{-}$, which is the expected utility of a player who outputs a random guess of s if other parties abort or output a wrong guess.

For this setting, the functions $U_i^{+}$, $U_i^{-}$ and $U_i$ are the same for all players so that we can refer to them simply as $U^{+}$, $U^{-}$ and U. For this paper, we assume that $U^{+}>U>U^{-}$. Moreover, it is required that $U>U_{\mathtt{random}}$ since, otherwise, players will have no incentive to participate in the game as shown in [8].

Definition 9.

A protocol Π in a rational secret sharing game has an online dealer if the dealer continually sends transmissions at each iteration until the secret is reconstructed, i.e., the dealer’s continual transmissions at each iteration throughout the game is required for players to reconstruct the secret. A protocol has a semi-online dealer if the dealer sends transmissions for a finite number of iterations, after which, the dealer stops sending any additional transmission even if the secret is still not yet constructed by the players, i.e., the players are left to reconstruct the secret on their own (without the dealer) at some point in the game.

2.4. $A_{GN}$ Rational Secret Sharing

The rational secret sharing schemes above consider games where players have access to broadcast channels, and where the dealer can directly transmit individual shares to each player. In this setting, we relax the assumption that the dealer can directly transmit individual shares to each player. Rather, the dealer has direct access to a certain number of players in the network (which may not necessarily include each player). In addition, players may be unable broadcast information to all other players at once. Rather, a player can only transmit information directly to a certain number of players (which may not necessarily include each player). This leads to the notion of asynchronous general network ($A_{GN}$) rational secret sharing, which is a generalization of a rational secret sharing game. To express these notions better, we use some concepts from graph theory.

We denote an $A_{GN}$ rational secret sharing game associated with a graph $G(V,E)$ with $n+1$ participants (i.e., 1 dealer and n players) in Definition 10. The placement of the dealer and each of the players in the general network’s topology is represented by G, where the dealer and each of the players are assigned a node in V so that $\left|V\right|=n+1$. If an edge in E joins two nodes of V, this implies that the player (or dealer) represented by the origin-node can send a transmission using the network to the other player represented by the end-node. In the description of $\mathcal{G}$ below, we switch between referring to the participants as computational models (i.e., Turing machines), and as nodes in the graph G. However, it will be understood from the context that if the dealer or a player performs some computations, it is doing so internally in its capacity as a computational model, while if the dealer node or a player node sends a transmission to another player node, the participants are sending transmissions with reference to their representations as nodes in G.

Definition 10.

An asynchronous general network ($A_{GN}$) rational secret sharing game $\mathcal{G}$ associated with a graph $G(V,E)$ and domain $\mathcal{S}$ is described by the following:

• The game has $n+1$ participants consisting of n players $N:=\{p_1,p_2,\dots ,p_n\}$, where each player $p_i$ is associated with utility function ${\mu }_i$ for $i\in \left[n\right]$, and a dealer d who does not have an associated utility function. The utility function ${\mu }_i$ for $p_i\in N$ follows the utility function described in Definition 6.
• The participants of the game are represented by the nodes V of G. An edge $(a,b)\in E$ implies that node a (i.e., a player or the dealer) can directly transmit information to node b (another player). The dealer is required to have at least one edge joining its node with another player’s node.
• The game proceeds in phases. The first set of phases is termed the key and share a generation/dissemination phase, while the next set of phases is termed the secret reconstruction phase. A protocol of the game should take care of letting players know when a phase ends and when the next phase begins. The key and share generation/dissemination phase is viewed as a single iteration of the game, i.e., iteration 0 and consists of several communication rounds. In iteration 0, the dealer samples a secret $s\in \mathcal{S}$ and distributes shares of the secret along with other arbitrary forms of information (i.e., secret/public keys) to the players.
• The secret reconstruction phase consists of a sequence of iterations $1,2,\dots$. Each iteration consists of a sequence of communication rounds (or round for short). In each round, the dealer and the players can internally perform arbitrary polynomial-time and size probabilistic computations, and can either (1) transmit information to several other player nodes with whom its node is joined according to E or (2) abstain. In addition, players can (3) output a guess of the secret key or (4) abort. If a player aborts, it leaves the game and no longer has access to information from subsequent iterations/rounds in the game.
• In each round in the key and share generation/dissemination phase, and in each round in an iteration in the secret reconstruction phase, the player and the dealer can transmit information to several other player nodes (with whom its node is joined in E) simultaneously. After transmitting information, a player can no longer transmit again within the round, i.e., transmission is performed simultaneously and once within a round. After transmission of information, a player receives information simultaneously from other players with whom it is joined in E. With this rule, it follows that information received by a player in one round can only be used in computations/transmissions in the next round.
• The value of iteration and each round within an iteration is common knowledge among all participants throughout the game. Likewise, a protocol of the game should take care of letting all participants know when the current iteration ends and when the next iteration begins.
• The game ends once all players abort. Once a game ends, its outcome is defined as a vector $\mathit{o}=\{o_1,o_2,\dots ,o_n\}$ such that $o_i=1$ if player $p_i$ $\mathtt{outputs}$ the secret s.
• The expected utility $u_i$ of player $p_i$ given outcome $\mathit{o}$ for $i\in \left[n\right]$ follows the expected utility function described in Definition 6.

From above definition, the graph in a rational secret sharing game with broadcast and dealer access to each player [9] can be seen as a special instance of an $A_{GN}$ rational secret sharing game, where the associated graph is fully connected, i.e., each player node has edges to all other player nodes, and the dealer has edges to each of the players. From the description of an $A_{GN}$ game above, it could be seen that the action space is very large since it includes all possible internal computations at each round as well as all possible transmissions among players. With a very large action space, listing down a function that maps information sets I to a probability distribution over a player’s actions is not feasible. This where the notion of ${\varphi }_i\left(I\right)$ becomes useful, whereby actions are dependent on the information contained in an information set I, where actions of a player are decided for each round. As a result, to define a strategy, we only need to define actions dependent on certain relevant information that directly affects its utility rather than specifying each possible information set. With this, let the participants of an $A_{GN}$ rational secret sharing game $\mathcal{G}$ be indexed by the set $0\cup \left[n\right]$ such that the dealer has index 0 and player $p_1$ has index 1, player $p_2$ has index 2, etc. We define strategies and secret sharing schemes in the context of an $A_{GN}$ rational secret sharing game as follows.

Definition 11.

Let $\mathcal{G}$ be an $A_{GN}$ rational sharing game associated with a graph $G(V,E)$ and domain $\mathcal{S}$. A polynomial-time strategy $\mathbf{\sigma }=\{{\sigma }_0,{\sigma }_1,\dots ,{\sigma }_n\}$ is a set of polynomial-time strategies for each participant that—conditional on information ${\varphi }_i\left(I\right)$ in information set I—defines at each round the participant’s (1) internal probabilistic computations, (2) transmissions (or lack of transmissions) among participants with whom it is joined by an edge in E, and (3) output and abort actions.

Definition 12.

Let $\mathcal{G}$ be an $A_{GN}$ rational sharing game associated with a graph $G(V,E)$ and domain $\mathcal{S}$. Given a polynomial-time protocol Π over $\mathcal{G}$, the strategy $\mathbf{\sigma }=\{{\sigma }_0,{\sigma }_1,\dots ,{\sigma }_n\}$ corresponding to Π is a set of polynomial-time strategies for each participant that define its actions at each round, such that the participant’s actions follow Π. In this case, $\mathbf{\sigma }$ is termed as the strategy prescribed by Π.

Definition 13.

Let $\mathcal{G}$ be an $A_{GN}$ rational sharing game associated with a graph $G(V,E)$ and domain $\mathcal{S}$, and let $s\in \mathcal{S}$ denote the secret chosen by the dealer at iteration 0. A protocol Π over $\mathcal{G}$ is an $(n,k)$$A_{GN}$ secret sharing scheme (not yet considering rationality) if it corresponds to a polynomial-time strategy $\mathbf{\sigma }$, such that if players follow the actions prescribed by $\mathbf{\sigma }$ and obtain information that reveal at least k shares, they can reconstruct the secret s efficiently (correctness). If players obtain information that reveal less than k shares, the probability of correctly outputting s is $1/\left|\mathcal{S}\right|$ (secrecy).

3. Equilibrium Notions

The standard notion of equilibria in a game-theoretic setting is the Nash equilibrium, and a protocol is said to induce a Nash equilibrium if no player can gain any advantage by deviating from the protocol—assuming that all other players follow the protocol. However, as observed in [8,9], the standard Nash equilibrium concept is inadequate (too weak) in the setting of rational secret sharing. This led [9] to consider more specialized versions of the Nash equilibrium, such as equilibrium surviving iterated deletion of weakly dominated strategies [11]. However, even this notion of equilibrium is not without problems [8,20], leading [20] to consider further refinements in the equilibrium such as the strict Nash equilibrium. In this paper, we adopt notions of computational equilibrium from [8], which have the merit of closely retaining the properties of a strict Nash equilibrium while considering computational constraints. For this, let $\mathcal{G}$ be an $A_{GN}$ rational sharing game associated with a graph $G(V,E)$ and domain $\mathcal{S}$. Let protocol $\Pi$ denote a $(n,k)$$A_{GN}$ secret sharing scheme over $\mathcal{G}$. Let $\mathbf{\sigma }=\{{\sigma }_0,{\sigma }_1,\dots ,{\sigma }_n\}$ denote the strategy corresponding to $\Pi$. Let f denote a negligible function over $\kappa$. We have the following:

Definition 14.

Π induces a computational Nash equilibrium over $\mathcal{G}$ if, for each player $p_i$ for $i\in \left[n\right]$ in $\mathcal{G}$, we have $u_i({\sigma }_i^{\prime },{\mathbf{\sigma }}_{-\mathbf{i}})\le u_i\left(\mathbf{\sigma }\right)+f\left(\kappa \right)$ for any other polynomial time strategy ${\sigma }_i^{\prime }$ for player $p_i$.

Definition 15.

From [8], we define ${\mathtt{view}}_{-i}^{\Pi }$ as follows. Let ${\mathtt{script}}_d$ denote the transmissions of the dealer to its adjacent nodes across all rounds of the game. Let ${\mathtt{script}}_i$ denote the transmissions of $p_i$ to its adjacent nodes (across all rounds of the game), but which do not include transmissions after $p_i$ $\mathtt{outputs}$ a guess of the secret s. Let ${\mathtt{script}}_{-i}$ denote the set of transmissions of $p_{i^{\prime }}$ for $i^{\prime }\in \left[n\right]$ with $i^{\prime }\ne i$ to its adjacent nodes (across all rounds of the game). Let all participants follow the strategies prescribed by Π. ${\mathtt{view}}_{-i}^{\Pi }$ is defined as information which includes ${\mathtt{script}}_d$, ${\mathtt{script}}_i$, and ${\mathtt{script}}_{-i}$, plus all randomness involved in the computations of $p_{i^{\prime }}$ for $i^{\prime }\in \left[n\right]$ with $i^{\prime }\ne i$ across all rounds.

Definition 16.

Let ${\rho }_i$ be another strategy of $p_i$ with ${\rho }_i\ne {\sigma }_i$. Let all participants (except $p_i$) follow the strategies prescribed by Π. For its part, player $p_i$ follows strategy ${\rho }_i$. Given this set of strategies, let ${\mathtt{script}}_d$, ${\mathtt{script}}_i$, and ${\mathtt{script}}_{-i}$ be defined as in Definition 15. Let T be some polynomial-time algorithm that knows the entire view of $p_i$ as it follows ${\rho }_i$ (i.e., player $p_i$’s randomness, its computations, its transmissions as written in ${\mathtt{script}}_i$, and any transmissions received from other participants) and which outputs a truncation ${\mathtt{script}}_i^{\prime }$ of ${\mathtt{script}}_i$. We define ${\mathtt{view}}_{-i}^{T,{\rho }_i,\Pi }$ as information which includes ${\mathtt{script}}_d$, ${\mathtt{script}}_i^{\prime }$, and ${\mathtt{script}}_{-i}$, plus all randomness involved in the computations of $p_{i^{\prime }}$ for $i^{\prime }\in \left[n\right]$ with $i^{\prime }\ne i$ across all rounds. Similarly, define ${\mathtt{view}}_{-i}^{{\rho }_i,\Pi }$ as the same information contained in ${\mathtt{view}}_{-i}^{T,{\rho }_i,\Pi }$ but which excludes reference to T.

Definition 17.

Let f denote a negligible function in κ. For $i\in \left[n\right]$, a strategy ${\rho }_i$ is equivalent with respect to Π or ${\rho }_i\sim \Pi$ if there exists a polynomial-time algorithm T such that for all polynomial-time distinguishers D, we have:

$$|Pr[D(1^{\kappa },{\mathtt{view}}_{-i}^{T,{\rho }_i,\Pi })=1]-Pr[D(1^{\kappa },{\mathtt{view}}_{-i}^{\Pi })=1]|\le f\left(\kappa \right)$$

Definition 18.

Let protocol Π denote a $(n,k)$$A_{GN}$ secret sharing scheme over $\mathcal{G}$. Let $\mathbf{\sigma }=\{{\sigma }_0,{\sigma }_1,\dots ,{\sigma }_n\}$ denote the strategy corresponding to Π. We say that Π induces a computational strict Nash equilibrium: (1) if it induces a computational Nash equilibrium and (2) if, for any polynomial-time strategy ${\sigma }_i^{\prime }$ for which ${\sigma }_i^{\prime }\nsim \Pi$, there is a $c>0$ such that $u_i\left(\mathbf{\sigma }\right)\ge u_i({\sigma }_i^{\prime },{\mathbf{\sigma }}_{-i})+1/{\kappa }^c$ for infinitely many values of κ.

Having considered the above notions of equilibrium, we now consider an extension of these equilibrium concepts in the presence of coalitions. Namely, given an $A_{GN}$ secret sharing game $\mathcal{G}$ with $n+1$ participants, a coalition $\mathcal{C}\subseteq \mathit{P}$ is a set of players whose strategies are coordinated arbitrarily. The $\mathtt{output}$ of $\mathcal{C}$ is a single value which represents the individual outputs of each member of $\mathcal{C}$. The utility function of $\mathcal{C}$ is denoted as ${\mu }_{\mathcal{C}}$, and the expected utility function is $u_{\mathcal{C}}$. Similarly, denote by $\mathbf{\sigma }=({\sigma }_{\mathcal{C}},{\sigma }_{-\mathcal{C}})$ the resulting strategy if members of $\mathcal{C}$ follow ${\sigma }_{\mathcal{C}}$ while other players that are not members of $\mathcal{C}$ follow ${\sigma }_{-\mathcal{C}}$. Let protocol $\Pi$ denote a $(n,k)$$A_{GN}$ secret sharing scheme over $\mathcal{G}$. Let $\mathbf{\sigma }=({\sigma }_{\mathcal{C}},{\sigma }_{-\mathcal{C}})$ be a strategy that corresponds to $\Pi$. Let f denote a negligible function over $\kappa$.

Definition 19.

Π induces a $(k-1)$-resilient computational Nash equilibrium if, for any $\mathcal{C}\subseteq \mathit{P}$ with $\left|\mathcal{C}\right|<k$, for any polynomial-time strategy ${\sigma }_{\mathcal{C}}^{\prime }$ such that ${\sigma }_{\mathcal{C}}^{\prime }\ne {\sigma }_{\mathcal{C}}$, we have $u_{\mathcal{C}}({\sigma }_{\mathcal{C}}^{\prime },{\sigma }_{\mathcal{C}})\le u_{\mathcal{C}}\left(\mathbf{\sigma }\right)+f\left(\kappa \right)$.

For completeness, coalition versions of the above definitions are stated in Appendix A.

Additional Equilibrium Notions

We now present two novel equilibrium notions, for which some of our proposed protocols satisfy. The first equilibrium notion (Definition 20) is a $(n-1)$-key leakage-tolerant computational Nash equilibrium, which is a computational Nash equilibrium that is resistant to secret key leakage—given a scheme which uses cryptographic primitives involving secret keys. The second equilibrium is the notion of a $\Phi$-equilibrium (Definition 21). This notion states that a $(k-1)$-computational Nash equilibrium can hold even in the presence of large coalitions whose size is larger than k—as long as these coalitions satisfy the graphical properties listed in $\Phi$. This is in contrast to standard definitions of $(k-1)$-resilient computational Nash equilibria whereby an upper bound on the size of any coalition is imposed.

Definition 20.

Let $\mathcal{G}$ be an $A_{GN}$ rational secret sharing game with $n+1$ participants associated with a graph $G(V,E)$ and domain $\mathcal{S}$. Let Π be a cryptographic protocol that uses cryptographic primitives involving a set of secret keys $\mathbf{sk}:={\left\{{\mathbf{sk}}_i\right\}}_{i\in \left[n\right]}$, where ${\mathbf{sk}}_i$ is a tuple of secret keys of player $p_i$. Π induces an $(n-1)$-key leakage-tolerant computational Nash equilibrium over $\mathcal{G}$ if it is a computational Nash equilibrium, even if each player acquires up to $n-1$ tuples of secret keys.

We note that as per Definition 20, each player is constrained to obtain up to $n-1$ secret keys, where the secret keys may be obtained through arbitrary means, i.e., by sharing of keys within a coalition or through side-channel attacks. This rules out the case whereby a certain player who currently has $n-1$ secret keys forms a coalition with the remaining player whose secret key it does not yet have in order to obtain n secret keys in total. Such cases are ruled out by the definition of the $n-1$-key leakage-tolerant computational Nash equilibrium.

Definition 21.

Let $\mathcal{G}$ be an $A_{GN}$ rational secret sharing game with $n+1$ participants associated with a graph $G(V,E)$ and domain $\mathcal{S}$. Let Φ be a set of conditions over V relative to E. Π induces a Φ-resilient computational Nash equilibrium over $\mathcal{G}$ if, for any arbitrary coalition $\mathcal{C}\subseteq N$ whose respective nodes in G satisfy the conditions in Φ, for any polynomial-time strategy ${\sigma }_{\mathcal{C}}^{\prime }$ such that ${\sigma }_{\mathcal{C}}^{\prime }\ne {\sigma }_{\mathcal{C}}$, we have $u_{\mathcal{C}}({\sigma }_{\mathcal{C}}^{\prime },{\sigma }_{\mathcal{C}})\le u_{\mathcal{C}}\left(\mathbf{\sigma }\right)+f\left(\kappa \right)$.

4. Protocols

4.1. Overview of Existing Protocols

Existing protocols in the literature are listed in

Table 1. Rational refers to whether the scheme considers participants as rational or not. Bounded refers to whether the shares used in the scheme are finite or infinite. Async refers to whether the scheme allows for asynchronous communication among participants. B/p2p refers to whether the scheme assumes that players are connected by either a broadcast or a point-to-point network. General refers to whether the scheme allows for participants to be connected under a general network topology. The schemes of [24,26] are marked with yes* under the “general” column since they work on a general network where the dealer may not have direct connections to all players during the share dissemination phase. However, it is not clear in [24,26] how players communicate their shares to each other and how the network topology would be during the secret reconstruction phase.

Scheme	Rational	Bounded	Async	b/p2p	General
Halpern and Teague [9]	yes	yes	no	yes	no
Gordon and Katz [12]	yes	yes	yes	yes	no
Fuchsbauer et al. [8]	yes	yes	yes	yes	no
Kol and Naor [20]	yes	no	yes	yes	no
Shah et al. [26]	no	yes	yes	no	yes*
Dolev et al. [24]	no	yes	yes	no	yes*
Ours	yes	yes	yes	no	yes

. These protocols can be grouped into two major categories: those that allow for rational participants and those that do not (i.e., non-rational protocols). From Table 1, we discuss the limitations of these schemes as follows.

• Rational schemes assume broadcast channels/point-to-point networks. The existing rational schemes [8,9,12,20] are not designed to operate on a general network since they assume that the dealer d along with n players have access to either a broadcast channel or a point-to-point network (i.e., all participants are pairwise connected), for which these schemes achieve $(k-1)$ equilibrium given some $k<n$. For reference, the algorithm of [8] is listed in detail in Appendix E. If applied to some instances of a general network, however, the equilibrium guarantees that these schemes would fail. For instance, in Figure 2, d is directly connected to only $l=3$ players, and yet, d needs to send at least 12 messages to all $n=12$ players in order to share the secret in a fair manner following the p2p/broadcast protocol (i.e., since all of these schemes make the dealer directly send a message to each player). Given this topology, d is forced to use only l connections to send all of its messages. As a result, one player that is directly connected to d (say player $p_i$) is bound to receive at least $d/l$ messages. If $d/l\ge k-1$, $p_i$ learns the secret. In this example, it follows that the equilibrium guarantees of these schemes would fail for some values of k. The same analogy could be applied to some player communicating information to another player in the secret reconstruction phase, i.e., several players may send information to one player who is in a network bottleneck.
• Non-rational schemes. On the other hand, the protocols of [24,26] are secure for general networks but assume that participants are non-rational. Specifically, [24] presents the SMT algorithm which addresses the problem of securely disseminating the shares of each player during the secret generation/share dissemination phase. Briefly, for each share outputted by the share generation algorithm, the SMT treats each share as a new secret, and breaks it down into another k sub-shares. For each player, SMT sends these k sub-shares along k-disjoint paths, for which each player is able to securely reconstruct its individual share (not yet the secret). The protocol of [26] improves upon the SMT concept by lowering communication complexities. Both [24,26], however, deal with the problem of disseminating shares in a general network during the secret generation and share dissemination phase. However, it is not clear in their paper how the secret reconstruction phase would proceed, i.e., whether players are still connected over a general network once they communicate shares to each other. In our proposed protocols, however, we assume that in both the secret generation/key dissemination phase, and the reconstruction phase, all participants are constrained by a general network. However, perhaps a more fundamental problem with non-rational cryptographic protocols is pointed out in [8,9]. In particular, if players are modeled as rational with natural assumptions on their utilities, such non-rational schemes would fail during the secret reconstruction phase. This is due to the widened action space of rational players, along with their utility maximizing behaviour (compared to plain honest players). For instance, suppose that utility is modeled whereby all players want to learn the secret, but prefer that the smallest number of other players learn the secret as possible (following Section 2.3). It can be shown that each player does no worse (and could even do better) by withholding from sharing his secret (this action is now possible since the player is no longer plainly honest, but rational). To see this, suppose that the non-rational scheme corresponds to an $(n,k)$ secure secret sharing scheme and consider a player $p_i$, $i\in \left[n\right]$. If less than $k-1$ players share the secret, $p_i$ would not learn the secret regardless of his actions. If more than $k-1$ players share the secret, $p_i$ would learn the secret regardless of his actions as well. If exactly $k-1$ players share the secret, then $p_i$ is better off by not sharing his secret since he can reconstruct the secret given his hidden share along with the $k-1$ other shares.

From the discussion above, the equilibrium results of existing rational secret sharing schemes need to be qualified in the case of a general network. On the other hand, existing non-rational schemes for general network have to be modified if rational participants are allowed. As such, the goal of the proposed secret sharing protocols below is to operate over a general network in all phases given rational participants. In the process, the specific network conditions (i.e., topology) that allow for the existence of desirable equilibrium where all players learn the secret are specified.

4.2. High-Level Overview of Our Protocols

The protocol of [8] is shown in detail in Appendix E. In summary, Ref. [8]’s protocol relies on two components to achieve computationally strict Nash equilibrium, namely: (1) uncertainty on the definitive stage and (2) protocol compliance checking. Given n players, the first component (1) is achieved by drawing two random polynomials, G and H, such that $G\left(0\right)=s$ and $H\left(0\right)=0$. In addition, we have ${\{g_i^{*}:=G\left(i\right)\oplus V_E(s{k}_i,r^{*})\}}_{i\in \left[n\right]}$ and ${\{h_i^{*}:=H\left(i\right)\oplus V_E(s{k}_i,r^{*}+1)\}}_{i\in \left[n\right]}$, where $r^{*}$ represents the definitive iteration and $V_E$ is an algorithm of a secure VRF (Appendix D). With this, players are able to discover the definitive iteration only at iteration $r^{*}+1$, since they can reconstruct H and evaluate $H\left(0\right)=0$. This delay of 1 iteration from $r^{*}$ results in a computational Nash equilibrium. The second component, i.e., protocol compliance checking results in a further computationally strict Nash equilibrium as players can use the VRF to check any deviations in transmissions from the protocol. However, implementing [8]’s protocol directly in a general network setting results in some problems, such as:

• The protocol of [8] assumes that the dealer is able to send shares/secret keys to each player directly at the beginning of the game in the share/key generation and dissemination phase. In a general network, the dealer may not have this ability, and as described in the previous section, the protocol of [8] may lead the dealer to concentrate transmissions to some player nodes.
• In addition, with rational participants, the action space widens in the first key dissemination phase. For instance, players may maul the share/secret keys from the dealer or refrain from sending the share/secret keys to the desired recipients. Given this larger action space of players, it is not clear if a certain combination of the SMT protocol to the protocol of [8] would result directly in an equilibrium, and additional mechanisms may be needed. In particular, in Appendix E.1, we show how a certain combination of the SMT protocol with [8] over an instance of a general network results in a strategy that is dominated by some other strategy.
• Moreover, in the secret reconstruction phase, point-to-point transmissions between players may not be available, and transmissions may have to pass through intermediate players. As a result, some players may maul or modify transmissions along the way. Once again, it is not clear if [8]’s protocol would still induce an equilibrium under this enlarged action space of players in the secret reconstruction phase.

To fix the preceding issues, one way for equilibrium to be preserved in a general network is to include additional coordination mechanisms among participants. However, additional coordination mechanisms imply that there have to be additional protocol compliance checking steps in order for a player to check if all other players are indeed following the coordination mechanism. Bearing these in mind, we developed the following approach for our protocols ${\Pi }_1, {\Pi }_2, {\Pi }_{2.1}$—as described from a high level.

• To guarantee computational Nash equilibrium under rational players in the share generation/key dissemination phase, we include the additional mechanism by which the dealer includes in its messages an explicit set of instructions referring to the path by which the message will be delivered. Together with this, we implement a form of protocol compliance checking by which each player receives several duplicate messages from the dealer sent along k-disjoint paths. If any player sees a discrepancy from messages it received, it knows that some player deviated from the protocol, and it is able to abort immediately. We note that this mechanism also prevents concentration of transmissions from the dealer.
• In the secret reconstruction phase, for our first proposed protocol $\left({\Pi }_1\right)$, we force the players to duplicate their transmissions along k-disjoint paths as another form of protocol compliance checking. This way, players are able to check if all duplicates they received are equal. If any player sees a discrepancy, it is able to abort since this indicates that some other player deviated from the protocol (i.e., by modifying or mauling a transmission along the way). However, for ${\Pi }_1$, without access to a VRF (see Appendix D) for all participants, the dealer needs to be online in the secret reconstruction phase in order to impose strict protocol compliance checking in all players (As noted in Lemma 2).
• In the secret reconstruction phase, for our next protocols, $\left({\Pi }_2\right)$ and $\left({\Pi }_{2.1}\right)$, we implement a VRF in order to achieve the same type of protocol compliance checking as ${\Pi }_1$, but with lower communication complexity under a semi-online dealer. However, compared to ${\Pi }_1$, the dealer in ${\Pi }_2$ and ${\Pi }_{2.1}$ includes a specific set of instructions by which players would send their transmissions to each other.
• Finally, we implement uncertainty in the definitive stage by letting players discover the definitive iteration $r^{*}$ only at iteration $r^{*}+1$. This is done using a pseudorandom function (see Appendix C) and random polynomials in ${\Pi }_1$, and through a secure VRF with the pseudorandom property in ${\Pi }_2$ and ${\Pi }_{2.1}$ following [8]. Moreover, the number of rounds in each iteration in ${\Pi }_1$, ${\Pi }_2$, and ${\Pi }_{2.1}$ are fixed a priori in order for players to synchronize and know when an iteration begins and when it ends, and by which it can unambiguously determine in a finite amount of time if some player deviated from the protocol by not sending any needed transmission, or when the definitive iteration has already been reached.

This combination of protocol compliance checking and uncertainty on the definitive stage results in an equilibrium for ${\Pi }_1, {\Pi }_2$, and ${\Pi }_{2.1}$, as we state in Theorems 1–6.

4.3. Proposed Protocol ${\Pi }_1(n,k)$: With Online Dealer

We now proceed to describe the first proposed protocol of this paper. This protocol $\left({\Pi }_1\right)$ uses a standard pseudorandom function (as defined in Appendix C) along with the Shamir secret sharing scheme (as defined in Appendix B) in order to achieve computational Nash equilibrium (and also leakage-tolerant equilibrium) in a general network whose corresponding graph is a k-path-disjoint. This is our first attempt to come up with a secret sharing protocol that can operate over a specific general network given rational participants. The protocol ${\Pi }_1$, however, assumes that the dealer is online. This requirement will be relaxed in the succeeding protocol ${\Pi }_2$.

Given a security parameter $\kappa \in \mathbb{N}$, denote by $\nu :=\nu \left(\kappa \right)$ the value of a polynomial in $\kappa$. Let $(S_G,S_R)$ correspond to polynomial-time algorithms that give a secure $(n,k)$ Shamir Secret Sharing scheme, where $S_G:{\{0,1\}}^{\kappa }\to {\{0,1\}}_1^{\nu }\times {\{0,1\}}_2^{\nu }\times \dots \times {\{0,1\}}_k^{\nu }$ and $S_R:{\{0,1\}}_1^{\nu }\times {\{0,1\}}_2^{\nu }\times \dots \times {\{0,1\}}_k^{\nu }\to {\{0,1\}}^{\kappa }$. Let $\Lambda :{\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }\to {\{0,1\}}^{\nu }$ denote a standard secure pseudorandom function. Let $\mathcal{G}$ be an $A_{GN}$ rational secret sharing game associated with a $k\le n$-path-disjoint graph $G(V,E)$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$, with $n+1$ participants consisting of a dealer d and n players ${\left\{p_i\right\}}_{i\in \left[n\right]}:=N$. Given $k\le n$, the first protocol proposed in this paper, ${\Pi }_1(n,k)$, is described as follows, which assumes that the dealer is online.

Protocol. 

${\Pi }_1(n,k)$.

Phase 0. Dealer Initialization//Secret Generation. 

The dealer d performs the following to share a secret $s\in {\{0,1\}}^{\nu }$:

• Choose $r\in \mathbb{N}$ according to a geometric distribution with parameter $\beta$;
• Generate secret keys $\{s{k}_1,s{k}_2,\dots ,s{k}_n\}$;
• For $i\in \left[n\right]$, the dealer computes $\{s_{i,1},s_{i,2},\dots ,s_{i,k}\}=S_G\left(s{k}_i\right)$;
• Choose random $(n-1)$-degree polynomials $G\in {\mathbb{F}}_{2^{\nu }}\left[x\right]$ and $H\in {\mathbb{F}}_{2^{\nu }}\left[x\right]$ with $G\left(0\right)=s$ and $H\left(0\right)=0$;
• Compute ${\{g_i^{*}:=G\left(i\right)\oplus \Lambda (s{k}_i,r^{*})\}}_{i\in \left[n\right]}$ and ${\{h_i^{*}:=H\left(i\right)\oplus \Lambda (s{k}_i,r^{*}+1)\}}_{i\in \left[n\right]}$.

Phase 1. Keys dissemination. 

Let $s^0$ be some uniformly sampled number from ${\{0,1\}}^{\nu }$ for each player $p_i$, $i\in \left[n\right]$. Let max_l denote the length of the longest path between any pair of nodes in G:

• For $i\in \left[n\right]$, and for $j\in \left[k\right]$, the dealer computes $\{s_{i,1},s_{i,2},\dots ,s_{i,j},..,s_{i,k}\}\leftarrow S_G\left(s{k}_i\right)$. Afterwards, the dealer d selects arbitrary k disjoint paths from d to $p_i$, and each path is given a path encoding corresponding to ${\mathtt{path}}_{i,j}:=(a_0=d,a_1,a_2,\dots ,a_m=p_i)$ for $j\in \left[k\right]$ and for some $m\le {\mathtt{max}}_l$. The dealer d sends ${\left\{(s_{i,j},{\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]},{\left\{g_i^{*}\right\}}_{i\in \left[n\right]},{\left\{h_i^{*}\right\}}_{i\in \left[n\right]})\right\}}_{j\in \left[k\right]}$ to $p_i$ along the k disjoint paths from d to $p_i$.
• For $i\in \left[n\right]$, if $p_i$ received a transmission from some other node $p_{i^{\prime }}$ containing ${\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]}$, it checks if its own node is actually in a path encoding corresponding to ${\mathtt{path}}_{i,j}$ for some $j\in \left[k\right]$ (this is unique given that the k paths are disjoint). If not, $p_i$ outputs $s^0$ and aborts. If true, $p_i$ checks if it is meant to receive a transmission from $p_{i^{\prime }}$. If not, $p_i$ outputs $s^0$ and aborts. Otherwise, if $p_i$ is the end-receiver according to ${\mathtt{path}}_{i,j}$, it keeps the transmission. If $p_i$ is not the end-receiver, it sends the transmission to the next node according to ${\mathtt{path}}_{i,j}$.
• For $i\in \left[n\right]$, if $p_i$ did not receive exactly k tuples of the form

  $$(s_{i,j},{\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]},{\left\{g_i^{*}\right\}}_{i\in \left[n\right]},{\left\{h_i^{*}\right\}}_{i\in \left[n\right]})$$

  after $\mathtt{max}\_\mathtt{l}$ rounds such that the origin-node of each path encoding is d and the end-node is $p_i$, it outputs $s^0$ then aborts. Otherwise, it verifies that all copies of ${\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]}$,${\left\{g_i^{*}\right\}}_{i\in \left[n\right]}$ and ${\left\{h_i^{*}\right\}}_{i\in \left[n\right]}{\}}_{j\in \left[k\right]}$ it received are equal. If not, it outputs $s^0$ then aborts. Otherwise, it reconstructs $s{k}_i=S_R(s_{i,1},s_{i,2},\dots ,s_{i,k})$.
• After $\mathtt{max}\_\mathtt{l}$ rounds, if all checks in (3) above do not fail, all participants move on to phase 2.

Phase 2. Secret Reconstruction. 

For iteration $r=1,2,\dots$, the players and the dealer perform the following (where Phase 2.0 can be performed simultaneously with Phase 2.1):

• Phase 2.0: Dealer transmits as origin-node to each player.
  • The dealer computes $h^{\prime }={\oplus }_{i\in \left[n\right]}\Lambda (s{k}_i,r)$. Afterwards, the dealer selects arbitrary k disjoint paths from d to $p_i$, where each path is given a path encoding corresponding to ${\mathtt{path}}_{i,j}:=(a_0=d,a_1,a_2,\dots ,a_m=p_i)$ for $j\in \left[k\right]$ and for some $m\le {\mathtt{max}}_l$. The dealer d sends $\{{\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]},h^{\prime }){\}}_{j\in \left[k\right]}$ to $p_i$ along the selected k disjoint paths from d to $p_i$.
• Phase 2.1: Players transmit information to each other.

  (a)

  For $i\in \left[n\right]$, if $p_i$ received any transmission from some other node $p_{i^{\prime }}$ containing a path encoding, it checks if its own node is actually in the encoded path, and if it is meant to receive a transmission from $p_{i^{\prime }}$. If any of these are not true, it outputs $s^{r-1}$ and aborts. Otherwise, if $p_i$ is the end-receiver according to the path encoding, it keeps the transmission. If $p_i$ is not the end-receiver, it sends the transmission to the next node according to the path encoding.

  (b)

  For $i\in \left[n\right]$, if $p_i$ does not receive exactly k sets of information of the form $({\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]},h^{\prime })$, such that the origin-node of each ${\mathtt{path}}_{i,j}$ for $j\in \left[k\right]$ is d and the end-node is $p_i$ after $\mathtt{max}\_\mathtt{l}$ rounds, it outputs $s^{r-1}$ then aborts. Otherwise, it verifies that all k copies of $({\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]},h^{\prime })$ it received are equal. If not, it outputs $s^{r-1}$ then aborts.

  (c)

  For $i\in \left[n\right]$, $p_i$ computes $g_i^r=\Lambda (s{k}_i,r)$ and $h_i^r=\Lambda (s{k}_i,r+1)$. For every other player $p_l$, ($l\in \left[n\right]$, $i\ne l$), $p_i$ selects arbitrary k disjoint paths from $p_i$ to $p_l$, where each path is given an encoding corresponding to ${\mathtt{path}}_{l,j}:=(a_0=p_i,a_1,a_2,\dots ,a_m=p_l)$ for some $m\le {\mathtt{max}}_l$. Afterwards, $p_i$ sends

  $${\left\{({\left\{{\mathtt{path}}_{l,j}\right\}}_{j\in \left[k\right]},g_i^r,h_i^r)\right\}}_{j\in \left[k\right]}$$

  to $p_l$ along the selected k disjoint paths for all other players $p_l$, $l\in \left[n\right]\backslash i$.

  (d)

  For $i\in \left[n\right]$, and for $l\in \left[n\right]\backslash i$, $p_i$ checks if it has received (within $\mathtt{max}\_\mathtt{l}$ rounds)) exactly k tuples of the form $({\left\{{\mathtt{path}}_{l,j}\right\}}_{j\in \left[k\right]},g_l^r,h_l^r)$ ($j\in \left[k\right]$) such that the origin-node of each path encoding is $p_l$ and the end-node is $p_i$. If not, $p_i$ outputs $s^{r-1}$ then aborts. Otherwise, for $l\in \left[n\right]\backslash i$, it verifies that all k copies of $({\left\{{\mathtt{path}}_{i,j}\right\}}_{j\in \left[k\right]},g_i^r,h_i^r)$ it received (whose origin-node is $p_l$) are equal. If not, $p_i$ outputs $s^{r-1}$ then aborts. Otherwise, once $p_i$ receives information from all players, $p_i$ checks if ${\oplus }_{i\in \left[n\right]}{h}_i^r=h^{\prime }$. If not, $p_i$ outputs $s^{r-1}$ then aborts.

  Otherwise, $p_i$ computes ${\{h_i^p:=h_i^{*}\oplus h_i^r\}}_{i\in \left[n\right]}$. It then interpolates an $n-1$ polynomial $H^r$ using ${\left\{h_i^p\right\}}_{i\in \left[n\right]}$ and checks if $H^r\left(0\right)=0$. If $H^r\left(0\right)=0$, it outputs $s^{r-1}$ then halts. Otherwise, it computes ${\{g_i^{\prime }:=g_i^{*}\oplus g_i^r\}}_{i\in \left[n\right]}$, then interpolates an $n-1$-degree polynomial $G^r$ using ${\left\{{\widehat{g}}_i\right\}}_{i\in \left[n\right]}$. Afterwards, it sets $s^r=G^r\left(0\right)$.

• After $\mathtt{max}\_\mathtt{l}$ rounds, if all checks above do not fail for any participant, all participants move on to the next iteration of phase 2.

Intuitively, the protocol ${\Pi }_1$ works by using redundancies in paths provided by the k-path-disjoint graph G as shown in Figure 3. Since G is k-path-disjoint, any transmission from either the dealer or a player to another player has to pass through k disjoint paths. In phase 1, the dealer breaks the share of each player into k pieces using the Shamir Secret Sharing scheme and sends these k pieces along k disjoint paths. Any player that sees a piece of a share does not have $k-1$ other pieces and cannot reconstruct the secret key by himself. Moreover, each transmission contains a copy of the path encoding and the public keys ${\left\{g_i^{*}\right\}}_{i\in \left[n\right]}$ and ${\left\{h_i^{*}\right\}}_{i\in \left[n\right]}$. Given that each player acquires k copies of a transmission, it knows that the path encoding and ${\left\{g_i^{*}\right\}}_{i\in \left[n\right]}$ and ${\left\{h_i^{*}\right\}}_{i\in \left[n\right]}$ are correct if all k copies of them match. This provides incentives for players not to deviate from ${\Pi }_1$ by modifying any content of a transmission in phase 1 given that they know such behaviour will be detected. This renders ${\Pi }_1$ secure against $k-1$-sized coalitions given that, as per Lemma 1, any set of k transmissions from one player to another has to pass through at least one path not belonging to the coalition, and any deviations by the coalition will be detected. In addition, the dealer uses an n-degree polynomial in phase 0 to make it secure against $n-1$ secret key leakage (which is inspired by a note in [8]).

For phase 2, the same reasoning applies, whereby the dealer sends a check variable $h^{\prime }$ to each player along k disjoint paths, and each player sends a transmission of the form $({\left\{{\mathtt{path}}_{l,j}\right\}}_{j\in \left[k\right]},g_l^r,h_l^r)$ for some $l\in \left[n\right]$ and $j\in \left[k\right]$ to all other players along k disjoint paths. By the same principle, players can use the k copies received from each player to verify the correctness of the transmission. We note that in ${\Pi }_1$, the check variable $h^{\prime }$ is crucial for verifying the correctness of the transmission given that, without $h^{\prime }$, some strategy strictly dominates ${\Pi }_1$, as shown in the following Lemma.

Lemma 2.

Without the check ${\oplus }_{i\in \left[n\right]}{h}_i^r\ne h^{\prime }$ in step 2.d of ${\Pi }_1(n,k)$, there exists a polynomial-time strategy for $p_i$ that strictly dominates ${\Pi }_1$, assuming all other players follow strategies prescribed by ${\Pi }_1$.

Proof. 

Let $p_i$ take the following strategy: follow ${\Pi }_1$ in all aspects, except that $p_i$ changes $h_i^r$ to some random number then sends it to all other players. Other players will not detect this since the check ${\oplus }_{i\in \left[n\right]}{h}_i^r\ne h^{\prime }$ is not implemented. With non-negligible probability, at $r=r^{*}+1$, all other players will have $H^r\left(0\right)\ne 0$ given that they did not receive the real $h_i^r$ from $p_i$. However, $p_i$ will know that the current iteration is $r^{*}+1$ since it has the real $h_i^r$ needed to interpolate the correct polynomial $H^r$ such that $H^r\left(0\right)=0$. $p_i$ would then output $G^r\left(0\right)=s$ and receive utility $U^{+}$ (given that all other players are not aware that $r=r^{*}+1$).    □

Finally, the equilibrium of ${\Pi }_1$ relies on the fact that players are not aware of the value of $r^{*}$ until they reach iteration $r^{*}+1$ following [8]. This generates uncertainty among the players such that, given a sufficiently low parameter $\beta$ in the geometric distribution from which $r^{*}$ is sampled, players prefer to follow ${\Pi }_1$ rather than deviate. Given this, the following results regarding ${\Pi }_1$ arrive at whose proofs are in the Annex.

Theorem 1.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a k-path-disjoint graph $G(V,E)$ for $k\le n$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$. The protocol ${\Pi }_1(n,k)$ is a computational Nash equilibrium, and is also an $(n-1)$-key leakage-tolerant equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$, where β is the parameter of a geometric distribution. Given a maximum path length of $\mathtt{max}\_\mathtt{l}$ in G, the average round complexity of ${\Pi }_1(n,k)$ is $[1+(1/\beta \left)\right]\times \mathtt{max}\_\mathtt{l}$, with a communication complexity of at most $n\times \nu \times (k+2n+1)$ per round.

Theorem 2.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a k-path-disjoint graph $G(V,E)$ for $k\le n$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$. The protocol ${\Pi }_1(n,k)$ is a computational strict Nash equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$.

Theorem 3.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a k-path-disjoint graph $G(V,E)$ for $k\le n$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$. Suppose that no player can acquire other secret keys unless information related to it is shared by another player through a transmission. The protocol ${\Pi }_1(n,k)$ is a $(k-1)$-resilient computational Nash equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$.

4.4. Proposed Protocol ${\Pi }_2(n,k)$: With Semi-Online Dealer

We now proceed to describe the second proposed protocol $\left({\Pi }_2\right)$ of this paper, which does not require an online dealer but only a semi-online one. Due to this limitation, compared to ${\Pi }_1$, this protocol requires an additional VRF cryptographic primitive (as defined in Appendix D). ${\Pi }_2$ is inspired by the protocol of [8] (see Appendix E), but ${\Pi }_2$ includes several additional steps in order to accommodate a general network topology over the participants. Thus, given a graph $G(V,E)$, assume that it is k-path-disjoint. The protocol assumes that for each pair $a,b\in V$ representing distinct nodes of participants in the game, any transmission from a to b will be sent through k disjoint paths connecting a and b according to some order that could be known by all participants using a publicly known polynomial-time algorithm. For this purpose, we define two types of ordering termed path_ordering and transmission_ordering as follows:

Definition 22.

Given a graph $G(V,E)$ and a positive integer k, a path_orderingfrom a to b, with $a,b\in V$, $a\ne b$, is a unique sequence of k disjoint paths from the origin-node a to the end-node b that can be efficiently constructed given some rule on the choice of paths.

Definition 23.

Given an $A_{GN}$ game $\mathcal{G}$ with $n+1$ participants associated with a graph $G(V,E)$, a transmission_orderingfor $\mathcal{G}$ is a unique sequence of paths that can be efficiently constructed given: (1) a rule on the ordering of pairs of distinct nodes in V and (2) apath_orderingfor each distinct pair of origin-nodes and end-nodes. In addition,transmission_orderingmarks the origin-nodes and end-nodes of each path inpath_orderingwith special symbols to differentiate them from nodes that are intermediate along the path.

Example 1.

path_ordering: Let $k>0$ and let $G(V,E)$ be a k-path-disjoint graph with $\left|V\right|>k$. An example of apath_orderingfor each distinct pair $(a,b)$ of nodes in V is given by the following polynomial-time algorithm that operates according to a lexicographic rule: step 1: on input $(G,a,b)$, set $\mathtt{path}\_\mathtt{ordering}=\varnothing$; step 2:given $a,b$ list down all paths (not necessarily disjoint) in G from a to b;step 3:obtain the lexicographically first path from a to b in the list and include it inpaths, then remove all nodes crossed by the path from G to arrive at a residual graph $G^{\prime }$; using $G^{\prime }$, repeatstep 2 – step 3until k disjoint paths from a to b are inpath_ordering.

Example 2.

transmission_ordering: Let $k>0$, and let $G(V,E)$ be a k-path-disjoint graph with $\left|V\right|>k$. Letpath_orderingbe the same as in the prior example. Let $\mathcal{G}$ be an $A_{GN}$ game with $\left|V\right|=n+1$ participants, such that the nodes $V=\{a_0,a_1,a_2,\dots ,a_{\left|V\right|}\}$ of G are assigned as follows: $a_0=d$ (the dealer), $a_1=p_1$ (player 1), $a_2=p_2$ (player 2), etc. An example of atransmission_orderingfor $\mathcal{G}$ is given by the following polynomial-time algorithm:step 1: On input G, settransmission_ordering $=\varnothing$. step 2: construct the setpairingsas follows, set the first pair inpairingsas $(a_0,a_1)$, followed by a second pair $(a_0,a_2)$, etc., up to the nth pair $(a_0,a_n)$. After the nth pair, set the $n+1$th pair as $(a_1,a_2)$, then the $n+2$th pair as $(a_1,a_3)$, etc., up to $(a_1,a_n)$. Afterwards, the next pair is $(a_2,a_1)$ followed by $(a_2,a_3)$, etc., and so on and so forth so that $a_0$ (at the left of a pair) is paired with n other nodes (at the right of a pair), and each player node (at the left of a pair) is paired with $n-1$ other player nodes (at the right of a pair).step 3: for each pair inpairings, computepath_orderingusing the algorithm in the example above and includepath_orderingintransmission_ordering, where the origin-node and end-node of each path inpath_orderingare assigned special symbols.

Given common knowledge on the structure of $G(V,E)$ and the rules (i.e., polynomial-time algorithms) for constructing transmission_ordering, each player in the game can construct transmission_ordering in polynomial-time on his own at the start of the game. In the protocol ${\Pi }_2$ below, only one participant is meant to send a transmission for each round. The participant to send a transmission is the origin-node in the paths of transmission_ordering, and the protocol prescribes participants to follow the transmission ordering contained in transmission_ordering according to the edges listed in its paths, where each edge in a path corresponds to one round of transmission. With this rule, each participant in the game knows whose turn it is to send or receive a transmission given a certain round. It follows that a participant can verify if it received or sent information according to the protocol or not. Given this, we now proceed to describe ${\Pi }_2$. Given a security parameter $\kappa \in \mathbb{N}$, denote by $\nu :=\nu \left(\kappa \right)$ the value of a polynomial in $\kappa$. Let $(V_G,V_E,V_P,V_V)$ correspond to polynomial-time algorithms that give a secure Verifiable Random Function scheme, where $V_G:1^{*}\to {\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }$, $V_E:{\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }\to {0,1}^{\nu }$, $V_P:{\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }\to {\{0,1\}}^{\nu }$, and $V_V:{\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }\times {\{0,1\}}^{\nu }\to \{0,1\}$. Let $\beta$ be a parameter of a geometric distribution that is independent of $\kappa$. Let $\mathcal{G}$ be an $A_{GN}$ rational secret sharing game associated with a k-path-disjoint graph $G(V,E)$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$, with $n+1$ participants consisting of a dealer d and n players ${\left\{p_i\right\}}_{i\in \left[n\right]}:=N$. The second protocol proposed in this paper, ${\Pi }_2(n,k)$ is described as follows.

Protocol. 

${\Pi }_2(n,k)$.

0. Initialization Phase. 

The dealer performs the following to share a secret $s\in {\{0,1\}}^{\nu }$:

• Choose $r^{*}\in \mathbb{N}$ according to a geometric distribution with parameter $\beta$;
• Generate public and secret key pairs $(p{k}_1,s{k}_1),(p{k}_2,s{k}_2),\dots ,(p{k}_n,s{k}_n)\leftarrow V_G\left(1^{\kappa }\right)$;
• Generate public and secret key pairs $(p{k}_1^{\prime },s{k}_1^{\prime }),(p{k}_2^{\prime },s{k}_2^{\prime }),\dots ,(p{k}_n^{\prime },s{k}_n^{\prime })\leftarrow V_G\left(1^{\kappa }\right)$;
• Choose random $(n-1)$-degree polynomials $G\in {\mathbb{F}}_{2^{\nu }}\left[x\right]$ and $H\in {\mathbb{F}}_{2^{\nu }}\left[x\right]$ such that $G\left(0\right)=s$ and $H\left(0\right)=0$;
• Compute ${\{g_i^{*}:=G\left(i\right)\oplus V_E(s{k}_i,r^{*})\}}_{i\in \left[n\right]}$ and ${\{h_i^{*}:=H\left(i\right)\oplus V_E(s{k}_i,r^{*}+1)\}}_{i\in \left[n\right]}$;
• Construct transmission_ordering_a by listing down k disjoint paths from d to $p_1$ according to path_ordering followed by d to $p_2$, then d to $p_3$, etc., up to d to $p_n$, such that in each path in transmission_ordering_a the origin-node d is marked with a special symbol start and the end-node of each path is marked with a special symbol end;
• Construct transmission_ordering_b by listing down one arbitrarily chosen path for each pair of players starting with a path from $p_1$ to $p_2$, followed by a path from $p_1$ to $p_3$, etc., up to $p_1$ to $p_n$. Afterwards, list down a path from $p_2$ to $p_1$, followed by a path from $p_2$ to $p_3$, etc. (The algorithm for path_ordering is not needed for transmission_ordering_b.) In each path in transmission_ordering_b, the origin-node is marked with a special symbol start, and the end-node of each path is marked with a special symbol end;
• Define the tuple of public information as:

  $$\begin{array}{ccc}\hfill \Psi & =({\left\{p{k}_i\right\}}_{i\in \left[n\right]},{\left\{p{k}_i^{\prime }\right\}}_{i\in \left[n\right]},{\left\{g_i\right\}}_{i\in \left[n\right]},{\left\{h_i\right\}}_{i\in \left[n\right]},\hfill & \hfill \mathtt{transmission}\_\mathtt{ordering}\_\mathtt{a},\\ \hfill & \mathtt{transmission}\_\mathtt{ordering}\_\mathtt{b}).\hfill \end{array}$$

1. Public Information dissemination Phase. 

Let $s^0\in {\{0,1\}}^{\nu }$ be a uniformly drawn number for each player $p_i\in N$:

• For $i\in \left[n\right]$ and for $j\in \left[k\right]$, d sends $\Psi$ to $p_i$ according to transmission_ordering_a.
• For $i\in \left[n\right]$, if $p_i$ does not yet have $\Psi$ and receives it for the first time, it checks if it is meant to receive $\Psi$ according to transmission_ordering_a$\in \Psi$. If not, it outputs $s^0$ then aborts. Otherwise, it keeps the information if it is its turn to receive it (i.e., its own node is marked with end), or sends the transmission to the respective node dictated by transmission_ordering_a.
• For $i\in \left[n\right]$, if $p_i$ has a prior copy of $\Psi$ (received from some previous round), it checks if it is meant to receive (or not receive) a transmission from some other node according to transmission_ordering_a in terms of the current round. If there is a violation, it outputs $s^0$ then aborts. Otherwise, if it received information, $p_i$ verifies if all of its copies of $\Psi$ are so far equal. If not, it outputs $s^0$ then aborts. Otherwise, it keeps $\Psi$ if it is its turn to receive it (i.e., its own node is marked with end), or sends the transmission to the respective node dictated by transmission_ordering_a.
• For $i\in \left[n\right]$, if $p_i$ still does not receive k copies of $\Psi$ as dictated by transmission_order-ing_a within $\mathtt{max}\_\mathtt{l}\times n\times k$ rounds, it outputs $s^0$ then aborts. Otherwise, it verifies that all k copies of $\Psi$ it received are equal. If not, it outputs $s^0$, then aborts.
• After $\mathtt{max}\_\mathtt{l}\times n\times k$ rounds, if all checks above do not fail for any participant, all participants move on to phase 2.

2. Secret Key dissemination Phase.

• For $i\in \left[n\right]$, the dealer computes $\{s_{i,1},s_{i,2},\dots ,s_{i,k}\}=S_G\left(s{k}_i\right)$ and $\{s_{i,1}^{\prime },s_{i,2}^{\prime },\dots ,s_{i,k}^{\prime }\}=S_G\left(s{k}_i^{\prime }\right)$.
• For $i\in \left[n\right]$ and for $j\in \left[k\right]$, d sends $\{s_{i,j},s_{i,j}^{\prime }\}$ to the end-receiver $p_i$ according to transmission_ordering_a.
• For $i\in \left[n\right]$, if $p_i$ receives or does not receive a transmission from some other node in violation of transmission_ordering_a in terms of the current round, it outputs $s^0$ then aborts. Otherwise, it keeps the information if it is its turn to receive it (i.e., its own node is marked with end) or sends the transmission to the respective node as dictated by transmission_ordering_a.
• For $i\in \left[n\right]$, if $p_i$ still does not receive k sets of information (following the transmissions dictated by transmission_ordering_a) within $\mathtt{max}\_\mathtt{l}\times n\times k$ rounds, it outputs $s^0$ then aborts. Otherwise, given ${\left\{s_{i,j}\right\}}_{j\in \left[k\right]}$ and ${\left\{s_{i,j}^{\prime }\right\}}_{j\in \left[k\right]}$, it reconstructs $s{k}_i=S_R(s_{i,1},s_{i,2},\dots ,s_{i,k})$ and $s{k}_i^{\prime }=S_R(s_{i,1}^{\prime },s_{i,2}^{\prime },\dots ,s_{i,k}^{\prime })$.
• After $\mathtt{max}\_\mathtt{l}\times n\times k$ rounds, if all checks above do not fail for any participant, all participants move on to phase 3.

3. Reconstruction Phase. 

• Given transmission_ordering_b, for $i\in \left[n\right]$, if it is $p_i$’s turn to transmit as the origin-node for the first time (i.e., its node is marked with start for the first time), $p_i$ computes the following:

  $$y_i^r=V_E(s{k}_i,r),z_i^r=V_E(s{k}_i^{\prime },r)$$

  $${\pi }_i^r=V_P(s{k}_i,r),{\psi }_i^r=V_P(s{k}_i^{\prime },r)$$

  Afterwards, $p_i$ sends $(g_i^r,h_i^r)$ to all other players ${\left\{p_{i^{\prime }}\right\}}_{i^{\prime }\in \left[n\right]\backslash i}$ according to the transmissions dictated in transmission_ordering_b.
• For $i\in \left[n\right]$, if $p_i$ receives or does not receive a transmission from some other node in violation of transmission_ordering_b in terms of the current round, it outputs $s^{r-1}$ then aborts. Otherwise, if its node is not marked with end (following transmission_ordering_b), it sends the transmission to the respective receiver node as dictated by transmission_ordering_b. However, if it is $p_i$’s turn to receive information (i.e., its node is marked with end), it sets source as the index of the origin-node of the transmission, i.e., the transmission originates from player $p_{\mathtt{source}}$. Afterwards, it performs the following:

  (a)

  Check if the information received is of the form $(y^r,z^r,{\pi }^r,{\psi }^r)$. If not true, output $s^{r-1}$ and abort.

  (b)

  Verify that both $V_V(p{k}_{\mathtt{source}},r,y^r,{\pi }^r)$ and $V_V(p{k}_{\mathtt{source}},r,z^r,{\psi }^r)$ are true. If any of these are false, abort.

  (c)

  Check if n tuples of the form $(y_{i^{\prime }}^r,z_{i^{\prime }}^r,{\pi }_{i^{\prime }}^r,{\psi }_{i^{\prime }}^r)$ for indices $i^{\prime }\in \left[n\right]$ have so far been acquired. If true, let I denote the player indices corresponding to such tuples. Compute $h_{i^{\prime }}^r:=h_{i^{\prime }}\oplus z_{i^{\prime }}^r$ for all $i^{\prime }\in I$, and interpolate a $(n-1)$-degree polynomial $H^r$ using ${\left\{h_{i^{\prime }}^r\right\}}_{i^{\prime }\in I}$. If $H^r\left(0\right)=0$, $\mathtt{output}$$s^{r-1}$ immediately as the computed secret and abort.

  (d)

  Otherwise, if $H^r\left(0\right)\ne 0$ in the above item, compute $s_i^r$ as follows: set $g_{i^{\prime }}^r:=g_{i^{\prime }}\oplus y_{i^{\prime }}^r$ for all $i^{\prime }\in I$. Interpolate a $(n-1)$-degree polynomial $G^r$ through ${\left\{g_r^{i^{\prime }}\right\}}_{i^{\prime }\in I}$ and set $s_i^r:=G^r\left(0\right)$.

• For $i,i^{\prime }\in \left[n\right]$, if $p_i$: (a) did not receive any transmission from some other origin-node$p_{i^{\prime }}$ ($i^{\prime }\ne i)$ according to transmission_ordering_b within $\mathtt{max}\_\mathtt{l}\times n^2\times k$ rounds, it outputs $s^{r-1}$ then aborts.
• After $\mathtt{max}\_\mathtt{l}\times n^2\times k$ rounds, if all checks above do not fail for any participant, all participants move on to the next iteration in phase 3.

Phases 1–2 of ${\Pi }_2$ follow the same principle as that of phase 1 in ${\Pi }_1$, whereby, given that G is k-path-disjoint, participants take advantage of the k disjoint paths for each pair of nodes in G in order to transmit redundant information. With this, players can check the correctness of the transmitted data by comparing the k copies to each other. In phase 3 of ${\Pi }_2$, however, instead of using k disjoint paths to transmit information, they use the properties of the VRF to verify that received data are correct. The absence of redundancy in phase 3 of ${\Pi }_2$ enables ${\Pi }_2$ to have less communication complexity than ${\Pi }_1$. The following results regarding ${\Pi }_2$ are arrived at, whose proofs are in the Appendix.

Theorem 4.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a k-path-disjoint graph $G(V,E)$ for $k\le n$, and domain $\mathcal{S}:={\{0,1\}}^{\nu }$. The protocol ${\Pi }_2(n,k)$ is a computational Nash equilibrium, and is also a $(n-1)$-key leakage-tolerant equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$, where β is the parameter of a geometric distribution. The average round complexity of ${\Pi }_2(n,k)$ is $[2\times max\_\mathtt{l}\times n\times k]+[(1+1/\beta )\times \mathtt{max}\_\mathtt{l}\times n^2]$, and the communication complexity per round is at most $O\left(6n\nu \right)$.

Theorem 5.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a k-path-disjoint graph $G(V,E)$ for $k\le n$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$. The protocol ${\Pi }_2(n,k)$ is a computationally strict Nash equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$.

Theorem 6.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a k-path-disjoint graph $G(V,E)$ for $k\le n$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$. Suppose that no player can acquire other secret keys unless information related to it is shared by another player through a transmission. The protocol ${\Pi }_2(n,k)$ is a $(k-1)$-resilient computational Nash equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$.

Proposed Protocol ${\Pi }_{2.1}(n,k)$: With Dealer Connected Directly to Each Player

The last protocol of this paper ${\Pi }_{2.1}$ induces a $\Phi$-resilient computational Nash equilibrium, where $\Phi$ is the condition that a subset of nodes be 1-disconnected. The idea behind this protocol is to provide some equilibrium notions that allow for certain large-sized coalitions to be formed, contrary to the usual equilibrium notion where all coalitions are bounded by k. However, unlike ${\Pi }_2$, the dealer is assumed to be directly connected to each player in ${\Pi }_{2.1}$ so that it can transmit shares and keys in one simultaneous move. Given this advantage, protocol ${\Pi }_{2.1}$ performs additional checks, whereby any transmission received by a node is checked for correctness. Given that any coalition is 1-disconnected, any transmission among members of the coalition have to pass through at least one player not belonging to the coalition, such that any deviations from the protocol will be checked. This prevents members of the coalition to share information outside of ${\Pi }_{2.1}$ to each other—in particular, secret keys.

Protocol. 

${\Pi }_{2.1}(n,k)$.

0. Secret Generation and Key dissemination Phase. 

The dealer performs the following to share a secret $s\in {\{0,1\}}^{\nu }$:

• Choose $r^{*}\in \mathbb{N}$ according to a geometric distribution with parameter $\beta$;
• Generate public and secret key pairs $(p{k}_1,s{k}_1),(p{k}_2,s{k}_2),\dots ,(p{k}_n,s{k}_n)\leftarrow V_G\left(1^{\kappa }\right)$;
• Generate public and secret key pairs $(p{k}_1^{\prime },s{k}_1^{\prime }),(p{k}_2^{\prime },s{k}_2^{\prime }),\dots ,(p{k}_n^{\prime },s{k}_n^{\prime })\leftarrow V_G\left(1^{\kappa }\right)$;
• Choose random $(n-1)$-degree polynomials $G\in {\mathbb{F}}_{2^{\nu }}\left[x\right]$ and $H\in {\mathbb{F}}_{2^{\nu }}\left[x\right]$ such that $G\left(0\right)=s$ and $H\left(0\right)=0$;
• Compute ${\{g_i^{*}:=G\left(i\right)\oplus V_E(s{k}_i,r^{*})\}}_{i\in \left[n\right]}$ and ${\{h_i^{*}:=H\left(i\right)\oplus V_E(s{k}_i,r^{*}+1)\}}_{i\in \left[n\right]}$;
• Construct transmission_ordering_b by listing down one arbitrarily chosen path for each pair of players starting with a path from $p_1$ to $p_2$, followed by a path from $p_1$ to $p_3$, etc., up to $p_1$ to $p_n$. Afterwards, list down a path from $p_2$ to $p_1$, followed by a path from $p_2$ to $p_3$, etc. (The algorithm for path_ordering is not needed for transmission_ordering_b.) In each path in transmission_ordering_b, the origin-node is marked with a special symbol start, and the end-node of each path is marked with a special symbol end;
• Define the tuple of public information as:

  $$\begin{array}{cc}\hfill \Psi & =({\left\{p{k}_i\right\}}_{i\in \left[n\right]},{\left\{p{k}_i^{\prime }\right\}}_{i\in \left[n\right]},{\left\{g_i\right\}}_{i\in \left[n\right]},{\left\{h_i\right\}}_{i\in \left[n\right]},\hfill \\ \hfill & \mathtt{transmission}\_\mathtt{ordering}\_\mathtt{a}\hfill \\ \hfill & \mathtt{transmission}\_\mathtt{ordering}\_\mathtt{b});\hfill \end{array}$$
• For $i\in \left[n\right]$, send $((s{k}_i,s{k}_i^{\prime }),\Psi )$ to $p_i$.

1. Reconstruction Phase. 

• Given transmission_ordering_b, for $i\in \left[n\right]$, if it is $p_i$’s turn to transmit as the origin-node for the first time (i.e., its node is marked with start for the first time), $p_i$ computes the following:

  $$y_i^r=V_E(s{k}_i,r),z_i^r=V_E(s{k}_i^{\prime },r)$$

  $${\pi }_i^r=V_P(s{k}_i,r),{\psi }_i^r=V_P(s{k}_i^{\prime },r)$$
  Afterwards, $p_i$ sends $(g_i^r,h_i^r)$ to ${\left\{p_{i^{\prime }}\right\}}_{i^{\prime }\in \left[n\right]\backslash i}$ as per transmission_ordering_b.
• For $i\in \left[n\right]$, if $p_i$ receives or does not receive a transmission from some other node in violation of transmission_ordering_b in terms of the current round, it outputs $s^{r-1}$ then aborts. Otherwise, it checks transmission_ordering_b to determine the source of the transmission which is $p_{\mathtt{source}}$ for some $\mathtt{source}\in \left[n\right]$. Afterwards, given r and $\{r,y^r,{\pi }^r,z^r,{\psi }^r\}$ in the transmission, $p_i$ checks that both $V_V(p{k}_{\mathtt{source}},r,y^r,{\pi }^r)$ and $V_V(p{k}_{\mathtt{source}},r,z^r,{\psi }^r)$ are true. If any of these are false, $p_i$ aborts.
  Otherwise, if $p_i$’s node is not marked with end as per transmission_ordering_b, it sends the transmission to the respective receiver node as per transmission_ordering_b. However, if it is $p_i$’s turn to receive information (i.e., its node is marked with end), it sets source as the index of the origin-node of the transmission, i.e., the transmission originates from player $p_{\mathtt{source}}$. Afterwards, it performs the following:

  (a)

  Check if the information received is of the form $(y^r,z^r,{\pi }^r,{\psi }^r)$. If not true, output $s^{r-1}$ and abort.

  (b)

  Check if n tuples of the form $(y_{i^{\prime }}^r,z_{i^{\prime }}^r,{\pi }_{i^{\prime }}^r,{\psi }_{i^{\prime }}^r)$ for indices $i^{\prime }\in \left[n\right]$ have so far been acquired. If true, let I denote the player indices corresponding to such tuples. Compute $h_{i^{\prime }}^r:=h_{i^{\prime }}\oplus z_{i^{\prime }}^r$ for all $i^{\prime }\in I$, and interpolate an $(n-1)$-degree polynomial $H^r$ using ${\left\{h_{i^{\prime }}^r\right\}}_{i^{\prime }\in I}$. If $H^r\left(0\right)=0$, $\mathtt{output}$$s^{r-1}$ immediately as the computed secret and abort.

  (c)

  Otherwise, if $H^r\left(0\right)\ne 0$ in the above item, compute $s_i^r$ as follows: set $g_{i^{\prime }}^r:=g_{i^{\prime }}\oplus y_{i^{\prime }}^r$ for all $i^{\prime }\in I$. Interpolate an $(n-1)$-degree polynomial $G^r$ through ${\left\{g_r^{i^{\prime }}\right\}}_{i^{\prime }\in I}$ and set $s_i^r:=G^r\left(0\right)$.

• For $i,i^{\prime }\in \left[n\right]$, if $p_i$: (a) did not receive any transmission from some other origin-node $p_{i^{\prime }}$ ($i^{\prime }\ne i)$ according to transmission_ordering_b, it outputs $s^{r-1}$ then aborts.

Equilibrium properties of ${\Pi }_{2.1}$ are stated in Theorem 7, which says that ${\Pi }_{2.1}$ guarantees a computational Nash equilibrium. Proof for Theorem 7 is in the Appendix. The more interesting result, however, for ${\Pi }_{2.1}$ is in Corollary 1, which states that ${\Pi }_{2.1}$ can accommodate coalitions of a size larger than k, as long as these coalitions are 1-disconnected. An example instance for which Corollary 1 applies is shown in Figure 4.

Theorem 7.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a $G(V,E)$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$ such that the E has edges from the dealer node to each of the player nodes. Let Φ denote the set of conditions $\Phi :=\{$1$-disconnected\}$. The protocol ${\Pi }_{2.1}(n,k)$ is a Φ-resilient computational Nash equilibrium provided that $[(\beta \times U^{+})+(1-\beta )\times U_{\mathtt{rand}}-U]<0$, where β is the parameter of a geometric distribution.

Corollary 1.

Given $\kappa \in \mathbb{N}$, let $\nu :=\nu \left(\kappa \right)$ denote the value of a polynomial in κ. Let $\mathcal{G}$ be an $A_{GN}$ game with $n+1$ participants associated with a $G(V,E)$ and domain $\mathcal{S}:={\{0,1\}}^{\nu }$ such that the E has edges from the dealer node to each of the player nodes. Let Φ denote the set of conditions $\Phi :=\{$1$-disconnected\}$. If ${\Pi }_{2.1}(n,k)$ is a Φ-resilient computational Nash equilibrium, then ${\Pi }_{2.1}(n,k)$ is resilient against some coalitions of size larger than k.

Proof. 

By the definition of a $\Phi$-resilient computational Nash equilibrium, if a protocol is $\Phi$-resilient, then it is secure against any coalition that satisfies the requirements of $\Phi$ regardless of their size. The corollary thus follows.    □

5. Possible Directions for Future Work

Some possible directions for future work are as follows:

• Our paper showed the existence of protocols that guarantee equilibria in an $A_{GN}$ secret sharing game given very specific graph-theoretical properties. Natural extensions over these results would be to investigate if there are certain protocols that induce equilibria over more general graph-theoretical properties. On the other hand, one could also investigate if there are other graph-theoretical properties that allow either computationally strict Nash equilibria or $\Phi$-equilibria. For instance, aside from 1-disconnected, could other properties also be included in $\Phi$ in order to tolerate larger coalitions?
• Our protocols could be further simplified or optimized in terms of their round and communication complexity. For instance, there may be more computationally efficient secret sharing schemes aside from Shamir Secret Sharing that allow the protocol to induce the same types of equilibria. It is also possible to further improve the complexity of the $(n,k)$ Shamir Secret Sharing used in securely distributing the secret along k-disjoint paths.

6. Conclusions

In this paper, we address the problem of designing secret sharing protocols over a general network with rational players, such that these protocols induce the desirable equilibrium outcome whereby it is advantageous for each player to stick to the protocol and let all players correctly reconstruct the secret in the process. We present three protocols, whereby our first protocol uses the pseudorandom cryptographic primitive along with a standard Shamir Secret Sharing scheme in the presence of an online dealer. The second protocol uses a more sophisticated crytpographic primitive, namely, VRFs in order to reduce communication complexity from the first protocol and requires only a semi-online dealer. Our third protocol is similar to the second protocol, but requires a special type of general network whereby the dealer is directly connected to each player.

To formally express the game-theoretic behaviour of our protocols in the context of computational complexity, we utilize existing notions of computational Nash equilibrium and also present novel notions of computational equilibria—namely, $(n-1)$-key leakage-tolerant equilibrium and $\Phi$-resilient computational Nash equilibrium. Our results and proofs show that our first and second protocols, ${\Pi }_1$ and ${\Pi }_2$, respectively, both induce an $(n,k)$ strict computational Nash equilibrium, a $(n-1)$-key leakage-tolerant equilibrium, and a $(k-1)$-resilient computational Nash equilibrium relative to certain values of the geometric distribution parameter $\beta$ and the values of the players’ utilities $U^{+},U,U^{-}$. The communication complexity of ${\Pi }_2$ per round is less than ${\Pi }_1$, but ${\Pi }_2$ has much higher round complexity. Finally, for the third protocol, ${\Pi }_{2.1}$, we show that it induces a $\Phi$-resilient computational Nash equilibrium, where $\Phi$ contains the graphical property of being 1-disconnected. This implies that under ${\Pi }_{2.1}$, certain coalitions of size larger than k can be tolerated by the protocol as long as the location of the members of the coalition in the network’s graph satisfy the 1-disconnected property.