Cryptographic Rational Secret Sharing Schemes over General Networks

We propose cryptographic rational secret sharing protocols over general networks. In a general network, the dealer may not have direct connections to each player, and players may not have direct connections to each of the other players. We present conditions on the network topology for which our proposed protocols are computational strict Nash equilibria and (k − 1)-resilient, along with analysis on their round and communication complexity. We also present new notions of equilibria such as Φ-resilient computational Nash equilibria, whereby a protocol is resilient to coalitions that satisfy conditions in Φ, regardless of the coalition's size. We also propose (n − 1)-key leakage-tolerant equilibria applicable to cryptographic protocols involving secret keys, whereby the equilibrium holds even if some players acquire (n − 1) tuples of secret keys.


Introduction
Secret sharing schemes address the problem of securely disseminating a secret among several participants, which is a relatively old problem in cryptography. Perhaps the most popular early secret sharing scheme is the (n, k) secret sharing scheme by [1], which is also termed an (n, k) threshold sharing scheme. In this secret sharing scheme, the setting involves a dealer who wants to share a secret among n players. The dealer subdivides the secret into n pieces (i.e., shares) and sends a piece to each player. If at least k players cooperate and share their shares, then the secret can be efficiently reconstructed. However, if fewer than k players cooperate, their shares reveal no information about the secret. To achieve these conditions, the scheme of [1] uses properties of polynomials and Lagrange interpolation, and it is shown to be secure under the formalized security notion of a secret sharing scheme [2]. Since this invention by [1], several other secret sharing schemes have been proposed [3], many of which are closely related to the field of secure multiparty computation [4][5][6][7].
The setting for standard (n, k) secret sharing, however, assumes that players are either completely honest or malicious [8], and security is guaranteed against completely malicious players (termed adversaries). In a paper by [9], however, players are instead modeled as rational in the game-theoretic sense [10], i.e., players have associated utility functions, and the goal of each player is to maximize their own utility as a function of the game's outcome, while taking into account the effects of the actions of other players in determining the outcome of the game. It is shown in [9] that standard non-rational secret sharing schemes would fail to obtain the desired objective of having all players learn the secret if participants are modeled as rational under natural assumptions on their utility functions. Thus, non-rational protocols have to be modified in order to factor in the utility-maximizing behavior of players and the widened action space that comes from rationality. This notion of a rational player by [9] paved the way for the research area of rational secret sharing, where solutions are expressed in the form of protocols that induce Nash equilibria [11]. In particular, the rational secret sharing scheme in [9] is a protocol where players have an incentive to follow the protocol and learn the secret together, rather than for a player to deviate from the protocol and learn the secret by itself. In this regard, Ref. [9] showed that their scheme is not only a Nash equilibrium but is also not weakly dominated [11], which, in some instances, involves a stronger condition than Nash equilibrium. Moreover, [9] showed that no rational secret sharing scheme exists for n = 2 players, but such a scheme exists for n > 2 by taking advantage of randomness and uncertainty over the game's outcome. Several other papers on rational secret sharing followed after [9].
The scheme of [12] is a simple rational secret sharing scheme that allows the dealer to either draw a true secret from some subset of a field, or draw a false secret, which is a simplification from the original protocol of [9]. This random drawing by the dealer creates uncertainty from the players' point of view, such that for the players, the more viable and less risky option is to comply with the protocol. Another paper by [13] considers the dependence of schemes on various notions of utility. The chapter of [14] claims that rational secret sharing contributed a new notion of equilibrium to the field of game theory, which is the (k − 1)-resilient equilibrium. In particular, a protocol induces a (k − 1)-resilient equilibrium if it is a Nash equilibrium and if any coalition of fewer than k players has no incentive to deviate from the protocol. Other rational secret sharing schemes are presented in [15][16][17][18].
The schemes of [9,12,19] consider settings where the dealer has a direct connection to each of the players to send each player's share. In addition, players have access to a simultaneous broadcast channel, whereby any transmission sent over the channel is automatically received by all the players (although [12] presented a sketch at the end of the paper over an asynchronous broadcast channel). These assumptions are relaxed in [20], whereby players still have access to a broadcast channel, but transmissions are performed asynchronously. In addition, ref. [20] showed that the schemes of [9,12] are not exactly Nash equilibria if players are allowed to perform a superpolynomial number of computations, which is not at all a given requirement in games according to game-theory literature (i.e., some games are even assumed to be infinite [21]). Ref. [20] thus presented a scheme that is a Nash equilibrium in an information-theoretic sense by drawing shares from an unbounded domain. The scheme of [20], however, assumes that players are allowed to receive shares of arbitrary size. The results of [20] have theoretical appeal, but as per [8], coming up with rational secret schemes where participants are constrained to compute in polynomial time, i.e., cryptographic rational secret schemes, is still meaningful. This led [8] to formulate notions of computational Nash equilibria, computationally strict Nash equilibria, as well as (k − 1)-resilient computational Nash equilibria, which are modified notions of Nash equilibria over games that constrain their participants to operate in polynomial time. Moreover, the equilibrium notions of [8] are defined in terms of actions cast as information transmissions relative to each participant's point of view, disregarding any hidden internal computations done by other participants. The scheme of [8] is asynchronous and operates over point-to-point networks instead of broadcast channels. In particular, [8] uses cryptographic primitives termed verifiable random functions (VRFs) [22,23].
The setting considered in [8], however, assumes that the dealer has access to each of the players, and each player has access to all other players over a point-to-point network. In this paper, we consider rational secret sharing schemes over general networks, which is a further relaxation from the networks considered in [8,20]. In particular, in a general network, the dealer is not guaranteed to have direct access to each of the players, and players are not guaranteed to have direct access to each of the other players. This implies that transmissions from the dealer or from a player may have to pass through some other player nodes in the network before they reach their intended recipient. The work of [24,25] deals with the problem of securely disseminating a player's individual share of the secret given that the dealer is not directly connected with each player. In particular, Ref. [24] specifies a graphical property of the network, namely, the k-path disjoint property, as a condition for securely disseminating a player's share despite general network constraints. The work of [26] presents a non-rational secret sharing scheme that is secure on general networks and has much less communication complexity, under the condition that the corresponding graph describing the network topology is k-propagating [26]. Both the schemes of [24,26], however, deal more with the first phase of a secret sharing scheme, namely, the secret generation and share/key dissemination phase.
In Section 4.1, we discuss the limitations of the secret sharing schemes surveyed in the above paragraphs. As discussed, the rational secret sharing schemes [8,9,12] assume a broadcast channel or a point-to-point network, by which participants can send messages to one another (whether simultaneously or asynchronously). However, in Section 4.1, we show that in some instances of a general network, equilibrium guarantees of these schemes would fail to hold. On the other hand, non-rational secret sharing schemes (as in [24,26]) are not valid in the case of rational participants, as given rationality and natural assumptions on utility, players are better off by not sharing their shares, as discussed in [9] and described in Section 2.3. It is the goal of the paper, then, to present protocols which provide equilibrium guarantees (under certain conditions of the network topology), even in the combined case of a general network topology over rational participants for all phases of a secret sharing protocol. In particular, our contributions are as follows:

1. In this paper, we provide protocols that guarantee equilibrium even in the combined case of a general network topology over rational participants for all phases of a secret sharing protocol. We likewise state the required graphical properties of such general networks in order for such equilibria to hold. Thus, our protocols are able to overcome the limitations of existing protocols that are either non-rational or which assume broadcast channels/point-to-point connections among participants, albeit under some conditions on the network topology. In particular, we present three protocols. The first protocol uses a pseudorandom function cryptographic primitive [2] and induces a computational Nash equilibrium given an online dealer, i.e., the dealer transmits information throughout the protocol. For the second protocol, we use the verifiable random functions as done in [8], which also results in a computational Nash equilibrium but requires only a semi-online dealer, i.e., the dealer transmits information only at certain phases of the protocol, but is not needed throughout the protocol's execution. The second protocol, however, has much higher round complexity compared to the first scheme. The equilibrium of each scheme borrows a technique proposed by [8], which is to randomly draw the value of a definitive iteration from a geometric distribution but to delay the moment when players discover the definitive iteration to create uncertainty. In addition, we apply a scheme inspired by [24] to distribute a secret perfectly in a general network. However, in Section 4.1, we mention that additional mechanisms are required in order for computational Nash equilibrium to provably hold, and we show reasons why the equilibrium is not clear under a straightforward combination of the schemes of [8,24]. Moreover, we state the graph-theoretic properties of the general network required for such equilibria, which we term as the k-disjoint property, where each pair of nodes in the graph has at least k disjoint paths connecting them.

2. Aside from computational Nash equilibrium, we also show that our proposed protocol induces stronger notions of Nash equilibrium, i.e., computationally strict Nash equilibrium and (k − 1)-resilient computational Nash equilibrium following [8]. For each equilibrium notion, we present the required properties of the network topology needed for the equilibrium to hold. These properties are expressed using graph theoretical concepts.

3. We present new notions of the computational Nash equilibrium. The first is termed a Φ-resilient computational Nash equilibrium, whereby a protocol is Φ-resilient if it is a computational Nash equilibrium and if it is resilient to any coalition that satisfies the properties listed in Φ, regardless of the coalition's size, where the properties in Φ

2. $A_i$: the action space available to player $p_i$, with an element denoted as $\mathrm{act} \in A_i$. $A_i$ can be finite or infinite.

3. The set of actions for player $p_i$ after a non-terminal history $\omega := (\mathrm{act}_1,$

4. $f_{\mathrm{next}}$: a function $f_{\mathrm{next}} : \Omega_H \to N$ for which $f_{\mathrm{next}}(\omega)$ is the player who takes action after history $\omega \in \Omega_H$.

5. $I_i$: the information partition for player $p_i$, which is a partition of $\{\omega \in \Omega_H \mid f_{\mathrm{next}}(\omega) = p_i\}$ with the property that $A_i(\omega) = A_i(\omega')$ if $\omega$ and $\omega'$ are both in the same element of the partition. An element of $I_i$ is denoted as $I$, which is termed an information set. The set of actions for $p_i$ after reaching $I$ is $A_i(I)$.

6. $o$: a set of outcomes, where an outcome is a description of events in the game once a terminal history is reached.

7. $\mu_i$: a utility function from the set of terminal histories to $\mathbb{R}$, which determines $p_i$'s gain depending on the game's outcome.

Definition 1.
Given an extensive form game G with imperfect information, a behavioural strategy (or simply strategy) is denoted as a vector $\sigma := \{\sigma_1, \sigma_2, \ldots, \sigma_n\}$, where for $i \in [n]$, $\sigma_i$ is the strategy of player $p_i$. Each $\sigma_i$ for $i \in [n]$ is a function mapping $I$ to a probability distribution over $A_i(I)$.
The definition of strategy given in Definition 1 is the standard definition in game theory [11], whereby actions are functions of histories or information sets. An equivalent (and perhaps more intuitive) definition of strategy for player $p_i \in N$ views actions $A_i(I)$ taken by $p_i$ under information set $I$ as conditional on the information contained in $I$. For instance, a history in an information set $I$ may consist of past actions of a player's internal computations, along with past actions of other players consisting of transmissions sent over a network. In this case, the set of information contained in $I$ consists of the outputs of these internal computations plus the content of transmissions from other players. Strategy in this case is defined as actions taken by a player conditional on the information contained in $I$ after reaching information set $I$. This notion of information contained in an information set is denoted as $\varphi_i(I)$ for $p_i \in N$ and is defined below.

Definition 2.
Let $p_i \in N$ reach information set $I$. The information from $I$ or information in $I$ is denoted as $\varphi_i(I)$, which consists of all possible information from the point of view of $p_i$ upon reaching $I$. The set of actions for $p_i$ after reaching $I$ and conditional on $\varphi_i(I)$ is denoted as $A_i(\varphi_i(I))$ and $A_i(\varphi_i(I)) = A_i(I)$, i.e., the difference between $A_i(\varphi_i(I))$ and $A_i(I)$ is merely conceptual.

Definition 3.
Given an extensive form game G with imperfect information, a behavioural strategy (or simply strategy) is denoted as a vector $\sigma := \{\sigma_1, \sigma_2, \ldots, \sigma_n\}$, where for $i \in [n]$, $\sigma_i$ is the strategy of player $p_i$. Each $\sigma_i$ for $i \in [n]$ is a function mapping the space of $\varphi_i(I)$ to a probability distribution over $A_i(I)$.

Graph Theory Definitions
Recall that a graph G = (V, E) consists of a set of nodes V and a set of edges E ⊆ V × V, such that two nodes $a_1, a_2 \in V$ are joined or are adjacent to each other if $(a_1, a_2) \in E$. In this setting, graphs are assumed to be undirected. A walk from node a to node b is a finite sequence of edges $((a_1, b_1), (a_2, b_2), \ldots, (a_m, b_m))$ for some m > 0 (i.e., all walks in this setting are assumed to end and we do not consider infinite walks), such that $a_1 = a$, $b_m = b$, and $b_l = a_{l+1}$ for $l \in [m - 1]$. The first edge of a walk $((a_1, b_1), (a_2, b_2), \ldots, (a_m, b_m))$ is the edge $(a_1, b_1) \in E$. Given a walk $((a_1, b_1), (a_2, b_2), \ldots, (a_m, b_m))$, the nodes $\{a_1, a_2, \ldots, a_m, b_m\}$ comprise the node sequence of the walk. A path from a to b is a walk in which all elements of its node sequence are distinct, and the first and last nodes in the node sequence are a and b, respectively. Given a path from a to b, the path is said to originate at a, and the node a is termed the origin-node, or the origin, while the node b is termed the end-receiver node or the end-node. Two distinct nodes a, b ∈ V are connected if there exists a path from a to b, in which case the path is connecting a to b. Two paths are completely disjoint if their respective node sequences have empty intersection (i.e., they do not cross each other). Aside from these standard graph theory definitions, we also define special types of paths and graphs that will be used in this setting. Let a, b ∈ V be a pair of distinct nodes.

Definition 5.
A set of paths from a to b is internally disjoint if: (1) the node sequences of the paths have a as the origin and b as the end-receiver and (2) aside from the beginning and end, the node sequences of the paths do not share any node in common. Furthermore, given a graph G(V, E), let a, b be a pair of distinct nodes in V. A set of k paths from a to b is a set of k-disjoint paths from a to b if they are internally disjoint. Lastly, given a graph G(V, E), let $\hat{V} \subset V$. The set of nodes $\hat{V}$ is k-disconnected if, for each distinct pair of nodes $a, b \in \hat{V}$, we have: (1) $(a, b) \notin E$ and (2) for any path connecting a and b, the size of the node sequence is at least k + 2.
While dense clique graphs are likely to be path-disjoint, it is not necessary for a graph to be a clique in order to be path-disjoint. As shown in Figure 1, we have a graph that is 3-path disjoint even though it is not a clique. A useful property of k-path disjoint graphs is stated in Lemma 1, which will be used in the proofs in the Appendix.
Figure 1. The left figure (a) shows a graph that is (k = 3)-path-disjoint even if it is not a clique. An example of 3-disjoint paths from one green node to another green node given the graph in (a) is shown in the right figure (b).

Lemma 1.
Given a k-path-disjoint graph G(V, E), let $\hat{V} \subset V$ be a set of size k − 1. For each distinct pair of nodes a, b ∈ V, any set of k-disjoint paths from a to b contains a path that does not contain nodes belonging to $\hat{V}$.
Proof. Let a, b be an arbitrary pair of distinct nodes in V. Let $\hat{V} \subset V$ be an arbitrary subset of nodes of V of size k − 1. Suppose that there exists a set of k-disjoint paths from a to b such that each path contains nodes belonging to $\hat{V}$. Since this particular set of paths is internally disjoint, this implies that there are k paths whose first edges are distinct from each other and which originate at a. Distribute the members of $\hat{V}$ to these k paths. However, since $|\hat{V}| < k$, some paths do not contain nodes belonging to $\hat{V}$, which is a contradiction.
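Added example (not from the paper): a Python check of the k-path-disjoint property and of the consequence of Lemma 1, counting internally disjoint paths through Menger's theorem with a unit-capacity max flow. The two graphs, the node names and all function names are constructed for illustration and are not the graph of Figure 1; the check of Lemma 1 assumes a and b lie outside the removed set.

```python
from collections import deque
from itertools import combinations

def max_disjoint_paths(nodes, edges, a, b):
    """Largest number of internally disjoint a-b paths in an undirected graph.

    By Menger's theorem this equals a unit-capacity max flow after splitting
    every node v into (v, "in") -> (v, "out"), so an inner node carries at
    most one path. The direct edge (a, b), if present, counts as one path.
    Each undirected edge must be listed once.
    """
    cap, adj = {}, {}

    def arc(u, v, c):
        cap[(u, v)] = cap.get((u, v), 0) + c
        cap.setdefault((v, u), 0)            # residual (reverse) arc
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)

    for v in nodes:
        # Endpoints may be shared by all paths; inner nodes by only one.
        arc((v, "in"), (v, "out"), len(nodes) if v in (a, b) else 1)
    for u, v in edges:
        arc((u, "out"), (v, "in"), 1)
        arc((v, "out"), (u, "in"), 1)

    src, dst, flow = (a, "out"), (b, "in"), 0
    while True:
        parent = {src: None}
        queue = deque([src])
        while queue and dst not in parent:   # BFS for an augmenting path
            x = queue.popleft()
            for y in adj[x]:
                if y not in parent and cap[(x, y)] > 0:
                    parent[y] = x
                    queue.append(y)
        if dst not in parent:
            return flow
        y = dst
        while parent[y] is not None:         # push one unit along the path
            x = parent[y]
            cap[(x, y)] -= 1
            cap[(y, x)] += 1
            y = x
        flow += 1

def is_k_path_disjoint(nodes, edges, k):
    """True if every pair of distinct nodes has at least k internally disjoint paths."""
    return all(max_disjoint_paths(nodes, edges, a, b) >= k
               for a, b in combinations(nodes, 2))

def reachable(nodes, edges, removed, a, b):
    """True if b can be reached from a without visiting any node in `removed`."""
    nbrs = {v: set() for v in nodes}
    for u, v in edges:
        nbrs[u].add(v)
        nbrs[v].add(u)
    seen, stack = {a}, [a]
    while stack:
        x = stack.pop()
        for y in nbrs[x] - seen - set(removed):
            seen.add(y)
            stack.append(y)
    return b in seen

def avoids_any_k_minus_1_nodes(nodes, edges, k):
    """Consequence of Lemma 1: for every set of k-1 nodes and every pair a, b
    outside it, some a-b path avoids the whole set."""
    return all(reachable(nodes, edges, removed, a, b)
               for removed in combinations(nodes, k - 1)
               for a, b in combinations([v for v in nodes if v not in removed], 2))

# Constructed example: dealer d and players p1..p5 arranged as the complete
# bipartite graph K_{3,3}; the dealer has direct edges only to p3, p4 and p5.
SIDE_A, SIDE_B = ["d", "p1", "p2"], ["p3", "p4", "p5"]
K33_NODES = SIDE_A + SIDE_B
K33_EDGES = [(u, v) for u in SIDE_A for v in SIDE_B]

# Constructed contrast: a 6-node ring gives every pair exactly 2 disjoint paths.
RING_NODES = list(range(6))
RING_EDGES = [(i, (i + 1) % 6) for i in range(6)]

if __name__ == "__main__":
    print("K33 3-path-disjoint:", is_k_path_disjoint(K33_NODES, K33_EDGES, 3))
    print("K33 survives any 2 nodes:", avoids_any_k_minus_1_nodes(K33_NODES, K33_EDGES, 3))
    print("ring 3-path-disjoint:", is_k_path_disjoint(RING_NODES, RING_EDGES, 3))
```

The ring fails the k = 3 check, and correspondingly two of its nodes can cut the remaining nodes apart, so Lemma 1 gives no guarantee there.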

Rational Secret Sharing
Early secret sharing schemes model players as either completely honest or malicious [1]. In a rational secret sharing scheme, however, players are rational in the game-theoretic sense and are associated with utilities depending on outcomes of a game [9]. Thus, a protocol Π in rational secret sharing corresponds to a prescribed strategy over a game. In particular, in a rational secret sharing game, there are n + 1 participants consisting of n players who wish to reconstruct the secret and have associated utility functions, plus a dealer without an associated utility function. However, among these n players, only a subset of $n_a \le n$ players are willing to participate in the protocol, namely, the active players.
In the setting of [9], each active player has access to a broadcast channel, whereby if an active player transmits information in this channel, all other active players in the game learn the transmitted information automatically. An important result of [9] (and described in Section 4.1) is that standard non-rational cryptographic protocols fail if participants are modeled as rational instead of plainly honest or malicious.
The secret sharing game described in [9] proceeds in several iterations, and each iteration consists of multiple communication rounds. At the beginning of each iteration, the dealer privately distributes information to each of the n players. Afterwards, the subset of $n_a$ active players run the protocol among themselves by simultaneously broadcasting messages in a series of rounds. At the end of an iteration, the protocol either terminates or proceeds to the next iteration. At the beginning and throughout the game, it is assumed that the dealer and each of the players know the identities of the $n_a$ active players.
The strategies of the game's active players in [9] can be viewed as probabilistic interactive Turing machines [27] that operate in polynomial time following [8]. In this context, the dealer and the active players can perform arbitrary polynomial-time probabilistic computations internally in each round. In addition, in each round, the dealer and the active players can either (1) broadcast information (i.e., a share) or (2) abstain from broadcasting information (players only). In addition, players can (3) abort the game or (4) output a guess of the secret. If all active players abort, the game ends, and the outcome of a game is described in terms of the outputs of each active player. Following [9], the value of the utility function $\mu$ of a player increases if it correctly outputs the secret s. Each active player, however, prefers that the number of active players who correctly outputted s be as small as possible, as shown in Definition 6 below. For simplicity, however, in all that follows in this paper, we assume that all players are active, i.e., $n_a = n$, so that if some player is referred to as performing some action or strategy or whose utility is being computed, it is automatically assumed that the player is an active player.

., o n } be two distinct outcomes. For each player p i ∈ P, we have:

Definition 7.
Given an outcome $o$, let $u_i(o)$ denote player i's expected utility function, where expectation is taken over the value of s (which is assumed to be chosen uniformly by the dealer at the beginning of the game), the randomness of the dealer, and the randomness of each player's strategy.

Definition 8.
Let s ∈ S be a secret. Following [8,12], define $U_i^+ := \mu_i(o)$ if $o_i = 1$ and $o_{i'} = 0$ for all $i' \in [n] \setminus i$, i.e., player $p_i$ learns the secret but no other player does. On the other hand, for any $o$ such that $o_i = 1$ and $\sum_{i' \in [n] \setminus i} o_{i'} > 0$, i.e., player $p_i$ learns the secret and at least some other player does as well, we define the resulting utility as a single value $U_i := \mu_i(o)$. Lastly, for any $o$ such that $o_i = 0$, i.e., player $p_i$ does not learn the secret, we define the resulting utility as a single value $U_i^- := \mu_i(o)$. For each player $p_i \in N$, define $U_{\mathrm{random}}$ as $U_{\mathrm{random}} := (1/|S|)\,U_i^+ + (1 - 1/|S|)\,U_i^-$, which is the expected utility of a player who outputs a random guess of s if other parties abort or output a wrong guess.
For this setting, the functions $U_i^+$, $U_i^-$ and $U_i$ are the same for all players so that we can refer to them simply as $U^+$, $U^-$ and $U$. For this paper, we assume that $U^+ > U > U^-$. Moreover, it is required that $U > U_{\mathrm{random}}$ since, otherwise, players will have no incentive to participate in the game as shown in [8].

Definition 9.
A protocol Π in a rational secret sharing game has an online dealer if the dealer continually sends transmissions at each iteration until the secret is reconstructed, i.e., the dealer's continual transmissions at each iteration throughout the game are required for players to reconstruct the secret. A protocol has a semi-online dealer if the dealer sends transmissions for a finite number of iterations, after which the dealer stops sending any additional transmission even if the secret is still not yet reconstructed by the players, i.e., the players are left to reconstruct the secret on their own (without the dealer) at some point in the game.

A GN Rational Secret Sharing
The rational secret sharing schemes above consider games where players have access to broadcast channels, and where the dealer can directly transmit individual shares to each player. In this setting, we relax the assumption that the dealer can directly transmit individual shares to each player. Rather, the dealer has direct access to a certain number of players in the network (which may not necessarily include each player). In addition, players may be unable to broadcast information to all other players at once. Rather, a player can only transmit information directly to a certain number of players (which may not necessarily include each player). This leads to the notion of asynchronous general network (A GN) rational secret sharing, which is a generalization of a rational secret sharing game. To express these notions better, we use some concepts from graph theory.
We denote an A GN rational secret sharing game associated with a graph G(V, E) with n + 1 participants (i.e., 1 dealer and n players) in Definition 10. The placement of the dealer and each of the players in the general network's topology is represented by G, where the dealer and each of the players are assigned a node in V so that |V| = n + 1. If an edge in E joins two nodes of V, this implies that the player (or dealer) represented by the origin-node can send a transmission using the network to the other player represented by the end-node. In the description of G below, we switch between referring to the participants as computational models (i.e., Turing machines), and as nodes in the graph G. However, it will be understood from the context that if the dealer or a player performs some computations, it is doing so internally in its capacity as a computational model, while if the dealer node or a player node sends a transmission to another player node, the participants are sending transmissions with reference to their representations as nodes in G.

Definition 10.
An asynchronous general network (A GN) rational secret sharing game G associated with a graph G(V, E) and domain S is described by the following:

1. The game has n + 1 participants consisting of n players $N := \{p_1, p_2, \ldots, p_n\}$, where each player $p_i$ is associated with utility function $\mu_i$ for $i \in [n]$, and a dealer d who does not have an associated utility function. The utility function $\mu_i$ for $p_i \in N$ follows the utility function described in Definition 6.

2. The participants of the game are represented by the nodes V of G. An edge (a, b) ∈ E implies that node a (i.e., a player or the dealer) can directly transmit information to node b (another player). The dealer is required to have at least one edge joining its node with another player's node.

3. The game proceeds in phases. The first set of phases is termed the key and share generation/dissemination phase, while the next set of phases is termed the secret reconstruction phase. A protocol of the game should take care of letting players know when a phase ends and when the next phase begins. The key and share generation/dissemination phase is viewed as a single iteration of the game, i.e., iteration 0, and consists of several communication rounds. In iteration 0, the dealer samples a secret s ∈ S and distributes shares of the secret along with other arbitrary forms of information (i.e., secret/public keys) to the players.

4. The secret reconstruction phase consists of a sequence of iterations 1, 2, . . . . Each iteration consists of a sequence of communication rounds (or round for short). In each round, the dealer and the players can internally perform arbitrary polynomial-time and size probabilistic computations, and can either (1) transmit information to several other player nodes with whom its node is joined according to E or (2) abstain. In addition, players can (3) output a guess of the secret key or (4) abort. If a player aborts, it leaves the game and no longer has access to information from subsequent iterations/rounds in the game.

5. In each round in the key and share generation/dissemination phase, and in each round in an iteration in the secret reconstruction phase, the player and the dealer can transmit information to several other player nodes (with whom its node is joined in E) simultaneously. After transmitting information, a player can no longer transmit again within the round, i.e., transmission is performed simultaneously and once within a round. After transmission of information, a player receives information simultaneously from other players with whom it is joined in E. With this rule, it follows that information received by a player in one round can only be used in computations/transmissions in the next round.

6. The value of iteration and each round within an iteration is common knowledge among all participants throughout the game. Likewise, a protocol of the game should take care of letting all participants know when the current iteration ends and when the next iteration begins.

7. The game ends once all players abort. Once a game ends, its outcome is defined as a vector $o = \{o_1, o_2, \ldots, o_n\}$ such that $o_i = 1$ if player $p_i$ outputs the secret s.

8. The expected utility $u_i$ of player $p_i$ given outcome $o$ for $i \in [n]$ follows the expected utility function described in Definition 6.
From the above definition, the graph in a rational secret sharing game with broadcast and dealer access to each player [9] can be seen as a special instance of an A GN rational secret sharing game, where the associated graph is fully connected, i.e., each player node has edges to all other player nodes, and the dealer has edges to each of the players. From the description of an A GN game above, it can be seen that the action space is very large since it includes all possible internal computations at each round as well as all possible transmissions among players. With a very large action space, listing down a function that maps information sets $I$ to a probability distribution over a player's actions is not feasible. This is where the notion of $\varphi_i(I)$ becomes useful, whereby actions are dependent on the information contained in an information set $I$, where actions of a player are decided for each round. As a result, to define a strategy, we only need to define actions dependent on certain relevant information that directly affects its utility rather than specifying each possible information set. With this, let the participants of an A GN rational secret sharing game G be indexed by the set $\{0\} \cup [n]$ such that the dealer has index 0 and player $p_1$ has index 1, player $p_2$ has index 2, etc. We define strategies and secret sharing schemes in the context of an A GN rational secret sharing game as follows.

Definition 11.
Let G be an A GN rational sharing game associated with a graph G(V, E) and domain S. A polynomial-time strategy $\sigma = \{\sigma_0, \sigma_1, \ldots, \sigma_n\}$ is a set of polynomial-time strategies for each participant that, conditional on information $\varphi_i(I)$ in information set $I$, defines at each round the participant's (1) internal probabilistic computations, (2) transmissions (or lack of transmissions) among participants with whom it is joined by an edge in E, and (3) output and abort actions.

Definition 12.
Let G be an A GN rational sharing game associated with a graph G(V, E) and domain S. Given a polynomial-time protocol Π over G, the strategy $\sigma = \{\sigma_0, \sigma_1, \ldots, \sigma_n\}$ corresponding to Π is a set of polynomial-time strategies for each participant that define its actions at each round, such that the participant's actions follow Π. In this case, $\sigma$ is termed as the strategy prescribed by Π.

Definition 13.
Let G be an A GN rational sharing game associated with a graph G(V, E) and domain S, and let s ∈ S denote the secret chosen by the dealer at iteration 0. A protocol Π over G is an (n, k) A GN secret sharing scheme (not yet considering rationality) if it corresponds to a polynomial-time strategy $\sigma$, such that if players follow the actions prescribed by $\sigma$ and obtain information that reveals at least k shares, they can reconstruct the secret s efficiently (correctness). If players obtain information that reveals fewer than k shares, the probability of correctly outputting s is 1/|S| (secrecy).

Equilibrium Notions
The standard notion of equilibria in a game-theoretic setting is the Nash equilibrium, and a protocol is said to induce a Nash equilibrium if no player can gain any advantage by deviating from the protocol, assuming that all other players follow the protocol. However, as observed in [8,9], the standard Nash equilibrium concept is inadequate (too weak) in the setting of rational secret sharing. This led [9] to consider more specialized versions of the Nash equilibrium, such as equilibrium surviving iterated deletion of weakly dominated strategies [11]. However, even this notion of equilibrium is not without problems [8,20], leading [20] to consider further refinements of the equilibrium such as the strict Nash equilibrium. In this paper, we adopt notions of computational equilibrium from [8], which have the merit of closely retaining the properties of a strict Nash equilibrium while considering computational constraints. For this, let G be an A GN rational sharing game associated with a graph G(V, E) and domain S. Let protocol Π denote a (n, k) A GN secret sharing scheme over G. Let σ = {σ 0 , σ 1 , . . . , σ n } denote the strategy corresponding to Π. Let f denote a negligible function over κ. We have the following: for any other polynomial time strategy σ i for player p i .

Definition 15. From [8], we define view Π −i as follows. Let script d denote the transmissions of the dealer to its adjacent nodes across all rounds of the game. Let script i denote the transmissions of p i to its adjacent nodes (across all rounds of the game), but which do not include transmissions after p i outputs a guess of the secret s. Let script −i denote the set of transmissions of p i′ for i′ ∈ [n] with i′ ≠ i to its adjacent nodes (across all rounds of the game). Let all participants follow the strategies prescribed by Π. view Π −i is defined as information which includes script d , script i , and script −i , plus all randomness involved in the computations of p i′ for i′ ∈ [n] with i′ ≠ i across all rounds.

Definition 16. Let ρ i be another strategy of p i with ρ i ≠ σ i . Let all participants (except p i ) follow the strategies prescribed by Π. For its part, player p i follows strategy ρ i . Given this set of strategies, let script d , script i , and script −i be defined as in Definition 15. Let T be some polynomial-time algorithm that knows the entire view of p i as it follows ρ i (i.e., player p i 's randomness, its computations, its transmissions as written in script i , and any transmissions received from other participants) and which outputs a truncation script i of script i . We define

Definition 17. Let f denote a negligible function in κ. For i ∈ [n], a strategy ρ i is equivalent with respect to Π or ρ i ∼ Π if there exists a polynomial-time algorithm T such that for all polynomial-time distinguishers D, we have:

Definition 18. Let protocol Π denote a (n, k) A GN secret sharing scheme over G. Let σ = {σ 0 , σ 1 , . . . , σ n } denote the strategy corresponding to Π. We say that Π induces a computational strict Nash equilibrium: (1) if it induces a computational Nash equilibrium and (2) if, for any polynomial-time strategy σ i for which

Having considered the above notions of equilibrium, we now consider an extension of these equilibrium concepts in the presence of coalitions. Namely, given an A GN secret sharing game G with n + 1 participants, a coalition C ⊆ P is a set of players whose strategies are coordinated arbitrarily. The output of C is a single value which represents the individual outputs of each member of C. The utility function of C is denoted as µ C , and the expected utility function is u C . Similarly, denote by σ = (σ C , σ −C ) the resulting strategy if members of C follow σ C while other players that are not members of C follow σ −C . Let protocol Π denote a (n, k) A GN secret sharing scheme over G. Let σ = (σ C , σ −C ) be a strategy that corresponds to Π. Let f denote a negligible function over κ.
For completeness, coalition versions of the above definitions are stated in Appendix A.

Additional Equilibrium Notions
We now present two novel equilibrium notions, which some of our proposed protocols satisfy. The first equilibrium notion (Definition 20) is an (n − 1)-key leakage-tolerant computational Nash equilibrium, which is a computational Nash equilibrium that is resistant to secret key leakage, given a scheme which uses cryptographic primitives involving secret keys. The second equilibrium is the notion of a Φ-equilibrium (Definition 21). This notion states that a (k − 1)-computational Nash equilibrium can hold even in the presence of large coalitions whose size is larger than k, as long as these coalitions satisfy the graphical properties listed in Φ. This is in contrast to standard definitions of (k − 1)-resilient computational Nash equilibria, whereby an upper bound on the size of any coalition is imposed.

Definition 20. Let G be an A GN rational secret sharing game with n + 1 participants associated with a graph G(V, E) and domain S. Let Π be a cryptographic protocol that uses cryptographic primitives involving a set of secret keys sk := {sk i } i∈[n] , where sk i is a tuple of secret keys of player p i . Π induces an (n − 1)-key leakage-tolerant computational Nash equilibrium over G if it is a computational Nash equilibrium, even if each player acquires up to n − 1 tuples of secret keys.
We note that as per Definition 20, each player is constrained to obtain up to n − 1 secret keys, where the secret keys may be obtained through arbitrary means, i.e., by sharing of keys within a coalition or through side-channel attacks. This rules out the case whereby a certain player who currently has n − 1 secret keys forms a coalition with the remaining player whose secret key it does not yet have in order to obtain n secret keys in total. Such cases are ruled out by the definition of the (n − 1)-key leakage-tolerant computational Nash equilibrium.

Definition 21. Let G be an A GN rational secret sharing game with n + 1 participants associated with a graph G(V, E) and domain S. Let Φ be a set of conditions over V relative to E. Π induces a Φ-resilient computational Nash equilibrium over G if, for any arbitrary coalition C ⊆ N whose respective nodes in G satisfy the conditions in Φ, for any polynomial-time strategy σ C such that

Overview of Existing Protocols
Existing protocols in the literature are listed in Table 1. These protocols can be grouped into two major categories: those that allow for rational participants and those that do not (i.e., non-rational protocols). From Table 1, we discuss the limitations of these schemes as follows.

Table 1. Rational refers to whether the scheme considers participants as rational or not. Bounded refers to whether the shares used in the scheme are finite or infinite. Async refers to whether the scheme allows for asynchronous communication among participants. B/p2p refers to whether the scheme assumes that players are connected by either a broadcast or a point-to-point network. General refers to whether the scheme allows for participants to be connected under a general network topology. The schemes of [24,26] are marked with yes * under the "general" column since they work on a general network where the dealer may not have direct connections to all players during the share dissemination phase. However, it is not clear in [24,26] how players communicate their shares to each other and how the network topology would be during the secret reconstruction phase.

1. Rational schemes assume broadcast channels/point-to-point networks. The existing rational schemes [8,9,12,20] are not designed to operate on a general network since they assume that the dealer d along with n players have access to either a broadcast channel or a point-to-point network (i.e., all participants are pairwise connected), for which these schemes achieve (k − 1) equilibrium given some k < n. For reference, the algorithm of [8] is listed in detail in Appendix E. If applied to some instances of a general network, however, the equilibrium guarantees of these schemes would fail.
For instance, in Figure 2, d is directly connected to only l = 3 players, and yet, d needs to send at least 12 messages to all n = 12 players in order to share the secret in a fair manner following the p2p/broadcast protocol (i.e., since all of these schemes make the dealer directly send a message to each player). Given this topology, d is forced to use only l connections to send all of its messages. As a result, one player that is directly connected to d (say player p i ) is bound to receive at least d/l messages. If d/l ≥ k − 1, p i learns the secret. In this example, it follows that the equilibrium guarantees of these schemes would fail for some values of k. The same analogy could be applied to some player communicating information to another player in the secret reconstruction phase, i.e., several players may send information to one player who is in a network bottleneck.

Figure 2. Here, the dealer (green node) is only directly connected to 3 players, p1, p2, p3, whereas there are 12 players (blue nodes) in total. Given that in a broadcast/p2p-network rational secret sharing scheme, the dealer has to communicate messages to all players, the dealer in this case is forced to route at least 12 messages through the set of players p1, p2, p3 (many of which are not designed to be seen by p1, p2, p3). It follows that at least one of p1, p2, p3 would eventually obtain at least 4 messages from the dealer that provide information on the secret, breaking the equilibrium guarantees for all k < 4.

2. Non-rational schemes. On the other hand, the protocols of [24,26] are secure for general networks but assume that participants are non-rational. Specifically, [24] presents the SMT algorithm, which addresses the problem of securely disseminating the shares of each player during the secret generation/share dissemination phase. Briefly, for each share outputted by the share generation algorithm, the SMT treats each share as a new secret, and breaks it down into another k sub-shares. For each player, SMT sends these k sub-shares along k-disjoint paths, for which each player is able to securely reconstruct its individual share (not yet the secret). The protocol of [26] improves upon the SMT concept by lowering communication complexities. Both [24,26], however, deal with the problem of disseminating shares in a general network during the secret generation and share dissemination phase. It is not clear in their papers how the secret reconstruction phase would proceed, i.e., whether players are still connected over a general network once they communicate shares to each other. In our proposed protocols, by contrast, we assume that in both the secret generation/key dissemination phase and the reconstruction phase, all participants are constrained by a general network. Perhaps a more fundamental problem with non-rational cryptographic protocols is pointed out in [8,9]. In particular, if players are modeled as rational with natural assumptions on their utilities, such non-rational schemes would fail during the secret reconstruction phase. This is due to the widened action space of rational players, along with their utility-maximizing behaviour (compared to plain honest players). For instance, suppose that utility is modeled whereby all players want to learn the secret, but prefer that as few other players as possible learn the secret (following Section 2.3).
It can be shown that each player does no worse (and could even do better) by withholding from sharing his secret (this action is now possible since the player is no longer plainly honest, but rational). To see this, suppose that the non-rational scheme corresponds to an (n, k) secure secret sharing scheme and consider a player p i , i ∈ [n]. If fewer than k − 1 players share the secret, p i would not learn the secret regardless of his actions. If more than k − 1 players share the secret, p i would learn the secret regardless of his actions as well. If exactly k − 1 players share the secret, then p i is better off by not sharing his secret since he can reconstruct the secret given his hidden share along with the k − 1 other shares.
From the discussion above, the equilibrium results of existing rational secret sharing schemes need to be qualified in the case of a general network. On the other hand, existing non-rational schemes for general networks have to be modified if rational participants are allowed. As such, the goal of the proposed secret sharing protocols below is to operate over a general network in all phases given rational participants. In the process, the specific network conditions (i.e., topology) that allow for the existence of a desirable equilibrium where all players learn the secret are specified.

High-Level Overview of Our Protocols
The protocol of [8] is shown in detail in Appendix E. In summary, the protocol of [8] relies on two components to achieve a computational strict Nash equilibrium, namely: (1) uncertainty on the definitive stage and (2) protocol compliance checking. Given n players, the first component (1) is achieved by drawing two random polynomials, G and H, such that G(0) = s and H(0) = 0. In addition, we have {g * , where r * represents the definitive iteration and V E is an algorithm of a secure VRF (Appendix D). With this, players are able to discover the definitive iteration only at iteration r * + 1, since they can reconstruct H and evaluate H(0) = 0. This delay of 1 iteration from r * results in a computational Nash equilibrium. The second component, i.e., protocol compliance checking, further results in a computational strict Nash equilibrium, as players can use the VRF to check any deviations in transmissions from the protocol. However, implementing the protocol of [8] directly in a general network setting results in some problems, such as:
1. The protocol of [8] assumes that the dealer is able to send shares/secret keys to each player directly at the beginning of the game in the share/key generation and dissemination phase. In a general network, the dealer may not have this ability, and as described in the previous section, the protocol of [8] may lead the dealer to concentrate transmissions to some player nodes.
2. In addition, with rational participants, the action space widens in the first key dissemination phase. For instance, players may maul the share/secret keys from the dealer or refrain from sending the share/secret keys to the desired recipients. Given this larger action space of players, it is not clear if a certain combination of the SMT protocol with the protocol of [8] would result directly in an equilibrium, and additional mechanisms may be needed. In particular, in Appendix E.1, we show how a certain combination of the SMT protocol with [8] over an instance of a general network results in a strategy that is dominated by some other strategy.
3. Moreover, in the secret reconstruction phase, point-to-point transmissions between players may not be available, and transmissions may have to pass through intermediate players. As a result, some players may maul or modify transmissions along the way. Once again, it is not clear if the protocol of [8] would still induce an equilibrium under this enlarged action space of players in the secret reconstruction phase.
To fix the preceding issues, one way for equilibrium to be preserved in a general network is to include additional coordination mechanisms among participants. However, additional coordination mechanisms imply that there have to be additional protocol compliance checking steps in order for a player to check if all other players are indeed following the coordination mechanism. Bearing these in mind, we developed the following approach for our protocols Π 1 , Π 2 , Π 2.1 , described here at a high level.
1. To guarantee computational Nash equilibrium under rational players in the share generation/key dissemination phase, we include the additional mechanism by which the dealer includes in its messages an explicit set of instructions referring to the path by which the message will be delivered. Together with this, we implement a form of protocol compliance checking by which each player receives several duplicate messages from the dealer sent along k-disjoint paths. If any player sees a discrepancy from messages it received, it knows that some player deviated from the protocol, and it is able to abort immediately. We note that this mechanism also prevents concentration of transmissions from the dealer.
2. In the secret reconstruction phase, for our first proposed protocol (Π 1 ), we force the players to duplicate their transmissions along k-disjoint paths as another form of protocol compliance checking. This way, players are able to check if all duplicates they received are equal. If any player sees a discrepancy, it is able to abort since this indicates that some other player deviated from the protocol (i.e., by modifying or mauling a transmission along the way). However, for Π 1 , without access to a VRF (see Appendix D) for all participants, the dealer needs to be online in the secret reconstruction phase in order to impose strict protocol compliance checking in all players (as noted in Lemma 2).
3. In the secret reconstruction phase, for our next protocols, (Π 2 ) and (Π 2.1 ), we implement a VRF in order to achieve the same type of protocol compliance checking as Π 1 , but with lower communication complexity under a semi-online dealer. However, compared to Π 1 , the dealer in Π 2 and Π 2.1 includes a specific set of instructions by which players would send their transmissions to each other.
4. Finally, we implement uncertainty in the definitive stage by letting players discover the definitive iteration r * only at iteration r * + 1. This is done using a pseudorandom function (see Appendix C) and random polynomials in Π 1 , and through a secure VRF with the pseudorandom property in Π 2 and Π 2.1 following [8]. Moreover, the number of rounds in each iteration in Π 1 , Π 2 , and Π 2.1 is fixed a priori in order for players to synchronize and know when an iteration begins and when it ends, and by which each player can unambiguously determine in a finite amount of time if some player deviated from the protocol by not sending any needed transmission, or when the definitive iteration has already been reached.
This combination of protocol compliance checking and uncertainty on the definitive stage results in an equilibrium for Π 1 , Π 2 , and Π 2.1 , as we state in Theorems 1-6.

Proposed Protocol Π 1 (n, k): With Online Dealer
We now proceed to describe the first proposed protocol of this paper. This protocol (Π 1 ) uses a standard pseudorandom function (as defined in Appendix C) along with the Shamir secret sharing scheme (as defined in Appendix B) in order to achieve computational Nash equilibrium (and also leakage-tolerant equilibrium) in a general network whose corresponding graph is k-path-disjoint. This is our first attempt to come up with a secret sharing protocol that can operate over a specific general network given rational participants. The protocol Π 1 , however, assumes that the dealer is online. This requirement will be relaxed in the succeeding protocol Π 2 .
Given a security parameter κ ∈ N, denote by ν := ν(κ) the value of a polynomial in κ. Let (S G , S R ) correspond to polynomial-time algorithms that give a secure (n, k) Shamir Secret Sharing scheme, where S G : , 1} ν denote a standard secure pseudorandom function. Let G be an A GN rational secret sharing game associated with a k ≤ n-path-disjoint graph G(V, E) and domain S := {0, 1} ν , with n + 1 participants consisting of a dealer d and n players {p i } i∈[n] := N. Given k ≤ n, the first protocol proposed in this paper, Π 1 (n, k), is described as follows, which assumes that the dealer is online.
after max_l rounds such that the origin-node of each path encoding is d and the end-node is p i , it outputs s 0 then aborts. Otherwise, it verifies that all copies of , h ), such that the origin-node of each path i,j for j ∈ [k] is d and the end-node is p i after max_l rounds, it outputs s r−1 then aborts. Otherwise, it verifies that all k copies of ({path i,j } j∈[k] , h ) it received are equal. If not, it outputs s r−1 then aborts.
(c) For i ∈ [n], p i computes g r i = Λ(sk i , r) and h r i = Λ(sk i , r + 1). For every other player p l , (l ∈ [n], i ≠ l), p i selects arbitrary k disjoint paths from p i to p l , where each path is given an encoding corresponding to path l,j := (a 0 = p i , a 1 , a 2 , . . . , a m = p l ) for some m ≤ max_l. Afterwards, p i sends to p l along the selected k disjoint paths for all other players p l , l ∈ [n] \ i.
(d) For i ∈ [n], and for l ∈ [n] \ i, p i checks if it has received (within max_l rounds) exactly k tuples of the form ({path l,j } j∈[k] , g r l , h r l ) (j ∈ [k]) such that the origin-node of each path encoding is p l and the end-node is p i . If not, p i outputs s r−1 then aborts. Otherwise, for l ∈ [n] \ i, it verifies that all k copies of ({path i,j } j∈[k] , g r i , h r i ) it received (whose origin-node is p l ) are equal. If not, p i outputs s r−1 then aborts. Otherwise, once p i receives information from all players, p i checks if ⊕ i∈[n] h r i = h . If not, p i outputs s r−1 then aborts. Otherwise, p i computes {h . It then interpolates an (n − 1)-degree polynomial H r using {h p i } i∈[n] and checks if H r (0) = 0. If H r (0) = 0, it outputs s r−1 then halts. Otherwise, it computes {ĝ i := g * i ⊕ g r i } i∈[n] , then interpolates an (n − 1)-degree polynomial G r using {ĝ i } i∈[n] . Afterwards, it sets s r = G r (0).
3. After max_l rounds, if all checks above do not fail for any participant, all participants move on to the next iteration of phase 2.
Intuitively, the protocol Π 1 works by using redundancies in paths provided by the k-path-disjoint graph G as shown in Figure 3. Since G is k-path-disjoint, any transmission from either the dealer or a player to another player has to pass through k disjoint paths. In phase 1, the dealer breaks the share of each player into k pieces using the Shamir Secret Sharing scheme and sends these k pieces along k disjoint paths. Any player that sees a piece of a share does not have k − 1 other pieces and cannot reconstruct the secret key by himself. Moreover, each transmission contains a copy of the path encoding and the public keys {g * i } i∈[n] and {h * i } i∈[n] . Given that each player acquires k copies of a transmission, it knows that the path encoding and {g * i } i∈[n] and {h * i } i∈[n] are correct if all k copies of them match. This provides incentives for players not to deviate from Π 1 by modifying any content of a transmission in phase 1 given that they know such behaviour will be detected. This renders Π 1 secure against (k − 1)-sized coalitions given that, as per Lemma 1, any set of k transmissions from one player to another has to pass through at least one path not belonging to the coalition, and any deviations by the coalition will be detected. In addition, the dealer uses an n-degree polynomial in phase 0 to make it secure against n − 1 secret key leakage (which is inspired by a note in [8]).
Figure 3. The graphs in (a,b) show a (k = 3)-path-disjoint network graph with max_l = 3. The left figure (a) shows an example of the dealer (green node) d sending messages m1, m2, m3 to player p 3 (a blue node) along 3 disjoint paths. In phases 1 and 2.1 of protocol Π 1 , we have m1 = m2 = m3, so that p 3 should receive 3 copies of the same message by the 3rd round. The right figure (b) shows an example of a player (p 3 ) sending messages m1 = m2 = m3 to player p 0 along 3 disjoint paths, which corresponds to the steps performed by each player in phase 2.1 of Π 1 .
For phase 2, the same reasoning applies, whereby the dealer sends a check variable h to each player along k disjoint paths, and each player sends a transmission of the form ({path l,j } j∈[k] , g r l , h r l ) for some l ∈ [n] and j ∈ [k] to all other players along k disjoint paths. By the same principle, players can use the k copies received from each player to verify the correctness of the transmission. We note that in Π 1 , the check variable h is crucial for verifying the correctness of the transmission given that, without h , some strategy strictly dominates Π 1 , as shown in the following Lemma.

Lemma 2. Without the check ⊕ i∈[n] h r i = h in step 2.d of Π 1 (n, k), there exists a polynomial-time strategy for p i that strictly dominates Π 1 , assuming all other players follow strategies prescribed by Π 1 .
Proof. Let p i take the following strategy: follow Π 1 in all aspects, except that p i changes h r i to some random number then sends it to all other players. Other players will not detect this since the check ⊕ i∈[n] h r i = h is not implemented. With non-negligible probability, at r = r * + 1, all other players will have H r (0) ≠ 0 given that they did not receive the real h r i from p i . However, p i will know that the current iteration is r * + 1 since it has the real h r i needed to interpolate the correct polynomial H r such that H r (0) = 0. p i would then output G r (0) = s and receive utility U + (given that all other players are not aware that r = r * + 1).
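The receiver-side checks of step 2.d, and the gap Lemma 2 describes, can be made concrete with the following added example (not code from the paper). It assumes Λ is instantiated with truncated HMAC-SHA256, that the dealer's check value is the XOR of every player's honest h r i , and uses constructed keys, relay names and traffic.

```python
import hashlib
import hmac
from functools import reduce

NU_BYTES = 16  # assumption: nu = 128 bits


def prf(sk: bytes, r: int) -> int:
    """Stand-in for Λ(sk_i, r); HMAC-SHA256 is an assumption, not the paper's choice."""
    mac = hmac.new(sk, r.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:NU_BYTES], "big")


def xor_all(values):
    return reduce(lambda a, b: a ^ b, values, 0)


def check_step_2d(me, players, inbox, own_h, h_check, k, xor_check=True):
    """Checks p_me runs on one iteration's traffic; returns 'continue' or an abort reason.

    inbox[l] is the list of (paths, g, h) tuples that arrived from p_l.
    """
    h_seen = {me: own_h}
    for l in players:
        if l == me:
            continue
        copies = inbox.get(l, [])
        if len(copies) != k:
            return f"abort: expected {k} copies from p{l}, got {len(copies)}"
        for paths, _g, _h in copies:
            # every path encoding must start at the sender and end at this player
            if len(paths) != k or any(p[0] != l or p[-1] != me for p in paths):
                return f"abort: bad path encoding from p{l}"
        if any(c != copies[0] for c in copies[1:]):
            return f"abort: copies from p{l} differ"
        h_seen[l] = copies[0][2]
    if xor_check and xor_all(h_seen.values()) != h_check:
        return "abort: XOR of h values does not match the dealer's check value"
    return "continue"


def build_round(r, players, keys, me, k, lie_by=None, maul_from=None):
    """Constructed traffic for iteration r as received by p_me."""
    inbox = {}
    for l in players:
        if l == me:
            continue
        paths = tuple((l, f"relay{j}", me) for j in range(k))  # constructed relays
        g, h = prf(keys[l], r), prf(keys[l], r + 1)
        if l == lie_by:
            h ^= 1  # the origin itself substitutes h in every copy
        copies = [(paths, g, h) for _ in range(k)]
        if l == maul_from:
            copies[-1] = (paths, g ^ 1, h)  # one copy altered on its way
        inbox[l] = copies
    h_check = xor_all(prf(keys[l], r + 1) for l in players)  # assumed dealer value
    return inbox, prf(keys[me], r + 1), h_check


def run(me=1, r=3, k=2, lie_by=None, maul_from=None):
    """Return the verdict with the XOR check and the verdict without it."""
    players = [1, 2, 3, 4]
    keys = {l: bytes([l]) * 16 for l in players}  # constructed secret keys
    inbox, own_h, h_check = build_round(r, players, keys, me, k, lie_by, maul_from)
    with_xor = check_step_2d(me, players, inbox, own_h, h_check, k)
    without_xor = check_step_2d(me, players, inbox, own_h, h_check, k, xor_check=False)
    return with_xor, without_xor


if __name__ == "__main__":
    print("honest      ", run())
    print("relay mauls ", run(maul_from=2))
    print("origin lies ", run(lie_by=3))
```

Comparing the k copies catches a change made on one path, but a value substituted consistently by its origin passes that comparison and is rejected only by the XOR check.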
Finally, the equilibrium of Π 1 relies on the fact that players are not aware of the value of r * until they reach iteration r * + 1 following [8]. This generates uncertainty among the players such that, given a sufficiently low parameter β in the geometric distribution from which r * is sampled, players prefer to follow Π 1 rather than deviate. Given this, we arrive at the following results regarding Π 1 , whose proofs are in the Annex.

Theorem 1. Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a k-path-disjoint graph G(V, E) for k ≤ n and domain S := {0, 1} ν . The protocol Π 1 (n, k) is a computational Nash equilibrium, and is also an (n − 1)-key leakage-tolerant equilibrium provided that [(β × U + ) + (1 − β) × U rand − U] < 0, where β is the parameter of a geometric distribution. Given a maximum path length of max_l in G, the average round complexity of Π 1 (n, k) is [1 + (1/β)] × max_l, with a communication complexity of at most n × ν × (k + 2n + 1) per round.

Theorem 2. Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a k-path-disjoint graph G(V, E) for k ≤ n and domain S := {0, 1} ν . The protocol Π 1 (n, k) is a computational strict Nash equilibrium provided that

Theorem 3. Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a k-path-disjoint graph G(V, E) for k ≤ n and domain S := {0, 1} ν . Suppose that no player can acquire other secret keys unless information related to it is shared by another player through a transmission. The protocol

Proposed Protocol Π 2 (n, k): With Semi-Online Dealer
We now proceed to describe the second proposed protocol (Π 2 ) of this paper, which does not require an online dealer but only a semi-online one. Due to this limitation, compared to Π 1 , this protocol requires an additional VRF cryptographic primitive (as defined in Appendix D). Π 2 is inspired by the protocol of [8] (see Appendix E), but Π 2 includes several additional steps in order to accommodate a general network topology over the participants. Thus, given a graph G(V, E), assume that it is k-path-disjoint. The protocol assumes that for each pair a, b ∈ V representing distinct nodes of participants in the game, any transmission from a to b will be sent through k disjoint paths connecting a and b according to some order that could be known by all participants using a publicly known polynomial-time algorithm. For this purpose, we define two types of ordering termed path_ordering and transmission_ordering as follows:

Definition 22. Given a graph G(V, E) and a positive integer k, a path_ordering from a to b, with a, b ∈ V, a ≠ b, is a unique sequence of k disjoint paths from the origin-node a to the end-node b that can be efficiently constructed given some rule on the choice of paths.

Definition 23. Given an A GN game G with n + 1 participants associated with a graph G(V, E), a transmission_ordering for G is a unique sequence of paths that can be efficiently constructed given: (1) a rule on the ordering of pairs of distinct nodes in V and (2) a path_ordering for each distinct pair of origin-nodes and end-nodes. In addition, transmission_ordering marks the origin-nodes and end-nodes of each path in path_ordering with special symbols to differentiate them from nodes that are intermediate along the path.

Example 1. path_ordering: Let k > 0 and let G(V, E) be a k-path-disjoint graph with |V| > k. An example of a path_ordering for each distinct pair (a, b) of nodes in V is given by the following polynomial-time algorithm that operates according to a lexicographic rule:
step 1: on input (G, a, b), set path_ordering = ∅;
step 2: given a, b, list down all paths (not necessarily disjoint) in G from a to b;
step 3: obtain the lexicographically first path from a to b in the list and include it in path_ordering, then remove all nodes crossed by the path from G to arrive at a residual graph G′; using G′, repeat step 2-step 3 until k disjoint paths from a to b are in path_ordering.

Example 2. transmission_ordering: Let k > 0, and let G(V, E) be a k-path-disjoint graph with |V| > k. Let path_ordering be the same as in the prior example. Let G be an A GN game with |V| = n + 1 participants, such that the nodes V = {a 0 , a 1 , a 2 , . . . , a |V| } of G are assigned as follows: a 0 = d (the dealer), a 1 = p 1 (player 1), a 2 = p 2 (player 2), etc. An example of a transmission_ordering for G is given by the following polynomial-time algorithm:
step 1: on input G, set transmission_ordering = ∅;
step 2: construct the set pairings as follows: set the first pair in pairings as (a 0 , a 1 ), followed by a second pair (a 0 , a 2 ), etc., up to the nth pair (a 0 , a n ). After the nth pair, set the n + 1th pair as (a 1 , a 2 ), then the n + 2th pair as (a 1 , a 3 ), etc., up to (a 1 , a n ). Afterwards, the next pair is (a 2 , a 1 ) followed by (a 2 , a 3 ), etc., and so on, so that a 0 (at the left of a pair) is paired with n other nodes (at the right of a pair), and each player node (at the left of a pair) is paired with n − 1 other player nodes (at the right of a pair);
step 3: for each pair in pairings, compute path_ordering using the algorithm in the example above and include path_ordering in transmission_ordering, where the origin-node and end-node of each path in path_ordering are assigned special symbols.
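Examples 1 and 2 can be run as written; the following is an added sketch, not code from the paper. It assumes nodes are integers with 0 as the dealer, that paths are compared as tuples, that "nodes crossed" means intermediate nodes, and that a direct a-b edge is removed once used; the two graphs are constructed inputs, and on the second one the greedy rule runs out of paths and raises.

```python
def all_simple_paths(adj, a, b):
    """Step 2 of Example 1: every simple path from a to b as a tuple of nodes."""
    stack = [(a,)]
    while stack:
        path = stack.pop()
        for nxt in adj.get(path[-1], ()):
            if nxt == b:
                yield path + (b,)
            elif nxt not in path:
                stack.append(path + (nxt,))


def path_ordering(adj, a, b, k):
    """Example 1: repeatedly take the lexicographically first path, then shrink the graph."""
    residual = {u: set(vs) for u, vs in adj.items()}
    chosen = []
    while len(chosen) < k:
        candidates = list(all_simple_paths(residual, a, b))
        if not candidates:
            raise ValueError(
                f"greedy rule found only {len(chosen)} of {k} paths from {a} to {b}")
        first = min(candidates)          # lexicographic order on node tuples
        chosen.append(first)
        interior = first[1:-1]
        if not interior:                 # direct edge a-b: remove the edge itself
            residual[a].discard(b)
            residual[b].discard(a)
        for u in interior:               # remove intermediate nodes, keep a and b
            for v in residual.pop(u):
                if v in residual:
                    residual[v].discard(u)
    return chosen


def transmission_ordering(adj, n, k):
    """Example 2: dealer-to-player pairs first, then ordered player pairs."""
    pairs = [(0, j) for j in range(1, n + 1)]
    pairs += [(i, j) for i in range(1, n + 1) for j in range(1, n + 1) if i != j]
    ordering = []
    for a, b in pairs:
        for path in path_ordering(adj, a, b, k):
            marked = [("start", path[0])]
            marked += [("via", u) for u in path[1:-1]]
            marked.append(("end", path[-1]))
            ordering.append(marked)
    return ordering


def round_schedule(ordering):
    """One edge per round: entry r is the (sender, receiver) expected in round r."""
    schedule = []
    for marked in ordering:
        nodes = [u for _, u in marked]
        schedule.extend(zip(nodes, nodes[1:]))
    return schedule


# Constructed 2-path-disjoint network: dealer 0 and players 1..4 on a ring.
RING = {0: {1, 4}, 1: {0, 2}, 2: {1, 3}, 3: {2, 4}, 4: {3, 0}}
# Constructed graph where 0-1-3 and 0-2-3 are disjoint, but the first
# lexicographic path 0-1-2-3 consumes both of the dealer's neighbours.
STUCK = {0: {1, 2}, 1: {0, 2, 3}, 2: {0, 1, 3}, 3: {1, 2}}

if __name__ == "__main__":
    print(path_ordering(RING, 0, 2, 2))
    schedule = round_schedule(transmission_ordering(RING, 4, 2))
    print(len(schedule), "rounds; first five:", schedule[:5])
    try:
        path_ordering(STUCK, 0, 3, 2)
    except ValueError as err:
        print("STUCK:", err)
```

Every participant that runs the same functions on the same graph derives the same schedule, so a transmission arriving outside its round, or from an unexpected neighbour, is detectable locally.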
Given common knowledge on the structure of G(V, E) and the rules (i.e., polynomial-time algorithms) for constructing transmission_ordering, each player in the game can construct transmission_ordering in polynomial time on his own at the start of the game. In the protocol Π 2 below, only one participant is meant to send a transmission for each round. The participant to send a transmission is the origin-node in the paths of transmission_ordering, and the protocol prescribes participants to follow the transmission ordering contained in transmission_ordering according to the edges listed in its paths, where each edge in a path corresponds to one round of transmission. With this rule, each participant in the game knows whose turn it is to send or receive a transmission given a certain round. It follows that a participant can verify if it received or sent information according to the protocol or not. Given this, we now proceed to describe Π 2 .

Given a security parameter κ ∈ N, denote by ν := ν(κ) the value of a polynomial in κ. Let (V G , V E , V P , V V ) correspond to polynomial-time algorithms that give a secure Verifiable Random Function scheme, where V G : 1}. Let β be a parameter of a geometric distribution that is independent of κ. Let G be an A GN rational secret sharing game associated with a k-path-disjoint graph G(V, E) and domain S := {0, 1} ν , with n + 1 participants consisting of a dealer d and n players {p i } i∈[n] := N. The second protocol proposed in this paper, Π 2 (n, k), is described as follows.

1. Choose r * ∈ N according to a geometric distribution with parameter β;

2. Generate public and secret key pairs (pk 1 , sk 1 ), (pk 2 , sk 2 ), . . . , (pk n , sk n )

6. Construct transmission_ordering_a by listing down k disjoint paths from d to p 1 according to path_ordering followed by d to p 2 , then d to p 3 , etc., up to d to p n , such that in each path in transmission_ordering_a the origin-node d is marked with a special symbol start and the end-node of each path is marked with a special symbol end;

7. Construct transmission_ordering_b by listing down one arbitrarily chosen path for each pair of players starting with a path from p 1 to p 2 , followed by a path from p 1 to p 3 , etc., up to p 1 to p n . Afterwards, list down a path from p 2 to p 1 , followed by a path from p 2 to p 3 , etc. (The algorithm for path_ordering is not needed for transmission_ordering_b.) In each path in transmission_ordering_b, the origin-node is marked with a special symbol start, and the end-node of each path is marked with a special symbol end;

8.

Public Information dissemination Phase.
Let s 0 ∈ {0, 1} ν be a uniformly drawn number for each player p i ∈ N:

1. For i ∈ [n] and for j ∈ [k], d sends Ψ to p i according to transmission_ordering_a.

2. For i ∈ [n], if p i does not yet have Ψ and receives it for the first time, it checks if it is meant to receive Ψ according to transmission_ordering_a ∈ Ψ. If not, it outputs s 0 then aborts. Otherwise, it keeps the information if it is its turn to receive it (i.e., its own node is marked with end), or sends the transmission to the respective node dictated by transmission_ordering_a.

3. For i ∈ [n], if p i has a prior copy of Ψ (received from some previous round), it checks if it is meant to receive (or not receive) a transmission from some other node according to transmission_ordering_a in terms of the current round. If there is a violation, it outputs s 0 then aborts. Otherwise, if it received information, p i verifies if all of its copies of Ψ are so far equal. If not, it outputs s 0 then aborts. Otherwise, it keeps Ψ if it is its turn to receive it (i.e., its own node is marked with end), or sends the transmission to the respective node dictated by transmission_ordering_a.

4. For i ∈ [n], if p i still does not receive k copies of Ψ as dictated by transmission_ordering_a within max_l × n × k rounds, it outputs s 0 then aborts. Otherwise, it verifies that all k copies of Ψ it received are equal. If not, it outputs s 0 , then aborts.

5. After max_l × n × k rounds, if all checks above do not fail for any participant, all participants move on to phase 2.

2. For i ∈ [n] and for j ∈ [k], d sends {s i,j , s′ i,j } to the end-receiver p i according to transmission_ordering_a.

3. For i ∈ [n], if p i receives or does not receive a transmission from some other node in violation of transmission_ordering_a in terms of the current round, it outputs s 0 then aborts. Otherwise, it keeps the information if it is its turn to receive it (i.e., its own node is marked with end) or sends the transmission to the respective node as dictated by transmission_ordering_a.

4. For i ∈ [n], if p i still does not receive k sets of information (following the transmissions dictated by transmission_ordering_a) within max_l × n × k rounds, it outputs s 0 then aborts. Otherwise, given {s i,j } j∈[k] and {s′ i,j } j∈[k] , it reconstructs sk i = S R (s i,1 , s i,2 , . . . , s i,k ) and sk′ i = S R (s′ i,1 , s′ i,2 , . . . , s′ i,k ).

5. After max_l × n × k rounds, if all checks above do not fail for any participant, all participants move on to phase 3.

1. Given transmission_ordering_b, for i ∈ [n], if it is p i 's turn to transmit as the origin-node for the first time (i.e., its node is marked with start for the first time), p i computes the following: \i according to the transmissions dictated in transmission_ordering_b.

2. For i ∈ [n], if p i receives or does not receive a transmission from some other node in violation of transmission_ordering_b in terms of the current round, it outputs s r−1 then aborts. Otherwise, if its node is not marked with end (following transmission_ordering_b), it sends the transmission to the respective receiver node as dictated by transmission_ordering_b. However, if it is p i 's turn to receive information (i.e., its node is marked with end), it sets source as the index of the origin-node of the transmission, i.e., the transmission originates from player p source . Afterwards, it performs the following:
(a) Check if the information received is of the form (y r , z r , π r , ψ r ). If not true, output s r−1 and abort.
(b) Verify that both V V (pk source , r, y r , π r ) and V V (pk′ source , r, z r , ψ r ) are true. If any of these are false, abort.
(c) Check if n tuples of the form (y r i , z r i , π r i , ψ r i ) for indices i ∈ [n] have so far been acquired. If true, let I denote the player indices corresponding to such tuples. Compute h r i := h i ⊕ z r i for all i ∈ I, and interpolate a (n − 1)-degree polynomial H r using {h r i } i ∈I . If H r (0) = 0, output s r−1 immediately as the computed secret and abort.
(d) Otherwise, if H r (0) ≠ 0 in the above item, compute s r i as follows: set g r i := g i ⊕ y r i for all i ∈ I. Interpolate a (n − 1)-degree polynomial G r through {g i r } i ∈I and set s r i := G r (0).

3. For i, i′ ∈ [n], if p i : (a) did not receive any transmission from some other origin-node p i′ (i′ ≠ i) according to transmission_ordering_b within max_l × n 2 × k rounds, it outputs s r−1 then aborts.

4. After max_l × n 2 × k rounds, if all checks above do not fail for any participant, all participants move on to the next iteration in phase 3.
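The turn-taking rule that phase 3 relies on (one edge of transmission_ordering_b per round, with any unexpected or missing transmission treated as a violation), shown as an added example that is not code from the paper. It assumes a BFS shortest path as the "arbitrarily chosen path" and a constructed four-node network; all function names are hypothetical.

```python
from collections import deque


def choose_path(adj, src, dst):
    """BFS shortest path; stands in for the 'arbitrarily chosen path'."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in sorted(adj[u]):
            if v not in parent:
                parent[v] = u
                queue.append(v)
    if dst not in parent:
        raise ValueError(f"no path from {src} to {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def transmission_ordering_b(adj, players):
    """One path per ordered pair: p1->p2, p1->p3, ..., p2->p1, p2->p3, ..."""
    return [choose_path(adj, a, b) for a in players for b in players if a != b]


def round_schedule(ordering):
    """One edge per round: (sender, receiver, start node, end node)."""
    return [(u, v, path[0], path[-1])
            for path in ordering
            for u, v in zip(path, path[1:])]


def action(schedule, me, rnd, heard_from):
    """Decide what node `me` does in round rnd (1-based).

    heard_from is the neighbour a transmission arrived from this round,
    or None if nothing arrived. Any mismatch with the schedule is a
    violation, for which the protocol prescribes output-and-abort.
    """
    sender, receiver, _start, end = schedule[rnd - 1]
    expected = sender if receiver == me else None
    if heard_from != expected:
        return "abort"
    if receiver == me:
        return "keep" if end == me else "forward"
    return "send" if sender == me else "idle"


# Constructed sample network: dealer d and players p1..p3 (p1, p3 not adjacent).
ADJ = {
    "d": {"p1", "p2"},
    "p1": {"d", "p2"},
    "p2": {"d", "p1", "p3"},
    "p3": {"p2"},
}
PLAYERS = ["p1", "p2", "p3"]
ORDERING = transmission_ordering_b(ADJ, PLAYERS)
SCHEDULE = round_schedule(ORDERING)

if __name__ == "__main__":
    for rnd, (u, v, start, end) in enumerate(SCHEDULE, 1):
        print(f"round {rnd}: {u} -> {v}   (path {start} ... {end})")
```

Because every node derives the same schedule from common knowledge of the graph, silence in a round where a transmission is due is detected exactly like an unexpected message.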
Phases 1-2 of Π 2 follow the same principle as that of phase 1 in Π 1 , whereby, given that G is k-path-disjoint, participants take advantage of the k disjoint paths for each pair of nodes in G in order to transmit redundant information. With this, players can check the correctness of the transmitted data by comparing the k copies to each other. In phase 3 of Π 2 , however, instead of using k disjoint paths to transmit information, they use the properties of the VRF to verify that received data are correct. The absence of redundancy in phase 3 of Π 2 enables Π 2 to have lower communication complexity than Π 1 . The following results regarding Π 2 are obtained; their proofs are in the Appendix.

Theorem 4.
Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a k-path-disjoint graph G(V, E) for k ≤ n, and domain S := {0, 1} ν . The protocol Π 2 (n, k) is a computational Nash equilibrium, and is also a (n − 1)-key leakage-tolerant equilibrium provided that where β is the parameter of a geometric distribution. The average round complexity of Π 2 (n, k) is , and the communication complexity per round is at most O(6nν).

Theorem 5.
Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a k-path-disjoint graph G(V, E) for k ≤ n and domain S := {0, 1} ν . The protocol Π 2 (n, k) is a computationally strict Nash equilibrium provided that

Theorem 6.
Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a k-path-disjoint graph G(V, E) for k ≤ n and domain S := {0, 1} ν . Suppose that no player can acquire other secret keys unless information related to it is shared by another player through a transmission. The protocol

Proposed Protocol Π 2.1 (n, k): With Dealer Connected Directly to Each Player
The last protocol of this paper, Π 2.1 , induces a Φ-resilient computational Nash equilibrium, where Φ is the condition that a subset of nodes be 1-disconnected. The idea behind this protocol is to provide some equilibrium notions that allow for certain large-sized coalitions to be formed, contrary to the usual equilibrium notion where all coalitions are bounded by k. However, unlike Π 2 , the dealer is assumed to be directly connected to each player in Π 2.1 so that it can transmit shares and keys in one simultaneous move. Given this advantage, protocol Π 2.1 performs additional checks, whereby any transmission received by a node is checked for correctness. Given that any coalition is 1-disconnected, any transmission among members of the coalition has to pass through at least one player not belonging to the coalition, such that any deviations from the protocol will be checked. This prevents members of the coalition from sharing information, in particular secret keys, with each other outside of Π 2.1 .

Secret Generation and Key dissemination Phase.
The dealer performs the following to share a secret s ∈ {0, 1} ν :
1. Choose r * ∈ N according to a geometric distribution with parameter β;
2. Generate public and secret key pairs (pk 1 , sk 1 ), (pk 2 , sk 2 ), . . . , (pk n , sk n ) ← V G (1 κ );
3. Generate public and secret key pairs (pk′ 1 , sk′ 1 ), (pk′ 2 , sk′ 2 ), . . . , (pk′ n , sk′ n ) ← V G (1 κ );
4. Choose random (n − 1)-degree polynomials G ∈ F 2 ν [x] and H ∈ F 2 ν [x] such that G(0) = s and H(0) = 0;
5. Compute {g * i := G(i) ⊕ V E (sk i , r * )} i∈[n] and {h * i := H(i) ⊕ V E (sk′ i , r * + 1)} i∈[n] ;
6. Construct transmission_ordering_b by listing down one arbitrarily chosen path for each pair of players starting with a path from p 1 to p 2 , followed by a path from p 1 to p 3 , etc., up to p 1 to p n . Afterwards, list down a path from p 2 to p 1 , followed by a path from p 2 to p 3 , etc. (The algorithm for path_ordering is not needed for transmission_ordering_b.) In each path in transmission_ordering_b, the origin-node is marked with a special symbol start, and the end-node of each path is marked with a special symbol end;
7. Define the tuple of public information as:

Reconstruction Phase.
1. Given transmission_ordering_b, for i ∈ [n], if it is p i 's turn to transmit as the origin-node for the first time (i.e., its node is marked with start for the first time), p i computes the following: , if p i receives or does not receive a transmission from some other node in violation of transmission_ordering_b in terms of the current round, it outputs s r−1 then aborts. Otherwise, it checks transmission_ordering_b to determine the source of the transmission which is p source for some source ∈ [n]. Afterwards, given r and {r, y r , π r , z r , ψ r } in the transmission, p i checks that both V V (pk source , r, y r , π r ) and V V (pk′ source , r, z r , ψ r ) are true. If any of these are false, p i aborts. Otherwise, if p i 's node is not marked with end as per transmission_ordering_b, it sends the transmission to the respective receiver node as per transmission_ordering_b. However, if it is p i 's turn to receive information (i.e., its node is marked with end), it sets source as the index of the origin-node of the transmission, i.e., the transmission originates from player p source . Afterwards, it performs the following:
(a) Check if the information received is of the form (y r , z r , π r , ψ r ). If not true, output s r−1 and abort.
(b) Check if n tuples of the form (y r i , z r i , π r i , ψ r i ) for indices i ∈ [n] have so far been acquired. If true, let I denote the player indices corresponding to such tuples. Compute h r i := h i ⊕ z r i for all i ∈ I, and interpolate an (n − 1)-degree polynomial H r using {h r i } i ∈I . If H r (0) = 0, output s r−1 immediately as the computed secret and abort.
(c) Otherwise, if H r (0) ≠ 0 in the above item, compute s r i as follows: set g r i := g i ⊕ y r i for all i ∈ I. Interpolate an (n − 1)-degree polynomial G r through {g i r } i ∈I and set s r i := G r (0).

3. For i, i′ ∈ [n], if p i : (a) did not receive any transmission from some other origin-node p i′ (i′ ≠ i) according to transmission_ordering_b, it outputs s r−1 then aborts.

Equilibrium properties of Π 2.1 are stated in Theorem 7, which says that Π 2.1 guarantees a computational Nash equilibrium. The proof of Theorem 7 is in the Appendix. The more interesting result for Π 2.1 , however, is Corollary 1, which states that Π 2.1 can accommodate coalitions of a size larger than k, as long as these coalitions are 1-disconnected. An example instance for which Corollary 1 applies is shown in Figure 4. The coalition is 1-disconnected, since no member of the coalition is directly connected to every other member of the coalition. By Corollary 1, this set-up is allowed under Π 2.1 and results in a computational Nash equilibrium even if there is a coalition of size greater than k = 3.

Theorem 7.
Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a G(V, E) and domain S := {0, 1} ν such that E has edges from the dealer node to each of the player nodes. Let Φ denote the set of conditions Φ := {1-disconnected}. The protocol Π 2.1 (n, k) is a Φ-resilient computational Nash equilibrium provided that [(β × U + ) + (1 − β) × U rand − U] < 0, where β is the parameter of a geometric distribution.

Corollary 1.
Given κ ∈ N, let ν := ν(κ) denote the value of a polynomial in κ. Let G be an A GN game with n + 1 participants associated with a G(V, E) and domain S := {0, 1} ν such that E has edges from the dealer node to each of the player nodes. Let Φ denote the set of conditions Φ := {1-disconnected}. If Π 2.1 (n, k) is a Φ-resilient computational Nash equilibrium, then Π 2.1 (n, k) is resilient against some coalitions of size larger than k.
Proof. By the definition of a Φ-resilient computational Nash equilibrium, if a protocol is Φ-resilient, then it is secure against any coalition that satisfies the requirements of Φ regardless of their size. The corollary thus follows.

Possible Directions for Future Work
Some possible directions for future work are as follows:

1. Our paper showed the existence of protocols that guarantee equilibria in an A GN secret sharing game given very specific graph-theoretical properties. Natural extensions over these results would be to investigate if there are certain protocols that induce equilibria over more general graph-theoretical properties. On the other hand, one could also investigate if there are other graph-theoretical properties that allow either computationally strict Nash equilibria or Φ-equilibria. For instance, aside from 1-disconnected, could other properties also be included in Φ in order to tolerate larger coalitions?

2. Our protocols could be further simplified or optimized in terms of their round and communication complexity. For instance, there may be more computationally efficient secret sharing schemes aside from Shamir Secret Sharing that allow the protocol to induce the same types of equilibria. It is also possible to further improve the complexity of the (n, k) Shamir Secret Sharing used in securely distributing the secret along k-disjoint paths.

Conclusions
In this paper, we address the problem of designing secret sharing protocols over a general network with rational players, such that these protocols induce the desirable equilibrium outcome whereby it is advantageous for each player to stick to the protocol and let all players correctly reconstruct the secret in the process. We present three protocols. Our first protocol uses the pseudorandom cryptographic primitive along with a standard Shamir Secret Sharing scheme in the presence of an online dealer. The second protocol uses a more sophisticated cryptographic primitive, namely VRFs, in order to reduce communication complexity relative to the first protocol, and requires only a semi-online dealer. Our third protocol is similar to the second protocol, but requires a special type of general network whereby the dealer is directly connected to each player.
To formally express the game-theoretic behaviour of our protocols in the context of computational complexity, we utilize existing notions of computational Nash equilibrium and also present novel notions of computational equilibria, namely, (n − 1)-key leakage-tolerant equilibrium and Φ-resilient computational Nash equilibrium. Our results and proofs show that our first and second protocols, Π 1 and Π 2 , respectively, both induce an (n, k) strict computational Nash equilibrium, a (n − 1)-key leakage-tolerant equilibrium, and a (k − 1)-resilient computational Nash equilibrium relative to certain values of the geometric distribution parameter β and the values of the players' utilities U + , U, U − . The communication complexity of Π 2 per round is less than that of Π 1 , but Π 2 has much higher round complexity. Finally, for the third protocol, Π 2.1 , we show that it induces a Φ-resilient computational Nash equilibrium, where Φ contains the graphical property of being 1-disconnected. This implies that under Π 2.1 , certain coalitions of size larger than k can be tolerated by the protocol as long as the location of the members of the coalition in the network's graph satisfies the 1-disconnected property.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Coalition Equilibrium Notions
Definition A1. Let script d be as in Definition 15. Given a coalition C, we define view Π −C as follows. Let script C denote the transmissions of members of C to adjacent player nodes that are not members of C over the course of the game. script C does not include any transmissions of members of C, once a member of C outputs a guess of the secret s. Let script −C denote the set of transmissions of p i for i ∈ [n] with i ∈ C to its adjacent nodes over the course of the game. Let all participants follow the strategies prescribed by Π. view Π −i is defined as information which includes script d , script C , and script −C , plus all randomness involved in the computations of p i for i ∈ [n] with i ∈ C across all rounds.

Definition A2. Let ρ C be a set of strategies of members of C such that ρ C = σ C . Let all participants (except those in C) follow the strategies prescribed by Π, while members of C follow ρ C . Given this set of strategies, let script d , script C , script −C be as in Definition A1. Let T be some polynomial-time algorithm that knows the entire view of members of C as they follow ρ C , and which outputs a truncation script C of script C . We define view T,ρ C ,Π −C as information which includes script d , script C , script −C , plus all randomness involved in the computations of p i for i ∈ [n] with i ∈ C across all rounds. Similarly, define view ρ C ,Π −C as the same information contained in view T,ρ C ,Π −C but which excludes reference to T.

Definition A3. Let f denote a negligible function over κ. For a coalition C, a strategy ρ C is equivalent with respect to Π, or ρ C ∼ Π if there exists a polynomial-time algorithm T such that for all polynomial-time distinguishers D, we have:

Definition A4. Π induces a (k − 1)-resilient computational strict Nash equilibrium if: (1) it induces a (k − 1)-resilient computational Nash equilibrium and (2) for any coalition C ⊆ P such that |C| < k, and any polynomial-time strategy σ C such that σ C ∼ Π, there is a c > 0 such that u C (σ) ≥ u C (σ C , σ −C ) + 1/κ c for infinitely many values of κ.

Appendix B. Security of the Shamir Secret Sharing Scheme
The security notion of an (n, k) secret sharing scheme is stated formally in [2], whereby an (n, k)-secret sharing scheme (S G , S R ) over S is secure if, for all possible secrets s, s′ ∈ S and every subset {s 1 , s 2 , . . . , s k−1 } ⊆ S k−1 of size k − 1, the distribution of S G (s) is identical to the distribution of S G (s′), such that given any set of shares of size k − 1, one cannot tell if the secret is s or s′ for all s, s′ ∈ S. For a specific instance of a secure (n, k) secret sharing scheme, below is a non-rational (n, k)-Shamir Secret Sharing scheme based on Lagrange Interpolation from [1].
[Share Generation.] S G (s): on input secret s, let Z p be a field for some prime p. Perform the following given n and k: Define the polynomial f (x) ∈ Z p [x] as f (x) := r k−1 x k−1 + r k−2 x k−2 + · · · + r 1 x + c; 3.
Evaluate y i = f (x i ) and set s i := (x i , y i ) for i ∈ [n]; 5.
[Secret Reconstruction.] S R (s ): on input s of size at least k, perform the following: 1.
Using any set of k shares from s', i.e., {s i := (x i , y i )} i∈ [j] , re-construct f (x) using Lagrange interpolation by constructing k polynomials of the form L i (x) below: and return s := g(0).
Lemma A1. From [2], the scheme above is a secure (n, k)-secret sharing scheme.
The following Lemma is a standard result using Lagrange Interpolation.

1. Pseudorandomness: The pseudorandom security of a pseudorandom function Λ is defined in terms of an Attack Game between a challenger and an adversary. Given κ, at the start of the game, the challenger randomly draws b ∈ {0, 1} and selects a random function f from S to Y. The adversary submits a sequence of queries to the challenger, where each query consists of an element s ∈ S. If b = 0, the challenger draws sk ← SK and submits Λ(sk, s) to the adversary. If b = 1, the challenger submits f (s) to the adversary. The game ends once the adversary submits a guess b′ ∈ {0, 1}; the adversary wins if b′ = b. The advantage of the adversary in this game is defined as | Pr[b′ = b] − 1/2|. The pseudorandom function P is a secure PRF if the advantage of any polynomial time adversary in this game is negligible in κ. It follows that the distribution of the output of Λ is indistinguishable from uniform.

2. Secure key recovery: Let Λ : SK × S → Y be a pseudorandom function. Given s ∈ S and y ∈ Y, it is computationally difficult to compute sk ∈ SK such that Λ(sk, s) = y.
We note that while secure key recovery is not normally included among the properties of a pseudorandom function in the literature [2], given that pseudorandomness is a stronger property than secure key recovery, we explicitly include it here for reference in the proofs.

Appendix D. Verifiable Random Functions
Definition A6. A verifiable random function (VRF) scheme with range R = {R} κ is a tuple of probabilistic polynomial-time algorithms (V G , V E , V P , V V ), where V G is a key generation algorithm, V E is an evaluation algorithm, V P is a proof generation algorithm, and V V is a proof verification algorithm. The following properties are required of a VRF following [8,24]:
1. Correctness: given κ, let (pk, sk) ← V G (1 κ ). Let y ← V E (sk, x) and π ← V P (sk, x) for some κ-bit input x. We have V V (pk, x, V E (sk, x), V P (sk, x)) = 1 with probability 1.
2. Verifiability: given κ, for all possible (pk, sk) ← V G (1 κ ), there does not exist a tuple (x, y, y′, π, π′) with y ≠ y′ such that V V (pk, x, y, π) = 1 = V V (pk, x, y′, π′).
3. Uniqueness of proofs: given κ, for all possible (pk, sk) ← V G (1 κ ), there does not exist a tuple (x, y, π, π′) with π ≠ π′ such that V V (pk, x, y, π) = 1 = V V (pk, x, y, π′).
4. Pseudorandomness: the security notion for pseudorandomness of a VRF is defined in terms of an Attack Game between a challenger and an adversary. Given κ, at the start of the game, the challenger samples b ∈ {0, 1}, and (pk, sk) ← V G (1 κ ) then gives pk to the adversary. The adversary adaptively sends a finite number of queries x i ∈ R κ to the challenger, for which the challenger returns (y i , π i ) = (V E (sk, x i ), V P (sk, x i )). At some point, the adversary performs a challenge query, whereby it sends the challenge query input x * to the challenger (subject to the restriction that x * is not in any previous query). Once the challenger receives x * , if b = 0, the challenger returns the challenge ciphertext y * = V E (sk, x * ) to the adversary. However, if b = 1, the challenger returns a uniformly sampled y * ← R κ . After the challenge query, the adversary may proceed to query the challenger again for a finite number of times (subject to the restriction that no query is equal to x * ). The game ends once the adversary outputs a guess b′ ∈ {0, 1}. The adversary wins if b = b′. Under this Attack Game, a VRF is pseudorandom if, for all polynomial-time adversaries, the advantage |1/2 − Pr

Appendix E. Protocol by Fuchsbauer et al.
The following protocol by [8] provides an exactly t-out-of-n secret sharing. Let (V G , V E , V P , V V ) correspond to polynomial-time algorithms that give a secure Verifiable Random Function Scheme. To share a secret s ∈ {0, 1} l to n players p 1 , p 2 , . . . p n , [8]'s protocol has a sharing phase followed by a reconstruction phase, as follows: 1. Secret Generation and Key dissemination Phase.

Reconstruction Phase.
1. Each player p i chooses s 0 i uniformly, and in each iteration, each p i performs the following:

(a) Send the following to all players:
• y r i = V E (sk i , r) and z r i = V E (sk′ i , r);
• V P (sk i , r) and V P (sk′ i , r).

(b) If p i receives nothing or an incorrect proof from some other player p j , p i terminates and outputs s r−1 i and aborts. Otherwise:
• p i sets h r j := h j ⊕ z r j for all other players, and interpolates a (t − 1) polynomial H r through these points. If H r (0) = 0, p i outputs s r−1 i and aborts.
• Otherwise, p i sets g r j := g j ⊕ y r j and interpolates a (t − 1) polynomial G r through these points. It sets s r i := G(0).

Appendix E.1. Issues under a General Network with Combining SMT and [8]'s Protocol
Suppose that in some k-path disjoint graph, the dealer d is not directly connected to some player p l , but there is a path from d to p l passing through another player p i . Suppose that the prior protocol by [8] is implemented together with SMT in a general network, whereby, under this protocol's strategy, the dealer d sends (sk l , sk′ l ) to p l securely using SMT. Following SMT, (sk l , sk′ l ) is broken down into several sub-shares and is sent along k-disjoint paths to p l , from which p l securely reconstructs (sk l , sk′ l ). However, under the protocol of [8], the dealer d also has to send the tuple of public information Ψ := ({pk j , pk′ j } j∈[n] , {g j } j∈[n] , {h j } j∈[n] ) to player p l in phase 1. However, given that Ψ is public, SMT is no longer applied to Ψ under this protocol. Instead, d sends Ψ to p i , under the assumption that p i merely has to send Ψ to p l without any modifications. In addition, The strategy of this protocol for p i , however, is dominated by another strategy. Namely, in this dominating strategy, p i mauls {h j } j∈[n] . As a result of this action by p i , p l can no longer correctly compute H(0) = r * + 1 in the secret reconstruction phase, and p l cannot determine if the definitive iteration has been reached. However, p i continues to receive the correct information from p l during the secret reconstruction phase given that the tuple (y r l , z r l , V P (sk l , r), V P (sk′ l , r)) provided by p l is independent of {h j } j∈[n] . This implies that p i can still correctly compute H(0) = r * + 1 and determine if the definitive iteration has been reached, while p l can no longer do so. Given the utility assumptions in Section 2.3, p i has higher utility under this strategy since it means that one less player gets to know about the secret. It could be seen that if p l were able to determine that the Ψ it received from p i is mauled, then p l could avoid this situation by aborting. This is the idea behind the duplication checks in the proposed protocols of this paper.

transmission, then at least one other player p j aborts before iteration r * + 1, which implies that view σ i ,Π 1 = view Π 1 and, therefore, σ i ∼ Π 1 .
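The dealer's masking of G(i) and H(i), the H r (0) = 0 stopping test of the reconstruction phases, and the mauled-Ψ issue of Appendix E.1 with its duplication check, as an added example (not code from the paper or from [8]). Assumptions: HMAC-SHA256 truncated to ν = 128 bits stands in for V E with no proofs (V P , V V omitted), the field is F 2^128 with reduction polynomial x^128 + x^7 + x^2 + x + 1, and the secret, keys and r * are constructed sample values.

```python
import hashlib
import hmac
import secrets

NU = 128                          # bit length nu of the field F_{2^nu}
MOD = (1 << NU) | 0x87            # x^128 + x^7 + x^2 + x + 1 (irreducible)


def gf_mul(a, b):
    """Multiply in F_{2^128}: carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> NU:
            a ^= MOD
    return r


def gf_inv(a):
    """Inverse as a^(2^128 - 2); a must be non-zero."""
    result, e = 1, (1 << NU) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def interp_at_zero(points):
    """Lagrange interpolation at x = 0 (subtraction is XOR in char. 2)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xi)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def v_e(sk, r):
    """Stand-in for V_E(sk, r): truncated HMAC-SHA256 (assumption, no proof)."""
    mac = hmac.new(sk, r.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: NU // 8], "big")


def deal(secret, n, r_star):
    """Dealer: mask G(i) with round r*, and H(i) with round r* + 1."""
    sk = [secrets.token_bytes(32) for _ in range(n)]     # keys masking g
    sk_p = [secrets.token_bytes(32) for _ in range(n)]   # second keys, for h
    G = [secret] + [secrets.randbits(NU) for _ in range(n - 1)]  # G(0) = s
    H = [0] + [secrets.randbits(NU) for _ in range(n - 1)]       # H(0) = 0
    g = [poly_eval(G, i + 1) ^ v_e(sk[i], r_star) for i in range(n)]
    h = [poly_eval(H, i + 1) ^ v_e(sk_p[i], r_star + 1) for i in range(n)]
    return (tuple(g), tuple(h)), sk, sk_p


def reconstruct(psi, sk, sk_p, max_iter):
    """One player's view; the keys simulate the y/z values all players send.
    Returns (output, stopping iteration) or (last guess, None)."""
    g, h = psi
    prev = secrets.randbits(NU)                  # s^0: uniform initial guess
    for r in range(1, max_iter + 1):
        hr = [(i + 1, h[i] ^ v_e(sk_p[i], r)) for i in range(len(h))]
        if interp_at_zero(hr) == 0:              # H^r(0) = 0, so r = r* + 1
            return prev, r
        gr = [(i + 1, g[i] ^ v_e(sk[i], r)) for i in range(len(g))]
        prev = interp_at_zero(gr)                # s^r := G^r(0)
    return prev, None


def copies_agree(copies):
    """Duplication check: all k received copies of Psi must be identical."""
    return all(c == copies[0] for c in copies)


def demo():
    secret, n, k, r_star = 0x5EC4E7, 4, 3, 3     # constructed sample values
    psi, sk, sk_p = deal(secret, n, r_star)
    honest = reconstruct(psi, sk, sk_p, max_iter=8)
    g, h = psi
    mauled = (g, (h[0] ^ 1,) + h[1:])            # one bit of h_1 altered in transit
    victim = reconstruct(mauled, sk, sk_p, max_iter=8)
    flagged = not copies_agree([psi] * (k - 1) + [mauled])
    return honest, victim, flagged, secret, r_star
```

The player holding the altered copy never sees H r (0) = 0 and so never learns which iteration was definitive, while comparing the k copies received over disjoint paths flags the altered one before reconstruction starts.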
Lemma A5. Given Π 1 (n, k), denote by σ the corresponding set of strategies prescribed by Π 1 . Let p i follow some polynomial-time strategy σ i and let all other players follow σ −i . The event abort occurs due to p i with non-negligible probability if for some iteration r ≤ r * , any of the following occurs: (1) p i aborts before iteration r * + 1; (2) some path encoding in a transmission from either the dealer or some other player is not followed in phase 2 by p i ; (3) in some transmission, p i sends h • such that h • = h (where h is from the dealer); (4) in some transmission from p l to p j that passes through p i , p i sends (ĝ l ,ĥ l ) such that (ĝ l ,ĥ l ) = (g r l , h r l ); (5) with p i as the origin-node, p i sends (ĝ i ,ĥ i ) such that (ĝ i ,ĥ i ) = (g r i , h r i ); or (6) maul occurs in phase 1 due to p i . If abort occurs due to p i , we have σ i ∼ Π 1 .
Proof. For (1), if p i itself aborts before iteration r * + 1, then abort occurs by definition. For (2), if p i does not follow some path encoding in a transmission from either the dealer or some other player (either by refusing to send or by modifying the path encoding), the same reasoning and cases as in the proof for Lemma A4 applies (changing the origin-node of the path encoding from the d to some other player's node as the case may be). Therefore, abort occurs in this case. For (3) if p i sends h • such that h • = h (where h is from the dealer) to some other player p j (i = j), this change will be detected by p j given that it has k − 1 other copies of h . In this case, p j aborts, and abort occurs. The same reasoning applies for (4), whereby if p i sends (ĝ l ,ĥ l ) such that (ĝ l ,ĥ l ) = (g r l , h r l ) to p j for some j ∈ [n] \ {i, l}, the player p j will detect this given that it has k − 1 other copies of (g r l , h r l ). In this case, p j aborts and abort occurs.
, the other players would not detect this using the k − 1 other copies of (ĝ i , ĥ i ) since they are all equal. However, the players will detect the change given that ⊕ i∈[n] h r i = h with non-negligible probability, and abort occurs. This also implies (6) since, if p i modified some share s l,j meant for p l (i = l) (i.e., maul occurs due to p i ) along the jth path to p l , the player p l computes a secret key sk l such that sk l = sk l . It follows that all computations of p l involving Λ are affected by this change from sk l to sk l . In particular, p l computes ĥ r l = Λ(sk l , r) such that ĥ r l = h r l with non-negligible probability. It follows that ⊕ j∈[n]\l h r j ⊕ ĥ r l = h with non-negligible probability, and abort occurs. The same applies if p i for some reason modified s i,j for some j ∈ [k] (i.e., a share that is meant for p i as end-receiver).
Denote by view σ i ,Π 1 the set of information following Definition 16. For the last statement of the Lemma, we have σ i ∼ Π if view σ i ,Π 1 = view Π 1 . If p i performs any of (1)- (6) under σ i , then at least one other player p j notices this and abort occurs as shown above, which implies that view σ i ,Π 1 = view Π 1 and therefore σ i ∼ Π 1 .

Definition A9.
Let φ i denote the relevant information from p i 's point of view for achieving utilities U + or U at any information set in either phase 1 or 2 of Π 1 (n, k). It follows that we , and the polynomials H and G are all indistinguishable from random. In addition, the probability of guessing r * is β.
Proof. Without loss of generality, let p i acquire n − 1 secret keys except the last one, sk n , which is owned by p n . We first show that the above Lemma does not hold if p i has n pairs of secret keys at its disposal. Suppose that p i knows sk n as well. A strategy for p i to compute r * is to evaluate h r i = h * i ⊕ Λ(sk i , r) for i ∈ [n] and for r < 2 κ − 1 in one round maul modify sk j for j ∈ [n] to ŝk j such that ŝk j = sk j . Information from phase 1 received by p i is independent of the value of the modified ŝk j due to maul. Hence, the situation of p i in phase 1 is similar to its situation if maul did not occur. Using Lemma A6, we arrive at the statement of Lemma A6 for phase 1. It follows that without information on H and G, p i 's guess of s (so that true(i) occurs) is as good as random. Since this holds for any player, the Lemma is proven for phase 1. For phase 2, by the pseudorandomness of Λ, it follows that with non-negligible probability, we have Λ(ŝk j , r) = Λ(sk j , r) for all r > 0. In particular, at iteration r = 1, we have ĥ 1 Thus, the check in Π 1 fails at iteration 1 of phase 2 with non-negligible probability, and all players are forced to guess s from the uniform distribution. This proves the Lemma.
Lemma A9. Suppose that no player can acquire other secret keys unless information related to it is shared by another player through a transmission. For any coalition C ⊆ N of size at most k − 1, suppose that maul occured in phase 1 due to some deviation of p i ∈ C from Π 1 (n, k). The probabilities of true(i) and true(-i) are8 negligible at any phase.
Proof. This is a corollary of Lemma A8. Given that in a coalition C of size k − 1, the members can share up to k − 1 secret keys, the results of Lemma A8 can be applied to each member of C, which assumes a stronger condition of up to n − 1 secret keys.
Lemma A10. Given Π 1 (n, k), let p i follow any polynomial-time strategy σ i , and let the rest of the players follow strategies σ −i prescribed by Π 1 . We have the following, where S is the domain of the secret, and where f is some negligible function in κ. This result holds even if σ i led p i to acquire less than n secret keys.
for all information sets I in iteration r ≤ r * in phase 2. By Lemma A3, statements (1)-(6) follow under stat = maul.
Suppose now that stat=maul, where p i modified a share in phase 1. As per Π 1 , for players p j ≠ p i , no abort is performed in phase 1 due to a share's value. It follows that for p j ≠ p i , their actions in phase 1 are independent of maul or maul. For p i , following the above paragraph, we have that the distribution of φ i under e 1 in phase 1 is indistinguishable from the distribution of φ i in phase 1 under e 2 . Since this holds even if maul occurs, statement (1) follows under phase 1. For phase 2, as shown in the proof of Lemma A8, with non-negligible probability, all players abort at iteration 1 and are forced to output a random guess for s due to maul. Thus, under both e 0 and e 1 , the probability of the event early ∧ true(i)|maul in statement (6) holds with non-negligible probability. All other events in statements (2)-(5) are negligible, and the Lemma follows under phase 2.
Lemma A12. Under Π 1 (n, k), for any polynomial-time strategy σ i adopted by p i , there exists a negligible function f in κ such that we have the following, given a fixed stat ∈ {maul, maul} for each statement. This result holds even if σ i led p i to acquire less than n secret keys: represent the tuple of coordinates formed from φ i (I) at iteration r ≤ r * in phase 2, where h p c (j) = h * j ⊕ Λ(sk j , r) for j ∈ [n − 1] (and where ŝk i = sk i under e 2 , and h * i is randomly sampled in both e 1 and e 2 ). Combining this tuple with the coordinate (0, 0) results in an interpolated candidate polynomial H r c such that H r c (0) = 0. This gives a target value H r c (n) = ŷ. It follows that H r (0) = 0 if and only if h * n ⊕ Λ(sk n , r) = ŷ or ŷ ⊕ h * n = Λ(sk n , r). By the pseudorandomness of Λ, the probability that ŷ ⊕ h * n = Λ(sk n , r) is close to uniform. Thus, the probability of case 2 is negligible. This in turn implies that the complement of case 2 in phase 2, i.e., case 3, is non-negligible. However, given case 3, the situation of players under e 2 is no different from their situation under e 1 and e 0 . Moreover, by the pseudorandomness of Λ, from the point of view of p i , the distribution of Λ(sk i , r) is indistinguishable from the distribution of Λ(ŝk i , r) for r > 0. It follows that the distribution of φ i (I) under e 1 is no different from the distribution of φ i (I) under e 2 for all information sets I in phase 1 and for all information sets I in iteration r ≤ r * in phase 2. By Lemma A3, statements (1)-(7) follow under stat = maul.
Suppose now that stat=maul, where p i modified a share in phase 1. As per Π 1 , for players p j ≠ p i , no abort is performed in phase 1 due to a share's value. It follows that for p j ≠ p i , their actions in phase 1 are independent of maul or maul regardless of the change from sk i to ŝk i . For p i , following the above paragraph, we have that the distribution of sk i is indistinguishable from the distribution of ŝk i conditional on k − 1 other shares. Since this holds even if maul occurs, given Lemma A8, statements (1)-(2) follow under phase 1. For phase 2, as shown in the proof of Lemma A8, with non-negligible probability, all players already abort at iteration 1 under e 1 and are forced to output a random guess for s due to maul. The reasoning of Lemma A8 holds even if sk i is changed to ŝk i . Thus, under both e 1 and e 2 , the probability of the event early ∧ true(i)|maul in statement (7) holds with non-negligible probability. All other events in statements (2)-(6) are negligible and the Lemma follows under phase 2.
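The interpolation check used in the proofs of Lemmas A8 and A12 can be run on toy parameters. The Python sketch below is an added example, not code from the paper: it assumes the prime field GF(2^61 − 1), HMAC-SHA256 truncated to 61 bits as a stand-in for Λ, and a dealer that sets h * j = H(j) ⊕ Λ(sk j , r * ) for a polynomial H of degree at most n − 1 with H(0) = 0. All function names are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1   # assumed toy field modulus (prime)
NU = 61         # assumed bit length of masks and field elements

def prf(sk: bytes, r: int) -> int:
    """Stand-in for Λ(sk, r): HMAC-SHA256 truncated to NU bits (assumption)."""
    d = hmac.new(sk, r.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(d, "big") >> (256 - NU)

def lagrange_at(points, x):
    """Evaluate at x the unique polynomial through `points` over GF(P)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def deal(n, r_star):
    """Assumed dealer: random H with H(0)=0, deg <= n-1; h*_j = H(j) XOR Λ(sk_j, r*)."""
    coeffs = [0] + [secrets.randbelow(P) for _ in range(n - 1)]
    H = lambda x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
    keys = {j: secrets.token_bytes(32) for j in range(1, n + 1)}
    masked = {j: H(j) ^ prf(keys[j], r_star) for j in keys}
    return keys, masked

def target_y(known, masked, n, r):
    """ŷ = H_c^r(n): candidate through (0,0) and the n-1 unmasked points."""
    pts = [(0, 0)] + [(j, (masked[j] ^ prf(sk, r)) % P) for j, sk in known.items()]
    return lagrange_at(pts, n)

def check_passes(known, masked, n, r, sk_n):
    """H^r(0) = 0 holds iff h*_n XOR Λ(sk_n, r) equals ŷ."""
    return (masked[n] ^ prf(sk_n, r)) % P == target_y(known, masked, n, r)

def scan(known, masked, n, sk_n, limit):
    """Iterations r in 1..limit at which the check passes for the given sk_n."""
    return [r for r in range(1, limit + 1) if check_passes(known, masked, n, r, sk_n)]
```

With all n keys the scan singles out r * , which is the strategy ruled out at the start of the proof of Lemma A8; with only n − 1 keys, ŷ is computable but testing it needs Λ(sk n , r), so a substituted key passes only with probability about 2^−61 per iteration.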
Proof of Theorem 1. The proof for this theorem follows the flow in the proof of [8]. Let Exp 0, Exp 1 and Exp 2 be defined as in Definition A10. Denote by (σ i , σ −i ) a polynomial-time strategy where p i follows some polynomial-time strategy σ i , and all other players follow strategies σ −i prescribed by Π. For correctness of Π 1 , in phase 2, if all active n parties run Π honestly, the correct secret is reconstructed by Lagrange interpolation unless: (1) r * ≥ 2^κ − 1 or (2) if for some r < r * + 1 and i ∈ [n], we have H(i) = h r i = Λ(sk i , r). Sampling r * such that r * ≥ 2^κ as in (1) occurs with negligible probability and the pseudorandomness of Λ implies that (2) occurs with negligible probability as well. Thus, the correctness of Π with overwhelming probability is shown. Denote by u i (σ i , σ −i ) the expected utility of player p i across phases 1 and 2 if (σ i , σ −i ) is followed. Denote by u 2 i (σ i , σ −i ) the expected utility of player p i achieved during phase 2 (conditional on the event that it has reached phase 2 under σ i ). Note that u 2 i (σ i , σ −i ) > 0 if and only if short has not occurred. We first consider the differences in utilities under the experiments in phase 2, followed by a combination of the differences in utilities under the experiments in both phases 1 and 2, similar to a backward-induction process. Combining all possibilities of events described in Definition A7 that apply to phase 2, we have the following expression for u 2 i (σ i , σ −i ): To come up with an expression for u 2 i (σ i , σ −i ), we modify some terms in util i (Pr, stat). All probabilities that involve events with exact ∧ true(i) can be ruled out since there exists a polynomial-time strategy for which this event occurs with probability 0. For instance, take the strategy, form a guess for r = r * , then output s r at iteration r. It follows that if exact occurs, true(i) automatically occurs as well.
The probability Pr[exact ∧ true(−i)] can be replaced with some negligible function (say 1/|S |) given that if exact occurs at iteration r since p i aborts, other players will output s r−1 , which is not equal to the secret s with non-negligible probability. The same applies to Pr[early ∧ true(−i)]. We also note that Pr[true(−i)|late, stat] = 0 if stat = maul as per Lemma A10, since at iteration r = r * + 1, all other players will output s r−1 = s regardless of the actions of p i . Moreover, any strategy such that Pr[true(i)|late, maul] occurs with positive probability is strictly dominated by a strategy that sets the probability of this event to 0, i.e., since p i reached late, this means that it followed strategies equivalent to Π 1 up to iteration r * + 1. At iteration r * + 1, all players can learn both r * and s. Under Π 1 , all other players will output s regardless of the actions of p i at iteration r * + 1, so p i will gain the most utility if it follows other players and outputs s as well. From these statements, we denote the upper bound for u 2 i (σ i , σ −i ), as follows: From Lemma A11, we have |u 2 i (σ i , σ −i ) − U exp_1 | ≤ f (κ) for some negligible function f in κ. It follows that U exp_1 also represents an upper bound for u 2 i (σ i , σ −i ) with some negligible difference. Let abort ∧ stat := (early ∧ stat) ∪ (exact ∧ stat) for stat ∈ {maul, maul}. Information-theoretically, we have Pr 1 [exact|abort, stat] = β and Pr 1 [early|abort, stat] = 1 − β since β is independent of stat. Using Lemma A10, we have the following bound for U exp_1 : Simplifying the above equations, we have: By assumption, we have U > U rand and [(β × U + ) + (1 − β) × U rand − U] < 0. Hence, U exp_1 is maximized if Pr 1 [maul] > 0 and if Pr 1 [abort|maul] is minimized. Using the above equations, we define the following: so that U exp_1 = (Pr 1 [maul] × U exp_1|maul ) + (Pr 1 [maul] × U exp_1|maul ).
We now consider differences in utilities between Exp 1 and Exp 2, as well as combine phases 1 and 2 of the protocol. Given any polynomial-time strategy (σ 1 i , σ −i ), we have the following expression for u i (σ i , σ −i ), using the following facts: (1) U + > U > U − , and (2) for stat ∈ {maul, maul}, the sum of Pr 1 [short ∧ true(i) ∧ true(−i)|stat] and Pr 1 [short ∧ true(i) ∧ true(−i)| stat] is equal to the probability Pr 1 [short ∧ true(i)|stat] (and the same applies as well to Pr 1 [short∧true(i)]): Let u i (σ i , σ −i ) represent an upper bound for u i (σ i , σ −i ) for which the above expression holds with equality. We now define U exp_2 as follows: where the last line uses the definition U exp_1|maul = U rand . This gives us: From Lemma A12, we have |u i (σ i , σ −i ) − U exp_2 | ≤ f (κ) for some negligible function f in κ. It follows that U exp_2 represents an upper bound for u i (σ i , σ −i ) with some negligible difference. Define the equations (note the change from Pr 1 to Pr 2 ): Using Lemma A12 again, both Û exp_1|maul and Û exp_1|maul differ from U exp_1|maul and U exp_1|maul by a negligible factor, respectively. This gives us the following expression, where f is a negligible function in κ: Finally, to prove that Π is a computational Nash equilibrium, we have to show that for any polynomial-time strategy σ i adopted by p i , we have u i (σ i , σ −i ) ≤ U + f (κ) for some negligible function f in κ. Combining all of the above, we have the following, which proves Π 1 is a computational Nash equilibrium (i.e., u i (σ i , σ −i ) ≤ U + f (κ) for some negligible f in κ): B − := [(β × U + ) + (1 − β) × U rand − U] < 0 by assumption.
This proves that Π 1 is a computational Nash equilibrium. To show that Π 1 is also an (n − 1)-key leakage-tolerant equilibrium, we note that Lemmas A5, A4, A8, A11, and A12 used in the proof above hold even if a player acquires n − 1 secret keys. For the round complexity, in each round of Π 1 , each participant in the game can simultaneously send k transmissions along k disjoint paths to several other participants. Each transmission takes at most max_l rounds before it reaches its end-receiver. Phase 1 would then take up to max_l rounds, and each iteration in phase 2 takes up to max_l rounds. Given β, the expected value of r * is 1/β, from which it follows that an average of up to 1/β + 1 rounds will take place in phase 2, and we have that the average round complexity is 2 + 1/β rounds as stated. Finally, for the communication complexity, the largest number of bits is communicated by the dealer during phase 1, which amounts to a total of ν × (k + 2n + 1) per player. Since there are n players, we have that the maximum number of bits communicated in a single round would be at most n × ν × (k + 2n + 1), as stated.
Corollary A1. Let p i follow a strategy σ i such that σ i ∼ Π 1 (n, k), then u i (σ i , σ −i ) = U + f (κ) for some negligible function f in κ.
hold (given that only up to k − 1 secret keys can be shared by members of C), the above Theorem follows using a similar proof as in Theorem 1. check for correctness), the results of Lemma A14 readily apply. In addition, the condition in Φ (where a coalition should be 1-disconnected) implies that for each pair of members p i , p j ∈ C, any transmission from p i to p j has to pass through players that are not in C. It follows that all transmissions among members of C are checked for correctness, and they cannot include additional information in their transmission. In particular, members of C cannot transmit secret keys to each other as this will violate the VRF checks, and players are constrained to have only 1 secret key, and Lemmas A17 and A18 apply. It follows that all players strictly conform to the strategies prescribed by Π 2.1 , and given Lemmas A14, A12, and A18, we apply the same proof as in Theorem 4 to prove the Theorem above.