理性安全两方计算中的公平性研究
|
摘要
安全多方计算(Secure Multi-party Computation,SMPC)是现代密码学重要的研究方向之一,它不但作为密码学基础的一部分,研究分布式情况下进行安全计算的基本原理和方法,还是很多应用型密码学协议的直接基础,例如合同签署,电子投票,电子拍卖和电子签名等。SMPC可以描述为这样一个问题:多个相互独立的参与者拥有各自的私有输入,他们希望能够使用这些输入计算一个约定的函数。基本目标是,能够得到正确输出结果的同时不泄露自己私有输入的任何额外信息。假设存在一个可信第三方(Third Trusted Party, TTP)且每个参与者与TTP之间有一条完全保密的信道,各参与方通过保密信道将输入交给TTP计算这个约定的函数,TTP结束计算后,将计算结果通过保密信道发送给每个参与者。至此多方计算完成并且可以实现基本目标,这就是安全多方计算的理想模型。
多方安全计算的目的是使现实环境下的协议实现理想模型的基本目标,这些目标可以用几个特性概括,即,隐私性,正确性,输入独立性和输出公平性。输出公平性指的是被腐败的参与者接收到他的输出当且仅当诚实参与者也接收到输出。Cleve (STOC1986)证明了公平性在少数诚实参与者的情况下是不可能实现的,因此在传统SMPC,尤其是在安全两方计算(Secure Two-party Computation, STPC)中,公平性经常会被忽略。然而,公平性无论在SMPC还是在STPC中,都是非常重要的特性,尤其是在类似于合同签署和电子拍卖这样的现实协议中。最近很多文献给出了实现公平性的SMPC协议,例如,有的协议实现了非合作计算(Non-cooperation Computation)NCC函数的公平性,有的协议利用了物理信封和投票箱实现了公平性。另外很多较弱的公平性定义也相继提出来,例如部分公平性(Partial fairness)。
理性安全多方计算(Rational Secure Multi-party Computation, RSMPC)作为一种新方法,为实现SMPC协议的公平性提供了一种新的思路。所谓理性安全多方计算指的是带有理性参与者的安全多方计算。理性参与者与传统安全多方计算中参与者最大的不同之处在于他们是否遵守协议是根据他们的效用来决定的。这与传统SMPC中的诚实参与者,半诚实参与者和恶意敌手有很大的区别,因为这些参与者和敌手都不依效用来行动。理性参与者与Aumann和Lindell(JOC2010)中提到的隐蔽敌手有类似之处,他们都具有偏离协议的动机,而且都希望通过偏离协议获得各自的利益。RSMPC的思想来源于博弈论(Game Theory),因此在分析和证明RSMPC协议时,也采取博弈论中的证明思路。首先为每个参与者设定效用函数,这里效用的设定不是随意设定的,而是根据一些经典博弈进行改造的。例如绝大多数参与者的效用函数来源于囚徒困境(Prisoner's Dilemma)这一经典博弈。其次设计协议,使协议的最终结果能够保证隐私性,正确性,输入独立性和输出公平性。最后证明遵守协议是一个均衡,每个参与者都没有偏离协议的动机。也就说,每个参与者只有遵守协议才能够最大化他们的效用,否则就会得到一个较低的效用。从博弈论的角度来看,RSMPC协议的主要任务就是如何设计好协议,使得每个参与者都与其他参与者合作而不是背叛其他参与者。如果合作(即,遵守协议)对每一个参与者来说都是一个占优策略,那么公平性自然可以得到保证。
本文主要研究了理性安全两方计算中公平性的实现问题,也即,如何促进参与者合作。
1.首先将重复囚徒困境博弈中为了促进合作而使用的TFT(Tit-for-Tat)策略引入至RSMPC协议中来,因为在RSMPC中,为了实现公平性,必须保证参与者有合作的动机。利用TFT可策略,理性参与者可以至少在协议的前几轮合作,获得足够的份额恢复出函数值。虽然在引入TFT策略时,声誉作为震慑理性参与者的一个因素被考虑到效用函数中,但是在效用函数的定义中并没有体现出来。
2.本文的另一个工作是将声誉作为效用函数定义的一部分,扩展了根据囚徒困境博弈定义的效用。根据新的效用函数,重新定义了理性参与者类型。证明了,给定合适的参数,双方合作本身就是纳什均衡。因此RSMPC协议只需要一轮就可以完成份额的交换和函数值的恢复,这大大提高了RSMPC协议的效率。
3.本文最后讨论了一个复杂但是更符合实际情况的RSMPC协议,即,在不完全信息下,参与者有私有类型的情况。在这种情况下,理性参与者的效用函数不是以囚徒困境为基础,而是以连锁店博弈为基础,并且均衡类型也不是纳什均衡而是更强的序贯均衡。给定合适参数,公平性在理性安全两方计算中也可以实现。
以上三个问题主要研究了如何有效地在两个参与者之间实现公平性,可以证明,通过不同的策略和效用函数定义,公平性能够在理性两方计算协议中实现。这与传统两方安全计算中关于公平性的结论不同,这种不同源于对理性参与者的界定不同,正是因为有了效用这一特性,使得一些传统两方安全计算中不可能的结论变为可能。
除了公平性,RSMPC中还有很多公开问题,例如:如何设计更合理的策略促使每个参与者合作,如何设定更加符合实际的效用函数,是否存在除囚徒困境以外的经典博弈适合作为RSMPC的基础,参与者除了效用以外是否还具有其它属性。
Secure multi-party computation (SMPC) is one of important research fields in mod-ern cryptography and is a building block for many cryptographic protocols. It is not only one part of basic cryptographic research studying the basic principle and method of securely computing in distributed situations, but also is an important basis for some practical cryptographic protocols, such as, contract signing, electronic voting, electronic auction and electronic signature. SMPC can be described as follows:some independent parties who have respective private inputs, hoping to compute a conventional function-ality using these inputs. Their basic target is to correctly get the outputs of the function while do not reveal their respective private inputs. Assume that a third trusted party (TTP) exists in the ideal model and there is a secure communication channel between each party and TTP. Each party sends his input to TTP through the secure channel. Then TTP com-putes the conventional function using the inputs and finally sends the outputs to parties. Consequently, the computation is completed and the basic target can be achieved in the presence of TTP. The above model is called ideal model in SMPC.
The aim of SMPC for cryptographic protocols in the real world is to realize the basic target as the ideal model. Furthermore, the basic target can be described as the following properties:privacy, correctness, independence and fairness. Fairness means that corrupt-ed parties should receive their output if and only if honest parties do. Cleve (STOC1986) proved that fairness is impossible in the presence of honest minority for SMPC. Thus SMPC, especially STPC, protocols often ignore the achievement of fairness. However, fairness is an important property in SMPC and STPC, especially in electronic voting and auction. Previous research works presented many SMPC protocols to realize fairness. For example, some protocols realized non-cooperation computation (NCC) functions, some achieved fairness through physical envelopes and ballot. Additionally, some other weak notions about fairness is put forward like partial fairness.
Recently, rational secure multi-party computation (RSMPC) is considered as a new method to realize fairness. RSMPC mean SMPC in the presence of rational parties. The most difference between RSMPC and SMPC lies in that rational parties decide whether to follow the protocol according to their utilities. While honest parties, semi-honest par-ties and malicious adversaries in SMPC have no utilities. Rational parties are similar to covert adversaries mentioned in Aumann and Lindell (JOC2010) since both of them have incentives to deviate from protocols. The idea of RSMPC derives from game theory, so the security proof adopts the same idea from game theory. More specifically, the first step is to assign utilities for each. Note that, here utilities are not assigned arbitrarily, but designed according to some classical games. For example, most utilities derive from prisoner's dilemma (PD) game. The second step is to designing protocols such that they satisfy the above four properties. Finally, prove that the strategy of following protocols is an equilibrium and no one has incentives to deviate from protocols. In other words, every party can maximize their utilities by following protocols, otherwise, they may obtain an inferior utility. Toward a game theory view, the main task of RSMPC is to design proper protocols such that each party cooperates with others instead of defecting from others. If cooperation is a dominating strategy for each party, then fairness can be achieved trivially.
In this paper, we mainly discuss the achievement of fairness in Rational STPC. That is how to boost cooperation among parties.
1. To solve these problems, we introduce tit-for-tat (TFT) strategy in this paper, which is often used in iterated PD games to boost cooperation. Rational parties will at least cooperate in the first several rounds, then they can reconstruct the output by enough shares. Reputation is considered as a frighten factor in utility definition when introducing TFT strategy.
2. Another work is to define new utility by adding reputation as a new part. New rational parties are redefined according to the new utility. We also prove that given proper parameters, mutual cooperation is Nash equilibrium. Therefore, the new rational secure two-party computation (RSTPC) protocol only has one round and efficiency is greatly improved.
3. The last work in this paper is to present a more complex but practical RSTPC pro-tocol, where parties have private types under incomplete information. Here, the utility is defines on the basis of another famous game-store chain game. Further-more, under incomplete information, we achieve fairness by stronger sequential
equilibrium instead of Nash equilibrium.
The above three problems study how to efficiently achieve fairness between two par-ties. Given different strategies and utility definitions, fairness can be achieved in rational two-party computation protocols. This conclusion is different with previous works about STPC, where fairness is impossible. The difference derives from the intuition of utility, which makes some impossibility become possible.
As a new field, there are still some open problems in RSMPC. For example, how to design proper strategies such that parties cooperate with each other; how to design more practical utility functions; if there exist some other utility definitions according to new games other than PD game; are there any other properties other than utility etc.
多方安全计算的目的是使现实环境下的协议实现理想模型的基本目标,这些目标可以用几个特性概括,即,隐私性,正确性,输入独立性和输出公平性。输出公平性指的是被腐败的参与者接收到他的输出当且仅当诚实参与者也接收到输出。Cleve (STOC1986)证明了公平性在少数诚实参与者的情况下是不可能实现的,因此在传统SMPC,尤其是在安全两方计算(Secure Two-party Computation, STPC)中,公平性经常会被忽略。然而,公平性无论在SMPC还是在STPC中,都是非常重要的特性,尤其是在类似于合同签署和电子拍卖这样的现实协议中。最近很多文献给出了实现公平性的SMPC协议,例如,有的协议实现了非合作计算(Non-cooperation Computation)NCC函数的公平性,有的协议利用了物理信封和投票箱实现了公平性。另外很多较弱的公平性定义也相继提出来,例如部分公平性(Partial fairness)。
理性安全多方计算(Rational Secure Multi-party Computation, RSMPC)作为一种新方法,为实现SMPC协议的公平性提供了一种新的思路。所谓理性安全多方计算指的是带有理性参与者的安全多方计算。理性参与者与传统安全多方计算中参与者最大的不同之处在于他们是否遵守协议是根据他们的效用来决定的。这与传统SMPC中的诚实参与者,半诚实参与者和恶意敌手有很大的区别,因为这些参与者和敌手都不依效用来行动。理性参与者与Aumann和Lindell(JOC2010)中提到的隐蔽敌手有类似之处,他们都具有偏离协议的动机,而且都希望通过偏离协议获得各自的利益。RSMPC的思想来源于博弈论(Game Theory),因此在分析和证明RSMPC协议时,也采取博弈论中的证明思路。首先为每个参与者设定效用函数,这里效用的设定不是随意设定的,而是根据一些经典博弈进行改造的。例如绝大多数参与者的效用函数来源于囚徒困境(Prisoner's Dilemma)这一经典博弈。其次设计协议,使协议的最终结果能够保证隐私性,正确性,输入独立性和输出公平性。最后证明遵守协议是一个均衡,每个参与者都没有偏离协议的动机。也就说,每个参与者只有遵守协议才能够最大化他们的效用,否则就会得到一个较低的效用。从博弈论的角度来看,RSMPC协议的主要任务就是如何设计好协议,使得每个参与者都与其他参与者合作而不是背叛其他参与者。如果合作(即,遵守协议)对每一个参与者来说都是一个占优策略,那么公平性自然可以得到保证。
本文主要研究了理性安全两方计算中公平性的实现问题,也即,如何促进参与者合作。
1.首先将重复囚徒困境博弈中为了促进合作而使用的TFT(Tit-for-Tat)策略引入至RSMPC协议中来,因为在RSMPC中,为了实现公平性,必须保证参与者有合作的动机。利用TFT可策略,理性参与者可以至少在协议的前几轮合作,获得足够的份额恢复出函数值。虽然在引入TFT策略时,声誉作为震慑理性参与者的一个因素被考虑到效用函数中,但是在效用函数的定义中并没有体现出来。
2.本文的另一个工作是将声誉作为效用函数定义的一部分,扩展了根据囚徒困境博弈定义的效用。根据新的效用函数,重新定义了理性参与者类型。证明了,给定合适的参数,双方合作本身就是纳什均衡。因此RSMPC协议只需要一轮就可以完成份额的交换和函数值的恢复,这大大提高了RSMPC协议的效率。
3.本文最后讨论了一个复杂但是更符合实际情况的RSMPC协议,即,在不完全信息下,参与者有私有类型的情况。在这种情况下,理性参与者的效用函数不是以囚徒困境为基础,而是以连锁店博弈为基础,并且均衡类型也不是纳什均衡而是更强的序贯均衡。给定合适参数,公平性在理性安全两方计算中也可以实现。
以上三个问题主要研究了如何有效地在两个参与者之间实现公平性,可以证明,通过不同的策略和效用函数定义,公平性能够在理性两方计算协议中实现。这与传统两方安全计算中关于公平性的结论不同,这种不同源于对理性参与者的界定不同,正是因为有了效用这一特性,使得一些传统两方安全计算中不可能的结论变为可能。
除了公平性,RSMPC中还有很多公开问题,例如:如何设计更合理的策略促使每个参与者合作,如何设定更加符合实际的效用函数,是否存在除囚徒困境以外的经典博弈适合作为RSMPC的基础,参与者除了效用以外是否还具有其它属性。
Secure multi-party computation (SMPC) is one of important research fields in mod-ern cryptography and is a building block for many cryptographic protocols. It is not only one part of basic cryptographic research studying the basic principle and method of securely computing in distributed situations, but also is an important basis for some practical cryptographic protocols, such as, contract signing, electronic voting, electronic auction and electronic signature. SMPC can be described as follows:some independent parties who have respective private inputs, hoping to compute a conventional function-ality using these inputs. Their basic target is to correctly get the outputs of the function while do not reveal their respective private inputs. Assume that a third trusted party (TTP) exists in the ideal model and there is a secure communication channel between each party and TTP. Each party sends his input to TTP through the secure channel. Then TTP com-putes the conventional function using the inputs and finally sends the outputs to parties. Consequently, the computation is completed and the basic target can be achieved in the presence of TTP. The above model is called ideal model in SMPC.
The aim of SMPC for cryptographic protocols in the real world is to realize the basic target as the ideal model. Furthermore, the basic target can be described as the following properties:privacy, correctness, independence and fairness. Fairness means that corrupt-ed parties should receive their output if and only if honest parties do. Cleve (STOC1986) proved that fairness is impossible in the presence of honest minority for SMPC. Thus SMPC, especially STPC, protocols often ignore the achievement of fairness. However, fairness is an important property in SMPC and STPC, especially in electronic voting and auction. Previous research works presented many SMPC protocols to realize fairness. For example, some protocols realized non-cooperation computation (NCC) functions, some achieved fairness through physical envelopes and ballot. Additionally, some other weak notions about fairness is put forward like partial fairness.
Recently, rational secure multi-party computation (RSMPC) is considered as a new method to realize fairness. RSMPC mean SMPC in the presence of rational parties. The most difference between RSMPC and SMPC lies in that rational parties decide whether to follow the protocol according to their utilities. While honest parties, semi-honest par-ties and malicious adversaries in SMPC have no utilities. Rational parties are similar to covert adversaries mentioned in Aumann and Lindell (JOC2010) since both of them have incentives to deviate from protocols. The idea of RSMPC derives from game theory, so the security proof adopts the same idea from game theory. More specifically, the first step is to assign utilities for each. Note that, here utilities are not assigned arbitrarily, but designed according to some classical games. For example, most utilities derive from prisoner's dilemma (PD) game. The second step is to designing protocols such that they satisfy the above four properties. Finally, prove that the strategy of following protocols is an equilibrium and no one has incentives to deviate from protocols. In other words, every party can maximize their utilities by following protocols, otherwise, they may obtain an inferior utility. Toward a game theory view, the main task of RSMPC is to design proper protocols such that each party cooperates with others instead of defecting from others. If cooperation is a dominating strategy for each party, then fairness can be achieved trivially.
In this paper, we mainly discuss the achievement of fairness in Rational STPC. That is how to boost cooperation among parties.
1. To solve these problems, we introduce tit-for-tat (TFT) strategy in this paper, which is often used in iterated PD games to boost cooperation. Rational parties will at least cooperate in the first several rounds, then they can reconstruct the output by enough shares. Reputation is considered as a frighten factor in utility definition when introducing TFT strategy.
2. Another work is to define new utility by adding reputation as a new part. New rational parties are redefined according to the new utility. We also prove that given proper parameters, mutual cooperation is Nash equilibrium. Therefore, the new rational secure two-party computation (RSTPC) protocol only has one round and efficiency is greatly improved.
3. The last work in this paper is to present a more complex but practical RSTPC pro-tocol, where parties have private types under incomplete information. Here, the utility is defines on the basis of another famous game-store chain game. Further-more, under incomplete information, we achieve fairness by stronger sequential
equilibrium instead of Nash equilibrium.
The above three problems study how to efficiently achieve fairness between two par-ties. Given different strategies and utility definitions, fairness can be achieved in rational two-party computation protocols. This conclusion is different with previous works about STPC, where fairness is impossible. The difference derives from the intuition of utility, which makes some impossibility become possible.
As a new field, there are still some open problems in RSMPC. For example, how to design proper strategies such that parties cooperate with each other; how to design more practical utility functions; if there exist some other utility definitions according to new games other than PD game; are there any other properties other than utility etc.
引文
[1]A. Yao. Protocols for secure computation. In 23rd Annual Symposium on Foun-dations of Computer Science (FOCS). Los Alamitos:IEEE,1982,160-164.
[2]O. Goldreich, S. Micali, A. Wigderson. How to play any mental game-a complete-ness theorem for protocols with honest majority. In 19th STOC. New York, NY, USA:ACM,1987,218-229.
[3]A. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos:IEEE,1986,162-167.
[4]M. Ben-Or, S. Goldwasser, A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In STOC'88 Proceedings of the twentieth annual ACM symposium on Theory of computing. Los Alamitos: IEEE,1988,1-10.
[5]S. Goldwasser, L. Levin. Fair computation of general functions in presence of immoral majority. In Cryptology-CRYPT0'90. Heidelberg:Springer,1990,77-93.
[6]S. Micali, P. Rogaway. Secure computation. In CRYPTO'91. Heidelberg:Springer, 1991,392-404.
[7]D. Beaver. Secure multi-party protocols and zero-knowledge proof systems toler-ating a faulty minority[J]. Journal of Cryptology,1991,4(2):75-122.
[8]D. Beaver. Foundations of secure interactive computing. In Advances in Cryptology-Crypto'91. Heidelberg:Springer,1991,377-391.
[9]C. Hazay, Y. Lindell. Efficient secure two-party protocols:Techniques and con-structions [M]. Springer,2010.
[10]Y. Aumann, Y.Lindell. Security against covert adversaries:Efficient protocols for realistic adversaries [J]. Journal of Cryptology,2010,23(2):281-343.
[11]J. Halpern, V. Teague. Rational secret sharing and multiparty computation:extend-ed abstract. In STOC'04:Proceedings of the thirty-sixth annual ACM symposium on Theory of computing. New York, NY, USA:ACM,2004,623-632.
[12]A. Shamir. How to share a secret[J]. Communications of the ACM,1979, 22(11):612-613.
[13]RJ. Aumann, MB. Maschler. Repeated games with incomplete information[M]. The MIT Press,1995.
[14]Shimon Even, Yacov Yacobi. Relations among public key signature systems. Tech-nical report, Technical Report 175, Technion, Haifa, Israel,1980.
[15]S. Even, O. Goldreich, A. Lempel. A randomized protocol for signing contracts[J]. Communications of the ACM,1985,28(6):637-647.
[16]O. Goldreich. A simple protocol for signing contracts. In Advances in Cryptology-CRYPT 1984. Heidelberg:Springer,1984,133-136.
[17]M. Ben-Or, O. Goldreich, S. Micali, R. Rivest. A fair protocol for signing con-tracts[J]. IEEE Trans. Information Theory,1990,36(1):40-46.
[18]Manuel Blum. Coin flipping by telephone:A protocol for solving impossible problems[J]. Advances in Cryptology-A Report on CRYPTO'81,1982.
[19]M. Blum. Coin flipping by telephone a protocol for solving impossible problem-s[J]. ACM SIGACT News,1983,15(1):23-27.
[20]A.Y. Lindell. Parallel coin-tossing and constant-round secure two-party computa-tion[J]. Journal of Cryptology,2003,16(3):143-184.
[21]R. Cleve. Limits on the security of coin flips when half the processors are faulty. In 18th Annual ACM Symposium on Theory of Computing (STOC). New York, NY, USA:ACM,1986,364-369.
[22]R. Cleve, R. Impagliazzo. Collective coin flipping and discrete control processes, 1993. Avalable online:http://www.cpsc.ucalgary.ca/cleve/pubs/martingales.ps.
[23]D. Boneh, M. Naor. Timed commitments. In Proc. CRYPTO 2000. Heidelberg: Springer,2000,236-254.
[24]J. A. Garay, P. D. MacKenzie, Ke Yang. Efficient and secure multi-party com-putation with faulty majority and complete fairness,2004. Avalable online: http://eprint.iacr.org/2004/009.
[25]M. Luby, S. Micali, C Rackoff. How to simultaneously exchange a secret bit by flipping a symmetrically-biased coin. In 24th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos:IEEE,1983,23-30.
[26]S.D. Gordon, C. Hazay, J. Katz, Y. Lindell. Complete fairness in secure two-party computation. In STOC 2008. New York, NY, USA:ACM,2008,413-422.
[27]T. Moran, M. Naor, G. Segev. An optimally fair coin toss. In 6th Theory of Cryptography Conference-TCC 2009. Heidelberg:Springer,2009,1-18.
[28]A. Beimel, Y. Lindell, E. Omri, I. Orlov. Protocols for multiparty coin toss with dis-honest majority. In Advances in Cryptology-Crypto'2010. Heidelberg:Springer, 2010,538-557.
[29]Manuel Blum. How to exchange (secret) keys[J]. ACM Transactions on Computer Systems (TOCS),1983,1(2):175-193.
[30]R. Cleve. Controlled gradual disclosure schemes for random bits and their ap-plications. In Advances in Cryptology-Crypto'90. Heidelberg:Springer,1990, 573-588.
[31]I. Damgard. Practical and provably secure release of a secret and exchange of signatures [J]. Journal of Cryptography,1995,8(4):201-222.
[32]J. A. Garay, P. D. MacKenzie, M. Prabhakaran, K. Yang. Resource fairness and composability of cryptographic protocols. In 3rd Theory of Cryptography Conference-TCC 2006,. Heidelberg:Springer,2006,404-428.
[33]Z. Galil, S. Haber, M. Yung. Cryptographic computation:Secure faut-tolerant protocols and the public-key model. In Advances in Cryptology-Crypto'87. Hei-delberg:Springer,1987,135-155.
[34]B. Pinkas. Fair secure two-party computation. In Proc. EUROCRYPT 2003. Hei-delberg:Springer,2003,87-105.
[35]D. Beaver, S. Goldwasser. Multiparty computation with faulty majority. In 30th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos: IEEE,1989,468-473.
[36]S. Goldwasser, L.Levin. Fair computation of general functions in presence of im-moral majority. In Advances in Cryptology-CRYPTO'90. Heidelberg:Springer, 1991,77-93.
[37]N. Asokan, M. Schunter, M. Waidner. Optimistic protocols for fair exchange. In Proceedings of the 4th ACM conference on Computer and communications secu-rity. New York, NY, USA:ACM,1997,7-17.
[38]L. Chen, C. Kudla, K.G. Paterson. Concurrent signatures. In Advances in Cryptology-EUROCRYPT 2004. Heidelberg:Springer,2004,287-305.
[39]A.Y. Lindell. Legally-enforceable fairness in secure two-party computation. In Topics in Cryptology-CT-RSA 2008. Heidelberg:Springer,2008,121-137.
[40]J. Katz. On achieving the best of both worlds in secure multiparty computation. In 39th Annual ACM Symposium on Theory of Computing (STOC). New York,NY, USA:ACM,2007,11-20.
[41]S.D. Gordon, J. Katz. Partial fairness in secure two-party computation. In EURO-CRYPT 2010. Heidelberg:Springer,2010,157-176.
[42]S.D. Gordon. On fairness in secure computation[D]. [Phd Thesis], University of Maryland,2010.
[43]G. Asharov, Y Lindell, T. Rabin. A full characterization of functions that imply fair coin tossing and ramifications to fairness. In 10th Theory of Cryptography Conference, TCC 2013. Heidelberg:Springer,2013,243-262.
[44]D. Gordon, Y. Ishai, T. Moran, R. Ostrovsky, A. Sahai. On complete primitives for fairness. In 3rd Theory of Cryptography Conference-TCC 2010,. Heidelberg: Springer,2010,91-108.
[45]D. Beaver. Correlated pseudorandomness and the complexity of private computa-tions. In Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. New York, NY, USA:ACM,1996,479-488.
[46]A. Beimel, T. Malkin. A quantitative approach to reductions in secure computation. In Theory of Cryptography. Heidelberg:Springer,2004,238-257.
[47]B. Chor B, M. Gereb-Graus, E. Kushilevitz. On the structure of the privacy hier-archy[J]. Journal of Cryptology,1994,7(1):53-60.
[48]J. Kilian. More general completeness theorems for secure two-party computation. In Proceedings of the thirty-second annual ACM symposium on Theory of com-puting. New York, NY, USA:ACM,2000,316-324.
[49]H.K. Maji, M. Prabhakaran, M. Rosulek. Complexity of multi-party computation problems:The case of 2-party symmetric secure function evaluation. In Theory of Cryptography. Heidelberg:Springer,2009,256-273.
[50]S. Agrawal, M. Prabhakaran. On fair exchange, fair coins and fair sampling. In CRYPTO 2013. Heidelberg:Springer,2013,259-276.
[51]P. Gacs, J. Korner. Common information is far less than mutual information [J]. Problems of Control and Information Theory,1973,2(2):149-162.
[52]R. M. Gray, A. D. Wyner. Source coding for a simple network[J]. Bell System Technical Journal,1974,53(9):1681-1721.
[53]H.S. Witsenhausen. On sequences of pairs f dependent random variables[J]. SIAM Journal of Applied Mathematics,1975,28:100-113.
[54]A.D. Wyner. The common information of two dependent random variables [J], IEEE Transactions on Information Theory,1975,21(2):163-179.
[55]G. Asharov, Y. Lindell, H. Zarosim. Fair and efficient secure multiparty compu-tation with reputation systems. In Advances in Cryptology-ASIACRYPT 2013. Heidelberg:Springer,2013,201-220.
[56]E. Friedman, P. Resnick, R. Sami. Manipulation-resistant reputation systems[M]. Cambridge:Cambridge Unversity Press,2007.
[57]M. Babaioff, J. Chuang, M. Feldman. Incentives in Peer-to-peer systems[M]. Cam-bridge:Cambridge Unversity Press,2007.
[58]M. Osborne, A. Rubinstein. A Course in Game Theory[M]. Cambridge:MIT Press,1994.
[59]G. Asharov, Y. Lindell. Utility dependence in correct and fair rational secret shar-ing. In CRYPTO 2009. Heidelberg:Springer,2009,559-576.
[60]G. Fuchsbauer, J. Katz, D. Naccache. Efficient rational secret sharing in standard communication networks. In TCC 2010. Heidelberg:Springer,2010,419-436.
[61]S.D. Gordon, J. Katz. Rational secret sharing, revisited. In SCN 2006. Heidelberg: Springer,2006,229-241.
[62]J. Katz. Bridging game theory and cryptography:Recent results and future di-rections. In 5th Theory of Cryptography Conference TCC 2008. Heidelberg: Springer,2008,251-272.
[63]I. Abraham, D. Dolev, R. Gonen, J. Halpern. Distributed computing meets game theory:robust mechanisms for rational secret sharing and multiparty computation. In 25th ACM Symposium Annual on Principles of Distributed Computing. New York, NY, USA:ACM,2006,53-62.
[64]S. Maleka, A. Shareef. The deterministic protocol for rational secret sharing. In IEEE International Symposium on Parallel and Distributed Processing. Los Alami-tos:IEEE,2008,1-7.
[65]S. Maleka, A. Shareef, C. Pandu Rangan. Rational secret sharing with repeated games. In ISPEC'08 Proceedings of the 4th international conference on Informa-tion security practice and experience. Heidelberg:Springer,2008,334-346.
[66]S. Micali, A. Shelat. Purely rational secret sharing (extended abstract). In 6th Theory of Cryptography Conference. Heidelberg:Springer,2009,54-71.
[67]M. Nojoumian, D.R. Stinson, M. Gringer. Unconditional secure social secret shar-ing scheme[J]. IET Information Security, Special Issue on Multi-Agent and Dis-tributed Information Security,2010,4(4):202-211.
[68]M. Nojoumian, D.R. Stinson. Socio-rational secret sharing as a new direction in rational cryptography[J]. Decision and Game Theory for Security,2012,7638:18-37.
[69]ZF. Zhang, YM. Chee, S. Ling, ML Liu, HX Wang. Threshold changeable secret sharing schemes revisited[J]. Theoretical Computer Science,2012,418:106-115.
[70]ZF. Zhang, ML. Liu. Unconditionally secure rational secret sharing in standard communication networks. In Information Security and Cryptology-ICISC 2010. Heidelberg:Springer,2011,355-369.
[71]G. Kol, M. Naor. Cryptography and game theory:Designing protocols for ex-changing infor-mation. In Canetti, R. (ed.) TCC 2008. Heidelberg:Springer, 2008,320-339.
[72]G. Kol, M. Naor. Games for exchanging information. In STOC 2008. New York, NY, USA:ACM,2008,423-432.
[73]Amjed Shareef. Rational secret sharing without broadcast.[J]. IACR Cryptology ePrint Archive,2010,2010:249.
[74]M. Lepinski, S. Micali, C. Peikert, A. Shelat. Completely fair sfe and coalition-safe cheap talk. In 23rd ACM Symposium Annual on Principles of Distributed Computing. New York, NY, USA:ACM,2004,1-10.
[75]S. Izmalkov, S. Micali, M. Lepinski. Rational secure computation and ideal mech-anism design. In 46th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos:IEEE,2005,585-595.
[76]S. Izmalkov, M. Lepinski, S. Micali. Verifiably secure devices. In Theory of Cryptography (TCC 2008). Heidelberg:Springer,2008,273-301.
[77]M. Lepinski, S. Micali, C. Peikert, A. Shelat. Collusion-free protocols. In 37th Annual ACM Symposium on Theory of Computing (STOC). New York, NY, USA: ACM,2005,543-552.
[78]J. Alwen, A. Shelat, I. Visconti. Collusion-free protocols in the mediatd model. In CRYPTO 2008. Heidelberg:Springer,2008,497-514.
[79]J. Alwen, J. Katz, Y. Lindell, G. Persiano, A. shelat, I. Visconti. Collusion-free multiparty computation in the mediated model. In CRYPTO 2009. Heidelberg: Springer,2009,524-540.
[80]J. Alwen, J. Katz, U. Maurer adn V. Zikas. Collusion-preserving computation. In CRYPTO 2012. Heidelberg:Springer,2012,124-143.
[81]S. J. Ong, D. C. Parkes, A. Rosen, S. Vadhan. Fairness with an honest minority and a rational majority. In 6th Theory of Cryptography Conference. Heidelberg: Springer,2009,36-53.
[82]A. Lysyanskaya, N. Triandopoulos. Rationality and adversarial behavior in multi-party computation. In CRYPTO 2006. Heidelberg:Springer,2006,180-197.
[83]Ran Canetti. Security and composition of multiparty cryptographic protocols [J]. Journal of Cryptology,2000,13(1):143-202.
[84]O. Goldreich. Foundations of Cryptography:Volume 2[M]. Cambridge University Press,2004.
[85]G. Asharov, R. Canetti, C. Hazay. Towards a game theoretic view of secure com-putation. In Cryptology-Eurocrypt 2011. Heidelberg:Springer,2011,426-445.
[86]A. Groce, J. Katz. Fair computation with rational players. In EUROCRYPT 2012. Heidelberg:Springer,2012,81-98.
[87]Adam Groce, Jonathan Katz, Aishwarya Thiruvengadam, Vassilis Zikas. Byzan-tine agreement with a rational adversary[J]. Automata, Languages, and Program-ming,2012,7392:561-572.
[88]AS Aiyer, L Alvisi, A Clement, M Dahlin, J-P Martin, C Porth. Bar fault tolerance for cooperative services. In Proceedings of the twentieth ACM symposium on Operating systems principles. New York, NY, USA:ACM,2005,45-58.
[89]A. Clement, H.C. Li, J.Napper, J-P Martine, L. Alvisi, M. Dahlin. Bar primer. In DSN 2008. Heidelberg:IEEE Computer Society,2008,287-296.
[90]H.C.Li, A. Clement, E.L. Wong, J. Napper, I. Roy, L. Alvisi, M. Dahlin. Bar gossip. In Proceedings of the 7th symposium on Operating systems design and implementation. CA, USA:USENIX Association Berkeley,2006,191-204.
[91]XH Bei, W. Chen, JL Zhang. Distributed consensus resilient to both crash failures and strategic manipulations,2012. ArXiv:1203.4324.
[92]J. A. Garay, J. Katz, U. Maurer, B. Tackmann, V. Zikas. Rational protocol de-sign:Cryptography against incentive-driven adversaries,2013. Avalable online: http://eprint.iacr.org/2013/496.
[93]J. Halpern, R. Pass. Game theory with costly computation,2008. Avalable online: http://arxiv.org/abs/0809.0024v 1.
[94]J. Halpern, R. Pass. Game theory with costly computation:Formulation and ap-plication to protocol security. In Proceedings of the Behavioral and Quantitative Game Theory:Conference on Future Directions. New York, NY, USA:ACM, 2010,89-101.
[95]J. Halpern. Beyond nash equilibrium:solution concepts for the 21st century. In Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing. New York, NY,USA:ACM,2008,1-10.
[96]R. Gradwohl, N. Livne, A. Rosen. Sequential rationality in cryptographic pro-tocols. In Foundations of computer science (FOCS 2010). Los Alamitos:IEEE, 2010,623-632.
[97]R. Gradwohl, N. Livne, A. Rosen. Sequential rationality in cryptographic proto-cols[J]. ACM Transactions on Economics and Computation,2013,1(1):4-40.
[98]A. Beimel, Y. Lindell, E. Omri, I. Orlov.1/p-secure multiparty computation with-out honest majority and the best of both worlds. In Advances in Cryptology-Crypto'2011. Heidelberg:Springer,2011,277-296.
[99]R.Canetti. Universally composable security:a new paradigm for cryptogrphic protocols,2005. Avalable online:http://eprint.iacr.org/2005/067.
[100]J. Katz. Universally composable synchromous computation. In 10th Theory of Cryptography Conference TCC 2013. Heidelberg:Springer,2013,477-498.
[101]Y. Aumann, Y. Lindell. Security against covert adversaries:Efficient protocols for realistic adversaries. In Theory of Cryptography 2007. Heidelberg:Springer, 2007,137-156.
[102]张志芳,刘木兰.理性密钥共享的扩展博弈模型[J].中国科学:信息科学,2012,42(1):32-46.
[103]田有亮,马建峰,彭长根,姬文江.秘密共享体制的博弈论分析[J].电子学报,2012,39(12):2790-2795.
[104]张恩,蔡永泉.基于双线性对的可验证的理性秘密共享方案[J].电子学报,2012,40(5):1050-1054.
[105]张恩,蔡永泉.理性的安全两方计算协议[J].计算机研究与发展,2013,50(7):1409-1417.
[106]M.K. Franklin, M. Yung. Communication complexity of secure computation. In 24th STOC. New York, NY, USA:ACM,1992,699-710.
[107]Y. Ishai, A. Sahai, D. Wagner. Private circuits:Securing hardware against probing attacks. In Advances in Cryptology-CRYPTO 2003. Heidelberg:Spring,2003, 463-481.
[108]D. Malkhi, N. Nisan, B. Pinkas, Y. Sella. Fairplay-a secure two-party computation system. In 13th USENIX security symposium. CA, USA:USENIX Association Berkeley,2004,287-302.
[109]I. Damgard, M. Geisler, J.B. Nielsen. From passive to covert security at low cost[J]. Theory of Cryptography,2010,5978:128-145.
[110]L. von Ahn, N. Hopper, J. Langford. Covert two-party computation. In 37th STOC. New York, NY, USA:ACM,2005,513-522.
[111]N. Chandran, V. Goyal, R. Ostrovsky, A. Sahai. Covert multiparty computation. In 48th FOCS. New York, NY, USA:ACM,2007,238-248.
[112]Yilei Wang, Zhe Liu, Qiuliang Xu. New rational parties relying on reputation [J]. Security and Communication Networks,2013,418:DOI:10.1002/sec.844.
[113]Vipul Goyal, Payman Mohassel, Adam Smith. Efficient two party and mul-ti party computation against covert adversaries. In Advances in Cryptology-EUROCRYPT 2008. Heidelberg:Springer,2008,289-306.
[114]G. Asharov, C. Orlandi. Calling out cheaters:covert security with public verifiabil-ity. In Asiacrypt 2012. Heidelberg:Springer,2012,681-698.
[115]R. Axelrod. The Evolution of Cooperation[M]. Penguin Press,1990.
[116]R. Canetti. Universally composable security:a new paradigm for cryptogrphic protocols. In Foundations of computer science (FOCS 2001). Los Alamitos:IEEE, 2001,136-145.
[117]YiLei Wang, Hao Wang, Qiuliang Xu. Rational secret sharing with semi-rational players[J]. International Journal of Grid and Utility Computing,2012,3(1):59-67.
[118]D. Fudenberg, J. Tirole. Game Theory [M]. MIT Press,1991.
[119]DM. Kreps, P. Milgrom, J. Roberts, R. Wilson. Rational cooperation in the finitely repeated prisoners' dilemma[J]. Journal of Economic Theory,1982,27(2):245-252.
[120]D. Kreps, R. Wilson. Reputation and imperfect information [J]. Journal of Eco-nomic Theory,1982,27(2):253-279.
[2]O. Goldreich, S. Micali, A. Wigderson. How to play any mental game-a complete-ness theorem for protocols with honest majority. In 19th STOC. New York, NY, USA:ACM,1987,218-229.
[3]A. Yao. How to generate and exchange secrets. In 27th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos:IEEE,1986,162-167.
[4]M. Ben-Or, S. Goldwasser, A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In STOC'88 Proceedings of the twentieth annual ACM symposium on Theory of computing. Los Alamitos: IEEE,1988,1-10.
[5]S. Goldwasser, L. Levin. Fair computation of general functions in presence of immoral majority. In Cryptology-CRYPT0'90. Heidelberg:Springer,1990,77-93.
[6]S. Micali, P. Rogaway. Secure computation. In CRYPTO'91. Heidelberg:Springer, 1991,392-404.
[7]D. Beaver. Secure multi-party protocols and zero-knowledge proof systems toler-ating a faulty minority[J]. Journal of Cryptology,1991,4(2):75-122.
[8]D. Beaver. Foundations of secure interactive computing. In Advances in Cryptology-Crypto'91. Heidelberg:Springer,1991,377-391.
[9]C. Hazay, Y. Lindell. Efficient secure two-party protocols:Techniques and con-structions [M]. Springer,2010.
[10]Y. Aumann, Y.Lindell. Security against covert adversaries:Efficient protocols for realistic adversaries [J]. Journal of Cryptology,2010,23(2):281-343.
[11]J. Halpern, V. Teague. Rational secret sharing and multiparty computation:extend-ed abstract. In STOC'04:Proceedings of the thirty-sixth annual ACM symposium on Theory of computing. New York, NY, USA:ACM,2004,623-632.
[12]A. Shamir. How to share a secret[J]. Communications of the ACM,1979, 22(11):612-613.
[13]RJ. Aumann, MB. Maschler. Repeated games with incomplete information[M]. The MIT Press,1995.
[14]Shimon Even, Yacov Yacobi. Relations among public key signature systems. Tech-nical report, Technical Report 175, Technion, Haifa, Israel,1980.
[15]S. Even, O. Goldreich, A. Lempel. A randomized protocol for signing contracts[J]. Communications of the ACM,1985,28(6):637-647.
[16]O. Goldreich. A simple protocol for signing contracts. In Advances in Cryptology-CRYPT 1984. Heidelberg:Springer,1984,133-136.
[17]M. Ben-Or, O. Goldreich, S. Micali, R. Rivest. A fair protocol for signing con-tracts[J]. IEEE Trans. Information Theory,1990,36(1):40-46.
[18]Manuel Blum. Coin flipping by telephone:A protocol for solving impossible problems[J]. Advances in Cryptology-A Report on CRYPTO'81,1982.
[19]M. Blum. Coin flipping by telephone a protocol for solving impossible problem-s[J]. ACM SIGACT News,1983,15(1):23-27.
[20]A.Y. Lindell. Parallel coin-tossing and constant-round secure two-party computa-tion[J]. Journal of Cryptology,2003,16(3):143-184.
[21]R. Cleve. Limits on the security of coin flips when half the processors are faulty. In 18th Annual ACM Symposium on Theory of Computing (STOC). New York, NY, USA:ACM,1986,364-369.
[22]R. Cleve, R. Impagliazzo. Collective coin flipping and discrete control processes, 1993. Avalable online:http://www.cpsc.ucalgary.ca/cleve/pubs/martingales.ps.
[23]D. Boneh, M. Naor. Timed commitments. In Proc. CRYPTO 2000. Heidelberg: Springer,2000,236-254.
[24]J. A. Garay, P. D. MacKenzie, Ke Yang. Efficient and secure multi-party com-putation with faulty majority and complete fairness,2004. Avalable online: http://eprint.iacr.org/2004/009.
[25]M. Luby, S. Micali, C Rackoff. How to simultaneously exchange a secret bit by flipping a symmetrically-biased coin. In 24th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos:IEEE,1983,23-30.
[26]S.D. Gordon, C. Hazay, J. Katz, Y. Lindell. Complete fairness in secure two-party computation. In STOC 2008. New York, NY, USA:ACM,2008,413-422.
[27]T. Moran, M. Naor, G. Segev. An optimally fair coin toss. In 6th Theory of Cryptography Conference-TCC 2009. Heidelberg:Springer,2009,1-18.
[28]A. Beimel, Y. Lindell, E. Omri, I. Orlov. Protocols for multiparty coin toss with dis-honest majority. In Advances in Cryptology-Crypto'2010. Heidelberg:Springer, 2010,538-557.
[29]Manuel Blum. How to exchange (secret) keys[J]. ACM Transactions on Computer Systems (TOCS),1983,1(2):175-193.
[30]R. Cleve. Controlled gradual disclosure schemes for random bits and their ap-plications. In Advances in Cryptology-Crypto'90. Heidelberg:Springer,1990, 573-588.
[31]I. Damgard. Practical and provably secure release of a secret and exchange of signatures [J]. Journal of Cryptography,1995,8(4):201-222.
[32]J. A. Garay, P. D. MacKenzie, M. Prabhakaran, K. Yang. Resource fairness and composability of cryptographic protocols. In 3rd Theory of Cryptography Conference-TCC 2006,. Heidelberg:Springer,2006,404-428.
[33]Z. Galil, S. Haber, M. Yung. Cryptographic computation:Secure faut-tolerant protocols and the public-key model. In Advances in Cryptology-Crypto'87. Hei-delberg:Springer,1987,135-155.
[34]B. Pinkas. Fair secure two-party computation. In Proc. EUROCRYPT 2003. Hei-delberg:Springer,2003,87-105.
[35]D. Beaver, S. Goldwasser. Multiparty computation with faulty majority. In 30th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos: IEEE,1989,468-473.
[36]S. Goldwasser, L.Levin. Fair computation of general functions in presence of im-moral majority. In Advances in Cryptology-CRYPTO'90. Heidelberg:Springer, 1991,77-93.
[37]N. Asokan, M. Schunter, M. Waidner. Optimistic protocols for fair exchange. In Proceedings of the 4th ACM conference on Computer and communications secu-rity. New York, NY, USA:ACM,1997,7-17.
[38]L. Chen, C. Kudla, K.G. Paterson. Concurrent signatures. In Advances in Cryptology-EUROCRYPT 2004. Heidelberg:Springer,2004,287-305.
[39]A.Y. Lindell. Legally-enforceable fairness in secure two-party computation. In Topics in Cryptology-CT-RSA 2008. Heidelberg:Springer,2008,121-137.
[40]J. Katz. On achieving the best of both worlds in secure multiparty computation. In 39th Annual ACM Symposium on Theory of Computing (STOC). New York,NY, USA:ACM,2007,11-20.
[41]S.D. Gordon, J. Katz. Partial fairness in secure two-party computation. In EURO-CRYPT 2010. Heidelberg:Springer,2010,157-176.
[42]S.D. Gordon. On fairness in secure computation[D]. [Phd Thesis], University of Maryland,2010.
[43]G. Asharov, Y Lindell, T. Rabin. A full characterization of functions that imply fair coin tossing and ramifications to fairness. In 10th Theory of Cryptography Conference, TCC 2013. Heidelberg:Springer,2013,243-262.
[44]D. Gordon, Y. Ishai, T. Moran, R. Ostrovsky, A. Sahai. On complete primitives for fairness. In 3rd Theory of Cryptography Conference-TCC 2010,. Heidelberg: Springer,2010,91-108.
[45]D. Beaver. Correlated pseudorandomness and the complexity of private computa-tions. In Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. New York, NY, USA:ACM,1996,479-488.
[46]A. Beimel, T. Malkin. A quantitative approach to reductions in secure computation. In Theory of Cryptography. Heidelberg:Springer,2004,238-257.
[47]B. Chor B, M. Gereb-Graus, E. Kushilevitz. On the structure of the privacy hier-archy[J]. Journal of Cryptology,1994,7(1):53-60.
[48]J. Kilian. More general completeness theorems for secure two-party computation. In Proceedings of the thirty-second annual ACM symposium on Theory of com-puting. New York, NY, USA:ACM,2000,316-324.
[49]H.K. Maji, M. Prabhakaran, M. Rosulek. Complexity of multi-party computation problems:The case of 2-party symmetric secure function evaluation. In Theory of Cryptography. Heidelberg:Springer,2009,256-273.
[50]S. Agrawal, M. Prabhakaran. On fair exchange, fair coins and fair sampling. In CRYPTO 2013. Heidelberg:Springer,2013,259-276.
[51]P. Gacs, J. Korner. Common information is far less than mutual information [J]. Problems of Control and Information Theory,1973,2(2):149-162.
[52]R. M. Gray, A. D. Wyner. Source coding for a simple network[J]. Bell System Technical Journal,1974,53(9):1681-1721.
[53]H.S. Witsenhausen. On sequences of pairs f dependent random variables[J]. SIAM Journal of Applied Mathematics,1975,28:100-113.
[54]A.D. Wyner. The common information of two dependent random variables [J], IEEE Transactions on Information Theory,1975,21(2):163-179.
[55]G. Asharov, Y. Lindell, H. Zarosim. Fair and efficient secure multiparty compu-tation with reputation systems. In Advances in Cryptology-ASIACRYPT 2013. Heidelberg:Springer,2013,201-220.
[56]E. Friedman, P. Resnick, R. Sami. Manipulation-resistant reputation systems[M]. Cambridge:Cambridge Unversity Press,2007.
[57]M. Babaioff, J. Chuang, M. Feldman. Incentives in Peer-to-peer systems[M]. Cam-bridge:Cambridge Unversity Press,2007.
[58]M. Osborne, A. Rubinstein. A Course in Game Theory[M]. Cambridge:MIT Press,1994.
[59]G. Asharov, Y. Lindell. Utility dependence in correct and fair rational secret shar-ing. In CRYPTO 2009. Heidelberg:Springer,2009,559-576.
[60]G. Fuchsbauer, J. Katz, D. Naccache. Efficient rational secret sharing in standard communication networks. In TCC 2010. Heidelberg:Springer,2010,419-436.
[61]S.D. Gordon, J. Katz. Rational secret sharing, revisited. In SCN 2006. Heidelberg: Springer,2006,229-241.
[62]J. Katz. Bridging game theory and cryptography:Recent results and future di-rections. In 5th Theory of Cryptography Conference TCC 2008. Heidelberg: Springer,2008,251-272.
[63]I. Abraham, D. Dolev, R. Gonen, J. Halpern. Distributed computing meets game theory:robust mechanisms for rational secret sharing and multiparty computation. In 25th ACM Symposium Annual on Principles of Distributed Computing. New York, NY, USA:ACM,2006,53-62.
[64]S. Maleka, A. Shareef. The deterministic protocol for rational secret sharing. In IEEE International Symposium on Parallel and Distributed Processing. Los Alami-tos:IEEE,2008,1-7.
[65]S. Maleka, A. Shareef, C. Pandu Rangan. Rational secret sharing with repeated games. In ISPEC'08 Proceedings of the 4th international conference on Informa-tion security practice and experience. Heidelberg:Springer,2008,334-346.
[66]S. Micali, A. Shelat. Purely rational secret sharing (extended abstract). In 6th Theory of Cryptography Conference. Heidelberg:Springer,2009,54-71.
[67]M. Nojoumian, D.R. Stinson, M. Gringer. Unconditional secure social secret shar-ing scheme[J]. IET Information Security, Special Issue on Multi-Agent and Dis-tributed Information Security,2010,4(4):202-211.
[68]M. Nojoumian, D.R. Stinson. Socio-rational secret sharing as a new direction in rational cryptography[J]. Decision and Game Theory for Security,2012,7638:18-37.
[69]ZF. Zhang, YM. Chee, S. Ling, ML Liu, HX Wang. Threshold changeable secret sharing schemes revisited[J]. Theoretical Computer Science,2012,418:106-115.
[70]ZF. Zhang, ML. Liu. Unconditionally secure rational secret sharing in standard communication networks. In Information Security and Cryptology-ICISC 2010. Heidelberg:Springer,2011,355-369.
[71]G. Kol, M. Naor. Cryptography and game theory:Designing protocols for ex-changing infor-mation. In Canetti, R. (ed.) TCC 2008. Heidelberg:Springer, 2008,320-339.
[72]G. Kol, M. Naor. Games for exchanging information. In STOC 2008. New York, NY, USA:ACM,2008,423-432.
[73]Amjed Shareef. Rational secret sharing without broadcast.[J]. IACR Cryptology ePrint Archive,2010,2010:249.
[74]M. Lepinski, S. Micali, C. Peikert, A. Shelat. Completely fair sfe and coalition-safe cheap talk. In 23rd ACM Symposium Annual on Principles of Distributed Computing. New York, NY, USA:ACM,2004,1-10.
[75]S. Izmalkov, S. Micali, M. Lepinski. Rational secure computation and ideal mech-anism design. In 46th Annual Symposium on Foundations of Computer Science (FOCS). Los Alamitos:IEEE,2005,585-595.
[76]S. Izmalkov, M. Lepinski, S. Micali. Verifiably secure devices. In Theory of Cryptography (TCC 2008). Heidelberg:Springer,2008,273-301.
[77]M. Lepinski, S. Micali, C. Peikert, A. Shelat. Collusion-free protocols. In 37th Annual ACM Symposium on Theory of Computing (STOC). New York, NY, USA: ACM,2005,543-552.
[78]J. Alwen, A. Shelat, I. Visconti. Collusion-free protocols in the mediatd model. In CRYPTO 2008. Heidelberg:Springer,2008,497-514.
[79]J. Alwen, J. Katz, Y. Lindell, G. Persiano, A. shelat, I. Visconti. Collusion-free multiparty computation in the mediated model. In CRYPTO 2009. Heidelberg: Springer,2009,524-540.
[80]J. Alwen, J. Katz, U. Maurer adn V. Zikas. Collusion-preserving computation. In CRYPTO 2012. Heidelberg:Springer,2012,124-143.
[81]S. J. Ong, D. C. Parkes, A. Rosen, S. Vadhan. Fairness with an honest minority and a rational majority. In 6th Theory of Cryptography Conference. Heidelberg: Springer,2009,36-53.
[82]A. Lysyanskaya, N. Triandopoulos. Rationality and adversarial behavior in multi-party computation. In CRYPTO 2006. Heidelberg:Springer,2006,180-197.
[83]Ran Canetti. Security and composition of multiparty cryptographic protocols [J]. Journal of Cryptology,2000,13(1):143-202.
[84]O. Goldreich. Foundations of Cryptography:Volume 2[M]. Cambridge University Press,2004.
[85]G. Asharov, R. Canetti, C. Hazay. Towards a game theoretic view of secure com-putation. In Cryptology-Eurocrypt 2011. Heidelberg:Springer,2011,426-445.
[86]A. Groce, J. Katz. Fair computation with rational players. In EUROCRYPT 2012. Heidelberg:Springer,2012,81-98.
[87]Adam Groce, Jonathan Katz, Aishwarya Thiruvengadam, Vassilis Zikas. Byzan-tine agreement with a rational adversary[J]. Automata, Languages, and Program-ming,2012,7392:561-572.
[88]AS Aiyer, L Alvisi, A Clement, M Dahlin, J-P Martin, C Porth. Bar fault tolerance for cooperative services. In Proceedings of the twentieth ACM symposium on Operating systems principles. New York, NY, USA:ACM,2005,45-58.
[89]A. Clement, H.C. Li, J.Napper, J-P Martine, L. Alvisi, M. Dahlin. Bar primer. In DSN 2008. Heidelberg:IEEE Computer Society,2008,287-296.
[90]H.C.Li, A. Clement, E.L. Wong, J. Napper, I. Roy, L. Alvisi, M. Dahlin. Bar gossip. In Proceedings of the 7th symposium on Operating systems design and implementation. CA, USA:USENIX Association Berkeley,2006,191-204.
[91]XH Bei, W. Chen, JL Zhang. Distributed consensus resilient to both crash failures and strategic manipulations,2012. ArXiv:1203.4324.
[92]J. A. Garay, J. Katz, U. Maurer, B. Tackmann, V. Zikas. Rational protocol de-sign:Cryptography against incentive-driven adversaries,2013. Avalable online: http://eprint.iacr.org/2013/496.
[93]J. Halpern, R. Pass. Game theory with costly computation,2008. Avalable online: http://arxiv.org/abs/0809.0024v 1.
[94]J. Halpern, R. Pass. Game theory with costly computation:Formulation and ap-plication to protocol security. In Proceedings of the Behavioral and Quantitative Game Theory:Conference on Future Directions. New York, NY, USA:ACM, 2010,89-101.
[95]J. Halpern. Beyond nash equilibrium:solution concepts for the 21st century. In Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing. New York, NY,USA:ACM,2008,1-10.
[96]R. Gradwohl, N. Livne, A. Rosen. Sequential rationality in cryptographic pro-tocols. In Foundations of computer science (FOCS 2010). Los Alamitos:IEEE, 2010,623-632.
[97]R. Gradwohl, N. Livne, A. Rosen. Sequential rationality in cryptographic proto-cols[J]. ACM Transactions on Economics and Computation,2013,1(1):4-40.
[98]A. Beimel, Y. Lindell, E. Omri, I. Orlov.1/p-secure multiparty computation with-out honest majority and the best of both worlds. In Advances in Cryptology-Crypto'2011. Heidelberg:Springer,2011,277-296.
[99]R.Canetti. Universally composable security:a new paradigm for cryptogrphic protocols,2005. Avalable online:http://eprint.iacr.org/2005/067.
[100]J. Katz. Universally composable synchromous computation. In 10th Theory of Cryptography Conference TCC 2013. Heidelberg:Springer,2013,477-498.
[101]Y. Aumann, Y. Lindell. Security against covert adversaries:Efficient protocols for realistic adversaries. In Theory of Cryptography 2007. Heidelberg:Springer, 2007,137-156.
[102]张志芳,刘木兰.理性密钥共享的扩展博弈模型[J].中国科学:信息科学,2012,42(1):32-46.
[103]田有亮,马建峰,彭长根,姬文江.秘密共享体制的博弈论分析[J].电子学报,2012,39(12):2790-2795.
[104]张恩,蔡永泉.基于双线性对的可验证的理性秘密共享方案[J].电子学报,2012,40(5):1050-1054.
[105]张恩,蔡永泉.理性的安全两方计算协议[J].计算机研究与发展,2013,50(7):1409-1417.
[106]M.K. Franklin, M. Yung. Communication complexity of secure computation. In 24th STOC. New York, NY, USA:ACM,1992,699-710.
[107]Y. Ishai, A. Sahai, D. Wagner. Private circuits:Securing hardware against probing attacks. In Advances in Cryptology-CRYPTO 2003. Heidelberg:Spring,2003, 463-481.
[108]D. Malkhi, N. Nisan, B. Pinkas, Y. Sella. Fairplay-a secure two-party computation system. In 13th USENIX security symposium. CA, USA:USENIX Association Berkeley,2004,287-302.
[109]I. Damgard, M. Geisler, J.B. Nielsen. From passive to covert security at low cost[J]. Theory of Cryptography,2010,5978:128-145.
[110]L. von Ahn, N. Hopper, J. Langford. Covert two-party computation. In 37th STOC. New York, NY, USA:ACM,2005,513-522.
[111]N. Chandran, V. Goyal, R. Ostrovsky, A. Sahai. Covert multiparty computation. In 48th FOCS. New York, NY, USA:ACM,2007,238-248.
[112]Yilei Wang, Zhe Liu, Qiuliang Xu. New rational parties relying on reputation [J]. Security and Communication Networks,2013,418:DOI:10.1002/sec.844.
[113]Vipul Goyal, Payman Mohassel, Adam Smith. Efficient two party and mul-ti party computation against covert adversaries. In Advances in Cryptology-EUROCRYPT 2008. Heidelberg:Springer,2008,289-306.
[114]G. Asharov, C. Orlandi. Calling out cheaters:covert security with public verifiabil-ity. In Asiacrypt 2012. Heidelberg:Springer,2012,681-698.
[115]R. Axelrod. The Evolution of Cooperation[M]. Penguin Press,1990.
[116]R. Canetti. Universally composable security:a new paradigm for cryptogrphic protocols. In Foundations of computer science (FOCS 2001). Los Alamitos:IEEE, 2001,136-145.
[117]YiLei Wang, Hao Wang, Qiuliang Xu. Rational secret sharing with semi-rational players[J]. International Journal of Grid and Utility Computing,2012,3(1):59-67.
[118]D. Fudenberg, J. Tirole. Game Theory [M]. MIT Press,1991.
[119]DM. Kreps, P. Milgrom, J. Roberts, R. Wilson. Rational cooperation in the finitely repeated prisoners' dilemma[J]. Journal of Economic Theory,1982,27(2):245-252.
[120]D. Kreps, R. Wilson. Reputation and imperfect information [J]. Journal of Eco-nomic Theory,1982,27(2):253-279.