Game theory is the study of strategic reasoning in rational agents. By definition, rationality means parties act to maximize their own utility. When all players choose such strategies, we call the resulting interaction an equilibrium. Unfortunately, the equilibrium often does not ensure the best outcome for the parties involved. The most famous example is the prisoner’s dilemma where two criminals are arrested and interrogated by police in separate rooms: each criminal can either cooperate with their accomplice, or defect and give them up to the police, resulting in a reduced sentence. Here, it is well-known that cooperation is not an equilibrium, as neither criminal can trust the other not to defect, although it would be in their common interest to do so. This poses problems if the interaction we are trying to model is of legal matters or otherwise related to security, as we often want to ensure it is rational to play some intended strategy.
Indeed, in cryptography, such complications are the cause of a seemingly irreconcilable gap between the worlds of rational cryptography and the classic cryptographic model: in , Halpern and Teague famously show there is no deterministic bounded-time interactive protocol for secure function evaluation on private inputs involving rational parties with a certain class of utility functions, namely parties who prefer to learn the output of the function, but prefer as few other parties as possible learn the output. By contrast, there are simple and efficient secure protocols when a sufficient subset of the parties are guaranteed to be honest, even when the remaining parties are allowed to deviate arbitrarily . A weaker notion of security called ‘covert security’ was proposed by Aumann and Lindell in 
. Here, parties are allowed to deviate but are caught with some constant non-zero probability. This was extended by Asharov and Orlandi in to publicly verifiable covert (PVC) security where a certificate is output that can be verified by a third party to determine if cheating has occurred. The underlying assumption of these protocols is that the cost associated with the risk of being caught outweighs the benefit of deviating. Indeed, the problem of misaligned equilibria is usually mitigated in practice by ensuring appropriate punishment for misbehaving, such as fining deviants, banning them from participating again, or subjecting them to other legal repercussions, effectively changing the utilities of the game to ensure being honest is, in fact, an equilibrium. In our example with the prisoner’s dilemma, a criminal who defects might face consequences after the other party is released from prison, as the adage goes: “snitches get stitches”. Sometimes, it is less clear how to punish parties, as when the games are models of interaction on the internet where parties can be anonymous. One solution is to offset the utility from deviating by withholding money from the deviating party, i.e. use a deposit scheme where parties initially pay a deposit that is only repaid if they acted honestly. In the economics literature, this is known as a ‘deposit-refund system’  and is often studied in the context of environmental issues for incentivizing compliance with laws and regulations. In , Grimes-Casey et al. propose a game-theoretic model for analyzing consumer behavior of refillable plastic bottles with such deposit-refund systems. Indeed, deposit-refund systems are currently used in many countries for closing the gap between the marginal private cost and the marginal external cost of disposing of e.g. bottles, batteries, tires, and consumer electronics (see e.g. ). Such systems can also be used at a higher level of governance: in , McEvoy studies deposit-refund systems as a means of enforcing nations to comply with international environmental agreements. Deposit-refund systems are also studied in the context of distributed systems. There are numerous works in the literature that take advantage of such systems to incentivize the participants to behave honestly. Such a deposit scheme is usually implemented by deploying a smart contract to run on a blockchain. The work most related to ours is by George and Kamara () who propose a framework for incentivizing honesty using ‘adversarial level agreements’ that specify damages parties must pay if found to act adversarially. We will show later that their model can be recovered as a special case of our model. In , Zhu, Ding and Huang propose a protocol for 2PC that incentivizes honesty using a PVC augmented with a deposit scheme. In , Dong et al. propose a protocol that uses deposit schemes to incentivize honesty in outsourcing cloud computations. BitHalo  implements an escrow using deposits and multisigs that was analyzed in  by Bigi et al. In , Asgaonkar and Krishnamachari propose a smart contract for decentralized commerce of digital goods using dual deposits. This was extended by Schwartzbach to non-digital goods in  in a way that uses deposits optimistically. Deposits have also been used for ‘truth-telling mechanisms’: in , Adler et al. propose a system, Astraea, that uses deposits and rewards to incentivize a group of voters to decide to validity of a proposition. Kleros  uses a similar mechanism to implement a decentralized court system.
None of the works mentioned treat deposit schemes in a setting that allows for ‘plug-and-play’ with an arbitrary finite game to incentivize certain behavior: all of them appear to use deposit schemes on an ad hoc basis, and do not treat deposit schemes in the abstract. In this work, we ask the following question:
Can we design a deposit scheme mechanism that incentivizes honesty in arbitrary finite games?
We answer this question in the affirmative and provide an algorithm for instantiating the deposit schemes to incentivize honesty by reducing the problem to linear programming. To the best knowledge of the author, this problem has not been explicitly studied before.
1.0.1 Our results.
We propose a model for games with deposit schemes and analyze how they can be instantiated to incentivize a specified strategy profile. A deposit scheme is a mechanism that takes as input a monetary deposit from each party and repays the parties based on how they acted in the game. This circumvents the impossibility result of Halpern and Teague by effectively altering the class of utility functions, such that parties can be incentivized to act in a certain manner. In the present work, we are not concerned with the implementation of such a deposit scheme, but mention briefly that a deposit scheme can be implemented using a trusted third party, or when this is not possible, as a smart contract deployed on a blockchain. Ensuring honesty is trivial if the deposit scheme is allowed to see all actions taken in the game, as this allows it to simply keep the deposit for a party who deviates from the intended strategy. Instead, we assume the deposit scheme is allowed to probabilistically infer information about what happened during the course of the game. As such, we consider games embedded with an information structure that defines how information is released from the game to an observer. This consists of an alphabet of possible outcomes that can be externally observed, and then each leaf in the game is given a distribution on this alphabet. When the game terminates in a given leaf, a symbol is sampled from the alphabet according to the distribution and is observed by the deposit scheme. We show that deposit schemes can be used to implement any set of utilities if and only if the information structure essentially leaks all information about what happened in the execution of the game. We propose a notion of game-theoretic security that generalizes subgame perfection by quantifying how much utility a party loses by deviating from the intended strategy. We show how finding an optimal deposit scheme that achieves this notion of security can be stated as a linear program, where optimal means the size of the largest deposit is minimized. We state some additional properties that we may want our deposit schemes to satisfy and discuss some tradeoffs when deploying these systems in practice. We prove a lower bound on the maximum size of the deposits, and show it must be linear in the security parameter.
The paper is organized as follows. We start in Section 3 by defining information structures and deposit schemes and show that deposit schemes can be used to implement any set of utilities iff the information structure is essentially trivial. In Section 4 we give our definition of game-theoretic security and show how finding a suitable deposit scheme that minimizes the size of the deposits can be stated as a linear program. In Section 5, we state some additional properties we might want our deposit schemes to satisfy and show how to state them as linear constraints. Finally, in Section 6, we show a lower bound on the size of the maximum deposits.
2 Preliminaries and notation
In this section we briefly state some preliminaries needed for the purpose of self-containment, as well as to establish notation. The set of all vectors withelements is given by , and the set of all matrices is given by . We use a boldface font to refer to vectors and matrices, and reserve capital symbols for matrices, and lowercase symbols for vectors. The identity matrix is denoted . We may denote by , resp. as either matrices or vectors containing only 0, resp. 1 and trust it is clear from the context what we mean.
We mostly assume familiarity with game theory and refer to  for more details. We give a brief recap to establish notation. An extensive-form game consists of a rooted tree , the leaves of which are labeled with a utility for each player. We denote by the set of leaves in , and suppose some arbitrary but fixed order on its elements, . We assume the existence of an matrix , called the utility matrix of , that for each player specifies how much utility they receive when the game terminates in the leaf . The remaining nodes are partitioned into sets, one belonging to each player. The game is played, starting at the root, by recursively letting the player who owns the current node choose a child to descend into. We stop when a leaf is reached, after which player is given utility. A mapping that dictates the moves a player makes is called a strategy for that player, and is said to be pure if it is deterministic, and mixed otherwise. A set of strategies , one for each player, is called a strategy profile and defines a distribution on the set of leaves in the game. We overload notation and let denote the expected utility for player when playing the strategy profile . If is a set of indices of players, a coalition, we denote by its complement so that we may write a strategy profile as . As solution concept, we will use a refinement of regular Nash equilibria that takes into account deviations by more than a single party, see  for details on this model. Formally, a strategy profile is said to be a -robust (Nash) equilibrium if for every strategy with , and every , it holds that:
A subgame of is a subtree such that whenever and is a child of , then . A strategy profile that is a -robust equilibrum for every subgame of is said to be a -robust subgame perfect equilibrium. These definitions suffice for so-called games of perfect information, where at each step, a player knows the actions taken by previous players, though, more generally, we may consider partitioning each set of nodes belonging to a player into information sets, the elements of which are sets of nodes that the player cannot tell apart. A game of perfect information is a special case where all information sets are singletons.
3 Deposit schemes
In this section, we present our model of games with deposit schemes and show when they can be used to ensure it is rational to play an intended strategy. We consider a set of parties playing a fixed finite extensive-form game of perfect information. For simplicity, we consider only games of perfect information as every such game allows for backward induction to determine the subgame perfect equilibria that takes linear time in the size of the game tree. In general, we should not hope to efficiently determine an optimal deposit scheme for games of imperfect information, as it is well-known that finding equilibria in these games is PPAD-complete as shown in  by Daskalakis, Goldberg and Papadimitriou.
We take as input a unique pure strategy profile that we want the parties to play that we call the honest strategy profile for lack of a better term. Note that is required to be pure, since it is impossible to determine if a player played a mixed strategy. This has the effect that defines, at each branch in the game, a unique ‘honest move’ that the corresponding party must play. Our goal is to construct a procedure that takes as input a game in a black-box way and produces an equivalent game that implements a different utility matrix such that is an equilibrium, and possibly satisfies some other desirable properties. In order to do this, we need to be able to infer something about what happened during the execution of the game, as otherwise we are simply ‘shifting’ the utilities of the game, not changing the structure of its equilibria. We call such a mechanism an information structure. We assume playing the game emits a symbol from a fixed finite alphabet of possible outcomes that can be observed by an outside observer. This alphabet serves as a proxy for how the parties acted in the execution of the game. We associate with each leaf of the game a distribution on . When the game terminates in a leaf, we sample a symbol according to the distribution and output that symbol.
An information structure for is a pair where is a finite alphabet of symbols with some arbitrary but fixed order on its symbols, for , and where is a matrix of emissions probabilities such that every column of is a pdf on the symbols of .
3.0.1 Deposit schemes.
A deposit scheme is a mechanism that can be used to augment any finite game that has an information structure. Before playing the game , each party makes a deposit to , and then the game is played as usual. At the end, the deposit scheme repays some of parties based on what was emitted by the information structure. We assume the utilities of the game are given in the same unit as some arbitrarily divisible currency which the deposit scheme is able to process. This means a party is indifferent to obtaining an outcome that gives them utility and receiving money. In other words, we make the implicit assumption that ‘everything has a price’ and intentionally exclude games that model interactions with events that are not interchangeable with money. This circumvents the impossibility result of Halpern and Teague who implicitly assume a fixed total order on the set of possible outcomes. By contrast, we allow deposit schemes to alter the order by punishing or rewarding parties with money. As mentioned, in the present work, we do not consider how to implement such a mechanism, but briefly mention that deposit schemes can be implemented by a trusted third party, or when this is not possible, as a smart contract running on a blockchain
A deposit scheme for is a matrix , where is an information structure for , and is the utility lost by when observing the symbol
In our definition, is a matrix that explicitly defines how much utility party loses when the deposit scheme observes the symbol . Note that is allowed to contain negative entries which means parties are compensated, i.e. receive back more utility from the deposit scheme than they initially deposited. Of course, this necessitates that other parties lose their deposit. In general, we might want our deposit schemes to ‘break even’, in the sense that the sum of the deposits is zero. We study zero inflation and other properties we might want our deposit schemes to satisfy in Section 5.
When the game is played reaching the leaf , the expected utility of party is the utility they would have received in a normal execution, minus their expected loss from engaging with the deposit scheme:
Correspondingly, the game is said to implement the utility matrix if . For the remainder of this paper, we study when and how can be instantiated to ensure implements some with desirable properties.
3.0.2 Adversarial level agreements.
We now show how the model of ‘adversarial level agreements’ (ALAs) by George and Kamara can be recovered as a special case of our model. An ALA for a game with players consists of 1) a description of the intended strategy for each player, and 2) a vector of damages that specifies how much utility party should lose when found to deviate from the intended strategy. Their model does not explicitly consider deviations by more than a single party, so we can state this as an information structure with the following alphabet:
Here, means all parties were honest, and means deviated. The emission matrix depends on the specific application. An ALA in the basic form then corresponds to a deposit scheme of the following form:
Note that we can easily generalize this to deviations by any parties by including more symbols, e.g. or .
3.1 Implementing deposit schemes
We now explain how a deposit scheme can be deployed in practice as a smart contract running on a blockchain, see Fig. 1 for an illustration. We want to ensure party loses utility when the symbol is observed. We can implement this by defining and letting each party make a deposit of size to a smart contract before playing the game. Afterwards, the parties are repaid appropriately by the deposit scheme to ensure their utility is as dictated by . Suppose we fix some deposit scheme , then the augmented game is played as follows:
Each makes a deposit of to the deposit scheme.
The game is played, reaching a leaf .
A symbol is sampled from according to the pdf in the column of .
Each party is repaid .
This can be implemented in a fairly straightforward manner using a scripting language and deployed as a smart contract running on a blockchain, assuming access to some information structure with known bounds on the emission probabilities.
We stress that this is only one possible implementation of a deposit scheme suitable in any scenario, even over the internet when parties are anonymous. The important thing is that party loses utility when symbol is observed. When parties are not anonymous and can be held accountable, the deposit scheme can be used in an optimistic manner as was argued by George and Kamara.
3.2 Trivial information structures
One might be tempted to simply choose a utility matrix with some properties that we like and solve for to yield a protocol with those properties. Unfortunately, as we will show, this is only possible for information structures that are ‘trivial’ in the sense that they leak all essentially all information about what happened.
Let be fixed matrices, and let be a fixed alphabet of size . Then there exists a for each such that implements if and only if there are at least as many symbols as leaves and is left-invertible.
We prove each claim separately:
If is left-invertible, then for any fixed we can let where is a left-inverse of . It follows that:
which means that implements , as we wanted to show.
Suppose there is such a for each . This means that we can always find that solves . Assume for the sake of contradiction that there are fewer symbols than leaves. This means there must be a leaf for which the deposits is a fixed linear combination of the deposits of the other leaves which means there must be an that we cannot implement. But this is a contradiction so we assume there are at least as many symbols as leaves. This means we can choose such that is left-invertible with left-inverse , which means that:
But this means that is the left-inverse of , a contradiction.∎
In particular, we can only implement any we want if there are at least as many symbols as leaves in the game tree, and that these symbols are not duplicates, i.e. the distributions of symbols across the leaves are linearly independent. Since we are considering pdfs which are normalized, linear independence means the pdfs are pairwise distinct. This means we can only ‘do what we want’ if the smart contract is basically able to infer completely what happened in the execution of the game. Of course, this makes the problem trivial as mentioned, as intuitively, we can simply keep the deposit for all players who deviated from the intended strategy. This always yields a protocol with game-theoretic security for sufficiently large deposits. Correspondingly, such a deposit scheme is considered trivial.
4 Game-theoretic security
In this section, we define what it means for a game to be secure in a game-theoretic sense and show how deposit schemes can be used to ensure these properties are satisfied. Intuitively, security in a game-theoretic sense means the honest strategy profile is an equilibrium, though this is likely not sufficient for some applications. The fact that the honest strategy profile is an equilibrium does not mean it is the only equilibrium. Namely, there might be several dishonest strategy profiles with the same properties, and there is no compelling argument for why parties should opt to be honest in the face of ambiguity. In fact, there might be reasons for being dishonest that are not captured by the utilities of the game, say for spite or for revenge. To remedy this, we want to quantify how much utility parties lose by deviating from the honest strategy profile, in effect measuring the cost of dishonesty. We introduce a parameter such that being dishonest results in the deviating parties losing at least utility. A game with this property is considered secure against -deviating rational parties. Our definition generalizes -robust subgame perfect equilibria for finite games of perfect information.
We let be a fixed finite game with players and leaves, and let be the corresponding utility matrix, and let be some fixed information structure on . As mentioned,  shows that computing equilibria in games of imperfect information is PPAD-complete, meaning it is unlikely there is an efficient procedure to compute an optimal deposit scheme for these games. To start, we say a utility vector is -inducible in for a coalition if there is a strategy such that playing terminates in a leaf labelled by with non-zero probability. We say has -strong -robust game-theoretic security if for every subgame of , and every -inducible vector in that subgame with , and every , it holds that:
In other words, every coalition of parties that deviate from at any point in the game lose at least utility for each party. We note that for finite games of percect information, -robust subgame perfect equilibria is retained as a special case of this definition by letting . We can write the necessary constraints for -strong -robust game-theoretic security as a set of linear constraints. For convenience, we will represent the utility matrix as a vector in row-major order. We will then collect the set of necessary constraints in a matrix where denotes the number of such constraints. We also let be a vector only containing . Note that is a constant that depends on the structure of the game. The set of utility matrices with -strong -robust game-theoretic security can then be recovered as the set of solutions to the following equation:
We note that, in general, it is hard to give an exact expression for since this is tightly dependent on the structure of the game, as is . Instead, the matrix can be computed using a simple recursive procedure. In the base case, the leaves, there are no constraints. At each branch owned by a player , we need to bound the probability of each undesirable outcome in terms of the honest outcome . To do so, we compute the -inducible region, defined as the set of outcomes inducible by a coalition containing of size . For each outcome in the -inducible region, we add a row to that ensures that . To do so, suppose and have indices respectively, we then let , and and zero elsewhere, and add an entry containing to . This procedure can be completed using a single pass of the game tree by keeping track of the -inducible region as we go along.
4.1 Finding an optimal deposit scheme
We now show how to find an optimal deposit scheme that satisfies Eq. 2. Since the feasible region is a convex polyhedron, we can essentially just apply linear programming to decide the minimal size of the deposits necessary to establish security. However, there is a technical issue since our decision variables are not in vector form, as is usual of linear programming. To remedy this, we also want to collect the deposits in a vector in row-major order. For a given information structure , we construct a matrix equivalent to in the following way: for every index in , we construct the ‘base matrix’ that is 1 in index , and 0 everywhere else. We then compute a row of by computing the product and putting it in row-major order. It is not hard to see that the image of is isomorphic to the column space of , and hence we say implements the utility vector iff . We now substitute this in Eq. 2 to get the following inequality:
We move the constant terms to the right-hand side to yield the following:
Now that we have defined the feasible region, we want to define our objective function. There are many options with different properties that will be discussed in Section 5. For now, suppose we wish to minimize the size of the largest deposit. To do so, we apply the standard trick of introducing an auxiliary variable that we want to minimize, and introduce constraints to ensure for every . However, this produces an unbounded linear program since, as mentioned, deposits can be shifted an arbitrary amount without changing the structure of its equilibria. Minimizing the deposits then corresponds to giving the parties increasingly large rewards for acting as intended. Even putting a bound on the deposits, this means using the optimal deposit scheme costs money to deploy, and it is unclear who should provide this service. Instead, we introduce the very natural property that the deposit scheme should not require outside funding to function. Specifically, we add the constraint that the sum of each column in should be nonnegative. This has the effect that the deposit scheme is ‘self-contained’ in the sense that it does not require outside funding. If a column sum is positive, this means the deposit scheme has money left over. If instead, the sum of each column is zero such that no funds are left over, we say the deposit scheme has zero inflation. As we will show in Section 5, this turns out to be a fairly restrictive property that can only be achieved for a small class of games unless the information structure is trivial. Technically speaking, the deposit scheme can do anything with the left over funds, except giving it to any of the participating parties, e.g. donating to a charity or amoritizing it for future deposit schemes such that we can relax the property of nonnegative column sums to achieve smaller deposits. We leave this dilemma as an open question for future research.
To summarize, we can find an optimal deposit scheme by solving the following linear program:
It is not hard to see the dominating computation is solving the linear program, not constructing it, which shows the following theorem:
Finding the optimal deposit scheme for ensuring game-theoretic security in games of perfect information, or determining no such deposit scheme exists, is no harder than linear programming.
We implemented the algorithm as an interactive web application that can be found at https://cs.au.dk/~nis/deposits/.
5 Properties of deposit schemes
In this section we present some additional properties that we may want our deposit schemes to satisfy depending on the application. We show that the properties we state can be stated as linear constraints which fit nicely with the linear program constructed in the previous section. However, as the properties we state reduce the feasible region, likely they will increase the size of the maximum deposits. Whether a given property is worth this cost depends on the specific application in mind.
Throughout this section, we consider some fixed finite game with information structure , and let be a deposit scheme that implements a utility matrix .
5.0.1 Honest invariance.
One possible issue with deposit schemes is that they inherently change the game. In particular, a deposit scheme may change the game even when all players are honest and play the intended strategy. This may dissuade the parties from playing the game to begin with, or may cause other adverse effects if some particular application requires the parties to receive a certain utility. The first property explicitly forbids this, by requiring that the utilities of the honest node remain unchanged. Formally, let be the index of the honest leaf, we say is honest invariant if for every . We can easily implement this in our linear program by adding the following set of constraints:
5.0.2 Envy freeness.
Often times minimizing the maximum deposit leads to the parties submitting different deposits. For some applications, particular if the games are ‘asymmetrical’ this might be tolerable, though for other games it might be preferable to ensure all parties make identical deposits. We call this property envy freeness. It can be instantiated by adding an auxiliary variable for every player, requiring that it upper bounds all deposits for that player, as well as ensuring , and then enforcing that for .
5.0.3 Zero inflation.
So far we have only required that the deposit schemes do not inflate the currency by minting money. In general, we might want the deposit scheme to ‘break even’ in the sense that it also does not deflate the currency by locking away funds. To implement this we require that the sum of every column in is exactly zero (or perhaps equal to the transaction fee on the blockchain). This has the effect that, for a given symbol, the sum of deposits for all players is zero. Formally, we say a deposit scheme has zero inflation if . It is not hard to implement this as a linear constraint, simply change all inequalities of the form to equalities.
Unfortunately, zero inflation is not an easy property to satisfy, as shown by the following lemma:
If a deposit scheme which implements has zero inflation then the columns of sum to zero.
First of all, note that any that implements must satisfy . Any such can be written as where is a fixed solution and is any element in the cokernel of , i.e. . In order for to have zero inflation, it must hold that
which implies that . Now assume has zero inflation, then we can multiply by from the right to yield:
But is an element of the cokernel of , and is a solution to the equation, so we get:
which means the columns of sum to zero, as desired.∎
In other words, we must be able to achieve game-theoretic security by giving utility from a party to another; it is not possible to e.g. simultaneously punish all parties for a specific action, and it is not possible to punish a party without rewarding another party. As such, the class of games that permit a zero inflation deposit scheme have a specific structure, and we should not in general hope to achieve zero inflation.
Note that for certain ‘well-behaved’ games, Lemma 2 also give sufficient conditions for zero inflation: namely, if there are fewer symbols than leafs and is right-invertible then has zero inflation if and only if the columns of sum to zero. This is an immediate consequence of the proof of Lemma 2 by following the deductions backwards.
5.0.4 Choice of objective function.
We now briefly discuss different instantiations of the objective function. So far, we have minimized the largest deposit by any party, though for some applications, it might be acceptable to have a slightly larger maximum deposit if in general the deposits are smaller. One option is to minimize the 2-norm though this means we have to minimize a quadratic program, and it is no longer clear we can do this efficiently. Instead, we can minimize the sum of the deposits, though this makes the deposit scheme indifferent between the parties not making a deposit, and one of the parties making a large to the rest of the parties. As an alternative, we can minimize the absolute sum of the deposits. In general, we should expect that different applications require different objective functions.
6 A lower bound on the size of deposits
In this section we prove a lower bound on the size of the largest deposit necessary to achieve game-theoretic security. We show that the largest deposit must be linear in the security parameter , as well as linear in some of the utilities in the game.
To establish our bound, we use properties of matrix norms. We give a brief recap of matrix norms for the purpose of self-containment and refer to  for more details. We say a mapping is a matrix norm if it satisfies the following properties for all matrices , and every scalar .
(Positivity). , and iff .
We denote by the matrix norm induced by the norm on vector spaces, and is defined as follows:
If in addition, , we say is submultiplicative. It can be shown that is submultiplicative for any value of . Some special cases that we will need are which can be characterized as follows. The quantity equals the maximum absolute column sum of the columns of , while the quantity gives the maximum absolute row sum of the rows of . Our lower bound is established by noting that we know these sums for the matrices used in our framework.
An example of a matrix norm that is not submultiplicative is the max norm, . However, we can relate this norm to using the following identity:
We will need the fact that all matrix norms are equivalent up to scalar multiple, in the sense that each pair of matrix norms are related in the following way:
where are constants. For our purposes, we need the following bounds:
6.0.1 Establish the lower bound.
Let be a fixed game with information structure . Let be fixed, and let be the corresponding constraints. We denote by the number of rows in . Now, let be any feasible deposit scheme. We have already seen that any such is a solution to the following equation:
Each row of is filled with , so the resulting absolute row sum is . Similarly, each row of contains exactly one 1 and one -1, so each absolute row sum is 2. Finally, each column of is a pdf, so its absolute row sum is 1. Combining these insights with Eqs. 6 and 5 and substituting in Eq. 8 gives the following bound:
We note that in general, there is not much to say about , as can lie in the kernel of . This occurs if already establishes exact -strong -robust game-theoretic security.
Note that the bound, strictly speaking, is a bound on the largest absolute deposit necessary to achieve security, while we are interested in bounding the largest positive deposit, denoted instead by . If the game already is secure, the bound for the largest deposit should be zero, while the above bound is positive for any . Indeed, iff we can pay more to a party to misbehave and still retain security than what we have to pay another party to behave properly. We note that this depends on the structure of the game and the intended strategy profile. In particular, it is independent of the security parameter. For this reason, we denote by the minmax deposit required to obtain 0-strong -robust game-theoretic security. We note that iff the game is not secure for any , while iff the game is already secure for .
We note that by definition, is a trivial lower bound on the size of the maximum deposit. We combine this with the above bounds to yield the following lower bound:
Let be a game on players with an information structure , and let be the intended strategy profile. If ensures -strong -robust game-theoretic security then the maximum deposit must satisfy:
7 Conclusion and future work
In this paper we proposed a model for finite games with deposit schemes. We showed how to define the information released by a game as an information structure. We showed that deposit schemes can be used to implement any set of utilities if and only if the information structure is essentially able to infer all actions taken in the game. We gave a definition of game-theoretic security that generalizes subgame perfection for finite games of perfect information by quantifying how much utility a party loses. We showed how to find an optimal deposit scheme for games of perfect using linear programming. Optimal means the size of the deposits is minimized. We stated additional properties we may want our deposit scheme to satisfy and discussed tradeoffs when deploying such a system in practice. Finally, we showed a lower bound on the size of deposits, showing that the maximum deposit must be linear in the security parameter.
-  (2006) Distributed computing meets game theory: robust mechanisms for rational secret sharing and multiparty computation. In Proceedings of the Twenty-Fifth Annual ACM Symposium on Principles of Distributed Computing, PODC ’06, New York, NY, USA, pp. 53–62. External Links: Cited by: §2.
-  (2018) Astraea: a decentralized blockchain oracle. In 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Vol. , pp. 1145–1152. External Links: Cited by: §1.
-  (2019) Solving the buyer and seller’s dilemma: a dual-deposit escrow smart contract for provably cheat-proof delivery and payment for a digital good without a trusted mediator. In 2019 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), Vol. , pp. 262–267. External Links: Cited by: §1.
-  (2012) Calling out cheaters: covert security with public verifiability. In Advances in Cryptology – ASIACRYPT 2012, X. Wang and K. Sako (Eds.), Berlin, Heidelberg, pp. 681–698. External Links: Cited by: §1.
-  (2007) Security against covert adversaries: efficient protocols for realistic adversaries. In Theory of Cryptography, S. P. Vadhan (Ed.), Berlin, Heidelberg, pp. 137–156. External Links: Cited by: §1.
-  (2015) Validation of decentralised smart contracts through game theory and formal methods. In Programming Languages with Applications to Biology and Security: Essays Dedicated to Pierpaolo Degano on the Occasion of His 65th Birthday, C. Bodei, G. Ferrari, and C. Priami (Eds.), pp. 142–161. External Links: Cited by: §1.
-  (2015) Secure multiparty computation and secret sharing. Cambridge University Press. External Links: Cited by: §1.
-  (2009-02) The complexity of computing a nash equilibrium. SIAM J. Comput. 39, pp. 195–259. External Links: Cited by: §3, §4.
-  (2017) Betrayal, distrust, and rationality: smart counter-collusion contracts for verifiable cloud computing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, New York, NY, USA, pp. 211–227. External Links: Cited by: §1.
-  (2000) Two generalizations of a deposit-refund systems. American Economic Review 90 (2), pp. 238–242. Cited by: §1.
-  (2020) Adversarial level agreements for two-party protocols. Note: Cryptology ePrint Archive, Report 2020/1249https://eprint.iacr.org/2020/1249 Cited by: §1.
-  (1996) Matrix computations (3rd ed.). Johns Hopkins University Press, USA. External Links: Cited by: §6.
-  (2007-11) A game theory framework for cooperative management of the bottle life cycle. Journal of Cleaner Production 15, pp. 1618–1627. External Links: Cited by: §1.
Rational secret sharing and multiparty computation: extended abstract.
Proceedings of the Thirty-Sixth Annual ACM Symposium on Theory of Computing, STOC ’04, New York, NY, USA, pp. 623–632. External Links: Cited by: §1.
-  (2019-09) Kleros Short Paper v1.0.7. Technical report Cited by: §1.
-  (2013) Enforcing compliance with international environmental agreements using a deposit-refund system. International Environmental Agreements: Politics, Law and Economics 13 (4), pp. 481–496. External Links: Cited by: §1.
-  (1994) A course in game theory. The MIT Press, Cambridge, USA. Note: electronic edition External Links: Cited by: §2.
-  (2021) An incentive-compatible smart contract for decentralized commerce. In 2021 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), Cited by: §1.
-  (2011) Deposit-refund systems in practice and theory. Environmental Economics eJournal. Cited by: §1.
-  (2019) Efficient publicly verifiable 2pc over a blockchain with applications to financially-secure computations. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, New York, NY, USA, pp. 633–650. External Links: Cited by: §1.
-  (2015) Two Party double deposit trustless escrow in cryptographic networks and Bitcoin.. Technical report Cited by: §1.