Cryptography and Mechanism Design

Mechanism Design is the algorithmic component of Game Theory, the synthesis of protocols for selfish parties to achieve certain properties. A protocol is a me thod to aggregate the preferences of the parties in order to decide on some "social choice," where typical examples include: deciding whether a community should build a bridge, how to route packets in a network and deciding who wins an auction. Each par ty has a utility function which expresses how much it values each possible outcome of the protocol. The goal is to design a protocol where the winning strategies achieve the social choice. Recently Mechanism Design has received at tent ion by computer scientists in light of the above applications, see [19, 20]. An important result in Mechanism Design is the Revelation Principle that essentially states that if there is a game with dominating strategies achieving a given social choice function, then there is a mechanism where the parties simply report their t rue util i ty functions. The resulting protocol is therefore: each par ty send in.formation about its utility function to a center. The center then decides on the outcome of the protocol based on the parties ' reports. It is often assumed that the center can be t rusted by the parties, but this might not always be true, especially in an Internet environment. The revelation principle might not be applicable if the center is corrupt and misuses the t ru thful bids it receives. Privacy is therefore essential in order to ensure the center's credibility. This problem was stated by Varian [23] as follows: "Even if current information can be safeguarded, records of past behavior can be extremely valuable, since historical data can be used to estimate the willingness to pay. What should be the appropriate technological and social safeguards to deal with this problem?" Cryptography deals with preserving the secrecy and integrity of da ta in computer and communication systems. An exciting topic of cryptographic research in the last two decades is secure .function evaluation (see [6] for an introduction). For any function f ( x l , x 2 , . . . , xn) it is possible in principle to construct a protocol that allows a group of n parties, where par ty i has as its private input ai, to jointly evaluate f(o~l, a 2 , . . . , an). Following the protocol the parties learn f(c~l, a 2 , . . , c~n) but no par ty i can learn about the other inputs {a j} j¢ i more than can be computed from ai and f (o~1, a2, • • • O~n). Given t h a t any mechanism can be considered as an evaluation of a function of the utility function, it is tempt ing to t ry and use such a secure evaluation protocol in order to eliminate the