Sequential Rationality in Cryptographic Protocols

Much of the literature on rational cryptography focuses on analyzing the strategic properties of cryptographic protocols. However, due to the presence of computationally-bounded players and the asymptotic nature of cryptographic security, a definition of sequential rationality for this setting has thus far eluded researchers. We propose a new framework for overcoming these obstacles, and provide the first definitions of computational solution concepts that guarantee sequential rationality. We argue that natural computational variants of subgame perfection are too strong for cryptographic protocols. As an alternative, we introduce a weakening called threat-free Nash equilibrium that is more permissive but still eliminates the undesirable ``empty threats’’ of non-sequential solution concepts. To demonstrate the applicability of our framework, we revisit the problem of implementing a mediator for correlated equilibria (Dodis-Halevi-Rabin, Crypto'00), and propose a variant of their protocol that is sequentially rational for a non-trivial class of correlated equilibria. Our treatment provides a better understanding of the conditions under which mediators in a correlated equilibrium can be replaced by a stable protocol.

💡 Research Summary

The paper tackles a long‑standing gap at the intersection of game theory and cryptography: how to define and achieve sequential rationality when players are computationally bounded and security is defined asymptotically. Traditional solution concepts such as Subgame Perfect Equilibrium (SPE) assume unlimited computational power and perfect information, which clash with the cryptographic setting where protocols must remain secure against polynomial‑time adversaries and where many security guarantees are only meaningful in the limit as the security parameter grows. The authors first demonstrate that a naïve “computational SPE” is either impossible to satisfy or forces protocols to become impractically complex, because each subgame would require fresh cryptographic assumptions and because players could exploit “empty threats” that are not enforceable in polynomial time.

To overcome these obstacles the authors introduce Threat‑Free Nash Equilibrium (TFNE), a new computational solution concept that sits between the classic Nash equilibrium and full subgame perfection. A strategy profile is a TFNE if (i) it is a Nash equilibrium—no player can gain by unilaterally deviating given the others’ strategies; (ii) for every reachable subgame, any threat that a player might threaten to carry out is either credible (i.e., can be executed by a polynomial‑time algorithm) or, if it is not credible, the opponent’s best response does not rely on that threat. In other words, the equilibrium eliminates “empty threats” while allowing the weaker requirement that only credible threats need to be considered. This definition respects computational constraints: all strategies are required to be implementable in polynomial time, and the security of underlying cryptographic primitives (commit‑and‑reveal, zero‑knowledge proofs, pseudorandom generators, etc.) is preserved.

The paper then applies TFNE to a concrete and historically important protocol: the Dodis‑Halevi‑Rabin (DHR) construction for implementing a mediator‑less correlated equilibrium (Crypto ’00). The original DHR protocol achieves the desired equilibrium distribution but fails to be sequentially rational because a player could, after seeing part of the transcript, deviate in a way that creates an “empty threat” to the other player, thereby gaining an advantage without violating any cryptographic security property. To fix this, the authors augment the protocol with two key mechanisms:

1. Simulatable Zero‑Knowledge Commitments – each player must provide a zero‑knowledge proof that their commitment is consistent with a pre‑committed value. The proof is simulatable, ensuring that no additional information leaks and that a cheating player cannot later open a different value without being caught.

2. Selective Reveal with Punishment Triggers – instead of revealing the entire correlated recommendation at once, the protocol reveals it in stages. If a player aborts or attempts to send an inconsistent message at any stage, the other player automatically obtains a cryptographic “punishment token” that can be used to force a loss on the deviator (e.g., by publishing a signed transcript that invalidates the deviator’s payoff).

These additions guarantee that any deviation that would constitute an empty threat is either computationally infeasible or immediately costly, thereby satisfying the TFNE condition. The authors prove that the modified protocol retains the original DHR security guarantees: it is still a correct implementation of the target correlated equilibrium under the standard assumptions of one‑way functions and collision‑resistant hash functions. Moreover, they show that for a non‑trivial class of correlated equilibria—those where each player’s recommended action does not depend on the opponent’s future threats—the protocol is a TFNE.

The paper also discusses the limits of TFNE. Not every correlated equilibrium can be implemented in a threat‑free manner; equilibria that inherently rely on contingent threats (e.g., “play A unless you threaten B, in which case I will switch to C”) fall outside the scope of the current construction. The authors argue that this limitation is not a flaw but a reflection of the intrinsic tension between cryptographic enforceability and game‑theoretic flexibility. They suggest that future work could explore richer cryptographic primitives (e.g., verifiable delay functions or secure multi‑party computation) to broaden the class of equilibria that admit TFNE implementations.

In conclusion, the paper makes three major contributions: (1) it formalizes the notion of sequential rationality for computationally bounded agents via the Threat‑Free Nash Equilibrium; (2) it demonstrates that natural extensions of subgame perfection are too strong for cryptographic protocols, thereby justifying the need for a weaker yet still robust concept; and (3) it provides a concrete, provably sequentially rational redesign of the DHR mediator‑less correlated equilibrium protocol, illustrating how TFNE can be applied in practice. The work opens a new research agenda at the crossroads of cryptography and game theory, inviting further exploration of automated verification tools, broader equilibrium classes, and the integration of TFNE with other cryptographic frameworks such as blockchain smart contracts.