129 research outputs found
Secure Multiparty Computation with Partial Fairness
A protocol for computing a functionality is secure if an adversary in this
protocol cannot cause more harm than in an ideal computation where parties give
their inputs to a trusted party which returns the output of the functionality
to all parties. In particular, in the ideal model such computation is fair --
all parties get the output. Cleve (STOC 1986) proved that, in general, fairness
is not possible without an honest majority. To overcome this impossibility,
Gordon and Katz (Eurocrypt 2010) suggested a relaxed definition -- 1/p-secure
computation -- which guarantees partial fairness. For two parties, they
construct 1/p-secure protocols for functionalities for which the size of either
their domain or their range is polynomial (in the security parameter). Gordon
and Katz ask whether their results can be extended to multiparty protocols.
We study 1/p-secure protocols in the multiparty setting for general
functionalities. Our main result is constructions of 1/p-secure protocols when
the number of parties is constant provided that less than 2/3 of the parties
are corrupt. Our protocols require that either (1) the functionality is
deterministic and the size of the domain is polynomial (in the security
parameter), or (2) the functionality can be randomized and the size of the
range is polynomial. If the size of the domain is constant and the
functionality is deterministic, then our protocol is efficient even when the
number of parties is O(log log n) (where n is the security parameter). On the
negative side, we show that when the number of parties is super-constant,
1/p-secure protocols are not possible when the size of the domain is
polynomial
An Incentive-Compatible Smart Contract for Decentralized Commerce
We propose a smart contract that allows two mutually distrusting parties to
transact any non-digital good or service by deploying a smart contract on a
blockchain to act as escrow. The contract settles disputes by letting parties
wager that they can convince an arbiter that they were the honest party. We
analyse the contract as an extensive-form game and prove that the honest
strategy is secure in a strong game-theoretic sense if and only if the arbiter
is biased in favor of honest parties. By relaxing the security notion, we can
replace the arbiter by a random coin toss. Finally, we show how to generalize
the contract to multiparty transactions in a way that amortizes the transaction
fees.Comment: 14 pages, 3 figure
On the Round Complexity of Randomized Byzantine Agreement
We prove lower bounds on the round complexity of randomized Byzantine agreement (BA) protocols, bounding the halting probability of such protocols after one and two rounds. In particular, we prove that:
1) BA protocols resilient against n/3 [resp., n/4] corruptions terminate (under attack) at the end of the first round with probability at most o(1) [resp., 1/2+ o(1)].
2) BA protocols resilient against n/4 corruptions terminate at the end of the second round with probability at most 1-Theta(1).
3) For a large class of protocols (including all BA protocols used in practice) and under a plausible combinatorial conjecture, BA protocols resilient against n/3 [resp., n/4] corruptions terminate at the end of the second round with probability at most o(1) [resp., 1/2 + o(1)].
The above bounds hold even when the parties use a trusted setup phase, e.g., a public-key infrastructure (PKI).
The third bound essentially matches the recent protocol of Micali (ITCS\u2717) that tolerates up to n/3 corruptions and terminates at the end of the third round with constant probability
Insured MPC: Efficient Secure Computation with Financial Penalties
Fairness in Secure Multiparty Computation (MPC) is known to be impossible to achieve in the presence of a dishonest majority. Previous works have proposed combining MPC protocols with Cryptocurrencies in order to financially punish aborting adversaries, providing an incentive for parties to honestly follow the protocol. This approach also yields privacy-preserving Smart Contracts, where private inputs can be processed with MPC in order to determine the distribution of funds given to the contract. The focus of existing work is on proving that this approach is possible and unfortunately they present monolithic and mostly inefficient constructions. In this work, we put forth the first modular construction of ``Insured MPC\u27\u27, where either the output of the private computation (which describes how to distribute funds) is fairly delivered or a proof that a set of parties has misbehaved is produced, allowing for financial punishments. Moreover, both the output and the proof of cheating are publicly verifiable, allowing third parties to independently validate an execution.
We present a highly efficient compiler that uses any MPC protocol with certain properties together with a standard (non-private) Smart Contract and a publicly verifiable homomorphic commitment scheme to implement Insured MPC. As an intermediate step, we propose the first construction of a publicly verifiable homomorphic commitment scheme achieving composability guarantees and concrete efficiency. Our results are proven in the Global Universal Composability framework using a Global Random Oracle as the setup assumption. From a theoretical perspective, our general results provide the first characterization of sufficient properties that MPC protocols must achieve in order to be efficiently combined with Cryptocurrencies, as well as insights into publicly verifiable protocols. On the other hand, our constructions have highly efficient concrete instantiations, allowing for fast implementations
CRAFT: Composable Randomness Beacons and Output-Independent Abort MPC From Time
Recently, time-based primitives such as time-lock puzzles (TLPs) and verifiable delay functions (VDFs) have received a lot of attention due to their power as building blocks for cryptographic protocols. However, even though exciting improvements on their efficiency and security (e.g. achieving non-malleability) have been made, most of the existing constructions do not offer general composability guarantees and thus have limited applicability. Baum et al. (EUROCRYPT 2021) presented in TARDIS the first (im)possibility results on constructing TLPs with Universally Composable (UC) security and an application to secure two-party computation with output-independent abort (OIA-2PC), where an adversary has to decide to abort before learning the output. While these results establish the feasibility of UC-secure TLPs and applications, they are limited to the two-party scenario and suffer from complexity overheads. In this paper, we introduce the first UC constructions of VDFs and of the related notion of publicly verifiable TLPs (PV-TLPs). We use our new UC VDF to prove a folklore result on VDF-based randomness beacons used in industry and build an improved randomness beacon from our new UC PV-TLPs. We moreover construct the first multiparty computation protocol with punishable output-independent aborts (POIA-MPC), i.e. MPC with OIA and financial punishment for cheating. Our novel POIA-MPC both establishes the feasibility of (non-punishable) OIA-MPC and significantly improves on the efficiency of state-of-the-art OIA-2PC and (non-OIA) MPC with punishable aborts
Just How Fair is an Unreactive World?
Fitzi, Garay, Maurer, and Ostrovsky (J. Cryptology 2005) showed that in the presence of a dishonest majority, no primitive of cardinality is complete for realizing an arbitrary -party functionality with guaranteed output delivery. In this work, we show that in the presence of corrupt parties, no unreactive primitive of cardinality is complete for realizing an arbitrary -party functionality with fairness. We show more generally that for , in the presence of malicious parties, no unreactive primitive of cardinality is complete for realizing an arbitrary -party functionality with fairness. We complement this result by noting that -wise fair exchange is complete for realizing an arbitrary -party functionality with fairness. In order to prove our results, we utilize the primitive of fair coin tossing and the notion of predictability. While this notion has been considered in some form in past works, we come up with a novel and non-trivial framework to employ it, one that readily generalizes from the setting of two parties to multiple parties, and also to the setting of unreactive functionalities
Serial composition of quantum coin-flipping, and bounds on cheat detection for bit-commitment
Quantum protocols for coin-flipping can be composed in series in such a way
that a cheating party gains no extra advantage from using entanglement between
different rounds. This composition principle applies to coin-flipping protocols
with cheat sensitivity as well, and is used to derive two results: There are no
quantum strong coin-flipping protocols with cheat sensitivity that is linear in
the bias (or bit-commitment protocols with linear cheat detection) because
these can be composed to produce strong coin-flipping with arbitrarily small
bias. On the other hand, it appears that quadratic cheat detection cannot be
composed in series to obtain even weak coin-flipping with arbitrarily small
bias.Comment: 7 pages, REVTeX 4 (minor corrections in v2
Leakage-resilient coin tossing
Proceedings 25th International Symposium, DISC 2011, Rome, Italy, September 20-22, 2011.The ability to collectively toss a common coin among n parties
in the presence of faults is an important primitive in the arsenal of
randomized distributed protocols. In the case of dishonest majority, it
was shown to be impossible to achieve less than 1
r bias in O(r) rounds
(Cleve STOC ’86). In the case of honest majority, in contrast, unconditionally
secure O(1)-round protocols for generating common unbiased
coins follow from general completeness theorems on multi-party secure
protocols in the secure channels model (e.g., BGW, CCD STOC ’88).
However, in the O(1)-round protocols with honest majority, parties
generate and hold secret values which are assumed to be perfectly hidden
from malicious parties: an assumption which is crucial to proving the
resulting common coin is unbiased. This assumption unfortunately does
not seem to hold in practice, as attackers can launch side-channel attacks
on the local state of honest parties and leak information on their secrets.
In this work, we present an O(1)-round protocol for collectively generating
an unbiased common coin, in the presence of leakage on the local
state of the honest parties. We tolerate t ≤ ( 1
3
− )n computationallyunbounded
Byzantine faults and in addition a Ω(1)-fraction leakage on
each (honest) party’s secret state. Our results hold in the memory leakage
model (of Akavia, Goldwasser, Vaikuntanathan ’08) adapted to the
distributed setting.
Additional contributions of our work are the tools we introduce to
achieve the collective coin toss: a procedure for disjoint committee election,
and leakage-resilient verifiable secret sharing.National Defense Science and Engineering Graduate FellowshipNational Science Foundation (U.S.) (CCF-1018064
Classical Cryptographic Protocols in a Quantum World
Cryptographic protocols, such as protocols for secure function evaluation
(SFE), have played a crucial role in the development of modern cryptography.
The extensive theory of these protocols, however, deals almost exclusively with
classical attackers. If we accept that quantum information processing is the
most realistic model of physically feasible computation, then we must ask: what
classical protocols remain secure against quantum attackers?
Our main contribution is showing the existence of classical two-party
protocols for the secure evaluation of any polynomial-time function under
reasonable computational assumptions (for example, it suffices that the
learning with errors problem be hard for quantum polynomial time). Our result
shows that the basic two-party feasibility picture from classical cryptography
remains unchanged in a quantum world.Comment: Full version of an old paper in Crypto'11. Invited to IJQI. This is
authors' copy with different formattin
- …