
    BOREALIS: Building Block for Sealed Bid Auctions on Blockchains

    We focus on securely computing the ranks of sealed integers distributed among $n$ parties. For example, we securely compute the largest or smallest integer, the median, or in general the $k^{th}$-ranked integer. Such computations are a useful building block for securely implementing a variety of sealed-bid auctions. Our objective is efficiency, specifically low interactivity between parties, to support blockchains or other scenarios where multiple rounds are time-consuming. Hence, we dismiss powerful yet highly interactive MPC frameworks and propose BOREALIS, a special-purpose protocol for secure computation of ranks among integers. BOREALIS uses additively homomorphic encryption to implement the core comparisons, but computes under distinct keys, chosen by each party, to optimize the number of rounds. By carefully combining cryptographic primitives such as ECC ElGamal encryption, encrypted comparisons, ciphertext blinding, secret sharing, and shuffling, BOREALIS sets up systems of multi-scalar equations which we efficiently prove with Groth-Sahai ZK proofs. Thereby, BOREALIS implements a multi-party computation of pairwise comparisons and rank zero-knowledge proofs secure against malicious adversaries. BOREALIS completes in at most 4 rounds, which is constant in both the bit length $\ell$ of the integers and the number of parties $n$. This is not only asymptotically optimal, but surpasses generic constant-round secure multi-party computation protocols, even those based on shared-key fully homomorphic encryption. Furthermore, our implementation shows that BOREALIS is very practical. Its main bottleneck, ZK proof computation, is small in practice. Even for a large number of parties ($n=200$) and high-precision integers ($\ell=32$), the computation time of all proofs is less than a single Bitcoin block interval.

    A Method for Securely Comparing Integers using Binary Trees

    In this paper, we propose a new protocol for secure integer comparison between two parties, each holding a private integer. The goal of the computation is to compare both integers securely and reveal to the parties a single bit that tells which integer is larger; nothing more should be revealed. To achieve a low communication overhead, this can be done using homomorphic encryption (HE). Our protocol relies on binary decision trees, a special case of branching programs, which can be evaluated using HE. We assume a client-server setting where each party holds one of the integers, the client also holds the private key of a homomorphic encryption scheme, and the evaluation is done by the server. In this setting, our protocol outperforms the original DGK protocol of Damgård et al. and reduces the running time by at least 45%. In the case where both inputs are encrypted, our scheme reduces the running time of a variant of DGK by 63%.
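The baseline the abstract measures itself against, the DGK comparison, is worth seeing end to end in the same client-server setting: the client encrypts the bits of its integer, the server folds its own integer in under the homomorphism, blinds and shuffles the result, and the client learns exactly one bit. The following is an added example, not code from the paper or from Damgård et al.; it runs the DGK bit-comparison logic over a toy Paillier instance (rather than the DGK cryptosystem) so it needs only the Python standard library. The primes, key and inputs are constructed for the demo, and the parties are assumed honest-but-curious.

```python
"""DGK-style two-party secure integer comparison over a toy Paillier instance.

Added example: the classic DGK bitwise comparison in a client-server setting,
run on Paillier instead of the DGK cryptosystem. Key parameters are small
primes constructed for the demo; real keys use 2048-bit or larger moduli.
"""
import random
from math import gcd

# --- Toy Paillier (constructed key) ------------------------------------------
P, Q = 1000003, 1000033               # two primes chosen for the demo only
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                  # with g = N+1, L(g^lambda mod N^2) = lambda


def encrypt(m):
    """E(m) = (1+N)^m * r^N mod N^2 with fresh randomness r coprime to N."""
    while True:
        r = random.randrange(2, N)
        if gcd(r, N) == 1:
            break
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """m = L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    u = pow(c, LAM, N2)
    return (u - 1) // N * MU % N


def h_add(c1, c2):
    return c1 * c2 % N2                # E(a) * E(b) = E(a + b)


def h_scale(c, k):
    return pow(c, k % N, N2)           # E(a)^k = E(k * a)


def h_sub(c1, c2):
    return h_add(c1, h_scale(c2, N - 1))   # E(a) * E(b)^(N-1) = E(a - b mod N)


# --- Client side: holds x and the Paillier secret key ------------------------
def client_encrypt_bits(x, nbits):
    """Encrypt each bit of x separately, most significant bit first."""
    return [encrypt((x >> i) & 1) for i in range(nbits - 1, -1, -1)]


def client_decide(blinded):
    """x < y holds iff at least one returned value decrypts to zero."""
    return any(decrypt(c) == 0 for c in blinded)


# --- Server side: holds y in the clear, sees only ciphertexts of x -----------
def server_compare(enc_x_bits, y):
    """For every bit position i (MSB first) compute, under encryption,
        c_i = 1 + x_i - y_i + 3 * sum_{j more significant than i} (x_j xor y_j),
    which is zero exactly when x_i = 0, y_i = 1 and all higher bits agree,
    i.e. when x < y is decided at position i. Each c_i is multiplicatively
    blinded (zero stays zero, anything else becomes a random residue) and the
    list is shuffled, so the client learns only whether a zero exists."""
    nbits = len(enc_x_bits)
    y_bits = [(y >> i) & 1 for i in range(nbits - 1, -1, -1)]
    enc_one = encrypt(1)
    enc_xor_prefix = encrypt(0)        # E(sum of x_j xor y_j over higher bits)
    out = []
    for ex, yb in zip(enc_x_bits, y_bits):
        c = h_add(enc_one, ex)                     # E(1 + x_i)
        if yb:
            c = h_sub(c, enc_one)                  # E(1 + x_i - y_i)
        c = h_add(c, h_scale(enc_xor_prefix, 3))   # + 3 * prefix sum
        while True:                                # blinding factor coprime to N
            r = random.randrange(1, N)
            if gcd(r, N) == 1:
                break
        out.append(h_add(h_scale(c, r), encrypt(0)))   # blind and re-randomise
        # x_j xor y_j is linear in x_j once y_j is known: x_j if y_j = 0, else 1 - x_j
        enc_xor = ex if yb == 0 else h_sub(enc_one, ex)
        enc_xor_prefix = h_add(enc_xor_prefix, enc_xor)
    random.shuffle(out)                # hide which position produced the zero
    return out


def secure_less_than(x, y, nbits=16):
    """Run the full exchange locally: client -> server -> client."""
    return client_decide(server_compare(client_encrypt_bits(x, nbits), y))


if __name__ == "__main__":
    for x, y in [(5, 9), (9, 5), (7, 7)]:
        print(x, "<", y, "->", secure_less_than(x, y, nbits=8))
```

The factor 3 on the prefix sum is what keeps every position with a differing higher bit strictly positive, so only the decisive position can produce a zero; the blinding factor must be coprime to the modulus or a non-zero value could be mapped to zero and flip the answer. Two round trips of `nbits` ciphertexts each is the communication cost the abstract's tree-based protocol sets out to beat.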

    Practically Efficient Secure Computation of Rank-based Statistics Over Distributed Datasets

    In this paper, we propose a practically efficient model for securely computing rank-based statistics, e.g., median, percentiles and quartiles, over distributed datasets in the malicious setting without leaking individual data privacy. Based on the binary search technique of Aggarwal et al. (EUROCRYPT '04), we present an interactive protocol and a non-interactive protocol, involving at most $\log \|R\|$ rounds, where $\|R\|$ is the range size of the dataset elements. In addition, we introduce a series of optimisation techniques to reduce the round complexity. Our computing model is modular and can be instantiated with either homomorphic encryption or secret-sharing schemes. Compared to the state-of-the-art solutions, it provides stronger security and privacy while maintaining high efficiency and accuracy. Unlike differential-privacy-based solutions, it does not suffer from a trade-off between accuracy and privacy. On the other hand, it only involves $O(N \log \|R\|)$ time complexity, which is far more efficient than bitwise-comparison-based solutions with $O(N^2 \log \|R\|)$ time complexity, where $N$ is the dataset size. Finally, we provide a UC-secure instantiation with the threshold Paillier cryptosystem and $\Sigma$-protocol zero-knowledge proofs of knowledge.
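The round structure behind the $\log \|R\|$ bound is a binary search on the value range in which every halving costs one secure aggregation: each party counts its own elements below the midpoint, the counts are summed without being revealed, and the total decides which half the $k$-th element lies in. The following is an added example, not the paper's protocol: it simulates that search with additive secret sharing over a prime field as the secure sum, and generalises the abstract's list (median, percentiles) into one `kth_ranked` routine. The field, the sample datasets and the honest-but-curious party model are assumptions of the demo; the malicious-security machinery the paper describes is not reproduced here.

```python
"""k-th ranked element over distributed datasets: binary search on the value
range with one secure sum of per-party counts per round.

Added example, not the paper's protocol. The secure sum is simulated with
additive secret sharing over a prime field; field size, sample data and the
honest-but-curious model are constructed assumptions for the demo.
"""
import math
import random

FIELD = (1 << 61) - 1      # prime modulus for additive sharing (constructed choice)


def share(value, n):
    """Split value into n additive shares mod FIELD; any n-1 of them look uniform."""
    shares = [random.randrange(FIELD) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % FIELD)
    return shares


def secure_sum(local_values):
    """One aggregation round. Party i splits its value into shares and sends the
    j-th share to party j; each party adds up what it received and publishes that
    partial sum. Only the grand total is ever reconstructed."""
    n = len(local_values)
    all_shares = [share(v, n) for v in local_values]       # all_shares[i][j] goes to party j
    partials = [sum(all_shares[i][j] for i in range(n)) % FIELD for j in range(n)]
    return sum(partials) % FIELD


def kth_ranked(datasets, k, lo, hi):
    """Return (value, rounds): the k-th smallest element (1-indexed) of the union
    of the parties' datasets, all of whose values lie in [lo, hi]."""
    rounds = 0
    while lo < hi:
        mid = (lo + hi) // 2
        # each party counts its own elements <= mid locally; the counts stay private
        counts = [sum(1 for v in d if v <= mid) for d in datasets]
        total_le = secure_sum(counts)   # the only value opened in this round
        rounds += 1
        if total_le >= k:
            hi = mid            # the k-th smallest is <= mid
        else:
            lo = mid + 1        # the k-th smallest is > mid
    return lo, rounds


def max_rounds(lo, hi):
    """Round bound from the abstract: ceil(log2 |R|) for a range of size |R|."""
    return math.ceil(math.log2(hi - lo + 1))


def median(datasets, lo, hi):
    """Lower median; the dataset size N is itself obtained by a secure sum."""
    n_total = secure_sum([len(d) for d in datasets])
    return kth_ranked(datasets, (n_total + 1) // 2, lo, hi)


def percentile(datasets, p, lo, hi):
    """p-th percentile (nearest-rank definition), 0 < p <= 100."""
    n_total = secure_sum([len(d) for d in datasets])
    return kth_ranked(datasets, max(1, math.ceil(p / 100 * n_total)), lo, hi)


# Constructed sample: three parties, byte-sized values, so |R| = 256 and 8 rounds
SAMPLE = [[3, 17, 9], [1, 22], [8, 5, 14]]

if __name__ == "__main__":
    value, rounds = median(SAMPLE, 0, 255)
    print("median", value, "after", rounds, "rounds (bound", max_rounds(0, 255), ")")
```

Note what this toy still opens: the aggregate count below each midpoint, once per round. Each party's own count never leaves it unshared, but the sequence of totals is a side channel on the union's distribution; a deployment that must hide even that compares the shared count against $k$ inside the computation and opens only the comparison bit.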

    Cicada: A framework for private non-interactive on-chain auctions and voting

    Auction and voting schemes play a crucial role in the Web3 ecosystem. Yet currently deployed implementations either do not offer bid/vote privacy or require at least two rounds, hindering usability and security. We introduce Cicada, a general framework for using linearly homomorphic time-lock puzzles (HTLPs) to enable provably secure, non-interactive private auction and voting protocols. We instantiate our framework with an efficient new HTLP construction and novel packing techniques that enable succinct ballot correctness proofs independent of the number of candidates. We demonstrate the practicality of our approach by implementing our protocols for the Ethereum Virtual Machine (EVM).

    Scaling blockchains: can committee-based consensus help?

    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3914471
    First author draf

    Study Of Nash Equilibria In Blockchain Voting Systems

    In the first part of this thesis we analyze the three most common blockchain committee selection strategies: lottery, single-vote and approval voting, where voters can "approve" of any number of candidates. We first show that all these mechanisms converge to optimality exponentially quickly as the size of the committee grows. Approval voting requires even honest voters to act strategically; we characterize different approval voting strategies and show that although finding the optimal approval voting strategy is extremely complex, almost any approval voting strategy outperforms the single-vote mechanism enforced on the majority of blockchains. In the second part, we investigate a blockchain governance model where a group of n voters must choose between two collective alternatives. As opposed to the usual voting system (one person, one vote), we propose a voting system where each agent buys votes in favor of their preferred alternative, paying the m-th root of the number of votes purchased. Its novelty lies in allowing voters to express the intensity of their preferences in a simple manner. We provide a rigorous comparison of the utilitarian welfare between Regular Voting (m = 1) and Quadratic Voting (m = 2). We present closed-form equilibrium solutions to the 2-voter and 3-voter games. In addition to characterizing the nature of equilibria, one of our main results shows that the normalized utilitarian welfare of the mechanisms tends to one as the population size becomes large.

    Security and privacy of incentive-driven mechanisms

    While cryptographic tools offer practical security and privacy supported by theory and formal proofs, there are often gaps between the theory and intricacies of the real world. This is especially apparent in the realm of game theoretic applications where protocol participants are motivated by incentives and preferences on the protocol outcome. These incentives can lead to additional requirements or unexpected attack vectors, making standard cryptographic concepts inapplicable. The goal of this thesis is to bridge some of the gaps between cryptography and incentive-driven mechanisms. The thesis will consist of three main research threads, each studying the privacy or security of a game-theoretic scenario in non-standard cryptographic frameworks in order to satisfy the scenario’s unique requirements. Our first scenario is preference aggregation, where we will analyze the privacy of voting rules while requiring the rules to be deterministic. Then, we will study games, and how to achieve collusion-freeness (and its composable version, collusion-preservation) in the decentralized setting. Finally, we explore the robustness of Nakamoto-style proof-of-work blockchains against 51% attacks when the main security assumption of honest majority fails. Most of the results in this thesis are also published in the following (in order): Ch. 3: [103], Ch. 4: [47], and Ch. 5: [104]. Our first focus is preference aggregation—in particular voting rules. Specifically, we answer the crucial question: How private is the voting rule we use and the voting information we release? This natural and seemingly simple question was sidestepped in previous works, where randomization was added to voting rules in order to achieve the widely-known notion of differential privacy (DP). Yet, randomness in an election can be undesirable, and may alter voter incentives and strategies. In this chapter of our thesis, we expand and improve upon previous works and study deterministic voting rules. 
In a similarly well-accepted framework of distributional differential privacy (DDP), we develop new techniques for analyzing and comparing the privacy of voting rules, leading to a new measure to contrast different rules in addition to the existing ones in the field of social choice. We learn the positive message that even vote tallies have very limited privacy leakage that decreases quickly in the number of votes, and the surprising fact that outputting the winner using different voting rules can result in asymptotically different privacy leakage. Having studied privacy in the context of parties with preferences and incentives, we turn our attention to the secure implementation of games. Specifically, we study the issue of collusion and how to avoid it. Collusion, or subliminal communication, can introduce undesirable coalitions in games that allow malicious parties, e.g. cheating poker players, a wider set of strategies. Standard cryptographic security is insufficient to address the issue, spurring a line of work that defined and constructed collusion-free (CF) protocols, or their composable version, collusion-preserving (CP) protocols. Unfortunately, they all required strong assumptions on the communication medium, such as physical presence of the parties, or a restrictive star-topology network with a trusted mediator in the center. In fact, CF is impossible without restricted communication, and CP is conjectured to always require a mediator. Thus, circumventing these impossibilities is necessary to truly implement games in a decentralized setting. Fortunately, in the rational setting, the attacker can also be assumed to have a utility. By ensuring collusion is only possible by sending incorrect, penalizable messages, and composing our protocol with a blockchain protocol as the source of the penalization, we prove our protocol CP against incentive-driven attackers in a framework of rational cryptography called rational protocol design (RPD).
Lastly, it is also useful to analyze the security of the blockchain and its associated cryptocurrencies (cryptographic transaction ledger protocols with embedded monetary value) using a rational cryptography framework like RPD. Our last chapter studies the incentives of attackers that perform 51% attacks by breaking the main security assumption of honest majority in proof-of-work (PoW) blockchains such as Bitcoin and Ethereum Classic. Previous works abstracted the blockchain protocol and the attacker's actions, analyzing 51% attacks via various techniques from economics or probability theory. This leaves open the question of analyzing this attack in a model closer to standard cryptographic analyses. We answer this question by working in the RPD framework. Improving upon previous analyses that considered only mining rewards, we construct utility functions that model the incentives of 51% attackers. Under the RPD framework, we are able to determine when an attacker is incentivized to attack a given instantiation of the blockchain protocol. More importantly, we can make general statements that indicate changes to protocol parameters to make it secure against all rational attackers under these incentives.

    Improving Reproducibility in Smart Contract Research

    The most popular smart contract-based blockchain platform at the moment is Ethereum. Based on market value, it is the second-largest blockchain platform behind Bitcoin, with a steadily increasing market share. Ethereum smart contracts are used to secure billions of dollars worth of assets. Because smart contracts cannot be modified after deployment, their source code must be examined for any flaws that could result in significant financial losses and damage trust. A wide range of tools have been developed for this goal, and extensive literature on vulnerabilities and detection techniques keeps emerging. The analysis, testing, and debugging of smart contracts through automated processes have also been the subject of extensive research. Researchers have worked on the development of tools that can automatically detect and fix vulnerabilities in smart contracts, especially tools that rely on less explored methodologies, such as machine learning. We provide details on our work on SlitherSimil, a statistical addition to a static analyzer, as a data-driven endeavor to complement the existing security analysis methods for smart contracts. SlitherSimil allows developers and auditors to check the similarity between source code snippets of smart contracts written in Solidity, and allows users to check smart contracts against a database of vulnerable smart contracts through the same similarity-checking mechanism, in order to facilitate the discovery of security vulnerabilities. However, such automated analysis tools typically need datasets for their training, testing, and validation phases, and collecting such data for smart contracts is time-consuming. Moreover, it is difficult and time-consuming to replicate the findings of the majority of prior empirical studies, or to contrast one's findings with those of others who have researched these topics.
Research studies offer datasets that frequently come in the form of sparse datasets with minimal to no usage guidance. Due to the fast-paced nature of the Ethereum ecosystem, the available datasets are often quickly outdated. These are significant barriers to performing verifiable, reproducible research, as it takes a substantial amount of time to accomplish subtasks such as locating, extracting, cleaning, and categorizing a reasonable amount of high-quality, heterogeneous smart contract data. To address this issue, we introduce EtherBase, an extensible, queryable, and user-friendly database of smart contracts and their metrics that improves reproducibility and benchmarking in smart contract research.