Applications of Blockchains - III

Slides:



Advertisements
Similar presentations
Dov Gordon & Jonathan Katz University of Maryland.
Advertisements

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
8. Data Integrity Techniques
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.
Cryptography, Authentication and Digital Signatures
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Cryptography Lecture 9 Stefan Dziembowski
Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond
Rational Cryptography Some Recent Results Jonathan Katz University of Maryland.
How to Use Bitcoin to Design Fair Protocols Ranjit Kumaresan (MIT) Joint work with Iddo Bentov (Technion), Tal Moran (IDC Herzliya)
Witness Encryption and Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry IBM Allison Lewko Columbia Amit.
Attribute-Based Encryption With Verifiable Outsourced Decryption.
Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.
Topic 36: Zero-Knowledge Proofs
Searchable Encryption in Cloud
Cryptography CS 555 Topic 34: SSL/TLS.
Lower Bounds on Assumptions behind Indistinguishability Obfuscation
Adaptively Secure Multi-Party Computation from LWE (via Equivocal FHE)
Security Outline Encryption Algorithms Authentication Protocols
On the Size of Pairing-based Non-interactive Arguments
Certificateless signature revisited
TCC 2016-B Composable Security in the Tamper-Proof Hardware Model under Minimal Complexity Carmit Hazay Bar-Ilan University, Israel Antigoni Ourania.
Authenticated encryption
Group theory exercise.
Modern symmetric-key Encryption
Secret Sharing (or, more accurately, “Secret Splitting”)
Digital signatures.
Digital Signature Schemes and the Random Oracle Model
Coin Flipping Protocol
Course Business I am traveling April 25-May 3rd
Cryptography Lecture 26.
B504/I538: Introduction to Cryptography
Cryptography Lecture 4.
CMSC 414 Computer and Network Security Lecture 3
Cryptography for Quantum Computers
Key Management Network Systems Security
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Cryptography Lecture 4.
Cryptography Lecture 5.
Cryptography Lecture 11.
Fast Secure Computation for Small Population over the Internet
Blockchains and Auditing
Helen: Maliciously Secure Coopetitive Learning for Linear Models
Cryptography Lecture 3.
Cryptography Lecture 22.
Cryptography Lecture 11.
Oblivious Transfer.
Operating Systems Concepts
Cryptography Lecture 24.
Cryptography Lecture 23.
Cryptography Lecture 26.
Secret Sharing CPS Computer Security Nisarg Raval Sep 24, 2014
Presentation transcript:

Applications of Blockchains - III Lecture 15 Applications of Blockchains - III

Fair Multiparty Computation from Public Bulletin Boards Arka Rai Choudhuri - Matthew Green - Abhishek Jain - Gabriel Kaptchuk - Ian Miers ACM CCS’17

Multi-Party Computation

Multi-Party Computation

Multi-Party Computation

Multi-Party Computation Malicious Security without abort Imagine the auction scenario – the is a monetary value to the adversary to aborting early and re-running

Fair Multi-Party Computation

Fair Multi-Party Computation

Attempts to Achieve Fairness General Fairness is impossible without an honest majority [Cleve 86] Gradual Release Mechanisms [BeaGol89, BonNao00, GarJak02] Restricted Class of functions [GHKL08,…] Fairness with Penalties [BenKum14, ADMM14] Δ-T fairness with Trusted Hardware [PST16] Restricted class is the class without XOR

Public Bulletin Boards

Public Bulletin Boards Public: Messages are visible to all parties Available: Messages are permanently available (cannot be modified or deleted) Unforgeable: No adversary can produce a “valid looking” state of the bulletin board which is different from the real state. (Can think of the bulletin board providing an unforgeable signature for every post)

Why Bulletin Boards? Existing technologies can be used as bulletin boards I. Proof-of-Stake based Blockchains II. Google Certificate Transparency Blockchain records are public and available. Proof-of-stake based blockchains satisfy unforgeability [Goyal-Goyal’17] Can be used as an append-only public log Certificates present in the log can be verified by root signature. Add “CT”

x1 x2

x1 x2 How to Decrypt?

Want: Fair Decryption Either both the parties should be able to decrypt, or no one Put differently, either both parties can learn decryption key or no one can Idea: Decryption key: = (a release token RT, and bulletin board’s signature on RT) But standard encryption schemes do not have such special keys! Add “CT”

Want: “Conditional Decryption” Want: Ciphertexts that can only be decrypted if a certain action was implemented Put differently, decryption should only be possible if a statement is true Problem: Regular encryption/decryption keys are random strings (without such structure)

Witness Encryption [Garg-Gentry-Sahai-Waters’13] CITATION [BCP14]

Witness Encryption [Garg-Gentry-Sahai-Waters’13] Security: If x is “false”, then Enc(m,x) is indistinguishable from Enc(m,x’)

Extractable Witness Encryption [Goldwasser-Kalai-Popa-Vaikuntanathan-Zeldovich’13] (Informal) Security: Enc(m,x) is indistinguishable from Enc(m,x’) even for “true” x if no PPT adversary can find a witness for x

(Extractable) Witness Encryption Candidate constructions known [Garg-Gentry-Sahai- Waters’13, Gentry-Lewko-Waters’14] Open problem: Constructing WE from standard crytpographic assumptions Add “CT”

Back to Fair MPC Idea: Let’s use Witness Encryption (WE) to encrypt the output After the initial (unfair) MPC, anyone can post a release token RT to the bulletin board. Then RT, together with signature of the bulletin board can be a “witness” for decryption Let’s suppose that RT is a public value Add “CT”

(RT, sig) x2 x1 x3 RT x4 = WE(y, x := RT was posted on bulletin board)

Problem What if adversary aborts in the initial unfair MPC so that only it learns the WE ciphertext (but not the honest parties) Now, even if adversary posts RT on bulletin board, the honest parties get the witness but not the WE ciphertext! Add “CT”

Solution Use a private release token RT Consider two party case (for simplicity): RT := (RT1, RT2) where RT1 is chosen by P1 and RT2 is chosen by P2 After initial MPC, parties exchange RT1 and RT2 with each other Now, if adversary aborts in the initial MPC, RT exchange phase will not happen, so adversary cannot learn the output If adversary aborts in the RT exchange phase, that’s ok. In order to recover output, it must post RT on bulletin board, which makes it public. Add “CT”

Security Think: Can we base security on Witness Encryption? Problem: Statement is always true (signatures on RT “exist”, just finding them without posting RT on bulletin board is “hard”) Therefore, need Extractable Witness Encryption for security (can be avoided in some special cases) Add “CT”

A more efficient solution Emulate Witness encryption using Trusted Hardware, e.g., Intel SGX In this case, an efficient solution can be obtained if we start from an efficient (unfair) MPC

Trusted Hardware?!? But Gabe, if you are using Trusted Hardware, isn’t all of this trivial? Trusted Hardware solves all security problems!

Trusted Hardware alone cannot guarantee fairness [Pass-Shi-Tramer’17]

Open Questions Can we base security on regular witness encryption? Can we base security on standard assumptions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.