How to Use Bitcoin to Design Fair Protocols Iddo Bentov (Technion) Ranjit Kumaresan (Technion) ePrint 2014/129

x f (x,y) y Secure Computation Most general problem in cryptography Feasibility results [Yao86,GMW87,…] Moving fast from theory to practice

Secure Computation Privacy Correctness Input independence Fairness Ideally… x y f (x,y) Best Possible Security x f (x,y) y ≈ Protocol for secure computation emulates a trusted party

Fairness in Secure Computation 2-party fair coin tossing impossible [Cle86] Fair secure computation possible only in restricted settings – For restricted class of functions [GHKL08,Ash14] – If majority of parties are honest [BGW88,RB89] f (x,y)

Fair Exchange [Rab81,BGMR85,ASW97,ASW98,BN00,….] Contract signing: Two parties want to sign a contract Neither wants to commit first – The other signer could be malicious… E.g., contract signing, digital media Special case of secure computation – Authenticity & fairness

Fair Exchange [Rab81,BGMR85,ASW97,ASW98,BN00,….] Fair exchange is impossible [Cle86,PG99,BN00]

Workarounds I Gradual release mechanisms [BG89,GL91,BN00,GJ02,GP03,Pin03,GMPY06,…] Partial fairness [MNS09,GK10,BOO10,BLOO11 ] Control adversary’s advantage in learning the output first Requires lots of rounds

Workarounds II Optimistic model [Rab81,BGMR85,ASW97,GJM99,Mic03,DR04,KL10…] – Trusted arbiter restores fairness – Contacted only when required Requires trusting a third party Potentially need to pay “subscription fee” to arbiter Requires trusting a third party Potentially need to pay “subscription fee” to arbiter f (x,y) Bad guys get away with cheating

Workarounds III Penalty model [ASW00,MS01,CLM07,Lin08,KL10] – Deviating party pays monetary penalty to honest party Bad guys get away with cheating lose money! “Secure computation with penalties”

Penalty Model “Legally enforceable fairness” [Lin08] – Requires central trusted bank “Usable optimistic exchange” [ASW00,MS01,CLM07,KL10] – Requires trusted arbiter (+ e-cash)

Bitcoin [Nak08] Decentralized digital currency – Essentially implements a bank – Provides some level of anonymity (Relatively) widely adopted Lots of recent research activity “Securely” implements a bank Defn.1: A cryptosystem is secure if my bank uses it and I’m not losing money

Bitcoin [Nak08] Wide variety of transactions – Expressive via Bitcoin “scripts” Wide range of applications – E.g.: Lottery, gambling, auctions,… – Currently done using a “trusted” party Can we use secure computation to replace the trusted party? “Fairness” issues Can we use secure computation to replace the trusted party? “Fairness” issues

Secure computation with penalties Secure lottery with penalties Can Bitcoin replace a trusted bank/arbiter? Can secure computation replace a trusted third party? x f (x,y) y

This Work Formal framework capturing financial transactions Formal specification of ideal functionalities – “Claim-or-refund” transaction functionality F CR – Secure computation with penalties – Secure lottery with penalties Efficient multiparty protocols in F CR hybrid model – Linear number of calls to F CR – Linear rounds

Related Work Bitcoin lottery in the penalty model – 2-party [BB13] – Multiparty [ADMM13a] Secure computation in the penalty model using Bitcoin – 2-party [ADMM13b] (Concurrent work) Somewhat ad-hoc construction/analysis Security not proven using the simulation paradigm No multiparty secure computation in the penalty model Multiparty lottery [ADMM13a] requires quadratic number of Bitcoin transactions Somewhat ad-hoc construction/analysis Security not proven using the simulation paradigm No multiparty secure computation in the penalty model Multiparty lottery [ADMM13a] requires quadratic number of Bitcoin transactions

This Work Formal framework capturing financial transactions Formal specification of ideal functionalities – “Claim-or-refund” transaction functionality F CR – Secure computation with penalties – Secure lottery with penalties Efficient multiparty protocols in F CR hybrid model – Linear number of calls to F CR – Linear rounds

Simulation Paradigm ≈ x f (x,y) y x y REALIDEAL   REALIDEAL ≈ R.V.s describing joint dist. of VIEW of adversary and output of honest parties [GL90,Bea91,MR91,Can95,Can01,Gol04] Security as emulation of a REAL execution in the IDEAL model

≈ HYBRIDHYBRID Modular Design & Sequential Composition [Can00,Can01] ≈ ≈ REAL IDEAL

REALIDEAL ≈ Universal Composition Interactive distinguisher Concurrent executions Interactive distinguisher Concurrent executions No notion of ‘coins’ [PSW00,PW00,PW01,Can01] Environment

Defining Coins Atomic entities Indistinguishable from one another (Unique) owner possesses given coin Ownership changes upon transfer Notation: coins(x) – coins(x) + coins(y) = coins(x + y) – coins(x) - coins(y) = coins(x - y) A Minimal Notion

Security with Coins Wallets & Safes – Used by parties to store coins – Safes store coins in current use Environment has power to create new coins – Can add/subtract coins from both honest & corrupt parties’ wallets during protocol – Does not have access to honest parties’ safes Adversary does not have power to create new coins – But has full access to corrupt parties’ wallets & safes VIEWs of environment/adversary include distribution of coins

≈ REALIDEAL Standard Security Definitions

REALIDEAL ≈ Security with Coins

HYBRIDHYBRID ≈ IDEAL Transaction functionality “Straightline” simulation in hybrid model – No rewinding wrt coins or crypto primitives Unfair ideal Fair ideal

This Work Formal framework capturing financial transactions Formal specification of ideal functionalities – “Claim-or-refund” transaction functionality F CR – Secure computation with penalties – Secure lottery with penalties Efficient multiparty protocols in F CR hybrid model – Linear number of calls to F CR – Linear rounds

Claim-or-Refund Functionality Accepts from “sender” – Deposit: coins(x) – Time bound:  – Circuit:  Designated “receiver” can claim this deposit – Produce witness T that satisfies  – Within time  If claimed, then witness revealed to ALL parties Else coins(x) returned to sender T ,  F CR Efficient realization via Bitcoin Bitcoin scripts & timelocks Efficient realization via Bitcoin Bitcoin scripts & timelocks Allows realization in & across different models Implicit in [BB13,Max13]

Secure Computation with Penalties Honest parties submit – Inputs – Deposit: coins(d) Ideal adversary submits – Inputs of corrupt parties – Penalty deposit: coins(x) Functionality F f* does: – Return coins(d) to each honest party – Deliver output to S iff x = hq where h = #honest parties If S returns abort, send coins(q) to each honest party If S returns continue, send output to each honest party and return coins(x) to S – If x != hq, then send output to all parties F f* q = penalty amount

Secure Lottery with Penalties Honest parties submit – Deposit: coins(d) Ideal adversary submits – Deposit: coins(x+ tq/n) Functionality F lot* does: – Pick lottery winner r* at random from {1,…,n} – Return coins(d-q/n) to each honest party – Send r* to S iff x = hq where h = #honest parties If S returns abort, then – Send coins(q+q/n) to each honest party – Return coins(tq/n) to S – If S returns continue or if x != hq, then send r* to each honest party and return coins(x) to S Send coins(q) to P r* F lot* n = number of parties q = penalty amount & lottery pot

This Work Formal framework capturing financial transactions Formal specification of ideal functionalities – “Claim-or-refund” transaction functionality F CR – Secure computation with penalties – Secure lottery with penalties Efficient multiparty protocols in F CR hybrid model – Linear number of calls to F CR – Linear rounds

Strategy Hybrid model with functionality f ’ – Computes output of f, say z – Secret share z into n additive shares sh 1,…,sh n – Computes commitments on shares c i = com(sh i ; w i ) for every i – Delivers output: ({c 1,…,c n }, T i = (sh i, w i )) to party P i F f ’ For straightline simulation use “honest-binding equivocal commitments” [GKKZ11] Realizable using OWF [Nao91], DDH [Ped91] For straightline simulation use “honest-binding equivocal commitments” [GKKZ11] Realizable using OWF [Nao91], DDH [Ped91] Reduce fair secure computation to fair reconstruction Use strategy for both MPC & lottery

Two Party Fair Reconstruction “Abort” Attack P 2 aborts without making its deposit but claims P 1 ’s deposit Honest P 1 loses money (although it learns output) “Abort” Attack P 2 aborts without making its deposit but claims P 1 ’s deposit Honest P 1 loses money (although it learns output) denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated

Two Party Fair Reconstruction Deposits made top to bottom Claims made in reverse direction If P 1 claims the 2 nd deposit, then P 2 can always claim the 1 st Deposits made top to bottom Claims made in reverse direction If P 1 claims the 2 nd deposit, then P 2 can always claim the 1 st denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated

Three Party Fair Reconstruction Malicious Coalitions Coalition of P 1 and P 2 obtain T 3 from P 3 Then P 2 does not claim 1 st transaction P 1, P 2 learn output but P 3 is not compensated Malicious Coalitions Coalition of P 1 and P 2 obtain T 3 from P 3 Then P 2 does not claim 1 st transaction P 1, P 2 learn output but P 3 is not compensated denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated

Three Party Fair Reconstruction P 2 claims twice the penalty amount Sufficient to deal with malicious coalition of P 1, P 3 P 2 claims twice the penalty amount Sufficient to deal with malicious coalition of P 1, P 3 denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated Secure computation with penalties Honest parties never have to lose coins If a party aborts after learning the output then every honest party is compensated

Multiparty “Ladder” Protocol Ladder Roof Order of deposits/claims Roof deposits made simultaneously Ladder deposits made one after the other Ladder claims in reverse Roof claims at the end High-level Intuition At the end of ladder claims, all parties except P n have “evened out” If P n does not make roof claims then honest parties get coins(q) via roof refunds Else P n “evens out”

“Ladder” Protocol for Lottery Ladder Roof Ridge Order of deposits/claims Ridge & Roof deposits made simultaneously Ladder deposits made one after the other Ladder claims in reverse Ridge & Roof claims at the end

“Ladder” Protocol for Lottery Ladder Roof Ridge High-level Idea After ladder claims: P n has paid all other parties coins(q) to learn lottery outcome After roof claims: P n pays coins(q) to lottery winner After ridge claims: P n receives coins(q/n) from each party

Future Directions Fully rigorous framework for capturing financial transactions – Is our minimal model the right model? – Prove a composition theorem? Better understanding of functionalities offered by Bitcoin – Abstraction of other interesting Bitcoin transactions More applications – Anonymous lotteries – Penalizing any protocol deviation (suggested by Yuval Ishai)

Killer App for MPC?

Thank You!

The research leading to these results has received funding from the European Union's Seventh Framework Programme (FP7/ ) under grant agreement no – ERC – Cryptography and Complexity

Ladder Protocols