Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.

Presentation transcript:

Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation

Secure Multiparty Computation
• A set of parties with private inputs wish to compute some joint function of their inputs
• Parties wish to preserve some security properties, e.g., privacy and correctness
  » Example: secure election protocol
• Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party

Security Requirements
• Privacy
  » Parties can learn their designated output and nothing more
    - My private vote in an election is not revealed
• Correctness
  » The correct function is computed
    - The candidate with the majority vote is elected
• Independence of inputs
  » Parties cannot make their inputs depend on others
• Fairness
  » If one party receives output, then all receive output

Fairness
• Cleve (1986) showed that it is impossible for two parties to fairly toss a coin
  » Can be extended to other functionalities as well
• Intuition behind proof
  » Assume that can compute fairly with m rounds
  » Consider an adversary that doesn’t send its last message
  » By the requirement of fairness, the other party still receives output
    - Thus, this last message is not needed and the protocol can be made m–1 rounds

Impossibility of Fairness (continued)
• By induction, all messages can be removed, and so we are left with an empty protocol
• But only trivial functions can be computed without interaction!
• Conclusion: fairness cannot be achieved
• Warning
  » This intuition is not exact, and the real situation is more involved

Fairness – Alternatives
• Gradual release [BG,GL]
  » The output is released slowly, so that no party has too much advantage in guessing it
• Optimistic computation [M,ASW,CC]
  » An online trusted party is assumed to be in place
  » If no one cheats, the trusted party is not needed
  » If fairness is breached by cheating, the trusted party is invoked to help restore fairness

A New Approach
• Similar to the optimistic model, but use existing legal and financial infrastructure
• Assume that digital signature law is in place and recognized
  » Digitally-signed cheques are enforced

Concurrent Signatures – Prior Work
• Problem of fair exchange of signatures
• Fundamental observation by Chen, Kudla and Paterson
  » A signature can only be enforced by revealing it (e.g., in a court)
• Their idea
  » First, one party receives only a keystone (useless by itself)
  » Then, the other party receives the full signature it is supposed to
  » Given the keystone and the other signature, the first party can derive its full signature
• Construction under specific assumptions and using a random oracle

Achieving Concurrent Signatures
• To motivate our method, we show how to achieve concurrent signatures
  » With general assumptions and no random oracle
• Requirement:
  » P1 should receive a signature on m1, denoted  1 = Sign(m1).
  » P2 should receive a signature on m2, denoted  2 = Sign(m2).
• The protocol:
  » The parties use a secure two-party computation protocol
    - First, P1 receives  1 = Sign(m1,  2)
    - Then, P2 receives  2 = Sign(m2)

Achieving Concurrent Signatures
• Reminder
  » P1 receives  1 = Sign(m1,  2)
  » P2 receives  2 = Sign(m2)
• If P1 aborts after receiving  1, then P2 may not receive its signature  2
  » In order to enforce  1, P1 has to present it (e.g., to a court)
  » But, this reveals  2, restoring fairness
• Remark
  » This is not perfect, but it is very good...

Secure Two-Party Protocol – Background
• Requirement:
  » P1 and P2 have inputs x and y
  » P1 and P2 should receive f(x,y), for some function f
• Notation
  » A cheque from P1 to P2 is a digitally signed message:
    - Stating who the recipient is
    - Stating how much money should be transferred
    - Containing an additional field for arbitrary text

Our Protocol for Secure 2-Party Computation
• Phase 1: The parties use a secure two-party computation protocol:
  » P1 receives a signed cheque chq1 for $10,000 from P2
    - This cheque contains another cheque chq2 for $10,000 for P2 from P1
    - The cheque chq2 is encrypted so that only P2 can decrypt
    - The cheque chq2 contains the output value f(x,y)
• Phase 2
  » P1 sends the encrypted chq2 to P2
  » P2 decrypts, obtains f(x,y) and sends it back to P1

Our Protocol for Secure 2-Party Computation
[Diagram: Party P1 holds x and Party P2 holds y. Secure computation subprotocol: P1 receives chq1, which contains the encrypted counter-cheque chq2 for P2 (with output). P1 sends chq2 to P2. P2 decrypts and obtains f(x,y), then sends f(x,y) to P1. Output: f(x,y).]

Early Aborting
• If either party aborts before the end of phase 1
  » No one learns anything and so fairness is preserved
• If P1 aborts after receiving chq1
  » It hasn’t learned the output and so fairness is preserved
  » If it tries to cash chq1, P2 will obtain chq2 and will counter it (so P2 won’t lose money)

Early Aborting
• If P2 aborts after receiving chq2
  » P2 has learned f(x,y) and P1 hasn’t, so fairness is breached
  » But P1 has a cheque from P2 and so can force P2 to either present f(x,y) or pay!
• Conclusion:
  » P2 can breach fairness, but only by paying the cheque
    - Setting the sum high enough makes this unlikely
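The two-phase cheque protocol and its abort cases, as an added Python sketch that is not part of the original slides. Assumptions: `phase1` is an ideal stand-in for the secure computation subprotocol, toy RSA over small Mersenne primes stands in for legally recognized digital signatures, a hash-derived XOR stream stands in for encryption to P2, and `settle` models the bank or court; all function and field names are hypothetical.

```python
import hashlib, json

E = 65537
def keygen(p, q):  # toy RSA key from two Mersenne primes: illustration only, far too small for use
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    n, d = key
    return pow(_h(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == _h(msg, n)

def xor_stream(data, k):  # stand-in for "encrypted so that only P2 can decrypt"
    pad = b"".join(hashlib.sha256(k + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

K1, K2 = keygen(2**61 - 1, 2**127 - 1), keygen(2**89 - 1, 2**107 - 1)  # (n, d) for P1, P2
ENC_K2 = b"constructed key held only by P2"

def phase1(f, x, y, amount=10_000):
    """Ideal stand-in for the secure computation subprotocol: P1's only output is chq1."""
    body2 = json.dumps({"to": "P2", "amount": amount, "text": f(x, y)})
    chq2 = json.dumps({"body": body2, "sig": sign(body2.encode(), K1)}).encode()
    body1 = json.dumps({"to": "P1", "amount": amount,
                        "text": xor_stream(chq2, ENC_K2).hex()}).encode()
    return {"body": body1, "sig": sign(body1, K2)}

def open_chq2(enc_hex):
    """P2's side (phase 2 or in court): decrypt chq2 and check P1's signature on it."""
    chq2 = json.loads(xor_stream(bytes.fromhex(enc_hex), ENC_K2))
    if not verify(chq2["body"].encode(), chq2["sig"], K1[0]):
        raise ValueError("chq2 not signed by P1")
    return json.loads(chq2["body"])

def settle(chq1, p2_counters=True):
    """P1 cashes chq1. Returns (net payment P2 -> P1, output made public by the counter-cheque)."""
    if not verify(chq1["body"], chq1["sig"], K2[0]):
        raise ValueError("chq1 not signed by P2")
    c1 = json.loads(chq1["body"])
    if not p2_counters:                      # P2 keeps f(x,y) secret and pays instead
        return c1["amount"], None
    c2 = open_chq2(c1["text"])               # countering with chq2 reveals f(x,y)
    return c1["amount"] - c2["amount"], c2["text"]
```

Calling `settle(chq1)` covers both cases in which a cheque is cashed and countered: the payments cancel and f(x,y) becomes known, while `p2_counters=False` is the branch where P2 breaches fairness and pays the full sum.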

A Comparison to the Optimistic Model
• Optimistic model
  » Guarantees fairness always
  » Fairness is obtained immediately
  » Requires “special” infrastructure and trust
• Our solution
  » Uses existing infrastructure in society (that is trusted)
  » Fairness is not immediate (need to wait for courts, bank…)
  » Adversary can choose to breach fairness for a high enough price

Summary
• We introduced a different approach to fairness
• Future challenges
  » Construct efficient protocols according to our approach
  » Make the world a fairer place
    - Although this may be out of the scope of this work

Legal Notice
© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved. Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents other patents pending. You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin. Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.