How to Use Bitcoin to Design Fair Protocols Ranjit Kumaresan (MIT) Joint work with Iddo Bentov (Technion), Tal Moran (IDC Herzliya)


Fair Exchange [Rab81,BGMR85,ASW97,ASW98,BN00,…]
E.g., contract signing, digital media
Abort attacks: need to force the exchange to happen simultaneously
Fair exchange is impossible [Cle86,PG99,BN00]

Secure Computation [Yao86,GMW87]
(Figure: two parties holding inputs x and y jointly compute f(x,y))
Most general problem in cryptography – fair exchange is a special case
Fair 2-party secure computation is impossible [Cle86]
The definition of secure computation is inherently unfair in the presence of a dishonest majority [GMW87]

Workarounds
Penalty model [ASW00,MS01,CLM07,Lin08,KL10]
– Deviating party pays a monetary penalty to the honest party
– Bad guys lose money if they deviate after learning the output
– Honest parties never lose money
“Secure computation with penalties”

Bitcoin [Nak08]
Decentralized digital currency
(Relatively) widely adopted
Lots of recent research activity
“Securely” implements a bank
Simplified model: two-party transactions
– Conditional

Claim-or-Refund Functionality (F_CR)
Accepts from “sender” S:
– Deposit: coins(x)
– Time bound
– Circuit
Designated “receiver” R can claim this deposit by
– producing a witness T that satisfies the circuit
– within the time bound
If claimed, then the witness is revealed to ALL parties; else coins(x) are returned to S
Efficient realization via Bitcoin: Bitcoin scripts & timelocks
Allows realization in & across different models
Implicit in [Max11,BBSU12,BB13]

(Figure: HYBRID ≈ IDEAL – the hybrid world with the conditional transaction functionality and the unfair ideal functionality, against the fair ideal functionality)

Strategy
Hybrid model with functionality f ’:
– Computes the output of f, say z
– Secret shares z into n additive shares sh_1, …, sh_n
– Computes commitments on the shares, c_i = com(sh_i; w_i) for every i
– Delivers output ({c_1, …, c_n}, T_i = (sh_i, w_i)) to party P_i
Reduce fair secure computation to fair reconstruction

Fair Reconstruction
Notation: a claim-or-refund transaction from P_1 to P_2 denotes that P_2 must reveal witness T = (sh, w) within the time bound to claim coins(q) from P_1
“Abort” attack
– Adversary aborts without making its deposit but claims the honest party’s deposit
– Honest party loses money (although it learns the output)
Secure computation with penalties
– Honest parties never have to lose coins
– If a party aborts after learning the output then every honest party is compensated
Malicious coalitions
– A coalition of corrupt parties learns the honest party’s shares
– Then the adversary does not claim the honest party’s claim-refund transaction
– Adversary learns the output but the honest party is not compensated

“Ladder” Protocol
Two kinds of deposits: ladder and roof
Order of deposits/claims:
– Roof deposits made simultaneously
– Ladder deposits made one after the other
– Ladder claims in reverse order
– Roof claims at the end
High-level intuition:
– At the end of the ladder claims, all parties except P_n have “evened out”
– If P_n does not make the roof claims then honest parties get coins(q) via roof refunds
– Else P_n “evens out”
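As an added illustration (not code from the slides or from the authors), the following Python simulation ties together the Claim-or-Refund functionality F_CR, the share-and-commit step of f ’, and the two-party case of fair reconstruction with penalties: deposits are made one after the other and claimed in reverse, so a party that aborts after learning the other's share forfeits coins(q) to the honest party. The hash-based commitment, 32-bit shares, the integer clock, the party names and the deadline values are assumptions of the simulation.

```python
import hashlib
import secrets
MOD = 2**32  # shares are 32-bit values; z is reconstructed mod 2**32

def commit(sh: int, w: bytes) -> bytes:
    # Hash-based instantiation of com(sh; w), assumed for this simulation.
    return hashlib.sha256(sh.to_bytes(4, "big") + w).digest()

class ClaimOrRefund:
    """Simulated F_CR: S deposits `coins`; R may claim them by time `tau` with a witness satisfying `phi`."""
    def __init__(self, sender, receiver, coins, phi, tau):
        self.sender, self.receiver, self.coins = sender, receiver, coins
        self.phi, self.tau = phi, tau
        self.revealed, self.settled = None, False  # a claimed witness is revealed to ALL parties
    def claim(self, witness, now, ledger):
        if self.settled or now > self.tau or not self.phi(witness):
            return False
        ledger[self.receiver] += self.coins
        self.revealed, self.settled = witness, True
        return True
    def refund(self, now, ledger):  # after the time bound an unclaimed deposit goes back to S
        if self.settled or now <= self.tau:
            return False
        ledger[self.sender] += self.coins
        self.settled = True
        return True

def f_prime(z):
    """Hybrid functionality f': additive shares of z plus commitments; P_i gets ({c_1, c_2}, T_i)."""
    sh1 = secrets.randbelow(MOD)
    sh2 = (z - sh1) % MOD
    w1, w2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return [commit(sh1, w1), commit(sh2, w2)], [(sh1, w1), (sh2, w2)]

def fair_reconstruction(z, q, p1_aborts=False):
    """Two-party fair reconstruction with penalties; returns (P1's output, P2's output, ledger)."""
    cs, T = f_prime(z)
    ledger = {"P1": 0, "P2": 0}  # coin balances relative to the start
    opens = lambda i: (lambda t: commit(*t) == cs[i])  # phi_i: the witness opens c_i
    # Deposits one after the other, the later one with the earlier deadline so it is claimed first;
    # P1 deposits only after P2's deposit exists, which rules out "claim without depositing".
    d_to_p1 = ClaimOrRefund("P2", "P1", q, opens(0), tau=2); ledger["P2"] -= q
    d_to_p2 = ClaimOrRefund("P1", "P2", q, opens(1), tau=1); ledger["P1"] -= q
    d_to_p2.claim(T[1], now=1, ledger=ledger)      # P2 reveals T2 = (sh2, w2); P1 can now compute z
    if not p1_aborts:
        d_to_p1.claim(T[0], now=2, ledger=ledger)  # P1 reveals T1; P2 can now compute z
    d_to_p1.refund(now=3, ledger=ledger)           # if P1 aborted, P2 gets its own deposit back
    out1 = (T[0][0] + d_to_p2.revealed[0]) % MOD
    out2 = (d_to_p1.revealed[0] + T[1][0]) % MOD if d_to_p1.revealed else None
    return out1, out2, ledger
```

In the honest run both parties learn z and end with unchanged balances; if P1 aborts after seeing T2, P1 learns z but ends q coins down while P2 is compensated with coins(q).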

Related Work
Bitcoin lottery in the penalty model
– 2-party lottery [Back-Bentov arXiv13]
– Multiparty lottery [ADMM, S&P’14]
Secure computation in the penalty model using Bitcoin
– 2-party secure computation [ADMM, FC’14]
– Somewhat ad-hoc construction/analysis
– Security not proven using the simulation paradigm
– No multiparty secure computation in the penalty model
Constant-round MPC [K-Bentov, CCS’14]
Fairness in stateful computations [K-Moran-Bentov, CCS’15]

Summary
Penalty model for enforcing fairness
“Claim or refund” transactions in Bitcoin
Constructions in the F_CR hybrid model for
– Secure computation with penalties
– More applications, e.g., verifiable computation, secure computation with restricted leakage [KB14]
THANK YOU!!!