Legally-Enforceable Fairness in Secure Two-Party Computation

Andrew Lindell, Aladdin Knowledge Systems and Bar-Ilan University
04/09/08, CRYP-202

Secure Multiparty Computation

A set of parties with private inputs wish to compute some joint function of their inputs

Parties wish to preserve some security properties. E.g., privacy and correctness
  » Example: secure election protocol

Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party

Security Requirements

Privacy
  » Parties can learn their designated output and nothing more
    • My private vote in an election is not revealed

Correctness
  » The correct function is computed
    • The candidate with the majority vote is elected

Independence of inputs
  » Parties cannot make their inputs depend on others

Fairness
  » If one party receives output, then all receive output

Fairness

Cleve (1986) showed that it is impossible for two parties to fairly toss a coin
  » Can be extended to other functionalities as well

Intuition behind proof
  » Assume that can compute fairly with m rounds
  » Consider an adversary that doesn’t send its last message
  » By the requirement of fairness, the other party still receives output
    • Thus, this last message is not needed and the protocol can be made m–1 rounds

Impossibility of Fairness (continued)

By induction, all messages can be removed, and so we are left with an empty protocol

But only trivial functions can be computed without interaction!

Conclusion: fairness cannot be achieved

Warning
  » This intuition is not exact, and the real situation is more involved

Fairness – Alternatives

Gradual release [BG,GL]
  » The output is released slowly, so that no party has too much advantage in guessing it

Optimistic computation [M,ASW,CC]
  » An online trusted party is assumed to be in place
  » If no one cheats, the trusted party is not needed
  » If fairness is breached by cheating, the trusted party is invoked to help restore fairness

A New Approach

Similar to the optimistic model, but use existing legal and financial infrastructure

Assume that digital signature law is in place and recognized
  » Digitally-signed cheques are enforced

Concurrent Signatures – Prior Work

Problem of fair exchange of signatures

Fundamental observation by Chen, Kudla and Paterson
  » A signature can only be enforced by revealing it (e.g., in a court)

Their idea
  » First, one party receives only a keystone (useless by itself)
  » Then, the other party receives the full signature it is supposed to
  » Given the keystone and the other signature, the first party can derive its full signature

Construction under specific assumptions and using a random oracle

Achieving Concurrent Signatures

To motivate our method, we show how to achieve concurrent signatures
  » With general assumptions and no random oracle

Requirement:
  » P1 should receive a signature on m1, denoted 1=Sign(m1).
  » P2 should receive a signature on m2, denoted 2=Sign(m2).

The protocol:
  » The parties use a secure two-party computation protocol
    • First, P1 receives 1=Sign(m1,2)
    • Then, P2 receives 2=Sign(m2)

Achieving Concurrent Signatures

Reminder
  » P1 receives 1=Sign(m1,2)
  » P2 receives 2=Sign(m2)

If P1 aborts after receiving 1, then P2 may not receive its signature 2
  » In order to enforce 1, P1 has to present it (e.g., to a court)
  » But, this reveals 2, restoring fairness

Remark
  » This is not perfect, but it is very good...

Secure Two-Party Protocol – Background

Requirement:
  » P1 and P2 have inputs x and y
  » P1 and P2 should receive f(x,y), for some function f

Notation
  » A cheque from P1 to P2 is a digitally signed message:
    • Stating whom the recipient is
    • Stating how much money should be transferred
    • Containing an additional field for arbitrary text

Our Protocol for Secure 2-Party Computation

Phase 1: The parties use a secure two-party computation protocol:
  » P1 receives a signed cheque chq1 for $10,000 from P2
    • This cheque contains another cheque chq2 for $10,000 for P2 from P1
    • The cheque chq2 is encrypted so that only P2 can decrypt
    • The cheque chq2 contains the output value f(x,y)

Phase 2
  » P1 sends the encrypted chq2 to P2
  » P2 decrypts, obtains f(x,y) and sends it back to P1

Our Protocol for Secure 2-Party Computation

[Protocol diagram] Party P1 (input x) and Party P2 (input y) run the secure computation subprotocol

  » P1 receives chq1, which contains the encrypted counter-cheque chq2 for P2 (with output)
  » P1 → P2: chq2, f(x,y)
  » P2: decrypt, and obtain f(x,y)
  » P2 → P1: f(x,y)
  » Both parties output f(x,y)

Early Aborting

If either party aborts before the end of phase 1
  » No one learns anything and so fairness is preserved

If P1 aborts after receiving chq1
  » It hasn’t learned the output and so fairness is preserved
  » If it tries to cash chq1, P2 will obtain chq2 and will counter it (so P2 won’t lose money)

Early Aborting

If P2 aborts after receiving chq2
  » P2 has learned f(x,y) and P1 hasn’t, so fairness is breached
  » But P1 has a cheque from P2 and so can force P2 to either present f(x,y) or pay!

Conclusion:
  » P2 can breach fairness, but only by paying the cheque
    • Setting the sum high enough makes this unlikely
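
The two abort cases above, and the "enforcing a signature reveals what it contains" idea from the concurrent-signatures slides, as an added Python example that is not part of the original slides. The slides name no concrete schemes, so everything here is an assumption: Lamport one-time signatures stand in for Sign, a toy XOR stream cipher stands in for encryption to P2, `phase1` is an ideal stand-in for the secure computation subprotocol, and all function names are hypothetical.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secrets, public key = their hashes
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(bits(msg)))

def verify(pk, msg, sig):
    return len(sig) == 8192 and all(
        H(sig[32 * i:32 * i + 32]) == pk[i][b] for i, b in enumerate(bits(msg)))

def toy_cipher(key, data):
    # Toy XOR stream cipher (its own inverse); assumed stand-in for encryption to P2
    ks = b"".join(H(key + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def cheque(sk, to, amount, text):
    body = json.dumps({"to": to, "amount": amount, "text": text}).encode()
    return body, sign(sk, body)

def phase1(f, x, y, sk1, sk2, k2, amount=10000):
    # Ideal stand-in for the secure computation subprotocol; only P1 gets output
    body2, sig2 = cheque(sk1, "P2", amount, str(f(x, y)))   # chq2: P1 pays P2
    enc = toy_cipher(k2, body2 + sig2)
    return cheque(sk2, "P1", amount, enc.hex())             # chq1: P2 pays P1

def open_chq2(chq1, k2, pk1):
    # Whoever is shown chq1 and holds k2 (that is, P2) recovers and checks chq2
    plain = toy_cipher(k2, bytes.fromhex(json.loads(chq1[0])["text"]))
    body2, sig2 = plain[:-8192], plain[-8192:]
    if not verify(pk1, body2, sig2): raise ValueError("invalid chq2")
    return json.loads(body2)

def settle(chq1, pk1, pk2, k2, p2_counters):
    # P1 presents chq1 to be paid; P2 may counter with chq2, which reveals f(x,y)
    if not verify(pk2, chq1[0], chq1[1]):
        return 0, None
    owed = json.loads(chq1[0])["amount"]
    if not p2_counters:
        return owed, None            # P2 keeps the output secret but pays
    chq2 = open_chq2(chq1, k2, pk1)
    return owed - chq2["amount"], chq2["text"]
```

`settle` returns the net amount P2 pays and the output P1 learns: countering cancels the payment but discloses f(x,y), while withholding the output costs P2 the full sum.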

A Comparison to the Optimistic Model

Optimistic model
  » Guarantees fairness always
  » Fairness is obtained immediately
  » Requires “special” infrastructure and trust

Our solution
  » Uses existing infrastructure in society (that is trusted)
  » Fairness is not immediate (need to wait for courts, bank…)
  » Adversary can choose to breach fairness for a high enough price

Summary

We introduced a different approach to fairness

Future challenges
  » Construct efficient protocols according to our approach
  » Make the world a fairer place
    • Although this may be out of the scope of this work

Legal Notice

© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved.

Aladdin, Aladdin Knowledge Systems, the Aladdin Knowledge Systems logo, eToken and eSafe are trademarks of Aladdin Knowledge Systems Ltd. covered by patents www.aladdin.com/patents; other patents pending.

You may not copy, reproduce (or the like), or use in any other way whatsoever, whether directly or indirectly, any of the materials represented and/or disclosed herein without the express written consent of Aladdin.

Some of the information contained herein may be proprietary information of Aladdin or third parties and all text, images, graphics, trademarks, service marks, logos, trade names and other materials which are part of this communication are subject to intellectual property rights of Aladdin or third parties. The information herein is provided “as is” without any warranty, express or implied (by statute or otherwise), of any kind whatsoever. Aladdin does not undertake any obligation to update the information herein and it does not assume responsibility for errors or omissions.