How to Use Bitcoin to Incentivize Correct Computations Ranjit Kumaresan (MIT) Iddo Bentov (Technion) Appeared at CCS 2014.

Slides:

Advertisements

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Advertisements

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Secure Evaluation of Multivariate Polynomials

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Secure Multiparty Computations on Bitcoin

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

How to Use Bitcoin to Design Fair Protocols Iddo Bentov (Technion) Ranjit Kumaresan (Technion) ePrint 2014/129.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.

DANSS Colloquium By Prof. Danny Dolev Presented by Rica Gonen

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Dan Boneh Introduction What is cryptography? Online Cryptography Course Dan Boneh.

1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)

The RSA Algorithm Rocky K. C. Chang, March

Programming Satan’s Computer

Multi-Client Non-Interactive Verifiable Computation Seung Geol Choi (Columbia U.) Jonathan Katz (U. Maryland) Ranjit Kumaresan (Technion) Carlos Cid (Royal.

How to play ANY mental game

Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.

Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.

Bitcoin (what, why and how?)

How to Use Bitcoin to Enhance Secure Computation Ranjit Kumaresan (MIT) Based on joint works with Iddo Bentov (Technion), Tal Moran (IDC), Guy Zyskind.

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

1 Bitcoin A Digital Currency. Functions of Money.

1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.

Rational Cryptography Some Recent Results Jonathan Katz University of Maryland.

Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

How to Use Bitcoin to Design Fair Protocols Ranjit Kumaresan (MIT) Joint work with Iddo Bentov (Technion), Tal Moran (IDC Herzliya)

Privacy Preserving Payments in Credit Networks By: Moreno-Sanchez et al from Saarland University Presented By: Cody Watson Some Slides Borrowed From NDSS’15.

Efficient Private Matching and Set Intersection Mike Freedman, NYU Kobbi Nissim, MSR Benny Pinkas, HP Labs EUROCRYPT 2004.

Secure Computation with Minimal Interaction, Revisited Yuval Ishai (Technion) Ranjit Kumaresan (MIT) Eyal Kushilevitz (Technion) Anat Paskin-Cherniavsky.

Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.

Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.

Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.

Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.

Lower bounds for Unconditionally Secure MPC Ivan Damgård Jesper Buus Nielsen Antigoni Polychroniadou Aarhus University.

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Digital vs. paper currencies Paper: Digital: 16fab13fc6890 Very useful if is also digital.

Block Chain 101 May 2017.

Topic 36: Zero-Knowledge Proofs

On the Size of Pairing-based Non-interactive Arguments

Cryptographic Hash Function

Applications of Blockchains - II

Helger Lipmaa University of Tartu, Estonia

Applications of Blockchains - III

Security through Encryption

Fiat-Shamir for Highly Sound Protocols is Instantiable

Helen: Maliciously Secure Coopetitive Learning for Linear Models

Identity Based Encryption from the Diffie-Hellman Assumption

Explore Txs, block, blockchain in Bitcoin

Presentation transcript:

How to Use Bitcoin to Incentivize Correct Computations Ranjit Kumaresan (MIT) Iddo Bentov (Technion) Appeared at CCS 2014

Bitcoin [Nak08] Decentralized digital currency – Provides some level of anonymity (Relatively) widely adopted Lots of recent research activity “Securely” implements a bank Wide variety of transactions – Expressive via Bitcoin “scripts” Wide range of applications – E.g.: Lottery, gambling, auctions,… – Currently done using a “trusted” party

This paper More applications but with… – Reduced trust assumptions – Formal security proofs Bit like “smart contracts” – More privacy/security – Reduced “validation complexity” Incentivization mechanisms fairly general – For other models, see [GM99,AM12,GRV14,…] Applications Verifiable computation Efficient secure computation Fair exchange Bitcoin bounties

Applications Verifiable computation Efficient secure computation Fair exchange Bitcoin bounties

Efficiency Metrics Computation/communication/round complexity – Varies depending on application Validation complexity – Complexity of scripts – Reduced load on the Bitcoin network – Faster validation – Transaction fee proportional to validation complexity Optimistic complexity – Typically expect parties to behave honestly – Optimize for this; not for worst case

Practical Issues Design mechanisms in idealized Bitcoin – Attacks on Bitcoin (e.g., 51%) break our mechanisms Good communication network – No DoS, etc. Extended script support – Currently many opcodes blacklisted – Altcoins with Turing-complete scripts (Ethereum) – Support with increased transaction fees (Cool but) heavy crypto – Garbled circuits, SNARKs, NIZKs, … – Currently impractical but expected to improve

Talk Outline Applications – Model, goal Basic Tools High level overview of constructions

Verifiable Computation Outsourcing computation to the cloud Many incentives for a cloud to cheat – Minimize resource usage – Malicious server! Verify correctness of server computations – Verification cheaper than computation Very well studied [GMR85,BFL91,Mic94,GKR08,GGP10,BCCT12,…] Application I

Verifiable Computation Incentive for the server? – Pay per computation model – Client pays server for output Fairness issues? – Client aborts after learning output, doesn’t pay – Cannot pay ahead of time, server might just not compute! Our contributions – Compile any VC scheme into a “fair” VC scheme Application I

Threat models – Semi-honest – Malicious Moving MPC from theory to practice – Major research direction – Semi-honest nearly practical – Malicious? In 2007: 680 x semi-honest [LP07] In 2014: 8 x semi-honest [HKKKM14,LR14] (amortized cost) Efficient Secure Computation Application II x f (x,y) y

Dual execution protocols [MF06] – 2 x semi-honest – But… leaks 1-bit of information! – Leakage happens only on cheating – Leakage undetected when cheater guesses leaked 1-bit Major problem when considering multiple executions! Our contributions – Punish cheating party whenever leakage detected Punishment corresponds to paying a penalty – Preserve efficiency of Dual-Ex when parties behave honestly Efficient Secure Computation Application II

Fair Exchange Application III [Rab81,BGMR85,ASW97,ASW98,BN00,….]

Contract signing – Two parties want to sign a contract – Neither wants to commit first The other signer could be malicious… Fair Exchange Application III Fair exchange is impossible [Cle86,PG99,BN00] Our contributions: – Fair secure computation in a “penalty model” – Anyone who aborts after learning output pays penalty to all parties

MakerCollector Miner Bitcoin Bounties Application IV Miners can steal the reward!!

Bitcoin Bounties Application IV Maker places bounty on solution of hard problem by sending a single message Collector can collect the bounty – Identity unknown at the time of bounty creation Maker learns solution upon collection Miners can’t collect bounty or learn solution

Talk Outline Applications – Model, goal Basic Tools – Claim-or-refund Transaction functionality High level overview of constructions

Claim-or-Refund Functionality Accepts from “sender” S – Deposit: coins(x) – Time bound:  – Circuit:  Designated “receiver” R can claim this deposit – Produce witness T that satisfies  – Within time  If claimed, then witness revealed to ALL parties Else coins(x) returned to S T ,  F CR Efficient realization via Bitcoin Bitcoin scripts & timelocks Efficient realization via Bitcoin Bitcoin scripts & timelocks Allows realization in & across different models Implicit in [Max11,BBSU12,BB13]

Candidate realization in Bitcoin S creates crTX that spends sTX (that S controls) to a script that can be redeemed by producing either – Both S’s and R’s signature; or – R’s signature and a valid witness T that satisfies  R signs a transaction that refunds crTX to S after time  Finally S broadcasts crTX to the Bitcoin network The steps above can be implemented safely since – S needs only to send Hash(crTX) to R – R can use fresh signing keys in this protocol Implicit in [Max11,BBSU12]

Talk Outline Applications – Model, goal Basic tools High level overview of constructions – Verifiable computation – Efficient secure computation – Fair secure computation – Bitcoin bounties

Verifiable Computation Weak client outsources computation of f – Client can verify output correctness – Pay per computation model – Client pays server for output Set  u (y) = 1 iff f (u) = y – Validation comp. = | f | T ,  F CR

Fair Verifiable Computation Public VC ( ek, vk ) <- KeyGen( f ) ( y, pf ) <- Compute( ek, u ) 0/1 <- Verify( vk, u, y, pf ) Set  vk,u ( y, pf ) = 1 iff Verify(vk, u, y, pf ) = 1 – Validation comp. = | Verify | – 288 bytes; 9 ms – Optimistic: zero – Prover comp. very high Malicious client supplies incorrect vk Honest server not paid for output Compiling a public VC scheme Solution Secure computation to emulate KeyGen T ,  F CR

Fair Verifiable Computation Incentivizing public VC is possible – But Input/output known to entire Bitcoin network Can incentivize private VC? – Input/output kept private even from server! Similar strategy for compiling private VC schemes – Securely emulate each algorithm except Compute – Client makes F CR deposit after secure emulation of Verify – Does not guarantee pay on computation for server – Validation comp. = hash invocation

Talk Outline Applications – Model, goal Basic tools High level overview of constructions – Verifiable computation – Efficient secure computation – Fair secure computation – Bitcoin bounties

Dual execution protocols [MF06] – 2 x semi-honest – But… leaks 1-bit of information! – Leakage happens only on cheating – Leakage undetected when cheater guesses leaked 1-bit Basic semi-honest garbled circuits protocol: Efficient Secure Computation Transfer input encodings GC Garbled circuits Method to compute over encrypted data Compute with input encodings to obtain output encodings Return output encodings Malicious Alice can learn Bob’s input!!

Dual Execution Transfer input encodings GC1 Transfer input encodings GC2 GC GC2 GC GC1 Secure equality test of output encodings; release output only if test passes Malicious party learns at most one bit! To incentivize: Generate encodings and GC from short seed – Allows to prove correct behavior via NIZK – Narrows down attack to false functions To claim penalty: – NIZK for own GC: to prove that party behaved correctly – Proof of leakage: to prove that other party didn’t follow protocol Fair secure equality test – Malicious party may abort after learning leaked bit Optimistic: O(1) hash – Worst-case: NIZK verification

Talk Outline Applications – Model, goal Basic tools High level overview of constructions – Verifiable computation – Efficient secure computation – Fair secure computation – Bitcoin bounties

Fair Secure Computation Deviating party pays monetary penalty to honest party Bad guys lose money if they deviate after learning output Honest parties never lose money Bad guys lose money if they deviate after learning output Honest parties never lose money Theorem [BK14]: Fair multiparty secure computation with penalties can be constructed using only claim-or-refund transactions [ADMM14, BK14]

Strategy Run secure computation that: – Computes output of f, say z – Secret share z into n additive shares sh 1,…,sh n – Computes commitments c i = SHA(sh i ; w i ) for every i – Delivers output: ({c 1,…,c n }, T i = (sh i, w i )) to party P i Reduce fair secure computation to fair reconstruction Reduce fair secure computation to fair reconstruction denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1 denotes P 2 must reveal witness T = (sh,w) within time  to claim coins(q) from P 1

“Ladder” Protocol [BK14] Ladder Roof Order of deposits/claims Roof deposits made simultaneously Ladder deposits made one after the other Ladder claims in reverse Roof claims at the end High-level intuition At the end of ladder claims, all parties except P n have “evened out” If P n does not make roof claims then honest parties get coins(q) via roof refunds Else P n “evens out”

Multilock Functionality N-party mechanism (recall F CR was 2 party) – Everybody locks coins in a single transaction – Can redeem own coins by revealing T i within specified time – Upon failure, coins go to other parties Gives constant round fair secure computation

Talk Outline Applications – Model, goal Basic tools High level overview of constructions – Verifiable computation – Efficient secure computation – Fair secure computation – Bitcoin bounties

Bitcoin Bounties Maker places bounty on solution of hard problem by sending a single message Collector can collect the bounty – Identity unknown at the time of bounty creation Maker learns solution upon collection Miners don’t collect bounty or learn solution Bounty ( m, r ) <- Make( f ) c <- Collect( m, w ) 0/1 <- Verify( m, c ) w/NULL <- Extract( c, r ) Properties Correctness: Verify passes for c from w with f (w) = 1 Security (informal): If an eavesdropper can obtain information about w from ( m, c ) then it must already know w before knowing c

Bitcoin Bounties Witness Encryption [GGH13] ct <- WEnc( f, b ) b/NULL <- WDec( ct, w ) Properties Correctness: Dec recovers b iff f (w) = 1 Security (informal): If an eavesdropper can obtain information about b from ct, then it must already know w Maker WEnc( f, sk), bounty claimed by signing with sk Collector Decrypt to get sk; Claim bounty Miners don’t learn witness, can’t steal reward. Maker can learn witness by asking for an NIZK proof for which it generates Setup

Summary How to incentivize correct behavior in: – Verifiable computation – Efficient secure computation – Fair secure computation – Bitcoin bounty mechanism Future directions : – More applications? – Efficiency improvements? THANK YOU!!!