An Accountable Decryption System Based on Privacy-Preserving Smart Contracts

Abstract

Accountability is a fundamental after-the-fact approach to detect and punish illegal actions during the execution of a warrant for accessing users’ sensitive data. To achieve accountability in a security protocol, a trusted authority is required, denoted as judge, to faithfully cooperate with the rest of the entities in the system. However, malicious judges or uncooperative protocol participants may void the accountability mechanism in practice, for example by fabricating fake evidence or by refusing to provide any evidence at all. To provide remediation to these issues, in this paper we propose Fialka, a novel accountable decryption system based on privacy-preserving smart contracts (PPSC). The neutrality that is inherent to a secure blockchain platform is inherited by PPSC which are then used in our approach as an accountable key manager as well as a transparent judge. To the best of our knowledge, we present the first PPSC-based accountable decryption system to increase the transparency of warrant execution with formal definitions and proofs. Furthermore, we provide and evaluate a prototype implementation using the PPSC-enabled platform Oasis Devnet, which additionally demonstrates the feasibility of Fialka.

Appendices

A Appendix: Linear Problem

Definition 8

(Linear Problem  [5, 15]). Let \(\mathbb {G}\) be a cyclic multiplicative group with prime order p, and \(g_1, g_2, g_3\) be generators of \(\mathbb {G}\). Given \(g_1, g_2, g_3, g_1^a, g_2^b, g_3^c \in \mathbb {G}\), decide whether \(a + b\) equals to c. If \(a + b=c\), outputs true, or false otherwise. The advantage of an algorithm \(\mathcal {A}\) in deciding the linear problem in \(\mathbb {G}\) is

with the probability taken over the uniform random choice of the parameters to \(\mathcal {A}\) and over the coin tosses of \(\mathcal {A}\).

Assumption 1 (Decision Linear Assumption)

No adversary \(\mathcal {A}\) succeeds in deciding the Linear Problem in \(\mathbb {G}\) with a non-negligible advantage.

Lemma 2

Assume \(\mathsf {H}_2\) is a target collision-resistant hash function, under the Decision Linear Problem, Kiltz’s full PKE scheme  [15] is secure against chosen-ciphertext attacks.

B Appendix: Completeness

Proof (Theorem 2: Completeness)

Suppose that there exists an adversary who wins the completeness game with non-negligible probability. Then, we transform an adversary against Completeness into adversaries against PPSC security and IND-CCA security of Kiltz’s PKE scheme. We describe a sequence of games to conduct the proof.

Game . This is the unmodified completeness game. The winning probability equals the advantage of against Completeness game, namely, \(adv_{\mathcal {A},{\varPi }}^{\Game _{\text {comp}}}(\lambda )\).

Game . In this game, when the adversary calls the \(\mathcal {C}\), we disallow contract \(\mathsf {\widehat{c}_{ad}}\) to execute the algorithm \(\mathsf {Insp}\), and then \(\mathsf {\widehat{c}_{ad}}\) outputs \(\mathsf {true}\) to the adversary.

Game . In this game, we disallow \(\mathcal {A}\) calls \(\mathcal {C}\), and thus \(\mathbf{Transfer} \) in \(\mathsf {\widehat{c}_{km}}\) cannot be executed, indicating \(\mathcal {A}\) cannot obtain secret key from blockchain.

Clearly, without querying smart contract, the adversary’s advantage of winning equals the advantage of breaking the CCA security of PKE. The adversary against security of Kiltz’s PKE scheme is negligible, and the proof is given in Lemma 2. To find out the difference between these games, we define the events: (1) : blocking the transaction-based evidence. The adversary fetches the key from the blockchain, and successfully hides the transaction \(\mathsf {Tx}^\star \) that used for validation in the algorithm \(\mathsf {Insp}\). (2) : forging an inspection result. The adversary forges an inspection result by executing \(\lnot \mathsf {Insp}\), where \(\lnot \mathsf {Insp}\) means the malicious behaviors of inspection and it modifies the \(\mathsf {false}\) result as \(\mathsf {true}\). (3): breaking the security of PPSC. The adversary obtains a valid private key without invoking the blockchain.

Game \(\approx \) Game . The winning conditions for equals the winning conditions for if neither event nor event happen. Thus, we have We then consider the happening probabilities of the and . The happening of implies that the adversary hides the transaction evidence, which contradicts the assumption of the transparency properties. Thus, the wining advantages of is identical to breaking the promise of transaction-transparency. If the event happens, indicating that the adversary breaks the state-consistency of PPSC, the possibility is identical to the advantage of breaking the promise of state-consistency. Thus, we have and .

Game \(\approx \) Game . The winning condition for is equal to the winning condition for if and only if event does not happen. The possibility of is identical to the advantages of breaking the promise of state-privacy. Thus, .

Combining everything together, we obtain that