1 Introduction

1.1 Background

Secure computation is a cryptographic protocol that enables mutually distrustful parties to jointly compute a function of their private inputs [14, 30]. Fairness is a security notion of secure computation which requires that, at the end of a protocol, either all parties learn the output or none of them does. Fairness implies that no adversary can abort the protocol while withholding the output from the honest parties. Unfortunately, for many functions, fairness is impossible to achieve in the plain model without an honest majority [2, 10, 16].

Several works circumvent this impossibility result. One is the gradual release approach [6, 15]. In this approach, parties disclose the output gradually over multiple rounds instead of revealing it at once. It achieves fairness in a practical sense: even if an adversary aborts, its knowledge of the output value differs little from that of an honest party. However, this solution has the drawback of requiring many rounds. Another approach is the optimistic model [3, 24], which uses a Trusted Third Party (TTP). The TTP does not appear in the protocol if all parties behave honestly, but it restores fairness when an adversary violates it. This solution is efficient; however, it has the drawback of relying on the honesty of the third party.

Lindell [23] introduced a new approach to achieving fairness, which is a variant of the optimistic model. The new paradigm, called legally enforceable fairness, guarantees that an adversary who violates fairness incurs a monetary penalty, and an honest party who does not learn the output receives monetary compensation. If the penalty amount is set appropriately, this approach achieves fairness in effect, since adversaries follow the protocol rather than abort in order to avoid losing money. Lindell formalized secure two-party computation with legally enforceable fairness based on a trusted bank, which corresponds to the TTP of the optimistic model, and showed a two-party protocol for any functionality. The bank manages all parties’ accounts and can update their balances. Further, parties can request that the bank update their balances by submitting an electronic cheque.

1.2 Related works

Bentov and Kumaresan [7] introduced a functionality that achieves fairness with monetary penalties for an arbitrary number of parties. However, their work uses Bitcoin [28] instead of a trusted bank. Blockchain-based cryptocurrencies such as Bitcoin have the advantage of not relying on a TTP. Thus, the cryptocurrency-based solution avoids the TTP dependence of the bank-based one. Against this background, cryptocurrency-based solutions dominate the literature on fairness with monetary penalties, e.g., [1, 4, 5, 7, 8, 11, 13, 18, 20, 21, 22, 25, 26, 29].

However, cryptocurrency-based protocols also have disadvantages. For cryptocurrencies that do not guarantee anonymity, parties are forced to publicly disclose part of the protocol, since the blockchain is a public data structure. This can be a drawback for a party who does not want to disclose his/her participation in the protocol. Another issue stems from double-spending attacks on cryptocurrencies. To counter such attacks, parties must wait a certain amount of time at each step for the mining process. For cryptocurrencies where mining takes a long time, this can be a drawback in terms of protocol efficiency. Indeed, Bentov and Kumaresan [7] state that parties should allow about an hour per round in their Bitcoin-based protocol.

1.3 Our contribution

We introduce legally enforceable fairness applicable to an arbitrary number of parties. It guarantees that every honest party can receive monetary compensation if the protocol terminates when only an adversary learns the output. We note that guaranteeing that all honest parties receive compensation implicitly requires the adversary to lose money. It is a natural generalization of Lindell’s formalization for the two-party setting.

We show secure multi-party computation protocols with legally enforceable fairness. We evaluate the efficiency of a protocol by its round complexity and by the fee required to participate in it. More specifically, the fee refers to the initial balance with which an honest party’s account never becomes negative, i.e., less than zero, in any round. (Note that although legally enforceable fairness assures that every honest party’s account balance shows no loss at the end of the protocol, it may temporarily go negative during the protocol.) The fee measures how financially demanding it is to participate in the protocol; this measure was introduced in the work on the Bitcoin-based protocol [26].

We propose two protocols: The first one achieves O(n) rounds and \(O(n \alpha )\) fees, where n is the number of parties, and \(\alpha \) is a parameter for the penalty amount. The second one achieves O(1) rounds and \(O(n^2 \alpha )\) fees.

The electronic cheque formalized by Lindell [23] has no field to specify an expiration time. Because of this, parties must hold their cheques indefinitely to reap legally enforceable fairness. This paper further tackles this issue. We introduce a new trusted bank that can handle electronic cheques with expiration times and show how to apply the bank to our protocols.

Remark 1

We formalize fairness with monetary penalties for the multi-party setting, as in Bentov and Kumaresan’s work [7]. However, since their model differs from ours, their formalization for the multi-party setting also differs. For instance, cryptocurrency-based protocols require parties to explicitly input coins (money) into the protocols as deposits. This is because parties need to create transactions on the public network specifying the coins they use. On the other hand, our formalization, like [23], does not require such inputs, since the bank handles all monetary operations implicitly.

1.4 Differences from the conference version

We summarize differences from the earlier version of this paper [27] below:

  (1) Proposal of new trusted bank functionality: We introduce a new trusted bank functionality that handles electronic cheques with expiration time. Furthermore, we present multi-party protocols with legally enforceable fairness based on the new bank functionality. (It corresponds to Sect. 5.)

  (2) Security proof for our second protocol: We present a security proof for our second protocol. (It corresponds to Appendix B.)

Besides, we improve some descriptions of the proposed protocols and the security proof for our first protocol.

1.5 Organization

The remaining part of this paper is organized as follows: In Sect. 2, we introduce basic notations, a security model, and ideal functionalities. Section 3 describes Lindell’s two-party protocol with legally enforceable fairness [23]. Section 4 introduces secure multi-party computation with legally enforceable fairness and proposes two protocols as described above. In Sect. 5, we newly introduce a cheque with an expiration time and modified bank functionality according to it. Also, this section shows how to apply the modified cheque and bank to our proposed protocols. We conclude this paper in Sect. 6. (Sect. 5 and Appendix B are newly added from the earlier version [27].)

2 Preliminaries

2.1 Basic notations

For any positive integer i, we define \([i]:= \{1,\ldots ,i\}\). For a finite set X, \(x \in _\textrm{R}X\) means the process of choosing an element \(x\in X\) uniformly at random.

We denote by n and \(\lambda \) the number of parties and the security parameter, respectively. Let \(H \subseteq [n]\) be the set of honest parties and let \(C \subsetneq [n]\) be the set of corrupted parties controlled by an adversary. The sets satisfy \(h+c = n\), where \(h:= |H|\) and \(c:= |C|\) since each party is either honest or corrupted. We consider settings where \(c < n\). We assume that all parties are non-uniform Probabilistic Polynomial-Time (PPT) algorithms in \(\lambda \).

2.2 Public-key infrastructure

Our protocol assumes the existence of a public-key infrastructure, as does [23]. We define the infrastructure as Functionality 1, which provides the basic abilities of key registration and retrieval. This definition follows the formalization of a certificate authority in [9].

2.3 Trusted bank functionality

Assume that a trusted bank manages all parties’ accounts, and it has the authority to update their balances. A party can request the bank to update balances by submitting a digital cheque. We define the cheque in the following notation.

Cheque. A cheque requesting payment of \(\$q\) from \(P_i\) to \(P_j\) is a signed message of the form \(\textsf{chq}(cid,i \rightarrow j,q,z)\), where cid is a unique identifier and z is an auxiliary information field. We say a cheque is valid when the cheque consists of the elements cid, \(i \rightarrow j\), q, and z and all of them are signed with \(P_i\)’s signing key.

Based on the cheque, we define a functionality that represents a trusted bank as in Functionality 2. Let \(\textsf{bal}[i]\) be a variable of the current balance of \(P_i\) for \(i \in [n]\). We allow an account balance to be negative for the sake of simplicity. (This assumption implies that, even if there is not a sufficient balance in a corrupted party’s account, honest parties can still take compensation from it.)

In the execution phase, \(\mathcal {F}_{\textrm{bank}}\) updates the balances according to a cheque sent from a party. Upon receiving a cheque \(\textsf{chq}(cid,i \rightarrow j,q,z)\), the functionality confirms the validity and sets balances as \(\textsf{bal}[i]=\textsf{bal}[i]-q\) and \(\textsf{bal}[j]=\textsf{bal}[j]+q\). After that, it sends \(P_i\) a copy of the cheque. We use a set \(\textsf{used}\) to prevent duplicate usages of a cheque.

2.4 Secure computation with Abort

Let \(\mathcal {F}\) be a PPT n-party ideal functionality and let \(\pi \) be a PPT protocol for computing \(\mathcal {F}\). We follow the real/ideal paradigm as a security notion. Informally, in the ideal world, parties send their inputs to \(\mathcal {F}\), which first sends the output to a simulator. The simulator can choose whether or not to abort the protocol by replying \(\textsf{fair}\) or \(\textsf{unfair}\) to \(\mathcal {F}\). If it replies \(\textsf{fair}\), all parties learn the output, and the functionality terminates. Otherwise, the functionality terminates without sending the output to honest parties. Namely, this ideal world allows the simulator to violate fairness.

Let \(\textrm{IDEAL}_{\mathcal {F},\mathcal {S}}(\lambda ,z)\) denote the output vector of honest parties and a simulator \(\mathcal {S}\) (with an auxiliary input z) in the ideal world for realizing \(\mathcal {F}\). Let \(\textrm{HYBRID}^{\mathcal {G}}_{\pi , \mathcal {A}}(\lambda ,z)\) denote the output vector of honest parties and an adversary \(\mathcal {A}\) (with an auxiliary input z) in the real (hybrid) world for executing a hybrid protocol \(\pi \) with an ideal functionality \(\mathcal {G}\).

Definition 1

We say that a protocol \(\pi \) securely computes \(\mathcal {F}\) with abort in the \(\mathcal {G}\) hybrid model if for every non-uniform PPT adversary \(\mathcal {A}\), there exists a non-uniform PPT simulator \(\mathcal {S}\) such that two families of probability distributions \(\{\textrm{IDEAL}_{\mathcal {F},\mathcal {S}}(\lambda ,z)\}_{\lambda \in \mathbb {N},z\in \{0,1\}^*}\) and \(\{\textrm{HYBRID}^{\mathcal {G}}_{\pi , \mathcal {A}}(\lambda ,z)\}_{\lambda \in \mathbb {N},z\in \{0,1\}^*}\) are computationally indistinguishable.

(figure a: not reproduced)
(figure b: not reproduced)

3 Existing protocol for two-party setting

In this section, we introduce Lindell’s protocol [23] for secure two-party computation with legally-enforceable fairness, on which our protocols are based.

3.1 Ideal functionality for secure two-party computation

Before describing the protocol, we introduce the ideal functionality of secure two-party computation with legally-enforceable fairness [23]. Let \(\alpha \) be a parameter for the amount of penalty and compensation. In principle, the functionality guarantees the following properties.

  • No honest party loses money.

  • If a corrupted party \(P_j\) aborts after learning the output and does not tell the value to the other party \(P_i\), then \(P_j\) loses \(\$ \alpha \) and \(P_i\) obtains \(\$ \alpha \).

See Functionality 3 for a formal description of \(\mathcal {F}^{\alpha }_{2,f}\) computing a function f. A simulator \(\mathcal {S}\) corrupting \(P_j\) can obtain the output before an honest party \(P_i\), and can choose whether or not to tell the value to \(P_i\). In the case of telling the value to \(P_i\) (corresponding to the case where \(\mathcal {S}\) responds \(\textsf{fair}\)), the functionality sends the output to \(P_i\). In the other case (corresponding to the case where \(\mathcal {S}\) responds \(\textsf{unfair}\)), the functionality imposes a financial penalty on \(P_j\) and compensates \(P_i\) for not receiving the output.

(figure c: not reproduced)

3.2 Two-party protocol with legally enforceable fairness

Suppose parties \(P_1\) and \(P_2\) have inputs \(x_1\) and \(x_2\), respectively. Lindell’s protocol consists of the main computation and output exchange phases. We describe an overview of the protocol below. (Suppose that both parties have registered their key pairs with a certificate authority before the beginning of the main computation phase.)

Main computation phase: \(P_1\) and \(P_2\) run secure two-party computation with inputs \(x_1\) and \((x_2,r)\), respectively, where r is a random string to mask a cheque. As a result, \(P_1\) receives a cheque \(\textsf{chq}_1 = \textsf{chq}(cid,2 \rightarrow 1,\alpha ,r \oplus \textsf{chq}_2)\), where \(\textsf{chq}_2 = \textsf{chq}(cid,1 \rightarrow 2,\alpha ,y)\) and \(y=f(x_1,x_2)\), and \(P_2\) receives nothing. Both \(\textsf{chq}_1\) and \(\textsf{chq}_2\) are valid, i.e., both cheques are signed with signing keys of \(P_2\) and \(P_1\), respectively. Note that, although \(\textsf{chq}_1\) includes \(\textsf{chq}_2\) holding the output y, \(P_1\) cannot learn the value since \(\textsf{chq}_2\) is masked with r.

Output exchange phase: At the beginning of this phase, \(P_1\) has \(\textsf{chq}_1\) and \(P_2\) has nothing. \(P_1\) sends \(\textsf{chq}_1\) to \(P_2\). (\(P_2\) can verify the validity of the received cheque using \(P_1\)’s verification key.) \(P_2\) unmasks the auxiliary information field and obtains \(\textsf{chq}_2\). Since \(\textsf{chq}_2\) has the output y in the auxiliary information field, \(P_2\) learns the value first. Afterward, \(P_2\) tells y to \(P_1\) by revealing \(\textsf{chq}_2\), and the protocol is finished. (\(P_1\) can verify the output validity by verifying the validity of \(\textsf{chq}_2\).)

As seen in the overview, \(\mathcal {F}_{\textrm{bank}}\) does not appear when both parties behave honestly. In the following, we explain the role of the bank in two cases where \(P_1\) is corrupted or \(P_2\) is corrupted.

The case where \(P_1\) is corrupted: Let us consider the case where corrupted \(P_1\) sends \(\textsf{chq}_1\) to \(\mathcal {F}_{\textrm{bank}}\) without sending it to \(P_2\). Since the cheque is valid, the bank sets \(\textsf{bal}[2]=\textsf{bal}[2]-\alpha \) and \(\textsf{bal}[1]=\textsf{bal}[1]+\alpha \), i.e., honest \(P_2\) loses \(\$ \alpha \). However, since \(P_2\) receives a copy of \(\textsf{chq}_1\) from the bank, he/she can learn the output y and get back \(\$ \alpha \) using \(\textsf{chq}_2\). Further, since \(P_1\) receives a copy of \(\textsf{chq}_2\), he/she also learns the output. This case satisfies fairness since both parties learn the output, and both balances are unchanged from the initial state.

The case where \(P_2\) is corrupted: Let us consider the case where corrupted \(P_2\) aborts the protocol without revealing y to \(P_1\). Then, honest \(P_1\) submits \(\textsf{chq}_1\) to \(\mathcal {F}_{\textrm{bank}}\) and obtains \(\$ \alpha \). To get the money back, \(P_2\) must send \(\textsf{chq}_2\) to \(\mathcal {F}_{\textrm{bank}}\). If \(P_2\) sends the cheque to the bank, \(P_1\) learns the output from the copy, and this case satisfies fairness. Otherwise, \(P_1\) obtains \(\$ \alpha \) as compensation instead of learning y. This case also satisfies fairness.
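To make the bank functionality of Sect. 2.3 and the two-party output exchange above concrete, here is an added Python simulation; it is not code from the paper or from [23]. It assumes a toy in-memory bank, an HMAC tag standing in for the payer’s signature (the bank and the parties look the key up in a dictionary that stands in for \(\mathcal {F}_{\textrm{CA}}\)), a trusted function standing in for the MPC of the main computation phase, a SHAKE-expanded seed as the mask r, and constructed inputs \(x_1 = 6\), \(x_2 = 7\) with \(f(x_1,x_2) = x_1 x_2\). The three scenarios are the honest run and the two corruption cases of Sect. 3.2.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ALPHA = 10   # constructed penalty/compensation amount (the paper's alpha)
CA = {}      # stand-in for F_CA: party index -> verification material (here the MAC key)


@dataclass(frozen=True)
class Cheque:
    """chq(cid, i -> j, q, z) together with the tag standing in for P_i's signature."""
    cid: str
    payer: int
    payee: int
    amount: int
    aux: bytes
    tag: bytes


def cheque_body(cid, payer, payee, amount, aux):
    return f"{cid}|{payer}|{payee}|{amount}|".encode() + aux


def encode(c):
    # the 32-byte tag precedes aux, so decode() needs no length prefix for aux
    return cheque_body(c.cid, c.payer, c.payee, c.amount, c.tag + c.aux)


def decode(data):
    cid, payer, payee, amount, rest = data.split(b"|", 4)
    return Cheque(cid.decode(), int(payer), int(payee), int(amount), aux=rest[32:], tag=rest[:32])


def mask(seed, data):
    """XOR masking with a pad expanded from the seed r (constructed detail); its own inverse."""
    pad = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


class Party:
    def __init__(self, idx):
        self.idx = idx
        self.key = secrets.token_bytes(32)   # stand-in for the signing key registered with F_CA
        CA[idx] = self.key

    def sign(self, cid, payee, amount, aux):
        tag = hmac.new(self.key, cheque_body(cid, self.idx, payee, amount, aux), hashlib.sha256).digest()
        return Cheque(cid, self.idx, payee, amount, aux, tag)


def verify(c):
    """Validity check of Sect. 2.3: every field is covered by the payer's tag."""
    expected = hmac.new(CA[c.payer], cheque_body(c.cid, c.payer, c.payee, c.amount, c.aux), hashlib.sha256).digest()
    return hmac.compare_digest(expected, c.tag)


class Bank:
    """Execution phase of F_bank: verify, move money, mark the cheque used, copy it to the payer."""
    def __init__(self, parties):
        self.bal = {p.idx: 0 for p in parties}
        self.used = set()
        self.copies = {p.idx: [] for p in parties}

    def submit(self, c):
        ident = (c.cid, c.payer, c.payee)   # chq_1 and chq_2 share cid but differ in direction
        if not verify(c) or ident in self.used:
            return False
        self.used.add(ident)
        self.bal[c.payer] -= c.amount
        self.bal[c.payee] += c.amount
        self.copies[c.payer].append(c)
        return True


def main_computation(p1, p2, x1, x2, r, f):
    """Trusted stand-in for the MPC of the main computation phase: only P_1 gets chq_1."""
    y = f(x1, x2)
    cid = "cid-" + secrets.token_hex(4)
    chq2 = p1.sign(cid, payee=2, amount=ALPHA, aux=str(y).encode())        # signed by P_1, carries y
    chq1 = p2.sign(cid, payee=1, amount=ALPHA, aux=mask(r, encode(chq2)))  # signed by P_2, carries masked chq_2
    return chq1


def setup(x1=6, x2=7):
    CA.clear()
    p1, p2 = Party(1), Party(2)
    r = secrets.token_bytes(32)   # P_2's mask seed, its extra input to the main computation
    chq1 = main_computation(p1, p2, x1, x2, r, lambda a, b: a * b)
    return Bank([p1, p2]), chq1, r


def honest_run():
    bank, chq1, r = setup()
    assert verify(chq1)                              # P_2 checks the cheque received from P_1
    chq2 = decode(mask(r, chq1.aux))                 # P_2 unmasks z and obtains chq_2
    assert verify(chq2) and chq2.payer == 1
    y_p2 = int(chq2.aux)
    y_p1 = int(chq2.aux)                             # P_2 reveals chq_2 to P_1, who checks it the same way
    return y_p1, y_p2, dict(bank.bal)                # bank never involved, balances stay 0


def corrupt_p1_cashes_chq1():
    bank, chq1, r = setup()
    bank.submit(chq1)                                # P_1 takes alpha from P_2 instead of sending chq_1
    chq2 = decode(mask(r, bank.copies[2][0].aux))    # P_2 recovers chq_2 (and y) from the bank's copy
    bank.submit(chq2)                                # P_2 takes alpha back; P_1 receives a copy of chq_2
    return int(bank.copies[1][0].aux), int(chq2.aux), dict(bank.bal)


def corrupt_p2_aborts():
    bank, chq1, r = setup()
    bank.submit(chq1)                                # P_2 learned y and stopped; P_1 cashes chq_1
    replay = bank.submit(chq1)                       # a second submission is rejected by the used set
    return dict(bank.bal), replay
```

honest_run() and corrupt_p1_cashes_chq1() both end with both parties knowing y and balances back at zero, while corrupt_p2_aborts() leaves \(P_1\) holding \(+\alpha\) and \(P_2\) \(-\alpha\); the replay result shows why the bank keeps the set \(\textsf{used}\).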

4 Secure multi-party computation with legally enforceable fairness

This section shows our secure multi-party protocols with legally enforceable fairness. We propose two protocols: The first one achieves O(n) rounds and \(O(n\alpha )\) fees. The second one achieves O(1) rounds and \(O(n^2\alpha )\) fees. The two protocols are inspired by the Bitcoin-based protocols [7] and [25], respectively.

Overview of our protocols: We construct n-party protocols following Lindell’s construction for two-party protocol [23], that is, our protocols also consist of the main computation and the output exchange phases. It is well known that the ideal oblivious transfer \(\mathcal {F}_{\textrm{OT}}\) is sufficient to achieve secure computation for arbitrary functionality according to Definition 1 [17, 19]. Moreover, this can be performed in constant rounds [17]. The main computation phases in both protocols are performed in constant rounds in the \(\mathcal {F}_{\textrm{OT}}\)-hybrid model. Afterward, parties run an output exchange protocol based on the ideal bank functionality. Hence, we design protocols in the \((\mathcal {F}_{\textrm{OT}}, \mathcal {F}_{\textrm{CA}}, \mathcal {F}_{\textrm{bank}})\)-hybrid model. We note that there is almost no difference in efficiency of the main computation phases between the two protocols. The differences occur within the output exchange phase.

Main difference from the Bitcoin-based protocols: The main difference between Bitcoin-based protocols [7, 26] and our protocols is that the former use the claim-or-refund functionality, while the latter use the trusted bank functionality. The claim-or-refund functionality allows a sender to transfer coins to a receiver if the receiver publishes a witness that satisfies a condition. The condition can be any predicate specified by the sender. On the other hand, the trusted bank functionality transfers money from the payer’s account to the receiver’s account when the receiver sends the bank a cheque bearing a valid signature of the payer. Note that only signature verification can serve as the condition for a money transfer. Because of this difference, we cannot use the same strategy as the Bitcoin-based protocols, and so we construct our protocols by extending Lindell’s method of including another cheque in the auxiliary information field. This is the main difference from the Bitcoin-based protocols.

(figure d: not reproduced)
(figure e: not reproduced)
(figure f: not reproduced)

4.1 Ideal functionality for secure multi-party computation

Before presenting our protocols, we introduce an ideal functionality for the multi-party setting. Our formalization is inspired by [7, 25]. In terms of generalizing Functionality 3, the functionality for multi-party setting should guarantee the following properties.

  • No honest party loses money.

  • If an adversary aborts after learning the output without telling the value to honest parties, then every honest party receives \(\$ \alpha \) or more as compensation.

Note that the second item does not guarantee that honest parties receive compensation if an adversary aborts without learning the output. Also, it does not require that each honest party receives the same compensation. Allowing unequal compensation is needed to prove the security of our protocols; constructing a protocol with equal compensation, as in the two-party case, is left as an open problem.

Functionality 4 is a formal description for secure multi-party computation with legally enforceable fairness. In the input phase, the functionality \(\mathcal {F}^{\ge \alpha }_{n,f}\) receives inputs for f. Moreover, it allows the simulator \(\mathcal {S}\) to specify a subset \(H'\) of honest parties. The subset captures compensated parties. The simulator can choose how to pay the penalties from corrupted parties’ balances.

The output phase depends on \(h'=|H'|\). If \(h'=0\), all parties can learn the output, and no party is penalized. The case of \(0<h'<h\) captures the cases where an adversary aborts the protocol without learning the output. Note that not all honest parties receive compensation in this case. In the case of \(h' = h\), the functionality allows the simulator to learn the output first. Afterwards, the simulator can choose whether or not to abort the protocol without telling the output to honest parties by replying fair or unfair, like Functionality 3. This step allows the simulator to re-designate how to pay the penalties from corrupted parties’ balances. We use \(H''\) to capture the cases where an adversary tells only some of honest parties the output.

Definition 2

Let \(\pi \) be a protocol and let f be a multi-party functionality. We say that a protocol \(\pi \) securely computes f with \(\alpha \)-legally enforceable fairness if \(\pi \) securely computes the functionality \(\mathcal {F}^{\ge \alpha }_{n,f}\) according to Definition 1.

4.2 Proposed protocol I: O(n) rounds and \(O(n\alpha )\) fees

We first present our n-party protocol that achieves O(n) rounds and \(O(n\alpha )\) fees. Hereafter, we denote by \(\textsf{chq}^i_j\) a cheque for payment from \(P_j\) to \(P_i\).

Before presenting the formal description, we informally give the idea behind the proposed protocol I: In the main computation phase, parties run secure multi-party computation, and only \(P_1\) receives a cheque \(\textsf{chq}^1_2\), as in the two-party protocol. The cheque \(\textsf{chq}^1_2\) has a recursive structure: \(\textsf{chq}^1_2\) holds \(\textsf{chq}^2_3\), which holds \(\textsf{chq}^3_4\), and so on. The deepest cheque holds the desired value \(y=f(x_1,\dots ,x_n)\), and each \(\textsf{chq}^i_{i+1}\) is masked with a random value generated by \(P_i\). Thus, to learn y, parties need to unmask the cheques sequentially in the output exchange phase. (We defer the discussion of security in the presence of malicious behaviour to later in this subsection.)

We present the formal description in Protocol 5. Since the ideal oblivious transfer is sufficient to realize the main computation phase with constant rounds and the output exchange phase requires n rounds, the protocol requires O(n) rounds. Also, \(P_n\) is the party that requires the largest balance at the beginning of the protocol. The balance is \(\$ (n-1)\alpha \), and thus the protocol requires \(O(n \alpha )\) fees. To summarize the result, we can derive the following theorem.

Theorem 1

For every n-party functionality f there exists a protocol that securely computes f with \(\alpha \)-legally enforceable fairness in the \((\mathcal {F}_{\textrm{OT}}, \mathcal {F}_{\textrm{CA}}, \mathcal {F}_{\textrm{bank}})\)-hybrid model. The protocol requires O(n) rounds and \(O(n \alpha )\) fees.

To give an intuitive understanding of the security property, we describe here each case of the output exchange phase in which some parties behave maliciously. (Appendix A shows the formal proof.)

Security intuition: Let us consider the case where corrupted \(P_j \, (2 \le j \le n)\) aborts, i.e., he/she does not send \(\textsf{chq}^j_{j+1}\) to \(P_{j+1}\). This case corresponds to the first item of the output exchange phase (some parties behave maliciously). Since we want to focus on the case where fairness may be violated, we suppose that \(P_j\) colludes with \(P_{j+1},\dots ,P_n\). Note that otherwise, the adversary cannot learn the output. Then, every honest party submits his/her cheque to the bank. That is, honest \(P_i\) sends \(\textsf{chq}^i_{i+1}\) to \(\mathcal {F}_{\textrm{bank}}\). As a result, every honest party gets \(\$ \alpha \) as compensation, i.e., the protocol achieves legally enforceable fairness in this case. Note that if \(P_1\) aborts, no one has yet published a random string, so the adversary cannot learn the output, and no compensation is due.

Next, we describe the case where a malicious party submits his/her cheque to the bank, which is the second item. We discuss separately the cases where \(P_j \, (1 \le j \le n-1)\) submits the cheque and where \(P_n\) submits the cheque. Suppose corrupted \(P_j\) submits \(\textsf{chq}^j_{j+1}\) to the bank and takes \(\$ j\alpha \) from \(P_{j+1}\). Since we want to focus on the case where fairness may be violated, we suppose that \(P_{j+1}\) is honest. \(\mathcal {F}_{\textrm{bank}}\) sends a copy of the cheque to the payer, so \(P_{j+1}\) learns \(R_j\) from the cheque and obtains \(\textsf{chq}^{j+1}_{j+2}\). Then, \(P_{j+1}\) submits this cheque to the bank and gets \(\$ (j+1)\alpha \) from \(P_{j+2}\), and \(P_{j+2}\) can learn the cheque \(\textsf{chq}^{j+2}_{j+3}\) in the same way. Parties repeat this procedure until \(P_n\) learns \(\{ \textsf{chq}^n_i \}_{i \in [n-1]}\) and submits them to the bank. As a result, since all cheques are submitted to the bank, parties’ balances return to the initial state and all parties learn the output y from the cheques of \(P_n\). If a corrupted party among \(P_{j+1},\dots ,P_n\) refuses to submit his/her cheque, the output is not revealed to honest parties. In this case, honest parties get \(\$ \alpha \) as compensation by submitting their cheques. Thus, the protocol achieves legally enforceable fairness in this case. Now suppose corrupted \(P_n\) submits \(\{ \textsf{chq}^n_i \}_{i \in H}\) to the bank and takes \(\$ \alpha \) from each honest party. Note that all honest parties must already hold their cheques before \(P_n\) obtains the cheques it submits. Thus, each honest party can get back \(\$ \alpha \) by submitting cheques to the bank. Since all honest parties learn the output from \(P_n\)’s cheques, the protocol also achieves legally enforceable fairness in this case.
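The chain of cheque submissions in the case analysis above, as an added Python simulation; it is not code from the paper, and the formal Protocol 5 is not reproduced on this page. It assumes the payment amounts the case analysis states: \(\textsf{chq}^i_{i+1}\) pays \(\$ i\alpha \) from \(P_{i+1}\) to \(P_i\) for \(i \in [n-1]\), and \(\textsf{chq}^n_i\) pays \(\$ \alpha \) from \(P_i\) to \(P_n\). It tracks balances only (signatures and masking are left out) and records each party’s lowest balance, which is the fee measure of Sect. 1.3.

```python
def protocol_one_cheques(n, alpha):
    """Cheque amounts of protocol I as the case analysis states them (assumption).
    A cheque is (payer, payee, amount); chq^i_j is paid by P_j to P_i."""
    chain = {i: (i + 1, i, i * alpha) for i in range(1, n)}   # chq^i_{i+1}, held by P_i
    final = {i: (i, n, alpha) for i in range(1, n)}           # chq^n_i, held by P_n
    return chain, final


class Ledger:
    """Balances only (no signatures or masking); records each party's lowest balance."""
    def __init__(self, n):
        self.bal = {i: 0 for i in range(1, n + 1)}
        self.low = dict(self.bal)

    def cash(self, cheque):
        payer, payee, amount = cheque
        self.bal[payer] -= amount
        self.bal[payee] += amount
        self.low[payer] = min(self.low[payer], self.bal[payer])


def abort_case(n, j, alpha=1):
    """Corrupted P_j (2 <= j <= n), colluding with P_{j+1}, ..., P_n, withholds chq^j_{j+1}.
    Honest P_1, ..., P_{j-1} each cash the chain cheque they hold and end up at +alpha."""
    chain, _ = protocol_one_cheques(n, alpha)
    ledger = Ledger(n)
    for i in range(1, j):
        ledger.cash(chain[i])
    return ledger.bal


def cash_case(n, j, alpha=1):
    """Corrupted P_j (1 <= j <= n-1) cashes chq^j_{j+1}. Each payer learns the next cheque
    from the bank's copy and cashes it, P_n cashes chq^n_i for all i, and finally the
    honest holders of chq^1_2, ..., chq^{j-1}_j cash theirs, so every cheque is used."""
    chain, final = protocol_one_cheques(n, alpha)
    ledger = Ledger(n)
    for i in range(j, n):
        ledger.cash(chain[i])
    for i in range(1, n):
        ledger.cash(final[i])
    for i in range(1, j):
        ledger.cash(chain[i])
    return ledger.bal, ledger.low


def required_fee(n, alpha=1):
    """Largest temporary deficit any party reaches over all cash_case starting points:
    the fee measure of Sect. 1.3. It comes out as (n-1)*alpha, reached by P_n."""
    return max(-min(cash_case(n, j, alpha)[1].values()) for j in range(1, n))
```

abort_case(5, 3) leaves \(P_1\) and \(P_2\) with one \(\alpha \) each, cash_case(5, 3) ends with every balance at zero, and required_fee(n) equals \((n-1)\alpha \), the bound stated for Theorem 1.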

4.3 Proposed protocol II: O(1) rounds and \(O(n^2\alpha )\) fees

We next present our n-party protocol that achieves O(1) rounds and \(O(n^2 \alpha )\) fees. Before presenting the formal description, we informally give the idea for achieving constant rounds: In the main computation phase, parties run secure multi-party computation, and only \(P_1\) receives cheques, which consist of unmasked and masked ones. We focus on the masked cheque \(\textsf{chq}^1_n\), which holds \(\{ r_{n,i} \oplus \textsf{chq}^{n}_{i} \}_{i \in [n-1]}\) in the auxiliary information field, where each \(\textsf{chq}^{n}_{i}\) holds the output \(y=f(x_1,\dots ,x_n)\). The random strings \(\{ r_{n,i} \}_{i \in [n-1]}\) are generated by \(P_n\), and \(\textsf{chq}^1_n\) is masked with \(r'_2 \oplus \dots \oplus r'_{n-2}\), where each \(r'_k\) is generated by \(P_k\). Namely, \(\textsf{chq}^1_n\) has a two-tiered structure, so parties need to unmask this cheque twice in the output exchange phase to learn y. In the first unmasking, \(P_2,\dots ,P_n\) send their random strings to \(P_1\), who unmasks the cheque using \(r'_2 \oplus \dots \oplus r'_{n-2}\) and learns \(\{ r_{n,i} \oplus \textsf{chq}^{n}_{i} \}_{i \in [n-1]}\). In the second unmasking, \(P_1\) sends \(\{ r_{n,i} \oplus \textsf{chq}^{n}_{i} \}_{i \in [n-1]}\) to \(P_n\), who unmasks these cheques using \(\{ r_{n,i} \}_{i \in [n-1]}\) and learns y.

See Protocol 6, which shows the formal description of our protocol. Since the ideal oblivious transfer is sufficient to achieve the main computation phase with constant rounds and the output exchange phase is realized with only four rounds, this protocol is performed with constant rounds. Also, \(P_1\) is the party that requires the largest balance at the beginning of the protocol. The balance is \(\$ ((n-1)(n-2)+1)\alpha \), and the protocol requires \(O(n^2 \alpha )\) fees. To summarize the result, we can derive the following theorem.

Theorem 2

For every n-party functionality f there exists a protocol that securely computes f with \(\alpha \)-legally enforceable fairness in the \((\mathcal {F}_{\textrm{OT}}, \mathcal {F}_{\textrm{CA}}, \mathcal {F}_{\textrm{bank}})\)-hybrid model. The protocol requires O(1) rounds and \(O(n^2 \alpha )\) fees.

Here, we give a security intuition for Theorem 2. (Appendix B shows the formal proof.) Below, as in Sect. 4.2, we describe each case of the output exchange phase in which some parties behave maliciously. Hereafter, let \(M:= \{2,\dots ,n-1 \}\).

Security intuition: First, let us consider the cases where \(P_1\) behaves maliciously. If corrupted \(P_1\) aborts the protocol in step 3, honest \(P_i\) submits \(\textsf{chq}^i_1\) to \(\mathcal {F}_{\textrm{bank}}\) for each \(i \in M\). Note that \(P_i\) has unmasked his/her cheque in step 2 for all \(i \in M\). As a result, every honest party obtains \(\$ \alpha \) or more as compensation. Thus, the protocol achieves legally enforceable fairness in this case.

If corrupted \(P_1\) submits \(\{ \textsf{chq}^1_i \}_{i \in \hat{H}}\) to \(\mathcal {F}_{\textrm{bank}}\), where \(\hat{H} \subseteq M\), then \(P_j\) submits \(\textsf{chq}^j_1\) to \(\mathcal {F}_{\textrm{bank}}\) for each \(j \in \hat{H}\). As a result, every honest party obtains a positive amount of money. If \(P_1\) further submits \(\textsf{chq}^1_n\) to the bank, \(P_n\) submits \(\{ \textsf{chq}^n_i \}_{i \in [n-1]}\), and \(\{ P_i \}_{i \in M \setminus \hat{H}}\) submit \(\{ \textsf{chq}^i_1 \}_{i \in M \setminus \hat{H}}\), to the bank. As a result, the balances of all honest parties return to their initial states, since all cheques are used. Since honest parties do not lose money and learn the output value y from the cheques \(\textsf{chq}^n_i\), the protocol achieves legally enforceable fairness in this case.

Next, let us discuss the cases where corrupted \(P_n\) behaves maliciously. If \(P_n\) aborts the protocol or submits \(\{ \textsf{chq}^n_i \}_{i \in H'}\) to \(\mathcal {F}_{\textrm{bank}}\), \(H' \subseteq [n-1]\) in step 4, then \(P_1\) submits \(\{ \textsf{chq}^1_j \}_{j \in M}\) to \(\mathcal {F}_{\textrm{bank}}\) and \(P_j\) submits \(\textsf{chq}^j_1\) to \(\mathcal {F}_{\textrm{bank}}\) for each \(j \in M\). The balances of parties who learn the output become initial states, and parties who do not learn the output receive compensation. Thus, the protocol achieves legally enforceable fairness in this case.

Finally, let us consider the case where some of \(\{ P_j \}_{j \in M}\) behave maliciously. We discuss separately the cases where (i) \(C_1 = C_2 \vee C_1 = \emptyset \) or (ii) \(C_1 \ne C_2 \wedge C_1 \ne \emptyset \). In case (i), \(P_1\) submits \(\{ \textsf{chq}^1_j \}_{j \in M}\) and \(\textsf{chq}^1_n\), and \(\{ P_j \}_{j \in M \setminus C_1}\) submit \(\{ \textsf{chq}^j_1 \}_{j \in M \setminus C_1}\), to \(\mathcal {F}_{\textrm{bank}}\). Further, \(P_n\) obtains \(\{ \textsf{chq}^n_i \}_{i \in [n-1]}\) from \(\textsf{chq}^1_n\) and submits these cheques to the bank. As a result, the balances of all honest parties return to their initial states, since all cheques are used.

In case (ii), \(P_1\) submits \(\{ \textsf{chq}^1_j \}_{j \in M}\), and \(\{ P_i \}_{i \in M \setminus C_1 \cup C_2}\) submit \(\{ \textsf{chq}^i_1 \}_{i \in M \setminus C_1 \cup C_2}\), to \(\mathcal {F}_{\textrm{bank}}\). We note that \(P_1\) cannot use \(\textsf{chq}^1_n\) in this case, since some party in \(\{ P_j \}_{j \in M}\) does not reveal its random value. Thus, we need to make sure that \(P_1\) receives compensation even if he/she cannot use \(\textsf{chq}^1_n\). Let \(\hat{M}:= M \setminus C_1\) be the set of parties who submit their cheques to the bank, i.e., the cheques \(\{ \textsf{chq}^i_1 \}_{i \in \hat{M}}\) are submitted to the bank. \(P_1\) obtains \(\$ (n-2)^2 \alpha \) by using \(\{ \textsf{chq}^1_j \}_{j \in M}\) and loses \(\$ (n-1)\hat{m} \alpha \), where \(\hat{m} =|\hat{M}|\). Noting that the maximum value of \(\hat{m}\) is \(n-3\), the inequality \((n-2)^2 > (n-1)(n-3)\) must hold for \(P_1\) to receive compensation without using \(\textsf{chq}^1_n\). Since this inequality holds for every positive integer n, \(P_1\) receives compensation for any \(\hat{m} \in [n-3]\). Thus, the protocol achieves legally enforceable fairness in this case too.

Remark 2

The payment amounts \(\$ (n-2)\alpha \) of \(\{\textsf{chq}^1_j\}_{j \in M}\) and \(\$ (n-1)\alpha \) of \(\{\textsf{chq}^j_1\}_{j\in M}\) are derived from case (ii) of the security intuition discussion above. Let \(q_1\) and \(q_m\) be the payment amounts (in units of \(\$\alpha\)) of \(\{\textsf{chq}^1_j\}_{j \in M}\) and \(\{\textsf{chq}^j_1\}_{j\in M}\), respectively. In order that \(P_1\) does not lose money even if he/she cannot use \(\textsf{chq}^1_n\), the total amount \(P_1\) receives by using \(\{\textsf{chq}^1_j\}_{j \in M}\) must exceed the total amount he/she loses through the at most \(n-3\) cheques in \(\{\textsf{chq}^j_1\}_{j\in M}\) that can be submitted in that case. (If all of \(\{\textsf{chq}^j_1\}_{j\in M}\) are submitted to the bank, \(P_1\) can use \(\textsf{chq}^1_n\).) That is, \(q_1(n-2) > q_m(n-3)\) needs to hold. Further, in order that each of \(P_2,\dots ,P_{n-1}\) can receive compensation, \(q_m > q_1\) must hold, since the difference \(q_m - q_1\) is his/her compensation. It suffices to take \(q_m = q_1 + 1\), so the amounts follow from the inequality \(q_1(n-2) > (q_1 +1)(n-3)\), i.e., \(q_1 > n-3\). The least solution is \(q_1 = n-2\), and hence \(q_m = n-1\).
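As an added illustration of the accounting in case (ii) and of the choice of \(q_1\) and \(q_m\) in Remark 2 (example code written for this edited version, not part of the paper's protocols), the following model tallies the balance changes caused by the cheque submissions and searches for the least \(q_1\). It assumes \(M = \{2,\dots,n-1\}\), that \(\hat{M}\) consists of the first \(\hat{m}\) members of \(M\), that \(\textsf{chq}^1_j\) is drawn on \(P_j\) in favour of \(P_1\) and \(\textsf{chq}^j_1\) is drawn on \(P_1\) in favour of \(P_j\), and that \(\alpha\) is an integer monetary unit.

```python
# Added example (not from the paper): cheque settlement in case (ii) and the
# derivation of q_1 = n-2, q_m = n-1 from Remark 2.
# Conventions assumed here: M = {2, ..., n-1}; chq^1_j is held by P_1 and drawn
# on P_j for q1*alpha; chq^j_1 is held by P_j and drawn on P_1 for qm*alpha;
# alpha is an integer monetary unit.


def settle_case_ii(n: int, alpha: int, m_hat: int, q1: int, qm: int) -> dict:
    """Net balance change of every party after the case-(ii) cheque submissions.

    P_1 cashes every chq^1_j (j in M).  Only the parties in M_hat = M \\ C_1 cash
    their chq^j_1; M_hat is taken to be the first m_hat members of M (assumption),
    and m_hat <= n-3 because some party in M withheld its random value.
    """
    if not 0 <= m_hat <= n - 3:
        raise ValueError("case (ii) requires 0 <= m_hat <= n-3")
    M = list(range(2, n))
    M_hat = M[:m_hat]
    net = {i: 0 for i in range(1, n + 1)}
    for j in M:                 # P_1 submits chq^1_j: P_j pays q1*alpha to P_1
        net[j] -= q1 * alpha
        net[1] += q1 * alpha
    for j in M_hat:             # P_j submits chq^j_1: P_1 pays qm*alpha to P_j
        net[1] -= qm * alpha
        net[j] += qm * alpha
    return net


def p1_never_loses(n: int, q1: int, qm: int) -> bool:
    """True iff P_1 ends with a strictly positive net for every admissible m_hat."""
    return all(settle_case_ii(n, 1, m, q1, qm)[1] > 0 for m in range(n - 2))


def least_q1(n: int) -> int:
    """Smallest q1 with qm = q1 + 1 such that P_1 never loses (Remark 2)."""
    q1 = 1
    while not p1_never_loses(n, q1, q1 + 1):
        q1 += 1
    return q1


if __name__ == "__main__":
    for n in range(3, 9):
        # worst case for P_1: m_hat = n-3, with the paper's amounts q1 = n-2, qm = n-1
        print(n, least_q1(n), settle_case_ii(n, 1, n - 3, n - 2, n - 1))
```

For every n the search returns \(q_1 = n-2\); with these amounts the parties in \(\hat{M}\) each net exactly \(\$\alpha\), the parties in \(C_1\) each lose \(\$(n-2)\alpha\), and \(P_1\) nets \(\$\alpha\) in the worst case \(\hat{m} = n-3\).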


5 Electronic cheque with expiration time

5.1 Modification of trusted bank functionality

Since the cheques discussed above have no expiration time, parties can use them indefinitely. This implies that parties must hold their cheques forever to enjoy legally enforceable fairness. Since this is a heavy burden on parties, we tackle this issue here. Henceforth, we suppose that all parties (and the trusted bank) are synchronous and can watch the same wall clock.

To resolve the problem, we first modify the definition of the cheque so that it has a field specifying an expiration time. The modified format is \(\textsf{chq}(cid,i \rightarrow j,q,\tau ,z)\), where \(\tau \) is a positive integer representing the expiration time and the other parameters remain unchanged.

We further adjust the trusted bank functionality to reflect the above change. We note that it is not enough to simply reject expired cheques, because our protocols with such a trusted bank functionality would not satisfy legally enforceable fairness. For instance, in Protocol 5, suppose that the expiration time of every cheque is \(\tau _{ex}\), a time long after the beginning of the protocol. Then an adversary who corrupts \(P_1\) can violate fairness as follows: after \(P_1\) receives \(\textsf{chq}^1_2\) as the result of the main computation, the adversary waits without proceeding with the procedure. Just before \(\tau _{ex}\), the adversary submits \(\textsf{chq}^1_2\) to the bank and gets the money. Although the other parties could recover the money by using their own cheques, this may be impossible because too little time remains before \(\tau _{ex}\). As a result, the adversary obtains money and violates fairness.

To circumvent the above attack, we allow the bank to extend expiration times. Precisely, when a party uses a cheque, the bank extends the expiration times of the other cheques that correspond to it. The length of the extension is determined by a parameter t. We present the formal description in Functionality 7; see steps 2 and 4 of the execution phase. When a party submits a cheque before its expiration time \(\tau \), the bank extends the expiration time of the other cheques to \(\max (\tau , \textsf{ct}+t)\), where \(\textsf{ct}\) is the current time. If t is set to a time sufficient for submitting a cheque, the protocol circumvents the above attack.

5.2 Our protocols based on the modified functionality

We can apply the modified bank functionality to both of our proposed protocols, i.e., Protocols 5 and 6, with only a few changes. Before presenting the changes, we set the expiration time \(\tau \) of the cheques and the extension parameter t: the expiration time of all cheques is set to a sufficiently large integer, denoted by \(\tau _{ex}\), so that the protocol completes before that time when all parties are honest. The parameter t is also set large enough for a party to submit a cheque. We suppose that all parties agree on these values before the protocol begins.

The only changes to the protocol procedures are to set appropriate time limits for some steps. We first set the time limit for the main computation phase. Let \(\tau _{main}\) be a sufficiently large integer time such that the main computation phase finishes before it. Parties conclude that the protocol has been aborted by an adversary if the main computation phase does not finish before \(\tau _{main}\). Next, we set the time limits for the output exchange phase. Let \(\rho \) denote the number of rounds of the output exchange phase when all parties behave honestly, i.e., \(\rho = n\) and \(\rho = 4\) for Protocols 5 and 6, respectively. We set the time limits \((\tau _1,\dots ,\tau _{\rho })\) for the output exchange phase, where \(\tau _i\) is the time limit for round i and \(\tau _{\rho } = \tau _{ex}\). The interval between \(\tau _i\) and \(\tau _{i+1}\) must be large enough to complete the procedure of that round. If a party does not complete his/her procedure before the time limit, the other parties conclude that the party has aborted and use their cheques to restore fairness, as in the protocols described in Sect. 4.

Remark 3

Our formalization allows the bank to re-extend expiration times: if the expiration time \(\tau \) is extended to \(\textsf{ct}_1 + t\) and then a party submits a cheque with expiration time \(\tau \) at \(\textsf{ct}_2 \,(<\textsf{ct}_1 + t)\), the bank again extends the period to \(\textsf{ct}_2+t\). This allows an adversary to extend an expiration time maliciously. More specifically, it can repeatedly extend periods by making cheques whose payer is a corrupted party and continuing to submit them to the bank. However, note that parties cannot use multiple cheques with the same \((cid, i, j)\) due to the list \(\textsf{used}\) in Functionality 7. Thus, an adversary can extend the time by at most \((n-1)^2t\), and so the protocol terminates by time \(\tau _{ex} + (n-1)^2t\) at the latest.
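The following toy model, added for this edited version and not the paper's Functionality 7, makes the attack of Sect. 5.1 and the re-extension behaviour of Remark 3 concrete. It assumes that all cheques of one protocol run share a cid and are registered with the bank when issued, that the bank tracks a per-cheque current expiry, that the `extend` flag selects between naive rejection of expired cheques and the extension rule \(\max(\tau, \textsf{ct}+t)\), and that the authenticity field z is not modelled. Party indices, cid values and times are constructed for the example.

```python
# Added toy model (not the paper's Functionality 7) of a trusted bank that
# redeems cheques chq(cid, i -> j, q, tau, z).  With extend=False the bank only
# rejects expired cheques; with extend=True it additionally sets the expiry of
# every unused cheque of the same cid to max(tau, ct + t) when one is redeemed.
# Assumptions: cheques of one protocol run share a cid and are registered with
# the bank when issued; the authenticity field z is not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cheque:
    cid: int
    payer: int   # i
    payee: int   # j
    q: int       # amount paid from i to j
    tau: int     # expiration time as written on the cheque


class Bank:
    def __init__(self, n: int, initial: int, t: int, extend: bool):
        self.balance = {i: initial for i in range(1, n + 1)}
        self.t, self.extend = t, extend
        self.expiry = {}    # (cid, i, j) -> current (possibly extended) expiry
        self.used = set()   # (cid, i, j) already redeemed; blocks replay

    def register(self, chq: Cheque) -> None:
        self.expiry[(chq.cid, chq.payer, chq.payee)] = chq.tau

    def submit(self, chq: Cheque, ct: int) -> str:
        """Redeem chq at current time ct and return the bank's verdict."""
        key = (chq.cid, chq.payer, chq.payee)
        if key in self.used:
            return "rejected: already used"
        if ct > self.expiry[key]:
            return "rejected: expired"
        self.balance[chq.payer] -= chq.q
        self.balance[chq.payee] += chq.q
        self.used.add(key)
        if self.extend:   # extension rule from Sect. 5.1: max(tau, ct + t)
            for other, tau in list(self.expiry.items()):
                if other[0] == chq.cid and other not in self.used:
                    self.expiry[other] = max(tau, ct + self.t)
        return "accepted"


def late_submission_attack(extend: bool, tau_ex: int = 100, t: int = 10,
                           delta: int = 2, alpha: int = 1) -> dict:
    """Corrupted P_1 sits on chq^1_2 and cashes it just before tau_ex; honest P_2
    can only react delta time units later with its counter-cheque chq^2_1."""
    bank = Bank(n=2, initial=100, t=t, extend=extend)
    chq_1_2 = Cheque(cid=7, payer=2, payee=1, q=alpha, tau=tau_ex)  # held by P_1
    chq_2_1 = Cheque(cid=7, payer=1, payee=2, q=alpha, tau=tau_ex)  # held by P_2
    bank.register(chq_1_2)
    bank.register(chq_2_1)
    verdicts = {
        "p1": bank.submit(chq_1_2, ct=tau_ex - 1),
        "p2": bank.submit(chq_2_1, ct=tau_ex - 1 + delta),       # after tau_ex
        "p1_replay": bank.submit(chq_1_2, ct=tau_ex - 1 + delta),
    }
    verdicts["net"] = {i: bank.balance[i] - 100 for i in bank.balance}
    return verdicts


def re_extension_chain(tau_ex: int = 100, t: int = 10):
    """Remark 3: every redemption re-extends the remaining cheques, so a chain of
    submissions pushes the deadline past tau_ex, but at most once per cheque."""
    bank = Bank(n=3, initial=100, t=t, extend=True)
    a = Cheque(cid=9, payer=2, payee=1, q=1, tau=tau_ex)  # held by P_1
    b = Cheque(cid=9, payer=3, payee=2, q=1, tau=tau_ex)  # held by P_2
    c = Cheque(cid=9, payer=1, payee=3, q=1, tau=tau_ex)  # held by P_3
    for chq in (a, b, c):
        bank.register(chq)
    key_c = (c.cid, c.payer, c.payee)
    trace = [bank.expiry[key_c]]
    bank.submit(a, ct=tau_ex - 1)        # c's expiry becomes max(100, 99 + t)
    trace.append(bank.expiry[key_c])
    bank.submit(b, ct=tau_ex + 8)        # c's expiry becomes max(109, 108 + t)
    trace.append(bank.expiry[key_c])
    return trace, bank.submit(c, ct=tau_ex + 17)


if __name__ == "__main__":
    print("naive bank:   ", late_submission_attack(extend=False))
    print("extending bank:", late_submission_attack(extend=True))
    print("re-extension: ", re_extension_chain())
```

With the naive bank, \(P_2\)'s counter-cheque is refused as expired and \(P_1\) walks away with \(\$\alpha\); with extension, \(P_1\)'s redemption at \(\tau_{ex}-1\) pushes \(P_2\)'s expiry to \(\tau_{ex}-1+t\), so \(P_2\) is made whole. In both variants the `used` list refuses a replay of \(P_1\)'s cheque, which is what bounds the re-extension chain of Remark 3 to one extension per distinct \((cid, i, j)\).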

To accurately capture the functionality of the proposed protocols based on the modified cheque, we describe a new functionality, Functionality 8. It adds two parameters \((\tau _{in},\tau _{out})\) to Functionality 4, where \(\tau _{in}\) and \(\tau _{out}\) are the time limits for the simulator's input and response, respectively. For our protocols, it is sufficient to set \(\tau _{in} = \tau _{main}\) and \(\tau _{out} =\tau _{ex} + (n-1)^2t\). Below, we introduce the modified notion of legally enforceable fairness.

Definition 3

Let \(\pi \) be a protocol and let f be a multi-party functionality. We say that \(\pi \) securely computes f with \((\alpha ,\tau _{in},\tau _{out})\)-legally enforceable fairness if \(\pi \) securely computes the functionality \(\mathcal {F}^{\ge \alpha }_{n,f,(\tau _{in},\tau _{out})}\) according to Definition 1.

To summarise, we obtain the following theorem.

Theorem 3

Suppose that all parties can watch the same clock. For every n-party functionality f there exists a protocol that securely computes f with \((\alpha ,\tau _{in},\tau _{out})\)-legally enforceable fairness in the \((\mathcal {F}_{\textrm{OT}}, \mathcal {F}_{\textrm{CA}}, \mathcal {F}^{t}_{\textrm{bank}})\)-hybrid model.

We omit the proof since it is almost the same as the proofs of Theorems 1 and 2. Note that the simulator can watch the clock and knows the time limits set in the protocol. Hence, the simulator can determine from the adversary's response times whether the adversary has aborted.

6 Conclusion

This paper focused on secure computation with legally enforceable fairness that achieves fairness by imposing a monetary penalty on an adversary. Lindell [23] introduced the trusted bank functionality and formalized secure computation with legally enforceable fairness based on the functionality. Further, he showed a general protocol with legally enforceable fairness for any functionality. However, his formalization and protocol are applicable only to the two-party setting.

We formalized legally enforceable fairness for an arbitrary number of parties based on the trusted bank functionality, as in [23]. Furthermore, we proposed two protocols achieving secure multi-party computation with legally enforceable fairness. The first protocol requires O(n) rounds and \(O(n \alpha )\) in fees, where n is the number of parties and \(\alpha \) is a parameter for the penalty amount. The second requires O(1) rounds and \(O(n^2 \alpha )\) in fees. Moreover, we introduced a cheque with a validity period and a new bank functionality that can handle such cheques, and showed how to apply the modified cheque and bank to our proposed protocols.

As mentioned in Sect. 1.2, cryptocurrency-based solutions are the mainstream approach to achieving fairness with monetary penalties. That line of work has proposed more advanced applications: covert security with monetary penalties [12, 31] and secure cash distribution [5, 8, 11, 21]. The bank-based solution may also reach such advanced applications, and we hope that this work leads to them.