
Secure Multi-party Computation with Legally-Enforceable Fairness

Conference paper. In: Information and Communications Security (ICICS 2023). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14252).

Abstract

Fairness is a security notion of secure computation that cannot always be achieved when an adversary corrupts a majority of the parties in the standard setting. Lindell (CT-RSA 2008) showed that imposing a monetary penalty on the adversary circumvents this impossibility. He formalized such a security notion as "legally enforceable fairness" for the two-party setting, based on an ideal trusted-bank functionality, and gave a protocol achieving it. Based on the same framework, we introduce secure multi-party computation with legally enforceable fairness, applicable to an arbitrary number of parties. Further, we propose two protocols that realize the introduced functionality. The first achieves O(n) rounds, \(O(n^2)\) communications, and \(O(n \alpha )\) fees, where n is the number of parties and \(\alpha \) is the penalty-amount parameter. The fee is the balance a party must hold in the bank at the start of the protocol; it measures, in a financial sense, how hard it is to participate. The second achieves O(1) rounds, O(n) communications, and \(O(n^2 \alpha )\) fees.


References

  1. Yao, A.C.-C.: How to generate and exchange secrets. In: Proceedings of the 27th Annual Symposium on Foundations of Computer Science, FOCS 1986, pp. 162–167. IEEE Computer Society (1986). https://doi.org/10.1109/SFCS.1986.25

  2. Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC 1986, pp. 364–369. Association for Computing Machinery (1986). https://doi.org/10.1145/12130.12168

  3. Beaver, D., Goldwasser, S.: Multiparty computation with faulty majority. In: 30th Annual Symposium on Foundations of Computer Science, pp. 468–473 (1989). https://doi.org/10.1109/SFCS.1989.63520

  4. Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_6


  5. Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: Proceedings of the 4th ACM Conference on Computer and Communications Security, CCS 1997, pp. 7–17. Association for Computing Machinery (1997). https://doi.org/10.1145/266420.266426

  6. Micali, S.: Secure protocols with invisible trusted parties. In: Workshop for Multi-Party Secure Protocols, Weizmann Institute of Science (1998)


  7. Lindell, A.Y.: Legally-enforceable fairness in secure two-party computation. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 121–137. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_8


  8. Bentov, I., Kumaresan, R.: How to use bitcoin to design fair protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_24


  9. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Cryptography Mailing list (2009). https://metzdowd.com

  10. Kumaresan, R., Moran, T., Bentov, I.: How to use bitcoin to play decentralized poker. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 195–206. Association for Computing Machinery (2015). https://doi.org/10.1145/2810103.2813712

  11. Bentov, I., Kumaresan, R., Miller, A.: Instantaneous decentralized poker. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 410–440. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_15


  12. Baum, C., David, B., Dowsley, R.: Insured MPC: efficient secure computation with financial penalties. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 404–420. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_22


  13. Nakai, T., Shinagawa, K.: Secure computation with non-equivalent penalties in constant rounds. In: 3rd International Conference on Blockchain Economics, Security and Protocols (Tokenomics 2021), Vol. 97 of Open Access Series in Informatics (OASIcs), pp. 5:1–5:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2022). https://doi.org/10.4230/OASIcs.Tokenomics.2021.5

  14. Nakai, T., Shinagawa, K.: Constant-round linear-broadcast secure computation with penalties. Theor. Comput. Sci. 959, 113874 (2023). https://doi.org/10.1016/j.tcs.2023.113874


  15. Canetti, R.: Universally composable signature, certification, and authentication. In: Proceedings 17th IEEE Computer Security Foundations Workshop, 2004, pp. 219–233 (2004). https://doi.org/10.1109/CSFW.2004.1310743

  16. Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 20–31. Association for Computing Machinery (1988). https://doi.org/10.1145/62212.62215

  17. Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_32


  18. Zhu, R., Ding, C., Huang, Y.: Efficient publicly verifiable 2pc over a blockchain with applications to financially-secure computations. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 633–650. Association for Computing Machinery (2019). https://doi.org/10.1145/3319535.3363215

  19. Faust, S., Hazay, C., Kretzler, D., Schlosser, B.: Financially backed covert security. In: PKC 2022, Part II. LNCS, vol. 13178, pp. 99–129. Springer (2022). https://doi.org/10.1007/978-3-030-97131-1_4


Acknowledgement

This work was supported by JSPS KAKENHI Grant Numbers JP23K16880 and JP21K17702, and JST CREST Grant Number JPMJCR22M1.

Corresponding author: Takeshi Nakai.

A Security Proof for Proposed Protocol I

This section presents a proof of Theorem 1. Hereafter, for a finite set X, \(\max (X)\) and \(\min (X)\) denote the maximum and minimum elements of X, respectively. Let \(\mathcal {A}\) be a (real-world) adversary corrupting \(\{ P_i \}_{i \in C}\). We partition the set of corrupted parties C as \(C = C_1 \sqcup \dots \sqcup C_{\mu }\) such that each \(C_i\) is a maximal run of consecutive indices, \(C_i = \{\min (C_i), \min (C_i)+1, \ldots , \min (C_i)+|C_i|-1\}\) for \(1 \le i \le \mu \), and \(\max (C_i) < \min (C_{i+1})\) for \(1 \le i \le \mu -1\); maximality means that at least one honest party lies between consecutive blocks. For example, when \(C=\{ 1,2,5,7,8,9,10\}\), we partition the set into \(C_1 = \{1,2\}\), \(C_2 = \{5 \}\), \(C_3 = \{ 7,8,9,10 \}\).
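As an added illustration (not code from the paper), the following Python computes this partition for an arbitrary corrupted set C and, for each block, the honest neighbours \(\max (C_i)+1\) and \(\min (C_{i+1})-1\) that the simulator refers to when it passes cheques across a block. The function names and the dictionary layout are my own; the worked example is the set from the text.

```python
# Added example (not from the paper): partition of the corrupted set C into
# maximal runs of consecutive party indices, as used in the proof of
# Theorem 1, plus the honest parties adjacent to each block.
from typing import Dict, List, Optional, Set


def partition_corrupted(C: Set[int]) -> List[List[int]]:
    """Split C into maximal runs C_1, ..., C_mu of consecutive indices,
    ordered so that max(C_i) < min(C_{i+1})."""
    runs: List[List[int]] = []
    for idx in sorted(C):
        if runs and idx == runs[-1][-1] + 1:
            runs[-1].append(idx)          # extend the current run C_i
        else:
            runs.append([idx])            # start a new run C_{i+1}
    return runs


def block_boundaries(C: Set[int], n: int) -> List[Dict[str, Optional[int]]]:
    """For each block C_i report min(C_i), max(C_i) = min(C_i) + |C_i| - 1,
    and the honest parties adjacent to the block (None at the ends of [n]).
    max(C_i)+1 is the honest party from whom the simulator expects the next
    cheque; min(C_{i+1})-1 is the honest party whose cheque it creates."""
    if not C <= set(range(1, n + 1)):
        raise ValueError("C must be a subset of [n] = {1, ..., n}")
    result: List[Dict[str, Optional[int]]] = []
    for run in partition_corrupted(C):
        lo, hi = run[0], run[-1]
        # closed-form bound from the proof, checked rather than assumed
        assert hi == lo + len(run) - 1
        result.append({
            "min": lo,
            "max": hi,
            "honest_before": lo - 1 if lo > 1 else None,
            "honest_after": hi + 1 if hi < n else None,
        })
    return result


def honest_parties(C: Set[int], n: int) -> List[int]:
    """H = [n] \\ C: the parties whose keys the simulator generates itself."""
    return sorted(set(range(1, n + 1)) - C)


if __name__ == "__main__":
    C = {1, 2, 5, 7, 8, 9, 10}        # the example from the proof
    print(partition_corrupted(C))     # [[1, 2], [5], [7, 8, 9, 10]]
    print(block_boundaries(C, 10))
    print(honest_parties(C, 10))      # [3, 4, 6]
```

Note that a single honest party can be both \(\max (C_i)+1\) and \(\min (C_{i+1})-1\) (party 6 in the example), which is exactly the situation step 7 of the simulator handles when it forwards a cheque from one block to the next.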

[Three algorithm figures (g, h, i) are not reproduced in this extraction.]

Formally, the main computation phase realizes the following functionality.

  • Input: For \(j \in [n]\), \(P_j\) inputs \( ((vk_j,sk_j), \{ vk_i\}_{i \in [n] \setminus \{j \}},(x_j,R_j), \alpha ,\lambda ,cid_j)\), where \(R_1 = \bot \), \(R_i=r_i\) for \(i \in \{2,\dots ,n-1\}\), and \(R_n= \{ r_{n,i} \}_{i\in [n-1]}\).

  • Output: \(P_1\) receives \(\textsf{chq}^2_1\), and the other parties receive nothing. (The properties of \(\textsf{chq}^2_1\) are as specified in the protocol.)

We suppose that this functionality is achieved according to Definition 1 under the \(\mathcal {F}_{\textrm{OT}}\)-hybrid model.

We construct a simulator \(\mathcal {S}\) as follows.

  1. \(\mathcal {S}\) invokes \(\mathcal {A}\) with its inputs \(\{ x_i \}_{i \in C}\), a security parameter \(\lambda \), and a penalty amount parameter \(\alpha \).

  2. \(\mathcal {S}\) generates a key pair \((vk'_i,sk'_i) \leftarrow \textsf{Gen}(1^\lambda )\) for each \(i\in H\), records the key pairs, and replies to \(\mathcal {A}\) whenever \(\mathcal {A}\) sends a query intended for \(\mathcal {F}_{\textrm{CA}}\) as follows:

    • If \(\mathcal {A}\) sends \((\textsf{Register}, P_j,vk'_j)\) intended for \(\mathcal {F}_{\textrm{CA}}\), \(\mathcal {S}\) checks that \(j \in C\) and records \(vk'_j\).

    • If \(\mathcal {A}\) sends \((\textsf{Retrieve}, P_i)\) intended for \(\mathcal {F}_{\textrm{CA}}\), \(\mathcal {S}\) replies \((\textsf{Retrieve},P_i,vk'_i)\).

  3. \(\mathcal {S}\) obtains \(\mathcal {A}\)'s inputs \( ((vk_j,sk_j), \{ vk_i\}_{i \in [n] \setminus \{ j \}},(x_j,R_j), \alpha ,\lambda ,cid_j)\) for \(j \in C\) to the trusted party of the main computation phase, where \(R_1 = \bot \), \(R_i=r_i\) for \(i \in \{2,\dots ,n-1\}\), and \(R_n= \{ r_{n,i} \}_{i\in [n-1]}\). If some key differs from the key recorded in the previous step, \(\mathcal {S}\) sends an invalid input to \(\mathcal {F}^{\ge \alpha }_{n,f}\) and halts.

  4. \(\mathcal {S}\) sends \(\{ x_i \}_{i \in C}\) to \(\mathcal {F}^{\ge \alpha }_{n,f}\) and learns the output y.

  5. \(\mathcal {S}\) generates \(cid_i \in _\textrm{R}\{0,1\}^\lambda \) for \(i \in H\) and sets \(cid = cid_1 \parallel \dots \parallel cid_n\).

  6. If \(1 \in C_1\), \(\mathcal {S}\) runs Algorithm 7 for \(C_1\) to generate \(\textsf{chq}^1_2\), and sends \(\mathcal {A}\) the cheque. Otherwise, \(\mathcal {S}\) runs Algorithm 8 for \(C_1\) to generate \(\textsf{chq}^{\min (C_1)}_{\min (C_1)+1}\), and sends \(\mathcal {A}\) the cheque.

  7. For \(i=1,\dots ,\mu -2\), \(\mathcal {S}\) proceeds depending on \(\mathcal {A}\)'s response as follows:

    • If \(\mathcal {S}\) receives \(\textsf{chq}^{\max (C_i)+1}_{\max (C_i)+2}\), it checks its validity. If it is not valid, \(\mathcal {S}\) ignores the message. Otherwise, \(\mathcal {S}\) runs Algorithm 8 for \(C_{i+1}\) and sends \(\mathcal {A}\) the output.

    • If \(\mathcal {A}\) sends its cheque(s) intended for the bank, \(\mathcal {S}\) checks their validity. If they are not valid, \(\mathcal {S}\) ignores the message. Otherwise, \(\mathcal {S}\) creates \(\textsf{chq}^{\min (C_{i+1})-1}_{\min (C_{i+1})}\) and sends \(\mathcal {A}\) the cheque. Note that \(\mathcal {S}\) performs this step using the honest parties' keys generated at step 2 and the corrupted parties' keys obtained at step 3.

    • If \(\mathcal {A}\) sends nothing, \(\mathcal {S}\) sends an invalid input to \(\mathcal {F}^{\ge \alpha }_{n,f}\) and halts.

  8. On receiving \(\textsf{chq}^{\max (C_{\mu -1})+1}_{\max (C_{\mu -1})+2}\), \(\mathcal {S}\) checks its validity. If it is not valid, \(\mathcal {S}\) ignores the message.

  9. If \(n \notin C\), \(\mathcal {S}\) sends \(\textsf{fair}\) to \(\mathcal {F}^{\ge \alpha }_{n,f}\). Further, it creates \(\{ \textsf{chq}^n_i \}_{i \in C}\) as in the protocol and sends the cheques to \(\mathcal {A}\). \(\mathcal {S}\) outputs whatever \(\mathcal {A}\) outputs and terminates the simulation.

  10. If \(n \in C\), \(\mathcal {S}\) runs Algorithm 9 for \(C_\mu \) and sends \(\mathcal {A}\) the output. It then waits for \(\mathcal {A}\)'s response.

    • If \(\mathcal {S}\) receives \(\textsf{chq}^n_i\) for all \(i \in H\), \(\mathcal {S}\) sends \(\textsf{fair}\) to \(\mathcal {F}^{\ge \alpha }_{n,f}\).

    • If \(\mathcal {A}\) sends its cheque(s) intended for the bank, \(\mathcal {S}\) sends \(\textsf{fair}\) to \(\mathcal {F}^{\ge \alpha }_{n,f}\). Further, it creates \(\{\textsf{chq}^{i-1}_{i} \}_{i \in C}\) and sends \(\mathcal {A}\) the cheques.

    • If \(\mathcal {A}\) sends nothing, \(\mathcal {S}\) sends \((\textsf{unfair},\emptyset ,\{\alpha '_i \}_{i \in H},\{j,\beta '_j\}_{j \in C})\) to \(\mathcal {F}^{\ge \alpha }_{n,f}\), where \(\{\alpha '_i \}_{i \in H}\) and \(\{j,\beta '_j\}_{j \in C}\) take the same values as in the protocol. Further, \(\mathcal {S}\) creates \(\{\textsf{chq}^{i-1}_{i} \}_{i \in C}\) and sends \(\mathcal {A}\) the cheques.

    • If \(\mathcal {A}\) sends the cheques holding y to only some of the honest parties \(\{ P_i \}_{i \in H''}\), where \(H'' \subsetneq H\), \(\mathcal {S}\) sends \((\textsf{unfair},H'',\{\alpha '_i \}_{i \in H},\{j,\beta '_j\}_{j \in C})\) to \(\mathcal {F}^{\ge \alpha }_{n,f}\), where \(\{\alpha '_i \}_{i \in H}\) and \(\{j,\beta '_j\}_{j \in C}\) take the same values as in the protocol. Further, \(\mathcal {S}\) creates \(\{\textsf{chq}^{i-1}_{i} \}_{i \in C}\) and sends \(\mathcal {A}\) the cheques.

  11. \(\mathcal {S}\) outputs whatever \(\mathcal {A}\) outputs and terminates the simulation.

This completes the construction of the simulator. \(\mathcal {A}\)'s view in the simulation is identical to its view in the hybrid execution of Protocol 5.    \(\square \)


© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Nakai, T., Shinagawa, K. (2023). Secure Multi-party Computation with Legally-Enforceable Fairness. In: Wang, D., Yung, M., Liu, Z., Chen, X. (eds) Information and Communications Security. ICICS 2023. Lecture Notes in Computer Science, vol 14252. Springer, Singapore. https://doi.org/10.1007/978-981-99-7356-9_10


  • DOI: https://doi.org/10.1007/978-981-99-7356-9_10


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7355-2

  • Online ISBN: 978-981-99-7356-9
