Optimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation
Handan Kılınç*¹ and Alptekin Küpçü†²
¹ EPFL, Koç University  ² Koç University
Abstract
Multi-party fair exchange (MFE) and fair secure multi-party computation (fair SMPC) are under-studied fields of research, with practical importance. We examine MFE scenarios where every participant has some item, and at the end of the protocol, either every participant receives every other participant’s item, or no participant receives anything. This is a particularly hard scenario, even though it is directly applicable to protocols such as fair SMPC or multi-party contract signing. We further generalize our protocol to work for any exchange topology. We analyze the case where a trusted third party (TTP) is optimistically available, although we emphasize that the trust put on the TTP is only regarding the fairness, and our protocols preserve the privacy of the exchanged items even against a malicious TTP. We construct an asymptotically optimal (for the complete topology) multi-party fair exchange protocol that requires a constant number of rounds, in comparison to linear, and $O(n^2)$ messages, in comparison to cubic, where $n$ is the number of participating parties. We enable the parties to efficiently exchange any item that can be efficiently put into a verifiable escrow (e.g., signatures on a contract). We show how to apply this protocol on top of any SMPC protocol to achieve a fairness guarantee with very little overhead, especially if the SMPC protocol works with arithmetic circuits. Our protocol guarantees fairness in its strongest sense: even if all $n-1$ other participants are malicious and colluding, fairness will hold.
* handan.kilinc@epfl.ch  † akupcu.ku.edu.tr
parties, aux is an auxiliary input of A, and is the security parameter.
Real World: There is no universally trusted party U for a real protocol $\pi$ to compute the functionality. There is an adversary A that controls the set $P_c$ of corrupted parties and there is a TTP who is involved in the protocol when there is unfair behavior. The pair of outputs of the honest party(s) $P_h$ and the adversary A in the real execution of the protocol $\pi$, possibly employing the TTP, is denoted $\mathrm{REAL}_{\pi,\mathrm{TTP},A(aux)}(w_1, w_2, \ldots, w_n,\ )$, where $w_1, w_2, \ldots, w_n$, aux, and are like above.
Note that U and TTP are not related to each other. TTP is the part of the real protocol to solve the fairness problem when it is necessary, but U is not real (just an ideal entity).
Definition 1 (Fair Secure Multi-Party Computation). Let $\pi$ be a probabilistic polynomial time (PPT) protocol and let be a PPT multi-party functionality. We say that $\pi$ computes fairly and securely if for every non-uniform PPT real world adversary A attacking $\pi$, there exists a non-uniform PPT ideal world simulator S so that for every $w_1, w_2, \ldots, w_n$, the ideal and real world outputs are computationally indistinguishable:
$\{\mathrm{IDEAL}_{\ ,S(aux)}(w_1, w_2, \ldots, w_n,\ )\}_{\in \mathbb{N}} \equiv_c \{\mathrm{REAL}_{\pi,\mathrm{TTP},A(aux)}(w_1, w_2, \ldots, w_n,\ )\}_{\in \mathbb{N}}$
The standard secure multi-party ideal world definition [39] lets the adversary A to abort after learning his output but before the honest party(s) learns her output. Thus, proving protocols secure using the old definition would not meet the fairness requirements. Therefore, we prove our protocols’ security and fairness under the modified definition above.
Canetti [18] gives general definitions for security for multi-party protocols with the same intuition as the security and fairness definition above. Further realize that since the TTP T does not exist in the ideal world, the simulator should also simulate its behavior.
Optimistic Multi-Party Fair Exchange: The participants are $P_1, P_2, \ldots, P_n$. Each participant $P_i$ has an item $f_i$ to exchange, and wants to exchange his own item $f_i$ with the other parties’ items $\{f_j\}_{j \ne i}$, where $i, j \in \{1, \ldots, n\}$. Thus, at the end, every participant should obtain $\{f_i\}_{1 \le i \le n}$ in a complete topology, or some subset of it defined by some other exchange topology.
Multi-Party fair exchange is also a multi-party computation where the functionality is defined via its parts ${}_i$ as below (we exemplify using a complete topology):
${}_i(f_1, \ldots, f_n) = (f_1, f_2, \ldots, f_{i-1}, f_{i+1}, \ldots, f_n)$
The actual ${}_i$ would depend on the topology. For example, for the ring topology, it would be defined as ${}_i(f_1, \ldots, f_n) = f_{i-1 \bmod n}$ if $i \ne 1$, ${}_i(f_1, \ldots, f_n) = f_n$ if $i = 1$. Therefore we can use Definition 1 as the security definition of the multi-party fair exchange, using the ${}_i$ representing the desired topology.
Adversarial Model: When there is dispute between the parties, the TTP resolves the conflict atomically. We assume that the adversary cannot prevent the honest party(s) from reaching the TTP before the specified time interval. Secure channels are used to exchange the decryption shares and when contacting the TTP. The adversary may control
Keywords: multi-party fair exchange, fair computation, optimistic model, secure multi-party computation, electronic payments
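The fairness definition and the complete and ring exchange topologies described above can be modelled in a few lines. This is an added illustration, not code from the paper: it contrasts a fair ideal world (everyone receives output or no one does) with the standard ideal world in which the adversary may abort after learning its output. The function names, the use of `None` for "received nothing" and the sample items are assumptions made for this sketch.

```python
# Added illustration, not code from the paper: a toy model of the ideal world.
from typing import Callable, Dict, FrozenSet, List, Optional

Items = Dict[int, str]            # party index (1..n) -> item f_i
Output = Optional[List[str]]      # None models "received nothing"
Topology = Callable[[int, Items], List[str]]

def output_complete(i: int, items: Items) -> List[str]:
    """Complete topology: P_i receives every item except its own."""
    return [items[j] for j in sorted(items) if j != i]

def output_ring(i: int, items: Items) -> List[str]:
    """Ring topology: P_i receives f_{i-1}; P_1 receives f_n."""
    n = len(items)
    return [items[i - 1] if i != 1 else items[n]]

def fair_ideal(items: Items, topology: Topology,
               aborting: FrozenSet[int] = frozenset()) -> Dict[int, Output]:
    """Fair ideal world: outputs go to every party or to no party."""
    if aborting:                  # any abort happens before any release
        return {i: None for i in items}
    return {i: topology(i, items) for i in items}

def standard_ideal(items: Items, topology: Topology, corrupted: FrozenSet[int],
                   abort_after_output: bool) -> Dict[int, Output]:
    """Standard ideal world: corrupted parties learn their output first
    and may then abort before the honest parties are served."""
    out: Dict[int, Output] = {i: topology(i, items) for i in corrupted}
    for i in items:
        if i not in corrupted:
            out[i] = None if abort_after_output else topology(i, items)
    return out

def is_fair(outputs: Dict[int, Output]) -> bool:
    """All-or-nothing check over the parties' outputs."""
    received = [o is not None for o in outputs.values()]
    return all(received) or not any(received)

# Constructed sample input: four parties exchanging contract signatures.
ITEMS: Items = {1: "sig_1", 2: "sig_2", 3: "sig_3", 4: "sig_4"}

if __name__ == "__main__":
    print(fair_ideal(ITEMS, output_ring))
    unfair = standard_ideal(ITEMS, output_complete, frozenset({3}), True)
    print(unfair, "fair:", is_fair(unfair))
```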
1 Introduction
An exchange protocol allows two or more parties to exchange items. It is fair when the exchange guarantees that either all parties receive their desired items or none of them receives any item. Examples of such exchanges include signing electronic contracts, certified e-mail delivery, and fair purchase of electronic goods over the Internet. In addition, a fair exchange protocol can be adopted by secure two- or multi-party computation protocols [12, 29, 19, 9, 32, 49, 38] to achieve fairness [33]. Even in two-party fair exchange scenarios, preventing unfairness completely and efficiently without a trusted third party (TTP) has been shown to be impossible [23, 45]. The main reason is that one of the parties will be sending the last message of the protocol, regardless of what the protocol looks like, and may choose not to send that message, potentially