Back and Bentov (arXiv 2014) and Andrychowicz et al. (Security and Privacy 2014) introduced techniques to perform secure multiparty computations on Bitcoin. Among other things, these works constructed lottery protocols that ensure that any party that aborts after learning the outcome pays a monetary penalty to all other parties. Following this, Andrychowicz et al. (Bitcoin Workshop 2014) and concurrently Bentov and Kumaresan (Crypto 2014) extended the solution to arbitrary secure function evaluation while guaranteeing fairness in the following sense: any party that aborts after learning the output pays a monetary penalty to all parties that did not learn the output. Andrychowicz et al. (Bitcoin Workshop 2014) also suggested extending to scenarios where parties receive a payoff according to the output of a secure function evaluation, and outlined a 2-party protocol for the same that in addition satisfies the notion of fairness described above. In this work, we formalize, generalize, and construct multiparty protocols for the primitive suggested by Andrychowicz et al. We call this primitive secure cash distribution with penalties. Our formulation of secure cash distribution with penalties poses it as a multistage reactive functionality (i.e., more general than secure function evaluation) that provides a way to securely implement smart contracts in a decentralized setting, and consequently suffices to capture a wide variety of stateful computations involving data and/or money, such as decentralized auctions, market, and games such as poker, etc. Our protocol realizing secure cash distribution with penalties works in a hybrid model where parties have access to a claim-or-refund transaction functionality FCR}* which can be efficiently realized in (a variant of) Bitcoin, and is otherwise independent of the Bitcoin ecosystem. We emphasize that our protocol is dropout-tolerant in the sense that any party that drops out during the protocol is forced to pay a monetary penalty to all other parties. Our formalization and construction generalize both secure computation with penalties of Bentov and Kumaresan (Crypto 2014), and secure lottery with penalties of Andrychowicz et al. (Security and Privacy 2014).
[1]
Andrew Chi-Chih Yao,et al.
Protocols for secure computations
,
1982,
FOCS 1982.
[2]
Andrew Chi-Chih Yao,et al.
How to Generate and Exchange Secrets (Extended Abstract)
,
1986,
FOCS.
[3]
Richard Cleve,et al.
Limits on the security of coin flips when half the processors are faulty
,
1986,
STOC '86.
[4]
Silvio Micali,et al.
How to play ANY mental game
,
1987,
STOC.
[5]
Ran Canetti,et al.
Universally composable security: a new paradigm for cryptographic protocols
,
2001,
Proceedings 2001 IEEE International Conference on Cluster Computing.
[6]
Oded Goldreich.
Foundations of Cryptography: Index
,
2001
.
[7]
B. E. Eckbo,et al.
Appendix
,
1826,
Epilepsy Research.
[8]
Markus Jakobsson,et al.
Secure Mobile Gambling
,
2001,
CT-RSA.
[9]
Yehuda Lindell,et al.
Universally composable two-party and multi-party secure computation
,
2002,
STOC '02.
[10]
Oded Goldreich,et al.
Foundations of Cryptography: Volume 2, Basic Applications
,
2004
.
[11]
Jonathan Katz,et al.
Adaptively secure broadcast, revisited
,
2011,
PODC '11.
[12]
Elaine Shi,et al.
Bitter to Better - How to Make Bitcoin a Better Currency
,
2012,
Financial Cryptography.
[13]
Iddo Bentov,et al.
How to Use Bitcoin to Incentivize Correct Computations
,
2014,
CCS.
[14]
S. Rajsbaum.
Foundations of Cryptography
,
2014
.
[15]
Iddo Bentov,et al.
Note on fair coin toss via Bitcoin
,
2014,
ArXiv.
[16]
Marcin Andrychowicz,et al.
Secure Multiparty Computations on Bitcoin
,
2014,
2014 IEEE Symposium on Security and Privacy.
[17]
Marcin Andrychowicz,et al.
Fair Two-Party Computations via Bitcoin Deposits
,
2014,
Financial Cryptography Workshops.
[18]
Iddo Bentov,et al.
How to Use Bitcoin to Design Fair Protocols
,
2014,
CRYPTO.
[19]
Elaine Shi,et al.
Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts
,
2016,
2016 IEEE Symposium on Security and Privacy (SP).