Gage MPC: Bypassing Residual Function Leakage for Non-Interactive MPC

Abstract

Existing models for non-interactive MPC cannot provide full privacy for inputs, because they inherently leak the residual function (i.e., the output of the function on the honest parties' inputs together with all possible values of the adversarial inputs). For example, in any non-interactive sealed-bid auction, the last bidder can figure out what the highest previous bid was. We present a new MPC model which avoids this privacy leak. To achieve this, we utilize a blockchain in a novel way, incorporating smart contracts and arbitrary parties that can be incentivized to perform computation ("bounty hunters," akin to miners). Security is maintained under a monetary assumption about the parties: an honest party can temporarily supply a recoverable collateral of value higher than the computational cost an adversary can expend. We thus construct non-interactive MPC protocols with strong security guarantees (full security, no residual leakage) in the short term. Over time, as the adversary can invest more and more computational resources, the security guarantee decays. Thus, our model, which we call Gage MPC, is suitable for secure computation with limited-time secrecy, such as auctions. A key ingredient in our protocols is a primitive we call "Gage Time Capsules" (GaTC): a time capsule that allows a party to commit to a value that others are able to reveal, but only at a designated computational cost. A GaTC allows a party to commit to a value together with a monetary collateral. If the original party properly opens the GaTC, it can recover the collateral. Otherwise, the collateral is used to incentivize bounty hunters to open the GaTC. This primitive is used to ensure completion of Gage MPC protocols on the desired inputs. As a requisite tool (of independent interest), we present a generalization of garbled circuits that is more robust: it can tolerate exposure of extra input labels. This is in contrast to Yao's garbled circuits, whose secrecy breaks down if even a single extra label is exposed. Finally, we present a proof-of-concept implementation of a special case of our construction, yielding an auction functionality over an Ethereum-like blockchain.
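The residual-function leak that motivates the paper, made concrete as an added Python example (not code from the paper): the last bidder in a non-interactive sealed-bid auction holds the auction functionality with the honest bids fixed and its own bid free, and a binary search over that oracle recovers the highest honest bid with only logarithmically many local evaluations. The bids and the tie-breaking rule are constructed assumptions.

```python
from typing import Callable, List, Tuple

Functionality = Callable[[List[int]], int]


def auction_winner(bids: List[int]) -> int:
    """Sealed-bid auction functionality: index of the highest bid.
    Ties go to the earlier party (constructed assumption)."""
    return max(range(len(bids)), key=lambda i: bids[i])


def residual_function(f: Functionality, honest_bids: List[int]) -> Callable[[int], int]:
    """The residual function: f with the honest inputs fixed and the last
    party's input left free. In a non-interactive protocol the last party can
    evaluate exactly this oracle locally, for any candidate value of its input."""
    return lambda x: f(honest_bids + [x])


def recover_highest_honest_bid(residual: Callable[[int], int],
                               adversary_index: int, max_bid: int) -> int:
    """Binary search for the smallest bid x at which the last party wins.
    Since the honest maximum wins ties, that x equals (highest honest bid + 1);
    if no bid up to max_bid wins, the highest honest bid is max_bid itself."""
    lo, hi = 0, max_bid + 1          # hi encodes "no bid in range wins"
    while lo < hi:
        mid = (lo + hi) // 2
        if residual(mid) == adversary_index:
            hi = mid                 # winning: the threshold is at or below mid
        else:
            lo = mid + 1             # losing: the threshold is above mid
    return lo - 1


def leak_demo(honest_bids: List[int], max_bid: int) -> Tuple[int, int]:
    """Run the leak against constructed honest bids; return (recovered bid,
    number of local evaluations of the residual function)."""
    queries = 0

    def counted(x: int) -> int:
        nonlocal queries
        queries += 1
        return residual_function(auction_winner, honest_bids)(x)

    recovered = recover_highest_honest_bid(counted, len(honest_bids), max_bid)
    return recovered, queries


if __name__ == "__main__":
    bid, n = leak_demo([37, 520, 101], max_bid=1000)   # constructed sample bids
    print(f"highest honest bid {bid} recovered with {n} local evaluations")
```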
