Optimistic Fair Secure Computation

We present an efficient and fair protocol for secure two-party computation in the optimistic model, where a partially trusted third party T is available, but not involved in normal protocol executions. T is needed only if communication is disrupted or if one of the two parties misbehaves. The protocol guarantees that although one party may terminate the protocol at any time, the computation remains fair for the other party. Communication is over an asynchronous network. All our protocols are based on efficient proofs of knowledge and involve no general zero-knowledge tools. As intermediate steps we describe efficient verifiable oblivious transfer and verifiable secure function evaluation protocols, whose security is proved under the decisional Diffie-Hellman assumption.
