ABSTRACT
We study a model of incentivizing correct computations in a variety of cryptographic tasks. For each of these tasks we propose a formal model and design protocols satisfying our model's constraints in a hybrid model where parties have access to special ideal functionalities that enable monetary transactions. We summarize our results:
Verifiable computation. We consider a setting where a delegator outsources computation to a worker who expects to get paid in return for delivering correct outputs. We design protocols that compile both public and private verification schemes to support incentivizations described above.
Secure computation with restricted leakage. Building on the recent work of Huang et al. (Security and Privacy 2012), we show an efficient secure computation protocol that monetarily penalizes an adversary that attempts to learn one bit of information but gets detected in the process.
Fair secure computation. Inspired by recent work, we consider a model of secure computation where a party that aborts after learning the output is monetarily penalized. We then propose an ideal transaction functionality F_ML and show a constant-round realization of it on the Bitcoin network. Then, in the F_ML-hybrid world, we design a constant-round protocol for secure computation in this model.
Noninteractive bounties. We provide formal definitions and candidate realizations of noninteractive bounty mechanisms on the Bitcoin network which (1) allow a bounty maker to place a bounty for the solution of a hard problem by sending a single message, and (2) allow a bounty collector (unknown at the time of bounty creation) with the solution to claim the bounty, while (3) ensuring that the bounty maker can learn the solution whenever its bounty is collected, and (4) preventing malicious eavesdropping parties from both claiming the bounty as well as learning the solution.
All our protocol realizations (except those realizing fair secure computation) rely on a special ideal functionality that is not currently supported in Bitcoin due to limitations imposed on Bitcoin scripts. Motivated by this, we propose the validation complexity of a protocol, a formal complexity measure that captures the computational effort needed to validate the Bitcoin transactions that implement the protocol in Bitcoin. Our protocols are also designed to take advantage of optimistic scenarios in which the participating parties behave honestly.
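As an added illustration (not code from the paper), the following Python toy models the incentive structure behind the penalty-based fairness model summarized above: every party escrows a deposit and commits to the output share it must reveal; revealing before the deadline returns the deposit, and a party that withholds its share forfeits the deposit to the parties that did reveal, so the optimistic all-honest run costs nobody anything. The ledger class, the deposit amount, the deadline, the share values and the fixed nonce are all constructed assumptions, and the class is a simplified stand-in rather than the paper's F_ML functionality or its Bitcoin realization.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


def commit(witness: bytes) -> bytes:
    """Hash commitment to a witness; the witness carries a nonce so the hash does not leak a short share."""
    return hashlib.sha256(witness).digest()


@dataclass
class PenaltyLedger:
    """Toy transaction functionality with penalties (assumption: a simplified stand-in, not the paper's F_ML).

    Each party escrows `deposit` coins and commits to the witness (its output share) it must reveal.
    Revealing a matching witness before `deadline` returns the deposit; after the deadline, deposits of
    parties that never revealed are forfeited and paid out to the parties that did.
    """
    deposit: int
    deadline: int
    balances: Dict[str, int] = field(default_factory=dict)     # party -> free coins
    commitments: Dict[str, bytes] = field(default_factory=dict)
    escrow: Dict[str, int] = field(default_factory=dict)       # party -> coins still locked
    revealed: Dict[str, bytes] = field(default_factory=dict)   # party -> witness made public

    def join(self, party: str, funds: int, commitment: bytes) -> None:
        if funds < self.deposit:
            raise ValueError(f"{party} cannot cover the deposit")
        self.balances[party] = funds - self.deposit
        self.escrow[party] = self.deposit
        self.commitments[party] = commitment

    def reveal(self, party: str, witness: bytes, now: int) -> bool:
        """Claim the deposit back by opening the commitment; late or wrong openings are rejected."""
        if party not in self.escrow or now > self.deadline:
            return False
        if commit(witness) != self.commitments[party]:
            return False
        self.revealed[party] = witness
        self.balances[party] += self.escrow.pop(party)
        return True

    def settle(self, now: int) -> int:
        """After the deadline, forfeit unclaimed deposits and split them among the parties that revealed."""
        if now <= self.deadline:
            raise ValueError("deadline not reached")
        forfeited = sum(self.escrow.values())
        self.escrow.clear()
        if forfeited and self.revealed:
            compensation = forfeited // len(self.revealed)
            for party in self.revealed:
                self.balances[party] += compensation
        return forfeited

    def output(self) -> Optional[int]:
        """The output is learned only once every party's share is public (shares XOR to the output)."""
        if len(self.revealed) != len(self.commitments):
            return None
        result = 0
        for witness in self.revealed.values():
            result ^= int.from_bytes(witness[:4], "big")
        return result


def simulate(abort_party: Optional[str] = None) -> dict:
    """Two parties with 100 coins each and a 10-coin deposit; optionally one party withholds its share."""
    output_value = 0xBEEF                                        # constructed sample output
    shares = {"alice": 0x1234, "bob": 0x1234 ^ output_value}     # constructed XOR sharing of the output
    nonce = b"\x11" * 16                                         # constructed; use fresh randomness per party in practice
    witnesses = {p: s.to_bytes(4, "big") + nonce for p, s in shares.items()}

    ledger = PenaltyLedger(deposit=10, deadline=100)
    for party in shares:
        ledger.join(party, funds=100, commitment=commit(witnesses[party]))
    for party in shares:
        if party != abort_party and not ledger.reveal(party, witnesses[party], now=50):
            raise RuntimeError(f"honest reveal by {party} was rejected")
    forfeited = ledger.settle(now=101)
    return {"balances": dict(ledger.balances), "forfeited": forfeited, "output": ledger.output()}


if __name__ == "__main__":
    print("optimistic run:", simulate())
    print("bob aborts:    ", simulate(abort_party="bob"))
```

In the optimistic run both deposits come back and the output is reconstructed; when bob withholds his share, alice ends up with bob's deposit as compensation and nobody learns the output, which is the trade the penalty model is designed to enforce. The deadline check in `reveal` is what makes the penalty credible: an opening that arrives after settlement cannot retroactively rescue the deposit.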
REFERENCES
- Bitcoin wiki: CVEs. https://en.bitcoin.it/wiki/CVEs#CVE-2010-5141.
- G. Andresen. Turing complete language vs non-Turing complete. https://bitcointalk.org/index.php?topic=431513.20#msg4882293.
- M. Andrychowicz, S. Dziembowski, D. Malinowski, and L. Mazurek. Fair two-party computations via Bitcoin deposits. In First Workshop on Bitcoin Research, FC, 2014.
- M. Andrychowicz, S. Dziembowski, D. Malinowski, and L. Mazurek. Secure multiparty computations on Bitcoin. In IEEE Security and Privacy, 2014.
- G. Asharov, Y. Lindell, and H. Zarosim. Fair and efficient secure multiparty computation with reputation systems. In Asiacrypt (2), pages 201–220, 2013.
- G. Asharov and C. Orlandi. Calling out cheaters: Covert security with public verifiability. In Asiacrypt, pages 681–698, 2012.
- N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. In Eurocrypt, 1998.
- Y. Aumann and Y. Lindell. Security against covert adversaries: Efficient protocols for realistic adversaries. In S. P. Vadhan, editor, TCC 2007, volume 4392 of LNCS, pages 137–156. Springer, 2007.
- S. Barber, X. Boyen, E. Shi, and E. Uzun. Bitter to better: How to make Bitcoin a better currency. In FC, 2012.
- M. Belenkiy, M. Chase, C. C. Erway, J. Jannotti, A. Küpçü, and A. Lysyanskaya. Incentivizing outsourced computation. In NetEcon, pages 85–90, 2008.
- I. Bentov and R. Kumaresan. How to use Bitcoin to design fair protocols. ePrint 2014/129, 2014.
- D. Cash, S. Jarecki, C. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Highly-scalable searchable symmetric encryption with support for Boolean queries. In Crypto (1), 2013.
- J.-S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. In Crypto (1), 2013.
- E. Friedman and P. Resnick. The social cost of cheap pseudonyms. Journal of Economics and Management Strategy, pages 173–199, 2000.
- S. Garg, C. Gentry, S. Halevi, and D. Wichs. On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. ePrint 2013/860.
- S. Garg, C. Gentry, A. Sahai, and B. Waters. Witness encryption and its applications. In STOC, 2013.
- R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In Crypto 2010.
- R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs and succinct NIZKs without PCPs. In Eurocrypt, 2013.
- O. Goldreich. Foundations of Cryptography, vol. 2. 2004.
- S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich. How to run Turing machines on encrypted data. In Crypto (2), pages 536–553, 2013.
- P. Golle and I. Mironov. Uncheatable distributed computations. In D. Naccache, editor, Cryptographers' Track, RSA 2001, volume 2020 of LNCS, pages 425–440. Springer, 2001.
- V. Goyal, P. Mohassel, and A. Smith. Efficient two party and multi party computation against covert adversaries. In Eurocrypt 2008.
- Y. Huang, J. Katz, and D. Evans. Quid-pro-quo-tocols: Strengthening semi-honest protocols with dual execution. In IEEE Security and Privacy, pages 272–284, 2012.
- Y. Ishai, M. Prabhakaran, and A. Sahai. Founding cryptography on oblivious transfer, efficiently. In Crypto 2008, pages 572–591, 2008.
- S. Jarecki, C. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Outsourced symmetric private information retrieval. In CCS, pages 875–888.
- L. Lamport. Fast Paxos, 2005. MSR-TR-2005-112.
- Y. Lindell and B. Pinkas. A proof of security of Yao's protocol for two-party computation. Journal of Cryptology, 22(2):161–188, 2009.
- G. Maxwell. Zero knowledge contingent payment. 2011. https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment.
- P. Mohassel and M. Franklin. Efficiency tradeoffs for malicious two-party computation. In PKC 2006.
- V. Pappas, B. Vo, F. Krell, S.-G. Choi, V. Kolesnikov, S. Bellovin, A. Keromytis, and T. Malkin. Blind Seer: A scalable private DBMS. In IEEE Security and Privacy, 2014.
- B. Parno, J. Howell, C. Gentry, and M. Raykova. Pinocchio: Nearly practical verifiable computation. In IEEE Security and Privacy, 2013.
- R. L. Rivest, A. Shamir, and D. A. Wagner. Time-lock puzzles and timed-release crypto. Technical Report MIT/LCS/TR-684, MIT, 1996.
- A. Rosen and A. Shelat. Optimistic concurrent zero knowledge. In Asiacrypt 2010.
- P. Todd. Reward offered for hash collisions for SHA1, SHA256, RIPEMD160. https://bitcointalk.org/index.php?topic=293382.0, 2013.
- A. C. Yao. How to generate and exchange secrets (extended abstract). In FOCS, pages 162–167, 1986.
How to Use Bitcoin to Incentivize Correct Computations