Legally-Enforceable Fairness in Secure Two-Party Computation
Andrew Lindell
Aladdin Knowledge Systems and Bar-Ilan University
04/09/08 CRYP-202
Secure Multiparty Computation
■ A set of parties with private inputs wish to compute some joint function of their inputs
■ Parties wish to preserve some security properties, e.g., privacy and correctness
» Example: secure election protocol
■ Security must be preserved in the face of adversarial behavior by some of the participants, or by an external party
Security Requirements
■ Privacy
» Parties can learn their designated output and nothing more
• My private vote in an election is not revealed
■ Correctness
» The correct function is computed
• The candidate with the majority vote is elected
■ Independence of inputs
» Parties cannot make their inputs depend on others
■ Fairness
» If one party receives output, then all receive output
Fairness
■ Cleve (1986) showed that it is impossible for two parties to fairly toss a coin
» Can be extended to other functionalities as well
■ Intuition behind proof
» Assume that one can compute fairly with m rounds
» Consider an adversary that doesn’t send its last message
» By the requirement of fairness, the other party still receives output
• Thus, this last message is not needed and the protocol can be made m–1 rounds
Impossibility of Fairness (continued)
■ By induction, all messages can be removed, and so we are left with an empty protocol
■ But only trivial functions can be computed without interaction!
■ Conclusion: fairness cannot be achieved
■ Warning
» This intuition is not exact, and the real situation is more involved
Fairness – Alternatives
■ Gradual release [BG,GL]
» The output is released slowly, so that no party has too much advantage in guessing it
■ Optimistic computation [M,ASW,CC]
» An online trusted party is assumed to be in place
» If no one cheats, the trusted party is not needed
» If fairness is breached by cheating, the trusted party is invoked to help restore fairness
A New Approach
■ Similar to the optimistic model, but use existing legal and financial infrastructure
■ Assume that digital signature law is in place and recognized
» Digitally-signed cheques are enforced
Concurrent Signatures – Prior Work
■ Problem of fair exchange of signatures
■ Fundamental observation by Chen, Kudla and Paterson
» A signature can only be enforced by revealing it (e.g., in a court)
■ Their idea
» First, one party receives only a keystone (useless by itself)
» Then, the other party receives the full signature it is supposed to
» Given the keystone and the other signature, the first party can derive its full signature
■ Construction under specific assumptions and using a random oracle
Achieving Concurrent Signatures
■ To motivate our method, we show how to achieve concurrent signatures
» With general assumptions and no random oracle
■ Requirement:
» P1 should receive a signature on m1, denoted σ1=Sign(m1).
» P2 should receive a signature on m2, denoted σ2=Sign(m2).
■ The protocol:
» The parties use a secure two-party computation protocol
• First, P1 receives σ1=Sign(m1,σ2)
• Then, P2 receives σ2=Sign(m2)
Achieving Concurrent Signatures
■ Reminder
» P1 receives σ1=Sign(m1,σ2)
» P2 receives σ2=Sign(m2)
■ If P1 aborts after receiving σ1, then P2 may not receive its signature σ2
» In order to enforce σ1, P1 has to present it (e.g., to a court)
» But, this reveals σ2, restoring fairness
■ Remark
» This is not perfect, but it is very good...
Secure Two-Party Protocol – Background
■ Requirement:
» P1 and P2 have inputs x and y
» P1 and P2 should receive f(x,y), for some function f
■ Notation
» A cheque from P1 to P2 is a digitally signed message:
• Stating who the recipient is
• Stating how much money should be transferred
• Containing an additional field for arbitrary text
Our Protocol for Secure 2-Party Computation
■ Phase 1: The parties use a secure two-party computation protocol:
» P1 receives a signed cheque chq1 for $10,000 from P2
• This cheque contains another cheque chq2 for $10,000 for P2 from P1
• The cheque chq2 is encrypted so that only P2 can decrypt
• The cheque chq2 contains the output value f(x,y)
■ Phase 2
» P1 sends the encrypted chq2 to P2
» P2 decrypts, obtains f(x,y) and sends it back to P1
Our Protocol for Secure 2-Party Computation
[Diagram: Party P1 (input x) and Party P2 (input y) run the secure computation subprotocol. P1 receives chq1, which contains the encrypted counter-cheque chq2 for P2 (with output). P1 sends chq2 to P2; P2 decrypts and obtains f(x,y), then sends f(x,y) to P1. Both parties output f(x,y).]
Early Aborting
■ If either party aborts before the end of phase 1
» No one learns anything and so fairness is preserved
■ If P1 aborts after receiving chq1
» It hasn’t learned the output and so fairness is preserved
» If it tries to cash chq1, P2 will obtain chq2 and will counter it (so P2 won’t lose money)
Early Aborting
■ If P2 aborts after receiving chq2
» P2 has learned f(x,y) and P1 hasn’t, so fairness is breached
» But P1 has a cheque from P2 and so can force P2 to either present f(x,y) or pay!
■ Conclusion:
» P2 can breach fairness, but only by paying the cheque
• Setting the sum high enough makes this unlikely
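The case analysis of the two Early Aborting slides, as an added example that is not part of the original slides. It is a symbolic model: signatures and encryption are tagged records rather than real cryptography, phase1 stands in for the secure computation subprotocol, and it assumes that the text field of a cashed cheque is disclosed; all names are hypothetical.

```python
from dataclasses import dataclass

AMOUNT = 10_000  # the sum used on the slides

@dataclass(frozen=True)
class Enc:        # symbolic ciphertext: only party `to` can open it
    to: str
    body: object

@dataclass(frozen=True)
class Cheque:     # symbolic signed cheque: `signer` pays `recipient`
    signer: str
    recipient: str
    amount: int
    text: object  # the additional field for arbitrary text

def decrypt(who, c):
    if who != c.to:
        raise PermissionError(f"{who} cannot open a ciphertext for {c.to}")
    return c.body

def phase1(x, y, f):
    """Ideal stand-in for the secure computation subprotocol; only P1 gets output."""
    chq2 = Cheque("P1", "P2", AMOUNT, f(x, y))
    return Cheque("P2", "P1", AMOUNT, Enc("P2", chq2))

def enforce(chq1, knows, p2_counters):
    """P1 cashes chq1. That exposes Enc(chq2), which P2 may open and cash in turn."""
    net = {"P1": chq1.amount, "P2": -chq1.amount}
    if p2_counters:
        chq2 = decrypt("P2", chq1.text)
        net["P1"] -= chq2.amount
        net["P2"] += chq2.amount
        # Modelling assumption: a cashed chq2 discloses its text field, f(x,y).
        knows["P1"] = knows["P2"] = chq2.text
    return knows, net

def run(x, y, f, abort=None, cash=False, p2_counters=True):
    """abort is None, 'P1' (after chq1) or 'P2' (after chq2); returns (knows, net)."""
    chq1 = phase1(x, y, f)
    knows, net = {"P1": None, "P2": None}, {"P1": 0, "P2": 0}
    if abort == "P1":  # P1 holds chq1 but only a ciphertext of chq2
        return enforce(chq1, knows, p2_counters) if cash else (knows, net)
    knows["P2"] = decrypt("P2", chq1.text).text  # phase 2: P1 sent Enc(chq2)
    if abort == "P2":  # P2 keeps f(x,y); P1's remedy is to cash chq1
        return enforce(chq1, knows, p2_counters)
    knows["P1"] = knows["P2"]  # honest P2 sends f(x,y) back
    return knows, net
```

The only run in which one party ends up with the output and the other without it is `abort="P2", p2_counters=False`, and there P2 is out the full cheque amount.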
A Comparison to the Optimistic Model
■ Optimistic model
» Guarantees fairness always
» Fairness is obtained immediately
» Requires “special” infrastructure and trust
■ Our solution
» Uses existing infrastructure in society (that is trusted)
» Fairness is not immediate (need to wait for courts, bank…)
» Adversary can choose to breach fairness for a high enough price
Summary
■ We introduced a different approach to fairness
■ Future challenges
» Construct efficient protocols according to our approach
» Make the world a fairer place
• Although this may be out of the scope of this work ☺
Legal Notice
© Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved.