protocols Protocols where the users of the protocol dont trust each - - PowerPoint PPT Presentation

protocols
SMART_READER_LITE
LIVE PREVIEW

protocols Protocols where the users of the protocol dont trust each - - PowerPoint PPT Presentation

Dec 28, 2023 526 likes •805 views

Multiparty Computation (MPC) protocols Protocols where the users of the protocol dont trust each other, but nevertheless they want to achieve a common goal I dont trust Bob I dont trust Alice Alice Bob bfa1406343bb49 ga63w234349aa

slide-1
SLIDE 1

Multiparty Computation (MPC) protocols

Protocols where the users of the protocol don’t trust each other, but nevertheless they want to achieve a common goal

bfa1406343bb49 ga63w234349aa bfa144534555d9

Alice Bob I don’t trust Bob I don’t trust Alice

common goal achieved!

slide-2
SLIDE 2

With a “trusted third party” – it’s easy

A B Y Y

bfa1406343bb49 ga63w234349aa bfa144534555d9

But can we do it without a trusted third party? In other words: can we “simulate” the ideal world in the real world? ideal world: real world:

slide-3
SLIDE 3

The limitations

  • lack of fairness when there is no

honest majority (we will explain it in a moment),

  • no way to force the parties to provide

true input,

  • and to respect the outcome.

partial remedies exist beyond the scope of crypto

slide-4
SLIDE 4

Our idea Deal with these problems using Bitcoin

slide-5
SLIDE 5

Example: Two party lotteries

  • a random party earns 1

BTC

  • the other one looses 1

BTC

bfa1406343bb49 ga63w234349aa bfa144534555d9

slide-6
SLIDE 6

Looks similar to the “coin- tossing problem”.

bfa1406343bb49 ga63w234349aa bfa144534555d9

  • utput:

Y Y where Y = with probability 1/2 with probability 1/2

slide-7
SLIDE 7

How to solve the coin-tossing problem? Idea Remember the old game: rock-paper-scissors?

slide-8
SLIDE 8

draw Alice wins Bob wins Bob wins draw Alice wins Alice wins Bob wins draw Alice Bob

slide-9
SLIDE 9

Let’s simplify this game

In other words: Alice wins iff A xor B = 0. A=0 A=1 B=0 Alice wins Bob wins B=1 Bob wins Alice wins Alice Bob

slide-10
SLIDE 10

Another way to look at it

Alice has an input B Bob has an input A

they should jointly compute x = A xor B (in a secure way)

slide-11
SLIDE 11

What to do?

Problem: A and B should be sent at the same time (e.g. if A is sent before B then a malicious Bob can set B := x xor A, where x is chosen by him).

x = A xor B x = A xor B

random bit A random bit B

slide-12
SLIDE 12

How to guarantee this?

Seems hard: the internet is not synchronous...

A solution: bit commitments

slide-13
SLIDE 13

Commitment schemes – an intuition

Alice sends a locked box to Bob

a bit A A

Alice can later send the key to Bob

A

[binding] from now Alice cannot change A, [hiding] but Bob doesn’t know A Alice “commits herself to A” Alice “opens the commitment”

slide-14
SLIDE 14

How does it solve the coin- flipping problem?

chooses a random bit A commits to A sends B chooses a random bit B

  • pens A
  • utput

A xor B

  • utput

A xor B

A

slide-15
SLIDE 15

Problem 1

How to force Alice to open the commitment?

commits to A sends B

  • pens A

This is precisely the lack of fairness problem. It’s inherent to most of the interesting MPC protocols...

slide-16
SLIDE 16

Problem 2

commits to A sends B

  • pens A

You lost So what?

This is the problem of forcing the parties to respect the output. Even more inherent (it is present also in the “ideal world” solution)

slide-17
SLIDE 17

Idea: force the parties to open their commitments using the “deposits”

commits to bit A transaction commit

  • has value 1 BTC
  • can be redeemed by Alice
  • claiming the transaction requires revealing A

if Alice didn’t redeem commit, then Bob can do it after 1 day deposit:

slide-18
SLIDE 18

How can Alice commit to A?

can be spent using Alice’s signature and (A,X) such that Y = H(A,X)

  • r

both signatures of Alice and Bob Alice’s signature

T 1 BTC

post on the blockchain: send to Bob a Refund transaction:

Commit = some earlier transaction of Alice can be spent using Bob’s signature after 1 day Alice’s signature

Commit 1 BTC

Refund =

slide-19
SLIDE 19

This solves the problem of the lack of fairness!

commits with a Bitcoin- based commitment to A sends B

  • pens A

If Alice does not open her commitment within 1 day then Bob can get her 1 BTC by posting the Refund transaction with his signature Otherwise she gets her 1 BTC back.

slide-20
SLIDE 20

What about the problem of respecting the outcome?

This can also be solved. Main idea:

commits with a Bitcoin-based commitment to A commits with a Bitcoin-based commitment to B

a transaction that takes the

  • pening of the committed values

and “decides” who won

  • prob. 1/2
slide-21
SLIDE 21

“Murder contract”

1,000 BTC if Bob provides a proof that Carol is murdered during the next hour

Alice Bob

Question: what if Bob is just lucky and Carol was murdered by someone else?

slide-22
SLIDE 22

Solution: add some details

1,000 BTC if Bob provides a proof that Carol is murdered during the next hour using a .44 Remington Magnum gun

Alice Bob

slide-23
SLIDE 23

How a such a “proof” can look like?

Examples:

  • signed article from some press agency,
  • “authenticated data feed”,
  • several sources combined
slide-24
SLIDE 24

Example

1,000 BTC if Bob provides an article containing texts:

  • “Carol was murdered”
  • “.44 Remington Magnum

gun” signed by Associated Press

Alice Bob

slide-25
SLIDE 25

Two technical problems

  • 1. such conditions are impossible to express using

Bitcoin syntax

  • 2. a separate “contract” is needed for every potential

hitman Solution: a currency designed for doing contracts.

slide-26
SLIDE 26

Features

  • has a concept of a “contract’’ that can be posted on the

public register, and give money to anyone who provides some “solution”

  • allows to create arbitrarily complicated contracts.