Gage MPC: Bypassing Residual Function Leakage for Non-Interactive MPC - Privacy Enhancing Technologies Symposium
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Proceedings on Privacy Enhancing Technologies ; 2021 (4):528–548
Ghada Almashaqbeh*, Fabrice Benhamouda, Seungwook Han, Daniel Jaroslawicz, Tal Malkin,
Alex Nicita, Tal Rabin, Abhishek Shah, and Eran Tromer
Gage MPC: Bypassing Residual Function
Leakage for Non-Interactive MPC
Abstract: Existing models for non-interactive MPC DOI 10.2478/popets-2021-0083
cannot provide full privacy for inputs, because they in- Received 2021-02-28; revised 2021-06-15; accepted 2021-06-16.
herently leak the residual function (i.e., the output of
the function on the honest parties’ input together with
all possible values of the adversarial inputs). For exam-
1 Introduction
ple, in any non-interactive sealed-bid auction, the last
bidder can figure out what was the highest previous bid.
Secure multiparty computation (MPC) is a fundamental
We present a new MPC model which avoids this privacy
area in cryptography, with a rich body of work devel-
leak. To achieve this, we utilize a blockchain in a novel
oped since the first papers in the 80’s [11, 18, 30, 44, 48].
way, incorporating smart contracts and arbitrary par-
The setting involves n parties, each holding a private
ties that can be incentivized to perform computation
input, who wish to compute a function on their inputs
(“bounty hunters,” akin to miners). Security is main-
in a manner that reveals only the output, and preserves
tained under a monetary assumption about the parties:
the privacy of the inputs.
an honest party can temporarily supply a recoverable
collateral of value higher than the computational cost Interaction in MPC. The question of availability and
an adversary can expend. required interaction among the parties in MPC proto-
We thus construct non-interactive MPC protocols with cols has been extensively studied. Most of the literature
strong security guarantees (full security, no residual on secure computation requires all parties to remain on-
leakage) in the short term. Over time, as the adversary line throughout the computation, engaging in interac-
can invest more and more computational resources, the tive communication with each other. This requirement
security guarantee decays. Thus, our model, which we is problematic in many settings, where the parties are
call Gage MPC, is suitable for secure computation with not all available for interaction at the same time (e.g.,
limited-time secrecy, such as auctions. due to geographic or power constraints), and may not
A key ingredient in our protocols is a primitive we call even be a priori aware of all other parties.
“Gage Time Capsules” (GaTC): a time capsule that al- Thus, an important goal is to reduce interaction and
lows a party to commit to a value that others are able online coordination in secure computation. Ideally, we
to reveal but only at a designated computational cost. envision the following setting for non-interactive MPC
A GaTC allows a party to commit to a value together (NIMPC). When a party is available it carries out some
with a monetary collateral. If the original party properly local computation based on its input and any needed
opens the GaTC, it can recover the collateral. Other- auxiliary information, and then it posts its result to
wise, the collateral is used to incentivize bounty hunters some public bulletin board. Once all the parties are
to open the GaTC. This primitive is used to ensure com-
pletion of Gage MPC protocols on the desired inputs.
As a requisite tool (of independent interest), we present
*Corresponding Author: Ghada Almashaqbeh: Univer-
a generalization of garbled circuit that are more robust: sity of Connecticut, E-mail: ghada.almashaqbeh@uconn.edu
they can tolerate exposure of extra input labels. This Fabrice Benhamouda: Algorand Foundation, E-mail: fab-
is in contrast to Yao’s garbled circuits, whose secrecy rice.benhamouda@gmail.com
breaks down if even a single extra label is exposed. Seungwook Han, Daniel Jaroslawicz, Tal Malkin, Alex
Finally, we present a proof-of-concept implementation Nicita, Abhishek Shah: Columbia University, E-mail:
{sh3264,dj2468,tm2118,a.nicita,as5258}@columbia.edu
of a special case of our construction, yielding an auc-
Tal Rabin: University of Pennsylvania, Algorand Foundation,
tion functionality over an Ethereum-like blockchain. E-mail: talr@seas.upenn.edu.
Eran Tromer: Columbia University, Tel-Aviv University, E-
Keywords: Non-interactive MPC, blockchain-model
mail: et2555@columbia.eduGage MPC 529
done, an output-producing party combines the informa- of combining blockchain technology with MPC, and the
tion from the public repository and computes the output interaction between these two designs has evolved over
of the function while maintaining security, i.e., no infor- several steps.
mation on the inputs is leaked beyond the output of
the function.1 However, it is known that this privacy- Gen I. Utilizing the blockchain to provide an imple-
preserving ideal is impossible: leakage of the residual mentation for the broadcast channel required for
function [34] is inherent. Specifically, an adversary con- many MPC protocols (e.g., via OP_RETURN data).
trolling the output-producing party and some of the Gen II. Incorporating payments into MPC protocols.
computing parties can always repeatedly apply the le- Gen III. This work. Incorporating smart contracts
gitimate protocol on any desired inputs provided by the and the miners as active participants in the MPC.
colluding parties, to compute the function on more than
a single input (see e.g., [9, 34]). Gen II started with such results as [8, 13, 36] that
The works of [9, 34] further prove that, beyond the introduced monetary compensation and incentives in
leakage of the residual function, there also needs to be order to go beyond existing lower bounds in MPC. In
some additional setup assumption in order to achieve particular, they address the fairness impossibility result
Non-Interactive MPC. The results of [9, 26] work in of [21], which states that in a two-party setting it can-
the semi-honest model and assume some pre-dealt cor- not be avoided that one party learns the output of the
related randomness that is given to the parties. The protocol and aborts prior to the other party learning the
works of [31, 34] rely on the existence of a PKI and output. These papers present solutions which require
assume the availability of an output-computing party each party to commit to a collateral via the payment
that is online at all times and can be viewed as a “co- capabilities of the blockchain. In case one party aborts,
ordinator” among the parties. Each party engages in their collateral can be used to provide financial com-
an interactive computation with the output-computing pensation for the party that did not receive the output.
party, but the parties do not need to interact with each Thus, the collateral is used to incentivize the party to
other. These papers provide solutions for restricted provide the output, and not abort. Note that while in
classes of functions. In [33] a solution is presented for some scenarios this incentive may be sufficient in order
all functions, at the expense of making a much stronger to achieve fairness, in fact the solution itself does not
assumption, namely indistinguishability obfuscation, guarantee that this happens. It may be the case that
and a PKI. However, when collusions occur, all these despite facing a monetary loss, the party that learns
results suffer from the unavoidable leakage of the resid- the output might think that it is beneficial to quit the
ual function. computation and prevent the other party from learning
the output. This could happen due to e.g., failure, irra-
MPC and Blockchain. In 2008, Nakamoto proposed tionality, or large external incentives to abort.
Bitcoin [40] as the first decentralized cryptocurrency.
The core of Bitcoin is an append-only ledger, called Our Work: Gage MPC (Gen III).2 In this pa-
blockchain, maintained by a consensus protocol. Trans- per, we propose a new model and constructions of non-
actions are combined into blocks. For a block to be interactive MPC for any function, without the privacy-
added to the blockchain, a proof of work is used: parties violating leakage of the residual function, and with se-
called miners need to solve a cryptographic puzzle. This curity against semi-honest adversaries.3 Thus, we cir-
process is called mining and successful miners are auto- cumnavigate the aforementioned impossibility.
matically rewarded using the BTC asset, whose issuance Our model, which we call the Gage MPC model,
and ownership are managed by the blockchain itself. assumes a monetary mechanism and a corresponding
It soon became clear that the consensus protocol can assumption that enables our solution. There is a party,
be extended to not only record transactions, but also
store arbitrary state and enforce properties about this
state and related transactions, through what became
2 Gage is an archaic word that means: a valued object deposited
known as smart contracts. This unearthed the potential as a guarantee of good faith.
3 We assume a semi-honest adversary only for the first step
of the protocol: parties are required to post honestly-generated
1 Due to the new monetary-incentivized model we consider, our messages on the blockchain in the first step of the protocol. Later
work realizes a slightly modified version of NIMPC that we de- they can arbitrarily misbehave. Furthermore this restriction can
fine later. be lifted using additional zero-knowledge proofs.Gage MPC 530
which we refer to as party zero, that sets up the com- tries to evaluate the (residual) function on additional
putations, and puts down some collateral. At a later inputs would have to perform the expensive computa-
stage, party zero can come back to provide some final tion and pay its cost without being compensated by the
message(s) that allow for the computation of the out- collateral.
put. If this last step is completed, party zero can recover Crucially, party zero can always recover the collat-
the collateral. We call this path of operation the nom- eral via the nominal path, and in that way not lose
inal opening, which reflects the behavior of an honest it. This implies that the collateral can in fact be much
party zero. If party zero fails to provide the messages higher than the amount of money party zero has, as
then the collateral is used as payment to bounty hunters party zero can for example take a short-term loan.4 In
who will complete the execution via an expensive com- contrast, for the adversary to break security, the collat-
putation. (These might be, but don’t have to be, the eral amount is the actual cost that needs to be spent
same as the blockchain miners.) We call this the bounty for computing the function, which can be prohibitively
opening. The bounty opening does not depend on any a high. This lends to the introduction of a new type of
priori determined miner (or set of miners) and thus, as monetary assumption:
long as there exist parties wishing to be paid for com-
An honest party can put down a temporary collateral of
putation, the bounty opening will complete successfully. value much higher than what an adversary can expend on
This means that under no circumstances can party zero computation.
prevent the computation from being completed and the
In our theorems we will prove that as long as the ad-
output from being exposed. This is in contrast to the
versary does not spend (significantly) more than some
Gen II MPC solutions [8, 13, 36], where the party also
amount related to the collateral, then it will not learn
puts down a collateral, but forgoing the collateral en-
any additional information.
ables to prevent the exposure of the output.
This bounty opening path matches the desired On Circumventing the Lower Bounds. The afore-
NIMPC setup outlined above. Each party posts a mes- mentioned impossibility, saying the leakage of the resid-
sage and then the output computing party (in this ual function is inherent in the standard model, is de-
case, the bounty hunters) will open the commitments scribed for parties that all execute the same protocol.
and evaluate the output (which is announced on the Yet, it extends to our setting where there exists a spe-
blockchain). On the other hand, the nominal path (and cial party, party zero, that speaks first.5 The necessity
Gage MPC 2-party protocol presented in Section 6) re- of correlated randomness likewise persists.6
sembles a different flavor of NIMPC. That is, party zero Our constructions avoid this by creating a setting
will come for a second round to open the commitments, where to compute the function on any set of inputs re-
and so allow computing the output, to avoid losing the quires considerable computational effort. This effort ef-
collateral. Nonetheless, party zero is not required to stay fectively disarms the adversary from being able to com-
online all the time since the parties are posting their pute the residual function, thus eliminating its leakage
messages on the blockchain. Also, the rest of the partic- and circumventing the lower bound. Furthermore, we
ipants perform a single round of interaction as before. eliminate setup assumptions such as pre-shared corre-
We rely on the underlying blockchain to ensure lated randomness (or PKI), or the need for a dedicated
a consistent consensus view of these events, as well party to be available throughout to ensure the resolu-
as delivery of commitment openings messages within tion of the computation. Our only requirements are the
bounded time (see below).
The collateral amount, along with the computa-
tional difficulty of the bounty opening, are set accord-
4 The main cost for the honest party is the time value of money.
ing to the difficulty that party zero wishes to create E.g., with a 10% APY loan, and a collateral locked for 3 days,
for adversaries interested in computing the (residual) the cost of a $1K collateral is less than $1.
function on additional inputs. To make such additional 5 Consider the case of two parties P0 and P1 . In the non-
computations very expensive, party zero will set a high interactive setting, after P0 speaks, an honest P1 must be able
computational difficulty, and post a corresponding large to compute the output of the function. This implies that a faulty
P1 can in fact compute the function on any input that it wishes,
collateral to compensate bounty hunters for their po-
exposing the residual function.
tential effort (in the case where party zero later aborts 6 Party zero could send correlated randomness to all the other
and bounty opening become necessary). This collateral parties, but only if it knows their identity in advance and has
is awarded only for the first opening; an adversary who establishing secure channels or PKI with them.Gage MPC 531
Fig. 1. Gage MPC design.
existence of the blockchain and availability of bounty i.e., an ordered list of messages that is consistently vis-
hunters (i.e., parties willing to perform computation for ible to all. Any party can post a message that becomes
a reward). visible to all parties within some bounded time. Fur-
The assumption that party zero makes about the thermore, we assume a liveness property, i.e., messages
adversary’s financial abilities might not hold indef- cannot be blocked or delayed beyond some bounded
initely. The model allows for a highly incentivized, duration (e.g., in Ethereum, it is assumed that the ma-
wealthy, and patient adversary to attack the computa- jority of the mining power is honest, and in particular
tion by outspending the collateral amount, and reveal- will not censor transactions that carry adequate trans-
ing additional information about the function. Thus, action fees; the requisite fees and queue size are publicly
there are two points to note. First, caution should be known). Functionally, we require the blockchain to sup-
taken when making assumptions about the finances of port smart contracts, i.e., updating its consensus state
the adversary. Second, the confidence we have in the according to (simple) programs we prescribe.
assumption holding in relation to the adversary, due to
Gage Time Capsules. We build on a primitive we call
the nature of the assumption, is weakened over time.
Gage Time Capsule (GaTC). A GaTC is a commitment
This implies that the guarantee that there is no leakage
mechanism, that contrary to regular commitments, en-
of any additional information about the function (and
sures that the committed value is exposed when needed.
in particular of the residual function) holds in the short
We start with a simplified construction of GaTC to
term and decays over time.
give the main ideas that underlie this primitive. GaTC
Thus, one should consider under what circum-
bring time capsules [10, 46] to the blockchain. Recall,
stances it makes sense to use this model. A natural set-
that time capsules enable a party to commit to a value
ting could be where the computation is of an ephemeral
in such a manner that another party, if it wishes, can
nature, and long after the output of the function has
brute-force open the commitment. GaTC combine, via
been announced, it is acceptable if additional informa-
a smart contract on the blockchain, a time capsule and a
tion about the inputs is eventually revealed. Auction
collateral that acts as an incentive mechanism for open-
settings (as in our sample application) are often such.
ing the time capsule. The GaTC will have two time peri-
ods. In the initial grace period, the creator of the GaTC
will be able to open the commitment and retrieve the
1.1 Overview of our Design collateral. In the second period, if the collateral has not
Our design creates a sequence of primitives built on been retrieved, it will be used to pay bounty hunters
top of one another. It starts with Proof-of-Opening who work to open the commitment. This use of the col-
Time Capsules which are incorporated into Gage Time lateral is similar to the notion of incentives for proof
Capsules. Those are combined with Label-Driven MPC of work [24]. Interestingly, this incentive mechanism en-
(LD-MPC) to finally construct our Gage MPC (Fig- sures that given a large enough pool of bounty hunters,
ure 1 shows how these primitives are combined in the it is virtually guaranteed that the GaTC will be opened
Gage MPC construction). In the following sections and if and when needed. Note, that these bounty hunters are
appendices we provide a description of our design and independent of the parties of the protocol and thus it
the flavor of each one of these constructions. Full details does not matter which ones participate in the opening.
can be found in the full version [7]. In addition, these bounty hunters do not need to be re-
lated to the miners maintaining the blockchain in case
Blockchain Model. Our model relies on the follow- of proof-of-work blockchains.
ing blockchain model properties. We assume that the
blockchain provides an any-to-all broadcast channel,Gage MPC 532
In contrast to designs of time capsules that require GaTC Opening by P0
P0 gets
(nominal path)
a minimum amount of sequential time to be opened, we collateral
are interested in time capsules that require some min-
j POTC1 ... POTCk Decommitted
imum amount of work to be opened. The work can be POTC j
Collateral
parallelized, and will be parallelized between the bounty Bounty hunter
Opening by a
hunters. bounty hunter gets collateral
However, this naive construction of GaTC from
Fig. 2. A GaTC consists of a collection of POTCs with a sin-
time capsules suffers from the problem that if a bounty
gle associated collateral. The collateral can be transferred to the
hunter finds an opening, other parties may steal it
party that opens the desired POTC, either P0 through the nomi-
and claim the collateral in place of the bounty hunter nal path or a bounty hunter. The index j indicates which POTC
who did the work. That is why instead of using plain to open.
time capsules, we introduce and use Proof-of-Opening
Time Capsules (POTC). A POTC adds a decommit-
hunters in the world who are interested in receiving the
ment value which requires time to compute. In opening
incentives.
the POTC the bounty hunter proves that it knows this
value rather than exposing it in the clear. This proof Label-Driven MPC (LD-MPC). Our construction
can be tied to the bounty hunter in such a way that is based on a garbled circuit framework, i.e., there is a
only the bounty hunter who produced the proof will be wire for each input and labels associated with that wire.
able to claim the collateral. In order to carry out the computation there is a need
Another problem to consider, is the risk of an at- to know one label for each wire. The general idea would
tacker posting malformed commitments that cannot be be that the labels of the wires would be committed to
opened. This presents a denial of service (DoS) attack via GaTCs and if needed would be brute-force opened
against bounty hunters who would waste their computa- to enable the computation. However, Yao-like schemes
tion resources without reward. For simplicity, we assume leak information about the inputs of the parties even
a semi-honest adversary for the first step (the commit- in the case that only one additional label, beyond those
ment posting). This assumption can be removed using required for the computation, is exposed [9]. Given this
a generic NIZK proof that P0 generates to prove the leakage, basing our solution on Yao will provide only
well-formedness of the commitment. limited results. Thus, we introduce a generalization of
The previous high-level definition of GaTC is actu- garbled circuits, called Label-Driven MPC that is ro-
ally still insufficient for our purpose: we need a more bust in the face of exposure of additional labels. This is
sophisticated primitive. A GaTC will bundle together a a powerful generalization that can find applications in
few POTCs and will accept as input an index (see Fig- other settings.
ure 2). It will only incentivize the opening of the POTC We obtain more robust garbled circuits by adding
that relates to the given index. No incentives will be one level of indirection. In order to compute the desired
given for the opening of the other POTCs inside the Yao garbled circuit C we add a computation of a circuit
GaTC. C 0 on top of it. The output of the computation of the
Our monetary assumption is utilized in the design circuit C 0 will be the needed label for each input wire for
of GaTCs. The level of the collateral sets the complexity the computation of the circuit C. It would seem that we
of opening a POTC. We assume that the complexity is have not done much, but the circuit C 0 will be designed
set high enough that the adversary would not be inter- in an innovative way by addressing two issues.
ested in exerting the level of computational power that The first element in the creation of C 0 is that we
is required to open the number of additional POTCs choose an error correcting code that takes words of
within the GaTC so as to violate the security of the length γ and expands them to codewords of length γ + κ
general protocol. (for a code of minimal distance κ + 1) where κ is the de-
In Section 2 we propose an idealized instantia- sired robustness level. The circuit C 0 will have γ + κ
tion of POTCs in the random oracle model and the inputs and the computation that it will execute is to
generic group model. We use Fiat-Shamir in order to test whether the input is a word in the code. If it is,
provide the proofs for the opening. In Section 3 we it will output the labels for the circuit C. Observe that
define our GaTC and provide an instantiation of those. the error correcting code in a sense adds a buffer of
Our GaTC can be used over any blockchain, including security. To move from one legal codeword to another
proof-of-stake based ones, as long as there are bounty there is a need to change κ input wires in C 0 . Given ourGage MPC 533
general idea that the labels of wires will be committed P OT Ci,b . Party P0 then comes and opens all the val-
via GaTCs this expansion with error correcting codes ues and reveals the committed labels, which allows ev-
provides the desired security level. erybody to evaluate the garbled circuit and learn the
The second issue is that if C 0 is built as a Yao gar- output y = f (x0 , . . . , xN ). Party P0 further retrieves its
bled circuit it may still suffer from the vulnerability of collateral.
having a single additional wire exposed. However, C 0 is In case P0 misbehaves and does not reveal the la-
a simple linear computation, one that only needs to test bels, after the initial grace period, bounty hunters are
if the input is in the code. Given that this is a linear incentivized to open the POTCs of those labels and re-
computation we can rely on techniques from NIMPC ceive the collateral as payment. Once all the needed
[12] that provide robustness to linear computations.7 POTCs are opened, the output y is computed the same
Utilizing these techniques we can offer robustness to C 0 way as in the nominal execution.
and thus in return provide robustness to the original As stated, the underlying garbled circuit is not ro-
computation. bust to the exposure of additional labels, and thus this
computation inherits this lack of robustness. However,
Gage MPC. To achieve our final result of an MPC
as long as the adversary does not exert the computa-
protocol that circumvents the lower bound of leaking
tional effort required to open any additional POTC,
the residual function we define the model of Gage Mul-
the resulting protocol achieves classical MPC secu-
tiparty Computations and combine our new LD-MPC
rity: the adversary learns no additional information but
with our GaTC.
y, x1 , . . . , xN .
We consider a public function f , with parties
If the difficulty of opening a POTC is set high
P0 , P1 . . . , PN holding inputs x0 , x1 , . . . , xN to f . The
enough and if there are relatively few GaTCs (i.e., few
parties will compute f (x0 , x1 , . . . , xN ). We note that if
input wires), the total collateral (of all the GaTCs) is
we want the function itself to be private, we can set the
not much larger than the difficulty of opening a single
public function f to be a universal circuit, and input the
GaTC. In that case, it is reasonable to assume that the
actual private function as the input x0 of party zero, P0 .
adversary cannot open any additional POTC and secu-
We will combine different LD-MPC to achieve our
rity holds.
solutions: a basic solution (based on Yao), and enhance-
However, when there are many input wires, this as-
ments utilizing the more robust version of LD-MPC.
sumption becomes less likely. The adversary may have
We provide the following security guarantees.
enough power to brute force one of the other labels on
0-robust security, public inputs. In this setting, the in- its own. To prevent this exposure we utilize our more
put of party zero, P0 , is the only private one, and other robust LD-MPC.
parties’ inputs are all public. This solution utilizes a
κ-robust security, public inputs. We present a design
standard garbled circuit that creates two labels for each
that protects against an adversary exerting enough com-
input wire. The POTCs of the two labels of a wire are
putational effort to open up to κ additional POTCs (i.e.,
combined into a GaT Ci for each wire i by P0 . More
learning κ additional garbled circuit labels). We use the
specifically, GaT Ci for wire i has P OT Ci,0 for label µi,0
κ-secure LD-MPC. We will want to relate the complex-
(wire value = 0) and P OT Ci,1 for µi,1 (wire value = 1)
ity of the work to the number γ of inputs to the func-
in it. It incentivizes to open only one of the labels. For
tion. If the adversary wants to compute the function
the sake of simplicity, in the introduction, we assume
on an additional input, we would like the adversary to
that each party Pi has a single input bit corresponding
have to work almost as much as it costs to compute
to the input wire i.
the function on a single input. Thus, we set the pa-
The nominal execution works as follows. Once the
rameters as follows. The length of the expanded input
parties post their inputs this fixes the index that GaT Ci
is γ 0 = γ + κ implying that to compute the function
should open: for input b of party Pi it should open the
on one input requires a number of POTCs (or labels)
equals to γ 0 . We would like the robustness κ to equal
(1 − )γ 0 . This creates a (1 − )γ 0 -robust Gage MPC
7 The main result of [12] is the construction of κ = O(1)-robust
NIMPC for polynomial-size circuits. Such NIMPC would pro- with γ 0 wires, where ε > 0. In other words, this new
vide κ = O(1)-robust LD-MPC. Unfortunately, this would not protocol ensures security as long as the adversary can
yield robustness for larger κ values. Instead, we use an interme- only exert enough computational effort to open a 1 −
diate result of [12] that gives a fully robust NIMPC for linear fraction of the POTCs that bounty hunters would have
functions, and combine them with the ideas we described above.Gage MPC 534
Public-Inputs
Sec. A.1 (1 − )γ 0 -Robust Sec. A
.2
Public-Inputs Sec. A Security .3 Private-Inputs
0-Robust Sec. A (1 − )γ 0 -Robust
.2
Security .3
Private-Inputs Sec. A Security
0-Robust
Two Parties
Fig. 3. Gage MPC. The fully private input versions are for two parties only.
to open in the bounty case. We remark that this is the 1.2 Application: Private Decentralized
best that can be achieved. Indeed, if the adversary can Auctions
open as many POTCs as bounty hunters would have
to open if P0 misbehaves, then the adversary would be An important application, highlighting the power of
able to evaluate the function f on another set of inputs. Gage MPC, is on-chain trading. Auctions allowing par-
This would break security (in other words, γ 0 -opening ties to place bids for a published offer, and more gen-
security is never achievable for a protocol with γ 0 wires). erally exchanges allowing to place multiple bids and of-
We stress that the adversary who puts enough fers (orders) in an order book, are crucial components
computational effort to open more than κ additional of economic markets.
POTCs may learn more than the output of the function The emergence of blockchain technology saw the
on one additional input. After exerting enough compu- introduction of many decentralized exchanges (or auc-
tation power, it may even learn the full function. We tions), which are implemented using a blockchain and
leave it as an open question whether there exists an ef- often trade assets whose ownership is represented on the
ficient solution whose security degrades more gracefully. blockchain. Goals and motivation in constructing such
0-robust security, private inputs, two parties. We pro- systems include: eliminating the need for trusted par-
vide a second, orthogonal transformation that provides ties to deliver correct execution, privacy, or asset cus-
privacy for all parties’ inputs (rather than just P0 ). We tody (credit risk); reducing costs, fees and onboarding
address this setting only for the case of two-party secure barriers; avoiding censorship; and enabling integration
computation (and we discuss how this can be extended with other blockchain-based systems, such as electronic
to the general multiparty case while pointing out poten- commerce and decentralized finance instruments. Many
tial practicality limitations). Thus, we consider parties such systems have been implemented [1–4, 6, 38, 43, 47],
P0 , P1 holding private inputs x0 , x1 respectively, try- and the total trading volume in decentralized exchanges
ing to securely compute f (x0 , x1 ).8 We can address has recently exceeded US $20B per month [22].
this setting by combining a two-round two-party se- The existing schemes that implement decentral-
cure computation evaluating the desired function with ized blockchain-based order-book exchanges follow two
a Gage MPC. This is done by transforming the second paradigms: open orders books where the orders are
step of the evaluation of the two-round protocol into a broadcast in plaintext, recorded on the blockchain, and
Gage MPC protocol. then settled later (by the miners following consensus
rules), or some weak notion of hidden order books (i.e.,
κ-robust security, private inputs, two parties. The two
dark pools) to keep the offers and bids secret. An exam-
transformations described above can be combined, to
ple of the latter is the commit-and-open paradigm: send-
achieve Gage two-party secure computation with secret
ing the order in the form of (hiding and biding) commit-
inputs and κ-robust security. See Fig. 3.
ments to a smart contract, and later publicly opening
all these commitments [6]. Another approach is to send
orders in secret-shared form to a committee, which uses
MPC to reveal just the outcome, while letting unexe-
cuted orders remain hidden [5]. Both approaches have
the drawback that they require the continued availabil-
8 As mentioned above, using universal circuits this can also be
ity and participation of specific parties (the traders in
used when P0 holds a private function g and P1 holds an input
x and they compute g(x). the former; the MPC committee members in the latter),Gage MPC 535
and if these parties become unavailable, the orders can trade any asset represented on the blockchain.9 Lastly,
never be executed. The requisite participation is incen- note that these auctions are merely a special case, and
tivized by escrows, or “bonds”, that are confiscated if our construction extend to any (efficiently-computable)
those parties fail to operate correctly. They are, how- two-party functionality, including those that control
ever, technically at liberty to abort and just accept the asset flows in more complex ways. Thus, we solve a spe-
penalty. That is, they operate in the Gen II model. cial case of the important problem of trustless privacy-
Crucially, these approaches do not guarantee execu- preserving smart contracts.
tion, they are not resilient to auxiliary incentives that
Implementation of POTC and Simple Auctions.
may induce participants to abort even if this entails a
As a proof of concept, and to demonstrate the poten-
penalty. For instance, a bidder may realize that the mar-
tial practicality of our constructions, we implemented a
ket price has jumped and their already-committed-to
library that provides a generic interface for our POTC
offer, if executed, would cause them enormous loss. Or
operations, and evaluated its performance overhead for
an auction seller, who has committed to a reserve price,
each operation. Next, we used the library to implement
may later realize that revealing their low reserve price
an instantiation of Gage MPC for a simple auction func-
will harm them in some future transaction. Either of
tionality, in our basic security setting (public-inputs,
these, or an attacker trying to cause a denial-of-service
no additional opening). That is, a seller posts an offer
disruption, may be willing to forego their bonds or bribe
with a secret reserve price, while buyers’ offers are pub-
MPC parties to lose theirs.
lic. Our prototype implementation is fully integrated in
An alternative, automated market maker, forgoes or-
Ethereum Virtual Machine (EVM). Our implementa-
der books and implements the trading counterparty as
tion is described in Section 7.
a smart contract. All bids and offers are public, as is
the trading algorithm itself (which moreover must be
supplied with large liquidity pools).
1.3 Related Work
A recent scheme, which (like us) targets the issue
of guaranteed execution without requiring the parties
Our work is related to several concepts found in the lit-
to stay online, exploits time-lock puzzles to realize a
erature, including time capsules, Non-Interactive MPC,
sequential blockchain-based auction functionality [23].
and the use of blockchains to circumvent some impossi-
It follows the commit-and-open paradigm; parties seal
bility results and/or build new cryptographic primitives.
their bids in commitments, provide time-lock puzzles
In what follows, we provide a brief description of some
for the opening, then if the parties do not come later
of the works in each of these areas, while a more detailed
to open their commitments other miners will open the
discussion can be found in the full version [7].
puzzles and execute the auction. Their goal is to build
The notion of time capsules was first introduced
an auction-based proof-of-stake (PoS) mining algorithm
in [10], and is closely related to the notions of timed
to discourage hoarding currency.
commitments [15] and time-lock puzzles [46]. These con-
Our Gage MPC construction enables auctions which
structions are different from our use of time capsules.
have guaranteed evaluation, and moreover, are privacy-
In particular, the constructions of [15, 46] need to en-
preserving. Unlike [23], which opens all inputs in the
sure that the attacker cannot utilize parallelism in or-
clear during the execution phase, our scheme reveals
der to improve the run-time for the breaking protocol.
only whether or not the bid matched the offer. The offer
Yet, we focus on the total amount of computation that
price remains secret, and (if using the aforementioned
the adversary needs to compute in order to break the
private-input transformation) so does the bid. The pri-
time capsule, irrespective if this work is done in paral-
vacy level can be calibrated by configuring the amount
lel or not. Thus, most applications that would need to
of computation required to force-open the puzzles, i.e.,
the bounty-hunting path, which is translated into mon-
etary cost.
Such privacy was unnecessary for the narrow set- 9 It is unclear how the mining auctions of [23] would be thus
ting of [23], but it is clearly of interest in more general generalized, when their incentives are specific to mining, i.e., the
prospects of transaction fees and block rewards. For instance,
auction applications. Moreover, we provide a general
without incentive for the nominal path, a party can post a bid
auction functionality that can be used by any user to and then disappear, leaving it to others to expensively open the
commitment and execute the auction — with no penalty, thus
enabling a DoS attack.Gage MPC 536
enforce some minimal amount of work, with the fine- even theoretical constructions under standard assump-
grained capability of configuring the amount of infor- tions) or the use of secure hardware like SGX. A more
mation leakage based on the computation power of the recent work [28] exploited the consensus protocols in
adversary, would need our modified time-capsules no- blockchains, particularly that what matters is the hon-
tion and construction. Other recent works [17, 39] in- est power majority (whether it is computing power, or
troduced the notion of homomorphic time-lock puzzles, stake, etc.) rather than the number of parties to circum-
which allows to combine homomorphically time puz- vent the n/3 lower bound of MPC with malicious par-
zles and then open a single puzzle containing the result ties when no private correlated randomness setup (e.g.,
of the computation. Homomorphic time-lock puzzles a PKI) is used.
also allow to design decentralized auctions, however the A related line of work used the blockchain model as
known constructions either require indistinguishability an alternative to strong assumptions. In [32] it is used
obfuscation [39] or multi-key fully homomorphic encryp- to avoid the trusted setup needed for non-interactive
tion [17]. The auction-based mining proposed in [23], knowledge (NIZK) proof systems, [19] strengthened this
similar to our work, brings the notion of time-lock puz- model and allowed the use of global public blockchains.
zles to the blockchain by having miners force open un- For implementing new cryptographic primitives or
opened puzzles. However, as discussed above, its focus is functionalities in the blockchain model, [35] used a pub-
on the time needed for opening rather than the compu- lic bulletin board to enable a trusted execution envi-
tational effort, and it does not incentivize the nominal ronment (TEE) hosted by an untrusted computer, to
path of puzzle opening, thereby leaving the miners vul- create a secure state without requiring a persistent in-
nerable to a DoS attack. ternal storage. In [37], a privacy preserving smart con-
Another related concept is verifiable delay func- tract framework is proposed, which permits implement-
tions [14, 25], in which a sequential function is evalu- ing MPC protocols on the blockchain. However, the pro-
ated over some input and takes at least t time steps posed framework requires to trust a manager with the
to be completed, while verifying the correctness of the users’ inputs. Our scheme does not introduce a privi-
output is much more efficient. Similar to time-lock puz- leged entity; it is fully distributed and decentralized. A
zles, VDFs are about ensuring a given bound on the stronger privacy notion appears in [16], where not only
computation delay is satisfied (and that parallelism is the user’s input is protected, but also the executed func-
not effective in attacking the scheme) rather than the tionality. Our scheme addresses both data privacy and
amount of computation. On the other hand, the notion function privacy (by garbling a universal circuit), but
of pricing functions [24, 41], where the proof-of-work without requiring a privacy-preserving ledger as in [16].
mining is an example of such functions, are similar in
spirit to our work. The goal is to utilize moderately hard
functions to put a price on some actions (e.g., sending
spam emails) in terms of amount of computation. Our
2 Proof-of-Opening Time
work extends this model by involving explicit monetary Capsules
rewards to enforce computation completion.
On the blockchain model and circumventing impos- In this section we present proof-of-opening time capsules
sibility results, as mentioned before, several works tar- (POTC), which enhance time capsules [10, 46] to add
geted the fairness issue in MPC. The works in [8, 13] the feature that a party that opens the time capsule
realize a financial-based notion of fairness in which the can prove in zero knowledge that it knows the open-
party that aborts after learning the output loses its ing (rather than exposing the committed value in the
penalty deposit to the honest players. This notion was clear). We propose candidate constructions that satisfy
formalized in [36] under what is called secure MPC our definition. The feature of proving the opening will
with compensation. As opposed to our constructions, be critical for our design of the new concept of GaTC
the output is not guaranteed: the honest players just and Gage MPC. Though we see the definition and proof
get compensated if they do not receive the output. On of these time capsules as an important contribution of
the other hand, [20] does not rely on financial incentives our paper, it is not the main one. We thus focus here
and achieve full fairness utilizing a public bulletin board on the aspects needed for the subsequent constructions,
(can be instantiated using a blockchain). However, their while (due to space limitation) formal security defini-
constructions require either extractable witness encryp- tions, constructions, and proofs can be found in the full
tion which has no known practical implementation (nor version [7].Gage MPC 537
2.1 Definition the proof is valid with regards to c, µ, and tag; and
outputs 0 otherwise.
We start by defining proof-of-opening time capsules. At We require the following properties to be satisfied:
a high level, POTC adds the following to the original Perfect correctness. TC.DVer returns 1 for hon-
time capsules [10, 46]. First, it allows the decommitment estly generated commitments and decommitments.
information to be different from the randomness used in TC.PVer returns 1 for honestly generated com-
generating the commitment (i.e, the capsule). As such, mitments and proofs. Furthermore, TC.ForceOpen
∗
we introduce an additional algorithm to verify a decom- makes about 2λ evaluations of H.
mitment. Second, it does not require the opening party Binding and Soundness. It is not possible to find a
to reveal the decommitment. This is needed since the commitment c for which there exists two valid de-
simple method of revealing the decommitment does not commitments d, d0 (resp., two valid proofs) for two
work for our purposes; an attacker who observes this different messages µ 6= µ0 .
value being sent can block or front-run it, and present Hiding and Simulatability. The original definition
∗
this opening as their own. By requiring a zero knowl- of time capsule stated that it should take about 2λ
edge proof instead to prove opening, our approach dis- evaluations of H to learn any information about the
arms such a malicious party and protects the party who committed message µ of a commitment c. This no-
did the work to open a capsule. tion is insufficient for our purpose, as we may use
In the definition below, λ is a standard crypto- many time capsules, in which case the adversary
graphic security parameter (in particular, a computa- may be able to open some of them. What we require
tion time of 2λ is not feasible). On the other hand, λ∗ is is that if the adversary makes significantly fewer
∗
a parameter capturing the hardness of forced-opening. than κ · 2λ evaluations of H, it should not be able
∗
That is, 2λ is the time it takes to recover the message to learn more than κ of the values in the capsules.
and a decommitment from the commitment alone; it This property is surprisingly difficult to formalize:
should be feasible (polynomial), but hard (λ∗ is a mea- our formal definition is simulation-based and uses
sure of how costly this is). ideas from trapdoor commitments [27].
Non-Malleability. Generating opening proofs for a
Definition 1 (informal). A Proof-of-Opening Time new tag tag (for which no such proof was gener-
Capsule is defined by five polynomial-time algorithms ated) for κ different commitments requires to make
∗
that make use of a hash function H modeled as a ran- around κ·2λ evaluations of H. In particular, seeing
dom oracle:
∗
proofs-of-opening for a commitment c and a tag tag0
– Commitment: (c, d) ← TC.Com(1λ , 1λ , µ) takes as does not help in generating a proof-of-opening for
input the security parameter λ, the opening hard- the same commitment and a different tag tag 6= tag0 .
ness parameter λ∗ , a message µ ∈ {0, 1}poly(λ) , and This property is used to ensure that parties cannot
outputs a commitment or time capsule c and its as- “steal” proof-of-opening from another party.
sociated decommitment d.
– Decommitment Verification: TC.DVer(1λ , c, µ, d)
takes as input the security parameter λ, a com- 2.2 Construction
mitment c, a message µ, a decommitment d and
outputs 1 if the decommitment is valid with regards We have the following theorem.
to c and µ; and outputs 0 otherwise.
– Forced Opening: (µ, d) ← TC.ForceOpen(c) takes as Theorem 2. There exists a POTC in the random ora-
input a commitment c, brute-forces its opening, and cle and generic group model.10
outputs the committed message µ and a valid decom-
mitment d. In this section, we present a simplified construc-
– Opening Proof: π ← TC.Prove(c, µ, d, tag) generates tion without proof-of-opening. Adding proof-of-opening
a proof π, with tag tag, that c commits to µ using could be done generically using simulation-extractable
the witness d. NIZK, but this would be highly inefficient. Instead, in
– Proof Verification: TC.PVer(1λ , c, µ, π, tag) takes as
input the security parameter λ, a commitment c, a
message µ, a proof π, a tag tag, and outputs 1 if 10 The construction uses both a hash function modeled as a
random oracle and a cyclic group modeled as a generic group.Gage MPC 538
the full version [7], we show how to transform the time Case 1. A single 15-bit seed. The probability that the
capsule below to make it more algebraic and uses a Fiat- adversary succeeds with q hash evaluations is around
Shamir proof. q/215 = q/32768. This is never negligible.
Our time capsule construction is based on the orig- Case 2. Eight 12-bit seeds. Let us simplify the proba-
inal construction in [10] and references within. In this bility analysis by allowing the adversary to make q hash
original construction, to commit to a message µ, the evaluations per seed, instead of q hash evaluations in
∗
committer first selects a low-entropy seed s ← R
{0, 1}λ , total (this only makes the adversary stronger). For each
then hashes this seed and uses this hash as a one-time seed, the adversary will hash the correct seed value with
pad to “encrypt” µ as c2 := H2 (s) xor µ (where H2 is probability around q/212 , which is not negligible. How-
a hash function). It also includes in the commitment a ever, the adversary must guess correctly each seed value,
hash of the seed, namely, c1 := H1 (s) where H1 is an- and each of these events are independent, so the adver-
other hash function, that is used to verify if a seed is sary’s success probability is about q 8 /(212 )8 = q 8 /296 ,
the valid one. The commitment is c := (c1 , c2 ).11 which is negligible in practice (by which we mean, less
Intuitively, to force open a commitment, we need to than 2−80 ).
enumerate the possible seeds s, hash them, and check We give some concrete parameters to show that the
∗
which one corresponds to c1 . This requires at most 2λ construction is efficient in the full version [7]. Even for
∗
hash evaluations of H1 , and on average 2λ /2 hash eval- 128 bits of security where the adversary should not learn
uations of H1 . any committed message (κ = 0), if the honest parties
Unfortunately, such a time-capsule does not satisfy are assumed to make about 240 hash evaluation to force
our definition of security. An adversary making even a open a commitment while the adversary is restricted
single hash evaluation of H1 and H2 may stumble upon to 230 hash evaluations, then only k = 15 seeds are
∗
the correct seed s, with probability 1/2λ , which is not required. For weaker notions of security (where the ad-
negligible. This makes such a commitment construction versary is allowed to open κ > 0 messages), the number
difficult, if not impossible, to use as a building block of of used seeds can be further decreased.
any cryptographic protocol.
We fix the above construction as follows. Instead
∗
of using a single seed s ∈ {0, 1}λ , we use k seeds
s1 , . . . , sk ∈ {0, 1}νs , where νs = λ∗ − blog2 kc. We 3 Gage Time Capsules
commit to each seed individually by computing c1,i =
H1 (iksi ), and then encrypt the message µ as c2 := 3.1 Definition
H2 (1ks1 ) xor · · · xor H2 (kksk ) xor µ. Thus, force opening a
∗
commitment takes about 2νs · k ≈ 2λ hash evaluations We proceed to introduce the notion of a Gage Time
(by trying every si ). Capsule (GaTC), which guarantees that one of several
However, the main difference now is that if the ad- posted commitments is opened according to some rule,
∗
versary can only make significantly fewer than 2λ hash even if the original committer does not cooperate in the
evaluations, the commitment will remain statistically opening.
hiding. For example, if the adversary makes at most k−1 A GaTC allows a committer party to publish several
hash evaluations, the message µ is perfectly hidden since commitments to values, and designate a controller party
the adversary will be missing one of the one-time pad that will choose which commitment will be opened.12
masks H2 (iksi ). This argument can be extended to an The committer also posts a collateral. It is guaranteed
adversary making many more than k hash evaluations that once the controller has made the choice of which
using a careful probability analysis and tail bounds. commitment to open, the commitment will indeed be
To provide more intuition of why this is true, let us opened shortly afterwards, one way or another. Either
consider two cases which require around the same num- the committer will open the designated commitment
ber of hash evaluations to brute force, which is about within a prescribed time window, and thereby reclaim
215 : the posted collateral; or someone (an arbitrary bounty
11 For the sake of simplicity, we do not include any salts in this 12 In our applications, the designated controller will be an ex-
overview, and assume that a single commitment is made. This isting smart contract, which commits to the procedure by which
is already sufficient to explain the issue we want to highlight. it will be decided which value to open.Gage MPC 539
hunter) will force-open the commitment, and receive the GaTC.ForceOpen have already been invoked and
collateral as profitable compensation for the requisite completed; otherwise it returns ⊥.
computational effort.
Abstractly, the GaTC functionality has the follow- Implicit parameters. For brevity, we let the message
ing interface. Given a broadcast channel, a consensus length be constant, and thus omit it from this descrip-
view of public events’ ordering, an approximate global tion. We also omit specification of the collateral amount
clock, and means to programmatically transfer assets and of the time window until the committer’s deadline;
(all of these will be realized, below, by an underlying these need to be calibrated to the properties of the appli-
blockchain): cation and the underlying asset and blockchain. In par-
ticular, the collateral amount should suffice to compen-
– Creation: The committer party invokes sate and incentivize the computation of TC.ForceOpen
∗
GaTC.Create(1λ , 1λ , µ, ctrl, deposit) (where λ is the (from the POTC) within GaTC.ForceOpen.
security parameter and λ∗ is the opening hard- The time window for the deadline should be long
ness parameter as defined in POTC) to commit enough to allow the committer party to open the time
to a vector of messages µ = (µ0 , . . . , µL−1 ) where capsules and recover its collateral. It is fixed indepen-
µi ∈ {0, 1}νµ , and places an associated collateral of dent of how long it takes to compute the opening by the
a prescribed monetary value, represented by deposit. bounty hunters. It only depends on how long (in num-
Initially, this collateral is locked up and inaccessible. ber of blocks) an adversary can censor a transaction
The existence of this new GaTC, and L, become (i.e., prevent it from being added to the blockchain),
public, but not the content of µ. The committer assuring that the committer party can post the open-
party also designates the party represented by ctrl ing.
as the controller of this GaTC.
– Request opening: The controller party invokes
GaTC.RequestOpen(σ) once, where σ ∈ ZL , to 3.2 Realization on a Blockchain
choose which commitment should be opened. This
index σ becomes public. From this event, we mea- Model. We realize the GaTC functionality using a
sure a prescribed time duration to a deadline T . POTC scheme TC along with a blockchain that supports
– Nominal opening: Subsequently, the committer may smart contracts and assets with monetary value. Specif-
invoke GaTC.NominalOpen(), which causes the value ically, we assume an append-only ledger, composed of
µσ to be publicly released. If this is the first time blocks each of which records an ordered list of trans-
that the committer called GaTC.NominalOpen, and actions; a consensus algorithm that provides all par-
moreover either the deadline T has not yet passed or ties with a consistent consensus view of this ledger; and
no call to GaTC.ForceOpen has been completed yet, a permissionless censorship-free protocol for appending
then the collateral is returned to the committer.13 transactions to this ledger. We assume that the transac-
– Bounty opening: GaTC.ForceOpen() can be invoked tion syntax and semantics support smart contracts, i.e.,
by any party (serving as a bounty hunter). This user-defined stateful interactive programs executed by
will cause that party to perform a computation- the blockchain’s consensus rules (e.g., as implemented
ally expensive process, and eventually publish the in Ethereum). We also assume that transactions can
value µσ . If the deadline T has passed, and moreover represent ownership and transfers of assets with mone-
this is the first invocation of GaTC.NominalOpen or tary value, such as a native cryptocurrency (e.g., ETH)
GaTC.ForceOpen that completed, then the the col- or other tokens (e.g., ERC-20 or ERC-721).
lateral is transferred to the bounty hunter. We consider time in terms of rounds, where a round
– Querying the result: GaTC.GetResult() may be in- is the time needed to append (i.e., mine) a block on
voked by anyone, after GaTC.RequestOpen has been the blockchain. Hence, a capsule’s grace period, i.e.,
invoked. This returns µσ if GaTC.NominalOpen or the time during which P0 can use the nominal path,
is defind in number of rounds. We assume a secure
blockchain that satisfies the liveness and persistence
security properties [29, 42]. In particular, censorship
(blocking publication of a valid transaction for un-
13 We assume a global clock; in the realization, this will be
defined by the length of a blockchain’s consensus view, measured
bounded time) is assumed infeasible due to the liveness
in blocks.You can also read
