Blockchain and secure computation Vassilis Zikas RPI Winter School - PowerPoint PPT Presentation

The Public Transaction Ledger [KZZ16] t G ledger ? Blockify(.) time? “State” (Submit, x) x Validate(.) Buffer State x 1 ,x 2, … x = Yes No π (x 1 ,…) “State” x (Permute, π ) GetState Can reorder the recently inserted transactions

The Public Transaction Ledger [KZZ16] t G ledger ? Blockify(.) time? “State” x (Submit, x) x Validate(.) Buffer State x 1 ,x 2, … x = Yes No π (x 1 ,…) “State” x (Permute, π ) GetState Can reorder the recently inserted transactions

The Public Transaction Ledger [KZZ16] t G ledger ? Blockify(.) time? “State” x (Submit, x) x Validate(.) Buffer State x Yes No “State” x (Permute, π ) GetState Can reorder the recently inserted transactions

The Public Transaction Ledger [KZZ16] t G ledger ? Blockify(.) time? (B, t) “State” x (Submit, x) x Validate(.) Buffer State x Yes No “State” x (Permute, π ) GetState Can reorder the recently inserted transactions

The Public Transaction Ledger [KZZ16] t G ledger ? Blockify(.) time? (B, t) “State” x (Submit, x) x Validate(.) Buffer State x Yes No “State” x (Permute, π ) GetState More adversarial interference to have an accurate abstraction Can reorder the recently [BadetscherMaurerTschudiZikas17] inserted transactions (Also a construction from the Bitcoin network/protocol)

What Crypto can get from Bitcoin? Use what is on A public this ledger transaction ledger A bulletin board with a filter on what gets written there

What Crypto can get from Bitcoin? Use what is on A public this ledger transaction ledger A bulletin board with a filter on what gets written there How can we use it?

A simple e-voting protocol

A simple e-voting protocol Tools 1/2: Threshold Encryption • n-servers S 1 ,…,S n • Each S i has secret key (share) sk i • There is one public key pk

A simple e-voting protocol Tools 1/2: Threshold Encryption • n-servers S 1 ,…,S n • Each S i has secret key (share) sk i • There is one public key pk • Encryption: Everyone with pk can compute an encryption of message m, i.e., c=Enc pk (m) • Decryption: All n servers together can decrypt, i.e., Dec sk1,…skn (c)=m • Threshold: No n-1 servers can learn any information from the encryption

A simple e-voting protocol Tool 2/2: Additive Homomorphic Encryption Given ciphertexts c 1 =Enc pk (m 1 ) and c 2 =Enc pk (m 2 ) we can compute encryption Enc pk (m 1 +m 2 )

A simple e-voting protocol Tool 2/2: Additive Homomorphic Encryption Same encryption key Given ciphertexts c 1 =Enc pk (m 1 ) and c 2 =Enc pk (m 2 ) we can compute encryption Enc pk (m 1 +m 2 )

A simple e-voting protocol … S 1 S n Setup • n electoral authorities S 1 ,…,S n with key shares sk 1 ,…,sk n and pk. Bulletin Board To vote • Each voter V i encrypts his vote i (0 or 1) and submits c i =Enc pk (vote i ) to the BB • The votes are homomorphically tallied Enc pk (vote 1 ) (i.e., c:=Enc pk (vote 1 + vote 2 + …) ) Enc pk (vote 1 ) • c is decrypted by the electoral authorities … V 1 V 2

A simple e-voting protocol … S 1 S n Setup • n electoral authorities S 1 ,…,S n with key shares sk 1 ,…,sk n and pk. G ledger To vote • Each voter V i encrypts his vote i (0 or 1) Validate(.) State Buffer G ledger and submits c i =Enc pk (vote i ) to the BB • The votes are homomorphically tallied Enc pk (vote 1 ) (i.e., c:=Enc pk (vote 1 + vote 2 + …) ) Enc pk (vote 1 ) • c is decrypted by the electoral authorities … V 1 V 2

A simple e-voting protocol … S 1 S n Setup • n electoral authorities S 1 ,…,S n with key shares sk 1 ,…,sk n and pk. G ledger To vote • Each voter V i encrypts his vote i (0 or 1) Validate(.) State Buffer G ledger and submits c i =Enc pk (vote i ) to the BB • The votes are homomorphically tallied Enc pk (vote 1 ) (i.e., c:=Enc pk (vote 1 + vote 2 + …) ) Enc pk (vote 1 ) • c is decrypted by the electoral authorities … V 1 V 2 Having a public transaction ledger ensures that • The Bulletin Board where the votes are kept is decentralized, i.e., no server needs to be trusted to maintain it • The parties can see when the votes are added (no reordering is allowed) • A vote that is added cannot be deleted

What Crypto can get from Bitcoin? What is on this A public ledger? transaction ledger A bulletin board with a filter on what gets written there

What Crypto can get from Bitcoin? What is on this A public ledger? transaction ledger A bulletin board with a filter on what gets written there

What Crypto can get from Bitcoin? What is on this A public ledger? transaction ledger A bulletin board with a filter on what gets Random written there Stuff

What Crypto can get from Bitcoin? What is on this A public ledger? transaction ledger A bulletin board with a filter on what gets Random written there Money Stuff

What Crypto can get from Bitcoin? What is on this A public ledger? transaction ledger A bulletin board with a filter on what gets Random written there Money ?? Stuff

What Crypto can get from Bitcoin? Use what is on A public this ledger transaction ledger A bulletin board with a filter on what gets Random written there Money ?? Stuff

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) …

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful?

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? • Lotteries:

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? USE • Lotteries: CRYPTO

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? USE • Lotteries: CRYPTO • Before time t 2 : collect tokens x 0000 , x 0001 ,…

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? USE • Lotteries: CRYPTO • Before time t 2 : collect tokens x 0000 , x 0001 ,… • At time t 2: The token indexed by the beacon’s value wins

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? USE • Lotteries: CRYPTO • Before time t 2 : collect tokens x 0000 , x 0001 ,… • At time t 2: The token indexed by the beacon’s value wins

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? USE • Lotteries: CRYPTO • Before time t 2 : collect tokens x 0000 , x 0001 ,… • At time t 2: The token indexed by the beacon’s value wins • Zero-knowledge Proofs • Common Random String (aka the cryptographer’s paradise)

The Bitcoin ledger as a random beacon G ledger Validate(.) State Buffer (t 1 ,0110), (t 2 ,0001) … Why is this useful? Is it possible? • Heuristically: Hash each block [AndrychowiczDziembowski15] • No: if we require the rate of the beacon to be the same as the Bitcoin network [BentovGabizonKiayiasZhouZikasZuckerman17] • Yes: if we allow a much slower beacon rate • Under number theoretic assumptions [LenstraWesolowski15] • Assuming (only) random oracles [ongoing …]

What Crypto can get from Bitcoin? Use what is on A public this ledger transaction ledger A bulletin board with a filter on what gets Random written there Money ?? Stuff

What Crypto can get from Bitcoin? Use what is on A public this ledger transaction ledger A bulletin board with a filter on what gets Random written there Money ?? Stuff People (good or bad) want money

What Crypto can get from Bitcoin? Use what is on A public this ledger transaction ledger A bulletin board with a filter on what gets Random written there Money ?? Stuff People (good or bad) want money We can use bitcoins as compensation for relaxed security

Leveraging Security Loss with Coins … in Secure Multi-Party Computation (MPC)

Leveraging Security Loss with Coins … in Secure Multi-Party Computation (MPC)

Multi-Party Computation (MPC) Goal: Parties P 1 ,…,P n with inputs x 1 ,…,x n wish to compute a function f(x 1 ,…,x n ) securely

Multi-Party Computation (MPC) F f Ideal World x 1 x 2 x n f(x ̅ )=y f(x ̅ ) f(x ̅ ) … P 1 P 2 P n

Multi-Party Computation (MPC) F f Ideal World x 1 x 2 x n f(x ̅ )=y f(x ̅ ) f(x ̅ ) … P 1 P 2 P n Real World … P 1 P 2 P n

Multi-Party Computation (MPC) F f Ideal World x 1 x 2 x n f(x ̅ )=y f(x ̅ ) f(x ̅ ) … P 1 P 2 P n ≈ Real World π 1 (x 1 ) π 2 (x 2 ) π n (x n ) … P 1 P 2 P n

Multi-Party Computation (MPC) F f Ideal World x 1 x 2 x n f(x ̅ )=y f(x ̅ ) f(x ̅ ) … P 1 P 2 P n ≈ Real World π 1 (x 1 ) π 2 (x 2 ) π n (x n ) … P 1 P 2 P n

Multi-Party Computation (MPC) F f Ideal World x 1 x 2 x n f(x ̅ )=y f(x ̅ ) f(x ̅ ) … P 1 P 2 P n Protocol π is secure if for every adversary : ≈ • (privacy) Whatever the adversary learns he could compute by himself • (correctness) Honest (uncorrupted) parties learn their correct outputs Real World π 1 (x 1 ) π 2 (x 2 ) π n (x n ) … P 1 P 2 P n

Multi-Party Computation (MPC) Private blockchains are a special case F f Ideal World x 1 x 2 x n f(x ̅ )=y f(x ̅ ) f(x ̅ ) … P 1 P 2 P n Protocol π is secure if for every adversary : ≈ • (privacy) Whatever the adversary learns he could compute by himself • (correctness) Honest (uncorrupted) parties learn their correct outputs Real World π 1 (x 1 ) π 2 (x 2 ) π n (x n ) … P 1 P 2 P n

Fair MPC In fair MPC: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output

Fair MPC In fair MPC: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output F f y ⊥ ⊥ P 1 P 2 P n

Fair MPC In fair MPC: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output F f ✘ (Unfair) y ⊥ ⊥ P 1 P 2 P n

Fair MPC In fair MPC: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output F f ✘ (Unfair) y ⊥ ⊥ P 1 P 2 P n Fair MPC is impossible against corrupted majorities

Fair MPC In fair MPC: If the adversary learns any information beyond (what is derived by) its inputs then every honest party should learn the output F f ✘ (Unfair) y ⊥ ⊥ P 1 P 2 P n Fair MPC is impossible against corrupted majorities Security against Security with = corrupted majorities abort