Ranjit Kumaresan: How to Use Bitcoin to Design Fair Protocols

Friday, March 13, 2015 - 10:30am to 12:00pm
Ranjit Kumaresan, MIT
We study a model of fairness in secure computation in which an adversarial party that 
aborts on receiving output is forced to pay a mutually predefined monetary penalty. We 
then show how the Bitcoin network can be used to achieve the above notion of fairness 
in the two-party as well as the multiparty setting (with a dishonest majority). In particular, 
we propose new ideal functionalities and protocols for fair secure computation and  fair 
lottery in this model. 
One of our main contributions is the definition of an ideal primitive, which we call 
$\mathcal{F}_{\mathrm{CR}}^\star$ ($\mathrm{CR}$ stands for ``claim-or-refund''), that 
formalizes and abstracts the exact properties we require from the Bitcoin  network to 
achieve our goals. Naturally this abstraction allows us to design fair protocols in a hybrid 
model in which parties have access to the $\mathcal{F}_{\mathrm{CR}}^\star$  functionality, 
and is otherwise  independent of the Bitcoin ecosystem. We also show an efficient realization 
of $\mathcal{F}_{\mathrm{CR}}^\star$ that requires only two Bitcoin transactions to be made 
on the network. 
Our constructions also enjoy high efficiency. In a multiparty setting, our protocols  only 
require a constant number of calls to $\mathcal{F}_{\mathrm{CR}}^\star$ per party on top 
of a standard  multiparty secure computation protocol. Our fair multiparty lottery protocol 
improves over previous solutions which required a quadratic number of Bitcoin transactions. 
Joint work with Iddo Bentov (Technion).