Constant-Round Linear-Broadcast Secure Computation with Penalties

TL;DR

This paper presents a novel constant-round, linear-broadcast secure computation protocol with penalties based on Bitcoin, achieving improved efficiency by allowing non-equivalent penalties and removing this relaxation without efficiency loss.

Contribution

It introduces the first constant-round, linear-broadcast secure computation with penalties protocol based on Bitcoin, including a new ideal functionality and techniques for non-equivalent penalties.

Findings

Achieves constant-round and linear-broadcast efficiency.

Introduces a new ideal functionality 'claim-refund-or-give' for Bitcoin.

Provides a method to remove non-equivalence of penalties without efficiency loss.

Abstract

It is known that Bitcoin enables achieving fairness in secure computation by imposing monetary penalties on adversarial parties. This functionality is called secure computation with penalties. Bentov and Kumaresan (Crypto 2014) introduced the claim-or-refund functionality that can be implemented via Bitcoin. They achieved secure computation with penalties with $O(n)$ rounds and $O(n)$ broadcasts for any function, where $n$ is the number of parties. After that, Kumaresan and Bentov (CCS 2014) showed a constant-round protocol. Unfortunately, this protocol requires $O(n^2)$ broadcasts. As far as we know, no protocol achieves $O(1)$ rounds and $O(n)$ broadcasts based on Bitcoin. This work accomplishes such efficiency in secure computation with penalties. We first show a protocol in a slightly relaxed setting called secure computation with non-equivalent penalties. This setting is the same as secure computation with penalties except that every honest party receives more than a predetermined amount of compensation, while the previous one requires that every honest party receives the same amount of compensation. Namely, our setting allows the compensations for honest parties to be non-equivalent. Moreover, we present a technique to remove the non-equivalence of our protocol without sacrificing efficiency. We then propose a new ideal functionality called claim-refund-or-give that can be implemented via Bitcoin.