Paper 2014/129

How to Use Bitcoin to Design Fair Protocols

Iddo Bentov and Ranjit Kumaresan

Abstract

We study a model of fairness in secure computation in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty. We then show how the Bitcoin network can be used to achieve the above notion of fairness in the two-party as well as the multiparty setting (with a dishonest majority). In particular, we propose new ideal functionalities and protocols for fair secure computation and fair lottery in this model. One of our main contributions is the definition of an ideal primitive, which we call ${\mathcal{F}}_{\mathrm{CR}}^{\star }$ ($\mathrm{CR}$ stands for ``claim-or-refund''), that formalizes and abstracts the exact properties we require from the Bitcoin network to achieve our goals. Naturally, this abstraction allows us to design fair protocols in a hybrid model in which parties have access to the $$ functionality, and is otherwise independent of the Bitcoin ecosystem. We also show an efficient realization of $$ that requires only two Bitcoin transactions to be made on the network. Our constructions also enjoy high efficiency. In a multiparty setting, our protocols only require a constant number of calls to $$ per party on top of a standard multiparty secure computation protocol. Our fair multiparty lottery protocol improves over previous solutions which required a quadratic number of Bitcoin transactions.