Paper 2018/942

Insured MPC: Efficient Secure Multiparty Computation with Punishable Abort

Carsten Baum and Bernardo David and Rafael Dowsley

Abstract

Fairness in Secure Multiparty Computation (MPC) is known to be impossible to achieve in the presence of a dishonest majority. Previous works have proposed combining MPC protocols with Cryptocurrencies in order to financially punish aborting adversaries, providing an incentive for parties to honestly follow the protocol. This approach also yields privacy-preserving Smart Contracts, where private inputs can be processed with MPC in order to determine the distribution of funds given to the contract. Unfortunately, the focus of existing work is on proving that this approach is possible and they present monolithic and mostly inefficient constructions. In this work, we put forth the first modular construction of ``Insured MPC'', where the result of the private computation of parties either yields an output describing how to distribute funds or a proof that a set of parties has misbehaved, allowing for financial punishments. Moreover, both the output and the proof of cheating are publicly verifiable, allowing third parties to independently validate an execution. We present a highly efficient protocol which allows public verification of cheating behavior during the output stage. This scheme is constructed using a publicly verifiable homomorphic commitment scheme, for which we propose an efficient construction. Furthermore, we construct a compiler that uses any such scheme together with a Smart Contract to implement Insured MPC. This compiler requires a standard (non-private) Smart Contract. Our results are proven in the Universal Composability framework using a Global Random Oracle as the setup assumption. From a theoretical perspective, our general results provide the first characterization of sufficient properties that MPC protocols must achieve in order to be efficiently combined with Cryptocurrencies, as well as insights on publicly verifiable protocols. On the other hand, all our constructions and protocols are highly efficient and allow for a fast implementation.