Toolkit for Secure Multi-Party Computation on Ledgers

blog
Secure multi-party computation (SMPC) [1,2] allows a set of mutually distrustful parties to jointly evaluate a function through the execution of a cryptographic protocol while preserving input/output privacy.

There exist efficient SMPC protocols when the adversary is passive (i.e., the protocol is executed as prescribed) and assuming honest majority (i.e., the number of malicious parties involved in the joint computation is smaller than the number of honest parties) [3]. The case with an active adversary (i.e., the adversary can arbitrarily deviate from the prescribed protocol) without honest majority is definitively more challenging. Interestingly, there are interesting functions admitting efficient SMPC protocols even in these harder scenarios [4].


In general, the design of an ad-hoc protocol for a specific function usually produces a more efficient implementation compared to generic protocols. On the other hand, every new ad-hoc protocol must be carefully analyzed and proven secure and this can be very expensive. Considering such difficulties, the task of implementing SMPC protocols for new functions is highly simplified by generic SMPC libraries that allow to run SMPC protocols for any function. Such libraries typically require point-to-point communication channels established through client-server TCP/IP connections among each pair of parties. This network requirement can create complications due to firewalls and privacy issues (i.e., hiding the IP address would require additional complications like the use of a VPN or of TOR). Moreover, during the computation the parties are required to be simultaneously online. Finally, there are fairness issues due to aborts (i.e., a player unhappy with the result might abort stopping others from computing the result) and lack of public verifiability about who did what.

The above issues can be significantly mitigated using a ledger as bulletin board hosting all messages of the joint computation. In this case parties will just upload data through transactions and receive data reading transactions posted by others, without directly exposing the IP addresses, or needing to bypass a firewall, or to be simultaneously online. Moreover, the entire execution is publicly verifiable, and penalties can be added (e.g., using the underlying cryptocurrency in case the ledger consists of a permissionless blockchain) to punish unfair parties. Finally, a message sent just once to the ledger is actually a broadcast that will be received by all parties, avoiding the delivery of the message to all other parties one-by-one through direct channels.

As part of its tasks in PRIViLEDGE, University of Salerno is building a toolkit for ledger-oriented secure two/multi-party computation. The goal of the toolkit is to upgrade existing libraries for SMPC so that they can leverage popular ledgers like Ethereum and Hyperledger Fabric to mitigate the above issues. A useful feature of the toolkit is that it essentially uses the SMPC libraries almost in a black-box way (i.e., without requiring any modification of the code of the SMPC library).

Given a communication channel between a party \(P_i\) and a party \(P_j\) both using the SMPC library, the toolkit behaves as a proxy as follows:
  • it redirects messages (generated by the SMPC library) coming from \(P_i\) and directed to \(P_j\) by encapsulating and posting such messages to a generic ledger;
  • it reads messages posted by \(P_j\)’s proxy to the ledger, removes the encapsulation and redirects them to \(P_i\) (in turn, to the SMPC library).

The toolkit consists of two main parts: the proxy component and the ledger component. The proxy component takes care of the communication with the SMPC library, and the ledger component is an interface that can be used by the proxy to post and read messages through transactions.

We have successfully tested the toolkit with two SMPC libraries, EMP [5] and MPyC [6]. We have also implemented a natural ad-hoc SMPC protocol for coin tossing that is active-secure against a majority of corrupt parties, interacting as usual through TCP sockets. Again, this joint computation can be transparently redirected to the ledger using the toolkit. One can concretely instantiate the generic ledger using Ethereum and Hyperledger Fabric (HLF), through some ad-hoc libraries allowing to connect the proxy to Ethereum peers and HLF peers. For testing purposes, the toolkit can also be connected to a dummy ledger (i.e., a centralized file managed by a server) emulating the entire process in a faster and cheaper environment. The language used to implement the toolkit is Java and the connections to the ledgers use the web3j library [7] for Ethereum and Fabric Java libraries for HLF.  

As pointed out in [8], when executing a protocol through a ledger, forks can be an issue if the protocol messages are sent without waiting that previous messages are confirmed in the ledger (i.e., immutable). Such a situation can happen for instance in Ethereum. Still, some SMPC protocols can be safely executed without waiting for any confirmation. Therefore, when configuring the proxy, it is possible to explicitly choose to run the SMPC protocol in quick mode (i.e., there is no delay due to unconfirmed transactions) or not (there is a delay but then the execution is secure for any SMPC protocol). 

The toolkit is a useful tool for developers and researchers interested in ledger-oriented SMPC. It will be an open-source proof-of-concept implementation offering some preliminary useful features. More features can be added by the interested community. The applicability of the toolkit goes even beyond SMPC since one can leverage the toolkit whenever public verifiability of messages exchanged in TCP/IP sessions is desired.


Written by Daniele Friolo and Ivan Visconti, the University of Salerno (UNISA).


References:

[1] Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3-5 November 1982, pages 160–164, 1982.

[2] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM. Symposium on Theory of Computing, 1987, New York, New York, USA, pages 218–229, 1987.

[3] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In STOC, pages 1–10, New York, NY, USA, 1988. ACM.

[4] Benny Pinkas, Mike Rosulek, Ni Trieu, Avishay Yanai: PSI from PaXoS: Fast, Malicious Private Set Intersection. EUROCRYPT (2) 2020: 739-767.

[5] EMP Toolkit. https://github.com/emp-toolkit

[6] MPyC – Python Package for Secure Multiparty Computation. https://github.com/lschoe/mpyc

[7] Web3j Ethereum libraries. http://docs.web3j.io/latest/

[8] Software Developers vs Blockchain Application Developers, Ivan Visconti, PRIViLEDGE Blog.https://priviledge-project.eu/news/software-developers-vs-blockchain-application-developers