Results 1 - 10 of 19
Multiparty Computation with Faulty Majority, 1989
Cited by 67 (4 self)
Abstract. We address the problem of performing a multiparty computation when more than half of the processors are cooperating Byzantine faults. We show how to compute any boolean function of n inputs distributively, preserving the privacy of inputs held by nonfaulty processors, and ensuring that faulty processors obtain the function value “if and only if” the nonfaulty processors do. If the nonfaulty processors do not obtain the correct function value, they detect cheating with high probability. Our solution is based on a new type of verifiable secret sharing in which the secret is revealed not all at once but in small increments. This slow-revealing process ensures that all processors discover the secret at roughly the same time. Our solution assumes the existence of an oblivious transfer protocol and uses broadcast channels. We do not require that the processors have equal computing power.
Practical Protocols For Certified Electronic Mail - Journal of Network and Systems Management, 1996
Cited by 59 (1 self)
Electronic mail, or e-mail, has brought us a big step closer towards the vision of paperless offices. To advance even closer to this vision, however, it is essential that existing e-mail systems be enhanced with value-added services which are capable of replacing many of the human procedures established in pen and paper communications. One of the most important and desirable such services is certified e-mail delivery, in which the intended recipient will get the mail content if and only if the mail originator receives an irrefutable proof-of-delivery from the recipient. In this paper, we present the design of two third-party based certified mail protocols, termed CMP1 and CMP2. Both protocols are designed for integration into existing standard e-mail systems and both satisfy the requirements of non-repudiation of origin, non-repudiation of delivery, and fairness. The difference between CMP1 and CMP2 is that the former provides no mail content confidentiality protection while the lat...
On the Security of Multi-Party Ping-Pong Protocols, 1985
Cited by 51 (1 self)
This paper is concerned with the model for security of cryptographic protocols suggested by Dolev and Yao. The Dolev and Yao model deals with a restricted class of protocols, known as Two-Party Ping-Pong Protocols. In such a protocol, messages are exchanged in a memoryless manner. That is, the message sent by each party results from applying a predetermined operator to the message he has received. The Dolev and Yao model is presented, generalized in various directions and the effect of these generalizations is extensively studied. First, the model is trivially generalized to deal with multi-party ping-pong protocols. However, the problems which arise from this generalization are very far from being trivial. In particular, it is no longer clear how many saboteurs (adversaries) should be considered when testing the security of p-party ping-pong protocols. We demonstrate an upper bound of 3(p - 2) + 2 and a lower bound of 3(p - 2) + 1 on this number. Thus, for every fixed p, th...
Rational Secret Sharing and Multiparty Computation (Extended Abstract), 2004
Cited by 43 (8 self)
Joseph Halpern (Cornell University, Ithaca, NY 14853, halpern@cs.cornell.edu), Vanessa Teague (Stanford University, Stanford, CA 94305-9025, vteague@cs.stanford.edu). Abstract. We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (resp., function value) to not getting it, and secondarily, prefer that as few as possible of the other agents get it. We show that, under these assumptions, neither secret sharing nor multiparty function computation is possible using a mechanism that has a fixed running time. However, we show that both are possible using randomized mechanisms with constant expected running time.
Escrow Services and Incentives in Peer-to-Peer Networks - In EC, 2001
Cited by 30 (0 self)
Distribution of content, such as music, remains one of the main drivers of P2P development. Subscription-based services are currently receiving a lot of attention from the content industry as a viable business model for P2P content distribution. One of the main problems that such services face is that users may choose to redistribute content outside the community of subscribers, thereby facilitating large-scale piracy. Digital Rights Management (DRM) systems typically employ tamper resistance techniques to control this risk. We propose a system architecture that uses economic incentives instead of tamper resistance to motivate users to keep the content within the subscription community. The key technical contribution we make is to integrate a P2P file sharing service with an escrow service that reliably "pays" the party that is serving up the content. The payment itself can be realized in a number of ways, using "actual" money or bonus points such as frequent flyer miles.
Complexity and Security of Distributed Protocols, 1993
Cited by 18 (0 self)
This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents. We study many related models, which differ as to the allowable communication among agents, the ways in which agents may misbehave, and the complexity (cryptographic) assumptions that are made. We present new protocols, both for general secure computation (i.e., of any function over a finite domain) and for specific tasks (e.g., electronic money). We investigate fundamental relationships among security needs and various resource requirements, with an emphasis on communication complexity. A number of mathematical methods are employed for our investigations, including algebraic, graph-theoretic, and cryptographic techniques.
TRICERT: A Distributed Certified E-Mail Scheme, 2001
Cited by 17 (2 self)
In this paper we present protocols for distributed certified e-mail, which use encryption to ensure both confidentiality and fairness. As with other protocols for certified e-mail, ours achieve fairness by placing trust on an external entity, referred to as the Trusted Third Party (TTP). The TTP can become a bottleneck, however, and we explore scenarios that support a distributed TTP, in the context of both off-line and online protocols. With several servers dividing the TTP responsibilities, the level of confidence placed in individual servers can be reduced without compromising the TTP's overall trust.
Secure Group Barter: Multi-Party Fair Exchange with Semi-Trusted Neutral Parties - Lecture Notes in Computer Science, 1998
Cited by 14 (0 self)
The recent surge in popularity of e-commerce prompted a lot of activity in the area of electronic payments. Solutions have been developed for cash, credit card and check-based electronic transactions. Much less attention has been paid to non-monetary commerce such as barter. In this paper we discuss the notion of "secure group barter" or multi-party fair exchange. We develop a classification of types of barter schemes and present new cryptographic protocols for multi-party exchange with fairness. These protocols assume the presence of a "semi-trusted neutral party". 1 Introduction This paper is concerned with the barter of digital goods among groups of participants in the electronic world. The kind of barter we envision is an instantaneous, one-time, discrete trade arrangement by an ad hoc group of participants. A crucial issue for this kind of barter situation is "fairness". This is a kind of atomicity property for the exchange, whereby no participant gives anything away unless she g...
Timed commitments (Extended Abstract) - In Advances in Cryptology - CRYPTO ’00, 2000
Cited by 13 (0 self)
We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty preserving auctions and collective coin-flipping, are discussed.
Efficiency Tradeoffs for Malicious Two-Party Computation - In the 9th PKC conference, Springer-Verlag (LNCS 3958), 2006
Cited by 13 (2 self)
Abstract. We study efficiency tradeoffs for secure two-party computation in presence of malicious behavior. We investigate two main approaches for defending against malicious behavior in Yao’s garbled circuit method: (1) Committed-input scheme, (2) Equality-checker scheme. We provide asymptotic and concrete analysis of communication and computation costs of the designed protocols. We also develop a weaker definition of security (k-leaked model) for malicious two-party computation that allows for disclosure of some information to a malicious party. We design more efficient variations of Yao’s protocol that are secure in the proposed model. Keywords: secure two-party computation, secure function evaluation, Yao’s garbled circuit, malicious adversary.

