Secure and Fair Computations on Forking Blockchains

Semantic Scholar (2020)

Abstract
In this work we consider finality issues in forking blockchains (such as Bitcoin and Ethereum), and study the security and efficiency of distributed protocols that leverage them. In particular, we focus on multi-party computation (MPC) protocols run on-chain with the aid of smart contracts, where honest players face the following dilemma: should I immediately rush to send the next protocol message based on my current view of the blockchain, or rather wait until prior messages are final on the blockchain before sending the next one? To the best of our knowledge, the (implicit) default option used in previous work is the second one, and thus known on-chain MPC protocols take a long time to execute on blockchains with poor finality (e.g., several hours per transaction in Bitcoin). While rushing would clearly be preferable for efficiency, we show that this is not necessarily the case for security, as there are natural examples of on-chain MPC protocols that simply become insecure in the presence of rushing players. Our contributions are twofold:

• We design a compiler that takes any "digital and universally composable" MPC protocol (with or without honest majority) and transforms it into another one (for the same task and same setup) where all messages are played on chain and security is preserved in the presence of rushing players. The special requirements on the starting protocol mean that messages consist only of bits (e.g., no hardware token is sent) and that security holds also in the presence of other protocols. We show that our compiler also satisfies fairness with penalties as long as honest players become rushing after the first round of the protocol (of all players) has been confirmed on the blockchain.

• For the concrete case of fairly tossing multiple coins with penalties, we show that the lottery protocol of Andrychowicz et al. (S&P '14) becomes insecure in the presence of rushing players. In addition, we present a new protocol that instead retains security even if the players are fully rushing (i.e., without waiting for any confirmation), thus improving on the output of our generic compiler for this specific functionality. We analyze the performance of our new protocol using Ethereum as a testbed.
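The following toy simulation is an added illustration of the rush-or-wait dilemma described in the abstract; it is not code from the paper and does not reproduce the paper's compiler or its lottery protocol. It models a forking chain where the longest branch is canonical, a two-round protocol whose second message only makes sense once the first is on chain, and a single honest player who either rushes (sends round 2 after one confirmation) or waits for a chosen confirmation depth. The reorg sequence, block contents, and message names (`A:round1`, `A:round2`) are constructed for the example. The point it shows from a defender's view: with a rushing policy a reorg can leave the round-2 message on the canonical chain ahead of (or without) the round-1 message it depends on, whereas a waiting policy keeps the on-chain order intact at the cost of more blocks.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Block:
    height: int
    parent: Optional["Block"]
    txs: List[str] = field(default_factory=list)


class ForkingChain:
    """Toy forking blockchain: every mined block is kept, the highest block wins
    (ties go to the block seen first), so a longer competing branch causes a reorg."""

    def __init__(self) -> None:
        self.genesis = Block(0, None)
        self.blocks: List[Block] = [self.genesis]

    def extend(self, parent: Block, txs: List[str]) -> Block:
        block = Block(parent.height + 1, parent, list(txs))
        self.blocks.append(block)
        return block

    def canonical_tip(self) -> Block:
        return max(self.blocks, key=lambda b: b.height)

    def canonical_blocks(self) -> List[Block]:
        path, cur = [], self.canonical_tip()
        while cur is not None:
            path.append(cur)
            cur = cur.parent
        return list(reversed(path))

    def canonical_txs(self) -> List[str]:
        return [tx for b in self.canonical_blocks() for tx in b.txs]

    def confirmations(self, tx: str) -> int:
        """Blocks on the canonical chain from the one containing tx to the tip; 0 if tx is not canonical."""
        tip = self.canonical_tip()
        for b in self.canonical_blocks():
            if tx in b.txs:
                return tip.height - b.height + 1
        return 0


class Player:
    """Honest player A: broadcasts round 2 once round 1 has confirm_depth confirmations in A's current view."""

    def __init__(self, name: str, confirm_depth: int) -> None:
        self.round1, self.round2 = f"{name}:round1", f"{name}:round2"
        self.confirm_depth = confirm_depth
        self.sent_round2 = False

    def step(self, chain: ForkingChain, mempool: List[str]) -> None:
        if not self.sent_round2 and chain.confirmations(self.round1) >= self.confirm_depth:
            mempool.append(self.round2)
            self.sent_round2 = True


def take(mempool: List[str]) -> List[str]:
    """A miner includes everything currently in its mempool."""
    txs, mempool[:] = list(mempool), []
    return txs


def ordering_ok(txs: List[str], name: str = "A") -> bool:
    """Invariant a round-based protocol relies on: round 2 appears on chain only after round 1."""
    r1, r2 = f"{name}:round1", f"{name}:round2"
    if r2 not in txs:
        return True
    return r1 in txs and txs.index(r1) < txs.index(r2)


def run_scenario(confirm_depth: int) -> List[str]:
    """Constructed reorg: branch X includes A's round 1, then a partitioned branch Y overtakes it."""
    chain, player = ForkingChain(), Player("A", confirm_depth)
    mempool: List[str] = [player.round1]               # A broadcasts round 1
    x1 = chain.extend(chain.genesis, take(mempool))    # branch X confirms it once
    player.step(chain, mempool)                        # a rushing player sends round 2 here
    y1 = chain.extend(chain.genesis, [])               # Y miners built this before seeing A's messages
    y2 = chain.extend(y1, take(mempool))               # ...but pick up whatever A broadcast since
    # After the reorg to Y, transactions from the orphaned block return to the mempool.
    mempool.extend(tx for tx in x1.txs if tx not in chain.canonical_txs())
    tip = y2
    for _ in range(4):                                 # honest mining continues on the canonical branch
        player.step(chain, mempool)
        tip = chain.extend(tip, take(mempool))
    return chain.canonical_txs()


if __name__ == "__main__":
    for depth in (1, 2):
        order = run_scenario(depth)
        print(f"confirm_depth={depth}: {order} ordering_ok={ordering_ok(order)}")
```

With `confirm_depth=1` (rushing) the final canonical order is `['A:round2', 'A:round1']`, which violates the round ordering; with `confirm_depth=2` (waiting) it is `['A:round1', 'A:round2']`. A confirmation-depth check like `Player.step` is the simple mitigation the abstract calls the default, and the cost it describes is visible here as the extra blocks needed before round 2 lands.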