1 Introduction
Secret Santa is a Christmas tradition, where members of a group are randomly assigned to another person, to whom they have to offer a gift. The identity of the person offering the present is usually secret [Liberti:2008:secretsanta, Mauw:2014:ssanta, Ryan2016], as well as the price of the present. Moreover, the participants often determine a common bound for the gift’s prices.
In Conspiracy Santa, a variant of Secret Santa, for each participant, the other members of the group collude and jointly decide on an appropriate gift. The gift is then usually bought by one of the colluding participants, and the expenses are shared among the colluding participants.
In this setting, the price of the gift must remain secret and, potentially, also who bought the present. At the same time, sharing the expenses usually results in numerous transactions. Existing results in the literature (e.g., [settleup, splitwise, tricount, Thesis12]) aim at minimizing the number of transactions, but they assume that all expenses are public, that all participants are honest, and that communications are safe. Our goal is instead to propose a secure Conspiracy Santa algorithm for paranoid cryptographers that do not want to disclose the prices. Further, they want to keep their privacy at all cost, so they might rely on external third parties but only in case they do not need to trust them.
1.1 Contributions
Our results can be split into the following contributions:

We show that the general problem of finding a solution with a minimal number of transactions when sharing expenses (Shared Expenses Problem, or SEP) is NPcomplete.

We provide secure protocols for Conspiracy Santa for arbitrary participants. The algorithms ensure that no participant learns the price of his gift, nor who bought it. Moreover, the algorithms reduce the number of transactions necessary to or (depending on the largest authorized amount for a given transaction) compared to a naïve solution of .

Our secure algorithms are entirely distributed and do not require any trusted third party. To also realize the payments in a distributed fashion, a secure peertopeer cryptocurrency can be used. Additionally, we present a physical payment solution where all participants need to be in the same place, using envelopes and bank notes.
Our algorithms can also be used in the case where expenses are shared within multiple groups. There, some people belong to several of these groups and the goal is to reduce the number of transactions while still ensuring privacy: all participants only learn about the expenses of their groups, not the other groups. One can also see this problem as a variant of the dining cryptographers [Chaum1988]. However, instead of respecting the cryptographers’ right to anonymously invite everybody, we here want to respect the cryptographers’ right to privately share expenses of multiple diners with different groups.
Table 1 summarizes the number of transactions, as well as the order of magnitude of the largest amount per transaction, required for the different algorithms considered in order to realize a conspiracy Santa.
Algorithm  Peertopeer  Transactions  Largest amount 
per transaction  
instances of SEP  ✔  constant  
With a trusted thirdparty  ✘  constant  
Here (Protocols 1, 2, 3)  ✔  constant  
Here (Protocols 1, 6, 7)  ✔  linear 
With respect to the conference version of this paper [fun:2018:conspiracy], we here provide the faster algorithm requiring only transactions, instead of . With respect to an upper bound on the price of any gift, in this faster protocol, the amount of each transaction can then grow up to , where it stayed below in our other protocol. We also provide a physical variant as well as complexity and security proofs for this novel protocol.
1.2 Outline
The remainder of the paper is structured as follows: in Section 2, we analyze the complexity of the general problem of sharing expenses. In Section 3, we present our protocol to solve the problem of privately sharing expenses in Conspiracy Santa, in a peertopeer setting. We also discuss further applications of our solution, and how to realize the anonymous payments required by the algorithm, either physically or online. In Section 4, we then present our second algorithm, with less transactions. We finally conclude in Section 5.
2 The Shared Expenses Problem and its Complexity
Before analyzing the Conspiracy Santa problem in more detail, we first discuss the problem of settling shared expenses with a minimal number of transactions. This problem frequently arises, for example when a group of security researchers attends a FUN conference and wants to share common expenses such as taxis, restaurants etc. Reducing the overall number of transactions might then reduce the overall currency exchange fees paid by the researchers.
In such a case, each participant covers some of the common expenses, and in the end of the conference, some transactions are necessary to ensure that all participants payed the same amount. Note for this first example, there are no privacy constraints, as all amounts are public.
Example 1.
Jannik, JeanGuillaume, and Pascal attended FUN’16. The first night, Jannik payed the restaurant for €, and JeanGuillaume the drinks at the bar for €. The second day Pascal payed the restaurant and drinks for a total of €.
The total sum is then €, meaning € per person. This means that Jannik payed € too much, JeanGuillaume needs to pay € more, and Pascal has to receive €. In this case, the optimal solution uses two transactions: JeanGuillaume gives € to Jannik, and € to Pascal.
There are numerous applications implementing solutions to this problem (e.g., [settleup, splitwise, tricount]), but it is unclear how they compute the transactions. Moreover, in these applications all expenses are public, making them unsuitable for Conspiracy Santa.
David Vávra wrote a master’s thesis [Thesis12] about a similar smartphone application that allows to settle expenses within a group. He discusses a greedy approximation algorithm (see below), and conjectures that the problem is complete, but without giving a formal proof. We start by formally defining the problem.
Definition 2.
Shared Expenses Problem (SEP).
 Input:

Given a multiset of values such that , where a positive means that participant has to pay money, and a negative means that has to be reimbursed.
 Question:

Is there a way to do all reimbursements using (strictly) less than transactions?
Note that there is always a solution using transactions using a greedy approach: given the values in , let be the index of the maximum value of () and let be the index of the minimum value of (), we use one transaction between and such that after the transaction either the participant or ends up at . I.e., if , then the participant ends up at , otherwise the participant ends up at . By then recursively applying the same procedure on the remaining values, we can do all reimbursements. Overall, this greedy solution uses transactions in the worst case.
It is easy to see that : guess a list of (less than ) transactions, and verify for each participant that in the end there are no debts or credits left.
We show that SEP is complete, for this we use a reduction from the Subset Sum Problem [Karp2010] which can be seen as a special case of the well known knapsack problem [Garey:1990:CIG:574848].
Definition 3.
Subset Sum Problem (SSP)
 Input:

Given a multiset of values .
 Question:

Is there a subset such that ?
The Subset Sum Problem is known to be complete (see, e.g., [Cormen]).
Theorem 4.
The Shared Expenses Problem is complete.
Proof.
Consider the following reduction algorithm:
Given a Subset Sum Problem (SSP) instance, i.e., a multiset of values , compute . If then return yes, otherwise let and return the answer of an oracle for the Shared Expenses Problem for .
It is easy to see that the reduction is polynomial, as computing the sum is in . We now need to show that the reduction is correct. We consider the two following cases:

Suppose the answer to the SSP is yes, then there is a subset such that . If , then the check in the reduction is true, and the algorithm returns yes. If , then we can balance the expenses in the sets and independently using the greedy algorithm explained above. This results in and transactions respectively, for a total of transactions. Thus there is a way to do all reimbursements using strictly less than transactions, hence the answer will be yes.

Suppose the answer to the SSP is no, then there is no subset such that . This means that there is no subset such that the expenses within this set can be balanced independently of the other expenses. To see this, suppose it were possible to balance the expenses in independently, then we must have , contradicting the hypothesis that there is no such subset (note that w.l.o.g. , if it contains the added value one can simply choose ).
Hence any way of balancing the expenses has to involve all participants, but building a connected graph with nodes requires at least edges. Thus there cannot be a solution with less than transactions, and the oracle will answer no.
∎∎
3 Cryptographer’s Conspiracy Santa
Consider now the problem of organizing Conspiracy Santa, where no participant shall learn the price of his gift. Obviously we cannot simply apply, e.g., the greedy algorithm explained above on all the expenses, as this would imply that everybody learns all the prices.
More formally, an instance of Conspiracy Santa with participant consists of shared expenses problem (subSEP), each with participants and with nonempty intersections of the participants. In each subSEP, the participants freely discuss, decide on a gift, its value and who pays it; then agree that their share for this gift is . Overall the share of each participant is
A participants balance is this share minus the values of the gifts he bought.
A simple solution would be to use a trusted third party, but most cryptographers are paranoid and do not like trusted third parties. A distributed solution would be to settle the expenses for each gift within the associated conspiracy group individually, but this then results in instances of the problem, with transactions each (assuming that only one person bought the gift), for a total of transactions.
Moreover, the problem becomes more complex if several groups with nonempty intersections want to minimize transactions all together while preserving the intergroup privacy.
Example 5.
Example 1 continued. For the same conference, FUN’16, Jannik, JeanGuillaume and Xavier shared a taxi from the airport and JeanGuillaume paid for a total of €, that is € per person. There are two possibilities. Either Jannik and Xavier make two new transactions to reimburse JeanGuillaume. Or, to minimize the overall number of transactions, they aggregate both accounts, i.e. those from Example 1 with those of the taxi ride. That is . Overall Jannik thus gives € to Pascal, JeanGuillaume reduces his debt to Pascal to only € and Xavier gives € to Pascal. The security issue, in this second case, is that maybe Jannik and JeanGuillaume did not want Xavier to know that they were having lunch with Pascal, nor that they had a debt of more than €, etc.
In the next part, we present our solution for the generalization of Conspiracy Santa as the aggregation of several shared expenses problems with nonempty intersections between the participants. This solution uses transactions, preserves privacy, and does not require a trusted third party.
3.1 A Distributed Solution using Cryptocurrencies
Assumptions

We suppose that all participants know a fixed upper bound for the value of any gift.

We suppose that each participant balance is an integral number. A simple solution for this is to express everything in cents (¢), and make users agree that shares could be unevenly distributed up to a difference of one cent.

We consider semihonest participants in the sense that the participants follow honestly the protocol, but they try to exploit all intermediate information that they have received during the protocol to break privacy.
Apart from the setup, the protocol has rounds, each one with transactions, and one initialization phase.
Initialization Phase
In the setup phase, the participants learn the price of the gifts in which they participate and can therefore compute their overall balance, . They also setup several anonymous addresses in a given public transaction cryptocurrency like Bitcoin [bitcoin], ZCash [zcash] or Monero [monero].
Finally the participants create one anonymous address which is used as a piggy bank. They all have access to the secret key associated to that piggy bank address. For instance, they can exchange encrypted emails to share this secret key. Protocol 1 presents the details of this setup phase.
First Round
The idea is that the participants will round their debts or credits so that the different amounts become indistinguishable. For this, the participants perform transactions to adjust their balance to either , or a negative multiple of . The first participant randomly selects an initial value between and ¢, and sends it to the second participant. This transaction is realized via any private payment channel between the two participants. It can be a physical payment, a bank transfer, a cryptocurrency payment, …, as long as no other participant learns the transferred amount. Then the second participant adds his balance to the received amount modulo , and forwards the money^{2}^{2}2up to , or such that its credit becomes a multiple of . to the next participant, and so on. The last participant also adds his balance and sends the resulting amount to the first participant. In the end, all participants obtain a balance of a multiple of , and the random amount chosen by the first participant has hidden the exact amounts. The details are described in Protocol 2.
Second Round
The second and third rounds of the protocol require anonymous payments, for which we use anonymous cryptocurrency addresses. These two rounds are presented in Protocol 3, where is a notation for parallel execution of a command where the order is not important.
In the second round, every participant makes one public transaction of ¢ to the piggy bank.
Third Round
Each creditor recovers their assets via public transactions of ¢ from the piggy bank. Note that if a participant needs to withdraw more than ¢ he needs to perform several transactions. To ensure anonymity, he needs to use a different anonymous address for each transaction. In the end, the account is empty and the number of transactions corresponds exactly to the number of initial transactions used to credit the piggy bank’s account.
Theorem 6.
Proof.
Including the piggy bank, all the transactions are among participants, therefore the sum of all the debts and credits is invariant and zero. There remains to prove that in the end of the protocol all the debts and credits are also zero. The value of any gift is bounded by , thus any initial debt for any gift is at most . As participants participate to at most gifts, the largest debt is thus lower than ¢. Then, during the first round, all participants, except , round their credits or debts to multiples of . But then, by the invariant, after the first round, the debt or credit of must also be a multiple of . Furthermore, any debtor will thus either be at zero after the first round or at a debt of exactly ¢. After the second round any debtor will then be either at zero or at a credit of exactly ¢. Thus after the second round only the piggy bank has a debt. Since the piggy bank received exactly ¢, exactly transactions of ¢ will make it zero and the invariant ensures that, after the third round, all the creditors must be zero too. ∎∎
Remark 7.
It is important to use a cryptocurrency such as Bitcoin, Monero or ZCash in order to hide both the issuer and the receiver of each transaction in the third round. This ensures that nobody can identify the users.
Note that when using Bitcoin, users can potentially be tracked if the addresses are used for other transactions. Using Monero or Zcash can offer more privacy since the exchanged amount can also be anonymized. Moreover, to avoid leaking the fact that some persons need to withdraw ¢ multiple times, and are thus doing multiple transaction at the same time, all the withdrawals should be synchronized. If exact synchronization is difficult to achieve, one can decide on a common time interval, e.g., an hour, and all the transactions have to be done at random time points during this interval, independently, whether they are executed from the same or a different participant.
Example 8.
We now have a look at the algorithm for our example with Jannik, JeanGuillaume, Pascal and Xavier. As in Example 5
, the initial balance vector is
^{3}^{3}3In our running example the values are integral numbers in euros, so for simplicity we continue in euros instead of cents as in the protocol description.. They decide on an upper bound of € (note that to provably ensure exactly transactions they should take an upper bound larger than any expense, that is larger than €, but is sufficient for our example here). For the first round, Jannik randomly selects and makes a first private transaction of € to JeanGuillaume. JeanGuillaume then makes a private transaction of € to Pascal; Pascal makes a private transaction of € to Xavier; who makes a private transaction of € to Jannik. All these transactions are represented in Figure 1. The balance vector is thus now , because for instance JeanGuillaume had a balance of €, received € from Jannik and sends € to Pascal, hence his new balance is €. Everybody sends € to the piggy bank address, so that the balance vector becomes . Finally there are four € transactions, one to an address controlled by Jannik and three to (different) addresses controlled by Pascal. These two last rounds are illustrated in Figure 2. Note that we have exactly transactions per round.3.2 Security Proof
We now provide a formal security proof for our protocol. We use the standard multiparty computations definition of security against semihonest adversaries [Ma2008]. As stated above, we consider semihonest adversaries in the sense that the entities run honestly the protocols, but they try to exploit all intermediate information that they have received during the protocol.
We start by formally defining the indistinguishability and the view of an entity.
Definition 9 (Indistinguishability).
Let be a security parameter and and two distributions. We say that and are indistinguishable, denoted , if for every probabilistic distinguisher we have:
Definition 10 (view of a party).
Let be an parties protocol for the entities using inputs . The view of a party (where ) during an execution of , denoted , is the set of all values sent and received by during the protocol.
To prove that a party learns nothing during execution of the protocol, we show that can run a simulator algorithm that simulates the protocol, such that (or any polynomially bounded algorithm) is not able to differentiate an execution of the simulator and an execution of the real protocol. The idea is the following: since the entity is able to generate his view using the simulator without the secret inputs of other entities, cannot extract any information from his view during the protocol. This notion is formalized in Definition 11.
Definition 11 (security with respect to semihonest behavior).
Let be an parties protocol between the entites using inputs . We say that is secure in the presence of semihonest adversaries if for each (where ) there exists a protocol where interacts with a polynomial time algorithm such that:
Theorem 12.
Our conspiracy Santa protocol is secure with respect to semihonest behavior.
Proof.
We denote our protocol by (for Secure Conspiracy Santa). For all , each entity has the input , where , is the balance of each of the participants. For all , we show how to build the protocol such that:
We first show that the view of in the real protocol is the same as in the protocol :

At Instruction 22 of Protocol 2, sends ¢ to such that:


The balance of is a multiple of .
We show that these two conditions hold in the simulator. At Instruction 3 of Protocol 2, the balance of is .

If the balance is positive, then and sends ¢ to . We then have:


The balance of is which is multiple of .


If the balance is negative, then sends ¢ to . We then have:


The balance of is: , which is a multiple of .



At Instruction 12 of Protocol 3, the users make the shared anonymous address pay ¢ to anonymous addresses. At Instruction 17 of Simulator 4, the balance of is:

if (because had ¢ and sent ¢ to the shared address).

Otherwise, the balance of is . Hence receives ¢ from the shared anonymous address times, and receives ¢ from the shared anonymous address times. We note that because and . Finally, and make the shared anonymous address pay ¢ to anonymous addresses because:

Finally, we deduce that the view of in the real protocol is the the same as in the simulator :
We then show that the view of in the real protocol is the same as in the protocol for any :

At instruction 10 and 16 of Protocol 2, each user receives ¢ from for any such that . We note that each depends on the value chosen by . Moreover,
comes form a uniform distribution and acts as a onetime pad on the values
, i.e., it randomizes such that cannot distinguish whether was correctly generated or comes from the uniform distribution on . At instruction 2 of Simulator 5, chooses at random in the uniform distribution on and sends to . 
At Instruction 12 of Protocol 3, the users make the shared anonymous address pay ¢ to anonymous addresses. At Instruction 10 of Simulator 5, the balance of is . Hence receives ¢ from the shared anonymous address times, and receives ¢ from the shared anonymous address times. We note that ; indeed, we have (Instruction 13 of Protocol 2). Since and , then we have , so we have . Finally, and make the shared anonymous address pay ¢ to anonymous addresses because:
Finally, to conclude the proof, we deduce that for all the view of in the real protocol is the the same as in the simulator :
∎∎
3.3 Physical Variant
If one does not wish to use cryptocurrencies, one can use the following physical variant of the protocol. In the first round each participant needs to transfer some money to another participant using a private channel. A simple physical solution is that they meet and perform the transfer face to face, while ensuring that nobody spies on them. For the second round, the balance of all participants is a multiple of ¢. During the first part of this algorithm, everyone puts an envelope containing ¢ onto a stack that is in a secure room. By secure room, we mean a place where no other participants can spy what is going on inside. In the second part all participants enter this secure room one after the other and do the following according to their balance:

If the balance is then the participant does nothing.

If the balance is a multiple of ¢, the participant takes envelopes from the top of the stack, opens them and collects the corresponding ¢. Then he places, in each of the now empty envelopes, a piece of paper that have the same shape and weight as a the ¢. These envelopes are placed under the stack of envelopes.
This method allows everyone to collect his money without revealing to the other ones how much they have taken.
We show that this protocol is secure with respect to semihonest behavior. For this, we physically simulate the protocol for any participant. We first note that the first round of the protocol is the same as Protocol 2, so this round can be simulated exactly as in the proof of Theorem 12. We simulate the second round for any participant as follows. During the first part of the algorithm, the simulator enters times the secure room and puts an envelope containing ¢ onto the stack. When it is his turn, the participant enters the room and puts an envelope containing ¢ onto the stack. Finally, there are envelopes containing ¢ on a stack. In the second part the simulator enters the room times and does nothing. When it is his turn, the participant enters the room and takes envelopes from the top of the stack, opens them and collects the corresponding ¢ as in the real protocol, where . Since each of the envelopes contains ¢, the simulation works for any .
We deduce that the view of the participant during the simulation is the same as during the real protocol, which implies that our physical protocol is secure with respect to semihonest behavior.
Remark 13.
This physical protocol mimics exactly the solution using cryptocurrencies. One advantage, though, of the physical world is that it is easier to perform transactions with ¢. Therefore there exists a simpler solution for the second round, where creditors do not have to give ¢ in advance: if the participant is in debt he puts an envelope containing ¢ onto the stack, otherwise he puts an envelope containing a piece of paper under the stack.
The first and third rounds are not modified, and the simulator for the security proof is not modified either.
4 A Faster Protocol
To the price of having much larger transactions, there exist a protocol for conspiracy Santa that requires less transactions: instead of .
4.1 Merging the first two rounds
We now propose a variant of the cryptocurrency protocol where the initialization phase and the third round are unchanged but the first and second round are merged.
The idea is that the participants will round their debts or credits so that the different amounts become indistinguishable, and at the same time they will give ¢ to the next player: this is what they would have given to the Piggy bank in the second round. At the end the first player will receive the amount needed to round his debt or credit as previously, plus times ¢. It is then sufficient for him to give ¢ to the Piggy bank, for the third round to take place as previously. The details are described in Protocols 6 and 7.
Theorem 14.
Proof.
Including the piggy bank, all the transactions are among participants, therefore the sum of all the debts and credits is invariant and zero. There remains to prove that in the end of the protocol all the debts and credits are also zero. Any initial debt for any gift is strictly lower than and the largest debt is thus strictly lower than ¢, that is all integral debts are between and . Then, during the first round, all participants, except , still round their credits or debts to multiples of : for , . Also, every participant sends more than he received: , so any creditor remains creditor. Furthermore, any debtor will thus either be at zero after the first round or at a credit of exactly ¢: any debtor has an initial debt ; then he receives so that his new debt is between and ; finally he sends the residue mod plus , so that his credit must be either or . All the money sent is immediately added to the debt of the receiver and removed from that of the sender (including an aggregation for at the end, ) so, overall, including the piggy bank, the sum of all debts and credits remains zero. We just showed that except all the credits or debts are now multiples of so that of must also be a multiple . Further, if is a debtor then . He sends , and receives so that his new balance is . As we have shown that this balance must be a multiple of , then either his balance is zero or he has a credit of . Therefore, at the end of Protocol 6, only the piggy bank has a debt. Since the piggy bank received exactly ¢, exactly transactions of ¢ will make it zero and the invariant ensures that, after Protocol 7, all the creditors must be zero too. ∎∎
Example 15.
We now have a look at the algorithm for our example with Jannik, JeanGuillaume, Pascal and Xavier. As in Example 8, the initial balance vector is and the upper bound is €. For the first round, Jannik randomly selects and makes a first private transaction of € to JeanGuillaume. JeanGuillaume then makes a private transaction of € to Pascal; Pascal makes a private transaction of € to Xavier; who makes a private transaction of € to Jannik and the balance vector is Finally Jannik gives € to the piggy bank so that the player’s balance vector becomes . Indeed, for instance, JeanGuillaume had a balance of €, received € from Jannik and sends € to Pascal, hence his new balance is €. All these transactions are represented in Figure 3. Finally there are four € transactions, one to an address controlled by Jannik and three to (different) addresses controlled by Pascal. This last round is exactly the one illustrated in Figure 2, right. Note that we have participants and exactly transactions in Protocol 6 and transactions in Protocol 7, hence the total is .
4.2 Security Proof of the Faster Variant
Theorem 16.
Our faster conspiracy Santa protocol is secure with respect to semihonest behavior.