A Faster Cryptographer's Conspiracy Santa

05/19/2020
by   Xavier Bultel, et al.
0

In Conspiracy Santa, a variant of Secret Santa, a group of people offer each other Christmas gifts, where each member of the group receives a gift from the other members of the group. To that end, the members of the group form conspiracies, to decide on appropriate gifts, and usually divide the cost of each gift among all participants of that conspiracy. This requires to settle the shared expenses per conspiracy, so Conspiracy Santa can actually be seen as an aggregation of several shared expenses problems. First, we show that the problem of finding a minimal number of transaction when settling shared expenses is NP-complete. Still, there exist good greedy approximations. Second, we present a greedy distributed secure solution to Conspiracy Santa. This solution allows a group of n people to share the expenses for the gifts in such a way that no participant learns the price of his gift, but at the same time notably reduces the number of transactions to 2 × n + 1 with respect to a naïve aggregation of n × (n – 2). Furthermore, our solution does not require a trusted third party, and can either be implemented physically (the participants are in the same room and exchange money using envelopes) or, over Internet, using a cryptocurrency.

READ FULL TEXT VIEW PDF

page 1

page 2

page 3

page 4

09/21/2020

Electing the Executive Branch

The executive branch, or government, is typically not elected directly b...
04/07/2021

Shared-Dining: Broadcasting Secret Shares using Dining-Cryptographers Groups

A k-anonymous broadcast can be implemented using a small group of dining...
08/06/2019

Tightly Coupled Secret Sharing and Its Application to Group Authentication

Group oriented applications are getting more and more popular in today's...
02/28/2015

Group Event Detection with a Varying Number of Group Members for Video Surveillance

This paper presents a novel approach for automatic recognition of group ...
06/24/2016

Resolving Distributed Knowledge

Distributed knowledge is the sum of the knowledge in a group; what someo...
03/26/2021

Heuristics facilitates the evolution of transitive inference and social hierarchy in a large group

Transitive inference (TI) refers to social cognition that facilitates th...
03/14/2021

Cooperation in lot-sizing problems with heterogeneous costs: the effect of consolidated periods

We consider a cooperative game defined by an economic lot-sizing problem...

1 Introduction

Secret Santa is a Christmas tradition, where members of a group are randomly assigned to another person, to whom they have to offer a gift. The identity of the person offering the present is usually secret [Liberti:2008:secretsanta, Mauw:2014:ssanta, Ryan2016], as well as the price of the present. Moreover, the participants often determine a common bound for the gift’s prices.

In Conspiracy Santa, a variant of Secret Santa, for each participant, the other members of the group collude and jointly decide on an appropriate gift. The gift is then usually bought by one of the colluding participants, and the expenses are shared among the colluding participants.

In this setting, the price of the gift must remain secret and, potentially, also who bought the present. At the same time, sharing the expenses usually results in numerous transactions. Existing results in the literature (e.g., [settleup, splitwise, tricount, Thesis12]) aim at minimizing the number of transactions, but they assume that all expenses are public, that all participants are honest, and that communications are safe. Our goal is instead to propose a secure Conspiracy Santa algorithm for paranoid cryptographers that do not want to disclose the prices. Further, they want to keep their privacy at all cost, so they might rely on external third parties but only in case they do not need to trust them.

1.1 Contributions

Our results can be split into the following contributions:

  • We show that the general problem of finding a solution with a minimal number of transactions when sharing expenses (Shared Expenses Problem, or SEP) is NP-complete.

  • We provide secure protocols for Conspiracy Santa for arbitrary participants. The algorithms ensure that no participant learns the price of his gift, nor who bought it. Moreover, the algorithms reduce the number of transactions necessary to or (depending on the largest authorized amount for a given transaction) compared to a naïve solution of .

  • Our secure algorithms are entirely distributed and do not require any trusted third party. To also realize the payments in a distributed fashion, a secure peer-to-peer cryptocurrency can be used. Additionally, we present a physical payment solution where all participants need to be in the same place, using envelopes and bank notes.

Our algorithms can also be used in the case where expenses are shared within multiple groups. There, some people belong to several of these groups and the goal is to reduce the number of transactions while still ensuring privacy: all participants only learn about the expenses of their groups, not the other groups. One can also see this problem as a variant of the dining cryptographers [Chaum1988]. However, instead of respecting the cryptographers’ right to anonymously invite everybody, we here want to respect the cryptographers’ right to privately share expenses of multiple diners with different groups.

Table 1 summarizes the number of transactions, as well as the order of magnitude of the largest amount per transaction, required for the different algorithms considered in order to realize a conspiracy Santa.

Algorithm Peer-to-peer Transactions Largest amount
per transaction
instances of SEP constant
With a trusted third-party constant
Here (Protocols 1, 2, 3) constant
Here (Protocols 1, 6, 7) linear
Table 1: Number of transactions for Conspiracy Santa

With respect to the conference version of this paper [fun:2018:conspiracy], we here provide the faster algorithm requiring only transactions, instead of . With respect to an upper bound on the price of any gift, in this faster protocol, the amount of each transaction can then grow up to , where it stayed below in our other protocol. We also provide a physical variant as well as complexity and security proofs for this novel protocol.

1.2 Outline

The remainder of the paper is structured as follows: in Section 2, we analyze the complexity of the general problem of sharing expenses. In Section 3, we present our protocol to solve the problem of privately sharing expenses in Conspiracy Santa, in a peer-to-peer setting. We also discuss further applications of our solution, and how to realize the anonymous payments required by the algorithm, either physically or online. In Section 4, we then present our second algorithm, with less transactions. We finally conclude in Section 5.

2 The Shared Expenses Problem and its Complexity

Before analyzing the Conspiracy Santa problem in more detail, we first discuss the problem of settling shared expenses with a minimal number of transactions. This problem frequently arises, for example when a group of security researchers attends a FUN conference and wants to share common expenses such as taxis, restaurants etc. Reducing the overall number of transactions might then reduce the overall currency exchange fees paid by the researchers.

In such a case, each participant covers some of the common expenses, and in the end of the conference, some transactions are necessary to ensure that all participants payed the same amount. Note for this first example, there are no privacy constraints, as all amounts are public.

Example 1.

Jannik, Jean-Guillaume, and Pascal attended FUN’16. The first night, Jannik payed the restaurant for €, and Jean-Guillaume the drinks at the bar for €. The second day Pascal payed the restaurant and drinks for a total of €.

The total sum is then €, meaning € per person. This means that Jannik payed € too much, Jean-Guillaume needs to pay € more, and Pascal has to receive €. In this case, the optimal solution uses two transactions: Jean-Guillaume gives € to Jannik, and € to Pascal.

There are numerous applications implementing solutions to this problem (e.g., [settleup, splitwise, tricount]), but it is unclear how they compute the transactions. Moreover, in these applications all expenses are public, making them unsuitable for Conspiracy Santa.

David Vávra wrote a master’s thesis [Thesis12] about a similar smartphone application that allows to settle expenses within a group. He discusses a greedy approximation algorithm (see below), and conjectures that the problem is -complete, but without giving a formal proof. We start by formally defining the problem.

Definition 2.

Shared Expenses Problem (SEP).

Input:

Given a multiset of values such that , where a positive means that participant has to pay money, and a negative means that has to be reimbursed.

Question:

Is there a way to do all reimbursements using (strictly) less than transactions?

Note that there is always a solution using transactions using a greedy approach: given the values in , let be the index of the maximum value of () and let be the index of the minimum value of (), we use one transaction between and such that after the transaction either the participant or ends up at . I.e., if , then the participant ends up at , otherwise the participant ends up at . By then recursively applying the same procedure on the remaining values, we can do all reimbursements. Overall, this greedy solution uses transactions in the worst case.

It is easy to see that : guess a list of (less than ) transactions, and verify for each participant that in the end there are no debts or credits left.

We show that SEP is -complete, for this we use a reduction from the Subset Sum Problem [Karp2010] which can be seen as a special case of the well known knapsack problem [Garey:1990:CIG:574848].

Definition 3.

Subset Sum Problem (SSP)

Input:

Given a multiset of values .

Question:

Is there a subset such that ?

The Subset Sum Problem is known to be -complete (see, e.g., [Cormen]).

Theorem 4.

The Shared Expenses Problem is -complete.

Proof.

Consider the following reduction algorithm:

Given a Subset Sum Problem (SSP) instance, i.e., a multiset of values , compute . If then return yes, otherwise let and return the answer of an oracle for the Shared Expenses Problem for .

It is easy to see that the reduction is polynomial, as computing the sum is in . We now need to show that the reduction is correct. We consider the two following cases:

  • Suppose the answer to the SSP is yes, then there is a subset such that . If , then the check in the reduction is true, and the algorithm returns yes. If , then we can balance the expenses in the sets and independently using the greedy algorithm explained above. This results in and transactions respectively, for a total of transactions. Thus there is a way to do all reimbursements using strictly less than transactions, hence the answer will be yes.

  • Suppose the answer to the SSP is no, then there is no subset such that . This means that there is no subset such that the expenses within this set can be balanced independently of the other expenses. To see this, suppose it were possible to balance the expenses in independently, then we must have , contradicting the hypothesis that there is no such subset (note that w.l.o.g. , if it contains the added value one can simply choose ).

    Hence any way of balancing the expenses has to involve all participants, but building a connected graph with nodes requires at least edges. Thus there cannot be a solution with less than transactions, and the oracle will answer no.

∎∎

3 Cryptographer’s Conspiracy Santa

Consider now the problem of organizing Conspiracy Santa, where no participant shall learn the price of his gift. Obviously we cannot simply apply, e.g., the greedy algorithm explained above on all the expenses, as this would imply that everybody learns all the prices.

More formally, an instance of Conspiracy Santa with participant consists of shared expenses problem (sub-SEP), each with participants and with non-empty intersections of the participants. In each sub-SEP, the participants freely discuss, decide on a gift, its value and who pays it; then agree that their share for this gift is . Overall the share of each participant is

A participants balance is this share minus the values of the gifts he bought.

A simple solution would be to use a trusted third party, but most cryptographers are paranoid and do not like trusted third parties. A distributed solution would be to settle the expenses for each gift within the associated conspiracy group individually, but this then results in instances of the problem, with transactions each (assuming that only one person bought the gift), for a total of transactions.

Moreover, the problem becomes more complex if several groups with non-empty intersections want to minimize transactions all together while preserving the inter-group privacy.

Example 5.

Example 1 continued. For the same conference, FUN’16, Jannik, Jean-Guillaume and Xavier shared a taxi from the airport and Jean-Guillaume paid for a total of €, that is € per person. There are two possibilities. Either Jannik and Xavier make two new transactions to reimburse Jean-Guillaume. Or, to minimize the overall number of transactions, they aggregate both accounts, i.e. those from Example 1 with those of the taxi ride. That is . Overall Jannik thus gives € to Pascal, Jean-Guillaume reduces his debt to Pascal to only € and Xavier gives € to Pascal. The security issue, in this second case, is that maybe Jannik and Jean-Guillaume did not want Xavier to know that they were having lunch with Pascal, nor that they had a debt of more than €, etc.

In the next part, we present our solution for the generalization of Conspiracy Santa as the aggregation of several shared expenses problems with non-empty intersections between the participants. This solution uses transactions, preserves privacy, and does not require a trusted third party.

3.1 A Distributed Solution using Cryptocurrencies

Assumptions

  1. We suppose that all participants know a fixed upper bound for the value of any gift.

  2. We suppose that each participant balance is an integral number. A simple solution for this is to express everything in cents (¢), and make users agree that shares could be unevenly distributed up to a difference of one cent.

  3. We consider semi-honest participants in the sense that the participants follow honestly the protocol, but they try to exploit all intermediate information that they have received during the protocol to break privacy.

Apart from the setup, the protocol has rounds, each one with transactions, and one initialization phase.

Initialization Phase

In the setup phase, the participants learn the price of the gifts in which they participate and can therefore compute their overall balance, . They also setup several anonymous addresses in a given public transaction cryptocurrency like Bitcoin [bitcoin], ZCash [zcash] or Monero [monero].

Finally the participants create one anonymous address which is used as a piggy bank. They all have access to the secret key associated to that piggy bank address. For instance, they can exchange encrypted emails to share this secret key. Protocol 1 presents the details of this setup phase.

1:An upper bound on the value of any gift;
2:All expenses.
3:Each participant learns his balance .
4:Each participant creates or several anonymous currency addresses.
5:A shared anonymous currency address.
6:One anonymous currency address is created and the associated secret key is shared among all participants.
7:for each exchange group do
8:     for each payment within the group do
9:         broadcast the amount paid to all members of the group;
10:     end for
11:     for each participant in the group do
12:         Sum all the paid amounts of all the participants;
13:         Divide by the number of participants in the group;
14:         This produces the in-group share by participant.
15:     end for
16:end for
17:for each overall participant do
18:     Add up all in-group shares;
19:     Subtract all own expenses to get ;
20:     if  then
21:         Create anonymous currency addresses.
22:     end if
23:end for
Protocol 1 SEP broadcast setup

First Round

The idea is that the participants will round their debts or credits so that the different amounts become indistinguishable. For this, the participants perform transactions to adjust their balance to either , or a negative multiple of . The first participant randomly selects an initial value between and  ¢, and sends it to the second participant. This transaction is realized via any private payment channel between the two participants. It can be a physical payment, a bank transfer, a cryptocurrency payment, …, as long as no other participant learns the transferred amount. Then the second participant adds his balance to the received amount modulo , and forwards the money222up to , or such that its credit becomes a multiple of . to the next participant, and so on. The last participant also adds his balance and sends the resulting amount to the first participant. In the end, all participants obtain a balance of a multiple of , and the random amount chosen by the first participant has hidden the exact amounts. The details are described in Protocol 2.

1:An upper bound on the value of any gift;
2:Each one of participants knows his balance ;
3:.
4:Each one of participants has a new balance , either , or a negative multiple of ;
5:;
6:Each transaction is between and ¢;
7:The protocol is zero-knowledge.
8:: uniformly sampled at random;
9:: ;
10: sends ¢ to ; Random transaction on a secure channel
11:: ;
12:for  to  do
13:     : ;
14:     : if  then end if
15:     : ;
16:      sends ¢ to ; Random transaction on a secure channel
17:     : ;
18:end for
19:: ;
20:: if  then end if
21:: ;
22: sends ¢ to ; Random transaction on a secure channel
23:: ;
Protocol 2 Secure rounding to multiple of the bound

Second Round

The second and third rounds of the protocol require anonymous payments, for which we use anonymous cryptocurrency addresses. These two rounds are presented in Protocol 3, where is a notation for parallel execution of a command where the order is not important.

1:An upper bound on the value of any gift;
2: participants each with a balance , either , or a negative multiple of .
3:All balances are zero;
4:The protocol is zero-knowledge.
5:parfor  to  do Everybody sends to the piggy bank
6:     : ;
7:      sends ¢ to the shared anonymous address; Public transaction of
8:end parfor
9:parfor  to  do
10:     if  then Creditors recover their assets
11:         parfor  to  do
12:               makes the shared anonymous address pay ¢ to one of his own anonymous addresses; Public transaction of
13:         end parfor
14:         : .
15:     end if
16:end parfor
Protocol 3 Peer-to-peer secure debt resolution

In the second round, every participant makes one public transaction of ¢ to the piggy bank.

Third Round

Each creditor recovers their assets via public transactions of ¢ from the piggy bank. Note that if a participant needs to withdraw more than ¢ he needs to perform several transactions. To ensure anonymity, he needs to use a different anonymous address for each transaction. In the end, the account is empty and the number of transactions corresponds exactly to the number of initial transactions used to credit the piggy bank’s account.

Theorem 6.

For participants, Protocols 1, 2, 3 are correct and, apart from the setup, require transactions.

Proof.

Including the piggy bank, all the transactions are among participants, therefore the sum of all the debts and credits is invariant and zero. There remains to prove that in the end of the protocol all the debts and credits are also zero. The value of any gift is bounded by , thus any initial debt for any gift is at most . As participants participate to at most gifts, the largest debt is thus lower than ¢. Then, during the first round, all participants, except , round their credits or debts to multiples of . But then, by the invariant, after the first round, the debt or credit of must also be a multiple of . Furthermore, any debtor will thus either be at zero after the first round or at a debt of exactly ¢. After the second round any debtor will then be either at zero or at a credit of exactly ¢. Thus after the second round only the piggy bank has a debt. Since the piggy bank received exactly ¢, exactly transactions of ¢ will make it zero and the invariant ensures that, after the third round, all the creditors must be zero too. ∎∎

Remark 7.

It is important to use a cryptocurrency such as Bitcoin, Monero or ZCash in order to hide both the issuer and the receiver of each transaction in the third round. This ensures that nobody can identify the users.

Note that when using Bitcoin, users can potentially be tracked if the addresses are used for other transactions. Using Monero or Zcash can offer more privacy since the exchanged amount can also be anonymized. Moreover, to avoid leaking the fact that some persons need to withdraw ¢ multiple times, and are thus doing multiple transaction at the same time, all the withdrawals should be synchronized. If exact synchronization is difficult to achieve, one can decide on a common time interval, e.g., an hour, and all the transactions have to be done at random time points during this interval, independently, whether they are executed from the same or a different participant.

Example 8.

We now have a look at the algorithm for our example with Jannik, Jean-Guillaume, Pascal and Xavier. As in Example 5

, the initial balance vector is

333In our running example the values are integral numbers in euros, so for simplicity we continue in euros instead of cents as in the protocol description.. They decide on an upper bound of € (note that to provably ensure exactly transactions they should take an upper bound larger than any expense, that is larger than €, but is sufficient for our example here). For the first round, Jannik randomly selects and makes a first private transaction of € to Jean-Guillaume. Jean-Guillaume then makes a private transaction of € to Pascal; Pascal makes a private transaction of € to Xavier; who makes a private transaction of € to Jannik. All these transactions are represented in Figure 1. The balance vector is thus now , because for instance Jean-Guillaume had a balance of €, received € from Jannik and sends € to Pascal, hence his new balance is  €. Everybody sends  € to the piggy bank address, so that the balance vector becomes . Finally there are four  € transactions, one to an address controlled by Jannik and three to (different) addresses controlled by Pascal. These two last rounds are illustrated in Figure 2. Note that we have exactly transactions per round.

J: 5

J-G: 48

P: -73

X: 20

Figure 1: First round (private transactions) of Example 8 (starting at , ending with ).

J: 0

J-G: 50

P: -100

X: 50

Piggy Bank

50 €

50 €

50 €

50 €

J: -50

J-G: 0

P: -150

X: 0

Piggy Bank

50 €

50 €

50 €

50 €
Figure 2: On the left: second round of Example 8. On the right: third round of Example 8. Dotted arrows represent anonymous transactions, in particular Pascal uses three different anonymous addresses.

3.2 Security Proof

We now provide a formal security proof for our protocol. We use the standard multi-party computations definition of security against semi-honest adversaries [Ma2008]. As stated above, we consider semi-honest adversaries in the sense that the entities run honestly the protocols, but they try to exploit all intermediate information that they have received during the protocol.

We start by formally defining the indistinguishability and the view of an entity.

Definition 9 (Indistinguishability).

Let be a security parameter and and two distributions. We say that and are indistinguishable, denoted , if for every probabilistic distinguisher we have:

Definition 10 (view of a party).

Let be an -parties protocol for the entities using inputs . The view of a party (where ) during an execution of , denoted , is the set of all values sent and received by during the protocol.

To prove that a party learns nothing during execution of the protocol, we show that can run a simulator algorithm that simulates the protocol, such that (or any polynomially bounded algorithm) is not able to differentiate an execution of the simulator and an execution of the real protocol. The idea is the following: since the entity is able to generate his view using the simulator without the secret inputs of other entities, cannot extract any information from his view during the protocol. This notion is formalized in Definition 11.

Definition 11 (security with respect to semi-honest behavior).

Let be an -parties protocol between the entites using inputs . We say that is secure in the presence of semi-honest adversaries if for each (where ) there exists a protocol where interacts with a polynomial time algorithm such that:

Theorem 12.

Our conspiracy Santa protocol is secure with respect to semi-honest behavior.

Proof.

We denote our protocol by (for Secure Conspiracy Santa). For all , each entity has the input , where , is the balance of each of the participants. For all , we show how to build the protocol such that:

is given in Simulator 4, and for is given in Simulator 5.

1: knows
2: receives ¢ from ;
3:if  then
4:      sends ¢ to ;
5:else if  then
6:      sends ¢ to ;
7:end if
8:for  to  do
9:      sends ¢ to the shared anonymous address;
10:end for
11:if  then
12:     ;
13:else if  then
14:     ;
15:end if
16:for  to  do
17:      makes the shared anonymous address pay ¢ to an anonymous address;
18:end for
Simulator 4 Algorithm of the protocol .
1: knows
2: ;
3: sends ¢ to ;
4: receives ¢ from ;
5:for  to  do
6:      sends ¢ to the shared anonymous address;
7:end for
8:;
9:for  to  do
10:      makes the shared anonymous address pay ¢ to an anonymous address;
11:end for
Simulator 5 Algorithm of the protocol , where .

We first show that the view of in the real protocol is the same as in the protocol :

  • At Instruction 2 of Simulator 4, receives ¢ from such that , as at Instruction 10 of Protocol 2.

  • At Instruction 22 of Protocol 2, sends ¢ to such that:

    • The balance of is a multiple of .

    We show that these two conditions hold in the simulator. At Instruction 3 of Protocol 2, the balance of is .

    1. If the balance is positive, then and sends ¢ to . We then have:

      • The balance of is which is multiple of .

    2. If the balance is negative, then sends ¢ to . We then have:

      • The balance of is: , which is a multiple of .

  • At Instruction 9 of Simulator 4, sends ¢ to the shared anonymous address times, and sends ¢ to the shared anonymous address time, so together they send ¢ times to the shared anonymous address, as at Instruction 7 of Protocol 3.

  • At Instruction 12 of Protocol 3, the users make the shared anonymous address pay ¢ to anonymous addresses. At Instruction 17 of Simulator 4, the balance of is:

    • if (because had ¢ and sent ¢ to the shared address).

    • Otherwise, the balance of is . Hence receives ¢ from the shared anonymous address times, and receives ¢ from the shared anonymous address times. We note that because and . Finally, and make the shared anonymous address pay ¢ to anonymous addresses because:

Finally, we deduce that the view of in the real protocol is the the same as in the simulator :

We then show that the view of in the real protocol is the same as in the protocol for any :

  • At instruction 10 and 16 of Protocol 2, each user receives ¢ from for any such that . We note that each depends on the value chosen by . Moreover,

    comes form a uniform distribution and acts as a one-time pad on the values

    , i.e., it randomizes such that cannot distinguish whether was correctly generated or comes from the uniform distribution on . At instruction 2 of Simulator 5, chooses at random in the uniform distribution on and sends to .

  • At Instruction 4 of Simulator 5, receives ¢ from such that , like at Instruction 16 of Protocol 2.

  • At Instruction 6 of Simulator 5, sends ¢ to the shared anonymous address times, and sends ¢ to the shared anonymous address time, so together they send ¢ times to the shared anonymous address, as at Instruction 7 of Protocol 3.

  • At Instruction 12 of Protocol 3, the users make the shared anonymous address pay ¢ to anonymous addresses. At Instruction 10 of Simulator 5, the balance of is . Hence receives ¢ from the shared anonymous address times, and receives ¢ from the shared anonymous address times. We note that ; indeed, we have (Instruction 13 of Protocol 2). Since and , then we have , so we have . Finally, and make the shared anonymous address pay ¢ to anonymous addresses because:

Finally, to conclude the proof, we deduce that for all the view of in the real protocol is the the same as in the simulator :

∎∎

3.3 Physical Variant

If one does not wish to use cryptocurrencies, one can use the following physical variant of the protocol. In the first round each participant needs to transfer some money to another participant using a private channel. A simple physical solution is that they meet and perform the transfer face to face, while ensuring that nobody spies on them. For the second round, the balance of all participants is a multiple of ¢. During the first part of this algorithm, everyone puts an envelope containing ¢ onto a stack that is in a secure room. By secure room, we mean a place where no other participants can spy what is going on inside. In the second part all participants enter this secure room one after the other and do the following according to their balance:

  • If the balance is then the participant does nothing.

  • If the balance is a multiple of ¢, the participant takes envelopes from the top of the stack, opens them and collects the corresponding ¢. Then he places, in each of the now empty envelopes, a piece of paper that have the same shape and weight as a the ¢. These envelopes are placed under the stack of envelopes.

This method allows everyone to collect his money without revealing to the other ones how much they have taken.

We show that this protocol is secure with respect to semi-honest behavior. For this, we physically simulate the protocol for any participant. We first note that the first round of the protocol is the same as Protocol 2, so this round can be simulated exactly as in the proof of Theorem 12. We simulate the second round for any participant as follows. During the first part of the algorithm, the simulator enters times the secure room and puts an envelope containing ¢ onto the stack. When it is his turn, the participant enters the room and puts an envelope containing ¢ onto the stack. Finally, there are envelopes containing ¢ on a stack. In the second part the simulator enters the room times and does nothing. When it is his turn, the participant enters the room and takes envelopes from the top of the stack, opens them and collects the corresponding ¢ as in the real protocol, where . Since each of the envelopes contains ¢, the simulation works for any .

We deduce that the view of the participant during the simulation is the same as during the real protocol, which implies that our physical protocol is secure with respect to semi-honest behavior.

Remark 13.

This physical protocol mimics exactly the solution using cryptocurrencies. One advantage, though, of the physical world is that it is easier to perform transactions with ¢. Therefore there exists a simpler solution for the second round, where creditors do not have to give ¢ in advance: if the participant is in debt he puts an envelope containing ¢ onto the stack, otherwise he puts an envelope containing a piece of paper under the stack.

The first and third rounds are not modified, and the simulator for the security proof is not modified either.

4 A Faster Protocol

To the price of having much larger transactions, there exist a protocol for conspiracy Santa that requires less transactions: instead of .

4.1 Merging the first two rounds

We now propose a variant of the cryptocurrency protocol where the initialization phase and the third round are unchanged but the first and second round are merged.

The idea is that the participants will round their debts or credits so that the different amounts become indistinguishable, and at the same time they will give  ¢ to the next player: this is what they would have given to the Piggy bank in the second round. At the end the first player will receive the amount needed to round his debt or credit as previously, plus times  ¢. It is then sufficient for him to give  ¢ to the Piggy bank, for the third round to take place as previously. The details are described in Protocols 6 and 7.

1:An upper bound on the value of any gift;
2:Each one of participants knows his integer balance ;
3:.
4:Each one of participants has a new balance , either , or a negative multiple of ;
5:;
6:The credit of the piggy bank is  ¢;
7:The protocol is zero-knowledge.
8:: uniformly sampled at random;
9:: ;
10: sends  ¢ to ; Random transaction on a secure channel
11:: ;
12:for  to  do
13:     : ;
14:     : ;
15:      sends  ¢ to ;
 d Transaction on a secure channel
16:     : ;
17:end for
18:: ;
19:: ;
20: sends  ¢ to ; Transaction on a secure channel
21: sends  ¢ to the piggy bank; Public transaction of
22:: ;
Protocol 6 Secure rounding with an extra multiple
1:An upper bound on the value of any gift;
2: participants each with a balance , either , or a negative multiple of , their sum being ;
3:The piggy bank has a credit of  ¢.
4:All balances are zero;
5:The protocol is zero-knowledge.
6:parfor  to  do
7:     if  then Creditors recover their assets
8:         parfor  to  do
9:               makes the shared anonymous address pay ¢ to one of his own anonymous addresses; Public transaction of
10:         end parfor
11:         : .
12:     end if
13:end parfor
Protocol 7 Secure recovering from the piggy bank
Theorem 14.

For participants, Protocols 1, 6, 7 are correct and, apart from the setup, require transactions.

Proof.

Including the piggy bank, all the transactions are among participants, therefore the sum of all the debts and credits is invariant and zero. There remains to prove that in the end of the protocol all the debts and credits are also zero. Any initial debt for any gift is strictly lower than and the largest debt is thus strictly lower than  ¢, that is all integral debts are between and . Then, during the first round, all participants, except , still round their credits or debts to multiples of : for , . Also, every participant sends more than he received: , so any creditor remains creditor. Furthermore, any debtor will thus either be at zero after the first round or at a credit of exactly  ¢: any debtor has an initial debt ; then he receives so that his new debt is between and ; finally he sends the residue mod plus , so that his credit must be either or . All the money sent is immediately added to the debt of the receiver and removed from that of the sender (including an aggregation for at the end, ) so, overall, including the piggy bank, the sum of all debts and credits remains zero. We just showed that except all the credits or debts are now multiples of so that of must also be a multiple . Further, if is a debtor then . He sends , and receives so that his new balance is . As we have shown that this balance must be a multiple of , then either his balance is zero or he has a credit of . Therefore, at the end of Protocol 6, only the piggy bank has a debt. Since the piggy bank received exactly  ¢, exactly transactions of  ¢ will make it zero and the invariant ensures that, after Protocol 7, all the creditors must be zero too. ∎∎

Example 15.

We now have a look at the algorithm for our example with Jannik, Jean-Guillaume, Pascal and Xavier. As in Example 8, the initial balance vector is and the upper bound is  €. For the first round, Jannik randomly selects and makes a first private transaction of  € to Jean-Guillaume. Jean-Guillaume then makes a private transaction of  € to Pascal; Pascal makes a private transaction of  € to Xavier; who makes a private transaction of  € to Jannik and the balance vector is Finally Jannik gives  € to the piggy bank so that the player’s balance vector becomes . Indeed, for instance, Jean-Guillaume had a balance of  €, received  € from Jannik and sends  € to Pascal, hence his new balance is  €. All these transactions are represented in Figure 3. Finally there are four  € transactions, one to an address controlled by Jannik and three to (different) addresses controlled by Pascal. This last round is exactly the one illustrated in Figure 2, right. Note that we have participants and exactly transactions in Protocol 6 and transactions in Protocol 7, hence the total is .

J: 5

J-G: 48

P: -73

X: 20

Piggy Bank

200 €

 €

 €

 €

 €
Figure 3: Merged round of Example 15 (starting at , ending with , and a final transaction of  € to the Piggy bank).

4.2 Security Proof of the Faster Variant

Theorem 16.

Our faster conspiracy Santa protocol is secure with respect to semi-honest behavior.

Proof.

We denote our protocol by (for Fast Secure Conspiracy Santa). For all , each entity has the input , where . For all , we show how to build the protocol such that:

is given in Simulator 8, and for is given in Simulator 9.

1: knows
2: receives ¢ from ;
3:if  then
4:      sends ¢ to ;)
5:else if  then
6:      sends ¢ to ;
7:end if
8:if  then
9:     ;
10:else if  then
11:     ;
12:end if
13:for  to  do
14:      makes the shared anonymous address pay ¢ to an anonymous address;
15:end for
Simulator 8 Algorithm of the protocol .
1: knows
2: ;
3: sends ¢ to ;
4: receives ¢ from ;
5: sends ¢ to the shared anonymous address;
6:;
7:for  to  do
8:      makes the shared anonymous address pay ¢ to an anonymous address;
9:end for
Simulator 9 Algorithm of the protocol