5.4 FairSwap Protocol
5.4.1 Witness and Transcript Encoding Scheme
Before we describe our main protocol in detail, we take a closer look at how S generates the encoding z, and how R can either extract the witness x or generate the complaint for the judge smart contract. We consider three algorithms: the EncodeH algorithm run by S, the ExtractH algorithm run by R, and the JudgeH algorithm run by the smart contract. EncodeH takes x as input and outputs an encoding z, which hides x from the receiver until the encoding key k is published. ExtractH takes z and k and extracts either the witness x (if φ(x) = 1) or a proof of misbehavior π. If JudgeH gets such a proof π over an incorrect witness x, i.e., φ(x) ≠ 1, the algorithm outputs 1, and 0 otherwise. We present our protocol in a modular way using the subroutines EncodeH, ExtractH, and JudgeH shown in Algorithms 1-3.
The challenges for this construction are (i) to keep all data that is sent to the contract small and (ii) to reduce the computation inside the contract. The key idea is to let the judge contract check that S carried out some part of the claimed computation incorrectly, instead of verifying the correctness of the entire computation. In our construction, we let the judge validate only the operation and the result of a single incorrectly computed gate of φ. This is done via a concise proof of misbehavior. Such a proof includes the inputs π1in, . . . , πℓin and the output outi of the gate φi, where φi = (i, opi, Ii) specifies the index i within the circuit, the operation opi, and the set Ii of indices of the input wires. Thus we need to ensure that the judge gets all of these values as part of the proof. In particular, we need to prevent R from sending values for different indices, so that the judge contract can be sure that the values used in the proof of misbehavior were originally generated by S. We ensure this by an efficient commitment using Merkle trees.
Encode Algorithm. In the FairSwap protocol, S uses the algorithm EncodeH to encode x and the intermediate values that are produced during the evaluation of φ(x) (cf. Algorithm 1). The output z of this encoding procedure is sent to the receiver R. Moreover, as described above, S sends a commitment to the key k to the smart contract.
The encoding of every element is done by hashing the key k together with the index of the gate i, which results in a new random string of length µ (as given by the random oracle):
zi = xi ⊕ H(k||i)
Algorithm 6 EncodeH(φ, x)
Input: φ = (φ1, . . . , φm) and x = (x1, . . . , xn)
1: k ← {0,1}^κ s.t. ∀i ∈ [m] : H(isPrgrmd(k||i)) ≠ 1   ▷ sample k
2: for each i ∈ [n] do
3:   outi = xi
4:   ki = H(k||i)   ▷ generate i-th key
5:   zi = ki ⊕ xi   ▷ encode witness through xor with i-th key
6: for each i ∈ {n+1, . . . , m} do
7:   parse φi = (i, opi, Ii)
8:   outi = opi(outIi[1], . . . , outIi[ℓ])   ▷ compute the i-th operation
9:   ki = H(k||i)   ▷ generate i-th key
10:  zi = ki ⊕ outi   ▷ encode output values through xor with i-th key
Output: z = (z1, . . . , zm), k
ciphertext, similar to the computation of a one-time pad. One may say that we use the hash function to extend the domain of the key, or that we generate a counter-mode style encryption of the elements⁷. As we work in the programmable random oracle model, we avoid using keys that have been programmed before the encoding. We ensure this by selecting a key at random and checking that it has not been programmed for any of the indices 1 to m.
Extract Algorithm. Once S reveals the encoding key k, R can run the extraction subroutine ExtractH (cf. Algorithm 2) and recover x. The algorithm gets as input the encoding z, the circuit φ, and the key k, and outputs a tuple whose first element is the decoding of the witness x and whose second element is either ⊥ (if φ(x) = 1) or a concise proof of misbehavior π (if φ(x) ≠ 1). The proof π is used later to convince the judge/contract that some step of the computation of φ(x) is incorrect.
On input the decoding key k, the root elements rz and rφ, and the proof π, the algorithm JudgeH outputs 1 if the complaint succeeds and 0 otherwise (cf. Algorithm 3). In order to verify the i-th step of φ(x), the judge needs to know the label φi = (i, opi, Ii), all values outIi[1], . . . , outIi[ℓ] on its input wires, and the value of its output wire outi. Using this information, the algorithm computes the output of the i-th gate and compares it with the value outi. If both values are the same, then the computation was carried out correctly, and the algorithm outputs 0 (i.e., it rejects the complaint). Otherwise, it outputs 1, and we say that the judge algorithm accepts the complaint.
⁷ We note that this is not an encryption scheme, as it only works for one-time encryption, as we reveal the key, and we require a stronger property from commitments, i.e., the binding
Algorithm 7 ExtractH(φ, z, k)
Input: φ = (φ1, . . . , φm), z = (z1, . . . , zm), k
1: for each i ∈ [n] do
2:   ki = H(k||i)   ▷ generate i-th key
3:   xi = ki ⊕ zi   ▷ extract witness by xor of key and encoding
4: Mz = MtreeH(z)   ▷ compute Merkle tree over z
5: Mφ = MtreeH(φ)   ▷ compute Merkle tree over φ
6: if ∃i ∈ [n] s.t. H(isPrgrmd(k||i)) then
7:   πφ = (φi, MproofH(i, Mφ))   ▷ proof that φi ∈ φ
8:   πout = (zi, MproofH(i, Mz))   ▷ proof that zi ∈ z
9:   set π = (πφ, πout, ∅)
10:  Terminate and Output: ((x1, . . . , xn), π)   ▷ output complaint if any key is programmed
11: for each i ∈ {n+1, . . . , m} do
12:   parse φi = (i, opi, Ii)
13:   outi = opi(outIi[1], . . . , outIi[ℓ])   ▷ compute output of i-th gate
14:   ki = H(k||i)   ▷ generate i-th key
15:   out′i = ki ⊕ zi   ▷ extract output by xor of key and encoding
16:   if out′i ≠ outi or (i = m and outi ≠ 1) or H(isPrgrmd(k||i)) then
17:     πφ = (φi, MproofH(i, Mφ))   ▷ proof that φi ∈ φ
18:     πout = (zi, MproofH(i, Mz))   ▷ proof that zi ∈ z
19:     for each k ∈ [ℓ] do
20:       set j = Ii[k]   ▷ j is the k-th index in set Ii
21:       πkin = (zj, MproofH(j, Mz))   ▷ proof that zj ∈ z
22:     set π = (πφ, πout, π1in, . . . , πℓin)
23:     Output: ((x1, . . . , xn), π)
24: Output: ((x1, . . . , xn), ⊥)
In particular, if the algorithm encounters any programmed hash value, it also generates a complaint. This is important to prevent the sender from programming the global random oracle H so that a false file hashes to the correct root hash. This attack is captured by also generating a proof of misbehavior in that case and sending it to the judge. It remains to construct the judge algorithm that correctly verifies the complaint.
Judge Algorithm. To guarantee that R can only complain about values that he has indeed received from S and that violate the predicate function φ on which both S and R have agreed, we require that the Merkle roots rz = root(MtreeH(z)) and rφ = root(MtreeH(φ)) are stored in the judge contract. Concretely, S sends rz and rφ to the contract in the first step, and R will only deposit p coins into the contract if these values are consistent with z. When JudgeH later receives a concise proof of misbehavior, it checks whether the Merkle proofs it contains are consistent with rz and rφ. Only if this is the case is a complaint accepted by the contract.
Algorithm 8 JudgeH(k, rz, rφ, π)
1: parse π = (πφ, πout, π1in, . . . , πℓin)
2: parse πφ = (φi, ρφ)
3: parse φi = (i, opi, Ii)   ▷ reject if φi not i-th step of φ(x)
4: ki = H(k||i)   ▷ generate i-th key
5: if H(isPrgrmd(k||i)) then
6:   Terminate and Output 1   ▷ accept if any key is programmed
7: else
8:   outi = ki ⊕ zi   ▷ extract output by xor of key and encoding
9: if MvrfyH(φi, ρφ, rφ) ≠ 1 output: 0
10: parse πout = (zi, ρout)   ▷ reject if zi not i-th element of z
11: if MvrfyH(zi, ρout, rz) ≠ 1 output: 0
12: if i = m and outi ≠ 1 output: 1   ▷ accept if φ(x) ≠ 1
13: for each j ∈ [ℓ] do   ▷ Ii[j] is the j-th index in set Ii
14:   parse πjin = (zj, ρj)   ▷ reject if zj not z[j]
15:   if MvrfyH(zj, ρj, rz) ≠ 1 output: 0
16:   kIi[j] = H(k||Ii[j])   ▷ generate Ii[j]-th key
17:   if H(isPrgrmd(k||Ii[j])) then
18:     Terminate and Output 1   ▷ accept if any key is programmed
19:   else
20:     outIi[j] = kIi[j] ⊕ zj   ▷ extract output by xor of key and encoding
21: if opi(outIi[1], . . . , outIi[ℓ]) ≠ outi output: 1   ▷ accept
22: else Output: 0   ▷ reject complaint if evaluation correct
This concise proof of misbehavior π consists of a total of ℓ + 2 Merkle proofs, and hence the complexity of the judge is O(ℓ log(m)). The first element πφ ∈ π includes the Merkle proof showing that the label φi is indeed the label corresponding to the i-th gate in φ. The second element πout includes a Merkle proof ρout, which is required to verify that zi is indeed the i-th element in z. Finally, π contains the Merkle proofs π1in, . . . , πℓin for the ℓ encoded input values of the gate with label φi. Given these Merkle proofs, the judge algorithm verifies their correctness and decrypts zi, the encoding of the i-th operation φi, into the output value outi. Then it checks whether opi evaluated on the ℓ inputs yields outi. If all these checks pass, it outputs 1; otherwise, it outputs 0.