Collusion-Preserving Computation Jo¨el Alwen 1 , Jonathan Katz 2, , Ueli Maurer 1 , and Vassilis Zikas 2, 1 ETH Z¨ urich {alwenj,maurer}@inf.ethz.ch 2 University of Maryland {jkatz,vzikas}@cs.umd.edu Abstract. In collusion-free protocols, subliminal communication is im- possible and parties are thus unable to communicate any information “beyond what the protocol allows.” Collusion-free protocols are inter- esting for several reasons, but have specifically attracted attention be- cause they can be used to reduce trust in game-theoretic mechanisms. Collusion-free protocols are impossible to achieve (in general) when all parties are connected by point-to-point channels, but exist under certain physical assumptions (Lepinksi et al., STOC 2005) or when parties are connected in specific network topologies (Alwen et al., Crypto 2008). We provide a “clean-slate” definition of the stronger notion of collusion preservation. Our goals in revisiting the definition are: To give a definition with respect to arbitrary communication re- sources (including as special cases the communication models from prior work). We can then, in particular, better understand what types of resources enable collusion-preserving protocols. To construct protocols that allow no additional subliminal communi- cation when parties can communicate via other means. (This property is not implied by collusion-freeness.) To support composition, so protocols can be designed in a modular fashion using sub-protocols run among subsets of the parties. In addition to proposing the definition, we explore implications of our model and show a general feasibility result for collusion-preserving com- putation of arbitrary functionalities. We formalize a model for concur- rently playing multiple extensive-form, mediated games while preserving many important equilibrium notions. 1 Introduction Subliminal channels [28,29,30] in protocols allow parties to embed “disallowed” communication into protocol messages, without being detected. (For example, a party might communicate a bit b by sending a valid message with first bit equal to b.) The existence of subliminal channels is often problematic. In a large- scale distributed computation, for instance, subliminal channels could allow two  Research supported in part by NSF grant #1111599.  Supported in part by a fellowship from the Swiss National Science Foundation (Project No. PBEZP2-134445). R. Safavi-Naini and R. Canetti (Eds.): CRYPTO 2012, LNCS 7417, pp. 124–143, 2012. c  International Association for Cryptologic Research 2012