How to Work with Honest but Curious Judges? (Preliminary Report)
The three-judges protocol, recently advocated by McIver and Morgan as an example of stepwise refinement of security protocols, studies how to securely compute the majority function to reach a final verdict without revealing each individual judge’s decision. We extend their protocol in two different ways for an arbitrary number of 2n+1 judges. The first generalisation is inherently centralised, in the sense that it requires a judge as a leader who collects information from others, computes the majority function, and announces the final result. A different approach can be obtained by slightly modifying the well-known dining cryptographers protocol; however, it reveals the number of votes rather than the final verdict. We define a notion of conditional anonymity in order to analyse these two solutions. Both of them have been checked in the model checker MCMAS.
💡 Research Summary
The paper revisits the three‑judge protocol introduced by McIver and Morgan, which securely computes the majority function among three “honest but curious” judges without revealing any individual decision. The authors extend this setting to an arbitrary odd number of judges, 2n + 1, and propose two distinct constructions that illustrate different architectural trade‑offs.
The first construction is a centralised, leader‑based protocol. One judge is designated as the leader; the remaining 2n judges encrypt their binary votes (guilty/innocent) with a secret‑key channel and send the ciphertexts to the leader. The leader decrypts all messages, evaluates the majority function locally, and broadcasts only the final verdict. Because the leader sees every vote, the protocol assumes a strong trust relationship in the leader. To mitigate this, the authors introduce a novel privacy notion called conditional anonymity: even if the leader knows its own vote and the final outcome, it cannot infer any other judge’s vote with probability better than random guessing. This property is formalised in epistemic logic and verified using the multi‑agent model checker MCMAS. The centralised design has the advantage of minimal communication rounds and simple implementation, but its security hinges on the leader’s honesty.
The second construction adapts the classic Dining Cryptographers (DC) protocol. In the original DC protocol, participants share pairwise secret bits and announce the XOR of their secret with their own message, allowing the group to learn whether an odd number of participants sent a “1” without learning who. The authors modify this scheme for majority voting: each judge shares secret bits with its two neighbours, XORs its vote with the two secrets, and broadcasts the result. After all broadcasts, every judge can compute the total number of “guilty” votes, but individual votes remain hidden. This approach is fully distributed—no leader is required—and all judges have equal authority. However, the protocol reveals the exact count of votes rather than the binary majority verdict. Consequently, while it satisfies conditional anonymity (no single vote is disclosed), it does not guarantee result anonymity: an adversary who knows the vote count and the distribution of judges’ preferences may be able to infer the final decision.
Both protocols are subjected to rigorous formal analysis. The authors encode the systems in MCMAS, specifying epistemic properties such as: (i) “no honest judge ever learns another judge’s vote,” (ii) “the leader, even with knowledge of its own vote and the final verdict, cannot deduce any other vote,” and (iii) “in the DC‑based scheme, the total number of votes is known but individual votes remain indistinguishable.” The model‑checking runs confirm that each construction satisfies its respective anonymity guarantees.
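The DC-based scheme and property (iii) above, as an added example (not code from the paper or its MCMAS models): it swaps the single-bit XOR for addition modulo 2n+2, an assumption made here because XOR of single bits yields only the parity of the guilty votes, not their count. All function names are hypothetical, and the check enumerates the vote vectors one judge cannot rule out from its own view.

```python
import itertools
import secrets

def run_round(votes):
    """One round of a ring DC-net with additive masks (assumed variant).

    Judge i shares keys[i] with its right neighbour and keys[i-1] with its
    left neighbour, and broadcasts vote + right key - left key (mod k+1).
    """
    k = len(votes)
    m = k + 1  # the count lies in 0..k, so k+1 residues are enough
    keys = [secrets.randbelow(m) for _ in range(k)]
    broadcasts = [(votes[i] + keys[i] - keys[i - 1]) % m for i in range(k)]
    return broadcasts, keys

def tally(broadcasts):
    """Every key is added once and subtracted once, so only the count remains."""
    return sum(broadcasts) % (len(broadcasts) + 1)

def worlds_for_judge(j, own_vote, key_left, key_right, broadcasts):
    """Vote vectors judge j cannot rule out from its own view of the round."""
    k = len(broadcasts)
    m = k + 1
    worlds = []
    for cand in itertools.product((0, 1), repeat=k):
        if cand[j] != own_vote:
            continue
        if (own_vote + key_right - key_left) % m != broadcasts[j]:
            continue
        # Walk the ring from j+1 round to j-1, solving for each hidden key.
        key = key_right
        for step in range(1, k):
            i = (j + step) % k
            key = (broadcasts[i] - cand[i] + key) % m
        if key == key_left:  # the ring closes, so keys exist that explain cand
            worlds.append(cand)
    return worlds

if __name__ == "__main__":
    votes = [1, 0, 1, 1, 0]  # constructed sample: 2n+1 = 5 judges, 1 = guilty
    broadcasts, keys = run_round(votes)
    count = tally(broadcasts)
    print("guilty votes:", count, "verdict:", "guilty" if 2 * count > len(votes) else "innocent")
    for w in worlds_for_judge(0, votes[0], keys[-1], keys[0], broadcasts):
        print("judge 0 cannot exclude", w)
```

When the count is 0 or 2n+1 the set collapses to a single world, because the tally alone fixes every vote.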
The paper’s contributions are threefold. First, it provides concrete, scalable extensions of the three‑judge protocol to any odd number of participants, illustrating both a centralised and a fully distributed alternative. Second, it introduces and formally defines conditional anonymity, enriching the taxonomy of privacy notions for secure multi‑party computation. Third, it demonstrates the practical applicability of epistemic model checking (via MCMAS) for verifying subtle privacy properties in complex multi‑agent protocols.
In the discussion, the authors emphasise that the choice between the two designs depends on the operational context. If a trusted coordinator exists and low latency is critical, the leader‑based protocol is attractive. If the environment demands decentralisation and resilience against a single point of failure, the DC‑derived protocol is preferable, albeit with the acceptance that the vote count becomes public. The paper concludes that any real‑world deployment—such as jury deliberations, distributed consensus in blockchain, or privacy‑preserving electronic voting—must carefully balance trust assumptions, communication overhead, and the granularity of information that may be safely disclosed.