Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing - PowerPoint PPT Presentation

ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing Gildas A VOINE & Serge V AUDENAY EPFL The 9th Australasian Conference on Information Security and Privacy 13-15 July 2004, Sydney, Australia Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.1

Outline Some Recalls on the Fair Exchange Problem A New Fair Exchange Protocol Based on Secret Sharing Analysis of the Protocol Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.2

� Some Recalls on the Fair Exchange Problem A New Fair Exchange Protocol Based on Secret Sharing Analysis of the Protocol Some Recalls on the Fair Exchange Problem Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.3

☎ ✆ ☎ ✆ ✂ ✂ ✁ ✁ ✂ ✆ ☎ ☎ ✁ ✁ ✂ ✆ ☎ ☎ ✁ ✆ ✂ ✆ ✂ ✆ ☎ ✆ Two-party fair exchange: definitions An exchange protocol between an originator and a recipient ✁✄✂ is a protocol in which and own some items and ✁✄☎ ✁✄✂ respectively and aim at exchanging them. When at least one of the two participants follows the protocol, the exchange protocol ensures fairness if the exchange termi- nates so that either gets and gets , or gets no information about and gets no information about . The exchange protocol ensures privacy if no other party gets any information about or . Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.4

The simplest exchange protocol Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

The simplest exchange protocol P P m o r o m r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

The simplest exchange protocol P P m o r o m r Unfair Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

The simplest exchange protocol P P m o r o m r Unfair [Even and Yacobi, 1980] Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

✝ ✝ ✝ ✝ Fair exchange: classification FE with an on-line Trusted Third Party (TTP) FE with an off-line TTP Gradual FE Probabilistic FE Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.6

✝ ✝ ✝ ✝ Fair exchange: classification FE with an on-line Trusted Third Party (TTP) FE with an off-line TTP Gradual FE Probabilistic FE Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.6

FE with an off-line TTP (main protocol) P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.7

FE with an off-line TTP (main protocol) P P o r commitment on m o commitment on m r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.7

FE with an off-line TTP (main protocol) P P o r commitment on m o commitment on m r m o m r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.7

FE with an off-line TTP (recovery protocol) TTP P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

FE with an off-line TTP (recovery protocol) TTP P P o r commitments on and mr mo Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

FE with an off-line TTP (recovery protocol) TTP P P o r commitments on and commitments on and mr mo mr mo Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

FE with an off-line TTP (recovery protocol) TTP P P o r commitments on and commitments on and mr mo mr mo mr mo Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

� Some Recalls on the Fair Exchange Problem A New Fair Exchange Protocol Based on Secret Sharing Analysis of the Protocol A New Fair Exchange Protocol Based on Secret Sharing Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.9

✆ ✆ Secret sharing Secret sharing: a secret is shared among several participants such that only some specific subsets of participants can recover by collusion. Verifiable secret sharing: each participant can check his own share. Publicly verifiable secret sharing: anybody can check the shares. Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.10

☞ ✌ ✞ ✓ ☞ ✓ ✑✓ ✆ ✎ ✞ ✁ ✆ ✍ ☛ ✌ ✍ ☛ ✡ ✆ ✎ ✔ ✓ ✓ ✑ ✑ ✟ ✡ ✡ ☞ ✆ ✟ ✍ ✆ ✌ ✞ ✍ ✠ ✟ ✆ ✆ ✟ ☛ ✌ ✔ ✁ ✟ ✁ ✠ ✟ ✡ ✆ PVSS: distribution stage The dealer generates the shares of . He publishes the encrypted values such that only the participant is able to decrypt . He publishes an information which allows to prove that the distributed shares are correct i.e. they allow to recover some verifying . ☛✒✑✓ ✠✏✎ ✠✕✔ Share Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.11

✓ ✡ ✎ ✁ ✓ ✓ ✞ ✑ ✑ ✆ ✡ ✔ ☛ ✌ ✍ ✁ ✎ ✑✓ ✆ ✔ ✓ ✆ ✍ ✁ ✟ ✌ ✠ ✟ ✡ ✟ ✌ ☛ ☞ ☞ ✍ ✌ ✆ ✍ ☞ ✓ PVSS: verification stage Given the s’ public keys, the s, and , anybody can verify that the shares allow to recover some verifying . ☛✒✑ ✠✖✎ ✠✗✔ true or false Verify Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.12

✓ ✆ ✍ ✌ ✑ ✍ ✌ ✓ ✆ ✑ ✞ ✓ ✓ ✑ ✓ ✓ ✁ ✆ ✑ ✞ ✁ ☛ ✟ ✆ ✡ ✟ ✠ ✌ ✟ ✆ ✍ ✆ PVSS: reconstruction stage The participants decrypt their share from . They pool them in order to recover . ✟✙✘ ✟✛✚ Recover ✟✜✘ ✟✢✚ Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.13

Towards a new approach P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach P P o r Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach P P o r Can we take advantage of these neighbors? Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Honesty [Avoine et al., 2004] proved that multi-party fair exchange without any form of honesty is impossible (Generalization of Even and Yacobi’s results). We assume that some participants are honest (i.e. they follow the protocol), but we don’t know who they are. Even if a participant is honest, he can be curious. Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.15

✁ ✁ ☎ ✁ ☎ ✂ ✁ ✞ ✞ ✞ ✂ ✎ ✤ ✞ ✣ Our fair exchange protocol Our protocol is an optimistic FE protocol: the main protocol consists of a commitment step based on a PVSS of parameter and an exchange step. Among the passive participants, the following behaviors exist: : participants who honestly collaborate with both and . ✁✥☎ : participants who may harm by colluding with . ✤✧✦ : participants who may harm by colluding with . ✤✩★ ✁✥✂ : participants who do not collaborate at all. ✤✫✪ Gildas A VOINE & Serge V AUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.16