Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing - - PowerPoint PPT Presentation

ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing

Gildas AVOINE & Serge VAUDENAY EPFL

The 9th Australasian Conference on Information Security and Privacy 13-15 July 2004, Sydney, Australia

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.1

Outline

Some Recalls on the Fair Exchange Problem A New Fair Exchange Protocol Based on Secret Sharing Analysis of the Protocol

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.2

• Some Recalls on the Fair Exchange Problem

A New Fair Exchange Protocol Based on Secret Sharing Analysis of the Protocol

Some Recalls on the Fair Exchange Problem

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.3

Two-party fair exchange: definitions

An exchange protocol between an originator

and a recipient

is a protocol in which

and

• wn some items

and

respectively and aim at exchanging them. When at least one of the two participants follows the protocol, the exchange protocol ensures fairness if the exchange termi- nates so that either

gets

and

gets

, or

gets no information about

and

gets no information about

. The exchange protocol ensures privacy if no other party gets any information about

• r

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.4

The simplest exchange protocol

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

The simplest exchange protocol

m

• m

r P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

The simplest exchange protocol

m

• m

r P

• P

r

Unfair

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

The simplest exchange protocol

m

• m

r P

• P

r

Unfair [Even and Yacobi, 1980]

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.5

Fair exchange: classification

FE with an on-line Trusted Third Party (TTP)

FE with an off-line TTP

Gradual FE

Probabilistic FE

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.6

Fair exchange: classification

FE with an on-line Trusted Third Party (TTP)

FE with an off-line TTP

Gradual FE

Probabilistic FE

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.6

FE with an off-line TTP (main protocol)

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.7

FE with an off-line TTP (main protocol)

m

• m

r

P

• P

r

commitment on commitment on

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.7

FE with an off-line TTP (main protocol)

m

• m

r

m

• m

r

P

• P

r

commitment on commitment on

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.7

FE with an off-line TTP (recovery protocol)

P r TTP

• P

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

FE with an off-line TTP (recovery protocol)

P r mr mo commitments on and TTP

• P

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

FE with an off-line TTP (recovery protocol)

P r mr mo commitments on and mr mo commitments on and TTP

• P

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

FE with an off-line TTP (recovery protocol)

P r mr mo mr mo commitments on and mr mo commitments on and TTP

• P

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.8

Some Recalls on the Fair Exchange Problem

• A New Fair Exchange Protocol Based on Secret Sharing

Analysis of the Protocol

A New Fair Exchange Protocol Based on Secret Sharing

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.9

Secret sharing

Secret sharing: a secret

is shared among several participants such that only some specific subsets of participants can recover

by collusion. Verifiable secret sharing: each participant can check his own share. Publicly verifiable secret sharing: anybody can check the shares.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.10

PVSS: distribution stage

The dealer generates the shares

• f

.

He publishes the encrypted values

such that only the participant

is able to decrypt

.

He publishes an information

which allows to prove that the distributed shares are correct i.e. they allow to recover some

verifying

.

Share

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.11

PVSS: verification stage

Given the

s’ public keys, the

s, and

, anybody can verify that the shares allow to recover some

verifying

.

Verify

true or false

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.12

PVSS: reconstruction stage

The participants decrypt their share

from

.

They pool them in order to recover

.

Recover

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.13

Towards a new approach

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach

P

• P

r

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Towards a new approach

P

• P

r

Can we take advantage of these neighbors?

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.14

Honesty

[Avoine et al., 2004] proved that multi-party fair exchange without any form of honesty is impossible (Generalization of Even and Yacobi’s results). We assume that some participants are honest (i.e. they follow the protocol), but we don’t know who they are. Even if a participant is honest, he can be curious.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.15

Our fair exchange protocol

Our protocol is an optimistic FE protocol: the main protocol consists of a commitment step based on a PVSS of parameter

and an exchange step. Among the passive participants, the following behaviors exist:

: participants who honestly collaborate with both

and

.

: participants who may harm

by colluding with

.

: participants who may harm

by colluding with

.

: participants who do not collaborate at all.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.16

Assumptions

; and

and

know some constant

such that

. Example 1: If

and

know that there is a majority of honest participants in the network i.e.

then we take

. Example 2: If

knows that at least 40% of the network is honest with him (i.e.

) and

knows that at least 70% of the network is honest with him (i.e.

) then we can take

such that

For instance, if

,

is chosen such that

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.17

Assumptions (Cont)

We assume that

knows a constant

max

such that mes- sages from

to any participant are always delivered within a time delay less than

• max. We assume that all messages from

honest participants are eventually delivered.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.18

Some additional primitives

We suppose that

and

agree on the mathematical descrip- tion of the items they want to exchange (e.g. descr

).

Check

true or false descr(

)

They establish the contract:

descr

descr

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.19

Some additional primitives

CheckEnc

true or false descr(

)

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.20

Some additional primitives

CheckEnc

true or false descr(

)

Enc

Dec

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.20

Recap

Share Check CheckEnc Verify Enc Recover Dec

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.21

Exchange protocol Step by Step

Share

picks a random element

and computes

such that

. He computes Share

and sends

to

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.22

Exchange protocol Step by Step

Share

Verify

checks that Verify

descr

is true where descr(

) is deduced from descr(

) (e.g.

• ✲

) and

. If the test succeeds then he sends

to

, else he has just to wait until the expiration date

to give up the exchange.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.22

Exchange protocol Step by Step

Share

Verify Check

checks that

is correct running Check

descr

. If it is the case then

sends

to

. Otherwise, he has just to wait until the expiration date

in order to give up the exchange.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.22

Exchange protocol Step by Step

Share

Verify Check

Check If

does not receive

• r if Check

descr

is false then he runs the recovery protocol.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.22

Recovery protocol

The recovery protocol is started before

max by the recipi-

ent,

, when he is injured, that is if the third message of the exchange,

, is wrong or missing.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.23

Recovery protocol Step by Step

• ❬

Enc

encrypts

for

and sends

,

,

, and

to

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.24

Recovery protocol Step by Step

• ❬

Enc

CheckEnc

• ❬

computes CheckEnc

descr

where descr(

) is extracted from

; if the output is true and if the expiration date, contained in

, has not expired,

sends

to

and

to

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.24

Recovery protocol Step by Step

• ❬

Enc Dec

CheckEnc

• ❬

Recover After having received

shares,

runs Recover. From

he com- putes

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.24

Some Recalls on the Fair Exchange Problem A New Fair Exchange Protocol Based on Secret Sharing

• Analysis of the Protocol

Analysis of the Protocol

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.25

Fairness

is honest and

is dishonest.

is wrong (or missing):

detects that

is wrong, therefore he does not transmit

and waits for

. If

does not run the recovery protocol then nobody can obtain anything valuable

• n the expected items and the exchange is trivially fair.

If

starts the recovery protocol after

then he cannot obtain

since

. If

starts the recovery protocol before

then

receives

from an external participant either in

• r

; therefore the protocol is fair iff

can obtain

that is if and only if

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.26

Fairness (Cont)

is dishonest and

is honest.

is wrong (or missing):

detects that

is wrong and decides not to disclose

.The exchange ends therefore on a trivially fair termination after

.

is correct but

is not (or missing):

detects such a wrong

and therefore starts the recovery protocol. The fair- ness of the exchange relies thus on the ability of the passive par- ticipants to supply

to

, that is if and only if

The fairness is so ensured since

has already received

in

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.27

Privacy

If the recovery protocol is not performed, then only information between

and

are exchanged and passive participants receive nothing.

If the recovery protocol is used, then some participants receive shares of

. However, although

participants colluding can re- cover

, they cannot recover

since they do not know

. Obvi-

• usly, they cannot discover

either.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.28

Complexity

When both

and

are honest, the complexity in terms of exchanged messages is very small since only three messages are exchanged. When somebody misbehaves, the

passive participants are contacted by

, each receives one message and sends at most two messages, so the complexity (worst case) is only

.

• ❬

Enc Dec

CheckEnc

• ❬

Recover

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.29

Conclusion

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.30

Conclusion

First optimistic fair exchange protocol which does not rely on a centralized trusted third party.

We proved that our protocol ensures fairness even in quite dishonest environment and implies only low communication

• verhead.

Our protocol works assuming that a majority of participants are honest or that only one is honest but we can estimate the number of participants in

who may harm

by colluding with

.

Gildas AVOINE & Serge VAUDENAY – Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing – p.31