Fair exchange and non-repudiation protocols

Similar documents
Fair Exchange Protocols

OPTIMISTIC NON-REPUDIABLE INFORMATION EXCHANGE

Exclusion-Freeness in Multi-party Exchange Protocols

Generic Non-Repudiation Protocols Supporting Transparent Off-line TTP

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

A MULTI-PARTY NON-REPUDIATION PROTOCOL

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Imposing fairness in electronic commerce

A FAIR-EXCHANGE E-COMMERCE PROTOCOL WITH AUTOMATED DISPUTE RESOLUTION

Secure Multiparty Computation

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Lecture 1 Applied Cryptography (Part 1)

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

OPTIMIZING ONE FAIR DOCUMENT EXCHANGE PROTOCOL

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

HOST Authentication Overview ECE 525

More crypto and security

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Optimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

Multi-Party Non-Repudiation: A Survey

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Outline More Security Protocols CS 239 Computer Security February 6, 2006

UNIT - IV Cryptographic Hash Function 31.1

Lecture 10, Zero Knowledge Proofs, Secure Computation

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Outline Key Management CS 239 Computer Security February 9, 2004

Applied Cryptography Protocol Building Blocks

CPSC 467: Cryptography and Computer Security

Message authentication

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Fault Tolerance. o Basic Concepts o Process Resilience o Reliable Client-Server Communication o Reliable Group Communication. o Distributed Commit

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Chapter 9 Public Key Cryptography. WANG YANG

CS Computer Networks 1: Authentication

Solution to Problem Set 8

Overview. Game-Based Verification of Fair Exchange Protocols. The Problem of Fair Exchange. Game-Theoretic Model. Protocol as a Game Tree

CT30A8800 Secured communications

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Applied Cryptography and Computer Security CSE 664 Spring 2017

Timeout Estimation Using a Simulation Model for Non-repudiation Protocols

CS 161 Computer Security

Key Establishment and Authentication Protocols EECE 412

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Distributed systems. Lecture 6: distributed transactions, elections, consensus and replication. Malte Schwarzkopf

Notes for Lecture 24

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

1 A Tale of Two Lovers

CS 161 Computer Security

Fast Optimistically Fair Cut-and-Choose 2PC

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

S. Erfani, ECE Dept., University of Windsor Network Security

Coordination 1. To do. Mutual exclusion Election algorithms Next time: Global state. q q q

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Introduction to Cryptography in Blockchain Technology. December 23, 2018

Transactions. CS 475, Spring 2018 Concurrent & Distributed Systems

Encryption. INST 346, Section 0201 April 3, 2018

Number Theory and RSA Public-Key Encryption

An Overview of Secure Multiparty Computation

CPSC 467b: Cryptography and Computer Security

Chapter 9: Key Management

Zero Knowledge Protocol

Practical Aspects of Modern Cryptography

Cryptographic Concepts

Key establishment in sensor networks

Session key establishment protocols

Session key establishment protocols

Public-key Cryptography: Theory and Practice

Analysis of Probabilistic Contract Signing

An Optimistic Fair Exchange E-commerce Protocol with Automated Dispute Resolution

Nigori: Storing Secrets in the Cloud. Ben Laurie

ECEN 5022 Cryptography

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Distributed Systems Principles and Paradigms

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Kurose & Ross, Chapters (5 th ed.)

Notes for Lecture 14

Introduction to Cryptoeconomics

Mitigating the Untrusted Terminal Problem Using Conditional Signatures

Identification Schemes

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

===============================================================================

CSC 774 Network Security

Key establishment in sensor networks

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Secret Sharing With Trusted Third Parties Using Piggy Bank Protocol

Certified Electronic Mail Protocol Resistant to a Minority of Malicious Third Parties

Detectable Byzantine Agreement Secure Against Faulty Majorities

Occasionally, a network or a gateway will go down, and the sequence. of hops which the packet takes from source to destination must change.

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

RSA. Public Key CryptoSystem

Transcription:

Fair exchange and non-repudiation protocols Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics buttyan@crysys.hu 2010 Levente Buttyán Introduction in many applications, it is essential to ensure that participants of a transaction cannot deny having participated in the transaction the problem can be traced back to the problem of nonrepudiation of message origin and message delivery non-repudiation of message origin sender of the message cannot deny that he sent the message non-repudiation of message delivery (reception) receiver of a message cannot deny that he received the message ingredients of solutions digital signatures, fair exchange protocols 2/27

The classical fair exchange problem description desc B of item B description desc A of item A item A swap item B Bob Alice network if Alice has access to item B but Bob does not have access to item A, then Bob has a disadvantage, and vice versa Alice and Bob do not trust each other, they both believe that the other party may try to cheat 3/27 Fairness (strong) fairness: at the end of the protocol, either A gets item B and B gets item A or none of them get anything useful an alternative, more precise definition: if both parties are rational, then at the end of the protocol, the following conditions hold if A is honest, then B receives item A, only if A receives item B if B is honest, then A receives item B, only if B receives item A 4/27

Instances non-repudiation protocols exchange of message and its non-repudiation of origin (NRO) token for non-repudiation of receipt (NRR) token certified electronic mail exchange of mail for acknowledgement of receipt electronic contract signing exchange of signatures on the contract text purchase of network delivered services exchange of electronic payment for services mutual disclosure of identities exchange of identity information 5/27 More definitions weak fairness: if an honest party does not receive its expected item, while the other party does, then the first party receives a proof of this fact probabilistic fairness: a protocol provides ε-fairness, if it guarantees fairness with probability ε timeliness: all honest parties can reach, in a finite amount of time, a point in the protocol where they can stop the protocol while preserving fairness communication models: unreliable channel: messages can be lost resilient channel: all message are eventually delivered (after a finite, but unknown amount of time) reliable (operational) channel: all messages are delivered within a known, constant amount of time (there s an upper bound on the message delivery delay) 6/27

Types of fair exchange protocols no TTP (Trusted Third Party) main idea: break the exchange up into small steps if one party stops in the middle of the exchange, both parties need approximately the same amount of effort to finish the exchange (compute the other s item) doesn t achieve true fairness, usually needs many messages to exchange impractical in many applications, but theoretically interesting with TTP on-line TTP the TTP is involved in each run of the protocol off-line TTP the TTP is involved only if something goes wrong (a message is not received due to a communication error or some misbehavior) we may assume that, most of the time, there won t be any problems, so the protocol can be optimized (in terms of efficiency) for the faultless case ( also called optimistic protocols) 7/27 Fair exchange without any TTP a naïve protocol protocol: A has item A and desc B, B has item B and desc A A generates a random key k A and encrypts item A {item A } k A A sends {item A } k A to B B generates a random key k B and encrypts item B {item B } k B B sends {item B } k B to A A and B exchange k A and k B bit by bit: in the i-th step A sends k A [i] and B sends K B [i] at the end, both A and B decrypt the encrypted items and check them against the descriptions problem: what if a party sends random bits instead of the real key? each party must be able to verify that the other really sends the bits of his/her key! 8/27

A useful building block: bit commitment a bit commitment protocol ensures that A can commit to a binary value b in such a way that B cannot learn the committed value until A opens the commitment A cannot later change the committed value and claim that she has committed to b (instead of b) an example based on a collision resistant, one-way hash function H: A wants to commit to a bit b A generates a random number r (of sufficient length) A computes c = H(r b) A sends c to B B cannot compute b, because H is one-way when A wants to open the commitment, she sends (r, b) to B B verifies that H(r b) = c in order to cheat, A should be able to find r such that H(r b ) = H(r b) this is not possible, because H is collision resistant 9/27 Fair exchange without any TTP second attempt A has item A and desc B, B has item B and desc A A sends to B: [A, B, desc A, desc B, {item A } k A, C A, Sig A ( )] where C A = ( H(p 1 k A [1]),, H(p L k A [L]) ), L is the bit length of k A, and p i are random numbers B sends to A: [B, A, desc B, desc A, {item B } k B, C B, Sig B ( )] where C B = ( H(q 1 k B [1]),, H(q L k B [L]) ), and q i are random numbers A and B open their commitments one after the other: A sends (p i, k A [i]) and B sends (q i, k B [i]) A and B verify that they received the committed bits at the end, both A and B decrypt the encrypted items and check them against the descriptions 10/27

Brief analysis let us assume that A is honest and B stops after the t-th step A has [B, A, desc B, desc A, encitem, C B, Sig B ( )] (q 1, k[1]),, (q t, k[t]) if it is infeasible for A to determine the rest of k B (t is too small), then it is infeasible for B as well to determine the rest of k A let us assume that A tries to determine the rest of k B she tries to decrypt encitem with k[1..t] k[t+1..l] for all possible values of k[t+1..l] she may succeed and end up with an item that matches desc B B needs almost the same amount of effort to succeed if she doesn t succeed then she has a proof that B has cheated k[1..t] are the bits committed by B there s no k[t+1..l] such that decrypting encitem with k[1..t] k[t+1..l] results in an item that matches desc B B s signature proves that B provided false information to A 11/27 Other properties lot of messages need to be exchanged interactive, both parties should be on-line simultaneously not appropriate for some applications, e.g., e-mail both parties should have comparable computing power not applicable in some cases, e.g., when one of the parties is a mobile phone and the other is a server doesn t provide true fairness 12/27

Impossibility of true fairness without a TTP proof by Even and Yacobi [1980]: Alice Bob... last message Alice doesn t have item B yet, since otherwise the last message is unnecessary Bob must have item A, since he doesn t receive anymore messages in the protocol if Bob stops before sending the last message, then Alice suffers a disadvantage 13/27 A fair non-repudiation protocol with an on-line TTP protocol: 1. A TTP : E TTP ( A, B, m, sig A (A, B, h(m)) ) 2. TTP B : A, B, h(m), sig TTP (A, B, h(m)) 3. B TTP : E TTP ( sig B (A, B, h(m)) ) 4a. TTP A : sig B (A, B, h(m)) 4b. TTP B : m, sig A (A, B, h(m)) notes: NRO = sig A (A, B, h(m)), NRR = sig B (A, B, h(m)) E TTP ( ) is used to prevent eavesdropping of m and the evidences TTP is trusted for checking signatures and sending messages 4a and 4b simultaneously fairness is based on this simultaneous transmission of 4a and 4b, but there are problems: if channels are resilient, then it is unclear how long the TTP should wait for B s response, and thus, how long A should wait for the TTP s message (timeliness is not guaranteed) the TTP may crash between sending 4a and sending 4b, and leave B in an unfair situation 14/27

Fixing the timeliness problem protocol: 1. A TTP : E TTP ( A, B, m, T, NRO = sig A (A, B, h(m), T) ) 2. TTP B : A, B, h(m), T, sig TTP (A, B, h(m), T) 3. B TTP : E TTP ( NRR = sig B (A, B, h(m), T) ) if TTP receives msg 3 before T: 4. TTP publishes at T: A, B, h(m), T, m, NRO, NRR else: 4. TTP publishes at T: A, B, h(m), T, ABORTED 5a. after T, A checks for the result of the protocol 5b. after T, B checks for the result of the protocol notes: the TTP can publish results by making them available through a server (e.g., through the web) if TTP crashes before step 4, then no result will be available (for some time), but fairness is still preserved in any case, A and B should continue polling the server until they receive some response (their evidences or the abort indication) if channels are resilient, the protocol will end after a finite amount of time 15/27 Another variant (Zhou-Gollmann) protocol: C = E K (m) where K is a random session key 1. A B : A, C, T, NRO1 = sig A (A, B, C, T) 2. B A : B, NRR1 = sig B (A, B, C, T) 3. A TTP : E TTP ( A, B, T, K, sig A (A, B, T, K) ) 4. TTP publishes at T: A, B, T, K, NROR2 = sig TTP (A, B, T, K) 5a. after T, A tries to download NROR2 5b. after T, B tries to download NROR2 NRO = NRO1 + NROR2 NRR = NRR1 + NROR2 notes: NROR2 means as part of NRO: K was sent by A before T as part of NRR: K was made available to B after T if, in step 5, NROR2 is not on the server, then the downloading party can stop the protocol (in order to preserve fairness, the TTP should not ever publish NROR2 after T) 16/27

A protocol with an off-line TTP main protocol: 1. A B : A, B, id, E K (m), E TTP (K), NRO1 = sig A ( ) 2. B A : A, B, id, NRR = sig B ( A, B, id, E K (m), E TTP (K) ) 3. A B : A, B, id, K, NRO2 = sig A ( ) if B timeouts, then call the recovery protocol NRO = NRO1 + NRO2 recovery protocol (only for B): 1. B TTP : A, B, id, E K (m), E TTP (K), NRO1, NRR 2. TTP B : A, B, id, K, NRO2 = sig TTP ( ) 3. TTP A : A, B, id, NRR NRO = NRO1 + NRO2 notes: if A does not send message 3, then B can invoke the recovery protocol to re-establish fairness B will then get NRO!= NRO B may start recovery without sending message 2 (and hence NRR) that is why B must also provide NRR during recovery, which is then sent to A what if A sends E TTP (K ) in message 1? 17/27 A timeliness problem again A does not know when to stop if message 2 doesn t arrive if she stops, B may start the recovery protocol and obtain NRO (while A will no longer receive NRR) so she should wait, but B may have indeed stopped the protocol, and A will wait forever a potential solution an abort protocol that A can call any time to force termination 18/27

A protocol with an off-line TTP revised main protocol: 1. A B : A, B, id, E K (m), E TTP (K), NRO1 = sig A ( A, B, id, E K (m), E TTP (K) ) 2. B A : A, B, id, NRR1 = sig B ( A, B, id, E K (m), E TTP (K) ) if A timeouts, then call the abort protocol 3. A B : A, B, id, K, NRO2 = sig A ( A, B, id, K ) if B timeouts, then call the recovery protocol 4. B A : A, B, id, NRR2 = sig B ( A, B, id, K ) if A timeouts, then call the recovery protocol NRO = NRO1 + NRO2; NRR = NRR1 + NRR2 abort protocol (only for A): 1. A TTP : A, B, id, PLEASE ABORT if already aborted or recovered then stop, else aborted = TRUE and 2. TTP A : A, B, id, ABORTED, sig TTP ( ) 3. TTP B : A, B, id, ABORTED, sig TTP ( ) recovery protocol (for X in {A, B}): 1. X TTP : A, B, id, E K (m), E TTP (K), NRO1, NRR1 if already aborted or recovered then stop, else recovered = TRUE and 2. TTP A : A, B, id, K, NRR2 = sig TTP ( ), NRR1 3. TTP B : A, B, id, K, NRO2 = sig TTP ( ) 19/27 Properties fairness: if B feels something is going wrong, then he can invoke the recovery protocol at any time after receiving message 1 (which is the starting point for B) if A feels something is going wrong, then she can invoke the recovery protocol after receiving message 2 before that, she can cancel the transaction by calling the abort protocol abort and recovery are mutually exclusive when A invoked the abort protocol, she shouldn t continue the main protocol (even if B s message arrives later) B may misbehave (e.g., doesn t send message 4), and A cannot call the recovery protocol anymore an abort evidence is not a proof that the transaction didn t take place, because the abort protocol can be called after a successful run of the protocol timeliness at each point in the protocol both parties can force termination either by calling the recovery protocol or the abort protocol TTP is not transparent evidences produced in the protocol when TTP is used are different from those that are produced in the case when no TTP is used 20/27

A protocol with no TTP providing probabilistic fairness protocol: C = E K (m) where K is a random key 1. A B : A, B, id, C, NRO 0 = sig A ( A, B, id, C ) 2. B A : A, B, id, NRR 0 = sig B (A, B, id, C) with prob. ε, r 1 = K, and with prob. 1-ε, r 1 is a random number 3. A B : A, B, id, 1, r 1, NRO 1 = sig A ( A, B, id, 1, r 1 ) 4. B A : A, B, id, NRR 1 = sig B ( A, B, id, 1, r 1 ) with prob. ε, r n = K, and with prob. 1-ε, r n is a random number 2n+1. A B : A, B, id, n, r n, NRO n = sig A ( A, B, id, n, r n ) 2n+2. B A : A, B, id, NRR n = sig B ( A, B, id, n, r n ) A stops when K is sent or if she does not receive a response from B within some timeout time B stops when he does not receive the next message from A within some timeout time NRO = NRO 0 + NRO n ; NRR = NRR 0 + NRR n important assumption: decryption of C takes longer time than the timeout set by A in each step if B tries to test r i, then A timeouts and stops the protocol 21/27 Brief analysis fairness for B: if A has NRR n, then B must have NRO n (given that B is honest) fairness for A: in each step of the protocol, B may decide to stop he gets in advantageous situation (B has NRO n, but A doesn t have NRR n ) with prob. ε B s decision is wrong with prob. 1-ε, and in this case, fairness is preserved timeliness: it is safe to stop for B at any time in the protocol but how long should A wait for B s last message? if A stops prematurely, then she may end up in a disadvantageous state A should wait for B s response, but it may not have been sent by B overhead problem parameter ε should be small for better fairness the smaller ε is, the larger n is good fairness results in high overhead 22/27

Fair exchange with a semi-trusted on-line TTP Alice and Bob wants to exchange item A and item B with the help of TTP they don t want TTP to learn the value of their items idea: split the item into two pieces using a 2-out-of-2 secret sharing scheme one piece is exchanged directly with the other party, while the other is exchanged through the TTP TTP can still help to achieve fairness TTP learns only one share of each item out of the two needed to reconstruct the item share A,2 TTP share B,2 share share A,1 B,1 share share share B,2 B,2 share A,2 A,2 Alice share A,1 Bob share B,1 main challenge: parties need to be able to verify that they received correct shares and not garbage 23/27 Building block let G be a finite group let f: G G be a collision resistant one-way function let F: G x G G be an efficiently computable function f and F satisfy the following property: F(x, f(y)) = f(xy) example: G = Z p * = {1, 2,, p-1}, where p is a large prime, and g has order q < p-1 f(x) = g x mod p F(x, y) = y x mod p F(x, f(y)) = f(y) x mod p = g yx mod p = f(xy) 24/27

The protocol A and B wants to exchange K A and K B A has K A and f(k B ), and B has K B and f(k A ) A generates a random number x and sends it to B B generates a random number y and sends it to A A sends the following message to TTP: f(k A ), f(k B ), K A x -1, f(y) B sends the following message to TTP: f(k B ), f(k A ), K B y -1, f(x) TTP receives a A, b A, c A, d A from A and a B, b B, c B, d B from B TTP verifies that a A = b B = F(c A, d B ) /* F(K A x -1, f(x)) = f(k A ) */ a B = b A = F(c B, d A ) /* F(K B y -1, f(y)) = f(k B ) */ TTP sends c B (= K B y -1 ) to A and c A (= K A x -1 ) to B A computes c B y= K B y -1 y = K B B computes c A x= K A x -1 x = K A 25/27 Properties if all three parties are honest A learns K B and B learns K A if A and TTP are honest B learns nothing useful unless TTP sends c A to B but then TTP sends c B to A such that f(c B y) = f(k B ) this means that either c B = K B y -1 and A can compute c B y= K B, or B has found a collision of f at f(k B ) the latter is not possible because f is collision resistant if B and TTP are honest same as in the previous point due to symmetry if A and B are honest TTP learns nothing useful (i.e., it can simulate its view from f(k A ) and f(k B ) alone) the exchange may fail, but A and B can repeat it with another TTP 26/27

Some conclusions types of fair exchange protocols: with on-line TTP protocols of this kind are conceptually simple, but TTP is a bottleneck and a single point of failure with off-line TTP (full) protocol is complex, but main protocol can be simple less demand on the TTP, efficient in case of no faults with no TTP true fairness cannot be achieved lot of overhead strong assumptions (e.g., equal computing capacity of the parties) besides fairness, timeliness is also an important property there are many subtle details to consider during the design of a fair exchange protocol (formal methods?) useful reading: S. Kremer, O. Markowitch, J. Zhou, An Intensive Survey of Fair Nonrepudiation protocols, April 2002. N. Asokan, M. Schunter, and M. Waidner, Optimistic Protocols for Fair Exchange, 1997. 27/27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback