Fair Exchange Protocols

Similar documents
Fair exchange and non-repudiation protocols

OPTIMISTIC NON-REPUDIABLE INFORMATION EXCHANGE

Exclusion-Freeness in Multi-party Exchange Protocols

OPTIMIZING ONE FAIR DOCUMENT EXCHANGE PROTOCOL

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

Game Analysis of Abuse-free Contract Signing

Overview. Game-Based Verification of Fair Exchange Protocols. The Problem of Fair Exchange. Game-Theoretic Model. Protocol as a Game Tree

Generic Non-Repudiation Protocols Supporting Transparent Off-line TTP

A MULTI-PARTY NON-REPUDIATION PROTOCOL

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Multi-Party Non-Repudiation: A Survey

Game Analysis of Abuse-free Contract Signing

Optimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation

An abuse-free fair contract-signing protocol based on the RSA signature

Abuse-Free Optimistic Contract Signing

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Zero Knowledge Protocol

Applied Cryptography and Computer Security CSE 664 Spring 2017

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Security protocols and their verification. Mark Ryan University of Birmingham

A Synchronous Multi-Party Contract Signing Protocol Improving Lower Bound of Steps

CS 161 Computer Security

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Certificateless Public Key Cryptography

Secure Multiparty Computation

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Imposing fairness in electronic commerce

Estimation of TTP Features in Non-repudiation Service *

Zero-Knowledge Proofs of Knowledge

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Number Theory and RSA Public-Key Encryption

Chapter 9 Public Key Cryptography. WANG YANG

Cryptography V: Digital Signatures

Timeout Estimation Using a Simulation Model for Non-repudiation Protocols

CS 161 Computer Security

CPSC 467: Cryptography and Computer Security

CSC 774 Advanced Network Security

Public Key Algorithms

Diffie-Hellman. Part 1 Cryptography 136

CS 395T. Analyzing SET with Inductive Method

CSC/ECE 774 Advanced Network Security

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Introduction to Cryptography in Blockchain Technology. December 23, 2018

Chapter 9. Public Key Cryptography, RSA And Key Management

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Introduction to Modern Cryptography. Benny Chor

CPSC 467b: Cryptography and Computer Security

Applied Cryptography Protocol Building Blocks

Spring 2010: CS419 Computer Security

Math236 Discrete Maths with Applications

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptography V: Digital Signatures

CSC 774 Network Security

Kurose & Ross, Chapters (5 th ed.)

Chapter 9: Key Management

Automatic Verification of Remote Electronic Voting Protocols

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Ambiguous Optimistic Fair Exchange

What did we talk about last time? Public key cryptography A little number theory

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Two Fair Payment Protocols for E-Commerce Transaction

HOST Cryptography I ECE 525. Cryptography Handbook of Applied Cryptography &

ASYMMETRIC CRYPTOGRAPHY

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Analysis of Probabilistic Contract Signing

Analysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.

Cryptography and Network Security. Sixth Edition by William Stallings

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Grenzen der Kryptographie

Contract Signing, Optimism, and Advantage?

Encryption. INST 346, Section 0201 April 3, 2018

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Digital Signature. Raj Jain

Digital Cash Systems

NETWORK SECURITY & CRYPTOGRAPHY

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

A Certified Protocol Suitable for Mobile Environments

1 Identification protocols

Lecture 7 - Applied Cryptography

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

Structure-Preserving Certificateless Encryption and Its Application

An Overview of Secure Multiparty Computation

THIRD PARTY AUDITING FOR SECURE DATA STORAGE IN CLOUD THROUGH DIGITAL SIGNATURE USING RSA

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Lecture 1: Perfect Security

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

CS Computer Networks 1: Authentication

HOST Authentication Overview ECE 525

A FAIR-EXCHANGE E-COMMERCE PROTOCOL WITH AUTOMATED DISPUTE RESOLUTION

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Transcription:

air Exchange Protocols Steve Kremer and Mark Ryan air Exchnage Protocols p.1

Examples of fair exchange protocols Electronic purchase of goods exchange of an electronic item against an electronic payment igital contract signing exchange of digital signatures on a given electronic document Non-repudiation protocols exchange of an electronic item and a non-repudiation of origin evidence against the corresponding non-repudiation of receipt evidence Certified e-mail exchange of an electronic message against a proof of receipt Barter an electronic item of a given value is exchanged against another item of a similar value... air Exchnage Protocols p.2

An example: digital contract signing Use digital signatures to sign a contract over a network What is the problem? Alice Signed contract Bob Signed contract Asymmetry: someone must be the first to sign airness A protocol is fair if at the end of the protocol, either all participants received the expected item, or none of them received the expected item. air Exchnage Protocols p.3

Evolution of fair exchange protocols protocols requiring a trusted third party (TTP... but create a bottleneck at the TTP act: no deterministic contract signing protocol exists without the participation of a TTP. [Even Yacobi 1980] protocols based on gradual release... but need to assume comparable computation power, do not achieve real fairness and require a high number of messages randomised protocols... but need to increase the number of messages to decrease the probability that someone may cheat optimistic protocols suppose that most entities are honest, TTP intervention only in case of problem... introduced only in 1997 independently by Asokan et al. and Micali air Exchnage Protocols p.4

A probabilistic contract signing protocol Alice chooses a random number, and then she chooses random keys. Bob doesn t know or the keys. Next, Alice and Bob exchange messages as follows. Each party will timeout and abandon the protocol if there is a delay of time units by the other party in sending the next message. ecryption time is assumed to be much greater than. ack( Alice ack( Bob ack(. ack( air Exchnage Protocols p.5

A first optimistic contract signing protocol Main protocol Alice Promise to sign contract Signed contract Bob Signed contract else recover with TTP air Exchnage Protocols p.6

A first optimistic contract signing protocol (2 Recovery protocol Bob Recovery request (including A s promise TTP Contract signed by TTP Alice Contract signed by TTP Note: communication channels between the TTP and participants are supposed to be resilient (all messages eventually arrive. air Exchnage Protocols p.7

A first optimistic contract signing protocol (3 This protocol is fair. But it still has a problem... After having sent the first message Alice can get stuck. Timeliness A protocol provides timeliness if and only if at each moment in the protocol each participant can reach, in a finite amount of time, a point where he can stop the protocol while preserving fairness. air Exchnage Protocols p.8

A second optimistic contract signing protocol Main protocol Alice Bob Promise to sign contract Promise to sign contract else stop else abort with TTP Signed contract Signed contract else recover with TTP else recover with TTP air Exchnage Protocols p.9

A second optimistic contract signing protocol (2 Abort Protocol Alice TTP Abort request Abort token signed by TTP Contract signed by TTP if protocol not yet recovered else Note: The abort token is not a proof that the protocol has been aborted. It is only a promise that the TTP will not allow this protocol to be recovered. Note: Each message of the protocol must contain a unique identifier for the protocol session. air Exchnage Protocols p.10

A second optimistic contract signing protocol (3 Recovery Protocol Alice TTP Recovery request (including B s promise Abort token signed by TTP if protocol already aborted Contract signed by TTP else Bob Contract signed by TTP Note: The recovery protocol for Bob is obtained by inversing Alice s and Bob s role. air Exchnage Protocols p.11

TTP invisibility The previous protocol is fair and respects timeliness. However, it is possible to determine whether the TTP did intervene or not. TTP invisibility Bad publicity! A company could be believed to have cheated whereas in fact it was the network which delayed some messages. Having Alice s signature on the contract may be preferable to the TTP s signature. A TTP producing evidences which are indistinguishable from the ones Alice or Bob would have produced in a faultless scenario is said to be invisible or transparent. air Exchnage Protocols p.12

Verifiable Recoverable Encrypted Signatures A VRES is a cryptographic primitive, which implements a promise of a signature; makes it infeasible for anyone to extract the standard signature except for the TTP; is verifiable, i.e. a verifier will be convinced that the VRES can be converted to a standard signature by the TTP; is recoverable by the TTP, i.e. the TTP can convert the VRES to a standard signature. In a fair exchange protocol use a VRES as a promise to sign the contract (first 2 messages; the VRES can be converted to a standard signature by the TTP in case of a recovery. air Exchnage Protocols p.13

!! + ' ;7 9 7 : 6 6 8 / 3 1 6 / 7 6 ;7 : 6 - / RSA in a nutshell (1 Key generation and Choose two large primes = Compute and gcd, such that Choose ", such that Compute Signature generation for message * ( $( ' Signature verification, $( $( How it works: since 34 21 0 5.5 *,.- - / 7 2 5 <- - by ermat s little thm: 5 - / 3 21 5 air Exchnage Protocols p.14

(, ( = ( RSA in a nutshell (2 Cross-decrytpion property and!, and compute, choose and and "! Given two relative prime RSA modula, such that "!! Given min : Encryption: the encryption of ( is: is ecryption: the decryption of *?@ = or *?> = How it works: * >, $( * >, ( air Exchnage Protocols p.15

B A C C, N K ML O A VRES based on RSA signatures Nenadić, Zhang, Barton 2004 Key generation (registration at the TTP generates an RSA modulus E and the correpsonding keys! E generates a second RSA modulus (relatively prime with correpsonding keys which she shares with TTP! and the VRES generation Choose a random prime G G H *J $( G I 3 2RQ P J S *J H G I air Exchnage Protocols p.16

+ S + H A VRES based on RSA signatures (2 VRES verification, *J $( G I, ( H, *TJ H G, I H H VRES recovery S *J G $( ' * J ( I U G Note: there exist more efficient VRES scheme which do not require to share a key with the TTP. air Exchnage Protocols p.17

V An advantage to one party Imagine Alice starts a protocol to sell stock options to Bob. Alice starts the protocol with Bob and then shows Bob s offer to Charlie. Alice can convince Charlie that Bob started the protocol with a given offer; Alice can choose the outcome of the protocol. Influence Charlie to make a better offer. act: any protocol with an optimistic signer, the other signer can at some point choose the outcome of the protocol. [Chadha et al, 2003] The best we can hope is to avoid provable advantage. Abuse-freeness A protocol is said to be abuse-free if it is impossible for any participant to prove to an outsider that he has the power to decide the outcome of the protocol. air Exchnage Protocols p.18

B A W Private contract signatures Garay, Jakobsson, MacKenzie 1999 To achieve abuse-freeness use PCS instead of VRES. A PCS is a cryptographic primitive, which is recoverable by a TTP designated verifier: only a given designated verifier, Bob, is convinced that Alice is the signer. The designated verifier property is implemented by giving Bob the possibility to simulate or fake the PCS. Charlie will not be convinced that Alice really started the protocol, as Bob could show a simulation of Alice s message. air Exchnage Protocols p.19

Conclusion Crucial protocols to enable secure electronic commerce Currently still at an academic stage... Complex structure (in comparison to authentication protocols Some properties need non-standard cryptographic primitives Still a lot of ongoing research... or a survey and pointers: [KMZ02] Steve Kremer, Olivier Markowitch, and Jianying Zhou. An intensive survey of non-repudiation protocols. Computer Communications, 25(17:1606 1621, November 2002. [PVG03] Henning Pagnia, Holger Vogt, and elix C. Gärtner. air exchange. The Computer Journal, 8(2:55 75, January 2003. air Exchnage Protocols p.20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback