Usable optimistic fair exchange

Fairly exchanging digital content is an everyday problem. It has been shown that fair exchange cannot be achieved without a trusted third party (called the Arbiter). Yet, even with a trusted party, it is still non-trivial to come up with an efficient solution, especially one that can be used in a p2p file sharing system with a high volume of data exchanged. We provide an efficient optimistic fair exchange mechanism for bartering digital files, where receiving a payment in return for a file (buying) is also considered fair. The exchange is optimistic, removing the need for the Arbiter's involvement unless a dispute occurs. While the previous solutions employ costly cryptographic primitives for every file or block exchanged, our protocol employs them only once per peer, therefore achieving an O(n) efficiency improvement when n blocks are exchanged between two peers. Our protocol uses very efficient cryptography, making it perfectly suitable for a p-2-p file sharing system where tens of peers exchange thousands of blocks and they do not know beforehand which ones they will end up exchanging. Therefore, our system yields up to one-to-two orders of magnitude improvement in terms of both computation and communication (40s vs. 42min, 1.6MB vs. 200MB). Thus, for the first time, a provably secure (and privacy-respecting when payments are made using e-cash) fair exchange protocol can be used in real bartering applications (e.g., BitTorrent) [14] without sacrificing performance.

[1]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[2]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[3]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[4]  Silvio Micali,et al.  Simple and fast optimistic protocols for fair electronic exchange , 2003, PODC '03.

[5]  Yevgeniy Dodis,et al.  Optimistic Fair Exchange in a Multi-user Setting , 2007, J. Univers. Comput. Sci..

[6]  John C. Mitchell,et al.  Compositional analysis of contract-signing protocols , 2006, Theor. Comput. Sci..

[7]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[8]  Alptekin Küpçü,et al.  Incentivizing outsourced computation , 2008, NetEcon '08.

[9]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, EUROCRYPT.

[10]  Silvio Micali,et al.  A fair protocol for signing contracts , 1990, IEEE Trans. Inf. Theory.

[11]  David Chaum,et al.  Efficient Offline Electronic Checks (Extended Abstract) , 1989, EUROCRYPT.

[12]  Yehuda Lindell,et al.  Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series) , 2007 .

[13]  Giuseppe Ateniese,et al.  Efficient verifiable encryption (and fair exchange) of digital signatures , 1999, CCS '99.

[14]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[15]  Jan Camenisch,et al.  Endorsed E-Cash , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[16]  Ivan Damgård,et al.  Verifiable Encryption, Group Encryption, and Their Applications to Separable Group Signatures and Signature Sharing Schemes , 2000, ASIACRYPT.

[17]  Andrew Y. Lindell Legally-Enforceable Fairness in Secure Two-Party Computation , 2008, CT-RSA.

[18]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[19]  Kevin Barraclough,et al.  I and i , 2001, BMJ : British Medical Journal.

[20]  N. Asokan,et al.  Optimistic fair exchange of digital signatures , 1998, IEEE Journal on Selected Areas in Communications.

[21]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[22]  Jacques Stern,et al.  RSA-OAEP Is Secure under the RSA Assumption , 2001, Journal of Cryptology.

[23]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[24]  Vitaly Shmatikov,et al.  Finite-state analysis of two contract signing protocols , 2002, Theor. Comput. Sci..

[25]  Philippe A. Janson,et al.  The State of the Art in Electronic Payment Systems , 1997, Computer.

[26]  Alexandru Iosup,et al.  Correlating Topology and Path Characteristics of Overlay Networks and the Internet , 2006, Sixth IEEE International Symposium on Cluster Computing and the Grid (CCGRID'06).

[27]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[28]  Serge Vaudenay,et al.  Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing , 2004, ACISP.

[29]  Jan Camenisch,et al.  Compact E-Cash , 2005, EUROCRYPT.

[30]  G. R. BLAKLEY Safeguarding cryptographic keys , 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[31]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[32]  Alptekin Küpçü,et al.  Making p2p accountable without losing privacy , 2007, WPES '07.

[33]  Markus Jakobsson,et al.  Abuse-Free Optimistic Contract Signing , 1999, CRYPTO.

[34]  N. Asokan,et al.  Optimistic protocols for fair exchange , 1997, CCS '97.

[35]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[36]  B. Cohen,et al.  Incentives Build Robustness in Bit-Torrent , 2003 .

[37]  Moni Naor,et al.  Timed Commitments , 2000, CRYPTO.

[38]  Henning Pagnia,et al.  On the Impossibility of Fair Exchange without a Trusted Third Party , 1999 .

[39]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[40]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[41]  Olivier Markowitch,et al.  Optimistic Fair Exchange with Transparent Signature Recovery , 2002, Financial Cryptography.

[42]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[43]  N. Asokan,et al.  Asynchronous protocols for optimistic fair exchange , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).