5,098 research outputs found
Fair exchange in e-commerce and certified e-mail, new scenarios and protocols
We are witnessing a steady growth in the use of the Internet in the electronic commerce field. This rise is promoting the migration from traditional processes and applications (paper based) to an electronic model. But the security of electronic transactions continues to pose an impediment to its implementation. Traditionally, most business transactions were conducted in person. Signing a contract required the meeting of all interested parties, the postman delivered certified mail in hand, and when paying for goods or services both customer and provider were present. When all parties are physically present, a transaction does not require a complex protocol. The participants acknowledge the presence of the other parties as assurance that they will receive their parts, whether a signature on a contract, or a receipt, etc. But with e-commerce growing in importance as a sales and business channel, all these transactions have moved to their digital counterparts. Therefore we have digital signature of contracts, certified delivery of messages and electronic payment systems. With electronic transactions, physical presence is not required; moreover, most of the time it is even impossible. The participants in a transaction can be thousands of kilometers away from each other, and they may not even be human participants; they can be machines. Thus, the security that the transaction will be executed without incident is not assured per se; we need additional security measures. To address this problem, fair exchange protocols were developed. In a fair exchange every party involved has an item that it wants to exchange, but none of the participants is willing to give his item away unless he has an assurance he will receive the corresponding item from the other participants.
Fair exchange has many applications, like digital signature of contracts, where the items to be exchanged are signatures on contracts, certified delivery of messages, where we exchange a message for evidence of receipt, or a payment process, where we exchange a payment (e-cash, e-check, visa, etc.) for digital goods or a receipt. The objective of this dissertation is the study of the fair exchange problem. In particular, it presents two new scenarios for digital contracting, the Atomic Multi-Two Party (AM2P) and the Agent Mediated Scenario (AMS), and proposes one optimistic contract signing protocol for each one. Moreover, it studies the efficiency of Multi-Party Contract Signing (MPCS) protocols from their architecture point of view, presenting a new lower bound for each architecture, in terms of minimum number of transactions needed. Regarding Certified Electronic Mail (CEM), this dissertation presents two optimistic CEM protocols designed to be deployed on the current e-mail infrastructure, therefore they assume the participation of multiple Mail Transfer Agents (MTAs). In one case, the protocol assumes untrusted MTAs whereas in the other one it assumes each User Agent (UA) trusts his own MTA. Regarding payment systems, this dissertation presents a secure and efficient electronic bearer bank check scheme allowing the electronic checks to be transferred fairly and anonymously.
A second generation of nonrepudiation protocols
A non-repudiation protocol from party S to party R performs two tasks. First, the protocol enables party S to send to party R some text x along with sufficient evidence (that can convince a judge) that x was indeed sent by S. Second, the protocol enables party R to receive text x from S and to send to S sufficient evidence (that can convince a judge) that x was indeed received by R. The first generation of non-repudiation protocols were published in the period 1996-2000. In this dissertation, we design a second generation of non-repudiation protocols that enjoy several interesting properties.
First, we identify in this dissertation a special class of non-repudiation protocols, called two-phase protocols. The two parties, S and R, in each two-phase protocol execute the protocol as specified until one of the two parties receives its needed proof. Then and only then does this party refrain from sending any more messages specified by the protocol because these messages only help the other party complete its proof. We show that the execution of each two-phase protocol is deterministic and does not require synchronized real-time clocks. We also show that each two-phase protocol needs to involve a trusted third party T besides the two original parties, S and R.
Second, we show that if party R in a two-phase protocol has a real-time clock and knows an upper bound on the round trip delay from R to S and back to R, then the two-phase protocol does not need to involve a trusted third party T.
Third, we design a non-repudiation protocol for transferring file F from a sender S to a receiver R over a cloud C. This protocol is designed such that there is no direct communication between parties S and R. Rather all communications between S and R are carried out through cloud C. In this protocol parties S and R do not need to store a local copy of file F and the proofs that are needed by the two parties S and R (the only copy of file F and the proofs is stored in cloud C).
Fourth, we design a new non-repudiation protocol from S to R over C where some of the proofs stored in cloud C get lost. This new protocol has an interesting stabilization property which ensures that when some of the proofs get lost, and one party can get the needed proofs but the other party cannot get its needed proofs from cloud C, then eventually, neither party is able to receive its needed proofs from cloud C.
Fifth, we design a non-repudiation protocol for transferring files from a sender S to a subset of potential receivers {R.1, R.2, ..., R.n} over a cloud C. The protocol guarantees that after each file F is transferred from sender S to a subset of the potential receivers, then (1) each receiver R.i in the subset ends up with a proof that file F was indeed sent by sender S to R.i, and (2) sender S ends up with a proof that file F was indeed received from S by each receiver R.i in the subset.
Computer Science
Contingent payments on a public ledger: models and reductions for automated verification
We study protocols that rely on a public ledger infrastructure, concentrating on protocols for zero-knowledge contingent payment, whose security properties combine diverse notions of fairness and privacy. We argue that rigorous models are required for capturing the ledger semantics, the protocol-ledger interaction, the cryptographic primitives and, ultimately, the security properties one would like to achieve. Our focus is on a particular level of abstraction, where network messages are represented by a term algebra, protocol execution by state transition systems (e.g. multiset rewrite rules) and where the properties of interest can be analyzed with automated verification tools. We propose models for: (1) the rules guiding the ledger execution, taking the coin functionality of public ledgers such as Bitcoin as an example; (2) the security properties expected from ledger-based zero-knowledge contingent payment protocols; (3) two different security protocols that aim at achieving these properties relying on different ledger infrastructures; (4) reductions that allow simpler term algebras for homomorphic cryptographic schemes. Altogether, these models allow us to derive a first automated verification for ledger-based zero-knowledge contingent payment using the Tamarin prover. Furthermore, our models help in clarifying certain underlying assumptions, security and efficiency tradeoffs that should be taken into account when deploying protocols on the blockchain.
Legally Fair Contract Signing Without Keystones
In two-party computation, achieving both fairness and guaranteed output delivery is well known to be impossible. Despite this limitation, many approaches provide solutions of practical interest by weakening somewhat the fairness requirement. Such approaches fall roughly in three categories: "gradual release" schemes assume that the aggrieved party can eventually reconstruct the missing information; "optimistic schemes" assume a trusted third party arbitrator that can restore fairness in case of litigation; and "concurrent" or "legally fair" schemes in which a breach of fairness is compensated by the aggrieved party having a digitally signed cheque from the other party (called the keystone). In this paper we describe and analyse a new contract signing paradigm that doesn't require keystones to achieve legal fairness, and give a concrete construction based on Schnorr signatures which is compatible with standard Schnorr signatures and provably secure.
Secure -dimensional Simultaneous Dense Coding and Applications
Simultaneous dense coding guarantees that Bob and Charlie simultaneously receive their respective information from Alice in their respective processes of dense coding. The idea is to use the so-called locking operation to "lock" the entanglement channels, thus requiring a joint unlocking operation by Bob and Charlie in order to simultaneously obtain the information sent by Alice. We present some new results on simultaneous dense coding: (1) We propose three simultaneous dense coding protocols, which use different -dimensional entanglement (Bell state, W state and GHZ state). (2) Besides the quantum Fourier transform, two new locking operators are introduced (the double controlled-NOT operator and the SWAP operator). (3) In the case that spatially distant Bob and Charlie have to finalise the protocol by implementing the unlocking operation through communication, we improve our protocol's fairness, with respect to Bob and Charlie, by implementing the unlocking operation in series of steps. (4) We improve the security of simultaneous dense coding against the intercept-resend attack. (5) We show that simultaneous dense coding can be used to implement a fair contract signing protocol. (6) We also show that the -dimensional quantum Fourier transform can act as the locking operator in simultaneous teleportation of -level quantum systems.
Comment: 22 pages, comments are welcom
P2DEX: Privacy-Preserving Decentralized Cryptocurrency Exchange
Cryptocurrency exchange services are either trusted central entities that have been routinely hacked (losing over 8 billion USD), or decentralized services that make all orders public before they are settled. The latter allows market participants to "front run" each other, an illegal operation in most jurisdictions. We extend the "Insured MPC" approach of Baum et al. (FC 2020) to construct an efficient universally composable privacy preserving decentralized exchange where a set of servers run private cross-chain exchange order matching in an outsourced manner, while being financially incentivised to behave honestly. Our protocol allows for exchanging assets over multiple public ledgers, given that users have access to a ledger that supports standard public smart contracts. If parties behave honestly, the on-chain complexity of our construction is as low as that of performing the transactions necessary for a centralized exchange. In case malicious behavior is detected, users are automatically refunded by malicious servers at low cost. Thus, an actively corrupted majority can only mount a denial-of-service attack that makes exchanges fail, in which case the servers are publicly identified and punished, while honest clients do not lose their funds. For the first time in this line of research, we report experimental results on the MPC building block, showing the approach is efficient enough to be used in practice.
DT-CP: a double-TTPs based contract-signing protocol with lower computational cost
This paper characterizes a contract signing protocol with high efficiency in the Internet of Things. Recent studies show that existing contract-signing protocols can achieve abuse-freeness and resist inference attack, but cannot meet the high-efficiency and convenience requirement of the future Internet of Things applications. To solve this problem, we propose a novel contract-signing protocol. Our proposed protocol includes two main parts: 1) we use the partial public key of the sender, instead of the zero-knowledge protocol, to verify the intermediate result; 2) we employ two independent Trusted Third Parties (TTPs) to prevent the honest-but-curious TTP. Our analysis shows that our double TTP protocol can not only result in lower computational cost, but also can achieve abuse-freeness with trapdoor commitment scheme. In a word, our proposed scheme performs better than the state of the art in terms of four metrics: encryption time, number of exponentiations, data to be exchanged and exchange steps in one round contract-signing.