3,715 research outputs found

    Optimistic Fair Exchange based on Publicly Verifiable Secret Sharing

    In this paper we propose an optimistic two-party fair exchange protocol which does not rely on a centralized trusted third party. Instead, the fairness of the protocol relies on the honesty of part of the neighbor participants. This new concept, which is based on a generic verifiable secret sharing scheme, is particularly relevant in networks where centralized authority can neither be used on-line nor off-line.

    FairDrop: a Confidential Fair Exchange Protocol for Media Workers

    In recent years, the asymmetry between open societies and regimes that control their media has increased, leading to the number of murdered journalists more than doubling worldwide. Even in countries in which freedom of the press is publicly recognized, the number of journalists jailed, assaulted, or criminally charged is relevant and growing. These attacks on media workers usually want to limit or control information regarding critical topics. In this context, the necessity of a system that allows reporters to publish their works without risking their own life is evident. Some systems to share information with newspapers while keeping the source anonymous exist. An example is SecureDrop, developed and maintained by the Freedom of the Press Foundation, and widely adopted by all major international newspapers. What limits them from extensively using this type of system is the lack of credibility in the information exchanged, which represents the main problem for the publisher's reputation. In this thesis, we present FairDrop, a system that allows the exchange of information between two untrusted parties and proposes a tradeoff between the anonymity of the source and the credibility of the information exchanged. We present a fair exchange protocol based on blockchain that allows sharing of a digital good fairly and confidentially. We also define the guidelines for a system based on ring signatures to measure the credibility of the exchanged information. All our design decisions are made taking into account the requirements of a journalist-newspaper communication, and the guidelines for anonymous sources applied by major newspapers around the world. 
We test the system in a real-world blockchain testnet, considering multi-seller and buyer situations, and introducing economic incentives for sources to use the system.

    Fair private set intersection with a semi-trusted arbiter

    A private set intersection (PSI) protocol allows two parties to compute the intersection of their input sets privately. Most of the previous PSI protocols only output the result to one party and the other party gets nothing from running the protocols. However, a mutual PSI protocol in which both parties can get the output is highly desirable in many applications. A major obstacle in designing a mutual PSI protocol is how to ensure fairness. In this paper we present the first fair mutual PSI protocol which is efficient and secure. Fairness of the protocol is obtained in an optimistic fashion, i.e. by using an offline third party arbiter. In contrast to many optimistic protocols which require a fully trusted arbiter, in our protocol the arbiter is only required to be semi-trusted, in the sense that we consider it to be a potential threat to both parties' privacy but believe it will follow the protocol. The arbiter can resolve disputes without knowing any private information belonging to the two parties. This feature is appealing for a PSI protocol in which privacy may be of ultimate importance.

    Efficient Verifiable Escrow and Fair Exchange with Trusted Hardware

    At the heart of many fair exchange problems is verifiable escrow: a sender encrypts some value using the public key of a trusted party (called the recovery agent), and then must convince the receiver of the ciphertext that the corresponding plaintext satisfies some property (e.g., it contains the sender's signature on a contract). Previous solutions to this problem are interactive, and often rely on communication-intensive cut-and-choose zero-knowledge proofs. In this paper, we provide a solution that uses generic trusted hardware to create an efficient, non-interactive verifiable escrow scheme. Our solution allows the protocol to use a set of recovery agents with a threshold access structure, the verifiable group escrow notion which was informally introduced by Camenisch and Damgard and which is formalized here. Finally, this paper shows how this new non-interactive verifiable escrow scheme can be used to create an efficient optimistic protocol for fair exchange of signatures.

    Recurring Contingent Service Payment

    Fair exchange protocols let two mutually distrustful parties exchange digital data in a way that neither party can cheat. They have various applications such as the exchange of digital items, or the exchange of digital coins and digital services between a buyer and seller. At CCS 2017, two blockchain-based protocols were proposed to support the fair exchange of digital coins and a certain service; namely, "proofs of retrievability" (PoR). In this work, we identify two notable issues of these protocols, (1) waste of the seller's resources, and (2) real-time information leakage. To rectify these issues, we formally define and propose a blockchain-based generic construction called "recurring contingent service payment" (RC-S-P). RC-S-P lets a fair exchange of digital coins and verifiable service occur periodically while ensuring that the buyer cannot waste the seller's resources, and the parties' privacy is preserved. It supports arbitrary verifiable services, such as PoR, or verifiable computation and imposes low on-chain overheads. Also, we present a concrete efficient instantiation of RC-S-P when the verifiable service is PoR. The instantiation is called "recurring contingent PoR payment" (RC-PoR-P). We have implemented RC-PoR-P and analysed its cost. When it deals with a 4-GB outsourced file, a verifier can check a proof in 90 milliseconds, and a dispute between prover and verifier is resolved in 0.1 milliseconds

    Recurring Contingent Service Payment

    Fair exchange protocols let two mutually distrustful parties exchange digital data in a way that neither party can cheat. They have various applications such as the exchange of digital items, or the exchange of digital coins and digital services between a buyer/client and seller/server. In this work, we formally define and propose a generic blockchain-based construction called "Recurring Contingent Service Payment" (RC-S-P). It (i) lets a fair exchange of digital coins and verifiable service reoccur securely between clients and a server while ensuring that the server is paid if and only if it delivers a valid service, and (ii) ensures the parties' privacy is preserved. RC-S-P supports arbitrary verifiable services, such as "Proofs of Retrievability" (PoR) or verifiable computation and imposes low on-chain overheads. Our formal treatment and construction, for the first time, consider the setting where either client or server is malicious. We also present a concrete efficient instantiation of RC-S-P when the verifiable service is PoR. We implemented the concrete instantiation and analysed its cost. When it deals with a 4-GB outsourced file, a verifier can check a proof in only 90 milliseconds, and a dispute between a prover and verifier is resolved in 0.1 milliseconds. At CCS 2017, two blockchain-based protocols were proposed to support the fair exchange of digital coins and a certain verifiable service; namely, PoR. In this work, we show that these protocols (i) are susceptible to a free-riding attack which enables a client to receive the service without paying the server, and (ii) are not suitable for cases where parties' privacy matters, e.g., when the server's proof status or buyer's file size must remain private from the public. RC-S-P simultaneously mitigates the above attack and preserves the parties' privacy.