Zero-Knowledge Contingent Payments Revisited: attacks and payments for services

Campanelli, Matteo; Gennaro, Rosario; Goldfeder, Steven y Nizzardo, Luca (2017). Zero-Knowledge Contingent Payments Revisited: attacks and payments for services. En: "Conference on Computer and Communications Security, CCS'17", 30 Oct-03 Nov 2017, Dallas, Estados Unidos. ISBN 978-1-4503-4946-8. pp. 229-243.


Título: Zero-Knowledge Contingent Payments Revisited: attacks and payments for services
  • Campanelli, Matteo
  • Gennaro, Rosario
  • Goldfeder, Steven
  • Nizzardo, Luca
Tipo de Documento: Ponencia en Congreso o Jornada (Artículo)
Título del Evento: Conference on Computer and Communications Security, CCS'17
Fechas del Evento: 30 Oct-03 Nov 2017
Lugar del Evento: Dallas, Estados Unidos
Título del Libro: CCS'17: proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Fecha: 2017
ISBN: 978-1-4503-4946-8
Volumen: 1
Escuela: E.T.S. de Ingenieros Informáticos (UPM)
Departamento: Otro
Licencias Creative Commons: Reconocimiento - Sin obra derivada - No comercial

Texto completo

Vista Previa
PDF (Document Portable Format) - Se necesita un visor de ficheros PDF, como GSview, Xpdf o Adobe Acrobat Reader
Descargar (436kB) | Vista Previa


Zero Knowledge Contingent Payment (ZKCP) protocols allow fair exchange of sold goods and payments over the Bitcoin network. In this paper we point out two main shortcomings of current proposals for ZKCP. First we show an attack that allows a buyer to learn partial information about the digital good being sold, without paying for it. This break in the zero-knowledge condition of ZKCP is due to the fact that in the protocols we attack, the buyer is allowed to choose common parameters that normally should be selected by a trusted third party. We present ways to fix this attack that do not require a trusted third party. Second, we show that ZKCP are not suited for the purchase of digital services rather than goods. Current constructions of ZKCP do not allow a seller to receive payments after proving that a certain service has been rendered, but only for the sale of a specific digital good. We define the notion of Zero-Knowledge Contingent Service Payment (ZKCSP) protocols and construct two new protocols, for either public or private verification. We implemented and tested the attack on ZKCP, and our two new ZKCSP protocols, showing their feasibility for very realistic examples. We present code that learns, without paying, the value of a Sudoku cell in the "Pay-to-Sudoku" ZKCP implementation [17]. We also implement ZKCSP protocols for the case of Proof of Retrievability, where a client pays the server for providing a proof that the client's data is correctly stored by the server. A side product of our implementation effort is a new optimized circuit for SHA256 with less than a quarter than the number of AND gates of the best previously publicly available one. Our new SHA256 circuit may be of independent use for circuit-based MPC and FHE protocols that require SHA256 circuits.

Más información

ID de Registro: 49540
Identificador DC:
Identificador OAI:
Identificador DOI: 10.1145/3133956.3134060
URL Oficial:
Depositado por: Memoria Investigacion
Depositado el: 16 Mar 2018 10:05
Ultima Modificación: 16 Mar 2018 10:05
  • InvestigaM
  • GEO_UP4
  • Open Access
  • Open Access
  • Sherpa-Romeo
    Compruebe si la revista anglosajona en la que ha publicado un artículo permite también su publicación en abierto.
  • Dulcinea
    Compruebe si la revista española en la que ha publicado un artículo permite también su publicación en abierto.
  • Recolecta
  • Observatorio I+D+i UPM
  • OpenCourseWare UPM