Zero-Knowledge Contingent Payments Revisited: attacks and payments for services

Campanelli, Matteo and Gennaro, Rosario and Goldfeder, Steven and Nizzardo, Luca (2017). Zero-Knowledge Contingent Payments Revisited: attacks and payments for services. In: "Conference on Computer and Communications Security, CCS'17", 30 Oct-03 Nov 2017, Dallas, United States. ISBN 978-1-4503-4946-8. pp. 229-243. https://doi.org/10.1145/3133956.3134060.

Description

Title: Zero-Knowledge Contingent Payments Revisited: attacks and payments for services
Author/s:
  • Campanelli, Matteo
  • Gennaro, Rosario
  • Goldfeder, Steven
  • Nizzardo, Luca
Item Type: Presentation at Congress or Conference (Article)
Event Title: Conference on Computer and Communications Security, CCS'17
Event Dates: 30 Oct-03 Nov 2017
Event Location: Dallas, United States
Title of Book: CCS'17: proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
Date: 2017
ISBN: 978-1-4503-4946-8
Volume: 1
Subjects:
Faculty: E.T.S. de Ingenieros Informáticos (UPM)
Department: Other
Creative Commons Licenses: Recognition - No derivative works - Non commercial

Abstract

Zero Knowledge Contingent Payment (ZKCP) protocols allow fair exchange of sold goods and payments over the Bitcoin network. In this paper we point out two main shortcomings of current proposals for ZKCP. First we show an attack that allows a buyer to learn partial information about the digital good being sold, without paying for it. This break in the zero-knowledge condition of ZKCP is due to the fact that in the protocols we attack, the buyer is allowed to choose common parameters that normally should be selected by a trusted third party. We present ways to fix this attack that do not require a trusted third party. Second, we show that ZKCP are not suited for the purchase of digital services rather than goods. Current constructions of ZKCP do not allow a seller to receive payments after proving that a certain service has been rendered, but only for the sale of a specific digital good. We define the notion of Zero-Knowledge Contingent Service Payment (ZKCSP) protocols and construct two new protocols, for either public or private verification. We implemented and tested the attack on ZKCP, and our two new ZKCSP protocols, showing their feasibility for very realistic examples. We present code that learns, without paying, the value of a Sudoku cell in the "Pay-to-Sudoku" ZKCP implementation [17]. We also implement ZKCSP protocols for the case of Proof of Retrievability, where a client pays the server for providing a proof that the client's data is correctly stored by the server. A side product of our implementation effort is a new optimized circuit for SHA256 with less than a quarter of the number of AND gates of the best previously publicly available one. Our new SHA256 circuit may be of independent use for circuit-based MPC and FHE protocols that require SHA256 circuits.

More information

Item ID: 49540
DC Identifier: http://oa.upm.es/49540/
OAI Identifier: oai:oa.upm.es:49540
DOI: 10.1145/3133956.3134060
Official URL: https://dl.acm.org/citation.cfm?id=3134060
Deposited by: Memoria Investigacion
Deposited on: 16 Mar 2018 10:05
Last Modified: 16 Mar 2018 10:05