Atomic multi-party commitments
Clash Royale CLAN TAG#URR8PPP
up vote
4
down vote
favorite
Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).
Now Alice and Bob are looking for a protocol that allows them to:
Make sure the other party's signature is valid (in a malicious adversary model)
Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)
Not rely on a trusted dealer
Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?
Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.
signature dsa multiparty-computation
add a comment |Â
up vote
4
down vote
favorite
Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).
Now Alice and Bob are looking for a protocol that allows them to:
Make sure the other party's signature is valid (in a malicious adversary model)
Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)
Not rely on a trusted dealer
Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?
Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.
signature dsa multiparty-computation
What's your adversary model: are parties malicious or honest-but-curious?
â Dragos
Aug 8 at 14:43
add a comment |Â
up vote
4
down vote
favorite
up vote
4
down vote
favorite
Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).
Now Alice and Bob are looking for a protocol that allows them to:
Make sure the other party's signature is valid (in a malicious adversary model)
Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)
Not rely on a trusted dealer
Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?
Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.
signature dsa multiparty-computation
Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).
Now Alice and Bob are looking for a protocol that allows them to:
Make sure the other party's signature is valid (in a malicious adversary model)
Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)
Not rely on a trusted dealer
Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?
Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.
signature dsa multiparty-computation
edited Aug 9 at 6:55
asked Aug 8 at 11:49
Lucian Boca
1926
1926
What's your adversary model: are parties malicious or honest-but-curious?
â Dragos
Aug 8 at 14:43
add a comment |Â
What's your adversary model: are parties malicious or honest-but-curious?
â Dragos
Aug 8 at 14:43
What's your adversary model: are parties malicious or honest-but-curious?
â Dragos
Aug 8 at 14:43
What's your adversary model: are parties malicious or honest-but-curious?
â Dragos
Aug 8 at 14:43
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
3
down vote
accepted
I believe this impossible. (Edit: Major edit below)
Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.
We will show if it is possible with n messages then it must be possible with n-1.
If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
.
At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.
Via induction it is possible with 0 messages which is obviously impossible.
Edit: My above answer is technically correct. Which is the worst kind of lie.
As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.
So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.
The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:
Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
1
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
add a comment |Â
up vote
4
down vote
This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
accepted
I believe this impossible. (Edit: Major edit below)
Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.
We will show if it is possible with n messages then it must be possible with n-1.
If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
.
At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.
Via induction it is possible with 0 messages which is obviously impossible.
Edit: My above answer is technically correct. Which is the worst kind of lie.
As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.
So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.
The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:
Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
1
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
add a comment |Â
up vote
3
down vote
accepted
I believe this impossible. (Edit: Major edit below)
Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.
We will show if it is possible with n messages then it must be possible with n-1.
If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
.
At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.
Via induction it is possible with 0 messages which is obviously impossible.
Edit: My above answer is technically correct. Which is the worst kind of lie.
As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.
So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.
The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:
Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
1
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
add a comment |Â
up vote
3
down vote
accepted
up vote
3
down vote
accepted
I believe this impossible. (Edit: Major edit below)
Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.
We will show if it is possible with n messages then it must be possible with n-1.
If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
.
At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.
Via induction it is possible with 0 messages which is obviously impossible.
Edit: My above answer is technically correct. Which is the worst kind of lie.
As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.
So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.
The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:
Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.
I believe this impossible. (Edit: Major edit below)
Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.
We will show if it is possible with n messages then it must be possible with n-1.
If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
.
At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.
Via induction it is possible with 0 messages which is obviously impossible.
Edit: My above answer is technically correct. Which is the worst kind of lie.
As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.
So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.
The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:
Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.
edited Aug 8 at 17:46
answered Aug 8 at 15:58
Meir Maor
4,3021625
4,3021625
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
1
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
add a comment |Â
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
1
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
â Lucian Boca
Aug 8 at 16:11
1
1
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
â Dragos
Aug 8 at 16:18
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
â Meir Maor
Aug 8 at 17:05
add a comment |Â
up vote
4
down vote
This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.
add a comment |Â
up vote
4
down vote
This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.
add a comment |Â
up vote
4
down vote
up vote
4
down vote
This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.
This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.
answered Aug 8 at 16:58
Alpha Bravo
516
516
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f61386%2fatomic-multi-party-commitments%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
What's your adversary model: are parties malicious or honest-but-curious?
â Dragos
Aug 8 at 14:43