STOC '87 Proceedings of the nineteenth annual ACM symposium on Theory of computing
Completeness theorems for non-cryptographic fault-tolerant distributed computation
STOC '88 Proceedings of the twentieth annual ACM symposium on Theory of computing
Fast asynchronous Byzantine agreement with optimal resilience
STOC '93 Proceedings of the twenty-fifth annual ACM symposium on Theory of computing
Asynchronous secure computation
STOC '93 Proceedings of the twenty-fifth annual ACM symposium on Theory of computing
Optimistic protocols for fair exchange
Proceedings of the 4th ACM conference on Computer and communications security
Efficient verifiable encryption (and fair exchange) of digital signatures
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Simple and fast optimistic protocols for fair electronic exchange
Proceedings of the twenty-second annual symposium on Principles of distributed computing
Fault-scalable Byzantine fault-tolerant services
Proceedings of the twentieth ACM symposium on Operating systems principles
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Making p2p accountable without losing privacy
Proceedings of the 2007 ACM workshop on Privacy in electronic society
Optimistic fair exchange in a multi-user setting
PKC'07 Proceedings of the 10th international conference on Practice and theory in public-key cryptography
Usable optimistic fair exchange
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Optimistic fair exchange of digital signatures
IEEE Journal on Selected Areas in Communications
How to fix two RSA-based PVSS schemes: exploration and solution
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Distributing trusted third parties
ACM SIGACT News
Hi-index | 0.00 |
Fair exchange is one of the most fundamental problems in secure distributed computation. Alice has something that Bob wants, and Bob has something that Alice wants. A fair exchange protocol would guarantee that, even if one of them maliciously deviates from the protocol, either both of them get the desired content, or neither of them do. It is known that no two-party protocol can guarantee fairness in general; therefore the presence of a trusted arbiter is necessary. In optimistic fair exchange, the arbiter only gets involved in case of faults, but needs to be trusted. To reduce the trust put in the arbiter, it is natural to consider employing multiple arbiters. Expensive techniques like byzantine agreement or secure multi-party computation with Ω(n2) communication can be applied to distribute arbiters in a nonautonomous way. Yet we are interested in efficient protocols that can be achieved by keeping the arbiters autonomous (non-communicating), especially for p2p settings in which the arbiters do not even know each other. Avoine and Vaudenay [6] employ multiple autonomous arbiters in their optimistic fair exchange protocol which uses global timeout mechanisms; all arbiters have access to -loosely- synchronized clocks. They left two open questions regarding the use of distributed autonomous arbiters: (1) Can an optimistic fair exchange protocol without timeouts provide fairness (since it is hard to achieve synchronization in a p2p setting) when employing multiple autonomous arbiters? (2) Can any other optimistic fair exchange protocol with timeouts achieve better bounds on the number of honest arbiters required? In this paper, we answer both questions negatively. To answer these questions, we define a general class of optimistic fair exchange protocols with multiple arbiters, called "distributed arbiter fair exchange" (DAFE) protocols. Informally, in a DAFE protocol, if a participant fails to send a correctly formed message, the other party must contact some subset of the arbiters and get correctly formed responses from them. The arbiters do not communicate with each other, but only to Alice and Bob.We prove that no DAFE protocol can meaningfully exist.