WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited - Archive ouverte HAL Access content directly
Conference Papers Year :

WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited

(1, 2)
1
2

Abstract

While fair exchange of goods is known to be impossible without assuming a trusted party, smart contracts in cryptocurrencies forgo such parties by assuming trust in the currency system. They allow a seller to sell a digital good, which the buyer will obtain if and only if she pays. Zero-knowledge contingent payments(zkCP) show that, despite the limited expressiveness of its scripting language,this is even possible in Bitcoin by using zero-knowledge proofs. At CCS’17, Campanelli, Gennaro, Goldfeder and Nizzardo showed that the zkCP protocol was flawed, in that the buyer could obtain information about the good without paying. They proposed counter-measures to repair zkCP and moreover observed that zkCP cannot be used when a service is sold. They introduce the notion of ZK contingent payments for services and give an instantiation based on a witness-indistinguishable (WI) proof system. We show that the main countermeasures they proposed are not sufficient and present an attack against their fixed zkCP scheme. We also show that their realization of zkCP for services is insecure,as the buyer could learn the desired information (i.e., whether the service was provided) without paying; in particular, we show that WI of the used proof system is not enough
Not file

Dates and versions

hal-02396308 , version 1 (05-12-2019)

Identifiers

Cite

Georg Fuchsbauer. WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited. ACM CCS 2019 - 26th ACM Conference on Computer and Communications Security, Nov 2019, London, United Kingdom. pp.49-62, ⟨10.1145/3319535.3354234⟩. ⟨hal-02396308⟩
388 View
0 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More