WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited - Inria - Institut national de recherche en sciences et technologies du numérique Accéder directement au contenu
Communication Dans Un Congrès Année : 2019

WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited

Résumé

While fair exchange of goods is known to be impossible without assuming a trusted party, smart contracts in cryptocurrencies forgo such parties by assuming trust in the currency system. They allow a seller to sell a digital good, which the buyer will obtain if and only if she pays. Zero-knowledge contingent payments(zkCP) show that, despite the limited expressiveness of its scripting language,this is even possible in Bitcoin by using zero-knowledge proofs. At CCS’17, Campanelli, Gennaro, Goldfeder and Nizzardo showed that the zkCP protocol was flawed, in that the buyer could obtain information about the good without paying. They proposed counter-measures to repair zkCP and moreover observed that zkCP cannot be used when a service is sold. They introduce the notion of ZK contingent payments for services and give an instantiation based on a witness-indistinguishable (WI) proof system. We show that the main countermeasures they proposed are not sufficient and present an attack against their fixed zkCP scheme. We also show that their realization of zkCP for services is insecure,as the buyer could learn the desired information (i.e., whether the service was provided) without paying; in particular, we show that WI of the used proof system is not enough
Fichier non déposé

Dates et versions

hal-02396308 , version 1 (05-12-2019)

Identifiants

Citer

Georg Fuchsbauer. WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited. ACM CCS 2019 - 26th ACM Conference on Computer and Communications Security, Nov 2019, London, United Kingdom. pp.49-62, ⟨10.1145/3319535.3354234⟩. ⟨hal-02396308⟩
394 Consultations
0 Téléchargements

Altmetric

Partager

Gmail Facebook X LinkedIn More