Atomic multi-party commitments

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
4
down vote

favorite












Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).



Now Alice and Bob are looking for a protocol that allows them to:



  1. Make sure the other party's signature is valid (in a malicious adversary model)


  2. Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)


  3. Not rely on a trusted dealer


Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?



Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.







share|improve this question






















  • What's your adversary model: are parties malicious or honest-but-curious?
    – Dragos
    Aug 8 at 14:43














up vote
4
down vote

favorite












Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).



Now Alice and Bob are looking for a protocol that allows them to:



  1. Make sure the other party's signature is valid (in a malicious adversary model)


  2. Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)


  3. Not rely on a trusted dealer


Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?



Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.







share|improve this question






















  • What's your adversary model: are parties malicious or honest-but-curious?
    – Dragos
    Aug 8 at 14:43












up vote
4
down vote

favorite









up vote
4
down vote

favorite











Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).



Now Alice and Bob are looking for a protocol that allows them to:



  1. Make sure the other party's signature is valid (in a malicious adversary model)


  2. Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)


  3. Not rely on a trusted dealer


Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?



Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.







share|improve this question














Alice and Bob publicly choose the messages $M_A$ and $M_B$ and independently sign them (Alice privately signs $M_A$, Bob signs $M_B$).



Now Alice and Bob are looking for a protocol that allows them to:



  1. Make sure the other party's signature is valid (in a malicious adversary model)


  2. Only reveal their own signature if they're guaranteed by the protocol to learn the other party's signature as well (atomic reveal)


  3. Not rely on a trusted dealer


Is there such a protocol possible to construct? Can it be extended to N parties instead of 2? Can it work with an ECDSA signature scheme?



Edit: After researching the topic more and thanks to the answers below, I found out this is commonly known as a (strong) fair-exchange protocol and it's impossible in the two-party setup without a trusted third party. However, optimistic fair exchange protocols are possible and they only rely on a trusted party if one of the participants attempts to cheat.









share|improve this question













share|improve this question




share|improve this question








edited Aug 9 at 6:55

























asked Aug 8 at 11:49









Lucian Boca

1926




1926











  • What's your adversary model: are parties malicious or honest-but-curious?
    – Dragos
    Aug 8 at 14:43
















  • What's your adversary model: are parties malicious or honest-but-curious?
    – Dragos
    Aug 8 at 14:43















What's your adversary model: are parties malicious or honest-but-curious?
– Dragos
Aug 8 at 14:43




What's your adversary model: are parties malicious or honest-but-curious?
– Dragos
Aug 8 at 14:43










2 Answers
2






active

oldest

votes

















up vote
3
down vote



accepted










I believe this impossible. (Edit: Major edit below)



Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.



We will show if it is possible with n messages then it must be possible with n-1.



If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
.
At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.



Via induction it is possible with 0 messages which is obviously impossible.



Edit: My above answer is technically correct. Which is the worst kind of lie.
As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.



So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.



The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:



Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.






share|improve this answer






















  • Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
    – Lucian Boca
    Aug 8 at 16:11






  • 1




    I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
    – Dragos
    Aug 8 at 16:18











  • The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
    – Meir Maor
    Aug 8 at 17:05

















up vote
4
down vote













This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.






share|improve this answer




















    Your Answer




    StackExchange.ifUsing("editor", function ()
    return StackExchange.using("mathjaxEditing", function ()
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    );
    );
    , "mathjax-editing");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f61386%2fatomic-multi-party-commitments%23new-answer', 'question_page');

    );

    Post as a guest






























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    3
    down vote



    accepted










    I believe this impossible. (Edit: Major edit below)



    Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.



    We will show if it is possible with n messages then it must be possible with n-1.



    If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
    .
    At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.



    Via induction it is possible with 0 messages which is obviously impossible.



    Edit: My above answer is technically correct. Which is the worst kind of lie.
    As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.



    So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.



    The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:



    Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.






    share|improve this answer






















    • Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
      – Lucian Boca
      Aug 8 at 16:11






    • 1




      I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
      – Dragos
      Aug 8 at 16:18











    • The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
      – Meir Maor
      Aug 8 at 17:05














    up vote
    3
    down vote



    accepted










    I believe this impossible. (Edit: Major edit below)



    Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.



    We will show if it is possible with n messages then it must be possible with n-1.



    If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
    .
    At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.



    Via induction it is possible with 0 messages which is obviously impossible.



    Edit: My above answer is technically correct. Which is the worst kind of lie.
    As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.



    So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.



    The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:



    Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.






    share|improve this answer






















    • Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
      – Lucian Boca
      Aug 8 at 16:11






    • 1




      I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
      – Dragos
      Aug 8 at 16:18











    • The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
      – Meir Maor
      Aug 8 at 17:05












    up vote
    3
    down vote



    accepted







    up vote
    3
    down vote



    accepted






    I believe this impossible. (Edit: Major edit below)



    Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.



    We will show if it is possible with n messages then it must be possible with n-1.



    If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
    .
    At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.



    Via induction it is possible with 0 messages which is obviously impossible.



    Edit: My above answer is technically correct. Which is the worst kind of lie.
    As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.



    So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.



    The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:



    Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.






    share|improve this answer














    I believe this impossible. (Edit: Major edit below)



    Let's assume this is implemented by Alice and Bob sending messages to each other, how many messages would it take.



    We will show if it is possible with n messages then it must be possible with n-1.



    If it is possible with n messages, without loss of generality let the last message be from Alice to Bob
    .
    At this point Alice no longer receives any information so she must have already everything she needs to reveal, she may therefor choose not to send the last message. If Bob is still able to reveal as well then it is possible to solve with n-1 messages.



    Via induction it is possible with 0 messages which is obviously impossible.



    Edit: My above answer is technically correct. Which is the worst kind of lie.
    As Dragos and Alpha Baravo point out, there is a lot of literature on fair exchange protocols.



    So How do we work around the impossibility? Several options but the one which I believe matches most closely the question is to be more flexible with what it means to have everything needed to reveal.



    The proof assumes you either can or can not reveal while in reality once you have a commitment you can reveal the underlying with enough computation. If we put a hard threshold on computational ability the above proof stands.If we make a weaker requirement, if Alice can reveal with some amount of work Bob can reveal without much more work the problem becomes solvable:



    Each side has a random key protecting what is to be revealed, each side supplies a Zero Knowledge proof of having such a key. The keys are gradually revealed, each time with ZK proof the prefix is correct. If the proof doesn't pan out in one iteration the first diverging party has only a limited advantage in brute forcing the remaining key.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Aug 8 at 17:46

























    answered Aug 8 at 15:58









    Meir Maor

    4,3921625




    4,3921625











    • Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
      – Lucian Boca
      Aug 8 at 16:11






    • 1




      I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
      – Dragos
      Aug 8 at 16:18











    • The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
      – Meir Maor
      Aug 8 at 17:05
















    • Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
      – Lucian Boca
      Aug 8 at 16:11






    • 1




      I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
      – Dragos
      Aug 8 at 16:18











    • The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
      – Meir Maor
      Aug 8 at 17:05















    Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
    – Lucian Boca
    Aug 8 at 16:11




    Spot on! This proves the impossibility of a larger definition of the problem, when Alice and Bob would attempt to atomically reveal a secret to each other.
    – Lucian Boca
    Aug 8 at 16:11




    1




    1




    I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
    – Dragos
    Aug 8 at 16:18





    I think the answer is incorrect for n parties, partly because it contradicts a result saying that fairness (which is what the OP is looking for) can be achieved if we assume an honest majority of parties - see the debate on fairness and output delivery here: eprint.iacr.org/2014/668
    – Dragos
    Aug 8 at 16:18













    The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
    – Meir Maor
    Aug 8 at 17:05




    The proof above holds, There are many fair exchange protocols, each with their own compromise to work around the above impossibility, some might be reasonable. For example if we gradually reduce the work required to reveal with iterated exchanges.
    – Meir Maor
    Aug 8 at 17:05










    up vote
    4
    down vote













    This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.






    share|improve this answer
























      up vote
      4
      down vote













      This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.






      share|improve this answer






















        up vote
        4
        down vote










        up vote
        4
        down vote









        This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.






        share|improve this answer












        This can be achieved using fair exchange protocols, which seek to ensure that either Alice and Bob both get what they want or neither of them does.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Aug 8 at 16:58









        Alpha Bravo

        666




        666



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f61386%2fatomic-multi-party-commitments%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?