Paper 2017/566

Zero-Knowledge Contingent Payments Revisited: Attacks and Payments for Services

Matteo Campanelli, Rosario Gennaro, Steven Goldfeder, and Luca Nizzardo

Abstract

Zero Knowledge Contingent Payment (ZKCP) protocols allow fair exchange of sold goods and payments over the Bitcoin network. In this paper we point out two main shortcomings of current proposals for ZKCP. First we show an attack that allows a buyer to learn partial information about the digital good being sold, without paying for it. This break in the zero-knowledge condition of ZKCP is due to the fact that in the protocols we attack, the buyer is allowed to choose common parameters that normally should be selected by a trusted third party. We present ways to fix this attack that do not require a trusted third party. Second, we show that ZKCP are not suited for the purchase of digital services rather than goods. Current constructions of ZKCP do not allow a seller to receive payments after proving that a certain service has been rendered, but only for the sale of a specific digital good. We define the notion of Zero-Knowledge Contingent Service Payment (ZKCSP) protocols and construct two new protocols, for either public or private verification. We implemented and tested the attack on ZKCP, and our two new ZKCSP protocols, showing their feasibility for very realistic examples. We present code that learns, without paying, the value of a Sudoku cell in the "Pay-to-Sudoku" ZKCP implementation [17]. We also implement ZKCSP protocols for the case of Proof of Retrievability, where a client pays the server for providing a proof that the client's data is correctly stored by the server. A side product of our implementation effort is a new optimized circuit for SHA256 with less than a quarter than the number of AND gates of the best previously publicly available one. Our new SHA256 circuit may be of independent use for circuit-based MPC and FHE protocols that require SHA256 circuits.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.ACM CCS 2017
Keywords
fair exchangeBitcoinzero knowledgeSNARKs
Contact author(s)
stevenag @ cs princeton edu
History
2017-11-01: last of 2 revisions
2017-06-14: received
See all versions
Short URL
https://ia.cr/2017/566
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/566,
      author = {Matteo Campanelli and Rosario Gennaro and Steven Goldfeder and Luca Nizzardo},
      title = {Zero-Knowledge Contingent Payments Revisited: Attacks and Payments for Services},
      howpublished = {Cryptology ePrint Archive, Paper 2017/566},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/566}},
      url = {https://eprint.iacr.org/2017/566}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.