ABSTRACT
While fair exchange of goods is known to be impossible without assuming a trusted party, smart contracts in cryptocurrencies forgo such parties by assuming trust in the currency system. They allow a seller to sell a digital good, which the buyer obtains if and only if she pays. Zero-knowledge contingent payments (zkCP) show that, despite the limited expressiveness of Bitcoin's scripting language, this is possible even in Bitcoin by using zero-knowledge proofs. At CCS'17, Campanelli, Gennaro, Goldfeder and Nizzardo showed that the zkCP protocol was flawed, in that the buyer could obtain information about the good without paying. They proposed countermeasures to repair zkCP and moreover observed that zkCP cannot be used when a service is sold. They introduced the notion of ZK contingent payments for services and gave an instantiation based on a witness-indistinguishable (WI) proof system. We show that some of their proposed countermeasures are not sufficient by presenting an attack against their fixed zkCP scheme. We also show that their realization of zkCP for services is insecure, as the buyer can learn the desired information (i.e., whether the service was provided) without paying; in particular, we show that WI of the proof system used is not enough.