Improving Cut-and-Choose in Verifiable Encryption and Fair Exchange Protocols Using Trusted Computing Technology
[chapter]

Stephen R. Tate, Roopa Vishwanathan

2009
Lecture Notes in Computer Science

Cut-and-choose is used in interactive zero-knowledge protocols in which a prover answers a series of random challenges that establish with high probability that the prover is honestly following the defined protocol. In this paper, we examine one such protocol and explore the consequences of replacing the statistical trust gained from cut-and-choose with a level of trust that depends on the use of secure, trusted hardware. As a result, previous interactive protocols with multiple rounds can be improved to non-interactive protocols with computational requirements equivalent to a single round of the original protocol. Surprisingly, we accomplish this goal by using hardware that is not designed for our applications, but rather simply provides a generic operation that we call "certified randomness," which produces a one-way image of a random value along with an encrypted version that is signed by the hardware to indicate that these values are properly produced. It is important to stress that while we use this operation to improve cut-and-choose protocols, the trusted operation does not depend in any way on the particular protocol or even data used in the protocol: it operates only with random data that it generates. This functionality can be achieved with minor extensions to the standard Trusted Platform Modules (TPMs) that are being used in many current systems. We demonstrate our technique through application to cut-and-choose protocols for verifiable group encryption and optimistic fair exchange. In both cases we can remove or drastically reduce the amount of interaction required, as well as decrease the computational requirements significantly.

In this paper, we explore the question of how much power trusted hardware adds in designing cryptographic protocols, looking specifically at certain zero-knowledge proofs. Zero-knowledge proofs were first introduced by Goldwasser et al. [21] and have applications in a wide range of cryptographic protocols that require authentication of one party to another. A zero-knowledge proof is a protocol in which a prover P provides some information I to a verifier V, and then engages in a protocol to convince V that I satisfies some property Q(I) that would be difficult for V to compute on its own. For example, I might be an encrypted value and the property Q(I) refers to a simple property of the corresponding plaintext.
Zero-knowledge proofs are used in higher-level protocols such as fair exchange [1], identification protocols [17], and group signatures [4]. Interactive zero-knowledge proof systems often employ a paradigm called "cut-and-choose" in which the prover answers a series of random challenges given by the verifier. For each challenge, the verifier has at most a 50% chance of getting cheated. With sufficiently many challenges, the chance of a dishonest prover answering all of them correctly, and the verifier getting cheated on all of them, is negligible. This requires several rounds of communication between the prover and verifier, and increases the communication costs, thereby decreasing the efficiency of the protocol. Several protocols for the verifiable encryption problem use such zero-knowledge proofs, and this is the core problem that we examine in this paper. Verifiable encryption is a protocol that actively involves two parties, a prover and a verifier, and passively involves one or more additional parties. In its simplest version, with a single trusted third party T, the prover P encrypts a secret value s that is supposed to satisfy some specific property (e.g., a signature on some message) with the public key of the trusted third party $PK_T$, and sends the encrypted value $E_{PK_T}(s)$ to the verifier V. The protocol is such that V is convinced that the received ciphertext will decrypt to a value s which satisfies the necessary property, but other than this fact V is not able to discover any additional information about the value s. In a typical application, an honest prover will later reveal the secret, and the trusted party is only involved if the protocol does not complete and V needs to recover the secret without the assistance of P. Verifiable encryption has been used to construct solutions for fair exchange [1, 2], escrow schemes [35], signature sharing schemes [19] and publicly verifiable secret sharing [40].
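An added example (not from the paper): a binary-challenge proof of knowledge of a discrete logarithm, used here as an assumed stand-in for a cut-and-choose protocol, showing why a cheating prover survives one round only when it guesses the challenge bit, and so survives k rounds for exactly one of the 2^k challenge strings. The toy group parameters and all class and function names are constructed for illustration.

```python
import itertools
import secrets

# Toy group (constructed for illustration, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def verify(y, t, c, z):
    """Verifier's check for one round: g^z == t * y^c (mod p)."""
    return pow(G, z, P) == (t * pow(y, c, P)) % P

class HonestProver:
    """Knows x with y = g^x, so it can answer either challenge."""
    def __init__(self, x):
        self.x = x
    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)
    def respond(self, c):
        return (self.r + c * self.x) % Q

class CheatingProver:
    """Does not know x; prepares each round for one guessed challenge bit."""
    def __init__(self, y, guesses):
        self.y, self.guesses = y, iter(guesses)
    def commit(self):
        self.z = secrets.randbelow(Q)
        guess = next(self.guesses)
        # t = g^z * y^(-guess): verifies only if the real challenge == guess
        return (pow(G, self.z, P) * pow(self.y, (Q - guess) % Q, P)) % P
    def respond(self, c):
        return self.z

def run(y, prover, challenges):
    """Accept only if every round verifies."""
    ok = True
    for c in challenges:
        t = prover.commit()
        ok &= verify(y, t, c, prover.respond(c))
    return ok

def cheat_successes(y, k):
    """Count the challenge strings (out of 2^k) a fixed-guess cheater survives."""
    guesses = [0] * k
    return sum(run(y, CheatingProver(y, guesses), cs)
               for cs in itertools.product((0, 1), repeat=k))
```

Each extra round halves the cheater's odds but costs another message exchange, which is the interaction the paper aims to remove.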
In this paper we solve a generalized, more powerful version known as verifiable group encryption, in which there are multiple semi-trusted parties ("recovery agents" or "proxies") and authorized subsets of agents. The secret is encoded such that it can be recovered only by an authorized subset of recovery agents working together. Publicly verifiable secret sharing (PVSS), introduced by Stadler [40], operates in the same way. In PVSS, there is a "dealer" who makes shares of a secret value under the keys of n participants $P_1, \dots, P_n$ and distributes the shares such that any coalition of k participants can recover the secret. It also has the property that anybody can verify that the secret shares are correctly distributed. This is just a restatement of the verifiable group encryption problem. The problem we address in this paper is actually a cross between this verifiable group encryption problem and the verifiable escrow problem of Asokan et al. [1]. The difference between verifiable encryption and verifiable escrow is that verifiable escrow attaches an arbitrary "condition" (sometimes called a label), given as a binary string, to an encryption such that the same condition must be supplied to the trusted third party when requesting a decryption. As described by Asokan et al., verifiable encryption and verifiable escrow are equivalent in the sense that a solution to either one can be used in a straightforward way to create a solution for the other. Our solutions all take a condition, so are escrow schemes, but a simple constant condition (such as a string of zeroes) can be used if the condition is not needed. One of the more important applications of verifiable encryption is the fair exchange problem: Two par-

doi:10.1007/978-3-642-03007-9_17
fatcat:vmjrdwkm7rezrkijibs53th6xq