
Re: [freehaven-dev] Micali's Exchange protocol





On Sun, 6 Feb 2000, Joseph Sokol-Margolis wrote:
> enough" ttp solutions included. so since it boils down to a trust
> thing why not eliminate the receipts and do it all in trust?

It means a bit less reliance on our trust module...

We have A and B doing a trade. 

Without receipts :  suppose A gets screwed over by B (he thinks). 
			By "screwed over" I mean B accepted responsibility
			for A's share, but dropped it later.

			One of our key insights was that A does NOT need
			receipts to tell if B is screwing him. This is
			because of the built-in verification process :
			A can keep requesting his share and see if B 
			no longer has it nor is it anywhere else. 
	
			A broadcasts "B SCREWED ME" to everyone.
			Everyone checks
				1) Do I believe A? (reputation of A)
				2) Does it matter that B screwed him?
					(importance of A)
				3) How does this affect my opinion of
					A and B?

		  Both 1) and 2) require using trust to make a decision.
		  3) then modifies how A and B are trusted.


With a receipt :  suppose A gets screwed over by B (he thinks)
		  A has a receipt by B which says "I agree to hold 
		  your share, signed B". 

		  Now A broadcasts "B SCREWED ME, receipt" to everyone.
		  This seems to remove the need for other people to
		  believe or not believe A. Afterwards, they still need
		  to determine how this affects their opinion of B.

		So what receipts seem to do is just cut out a call to
		the trust management module. :-)


The problem, of course, is getting the receipt. 

I think the key to these optimistic TTP protocols may lie in the fact that
even if party A or party B drops off the face of the earth after the
protocol has gone far enough, party A and the TTP can reconstruct the
receipt -without B-. I need to sit down and write it out tomorrow. 

By the way, I found a preprint of an article by Vitaly Shmatikov and John
C. Mitchell pointing out a flaw in a _different_ contract signing
protocol. It has to do with the exact sequence messages are sent. When we
get Micali's paper, we should make sure that this attack doesn't apply to
his protocol as well -- it probably doesn't, but just make sure. 
 
http://www.hcs.harvard.edu/~dmolnar/afree.ps

Thanks, 
-David
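
The receipt / no-receipt comparison in the message above, as an added example that is not part of the original post or of Free Haven's code. Assumptions: a Lamport one-time signature built on SHA-256 stands in for whatever signature scheme would really be used, the receipt text names A so it is bound to the accuser, and judge(), the reputation table and the 0.5 threshold are hypothetical.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, bits(msg))))

def judge(accuser, accused, reputation, pubkeys, receipt=None, threshold=0.5):
    """Handle a broadcast "<accused> SCREWED ME" from accuser.

    Returns (accepted, used_trust_on_accuser).
    """
    if receipt is not None:
        msg, sig = receipt
        expected = f"I agree to hold {accuser}'s share, signed {accused}".encode()
        if msg == expected and verify(pubkeys[accused], msg, sig):
            # Receipt checks out: the accused's commitment is verified with
            # its public key, so step 1 ("Do I believe A?") is skipped.
            return True, False
    # No receipt, or one that does not verify: fall back to reputation.
    return reputation.get(accuser, 0.0) >= threshold, True

if __name__ == "__main__":
    sk_b, pk_b = keygen()                      # constructed sample key for B
    text = b"I agree to hold A's share, signed B"
    receipt = (text, sign(sk_b, text))
    rep = {"A": 0.1}                           # constructed: A is barely trusted
    print(judge("A", "B", rep, {"B": pk_b}, receipt))   # receipt path
    print(judge("A", "B", rep, {"B": pk_b}))            # trust path
```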