[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freehaven-dev] Re: abuse-free contract signing implementation (fwd)

Here's a message from someone who has implemented a  TTP based contract
signing protocol. This was the optimistic protocol I showed people at the
meeting; it can be found as the paper "Abuse Free Optimistic Contract
Signing" here : http://www.bell-labs.com/user/markusj/

---------- Forwarded message ----------
Date: Mon, 07 Feb 2000 14:39:36 -0500
From: Ivan D Nestlerode <nestler@MIT.EDU>
To: dmolnar <dmolnar@hcs.harvard.edu>
Subject: Re: abuse-free contract signing implementation 


I don't have a good implementation report. I have something along
those lines, but it was targeted to my advisor who is not very
crypto savvy. I don't think it has the details you are looking for.
If you want it anyway, it is at http://web.mit.edu/nestler/www/aup.ps

I'm not sure what exactly you are referring to in regard to "overhead"
of the protocol messages. Basically, each type of proof in the
paper was implemented as a serializable Java object. These objects
were written over the socket connection using the object serialization
methods. Basically, the length of any of the first two protocol messages
(PCS messages) is going to be roughly 2*(|m| + 6*|p| + 2*|q|)
where q is is the order of generator g and m is the message.
Each second round message (full sigs) will be even longer with
an increase in length (per message) of roughly 5*|p| + |q|.
I think p was around 1024 bits or something. I don't quite remember.
q was significantly shorter. m is as large as whatever the
people are signing.

Also, in addition to the messages specified in the paper, there is
an initial negotiation round at the beginning. I think it just involves
Alice sending p, q, g, and m over to Bob. Bob replies with a yes or
something if he agrees on these parameters, and hangs up if he doesn't.

I am pretty sure that the TTP just needs the public keys of the
participants before starting.

Sorry if I don't have the details down pat. I don't have access
to my source code anymore. If you want to try to get it,
you should probably talk to Phil MacKenzie (philmac@research.bell-labs.com).
I warn you in advance that my implementation of the TTP is not
finished (it doesn't 'remember' things correctly yet). Also,
the support for standard public key formats has not yet been
added (X.509).

Our test runs took a few seconds to run the entire protocol using
realistic cryptographic sizes and using the Declaration of Independence
as the message m between 2 machines on the network in Murray Hill, NJ.