1

Imagine Alice wants to sell a file with important information to Bob for money. The file must be encrypted, so nobody can eavesdrop. It must also be signed upfront, so Bob knows it has not been fiddled around with. Trust is not established between them. Hence, a trusted third-party mediator is required. Ideally, the third-party mediator receives as little info/money as possible, but just enough so that neither Alice nor Bob can trick each other.

In other words: I am looking for an understandable description of a multi-party fair exchange protocol with a trusted third party. (For simplicity, let's assume the third-party is guaranteed to be reliable and available all time.) This question has a really nice, easy-to-understand description of such a protocol - except that it is not fully reliable because:

  1. If Alice uses Bob's public key to encrypt the file, then upon receipt and decryption he might simply not send her the money.
  2. Bob needs a way to verify the file's integrity, i.e. the file must be signed by Alice somehow.

One thing I was also wondering is to what degree non interactive zero knowledge proof protocols could be useful in this situation.

user4461099
  • 11
  • 1
  • By the way, this paper contains quite some useful information, yet it's also maybe a bit dated: https://web.archive.org/web/20130515012637/http://www.cs.odu.edu/~mukka/cs772s04/slides/Fairexchange.pdf – user4461099 Mar 18 '21 at 21:40
  • This is exactly the case of selling solution of a Sudoku puzzle, presented at Financial Crypto 2016 Bitcoin workshop. Google for Bowe and Maxwell. Solved with hash-lock transaction and a SNARK-proof. – Vadym Fedyukovych Apr 13 '21 at 15:53
  • Thanks for the pointer - "hash-locked transactions" seems to be the thing I'm really looking for. I just found this page: https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment. Still need to google the Bowe and Maxwell paper. – user4461099 Apr 26 '21 at 13:43
  • 1
    Found the talk here: https://www.youtube.com/watch?v=ONUsnRgLVB8. And also this: https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/ – user4461099 Apr 26 '21 at 13:48
  • 1
    The magic term seems really to be "zero knowledge contingent payment". And here's a related question regarding Ethereum: https://ethereum.stackexchange.com/questions/65884/zero-knowledge-contingent-payment-on-etherum. This is also relevant (ZCash): https://github.com/zcash-hackworks/pay-to-sudoku – user4461099 Apr 26 '21 at 14:25

0 Answers0