Key Management and Fair Electronic Exchange
Silvio Micali, MIT
(PowerPoint presentation)
Thesis
Key Management can and will be an enabler
of Other Crypto Technologies:
Fair Electronic Exchange
What?
EXCHANGE
A has a; B has b
A gets b; B gets a
ELECTRONIC
a (= string); b (= string)
FAIR
IF and only IF
YES endings (Complete transaction)
A Bab
(if both want) (if ≤ 1 wants)
A B??
NO endings (Incomplete transaction)
A B?b
A Ba?
Running Example: Certified E-Mail
Crucial to Electronic Commerce but Not Easy (even with digital signatures):
Recipient R gets message IF and only IF
Sender S gets R’s receipt for it
S R
m
S R
m
SIG_R(m)
is Wishful, not Fair:
Bye!
S R …
Still Unfair!
More rounds
(Whoever gets first what he wants may stop)
Q: Trusted Parties? A: No Thanks!
Why Not?
m
SIG_R(m)
Trusted party = Post Office
S PO R
m
SIG_R(m)
Bad:
0. 4 messages
1. Congestion (at PO)
2. Cost ($1/message)
3. Liabilities ($10/message)
Then What?
When PO goes down, all receipts are lost. Massive lawsuit!
Virtual Trusted Parties!
Yet:
IF S and R do not fairly complete their transaction
THEN the TP will (ex post) complete it
EXACTLY as S and B would have done if honest!
What does it mean??
♦ TP is off-line
♦ TP is unaware that S and R are transacting
♦ TP is unaware of S’s message and R’s signing key
[Diagram: S, PO, R. If S & R honest: labels "receipt" and "message". Else: either "receipt" at S and "?" at R, or "?" at S and "message" at R; labels "what you have", "message", "receipt".]
More Specifically… (for Certified Electronic Mail)
HOW?
Basic CEM w/ Invisible PO
details
Parties: PO, S, R
M
pk (sk): PO’s public and secret encryption keys
E_PK(M,S,R) = σ
SIG_R(σ) = y
receipt: y
message: M
Basic CEM w/ Invisible PO
details
Parties: PO, S, R
M
pk (sk)
E_PO(M,S,R) = σ
SIG_R(σ) = y
M,S,R
M
σ & y
receipt: y
message: M
In Sum
S & R Honest: no PO!
Else: cheating useless
Thus: little or no cheating (1 ‰)
♦ Very Simple: Typical transaction has 3 messages rather than 4
♦ No congestion: Typical transactions are peer-to-peer
♦ Very Economical: Infrastructure / Liability costs are 1,000 times less: TP handles just 1‰ of the transactions. (A single laptop can handle the whole country)
Great Efficiency (in all senses)
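The three-message exchange and the PO's ex-post completion from the two "Basic CEM w/ Invisible PO" slides, as an added example that is not part of the original slides. The message order is this example's reading of the slide labels; toy textbook RSA on fixed Mersenne primes stands in for E_PO and SIG_R, and all function names are hypothetical.

```python
import hashlib

# Toy textbook RSA on fixed Mersenne primes: an assumed stand-in for E_PO and
# SIG_R so the flow runs offline. It is trivially breakable; not for real keys.
E = 65537

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, secret)

PO_PK, PO_SK = keypair(2**521 - 1, 2**607 - 1)  # PO's encryption keys pk, (sk)
R_PK, R_SK = keypair(2**127 - 1, 2**521 - 1)    # R's signing keys

def digest(sigma):
    return int.from_bytes(hashlib.sha256(str(sigma).encode()).digest(), "big")

def encrypt_for_po(m, s, r):
    """sigma = E_PO(M, S, R): only the PO's secret key opens it."""
    x = int.from_bytes(b"\x00".join([m, s, r]), "big")
    if not m or b"\x00" in m or x >= PO_PK[0]:
        raise ValueError("message does not fit this toy encoding")
    return pow(x, PO_PK[1], PO_PK[0])

def sign_r(sigma):
    """y = SIG_R(sigma): R's receipt, issued before R can read M."""
    return pow(digest(sigma), R_SK[1], R_SK[0])

def verify_r(sigma, y):
    return pow(y, R_PK[1], R_PK[0]) == digest(sigma)

def po_resolve(sigma, y):
    """Off-line PO: given a valid (sigma, y), return (M for R, y for S)."""
    if not verify_r(sigma, y):
        return None  # no valid receipt, so no message is released
    x = pow(sigma, PO_SK[1], PO_SK[0])
    m, s, r = x.to_bytes((x.bit_length() + 7) // 8, "big").split(b"\x00")
    return m, y

def run_cem(message, s_sends_m=True):
    """Return (M held by R, receipt held by S, whether the PO was contacted)."""
    sigma = encrypt_for_po(message, b"S", b"R")  # 1. S -> R : sigma
    y = sign_r(sigma)                            # 2. R -> S : y
    if s_sends_m:                                # 3. S -> R : M
        return message, y, False
    m_for_r, y_for_s = po_resolve(sigma, y)      # else R -> PO : sigma & y
    return m_for_r, y_for_s, True                # PO -> R : M, PO -> S : y

MSG = b"constructed sample: invoice 17 is due"   # constructed input
```

When S withholds M, R still obtains it from the PO and S still ends with y, so stopping after step 2 changes only who delivers the message.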
Go to Market
“IF you pay PO $10/month, can send unlimited certified e-mails for free, and if help is requested PO will fairly complete the transaction for $11. ELSE: good luck!”
Win-Win
User: Better paying $11 after the fact when I know I am dealing with a dishonest user, than paying $11 all the time just in case the other user is dishonest
PO: I get $10/month for doing nothing, and get paid extra when I have to work!
what do I gain?
1 claim
$1M
$1M per claim
traditional trustee (1 of the few)
(reserves=$2M)
(1 of the thousands)
$1M / claim
invisible trustee
Turing test
($1B reserves to prove it)
Small TPs = Big TPs
From Certified E-Mail to Everything
Same CEM Solution immediately implies
• Software Distribution
• Content Downloading
• (Sarbanes-Oxley)
Slight Variation implies Fair Contract Signing
General Solution implies All Fair Electronic Exchange!
History
Visible TPs
… Micali ’95 (U.S. No. 5,666,420)
Asokan Schunter Waidner ’97 (’96)
Asokan Shoup Waidner ’00
Blum ’81
Even Goldreich Lempel ’81
Luby Micali Rackoff ’83
…
Rabin ’81
Ben-Or Goldreich Micali & Rivest ’85
Key Management
Mathematical Success = all on a single key
Concrete Wisdom = 1 key 3 keys (2-out-of-3)+
key management !
Practical because: PO rarely used!
Recommended because: People are People!=
To reveal sk
To decrypt E_pk(m)
Other Enablements
Secure, Distributed, Compact
Storage
Other talk, Other Patents, Other Day
In Sum: Crypto Keys are great friends
And (proper) key management an even better one!
Thank You!