Results 1 - 10 of 20
TrustGuard: Countering Vulnerabilities in Reputation Management for Decentralized Overlay Networks, 2005
Cited by 49 (6 self)
Reputation systems have been popular in estimating the trustworthiness and predicting the future behavior of nodes in a large-scale distributed system where nodes may transact with one another without prior knowledge or experience. One of the fundamental challenges in distributed reputation management is to understand vulnerabilities and develop mechanisms that can minimize the potential damages to a system by malicious nodes. In this paper, we identify three vulnerabilities that are detrimental to decentralized reputation management and propose TrustGuard -- a safeguard framework for providing a highly dependable and yet efficient reputation system. First, we provide a dependable trust model and a set of formal methods to handle strategic malicious nodes that continuously change their behavior to gain unfair advantages in the system. Second, a transaction based reputation system must cope with the vulnerability that malicious nodes may misuse the system by flooding feedbacks with fake transactions. Third, but not least, we identify the importance of filtering out dishonest feedbacks when computing reputation-based trust of a node, including the feedbacks filed by malicious nodes through collusion. Our experiments show that, compared with existing reputation systems, our framework is highly dependable and effective in countering malicious nodes regarding strategic oscillating behavior, flooding malevolent feedbacks with fake transactions, and dishonest feedbacks.
Efficient non-interactive proof systems for bilinear groups, 2007
Cited by 33 (5 self)
Non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs have played a significant role in the theory of cryptography. However, lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that non-interactive zero-knowledge proofs have been constructed for general NP-complete languages such as Circuit Satisfiability, causing an expensive blowup in the size of the statement when reducing it to a circuit. The contribution of this paper is a general methodology for constructing very simple and efficient non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs that work directly for groups with a bilinear map, without needing a reduction to Circuit Satisfiability. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This paper provides non-interactive witness-indistinguishable proofs and non-interactive zero-knowledge proofs that can be used in connection with these protocols. Our goal is to spread the use of non-interactive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups. Keywords: Non-interactive witness-indistinguishability, non-interactive zero-knowledge, common reference string, bilinear groups.
Analysis and Improvement of Micali's Fair Contract Signing Protocol - In: Information Security and Privacy (ACISP’04), LNCS 3108, 2004
Cited by 10 (6 self)
In PODC 2003, Micali presented a fair electronic exchange protocol for contract signing with an invisible trusted party [17]. The protocol was filed as a US patent No 5666420 in 1997 [16]. In the protocol, two mutually distrusted parties exchange their commitments to a contract in a fair way such that either each of them can obtain the other's commitment, or neither of them does. The protocol is optimistic in the sense that the trusted party need not be involved in the protocol unless a dispute occurs. In this paper, we show that Micali's protocol cannot achieve the claimed fairness. In resolving a dispute, the trusted party may face a dilemma situation that no matter what it does, one of the exchanging parties can succeed in cheating. In other words, there is always a party who can get the other's commitment without the other party obtaining his. We further propose a revised version of contract signing protocol that preserves fairness while remaining optimistic.
An Abuse-Free Fair Contract Signing Protocol Based on the RSA Signature, 2005
Cited by 6 (1 self)
A fair contract signing protocol allows two potentially mistrusted parties to exchange their commitments (i.e., digital signatures) to an agreed contract over the Internet in a fair way, so that either each of them obtains the other's signature, or neither party does. Based on the RSA signature scheme, a new digital contract signing protocol is proposed in this paper. Like the existing RSA-based solutions for the same problem, our protocol is not only fair, but also optimistic, since the third trusted party is involved only in the situations where one party is cheating or the communication channel is interrupted. Furthermore, the proposed protocol satisfies a new property, i.e., it is abuse-free. That is, if the protocol is executed unsuccessfully, none of the two parties can show the validity of intermediate results to others. Technical details are provided to analyze the security and performance of the proposed protocol. In summary, we present the first abuse-free fair contract signing protocol based on the RSA signature, and show that it is both secure and efficient.
On the security of a certified e-mail scheme - In Proc. of Progress in Cryptology - INDOCRYPT ’04, LNCS 3348, 2004
Cited by 3 (2 self)
As a value-added service for standard e-mail systems, a certified e-mail scheme allows a sender to deliver a message to a receiver in a fair way in the sense that either the sender obtains a receipt from the receiver and the receiver accesses the content of the e-mail simultaneously, or neither party gets the expected item. In 2000, Ferrer-Gomila et al. [11] proposed a novel certified e-mail protocol. Their scheme is both efficient and optimistic, since it has only three steps and a trusted third party is not involved in normal cases. Later, Monteiro and Dahab [16] identified an attack on Ferrer-Gomila et al.’s scheme, and further presented a modified scheme. In this paper, we show that their improvement is still insecure by successfully identifying several weaknesses and security flaws. Our attacks also apply to Ferrer-Gomila et al.’s original scheme.
ExchangeGuard: A Distributed Protocol for Electronic Fair-Exchange
Cited by 3 (1 self)
Electronic fair-exchange protocols have received significant attention from the research community in the recent past. In loose terms, the fair exchange problem is defined as atomically exchanging electronic items between two parties. All the known fair exchange protocols today utilize a centralized trusted third party server either actively or passively. In this paper, we propose a distributed protocol for exchange of electronic items using untrusted servers. We perform detailed security analysis and show that the protocol guarantees effectiveness and fairness with Byzantine failures of up to one third of the untrusted servers. We also give the probability of a fair exchange otherwise. Finally we discuss how to deploy the protocol to large online electronic communities and peer-to-peer systems and demonstrate its security guarantees, scalability and load balancing properties.
Impossibility results on fair exchange - In Proceedings of the 6th International Workshop on Innovative Internet Community Systems (I2CS’06), volume LNCS, 2006
Cited by 3 (2 self)
The contribution of this paper is threefold. First, we propose a novel specification of the fair exchange problem that clearly separates safety and liveness. This specification assumes a synchronous model where processes communicate by message passing and might behave maliciously. In this model, we prove a first impossibility related to the notion of trust, stating that no solution to fair exchange exists in the absence of an identified process that every process can trust a priori. Finally, we derive an enriched model where processes are divided into trusted and untrusted processes, and we show that an additional assumption is still necessary to solve fair exchange. Intuitively, this result expresses a condition on the connectivity of correct but untrusted processes with respect to trusted processes. We also revisit existing fair exchange solutions described in the literature, in the light of our enriched model, and show that our second impossibility result applies to them.
Efficient Optimistic Fair Exchange Secure in the Multi-user Setting and Chosen-key Model without Random Oracles, 2008
Cited by 2 (2 self)
Optimistic fair exchange is a kind of protocols to solve the problem of fair exchange between two parties. Almost all the previous work on this topic are provably secure only in the random oracle model. In PKC 2007, Dodis et al. considered optimistic fair exchange in a multi-user setting, and showed that the security of an optimistic fair exchange in a single-user setting may no longer be secure in a multi-user setting. Besides, they also proposed one and reviewed several previous construction paradigms and showed that they are secure in the multi-user setting. However, their proofs are either in the random oracle model, or involving a complex and very inefficient NP-reduction. Furthermore, they only considered schemes in the certified-key model in which each user has to show his knowledge of the private key corresponding to his public key. In this paper, we make the following contributions. First, we consider a relaxed model called chosen-key model in the context of optimistic fair exchange, in which the adversary can arbitrarily choose public keys without showing the knowledge of the private keys. We separate the security of optimistic fair exchange in the chosen-key model from the certified-key
Verifiably Committed Signatures Provably Secure in the Standard Complexity Model, 2003
Cited by 1 (1 self)
In this paper, we study the security notions of verifiably committed signatures by introducing privacy and cut-off time, and then we propose the first scheme which is provably secure in the standard complexity model based on the strong RSA assumption. The idea behind the construction is that given any valid partial signature of messages, if a co-signer with its auxiliary input is able to generate variables called the resolution of messages such that the distribution of the variables is indistinguishable from that generated by the primary signer alone from the views of the verifier/arbitrator, a verifiably committed signature can be constructed.
Some common attacks against certified email protocols and the countermeasures - Computer Communications
Cited by 1 (1 self)
Certified email is a value-added service for standard email systems, which guarantees the fairness, i.e., the intended recipient gets the mail content if and only if the mail originator receives a non-repudiation receipt showing that the message has been received by the recipient. As far as security is concerned, fairness is the most important requirement, though some other properties are also desirable in practice. Recently, a number of certified email protocols have been proposed. However, most of those schemes have more or less weaknesses and/or security flaws. In the worst case, fairness cannot be achieved since one dishonest party can mount some attacks to cheat the honest party such that the latter cannot get the expected items. In this paper, we analyze two latest certified email protocols to demonstrate some common attacks, and then propose some improvements to avoid those security problems. We further give several informal but useful guidelines to counter those common attacks in the design of certified email protocols.

