Enhancing Crypto Technologies through Effective Key Management in Fair Electronic Exchanges

1. Key Management and Fair Electronic Exchange Silvio Micali MIT

2. Thesis Key Management can and will be an enabler of Other Crypto Technologies: Fair Electronic Exchange

3. (= string) (= string) A has a B has b A gets b B gets a A A A A B B B B YES endings (Complete transaction) ? b b ? ? a a ? (if both want) (if ≤ 1 wants) NO endings (Incomplete transaction) What? FAIR ELECTRONIC EXCHANGE IF and only IF

4. m m S R … is Wishful not Fair : R S R S Bye! SIGR(m) Running Example: Certified E-Mail Recipient R gets message IF and only IF Sender S gets R’s receipt for it Crucial to Electronic Commerce but Not Easy (even with digital signatures): More rounds Q: Trusted Parties ? A: No Thanks ! Still Unfair! (Whoever gets first what he wants may stop)

5. Trusted party = Post Office m m R PO S SIGR(m) SIGR(m) Why Not? Bad: 0. 4 mssgs When PO goes down all receipts are lost. Massive Law Suit! 1. Congestion (at PO) 2. Cost ($1/messg) 3. Liabilities ($10/mssg) Then What?

6. Virtual Trusted Parties! What does it mean?? • TP is off-line • TP is unaware that S and R are transacting • TP is unaware of S’s message and R’s signing key Yet: IFS and R do not fairly complete their transaction THENthe TP will (ex post) complete it EXACTLY as S and B would have done if honest!

7. More Specifically… (for Certified Electronic Mail) PO S R receipt message receiptS receipt message receipt message either what you have ?R HOW? If S & R honest Else: Else: Else: receiptS ?S what you have either or messageR messageR

8.  details EPK(M,S,R) = σ R S SIGR(σ) = y M PO Basic CEM w/ Invisible PO M receipt message PO’s public and secret encryption keys pk (sk)

9. EPO(M,S,R) = σ R S SIGR(σ) = y M message σ & y y M PO M,S,R Basic CEM w/ Invisible PO  details M receipt pk (sk)

10. In Sum S & R Honest: no PO! Else: cheating useless Thus: little or no cheating (1 ‰) Great Efficiency (in all senses) • Very Simple: Typical transaction has 3 messages rather than 4 • No congestions: Typical transactions are peer-to-peer • Very Economical: Infrastructure / Liability costs are 1,000 less: • TP handles just 1‰ of the transactions. • (A single laptop can handle the whole country)

11. what do I gain? Go to Market IF you pay PO $10/month, can send unlimited certified e-mails for free, and if help is requested PO will fairly complete the transaction for $11. ELSE: good luck!” Win-Win User: Better paying $11 after the fact when I know I am dealing with a dishonest user, than paying $11 all the time just in case the other user is dishonest PO: I get $10/month for doing nothing, and get paid extra when I have to work!

12. $1M per claim traditional trustee $1M / claim Turing test invisible trustee Small TPs = Big TPs ($1B reserves to prove it) 1 claim (1 of the few) $ 1M (reserves=$2M) (1 of the thousands)

13. Same CEM Solution immediately implies • Software Distribution • Content Downloading • (Sarbanes-Oxley) From Certified E-Mail to Everything Slight Variation implies Fair Contract Signing General Solution implies All Fair Electronic Exchange!

14. … Blum ’81 Even Goldreich Lempel ’81 Luby Micali Rackoff ’83 Rabin ’81 Ben-OrGoldreich Micali & Rivest ’85 Micali ’95 (U.S. No. 5,666,420) Asokan Schunter Waidener ’97 (’96) Asokan Shoup Waidener ’00 … History Visible TPs [Chandra Mitchell Scedrov Shmaticov]’s impossibility

15. To reveal sk To decrypt Epk(m) Key Management Mathematical Success = all on a single key + Concrete Wisdom = 1 key  3 keys (2-out-of-3) = key management ! Practical because: PO rarely used! Recommended because: People are People!

16. Othe Enablements Secure, Distributed, Compact Storage Other talk, Other Patents, Other Day In Sum: Crypto Keys are great friends And (proper) key management an even better one!

17. Thank You!