Alfonso de la Rocha
26 Feb 2021
Selling goods and services is all about trust. You are able to sell your worn and used guitar to someone on the other side of the globe, and be sure that he will pay you conveniently, because there is a third party (let’s call it eBay for now) orchestrating the exchange. Of course, our friend eBay is also being paid for its mediation services. But what if we had to go without this third party for the exchange? What would be the outcome? The conversation would go something like this:
You see what I am getting at, right? I don’t personally know Alice, and in order for us to be able to go through with the exchange, there needs to be a minimum level of trust. There will always be an imbalance in the exchange for the party that sends its part first, because it can’t be sure that the other will fulfil its part of the bargain. This, my dearest readers, is the problem of fair exchange, and there are companies out there such as eBay (and think of any other second-hand marketplace) earning a lot of money with this problem.
As early as 1999, this paper already showed the impossibility of performing a fair exchange without a third party. As stated in the paper: “An exchange is fair if, at the end of the exchange, either each player receives the item it expects or neither player receives any additional information about the other's item.”
So that’s it? End of story? Will we have to depend on the eBays of the world to perform fair exchanges forever? It could have seemed that way until 2008, but on the 31st of October of that year, the whitepaper for a third party everyone could trust was released. You guessed right, I am referring to Bitcoin and blockchain technology.
Bitcoin was designed to remove some of the largest third parties there are in the financial system: central banks. And the same way Bitcoin is able to supersede central banks, it can also become our much-needed third party to perform fair exchanges.
Now that I got you hooked on this fair-exchange problem, you may be wondering whether we can leverage Bitcoin to perform a fair exchange. The answer to this is a protocol called Zero Knowledge Contingent Payments (a.k.a. the ZKCP protocol). To illustrate how the ZKCP protocol works, we are going to consider a good more easily digitized than a guitar, such as the solution to a Sudoku puzzle. This is actually the toy example you will recurrently find in the fair-exchange literature published on ZKCP protocols.
In this example, Alice sends the sudoku puzzle P to Bob. Bob is able to find a solution S to P, and wants to sell it to Alice. Alice is willing to pay for the solution because the sudoku was hard as f... really hard. But how can she indeed be sure that Bob managed to find the right solution before she sends her payment? And the other way around, how can Bob show he has the right solution without leaking any information about the solution? We are facing this evil problem again.
Before we jump into how ZKCP protocols work, let’s make a small detour to explain hashlock transactions for those of you unfamiliar with the concept. A hashlock is a type of encumbrance that restricts the spending of an output until a specified piece of data is publicly revealed. So with a hashlock transaction, Alice will be able to send a payment that can only be redeemed by someone able to reveal the secret pre-image of the hash used to lock the transaction. Thus, if Alice locks the transaction with SHA256(d), only someone disclosing d will be able to access the payment.
Hashlock transactions are one of the building blocks of a ZKCP protocol. The other one is zero-knowledge proofs. A zero-knowledge proof lets someone prove a mathematical fact to another person without teaching them anything about the fact itself. Now we are ready to introduce ZKCP protocols.
The steps of a ZKCP protocol are generally the following:
1. Once Bob finds the solution S to the Sudoku, he encrypts it with a symmetric key k, c = Enc_k{S}. He then computes the hash of that key, y = SHA256(k), and generates a zero-knowledge proof showing that the ciphertext c was indeed encrypted using a key k whose hash is y, and that S is the solution of the puzzle P, i.e. the proof shows that SHA256(k) = y; Enc_k{S} = c; Sol(P) = S.
2. Bob sends Alice (c, y, proof). At this point, Alice has the encrypted solution of the Sudoku, and a proof that validates that what is hidden behind the ciphertext is the solution that Alice is looking for.
3. Alice sends a hashlock transaction locked with SHA256(k), so Bob will have to reveal k in order to access the payment, revealing the encryption key of the solution sent in the process.
4. Alice can now use k to recover S from the ciphertext and be happy with her solution to the hard Sudoku. Time to show off!
There you go! With this ZKCP protocol and the help of Bitcoin, we managed to perform a fair exchange of a digital good. The blockchain became our third party mediating the exchange. If you want to go deep into the internals of ZKCP protocols I’d suggest starting with this paper. If you still want more, ping me and I can share more references (this has been a topic I’ve been extensively reading about these past few months).
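The hashlock and key-release part of the steps above, as an added Python example that is not from the original article or from any ZKCP implementation. It assumes a constructed 4x4 Sudoku, a toy SHA-256 keystream standing in for Enc_k, and a hypothetical HashLock class standing in for a Bitcoin output; the zero-knowledge proof is left out, so the third return value is what Alice would otherwise only learn after paying.

```python
import hashlib
import hmac
import secrets

PUZZLE = "1000040000400001"    # constructed 4x4 Sudoku, '0' = blank
SOLUTION = "1234341221434321"  # constructed valid solution S


def enc(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for Enc_k: XOR with SHA-256(key || counter). Not a real cipher."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))


def solves(puzzle: str, sol: str) -> bool:
    """Sol(P) = S: clues preserved and every row, column and 2x2 box is {1..4}."""
    if len(sol) != 16 or any(p not in ("0", s) for p, s in zip(puzzle, sol)):
        return False
    rows = [sol[r * 4:r * 4 + 4] for r in range(4)]
    cols = [sol[c::4] for c in range(4)]
    boxes = [sol[i:i + 2] + sol[i + 4:i + 6] for i in (0, 2, 8, 10)]
    return all(set(unit) == set("1234") for unit in rows + cols + boxes)


class HashLock:
    """Output that pays whoever reveals the pre-image of y (hypothetical model)."""

    def __init__(self, amount: int, y: bytes):
        self.amount, self.y, self.revealed = amount, y, None

    def claim(self, preimage: bytes) -> int:
        if self.revealed is not None:
            raise ValueError("output already spent")
        if not hmac.compare_digest(hashlib.sha256(preimage).digest(), self.y):
            raise ValueError("pre-image does not hash to y")
        self.revealed = preimage  # spending publishes k on-chain
        return self.amount


def run_exchange(puzzle: str, bobs_grid: str, price: int = 10):
    k = secrets.token_bytes(32)                 # Bob picks k
    c = enc(k, bobs_grid.encode())              # c = Enc_k{S}
    y = hashlib.sha256(k).digest()              # y = SHA256(k)
    # Bob sends (c, y); the zero-knowledge proof is NOT modelled here.
    lock = HashLock(price, y)                   # Alice locks payment with y
    paid = lock.claim(k)                        # Bob reveals k to get paid
    recovered = enc(lock.revealed, c).decode()  # Alice decrypts with revealed k
    return paid, recovered, solves(puzzle, recovered)
```

Calling `run_exchange(PUZZLE, "1" * 16)` still pays Bob while the recovered grid fails `solves`, which is the gap the proof in step 1 closes.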
Do you want to also tinker with some code? Here are a few implementations of ZKCP protocols (I haven’t tried them myself yet, but let me know if you do, I’d be interested in knowing your thoughts):
Some of you may be wondering, can we have a ZKCP protocol over any kind of blockchain network, not only Bitcoin? Of course, as long as your blockchain network supports hashlock transactions or smart contracts you are covered. Actually, let me briefly share a paper that proposes an alternative to a ZKCP protocol to perform a fair exchange over the Ethereum blockchain using no zkSNARKs: FairSwap: How to fairly exchange digital goods.
The paper proposes an optimistic approach to the exchange. In this approach, the blockchain orchestrates the exchange but really comes into action only when there is a dispute between the two parties. Oversimplifying it a bit, the protocol would operate as follows for our sudoku example:
In this case, the judge contract was the one responsible for orchestrating the fair exchange, and we didn’t need any hashlock transaction or zero-knowledge proofs. I’ve hidden some of the details of the protocol, but you can always check the paper shared above to get a better understanding of what is happening under the hood. But there you go, another example of a fair exchange protocol leveraging the capabilities of blockchain networks.
I really hope you’ve enjoyed this brief introduction to the decade-old problem of fair exchange. Research on new cryptographic protocols and constructions to make efficient fair exchanges using blockchain networks is booming, so do not hesitate to have a quick look at all the exciting work being done in this field. Fair exchanges without trust are impossible without involving a third party, so we had better select that third party wisely. Fortunately, as shown in this publication, blockchains can be our best third-party friends.