Is there a way to do fair exchange between two parties who don't trust each other?

Question

Let's suppose we have an Alice who knows a secret key A, and Bob who knows key B. Using their own keys, they each encrypt a message (Alice encrypts $m_A$, Bob encrypts $m_B$) with their own key, and send the encrypted messages to one another.

Now is there some cryptographic scheme thinkable that lets Alice only decrypt her message (using key B) when Bob is able to decrypt his (via key A)? To guarantee that Alice will tell Bob her key after Bob told his?

The simplest solution would be a third-party which releases both keys at exactly the same time, but maybe there is also a cryptographic way to do this?

Answer 1

I think what you want to look at is "fair exchange". There's a giant catalog of protocols for fair exchange. They've been designed for doing exactly what (I think) you want.

See, e.g.,

• https://en.wikipedia.org/wiki/Multi_party_fair_exchange_protocol

• Alice trusts Bob only when Bob trusts Alice

Some fair exchange protocols require a third party who Alice and Bob trust, and involve the third party in the protocol. Others (called optimistic fair exchange) require that there be a trusted third party, but normally the third party does not have to be involved in any way -- the third party only gets involved to settle disputes, if something goes wrong. Still others try to avoid any third party (e.g., gradual fair exchange); they're not perfect, but they try to ensure that if Alice can learn Bob's message with some amount of effort, then Bob can learn Alice's messages with not too much more effort.

To learn more about fair exchange, do a literature search on fair exchange. There are lots of research papers on this topic.

Answer 2

Note that it is probably technically impossible to meet your requirement that both secrets have to be revealed at exactly the same time, if interpreted literally. However, if we interpret this requirement as meaning that each party needs guarantees that the other party selected its own message, before decrypting the message of the other party, then this might be achieved using a scheme by which each party commits to a message without revealing it, before actually sending it.

Note: In order to guarantee that Alice will get $M_B$ when revealing $M_A$, you need a trusted third party. However, if your requirements are consistent with simply giving Alice the ability to abort further interactions with Bob if Bob decides to cheat, the following scheme should be sufficient.

For simplicity, suppose each party has a RSA key pair that can be used for both signing and encryption, and that Alice already has the public key of Bob, and vice versa.

1. Alice selects a message $M_A$. Bob selects a message $M_B$.
2. Alice selects a symmetric AES key $K_A$. Bob selects a symmetric AES key $K_B$.
3. Alice generates $S_A = Sign_{Priv_A}(K_A)$. Bob generates $S_B = Sign_{Priv_B}(K_B)$.
4. Alice generates $C_A = AESEnc_{K_A}(M_A)$. Bob generates $C_B = AESEnc_{K_B}(M_B)$.
5. Alice sends $S_A,C_A$ to Bob. Bob sends $S_B,C_B$ to Alice.
6. Alice generates $T_A = Encrypt_{Publ_B}(K_A)$. Bob generates $T_B = Encrypt_{Publ_A}(K_B)$
7. Alice sends $T_A$ to Bob. Bob sends $T_B$ to Alice.
8. Alice generates $K'_B = Decrypt_{Priv_A}(T_B)$ and aborts if $Verify_{Publ_B}(S_B,K'_B)$ fails. Bob generates $K'_A = Decrypt_{Priv_B}(T_A)$ and aborts if $Verify_{Publ_A}(S_A,K'_A)$ fails.
9. Alice generates $M'_B = AESDec_{K'_B}(C_B)$. Bob generates $M'_A = AESDec_{K'_A}(C_A)$.

The above scheme should only be regarded as a general outline.