[Cryptography] Crypto for optimistic transactions?

Henry Baker hbaker1 at pipeline.com
Thu Jan 4 11:55:40 EST 2018


As I pointed out in my previous posting, there is no "undo" for learning a bit of information, so it is *impossible* to truly "roll back" an optimistic transaction if that bit is inadvertently disclosed during the negotiation.

So is there a role for crypto in solving this problem?

Is there a way to use crypto to "escrow" any knowledge gained during the first ("negotiation"/"gathering") phase of a transaction in such a way that if the transaction never commits, the knowledge is never transmitted to the parties to the transaction?

Presumably, the information to be used in the transaction is encrypted & signed, but the keys are escrowed until the transaction commits.  But we can't take a chance on a malicious participant, so the signature still must be checked as part of the commit protocol.

For example, suppose that a computer memory is optimistically asked to provide the contents of some memory location, but the requestor has not been validated.  Could the memory "seal" these contents in an envelope and store it in an escrow ("shadow") register, which can only be decrypted after the requestor has been validated?

Carl Hewitt and I addressed a similar problem in our 1977 paper "The Incremental Garbage Collection of Processes" which introduced the concept of a "future": an Algol-60-like "thunk" which had its own parallel computational power to speculatively evaluate an expression, but if the value of that expression was never required, these computational resources (CPUs, memory) would need to be recycled ("garbage collected") for reuse in subsequent computations.

A crypto scheme for enforcing the information-hiding in *abstract data types* might also work for enforcing secrecy on these "futures".  Then these same techniques should also work for enforcing secrecy during the negotiation phase of a 2-phase transaction protocol.

Perhaps someone in the crypto literature has already addressed this problem?
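
The sealed-envelope idea from the memory example above, as an added sketch that is not part of the original post. EscrowMemory, speculative_read, commit and open_envelope are hypothetical names; an HMAC tag stands in for the signature, SHAKE-256 stands in for a vetted authenticated cipher so the code needs only the standard library, and each transaction is assumed to make one read.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    # SHAKE-256 used as a keystream generator: a stdlib-only stand-in for a vetted AEAD.
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def _mac(key, nonce, ct):
    # Separate MAC key derived from the envelope key by domain separation.
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class EscrowMemory:
    """Hypothetical memory that answers unvalidated reads with sealed envelopes."""

    def __init__(self, cells):
        self.cells = dict(cells)
        self.escrow = {}  # the "shadow register": transaction id -> envelope key

    def speculative_read(self, txn_id, addr):
        # Fresh key per read; the requestor gets ciphertext only, the key stays here.
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _xor(self.cells[addr], _keystream(key, nonce, len(self.cells[addr])))
        self.escrow[txn_id] = key
        return nonce, ct, _mac(key, nonce, ct)

    def commit(self, txn_id, requestor_validated):
        # The key leaves escrow at most once; on abort it is dropped, never sent.
        key = self.escrow.pop(txn_id, None)
        return key if requestor_validated else None

def open_envelope(key, envelope):
    # Requestor side of the commit: check the tag before using the contents.
    nonce, ct, tag = envelope
    if not hmac.compare_digest(tag, _mac(key, nonce, ct)):
        raise ValueError("envelope failed authentication at commit")
    return _xor(ct, _keystream(key, nonce, len(ct)))

def demo():
    # Constructed sample contents: t1 commits, t2 aborts.
    mem = EscrowMemory({0x10: b"constructed sample contents"})
    committed = mem.speculative_read("t1", 0x10)
    aborted = mem.speculative_read("t2", 0x10)
    opened = open_envelope(mem.commit("t1", True), committed)
    return opened, mem.commit("t2", False), aborted
```

Only the value is escrowed here: the envelope has the same length as the contents, and the requestor still learns that the read took place.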


