Fair exchange protocols let two mutually distrustful parties exchange digital data in such a way that neither party can cheat. They have various applications, such as the exchange of digital items, or the exchange of digital coins and digital services between a buyer/client and seller/server. In this work, we formally define and propose a generic blockchain-based construction called "Recurring Contingent Service Payment" (RC-S-P). It (i) lets a fair exchange of digital coins and verifiable service reoccur securely between clients and a server while ensuring that the server is paid if and only if it delivers a valid service, and (ii) ensures the parties' privacy is preserved. RC-S-P supports arbitrary verifiable services, such as "Proofs of Retrievability" (PoR) or verifiable computation, and imposes low on-chain overheads. Our formal treatment and construction, for the first time, consider the setting where either client or server is malicious. We also present a concrete efficient instantiation of RC-S-P when the verifiable service is PoR. We implemented the concrete instantiation and analysed its cost. When it deals with a 4-GB outsourced file, a verifier can check a proof in only 90 milliseconds, and a dispute between a prover and verifier is resolved in 0.1 milliseconds. At CCS 2017, two blockchain-based protocols were proposed to support the fair exchange of digital coins and a certain verifiable service, namely PoR. In this work, we show that these protocols (i) are susceptible to a free-riding attack which enables a client to receive the service without paying the server, and (ii) are not suitable for cases where parties' privacy matters, e.g., when the server's proof status or buyer's file size must remain private from the public. RC-S-P simultaneously mitigates the above attack and preserves the parties' privacy.