Optimistic Fair Exchange with Strong Resolution-Ambiguity

Lecture Notes in Computer Science, 2010

Recent research has shown that the single-user security of optimistic fair exchange cannot guarantee the multi-user security. This paper investigates the conditions under which the security of optimistic fair exchange in the single-user setting is preserved in the multi-user setting. We first introduce and define a property called "Strong Resolution-Ambiguity". Then we prove that in the certified-key model, an optimistic fair exchange protocol is secure in the multi-user setting if it is secure in the single-user setting and has the property of strong resolution-ambiguity. Finally we provide a new construction of optimistic fair exchange with strong resolution-ambiguity. The new protocol is setup-free, stand-alone and multi-user secure without random oracles.

Theoretical Computer Science, 2015

Optimistic fair exchange (OFE) is a protocol for solving the problem of exchanging items or services in a fair manner between two parties, a signer and a verifier, with the help of an arbitrator which is called in only when a dispute happens between the two parties. In almost all the previous work on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. In this paper, we propose the notion of ambiguous optimistic fair exchange (AOFE), which is a variant of OFE and requires additionally that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for AOFE in the multi-user setting and chosen-key model, and propose a generic construction of AOFE that is provably secure under our model. Furthermore, we propose an efficient instantiation of the generic construction, security of which is based on Strong Diffie-Hellman assumption and Decision Linear assumption without random oracles.

International Journal of Applied Cryptography, 2008

Fair exchange protocols allow both or neither of two parties to obtain the other's items, and this property is essential in e-commerce. In this paper, we construct an optimistic fair exchange protocol that is applicable to any digital signature by prescribing three forms of signatures, namely presignature, post-signature and notarised signature. We set an expiration date for presignature, and thus realise the timely termination of the protocol. Next, we define an ideal functionality of fair exchange protocols in the universal composability framework. Then, we construct an optimistic fair exchange protocol based on the above protocol, and prove its security in the universal composability framework.

Information Sciences, 2013

Ambiguous Optimistic Fair Exchange (AOFE), introduced by Huang et al. in ASIACRYPT 2008, is an extension of OFE that enhances the fairness of the two communicating parties in the exchange of signatures. The first scheme was proven secure without random oracles while its partial signature contains dozens of group elements. Recently, interactive AOFE was introduced and the construction is more practical, where a partial signature only contains three group elements. It is based on the existence of Designated Confirmer Signature (DCS) with a special property where one is able to sample a confirmer signature efficiently from a signer's signature space. Nevertheless, we note that there are only a few DCS schemes that have this special property. Security of the interactive AOFE construction relies on the q-Computational and Decisional Hidden Strong Diffie-Hellman assumptions. In this paper, we propose a new construction of interactive AOFE from DCS, where the underlying DCS is standard and does not require any special property. We also propose a new DCS construction. By applying our transformation from DCS to interactive AOFE, we build a concrete interactive AOFE which is secure under more standard number-theoretic assumptions, namely Strong Diffie-Hellman and Decision Linear assumptions, without random oracles. A partial signature of the interactive AOFE contains six group elements, while a full signature contains two only.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2012

Protocol for fair exchange of digital signatures is essential in many applications including contract signing, electronic commerce, or even peer-to-peer file sharing. In such a protocol, two parties, Alice and Bob, would like to exchange digital signatures on some messages in a fair way. It is known that a trusted arbitrator is necessary in the realization of such a protocol. We identify that in some scenarios, it is required that prior to the completion of the protocol, no observer should be able to tell whether Alice and Bob are conducting such an exchange. Consider the following scenario in which Apple engages Intel in an exchange protocol to sign a contract that terminates their OEM agreement. The information would be of value to a third party (such as the stock broker, or other OEM companies). If the protocol transcript can serve as an evidence that such a communication is in progress, any observer of this communication, including the employees of both companies, would be tempted to capture the transcript and sell it to outsiders. We introduce a new notion called perfect ambiguous optimistic fair exchange (PAOFE), which is particularly suitable to the above scenario. PAOFE fulfils all traditional requirements of cryptographic fair exchange of digital signatures and, in addition, guarantees that the communication transcript cannot be used as a proof to convince others that the protocol is in progress. Specifically, we formalize the notion of PAOFE and present a rigorous security model in the multi-user setting under the chosen-key attack. We also present a generic construction of PAOFE from existing cryptographic primitives and prove that our proposal is secure with respect to our definition in the standard model.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2013

Fair exchange protocol aims to allow two parties to exchange digital items in a fair manner. It is well-known that fairness can only be achieved with the help of a trusted third party, usually referred to as arbitrator. A fair exchange protocol is optimistic if the arbitrator is not involved in the normal execution of the fair exchange process. That is, its presence is necessary only when one of the exchanging parties is dishonest. Traditionally, the items being exchanged are digital signatures. In this paper, we consider the items to be threshold signatures. Specifically, the signatures are created by a subset of legitimate signers instead of a single signer. We define a security model for this new notion, and provide an concrete instantiation. Our instantiation can be proven secure in the random oracle model. Our definition covers the case when the item being exchanged is a secret key of an identity-based encryption where the master secret key is split amongst a set of authorities.

Lecture Notes in Computer Science, 2014

How to sign an electronic contract online between two parties (say Alice and Bob) in a fair manner is an interesting problem, and has been studied for a long time. Optimistic Fair Exchange (OFE) is an efficient solution to this problem, in which a semi-trusted third party named arbitrator is called in to resolve a dispute if there is one during an exchange between Alice and Bob. Recently, several extensions of OFE, such as Ambiguous OFE (AOFE) and Perfect AOFE (PAOFE), have been proposed to protect the privacy of the exchanging parties. These variants prevent any outsider including the arbitrator from telling which parties are involved in the exchange of signatures before the exchange completes.

2003

In this paper, we propose a new practical fair exchange protocol allowing the exchange of an electronic item against a signature. The protocol is based on the Guillou-Quisquater scheme and assumes the existence of a trusted third party that is involved in the protocol only in the setup phase and when one of the parties does not follow the protocol or some technical problems occur during the execution of the protocol. The interesting feature of the protocol is the low communication and computational costs required by the parties. Moreover, in case of problems during the main protocol, the trusted third party acts transparently.

IEEE Transactions on Information Forensics and Security, 2000

Designated confirmer signature (DCS) extends the undeniable signature so that a party called confirmer can also confirm/disavow nonself-authenticating signatures on the signer's behalf. Previous DCS schemes, however, can let a signer confirm a valid signature but not disavow an invalid one, while only a confirmer can. It remains open to construct a DCS which also allows the signer to disavow. In this work, we propose new security models for formalizing the signer's ability to disavow. We propose a new DCS scheme and prove its security without random oracles. The new DCS scheme is efficient and also convertible. A signature in this new DCS consists of only three bilinear group elements. This is much shorter than any of the existing schemes. In addition, the scheme can be extended to support multiple confirmers and threshold conversion. Adding a confirmer incurs the addition of only one group element in a signature. Furthermore, we propose an efficient construction of ambiguous optimistic fair exchange (AOFE) of digital signatures based on the new DCS scheme. A partial AOFE signature consists of three elements in an elliptic curve group and four in group , and a full signature has only three group elements, which are shorter than those in Garay et al.'s scheme (Crypto 1999) and Huang et al.'s scheme (Asiacrypt 2008). Index Terms-Designated confirmer signature (DCS), optimistic fair exchange, ambiguity, standard model.

2006

For e-commerce payments, fair exchange is one of the essential problems. The optimistic fair exchange protocol allows two parties to efficiently exchange items so that either each party gets the other's item or neither does. We propose a new optimistic fair exchange protocol that is efficient and applicable to any digital signature scheme such as RSA or DSA. In our protocol, we introduce pre-signature, post-signature and notarized signature by prescribing the form of the digital signatures. Furthermore, we introduce a parameter that represents the expiration date of the pre-signature to realize the timely termination of the protocol.