Chapter

Optimistic Fair Exchange of Digital Signatures

Abstract

We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic,” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.
... We let pl be S's public price list, o be the amount paid to S for each valid proof, and l be the amount (misbehaving) C or S pays to R for resolving a dispute for each verification, o_max be the maximum amount paid to S for a valid proof, l_max be the maximum amount to resolve a potential dispute, and z be the total number of verifications and (o, l, o_max, l_max) ∈ pl. We provide a notation table in Appendix A. Similar to the optimistic fair cryptographic protocols that aim at efficiency, e.g., in [7], [8], [18], we assume the existence of a trusted third party arbiter which remains offline most of the time and is only invoked to resolve disputes. ...
... As stated above, each encoded query-proof pair c*_j ∈ c* has a fixed size and contains random elements of U, i.e., they are uniformly random elements in the symmetric-key encryption scheme's output range. [Footnote 8] The assumption that all queries have the same size is subsumed under the above assumption. ...
... RC-PoR-P asymptotic complexity of z verifications, breakdown by parties (table fragment). Client: O(zφ log₂(m)), O(z log₂(‖u*‖)). The rest of the phases (i.e., [4][5][6][7][8]) ...
... Typical approaches to achieving fairness involve employing semi-trusted third parties or other assumptions. [8] proposed an optimistic fair exchange using a TTP, and then it was recently shown that fair computation can be achieved by similar techniques in [9], [10], and [14], in which the output is encrypted and requires a third party to support a verifiable escrow scheme. As the encryption of shares demands excessive overhead in the online phase, this way is too expensive for SPDZ protocols. ...
... The fairness is defined as the property that corrupted parties should not be able to prevent honest parties from receiving their output. In general, this property can be achieved by using cryptographic tools as in [8] and [9]. The escrow scheme [9] integrated garbled circuits and an optimistic escrow scheme with a semi-trusted third party. ...
Article
The fairness of multi-party computation has been investigated for a long time. Classic results demonstrate that fair exchange can be achieved by utilizing cryptographic tools, as most of them are based on garbled circuits. For the secret-sharing schemes, such as SPDZ, it may incur significant overhead to simply apply a fair escrow scheme, since it encrypts all the shares of delivered results. To address this issue, we design a two-level secret-sharing mechanism. The escrow encryption is only for the first level of sharing and performed in preprocessing. The second level of sharing is used for computation and always handled by plaintexts, such that the online phase is still efficient. Our work also employs a semi-trusted third party (TTP) which provides optimistic escrow for output delivery. The verification and delivery procedures prevent the malicious parties from corrupting the outcome or aborting, when there is at least one honest party. Furthermore, the TTP has no knowledge of the output, so even if he is malicious and colluding, we only lose fairness. The escrow decryption is needed only when misconduct is detected for opening the first-level shares.
... There are multiple applications of verifiable encryption in the literature. Some early examples include publicly verifiable secret sharing [Sta96], group/ring signatures [CD00, BSZ05, BKM09] and verifiable encryption of signatures for optimistic fair exchange [ASW98, Ate99], and more recent applications include blockchains [DHMW23, CDK+22]. Key escrow [YY98, PS00], where parties encrypt their private key to a trusted escrow authority, can be achieved with verifiable encryption, since it becomes possible for other parties on the network to ensure that the correct key has been escrowed. ...
Article
Verifiable encryption (VE) is a protocol where one can provide assurance that an encrypted plaintext satisfies certain properties, or relations. It is an important building block in cryptography with many useful applications, such as key escrow, group signatures, optimistic fair exchange, and others. However, the majority of previous VE schemes are restricted to instantiation with specific public-key encryption schemes or relations. In this work, we propose a novel framework that realizes VE protocols using zero-knowledge proof systems based on the MPC-in-the-head paradigm (Ishai et al. STOC 2007). Our generic compiler can turn a large class of zero-knowledge proofs into secure VE protocols for any secure public-key encryption scheme with the undeniability property, a notion that essentially guarantees binding of encryption when used as a commitment scheme. Our framework is versatile: because the circuit proven by the MPC-in-the-head prover is decoupled from a complex encryption function, the work of the prover is focused on proving the encrypted data satisfies the relation, not the proof of plaintext knowledge. Hence, our approach allows for instantiation with various combinations of properties about the encrypted data and encryption functions. We then consider concrete applications, to demonstrate the efficiency of our framework, by first giving a new approach and implementation to verifiably encrypt discrete logarithms in any prime order group more efficiently than was previously known. Then we give the first practical verifiable encryption scheme for AES keys with post-quantum security, along with an implementation and benchmarks.
... However, using a third party increases communication overhead and the risk of cryptographic attacks [4,5]. To mitigate these issues, offline third parties, also known as optimistic models, were proposed [6]. Several optimistic fair exchange protocols have been proposed in recent years, including secure computation on optimistic models [7] and non-interactive optimistic fair exchange protocols [8]. ...
Article
To address the risk of spoofing the information exchanged by users and reduce the trustworthiness of third party, we propose a quantum information fair exchange protocol based on three-particle GHZ states. This protocol achieves quantum multi-party fair exchange of secret information through the utilization of three-particle GHZ states, Pauli matrix, a semi-trusted third party, and polarization state of a single photon. By leveraging the unique physical properties of the GHZ state, this protocol achieves fair exchange of secret information with experimental results that align with theoretical derivation, thus demonstrating its feasibility. Additionally, it provides superdense coding which enhances transmission efficiency while also being resistant to false signal attacks, interception retransmission attacks, and entanglement attacks, ultimately improving security. Furthermore, compared with the classic fair exchange protocol, which requires a trusted third party, it only requires a semi-trusted third party, which raises the security from “computational security” to “unconditional security”. The implementation of this protocol resolves the risk of users who hand over information first, presenting a novel solution for digital currency trading, information swapping, and multi-party secure computing.
... However, this technique compensates the honest party only with earnings (e.g., Bitcoins), so it is not really fair. Another approach involves employing semi-trusted third parties or physical assumptions [13]. It was recently shown that fair computation can be achieved by applying a multi-party fair exchange protocol in [14], [21], and [22], in which the exchange uses ciphertexts of output and requires a third party to generate a global key pair. ...
Conference Paper
Effective multi-party computation protocols have been developed, but concerns regarding privacy and correctness persist. Classic results demonstrate that guaranteed output delivery can be achieved by assuming fairness and identifiable abort. However, if the majority is malicious, it is still challenging to design an efficient implementation that can deliver correct outputs while maintaining robustness and fairness. To address this issue, we have redesigned the secret-sharing mechanism and employed a semi-trusted third party (TTP) as the key manager to provide optimistic backup for output delivery. The verification and delivery procedures prevent the malicious parties from “stealing” the output, when there is at least one honest party. Furthermore, the TTP has no knowledge of output, so even if he is malicious and colluding, we only lose fairness. The decryption is needed only when misconduct is detected. Our scheme also enables identified abort for offline preprocessing, and the audit of the offline sub-protocols can be publicly performed, holding corrupted parties accountable before receiving private inputs. With fairness and identifiable abort, output delivery is guaranteed by excluding the cheaters.
Article
A Verifiably Encrypted Signature (VES) scheme encrypts a digital signature in a way that allows the public to verify the validity of the encrypted signature. Recently, several practical VES schemes for ECDSA have been proposed to enable escrowed transactions with cryptocurrencies. However, these schemes are inefficient in terms of both communication and computation, or require a large lookup table. In this paper, we present two efficient VES schemes for ECDSA that improve upon previous work. The first scheme is based on Castagnos-Laguillaumie (CL) encryption, while the second is based on modified Joye-Libert (JL) encryption. Our benchmark shows that our schemes outperform existing constructions by a factor of at least 2 in both computation and communication. Additionally, our solution does not rely on any lookup table. We demonstrate that these schemes can also be generalized to design VES for Schnorr signature scheme and EdDSA. The main technical contribution of this paper, which is of independent interest, is a zero-knowledge proof for the equality of the discrete log of an elliptic-curve point and that of a JL ciphertext. Importantly, the security of our proof does not rely on any non-standard assumptions.
Article
In this article, we present the first proposal for contract signing based on blockchain that meets the requirements of fairness, hard-timeliness, and bc-optimism. The proposal, thanks to the use of blockchain, does not require the use of trusted third parties (TTPs), thus avoiding a point of failure and the problem of signatories having to agree on a TTP that is trusted by both. The presented protocol is fair because it is designed such that no honest signatory can be placed at a disadvantage. It meets the hard-timeliness requirement because both signatories can end the execution of the protocol at any time they wish. Finally, the proposal is bc-optimistic because blockchain functions are only executed in case of exception (and not in each execution of the protocol), with consequent savings when working with public blockchains. No previous proposal simultaneously met these three requirements. In addition to the above, this article clarifies the concept of timeliness, which previously has been defined in a confusing way (starting with the authors who used the term for the first time). We conducted a security review that allowed us to verify that our proposal meets the desired requirements. Furthermore, we provide the specifications of a smart contract designed for the Ethereum blockchain family and verified the economic feasibility of the proposal, ensuring it can be aligned with the financial requirements of different scenarios.
Article
We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of the units modulo p, where p is a sufficiently large prime, e.g., p ≈ 2^512. A key idea is to use for the base of the discrete logarithm an integer modulo p whose order is a sufficiently large prime q, e.g., q ≈ 2^140. In this way we improve the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.
Conference Paper
At EUROCRYPT'88, we introduced an interactive zero-knowledge protocol (Guillou and Quisquater [13]) fitted to the authentication of tamper-resistant devices (e.g. smart cards, Guillou and Ugon [14]). Each security device stores its secret authentication number, an RSA-like signature computed by an authority from the device identity. Any transaction between a tamper-resistant security device and a verifier is limited to a unique interaction: the device sends its identity and a random test number; then the verifier tells a random large question; and finally the device answers by a witness number. The transaction is successful when the test number is reconstructed from the witness number, the question and the identity according to numbers published by the authority and rules of redundancy possibly standardized. This protocol allows a cooperation between users in such a way that a group of cooperative users looks like a new entity, having a shadowed identity the product of the individual shadowed identities, while each member reveals nothing about its secret. In another scenario, the secret is partitioned between distinct devices sharing the same identity. A group of cooperative users looks like a unique user having a larger public exponent which is the greater common multiple of each individual exponent. In this paper, additional features are introduced in order to provide: firstly, a mutual interactive authentication of both communicating entities and previously exchanged messages, and, secondly, a digital signature of messages, with a non-interactive zero-knowledge protocol. The problem of multiple signature is solved here in a very smart way due to the possibilities of cooperation between users. The only secret key is the factors of the composite number chosen by the authority delivering one authentication number to each smart card. This key is not known by the user. At the user level, such a scheme may be considered as a keyless identity-based integrity scheme. This integrity has a new and important property: it cannot be misused, i.e. derived into a confidentiality scheme.
Conference Paper
The zero-knowledge proof of knowledge, first defined by Fiat, Feige and Shamir, was used by Galil, Haber and Yung as a means of constructing (out of a trapdoor function) an interactive public-key cryptosystem provably secure against chosen ciphertext attack. We introduce a revised setting which permits the definition of a non-interactive analogue, the non-interactive zero-knowledge proof of knowledge, and show how it may be constructed in that setting from a non-interactive zero-knowledge proof system for NP (of the type introduced by Blum, Feldman and Micali). We give a formalization of chosen ciphertext attack in our model which is stronger than the "lunchtime attack" considered by Naor and Yung, and prove a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge to be secure against it.
Conference Paper
We propose two improvements to the Fiat-Shamir authentication and signature scheme. We reduce the communication of the Fiat-Shamir authentication scheme to a single round while preserving the efficiency of the scheme. This also reduces the length of Fiat-Shamir signatures. Using secret keys consisting of small integers we reduce the time for signature generation by a factor of 3 to 4. We propose a variation of our scheme using class groups that may be secure even if factoring large integers becomes easy.
Conference Paper
Previously there have been essentially only two models for computers that people can use to handle ordinary consumer transactions: (1) the tamper-proof module, such as a smart card, that the person cannot modify or probe; and (2) the personal workstation whose inner working is totally under control of the individual. The first part of this article argues that a particular combination of these two kinds of mechanism can overcome the limitations of each alone, providing both security and correctness for organizations as well as privacy and even anonymity for individuals. Then it is shown how this combined device, called a wallet, can carry a database containing personal information. The construction presented ensures that no single part of the device (i.e. neither the tamper-proof part nor the workstation) can learn the contents of the database — this information can only be recovered by the two parts together.
Article
The main problem arising in value exchange over a network, e.g. in the exchange of digital money for other valuable information, is the lack of simultaneity of the exchange, yielding a temporary advantage for one party, who could then stop communication. The situation is even worse when this party is anonymous. This is normally the case when digital payment systems enabling unobservability are used. But third parties can be used to overcome this problem. We compare two rather different approaches using third parties. The first tries to provide security by third parties identifying perpetrators in cases of detected fraud, whereas the second uses a third party as trustee who takes an active part in the value exchange and can be completely controlled by each absolutely anonymous party.
Conference Paper
We describe a generic protocol for fair exchange of electronic goods with non-repudiation. Goods can be signatures (i.e., non-repudiation tokens of public data), confidential data, or payments. The protocol does not involve a third party in the exchange in the fault-less case but only for recovery. Many commercial transactions can be modelled as a sequence of exchanges of electronic goods involving two or more parties. An exchange among several parties begins with an understanding about what item each party will contribute to the exchange and what it expects to receive at the end of it. A desirable requirement for exchange is fairness. A fair exchange should guarantee that at the end of the exchange, either each party has received what it expects to receive or no party has received anything. One example for fair exchange is non-repudiation of message transmission which is, in essence, a fair exchange of the message and a non-repudiation of receipt token for the message. In several draft documents, ISO (ISO1, ISO2, ISO3) defines non-repudiation services for transmission of messages and describes protocols that provide them. In particular they define:
• non-repudiation of origin, which guarantees that the originator of a message cannot later falsely repudiate having originated that message, and
• non-repudiation of receipt, which guarantees that the recipient of a message cannot falsely repudiate having received that message (the ISO draft documents use the term "non-repudiation of delivery").