Conference Paper

Off-line Fair Payment Protocols using Convertible Signatures


Abstract

An exchange or payment protocol is considered fair if neither of the two parties exchanging items or payment at any time during the protocol has a significant advantage over the other entity. Fairness is an important property for electronic commerce. This paper identifies a design framework based on existing fair protocols which use offline trusted third parties, but with convertible signatures as the underlying mechanism. We show that in principle any convertible signature scheme can be used to design a fair payment protocol. A specific protocol is detailed based on RSA undeniable signatures which is more efficient than other similar fair payment schemes. Furthermore, in this protocol the final signature obtained is always an ordinary RSA signature.

1 Introduction

As more and more electronic transactions are being conducted on insecure networks, it is becoming obvious that electronic transactions are governed by different forces from the ones which affect normal physical...


... Most methods that rely on a third party place absolute trust in it, in the sense that, unless the trusted third party is publicly called into question or a problem concerns them directly, their trust in the trusted third party remains complete. [23,27,29,12,74,75] A few methods have been devised in order to do without a trusted third party actively involved in a communication altogether. Such an approach is adopted in the fifth chapter. ...
... Implementing such mechanisms is cumbersome and costly in performance (in the same way as methods that do not use a trusted third party). 23 strong fairness in English. 24 weak fairness in English. ...
... The proof of non-repudiation upon receipt of the ciphertext 23: ...
... However, we emphasize, that the results in this thesis apply to signature-exchange protocols only to the extent that this MSR characterization accurately reflects the properties of the primitives of the protocol. We have checked that MSR can accurately represent the black-box versions of the primitives in [3,9,28]. We discuss the characterization of the primitives of the Garay, Jakobsson and Mackenzie protocol [28] in chapter 2. ...
... Before, we start describing the protocol, we shall discuss some properties of the cryptographic primitives used in the GJM protocol. These properties are shared by several signature-exchange protocols [3,28,9] and are important in ensuring abuse-freeness. Later on, we shall discuss the cryptographic primitives of the GJM protocol in detail. ...
... Let vcsc_A(m, B, T) abstractly denote the verifiable, convertible signature commitments used in the protocols in [3,9,28]. The common properties showed by b) vcsc_A(m, B, T) can be verified by B, but cannot be used as a proof of A's intentions. ...
Article
Full-text available
A fair signature exchange protocol lets two parties exchange digital signatures on a specified text. In optimistic protocols, it is possible for two signers to do so without invoking a trusted third party. However, an adjudicating third party remains available should one or both signers seek timely resolution. Each signer may have one or more objectives, ranging from “optimistically” trying to put the exchange in place as quickly as possible to maliciously manipulating the other party to gain an advantage. We study in detail the optimistic two-party signature exchange protocol of Garay, Jakobsson and MacKenzie [28] using a game-theoretic framework and show that no signer enjoys an advantage over an honest counterparty. In this setting, we employ the formal inductive proof methods previously used in the formal analysis of simpler, trace-based properties of authentication protocols. We extend this game-theoretic framework to include concepts of preferred behavior and analyze a class of signature exchange protocols. In the process of establishing relationships amongst various protocol properties obtained in the literature, we obtain a fundamental impossibility result: in any fair, optimistic protocol there is a point at which one signer realizes an advantage over an optimistic opponent.
... To illustrate the importance of timeliness, consider a protocol that is not timely, e.g., the Boyd-Foo protocol [9]. In this protocol, originator O releases some information that can be used by responder R to obtain O's signature from T at some later point. ...
... For each protocol, we identify the point at which a dishonest participant has advantage over an optimistic counterparty. The protocols we consider are the off-line fair payment protocol of Boyd and Foo [9], the optimistic signature exchange protocol of Asokan, Shoup, and Waidner [4] (not to be confused with the protocol of [3]), and the abuse-free contract signing protocol of Garay, Jakobsson, and MacKenzie [21]. We discuss the common structure shared by all of these protocols, and informally suggest how advantage enjoyed by each of the protocol participants decreases as message exchange progresses. ...
... In the case of [4,9,21], this is true because vcsc is a zero-knowledge proof which can be simulated by B; (c) vcsc_A(m, B, T) can be converted into a universally verifiable signature sig_A(m) by T. In the definition above, simulation is used in the cryptographic sense (see any standard reference on foundations of cryptography such as [23]). ...
Conference Paper
Full-text available
A contract signing protocol lets two parties exchange digital signatures on a pre-agreed text. Optimistic contract signing protocols enable the signers to do so without invoking a trusted third party. However, an adjudicating third party remains available should one or both signers seek timely resolution. We analyze optimistic contract signing protocols using a game-theoretic approach and prove a fundamental impossibility result: in any fair, optimistic, timely protocol, an optimistic player yields an advantage to the opponent. The proof relies on a careful characterization of optimistic play that postpones communication to the third party. Since advantage cannot be completely eliminated from optimistic protocols, we argue that the strongest property attainable is the absence of provable advantage, i.e., abuse-freeness in the sense of Garay-Jakobsson-MacKenzie.
... In addition, the parties involved must authenticate themselves so that unauthorized parties cannot influence the exchange process. These security requirements are either ignored in most publications (e.g. [BP90,BF98,VPG99]) or treated only inadequately (in [ZDB00, KM00, BK00, MK01], for example, various attacks were overlooked). I therefore show how the aforementioned security requirements can be met by using a properly chosen transaction number. ...
... These schemes are often grouped under the term verifiable escrow of signatures [Mao97,ASW00]: One idea for realizing this [BF98,Che98] uses convertible signatures [BCDP90]. These are undeniable signatures [CvA90,Cha90] that the mediator can convert into ordinary signatures verifiable by anyone. ...
... This is known as verifiably encrypted signature. However, regarding the validity and non-repudiation of a signature, as pointed out by Boyd and Foo [10], this raises the question of whether a non-interactive proof that a signature is encrypted is really having any difference from a signature itself, as the proof is already sufficient to convince any third party that the signer has committed to the message. ...
... Namely, the signer's signature is encrypted under the arbitrator's public key, and then a noninteractive proof is given to show that the ciphertext contains the signer's signature on the message. As pointed by Boyd et al. [10], the non-interactive proof is not much different from the signer's signature, as it's also sufficient to prove to others that the signer is bound to the message. Since AOFE requires that a verifier cannot prove to others that the signer is bound to a message, in the generic construction the signer has the verifier involved in the proof. ...
Article
Optimistic fair exchange (OFE) is a protocol for solving the problem of exchanging items or services in a fair manner between two parties, a signer and a verifier, with the help of an arbitrator which is called in only when a dispute happens between the two parties. In almost all the previous work on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. In this paper, we propose the notion of ambiguous optimistic fair exchange (AOFE), which is a variant of OFE and requires additionally that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for AOFE in the multiuser setting and chosen-key model, and propose a generic construction of AOFE that is provably secure under our model. Furthermore, we propose an efficient instantiation of the generic construction, security of which is based on Strong Diffie–Hellman assumption and Decision Linear assumption without random oracles.
... A fair exchange protocol allows two or more parties to exchange digital items such as the signed electronic contracts in a fair way. The fair exchange protocols can be classified into three types: the gradual secret exchange protocols [3,4], the fair exchange protocols with online TTP [5,6] and the fair exchange protocols with offline TTP (or optimistic fair exchange protocols) [7,8]. Although the first type of protocols does not need any TTP, they are impractical due to their highly interactive manner. ...
... However, in this online system, TTP can become a bottleneck, and it costs a lot to maintain such a TTP too. Therefore, most of the research is focused on the fair exchange protocols with offline TTP [7][8][9][10]. ...
Article
Protocols for fair exchanges can be used to realize the fair exchanges in e-commerce. However, most of the fair exchange protocols ignore the protection for sensitive information such as the contents of important business contracts and the corresponding signed documents. Then, based on Xin's basic signature, using the Diffie-Hellman key exchange principle and technique of symmetric encryption, a fair exchange protocol with information protection is proposed. Our protocol allows two parties to exchange digital items such as the sensitive or secret business contracts in a fair and secure way. On the other hand, only the business partners can get the signed documents such as the secret business contracts. What is more, none but the partners knows what messages (say, the contents of the secret business contracts) are signed. Then, our protocol can protect the sensitive business contracts and the corresponding signed documents. In case of unfairness, the adjudicator can guarantee the fairness without knowing anything about the signed contracts. In case of court, some secret information can be released so that the contracts can be verified by the judge, which will help the judge make a decision. Our protocol is proved to be secure under the hardness assumptions of DLP, CDHP and k-CAAP.
... According to [1], any electronic health record generating system should keep eight criteria out of which non-repudiation is one. Though a significant amount of work has been done on maintaining non-repudiation, i.e., fair-exchange policy for electronic exchange in some areas like contract-signing protocols [5,8,11], certified email systems [16,18,32], and e-payment schemes in electronic commerce [6,13,24,25], the PHR exchanges have not received sufficient attention. Electronically exchanging personal health records while maintaining fair-exchange policy is trickier and cannot be achieved with the existing schemes of contract-signing protocols, certified email systems, or e-payment schemes in electronic commerce. ...
Chapter
Full-text available
In today’s digital world, it is common to exchange sensitive data between different parties. There are many examples of sensitive data or documents that require a digital exchange, such as banking information, insurance data, health records. In many cases, the exchange exists between unknown and untrusted parties. Therefore, it is essential to execute the data exchange over a fair non-repudiation protocol. In this paper, we propose a P2P fair non-repudiation data exchange scheme by leveraging Blockchain and distributed ledger technology. The proposed scheme combines on-chain and off-chain communication patterns to enable the exchange of personal health records between patients and health care providers. We provide an informal security analysis for the proposed scheme. Moreover, we propose a design and implementation agnostic to existing Blockchain platforms to enable unbiased evaluation of the proposed scheme.
... Finally, a desirable property in designated confirmer signatures is the convertibility of the signatures to ordinary ones. Indeed, such a property turned out to play a central role in fair payment protocols [15]. ...
Article
We study the Sign_then_Encrypt, Commit_then_Encrypt_and_Sign, and Encrypt_then_Sign paradigms in the context of two cryptographic primitives, namely designated confirmer signatures and signcryption. Our study identifies weaknesses in those paradigms which impose the use of expensive encryption (as a building block) in order to meet a reasonable security level. Next, we propose some optimizations which annihilate the found weaknesses and allow consequently cheap encryption without compromising the overall security. Our optimizations further enjoy verifiability, a property profoundly needed in many real-life applications of the studied primitives.
... This new property is to prevent the adversary from impersonating the signer by initiating either the confirmation or disavowal protocol with any third party. Among the main applications of undeniable signature schemes, we can name software licensing [8], e-cash [22] and e-voting [4]. ...
... In addition to the advantages of ordinary digital signatures, undeniable signatures provide privacy for signers by limiting the public verifiability of their signatures. Among the main applications of undeniable signature schemes, we can name software licensing, e-cash and e-voting [3][4][5]. ...
Article
Full-text available
Certificateless cryptography addresses the private key escrow problem in identity-based systems, while overcoming the costly issues in traditional public key cryptography. Undeniable signature schemes were proposed with the aim of limiting the public verifiability of ordinary digital signatures. The first certificateless undeniable signature scheme was put forth by Duan. The proposed scheme can be considered as the certificateless version of the identity-based undeniable signature scheme which was introduced by Libert and Quisquater. In this paper, we propose a new scheme which is much more efficient compared to Duan's scheme. Our scheme requires only one pairing evaluation for signature generation and provides more efficient confirmation and disavowal protocols for both the signer and the verifier. We also prove the security of our scheme in the strong security model based on the intractability of some well-known pairing-based assumptions in the random oracle model.
... The most practical paradigm for building an optimistic fair exchange protocol of signatures is based on the concept of verifiably encrypted signatures [8], i.e., a way of encrypting a signature under a designated public key, and subsequently proving that the resulting ciphertext indeed contains such a signature. However, many early schemes involve expensive and highly interactive zero-knowledge proofs in the exchange phase [3,7,2]. ...
Article
Full-text available
This paper presents a verifiably encrypted Signature scheme that is provably secure without random oracles in a stronger security model, where two inside adversaries, malicious adjudicator and malicious verifier, have more powers than ever. The new scheme is more practical and trustworthy than the previous verifiably encrypted signature schemes in the real world since it tallies more with the actual circumstances of the Internet.
... S_A(m) is the convertible partial signature on m by A_i's private key d_2 [10]. A_i signs the message m as follows: ...
Article
In this paper, a floating coin is proposed for P2P payment system, which can be transferred continuously from a peer to another peer. The optimistic exchange protocol for the cascading payment is presented. The possible disputes are analyzed and handling solution is presented. TTP need not be involved unless disputes have occurred. The optimistic scheme is fair, efficient and suitable for P2P transaction.
... After examining the evidence of the exchange provided by the participating parties, TTP makes the decision and takes necessary steps to resolve the dispute and restore non-repudiation and/or fairness. Protocols designed based on this approach are called optimistic protocols and can be found in the work of Asokan et al (2000), Bao et al (1998), Boyd and Foo (1998), Chen (1998), Chuan-Kun and Varadharajan (2001), Zhang et al (2002), Zhou et al (1999), etc. Optimistic protocols greatly reduce the involvement of, and communication and security requirements placed on, the TTP. Therefore, the optimistic TTP-based approach will be adopted for our FIDES project solution. ...
Article
In e-commerce environments, there are cases where pre-established relationships between business parties do not exist, and therefore they are unlikely to trust each other a priori. It is not unusual for legitimate business parties to misbehave in order to gain some (usually financial) advantages. Protecting business parties from each other is therefore as important as protecting them from outside attackers. Non-repudiation and fairness security services are needed in e-commerce systems to provide solutions to these issues and enable secure and reliable execution of business transactions among distrustful business parties. Our work is concentrated on the design and development of a system capable of supporting efficient non-repudiation and fair electronic data exchange for a broad range of e-commerce processes, and implementation of these services using the emerging messaging technologies.
... Anyone can forward a signer's signature to someone else, convincing the receiver of what the signer has committed to. In some scenarios, such as software purchase [8,13] and e-payment [9], this may not be desirable. In [15], Chaum and van Antwerpen introduced the notion of Undeniable Signature (US). ...
Article
A convertible undeniable signature allows a signer to confirm or disavow a non-self-authenticating signature and also convert a valid one to a publicly verifiable signature. During the conversion, existing schemes either require the signer to be stateful, or have their security based on the random oracle assumption, or result in getting a large converter. In this work we propose a new construction, which supports both selective conversion and universal conversion, and is provably secure without random oracles. It has the shortest undeniable signature and the smallest converter. A signature consists of three bilinear group elements and just one group element each in a selective converter and a universal converter. The scheme can be extended further to support new features, such as the delegation of conversion and confirmation/disavowal, threshold conversion and others. We also propose an alternative generic construction of stateless convertible undeniable signature. Unlike the conventional ‘sign-then-encrypt’ paradigm, a signer in this new generic scheme encrypts a signature using identity-based encryption instead of public key encryption. It also enjoys the advantage of a short selective converter.
... Finally, a desirable property in designated confirmer signatures is the convertibility of the signatures to ordinary ones. Indeed, such a property turned out to play a central role in fair payment protocols [6]. ...
Article
Full-text available
Generic constructions of designated confirmer signatures follow one of the following two strategies; either produce a digital signature on the message to be signed, then encrypt the resulting signature, or produce a commitment on the message, encrypt the string used to generate the commitment and finally sign the latter. We study the second strategy by determining the exact security property needed in the encryption to achieve secure constructions. This study infers the exclusion of a useful type of encryption from the design due to an intrinsic weakness in the paradigm. Next, we propose a simple method to remediate to this weakness and we get efficient constructions which can be used with any digital signature. Keywords: Designated Confirmer signatures, "Signature of a commitment" paradigm, Generic construction, Reduction/meta-reduction, Zero Knowledge.
... The idea of an invisible TTP was first presented by Micali. Later, Asokan et al. [1] and Boyd and Foo [2] proposed fair exchange protocols with transparent TTPs by using, respectively, verifiable encryption (which however is computationally inefficient) and designated convertible signatures (requiring an additional interactive protocol, which is not efficient). ...
Article
Full-text available
In this paper, we propose a new practical fair exchange protocol allowing the exchange of an electronic item against a signature. The protocol is based on the Guillou-Quisquater scheme and assumes the existence of a trusted third party that is involved in the protocol only in the setup phase and when one of the parties does not follow the protocol or some technical problems occur during the execution of the protocol. The interesting feature of the protocol is the low communication and computational costs required by the parties. Moreover, in case of problems during the main protocol, the trusted third party acts transparently.
... Therefore, these TTPs are potential performance and security bottlenecks. A big step towards more efficient solutions was the introduction of off-line TTPs that intervene only in case of dispute caused by a network failure or a party's misbehaviour (Asokan et al. 2000, Bao et al 1998, Boyd and Foo 1999, Chen 1998, Ray and Ray 2000, Zhang and Shi 2003, Zhou and Gollmann 1997, etc.). The rest of the time, when the network functions well and participants behave correctly or are capable of resolving the disputes themselves, the off-line TTP does not operate in the protocol execution. ...
Article
This paper reports on the on-going Fair Integrated Data Exchange Services (FIDES) project aimed at developing a security middleware solution to support e-commerce transactions and the provision of the important fair exchange and non-repudiation security services. Fair exchange ensures that either both business parties participating in a transaction receive the exchanged valuable items or neither party receives anything useful. Non-repudiation ensures that neither party involved in the exchange can falsely deny sending or receiving a particular item and therefore taking part in the transaction.
... Namely, how two (or multiple) mutually mistrusted parties exchange digital items over computer networks in a fair way. Actually, fair exchange includes the following different but related issues: non-repudiation protocols [26,27,21,20,16], certified e-mail systems [4,14,23], fair exchange of digital signatures [11,5,3], contract signing schemes [1,23,6], and e-payment solution [8] . In a certified e-mail scheme, a sender Alice wants to deliver a digital message to a receiver Bob with the guarantee that Bob can access the content of the e-mail if and only if Alice obtains an irrefutable receipt from Bob. ...
Article
Full-text available
A non-repudiation protocol is aimed for exchanging a digital message and an irrefutable receipt between two mistrusting parties over the Internet. Such a protocol is said fair, if at the end of any possible protocol execution, either both parties obtain their expected items or neither party does. In this paper, we first argue that it is really meaningful in practice to exploit generic fair non-repudiation protocols with transparent off-line TTP. Namely, in those protocols, each involved party could use any secure digital signature algorithm to produce non-repudiation evidences; and the issued evidences are the same regardless of whether the TTP is involved or not. Then, we present such a fair non-repudiation protocol to overcome the limitations and shortcomings in previous schemes. Technical discussions are provided to show that our protocol is both secure and very efficient. In addition, some extensions are also pointed out.
... The use of security modules in fair exchange was already explored in the two-party context: in particular, [34] employs smart cards as security modules to solve two-party fair exchange in an optimistic way, whereas [3] describes a probabilistic solution to two-party fair exchange. 11 Idea of using a distributed trusted third party in solving two-party fair exchange was exploited in [4]. Recent works [19,23] have solved various forms of secure multi-party computation (SMPC) for any number of dishonest parties (t < n). ...
Conference Paper
Full-text available
The fair exchange problem is key to trading electronic items in systems of mutually untrusted parties. In modern variants of such systems, each party is equipped with a security module. The security modules trust each other but can only communicate by exchanging messages through their untrusted host parties, that could drop those messages. We describe a synchronous algorithm that ensures deterministic fair exchange if a majority of parties are honest, which is optimal in terms of resilience. If there is no honest majority, our algorithm degrades gracefully: it ensures that the probability of unfairness can be made arbitrarily low. Our algorithm uses, as an underlying building block, an early-stopping subprotocol that solves, in a general omission failure model, a specific variant of consensus we call biased consensus. Interestingly, this modular approach combines concepts from both cryptography and distributed computing, to derive new results on the classical fair exchange problem.
... This can be achieved with cryptographic primitives like verifiable encryption (e.g. [5,6]) or convertible signatures (e.g. [8, 20]). ...
Article
Full-text available
We analyzed two non-repudiation protocols and found some new attacks on the fairness and termination property of these protocols. Our attacks are enabled by several inherent design weaknesses, which also apply to other non-repudiation protocols. To prevent these attacks, we propose generic countermeasures that considerably strengthen the design and implementation of non-repudiation protocols. The application of these countermeasures is finally shown by our construction of a new fair non-repudiation protocol.
... This can be achieved with cryptographic primitives like verifiable encryption (e.g. [5,6]) or convertible signatures (e.g. [8, 20]). ...
Conference Paper
Full-text available
We analyzed two non-repudiation protocols and found some new attacks on the fairness and termination property of these protocols. Our attacks are enabled by several inherent design weaknesses, which also apply to other non-repudiation protocols. To prevent these attacks, we propose generic countermeasures that considerably strengthen the design and implementation of non-repudiation protocols. The application of these countermeasures is finally shown by our construction of a new fair non-repudiation protocol.
Article
This paper studies the privacy preserving average consensus (PPAC) of wireless sensor networks (WSNs). Note that most of the PPAC schemes only focus on the consensus of one-dimensional state, which is not suitable for the actual scenarios. In view of this, the multi-dimensional privacy-preserving average consensus (MPPAC) problem is considered in this paper, where the nodes are divided into two types, the sink nodes and the ordinary ones. A novel MPPAC algorithm is proposed by introducing the super-increasing sequence as well as the RSA algorithm, where the super-increasing sequence plays a key role in tackling the multi-dimensional measurement of the sensors, and the RSA algorithm realizes the privacy preserving average consensus among sink nodes. Simulation results illustrate the effectiveness of this proposed scheme.
Article
An escrow protocol for Bitcoin allows fair trading using bitcoins. To ensure fairness, the existing proposals made various trade-offs between trust, privacy, and efficiency. In this work, we evaluate the existing escrow protocols for cryptocurrency and propose a practical escrow protocol for Bitcoin that is: (a) computationally efficient; (b) round efficient; and (c) privacy-preserving. The core component of our escrow protocol for Bitcoin is a new verifiably encrypted ECDSA scheme, which may be of independent interest. Furthermore, we implement the escrow protocol for Bitcoin in Bitcoin mainnet, demonstrating the feasibility of our protocol.
Chapter
This chapter introduces the primitives subject to the study, namely designated-confirmer signatures and signcryption. The presentation covers the syntax of the mentioned primitives in addition to their security properties. Since establishing a formal security model for a cryptographic system is a real challenge and divergence between cryptographers, we subject the model we adhere to to an in-depth comparison with the already established ones; our goal is to have well-reasoned and stringent security properties which capture various attack scenarios.
Conference Paper
The first provably secure identity-based undeniable signature scheme was proposed by Libert and Quisquater, where they formulated the security model of undeniable signature schemes in an identity-based setting for the first time. Later, Wu et al. proposed a convertible identity-based undeniable signature scheme. Both of the proposed schemes require pairing evaluations in their signing algorithm. In this paper, we propose an efficient identity-based undeniable signature scheme and prove its security in the random oracle model. Due to its efficient signing algorithm and short signature length, our scheme can be applied to systems with low-computation power which are operating in low-bandwidth communication channels (e.g. mobile phones, PDAs, etc.).
Article
Optimistic fair exchange (OFE) is a protocol for solving the problem of exchanging items or services in a fair manner between two parties, a signer and a verifier, with the help of an arbitrator which is called in only when a dispute happens between the two parties. In almost all the previous work on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. In this paper, we propose the notion of ambiguous optimistic fair exchange (AOFE), which is a variant of OFE and requires additionally that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for AOFE in the multi-user setting and chosen-key model, and propose a generic construction of AOFE that is provably secure under our model. Furthermore, we propose an efficient instantiation of the generic construction, security of which is based on Strong Diffie-Hellman assumption and Decision Linear assumption without random oracles.
Article
Today we still do not have a widely available digital cash system for the masses. This is not because there are no inventions in this area or the money community is out of ideas on how to construct such a system. It is mainly because there are conflicts of interests between banks, government and community. In this paper we first present a short history of money and look at these conflicts. Then we focus on the so-called success-factors, which are essential for a highly accepted e-Payment system. Based on these success-factors, we will present a new system called fairCASH. By adopting our fairCASH system, users will be able to make payments of any value, including micro payments. fairCASH is a multipurpose, multi-currency, pre-paid inter-operable scheme for domestic usage and cross border payments. It features non-account-related completely anonymous payment transactions by encrypting the transferred e-Tokens. There is no need of registration for users of the fairCASH e-Money system. It is suitable for person-to-person, chip-to-chip or P2P money transfers. It is independent of the communication platform or the digital transmission standard. Highlights are the inherent zero transaction costs for B2C, B2B and C2C operations. Last but not least, we would like to point out that the system possesses the multi-hopping capability allowing e-Token circulation that is very advantageous for users of such system.
Article
Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures allow the signer to convert undeniable signatures into ordinary signatures. In this paper we propose some extended variants of the famous Diffie-Hellman assumption on bilinear group system, then design a new convertible undeniable signature scheme and provide proofs for all relevant security properties based on the new assumption in the random oracle model. The advantages of our scheme are the short length of the signatures, the low computational cost of the signature, the receipt generation and the provable security.
Conference Paper
In Eurocrypt 2005, Kurosawa and Heng proposed a set of 3-move witness indistinguishable protocols to be incorporated in the confirmation and disavowal protocols of the FDH variant of undeniable signature schemes. Their 3-move protocols gave rise to the development of many other variants of undeniable signature schemes. In 2010, Zhou, Zhang and Li showed a weakness in Kurosawa and Heng's proof system which enables a malicious prover to impersonate the signer. Libert and Quisquater proposed the first identity-based undeniable signature scheme. In 2007, Li et al. proposed a universal forgery attack on their scheme. In this paper, we show that both of the attacks which were proposed on Kurosawa and Heng's proof system and Libert and Quisquater's scheme have fatal errors, and therefore, both claims are false.
Article
Assuming the intractability of solving the discrete logarithm with short exponent problem, it was recently shown that the trailing $n-\omega(\log n)$ bits of the discrete logarithm modulo an $n$-bit safe prime $p$ are simultaneously hard. However, the question of hardness of the leading bits was left open. In this paper we show that the leading $n-\omega(\log n)$ bits are also simultaneously hard, or equivalently that the distribution of $g^s \bmod p$, where $g$ is a generator of $\mathbb{Z}_p^*$ and $s$ is a uniformly chosen short exponent of $\omega(\log n)$ bits, is indistinguishable from the uniform distribution on $\mathbb{Z}_p^*$. We further show that this result implies the security of a short exponent version of PAK, a password-authenticated key exchange protocol that protects against offline dictionary attacks.
Conference Paper
Verifiable random functions (VRF) and selectively convertible undeniable signature (SCUS) schemes were proposed independently in the literature. In this paper, we observe that they are tightly related. This directly yields several deterministic SCUS schemes based on existing VRF constructions. In addition, we create a new probabilistic SCUS scheme, which is very compact. The confirmation and disavowal protocols of these SCUS are efficient, and can be run either sequentially, concurrently, or arbitrarily. These protocols are based on what we call zero-knowledge protocols for generalized DDH and non-DDH, which are of independent interest.
Conference Paper
Since the introduction of undeniable signature schemes, various proof systems with different properties and features have been introduced to be incorporated in the structure of undeniable signature schemes. Nonetheless, the non-interactive designated verifier proof system of Jakobsson et al. with its distinguishing properties and features was recognized as the most practical proof system. Due to its interesting features, a variation of Jakobsson et al. proof system has been employed in all of the proposed identity-based and certificateless undeniable signature schemes. We analyze the security of the variation of such proof system in the identity-based setting, and present a secure pairing-based non-interactive proof system with complete set of security proofs.
Article
In certified email (CEM) protocols, trusted third party (TTP) transparency is an important security requirement which helps to avoid bad publicity as well as protecting individual users’ privacy. Cederquist et al. proposed an optimistic certified email protocol, which employs key chains to reduce the storage requirement of the TTP. We extend their protocol to satisfy the property of TTP transparency, using existing verifiably encrypted signature schemes. An implementation with the scheme based on bilinear pairing makes our extension one of the most efficient CEM protocols satisfying strong fairness, timeliness, and TTP transparency. We formally verify the security requirements of the extended protocol. The properties of fairness, timeliness and effectiveness are checked in the model checker Mocha, and TTP transparency is formalised and analysed using the toolsets µCRL and CADP.
Article
It is important for electronic transactions to be fair because customers and merchants cannot interact face-to-face. Several proposed fair transaction protocols deal adequately with the fairness issue but not with the equally critical matters of customer anonymity and privacy. This paper proposes a novel fair transaction protocol based on electronic cash that achieves both anonymity and fairness. Utilizing an off-line trusted third party (TTP), the protocol is efficient and practical. The customer's anonymity and privacy are protected because payment information is not revealed to anyone, including the TTP. The proposed method is independent of the underlying electronic cash scheme and thus can be realized with any e-cash system based on blind signatures. It also offers anonymity revocation to prevent crime and solves the unlimited-growth problem of the bank's e-cash database.
Book
Building on the concepts and the formal definitions of self, nonself, antigen, and detector introduced in the research of network intrusion detection, the dynamic evolution models and the corresponding recursive equations of self, antigen, immune-tolerance, lifecycle of mature detectors, and immune memory are presented. Following that, an immune-based model, referred to as AIBM, for dynamic intrusion detection is developed. Simulation results show that the proposed model has several desirable features including self-learning, self-adaption and diversity, thus providing an effective solution for network intrusion detection.
Article
Today we still do not have a widely available digital cash system for the masses. This is not because there are no inventions in this area or the money community is out of ideas on how to construct such a system. It is mainly because there are conflicts of interests between banks, government and community. In this paper we first present a short history of money and look at these conflicts. Then we focus on the so-called success-factors, which are essential for a highly accepted e-Payment system. Based on these success-factors, we will present a new system called FairCASH. By adopting our FairCASH system, users will be able to make payments of any value, including micro payments. FairCASH is a multi-purpose, multi-currency, pre-paid inter-operable scheme for domestic usage and cross border payments. It features non-account-related completely anonymous payment transactions by encrypting the transferred e-Tokens. There is no need of registration for users of the FairCASH e-Money system. It is suitable for person-to-person, chip-to-chip or P2P money transfers. It is independent of the communication platform or the digital transmission standard. Highlights are the inherent zero transaction costs for B2C, B2B and C2C operations. Last but not least, we would like to point out that the system possesses the multi-hopping capability allowing e-Token circulation that is very advantageous for users of such system.
Article
Zero-Knowledge sets, proposed by Micali et al. in FOCS'03, allow the owner of a set $S$ to publish a very short commitment $C_S$ to $S$, so that the owner can later prove or disprove, against $C_S$, the membership of any (potentially infinitely many) elements chosen by the verifier, without leaking more about $S$ than the membership of the elements. This new secure primitive is proved to be useful in private data queries, and other similar scenarios where depends on the trust and privacy. We investigate the theoretical primitives underlying this new secure notion. The main contribution of this paper is to present a generic scheme for zero-knowledge sets which is as efficient as that in [1]. The new scheme is constructed by adopting the Merkle type of commitment under the assumption of existence of claw free pairs of trapdoor pseudo-permutations.
Article
Because of the new business trends such as cooperating, downsizing and resource sharing, the use of virtual organization (VO) is gaining increasing importance as a model for building large-scale business information systems. Authorization is essential in VO in order to control the access to shared resources. But authorization in VO is challenging because the participants of VO need to collaborate in a distributed, dynamic and heterogeneous environment, and accordingly the access control policies are complex. A delegation logic based authorization mechanism is put forward in this paper. Our proposed approach translates the access requests, credentials and access policies into unified delegation logic rules. Based on the calculation on those rules, the access decision is made. We introduce the concept of Access Unit (AU), which wraps the AC system of a task. The rule exchange interface of AU is defined. The main contribution of this paper is that it suggests a practical mechanism for implementing authorization for VO. In essence, we propose an approach to enforce RBAC in VO based on task/project structure.
Article
Introduced at EuroCrypt'05, threshold attribute-based encryption (thABE) is a subclass of identity-based encryption which views each identity as a set of descriptive attributes. In order to decrypt a ciphertext c encrypted for a set ω of attributes, users must have attribute keys associated with a sufficiently large subset of ω. Applications of thABE include both biometric-based and role-based cryptographic access control. This paper presents an efficient and flexible thABE scheme which is provably secure in the random oracle model. Let d be a minimal number of attributes which a decryptor must have to decipher a ciphertext. The proposed scheme requires only two pairings for decryption (instead of d pairings as in the original thABE scheme). Moreover, the new scheme enables system engineers to specify various threshold values for distinct sets of attributes. Therefore, this paper describes a practical cryptographic mechanism to support both biometric-based and role-based access control.
Article
Mobile services have been growing fast to facilitate business in wireless network environment. It is both critical and challenging to maintain security and anonymity so as to provide high quality services. In this paper, we propose a ticket-based architecture and a generic protocol for controlling access to mobile services. Our protocol has the following properties. First, it is a generic solution independent of cryptographic algorithms and service models. Second, it is secure against various malicious attacks on mobile services. Third, it provides identity anonymity for customers and/or service providers depending on business requirements. Fourth, it is flexible in dynamic environments where customers and/or service providers are cross multiple domains. We also show an efficient implementation option of this generic protocol based on elliptic curve digital signature algorithm.
Conference Paper
In e-commerce environments, there are cases where pre-established relationships between business parties do not exist, and therefore they are unlikely to trust each other a priori. It is not unusual for genuine business parties to misbehave in order to gain some advantages. Protecting business parties from each other is therefore as important as protecting them from outside attackers. Non-repudiation and Fairness security services are needed in e-commerce systems to provide solutions to these issues and enable secure and reliable execution of business transactions among suspicious business parties. Our work is concentrated on the design and development of a system capable of supporting efficient non-repudiation and fair electronic data exchange for e-commerce processes, and implementation of these services using the up-and-coming technologies.
Article
Based on Zhang’s short signature scheme without random oracles and the k+1-square roots assumption, a new fair contract signing protocol with an off-line semi-Trusted Third Party is given because of the disadvantages of existing fair contract signing protocols. The off-line semi-TTP intervenes in the protocol in cases where one party attempts to cheat or simply crashes, to make the fair exchange optimistic. The off-line TTP need not be completely trusted, since the TTP can get neither exchanged signature when a dispute is mediated. Because this protocol is based on a short signature, which needs low storage and little communication, it can be used in low-bandwidth communication and low-storage environments.
Chapter
In this paper we discuss the two security issues: non-repudiation and fairness in association with e-commerce applications. In particular, these issues are addressed in the context of electronic data exchange, which is one of the most commonly seen e-commerce applications. In detail, this paper gives a survey of the approaches to non-repudiation and fair electronic data exchange protocols. We additionally discuss the current technologies that propose solutions to these issues, and the emerging standards in the area of business data formats and protocols for the exchange of such data. Finally, we discuss the architecture layer at which to implement the protocols for non-repudiation and fair data exchange.
Article
In this paper, a new cash scheme is proposed for electronic payment systems, in which the cash can be transferred several times. When this kind of cash is used, fraud such as double spending can be found out, but the bank and the trusted party need not be involved online in each transaction. This cash system is anonymous in normal transactions. But if a fraud happens, the trusted party can withdraw the anonymity to find out the cheater. The new cash scheme is transferable, anonymous, off-line and efficient.
Article
This paper presents a simple partially blind signature scheme with low computation. By converse using the partially blind signature scheme, we build a simple fair e-payment protocol. In the protocol, two participants achieve the goals of exchanging their digital signatures from each other in a simple way. An advantage of this scheme is that this approach does not require the intervention of the third party in any case. The low-computation property makes our scheme very attractive for mobile client and smart-card implementation in many e-commerce applications.
Chapter
We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic,” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.
Conference Paper
At EUROCRYPT’88, we introduced an interactive zero-knowledge protocol (Guillou and Quisquater [13]) fitted to the authentication of tamper-resistant devices (e.g. smart cards, Guillou and Ugon [14]). Each security device stores its secret authentication number, an RSA-like signature computed by an authority from the device identity. Any transaction between a tamper-resistant security device and a verifier is limited to a unique interaction: the device sends its identity and a random test number; then the verifier tells a random large question; and finally the device answers by a witness number. The transaction is successful when the test number is reconstructed from the witness number, the question and the identity according to numbers published by the authority and rules of redundancy possibly standardized. This protocol allows a cooperation between users in such a way that a group of cooperative users looks like a new entity, having a shadowed identity the product of the individual shadowed identities, while each member reveals nothing about its secret. In another scenario, the secret is partitioned between distinct devices sharing the same identity. A group of cooperative users looks like a unique user having a larger public exponent which is the greater common multiple of each individual exponent. In this paper, additional features are introduced in order to provide: firstly, a mutual interactive authentication of both communicating entities and previously exchanged messages, and, secondly, a digital signature of messages, with a non-interactive zero-knowledge protocol. The problem of multiple signature is solved here in a very smart way due to the possibilities of cooperation between users. The only secret key is the factors of the composite number chosen by the authority delivering one authentication number to each smart card. This key is not known by the user. At the user level, such a scheme may be considered as a keyless identity-based integrity scheme. 
This integrity has a new and important property: it cannot be misused, i.e. derived into a confidentiality scheme.
Conference Paper
We introduce a new concept called convertible undeniable signature schemes. In these schemes, release of a single bit string by the signer turns all of his signatures, which were originally undeniable signatures, into ordinary digital signatures. We prove that the existence of such schemes is implied by the existence of digital signature schemes. Then, looking at the problem more practically, we present a very efficient convertible undeniable signature scheme. This scheme has the added benefit that signatures can also be selectively converted.
Article
We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. It relies on a trusted third party, but is “optimistic,” in that the third party is only needed in cases where one player crashes or attempts to cheat. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player, even in a completely asynchronous network. A specialization of our protocol can be used for contract signing; this specialization is not only more efficient, but also has the important property that the third party can be held accountable for its actions: if it ever cheats, this can be detected and proven
Conference Paper
In 1990 Boyar, Chaum, Damgard and Pedersen introduced the concept of convertible, undeniable signatures. They proved that those schemes exist iff one-way functions exist and further gave an example of a practical convertible undeniable scheme which is based on the ElGamal signature scheme. In this paper we present an attack on this signature scheme. After the conversion, that means, the signer releases the secret parameter so that his signature can be checked by any verifier, we can show...
Conference Paper
The simultaneous secret exchange protocol is the key tool for contract signing protocols and certified mail protocols. This paper proposes efficient simultaneous secret exchange protocols (or gradual secret releasing protocols) that are based on general assumptions such as the existence of one-way permutations and one-way functions, while the existing efficient simultaneous secret exchange protocols are based on more constrained assumptions such as specific number theoretic problems and the existence of oblivious transfer primitives (or trap-door one-way permutations). Moreover, while the existing simultaneous secret exchange protocols have an additional requirement that the underlying commit (encryption) function is “ideal”, the above-mentioned “general assumptions” are provably sufficient for our schemes. Therefore, our protocols are provably secure under the general assumptions. In addition, our protocols are at least as efficient as the existing practical protocols, when efficient one-way permutations and one-way functions are used.
Conference Paper
The concept of designated confirmer signatures was introduced by D. Chaum [EUROCRYPT ’94, Lect. Notes Comput. Sci. 950, 86-91 (1995; Zbl 0881.94013)] to improve a shortcoming of undeniable signatures. The present paper formalizes the definition of designated confirmer signatures and proves that a designated confirmer signature scheme is equivalent to a public-key encryption scheme with respect to existence. In addition, the paper proposes practical designated confirmer signature schemes which are more efficient in signing than the previous scheme [loc. cit.].
Conference Paper
Undeniable signatures are like ordinary digital signatures, except that testing validity of a signature requires interaction with the signer. This gives the signer additional control over who will benefit from being convinced by a signature, and is particularly relevant when signing sensitive, non-public data. Convertible undeniable signatures offer additional flexibility in that there is a separate verification key that can be used to verify a signature (without interaction). This allows the signer to delegate the ability to verify signatures to one or more participants, and ultimately to convert all signatures to ordinary ones by making the verification key public. While provably secure theoretical solutions exist for convertible schemes, earlier practical schemes proposed have either been broken or their status as far as security is concerned is very unclear. In this paper, we present two new convertible schemes, in which forging signatures is provably equivalent to forging El Gamal signatures. The difficulty of verifying signatures without interacting with the signer is based on the factoring problem for one of the schemes and on the Diffie-Hellman problem for the other scheme.
Conference Paper
We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is "optimistic," in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.
Conference Paper
This paper introduces a new kind of signature authentication and gives practical protocols that implement it. The technique can be used in ways that approach the functionality of known techniques, such as ordinary digital signatures and zero-knowledge proofs. But more importantly, it opens up a whole space of possibilities in between them. The technique works in essence by allowing the signer to prove to the signature’s recipient that designated parties can confirm the signature without the signer. But the signer is protected, since unless sufficient designated parties cooperate in confirmation, the signature is no more convincing than any other number.
Conference Paper
We present protocols for fair exchange of electronic data (digital signatures, payment and confidential data) between two parties A and B. Novel properties of the proposed protocols include: 1) offline trusted third party (TTP), i.e., TTP does not take part in the exchange unless one of the parties behaves improperly; 2) only three message exchanges are required in the normal situation; 3) true fair exchange, i.e., either A and B obtain each other's data or no party receives anything useful; no loss can be incurred to a party no matter how maliciously the other party behaves during the exchange. This last property is in contrast to previously proposed protocols with offline TTP ([1] and [21]), where a misbehaving party may get another party's data while refusing to send his document to the other party, and the TTP can provide affidavits attesting to what happened during the exchange. To our knowledge, the protocols presented here are the first exchange protocols which use offline TTP and at the same time guarantee true fair exchange of digital messages. We introduce a novel cryptographic primitive, called the Certificate of Encrypted Message Being a Signature (CEMBS), as the basic building block of the fair exchange protocols. It is used to prove that an encrypted message is a certain party's signature on a public file, without revealing the signature. We also give two examples to show in detail how the certificate can be constructed
Conference Paper
Fairness may be a desirable property of a non-repudiation service. Protocols can achieve fairness through the involvement of a trusted third party but the extent of the trusted third party's involvement can vary between protocols. Hence, one of the goals of designing an efficient non-repudiation protocol is to reduce the workload of the trusted third party. In this paper, we present a variant of our fair non-repudiation protocol (1996), where the trusted third party is involved only in the case that one party cannot obtain the expected non-repudiation evidence from the other party. This variant is efficient in an environment where the two parties are likely to resolve communications problems between themselves
Article
A partial key escrow cryptosystem based on publicly verifiable encryption is proposed. Partial key escrow adds a great deal of difficulty to mass privacy intrusion interested by malicious authorities (e.g., a human rights abusive government). Public verifiability improves efficiency and guarantees correctness in the establishment of partially escrowed key. 1 Introduction This paper proposes a publicly verifiable partial key escrow cryptosystem. In partial key escrow, a portion of a private key with a specified length will not be in escrow and as a result key recovery requires a non-trivial effort of computation to determine this portion after co-operating shareholders decrypt the key recovery material. Partial key escrow will add a great deal of difficulty to mass privacy intrusion interested by malicious authorities while preserving the property of an ordinary escrowed cryptosystem for targeting individual criminals. Partial key escrow must consider resilience to a so-called early ...
Article
We present new protocols for two parties to exchange documents with fairness, i.e., such that no party can gain an advantage by quitting prematurely or otherwise misbehaving. We use a third party that is "semi-trusted", in the sense that it may misbehave on its own but will not conspire with either of the main parties. In our solutions, disruption by any one of the three parties will not allow the disrupter to gain any useful new information about the documents. Our solutions are efficient and can be based on any of several cryptographic assumptions (e.g., factoring, discrete log, graph isomorphism). We also discuss the application of our techniques to electronic commerce protocols to achieve fair payment. 1 Introduction A fair exchange protocol is a protocol by which two parties swap secrets without allowing either party to gain an advantage by quitting prematurely or otherwise misbehaving. Though already a well-studied problem, fair exchange has recently experienced a resurgence of act...
Conference Paper
A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We will call such schemes publicly verifiable secret sharing schemes, we discuss new applications to escrow cryptosystems and to payment systems with revocable anonymity, and we present two new realizations based on ElGamal's cryptosystem. 1 Introduction A secret sharing scheme [20, 2] allows to split a secret into different pieces, called shares, which are given to the participants, such that only certain groups of them can recover the secret. The first secret sharing schemes have been threshold schemes, where only groups of more than a certain number of participants can recover the secret. Verifiable secret sharing [...
Article
We present new protocols for two parties to exchange documents with fairness, i.e., such that no party can gain an advantage by quitting prematurely or otherwise misbehaving. We use a third party that is "semi-trusted", in the sense that it may misbehave on its own but will not conspire with either of the main parties. In our solutions, disruption by any one of the three parties will not allow the disrupter to gain any useful new information about the documents. Our solutions are efficient and can be based on any of several cryptographic assumptions (e.g., factoring, discrete log, graph isomorphism). We also discuss the application of our techniques to electronic commerce protocols to achieve fair payment. 1 Introduction A fair exchange protocol is a protocol by which two parties swap secrets without allowing either party to gain an advantage by quitting prematurely or otherwise misbehaving. Though already a well-studied problem, fair exchange has recently experienced a resurgence of ac...
Article
We present the first undeniable signatures scheme based on RSA. Since their introduction in 1989 a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signatures to generate undeniable signatures. In this new setting, both the signature and verification exponents of RSA are kept secret by the signer, while the public key consists of a composite modulus and a sample RSA signature on a single public message. Our scheme possesses several attractive properties. First of all, provable security, as forging the undeniable signatures is as hard as forging regular RSA signatures. Second, both the confirmation and denial protocols are zero-knowledge. In addition, these protocols are efficient (particularly, the confirmation protocol involves only two rounds of communication and a small number of exponentiations). Furthermore the RSA-based structure of our scheme provides with simple and elegant solutions to add several of the more advanced properties of undeniable signatures found in the literature, including convertibility of the undeniable signatures (into publicly verifiable ones), the possibility to delegate the ability to confirm and deny signatures to a third party without giving up the power to sign, and the existence of distributed (threshold) versions of the signing and confirmation operations. Due to the above properties and the fact that our undeniable signatures are identical in form to standard RSA signatures, the scheme we present becomes a very attractive candidate for practical implementations.
Efficient and Practical Fair Exchange Protocols with Off-line TTP
  • Robert H Bao
  • Wenbo Deng
  • Mao
Undeniable Signatures
  • David Chaum
  • Hans Van Antwerpen
David Chaum and Hans van Antwerpen. Undeniable Signatures. In Advances in Cryptology - Proceedings of CRYPTO '89, pages 212-216, 1989.