Conference Paper

Concurrent signatures


Abstract

We introduce the concept of concurrent signatures. These allow two entities to produce two signatures in such a way that, from the point of view of any third party, both signatures are ambiguous with respect to the identity of the signing party until an extra piece of information (the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. Concurrent signatures fall just short of providing a full solution to the problem of fair exchange of signatures, but we discuss some applications in which concurrent signatures suffice. Concurrent signatures are highly efficient and require neither a trusted arbitrator nor a high degree of interaction between parties. We provide a model of security for concurrent signatures, and a concrete scheme which we prove secure in the random oracle model under the discrete logarithm assumption.

... Owing to these reasons, one of the alternatives, the concept of concurrent signatures, has been suggested for the properties of fair exchange protocols. Concurrent signatures proposed by Chen et al. [8] provide an alternative solution to the problem of fair exchange without any TTP mediation. The idea is that two parties make bilateral ambiguous signatures that bind to their respective signers concurrently once a secret (i.e., the keystone) is released by one of the two parties. ...
... To surmount the perfect ambiguity problem, various concurrent-signature solutions for the investigation have been suggested, such as anonymous lattice-based group signatures [25], identity-based perfect concurrent signatures [9], asymmetrical concurrent signatures [24], tripartite concurrent signatures [32], the fairness of perfect concurrent signatures [38], multi-party concurrent signatures [34], and so on. Unfortunately, previous studies in [8,13,24,32,38] have indicated that the existing concurrent signatures suffer, in terms of security, from the message substitution attack [22]. In addition, some proposed schemes [15,19,42] find that diverse ambiguous signatures for distinct messages might be linked to the same keystone simultaneously, and this may jeopardize the accountability property of concurrent signatures. ...
... If any third parties perform an identity authentication process to validate the identity of the originator or signer prior to the binding of ambiguous signatures concurrently, the ambiguous signatures of respective messages for accountability can be guaranteed. Besides, we are concerned about the keystone information without the signers' identities bound to their authentic signatories when a relation is established, from the majority of the aforementioned concurrent-signature works [8,20,37]. Furthermore, Wang et al. [39] and Li et al. [18] employ a concurrent signature algorithm of quantum cryptography to perform the fair exchange problem. Although quantum mechanical properties offer faster and more secure interactions to the keystone information, quantum computing is still very much in its experimental stage. ...
Article
The idea of concurrent signature schemes is that two parties produce two respective ambiguous signatures that are concurrently bound to their corresponding signatories only when either party releases a keystone. The main construct is that both parties need to reach a consensus on the true fairness in mutually exchanging the signatures, and, moreover, the protocols assume that there is no collusion between a trusted third party and any of the parties. However, by collaborating over business interests with the participants as strategic partners, the trusted third party may obtain access to sensitive key data held in escrow, leading to a collusion attack with malicious intentions. To circumvent misbehavior among the participating individuals, an identity authentication process can be used prior to exchanging or having access to any confidential information. In this paper, we propose a self-certified concurrent signature from bilinear pairings as an alternative solution to strengthen the security level for solving the fair exchange problem. Apart from resisting the collusion attack, the proposed scheme provides advanced security properties to prevent message substitution, identity forgery and impersonation, and other generic attacks in an increasingly insecure network environment.
... Concurrent Signature, introduced by Chen, Kudla and Paterson [8], allows untrusted parties to exchange their digital signatures efficiently in a fair manner, that is, either allowing all the parties to get each other's signatures simultaneously or letting none of them get any counterpart's signature, in an all-or-nothing fashion. A concurrent signature scheme between two communicating parties, usually referred to as an initial signer A with a public/private key pair (pk_A, sk_A) and a matching signer B with (pk_B, sk_B), is typically carried out interactively in the following three phases. ...
... In the Signature Binding Phase, the concurrency of binding upon the reveal of the keystone ensures that either both parties get each other's binding signature, or neither of them does. Since the introduction of concurrent signature [8], it has been considered as a type of fair exchange protocol [13,15,2,18,16]. If we compare concurrent signature with other fair exchange solutions such as timed-release fair exchange [13,15], or optimistic fair exchange (OFE) [2,18,17], we will notice that concurrent signature usually achieves higher computational and communication efficiency, and does not rely on any trusted or semi-trusted third party for dispute resolution or assume computational balance between the parties. ...
... This might give A certain extent of advantage over B in some applications [39]. However, in many other applications as initially proposed in [8], concurrent signature is a very useful tool for realizing fair exchange of signatures. For example, it can be applied for trading new artworks via e-market websites that benefit both art fans and emerging artists. ...
Article
A concurrent signature provides an efficient way to exchange digital signatures between parties in a fair manner. Since its introduction in Eurocrypt 2004, removing the random oracle heuristic in the security analysis of a concurrent signature scheme has become an open problem, and the security of all the existing provably secure schemes could have only been done in the random oracle model, while it has been known that the security in the random oracle model may not be guaranteed when the underlying random oracles are replaced by real-life hash functions. In this paper, we solve this open problem by proposing a new concurrent signature scheme, which allows us to prove its security without random oracles. The security model we consider in this paper also slightly differs from previous works. Signatures before revealing the keystone are strongly ambiguous (or anonymous) in the sense that everyone is able to produce signatures that are indistinguishable from those generated honestly by the parties involved in the exchange, while signatures after revealing the keystone remain unforgeable without sacrificing the fairness property. In the multi-user setting and without random oracles, we prove the security of our scheme based on the intractability of Computational Diffie–Hellman (CDH) problem and collision resistance of hash functions.
... In AOFE, we require that after receiving a partial signature σ_P from Alice (the signer), Bob (the verifier) cannot convince others but himself that Alice has committed to σ_P. This property is analogous to the non-transferability of designated verifier signature [27] and the ambiguity of concurrent signature [12]. Also, the AOFE verification algorithm should take the public keys of both signer and (designated) verifier as inputs, in contrast to that in the traditional definition of OFE [2,15,21]. ...
... ambiguity. Informally, given a partial signature σ_P from a signer A, a verifier B should not be able to convince others that σ_P was generated by A. To capture this, we borrow the idea of defining the ambiguity in concurrent signatures [12], and require that B should be able to simulate partial signatures that look indistinguishable from those generated by A. We need the existence of a simulation algorithm FPSig, that takes as input (M, SK_B, PK_A, PK_B, APK) and outputs a partial signature σ_P that is valid under PK_A, PK_B. This is also the reason why a verifier should be equipped with a public/secret key pair, and its public key should be included in the inputs of PSig and Sig. ...
... For technical reasons, we first describe some weakened models below. In the definition of signer ambiguity (Definition 2), the two public/secret key pairs are selected by D. In a slightly weaker variant, the two key pairs are selected by the challenger, and then given to D. This is comparable to the ambiguity definition of concurrent signature [12], or the strongest definition of anonymity of ring signature considered in [6], namely anonymity against full key exposure. We can also define an even weaker version of signer ambiguity, in which D is given (PK_A, PK_B, SK_B) and oracle access to O_PSig. ...
Article
Optimistic fair exchange (OFE) is a protocol for solving the problem of exchanging items or services in a fair manner between two parties, a signer and a verifier, with the help of an arbitrator which is called in only when a dispute happens between the two parties. In almost all the previous work on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. In this paper, we propose the notion of ambiguous optimistic fair exchange (AOFE), which is a variant of OFE and requires additionally that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for AOFE in the multiuser setting and chosen-key model, and propose a generic construction of AOFE that is provably secure under our model. Furthermore, we propose an efficient instantiation of the generic construction, security of which is based on Strong Diffie–Hellman assumption and Decision Linear assumption without random oracles.
... One of the electronic commerce applications of fair exchange is contract signing [1,2]. Concurrent signature, introduced by Chen, Kudla and Paterson [3], is an efficient approach for performing fair exchange of signatures. In a concurrent signature scheme, two parties A and B produce some signatures called ambiguous signatures σ_A and σ_B, respectively. ...
... Stated as an open problem in the seminal paper of concurrent signature [3], one of the research problems is to construct a multi-party concurrent signature scheme for the fair exchange of signatures among n parties, where n ≥ 2. The scheme should allow each of the n parties to have the signatures of all the other n − 1 parties concurrently when the party's own signature is given out to the other parties. It is not obvious to extend a two-party concurrent signature scheme (e.g. [3,4,5]) to this more general multi-party notion. A major difficulty is in the fairness. ...
Article
Since the introduction of concurrent signature, improved results have been obtained on constructing schemes with enhanced ambiguity, refined security models and better efficiency, while extending concurrent signature to multiple users, that is, allowing n parties (where n ≥ 2) to perform fair exchange of signatures concurrently, is still one of the most challenging problems that remain unsolved. In the literature, there is a three-party concurrent signature scheme which achieves a weaker form of ambiguity, that an ambiguous signature can either be generated by the real signer or jointly by the other two parties, but not by any single party of the rest. There are also two other multi-party concurrent signature schemes. However, both of them have been found insecure, in that they could not achieve unforgeability, ambiguity, and fairness simultaneously. Furthermore, there is no formal security model available for Multi-party Concurrent Signature (MCS). In this paper, we propose an efficient MCS construction and show its security in the random oracle model under our newly proposed security model for MCS. The scheme is also comparable in efficiency to the best existing two-party concurrent signature schemes.
... The communication and the processing overheads imposed on LI can be reduced if the RD signing protocol makes use of the Concurrent Signature (CS) scheme [18]. This scheme is proposed to achieve fair signature exchange. ...
... This scheme does not require the signers to have the same level of computational power as in case of gradual release approach, nor does it require any assistance of a TTP. However, as reported in [18], the CS scheme can only provide a weak fairness. It can provide strong fairness, under two conditions: (1) the initial signer releases a secret token, called a keystone, ks, at the end of the exchange, and (2) he does not abuse a pre-binding token signed by the other signer before the completion of the exchange process (i.e. it can provide the abuse-freeness property). ...
... The concurrent signature (CS) is a digital signature scheme which consists of four algorithms: SETUP, ASIGN, AVERIFY, and VERIFY. These algorithms are briefly described below (more detail can be found in [18]). ...
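The four algorithms listed above (SETUP, ASIGN, AVERIFY, VERIFY, plus the keystone generator KGEN) and the discrete-logarithm scheme the abstract refers to, worked as an added Python example; this is not the paper's code nor any cited paper's. Assumptions: a Schnorr group generated at import time at a demonstration size that offers no real security, domain-tagged SHA-256 standing in for the random oracles H1 and H2, the keystone fix placed in the h2 slot, and helper names (keygen, run_exchange) chosen here.

```python
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, valid for n < 3.3e24 (covers demo sizes)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits: int = 62) -> tuple:
    """SETUP: Schnorr group p = 2q + 1 with generator g = 4 of prime order q.
    ASSUMPTION: a 62-bit q is a demo size only; real use needs ~256-bit q."""
    q = (1 << bits) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue, hence of order q

P, Q, G = setup()

def _hash_to_zq(tag: bytes, *parts: bytes) -> int:
    """Domain-separated SHA-256 standing in for the paper's random oracles H1/H2."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def _enc(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def keygen() -> tuple:
    """A party's key pair (x, y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def kgen(keystone: bytes) -> int:
    """KGEN: keystone fix f = H2(k); publishing f commits to k without revealing it."""
    return _hash_to_zq(b"H2", keystone)

def asign(y_i: int, y_j: int, x_i: int, h2: int, msg: bytes) -> tuple:
    """ASIGN: the holder of x_i signs msg for the ring {y_i, y_j}.  h2 is paired
    with the other key y_j (in the protocol it is the keystone fix); the signer's
    own exponent h1 is forced by the hash, which is why the keystone later binds."""
    alpha = secrets.randbelow(Q)
    t = pow(G, alpha, P) * pow(y_j, h2, P) % P
    h1 = (_hash_to_zq(b"H1", _enc(t), msg) - h2) % Q
    s = (alpha - h1 * x_i) % Q
    return s, h1, h2

def averify(sigma: tuple, y_i: int, y_j: int, msg: bytes) -> bool:
    """AVERIFY: ring validity only; either key holder could have produced it."""
    s, h1, h2 = sigma
    t = pow(G, s, P) * pow(y_i, h1, P) * pow(y_j, h2, P) % P
    return (h1 + h2) % Q == _hash_to_zq(b"H1", _enc(t), msg)

def verify(keystone: bytes, sigma: tuple, y_i: int, y_j: int, msg: bytes) -> bool:
    """VERIFY: the keystone shows h2 was fixed before signing, so the owner of
    y_i (the key paired with h1) is the signer."""
    return kgen(keystone) == sigma[2] and averify(sigma, y_i, y_j, msg)

def run_exchange(msg_a: bytes, msg_b: bytes) -> dict:
    """Two-party protocol: A commits with a keystone fix and an ambiguous
    signature, B answers under the same fix, A releases the keystone and both
    signatures bind at once."""
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    k = secrets.token_bytes(32)                  # A's keystone, secret for now
    f = kgen(k)
    sigma_a = asign(y_a, y_b, x_a, f, msg_a)     # A -> B
    if not averify(sigma_a, y_a, y_b, msg_a):    # B checks before committing
        raise ValueError("sigma_A rejected")
    sigma_b = asign(y_b, y_a, x_b, f, msg_b)     # B -> A, same keystone fix f
    if not averify(sigma_b, y_b, y_a, msg_b):
        raise ValueError("sigma_B rejected")
    # Only A can release k; until then neither signature binds.  That
    # asymmetry is the 'weak fairness' the citing papers above point out.
    return {"y_a": y_a, "y_b": y_b, "sigma_a": sigma_a, "sigma_b": sigma_b, "k": k}
```

Note that swapping the key positions or supplying a different keystone makes VERIFY fail, while AVERIFY alone accepts both parties' signatures without saying who produced them.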
Article
Most of the fair contract signing protocols published to date make use of a Trusted Third Party (TTP) to achieve fairness. In this paper, we have designed a fair contract signing protocol to support fair reselling of a DRM license without using a dedicated TTP. This protocol makes use of the concurrent signature (CS) and the existing license distribution infrastructure. By making use of the CS scheme, and integrating it into the existing license distribution infrastructure, we avoid the use of a dedicated TTP, thus introducing no additional communication overhead in providing fair license reselling. Also, the protocol is designed such that none of the two signers can prove to an outside entity that he is in control of the outcome of the protocol, thus achieving abuse-freeness.
Index Terms: Contract Signing, Concurrent Signatures, Fairness, Abuse-freeness, DRM, Reselling Deal, Non-repudiation
... Fairness is a fundamental requirement of contract signing protocols: no party wants to send his signature if he does not get the other party's signature in exchange. This problem of exchanging signatures in a fair manner has been extensively investigated in the last 30 years [8, 10, 14, 24, 1, 2, 17, 5, 4, 11, 25, 27, 16, 9, 12, 13, 6, 3, 23, 33, 15, 32, 22, 21, 20, 31]. Most fair exchange protocols have four communication rounds, during which the two parties, the initiator and the responder, first exchange partial signatures and then full signatures. ...
... Other protocols do not require an STTP, but at the price of a reduced notion of fairness. Concurrent signatures (CS) [13] and verifiably committed signatures (VCS) [16] have emerged as the two most convincing approaches proposed so far for fair exchange, respectively without and with STTP. ...
... Concurrent signatures The main idea of concurrent signatures (CS) [13] is to use ambiguous signatures to construct the partial signatures. From the point of view of any third party, partial signatures are meaningless since they could have been generated either by the initiator or by the responder. ...
Conference Paper
Trapdoors are widely used in cryptography, in particular for digital signatures and public key encryption. In these classical applications, it is highly desirable that trapdoors remain secret even after their use. In this paper, we consider positive applications of trapdoors that do not remain secret when they are used. We introduce and formally define one-time trapdoor one-way functions (OTTOWF), a primitive similar in spirit to classical trapdoor one-way functions, with the additional property that its trapdoor always becomes public after use. We provide three constructions of OTTOWF. Two of them are based on factoring assumptions and the third one on generic one-way functions. We then consider potential applications of our primitive, and in particular the fair exchange problem. We provide two fair exchange protocols using OTTOWF, where the trapdoor is used to provide some advantage to one of the parties, whereas any (abusive) use of this trapdoor will make the advantage available to the other party as well. We compare our protocols with well-established solutions for fair exchange and describe some scenarios where they have advantageous characteristics. These results demonstrate the interest of one-time trapdoor one-way functions, and suggest looking for further applications of them.
... The concept of concurrent signatures was introduced by Chen, Kudla and Paterson in Eurocrypt 2004 [11] . Such signature schemes allow two parties to produce and exchange two ambiguous signatures until an extra piece of information (called keystone) is released by one of the parties. ...
... In [11], Chen et al. remarkably observed that the full power of fair exchange is not necessary in many applications, since there exist some mechanisms that provide a more natural dispute resolution than the reliance on a TTP. In particular, concurrent signatures can be used as a weak tool to realize practical exchanges, if one of the two parties would like to complete such an exchange. ...
... At the same time, by adding a time limit in the receipt, Bob could cancel Alice's order conveniently like the practice in booking air-tickets nowadays. The advantage is that those solutions using concurrent signatures [11, 27] can be implemented very efficiently in both aspects of computation and communication, and do not rely on any TTP. Therefore, the shortcomings in traditional solutions for fair exchange of signatures are overcome in a relatively simple and natural way. ...
Conference Paper
In Eurocrypt 2004, Chen, Kudla and Paterson introduced the concept of concurrent signatures, which allow two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called keystone). Once the keystone is publicly known, both signatures are bound to their true signers concurrently. In ICICS 2004, Susilo, Mu and Zhang further proposed perfect concurrent signatures to strengthen the ambiguity of concurrent signatures. That is, even if both signers are known to have issued one of the two ambiguous signatures, any third party is still unable to deduce who signed which signature, different from Chen et al.'s scheme. In this paper, we point out that Susilo et al.'s two perfect concurrent signature schemes are actually not concurrent signatures. Specifically, we identify an attack that enables the initial signer to release a carefully prepared keystone that binds the matching signer's signature, but not the initial signer's. Therefore, their schemes are unfair for the matching signer. Moreover, we present an effective way to avoid this attack so that the improved schemes are truly perfect concurrent signatures.
Keywords: Concurrent signature, fair exchange, security protocol
... The concept of concurrent signatures was introduced in [3] . In a concurrent signature scheme, two parties A and B interact without the help of any third party to sign messages M A and M B in such a way that both signatures are ambiguous without an extra piece of information, known as the keystone. ...
... With the keystone, the signer for each signature is identified and both signatures become instantly binding to their respective signers. In the original proposal [3], the keystone is a randomly chosen piece of information and possessed by the protocol's initiator. During the signature generation phase, the keystone is not known to other parties. ...
... Previous solutions to the problem of fair exchange of digital signatures (see [1, 2] and references therein for a detailed survey) are either highly interactive with multiple rounds of exchange or require the existence of a third party trusted by both parties A and B. Multiple rounds of exchange are inefficient while the existence of a trusted third party is not always warranted. Previous concurrent signature proposals [3, 10] are based on the concept of ring signatures. In those schemes, each concurrent signature is a ring signature [8] generated from the ring consisting of all involved parties. ...
Conference Paper
The concept of concurrent signatures allows two entities to produce two signatures in such a way that, the signer of each signature is ambiguous from a third party’s point of view until the release of a secret, known as the keystone. Once the keystone is released, both signatures become binding to their respective signers concurrently. Previous concurrent signature schemes use the concept of ring signatures in their construction. Ring signatures identify the ring and thus concurrent signatures constructed from ring signature are related and linkable. We propose a new concurrent signature scheme which is independent of the ring signature concept. Our concurrent signatures are anonymous. The ordinary signatures obtained from our concurrent signature protocol are unlinkable and do not reveal which concurrent signature transaction has occurred. The price we pay is our concurrent signatures are asymmetric in the sense that the initial signature and subsequent signatures are not of the same construction.
... Unlinkability is another notion related to privacy: two ring signatures issued by the same signer are unlinkable in any way, except the very fact that this signer appears in the rings of both ring signatures. These three properties make ring signatures widely applicable to various cryptographic schemes [2, 9, 13]. Taking the example of concurrent signatures [9, 13], which is a partial solution to the fair exchange of signatures without TTPs, anonymity provides the signer-ambiguity of signatures (before they are exchanged) and the spontaneity enables a solution without TTPs. Survey of ring signatures and related applications can be found in [12, 20]. ...
Conference Paper
Ring signature is a group-oriented signature in which the signer can spontaneously form a group and generate a signature such that the verifier is convinced the signature was generated by one member of the group and yet does not know who actually signed. Linkable ring signature is a variant such that two signatures can be linked if and only if they were signed by the same person. Recently, the first short linkable ring signature has been proposed. The short signature length makes it practical all of a sudden to use linkable ring signature as a building block in various cryptographic applications. However, we observed a subtle and yet imperative blemish glossed over by their security model definition which, if not carefully understood and properly handled, could lead to unanticipated security threats. Inspired by the recent refinement of security definitions in conventional ring signatures, we formalize a new and better security model for linkable ring signature schemes that takes into account realistic adversarial capabilities. We show that the new model is strictly stronger than all existing ones in the literature. Under our new model, we propose a new short linkable ring signature scheme, improved upon the existing scheme.
... Recently, with the popularity of decentralized cryptocurrencies such as Bitcoin, a sequence of works [6,17,52,53] have shown how to implement a fairness-with-penalties model for MPC where adversarial parties who prematurely abort are forced to pay financial fines. Prior works in similar spirit considered fairness with reputation systems [10] and legally enforced fairness [24,55]. ...
Conference Paper
Secure multiparty computation allows mutually distrusting parties to compute a function on their private inputs such that nothing but the function output is revealed. Achieving fairness --- that all parties learn the output or no one does -- is a long studied problem with known impossibility results in the standard model if a majority of parties are dishonest. We present a new model for achieving fairness in MPC against dishonest majority by using public bulletin boards implemented via existing infrastructure such as blockchains or Google's certificate transparency logs. We present both theoretical and practical constructions using either witness encryption or trusted hardware (such as Intel SGX). Unlike previous works that either penalize an aborting party or achieve weaker notions such as $\Delta$-fairness, we achieve complete fairness using existing infrastructure.
... The other n-1 persons are even unaware that their public keys have been included in the ring. The ring signature has been found in many practical applications since its introduction, such as whistle blowing [2], ad hoc network authentication [4], e-voting [5], e-auction [6], concurrent signature [7], and designated verifier signature [8]. ...
Article
In this paper, we introduce a new concept called generalized ring signcryption (GRSC), which can achieve ring signature and ring signcryption functions with only one key pair and one algorithm. It is very useful for a system which has a large number of users, or has limited storage space, or whose function requirements may be changed later. We give a formal definition and a security model of GRSC and propose a concrete scheme based on bilinear pairings. In the random oracle model, the scheme's confidentiality can be proved under the GBDH assumption, and its unforgeability can be proved under the GDH assumption, and what is more, this scheme also allows unconditional anonymity. Compared with other identity-based ring signcryption schemes that use bilinear pairings as well, our scheme is a highly efficient one.
... Cachin and Camenisch (2009) designed an efficient optimistic fair secure 2PC protocol. Lindell (2008) proposed a fair 2PC by using concurrent signatures (Chen et al., 2004), where the fairness can be 'enforced' in the sense that any breach results in a loss of money by the adversarial party. Bentov and Kumaresan (2014) showed a fair multi-party computation with a dishonest majority in the Bitcoin network that is a peer-to-peer network using the power of cryptography to emulate a trusted bank. ...
Article
With the development of modern internet and mobile networks, there is an increasing need for privacy-preserving cooperative computation and cloud computing. Secure multi-party computation (SMPC) gives a general solution to these applications and has become a hot topic in privacy-carrying protocols. The commit-prove-fair-open protocol is one of the multi-party fair exchange protocols against a malicious adversary breaking the fair play of the participants, and it provides an important tool of SMPC to make it possible to achieve fairness with a corrupted majority according to the standard real/ideal world simulation paradigm framework. In this paper, we first prove two lemmas about the simplified Camenisch-Shoup commitment and the time-lines, and then propose a very efficient resource-fair commit-prove-fair-open protocol. Compared with the other commit-prove-fair-open protocols, our new protocol enjoys two important advantages: 1) communication and computation costs are less than 20%; 2) it allows a commitment to the value 0, which is not implemented in the other constructions.
... In the contract signing protocol, the sender and the receiver fairly exchange their respective digital signatures for the same digital contract, which is already known by both parties. The concurrent signature scheme [31] is another mechanism for fairly exchanging signatures. After concurrent signature exchange, each signer believes that he himself will obtain the correct signature of the opposing party fairly. ...
Article
Transaction privacy has attracted a lot of attention in the e-commerce. This study proposes an efficient and provable fair document exchange protocol with transaction privacy. Using the proposed protocol, any untrusted parties can fairly exchange documents without the assistance of online, trusted third parties. Moreover, a notary only notarizes each document once. The authorized document owner can exchange a notarized document with different parties repeatedly without disclosing the origin of the document or the identities of transaction participants. Security and performance analyses indicate that the proposed protocol not only provides strong fairness, non-repudiation of origin, non-repudiation of receipt, and message confidentiality, but also enhances forward secrecy, transaction privacy, and authorized exchange. The proposed protocol is more efficient than other works.
... Existing group signature and concurrent signature [4] solutions, especially the improved and multi-party versions [5][6][7], fit various purposes, but may not be most suitable for use by third party application developers who prefer well known solutions and expect fast and easy integration. Some existing designs for group signature use their own custom signatures and require additional solution-specific steps to sign the data and to verify a signature [8][9], or allow only community members to sign [10], which is not suitable for communities that are formed in an ad-hoc fashion. ...
Article
Digital signatures are widely used for non-repudiation and other purposes. In various cases, there is a group of two or more parties that have to agree on a common set of data and digitally sign it in order to provide the other party or parties a proof of non-repudiation. A simple and scalable infrastructure for community signatures or groups of individual party signatures is described. It allows third party applications to simultaneously digitally sign arbitrary XML documents by any number of entities, for any purpose, using high level interfaces, not having to deal with digital signatures themselves. A dedicated backend server dynamically merges received documents and signatures from all parties. When a sufficient number of entities have signed the document, a signal is triggered to announce the document finalization. Despite the simple overall design, handling security issues and user control at appropriate spots are crucial for any business application. In the paper we present the performance and robustness tests of the current prototypal community signatures infrastructure. We also present the results of end user trials and measure the quality of experience perceived by end-users that are using a pervasive application that is interacting with the community signatures infrastructure.
... Existing group signature and concurrent signature [13] solutions, especially the improved and multi-party versions [14][15][16], fit various purposes, but may not be the most suitable for use by third-party application developers who prefer well-known solutions and expect fast and easy integration. Some existing designs for group signatures use their own custom signatures and require additional solution-specific steps to sign the data and to verify a signature [7][8][9], or allow only community members to sign [8], which is not suitable for ad-hoc communities. ...
Conference Paper
Full-text available
Digital signatures are widely used for non-repudiation and other purposes. In various cases, there is a group of two or more parties that have to agree on a common set of data and digitally sign it in order to provide the other party or parties a proof of non-repudiation. A simple and scalable infrastructure for community signatures or groups of individual party signatures is described. It allows third party applications to simultaneously digitally sign arbitrary XML documents by any number of entities, for any purpose, using high level interfaces, not having to deal with digital signatures themselves. A dedicated backend server dynamically merges received documents and signatures from all parties. When a sufficient number of entities have signed the document, a signal is triggered to announce the document finalization. Despite the simple overall design, handling security issues and user control at appropriate spots are crucial for any business application.
... But usually they work only for a specific problem. For example, the concurrent signatures protocol [23] allows two parties to produce and exchange two ambiguous signatures until an extra piece of information (called the keystone) is released by one of the parties. The two parties obtain the signature from the other party concurrently when the keystone is released, and therefore fairness is achieved. ...
Conference Paper
Full-text available
A private set intersection (PSI) protocol allows two parties to compute the intersection of their input sets privately. Most of the previous PSI protocols only output the result to one party, and the other party gets nothing from running the protocol. However, a mutual PSI protocol in which both parties can get the output is highly desirable in many applications. A major obstacle in designing a mutual PSI protocol is how to ensure fairness. In this paper we present the first fair mutual PSI protocol which is efficient and secure. Fairness of the protocol is obtained in an optimistic fashion, i.e. by using an offline third-party arbiter. In contrast to many optimistic protocols which require a fully trusted arbiter, in our protocol the arbiter is only required to be semi-trusted, in the sense that we consider it to be a potential threat to both parties’ privacy but believe it will follow the protocol. The arbiter can resolve disputes without knowing any private information belonging to the two parties. This feature is appealing for a PSI protocol in which privacy may be of ultimate importance.
... For this latter application it is sufficient to use a ring signature scheme which supports only rings of size two. Chen et al. [9] propose another application of ring signatures where rings of size two suffice. ...
Article
Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely “ad-hoc” and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and give separation results proving that our new notions are strictly stronger than previous ones. Second, we show the first constructions of ring signature schemes in the standard model. One scheme is based on generic assumptions and satisfies our strongest definitions of security. Two additional schemes are more efficient, but achieve weaker security guarantees and more limited functionality.
... – In a fair exchange of signatures protocol [1, 20, 16, 2], each party obtains the other's signature in a fair manner. There is a fundamental difference between exchanging a signature and exchanging one's identity. ...
Conference Paper
Full-text available
This paper studies a new problem called fair identification: given two parties, how should they identify each other in a fair manner? More precisely, if both parties are honest then they learn each other’s identity, and if anyone is cheating then either both of them learn each other’s identity or no one learns any information about the identity of the other. We propose a security model and a provably secure optimistic fair identification protocol.
... Ring signatures were formally introduced in [22] and have received a lot of attention since then. Some applications of ring signatures are the leakage of secrets, the generation of signatures with designated verifiers, or the computation of concurrent signatures [8]. Recent advances in the area of ring signatures include the design of schemes where the signatures have constant length [14] or schemes which can be proved secure in the standard model [5,23]. ...
Article
Shamir proposed in 1984 the first identity-based signature scheme, whose security relies on the RSA problem. A similar scheme was proposed by Guillou and Quisquater in 1988. Formal security of these schemes was not argued and/or proved until many years later [D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (3) (2000) 361–396; Y. Dodis, J. Katz, S. Xu, M. Yung, Strong key-insulated signature schemes, in: Proceedings of PKC’03, in: LNCS, vol. 2567, Springer-Verlag, 2002, pp. 130–144; M. Bellare, C. Namprempre, G. Neven, Security proofs for identity-based identification and signature schemes, in: Proceedings of Eurocrypt’04, in: LNCS, vol. 3027, Springer-Verlag, 2004, pp. 268–286]. Taking the Guillou–Quisquater scheme as the starting point, we design and analyze in this work ring signature schemes and distributed ring signature schemes for identity-based scenarios whose security is based on the hardness of the RSA problem. These are the first identity-based ring signature schemes which do not employ bilinear pairings. Furthermore, the resulting schemes satisfy an interesting property: the real author(s) of a ring signature can later open the anonymity and prove that they are actually the person(s) who signed the message.
... After the protocol, Alice obtains m_B if and only if Bob obtains m_A. At Eurocrypt '04, Liqun Chen et al. [12] proposed a new kind of signature called concurrent signature, which belongs to category 1. The key idea is that two signatures are generated and transferred to each other, but only the two parties involved in the protocol can verify the signatures' validity. ...
Article
This paper presents a new fair document exchange protocol based on bilinear pairing with an off-line trusted third party (TTP). In such a fair exchange scenario, each party owns a valuable message. The protocol is executed with the help of verifiably encrypted messages, which can be verified and decrypted by different parties, respectively. Once a party verifies that the exchanged message could be decrypted by the TTP, he first sends his own message, since the TTP has already provided fairness. Furthermore, to pass verification, each message should be wrapped into a commit message and be certified by an authority. We give an efficient and secure construction using bilinear pairing. Finally, we analyze the security issues and compare our protocol's efficiency with others.
... CVS could provide a seemingly better solution for trading non-regenerable items. Concurrent signatures [10] are another similar proposal for solving the contract signing problem but CVS cannot give a construction for concurrent signatures. ...
Conference Paper
Full-text available
We introduce a new digital signature model, called conditionally verifiable signature (CVS), which allows a signer to specify and convince a recipient under what conditions his signature would become valid and verifiable; the resulting signature is not publicly verifiable immediately, but can be converted back into an ordinary one (verifiable by anyone) after the recipient has obtained proofs, in the form of signatures/endorsements from a number of third-party witnesses, that all the specified conditions have been fulfilled. A fairly wide set of conditions can be specified in CVS. The only job of the witnesses is to certify the fulfillment of a condition, and none of them need to be actively involved in the actual signature conversion, thus protecting user privacy. It is guaranteed that the recipient cannot cheat as long as at least one of the specified witnesses does not collude. We formalize the concept of CVS and define the related security notions. We also derive the relations between these notions. We give a generic CVS construction based on any CPA-secure identity-based encryption scheme. Theoretically, we show that the existence of IBE with indistinguishability under a chosen plaintext attack (a weaker notion than the standard one) is necessary and sufficient for the construction of a secure CVS.
... Besides, we also managed to extend our CLS to achieve trust level 3 by adopting the technique used in [1]. Some future research includes finding a provably secure CLS scheme in the standard model and extending the CLS to ring signature scheme [7] and concurrent signature scheme [8]. ...
Conference Paper
Certificateless public key cryptography (CLPKC) is a paradigm to solve the inherent key escrow problem suffered by identity-based cryptography (IBC). While certificateless signature is one of the most important security primitives in CLPKC, there are relatively few proposed schemes in the literature. In this paper, we manage to construct an efficient certificateless signature scheme based on the intractability of the computational Diffie-Hellman problem. By using a shorter public key, two pairing computations can be saved in the verification algorithm. Besides, no pairing computation is needed in the signing algorithm. The proposed scheme is existentially unforgeable in the random oracle model. We also present an extended construction whose trust level is the same as that of a traditional signature scheme.
... A third model was proposed by Chen, Kudla and Paterson [16] and extended by Lindell [44]. In this model fairness is legally rather than technically enforceable: the guarantee is that the honest party will either receive her output, or a "check" from the other party (for a pre-agreed amount). ...
Conference Paper
For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results:

No “short” primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(log k) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions.

A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a “fairness hierarchy”. We show that for every “short” ℓ = O(log k), no protocol making (serial) access to any ℓ-bit primitive can be used to construct even an (ℓ + 1)-bit simultaneous broadcast.

Positive results. To complement the negative results, we exhibit a k-bit primitive that is complete for two-party fair secure computation. We show how to generalize this result to the multi-party setting.

Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show that this is possible when a majority of the instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.
Article
Functional signatures (FS) enable a master authority to delegate its signing privilege to an assistant. Concretely, the master authority uses its secret key \(sk_F\) to issue a signing key \(sk_f\) for a designated function \(f \in \mathcal{F}_{\mathrm{FS}}\) and sends both \(f\) and \(sk_f\) to the assistant \(\mathcal{E}\), which is then able to compute a signature \(\sigma_f\) with respect to \(pk_F\) for a message \(y\) in the range of \(f\). In this paper, we modify the syntax of FS slightly to support the application scenario where a certificate of authorization is necessary. Compared with the original FS, our definition requires that \(\mathcal{F}_{\mathrm{FS}}\) is an injective function family and that for any \(f_0, f_1 \in \mathcal{F}_{\mathrm{FS}}\) there does not exist an intersection between \(\mathrm{range}(f_0)\) and \(\mathrm{range}(f_1)\). Accordingly, we redefine the security of FS and introduce two additional security notions, called unlinkability and accountability. Signatures \(\sigma_f\) in our definition do not expose the intention of the master authority. We propose two constructions of FS. The first one is a generic construction based on signatures with perfectly re-randomizable keys, non-interactive zero-knowledge proofs (NIZK) and traditional digital signatures, and the other is based on RSA (Rivest-Shamir-Adleman) signatures with full domain hash and NIZK. We prove that both schemes are secure under the given security models.
Conference Paper
This paper introduces the notion of attribute-based concurrent signatures. This primitive can be considered as an interesting extension of concurrent signatures in the attribute-based setting. It allows two parties to fairly exchange their signatures only if each of them has convinced the opposite party that it possesses certain attributes satisfying a given signing policy. Due to this new feature, this primitive can find useful applications in online contract signing, electronic transactions and so on. We formalize this notion and present a construction which is secure in the random oracle model under the Strong Diffie-Hellman assumption and the eXternal Diffie-Hellman assumption.
Article
Wuu et al. proposed an off-line micro-payment scheme with dual signatures to provide customer anonymity. However, a security flaw is pointed out. To remove this flaw, the channel between the bank and the trusted party and the channel between the bank and customers should be authenticated and secure.
Article
Fair exchange is essential in e-commerce, and concurrent signatures realize the fair exchange of digital signatures while removing the requirement of a trusted third party. Multi-party concurrent signature is an extension to the multi-user scenario. The security of existing multi-party concurrent signatures is mostly based on traditional hard problems that could be solved efficiently with quantum algorithms in a post-quantum world. Meanwhile, lattice-based cryptography is considered to be resistant to quantum attack. Wang et al. proposed a lattice-based multi-party concurrent signature. We analyze their proposed signature scheme and find that it is not secure, since an inside adversary can forge the signature. Moreover, the initial signer, if malicious, can produce signatures on arbitrary messages instead of a signature on the original messages.
Conference Paper
Internet transactions are increasing significantly due to the very fast growth of mobile devices, electronic commerce, and electronic records. Many researchers have proposed protocols to analyze accountability in Internet transactions. In this paper we propose an accountability model and protocol for Internet transactions that has advantages over existing protocols and satisfies essential security properties: confidentiality, integrity, authorization, authentication, non-repudiation, liability and responsiveness. The protocol is designed using asymmetric cryptography and a hash function to ensure that it meets all of the above accountability properties. The proposed protocol is also analyzed and compared with existing accountability protocols.
Article
A fair exchange protocol allows two parties to exchange items in a fair way, such that either both parties obtain the other’s item or neither party does. In this paper, we propose a time sequence protocol for exchanging participants’ warrants without a trusted third party (TTP). Then, each participant is able to sign a proxy signature on behalf of its opponent. Owing to the proxy signature’s restriction, the scheme achieves the desired effect of fair exchange of digital signatures. Our scheme is based on a time sequence rather than computation, and can be realized without the use of a TTP, thus differing from the existing fair exchange schemes. Compared with a concurrent signature, the proposed scheme does not need to release a keystone to wake the signatures when they exchange information fairly. The only advantage to the initial party is that it has the right to determine whether the exchanged warrants are valid before a designated time. However, because of the properties of proxy signatures, the initial party ultimately derives no benefit from this advantage. After the designated time, there is no additional advantage to benefit the initial party.
Article
Full-text available
The usage of the Web has experienced a vertiginous growth in the last few years. Watching video online has been one major driving force for this growth lately. Until the appearance of the HTML5 agglomerate of (still draft) specifications, the access and consumption of multimedia content on the Web had not been standardized. Hence, the use of proprietary Web browser plugins flourished as an intermediate solution. With the introduction of the HTML5 VideoElement, Web browser plugins are replaced with a standardized alternative. Still, HTML5 Video is currently limited in many respects, including access to only file-based media. This paper investigates approaches to developing video live streaming solutions based on available Web standards. Besides a pull-based design based on HTTP, a push-based architecture is introduced, making use of the WebSocket protocol, which is also part of the HTML5 standards family. The evaluation results of both conceptual principles emphasize that push-based approaches have a higher potential of providing resource- and cost-efficient solutions than their pull-based counterparts. In addition, initial approaches to instrument the proposed push-based architecture with adaptiveness to network conditions have been developed.
Conference Paper
We study a model of fairness in secure computation in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty. We then show how the Bitcoin network can be used to achieve the above notion of fairness in the two-party as well as the multiparty setting (with a dishonest majority). In particular, we propose new ideal functionalities and protocols for fair secure computation and fair lottery in this model. One of our main contributions is the definition of an ideal primitive, which we call \(\mathcal{F}_{\mathrm{CR}}^\star\) (CR stands for “claim-or-refund”), that formalizes and abstracts the exact properties we require from the Bitcoin network to achieve our goals. Naturally, this abstraction allows us to design fair protocols in a hybrid model in which parties have access to the \(\mathcal{F}_{\mathrm{CR}}^\star\) functionality, and is otherwise independent of the Bitcoin ecosystem. We also show an efficient realization of \(\mathcal{F}_{\mathrm{CR}}^\star\) that requires only two Bitcoin transactions to be made on the network. Our constructions also enjoy high efficiency. In a multiparty setting, our protocols only require a constant number of calls to \(\mathcal{F}_{\mathrm{CR}}^\star\) per party on top of a standard multiparty secure computation protocol. Our fair multiparty lottery protocol improves over previous solutions which required a quadratic number of Bitcoin transactions.
Article
Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared data provides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into account several issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to construct an anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be put into the cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI) setting becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the process of certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providing forward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remain valid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to re-authenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiation of our scheme, prove its security and provide an implementation to show its practicality.
Article
Abuse-freeness is one of the most interesting new problems in electronic payment security today. It is an effective supplement to fairness. It is confusing to researchers how to get real abuse-freeness in electronic payment. An abuse-free electronic payment protocol for real goods is proposed in this paper. The protocol achieves abuse-freeness by introducing a trusted third party and using the concurrent signature, and it prevents both sides in the payment from originating and terminating the protocol maliciously. At the same time, fairness and security are also achieved in the proposed protocol.
Article
There is an increasing demand for ad hoc anonymous authentication (AHAA) to secure communications between ad hoc group members while preserving privacy for the members. The main obstacles in AHAA are that it is difficult to deploy a traditional public-key infrastructure (PKI) in this scenario and that the end users are usually limited in computation. This paper addresses these obstacles with a pairing-free certificateless ring signature scheme. The scheme does not require a setup procedure, and each user can sign on behalf of a group generated in an ad hoc way. The signer does not need any certificate, but only a legal signer can generate a valid signature that passes validation. The signature verification does not leak any information about the signer's identity, even if the attacker is computationally unbounded. The scheme exploits only traditional efficient modular exponentiations, without relying on time-consuming bilinear map operations. The scheme is shown to be secure in the random oracle model. Therefore, our proposal is practical for ad hoc anonymous authentication.
Article
Concurrent signatures were introduced as an alternative approach to solving the problem of fair exchange of signatures by Chen et al. [1], in which two entities can produce two signatures that are not binding until the keystone is released by one of the parties. Recently, Huang et al. [10] proposed an identity-based concurrent signature scheme with stronger ambiguity and fairness. However, we will show that their scheme does not satisfy the strong unforgeability property and is vulnerable to a forgery attack. Then, we propose an improved scheme to prevent such an attack.
Article
Current Digital Rights Management (DRM) systems permit a consumer to buy a digital license to access the corresponding content on his device. Under these current systems, however, the consumer is unable to resell the license. To allow the consumer to resell the license, all entities involved in the reselling process must be treated fairly. Fairness means that a reseller should obtain payment if and only if a buyer obtains the expected license, and vice versa. This paper presents a novel method to support fairness in reselling a digital license for DRM-protected content. This method enables a reseller to fairly and securely exchange his/her license for payment from a buyer. In addition, it enables the reseller to maximize his profit and the buyer to minimize his cost in the same process. The method is designed such that the buyer cannot cheat and the reseller has no incentive to do so. A practical mechanism is proposed to handle any misbehavior by the reseller. In comparison with related works, the method does not make use of any additional trusted hardware device, and is thus more cost-effective, while satisfying the interests of all the entities involved. The method also prevents reselling a non-resalable license and multiple reselling of the same license.
Article
A ring signature allows specifying a set of possible signers without revealing which member actually produced the signature. This concept was first formalized in 2001 by Rivest, Shamir and Tauman. In this paper, we review the state of the art of ring signatures, summarize the study of ring signature schemes in the literature and investigate their relationships with other existing cryptographic schemes. We also describe a large number of extensions, modifications and applications of ring signatures that appeared after the original version of this work. Some problems in the study of this field are presented as well. Finally, we discuss a number of interesting open problems and point out possible future work.
Conference Paper
In order to resolve the multi-party fair-exchange problem in e-commerce, a new model of multi-party concurrent signatures based on short ring signatures is proposed. Using the technique of bilinear pairings, a concurrent signature scheme for multiple users, which we prove secure in the random oracle model, is constructed. Since the short ring signature is constructed based on dynamic accumulators, it has the advantage of constant-size signatures and simple public keys. Compared with the scheme proposed by Tonien, the signature size of our scheme has been shortened to O(n). Thus the open problem posed by Tonien is solved.
Conference Paper
Most of the fair exchange protocols use a trusted third party (TTP) or an arbitrator T who can be called upon to handle disputes between two business parties. However, it is practically hard to find entities to act as TTP. In this paper, two fair E-Commerce protocols, without any TTP, based on concurrent signatures are presented. One protocol aims at delivering physical goods and the other is designed for digital goods. Finally, the fairness and security of these two protocols are discussed.
Conference Paper
Full-text available
Optimistic fair exchange (OFE) is a protocol for solving the problem of exchanging items or services in a fair manner between two parties, a signer and a verifier, with the help of an arbitrator which is called in only when a dispute happens between the two parties. In almost all the previous work on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. In this paper, we propose the notion of ambiguous optimistic fair exchange (A-OFE), which is an OFE but also requires that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for A-OFE in the multi-user setting and chosen-key model. We also propose an efficient construction with security proven without relying on the random oracle assumption.
Conference Paper
The concept of concurrent signatures was introduced by Chen, Kudla and Paterson at Eurocrypt 2004; it allows two parties to produce two ambiguous signatures until the initial signer releases an extra piece of information (called the keystone). Once the keystone is released, both signatures are bound to their true signers concurrently. However, Susilo, Mu and Zhang pointed out that the original concurrent signature is not ambiguous to any third party if both signers are known to be trustworthy, and further proposed perfect concurrent signatures to strengthen the ambiguity of concurrent signatures at ICICS 2004. Unfortunately, Susilo et al.’s schemes are unfair for the matching signer because they enable the initial signer to release a carefully prepared keystone that binds the matching signer’s signature, but not the initial signer’s. Therefore, we present a fair identity-based concurrent signature in an effective way to correct these flaws in ambiguity and fairness. Moreover, our scheme is more efficient than other concurrent signature schemes based on the bilinear pairing.
Conference Paper
In the setting of secure multiparty computation, a set of mutually distrustful parties wish to securely compute some joint function of their private inputs. The computation should be carried out in a secure way, meaning that the properties privacy, correctness, independence of inputs, fairness and guaranteed output delivery should all be preserved. Unfortunately, in the case of no honest majority - and specifically in the important two-party case - it is impossible to achieve fairness and guaranteed output delivery. In this paper, we show how a legal infrastructure that respects digital signatures can be used to enforce fairness in two-party computation. Our protocol has the property that if one party obtains output while the other does not (meaning that fairness is breached), then the party not obtaining output has a digitally signed cheque from the other party. Thus, fairness can be "enforced" in the sense that any breach results in a loss of money by the adversarial party.
Conference Paper
Based on the concurrent signature algorithm, a fair mobile payment protocol is proposed in this paper. The protocol possesses the properties of fairness and non-repudiation. It can protect both the consumer's and the merchant's profits. As the electronic check is transferred by publishing a secret key, it guarantees that each participant gets the expected item at the same time. Compared to the traditional process, there are fewer transaction steps in our scheme. Moreover, it can avoid the network congestion caused by a traditional TTP and greatly decrease the processing load on the transaction center. It can be used for physical goods transactions.
Conference Paper
Since the introduction of concurrent signatures, the authorship binding of concurrent signatures has always been initiator-controlled, that is, only the initiator of a concurrent signature exchange can control "whether" and "when" to convert the exchanged ambiguous signatures to publicly verifiable ones concurrently. This binding control is not negotiable. In some applications, however, this limitation is undesirable, and instead, as optimistic fair exchange does, letting the responder control "whether" and "when" to have the exchanged ambiguous signatures bound is needed. This motivates us towards constructing a new concurrent signature variant which supports negotiation between the original initiator-controlled binding and a new responder-controlled binding. In this paper, we formalize the notion and propose the first construction, which allows either the initiator or the responder to control "whether" and "when" the binding of the exchanged ambiguous signatures will take place concurrently. The scheme is backward compatible with the original concurrent signature and is also comparable in performance to the existing ones.
Conference Paper
Since the introduction of nominative signature (NS) in 1996, there have been a handful of schemes proposed and almost all of them have been found flawed. The only one which is secure requires multiple rounds of communication between the nominator and the nominee for signature generation. In this paper, we propose a novel construction which is efficient and requires only one-move communication for signature generation. We also show that the construction is secure under the strongest security model currently available and that the reductionist proofs rely only on standard number-theoretic assumptions. Of independent interest, our construction illustrates an interesting use of ring signatures.
Conference Paper
Offline trading allows users to trade rights associated with digital content or any other digital asset without immediate access to a central authority. To conduct an offline trade, all involved parties sign a contract describing the transaction. Later this contract may be submitted to a central authority (e.g., a digital content repository or a bank) to conduct the actual change of ownership as specified in the contract. In this paper we show that there is a crucial problem when using offline trading: whoever signs the contract first is providing the other parties with an option to unilaterally control the contract. The other parties may sign the contract later and submit it to complete the transaction. Or they may simply discard it. If the value of the involved goods changes over time, this option may have a significant value. We introduce an approach to limit the value of options granted through offline contract signing and discuss its impact, design alternatives as well as related aspects.
Article
In a distributed ring signature scheme, a subset of users cooperate to compute a distributed anonymous signature on a message, on behalf of a family of possible signing subsets. The receiver can verify that the signature comes from a subset of the ring, but he cannot know which subset has actually signed. In this work we use the concept of dual access structures to construct a distributed ring signature scheme which works with vector space families of possible signing subsets. The length of each signature is linear in the number of involved users, which is desirable for some families with many possible signing subsets. The scheme achieves the desired properties of correctness, anonymity and unforgeability. We analyze in detail the case in which our scheme runs in an identity-based scenario, where public keys of the users can be derived from their identities. This avoids the need for digital certificates, and therefore allows more efficient implementations of such systems. But our scheme can be extended to work in more general scenarios, where users can have different types of keys.
Article
Full-text available
We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of the units modulo p, where p is a sufficiently large prime, e.g., p ≈ 2^512. A key idea is to use, as the base of the discrete logarithm, an integer modulo p whose order is a sufficiently large prime q, e.g., q ≈ 2^140. In this way we improve the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.
Conference Paper
Full-text available
Randomized protocols for signing contracts, certified mail, and flipping a coin are presented. The protocols use a 1-out-of-2 oblivious transfer subprotocol which is axiomatically defined. The 1-out-of-2 oblivious transfer allows one party to transfer exactly one secret, out of two recognizable secrets, to his counterpart. The first (second) secret is received with probability one half, while the sender is ignorant of which secret has been received. An implementation of the 1-out-of-2 oblivious transfer, using any public key cryptosystem, is presented.
Article
Full-text available
We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. It relies on a trusted third party, but is "optimistic," in that the third party is only needed in cases where one player crashes or attempts to cheat. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player, even in a completely asynchronous network. A specialization of our protocol can be used for contract signing; this specialization is not only more efficient, but also has the important property that the third party can be held accountable for its actions: if it ever cheats, this can be detected and proven.
Article
Full-text available
Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many new schemes have been proposed and many have been broken. Thus, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is often considered as a kind of validation procedure. A much more convincing line of research has tried to provide "provable" security for cryptographic protocols. Unfortunately, in many cases, provable security comes at the cost of a considerable loss in terms of efficiency. Another way to achieve some kind of provable security is to identify concrete cryptographic objects, such as hash functions, with ideal random objects and to use arguments from relativized complexity theory. The model underlying this approach is often called the "random oracle model." We use the word "arguments" for security results proved in this model. As usual, these arguments are relative to well-established hard algorithmic problems such as factorization or the discrete logarithm. In this paper we offer security arguments for a large class of known signature schemes. Moreover, we give for the first time an argument for a very slight variation of the well-known El Gamal signature scheme. In spite of the existential forgery of the original scheme, we prove that our variant resists existential forgeries even against an adaptively chosen-message attack, provided that the discrete logarithm problem is hard to solve. Next, we study the security of blind signatures, which are the most important ingredient for anonymity in off-line electronic cash systems. We first define an appropriate notion of security related to the setting of electronic cash. We then propose new schemes for which one can provide security arguments.
Article
We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery be equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations, a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
Article
We argue that the random oracle model (where all parties have access to a public random oracle) provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P^R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.