Advances in optimistic fair exchange of digital signature

Abstract

Optimistic fair exchange (OFE) is a kind of cryptographic protocols for solving the problem of fair exchange between two parties. An offline third party, called the arbitrator, only involves when there is a dispute between them. Previous works on OFE have not been focusing on the security of OFE in the multi-user setting (where there are multiple signers and multiple verifiers) until Dodis et al.'s work in 2007, in which it is shown that the security of OFE in a single-user setting (where there are only one signer and one verifier) does not imply security in a multi-user setting. Previous constructions of OFE either are secure in the random oracle model or require complex NP-reduction in security proofs. Besides, they implicitly require the certified key model, in which before using a public key, the adversary needs to prove its knowledge of the corresponding secret key. In this thesis we investigate the following four problems: how to construct an efficient OFE scheme without resorting to random oracles; whether we can achieve the security of OFE in a more relaxed model, chosen key model, in which the adversary is free to use any public key without showing its knowledge of the secret key; since the partial signature of the signer reveals information about its will, how to prevent the verifier from abusing this information; traditional OFE is for two individual users to exchange their items, how to extend it to the exchange between two groups of users. Details are as below: Based on the observation that time capsule signature shares many desirable properties with OFE, we construct an OFE scheme directly from a time capsule signature. The security of the transformed scheme is proved in the multi-user setting. Combining a recent work on time capsule signature, we get the first efficient OFE scheme secure in the multi-user setting and without random oracles. We consider a relaxed model called chosen-key model in the context of OFE, in which the adversary can arbitrarily choose public keys without showing the knowledge of the secret keys. We separate the security of OFE in the chosen-key model from the certified-key model by giving a concrete counterexample. We strengthen the previous static security model in the multi-user setting to a more practical one which allows an adversary to choose a key adaptively. Then we propose an efficient and generic construction of OFE in the multi-user setting and chosen-key model. The security of the scheme is proven without random oracles. We also propose some efficient instantiations. In almost all the previous works on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. We propose the notion of ambiguous optimistic fair exchange (AOFE), which is an OFE but also requires that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for AOFE in the multi-user setting and chosen-key model, and propose an efficient construction with security proven without relying on the random oracle assumption. All the previous works of OFE consider the setting in which the exchange happens between two individual parties. We introduce a new variant of OFE, called group-oriented optimistic fair exchange (GOFE), which allows users from two different groups to exchange signatures on behalf of their groups in a fair and anonymous manner. Although GOFE may be considered as a fair exchange for group signatures, it might be inefficient if it is constructed generically from a group signature scheme. Instead, we show that GOFE is backward compatible with AOFE. Also, we propose an efficient and concrete construction of GOFE, and prove its security under the security models we propose, based on the decision linear assumption and strong Diffie-Hellman assumption in the random oracle model.