Optimistic Fair Exchange of Ring Signatures

An optimistic fair exchange (OFE) protocol is an effective tool that helps two parties exchange their digital items in an equitable way with the assistance of a trusted third party, called the arbitrator, who is involved only when needed. In previous studies, fair exchange is usually carried out between individual parties. When fair exchange is carried out between two members from distinct groups, anonymity of the signer within a group may be necessary to achieve better privacy. In this paper, we consider optimistic fair exchange of ring signatures (OFERS), i.e. two members from two different groups exchange their ring signatures in a fair way while the signers remain ambiguous. Each user in these groups has its own public-private key pair and is able to sign a message on behalf of its own group anonymously. We first define the security model of OFERS in the multi-user setting under adaptive chosen-message, chosen-key and chosen-public-key attacks. Then, based on verifiably encrypted ring signatures (VERS), we construct a concrete scheme by combining ring signatures, public-key encryption and proofs of knowledge. Finally, we show that our OFERS solution is provably secure in our security model and preserves the signer-ambiguity of ring signatures. To the best of our knowledge, this is the first (formal) work on this topic.
