Efficient Optimistic Fair Exchange Secure in the Multi-user Setting and Chosen-key Model without Random Oracles∗

Qiong Huang†, Guomin Yang†, Duncan S. Wong†, Willy Susilo‡

February 1, 2008

Abstract

Optimistic fair exchange is a kind of protocol for solving the problem of fair exchange between two parties. Almost all previous work on this topic is provably secure only in the random oracle model. In PKC 2007, Dodis et al. considered optimistic fair exchange in a multi-user setting, and showed that an optimistic fair exchange scheme secure in a single-user setting may no longer be secure in a multi-user setting. Besides, they also proposed one and reviewed several previous construction paradigms and showed that they are secure in the multi-user setting. However, their proofs are either in the random oracle model, or involve a complex and very inefficient NP-reduction. Furthermore, they only considered schemes in the certified-key model, in which each user has to show his knowledge of the private key corresponding to his public key. In this paper, we make the following contributions. First, we consider a relaxed model called the chosen-key model in the context of optimistic fair exchange, in which the adversary can arbitrarily choose public keys without showing knowledge of the private keys. We separate the security of optimistic fair exchange in the chosen-key model from the certified-key model by giving a concrete counterexample. We also revisit a verifiably encrypted signature based generic construction of optimistic fair exchange and show that it remains secure in the chosen-key model. Second, we strengthen the previous static security model in the multi-user setting to a more practical one which allows an adversary to choose a key adaptively. Third, we propose an efficient and generic optimistic fair exchange scheme in the multi-user setting and chosen-key model. The security of our construction is proven without random oracles. We also propose some efficient instantiations. Fourth, based on the observation that time capsule signatures share many desirable properties with optimistic fair exchange, we construct an optimistic fair exchange scheme directly from a time capsule signature. From the efficient construction of time capsule signatures due to Libert and Quisquater, we also obtain another optimistic fair exchange construction secure without random oracles.

Keywords: optimistic fair exchange, ring signature, chosen-key model, time capsule signature

∗ A preliminary version of this paper is to appear in CT-RSA 2008 [HYWS08].
† Department of Computer Science, City University of Hong Kong, Hong Kong S.A.R., China. Email: {[email protected], [email protected], [email protected]}cityu.edu.hk
‡ School of Computer Science and Software Engineering, University of Wollongong, Australia. Email: [email protected]

Contents

1 Introduction
  1.1 Related Works
  1.2 Our Contributions
  1.3 Paper Organization
2 Definitions and Security Model
  2.1 Definitions in the Multi-User Setting and Chosen-Key Model
  2.2 Chosen-Key Model
  2.3 Security Model
  2.4 Differences From [DLY07] and Multi-Arbitrator Setting
3 Separating Chosen-Key Model From Certified-Key Model
  3.1 A WVES-Based OFE
  3.2 An Attack Under Chosen-Key Model
4 An Efficient and Generic Construction without Random Oracles
  4.1 The Construction
  4.2 Instantiations
5 Two Previous Paradigms
  5.1 Verifiably Encrypted Signature Paradigm
  5.2 Two-Party Sequential Multisignature Paradigm
6 Optimistic Fair Exchange From Time Capsule Signatures
  6.1 The Construction
  6.2 An Instantiation without Random Oracles
7 Conclusion
A Security Definition of Conventional Signatures
B Time Capsule Signatures [DY05]
C Review of Lu et al.'s Verifiably Encrypted Signature Scheme [LOS+06]
D Proof of Theorem 6.1

1 Introduction

Optimistic fair exchange (OFE, in short), introduced by Asokan, Schunter and Waidner [ASW97], is a kind of protocol for fairly exchanging items between two parties, say Alice and Bob. In such a protocol, there is an arbitrator who is semi-trusted by Alice and Bob and gets involved only if one party attempts to cheat the other or simply crashes. Let us consider the following scenario, in which Alice wants to buy a notebook computer from Bob's shop. Alice first partially authenticates a message stating that she allows Bob to get the money from her bank account. After checking the validity of Alice's partial signature, Bob delivers the notebook to her. Later, if Alice is honest, she will send her full signature to Bob, with which Bob can get the money from the bank. If Alice is dishonest and refuses to send her full signature, Bob will turn to the arbitrator for help. He shows the arbitrator the evidence that he has fulfilled his obligation, and the arbitrator will then resolve Alice's partial signature into a full one and send it to Bob. With the full signature, Bob can then complete the transaction and get the money from Alice's bank account.

1.1 Related Works

Since its introduction, OFE has attracted many researchers' attention, such as [ASW98, ASW00, CD00, PCS03, DR03, Kre03, Mic03, Zhu03, ZZF04, BWZZ04, Wan05, ES05, DLY07] and so on. There are two popular paradigms for building optimistic fair exchange schemes. One is based on verifiably encrypted signatures [BGLS03], such as [ASW98, ASW00, CD00], and the other is based on sequential two-party multisignatures, such as [PCS03]. Park et al.'s sequential two-party multisignature based optimistic fair exchange [PCS03] was broken and repaired by Dodis and Reyzin [DR03]. However, the Dodis-Reyzin schemes are setup-driven [ZB06, ZSM07], which requires key registration for all users with the arbitrator. In the same year, Micali proposed a fair electronic exchange protocol for contract signing with an invisible trusted party [Mic03], using a CCA2 secure public key encryption scheme with recoverable randomness (i.e., the decryption algorithm can extract from the ciphertext both the plaintext and the randomness used for generating the ciphertext) and a signature scheme that is existentially unforgeable under chosen message attacks. The idea is similar to that of the verifiably encrypted signature paradigm. Later, Bao et al. [BWZZ04] showed that the scheme does not satisfy the fairness requirement: a dishonest Bob can get Alice's full commitment without letting Alice get his obligation. They also provided an improvement to avoid such an attack. To the best of our knowledge, almost all verifiably encrypted signature schemes and sequential multisignature schemes, even though efficient, are proven secure in the random oracle model [BR93], in which all parties have oracle access to a truly random function. However, such a model is only heuristic. Provable security of schemes in this model does not guarantee anything about their security when the random oracles are replaced with real-life hash functions [CGH98].

The only schemes which are proven secure without random oracles are the verifiably encrypted signature scheme and the multisignature scheme proposed by Lu et al. [LOS+06]. Both schemes are based on Waters' signature scheme [Wat05] (which in turn is based on the Computational Diffie-Hellman (CDH) assumption), and have been proven secure in the certified-key model [LOS+06] (or the registered-key model [BCNP04]). However, we argue that such a model is not practical enough, as each user has to show that it knows the private key corresponding to its public key. In a more practical case, everyone can freely choose a public key to use, without the need to show their knowledge of the private key. We call this model the chosen-key model,

which will be discussed later. Recently, Dodis et al. [DLY07] considered optimistic fair exchange in a multi-user setting. Prior to their work, almost all previous results considered the single-user setting only, in which there is only one signer and one verifier (along with an arbitrator). A more practical setting is the multi-user setting, in which there are many signers and many verifiers (along with an arbitrator), so that a dishonest party can collude with some other parties in an attempt to cheat another party. Though the security of both encryption and signature in the single-user setting is preserved in the multi-user setting, Dodis et al. [DLY07] showed that this is not necessarily true for optimistic fair exchange. They gave a counterexample that is secure in the single-user setting but insecure in the multi-user setting. Furthermore, they proposed a formal definition of optimistic fair exchange in the multi-user setting, and presented a generic construction. Their generic construction is setup-free (i.e. no key registration is required between users and the arbitrator) and can be built if there exist one-way functions in the random oracle model, or if there exist trapdoor one-way permutations in the standard model. In [DLY07], the authors also revisited the two aforementioned paradigms and showed that they remain valid in the multi-user setting. However, all the schemes presented in [DLY07] were proven secure in the certified-key model only. If the adversary is allowed to choose public keys arbitrarily without being required to show its knowledge of the corresponding private keys, these schemes may not be secure (see Sec. 3).

1.2 Our Contributions

Our contributions are four-fold. First, we note that optimistic fair exchange schemes secure in the certified-key model may not be secure in the chosen-key model [LMRS04]. We separate these two models by presenting a counterexample. Namely, we present a scheme which is secure in the certified-key model but insecure in the chosen-key model. The crux of the problem is that the adversary in the chosen-key model is allowed to arbitrarily set public keys without showing its knowledge of the corresponding private keys (cf. the certified-key model). Hence, the model is more realistic, and it provides the adversary with more flexibility and power in attacking other honest parties in the system. Second, we further strengthen the security model in the multi-user setting for optimistic fair exchange first proposed by Dodis et al. [DLY07]. In particular, we notice that in [DLY07], the model capturing the security against the arbitrator is a static model which requires the malicious arbitrator to fix its keys before seeing the challenge public key of the signer. We propose to strengthen it to an adaptive model which allows the arbitrator to set its keys with reference to the value of the challenge public key of the signer. Third, we propose an efficient and generic construction of optimistic fair exchange in the multi-user setting and chosen-key model, and prove its security without random oracles. The construction is based on a conventional signature [GMR88, Wat05] and a ring signature [RST01, Wat05, BKM06, SW07, Boy07, CGS07], both of which can be constructed efficiently without random oracles. This also contributes a new paradigm for constructing optimistic fair exchange, besides the existing ones: the verifiably encrypted signature based approach and the sequential two-party multisignature based one.
In our generic construction, we further show that the ring signature scheme used does not need to have the highest level of existential unforgeability considered in [BKM06], namely unforgeability with respect to insider corruptions. Instead, unforgeability against a static adversary [Boy07] will suffice. We also propose some efficient instantiations of our generic construction. We discuss one instantiation which is based on the Waters signature [Wat05] and the Shacham-Waters ring signature [SW07], another instantiation based on the Boneh-Boyen signature [BB04] and the Chandran-Groth-Sahai ring signature [CGS07], and also a third instantiation which is based only on Boyen's ring signature scheme [Boy07]. Additionally, we re-examine the security of the two previous paradigms and show that the verifiably encrypted signature based construction remains secure in the chosen-key model. Fourth, we consider another approach to building optimistic fair exchange schemes. We show that optimistic fair exchange schemes in the multi-user setting and under the certified-key model can easily be constructed from time capsule signatures, which were introduced by Dodis and Yum in FC 2005 [DY05], due to the fact that they share many desirable properties with optimistic fair exchange. In a time capsule signature scheme, there is a semi-trusted time server, which honestly publishes the corresponding secret information at each time event t. Alice produces a 'premature' signature σ′ on a message m, which is claimed to become 'mature' at time event t, and sends it to Bob, who verifies the validity of σ′. At time t, the time server publishes the secret information with respect to t, which can be used by anybody to convert σ′ into a matured signature of Alice. Besides, Alice can also pre-hatch her signature σ′ before the claimed time t. In this paper, we show that optimistic fair exchange can be constructed from a time capsule signature in a straightforward way. Combining this with the recent work on time capsule signatures in the standard model due to Libert and Quisquater [LQ07], we then get an optimistic fair exchange scheme secure without random oracles in the multi-user setting and certified-key model.

1.3 Paper Organization

In the next section, we review the definition of optimistic fair exchange, and modify Dodis et al.'s security games to adapt them to the chosen-key model. In Sec. 3, we give a counterexample to separate the security levels of the certified-key model and the chosen-key model. Our generic construction is then proposed and shown secure in the multi-user setting and under the chosen-key model in Sec. 4. Some efficient instantiations are also discussed in that section. In Sec. 5, we re-examine the security of the two popular paradigms in the chosen-key model. In Sec. 6, we show that an optimistic fair exchange scheme can be constructed directly from a time capsule signature scheme. Finally, we conclude this paper in Sec. 7.

2 Definitions and Security Model

Let k ∈ N be a security parameter. If x is a binary string, |x| denotes the length of x; if S is a set, |S| denotes the cardinality of S. For any binary strings x and y, x‖y denotes the concatenation of x and y. By x ← S we denote the operation that process S is performed and the output is x if S is an algorithm, or that x is randomly and uniformly selected from S if S is a distribution. By x := (a, b, c) we denote the simple assignment operation. By 'PPT' we mean that an algorithm is probabilistic polynomial-time. A function f is said to be negligible in n if for every positive polynomial p(·) and for all sufficiently large n, we have f(n) < 1/p(n).

2.1 Definitions in the Multi-User Setting and Chosen-Key Model

The definition for non-interactive optimistic fair exchange (OFE) follows the one in the multi-user setting given in [DLY07], but with the authenticity assumption on public keys removed. This implies that we do not restrict ourselves to the certified-key model [LOS+06], but consider the definition under a stronger security model, called the chosen-key model [LMRS04]. We will give more details shortly (Sec. 2.2) and make some additional remarks to discuss some subtleties in the definitions.

Definition 2.1. A non-interactive optimistic fair exchange (OFE) involves two users (a signer and a verifier) and an arbitrator, and is formalized using the following PPT algorithms:

• SetupTTP: On input 1^k, it generates a secret arbitration key ASK and a public partial verification key APK.

• SetupUser: On input 1^k and (optionally) APK, it outputs a secret/public key pair (SK, PK). For a user U_i, we use (SK_{U_i}, PK_{U_i}) to denote the user's key pair.

• Sig and Ver: Similar to the signing and verification algorithms of an ordinary digital signature scheme, Sig(m, SK_{U_i}, APK) outputs a signature σ_{U_i}, while Ver(m, σ_{U_i}, PK_{U_i}, APK) outputs accept or reject, where message m is chosen by user U_i from the message space M defined under PK_{U_i}.

• PSig and PVer: These are the partial signing and verification algorithms, respectively, where PSig together with Res should be functionally equivalent to Sig. PSig(m, SK_{U_i}, APK) outputs a partial signature σ′_{U_i}, while PVer(m, σ′_{U_i}, PK_{U_i}, APK) outputs accept or reject.

• Res: This is the resolution algorithm. Res(m, σ′_{U_i}, ASK, PK_{U_i}) outputs a signature σ_{U_i}, or ⊥ indicating the failure of resolving a partial signature.

For correctness, we require that for all security parameters k ∈ N, for any (ASK, APK) ← SetupTTP(1^k) and (SK_{U_i}, PK_{U_i}) ← SetupUser(1^k, APK), we have

  Ver(m, Sig(m, SK_{U_i}, APK), PK_{U_i}, APK) = accept,
  PVer(m, PSig(m, SK_{U_i}, APK), PK_{U_i}, APK) = accept, and
  Ver(m, Res(m, PSig(m, SK_{U_i}, APK), ASK, PK_{U_i}), PK_{U_i}, APK) = accept.

The ambiguity property requires that any "resolved signature" Res(m, PSig(m, SK_{U_i}, APK), ASK, PK_{U_i}) is computationally indistinguishable from an "actual signature" Sig(m, SK_{U_i}, APK).

In a typical OFE protocol run, the signer U_i first generates the partial signature σ′_{U_i} using PSig and sends it to the verifier. The verifier then checks the partial signature using PVer and fulfills his obligation if PVer outputs accept. After that, the signer sends the full signature σ_{U_i} to complete the transaction. If no problem occurs, the arbitrator does not participate in the protocol. However, if the signer refuses to send σ_{U_i} at the end, the verifier will send σ′_{U_i} as well as a proof of fulfilling his obligation to the arbitrator. The arbitrator will generate σ_{U_i} using Res and send it to the verifier if the proof is sound. Similar to previous definitions (e.g. [DR03, DLY07]), the definition does not deal with the application-specific question of how the verifier proves to the arbitrator that he has fulfilled his obligation to the signer. However, unlike previous definitions, we do not assume the authenticity of public keys (Sec. 2.2).

Remark 1 (On the Ambiguity): Readers may note that the definition of the ambiguity property above does not discuss whether the adversary has any oracle access. In fact, similar to ring signatures, we may specify various levels of ambiguity for OFE as well. They may include basic ambiguity, ambiguity with respect to adversarially-chosen keys, and ambiguity against attribution attacks/full key exposure. Readers may refer to [BKM06] for their definitions in the context of ring signatures. The ambiguity definition above follows that given in [DR03, DLY07], with the sole purpose of making the construction of OFE non-trivial. For stronger notions, say basic ambiguity, we may require that no PPT adversary can distinguish full signatures generated by the signer from those resolved by the arbitrator with non-negligible advantage, even if the adversary can access the partial signature oracle and the resolution oracle. We leave this as future work.

Remark 2 (An Optional Input of SetupUser): In the definition above, APK is an optional input of SetupUser. This allows the arbitrator and the users to share some common system parameters without getting involved in any interactive registration phase. The advantage is that the setup-free feature [ZB06, ZSM07] can be ensured while having common system parameters shared across the entire system, without having a dedicated system parameter generation algorithm defined. For schemes where the users and the arbitrator do not share any system parameter, APK can simply be removed from the input of SetupUser.

2.2 Chosen-Key Model

Note that [DLY07] only considers OFE in the certified-key model [LOS+06]. In such a model, it is assumed that the authenticity of public keys of users in the system can be verified, and each user should show his knowledge of the corresponding private key in some public key registration stage, for defending against key substitution attacks. Alternatively, the adversary is required to show that the public keys included in queries to the signing oracle and in its forgery are properly generated. For example, each user in the system may randomly select a string r and send r to the authority in the registration stage, which then computes a public/secret key pair (PK, SK) using r, stores the public key and returns PK to the user. The user can also compute the user secret key SK from r accordingly. We refer readers to [BCNP04] for details of the model.

In this paper, we consider a stronger security model for OFE, the chosen-key model, which was originally introduced by Lysyanskaya et al. in the context of aggregate signatures [LMRS04]. An adversary in the chosen-key model can arbitrarily set public keys without showing its knowledge of the corresponding private keys. The only limitations are that the adversary cannot replace the challenge user's public key, and all the public keys chosen by the adversary should fall into some public key space (which is defined under some system-wide parameters and known to all parties in the system). Such relaxation gives the adversary more flexibility and power in attacking other (honest) parties in the system. Schemes secure in the certified-key model may not necessarily be secure in the chosen-key model. For example, let us consider Security Against Verifiers under the chosen-key model (Sec. 2.3). After receiving a partial signature from the challenge signer, the adversary may ask the arbitrator to resolve it into a full signature with respect to a different public key, chosen maliciously by the adversary according to the challenge signer's public key and the partial signature received. Based on this attack approach, in Sec. 3 we describe a concrete OFE scheme as an example showing that a scheme secure in the certified-key model is not necessarily secure in the chosen-key model. In the following, we first formalize the adversarial model for OFE in the multi-user setting and chosen-key model.

2.3 Security Model

The security of optimistic fair exchange consists of three aspects: security against signers, security against verifiers, and security against the arbitrator. Their definitions in the multi-user setting and chosen-key model are given as follows.

• Security against signers: Intuitively, we require that no PPT adversary A should be able to produce, with non-negligible probability, a partial signature which looks good to verifiers but cannot be resolved to a full signature by the honest arbitrator. This ensures fairness for verifiers, that is, if the signer has committed to a message, the verifier will always be able to get the full commitment of the signer. Formally, we consider the following experiment:

  SetupTTP(1^k) → (ASK, APK)
  (m, σ′, PK*) ← A^{O_Res}(APK)
  σ ← Res(m, σ′, ASK, PK*)
  success of A := [PVer(m, σ′, PK*, APK) = accept ∧ Ver(m, σ, PK*, APK) = reject]

where oracle O_Res takes as input a valid¹ partial signature σ′ of user U_i on message m, i.e. (m, σ′, PK_{U_i}), and outputs a full signature σ on m under PK_{U_i}. In this experiment, the adversary can arbitrarily choose public keys, and it may not know the private key corresponding to PK*. The advantage of A in the experiment, Adv_A(k), is defined to be A's success probability.

• Security against verifiers: This security notion requires that any PPT verifier B should not be able to transform a partial signature into a full signature with non-negligible probability if no help has been obtained from the signer or the arbitrator. This requirement has some similarity to the notion of opacity for verifiably encrypted signatures [BGLS03]. Formally, we consider the following experiment:

  SetupTTP(1^k) → (ASK, APK)
  SetupUser(1^k) → (SK, PK)
  (m, σ) ← B^{O_PSig, O_Res}(PK, APK)
  success of B := [Ver(m, σ, PK, APK) = accept ∧ (m, ·, PK) ∉ Query(B, O_Res)]

where oracle O_Res is described in the previous experiment, the partial signing oracle O_PSig takes as input a message m and returns a valid partial signature σ′ on m under PK, and Query(B, O_Res) is the set of valid queries B issued to the resolution oracle O_Res. In the experiment, B can ask the arbitrator to resolve any partial signature with respect to any public key (adaptively chosen by B, probably without knowledge of the corresponding private key), with the limitation described in the experiment. The advantage of B in the experiment, Adv_B(k), is defined to be B's success probability.

¹ By 'valid', we mean that σ′ is a valid partial signature on m under public key PK_{U_i}; alternatively, the input (m, σ′, PK_{U_i}) of O_Res satisfies the condition PVer(m, σ′, PK_{U_i}, APK) = accept.

• Security against the arbitrator: Intuitively, this security notion requires that any PPT arbitrator C should not be able to generate, with non-negligible probability, a full signature without explicitly asking the signer to generate one. This ensures fairness for signers, that is, no one can frame the actual signer on a message with a forgery. Formally, we consider the following experiment:

  SetupUser(1^k) → (SK, PK)
  (ASK*, APK) ← C(PK)
  (m, σ) ← C^{O_PSig}(ASK*, APK, PK)
  success of C := [Ver(m, σ, PK, APK) = accept ∧ (m, ·) ∉ Query(C, O_PSig)]

where the partial signing oracle O_PSig is described in the previous experiment, ASK* is C's state information, which might not be the private key corresponding to APK, and Query(C, O_PSig) is the set of queries C issued to the partial signing oracle O_PSig. The advantage of C in this experiment, Adv_C(k), is defined to be C's success probability.

Definition 2.2. A non-interactive optimistic fair exchange scheme is said to be secure in the multi-user setting and chosen-key model if there is no PPT adversary that wins any of the experiments above with non-negligible advantage.

2.4 Differences From [DLY07] and Multi-Arbitrator Setting

Though the experiments of Security Against Signers and Security Against Verifiers remain in the same form as those in [DLY07], we put no requirement that the adversary has to register a public key before using it. In other words, the adversary can freely choose public keys (from the public key space) and use them during the attack, without proving its knowledge of the corresponding private keys. In [DLY07], on the other hand, the authenticity assumption on public keys is made in all the experiments.

On Security Against the Arbitrator, our corresponding experiment seems to be stronger than the one considered in [DLY07], in which the adversary has to fix APK before learning the challenge signer's public key PK. This static form of adversarial key generation seems unnecessarily weak. We propose a strengthened one which allows the adversary to adaptively set APK based on the value of PK generated using SetupUser. In this way, the security model considered in this paper will be at least as strong as that in [DLY07], if not stronger. This observation is also supported by the counterexample given in Sec. 3.

One may also notice that in the experiment formalizing Security Against the Arbitrator, the adversary C has two phases. In the first phase, C merely generates APK without having access to O_PSig. In the second phase, C is to generate a forgery while having access to O_PSig with respect to APK. The purpose of this two-phase arrangement is to make sure that the model is in the single-arbitrator setting. Although all the security requirements of optimistic fair exchange schemes are studied under the multi-user setting in this paper, to be consistent with previous work [DR03, DLY07] we restrict ourselves to the formalization of a system which allows only one arbitrator. On the other hand, if we combine the two phases of the experiment for Security Against the Arbitrator into one, that is, the second and third statements are combined and replaced as follows,

  (APK, m, σ) ← C^{O_PSig}(PK)

and modify O_PSig to take an additional input, a public partial verification key APK′, then we are able to consider the multi-arbitrator setting for this security notion (by also changing the restriction so that we only require (m, ·, APK) ∉ Query(C, O_PSig)). We leave this, and the extension of the other two notions to the multi-arbitrator setting, as future work.

3 Separating Chosen-Key Model From Certified-Key Model

As reviewed in the introduction, OFE in the single-user setting can normally be built from verifiably encrypted signatures or from sequential two-party multisignatures. Dodis et al. [DLY07] showed that secure OFE in the multi-user setting can also be built from these primitives, but only the verifiably encrypted signature based ones may support the setup-free feature [ZB06, ZSM07]. Also note that in [DLY07], all the security analyses were carried out in the certified-key model [LOS+06] and therefore the schemes may not remain secure in the chosen-key model [LMRS04]. In the following, we give a concrete example showing that an OFE secure in the certified-key model may no longer be secure in the chosen-key model. The example is based on Lu et al.'s [LOS+06] verifiably encrypted signature scheme. Readers can refer to [LOS+06] for Lu et al.'s scheme WVES, or to Appendix C for a brief review of it.

3.1 A WVES-Based OFE

Observe that Lu et al.’s WVES is an OFE in the single-user setting and the certified-key model 2 , under which, WVES.Kg and WVES.AKg constitute the OFE registration protocol Setup, and WVES.Sig, WVES. Ver, WVES.ESig, WVES.EVer and WVES.Adj are corresponding to Sig, Ver, PSig, PVer and Res, respectively. In the single-user setting and certified-key model [DR03, DLY07], Security Against Signers is due to the correctness of WVES. That is, if η is a valid verifiably encrypted signature, the adjudicator can always convert it to an ordinary signature. Security Against Verifiers is due to the opacity property [BGLS03] of WVES. The Security Against the Arbitrator does not trivially follow the unforgeability of the verifiably encrypted signature scheme, since in the corresponding experiment, the malicious arbitrator knows more secret information than a public verifier does. To show its security, we build a forger F of Waters’ signature scheme using the malicious arbitrator/adjudicator C. Given the system parameters and a public key A = e(g, g)α , F randomly picks β ← Zp and sends the system parameters, A and (β, v := g β ) to C 3 . The rest of the proof goes essentially the same as that in [LOS+ 06], except that F uses its signing oracle to simulate the PSig oracle. If C outputs a valid forgery (S1 , S2 ), i.e., Ver(P K, M, (S1 , S2 )) = accept, F simply outputs σ ∗ := (S1 , S2 ) on M as its forgery for Waters’ signature scheme. By the validity of (S1 , S2 ), we have that σ ∗ is also a valid forgery with respect to the challenge public key. Besides, the above scheme can easily be shown to be secure in the multi-user setting and the certified-key model as well. 2

² We refer readers to [DR03, DLY07] for the formal definition and security model of OFE in the single-user setting and certified-key model.
³ Alternatively, C picks its key pair and shows its knowledge of ASK. This is due to the restriction of the certified-key model. Readers can refer to [DLY07] for detailed discussions about this.


3.2 An Attack Under Chosen-Key Model

If we retain the multi-user setting but upgrade the model from the certified-key model to the chosen-key model, we will see that the WVES-based OFE above is no longer secure. Let us consider Security Against Verifiers. In the chosen-key model, the adversary (i.e. the verifier in the experiment) can first ask the challenge signer for a partial signature on some message under the challenge public key PK. Then, the adversary makes up a new public key PK' according to the partial signature and PK, and queries the challenger to resolve the partial signature with respect to PK' rather than PK. The adversary finally tries to recover the full signature under PK from the resolved signature. In the chosen-key model, since the adversary can arbitrarily pick public keys without showing its knowledge of the corresponding private keys, such an attack approach is possible. Below is the detail of the actual attack against the WVES-based OFE.

(In)Security Against Verifiers: Upon receiving the challenge signer's public key $PK = e(g,g)^{\alpha}$ from the challenger, the adversary B queries $O_{\mathrm{PSig}}$ for a partial signature $\sigma' = (K_1, K_2, K_3)$ on message M. Then B generates another public key $PK' := PK \cdot e(g,g)^{b}$ where $b \leftarrow \mathbb{Z}_p$, and queries $O_{\mathrm{Res}}$ to resolve a partial signature of the form $\sigma'' = (K_1 \cdot g^{b}, K_2, K_3)$ under the public key PK'. Note that σ'' is a valid partial signature on M under PK'. Upon receiving the resolved signature $\sigma = (S_1, S_2)$, B outputs the full signature under the challenge public key PK as $\tilde{\sigma} = (S_1 / g^{b}, S_2)$ and wins the game. Therefore, the WVES-based OFE is insecure in the multi-user setting under the chosen-key model. We should also emphasize that this does not contradict the results given in [LOS+06], as their schemes were originally designed for security in the certified-key model only.

4 An Efficient and Generic Construction without Random Oracles

In this section, we propose an OFE proven secure in the multi-user setting and the chosen-key model, that is, under the adversarial model formalized in Sec. 2.3. Our construction is based on two primitives: conventional signatures [GMR88] and ring signatures [RST01]. Since there exist signature schemes and ring signature schemes proven secure without random oracles, it is possible for us to construct a secure OFE without random oracles as well. Readers can refer to [GMR88] or Appendix A for the security definition of conventional signatures. In the following, we first briefly review the definition of ring signature.

(Ring Signature): The notion of ring signature was introduced by Rivest et al. at Asiacrypt 2001 [RST01] and has since been widely studied [BKM06, Boy07, SW07, CGS07]. A ring signature scheme RS is a triple of PPT algorithms (KG, Sig, Ver), where KG is the key generation algorithm that takes as input the security parameter $1^k$ and outputs a signing/verification key pair (sk, pk); Sig is the ring signing algorithm that takes as input a message m, a list of public keys $R := \{pk_i\}_{i=1}^{\ell}$ and a signing key $sk_i$ ($1 \le i \le \ell$) such that $(sk_i, pk_i)$ is an output of $\mathrm{KG}(1^k)$, and outputs a ring signature σ on m under the ring R; and Ver is the verification algorithm that takes as input a message m, a signature σ and a list of public keys $R := \{pk_i\}_{i=1}^{\ell}$ and outputs accept or reject. The security of a ring signature scheme includes two parts, anonymity (or ambiguity) and unforgeability. Anonymity requires that no one can tell which ring member is the actual signer,

and unforgeability requires that no one can forge a signature if none of the ring members' private keys is known. The strongest computational-complexity-based security notions for them are anonymity against attribution attacks/full key exposure and unforgeability with respect to insider corruption, respectively [BKM06, Boy07]. In our construction of OFE (to be shown later), we do not actually require the ring signature scheme to have such a strong level of anonymity and unforgeability. Instead, unforgeability under an adaptive attack, against a static adversary [Boy07], will suffice. It is defined by the following experiment:

$$(sk_i, pk_i) \leftarrow \mathrm{RS.KG}(1^k), \quad i = 1, \dots, \ell$$
$$R := \{pk_i\}_{i=1}^{\ell}$$
$$(R, m, \sigma) \leftarrow A^{O_{\mathrm{RS.Sig}}}(R)$$
$$\text{success of } A := [\mathrm{RS.Ver}(m, \sigma, R) = \mathsf{accept} \;\wedge\; (\cdot, m, R) \notin \mathrm{Query}(A, O_{\mathrm{RS.Sig}})]$$

where A is a PPT adversary, $O_{\mathrm{RS.Sig}}$ is the ring signing oracle which takes as input an index i, a message m, and a list of public keys S such that $S \cap R \neq \emptyset$ and $pk_i \in R$, and outputs a ring signature σ on m under the ring S using the signing key $sk_i$, and $\mathrm{Query}(A, O_{\mathrm{RS.Sig}})$ is the set of ring signing queries (of the form (i, m, S)) issued by A. The advantage of A in the experiment is defined to be its success probability. A ring signature scheme is said to be (existentially) unforgeable under an adaptive attack, against a static adversary (where 'static' means that the adversary does not corrupt any honest user and its forgery must be with respect to the prescribed ring R), if no PPT adversary wins the experiment with non-negligible advantage. It is readily seen that the above unforgeability is weaker than the unforgeability with respect to insider corruption considered in [BKM06]. For our purpose, the number ℓ of (honestly generated) public keys is 2 and the size of the ring S in a signing query issued by A is also 2 (i.e., ℓ = 2 and |S| = 2).
For the security level of anonymity, since the definition of ambiguity for OFE does not consider any additional adversarial resource the distinguisher can own, the basic anonymity [BKM06] will already be strong enough for our OFE construction below. We refer readers to Sec. 2.1 for more discussions.

4.1 The Construction

Let SIG = (KG, Sig, Ver) be a conventional signature scheme and RS = (KG, Sig, Ver) a ring signature scheme. Our construction idea is as follows. The partial signature is a conventional signature generated using SIG, and the full signature is the partial signature together with a ring signature generated under RS. The 'ring' members of the ring signature are the signer and the arbitrator. To resolve a partial signature, the arbitrator simply produces a ring signature. One of the main reasons for employing a ring signature scheme in our construction is that the unforgeability game of ring signatures (that is, unforgeability under an adaptive attack, against a static adversary, as stated above) fits well with the chosen-key model for OFE. That is, the adversary can ask for a ring signature with respect to a ring which includes public keys that are not certified. Below are the details of our generic construction, denoted by OFE.

• SetupTTP: The arbitrator runs $(ask, apk) \leftarrow \mathrm{RS.KG}(1^k)$ and sets $(ASK, APK) := (ask, apk)$.
• SetupUser: Each user $U_i$ runs $(\hat{sk}_i, \hat{pk}_i) \leftarrow \mathrm{SIG.KG}(1^k)$ and $(\bar{sk}_i, \bar{pk}_i) \leftarrow \mathrm{RS.KG}(1^k)$. $U_i$ then sets $(SK_{U_i}, PK_{U_i}) := ((\hat{sk}_i, \bar{sk}_i), (\hat{pk}_i, \bar{pk}_i))$.
• Sig: On input a message m, the signer $U_i$ first produces a conventional signature σ' as the partial signature, i.e. $\sigma' \leftarrow \mathrm{SIG.Sig}(\hat{sk}_i, m)$, and then completes the signing process by generating a ring signature on m and σ', i.e. $\sigma^{RS} \leftarrow \mathrm{RS.Sig}(\bar{sk}_i, m\|\sigma'\|PK_{U_i}, R)$ where $R := \{\bar{pk}_i, apk\}$. The full signature is then set as $\sigma := (\sigma', \sigma^{RS})$.
• Ver: On input a message m and a signature σ purportedly produced by $U_i$, where $\sigma = (\sigma', \sigma^{RS})$, the verifier checks the validity of σ' and $\sigma^{RS}$ by running $\mathrm{SIG.Ver}(m, \sigma', \hat{pk}_i)$ and $\mathrm{RS.Ver}(m\|\sigma'\|PK_{U_i}, \sigma^{RS}, R)$ respectively, where $R := \{\bar{pk}_i, apk\}$. If both output accept, it returns accept; otherwise, it returns reject.
• PSig: On input a message m, the signer $U_i$ computes a conventional signature, i.e. $\sigma' \leftarrow \mathrm{SIG.Sig}(\hat{sk}_i, m)$, and returns σ' as the partial signature.
• PVer: On input a message m and a partial signature σ' purportedly produced by $U_i$, the verifier returns $\mathrm{SIG.Ver}(m, \sigma', \hat{pk}_i)$.
• Res: On input a message m and a partial signature σ' of user $U_i$, the arbitrator first checks the validity of σ' by running $\mathrm{OFE.PVer}(m, \sigma', PK_{U_i}, APK)$. If σ' is invalid, it rejects the input by outputting ⊥; otherwise, it computes $\sigma^{RS} \leftarrow \mathrm{RS.Sig}(ask, m\|\sigma'\|PK_{U_i}, R)$, where $R := \{\bar{pk}_i, apk\}$. The arbitrator returns $\sigma := (\sigma', \sigma^{RS})$.

As in [DLY07], one cannot view σ' as the full signature of the signer, even though it is itself a valid conventional signature. The signer's full commitment to a message comprises the partial signature σ' generated using SIG, along with a ring signature $\sigma^{RS}$ produced by the signer or the arbitrator using RS. The correctness of the construction simply follows from that of SIG and RS, and the ambiguity requirement is satisfied due to the anonymity of the ring signature RS.

Remark 3: One may notice that Dodis et al.'s generic OFE construction [DLY07] uses a similar idea to ours. They employ a conventional signature as the partial signature and use an additional OR-signature to complete the generation of the full signature. An OR-signature itself can be viewed as a two-user ring signature. Even though OR-signatures can express much richer languages, almost all constructions of OR-signatures follow the Fiat-Shamir heuristic and thus can only be proven secure in the random oracle model, or otherwise require a complex NP-reduction and non-interactive witness-indistinguishable proofs of knowledge, which can be very inefficient. By applying our idea, an efficient and generic OFE scheme without random oracles can be built, as there are already quite a number of efficient conventional signature schemes and ring signature schemes proven secure without random oracles in the literature.

Intuitively, for our construction above, Security Against Signers holds unconditionally; Security Against Verifiers follows from the unforgeability of the ring signature RS; and Security Against the Arbitrator is guaranteed by the unforgeability of SIG. Thus, we have the following theorem.

Theorem 4.1. The generic construction of optimistic fair exchange scheme OFE above is secure in the multi-user setting and chosen-key model, provided that SIG is a conventional signature scheme that is existentially unforgeable against chosen message attacks and RS is a ring signature scheme with basic anonymity and existential unforgeability under an adaptive attack, against a static adversary.

Proof. Theorem 4.1 immediately follows from the following lemmas.

Lemma 4.2. The optimistic fair exchange scheme OFE above is unconditionally secure against signers.

Proof. Obviously, for any message m and any valid signature σ' on m under the verification key $\hat{pk}_i$, the arbitrator can always produce a ring signature $\sigma^{RS}$ on $m\|\sigma'\|PK_{U_i}$ under the ring $R := \{\bar{pk}_i, apk\}$. Therefore, no adversary can win the game.

Lemma 4.3. The optimistic fair exchange scheme OFE above is secure against verifiers if RS is unforgeable under adaptive attacks against a static adversary.

Proof. Suppose that B is a PPT adversary which breaks the Security Against Verifiers with probability $\epsilon_B$. We construct a PPT algorithm $\bar{B}$ to break the existential unforgeability of RS with the same probability. On input a security parameter $1^k$ and given two public keys $pk_0$ and $pk_1$, which are the (honestly generated) challenge public keys as in the unforgeability game of ring signature (see the experiment in Sec. 4), $\bar{B}$ randomly generates a key pair $(\hat{sk}, \hat{pk})$ of SIG by running $(\hat{sk}, \hat{pk}) \leftarrow \mathrm{SIG.KG}(1^k)$, flips a bit $b \leftarrow \{0,1\}$, and sets $APK := pk_b$ and $PK := (\hat{pk}, pk_{1-b})$. It then runs B on input (APK, PK), and simulates oracle $O_{\mathrm{PSig}}$ using the secret key $\hat{sk}$ and oracle $O_{\mathrm{Res}}$ using $\bar{B}$'s ring signing oracle. In more detail, to answer a PSig query on m, $\bar{B}$ computes and returns $\mathrm{SIG.Sig}(\hat{sk}, m)$ to B. To answer a Res query $(m, \sigma', PK_{U_i})$, if σ' is a valid partial signature on m under $PK_{U_i}$, $\bar{B}$ queries its ring signing oracle for a ring signature $\sigma^{RS}$ on message $m\|\sigma'\|PK_{U_i}$ under the ring $\{pk_0, pk_1\}$ using the secret key corresponding to $pk_b$, and then sends $(\sigma', \sigma^{RS})$ back to B. At the end of the experiment, when B outputs its forgery $(\tilde{m}, \tilde{\sigma})$, where $\tilde{\sigma} = (\tilde{\sigma}', \tilde{\sigma}^{RS})$, without loss of generality we assume that B has already obtained $\tilde{\sigma}'$ from a query to oracle $O_{\mathrm{PSig}}$. The other case, that B produced $\tilde{\sigma}'$ by itself, will be covered by the Security Against the Arbitrator, which is to be shown later. Obviously, the simulation above is perfect, and thus B wins the game with probability $\epsilon_B$. We have that $\mathrm{OFE.Ver}(\tilde{m}, \tilde{\sigma}, PK, APK) = \mathsf{accept}$ and $(\tilde{m}, \cdot, PK) \notin \mathrm{Query}(B, O_{\mathrm{Res}})$. The former also implies that $\mathrm{SIG.Ver}(\tilde{m}, \tilde{\sigma}', \hat{pk}) = \mathsf{accept}$ and $\mathrm{RS.Ver}(\tilde{m}\|\tilde{\sigma}'\|PK, \tilde{\sigma}^{RS}, (pk_0, pk_1)) = \mathsf{accept}$ hold. Since $(\tilde{m}, \cdot, PK) \notin \mathrm{Query}(B, O_{\mathrm{Res}})$, $\bar{B}$ has never issued a query to its ring signing oracle on input $\tilde{m}\|\tilde{\sigma}'\|PK$. Therefore, $\tilde{\sigma}^{RS}$ is a valid ring signature on the new message $\tilde{m}\|\tilde{\sigma}'\|PK$ under the ring $\{pk_0, pk_1\}$. We then let $\bar{B}$ output $(\tilde{m}\|\tilde{\sigma}'\|PK, \tilde{\sigma}^{RS})$, and $\bar{B}$ wins its own game with probability $\epsilon_B$.

Lemma 4.4. The optimistic fair exchange scheme OFE above is secure against the arbitrator if SIG is unforgeable under chosen-message attacks.

Proof. Suppose that C is a PPT adversary which breaks the Security Against the Arbitrator with probability $\epsilon_C$. We build a PPT algorithm $\bar{C}$ to break the unforgeability of the conventional signature scheme SIG with the same probability. Given the challenge verification key pk of SIG (along with a signing oracle $O_{sk}$), $\bar{C}$ runs $\mathrm{RS.KG}(1^k)$ to get a key pair $(\bar{sk}, \bar{pk})$ and feeds $PK := (pk, \bar{pk})$ as input to C, which then returns an arbitrator public key APK and begins to issue queries to $O_{\mathrm{PSig}}$. This oracle can be perfectly simulated by $\bar{C}$ using $O_{sk}$. Namely, on input a message m, $\bar{C}$ forwards it to $O_{sk}$ and relays the oracle's answer to C as a valid partial signature. Finally, C outputs its forgery $(\tilde{m}, \tilde{\sigma})$ where $\tilde{\sigma} = (\tilde{\sigma}', \tilde{\sigma}^{RS})$, such that $\mathrm{OFE.Ver}(\tilde{m}, \tilde{\sigma}, PK, APK) = \mathsf{accept}$ and $(\tilde{m}, \cdot) \notin \mathrm{Query}(C, O_{\mathrm{PSig}})$. We then have that $\tilde{\sigma}'$ is a valid signature on $\tilde{m}$, and $\tilde{m}$ has never been issued by $\bar{C}$ to its signing oracle. We simply let $\bar{C}$ output $(\tilde{m}, \tilde{\sigma}')$. Obviously $(\tilde{m}, \tilde{\sigma}')$ is a valid forgery for SIG, and $\bar{C}$ wins the unforgeability game with advantage $\epsilon_C$.
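As an added illustration of the Sec. 4.1 construction (example code written for this page, not the paper's), the following Python block instantiates SIG with a Schnorr signature and RS with an AOS-style two-member ring signature over a toy prime-order subgroup; both are random-oracle-based substitutes chosen for brevity, so the block shows the structure of PSig/Sig/Res/Ver and the two-member ring {signer, arbitrator}, not the paper's standard-model instantiations. The 62-bit group, the message encoding and all function names are assumptions of this example.

```python
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for 41 <= n < 3.3e24."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(start: int = 1 << 62):
    """Smallest q >= start with q and p = 2q + 1 prime; g = 4 generates the order-q subgroup."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = _safe_prime_group()  # constructed toy group (~62-bit q), far below real-world sizes

def _hash(*parts) -> int:
    """Hash of the printed parts into Z_q; treated as a random oracle in this toy."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q

# SIG: Schnorr. Key pair (x, y = g^x); signature (R, s) with s = k + H(R, m) * x.
def sig_kg():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sig_sign(x, m):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + _hash("sig", R, m) * x) % Q

def sig_ver(m, sig, y) -> bool:
    R, s = sig
    return pow(G, s, P) == R * pow(y, _hash("sig", R, m), P) % P

# RS: AOS-style ring signature. The signer at index idx closes the ring of challenges.
def rs_sign(x, idx, m, ring):
    n = len(ring)
    c, s = [0] * n, [0] * n
    alpha = secrets.randbelow(Q - 1) + 1
    c[(idx + 1) % n] = _hash("rs", ring, m, pow(G, alpha, P))
    i = (idx + 1) % n
    while i != idx:  # simulated responses for every other ring member
        s[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = _hash("rs", ring, m, pow(G, s[i], P) * pow(ring[i], c[i], P) % P)
        i = (i + 1) % n
    s[idx] = (alpha - c[idx] * x) % Q  # real response: g^s[idx] * y^c[idx] == g^alpha
    return c[0], s

def rs_ver(m, sig, ring) -> bool:
    c0, s = sig
    c = c0
    for i, y in enumerate(ring):
        c = _hash("rs", ring, m, pow(G, s[i], P) * pow(y, c, P) % P)
    return c == c0

# OFE of Sec. 4.1: partial signature = SIG; full signature = partial signature plus a
# ring signature on m || sigma' || PK_U under the ring {signer's RS key, arbitrator key}.
def setup_ttp():
    return sig_kg()  # (ASK, APK) <- RS.KG; RS and SIG keys have the same shape here

def setup_user():
    sk_hat, pk_hat = sig_kg()  # SIG key pair
    sk_bar, pk_bar = sig_kg()  # RS key pair
    return (sk_hat, sk_bar), (pk_hat, pk_bar)

def ofe_psig(m, SK):
    return sig_sign(SK[0], m)

def ofe_pver(m, psig, PK) -> bool:
    return sig_ver(m, psig, PK[0])

def ofe_sig(m, SK, PK, APK):
    psig = ofe_psig(m, SK)
    return psig, rs_sign(SK[1], 0, (m, psig, PK), [PK[1], APK])

def ofe_res(m, psig, PK, ASK, APK):
    if not ofe_pver(m, psig, PK):
        return None  # the arbitrator refuses an invalid partial signature
    return psig, rs_sign(ASK, 1, (m, psig, PK), [PK[1], APK])

def ofe_ver(m, sigma, PK, APK) -> bool:
    psig, rsig = sigma
    return ofe_pver(m, psig, PK) and rs_ver((m, psig, PK), rsig, [PK[1], APK])
```

A full signature produced by `ofe_sig` and one produced by `ofe_res` verify identically and are indistinguishable to a verifier, which is the ambiguity the construction inherits from RS.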

4.2 Instantiations

There are quite a number of efficient conventional signature schemes and ring signature schemes without random oracles in the literature, such as [Wat05, BB04], [SW07, CGS07, Boy07] and many others. Using these schemes and applying our generic construction, we obtain many concrete and efficient OFE schemes proven secure without random oracles in the multi-user setting and chosen-key model. For example, we can use Waters' signature scheme [Wat05] as SIG and the Shacham-Waters ring signature scheme [SW07] as RS. Note that in such an instantiation, Waters' signature scheme may work in a group of composite order [SW07] rather than in a group of prime order [Wat05], so that SIG and RS can share the same set of system parameters. Besides, it is necessary to mention that there is a global setup process before any execution of the scheme. The requirement of having such a setup process stems from that of the Shacham-Waters ring signature scheme. For this instantiation, the ambiguity of the scheme is based on the subgroup decision assumption [BGN05, SW07], while security against verifiers and security against the arbitrator are based on the computational Diffie-Hellman assumption. The OFE.Sig algorithm of the resulting scheme requires no pairing operation, and the OFE.Ver algorithm requires four pairings. A main disadvantage of this instantiation is that the size of the system parameters is large. It is determined by the output length of the underlying hash function used in Waters' signature scheme [Wat05, SW07]. Alternatively, we may consider another instantiation, which enjoys much shorter system parameters but relies on a stronger underlying assumption, namely the strong Diffie-Hellman assumption [BB04, CGS07]. In this instantiation, we employ the Boneh-Boyen weakly secure signature scheme [BB04] plus a one-time signature scheme as SIG⁴, and the Chandran-Groth-Sahai ring signature scheme (in the common reference string model) [CGS07] as RS.
The reason that we use the Boneh-Boyen weakly secure signature scheme plus a one-time signature scheme as SIG is the same as the one behind the combination of the Waters signature and the Shacham-Waters ring signature: SIG and RS share system parameters. Note that for RS, we do not need to use the signature compression technique of [CGS07], since the ring in our case consists of only two users. The Sig algorithm of the resulting scheme does not require any pairing operation either, while the Ver algorithm requires nine pairings.

In these two instantiations, each user has two key pairs, one for the conventional signature and the other for the ring signature, just as in the generic construction (Sec. 4.1). To make the instantiations more practical and efficient, one may wish to combine the two key pairs into one. Boyen's ring signature [Boy07] (or, say, his mesh signature) is a good candidate for this purpose. In Boyen's ring signature scheme, the adversary can make not only ring signature queries but also atomic (or conventional) signature queries. Boyen's scheme works in the common reference string model. The anonymity holds unconditionally, and the unforgeability is guaranteed by the Poly Strong Diffie-Hellman assumption introduced by Boyen [Boy07], which is a stronger variant of the Strong Diffie-Hellman (SDH) assumption. In the resulting OFE scheme, the signer Alice and the arbitrator Charlie form a ring. We view an atomic signature of Alice as her partial signature, and the combination of the atomic signature and a ring signature as Alice's full commitment. We can see that, similar to the generic construction, the security against signers of this optimized instantiation also holds unconditionally. The security against verifiers holds due to the unforgeability of Boyen's (two-user) ring signature scheme, and the security against the arbitrator follows from the unforgeability of the (single-user) ring signature scheme. Any forgery of Alice's atomic signature σ' on a message m, where $\sigma' = (S, t) = (g^{1/(a + bm + ct)}, t)$ and (a, b, c) is Alice's secret key, can be trivially transformed into a forgery of the ring signature scheme under the ring consisting of Alice only: we set $s_0 := 0$ and randomly select $t_0$ from its domain; the forgery is then $(S_0, S_1, t_0, t_1) := (1, S, t_0, t)$. The validity of the forgery is readily seen. Though this instantiation relies on a stronger assumption, it enjoys higher efficiency and fewer system parameters. It requires fewer pairing operations for OFE.Ver than the second instantiation, and has fewer system parameters than the first instantiation. OFE.Sig does not require any pairing operation, and OFE.Ver requires only four pairings. Each user, including the arbitrator, needs to manage only one key pair (unlike the first two instantiations, in which each user has two key pairs), and the public key consists of only three points on the elliptic curve (if we employ the symmetric group setting, i.e. $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_t$) [Boy07].

⁴ It is easy to see that a weakly secure signature scheme plus a one-time signature scheme leads to a signature scheme that is unforgeable against chosen message attacks. We skip the detailed proof here.

5 Two Previous Paradigms

In this section, we review the two previous paradigms which have been commonly used for constructing OFE schemes and evaluate whether they will still be secure under the multi-user setting as well as the chosen-key model.

5.1 Verifiably Encrypted Signature Paradigm

One may regard it as a drawback that our scheme is not stand-alone [ZB06, ZSM07]. However, the stand-alone property does not really provide much advantage to a scheme, except that the full signature may enjoy a smaller size. We note that the verifiably encrypted signature based OFE generic construction reviewed by Dodis et al. [DLY07] has this property. In their paper, they showed that this construction is secure in the multi-user setting and the certified-key model. In the following, we show that the construction is also secure if the certified-key model is upgraded to the chosen-key model. Hence, if the stand-alone property is desired, one can use the verifiably encrypted signature based construction.

We first briefly review the construction here. Let E be a public-key encryption scheme and S be a conventional signature scheme. Let Π be an NIZK proof system. The arbitrator has a key pair for E, and each user holds a key pair for S. To partially sign a message, the signer produces a signature σ using S and encrypts the signature under the arbitrator's public key. Then it runs Π to generate an NIZK proof showing that the ciphertext is correctly formed. The partial signature σ' includes the ciphertext and the proof. The signer's full signature on this message is defined to be σ. To resolve a partial signature, the arbitrator uses its private key to extract the conventional signature σ.

Note that in the proof given in [DLY07], there is no need for the game simulator to know the private keys corresponding to the public keys submitted by the adversary. Security against signers still holds due to the one-time simulation-soundness of the NIZK proof system. For security against verifiers, the simulator does not need to know any of the private keys of the public keys submitted by the malicious verifier and can still simulate the game. This is also the case for security against the arbitrator, which does not even need to submit its private key to the simulator. Everything can be simulated by the simulators using their knowledge of the private keys of honestly generated public keys that are the inputs to the adversaries. Hence, we have the following theorem:

Theorem 5.1. If E is a CCA2-secure encryption scheme [RS92], S is a UF-CMA-secure signature scheme [GMR88], and Π is a one-time simulation-sound NIZK proof system, then the above construction is a stand-alone and setup-free OFE scheme that is secure in the multi-user setting and chosen-key model.

The proof is the same as that in [DLY07], so we omit it here.

Remark 4: Though the verifiably encrypted signature based generic construction discussed above remains secure in the chosen-key model, it involves a complex NP-reduction in the NIZK proof and is thus very inefficient for practical use. Our construction proposed in Sec. 4.1, in contrast, requires only a conventional signature and a ring signature, both of which can be made very practical.

5.2 Two-Party Sequential Multisignature Paradigm

We now re-examine the security of the generic construction based on two-party sequential multisignatures in [DLY07] in the multi-user setting, but under the chosen-key model. This construction was originally designed for the certified-key model. There is a key registration for each user, and part of the user's secret key is sent to the arbitrator for resolving partial signatures when needed. In other words, the arbitrator actually holds an arbitrator key for each user. It seems that the setup-driven property contradicts security under the chosen-key model, since in the chosen-key model the adversary also needs to register with the arbitrator the public keys it chooses maliciously. Thus, the attack shown in Sec. 3 is not applicable here. On the other hand, the security proof in [DLY07] relies on the requirement that the adversary also output the private keys corresponding to the public keys it chooses during the attack. Therefore, it remains unknown whether the two-party sequential multisignature based OFE is secure in the chosen-key model, even though the multisignature scheme WMS due to Lu et al. [LOS+06] is insecure in the chosen-key model. An attack against WMS can be launched by an adversary in a way similar to that proposed in Sec. 3.

6 Optimistic Fair Exchange From Time Capsule Signatures

In the previous sections, we focused on OFE schemes secure in the multi-user setting and the chosen-key model. In this section, we propose a brand new approach to constructing OFE schemes that can be proven secure in the weaker certified-key model. Our goal in this section is to introduce this new paradigm, namely, time capsule signature based OFE. Time capsule signature, introduced by Dodis and Yum in [DY05], is a kind of digital signature scheme which allows a signature to bear a (future) time t so that the signature only becomes valid at time t or later, after a semi-trusted third party, called the time server, releases time-dependent information. Besides, the real signer of a time capsule signature has the privilege to make a time capsule signature valid before time t. In this section, we show another way of constructing OFE schemes secure in the multi-user setting and certified-key model.

Roughly speaking, a time capsule signature scheme consists of 8 PPT algorithms (SetupTS, SetupUser, TSig, TVer, TRelease, Hatch, PreHatch, Ver). The time server runs SetupTS to generate its key pair, and each user runs SetupUser to generate a user key pair. Any user can run TSig to produce a time capsule signature that becomes valid at some time period t, and can later make its signature mature before t by running PreHatch. At each time period t, the time server runs TRelease to release some secret information related to t, with which any user can make a time capsule signature mature and verify its validity. The security of time capsule signatures consists of three aspects: security against the signer, security against the verifier and security against the time server. Briefly,

• Security against the signer requires that no PPT adversary be able to produce a time capsule signature $\sigma'_t$ which looks good to the verifier but cannot be hatched into a full signature by the honest time server.
• Security against the verifier requires that no PPT adversary be able to open a pre-mature time capsule signature without the help of the signer or the time server.
• Security against the time server requires that no PPT time server be able to produce a valid hatched or pre-hatched signature on a message m of the signer without explicitly asking the signer to produce a time capsule signature on that message.

We refer readers to Appendix B or [DY05] for the formal definition of time capsule signature and its security models.

6.1 The Construction

Let TCS = (SetupTS, SetupUser, TSig, TVer, TRelease, Hatch, PreHatch, Ver) be a time capsule signature scheme. In the following, we show how to use TCS to build an optimistic fair exchange scheme OFE' secure in the multi-user setting and the certified-key model. Let k be the security parameter. Suppose that $H: \{0,1\}^* \to T$ is a collision-free hash function, where T is the space of time events. Without loss of generality, we assume that the size of T is super-polynomial in k. This is to ensure the collision-freeness of H.

• SetupTTP: The arbitrator runs $(TSK, TPK) \leftarrow \mathrm{TCS.SetupTS}(1^k)$ and sets (ASK, APK) to be (TSK, TPK).
• SetupUser: Each user $U_i$ generates a public/private key pair by running $(SK_{U_i}, PK_{U_i}) \leftarrow \mathrm{TCS.SetupUser}(1^k)$.
• Sig: On input a message m, the signer $U_i$ generates a time event t by computing $t \leftarrow H(m, PK_{U_i})$⁵. It then computes the full signature as $\sigma \leftarrow \mathrm{TCS.PreHatch}(m, \sigma', SK_{U_i}, APK, t)$ where $\sigma' \leftarrow \mathrm{TCS.TSig}(m, SK_{U_i}, APK, t)$.
• Ver: On input a message m and a signature σ purportedly produced by $U_i$, the verifier computes $t \leftarrow H(m, PK_{U_i})$ and returns $\mathrm{TCS.Ver}(m, \sigma, PK_{U_i}, APK, t)$.
• PSig: On input a message m, the signer $U_i$ computes $t \leftarrow H(m, PK_{U_i})$, and runs $\sigma' \leftarrow \mathrm{TCS.TSig}(m, SK_{U_i}, APK, t)$. It returns σ'.
• PVer: On input a message m and a partial signature σ' purportedly produced by $U_i$, the verifier computes $t \leftarrow H(m, PK_{U_i})$ and returns $\mathrm{TCS.TVer}(m, \sigma', PK_{U_i}, APK, t)$.
• Res: On input a message m and a partial signature σ' of user $U_i$, the arbitrator first checks whether σ' is a valid signature on m with respect to $PK_{U_i}$. If not, it rejects the input by outputting ⊥; otherwise, it computes $t \leftarrow H(m, PK_{U_i})$, runs $z_t \leftarrow \mathrm{TCS.TRelease}(t, ASK)$ and computes $\sigma \leftarrow \mathrm{TCS.Hatch}(m, \sigma', PK_{U_i}, APK, z_t)$. The arbitrator returns σ.

⁵ The reason for computing t rather than randomly selecting it is to ensure that, in the generation of each signature, the time event is distinct whenever the message or the signer differs, which is important in the proof of security against verifiers (see the proof of Lemma D.2).

This construction is setup-free. The stand-alone property depends on that of the underlying time capsule signature. The correctness of OFE' is obvious and the ambiguity property simply follows from that of TCS.

Remark 5: (On the Space T of Time Events) To the best of our knowledge, all the time capsule signature schemes in the literature [DY05, HWH+07, LQ07]⁶ put no restriction on the range of possible time events. In fact, the time event t in these schemes can take any value from $\{0,1\}^*$, since a mechanism analogous to identity-based cryptography is used in their constructions, and t behaves as an identity. Therefore, it is reasonable for us to assume that the size of T is at least super-polynomial in the security parameter, or large enough to guarantee the collision-resistance of H. Besides, if the time event t can take any arbitrary value (i.e., from $\{0,1\}^*$), then we can simply remove H from our construction above to reduce the assumptions needed for building OFE'. That is, we directly use $m\|PK_{U_i}$ instead of its hashed value as the 'time event' t.

For the security of the above construction of OFE', we have the following theorem. Note that since the security of time capsule signatures is defined in a compatible and very similar way to that of OFE in [DLY07], in the following we only show the security of OFE' in the certified-key model, not in the stronger one we propose in Sec. 2.

Theorem 6.1. If there exist secure time capsule signature schemes and collision-free hash functions, then there exist secure optimistic fair exchange schemes in the multi-user setting and the certified-key model.

The detailed proof is given in Appendix D.

6.2 An Instantiation without Random Oracles

Recently, Libert and Quisquater [LQ07] proposed an efficient time capsule signature scheme proven secure in the standard model, which has the ambiguity property. By instantiating our generic construction above with their time capsule signature scheme, the final scheme also enjoys security without random oracles. In this particular scheme, we do not even need to introduce another collision-resistant hash function. This is because a collision-free hash function $H: \{0,1\}^* \to \{0,1\}^n$ has already been employed in the Libert-Quisquater time capsule signature scheme. We can simply use H to map $m\|PK_{U_i}$ into the time event space $\{0,1\}^n$, which is exactly the case in their implementation.

⁶ We note that the schemes in [HWH+07] are not ambiguous. That is, the pre-hatched signatures are distinguishable from hatched signatures.

7 Conclusion

In this paper we considered optimistic fair exchange in the multi-user setting and separated the security of optimistic fair exchange in the certified-key model from that in the chosen-key model. We proposed an efficient generic construction of optimistic fair exchange in the multi-user setting and chosen-key model and proved its security without random oracles. Our scheme is built from a conventional signature and a ring signature, both of which can be efficiently constructed without random oracles. We also discussed some efficient instantiations of our generic construction. Furthermore, we re-examined the verifiably encrypted signature paradigm and the multisignature paradigm for constructing optimistic fair exchange schemes, and showed that the verifiably encrypted signature paradigm considered in [DLY07] remains secure in the chosen-key model, while it is still unknown whether the multisignature based construction is secure in this model. Finally, we observed that, due to the very similar nature of time capsule signatures and optimistic fair exchange, it is straightforward to build an optimistic fair exchange scheme in the multi-user setting and the certified-key model from a time capsule signature scheme secure in the certified-key model in conjunction with a collision-resistant hash function. Combining recent work on time capsule signatures in the standard model with our generic transformation, we obtain an efficient optimistic fair exchange scheme secure without random oracles.

Acknowledgements

We'd like to thank the anonymous reviewers of CT-RSA 2008 for their invaluable comments. The work was supported by grants from CityU (Project Nos. 7001959 and 7002001) and the Research Grants Council of the Hong Kong Special Administrative Region, China (RGC Ref. No. CityU 122107).

References

[ASW97] N. Asokan, Matthias Schunter, and Michael Waidner. Optimistic protocols for fair exchange. In ACM Conference on Computer and Communications Security, pages 7–17. ACM, 1997. (Cited on page 1.)

[ASW98] N. Asokan, Victor Shoup, and Michael Waidner. Optimistic fair exchange of digital signatures (extended abstract). In Advances in Cryptology - EUROCRYPT 98, volume 1403 of Lecture Notes in Computer Science, pages 591–606. Springer, 1998. (Cited on page 1.)

[ASW00] N. Asokan, Victor Shoup, and Michael Waidner. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communication, 18(4):593–610, 2000. (Cited on page 1.)

[BB04] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer, 2004. (Cited on pages 3 and 13.)

[BCNP04] Boaz Barak, Ran Canetti, Jesper Buus Nielsen, and Rafael Pass. Universally composable protocols with relaxed set-up assumptions. In Proceedings of 45th IEEE Symp. on Foundations of Comp. Science (FOCS '04), pages 186–195. IEEE Computer Society, 2004. (Cited on pages 1 and 5.)

[BGLS03] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 416–432. Springer, 2003. (Cited on pages 1, 6, and 8.)

[BGN05] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. Evaluating 2-DNF formulas on ciphertexts. In Joe Kilian, editor, Proceedings of 2nd IACR Theory of Cryptography Conference, TCC 2005, volume 3378 of Lecture Notes in Computer Science, pages 325–341. Springer, Feb. 2005. (Cited on page 13.)

[BKM06] Adam Bender, Jonathan Katz, and Ruggero Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. In Shai Halevi and Tal Rabin, editors, Proceedings of 3rd IACR Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science, pages 60–79. Springer, 2006. Also at Cryptology ePrint Archive, Report 2005/304, http://eprint.iacr.org/. (Cited on pages 2, 5, 9, and 10.)

[Boy07] Xavier Boyen. Mesh signatures: How to leak a secret with unwitting and unwilling participants. In Moni Naor, editor, Advances in Cryptology - EUROCRYPT 2007, volume 4515 of Lecture Notes in Computer Science, pages 210–227. Springer, 2007. (Cited on pages 2, 3, 9, 10, 13, and 14.)

[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73. ACM, 1993. (Cited on page 1.)

[BWZZ04] Feng Bao, Guilin Wang, Jianying Zhou, and Huafei Zhu. Analysis and improvement of Micali's fair contract signing protocol. In Huaxiong Wang, Josef Pieprzyk, and Vijay Varadharajan, editors, Proceedings of 9th Australasian Conference on Information Security and Privacy, ACISP 2004, volume 3108 of Lecture Notes in Computer Science, pages 176–187. Springer, 2004. (Cited on page 1.)

[CD00] Jan Camenisch and Ivan Damgård. Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In Tatsuaki Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 331–345. Springer, 2000. (Cited on page 1.)

[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. In Proceedings of 30th ACM Symp. on Theory of Computing, pages 209–218. ACM, 1998. (Cited on page 1.)

[CGS07] Nishanth Chandran, Jens Groth, and Amit Sahai. Ring signatures of sub-linear size without random oracles. In Proceedings of 34th International Colloquium on Automata, Languages and Programming, ICALP 2007, Lecture Notes in Computer Science. Springer, 2007. (Cited on pages 2, 3, 9, and 13.)

[DLY07] Yevgeniy Dodis, Pil Joong Lee, and Dae Hyun Yum. Optimistic fair exchange in a multi-user setting. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 118–133. Springer, 2007. Also at Cryptology ePrint Archive, Report 2007/182, http://eprint.iacr.org/. (Cited on pages 2, 1, 3, 4, 5, 7, 8, 11, 14, 15, 17, 18, and 24.)

[DR03] Yevgeniy Dodis and Leonid Reyzin. Breaking and repairing optimistic fair exchange from PODC 2003. In ACM Workshop on Digital Rights Management, DRM 2003, pages 47–54. ACM, 2003. (Cited on pages 1, 4, 5, 7, and 8.)

[DY05] Yevgeniy Dodis and Dae Hyun Yum. Time capsule signatures. In Andrew S. Patrick and Moti Yung, editors, Proceedings of Financial Cryptography and Data Security 2005, volume 3570 of Lecture Notes in Computer Science, pages 57–71. Springer, 2005. (Cited on pages 2, 3, 15, 16, 17, and 22.)

[ES05] Paul D. Ezhilchelvan and Santosh K. Shrivastava. A family of trusted third party based fair exchange protocols. IEEE Transactions on Dependable and Secure Computing, 2(4):273–286, Oct-Dec 2005. (Cited on page 1.)

[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald Rivest. A digital signature scheme secure against adaptive chosen-message attack. SIAM J. Computing, 17(2):281–308, April 1988. (Cited on pages 2, 9, 15, and 21.)

[HWH+07] Bessie C. Hu, Duncan S. Wong, Qiong Huang, Guomin Yang, and Xiaotie Deng. Time capsule signature: Efficient and provably secure constructions. In Javier Lopez and Pierangela Samarati, editors, Proceedings of 4th European PKI Workshop: Theory and Practice, EuroPKI 2007, volume 4582 of Lecture Notes in Computer Science, pages 126–142. Springer, 2007. Full paper is available at Cryptology ePrint Archive, Report 2007/146, http://eprint.iacr.org/. (Cited on page 17.)

[HYWS08] Qiong Huang, Guomin Yang, Duncan S. Wong, and Willy Susilo. Efficient optimistic fair exchange secure in the multi-user setting and chosen-key model without random oracles. In Proceedings of Topics in Cryptology - CT-RSA 2008, volume ?? of Lecture Notes in Computer Science, pages ??–??. Springer, 2008. (Cited on page 1.)

[Kre03] Steve Kremer. Formal Analysis of Optimistic Fair Exchange Protocols. PhD thesis, Université Libre de Bruxelles, 2003. (Cited on page 1.)

[LMRS04] Anna Lysyanskaya, Silvio Micali, Leonid Reyzin, and Hovav Shacham. Sequential aggregate signatures from trapdoor permutations. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 74–90. Springer, May 2004. (Cited on pages 2, 4, 5, and 8.)

[LOS+06] Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Sequential aggregate signatures and multisignatures without random oracles. In Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 465–485. Springer, 2006. (Cited on pages 2, 1, 4, 5, 8, 9, 15, and 23.)

[LQ07] Benoît Libert and Jean-Jacques Quisquater. Practical time capsule signatures in the standard model from bilinear maps. In Tsuyoshi Takagi, Takeshi Okamoto, Eiji Okamoto, and Tatsuaki Okamoto, editors, Proceedings of 1st International Conference on Pairing-Based Cryptography, Pairing 2007, volume 4575 of Lecture Notes in Computer Science, pages 23–38. Springer, July 2007. (Cited on pages 3 and 17.)

[Mic03] Silvio Micali. Simple and fast optimistic protocols for fair electronic exchange. In ACM Symposium on Principles of Distributed Computing, PODC 2003, pages 12–19. ACM, 2003. (Cited on page 1.)

[PCS03] Jung Min Park, Edwin K.P. Chong, and Howard Jay Siegel. Constructing fair-exchange protocols for e-commerce via distributed computation of RSA signatures. In PODC 2003, pages 172–181. ACM, 2003. (Cited on page 1.)

[RS92] Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology - CRYPTO 91, volume 576 of Lecture Notes in Computer Science, pages 433–444. Springer, 1992. (Cited on page 15.)

[RST01] Ronald Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In Colin Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 552–565. Springer, 2001. (Cited on pages 2 and 9.)

[SW07] Hovav Shacham and Brent Waters. Efficient ring signatures without random oracles. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 166–180. Springer, 2007. (Cited on pages 2, 3, 9, and 13.)

[Wan05] Guilin Wang. An abuse-free fair contract signing protocol based on the RSA signature. In Proceedings of 14th International Conference on World Wide Web, WWW 2005, pages 412–421. ACM, 2005. (Cited on page 1.)

[Wat05] Brent Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 114–127. Springer, 2005. (Cited on pages 1, 2, 3, and 13.)

[ZB06] Huafei Zhu and Feng Bao. Stand-alone and setup-free verifiably committed signatures. In Proceedings of Topics in Cryptology - CT-RSA 2006, volume 3860 of Lecture Notes in Computer Science, pages 159–173. Springer, 2006. (Cited on pages 1, 5, 8, and 14.)

[Zhu03] Huafei Zhu. Constructing optimistic fair exchange protocols from committed signatures. Cryptology ePrint Archive, Report 2005/012, 2003. http://eprint.iacr.org/. (Cited on page 1.)

[ZSM07] Huafei Zhu, Willy Susilo, and Yi Mu. Multi-party stand-alone and setup-free verifiably committed signatures. In Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 134–149. Springer, 2007. (Cited on pages 1, 5, 8, and 14.)

[ZZF04] Zhenfeng Zhang, Yongbin Zhou, and Dengguo Feng. Efficient and optimistic fair exchanges based on standard RSA with provable security. Cryptology ePrint Archive, Report 2003/178, 2004. http://eprint.iacr.org/. (Cited on page 1.)

Appendix A Security Definition of Conventional Signatures

A conventional digital signature scheme SIG consists of three PPT algorithms (KG, Sig, Ver), where KG is the key generation algorithm, which takes as input the security parameter 1^k and outputs a signing/verification key pair (sk, pk); Sig is the signing algorithm, which takes as input sk and a message m and outputs a signature σ; and Ver is the verification algorithm, which takes m, σ and pk and outputs accept or reject. The standard security notion for conventional signature schemes is existential unforgeability under chosen message attacks [GMR88], which is defined by the following experiment:

$$\begin{aligned}
(sk, pk) &\leftarrow \mathsf{SIG.KG}(1^k) \\
(m, \sigma) &\leftarrow \mathcal{A}^{O_{\mathsf{SIG.Sig}}}(pk) \\
\text{success of } \mathcal{A} &:= [\mathsf{SIG.Ver}(m, \sigma, pk) = \mathsf{accept} \ \wedge\ m \notin \mathrm{Query}(\mathcal{A}, O_{\mathsf{SIG.Sig}})]
\end{aligned}$$

where A is a PPT adversary, O_SIG.Sig is the signing oracle, which takes as input a message m and outputs a signature on m under pk, and Query(A, O_SIG.Sig) is the set of all signing queries issued by A. The advantage of A in the experiment is defined to be its success probability. A signature scheme is said to be existentially unforgeable under chosen message attacks (or simply unforgeable) if there is no PPT adversary that wins the experiment with non-negligible advantage.

Appendix B Time Capsule Signatures [DY05]

Definition B.1 ([DY05]). A time capsule signature scheme is specified by an 8-tuple of PPT algorithms (Setup_TS, Setup_User, TSig, TVer, TRelease, Hatch, PreHatch, Ver) such that:

• Setup_TS: This setup algorithm is run by the Time Server. It takes a security parameter 1^k and returns a private/public time release key pair (TSK, TPK).

• Setup_User: This setup algorithm is run by each user. It takes as input 1^k and returns the user's private/public key pair (SK, PK).

• TSig: The time capsule signature generation algorithm TSig takes as input (m, SK, TPK, t), where t is a specific time event from which the signature becomes valid, and outputs a time capsule signature σ′_t.

• TVer: The time capsule signature verification algorithm TVer takes (m, σ′_t, PK, TPK, t) and returns accept or reject.

• TRelease: The time release algorithm TRelease takes as input (t, TSK). At the beginning of each time event t, the time server publishes z_t ← TRelease(t, TSK).

• Hatch: This algorithm can be run by any party and is used to open a valid time capsule signature which has become mature. It takes as input (m, σ′_t, PK, TPK, z_t) and returns a hatched signature σ_t.

• PreHatch: This algorithm is run by the signer and is used to open a valid time capsule signature which is not mature yet. It takes as input (m, σ′_t, SK, TPK, t) and returns the pre-hatched signature σ_t.

• Ver: This algorithm is used to verify a hatched or pre-hatched signature. Ver takes as input (m, σ_t, PK, TPK, t) and returns accept or reject.

The correctness requirement states that TVer(m, TSig(m, SK, TPK, t), PK, TPK, t) = accept and Ver(m, σ_t, PK, TPK, t) = accept, where σ_t ← Hatch(m, TSig(m, SK, TPK, t), PK, TPK, TRelease(t, TSK)) or σ_t ← PreHatch(m, TSig(m, SK, TPK, t), SK, TPK, t).

The ambiguity property requires that a "hatched signature" σ_t ← Hatch(m, TSig(m, SK, TPK, t), PK, TPK, TRelease(t, TSK)) is (computationally) indistinguishable from a "pre-hatched signature" σ_t ← PreHatch(m, TSig(m, SK, TPK, t), SK, TPK, t), even if the distinguisher knows TSK.

The security of time capsule signatures consists of three aspects: security against the signer Alice, security against the verifier Bob, and security against the time server. In the following, we denote by O_TSig the oracle simulating the algorithm TSig, which takes (m, t) as input and returns Alice's time capsule signature σ′_t; by O_TR the oracle simulating the algorithm TRelease, which takes t as input and returns the secret time information z_t; and by O_PreH the oracle simulating the algorithm PreHatch, which takes (m, t, σ′_t) as input and returns Alice's pre-hatched signature σ_t.

• Security against Alice: We require that any PPT adversary A succeeds with at most negligible probability in the following experiment:

$$\begin{aligned}
&\mathsf{Setup_{TS}}(1^k) \rightarrow (TSK, TPK) \\
&(m, t, \sigma'_t, PK) \leftarrow \mathcal{A}^{O_{TR}}(TPK) \\
&z_t \leftarrow \mathsf{TRelease}(t, TSK) \\
&\sigma_t \leftarrow \mathsf{Hatch}(m, \sigma'_t, PK, TPK, z_t) \\
&\text{success of } \mathcal{A} = [\mathsf{TVer}(m, \sigma'_t, PK, TPK, t) = \mathsf{accept} \ \wedge\ \mathsf{Ver}(m, \sigma_t, PK, TPK, t) = \mathsf{reject}]
\end{aligned}$$

• Security against Bob: We require that any PPT adversary B succeeds with at most negligible probability in the following experiment:

$$\begin{aligned}
&\mathsf{Setup_{TS}}(1^k) \rightarrow (TSK, TPK) \\
&\mathsf{Setup_{User}}(1^k) \rightarrow (SK, PK) \\
&(m, t, \sigma_t) \leftarrow \mathcal{B}^{O_{TSig}, O_{TR}, O_{PreH}}(PK, TPK) \\
&\text{success of } \mathcal{B} = [\mathsf{Ver}(m, \sigma_t, PK, TPK, t) = \mathsf{accept} \ \wedge\ t \notin \mathrm{Query}(\mathcal{B}, O_{TR}) \ \wedge\ (m, t, \cdot) \notin \mathrm{Query}(\mathcal{B}, O_{PreH})]
\end{aligned}$$

where Query(B, O_TR) is the set of queries B issued to the time release oracle O_TR, and Query(B, O_PreH) is the set of valid queries B issued to the pre-hatch oracle O_PreH (i.e., tuples (m, t, σ′_t) such that TVer(m, σ′_t, PK, TPK, t) = accept).

• Security against the time server: We require that any PPT adversary C succeeds with at most negligible probability in the following experiment:

$$\begin{aligned}
&\mathsf{Setup^*_{TS}}(1^k) \rightarrow (TSK^*, TPK) \\
&\mathsf{Setup_{User}}(1^k) \rightarrow (SK, PK) \\
&(m, t, \sigma_t) \leftarrow \mathcal{C}^{O_{TSig}, O_{PreH}}(PK, TPK, TSK^*) \\
&\text{success of } \mathcal{C} = [\mathsf{Ver}(m, \sigma_t, PK, TPK, t) = \mathsf{accept} \ \wedge\ (m, \cdot) \notin \mathrm{Query}(\mathcal{C}, O_{TSig})]
\end{aligned}$$

where Setup*_TS denotes the run of Setup_TS with a dishonest time server (run by C), TSK* is C's state after this run, and Query(C, O_TSig) is the set of queries C issued to the time capsule signature generation oracle O_TSig (i.e., (m, t′) ∉ Query(C, O_TSig) for all t′).

Appendix C Review of Lu et al.'s Verifiably Encrypted Signature Scheme [LOS+06]

A verifiably encrypted signature scheme consists of seven PPT algorithms (Kg, Sig, Ver, AKg, ESig, EVer, Adj). Let G, G_T be groups of prime order p, and let e : G × G → G_T be an admissible bilinear pairing. Let g, u_0, u_1, ..., u_k be random generators of G, where k is a security parameter. Below is a brief review of Lu et al.'s verifiably encrypted signature scheme WVES [LOS+06]:

Kg. Pick a random $\alpha \leftarrow \mathbb{Z}_p$ and set $A \leftarrow e(g, g)^\alpha$. The public key is $PK := A$ and the private key is $SK := \alpha$.

Sig. For a message $M = (m_1, \ldots, m_k) \in \{0, 1\}^k$, the signer picks a random $r \leftarrow \mathbb{Z}_p$ and computes
$$S_1 \leftarrow g^\alpha \cdot \Big(u_0 \prod_{i=1}^{k} u_i^{m_i}\Big)^r, \qquad S_2 \leftarrow g^r.$$
The signature is $\sigma := (S_1, S_2)$.

Ver. For a signature $\sigma = (S_1, S_2)$ on message $M$, if
$$e(S_1, g) \cdot e\Big(S_2,\ u_0 \prod_{i=1}^{k} u_i^{m_i}\Big)^{-1} = A,$$
output accept. Otherwise, output reject.

AKg. Randomly pick $\beta \leftarrow \mathbb{Z}_p$ and set $v \leftarrow g^\beta$. The adjudicator's public key is $APK := v$, and the private key is $ASK := \beta$.

ESig. For a message $M \in \{0, 1\}^k$, the signer computes the signature $(S_1, S_2)$ using Sig, randomly picks $s \leftarrow \mathbb{Z}_p$ and computes $K_1 \leftarrow S_1 \cdot v^s$, $K_2 \leftarrow S_2$ and $K_3 \leftarrow g^s$. The verifiably encrypted signature is $\eta := (K_1, K_2, K_3)$.

EVer. For a verifiably encrypted signature $\eta = (K_1, K_2, K_3)$, if
$$e(K_1, g) \cdot e\Big(K_2,\ u_0 \prod_{i=1}^{k} u_i^{m_i}\Big)^{-1} \cdot e(K_3, v)^{-1} = A,$$
output accept. Otherwise, output reject.

Adj. Given $\eta = (K_1, K_2, K_3)$, the adjudicator outputs $S_1 \leftarrow K_1 \cdot K_3^{-\beta}$ and $S_2 \leftarrow K_2$.

Appendix D Proof of Theorem 6.1

Proof. For security against signers, security against verifiers and security against the arbitrator, we have the following three lemmas, respectively. Note that since the security of time capsule signatures is defined in a way compatible with and very similar to that of OFE in [DLY07], in the following we only show the security proofs of OFE′ in the certified-key model, not in the stronger model we propose in Sec. 2.

Lemma D.1. The optimistic fair exchange scheme OFE′ above is secure against signers.

Proof. Suppose that A is a PPT adversary that breaks the security against signers of OFE′ with non-negligible advantage ε_A. We construct a PPT algorithm Ā which breaks the security against the signer of TCS. Given the time server public key TPK and a time release oracle O_TR which simulates the TCS.TRelease algorithm, Ā randomly selects a hash function H : {0, 1}* → T and runs A on input (TPK, H). During the execution, A has access to the oracle O_Res. To answer A's query (m, σ′, PK_{U_i}), Ā first checks the validity of σ′ by running OFE′.PVer(m, σ′, PK_{U_i}, APK). If it is invalid, Ā returns ⊥. Otherwise, it issues a query to its oracle O_TR on input t ← H(m, PK_{U_i}), which returns the corresponding z_t. Ā then computes σ ← TCS.Hatch(m, σ′, PK_{U_i}, TPK, z_t) and returns σ to A. Note that the above simulation of O_Res is perfect. Finally, A outputs (m, σ′, PK). Without loss of generality, we assume that A wins the game, which happens with probability ε_A. (If A fails, Ā also fails and halts.) Thus we have that OFE′.PVer(m, σ′, PK, TPK) = accept and OFE′.Ver(m, σ, PK, TPK) = reject, where σ ← OFE′.Res(m, σ′, ASK, PK). This indicates that TCS.TVer(m, σ′, PK, TPK, t) = accept and TCS.Ver(m, σ, PK, TPK, t) = reject, where t ← H(m, PK). Hence, we let Ā output (m, t, σ′, PK), and Ā wins its game with probability ε_A.

Remark 6: Note that in the proof, after receiving the output (m, σ′, PK) of A, Ā can actually compute σ by generating the time event t as described above, issuing a query to the oracle O_TR to get z_t, and then running σ_t ← TCS.Hatch(m, σ′_t, PK_A, TPK, z_t). If t was ever issued by Ā to O_TR during the simulation, Ā can simply retrieve the corresponding z_t from its memory instead of issuing a new query. Therefore, Ā can check the validity of A's output and decide whether to output (m, t, σ′, PK_A) or to abort.

Lemma D.2. The optimistic fair exchange scheme OFE′ above is secure against verifiers.

Proof. Suppose that B is a PPT adversary which breaks the security against verifiers of OFE′ with non-negligible advantage ε_B. We construct a PPT algorithm B̄ which breaks the security against the verifier of TCS. Given the time server public key TPK, the signer's public key PK, and oracles O_TSig simulating the algorithm TCS.TSig, O_TR simulating the algorithm TCS.TRelease and O_PreH simulating the algorithm TCS.PreHatch, B̄ randomly selects a hash function H : {0, 1}* → T and runs B on input (TPK, PK, H). To simulate the oracles O_PSig and O_Res for B, B̄ uses O_TSig and O_TR respectively, as follows.

• When B issues a query to O_PSig on input m, B̄ generates the time event t ← H(m, PK) and issues a query to its oracle O_TSig on input (m, t), which returns the signer's time capsule signature σ′_t. B̄ then returns σ′ to B.

• When B issues a valid query to O_Res on input (m, σ′, PK_{U_i}), B̄ generates the time event t ← H(m, PK_{U_i}) and issues a query to O_TR on input t, which returns the corresponding z_t. B̄ then returns σ ← TCS.Hatch(m, σ′, PK_{U_i}, TPK, z_t).

It is readily seen that the above simulation is perfect. Finally, B outputs (m, σ). Without loss of generality, we assume that B wins the game. Thus we have that OFE′.Ver(m, σ, PK, TPK) = accept and (m, ·, PK) ∉ Query(B, O_Res). Since the hash function H is collision-free, it holds with only negligible probability that t ← H(m, PK) is the same as one of the previous time events generated by B̄ during the simulation of O_Res and O_PSig; otherwise, B and B̄ together form an algorithm breaking the collision-freeness of H. If t appeared before, B̄ fails and halts. So we have that B̄ did not issue a query to O_TR on input t. Also note that during the whole execution, B̄ never issued a query to O_PreH. Therefore, we can let B̄ output (m, t, σ), and B̄ succeeds in its game with probability ε_B̄ such that |ε_B − ε_B̄| is negligible in k. The difference is due to the negligible probability that a collision of H occurs.

Lemma D.3. The optimistic fair exchange scheme OFE′ above is secure against the arbitrator.

Proof. Suppose that C is a PPT adversary which breaks the security against the arbitrator of OFE′ with non-negligible advantage ε_C. We construct a PPT algorithm C̄ which breaks the security against the time server of TCS. Given the time server private/public key pair (TSK*, TPK), the public key PK of the signer Alice, and oracles O_TSig simulating the algorithm TCS.TSig and O_PreH simulating the algorithm TCS.PreHatch, C̄ randomly selects a hash function H : {0, 1}* → T and runs C on input (TSK*, PK, TPK, H). To simulate the oracle O_PSig for C, C̄ generates the time event t as described in the OFE′.PSig algorithm and then issues a query to O_TSig on input (m, t), which returns Alice's time capsule signature σ′. C̄ returns σ′ to C. It is easy to see that the simulation is perfect.

Finally, C outputs (m, σ). Again, we simply assume that C wins its game, which happens with probability ε_C. Thus we have that OFE′.Ver(m, σ, PK, TPK) = accept and m ∉ Query(C, O_PSig). This indicates that C̄ did not issue a query to its oracle O_TSig on input (m, t′) for any t′. Also note that during the simulation, C̄ never issued a query to its oracle O_PreH. Therefore, we can let C̄ output (m, t, σ), where t ← H(m, PK), and C̄ succeeds in its game with probability ε_C.

From the above three lemmas, Theorem 6.1 immediately follows.
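The OFE-from-TCS transformation that the conclusion describes, the TCS interface of Appendix B, and the role of the time event t = H(m‖PK) in the proof of Lemma D.2, as an added example that is not code from the paper or from [DY05], [HWH+07] or [LQ07]. It is written in Go with Ed25519 from the standard library. The time capsule signature inside it is a constructed toy (a capsule is the signer's signature on (t, m); it is opened by either the time server's signature on t or a second signature by the signer), so it is not ambiguous, and its names (Party, Capsule, Release, Opened, timeEvent, RunExchange) are mine. The mapping of OFE′ algorithms onto TCS algorithms (PSig = TSig, PVer = TVer, Res = TRelease + Hatch, the signer's full signature = PreHatch, Ver = Ver) is my reading of Section 6, with SHA-256 standing in for the collision-resistant H.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Toy time capsule signature (TCS), constructed for this example; it is NOT the
// scheme of [DY05], [HWH+07] or [LQ07].  A capsule sigma'_t is the signer's
// Ed25519 signature on ("capsule", t, m).  It is opened with z_t, the time
// server's signature on ("release", t) (Hatch), or with the signer's signature on
// ("prehatch", t, m) (PreHatch).  The two openings are distinguishable, so the toy
// lacks the ambiguity property, like the schemes in [HWH+07].
type Party struct { // a key holder: the time server (= arbitrator) or a user
	PK ed25519.PublicKey
	sk ed25519.PrivateKey
}
type Capsule []byte                  // sigma'_t
type Release struct{ T, Sig []byte } // z_t for time event T
type Opened struct {                 // sigma_t
	Capsule  Capsule
	Proof    []byte
	ByServer bool // true: hatched with z_t; false: pre-hatched by the signer
}

// encode builds the string to sign; tag, t and PK have fixed length, so the
// encoding is unambiguous even though m may contain arbitrary bytes.
func encode(tag string, parts ...[]byte) []byte {
	return bytes.Join(append([][]byte{[]byte(tag)}, parts...), []byte{0})
}
func Setup() *Party { // Setup_TS and Setup_User: both just generate a key pair here
	pk, sk, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return &Party{PK: pk, sk: sk}
}
func (p *Party) TSig(m, t []byte) Capsule { return ed25519.Sign(p.sk, encode("capsule", t, m)) }
func TVer(m []byte, c Capsule, pk ed25519.PublicKey, t []byte) bool {
	return ed25519.Verify(pk, encode("capsule", t, m), c)
}
func (ts *Party) TRelease(t []byte) Release {
	return Release{T: t, Sig: ed25519.Sign(ts.sk, encode("release", t))}
}
func Hatch(m []byte, c Capsule, pk, tpk ed25519.PublicKey, z Release) (Opened, bool) {
	if !TVer(m, c, pk, z.T) || !ed25519.Verify(tpk, encode("release", z.T), z.Sig) {
		return Opened{}, false
	}
	return Opened{Capsule: c, Proof: z.Sig, ByServer: true}, true
}
func (p *Party) PreHatch(m []byte, c Capsule, t []byte) Opened {
	return Opened{Capsule: c, Proof: ed25519.Sign(p.sk, encode("prehatch", t, m))}
}
func Ver(m []byte, o Opened, pk, tpk ed25519.PublicKey, t []byte) bool {
	if !TVer(m, o.Capsule, pk, t) {
		return false
	}
	if o.ByServer {
		return ed25519.Verify(tpk, encode("release", t), o.Proof)
	}
	return ed25519.Verify(pk, encode("prehatch", t, m), o.Proof)
}

// OFE' from TCS (the transformation of Section 6): the arbitrator acts as the time
// server, and a partial signature on m under PK uses the time event t = H(m || PK),
// with SHA-256 standing in for the collision-resistant H.
func timeEvent(m []byte, pk ed25519.PublicKey) []byte {
	h := sha256.Sum256(encode("event", m, pk))
	return h[:]
}
func (p *Party) PSig(m []byte) Capsule { return p.TSig(m, timeEvent(m, p.PK)) }
func PVer(m []byte, c Capsule, pk ed25519.PublicKey) bool { return TVer(m, c, pk, timeEvent(m, pk)) }
func (arb *Party) Res(m []byte, c Capsule, pk ed25519.PublicKey) (Opened, bool) {
	if !PVer(m, c, pk) { // Res refuses to resolve an invalid partial signature
		return Opened{}, false
	}
	return Hatch(m, c, pk, arb.PK, arb.TRelease(timeEvent(m, pk)))
}
func (p *Party) Sig(m []byte, c Capsule) Opened { return p.PreHatch(m, c, timeEvent(m, p.PK)) }
func OFEVer(m []byte, o Opened, pk, apk ed25519.PublicKey) bool { return Ver(m, o, pk, apk, timeEvent(m, pk)) }

// RunExchange runs one exchange on constructed messages and reports whether the
// arbitrator's resolution verifies, whether Alice's own full signature verifies, and
// whether z_t released for (m1, PK) is rejected when replayed against Alice's
// partial signature on m2, whose time event t2 = H(m2 || PK) differs from t1.
func RunExchange() (resolvedOK, signedOK, crossReleaseRejected bool) {
	arb, alice := Setup(), Setup()
	m1 := []byte("Alice pays Bob 1200 for notebook #4711") // constructed sample
	m2 := []byte("Alice pays Bob 5000 for nothing")        // constructed sample
	c1 := alice.PSig(m1)
	full1, ok := arb.Res(m1, c1, alice.PK) // Bob turns to the arbitrator
	resolvedOK = ok && OFEVer(m1, full1, alice.PK, arb.PK)
	signedOK = OFEVer(m1, alice.Sig(m1, c1), alice.PK, arb.PK)
	replay := Opened{Capsule: alice.PSig(m2), Proof: full1.Proof, ByServer: true}
	crossReleaseRejected = !OFEVer(m2, replay, alice.PK, arb.PK)
	return
}

func main() { fmt.Println(RunExchange()) }
```

The last check in RunExchange is the point of Lemma D.2: the arbitrator's release z_t is bound to one (m, PK) pair through t = H(m‖PK), so resolving one partial signature hands Bob nothing that opens any other partial signature from Alice, as long as H is collision-resistant.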


Guomin Yang†

Duncan S. Wong†

Willy Susilo‡

February 1, 2008

Abstract Optimistic fair exchange is a kind of protocols to solve the problem of fair exchange between two parties. Almost all the previous work on this topic are provably secure only in the random oracle model. In PKC 2007, Dodis et al. considered optimistic fair exchange in a multi-user setting, and showed that the security of an optimistic fair exchange in a single-user setting may no longer be secure in a multi-user setting. Besides, they also proposed one and reviewed several previous construction paradigms and showed that they are secure in the multi-user setting. However, their proofs are either in the random oracle model, or involving a complex and very inefficient NP-reduction. Furthermore, they only considered schemes in the certified-key model in which each user has to show his knowledge of the private key corresponding to his public key. In this paper, we make the following contributions. First, we consider a relaxed model called chosen-key model in the context of optimistic fair exchange, in which the adversary can arbitrarily choose public keys without showing the knowledge of the private keys. We separate the security of optimistic fair exchange in the chosen-key model from the certifiedkey model by giving a concrete counterexample. We also revisit a verifiably encrypted signature based generic construction of optimistic fair exchange and show that it remains secure in the chosen-key model. Second, we strengthen the previous static security model in the multi-user setting to a more practical one which allows an adversary to choose a key adaptively. Third, we propose an efficient and generic optimistic fair exchange scheme in the multi-user setting and chosen-key model. The security of our construction is proven without random oracles. We also propose some efficient instantiations. 
Fourth, based on the observation that time capsule signature shares many desirable properties with optimistic fair exchange, we construct an optimistic fair exchange directly from a time capsule signature. From the efficient construction of time capsule signature due to Libert and Quisquater, we also obtain another optimistic fair exchange construction secure without random oracles.

Keywords: optimistic fair exchange, ring signature, chosen-key model, time capsule signature ∗

A preliminary version of this paper is to appear in CT-RSA 2008 [HYWS08]. Department of Computer Science, City University of Hong Kong, Hong Kong S.A.R., China. {[email protected], [email protected], [email protected]}cityu.edu.hk ‡ School of Computer Science and Software Engineering, University of Wollongong, Australia. [email protected] †

Email: Email:

Contents 1 Introduction 1.1 Related Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Our Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Paper Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 1 2 3

2 Definitions and Security Model 2.1 Definitions in the Multi-User Setting and Chosen-Key Model 2.2 Chosen-Key Model . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Differences From [DLY07] and Multi-Arbitrator Setting . . .

. . . .

3 3 5 6 7

3 Separating Chosen-Key Model From Certified-Key Model 3.1 A WVES-Based OFE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 An Attack Under Chosen-Key Model . . . . . . . . . . . . . . . . . . . . . . . . .

8 8 9

4 An Efficient and Generic Construction without Random Oracles 4.1 The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Instantiations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9 10 13

5 Two Previous Paradigms 5.1 Verifiably Encrypted Signature Paradigm . . . . . . . . . . . . . . . . . . . . . . 5.2 Two-Party Sequential Multisignature Paradigm . . . . . . . . . . . . . . . . . . .

14 14 15

6 Optimistic Fair Exchange From Time Capsule Signatures 6.1 The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2 An Instantiation without Random Oracles . . . . . . . . . . . . . . . . . . . . . .

15 16 17

7 Conclusion

18

A Security Definition of Conventional Signatures

21

B Time Capsule Signatures [DY05]

22

C Review of Lu et al.’s Verifiably Encrypted Signature Scheme [LOS+ 06]

23

D Proof of Theorem 6.1

24

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

1

Introduction

Optimistic fair exchange (OFE, in short), introduced by Asokan, Schunter and Waidner [ASW97], is a kind of protocols to solve the problems in fairly exchanging items between two parties, say Alice and Bob. In such a protocol, there is an arbitrator who is semi-trusted by Alice and Bob and involves only if one party attempts to cheat the other or simply crashes. Let’s consider the following scenario, in which Alice wants to buy a notebook computer from Bob’s shop. Alice first partially authenticates a message that she allows Bob to get the money from her bank account. After checking the validity of Alice’s partial signature, Bob delivers the notebook to her. Later, if Alice is honest, she will sends her full signature to Bob, with which Bob can get the money from the bank. If Alice is dishonest, and refuses to send her full signature, Bob will turn to the arbitrator for help. He shows to the arbitrator the evidence of fulfilling his obligation, who will then resolve Alice’s partial signature into a full one, and send it to Bob. With the full signature, Bob then can complete the transaction and get the money from Alice’s bank account.

1.1

Related Works

Since the introduction, OFE has attracted many researchers’ attention, such as [ASW98, ASW00, CD00, PCS03, DR03, Kre03, Mic03, Zhu03, ZZF04, BWZZ04, Wan05, ES05, DLY07] and so on. There are two popular paradigms for building optimistic fair exchange schemes. One is based on verifiably encrypted signatures [BGLS03], such as [ASW98, ASW00, CD00], and the other is based on sequential two-party multisignatures, such as [PCS03]. Park et al.’s sequential two-party multisignature based optimistic fair exchange [PCS03] was broken and repaired by Dodis and Reyzin [DR03]. However, Dodis-Reyzin schemes are setup-driven [ZB06, ZSM07], which require key registration for all users with the arbitrator. In the same year, Micali proposed a fair electronic exchange protocol for contract signing with an invisible trusted party [Mic03], using a CCA2 secure public key encryption scheme with recoverable randomness (i.e., the decryption algorithm can extract from the ciphertext both the plaintext and the randomness used for generating the ciphertext) and a signature scheme that is existentially unforgeable under chosen message attacks. The idea is similar to that of the verifiably encrypted signature paradigm. Later, Bao et al. [BWZZ04] showed that the scheme does not satisfy the fairness requirement. A dishonest Bob can get Alice’s full commitment without letting Alice get his obligation. They also provided an improvement to avoid such an attack. To the best of our knowledge, almost all verifiably encrypted signature schemes and sequential multisignature schemes, even though efficient, are proven secure in the random oracle model [BR93], in which all parties have oracle access to a truly random function. However, such a model is only heuristic. Provable security of schemes in this model doesn’t guarantee anything about the security when the random oracles are replaced with real-life hash functions [CGH98]. 
The only schemes which are proven secure without random oracles are the verifiably encrypted signature scheme and the multisignature scheme proposed by Lu et al. [LOS+ 06]. Both schemes are based on Waters’ signature scheme [Wat05] (which in turn is based on Computational Diffie-Hellman (CDH) assumption), and have been proven secure in the certified-key model [LOS+ 06] (or the registered-key model [BCNP04]). However, we say, such a model is not practical enough, as each user has to show that it knows the corresponding private key of its public key. In a more practical case, everyone can freely choose a public key to use, without the need to show their knowledge of the private key. We call this model the chosen-key model, 1

which will be discussed later. Recently, Dodis et al. [DLY07] considered optimistic fair exchange in a multi-user setting. Prior to their work, almost all previous results considered the single-user setting only, in which there are only one signer and one verifier (along with an arbitrator). A more practical setting is the multi-user setting, in which there are many signers and many verifiers (along with an arbitrator), so that a dishonest party can collude with some other parties in an attempt of cheating another party. Though the security of both encryption and signature in the single-user setting is preserved in the multi-user setting, Dodis et al. [DLY07] showed that this is not necessarily true for optimistic fair exchange. They showed a counterexample that is secure in the single user setting but insecure in the multi-user setting. Furthermore, they proposed a formal definition of optimistic fair exchange in the multi-user setting, and presented a generic construction. Their generic construction is setup-free (i.e. no key registration is required between users and the arbitrator) and can be built if there exist one-way functions in the random oracle model, or if there exist trapdoor one-way permutations in the standard model. In [DLY07], the authors also revisited the two aforementioned paradigms and showed that they remain valid in the multi-user setting. However, all the schemes presented in [DLY07] were proven secure in the certified-key model only. If the adversary is allowed to choose public keys arbitrarily without requiring to show its knowledge of the corresponding private keys, these schemes may not be secure (see Sec. 3).

1.2 Our Contributions

Our contributions are four-fold. First, we note that optimistic fair exchange schemes secure in the certified-key model may not be secure in the chosen-key model [LMRS04]. We separate these two models by presenting a counterexample, namely a scheme which is secure in the certified-key model but insecure in the chosen-key model. The crux of the problem is that the adversary in the chosen-key model is allowed to set public keys arbitrarily without showing its knowledge of the corresponding private keys (cf. the certified-key model). Hence the model is more realistic, and it gives the adversary more flexibility and power in attacking other honest parties in the system. Second, we further strengthen the security model for optimistic fair exchange in the multi-user setting first proposed by Dodis et al. [DLY07]. In particular, we notice that in [DLY07] the model capturing security against the arbitrator is a static model, which requires the malicious arbitrator to fix its keys before seeing the challenge public key of the signer. We strengthen it to an adaptive model, which allows the arbitrator to set its keys after seeing the challenge public key of the signer. Third, we propose an efficient and generic construction of optimistic fair exchange in the multi-user setting and chosen-key model, and prove its security without random oracles. The construction is based on a conventional signature [GMR88, Wat05] and a ring signature [RST01, Wat05, BKM06, SW07, Boy07, CGS07], both of which can be constructed efficiently without random oracles. This also contributes a new paradigm for constructing optimistic fair exchange, besides the existing ones: the approach based on verifiably encrypted signatures and the one based on sequential two-party multisignatures.
In our generic construction, we further show that the ring signature scheme does not need the highest level of existential unforgeability considered in [BKM06], namely unforgeability with respect to insider corruption. Instead, unforgeability against a static adversary [Boy07] suffices. We also propose some efficient instantiations of our generic construction. We discuss one instantiation based on Waters' signature [Wat05] and the Shacham-Waters ring signature [SW07], another based on the Boneh-Boyen signature [BB04] and the Chandran-Groth-Sahai ring signature [CGS07], and a third based only on Boyen's ring signature scheme [Boy07]. Additionally, we re-examine the security of the two previous paradigms and show that the construction based on verifiably encrypted signatures remains secure in the chosen-key model. Fourth, we consider another approach to building optimistic fair exchange schemes. We show that optimistic fair exchange schemes in the multi-user setting and certified-key model can easily be constructed from time capsule signatures, introduced by Dodis and Yum in FC 2005 [DY05], since the two primitives share many desirable properties. In a time capsule signature scheme there is a semi-trusted time server, which honestly publishes the corresponding secret information at each time event $t$. Alice produces a 'premature' signature $\sigma'$ on a message $m$, which is claimed to become 'mature' at time event $t$, and sends it to Bob, who verifies the validity of $\sigma'$. At time $t$, the time server publishes the secret information for $t$, which can be used by anybody to convert $\sigma'$ into a mature signature of Alice. Besides, Alice can also pre-hatch her signature $\sigma'$ before the claimed time $t$. In this paper we show that optimistic fair exchange can be constructed from a time capsule signature in a straightforward way. Combining this with recent work on time capsule signatures in the standard model due to Libert and Quisquater [LQ07], we obtain an optimistic fair exchange scheme secure without random oracles in the multi-user setting and certified-key model.

1.3 Paper Organization

In the next section, we review the definition of optimistic fair exchange and modify Dodis et al.'s security games to adapt them to the chosen-key model. In Sec. 3, we give a counterexample separating the security levels of the certified-key model and the chosen-key model. Our generic construction is then proposed and shown secure in the multi-user setting and under the chosen-key model in Sec. 4; some efficient instantiations are also discussed in that section. In Sec. 5, we re-examine the security of the two popular paradigms in the chosen-key model. In Sec. 6, we show that an optimistic fair exchange scheme can be constructed directly from a time capsule signature scheme. Finally, we conclude the paper in Sec. 7.

2 Definitions and Security Model

Let $k \in \mathbb{N}$ be a security parameter. If $x$ is a binary string, $|x|$ denotes the length of $x$; if $S$ is a set, $|S|$ denotes the cardinality of $S$. For any binary strings $x$ and $y$, $x\|y$ denotes the concatenation of $x$ and $y$. By $x \leftarrow S$ we denote the operation that process $S$ is performed and the output is $x$ if $S$ is an algorithm, or that $x$ is randomly and uniformly selected from $S$ if it is a distribution. By $x := (a, b, c)$ we denote the simple assignment operation. By 'PPT' we mean that an algorithm is probabilistic polynomial-time. A function $f$ is said to be negligible in $n$ if for every positive polynomial $p(\cdot)$ and for all sufficiently large $n$, we have that $f(n) < 1/p(n)$.

2.1 Definitions in the Multi-User Setting and Chosen-Key Model

The definition for non-interactive optimistic fair exchange (OFE) follows the one in the multi-user setting given in [DLY07], but with the authenticity assumption on public keys removed. This implies that we do not restrict ourselves to the certified-key model [LOS+06], but consider the definition under a stronger security model, called the chosen-key model [LMRS04]. We give more details shortly (Sec. 2.2) and make some additional remarks to discuss some subtleties in the definitions.

Definition 2.1. A non-interactive optimistic fair exchange (OFE) involves two users (a signer and a verifier) and an arbitrator, and is formalized using the following PPT algorithms:
• SetupTTP: On input $1^k$, it generates a secret arbitration key $ASK$ and a public partial verification key $APK$.
• SetupUser: On input $1^k$ and (optionally) $APK$, it outputs a secret/public key pair $(SK, PK)$. For a user $U_i$, we use $(SK_{U_i}, PK_{U_i})$ to denote the user's key pair.
• Sig and Ver: Similar to the signing and verification algorithms of an ordinary digital signature scheme, $\mathrm{Sig}(m, SK_{U_i}, APK)$ outputs a signature $\sigma_{U_i}$, while $\mathrm{Ver}(m, \sigma_{U_i}, PK_{U_i}, APK)$ outputs accept or reject, where the message $m$ is chosen by user $U_i$ from the message space $\mathcal{M}$ defined under $PK_{U_i}$.
• PSig and PVer: These are the partial signing and verification algorithms, respectively, where PSig together with Res should be functionally equivalent to Sig. $\mathrm{PSig}(m, SK_{U_i}, APK)$ outputs a partial signature $\sigma'_{U_i}$, while $\mathrm{PVer}(m, \sigma'_{U_i}, PK_{U_i}, APK)$ outputs accept or reject.
• Res: This is the resolution algorithm. $\mathrm{Res}(m, \sigma'_{U_i}, ASK, PK_{U_i})$ outputs a signature $\sigma_{U_i}$, or $\bot$ indicating the failure to resolve a partial signature.

For correctness, we require that for all security parameters $k \in \mathbb{N}$, for any $(ASK, APK) \leftarrow \mathrm{SetupTTP}(1^k)$ and $(SK_{U_i}, PK_{U_i}) \leftarrow \mathrm{SetupUser}(1^k, APK)$, we have
$\mathrm{Ver}(m, \mathrm{Sig}(m, SK_{U_i}, APK), PK_{U_i}, APK) = \text{accept}$,
$\mathrm{PVer}(m, \mathrm{PSig}(m, SK_{U_i}, APK), PK_{U_i}, APK) = \text{accept}$, and
$\mathrm{Ver}(m, \mathrm{Res}(m, \mathrm{PSig}(m, SK_{U_i}, APK), ASK, PK_{U_i}), PK_{U_i}, APK) = \text{accept}$.
The ambiguity property requires that any 'resolved signature' $\mathrm{Res}(m, \mathrm{PSig}(m, SK_{U_i}, APK), ASK, PK_{U_i})$ is computationally indistinguishable from an 'actual signature' $\mathrm{Sig}(m, SK_{U_i}, APK)$. In a typical OFE protocol run, the signer $U_i$ first generates the partial signature $\sigma'_{U_i}$ using PSig and sends it to the verifier. The verifier then checks the partial signature using PVer and fulfills his obligation if PVer outputs accept. After that, the signer sends the full signature $\sigma_{U_i}$ to complete the transaction. If no problem occurs, the arbitrator does not participate in the protocol. However, if the signer refuses to send $\sigma_{U_i}$ at the end, the verifier sends $\sigma'_{U_i}$ together with a proof of having fulfilled his obligation to the arbitrator. The arbitrator generates $\sigma_{U_i}$ using Res and sends it to the verifier if the proof is sound. Similar to previous definitions (e.g. [DR03, DLY07]), the definition does not deal with the application-specific question of how the verifier proves to the arbitrator that he has fulfilled his obligation to the signer. However, unlike previous definitions, we do not assume the authenticity of public keys (Sec. 2.2).

Remark 1 (On the Ambiguity): Readers may note that the definition of the ambiguity property above does not discuss whether the adversary has any oracle access. In fact, similar to ring signatures, we may specify various levels of ambiguity for OFE as well. They may include basic ambiguity, ambiguity with respect to adversarially-chosen keys, and ambiguity against attribution attacks/full key exposure. Readers may refer to [BKM06] for their definitions in the context of ring signatures. The ambiguity definition above follows that given in [DR03, DLY07], with the sole purpose of making the construction of OFE non-trivial. For stronger notions, say basic ambiguity, we may require that no PPT adversary can distinguish full signatures generated by the signer from those resolved by the arbitrator with non-negligible advantage, even if the adversary can access the partial signing oracle and the resolution oracle. We leave this as future work.

Remark 2 (An Optional Input of SetupUser): In the definition above, $APK$ is an optional input of SetupUser. This allows the arbitrator and the users to share some common system parameters without getting involved in any interactive registration phase. The advantage is that the setup-free feature [ZB06, ZSM07] can be ensured while having common system parameters shared across the entire system, without a dedicated system parameter generation algorithm. For schemes where the users and the arbitrator do not share any system parameters, $APK$ can simply be removed from the input of SetupUser.

2.2 Chosen-Key Model

Note that [DLY07] only considers OFE in the certified-key model [LOS+06]. In such a model, it is assumed that the authenticity of the public keys of users in the system can be verified, and each user should show his knowledge of the corresponding private key in some public key registration stage, for defending against key substitution attacks. Equivalently, the adversary is required to show that the public keys included in queries to the signing oracle and in its forgery are properly generated. For example, each user in the system may randomly select a string $r$ and send $r$ to the authority in the registration stage, which then computes a public/secret key pair $(PK, SK)$ from $r$, stores the public key and returns $PK$ to the user. The user can also compute the user secret key $SK$ from $r$ accordingly. We refer readers to [BCNP04] for details of the model.

In this paper, we consider a stronger security model for OFE, the chosen-key model, which was originally introduced by Lysyanskaya et al. in the context of aggregate signatures [LMRS04]. An adversary in the chosen-key model can set public keys arbitrarily without showing its knowledge of the corresponding private keys. The only limitations are that the adversary cannot replace the challenge user's public key, and that all the public keys chosen by the adversary must fall into some public key space (which is defined under some system-wide parameters and known to all parties in the system). Such relaxation gives the adversary more flexibility and power in attacking other (honest) parties in the system. Schemes secure in the certified-key model are not necessarily secure in the chosen-key model. For example, consider Security Against Verifiers under the chosen-key model (Sec. 2.3). After receiving a partial signature from the challenge signer, the adversary may ask the arbitrator to resolve it into a full signature with respect to a different public key, chosen maliciously by the adversary according to the challenge signer's public key and the partial signature received. Based on this attack approach, in Sec. 3 we describe a concrete OFE scheme showing that a scheme secure in the certified-key model is not necessarily secure in the chosen-key model. In the following, we first formalize the adversarial model for OFE in the multi-user setting and chosen-key model.

2.3 Security Model

The security of optimistic fair exchange consists of three aspects: security against signers, security against verifiers, and security against the arbitrator. Their definitions in the multi-user setting and chosen-key model are given as follows.

• Security against signers: Intuitively, we require that no PPT adversary $A$ should be able to produce, with non-negligible probability, a partial signature which looks good to verifiers but cannot be resolved to a full signature by the honest arbitrator. This ensures fairness for verifiers: if the signer has committed to a message, the verifier will always be able to obtain the full commitment of the signer. Formally, we consider the following experiment:
$(ASK, APK) \leftarrow \mathrm{SetupTTP}(1^k)$
$(m, \sigma', PK^*) \leftarrow A^{O_{\mathrm{Res}}}(APK)$
$\sigma \leftarrow \mathrm{Res}(m, \sigma', ASK, PK^*)$
success of $A$ := $[\mathrm{PVer}(m, \sigma', PK^*, APK) = \text{accept} \;\wedge\; \mathrm{Ver}(m, \sigma, PK^*, APK) = \text{reject}]$
where the oracle $O_{\mathrm{Res}}$ takes as input a valid partial signature $\sigma'$ of user $U_i$ on message $m$, i.e. $(m, \sigma', PK_{U_i})$, and outputs a full signature $\sigma$ on $m$ under $PK_{U_i}$. (By 'valid' we mean that $\sigma'$ is a valid partial signature on $m$ under public key $PK_{U_i}$; that is, the input $(m, \sigma', PK_{U_i})$ of $O_{\mathrm{Res}}$ satisfies $\mathrm{PVer}(m, \sigma', PK_{U_i}, APK) = \text{accept}$.) In this experiment, the adversary can choose public keys arbitrarily, and it may not know the private key corresponding to $PK^*$. The advantage of $A$ in the experiment, $\mathrm{Adv}_A(k)$, is defined to be $A$'s success probability.

• Security against verifiers: This security notion requires that no PPT verifier $B$ should be able to transform a partial signature into a full signature with non-negligible probability if no help has been obtained from the signer or the arbitrator. This requirement has some similarity to the notion of opacity for verifiably encrypted signatures [BGLS03]. Formally, we consider the following experiment:
$(ASK, APK) \leftarrow \mathrm{SetupTTP}(1^k)$
$(SK, PK) \leftarrow \mathrm{SetupUser}(1^k)$
$(m, \sigma) \leftarrow B^{O_{\mathrm{PSig}}, O_{\mathrm{Res}}}(PK, APK)$
success of $B$ := $[\mathrm{Ver}(m, \sigma, PK, APK) = \text{accept} \;\wedge\; (m, \cdot, PK) \notin \mathrm{Query}(B, O_{\mathrm{Res}})]$
where the oracle $O_{\mathrm{Res}}$ is as described in the previous experiment, the partial signing oracle $O_{\mathrm{PSig}}$ takes as input a message $m$ and returns a valid partial signature $\sigma'$ on $m$ under $PK$, and $\mathrm{Query}(B, O_{\mathrm{Res}})$ is the set of valid queries $B$ issued to the resolution oracle $O_{\mathrm{Res}}$. In the experiment, $B$ can ask the arbitrator to resolve any partial signature with respect to any public key (adaptively chosen by $B$, possibly without knowledge of the corresponding private key), subject to the restriction stated in the experiment. The advantage of $B$ in the experiment, $\mathrm{Adv}_B(k)$, is defined to be $B$'s success probability.

• Security against the arbitrator: Intuitively, this security notion requires that no PPT arbitrator $C$ should be able to generate, with non-negligible probability, a full signature without explicitly asking the signer to generate one. This ensures fairness for signers: no one can frame the actual signer on a message with a forgery. Formally, we consider the following experiment:
$(SK, PK) \leftarrow \mathrm{SetupUser}(1^k)$
$(ASK^*, APK) \leftarrow C(PK)$
$(m, \sigma) \leftarrow C^{O_{\mathrm{PSig}}}(ASK^*, APK, PK)$
success of $C$ := $[\mathrm{Ver}(m, \sigma, PK, APK) = \text{accept} \;\wedge\; (m, \cdot) \notin \mathrm{Query}(C, O_{\mathrm{PSig}})]$
where the partial signing oracle $O_{\mathrm{PSig}}$ is as described in the previous experiment, $ASK^*$ is $C$'s state information, which need not be the private key corresponding to $APK$, and $\mathrm{Query}(C, O_{\mathrm{PSig}})$ is the set of queries $C$ issued to the partial signing oracle $O_{\mathrm{PSig}}$. The advantage of $C$ in this experiment, $\mathrm{Adv}_C(k)$, is defined to be $C$'s success probability.

Definition 2.2. A non-interactive optimistic fair exchange scheme is said to be secure in the multi-user setting and chosen-key model if no PPT adversary wins any of the experiments above with non-negligible advantage.

2.4 Differences From [DLY07] and Multi-Arbitrator Setting

Though the experiments for Security Against Signers and Security Against Verifiers have the same form as those in [DLY07], we do not require the adversary to register a public key before using it. In other words, the adversary can freely choose public keys (from the public key space) and use them during the attack, without proving its knowledge of the corresponding private keys. In [DLY07], on the other hand, the authenticity assumption on public keys is made in all the experiments. For Security Against the Arbitrator, our experiment appears to be stronger than the one considered in [DLY07], in which the adversary has to fix $APK$ before learning the challenge signer's public key $PK$. This static form of adversarial key generation seems unnecessarily weak. We propose a strengthened one which allows the adversary to set $APK$ adaptively, based on the value of $PK$ generated using SetupUser. In this way, the security model considered in this paper is at least as strong as that of [DLY07], if not stronger. This observation is also supported by the counterexample given in Sec. 3.

One may also notice that in the experiment formalizing Security Against the Arbitrator, the adversary $C$ has two phases. In the first phase, $C$ merely generates $APK$ without access to $O_{\mathrm{PSig}}$. In the second phase, $C$ generates a forgery while having access to $O_{\mathrm{PSig}}$ with respect to $APK$. The purpose of this two-phase arrangement is to ensure that the model is in the single-arbitrator setting. Although all the security requirements of optimistic fair exchange schemes are studied under the multi-user setting in this paper, to be consistent with previous work [DR03, DLY07] we restrict ourselves to the formalization of a system with only one arbitrator. On the other hand, if we combine the two phases in the experiment for Security Against the Arbitrator into one, that is, the second and the third lines are merged and replaced by
$(APK, m, \sigma) \leftarrow C^{O_{\mathrm{PSig}}}(PK)$
and modify $O_{\mathrm{PSig}}$ to take an additional input, a public partial verification key $APK'$, then we can consider the multi-arbitrator setting for this security notion (by also changing the restriction so that we only require $(m, \cdot, APK) \notin \mathrm{Query}(C, O_{\mathrm{PSig}})$). We leave this, and the extension of the other two notions to the multi-arbitrator setting, as future work.

3 Separating Chosen-Key Model From Certified-Key Model

As reviewed in the introduction, OFE in the single-user setting can normally be built from verifiably encrypted signatures or from sequential two-party multisignatures. Dodis et al. [DLY07] showed that secure OFE in the multi-user setting can also be built from these primitives, but only the constructions based on verifiably encrypted signatures may support the setup-free feature [ZB06, ZSM07]. Also note that in [DLY07], all the security analyses were carried out in the certified-key model [LOS+06]; therefore, the schemes may not remain secure in the chosen-key model [LMRS04]. In the following, we give a concrete example showing that an OFE secure in the certified-key model may no longer be secure in the chosen-key model. The example is based on Lu et al.'s [LOS+06] verifiably encrypted signature scheme. Readers can refer to [LOS+06] for Lu et al.'s scheme WVES, or to Appendix C for a brief review of it.

3.1 A WVES-Based OFE

Observe that Lu et al.'s WVES is an OFE in the single-user setting and the certified-key model (we refer readers to [DR03, DLY07] for the formal definition and security model of OFE in the single-user setting and certified-key model), under which WVES.Kg and WVES.AKg constitute the OFE registration protocol Setup, and WVES.Sig, WVES.Ver, WVES.ESig, WVES.EVer and WVES.Adj correspond to Sig, Ver, PSig, PVer and Res, respectively. In the single-user setting and certified-key model [DR03, DLY07], Security Against Signers follows from the correctness of WVES: if $\eta$ is a valid verifiably encrypted signature, the adjudicator can always convert it to an ordinary signature. Security Against Verifiers follows from the opacity property [BGLS03] of WVES. Security Against the Arbitrator does not trivially follow from the unforgeability of the verifiably encrypted signature scheme, since in the corresponding experiment the malicious arbitrator knows more secret information than a public verifier does. To show it, we build a forger $F$ of Waters' signature scheme using the malicious arbitrator/adjudicator $C$. Given the system parameters and a public key $A = e(g, g)^\alpha$, $F$ randomly picks $\beta \leftarrow \mathbb{Z}_p$ and sends the system parameters, $A$ and $(\beta, v := g^\beta)$ to $C$. (Alternatively, $C$ picks its own key pair and shows its knowledge of $ASK$; this is due to the restriction of the certified-key model. Readers can refer to [DLY07] for detailed discussions.) The rest of the proof goes essentially as in [LOS+06], except that $F$ uses its signing oracle to simulate the PSig oracle. If $C$ outputs a valid forgery $(S_1, S_2)$, i.e. $\mathrm{Ver}(PK, M, (S_1, S_2)) = \text{accept}$, $F$ simply outputs $\sigma^* := (S_1, S_2)$ on $M$ as its forgery for Waters' signature scheme. By the validity of $(S_1, S_2)$, $\sigma^*$ is also a valid forgery with respect to the challenge public key. Besides, the above scheme can easily be shown to be secure in the multi-user setting and the certified-key model as well.

3.2 An Attack Under Chosen-Key Model

If we retain the multi-user setting but upgrade the model from the certified-key model to the chosen-key model, the WVES-based OFE above is no longer secure. Consider Security Against Verifiers. In the chosen-key model, the adversary (i.e. the verifier in the experiment) can first ask the challenge signer for a partial signature on some message under the challenge public key $PK$. Then the adversary makes up a new public key $PK'$ from the partial signature and $PK$, and asks the challenger to resolve the partial signature with respect to $PK'$ rather than $PK$. Finally, the adversary recovers the full signature under $PK$ from the resolved signature. Since the adversary in the chosen-key model can pick public keys arbitrarily without showing its knowledge of the corresponding private keys, this attack is possible. Below are the details of the actual attack against the WVES-based OFE.

(In)Security Against Verifiers: Upon receiving the challenge signer's public key $PK = e(g, g)^\alpha$ from the challenger, the adversary $B$ queries $O_{\mathrm{PSig}}$ for a partial signature $\sigma' = (K_1, K_2, K_3)$ on message $M$. Then $B$ generates another public key $PK' := PK \cdot e(g, g)^b$ where $b \leftarrow \mathbb{Z}_p$, and queries $O_{\mathrm{Res}}$ to resolve the partial signature $\sigma'' = (K_1 \cdot g^b, K_2, K_3)$ under the public key $PK'$. Note that $\sigma''$ is a valid partial signature on $M$ under $PK'$. Upon receiving the resolved signature $\sigma = (S_1, S_2)$, $B$ outputs the full signature under the challenge public key $PK$ as $\tilde\sigma = (S_1 / g^b, S_2)$ and wins the game: its only resolution query was made under $PK' \neq PK$, so $(M, \cdot, PK) \notin \mathrm{Query}(B, O_{\mathrm{Res}})$. Therefore, the WVES-based OFE is insecure in the multi-user setting under the chosen-key model. We should also emphasize that this does not contradict the results given in [LOS+06], as their schemes were originally designed for security in the certified-key model only.
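The attack just described, carried out end to end as an added example (this is not code from the paper or from [LOS+06]): the Waters signature, the WVES partial signature and adjudication, and the adversary $B$ of Sec. 3.2 are run over a toy symmetric pairing group written "in the exponent", i.e. $g^x$ is stored as $x \bmod P$ and $e(g,g)^y$ as $y \bmod P$, so that $e(g^x, g^y)$ is $xy \bmod P$. This reproduces the group algebra of a prime-order Type-1 pairing exactly, but discrete logarithms are trivial in it, so the model can only show that the algebra of the attack goes through, never anything about the scheme's certified-key security. The group order $P$, the 16-bit message size, and all function names are this example's assumptions; the resolution oracle is the `resolve` callback, which the adversary never calls with the challenge key.

```python
import secrets

# Toy symmetric pairing group, written "in the exponent": an element g^x of G is
# stored as x mod P and an element e(g,g)^y of G_T as y mod P, so
# e(g^x, g^y) = e(g,g)^{xy} is just x*y mod P.  This reproduces the group algebra
# of a prime-order Type-1 pairing exactly (x -> g^x is an isomorphism), but
# discrete logarithms are trivial here: the model only illustrates the attack's
# algebra, never the scheme's certified-key security.
P = 2**127 - 1   # group order (a Mersenne prime); chosen for this toy, not from [LOS+06]
N_BITS = 16      # bit length of messages fed to the Waters hash (toy size)


class Elem:
    """A group element g^x (or e(g,g)^x) in multiplicative notation."""
    def __init__(self, x): self.x = x % P
    def __mul__(self, o): return Elem(self.x + o.x)        # g^a * g^b = g^{a+b}
    def __truediv__(self, o): return Elem(self.x - o.x)    # g^a / g^b = g^{a-b}
    def __pow__(self, k): return Elem(self.x * k)          # (g^a)^k = g^{ak}
    def __eq__(self, o): return self.x == o.x


def e(a, b):
    """Bilinear map: e(g^a, g^b) = e(g,g)^{ab}."""
    return Elem(a.x * b.x)


g = Elem(1)
# Waters hash parameters u', u_1, ..., u_n (stored as exponents, as above)
U = [secrets.randbelow(P) for _ in range(N_BITS + 1)]


def waters_hash(m):
    """H(M) = u' * prod_{i : m_i = 1} u_i for an N_BITS-bit message M."""
    return Elem(U[0] + sum(U[i + 1] for i in range(N_BITS) if (m >> i) & 1))


def kg():                      # Waters signer: SK = g^alpha, PK = A = e(g,g)^alpha
    alpha = secrets.randbelow(P - 1) + 1
    return g ** alpha, e(g, g) ** alpha


def sign(sk, m):               # sigma = (S1, S2) = (g^alpha * H(M)^r, g^r)
    r = secrets.randbelow(P - 1) + 1
    return sk * waters_hash(m) ** r, g ** r


def ver(pk, m, sig):           # accept iff e(S1, g) == A * e(H(M), S2)
    S1, S2 = sig
    return e(S1, g) == pk * e(waters_hash(m), S2)


def akg():                     # adjudicator / arbitrator: ASK = beta, APK = v = g^beta
    beta = secrets.randbelow(P - 1) + 1
    return beta, g ** beta


def esig(sk, v, m):            # WVES.ESig = OFE.PSig: (K1, K2, K3) = (S1 * v^s, S2, g^s)
    S1, S2 = sign(sk, m)
    s = secrets.randbelow(P - 1) + 1
    return S1 * v ** s, S2, g ** s


def ever(pk, v, m, psig):      # WVES.EVer = OFE.PVer: e(K1, g) == A * e(H(M), K2) * e(v, K3)
    K1, K2, K3 = psig
    return e(K1, g) == pk * e(waters_hash(m), K2) * e(v, K3)


def adj(beta, pk, v, m, psig):  # WVES.Adj = OFE.Res: check, then strip the blinding with beta
    if not ever(pk, v, m, psig):
        return None
    K1, K2, K3 = psig
    return K1 / K3 ** beta, K2


def chosen_key_attack(pk, v, m, psig, resolve):
    """Adversary B of Sec. 3.2.  `resolve` plays O_Res; it is never called with
    the challenge key pk, yet B ends up with a full signature under pk."""
    K1, K2, K3 = psig
    b = secrets.randbelow(P - 1) + 1
    pk_prime = pk * e(g, g) ** b            # PK' = PK * e(g,g)^b; B holds no secret key for PK'
    psig_prime = (K1 * g ** b, K2, K3)      # sigma'' = (K1 * g^b, K2, K3) is valid under PK'
    assert ever(pk_prime, v, m, psig_prime) and pk_prime != pk
    S1, S2 = resolve(pk_prime, m, psig_prime)   # the single O_Res query: (M, sigma'', PK')
    return S1 / g ** b, S2                  # sigma~ = (S1 / g^b, S2), a signature under PK


def run(m=0xBEEF):
    """Returns (honest resolution verifies under PK, B's output verifies under PK)."""
    sk, pk = kg()
    beta, v = akg()
    psig = esig(sk, v, m)
    resolve = lambda pk_q, m_q, psig_q: adj(beta, pk_q, v, m_q, psig_q)
    honest_ok = ver(pk, m, resolve(pk, m, psig))
    forged_ok = ver(pk, m, chosen_key_attack(pk, v, m, psig, resolve))
    return honest_ok, forged_ok
```

Both values returned by `run()` are true: the adjudicator's check $e(K_1 g^b, g) = A\,e(g,g)^b \cdot e(H(M), K_2) \cdot e(v, K_3)$ passes for the made-up key, and dividing the resolved $S_1$ by $g^b$ cancels the shift. In the certified-key model the adversary would have had to prove knowledge of $\log_{e(g,g)} PK' = \alpha + b$, which it does not have, and the query would be refused.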

4 An Efficient and Generic Construction without Random Oracles

In this section, we propose an OFE proven secure in the multi-user setting and the chosen-key model, that is, under the adversarial model formalized in Sec. 2.3. Our construction is based on two primitives: a conventional signature [GMR88] and a ring signature [RST01]. Since there exist signature schemes and ring signature schemes proven secure without random oracles, we can construct a secure OFE without random oracles as well. Readers can refer to [GMR88] or Appendix A for the security definition of conventional signatures. In the following, we first briefly review the definition of ring signatures.

(Ring Signature): The notion of ring signature was introduced by Rivest et al. at Asiacrypt 2001 [RST01] and has since been widely studied [BKM06, Boy07, SW07, CGS07]. A ring signature scheme RS is a triple of PPT algorithms (KG, Sig, Ver), where KG is the key generation algorithm that takes as input the security parameter $1^k$ and outputs a signing/verification key pair $(sk, pk)$; Sig is the ring signing algorithm that takes as input a message $m$, a list of public keys $R := \{pk_i\}_{i=1}^{\ell}$ and a signing key $sk_i$ ($1 \le i \le \ell$) such that $(sk_i, pk_i)$ is an output of $\mathrm{KG}(1^k)$, and outputs a ring signature $\sigma$ on $m$ under the ring $R$; and Ver is the verification algorithm that takes as input a message $m$, a signature $\sigma$ and a list of public keys $R := \{pk_i\}_{i=1}^{\ell}$, and outputs accept or reject. The security of a ring signature scheme has two parts, anonymity (or ambiguity) and unforgeability. Anonymity requires that no one can tell which ring member is the actual signer, and unforgeability requires that no one can forge a signature if none of the ring members' private keys is known. The strongest computational security notions for these are anonymity against attribution attacks/full key exposure and unforgeability with respect to insider corruption, respectively [BKM06, Boy07]. In our construction of OFE (to be shown later), we do not actually require a ring signature scheme with such strong levels of anonymity and unforgeability. Instead, unforgeability under an adaptive attack against a static adversary [Boy07] suffices. It is defined as follows.
$(sk_i, pk_i) \leftarrow \mathrm{RS.KG}(1^k)$, for $i = 1, \cdots, \ell$
$R := \{pk_i\}_{i=1}^{\ell}$
$(R, m, \sigma) \leftarrow A^{O_{\mathrm{RS.Sig}}}(R)$
success of $A$ := $[\mathrm{RS.Ver}(m, \sigma, R) = \text{accept} \;\wedge\; (\cdot, m, R) \notin \mathrm{Query}(A, O_{\mathrm{RS.Sig}})]$
where $A$ is a PPT adversary, $O_{\mathrm{RS.Sig}}$ is the ring signing oracle which takes as input an index $i$, a message $m$ and a list of public keys $S$ such that $S \cap R \neq \emptyset$ and $pk_i \in R$, and outputs a ring signature $\sigma$ on $m$ under the ring $S$ using the signing key $sk_i$, and $\mathrm{Query}(A, O_{\mathrm{RS.Sig}})$ is the set of ring signing queries (of the form $(i, m, S)$) issued by $A$. The advantage of $A$ in the experiment is defined to be its success probability. A ring signature scheme is said to be (existentially) unforgeable under an adaptive attack against a static adversary (where 'static' means that the adversary does not corrupt any honest user and its forgery must be with respect to the prescribed ring $R$) if no PPT adversary wins the experiment with non-negligible advantage. It is readily seen that this notion is weaker than unforgeability with respect to insider corruption as considered in [BKM06]. For our purpose, the number $\ell$ of (honestly generated) public keys is 2 and the size of the ring $S$ in a signing query issued by $A$ is also 2 (i.e. $\ell = 2$ and $|S| = 2$).

For the security level of anonymity, since the definition of ambiguity for OFE does not consider any additional adversarial resource that the distinguisher may have, basic anonymity [BKM06] is already strong enough for our OFE construction below. We refer readers to Sec. 2.1 for more discussion.

4.1 The Construction

Let $\mathrm{SIG} = (\mathrm{KG}, \mathrm{Sig}, \mathrm{Ver})$ be a conventional signature scheme and $\mathrm{RS} = (\mathrm{KG}, \mathrm{Sig}, \mathrm{Ver})$ a ring signature scheme. Our construction idea is as follows. The partial signature is a conventional signature generated using SIG, and the full signature is the partial signature together with a ring signature generated under RS. The 'ring' members of the ring signature are the signer and the arbitrator. To resolve a partial signature, the arbitrator simply produces a ring signature. One of the main reasons for employing a ring signature scheme in our construction is that the unforgeability game of ring signatures (namely unforgeability under an adaptive attack against a static adversary, as stated above) fits well with the chosen-key model for OFE: the adversary can ask for a ring signature with respect to a ring which includes public keys that are not certified. Below are the details of our generic construction, denoted by OFE.
• SetupTTP: The arbitrator runs $(ask, apk) \leftarrow \mathrm{RS.KG}(1^k)$ and sets $(ASK, APK) := (ask, apk)$.
• SetupUser: Each user $U_i$ runs $(\hat{sk}_i, \hat{pk}_i) \leftarrow \mathrm{SIG.KG}(1^k)$ and $(\bar{sk}_i, \bar{pk}_i) \leftarrow \mathrm{RS.KG}(1^k)$. $U_i$ then sets $(SK_{U_i}, PK_{U_i}) := ((\hat{sk}_i, \bar{sk}_i), (\hat{pk}_i, \bar{pk}_i))$.
• Sig: On input a message $m$, the signer $U_i$ first produces a conventional signature $\sigma'$ as the partial signature, i.e. $\sigma' \leftarrow \mathrm{SIG.Sig}(\hat{sk}_i, m)$, and then completes the signing process by generating a ring signature on $m$ and $\sigma'$, i.e. $\sigma^{RS} \leftarrow \mathrm{RS.Sig}(\bar{sk}_i, m\|\sigma'\|PK_{U_i}, R)$ where $R := \{\bar{pk}_i, apk\}$. The full signature is then set as $\sigma := (\sigma', \sigma^{RS})$.
• Ver: On input a message $m$ and a signature $\sigma = (\sigma', \sigma^{RS})$ purportedly produced by $U_i$, the verifier checks the validity of $\sigma'$ and $\sigma^{RS}$ by running $\mathrm{SIG.Ver}(m, \sigma', \hat{pk}_i)$ and $\mathrm{RS.Ver}(m\|\sigma'\|PK_{U_i}, \sigma^{RS}, R)$ respectively, where $R := \{\bar{pk}_i, apk\}$. If both output accept, it returns accept; otherwise, it returns reject.
• PSig: On input a message $m$, the signer $U_i$ computes a conventional signature $\sigma' \leftarrow \mathrm{SIG.Sig}(\hat{sk}_i, m)$ and returns $\sigma'$ as the partial signature.
• PVer: On input a message $m$ and a partial signature $\sigma'$ purportedly produced by $U_i$, the verifier returns $\mathrm{SIG.Ver}(m, \sigma', \hat{pk}_i)$.
• Res: On input a message $m$ and a partial signature $\sigma'$ of user $U_i$, the arbitrator first checks the validity of $\sigma'$ by running $\mathrm{OFE.PVer}(m, \sigma', PK_{U_i}, APK)$. If $\sigma'$ is invalid, it rejects the input by outputting $\bot$; otherwise, it computes $\sigma^{RS} \leftarrow \mathrm{RS.Sig}(ask, m\|\sigma'\|PK_{U_i}, R)$, where $R := \{\bar{pk}_i, apk\}$. The arbitrator returns $\sigma := (\sigma', \sigma^{RS})$.

As in [DLY07], one cannot view $\sigma'$ as the full signature of the signer, even though it is itself a valid conventional signature. The signer's full commitment to a message comprises the partial signature $\sigma'$ generated using SIG, along with a ring signature $\sigma^{RS}$ produced by the signer or the arbitrator using RS. Correctness of the construction follows directly from that of SIG and RS, and ambiguity follows from the anonymity of the ring signature RS.

Remark 3: One may notice that Dodis et al.'s generic OFE construction [DLY07] uses a similar idea to ours. They employ a conventional signature as the partial signature and use an additional OR-signature to complete the generation of the full signature. An OR-signature itself can be viewed as a two-user ring signature. Even though OR-signatures can express much richer languages, almost all constructions of OR-signatures follow the Fiat-Shamir heuristic and thus can only be proven secure in the random oracle model, or otherwise require a complex NP-reduction and non-interactive witness-indistinguishable proofs of knowledge, which can be very inefficient. By applying our idea, an efficient and generic OFE scheme without random oracles can be built, as there are already quite a number of efficient conventional signature schemes and ring signature schemes proven secure without random oracles in the literature. Intuitively, for our construction above, Security Against Signers holds unconditionally, Security Against Verifiers follows from the unforgeability of the ring signature RS, and Security Against the Arbitrator is guaranteed by the unforgeability of SIG. Thus, we have the following theorem.

Theorem 4.1. The generic construction of optimistic fair exchange scheme OFE above is secure in the multi-user setting and chosen-key model, provided that SIG is a conventional signature scheme that is existentially unforgeable against chosen-message attacks and RS is a secure ring signature scheme with basic anonymity and existential unforgeability under an adaptive attack against a static adversary.
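The generic construction of Sec. 4.1, as an added example (this is not the paper's code, nor one of its instantiations): the seven OFE algorithms are written generically over a SIG interface and an RS interface, exactly as in the description above, with the ring message $m\|\sigma'\|PK_{U_i}$ and the ring $\{\bar{pk}_i, apk\}$. To make the block runnable offline it plugs in a key-prefixed Schnorr signature over secp256k1 as SIG and an AOS-style Schnorr ring signature as RS; both are Fiat-Shamir constructions and therefore random-oracle instantiations, chosen only to exercise the composition, not the standard-model instantiations the paper proposes. The curve, the hash encoding, the ring ordering (signer first, arbitrator second) and the extra $PK$ argument to `ofe_sig` (needed because the ring message contains $PK_{U_i}$) are this example's assumptions.

```python
import hashlib
import secrets

# Prime-order group shared by both primitives: secp256k1 (standard parameters),
# affine coordinates, point at infinity = None.  An assumption of this example;
# the paper's instantiations are pairing-based.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(A, B):                        # group law on affine points
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def mul(k, A):                        # scalar multiplication, k reduced mod N (so -c works)
    R, k = None, k % N
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R


def H(*parts):                        # SHA-256 over a domain-tagged encoding, as a scalar
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N


# SIG: key-prefixed Schnorr signature (toy stand-in for the paper's SIG)
def sig_kg():
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def sig_sign(sk, m):
    r = secrets.randbelow(N - 1) + 1
    c = H("SIG", mul(r, G), mul(sk, G), m)
    return c, (r + c * sk) % N

def sig_ver(m, sig, pk):
    c, s = sig
    return c == H("SIG", add(mul(s, G), mul(-c, pk)), pk, m)


# RS: AOS-style ring signature over Schnorr keys (toy stand-in for the paper's RS)
def rs_kg():
    return sig_kg()

def rs_sign(sk_j, j, m, ring):        # the signer holds sk_j for ring[j]
    l, c, s = len(ring), [0] * len(ring), [0] * len(ring)
    a = secrets.randbelow(N - 1) + 1
    R = mul(a, G)
    for t in range(1, l):             # close the ring, starting just after the signer
        i = (j + t) % l
        c[i], s[i] = H("RS", ring, m, R), secrets.randbelow(N)
        R = add(mul(s[i], G), mul(-c[i], ring[i]))
    c[j] = H("RS", ring, m, R)
    s[j] = (a + c[j] * sk_j) % N      # only this step needs a secret key
    return c[0], s

def rs_ver(m, sig, ring):
    c0, s = sig
    c = c0
    for i in range(len(ring)):
        c = H("RS", ring, m, add(mul(s[i], G), mul(-c, ring[i])))
    return c == c0


# OFE: the generic construction of Sec. 4.1
def ofe_setup_ttp():                  # (ASK, APK) := (ask, apk) <- RS.KG
    return rs_kg()

def ofe_setup_user():                 # SK = (sk^, sk-), PK = (pk^, pk-)
    (sk_hat, pk_hat), (sk_bar, pk_bar) = sig_kg(), rs_kg()
    return (sk_hat, sk_bar), (pk_hat, pk_bar)

def ofe_psig(m, SK, APK):             # sigma' <- SIG.Sig(sk^, m)
    return sig_sign(SK[0], m)

def ofe_pver(m, sigma_p, PK, APK):    # SIG.Ver(m, sigma', pk^)
    return sig_ver(m, sigma_p, PK[0])

def ofe_sig(m, SK, PK, APK):          # (sigma', RS.Sig(sk-, m||sigma'||PK, {pk-, apk}))
    sigma_p = ofe_psig(m, SK, APK)
    return sigma_p, rs_sign(SK[1], 0, (m, sigma_p, PK), [PK[1], APK])

def ofe_res(m, sigma_p, ASK, PK, APK):  # arbitrator: check sigma', then sign as ring member apk
    if not ofe_pver(m, sigma_p, PK, APK):
        return None                   # the paper's "bottom"
    return sigma_p, rs_sign(ASK, 1, (m, sigma_p, PK), [PK[1], APK])

def ofe_ver(m, sigma, PK, APK):
    sigma_p, sigma_rs = sigma
    return ofe_pver(m, sigma_p, PK, APK) and rs_ver((m, sigma_p, PK), sigma_rs, [PK[1], APK])


def demo(m="transfer 10 units to Bob"):
    """Returns (signer's full sig verifies, resolved sig verifies,
    full sig rejected on another message, Res rejects a mismatched partial sig)."""
    ASK, APK = ofe_setup_ttp()
    SK, PK = ofe_setup_user()
    sigma_p = ofe_psig(m, SK, APK)
    full, resolved = ofe_sig(m, SK, PK, APK), ofe_res(m, sigma_p, ASK, PK, APK)
    return (ofe_ver(m, full, PK, APK), ofe_ver(m, resolved, PK, APK),
            ofe_ver(m + "!", full, PK, APK), ofe_res(m + "!", sigma_p, ASK, PK, APK) is None)
```

Two points of the construction are visible in the code. `ofe_res` never touches the signer's keys: it only needs a valid $\sigma'$ and the arbitrator's own ring key, which is why Security Against Signers is unconditional. And the full signature produced by `ofe_sig` and the one produced by `ofe_res` have the same shape and verify against the same ring, which is the ambiguity property; with a ring signature that is only basically anonymous, as the text says suffices, a verifier cannot tell which of the two ring members closed the ring.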

Proof. Theorem 4.1 immediately follows from the following lemmas.

Lemma 4.2. The optimistic fair exchange scheme OFE above is unconditionally secure against signers.

Proof. For any message $m$ and any valid signature $\sigma'$ on $m$ under the verification key $\hat{pk}_i$, the arbitrator can always produce a ring signature $\sigma^{RS}$ on $m\|\sigma'\|PK_{U_i}$ under the ring $R := \{\bar{pk}_i, apk\}$ using $ask$. Therefore, no adversary can win the game.

Lemma 4.3. The optimistic fair exchange scheme OFE above is secure against verifiers if RS is unforgeable under adaptive attacks against a static adversary.

Proof. Suppose that $B$ is a PPT adversary which breaks Security Against Verifiers with probability $\epsilon_B$. We construct a PPT algorithm $\bar{B}$ that breaks the existential unforgeability of RS with the same probability.

On input a security parameter $1^k$ and two public keys $pk_0$ and $pk_1$, which are the (honestly generated) challenge public keys of the unforgeability game of ring signatures (see page 9), $\bar{B}$ randomly generates a key pair $(\hat{sk}, \hat{pk})$ of SIG by running $(\hat{sk}, \hat{pk}) \leftarrow \mathsf{SIG.KG}(1^k)$, flips a bit $b \leftarrow \{0,1\}$, and sets $APK := pk_b$ and $PK := (\hat{pk}, pk_{1-b})$. It then runs $B$ on input $(APK, PK)$, simulating the oracle $\mathcal{O}_{PSig}$ using the secret key $\hat{sk}$ and the oracle $\mathcal{O}_{Res}$ using $\bar{B}$'s own ring signing oracle. In more detail, to answer a PSig query on $m$, $\bar{B}$ computes and returns $\mathsf{SIG.Sig}(\hat{sk}, m)$ to $B$. To answer a Res query $(m, \sigma', PK_{U_i})$, if $\sigma'$ is a valid partial signature on $m$ under $PK_{U_i}$, $\bar{B}$ queries its ring signing oracle for a ring signature $\sigma^{RS}$ on the message $m\|\sigma'\|PK_{U_i}$ under the ring $\{pk_0, pk_1\}$ using the secret key corresponding to $pk_b$, and then sends $(\sigma', \sigma^{RS})$ back to $B$.

At the end of the experiment, $B$ outputs its forgery $(\tilde{m}, \tilde{\sigma})$, where $\tilde{\sigma} = (\tilde{\sigma}', \tilde{\sigma}^{RS})$. Without loss of generality, we assume that $B$ obtained $\tilde{\sigma}'$ from a query to the oracle $\mathcal{O}_{PSig}$; the other case, in which $B$ produced $\tilde{\sigma}'$ by itself, is covered by Security Against the Arbitrator, shown below. The simulation above is perfect, and thus $B$ wins the game with probability $\epsilon_B$. We have that $\mathsf{OFE.Ver}(\tilde{m}, \tilde{\sigma}, PK, APK) = \mathrm{accept}$ and $(\tilde{m}, \cdot, PK) \notin \mathsf{Query}(B, \mathcal{O}_{Res})$. The former also implies that $\mathsf{SIG.Ver}(\tilde{m}, \tilde{\sigma}', \hat{pk}) = \mathrm{accept}$ and $\mathsf{RS.Ver}(\tilde{m}\|\tilde{\sigma}'\|PK, \tilde{\sigma}^{RS}, \{pk_0, pk_1\}) = \mathrm{accept}$ hold. Since $(\tilde{m}, \cdot, PK) \notin \mathsf{Query}(B, \mathcal{O}_{Res})$, $\bar{B}$ has never issued a query to its ring signing oracle on input $\tilde{m}\|\tilde{\sigma}'\|PK$. Therefore, $\tilde{\sigma}^{RS}$ is a valid ring signature on the new message $\tilde{m}\|\tilde{\sigma}'\|PK$ under the ring $\{pk_0, pk_1\}$. We then let $\bar{B}$ output $(\tilde{m}\|\tilde{\sigma}'\|PK, \tilde{\sigma}^{RS})$, and $\bar{B}$ wins its own game with probability $\epsilon_B$.

Lemma 4.4. The optimistic fair exchange scheme OFE above is secure against the arbitrator if SIG is unforgeable under chosen-message attacks.

Proof. Suppose that $C$ is a PPT adversary which breaks Security Against the Arbitrator with probability $\epsilon_C$. We build a PPT algorithm $\bar{C}$ that breaks the unforgeability of the conventional signature scheme SIG with the same probability.

Given the challenge verification key $pk$ of SIG (along with a signing oracle $\mathcal{O}_{sk}$), $\bar{C}$ runs $\mathsf{RS.KG}(1^k)$ to get a key pair $(\bar{sk}, \bar{pk})$ and feeds $PK := (pk, \bar{pk})$ as input to $C$, which then returns an arbitrator public key $APK$ and begins to issue queries to $\mathcal{O}_{PSig}$. This oracle can be perfectly simulated by $\bar{C}$ using $\mathcal{O}_{sk}$: on input a message $m$, $\bar{C}$ forwards it to $\mathcal{O}_{sk}$ and relays the oracle's answer to $C$ as a valid partial signature. Finally, $C$ outputs its forgery $(\tilde{m}, \tilde{\sigma})$, where $\tilde{\sigma} = (\tilde{\sigma}', \tilde{\sigma}^{RS})$, such that $\mathsf{OFE.Ver}(\tilde{m}, \tilde{\sigma}, PK, APK) = \mathrm{accept}$ and $(\tilde{m}, \cdot) \notin \mathsf{Query}(C, \mathcal{O}_{PSig})$. We then have that $\tilde{\sigma}'$ is a valid signature on $\tilde{m}$ under $pk$, and that $\tilde{m}$ has never been submitted by $\bar{C}$ to its signing oracle. We simply let $\bar{C}$ output $(\tilde{m}, \tilde{\sigma}')$. Obviously $(\tilde{m}, \tilde{\sigma}')$ is a valid forgery for SIG, and $\bar{C}$ wins the unforgeability game with advantage $\epsilon_C$.
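To make the wiring of the Sec. 4.1 construction concrete, the following Python model is an added example by the editor; it is not code from the paper. It instantiates SIG with Schnorr signatures and RS with a two-user Schnorr ring signature (the Abe-Ohkubo-Suzuki style "ring of simulated members closed by the real key"). Both rely on the Fiat-Shamir heuristic, so this is a random-oracle toy of the structure, not one of the standard-model instantiations of Sec. 4.2; the 64-bit safe-prime group, the seeded randomness, the message and all function names are assumptions made for the example. What it shows that the text does not spell out: PSig/PVer are exactly the underlying SIG; Sig and Res both produce a ring signature over $m\|\sigma'\|PK_U$ under the ring $\{\bar{pk}, apk\}$, one with $\bar{sk}$ (index 0) and one with $ask$ (index 1), and the same Ver accepts both, which is where ambiguity comes from; and Res refuses an invalid partial signature before touching $ask$.

```python
import hashlib
import random
rng = random.Random(20080201)  # seeded so the toy run is reproducible; never use for real keys

def is_probable_prime(n, rounds=16):  # Miller-Rabin for n >= 4; enough for a toy group
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):  # (p, q, g): p = 2q+1 prime, g = 4 is a square so ord(g) = q
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def H(q, *parts):  # Fiat-Shamir hash of length-prefixed parts into Z_q (the random oracle)
    h = hashlib.sha256()
    for part in parts:
        b = repr(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % q

def keygen(G):  # (sk, pk = g^sk); one shape serves SIG keys, RS keys and the arbitrator key
    sk = rng.randrange(1, G[1])
    return sk, pow(G[2], sk, G[0])

def sig_sign(G, sk, m):  # SIG: Schnorr, sigma = (c, s) with c = H(g^r, m), s = r - c*sk mod q
    p, q, g = G
    r = rng.randrange(1, q)
    c = H(q, "SIG", pow(g, r, p), m)
    return c, (r - c * sk) % q

def sig_verify(G, pk, m, sig):
    p, q, g = G
    return H(q, "SIG", pow(g, sig[1], p) * pow(pk, sig[0], p) % p, m) == sig[0]

def rs_sign(G, ring, j, sk, m):  # RS: ring = [pk_0..pk_{n-1}], signer j holds sk for ring[j]
    p, q, g = G
    n = len(ring)
    c, s = [None] * n, [None] * n
    a = rng.randrange(1, q)                      # real commitment g^a for member j
    c[(j + 1) % n] = H(q, "RS", ring, m, pow(g, a, p))
    i = (j + 1) % n
    while i != j:                                # simulate every other member with a random s_i
        s[i] = rng.randrange(1, q)
        c[(i + 1) % n] = H(q, "RS", ring, m, pow(g, s[i], p) * pow(ring[i], c[i], p) % p)
        i = (i + 1) % n
    s[j] = (a - c[j] * sk) % q                   # close the ring with the real secret key
    return c[0], s

def rs_verify(G, ring, m, sig):
    p, q, g = G
    c = sig[0]
    for i, pk in enumerate(ring):
        c = H(q, "RS", ring, m, pow(g, sig[1][i], p) * pow(pk, c, p) % p)
    return c == sig[0]

def ofe_setup_user(G):  # OFE (Sec. 4.1): SK_U = (sk_hat, sk_bar), PK_U = (pk_hat, pk_bar)
    (sk_hat, pk_hat), (sk_bar, pk_bar) = keygen(G), keygen(G)
    return (sk_hat, sk_bar), (pk_hat, pk_bar)

def ofe_psig(G, SK, m):
    return sig_sign(G, SK[0], m)                 # PSig: sigma' = SIG.Sig(sk_hat, m)

def ofe_pver(G, PK, m, sigma_p):
    return sig_verify(G, PK[0], m, sigma_p)      # PVer: SIG.Ver(m, sigma', pk_hat)

def ofe_sig(G, SK, PK, apk, m):
    sigma_p = ofe_psig(G, SK, m)                 # Sig: ring R = {pk_bar, apk}, msg m||sigma'||PK_U
    return sigma_p, rs_sign(G, [PK[1], apk], 0, SK[1], (m, sigma_p, PK))

def ofe_res(G, ask, apk, PK, m, sigma_p):
    if not ofe_pver(G, PK, m, sigma_p):          # Res: refuse an invalid partial signature
        return None
    return sigma_p, rs_sign(G, [PK[1], apk], 1, ask, (m, sigma_p, PK))

def ofe_ver(G, PK, apk, m, sigma):
    sigma_p, sigma_rs = sigma
    return ofe_pver(G, PK, m, sigma_p) and rs_verify(G, [PK[1], apk], (m, sigma_p, PK), sigma_rs)

def demo(m="transfer 10 units to Bob"):  # constructed run: Alice signs, Charlie resolves
    G = safe_prime_group()
    (ask, apk), (SK, PK) = keygen(G), ofe_setup_user(G)   # SetupTTP, SetupUser
    sigma_p = ofe_psig(G, SK, m)
    bad = (sigma_p[0], (sigma_p[1] + 1) % G[1])          # tampered partial signature
    return {"signer_full_ok": ofe_ver(G, PK, apk, m, ofe_sig(G, SK, PK, apk, m)),
            "resolved_full_ok": ofe_ver(G, PK, apk, m, ofe_res(G, ask, apk, PK, m, sigma_p)),
            "res_refuses_bad_partial": ofe_res(G, ask, apk, PK, m, bad) is None}
```

Running `demo()` returns three `True` values. Note the binding choice in the ring message: the ring signature covers the user's public key $PK_U$ as well as $\sigma'$, so a ring signature obtained from Res for one user cannot be transplanted to another user's partial signature, which is the point of the $(\tilde{m}, \cdot, PK) \notin \mathsf{Query}(B, \mathcal{O}_{Res})$ condition in the proof of Lemma 4.3.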

4.2

Instantiations

There are quite a number of efficient conventional signature schemes and ring signature schemes without random oracles available in the literature, like [Wat05, BB04], [SW07, CGS07, Boy07] and many others. Using these schemes and applying our generic construction, we can get many concrete and efficient OFE schemes proven secure without random oracles in the multi-user setting and chosen-key model.

For example, we can use Waters' signature scheme [Wat05] as SIG and the Shacham-Waters ring signature scheme [SW07] as RS. Note that in such an instantiation, Waters' signature scheme may work in a group of composite order [SW07] rather than in a group of prime order [Wat05], so that SIG and RS can share the same set of system parameters. Besides, it is necessary to mention that there is a global setup process before any execution of the scheme; the requirement of having such a setup process stems from the Shacham-Waters ring signature scheme. For this instantiation, the ambiguity of the scheme is based on the subgroup decision assumption [BGN05, SW07], while the security against verifiers and the security against the arbitrator are based on the computational Diffie-Hellman assumption. The OFE.Sig algorithm of the resulting scheme requires no pairing operation, and the OFE.Ver algorithm requires four pairings. A main disadvantage of this instantiation is that the size of the system parameters is large: it is determined by the output length of the hash function used in Waters' signature scheme [Wat05, SW07].

Alternatively, we may consider another instantiation, which enjoys much shorter system parameters but relies on a stronger underlying assumption, i.e. the strong Diffie-Hellman assumption [BB04, CGS07]. In this instantiation, we employ Boneh-Boyen's weakly secure signature scheme [BB04] plus a one-time signature scheme as SIG$^4$, and the Chandran-Groth-Sahai ring signature scheme (in the common reference string model) [CGS07] as RS. The reason that we use Boneh-Boyen's weakly secure signature scheme plus a one-time signature scheme as SIG is the same as the one behind the combination of the Waters signature and the Shacham-Waters ring signature: SIG and RS share system parameters. Note that for RS, we do not need the signature compression technique of [CGS07], since the ring in our case consists of only two users. The Sig algorithm of the resulting scheme does not require any pairing operation either, while the Ver algorithm requires nine pairings.

In these two instantiations, each user has two key pairs, one for the conventional signature and the other for the ring signature, just as in the generic construction (Sec. 4.1). To make the instantiations more practical and efficient, one may wish to combine the two key pairs into one. Boyen's ring signature [Boy07] (or, say, his mesh signature) is a good candidate for this purpose. In Boyen's ring signature scheme, the adversary can make not only ring signature queries, but also atomic (or conventional) signature queries. Boyen's scheme works in the common reference string model. The anonymity holds unconditionally, and the unforgeability is guaranteed by the Poly Strong Diffie-Hellman assumption introduced by Boyen [Boy07], which is a stronger variant of the Strong Diffie-Hellman (SDH) assumption. In the resulting OFE scheme, the signer Alice and the arbitrator Charlie form a ring. We view an atomic signature of Alice as her partial signature, and the combination of the atomic signature and a ring signature as Alice's full commitment. Similar to the generic construction, the security against signers of this optimized instantiation also holds unconditionally. The security against verifiers holds due to the unforgeability of Boyen's (two-user) ring signature scheme, and the security against the arbitrator follows from the unforgeability of the (single-user) ring signature scheme. Any forgery of Alice's atomic signature $\sigma'$ on a message $m$, where $\sigma' = (S, t) = (g^{1/(a + bm + ct)}, t)$ and $(a, b, c)$ is Alice's secret key, can be trivially transformed into a forgery of the ring signature scheme under the ring consisting of Alice only: we set $s_0 := 0$, randomly select $t_0$ from its domain, and output the forgery $(S_0, S_1, t_0, t_1) := (1, S, t_0, t)$. The validity of the forgery is readily seen. Though this instantiation relies on a stronger assumption, it enjoys higher efficiency and fewer system parameters. It requires fewer pairing operations for OFE.Ver than the second instantiation, and has fewer system parameters than the first instantiation. OFE.Sig does not require any pairing operation, and OFE.Ver requires only four pairings. Each user, including the arbitrator, needs to manage only one key pair (unlike the first two instantiations, in which each user has two key pairs), and the public key consists of only three points on the elliptic curve (if we employ the symmetric group setting, i.e. $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_t$) [Boy07].

4 It is easy to see that a weakly secure signature scheme plus a one-time signature scheme lead to a signature scheme that is unforgeable against chosen message attacks. We skip the detailed proof here.

5

Two Previous Paradigms

In this section, we review the two previous paradigms which have been commonly used for constructing OFE schemes and evaluate whether they will still be secure under the multi-user setting as well as the chosen-key model.

5.1

Verifiably Encrypted Signature Paradigm

One may consider it a drawback that our scheme is not stand-alone [ZB06, ZSM07]. However, the stand-alone property does not really provide much advantage to a scheme, except that the full signature may enjoy a smaller size. We note that the verifiably encrypted signature based OFE generic construction reviewed by Dodis et al. [DLY07] has this property. In their paper, they showed that this construction is secure in the multi-user setting and the certified-key model. In the following, we show that the construction remains secure when the certified-key model is strengthened to the chosen-key model. Hence, if the stand-alone property is desired, one can use the verifiably encrypted signature based construction.

We first briefly review the construction. Let E be a public-key encryption scheme and S be a conventional signature scheme. Let Π be an NIZK proof system. The arbitrator has a key pair for E, and each user holds a key pair for S. To partially sign a message, the signer produces a signature σ using S and encrypts the signature under the arbitrator's public key. It then runs Π to generate an NIZK proof showing that the ciphertext is correctly formed, i.e. that it encrypts a valid signature on the message under the signer's public key. The partial signature σ′ consists of the ciphertext and the proof. The signer's full signature on this message is defined to be σ. To resolve a partial signature, the arbitrator uses its private key to decrypt the ciphertext and extract the conventional signature σ.

Note that in the proof given in [DLY07], the game simulator never needs to know the private keys corresponding to the public keys submitted by the adversary. Security against signers still holds due to the one-time simulation-soundness of the NIZK proof system. For security against verifiers, the simulator does not need to know any of the private keys of the public keys submitted by the malicious verifier and can still simulate the game. This is also the case for security against the arbitrator, which does not even need to submit its private key to the simulator. Everything can be simulated using the private keys of the honestly generated public keys that are given as input to the adversaries. Hence, we have the following theorem:

Theorem 5.1. If E is a CCA2-secure encryption scheme [RS92], S is a UF-CMA-secure signature scheme [GMR88], and Π is a one-time simulation-sound NIZK proof system, then the above construction is a stand-alone and setup-free OFE scheme that is secure in the multi-user setting and chosen-key model.

The proof is the same as that in [DLY07], so we omit it here.

Remark 4: Though the verifiably encrypted signature based generic construction discussed above remains secure in the chosen-key model, it involves a complex NP-reduction in the NIZK proof and is thus very inefficient for practical use, whereas our construction in Sec. 4.1 requires only a conventional signature and a ring signature, both of which can be made very practical.

5.2

Two-Party Sequential Multisignature Paradigm

We now re-examine the security of the generic construction based on two-party sequential multisignatures in [DLY07] in the multi-user setting, but under the chosen-key model. This construction was originally designed for the certified-key model. There is a key registration step for each user, in which part of the user's secret key is sent to the arbitrator so that the arbitrator can resolve partial signatures when needed. In other words, the arbitrator actually holds an arbitrator key for each user. This setup-driven property seems to be at odds with the chosen-key model, since in the chosen-key model the adversary would also have to register the public keys it chooses maliciously with the arbitrator. Thus, the attack shown in Sec. 3 is not applicable here. On the other hand, the security proof in [DLY07] relies on the requirement that the adversary also output the private keys corresponding to the public keys it chooses during the attack. Therefore, it remains unknown whether the two-party sequential multisignature based OFE is secure in the chosen-key model, even though the multisignature scheme WMS due to Lu et al. [LOS+06] is itself insecure in the chosen-key model: an attack against WMS can be launched by an adversary in a way similar to the one proposed in Sec. 3.

6

Optimistic Fair Exchange From Time Capsule Signatures

In the previous sections, we focused on OFE schemes secure in the multi-user setting and the chosen-key model. In this section, we propose a new approach to constructing OFE schemes that can be proven secure in the weaker certified-key model. Our goal in this section is to introduce this new paradigm, namely time capsule signature based OFE.

A time capsule signature, introduced by Dodis and Yum in [DY05], is a kind of digital signature that allows a signature to bear a (future) time $t$, so that the signature only becomes valid at time $t$ or later, after a semi-trusted third party, called the time server, releases time-dependent information. Besides, the real signer of a time capsule signature has the privilege to make the signature valid before time $t$. In this section, we show another way of constructing OFE schemes secure in the multi-user setting and certified-key model.

Roughly speaking, a time capsule signature scheme consists of 8 PPT algorithms (SetupTS, SetupUser, TSig, TVer, TRelease, Hatch, PreHatch, Ver). The time server runs SetupTS to generate its key pair, and each user runs SetupUser to generate a user key pair. Any user can run TSig to produce a time capsule signature that becomes valid at some time period $t$, and can later make its signature mature before $t$ by running PreHatch. At each time period $t$, the time server runs TRelease to release some secret information related to $t$, with which any user can make a time capsule signature mature (Hatch) and verify its validity (Ver). The security of time capsule signatures consists of three aspects: security against the signer, security against the verifier and security against the time server. Briefly,

• Security against the signer requires that no PPT adversary can produce a time capsule signature $\sigma'_t$ which looks good to the verifier but cannot be hatched into a full signature by the honest time server.

• Security against the verifier requires that no PPT adversary can open a pre-mature time capsule signature without the help of the signer or the time server.

• Security against the time server requires that no PPT time server can produce a valid hatched or pre-hatched signature on a message $m$ of the signer without explicitly asking the signer to produce a time capsule signature on that message.

We refer readers to Appendix B or [DY05] for the formal definition of time capsule signatures and their security models.

6.1

The Construction

Let TCS = (SetupTS, SetupUser, TSig, TVer, TRelease, Hatch, PreHatch, Ver) be a time capsule signature scheme. In the following, we show how to use TCS to build an optimistic fair exchange scheme OFE′ secure in the multi-user setting and the certified-key model. Let $k$ be the security parameter. Suppose that $H : \{0,1\}^* \to \mathcal{T}$ is a collision-free hash function, where $\mathcal{T}$ is the space of time events. Without loss of generality, we assume that the size of $\mathcal{T}$ is super-polynomial in $k$; this is needed to ensure the collision-freeness of $H$.

• SetupTTP: The arbitrator runs $(TSK, TPK) \leftarrow \mathsf{TCS.SetupTS}(1^k)$ and sets $(ASK, APK) := (TSK, TPK)$.

• SetupUser: Each user $U_i$ generates a public/private key pair by running $(SK_{U_i}, PK_{U_i}) \leftarrow \mathsf{TCS.SetupUser}(1^k)$.

• Sig: On input a message $m$, the signer $U_i$ generates a time event $t$ by computing $t \leftarrow H(m, PK_{U_i})$.$^5$ It then computes $\sigma' \leftarrow \mathsf{TCS.TSig}(m, SK_{U_i}, APK, t)$ and the full signature $\sigma \leftarrow \mathsf{TCS.PreHatch}(m, \sigma', SK_{U_i}, APK, t)$.

• Ver: On input a message $m$ and a signature $\sigma$ purportedly produced by $U_i$, the verifier computes $t \leftarrow H(m, PK_{U_i})$ and returns $\mathsf{TCS.Ver}(m, \sigma, PK_{U_i}, APK, t)$.

• PSig: On input a message $m$, the signer $U_i$ computes $t \leftarrow H(m, PK_{U_i})$, runs $\sigma' \leftarrow \mathsf{TCS.TSig}(m, SK_{U_i}, APK, t)$ and returns $\sigma'$.

• PVer: On input a message $m$ and a partial signature $\sigma'$ purportedly produced by $U_i$, the verifier computes $t \leftarrow H(m, PK_{U_i})$ and returns $\mathsf{TCS.TVer}(m, \sigma', PK_{U_i}, APK, t)$.

• Res: On input a message $m$ and a partial signature $\sigma'$ of user $U_i$, the arbitrator first checks whether $\sigma'$ is a valid partial signature on $m$ with respect to $PK_{U_i}$ (by running PVer). If not, it rejects the input by outputting $\bot$; otherwise, it computes $t \leftarrow H(m, PK_{U_i})$, runs $z_t \leftarrow \mathsf{TCS.TRelease}(t, ASK)$ and computes $\sigma \leftarrow \mathsf{TCS.Hatch}(m, \sigma', PK_{U_i}, APK, z_t)$. The arbitrator returns $\sigma$.

5 The reason for computing $t$ rather than selecting it at random is to ensure that the time event of each signature is distinct whenever the message or the signer differs, which is important in the proof of security against verifiers (see the proof of Lemma D.2).

This construction is setup-free. The stand-alone property depends on that of the underlying time capsule signature. The correctness of OFE′ is obvious, and the ambiguity property simply follows from that of TCS.

Remark 5 (On the Space $\mathcal{T}$ of Time Events): To the best of our knowledge, all the time capsule signature schemes in the literature [DY05, HWH+07, LQ07]$^6$ put no restriction on the range of possible time events. In fact, the time event $t$ in these schemes can take any value in $\{0,1\}^*$, since a mechanism analogous to identity-based cryptography is used in their constructions and $t$ plays the role of an identity. Therefore, it is reasonable for us to assume that the size of $\mathcal{T}$ is at least super-polynomial in the security parameter, or large enough to guarantee the collision-resistance of $H$. Besides, if the time event $t$ can take any arbitrary value in $\{0,1\}^*$, then we can simply remove $H$ from the construction above and thereby reduce the assumptions needed to build OFE′: we directly use $m\|PK_{U_i}$ as the 'time event' $t$ instead of its hash.

For the security of the above construction of OFE′, we have the following theorem. Note that since the security of time capsule signatures is defined in a way compatible with and very similar to that of OFE in [DLY07], in the following we only show the security of OFE′ in the certified-key model, not in the stronger model we propose in Sec. 2.

Theorem 6.1. If there exist secure time capsule signature schemes and collision-free hash functions, then there exist secure optimistic fair exchange schemes in the multi-user setting and the certified-key model.

The detailed proof is given in Appendix D.

6.2

An Instantiation without Random Oracles

Recently, Libert and Quisquater [LQ07] proposed an efficient time capsule signature scheme proven secure in the standard model which has the ambiguity property. By instantiating our generic construction above with their time capsule signature scheme, the resulting OFE scheme is also secure without random oracles. In this particular scheme we do not even need to introduce a separate collision-resistant hash function, because a collision-free hash function $H : \{0,1\}^* \to \{0,1\}^n$ is already employed in the Libert-Quisquater time capsule signature scheme. We can simply use $H$ to map $m\|PK_{U_i}$ into the time event space $\{0,1\}^n$, which is exactly the case in their implementation.

6 We note that the schemes in [HWH+07] are not ambiguous. That is, pre-hatched signatures are distinguishable from hatched signatures.

7

Conclusion

In this paper we considered optimistic fair exchange in the multi-user setting and separated the security of optimistic fair exchange in the certified-key model from that in the chosen-key model. We proposed an efficient generic construction of optimistic fair exchange in the multi-user setting and chosen-key model and proved its security without random oracles. Our scheme is built from a conventional signature and a ring signature, both of which can be efficiently constructed without random oracles. We also discussed some efficient instantiations of our generic construction. Furthermore, we re-examined the verifiably encrypted signature paradigm and the multisignature paradigm for constructing optimistic fair exchange schemes, and showed that the verifiably encrypted signature paradigm considered in [DLY07] remains secure in the chosen-key model, while it is still unknown whether the multisignature based construction is secure in this model. Finally, we observed that, due to its very similar nature to optimistic fair exchange, it is straightforward to build an optimistic fair exchange scheme in the multi-user setting and the certified-key model from a time capsule signature scheme secure in the certified-key model, in conjunction with a collision-resistant hash function. Combining recent work on time capsule signatures in the standard model with our generic transformation, we obtain an efficient optimistic fair exchange scheme secure without random oracles.

Acknowledgements We’d like to thank the anonymous reviewers of CT-RSA 2008 for their invaluable comments. The work was supported by grants from CityU (Project Nos. 7001959 and 7002001) and the Research Grants Council of the Hong Kong Special Administrative Region, China (RGC Ref. No. CityU 122107).

References

[ASW97] N. Asokan, Matthias Schunter, and Michael Waidner. Optimistic protocols for fair exchange. In ACM Conference on Computer and Communications Security, pages 7–17. ACM, 1997. (Cited on page 1.)

[ASW98] N. Asokan, Victor Shoup, and Michael Waidner. Optimistic fair exchange of digital signatures (extended abstract). In Advances in Cryptology - EUROCRYPT 98, volume 1403 of Lecture Notes in Computer Science, pages 591–606. Springer, 1998. (Cited on page 1.)

[ASW00] N. Asokan, Victor Shoup, and Michael Waidner. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communication, 18(4):593–610, 2000. (Cited on page 1.)

[BB04] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer, 2004. (Cited on pages 3 and 13.)

[BCNP04] Boaz Barak, Ran Canetti, Jesper Buus Nielsen, and Rafael Pass. Universally composable protocols with relaxed set-up assumptions. In Proceedings of 45th IEEE Symp. on Foundations of Comp. Science (FOCS '04), pages 186–195. IEEE Computer Society, 2004. (Cited on pages 1 and 5.)

[BGLS03] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 416–432. Springer, 2003. (Cited on pages 1, 6, and 8.)

[BGN05] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. Evaluating 2-DNF formulas on ciphertexts. In Joe Kilian, editor, Proceedings of 2nd IACR Theory of Cryptography Conference, TCC 2005, volume 3378 of Lecture Notes in Computer Science, pages 325–341. Springer, Feb. 2005. (Cited on page 13.)

[BKM06] Adam Bender, Jonathan Katz, and Ruggero Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. In Shai Halevi and Tal Rabin, editors, Proceedings of 3rd IACR Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science, pages 60–79. Springer, 2006. Also at Cryptology ePrint Archive, Report 2005/304, http://eprint.iacr.org/. (Cited on pages 2, 5, 9, and 10.)

[Boy07] Xavier Boyen. Mesh signatures: How to leak a secret with unwitting and unwilling participants. In Moni Naor, editor, Advances in Cryptology - EUROCRYPT 2007, volume 4515 of Lecture Notes in Computer Science, pages 210–227. Springer, 2007. (Cited on pages 2, 3, 9, 10, 13, and 14.)

[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73. ACM, 1993. (Cited on page 1.)

[BWZZ04] Feng Bao, Guilin Wang, Jianying Zhou, and Huafei Zhu. Analysis and improvement of Micali's fair contract signing protocol. In Huaxiong Wang, Josef Pieprzyk, and Vijay Varadharajan, editors, Proceedings of 9th Australasian Conference on Information Security and Privacy, ACISP 2004, volume 3108 of Lecture Notes in Computer Science, pages 176–187. Springer, 2004. (Cited on page 1.)

[CD00] Jan Camenisch and Ivan Damgård. Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In Tatsuaki Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 331–345. Springer, 2000. (Cited on page 1.)

[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. In Proceedings of 30th ACM Symp. on Theory of Computing, pages 209–218. ACM, 1998. (Cited on page 1.)

[CGS07] Nishanth Chandran, Jens Groth, and Amit Sahai. Ring signatures of sub-linear size without random oracles. In Proceedings of 34th International Colloquium on Automata, Languages and Programming, ICALP 2007, Lecture Notes in Computer Science. Springer, 2007. (Cited on pages 2, 3, 9, and 13.)

[DLY07] Yevgeniy Dodis, Pil Joong Lee, and Dae Hyun Yum. Optimistic fair exchange in a multi-user setting. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 118–133. Springer, 2007. Also at Cryptology ePrint Archive, Report 2007/182, http://eprint.iacr.org/. (Cited on pages 2, 1, 3, 4, 5, 7, 8, 11, 14, 15, 17, 18, and 24.)

[DR03] Yevgeniy Dodis and Leonid Reyzin. Breaking and repairing optimistic fair exchange from PODC 2003. In ACM Workshop on Digital Rights Management, DRM 2003, pages 47–54. ACM, 2003. (Cited on pages 1, 4, 5, 7, and 8.)

[DY05] Yevgeniy Dodis and Dae Hyun Yum. Time capsule signatures. In Andrew S. Patrick and Moti Yung, editors, Proceedings of Financial Cryptography and Data Security 2005, volume 3570 of Lecture Notes in Computer Science, pages 57–71. Springer, 2005. (Cited on pages 2, 3, 15, 16, 17, and 22.)

[ES05] Paul D. Ezhilchelvan and Santosh K. Shrivastava. A family of trusted third party based fair-exchange protocols. IEEE Transactions on Dependable and Secure Computing, 2(4):273–286, Oct-Dec 2005. (Cited on page 1.)

[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald Rivest. A digital signature scheme secure against adaptive chosen-message attack. SIAM J. Computing, 17(2):281–308, April 1988. (Cited on pages 2, 9, 15, and 21.)

[HWH+07] Bessie C. Hu, Duncan S. Wong, Qiong Huang, Guomin Yang, and Xiaotie Deng. Time capsule signature: Efficient and provably secure constructions. In Javier Lopez and Pierangela Samarati, editors, Proceedings of 4th European PKI Workshop: Theory and Practice, EuroPKI 2007, volume 4582 of Lecture Notes in Computer Science, pages 126–142. Springer, 2007. Full paper is available at Cryptology ePrint Archive, Report 2007/146, http://eprint.iacr.org/. (Cited on page 17.)

[HYWS08] Qiong Huang, Guomin Yang, Duncan S. Wong, and Willy Susilo. Efficient optimistic fair exchange secure in the multi-user setting and chosen-key model without random oracles. In Proceedings of Topics in Cryptology - CT-RSA 2008, volume ?? of Lecture Notes in Computer Science,
pages ??–?? Springer, 2008. (Cited on page 1.)

[Kre03] Steve Kremer. Formal Analysis of Optimistic Fair Exchange Protocols. PhD thesis, Université Libre de Bruxelles, 2003. (Cited on page 1.)

[LMRS04] Anna Lysyanskaya, Silvio Micali, Leonid Reyzin, and Hovav Shacham. Sequential aggregate signatures from trapdoor permutations. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 74–90. Springer, May 2004. (Cited on pages 2, 4, 5, and 8.)

[LOS+06] Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Sequential aggregate signatures and multisignatures without random oracles. In Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 465–485. Springer, 2006. (Cited on pages 2, 1, 4, 5, 8, 9, 15, and 23.)

[LQ07] Benoît Libert and Jean-Jacques Quisquater. Practical time capsule signatures in the standard model from bilinear maps. In Tsuyoshi Takagi, Takeshi Okamoto, Eiji Okamoto, and Tatsuaki Okamoto, editors, Proceedings of 1st International Conference on Pairing-Based Cryptography, Pairing 2007, volume 4575 of Lecture Notes in Computer Science, pages 23–38. Springer, July 2007. (Cited on pages 3 and 17.)

[Mic03] Silvio Micali. Simple and fast optimistic protocols for fair electronic exchange. In ACM Symposium on Principles of Distributed Computing, PODC 2003, pages 12–19. ACM, 2003. (Cited on page 1.)

[PCS03] Jung Min Park, Edwin K.P. Chong, and Howard Jay Siegel. Constructing fair-exchange protocols for e-commerce via distributed computation of RSA signatures. In PODC 2003, pages 172–181. ACM, 2003. (Cited on page 1.)

[RS92] Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology - CRYPTO 91, volume 576 of Lecture Notes in Computer Science, pages 433–444. Springer, 1992. (Cited on page 15.)

[RST01] Ronald Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In Colin Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 552–565. Springer, 2001. (Cited on pages 2 and 9.)

[SW07] Hovav Shacham and Brent Waters. Efficient ring signatures without random oracles. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 166–180. Springer, 2007. (Cited on pages 2, 3, 9, and 13.)

[Wan05] Guilin Wang. An abuse-free fair contract signing protocol based on the RSA signature. In Proceedings of 14th International Conference on World Wide Web, WWW 2005, pages 412–421. ACM, 2005. (Cited on page 1.)

[Wat05] Brent Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, Advances in Cryptology - EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, pages 114–127. Springer, 2005. (Cited on pages 1, 2, 3, and 13.)

[ZB06] Huafei Zhu and Feng Bao. Stand-alone and setup-free verifiably committed signatures. In Proceedings of Topics in Cryptology - CT-RSA 2006, volume 3860 of Lecture Notes in Computer Science, pages 159–173. Springer, 2006. (Cited on pages 1, 5, 8, and 14.)

[Zhu03] Huafei Zhu. Constructing optimistic fair exchange protocols from committed signatures. Cryptology ePrint Archive, Report 2005/012, 2003. http://eprint.iacr.org/. (Cited on page 1.)

[ZSM07] Huafei Zhu, Willy Susilo, and Yi Mu. Multi-party stand-alone and setup-free verifiably committed signatures. In Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 134–149. Springer, 2007. (Cited on pages 1, 5, 8, and 14.)

[ZZF04] Zhenfeng Zhang, Yongbin Zhou, and Dengguo Feng. Efficient and optimistic fair exchanges based on standard RSA with provable security. Cryptology ePrint Archive, Report 2003/178, 2004. http://eprint.iacr.org/. (Cited on page 1.)

Appendix A

Security Definition of Conventional Signatures

A conventional digital signature scheme SIG consists of three PPT algorithms (KG, Sig, Ver): KG is the key generation algorithm, which takes as input the security parameter 1^k and outputs a signing/verification key pair (sk, pk); Sig is the signing algorithm, which takes as input sk and a message m and outputs a signature σ; and Ver is the verification algorithm, which takes m, σ and pk and outputs accept or reject. The standard security notion for conventional signature schemes is existential unforgeability under chosen message attacks [GMR88], defined by the following experiment:

$$
\begin{aligned}
&(sk, pk) \leftarrow \mathsf{SIG.KG}(1^k) \\
&(m, \sigma) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathsf{SIG.Sig}}}(pk) \\
&\text{success of } \mathcal{A} := [\mathsf{SIG.Ver}(m, \sigma, pk) = \mathsf{accept} \;\wedge\; m \notin \mathrm{Query}(\mathcal{A}, \mathcal{O}_{\mathsf{SIG.Sig}})]
\end{aligned}
$$

where A is a PPT adversary, O_{SIG.Sig} is the signing oracle, which takes as input a message m and outputs a signature on m under pk, and Query(A, O_{SIG.Sig}) is the set of all signing queries issued by A. The advantage of A in the experiment is defined to be its success probability. A signature scheme is said to be existentially unforgeable under chosen message attacks (or simply unforgeable) if no PPT adversary wins the experiment with non-negligible advantage.

B

Time Capsule Signatures [DY05]

Definition B.1 ([DY05]). A time capsule signature scheme is specified by an 8-tuple of PPT algorithms (Setup_TS, Setup_User, TSig, TVer, TRelease, Hatch, PreHatch, Ver) such that:

• Setup_TS: This setup algorithm is run by the Time Server. It takes a security parameter 1^k and returns a private/public time release key pair (TSK, TPK).
• Setup_User: This setup algorithm is run by each user. It takes as input 1^k and returns the user's private/public key pair (SK, PK).
• TSig: The time capsule signature generation algorithm TSig takes as input (m, SK, TPK, t), where t is a specific time event from which the signature becomes valid, and outputs a time capsule signature σ′_t.
• TVer: The time capsule signature verification algorithm TVer takes (m, σ′_t, PK, TPK, t) and returns accept or reject.
• TRelease: The time release algorithm TRelease takes as input (t, TSK). At the beginning of each time event t, the time server publishes z_t ← TRelease(t, TSK).
• Hatch: This algorithm can be run by any party and is used to open a valid time capsule signature that has become mature. It takes as input (m, σ′_t, PK, TPK, z_t) and returns a hatched signature σ_t.
• PreHatch: This algorithm is run by the signer and is used to open a valid time capsule signature that is not mature yet. It takes as input (m, σ′_t, SK, TPK, t) and returns the pre-hatched signature σ_t.
• Ver: This algorithm is used to verify a hatched or pre-hatched signature. Ver takes as input (m, σ_t, PK, TPK, t) and returns accept or reject.

The correctness requirement states that TVer(m, TSig(m, SK, TPK, t), PK, TPK, t) = accept and Ver(m, σ_t, PK, TPK, t) = accept, where σ_t ← Hatch(m, TSig(m, SK, TPK, t), PK, TPK, TRelease(t, TSK)) or σ_t ← PreHatch(m, TSig(m, SK, TPK, t), SK, TPK, t).
The ambiguity property requires that the hatched signature σ_t ← Hatch(m, TSig(m, SK, TPK, t), PK, TPK, TRelease(t, TSK)) is (computationally) indistinguishable from the pre-hatched signature σ_t ← PreHatch(m, TSig(m, SK, TPK, t), SK, TPK, t), even if the distinguisher knows TSK. The security of time capsule signatures consists of three aspects: security against the signer Alice, security against the verifier Bob and security against the time server. In the following, we denote by O_TSig the oracle simulating the algorithm TSig, which takes (m, t) as input and returns Alice's time capsule signature σ′_t; by O_TR the oracle simulating the algorithm TRelease, which takes t as input and returns the secret time information z_t; and by O_PreH the oracle simulating the algorithm PreHatch, which takes (m, t, σ′_t) as input and returns Alice's pre-hatched signature σ_t.

• Security against Alice: We require that any PPT adversary A succeeds with at most negligible probability in the following experiment:

$$
\begin{aligned}
&\mathsf{Setup}_{\mathsf{TS}}(1^k) \to (TSK, TPK) \\
&(m, t, \sigma'_t, PK) \leftarrow \mathcal{A}^{\mathcal{O}_{TR}}(TPK) \\
&z_t \leftarrow \mathsf{TRelease}(t, TSK) \\
&\sigma_t \leftarrow \mathsf{Hatch}(m, \sigma'_t, PK, TPK, z_t) \\
&\text{success of } \mathcal{A} = [\mathsf{TVer}(m, \sigma'_t, PK, TPK, t) = \mathsf{accept} \;\wedge\; \mathsf{Ver}(m, \sigma_t, PK, TPK, t) = \mathsf{reject}]
\end{aligned}
$$

• Security against Bob: We require that any PPT adversary B succeeds with at most negligible probability in the following experiment:

$$
\begin{aligned}
&\mathsf{Setup}_{\mathsf{TS}}(1^k) \to (TSK, TPK), \qquad \mathsf{Setup}_{\mathsf{User}}(1^k) \to (SK, PK) \\
&(m, t, \sigma_t) \leftarrow \mathcal{B}^{\mathcal{O}_{TSig}, \mathcal{O}_{TR}, \mathcal{O}_{PreH}}(PK, TPK) \\
&\text{success of } \mathcal{B} = [\mathsf{Ver}(m, \sigma_t, PK, TPK, t) = \mathsf{accept} \;\wedge\; t \notin \mathrm{Query}(\mathcal{B}, \mathcal{O}_{TR}) \;\wedge\; (m, t, \cdot) \notin \mathrm{Query}(\mathcal{B}, \mathcal{O}_{PreH})]
\end{aligned}
$$

where Query(B, O_TR) is the set of queries B issued to the time release oracle O_TR, and Query(B, O_PreH) is the set of valid queries B issued to the pre-hatch oracle O_PreH (i.e., tuples (m, t, σ′_t) such that TVer(m, σ′_t, PK, TPK, t) = accept).

• Security against the time server: We require that any PPT adversary C succeeds with at most negligible probability in the following experiment:

$$
\begin{aligned}
&\mathsf{Setup}^{*}_{\mathsf{TS}}(1^k) \to (TSK^{*}, TPK), \qquad \mathsf{Setup}_{\mathsf{User}}(1^k) \to (SK, PK) \\
&(m, t, \sigma_t) \leftarrow \mathcal{C}^{\mathcal{O}_{TSig}, \mathcal{O}_{PreH}}(PK, TPK, TSK^{*}) \\
&\text{success of } \mathcal{C} = [\mathsf{Ver}(m, \sigma_t, PK, TPK, t) = \mathsf{accept} \;\wedge\; (m, \cdot) \notin \mathrm{Query}(\mathcal{C}, \mathcal{O}_{TSig})]
\end{aligned}
$$

where Setup*_TS denotes a run of Setup_TS with a dishonest time server (run by C), TSK* is C's state after this run, and Query(C, O_TSig) is the set of queries C issued to the time capsule signature generation oracle O_TSig (i.e., (m, t′) ∉ Query(C, O_TSig) for all t′).

C

Review of Lu et al.’s Verifiably Encrypted Signature Scheme [LOS+ 06]

A verifiably encrypted signature scheme consists of seven PPT algorithms, (Kg, Sig, Ver, AKg, ESig, EVer, Adj). Let G, G_T be groups of prime order p, and e : G × G → G_T be an admissible bilinear pairing. Let g, u_0, u_1, ..., u_k be random generators of G, where k is a security parameter. Below is a brief review of Lu et al.'s verifiably encrypted signature scheme WVES [LOS+06]:

Kg. Pick a random α ← Z_p and set A ← e(g, g)^α. The public key is PK := A and the private key is SK := α.

Sig. For a message M = (m_1, ..., m_k) ∈ {0,1}^k, the signer picks a random r ← Z_p and computes

$$
S_1 \leftarrow g^{\alpha} \cdot \Big(u_0 \prod_{i=1}^{k} u_i^{m_i}\Big)^{r}, \qquad S_2 \leftarrow g^{r}.
$$

The signature is σ := (S_1, S_2).

Ver. For a signature σ = (S_1, S_2) on message M, output accept if

$$
e(S_1, g) \cdot e\Big(S_2,\; u_0 \prod_{i=1}^{k} u_i^{m_i}\Big)^{-1} = A,
$$

and reject otherwise.

AKg. Randomly pick β ← Z_p and set v ← g^β. The adjudicator's public key is APK := v and the private key is ASK := β.

ESig. For a message M ∈ {0,1}^k, the signer computes the signature (S_1, S_2) using Sig, randomly picks s ← Z_p and computes K_1 ← S_1 · v^s, K_2 ← S_2 and K_3 ← g^s. The verifiably encrypted signature is η := (K_1, K_2, K_3).

EVer. For a verifiably encrypted signature η = (K_1, K_2, K_3), output accept if

$$
e(K_1, g) \cdot e\Big(K_2,\; u_0 \prod_{i=1}^{k} u_i^{m_i}\Big)^{-1} \cdot e(K_3, v)^{-1} = A,
$$

and reject otherwise.

Adj. Given η = (K_1, K_2, K_3), the adjudicator outputs S_1 ← K_1 · K_3^{-β} and S_2 ← K_2.
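The seven algorithms above, run end to end, as an added worked example that is not part of this paper or of Lu et al.'s work. To keep it self-contained it carries its own toy symmetric pairing: the modified Tate pairing on the supersingular curve y² = x³ + x over F_p with p ≡ 3 (mod 4), embedding degree 2 and the distortion map (x, y) ↦ (−x, iy), computed with Miller's algorithm and denominator elimination. The parameters p = 163 and n = 41, the 4-bit message length and all function names are assumptions of this example chosen for readability; the group is far too small for any security, and a deployment would use a standard pairing-friendly curve. Group operations are written additively, so the paper's g^α · (u_0 ∏ u_i^{m_i})^r becomes α·g + r·H(M), and the inverse e(·,·)^{-1} of a pairing value is taken as its (n−1)-th power, since all pairing values have order dividing n.

```python
import secrets
P, N = 163, 41               # p = 3 (mod 4); n prime with #E(F_p) = p + 1 = 4n
COFACTOR = (P + 1) // N

# F_{p^2} = F_p[i]/(i^2 + 1); an element (a, b) stands for a + b*i.
def f2_mul(x, y):
    return ((x[0]*y[0] - x[1]*y[1]) % P, (x[0]*y[1] + x[1]*y[0]) % P)
def f2_pow(x, e):
    r = (1, 0)
    while e:
        r = f2_mul(r, x) if e & 1 else r
        x, e = f2_mul(x, x), e >> 1
    return r
# E(F_p): y^2 = x^3 + x, points as (x, y); None is the point at infinity.
def slope(A, B):
    (x1, y1), (x2, y2) = A, B
    if A == B:
        return (3*x1*x1 + 1) * pow(2*y1, -1, P) % P
    return (y2 - y1) * pow(x2 - x1, -1, P) % P
def ec_add(A, B):
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    lam = slope(A, B)
    x3 = (lam*lam - A[0] - B[0]) % P
    return (x3, (lam*(A[0] - x3) - A[1]) % P)
def ec_mul(k, A):
    R = None
    while k:
        R = ec_add(R, A) if k & 1 else R
        A, k = ec_add(A, A), k >> 1
    return R
def line(T, U, Q):
    # Line through T, U in E(F_p) evaluated at Q in E(F_{p^2}). Vertical lines and
    # all denominators lie in F_p, which the final exponentiation maps to 1.
    if T[0] == U[0] and (T[1] + U[1]) % P == 0:
        return (1, 0)
    lam, (xq, yq) = slope(T, U), Q
    return ((yq[0] - T[1] - lam*(xq[0] - T[0])) % P, (yq[1] - lam*xq[1]) % P)
def pairing(A, B):
    # Modified Tate pairing e(A, B) = t_n(A, phi(B)) with phi(x, y) = (-x, i*y).
    if A is None or B is None:                      # e(O, .) = e(., O) = 1
        return (1, 0)
    Q = (((-B[0]) % P, 0), (0, B[1]))
    f, T = (1, 0), A
    for bit in bin(N)[3:]:                          # Miller loop over bits of n
        f, T = f2_mul(f2_mul(f, f), line(T, T, Q)), ec_add(T, T)
        if bit == '1':
            f, T = f2_mul(f, line(T, A, Q)), ec_add(T, A)
    return f2_pow(f, (P*P - 1) // N)                # final exponentiation
def gt_inv(x): return f2_pow(x, N - 1)             # pairing values have order | n
def gen_point():                                    # random point of order n
    while True:
        x = secrets.randbelow(P)
        rhs = (x**3 + x) % P
        y = pow(rhs, (P + 1) // 4, P)               # square root if rhs is a square
        R = ec_mul(COFACTOR, (x, y)) if y*y % P == rhs else None
        if R is not None:
            return R
def rand_exp(): return 1 + secrets.randbelow(N - 1)

# Waters signature and WVES, written additively: g^a is a*g, products are sums.
K = 4                                               # toy message length in bits
g = gen_point()
u = [gen_point() for _ in range(K + 1)]             # u_0, ..., u_k
def waters_hash(m):                                 # u_0 * prod_i u_i^{m_i}
    H = u[0]
    for i, bit in enumerate(m, start=1):
        H = ec_add(H, u[i]) if bit else H
    return H
def kg():                                           # SK = alpha, PK = A = e(g, g)^alpha
    alpha = rand_exp()
    return alpha, f2_pow(pairing(g, g), alpha)
def sig(alpha, m):                                  # (g^alpha * H(M)^r, g^r)
    r = rand_exp()
    return (ec_add(ec_mul(alpha, g), ec_mul(r, waters_hash(m))), ec_mul(r, g))
def ver(A, m, sigma):                               # e(S1, g) * e(S2, H(M))^-1 == A
    S1, S2 = sigma
    return f2_mul(pairing(S1, g), gt_inv(pairing(S2, waters_hash(m)))) == A
def akg():                                          # ASK = beta, APK = v = g^beta
    beta = rand_exp()
    return beta, ec_mul(beta, g)
def esig(alpha, v, m):                              # (S1 * v^s, S2, g^s)
    (S1, S2), s = sig(alpha, m), rand_exp()
    return (ec_add(S1, ec_mul(s, v)), S2, ec_mul(s, g))
def ever(A, v, m, eta):                             # ... * e(K3, v)^-1 == A
    K1, K2, K3 = eta
    lhs = f2_mul(pairing(K1, g), gt_inv(pairing(K2, waters_hash(m))))
    return f2_mul(lhs, gt_inv(pairing(K3, v))) == A
def adj(beta, eta):                                 # (K1 * K3^-beta, K2)
    K1, K2, K3 = eta
    return (ec_add(K1, ec_mul(N - beta, K3)), K2)

def demo(m=(1, 0, 1, 1)):
    (alpha, A), (beta, v) = kg(), akg()
    eta = esig(alpha, v, m)
    bad = (eta[0], eta[1], ec_add(eta[2], g))       # K3 no longer matches K1
    return ever(A, v, m, eta), ver(A, m, adj(beta, eta)), ever(A, v, m, bad)
```

demo() returns three booleans: EVer accepts a fresh η, Ver accepts the signature the adjudicator extracts from it, and EVer rejects an η whose K_3 was replaced. The last check is the one that matters for fair exchange: K_1 hides the signature under v^s, and e(K_3, v) = e(g, g)^{βs} is what cancels that factor in the EVer equation, so a K_3 that does not match the s folded into K_1 is caught before the adjudicator ever runs Adj. Adj itself uses nothing but β and K_3, which is why the adjudicator needs no state from the signer.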

D

Proof of Theorem 6.1

Proof. For security against signers, security against verifiers and security against the arbitrator, we have the following three lemmas, respectively. Note that since the security of time capsule signatures is defined in a way compatible with, and very similar to, that of OFE in [DLY07], in the following we only give the security proofs of OFE′ in the certified-key model, not in the stronger model we propose in Sec. 2.

Lemma D.1. The optimistic fair exchange scheme OFE′ above is secure against signers.

Proof. Suppose that A is a PPT adversary that breaks the security against signers of OFE′ with non-negligible advantage $\varepsilon_A$. We construct a PPT algorithm $\bar{A}$ which breaks the security against the signer of TCS. Given the time server public key TPK and a time release oracle O_TR which simulates the TCS.TRelease algorithm, $\bar{A}$ randomly selects a hash function H : {0,1}* → T and runs A on input (TPK, H). During the execution, A has access to the oracle O_Res. To answer A's query (m, σ′, PK_{U_i}), $\bar{A}$ first checks the validity of σ′ by running OFE′.PVer(m, σ′, PK_{U_i}, APK). If it is invalid, $\bar{A}$ returns ⊥. Otherwise, it issues a query to its oracle O_TR on input t ← H(m, PK_{U_i}), which returns the corresponding z_t. $\bar{A}$ then computes σ ← TCS.Hatch(m, σ′, PK_{U_i}, TPK, z_t) and returns σ to A. Note that the above simulation of O_Res is perfect.

Finally, A outputs (m, σ′, PK). Without loss of generality, we assume that A wins the game; this happens with probability $\varepsilon_A$. (If A fails, $\bar{A}$ also fails and halts.) Thus we get that OFE′.PVer(m, σ′, PK, TPK) = accept and OFE′.Ver(m, σ, PK, TPK) = reject, where σ ← OFE′.Res(m, σ′, ASK, PK). This indicates that TCS.TVer(m, σ′, PK, TPK, t) = accept and TCS.Ver(m, σ, PK, TPK, t) = reject, where t ← H(m, PK). Hence, we let $\bar{A}$ output (m, t, σ′, PK), and $\bar{A}$ wins its game with probability $\varepsilon_A$.


Remark 6. Note that in the proof, after receiving the output (m, σ′, PK) of A, $\bar{A}$ can actually compute σ by generating the time event t as described above, issuing a query to the oracle O_TR to get z_t, and then running σ_t ← TCS.Hatch(m, σ′_t, PK_A, TPK, z_t). If t was ever issued by $\bar{A}$ to O_TR during the simulation, $\bar{A}$ can simply retrieve the corresponding z_t from its memory instead of issuing a new query. Therefore, $\bar{A}$ can check the validity of A's output and decide whether to output (m, t, σ′, PK_A) or to abort.

Lemma D.2. The optimistic fair exchange scheme OFE′ above is secure against verifiers.

Proof. Suppose that B is a PPT adversary which breaks the security against verifiers of OFE′ with non-negligible advantage $\varepsilon_B$. We construct a PPT algorithm $\bar{B}$ which breaks the security against the verifier of TCS. Given the time server public key TPK, the signer's public key PK, and oracles O_TSig simulating the algorithm TCS.TSig, O_TR simulating the algorithm TCS.TRelease and O_PreH simulating the algorithm TCS.PreHatch, $\bar{B}$ randomly selects a hash function H : {0,1}* → T and runs B on input (TPK, PK, H). To simulate the oracles O_PSig and O_Res for B, $\bar{B}$ uses O_TSig and O_TR respectively, as follows.

• When B issues a query to O_PSig on input m, $\bar{B}$ generates the time event t ← H(m, PK) and issues a query to its oracle O_TSig on input (m, t), which returns the signer's time capsule signature σ′. $\bar{B}$ then returns σ′ to B.
• When B issues a valid query to O_Res on input (m, σ′, PK_{U_i}), $\bar{B}$ generates the time event t ← H(m, PK_{U_i}) and issues a query to O_TR on input t, which returns the corresponding z_t. $\bar{B}$ then returns σ ← TCS.Hatch(m, σ′, PK_{U_i}, TPK, z_t).

It is readily seen that the above simulation is perfect. Finally, B outputs (m, σ). Without loss of generality, we assume that B wins the game. Thus we have that OFE′.Ver(m, σ, PK, TPK) = accept and (m, ·, PK) ∉ Query(B, O_Res).
Since the hash function H is collision-free, it holds with only negligible probability that t ← H(m, PK) is the same as one of the time events that $\bar{B}$ generated during the simulation of O_Res and O_PSig; otherwise, B and $\bar{B}$ together form an algorithm breaking the collision-freeness of H. If t did appear before, $\bar{B}$ fails and halts. So we have that $\bar{B}$ did not issue a query to O_TR on input t. Also note that during the whole execution, $\bar{B}$ never issued a query to O_PreH. Therefore, we can let $\bar{B}$ output (m, t, σ), and $\bar{B}$ succeeds in its game with probability $\varepsilon_{\bar{B}}$ such that $|\varepsilon_B - \varepsilon_{\bar{B}}|$ is negligible in k. The difference is due to the negligible probability that a collision of H occurs.

Lemma D.3. The optimistic fair exchange scheme OFE′ above is secure against the arbitrator.

Proof. Suppose that C is a PPT adversary which breaks the security against the arbitrator of OFE′ with non-negligible advantage $\varepsilon_C$. We construct a PPT algorithm $\bar{C}$ which breaks the security against the time server of TCS. Given the time server private/public key pair (TSK*, TPK), the public key PK of the signer Alice, and oracles O_TSig simulating the algorithm TCS.TSig and O_PreH simulating the algorithm TCS.PreHatch, $\bar{C}$ randomly selects a hash function H : {0,1}* → T and runs C on input (TSK*, PK, TPK, H). To simulate the oracle O_PSig for C, $\bar{C}$ generates the time event t as described in the OFE′.PSig algorithm and then issues a query to O_TSig on input (m, t), which returns Alice's time capsule signature σ′. $\bar{C}$ returns σ′ to C. It is easy to see that the simulation is perfect.

Finally, C outputs (m, σ). Again, we simply assume that C wins its game; this happens with probability $\varepsilon_C$. Thus we have that OFE′.Ver(m, σ, PK, TPK) = accept and m ∉ Query(C, O_PSig). This indicates that $\bar{C}$ did not issue a query to its oracle O_TSig on input (m, t′) for any t′. Also note that during the simulation, $\bar{C}$ never issued a query to its oracle O_PreH. Therefore, we can let $\bar{C}$ output (m, t, σ), where t ← H(m, PK), and $\bar{C}$ succeeds in its game with probability $\varepsilon_C$.

From the above three lemmas, Theorem 6.1 immediately follows.
