Ambiguous Optimistic Fair Exchange - Semantic Scholar

6 downloads 17092 Views 365KB Size Report
PSig(M,SKi,. PKi,PKj, AP K) outputs a partial signature σP , while PVer(M,σP ,PK, AP K) outputs 1 or 0, ..... with the strong unforgeability of digital signatures [21].
Ambiguous Optimistic Fair Exchange∗ Qiong Huang†

Guomin Yang†

Duncan S. Wong†

Willy Susilo‡

Abstract Optimistic fair exchange (OFE) is a protocol for solving the problem of exchanging items or services in a fair manner between two parties, a signer and a verifier, with the help of an arbitrator which is called in only when a dispute happens between the two parties. In almost all the previous work on OFE, after obtaining a partial signature from the signer, the verifier can present it to others and show that the signer has indeed committed itself to something corresponding to the partial signature even prior to the completion of the transaction. In some scenarios, this capability given to the verifier may be harmful to the signer. In this paper, we propose the notion of ambiguous optimistic fair exchange (A-OFE), which is an OFE but also requires that the verifier cannot convince anybody about the authorship of a partial signature generated by the signer. We present a formal security model for A-OFE in the multi-user setting and chosen-key model. We also propose an efficient construction with security proven without relying on the random oracle assumption.

Keywords: optimistic fair exchange, ambiguity, signature, NIZK proof, standard model



A preliminary version of this paper appears in Asiacrypt 2008 [23]. Department of Computer Science, City University of Hong Kong, Hong Kong S.A.R., China. [email protected],hk, [email protected], [email protected]. ‡ School of Computer Science and Software Engineering, University of Wollongong, Australia. [email protected]. †

Emails: Email:

1

Introduction

Optimistic Fair Exchange (OFE) allows two parties to fairly exchange information in such a way that at the end of a protocol run, either both parties have obtained the complete information from one another or none of them has obtained anything from the counter party. In an OFE, there is a third party, called Arbitrator, which only gets involved when a dispute occurred between the two parties. OFE is a useful tool in practice, for example, it can be used for performing contract signing, fair negotiation and similar applications on the Internet. Since its introduction [2], there have been many OFE schemes proposed [3, 17, 4, 13, 30, 16, 27, 29, 32, 5, 31, 15, 24].For all recently proposed schemes, an OFE protocol for signature typically consists of three message flows. The initiator of OFE, Alice, first sends a message σP , called partial signature, to the responder, Bob. The partial signature σP acts as Alice’s partial commitment to her full signature which is to be sent to Bob. But Bob needs to send his full signature to Alice first in the second message flow. After receiving Bob’s full signature, Alice sends her full signature to Bob in the third message flow. If in the second message flow that Bob refuses to send his full signature back to Alice, Alice’s partial signature σP should have no use to Bob, so that Alice has no concern about giving away σP . However, after Bob has sent his full signature to Alice while Alice refuses to send her full signature in the third message flow, then Bob can ask the Arbitrator to retrieve Alice’s full signature from σP after sending both σP and Bob’s full signature to the Arbitrator. To the best of our knowledge, among almost all the known OFE schemes, there is one common property about Alice’s partial signature σP which has neither been captured in any of the security models for OFE nor been considered as a requirement for OFE. The property is that once σP is given out, at least one of the following statements is true. 1. Everyone can verify that σP must be generated by Alice because σP , similar to a standard digital signature, has the non-repudiation property with respect to Alice’s public key; 2. Bob can show to anybody that Alice is the signer of σP . For example, in the schemes proposed in [15, 24], the partial signature of Alice is a standard signature, which can only be generated by Alice. In many OFE schemes in the literature, Alice’s signature is encrypted under the arbitrator’s public key, and then a non-interactive proof is generated to show that the ciphertext indeed contains a signature of Alice. This is known as verifiably encrypted signature. However, regarding the validity and non-repudiation of a signature, as pointed out by Boyd and Foo [12], this raises the question of whether a non-interactive proof that a signature is encrypted is really having any difference from a signature itself, as the proof is already sufficient to convince any third party that the signer has committed to the message. This property may cause no concern in some applications, for example, in those where only the full signature is deemed to have some actual value to the receiving party. However, it may be undesirable in some other applications. Since σP is publicly verifiable and non-repudiative, in practice, σP may not be completely useless to Bob. Instead, σP has evidently shown Alice’s commitment to the corresponding message. This may incur some unfair situation, to the advantage of Bob, if Bob does not send out his full signature. In contract signing applications, this could be undesirable because σP can already be considered as Alice’s undeniable commitment to a contract in court while there is no evidence showing that Bob has committed to anything. In another application, fair negotiation, the property above may also be undesirable. Suppose after obtaining σP from Alice on her offer, Bob may show it to Charlie, who is Alice’s competitor, and ask Charlie for making a better offer. If Charlie’s offer is better, then Bob may stop the OFE protocol run with Alice indicating that Bob is unwilling to conclude the negotiation with Alice, and instead carrying out a new OFE protocol run with Charlie. Bob can play the same game iteratively

1

until that no one can give an even better offer. Then Bob can resolve the negotiation by sending his service (i.e. his full signature as the commitment to his service) to the highest bidder. For making OFE be applicable to more applications and practical scenarios, in this paper, we propose to enhance the security requirements of OFE and construct a new OFE scheme which does not have the problems mentioned above. One may also think of this as an effort to make OFE more admissible as a viable fair exchange tool for real applications. We will build an OFE scheme which not only satisfies all the existing security requirements of OFE (with respect to the strongest security model available [24]), but in addition to that, will also have σP be not self-authenticating and unable for Bob to demonstrate to others that Alice has committed herself to something. We call this enhanced notion of OFE as Ambiguous Optimistic Fair Exchange (A-OFE). It inherits all the formalized properties of OFE [15, 24] and has a new property introduced: signer ambiguity. It requires that a partial signature σP generated by Alice or Bob should look alike and be indistinguishable even to Alice and Bob.

1.1

Related Work

There have been many OFE schemes proposed in the past [3, 4, 13, 30, 16, 27, 29, 32, 5, 31, 15, 24].In the following, we review some recent ones by starting from 2003 when Park, Chong and Siegel [30] proposed an OFE based on sequential two-party multi-signature. It was later broken and repaired by Dodis and Reyzin [16]. The scheme is setup-driven [33, 34], which requires all users to register their keys with the arbitrator prior to conducting any transaction. In [29], Micali proposed another scheme based on a CCA2 secure public key encryption with the property of recoverable randomness (i.e., both plaintext and randomness used for generating the ciphertext can be retrieved during decryption). Later, Bao et al. [5] showed that the scheme is not fair, where a dishonest party, Bob, can obtain the full commitment of another party, Alice, without letting Alice get his obligation. They also proposed a fix to defend against the attack. In PKC 2007, Dodis, Lee and Yum [15] considered OFE in a multi-user setting. Prior to their work, almost all previous results considered the single-user setting only which consists of a single signer and a single verifier (along with an arbitrator). The more practical multi-user setting considers a system to have multiple signers and verifiers (along with the arbitrator), so that a dishonest party can collude with other parties in an attempt of cheating. Dodis et al. [15] showed that security of OFE in the single-user setting does not necessarily imply the security in the multi-user setting. They also proposed a formal definition of OFE in the multi-user setting, and proposed a generic construction, which is setup-free (i.e. no key registration is required between users and the arbitrator) and can be built in the random oracle model [6] if there exist one-way functions, or in the standard model if there exist trapdoor one-way permutations. In CT-RSA 2008, Huang, Yang, Wong and Susilo [24] considered OFE in the multi-user setting and chosen-key model, in which the adversary is allowed to choose public keys arbitrarily without showing its knowledge of the corresponding private keys. Prior to their work, the security of all previous OFE schemes (including the one in [15]) are proven in a more restricted model, called certified-key model, which requires the adversary to prove its knowledge of the corresponding private key before using a public key. In [24], Huang et al. gave a formal security model for OFE in the multi-user setting and chosen-key model, and proposed an efficient OFE scheme based on ring signature. In their scheme, a partial signature is a conventional signature and a full signature is a two-member ring signature in additional to the conventional signature. The security of their scheme was proven without relying on the random oracle assumption. In [17], Garay, Jakobsson and MacKenzie introduced a similar notion for optimistic contract signing, named abuse-freeness. It requires that no party can ever prove to a third party that he is capable of choosing whether to validate or invalidate a contract. They also proposed a construction of abuse-

2

free optimistic contract signing protocol. The security of their scheme is based on DDH assumption under the random oracle model. Besides they did not consider the multi-user setting for their contract signing protocol. Liskov and Micali [28] proposed an online-untransferable signature scheme, which in essence is an enhanced version of designated confirmer signature. In an online-untransferable signature scheme, there’s also a party (confirmer) semi-trusted by both the signer and the recipient. A dishonest recipient, who is interacting with a signer, cannot convince a third party that the signature is generated by the signer. But both the signer and the conformer are capable of converting the signature to one so that anyone can identity its owner. The online non-transferability of online-untransferable signatures is similar with the signer ambiguity (see Def. 2.2) of our ambiguous optimistic fair exchange. However, the online attack considered in [28] doesn’t happen in our A-OFE, as the signature generation and verification are both non-interactive. Besides, their scheme is complex and the signing process requires several rounds of interaction with the recipient. Besides, their scheme works in the certified-key model, and is not setup-free, i.e. there is a setup stage between each signer and the confirmer, and the confirmer needs to store a public/secret key pair for each signer, thus a large storage is required for the confirmer.

1.2

Relation with Concurrent Signature

In Eurocrypt 2004, Chen, Kudla and Paterson [14] introduced the notion of concurrent signature. Unlike OFE, it has no arbitrator. Instead, the signer controls a ‘keystone’ K and computes a ‘keystone fix’ f from it using some one-way function. It then generates an ‘ambiguous’ signature using f and its private key. From the ambiguous signature, the verifier is not able to convince anybody that the signature was indeed generated by the signer. Then, the verifier also prepares an ambiguous signature using the same f and its private key. The two ambiguous signatures will bind to their owners simultaneously once K is released. Chen et al. [14] proposed a very efficient construction based on Abe, Ohkubo and Suzuki’s ring signature scheme [1] and under their security model, they showed its security in the random oracle model. Concurrent signature has a similar property with A-OFE, that is, the (partial) signature looks ambiguous to others. Thus, one may view A-OFE as a combination of OFE and concurrent signature with respect to the signer ambiguity property. One remarkable difference between OFE/A-OFE and concurrent signature is that the concurrent signature gives the signer (i.e. the initiator) the full control and the final decision on whether to let the two communicating parties commit or not, even after seeing the commitment of the verifier (i.e. the responder), since the signer is the only one who can release K. For OFE/A-OFE, on the other hand, once the partial signature is released and the verifier has committed itself, the signer is compelled to send out its full signature.

1.3

Our Contributions

In this paper we make the following contributions. 1. We propose the notion of Ambiguous Optimistic Fair Exchange (Ambiguous OFE or A-OFE in short) which allows a signer Alice to generate a partial signature in such a way that a verifier Bob cannot convince anybody about the authorship of this partial signature, and thus cannot prove to anybody that Alice committed herself to anything prematurely. Realizing the notion needs to make the partial signature ambiguous with respect to Alice and Bob. We will see that this requires us to include both Alice and Bob’s public keys into the signing and verification algorithms of A-OFE.

3

2. For formalizing A-OFE, we propose a strong security model in the multi-user setting and chosenkey model. Besides the existing security requirements for OFE, that is, resolution ambiguity (the ambiguity considered in [15, 24]), security against signers, security against verifiers and security against the arbitrator, A-OFE has an additional requirement: signer ambiguity. It requires that the verifier can generate partial signatures whose distribution is (computationally) indistinguishable from that of partial signatures generated by the signer. Thus, A-OFE can be viewed as a combination of ordinary OFE and concurrent signature. It has all the security properties from ordinary OFE, and in the meanwhile has the ambiguity from concurrent signature. We also evaluate the relations among the security requirements and show that if a scheme has security against the arbitrator and (a weaker variant of) signer ambiguity, then it already has (a weaker variant of) security against verifiers. 3. We revisit two generic methods in constructing OFE schemes [15, 24], and show that if we simply extend them to the construction of A-OFE, the resulting schemes would be insecure. Specifically, they are insecure against the arbitrator under our proposed model. 4. We propose a generic construction of A-OFE under our given model by modifying the generic construction of [15]. Instead of employing a CCA secure encryption scheme, a signature scheme that’s existentially unforgeable under chosen message attacks and a simulation-sound NIZK proof system, we use a selective-tag weakly CCA secure tag-based encryption [26], a weakly unforgeable signature [9], a strong one-time signature and a general NIZK proof system. The security of the revised scheme is proved under the proposed multi-user setting and chosen-key model without random oracles. 5. We propose the first concrete and efficient A-OFE scheme, and prove its security under the proposed model and in the standard model. The scheme is a concrete instantiation of the proposed generic construction, and it is based on Groth and Sahai’s idea of constructing a fully anonymous group signature scheme [19, 20]. The security of it relies on the decision linear assumption and strong Diffie-Hellman assumption.

1.4

Paper Organization

In the next section, we define A-OFE and propose a security model for it. We also show some relation among the formalized security requirements of A-OFE. A popular generic construction used in building OFE schemes is revisited in Sec. 4, and a new generic construction of A-OFE is proposed. The security of the construction is proved here. In Sec. 5 we propose a concrete construction of A-OFE, whose security can be proved in the standard model. We then provide a comparison with other solutions to OFE with similar property as ours in Sec. 6. The paper is concluded in Sec. 7.

2

Ambiguous Optimistic Fair Exchange

In an A-OFE scheme, we require that after receiving a partial signature σP from Alice (the signer), Bob (the verifier) cannot convince others but himself that Alice has committed herself to σP . This property is closely related to the non-transferability of designated verifier signature [25] and the ambiguity of concurrent signature [14]. Similarly, we require that the verification algorithm in A-OFE should also take as the public keys of both signer and (designated) verifier as inputs, in contrast to that in the traditional definition of OFE [2, 3, 15, 24].

4

Definition 2.1 (Ambiguous Optimistic Fair Exchange). An ambiguous optimistic fair exchange ( AOFE in short) scheme involves two users (a signer and a verifier) and an arbitrator, and consists of the following (probabilistic) polynomial-time algorithms: • PMGen: On input 1k where k is a security parameter, it outputs a system parameter PM. • SetupTTP : On input PM, the algorithm generates a public arbitration key AP K and a secret arbitration key ASK. • SetupUser : On input PM and (optionally) AP K, the algorithm outputs a public/secret key pair (P K, SK). For user Ui , we use (P Ki , SKi ) to denote its key pair. • Sig and Ver: Sig(M, SKi , P Ki , P Kj , AP K) outputs a (full) signature σF on M of user Ui with the designated verifier Uj , where message M is chosen by user Ui from the message space M defined under P Ki , while Ver(M, σF , P Ki , P Kj , AP K) outputs 1 or 0, indicating σF is Ui ’s valid full signature on M with designated verifier Uj or not. • PSig and PVer: They are partial signing and verification algorithms respectively. PSig(M, SKi , P Ki , P Kj , AP K) outputs a partial signature σP , while PVer(M, σP , PK, AP K) outputs 1 or 0, where PK = {P Ki , P Kj }. • Res: This is the resolution algorithm. Res(M, σP , ASK, PK), where PK = {P Ki , P Kj }, outputs a full signature σF , or ⊥ indicating the failure of resolving a partial signature. Note that we implicitly require that there is an efficient algorithm which given a a pair of (SK, P K), verifies if SK matches P K, i.e. (SK, P K) is an output of algorithm SetupUser . As in [15], PSig together with Res should be functionally equivalent to Sig. For the correctness, we require that for any k ∈ N, PM ← PMGen(1k ), (AP K, ASK) ← SetupTTP (PM), (P Ki , SKi ) ← SetupUser (PM, AP K), (P Kj , SKj ) ← SetupUser (PM, AP K), and M ∈ M(P Ki ), let PK = {P Ki , P Kj }, we have the following PVer(M, PSig(M, SKi , P Ki , P Kj , AP K), PK, AP K) = 1, Ver(M, Sig(M, SKi , P Ki , P Kj , AP K), P Ki , P Kj , AP K) = 1, and Ver(M, Res(M, PSig(M, SKi , P Ki , P Kj , AP K), ASK, PK), P Ki , P Kj , AP K) = 1.

2.1

Security Properties

(Resolution Ambiguity): The resolution ambiguity property requires that any ‘resolved signature’ Res(M, PSig(M , SKi , P Ki , P Kj , AP K), ASK, {P Ki , P Kj }) is computationally indistinguishable from an ‘actual signature’ generated by the signer, Sig(M, SKi , P Ki , P Kj , AP K). It is identical to ‘ambiguity’ defined in [15, 24]. Here we just use another name, in order to avoid any confusion, as we will define another kind of ambiguity next. (Signer Ambiguity): Informally, signer ambiguity means that given a partial signature σP from a signer A, a verifier B should not be able to convince others that σP was indeed generated by A. To capture this property, we use the idea of defining ambiguity in concurrent signature [14]. We require that B can generate partial signatures that look indistinguishable from those generated by A. This is also the reason why a verifier should also have a public/secret key pair, and the verifier’s public key should be included in the inputs of PSig and Sig. Formally, we define an experiment in which D is a probabilistic polynomial-time distinguisher. PM ← PMGen(1k ) 5

(AP K, ASK) ← SetupTTP (PM) (M, (P K0 , SK0 ), (P K1 , SK1 ), st) ← DORes (AP K) b ← {0, 1} σP ← PSig(M, SKb , P Kb , P K1−b , AP K) b0 ← DORes (st, σP ) success of D := [b0 = b ∧ (M, σP , {P K0 , P K1 }) 6∈ Query(D, ORes )] where st is D’s state information, oracle ORes takes as input a validpartial signature σP of user Ui on message M with respect to verifier Uj , i.e. (M, σP , {P Ki , P Kj }), and outputs a full signature σF on M under P Ki , P Kj , and Query(D, ORes ) is the set of valid queries D issued to the resolution oracle ORes . In this oracle query, D can arbitrarily choose a public key P K without knowing the corresponding private key. However, we do require that there exists a PPT algorithm to check the validity of the two key pairs output by D, i.e. if SKb matches P Kb for b = 0, 1, or if (P Kb , SKb ) is a possible output of SetupUser . The advantage of D, AdvSA D (k), is defined to be the gap between its 0 success probability in the experiment above and 1/2, i.e. AdvSA D (k) = |Pr[b = b] − 1/2|. Definition 2.2 (Signer Ambiguity). An OFE scheme is said to be signer ambiguous if for any probabilistic polynomial-time algorithm D, AdvSA D (k) is negligible in k. Remark 1 : We note that a similar notion was introduced in [17, 28]. It’s required that the signer’s partial signature can be simulated in an indistinguishable way. However, their ‘indistinguishability’ in [17, 28] is defined in CPA fashion, giving the adversary no oracle that resolves a partial signature to a full one, while our definition of signer ambiguity is done in the CCA fashion, allowing the adversary to ask for resolving any partial signature except the challenge one to a full signature, which is comparable to the CCA security of public key encryption schemes. (Security Against Signers): We require that no PPT adversary A should be able to produce a partial signature with non-negligible probability, which looks good to a verifier but cannot be resolved to a full signature by the honest arbitrator. This ensures the fairness for verifiers, that is, if the signer has committed to a message with respect to an (honest) verifier, the verifier should always be able to obtain the full commitment of the signer. Formally, we consider the following experiment: PM ← PMGen(1k ) (AP K, ASK) ← SetupTTP (PM) (P KB , SKB ) ← SetupUser (PM, AP K) B

(M, σP , P KA ) ← AOPSig ,ORes (AP K, P KB ) σF ← Res(M, σP , ASK, {P KA , P KB }) success of A := [PVer(M, σP , {P KA , P KB }, AP K) = 1 ∧ Ver(M, σF , P KA , P KB , AP K) = 0 B ∧ (M, P KA ) 6∈ Query(A, OPSig )] B where oracle ORes is described in the previous experiment, OPSig takes as input (M, P Ki ) and outputs B ) is the set of a partial signature on M under P Ki , P KB generated using SKB , and Query(A, OPSig B . In this experiment, the adversary can arbitrarily choose a public queries made by A to oracle OPSig key P Ki , and it may not know the corresponding private key of P Ki . Note that the adversary is not allowed to corrupt P KB , otherwise it can easily succeed in the experiment by simply using SKB to

6

produce a partial signature under public keys P KA , P KB and outputting it. The advantage of A in the experiment AdvSAS A (k) is defined to be A’s success probability. Definition 2.3 (Security Against Signers). An OFE scheme is said to be secure against signers if there is no PPT adversary A such that AdvSAS A (k) is non-negligible in k. (Security Against Verifiers): This security notion requires that any PPT verifier B should not be able to transform a partial signature into a full signature with non-negligible probability if no help has been obtained from the signer or the arbitrator. This requirement has some similarity to the notion of opacity for verifiably encrypted signature [11]. Formally, we consider the following experiment: PM ← PMGen(1k ) (AP K, ASK) ← SetupTTP (PM) (P KA , SKA ) ← SetupUser (PM, AP K) (M, P KB , σF ) ← B OPSig ,ORes (P KA , AP K) success of B := [Ver(M, σF , P KA , P KB , AP K) = 1 ∧ (M, ·, {P KA , P KB }) 6∈ Query(B, ORes )] where oracle ORes is described in the experiment of signer ambiguity, Query(B, ORes ) is the set of valid queries B issued to the resolution oracle ORes , and oracle OPSig takes as input a message M and a public key P Kj and returns a valid partial signature σP on M under P KA , P Kj generated using SKA . In the experiment, B can ask the arbitrator for resolving any partial signature with respect to any pair of public keys (adaptively chosen by B, probably without the knowledge of the corresponding private keys), with the limitation described in the experiment. The advantage of B in the experiment AdvSAV B (k) is defined to be B’s success probability in the experiment above. Definition 2.4 (Security Against Verifiers). An OFE scheme is said to be secure against verifiers if there is no PPT adversary B such that AdvSAV B (k) is non-negligible in k. (Security Against the Arbitrator): Intuitively, an OFE is secure against the arbitrator if no PPT adversary C including the arbitrator, should be able to generate with non-negligible probability a full signature without explicitly asking the signer for generating one. This ensures the fairness for signers, that is, no one can frame the actual signer on a message with a forgery. Formally, we consider the following experiment: PM ← PMGen(1k ) (AP K, ASK ∗ ) ← C(PM) (P KA , SKA ) ← SetupUser (PM, AP K) (M, P KB , σF ) ← C OPSig (ASK ∗ , AP K, P KA ) success of C := [Ver(M, σF , P KA , P KB , AP K) = 1 ∧ (M, P KB ) 6∈ Query(C, OPSig )] where the oracle OPSig is described in the previous experiment, ASK ∗ is C’s state information, which might not be the corresponding private key of AP K, and Query(C, OPSig ) is the set of queries C issued to the oracle OPSig . The advantage of C in this experiment AdvSAA C (k) is defined to be C’s success probability.

7

Definition 2.5 (Security Against the Arbitrator). An OFE scheme is said to be secure against the arbitrator if there is no PPT adversary C such that AdvSAA C (k) is non-negligible in k. Remark 2 : In A-OFE, both signer UA and verifier UB are equipped with public/secret key pairs (of the same structure), and UA and UB can generate indistinguishable partial signatures on the same message. If the security against the arbitrator holds for UA (as described in the experiment above), it should also hold for UB . That is, even when colluding with UA (and other signers), the arbitrator should not be able to frame UB for a full signature on a message, if it has not obtained a partial signature on the message generated by UB . Definition 2.6 (Secure Ambiguous Optimistic Fair Exchange). An A-OFE scheme is said to be secure in the multi-user setting and chosen-key model if it is resolution ambiguous, signer ambiguous, secure against signers, secure against verifiers and secure against the arbitrator.

2.2

Weaker Variants of the Model

In this section, we evaluate the relation between the signer ambiguity and security against verifiers. Intuitively, if an A-OFE scheme is not secure against verifiers, the scheme cannot be signer ambiguous because a malicious verifier can convert with non-negligible probability a signer’s partial signature to a full one which allows the verifier to win the signer ambiguity game. For technical reasons, we first describe some weakened models before giving the proof for a theorem regarding the relation. In our definition of signer ambiguity (Def. 2.2), the two public/secret key pairs are selected by the adversary D. In a weaker form, the key pairs can be selected by the challenger, and D is allowed to corrupt these two keys. This is comparable to the ambiguity definition for concurrent signature [14], or the strongest definition of anonymity of ring signature considered in [8], namely anonymity against full key exposure. We can also define an even weaker version of signer ambiguity, in which D is given two public keys, P KA , P KB , the oracle access of OPSig which returns UA ’s partial signatures, and is allowed to corrupt P KB . We call this form of signer ambiguity as weak signer ambiguity. In the definition of security against verifiers (Def. 2.4), the verifier’s public key P KB is adaptively selected by the adversary B. In a weaker model, P KB can be generated by the challenger and the corresponding user secret key can be corrupted by B. The rest of the model remains unchanged. We call this as weak security against verifiers. Below we show that if an OFE scheme is weakly signer ambiguous and secure against the arbitrator, then it is also weakly secure against verifiers. Theorem 2.7. In A-OFE, weak signer ambiguity and security against the arbitrator (Def. 2.5) together imply weak security against verifiers. Proof. Suppose that an A-OFE scheme is not weakly secure against verifiers. Let B be the PPT adversary that has non-negligible advantage  in the experiment of weak security against verifiers and B make at most q queries of the form (·, P KB ) to oracle OPSig . Due to the security against the arbitrator, B must have queried OPSig in the form (·, P KB ). Hence the value of q is at least one. Denote the experiment of weak security against verifiers by Ex(0) . Note that in Ex(0) all queries to OPSig are answered with partial signatures generated using SKA . We now define a series of experiments, Ex(1) , · · · , Ex(q) , so that Ex(i) (i ≥ 1) is the same as Ex(i−1) except that starting from the (q + 1 − i)-th query to OPSig up to the q-th query of the form (·, P KB ), they are answered with partial signatures generated using SKB . Let B’s success probability in experiment Ex(i) be i . Note that 0 = , and in experiment Ex(q) all queries of the form (·, P KB ) to OPSig are answered with partial signatures generated using SKB . Since B also knows SKB (through corruption), it can use SKB to generate partial signatures using SKB on any message. Therefore, making queries of the form (·, P KB ) to OPSig 8

does not help B on winning the experiment if answers are generated using SKB . It is equivalent to the case that B does not issue any query (·, P KB ) to OPSig . Hence guaranteed by the security against the arbitrator, we have that B’s advantage in Ex(q) is negligible as B has to output a full signature without getting any corresponding partial signature. Since the gap, |0 − q |, between B’s advantage in Ex(0) and that in Ex(q) is non-negligible, there must exist an 1 ≤ i ≤ q such that |i−1 − i | is at least |0 − q |/q, which is non-negligible as well. Let ∗ ∗ i∗ be such an i. We show how to make use of the difference of B’s advantage in Ex(i −1) and Ex(i ) to build a PPT algorithm D to break the weak signer ambiguity. Given AP K and P KA , P KB , D first asks its challenger for SKB , and then invokes B on (AP K, P KA , P KB ). D randomly selects an i∗ from {1, · · · , q}, and simulates the oracles for B as follows. If B asks for SKB , D simply gives it to B. The oracle ORes is simulated by D using its own resolution oracle. If B makes a query (M, P Kj ) to OPSig where P Kj 6= P KB , D forwards this query to its own partial signing oracle, and returns the obtained answer back to B. Now consider the `-th query of the form (M, P KB ) made by B to OPSig . If ` < q + 1 − i∗ , D forwards it to its own oracle, and returns the obtained answer. If ` = q + 1 − i∗ , D requests its challenger for the challenge partial signature σP∗ on M and returns it to B. If ` > q + 1 − i∗ , D simply uses SKB to produce a partial signature on M . At the end of the simluation, when B outputs (M ∗ , σF∗ ), if B succeeds in the experiment, D outputs 0; otherwise, D outputs 1. It’s easy to see that D guesses the correct i∗ with probability at least 1/q. Now suppose that D’s guess of i∗ is correct. If σP∗ was generated by D’s challenger using SKA , i.e. b = 0, the view of B is ∗ identical to that in Ex(i −1) . On the other side, if σP∗ was generated using SKB , i.e. b = 1, the view of ∗ B is identical to that in Ex(i ) . Let b0 be the bit output by D. Since D outputs 0 only if B succeeds in the experiment, we have Pr[b0 = 0|b = 0] = i∗ −1 and Pr[b0 = 0|b = 1] = i∗ . Therefore, the advantage of D in attacking the weak signer ambiguity over random guess is 1 1 0 0 0 Pr[b = b] − = Pr[b = 0 ∧ b = 0] + Pr[b = 1 ∧ b = 1] − 2 2 1 0 0 = Pr[b = 0 ∧ b = 0] + (Pr[b = 1] − Pr[b = 0 ∧ b = 1]) − 2 1 = Pr[b0 = 0|b = 0] − Pr[b0 = 0|b = 1] 2 1 ≥ |i∗ −1 − i∗ | 2q 1 ≥ 2 |0 − q | 2q which is also non-negligible. This contradicts the weak signer ambiguity assumption. Corollary 2.8. In A-OFE, signer ambiguity (Def. 2.2) and security against the arbitrator (Def. 2.5) together imply weak security against verifiers. Letting an adversary select the two challenge public keys gives the adversary more power in attacking signer ambiguity. Therefore, signer ambiguity defined in Sec. 2.1 is at least as strong as the weak signer ambiguity. Hence this corollary follows directly the theorem above.

3

Previous Constructions Revisited

In this section we first analyze the extension of two generic constructions to A-OFE, and show that the resulting schemes are actually insecure under our proposed security model. 9

3.1

The First Try

In [24] Huang et al. provided simple and straightforward method in constructing efficient optimistic fair exchange schemes. In their proposal, each user has two key pairs, one for public key signature, and the other for ring signature. The partial signature of a user consists of only a (standard) signature on the message, while the full signature includes additionally a ring signature under the ring consisting of the signer and the arbitrator. The main difference between OFE and A-OFE is that in addition to all the security properties of OFE, A-OFE also has the signer ambiguity. A natural way to extend their method in the construction of A-OFE is to use two ring signatures in the scheme, i.e. the partial signature consists of a ring signature on the message under the ring of the signer and the verifier, and the full signature includes additionally a ring signature under the ring of the signer and the arbitrator. (Insecurity): It seems like that we achieve the signer ambiguity by this method, due to the ambiguity/anonymity of the underlying ring signature scheme. However, we say, this construction is insecure against the arbitrator. That is, the arbitrator can frame any signer on any message without asking the signer to sign any message! To do this, the arbitrator C colludes with a verifier Uj , and selects a target user Ui and a target message M . Uj generates a partial signature σP on M with regard to the group {Ui , Uj }, and claims it as being generated by Ui . Then C resolves σP to σF by producing a ring signature under the ring {C, Ui }. In this way, the two ring signatures intersect at Ui , and thus σF is binding to Ui .

3.2

The Second Try

In [15] Dodis et al. revisited a generic construction of optimistic fair exchange. Roughly, the partial signature of a user includes an encryption c of his signature σ on the message M generated under the arbitrator’s public key, and an NIZK proof π showing that c contains the user’s signature on M . The user’s full signature on M is σ. They showed that this generic construction is a secure OFE scheme in the multi-user setting (under the certified-key model). One may trivially extends this scheme to A-OFE. Namely, the NIZK proof shows that c contains either the signer’s signature on M or the verifier’s signature on M , using the signature and the randomness for the encryption as the witness. This may seem to be a secure A-OFE scheme. Namely, the NIZK proof shows the membership of the following language:  L = ((pkTA , P Ki , P Kj , c, M ), (σ, r)) : c = E.Enc(pkTA , σ; r) ∧ (S.Ver(P Ki , σ, M ) = 1 ∨ S.Ver(P Kj , σ, M ) = 1) where pkTA is the public key of the arbitrator, E is the encryption scheme and S is the signature scheme. However, the following attack demonstrates that it is actually insecure under the security model proposed in Sec. 2.1. (The Attack): We consider the security against the arbitrator (see Def. 2.5). Let C be an adversary. Given the challenge public key P KA , C randomly selects a message M , and generates two public keys, say, P KB , P KD . Then it asks the oracle OPSig to sign M w.r.t. P KD , and obtains a ciphertext c, and an NIZK proof πAD showing that c contains a signature generated by either user A or user D. C then uses the arbitrator’s secret key to recover user A’s signature σ, and re-encrypts σ under the arbitrator’s public key using a fresh randomness r0 . Let the new ciphertext be c0 . Finally, the adversary produces a new NIZK proof πAB showing that c0 is an encryption of a signature on M generated by either A or B, using σ, r0 as the witness. By the validity of (c, πAD ), we can easily get that (c0 , πAB ) is also a valid output. Note that in the whole attack C didn’t submit (M, P KB ) to the oracle OPSig . Thus, the 10

security against the arbitrator breaks. However, it’s not hard to prove that this generic construction is secure against the arbitrator under a weaker model which differs from the one described in Sec. 2.1 only in that it’s required (M, ·) 6∈ Query(C, OPSig ) instead of (M, P KB ) 6∈ Query(C, OPSig ). This weak security against the arbitrator is guaranteed by the unforgeability (EUF-CMA) of the underlying signature scheme. From the attacks above, we learn that the construction of a secure A-OFE scheme is not that trivial. The introduction of signer ambiguity to OFE makes the security against the arbitrator more subtle. Besides, the security against the arbitrator of A-OFE seems to be stronger than that of OFE defined in [15, 24]. However, they in fact are not comparable. In the model considered in this paper, the public key of the verifier is involved in the generation of a partial signature, thus every query the adversary submits to oracles includes an additional public key; while this is not the case in the model of OFE. In the security against the arbitrator (Def. 2.5), the adversary is allowed to obtain the signer’s signature on M (but with respect to any any public key rather than P KB ). This is similar with the strong unforgeability of digital signatures [21].

4

Our Generic Construction

Now we propose a generic construction of A-OFE in the standard model, which is similar with the one widely used in building OFE schemes. Namely, the signer’s signature is encrypted under the arbitrator’s public key, and then a non-interactive proof is given to show that the ciphertext contains the signer’s signature on the message. As pointed by Boyd et al. [12], the non-interactive proof is not much different from the signer’s signature, as it’s also sufficient to prove to others that the signer is bound to the message. Since A-OFE requires that a verifier cannot prove to others that the signer is bound to a message, in the generic construction the signer has the verifier involved in the proof. That is, the signer provides a non-interactive proof showing that the ciphertext contains either the signer’s signature or the verifier’s signature on the message.

4.1

The Proposal

Let S = (Kg, Sig, Ver) be a public key signature scheme that is weakly existentially unforgeable under chosen message attacks [9, 21], and OTS = (Kg, Sig, Ver) be a strong one-time signature scheme. Let E = (Kg, Enc, Dec) be a tag-based public key encryption scheme that is selective-tag weakly CCA secure, and Π = (Kg, Prv, Ver, (Sim1 , Sim2 )) be a NIZK proof system for the following language.  L = ((pkTA , P Ki , P Kj , c, tag, M ), (σ, r)) : c = E.Enc(pkTA , tag, σ; r) ∧ (S.Ver(P Ki , σ, M ) = 1 ∨ S.Ver(P Kj , σ, M ) = 1) Algorithm Π.Kg takes as input 1k and outputs a common reference string crs. Prv and Ver are the prover strategy and verification algorithm respectively. (Sim1 , Sim2 ) is the simulator, where Sim1 takes as input 1k and outputs a simulated common reference string crs that’s indistinguishable from a real one, along with the corresponding trapdoor τS , and Sim2 takes as input (crs, τS , x) and outputs a non-interactive proof whose distribution is indistinguishable from that of proofs output by the prover. Note that the membership of the language above is efficiently checkable, so we have that L ∈ N P. For the security definitions of the primitives above, readers can refer to Appendix A. Figure 1 (on page 13) describes our generic construction of A-OFE, named GAOFE. Note that in Figure 1 we omit the description of the parameter generation algorithm just for simplicity. This algorithm simply calls the corresponding parameter generation algorithms of the 11

encryption scheme and the signature scheme to generate their parameters, which will be used in the other algorithms of GAOFE. Remark 3 : Note that in the construction, the public keys of both the signer and the verifier, i.e. P Ki and P Kj , are included in the message to be signed of the one-time signature δ. This is important, as otherwise the scheme would be vulnerable to an attack which compromises the security against signers. Specifically, the signer Alice runs as the verifier an execution of the protocol with Bob. After obtaining Bob’s partial signature σP,B , Alice aborts this execution, and then restarts a new execution as the signer with Bob. She sends σP,B as her partial signature to Bob. As σP,B is a valid signature with regard to the group consisting of Alice and Bob, and the partial signature doesn’t specify who the signer is and who the receiver is, Bob would view it as a valid one, and then returns his full signature. At this time, Alice aborts this execution again. Bob then resorts to the arbitrator for resolving σP,B to a full one. However, since it was originally generated by Bob himself, the arbitrator can only resolve it to Bob’s full signature. So in this case, Bob cannot get Alice’s full signature, and thus the security against signers is broken. Therefore, it seems necessary to specify in the message to be signed the identities of the signer and the verifier. Besides the validity check of the partial signature, the verifier should also check if the public key of the receiver specified in the signature, i.e. P Kj , is his. If not, it should reject. However, the inclusion of public keys doesn’t contradict the signer ambiguity. The embedding of P Ki and P Kj to the message to be signed doesn’t require any private information, and anyone can do it. The verifier is still able to use his secret key to produce indistinguishable partial signatures. We also note that the attack above does not happen in ordinary OFE at all. Thus, this attack shows a big difference between A-OFE and OFE.

4.2

Security Analysis

Theorem 4.1. GAOFE is a secure ambiguous optimistic fair exchange scheme. The theorem follows from the following lemmas directly: Lemma 4.2. GAOFE is resolution ambiguous. Proof. Guaranteed by the security against signers (as shown in Lemma 4.4), if a partial signature σP is valid, then with overwhelming probability that the arbitrator can extract the signer’s signature σ on the message. Conditioned on that the resolution succeeds, the signature output by the arbitrator is the same as that output by the signer. Therefore, the distribution of the output by the arbitrator is indistinguishable from that of the signer’s signatures. So the construction above is resolution ambiguous. Lemma 4.3. GAOFE is signer ambiguous. Proof. Let D be a PPT adversary against the security against verifiers. We modify the experiment so that the challenger runs Π.Sim1 algorithm to generate the common reference string crs along with a simulation trapdoor τS . By the common reference string indistinguishability of Π, D’s advantage in new experiment is negligibly close to that in the original experiment. Second, we modify the experiment so that to answer each query the adversary submits to OPSig and to prepare the challenge partial signature, the challenger calls Π.Sim2 with τS to produce the proof π, instead of calling the prover strategy with the witness (σ, r). Guaranteed by the zero-knowledge property of Π, this modification brings only a negligible difference to D’s advantage. Third, the experiment is modified again so that for each valid query submitted by the adversary to oracle ORes , i.e. (M, σP , {P Ki , P Kj }) where σP = (c, π, δ, otvk), if otvk was ever used by OPSig in 12

• SetupTTP : Given PM, the arbitrator runs E.Kg(1k ) to generate a key pair, (pkTA , skTA ), and invokes Π.Kg(1k ) to produce a common reference string. It publishes AP K = (pkTA , crs) and stores ASK = skTA secretly. • SetupUser : Each user Ui runs S.Kg(1k ) to generate a key pair for the signature scheme, (pki , ski ), and publishes P Ki = pki and stores SKi = ski . • PSig: To partially sign a message M with verifier Uj , the user Ui does the following: – generate a new pair of one-time key for OTS, i.e. (otvk, otsk) ← OTS.Kg(1k ); – compute a signature σ on otvk, i.e. σ ← S.Sig(SKi , otvk); – encrypt the signature under the arbitrator’s public key using randomness r with respect to tag otvk, i.e. c ← E.Enc(pkTA , otvk, σ; r); – produce an NIZK proof π using witness (σ, r), i.e. π ← Π.Prv(crs, (pkTA , P Ki , P Kj , c, otvk, otvk), (σ, r)) – sign the ciphertext, the proof and the message using otsk, i.e. δ ← OTS.Sig(otsk, ckπkM kP Ki kP Kj ) The parital signature σP is composed of (c, π, δ, otvk). • PVer: On receiving Ui ’s partial signature σP = (c, π, δ, otvk) on message M , user Uj checks if OTS.Ver(otvk, δ, ckπkM kP Ki kP Kj ) = 1 and Π.Ver(crs, (pkTA , P Ki , P Kj , c, otvk, otvk), π) = 1. If either fails, it rejects; otherwise, it accepts. • Sig: To sign a message M with verifier Uj , user Ui first computes a partial signature σP = (c, π, δ, otvk) as above, and then sets its full signature to be σF = (σ, σP ). • Ver: On receiving Ui ’s full signature σF = (σ, (c, π, δ, otvk)) on message M , the verifier first checks if PVer(M, (c, π, δ, otvk), {P Ki , P Kj }, AP K) = 1 and S.Ver(pki , σ, otvk) = 1. If either fails, it outputs 0 (reject); otherwise, it outputs 1 (accept). • Res: On receiving from Uj a partial signature σP = (c, π, δ, otvk) claimed to be generated by Ui , the arbitrator first checks the validity of σP by calling the PVer algorithm. If it’s invalid, it returns ⊥ to Uj . Otherwise, it recovers σ from c by computing σ ← E.Dec(skTA , otvk, c). If S.Ver(P Ki , σ, otvk) = 1, the arbitrator returns σ to Uj ; otherwise, it returns ⊥. Figure 1: Our Generic Construction of A-OFE, GAOFE

13

answering B’s partial signing query, i.e. (M 0 , P K 0 ) is the query and σ 0 = (c0 , π 0 , δ 0 , otvk) is the answer, but (c, π, M, {P Ki , P Kj }, δ) 6= (c0 , π 0 , M 0 , {P KA , P K 0 }, δ 0 ), the experiment is aborted. As discussed in the proof of Lemma 4.6, the probability that this case happens is negligible in k, guaranteed by the strong one-time unforgeability of OTS. So D’s advantage doesn’t change noticeably. Assume that D can win the experiment with non-negligible advantage D , we then use it to build another PPT algorithm D0 to break the selective-tag CCA security of E. D0 first calls OTS.Kg(1k ) to generate a one-time key pair (otvk ∗ , otsk ∗ ), and submits otvk ∗ to its challenger as the challenge tag, which then returns a public key pk of E. D0 runs Π.Sim1 (1k ) to generate (crs, τS ), and calls S.Kg(1k ) to generate a key pair for the honest user UA , say, (P KA , SKA ). It invokes D on input (AP K, P KA ) = ((pk, crs), P KA ), and then begins to simulate oracle ORes for D. Given a query (M, σP , {P Ki , P Kj }) where σP = (c, π, δ, otvk), D0 first checks if the query passes the PVer algorithm. If not, it returns ⊥ to D; otherwise, the soundness of Π implies that c contains a valid signature σ on otvk with respect to either P Ki or P Kj . D0 forwards the ciphertext c and the tag otvk to its own decryption oracle, and obtains σ. If either S.Ver(P Ki , σ, otvk) = 1 or S.Ver(P Kj , σ, otvk) = 1 holds, D0 returns σ to D. At some time, D submits (M ∗ , (P K0 , SK0 ), (P K1 , SK1 )). D0 first checks if SKb matches P Kb for b = 0, 1. If not, D aborts and outputs a random bit. Otherwise, it does the following: 1. run S.Sig twice to generate signatures σ0 , σ1 on otvk ∗ using SK0 , SK1 respectively; 2. submit σ0 , σ1 to its own challenger, which returns a ciphertext c∗ of σb with respect to tag otvk ∗ for some random bit b ∈ {0, 1}; 3. call the simulator Π.Sim2 with trapdoor τS with the simulation trapdoor τS to generate a proof π ∗ for (pk, P K0 , P K1 , c∗ , otvk ∗ ); 4. compute a one-time signature δ ∗ on c∗ kπ ∗ kM ∗ kP K0 kP K1 using otsk ∗ . D0 returns σP∗ = (c∗ , π ∗ , δ ∗ , otvk ∗ ) to D, and then continues to simulate the oracle ORes . Let (M, σP , {P Ki , P Kj }) be any of its valid queries, where σP = (c, π, δ, otvk). We distinguish the following two cases: 1. otvk 6= otvk ∗ . In this case, D0 simulates ORes in the same way as above. 2. otvk = otvk ∗ . We say, this case will not happen in the experiment. First of all, we can exclude the subcase that (c∗ kπ ∗ kM ∗ kP K0 kP K1 , δ ∗ ) = (ckπkM kP Ki kP Kj , δ), because the adversary is prohibited from asking ORes to resolve (M ∗ , σP∗ , {P K0 , P K1 }). On the other hand, if (c∗ kπ ∗ kM ∗ kP K0 kP K1 , δ ∗ ) 6= (ckπkM kP Ki kP Kj , δ), according to the specification of the experiment, the experiment is aborted. Finally, A outputs a bit d. D then outputs a bit b0 = d and halts. It’s readily seen that the oracle ORes is simulated indistinguishably by D0 . If D succeeds in the experiment, D0 also succeeds in outputting the bit b0 . So D’s advantage is AdvT-PKE (k) ≥ AdvSA D (k) = D D0 which is non-negligible by hypothesis. Therefore, the selective-tag CCA security of E is broken. Lemma 4.4. GAOFE is secure against signers.

14

Proof. If a partial signature (c, π, δ, otvk) of UA is valid on message M with respect to verifier UB , by the soundness of Π and the perfect completeness of E, with overwhelming probability the arbitrator can recover from the ciphertext c a valid signature σ on M generated by either UA or UB . On the other hand, due to the security against the arbitrator (as shown in Lemma 4.6), we know that only with negligible probability can the adversary A forge a signature on behalf of an honest user UB . Therefore, the valid signature must be generated by the adversary itself. Hence, the adversary can only break the security against signers with negligible probability. Lemma 4.5. GAOFE is secure against verifiers. Proof. Let B be an efficient adversary against the security against verifiers. Let P be the set of partial signatures returned by the oracle OPSig , and let (M ∗ , P KB , σF∗ ) be B’s final output, where σF∗ = (σP∗ , σ ∗ ). First of all, we modify the experiment so that if σP∗ 6∈ P, we abort it. Guaranteed by the security against the arbitrator (shown in Lemma 4.6), the modification leads to only a negligible difference in B’s success probability. Second, we modify the experiment so that the challenger runs Π.Sim1 algorithm to generate the common reference string crs along with a simulation trapdoor τS , and to answer each query the adversary submits to OPSig the challenger calls Π.Sim2 with τS to produce the proof π, instead of calling the prover strategy with the witness (σ, r). By the zero knowledge property of Π, we know that the modification brings a negligible difference to B’s success probability. Third, the experiment is modified again so that for each valid query submitted by the adversary to oracle ORes , i.e. (M, σP , {P Ki , P Kj }) where σP = (c, π, δ, otvk), if otvk was ever used by OPSig in answering B’s partial signing query, i.e. (M 0 , P K 0 ) is the query and σ 0 = (c0 , π 0 , δ 0 , otvk) is the answer, but (c, π, M, {P Ki , P Kj }, δ) 6= (c0 , π 0 , M 0 , {P KA , P K 0 }, δ 0 ), the experiment is aborted. If the case happens, obviously, it indicates that the adversary produces a forgery for the signature scheme OTS. Guaranteed by the strong one-time unforgeability of OTS, we have that the modification affects B’s success probability negligibly as well. Next we show that B’s success probability in this experiment, say, B , is negligible in k. Assume that B is non-negligible, we then use B to build another PPT algorithm D to break the selective-tag CCA security of E. D first invokes the algorithm S.Kg(1k ) to generate a pair of one-time key, (otvk ∗ , otvk ∗ ), submits otvk ∗ to its challenger as the target tag, and receives a challenge public key pk of E from the challenger. It runs Π.Sim1 (1k ) to generate (crs, τS ), and calls S.Kg to generate (P KA , SKA ). Suppose that B will submit at most q distinct query to oracle OPSig , which is polynomial in the security parameter. D picks i at random from the set {1, · · · , q}, and sets pkTA = pk, AP K = (crs, pkTA ). It invokes B on input (AP K, P KA ), and then begins to simulate oracles for B as follows. • ORes : On input a resolution query, (M, σP , P Ki , P Kj ), D first checks the validity of the query, and returns ⊥ if it doesn’t pass the PVer algorithm. It asks its decryption oracle to decrypt c with respect to tag otvk, and receives σ from it. D returns σ if S.Ver(P Ki , σ, otvk) = 1 or S.Ver(P Kj , σ, otvk) = 1. • OPSig : Let (M, P K 0 ) be the j-th distinct query B submits to the oracle. If j 6= i, this query is dealt with by D like a real user. If j = i, D computes σ ∗ ← S.Sig(SKA , otvk ∗ ). It sets σ0 = σ ∗ and randomly selects σ1 from the range of S.Sig(·, ·), and forwards σ0 , σ1 to its challenger, which randomly chooses one of them say, σb for some bit b ∈ {0, 1}, to encrypt. Let the ciphertext be c∗ . D then calls algorithm Π.Sim2 with the simulation trapdoor τS to produce a proof π ∗ on (pkTA , P KA , P K 0 , c∗ , otvk ∗ , otvk ∗ ). It then completes the generation of the partial signature by computing δ ∗ = OTS.Sig(otsk ∗ , c∗ kπ ∗ kM kP KA kP K 0 ), and returns σP∗ = (c∗ , π ∗ , δ ∗ , otvk ∗ ) back to the adversary B. 15

Finally B outputs (M ∗ , P KB , σF∗ ), where σF∗ = (σP∗ , σ ∗ ). If the output doesn’t satisfy the winning condition, D aborts and outputs a random bit. By the specification of the experiment, we know that σP∗ ∈ P. If (M ∗ , P KB ) is not the i-th distinct query to oracle OPSig , alternatively, D’s guess of i is incorrect, D aborts and outputs a random bit. If Ver(M ∗ , σF∗ , P KA , P KB , AP K) = 1, D outputs 0; otherwise, it outputs 1. We now consider the simulation of oracles ORes and OPSig . Let (M, σP = (c, π, δ, otvk), {P Ki , P Kj }) be a valid query submitted by the adversary to oracle ORes . If c 6= c∗ , D can handle this query as above. We then focus on the other case, c = c∗ . • If otvk 6= otvk ∗ , D can simply forward (otvk, c∗ ) to its decryption oracle as the tag otvk is different from the challenge one, otvk ∗ , and obtain the signature σ. • If otvk = otvk ∗ , in this case, D is not allowed to ask its oracle to decrypt c∗ with respect to tag otvk ∗ . However, as discussed in the proof of Lemma 4.3, this case will not happen. Regarding the oracle OPSig , it’s perfectly simulated when j 6= i. For j = i, if c∗ is an encryption of σ0 , the view of B is identical to that in a real attack, and B will succeed in the experiment with probability B , which is non-negligible. If c∗ is an encryption of σ1 , the view of the adversary is indistinguishable from that in a real attack, due to the zero knowledge property of Π. Since c∗ is independent of P KA , and thus provides no help to B in generating σF∗ . In this case, if B successfully produces a valid full signature σF∗ , it should be that B forges a full signature on behalf of the honest user UA , thus breaking the security against arbitrator. As shown in Lemma 4.6, B’s success probability in this case is negligible. Let b0 be the bit that D outputs. We want to show that |Pr[b0 = 1 ∧ b = 1] − Pr[b0 = 0 ∧ b = 1]| is non-negligible in k. No matter b = 0 or b = 1, the probability that D aborts due to an incorrect guess of i is the same, and when it aborts, it outputs 0 with probability exactly one-half. Therefore, we only need to focus on the case in which D guesses i correctly, which happens with probability 1/q. If b = 0, as we discussed above, the probability that B outputs a valid σF∗ is B . Thus, D outputs 0 with probability at least B as well. On the other side, i.e. b = 1, as discussed above, the probability that D outputs 0 is ε, which is the maximum probability that an efficient can break the security against the arbitrator, and is negligible. So we get the following: 1 T-PKE 0 AdvD = Pr[b = b] − 2 0 = |Pr[b = 0 ∧ b = 0] − Pr[b0 = 0 ∧ b = 1]| 1 = Pr[b0 = 0|b = 0] − Pr[b0 = 0|b = 1] 2 1 1 1 = B − ε 2 q q =

1 |B − ε| 2q

which is also non-negligible. Therefore, the selective-tag CCA security of E is broken. Lemma 4.6. GAOFE is secure against the arbitrator. Proof. Let C be a PPT adversary C which breaks the security against the arbitrator, and (M ∗ , σF∗ , P KB ) be its final output, where σF∗ = (σP∗ , σ ∗ ) and σP∗ = (c∗ , π ∗ , δ ∗ , otvk ∗ ). We distinguish the following two cases.

16

1. otvk ∗ never appeared in oracle OPSig ’s answers. In this case, we can use C’s capability to build a PPT adversary F0 to break the weak unforgeability of S. Suppose that C issues at most q distinct queries to oracle OPSig . F0 runs S.Kg(1k ) q times to generate q one-time key pairs, say, (otvk1 , otvk1 ), · · · , (otvkq , otskq ). It submits {otvk1 , · · · , otvkq } to its challenger, which then returns a public key pk and the corresponding signatures, {σ1 , · · · , σq }. F0 then invokes C on input 1k , which returns a public key of the arbitrator, AP K = (pkTA , crs). F0 then returns P KA = pk to C, and begins to simulate the partial signing oracle OPSig for C. On input the i-th distinct query (M, P Kji ), F0 chooses a random string r from the randomness space of E, uses r to encrypt σi under pkTA with respect to the tag otvki , and uses (σi , r) as the witness to compute a NIZK proof π. F0 runs OTS.Sig with secret key otski to generate a one-time signature δ on ckπkM kP KA kP Kji . It returns (c, π, δ, otvki ) to C. It’s readily seen that the simulation of OPSig is perfect. Finally, C outputs (M ∗ , P KB , σF∗ ) where σF∗ = ((c∗ , π ∗ , δ ∗ , otvk ∗ ), σ ∗ ), and wins the experiment with non-negligible probability C . F0 outputs (otvk ∗ , σ ∗ ). By the validity of C’s output, we know that S.Ver(pk, σ ∗ , otvk ∗ ) = 1. Since otvk ∗ is fresh, i.e., otvk ∗ 6∈ {otvk1 , · · · , otvkq }, F0 didn’t ask its signing oracle to return a signature on otvk ∗ . Thus, (otvk ∗ , σ ∗ ) is a valid forgery for S. Therefore, F0 breaks the security of S with probability at least the same as C. 2. otvk ∗ appeared in one of OPSig ’s answers to C’s partial signing queries. Again, we assume that C issues at most q queries to OPSig , which is polynomial in k. We use C to build an algorithm F1 to break the security of OTS. Given a public key otvk ∗ of OTS and a one-time signing oracle, F1 invokes C on input 1k and obtains AP K = (pkTA , crs) from it. It then calls S.Kg(1k ) to generate a key pair for user A, say, (P KA , SKA ), and randomly selects i from {1, · · · , q}. F1 gives P KA to C, and then begins to simulate oracle OPSig for it. If j 6= i, F1 simulates the oracle like an honest user UA does. If j = i, it uses SKA to generate a signature σ on otvk ∗ , selects a random string r, computes c ← E.Enc(pkTA , otvk ∗ , σ; r) and uses (σ, r) as the witness to produce a NIZK proof π. F1 then submits ckπkM kP KA kP Ki to its signing oracle, and obtains a signature δ ∗ . It then returns (c, π, δ, otvk ∗ ) back to C. Finally C outputs (M ∗ , σF∗ , P KB ) where σF∗ = (σP∗ , σ ∗ ) and σP∗ = (c∗ , π ∗ , δ ∗ , otvk ∗ ). F1 outputs (c∗ kπ ∗ kM ∗ kP KA kP KB , δ ∗ ). Assume that C wins the experiment. So we have that OTS.Ver(otvk ∗ , δ ∗ , c∗ kπ ∗ kM ∗ kP KA kP KB ) = 1 and C didn’t issue a query on input (M ∗ , P KB ). Since the pair (M ∗ , P KB ) is fresh, we have that c∗ kπ ∗ kM ∗ kP KA kP KB 6= ckπkM kP KA kP Ki . So δ ∗ is a valid signature on a new message. Therefore, the security of OTS is broken. Since we don’t know which of the two cases above will happen, we simply toss a coin b, and run the algorithm Fb . Still, we have non-negligible probability to break the security of either S or OTS, if C wins its experiment with non-negligible probability. Remark 4 : In our construction, the signer uses its secret key to generate a signature on a fresh one-time verification key, while the message is signed using the corresponding one-time signing key. As shown by Huang et al. in [21], this combination leads to a strongly unforgeable signature scheme. It’s not hard to see that our proposed A-OFE scheme actually achieves a stronger version of security against the arbitrator. That is, even if the adversary sees the signer UA ’s full signature σF on a message M with verifier UB , it cannot produce another full signature on M , say, σF0 , such that Ver(M, σF0 , P KA , P KB , AP K) = 1. The claim can be shown using the proof given above without much modification. 17

5

A Concrete Scheme without Random Oracles

In this section, we propose an A-OFE scheme, which is based on Groth and Sahai’s idea of constructing a fully anonymous group signature scheme [19, 20]. Before describing the scheme, we first introduce the assumptions and building tools used in our construction.

5.1

Assumptions

(Admissible Pairings): Let G1 and GT be two cyclic groups of large prime order p. ˆe is an admissible pairing if ˆe : G1 × G1 → GT is a map with the following properties: 1. Bilinear : ∀R, S ∈ G1 and ∀a, b ∈ Z, ˆe(Ra , S b ) = ˆe(R, S)ab ; 2. Non-degenerate: ∃R, S ∈ G1 such that ˆe(R, S) 6= 1; and 3. Computable: there exists an efficient algorithm for computing ˆe(R, S) for any R, S ∈ G1 . (Decision Linear Assumption (DLN)[10]): Let G1 be a cyclic group of large prime order p. The Decision Linear Assumption for G1 holds if for any PPT adversary A, the following probability is negligibly close to 1/2. Pr[F, H, W ← G1 ; r, s ← Zp ; Z0 ← W r+s ; Z1 ← G1 ; d ← {0, 1} : A(F, H, W, F r , H s , Zd ) = d] (q-Strong Diffie-Hellman Assumption (q-SDH) [9]): The q-SDH problem in G1 is defined as 2 q follows: given a (q + 1)-tuple (g, g x , g x , · · · , g x ), output a pair (g 1/(x+c) , c) where c ∈ Z∗p . The q-SDH assumption holds if for any PPT adversary A, the following probability is negligible. h i 1 q Pr x ← Z∗p : A(g, g x , · · · , g x ) = (g x+c , c)

5.2

Building Tools

(Tag-based Encryption Scheme): We use a tag-based public key encryption scheme E with security based on the DLN assumption reviewed above. Below is a brief review of a suitable scheme due to Kiltz [26]. • Key Generation: (pk, sk) = ((F, H, K, L), (κ, λ)) ← E.K(p, G1 , GT , ˆe, g), where F = g κ and H = gλ; • Encryption: Let M ∈ G1 be a message, tag ∈ Zp a tag, and r, s ∈ Zp the randomness. The ciphertext y is computed as y = (y1 , y2 , y3 , y4 , y5 ) = (F r , H s , M · g r+s , (g tag K)r , (g tag L)s ); • Decryption: The validity of a ciphertext can be checked without knowing the secret key. Anyone can check if ˆe(F, y4 ) = ˆe(y1 , g tag K) and ˆe(H, y5 ) = ˆe(y2 , g tag L). If any one fails, ⊥ is returned. −1/κ −1/λ Otherwise, M is recovered by computing M = y3 · y1 · y2 . Note that the plaintext can also be recovered if the discrete logarithms of K and L with respect 0 0 to g are known. Assume that K = g κ and L = g λ . After checking the validity of the ciphertext −1/(tag+κ0 ) −1/(tag+λ0 ) y = (y1 , y2 , y3 , y4 , y5 ), M can be computed as M = y3 · y4 · y5 . Kiltz proved [26] that under the DLN assumption, the tag-based encryption scheme is selective-tag weakly chosen-ciphertext secure, which means that it is hard for an adversary A to tell which message was encrypted under tag∗ (selected by A though) before seeing the public key, even when it has access to a decryption oracle 18

that decrypts ciphertexts under any tag other than tag∗ . Readers may refer to Appendix A or [26] for a definition of selective-tag weakly CCA security. (Non-interactive Proofs): Recently, Groth and Sahai [20] proposed a general methodology for constructing simple and efficient non-interactive witness indistinguishable (NIWI) proofs and noninteractive zero-knowledge (NIZK) proofs that work for bilinear groups, without requiring complex NP-reductions. They proposed efficient non-interactive (NI) proofs for a set of equations in a bilinear group (p, G1 , GT , ˆe, g) over variables in G1 and Zp , such as pairing products, i.e. ˆe(x1 , y1 )·ˆe(x2 , y2 ) = T , or multi-exponentiations, i.e. xδ11 xδ22 = 1, having solutions xi ∈ G1 , δj ∈ Zp , so that all equations are simultaneously satisfied. Their NI proofs can be based on subgroup decision assumption, (symmetric) external Diffie-Hellman ((S)XDH) assumption, and decision linear (DLN) assumption. In our construction, we will use their DLN-based technique. (Commitment Scheme): The core of Groth-Sahai’s DLN-based proofs consists of two commitment schemes, one for committing to variables of G1 , and the other one to variables in Zp . The common reference string for either of the two commitment schemes, can be generated in either of two indistinguishable ways. For the first commitment scheme, a real common reference string is set up to U = F R , V = H S , and W = g R+S , a commitment to a variable x ∈ G1 can be respectively expressed as c = (c1 , c2 , c3 ) = (F r U t , H s V t , g r+s W t x) for randomness r, s ∈ Zp . The key for extracting x from c is xk = (κ, λ) = (logg F, logg H), so the scheme is perfectly binding. A simulated common reference string consists of F, H, U = F R , V = H S and W = g T where T 6= R + S, and thus the scheme is also perfectly hiding. 0 For the commitment to a variable δ ∈ Zp , a real common reference string consists of F, H, U 0 = F R , 0 0 V 0 = H S and W 0 = g T where T 0 6= R0 + S 0 , and a commitment to δ is expressed as c0 = (c01 , c02 , c03 ) = 0 0 0 0 (F r (U 0 )δ , H s (V 0 )δ , g r +s (W 0 )δ ) for randomness r0 , s0 ∈ Zp . The commitment scheme is perfectly 0 0 0 0 binding. A simulated common reference string consists of F, H, U = F R , V = H S , W = g R +S . The commitment scheme then becomes perfectly hiding. The simulation trapdoor is tk = (R0 , S 0 ), and we can use it to reveal a commitment to 0 to any other value δ ∈ Zp . Due to the DLN assumption, we have that any PPT adversary cannot tell a real common reference string apart from a simulated one. (Groth-Sahai Proofs): Groth-Sahai NI proof system for bilinear groups consists of four PPT algorithms, (KN I , P, V, X), where the key generator KN I takes as input a system parameter (p, G1 , GT , ˆe, g) and outputs a common reference string crs = (F, H, U, V, W , U 0 , V 0 , W 0 ) and an extraction key xk; the algorithm P takes as input crs, a problem instance and a witness (· · · , xi , · · · , δj , · · · ) and outputs a proof π; the verification algorithm V takes as input crs, a problem instance, and a proof π, and outputs 1 indicating that π is valid or 0 indicating that π is invalid; and the extraction algorithm X takes as input crs, a problem instance, and a proof π, and outputs (· · · , xi , · · · ). Groth-Sahai NI proofs have perfect completeness, and perfect soundness on a real common reference string. Besides, they have perfect partial knowledge: the extraction algorithm will extract (· · · , xi , · · · ) from the proof, such that there is a solution for the equations using these xi ’s. GrothSahai proofs also have perfect witness-indistinguishability on a simulated common reference string: if there are many possible witnesses for the equations being satisfiable, the proof π does not reveal anything about which witness was used by the prover in generating π. In our construction (Sec. 5.4), we use two NI proof systems: NIWI and NIZK. The NIWI proof system is used for showing that a BB-signature σ is valid with respect to either P Ki or P Kj , i.e. n o _ NIWI α : ˆe(α, g H(otvk) P Ki ) = ˆe(g, g) ˆe(α, g H(otvk) P Kj ) = ˆe(g, g) The NIZK proof system is used for showing that the commitment c = (c1 , c2 , c3 ) = (F rc U t , H sc V t , g rc +sc W t σ) in the NIWI proof π1 and the ciphertext y = (y1 , y2 , y3 , y4 , y5 ) = (F ry , H sy , g ry +sy σ, 19

(g tag K)ry , (g tag L)sy ), where tag = H(otvk), contain the same σ. This is equivalent to showing the −1 −1 r t s t r+s W t = 1. knowledge of a solution to the equation (c−1 1 y1 )F U = 1 ∧ (c2 y2 )H V = 1 ∧ (c3 y3 )g If c and y contain different messages, then there will be no r, s, t satisfying all the equations above. Groth and Sahai [20] showed a way to turn the set of equations above to a tractable set, which has zero-knowledge proofs. The set of equations above is equivalent to the following one, which is tractable: ^ ^ ^ −1 φ r t φ s t φ r+s φ=1 (c−1 y ) F U = 1 (c y ) H V = 1 (c−1 W t = 1. 1 2 1 2 3 y3 ) g This NIZK proof system was also used by Groth in constructing a fully anonymous group signature scheme [19]. Readers may refer to [19, 20] for more details.

5.3

High Level Description of Our Construction

As mentioned in the introduction part, many OFE schemes in the literature follows a generic framework: Alice encrypts her signature under the arbitrator’s public key, and then provides a proof showing that the ciphertext indeed contains her signature on the message. To extend this framework to ambiguous optimistic fair exchange, we let Alice encrypt her signature under the arbitrator’s public key and provide a proof showing that the ciphertext contains either her signature on the message or Bob’s signature on it. Therefore, given Alice’s partial signature, Bob cannot convince others that Alice was committed herself to something, as he can also generate this signature. Our concrete construction below follows the aforementioned framework, which is based on the idea of Groth in constructing a fully anonymous group signature scheme [19]. In more details, Alice’s signature consists of a weakly secure BB-signature [9] and a strong one-time signature. Since only the BB-signature is related to Alice’s identity, we encrypt it under the arbitrator’s public key using Kiltz’ tag-based encryption scheme [26], with the one-time verification key as the tag. The noninteractive proof is based on a newly developed technique by Groth and Sahai [20], which is efficient and doesn’t require any complex NP-reduction. The proof consists of two parts. The first part includes a commitment to Alice’s BB-signature along with a non-interactive witness indistinguishable (NIWI) proof showing that either Alice’s BB-signature or Bob’s BB-signature on the one-time verification key is in the commitment. The second part is non-interactive zero-knowledge (NIZK) proof (of knowledge) showing that the commitment and the ciphertext contains the same thing. These two parts together imply that the ciphertext contains a BB-signature on the message generated by either Alice or Bob. Both the ciphertext and the proof are authenticated using the one-time signing key. Guaranteed by the strong unforgeability of the one-time signature, no efficient adversary can modify the ciphertext or the proof.

5.4

The Scheme and Security Analysis

Our proposed concrete scheme of A-OFE, AOFE, is described in Fig. 2 (on page 21). For the security, we have the following theorem: Theorem 5.1. The proposed A-OFE scheme is secure in the multi-user setting and chosen-key model (without random oracles) provided that DLN assumption and q-SDH assumption hold. Intuitively, the resolution ambiguity is guaranteed by the extractability and soundness of the NIWI proof of knowledge system. The signer ambiguity and security against verifiers are due to the CCA security of the encryption scheme. Security against signers and security against the arbitrator are guaranteed by the weak unforgeability of BB-signature scheme. AOFE follows the framework of the generic construction proposed in Sec. 4. However, for the completeness, we provide the detailed security proof below. 20

• PMGen takes 1k and outputs PM = (1k , p, G1 , GT , ˆe, g) so that G1 and GT are cyclic groups of prime order p; g is a random generator of G1 ; ˆe : G1 × G1 → GT is an admissible bilinear pairing; and group operations on G1 and GT can be efficiently performed. • SetupTTP : The arbitrator runs the key generation algorithm of the non-interactive proof system to generate a common reference string crs and an extraction key xk, i.e. (crs, xk) ← KN I (1k ), where crs = (F, H, U, V, W, U 0 , V 0 , W 0 ). It also randomly selects K, L ← G1 , and sets (AP K, ASK) = ((crs, K, L), xk), where F, H, K, L together form the public key of the tag-based encryption scheme [26], and xk is the extraction key of the NIWI proof system [19, 20], which is also the decryption key of the tag-based encryption scheme. • SetupUser : Each user Ui randomly selects xi ← Zp , and sets (P Ki , SKi ) = (g xi , xi ). • PSig: To partially sign a message m with verifier Uj , user Ui does the following: 1. call the key generation algorithm of S to generate a one-time key pair (otvk, otsk); 1

2. use SKi to compute a BB-signature σ on H(otvk), i.e. σ ← g xi +H(otvk) ; 3. compute an NIWI proof π1 showing that σ is a valid signature under either P Ki or P Kj , i.e. π1 ← PW I (crs, (ˆe(g, g), P Ki , P Kj , H(otvk)), (σ)), which shows that the following holds: _ ˆe(σ, P Ki · g H(otvk) ) = ˆe(g, g) ˆe(σ, P Kj · g H(otvk) ) = ˆe(g, g) 4. compute a tag-based encryption ([26]) y of σ, i.e. y = (y1 , y2 , y3 , y4 , y5 ) ← E.Epk (σ, tag), where pk = (F, H, K, L) and tag = H(otvk); 5. compute an NIZK proof π2 showing that y and the commitment C to σ in π1 contain the same σ, i.e. π2 ← PZK (crs, (y, π1 ), (r, s, t)); 6. use otsk to sign the whole transcript and the message M , i.e. S.Sotsk (M kπ1 kykπ2 kP Ki kP Kj ).



σot

The partial signature σP of Ui on message M then consists of (otvk, σot , π1 , y, π2 ). • PVer: After obtaining Ui ’s partial signature σP = (otvk, σot , π1 , y, π2 ), the verifier Uj checks the following. If any one fails, Uj rejects; otherwise, it accepts. 1. if σot is a valid one-time signature on M kπ1 kykπ2 kP Ki kP Kj under otvk; ?

2. if π1 is a valid NIWI proof, i.e. VW I (crs, (ˆe(g, g), P Ki , P Kj , H(otvk)), π1 ) = 1; ?

3. if π2 is a valid NIZK proof, i.e. VZK (crs, (y, π1 ), π2 ) = 1; • Sig: To sign a message M with verifier Uj , user Ui generates a partial signature σP as in PSig, and set the full signature σF as σF = (σP , σ). ?

• Ver: After receiving σF on M from Ui , user Uj checks if PVer(M, σP , {P Ki , P Kj }, AP K) = 1, ?

and if ˆe(σ, P Ki · g H(otvk) ) = ˆe(g, g). If any of the checks fails, Uj rejects; otherwise, it accepts. • Res: After receiving Ui ’s partial signature σP on message M from user Uj , the arbitrator firstly checks the validity of σP . If invalid, it returns ⊥ to Uj . Otherwise, it extracts σ from π1 by calling σ ← Xxk (crs, π1 ). The arbitrator returns σ to Uj . Figure 2: Our Proposed Concrete Scheme of A-OFE, AOFE 21

Lemma 5.2. The proposed OFE scheme is resolution ambiguous. Proof. Guaranteed by the perfect partial knowledge of the NIWI proof system, with probability one the arbitrator will extract σ from π1 . Guaranteed by the perfect soundness of the NIWI proof, we know that σ is a BB-signature of the signer who generated π1 (or the partial signature). Therefore, the full signature output by the arbitrator is identical to that generated by the signer. Lemma 5.3. The proposed OFE scheme is signer ambiguous, provided that DLN assumption holds. Proof. First, we modify the experiment of signer ambiguity in a way that once if the one-time verification key in the adversary’s query to the resolution oracle appears in the challenge partial signature, we abort the experiment. Guaranteed by the strong one-time security of S, we will abort the experiment with only a negligible probability. Second, we modify the experiment again in a way that if the hash of the one-time verification key in the adversary’s query to the resolution oracle is equal to that of the one-time verification key in the challenge partial signature, we abort the experiment. Due to the collision-resistance property of hash function H, we have that we abort the experiment in this case with only negligible probability. 0 Third, This time we modify the experiment in a way that K and L are selected as K = g κ and 0 L = g λ for some κ0 , λ0 ∈ Zp , and the resolution oracle uses the knowledge of κ0 , λ0 to decrypt the ciphertext y in the adversary’s query. Note that K, L are distributed identically to those in the previous experiment. By the validity check of the tag-based encryption scheme and the perfect soundness of the underlying NIZK proof system, we have that the obtained plaintext is the same signature σ as we get when running the extractor of the NIWI proof system. Therefore, the output distribution of the experiment remains identical to that of the previous one. Fourth, since in the previous experiment the resolution oracle does not use xk to extract σ, we now can switch the common reference string to a simulated one that gives us perfect witness indistinguishability and perfect zero-knowledge. Since the real common reference string and the simulated one are indistinguishable, this gives only a negligible difference in the adversary’s output. Perfect witness indistinguishability implies proof π1 does not reveal any information about whether SK0 or SK1 is used in generating the challenge partial signature. Now the only thing that may leak information about the bit b is the ciphertext y. Guaranteed by the selective-tag weakly CCA-security of E, y leaks only a negligible part of information about b. Otherwise, we can use the distinguisher D to build a PPT algorithm A to break the selective-tag weakly CCA-security of E. Given a system parameter PM = (p, G1 , GT , ˆe, g), A calls the key generation algorithm of S to generate a new one-time key pair (otvk ∗ , otsk ∗ ), and use tag∗ = H(otvk ∗ ) as the challenge tag. It submits tag∗ to its challenger, and obtains a public key pk = (F, H, K, L). A then can construct the other part of the common reference string crs using g, F, H, as the zero-knowledge trapdoor consists of the discrete logarithms of U 0 , V, W 0 with respect to F, H, g respectively. A runs D on input AP K = (crs, K, L). The resolution oracle ORes now is simulated by A using its decryption oracle. Namely, after receiving a partial signature σP from D, A first checks the validity of σP , and returns ⊥ if it’s invalid. A submits the ciphertext y contained in σP to its decryption oracle, and obtains σ from it. A returns σ to D. Until now the view of D is identical to that of D in the previous experiment. Next we describe how to generate the challenge partial signature on top of a challenge tag-based ciphertext. At some point D submits a message M , and two public/private key pairs, (P K0 , SK0 ) and (P K1 , SK1 ). The well-formedness of these key pairs can be easily verified by checking if P Ki = g SKi ∗ ∗ for each i = 0, 1. A prepares two BB-signatures, σ 0 = g 1/(SK0 +tag ) and σ 1 = g 1/(SK1 +tag ) and submits them to its challenger, which returns a ciphertext y ∗ = (y1∗ , y2∗ , y3∗ , y4∗ , y5∗ ) of either σ 0 or σ 1 22

under tag∗ . A then builds a complete partial signature σP . This can be done as the NIWI proof system is perfect witness indistinguishability and the NIZK proof system is perfect zero knowledge; the commitment scheme (for committing to a variable in G1 ) used in both the NIWI proof scheme and the NIZK proof scheme is perfectly hiding, thus a commitment to σ 0 itself can also be viewed as a commitment to σ 1 . σP is given to D, which continues to make resolution queries. Finally, A outputs the bit b0 output by D. It’s easy to see that the challenge partial signature and the resolution oracle are perfectly simulated by A as those in a real attack. Because D did not issue query (M, σP , {P KA , P KB }) to oracle ORes and our previous modification on the experiment, i.e. tag∗ is guaranteed to be distinct in this experiment, A did not issue a decryption query on input (·, tag∗ ) either. Therefore, if D breaks the signer ambiguity of the proposed ambiguous OFE scheme with non-negligible advantage, A also breaks the selective-tag weakly CCA-security of E with at least the same (non-negligible) advantage. Lemma 5.4. The proposed OFE scheme is secure against signers, provided that DLN assumption and q-SDH assumption hold. Proof. Suppose that there exists a PPT adversary A that breaks the security against signers with non-negligible advantage, we then can use it to build another PPT algorithm F to break the weak unforgeability of BB-signature scheme. Without loss of generality, we assume that the adversary A makes at most q queries to oracle B OPSig . Given PM = (p, G1 , GT , ˆe, g), algorithm F runs SetupTTP algorithm to generate an arbitrator key pair, (AP K, ASK), and calls the key generation of S to generate q copies of one-time key pair, {(otvki , otski )}1≤i≤q . It sends {H(otvki )}1≤i≤q to its challenger, which then returns a public key pk = g x for some unknown x ∈ Zp , and BB-signatures σ i ’s on H(otvki )’s respectively. F sets P KB = pk, and invokes A on input (AP K, P KB ), which then begins to makes oracle queries. The resolution oracle ORes can be perfectly simulated by F using its knowledge of ASK. If A submits the i-th query B , F picks (otvk , otsk , σ ) from its memory, and uses σ as the witness to (M, P Ki ) to oracle OPSig i i i i produce NIWI proof π1 , a tag-based ciphertext y under tag H(otvki ), and a NIZK proof π2 . It then signs M kπ1 kykπ2 kP KB kP Ki using otski to get σot . F returns σP = (otvki , σot , π1 , y, π2 ) to A. It’s B is also perfectly simulated. Finally, A outputs (M ∗ , σP∗ , P KA ), readily seen that the oracle OPSig ∗ , π ∗ , y ∗ , π ∗ ). F uses ASK to resolve σ ∗ to σ ∗ = (σ ∗ , σ ∗ ). If (M ∗ , σ ∗ , P K , σ ∗ ) where σP∗ = (otvk ∗ , σot A F 1 2 P F P P doesn’t satisfy the winning condition, F aborts. If otvk ∗ = otvki or H(otvk ∗ ) = H(otvki ) for some 1 ≤ i ≤ q, F also aborts. Otherwise, it outputs (H(otvk ∗ ), σ ∗ ). B , F didn’t use any otvk to produce a partial sigFirst, since A didn’t submit (M ∗ , P KA ) to OPSig i ∗ nature on M under P KA , P KB . Guaranteed by the strong one-time security of S and the collisionresistance property of H, we have that the probability that otvk ∗ = otvki or H(otvk ∗ ) = H(otvki ) is negligible. Conditioned on that F doesn’t abort, we know that H(otvk ∗ ) is different from all H(otvki )’s. On the other side, because the NIWI proof and NIZK proof are both perfectly sound, ∗ we get that the NIWI proof π1∗ must be generated using a witness which is either g 1/(SKA +H(otvk )) ∗ or g 1/(SKB +H(otvk )) . Since the NIWI proof has the perfect partial knowledge property and σF∗ fails to pass the verification algorithm, i.e. Ver(M ∗ , σF∗ , P KA , P KB , AP K) = 0, it must be the case that ∗ ∗ Ver(M ∗ , σF∗ , P KB , P KA , AP K) = 1. Therefore, we have that σ ∗ = g 1/(SKB +H(otvk )) = g 1/(x+H(otvk )) , which is a valid BB-signature on H(otvk ∗ ) under public key pk. Hence, the output of F is a valid forgery of BB-signature scheme. Since the experiment is simulated by F perfectly, A succeeds in the experiment with non-negligible advantage. Conditioned on that A succeeds, F aborts with only negligible probability, and if it doesn’t abort, it succeeds in outputting a valid forgery of BB-signature. Therefore, F wins its game with nonnegligible probability as well.

23

Lemma 5.5. The proposed OFE scheme is secure against verifiers, provided that DLN assumption and q-SDH assumption hold. Proof. First of all, we assume that before the adversary B outputs (M ∗ , P KB , σF∗ ), B issued a query to oracle OPSig on input (M ∗ , P KB ). This is guaranteed by the security against arbitrator (see Lemma 5.6). Otherwise, we can use B to build a PPT algorithm to break the weak unforgeability of the underlying BB-signature scheme. Second, let P be the set of partial signatures returned by oracle OPSig to B. Let (M, σP , P Ki , P Kj ) be any valid query submitted by B to ORes . If σP 6∈ P but the otvk contained in σP is equal to that contained in any partial signature in set P , the experiment is aborted. Guaranteed by the strong one-time security of S, we know that with probability negligibly close to 1, it should be that either σP ∈ P or σP contains a new otvk. Furthermore, if σP 6∈ P but the hash of otvk contained in σP is equal to that of the otvk contained in any partial signature in set P , the experiment is aborted as well. Due to the collision-resistance of the hash function, the experiment is aborted in this case with only negligible probability. 0 0 We then modify the experiment so that K, L in AP K are selected as K = g κ and L = g λ for some κ0 , λ0 ∈ Zp , and the resolution oracle uses κ0 , λ0 to answer B’s queries. As discussed in the proof of Lemma 5.3, the output distribution of the experiment remains unchanged. The experiment is modified again in a way that we use a simulated common reference string that gives us perfect witness indistinguishability and perfect zero-knowledge to replace the real one. The output distribution of this new experiment differs from that of the previous one only in a negligible part. Now π1 and π2 in each partial signature are perfect WI and perfect ZK respectively, and thus reveal no information about σ. Next we show that in the new experiment B’s success probability is negligible. Suppose that B has a non-negligible success probability  in this new experiment. We use it to build another PPT algorithm B to break the selective-tag weakly CCA-security of the tag-based encryption scheme E. Let q be the maximal number of queries B issued to oracle OPSig . Given a system parameter PM = (p, G1 , GT , ˆe, g), B randomly selects an index i ∈ {1, · · · , q}, and calls the key generation algorithm of S to generate a one-time key pair (otvk ∗ , otsk ∗ ). It submits tag∗ = H(otvk ∗ ) as the challenge tag to its own challenger, which returns a challenge public key pk = (F, H, K, L). It’s possible for B to build on top of PM and pk a (simulated) common reference string crs (and the corresponding trapdoor information), as in the proof of Lemma 5.3. The index i is B’s guess of to which distinct query the answer of OPSig will be converted by B to a full one without help from the signer or the arbitrator. With probability at least 1/q, B guesses i correctly. B then runs SetupUser to generate a user key pair (P KA , SKA ), and runs B on input (P KA , AP K) = (P KA , (crs, K, L)). The resolution oracle ORes is now simulated by B using its own decryption oracle. To simulate OPSig , on input the `-th distinct query (M, P Kj ), if ` 6= i, B computes σP by itself using SKA ; ∗ otherwise, B computes σ 0 = g 1/(SKA +tag ) and randomly selects σ 1 from G1 . It submits σ 0 , σ 1 to its challenger, which returns a ciphertext y ∗ of σ b under tag∗ , for some unknown bit b. B then builds a complete partial signature σP∗ based on y ∗ . As discussed in the proof of Lemma 5.3, it’s possible for B to build a complete partial signature on top of y ∗ , i.e. B uses σ 0 to generate π1 , and uses the simulation trapdoor key to generate π2 . Note that even if y ∗ is an encryption of σ 1 , B can also generate a valid π2 . This is because the commitment scheme for committing to variables in G1 is perfectly hiding, a commitment to σ 0 is also a commitment to σ 1 , and the problem instance to the simulator of the NIZK proof system is also a true instance. B then gives σP∗ to B, which may continue to issue queries to OPSig and ORes . If y ∗ is a ciphertext of σ 0 , B’s view is the same as that in a real experiment, and it will succeed in outputting (M ∗ , P KB , σF∗ ) with non-negligible probability . If y ∗ is a ciphertext of σ 1 , it is 24

independent of P KA , and thus provides no help to B in generating σF∗ . In this case, if B successfully outputs a full signature σF such that Ver(M ∗ , σF∗ , P KA , P KB , AP K) = 1, it indicates that B forges a full signature of an honest (and uncorrupted) user UA , thus breaking the security against the arbitrator. However, guaranteed by the security against the arbitrator (see Lemma 5.6), B outputs in this case a valid triple (M ∗ , P KB , σF∗ ) with at most the maximum probability that an adversary succeeds in the experiment of security against the arbitrator, which is negligible. We denote by B’s success probability by ε. Finally B outputs (M ∗ , P KB , σF∗ ), where σF∗ = (σP∗ , σ). If (M ∗ , P KB ) is not the i-th distinct query to OPSig , alternatively, B’s guess of i is incorrect, B aborts and outputs a random bit. If Ver(M ∗ , σF∗ , P KA , P KB , AP K) = 1, B outputs 0. Otherwise, it outputs 1. From the validity of σF∗ ∗ we know that σ ∗ is a valid BB-signature on tag∗ , i.e. ˆe(σ ∗ , P KA g tag ) = ˆe(g, g). It must be the case that σ ∗ = σ ∗0 , as BB-signature on a message is unique. If B succeeds, we know that it did not ask ORes to resolve (M ∗ , ·, P KA , P KB ), and tag∗ is different from the hash of the one-time verification key in σP in B’s any query to ORes . Therefore, B did not issue a query on input (·, tag∗ ) to its decryption oracle either. (Probability Analysis): Let b0 be the bit output by B. Next we show that |Pr[b0 = 0 ∧ b = 0] − Pr[b0 = 0 ∧ b = 1]| is non-negligible. Note that the simulation of oracle ORes and the simulation of OPSig are indistinguishable from real oracles. No matter b = 0 or b = 1, B aborts (due to an incorrect guess of i) with the same probability, and when B aborts, it outputs 0 with probability exactly 1/2. Therefore, we only need to focus on the case in which B does not abort, which happens with probability 1/q. If b = 0, as we discussed above, the probability that B outputs σ 0 is , which is non-negligible. Hence, the probability that B outputs 0 is also . On the other side, if b = 1, as discussed above, the probability that B outputs σ 0 is ε, which is negligible. Therefore, we get that AdvT-PKE (k) = Pr[b0 = 0 ∧ b = 0] − Pr[b0 = 0 ∧ b = 1] B 1 = Pr[b0 = 0|b = 0] − Pr[b0 = 0|b = 1] 2 1 1 1 =  − ε 2 q q =

1 | − ε| 2q

which is also non-negligible. Therefore, B breaks the selective-tag weakly CCA-security of E. Lemma 5.6. The proposed OFE scheme is secure against the arbitrator, provided that DLN assumption and q-SDH assumption hold. Proof. First, we modify the experiment in a way that if (the hash of) the one-time verification key in C’s forgery is equal to that in any of the answers given by the oracle OPSig , we abort the experiment. Guaranteed by the strong one-time security of S and the collision resistance of H, the experiment is aborted in this case with only negligible probability. Now we show that the advantage of C in this new experiment is negligible. To the contrary, suppose that C’s advantage is non-negligible, we then can use it to build another PPT algorithm C to break the weak unforgeability of BB-signature scheme with non-negligible probability as well. Without loss of generality, we assume that C issues at most q distinct queries to oracle OPSig . C works as follows: Given system parameter PM = (p, G1 , GT , ˆe, g), C runs C on input PM, which returns an arbitrator public key AP K = (crs, K, L). C then calls the key generation algorithm of S for q times to generate q one-time key pairs, say {(otvki , otski )}1≤i≤q . It submits {H(otvki )}1≤i≤q to its challenger, which 25

returns a public key pk = g x for some (unknown) x ∈ Zp and signatures σ i ’s on H(vkoti )’s respectively. It returns P KA = pk to C, which then begins to issue queries to oracle OPSig in an adaptive manner. Now we describe how C simulates oracle OPSig . On input the `-th distinct query (M, P Kj ), C picks the (otvk` , otsk` ) and σ ` . It sets (otvk, otsk) = (otvk` , otsk` ) and σ = σ ` , and completes the rest of the generation of a partial signature σP on M under P KA , P Kj as a real signer does. It’s easy to see that oracle OPSig is perfectly simulated. ∗ , π ∗ , y ∗ , π ∗ ). If Finally, C outputs (M ∗ , P KB , σF∗ ), where σF∗ = (σP∗ , σ ∗ ) and σP∗ = (otvk ∗ , σot 1 2 ∗ ∗ ∗ ∗ Ver(M , σF , P KA , P KB , AP K) = 0, C aborts. If otvk = otvk` or H(otvk ) = H(otvk` ) for some 1 ≤ ` ≤ q, C also aborts. Otherwise, C outputs σ ∗ and H(otvk ∗ ). If C did not submit (M ∗ , P KB ) to oracle OPSig , C did not get from its own challenger a BBsignature on H(otvk ∗ ) either. Thus, σ ∗ is a valid forgery of BB-signature scheme, and C breaks the weak unforgeability of BB-signature scheme with non-negligible probability, thus breaking the q-SDH assumption. By combining these lemmas, we get Theorem 5.1.

6

Comparison

We note that schemes proposed in [17, 28] have similar properties as our ambiguous OFE, i.e. (online, offline) non-transferability. Here we make a brief comparison with these two schemes. First of all, our A-OFE scheme is better than them in terms of the level of non-transferability. In [17, 28], the nontransferability is defined only in the CPA fashion. The adversary is not given an oracle for converting a partial signature to a full one. While in our definition of A-OFE, we define the ambiguity in the CCA fashion, allowing the adversary to ask for resolving a partial signature to a full one. Second, in terms of efficiency, our scheme outperforms the scheme proposed in [28], and is slightly slower than [17]. The generation of a partial signature of their scheme requires linear (in security parameter k) number of encryptions, and the size of a partial signature is also linear in k. While in our scheme both the computation cost and size of a partial signature are constant. The partial signature of ousr scheme includes about 41 group elements plus a one-time verification key and a one-time signature. Third, both our scheme and the scheme in [17] only require one move in generating a partial signature, while the scheme in [28] requires four moves. Fourth, in [28], there is a setup phase between each signer and the confirmer, in which the confirmer generates an encryption key pair for each signer. Therefore, the confirmer has to store a key pair for each signer, leading to a large storage. While our scheme and [17] don’t need such a phase. Fifth, in terms of security, our scheme and [28] are provably secure without using random oracle assumption. But the scheme in [17] is only provably secure in the random oracle model. Figure 3 (on page 31) shows the comparison of our scheme with [17, 28]. In terms of signature size, our scheme inherits the drawback of Groth-Sahai DLN assumption based non-interactive proofs. The signature consists of dozens of group elements, but the number is still constant. Garay et al.’s signature contains comparable (but smaller) number of group elements, while the number of signature components of Liskov et al.’s scheme is linear in the security parameter.

7

Conclusion

In this paper, we proposed the notion of ambiguous optimistic fair exchange (A-OFE), and gave a formal security model for it. We discussed the relationship among some variants of the model, and showed that signer ambiguity and security against the arbitrator together imply security against verifiers (in a weaker sense). We revisited two generic constructions of OFE, and showed that they 26

cannot be simply extended to A-OFE. We then proposed a generic construction of A-OFE, and proved its security under the proposed multi-user setting and chosen-key model. We also proposed a concrete construction of A-OFE in bilinear groups, whose security can be proved under the given model without random oracles. Though our scheme is efficient, it still requires several bilinear mapping evalutions, and the signature consists of dozens of group elements. We leave it as our further work to construct some more efficient A-OFE scheme (with or without using the random oracle assumption).

Acknowledgements We are grateful to the anonymous reviewers of Asiacrypt 2008 for their invaluable comments. The first three authors were supported by a grant from the Research Grants Council of the Hong Kong Special Administrative Region, China (RGC Ref. No. CityU 122107).

References [1] M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n signatures from a variety of keys. In Advances in Cryptology - ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 415–432. Springer, 2002. [2] N. Asokan, M. Schunter, and M. Waidner. Optimistic protocols for fair exchange. In ACM Conference on Computer and Communications Security, pages 7–17. ACM, 1997. [3] N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures (extended abstract). In Advances in Cryptology - EUROCRYPT 98, volume 1403 of Lecture Notes in Computer Science, pages 591–606. Springer, 1998. [4] N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communication, 18(4):593–610, 2000. [5] F. Bao, G. Wang, J. Zhou, and H. Zhu. Analysis and improvement of Micali’s fair contract signing protocol. In H. Wang, J. Pieprzyk, and V. Varadharajan, editors, Proceedings of 9th Australasian Conference on Information Security and Privacy, ACISP 2004, volume 3108 of Lecture Notes in Computer Science, pages 176–187. Springer, 2004. [6] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73. ACM, 1993. [7] M. Bellare and S. Shoup. Tow-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles. In Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 201–216. Springer, 2007. [8] A. Bender, J. Katz, and R. Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. In S. Halevi and T. Rabin, editors, Proceedings of 3rd IACR Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science, pages 60–79. Springer, 2006. Also at Cryptology ePrint Archive, Report 2005/304, http://eprint.iacr.org/. [9] D. Boneh and X. Boyen. Short signatures without random oracles. In Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer, 2004. [10] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Advances in Cryptology - CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 41–55. Springer, 2004. [11] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 416–432. Springer, 2003. [12] C. Boyd and E. Foo. Off-line fair payment protocols using convertible signatures. In Advances in Cryptology - ASIACRYPT 98, volume 1514 of Lecture Notes in Computer Science, pages 271–285. Springer, 1998.

27

[13] J. Camenisch and I. Damg˚ ard. Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In T. Okamoto, editor, Advances in Cryptology ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 331–345. Springer, 2000. [14] L. Chen, C. Kudla, and K. G. Paterson. Concurrent signatures. In Advances in Cryptology - EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 287–305. Springer, 2004. [15] Y. Dodis, P. J. Lee, and D. H. Yum. Optimistic fair exchange in a multi-user setting. In T. Okamoto and X. Wang, editors, Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 118–133. Springer, 2007. Also at Cryptology ePrint Archive, Report 2007/182, http://eprint.iacr.org/. [16] Y. Dodis and L. Reyzin. Breaking and repairing optimistic fair exchange from PODC 2003. In ACM Workshop on Digital Rights Management, DRM 2003, pages 47–54. ACM, 2003. [17] J. A. Garay, M. Jakobsson, and P. MacKenzie. Abuse-free optimistic contract signing. In Advances in Cryptology - CRYPTO 99, volume 1666 of Lecture Notes in Computer Science, pages 449–466. Springer, 1999. [18] O. Goldreich. Foundations of Cryptography, volume II. Cambridge University Press, 2004. [19] J. Groth. Fully anonymous group signatures without random oracles. In K. Kurosawa, editor, Advances in Cryptology - ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 164–180. Springer, 2007. Also at Cryptology ePrint Archive, Report 2007/186, http://eprint.iacr.org/. [20] J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In N. Smart, editor, Advances in Cryptology - EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, 2008. Also at Cryptology ePrint Archive, Report 2007/155, http://eprint.iacr.org/. [21] Q. Huang, D. S. Wong, J. Li, and Y. Zhao. Generic transformation from weakly to strongly unforgeable signatures. Journal of Computer Science and Technology, 23(2):240–252, March 2008. [22] Q. Huang, D. S. Wong, and Y. Zhao. Generic transformation to strongly unforgeable signatures. In Proceedings of 5th International Conference on Applied Cryptography and Network Security, ACNS 2007, volume 4521 of Lecture Notes in Computer Science, pages 1–17. Springer, 2007. [23] Q. Huang, G. Yang, D. S. Wong, and W. Susilo. Ambiguous optimistic fair exchange. In Advances in Cryptology - ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science, pages 74–89. Springer, 2008. [24] Q. Huang, G. Yang, D. S. Wong, and W. Susilo. Efficient optimistic fair exchange secure in the multi-user setting and chosen-key model without random oracles. In Proceedings of Topics in Cryptology - CT-RSA 2008, volume 4964 of Lecture Notes in Computer Science, pages 106–120. Springer, 2008. [25] M. Jakobsson, K. Sako, and R. Impagliazzo. Designated verifier proofs and their applications. In Advances in Cryptology - EUROCRYPT 96, volume 1070 of Lecture Notes in Computer Science, pages 143 – 154. Springer, 1996. [26] E. Kiltz. Chosen-ciphertext security from tag-based encryption. In S. Halevi and T. Rabin, editors, Proceedings of 3rd IACR Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science, pages 581–600. Springer, 2006. [27] S. Kremer. Formal Analysis of Optimistic Fair Exchange Protocols. PhD thesis, Universit´e Libre de Bruxelles, 2003. [28] M. Liskov and S. Micali. Online-untransferable signatures. In Proceedings of Public Key Cryptography 2008, volume 4939 of Lecture Notes in Computer Science, pages 248–267. Springer, 2008. [29] S. Micali. Simple and fast optimistic protocols for fair electronic exchange. In ACM Symposium on Principles of Distributed Computing, PODC 2003, pages 12–19. ACM, 2003. [30] J. M. Park, E. K. Chong, and H. J. Siegel. Constructing fair-exchange protocols for e-commerce via distributed computation of RSA signatures. In PODC 2003, pages 172–181. ACM, 2003.

28

[31] G. Wang. An abuse-free fair contract signing protocol based on the RSA signature. In Proceedings of 14th International Conference on World Wide Web, WWW 2005, pages 412–421. ACM, 2005. [32] H. Zhu. Constructing optimistic fair exchange protocols from committed signatures. Cryptology ePrint Archive, Report 2005/012, 2003. http://eprint.iacr.org/. [33] H. Zhu and F. Bao. Stand-alone and setup-free verifiably committed signatures. In Proceedings of Topics in Cryptology - CT-RSA 2006, volume 3860 of Lecture Notes in Computer Science, pages 159–173. Springer, 2006. [34] H. Zhu, W. Susilo, and Y. Mu. Multi-party stand-alone and setup-free verifiably committed signatures. In Proceedings of Public Key Cryptography 2007, volume 4450 of Lecture Notes in Computer Science, pages 134–149. Springer, 2007.

A

Review of Some Security Definitions

(Tag-based Public Key Encryption): A tag-based public key encryption scheme E consists of three PPT algorithms, (Kg, Enc, Dec), where Kg takes 1k as input and outputs a key pair (pk, sk), Enc takes as input a public key pk, a tag tag, and a message M , and outputs a ciphertext c, and Dec takes as input a secret key sk, a tag tag and a ciphertext, and outputs M or ⊥ indicating decryption failure. We also write the encryption algorithm as Enc(pk, tag, M ; r) to emphasize that r is used as a random string in the encryption. E is said to be selective-tag weakly CCA secure if there is no PPT adversary A that wins the following game with non-negligible advantage: 1. A selects a challenge tag, tag∗ , and submits it to the challenger; 2. The challenger runs E.Kg(1k ) to generate a key pair, (pk, sk), and gives pk to A. 3. The adversary adaptively issues queries to oracle ODec , which takes as input a ciphertext c and a tag tag, and returns the corresponding message M or ⊥ indicating the decryption failure. 4. A selects two equal-length messages, M0 and M1 , and submits them to the challenger, which then tosses a coin, b, selects a random string r, and returns c∗ = E.Enc(pk, tag∗ , Mb ; r). 5. A continues to issue queries as in Step 2. Finally, it outputs a bit b0 , and wins the game if (a) b0 = b; (b) A didn’t issue a query to ODec on any input (·, tag∗ ). The advantage of A is defined to be AdvT-PKE (k) = |Pr[b0 = b] − 21 |. A (Public Key Signature): A signature scheme S consists of three PPT algorithms, (Kg, Sig, Ver), where Kg takes 1k as input and outputs a key pair (pk, sk), Sig takes as input a secret key sk, a message M , and outputs a signature σ, and Ver takes as input a public key, a signature σ and a message M , and outputs 1 (accept) or 0 (reject). S is said to be weakly existentially unforgeable under chosen-message attacks (or simply, weakly unforgeable) if there is no PPT adversary A that wins the the following game with non-negligible probability: 1. A chooses a list of messages, {M1 , · · · , Mq }, where q a polynomial in the security parameter k, and send the list to the challenger C.

29

2. C runs Kg(1k ) to generate a key pair, (pk, sk), and uses sk to produce signatures σ1 , · · · , σq on M1 , · · · , Mq respectively. It gives pk and {σ1 , · · · , σq } to A. 3. Finally, A outputs (M ∗ , σ ∗ ), and wins the game if (a) S.Ver(pk, σ ∗ , M ∗ ) = 1, and (b) M ∗ 6∈ {M1 , · · · , Mq }. (Strong One-Time Signature): A signature scheme OTS = (Kg, Sig, Ver) is said to be strongly one-time unforgeable if there is no PPT adversary A that wins the following game against challenger C with non-negligible probability: • C generates a one-time key pair (otvk, otsk) ← Kg(1k ), and runs A on input otvk; • A may select a message M of any length, and request a signature on it. C then runs σ ← Sig(otsk, M ) and returns σ to A. A can request for at most one signature; • A outputs a message M ∗ and a signature σ ∗ . It wins the game if 1. Ver(otvk, σ ∗ , M ∗ ) = 1, and 2. (M ∗ , σ ∗ ) = 6 (M, σ) (if A has ever requested a signature σ on a message M ). Strong one-time signature can be constructed from one-way functions [18], and more efficiently from collision-resistant hash function [22], or based on some specific number-theoretic assumption [7]. (Collision-Resistant Hash Functions): H is a family of collision-resistant hash functions H : {0, 1}∗ → Zp if for any (non-uniform) polynomial-time adversary A, h i Pr H ← H; (x, y) ← A(1k , H) : H(x) = H(y) is negligible in security parameter k. In our construction, for convenience, we assume that everyone in the system shares a collision-resistant hash function H, and we omit it from the system parameter. (Non-interactive Zero-Knowledge (NIZK) Proof ): A proof system Π for a language L (with relation RL ) consists of a key generation algorithm Kg, a prover Prv and a verifier Ver. The key generation algorithm produces a common reference string crs. The prover takes as input (crs, x, w) and checks whether (x, w) ∈ RL . If so, it produces a proof π, otherwise it outputs ⊥. The verifier takes as input (crs, x, π) and outputs 1 if the proof is valid, or 0 if it’s invalid. We call (Kg, Prv, Ver) a proof system for L if it satisfies the following conditions. Completeness: For all adversaries A we have that Pr[crs ← Kg(1k ); (x, w) ← A(crs); π ← Prv(crs, x, w) : Ver(crs, x, π) = 1 if (x, w) ∈ RL ] ≈ 1 Soundness: For all adversaries A we have that Pr[crs ← Kg(1k ); (x, π) ← A(crs) : Ver(crs, x, π) = 0 if x 6∈ L] ≈ 1 We call a proof system Π = (Kg, Prv, Ver) an NIZK proof for L if there exists three probabilistic polynomial-time algorithms, (Sim1 , Sim2 ) such that the following conditions are satisfied: Common Reference String Indistinguishability: For all adversaries A, we have Pr[crs ← Kg(1k ) : A(crs) = 1] ≈ Pr[(crs, τS ) ← Sim1 (1k ) : A(crs) = 1] Zero-Knowledge: For all adversaries A we have 0

Pr[crs ← Kg(1k ) : APrv(crs,·,·) (crs) = 1] ≈ Pr[(crs, τS ) ← Sim1 (1k ) : AS (crs,τS ,·,·) (crs) = 1] where S 0 (crs, τS , x, w) = Sim2 (crs, τS , x). 30

Schemes [17] [28] Ours

Ambiguity CPA CPA CCA

Efficiency 1 3 2

Sig. Size Constant Linear Constant

Interactive N Y N

Setup-Free Y N Y

RO Y N N

Ambiguity: the level of non-transferability/ambiguity; Efficiency: order of computational efficiency, where 1 means the scheme is the most efficient one among the three; Sig. Size: signature size, in terms of the number of signature components; Interactive: if the signature generation is interactive; Setup-Free: if a key registration phase is needed between each user and the trusted party; RO: if the security of the scheme relies on the random oracle assumption. Figure 3: Comparison with [17, 28].

31