Further Observations on Optimistic Fair Exchange Protocols in the Multi-user Setting [chapter]

Xinyi Huang, Yi Mu, Willy Susilo, Wei Wu, Yang Xiang
2010 Lecture Notes in Computer Science  
Recent research has shown that the single-user security of optimistic fair exchange cannot guarantee the multi-user security. This paper investigates the conditions under which the security of optimistic fair exchange in the single-user setting is preserved in the multi-user setting. We first introduce and define a property called "Strong Resolution-Ambiguity". Then we prove that in the certified-key model, an optimistic fair exchange protocol is secure in the multi-user setting if it is secure
more » ... in the single-user setting and has the property of strong resolution-ambiguity. Finally we provide a new construction of optimistic fair exchange with strong resolution-ambiguity. The new protocol is setup-free, stand-alone and multi-user secure without random oracles. The signer (say, Alice) first issues a verifiable "partial signature" σ to the verifier (say, Bob). Bob verifies the validity of σ and fulfills his obligation if σ is valid. After that, Alice sends Bob a "full signature" σ to complete the transaction. Thus, if no problem occurs, the arbitrator does not participate in the exchange. However, if Bob does not receive the full signature σ from Alice, Bob can send σ (and the proof of fulfilling his obligation) to the arbitrator, who will convert σ to σ for Bob. An optimistic fair exchange protocol can be setup-driven or setup-free [23] . An optimistic fair exchange protocol is called setup-driven if an initial-key-setup procedure between a signer and the arbitrator is involved. On the other hand, an optimistic fair exchange protocol is called setup-free if the signer does not need to contact the arbitrator, except that the signer can obtain and verify the arbitrator's public key certificate and vice versa. As shown in [10], setup-free is more desirable for the realization of optimistic fair exchange in the multi-user setting. Another notion of optimistic fair exchange is stand-alone [23] , which requires that the full signature be an ordinary signature. Previous Work As one of the fundamental problems in secure electronic transactions and digital rights management, fair exchange has been studied intensively since its introduction. It is known that optimistic fair exchange can be constructed (in a generic way) using "two signatures" construction [11], verifiably encrypted signature [2, 3, 8, 9, 15, 20, 18] , the sequential two-party multisignature (first introduced by Park et al. [17] , and then broken and repaired by Dodis and Reyzin [11]), the OR-proof [10], and conventional signature and ring signature [14] . In the following, we only review some results which are most relevant to this paper. Optimistic Fair Exchange in the Single-user Setting There are three parties involved in an optimistic fair exchange protocol, which are signer(s), verifier(s) and arbitrator(s). Most work about optimistic fair exchange was considered only in the single-user setting, namely there is only one signer. The first formal security model of optimistic fair exchange was proposed in [2, 3] . Dodis and Reyzin [11] defined a more generalized and unified model for non-interactive optimistic fair exchange, by introducing a new cryptographic primitive called verifiably committed signature. In [11] , the security of a verifiably committed signature scheme (equivalently, an optimistic fair exchange protocol) in the single-user setting consists of three aspects: security against the signer, security against the verifier and security against the arbitrator. While the arbitrator is not fully trusted, it is still assumed to be semi-trusted in the sense that the arbitrator will not collude with the signer or the verifier. In the remainder of this paper, an optimistic fair exchange protocol is single-user secure (or, secure in the single-user setting) means that it is secure in the single-user setting defined in [11] . Notice that their definition does not include all security notions of optimistic fair exchange (e.g., abuse-free [12] , non-repudiation [16, 21] , timelytermination [2,3] and signer-ambiguity [13]), but it does not affect the point we
doi:10.1007/978-3-642-13013-7_8 fatcat:rcvt3xpe5zgmhghb6h4qfne7bq