Doctor of Philosophy
School of Computer Science and Software Engineering
Wang, Yang, Contributions on fair exchange of digital signatures, Doctor of Philosophy thesis, School of Computer Science and Software Engineering, University of Wollongong, 2014. http://ro.uow.edu.au/theses/4012
Fair exchange protocols aim to allow two parties to exchange digital items in a fair manner. Optimistic fair exchange (OFE) is a kind of protocols that solves the fair exchange problem with the help of a trusted third party (TTP), usually referred to as an `arbitrator'. The participation of the arbitrator is only required when there is a dispute between the exchanging parties. In the literature, the highest level of security of optimistic fair exchange is the multi-user security in the chosen-key model, proposed by Huang, Yang, Wong and Susilo in CT-RSA 2008. They showed that an efficient optimistic fair exchange scheme, secure in this sense, can be constructed generically from a conventional signature and a ring signature. In particular, the underlying ring signature is required to be unforgeable under an adaptive attack, against a static adversary in the 2-user setting.
Concurrent signatures, introduced by Chen, Kudla and Paterson in Eurocrypt 2004, allow two parties to produce two ambiguous signatures until an extra piece of information, the keystone, is released by one of the parties. Upon the release of the keystone, the ambiguity will be revoked and the signatures bind to their true signers concurrently. Concurrent signatures, however, are known to fall just short of fully solving the long standing fair exchange of signatures problem. The price for not requiring any TTP is that the party who holds the keystone always has an advantage over the other party in controlling when and whether the protocol completes or not.
In this thesis, the fair exchange of digital signatures problem is studied. In the first part of this thesis, the OFE security is strengthened and a more practical model which is called enhanced chosen-key model is proposed. Unlike the existing multiuser setting and chosen-key model, an adversary in the enhanced chosen-key model is further provided with the signing oracle that outputs full signatures generated by the signer, and may even be allowed to have access to the arbitrator's secret key. The necessity for the new model is demonstrated. It is shown that two existing methodologies for constructing optimistic fair exchange schemes remain valid in the enhanced chosen-key model.
Next, the efficiency of OFE constructions is improved. A model for 2-user ring signatures called `unforgeability against restricted adaptive attacks' is proposed and it is shown that the new ring model is strictly weaker than the model of unforgeability under an adaptive attack, against a static adversary in the 2-user setting. Based on the finding that 2-user ring signatures secure in this weaker model will suffice to guarantee the security of the resulting OFE schemes in the enhanced chosenkey model, the most efficient OFE scheme whose security does not rely on random oracles is proposed.
New situations in OFE are also investigated, and the applications of OFE are extended. The scenarios where the digital items to be exchanged are threshold signatures are considered, and the notion of threshold-oriented OFE (TOFE) together with a security model and an efficient concrete scheme is proposed. It is identified that in some scenarios, it is required that prior to the completion of the protocol, no information about the actual exchange should be revealed to an outsider. To achieve this purpose, the notion of perfect ambiguous optimistic fair exchange (PAOFE) is introduced, the security model for PAOFE is proposed and a generic construction based on existing primitives is offered. OFE in the attribute-based setting is considered and the notion of attribute-based optimistic fair exchange (ABOFE) is proposed. The security model and a construction for ABOFE are presented as well.
Finally, concurrent signatures is revisited. It is showed that theoretically the party who controls the keystone in a concurrent signature scheme has more advantages than previously thought. In particular, the notion is examined and the advantages are classified into three levels.It is demonstrated that concurrent signatures may be abused in practical applications if one fails to take these advantages into account.