How to protect privacy in optimistic fair exchange of digital signatures
How to sign an electronic contract online between two parties (say Alice and Bob) in a fair manner is an interesting problem, and has been extensively studied for a long time. Optimistic Fair Exchange (OFE) is an efficient solution to it, in which a semi-trusted third party, named the arbitrator, is responsible for resolving any dispute that may arise during an exchange between Alice and Bob. Recently, several variants of OFE, such as Ambiguous OFE (AOFE) and Perfect AOFE (PAOFE), have been introduced to protect the privacy of Alice and Bob. These primitives prevent any outsider from telling which parties are involved in an exchange of digital signatures before the exchange completes. However, in PAOFE, AOFE and all the existing works on OFE, the arbitrator can always learn the signer's full signature at (or even before) the end of resolution, which is undesirable in some important applications, for example, signing a contract that the two parties do not want others to find out about, even when there is a dispute that needs resolution by the arbitrator. In this work, we introduce a new notion called Privacy-Preserving Optimistic Fair Exchange (P2OFE) for protecting the privacy of users, in which no one other than Alice and Bob, including the arbitrator, can collect any evidence about an exchange between them even after the resolution of a dispute. We formally define P2OFE, present the corresponding security models, and propose a concrete and efficient construction of P2OFE. We also discuss several extensions concerning implementation. Our scheme is proved secure under the given security models based on the Strong Diffie-Hellman and Decision Linear assumptions, without relying on the random oracle heuristic.