Revisiting security against the arbitrator in optimistic fair exchange
The problem of allowing two parties (say Alice and Bob) to sign an electronic contract online fairly is an interesting one that has been studied for a long time. Optimistic fair exchange (OFE) is an efficient remedy to this problem. It incorporates a semi-trusted third party called the arbitrator, who is called in to resolve a dispute during an exchange between Alice and Bob. It should be noted that the arbitrator is not required to be fully trusted, or else such an entity may not be available in practice. To reduce the trust level of the arbitrator, the requirement that the arbitrator should not be able to produce a full signature without the signer's content has been proposed in the literature. Nevertheless, we observe that the existing OFE models do not capture the realistic situation that the arbitrator itself should not be able to generate a partial signature on a new message. This requirement is essential, since we place only partial trust in the arbitrator, yet on the other hand we also assume that the arbitrator will not commit such a forgery. Therefore, to reflect this situation, we propose an enhanced model of OFE that explicitly captures this requirement. We demonstrate the difference between our enhanced model and the existing chosen-key model through a concrete OFE scheme that serves as a counterexample. Since our model is strictly stronger than the existing model, we investigate the security of the existing schemes in our enhanced model. Interestingly, we show that OFE schemes based on verifiably encrypted signatures and those based on ring signatures can remain secure in our enhanced model given slight modifications to the primitives.