P2OFE: Privacy-Preserving Optimistic Fair Exchange of Digital Signatures
How to sign an electronic contract online between two parties (say Alice and Bob) in a fair manner is an interesting problem, and has been studied for a long time. Optimistic Fair Exchange (OFE) is an efficient solution to this problem, in which a semi-trusted third party named arbitrator is called in to resolve a dispute if there is one during an exchange between Alice and Bob. Recently, several extensions of OFE, such as Ambiguous OFE (AOFE) and Perfect AOFE (PAOFE), have been proposed to protect the privacy of the exchanging parties. These variants prevent any outsider including the arbitrator from telling which parties are involved in the exchange of signatures before the exchange completes. However, in PAOFE, AOFE, and all the current work on OFE, the arbitrator can always learn the signer's signature at (or before) the end of a resolution, which is undesirable in some important applications, for example, signing a contract between two parties which do not wish others to find out even when there is a dispute that needs a resolution by the arbitrator. In this work, we introduce a new notion called Privacy-Preserving Optimistic Fair Exchange (P2OFE), in which other than Alice and Bob, no one else, including the arbitrator, can collect any evidence about an exchange between them even after the resolution of a dispute. We formally define P2OFE and propose a security model. We also propose a concrete and efficient construction of P2OFE, and prove its security based on the Strong Diffie-Helllman and Decision Linear assumptions in the standard model.