TY - GEN
T1 - Breaking and repairing optimistic fair exchange from PODC 2003
AU - Dodis, Yevgeniy
AU - Reyzin, Leonid
PY - 2003
Y1 - 2003
N2 - In PODC 2003, Park, Chong, Siegel and Ray proposed an optimistic protocol for fair exchange, based on RSA signatures. We show that their protocol is totally breakable already in the registration phase: the honest-but-curious arbitrator can easily determine the signer's secret key. On a positive note, the authors of informally introduced a connection between fair exchange and "sequential two-party multisignature schemes" (which we call two-signatures), but used an insecure two-signature scheme in their actual construction. Nonetheless, we show that this connection can be properly formalized to imply provably secure fair exchange protocols. By utilizing the state-of-the-art non-interactive two-signature of Boldyreva, we obtain an efficient and provably secure (in the random oracle model) fair exchange protocol, which is based on GDH signatures. Of independent interest, we introduce a unified model for non-interactive fair exchange protocols, which results in a new primitive we call verifiably committed signatures. Verifiably committed signatures generalize (non-interactive) verifiably encrypted signatures and two-signatures, both of which are sufficient for fair exchange.
AB - In PODC 2003, Park, Chong, Siegel and Ray proposed an optimistic protocol for fair exchange, based on RSA signatures. We show that their protocol is totally breakable already in the registration phase: the honest-but-curious arbitrator can easily determine the signer's secret key. On a positive note, the authors of informally introduced a connection between fair exchange and "sequential two-party multisignature schemes" (which we call two-signatures), but used an insecure two-signature scheme in their actual construction. Nonetheless, we show that this connection can be properly formalized to imply provably secure fair exchange protocols. By utilizing the state-of-the-art non-interactive two-signature of Boldyreva, we obtain an efficient and provably secure (in the random oracle model) fair exchange protocol, which is based on GDH signatures. Of independent interest, we introduce a unified model for non-interactive fair exchange protocols, which results in a new primitive we call verifiably committed signatures. Verifiably committed signatures generalize (non-interactive) verifiably encrypted signatures and two-signatures, both of which are sufficient for fair exchange.
KW - Digital signatures
KW - Fair exchange
KW - Multisignatures
KW - Verifiably committed signatures
KW - Verifiably encrypted signatures
UR - http://www.scopus.com/inward/record.url?scp=4544253137&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=4544253137&partnerID=8YFLogxK
U2 - 10.1145/947380.947387
DO - 10.1145/947380.947387
M3 - Conference contribution
AN - SCOPUS:4544253137
SN - 1581137869
SN - 9781581137866
T3 - DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management
SP - 47
EP - 54
BT - DRM 2003
PB - Association for Computing Machinery (ACM)
T2 - DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management
Y2 - 27 October 2003 through 27 October 2003
ER -