Abstract
Inspired by Maurer’s universal zero knowledge (UZK) abstract perspective and building on legally fair contract signing protocols without keystones, we propose and analyze the security of the first UZK class of co-signing protocols. We construct our main idea considering the stringent issue of scheme compatibility which characterizes communication systems. Typical examples are the cases of certificates in a public key infrastructure and the general issue of upgrading the version of a system. Thus, working in a general framework may reduce implementation errors and save application development and maintenance time.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
The main issue addressed by zero knowledge proofs (ZKP) is represented by identification schemes (entity authentication). Thus, building on the most important goal that a ZKP can achieve one may find elegant solutions to various problems that arise in different areas: digital cash, auctioning, Internet of Things (IoT), password authentication and so on [1].
A typical zero knowledge protocol involves a prover Peggy which possesses a piece of secret information x associated with her identity and a verifier Victor whose job is to check that Peggy really owns x. Two classical examples of such protocols (proposed for smartcards) are the Schnorr protocol [17] and the Guillou-Quisquater protocol [11]. Working in an abstract framework, Maurer shows in [12] that the previously mentioned protocols are actually instantiations of the same one.
Inspired by Maurer’s generic perspective, we considered of great interest extending the unification paradigm to contract signing protocols. Therefore, we construct our main idea considering the stringent issue of scheme compatibility which characterizes communication systems. Typical examples are the cases of certificates in a public key infrastructure and the general issue of upgrading the version of a system. Thus, working in a general framework may reduce implementation errors and save application development (and maintenance) time.
Various contract signing schemes which fall into three different design categories were proposed during the last decades: gradual release [8,9,10, 14], optimistic [2, 3, 13] and concurrent [4] or legally fair [6] models. A typical co-signing protocol involves two (mutually distrustful) signing partners, Alice and Bob wishing to compute a common function on their private inputs.
Compared to older paradigms like gradual release or optimistic models, concurrent signatures or legally fair protocols do not rely on trusted third parties and do not require too much interaction between co-signers. As such features seem much more attractive for users, we further consider legally fair co-signing protocols (rather than older solutions) in our paper.
To the best of our knowledge, in this work we present the first unified class of legally fair co-signing protocols without keystones and prove its security. Thus, we provide the reader with a common theoretical framework. To be more precise, we propose a class of UZK based co-signing protocols that maintains the valuable propertiesFootnote 1 of the scheme presented in [6].
As digital signature schemes represent the core of modern contract signing protocols, we preserve this perspective and prove the security of our main result building on the unified digital signature scheme we propose in Sect. 3.
Outline. We introduce notations, definitions, schemes and protocols used throughout the paper in Sect. 2. We present a signature scheme inspired by Maurer’s UZK paradigm in Sect. 3 and prove its security in Appendix A. In Sect. 4 we present our main result, namely a UZK based co-signing protocol built on the legally fair contract signing protocol of [6]. We conclude and discuss related open problems in Sect. 5.
2 Preliminaries
Notations. Throughout the paper, the notation |S| denotes the cardinal of a set S. The action of selecting a random element x from a sample space X is denoted by , while \(x \leftarrow y\) represents the assignment of value y to variable x. The probability of the event E to happen is denoted by Pr[E]. The subset \(\{0, \ldots , s\} \in \mathbb N\) is denoted by [0, s]. Let \(h: \{0, 1\}^* \rightarrow \mathcal C\) be a hash function, where \(\mathcal C \subset \mathbb N\).
2.1 Groups
Let \((\mathbb G, \star )\) and \((\mathbb H, \otimes )\) be two groups. We assume that the group operations \(\star \) and \(\otimes \) are efficiently computable. We further consider a more restrictive set of initial conditions compared to [12], in the sense that we also assume that \(\mathbb G\) is commutativeFootnote 2.
Definition 1
(Homomorphism). Let \(f: \mathbb G \rightarrow \mathbb H\) be a function (not necessarily one-to-one). We say that f is a homomorphism if \(f(x \star y) = f(x) \otimes f(y)\).
Throughout the rest of the paper we consider f to be a homomorphism as well as a one-way functionFootnote 3. To be consistent with [12], we denote the value f(x) by [x]. Note that given [x] and [y] we can efficiently compute \([x \star y] = [x] \otimes [y]\), due to the fact that f is a homomorphism. We further denote the set of public parameters by \(\mathsf {pp} = (\mathbb G, \mathbb H, f, h)\).
2.2 Zero-Knowledge Protocols
Let \(Q: \{0,1\}^* \times \{0,1\}^* \rightarrow \{\mathtt {true}, \mathtt {false}\}\) be a predicate. Given a value y, Peggy will try to convince Victor that she knows a value x such that \(Q(y, x) = \mathtt {true}\). We further recall a definition from [5]. This definition captures the notion that being successful in a protocol (P, V) implies having the knowledge of a value x such that \(Q(y, x) = \mathtt {true}\).
Definition 2
(Proof of Knowledge Protocol). An interactive protocol (P, V) is a proof of knowledge protocol for predicate Q if the following properties hold
-
Completeness: V accepts the proof when P has as input an x with \(Q(y,x) = \mathtt {true}\);
-
Soundness: there is an efficient program K (called knowledge extractor) such that for any \(\hat{P}\) (possibly dishonest) with non-negligible probability of making V accept the proof, K can interact with \(\hat{P}\) and output (with overwhelming probability) an x such that \(Q(y,x) = \mathtt {true}\).
Definition 3
(2-Extractable). Let Q be a predicate for a proof of knowledge. A 3-move protocolFootnote 4 with challenge space \(\mathcal C\) is 2-extractable if from any two triplets (r, c, s) and \((r, c', s')\), with distinct \(c, c' \in \mathcal C\) accepted by Victor, one can efficiently compute an x such that \(Q(y, x) = \mathtt {true}\).
According to [12], UZK (Fig. 1) is a zero-knowledge protocol if the conditions from Theorem 1 are satisfied. If the challenge space \(\mathcal C\) is small, then one needs several 3-move rounds to make the soundness error negligible. We further assume that UZK satisfies the conditions stated in Theorem 1.
Theorem 1
If values \(\ell \in \mathbb Z\) and \(u \in \mathbb G\) are known such that \(\gcd (c_0-c_1, \ell ) = 1\) for all \(c_0, c_1 \in \mathcal C\) with \(c_0 \ne c_1\) and \([u] = y^\ell \), then the protocol described in Fig. 1 is 2-extractable. Moreover, a protocol consisting of \(\alpha \) rounds is a proof of knowledge if \(1/|\mathcal {C}|^\alpha \) is negligible, and it is a zero-knowledge protocol if \(|\mathcal {C}|\) is polynomially bounded.
2.3 Signatures
Definition 4
(Signature Scheme). A Signature Scheme consists of three PPT algorithms: \(\mathsf {KeyGen}\), \(\mathsf {Sign}\) and \(\mathsf {Verify}\). The first one takes as input a security parameter and outputs the system’s parameters, the public key and the matching secret key. The secret key together with the \(\mathsf {Sign}\) algorithm are used to generate a signature \(\sigma \) for a message m. Using the public key, the third algorithm verifies that a signature \(\sigma \) for a message m is generated using the matching secret key.
Throughout the paper we only consider signature schemes which, on input m, produce triplets of the form \((\sigma _1, h(m \Vert \sigma _1), \sigma _2)\), independent of previous signatures. In these triplets we consider \(\sigma _2\) as being dependent on m, \(\sigma _1\) and \(h(m \Vert \sigma _1)\). In some cases \(h(m \Vert \sigma _1)\) is easily computable from the available data and, thus, can be omitted.
Lemma 1
(Forking Lemma). Let \(\mathcal A\) be a PPT algorithm, given only the public data as input. If A can find a valid signature \((m, \sigma _1, h(m \Vert \sigma _1), \sigma _2)\) with non-negligible probability, then, also with non-negligible probability, a replay of this machine with a different hashing oracle \(h'\) outputs two valid signatures \((m, \sigma _1, h(m \Vert \sigma _1), \sigma _2)\) and \((m, \sigma _1, h'(m \Vert \sigma _1), \sigma _2')\) such that \(h(m \Vert \sigma _1) \ne h'(m \Vert \sigma _1)\).
Security Model. We further present the security model of [16] for signature schemes.
Definition 5
(Signature Unforgeability - ef-cma). The notion of unforgeability for signatures is defined in terms of the following security game between the adversary \(\mathcal A\) and a challenger:
-
1.
The \(\mathsf {KeyGen}\) algorithm is run and all the public parameters are provided to \(\mathcal A\).
-
2.
\(\mathcal A\) can perform any number of signature queries to the challenger.
-
3.
Finally, \(\mathcal A\) outputs a tuple \((m, \sigma _1, h(m \Vert \sigma _1), \sigma _2)\).
\(\mathcal A\) wins the game if \(\mathsf {Verify}(m, \sigma _1, h(m \Vert \sigma _1), \sigma _2) = \mathsf {True}\) and \(\mathcal A\) did not query the challenger on m. We say that a signature scheme is unforgeable when the success probability of \(\mathcal A\) in this game is negligible.
2.4 Legally Fair Signatures Without Keystones
In [6] the authors present a new contract signing paradigm that does not require keystones to achieve legal fairness. Their provably secure co-signature construction recalled in Fig. 2 is based on Schnorr digital signatures [17].
In Fig. 2, \(\mathcal {L}\) represents a local non-volatile memory used by Bob and \(\mathcal C = [0,q-1]\). During the protocol, Alice makes use of a publicly known auxiliary signature scheme \(\sigma _{x_A}\) using her secret key \(x_A\).
Security Model. According to the analysis presented in [6], a legally fair signature scheme is secure when it achieves existential unforgeability against an active adversary \(\mathcal A\) with access to an unlimited amount of conversations and valid co-signatures, i.e. \(\mathcal A\) can perform the following queries:
-
Hash queries: \(\mathcal A\) can request the value of h(x) for an x of his choosing.
-
Sign queries: \(\mathcal A\) can request a valid signature t for a message m and a public key \(y_C\) of his choosing.
-
CoSign queries: \(\mathcal A\) can request a valid co-signature (r, s) for a message m and a common public key \(y_{C,D}\) of his choosing.
-
Transcript queries: \(\mathcal A\) can request a valid transcript \((m, \rho , r_C, t, r_D, s_C, s_D)\) of the co-signing protocol for a message m of his choosing, between users C and D of his choosing.
-
SKExtract queries: \(\mathcal A\) can request the private key corresponding to a public key.
-
Directory queries: \(\mathcal A\) can request the public key of any user.
The following definition captures the notion of unforgeability in the co-signing context:
Definition 6
(Co-Signature Unforgeability). The notion of unforgeability for co-signatures is defined in terms of the following security game between the adversary \(\mathcal A\) and a challenger:
-
1.
The \(\mathsf {KeyGen}\) algorithm is run and all the public parameters are provided to \(\mathcal A\).
-
2.
\(\mathcal A\) can perform any number of queries to the challenger, as described above.
-
3.
Finally, \(\mathcal A\) outputs a tuple \((m, r, s, y_{C,D})\).
\(\mathcal A\) wins the game if \(\mathsf {Verify}(m, r, s) = \mathsf {True}\) and there exist public keys \(y_C, y_D \in \mathcal D\) such that \(y_{C,D} = y_Cy_D\) and either of the following holds:
-
\(\mathcal A\) did not query SKExtract on \(y_C\) nor on \(y_D\), and did not query CoSign on \((m, y_{C,D})\), and did not query Transcript on \((m, y_C, y_D)\) nor \((m, y_D, y_C)\).
-
\(\mathcal A\) did not query Transcript on \((m, y_C, y_i)\) for any \(y_i \ne y_C\) and did not query SKExtract on \(y_C\), and did not query CoSign on \((m, y_C, y_i)\) for any \(y_i \ne y_C\).
We say that a co-signature scheme is unforgeable when the success probability of \(\mathcal A\) in this game is negligible.
3 A UZK Based Digital Signature Scheme
We describe our proposed UZK based digital signature scheme (further referred to as UDS) in Table 1. We further provide the security margins of our scheme in Sect. 3.2.
3.1 Description
By applying the Fiat-Shamir transform [7] to the UZK protocol in Fig. 1 we obtain the signature scheme presented in Table 1.
3.2 Security Analysis
The proofs presented in [15, 16] do not cover the generic case. Thus, we adapt the initial results to the UDS case and provide the reader with the proof of Theorem 2 in Appendix A.
Theorem 2
If an ef-cma attack on the UDS has non-negligible probability of success in the ROM, then the homomorphism \([\cdot ]\) can be inverted in polynomial time.
4 Main Protocol
We describe our main result (a UZK class of legally fair contract signing protocols) in Fig. 3 and discuss its correctness. We further prove the security of our proposed idea in Sect. 4.2 based on the security of the UDS scheme presented in Sect. 3.
Compared to the initial work on legally fair contract signing protocols without keystones [6], we give a more complete proof by taking into account the signature scheme \(\sigma \) too.
4.1 Description
To illustrate our unified paradigm, we now discuss a legally fair co-signing protocol built from the UDS (Fig. 3), which produces signatures compatible with standard UDS (Table 1). This contract signing protocol is provably secure in the ROM assuming the one-way property of \([\cdot ]\).
Correctness. To prove the correctness of the co-signing schemes class described in Fig. 3 we use the commutative property of \(\mathbb G\) which is preserved by f(x):
4.2 Security Analysis
To prove that the unified co-signature protocol is secure in the ROM we use the following strategy: assuming \(\mathcal A\) is an efficient forger for the co-signature scheme, we turn \(\mathcal A\) into an efficient forger for UDS, then invoke Lemma 1 to prove the existence of an efficient inverter for the homomorphism \([\cdot ]\). We further address two scenarios: when the attacker plays Alice’s role, and when the attacker plays Bob’s.
4.2.1 Adversary Attacks Bob
Theorem 3
If \(\mathcal A_{\text {Alice}}\) plays the role of Alice and is able to forge a co-signature with non-negligible probability, then we can construct an ef-cma attack on the UDS that has non-negligible probability of success.
Proof
The proof consists in constructing a simulator \(\mathcal S_{\text {Bob}}\) that interacts with the adversary and forces it to actually produce a UDS forgery. Here is how this simulator behaves at each step of the protocol.
Key Establishment Phase. \(\mathcal S_{\text {Bob}}\) is given a target public key y. As a simulator, \(\mathcal S_{\text {Bob}}\) emulates not only Bob, but also all oracles and the directory \(\mathcal D\) (see Fig. 4).
To inject a target \(y \leftarrow [x] \) into \(\mathcal {A}\), the simulator \(\mathcal S_{\text {Bob}}\) reads \(y_{\mathcal {A}}\) from \(\mathcal D\) and poses as an entity whose public-key is \(y_{\mathcal S_{\text {Bob}}} \leftarrow y \otimes (y_{\mathcal {A}})^{-1} \). It follows that \(y_{\mathcal {A}, \mathcal S_{\text {Bob}}}\), the common public-key of \(\mathcal {A}\) and \(\mathcal S_{\text {Bob}}\) will be precisely \(y_{\mathcal {A}, \mathcal S_{\text {Bob}}} \leftarrow y_{\mathcal S_{\text {Bob}}} \otimes y_{\mathcal {A}}\) which, by construction, is exactly y.
Then \(\mathcal S_{\text {Bob}}\) activates \(\mathcal A_{\text {Alice}}\), who queries the directory and gets \(y_B\). At this point in time, \(\mathcal A_{\text {Alice}}\) is tricked into believing that she has successfully established a co-signature public-key set \((\mathsf {pp},y)\) with the “co-signer” \(\mathcal S_{\text {Bob}}\).
Query Phase. \(\mathcal A_{\text {Alice}}\) will start to present queries to \(\mathcal S\). Thus, \(\mathcal S\) must respond to three types of queries: hash queries, co-signature queries and transcript queries. \(\mathcal S\) will maintain a table T containing all the hash queries performed throughout the attack. At start \(T \leftarrow \varnothing \). We further describe the simulations of the hash function in Algorithm 1 and the co-signature protocol in Algorithm 2. When \(\mathcal A_{\text {Alice}}\) requests a conversation transcript, \(\mathcal S_{\text {Bob}}\) replies by sending \((m, \rho , r_A, t, r_B, s_B, s_A)\) from a previously successful interaction.
Output Phase. After performing queries, \(\mathcal A_{\text {Alice}}\) eventually outputs a co-signature (r, s) valid for \(y_{\mathcal A, \mathcal S_{\text {Bob}}}\) where \(r = r_A \otimes r_B\) and \(s = s_A \star s_B\). By design, these parameters are those of a UDS and therefore \(\mathcal A_{\text {Alice}}\) has produced a UDS forgery.
To understand \(\mathcal S_{\text {Bob}}\)’s co-signature reply (Algorithm 2), assume that \(\mathcal A_{\text {Alice}}\) is an honest Alice who plays by the protocol’s rules. For such an Alice, (r, s) is a valid signature with respect to the co-signature public-key set \(\{\mathsf {pp},y\}\).
There is a case in which \(\mathcal S_{\text {Bob}}\) aborts the protocol before completion: this happens when it turns out that \(1 \Vert m \Vert r \Vert \text{ Alice }\Vert \text{ Bob }\Vert t\) has been previously queried by \(\mathcal A_{\text {Alice}}\). In that case, it is no longer possible for \(\mathcal S_{\text {Bob}}\) to reprogram the oracle, which is why \(\mathcal S_{\text {Bob}}\) must abort. Since \(\mathcal A_{\text {Alice}}\) does not know the random value \(r_B\), such a bad event would only occur with a negligible probability exactly equal to \(q_h/q\), where \(q_h\) is the number of queries to \(\mathcal O_h\).
Therefore, \(\mathcal A\) is turned into a forger for the SFS with probability \(1-q_h/q\). As \(\mathcal A\) has a success probability \(\epsilon _{succ}\), the success probability of \(\mathcal A\) in the simulated environment is \(\epsilon _{sim} = (1-q_h/q)\epsilon _{succ}\). \(\square \)
Corollary 1
If \(\mathcal A_{\text {Alice}}\) plays the role of Alice and is able to forge a co-signature with non-negligible probability, then the homomorphism \([\cdot ]\) can be inverted in polynomial time.
4.2.2 Adversary Attacks Alice
Theorem 4
If \(\mathcal A_{\text {Bob}}\) plays the role of Bob and is able to forge a co-signature with non-negligible probability, then we can construct an ef-cma attack on the UDS that has non-negligible probability of success if signature \(\sigma _{x_A}\) can be simulated without knowing the secret key \(x_A\).
Proof
Here also the proof consists in constructing a simulator, \(\mathcal S_{\text {Alice}}\), that interacts with the adversary and forces it to actually produce a UDS forgery. The simulator’s behavior at different stages of the security game is as follows.
The Key Establishment Phase. \(\mathcal S_{\text {Alice}}\) is given a target public key y. Again, \(\mathcal S_{\text {Alice}}\) impersonates not only Alice, but also all the oracles and \(\mathcal D\).
\(\mathcal S_{\text {Alice}}\) injects the target y into the game as described in Theorem 3. Now \(\mathcal S_{\text {Alice}}\) activates \(\mathcal A_{\text {Bob}}\), who queries \(\mathcal D\) (actually controlled by \(\mathcal S_{\text {Alice}}\)) to get \(y_A\). \(\mathcal A_{\text {Bob}}\) is thus tricked into believing that it has successfully established a co-signature public-key set \((\mathsf {pp},y)\) with the “co-signer” \(\mathcal S_{\text {Alice}}\).
Query Phase. \(\mathcal A\) will start to present queries to \(\mathcal S\). Thus, \(\mathcal S\) must respond to four types of queries: hash queries, signature queries, co-signature queries and transcript queries. We consider oracles \(\mathcal O_h\) as in Theorem 3. We denote by \(\mathcal O_\sigma \) the simulation of \(\sigma _{x_A}\). We further describe the simulation of the co-signature algorithm in Algorithm 3. When \(\mathcal A_{\text {Alice}}\) requests a conversation transcript, \(\mathcal S_{\text {Bob}}\) replies by sending \((m, \rho , r_A, t, r_B, s_B, s_A)\) from a previously successful interaction.
Output Phase. After performing queries, \(\mathcal A_{\text {Bob}}\) eventually outputs a co-signature (r, s) valid for \(y_{\mathcal S_{\text {Alice}}, \mathcal A_{\text {Bob}}}\) where \(r = r_A \otimes r_B\) and \(s = s_A \star s_B\). By design, these parameters are those of a UDS and therefore \(\mathcal A_{\text {Bob}}\) has produced a UDS forgery.
As in Theorem 3, Algorithm 3 may fail with probability \(q_h/q\). Thus, the success probability of \(\mathcal A\) in the simulated environment is \(\epsilon _{sim} = (1-q_h/q)\epsilon _{succ}\).
\(\square \)
Corollary 2
If \(\mathcal A_{\text {Bob}}\) plays the role of Bob and is able to forge a co-signature with non-negligible probability, then the homomorphism \([\cdot ]\) can be inverted in polynomial time if signature \(\sigma _{x_A}\) can be simulated without knowing the secret key \(x_A\).
5 Conclusion
In this paper we presented a signature scheme inspired by Maurer’s UZK paradigm from [12] and proved its security. We further described our main result, i.e. a UZK class of co-signing protocols based on both Maurer’s abstract perspective and the legally fair framework from [6] and then proved its security.
Open Problems. A couple of interesting related studies could be the analysis of our co-signature protocols’ resistance to SETUP (Secretly Embedded Trapdoor with Universal Protection) attacks and the proposal of suitable countermeasures.
Notes
- 1.
Legal fairness without keystones, guaranteed output delivery.
- 2.
The group \(\mathbb G\) is considered as being generic in [12].
- 3.
Meaning that it is infeasible to compute x from f(x).
- 4.
In which Peggy sends r, Victor sends c, Peggy sends s.
References
Zero-Knowledge Proof: More secure than passwords? https://blog.ingenico.com/posts/2017/07/zero-knowledge-proof-more-secure-than-passwords.html
Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: Proceedings of the 4th ACM Conference on Computer and Communications Security - CCS 1997, pp. 7–17. ACM (1997)
Cachin, C., Camenisch, J.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_6
Chen, L., Kudla, C., Paterson, K.G.: Concurrent signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 287–305. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_18
Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptology 1(2), 77–94 (1988)
Ferradi, H., Géraud, R., Maimuţ, D., Naccache, D., Pointcheval, D.: Legally fair contract signing without keystones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 175–190. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_10
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Garay, J., MacKenzie, P., Prabhakaran, M., Yang, K.: Resource fairness and composability of cryptographic protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 404–428. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_21
Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_6
Gordon, S.D., Hazay, C., Katz, J., Lindell, Y.: Complete fairness in secure two-party computation. J. ACM 58(6), 1–37 (2011)
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_11
Maurer, U.: Unifying zero-knowledge proofs of knowledge. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 272–286. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_17
Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: Proceedings of the 22nd Annual Symposium on Principles of Distributed Computing - PODC 2003, pp. 12–19. ACM (2003)
Pinkas, B.: Fair secure two-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 87–105. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_6
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptology 13(3), 361–396 (2000)
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Proof of Theorem 2
A Proof of Theorem 2
If an attacker \(\mathcal A\) can forge a UDS, then we are able to construct a simulator \(\mathcal S\) that interacts with \(\mathcal A\) and forces it to produce a forgery. By using Lemma 1 we transform \(\mathcal A\) into a homomorphism inverter (i.e. that computes an \(x'\) such that \(y = [x']\)). We further show how \(\mathcal S\) can simulate the three phases necessary to mount the ef-cma attack.
Key Establishment Phase. In this phase \(\mathcal S\) sets up the public key as \(y = [x]\) and then activates \(\mathcal A\) with input y.
Query Phase. \(\mathcal A\) will start to present queries to the \(\mathcal S\). Thus, \(\mathcal S\) must respond to two types of queries: hash and signature queries. We consider oracle \(\mathcal O_h\) as in Theorem 3. We further describe the simulations of the signature scheme in Algorithm 4.
Output Phase. After the query phase, \(\mathcal A\) will eventually produce a forgery (r, s).
When simulating the signing oracle \(\mathcal O_S\) there is a case when \(\mathcal S\) aborts before completion: this happens when \(m\Vert r\) has already been queried by \(\mathcal A\). In this case, \(\mathcal S\) can not reprogram \(\mathcal O_h\), which is why it must abort. Since \(\mathcal A\) does not know the random value r, the previously described event occurs with a negligible probability \(q_h/q\), where \(q_h\) is the number of queries to \(\mathcal O_h\).
Therefore, \(\mathcal A\) is turned into a forger for the UDS with probability \(1-q_h/q\). As \(\mathcal A\) has a success probability \(\epsilon _{succ}\), the success probability of \(\mathcal A\) in the simulated environment is \(\epsilon _{sim} = (1-q_h/q)\epsilon _{succ}\).
Let \(\beta \) be the position of \(m\Vert r\) in T from \(\mathcal O_h\). After \(\mathcal A\) produces a forgery (r, s), \(\mathcal S\) runs \(\mathcal A\) with the same inputs and a different h oracle (Algorithm 5). As before, \(\mathcal S\) will maintain a table \(\tilde{T}\) containing all the h queries performed throughout this phase of the attack. At start \(\tilde{T} \leftarrow \varnothing \). Then, by Lemma 1, \(\mathcal A\) will produce a different forgery \((r,s')\). Thus, we obtain \(c = \mathcal O_h(m\Vert r) \ne \mathcal O_h'(m\Vert r) = c'\). Using the 2-extractable property of UZK, we obtain an \(x'\) such that \(y = [x']\).
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Maimuţ, D., Teşeleanu, G. (2019). A Unified Security Perspective on Legally Fair Contract Signing Protocols. In: Lanet, JL., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2018. Lecture Notes in Computer Science(), vol 11359. Springer, Cham. https://doi.org/10.1007/978-3-030-12942-2_35
Download citation
DOI: https://doi.org/10.1007/978-3-030-12942-2_35
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12941-5
Online ISBN: 978-3-030-12942-2
eBook Packages: Computer ScienceComputer Science (R0)