Breaking and repairing optimistic fair exchange from PODC 2003

Yevgeniy Dodis, Leonid Reyzin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In PODC 2003, Park, Chong, Siegel and Ray proposed an optimistic protocol for fair exchange, based on RSA signatures. We show that their protocol is totally breakable already in the registration phase: the honest-but-curious arbitrator can easily determine the signer's secret key. On a positive note, the authors of informally introduced a connection between fair exchange and "sequential two-party multisignature schemes" (which we call two-signatures), but used an insecure two-signature scheme in their actual construction. Nonetheless, we show that this connection can be properly formalized to imply provably secure fair exchange protocols. By utilizing the state-of-the-art non-interactive two-signature of Boldyreva, we obtain an efficient and provably secure (in the random oracle model) fair exchange protocol, which is based on GDH signatures. Of independent interest, we introduce a unified model for non-interactive fair exchange protocols, which results in a new primitive we call verifiably committed signatures. Verifiably committed signatures generalize (non-interactive) verifiably encrypted signatures and two-signatures, both of which are sufficient for fair exchange.

Original language: English (US)
Title of host publication: DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management
Editors: M. Yung
Pages: 47-54
Number of pages: 8
State: Published - 2003
Event: DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management - Washington, DC, United States
Duration: Oct 27 2003 → Oct 27 2003

Other

Other: DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management
Country: United States
City: Washington, DC
Period: 10/27/03 → 10/27/03

Keywords

  • Digital signatures
  • Fair exchange
  • Multisignatures
  • Verifiably committed signatures
  • Verifiably encrypted signatures

ASJC Scopus subject areas

  • Engineering (all)

Cite this

Dodis, Y., & Reyzin, L. (2003). Breaking and repairing optimistic fair exchange from PODC 2003. In M. Yung (Ed.), DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management (pp. 47-54)

@inproceedings{22d1b735cf79435e958871d7c3f9b858,
title = "Breaking and repairing optimistic fair exchange from PODC 2003",
abstract = "In PODC 2003, Park, Chong, Siegel and Ray proposed an optimistic protocol for fair exchange, based on RSA signatures. We show that their protocol is totally breakable already in the registration phase: the honest-but-curious arbitrator can easily determine the signer's secret key. On a positive note, the authors of informally introduced a connection between fair exchange and {"}sequential two-party multisignature schemes{"} (which we call two-signatures), but used an insecure two-signature scheme in their actual construction. Nonetheless, we show that this connection can be properly formalized to imply provably secure fair exchange protocols. By utilizing the state-of-the-art non-interactive two-signature of Boldyreva, we obtain an efficient and provably secure (in the random oracle model) fair exchange protocol, which is based on GDH signatures. Of independent interest, we introduce a unified model for non-interactive fair exchange protocols, which results in a new primitive we call verifiably committed signatures. Verifiably committed signatures generalize (non-interactive) verifiably encrypted signatures and two-signatures, both of which are sufficient for fair exchange.",
keywords = "Digital signatures, Fair exchange, Multisignatures, Verifiably committed signatures, Verifiably encrypted signatures",
author = "Yevgeniy Dodis and Leonid Reyzin",
year = "2003",
language = "English (US)",
isbn = "1581137869",
pages = "47--54",
editor = "M. Yung",
booktitle = "DRM 2003: Proceedings of the Third ACM Workshop on Digital Rights Management",

}
