![Page 1: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/1.jpg)
Fair Exchange of Short Signatureswithout Trusted Third Party
Philippe Camacho University of Chile
![Page 2: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/2.jpg)
Digital Goods Economy
![Page 3: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/3.jpg)
Enforcing Secure Transactions through a Trusted Third Party (TTP)
![Page 4: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/4.jpg)
Problems with TTP
![Page 5: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/5.jpg)
Problems with TTP
![Page 6: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/6.jpg)
Fair Exchange in the Physical World is “easy”
Buyer
SellerWitness
WitnessWitness
Physical proximity provides a high incentive to behave correctly.
More precautions need to be taken in the digital world.
![Page 7: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/7.jpg)
Modeling Transactions with Digital Signatures
BuyerSeller
Digital Check
Software License
The problem: Who starts first?Impossibility Result [Cleve86]
![Page 8: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/8.jpg)
Gradual Release of a Secret
1001 0111
Bob’s signature Alice’s signature
1
0
0
1
0
1
1
1
Allows to circumvent Cleve’s impossibility result (relaxed security definition).
How do I know that the bit I received is not garbage?
![Page 9: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/9.jpg)
Our Construction
• Fair Exchange of Digital Signatures
• Boneh-Boyen [BB04] Short Signatures
• No TTP
• Practical
![Page 10: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/10.jpg)
Contributions
• Formal definition of Partial Fairness
• Efficiency
• First protocol for Boneh-Boyen signatures
: Security Parameter# Rounds 161Communication bits 52 kB
# Crypto operations per participant
![Page 11: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/11.jpg)
Contributions
• NIZK argument to prove that a commitment encodes a bit vector.
• NIZK argument to prove a commitment to a bit vector is the binary expansion of the discrete logarithm of .
![Page 12: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/12.jpg)
Commitments
secret
Commitment
secret =+
I will try to open the box with
another value.
I will try to know what is in the box
before I get the key.
1
2
3secret
The secret is revealed.
![Page 13: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/13.jpg)
Non-InteractiveZero-Knowledge Proofs
0 𝜋,
I want to fool Alice: Make she believe that the value in the box is binary while it is not (e.g: 15).
I want to know exactly what is in the box (not only that the secret is a bit).
= Yes / No+0 𝜋
1
2
Prove something about the secret in the box without opening the box.
![Page 14: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/14.jpg)
Abstract Protocol
Release Bits
KeyGen
Encrypt Signature
Verify Encrypted Signature
Setup
Recover Signature
![Page 15: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/15.jpg)
Partial Fairness
𝑚𝐴 ,𝑚𝐵 ,𝑝𝑘𝐴 (𝑠𝑘𝐵 ,𝑝𝑘𝐵)
𝑂𝑆𝑖𝑔𝑛 (𝑠𝑘𝐵 , ⋅ )
𝜎𝐵on𝑚𝐴
Bet according to partially released secret𝜎 𝐴on𝑚𝐵
Not queried to signing oracle
![Page 16: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/16.jpg)
ProtocolSignature
1 0 110 0
35=(100011 )2 Encrypted Signature=+1
2
3 𝜋 1 Each small box contains a bit.
𝜋 2The sequence of small boxes is the binary expansionof the secret inside the big box.
4 1 0 110 00 00 1 11
5Encrypted Signature + 35=(100011 )2 = Signature
![Page 17: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/17.jpg)
Bilinear maps
• generates
![Page 18: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/18.jpg)
Assumptions
• Given it’s hard to compute• (- Diffie-Hellman Inversion)• (-Bilinear Diffie-Hellman Inversion)• ( ) (-Strong Diffie-Hellman)• for
( Diffie-Hellman Exponent)
![Page 19: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/19.jpg)
Assumptions
• Proposition:
• Our protocol is secure under
![Page 20: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/20.jpg)
Short Signatures w/o Random Oracle [BB04]
1. 2. 3. 4. return
5. 6. return 7. Check that
![Page 21: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/21.jpg)
ProtocolSignature
1 0 110 0
35=(100011 )2 Encrypted Signature=+1
2
3 𝜋 1 Each small box contains a bit.
𝜋 2The sequence of small boxes is the binary expansionof the secret inside the big box.
4 1 0 110 00 00 1 11
5Encrypted Signature + 35=(100011 )2 = Signature
![Page 22: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/22.jpg)
The Encrypted Signature
• Computing
• Checking Given parse pk as
Secret key / “blinding” factor
Boneh-Boyen signature “blinded” by
![Page 23: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/23.jpg)
ProtocolSignature
1 0 110 0
35=(100011 )2 Encrypted Signature=+1
2
3 𝜋 1 Each small box contains a bit.
𝜋 2The sequence of small boxes is the binary expansionof the secret inside the big box.
4 1 0 110 00 00 1 11
5Encrypted Signature + 35=(100011 )2 = Signature
![Page 24: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/24.jpg)
NIZK argument 1
• StatementLet The prover knows such that
• Argument
• such that • Return for each
• Verification
Shift by positions to the right.
Force the product to be computed in the
exponent.
![Page 25: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/25.jpg)
NIZK argument 1
• Theorem:The argument is perfectly complete, computationally sound under the - DHE assumption and perfectly zero-knowledge.
Proof (sketch).
𝐵𝑖
If the adversary breaks the assumption.
![Page 26: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/26.jpg)
ProtocolSignature
1 0 110 0
35=(100011 )2 Encrypted Signature=+1
2
3 𝜋 1 Each small box contains a bit.
𝜋 2The sequence of small boxes is the binary expansionof the secret inside the big box.
4 1 0 110 00 00 1 11
5Encrypted Signature + 35=(100011 )2 = Signature
![Page 27: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/27.jpg)
NIZK argument 2
• We set (security parameter)
• Statement The prover knows and
such that , and
![Page 28: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/28.jpg)
NIZK argument 2
• Verification: Input
• Parse
• Check that
• Check that
𝑟 ’=∑𝑖
𝑟 𝑖
![Page 29: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/29.jpg)
• Theorem:The argument is perfectly complete, computationally sound under the assumption and perfectly zero-knowledge.
NIZK argument 2
![Page 30: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/30.jpg)
ProtocolSignature
1 0 110 0
35=(100011 )2 Encrypted Signature=+1
2
3 𝜋 1 Each small box contains a bit.
𝜋 2The sequence of small boxes is the binary expansionof the secret inside the big box.
4 1 0 110 00 00 1 11
5Encrypted Signature + 35=(100011 )2 = Signature
![Page 31: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/31.jpg)
Recovering the Signature
• All the bits are revealed
• Compute
• We have
• Compute
![Page 32: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/32.jpg)
Proofs of Knowledge
• Discrete logarithm of
• such that
Needed in order to simulate the adversary despite it aborts early.
![Page 33: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/33.jpg)
Simultaneous Hardness of Bits for Discrete Logarithm
𝑙=𝜔( log𝜅)
An adversary cannot distinguish between a random sequence of bitsand the first bits of given .
Holds in the generic group model [Schnorr98]
![Page 34: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/34.jpg)
Conclusion
• Fair exchange protocol for short signatures [BB04] without TTP
• Practical
• Two new NIZK arguments
Thank you!
![Page 35: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/35.jpg)
Partial Fairness
• A randomized protocol for signing contracts [EGL85]
• Gradual release of a secret [BCDB87]• Practically and Provably secure release of a
secret and exchange of signatures [Damgard95]
• Resource Fairness and Composability of Cryptographic protocols [GMPY06] “Time-line”
assumptions,Generic
construction
RSA, Rabin, ElGamal
signatures
Only contract signing
![Page 36: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/36.jpg)
• Theorem:The protocol is partially fair under the and the assumption.
![Page 37: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/37.jpg)
Proof (Sketch)
• Type I• Does not forge values but aborts «early»• => He has to break the signature scheme
• Careful:What happens if A detects he is simulated?
• The simulator will try to break the SHDL assumption• If few bits remain, it does not win, everything is OK!
![Page 38: Fair Exchange of Short Signatures without Trusted Third Party](https://reader035.vdocuments.us/reader035/viewer/2022062514/558e67d91a28ab7c218b4762/html5/thumbnails/38.jpg)
Proof (Sketch)
• Type II
• Forge values • The simulator can extract all values computed by
adversary and break the soundness of the NIZK arguments or binding property of commitment scheme.