TY - GEN
T1 - Fairness in concurrent signatures revisited
AU - Susilo, Willy
AU - Au, Man Ho Allen
AU - Wang, Yang
AU - Wong, Duncan S.
PY - 2013/9/26
Y1 - 2013/9/26
N2 - Concurrent signature, introduced by Chen, Kudla and Paterson, is known to just fall short to solve the long standing fair exchange of signature problem without requiring any trusted third party (TTP). The price for not requiring any TTP is that the initial signer is always having some advantage over the matching signer in controlling whether the protocol completes or not, and hence, whether the two ambiguous signatures will bind concurrently to their true signers or not. In this paper, we examine the notion and classify the advantages of the initial signer into three levels, some of which but not all of them may be known in the literature. - Advantage level 0 is the commonly acknowledged fact that concurrent signature is not abuse-free since an initial signer who holds a keystone can always choose to complete or abort a concurrent signature protocol run by deciding whether to release the keystone or not. - Advantage level 1 refers to the fact that the initial signer can convince a third party that both ambiguous signatures are valid without actually making the signatures publicly verifiable. - Advantage level 2 allows the initial signer to convince a third party that the matching signer agrees to commit to a specific message, and nothing else. We stress that advantage level 2 is not about proving the possession of a keystone. Proving the knowledge of a keystone would make the malicious initial signer accountable as this could only be done by the initial signer. We remark that the original security models for concurrent signature do not rule out the aforementioned advantages of the initial signer. Indeed, we show that theoretically, the initial signer always enjoys the above advantages for any concurrent signatures. Our work demonstrates a clear gap between the notion of concurrent signature and optimistic fair exchange (OFE) in which no party enjoys advantage level 1. Furthermore, in a variant known as Ambiguous OFE, no party enjoys advantage level 1 and 2.
AB - Concurrent signature, introduced by Chen, Kudla and Paterson, is known to just fall short to solve the long standing fair exchange of signature problem without requiring any trusted third party (TTP). The price for not requiring any TTP is that the initial signer is always having some advantage over the matching signer in controlling whether the protocol completes or not, and hence, whether the two ambiguous signatures will bind concurrently to their true signers or not. In this paper, we examine the notion and classify the advantages of the initial signer into three levels, some of which but not all of them may be known in the literature. - Advantage level 0 is the commonly acknowledged fact that concurrent signature is not abuse-free since an initial signer who holds a keystone can always choose to complete or abort a concurrent signature protocol run by deciding whether to release the keystone or not. - Advantage level 1 refers to the fact that the initial signer can convince a third party that both ambiguous signatures are valid without actually making the signatures publicly verifiable. - Advantage level 2 allows the initial signer to convince a third party that the matching signer agrees to commit to a specific message, and nothing else. We stress that advantage level 2 is not about proving the possession of a keystone. Proving the knowledge of a keystone would make the malicious initial signer accountable as this could only be done by the initial signer. We remark that the original security models for concurrent signature do not rule out the aforementioned advantages of the initial signer. Indeed, we show that theoretically, the initial signer always enjoys the above advantages for any concurrent signatures. Our work demonstrates a clear gap between the notion of concurrent signature and optimistic fair exchange (OFE) in which no party enjoys advantage level 1. Furthermore, in a variant known as Ambiguous OFE, no party enjoys advantage level 1 and 2.
KW - concurrent signatures
KW - fairness
KW - scenarios
UR - http://www.scopus.com/inward/record.url?scp=84884485538&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-39059-3_22
DO - 10.1007/978-3-642-39059-3_22
M3 - Conference article published in proceeding or book
SN - 9783642390586
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 318
EP - 329
BT - Information Security and Privacy - 18th Australasian Conference, ACISP 2013, Proceedings
T2 - 18th Australasian Conference on Information Security and Privacy, ACISP 2013
Y2 - 1 July 2013 through 3 July 2013
ER -