Revisiting optimistic fair exchange based on ring signatures

Optimistic fair exchange (OFE) is a kind of protocol that solves the fair exchange problem with the help of a trusted third party, usually referred to as an arbitrator. Participation of the arbitrator is required only when there is a dispute among the exchanging parties. Thus, the majority of the executions of the exchange does not involve the arbitrator and hence the term optimistic. The passive nature of the arbitrator makes optimistic fair exchange a desirable tool in applications, such as contract signing and electronic commerce. The highest level of security of optimistic fair exchange in the literature is the multiuser security in the chosen-key model, proposed by Huang, Yang, Wong, and Susilo in CT-RSA 2008. They showed that an efficient optimistic fair exchange scheme secure in this sense can be constructed generically from a conventional digital signature and a two-party ring signature. In particular, the underlying ring signature is required to be unforgeable under an adaptive attack, against a static adversary in the 2-user setting. In this paper, we propose a new security model for two-party ring signatures called unforgeability against restricted adaptive attacks and demonstrate that our new model is strictly weaker than the model of unforgeable under an adaptive attack, against a static adversary in the 2-user setting. We make an observation that two-party ring signatures secure in this weaker model will suffice to guarantee the security of the resulting OFE scheme following the aforementioned generic construction. Based on this observation, more efficient OFE schemes secure in the standard model can be constructed. Specifically, we prove that the wellknown Bender, Katz, and Morselli's 2-user ring signature is secure in our weakened model. Based on this two-party ring signature, we construct an OFE secure in the chosen-key model offering multiuser security in the standard model under the computational Diffie-Hellman assumption. The assumption is arguably weaker than those used in all existing constructions, which rely on the random oracle model, decisional assumptions, or the strong Diffie-Hellman assumptions. It is also worth noting that our scheme is the most efficient one in the standard model, and offers comparable efficiency against those secure under the random oracle model.