Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Fair Exchange of Short Signatures   without Trusted Third Party           Philippe Camacho           University of Chile
Digital Goods Economy
Enforcing Secure Transactionsthrough a Trusted Third Party (TTP)
Problems with TTP
Problems with TTP
Fair Exchange in the             Physical World is “easy”Witness                                 Witness Witness          ...
Modeling Transactions        with Digital Signatures           The problem: Who starts first?           Impossibility Resu...
Gradual Release of a Secret               Bob’s signature       Alice’s signature                                 1  1001 ...
Our Construction• Fair Exchange of Digital Signatures• Boneh-Boyen [BB04] Short Signatures• No TTP• Practical
Contributions• Formal definition of Partial Fairness• Efficiency   # Rounds                               161   Communicat...
Contributions
I will try to open                            I will try to know                     Commitments   the box with           ...
Non-Interactive                               Zero-Knowledge Proofs                                      Prove something a...
Abstract Protocol      Setup     KeyGenEncrypt SignatureVerify Encrypted   Signature Release BitsRecover Signature
Partial Fairness                   Bet according to               partially released secret
Protocol    Signature                                      Encrypted1                +                        =        Sig...
Bilinear maps
Assumptions
Assumptions
Short Signatures w/oRandom Oracle [BB04]
Protocol    Signature                                      Encrypted1                +                        =        Sig...
The Encrypted Signature        Secret key / “blinding” factor
Protocol    Signature                                      Encrypted1                +                        =        Sig...
NIZK argument 1
NIZK argument 1
Protocol    Signature                                      Encrypted1                +                        =        Sig...
NIZK argument 2
NIZK argument 2
NIZK argument 2
Protocol    Signature                                      Encrypted1                +                        =        Sig...
Recovering the Signature
Proofs of Knowledge                    Needed in order to                  simulate the adversary                  despite...
Simultaneous Hardness of Bits   for Discrete Logarithm                  Holds in the generic group model                  ...
Conclusion• Fair exchange protocol for short signatures  [BB04] without TTP• Practical• Two new NIZK arguments
Partial Fairness                Only contract                                                  signing• A randomized proto...
Proof (Sketch)• Type I  • Does not forge values but aborts «early»  • => He has to break the signature scheme  • Careful: ...
Proof (Sketch)• Type II  • Forge values  • The simulator can extract all values computed by    adversary and break the sou...
Fair Exchange of Short Signatures without Trusted Third Party
Upcoming SlideShare
Loading in …5
×

Fair Exchange of Short Signatures without Trusted Third Party

Presentation of the paper "Fair Exchange of Short Signatures without a Trusted Third Party" at CT-RSA 2013. Full version paper at http://eprint.iacr.org/2012/288

  • Login to see the comments

  • Be the first to like this

Fair Exchange of Short Signatures without Trusted Third Party

  1. 1. Fair Exchange of Short Signatures without Trusted Third Party Philippe Camacho University of Chile
  2. 2. Digital Goods Economy
  3. 3. Enforcing Secure Transactionsthrough a Trusted Third Party (TTP)
  4. 4. Problems with TTP
  5. 5. Problems with TTP
  6. 6. Fair Exchange in the Physical World is “easy”Witness Witness Witness Seller Physical proximity provides a high incentive to behave correctly.Buyer More precautions need to be taken in the digital world.
  7. 7. Modeling Transactions with Digital Signatures The problem: Who starts first? Impossibility Result [Cleve86] Software License Digital Check SellerBuyer
  8. 8. Gradual Release of a Secret Bob’s signature Alice’s signature 1 1001 0 0111Allows to circumvent Cleve’s impossibility result 0(relaxed security definition). 1 0 1 How do I know that the bit I received 1 is not garbage? 1
  9. 9. Our Construction• Fair Exchange of Digital Signatures• Boneh-Boyen [BB04] Short Signatures• No TTP• Practical
  10. 10. Contributions• Formal definition of Partial Fairness• Efficiency # Rounds 161 Communication # Cryptooperations per participant• First protocol for Boneh-Boyen signatures
  11. 11. Contributions
  12. 12. I will try to open I will try to know Commitments the box with what is in the box another value. before I get the key. Commitment secret 1 3 2 + secret = secret The secret is revealed.
  13. 13. Non-Interactive Zero-Knowledge Proofs Prove something about the secret in the box without opening the box. I want to fool Alice: I want to know exactly what is in the boxMake she believe that the value in the (not only that the secret is a bit). box is binary while it is not (e.g: 15). 1 0 , 2 0 + = Yes / No
  14. 14. Abstract Protocol Setup KeyGenEncrypt SignatureVerify Encrypted Signature Release BitsRecover Signature
  15. 15. Partial Fairness Bet according to partially released secret
  16. 16. Protocol Signature Encrypted1 + = Signature2 1 0 0 0 1 13 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box.4 1 0 0 0 1 1 Encrypted5 Signature + = Signature
  17. 17. Bilinear maps
  18. 18. Assumptions
  19. 19. Assumptions
  20. 20. Short Signatures w/oRandom Oracle [BB04]
  21. 21. Protocol Signature Encrypted1 + = Signature2 1 0 0 0 1 13 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box.4 1 0 0 0 1 1 Encrypted5 Signature + = Signature
  22. 22. The Encrypted Signature Secret key / “blinding” factor
  23. 23. Protocol Signature Encrypted1 + = Signature2 1 0 0 0 1 13 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box.4 1 0 0 0 1 1 Encrypted5 Signature + = Signature
  24. 24. NIZK argument 1
  25. 25. NIZK argument 1
  26. 26. Protocol Signature Encrypted1 + = Signature2 1 0 0 0 1 13 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box.4 1 0 0 0 1 1 Encrypted5 Signature + = Signature
  27. 27. NIZK argument 2
  28. 28. NIZK argument 2
  29. 29. NIZK argument 2
  30. 30. Protocol Signature Encrypted1 + = Signature2 1 0 0 0 1 13 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box.4 1 0 0 0 1 1 Encrypted5 Signature + = Signature
  31. 31. Recovering the Signature
  32. 32. Proofs of Knowledge Needed in order to simulate the adversary despite it aborts early.
  33. 33. Simultaneous Hardness of Bits for Discrete Logarithm Holds in the generic group model [Schnorr98]
  34. 34. Conclusion• Fair exchange protocol for short signatures [BB04] without TTP• Practical• Two new NIZK arguments
  35. 35. Partial Fairness Only contract signing• A randomized protocol for signing contracts [EGL85]• Gradual release of a secret [BCDB87]• Practically and Provably secure release of a secret and exchange of signatures RSA, Rabin, ElGam [Damgard95] al signatures• Resource Fairness and Composability of Cryptographic protocols [GMPY06] “Time-line” assumptions, Generic construction
  36. 36. Proof (Sketch)• Type I • Does not forge values but aborts «early» • => He has to break the signature scheme • Careful: What happens if A detects he is simulated? • The simulator will try to break the SHDL assumption • If few bits remain, it does not win, everything is OK!
  37. 37. Proof (Sketch)• Type II • Forge values • The simulator can extract all values computed by adversary and break the soundness of the NIZK arguments or binding property of commitment scheme.

×