Ambiguous Optimistic Fair Exchange - PowerPoint PPT Presentation

Loading...

PPT – Ambiguous Optimistic Fair Exchange PowerPoint presentation | free to view - id: 134491-ZTUxO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Ambiguous Optimistic Fair Exchange

Description:

Propose the notion of 'Ambiguous Optimistic Fair Exchange'; Provide a formal security model; ... Ambiguous OFE. PMGen system parameter generator. SetupTTP ... – PowerPoint PPT presentation

Number of Views:133
Avg rating:3.0/5.0
Slides: 22
Provided by: deaki2
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Ambiguous Optimistic Fair Exchange


1
Ambiguous Optimistic Fair Exchange
  • Qiong Huang
  • Joint work with Guomin Yang, Duncan S. Wong and
    Willy Susilo

2
Fair Exchange
  • Gradual Release of Secret
  • bit by bit
  • Optimistic Fair Exchange
  • Semi-trusted (offline) party
  • Involved only when theres a dispute

3
Optimistic Fair Exchange
  • Asokan-Shoup-Waidner ACM CCS 97

Valid?
Valid?
4
Optimistic Fair Exchange
  • Dodis-Lee-Yum PKC 07
  • Multi-user setting ?single-user setting
  • Huang-Yang-Wong-Susilo CT-RSA 08
  • Multi-user setting chosen-key model

5
Motivation of This Work
  • Alices partial signature reveals her will!
  • Everyone can verify that sP was generated by
    Alice, or
  • Bob can show to anybody that Alice is the signer
    of sP .

6
Motivation of This Work
  • Alice and Bob sign a contract.
  • Given Alices sP , Bob holds the execution and
    turns to Ted for a higher price.
  • Unfair for Alice!

7
Related Work
  • Garay, Jakobsson and MacKenzie. Abuse-free
    Optimistic Contract Signing. Crypto 99.
  • No party can prove to others that hes capable of
    choosing whether to validate or invalidate a
    contract
  • A scheme based on DDH assumption in the random
    oracle model
  • No consideration of multi-user setting

8
Related Work
  • Liskov and Micali. Online-untransferable
    signatures. PKC 08.
  • Enhanced version of DCS
  • A dishonest, online recipient cannot convince
    others the real owner of a signature
  • Complex, interactive signing

9
Our Work
  • Propose the notion of Ambiguous Optimistic Fair
    Exchange
  • Provide a formal security model
  • Propose an efficient scheme
  • w/o random oracles
  • secure under the proposed model

10
Ambiguous OFE
  • PMGen system parameter generator
  • SetupTTP key generation for arbitrator
  • SetupUSER key generation for user
  • Psig, Pver
  • partial signature generation and verification
  • Sig, Ver
  • full signature generation and verification
  • Res resolve a partial signature to full one

11
Ambiguous OFE
  • Each party has a key
  • Resolution Ambiguity
  • Signer Ambiguity
  • Bob is able to produce sP similar with Alices

12
Ambiguous OFE
  • Security against signers
  • Security against verifiers
  • Security against arbitrator

13
Signer Ambiguity
D
  • Weak Signer Ambiguity
  • PK0, PK1 are chosen by the challenger and given
    to D.
  • D can corrupt PK1.

b b?
sPPsig(PM, APK, SKb, PK0, PK1, M)
14
Security Against Verifiers
B
  • Weak Security Against Verifiers
  • PKB is chosen by challenger.
  • B can corrupt it.
  • M, sF, PKB
  • Ver(M, sF, PKA, PKB, APK) 1 ?
  • (M, ., PKA, PKB) ? Query(B, ORes)

15
Theorem
Weak Signer Ambiguity
Weak Security Against Verifiers
Security Against Arbitrator
Similar with the relation between
indistinguishability security and one-way
security of public key encryption
Our proposed construction achieves the strong
versions of the security properties.
16
Building Tools
  • BB short signature
  • q-SDH assumption
  • Kiltz tag-based encryption
  • Selective-tag weakly CCA security
  • DLN assumption
  • Groth-Sahai NI proofs
  • NIWIPK
  • NIZK
  • DLN assumption
  • Strong one-time signature

17
The Scheme
NIWIa e(a, gH(otvk) PKA) e(g,g) ? e(a,
gH(otvk) PKB) e(g,g)
  • Borrow the idea of Groths group signature
    (Asiacrypt 07)
  • partial signature sP
  • (otvk, otsk) a fresh one-time key pair
  • s BB signature on H(otvk)
  • p1 NIWIs was generated by either Alice or
    Bob
  • y encryption of s
  • p2 NIZKCmt in p1 and y contain the same
    message
  • sOT one-time signature on (M, p1, y, p2, PKA,
    PKB)
  • sP (otvk, sOT, p1, y, p2)

18
The Scheme
  • full signature sF (sP, s)
  • resolution
  • Use the extraction key of NIWIPK or the
    decryption key of the encryption scheme to
    recover s

Theorem The proposed A-OFE scheme is secure in
the multi-user setting and chosen-key model
provided that DLN assumption and q-SDH assumption
hold.
19
Comparison
Non-Transfer. Level of non-transferability Effici
ency order of efficiency Interaction
interactive or non-interactive Setup-Free
whether a key registration is needed between the
trusted party and user RO with random oracles or
not
20
Conclusion
  • Proposed the notion of A-OFE
  • Provided a formal security model
  • Proposed an efficient construction in the
    standard model

21
Q A
Thanks!
About PowerShow.com