FREE ELECTRONIC LIBRARY - Dissertations, online materials

Pages:   || 2 |

«Three-round Abuse-free Optimistic Contract Signing With Everlasting Secrecy (Short Paper) Xiaofeng Chen1, Fangguo Zhang2, Haibo Tian2, Qianhong ...»

-- [ Page 1 ] --

Three-round Abuse-free Optimistic Contract

Signing With Everlasting Secrecy (Short Paper)

Xiaofeng Chen1, Fangguo Zhang2, Haibo Tian2, Qianhong Wu3,4,

Yi Mu5, Jangseong Kim6, Kwangjo Kim6


Key Laboratory of Computer Networks and Information Security,

Ministry of Education, Xidian University, P.R.China


School of Information Science and Technology, Sun Yat-sen University, P.R.China


Department of Computer Engineering and Mathematics,

UNESCO Chair in Data Privacy, Universitat Rovira i Virgili, Catalonia 4 Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, P.R.China 5 School of Computer Science and Software Engineering, University of Wollongong, Australia 6 Department of Computer Science, KAIST, KOREA Abstract. We introduce the novel notion of Verifiable Encryption of Chameleon Signatures (VECS), and then use it to design a three-round abuse-free optimistic contract signing protocol.

Key words: Verifiable encryption, Chameleon signatures, Contract signing.

1 Introduction Contract signing is an important part of business transactions. Fairness is a basic requirement for contract signing. However, most of the existing contract signing protocols only focus on the fairness while ignoring the privacy of the players. We argue that the privacy of the players is close related to the fairness. For example, if one player or the trusted third party can reap profits at the expense of the other player by intentionally releasing some useful information related to the contract, then the contract signing protocols cannot achieve the true fairness.

Garay et al. [9] first introduced the notion of abuse-free contract signing, which ensures neither party can prove to others that he is capable of choosing whether to validate or invalidate the contract in any stage of the protocol. To illustrate by example, suppose Bob and Carol are two potential competitors who will sign a contract with Alice. If Alice can convince Carol that Bob would like to sign a contract m with her, she may obtain a better contract m from Carol. In this sense, a contract signing protocol without the property of abuse- free cannot ensure the fairness for both parties. However, it seems that all the efficient contract signing [1, 2, 4, 7] based on the state-of-the-art technique of verifiable encryption of digital signatures (VEDS) are not abuse-free since VEDS is universal verifiable.

2 On the other hand, we should consider the misbehavior of the trusted third party in contract signing protocols. Although the third party is (by definition) trusted, it is difficult to find a fully trusted third party in the internet. Asokan et al. [3]and Garay et al. [9] introduced the property of accountability in contract signing, i.e., it can be detected and proven if the third party misbehaved. However, all of the existing contract signing protocols do not consider the following misbehavior of the third party: if the third party can know all the information related a contract such as the contract content and the corresponding signatures of two parties, he may sell this associated commercial secret to an interested party. In this sense, it is unfair for both parties, though the contract signing protocol is fair as defined.

In this paper, we first introduce a novel notion named Verifiable Encryption of Chameleon Signatures (VECS), which can be referred to as a special instance of VEDS. Meanwhile, we use this notion to design an efficient optimistic contract signing protocol, which enjoys the properties of completeness, fairness, abuse-freeness, accountability, and invisibility of the third party. The distinguishing property of our signing protocol is the everlasting secrecy about the contract against the third party. That is, the third party cannot know any useful information of the contract in any stage of the protocol, which prevents him from illegally selling the commercial secret to any interested party. Moreover, our exchange protocol is only three-pass in the normal situation and thus much efficient for practical use.

2 Verifiable Encryption of Chameleon Signatures

2.1 Formal Definition Definition 1. (Verifiable Encryption of Chameleon Signatures) A secure VECS scheme consists of a five tuple (PG, KG, SG, VE, SR).

– System Parameters Generation PG: An efficient probabilistic algorithm that, on input a security parameter k, outputs the system parameters SP.

– Key Generation KG : An efficient algorithm that, on input the system parameters SP, outputs a secret/public key pair (sk, pk) for each user.

– Signature Generation SG: An efficient probabilistic algorithm that, on input a label L, the public key pkV of the verifier V, the secret key skP of the prover P, a message m, and an auxiliary random element r, outputs a signature σ on the chameleon hash value h = Hash(L, m, r, pkV ).

– Verifiable Encryption VE: A non-interactive protocol between the prover P and the verifier V. Let (E, D) be the encryption/decryption algorithm as well as the public/secret key of a secure public key encryption system. Let VP (E, σ, r) denote the output of V when interacting with P on input (E, σ, r).

– Signature Recovery SR: An efficient deterministic algorithm that, on input the decryption algorithm D and the ciphertext VP (E, σ, r), outputs a chameleon signature (σ, r) on message m with respect to the public key pk V.


–  –  –

If c = c, V accepts the fact that C2 is a valid T -verifiable encryption of P ’s chameleon signature on message m.

– Signature Recovery SR: In case of dispute, T can compute σ 2 = K1 /K2 x

–  –  –

3 Secret Abuse-Free Contract Signing

3.1 Security Model Asokan et al. [2] presented a formal security model for fair signature exchange, which is also suitable for contract signing. In the optimistic two-party contract 4 signing, there are two players A and B, and a trusted third party T that acts as a server: it receives a request from a client, updates its internal state and sends a response back to the client. We assume that all participants have secret/public keys which will be specified later.

We assume that communication channels between any two participants are confidential, which means that eavesdroppers will not be able to determine the contents of messages in these channels. Moreover, we assume that the communication channel between any player and T is resilient. The resilient channel assumption leads to an asynchronous communication model without global clocks, where messages can be delayed arbitrarily but with finite amount of time.

Since the misbehavior of dishonest participants could lead to a loss of fairness, we consider the possible misbehavior of the participants in the contract signing.

Firstly, although T is by definition trusted, T may collude with one party to weaken the fairness, or gain some benefits by selling the commercial secret of the contract. Therefore, T must be accountable for his dishonest actions, i.e., it can be detected and proven if T misbehaves. Secondly, A or B may reap benefits at the expense of the other party. The abuse-freeness contract signing protocol can only partially solve this problem. For example, a dishonest A can execute the Abort protocol after correctly executing the Exchange protocol with B [10]. As a result, B obtains A’s signature while A obtains B’s signature and the abort-token. Trivially, the output of the protocol violates the original definition of fairness. This means that Asokan et al.’s security model is not perfect. The reason is that it does not consider the misbehavior of A and B. Therefore, we should define the accountability of A and B, i.e., it can be detected and proven if A and B misbehaves. Moreover, It can be a part of the agreed contract content for how to punish the dishonest party.

The security properties of contract signing are defined in term of completeness, fairness, abuse-freeness, accountability, T invisibility [2, 9]. Besides, we dene a new property named T secrecy. We argue that a contract and the corresponding signatures of two players should be a commercial secret and T cannot reveal it to outsiders for some benefits in any stage of the protocol.

– Completeness: It is infeasible for the adversary to prevent honest A and B from successfully obtaining a valid signature (or the non-repudiation token) of each other. The adversary has the signing oracles that can be queried on any message except the contract. The adversary can interact with T, but cannot interfere with the interaction of A and B, except insofar as the adversary still has the power to schedule the messages from A and B to T.

– Fairness: We consider a game between an adversary and an honest party.

Generally, we let the adversary play the role of the corrupt party, who completely controls the network, arbitrarily interacts with T, and arbitrarily delays the honest party’s requests to T. We argue that the misbehavior of the adversary may weaken the fairness. So, if the honest party can provide a proof that the adversary misbehaves, then he has the power to validate or invalidate the contract for the punishment of the adversary. In this sense, the fairness means that it is infeasible for the adversary to obtain the honest 5 party’s signature on a contract, while without allowing the honest party to obtain the adversary’s signature or a proof that the adversary misbehaves.

Abuse-freeness: It is infeasible for one party at any point in the protocol – to be able to prove an outside party that he has the power to terminate (abort) or successfully complete the contract.

Accountability: It can be detected and proven if any participant misbe haves.

T invisibility: It is infeasible to determine whether T has been involved in – the protocol or not.

T secrecy: It is infeasible for T to obtain any useful information about the – contract in any stage of the protocol.

3.2 Our Protocol In this section, we use the proposed VECS to present an efficient abuse-free contract signing protocol. We first give some notations. Let H be a key exposure free chameleon hash function. Denote by Sig(SKX, M ) the signature on message M with the secret key SKX of the party X ∈ {A, B, T }; Denote by OB (E, σA, P KT ) a verifiable encryption of A’s signature σA under T ’s public key P KT. Our abuse-free contract signing protocol has three sub-protocols: Exchange, Abort, and Resolve. In the normal case, only the exchange protocol is executed.

Suppose A and B have agreed on a message M = (m, rA, rB ), where m is a common contract and (rA, rB ) are two random integers. We do not describe this agreement in details here and it may require a number of rounds of communication between A and B through an authenticated channel. Moreover, this agreement should not achieve the non-repudiation property, i.e., neither party should generate any non-repudiation token on the agreed message.

Exchange Protocol

1. A computes the chameleon hash value hA = H(m, rA, P KB ) and the signa ture σA = Sig(SKA, hA ||T ), where || denotes concatenation. A then com putes the ciphertext C = OB (E, σA, P KT ) and sends it to B.

2. If C is invalid, B quits. Otherwise, B computes the signature σB = Sig(SKB, hB ) on the chameleon hash value hB = H(m, rB, P KA ) and then sends σB to A.

3. If σB is invalid, A runs the Abort protocol. Otherwise, A computes the signature σA = Sig(SKA, hA ) and sends it to B. If σA is not valid, B runs the Resolve protocol.

Abort Protocol

1. A computes the signature Sig(SKA, abort||C) on message “abort||C” and then sends (C, Sig(SKA, abort||C)) to T. If the signature is valid and B has not resolved, T issues an abort-token AT = Sig(SKT, Sig(SKA, abort||C)) to A and stores it. The abort token is not a proof that the exchange has been aborted, but a guarantee by T that it has not and will not execute the Resolve protocol.


–  –  –

perform the denial protocol of chameleon signatures. On the other hand, A is not allowed to run the Abort protocol after having received σB. Similarly, A is not allowed to run the Abort protocol after sending σA to B. Moreover, A should never send σA to B unless A has obtained σB successfully. That is, if the case 5, or case 6, or case 9 occurs, it is a proof that A misbehaves. If the case 7 or 8 occurs, then T must be accountable for his misbehavior.

4 Security Analysis of the Contract Signing Protocol Due to the properties of non-repudiation and non-transferability of chameleon signatures, the proposed contract signing protocol satisfies the completeness and abuse-freeness, respectively. Also, as discussed in section 3.3, it is trivial that the proposed contract signing protocol satisfies the accountability. Due to the space consideration, we only focus on the fairness, T invisibility and T secrecy.

Theorem 1. The proposed contract signing protocol satisfies the property of fairness.

Proof. We first prove the fairness for A. Consider an honest A playing against a dishonest B. We say that B wins the game if and only if either B obtains σA ∗ while A does not obtain σB, or B obtains σA while A obtains neither σB nor σˆ. Assume A does not obtain σB, A must run the Abort protocol at some B point after sending C to B and thus B cannot obtain σA. If B does not run the Resolve protocol before A aborted, then both parties obtain the abort-token ∗ AT. Else, B can obtain σA from the T. However, it ensures that A can also obtain σˆ from T. Therefore, the successful probability for B to win the game B is negligible.

We then prove the fairness for B. Consider an honest B playing against a dishonest A. We say that A wins the game if and only if either A obtains σB ∗ while B obtains neither σA nor σA, or A obtains σˆ while B does not obtain B ∗ ∗ σA. Firstly, we argue if A obtains σˆ, then B must obtain σA unless the T is B dishonest. Secondly, assume B does not obtain σA, so B must run the Resolve protocol at some point after sending σB to A. If A does not run the Abort ∗ protocol before B resolved, then B can obtain σA from the T. Else, B can obtain the abort-token AT. However, it is a proof that A misbehaves in the protocol and A must be accountable for this. Therefore, the successful probability for A to win the game is negligible.

Pages:   || 2 |

Similar works:

«GEMEENTEBESTUUR MAASMECHELEN VERGADERING VAN DE GEMEENTERAAD STE 1 Uitnodiging : Mevrouw, Mijnheer, Wij hebben de eer u uit te nodigen om de vergadering van de gemeenteraad van Maasmechelen bij te wonen, die zal plaats hebben in de raadzaal van het Gemeentehuis te Maasmechelen, op dinsdag 2 juli 2013 om 20u00. Commissie 01. Nr.001 Bekrachtiging besluit schepencollege d.d. 17.05.2013 houdende voordracht vertegenwoordiger Raad van Bestuur en afgevaardigde AV Kleine Landeigendom. Bij schrijven van...»

«Sermon #1648 Metropolitan Tabernacle Pulpit 1 PILATE AND OURSELVES GUILTY OF THE SAVIOR’S DEATH NO. 1648 A SERMON DELIVERED ON LORD’S-DAY MORNING, MARCH 5, 1882, BY C. H. SPURGEON, AT THE METROPOLITAN TABERNACLE, NEWINGTON. “When Pilate saw that he could prevail nothing, but that rather a tumult was made, he took water, and washed his hands before the multitude, saying, I am innocent of the blood of this just person: see you to it. Then answered all the people, and said, His blood be on...»

«Městský úřad Litoměřice Odbor životního prostředí Vaše značka: Ze dne: Č. j.: 0070427/12/ŽP/PGr Sp. zn.: 0061155/12/ŽP Dle rozdělovníku Vyřizuje: Ing. Pavel Gryndler Telefon: +420 416 916 179 Fax: +420 416 916 211 E-mail: pavel.gryndler@litomerice.cz Litoměřice 25.10. 2012 ROZHODNUTÍ Městský úřad Litoměřice, odbor životního prostředí, rozhodující jako věcně a místně příslušný orgán podle § 60 zákona č. 449/2001 Sb., o myslivosti (dále jen,,zákon o...»

«Special Volume 3 (2012), pp. 135–142 Angus Graham – Kristian D. Strutt – Morag Hunter – Sarah Jones – Aurélia Masson – Marie Millet – Benjamin Pennington Reconstructing Landscapes and Waterscapes in Thebes, Egypt in Wiebke Bebermeier – Robert Hebenstreit – Elke Kaiser – Jan Krause (eds.), Landscape Archaeology. Proceedings of the International Conference Held in Berlin, 6th – 8th June 2012 Edited by Gerd Graßhoff and Michael Meyer, Excellence Cluster Topoi, Berlin eTopoi...»

«Vascular Permeability to Horseradish Peroxidase in Brainstem Lesions of Thiamine-Deficient Rats Herbert J. Manz, MD and David M. Robertson, MD In the early brainstem lesions of acute dietary thiamine deficiency in rats, an outstanding feature is the occurrence of edema. This study, using horseradish peroxidase as a marker, confirms and extends our previous observations using fluorescent dye-labeled albumin that vascular permeability to proteins remains essentially intact during this phase, and...»

«Bachelor of Arts in English (Honors) Objectives The Department of English offers Bachelor of Arts in English (Honors) program with concentration in English Literature and ELT (English Language Teaching). This program aims at providing modern and extensive education in English language literature and language teaching for preparing graduates equipped with knowledge and skills required for professional success in different sectors. The program also aims at training students In the basic skills of...»

«Data & Knowledge Engineering 63 (2007) 63–75 www.elsevier.com/locate/datak Integration of association rules and ontologies for semantic query expansion a,*, Il-Yeol Song b, Xiaohua Hu b, Robert B. Allen b Min Song a Department of Information Systems, New Jersey Institute of Technology, University Heights, Newark, NJ 07102, USA b College of Information Science and Technology, Drexel University, Philadelphia, PA 19104, USA Received 13 October 2006; received in revised form 13 October 2006;...»

«6º CONGRESSO BRASILEIRO DE ENGENHARIA DE FABRICAÇÃO th 6 BRAZILIAN CONFERENCE ON MANUFACTURING ENGINEERING 11 a 15 de abril de 2011 – Caxias do Sul – RS Brasil th th April 11 to 15, 2011 – Caxias do Sul – RS – Brazil ADDITIVE MANUFACTURING TO BUILD POLYCAPROLACTONE SCAFFOLDS Ana Lívia Chemeli Senedese, ana-livia.senedese@cti.gov.br1,2,3 Arnaldo Luis Lixandrão Filho, arnaldo.filho@cti.gov.br1 Jorge Vicente Lopes da Silva, jorge.silva@cti.gov.br1,3 Paulo Inforçatti Neto,...»

«DISTRIBUTED COMPUTING Securing Elasticity in the Cloud Elastic computing has great potential, but many security challenges remain. Dustin Owens, BT Americas As somewhat of a technology-hype curmudgeon, I was until very recently in the camp that believed cloud computing was not much more than the latest marketing-driven hysteria for an idea that has been around for years. Outsourced IT infrastructure services, aka IaaS (Infrastructure as a Service), has been around since at least the 1980s,...»

«Internet Research On Rhythm Bones October 1999 Steve Wixson 1060 Lower Brow Road Signal Mountain, TN 37377 423/886-1744 wixson@chattanooga.net Introduction This document presents the current state of 'bone playing' and includes the results of a web search using several search engines for 'rhythm bones', 'rattling bones' and 'bone playing'. It is fairly extensive, but obviously not complete. The web addresses are accurate at the time of the search, but they can go out of date quickly. Web...»

«NATHAN N EAGLE The Santa Fe Institute voice: + 1 505 204 6637 1399 Hyde Park Rd., Santa Fe, NM 87501 email: nathan@mit.edu Engineering Social Systems, Machine Intelligence, Appropriate Technology, Large-Scale Research Network Analysis, Mobile Computing, Developmental Entrepreneurship, Prosperity EnInterests gineering Education Massachusetts Institute of Technology, Cambridge, MA 2005 PhD, Media Arts and Sciences, MIT Media Laboratory Dissertation: Machine Perception and Learning of Complex...»

«Advances in Anthropology, 2014, 4, 164-167 Published Online August 2014 in SciRes. http://www.scirp.org/journal/aa http://dx.doi.org/10.4236/aa.2014.43020 Removing the “Hermetic Seal” from the Aquatic Ape Hypothesis: Waterside Hypotheses of Human Evolution Algis V. Kuliukas University of Western Australia, Perth, Australia Email: algis.kuliukas@uwa.edu.au Received 26 April 2014; revised 21 May 2014; accepted 15 June 2014 Copyright © 2014 by author and Scientific Research Publishing Inc....»

<<  HOME   |    CONTACTS
2016 www.dissertation.xlibx.info - Dissertations, online materials

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.