# Three-round Abuse-free Optimistic Contract Signing With Everlasting Secrecy (Short Paper)

Xiaofeng Chen¹, Fangguo Zhang², Haibo Tian², Qianhong Wu³,⁴, Yi Mu⁵, Jangseong Kim⁶, Kwangjo Kim⁶

¹ Key Laboratory of Computer Networks and Information Security, Ministry of Education, Xidian University, P.R.China

² School of Information Science and Technology, Sun Yat-sen University, P.R.China

³ Department of Computer Engineering and Mathematics, UNESCO Chair in Data Privacy, Universitat Rovira i Virgili, Catalonia

⁴ Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, P.R.China

⁵ School of Computer Science and Software Engineering, University of Wollongong, Australia

⁶ Department of Computer Science, KAIST, KOREA

Abstract. We introduce the novel notion of Verifiable Encryption of Chameleon Signatures (VECS), and then use it to design a three-round abuse-free optimistic contract signing protocol.

Key words: Verifiable encryption, Chameleon signatures, Contract signing.

1 Introduction

Contract signing is an important part of business transactions. Fairness is a basic requirement for contract signing. However, most of the existing contract signing protocols focus only on fairness while ignoring the privacy of the players. We argue that the privacy of the players is closely related to fairness. For example, if one player or the trusted third party can reap profits at the expense of the other player by intentionally releasing some useful information related to the contract, then the contract signing protocol cannot achieve true fairness.

Garay et al. [9] first introduced the notion of abuse-free contract signing, which ensures that neither party can prove to others that he is capable of choosing whether to validate or invalidate the contract at any stage of the protocol. To illustrate by example, suppose Bob and Carol are two potential competitors who will sign a contract with Alice. If Alice can convince Carol that Bob would like to sign a contract m with her, she may obtain a better contract m from Carol. In this sense, a contract signing protocol without the abuse-freeness property cannot ensure fairness for both parties. However, it seems that all the efficient contract signing protocols [1, 2, 4, 7] based on the state-of-the-art technique of verifiable encryption of digital signatures (VEDS) are not abuse-free, since VEDS is universally verifiable.

On the other hand, we should consider the misbehavior of the trusted third party in contract signing protocols. Although the third party is (by definition) trusted, it is difficult to find a fully trusted third party on the Internet. Asokan et al. [3] and Garay et al. [9] introduced the property of accountability in contract signing, i.e., it can be detected and proven if the third party misbehaved. However, none of the existing contract signing protocols considers the following misbehavior of the third party: if the third party can learn all the information related to a contract, such as the contract content and the corresponding signatures of the two parties, he may sell this commercial secret to an interested party. In this sense, the outcome is unfair for both parties, even though the contract signing protocol is fair as defined.

In this paper, we first introduce a novel notion named Verifiable Encryption of Chameleon Signatures (VECS), which can be regarded as a special instance of VEDS. We then use this notion to design an efficient optimistic contract signing protocol, which enjoys the properties of completeness, fairness, abuse-freeness, accountability, and invisibility of the third party. The distinguishing property of our signing protocol is the everlasting secrecy of the contract against the third party. That is, the third party cannot learn any useful information about the contract at any stage of the protocol, which prevents him from illegally selling the commercial secret to any interested party. Moreover, our exchange protocol is only three-pass in the normal situation and thus very efficient for practical use.

2 Verifiable Encryption of Chameleon Signatures

2.1 Formal Definition

Definition 1. (Verifiable Encryption of Chameleon Signatures) A secure VECS scheme consists of a five-tuple (PG, KG, SG, VE, SR).

– System Parameters Generation PG: An efficient probabilistic algorithm that, on input a security parameter k, outputs the system parameters SP.

– Key Generation KG: An efficient algorithm that, on input the system parameters SP, outputs a secret/public key pair (sk, pk) for each user.

– Signature Generation SG: An efficient probabilistic algorithm that, on input a label L, the public key $pk_V$ of the verifier V, the secret key $sk_P$ of the prover P, a message m, and an auxiliary random element r, outputs a signature σ on the chameleon hash value $h = \mathrm{Hash}(L, m, r, pk_V)$.

– Verifiable Encryption VE: A non-interactive protocol between the prover P and the verifier V. Let (E, D) be the encryption/decryption algorithm as well as the public/secret key of a secure public key encryption system. Let $V_P(E, \sigma, r)$ denote the output of V when interacting with P on input (E, σ, r).

– Signature Recovery SR: An efficient deterministic algorithm that, on input the decryption algorithm D and the ciphertext $V_P(E, \sigma, r)$, outputs a chameleon signature (σ, r) on message m with respect to the public key $pk_V$.


If c = c, V accepts the fact that C2 is a valid T-verifiable encryption of P's chameleon signature on message m.

– Signature Recovery SR: In case of dispute, T can compute σ 2 = K1 /K2 x

3 Secret Abuse-Free Contract Signing

3.1 Security Model

Asokan et al. [2] presented a formal security model for fair signature exchange, which is also suitable for contract signing. In optimistic two-party contract signing, there are two players A and B, and a trusted third party T that acts as a server: it receives a request from a client, updates its internal state and sends a response back to the client. We assume that all participants have secret/public keys, which will be specified later.

We assume that communication channels between any two participants are confidential, which means that eavesdroppers will not be able to determine the contents of messages in these channels. Moreover, we assume that the communication channel between any player and T is resilient. The resilient channel assumption leads to an asynchronous communication model without global clocks, where messages can be delayed arbitrarily but only by a finite amount of time.

Since the misbehavior of dishonest participants could lead to a loss of fairness, we consider the possible misbehavior of the participants in the contract signing.

Firstly, although T is by definition trusted, T may collude with one party to weaken the fairness, or gain some benefit by selling the commercial secret of the contract. Therefore, T must be accountable for his dishonest actions, i.e., it can be detected and proven if T misbehaves. Secondly, A or B may reap benefits at the expense of the other party. An abuse-free contract signing protocol can only partially solve this problem. For example, a dishonest A can execute the Abort protocol after correctly executing the Exchange protocol with B [10]. As a result, B obtains A's signature while A obtains B's signature and the abort-token. Trivially, the output of the protocol violates the original definition of fairness. This means that Asokan et al.'s security model is not perfect. The reason is that it does not consider the misbehavior of A and B. Therefore, we should define the accountability of A and B, i.e., it can be detected and proven if A or B misbehaves. Moreover, how to punish the dishonest party can be made part of the agreed contract content.

The security properties of contract signing are defined in terms of completeness, fairness, abuse-freeness, accountability, and T invisibility [2, 9]. In addition, we define a new property named T secrecy. We argue that a contract and the corresponding signatures of the two players should be a commercial secret, and T must not be able to reveal it to outsiders for some benefit at any stage of the protocol.

– Completeness: It is infeasible for the adversary to prevent honest A and B from successfully obtaining a valid signature (or the non-repudiation token) of each other. The adversary has the signing oracles that can be queried on any message except the contract. The adversary can interact with T, but cannot interfere with the interaction of A and B, except insofar as the adversary still has the power to schedule the messages from A and B to T.

– Fairness: We consider a game between an adversary and an honest party. Generally, we let the adversary play the role of the corrupt party, who completely controls the network, arbitrarily interacts with T, and arbitrarily delays the honest party's requests to T. We argue that the misbehavior of the adversary may weaken the fairness. So, if the honest party can provide a proof that the adversary misbehaves, then he has the power to validate or invalidate the contract as a punishment of the adversary. In this sense, fairness means that it is infeasible for the adversary to obtain the honest party's signature on a contract without allowing the honest party to obtain the adversary's signature or a proof that the adversary misbehaves.

– Abuse-freeness: It is infeasible for one party at any point in the protocol to be able to prove to an outside party that he has the power to terminate (abort) or successfully complete the contract.

– Accountability: It can be detected and proven if any participant misbehaves.

– T invisibility: It is infeasible to determine whether T has been involved in the protocol or not.

– T secrecy: It is infeasible for T to obtain any useful information about the contract in any stage of the protocol.

3.2 Our Protocol

In this section, we use the proposed VECS to present an efficient abuse-free contract signing protocol. We first give some notation. Let H be a key-exposure-free chameleon hash function. Denote by $\mathrm{Sig}(SK_X, M)$ the signature on message M with the secret key $SK_X$ of the party X ∈ {A, B, T}. Denote by $O_B(E, \sigma_A, PK_T)$ a verifiable encryption of A's signature $\sigma_A$ under T's public key $PK_T$. Our abuse-free contract signing protocol has three sub-protocols: Exchange, Abort, and Resolve. In the normal case, only the Exchange protocol is executed.

Suppose A and B have agreed on a message $M = (m, r_A, r_B)$, where m is a common contract and $(r_A, r_B)$ are two random integers. We do not describe this agreement in detail here; it may require a number of rounds of communication between A and B through an authenticated channel. Moreover, this agreement should not achieve the non-repudiation property, i.e., neither party should generate any non-repudiation token on the agreed message.

Exchange Protocol

1. A computes the chameleon hash value $h_A = H(m, r_A, PK_B)$ and the signature $\sigma_A = \mathrm{Sig}(SK_A, h_A \| T)$, where $\|$ denotes concatenation. A then computes the ciphertext $C = O_B(E, \sigma_A, PK_T)$ and sends it to B.

2. If C is invalid, B quits. Otherwise, B computes the signature $\sigma_B = \mathrm{Sig}(SK_B, h_B)$ on the chameleon hash value $h_B = H(m, r_B, PK_A)$ and then sends $\sigma_B$ to A.

3. If $\sigma_B$ is invalid, A runs the Abort protocol. Otherwise, A computes the signature $\sigma_A = \mathrm{Sig}(SK_A, h_A)$ and sends it to B. If $\sigma_A$ is not valid, B runs the Resolve protocol.
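Why B's signature on the chameleon hash in step 2 cannot be shown to an outsider, as an added example that is not code from the paper: A holds the trapdoor for her own public key, so she can open the hash B signed to any other contract text. The toy discrete-log chameleon hash, its parameters and all function names are assumptions standing in for the paper's key-exposure-free H, and the contract strings are constructed.

```python
# Added example: toy discrete-log chameleon hash H(m, r, pk) = G^e(m) * pk^r mod P.
# Assumption: stands in for the paper's key-exposure-free H; far too small for real use.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # constructed: safe prime P = 2Q + 1, G generates the order-Q subgroup

def keygen():
    """Return (trapdoor sk, public key pk = G^sk mod P)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def digest(contract: bytes) -> int:
    """Map the contract text to an exponent in Z_Q."""
    return int.from_bytes(hashlib.sha256(contract).digest(), "big") % Q

def cham_hash(contract: bytes, r: int, pk: int) -> int:
    """Chameleon hash of (contract, r) under the recipient's public key."""
    return (pow(G, digest(contract), P) * pow(pk, r, P)) % P

def collide(contract: bytes, r: int, other: bytes, sk: int) -> int:
    """Trapdoor holder: find r2 with H(other, r2, pk) == H(contract, r, pk).
    Solves e + sk*r = e2 + sk*r2 (mod Q) for r2."""
    return (r + (digest(contract) - digest(other)) * pow(sk, -1, Q)) % Q

def exchange_step2_view():
    """B signs h_B = H(m, r_B, PK_A); A then opens the same h_B to m2."""
    sk_a, pk_a = keygen()
    m, m2 = b"Bob sells 100 units at 10", b"Bob sells 100 units at 1"  # constructed
    r_b = secrets.randbelow(Q)
    h_b = cham_hash(m, r_b, pk_a)              # the value under B's signature
    r_forged = collide(m, r_b, m2, sk_a)       # computed by A alone
    return h_b, cham_hash(m2, r_forged, pk_a)  # equal: sigma_B fits both contracts

if __name__ == "__main__":
    h_real, h_forged = exchange_step2_view()
    print("same hash under sigma_B:", h_real == h_forged)
```

Because both openings hash to the same value, an outsider shown B's signature together with (m, r_B) cannot tell it from an opening A produced herself.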

Abort Protocol

1. A computes the signature $\mathrm{Sig}(SK_A, \text{abort} \| C)$ on the message “abort || C” and then sends $(C, \mathrm{Sig}(SK_A, \text{abort} \| C))$ to T. If the signature is valid and B has not resolved, T issues an abort-token $AT = \mathrm{Sig}(SK_T, \mathrm{Sig}(SK_A, \text{abort} \| C))$ to A and stores it. The abort-token is not a proof that the exchange has been aborted, but a guarantee by T that it has not executed and will not execute the Resolve protocol.


perform the denial protocol of chameleon signatures. On the other hand, A is not allowed to run the Abort protocol after having received $\sigma_B$. Similarly, A is not allowed to run the Abort protocol after sending $\sigma_A$ to B. Moreover, A should never send $\sigma_A$ to B unless A has obtained $\sigma_B$ successfully. That is, if case 5, case 6, or case 9 occurs, it is a proof that A misbehaves. If case 7 or 8 occurs, then T must be accountable for his misbehavior.

4 Security Analysis of the Contract Signing Protocol

Due to the properties of non-repudiation and non-transferability of chameleon signatures, the proposed contract signing protocol satisfies completeness and abuse-freeness, respectively. Also, as discussed in Section 3.3, it is trivial that the proposed contract signing protocol satisfies accountability. Due to space considerations, we focus only on fairness, T invisibility and T secrecy.

**Theorem 1. The proposed contract signing protocol satisfies the property of fairness.**

Proof. We first prove the fairness for A. Consider an honest A playing against a dishonest B. We say that B wins the game if and only if either B obtains $\sigma_A$ while A does not obtain $\sigma_B$, or B obtains $\sigma_A^*$ while A obtains neither $\sigma_B$ nor $\hat{\sigma}_B$. Assume A does not obtain $\sigma_B$; then A must run the Abort protocol at some point after sending C to B, and thus B cannot obtain $\sigma_A$. If B does not run the Resolve protocol before A aborts, then both parties obtain the abort-token AT. Otherwise, B can obtain $\sigma_A^*$ from T. However, this ensures that A can also obtain $\hat{\sigma}_B$ from T. Therefore, the probability that B wins the game is negligible.

We then prove the fairness for B. Consider an honest B playing against a dishonest A. We say that A wins the game if and only if either A obtains $\sigma_B$ while B obtains neither $\sigma_A$ nor $\sigma_A^*$, or A obtains $\hat{\sigma}_B$ while B does not obtain $\sigma_A^*$. Firstly, we argue that if A obtains $\hat{\sigma}_B$, then B must obtain $\sigma_A^*$ unless T is dishonest. Secondly, assume B does not obtain $\sigma_A$, so B must run the Resolve protocol at some point after sending $\sigma_B$ to A. If A does not run the Abort protocol before B resolves, then B can obtain $\sigma_A^*$ from T. Otherwise, B can obtain the abort-token AT. However, this is a proof that A misbehaved in the protocol, and A must be accountable for it. Therefore, the probability that A wins the game is negligible.