Presentation of the paper "Fair Exchange of Short Signatures without a Trusted Third Party" at CT-RSA 2013. Full version paper at http://eprint.iacr.org/2012/288
6. Fair Exchange in the
Physical World is “easy”
Witness
Witness
Witness
Seller
Physical proximity provides a high incentive
to behave correctly.
Buyer
More precautions need to be taken
in the digital world.
7. Modeling Transactions
with Digital Signatures
The problem: Who starts first?
Impossibility Result [Cleve86]
Software License
Digital Check
Seller
Buyer
8. Gradual Release of a Secret
Bob’s signature Alice’s signature
1
1001 0
0111
Allows to circumvent Cleve’s impossibility result
0
(relaxed security definition).
1
0
1
How do I know that the bit I received
1
is not garbage?
1
9. Our Construction
• Fair Exchange of Digital Signatures
• Boneh-Boyen [BB04] Short Signatures
• No TTP
• Practical
10. Contributions
• Formal definition of Partial Fairness
• Efficiency
# Rounds 161
Communication
# Cryptooperations per
participant
• First protocol for Boneh-Boyen signatures
12. I will try to open I will try to know
Commitments
the box with what is in the box
another value. before I get the
key.
Commitment
secret
1
3
2 + secret
= secret
The secret is revealed.
13. Non-Interactive
Zero-Knowledge Proofs
Prove something about the secret in the box
without opening the box.
I want to fool Alice:
I want to know exactly what is in the box
Make she believe that the value in the
(not only that the secret is a bit).
box is binary while it is not (e.g: 15).
1 0 ,
2
0 + = Yes / No
16. Protocol
Signature Encrypted
1 + = Signature
2 1 0 0 0 1 1
3 Each small box contains a bit.
The sequence of small boxes is the binary expansion
of the secret inside the big box.
4 1 0 0 0 1 1
Encrypted
5 Signature + = Signature
21. Protocol
Signature Encrypted
1 + = Signature
2 1 0 0 0 1 1
3 Each small box contains a bit.
The sequence of small boxes is the binary expansion
of the secret inside the big box.
4 1 0 0 0 1 1
Encrypted
5 Signature + = Signature
23. Protocol
Signature Encrypted
1 + = Signature
2 1 0 0 0 1 1
3 Each small box contains a bit.
The sequence of small boxes is the binary expansion
of the secret inside the big box.
4 1 0 0 0 1 1
Encrypted
5 Signature + = Signature
26. Protocol
Signature Encrypted
1 + = Signature
2 1 0 0 0 1 1
3 Each small box contains a bit.
The sequence of small boxes is the binary expansion
of the secret inside the big box.
4 1 0 0 0 1 1
Encrypted
5 Signature + = Signature
30. Protocol
Signature Encrypted
1 + = Signature
2 1 0 0 0 1 1
3 Each small box contains a bit.
The sequence of small boxes is the binary expansion
of the secret inside the big box.
4 1 0 0 0 1 1
Encrypted
5 Signature + = Signature
32. Proofs of Knowledge
Needed in order to
simulate the adversary
despite it aborts early.
33. Simultaneous Hardness of Bits
for Discrete Logarithm
Holds in the generic group model
[Schnorr98]
34. Conclusion
• Fair exchange protocol for short signatures
[BB04] without TTP
• Practical
• Two new NIZK arguments
35. Partial Fairness Only contract
signing
• A randomized protocol for signing contracts
[EGL85]
• Gradual release of a secret [BCDB87]
• Practically and Provably secure release of a
secret and exchange of signatures RSA, Rabin, ElGam
[Damgard95] al signatures
• Resource Fairness and Composability of
Cryptographic protocols [GMPY06] “Time-line”
assumptions,
Generic
construction
36.
37. Proof (Sketch)
• Type I
• Does not forge values but aborts «early»
• => He has to break the signature scheme
• Careful:
What happens if A detects he is simulated?
• The simulator will try to break the SHDL assumption
• If few bits remain, it does not win, everything is OK!
38. Proof (Sketch)
• Type II
• Forge values
• The simulator can extract all values computed by
adversary and break the soundness of the NIZK
arguments or binding property of commitment
scheme.
Let me startwiththemotivation of thiswork. Itis more and more commontotrade digital goodsonthe web: music, e-books, applicationsor virtual goodsliketheone of farmville.
Obviously as thegoods are made of 0 and 1 itmakessensetotradethemonthe web. Sohow do weensurethatthese can be buyedsecurely? Themostcommonsolutionistorelyon a trustedthirdpartythatwillreceivethepaymentfortheseller and thendelivertheproducttothebuyer. Thissolutionis simple conceptually and thewidelyadopted.
Howeverthe use of TTP has somedrawbacks.Thefirstoneisthatit produces a strong incentive forcorruptedpartiesstealcritical data likepasswords. Despitealltheprecautionsthese TTP maytake, itis quite difficult in practicetoavoidbeinghacked.
Anotherissueraisedbythepresence of TTP isrelatedtoprivacy. Indeedthisintermediary has accesstoallthedetails of thecommercialtransactions and itisnotalwaysclearforusershowthisinformationishandled.So in thisworkweproposetoenablesecurecommercialtransactionbetweentoparticipantswithoutthepresence of a trustedthirdparty. Such a solutionwouldnothavethedrawbacksmentionedbefore and would open a pathtosmoother (?) transactions.
So technicallytheproblemwewanttosolveconsists in exchangingvaluesfairlywhichmeansthateitherbothpartiesobtainwhattheyexpectedornonedoes. Ifwe observe whathappens in thephysicalworldwerealizethattheproblem of fairexchangeissolvedtriviallybecause of theproximity of theparticipants. [CLICK] In thisexample a womanwantstobuyto bread to a man and clearlyifshedoesnotpayorifthesellerdoesnotdeliverthe bread someonewillnotice.[CLICK] So in thephysicalworldthereis a strong incentive to do thingsrightbecause a maliciousparticipantisverylikelyto be caught.[CLICK] As usual things are notthat simple in the digital world. Themainreasonisthatthereis no thisproximityanymore and theidentity of theparticipantsmightnot be known. So weneedtowork more in ordertogetthesamelevel of securitythatwehave in thephysicalworld.
So let’s try tomodel a commercialtransactionusing digital signatures. Thismightnotwork in all cases butclearlyitappliesto a widerange of situations and thusthisishowwewillmodelthesetransactions.In thisexamplethebuyerholds a digital signaturethatrepresents a digital check and thesellerholds a digital signaturethatwillenabletoactivatehis software.
Ifwetolerateone of theparticipantstogetsomeadvantage, a natural idea that comes tomindistoreleasethesecretvalue (in our case a signature) graduallybyrevealingeach bit in alternation[Click] Bob releaseshisfirst bit Alice releasesherfirst bit[Click] Bob releasehissecond bit Alice releasehersecond bit….[Click] So this idea seemstowork in avoidingCleve’simpossibilityresultconsidering of course a weakersecuritydefinition. [Click] Butwestillface a problem as a maliciousparticipant can still lie aboutthe bit itreleases.
So in thisworkwe show howtosolvethisproblemfor a particular signaturescheme, theonebyBoneh and Boyenpresented at Eurocrypt 2004. As alreadymentionedourgoalistoaoidthedependencyon a TTP and as weshallseeourconstructionis quite practical.
Ourfirstcontributionistoprovide a formal definitionforpartialfairnessthatdoesnotrequiretohandletheexact time of execution of theparticipants and avoidtherelatedstrongassumptions (time line)Regardingefficiency, ourprotocolruns in k+1 rounds where k isthesecurityparameter (TYPO) and bothcommunication and time complexity are quite practical.Moreoverourprotocolisthefirst of thesortforBoneh-Boyen signatures.
Finallyweprovide new techniquesforprovingthat a commitmentencodes a bit vector and thatthis bit vector isthebinaryexpansion of someothercommittedvalue.
[Click] In thispresentationcommitmentswill be representedby red boxes thatwhenopenedwithsomekey [Click] revealthevalueinsidethe box thatisturnedto color green [Click].As usual wehavetwoadversaries. [Click ] Bob will try tochangehismindwhenopeningthecommitments and [Click] Alice will try to open the red box beforebeinggiventhekey.
Wewillalso use Non-Interactive Zero-Knowledgearguments, in particular [Click] [Click]toprovethat a commitmentsencodes a bit.[Click] Here Bob will try to produce a fakeargumentfor a commitmentto a non-bit value and ontheotherside [Click] Alice will try toguessthe bit thatis in the box.
Solet’sintrodcetheabstractsyntax of theprotocol. Firstsetup: werequirethe use of a CRS. Bothplayersagreeonthemessagesto be signedKeygen: forthesignatureschemeEncryptSig: VerifySign: checkthattheencryptedsignatureiswellformed and thatdecryptionwill lead totheobtention of thesignaturefortherespectivemessages.
So let’s introduce nowthesecuritydefinition. We use thefollowingexperimentto define whatwecallpartialfairness, as complete fairnessisnotpossiblewithouttrustedthirdparty.[Click] At thebeginningthehonestparticipantwillgeneratehispair of signingkeys[Click] . Theadversarywillaskforsignaturesonmessages of itschoice [Click] Thentheadversarywillchoosetwomessagesm_A, m_Bforwhichthesignatureswill be exchanged. [Click] Obviouslythemessagerelativetothehonestparticipantmustnothavebeenrequestedpreviouslytothesigningoracle.[Click] Thenbothparticipantswillinteractarbitrarily and in particular theadversarymayabortprematurelytheprotocol.[Click] Whentheexchange of messagesstopsthehonestparticipantwill output a tentativesignatureonmessagem_Ausingthe bits theadversary has released. Forexampleiftwo bits remainedto bit releasedthen Bob willchoose at randomone of thefourpossiblecombinationsto complete thesequence of bits and output thecorrespondingsignatureattempt.[Click] Theadversarywillpursueitsowncomputations and output itstentativesignatureonmessagem_B as well.[Click] So wesaythattheprotocolispartiallyfairiftherespectiveprobabilitiesto output a correctsignaturediffers at mostby a polynomial factor.(Justify more therelevance / accuracy of thedefinition?)
OK we are readyto introduce ourprotocol.So wewilldepictitfromthepoint of view of Bob butrecallthat Alice willperform similar operations.[Click] Bob first computes hissignature and then a blinding factor [Click] thatishidden in a commitment. Whencombinedbothvalues lead toanencryptedsignature. [Click] Thisencryptedsignatureiscomplementedby a commitmentto a bit vector thatisthebinaryexpansion of thepreviousblindingvalue [Click].[Click] Thenweneed Bob to compute a NIZK argumentthatproveseachsmall box contains a bit. Thereasonisthatthe idea of gradual realease of a secretisbasedonthefactthatiftheotherparticipantaborts, I can stillperform a bruteforceattackontheremaining bits and these are nottoomany. Butiftheotherunrevealedvalues are not bits thenspaceforthisbruteforceattackwill be toobig and thustheadversarywoudwin.[Click] Thenweneed a secondargumenttoprovethatindeedthesequence of small red boxes correspondtothebinaryexpansion of thevalue in thebig red box. Thisargument can be seen as the bridge betweenthesequence of bits commitments and theblinding factor.[Click] Therestisstraightforward, Bob willsimply open each bit commitment (in alternationwith Alice).[Click] Finally Alice will be abletorecomputetheblinding factor and recoverthesignature.
Well,unsurprisinglywehavebilinearmapsforourprotocolfortheirnicealgebraicproperties and alsobecausetheBoneh-Boyen schemeworksforbilinearmaps as well.
We use q-type (Isitthewayto denote them?) assumptions. Given s a secretweconsiderthe vector g, g^s, g^{s^2} and so one and weassumeitishardto compute g^{1/s} whichisthe q DH assumption.Thebilinearvariant of thisassumptionwewill use isthe q-BilinearAssumption and consists in tryingfortheadversarythevalue e(g,g)^1/s.Thesecurity of theboneh-boyen schemereliesonthe q-SDH assumpitionwhichstatesthatitishardto compute a scalar c and thegroupelement g^{1/(s+c)}. Thesecurity of oursecondargumentalsoneedthisassumption.Finallywe introduce a new assumptioncalledtheq+i DHE assumptionwhichissimplythegeneralization of a previouslyproposedassumption, namelythe q+1 DHE assumption.
Itisnothardtoseethatth q-BDHIimpliestheq+i DHE (type: “-” missing)And ourprotocolissecureunderthe q-SDH assumption and the q-BDHI assumption (thereis a typo!)If 𝑐isfixedthen 𝑞−𝐷𝐻𝐼⇔ 𝑞−𝑆𝐷𝐻Trivial 𝑞−𝐵𝐷𝐻𝐼⇒ 𝑞−𝐷𝐻𝐼
Let’srecallbrieflytheBoneh and Boyen signaturescheme.[Click] Thekeygenerationalgorithm produces thevaluesx,y in Z_p and compute u=g^x and v=g^yThepublickeywill be thepair (u,v) and thesecretkeyisformedbytheexponents x and y.[Click] Tosign a message m, thesignerfirst compute r, therandomness of thesignature and then output g^1{x+m+yr} alongwiththerandomnessitself.[Click] Verifying a signature \\sigma for a message m consists of computing e(sigma_r,ug^mv^r) and checkthatitisequaltothevalue e(g,g). [Click] Thereasonwhytheschemeiscorrectisbecausetheexponents cancel outduetothebilinearity of e.
So nowwe are goingtosee in detailhowtheencryptedsignatureiscomputed.
Firstwechoose a randomblinding factor \\theta in Z_pwhere p istheorder of thegroups. And we compute D=g^thetawhichwill be public.[Click] Thenwe compute thepair (g^{theta/x+m+yr},r) whichis a commonsignaturebutwherethefirstcomponentisraisedtoexponent theta[Click] Given D, \\sigma thepublickey of thesignaturescheme and a message m weverifythattheencryptedsignatureiscorrectbycomputinge(sigma_theta,ug^mv^r) and verifythatitisequalto e(D,g). [Click] As beforethereasonitworksisbecausetheexponents cancel out.
OK, so nowlet’shave a look at thefirstargumentthatprovethatthesequence of commitments (small boxes) encodes a bit vector.
Thisargumentmakes use of thecommonreferencestring CRS whichisthetuple of theassumptionsmentionedbefore.[Click] Thestatementtoproveisthatgiventhesequence of commitments C_1,C_2,…,C_qtheproversknowstherandomnessr_i and a bit valueb_isuch -thatC_i=g^{r_i}g_i^b_i. So herewe can note thateachcommitment in position i correspondstothe i-th bit and thatthe position isidentifiedbythe CRS groupelementg_i. Note alsothattherandomnessforeachcommitmentis placed in position “0”.[Click] Theargumentconsist of computingA_i=g_{q-i}^r_ig_q^{b_i} whichconceptually can be seen as the[Click] commmitmentC_iwhichisshiftedby q-i positions totheright. Thenwewillasktheproverto compute thegroupelementB_i so thatwehavetheequality e(A_i,C_ig_i^-1) = e(B_i,g). The idea hereistoforcetheproverto compute theproductb_i(b_i-1) in theexponentwhichshould be equalto 0 as b_iisexpectedto be a bit. In thenextslidewewillsee more detailaboutthis.[Click] Theargumentwillconsist in thepairs (A_i,B_i) foreach position i[Click] Verifyingtheargumentwill be done bycheckingthatA_iiscomputedbyshifttinhthecommitmentC_iby q-i positions totheright and checkingthatB_isatisfiestherelationinvolvingA_iC_i and g_i^{-1}.
[Click] So hereisthetheoremforthesecurity of ourargument. Thisargumentisperfectly complete, soundundertheq+i DHE assumption and perfectlyzero-knowledge.[Click] Tojustifythesoundness and completeness as welllet’shave a look at theexpressionintroduced in thepreviousslide e(A_i,C_ig_i^{-1}). Ifwerewritethisexpressionweget e(g_{q-i}^{r_i^2}g_q^{r_i(2b_i-1)} multipliedby g_{q+i}^{b_i(b_i-1)},g). So thefirstpartB_i can be computedbytheprover as itknowstherandomnessr_i and thevaluecommitmentb_i.[Click] Ifb_iisnot a bit we can observe thatsomehowtheproverwillhaveto break theq+i DHE assumption in orderto compute B_i.
We are done withthefirstargument, let’shave a look nowtothesecondargumentwhichpurposeisto relate the bit vector commitment and theblindingvalueusedtoencryptthesignature. Obviouslythisstepiscritical as withoutitwetheverifiercannot be sureifthe bit which are released in step 4 willreallyhelptorecoverthesignature.
So firstwe use thesamecommonreferencestring and[Click] we set q to \\kappa whichisthesecurityparameter, thatisthenumber of bits toencode a groupelementoranexponent.[Click] Thestatementtoproveisthattheproverknowstherandomness and thevalueb_icommitted in eachC_ithatthesevaluesformthebinaryexpansion of thediscretelogarithm of thegroupelement D whichisused in theencryptedsignature.
[Click] Theargumentiscomposedbythreevalues: r’ whichis a scalar and togroupelements U and V.[Click] A problemwefaceforcomputingthisargumentisthateachcommitmentisindeed a randomvalue, itis a petersencommitment and thusistotallyindependentfromthevalue D and itsdiscretelogarithm. So whatwehaveto do firstistoremovetherandomness of eachcommitment so thatwe can thensomehow compare the bits inside of eachcommitmentwiththediscretelogarithm of D. Howeverwecannotsimplyrevealtherandomness of eachcommitmentbecauseitwouldgivetotheadversarytomuchinformation and ourprotocolwouldnot be fairanymore. So the idea istomultiplyeachcommitments. Whendoingthatwe can obversethattherandomness of allcommitmentwillaccumulate in the position 0 thatis a theexponent of g. So r’ will be the sum of alltherandomness of eachcommitment. Nowwe can divide theproduct of thecommitmentsby g^{r’} to cancel thisrandomness.Buthow do weknowthattheproverisnotlying?[Click] The idea hereistoseetheproduct of thecommitments as a vector where r’ isthefirstcomponent in position 0, whichisfollowedbythe bits. So nowtheproverwill compute a productthatwillcorrespondtothesamearraybutshiftedbyone position totheleftwhich can be done iftherandomness r’ iscancelled. Nowiftheprover tries to lie he willsomehow be ableto compute theinverse of thesecret $s$ in theexponent. Finallyusingthebilinearmaptheverifier can checkthat r’ isindeedtheaccumulatedrandomness of allthecommitments.[Click] Thenextstepnowistoprovethat U whichrepresentthe bit vector correspondstothebinaryexpansion of theta, whichthediscretelogarithm of D. So whatwe do istocheckthat e(U/D,g)=e(V,g_1g^{-2}) where V iscomputedbytheprover. [Click] The idea istointerpretthe U as thelist of coefficients of somepolynomial P and provethatwhenwe compute P(s)-\\theta in theexponentwe can divide by s-2 whichmeansthat theta isindeedthevaluetakenbythepolynomial P when s=2. And thisiswhatwewantbecausethismeansthatthearray of bits representedby U isthebinaryexpansion of theta. Ifthisrelationshipdoesnotoldthensomehowtheproverwill be ableto divide by s-2 in theexponent and thuswill break the q-SDH assumption.
So tosummarizeoursecondargmentisperfectly complete, perfectlyzero-knowledge and computationallysoundunderthe q-SDH assumption.
We are almost done. As wehaveseenstep 4 consistssimply in openingthe bit commitments in alternation as withtheargumentwe can be surethatthe bit thatwill be revealedgraduallywill lead torecoverthesignature, whichhappens at step 5. Let’sseehowitworks.
Indeeditis quite straightforward. Giventhe bits [Click] werecompute theta andusingtheblindedsignatureweextractthefirstcomponent and [Click] cancel the theta factor.
I willnot show thesecurityproof of theprotocolhowever I willmention a couple of importantpointsrelatedtoit. [Click] Firstweneed a proof of knowledgeforthediscretelogarithm of D [Click] and alsofortherepresentation in base (g,g_i) of eachpedersencommitment. [Click] Thereasonisthatthesimulatorfortheprotocolneedstokeepsimulatingtheadversarydespitethisoneaborts in orderto be ableto break someassumptionrelatedtothecommitments and theirarguments.
Anothertechnicallydifficultyweface in thesecurityproofisrelatedtowhathappenswhenwegraduallyrevealeach bit. Whatcouldhappenisthatforsomereasonsome bits orgroups of are harderto compute thanotherswhichcouldgivetheadversarysomeimportantadvantageifitaborts at therightmoment. So in ordertosolvethisissueweneedto introduce anotherassumptioncalledthe “SimultaneousHardness of Bits forDiscreteLogarithmassumption”.[Click] Thisassumptionstatesthat no adversaryisabletodistinguishbetween a randomsequence of k-l bits and thefirst k-l bits of thediscretelogarithm. So thisfits.[Click] More precisely and formallytheadversarycannotdistinguishbetweenthefirstworldwhereitisgiveng^theta and thefirstk-l bits of theta fromtheworldwherethe bits revealed are random and indepentfromthe bits of theta. And obviously l, thenumber of bits that are notdisclosedmust be largeenough so thattheadversarycannotperform a bruteforceattackthatwouldinvalidatetheassumption.[Click] And finally as shownbySchnorr, thisassumptionholds in thegenericgroupmodel.
We are readytoconclude. Weintroduced a protocoltoexchange in a fairwayboneh boyen signaturewithoutrelying a ontrustedthirdparty. Ourprotocolis quite efficient and as a sideproductweproposedtwo new NIZK argumentsthatmayfindapplications in otherconstructions.[Click] Thankyouverymuchforyourattention!