Fair Exchange of Short Signatures without Trusted Third Party

•

1 like•712 views

Presentation of the paper "Fair Exchange of Short Signatures without a Trusted Third Party" at CT-RSA 2013. Full version paper at http://eprint.iacr.org/2012/288

Fair Exchange of Short Signatures
without Trusted Third Party
Philippe Camacho
University of Chile

Enforcing Secure Transactions
through a Trusted Third Party (TTP)

Fair Exchange in the
Physical World is “easy”
Witness
Witness

Witness
Seller

Physical proximity provides a high incentive
to behave correctly.
Buyer

More precautions need to be taken
in the digital world.

Modeling Transactions
with Digital Signatures
The problem: Who starts first?
Impossibility Result [Cleve86]

Software License

Digital Check

Seller
Buyer

Gradual Release of a Secret

Bob’s signature Alice’s signature

1

1001 0
0111

Allows to circumvent Cleve’s impossibility result
0
(relaxed security definition).
1

0

1
How do I know that the bit I received
1
is not garbage?
1

Our Construction
• Fair Exchange of Digital Signatures

• Boneh-Boyen [BB04] Short Signatures

• No TTP

• Practical

Contributions
• Formal definition of Partial Fairness

• Efficiency

# Rounds 161
Communication
# Cryptooperations per
participant

• First protocol for Boneh-Boyen signatures

I will try to open I will try to know

Commitments
the box with what is in the box
another value. before I get the
key.

Commitment

secret

1
3
2 + secret
= secret

The secret is revealed.

Non-Interactive
Zero-Knowledge Proofs
Prove something about the secret in the box
without opening the box.

I want to fool Alice:
I want to know exactly what is in the box
Make she believe that the value in the
(not only that the secret is a bit).
box is binary while it is not (e.g: 15).

1 0 ,
2

0 + = Yes / No

Abstract Protocol
Setup

KeyGen

Encrypt Signature

Verify Encrypted
Signature

Release Bits

Recover Signature

Partial Fairness

Bet according to
partially released secret

Protocol
Signature Encrypted
1 + = Signature

2 1 0 0 0 1 1

3 Each small box contains a bit.

The sequence of small boxes is the binary expansion
of the secret inside the big box.

4 1 0 0 0 1 1

Encrypted
5 Signature + = Signature

Short Signatures w/o
Random Oracle [BB04]

The Encrypted Signature

Secret key / “blinding” factor

Proofs of Knowledge

Needed in order to
simulate the adversary
despite it aborts early.

Simultaneous Hardness of Bits
for Discrete Logarithm
Holds in the generic group model
[Schnorr98]

Conclusion
• Fair exchange protocol for short signatures
[BB04] without TTP

• Practical

• Two new NIZK arguments

Partial Fairness Only contract
signing

• A randomized protocol for signing contracts
[EGL85]
• Gradual release of a secret [BCDB87]
• Practically and Provably secure release of a
secret and exchange of signatures RSA, Rabin, ElGam
[Damgard95] al signatures

• Resource Fairness and Composability of
Cryptographic protocols [GMPY06] “Time-line”
assumptions,
Generic
construction

Proof (Sketch)
• Type I
• Does not forge values but aborts «early»
• => He has to break the signature scheme

• Careful:
What happens if A detects he is simulated?
• The simulator will try to break the SHDL assumption
• If few bits remain, it does not win, everything is OK!

Proof (Sketch)

• Type II

• Forge values

• The simulator can extract all values computed by
adversary and break the soundness of the NIZK
arguments or binding property of commitment
scheme.

More from Philippe Camacho, Ph.D.

No más Madoff: Satoshi al rescatePhilippe Camacho, Ph.D.

Protocols for Provable SolvencyPhilippe Camacho, Ph.D.

Más allá del dinero: BitcoinPhilippe Camacho, Ph.D.

Introducción a BitcoinPhilippe Camacho, Ph.D.

How to explain bitcoin to your motherPhilippe Camacho, Ph.D.

Predicate-Preserving Collision-Resistant HashingPhilippe Camacho, Ph.D.

CuidatusbitcoinsPhilippe Camacho, Ph.D.

Foaf+sslPhilippe Camacho, Ph.D.

Agilidad al rescatePhilippe Camacho, Ph.D.

XPDay2009: NameactionPhilippe Camacho, Ph.D.

On the Impossibility of Batch Update for Cryptographic AccumulatorsPhilippe Camacho, Ph.D.

Short Transitive Signatures For Directed TreesPhilippe Camacho, Ph.D.

Strong Accumulators From Collision-Resistant HashingPhilippe Camacho, Ph.D.

Security of DNSPhilippe Camacho, Ph.D.

Agile daychile2010Philippe Camacho, Ph.D.

Agiles2010Philippe Camacho, Ph.D.

More from Philippe Camacho, Ph.D. (16)

No más Madoff: Satoshi al rescate

Protocols for Provable Solvency

Más allá del dinero: Bitcoin

Introducción a Bitcoin

How to explain bitcoin to your mother

Predicate-Preserving Collision-Resistant Hashing

Cuidatusbitcoins

Foaf+ssl

Agilidad al rescate

XPDay2009: Nameaction

On the Impossibility of Batch Update for Cryptographic Accumulators

Short Transitive Signatures For Directed Trees

Strong Accumulators From Collision-Resistant Hashing

Security of DNS

Agile daychile2010

Agiles2010

Fair Exchange of Short Signatures without Trusted Third Party

1. Fair Exchange of Short Signatures without Trusted Third Party Philippe Camacho University of Chile

2. Digital Goods Economy

3. Enforcing Secure Transactions through a Trusted Third Party (TTP)

4. Problems with TTP

5. Problems with TTP

6. Fair Exchange in the Physical World is “easy” Witness Witness Witness Seller Physical proximity provides a high incentive to behave correctly. Buyer More precautions need to be taken in the digital world.

7. Modeling Transactions with Digital Signatures The problem: Who starts first? Impossibility Result [Cleve86] Software License Digital Check Seller Buyer

8. Gradual Release of a Secret Bob’s signature Alice’s signature 1 1001 0 0111 Allows to circumvent Cleve’s impossibility result 0 (relaxed security definition). 1 0 1 How do I know that the bit I received 1 is not garbage? 1

9. Our Construction • Fair Exchange of Digital Signatures • Boneh-Boyen [BB04] Short Signatures • No TTP • Practical

10. Contributions • Formal definition of Partial Fairness • Efficiency # Rounds 161 Communication # Cryptooperations per participant • First protocol for Boneh-Boyen signatures

11. Contributions

12. I will try to open I will try to know Commitments the box with what is in the box another value. before I get the key. Commitment secret 1 3 2 + secret = secret The secret is revealed.

13. Non-Interactive Zero-Knowledge Proofs Prove something about the secret in the box without opening the box. I want to fool Alice: I want to know exactly what is in the box Make she believe that the value in the (not only that the secret is a bit). box is binary while it is not (e.g: 15). 1 0 , 2 0 + = Yes / No

14. Abstract Protocol Setup KeyGen Encrypt Signature Verify Encrypted Signature Release Bits Recover Signature

15. Partial Fairness Bet according to partially released secret

16. Protocol Signature Encrypted 1 + = Signature 2 1 0 0 0 1 1 3 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box. 4 1 0 0 0 1 1 Encrypted 5 Signature + = Signature

17. Bilinear maps

18. Assumptions

19. Assumptions

20. Short Signatures w/o Random Oracle [BB04]

21. Protocol Signature Encrypted 1 + = Signature 2 1 0 0 0 1 1 3 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box. 4 1 0 0 0 1 1 Encrypted 5 Signature + = Signature

22. The Encrypted Signature Secret key / “blinding” factor

23. Protocol Signature Encrypted 1 + = Signature 2 1 0 0 0 1 1 3 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box. 4 1 0 0 0 1 1 Encrypted 5 Signature + = Signature

24. NIZK argument 1

25. NIZK argument 1

26. Protocol Signature Encrypted 1 + = Signature 2 1 0 0 0 1 1 3 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box. 4 1 0 0 0 1 1 Encrypted 5 Signature + = Signature

27. NIZK argument 2

28. NIZK argument 2

29. NIZK argument 2

30. Protocol Signature Encrypted 1 + = Signature 2 1 0 0 0 1 1 3 Each small box contains a bit. The sequence of small boxes is the binary expansion of the secret inside the big box. 4 1 0 0 0 1 1 Encrypted 5 Signature + = Signature

31. Recovering the Signature

32. Proofs of Knowledge Needed in order to simulate the adversary despite it aborts early.

33. Simultaneous Hardness of Bits for Discrete Logarithm Holds in the generic group model [Schnorr98]

34. Conclusion • Fair exchange protocol for short signatures [BB04] without TTP • Practical • Two new NIZK arguments

35. Partial Fairness Only contract signing • A randomized protocol for signing contracts [EGL85] • Gradual release of a secret [BCDB87] • Practically and Provably secure release of a secret and exchange of signatures RSA, Rabin, ElGam [Damgard95] al signatures • Resource Fairness and Composability of Cryptographic protocols [GMPY06] “Time-line” assumptions, Generic construction

36.

37. Proof (Sketch) • Type I • Does not forge values but aborts «early» • => He has to break the signature scheme • Careful: What happens if A detects he is simulated? • The simulator will try to break the SHDL assumption • If few bits remain, it does not win, everything is OK!

38. Proof (Sketch) • Type II • Forge values • The simulator can extract all values computed by adversary and break the soundness of the NIZK arguments or binding property of commitment scheme.

Editor's Notes

Thankyoufortheintroduction. AndGoodafternooneveryone.
Let me startwiththemotivation of thiswork. Itis more and more commontotrade digital goodsonthe web: music, e-books, applicationsor virtual goodsliketheone of farmville.
Obviously as thegoods are made of 0 and 1 itmakessensetotradethemonthe web. Sohow do weensurethatthese can be buyedsecurely? Themostcommonsolutionistorelyon a trustedthirdpartythatwillreceivethepaymentfortheseller and thendelivertheproducttothebuyer. Thissolutionis simple conceptually and thewidelyadopted.
Howeverthe use of TTP has somedrawbacks.Thefirstoneisthatit produces a strong incentive forcorruptedpartiesstealcritical data likepasswords. Despitealltheprecautionsthese TTP maytake, itis quite difficult in practicetoavoidbeinghacked.
Anotherissueraisedbythepresence of TTP isrelatedtoprivacy. Indeedthisintermediary has accesstoallthedetails of thecommercialtransactions and itisnotalwaysclearforusershowthisinformationishandled.So in thisworkweproposetoenablesecurecommercialtransactionbetweentoparticipantswithoutthepresence of a trustedthirdparty. Such a solutionwouldnothavethedrawbacksmentionedbefore and would open a pathtosmoother (?) transactions.
So technicallytheproblemwewanttosolveconsists in exchangingvaluesfairlywhichmeansthateitherbothpartiesobtainwhattheyexpectedornonedoes. Ifwe observe whathappens in thephysicalworldwerealizethattheproblem of fairexchangeissolvedtriviallybecause of theproximity of theparticipants. [CLICK] In thisexample a womanwantstobuyto bread to a man and clearlyifshedoesnotpayorifthesellerdoesnotdeliverthe bread someonewillnotice.[CLICK] So in thephysicalworldthereis a strong incentive to do thingsrightbecause a maliciousparticipantisverylikelyto be caught.[CLICK] As usual things are notthat simple in the digital world. Themainreasonisthatthereis no thisproximityanymore and theidentity of theparticipantsmightnot be known. So weneedtowork more in ordertogetthesamelevel of securitythatwehave in thephysicalworld.
So let’s try tomodel a commercialtransactionusing digital signatures. Thismightnotwork in all cases butclearlyitappliesto a widerange of situations and thusthisishowwewillmodelthesetransactions.In thisexamplethebuyerholds a digital signaturethatrepresents a digital check and thesellerholds a digital signaturethatwillenabletoactivatehis software.
Ifwetolerateone of theparticipantstogetsomeadvantage, a natural idea that comes tomindistoreleasethesecretvalue (in our case a signature) graduallybyrevealingeach bit in alternation[Click] Bob releaseshisfirst bit Alice releasesherfirst bit[Click] Bob releasehissecond bit Alice releasehersecond bit….[Click] So this idea seemstowork in avoidingCleve’simpossibilityresultconsidering of course a weakersecuritydefinition. [Click] Butwestillface a problem as a maliciousparticipant can still lie aboutthe bit itreleases.
So in thisworkwe show howtosolvethisproblemfor a particular signaturescheme, theonebyBoneh and Boyenpresented at Eurocrypt 2004. As alreadymentionedourgoalistoaoidthedependencyon a TTP and as weshallseeourconstructionis quite practical.
Ourfirstcontributionistoprovide a formal definitionforpartialfairnessthatdoesnotrequiretohandletheexact time of execution of theparticipants and avoidtherelatedstrongassumptions (time line)Regardingefficiency, ourprotocolruns in k+1 rounds where k isthesecurityparameter (TYPO) and bothcommunication and time complexity are quite practical.Moreoverourprotocolisthefirst of thesortforBoneh-Boyen signatures.
Finallyweprovide new techniquesforprovingthat a commitmentencodes a bit vector and thatthis bit vector isthebinaryexpansion of someothercommittedvalue.
[Click] In thispresentationcommitmentswill be representedby red boxes thatwhenopenedwithsomekey [Click] revealthevalueinsidethe box thatisturnedto color green [Click].As usual wehavetwoadversaries. [Click ] Bob will try tochangehismindwhenopeningthecommitments and [Click] Alice will try to open the red box beforebeinggiventhekey.
Wewillalso use Non-Interactive Zero-Knowledgearguments, in particular [Click] [Click]toprovethat a commitmentsencodes a bit.[Click] Here Bob will try to produce a fakeargumentfor a commitmentto a non-bit value and ontheotherside [Click] Alice will try toguessthe bit thatis in the box.
Solet’sintrodcetheabstractsyntax of theprotocol. Firstsetup: werequirethe use of a CRS. Bothplayersagreeonthemessagesto be signedKeygen: forthesignatureschemeEncryptSig: VerifySign: checkthattheencryptedsignatureiswellformed and thatdecryptionwill lead totheobtention of thesignaturefortherespectivemessages.
So let’s introduce nowthesecuritydefinition. We use thefollowingexperimentto define whatwecallpartialfairness, as complete fairnessisnotpossiblewithouttrustedthirdparty.[Click] At thebeginningthehonestparticipantwillgeneratehispair of signingkeys[Click] . Theadversarywillaskforsignaturesonmessages of itschoice [Click] Thentheadversarywillchoosetwomessagesm_A, m_Bforwhichthesignatureswill be exchanged. [Click] Obviouslythemessagerelativetothehonestparticipantmustnothavebeenrequestedpreviouslytothesigningoracle.[Click] Thenbothparticipantswillinteractarbitrarily and in particular theadversarymayabortprematurelytheprotocol.[Click] Whentheexchange of messagesstopsthehonestparticipantwill output a tentativesignatureonmessagem_Ausingthe bits theadversary has released. Forexampleiftwo bits remainedto bit releasedthen Bob willchoose at randomone of thefourpossiblecombinationsto complete thesequence of bits and output thecorrespondingsignatureattempt.[Click] Theadversarywillpursueitsowncomputations and output itstentativesignatureonmessagem_B as well.[Click] So wesaythattheprotocolispartiallyfairiftherespectiveprobabilitiesto output a correctsignaturediffers at mostby a polynomial factor.(Justify more therelevance / accuracy of thedefinition?)
OK we are readyto introduce ourprotocol.So wewilldepictitfromthepoint of view of Bob butrecallthat Alice willperform similar operations.[Click] Bob first computes hissignature and then a blinding factor [Click] thatishidden in a commitment. Whencombinedbothvalues lead toanencryptedsignature. [Click] Thisencryptedsignatureiscomplementedby a commitmentto a bit vector thatisthebinaryexpansion of thepreviousblindingvalue [Click].[Click] Thenweneed Bob to compute a NIZK argumentthatproveseachsmall box contains a bit. Thereasonisthatthe idea of gradual realease of a secretisbasedonthefactthatiftheotherparticipantaborts, I can stillperform a bruteforceattackontheremaining bits and these are nottoomany. Butiftheotherunrevealedvalues are not bits thenspaceforthisbruteforceattackwill be toobig and thustheadversarywoudwin.[Click] Thenweneed a secondargumenttoprovethatindeedthesequence of small red boxes correspondtothebinaryexpansion of thevalue in thebig red box. Thisargument can be seen as the bridge betweenthesequence of bits commitments and theblinding factor.[Click] Therestisstraightforward, Bob willsimply open each bit commitment (in alternationwith Alice).[Click] Finally Alice will be abletorecomputetheblinding factor and recoverthesignature.
Well,unsurprisinglywehavebilinearmapsforourprotocolfortheirnicealgebraicproperties and alsobecausetheBoneh-Boyen schemeworksforbilinearmaps as well.
We use q-type (Isitthewayto denote them?) assumptions. Given s a secretweconsiderthe vector g, g^s, g^{s^2} and so one and weassumeitishardto compute g^{1/s} whichisthe q DH assumption.Thebilinearvariant of thisassumptionwewill use isthe q-BilinearAssumption and consists in tryingfortheadversarythevalue e(g,g)^1/s.Thesecurity of theboneh-boyen schemereliesonthe q-SDH assumpitionwhichstatesthatitishardto compute a scalar c and thegroupelement g^{1/(s+c)}. Thesecurity of oursecondargumentalsoneedthisassumption.Finallywe introduce a new assumptioncalledtheq+i DHE assumptionwhichissimplythegeneralization of a previouslyproposedassumption, namelythe q+1 DHE assumption.
Itisnothardtoseethatth q-BDHIimpliestheq+i DHE (type: “-” missing)And ourprotocolissecureunderthe q-SDH assumption and the q-BDHI assumption (thereis a typo!)If 𝑐isfixedthen 𝑞−𝐷𝐻𝐼⇔ 𝑞−𝑆𝐷𝐻Trivial 𝑞−𝐵𝐷𝐻𝐼⇒ 𝑞−𝐷𝐻𝐼
Let’srecallbrieflytheBoneh and Boyen signaturescheme.[Click] Thekeygenerationalgorithm produces thevaluesx,y in Z_p and compute u=g^x and v=g^yThepublickeywill be thepair (u,v) and thesecretkeyisformedbytheexponents x and y.[Click] Tosign a message m, thesignerfirst compute r, therandomness of thesignature and then output g^1{x+m+yr} alongwiththerandomnessitself.[Click] Verifying a signature \\sigma for a message m consists of computing e(sigma_r,ug^mv^r) and checkthatitisequaltothevalue e(g,g). [Click] Thereasonwhytheschemeiscorrectisbecausetheexponents cancel outduetothebilinearity of e.
So nowwe are goingtosee in detailhowtheencryptedsignatureiscomputed.
Firstwechoose a randomblinding factor \\theta in Z_pwhere p istheorder of thegroups. And we compute D=g^thetawhichwill be public.[Click] Thenwe compute thepair (g^{theta/x+m+yr},r) whichis a commonsignaturebutwherethefirstcomponentisraisedtoexponent theta[Click] Given D, \\sigma thepublickey of thesignaturescheme and a message m weverifythattheencryptedsignatureiscorrectbycomputinge(sigma_theta,ug^mv^r) and verifythatitisequalto e(D,g). [Click] As beforethereasonitworksisbecausetheexponents cancel out.
OK, so nowlet’shave a look at thefirstargumentthatprovethatthesequence of commitments (small boxes) encodes a bit vector.
Thisargumentmakes use of thecommonreferencestring CRS whichisthetuple of theassumptionsmentionedbefore.[Click] Thestatementtoproveisthatgiventhesequence of commitments C_1,C_2,…,C_qtheproversknowstherandomnessr_i and a bit valueb_isuch -thatC_i=g^{r_i}g_i^b_i. So herewe can note thateachcommitment in position i correspondstothe i-th bit and thatthe position isidentifiedbythe CRS groupelementg_i. Note alsothattherandomnessforeachcommitmentis placed in position “0”.[Click] Theargumentconsist of computingA_i=g_{q-i}^r_ig_q^{b_i} whichconceptually can be seen as the[Click] commmitmentC_iwhichisshiftedby q-i positions totheright. Thenwewillasktheproverto compute thegroupelementB_i so thatwehavetheequality e(A_i,C_ig_i^-1) = e(B_i,g). The idea hereistoforcetheproverto compute theproductb_i(b_i-1) in theexponentwhichshould be equalto 0 as b_iisexpectedto be a bit. In thenextslidewewillsee more detailaboutthis.[Click] Theargumentwillconsist in thepairs (A_i,B_i) foreach position i[Click] Verifyingtheargumentwill be done bycheckingthatA_iiscomputedbyshifttinhthecommitmentC_iby q-i positions totheright and checkingthatB_isatisfiestherelationinvolvingA_iC_i and g_i^{-1}.
[Click] So hereisthetheoremforthesecurity of ourargument. Thisargumentisperfectly complete, soundundertheq+i DHE assumption and perfectlyzero-knowledge.[Click] Tojustifythesoundness and completeness as welllet’shave a look at theexpressionintroduced in thepreviousslide e(A_i,C_ig_i^{-1}). Ifwerewritethisexpressionweget e(g_{q-i}^{r_i^2}g_q^{r_i(2b_i-1)} multipliedby g_{q+i}^{b_i(b_i-1)},g). So thefirstpartB_i can be computedbytheprover as itknowstherandomnessr_i and thevaluecommitmentb_i.[Click] Ifb_iisnot a bit we can observe thatsomehowtheproverwillhaveto break theq+i DHE assumption in orderto compute B_i.
We are done withthefirstargument, let’shave a look nowtothesecondargumentwhichpurposeisto relate the bit vector commitment and theblindingvalueusedtoencryptthesignature. Obviouslythisstepiscritical as withoutitwetheverifiercannot be sureifthe bit which are released in step 4 willreallyhelptorecoverthesignature.
So firstwe use thesamecommonreferencestring and[Click] we set q to \\kappa whichisthesecurityparameter, thatisthenumber of bits toencode a groupelementoranexponent.[Click] Thestatementtoproveisthattheproverknowstherandomness and thevalueb_icommitted in eachC_ithatthesevaluesformthebinaryexpansion of thediscretelogarithm of thegroupelement D whichisused in theencryptedsignature.
[Click] Theargumentiscomposedbythreevalues: r’ whichis a scalar and togroupelements U and V.[Click] A problemwefaceforcomputingthisargumentisthateachcommitmentisindeed a randomvalue, itis a petersencommitment and thusistotallyindependentfromthevalue D and itsdiscretelogarithm. So whatwehaveto do firstistoremovetherandomness of eachcommitment so thatwe can thensomehow compare the bits inside of eachcommitmentwiththediscretelogarithm of D. Howeverwecannotsimplyrevealtherandomness of eachcommitmentbecauseitwouldgivetotheadversarytomuchinformation and ourprotocolwouldnot be fairanymore. So the idea istomultiplyeachcommitments. Whendoingthatwe can obversethattherandomness of allcommitmentwillaccumulate in the position 0 thatis a theexponent of g. So r’ will be the sum of alltherandomness of eachcommitment. Nowwe can divide theproduct of thecommitmentsby g^{r’} to cancel thisrandomness.Buthow do weknowthattheproverisnotlying?[Click] The idea hereistoseetheproduct of thecommitments as a vector where r’ isthefirstcomponent in position 0, whichisfollowedbythe bits. So nowtheproverwill compute a productthatwillcorrespondtothesamearraybutshiftedbyone position totheleftwhich can be done iftherandomness r’ iscancelled. Nowiftheprover tries to lie he willsomehow be ableto compute theinverse of thesecret $s$ in theexponent. Finallyusingthebilinearmaptheverifier can checkthat r’ isindeedtheaccumulatedrandomness of allthecommitments.[Click] Thenextstepnowistoprovethat U whichrepresentthe bit vector correspondstothebinaryexpansion of theta, whichthediscretelogarithm of D. So whatwe do istocheckthat e(U/D,g)=e(V,g_1g^{-2}) where V iscomputedbytheprover. [Click] The idea istointerpretthe U as thelist of coefficients of somepolynomial P and provethatwhenwe compute P(s)-\\theta in theexponentwe can divide by s-2 whichmeansthat theta isindeedthevaluetakenbythepolynomial P when s=2. And thisiswhatwewantbecausethismeansthatthearray of bits representedby U isthebinaryexpansion of theta. Ifthisrelationshipdoesnotoldthensomehowtheproverwill be ableto divide by s-2 in theexponent and thuswill break the q-SDH assumption.
So tosummarizeoursecondargmentisperfectly complete, perfectlyzero-knowledge and computationallysoundunderthe q-SDH assumption.
We are almost done. As wehaveseenstep 4 consistssimply in openingthe bit commitments in alternation as withtheargumentwe can be surethatthe bit thatwill be revealedgraduallywill lead torecoverthesignature, whichhappens at step 5. Let’sseehowitworks.
Indeeditis quite straightforward. Giventhe bits [Click] werecompute theta andusingtheblindedsignatureweextractthefirstcomponent and [Click] cancel the theta factor.
I willnot show thesecurityproof of theprotocolhowever I willmention a couple of importantpointsrelatedtoit. [Click] Firstweneed a proof of knowledgeforthediscretelogarithm of D [Click] and alsofortherepresentation in base (g,g_i) of eachpedersencommitment. [Click] Thereasonisthatthesimulatorfortheprotocolneedstokeepsimulatingtheadversarydespitethisoneaborts in orderto be ableto break someassumptionrelatedtothecommitments and theirarguments.
Anothertechnicallydifficultyweface in thesecurityproofisrelatedtowhathappenswhenwegraduallyrevealeach bit. Whatcouldhappenisthatforsomereasonsome bits orgroups of are harderto compute thanotherswhichcouldgivetheadversarysomeimportantadvantageifitaborts at therightmoment. So in ordertosolvethisissueweneedto introduce anotherassumptioncalledthe “SimultaneousHardness of Bits forDiscreteLogarithmassumption”.[Click] Thisassumptionstatesthat no adversaryisabletodistinguishbetween a randomsequence of k-l bits and thefirst k-l bits of thediscretelogarithm. So thisfits.[Click] More precisely and formallytheadversarycannotdistinguishbetweenthefirstworldwhereitisgiveng^theta and thefirstk-l bits of theta fromtheworldwherethe bits revealed are random and indepentfromthe bits of theta. And obviously l, thenumber of bits that are notdisclosedmust be largeenough so thattheadversarycannotperform a bruteforceattackthatwouldinvalidatetheassumption.[Click] And finally as shownbySchnorr, thisassumptionholds in thegenericgroupmodel.
We are readytoconclude. Weintroduced a protocoltoexchange in a fairwayboneh boyen signaturewithoutrelying a ontrustedthirdparty. Ourprotocolis quite efficient and as a sideproductweproposedtwo new NIZK argumentsthatmayfindapplications in otherconstructions.[Click] Thankyouverymuchforyourattention!

Fair Exchange of Short Signatures without Trusted Third Party

Recommended

More Related Content

More from Philippe Camacho, Ph.D.

More from Philippe Camacho, Ph.D. (16)

Fair Exchange of Short Signatures without Trusted Third Party

Editor's Notes