Abstract
Contract signing protocols have been proposed and analyzed for more than three decades now. One of the main problems that appeared while studying such schemes is the impossibility of achieving both fairness and guaranteed output delivery. As workarounds, cryptographers have put forth three main categories of contract signing schemes: gradual release, optimistic and concurrent or legally fair schemes. Concurrent signature schemes or legally fair protocols do not rely on trusted arbitrators and, thus, may seem more attractive for users. Boosting user trust in such manner, an attacker may cleverly come up with specific applications. Thus, our work focuses on embedding trapdoors into contract signing protocols. In particular, we describe and analyze various SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanisms which can be injected in concurrent signature schemes and legally fair protocols without keystones.
Notes
- 1. e.g. tamper proof devices.
- 2. We refer the reader to Appendix A for a definition of the concept.
- 3. Recalled in Appendix A.
- 4. Another mechanism (detailed in Appendix B) naturally arises.
- 5. A function for which every element of the range of the function corresponds to precisely one element of the domain.
- 6. As in Definition 6.
- 7. See Footnote 6.
- 8. Game 0.
- 9. Game 1.
- 10. Another attack (detailed in Appendix C) naturally arises.
- 11. More or less.
- 12.
- 13. See Footnote 6.
- 14. See Footnote 6.
- 15. Game 0.
- 16. Game 1.
References
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_28
Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: Proceedings of the 4th ACM Conference on Computer and Communications Security (CCS 1997), pp. 7–17. ACM (1997)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS 1993), pp. 62–73. ACM (1993)
Bellare, M., Rogaway, P.: Introduction to Modern Cryptography. UCSD CSE 207:207 (2005)
Cachin, C., Camenisch, J.: Optimistic fair secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 93–111. Springer, Heidelberg (2000). doi:10.1007/3-540-44598-6_6
Chen, L., Kudla, C., Paterson, K.G.: Concurrent signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 287–305. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_18
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (2006)
Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, Cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_30
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Ferradi, H., Géraud, R., Maimuţ, D., Naccache, D., Pointcheval, D.: Legally fair contract signing without keystones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 175–190. Springer, Cham (2016). doi:10.1007/978-3-319-39555-5_10
Fiege, U., Fiat, A., Shamir, A.: Zero knowledge proofs of identity. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC 1987), pp. 210–217. ACM (1987)
Garay, J., MacKenzie, P., Prabhakaran, M., Yang, K.: Resource fairness and composability of cryptographic protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 404–428. Springer, Heidelberg (2006). doi:10.1007/11681878_21
Goldreich, O.: A simple protocol for signing contracts. In: Chaum, D. (ed.) Advances in Cryptology. Springer, Boston (1984). doi:10.1007/978-1-4684-4730-9_11
Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991). doi:10.1007/3-540-38424-3_6
Gordon, S.D., Hazay, C., Katz, J., Lindell, Y.: Complete fairness in secure two-party computation. J. ACM 58(6), 1–37 (2011)
Lindell, A.Y.: Legally-enforceable fairness in secure two-party computation. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 121–137. Springer, Heidelberg (2008). doi:10.1007/978-3-540-79263-5_8
Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: Proceedings of the 22nd Annual Symposium on Principles of Distributed Computing (PODC 2003), pp. 12–19. ACM (2003)
Pinkas, B.: Fair secure two-party computation. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 87–105. Springer, Heidelberg (2003). doi:10.1007/3-540-39200-9_6
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). doi:10.1007/0-387-34805-0_22
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive 2004, 332 (2004)
Simmons, G.J.: The subliminal channel and digital signatures. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 364–378. Springer, Heidelberg (1985). doi:10.1007/3-540-39757-4_25
Simmons, G.J.: Subliminal communication is easy using the DSA. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 218–232. Springer, Heidelberg (1994). doi:10.1007/3-540-48285-7_18
Young, A., Yung, M.: The dark side of “black-box” cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_8
Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_6
Young, A., Yung, M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 264–276. Springer, Heidelberg (1997). doi:10.1007/BFb0052241
Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. Wiley, New York (2004)
Young, A., Yung, M.: Malicious cryptography: kleptographic aspects. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 7–18. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30574-3_2
Acknowledgments
The authors would like to thank Adrian Atanasiu and the anonymous reviewers for their helpful comments.
Appendices
A Additional Preliminaries
1.1 Security Models
Definition 7
(Entropy Smoothing - es ). Let \(\mathbb G\) be a cyclic group of order n, \(\mathcal {K}\) the key space and A a PPT algorithm. Also, let \(\mathcal {H} = \{h_i\}_{i\in \mathcal {K}}\) be a family of keyed hash functions, where each \(h_i\) maps \(\mathbb G\) to \(\mathbb {Z}_n^*\). We define the advantage
If \({ADV}_{\mathcal {H}}^{\textsc {es}}(A)\) is negligible for any PPT algorithm A, we say that \(\mathcal {H}\) is entropy smoothing.
Remark 7
In [8], the authors prove that the CBC-MAC, HMAC and Merkle-Damgård constructions satisfy the definition above as long as the underlying primitives satisfy certain security properties.
1.2 Schnorr Signatures
ElGamal signatures [9] inspired the construction of many other \(\textsc {dlp}\)-based signatures. For the purpose of the current work we refer in particular to Schnorr signatures [19]. This family of signatures is obtained by converting interactive identification protocols into signatures (see Footnote 12).
We briefly describe the algorithms of the Schnorr digital signature scheme in Table 2.
B A Supplementary SETUP Attack on Concurrent Signatures
Description. Let \(H: \mathbb {G} \rightarrow \mathbb {Z}_q^*\) be a hash function. Let \(\alpha \) be either Alice or Bob. Then, \(\delta _{\alpha , 0}\) represents \(\alpha \)’s secret key \(x_\alpha \), \(r_{\alpha , 0}\) represents \(\alpha \)’s public key \(y_\alpha \) and \(r_{\alpha , i} \leftarrow g^{\delta _{\alpha , i}}\). As in Sect. 3, Eve has a valid pair of keys \((x_E,y_E)\), where \(y_E\) is stored on the victim’s device.
Again, the changes required by the SETUP mechanism are underlined using red colored text in Fig. 7.
Eve can decide to recover Alice’s secret key whenever she wants. To do that, she must first compute \(\delta _{A, i} = H(r_{A, i-1}^{x_E})\). Eve obtains \(r_{A,i-1}\) from an older protocol run in which Alice was involved, more precisely run \(i-1\). Thus, Eve calculates
Eve’s final goal is finding \(x_A\), which can be achieved by computing \(e_{A,i}^{-1}(\delta _{A, i} - s_{A, i})\). The values \(e_{A,i}\) and \(s_{A,i}\) are transmitted during the protocol and are therefore public. Similarly, she can recover Bob’s secret key.
The most efficient way to recover secret keys is by observing two consecutive protocol iterations that need to reach .
Exceptions. An exception is iteration 1, since \(\delta _{\alpha , 0}\) is already known. Thus, only protocol 1 needs to reach . Eve can also recover secret keys at iteration i by computing all intermediary values, \(\delta _{\alpha , j}\) for \(0 \le j < i\). This method is computationally costly.
Malicious Co-signers. If Eve is replaced by Alice, the most efficient way to recover secret keys is by observing two protocol iterations that need to reach .
If Eve is replaced by Bob, the most efficient way to recover secret keys is by running two protocol iterations that need to reach .
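The following toy model illustrates the nonce-chaining mechanism described above together with the Schnorr-form signing relation recalled in Appendix A. It is an added example, not code from the paper: the full concurrent signature (ring structure, keystones) is replaced by a plain Schnorr-type signature with the nonce relation \(s = \delta - e\,x \bmod q\) the recovery formula assumes; the group parameters \(p = 2039\), \(q = 1019\), \(g = 4\), the SHA-256-based instantiation of \(H\), and the message strings are constructed for the demonstration. It shows the two facts the security analysis that follows rests on: trapdoored signatures pass ordinary verification exactly like honest ones, and recovering \(x_A\) requires Eve's private key \(x_E\) plus either \(y_A\) (iteration 1) or the public \(r_{A,i-1}\) from the previous run.

```python
"""Toy model of the nonce-chaining SETUP from Appendix B (added example)."""
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime and g = 2^2 of order q.
# Far too small for real use; chosen so the example runs instantly.
P, Q, G = 2039, 1019, 4


def params_ok() -> bool:
    """Sanity check that g generates a subgroup of order q."""
    return G != 1 and pow(G, Q, P) == 1


def h_group(elem: int) -> int:
    """H: G -> Z_q^*, modelled here as SHA-256 of the element reduced into [1, q-1]."""
    digest = hashlib.sha256(elem.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def h_msg(r: int, msg: bytes) -> int:
    """Challenge hash e = H'(r, m) in [1, q-1], so that e is invertible mod q."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def keygen():
    """Secret key x in [1, q-1], public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign_with_nonce(x: int, delta: int, msg: bytes):
    """Schnorr-form signature: r = g^delta, e = H'(r, m), s = delta - e*x mod q."""
    r = pow(G, delta, P)
    e = h_msg(r, msg)
    s = (delta - e * x) % Q
    return r, e, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard check: e recomputes and g^s * y^e == r."""
    r, e, s = sig
    return e == h_msg(r, msg) and (pow(G, s, P) * pow(y, e, P)) % P == r


class HonestSigner:
    """Reference device: fresh uniformly random nonce for every signature."""

    def __init__(self, x: int):
        self.x = x

    def sign(self, msg: bytes):
        return sign_with_nonce(self.x, secrets.randbelow(Q - 1) + 1, msg)


class SetupSigner:
    """Trapdoored device: y_E embedded, delta_0 = x, delta_i = H(y_E^{delta_{i-1}})."""

    def __init__(self, x: int, y_E: int):
        self.x = x
        self.y_E = y_E
        self.prev_delta = x  # delta_{alpha,0} is the signer's own secret key

    def sign(self, msg: bytes):
        delta = h_group(pow(self.y_E, self.prev_delta, P))
        self.prev_delta = delta
        return sign_with_nonce(self.x, delta, msg)


def eve_recover(x_E: int, r_prev: int, sig) -> int:
    """Eve's recovery: delta_i = H(r_{i-1}^{x_E}), then x = e^{-1}(delta_i - s_i) mod q.

    r_prev is r_{alpha,i-1}; for the iteration-1 exception it is y_alpha itself.
    Only the holder of x_E can compute r_{i-1}^{x_E} = y_E^{delta_{i-1}}.
    """
    delta = h_group(pow(r_prev, x_E, P))
    _, e, s = sig
    return (pow(e, -1, Q) * (delta - s)) % Q


def demo() -> bool:
    """Two consecutive runs of the trapdoored device; Eve recovers x_A from each."""
    x_A, y_A = keygen()
    x_E, y_E = keygen()
    device = SetupSigner(x_A, y_E)
    sig1 = device.sign(b"contract 1")  # constructed messages
    sig2 = device.sign(b"contract 2")
    # Both signatures pass ordinary verification, indistinguishable from honest ones.
    ok = verify(y_A, b"contract 1", sig1) and verify(y_A, b"contract 2", sig2)
    # Iteration 1 needs only y_A (= r_{A,0}); later iterations need the previous r.
    ok = ok and eve_recover(x_E, y_A, sig1) == x_A
    ok = ok and eve_recover(x_E, sig1[0], sig2) == x_A
    return ok


if __name__ == "__main__":
    print("params ok:", params_ok(), "| key recovered:", demo())
```

Because the trapdoored outputs are valid signatures, no verifier-side check can flag them; this is exactly why the analysis below has to argue indistinguishability rather than detectability. From a defender's standpoint the practical consequence is that a black-box signing device must not be granted sole, unauditable control over nonce generation.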
Security Analysis. We present the main security results, namely Theorems 5 and 6, together with the necessary proofs.
When referring to the security analysis presented in the current section, \(\varTheta \) is considered an additional security parameter and refers to the maximal number of protocol iterations.
Theorem 5
Let i be an integer smaller than \(\varTheta \). If ddh is hard in \(\mathbb G\) and H is es, then iterations i of the protocols presented in Figs. 3 and 7 are ind-setup in the standard model. Formally, let A be an efficient PPT ind-setup adversary. Then there exist two efficient PPT algorithms \(B_1, B_2\) such that
Proof
We denote iterations i of the protocols presented in Figs. 3 and 7 by \(P_{3}\) and \(P_{7}\). Let A be an ind-setup adversary trying to distinguish between \(P_{3}\) and \(P_{7}\). We show that its advantage is negligible. We present the proof as a sequence of games; all the required changes are made to \(P_{7}\). Let \(W_i\) be the event that A wins game i.
Game 0. The first game is identical to the ind-setup game (Footnote 13). Thus, we have
Game 1. In this game, \(y_E^{\delta _{A, i-1}}\) and \(y_E^{\delta _{B, i-1}}\) from Game 0 become \(g^{z_{A, i}}\) and \(g^{z_{B, i}}\), where . Since this is the only change between Game 0 and Game 1, A will not notice the difference assuming the ddh assumption holds. Formally, this means that there exists an algorithm \(B_1\) such that
Game 2. Since H is es, we can make the change and adversary A will not notice. Formally, this means that there exists an algorithm \(B_2\) such that
The changes made to \(P_{7}\) in Game 1 and Game 2 transform it into \(P_{3}\). Thus, we have
Finally, the statement is proven by combining the equalities (13)–(16). \(\square \)
Remark 8
From Theorem 5, the maximum advantage an ind-setup adversary can obtain in the standard model is
The advantage remains negligible if parameter \(\varTheta \) is polynomial.
Theorem 6
Let i be an integer smaller than \(\varTheta \). If cdh is hard in \(\mathbb G\), then iterations i of the protocols presented in Figs. 3 and 7 are ind-setup in the ROM. Formally, let A be an efficient PPT ind-setup adversary. Then there exists an efficient PPT algorithm C such that
Proof
We will use the same notations as in the proof for Theorem 5.
Game 0. The first game is identical to the ind-setup game (Footnote 14). Thus, we have
The challenger picks a random oracle \(H: \mathbb {G} \rightarrow \mathbb {Z}_q^*\) uniformly at random from the set of all such functions. A can make a sequence of queries of the following type:
Hash oracle query (Footnote 15): A presents the challenger with \(m \in \mathbb {G}\); the challenger responds with H(m).
Game 1. At the beginning of the game choose . We change the challenger’s way to respond to queries as follows:
Hash oracle query (Footnote 16): A presents the challenger with \(m \in \mathbb {G}\). The challenger responds with:
- \(z_{A, i}\), if \(m = y_E^{\delta _{A, i-1}}\);
- \(z_{B, i}\), if \(m = y_E^{\delta _{B, i-1}}\);
- H(m), otherwise.
We also make the changes \(\delta _{A, i} \leftarrow z_{A, i}\) and \(\delta _{B, i} \leftarrow z_{B, i}\) in \(P_{7}\).
Since we have replaced the values \(y_E^{\delta _{A, i-1}}\) and \(y_E^{\delta _{B, i-1}}\) throughout the game, we have
Game 2. In this game, we revert to the original hash oracle query (i.e. the challenger responds with H(m) for all m). Let F be the event that the adversary makes a query with \(m \leftarrow y_E^{\delta _{A, i-1}}\) or \(m \leftarrow y_E^{\delta _{B, i-1}}\). Game 1 and Game 2 are identical until F occurs. Thus, we have
We need to prove that
where C is an algorithm that takes as input \(y_E\), \(r_{A, i-1}\) and \(r_{B, i-1}\). C plays the role of the challenger in Game 2. Algorithm C keeps a list of queries and responses, so that if A repeats a previous query, C returns the previous output. At the end of the game, algorithm C outputs the list of all responses to A’s queries. It is easy to see that the probability of C returning a list containing \(y_E^{\delta _{A, i-1}}\) or \(y_E^{\delta _{B, i-1}}\) is the same as Pr[F].
The changes made to \(P_{7}\) in Game 1 and Game 2 transform it into \(P_{3}\). Thus, we have
Finally, the statement is proven by combining the equalities (17)–(21). \(\square \)
Remark 9
From Theorem 6, the maximum advantage an ind-setup adversary can obtain in the ROM is
The advantage remains negligible if parameter \(\varTheta \) is polynomial.
C A Supplementary SETUP Attack on Legally Fair Signatures Without Keystones
Description. To implement the attack, Eve works in almost the same environment as in Appendix B. Thus, we only mention the differences between the two environments.
As in Sect. 3, the changes required by the SETUP mechanism are underlined using red colored text in Fig. 8.
The most efficient way for Eve to recover secret keys is to take into account the following requirements:
1. an iteration needs to reach ;
2. the previous protocol iteration needs to reach .
Malicious Co-signers. If Eve is replaced by Alice, the most efficient way to recover secret keys is to take into account the following requirements:
1. an iteration needs to reach ;
2. the previous protocol iteration needs to reach .
If Eve is replaced by Bob, the most efficient way to recover secret keys is to take into account the following requirements:
1. an iteration needs to reach ;
2. the previous protocol iteration needs to reach .
Security Analysis. The main security results are presented in Theorems 7 and 8. The proofs are omitted given their similarity to the ones constructed in Appendix B.
Theorem 7
Let i be an integer smaller than \(\varTheta \). If ddh is hard in \(\mathbb G\) and H is es, then iterations i of the protocols presented in Figs. 4 and 8 are ind-setup in the standard model. Formally, let A be an efficient PPT ind-setup adversary. There exist two efficient PPT algorithms \(B_1, B_2\) such that
Remark 10
From Theorem 7, the maximum advantage an ind-setup adversary can obtain in the standard model is
The advantage remains negligible if parameter \(\varTheta \) is polynomial.
Theorem 8
Let i be an integer smaller than \(\varTheta \). If cdh is hard in \(\mathbb G\), then iterations i of the protocols presented in Figs. 4 and 8 are ind-setup in the ROM. Formally, let A be an efficient PPT ind-setup adversary. There exists an efficient PPT algorithm C such that
Remark 11
From Theorem 8, the maximum advantage an ind-setup adversary can obtain in the ROM is
The advantage remains negligible if parameter \(\varTheta \) is polynomial.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Maimuţ, D., Teşeleanu, G. (2017). Secretly Embedding Trapdoors into Contract Signing Protocols. In: Farshim, P., Simion, E. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2017. Lecture Notes in Computer Science(), vol 10543. Springer, Cham. https://doi.org/10.1007/978-3-319-69284-5_12
DOI: https://doi.org/10.1007/978-3-319-69284-5_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69283-8
Online ISBN: 978-3-319-69284-5