Secretly Embedding Trapdoors into Contract Signing Protocols

Abstract

Contract signing protocols have been proposed and analyzed for more than three decades now. One of the main problems that appeared while studying such schemes is the impossibility of achieving both fairness and guaranteed output delivery. As workarounds, cryptographers have put forth three main categories of contract signing schemes: gradual release, optimistic and concurrent or legally fair schemes. Concurrent signature schemes or legally fair protocols do not rely on trusted arbitrators and, thus, may seem more attractive for users. Boosting user trust in such manner, an attacker may cleverly come up with specific applications. Thus, our work focuses on embedding trapdoors into contract signing protocols. In particular, we describe and analyze various SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanisms which can be injected in concurrent signature schemes and legally fair protocols without keystones.

Appendices

A Additional Preliminaries

1.1 Security Models

Definition 7

(Entropy Smoothing - es ). Let \(\mathbb G\) be a cyclic group of order n, \(\mathcal {K}\) the key space and A a PPT algorithm. Also, let \(\mathcal {H} = \{h_i\}_{i\in \mathcal {K}}\) be a family of keyed hash functions, where each \(h_i\) maps \(\mathbb G\) to \(\mathbb {Z}_n^*\). We define the advantage

If \({ADV}_{\mathcal {H}}^{\textsc {es}}(A)\) is negligible for any PPT algorithm A, we say that \(\mathcal {H}\) is entropy smoothing.

Remark 7

In [8], the authors prove that the CBC-MAC, HMAC and Merkle-Damgård constructions satisfy the definition above as long as the underling primitives satisfy certain security properties.

1.2 Schnorr Signatures

ElGamal signatures [9] inspired the construction of many other \(\textsc {dlp}\) based signatures. We particular refer to Schnorr signatures [19] for the purpose of our current work. This family of signatures is obtained by converting interactive identification protocols into signatures¹².

We shortly describe the algorithms of the Schnorr digital signature scheme in Table 2.

Table 2. Schnorr digital signature.

B A Supplementary SETUP Attack on Concurrent Signatures

Description. Let \(H: \mathbb {G} \rightarrow \mathbb {Z}_q^*\) be a hash function. Let \(\alpha \) be either Alice or Bob. Then, \(\delta _{\alpha , 0}\) represents \(\alpha \)’s secret key \(x_\alpha \), \(r_{\alpha , 0}\) represents \(\alpha \)’s public key \(y_\alpha \) and \(r_{\alpha , i} \leftarrow g^{\delta _{\alpha , i}}\). As in Sect. 3, Eve has a valid pair of keys \((x_E,y_E)\), where \(y_E\) is stored on the victim’s device.

Again, changes required by the SETUP mechanisms will further be underlined using red colored text in Fig. 7.

Fig. 7.

Iteration i of the protocol presented in Fig. 3 with a supplementary SETUP mechanism. (Color figure online)

Eve can decide to recover Alice’s secret key whenever she wants. To do that, she must first compute \(\delta _{A, i} = H(r_{A, i-1}^{x_E})\). Eve recovers \(r_{A,i-1}\) from an older protocol in which Alice was involved, more precisely the \(i-1\) one. Thus, Eve calculates

$$\begin{aligned} g^{s_{A,i-1}} y_A^{e_{A,i-1}} \equiv g^{s_{A,i-1}+e_{A,i-1}x_A} \equiv g^{\delta _{A,i-1}} \equiv r_{A,i-1}. \end{aligned}$$

Eve’s final goal is finding \(x_A\) which can be achieved by computing \(e_{A,i}^{-1}(\delta _{A, i} - s_{A, i})\). The values \(e_{A,i}\) and \(s_{A,i}\) are transmitted during the protocol and are public. Similarly, she can recover Bob’s secret key.

The most efficient way to recover secret keys is by observing two consecutive protocol iterations that need to reach .

Exceptions. An exception is iteration 1, since \(\delta _{\alpha , 0}\) is already known. Thus, only protocol 1 needs to reach . Eve can also recover secret keys at iteration i by computing all intermediary values, \(\delta _{\alpha , j}\) for \(0 \le j < i\). This method is computationally costly.

Malicious Co-signers. If Eve is replaced by Alice, the most efficient way to recover secret keys is by observing two protocol iterations that need to reach .

If Eve is replaced by Bob, the most efficient way to recover secret keys is by running two protocol iterations that need to reach .

Security Analysis. We present the main security results, more precisely Theorems 5 and 6, and provide the reader with the necessary proofs.

When referring to the security analysis presented in the current section, \(\varTheta \) is considered an additional security parameter and refers to the maximal number of protocol iterations.

Theorem 5

Let i be an integer smaller than \(\varTheta \). If ddh is hard in \(\mathbb G\) and H is es, then iterations i of the protocols presented in Figs. 3 and 7 are ind-setup in the standard model. Formally, let A be an efficient PPT ind-setup adversary then there exist two efficient PPT algorithms \(B_1, B_2\) such that

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{3}, P_{7}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4 {ADV}_{\mathbb G,g}^{\textsc {ddh}}(B_1) + 4 {ADV}_{\mathcal {H}}^{\textsc {es}}(B_2). \end{aligned}$$

Proof

We denote iterations i of the protocols presented in Figs. 3 and 7 by \(P_{3}\) and \(P_{7}\). Let A be an ind-setup adversary trying to distinguish between \(P_{3}\) and \(P_{7}\). We show that his advantage is negligible. We present the proof as a sequence of games and all the required changes are made to \(P_{7}\). Let \(W_i\) be the event that A wins game i.

Game 0. The first game is identical to the ind-setup game¹³. Thus, we have

$$\begin{aligned} | 2 Pr[W_0] - 1 | = {ADV}_{\textsc {DH}, P_{3}, P_{7}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A). \end{aligned}$$

(13)

Game 1. In this game, \(y_E^{\delta _{A, i-1}}\) and \(y_E^{\delta _{B, i-1}}\) from Game 0 become \(g^{z_{A, i}}\) and \(g^{z_{B, i}}\), where . Since this is the only change between Game 0 and Game 1, A will not notice the difference assuming the ddh assumption holds. Formally, this means that there exists an algorithm \(B_1\) such that

$$\begin{aligned} | Pr[W_0] - Pr[W_1] | = 2 {ADV}_{\mathbb G,g}^{\textsc {ddh}}(B_1). \end{aligned}$$

(14)

Game 2. Since H is es then we can make the change and adversary A will not notice. Formally, this means that there exists an algorithm \(B_2\) such that

$$\begin{aligned} | Pr[W_1] - Pr[W_2] | = 2 {ADV}_{\mathcal {H}}^{\textsc {es}}(B_2) \end{aligned}$$

(15)

The changes made to \(P_{7}\) in Game 1 and Game 2, transformed it into \(P_{3}\). Thus, we have

$$\begin{aligned} Pr[W_2] = 1/2. \end{aligned}$$

(16)

Finally, the statement is proven by combining the equalities (13)–(16).    \(\square \)

Remark 8

From Theorem 5, the maximum advantage an ind-setup adversary can obtain in the standard model is

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{3}, P_{7}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4\varTheta {ADV}_{\mathbb G,g}^{\textsc {ddh}}(B_1) + 4\varTheta {ADV}_{\mathcal {H}}^{\textsc {es}}(B_2). \end{aligned}$$

The advantage remains negligible if parameter \(\varTheta \) is polynomial.

Theorem 6

Let i be an integer smaller than \(\varTheta \). If cdh is hard in \(\mathbb G\), then iterations i of the protocols presented in Figs. 3 and 7 are ind-setup in the ROM. Formally, let A be an efficient PPT ind-setup adversary then there exist an efficient PPT algorithms C such that

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{3}, P_{7}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4 ADV_{\mathbb {G},g}^\textsc {cdh}(C). \end{aligned}$$

Proof

We will use the same notations as in the proof for Theorem 5.

Game 0. The first game is identical to the ind-setup game¹⁴. Thus, we have

$$\begin{aligned} | 2 Pr[W_0] - 1 | = {ADV}_{\textsc {DH}, P_{3}, P_{7}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A). \end{aligned}$$

(17)

The challenger picks a random oracle \(H: \mathbb {G} \rightarrow \mathbb {Z}_q^*\) at random from the set of all such functions. A can make a sequence of queries of the following type:

Hash oracle query ¹⁵ : A presents the challenger with \(m \in \mathbb {G}\), who responds with H(m).

Game 1. At the beginning of the game choose . We change the challenger’s way to respond to queries as follows:

Hash oracle query ¹⁶ : A presents the challenger with \(m \in \mathbb {G}\). The challenger responds with:

• \(z_{A, i}\), if \(m = y_E^{\delta _{A, i-1}}\);

• \(z_{B, i}\), if \(m = y_E^{\delta _{B, i-1}}\);

• H(m), otherwise.

We also make the changes \(\delta _{A, i} \leftarrow z_{A, i}\) and \(\delta _{B, i} \leftarrow z_{B, i}\) in \(P_{7}\).

Since we have replaced the values \(y_E^{\delta _{A, i-1}}\) and \(y_E^{\delta _{B, i-1}}\) throughout the game, we have

$$\begin{aligned} Pr[W_0] = Pr[W_1]. \end{aligned}$$

(18)

Game 2. In this game, we revert to the original hash oracle query (i.e the challenger responds with H(m) for all m). Let F be the event that the adversary makes a query with \(m \leftarrow y_E^{\delta _{A, i-1}}\) or \(m \leftarrow y_E^{\delta _{B, i-1}}\). Game 1 and Game 2 are identical until F occurs. Thus, we have

$$\begin{aligned} | Pr[W_1] - Pr[W_2] | \le Pr[F]. \end{aligned}$$

(19)

We need to prove that

$$\begin{aligned} Pr[F] = ADV_{\mathbb {G},g}^\textsc {lcdh2}(C), \end{aligned}$$

(20)

where C is an algorithm that takes as input \(y_E\), \(r_{A, i-1}\) and \(r_{B, i-1}\). C will play the role of the challenger in Game 2. Algorithm C has a list of queries and responses, such that if A makes a query that matches one of the previous queries, C can return the previous output. At the end of the game, algorithm C will output a list with all the responses to A’s queries. It is easy to see that the probability of C returning a list containing \(y_E^{\delta _{A, i-1}}\) or \(y_E^{\delta _{B, i-1}}\) is the same as Pr[F].

The changes made to \(P_{7}\) in Game 1 and Game 2, transformed it into \(P_{3}\). Thus, we have

$$\begin{aligned} Pr[W_2] = 1/2. \end{aligned}$$

(21)

Finally, the statement is proven by combining the equalities (17)–(21).    \(\square \)

Remark 9

From Theorem 6, the maximum advantage an ind-setup adversary can obtain in the ROM is

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{3}, P_{7}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4\varTheta ADV_{\mathbb {G},g}^\textsc {cdh}(C). \end{aligned}$$

The advantage remains negligible if parameter \(\varTheta \) is polynomial.

C A Supplementary SETUP Attack on Legally Fair Signatures Without Keystones

Description. To implement an attack, Eve will work in almost the same environment as in Appendix B. Thus, we only mention the differences between the environments.

As in Sect. 3, changes required by the SETUP mechanisms are further underlined using red colored text in Fig. 8.

Fig. 8.

Iteration i of the Protocol presented in Fig. 4 with a supplementary SETUP mechanism. (Color figure online)

The most efficient way for Eve to recover secret keys is taking into account the following requirements:

1. 1.

   an iteration needs to reach ;

2. 2.

   the previous protocol iteration needs to reach .

Malicious Co-signers. If Eve is replaced by Alice, the most efficient way to recover secret keys is taking into account the following requirements:

1. 1.

   an iteration needs to reach ;

2. 2.

   the previous protocol iteration needs to reach .

If Eve is replaced by Bob, the most efficient way to recover secret keys is taking into account the following requirements:

1. 1.

   an iteration needs to reach ;

2. 2.

   the previous protocol iteration needs to reach .

Security Analysis. The main security results are presented in Theorems 7 and 8. The proofs are omitted given their similarities with the ones constructed in Appendix B.

Theorem 7

Let i be an integer smaller than \(\varTheta \). If ddh is hard in \(\mathbb G\) and H is es, then iterations i of the protocols presented in Figs. 4 and 8 are ind-setup in the standard model. Formally, let A be an efficient PPT ind-setup adversary. There exist two efficient PPT algorithms \(B_1, B_2\) such that

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{4}, P_{8}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4 {ADV}_{\mathbb G,g}^{\textsc {ddh}}(B_1) + 4 {ADV}_{\mathcal {H}}^{\textsc {es}}(B_2). \end{aligned}$$

Remark 10

From Theorem 7, the maximum advantage an ind-setup adversary can obtain in the standard model is

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{4}, P_{8}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4\varTheta {ADV}_{\mathbb G,g}^{\textsc {ddh}}(B_1) + 4\varTheta {ADV}_{\mathcal {H}}^{\textsc {es}}(B_2). \end{aligned}$$

The advantage remains negligible if parameter \(\varTheta \) is polynomial.

Theorem 8

Let i be an integer smaller than \(\varTheta \). If cdh is hard in \(\mathbb G\), then iterations i of the protocols presented in Figs. 4 and 8 are ind-setup in the ROM. Formally, let A be an efficient PPT ind-setup adversary. There exist an efficient PPT algorithms C such that

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{4}, P_{8}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4 ADV_{\mathbb {G},g}^\textsc {cdh}(C). \end{aligned}$$

Remark 11

From Theorem 8, the maximum advantage an ind-setup adversary can obtain in the ROM is

$$\begin{aligned} {ADV}_{\textsc {DH}, P_{4}, P_{8}}^{{\textsc {ind}}{\text {-}}{\textsc {setup}}}(A) \le 4\varTheta ADV_{\mathbb {G},g}^\textsc {cdh}(C). \end{aligned}$$

The advantage remains negligible if parameter \(\varTheta \) is polynomial.