Optimistic fair exchange (OFE) is a kind of protocol to guarantee fairness for the parties involved in an exchange with the help of an arbitrator. A fundamental work of optimistic fair exchange is to define security models capturing realistic attacks and design schemes secure in practical models. The security models are very essential to ensure that they capture practical situation, which will ensure that the protocols can be adopted in practice. The contributions of this paper are three fold. First, we observe that the existing OFE models do not capture realistic situation, where the adversary can actually observe the full signatures generated by the signer, prior to launching the actual attack. That is to say, the adversary is not provided with the signing oracle, which will produce full signatures generated by the signer. It is commonly believed that the full signatures generated by the signer can be simulated by the full signatures generated by the arbitrator. Unfortunately, we show that this perception is false. Second, we propose an enhanced model of OFE that explicitly provides the adversary with the signing oracle, which outputs the full signatures generated by the signer. We demonstrate the difference between our enhanced model and the existing chosen-key model through two concrete OFE schemes that serve as counterexamples. Finally, we revisit two existing generic constructions of optimistic fair exchange schemes, one based on verifiably encrypted signatures, and the other based on conventional signatures and ring signatures. Our result shows that the two generic approaches can still offer schemes secure in our enhanced model, which captures the real scenario that dishonest users may have access to the full signatures generated by the signer.
AbstractOptimistic fair exchange (OFE) is a kind of protocol to guarantee fairness for the parties involved in an exchange with the help of an arbitrator. A fundamental work of optimistic fair exchange is to define security models capturing realistic attacks and design schemes secure in practical models. The security models are very essential to ensure that they capture practical situation, which will ensure that the protocols can be adopted in practice. The contributions of this paper are three fold. First, we observe that the existing OFE models do not capture realistic situation, where the adversary can actually observe the full signatures generated by the signer, prior to launching the actual attack. That is to say, the adversary is not provided with the signing oracle, which will produce full signatures generated by the signer. It is commonly believed that the full signatures generated by the signer can be simulated by the full signatures generated by the arbitrator. Unfortunately, we show that this perception is false. Second, we propose an enhanced model of OFE that explicitly provides the adversary with the signing oracle, which outputs the full signatures generated by the signer. We demonstrate the difference between our enhanced model and the * ...