Fair Exchange Protocols with Off-line TTP

Feng Bao, Robert H. Deng, Wenbao Mao

IEEE Symposium on Security and Privacy 1998

 

Protocol 1 Fair Exchange of Signatures on A Common File

Quantities

PK+†††††††††††††††† public encryption key, + indicates public

Sk-††††††††††††††††† signing encryption key, - indicates private

Cert†††††††††††††††† value that can be used to prove that a ciphertext was encrypted with a PK

††††††††††††††††††††††† And the value encrypted was M signed by sk

Veri(Cert, CT, M, PKT, pkA)††††††††††††††† Determines whether the message within M was signed by

††††††††††††††††††††††††††††††††††††††††††††††††††††††††††† pka and then encrypted by PKT, with the help of Cert.

SB(x)††††††††††††††† B signs x with signing key skB-.

dSB(x)††††††††††††† decrypt x with signing decryption key skB+

CT††††††††††††††††††† PT(m)

PT(x)††††††††††††††† public key encrytion of x with Tís PKT+

dPT(x)††††††††††††† public key decrytion of x with TísPKT- key

 

Goals

A and B want to exchange signatures of a document that is not valid until both parties have signed the document.However, neither party wants to be denied a copy of the otherís signature.

 

 

A -> B: CT, Cert

B: if Veri(Cert, CT, M, PKT, pkA) = yes then

B -> A: SB(M)

A: if (SB(M) correct) then

A -> B: SA(M)

††††††††††††††††††††††† B: if not(correct SA(M)) then

††††††††††††††††††††††††††††††††††† B -> T: MA, MB, CT, SB(M)

††††††††††††††††††††††††††††††††††† T: if ((SB(M) correct) & (SA(M) correct)) then

††††††††††††††††††††††††††††††††††† T -> A: SB(M)

††††††††††††††††††††††††††††††††††† T -> B: SA(M)

 

Notes:

  1. Secure Channels or cryptographically secure channels required using different keys
  2. Assumes A & B have already agreed to exchange their signatures on a common file.
  3. A may have to wait, but this doesnít invalidate protocol

 

* †††††††† ? How does T know what M is in order to determine whether contracts are valid?

††††††††††† Does this mean that M must be plaintext? Or Does it mean that T just compares

††††††††††† the contents of the two signatures to see that they are the same?

 

Protocol 2 Fair Exchange of Signatures on Different Files

 

Quantities

signA†††† ††††††††††† SA(MA, hash(MB))

signB†††† ††††††††††† SB(MB, hash(MA))

CT††††††† ††††††††††† PT(signA)

 

A -> B: CT, Cert

B: if Veri(Cert, CT, MA, PKT, pkA) = yes then

††††††††††† B -> A: SB(M)

A: if (SB(M) correct) then

A -> B: SA(M)

††††††††††††††††††††††† B: if not(correct SA(M)) then

††††††††††††††††††††††††††††††††††† B -> T: MA, MB, CT, SB(M)

††††††††††††††††††††††††††††††††††† T: if ((SB(M) correct) & (SA(M) correct)) then

††††††††††††††††††††††††††††††††††† T -> A: SB(M)

††††††††††††††††††††††††††††††††††† T -> B: SA(M)

 

Protocol 3 Fair Exchange of Confidential Data and Signature

 

Quantities

signA†††† ††††††††††† SA(hash(M))

 

A -> B: CT, Cert

B: if Veri(Cert, CT, M, PKT, pkA) = yes then

††††††††††† B -> A: M

A: if (M correct) then

A -> B: SA(M)

††††††††††††††††††††††† B: if not(correct SA(M)) then

††††††††††††††††††††††††††††††††††† B -> T: M, CT

††††††††††††††††††††††††††††††††††† T: if (SA(M) correct) then

††††††††††††††††††††††††††††††††††† T -> A: M

††††††††††††††††††††††††††††††††††† T -> B: SA(M)

 

Notes:

Assumes that A already possesses a one-way hash of the message desired so that A knows it is signing the correct item.