Feng Bao, Robert H. Deng, Wenbo Mao

IEEE Symposium on Security and Privacy 1998

__Protocol 1 Fair Exchange of Signatures on A Common File__

PK+: public encryption key, + indicates public

sk-: signing encryption key, - indicates private

Cert: value that can be used to prove that a ciphertext was encrypted with a PK and that the value encrypted was M signed by sk

Veri(Cert, C_{T}, M, PK_{T}, pk_{A}): determines whether the message within M was signed by pk_{A} and then encrypted by PK_{T}, with the help of Cert.

S_{B}(x): B signs x with signing key sk_{B}-.

dS_{B}(x): decrypt x with signing decryption key sk_{B}+

C_{T}: P_{T}(m)

P_{T}(x): public key encryption of x with T’s PK_{T}+

dP_{T}(x): public key decryption of x with T’s PK_{T}- key

A and B want to exchange signatures of a document that is not valid until both parties have signed the document. However, neither party wants to be denied a copy of the other’s signature.

A -> B: C_{T}, Cert

B: if Veri(Cert, C_{T}, M, PK_{T}, pk_{A}) = yes then

B -> A: S_{B}(M)

A: if (S_{B}(M) correct) then

A -> B: S_{A}(M)

B: if not(correct S_{A}(M)) then

B -> T: M_{A}, M_{B}, C_{T}, S_{B}(M)

T: if ((S_{B}(M) correct) & (S_{A}(M) correct)) then

T -> A: S_{B}(M)

T -> B: S_{A}(M)

Notes:

- Secure Channels or cryptographically secure channels required using different keys
- Assumes A & B have already agreed to exchange their signatures on a common file.
- A may have to wait, but this doesn’t invalidate protocol

* ? How does T know what M is in order to determine whether contracts are valid?

Does this mean that M must be plaintext? Or does it mean that T just compares the contents of the two signatures to see that they are the same?

sign_{A}: S_{A}(M_{A}, hash(M_{B}))

sign_{B}: S_{B}(M_{B}, hash(M_{A}))

C_{T}: P_{T}(sign_{A})

A -> B: C_{T}, Cert

B: if Veri(Cert, C_{T}, M_{A}, PK_{T}, pk_{A}) = yes then

B -> A: S_{B}(M)

A: if (S_{B}(M) correct) then

A -> B: S_{A}(M)

B: if not(correct S_{A}(M)) then

B -> T: M_{A}, M_{B}, C_{T}, S_{B}(M)

T: if ((S_{B}(M) correct) & (S_{A}(M) correct)) then

T -> A: S_{B}(M)

T -> B: S_{A}(M)
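
Added example (not from the paper or from these notes): T's resolution step for the variant above, where each party signs its own file together with the hash of the other's, so T can check both signatures against the M_{A} and M_{B} that B submits. Textbook RSA on fixed Mersenne primes stands in for S and P_{T}, Cert/Veri is not modelled, and all function names and sample files are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keygen(a, b):
    # Toy textbook-RSA key (n, d) from Mersenne primes 2^a-1, 2^b-1.
    # Constructed for the demo; fixed known primes are not secure.
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def h(data):
    return hashlib.sha256(data).digest()

def digest(own, other, n):
    # Value each party signs here: (own file, hash(other file)).
    return int.from_bytes(h(h(own) + h(other)), "big") % n

def sign(key, own, other):                 # S_X(M_own, hash(M_other))
    n, d = key
    return pow(digest(own, other, n), d, n)

def verify(n, sig, own, other):
    return pow(sig, E, n) == digest(own, other, n)

def ttp_resolve(M_A, M_B, C_T, S_B, T_key, n_A, n_B):
    # T's step after "B -> T: M_A, M_B, C_T, S_B": release both or nothing.
    n_T, d_T = T_key
    sign_A = pow(C_T, d_T, n_T)            # dP_T(C_T)
    if not verify(n_B, S_B, M_B, M_A):     # B really signed (M_B, hash(M_A))
        return None
    if not verify(n_A, sign_A, M_A, M_B):  # escrow really holds A's signature
        return None
    return {"to_A": S_B, "to_B": sign_A}

def demo():
    A, B, T = keygen(61, 89), keygen(107, 127), keygen(521, 607)
    M_A, M_B = b"A pays B 100", b"B ships 5 units to A"  # constructed files
    sign_A = sign(A, M_A, M_B)
    C_T = pow(sign_A, E, T[0])             # C_T = P_T(sign_A)
    S_B = sign(B, M_B, M_A)
    # A never sends its signature, so B escalates to T.
    ok = ttp_resolve(M_A, M_B, C_T, S_B, T, A[0], B[0])
    # B submits a different M_A than the one it signed over: nothing released.
    bad = ttp_resolve(b"A pays B 1", M_B, C_T, S_B, T, A[0], B[0])
    return sign_A, S_B, ok, bad

if __name__ == "__main__":
    print(demo())
```
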

sign_{A}: S_{A}(hash(M))

A -> B: C_{T}, Cert

B: if Veri(Cert, C_{T}, M, PK_{T}, pk_{A}) = yes then

B -> A: M

A: if (M correct) then

A -> B: S_{A}(M)

B: if not(correct S_{A}(M)) then

B -> T: M, C_{T}

T: if (S_{A}(M) correct) then

T -> A: M

T -> B: S_{A}(M)

Notes:

Assumes that A already possesses a one-way hash of the message desired so that A knows it is signing the correct item.